[selinux-policy] * Fri Nov 29 2014 Lukas Vrabec <lvrabec at redhat.com> 3.13.1-98 - Update to have all _systemctl() inte

Lukas Vrabec lvrabec at fedoraproject.org
Fri Nov 28 23:19:11 UTC 2014


commit cf94d6be19b963ad79484e4ee888803b3965e1a2
Author: Lukas Vrabec <lvrabec at redhat.com>
Date:   Sat Nov 29 00:18:57 2014 +0100

    * Fri Nov 29 2014 Lukas Vrabec <lvrabec at redhat.com> 3.13.1-98
    - Update all _systemctl() interfaces to also call init_reload_services()
    - Dontaudit access check on SELinux module store for sssd.
    - Label /var/lib/rpmrebuilddb/ as rpm_var_lib_t. BZ (1167946)

 policy-rawhide-contrib.patch |  826 +++++++++++++++++++++++-------------------
 selinux-policy.spec          |    7 +-
 2 files changed, 468 insertions(+), 365 deletions(-)
---
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index d8016be..a587db8 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -80,7 +80,7 @@ index 1a93dc5..f2b26f5 100644
 -/var/spool/abrt-retrace(/.*)?	gen_context(system_u:object_r:abrt_retrace_spool_t,s0)
 -/var/spool/retrace-server(/.*)?	gen_context(system_u:object_r:abrt_retrace_spool_t,s0)
 diff --git a/abrt.if b/abrt.if
-index 058d908..2f6c3a9 100644
+index 058d908..1e92177 100644
 --- a/abrt.if
 +++ b/abrt.if
 @@ -1,4 +1,26 @@
@@ -302,7 +302,7 @@ index 058d908..2f6c3a9 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -276,10 +354,51 @@ interface(`abrt_manage_pid_files',`
+@@ -276,10 +354,52 @@ interface(`abrt_manage_pid_files',`
  	manage_files_pattern($1, abrt_var_run_t, abrt_var_run_t)
  ')
  
@@ -341,6 +341,7 @@ index 058d908..2f6c3a9 100644
 +	')
 +
 +	systemd_exec_systemctl($1)
++	init_reload_services($1)
 +	allow $1 abrt_unit_file_t:file manage_file_perms;
 +	allow $1 abrt_unit_file_t:service manage_service_perms;
 +
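Review bot: `init_reload_services($1)` is added inside the abrt `_systemctl` interface, whose other rules are scoped to `abrt_unit_file_t`, so every caller of this per-service interface now also picks up a permission that, judging by its name, targets init rather than abrt's own unit. The definition of `init_reload_services` is not part of this diff, so its exact scope should be confirmed before treating the grant as unit-local. The same one-line addition repeats in the accountsd, alsa, antivirus, apache, apcupsd, apm, arpwatch, automount, avahi, bcfg2, bind, bluetooth, boinc, brltty, bumblebee, chronyd, clamav, cockpit, collectd, colord, condor, conman, consolekit, corosync and couchdb hunks. I would put a comment above each call, for example `# also lets $1 ask init to reload; not limited to abrt_unit_file_t`, and extend the interface's `## <summary>` so that anyone auditing who may use a `*_systemctl` interface sees the wider grant. The interface body starts and ends outside this hunk.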
@@ -356,7 +357,7 @@ index 058d908..2f6c3a9 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -288,39 +407,174 @@ interface(`abrt_manage_pid_files',`
+@@ -288,39 +408,174 @@ interface(`abrt_manage_pid_files',`
  ## </param>
  ## <param name="role">
  ##	<summary>
@@ -1116,10 +1117,10 @@ index f9d8d7a..0682710 100644
  
  /usr/lib/accountsservice/accounts-daemon	--	gen_context(system_u:object_r:accountsd_exec_t,s0)
 diff --git a/accountsd.if b/accountsd.if
-index bd5ec9a..a5ed692 100644
+index bd5ec9a..554177c 100644
 --- a/accountsd.if
 +++ b/accountsd.if
-@@ -126,23 +126,50 @@ interface(`accountsd_manage_lib_files',`
+@@ -126,23 +126,51 @@ interface(`accountsd_manage_lib_files',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -1136,6 +1137,7 @@ index bd5ec9a..a5ed692 100644
 +	')
 +
 +	systemd_exec_systemctl($1)
++	init_reload_services($1)
 +	allow $1 accountsd_unit_file_t:file read_file_perms;
 +	allow $1 accountsd_unit_file_t:service manage_service_perms;
 +
@@ -1907,7 +1909,7 @@ index 33d9d31..58bf182 100644
 +
 +/var/run/alsactl\.pid		--	gen_context(system_u:object_r:alsa_var_run_t,s0)
 diff --git a/alsa.if b/alsa.if
-index ca8d8cf..2cc5ce6 100644
+index ca8d8cf..053a30a 100644
 --- a/alsa.if
 +++ b/alsa.if
 @@ -168,6 +168,7 @@ interface(`alsa_manage_home_files',`
@@ -1918,7 +1920,7 @@ index ca8d8cf..2cc5ce6 100644
  ')
  
  ########################################
-@@ -210,51 +211,87 @@ interface(`alsa_relabel_home_files',`
+@@ -210,51 +211,88 @@ interface(`alsa_relabel_home_files',`
  
  ########################################
  ## <summary>
@@ -2014,6 +2016,7 @@ index ca8d8cf..2cc5ce6 100644
 -	files_search_var_lib($1)
 -	read_files_pattern($1, alsa_var_lib_t, alsa_var_lib_t)
 +	systemd_exec_systemctl($1)
++	init_reload_services($1)
 +	allow $1 alsa_unit_file_t:file read_file_perms;
 +	allow $1 alsa_unit_file_t:service manage_service_perms;
 +
@@ -2689,10 +2692,10 @@ index 0000000..219f32d
 +
 diff --git a/antivirus.if b/antivirus.if
 new file mode 100644
-index 0000000..ae5f0a3
+index 0000000..36251b9
 --- /dev/null
 +++ b/antivirus.if
-@@ -0,0 +1,324 @@
+@@ -0,0 +1,325 @@
 +## <summary>SELinux policy for antivirus programs - amavis, clamd, freshclam and clamscan</summary>
 +
 +######################################
@@ -2949,6 +2952,7 @@ index 0000000..ae5f0a3
 +        ')
 +
 +        systemd_exec_systemctl($1)
++	init_reload_services($1)
 +        systemd_read_fifo_file_passwd_run($1)
 +        allow $1 antivirus_unit_file_t:file read_file_perms;
 +        allow $1 antivirus_unit_file_t:service manage_service_perms;
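Review bot: The added `init_reload_services($1)` line is indented with a tab, while the neighbouring `systemd_exec_systemctl($1)`, `systemd_read_fifo_file_passwd_run($1)` and `allow` lines in this interface use eight spaces, so the new line is misaligned at any tab width other than eight. Matching the surrounding lines, `        init_reload_services($1)`, keeps the block consistent. The same mismatch appears in the boinc.if hunk (neighbours use four spaces) and the clamav.if hunk (neighbours use eight spaces). The interface body begins outside this hunk.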
@@ -3642,7 +3646,7 @@ index 7caefc3..3009a35 100644
 +/var/run/dirsrv/admin-serv.*	gen_context(system_u:object_r:httpd_var_run_t,s0)
 +/opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)?       gen_context(system_u:object_r:httpd_var_run_t,s0)
 diff --git a/apache.if b/apache.if
-index f6eb485..dffbc52 100644
+index f6eb485..164501c 100644
 --- a/apache.if
 +++ b/apache.if
 @@ -1,9 +1,9 @@
@@ -4912,7 +4916,7 @@ index f6eb485..dffbc52 100644
  ##	This is an interface to support third party modules
  ##	and its use is not allowed in upstream reference
  ##	policy.
-@@ -1171,8 +1423,30 @@ interface(`apache_cgi_domain',`
+@@ -1171,8 +1423,31 @@ interface(`apache_cgi_domain',`
  
  ########################################
  ## <summary>
@@ -4933,6 +4937,7 @@ index f6eb485..dffbc52 100644
 +	')
 +
 +	systemd_exec_systemctl($1)
++	init_reload_services($1)
 +	allow $1 httpd_unit_file_t:file read_file_perms;
 +	allow $1 httpd_unit_file_t:service manage_service_perms;
 +
@@ -4945,7 +4950,7 @@ index f6eb485..dffbc52 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1189,18 +1463,19 @@ interface(`apache_cgi_domain',`
+@@ -1189,18 +1464,19 @@ interface(`apache_cgi_domain',`
  interface(`apache_admin',`
  	gen_require(`
  		attribute httpdcontent, httpd_script_exec_type;
@@ -4974,7 +4979,7 @@ index f6eb485..dffbc52 100644
  
  	init_labeled_script_domtrans($1, httpd_initrc_exec_t)
  	domain_system_change_exemption($1)
-@@ -1210,10 +1485,10 @@ interface(`apache_admin',`
+@@ -1210,10 +1486,10 @@ interface(`apache_admin',`
  	apache_manage_all_content($1)
  	miscfiles_manage_public_files($1)
  
@@ -4988,7 +4993,7 @@ index f6eb485..dffbc52 100644
  	admin_pattern($1, httpd_log_t)
  
  	admin_pattern($1, httpd_modules_t)
-@@ -1224,9 +1499,141 @@ interface(`apache_admin',`
+@@ -1224,9 +1500,141 @@ interface(`apache_admin',`
  	admin_pattern($1, httpd_var_run_t)
  	files_pid_filetrans($1, httpd_var_run_t, file)
  
@@ -7484,7 +7489,7 @@ index 5ec0e13..97c204f 100644
 +/var/www/apcupsd/upsstats\.cgi	--	gen_context(system_u:object_r:apcupsd_cgi_script_exec_t,s0)
 +/var/www/cgi-bin/apcgui(/.*)?	gen_context(system_u:object_r:apcupsd_cgi_script_exec_t,s0)
 diff --git a/apcupsd.if b/apcupsd.if
-index f3c0aba..2b3352b 100644
+index f3c0aba..f6e25ed 100644
 --- a/apcupsd.if
 +++ b/apcupsd.if
 @@ -102,7 +102,7 @@ interface(`apcupsd_append_log',`
@@ -7510,7 +7515,7 @@ index f3c0aba..2b3352b 100644
  
  	optional_policy(`
  		apache_search_sys_content($1)
-@@ -125,6 +125,49 @@ interface(`apcupsd_cgi_script_domtrans',`
+@@ -125,6 +125,50 @@ interface(`apcupsd_cgi_script_domtrans',`
  
  ########################################
  ## <summary>
@@ -7529,6 +7534,7 @@ index f3c0aba..2b3352b 100644
 +	')
 +
 +	systemd_exec_systemctl($1)
++	init_reload_services($1)
 +	allow $1 apcupsd_unit_file_t:file read_file_perms;
 +	allow $1 apcupsd_unit_file_t:service manage_service_perms;
 +
@@ -7560,7 +7566,7 @@ index f3c0aba..2b3352b 100644
  ##	All of the rules required to
  ##	administrate an apcupsd environment.
  ## </summary>
-@@ -144,11 +187,17 @@ interface(`apcupsd_admin',`
+@@ -144,11 +188,17 @@ interface(`apcupsd_admin',`
  	gen_require(`
  		type apcupsd_t, apcupsd_tmp_t, apcupsd_log_t;
  		type apcupsd_var_run_t, apcupsd_initrc_exec_t, apcupsd_lock_t;
@@ -7579,7 +7585,7 @@ index f3c0aba..2b3352b 100644
  	apcupsd_initrc_domtrans($1, apcupsd_initrc_exec_t)
  	domain_system_change_exemption($1)
  	role_transition $2 apcupsd_initrc_exec_t system_r;
-@@ -165,4 +214,11 @@ interface(`apcupsd_admin',`
+@@ -165,4 +215,11 @@ interface(`apcupsd_admin',`
  
  	files_list_pids($1)
  	admin_pattern($1, apcupsd_var_run_t)
@@ -7730,10 +7736,10 @@ index ce27d2f..d20377e 100644
  
  /usr/bin/apm	--	gen_context(system_u:object_r:apm_exec_t,s0)
 diff --git a/apm.if b/apm.if
-index 1a7a97e..1d29dce 100644
+index 1a7a97e..2c7252a 100644
 --- a/apm.if
 +++ b/apm.if
-@@ -141,6 +141,29 @@ interface(`apm_stream_connect',`
+@@ -141,6 +141,30 @@ interface(`apm_stream_connect',`
  
  ########################################
  ## <summary>
@@ -7752,6 +7758,7 @@ index 1a7a97e..1d29dce 100644
 +	')
 +
 +	systemd_exec_systemctl($1)
++	init_reload_services($1)
 +	allow $1 apmd_unit_file_t:file read_file_perms;
 +	allow $1 apmd_unit_file_t:service manage_service_perms;
 +
@@ -7763,7 +7770,7 @@ index 1a7a97e..1d29dce 100644
  ##	All of the rules required to
  ##	administrate an apm environment.
  ## </summary>
-@@ -163,9 +186,13 @@ interface(`apm_admin',`
+@@ -163,9 +187,13 @@ interface(`apm_admin',`
  		type apmd_tmp_t;
  	')
  
@@ -7943,10 +7950,10 @@ index 9ca0d0f..9a1a61f 100644
  
  /var/arpwatch(/.*)?	gen_context(system_u:object_r:arpwatch_data_t,s0)
 diff --git a/arpwatch.if b/arpwatch.if
-index 50c9b9c..51c8cc0 100644
+index 50c9b9c..533a555 100644
 --- a/arpwatch.if
 +++ b/arpwatch.if
-@@ -119,6 +119,29 @@ interface(`arpwatch_dontaudit_rw_packet_sockets',`
+@@ -119,6 +119,30 @@ interface(`arpwatch_dontaudit_rw_packet_sockets',`
  
  ########################################
  ## <summary>
@@ -7965,6 +7972,7 @@ index 50c9b9c..51c8cc0 100644
 +	')
 +
 +	systemd_exec_systemctl($1)
++	init_reload_services($1)
 +	allow $1 arpwatch_unit_file_t:file read_file_perms;
 +	allow $1 arpwatch_unit_file_t:service manage_service_perms;
 +
@@ -7976,7 +7984,7 @@ index 50c9b9c..51c8cc0 100644
  ##	All of the rules required to
  ##	administrate an arpwatch environment.
  ## </summary>
-@@ -138,11 +161,16 @@ interface(`arpwatch_admin',`
+@@ -138,11 +162,16 @@ interface(`arpwatch_admin',`
  	gen_require(`
  		type arpwatch_t, arpwatch_tmp_t, arpwatch_initrc_exec_t;
  		type arpwatch_data_t, arpwatch_var_run_t;
@@ -7994,7 +8002,7 @@ index 50c9b9c..51c8cc0 100644
  	arpwatch_initrc_domtrans($1)
  	domain_system_change_exemption($1)
  	role_transition $2 arpwatch_initrc_exec_t system_r;
-@@ -156,4 +184,8 @@ interface(`arpwatch_admin',`
+@@ -156,4 +185,8 @@ interface(`arpwatch_admin',`
  
  	files_list_pids($1)
  	admin_pattern($1, arpwatch_var_run_t)
@@ -8340,7 +8348,7 @@ index 92adb37..0a2ffc6 100644
  
  /var/lock/subsys/autofs	--	gen_context(system_u:object_r:automount_lock_t,s0)
 diff --git a/automount.if b/automount.if
-index f24e369..9bce868 100644
+index f24e369..4484a98 100644
 --- a/automount.if
 +++ b/automount.if
 @@ -29,7 +29,6 @@ interface(`automount_domtrans',`
@@ -8377,7 +8385,7 @@ index f24e369..9bce868 100644
  ##	Do not audit attempts to get
  ##	attributes of automount temporary
  ##	directories.
-@@ -134,6 +152,29 @@ interface(`automount_dontaudit_getattr_tmp_dirs',`
+@@ -134,6 +152,30 @@ interface(`automount_dontaudit_getattr_tmp_dirs',`
  
  ########################################
  ## <summary>
@@ -8396,6 +8404,7 @@ index f24e369..9bce868 100644
 +	')
 +
 +	systemd_exec_systemctl($1)
++	init_reload_services($1)
 +	allow $1 automount_unit_file_t:file read_file_perms;
 +	allow $1 automount_unit_file_t:service manage_service_perms;
 +
@@ -8407,7 +8416,7 @@ index f24e369..9bce868 100644
  ##	All of the rules required to
  ##	administrate an automount environment.
  ## </summary>
-@@ -153,12 +194,16 @@ interface(`automount_admin',`
+@@ -153,12 +195,16 @@ interface(`automount_admin',`
  	gen_require(`
  		type automount_t, automount_lock_t, automount_tmp_t;
  		type automount_var_run_t, automount_initrc_exec_t;
@@ -8426,7 +8435,7 @@ index f24e369..9bce868 100644
  	init_labeled_script_domtrans($1, automount_initrc_exec_t)
  	domain_system_change_exemption($1)
  	role_transition $2 automount_initrc_exec_t system_r;
-@@ -175,4 +220,8 @@ interface(`automount_admin',`
+@@ -175,4 +221,8 @@ interface(`automount_admin',`
  
  	files_list_pids($1)
  	admin_pattern($1, automount_var_run_t)
@@ -8536,10 +8545,10 @@ index e9fe2ca..4c2d076 100644
  /usr/sbin/avahi-dnsconfd	--	gen_context(system_u:object_r:avahi_exec_t,s0)
  /usr/sbin/avahi-autoipd	--	gen_context(system_u:object_r:avahi_exec_t,s0)
 diff --git a/avahi.if b/avahi.if
-index 9078c3d..bca0ac9 100644
+index 9078c3d..2f6b250 100644
 --- a/avahi.if
 +++ b/avahi.if
-@@ -211,6 +211,29 @@ interface(`avahi_dontaudit_search_pid',`
+@@ -211,6 +211,30 @@ interface(`avahi_dontaudit_search_pid',`
  
  ########################################
  ## <summary>
@@ -8558,6 +8567,7 @@ index 9078c3d..bca0ac9 100644
 +	')
 +
 +	systemd_exec_systemctl($1)
++	init_reload_services($1)
 +	allow $1 avahi_unit_file_t:file read_file_perms;
 +	allow $1 avahi_unit_file_t:service manage_service_perms;
 +
@@ -8569,7 +8579,7 @@ index 9078c3d..bca0ac9 100644
  ##	Create specified objects in generic
  ##	pid directories with the avahi pid file type.
  ## </summary>
-@@ -258,12 +281,17 @@ interface(`avahi_filetrans_pid',`
+@@ -258,12 +282,17 @@ interface(`avahi_filetrans_pid',`
  interface(`avahi_admin',`
  	gen_require(`
  		type avahi_t, avahi_var_run_t, avahi_initrc_exec_t;
@@ -8588,7 +8598,7 @@ index 9078c3d..bca0ac9 100644
  	avahi_initrc_domtrans($1)
  	domain_system_change_exemption($1)
  	role_transition $2 avahi_initrc_exec_t system_r;
-@@ -274,4 +302,8 @@ interface(`avahi_admin',`
+@@ -274,4 +303,8 @@ interface(`avahi_admin',`
  
  	files_search_var_lib($1)
  	admin_pattern($1, avahi_var_lib_t)
@@ -8864,10 +8874,10 @@ index fb42e35..8af0e14 100644
  
  /var/lib/bcfg2(/.*)?	gen_context(system_u:object_r:bcfg2_var_lib_t,s0)
 diff --git a/bcfg2.if b/bcfg2.if
-index ec95d36..7132e1e 100644
+index ec95d36..186271b 100644
 --- a/bcfg2.if
 +++ b/bcfg2.if
-@@ -117,6 +117,31 @@ interface(`bcfg2_manage_lib_dirs',`
+@@ -117,6 +117,32 @@ interface(`bcfg2_manage_lib_dirs',`
  
  ########################################
  ## <summary>
@@ -8886,6 +8896,7 @@ index ec95d36..7132e1e 100644
 +	')
 +
 +	systemd_exec_systemctl($1)
++	init_reload_services($1)
 +	systemd_read_fifo_file_passwd_run($1)
 +	allow $1 bcfg2_unit_file_t:file read_file_perms;
 +	allow $1 bcfg2_unit_file_t:service manage_service_perms;
@@ -8899,7 +8910,7 @@ index ec95d36..7132e1e 100644
  ##	All of the rules required to
  ##	administrate an bcfg2 environment.
  ## </summary>
-@@ -136,11 +161,16 @@ interface(`bcfg2_admin',`
+@@ -136,11 +162,16 @@ interface(`bcfg2_admin',`
  	gen_require(`
  		type bcfg2_t, bcfg2_initrc_exec_t, bcfg2_var_lib_t;
  		type bcfg2_var_run_t;
@@ -8917,7 +8928,7 @@ index ec95d36..7132e1e 100644
  	bcfg2_initrc_domtrans($1)
  	domain_system_change_exemption($1)
  	role_transition $2 bcfg2_initrc_exec_t system_r;
-@@ -151,4 +181,13 @@ interface(`bcfg2_admin',`
+@@ -151,4 +182,13 @@ interface(`bcfg2_admin',`
  
  	files_search_var_lib($1)
  	admin_pattern($1, bcfg2_var_lib_t)
@@ -9080,10 +9091,10 @@ index 2b9a3a1..750788c 100644
 +/var/named/dynamic(/.*)?		gen_context(system_u:object_r:named_cache_t,s0)
 +')
 diff --git a/bind.if b/bind.if
-index 531a8f2..67b6c3d 100644
+index 531a8f2..0b86f2f 100644
 --- a/bind.if
 +++ b/bind.if
-@@ -20,6 +20,29 @@ interface(`bind_initrc_domtrans',`
+@@ -20,6 +20,30 @@ interface(`bind_initrc_domtrans',`
  
  ########################################
  ## <summary>
@@ -9102,6 +9113,7 @@ index 531a8f2..67b6c3d 100644
 +	')
 +
 +	systemd_exec_systemctl($1)
++	init_reload_services($1)
 +	allow $1 named_unit_file_t:file read_file_perms;
 +	allow $1 named_unit_file_t:service manage_service_perms;
 +
@@ -9113,7 +9125,7 @@ index 531a8f2..67b6c3d 100644
  ##	Execute ndc in the ndc domain.
  ## </summary>
  ## <param name="domain">
-@@ -169,6 +192,7 @@ interface(`bind_read_config',`
+@@ -169,6 +193,7 @@ interface(`bind_read_config',`
  		type named_conf_t;
  	')
  
@@ -9121,7 +9133,7 @@ index 531a8f2..67b6c3d 100644
  	read_files_pattern($1, named_conf_t, named_conf_t)
  ')
  
-@@ -212,6 +236,25 @@ interface(`bind_manage_config_dirs',`
+@@ -212,6 +237,25 @@ interface(`bind_manage_config_dirs',`
  
  ########################################
  ## <summary>
@@ -9147,7 +9159,7 @@ index 531a8f2..67b6c3d 100644
  ##	Search bind cache directories.
  ## </summary>
  ## <param name="domain">
-@@ -310,6 +353,27 @@ interface(`bind_read_zone',`
+@@ -310,6 +354,27 @@ interface(`bind_read_zone',`
  
  ########################################
  ## <summary>
@@ -9175,7 +9187,7 @@ index 531a8f2..67b6c3d 100644
  ##	Create, read, write, and delete
  ##	bind zone files.
  ## </summary>
-@@ -344,6 +408,25 @@ interface(`bind_udp_chat_named',`
+@@ -344,6 +409,25 @@ interface(`bind_udp_chat_named',`
  
  ########################################
  ## <summary>
@@ -9201,7 +9213,7 @@ index 531a8f2..67b6c3d 100644
  ##	All of the rules required to
  ##	administrate an bind environment.
  ## </summary>
-@@ -364,11 +447,17 @@ interface(`bind_admin',`
+@@ -364,11 +448,17 @@ interface(`bind_admin',`
  		type named_t, named_tmp_t, named_log_t;
  		type named_cache_t, named_zone_t, named_initrc_exec_t;
  		type dnssec_t, ndc_t, named_conf_t, named_var_run_t;
@@ -9222,7 +9234,7 @@ index 531a8f2..67b6c3d 100644
  
  	init_labeled_script_domtrans($1, named_initrc_exec_t)
  	domain_system_change_exemption($1)
-@@ -384,11 +473,15 @@ interface(`bind_admin',`
+@@ -384,11 +474,15 @@ interface(`bind_admin',`
  	files_list_etc($1)
  	admin_pattern($1, { named_keytab_t named_conf_t })
  
@@ -9598,7 +9610,7 @@ index 2b9c7f3..0086b95 100644
  /usr/sbin/bluetoothd	--	gen_context(system_u:object_r:bluetooth_exec_t,s0)
  /usr/sbin/hciattach	--	gen_context(system_u:object_r:bluetooth_exec_t,s0)
 diff --git a/bluetooth.if b/bluetooth.if
-index c723a0a..3e8a553 100644
+index c723a0a..b23b46a 100644
 --- a/bluetooth.if
 +++ b/bluetooth.if
 @@ -37,7 +37,12 @@ interface(`bluetooth_role',`
@@ -9655,7 +9667,7 @@ index c723a0a..3e8a553 100644
  ##	Execute bluetooth_helper in the bluetooth_helper domain.  (Deprecated)
  ## </summary>
  ## <param name="domain">
-@@ -190,6 +218,29 @@ interface(`bluetooth_dontaudit_read_helper_state',`
+@@ -190,6 +218,30 @@ interface(`bluetooth_dontaudit_read_helper_state',`
  
  ########################################
  ## <summary>
@@ -9674,6 +9686,7 @@ index c723a0a..3e8a553 100644
 +	')
 +
 +	systemd_exec_systemctl($1)
++	init_reload_services($1)
 +	allow $1 bluetooth_unit_file_t:file read_file_perms;
 +	allow $1 bluetooth_unit_file_t:service manage_service_perms;
 +
@@ -9685,7 +9698,7 @@ index c723a0a..3e8a553 100644
  ##	All of the rules required to
  ##	administrate an bluetooth environment.
  ## </summary>
-@@ -210,12 +261,16 @@ interface(`bluetooth_admin',`
+@@ -210,12 +262,16 @@ interface(`bluetooth_admin',`
  		type bluetooth_t, bluetooth_tmp_t, bluetooth_lock_t;
  		type bluetooth_var_lib_t, bluetooth_var_run_t;
  		type bluetooth_conf_t, bluetooth_conf_rw_t, bluetooth_var_lib_t;
@@ -9704,7 +9717,7 @@ index c723a0a..3e8a553 100644
  	init_labeled_script_domtrans($1, bluetooth_initrc_exec_t)
  	domain_system_change_exemption($1)
  	role_transition $2 bluetooth_initrc_exec_t system_r;
-@@ -235,4 +290,8 @@ interface(`bluetooth_admin',`
+@@ -235,4 +291,8 @@ interface(`bluetooth_admin',`
  
  	files_list_pids($1)
  	admin_pattern($1, bluetooth_var_run_t)
@@ -9829,10 +9842,10 @@ index 6d3ccad..bda740a 100644
 +
 +/var/log/boinc\.log.*				--		gen_context(system_u:object_r:boinc_log_t,s0)
 diff --git a/boinc.if b/boinc.if
-index 02fefaa..fbcef10 100644
+index 02fefaa..308616e 100644
 --- a/boinc.if
 +++ b/boinc.if
-@@ -1,9 +1,165 @@
+@@ -1,9 +1,166 @@
 -## <summary>Platform for computing using volunteered resources.</summary>
 +## <summary>policy for boinc</summary>
  
@@ -9988,6 +10001,7 @@ index 02fefaa..fbcef10 100644
 +    ')
 +
 +    systemd_exec_systemctl($1)
++	init_reload_services($1)
 +    allow $1 boinc_unit_file_t:file read_file_perms;
 +    allow $1 boinc_unit_file_t:service manage_service_perms;
 +
@@ -10001,7 +10015,7 @@ index 02fefaa..fbcef10 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -19,26 +175,32 @@
+@@ -19,26 +176,32 @@
  #
  interface(`boinc_admin',`
  	gen_require(`
@@ -10368,10 +10382,10 @@ index 0000000..d541924
 +
 diff --git a/brltty.if b/brltty.if
 new file mode 100644
-index 0000000..b552259
+index 0000000..968c957
 --- /dev/null
 +++ b/brltty.if
-@@ -0,0 +1,79 @@
+@@ -0,0 +1,80 @@
 +
 +## <summary>brltty is refreshable braille display driver for Linux/Unix</summary>
 +
@@ -10410,6 +10424,7 @@ index 0000000..b552259
 +	')
 +
 +	systemd_exec_systemctl($1)
++	init_reload_services($1)
 +    systemd_read_fifo_file_passwd_run($1)
 +	allow $1 brltty_unit_file_t:file read_file_perms;
 +	allow $1 brltty_unit_file_t:service manage_service_perms;
@@ -10700,10 +10715,10 @@ index 0000000..b5ee23b
 +/var/run/bumblebee.*			gen_context(system_u:object_r:bumblebee_var_run_t,s0)
 diff --git a/bumblebee.if b/bumblebee.if
 new file mode 100644
-index 0000000..de66654
+index 0000000..2d2e60c
 --- /dev/null
 +++ b/bumblebee.if
-@@ -0,0 +1,121 @@
+@@ -0,0 +1,122 @@
 +## <summary>policy for bumblebee</summary>
 +
 +########################################
@@ -10761,6 +10776,7 @@ index 0000000..de66654
 +	')
 +
 +	systemd_exec_systemctl($1)
++	init_reload_services($1)
 +    systemd_read_fifo_file_passwd_run($1)
 +	allow $1 bumblebee_unit_file_t:file read_file_perms;
 +	allow $1 bumblebee_unit_file_t:service manage_service_perms;
@@ -12340,7 +12356,7 @@ index 4e4143e..d5e0260 100644
  
  /var/lib/chrony(/.*)?	gen_context(system_u:object_r:chronyd_var_lib_t,s0)
 diff --git a/chronyd.if b/chronyd.if
-index 32e8265..0de4af3 100644
+index 32e8265..74fd151 100644
 --- a/chronyd.if
 +++ b/chronyd.if
 @@ -100,8 +100,7 @@ interface(`chronyd_rw_shm',`
@@ -12377,7 +12393,7 @@ index 32e8265..0de4af3 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -129,18 +126,61 @@ interface(`chronyd_stream_connect',`
+@@ -129,18 +126,62 @@ interface(`chronyd_stream_connect',`
  ##	</summary>
  ## </param>
  #
@@ -12407,6 +12423,7 @@ index 32e8265..0de4af3 100644
 +	')
 +
 +	systemd_exec_systemctl($1)
++	init_reload_services($1)
 +	allow $1 chronyd_unit_file_t:file read_file_perms;
 +	allow $1 chronyd_unit_file_t:service manage_service_perms;
 +
@@ -12442,7 +12459,7 @@ index 32e8265..0de4af3 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -148,13 +188,13 @@ interface(`chronyd_dgram_send',`
+@@ -148,13 +189,13 @@ interface(`chronyd_dgram_send',`
  ##	</summary>
  ## </param>
  #
@@ -12460,7 +12477,7 @@ index 32e8265..0de4af3 100644
  ')
  
  ####################################
-@@ -176,28 +216,38 @@ interface(`chronyd_read_key_files',`
+@@ -176,28 +217,38 @@ interface(`chronyd_read_key_files',`
  #
  interface(`chronyd_admin',`
  	gen_require(`
@@ -12873,7 +12890,7 @@ index d72afcc..c53b80d 100644
  /usr/sbin/clamav-milter	--	gen_context(system_u:object_r:clamd_exec_t,s0)
  
 diff --git a/clamav.if b/clamav.if
-index 4cc4a5c..99c5cca 100644
+index 4cc4a5c..a6c6322 100644
 --- a/clamav.if
 +++ b/clamav.if
 @@ -1,4 +1,4 @@
@@ -12976,7 +12993,7 @@ index 4cc4a5c..99c5cca 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -166,21 +142,62 @@ interface(`clamav_exec_clamscan',`
+@@ -166,21 +142,63 @@ interface(`clamav_exec_clamscan',`
  ##	</summary>
  ## </param>
  #
@@ -13031,6 +13048,7 @@ index 4cc4a5c..99c5cca 100644
 +        ')
 +
 +        systemd_exec_systemctl($1)
++	init_reload_services($1)
 +        systemd_read_fifo_file_passwd_run($1)
 +        allow $1 clamd_unit_file_t:file read_file_perms;
 +        allow $1 clamd_unit_file_t:service manage_service_perms;
@@ -13047,7 +13065,7 @@ index 4cc4a5c..99c5cca 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -189,7 +206,7 @@ interface(`clamav_read_state_clamd',`
+@@ -189,7 +207,7 @@ interface(`clamav_read_state_clamd',`
  ## </param>
  ## <param name="role">
  ##	<summary>
@@ -13056,7 +13074,7 @@ index 4cc4a5c..99c5cca 100644
  ##	</summary>
  ## </param>
  ## <rolecap/>
-@@ -197,19 +214,36 @@ interface(`clamav_read_state_clamd',`
+@@ -197,19 +215,36 @@ interface(`clamav_read_state_clamd',`
  interface(`clamav_admin',`
  	gen_require(`
  		type clamd_t, clamd_etc_t, clamd_tmp_t;
@@ -13097,7 +13115,7 @@ index 4cc4a5c..99c5cca 100644
  	files_list_etc($1)
  	admin_pattern($1, clamd_etc_t)
  
-@@ -217,11 +251,21 @@ interface(`clamav_admin',`
+@@ -217,11 +252,21 @@ interface(`clamav_admin',`
  	admin_pattern($1, clamd_var_lib_t)
  
  	logging_list_logs($1)
@@ -13926,10 +13944,10 @@ index 0000000..bb87537
 +/var/lib/cockpit(/.*)?      gen_context(system_u:object_r:cockpit_var_lib_t,s0)
 diff --git a/cockpit.if b/cockpit.if
 new file mode 100644
-index 0000000..573dcae
+index 0000000..a8a678a
 --- /dev/null
 +++ b/cockpit.if
-@@ -0,0 +1,188 @@
+@@ -0,0 +1,189 @@
 +## <summary>policy for cockpit</summary>
 +
 +########################################
@@ -14063,6 +14081,7 @@ index 0000000..573dcae
 +	')
 +
 +	systemd_exec_systemctl($1)
++	init_reload_services($1)
 +        systemd_read_fifo_file_passwd_run($1)
 +	allow $1 cockpit_unit_file_t:file read_file_perms;
 +	allow $1 cockpit_unit_file_t:service manage_service_perms;
@@ -14241,10 +14260,10 @@ index 79a3abe..3237fb0 100644
 -/usr/share/collectd/collection3/bin/.*\.cgi	--	gen_context(system_u:object_r:httpd_collectd_script_exec_t,s0)
 +/usr/share/collectd/collection3/bin/.*\.cgi	--	gen_context(system_u:object_r:collectd_script_exec_t,s0)
 diff --git a/collectd.if b/collectd.if
-index 954309e..f4db2ca 100644
+index 954309e..6780142 100644
 --- a/collectd.if
 +++ b/collectd.if
-@@ -2,8 +2,144 @@
+@@ -2,8 +2,145 @@
  
  ########################################
  ## <summary>
@@ -14378,6 +14397,7 @@ index 954309e..f4db2ca 100644
 +	')
 +
 +	systemd_exec_systemctl($1)
++	init_reload_services($1)
 +	allow $1 collectd_unit_file_t:file read_file_perms;
 +	allow $1 collectd_unit_file_t:service manage_service_perms;
 +
@@ -14391,7 +14411,7 @@ index 954309e..f4db2ca 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -20,13 +156,17 @@
+@@ -20,13 +157,17 @@
  interface(`collectd_admin',`
  	gen_require(`
  		type collectd_t, collectd_initrc_exec_t, collectd_var_run_t;
@@ -14412,7 +14432,7 @@ index 954309e..f4db2ca 100644
  	domain_system_change_exemption($1)
  	role_transition $2 collectd_initrc_exec_t system_r;
  	allow $2 system_r;
-@@ -36,4 +176,9 @@ interface(`collectd_admin',`
+@@ -36,4 +177,9 @@ interface(`collectd_admin',`
  
  	files_search_var_lib($1)
  	admin_pattern($1, collectd_var_lib_t)
@@ -14546,7 +14566,7 @@ index 71639eb..08ab891 100644
  /var/lib/color(/.*)?	gen_context(system_u:object_r:colord_var_lib_t,s0)
  /var/lib/colord(/.*)?	gen_context(system_u:object_r:colord_var_lib_t,s0)
 diff --git a/colord.if b/colord.if
-index 8e27a37..825f537 100644
+index 8e27a37..c69be28 100644
 --- a/colord.if
 +++ b/colord.if
 @@ -1,4 +1,4 @@
@@ -14571,7 +14591,7 @@ index 8e27a37..825f537 100644
  ')
  
  ######################################
-@@ -58,3 +58,26 @@ interface(`colord_read_lib_files',`
+@@ -58,3 +58,27 @@ interface(`colord_read_lib_files',`
  	files_search_var_lib($1)
  	read_files_pattern($1, colord_var_lib_t, colord_var_lib_t)
  ')
@@ -14593,6 +14613,7 @@ index 8e27a37..825f537 100644
 +	')
 +
 +	systemd_exec_systemctl($1)
++	init_reload_services($1)
 +	allow $1 colord_unit_file_t:file read_file_perms;
 +	allow $1 colord_unit_file_t:service manage_service_perms;
 +
@@ -14760,10 +14781,10 @@ index ad2b696..28d1af0 100644
  /usr/sbin/condor_collector	--	gen_context(system_u:object_r:condor_collector_exec_t,s0)
  /usr/sbin/condor_master	--	gen_context(system_u:object_r:condor_master_exec_t,s0)
 diff --git a/condor.if b/condor.if
-index 881d92f..4998ee9 100644
+index 881d92f..a2d588a 100644
 --- a/condor.if
 +++ b/condor.if
-@@ -1,75 +1,390 @@
+@@ -1,75 +1,391 @@
 -## <summary>High-Throughput Computing System.</summary>
 +
 +## <summary>policy for condor</summary>
@@ -15110,6 +15131,7 @@ index 881d92f..4998ee9 100644
 +	')
 +
 +	systemd_exec_systemctl($1)
++	init_reload_services($1)
 +	systemd_read_fifo_file_passwd_run($1)
 +	allow $1 condor_unit_file_t:file read_file_perms;
 +	allow $1 condor_unit_file_t:service manage_service_perms;
@@ -15192,7 +15214,7 @@ index 881d92f..4998ee9 100644
  
  	files_search_etc($1)
  	admin_pattern($1, condor_conf_t)
-@@ -77,8 +392,8 @@ interface(`condor_admin',`
+@@ -77,8 +393,8 @@ interface(`condor_admin',`
  	logging_search_logs($1)
  	admin_pattern($1, condor_log_t)
  
@@ -15203,7 +15225,7 @@ index 881d92f..4998ee9 100644
  
  	files_search_var_lib($1)
  	admin_pattern($1, condor_var_lib_t)
-@@ -88,4 +403,13 @@ interface(`condor_admin',`
+@@ -88,4 +404,13 @@ interface(`condor_admin',`
  
  	files_search_tmp($1)
  	admin_pattern($1, { condor_schedd_tmp_t condor_startd_tmp_t })
@@ -15393,10 +15415,10 @@ index 0000000..d2f5c80
 +/var/run/conmand.*      --      gen_context(system_u:object_r:conman_var_run_t,s0)
 diff --git a/conman.if b/conman.if
 new file mode 100644
-index 0000000..54b4b04
+index 0000000..1cc5fa4
 --- /dev/null
 +++ b/conman.if
-@@ -0,0 +1,142 @@
+@@ -0,0 +1,143 @@
 +## <summary>Conman is a program for connecting to remote consoles being managed by conmand</summary>
 +
 +########################################
@@ -15493,6 +15515,7 @@ index 0000000..54b4b04
 +	')
 +
 +	systemd_exec_systemctl($1)
++	init_reload_services($1)
 +    systemd_read_fifo_file_passwd_run($1)
 +	allow $1 conman_unit_file_t:file read_file_perms;
 +	allow $1 conman_unit_file_t:service manage_service_perms;
@@ -15611,7 +15634,7 @@ index 23c9558..29e5fd3 100644
  
  /var/log/ConsoleKit(/.*)?	gen_context(system_u:object_r:consolekit_log_t,s0)
 diff --git a/consolekit.if b/consolekit.if
-index 5b830ec..0647a3b 100644
+index 5b830ec..78025c5 100644
 --- a/consolekit.if
 +++ b/consolekit.if
 @@ -21,6 +21,27 @@ interface(`consolekit_domtrans',`
@@ -15667,7 +15690,7 @@ index 5b830ec..0647a3b 100644
  ##	Read consolekit log files.
  ## </summary>
  ## <param name="domain">
-@@ -98,3 +137,64 @@ interface(`consolekit_read_pid_files',`
+@@ -98,3 +137,65 @@ interface(`consolekit_read_pid_files',`
  	allow $1 consolekit_var_run_t:dir list_dir_perms;
  	read_files_pattern($1, consolekit_var_run_t, consolekit_var_run_t)
  ')
@@ -15727,6 +15750,7 @@ index 5b830ec..0647a3b 100644
 +	')
 +
 +	systemd_exec_systemctl($1)
++	init_reload_services($1)
 +	allow $1 consolekit_unit_file_t:file read_file_perms;
 +	allow $1 consolekit_unit_file_t:service manage_service_perms;
 +
@@ -15841,7 +15865,7 @@ index da39f0f..6a96733 100644
  /usr/sbin/corosync-notifyd	--	gen_context(system_u:object_r:corosync_exec_t,s0)
  
 diff --git a/corosync.if b/corosync.if
-index 694a037..b836c07 100644
+index 694a037..d859681 100644
 --- a/corosync.if
 +++ b/corosync.if
 @@ -77,6 +77,25 @@ interface(`corosync_read_log',`
@@ -15870,7 +15894,7 @@ index 694a037..b836c07 100644
  #####################################
  ## <summary>
  ##	Connect to corosync over a unix
-@@ -91,29 +110,54 @@ interface(`corosync_read_log',`
+@@ -91,29 +110,55 @@ interface(`corosync_read_log',`
  interface(`corosync_stream_connect',`
  	gen_require(`
  		type corosync_t, corosync_var_run_t;
@@ -15924,6 +15948,7 @@ index 694a037..b836c07 100644
 -	fs_search_tmpfs($1)
 -	rw_files_pattern($1, corosync_tmpfs_t, corosync_tmpfs_t)
 +	systemd_exec_systemctl($1)
++	init_reload_services($1)
 +	allow $1 corosync_unit_file_t:file read_file_perms;
 +	allow $1 corosync_unit_file_t:service manage_service_perms;
 +
@@ -15931,7 +15956,7 @@ index 694a037..b836c07 100644
  ')
  
  ######################################
-@@ -160,12 +204,17 @@ interface(`corosync_admin',`
+@@ -160,12 +205,17 @@ interface(`corosync_admin',`
  		type corosync_t, corosync_var_lib_t, corosync_var_log_t;
  		type corosync_var_run_t, corosync_tmp_t, corosync_tmpfs_t;
  		type corosync_initrc_exec_t;
@@ -15951,7 +15976,7 @@ index 694a037..b836c07 100644
  	domain_system_change_exemption($1)
  	role_transition $2 corosync_initrc_exec_t system_r;
  	allow $2 system_r;
-@@ -183,4 +232,8 @@ interface(`corosync_admin',`
+@@ -183,4 +233,8 @@ interface(`corosync_admin',`
  
  	files_list_pids($1)
  	admin_pattern($1, corosync_var_run_t)
@@ -16051,7 +16076,7 @@ index c086302..5380ab6 100644
  /var/lib/couchdb(/.*)?	gen_context(system_u:object_r:couchdb_var_lib_t,s0)
  
 diff --git a/couchdb.if b/couchdb.if
-index 715a826..3f0c0dc 100644
+index 715a826..a1cbdb2 100644
 --- a/couchdb.if
 +++ b/couchdb.if
 @@ -2,7 +2,7 @@
@@ -16152,7 +16177,7 @@ index 715a826..3f0c0dc 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -73,19 +112,87 @@ interface(`couchdb_read_pid_files',`
+@@ -73,19 +112,88 @@ interface(`couchdb_read_pid_files',`
  	')
  
  	files_search_pids($1)
@@ -16223,6 +16248,7 @@ index 715a826..3f0c0dc 100644
 +	')
 +
 +	systemd_exec_systemctl($1)
++	init_reload_services($1)
 +	systemd_read_fifo_file_passwd_run($1)
 +	allow $1 couchdb_unit_file_t:file read_file_perms;
 +	allow $1 couchdb_unit_file_t:service manage_service_perms;
@@ -16244,7 +16270,7 @@ index 715a826..3f0c0dc 100644
  ## <param name="role">
  ##	<summary>
  ##	Role allowed access.
-@@ -95,14 +202,19 @@ interface(`couchdb_read_pid_files',`
+@@ -95,14 +203,19 @@ interface(`couchdb_read_pid_files',`
  #
  interface(`couchdb_admin',`
  	gen_require(`
@@ -16265,7 +16291,7 @@ index 715a826..3f0c0dc 100644
  	init_labeled_script_domtrans($1, couchdb_initrc_exec_t)
  	domain_system_change_exemption($1)
  	role_transition $2 couchdb_initrc_exec_t system_r;
-@@ -122,4 +234,13 @@ interface(`couchdb_admin',`
+@@ -122,4 +235,13 @@ interface(`couchdb_admin',`
  
  	files_search_pids($1)
  	admin_pattern($1, couchdb_var_run_t)
@@ -16912,7 +16938,7 @@ index ad0bae9..615a947 100644
 +/var/spool/cron/tabs		-d	gen_context(system_u:object_r:cron_spool_t,s0)
  ')
 diff --git a/cron.if b/cron.if
-index 1303b30..615caac 100644
+index 1303b30..759412f 100644
 --- a/cron.if
 +++ b/cron.if
 @@ -2,11 +2,12 @@
@@ -17360,7 +17386,7 @@ index 1303b30..615caac 100644
  	can_exec($1, crond_exec_t)
  ')
  
-@@ -376,7 +392,31 @@ interface(`cron_initrc_domtrans',`
+@@ -376,7 +392,32 @@ interface(`cron_initrc_domtrans',`
  
  ########################################
  ## <summary>
@@ -17380,6 +17406,7 @@ index 1303b30..615caac 100644
 +	')
 +
 +	systemd_exec_systemctl($1)
++	init_reload_services($1)
 +	allow $1 crond_unit_file_t:file read_file_perms;
 +	allow $1 crond_unit_file_t:service manage_service_perms;
 +
@@ -17393,7 +17420,7 @@ index 1303b30..615caac 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -394,7 +434,7 @@ interface(`cron_use_fds',`
+@@ -394,7 +435,7 @@ interface(`cron_use_fds',`
  
  ########################################
  ## <summary>
@@ -17402,7 +17429,7 @@ index 1303b30..615caac 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -412,7 +452,7 @@ interface(`cron_sigchld',`
+@@ -412,7 +453,7 @@ interface(`cron_sigchld',`
  
  ########################################
  ## <summary>
@@ -17411,7 +17438,7 @@ index 1303b30..615caac 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -420,17 +460,17 @@ interface(`cron_sigchld',`
+@@ -420,17 +461,17 @@ interface(`cron_sigchld',`
  ##	</summary>
  ## </param>
  #
@@ -17433,7 +17460,7 @@ index 1303b30..615caac 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -438,17 +478,17 @@ interface(`cron_setattr_log_files',`
+@@ -438,17 +479,17 @@ interface(`cron_setattr_log_files',`
  ##	</summary>
  ## </param>
  #
@@ -17455,7 +17482,7 @@ index 1303b30..615caac 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -456,18 +496,20 @@ interface(`cron_create_log_files',`
+@@ -456,18 +497,20 @@ interface(`cron_create_log_files',`
  ##	</summary>
  ## </param>
  #
@@ -17481,7 +17508,7 @@ index 1303b30..615caac 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -475,48 +517,37 @@ interface(`cron_write_log_files',`
+@@ -475,48 +518,37 @@ interface(`cron_write_log_files',`
  ##	</summary>
  ## </param>
  #
@@ -17541,7 +17568,7 @@ index 1303b30..615caac 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -524,18 +555,17 @@ interface(`cron_generic_log_filetrans_log',`
+@@ -524,18 +556,17 @@ interface(`cron_generic_log_filetrans_log',`
  ##	</summary>
  ## </param>
  #
@@ -17563,7 +17590,7 @@ index 1303b30..615caac 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -543,17 +573,17 @@ interface(`cron_read_pipes',`
+@@ -543,17 +574,17 @@ interface(`cron_read_pipes',`
  ##	</summary>
  ## </param>
  #
@@ -17584,7 +17611,7 @@ index 1303b30..615caac 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -561,17 +591,35 @@ interface(`cron_dontaudit_write_pipes',`
+@@ -561,17 +592,35 @@ interface(`cron_dontaudit_write_pipes',`
  ##	</summary>
  ## </param>
  #
@@ -17624,7 +17651,7 @@ index 1303b30..615caac 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -589,8 +637,7 @@ interface(`cron_rw_tcp_sockets',`
+@@ -589,8 +638,7 @@ interface(`cron_rw_tcp_sockets',`
  
  ########################################
  ## <summary>
@@ -17634,7 +17661,7 @@ index 1303b30..615caac 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -608,7 +655,7 @@ interface(`cron_dontaudit_rw_tcp_sockets',`
+@@ -608,7 +656,7 @@ interface(`cron_dontaudit_rw_tcp_sockets',`
  
  ########################################
  ## <summary>
@@ -17643,7 +17670,7 @@ index 1303b30..615caac 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -627,8 +674,26 @@ interface(`cron_search_spool',`
+@@ -627,8 +675,26 @@ interface(`cron_search_spool',`
  
  ########################################
  ## <summary>
@@ -17672,7 +17699,7 @@ index 1303b30..615caac 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -641,13 +706,13 @@ interface(`cron_manage_pid_files',`
+@@ -641,13 +707,13 @@ interface(`cron_manage_pid_files',`
  		type crond_var_run_t;
  	')
  
@@ -17688,7 +17715,7 @@ index 1303b30..615caac 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -660,13 +725,13 @@ interface(`cron_anacron_domtrans_system_job',`
+@@ -660,13 +726,13 @@ interface(`cron_anacron_domtrans_system_job',`
  		type system_cronjob_t, anacron_exec_t;
  	')
  
@@ -17704,7 +17731,7 @@ index 1303b30..615caac 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -684,7 +749,7 @@ interface(`cron_use_system_job_fds',`
+@@ -684,7 +750,7 @@ interface(`cron_use_system_job_fds',`
  
  ########################################
  ## <summary>
@@ -17713,7 +17740,7 @@ index 1303b30..615caac 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -692,19 +757,17 @@ interface(`cron_use_system_job_fds',`
+@@ -692,19 +758,17 @@ interface(`cron_use_system_job_fds',`
  ##	</summary>
  ## </param>
  #
@@ -17737,7 +17764,7 @@ index 1303b30..615caac 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -712,18 +775,17 @@ interface(`cron_read_system_job_lib_files',`
+@@ -712,18 +776,17 @@ interface(`cron_read_system_job_lib_files',`
  ##	</summary>
  ## </param>
  #
@@ -17760,7 +17787,7 @@ index 1303b30..615caac 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -731,18 +793,17 @@ interface(`cron_manage_system_job_lib_files',`
+@@ -731,18 +794,17 @@ interface(`cron_manage_system_job_lib_files',`
  ##	</summary>
  ## </param>
  #
@@ -17782,7 +17809,7 @@ index 1303b30..615caac 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -750,86 +811,142 @@ interface(`cron_write_system_job_pipes',`
+@@ -750,86 +812,142 @@ interface(`cron_write_system_job_pipes',`
  ##	</summary>
  ## </param>
  #
@@ -19445,7 +19472,7 @@ index 949011e..9437dbe 100644
 +/etc/opt/brother/Printers/(.*/)?inf(/.*)?        gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
 +/opt/brother/Printers(.*/)?inf(/.*)?      gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
 diff --git a/cups.if b/cups.if
-index 3023be7..303af85 100644
+index 3023be7..0317731 100644
 --- a/cups.if
 +++ b/cups.if
 @@ -200,10 +200,13 @@ interface(`cups_dbus_chat_config',`
@@ -19463,7 +19490,7 @@ index 3023be7..303af85 100644
  ')
  
  ########################################
-@@ -306,6 +309,29 @@ interface(`cups_stream_connect_ptal',`
+@@ -306,6 +309,30 @@ interface(`cups_stream_connect_ptal',`
  
  ########################################
  ## <summary>
@@ -19482,6 +19509,7 @@ index 3023be7..303af85 100644
 +	')
 +
 +	systemd_exec_systemctl($1)
++	init_reload_services($1)
 +	allow $1 cupsd_unit_file_t:file read_file_perms;
 +	allow $1 cupsd_unit_file_t:service manage_service_perms;
 +
@@ -19493,7 +19521,7 @@ index 3023be7..303af85 100644
  ##	Read the process state (/proc/pid) of cupsd.
  ## </summary>
  ## <param name="domain">
-@@ -344,18 +370,23 @@ interface(`cups_read_state',`
+@@ -344,18 +371,23 @@ interface(`cups_read_state',`
  interface(`cups_admin',`
  	gen_require(`
  		type cupsd_t, cupsd_tmp_t, cupsd_lpd_tmp_t;
@@ -19522,7 +19550,7 @@ index 3023be7..303af85 100644
  
  	init_labeled_script_domtrans($1, cupsd_initrc_exec_t)
  	domain_system_change_exemption($1)
-@@ -368,13 +399,45 @@ interface(`cups_admin',`
+@@ -368,13 +400,45 @@ interface(`cups_admin',`
  	logging_list_logs($1)
  	admin_pattern($1, cupsd_log_t)
  
@@ -23029,7 +23057,7 @@ index 8182c48..0b9bb97 100644
  /var/lib/dhcpd(/.*)?	gen_context(system_u:object_r:dhcpd_state_t,s0)
  /var/lib/dhcp(3)?/dhcpd\.leases.*	--	gen_context(system_u:object_r:dhcpd_state_t,s0)
 diff --git a/dhcp.if b/dhcp.if
-index c697edb..31d45bf 100644
+index c697edb..954c090 100644
 --- a/dhcp.if
 +++ b/dhcp.if
 @@ -36,7 +36,7 @@ interface(`dhcpd_setattr_state_files',`
@@ -23041,7 +23069,7 @@ index c697edb..31d45bf 100644
  ')
  
  ########################################
-@@ -60,6 +60,30 @@ interface(`dhcpd_initrc_domtrans',`
+@@ -60,6 +60,31 @@ interface(`dhcpd_initrc_domtrans',`
  
  ########################################
  ## <summary>
@@ -23060,6 +23088,7 @@ index c697edb..31d45bf 100644
 +	')
 +
 +	systemd_exec_systemctl($1)
++	init_reload_services($1)
 +	systemd_search_unit_dirs($1)
 +	allow $1 dhcpd_unit_file_t:file read_file_perms;
 +	allow $1 dhcpd_unit_file_t:service manage_service_perms;
@@ -23072,7 +23101,7 @@ index c697edb..31d45bf 100644
  ##	All of the rules required to
  ##	administrate an dhcpd environment.
  ## </summary>
-@@ -79,11 +103,16 @@ interface(`dhcpd_admin',`
+@@ -79,11 +104,16 @@ interface(`dhcpd_admin',`
  	gen_require(`
  		type dhcpd_t, dhcpd_tmp_t, dhcpd_state_t;
  		type dhcpd_var_run_t, dhcpd_initrc_exec_t;
@@ -23090,7 +23119,7 @@ index c697edb..31d45bf 100644
  	init_labeled_script_domtrans($1, dhcpd_initrc_exec_t)
  	domain_system_change_exemption($1)
  	role_transition $2 dhcpd_initrc_exec_t system_r;
-@@ -97,4 +126,8 @@ interface(`dhcpd_admin',`
+@@ -97,4 +127,8 @@ interface(`dhcpd_admin',`
  
  	files_list_pids($1)
  	admin_pattern($1, dhcpd_var_run_t)
@@ -24167,7 +24196,7 @@ index 23ab808..84735a8 100644
 +/var/run/dnsmasq.*		gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
  /var/run/libvirt/network(/.*)?	gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
 diff --git a/dnsmasq.if b/dnsmasq.if
-index 19aa0b8..b9895ba 100644
+index 19aa0b8..45c70c1 100644
 --- a/dnsmasq.if
 +++ b/dnsmasq.if
 @@ -10,7 +10,6 @@
@@ -24221,7 +24250,7 @@ index 19aa0b8..b9895ba 100644
  ########################################
  ## <summary>
  ##	Execute the dnsmasq init script in
-@@ -42,6 +77,48 @@ interface(`dnsmasq_initrc_domtrans',`
+@@ -42,6 +77,49 @@ interface(`dnsmasq_initrc_domtrans',`
  
  ########################################
  ## <summary>
@@ -24240,6 +24269,7 @@ index 19aa0b8..b9895ba 100644
 +	')
 +
 +	systemd_exec_systemctl($1)
++	init_reload_services($1)
 +	allow $1 dnsmasq_unit_file_t:file read_file_perms;
 +	allow $1 dnsmasq_unit_file_t:service manage_service_perms;
 +
@@ -24270,7 +24300,7 @@ index 19aa0b8..b9895ba 100644
  ##	Send generic signals to dnsmasq.
  ## </summary>
  ## <param name="domain">
-@@ -145,15 +222,16 @@ interface(`dnsmasq_write_config',`
+@@ -145,15 +223,16 @@ interface(`dnsmasq_write_config',`
  ##	</summary>
  ## </param>
  #
@@ -24288,7 +24318,7 @@ index 19aa0b8..b9895ba 100644
  ########################################
  ## <summary>
  ##	Create, read, write, and delete
-@@ -176,7 +254,7 @@ interface(`dnsmasq_manage_pid_files',`
+@@ -176,7 +255,7 @@ interface(`dnsmasq_manage_pid_files',`
  
  ########################################
  ## <summary>
@@ -24297,7 +24327,7 @@ index 19aa0b8..b9895ba 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -184,12 +262,12 @@ interface(`dnsmasq_manage_pid_files',`
+@@ -184,12 +263,12 @@ interface(`dnsmasq_manage_pid_files',`
  ##	</summary>
  ## </param>
  #
@@ -24311,7 +24341,7 @@ index 19aa0b8..b9895ba 100644
  	read_files_pattern($1, dnsmasq_var_run_t, dnsmasq_var_run_t)
  ')
  
-@@ -214,37 +292,66 @@ interface(`dnsmasq_create_pid_dirs',`
+@@ -214,37 +293,66 @@ interface(`dnsmasq_create_pid_dirs',`
  
  ########################################
  ## <summary>
@@ -24392,7 +24422,7 @@ index 19aa0b8..b9895ba 100644
  ')
  
  ########################################
-@@ -267,12 +374,18 @@ interface(`dnsmasq_spec_filetrans_pid',`
+@@ -267,12 +375,18 @@ interface(`dnsmasq_spec_filetrans_pid',`
  interface(`dnsmasq_admin',`
  	gen_require(`
  		type dnsmasq_t, dnsmasq_lease_t, dnsmasq_var_run_t;
@@ -24413,7 +24443,7 @@ index 19aa0b8..b9895ba 100644
  	init_labeled_script_domtrans($1, dnsmasq_initrc_exec_t)
  	domain_system_change_exemption($1)
  	role_transition $2 dnsmasq_initrc_exec_t system_r;
-@@ -281,9 +394,13 @@ interface(`dnsmasq_admin',`
+@@ -281,9 +395,13 @@ interface(`dnsmasq_admin',`
  	files_list_var_lib($1)
  	admin_pattern($1, dnsmasq_lease_t)
  
@@ -24699,10 +24729,10 @@ index 0000000..fd679a1
 +/var/lib/docker/.*/config\.env	gen_context(system_u:object_r:docker_share_t,s0)
 diff --git a/docker.if b/docker.if
 new file mode 100644
-index 0000000..2a614ed
+index 0000000..114764c
 --- /dev/null
 +++ b/docker.if
-@@ -0,0 +1,365 @@
+@@ -0,0 +1,366 @@
 +
 +## <summary>The open-source application container engine.</summary>
 +
@@ -24930,6 +24960,7 @@ index 0000000..2a614ed
 +	')
 +
 +	systemd_exec_systemctl($1)
++	init_reload_services($1)
 +        systemd_read_fifo_file_passwd_run($1)
 +	allow $1 docker_unit_file_t:file read_file_perms;
 +	allow $1 docker_unit_file_t:service manage_service_perms;
@@ -26729,10 +26760,10 @@ index 0000000..eac30a3
 +/var/lib/etcd(/.*)?                 gen_context(system_u:object_r:etcd_var_lib_t,s0)
 diff --git a/etcd.if b/etcd.if
 new file mode 100644
-index 0000000..0827ab7
+index 0000000..d5386d9
 --- /dev/null
 +++ b/etcd.if
-@@ -0,0 +1,165 @@
+@@ -0,0 +1,166 @@
 +## <summary>A highly-available key value store for shared configuration.</summary>
 +
 +########################################
@@ -26847,6 +26878,7 @@ index 0000000..0827ab7
 +	')
 +
 +	systemd_exec_systemctl($1)
++	init_reload_services($1)
 +    systemd_read_fifo_file_passwd_run($1)
 +	allow $1 etcd_unit_file_t:file read_file_perms;
 +	allow $1 etcd_unit_file_t:service manage_service_perms;
@@ -27837,7 +27869,7 @@ index 21d7b84..0e272bd 100644
  
  /etc/firewalld(/.*)?	gen_context(system_u:object_r:firewalld_etc_rw_t,s0)
 diff --git a/firewalld.if b/firewalld.if
-index c62c567..1893f7f 100644
+index c62c567..6460877 100644
 --- a/firewalld.if
 +++ b/firewalld.if
 @@ -2,7 +2,7 @@
@@ -27858,7 +27890,7 @@ index c62c567..1893f7f 100644
  	gen_require(`
  		type firewalld_etc_rw_t;
  	')
-@@ -21,6 +21,47 @@ interface(`firewalld_read_config_files',`
+@@ -21,6 +21,48 @@ interface(`firewalld_read_config_files',`
  
  ########################################
  ## <summary>
@@ -27895,6 +27927,7 @@ index c62c567..1893f7f 100644
 +	')
 +
 +	systemd_exec_systemctl($1)
++	init_reload_services($1)
 +	allow $1 firewalld_unit_file_t:file read_file_perms;
 +	allow $1 firewalld_unit_file_t:service manage_service_perms;
 +
@@ -27906,7 +27939,7 @@ index c62c567..1893f7f 100644
  ##	Send and receive messages from
  ##	firewalld over dbus.
  ## </summary>
-@@ -42,8 +83,8 @@ interface(`firewalld_dbus_chat',`
+@@ -42,8 +84,8 @@ interface(`firewalld_dbus_chat',`
  
  ########################################
  ## <summary>
@@ -27917,7 +27950,7 @@ index c62c567..1893f7f 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -51,18 +92,18 @@ interface(`firewalld_dbus_chat',`
+@@ -51,18 +93,18 @@ interface(`firewalld_dbus_chat',`
  ##	</summary>
  ## </param>
  #
@@ -27940,7 +27973,7 @@ index c62c567..1893f7f 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -79,14 +120,18 @@ interface(`firewalld_dontaudit_rw_tmp_files',`
+@@ -79,14 +121,18 @@ interface(`firewalld_dontaudit_rw_tmp_files',`
  interface(`firewalld_admin',`
  	gen_require(`
  		type firewalld_t, firewalld_initrc_exec_t;
@@ -27962,7 +27995,7 @@ index c62c567..1893f7f 100644
  	domain_system_change_exemption($1)
  	role_transition $2 firewalld_initrc_exec_t system_r;
  	allow $2 system_r;
-@@ -97,6 +142,9 @@ interface(`firewalld_admin',`
+@@ -97,6 +143,9 @@ interface(`firewalld_admin',`
  	logging_search_logs($1)
  	admin_pattern($1, firewalld_var_log_t)
  
@@ -28751,10 +28784,10 @@ index ddb75c1..44f74e6 100644
  
  /etc/rc\.d/init\.d/vsftpd	--	gen_context(system_u:object_r:ftpd_initrc_exec_t,s0)
 diff --git a/ftp.if b/ftp.if
-index 4498143..77bbcef 100644
+index 4498143..84a4858 100644
 --- a/ftp.if
 +++ b/ftp.if
-@@ -1,5 +1,66 @@
+@@ -1,5 +1,67 @@
  ## <summary>File transfer protocol service.</summary>
  
 +######################################
@@ -28812,6 +28845,7 @@ index 4498143..77bbcef 100644
 +	')
 +
 +	systemd_exec_systemctl($1)
++	init_reload_services($1)
 +	allow $1 ftpd_unit_file_t:file read_file_perms;
 +	allow $1 ftpd_unit_file_t:service manage_service_perms;
 +
@@ -28821,7 +28855,7 @@ index 4498143..77bbcef 100644
  #######################################
  ## <summary>
  ##	Execute a dyntransition to run anon sftpd.
-@@ -179,8 +240,11 @@ interface(`ftp_admin',`
+@@ -179,8 +241,11 @@ interface(`ftp_admin',`
  		type ftpd_keytab_t;
  	')
  
@@ -28834,7 +28868,7 @@ index 4498143..77bbcef 100644
  
  	init_labeled_script_domtrans($1, ftpd_initrc_exec_t)
  	domain_system_change_exemption($1)
-@@ -204,5 +268,9 @@ interface(`ftp_admin',`
+@@ -204,5 +269,9 @@ interface(`ftp_admin',`
  	logging_list_logs($1)
  	admin_pattern($1, xferlog_t)
  
@@ -29265,10 +29299,10 @@ index 0000000..98c012c
 +/var/lib/gear(/.*)?		gen_context(system_u:object_r:gear_var_lib_t,s0)
 diff --git a/gear.if b/gear.if
 new file mode 100644
-index 0000000..04e159f
+index 0000000..d745c67
 --- /dev/null
 +++ b/gear.if
-@@ -0,0 +1,288 @@
+@@ -0,0 +1,289 @@
 +
 +## <summary>The open-source application container engine.</summary>
 +
@@ -29458,6 +29492,7 @@ index 0000000..04e159f
 +	')
 +
 +	systemd_exec_systemctl($1)
++	init_reload_services($1)
 +        systemd_read_fifo_file_passwd_run($1)
 +	allow $1 gear_unit_file_t:file read_file_perms;
 +	allow $1 gear_unit_file_t:service manage_service_perms;
@@ -34615,10 +34650,10 @@ index 0000000..f4659d1
 +/var/run/gssproxy\.sock		-s	gen_context(system_u:object_r:gssproxy_var_run_t,s0)
 diff --git a/gssproxy.if b/gssproxy.if
 new file mode 100644
-index 0000000..3ce0ac0
+index 0000000..2277038
 --- /dev/null
 +++ b/gssproxy.if
-@@ -0,0 +1,198 @@
+@@ -0,0 +1,199 @@
 +
 +## <summary>policy for gssproxy</summary>
 +
@@ -34753,6 +34788,7 @@ index 0000000..3ce0ac0
 +	')
 +
 +	systemd_exec_systemctl($1)
++	init_reload_services($1)
 +	allow $1 gssproxy_unit_file_t:file read_file_perms;
 +	allow $1 gssproxy_unit_file_t:service manage_service_perms;
 +
@@ -35052,10 +35088,10 @@ index b46130e..e2ae3b2 100644
 +
 +/var/lib/hyperv(/.*)?		gen_context(system_u:object_r:hypervkvp_var_lib_t,s0)
 diff --git a/hypervkvp.if b/hypervkvp.if
-index 6517fad..b7ca833 100644
+index 6517fad..f183748 100644
 --- a/hypervkvp.if
 +++ b/hypervkvp.if
-@@ -1,32 +1,134 @@
+@@ -1,32 +1,135 @@
 -## <summary>HyperV key value pair (KVP).</summary>
 +
 +## <summary>policy for hypervkvp</summary>
@@ -35158,6 +35194,7 @@ index 6517fad..b7ca833 100644
 +    ')
 +
 +    systemd_exec_systemctl($1)
++	init_reload_services($1)
 +    allow $1 hypervkvp_unit_file_t:file read_file_perms;
 +    allow $1 hypervkvp_unit_file_t:service manage_service_perms;
 +
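Review bot: The added `init_reload_services($1)` line is indented with a tab while the rest of this interface body is indented with four spaces, so it no longer lines up with `systemd_exec_systemctl($1)` directly above it. Match the surrounding lines: `+    init_reload_services($1)`. The same tab-versus-spaces mismatch appears on the added lines in the iodine, first iscsi, kmscon and ksmtuned hunks, where the neighbouring lines use eight, seven, seven and four spaces respectively.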
@@ -35691,10 +35728,10 @@ index ca07a87..6ea129c 100644
 +
  /usr/sbin/iodined	--	gen_context(system_u:object_r:iodined_exec_t,s0)
 diff --git a/iodine.if b/iodine.if
-index a0bfbd0..a3b02e6 100644
+index a0bfbd0..8dc7c3e 100644
 --- a/iodine.if
 +++ b/iodine.if
-@@ -2,6 +2,49 @@
+@@ -2,6 +2,50 @@
  
  ########################################
  ## <summary>
@@ -35732,6 +35769,7 @@ index a0bfbd0..a3b02e6 100644
 +    ')
 +
 +        systemd_exec_systemctl($1)
++	init_reload_services($1)
 +        systemd_read_fifo_file_passwd_run($1)
 +        allow $1 iodined_unit_file_t:file read_file_perms;
 +        allow $1 iodined_unit_file_t:service manage_service_perms;
@@ -36370,7 +36408,7 @@ index 08b7560..417e630 100644
 +/usr/lib/systemd/system/((iscsi)|(iscsid)|(iscsiuio))\.service	--	gen_context(system_u:object_r:iscsi_unit_file_t,s0)
 +/usr/lib/systemd/system/((iscsid)|(iscsiuio))\.socket	--	gen_context(system_u:object_r:iscsi_unit_file_t,s0)
 diff --git a/iscsi.if b/iscsi.if
-index 1a35420..a7e1562 100644
+index 1a35420..9fe1e87 100644
 --- a/iscsi.if
 +++ b/iscsi.if
 @@ -22,6 +22,27 @@ interface(`iscsid_domtrans',`
@@ -36401,7 +36439,7 @@ index 1a35420..a7e1562 100644
  ##	iscsid sempaphores.
  ## </summary>
  ## <param name="domain">
-@@ -80,17 +101,53 @@ interface(`iscsi_read_lib_files',`
+@@ -80,17 +101,54 @@ interface(`iscsi_read_lib_files',`
  
  ########################################
  ## <summary>
@@ -36442,6 +36480,7 @@ index 1a35420..a7e1562 100644
 +       ')
 +
 +       systemd_exec_systemctl($1)
++	init_reload_services($1)
 +       allow $1 iscsi_unit_file_t:file read_file_perms;
 +       allow $1 iscsi_unit_file_t:service manage_service_perms;
 +
@@ -36460,7 +36499,7 @@ index 1a35420..a7e1562 100644
  ##	</summary>
  ## </param>
  ## <rolecap/>
-@@ -99,16 +156,15 @@ interface(`iscsi_admin',`
+@@ -99,16 +157,16 @@ interface(`iscsi_admin',`
  	gen_require(`
  		type iscsid_t, iscsi_lock_t, iscsi_log_t;
  		type iscsi_var_lib_t, iscsi_var_run_t, iscsi_tmp_t;
@@ -36476,6 +36515,7 @@ index 1a35420..a7e1562 100644
 -	role_transition $2 iscsi_initrc_exec_t system_r;
 -	allow $2 system_r;
 +	systemd_exec_systemctl($1)
++	init_reload_services($1)
 +	allow $1 iscsi_unit_file_t:file manage_file_perms;
 +	allow $1 iscsi_unit_file_t:service manage_service_perms;
  
@@ -37859,7 +37899,7 @@ index a49ae4e..0c0e987 100644
 +
 +/var/lock/kdump(/.*)?   gen_context(system_u:object_r:kdump_lock_t,s0)
 diff --git a/kdump.if b/kdump.if
-index 3a00b3a..6043fd6 100644
+index 3a00b3a..160c575 100644
 --- a/kdump.if
 +++ b/kdump.if
 @@ -1,4 +1,4 @@
@@ -37895,7 +37935,7 @@ index 3a00b3a..6043fd6 100644
  #######################################
  ## <summary>
  ##	Execute kdump in the kdump domain.
-@@ -37,9 +57,33 @@ interface(`kdump_initrc_domtrans',`
+@@ -37,9 +57,34 @@ interface(`kdump_initrc_domtrans',`
  	init_labeled_script_domtrans($1, kdump_initrc_exec_t)
  ')
  
@@ -37916,6 +37956,7 @@ index 3a00b3a..6043fd6 100644
 +	')
 +
 +	systemd_exec_systemctl($1)
++	init_reload_services($1)
 +	systemd_search_unit_dirs($1)
 +	allow $1 kdump_unit_file_t:file read_file_perms;
 +	allow $1 kdump_unit_file_t:service all_service_perms;
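Review bot: The context line `allow $1 kdump_unit_file_t:service all_service_perms;` gives callers of the kdump systemctl interface what is, by its name, a wider set of service permissions than the `manage_service_perms` used by the other systemctl interfaces touched in this commit, and the new init reload call is now added on top of it. If nothing depends on the extra permissions, bring it in line with the others: `+	allow $1 kdump_unit_file_t:service manage_service_perms;`. If the difference is deliberate, a one-line comment naming the extra permission kdump callers need would keep it from being silently narrowed or copied elsewhere. The interface body continues outside the hunk.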
@@ -37930,7 +37971,7 @@ index 3a00b3a..6043fd6 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -56,10 +100,67 @@ interface(`kdump_read_config',`
+@@ -56,10 +101,67 @@ interface(`kdump_read_config',`
  	allow $1 kdump_etc_t:file read_file_perms;
  ')
  
@@ -38000,7 +38041,7 @@ index 3a00b3a..6043fd6 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -76,10 +177,88 @@ interface(`kdump_manage_config',`
+@@ -76,10 +178,88 @@ interface(`kdump_manage_config',`
  	allow $1 kdump_etc_t:file manage_file_perms;
  ')
  
@@ -38091,7 +38132,7 @@ index 3a00b3a..6043fd6 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -88,19 +267,24 @@ interface(`kdump_manage_config',`
+@@ -88,19 +268,24 @@ interface(`kdump_manage_config',`
  ## </param>
  ## <param name="role">
  ##	<summary>
@@ -38121,7 +38162,7 @@ index 3a00b3a..6043fd6 100644
  
  	init_labeled_script_domtrans($1, kdump_initrc_exec_t)
  	domain_system_change_exemption($1)
-@@ -110,6 +294,10 @@ interface(`kdump_admin',`
+@@ -110,6 +295,10 @@ interface(`kdump_admin',`
  	files_search_etc($1)
  	admin_pattern($1, kdump_etc_t)
  
@@ -38475,10 +38516,10 @@ index 0000000..9a19f91
 +/var/run/keepalived.*		--	gen_context(system_u:object_r:keepalived_var_run_t,s0)
 diff --git a/keepalived.if b/keepalived.if
 new file mode 100644
-index 0000000..0d61849
+index 0000000..f0e0e3a
 --- /dev/null
 +++ b/keepalived.if
-@@ -0,0 +1,84 @@
+@@ -0,0 +1,85 @@
 +
 +## <summary> keepalived - load-balancing and high-availability service</summary>
 +
@@ -38517,6 +38558,7 @@ index 0000000..0d61849
 +	')
 +
 +	systemd_exec_systemctl($1)
++	init_reload_services($1)
 +    systemd_read_fifo_file_passwd_run($1)
 +	allow $1 keepalived_unit_file_t:file read_file_perms;
 +	allow $1 keepalived_unit_file_t:service manage_service_perms;
@@ -39944,10 +39986,10 @@ index b273d80..9b6e9bd 100644
 +
 +/var/run/keystone(/.*)?	gen_context(system_u:object_r:keystone_var_run_t,s0)
 diff --git a/keystone.if b/keystone.if
-index e88fb16..f20248c 100644
+index e88fb16..ec6121a 100644
 --- a/keystone.if
 +++ b/keystone.if
-@@ -1,42 +1,218 @@
+@@ -1,42 +1,219 @@
 -## <summary>Python implementation of the OpenStack identity service API.</summary>
 +
 +## <summary>policy for keystone</summary>
@@ -40127,6 +40169,7 @@ index e88fb16..f20248c 100644
 +	')
 +
 +	systemd_exec_systemctl($1)
++	init_reload_services($1)
 +	systemd_read_fifo_file_passwd_run($1)
 +	allow $1 keystone_unit_file_t:file read_file_perms;
 +	allow $1 keystone_unit_file_t:service manage_service_perms;
@@ -40348,10 +40391,10 @@ index 0000000..ccd29c0
 +/etc/kmscon(/.*)?                                      gen_context(system_u:object_r:kmscon_conf_t,s0)
 diff --git a/kmscon.if b/kmscon.if
 new file mode 100644
-index 0000000..ab52e25
+index 0000000..b9347fa
 --- /dev/null
 +++ b/kmscon.if
-@@ -0,0 +1,24 @@
+@@ -0,0 +1,25 @@
 +## <summary>Terminal emulator for Linux graphical console</summary>
 +
 +########################################
@@ -40371,6 +40414,7 @@ index 0000000..ab52e25
 +       ')
 +
 +       systemd_exec_systemctl($1)
++	init_reload_services($1)
 +       allow $1 kmscon_unit_file_t:file read_file_perms;
 +       allow $1 kmscon_unit_file_t:service manage_service_perms;
 +
@@ -40481,10 +40525,10 @@ index e736c45..4b1e1e4 100644
  
  /var/log/ksmtuned.*	gen_context(system_u:object_r:ksmtuned_log_t,s0)
 diff --git a/ksmtuned.if b/ksmtuned.if
-index 93a64bc..3ac0b8b 100644
+index 93a64bc..af6d741 100644
 --- a/ksmtuned.if
 +++ b/ksmtuned.if
-@@ -38,6 +38,29 @@ interface(`ksmtuned_initrc_domtrans',`
+@@ -38,6 +38,30 @@ interface(`ksmtuned_initrc_domtrans',`
  	init_labeled_script_domtrans($1, ksmtuned_initrc_exec_t)
  ')
  
@@ -40505,6 +40549,7 @@ index 93a64bc..3ac0b8b 100644
 +    ')
 +
 +    systemd_exec_systemctl($1)
++	init_reload_services($1)
 +    allow $1 ksmtuned_unit_file_t:file read_file_perms;
 +    allow $1 ksmtuned_unit_file_t:service manage_service_perms;
 +
@@ -40514,7 +40559,7 @@ index 93a64bc..3ac0b8b 100644
  ########################################
  ## <summary>
  ##	All of the rules required to
-@@ -48,30 +71,28 @@ interface(`ksmtuned_initrc_domtrans',`
+@@ -48,30 +72,28 @@ interface(`ksmtuned_initrc_domtrans',`
  ##	Domain allowed access.
  ##	</summary>
  ## </param>
@@ -40620,10 +40665,10 @@ index 38ecb07..451067e 100644
  
  /usr/sbin/in\.talkd	--	gen_context(system_u:object_r:ktalkd_exec_t,s0)
 diff --git a/ktalk.if b/ktalk.if
-index 19777b8..55d1556 100644
+index 19777b8..cd721fd 100644
 --- a/ktalk.if
 +++ b/ktalk.if
-@@ -1 +1,76 @@
+@@ -1 +1,77 @@
 -## <summary>KDE Talk daemon.</summary>
 +
 +## <summary>talk-server - daemon programs for the Internet talk </summary>
@@ -40663,6 +40708,7 @@ index 19777b8..55d1556 100644
 +	')
 +
 +	systemd_exec_systemctl($1)
++	init_reload_services($1)
 +    systemd_read_fifo_file_passwd_run($1)
 +	allow $1 ktalkd_unit_file_t:file read_file_perms;
 +	allow $1 ktalkd_unit_file_t:service manage_service_perms;
@@ -41340,10 +41386,10 @@ index b7e5679..c93db33 100644
 +/var/run/slapd\.args    --      gen_context(system_u:object_r:slapd_var_run_t,s0)
 +/var/run/slapd\.pid     --      gen_context(system_u:object_r:slapd_var_run_t,s0)
 diff --git a/ldap.if b/ldap.if
-index 3602712..fc7b071 100644
+index 3602712..af83a5b 100644
 --- a/ldap.if
 +++ b/ldap.if
-@@ -1,8 +1,68 @@
+@@ -1,8 +1,69 @@
 -## <summary>OpenLDAP directory server.</summary>
 +## <summary>OpenLDAP directory server</summary>
 +
@@ -41400,6 +41446,7 @@ index 3602712..fc7b071 100644
 +	')
 +
 +	systemd_exec_systemctl($1)
++	init_reload_services($1)
 +	allow $1 slapd_unit_file_t:file read_file_perms;
 +	allow $1 slapd_unit_file_t:service manage_service_perms;
 +
@@ -41414,7 +41461,7 @@ index 3602712..fc7b071 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -15,13 +75,31 @@ interface(`ldap_list_db',`
+@@ -15,13 +76,31 @@ interface(`ldap_list_db',`
  		type slapd_db_t;
  	')
  
@@ -41448,7 +41495,7 @@ index 3602712..fc7b071 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -41,22 +119,29 @@ interface(`ldap_read_config',`
+@@ -41,22 +120,29 @@ interface(`ldap_read_config',`
  
  ########################################
  ## <summary>
@@ -41483,7 +41530,7 @@ index 3602712..fc7b071 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -64,18 +149,13 @@ interface(`ldap_use',`
+@@ -64,18 +150,13 @@ interface(`ldap_use',`
  ##	</summary>
  ## </param>
  #
@@ -41505,7 +41552,7 @@ index 3602712..fc7b071 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -83,21 +163,19 @@ interface(`ldap_stream_connect',`
+@@ -83,21 +164,19 @@ interface(`ldap_stream_connect',`
  ##	</summary>
  ## </param>
  #
@@ -41533,7 +41580,7 @@ index 3602712..fc7b071 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -106,7 +184,7 @@ interface(`ldap_tcp_connect',`
+@@ -106,7 +185,7 @@ interface(`ldap_tcp_connect',`
  ## </param>
  ## <param name="role">
  ##	<summary>
@@ -41542,7 +41589,7 @@ index 3602712..fc7b071 100644
  ##	</summary>
  ## </param>
  ## <rolecap/>
-@@ -117,11 +195,16 @@ interface(`ldap_admin',`
+@@ -117,11 +196,16 @@ interface(`ldap_admin',`
  		type slapd_lock_t, slapd_etc_t, slapd_var_run_t;
  		type slapd_initrc_exec_t, slapd_log_t, slapd_cert_t;
  		type slapd_db_t, slapd_keytab_t;
@@ -41560,7 +41607,7 @@ index 3602712..fc7b071 100644
  	init_labeled_script_domtrans($1, slapd_initrc_exec_t)
  	domain_system_change_exemption($1)
  	role_transition $2 slapd_initrc_exec_t system_r;
-@@ -130,13 +213,9 @@ interface(`ldap_admin',`
+@@ -130,13 +214,9 @@ interface(`ldap_admin',`
  	files_list_etc($1)
  	admin_pattern($1, { slapd_etc_t slapd_db_t slapd_cert_t slapd_keytab_t })
  
@@ -41575,7 +41622,7 @@ index 3602712..fc7b071 100644
  	admin_pattern($1, slapd_replog_t)
  
  	files_list_tmp($1)
-@@ -144,4 +223,8 @@ interface(`ldap_admin',`
+@@ -144,4 +224,8 @@ interface(`ldap_admin',`
  
  	files_list_pids($1)
  	admin_pattern($1, slapd_var_run_t)
@@ -43344,10 +43391,10 @@ index c455730..6e14667 100644
 +
  /var/run/lsm(/.*)?	gen_context(system_u:object_r:lsmd_var_run_t,s0)
 diff --git a/lsm.if b/lsm.if
-index d314333..da30c5d 100644
+index d314333..27ede09 100644
 --- a/lsm.if
 +++ b/lsm.if
-@@ -1,25 +1,85 @@
+@@ -1,25 +1,86 @@
 -## <summary>Storage array management library.</summary>
 +
 +## <summary>libStorageMgmt  plug-in  daemon </summary>
@@ -43409,6 +43456,7 @@ index d314333..da30c5d 100644
 +	')
 +
 +	systemd_exec_systemctl($1)
++	init_reload_services($1)
 +    systemd_read_fifo_file_passwd_run($1)
 +	allow $1 lsmd_unit_file_t:file read_file_perms;
 +	allow $1 lsmd_unit_file_t:service manage_service_perms;
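Review bot: The added `init_reload_services($1)` in the lsm.if systemctl interface is not scoped to `lsmd_unit_file_t` the way the two `allow` rules after it are. Its definition is not part of this patch, but by its name it is presumably a manager-wide reload request to init rather than a per-unit permission, so every domain that calls this interface would pick it up. The same line is added to each systemctl interface in the hunks that follow (mip6d, modemmanager, motion, mysql, networkmanager, ninfod, nis and the rest), which widens the grant with every caller of those interfaces. I would state that in each interface's header, for example `##	Also lets the caller ask init to reload its unit files (init_reload_services).`, and confirm per caller that the permission is actually needed. The interface body starts and ends outside this hunk.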
@@ -43439,7 +43487,7 @@ index d314333..da30c5d 100644
  	')
  
  	allow $1 lsmd_t:process { ptrace signal_perms };
-@@ -27,4 +87,13 @@ interface(`lsmd_admin',`
+@@ -27,4 +88,13 @@ interface(`lsmd_admin',`
  
  	files_search_pids($1)
  	admin_pattern($1, lsmd_var_run_t)
@@ -45496,10 +45544,10 @@ index 0000000..767bbad
 +/usr/sbin/mip6d		--	gen_context(system_u:object_r:mip6d_exec_t,s0)
 diff --git a/mip6d.if b/mip6d.if
 new file mode 100644
-index 0000000..8169129
+index 0000000..861b486
 --- /dev/null
 +++ b/mip6d.if
-@@ -0,0 +1,79 @@
+@@ -0,0 +1,80 @@
 +
 +## <summary>Mobile IPv6 and NEMO Basic Support implementation</summary>
 +
@@ -45538,6 +45586,7 @@ index 0000000..8169129
 +	')
 +
 +	systemd_exec_systemctl($1)
++	init_reload_services($1)
 +    systemd_read_fifo_file_passwd_run($1)
 +	allow $1 mip6d_unit_file_t:file read_file_perms;
 +	allow $1 mip6d_unit_file_t:service manage_service_perms;
@@ -46563,10 +46612,10 @@ index a83894c..481dca3 100644
 +
 +/usr/lib/systemd/system/ModemManager.service		--	gen_context(system_u:object_r:modemmanager_unit_file_t,s0)
 diff --git a/modemmanager.if b/modemmanager.if
-index b1ac8b5..9b22bea 100644
+index b1ac8b5..24782b3 100644
 --- a/modemmanager.if
 +++ b/modemmanager.if
-@@ -21,6 +21,30 @@ interface(`modemmanager_domtrans',`
+@@ -21,6 +21,31 @@ interface(`modemmanager_domtrans',`
  
  ########################################
  ## <summary>
@@ -46585,6 +46634,7 @@ index b1ac8b5..9b22bea 100644
 +	')
 +
 +	systemd_exec_systemctl($1)
++	init_reload_services($1)
 +    systemd_read_fifo_file_passwd_run($1)
 +	allow $1 modemmanager_unit_file_t:file read_file_perms;
 +	allow $1 modemmanager_unit_file_t:service manage_service_perms;
@@ -46597,7 +46647,7 @@ index b1ac8b5..9b22bea 100644
  ##	Send and receive messages from
  ##	modemmanager over dbus.
  ## </summary>
-@@ -39,3 +63,33 @@ interface(`modemmanager_dbus_chat',`
+@@ -39,3 +64,33 @@ interface(`modemmanager_dbus_chat',`
  	allow $1 modemmanager_t:dbus send_msg;
  	allow modemmanager_t $1:dbus send_msg;
  ')
@@ -47064,10 +47114,10 @@ index 0000000..7415106
 +/var/motion(/.*)?       gen_context(system_u:object_r:motion_data_t,s0)
 diff --git a/motion.if b/motion.if
 new file mode 100644
-index 0000000..39f4a04
+index 0000000..edfd267
 --- /dev/null
 +++ b/motion.if
-@@ -0,0 +1,197 @@
+@@ -0,0 +1,198 @@
 +
 +## <summary>Detect motion using a video4linux device</summary>
 +
@@ -47204,6 +47254,7 @@ index 0000000..39f4a04
 +	')
 +
 +	systemd_exec_systemctl($1)
++	init_reload_services($1)
 +    systemd_read_fifo_file_passwd_run($1)
 +	allow $1 motion_unit_file_t:file read_file_perms;
 +	allow $1 motion_unit_file_t:service manage_service_perms;
@@ -52028,7 +52079,7 @@ index 06f8666..4a315d5 100644
 +/var/run/mysqld(/.*)?		gen_context(system_u:object_r:mysqld_var_run_t,s0)
 +/var/run/mysqld/mysqlmanager.* -- gen_context(system_u:object_r:mysqlmanagerd_var_run_t,s0)
 diff --git a/mysql.if b/mysql.if
-index 687af38..a77dc09 100644
+index 687af38..5381f1b 100644
 --- a/mysql.if
 +++ b/mysql.if
 @@ -1,23 +1,4 @@
@@ -52429,7 +52480,7 @@ index 687af38..a77dc09 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -374,18 +414,22 @@ interface(`mysql_write_log',`
+@@ -374,18 +414,23 @@ interface(`mysql_write_log',`
  ##	</summary>
  ## </param>
  #
@@ -52444,6 +52495,7 @@ index 687af38..a77dc09 100644
 -	corecmd_search_bin($1)
 -	domtrans_pattern($1, mysqld_safe_exec_t, mysqld_safe_t)
 +	systemd_exec_systemctl($1)
++	init_reload_services($1)
 +	allow $1 mysqld_unit_file_t:file read_file_perms;
 +	allow $1 mysqld_unit_file_t:service manage_service_perms;
 +
@@ -52458,7 +52510,7 @@ index 687af38..a77dc09 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -393,39 +437,37 @@ interface(`mysql_domtrans_mysql_safe',`
+@@ -393,39 +438,37 @@ interface(`mysql_domtrans_mysql_safe',`
  ##	</summary>
  ## </param>
  #
@@ -52510,7 +52562,7 @@ index 687af38..a77dc09 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -434,41 +476,52 @@ interface(`mysql_search_pid_files',`
+@@ -434,41 +477,52 @@ interface(`mysql_search_pid_files',`
  ## </param>
  ## <param name="role">
  ##	<summary>
@@ -54547,7 +54599,7 @@ index 94b9734..448a7e8 100644
 +/var/run/wpa_supplicant(/.*)?		gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
  /var/run/wpa_supplicant-global	-s	gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
 diff --git a/networkmanager.if b/networkmanager.if
-index 86dc29d..98fdac1 100644
+index 86dc29d..3eaf32b 100644
 --- a/networkmanager.if
 +++ b/networkmanager.if
 @@ -2,7 +2,7 @@
@@ -54657,7 +54709,7 @@ index 86dc29d..98fdac1 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -104,18 +124,23 @@ interface(`networkmanager_domtrans',`
+@@ -104,18 +124,24 @@ interface(`networkmanager_domtrans',`
  ##	</summary>
  ## </param>
  #
@@ -54671,6 +54723,7 @@ index 86dc29d..98fdac1 100644
  
 -	init_labeled_script_domtrans($1, NetworkManager_initrc_exec_t)
 +	systemd_exec_systemctl($1)
++	init_reload_services($1)
 +	allow $1 NetworkManager_unit_file_t:file read_file_perms;
 +	allow $1 NetworkManager_unit_file_t:service manage_service_perms;
 +
@@ -54685,7 +54738,7 @@ index 86dc29d..98fdac1 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -155,7 +180,29 @@ interface(`networkmanager_read_state',`
+@@ -155,7 +181,29 @@ interface(`networkmanager_read_state',`
  
  ########################################
  ## <summary>
@@ -54716,7 +54769,7 @@ index 86dc29d..98fdac1 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -211,9 +258,28 @@ interface(`networkmanager_read_lib_files',`
+@@ -211,9 +259,28 @@ interface(`networkmanager_read_lib_files',`
  	read_files_pattern($1, NetworkManager_var_lib_t, NetworkManager_var_lib_t)
  ')
  
@@ -54746,7 +54799,7 @@ index 86dc29d..98fdac1 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -221,19 +287,18 @@ interface(`networkmanager_read_lib_files',`
+@@ -221,19 +288,18 @@ interface(`networkmanager_read_lib_files',`
  ##	</summary>
  ## </param>
  #
@@ -54771,7 +54824,7 @@ index 86dc29d..98fdac1 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -241,13 +306,32 @@ interface(`networkmanager_append_log_files',`
+@@ -241,13 +307,32 @@ interface(`networkmanager_append_log_files',`
  ##	</summary>
  ## </param>
  #
@@ -54806,7 +54859,7 @@ index 86dc29d..98fdac1 100644
  ')
  
  ####################################
-@@ -272,14 +356,33 @@ interface(`networkmanager_stream_connect',`
+@@ -272,14 +357,33 @@ interface(`networkmanager_stream_connect',`
  
  ########################################
  ## <summary>
@@ -54842,7 +54895,7 @@ index 86dc29d..98fdac1 100644
  ## <param name="role">
  ##	<summary>
  ##	Role allowed access.
-@@ -287,33 +390,132 @@ interface(`networkmanager_stream_connect',`
+@@ -287,33 +391,132 @@ interface(`networkmanager_stream_connect',`
  ## </param>
  ## <rolecap/>
  #
@@ -55409,10 +55462,10 @@ index 0000000..cc31b9f
 +
 diff --git a/ninfod.if b/ninfod.if
 new file mode 100644
-index 0000000..a7f57d9
+index 0000000..409de8c
 --- /dev/null
 +++ b/ninfod.if
-@@ -0,0 +1,79 @@
+@@ -0,0 +1,80 @@
 +
 +## <summary>Respond to IPv6 Node Information Queries</summary>
 +
@@ -55451,6 +55504,7 @@ index 0000000..a7f57d9
 +	')
 +
 +	systemd_exec_systemctl($1)
++	init_reload_services($1)
 +    systemd_read_fifo_file_passwd_run($1)
 +	allow $1 ninfod_unit_file_t:file read_file_perms;
 +	allow $1 ninfod_unit_file_t:service manage_service_perms;
@@ -55569,7 +55623,7 @@ index 8aa1bfa..cd0e015 100644
 +/usr/lib/systemd/system/yppasswdd.*	--	gen_context(system_u:object_r:nis_unit_file_t,s0)
 +/usr/lib/systemd/system/ypxfrd.*	--	gen_context(system_u:object_r:nis_unit_file_t,s0)
 diff --git a/nis.if b/nis.if
-index 46e55c3..6e4e061 100644
+index 46e55c3..afe399a 100644
 --- a/nis.if
 +++ b/nis.if
 @@ -1,4 +1,4 @@
@@ -55706,7 +55760,7 @@ index 46e55c3..6e4e061 100644
  ')
  
  ########################################
-@@ -355,8 +349,57 @@ interface(`nis_initrc_domtrans_ypbind',`
+@@ -355,8 +349,59 @@ interface(`nis_initrc_domtrans_ypbind',`
  
  ########################################
  ## <summary>
@@ -55727,6 +55781,7 @@ index 46e55c3..6e4e061 100644
 +	')
 +
 +	systemd_exec_systemctl($1)
++	init_reload_services($1)
 +	allow $1 ypbind_unit_file_t:file read_file_perms;
 +	allow $1 ypbind_unit_file_t:service manage_service_perms;
 +
@@ -55750,6 +55805,7 @@ index 46e55c3..6e4e061 100644
 +	')
 +
 +	systemd_exec_systemctl($1)
++	init_reload_services($1)
 +	allow $1 nis_unit_file_t:file read_file_perms;
 +	allow $1 nis_unit_file_t:service manage_service_perms;
 +
@@ -55766,7 +55822,7 @@ index 46e55c3..6e4e061 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -372,32 +415,56 @@ interface(`nis_initrc_domtrans_ypbind',`
+@@ -372,32 +417,56 @@ interface(`nis_initrc_domtrans_ypbind',`
  #
  interface(`nis_admin',`
  	gen_require(`
@@ -56616,7 +56672,7 @@ index ba64485..429bd79 100644
 +
 +/usr/lib/systemd/system/nscd\.service -- gen_context(system_u:object_r:nscd_unit_file_t,s0)
 diff --git a/nscd.if b/nscd.if
-index 8f2ab09..bc2c7fe 100644
+index 8f2ab09..cd5d344 100644
 --- a/nscd.if
 +++ b/nscd.if
 @@ -1,8 +1,8 @@
@@ -56845,7 +56901,7 @@ index 8f2ab09..bc2c7fe 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -275,8 +296,31 @@ interface(`nscd_initrc_domtrans',`
+@@ -275,8 +296,32 @@ interface(`nscd_initrc_domtrans',`
  
  ########################################
  ## <summary>
@@ -56866,6 +56922,7 @@ index 8f2ab09..bc2c7fe 100644
 +	')
 +
 +	systemd_exec_systemctl($1)
++	init_reload_services($1)
 +	allow $1 nscd_unit_file_t:file read_file_perms;
 +	allow $1 nscd_unit_file_t:service manage_service_perms;
 +
@@ -56879,7 +56936,7 @@ index 8f2ab09..bc2c7fe 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -285,7 +329,7 @@ interface(`nscd_initrc_domtrans',`
+@@ -285,7 +330,7 @@ interface(`nscd_initrc_domtrans',`
  ## </param>
  ## <param name="role">
  ##	<summary>
@@ -56888,7 +56945,7 @@ index 8f2ab09..bc2c7fe 100644
  ##	</summary>
  ## </param>
  ## <rolecap/>
-@@ -294,10 +338,14 @@ interface(`nscd_admin',`
+@@ -294,10 +339,14 @@ interface(`nscd_admin',`
  	gen_require(`
  		type nscd_t, nscd_log_t, nscd_var_run_t;
  		type nscd_initrc_exec_t;
@@ -56904,7 +56961,7 @@ index 8f2ab09..bc2c7fe 100644
  
  	init_labeled_script_domtrans($1, nscd_initrc_exec_t)
  	domain_system_change_exemption($1)
-@@ -310,5 +358,7 @@ interface(`nscd_admin',`
+@@ -310,5 +359,7 @@ interface(`nscd_admin',`
  	files_list_pids($1)
  	admin_pattern($1, nscd_var_run_t)
  
@@ -58443,7 +58500,7 @@ index af3c91e..2d41c4c 100644
  
  /var/log/ntp.*	--	gen_context(system_u:object_r:ntpd_log_t,s0)
 diff --git a/ntp.if b/ntp.if
-index e96a309..2bacc3f 100644
+index e96a309..ef6081b 100644
 --- a/ntp.if
 +++ b/ntp.if
 @@ -1,4 +1,4 @@
@@ -58492,7 +58549,7 @@ index e96a309..2bacc3f 100644
  ')
  
  ########################################
-@@ -98,6 +117,48 @@ interface(`ntp_initrc_domtrans',`
+@@ -98,6 +117,49 @@ interface(`ntp_initrc_domtrans',`
  	init_labeled_script_domtrans($1, ntpd_initrc_exec_t)
  ')
  
@@ -58532,6 +58589,7 @@ index e96a309..2bacc3f 100644
 +	')
 +
 +	systemd_exec_systemctl($1)
++	init_reload_services($1)
 +	allow $1 ntpd_unit_file_t:file read_file_perms;
 +	allow $1 ntpd_unit_file_t:service manage_service_perms;
 +
@@ -58541,7 +58599,7 @@ index e96a309..2bacc3f 100644
  ########################################
  ## <summary>
  ##	Read ntp drift files.
-@@ -141,8 +202,27 @@ interface(`ntp_rw_shm',`
+@@ -141,8 +203,27 @@ interface(`ntp_rw_shm',`
  
  ########################################
  ## <summary>
@@ -58571,7 +58629,7 @@ index e96a309..2bacc3f 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -151,28 +231,32 @@ interface(`ntp_rw_shm',`
+@@ -151,28 +232,32 @@ interface(`ntp_rw_shm',`
  ## </param>
  ## <param name="role">
  ##	<summary>
@@ -58610,7 +58668,7 @@ index e96a309..2bacc3f 100644
  
  	logging_list_logs($1)
  	admin_pattern($1, ntpd_log_t)
-@@ -186,5 +270,30 @@ interface(`ntp_admin',`
+@@ -186,5 +271,30 @@ interface(`ntp_admin',`
  	files_list_pids($1)
  	admin_pattern($1, ntpd_var_run_t)
  
@@ -58743,10 +58801,10 @@ index 3488bb0..1f97624 100644
 -/var/run/numad\.pid	--	gen_context(system_u:object_r:numad_var_run_t,s0)
 +/var/run/numad\.pid      --  gen_context(system_u:object_r:numad_var_run_t,s0)
 diff --git a/numad.if b/numad.if
-index 0d3c270..260275b 100644
+index 0d3c270..f307835 100644
 --- a/numad.if
 +++ b/numad.if
-@@ -1,39 +1,92 @@
+@@ -1,39 +1,93 @@
 -## <summary>Non-Uniform Memory Alignment Daemon.</summary>
 +
 +## <summary>policy for numad</summary>
@@ -58786,6 +58844,7 @@ index 0d3c270..260275b 100644
 +	')
 +
 +	systemd_exec_systemctl($1)
++	init_reload_services($1)
 +	systemd_read_fifo_file_passwd_run($1)
 +	allow $1 numad_unit_file_t:file read_file_perms;
 +	allow $1 numad_unit_file_t:service all_service_perms;
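Review bot: `numad_unit_file_t:service` is granted `all_service_perms` here, whereas the other systemctl interfaces visible in this patch use `manage_service_perms`. The line is unchanged context in this commit, but with `init_reload_services($1)` now added above it, this interface looks like the widest of the set, assuming `all_service_perms` is a superset. Unless callers of the numad interface need the extra service permissions, I would align it with its siblings: `allow $1 numad_unit_file_t:service manage_service_perms;`. The interface body extends beyond this hunk.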
@@ -58954,10 +59013,10 @@ index 379af96..fac7d7b 100644
 +/var/www/nut-cgi-bin/upsset\.cgi -- gen_context(system_u:object_r:nutups_cgi_script_exec_t,s0)
 +/var/www/nut-cgi-bin/upsstats\.cgi -- gen_context(system_u:object_r:nutups_cgi_script_exec_t,s0)
 diff --git a/nut.if b/nut.if
-index 57c0161..4534676 100644
+index 57c0161..c554eb6 100644
 --- a/nut.if
 +++ b/nut.if
-@@ -1,39 +1,59 @@
+@@ -1,39 +1,60 @@
 -## <summary>Network UPS Tools </summary>
 +## <summary>nut - Network UPS Tools </summary>
  
@@ -59036,6 +59095,7 @@ index 57c0161..4534676 100644
 -	files_search_etc($1)
 -	admin_pattern($1, nut_conf_t)
 +	systemd_exec_systemctl($1)
++	init_reload_services($1)
 +    allow $1 nut_unit_file_t:file read_file_perms;
 +    allow $1 nut_unit_file_t:service manage_service_perms;
  
@@ -59580,7 +59640,7 @@ index dd1d9ef..fbbe3ff 100644
 -/var/run/oddjobd\.pid	gen_context(system_u:object_r:oddjob_var_run_t,s0)
 +/var/run/oddjobd\.pid			gen_context(system_u:object_r:oddjob_var_run_t,s0)
 diff --git a/oddjob.if b/oddjob.if
-index c87bd2a..7de054a 100644
+index c87bd2a..4c17c99 100644
 --- a/oddjob.if
 +++ b/oddjob.if
 @@ -1,4 +1,8 @@
@@ -59692,7 +59752,7 @@ index c87bd2a..7de054a 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -105,46 +141,70 @@ interface(`oddjob_domtrans_mkhomedir',`
+@@ -105,46 +141,71 @@ interface(`oddjob_domtrans_mkhomedir',`
  #
  interface(`oddjob_run_mkhomedir',`
  	gen_require(`
@@ -59732,6 +59792,7 @@ index c87bd2a..7de054a 100644
 +    ')
 +
 +    systemd_exec_systemctl($1)
++	init_reload_services($1)
 +    allow $1 oddjob_unit_file_t:file read_file_perms;
 +    allow $1 oddjob_unit_file_t:service manage_service_perms;
  
@@ -61610,10 +61671,10 @@ index 0000000..51650fa
 +/var/log/opensm\.log.*  	--	gen_context(system_u:object_r:opensm_log_t,s0)
 diff --git a/opensm.if b/opensm.if
 new file mode 100644
-index 0000000..776fda7
+index 0000000..45de664
 --- /dev/null
 +++ b/opensm.if
-@@ -0,0 +1,223 @@
+@@ -0,0 +1,224 @@
 +
 +## <summary>Opensm is an InfiniBand compliant Subnet Manager and Administration, and runs on top of OpenIB</summary>
 +
@@ -61788,6 +61849,7 @@ index 0000000..776fda7
 +	')
 +
 +	systemd_exec_systemctl($1)
++	init_reload_services($1)
 +    systemd_read_fifo_file_passwd_run($1)
 +	allow $1 opensm_unit_file_t:file read_file_perms;
 +	allow $1 opensm_unit_file_t:service manage_service_perms;
@@ -62182,7 +62244,7 @@ index 45d7cc5..c5b9607 100644
 -/var/run/openvswitch(/.*)?	gen_context(system_u:object_r:openvswitch_var_run_t,s0)
 +/etc/openvswitch(/.*)?		gen_context(system_u:object_r:openvswitch_rw_t,s0)
 diff --git a/openvswitch.if b/openvswitch.if
-index 9b15730..eedd136 100644
+index 9b15730..cb00f20 100644
 --- a/openvswitch.if
 +++ b/openvswitch.if
 @@ -1,13 +1,14 @@
@@ -62351,7 +62413,7 @@ index 9b15730..eedd136 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -40,44 +176,86 @@ interface(`openvswitch_read_pid_files',`
+@@ -40,44 +176,87 @@ interface(`openvswitch_read_pid_files',`
  
  ########################################
  ## <summary>
@@ -62393,6 +62455,7 @@ index 9b15730..eedd136 100644
 +	')
 +
 +	systemd_exec_systemctl($1)
++	init_reload_services($1)
 +	allow $1 openvswitch_unit_file_t:file read_file_perms;
 +	allow $1 openvswitch_unit_file_t:service manage_service_perms;
 +
@@ -62585,10 +62648,10 @@ index 0000000..00d0643
 +/var/run/wsmand.*	--	gen_context(system_u:object_r:openwsman_run_t,s0)
 diff --git a/openwsman.if b/openwsman.if
 new file mode 100644
-index 0000000..42ed4ba
+index 0000000..747853a
 --- /dev/null
 +++ b/openwsman.if
-@@ -0,0 +1,78 @@
+@@ -0,0 +1,79 @@
 +## <summary>WS-Management Server</summary>
 +
 +########################################
@@ -62626,6 +62689,7 @@ index 0000000..42ed4ba
 +	')
 +
 +	systemd_exec_systemctl($1)
++	init_reload_services($1)
 +    systemd_read_fifo_file_passwd_run($1)
 +	allow $1 openwsman_unit_file_t:file read_file_perms;
 +	allow $1 openwsman_unit_file_t:service manage_service_perms;
@@ -63130,10 +63194,10 @@ index 2f0ad56..d4da0b8 100644
  
  /var/lib/heartbeat/crm(/.*)?	gen_context(system_u:object_r:pacemaker_var_lib_t,s0)
 diff --git a/pacemaker.if b/pacemaker.if
-index 9682d9a..d47f913 100644
+index 9682d9a..f1f421f 100644
 --- a/pacemaker.if
 +++ b/pacemaker.if
-@@ -1,9 +1,166 @@
+@@ -1,9 +1,167 @@
 -## <summary>A scalable high-availability cluster resource manager.</summary>
 +## <summary>>A scalable high-availability cluster resource manager.</summary>
  
@@ -63288,6 +63352,7 @@ index 9682d9a..d47f913 100644
 +	')
 +
 +	systemd_exec_systemctl($1)
++	init_reload_services($1)
 +	systemd_read_fifo_file_passwd_run($1)
 +	allow $1 pacemaker_unit_file_t:file read_file_perms;
 +	allow $1 pacemaker_unit_file_t:service manage_service_perms;
@@ -63303,7 +63368,7 @@ index 9682d9a..d47f913 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -19,14 +176,17 @@
+@@ -19,14 +177,17 @@
  #
  interface(`pacemaker_admin',`
  	gen_require(`
@@ -63323,7 +63388,7 @@ index 9682d9a..d47f913 100644
  	domain_system_change_exemption($1)
  	role_transition $2 pacemaker_initrc_exec_t system_r;
  	allow $2 system_r;
-@@ -36,4 +196,13 @@ interface(`pacemaker_admin',`
+@@ -36,4 +197,13 @@ interface(`pacemaker_admin',`
  
  	files_search_pids($1)
  	admin_pattern($1, pacemaker_var_run_t)
@@ -65035,10 +65100,10 @@ index 0000000..7b54c39
 +/var/run/pesign\.pid    --  gen_context(system_u:object_r:pesign_var_run_t,s0)
 diff --git a/pesign.if b/pesign.if
 new file mode 100644
-index 0000000..abd5dd8
+index 0000000..4d531cb
 --- /dev/null
 +++ b/pesign.if
-@@ -0,0 +1,98 @@
+@@ -0,0 +1,99 @@
 +
 +## <summary>pesign utility for signing UEFI binaries as well as other associated tools</summary>
 +
@@ -65096,6 +65161,7 @@ index 0000000..abd5dd8
 +	')
 +
 +	systemd_exec_systemctl($1)
++	init_reload_services($1)
 +    systemd_read_fifo_file_passwd_run($1)
 +	allow $1 pesign_unit_file_t:file read_file_perms;
 +	allow $1 pesign_unit_file_t:service manage_service_perms;
@@ -67629,7 +67695,7 @@ index d35614b..11f77ee 100644
 -/var/run/polipo(/.*)?	gen_context(system_u:object_r:polipo_var_run_t,s0)
 +/var/run/polipo(/.*)?	gen_context(system_u:object_r:polipo_pid_t,s0)
 diff --git a/polipo.if b/polipo.if
-index ae27bb7..d00f6ba 100644
+index ae27bb7..10a7787 100644
 --- a/polipo.if
 +++ b/polipo.if
 @@ -1,8 +1,8 @@
@@ -67680,7 +67746,7 @@ index ae27bb7..d00f6ba 100644
  
  	tunable_policy(`polipo_session_users',`
  		domtrans_pattern($2, polipo_exec_t, polipo_session_t)
-@@ -52,57 +47,129 @@ template(`polipo_role',`
+@@ -52,57 +47,130 @@ template(`polipo_role',`
  
  ########################################
  ## <summary>
@@ -67813,6 +67879,7 @@ index ae27bb7..d00f6ba 100644
 +	')
 +
 +	systemd_exec_systemctl($1)
++	init_reload_services($1)
 +	allow $1 polipo_unit_file_t:file read_file_perms;
 +	allow $1 polipo_unit_file_t:service manage_service_perms;
 +
@@ -67827,7 +67894,7 @@ index ae27bb7..d00f6ba 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -118,27 +185,35 @@ interface(`polipo_log_filetrans_log',`
+@@ -118,27 +186,35 @@ interface(`polipo_log_filetrans_log',`
  #
  interface(`polipo_admin',`
  	gen_require(`
@@ -70409,7 +70476,7 @@ index efcb653..ff2c96a 100644
 +/var/log/ppp-connect-errors.*	--	gen_context(system_u:object_r:pppd_log_t,s0)
 +/var/log/ppp(/.*)?	gen_context(system_u:object_r:pppd_log_t,s0)
 diff --git a/ppp.if b/ppp.if
-index cd8b8b9..6c73980 100644
+index cd8b8b9..2cfa88a 100644
 --- a/ppp.if
 +++ b/ppp.if
 @@ -1,110 +1,91 @@
@@ -70796,7 +70863,7 @@ index cd8b8b9..6c73980 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -461,31 +424,62 @@ interface(`ppp_initrc_domtrans',`
+@@ -461,31 +424,63 @@ interface(`ppp_initrc_domtrans',`
  
  ########################################
  ## <summary>
@@ -70819,6 +70886,7 @@ index cd8b8b9..6c73980 100644
 +	')
 +
 +	systemd_exec_systemctl($1)
++	init_reload_services($1)
 +	allow $1 pppd_unit_file_t:file read_file_perms;
 +	allow $1 pppd_unit_file_t:service manage_service_perms;
 +
@@ -70868,7 +70936,7 @@ index cd8b8b9..6c73980 100644
  
  	ppp_initrc_domtrans($1)
  	domain_system_change_exemption($1)
-@@ -496,14 +490,26 @@ interface(`ppp_admin',`
+@@ -496,14 +491,26 @@ interface(`ppp_admin',`
  	admin_pattern($1, pppd_tmp_t)
  
  	logging_list_logs($1)
@@ -72361,10 +72429,10 @@ index 0000000..96a0d9f
 +/var/run/prosody(/.*)?		gen_context(system_u:object_r:prosody_var_run_t,s0)
 diff --git a/prosody.if b/prosody.if
 new file mode 100644
-index 0000000..19c35c1
+index 0000000..44ed5ad
 --- /dev/null
 +++ b/prosody.if
-@@ -0,0 +1,234 @@
+@@ -0,0 +1,235 @@
 +
 +## <summary>policy for prosody</summary>
 +
@@ -72499,6 +72567,7 @@ index 0000000..19c35c1
 +	')
 +
 +	systemd_exec_systemctl($1)
++	init_reload_services($1)
 +        systemd_read_fifo_file_passwd_run($1)
 +	allow $1 prosody_unit_file_t:file read_file_perms;
 +	allow $1 prosody_unit_file_t:service manage_service_perms;
@@ -76741,10 +76810,10 @@ index 70ab68b..b985b65 100644
 +/var/run/neutron(/.*)?	gen_context(system_u:object_r:neutron_var_run_t,s0)
 +/var/run/quantum(/.*)?	gen_context(system_u:object_r:neutron_var_run_t,s0)
 diff --git a/quantum.if b/quantum.if
-index afc0068..97bbea4 100644
+index afc0068..589a7fd 100644
 --- a/quantum.if
 +++ b/quantum.if
-@@ -2,41 +2,294 @@
+@@ -2,41 +2,295 @@
  
  ########################################
  ## <summary>
@@ -77008,6 +77077,7 @@ index afc0068..97bbea4 100644
 +	')
 +
 +	systemd_exec_systemctl($1)
++	init_reload_services($1)
 +	systemd_read_fifo_file_passwd_run($1)
 +	allow $1 neutron_unit_file_t:file read_file_perms;
 +	allow $1 neutron_unit_file_t:service manage_service_perms;
@@ -77984,10 +78054,10 @@ index d447e85..76ed794 100644
  /var/log/freeradius(/.*)?	gen_context(system_u:object_r:radiusd_log_t,s0)
  /var/log/radacct(/.*)?	gen_context(system_u:object_r:radiusd_log_t,s0)
 diff --git a/radius.if b/radius.if
-index 4460582..60cf556 100644
+index 4460582..4c66c25 100644
 --- a/radius.if
 +++ b/radius.if
-@@ -14,6 +14,29 @@ interface(`radius_use',`
+@@ -14,6 +14,30 @@ interface(`radius_use',`
  	refpolicywarn(`$0($*) has been deprecated.')
  ')
  
@@ -78008,6 +78078,7 @@ index 4460582..60cf556 100644
 +    ')
 +
 +    systemd_exec_systemctl($1)
++	init_reload_services($1)
 +    allow $1 radiusd_unit_file_t:file read_file_perms;
 +    allow $1 radiusd_unit_file_t:service manage_service_perms;
 +
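Review bot: The added `init_reload_services($1)` line is indented with a tab, while the rest of this radius.if interface body (`systemd_exec_systemctl($1)` and both `allow` rules) uses four spaces. The oddjob.if, rdisc.if and rhcs.if hunks show the same mismatch against space-indented neighbours. Using the indentation of the surrounding lines, here `    init_reload_services($1)`, keeps the block aligned at any tab width. The interface starts and ends outside this hunk.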
@@ -78017,7 +78088,7 @@ index 4460582..60cf556 100644
  ########################################
  ## <summary>
  ##	All of the rules required to
-@@ -35,11 +58,14 @@ interface(`radius_admin',`
+@@ -35,11 +59,14 @@ interface(`radius_admin',`
  	gen_require(`
  		type radiusd_t, radiusd_etc_t, radiusd_log_t;
  		type radiusd_etc_rw_t, radiusd_var_lib_t, radiusd_var_run_t;
@@ -78034,7 +78105,7 @@ index 4460582..60cf556 100644
  
  	init_labeled_script_domtrans($1, radiusd_initrc_exec_t)
  	domain_system_change_exemption($1)
-@@ -57,4 +83,9 @@ interface(`radius_admin',`
+@@ -57,4 +84,9 @@ interface(`radius_admin',`
  
  	files_list_pids($1)
  	admin_pattern($1, radiusd_var_run_t)
@@ -78216,7 +78287,7 @@ index 5806046..d83ec27 100644
  
  /var/run/mdadm(/.*)?	gen_context(system_u:object_r:mdadm_var_run_t,s0)
 diff --git a/raid.if b/raid.if
-index 951db7f..c0cabe8 100644
+index 951db7f..04b6dde 100644
 --- a/raid.if
 +++ b/raid.if
 @@ -1,9 +1,8 @@
@@ -78231,7 +78302,7 @@ index 951db7f..c0cabe8 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -22,34 +21,56 @@ interface(`raid_domtrans_mdadm',`
+@@ -22,34 +21,57 @@ interface(`raid_domtrans_mdadm',`
  
  ######################################
  ## <summary>
@@ -78283,6 +78354,7 @@ index 951db7f..c0cabe8 100644
 +	')
 +
 +	systemd_exec_systemctl($1)
++	init_reload_services($1)
 +	allow $1 mdadm_unit_file_t:file read_file_perms;
 +	allow $1 mdadm_unit_file_t:service manage_service_perms;
 +
@@ -78297,7 +78369,7 @@ index 951db7f..c0cabe8 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -57,47 +78,112 @@ interface(`raid_run_mdadm',`
+@@ -57,47 +79,112 @@ interface(`raid_run_mdadm',`
  ##	</summary>
  ## </param>
  #
@@ -78604,10 +78676,10 @@ index 0000000..8e31dd0
 +/var/lib/rasdaemon(/.*)?		gen_context(system_u:object_r:rasdaemon_var_lib_t,s0)
 diff --git a/rasdaemon.if b/rasdaemon.if
 new file mode 100644
-index 0000000..a073efd
+index 0000000..d57006d
 --- /dev/null
 +++ b/rasdaemon.if
-@@ -0,0 +1,156 @@
+@@ -0,0 +1,157 @@
 +
 +## <summary>The rasdaemon program is a daemon with monitors the RAS trace events from /sys/kernel/debug/tracing</summary>
 +
@@ -78723,6 +78795,7 @@ index 0000000..a073efd
 +	')
 +
 +	systemd_exec_systemctl($1)
++	init_reload_services($1)
 +        systemd_read_fifo_file_passwd_run($1)
 +	allow $1 rasdaemon_unit_file_t:file read_file_perms;
 +	allow $1 rasdaemon_unit_file_t:service manage_service_perms;
@@ -79330,10 +79403,10 @@ index e9765c0..ea21331 100644
  
  /usr/sbin/rdisc	--	gen_context(system_u:object_r:rdisc_exec_t,s0)
 diff --git a/rdisc.if b/rdisc.if
-index 170ef52..7dd9193 100644
+index 170ef52..28ccc4a 100644
 --- a/rdisc.if
 +++ b/rdisc.if
-@@ -18,3 +18,57 @@ interface(`rdisc_exec',`
+@@ -18,3 +18,58 @@ interface(`rdisc_exec',`
  	corecmd_search_bin($1)
  	can_exec($1, rdisc_exec_t)
  ')
@@ -79355,6 +79428,7 @@ index 170ef52..7dd9193 100644
 +        ')
 +
 +        systemd_exec_systemctl($1)
++	init_reload_services($1)
 +        systemd_read_fifo_file_passwd_run($1)
 +        allow $1 rdisc_unit_file_t:file read_file_perms;
 +        allow $1 rdisc_unit_file_t:service manage_service_perms;
@@ -79892,10 +79966,10 @@ index e240ac9..638d6b4 100644
 +
 +/var/run/redis(/.*)?		gen_context(system_u:object_r:redis_var_run_t,s0)
 diff --git a/redis.if b/redis.if
-index 16c8ecb..2640ab5 100644
+index 16c8ecb..4e021ec 100644
 --- a/redis.if
 +++ b/redis.if
-@@ -1,9 +1,224 @@
+@@ -1,9 +1,225 @@
 -## <summary>Advanced key-value store.</summary>
 +## <summary>Advanced key-value store</summary>
  
@@ -80109,6 +80183,7 @@ index 16c8ecb..2640ab5 100644
 +	')
 +
 +	systemd_exec_systemctl($1)
++	init_reload_services($1)
 +    systemd_read_fifo_file_passwd_run($1)
 +	allow $1 redis_unit_file_t:file read_file_perms;
 +	allow $1 redis_unit_file_t:service manage_service_perms;
@@ -80123,7 +80198,7 @@ index 16c8ecb..2640ab5 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -20,7 +235,7 @@
+@@ -20,7 +236,7 @@
  interface(`redis_admin',`
  	gen_require(`
  		type redis_t, redis_initrc_exec_t, redis_var_lib_t;
@@ -80132,7 +80207,7 @@ index 16c8ecb..2640ab5 100644
  	')
  
  	allow $1 redis_t:process { ptrace signal_perms };
-@@ -32,11 +247,20 @@ interface(`redis_admin',`
+@@ -32,11 +248,20 @@ interface(`redis_admin',`
  	allow $2 system_r;
  
  	logging_search_logs($1)
@@ -80953,7 +81028,7 @@ index 47de2d6..2c625fb 100644
 +/var/log/cluster/rgmanager\.log.*       --  gen_context(system_u:object_r:cluster_var_log_t,s0)
 +/var/log/pcsd(/.*)?     gen_context(system_u:object_r:cluster_var_log_t,s0)
 diff --git a/rhcs.if b/rhcs.if
-index c8bdea2..57fad67 100644
+index c8bdea2..bf60580 100644
 --- a/rhcs.if
 +++ b/rhcs.if
 @@ -1,19 +1,19 @@
@@ -81385,7 +81460,7 @@ index c8bdea2..57fad67 100644
  ')
  
  ######################################
-@@ -446,52 +556,361 @@ interface(`rhcs_domtrans_qdiskd',`
+@@ -446,52 +556,362 @@ interface(`rhcs_domtrans_qdiskd',`
  
  ########################################
  ## <summary>
@@ -81716,6 +81791,7 @@ index c8bdea2..57fad67 100644
 +    ')
 +
 +    systemd_exec_systemctl($1)
++	init_reload_services($1)
 +    allow $1 cluster_unit_file_t:file read_file_perms;
 +    allow $1 cluster_unit_file_t:service manage_service_perms;
 +
@@ -82740,10 +82816,10 @@ index 0000000..860a91d
 +/etc/sysconfig/rhn(/.*)?		gen_context(system_u:object_r:rhnsd_conf_t,s0)
 diff --git a/rhnsd.if b/rhnsd.if
 new file mode 100644
-index 0000000..4c6fd7a
+index 0000000..a161c70
 --- /dev/null
 +++ b/rhnsd.if
-@@ -0,0 +1,119 @@
+@@ -0,0 +1,120 @@
 +## <summary>policy for rhnsd</summary>
 +
 +########################################
@@ -82800,6 +82876,7 @@ index 0000000..4c6fd7a
 +	')
 +
 +	systemd_exec_systemctl($1)
++	init_reload_services($1)
 +    systemd_read_fifo_file_passwd_run($1)
 +	allow $1 rhnsd_unit_file_t:file read_file_perms;
 +	allow $1 rhnsd_unit_file_t:service manage_service_perms;
@@ -83872,10 +83949,10 @@ index fa19aa8..90eb481 100644
  
  /var/run/rngd\.pid	--	gen_context(system_u:object_r:rngd_var_run_t,s0)
 diff --git a/rngd.if b/rngd.if
-index 13f788f..e01572a 100644
+index 13f788f..10e2033 100644
 --- a/rngd.if
 +++ b/rngd.if
-@@ -2,6 +2,28 @@
+@@ -2,6 +2,29 @@
  
  ########################################
  ## <summary>
@@ -83893,6 +83970,7 @@ index 13f788f..e01572a 100644
 +	')
 +
 +	systemd_exec_systemctl($1)
++	init_reload_services($1)
 +	allow $1 rngd_unit_file_t:file read_file_perms;
 +	allow $1 rngd_unit_file_t:service manage_service_perms;
 +
@@ -83904,7 +83982,7 @@ index 13f788f..e01572a 100644
  ##	All of the rules required to
  ##	administrate an rng environment.
  ## </summary>
-@@ -17,14 +39,18 @@
+@@ -17,14 +40,18 @@
  ## </param>
  ## <rolecap/>
  #
@@ -83926,7 +84004,7 @@ index 13f788f..e01572a 100644
  	init_labeled_script_domtrans($1, rngd_initrc_exec_t)
  	domain_system_change_exemption($1)
  	role_transition $2 rngd_initrc_exec_t system_r;
-@@ -32,4 +58,8 @@ interface(`rngd_admin',`
+@@ -32,4 +59,8 @@ interface(`rngd_admin',`
  
  	files_search_pids($1)
  	admin_pattern($1, rngd_var_run_t)
@@ -83969,10 +84047,10 @@ index 0000000..504b6e1
 +/usr/sbin/roled		--	gen_context(system_u:object_r:rolekit_exec_t,s0)
 diff --git a/rolekit.if b/rolekit.if
 new file mode 100644
-index 0000000..8d833ed
+index 0000000..b694846
 --- /dev/null
 +++ b/rolekit.if
-@@ -0,0 +1,124 @@
+@@ -0,0 +1,125 @@
 +## <summary>Daemon for Linux systems providing a stable D-BUS interface to manage the deployment of Server Roles. </summary>
 +
 +########################################
@@ -84011,6 +84089,7 @@ index 0000000..8d833ed
 +	')
 +
 +	systemd_exec_systemctl($1)
++	init_reload_services($1)
 +    systemd_read_fifo_file_passwd_run($1)
 +	allow $1 rolekit_unit_file_t:file read_file_perms;
 +	allow $1 rolekit_unit_file_t:service manage_service_perms;
@@ -84246,7 +84325,7 @@ index a6fb30c..38a2f09 100644
 +/var/run/rpc\.statd\.pid --	gen_context(system_u:object_r:rpcd_var_run_t,s0)
 +
 diff --git a/rpc.if b/rpc.if
-index 0bf13c2..d59aef7 100644
+index 0bf13c2..1d69728 100644
 --- a/rpc.if
 +++ b/rpc.if
 @@ -1,4 +1,4 @@
@@ -84377,7 +84456,7 @@ index 0bf13c2..d59aef7 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -167,120 +178,126 @@ interface(`rpc_initrc_domtrans_nfsd',`
+@@ -167,120 +178,128 @@ interface(`rpc_initrc_domtrans_nfsd',`
  ##	</summary>
  ## </param>
  #
@@ -84392,6 +84471,7 @@ index 0bf13c2..d59aef7 100644
 -	corecmd_search_bin($1)
 -	domtrans_pattern($1, rpcd_exec_t, rpcd_t)
 +	systemd_exec_systemctl($1)
++	init_reload_services($1)
 +	allow $1 nfsd_unit_file_t:file read_file_perms;
 +	allow $1 nfsd_unit_file_t:service manage_service_perms;
 +
@@ -84534,6 +84614,7 @@ index 0bf13c2..d59aef7 100644
  
 -	allow $1 nfsd_t:tcp_socket rw_socket_perms;
 +	systemd_exec_systemctl($1)
++	init_reload_services($1)
 +	allow $1 rpcd_unit_file_t:file read_file_perms;
 +	allow $1 rpcd_unit_file_t:service manage_service_perms;
 +
@@ -84547,7 +84628,7 @@ index 0bf13c2..d59aef7 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -312,7 +329,7 @@ interface(`rpc_udp_send_nfs',`
+@@ -312,7 +331,7 @@ interface(`rpc_udp_send_nfs',`
  
  ########################################
  ## <summary>
@@ -84556,7 +84637,7 @@ index 0bf13c2..d59aef7 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -326,12 +343,12 @@ interface(`rpc_search_nfs_state_data',`
+@@ -326,12 +345,12 @@ interface(`rpc_search_nfs_state_data',`
  	')
  
  	files_search_var_lib($1)
@@ -84571,7 +84652,7 @@ index 0bf13c2..d59aef7 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -339,19 +356,18 @@ interface(`rpc_search_nfs_state_data',`
+@@ -339,19 +358,18 @@ interface(`rpc_search_nfs_state_data',`
  ##	</summary>
  ## </param>
  #
@@ -84594,7 +84675,7 @@ index 0bf13c2..d59aef7 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -359,34 +375,54 @@ interface(`rpc_read_nfs_state_data',`
+@@ -359,34 +377,54 @@ interface(`rpc_read_nfs_state_data',`
  ##	</summary>
  ## </param>
  #
@@ -85174,10 +85255,10 @@ index 54de77c..cb05fbf 100644
  ifdef(`distro_debian',`
  	term_dontaudit_use_unallocated_ttys(rpcbind_t)
 diff --git a/rpm.fc b/rpm.fc
-index ebe91fc..576ca21 100644
+index ebe91fc..fc8f8ac 100644
 --- a/rpm.fc
 +++ b/rpm.fc
-@@ -1,61 +1,74 @@
+@@ -1,61 +1,75 @@
 -/bin/rpm	--	gen_context(system_u:object_r:rpm_exec_t,s0)
  
 -/etc/rc\.d/init\.d/bcfg2	--	gen_context(system_u:object_r:rpm_initrc_exec_t,s0)
@@ -85261,6 +85342,7 @@ index ebe91fc..576ca21 100644
 +/var/lib/alternatives(/.*)?		gen_context(system_u:object_r:rpm_var_lib_t,s0)
 +/var/lib/PackageKit(/.*)?		gen_context(system_u:object_r:rpm_var_lib_t,s0)
 +/var/lib/rpm(/.*)?			gen_context(system_u:object_r:rpm_var_lib_t,s0)
++/var/lib/rpmrebuilddb.*(/.*)?  gen_context(system_u:object_r:rpm_var_lib_t,s0)
 +/var/lib/yum(/.*)?			gen_context(system_u:object_r:rpm_var_lib_t,s0)
 +/var/lib/dnf(/.*)?			gen_context(system_u:object_r:rpm_var_lib_t,s0)
  
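Review bot: The new rpm.fc entry `/var/lib/rpmrebuilddb.*(/.*)?` matches more than the changelog's "Label /var/lib/rpmrebuilddb/" describes. The unescaped `.*` also matches `/`, so the trailing `(/.*)?` is redundant and any path that merely begins with /var/lib/rpmrebuilddb is labelled rpm_var_lib_t. If the intent is to cover temporary rebuild directories with a dot-and-number suffix (an assumption to confirm against rpm), `/var/lib/rpmrebuilddb(\.[0-9]+)?(/.*)?` would keep the label to those names. The entry also separates path and context with spaces where the neighbouring lines use tabs.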
@@ -87115,10 +87197,10 @@ index 0000000..4552e91
 +
 diff --git a/rtas.if b/rtas.if
 new file mode 100644
-index 0000000..0ec3302
+index 0000000..92cc49d
 --- /dev/null
 +++ b/rtas.if
-@@ -0,0 +1,162 @@
+@@ -0,0 +1,163 @@
 +
 +## <summary>Platform diagnostics report firmware events.</summary>
 +
@@ -87237,6 +87319,7 @@ index 0000000..0ec3302
 +	')
 +
 +	systemd_exec_systemctl($1)
++	init_reload_services($1)
 +    systemd_read_fifo_file_passwd_run($1)
 +	allow $1 rtas_errd_unit_file_t:file read_file_perms;
 +	allow $1 rtas_errd_unit_file_t:service manage_service_perms;
@@ -87640,7 +87723,7 @@ index b8b66ff..a93346e 100644
 +/var/lib/samba/scripts(/.*)?		gen_context(system_u:object_r:samba_unconfined_script_exec_t,s0)
 +')
 diff --git a/samba.if b/samba.if
-index 50d07fb..bada62f 100644
+index 50d07fb..dc069c8 100644
 --- a/samba.if
 +++ b/samba.if
 @@ -1,8 +1,12 @@
@@ -87718,7 +87801,7 @@ index 50d07fb..bada62f 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -77,7 +98,30 @@ interface(`samba_initrc_domtrans',`
+@@ -77,7 +98,31 @@ interface(`samba_initrc_domtrans',`
  
  ########################################
  ## <summary>
@@ -87738,6 +87821,7 @@ index 50d07fb..bada62f 100644
 +	')
 +
 +	systemd_exec_systemctl($1)
++	init_reload_services($1)
 +	allow $1 samba_unit_file_t:file read_file_perms;
 +	allow $1 samba_unit_file_t:service manage_service_perms;
 +
@@ -87750,7 +87834,7 @@ index 50d07fb..bada62f 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -96,9 +140,27 @@ interface(`samba_domtrans_net',`
+@@ -96,9 +141,27 @@ interface(`samba_domtrans_net',`
  
  ########################################
  ## <summary>
@@ -87781,7 +87865,7 @@ index 50d07fb..bada62f 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -114,11 +176,56 @@ interface(`samba_domtrans_net',`
+@@ -114,11 +177,56 @@ interface(`samba_domtrans_net',`
  #
  interface(`samba_run_net',`
  	gen_require(`
@@ -87840,7 +87924,7 @@ index 50d07fb..bada62f 100644
  ')
  
  ########################################
-@@ -142,9 +249,8 @@ interface(`samba_domtrans_smbmount',`
+@@ -142,9 +250,8 @@ interface(`samba_domtrans_smbmount',`
  
  ########################################
  ## <summary>
@@ -87852,7 +87936,7 @@ index 50d07fb..bada62f 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -160,16 +266,17 @@ interface(`samba_domtrans_smbmount',`
+@@ -160,16 +267,17 @@ interface(`samba_domtrans_smbmount',`
  #
  interface(`samba_run_smbmount',`
  	gen_require(`
@@ -87873,7 +87957,7 @@ index 50d07fb..bada62f 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -184,12 +291,14 @@ interface(`samba_read_config',`
+@@ -184,12 +292,14 @@ interface(`samba_read_config',`
  	')
  
  	files_search_etc($1)
@@ -87889,7 +87973,7 @@ index 50d07fb..bada62f 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -209,8 +318,8 @@ interface(`samba_rw_config',`
+@@ -209,8 +319,8 @@ interface(`samba_rw_config',`
  
  ########################################
  ## <summary>
@@ -87900,7 +87984,7 @@ index 50d07fb..bada62f 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -231,7 +340,7 @@ interface(`samba_manage_config',`
+@@ -231,7 +341,7 @@ interface(`samba_manage_config',`
  
  ########################################
  ## <summary>
@@ -87909,7 +87993,7 @@ index 50d07fb..bada62f 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -252,7 +361,7 @@ interface(`samba_read_log',`
+@@ -252,7 +362,7 @@ interface(`samba_read_log',`
  
  ########################################
  ## <summary>
@@ -87918,7 +88002,7 @@ index 50d07fb..bada62f 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -273,7 +382,7 @@ interface(`samba_append_log',`
+@@ -273,7 +383,7 @@ interface(`samba_append_log',`
  
  ########################################
  ## <summary>
@@ -87927,7 +88011,7 @@ index 50d07fb..bada62f 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -292,7 +401,7 @@ interface(`samba_exec_log',`
+@@ -292,7 +402,7 @@ interface(`samba_exec_log',`
  
  ########################################
  ## <summary>
@@ -87936,7 +88020,7 @@ index 50d07fb..bada62f 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -311,7 +420,7 @@ interface(`samba_read_secrets',`
+@@ -311,7 +421,7 @@ interface(`samba_read_secrets',`
  
  ########################################
  ## <summary>
@@ -87945,7 +88029,7 @@ index 50d07fb..bada62f 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -330,7 +439,8 @@ interface(`samba_read_share_files',`
+@@ -330,7 +440,8 @@ interface(`samba_read_share_files',`
  
  ########################################
  ## <summary>
@@ -87955,7 +88039,7 @@ index 50d07fb..bada62f 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -343,13 +453,15 @@ interface(`samba_search_var',`
+@@ -343,13 +454,15 @@ interface(`samba_search_var',`
  		type samba_var_t;
  	')
  
@@ -87972,7 +88056,7 @@ index 50d07fb..bada62f 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -362,14 +474,15 @@ interface(`samba_read_var_files',`
+@@ -362,14 +475,15 @@ interface(`samba_read_var_files',`
  		type samba_var_t;
  	')
  
@@ -87990,7 +88074,7 @@ index 50d07fb..bada62f 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -387,7 +500,8 @@ interface(`samba_dontaudit_write_var_files',`
+@@ -387,7 +501,8 @@ interface(`samba_dontaudit_write_var_files',`
  
  ########################################
  ## <summary>
@@ -88000,7 +88084,7 @@ index 50d07fb..bada62f 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -400,14 +514,15 @@ interface(`samba_rw_var_files',`
+@@ -400,14 +515,15 @@ interface(`samba_rw_var_files',`
  		type samba_var_t;
  	')
  
@@ -88018,7 +88102,7 @@ index 50d07fb..bada62f 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -421,33 +536,34 @@ interface(`samba_manage_var_files',`
+@@ -421,33 +537,34 @@ interface(`samba_manage_var_files',`
  	')
  
  	files_search_var_lib($1)
@@ -88061,7 +88145,7 @@ index 50d07fb..bada62f 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -462,16 +578,16 @@ interface(`samba_domtrans_smbcontrol',`
+@@ -462,16 +579,16 @@ interface(`samba_domtrans_smbcontrol',`
  #
  interface(`samba_run_smbcontrol',`
  	gen_require(`
@@ -88081,7 +88165,7 @@ index 50d07fb..bada62f 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -490,7 +606,7 @@ interface(`samba_domtrans_smbd',`
+@@ -490,7 +607,7 @@ interface(`samba_domtrans_smbd',`
  
  ######################################
  ## <summary>
@@ -88090,7 +88174,7 @@ index 50d07fb..bada62f 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -507,8 +623,7 @@ interface(`samba_signal_smbd',`
+@@ -507,8 +624,7 @@ interface(`samba_signal_smbd',`
  
  ########################################
  ## <summary>
@@ -88100,7 +88184,7 @@ index 50d07fb..bada62f 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -526,7 +641,7 @@ interface(`samba_dontaudit_use_fds',`
+@@ -526,7 +642,7 @@ interface(`samba_dontaudit_use_fds',`
  
  ########################################
  ## <summary>
@@ -88109,7 +88193,7 @@ index 50d07fb..bada62f 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -544,7 +659,7 @@ interface(`samba_write_smbmount_tcp_sockets',`
+@@ -544,7 +660,7 @@ interface(`samba_write_smbmount_tcp_sockets',`
  
  ########################################
  ## <summary>
@@ -88118,7 +88202,7 @@ index 50d07fb..bada62f 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -560,49 +675,47 @@ interface(`samba_rw_smbmount_tcp_sockets',`
+@@ -560,49 +676,47 @@ interface(`samba_rw_smbmount_tcp_sockets',`
  	allow $1 smbmount_t:tcp_socket { read write };
  ')
  
@@ -88187,7 +88271,7 @@ index 50d07fb..bada62f 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -618,16 +731,16 @@ interface(`samba_getattr_winbind_exec',`
+@@ -618,16 +732,16 @@ interface(`samba_getattr_winbind_exec',`
  #
  interface(`samba_run_winbind_helper',`
  	gen_require(`
@@ -88207,7 +88291,7 @@ index 50d07fb..bada62f 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -637,17 +750,16 @@ interface(`samba_run_winbind_helper',`
+@@ -637,17 +751,16 @@ interface(`samba_run_winbind_helper',`
  #
  interface(`samba_read_winbind_pid',`
  	gen_require(`
@@ -88229,7 +88313,7 @@ index 50d07fb..bada62f 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -657,17 +769,61 @@ interface(`samba_read_winbind_pid',`
+@@ -657,17 +770,61 @@ interface(`samba_read_winbind_pid',`
  #
  interface(`samba_stream_connect_winbind',`
  	gen_require(`
@@ -88296,7 +88380,7 @@ index 50d07fb..bada62f 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -676,7 +832,7 @@ interface(`samba_stream_connect_winbind',`
+@@ -676,7 +833,7 @@ interface(`samba_stream_connect_winbind',`
  ## </param>
  ## <param name="role">
  ##	<summary>
@@ -88305,7 +88389,7 @@ index 50d07fb..bada62f 100644
  ##	</summary>
  ## </param>
  ## <rolecap/>
-@@ -689,11 +845,28 @@ interface(`samba_admin',`
+@@ -689,11 +846,28 @@ interface(`samba_admin',`
  		type samba_etc_t, samba_share_t, samba_initrc_exec_t;
  		type swat_var_run_t, swat_tmp_t, winbind_log_t;
  		type winbind_var_run_t, winbind_tmp_t;
@@ -88337,7 +88421,7 @@ index 50d07fb..bada62f 100644
  
  	init_labeled_script_domtrans($1, samba_initrc_exec_t)
  	domain_system_change_exemption($1)
-@@ -703,23 +876,34 @@ interface(`samba_admin',`
+@@ -703,23 +877,34 @@ interface(`samba_admin',`
  	files_list_etc($1)
  	admin_pattern($1, { samba_etc_t smbd_keytab_t })
  
@@ -90845,7 +90929,7 @@ index 3df2a0f..9059165 100644
 -/var/log/sanlock\.log.*	--	gen_context(system_u:object_r:sanlock_log_t,s0)
 +/usr/lib/systemd/system/sanlock\.service -- gen_context(system_u:object_r:sanlock_unit_file_t,s0)
 diff --git a/sanlock.if b/sanlock.if
-index cd6c213..34b861a 100644
+index cd6c213..82a5ff0 100644
 --- a/sanlock.if
 +++ b/sanlock.if
 @@ -1,4 +1,5 @@
@@ -90887,7 +90971,7 @@ index cd6c213..34b861a 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -60,28 +59,50 @@ interface(`sanlock_manage_pid_files',`
+@@ -60,28 +59,51 @@ interface(`sanlock_manage_pid_files',`
  
  ########################################
  ## <summary>
@@ -90932,6 +91016,7 @@ index cd6c213..34b861a 100644
 -	files_search_pids($1)
 -	stream_connect_pattern($1, sanlock_var_run_t, sanlock_var_run_t, sanlock_t)
 +	systemd_exec_systemctl($1)
++	init_reload_services($1)
 +	allow $1 sanlock_unit_file_t:file read_file_perms;
 +	allow $1 sanlock_unit_file_t:service manage_service_perms;
 +
@@ -90947,7 +91032,7 @@ index cd6c213..34b861a 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -97,21 +118,23 @@ interface(`sanlock_stream_connect',`
+@@ -97,21 +119,23 @@ interface(`sanlock_stream_connect',`
  #
  interface(`sanlock_admin',`
  	gen_require(`
@@ -92608,10 +92693,10 @@ index 8185d5a..9be989a 100644
 +
  /var/run/sensord\.pid	--	gen_context(system_u:object_r:sensord_var_run_t,s0)
 diff --git a/sensord.if b/sensord.if
-index d204752..31cc6e6 100644
+index d204752..85631b3 100644
 --- a/sensord.if
 +++ b/sensord.if
-@@ -1,35 +1,80 @@
+@@ -1,35 +1,81 @@
 -## <summary>Sensor information logging daemon.</summary>
 +
 +## <summary>Sensor information logging daemon</summary>
@@ -92655,6 +92740,7 @@ index d204752..31cc6e6 100644
 +	')
 +
 +	systemd_exec_systemctl($1)
++	init_reload_services($1)
 +	allow $1 sensord_unit_file_t:file read_file_perms;
 +	allow $1 sensord_unit_file_t:service manage_service_perms;
 +
@@ -93595,7 +93681,7 @@ index a91f33b..631dbc1 100644
 -/var/run/shutdown\.pid	--	gen_context(system_u:object_r:shutdown_var_run_t,s0)
 +/var/run/shutdown\.pid		--	gen_context(system_u:object_r:shutdown_var_run_t,s0)
 diff --git a/shutdown.if b/shutdown.if
-index d1706bf..87ab4a7 100644
+index d1706bf..3aa7c9f 100644
 --- a/shutdown.if
 +++ b/shutdown.if
 @@ -1,30 +1,4 @@
@@ -93630,7 +93716,7 @@ index d1706bf..87ab4a7 100644
  
  ########################################
  ## <summary>
-@@ -43,13 +17,26 @@ interface(`shutdown_domtrans',`
+@@ -43,13 +17,27 @@ interface(`shutdown_domtrans',`
  
  	corecmd_search_bin($1)
  	domtrans_pattern($1, shutdown_exec_t, shutdown_t)
@@ -93640,6 +93726,7 @@ index d1706bf..87ab4a7 100644
 +
 +	optional_policy(`
 +		systemd_exec_systemctl($1)
++	init_reload_services($1)
 +		init_stream_connect($1)
 +		systemd_login_reboot($1)
 +		systemd_login_halt($1)
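Review bot: In shutdown.if the new `init_reload_services($1)` lands inside the `optional_policy` block of what appears to be shutdown_domtrans, going by the inner hunk header a few lines above. That is a domain-transition interface rather than one of the `_systemctl()` interfaces the changelog names. Every domain allowed to transition to shutdown_t would then also receive the init reload access; if that is not intended, the line should be dropped here. If it is intended, it should carry the block's two-tab indent, `		init_reload_services($1)`, instead of the single tab used. The block continues past the end of this hunk.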
@@ -93660,7 +93747,7 @@ index d1706bf..87ab4a7 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -64,16 +51,62 @@ interface(`shutdown_domtrans',`
+@@ -64,16 +52,62 @@ interface(`shutdown_domtrans',`
  #
  interface(`shutdown_run',`
  	gen_require(`
@@ -93726,7 +93813,7 @@ index d1706bf..87ab4a7 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -81,17 +114,19 @@ interface(`shutdown_run',`
+@@ -81,17 +115,19 @@ interface(`shutdown_run',`
  ##	</summary>
  ## </param>
  #
@@ -96723,10 +96810,10 @@ index 0000000..545f682
 +/var/log/speech-dispatcher(/.*)?		gen_context(system_u:object_r:speech-dispatcher_log_t,s0)
 diff --git a/speech-dispatcher.if b/speech-dispatcher.if
 new file mode 100644
-index 0000000..ddfed09
+index 0000000..4cb9104
 --- /dev/null
 +++ b/speech-dispatcher.if
-@@ -0,0 +1,142 @@
+@@ -0,0 +1,143 @@
 +
 +## <summary>speech-dispatcher - server process managing speech requests in Speech Dispatcher</summary>
 +
@@ -96824,6 +96911,7 @@ index 0000000..ddfed09
 +	')
 +
 +	systemd_exec_systemctl($1)
++	init_reload_services($1)
 +    systemd_read_fifo_file_passwd_run($1)
 +	allow $1 speech-dispatcher_unit_file_t:file read_file_perms;
 +	allow $1 speech-dispatcher_unit_file_t:service manage_service_perms;
@@ -97221,7 +97309,7 @@ index dbb005a..45291bb 100644
 -/var/run/sssd\.pid	--	gen_context(system_u:object_r:sssd_var_run_t,s0)
 +/var/run/sssd.pid	--	gen_context(system_u:object_r:sssd_var_run_t,s0)
 diff --git a/sssd.if b/sssd.if
-index a240455..f4d8c79 100644
+index a240455..de2172a 100644
 --- a/sssd.if
 +++ b/sssd.if
 @@ -1,21 +1,21 @@
@@ -97271,7 +97359,7 @@ index a240455..f4d8c79 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -56,49 +54,90 @@ interface(`sssd_initrc_domtrans',`
+@@ -56,49 +54,91 @@ interface(`sssd_initrc_domtrans',`
  	init_labeled_script_domtrans($1, sssd_initrc_exec_t)
  ')
  
@@ -97292,6 +97380,7 @@ index a240455..f4d8c79 100644
 +       ')
 +
 +       systemd_exec_systemctl($1)
++	init_reload_services($1)
 +       allow $1 sssd_unit_file_t:file read_file_perms;
 +       allow $1 sssd_unit_file_t:service manage_service_perms;
 +
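Review bot: The line added to sssd.if is indented with a tab while the surrounding lines of this interface use seven spaces, so it will not line up with its neighbours; it should read `       init_reload_services($1)`. The same mismatch appears in the svnserve.if, tor.if and zebra.if hunks, where the neighbouring lines use eight spaces. The interface starts and ends outside this hunk.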
@@ -97383,7 +97472,7 @@ index a240455..f4d8c79 100644
  ## </summary>
  ## <param name="domain">
  ##  <summary>
-@@ -107,12 +146,12 @@ interface(`sssd_write_config',`
+@@ -107,12 +147,12 @@ interface(`sssd_write_config',`
  ## </param>
  #
  interface(`sssd_manage_config',`
@@ -97401,7 +97490,7 @@ index a240455..f4d8c79 100644
  ')
  
  ########################################
-@@ -131,14 +170,13 @@ interface(`sssd_read_public_files',`
+@@ -131,14 +171,13 @@ interface(`sssd_read_public_files',`
  	')
  
  	sssd_search_lib($1)
@@ -97419,7 +97508,7 @@ index a240455..f4d8c79 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -146,18 +184,36 @@ interface(`sssd_read_public_files',`
+@@ -146,18 +185,36 @@ interface(`sssd_read_public_files',`
  ##	</summary>
  ## </param>
  #
@@ -97460,7 +97549,7 @@ index a240455..f4d8c79 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -176,8 +232,7 @@ interface(`sssd_read_pid_files',`
+@@ -176,8 +233,7 @@ interface(`sssd_read_pid_files',`
  
  ########################################
  ## <summary>
@@ -97470,7 +97559,7 @@ index a240455..f4d8c79 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -216,8 +271,7 @@ interface(`sssd_search_lib',`
+@@ -216,8 +272,7 @@ interface(`sssd_search_lib',`
  
  ########################################
  ## <summary>
@@ -97480,7 +97569,7 @@ index a240455..f4d8c79 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -235,6 +289,24 @@ interface(`sssd_dontaudit_search_lib',`
+@@ -235,6 +290,24 @@ interface(`sssd_dontaudit_search_lib',`
  
  ########################################
  ## <summary>
@@ -97505,7 +97594,7 @@ index a240455..f4d8c79 100644
  ##	Read sssd lib files.
  ## </summary>
  ## <param name="domain">
-@@ -297,8 +369,7 @@ interface(`sssd_dbus_chat',`
+@@ -297,8 +370,7 @@ interface(`sssd_dbus_chat',`
  
  ########################################
  ## <summary>
@@ -97515,7 +97604,7 @@ index a240455..f4d8c79 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -317,8 +388,46 @@ interface(`sssd_stream_connect',`
+@@ -317,8 +389,46 @@ interface(`sssd_stream_connect',`
  
  ########################################
  ## <summary>
@@ -97564,7 +97653,7 @@ index a240455..f4d8c79 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -327,7 +436,7 @@ interface(`sssd_stream_connect',`
+@@ -327,7 +437,7 @@ interface(`sssd_stream_connect',`
  ## </param>
  ## <param name="role">
  ##	<summary>
@@ -97573,7 +97662,7 @@ index a240455..f4d8c79 100644
  ##	</summary>
  ## </param>
  ## <rolecap/>
-@@ -335,27 +444,29 @@ interface(`sssd_stream_connect',`
+@@ -335,27 +445,29 @@ interface(`sssd_stream_connect',`
  interface(`sssd_admin',`
  	gen_require(`
  		type sssd_t, sssd_public_t, sssd_initrc_exec_t;
@@ -97615,7 +97704,7 @@ index a240455..f4d8c79 100644
 -	admin_pattern($1, sssd_log_t)
  ')
 diff --git a/sssd.te b/sssd.te
-index 2d8db1f..fe72f8e 100644
+index 2d8db1f..5bc1bc1 100644
 --- a/sssd.te
 +++ b/sssd.te
 @@ -28,9 +28,12 @@ logging_log_file(sssd_var_log_t)
@@ -97673,7 +97762,7 @@ index 2d8db1f..fe72f8e 100644
  
  corecmd_exec_bin(sssd_t)
  
-@@ -83,28 +79,34 @@ domain_read_all_domains_state(sssd_t)
+@@ -83,28 +79,35 @@ domain_read_all_domains_state(sssd_t)
  domain_obj_id_change_exemption(sssd_t)
  
  files_list_tmp(sssd_t)
@@ -97697,6 +97786,7 @@ index 2d8db1f..fe72f8e 100644
 +seutil_dontaudit_access_check_load_policy(sssd_t)
 +seutil_dontaudit_access_check_setfiles(sssd_t)
 +seutil_dontaudit_access_check_semanage_read_lock(sssd_t)
++seutil_dontaudit_access_check_semanage_module_store(sssd_t)
  
  mls_file_read_to_clearance(sssd_t)
  mls_socket_read_to_clearance(sssd_t)
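Review bot: The added `seutil_dontaudit_access_check_semanage_module_store(sssd_t)` silences denials rather than granting access, so AVC records of sssd_t probing the module store will no longer reach the audit log, and the policy gives no reason for that. A comment above this group of dontaudit calls, for example `# sssd only probes these paths with access checks; the denials are expected noise`, would tell a later reader the suppression was deliberate; the wording should be checked against the report that prompted the change. When sssd is under investigation, dontaudit rules can be lifted temporarily with `semodule -DB`.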
@@ -97712,7 +97802,7 @@ index 2d8db1f..fe72f8e 100644
  
  init_read_utmp(sssd_t)
  
-@@ -112,18 +114,36 @@ logging_send_syslog_msg(sssd_t)
+@@ -112,18 +115,36 @@ logging_send_syslog_msg(sssd_t)
  logging_send_audit_msgs(sssd_t)
  
  miscfiles_read_generic_certs(sssd_t)
@@ -98092,10 +98182,10 @@ index effffd0..12ca090 100644
 +/var/subversion/repo(/.*)?		gen_context(system_u:object_r:svnserve_content_t,s0)	
 +/var/lib/subversion/repo(/.*)?		gen_context(system_u:object_r:svnserve_content_t,s0)	
 diff --git a/svnserve.if b/svnserve.if
-index 2ac91b6..dd2ac36 100644
+index 2ac91b6..a97033d 100644
 --- a/svnserve.if
 +++ b/svnserve.if
-@@ -1,35 +1,118 @@
+@@ -1,35 +1,119 @@
 -## <summary>Server for the svn repository access method.</summary>
 +
 +## <summary>policy for svnserve</summary>
@@ -98156,6 +98246,7 @@ index 2ac91b6..dd2ac36 100644
 +        ')
 +
 +        systemd_exec_systemctl($1)
++	init_reload_services($1)
 +        allow $1 svnserve_unit_file_t:file read_file_perms;
 +        allow $1 svnserve_unit_file_t:service manage_service_perms;
 +
@@ -98326,10 +98417,10 @@ index 0000000..79e43aa
 +')
 diff --git a/swift.if b/swift.if
 new file mode 100644
-index 0000000..6a1f575
+index 0000000..af26807
 --- /dev/null
 +++ b/swift.if
-@@ -0,0 +1,155 @@
+@@ -0,0 +1,156 @@
 +
 +## <summary>policy for swift</summary>
 +
@@ -98445,6 +98536,7 @@ index 0000000..6a1f575
 +	')
 +
 +	systemd_exec_systemctl($1)
++	init_reload_services($1)
 +	allow $1 swift_unit_file_t:file read_file_perms;
 +	allow $1 swift_unit_file_t:service manage_service_perms;
 +
@@ -101354,10 +101446,10 @@ index 0000000..a8385bc
 +/var/run/tomcat6?\.pid		--	gen_context(system_u:object_r:tomcat_var_run_t,s0)
 diff --git a/tomcat.if b/tomcat.if
 new file mode 100644
-index 0000000..9abef48
+index 0000000..e5cec8f
 --- /dev/null
 +++ b/tomcat.if
-@@ -0,0 +1,395 @@
+@@ -0,0 +1,396 @@
 +
 +## <summary>policy for tomcat</summary>
 +
@@ -101701,6 +101793,7 @@ index 0000000..9abef48
 +	')
 +
 +	systemd_exec_systemctl($1)
++	init_reload_services($1)
 +	allow $1 tomcat_unit_file_t:file read_file_perms;
 +	allow $1 tomcat_unit_file_t:service manage_service_perms;
 +
@@ -101842,10 +101935,10 @@ index dce42ec..b6b67bf 100644
  /var/lib/tor-data(/.*)?	gen_context(system_u:object_r:tor_var_lib_t,s0)
  
 diff --git a/tor.if b/tor.if
-index 61c2e07..5e1df41 100644
+index 61c2e07..3b86095 100644
 --- a/tor.if
 +++ b/tor.if
-@@ -19,6 +19,29 @@ interface(`tor_domtrans',`
+@@ -19,6 +19,30 @@ interface(`tor_domtrans',`
  	domtrans_pattern($1, tor_exec_t, tor_t)
  ')
  
@@ -101866,6 +101959,7 @@ index 61c2e07..5e1df41 100644
 +        ')
 +
 +        systemd_exec_systemctl($1)
++	init_reload_services($1)
 +        allow $1 tor_unit_file_t:file read_file_perms;
 +        allow $1 tor_unit_file_t:service manage_service_perms;
 +
@@ -101875,7 +101969,7 @@ index 61c2e07..5e1df41 100644
  ########################################
  ## <summary>
  ##	All of the rules required to
-@@ -39,12 +62,18 @@ interface(`tor_domtrans',`
+@@ -39,12 +63,18 @@ interface(`tor_domtrans',`
  interface(`tor_admin',`
  	gen_require(`
  		type tor_t, tor_var_log_t, tor_etc_t;
@@ -101896,7 +101990,7 @@ index 61c2e07..5e1df41 100644
  	init_labeled_script_domtrans($1, tor_initrc_exec_t)
  	domain_system_change_exemption($1)
  	role_transition $2 tor_initrc_exec_t system_r;
-@@ -61,4 +90,13 @@ interface(`tor_admin',`
+@@ -61,4 +91,13 @@ interface(`tor_admin',`
  
  	files_list_pids($1)
  	admin_pattern($1, tor_var_run_t)
@@ -102527,10 +102621,10 @@ index 220f6ad..ccbb5da 100644
 +
 +/var/lib/lockdown(/.*)? 	gen_context(system_u:object_r:usbmuxd_var_lib_t,s0)
 diff --git a/usbmuxd.if b/usbmuxd.if
-index 1ec5e99..88e287d 100644
+index 1ec5e99..5b6c80b 100644
 --- a/usbmuxd.if
 +++ b/usbmuxd.if
-@@ -38,3 +38,66 @@ interface(`usbmuxd_stream_connect',`
+@@ -38,3 +38,67 @@ interface(`usbmuxd_stream_connect',`
  	files_search_pids($1)
  	stream_connect_pattern($1, usbmuxd_var_run_t, usbmuxd_var_run_t, usbmuxd_t)
  ')
@@ -102552,6 +102646,7 @@ index 1ec5e99..88e287d 100644
 +	')
 +
 +	systemd_exec_systemctl($1)
++	init_reload_services($1)
 +	allow $1 usbmuxd_unit_file_t:file read_file_perms;
 +	allow $1 usbmuxd_unit_file_t:service manage_service_perms;
 +
@@ -103892,7 +103987,7 @@ index a4f20bc..88a2dc6 100644
 +/var/log/qemu-ga\.log.*           --      gen_context(system_u:object_r:virt_qemu_ga_log_t,s0)
 +/var/log/qemu-ga(/.*)?		gen_context(system_u:object_r:virt_qemu_ga_log_t,s0)
 diff --git a/virt.if b/virt.if
-index facdee8..e52b362 100644
+index facdee8..aacee65 100644
 --- a/virt.if
 +++ b/virt.if
 @@ -1,120 +1,51 @@
@@ -104941,7 +105036,7 @@ index facdee8..e52b362 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -860,94 +695,266 @@ interface(`virt_read_lib_files',`
+@@ -860,94 +695,267 @@ interface(`virt_read_lib_files',`
  ##	</summary>
  ## </param>
  #
@@ -105023,6 +105118,7 @@ index facdee8..e52b362 100644
 +	')
 +
 +	systemd_exec_systemctl($1)
++	init_reload_services($1)
 +	allow $1 virtd_unit_file_t:file read_file_perms;
 +	allow $1 virtd_unit_file_t:service manage_service_perms;
 +
@@ -105237,7 +105333,7 @@ index facdee8..e52b362 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -955,20 +962,17 @@ interface(`virt_append_log',`
+@@ -955,20 +963,17 @@ interface(`virt_append_log',`
  ##	</summary>
  ## </param>
  #
@@ -105262,7 +105358,7 @@ index facdee8..e52b362 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -976,18 +980,17 @@ interface(`virt_manage_log',`
+@@ -976,18 +981,17 @@ interface(`virt_manage_log',`
  ##	</summary>
  ## </param>
  #
@@ -105285,7 +105381,7 @@ index facdee8..e52b362 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -995,36 +998,35 @@ interface(`virt_search_images',`
+@@ -995,36 +999,35 @@ interface(`virt_search_images',`
  ##	</summary>
  ## </param>
  #
@@ -105341,7 +105437,7 @@ index facdee8..e52b362 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1032,20 +1034,17 @@ interface(`virt_read_images',`
+@@ -1032,20 +1035,17 @@ interface(`virt_read_images',`
  ##	</summary>
  ## </param>
  #
@@ -105366,7 +105462,7 @@ index facdee8..e52b362 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1053,15 +1052,57 @@ interface(`virt_rw_all_image_chr_files',`
+@@ -1053,15 +1053,57 @@ interface(`virt_rw_all_image_chr_files',`
  ##	</summary>
  ## </param>
  #
@@ -105429,7 +105525,7 @@ index facdee8..e52b362 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1069,21 +1110,28 @@ interface(`virt_manage_svirt_cache',`
+@@ -1069,21 +1111,28 @@ interface(`virt_manage_svirt_cache',`
  ##	</summary>
  ## </param>
  #
@@ -105466,7 +105562,7 @@ index facdee8..e52b362 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1091,36 +1139,188 @@ interface(`virt_manage_virt_cache',`
+@@ -1091,36 +1140,188 @@ interface(`virt_manage_virt_cache',`
  ##	</summary>
  ## </param>
  #
@@ -105673,7 +105769,7 @@ index facdee8..e52b362 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1136,50 +1336,53 @@ interface(`virt_manage_images',`
+@@ -1136,50 +1337,53 @@ interface(`virt_manage_images',`
  #
  interface(`virt_admin',`
  	gen_require(`
@@ -108000,10 +108096,10 @@ index 0000000..c5deffb
 +/usr/lib/systemd/system/vmtoolsd.*		--	gen_context(system_u:object_r:vmtools_unit_file_t,s0)
 diff --git a/vmtools.if b/vmtools.if
 new file mode 100644
-index 0000000..7933d80
+index 0000000..afd0c97
 --- /dev/null
 +++ b/vmtools.if
-@@ -0,0 +1,122 @@
+@@ -0,0 +1,123 @@
 +## <summary>VMware Tools daemon</summary>
 +
 +########################################
@@ -108085,6 +108181,7 @@ index 0000000..7933d80
 +	')
 +
 +	systemd_exec_systemctl($1)
++	init_reload_services($1)
 +    systemd_read_fifo_file_passwd_run($1)
 +	allow $1 vmtools_unit_file_t:file read_file_perms;
 +	allow $1 vmtools_unit_file_t:service manage_service_perms;
@@ -112071,7 +112168,7 @@ index 28ee4ca..bc37f76 100644
 -/var/run/quagga(/.*)?	gen_context(system_u:object_r:zebra_var_run_t,s0)
 +/var/run/quagga(/.*)?		gen_context(system_u:object_r:zebra_var_run_t,s0)
 diff --git a/zebra.if b/zebra.if
-index 3416401..676925c 100644
+index 3416401..e364caf 100644
 --- a/zebra.if
 +++ b/zebra.if
 @@ -1,8 +1,8 @@
@@ -112103,7 +112200,7 @@ index 3416401..676925c 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -42,10 +41,33 @@ interface(`zebra_stream_connect',`
+@@ -42,10 +41,34 @@ interface(`zebra_stream_connect',`
  	stream_connect_pattern($1, zebra_var_run_t, zebra_var_run_t, zebra_t)
  ')
  
@@ -112124,6 +112221,7 @@ index 3416401..676925c 100644
 +    ')
 +
 +        systemd_exec_systemctl($1)
++	init_reload_services($1)
 +        allow $1 zebra_unit_file_t:file read_file_perms;
 +        allow $1 zebra_unit_file_t:service manage_service_perms;
 +
@@ -112139,7 +112237,7 @@ index 3416401..676925c 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -54,7 +76,7 @@ interface(`zebra_stream_connect',`
+@@ -54,7 +77,7 @@ interface(`zebra_stream_connect',`
  ## </param>
  ## <param name="role">
  ##	<summary>
@@ -112148,7 +112246,7 @@ index 3416401..676925c 100644
  ##	</summary>
  ## </param>
  ## <rolecap/>
-@@ -62,13 +84,16 @@ interface(`zebra_stream_connect',`
+@@ -62,13 +85,16 @@ interface(`zebra_stream_connect',`
  interface(`zebra_admin',`
  	gen_require(`
  		type zebra_t, zebra_tmp_t, zebra_log_t;
@@ -112168,7 +112266,7 @@ index 3416401..676925c 100644
  	init_labeled_script_domtrans($1, zebra_initrc_exec_t)
  	domain_system_change_exemption($1)
  	role_transition $2 zebra_initrc_exec_t system_r;
-@@ -85,4 +110,8 @@ interface(`zebra_admin',`
+@@ -85,4 +111,8 @@ interface(`zebra_admin',`
  
  	files_list_pids($1)
  	admin_pattern($1, zebra_var_run_t)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 6ae6e08..ad77c6b 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 97%{?dist}
+Release: 98%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -604,6 +604,11 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Fri Nov 29 2014 Lukas Vrabec <lvrabec at redhat.com> 3.13.1-98
+- Update to have all _systemctl() interface also init_reload_services()
+- Dontaudit access check on SELinux module store for sssd.
+- Label /var/lib/rpmrebuilddb/ as rpm_var_lib_t. BZ (1167946)
+
 * Fri Nov 28 2014 Lukas Vrabec <lvrabec at redhat.com> 3.13.1-97
 - Allow reading of symlinks in /etc/puppet
 - Added TAGS to gitignore

