[selinux-policy/f21] * Wed Nov 25 2014 Lukas Vrabec <lvrabec at redhat.com> 3.13.1-100 - Add seutil_dontaudit_access_check_s

Lukas Vrabec lvrabec at fedoraproject.org
Wed Nov 26 14:44:47 UTC 2014


commit 0bf50144193d99c85630edc0c2a1b3329de493a5
Author: Lukas Vrabec <lvrabec at redhat.com>
Date:   Wed Nov 26 15:44:33 2014 +0100

    * Wed Nov 25 2014 Lukas Vrabec <lvrabec at redhat.com> 3.13.1-100
    - Add seutil_dontaudit_access_check_semanage_module_store() interface
    - Update to have all _systemctl() interface also init_reload_services()
    - Allow named_filetrans_domain to create ibus directory with correct labeling
    - Add labeling for /sbin/iw.
    - Label tcp port 5280 as ejabberd port. BZ(1059930)
    - Make /usr/bin/vncserver running as unconfined_service_t.
    - getty_t should be ranged in MLS. Then also local_login_t runs as ranged domain
    - Label /etc/docker/certs.d as cert_t
    - Allow all systemd domains to search file systems
    - I guess there can be content under /var/lib/lockdown #1167502
    - Dontaudit access check on SELinux module store for sssd
    - Update to have all _systemctl() interface also init_reload_services()
    - Allow rhev-agentd to read /dev/.udev/db to make deploying hosted engine via iSCSI working
    - Allow keystone to send a generic signal to own process.
    - Dontaudit list user_tmp files for system_mail_t
    - label virt-who as virtd_exec_t
    - Allow rhsmcertd to send a null signal to virt-who running as virtd_t
    - Add virt_signull() interface
    - Allow .snapshots to be created in other directories, on all mountpoints
    - Add missing alias for _content_rw_t
    - Allow spamd to access razor-agent.log

 policy-f21-base.patch    |  138 +++--
 policy-f21-contrib.patch | 1293 ++++++++++++++++++++++++++--------------------
 selinux-policy.spec      |   25 +-
 3 files changed, 842 insertions(+), 614 deletions(-)
---
diff --git a/policy-f21-base.patch b/policy-f21-base.patch
index e3dd6c6..e631c63 100644
--- a/policy-f21-base.patch
+++ b/policy-f21-base.patch
@@ -5484,7 +5484,7 @@ index 8e0f9cd..b9f45b9 100644
  
  define(`create_packet_interfaces',``
 diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index b191055..2f2f2b9 100644
+index b191055..87df0ad 100644
 --- a/policy/modules/kernel/corenetwork.te.in
 +++ b/policy/modules/kernel/corenetwork.te.in
 @@ -5,6 +5,7 @@ policy_module(corenetwork, 1.19.2)
@@ -5662,12 +5662,13 @@ index b191055..2f2f2b9 100644
  network_port(iscsi, tcp,3260,s0)
  network_port(isns, tcp,3205,s0, udp,3205,s0)
  network_port(jabber_client, tcp,5222,s0, tcp,5223,s0)
- network_port(jabber_interserver, tcp,5269,s0)
+-network_port(jabber_interserver, tcp,5269,s0)
 -network_port(jboss_iiop, tcp,3528,s0, udp,3528,s0)
 -network_port(kerberos, tcp,88,s0, udp,88,s0, tcp,750,s0, udp,750,s0)
 -network_port(kerberos_admin, tcp,464,s0, udp,464,s0, tcp,749,s0)
 -network_port(kerberos_master, tcp,4444,s0, udp,4444,s0)
 -network_port(kismet, tcp,2501,s0)
++network_port(jabber_interserver, tcp,5269,s0, tcp,5280,s0)
 +network_port(jabber_router, tcp,5347,s0)
 +network_port(jacorb, tcp,3528,s0, tcp,3529,s0)
 +network_port(jboss_debug, tcp,8787,s0, udp,8787,s0)
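Review bot: Adding `tcp,5280,s0` to the existing `jabber_interserver` declaration gives port 5280 the same port type as 5269, so every domain allowed to bind or connect to the interserver port type gets the same access on 5280. The changelog calls 5280 the ejabberd port, which suggests (not confirmed from this hunk) a different listener from server-to-server traffic. If so, a separate declaration would keep the two grants apart and make denials easier to attribute, for example `network_port(ejabberd_http, tcp,5280,s0)`, with the name left to the maintainers. At minimum the line should carry a comment citing the bug, e.g. `# tcp 5280: ejabberd, BZ(1059930)`.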
@@ -8984,7 +8985,7 @@ index 6a1e4d1..1b9b0b5 100644
 +	dontaudit $1 domain:dir_file_class_set audit_access;
  ')
 diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
-index cf04cb5..c2776d0 100644
+index cf04cb5..7fad46c 100644
 --- a/policy/modules/kernel/domain.te
 +++ b/policy/modules/kernel/domain.te
 @@ -4,17 +4,41 @@ policy_module(domain, 1.11.0)
@@ -9133,7 +9134,7 @@ index cf04cb5..c2776d0 100644
  
  # Create/access any System V IPC objects.
  allow unconfined_domain_type domain:{ sem msgq shm } *;
-@@ -166,5 +238,352 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
+@@ -166,5 +238,356 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
  # act on all domains keys
  allow unconfined_domain_type domain:key *;
  
@@ -9242,6 +9243,10 @@ index cf04cb5..c2776d0 100644
 +')
 +
 +optional_policy(`
++    dbus_filetrans_named_content_system(named_filetrans_domain)
++')
++
++optional_policy(`
 +	devicekit_filetrans_named_content(named_filetrans_domain)
 +')
 +
@@ -20431,7 +20436,7 @@ index 0000000..63bc797
 +logging_stream_connect_syslog(sysadm_t)
 diff --git a/policy/modules/roles/unconfineduser.fc b/policy/modules/roles/unconfineduser.fc
 new file mode 100644
-index 0000000..0e8654b
+index 0000000..b680867
 --- /dev/null
 +++ b/policy/modules/roles/unconfineduser.fc
 @@ -0,0 +1,8 @@
@@ -20439,7 +20444,7 @@ index 0000000..0e8654b
 +# e.g.:
 +# /usr/local/bin/appsrv		--	gen_context(system_u:object_r:unconfined_exec_t,s0)
 +# For the time being until someone writes a sane policy, we need initrc to transition to unconfined_t
-+/usr/bin/vncserver		--	gen_context(system_u:object_r:unconfined_exec_t,s0)
++#/usr/bin/vncserver		--	gen_context(system_u:object_r:unconfined_exec_t,s0)
 +
 +/usr/sbin/xrdp   --  gen_context(system_u:object_r:unconfined_exec_t,s0)
 +/usr/sbin/xrdp-sesman   --  gen_context(system_u:object_r:unconfined_exec_t,s0)
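Review bot: The `/usr/bin/vncserver` entry is disabled by commenting it out, which leaves dead policy directly under the older remark about initrc transitioning to unconfined_t and records no reason for the change. Either delete the line or replace it with a short explanation taken from the changelog, e.g. `# /usr/bin/vncserver is no longer unconfined_exec_t; it runs as unconfined_service_t`. The two xrdp entries below keep the unconfined_exec_t label, so it is worth stating whether they are intentionally left on the old behaviour.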
@@ -22263,7 +22268,7 @@ index 76d9f66..5c271ce 100644
 +/root/\.ssh(/.*)?			gen_context(system_u:object_r:ssh_home_t,s0)
 +/root/\.shosts				gen_context(system_u:object_r:ssh_home_t,s0)
 diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
-index fe0c682..eb9cefe 100644
+index fe0c682..3ad1b1f 100644
 --- a/policy/modules/services/ssh.if
 +++ b/policy/modules/services/ssh.if
 @@ -32,10 +32,11 @@
@@ -22818,7 +22823,7 @@ index fe0c682..eb9cefe 100644
  ')
  
  ######################################
-@@ -754,3 +874,150 @@ interface(`ssh_delete_tmp',`
+@@ -754,3 +874,151 @@ interface(`ssh_delete_tmp',`
  	files_search_tmp($1)
  	delete_files_pattern($1, sshd_tmp_t, sshd_tmp_t)
  ')
@@ -22964,6 +22969,7 @@ index fe0c682..eb9cefe 100644
 +	')
 +
 +	systemd_exec_systemctl($1)
++    init_reload_services($1)
 +	allow $1 sshd_unit_file_t:file manage_file_perms;
 +	allow $1 sshd_unit_file_t:service manage_service_perms;
 +
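Review bot: `init_reload_services($1)` is added to every per-service `_systemctl()` interface, but its definition is not in these hunks. If it lets the caller ask systemd to reload its configuration, that is a manager-wide action rather than one limited to the service's own unit file type, and every caller of these interfaces now receives it. The interface summaries should say so, e.g. by adding `##	Also allows reloading the systemd service configuration.` to each `<summary>`. The same addition appears in the ipsec and iptables hunks of this file and in the abrt, accountsd, alsa, antivirus, apache, apcupsd, apm, arpwatch and automount hunks of policy-f21-contrib.patch. In the ssh and iptables hunks the new line is indented with four spaces while its neighbours use a tab, so a leading tab would match; the interface bodies start and end outside the hunks.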
@@ -27258,7 +27264,7 @@ index 2479587..890e1e2 100644
  /var/(db|adm)/sudo(/.*)?	gen_context(system_u:object_r:pam_var_run_t,s0)
  /var/lib/sudo(/.*)?	gen_context(system_u:object_r:pam_var_run_t,s0)
 diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
-index 3efd5b6..f645c21 100644
+index 3efd5b6..9e85ea0 100644
 --- a/policy/modules/system/authlogin.if
 +++ b/policy/modules/system/authlogin.if
 @@ -23,11 +23,17 @@ interface(`auth_role',`
@@ -27320,7 +27326,7 @@ index 3efd5b6..f645c21 100644
  ')
  
  ########################################
-@@ -95,69 +117,68 @@ interface(`auth_use_pam',`
+@@ -95,69 +117,67 @@ interface(`auth_use_pam',`
  interface(`auth_login_pgm_domain',`
  	gen_require(`
  		type var_auth_t, auth_cache_t;
@@ -27378,7 +27384,6 @@ index 3efd5b6..f645c21 100644
  	mls_file_downgrade($1)
  	mls_process_set_level($1)
 +    mls_process_write_to_clearance($1)
-+    mls_process_write_all_levels($1)
  	mls_fd_share_all_levels($1)
  
  	auth_use_pam($1)
@@ -27430,7 +27435,7 @@ index 3efd5b6..f645c21 100644
  ')
  
  ########################################
-@@ -231,6 +252,25 @@ interface(`auth_domtrans_login_program',`
+@@ -231,6 +251,25 @@ interface(`auth_domtrans_login_program',`
  
  ########################################
  ## <summary>
@@ -27456,7 +27461,7 @@ index 3efd5b6..f645c21 100644
  ##	Execute a login_program in the target domain,
  ##	with a range transition.
  ## </summary>
-@@ -322,6 +362,24 @@ interface(`auth_rw_cache',`
+@@ -322,6 +361,24 @@ interface(`auth_rw_cache',`
  
  ########################################
  ## <summary>
@@ -27481,7 +27486,7 @@ index 3efd5b6..f645c21 100644
  ##	Manage authentication cache
  ## </summary>
  ## <param name="domain">
-@@ -402,6 +460,8 @@ interface(`auth_domtrans_chk_passwd',`
+@@ -402,6 +459,8 @@ interface(`auth_domtrans_chk_passwd',`
  	optional_policy(`
  		samba_stream_connect_winbind($1)
  	')
@@ -27490,7 +27495,7 @@ index 3efd5b6..f645c21 100644
  ')
  
  ########################################
-@@ -428,6 +488,24 @@ interface(`auth_domtrans_chkpwd',`
+@@ -428,6 +487,24 @@ interface(`auth_domtrans_chkpwd',`
  
  ########################################
  ## <summary>
@@ -27515,7 +27520,7 @@ index 3efd5b6..f645c21 100644
  ##	Execute chkpwd programs in the chkpwd domain.
  ## </summary>
  ## <param name="domain">
-@@ -448,6 +526,25 @@ interface(`auth_run_chk_passwd',`
+@@ -448,6 +525,25 @@ interface(`auth_run_chk_passwd',`
  
  	auth_domtrans_chk_passwd($1)
  	role $2 types chkpwd_t;
@@ -27541,7 +27546,7 @@ index 3efd5b6..f645c21 100644
  ')
  
  ########################################
-@@ -467,7 +564,6 @@ interface(`auth_domtrans_upd_passwd',`
+@@ -467,7 +563,6 @@ interface(`auth_domtrans_upd_passwd',`
  
  	domtrans_pattern($1, updpwd_exec_t, updpwd_t)
  	auth_dontaudit_read_shadow($1)
@@ -27549,7 +27554,7 @@ index 3efd5b6..f645c21 100644
  ')
  
  ########################################
-@@ -664,6 +760,10 @@ interface(`auth_manage_shadow',`
+@@ -664,6 +759,10 @@ interface(`auth_manage_shadow',`
  
  	allow $1 shadow_t:file manage_file_perms;
  	typeattribute $1 can_read_shadow_passwords, can_write_shadow_passwords;
@@ -27560,7 +27565,7 @@ index 3efd5b6..f645c21 100644
  ')
  
  #######################################
-@@ -763,7 +863,50 @@ interface(`auth_rw_faillog',`
+@@ -763,7 +862,50 @@ interface(`auth_rw_faillog',`
  	')
  
  	logging_search_logs($1)
@@ -27612,7 +27617,7 @@ index 3efd5b6..f645c21 100644
  ')
  
  #######################################
-@@ -824,9 +967,29 @@ interface(`auth_rw_lastlog',`
+@@ -824,9 +966,29 @@ interface(`auth_rw_lastlog',`
  	allow $1 lastlog_t:file { rw_file_perms lock setattr };
  ')
  
@@ -27643,7 +27648,7 @@ index 3efd5b6..f645c21 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -834,12 +997,27 @@ interface(`auth_rw_lastlog',`
+@@ -834,12 +996,27 @@ interface(`auth_rw_lastlog',`
  ##	</summary>
  ## </param>
  #
@@ -27674,7 +27679,7 @@ index 3efd5b6..f645c21 100644
  ')
  
  ########################################
-@@ -854,15 +1032,15 @@ interface(`auth_domtrans_pam',`
+@@ -854,15 +1031,15 @@ interface(`auth_domtrans_pam',`
  #
  interface(`auth_signal_pam',`
  	gen_require(`
@@ -27693,7 +27698,7 @@ index 3efd5b6..f645c21 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -875,13 +1053,33 @@ interface(`auth_signal_pam',`
+@@ -875,13 +1052,33 @@ interface(`auth_signal_pam',`
  ##	</summary>
  ## </param>
  #
@@ -27731,7 +27736,7 @@ index 3efd5b6..f645c21 100644
  ')
  
  ########################################
-@@ -959,9 +1157,30 @@ interface(`auth_manage_var_auth',`
+@@ -959,9 +1156,30 @@ interface(`auth_manage_var_auth',`
  	')
  
  	files_search_var($1)
@@ -27765,7 +27770,7 @@ index 3efd5b6..f645c21 100644
  ')
  
  ########################################
-@@ -1040,6 +1259,10 @@ interface(`auth_manage_pam_pid',`
+@@ -1040,6 +1258,10 @@ interface(`auth_manage_pam_pid',`
  	files_search_pids($1)
  	allow $1 pam_var_run_t:dir manage_dir_perms;
  	allow $1 pam_var_run_t:file manage_file_perms;
@@ -27776,7 +27781,7 @@ index 3efd5b6..f645c21 100644
  ')
  
  ########################################
-@@ -1176,6 +1399,7 @@ interface(`auth_manage_pam_console_data',`
+@@ -1176,6 +1398,7 @@ interface(`auth_manage_pam_console_data',`
  	files_search_pids($1)
  	manage_files_pattern($1, pam_var_console_t, pam_var_console_t)
  	manage_lnk_files_pattern($1, pam_var_console_t, pam_var_console_t)
@@ -27784,7 +27789,7 @@ index 3efd5b6..f645c21 100644
  ')
  
  #######################################
-@@ -1576,6 +1800,25 @@ interface(`auth_setattr_login_records',`
+@@ -1576,6 +1799,25 @@ interface(`auth_setattr_login_records',`
  
  ########################################
  ## <summary>
@@ -27810,7 +27815,7 @@ index 3efd5b6..f645c21 100644
  ##	Read login records files (/var/log/wtmp).
  ## </summary>
  ## <param name="domain">
-@@ -1726,24 +1969,7 @@ interface(`auth_manage_login_records',`
+@@ -1726,24 +1968,7 @@ interface(`auth_manage_login_records',`
  
  	logging_rw_generic_log_dirs($1)
  	allow $1 wtmp_t:file manage_file_perms;
@@ -27836,7 +27841,7 @@ index 3efd5b6..f645c21 100644
  ')
  
  ########################################
-@@ -1767,11 +1993,13 @@ interface(`auth_relabel_login_records',`
+@@ -1767,11 +1992,13 @@ interface(`auth_relabel_login_records',`
  ## <infoflow type="both" weight="10"/>
  #
  interface(`auth_use_nsswitch',`
@@ -27853,7 +27858,7 @@ index 3efd5b6..f645c21 100644
  ')
  
  ########################################
-@@ -1805,3 +2033,280 @@ interface(`auth_unconfined',`
+@@ -1805,3 +2032,280 @@ interface(`auth_unconfined',`
  	typeattribute $1 can_write_shadow_passwords;
  	typeattribute $1 can_relabelto_shadow_passwords;
  ')
@@ -29031,7 +29036,7 @@ index e4376aa..2c98c56 100644
 +	allow $1 getty_unit_file_t:service start;
 +')
 diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te
-index f6743ea..77a3b65 100644
+index f6743ea..09fbb87 100644
 --- a/policy/modules/system/getty.te
 +++ b/policy/modules/system/getty.te
 @@ -27,6 +27,17 @@ files_tmp_file(getty_tmp_t)
@@ -29046,7 +29051,7 @@ index f6743ea..77a3b65 100644
 +')
 +
 +ifdef(`enable_mls',`
-+	init_ranged_daemon_domain(getty_t, getty_exec_t, mls_systemhigh)
++	init_ranged_daemon_domain(getty_t, getty_exec_t, s0 - mls_systemhigh)
 +')
 +
  ########################################
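Review bot: The range argument of `init_ranged_daemon_domain` changes from `mls_systemhigh` to `s0 - mls_systemhigh` without a comment, so the reason is recorded only in the changelog. A one-line comment inside the enable_mls block would guard against an accidental revert, e.g. `# getty_t must be ranged so that local_login_t also runs as a ranged domain`. This change pairs with the removal of `mls_process_write_all_levels($1)` from `auth_login_pgm_domain` earlier in this patch. It would help to confirm on an MLS system that logins above s0 still work with only `mls_process_write_to_clearance($1)`.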
@@ -32292,7 +32297,7 @@ index 662e79b..ad9ef4e 100644
 +/var/run/pluto/ipsec\.info -- gen_context(system_u:object_r:ipsec_mgmt_var_run_t, s0)
 +/var/run/pluto/ipsec_setup\.pid -- gen_context(system_u:object_r:ipsec_mgmt_var_run_t, s0)
 diff --git a/policy/modules/system/ipsec.if b/policy/modules/system/ipsec.if
-index 0d4c8d3..e6ffda3 100644
+index 0d4c8d3..9395313 100644
 --- a/policy/modules/system/ipsec.if
 +++ b/policy/modules/system/ipsec.if
 @@ -55,6 +55,64 @@ interface(`ipsec_domtrans_mgmt',`
@@ -32453,7 +32458,7 @@ index 0d4c8d3..e6ffda3 100644
  ')
  
  ########################################
-@@ -369,3 +479,26 @@ interface(`ipsec_run_setkey',`
+@@ -369,3 +479,27 @@ interface(`ipsec_run_setkey',`
  	ipsec_domtrans_setkey($1)
  	role $2 types setkey_t;
  ')
@@ -32475,6 +32480,7 @@ index 0d4c8d3..e6ffda3 100644
 +    ')
 +
 +    systemd_exec_systemctl($1)
++    init_reload_services($1)
 +    allow $1 ipsec_mgmt_unit_file_t:file read_file_perms;
 +    allow $1 ipsec_mgmt_unit_file_t:service manage_service_perms;
 +
@@ -32841,7 +32847,7 @@ index 73a1c4e..af8050d 100644
 +/usr/sbin/ipvsadm-save		--	gen_context(system_u:object_r:iptables_exec_t,s0)
 +/usr/sbin/xtables-multi		--	gen_context(system_u:object_r:iptables_exec_t,s0)
 diff --git a/policy/modules/system/iptables.if b/policy/modules/system/iptables.if
-index c42fbc3..174cfdb 100644
+index c42fbc3..277fe6c 100644
 --- a/policy/modules/system/iptables.if
 +++ b/policy/modules/system/iptables.if
 @@ -17,10 +17,6 @@ interface(`iptables_domtrans',`
@@ -32855,7 +32861,7 @@ index c42fbc3..174cfdb 100644
  ')
  
  ########################################
-@@ -86,6 +82,29 @@ interface(`iptables_initrc_domtrans',`
+@@ -86,6 +82,30 @@ interface(`iptables_initrc_domtrans',`
  	init_labeled_script_domtrans($1, iptables_initrc_exec_t)
  ')
  
@@ -32876,6 +32882,7 @@ index c42fbc3..174cfdb 100644
 +	')
 +
 +	systemd_exec_systemctl($1)
++    init_reload_services($1)
 +	allow $1 iptables_unit_file_t:file read_file_perms;
 +	allow $1 iptables_unit_file_t:service manage_service_perms;
 +
@@ -35549,15 +35556,16 @@ index 79048c4..ce6f0ce 100644
  	udev_read_pid_files(lvm_t)
  ')
 diff --git a/policy/modules/system/miscfiles.fc b/policy/modules/system/miscfiles.fc
-index 9fe8e01..83acb32 100644
+index 9fe8e01..3d71062 100644
 --- a/policy/modules/system/miscfiles.fc
 +++ b/policy/modules/system/miscfiles.fc
-@@ -9,11 +9,13 @@ ifdef(`distro_gentoo',`
+@@ -9,11 +9,14 @@ ifdef(`distro_gentoo',`
  # /etc
  #
  /etc/avahi/etc/localtime --	gen_context(system_u:object_r:locale_t,s0)
 -/etc/httpd/alias/[^/]*\.db(\.[^/]*)* -- gen_context(system_u:object_r:cert_t,s0)
 -/etc/localtime		--	gen_context(system_u:object_r:locale_t,s0)
++/etc/docker/certs\.d(/.*)?          gen_context(system_u:object_r:cert_t,s0)
 +/etc/httpd/alias(/.*)?	        gen_context(system_u:object_r:cert_t,s0)
 +/etc/localtime			gen_context(system_u:object_r:locale_t,s0)
 +/etc/locale.conf	--	gen_context(system_u:object_r:locale_t,s0)
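Review bot: The pattern `/etc/docker/certs\.d(/.*)?` labels everything under the directory as cert_t, including any client private keys stored beside the certificates. cert_t is normally readable by a wide set of domains through the certificate-reading interfaces (not visible in this hunk, so verify), which would make such key files readable well beyond the docker daemon. Consider narrowing the pattern to certificate files or giving key files a more restrictive type. If the broad label is intended, add a comment such as `# registry CA and client certificates; private keys placed here become cert_t too`.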
@@ -35568,7 +35576,7 @@ index 9fe8e01..83acb32 100644
  
  ifdef(`distro_redhat',`
  /etc/sysconfig/clock	--	gen_context(system_u:object_r:locale_t,s0)
-@@ -37,24 +39,20 @@ ifdef(`distro_redhat',`
+@@ -37,24 +40,20 @@ ifdef(`distro_redhat',`
  
  /usr/lib/perl5/man(/.*)?	gen_context(system_u:object_r:man_t,s0)
  
@@ -35598,7 +35606,7 @@ index 9fe8e01..83acb32 100644
  
  /usr/X11R6/lib/X11/fonts(/.*)?	gen_context(system_u:object_r:fonts_t,s0)
  
-@@ -77,7 +75,7 @@ ifdef(`distro_redhat',`
+@@ -77,7 +76,7 @@ ifdef(`distro_redhat',`
  
  /var/cache/fontconfig(/.*)?	gen_context(system_u:object_r:fonts_cache_t,s0)
  /var/cache/fonts(/.*)?		gen_context(system_u:object_r:tetex_data_t,s0)
@@ -35607,7 +35615,7 @@ index 9fe8e01..83acb32 100644
  
  /var/named/chroot/etc/pki(/.*)? gen_context(system_u:object_r:cert_t,s0)
  
-@@ -90,6 +88,7 @@ ifdef(`distro_debian',`
+@@ -90,6 +89,7 @@ ifdef(`distro_debian',`
  ')
  
  ifdef(`distro_redhat',`
@@ -37273,7 +37281,7 @@ index d43f3b1..870bc36 100644
 +/etc/share/selinux/targeted(/.*)?	gen_context(system_u:object_r:semanage_store_t,s0)
 +/etc/share/selinux/mls(/.*)?		gen_context(system_u:object_r:semanage_store_t,s0)
 diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if
-index 3822072..c10f55b 100644
+index 3822072..a7912c5 100644
 --- a/policy/modules/system/selinuxutil.if
 +++ b/policy/modules/system/selinuxutil.if
 @@ -135,6 +135,42 @@ interface(`seutil_exec_loadpolicy',`
@@ -37765,7 +37773,7 @@ index 3822072..c10f55b 100644
  ##	Execute semanage in the semanage domain, and
  ##	allow the specified role the semanage domain,
  ##	and use the caller's terminal.
-@@ -1017,11 +1382,67 @@ interface(`seutil_domtrans_semanage',`
+@@ -1017,11 +1382,85 @@ interface(`seutil_domtrans_semanage',`
  #
  interface(`seutil_run_semanage',`
  	gen_require(`
@@ -37832,10 +37840,28 @@ index 3822072..c10f55b 100644
 +	list_dirs_pattern($1, selinux_config_t, semanage_store_t)
 +	read_files_pattern($1, semanage_store_t, semanage_store_t)
 +	read_lnk_files_pattern($1, semanage_store_t, semanage_store_t)
++')
++
++#######################################
++## <summary>
++##	Dontaudit access check on module store
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`seutil_dontaudit_access_check_semanage_module_store',`
++	gen_require(`
++		type semanage_store_t;
++	')
++
++    dontaudit $1 semanage_store_t:dir_file_class_set audit_access;
  ')
  
  ########################################
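Review bot: The parameter text of `seutil_dontaudit_access_check_semanage_module_store` says `Domain allowed access.`, but the rule is a `dontaudit`, so the reference-policy wording `Domain to not audit.` is the accurate one. The summary could also name what is suppressed, e.g. `Do not audit access checks (audit_access) on the SELinux module store.`. The `dontaudit` line is indented with four spaces where the `gen_require` block above it uses tabs. Callers of this interface stop producing AVC records for these probes, so investigating module-store access by such a domain requires dontaudit rules to be disabled first (`semodule -DB`).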
-@@ -1043,7 +1464,11 @@ interface(`seutil_manage_module_store',`
+@@ -1043,7 +1482,11 @@ interface(`seutil_manage_module_store',`
  	files_search_etc($1)
  	manage_dirs_pattern($1, selinux_config_t, semanage_store_t)
  	manage_files_pattern($1, semanage_store_t, semanage_store_t)
@@ -37847,7 +37873,7 @@ index 3822072..c10f55b 100644
  ')
  
  #######################################
-@@ -1067,6 +1492,24 @@ interface(`seutil_get_semanage_read_lock',`
+@@ -1067,6 +1510,24 @@ interface(`seutil_get_semanage_read_lock',`
  
  #######################################
  ## <summary>
@@ -37872,7 +37898,7 @@ index 3822072..c10f55b 100644
  ##	Get trans lock on module store
  ## </summary>
  ## <param name="domain">
-@@ -1137,3 +1580,122 @@ interface(`seutil_dontaudit_libselinux_linked',`
+@@ -1137,3 +1598,122 @@ interface(`seutil_dontaudit_libselinux_linked',`
  	selinux_dontaudit_get_fs_mount($1)
  	seutil_dontaudit_read_config($1)
  ')
@@ -38866,7 +38892,7 @@ index 1447687..d5e6fb9 100644
  seutil_read_config(setrans_t)
  
 diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc
-index 40edc18..04ea6dd 100644
+index 40edc18..8896a27 100644
 --- a/policy/modules/system/sysnetwork.fc
 +++ b/policy/modules/system/sysnetwork.fc
 @@ -17,22 +17,25 @@ ifdef(`distro_debian',`
@@ -38899,7 +38925,15 @@ index 40edc18..04ea6dd 100644
  ')
  
  #
-@@ -55,6 +58,21 @@ ifdef(`distro_redhat',`
+@@ -44,6 +47,7 @@ ifdef(`distro_redhat',`
+ /sbin/ethtool		--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
+ /sbin/ifconfig		--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
+ /sbin/ip		--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
++/sbin/iw		--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
+ /sbin/ipx_configure	--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
+ /sbin/ipx_interface	--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
+ /sbin/ipx_internal_net	--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
+@@ -55,6 +59,21 @@ ifdef(`distro_redhat',`
  #
  # /usr
  #
@@ -38921,7 +38955,7 @@ index 40edc18..04ea6dd 100644
  /usr/sbin/tc		--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
  
  #
-@@ -77,3 +95,6 @@ ifdef(`distro_debian',`
+@@ -77,3 +96,6 @@ ifdef(`distro_debian',`
  /var/run/network(/.*)?	gen_context(system_u:object_r:net_conf_t,s0)
  ')
  
@@ -41321,10 +41355,10 @@ index 0000000..d2a8fc7
 +')
 diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
 new file mode 100644
-index 0000000..a75ffd3
+index 0000000..c7c145b
 --- /dev/null
 +++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,700 @@
+@@ -0,0 +1,702 @@
 +policy_module(systemd, 1.0.0)
 +
 +#######################################
@@ -41999,6 +42033,8 @@ index 0000000..a75ffd3
 +
 +dev_read_urand(systemd_domain)
 +
++fs_search_all(systemd_domain)
++
 +files_read_etc_files(systemd_domain)
 +files_read_etc_runtime_files(systemd_domain)
 +files_read_usr_files(systemd_domain)
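Review bot: `fs_search_all(systemd_domain)` is granted on the `systemd_domain` attribute, so every current and future systemd helper domain inherits it, and the hunk gives no denial or bug reference to justify that breadth. If only some helpers need to traverse mount points, granting it to those types keeps the attribute narrower. Otherwise add a comment such as `# systemd helpers need to search directories on all filesystem types` together with the bug reference. The definition of fs_search_all is outside this page, so the exact permission set should be checked there.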
diff --git a/policy-f21-contrib.patch b/policy-f21-contrib.patch
index 9225690..57c8d02 100644
--- a/policy-f21-contrib.patch
+++ b/policy-f21-contrib.patch
@@ -73,7 +73,7 @@ index 1a93dc5..f2b26f5 100644
 -/var/spool/abrt-retrace(/.*)?	gen_context(system_u:object_r:abrt_retrace_spool_t,s0)
 -/var/spool/retrace-server(/.*)?	gen_context(system_u:object_r:abrt_retrace_spool_t,s0)
 diff --git a/abrt.if b/abrt.if
-index 058d908..2f6c3a9 100644
+index 058d908..1e92177 100644
 --- a/abrt.if
 +++ b/abrt.if
 @@ -1,4 +1,26 @@
@@ -295,7 +295,7 @@ index 058d908..2f6c3a9 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -276,10 +354,51 @@ interface(`abrt_manage_pid_files',`
+@@ -276,10 +354,52 @@ interface(`abrt_manage_pid_files',`
  	manage_files_pattern($1, abrt_var_run_t, abrt_var_run_t)
  ')
  
@@ -334,6 +334,7 @@ index 058d908..2f6c3a9 100644
 +	')
 +
 +	systemd_exec_systemctl($1)
++	init_reload_services($1)
 +	allow $1 abrt_unit_file_t:file manage_file_perms;
 +	allow $1 abrt_unit_file_t:service manage_service_perms;
 +
@@ -349,7 +350,7 @@ index 058d908..2f6c3a9 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -288,39 +407,174 @@ interface(`abrt_manage_pid_files',`
+@@ -288,39 +408,174 @@ interface(`abrt_manage_pid_files',`
  ## </param>
  ## <param name="role">
  ##	<summary>
@@ -1109,10 +1110,10 @@ index f9d8d7a..0682710 100644
  
  /usr/lib/accountsservice/accounts-daemon	--	gen_context(system_u:object_r:accountsd_exec_t,s0)
 diff --git a/accountsd.if b/accountsd.if
-index bd5ec9a..a5ed692 100644
+index bd5ec9a..554177c 100644
 --- a/accountsd.if
 +++ b/accountsd.if
-@@ -126,23 +126,50 @@ interface(`accountsd_manage_lib_files',`
+@@ -126,23 +126,51 @@ interface(`accountsd_manage_lib_files',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -1129,6 +1130,7 @@ index bd5ec9a..a5ed692 100644
 +	')
 +
 +	systemd_exec_systemctl($1)
++	init_reload_services($1)
 +	allow $1 accountsd_unit_file_t:file read_file_perms;
 +	allow $1 accountsd_unit_file_t:service manage_service_perms;
 +
@@ -1900,7 +1902,7 @@ index 33d9d31..58bf182 100644
 +
 +/var/run/alsactl\.pid		--	gen_context(system_u:object_r:alsa_var_run_t,s0)
 diff --git a/alsa.if b/alsa.if
-index ca8d8cf..2cc5ce6 100644
+index ca8d8cf..053a30a 100644
 --- a/alsa.if
 +++ b/alsa.if
 @@ -168,6 +168,7 @@ interface(`alsa_manage_home_files',`
@@ -1911,7 +1913,7 @@ index ca8d8cf..2cc5ce6 100644
  ')
  
  ########################################
-@@ -210,51 +211,87 @@ interface(`alsa_relabel_home_files',`
+@@ -210,51 +211,88 @@ interface(`alsa_relabel_home_files',`
  
  ########################################
  ## <summary>
@@ -2007,6 +2009,7 @@ index ca8d8cf..2cc5ce6 100644
 -	files_search_var_lib($1)
 -	read_files_pattern($1, alsa_var_lib_t, alsa_var_lib_t)
 +	systemd_exec_systemctl($1)
++	init_reload_services($1)
 +	allow $1 alsa_unit_file_t:file read_file_perms;
 +	allow $1 alsa_unit_file_t:service manage_service_perms;
 +
@@ -2682,10 +2685,10 @@ index 0000000..219f32d
 +
 diff --git a/antivirus.if b/antivirus.if
 new file mode 100644
-index 0000000..ae5f0a3
+index 0000000..36251b9
 --- /dev/null
 +++ b/antivirus.if
-@@ -0,0 +1,324 @@
+@@ -0,0 +1,325 @@
 +## <summary>SELinux policy for antivirus programs - amavis, clamd, freshclam and clamscan</summary>
 +
 +######################################
@@ -2942,6 +2945,7 @@ index 0000000..ae5f0a3
 +        ')
 +
 +        systemd_exec_systemctl($1)
++	init_reload_services($1)
 +        systemd_read_fifo_file_passwd_run($1)
 +        allow $1 antivirus_unit_file_t:file read_file_perms;
 +        allow $1 antivirus_unit_file_t:service manage_service_perms;
@@ -3635,7 +3639,7 @@ index 7caefc3..3009a35 100644
 +/var/run/dirsrv/admin-serv.*	gen_context(system_u:object_r:httpd_var_run_t,s0)
 +/opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)?       gen_context(system_u:object_r:httpd_var_run_t,s0)
 diff --git a/apache.if b/apache.if
-index f6eb485..f6d065e 100644
+index f6eb485..164501c 100644
 --- a/apache.if
 +++ b/apache.if
 @@ -1,9 +1,9 @@
@@ -3755,7 +3759,7 @@ index f6eb485..f6d065e 100644
 +
 +	type $1_rw_content_t; # customizable
 +	typeattribute $1_rw_content_t httpd_content_type;
-+	typealias $1_rw_content_t alias { $1_script_rw_t };
++	typealias $1_rw_content_t alias { $1_script_rw_t $1_content_rw_t };
 +	files_type($1_rw_content_t)
 +
 +	type $1_ra_content_t, httpd_content_type; # customizable
@@ -4905,7 +4909,7 @@ index f6eb485..f6d065e 100644
  ##	This is an interface to support third party modules
  ##	and its use is not allowed in upstream reference
  ##	policy.
-@@ -1171,8 +1423,30 @@ interface(`apache_cgi_domain',`
+@@ -1171,8 +1423,31 @@ interface(`apache_cgi_domain',`
  
  ########################################
  ## <summary>
@@ -4926,6 +4930,7 @@ index f6eb485..f6d065e 100644
 +	')
 +
 +	systemd_exec_systemctl($1)
++	init_reload_services($1)
 +	allow $1 httpd_unit_file_t:file read_file_perms;
 +	allow $1 httpd_unit_file_t:service manage_service_perms;
 +
@@ -4938,7 +4943,7 @@ index f6eb485..f6d065e 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1189,18 +1463,19 @@ interface(`apache_cgi_domain',`
+@@ -1189,18 +1464,19 @@ interface(`apache_cgi_domain',`
  interface(`apache_admin',`
  	gen_require(`
  		attribute httpdcontent, httpd_script_exec_type;
@@ -4967,7 +4972,7 @@ index f6eb485..f6d065e 100644
  
  	init_labeled_script_domtrans($1, httpd_initrc_exec_t)
  	domain_system_change_exemption($1)
-@@ -1210,10 +1485,10 @@ interface(`apache_admin',`
+@@ -1210,10 +1486,10 @@ interface(`apache_admin',`
  	apache_manage_all_content($1)
  	miscfiles_manage_public_files($1)
  
@@ -4981,7 +4986,7 @@ index f6eb485..f6d065e 100644
  	admin_pattern($1, httpd_log_t)
  
  	admin_pattern($1, httpd_modules_t)
-@@ -1224,9 +1499,141 @@ interface(`apache_admin',`
+@@ -1224,9 +1500,141 @@ interface(`apache_admin',`
  	admin_pattern($1, httpd_var_run_t)
  	files_pid_filetrans($1, httpd_var_run_t, file)
  
@@ -7477,7 +7482,7 @@ index 5ec0e13..97c204f 100644
 +/var/www/apcupsd/upsstats\.cgi	--	gen_context(system_u:object_r:apcupsd_cgi_script_exec_t,s0)
 +/var/www/cgi-bin/apcgui(/.*)?	gen_context(system_u:object_r:apcupsd_cgi_script_exec_t,s0)
 diff --git a/apcupsd.if b/apcupsd.if
-index f3c0aba..2b3352b 100644
+index f3c0aba..f6e25ed 100644
 --- a/apcupsd.if
 +++ b/apcupsd.if
 @@ -102,7 +102,7 @@ interface(`apcupsd_append_log',`
@@ -7503,7 +7508,7 @@ index f3c0aba..2b3352b 100644
  
  	optional_policy(`
  		apache_search_sys_content($1)
-@@ -125,6 +125,49 @@ interface(`apcupsd_cgi_script_domtrans',`
+@@ -125,6 +125,50 @@ interface(`apcupsd_cgi_script_domtrans',`
  
  ########################################
  ## <summary>
@@ -7522,6 +7527,7 @@ index f3c0aba..2b3352b 100644
 +	')
 +
 +	systemd_exec_systemctl($1)
++	init_reload_services($1)
 +	allow $1 apcupsd_unit_file_t:file read_file_perms;
 +	allow $1 apcupsd_unit_file_t:service manage_service_perms;
 +
@@ -7553,7 +7559,7 @@ index f3c0aba..2b3352b 100644
  ##	All of the rules required to
  ##	administrate an apcupsd environment.
  ## </summary>
-@@ -144,11 +187,17 @@ interface(`apcupsd_admin',`
+@@ -144,11 +188,17 @@ interface(`apcupsd_admin',`
  	gen_require(`
  		type apcupsd_t, apcupsd_tmp_t, apcupsd_log_t;
  		type apcupsd_var_run_t, apcupsd_initrc_exec_t, apcupsd_lock_t;
@@ -7572,7 +7578,7 @@ index f3c0aba..2b3352b 100644
  	apcupsd_initrc_domtrans($1, apcupsd_initrc_exec_t)
  	domain_system_change_exemption($1)
  	role_transition $2 apcupsd_initrc_exec_t system_r;
-@@ -165,4 +214,11 @@ interface(`apcupsd_admin',`
+@@ -165,4 +215,11 @@ interface(`apcupsd_admin',`
  
  	files_list_pids($1)
  	admin_pattern($1, apcupsd_var_run_t)
@@ -7723,10 +7729,10 @@ index ce27d2f..d20377e 100644
  
  /usr/bin/apm	--	gen_context(system_u:object_r:apm_exec_t,s0)
 diff --git a/apm.if b/apm.if
-index 1a7a97e..1d29dce 100644
+index 1a7a97e..2c7252a 100644
 --- a/apm.if
 +++ b/apm.if
-@@ -141,6 +141,29 @@ interface(`apm_stream_connect',`
+@@ -141,6 +141,30 @@ interface(`apm_stream_connect',`
  
  ########################################
  ## <summary>
@@ -7745,6 +7751,7 @@ index 1a7a97e..1d29dce 100644
 +	')
 +
 +	systemd_exec_systemctl($1)
++	init_reload_services($1)
 +	allow $1 apmd_unit_file_t:file read_file_perms;
 +	allow $1 apmd_unit_file_t:service manage_service_perms;
 +
@@ -7756,7 +7763,7 @@ index 1a7a97e..1d29dce 100644
  ##	All of the rules required to
  ##	administrate an apm environment.
  ## </summary>
-@@ -163,9 +186,13 @@ interface(`apm_admin',`
+@@ -163,9 +187,13 @@ interface(`apm_admin',`
  		type apmd_tmp_t;
  	')
  
@@ -7936,10 +7943,10 @@ index 9ca0d0f..9a1a61f 100644
  
  /var/arpwatch(/.*)?	gen_context(system_u:object_r:arpwatch_data_t,s0)
 diff --git a/arpwatch.if b/arpwatch.if
-index 50c9b9c..51c8cc0 100644
+index 50c9b9c..533a555 100644
 --- a/arpwatch.if
 +++ b/arpwatch.if
-@@ -119,6 +119,29 @@ interface(`arpwatch_dontaudit_rw_packet_sockets',`
+@@ -119,6 +119,30 @@ interface(`arpwatch_dontaudit_rw_packet_sockets',`
  
  ########################################
  ## <summary>
@@ -7958,6 +7965,7 @@ index 50c9b9c..51c8cc0 100644
 +	')
 +
 +	systemd_exec_systemctl($1)
++	init_reload_services($1)
 +	allow $1 arpwatch_unit_file_t:file read_file_perms;
 +	allow $1 arpwatch_unit_file_t:service manage_service_perms;
 +
@@ -7969,7 +7977,7 @@ index 50c9b9c..51c8cc0 100644
  ##	All of the rules required to
  ##	administrate an arpwatch environment.
  ## </summary>
-@@ -138,11 +161,16 @@ interface(`arpwatch_admin',`
+@@ -138,11 +162,16 @@ interface(`arpwatch_admin',`
  	gen_require(`
  		type arpwatch_t, arpwatch_tmp_t, arpwatch_initrc_exec_t;
  		type arpwatch_data_t, arpwatch_var_run_t;
@@ -7987,7 +7995,7 @@ index 50c9b9c..51c8cc0 100644
  	arpwatch_initrc_domtrans($1)
  	domain_system_change_exemption($1)
  	role_transition $2 arpwatch_initrc_exec_t system_r;
-@@ -156,4 +184,8 @@ interface(`arpwatch_admin',`
+@@ -156,4 +185,8 @@ interface(`arpwatch_admin',`
  
  	files_list_pids($1)
  	admin_pattern($1, arpwatch_var_run_t)
@@ -8333,7 +8341,7 @@ index 92adb37..0a2ffc6 100644
  
  /var/lock/subsys/autofs	--	gen_context(system_u:object_r:automount_lock_t,s0)
 diff --git a/automount.if b/automount.if
-index f24e369..9bce868 100644
+index f24e369..4484a98 100644
 --- a/automount.if
 +++ b/automount.if
 @@ -29,7 +29,6 @@ interface(`automount_domtrans',`
@@ -8370,7 +8378,7 @@ index f24e369..9bce868 100644
  ##	Do not audit attempts to get
  ##	attributes of automount temporary
  ##	directories.
-@@ -134,6 +152,29 @@ interface(`automount_dontaudit_getattr_tmp_dirs',`
+@@ -134,6 +152,30 @@ interface(`automount_dontaudit_getattr_tmp_dirs',`
  
  ########################################
  ## <summary>
@@ -8389,6 +8397,7 @@ index f24e369..9bce868 100644
 +	')
 +
 +	systemd_exec_systemctl($1)
++	init_reload_services($1)
 +	allow $1 automount_unit_file_t:file read_file_perms;
 +	allow $1 automount_unit_file_t:service manage_service_perms;
 +
@@ -8400,7 +8409,7 @@ index f24e369..9bce868 100644
  ##	All of the rules required to
  ##	administrate an automount environment.
  ## </summary>
-@@ -153,12 +194,16 @@ interface(`automount_admin',`
+@@ -153,12 +195,16 @@ interface(`automount_admin',`
  	gen_require(`
  		type automount_t, automount_lock_t, automount_tmp_t;
  		type automount_var_run_t, automount_initrc_exec_t;
@@ -8419,7 +8428,7 @@ index f24e369..9bce868 100644
  	init_labeled_script_domtrans($1, automount_initrc_exec_t)
  	domain_system_change_exemption($1)
  	role_transition $2 automount_initrc_exec_t system_r;
-@@ -175,4 +220,8 @@ interface(`automount_admin',`
+@@ -175,4 +221,8 @@ interface(`automount_admin',`
  
  	files_list_pids($1)
  	admin_pattern($1, automount_var_run_t)
@@ -8529,10 +8538,10 @@ index e9fe2ca..4c2d076 100644
  /usr/sbin/avahi-dnsconfd	--	gen_context(system_u:object_r:avahi_exec_t,s0)
  /usr/sbin/avahi-autoipd	--	gen_context(system_u:object_r:avahi_exec_t,s0)
 diff --git a/avahi.if b/avahi.if
-index 9078c3d..bca0ac9 100644
+index 9078c3d..2f6b250 100644
 --- a/avahi.if
 +++ b/avahi.if
-@@ -211,6 +211,29 @@ interface(`avahi_dontaudit_search_pid',`
+@@ -211,6 +211,30 @@ interface(`avahi_dontaudit_search_pid',`
  
  ########################################
  ## <summary>
@@ -8551,6 +8560,7 @@ index 9078c3d..bca0ac9 100644
 +	')
 +
 +	systemd_exec_systemctl($1)
++	init_reload_services($1)
 +	allow $1 avahi_unit_file_t:file read_file_perms;
 +	allow $1 avahi_unit_file_t:service manage_service_perms;
 +
@@ -8562,7 +8572,7 @@ index 9078c3d..bca0ac9 100644
  ##	Create specified objects in generic
  ##	pid directories with the avahi pid file type.
  ## </summary>
-@@ -258,12 +281,17 @@ interface(`avahi_filetrans_pid',`
+@@ -258,12 +282,17 @@ interface(`avahi_filetrans_pid',`
  interface(`avahi_admin',`
  	gen_require(`
  		type avahi_t, avahi_var_run_t, avahi_initrc_exec_t;
@@ -8581,7 +8591,7 @@ index 9078c3d..bca0ac9 100644
  	avahi_initrc_domtrans($1)
  	domain_system_change_exemption($1)
  	role_transition $2 avahi_initrc_exec_t system_r;
-@@ -274,4 +302,8 @@ interface(`avahi_admin',`
+@@ -274,4 +303,8 @@ interface(`avahi_admin',`
  
  	files_search_var_lib($1)
  	admin_pattern($1, avahi_var_lib_t)
@@ -8857,10 +8867,10 @@ index fb42e35..8af0e14 100644
  
  /var/lib/bcfg2(/.*)?	gen_context(system_u:object_r:bcfg2_var_lib_t,s0)
 diff --git a/bcfg2.if b/bcfg2.if
-index ec95d36..7132e1e 100644
+index ec95d36..186271b 100644
 --- a/bcfg2.if
 +++ b/bcfg2.if
-@@ -117,6 +117,31 @@ interface(`bcfg2_manage_lib_dirs',`
+@@ -117,6 +117,32 @@ interface(`bcfg2_manage_lib_dirs',`
  
  ########################################
  ## <summary>
@@ -8879,6 +8889,7 @@ index ec95d36..7132e1e 100644
 +	')
 +
 +	systemd_exec_systemctl($1)
++	init_reload_services($1)
 +	systemd_read_fifo_file_passwd_run($1)
 +	allow $1 bcfg2_unit_file_t:file read_file_perms;
 +	allow $1 bcfg2_unit_file_t:service manage_service_perms;
@@ -8892,7 +8903,7 @@ index ec95d36..7132e1e 100644
  ##	All of the rules required to
  ##	administrate an bcfg2 environment.
  ## </summary>
-@@ -136,11 +161,16 @@ interface(`bcfg2_admin',`
+@@ -136,11 +162,16 @@ interface(`bcfg2_admin',`
  	gen_require(`
  		type bcfg2_t, bcfg2_initrc_exec_t, bcfg2_var_lib_t;
  		type bcfg2_var_run_t;
@@ -8910,7 +8921,7 @@ index ec95d36..7132e1e 100644
  	bcfg2_initrc_domtrans($1)
  	domain_system_change_exemption($1)
  	role_transition $2 bcfg2_initrc_exec_t system_r;
-@@ -151,4 +181,13 @@ interface(`bcfg2_admin',`
+@@ -151,4 +182,13 @@ interface(`bcfg2_admin',`
  
  	files_search_var_lib($1)
  	admin_pattern($1, bcfg2_var_lib_t)
@@ -9073,10 +9084,10 @@ index 2b9a3a1..750788c 100644
 +/var/named/dynamic(/.*)?		gen_context(system_u:object_r:named_cache_t,s0)
 +')
 diff --git a/bind.if b/bind.if
-index 531a8f2..67b6c3d 100644
+index 531a8f2..0b86f2f 100644
 --- a/bind.if
 +++ b/bind.if
-@@ -20,6 +20,29 @@ interface(`bind_initrc_domtrans',`
+@@ -20,6 +20,30 @@ interface(`bind_initrc_domtrans',`
  
  ########################################
  ## <summary>
@@ -9095,6 +9106,7 @@ index 531a8f2..67b6c3d 100644
 +	')
 +
 +	systemd_exec_systemctl($1)
++	init_reload_services($1)
 +	allow $1 named_unit_file_t:file read_file_perms;
 +	allow $1 named_unit_file_t:service manage_service_perms;
 +
@@ -9106,7 +9118,7 @@ index 531a8f2..67b6c3d 100644
  ##	Execute ndc in the ndc domain.
  ## </summary>
  ## <param name="domain">
-@@ -169,6 +192,7 @@ interface(`bind_read_config',`
+@@ -169,6 +193,7 @@ interface(`bind_read_config',`
  		type named_conf_t;
  	')
  
@@ -9114,7 +9126,7 @@ index 531a8f2..67b6c3d 100644
  	read_files_pattern($1, named_conf_t, named_conf_t)
  ')
  
-@@ -212,6 +236,25 @@ interface(`bind_manage_config_dirs',`
+@@ -212,6 +237,25 @@ interface(`bind_manage_config_dirs',`
  
  ########################################
  ## <summary>
@@ -9140,7 +9152,7 @@ index 531a8f2..67b6c3d 100644
  ##	Search bind cache directories.
  ## </summary>
  ## <param name="domain">
-@@ -310,6 +353,27 @@ interface(`bind_read_zone',`
+@@ -310,6 +354,27 @@ interface(`bind_read_zone',`
  
  ########################################
  ## <summary>
@@ -9168,7 +9180,7 @@ index 531a8f2..67b6c3d 100644
  ##	Create, read, write, and delete
  ##	bind zone files.
  ## </summary>
-@@ -344,6 +408,25 @@ interface(`bind_udp_chat_named',`
+@@ -344,6 +409,25 @@ interface(`bind_udp_chat_named',`
  
  ########################################
  ## <summary>
@@ -9194,7 +9206,7 @@ index 531a8f2..67b6c3d 100644
  ##	All of the rules required to
  ##	administrate an bind environment.
  ## </summary>
-@@ -364,11 +447,17 @@ interface(`bind_admin',`
+@@ -364,11 +448,17 @@ interface(`bind_admin',`
  		type named_t, named_tmp_t, named_log_t;
  		type named_cache_t, named_zone_t, named_initrc_exec_t;
  		type dnssec_t, ndc_t, named_conf_t, named_var_run_t;
@@ -9215,7 +9227,7 @@ index 531a8f2..67b6c3d 100644
  
  	init_labeled_script_domtrans($1, named_initrc_exec_t)
  	domain_system_change_exemption($1)
-@@ -384,11 +473,15 @@ interface(`bind_admin',`
+@@ -384,11 +474,15 @@ interface(`bind_admin',`
  	files_list_etc($1)
  	admin_pattern($1, { named_keytab_t named_conf_t })
  
@@ -9591,7 +9603,7 @@ index 2b9c7f3..0086b95 100644
  /usr/sbin/bluetoothd	--	gen_context(system_u:object_r:bluetooth_exec_t,s0)
  /usr/sbin/hciattach	--	gen_context(system_u:object_r:bluetooth_exec_t,s0)
 diff --git a/bluetooth.if b/bluetooth.if
-index c723a0a..3e8a553 100644
+index c723a0a..b23b46a 100644
 --- a/bluetooth.if
 +++ b/bluetooth.if
 @@ -37,7 +37,12 @@ interface(`bluetooth_role',`
@@ -9648,7 +9660,7 @@ index c723a0a..3e8a553 100644
  ##	Execute bluetooth_helper in the bluetooth_helper domain.  (Deprecated)
  ## </summary>
  ## <param name="domain">
-@@ -190,6 +218,29 @@ interface(`bluetooth_dontaudit_read_helper_state',`
+@@ -190,6 +218,30 @@ interface(`bluetooth_dontaudit_read_helper_state',`
  
  ########################################
  ## <summary>
@@ -9667,6 +9679,7 @@ index c723a0a..3e8a553 100644
 +	')
 +
 +	systemd_exec_systemctl($1)
++	init_reload_services($1)
 +	allow $1 bluetooth_unit_file_t:file read_file_perms;
 +	allow $1 bluetooth_unit_file_t:service manage_service_perms;
 +
@@ -9678,7 +9691,7 @@ index c723a0a..3e8a553 100644
  ##	All of the rules required to
  ##	administrate an bluetooth environment.
  ## </summary>
-@@ -210,12 +261,16 @@ interface(`bluetooth_admin',`
+@@ -210,12 +262,16 @@ interface(`bluetooth_admin',`
  		type bluetooth_t, bluetooth_tmp_t, bluetooth_lock_t;
  		type bluetooth_var_lib_t, bluetooth_var_run_t;
  		type bluetooth_conf_t, bluetooth_conf_rw_t, bluetooth_var_lib_t;
@@ -9697,7 +9710,7 @@ index c723a0a..3e8a553 100644
  	init_labeled_script_domtrans($1, bluetooth_initrc_exec_t)
  	domain_system_change_exemption($1)
  	role_transition $2 bluetooth_initrc_exec_t system_r;
-@@ -235,4 +290,8 @@ interface(`bluetooth_admin',`
+@@ -235,4 +291,8 @@ interface(`bluetooth_admin',`
  
  	files_list_pids($1)
  	admin_pattern($1, bluetooth_var_run_t)
@@ -9822,10 +9835,10 @@ index 6d3ccad..bda740a 100644
 +
 +/var/log/boinc\.log.*				--		gen_context(system_u:object_r:boinc_log_t,s0)
 diff --git a/boinc.if b/boinc.if
-index 02fefaa..fbcef10 100644
+index 02fefaa..308616e 100644
 --- a/boinc.if
 +++ b/boinc.if
-@@ -1,9 +1,165 @@
+@@ -1,9 +1,166 @@
 -## <summary>Platform for computing using volunteered resources.</summary>
 +## <summary>policy for boinc</summary>
  
@@ -9981,6 +9994,7 @@ index 02fefaa..fbcef10 100644
 +    ')
 +
 +    systemd_exec_systemctl($1)
++	init_reload_services($1)
 +    allow $1 boinc_unit_file_t:file read_file_perms;
 +    allow $1 boinc_unit_file_t:service manage_service_perms;
 +
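Review bot: The `init_reload_services($1)` line added to boinc.if is indented with a tab, while the `systemd_exec_systemctl($1)` line above it and the two `allow` rules below it use four spaces. Matching the surrounding block, `    init_reload_services($1)`, keeps the interface readable and avoids whitespace noise in later diffs of this patch. The clamav.if hunk has the same mismatch, a tab against eight-space neighbours. The interface body starts and ends outside this hunk.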
@@ -9994,7 +10008,7 @@ index 02fefaa..fbcef10 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -19,26 +175,32 @@
+@@ -19,26 +176,32 @@
  #
  interface(`boinc_admin',`
  	gen_require(`
@@ -10361,10 +10375,10 @@ index 0000000..d541924
 +
 diff --git a/brltty.if b/brltty.if
 new file mode 100644
-index 0000000..b552259
+index 0000000..968c957
 --- /dev/null
 +++ b/brltty.if
-@@ -0,0 +1,79 @@
+@@ -0,0 +1,80 @@
 +
 +## <summary>brltty is refreshable braille display driver for Linux/Unix</summary>
 +
@@ -10403,6 +10417,7 @@ index 0000000..b552259
 +	')
 +
 +	systemd_exec_systemctl($1)
++	init_reload_services($1)
 +    systemd_read_fifo_file_passwd_run($1)
 +	allow $1 brltty_unit_file_t:file read_file_perms;
 +	allow $1 brltty_unit_file_t:service manage_service_perms;
@@ -10693,10 +10708,10 @@ index 0000000..b5ee23b
 +/var/run/bumblebee.*			gen_context(system_u:object_r:bumblebee_var_run_t,s0)
 diff --git a/bumblebee.if b/bumblebee.if
 new file mode 100644
-index 0000000..de66654
+index 0000000..2d2e60c
 --- /dev/null
 +++ b/bumblebee.if
-@@ -0,0 +1,121 @@
+@@ -0,0 +1,122 @@
 +## <summary>policy for bumblebee</summary>
 +
 +########################################
@@ -10754,6 +10769,7 @@ index 0000000..de66654
 +	')
 +
 +	systemd_exec_systemctl($1)
++	init_reload_services($1)
 +    systemd_read_fifo_file_passwd_run($1)
 +	allow $1 bumblebee_unit_file_t:file read_file_perms;
 +	allow $1 bumblebee_unit_file_t:service manage_service_perms;
@@ -12333,7 +12349,7 @@ index 4e4143e..d5e0260 100644
  
  /var/lib/chrony(/.*)?	gen_context(system_u:object_r:chronyd_var_lib_t,s0)
 diff --git a/chronyd.if b/chronyd.if
-index 32e8265..0de4af3 100644
+index 32e8265..74fd151 100644
 --- a/chronyd.if
 +++ b/chronyd.if
 @@ -100,8 +100,7 @@ interface(`chronyd_rw_shm',`
@@ -12370,7 +12386,7 @@ index 32e8265..0de4af3 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -129,18 +126,61 @@ interface(`chronyd_stream_connect',`
+@@ -129,18 +126,62 @@ interface(`chronyd_stream_connect',`
  ##	</summary>
  ## </param>
  #
@@ -12400,6 +12416,7 @@ index 32e8265..0de4af3 100644
 +	')
 +
 +	systemd_exec_systemctl($1)
++	init_reload_services($1)
 +	allow $1 chronyd_unit_file_t:file read_file_perms;
 +	allow $1 chronyd_unit_file_t:service manage_service_perms;
 +
@@ -12435,7 +12452,7 @@ index 32e8265..0de4af3 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -148,13 +188,13 @@ interface(`chronyd_dgram_send',`
+@@ -148,13 +189,13 @@ interface(`chronyd_dgram_send',`
  ##	</summary>
  ## </param>
  #
@@ -12453,7 +12470,7 @@ index 32e8265..0de4af3 100644
  ')
  
  ####################################
-@@ -176,28 +216,38 @@ interface(`chronyd_read_key_files',`
+@@ -176,28 +217,38 @@ interface(`chronyd_read_key_files',`
  #
  interface(`chronyd_admin',`
  	gen_require(`
@@ -12866,7 +12883,7 @@ index d72afcc..c53b80d 100644
  /usr/sbin/clamav-milter	--	gen_context(system_u:object_r:clamd_exec_t,s0)
  
 diff --git a/clamav.if b/clamav.if
-index 4cc4a5c..99c5cca 100644
+index 4cc4a5c..a6c6322 100644
 --- a/clamav.if
 +++ b/clamav.if
 @@ -1,4 +1,4 @@
@@ -12969,7 +12986,7 @@ index 4cc4a5c..99c5cca 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -166,21 +142,62 @@ interface(`clamav_exec_clamscan',`
+@@ -166,21 +142,63 @@ interface(`clamav_exec_clamscan',`
  ##	</summary>
  ## </param>
  #
@@ -13024,6 +13041,7 @@ index 4cc4a5c..99c5cca 100644
 +        ')
 +
 +        systemd_exec_systemctl($1)
++	init_reload_services($1)
 +        systemd_read_fifo_file_passwd_run($1)
 +        allow $1 clamd_unit_file_t:file read_file_perms;
 +        allow $1 clamd_unit_file_t:service manage_service_perms;
@@ -13040,7 +13058,7 @@ index 4cc4a5c..99c5cca 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -189,7 +206,7 @@ interface(`clamav_read_state_clamd',`
+@@ -189,7 +207,7 @@ interface(`clamav_read_state_clamd',`
  ## </param>
  ## <param name="role">
  ##	<summary>
@@ -13049,7 +13067,7 @@ index 4cc4a5c..99c5cca 100644
  ##	</summary>
  ## </param>
  ## <rolecap/>
-@@ -197,19 +214,36 @@ interface(`clamav_read_state_clamd',`
+@@ -197,19 +215,36 @@ interface(`clamav_read_state_clamd',`
  interface(`clamav_admin',`
  	gen_require(`
  		type clamd_t, clamd_etc_t, clamd_tmp_t;
@@ -13090,7 +13108,7 @@ index 4cc4a5c..99c5cca 100644
  	files_list_etc($1)
  	admin_pattern($1, clamd_etc_t)
  
-@@ -217,11 +251,21 @@ interface(`clamav_admin',`
+@@ -217,11 +252,21 @@ interface(`clamav_admin',`
  	admin_pattern($1, clamd_var_lib_t)
  
  	logging_list_logs($1)
@@ -13919,10 +13937,10 @@ index 0000000..bb87537
 +/var/lib/cockpit(/.*)?      gen_context(system_u:object_r:cockpit_var_lib_t,s0)
 diff --git a/cockpit.if b/cockpit.if
 new file mode 100644
-index 0000000..573dcae
+index 0000000..a8a678a
 --- /dev/null
 +++ b/cockpit.if
-@@ -0,0 +1,188 @@
+@@ -0,0 +1,189 @@
 +## <summary>policy for cockpit</summary>
 +
 +########################################
@@ -14056,6 +14074,7 @@ index 0000000..573dcae
 +	')
 +
 +	systemd_exec_systemctl($1)
++	init_reload_services($1)
 +        systemd_read_fifo_file_passwd_run($1)
 +	allow $1 cockpit_unit_file_t:file read_file_perms;
 +	allow $1 cockpit_unit_file_t:service manage_service_perms;
@@ -14234,10 +14253,10 @@ index 79a3abe..3237fb0 100644
 -/usr/share/collectd/collection3/bin/.*\.cgi	--	gen_context(system_u:object_r:httpd_collectd_script_exec_t,s0)
 +/usr/share/collectd/collection3/bin/.*\.cgi	--	gen_context(system_u:object_r:collectd_script_exec_t,s0)
 diff --git a/collectd.if b/collectd.if
-index 954309e..f4db2ca 100644
+index 954309e..6780142 100644
 --- a/collectd.if
 +++ b/collectd.if
-@@ -2,8 +2,144 @@
+@@ -2,8 +2,145 @@
  
  ########################################
  ## <summary>
@@ -14371,6 +14390,7 @@ index 954309e..f4db2ca 100644
 +	')
 +
 +	systemd_exec_systemctl($1)
++	init_reload_services($1)
 +	allow $1 collectd_unit_file_t:file read_file_perms;
 +	allow $1 collectd_unit_file_t:service manage_service_perms;
 +
@@ -14384,7 +14404,7 @@ index 954309e..f4db2ca 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -20,13 +156,17 @@
+@@ -20,13 +157,17 @@
  interface(`collectd_admin',`
  	gen_require(`
  		type collectd_t, collectd_initrc_exec_t, collectd_var_run_t;
@@ -14405,7 +14425,7 @@ index 954309e..f4db2ca 100644
  	domain_system_change_exemption($1)
  	role_transition $2 collectd_initrc_exec_t system_r;
  	allow $2 system_r;
-@@ -36,4 +176,9 @@ interface(`collectd_admin',`
+@@ -36,4 +177,9 @@ interface(`collectd_admin',`
  
  	files_search_var_lib($1)
  	admin_pattern($1, collectd_var_lib_t)
@@ -14539,7 +14559,7 @@ index 71639eb..08ab891 100644
  /var/lib/color(/.*)?	gen_context(system_u:object_r:colord_var_lib_t,s0)
  /var/lib/colord(/.*)?	gen_context(system_u:object_r:colord_var_lib_t,s0)
 diff --git a/colord.if b/colord.if
-index 8e27a37..825f537 100644
+index 8e27a37..c69be28 100644
 --- a/colord.if
 +++ b/colord.if
 @@ -1,4 +1,4 @@
@@ -14564,7 +14584,7 @@ index 8e27a37..825f537 100644
  ')
  
  ######################################
-@@ -58,3 +58,26 @@ interface(`colord_read_lib_files',`
+@@ -58,3 +58,27 @@ interface(`colord_read_lib_files',`
  	files_search_var_lib($1)
  	read_files_pattern($1, colord_var_lib_t, colord_var_lib_t)
  ')
@@ -14586,6 +14606,7 @@ index 8e27a37..825f537 100644
 +	')
 +
 +	systemd_exec_systemctl($1)
++	init_reload_services($1)
 +	allow $1 colord_unit_file_t:file read_file_perms;
 +	allow $1 colord_unit_file_t:service manage_service_perms;
 +
@@ -14753,10 +14774,10 @@ index ad2b696..28d1af0 100644
  /usr/sbin/condor_collector	--	gen_context(system_u:object_r:condor_collector_exec_t,s0)
  /usr/sbin/condor_master	--	gen_context(system_u:object_r:condor_master_exec_t,s0)
 diff --git a/condor.if b/condor.if
-index 881d92f..4998ee9 100644
+index 881d92f..a2d588a 100644
 --- a/condor.if
 +++ b/condor.if
-@@ -1,75 +1,390 @@
+@@ -1,75 +1,391 @@
 -## <summary>High-Throughput Computing System.</summary>
 +
 +## <summary>policy for condor</summary>
@@ -15103,6 +15124,7 @@ index 881d92f..4998ee9 100644
 +	')
 +
 +	systemd_exec_systemctl($1)
++	init_reload_services($1)
 +	systemd_read_fifo_file_passwd_run($1)
 +	allow $1 condor_unit_file_t:file read_file_perms;
 +	allow $1 condor_unit_file_t:service manage_service_perms;
@@ -15185,7 +15207,7 @@ index 881d92f..4998ee9 100644
  
  	files_search_etc($1)
  	admin_pattern($1, condor_conf_t)
-@@ -77,8 +392,8 @@ interface(`condor_admin',`
+@@ -77,8 +393,8 @@ interface(`condor_admin',`
  	logging_search_logs($1)
  	admin_pattern($1, condor_log_t)
  
@@ -15196,7 +15218,7 @@ index 881d92f..4998ee9 100644
  
  	files_search_var_lib($1)
  	admin_pattern($1, condor_var_lib_t)
-@@ -88,4 +403,13 @@ interface(`condor_admin',`
+@@ -88,4 +404,13 @@ interface(`condor_admin',`
  
  	files_search_tmp($1)
  	admin_pattern($1, { condor_schedd_tmp_t condor_startd_tmp_t })
@@ -15386,10 +15408,10 @@ index 0000000..d2f5c80
 +/var/run/conmand.*      --      gen_context(system_u:object_r:conman_var_run_t,s0)
 diff --git a/conman.if b/conman.if
 new file mode 100644
-index 0000000..54b4b04
+index 0000000..1cc5fa4
 --- /dev/null
 +++ b/conman.if
-@@ -0,0 +1,142 @@
+@@ -0,0 +1,143 @@
 +## <summary>Conman is a program for connecting to remote consoles being managed by conmand</summary>
 +
 +########################################
@@ -15486,6 +15508,7 @@ index 0000000..54b4b04
 +	')
 +
 +	systemd_exec_systemctl($1)
++	init_reload_services($1)
 +    systemd_read_fifo_file_passwd_run($1)
 +	allow $1 conman_unit_file_t:file read_file_perms;
 +	allow $1 conman_unit_file_t:service manage_service_perms;
@@ -15604,7 +15627,7 @@ index 23c9558..29e5fd3 100644
  
  /var/log/ConsoleKit(/.*)?	gen_context(system_u:object_r:consolekit_log_t,s0)
 diff --git a/consolekit.if b/consolekit.if
-index 5b830ec..0647a3b 100644
+index 5b830ec..78025c5 100644
 --- a/consolekit.if
 +++ b/consolekit.if
 @@ -21,6 +21,27 @@ interface(`consolekit_domtrans',`
@@ -15660,7 +15683,7 @@ index 5b830ec..0647a3b 100644
  ##	Read consolekit log files.
  ## </summary>
  ## <param name="domain">
-@@ -98,3 +137,64 @@ interface(`consolekit_read_pid_files',`
+@@ -98,3 +137,65 @@ interface(`consolekit_read_pid_files',`
  	allow $1 consolekit_var_run_t:dir list_dir_perms;
  	read_files_pattern($1, consolekit_var_run_t, consolekit_var_run_t)
  ')
@@ -15720,6 +15743,7 @@ index 5b830ec..0647a3b 100644
 +	')
 +
 +	systemd_exec_systemctl($1)
++	init_reload_services($1)
 +	allow $1 consolekit_unit_file_t:file read_file_perms;
 +	allow $1 consolekit_unit_file_t:service manage_service_perms;
 +
@@ -15834,7 +15858,7 @@ index da39f0f..6a96733 100644
  /usr/sbin/corosync-notifyd	--	gen_context(system_u:object_r:corosync_exec_t,s0)
  
 diff --git a/corosync.if b/corosync.if
-index 694a037..b836c07 100644
+index 694a037..d859681 100644
 --- a/corosync.if
 +++ b/corosync.if
 @@ -77,6 +77,25 @@ interface(`corosync_read_log',`
@@ -15863,7 +15887,7 @@ index 694a037..b836c07 100644
  #####################################
  ## <summary>
  ##	Connect to corosync over a unix
-@@ -91,29 +110,54 @@ interface(`corosync_read_log',`
+@@ -91,29 +110,55 @@ interface(`corosync_read_log',`
  interface(`corosync_stream_connect',`
  	gen_require(`
  		type corosync_t, corosync_var_run_t;
@@ -15917,6 +15941,7 @@ index 694a037..b836c07 100644
 -	fs_search_tmpfs($1)
 -	rw_files_pattern($1, corosync_tmpfs_t, corosync_tmpfs_t)
 +	systemd_exec_systemctl($1)
++	init_reload_services($1)
 +	allow $1 corosync_unit_file_t:file read_file_perms;
 +	allow $1 corosync_unit_file_t:service manage_service_perms;
 +
@@ -15924,7 +15949,7 @@ index 694a037..b836c07 100644
  ')
  
  ######################################
-@@ -160,12 +204,17 @@ interface(`corosync_admin',`
+@@ -160,12 +205,17 @@ interface(`corosync_admin',`
  		type corosync_t, corosync_var_lib_t, corosync_var_log_t;
  		type corosync_var_run_t, corosync_tmp_t, corosync_tmpfs_t;
  		type corosync_initrc_exec_t;
@@ -15944,7 +15969,7 @@ index 694a037..b836c07 100644
  	domain_system_change_exemption($1)
  	role_transition $2 corosync_initrc_exec_t system_r;
  	allow $2 system_r;
-@@ -183,4 +232,8 @@ interface(`corosync_admin',`
+@@ -183,4 +233,8 @@ interface(`corosync_admin',`
  
  	files_list_pids($1)
  	admin_pattern($1, corosync_var_run_t)
@@ -16044,7 +16069,7 @@ index c086302..5380ab6 100644
  /var/lib/couchdb(/.*)?	gen_context(system_u:object_r:couchdb_var_lib_t,s0)
  
 diff --git a/couchdb.if b/couchdb.if
-index 715a826..3f0c0dc 100644
+index 715a826..a1cbdb2 100644
 --- a/couchdb.if
 +++ b/couchdb.if
 @@ -2,7 +2,7 @@
@@ -16145,7 +16170,7 @@ index 715a826..3f0c0dc 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -73,19 +112,87 @@ interface(`couchdb_read_pid_files',`
+@@ -73,19 +112,88 @@ interface(`couchdb_read_pid_files',`
  	')
  
  	files_search_pids($1)
@@ -16216,6 +16241,7 @@ index 715a826..3f0c0dc 100644
 +	')
 +
 +	systemd_exec_systemctl($1)
++	init_reload_services($1)
 +	systemd_read_fifo_file_passwd_run($1)
 +	allow $1 couchdb_unit_file_t:file read_file_perms;
 +	allow $1 couchdb_unit_file_t:service manage_service_perms;
@@ -16237,7 +16263,7 @@ index 715a826..3f0c0dc 100644
  ## <param name="role">
  ##	<summary>
  ##	Role allowed access.
-@@ -95,14 +202,19 @@ interface(`couchdb_read_pid_files',`
+@@ -95,14 +203,19 @@ interface(`couchdb_read_pid_files',`
  #
  interface(`couchdb_admin',`
  	gen_require(`
@@ -16258,7 +16284,7 @@ index 715a826..3f0c0dc 100644
  	init_labeled_script_domtrans($1, couchdb_initrc_exec_t)
  	domain_system_change_exemption($1)
  	role_transition $2 couchdb_initrc_exec_t system_r;
-@@ -122,4 +234,13 @@ interface(`couchdb_admin',`
+@@ -122,4 +235,13 @@ interface(`couchdb_admin',`
  
  	files_search_pids($1)
  	admin_pattern($1, couchdb_var_run_t)
@@ -16905,7 +16931,7 @@ index ad0bae9..615a947 100644
 +/var/spool/cron/tabs		-d	gen_context(system_u:object_r:cron_spool_t,s0)
  ')
 diff --git a/cron.if b/cron.if
-index 1303b30..615caac 100644
+index 1303b30..759412f 100644
 --- a/cron.if
 +++ b/cron.if
 @@ -2,11 +2,12 @@
@@ -17353,7 +17379,7 @@ index 1303b30..615caac 100644
  	can_exec($1, crond_exec_t)
  ')
  
-@@ -376,7 +392,31 @@ interface(`cron_initrc_domtrans',`
+@@ -376,7 +392,32 @@ interface(`cron_initrc_domtrans',`
  
  ########################################
  ## <summary>
@@ -17373,6 +17399,7 @@ index 1303b30..615caac 100644
 +	')
 +
 +	systemd_exec_systemctl($1)
++	init_reload_services($1)
 +	allow $1 crond_unit_file_t:file read_file_perms;
 +	allow $1 crond_unit_file_t:service manage_service_perms;
 +
@@ -17386,7 +17413,7 @@ index 1303b30..615caac 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -394,7 +434,7 @@ interface(`cron_use_fds',`
+@@ -394,7 +435,7 @@ interface(`cron_use_fds',`
  
  ########################################
  ## <summary>
@@ -17395,7 +17422,7 @@ index 1303b30..615caac 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -412,7 +452,7 @@ interface(`cron_sigchld',`
+@@ -412,7 +453,7 @@ interface(`cron_sigchld',`
  
  ########################################
  ## <summary>
@@ -17404,7 +17431,7 @@ index 1303b30..615caac 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -420,17 +460,17 @@ interface(`cron_sigchld',`
+@@ -420,17 +461,17 @@ interface(`cron_sigchld',`
  ##	</summary>
  ## </param>
  #
@@ -17426,7 +17453,7 @@ index 1303b30..615caac 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -438,17 +478,17 @@ interface(`cron_setattr_log_files',`
+@@ -438,17 +479,17 @@ interface(`cron_setattr_log_files',`
  ##	</summary>
  ## </param>
  #
@@ -17448,7 +17475,7 @@ index 1303b30..615caac 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -456,18 +496,20 @@ interface(`cron_create_log_files',`
+@@ -456,18 +497,20 @@ interface(`cron_create_log_files',`
  ##	</summary>
  ## </param>
  #
@@ -17474,7 +17501,7 @@ index 1303b30..615caac 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -475,48 +517,37 @@ interface(`cron_write_log_files',`
+@@ -475,48 +518,37 @@ interface(`cron_write_log_files',`
  ##	</summary>
  ## </param>
  #
@@ -17534,7 +17561,7 @@ index 1303b30..615caac 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -524,18 +555,17 @@ interface(`cron_generic_log_filetrans_log',`
+@@ -524,18 +556,17 @@ interface(`cron_generic_log_filetrans_log',`
  ##	</summary>
  ## </param>
  #
@@ -17556,7 +17583,7 @@ index 1303b30..615caac 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -543,17 +573,17 @@ interface(`cron_read_pipes',`
+@@ -543,17 +574,17 @@ interface(`cron_read_pipes',`
  ##	</summary>
  ## </param>
  #
@@ -17577,7 +17604,7 @@ index 1303b30..615caac 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -561,17 +591,35 @@ interface(`cron_dontaudit_write_pipes',`
+@@ -561,17 +592,35 @@ interface(`cron_dontaudit_write_pipes',`
  ##	</summary>
  ## </param>
  #
@@ -17617,7 +17644,7 @@ index 1303b30..615caac 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -589,8 +637,7 @@ interface(`cron_rw_tcp_sockets',`
+@@ -589,8 +638,7 @@ interface(`cron_rw_tcp_sockets',`
  
  ########################################
  ## <summary>
@@ -17627,7 +17654,7 @@ index 1303b30..615caac 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -608,7 +655,7 @@ interface(`cron_dontaudit_rw_tcp_sockets',`
+@@ -608,7 +656,7 @@ interface(`cron_dontaudit_rw_tcp_sockets',`
  
  ########################################
  ## <summary>
@@ -17636,7 +17663,7 @@ index 1303b30..615caac 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -627,8 +674,26 @@ interface(`cron_search_spool',`
+@@ -627,8 +675,26 @@ interface(`cron_search_spool',`
  
  ########################################
  ## <summary>
@@ -17665,7 +17692,7 @@ index 1303b30..615caac 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -641,13 +706,13 @@ interface(`cron_manage_pid_files',`
+@@ -641,13 +707,13 @@ interface(`cron_manage_pid_files',`
  		type crond_var_run_t;
  	')
  
@@ -17681,7 +17708,7 @@ index 1303b30..615caac 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -660,13 +725,13 @@ interface(`cron_anacron_domtrans_system_job',`
+@@ -660,13 +726,13 @@ interface(`cron_anacron_domtrans_system_job',`
  		type system_cronjob_t, anacron_exec_t;
  	')
  
@@ -17697,7 +17724,7 @@ index 1303b30..615caac 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -684,7 +749,7 @@ interface(`cron_use_system_job_fds',`
+@@ -684,7 +750,7 @@ interface(`cron_use_system_job_fds',`
  
  ########################################
  ## <summary>
@@ -17706,7 +17733,7 @@ index 1303b30..615caac 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -692,19 +757,17 @@ interface(`cron_use_system_job_fds',`
+@@ -692,19 +758,17 @@ interface(`cron_use_system_job_fds',`
  ##	</summary>
  ## </param>
  #
@@ -17730,7 +17757,7 @@ index 1303b30..615caac 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -712,18 +775,17 @@ interface(`cron_read_system_job_lib_files',`
+@@ -712,18 +776,17 @@ interface(`cron_read_system_job_lib_files',`
  ##	</summary>
  ## </param>
  #
@@ -17753,7 +17780,7 @@ index 1303b30..615caac 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -731,18 +793,17 @@ interface(`cron_manage_system_job_lib_files',`
+@@ -731,18 +794,17 @@ interface(`cron_manage_system_job_lib_files',`
  ##	</summary>
  ## </param>
  #
@@ -17775,7 +17802,7 @@ index 1303b30..615caac 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -750,86 +811,142 @@ interface(`cron_write_system_job_pipes',`
+@@ -750,86 +812,142 @@ interface(`cron_write_system_job_pipes',`
  ##	</summary>
  ## </param>
  #
@@ -19438,7 +19465,7 @@ index 949011e..9437dbe 100644
 +/etc/opt/brother/Printers/(.*/)?inf(/.*)?        gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
 +/opt/brother/Printers(.*/)?inf(/.*)?      gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
 diff --git a/cups.if b/cups.if
-index 3023be7..303af85 100644
+index 3023be7..0317731 100644
 --- a/cups.if
 +++ b/cups.if
 @@ -200,10 +200,13 @@ interface(`cups_dbus_chat_config',`
@@ -19456,7 +19483,7 @@ index 3023be7..303af85 100644
  ')
  
  ########################################
-@@ -306,6 +309,29 @@ interface(`cups_stream_connect_ptal',`
+@@ -306,6 +309,30 @@ interface(`cups_stream_connect_ptal',`
  
  ########################################
  ## <summary>
@@ -19475,6 +19502,7 @@ index 3023be7..303af85 100644
 +	')
 +
 +	systemd_exec_systemctl($1)
++	init_reload_services($1)
 +	allow $1 cupsd_unit_file_t:file read_file_perms;
 +	allow $1 cupsd_unit_file_t:service manage_service_perms;
 +
@@ -19486,7 +19514,7 @@ index 3023be7..303af85 100644
  ##	Read the process state (/proc/pid) of cupsd.
  ## </summary>
  ## <param name="domain">
-@@ -344,18 +370,23 @@ interface(`cups_read_state',`
+@@ -344,18 +371,23 @@ interface(`cups_read_state',`
  interface(`cups_admin',`
  	gen_require(`
  		type cupsd_t, cupsd_tmp_t, cupsd_lpd_tmp_t;
@@ -19515,7 +19543,7 @@ index 3023be7..303af85 100644
  
  	init_labeled_script_domtrans($1, cupsd_initrc_exec_t)
  	domain_system_change_exemption($1)
-@@ -368,13 +399,45 @@ interface(`cups_admin',`
+@@ -368,13 +400,45 @@ interface(`cups_admin',`
  	logging_list_logs($1)
  	admin_pattern($1, cupsd_log_t)
  
@@ -23022,7 +23050,7 @@ index 8182c48..0b9bb97 100644
  /var/lib/dhcpd(/.*)?	gen_context(system_u:object_r:dhcpd_state_t,s0)
  /var/lib/dhcp(3)?/dhcpd\.leases.*	--	gen_context(system_u:object_r:dhcpd_state_t,s0)
 diff --git a/dhcp.if b/dhcp.if
-index c697edb..31d45bf 100644
+index c697edb..954c090 100644
 --- a/dhcp.if
 +++ b/dhcp.if
 @@ -36,7 +36,7 @@ interface(`dhcpd_setattr_state_files',`
@@ -23034,7 +23062,7 @@ index c697edb..31d45bf 100644
  ')
  
  ########################################
-@@ -60,6 +60,30 @@ interface(`dhcpd_initrc_domtrans',`
+@@ -60,6 +60,31 @@ interface(`dhcpd_initrc_domtrans',`
  
  ########################################
  ## <summary>
@@ -23053,6 +23081,7 @@ index c697edb..31d45bf 100644
 +	')
 +
 +	systemd_exec_systemctl($1)
++	init_reload_services($1)
 +	systemd_search_unit_dirs($1)
 +	allow $1 dhcpd_unit_file_t:file read_file_perms;
 +	allow $1 dhcpd_unit_file_t:service manage_service_perms;
@@ -23065,7 +23094,7 @@ index c697edb..31d45bf 100644
  ##	All of the rules required to
  ##	administrate an dhcpd environment.
  ## </summary>
-@@ -79,11 +103,16 @@ interface(`dhcpd_admin',`
+@@ -79,11 +104,16 @@ interface(`dhcpd_admin',`
  	gen_require(`
  		type dhcpd_t, dhcpd_tmp_t, dhcpd_state_t;
  		type dhcpd_var_run_t, dhcpd_initrc_exec_t;
@@ -23083,7 +23112,7 @@ index c697edb..31d45bf 100644
  	init_labeled_script_domtrans($1, dhcpd_initrc_exec_t)
  	domain_system_change_exemption($1)
  	role_transition $2 dhcpd_initrc_exec_t system_r;
-@@ -97,4 +126,8 @@ interface(`dhcpd_admin',`
+@@ -97,4 +127,8 @@ interface(`dhcpd_admin',`
  
  	files_list_pids($1)
  	admin_pattern($1, dhcpd_var_run_t)
@@ -24160,7 +24189,7 @@ index 23ab808..84735a8 100644
 +/var/run/dnsmasq.*		gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
  /var/run/libvirt/network(/.*)?	gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
 diff --git a/dnsmasq.if b/dnsmasq.if
-index 19aa0b8..b9895ba 100644
+index 19aa0b8..45c70c1 100644
 --- a/dnsmasq.if
 +++ b/dnsmasq.if
 @@ -10,7 +10,6 @@
@@ -24214,7 +24243,7 @@ index 19aa0b8..b9895ba 100644
  ########################################
  ## <summary>
  ##	Execute the dnsmasq init script in
-@@ -42,6 +77,48 @@ interface(`dnsmasq_initrc_domtrans',`
+@@ -42,6 +77,49 @@ interface(`dnsmasq_initrc_domtrans',`
  
  ########################################
  ## <summary>
@@ -24233,6 +24262,7 @@ index 19aa0b8..b9895ba 100644
 +	')
 +
 +	systemd_exec_systemctl($1)
++	init_reload_services($1)
 +	allow $1 dnsmasq_unit_file_t:file read_file_perms;
 +	allow $1 dnsmasq_unit_file_t:service manage_service_perms;
 +
@@ -24263,7 +24293,7 @@ index 19aa0b8..b9895ba 100644
  ##	Send generic signals to dnsmasq.
  ## </summary>
  ## <param name="domain">
-@@ -145,15 +222,16 @@ interface(`dnsmasq_write_config',`
+@@ -145,15 +223,16 @@ interface(`dnsmasq_write_config',`
  ##	</summary>
  ## </param>
  #
@@ -24281,7 +24311,7 @@ index 19aa0b8..b9895ba 100644
  ########################################
  ## <summary>
  ##	Create, read, write, and delete
-@@ -176,7 +254,7 @@ interface(`dnsmasq_manage_pid_files',`
+@@ -176,7 +255,7 @@ interface(`dnsmasq_manage_pid_files',`
  
  ########################################
  ## <summary>
@@ -24290,7 +24320,7 @@ index 19aa0b8..b9895ba 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -184,12 +262,12 @@ interface(`dnsmasq_manage_pid_files',`
+@@ -184,12 +263,12 @@ interface(`dnsmasq_manage_pid_files',`
  ##	</summary>
  ## </param>
  #
@@ -24304,7 +24334,7 @@ index 19aa0b8..b9895ba 100644
  	read_files_pattern($1, dnsmasq_var_run_t, dnsmasq_var_run_t)
  ')
  
-@@ -214,37 +292,66 @@ interface(`dnsmasq_create_pid_dirs',`
+@@ -214,37 +293,66 @@ interface(`dnsmasq_create_pid_dirs',`
  
  ########################################
  ## <summary>
@@ -24385,7 +24415,7 @@ index 19aa0b8..b9895ba 100644
  ')
  
  ########################################
-@@ -267,12 +374,18 @@ interface(`dnsmasq_spec_filetrans_pid',`
+@@ -267,12 +375,18 @@ interface(`dnsmasq_spec_filetrans_pid',`
  interface(`dnsmasq_admin',`
  	gen_require(`
  		type dnsmasq_t, dnsmasq_lease_t, dnsmasq_var_run_t;
@@ -24406,7 +24436,7 @@ index 19aa0b8..b9895ba 100644
  	init_labeled_script_domtrans($1, dnsmasq_initrc_exec_t)
  	domain_system_change_exemption($1)
  	role_transition $2 dnsmasq_initrc_exec_t system_r;
-@@ -281,9 +394,13 @@ interface(`dnsmasq_admin',`
+@@ -281,9 +395,13 @@ interface(`dnsmasq_admin',`
  	files_list_var_lib($1)
  	admin_pattern($1, dnsmasq_lease_t)
  
@@ -24692,10 +24722,10 @@ index 0000000..fd679a1
 +/var/lib/docker/.*/config\.env	gen_context(system_u:object_r:docker_share_t,s0)
 diff --git a/docker.if b/docker.if
 new file mode 100644
-index 0000000..2a614ed
+index 0000000..114764c
 --- /dev/null
 +++ b/docker.if
-@@ -0,0 +1,365 @@
+@@ -0,0 +1,366 @@
 +
 +## <summary>The open-source application container engine.</summary>
 +
@@ -24923,6 +24953,7 @@ index 0000000..2a614ed
 +	')
 +
 +	systemd_exec_systemctl($1)
++	init_reload_services($1)
 +        systemd_read_fifo_file_passwd_run($1)
 +	allow $1 docker_unit_file_t:file read_file_perms;
 +	allow $1 docker_unit_file_t:service manage_service_perms;
@@ -26722,10 +26753,10 @@ index 0000000..eac30a3
 +/var/lib/etcd(/.*)?                 gen_context(system_u:object_r:etcd_var_lib_t,s0)
 diff --git a/etcd.if b/etcd.if
 new file mode 100644
-index 0000000..0827ab7
+index 0000000..d5386d9
 --- /dev/null
 +++ b/etcd.if
-@@ -0,0 +1,165 @@
+@@ -0,0 +1,166 @@
 +## <summary>A highly-available key value store for shared configuration.</summary>
 +
 +########################################
@@ -26840,6 +26871,7 @@ index 0000000..0827ab7
 +	')
 +
 +	systemd_exec_systemctl($1)
++	init_reload_services($1)
 +    systemd_read_fifo_file_passwd_run($1)
 +	allow $1 etcd_unit_file_t:file read_file_perms;
 +	allow $1 etcd_unit_file_t:service manage_service_perms;
@@ -27830,7 +27862,7 @@ index 21d7b84..0e272bd 100644
  
  /etc/firewalld(/.*)?	gen_context(system_u:object_r:firewalld_etc_rw_t,s0)
 diff --git a/firewalld.if b/firewalld.if
-index c62c567..1893f7f 100644
+index c62c567..6460877 100644
 --- a/firewalld.if
 +++ b/firewalld.if
 @@ -2,7 +2,7 @@
@@ -27851,7 +27883,7 @@ index c62c567..1893f7f 100644
  	gen_require(`
  		type firewalld_etc_rw_t;
  	')
-@@ -21,6 +21,47 @@ interface(`firewalld_read_config_files',`
+@@ -21,6 +21,48 @@ interface(`firewalld_read_config_files',`
  
  ########################################
  ## <summary>
@@ -27888,6 +27920,7 @@ index c62c567..1893f7f 100644
 +	')
 +
 +	systemd_exec_systemctl($1)
++	init_reload_services($1)
 +	allow $1 firewalld_unit_file_t:file read_file_perms;
 +	allow $1 firewalld_unit_file_t:service manage_service_perms;
 +
@@ -27899,7 +27932,7 @@ index c62c567..1893f7f 100644
  ##	Send and receive messages from
  ##	firewalld over dbus.
  ## </summary>
-@@ -42,8 +83,8 @@ interface(`firewalld_dbus_chat',`
+@@ -42,8 +84,8 @@ interface(`firewalld_dbus_chat',`
  
  ########################################
  ## <summary>
@@ -27910,7 +27943,7 @@ index c62c567..1893f7f 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -51,18 +92,18 @@ interface(`firewalld_dbus_chat',`
+@@ -51,18 +93,18 @@ interface(`firewalld_dbus_chat',`
  ##	</summary>
  ## </param>
  #
@@ -27933,7 +27966,7 @@ index c62c567..1893f7f 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -79,14 +120,18 @@ interface(`firewalld_dontaudit_rw_tmp_files',`
+@@ -79,14 +121,18 @@ interface(`firewalld_dontaudit_rw_tmp_files',`
  interface(`firewalld_admin',`
  	gen_require(`
  		type firewalld_t, firewalld_initrc_exec_t;
@@ -27955,7 +27988,7 @@ index c62c567..1893f7f 100644
  	domain_system_change_exemption($1)
  	role_transition $2 firewalld_initrc_exec_t system_r;
  	allow $2 system_r;
-@@ -97,6 +142,9 @@ interface(`firewalld_admin',`
+@@ -97,6 +143,9 @@ interface(`firewalld_admin',`
  	logging_search_logs($1)
  	admin_pattern($1, firewalld_var_log_t)
  
@@ -28744,10 +28777,10 @@ index ddb75c1..44f74e6 100644
  
  /etc/rc\.d/init\.d/vsftpd	--	gen_context(system_u:object_r:ftpd_initrc_exec_t,s0)
 diff --git a/ftp.if b/ftp.if
-index 4498143..77bbcef 100644
+index 4498143..84a4858 100644
 --- a/ftp.if
 +++ b/ftp.if
-@@ -1,5 +1,66 @@
+@@ -1,5 +1,67 @@
  ## <summary>File transfer protocol service.</summary>
  
 +######################################
@@ -28805,6 +28838,7 @@ index 4498143..77bbcef 100644
 +	')
 +
 +	systemd_exec_systemctl($1)
++	init_reload_services($1)
 +	allow $1 ftpd_unit_file_t:file read_file_perms;
 +	allow $1 ftpd_unit_file_t:service manage_service_perms;
 +
@@ -28814,7 +28848,7 @@ index 4498143..77bbcef 100644
  #######################################
  ## <summary>
  ##	Execute a dyntransition to run anon sftpd.
-@@ -179,8 +240,11 @@ interface(`ftp_admin',`
+@@ -179,8 +241,11 @@ interface(`ftp_admin',`
  		type ftpd_keytab_t;
  	')
  
@@ -28827,7 +28861,7 @@ index 4498143..77bbcef 100644
  
  	init_labeled_script_domtrans($1, ftpd_initrc_exec_t)
  	domain_system_change_exemption($1)
-@@ -204,5 +268,9 @@ interface(`ftp_admin',`
+@@ -204,5 +269,9 @@ interface(`ftp_admin',`
  	logging_list_logs($1)
  	admin_pattern($1, xferlog_t)
  
@@ -29258,10 +29292,10 @@ index 0000000..98c012c
 +/var/lib/gear(/.*)?		gen_context(system_u:object_r:gear_var_lib_t,s0)
 diff --git a/gear.if b/gear.if
 new file mode 100644
-index 0000000..04e159f
+index 0000000..d745c67
 --- /dev/null
 +++ b/gear.if
-@@ -0,0 +1,288 @@
+@@ -0,0 +1,289 @@
 +
 +## <summary>The open-source application container engine.</summary>
 +
@@ -29451,6 +29485,7 @@ index 0000000..04e159f
 +	')
 +
 +	systemd_exec_systemctl($1)
++	init_reload_services($1)
 +        systemd_read_fifo_file_passwd_run($1)
 +	allow $1 gear_unit_file_t:file read_file_perms;
 +	allow $1 gear_unit_file_t:service manage_service_perms;
@@ -34608,10 +34643,10 @@ index 0000000..f4659d1
 +/var/run/gssproxy\.sock		-s	gen_context(system_u:object_r:gssproxy_var_run_t,s0)
 diff --git a/gssproxy.if b/gssproxy.if
 new file mode 100644
-index 0000000..3ce0ac0
+index 0000000..2277038
 --- /dev/null
 +++ b/gssproxy.if
-@@ -0,0 +1,198 @@
+@@ -0,0 +1,199 @@
 +
 +## <summary>policy for gssproxy</summary>
 +
@@ -34746,6 +34781,7 @@ index 0000000..3ce0ac0
 +	')
 +
 +	systemd_exec_systemctl($1)
++	init_reload_services($1)
 +	allow $1 gssproxy_unit_file_t:file read_file_perms;
 +	allow $1 gssproxy_unit_file_t:service manage_service_perms;
 +
@@ -35045,10 +35081,10 @@ index b46130e..e2ae3b2 100644
 +
 +/var/lib/hyperv(/.*)?		gen_context(system_u:object_r:hypervkvp_var_lib_t,s0)
 diff --git a/hypervkvp.if b/hypervkvp.if
-index 6517fad..b7ca833 100644
+index 6517fad..f183748 100644
 --- a/hypervkvp.if
 +++ b/hypervkvp.if
-@@ -1,32 +1,134 @@
+@@ -1,32 +1,135 @@
 -## <summary>HyperV key value pair (KVP).</summary>
 +
 +## <summary>policy for hypervkvp</summary>
@@ -35151,6 +35187,7 @@ index 6517fad..b7ca833 100644
 +    ')
 +
 +    systemd_exec_systemctl($1)
++	init_reload_services($1)
 +    allow $1 hypervkvp_unit_file_t:file read_file_perms;
 +    allow $1 hypervkvp_unit_file_t:service manage_service_perms;
 +
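Review bot: The added `init_reload_services($1)` line is indented with a tab while the surrounding lines of this interface body use four spaces, so it does not line up with `systemd_exec_systemctl($1)` directly above it. I would match the neighbouring lines: `    init_reload_services($1)`. The same tab-versus-spaces mismatch appears in the iodine.if, iscsi.if (the `iscsi_systemctl` hunk), kmscon.if and ksmtuned.if hunks. The interface body begins and ends outside this hunk.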
@@ -35684,10 +35721,10 @@ index ca07a87..6ea129c 100644
 +
  /usr/sbin/iodined	--	gen_context(system_u:object_r:iodined_exec_t,s0)
 diff --git a/iodine.if b/iodine.if
-index a0bfbd0..a3b02e6 100644
+index a0bfbd0..8dc7c3e 100644
 --- a/iodine.if
 +++ b/iodine.if
-@@ -2,6 +2,49 @@
+@@ -2,6 +2,50 @@
  
  ########################################
  ## <summary>
@@ -35725,6 +35762,7 @@ index a0bfbd0..a3b02e6 100644
 +    ')
 +
 +        systemd_exec_systemctl($1)
++	init_reload_services($1)
 +        systemd_read_fifo_file_passwd_run($1)
 +        allow $1 iodined_unit_file_t:file read_file_perms;
 +        allow $1 iodined_unit_file_t:service manage_service_perms;
@@ -36363,7 +36401,7 @@ index 08b7560..417e630 100644
 +/usr/lib/systemd/system/((iscsi)|(iscsid)|(iscsiuio))\.service	--	gen_context(system_u:object_r:iscsi_unit_file_t,s0)
 +/usr/lib/systemd/system/((iscsid)|(iscsiuio))\.socket	--	gen_context(system_u:object_r:iscsi_unit_file_t,s0)
 diff --git a/iscsi.if b/iscsi.if
-index 1a35420..a7e1562 100644
+index 1a35420..9fe1e87 100644
 --- a/iscsi.if
 +++ b/iscsi.if
 @@ -22,6 +22,27 @@ interface(`iscsid_domtrans',`
@@ -36394,7 +36432,7 @@ index 1a35420..a7e1562 100644
  ##	iscsid sempaphores.
  ## </summary>
  ## <param name="domain">
-@@ -80,17 +101,53 @@ interface(`iscsi_read_lib_files',`
+@@ -80,17 +101,54 @@ interface(`iscsi_read_lib_files',`
  
  ########################################
  ## <summary>
@@ -36435,6 +36473,7 @@ index 1a35420..a7e1562 100644
 +       ')
 +
 +       systemd_exec_systemctl($1)
++	init_reload_services($1)
 +       allow $1 iscsi_unit_file_t:file read_file_perms;
 +       allow $1 iscsi_unit_file_t:service manage_service_perms;
 +
@@ -36453,7 +36492,7 @@ index 1a35420..a7e1562 100644
  ##	</summary>
  ## </param>
  ## <rolecap/>
-@@ -99,16 +156,15 @@ interface(`iscsi_admin',`
+@@ -99,16 +157,16 @@ interface(`iscsi_admin',`
  	gen_require(`
  		type iscsid_t, iscsi_lock_t, iscsi_log_t;
  		type iscsi_var_lib_t, iscsi_var_run_t, iscsi_tmp_t;
@@ -36469,6 +36508,7 @@ index 1a35420..a7e1562 100644
 -	role_transition $2 iscsi_initrc_exec_t system_r;
 -	allow $2 system_r;
 +	systemd_exec_systemctl($1)
++	init_reload_services($1)
 +	allow $1 iscsi_unit_file_t:file manage_file_perms;
 +	allow $1 iscsi_unit_file_t:service manage_service_perms;
  
@@ -37852,7 +37892,7 @@ index a49ae4e..0c0e987 100644
 +
 +/var/lock/kdump(/.*)?   gen_context(system_u:object_r:kdump_lock_t,s0)
 diff --git a/kdump.if b/kdump.if
-index 3a00b3a..6043fd6 100644
+index 3a00b3a..160c575 100644
 --- a/kdump.if
 +++ b/kdump.if
 @@ -1,4 +1,4 @@
@@ -37888,7 +37928,7 @@ index 3a00b3a..6043fd6 100644
  #######################################
  ## <summary>
  ##	Execute kdump in the kdump domain.
-@@ -37,9 +57,33 @@ interface(`kdump_initrc_domtrans',`
+@@ -37,9 +57,34 @@ interface(`kdump_initrc_domtrans',`
  	init_labeled_script_domtrans($1, kdump_initrc_exec_t)
  ')
  
@@ -37909,6 +37949,7 @@ index 3a00b3a..6043fd6 100644
 +	')
 +
 +	systemd_exec_systemctl($1)
++	init_reload_services($1)
 +	systemd_search_unit_dirs($1)
 +	allow $1 kdump_unit_file_t:file read_file_perms;
 +	allow $1 kdump_unit_file_t:service all_service_perms;
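Review bot: The unchanged line `allow $1 kdump_unit_file_t:service all_service_perms;` gives callers every service permission on the kdump unit, whereas the other `_systemctl()` interfaces visible in this diff use `manage_service_perms`. With `init_reload_services($1)` now added on top, this interface looks like the broadest of the set. Unless kdump callers need the extra permissions, I would change it to `allow $1 kdump_unit_file_t:service manage_service_perms;`. Both permission sets are defined outside this page, so the exact difference should be confirmed there first. The interface body begins and ends outside this hunk.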
@@ -37923,7 +37964,7 @@ index 3a00b3a..6043fd6 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -56,10 +100,67 @@ interface(`kdump_read_config',`
+@@ -56,10 +101,67 @@ interface(`kdump_read_config',`
  	allow $1 kdump_etc_t:file read_file_perms;
  ')
  
@@ -37993,7 +38034,7 @@ index 3a00b3a..6043fd6 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -76,10 +177,88 @@ interface(`kdump_manage_config',`
+@@ -76,10 +178,88 @@ interface(`kdump_manage_config',`
  	allow $1 kdump_etc_t:file manage_file_perms;
  ')
  
@@ -38084,7 +38125,7 @@ index 3a00b3a..6043fd6 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -88,19 +267,24 @@ interface(`kdump_manage_config',`
+@@ -88,19 +268,24 @@ interface(`kdump_manage_config',`
  ## </param>
  ## <param name="role">
  ##	<summary>
@@ -38114,7 +38155,7 @@ index 3a00b3a..6043fd6 100644
  
  	init_labeled_script_domtrans($1, kdump_initrc_exec_t)
  	domain_system_change_exemption($1)
-@@ -110,6 +294,10 @@ interface(`kdump_admin',`
+@@ -110,6 +295,10 @@ interface(`kdump_admin',`
  	files_search_etc($1)
  	admin_pattern($1, kdump_etc_t)
  
@@ -38468,10 +38509,10 @@ index 0000000..9a19f91
 +/var/run/keepalived.*		--	gen_context(system_u:object_r:keepalived_var_run_t,s0)
 diff --git a/keepalived.if b/keepalived.if
 new file mode 100644
-index 0000000..0d61849
+index 0000000..f0e0e3a
 --- /dev/null
 +++ b/keepalived.if
-@@ -0,0 +1,84 @@
+@@ -0,0 +1,85 @@
 +
 +## <summary> keepalived - load-balancing and high-availability service</summary>
 +
@@ -38510,6 +38551,7 @@ index 0000000..0d61849
 +	')
 +
 +	systemd_exec_systemctl($1)
++	init_reload_services($1)
 +    systemd_read_fifo_file_passwd_run($1)
 +	allow $1 keepalived_unit_file_t:file read_file_perms;
 +	allow $1 keepalived_unit_file_t:service manage_service_perms;
@@ -39937,10 +39979,10 @@ index b273d80..9b6e9bd 100644
 +
 +/var/run/keystone(/.*)?	gen_context(system_u:object_r:keystone_var_run_t,s0)
 diff --git a/keystone.if b/keystone.if
-index e88fb16..f20248c 100644
+index e88fb16..ec6121a 100644
 --- a/keystone.if
 +++ b/keystone.if
-@@ -1,42 +1,218 @@
+@@ -1,42 +1,219 @@
 -## <summary>Python implementation of the OpenStack identity service API.</summary>
 +
 +## <summary>policy for keystone</summary>
@@ -40120,6 +40162,7 @@ index e88fb16..f20248c 100644
 +	')
 +
 +	systemd_exec_systemctl($1)
++	init_reload_services($1)
 +	systemd_read_fifo_file_passwd_run($1)
 +	allow $1 keystone_unit_file_t:file read_file_perms;
 +	allow $1 keystone_unit_file_t:service manage_service_perms;
@@ -40175,7 +40218,7 @@ index e88fb16..f20248c 100644
 +	')
  ')
 diff --git a/keystone.te b/keystone.te
-index 9929647..3144a89 100644
+index 9929647..c573d0e 100644
 --- a/keystone.te
 +++ b/keystone.te
 @@ -18,13 +18,20 @@ logging_log_file(keystone_log_t)
@@ -40195,7 +40238,7 @@ index 9929647..3144a89 100644
  #
  # Local policy
  #
-+allow keystone_t self:process { getsched setsched };
++allow keystone_t self:process { getsched setsched signal };
  
  allow keystone_t self:fifo_file rw_fifo_file_perms;
  allow keystone_t self:unix_stream_socket { accept listen };
@@ -40341,10 +40384,10 @@ index 0000000..ccd29c0
 +/etc/kmscon(/.*)?                                      gen_context(system_u:object_r:kmscon_conf_t,s0)
 diff --git a/kmscon.if b/kmscon.if
 new file mode 100644
-index 0000000..ab52e25
+index 0000000..b9347fa
 --- /dev/null
 +++ b/kmscon.if
-@@ -0,0 +1,24 @@
+@@ -0,0 +1,25 @@
 +## <summary>Terminal emulator for Linux graphical console</summary>
 +
 +########################################
@@ -40364,6 +40407,7 @@ index 0000000..ab52e25
 +       ')
 +
 +       systemd_exec_systemctl($1)
++	init_reload_services($1)
 +       allow $1 kmscon_unit_file_t:file read_file_perms;
 +       allow $1 kmscon_unit_file_t:service manage_service_perms;
 +
@@ -40474,10 +40518,10 @@ index e736c45..4b1e1e4 100644
  
  /var/log/ksmtuned.*	gen_context(system_u:object_r:ksmtuned_log_t,s0)
 diff --git a/ksmtuned.if b/ksmtuned.if
-index 93a64bc..3ac0b8b 100644
+index 93a64bc..af6d741 100644
 --- a/ksmtuned.if
 +++ b/ksmtuned.if
-@@ -38,6 +38,29 @@ interface(`ksmtuned_initrc_domtrans',`
+@@ -38,6 +38,30 @@ interface(`ksmtuned_initrc_domtrans',`
  	init_labeled_script_domtrans($1, ksmtuned_initrc_exec_t)
  ')
  
@@ -40498,6 +40542,7 @@ index 93a64bc..3ac0b8b 100644
 +    ')
 +
 +    systemd_exec_systemctl($1)
++	init_reload_services($1)
 +    allow $1 ksmtuned_unit_file_t:file read_file_perms;
 +    allow $1 ksmtuned_unit_file_t:service manage_service_perms;
 +
@@ -40507,7 +40552,7 @@ index 93a64bc..3ac0b8b 100644
  ########################################
  ## <summary>
  ##	All of the rules required to
-@@ -48,30 +71,28 @@ interface(`ksmtuned_initrc_domtrans',`
+@@ -48,30 +72,28 @@ interface(`ksmtuned_initrc_domtrans',`
  ##	Domain allowed access.
  ##	</summary>
  ## </param>
@@ -40613,10 +40658,10 @@ index 38ecb07..451067e 100644
  
  /usr/sbin/in\.talkd	--	gen_context(system_u:object_r:ktalkd_exec_t,s0)
 diff --git a/ktalk.if b/ktalk.if
-index 19777b8..55d1556 100644
+index 19777b8..cd721fd 100644
 --- a/ktalk.if
 +++ b/ktalk.if
-@@ -1 +1,76 @@
+@@ -1 +1,77 @@
 -## <summary>KDE Talk daemon.</summary>
 +
 +## <summary>talk-server - daemon programs for the Internet talk </summary>
@@ -40656,6 +40701,7 @@ index 19777b8..55d1556 100644
 +	')
 +
 +	systemd_exec_systemctl($1)
++	init_reload_services($1)
 +    systemd_read_fifo_file_passwd_run($1)
 +	allow $1 ktalkd_unit_file_t:file read_file_perms;
 +	allow $1 ktalkd_unit_file_t:service manage_service_perms;
@@ -41333,10 +41379,10 @@ index b7e5679..c93db33 100644
 +/var/run/slapd\.args    --      gen_context(system_u:object_r:slapd_var_run_t,s0)
 +/var/run/slapd\.pid     --      gen_context(system_u:object_r:slapd_var_run_t,s0)
 diff --git a/ldap.if b/ldap.if
-index 3602712..fc7b071 100644
+index 3602712..af83a5b 100644
 --- a/ldap.if
 +++ b/ldap.if
-@@ -1,8 +1,68 @@
+@@ -1,8 +1,69 @@
 -## <summary>OpenLDAP directory server.</summary>
 +## <summary>OpenLDAP directory server</summary>
 +
@@ -41393,6 +41439,7 @@ index 3602712..fc7b071 100644
 +	')
 +
 +	systemd_exec_systemctl($1)
++	init_reload_services($1)
 +	allow $1 slapd_unit_file_t:file read_file_perms;
 +	allow $1 slapd_unit_file_t:service manage_service_perms;
 +
@@ -41407,7 +41454,7 @@ index 3602712..fc7b071 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -15,13 +75,31 @@ interface(`ldap_list_db',`
+@@ -15,13 +76,31 @@ interface(`ldap_list_db',`
  		type slapd_db_t;
  	')
  
@@ -41441,7 +41488,7 @@ index 3602712..fc7b071 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -41,22 +119,29 @@ interface(`ldap_read_config',`
+@@ -41,22 +120,29 @@ interface(`ldap_read_config',`
  
  ########################################
  ## <summary>
@@ -41476,7 +41523,7 @@ index 3602712..fc7b071 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -64,18 +149,13 @@ interface(`ldap_use',`
+@@ -64,18 +150,13 @@ interface(`ldap_use',`
  ##	</summary>
  ## </param>
  #
@@ -41498,7 +41545,7 @@ index 3602712..fc7b071 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -83,21 +163,19 @@ interface(`ldap_stream_connect',`
+@@ -83,21 +164,19 @@ interface(`ldap_stream_connect',`
  ##	</summary>
  ## </param>
  #
@@ -41526,7 +41573,7 @@ index 3602712..fc7b071 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -106,7 +184,7 @@ interface(`ldap_tcp_connect',`
+@@ -106,7 +185,7 @@ interface(`ldap_tcp_connect',`
  ## </param>
  ## <param name="role">
  ##	<summary>
@@ -41535,7 +41582,7 @@ index 3602712..fc7b071 100644
  ##	</summary>
  ## </param>
  ## <rolecap/>
-@@ -117,11 +195,16 @@ interface(`ldap_admin',`
+@@ -117,11 +196,16 @@ interface(`ldap_admin',`
  		type slapd_lock_t, slapd_etc_t, slapd_var_run_t;
  		type slapd_initrc_exec_t, slapd_log_t, slapd_cert_t;
  		type slapd_db_t, slapd_keytab_t;
@@ -41553,7 +41600,7 @@ index 3602712..fc7b071 100644
  	init_labeled_script_domtrans($1, slapd_initrc_exec_t)
  	domain_system_change_exemption($1)
  	role_transition $2 slapd_initrc_exec_t system_r;
-@@ -130,13 +213,9 @@ interface(`ldap_admin',`
+@@ -130,13 +214,9 @@ interface(`ldap_admin',`
  	files_list_etc($1)
  	admin_pattern($1, { slapd_etc_t slapd_db_t slapd_cert_t slapd_keytab_t })
  
@@ -41568,7 +41615,7 @@ index 3602712..fc7b071 100644
  	admin_pattern($1, slapd_replog_t)
  
  	files_list_tmp($1)
-@@ -144,4 +223,8 @@ interface(`ldap_admin',`
+@@ -144,4 +224,8 @@ interface(`ldap_admin',`
  
  	files_list_pids($1)
  	admin_pattern($1, slapd_var_run_t)
@@ -43349,10 +43396,10 @@ index c455730..6e14667 100644
 +
  /var/run/lsm(/.*)?	gen_context(system_u:object_r:lsmd_var_run_t,s0)
 diff --git a/lsm.if b/lsm.if
-index d314333..da30c5d 100644
+index d314333..27ede09 100644
 --- a/lsm.if
 +++ b/lsm.if
-@@ -1,25 +1,85 @@
+@@ -1,25 +1,86 @@
 -## <summary>Storage array management library.</summary>
 +
 +## <summary>libStorageMgmt  plug-in  daemon </summary>
@@ -43414,6 +43461,7 @@ index d314333..da30c5d 100644
 +	')
 +
 +	systemd_exec_systemctl($1)
++	init_reload_services($1)
 +    systemd_read_fifo_file_passwd_run($1)
 +	allow $1 lsmd_unit_file_t:file read_file_perms;
 +	allow $1 lsmd_unit_file_t:service manage_service_perms;
@@ -43444,7 +43492,7 @@ index d314333..da30c5d 100644
  	')
  
  	allow $1 lsmd_t:process { ptrace signal_perms };
-@@ -27,4 +87,13 @@ interface(`lsmd_admin',`
+@@ -27,4 +88,13 @@ interface(`lsmd_admin',`
  
  	files_search_pids($1)
  	admin_pattern($1, lsmd_var_run_t)
@@ -45501,10 +45549,10 @@ index 0000000..767bbad
 +/usr/sbin/mip6d		--	gen_context(system_u:object_r:mip6d_exec_t,s0)
 diff --git a/mip6d.if b/mip6d.if
 new file mode 100644
-index 0000000..8169129
+index 0000000..861b486
 --- /dev/null
 +++ b/mip6d.if
-@@ -0,0 +1,79 @@
+@@ -0,0 +1,80 @@
 +
 +## <summary>Mobile IPv6 and NEMO Basic Support implementation</summary>
 +
@@ -45543,6 +45591,7 @@ index 0000000..8169129
 +	')
 +
 +	systemd_exec_systemctl($1)
++	init_reload_services($1)
 +    systemd_read_fifo_file_passwd_run($1)
 +	allow $1 mip6d_unit_file_t:file read_file_perms;
 +	allow $1 mip6d_unit_file_t:service manage_service_perms;
@@ -46568,10 +46617,10 @@ index a83894c..481dca3 100644
 +
 +/usr/lib/systemd/system/ModemManager.service		--	gen_context(system_u:object_r:modemmanager_unit_file_t,s0)
 diff --git a/modemmanager.if b/modemmanager.if
-index b1ac8b5..9b22bea 100644
+index b1ac8b5..24782b3 100644
 --- a/modemmanager.if
 +++ b/modemmanager.if
-@@ -21,6 +21,30 @@ interface(`modemmanager_domtrans',`
+@@ -21,6 +21,31 @@ interface(`modemmanager_domtrans',`
  
  ########################################
  ## <summary>
@@ -46590,6 +46639,7 @@ index b1ac8b5..9b22bea 100644
 +	')
 +
 +	systemd_exec_systemctl($1)
++	init_reload_services($1)
 +    systemd_read_fifo_file_passwd_run($1)
 +	allow $1 modemmanager_unit_file_t:file read_file_perms;
 +	allow $1 modemmanager_unit_file_t:service manage_service_perms;
@@ -46602,7 +46652,7 @@ index b1ac8b5..9b22bea 100644
  ##	Send and receive messages from
  ##	modemmanager over dbus.
  ## </summary>
-@@ -39,3 +63,33 @@ interface(`modemmanager_dbus_chat',`
+@@ -39,3 +64,33 @@ interface(`modemmanager_dbus_chat',`
  	allow $1 modemmanager_t:dbus send_msg;
  	allow modemmanager_t $1:dbus send_msg;
  ')
@@ -47069,10 +47119,10 @@ index 0000000..7415106
 +/var/motion(/.*)?       gen_context(system_u:object_r:motion_data_t,s0)
 diff --git a/motion.if b/motion.if
 new file mode 100644
-index 0000000..39f4a04
+index 0000000..edfd267
 --- /dev/null
 +++ b/motion.if
-@@ -0,0 +1,197 @@
+@@ -0,0 +1,198 @@
 +
 +## <summary>Detect motion using a video4linux device</summary>
 +
@@ -47209,6 +47259,7 @@ index 0000000..39f4a04
 +	')
 +
 +	systemd_exec_systemctl($1)
++	init_reload_services($1)
 +    systemd_read_fifo_file_passwd_run($1)
 +	allow $1 motion_unit_file_t:file read_file_perms;
 +	allow $1 motion_unit_file_t:service manage_service_perms;
@@ -50919,7 +50970,7 @@ index ed81cac..837a43a 100644
 +	mta_filetrans_admin_home_content($1)
 +')
 diff --git a/mta.te b/mta.te
-index ff1d68c..bc8340d 100644
+index ff1d68c..a2854c1 100644
 --- a/mta.te
 +++ b/mta.te
 @@ -14,8 +14,6 @@ attribute mailserver_sender;
@@ -51057,11 +51108,10 @@ index ff1d68c..bc8340d 100644
 +dev_read_rand(system_mail_t)
 +dev_read_urand(system_mail_t)
  
--fs_rw_anon_inodefs_files(system_mail_t)
+ fs_rw_anon_inodefs_files(system_mail_t)
  
 -selinux_getattr_fs(system_mail_t)
-+fs_rw_anon_inodefs_files(system_mail_t)
- 
+-
  term_dontaudit_use_unallocated_ttys(system_mail_t)
  
  init_use_script_ptys(system_mail_t)
@@ -51071,6 +51121,7 @@ index ff1d68c..bc8340d 100644
 +userdom_use_inherited_user_terminals(system_mail_t)
 +userdom_dontaudit_list_user_home_dirs(system_mail_t)
 +userdom_dontaudit_list_admin_dir(system_mail_t)
++userdom_dontaudit_list_user_tmp(system_mail_t)
 +
 +manage_dirs_pattern(system_mail_t, mail_home_rw_t, mail_home_rw_t)
 +manage_files_pattern(system_mail_t, mail_home_rw_t, mail_home_rw_t)
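Review bot: The new `userdom_dontaudit_list_user_tmp(system_mail_t)` silences the denial without recording why system_mail_t tries to list user tmp directories in the first place. A dontaudit rule removes the AVC record that would otherwise show this access during an investigation, so the justification should sit next to the rule where it can be re-evaluated later. I would add a comment line above it such as `# dontaudit: <reason and bug reference>`, filled in from the report that prompted the change.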
@@ -52033,7 +52084,7 @@ index 06f8666..4a315d5 100644
 +/var/run/mysqld(/.*)?		gen_context(system_u:object_r:mysqld_var_run_t,s0)
 +/var/run/mysqld/mysqlmanager.* -- gen_context(system_u:object_r:mysqlmanagerd_var_run_t,s0)
 diff --git a/mysql.if b/mysql.if
-index 687af38..a77dc09 100644
+index 687af38..5381f1b 100644
 --- a/mysql.if
 +++ b/mysql.if
 @@ -1,23 +1,4 @@
@@ -52434,7 +52485,7 @@ index 687af38..a77dc09 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -374,18 +414,22 @@ interface(`mysql_write_log',`
+@@ -374,18 +414,23 @@ interface(`mysql_write_log',`
  ##	</summary>
  ## </param>
  #
@@ -52449,6 +52500,7 @@ index 687af38..a77dc09 100644
 -	corecmd_search_bin($1)
 -	domtrans_pattern($1, mysqld_safe_exec_t, mysqld_safe_t)
 +	systemd_exec_systemctl($1)
++	init_reload_services($1)
 +	allow $1 mysqld_unit_file_t:file read_file_perms;
 +	allow $1 mysqld_unit_file_t:service manage_service_perms;
 +
@@ -52463,7 +52515,7 @@ index 687af38..a77dc09 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -393,39 +437,37 @@ interface(`mysql_domtrans_mysql_safe',`
+@@ -393,39 +438,37 @@ interface(`mysql_domtrans_mysql_safe',`
  ##	</summary>
  ## </param>
  #
@@ -52515,7 +52567,7 @@ index 687af38..a77dc09 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -434,41 +476,52 @@ interface(`mysql_search_pid_files',`
+@@ -434,41 +477,52 @@ interface(`mysql_search_pid_files',`
  ## </param>
  ## <param name="role">
  ##	<summary>
@@ -54552,7 +54604,7 @@ index 94b9734..448a7e8 100644
 +/var/run/wpa_supplicant(/.*)?		gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
  /var/run/wpa_supplicant-global	-s	gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
 diff --git a/networkmanager.if b/networkmanager.if
-index 86dc29d..98fdac1 100644
+index 86dc29d..3eaf32b 100644
 --- a/networkmanager.if
 +++ b/networkmanager.if
 @@ -2,7 +2,7 @@
@@ -54662,7 +54714,7 @@ index 86dc29d..98fdac1 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -104,18 +124,23 @@ interface(`networkmanager_domtrans',`
+@@ -104,18 +124,24 @@ interface(`networkmanager_domtrans',`
  ##	</summary>
  ## </param>
  #
@@ -54676,6 +54728,7 @@ index 86dc29d..98fdac1 100644
  
 -	init_labeled_script_domtrans($1, NetworkManager_initrc_exec_t)
 +	systemd_exec_systemctl($1)
++	init_reload_services($1)
 +	allow $1 NetworkManager_unit_file_t:file read_file_perms;
 +	allow $1 NetworkManager_unit_file_t:service manage_service_perms;
 +
@@ -54690,7 +54743,7 @@ index 86dc29d..98fdac1 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -155,7 +180,29 @@ interface(`networkmanager_read_state',`
+@@ -155,7 +181,29 @@ interface(`networkmanager_read_state',`
  
  ########################################
  ## <summary>
@@ -54721,7 +54774,7 @@ index 86dc29d..98fdac1 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -211,9 +258,28 @@ interface(`networkmanager_read_lib_files',`
+@@ -211,9 +259,28 @@ interface(`networkmanager_read_lib_files',`
  	read_files_pattern($1, NetworkManager_var_lib_t, NetworkManager_var_lib_t)
  ')
  
@@ -54751,7 +54804,7 @@ index 86dc29d..98fdac1 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -221,19 +287,18 @@ interface(`networkmanager_read_lib_files',`
+@@ -221,19 +288,18 @@ interface(`networkmanager_read_lib_files',`
  ##	</summary>
  ## </param>
  #
@@ -54776,7 +54829,7 @@ index 86dc29d..98fdac1 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -241,13 +306,32 @@ interface(`networkmanager_append_log_files',`
+@@ -241,13 +307,32 @@ interface(`networkmanager_append_log_files',`
  ##	</summary>
  ## </param>
  #
@@ -54811,7 +54864,7 @@ index 86dc29d..98fdac1 100644
  ')
  
  ####################################
-@@ -272,14 +356,33 @@ interface(`networkmanager_stream_connect',`
+@@ -272,14 +357,33 @@ interface(`networkmanager_stream_connect',`
  
  ########################################
  ## <summary>
@@ -54847,7 +54900,7 @@ index 86dc29d..98fdac1 100644
  ## <param name="role">
  ##	<summary>
  ##	Role allowed access.
-@@ -287,33 +390,132 @@ interface(`networkmanager_stream_connect',`
+@@ -287,33 +391,132 @@ interface(`networkmanager_stream_connect',`
  ## </param>
  ## <rolecap/>
  #
@@ -55414,10 +55467,10 @@ index 0000000..cc31b9f
 +
 diff --git a/ninfod.if b/ninfod.if
 new file mode 100644
-index 0000000..a7f57d9
+index 0000000..409de8c
 --- /dev/null
 +++ b/ninfod.if
-@@ -0,0 +1,79 @@
+@@ -0,0 +1,80 @@
 +
 +## <summary>Respond to IPv6 Node Information Queries</summary>
 +
@@ -55456,6 +55509,7 @@ index 0000000..a7f57d9
 +	')
 +
 +	systemd_exec_systemctl($1)
++	init_reload_services($1)
 +    systemd_read_fifo_file_passwd_run($1)
 +	allow $1 ninfod_unit_file_t:file read_file_perms;
 +	allow $1 ninfod_unit_file_t:service manage_service_perms;
@@ -55574,7 +55628,7 @@ index 8aa1bfa..cd0e015 100644
 +/usr/lib/systemd/system/yppasswdd.*	--	gen_context(system_u:object_r:nis_unit_file_t,s0)
 +/usr/lib/systemd/system/ypxfrd.*	--	gen_context(system_u:object_r:nis_unit_file_t,s0)
 diff --git a/nis.if b/nis.if
-index 46e55c3..6e4e061 100644
+index 46e55c3..afe399a 100644
 --- a/nis.if
 +++ b/nis.if
 @@ -1,4 +1,4 @@
@@ -55711,7 +55765,7 @@ index 46e55c3..6e4e061 100644
  ')
  
  ########################################
-@@ -355,8 +349,57 @@ interface(`nis_initrc_domtrans_ypbind',`
+@@ -355,8 +349,59 @@ interface(`nis_initrc_domtrans_ypbind',`
  
  ########################################
  ## <summary>
@@ -55732,6 +55786,7 @@ index 46e55c3..6e4e061 100644
 +	')
 +
 +	systemd_exec_systemctl($1)
++	init_reload_services($1)
 +	allow $1 ypbind_unit_file_t:file read_file_perms;
 +	allow $1 ypbind_unit_file_t:service manage_service_perms;
 +
@@ -55755,6 +55810,7 @@ index 46e55c3..6e4e061 100644
 +	')
 +
 +	systemd_exec_systemctl($1)
++	init_reload_services($1)
 +	allow $1 nis_unit_file_t:file read_file_perms;
 +	allow $1 nis_unit_file_t:service manage_service_perms;
 +
@@ -55771,7 +55827,7 @@ index 46e55c3..6e4e061 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -372,32 +415,56 @@ interface(`nis_initrc_domtrans_ypbind',`
+@@ -372,32 +417,56 @@ interface(`nis_initrc_domtrans_ypbind',`
  #
  interface(`nis_admin',`
  	gen_require(`
@@ -56621,7 +56677,7 @@ index ba64485..429bd79 100644
 +
 +/usr/lib/systemd/system/nscd\.service -- gen_context(system_u:object_r:nscd_unit_file_t,s0)
 diff --git a/nscd.if b/nscd.if
-index 8f2ab09..bc2c7fe 100644
+index 8f2ab09..cd5d344 100644
 --- a/nscd.if
 +++ b/nscd.if
 @@ -1,8 +1,8 @@
@@ -56850,7 +56906,7 @@ index 8f2ab09..bc2c7fe 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -275,8 +296,31 @@ interface(`nscd_initrc_domtrans',`
+@@ -275,8 +296,32 @@ interface(`nscd_initrc_domtrans',`
  
  ########################################
  ## <summary>
@@ -56871,6 +56927,7 @@ index 8f2ab09..bc2c7fe 100644
 +	')
 +
 +	systemd_exec_systemctl($1)
++	init_reload_services($1)
 +	allow $1 nscd_unit_file_t:file read_file_perms;
 +	allow $1 nscd_unit_file_t:service manage_service_perms;
 +
@@ -56884,7 +56941,7 @@ index 8f2ab09..bc2c7fe 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -285,7 +329,7 @@ interface(`nscd_initrc_domtrans',`
+@@ -285,7 +330,7 @@ interface(`nscd_initrc_domtrans',`
  ## </param>
  ## <param name="role">
  ##	<summary>
@@ -56893,7 +56950,7 @@ index 8f2ab09..bc2c7fe 100644
  ##	</summary>
  ## </param>
  ## <rolecap/>
-@@ -294,10 +338,14 @@ interface(`nscd_admin',`
+@@ -294,10 +339,14 @@ interface(`nscd_admin',`
  	gen_require(`
  		type nscd_t, nscd_log_t, nscd_var_run_t;
  		type nscd_initrc_exec_t;
@@ -56909,7 +56966,7 @@ index 8f2ab09..bc2c7fe 100644
  
  	init_labeled_script_domtrans($1, nscd_initrc_exec_t)
  	domain_system_change_exemption($1)
-@@ -310,5 +358,7 @@ interface(`nscd_admin',`
+@@ -310,5 +359,7 @@ interface(`nscd_admin',`
  	files_list_pids($1)
  	admin_pattern($1, nscd_var_run_t)
  
@@ -58448,7 +58505,7 @@ index af3c91e..2d41c4c 100644
  
  /var/log/ntp.*	--	gen_context(system_u:object_r:ntpd_log_t,s0)
 diff --git a/ntp.if b/ntp.if
-index e96a309..2bacc3f 100644
+index e96a309..ef6081b 100644
 --- a/ntp.if
 +++ b/ntp.if
 @@ -1,4 +1,4 @@
@@ -58497,7 +58554,7 @@ index e96a309..2bacc3f 100644
  ')
  
  ########################################
-@@ -98,6 +117,48 @@ interface(`ntp_initrc_domtrans',`
+@@ -98,6 +117,49 @@ interface(`ntp_initrc_domtrans',`
  	init_labeled_script_domtrans($1, ntpd_initrc_exec_t)
  ')
  
@@ -58537,6 +58594,7 @@ index e96a309..2bacc3f 100644
 +	')
 +
 +	systemd_exec_systemctl($1)
++	init_reload_services($1)
 +	allow $1 ntpd_unit_file_t:file read_file_perms;
 +	allow $1 ntpd_unit_file_t:service manage_service_perms;
 +
@@ -58546,7 +58604,7 @@ index e96a309..2bacc3f 100644
  ########################################
  ## <summary>
  ##	Read ntp drift files.
-@@ -141,8 +202,27 @@ interface(`ntp_rw_shm',`
+@@ -141,8 +203,27 @@ interface(`ntp_rw_shm',`
  
  ########################################
  ## <summary>
@@ -58576,7 +58634,7 @@ index e96a309..2bacc3f 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -151,28 +231,32 @@ interface(`ntp_rw_shm',`
+@@ -151,28 +232,32 @@ interface(`ntp_rw_shm',`
  ## </param>
  ## <param name="role">
  ##	<summary>
@@ -58615,7 +58673,7 @@ index e96a309..2bacc3f 100644
  
  	logging_list_logs($1)
  	admin_pattern($1, ntpd_log_t)
-@@ -186,5 +270,30 @@ interface(`ntp_admin',`
+@@ -186,5 +271,30 @@ interface(`ntp_admin',`
  	files_list_pids($1)
  	admin_pattern($1, ntpd_var_run_t)
  
@@ -58748,10 +58806,10 @@ index 3488bb0..1f97624 100644
 -/var/run/numad\.pid	--	gen_context(system_u:object_r:numad_var_run_t,s0)
 +/var/run/numad\.pid      --  gen_context(system_u:object_r:numad_var_run_t,s0)
 diff --git a/numad.if b/numad.if
-index 0d3c270..260275b 100644
+index 0d3c270..f307835 100644
 --- a/numad.if
 +++ b/numad.if
-@@ -1,39 +1,92 @@
+@@ -1,39 +1,93 @@
 -## <summary>Non-Uniform Memory Alignment Daemon.</summary>
 +
 +## <summary>policy for numad</summary>
@@ -58791,6 +58849,7 @@ index 0d3c270..260275b 100644
 +	')
 +
 +	systemd_exec_systemctl($1)
++	init_reload_services($1)
 +	systemd_read_fifo_file_passwd_run($1)
 +	allow $1 numad_unit_file_t:file read_file_perms;
 +	allow $1 numad_unit_file_t:service all_service_perms;
@@ -58959,10 +59018,10 @@ index 379af96..fac7d7b 100644
 +/var/www/nut-cgi-bin/upsset\.cgi -- gen_context(system_u:object_r:nutups_cgi_script_exec_t,s0)
 +/var/www/nut-cgi-bin/upsstats\.cgi -- gen_context(system_u:object_r:nutups_cgi_script_exec_t,s0)
 diff --git a/nut.if b/nut.if
-index 57c0161..4534676 100644
+index 57c0161..c554eb6 100644
 --- a/nut.if
 +++ b/nut.if
-@@ -1,39 +1,59 @@
+@@ -1,39 +1,60 @@
 -## <summary>Network UPS Tools </summary>
 +## <summary>nut - Network UPS Tools </summary>
  
@@ -59041,6 +59100,7 @@ index 57c0161..4534676 100644
 -	files_search_etc($1)
 -	admin_pattern($1, nut_conf_t)
 +	systemd_exec_systemctl($1)
++	init_reload_services($1)
 +    allow $1 nut_unit_file_t:file read_file_perms;
 +    allow $1 nut_unit_file_t:service manage_service_perms;
  
@@ -59585,7 +59645,7 @@ index dd1d9ef..fbbe3ff 100644
 -/var/run/oddjobd\.pid	gen_context(system_u:object_r:oddjob_var_run_t,s0)
 +/var/run/oddjobd\.pid			gen_context(system_u:object_r:oddjob_var_run_t,s0)
 diff --git a/oddjob.if b/oddjob.if
-index c87bd2a..7de054a 100644
+index c87bd2a..4c17c99 100644
 --- a/oddjob.if
 +++ b/oddjob.if
 @@ -1,4 +1,8 @@
@@ -59697,7 +59757,7 @@ index c87bd2a..7de054a 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -105,46 +141,70 @@ interface(`oddjob_domtrans_mkhomedir',`
+@@ -105,46 +141,71 @@ interface(`oddjob_domtrans_mkhomedir',`
  #
  interface(`oddjob_run_mkhomedir',`
  	gen_require(`
@@ -59737,6 +59797,7 @@ index c87bd2a..7de054a 100644
 +    ')
 +
 +    systemd_exec_systemctl($1)
++	init_reload_services($1)
 +    allow $1 oddjob_unit_file_t:file read_file_perms;
 +    allow $1 oddjob_unit_file_t:service manage_service_perms;
  
@@ -61615,10 +61676,10 @@ index 0000000..51650fa
 +/var/log/opensm\.log.*  	--	gen_context(system_u:object_r:opensm_log_t,s0)
 diff --git a/opensm.if b/opensm.if
 new file mode 100644
-index 0000000..776fda7
+index 0000000..45de664
 --- /dev/null
 +++ b/opensm.if
-@@ -0,0 +1,223 @@
+@@ -0,0 +1,224 @@
 +
 +## <summary>Opensm is an InfiniBand compliant Subnet Manager and Administration, and runs on top of OpenIB</summary>
 +
@@ -61793,6 +61854,7 @@ index 0000000..776fda7
 +	')
 +
 +	systemd_exec_systemctl($1)
++	init_reload_services($1)
 +    systemd_read_fifo_file_passwd_run($1)
 +	allow $1 opensm_unit_file_t:file read_file_perms;
 +	allow $1 opensm_unit_file_t:service manage_service_perms;
@@ -62187,7 +62249,7 @@ index 45d7cc5..c5b9607 100644
 -/var/run/openvswitch(/.*)?	gen_context(system_u:object_r:openvswitch_var_run_t,s0)
 +/etc/openvswitch(/.*)?		gen_context(system_u:object_r:openvswitch_rw_t,s0)
 diff --git a/openvswitch.if b/openvswitch.if
-index 9b15730..eedd136 100644
+index 9b15730..cb00f20 100644
 --- a/openvswitch.if
 +++ b/openvswitch.if
 @@ -1,13 +1,14 @@
@@ -62356,7 +62418,7 @@ index 9b15730..eedd136 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -40,44 +176,86 @@ interface(`openvswitch_read_pid_files',`
+@@ -40,44 +176,87 @@ interface(`openvswitch_read_pid_files',`
  
  ########################################
  ## <summary>
@@ -62398,6 +62460,7 @@ index 9b15730..eedd136 100644
 +	')
 +
 +	systemd_exec_systemctl($1)
++	init_reload_services($1)
 +	allow $1 openvswitch_unit_file_t:file read_file_perms;
 +	allow $1 openvswitch_unit_file_t:service manage_service_perms;
 +
@@ -62590,10 +62653,10 @@ index 0000000..00d0643
 +/var/run/wsmand.*	--	gen_context(system_u:object_r:openwsman_run_t,s0)
 diff --git a/openwsman.if b/openwsman.if
 new file mode 100644
-index 0000000..42ed4ba
+index 0000000..747853a
 --- /dev/null
 +++ b/openwsman.if
-@@ -0,0 +1,78 @@
+@@ -0,0 +1,79 @@
 +## <summary>WS-Management Server</summary>
 +
 +########################################
@@ -62631,6 +62694,7 @@ index 0000000..42ed4ba
 +	')
 +
 +	systemd_exec_systemctl($1)
++	init_reload_services($1)
 +    systemd_read_fifo_file_passwd_run($1)
 +	allow $1 openwsman_unit_file_t:file read_file_perms;
 +	allow $1 openwsman_unit_file_t:service manage_service_perms;
@@ -63135,10 +63199,10 @@ index 2f0ad56..d4da0b8 100644
  
  /var/lib/heartbeat/crm(/.*)?	gen_context(system_u:object_r:pacemaker_var_lib_t,s0)
 diff --git a/pacemaker.if b/pacemaker.if
-index 9682d9a..d47f913 100644
+index 9682d9a..f1f421f 100644
 --- a/pacemaker.if
 +++ b/pacemaker.if
-@@ -1,9 +1,166 @@
+@@ -1,9 +1,167 @@
 -## <summary>A scalable high-availability cluster resource manager.</summary>
 +## <summary>>A scalable high-availability cluster resource manager.</summary>
  
@@ -63293,6 +63357,7 @@ index 9682d9a..d47f913 100644
 +	')
 +
 +	systemd_exec_systemctl($1)
++	init_reload_services($1)
 +	systemd_read_fifo_file_passwd_run($1)
 +	allow $1 pacemaker_unit_file_t:file read_file_perms;
 +	allow $1 pacemaker_unit_file_t:service manage_service_perms;
@@ -63308,7 +63373,7 @@ index 9682d9a..d47f913 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -19,14 +176,17 @@
+@@ -19,14 +177,17 @@
  #
  interface(`pacemaker_admin',`
  	gen_require(`
@@ -63328,7 +63393,7 @@ index 9682d9a..d47f913 100644
  	domain_system_change_exemption($1)
  	role_transition $2 pacemaker_initrc_exec_t system_r;
  	allow $2 system_r;
-@@ -36,4 +196,13 @@ interface(`pacemaker_admin',`
+@@ -36,4 +197,13 @@ interface(`pacemaker_admin',`
  
  	files_search_pids($1)
  	admin_pattern($1, pacemaker_var_run_t)
@@ -65040,10 +65105,10 @@ index 0000000..7b54c39
 +/var/run/pesign\.pid    --  gen_context(system_u:object_r:pesign_var_run_t,s0)
 diff --git a/pesign.if b/pesign.if
 new file mode 100644
-index 0000000..abd5dd8
+index 0000000..4d531cb
 --- /dev/null
 +++ b/pesign.if
-@@ -0,0 +1,98 @@
+@@ -0,0 +1,99 @@
 +
 +## <summary>pesign utility for signing UEFI binaries as well as other associated tools</summary>
 +
@@ -65101,6 +65166,7 @@ index 0000000..abd5dd8
 +	')
 +
 +	systemd_exec_systemctl($1)
++	init_reload_services($1)
 +    systemd_read_fifo_file_passwd_run($1)
 +	allow $1 pesign_unit_file_t:file read_file_perms;
 +	allow $1 pesign_unit_file_t:service manage_service_perms;
@@ -67634,7 +67700,7 @@ index d35614b..11f77ee 100644
 -/var/run/polipo(/.*)?	gen_context(system_u:object_r:polipo_var_run_t,s0)
 +/var/run/polipo(/.*)?	gen_context(system_u:object_r:polipo_pid_t,s0)
 diff --git a/polipo.if b/polipo.if
-index ae27bb7..d00f6ba 100644
+index ae27bb7..10a7787 100644
 --- a/polipo.if
 +++ b/polipo.if
 @@ -1,8 +1,8 @@
@@ -67685,7 +67751,7 @@ index ae27bb7..d00f6ba 100644
  
  	tunable_policy(`polipo_session_users',`
  		domtrans_pattern($2, polipo_exec_t, polipo_session_t)
-@@ -52,57 +47,129 @@ template(`polipo_role',`
+@@ -52,57 +47,130 @@ template(`polipo_role',`
  
  ########################################
  ## <summary>
@@ -67818,6 +67884,7 @@ index ae27bb7..d00f6ba 100644
 +	')
 +
 +	systemd_exec_systemctl($1)
++	init_reload_services($1)
 +	allow $1 polipo_unit_file_t:file read_file_perms;
 +	allow $1 polipo_unit_file_t:service manage_service_perms;
 +
@@ -67832,7 +67899,7 @@ index ae27bb7..d00f6ba 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -118,27 +185,35 @@ interface(`polipo_log_filetrans_log',`
+@@ -118,27 +186,35 @@ interface(`polipo_log_filetrans_log',`
  #
  interface(`polipo_admin',`
  	gen_require(`
@@ -70414,7 +70481,7 @@ index efcb653..ff2c96a 100644
 +/var/log/ppp-connect-errors.*	--	gen_context(system_u:object_r:pppd_log_t,s0)
 +/var/log/ppp(/.*)?	gen_context(system_u:object_r:pppd_log_t,s0)
 diff --git a/ppp.if b/ppp.if
-index cd8b8b9..6c73980 100644
+index cd8b8b9..2cfa88a 100644
 --- a/ppp.if
 +++ b/ppp.if
 @@ -1,110 +1,91 @@
@@ -70801,7 +70868,7 @@ index cd8b8b9..6c73980 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -461,31 +424,62 @@ interface(`ppp_initrc_domtrans',`
+@@ -461,31 +424,63 @@ interface(`ppp_initrc_domtrans',`
  
  ########################################
  ## <summary>
@@ -70824,6 +70891,7 @@ index cd8b8b9..6c73980 100644
 +	')
 +
 +	systemd_exec_systemctl($1)
++	init_reload_services($1)
 +	allow $1 pppd_unit_file_t:file read_file_perms;
 +	allow $1 pppd_unit_file_t:service manage_service_perms;
 +
@@ -70873,7 +70941,7 @@ index cd8b8b9..6c73980 100644
  
  	ppp_initrc_domtrans($1)
  	domain_system_change_exemption($1)
-@@ -496,14 +490,26 @@ interface(`ppp_admin',`
+@@ -496,14 +491,26 @@ interface(`ppp_admin',`
  	admin_pattern($1, pppd_tmp_t)
  
  	logging_list_logs($1)
@@ -72366,10 +72434,10 @@ index 0000000..96a0d9f
 +/var/run/prosody(/.*)?		gen_context(system_u:object_r:prosody_var_run_t,s0)
 diff --git a/prosody.if b/prosody.if
 new file mode 100644
-index 0000000..19c35c1
+index 0000000..44ed5ad
 --- /dev/null
 +++ b/prosody.if
-@@ -0,0 +1,234 @@
+@@ -0,0 +1,235 @@
 +
 +## <summary>policy for prosody</summary>
 +
@@ -72504,6 +72572,7 @@ index 0000000..19c35c1
 +	')
 +
 +	systemd_exec_systemctl($1)
++	init_reload_services($1)
 +        systemd_read_fifo_file_passwd_run($1)
 +	allow $1 prosody_unit_file_t:file read_file_perms;
 +	allow $1 prosody_unit_file_t:service manage_service_perms;
@@ -76743,10 +76812,10 @@ index 70ab68b..b985b65 100644
 +/var/run/neutron(/.*)?	gen_context(system_u:object_r:neutron_var_run_t,s0)
 +/var/run/quantum(/.*)?	gen_context(system_u:object_r:neutron_var_run_t,s0)
 diff --git a/quantum.if b/quantum.if
-index afc0068..97bbea4 100644
+index afc0068..589a7fd 100644
 --- a/quantum.if
 +++ b/quantum.if
-@@ -2,41 +2,294 @@
+@@ -2,41 +2,295 @@
  
  ########################################
  ## <summary>
@@ -77010,6 +77079,7 @@ index afc0068..97bbea4 100644
 +	')
 +
 +	systemd_exec_systemctl($1)
++	init_reload_services($1)
 +	systemd_read_fifo_file_passwd_run($1)
 +	allow $1 neutron_unit_file_t:file read_file_perms;
 +	allow $1 neutron_unit_file_t:service manage_service_perms;
@@ -77986,10 +78056,10 @@ index d447e85..76ed794 100644
  /var/log/freeradius(/.*)?	gen_context(system_u:object_r:radiusd_log_t,s0)
  /var/log/radacct(/.*)?	gen_context(system_u:object_r:radiusd_log_t,s0)
 diff --git a/radius.if b/radius.if
-index 4460582..60cf556 100644
+index 4460582..4c66c25 100644
 --- a/radius.if
 +++ b/radius.if
-@@ -14,6 +14,29 @@ interface(`radius_use',`
+@@ -14,6 +14,30 @@ interface(`radius_use',`
  	refpolicywarn(`$0($*) has been deprecated.')
  ')
  
@@ -78010,6 +78080,7 @@ index 4460582..60cf556 100644
 +    ')
 +
 +    systemd_exec_systemctl($1)
++	init_reload_services($1)
 +    allow $1 radiusd_unit_file_t:file read_file_perms;
 +    allow $1 radiusd_unit_file_t:service manage_service_perms;
 +
@@ -78019,7 +78090,7 @@ index 4460582..60cf556 100644
  ########################################
  ## <summary>
  ##	All of the rules required to
-@@ -35,11 +58,14 @@ interface(`radius_admin',`
+@@ -35,11 +59,14 @@ interface(`radius_admin',`
  	gen_require(`
  		type radiusd_t, radiusd_etc_t, radiusd_log_t;
  		type radiusd_etc_rw_t, radiusd_var_lib_t, radiusd_var_run_t;
@@ -78036,7 +78107,7 @@ index 4460582..60cf556 100644
  
  	init_labeled_script_domtrans($1, radiusd_initrc_exec_t)
  	domain_system_change_exemption($1)
-@@ -57,4 +83,9 @@ interface(`radius_admin',`
+@@ -57,4 +84,9 @@ interface(`radius_admin',`
  
  	files_list_pids($1)
  	admin_pattern($1, radiusd_var_run_t)
@@ -78047,7 +78118,7 @@ index 4460582..60cf556 100644
 +
  ')
 diff --git a/radius.te b/radius.te
-index 403a4fe..f6923e3 100644
+index 403a4fe..870d7b3 100644
 --- a/radius.te
 +++ b/radius.te
 @@ -27,6 +27,9 @@ files_type(radiusd_var_lib_t)
@@ -78084,7 +78155,7 @@ index 403a4fe..f6923e3 100644
  corenet_all_recvfrom_netlabel(radiusd_t)
  corenet_tcp_sendrecv_generic_if(radiusd_t)
  corenet_udp_sendrecv_generic_if(radiusd_t)
-@@ -74,6 +75,9 @@ corenet_tcp_sendrecv_all_ports(radiusd_t)
+@@ -74,10 +75,14 @@ corenet_tcp_sendrecv_all_ports(radiusd_t)
  corenet_udp_sendrecv_all_ports(radiusd_t)
  corenet_udp_bind_generic_node(radiusd_t)
  
@@ -78094,7 +78165,12 @@ index 403a4fe..f6923e3 100644
  corenet_sendrecv_radacct_server_packets(radiusd_t)
  corenet_udp_bind_radacct_port(radiusd_t)
  
-@@ -97,7 +101,6 @@ domain_use_interactive_fds(radiusd_t)
+ corenet_sendrecv_radius_server_packets(radiusd_t)
++corenet_tcp_bind_radius_port(radiusd_t)
+ corenet_udp_bind_radius_port(radiusd_t)
+ 
+ corenet_sendrecv_snmp_client_packets(radiusd_t)
+@@ -97,7 +102,6 @@ domain_use_interactive_fds(radiusd_t)
  fs_getattr_all_fs(radiusd_t)
  fs_search_auto_mountpoints(radiusd_t)
  
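Review bot: The added `corenet_tcp_bind_radius_port(radiusd_t)` lets radiusd listen on the RADIUS port over TCP, yet none of the changelog entries in the commit message mention radius, so the reason for widening the daemon's network access is undocumented. Add a changelog line and a policy comment above the call, for example `# RADIUS over TCP listener` if that is the use case. A TCP listener also needs node-bind permission, and only `corenet_udp_bind_generic_node(radiusd_t)` is visible in the neighbouring hunk. Check that `corenet_tcp_bind_generic_node(radiusd_t)` is already granted elsewhere in radius.te.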
@@ -78102,7 +78178,7 @@ index 403a4fe..f6923e3 100644
  files_read_etc_runtime_files(radiusd_t)
  files_dontaudit_list_tmp(radiusd_t)
  
-@@ -109,7 +112,6 @@ libs_exec_lib_files(radiusd_t)
+@@ -109,7 +113,6 @@ libs_exec_lib_files(radiusd_t)
  
  logging_send_syslog_msg(radiusd_t)
  
@@ -78110,7 +78186,7 @@ index 403a4fe..f6923e3 100644
  miscfiles_read_generic_certs(radiusd_t)
  
  sysnet_use_ldap(radiusd_t)
-@@ -122,6 +124,11 @@ optional_policy(`
+@@ -122,6 +125,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -78122,7 +78198,7 @@ index 403a4fe..f6923e3 100644
  	logrotate_exec(radiusd_t)
  ')
  
-@@ -140,5 +147,10 @@ optional_policy(`
+@@ -140,5 +148,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -78213,7 +78289,7 @@ index 5806046..d83ec27 100644
  
  /var/run/mdadm(/.*)?	gen_context(system_u:object_r:mdadm_var_run_t,s0)
 diff --git a/raid.if b/raid.if
-index 951db7f..c0cabe8 100644
+index 951db7f..04b6dde 100644
 --- a/raid.if
 +++ b/raid.if
 @@ -1,9 +1,8 @@
@@ -78228,7 +78304,7 @@ index 951db7f..c0cabe8 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -22,34 +21,56 @@ interface(`raid_domtrans_mdadm',`
+@@ -22,34 +21,57 @@ interface(`raid_domtrans_mdadm',`
  
  ######################################
  ## <summary>
@@ -78280,6 +78356,7 @@ index 951db7f..c0cabe8 100644
 +	')
 +
 +	systemd_exec_systemctl($1)
++	init_reload_services($1)
 +	allow $1 mdadm_unit_file_t:file read_file_perms;
 +	allow $1 mdadm_unit_file_t:service manage_service_perms;
 +
@@ -78294,7 +78371,7 @@ index 951db7f..c0cabe8 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -57,47 +78,112 @@ interface(`raid_run_mdadm',`
+@@ -57,47 +79,112 @@ interface(`raid_run_mdadm',`
  ##	</summary>
  ## </param>
  #
@@ -78601,10 +78678,10 @@ index 0000000..8e31dd0
 +/var/lib/rasdaemon(/.*)?		gen_context(system_u:object_r:rasdaemon_var_lib_t,s0)
 diff --git a/rasdaemon.if b/rasdaemon.if
 new file mode 100644
-index 0000000..a073efd
+index 0000000..d57006d
 --- /dev/null
 +++ b/rasdaemon.if
-@@ -0,0 +1,156 @@
+@@ -0,0 +1,157 @@
 +
 +## <summary>The rasdaemon program is a daemon with monitors the RAS trace events from /sys/kernel/debug/tracing</summary>
 +
@@ -78720,6 +78797,7 @@ index 0000000..a073efd
 +	')
 +
 +	systemd_exec_systemctl($1)
++	init_reload_services($1)
 +        systemd_read_fifo_file_passwd_run($1)
 +	allow $1 rasdaemon_unit_file_t:file read_file_perms;
 +	allow $1 rasdaemon_unit_file_t:service manage_service_perms;
@@ -79327,10 +79405,10 @@ index e9765c0..ea21331 100644
  
  /usr/sbin/rdisc	--	gen_context(system_u:object_r:rdisc_exec_t,s0)
 diff --git a/rdisc.if b/rdisc.if
-index 170ef52..7dd9193 100644
+index 170ef52..28ccc4a 100644
 --- a/rdisc.if
 +++ b/rdisc.if
-@@ -18,3 +18,57 @@ interface(`rdisc_exec',`
+@@ -18,3 +18,58 @@ interface(`rdisc_exec',`
  	corecmd_search_bin($1)
  	can_exec($1, rdisc_exec_t)
  ')
@@ -79352,6 +79430,7 @@ index 170ef52..7dd9193 100644
 +        ')
 +
 +        systemd_exec_systemctl($1)
++	init_reload_services($1)
 +        systemd_read_fifo_file_passwd_run($1)
 +        allow $1 rdisc_unit_file_t:file read_file_perms;
 +        allow $1 rdisc_unit_file_t:service manage_service_perms;
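Review bot: The new `init_reload_services($1)` line is indented with a tab while every neighbouring line of this interface body uses eight spaces, so the block no longer lines up in editors with a different tab width. Indent it like its neighbours: `        init_reload_services($1)`. The oddjob, radius and rhcs hunks have the same mismatch against four-space bodies.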
@@ -79889,10 +79968,10 @@ index e240ac9..638d6b4 100644
 +
 +/var/run/redis(/.*)?		gen_context(system_u:object_r:redis_var_run_t,s0)
 diff --git a/redis.if b/redis.if
-index 16c8ecb..2640ab5 100644
+index 16c8ecb..4e021ec 100644
 --- a/redis.if
 +++ b/redis.if
-@@ -1,9 +1,224 @@
+@@ -1,9 +1,225 @@
 -## <summary>Advanced key-value store.</summary>
 +## <summary>Advanced key-value store</summary>
  
@@ -80106,6 +80185,7 @@ index 16c8ecb..2640ab5 100644
 +	')
 +
 +	systemd_exec_systemctl($1)
++	init_reload_services($1)
 +    systemd_read_fifo_file_passwd_run($1)
 +	allow $1 redis_unit_file_t:file read_file_perms;
 +	allow $1 redis_unit_file_t:service manage_service_perms;
@@ -80120,7 +80200,7 @@ index 16c8ecb..2640ab5 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -20,7 +235,7 @@
+@@ -20,7 +236,7 @@
  interface(`redis_admin',`
  	gen_require(`
  		type redis_t, redis_initrc_exec_t, redis_var_lib_t;
@@ -80129,7 +80209,7 @@ index 16c8ecb..2640ab5 100644
  	')
  
  	allow $1 redis_t:process { ptrace signal_perms };
-@@ -32,11 +247,20 @@ interface(`redis_admin',`
+@@ -32,11 +248,20 @@ interface(`redis_admin',`
  	allow $2 system_r;
  
  	logging_search_logs($1)
@@ -80950,7 +81030,7 @@ index 47de2d6..2c625fb 100644
 +/var/log/cluster/rgmanager\.log.*       --  gen_context(system_u:object_r:cluster_var_log_t,s0)
 +/var/log/pcsd(/.*)?     gen_context(system_u:object_r:cluster_var_log_t,s0)
 diff --git a/rhcs.if b/rhcs.if
-index c8bdea2..57fad67 100644
+index c8bdea2..bf60580 100644
 --- a/rhcs.if
 +++ b/rhcs.if
 @@ -1,19 +1,19 @@
@@ -81382,7 +81462,7 @@ index c8bdea2..57fad67 100644
  ')
  
  ######################################
-@@ -446,52 +556,361 @@ interface(`rhcs_domtrans_qdiskd',`
+@@ -446,52 +556,362 @@ interface(`rhcs_domtrans_qdiskd',`
  
  ########################################
  ## <summary>
@@ -81713,6 +81793,7 @@ index c8bdea2..57fad67 100644
 +    ')
 +
 +    systemd_exec_systemctl($1)
++	init_reload_services($1)
 +    allow $1 cluster_unit_file_t:file read_file_perms;
 +    allow $1 cluster_unit_file_t:service manage_service_perms;
 +
@@ -82452,10 +82533,10 @@ index 0000000..bf11e25
 +')
 diff --git a/rhev.te b/rhev.te
 new file mode 100644
-index 0000000..eeee78a
+index 0000000..8b7aa12
 --- /dev/null
 +++ b/rhev.te
-@@ -0,0 +1,124 @@
+@@ -0,0 +1,128 @@
 +policy_module(rhev,1.0)
 +
 +########################################
@@ -82551,6 +82632,10 @@ index 0000000..eeee78a
 +')
 +
 +optional_policy(`
++    udev_read_db(rhev_agentd_t)
++')
++
++optional_policy(`
 +   xserver_stream_connect(rhev_agentd_t)
 +')
 +
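Review bot: The new `udev_read_db(rhev_agentd_t)` block carries no comment saying why the agent needs the udev database. The reason given in the commit message (hosted engine deployment via iSCSI) lives only in the spec changelog. A line such as `# needed for hosted engine deployment via iSCSI` above the call would keep the justification next to the rule. The block is also indented four spaces while the `xserver_stream_connect` block after it uses three.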
@@ -82733,10 +82818,10 @@ index 0000000..860a91d
 +/etc/sysconfig/rhn(/.*)?		gen_context(system_u:object_r:rhnsd_conf_t,s0)
 diff --git a/rhnsd.if b/rhnsd.if
 new file mode 100644
-index 0000000..4c6fd7a
+index 0000000..a161c70
 --- /dev/null
 +++ b/rhnsd.if
-@@ -0,0 +1,119 @@
+@@ -0,0 +1,120 @@
 +## <summary>policy for rhnsd</summary>
 +
 +########################################
@@ -82793,6 +82878,7 @@ index 0000000..4c6fd7a
 +	')
 +
 +	systemd_exec_systemctl($1)
++	init_reload_services($1)
 +    systemd_read_fifo_file_passwd_run($1)
 +	allow $1 rhnsd_unit_file_t:file read_file_perms;
 +	allow $1 rhnsd_unit_file_t:service manage_service_perms;
@@ -83183,7 +83269,7 @@ index 6dbc905..4b17c93 100644
 -	admin_pattern($1, rhsmcertd_lock_t)
  ')
 diff --git a/rhsmcertd.te b/rhsmcertd.te
-index d32e1a2..a76de40 100644
+index d32e1a2..581e801 100644
 --- a/rhsmcertd.te
 +++ b/rhsmcertd.te
 @@ -18,6 +18,9 @@ logging_log_file(rhsmcertd_log_t)
@@ -83222,7 +83308,7 @@ index d32e1a2..a76de40 100644
  manage_dirs_pattern(rhsmcertd_t, rhsmcertd_var_lib_t, rhsmcertd_var_lib_t)
  manage_files_pattern(rhsmcertd_t, rhsmcertd_var_lib_t, rhsmcertd_var_lib_t)
  
-@@ -50,25 +56,65 @@ manage_files_pattern(rhsmcertd_t, rhsmcertd_var_run_t, rhsmcertd_var_run_t)
+@@ -50,25 +56,69 @@ manage_files_pattern(rhsmcertd_t, rhsmcertd_var_run_t, rhsmcertd_var_run_t)
  files_pid_filetrans(rhsmcertd_t, rhsmcertd_var_run_t, { file dir })
  
  kernel_read_network_state(rhsmcertd_t)
@@ -83292,6 +83378,10 @@ index d32e1a2..a76de40 100644
 +optional_policy(`
 +	rpm_manage_db(rhsmcertd_t)
 +    rpm_signull(rhsmcertd_t)
++')
++
++optional_policy(`
++    virt_signull(rhsmcertd_t)
  ')
 diff --git a/ricci.if b/ricci.if
 index 2ab3ed1..23d579c 100644
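Review bot: The `virt_signull(rhsmcertd_t)` grant probably reaches further than its stated purpose. The commit message says virt-who is labelled `virtd_exec_t` and runs as `virtd_t`, so the rule presumably lets rhsmcertd_t send a null signal to every `virtd_t` process, not only virt-who. The interface definition is not visible in this hunk. A null signal only tests for existence, so the exposure is small, but a comment such as `# rhsmcertd checks whether virt-who (running as virtd_t) is alive` would record the intent. The new call is indented four spaces while `rpm_manage_db` in the block above uses a tab.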
@@ -83861,10 +83951,10 @@ index fa19aa8..90eb481 100644
  
  /var/run/rngd\.pid	--	gen_context(system_u:object_r:rngd_var_run_t,s0)
 diff --git a/rngd.if b/rngd.if
-index 13f788f..e01572a 100644
+index 13f788f..10e2033 100644
 --- a/rngd.if
 +++ b/rngd.if
-@@ -2,6 +2,28 @@
+@@ -2,6 +2,29 @@
  
  ########################################
  ## <summary>
@@ -83882,6 +83972,7 @@ index 13f788f..e01572a 100644
 +	')
 +
 +	systemd_exec_systemctl($1)
++	init_reload_services($1)
 +	allow $1 rngd_unit_file_t:file read_file_perms;
 +	allow $1 rngd_unit_file_t:service manage_service_perms;
 +
@@ -83893,7 +83984,7 @@ index 13f788f..e01572a 100644
  ##	All of the rules required to
  ##	administrate an rng environment.
  ## </summary>
-@@ -17,14 +39,18 @@
+@@ -17,14 +40,18 @@
  ## </param>
  ## <rolecap/>
  #
@@ -83915,7 +84006,7 @@ index 13f788f..e01572a 100644
  	init_labeled_script_domtrans($1, rngd_initrc_exec_t)
  	domain_system_change_exemption($1)
  	role_transition $2 rngd_initrc_exec_t system_r;
-@@ -32,4 +58,8 @@ interface(`rngd_admin',`
+@@ -32,4 +59,8 @@ interface(`rngd_admin',`
  
  	files_search_pids($1)
  	admin_pattern($1, rngd_var_run_t)
@@ -83958,10 +84049,10 @@ index 0000000..504b6e1
 +/usr/sbin/roled		--	gen_context(system_u:object_r:rolekit_exec_t,s0)
 diff --git a/rolekit.if b/rolekit.if
 new file mode 100644
-index 0000000..8d833ed
+index 0000000..b694846
 --- /dev/null
 +++ b/rolekit.if
-@@ -0,0 +1,124 @@
+@@ -0,0 +1,125 @@
 +## <summary>Daemon for Linux systems providing a stable D-BUS interface to manage the deployment of Server Roles. </summary>
 +
 +########################################
@@ -84000,6 +84091,7 @@ index 0000000..8d833ed
 +	')
 +
 +	systemd_exec_systemctl($1)
++	init_reload_services($1)
 +    systemd_read_fifo_file_passwd_run($1)
 +	allow $1 rolekit_unit_file_t:file read_file_perms;
 +	allow $1 rolekit_unit_file_t:service manage_service_perms;
@@ -84235,7 +84327,7 @@ index a6fb30c..38a2f09 100644
 +/var/run/rpc\.statd\.pid --	gen_context(system_u:object_r:rpcd_var_run_t,s0)
 +
 diff --git a/rpc.if b/rpc.if
-index 0bf13c2..d59aef7 100644
+index 0bf13c2..1d69728 100644
 --- a/rpc.if
 +++ b/rpc.if
 @@ -1,4 +1,4 @@
@@ -84366,7 +84458,7 @@ index 0bf13c2..d59aef7 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -167,120 +178,126 @@ interface(`rpc_initrc_domtrans_nfsd',`
+@@ -167,120 +178,128 @@ interface(`rpc_initrc_domtrans_nfsd',`
  ##	</summary>
  ## </param>
  #
@@ -84381,6 +84473,7 @@ index 0bf13c2..d59aef7 100644
 -	corecmd_search_bin($1)
 -	domtrans_pattern($1, rpcd_exec_t, rpcd_t)
 +	systemd_exec_systemctl($1)
++	init_reload_services($1)
 +	allow $1 nfsd_unit_file_t:file read_file_perms;
 +	allow $1 nfsd_unit_file_t:service manage_service_perms;
 +
@@ -84523,6 +84616,7 @@ index 0bf13c2..d59aef7 100644
  
 -	allow $1 nfsd_t:tcp_socket rw_socket_perms;
 +	systemd_exec_systemctl($1)
++	init_reload_services($1)
 +	allow $1 rpcd_unit_file_t:file read_file_perms;
 +	allow $1 rpcd_unit_file_t:service manage_service_perms;
 +
@@ -84536,7 +84630,7 @@ index 0bf13c2..d59aef7 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -312,7 +329,7 @@ interface(`rpc_udp_send_nfs',`
+@@ -312,7 +331,7 @@ interface(`rpc_udp_send_nfs',`
  
  ########################################
  ## <summary>
@@ -84545,7 +84639,7 @@ index 0bf13c2..d59aef7 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -326,12 +343,12 @@ interface(`rpc_search_nfs_state_data',`
+@@ -326,12 +345,12 @@ interface(`rpc_search_nfs_state_data',`
  	')
  
  	files_search_var_lib($1)
@@ -84560,7 +84654,7 @@ index 0bf13c2..d59aef7 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -339,19 +356,18 @@ interface(`rpc_search_nfs_state_data',`
+@@ -339,19 +358,18 @@ interface(`rpc_search_nfs_state_data',`
  ##	</summary>
  ## </param>
  #
@@ -84583,7 +84677,7 @@ index 0bf13c2..d59aef7 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -359,34 +375,54 @@ interface(`rpc_read_nfs_state_data',`
+@@ -359,34 +377,54 @@ interface(`rpc_read_nfs_state_data',`
  ##	</summary>
  ## </param>
  #
@@ -87104,10 +87198,10 @@ index 0000000..4552e91
 +
 diff --git a/rtas.if b/rtas.if
 new file mode 100644
-index 0000000..0ec3302
+index 0000000..92cc49d
 --- /dev/null
 +++ b/rtas.if
-@@ -0,0 +1,162 @@
+@@ -0,0 +1,163 @@
 +
 +## <summary>Platform diagnostics report firmware events.</summary>
 +
@@ -87226,6 +87320,7 @@ index 0000000..0ec3302
 +	')
 +
 +	systemd_exec_systemctl($1)
++	init_reload_services($1)
 +    systemd_read_fifo_file_passwd_run($1)
 +	allow $1 rtas_errd_unit_file_t:file read_file_perms;
 +	allow $1 rtas_errd_unit_file_t:service manage_service_perms;
@@ -87629,7 +87724,7 @@ index b8b66ff..a93346e 100644
 +/var/lib/samba/scripts(/.*)?		gen_context(system_u:object_r:samba_unconfined_script_exec_t,s0)
 +')
 diff --git a/samba.if b/samba.if
-index 50d07fb..bada62f 100644
+index 50d07fb..dc069c8 100644
 --- a/samba.if
 +++ b/samba.if
 @@ -1,8 +1,12 @@
@@ -87707,7 +87802,7 @@ index 50d07fb..bada62f 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -77,7 +98,30 @@ interface(`samba_initrc_domtrans',`
+@@ -77,7 +98,31 @@ interface(`samba_initrc_domtrans',`
  
  ########################################
  ## <summary>
@@ -87727,6 +87822,7 @@ index 50d07fb..bada62f 100644
 +	')
 +
 +	systemd_exec_systemctl($1)
++	init_reload_services($1)
 +	allow $1 samba_unit_file_t:file read_file_perms;
 +	allow $1 samba_unit_file_t:service manage_service_perms;
 +
@@ -87739,7 +87835,7 @@ index 50d07fb..bada62f 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -96,9 +140,27 @@ interface(`samba_domtrans_net',`
+@@ -96,9 +141,27 @@ interface(`samba_domtrans_net',`
  
  ########################################
  ## <summary>
@@ -87770,7 +87866,7 @@ index 50d07fb..bada62f 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -114,11 +176,56 @@ interface(`samba_domtrans_net',`
+@@ -114,11 +177,56 @@ interface(`samba_domtrans_net',`
  #
  interface(`samba_run_net',`
  	gen_require(`
@@ -87829,7 +87925,7 @@ index 50d07fb..bada62f 100644
  ')
  
  ########################################
-@@ -142,9 +249,8 @@ interface(`samba_domtrans_smbmount',`
+@@ -142,9 +250,8 @@ interface(`samba_domtrans_smbmount',`
  
  ########################################
  ## <summary>
@@ -87841,7 +87937,7 @@ index 50d07fb..bada62f 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -160,16 +266,17 @@ interface(`samba_domtrans_smbmount',`
+@@ -160,16 +267,17 @@ interface(`samba_domtrans_smbmount',`
  #
  interface(`samba_run_smbmount',`
  	gen_require(`
@@ -87862,7 +87958,7 @@ index 50d07fb..bada62f 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -184,12 +291,14 @@ interface(`samba_read_config',`
+@@ -184,12 +292,14 @@ interface(`samba_read_config',`
  	')
  
  	files_search_etc($1)
@@ -87878,7 +87974,7 @@ index 50d07fb..bada62f 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -209,8 +318,8 @@ interface(`samba_rw_config',`
+@@ -209,8 +319,8 @@ interface(`samba_rw_config',`
  
  ########################################
  ## <summary>
@@ -87889,7 +87985,7 @@ index 50d07fb..bada62f 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -231,7 +340,7 @@ interface(`samba_manage_config',`
+@@ -231,7 +341,7 @@ interface(`samba_manage_config',`
  
  ########################################
  ## <summary>
@@ -87898,7 +87994,7 @@ index 50d07fb..bada62f 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -252,7 +361,7 @@ interface(`samba_read_log',`
+@@ -252,7 +362,7 @@ interface(`samba_read_log',`
  
  ########################################
  ## <summary>
@@ -87907,7 +88003,7 @@ index 50d07fb..bada62f 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -273,7 +382,7 @@ interface(`samba_append_log',`
+@@ -273,7 +383,7 @@ interface(`samba_append_log',`
  
  ########################################
  ## <summary>
@@ -87916,7 +88012,7 @@ index 50d07fb..bada62f 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -292,7 +401,7 @@ interface(`samba_exec_log',`
+@@ -292,7 +402,7 @@ interface(`samba_exec_log',`
  
  ########################################
  ## <summary>
@@ -87925,7 +88021,7 @@ index 50d07fb..bada62f 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -311,7 +420,7 @@ interface(`samba_read_secrets',`
+@@ -311,7 +421,7 @@ interface(`samba_read_secrets',`
  
  ########################################
  ## <summary>
@@ -87934,7 +88030,7 @@ index 50d07fb..bada62f 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -330,7 +439,8 @@ interface(`samba_read_share_files',`
+@@ -330,7 +440,8 @@ interface(`samba_read_share_files',`
  
  ########################################
  ## <summary>
@@ -87944,7 +88040,7 @@ index 50d07fb..bada62f 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -343,13 +453,15 @@ interface(`samba_search_var',`
+@@ -343,13 +454,15 @@ interface(`samba_search_var',`
  		type samba_var_t;
  	')
  
@@ -87961,7 +88057,7 @@ index 50d07fb..bada62f 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -362,14 +474,15 @@ interface(`samba_read_var_files',`
+@@ -362,14 +475,15 @@ interface(`samba_read_var_files',`
  		type samba_var_t;
  	')
  
@@ -87979,7 +88075,7 @@ index 50d07fb..bada62f 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -387,7 +500,8 @@ interface(`samba_dontaudit_write_var_files',`
+@@ -387,7 +501,8 @@ interface(`samba_dontaudit_write_var_files',`
  
  ########################################
  ## <summary>
@@ -87989,7 +88085,7 @@ index 50d07fb..bada62f 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -400,14 +514,15 @@ interface(`samba_rw_var_files',`
+@@ -400,14 +515,15 @@ interface(`samba_rw_var_files',`
  		type samba_var_t;
  	')
  
@@ -88007,7 +88103,7 @@ index 50d07fb..bada62f 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -421,33 +536,34 @@ interface(`samba_manage_var_files',`
+@@ -421,33 +537,34 @@ interface(`samba_manage_var_files',`
  	')
  
  	files_search_var_lib($1)
@@ -88050,7 +88146,7 @@ index 50d07fb..bada62f 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -462,16 +578,16 @@ interface(`samba_domtrans_smbcontrol',`
+@@ -462,16 +579,16 @@ interface(`samba_domtrans_smbcontrol',`
  #
  interface(`samba_run_smbcontrol',`
  	gen_require(`
@@ -88070,7 +88166,7 @@ index 50d07fb..bada62f 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -490,7 +606,7 @@ interface(`samba_domtrans_smbd',`
+@@ -490,7 +607,7 @@ interface(`samba_domtrans_smbd',`
  
  ######################################
  ## <summary>
@@ -88079,7 +88175,7 @@ index 50d07fb..bada62f 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -507,8 +623,7 @@ interface(`samba_signal_smbd',`
+@@ -507,8 +624,7 @@ interface(`samba_signal_smbd',`
  
  ########################################
  ## <summary>
@@ -88089,7 +88185,7 @@ index 50d07fb..bada62f 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -526,7 +641,7 @@ interface(`samba_dontaudit_use_fds',`
+@@ -526,7 +642,7 @@ interface(`samba_dontaudit_use_fds',`
  
  ########################################
  ## <summary>
@@ -88098,7 +88194,7 @@ index 50d07fb..bada62f 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -544,7 +659,7 @@ interface(`samba_write_smbmount_tcp_sockets',`
+@@ -544,7 +660,7 @@ interface(`samba_write_smbmount_tcp_sockets',`
  
  ########################################
  ## <summary>
@@ -88107,7 +88203,7 @@ index 50d07fb..bada62f 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -560,49 +675,47 @@ interface(`samba_rw_smbmount_tcp_sockets',`
+@@ -560,49 +676,47 @@ interface(`samba_rw_smbmount_tcp_sockets',`
  	allow $1 smbmount_t:tcp_socket { read write };
  ')
  
@@ -88176,7 +88272,7 @@ index 50d07fb..bada62f 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -618,16 +731,16 @@ interface(`samba_getattr_winbind_exec',`
+@@ -618,16 +732,16 @@ interface(`samba_getattr_winbind_exec',`
  #
  interface(`samba_run_winbind_helper',`
  	gen_require(`
@@ -88196,7 +88292,7 @@ index 50d07fb..bada62f 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -637,17 +750,16 @@ interface(`samba_run_winbind_helper',`
+@@ -637,17 +751,16 @@ interface(`samba_run_winbind_helper',`
  #
  interface(`samba_read_winbind_pid',`
  	gen_require(`
@@ -88218,7 +88314,7 @@ index 50d07fb..bada62f 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -657,17 +769,61 @@ interface(`samba_read_winbind_pid',`
+@@ -657,17 +770,61 @@ interface(`samba_read_winbind_pid',`
  #
  interface(`samba_stream_connect_winbind',`
  	gen_require(`
@@ -88285,7 +88381,7 @@ index 50d07fb..bada62f 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -676,7 +832,7 @@ interface(`samba_stream_connect_winbind',`
+@@ -676,7 +833,7 @@ interface(`samba_stream_connect_winbind',`
  ## </param>
  ## <param name="role">
  ##	<summary>
@@ -88294,7 +88390,7 @@ index 50d07fb..bada62f 100644
  ##	</summary>
  ## </param>
  ## <rolecap/>
-@@ -689,11 +845,28 @@ interface(`samba_admin',`
+@@ -689,11 +846,28 @@ interface(`samba_admin',`
  		type samba_etc_t, samba_share_t, samba_initrc_exec_t;
  		type swat_var_run_t, swat_tmp_t, winbind_log_t;
  		type winbind_var_run_t, winbind_tmp_t;
@@ -88326,7 +88422,7 @@ index 50d07fb..bada62f 100644
  
  	init_labeled_script_domtrans($1, samba_initrc_exec_t)
  	domain_system_change_exemption($1)
-@@ -703,23 +876,34 @@ interface(`samba_admin',`
+@@ -703,23 +877,34 @@ interface(`samba_admin',`
  	files_list_etc($1)
  	admin_pattern($1, { samba_etc_t smbd_keytab_t })
  
@@ -90834,7 +90930,7 @@ index 3df2a0f..9059165 100644
 -/var/log/sanlock\.log.*	--	gen_context(system_u:object_r:sanlock_log_t,s0)
 +/usr/lib/systemd/system/sanlock\.service -- gen_context(system_u:object_r:sanlock_unit_file_t,s0)
 diff --git a/sanlock.if b/sanlock.if
-index cd6c213..34b861a 100644
+index cd6c213..82a5ff0 100644
 --- a/sanlock.if
 +++ b/sanlock.if
 @@ -1,4 +1,5 @@
@@ -90876,7 +90972,7 @@ index cd6c213..34b861a 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -60,28 +59,50 @@ interface(`sanlock_manage_pid_files',`
+@@ -60,28 +59,51 @@ interface(`sanlock_manage_pid_files',`
  
  ########################################
  ## <summary>
@@ -90921,6 +91017,7 @@ index cd6c213..34b861a 100644
 -	files_search_pids($1)
 -	stream_connect_pattern($1, sanlock_var_run_t, sanlock_var_run_t, sanlock_t)
 +	systemd_exec_systemctl($1)
++	init_reload_services($1)
 +	allow $1 sanlock_unit_file_t:file read_file_perms;
 +	allow $1 sanlock_unit_file_t:service manage_service_perms;
 +
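Review bot: The added `init_reload_services($1)` is the only statement in this group that is not scoped to a sanlock type, unlike the two `allow $1 sanlock_unit_file_t:...` rules after it. As far as I recall, that interface lets the caller ask init to reload unit configuration as a whole, so every caller of the sanlock systemctl interface gains a manager-wide action. I would record that at the call site, e.g. `# systemctl may need a manager-wide daemon-reload; not limited to sanlock units`, and check that the interface `<summary>` (outside this hunk) mentions it. The same addition appears in the sensord, shutdown, speech-dispatcher, sssd, svnserve, swift, tomcat, tor, usbmuxd and virt hunks below. The interface body starts and ends outside this hunk.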
@@ -90936,7 +91033,7 @@ index cd6c213..34b861a 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -97,21 +118,23 @@ interface(`sanlock_stream_connect',`
+@@ -97,21 +119,23 @@ interface(`sanlock_stream_connect',`
  #
  interface(`sanlock_admin',`
  	gen_require(`
@@ -91489,7 +91586,7 @@ index 98c9e0a..562666e 100644
  	files_search_pids($1)
  	admin_pattern($1, sblim_var_run_t)
 diff --git a/sblim.te b/sblim.te
-index 299756b..1edabdf 100644
+index 299756b..135baca 100644
 --- a/sblim.te
 +++ b/sblim.te
 @@ -7,13 +7,11 @@ policy_module(sblim, 1.1.0)
@@ -91595,7 +91692,7 @@ index 299756b..1edabdf 100644
  ')
  
  optional_policy(`
-@@ -117,6 +133,43 @@ optional_policy(`
+@@ -117,6 +133,54 @@ optional_policy(`
  # Reposd local policy
  #
  
@@ -91621,12 +91718,15 @@ index 299756b..1edabdf 100644
 +fs_tmpfs_filetrans(sblim_sfcbd_t, sblim_sfcb_tmpfs_t, { dir file })
 +
 +auth_use_nsswitch(sblim_sfcbd_t)
++auth_domtrans_chkpwd(sblim_sfcbd_t)
 +
 +corenet_tcp_bind_pegasus_http_port(sblim_sfcbd_t)
 +corenet_tcp_connect_pegasus_http_port(sblim_sfcbd_t)
 +corenet_tcp_bind_pegasus_https_port(sblim_sfcbd_t)
 +corenet_tcp_connect_pegasus_https_port(sblim_sfcbd_t)
 +
++corenet_tcp_connect_http_port(sblim_sfcbd_t)
++
 +corecmd_exec_shell(sblim_sfcbd_t)
 +corecmd_exec_bin(sblim_sfcbd_t)
 +
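Review bot: `auth_domtrans_chkpwd(sblim_sfcbd_t)` and `corenet_tcp_connect_http_port(sblim_sfcbd_t)` are added without a comment, and the changelog in the commit message has no sblim entry, so a later reader cannot tell which sfcbd feature needs password checking or outbound HTTP. A one-line why-comment above each grant would help, e.g. `# sfcbd authenticates CIM clients via PAM (TODO confirm)`. The same goes for `logging_send_audit_msgs(sblim_sfcbd_t)` in the next hunk. The outbound HTTP grant is the one most worth justifying, since the block above it already covers the pegasus ports.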
@@ -91636,10 +91736,18 @@ index 299756b..1edabdf 100644
 +domain_read_all_domains_state(sblim_sfcbd_t)
 +domain_use_interactive_fds(sblim_sfcbd_t)
 +
++logging_send_audit_msgs(sblim_sfcbd_t)
++
 +optional_policy(`
 +    rpm_exec(sblim_sfcbd_t)
 +    rpm_dontaudit_manage_db(sblim_sfcbd_t)
 +')
++
++optional_policy(`
++    virt_manage_config(sblim_sfcbd_t)
++    virt_stream_connect(sblim_sfcbd_t)
++    virt_search_images(sblim_sfcbd_t)
++')
 diff --git a/screen.fc b/screen.fc
 index e7c2cf7..435aaa6 100644
 --- a/screen.fc
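Review bot: `virt_manage_config(sblim_sfcbd_t)` is the widest grant in the new `optional_policy` block: the other two calls are connect and search, whereas by refpolicy naming a `manage` interface covers create, write and delete on the virt configuration. Whether sfcbd needs to modify that configuration is not visible here. If it only queries libvirt through the socket, `virt_read_config(sblim_sfcbd_t)` would be the narrower choice. Otherwise a comment such as `# CIM providers edit libvirt config on behalf of clients (TODO confirm)` should record why write access is required.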
@@ -92586,10 +92694,10 @@ index 8185d5a..9be989a 100644
 +
  /var/run/sensord\.pid	--	gen_context(system_u:object_r:sensord_var_run_t,s0)
 diff --git a/sensord.if b/sensord.if
-index d204752..31cc6e6 100644
+index d204752..85631b3 100644
 --- a/sensord.if
 +++ b/sensord.if
-@@ -1,35 +1,80 @@
+@@ -1,35 +1,81 @@
 -## <summary>Sensor information logging daemon.</summary>
 +
 +## <summary>Sensor information logging daemon</summary>
@@ -92633,6 +92741,7 @@ index d204752..31cc6e6 100644
 +	')
 +
 +	systemd_exec_systemctl($1)
++	init_reload_services($1)
 +	allow $1 sensord_unit_file_t:file read_file_perms;
 +	allow $1 sensord_unit_file_t:service manage_service_perms;
 +
@@ -93573,7 +93682,7 @@ index a91f33b..631dbc1 100644
 -/var/run/shutdown\.pid	--	gen_context(system_u:object_r:shutdown_var_run_t,s0)
 +/var/run/shutdown\.pid		--	gen_context(system_u:object_r:shutdown_var_run_t,s0)
 diff --git a/shutdown.if b/shutdown.if
-index d1706bf..87ab4a7 100644
+index d1706bf..3aa7c9f 100644
 --- a/shutdown.if
 +++ b/shutdown.if
 @@ -1,30 +1,4 @@
@@ -93608,7 +93717,7 @@ index d1706bf..87ab4a7 100644
  
  ########################################
  ## <summary>
-@@ -43,13 +17,26 @@ interface(`shutdown_domtrans',`
+@@ -43,13 +17,27 @@ interface(`shutdown_domtrans',`
  
  	corecmd_search_bin($1)
  	domtrans_pattern($1, shutdown_exec_t, shutdown_t)
@@ -93618,6 +93727,7 @@ index d1706bf..87ab4a7 100644
 +
 +	optional_policy(`
 +		systemd_exec_systemctl($1)
++	init_reload_services($1)
 +		init_stream_connect($1)
 +		systemd_login_reboot($1)
 +		systemd_login_halt($1)
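Review bot: The added `init_reload_services($1)` is indented with one tab while its neighbours inside this `optional_policy` block use two, so it reads as if it sat outside the block; it should be `		init_reload_services($1)`. The same mismatch shows up in the sssd.if, svnserve.if and tor.if hunks, where a tab-indented line is inserted among space-indented statements. Matching the surrounding indentation in each place keeps the block structure readable when the policy is audited. The `optional_policy` block continues outside this hunk.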
@@ -93638,7 +93748,7 @@ index d1706bf..87ab4a7 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -64,16 +51,62 @@ interface(`shutdown_domtrans',`
+@@ -64,16 +52,62 @@ interface(`shutdown_domtrans',`
  #
  interface(`shutdown_run',`
  	gen_require(`
@@ -93704,7 +93814,7 @@ index d1706bf..87ab4a7 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -81,17 +114,19 @@ interface(`shutdown_run',`
+@@ -81,17 +115,19 @@ interface(`shutdown_run',`
  ##	</summary>
  ## </param>
  #
@@ -94594,10 +94704,10 @@ index cbfe369..6594af3 100644
  	files_search_var_lib($1)
 diff --git a/snapper.fc b/snapper.fc
 new file mode 100644
-index 0000000..e43fdd8
+index 0000000..4f4bdb3
 --- /dev/null
 +++ b/snapper.fc
-@@ -0,0 +1,8 @@
+@@ -0,0 +1,14 @@
 +/usr/sbin/snapperd		--	gen_context(system_u:object_r:snapperd_exec_t,s0)
 +
 +/etc/snapper(/.*)?          gen_context(system_u:object_r:snapperd_conf_t,s0)
@@ -94605,13 +94715,19 @@ index 0000000..e43fdd8
 +
 +/var/log/snapper\.log.* --  gen_context(system_u:object_r:snapperd_log_t,s0)
 +
-+/mnt/(.*/)?.snapshots(/.*)?   gen_context(system_u:object_r:snapperd_data_t,s0)
++/mnt/(.*/)?\.snapshots(/.*)?   gen_context(system_u:object_r:snapperd_data_t,s0)
++/\.snapshots(/.*)?   gen_context(system_u:object_r:snapperd_data_t,s0)
++/usr/\.snapshots(/.*)?   gen_context(system_u:object_r:snapperd_data_t,s0)
++/var/\.snapshots(/.*)?   gen_context(system_u:object_r:snapperd_data_t,s0)
++/etc/\.snapshots(/.*)?   gen_context(system_u:object_r:snapperd_data_t,s0)
++/home/\.snapshots(/.*)?   gen_context(system_u:object_r:snapperd_data_t,s0)
++/home/(.*/)?\.snapshots(/.*)?   gen_context(system_u:object_r:snapperd_data_t,s0)
 diff --git a/snapper.if b/snapper.if
 new file mode 100644
-index 0000000..94105ee
+index 0000000..5a3cb30
 --- /dev/null
 +++ b/snapper.if
-@@ -0,0 +1,42 @@
+@@ -0,0 +1,62 @@
 +
 +## <summary>policy for snapperd</summary>
 +
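Review bot: `/home/(.*/)?\.snapshots(/.*)?` matches a `.snapshots` directory at any depth under /home, so a directory of that name inside a user's home would presumably be relabelled snapperd_data_t on a relabel, which looks wider than the changelog's "on all mountpoints". It also makes the line above it, `/home/\.snapshots(/.*)?`, redundant, because the optional group can be empty. If only the mountpoint-level directory is meant, keep the anchored form and drop the wildcard one; otherwise add a comment such as `# .snapshots may sit on nested mountpoints below /home`. What other domains may do with snapperd_data_t is not visible here, so the impact needs confirming.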
@@ -94654,12 +94770,32 @@ index 0000000..94105ee
 +	allow $1 snapperd_t:dbus send_msg;
 +	allow snapperd_t $1:dbus send_msg;
 +')
++
++#######################################
++## <summary>
++##      Allow domain to create .smapshot
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain allowed access.
++##      </summary>
++## </param>
++#
++interface(`snapper_filetrans_named_content',`
++
++    gen_require(`
++        type snapperd_data_t;
++    ')
++    
++    files_mountpoint_filetrans($1, snapperd_data_t, dir, ".snapshots")
++')
++
 diff --git a/snapper.te b/snapper.te
 new file mode 100644
-index 0000000..1da64f9
+index 0000000..90903a9
 --- /dev/null
 +++ b/snapper.te
-@@ -0,0 +1,74 @@
+@@ -0,0 +1,75 @@
 +policy_module(snapper, 1.0.0)
 +
 +########################################
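Review bot: The summary of `snapper_filetrans_named_content` misspells the name (`.smapshot`) and says "Allow domain to create", while the visible body only calls `files_mountpoint_filetrans($1, snapperd_data_t, dir, ".snapshots")`. That call sets the label for a directory of that name and, as far as this body shows, grants no create permission itself. I would reword the summary to `##	Label a directory named .snapshots created on a mountpoint as snapperd_data_t.`. The body is also indented with spaces and carries a whitespace-only line, unlike the tab-indented `allow` rules of the interface above it.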
@@ -94698,6 +94834,7 @@ index 0000000..1da64f9
 +manage_files_pattern(snapperd_t, snapperd_data_t, snapperd_data_t)
 +manage_dirs_pattern(snapperd_t, snapperd_data_t, snapperd_data_t)
 +manage_lnk_files_pattern(snapperd_t, snapperd_data_t, snapperd_data_t)
++snapper_filetrans_named_content(snapperd_t)
 +
 +domain_read_all_domains_state(snapperd_t)
 +
@@ -95880,7 +96017,7 @@ index 1499b0b..6950cab 100644
 -	spamassassin_role($2, $1)
  ')
 diff --git a/spamassassin.te b/spamassassin.te
-index cc58e35..025b7d5 100644
+index cc58e35..b1878b4 100644
 --- a/spamassassin.te
 +++ b/spamassassin.te
 @@ -7,50 +7,23 @@ policy_module(spamassassin, 2.6.1)
@@ -96334,7 +96471,7 @@ index cc58e35..025b7d5 100644
  	sendmail_stub(spamc_t)
  ')
  
-@@ -267,36 +375,38 @@ optional_policy(`
+@@ -267,36 +375,40 @@ optional_policy(`
  
  ########################################
  #
@@ -96379,6 +96516,8 @@ index cc58e35..025b7d5 100644
 -manage_sock_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t)
 -userdom_user_home_dir_filetrans(spamd_t, spamassassin_home_t, dir, ".spamassassin")
 +# needed by razor
++list_dirs_pattern(spamd_t, spamd_etc_t, spamd_etc_t)
++read_lnk_files_pattern(spamd_t, spamd_etc_t, spamd_etc_t)
 +rw_files_pattern(spamd_t, spamd_etc_t, spamd_etc_t)
  
 +can_exec(spamd_t, spamd_compiled_t)
@@ -96390,7 +96529,7 @@ index cc58e35..025b7d5 100644
  logging_log_filetrans(spamd_t, spamd_log_t, file)
  
  manage_dirs_pattern(spamd_t, spamd_spool_t, spamd_spool_t)
-@@ -308,7 +418,8 @@ manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t)
+@@ -308,7 +420,8 @@ manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t)
  manage_files_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t)
  files_tmp_filetrans(spamd_t, spamd_tmp_t, { file dir })
  
@@ -96400,7 +96539,7 @@ index cc58e35..025b7d5 100644
  manage_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t)
  manage_lnk_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t)
  
-@@ -317,12 +428,13 @@ manage_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)
+@@ -317,12 +430,13 @@ manage_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)
  manage_sock_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)
  files_pid_filetrans(spamd_t, spamd_var_run_t, { file dir })
  
@@ -96416,7 +96555,7 @@ index cc58e35..025b7d5 100644
  corenet_all_recvfrom_netlabel(spamd_t)
  corenet_tcp_sendrecv_generic_if(spamd_t)
  corenet_udp_sendrecv_generic_if(spamd_t)
-@@ -331,78 +443,59 @@ corenet_udp_sendrecv_generic_node(spamd_t)
+@@ -331,78 +445,59 @@ corenet_udp_sendrecv_generic_node(spamd_t)
  corenet_tcp_sendrecv_all_ports(spamd_t)
  corenet_udp_sendrecv_all_ports(spamd_t)
  corenet_tcp_bind_generic_node(spamd_t)
@@ -96520,7 +96659,7 @@ index cc58e35..025b7d5 100644
  ')
  
  optional_policy(`
-@@ -421,21 +514,13 @@ optional_policy(`
+@@ -421,21 +516,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -96544,7 +96683,7 @@ index cc58e35..025b7d5 100644
  ')
  
  optional_policy(`
-@@ -443,8 +528,8 @@ optional_policy(`
+@@ -443,8 +530,8 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -96554,7 +96693,7 @@ index cc58e35..025b7d5 100644
  ')
  
  optional_policy(`
-@@ -455,7 +540,17 @@ optional_policy(`
+@@ -455,7 +542,17 @@ optional_policy(`
  optional_policy(`
  	razor_domtrans(spamd_t)
  	razor_read_lib_files(spamd_t)
@@ -96573,7 +96712,7 @@ index cc58e35..025b7d5 100644
  ')
  
  optional_policy(`
-@@ -463,9 +558,9 @@ optional_policy(`
+@@ -463,9 +560,9 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -96584,7 +96723,7 @@ index cc58e35..025b7d5 100644
  ')
  
  optional_policy(`
-@@ -474,32 +569,32 @@ optional_policy(`
+@@ -474,32 +571,32 @@ optional_policy(`
  
  ########################################
  #
@@ -96627,7 +96766,7 @@ index cc58e35..025b7d5 100644
  
  corecmd_exec_bin(spamd_update_t)
  corecmd_exec_shell(spamd_update_t)
-@@ -508,25 +603,21 @@ dev_read_urand(spamd_update_t)
+@@ -508,25 +605,21 @@ dev_read_urand(spamd_update_t)
  
  domain_use_interactive_fds(spamd_update_t)
  
@@ -96672,10 +96811,10 @@ index 0000000..545f682
 +/var/log/speech-dispatcher(/.*)?		gen_context(system_u:object_r:speech-dispatcher_log_t,s0)
 diff --git a/speech-dispatcher.if b/speech-dispatcher.if
 new file mode 100644
-index 0000000..ddfed09
+index 0000000..4cb9104
 --- /dev/null
 +++ b/speech-dispatcher.if
-@@ -0,0 +1,142 @@
+@@ -0,0 +1,143 @@
 +
 +## <summary>speech-dispatcher - server process managing speech requests in Speech Dispatcher</summary>
 +
@@ -96773,6 +96912,7 @@ index 0000000..ddfed09
 +	')
 +
 +	systemd_exec_systemctl($1)
++	init_reload_services($1)
 +    systemd_read_fifo_file_passwd_run($1)
 +	allow $1 speech-dispatcher_unit_file_t:file read_file_perms;
 +	allow $1 speech-dispatcher_unit_file_t:service manage_service_perms;
@@ -97170,7 +97310,7 @@ index dbb005a..45291bb 100644
 -/var/run/sssd\.pid	--	gen_context(system_u:object_r:sssd_var_run_t,s0)
 +/var/run/sssd.pid	--	gen_context(system_u:object_r:sssd_var_run_t,s0)
 diff --git a/sssd.if b/sssd.if
-index a240455..f4d8c79 100644
+index a240455..de2172a 100644
 --- a/sssd.if
 +++ b/sssd.if
 @@ -1,21 +1,21 @@
@@ -97220,7 +97360,7 @@ index a240455..f4d8c79 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -56,49 +54,90 @@ interface(`sssd_initrc_domtrans',`
+@@ -56,49 +54,91 @@ interface(`sssd_initrc_domtrans',`
  	init_labeled_script_domtrans($1, sssd_initrc_exec_t)
  ')
  
@@ -97241,6 +97381,7 @@ index a240455..f4d8c79 100644
 +       ')
 +
 +       systemd_exec_systemctl($1)
++	init_reload_services($1)
 +       allow $1 sssd_unit_file_t:file read_file_perms;
 +       allow $1 sssd_unit_file_t:service manage_service_perms;
 +
@@ -97332,7 +97473,7 @@ index a240455..f4d8c79 100644
  ## </summary>
  ## <param name="domain">
  ##  <summary>
-@@ -107,12 +146,12 @@ interface(`sssd_write_config',`
+@@ -107,12 +147,12 @@ interface(`sssd_write_config',`
  ## </param>
  #
  interface(`sssd_manage_config',`
@@ -97350,7 +97491,7 @@ index a240455..f4d8c79 100644
  ')
  
  ########################################
-@@ -131,14 +170,13 @@ interface(`sssd_read_public_files',`
+@@ -131,14 +171,13 @@ interface(`sssd_read_public_files',`
  	')
  
  	sssd_search_lib($1)
@@ -97368,7 +97509,7 @@ index a240455..f4d8c79 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -146,18 +184,36 @@ interface(`sssd_read_public_files',`
+@@ -146,18 +185,36 @@ interface(`sssd_read_public_files',`
  ##	</summary>
  ## </param>
  #
@@ -97409,7 +97550,7 @@ index a240455..f4d8c79 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -176,8 +232,7 @@ interface(`sssd_read_pid_files',`
+@@ -176,8 +233,7 @@ interface(`sssd_read_pid_files',`
  
  ########################################
  ## <summary>
@@ -97419,7 +97560,7 @@ index a240455..f4d8c79 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -216,8 +271,7 @@ interface(`sssd_search_lib',`
+@@ -216,8 +272,7 @@ interface(`sssd_search_lib',`
  
  ########################################
  ## <summary>
@@ -97429,7 +97570,7 @@ index a240455..f4d8c79 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -235,6 +289,24 @@ interface(`sssd_dontaudit_search_lib',`
+@@ -235,6 +290,24 @@ interface(`sssd_dontaudit_search_lib',`
  
  ########################################
  ## <summary>
@@ -97454,7 +97595,7 @@ index a240455..f4d8c79 100644
  ##	Read sssd lib files.
  ## </summary>
  ## <param name="domain">
-@@ -297,8 +369,7 @@ interface(`sssd_dbus_chat',`
+@@ -297,8 +370,7 @@ interface(`sssd_dbus_chat',`
  
  ########################################
  ## <summary>
@@ -97464,7 +97605,7 @@ index a240455..f4d8c79 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -317,8 +388,46 @@ interface(`sssd_stream_connect',`
+@@ -317,8 +389,46 @@ interface(`sssd_stream_connect',`
  
  ########################################
  ## <summary>
@@ -97513,7 +97654,7 @@ index a240455..f4d8c79 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -327,7 +436,7 @@ interface(`sssd_stream_connect',`
+@@ -327,7 +437,7 @@ interface(`sssd_stream_connect',`
  ## </param>
  ## <param name="role">
  ##	<summary>
@@ -97522,7 +97663,7 @@ index a240455..f4d8c79 100644
  ##	</summary>
  ## </param>
  ## <rolecap/>
-@@ -335,27 +444,29 @@ interface(`sssd_stream_connect',`
+@@ -335,27 +445,29 @@ interface(`sssd_stream_connect',`
  interface(`sssd_admin',`
  	gen_require(`
  		type sssd_t, sssd_public_t, sssd_initrc_exec_t;
@@ -97564,7 +97705,7 @@ index a240455..f4d8c79 100644
 -	admin_pattern($1, sssd_log_t)
  ')
 diff --git a/sssd.te b/sssd.te
-index 2d8db1f..fe72f8e 100644
+index 2d8db1f..5bc1bc1 100644
 --- a/sssd.te
 +++ b/sssd.te
 @@ -28,9 +28,12 @@ logging_log_file(sssd_var_log_t)
@@ -97622,7 +97763,7 @@ index 2d8db1f..fe72f8e 100644
  
  corecmd_exec_bin(sssd_t)
  
-@@ -83,28 +79,34 @@ domain_read_all_domains_state(sssd_t)
+@@ -83,28 +79,35 @@ domain_read_all_domains_state(sssd_t)
  domain_obj_id_change_exemption(sssd_t)
  
  files_list_tmp(sssd_t)
@@ -97646,6 +97787,7 @@ index 2d8db1f..fe72f8e 100644
 +seutil_dontaudit_access_check_load_policy(sssd_t)
 +seutil_dontaudit_access_check_setfiles(sssd_t)
 +seutil_dontaudit_access_check_semanage_read_lock(sssd_t)
++seutil_dontaudit_access_check_semanage_module_store(sssd_t)
  
  mls_file_read_to_clearance(sssd_t)
  mls_socket_read_to_clearance(sssd_t)
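Review bot: `seutil_dontaudit_access_check_semanage_module_store(sssd_t)` is the fourth `seutil_dontaudit_access_check_*` line for sssd_t here, and none of them carries a comment saying why the denials are expected. dontaudit rules remove the AVC records that would otherwise show a process probing the SELinux tooling and module store, so the reason for hiding them is worth recording next to the rules. I would put `# sssd only access()-checks these paths (TODO confirm); the denials are noise` above the group. The surrounding statement run continues outside this hunk.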
@@ -97661,7 +97803,7 @@ index 2d8db1f..fe72f8e 100644
  
  init_read_utmp(sssd_t)
  
-@@ -112,18 +114,36 @@ logging_send_syslog_msg(sssd_t)
+@@ -112,18 +115,36 @@ logging_send_syslog_msg(sssd_t)
  logging_send_audit_msgs(sssd_t)
  
  miscfiles_read_generic_certs(sssd_t)
@@ -98041,10 +98183,10 @@ index effffd0..12ca090 100644
 +/var/subversion/repo(/.*)?		gen_context(system_u:object_r:svnserve_content_t,s0)	
 +/var/lib/subversion/repo(/.*)?		gen_context(system_u:object_r:svnserve_content_t,s0)	
 diff --git a/svnserve.if b/svnserve.if
-index 2ac91b6..dd2ac36 100644
+index 2ac91b6..a97033d 100644
 --- a/svnserve.if
 +++ b/svnserve.if
-@@ -1,35 +1,118 @@
+@@ -1,35 +1,119 @@
 -## <summary>Server for the svn repository access method.</summary>
 +
 +## <summary>policy for svnserve</summary>
@@ -98105,6 +98247,7 @@ index 2ac91b6..dd2ac36 100644
 +        ')
 +
 +        systemd_exec_systemctl($1)
++	init_reload_services($1)
 +        allow $1 svnserve_unit_file_t:file read_file_perms;
 +        allow $1 svnserve_unit_file_t:service manage_service_perms;
 +
@@ -98275,10 +98418,10 @@ index 0000000..79e43aa
 +')
 diff --git a/swift.if b/swift.if
 new file mode 100644
-index 0000000..6a1f575
+index 0000000..af26807
 --- /dev/null
 +++ b/swift.if
-@@ -0,0 +1,155 @@
+@@ -0,0 +1,156 @@
 +
 +## <summary>policy for swift</summary>
 +
@@ -98394,6 +98537,7 @@ index 0000000..6a1f575
 +	')
 +
 +	systemd_exec_systemctl($1)
++	init_reload_services($1)
 +	allow $1 swift_unit_file_t:file read_file_perms;
 +	allow $1 swift_unit_file_t:service manage_service_perms;
 +
@@ -101303,10 +101447,10 @@ index 0000000..a8385bc
 +/var/run/tomcat6?\.pid		--	gen_context(system_u:object_r:tomcat_var_run_t,s0)
 diff --git a/tomcat.if b/tomcat.if
 new file mode 100644
-index 0000000..9abef48
+index 0000000..e5cec8f
 --- /dev/null
 +++ b/tomcat.if
-@@ -0,0 +1,395 @@
+@@ -0,0 +1,396 @@
 +
 +## <summary>policy for tomcat</summary>
 +
@@ -101650,6 +101794,7 @@ index 0000000..9abef48
 +	')
 +
 +	systemd_exec_systemctl($1)
++	init_reload_services($1)
 +	allow $1 tomcat_unit_file_t:file read_file_perms;
 +	allow $1 tomcat_unit_file_t:service manage_service_perms;
 +
@@ -101791,10 +101936,10 @@ index dce42ec..b6b67bf 100644
  /var/lib/tor-data(/.*)?	gen_context(system_u:object_r:tor_var_lib_t,s0)
  
 diff --git a/tor.if b/tor.if
-index 61c2e07..5e1df41 100644
+index 61c2e07..3b86095 100644
 --- a/tor.if
 +++ b/tor.if
-@@ -19,6 +19,29 @@ interface(`tor_domtrans',`
+@@ -19,6 +19,30 @@ interface(`tor_domtrans',`
  	domtrans_pattern($1, tor_exec_t, tor_t)
  ')
  
@@ -101815,6 +101960,7 @@ index 61c2e07..5e1df41 100644
 +        ')
 +
 +        systemd_exec_systemctl($1)
++	init_reload_services($1)
 +        allow $1 tor_unit_file_t:file read_file_perms;
 +        allow $1 tor_unit_file_t:service manage_service_perms;
 +
@@ -101824,7 +101970,7 @@ index 61c2e07..5e1df41 100644
  ########################################
  ## <summary>
  ##	All of the rules required to
-@@ -39,12 +62,18 @@ interface(`tor_domtrans',`
+@@ -39,12 +63,18 @@ interface(`tor_domtrans',`
  interface(`tor_admin',`
  	gen_require(`
  		type tor_t, tor_var_log_t, tor_etc_t;
@@ -101845,7 +101991,7 @@ index 61c2e07..5e1df41 100644
  	init_labeled_script_domtrans($1, tor_initrc_exec_t)
  	domain_system_change_exemption($1)
  	role_transition $2 tor_initrc_exec_t system_r;
-@@ -61,4 +90,13 @@ interface(`tor_admin',`
+@@ -61,4 +91,13 @@ interface(`tor_admin',`
  
  	files_list_pids($1)
  	admin_pattern($1, tor_var_run_t)
@@ -102464,7 +102610,7 @@ index 279e511..4f79ad6 100644
 +	modutils_read_module_deps(usbmodules_t)
 +')
 diff --git a/usbmuxd.fc b/usbmuxd.fc
-index 220f6ad..39b6acf 100644
+index 220f6ad..ccbb5da 100644
 --- a/usbmuxd.fc
 +++ b/usbmuxd.fc
 @@ -1,3 +1,6 @@
@@ -102474,12 +102620,12 @@ index 220f6ad..39b6acf 100644
 +/var/run/usbmuxd.*	 	gen_context(system_u:object_r:usbmuxd_var_run_t,s0)
 +/usr/lib/systemd/system/usbmuxd.*	--	gen_context(system_u:object_r:usbmuxd_unit_file_t,s0)
 +
-+/var/lib/lockdown	-- 	gen_context(system_u:object_r:usbmuxd_var_lib_t,s0)
++/var/lib/lockdown(/.*)? 	gen_context(system_u:object_r:usbmuxd_var_lib_t,s0)
 diff --git a/usbmuxd.if b/usbmuxd.if
-index 1ec5e99..88e287d 100644
+index 1ec5e99..5b6c80b 100644
 --- a/usbmuxd.if
 +++ b/usbmuxd.if
-@@ -38,3 +38,66 @@ interface(`usbmuxd_stream_connect',`
+@@ -38,3 +38,67 @@ interface(`usbmuxd_stream_connect',`
  	files_search_pids($1)
  	stream_connect_pattern($1, usbmuxd_var_run_t, usbmuxd_var_run_t, usbmuxd_t)
  ')
@@ -102501,6 +102647,7 @@ index 1ec5e99..88e287d 100644
 +	')
 +
 +	systemd_exec_systemctl($1)
++	init_reload_services($1)
 +	allow $1 usbmuxd_unit_file_t:file read_file_perms;
 +	allow $1 usbmuxd_unit_file_t:service manage_service_perms;
 +
@@ -103700,10 +103847,10 @@ index 3d11c6a..b19a117 100644
  
  optional_policy(`
 diff --git a/virt.fc b/virt.fc
-index a4f20bc..9ccc90c 100644
+index a4f20bc..88a2dc6 100644
 --- a/virt.fc
 +++ b/virt.fc
-@@ -1,51 +1,97 @@
+@@ -1,51 +1,98 @@
 -HOME_DIR/\.libvirt(/.*)?	gen_context(system_u:object_r:virt_home_t,s0)
 -HOME_DIR/\.libvirt/qemu(/.*)?	gen_context(system_u:object_r:svirt_home_t,s0)
 -HOME_DIR/\.virtinst(/.*)?	gen_context(system_u:object_r:virt_home_t,s0)
@@ -103754,6 +103901,7 @@ index a4f20bc..9ccc90c 100644
  /usr/sbin/libvirt-qmf	--	gen_context(system_u:object_r:virt_qmf_exec_t,s0)
  /usr/sbin/libvirtd	--	gen_context(system_u:object_r:virtd_exec_t,s0)
 +/usr/sbin/virtlockd --  gen_context(system_u:object_r:virtd_exec_t,s0)
++/usr/bin/virt-who   --  gen_context(system_u:object_r:virtd_exec_t,s0)
 +/usr/bin/virsh		--	gen_context(system_u:object_r:virsh_exec_t,s0)
 +/usr/sbin/condor_vm-gahp	--	gen_context(system_u:object_r:virtd_exec_t,s0)
 +/usr/sbin/xl		--	gen_context(system_u:object_r:virsh_exec_t,s0)
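Review bot: Labelling `/usr/bin/virt-who` as `virtd_exec_t` gives it the same entry-point type as `/usr/sbin/libvirtd` and `/usr/sbin/virtlockd` on the lines above, and the commit message confirms it then runs as virtd_t. That places a separate program in libvirtd's domain with whatever that domain is allowed, rather than in a domain sized to what virt-who does. If a dedicated type is not planned, a comment on the line would at least record the decision, e.g. `# virt-who shares virtd_t for now; no dedicated domain yet`. The file-context list continues outside this hunk.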
@@ -103840,7 +103988,7 @@ index a4f20bc..9ccc90c 100644
 +/var/log/qemu-ga\.log.*           --      gen_context(system_u:object_r:virt_qemu_ga_log_t,s0)
 +/var/log/qemu-ga(/.*)?		gen_context(system_u:object_r:virt_qemu_ga_log_t,s0)
 diff --git a/virt.if b/virt.if
-index facdee8..c7a2d97 100644
+index facdee8..aacee65 100644
 --- a/virt.if
 +++ b/virt.if
 @@ -1,120 +1,51 @@
@@ -104889,7 +105037,7 @@ index facdee8..c7a2d97 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -860,74 +695,266 @@ interface(`virt_read_lib_files',`
+@@ -860,94 +695,267 @@ interface(`virt_read_lib_files',`
  ##	</summary>
  ## </param>
  #
@@ -104952,12 +105100,10 @@ index facdee8..c7a2d97 100644
 +    manage_dirs_pattern($1, virt_image_t, virt_image_t)
 +    manage_files_pattern($1, virt_image_t, virt_image_t)
 +    read_lnk_files_pattern($1, virt_image_t, virt_image_t)
- ')
- 
- ########################################
- ## <summary>
--##	Create objects in virt pid
--##	directories with a private type.
++')
++
++########################################
++## <summary>
 +##	Execute virt server in the virt domain.
 +## </summary>
 +## <param name="domain">
@@ -104973,14 +105119,17 @@ index facdee8..c7a2d97 100644
 +	')
 +
 +	systemd_exec_systemctl($1)
++	init_reload_services($1)
 +	allow $1 virtd_unit_file_t:file read_file_perms;
 +	allow $1 virtd_unit_file_t:service manage_service_perms;
 +
 +	ps_process_pattern($1, virtd_t)
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Create objects in virt pid
+-##	directories with a private type.
 +##	Ptrace the svirt domain
 +## </summary>
 +## <param name="domain">
@@ -105000,13 +105149,12 @@ index facdee8..c7a2d97 100644
 +#######################################
 +## <summary>
 +##	Execute Sandbox Files
- ## </summary>
- ## <param name="domain">
- ##	<summary>
- ##	Domain allowed access.
- ##	</summary>
- ## </param>
--## <param name="private type">
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
 +#
 +interface(`virt_exec_sandbox_files',`
 +	gen_require(`
@@ -105019,14 +105167,13 @@ index facdee8..c7a2d97 100644
 +#######################################
 +## <summary>
 +##	Manage Sandbox Files
-+## </summary>
-+## <param name="domain">
+ ## </summary>
+ ## <param name="domain">
  ##	<summary>
--##	The type of the object to be created.
-+##	Domain allowed access.
+ ##	Domain allowed access.
  ##	</summary>
  ## </param>
--## <param name="object">
+-## <param name="private type">
 +#
 +interface(`virt_manage_sandbox_files',`
 +	gen_require(`
@@ -105047,11 +105194,11 @@ index facdee8..c7a2d97 100644
 +## </summary>
 +## <param name="domain">
  ##	<summary>
--##	The object class of the object being created.
+-##	The type of the object to be created.
 +##	Domain allowed access.
  ##	</summary>
  ## </param>
--## <param name="name" optional="true">
+-## <param name="object">
 +#
 +interface(`virt_relabel_sandbox_filesystem',`
 +	gen_require(`
@@ -105067,16 +105214,14 @@ index facdee8..c7a2d97 100644
 +## </summary>
 +## <param name="domain">
  ##	<summary>
--##	The name of the object being created.
+-##	The object class of the object being created.
 +##	Domain allowed access.
  ##	</summary>
  ## </param>
--## <infoflow type="write" weight="10"/>
- #
--interface(`virt_pid_filetrans',`
+-## <param name="name" optional="true">
++#
 +interface(`virt_mounton_sandbox_file',`
- 	gen_require(`
--		type virt_var_run_t;
++	gen_require(`
 +		type svirt_sandbox_file_t;
 +	')
 +
@@ -105088,13 +105233,17 @@ index facdee8..c7a2d97 100644
 +##	Connect to virt over a unix domain stream socket.
 +## </summary>
 +## <param name="domain">
-+##	<summary>
+ ##	<summary>
+-##	The name of the object being created.
 +##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
+ ##	</summary>
+ ## </param>
+-## <infoflow type="write" weight="10"/>
+ #
+-interface(`virt_pid_filetrans',`
 +interface(`virt_stream_connect_sandbox',`
-+	gen_require(`
+ 	gen_require(`
+-		type virt_var_run_t;
 +		attribute svirt_sandbox_domain;
 +		type svirt_sandbox_file_t;
  	')
@@ -105150,89 +105299,72 @@ index facdee8..c7a2d97 100644
 +	optional_policy(`
 +		ptchown_run(virt_domain, $2)
 +	')
-+')
-+
-+########################################
-+## <summary>
-+##	Do not audit attempts to write virt daemon unnamed pipes.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain to not audit.
-+##	</summary>
-+## </param>
-+#
-+interface(`virt_dontaudit_write_pipes',`
-+	gen_require(`
-+		type virtd_t;
-+	')
-+
-+	dontaudit $1 virtd_t:fd use;
-+	dontaudit $1 virtd_t:fifo_file write_fifo_file_perms;
  ')
  
  ########################################
  ## <summary>
 -##	Append virt log files.
-+##	Send a sigkill to virtual machines
++##	Do not audit attempts to write virt daemon unnamed pipes.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -935,19 +962,17 @@ interface(`virt_read_log',`
+-##	Domain allowed access.
++##	Domain to not audit.
  ##	</summary>
  ## </param>
  #
 -interface(`virt_append_log',`
-+interface(`virt_kill_svirt',`
++interface(`virt_dontaudit_write_pipes',`
  	gen_require(`
 -		type virt_log_t;
-+		attribute virt_domain;
++		type virtd_t;
  	')
  
 -	logging_search_logs($1)
 -	append_files_pattern($1, virt_log_t, virt_log_t)
-+	allow $1 virt_domain:process sigkill;
++	dontaudit $1 virtd_t:fd use;
++	dontaudit $1 virtd_t:fifo_file write_fifo_file_perms;
  ')
  
  ########################################
  ## <summary>
 -##	Create, read, write, and delete
 -##	virt log files.
-+##	Send a sigkill to virtd daemon.
++##	Send a sigkill to virtual machines
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -955,20 +980,17 @@ interface(`virt_append_log',`
+@@ -955,20 +963,17 @@ interface(`virt_append_log',`
  ##	</summary>
  ## </param>
  #
 -interface(`virt_manage_log',`
-+interface(`virt_kill',`
++interface(`virt_kill_svirt',`
  	gen_require(`
 -		type virt_log_t;
-+		type virtd_t;
++		attribute virt_domain;
  	')
  
 -	logging_search_logs($1)
 -	manage_dirs_pattern($1, virt_log_t, virt_log_t)
 -	manage_files_pattern($1, virt_log_t, virt_log_t)
 -	manage_lnk_files_pattern($1, virt_log_t, virt_log_t)
-+	allow $1 virtd_t:process sigkill;
++	allow $1 virt_domain:process sigkill;
  ')
  
  ########################################
  ## <summary>
 -##	Search virt image directories.
-+##	Send a signal to virtd daemon.
++##	Send a sigkill to virtd daemon.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -976,18 +998,17 @@ interface(`virt_manage_log',`
+@@ -976,18 +981,17 @@ interface(`virt_manage_log',`
  ##	</summary>
  ## </param>
  #
 -interface(`virt_search_images',`
-+interface(`virt_signal',`
++interface(`virt_kill',`
  	gen_require(`
 -		attribute virt_image_type;
 +		type virtd_t;
@@ -105240,26 +105372,26 @@ index facdee8..c7a2d97 100644
  
 -	virt_search_lib($1)
 -	allow $1 virt_image_type:dir search_dir_perms;
-+	allow $1 virtd_t:process signal;
++	allow $1 virtd_t:process sigkill;
  ')
  
  ########################################
  ## <summary>
 -##	Read virt image files.
-+##	Send a signal to virtual machines
++##	Send a signal to virtd daemon.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -995,57 +1016,75 @@ interface(`virt_search_images',`
+@@ -995,36 +999,35 @@ interface(`virt_search_images',`
  ##	</summary>
  ## </param>
  #
 -interface(`virt_read_images',`
-+interface(`virt_signal_svirt',`
++interface(`virt_signal',`
  	gen_require(`
 -		type virt_var_lib_t;
 -		attribute virt_image_type;
-+		attribute virt_domain;
++		type virtd_t;
  	')
  
 -	virt_search_lib($1)
@@ -105268,7 +105400,7 @@ index facdee8..c7a2d97 100644
 -	read_files_pattern($1, virt_image_type, virt_image_type)
 -	read_lnk_files_pattern($1, virt_image_type, virt_image_type)
 -	read_blk_files_pattern($1, virt_image_type, virt_image_type)
-+	allow $1 virt_domain:process signal;
++	allow $1 virtd_t:process signal;
 +')
  
 -	tunable_policy(`virt_use_nfs',`
@@ -105277,7 +105409,7 @@ index facdee8..c7a2d97 100644
 -		fs_read_nfs_symlinks($1)
 +########################################
 +## <summary>
-+##	Manage virt home files.
++##	Send null signal to virtd daemon.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
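Review bot: The new summary `Send null signal to virtd daemon.` names a narrower target than the commit's own changelog does. The changelog says virt-who is now labelled `virtd_exec_t` and that rhsmcertd sends the null signal to virt-who running as `virtd_t`. The rule in the next hunk is `allow $1 virtd_t:process signull;`, so every process in `virtd_t` is a valid target, and I would word the summary as `##	Send a null signal to processes in the virtd_t domain.`. The `virt_signull` interface body starts outside this hunk, in the one that follows.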
@@ -105285,87 +105417,131 @@ index facdee8..c7a2d97 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`virt_manage_home_files',`
++interface(`virt_signull',`
 +	gen_require(`
-+		type virt_home_t;
++		type virtd_t;
  	')
  
 -	tunable_policy(`virt_use_samba',`
 -		fs_list_cifs($1)
 -		fs_read_cifs_files($1)
 -		fs_read_cifs_symlinks($1)
-+	userdom_search_user_home_dirs($1)
-+	manage_files_pattern($1, virt_home_t, virt_home_t)
-+')
-+
-+########################################
-+## <summary>
-+##	allow domain to read
-+##	virt tmpfs files
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access
-+##	</summary>
-+## </param>
-+#
-+interface(`virt_read_tmpfs_files',`
-+	gen_require(`
-+		attribute virt_tmpfs_type;
- 	')
-+
-+	allow $1 virt_tmpfs_type:file read_file_perms;
+-	')
++	allow $1 virtd_t:process signull;
  ')
  
  ########################################
  ## <summary>
 -##	Read and write all virt image
 -##	character files.
-+##	allow domain to manage
-+##	virt tmpfs files
++##	Send a signal to virtual machines
  ## </summary>
  ## <param name="domain">
  ##	<summary>
--##	Domain allowed access.
-+##	Domain allowed access
+@@ -1032,20 +1035,17 @@ interface(`virt_read_images',`
  ##	</summary>
  ## </param>
  #
 -interface(`virt_rw_all_image_chr_files',`
-+interface(`virt_manage_tmpfs_files',`
++interface(`virt_signal_svirt',`
  	gen_require(`
 -		attribute virt_image_type;
-+		attribute virt_tmpfs_type;
++		attribute virt_domain;
  	')
  
 -	virt_search_lib($1)
 -	allow $1 virt_image_type:dir list_dir_perms;
 -	rw_chr_files_pattern($1, virt_image_type, virt_image_type)
-+	allow $1 virt_tmpfs_type:file manage_file_perms;
++	allow $1 virt_domain:process signal;
  ')
  
  ########################################
  ## <summary>
 -##	Create, read, write, and delete
 -##	svirt cache files.
-+##	Create .virt directory in the user home directory
-+##	with an correct label.
++##	Manage virt home files.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1053,15 +1092,28 @@ interface(`virt_rw_all_image_chr_files',`
+@@ -1053,15 +1053,57 @@ interface(`virt_rw_all_image_chr_files',`
  ##	</summary>
  ## </param>
  #
 -interface(`virt_manage_svirt_cache',`
 -	refpolicywarn(`$0($*) has been deprecated, use virt_manage_virt_cache() instead.')
 -	virt_manage_virt_cache($1)
-+interface(`virt_filetrans_home_content',`
++interface(`virt_manage_home_files',`
 +	gen_require(`
 +		type virt_home_t;
-+		type svirt_home_t;
 +	')
 +
++	userdom_search_user_home_dirs($1)
++	manage_files_pattern($1, virt_home_t, virt_home_t)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Create, read, write, and delete
+-##	virt cache content.
++##	allow domain to read
++##	virt tmpfs files
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access
++##	</summary>
++## </param>
++#
++interface(`virt_read_tmpfs_files',`
++	gen_require(`
++		attribute virt_tmpfs_type;
++	')
++
++	allow $1 virt_tmpfs_type:file read_file_perms;
++')
++
++########################################
++## <summary>
++##	allow domain to manage
++##	virt tmpfs files
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access
++##	</summary>
++## </param>
++#
++interface(`virt_manage_tmpfs_files',`
++	gen_require(`
++		attribute virt_tmpfs_type;
++	')
++
++	allow $1 virt_tmpfs_type:file manage_file_perms;
++')
++
++########################################
++## <summary>
++##	Create .virt directory in the user home directory
++##	with an correct label.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -1069,21 +1111,28 @@ interface(`virt_manage_svirt_cache',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`virt_manage_virt_cache',`
++interface(`virt_filetrans_home_content',`
+ 	gen_require(`
+-		type virt_cache_t;
++		type virt_home_t;
++		type svirt_home_t;
+ 	')
+ 
+-	files_search_var($1)
+-	manage_dirs_pattern($1, virt_cache_t, virt_cache_t)
+-	manage_files_pattern($1, virt_cache_t, virt_cache_t)
+-	manage_lnk_files_pattern($1, virt_cache_t, virt_cache_t)
 +	userdom_user_home_dir_filetrans($1, virt_home_t, dir, ".libvirt")
 +	userdom_user_home_dir_filetrans($1, virt_home_t, dir, ".virtinst")
 +	filetrans_pattern($1, virt_home_t, svirt_home_t, dir, "qemu")
@@ -105382,33 +105558,37 @@ index facdee8..c7a2d97 100644
  ########################################
  ## <summary>
 -##	Create, read, write, and delete
--##	virt cache content.
+-##	virt image files.
 +##	Dontaudit attempts to Read virt_image_type devices.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1069,21 +1121,133 @@ interface(`virt_manage_svirt_cache',`
+@@ -1091,36 +1140,188 @@ interface(`virt_manage_virt_cache',`
  ##	</summary>
  ## </param>
  #
--interface(`virt_manage_virt_cache',`
+-interface(`virt_manage_images',`
 +interface(`virt_dontaudit_read_chr_dev',`
  	gen_require(`
--		type virt_cache_t;
-+		attribute virt_image_type;
+-		type virt_var_lib_t;
+ 		attribute virt_image_type;
  	')
  
--	files_search_var($1)
--	manage_dirs_pattern($1, virt_cache_t, virt_cache_t)
--	manage_files_pattern($1, virt_cache_t, virt_cache_t)
--	manage_lnk_files_pattern($1, virt_cache_t, virt_cache_t)
+-	virt_search_lib($1)
+-	allow $1 virt_image_type:dir list_dir_perms;
+-	manage_dirs_pattern($1, virt_image_type, virt_image_type)
+-	manage_files_pattern($1, virt_image_type, virt_image_type)
+-	read_lnk_files_pattern($1, virt_image_type, virt_image_type)
+-	rw_blk_files_pattern($1, virt_image_type, virt_image_type)
 +	dontaudit $1 virt_image_type:chr_file read_chr_file_perms;
- ')
++')
  
- ########################################
- ## <summary>
--##	Create, read, write, and delete
--##	virt image files.
+-	tunable_policy(`virt_use_nfs',`
+-		fs_manage_nfs_dirs($1)
+-		fs_manage_nfs_files($1)
+-		fs_read_nfs_symlinks($1)
++########################################
++## <summary>
 +##	Creates types and rules for a basic
 +##	virt_lxc process domain.
 +## </summary>
@@ -105421,8 +105601,12 @@ index facdee8..c7a2d97 100644
 +template(`virt_sandbox_domain_template',`
 +	gen_require(`
 +		attribute svirt_sandbox_domain;
-+	')
-+
+ 	')
+ 
+-	tunable_policy(`virt_use_samba',`
+-		fs_manage_cifs_files($1)
+-		fs_manage_cifs_files($1)
+-		fs_read_cifs_symlinks($1)
 +	type $1_t, svirt_sandbox_domain;
 +	domain_type($1_t)
 +	domain_user_exemption_target($1_t)
@@ -105526,34 +105710,21 @@ index facdee8..c7a2d97 100644
 +########################################
 +## <summary>
 +##	Read and write to svirt_image devices.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -1091,36 +1255,54 @@ interface(`virt_manage_virt_cache',`
- ##	</summary>
- ## </param>
- #
--interface(`virt_manage_images',`
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
 +interface(`virt_rw_svirt_dev',`
- 	gen_require(`
--		type virt_var_lib_t;
--		attribute virt_image_type;
++	gen_require(`
 +		type svirt_image_t;
- 	')
- 
--	virt_search_lib($1)
--	allow $1 virt_image_type:dir list_dir_perms;
--	manage_dirs_pattern($1, virt_image_type, virt_image_type)
--	manage_files_pattern($1, virt_image_type, virt_image_type)
--	read_lnk_files_pattern($1, virt_image_type, virt_image_type)
--	rw_blk_files_pattern($1, virt_image_type, virt_image_type)
++	')
++
 +	allow $1 svirt_image_t:chr_file rw_file_perms;
 +')
- 
--	tunable_policy(`virt_use_nfs',`
--		fs_manage_nfs_dirs($1)
--		fs_manage_nfs_files($1)
--		fs_read_nfs_symlinks($1)
++
 +########################################
 +## <summary>
 +##	Read and write to svirt_image devices.
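Review bot: `virt_rw_svirt_dev` grants `rw_file_perms` on the `chr_file` class, while `virt_dontaudit_read_chr_dev` earlier in this file uses the class-specific `read_chr_file_perms`. Writing the rule as `allow $1 svirt_image_t:chr_file rw_chr_file_perms;` ties the permission set to the object class, so a later change to the plain-file set cannot silently alter access to these devices. If both sets expand to the same permissions in this policy version the change is cosmetic, but it still makes the rule easier to audit.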
@@ -105567,12 +105738,8 @@ index facdee8..c7a2d97 100644
 +interface(`virt_rlimitinh',`
 +	gen_require(`
 +		type virtd_t;
- 	')
- 
--	tunable_policy(`virt_use_samba',`
--		fs_manage_cifs_files($1)
--		fs_manage_cifs_files($1)
--		fs_read_cifs_symlinks($1)
++	')
++
 +    allow $1 virtd_t:process { rlimitinh };
 +')
 +
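Review bot: The summary shown just before this hunk, `Read and write to svirt_image devices.`, appears to belong to `virt_rlimitinh`, but the interface contains only `allow $1 virtd_t:process { rlimitinh };`. The lines between the two hunks are elided, so the attachment is inferred. A summary copied from `virt_rw_svirt_dev` misleads anyone auditing which callers get device access; `##	Allow the rlimitinh permission on virtd_t processes.` would match the rule. The `allow` line is also indented with four spaces where the rest of the interface uses a tab, and the braces around a single permission can go: `	allow $1 virtd_t:process rlimitinh;`.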
@@ -105603,7 +105770,7 @@ index facdee8..c7a2d97 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1136,50 +1318,53 @@ interface(`virt_manage_images',`
+@@ -1136,50 +1337,53 @@ interface(`virt_manage_images',`
  #
  interface(`virt_admin',`
  	gen_require(`
@@ -105645,27 +105812,27 @@ index facdee8..c7a2d97 100644
 -
 -	files_search_tmp($1)
 -	admin_pattern($1, { virt_tmp_type virt_tmp_t })
--
++	allow $1 virt_domain:process signal_perms;
+ 
 -	files_search_etc($1)
 -	admin_pattern($1, { virt_etc_t virt_etc_rw_t virtd_keytab_t })
--
++	admin_pattern($1, virt_file_type)
++	admin_pattern($1, svirt_file_type)
+ 
 -	logging_search_logs($1)
 -	admin_pattern($1, virt_log_t)
--
++	virt_systemctl($1)
++	allow $1 virtd_unit_file_t:service all_service_perms;
+ 
 -	files_search_pids($1)
 -	admin_pattern($1, { virt_var_run_t virtd_lxc_var_run_t svirt_var_run_t })
-+	allow $1 virt_domain:process signal_perms;
- 
+-
 -	files_search_var($1)
 -	admin_pattern($1, svirt_cache_t)
-+	admin_pattern($1, virt_file_type)
-+	admin_pattern($1, svirt_file_type)
- 
+-
 -	files_search_var_lib($1)
 -	admin_pattern($1, { virt_image_type virt_var_lib_t svirt_lxc_file_t })
-+	virt_systemctl($1)
-+	allow $1 virtd_unit_file_t:service all_service_perms;
- 
+-
 -	files_search_locks($1)
 -	admin_pattern($1, virt_lock_t)
 +	virt_stream_connect_sandbox($1)
@@ -107930,10 +108097,10 @@ index 0000000..c5deffb
 +/usr/lib/systemd/system/vmtoolsd.*		--	gen_context(system_u:object_r:vmtools_unit_file_t,s0)
 diff --git a/vmtools.if b/vmtools.if
 new file mode 100644
-index 0000000..7933d80
+index 0000000..afd0c97
 --- /dev/null
 +++ b/vmtools.if
-@@ -0,0 +1,122 @@
+@@ -0,0 +1,123 @@
 +## <summary>VMware Tools daemon</summary>
 +
 +########################################
@@ -108015,6 +108182,7 @@ index 0000000..7933d80
 +	')
 +
 +	systemd_exec_systemctl($1)
++	init_reload_services($1)
 +    systemd_read_fifo_file_passwd_run($1)
 +	allow $1 vmtools_unit_file_t:file read_file_perms;
 +	allow $1 vmtools_unit_file_t:service manage_service_perms;
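Review bot: The added `init_reload_services($1)` widens `vmtools_systemctl()` beyond the vmtools unit, and nothing in the interface says so. The other rules in the hunk are scoped to `vmtools_unit_file_t`, whereas `init_reload_services()` is defined outside this diff and presumably grants a reload permission on init itself, which every caller now inherits. I would add a comment above the call, such as `# reload is granted on init, not on vmtools_unit_file_t; callers gain it implicitly`, and confirm each existing caller is meant to have it. The same applies to `zebra_systemctl()` in the zebra.if hunk and, per the changelog, to the other `_systemctl()` interfaces this commit updates. The interface starts outside this hunk.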
@@ -112001,7 +112169,7 @@ index 28ee4ca..bc37f76 100644
 -/var/run/quagga(/.*)?	gen_context(system_u:object_r:zebra_var_run_t,s0)
 +/var/run/quagga(/.*)?		gen_context(system_u:object_r:zebra_var_run_t,s0)
 diff --git a/zebra.if b/zebra.if
-index 3416401..676925c 100644
+index 3416401..e364caf 100644
 --- a/zebra.if
 +++ b/zebra.if
 @@ -1,8 +1,8 @@
@@ -112033,7 +112201,7 @@ index 3416401..676925c 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -42,10 +41,33 @@ interface(`zebra_stream_connect',`
+@@ -42,10 +41,34 @@ interface(`zebra_stream_connect',`
  	stream_connect_pattern($1, zebra_var_run_t, zebra_var_run_t, zebra_t)
  ')
  
@@ -112054,6 +112222,7 @@ index 3416401..676925c 100644
 +    ')
 +
 +        systemd_exec_systemctl($1)
++	init_reload_services($1)
 +        allow $1 zebra_unit_file_t:file read_file_perms;
 +        allow $1 zebra_unit_file_t:service manage_service_perms;
 +
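Review bot: The added `init_reload_services($1)` line is indented with a tab while the neighbouring lines of `zebra_systemctl()` in this hunk use eight spaces, so the block is misaligned at any tab width other than eight. Matching the surrounding lines, `        init_reload_services($1)`, keeps the hunk consistent. Converting the whole interface body to tabs, as the virt.if interfaces in this patch do, would be the cleaner follow-up. The interface starts and ends outside this hunk.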
@@ -112069,7 +112238,7 @@ index 3416401..676925c 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -54,7 +76,7 @@ interface(`zebra_stream_connect',`
+@@ -54,7 +77,7 @@ interface(`zebra_stream_connect',`
  ## </param>
  ## <param name="role">
  ##	<summary>
@@ -112078,7 +112247,7 @@ index 3416401..676925c 100644
  ##	</summary>
  ## </param>
  ## <rolecap/>
-@@ -62,13 +84,16 @@ interface(`zebra_stream_connect',`
+@@ -62,13 +85,16 @@ interface(`zebra_stream_connect',`
  interface(`zebra_admin',`
  	gen_require(`
  		type zebra_t, zebra_tmp_t, zebra_log_t;
@@ -112098,7 +112267,7 @@ index 3416401..676925c 100644
  	init_labeled_script_domtrans($1, zebra_initrc_exec_t)
  	domain_system_change_exemption($1)
  	role_transition $2 zebra_initrc_exec_t system_r;
-@@ -85,4 +110,8 @@ interface(`zebra_admin',`
+@@ -85,4 +111,8 @@ interface(`zebra_admin',`
  
  	files_list_pids($1)
  	admin_pattern($1, zebra_var_run_t)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index f54b4e2..e8520d3 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 99%{?dist}
+Release: 100%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -604,6 +604,29 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Wed Nov 25 2014 Lukas Vrabec <lvrabec at redhat.com> 3.13.1-100
+- Add seutil_dontaudit_access_check_semanage_module_store() interface
+- Update to have all _systemctl() interface also init_reload_services()
+- Allow named_filetrans_domain to create ibus directory with correct labeling
+- Add labeling for /sbin/iw.
+- Label tcp port 5280 as ejabberd port. BZ(1059930)
+- Make /usr/bin/vncserver running as unconfined_service_t.
+- getty_t should be ranged in MLS. Then also local_login_t runs as ranged domain
+- Label /etc/docker/certs.d as cert_t
+- Allow all systemd domains to search file systems
+- I guess there can be content under /var/lib/lockdown #1167502
+- Dontaudit access check on SELinux module store for sssd
+- Update to have all _systemctl() interface also init_reload_services()
+- Allow rhev-agentd to read /dev/.udev/db to make deploying hosted engine via iSCSI working
+- Allow keystone to send a generic signal to own process.
+- Dontaudit list user_tmp files for system_mail_t
+- label virt-who as virtd_exec_t
+- Allow rhsmcertd to send a null signal to virt-who running as virtd_t
+- Add virt_signull() interface
+- Allow .snapshots to be created in other directories, on all mountpoints
+- Add missing alias for _content_rw_t
+- Allow spamd to access razor-agent.log
+
 * Thu Nov 20 2014 Lukas Vrabec <lvrabec at redhat.com> 3.13.1-99
 - Allow NetworkManager stream connect on openvpn. BZ(1165110)
 

