lvrabec pushed to selinux-policy (f20). "* Mon May 04 2015 Lukas Vrabec <lvrabec at redhat.com> 3.12.1-200 (..more)"

notifications at fedoraproject.org notifications at fedoraproject.org
Mon May 4 16:13:57 UTC 2015


From 12c7ae31557bf761b427bb79f46564c9a64e2734 Mon Sep 17 00:00:00 2001
From: Lukas Vrabec <lvrabec at redhat.com>
Date: Mon, 4 May 2015 18:13:31 +0200
Subject: * Mon May 04 2015 Lukas Vrabec <lvrabec at redhat.com> 3.12.1-200 - add
 interface networkmanager_sigchld - Fix labels on new location of resolv.conf
 - Add new rules to dnssec-trigger - Add mongodb port to
 httpd_can_network_connect_db interface. BZ(1209180) - Added interface
 files_search_all_pids - Add fixes for resolv.conf to F20


diff --git a/policy-f20-base.patch b/policy-f20-base.patch
index c5539eb..1c68fc8 100644
--- a/policy-f20-base.patch
+++ b/policy-f20-base.patch
@@ -1,5 +1,2135 @@
+diff --git a/Changelog b/Changelog
+index 5fcca55..672e632 100644
+--- a/Changelog
++++ b/Changelog
+@@ -1,216 +1,952 @@
+-* Wed Apr 24 2013 Chris PeBenito <selinux at tresys.com> - 2.20130424
+-Chris PeBenito (78):
+-      Mcelog update from Guido Trentalancia.
+-      Add bird contrib module from Dominick Grift.
+-      Minor whitespace fix in udev.fc
+-      Module version bump for udev binary location update from Sven Vermeulen.
+-      clarify the file_contexts.subs_dist configuration file usage from Guido
+-         Trentalancia
+-      Update contrib.
+-      Remove trailing / from paths
+-      Module version bump for fc substitutions optimizations from Sven
+-         Vermeulen.
+-      Update contrib.
+-      Module version bump for /run/dhcpc directory creation by dhcp from Sven
+-         Vermeulen.
+-      Module version bump for fc fixes in devices module from Dominick Grift.
+-      Update contrib.
+-      Module version bump for /dev/mei type and label from Dominick Grift.
+-      Module version bump for init_daemon_run_dirs usage from Sven Vermeulen.
+-      Module version bump for lost+found labeling in /var/log from Guido
+-         Trentalancia.
+-      Module version bump for loop-control patch.
+-      Turn off all tunables by default, from Guido Trentalancia.
+-      Add /usr/lib to TEST_TOOLCHAIN LD_LIBRARY_PATH.
+-      Module version bump for various changes from Sven Vermeulen.
+-      Module version bump for ports update from Dominick Grift.
+-      Module version bump for Debian file context updates from Laurent
+-         Bigonville.
+-      Update contrib.
+-      Update contrib.
+-      split kmod fc into two lines.
+-      Module version bump for kmod fc from Laurent Bigonville.
+-      Module version bump for cfengine fc change from Dominick Grift.
+-      Module verision bump for Debian cert file fc update from Laurent
+-         Bigonville.
+-      Module version bump for ipsec net sysctls reading from Miroslav Grepl.
+-      Module version bump for srvloc port definition from Dominick Grift.
+-      Rename cachefiles_dev_t to cachefiles_device_t.
+-      Module version bump for cachefiles core support.
+-      Module version bump for changes from Dominick Grift and Sven Vermeulen.
+-      Module version bump for modutils patch from Dominick Grift.
+-      Module version bump for dhcp6 ports, from Russell Coker.
+-      Rearrange new xserver interfaces.
+-      Rename new xserver interfaces.
+-      Module version bump for xserver interfaces from Dominick Grift.
+-      Move kernel_stream_connect() declaration.
+-      Module version bump for kernel_stream_connect() from Dominick Grift.
+-      Rename logging_search_all_log_dirs to logging_search_all_logs
+-      Module version bump for minor logging and sysnet changes from Sven
+-         Vermeulen.
+-      Module version bump for dovecot libs from Mika Pflueger.
+-      Rearrange interfaces in files, clock, and udev.
+-      Module version bump for interfaces used by virt from Dominick Grift.
+-      Module version bump for arping setcap from Dominick Grift.
+-      Rearrange devices interfaces.
+-      Module version bump/contrib sync.
+-      Rearrange lines.
+-      Module version bump for user home content fixes from Dominick Grift.
+-      Rearrange files interfaces.
+-      Module version bump for Gentoo openrc fixes for /run from Sven Vermeulen.
+-      Update contrib.
+-      Whitespace fix in miscfiles.fc.
+-      Adjust man cache interface names.
+-      Module version bump for man cache from Dominick Grift.
+-      Module version bump for Debian ssh-keysign location from Laurent
+-         Bigonville.
+-      Module version bump for userdomain portion of XDG updates from Dominick
+-         Grift.
+-      Module version bump for iptables fc entry from Sven Vermeulen and inn log
+-         from Dominick Grift.
+-      Module version bump for logging and tcpdump fixes from Sven Vermeulen.
+-      Move mcs_constrained() impementation.
+-      Module version bump for mcs_constrained from Dominick Grift.
+-      Update contrib.
+-      Module version bump from Debian changes from Laurent Bigonville.
+-      Module version bump for zfs labeling from Matthew Thode.
+-      Module version bump for misc updates from Sven Vermeulen.
+-      Update contrib.
+-      Module version bump for fixes from Dominick Grift.
+-      Module version bump for Debian updates from Laurent Bigonville.
+-      Fix bug in userdom_delete_all_user_home_content_files() from Kohei KaiGai.
+-      Update contrib
+-      Fix fc_sort.c warning uncovered by recent gcc
+-      Module version bump for chfn fixes from Sven Vermeulen.
+-      Add swapoff fc entry.
+-      Add conntrack fc entry.
+-      Update contrib.
+-      Update contrib
+-      Archive old Changelog for log format change.
+-      Bump module versions for release.
+-
+-Dominick Grift (40):
+-      There can be more than a single watchdog interface
+-      Fix a suspected typo
+-      Intel® Active Management Technology
+-      Declare a loop control device node type and label /dev/loop-control
+-         accordingly
+-      Declare port types for ports used by Fedora but use /etc/services for port
+-         names rather than using fedora port names. If /etc/services does not
+-         have a port name for a port used by Fedora, skip for now.
+-      Remove var_log_t file context spec
+-      svrloc port type declaration from slpd policy module
+-      Declare a cachfiles device node type
+-      Implement files_create_all_files_as() for cachefilesd
+-      Restricted Xwindows user domains run windows managers in the windows
+-         managers domain
+-      Declare a cslistener port type for phpfpm
+-      Changes to the sysnetwork policy module
+-      Changes to the userdomain policy module
+-      Changes to the bootloader policy module
+-      Changes to the modutils policy module
+-      Changes to the xserver policy module
+-      Changes to various policy modules
+-      Changes to the kernel policy module
+-      For svirt_lxc_domain
+-      For svirt_lxc_domain
+-      For svirt_lxc_domain
+-      For virtd lxc
+-      For virtd_lxc
+-      For virtd_lxc
+-      For virtd lxc
+-      For virtd lxc
+-      For virtd
+-      Arping needs setcap to cap_set_proc
+-      For virtd
+-      Changes to the user domain policy module
+-      Samhain_admin() now requires a role for the role_transition from $1 to
+-         initrc_t via samhain_initrc_exec_t
+-      Changes to the user domain policy module
+-      Label /var/cache/man with a private man cache type for mandb
+-      Create a attribute user_home_content_type and assign it to all types that
+-         are classified userdom_user_home_content()
+-      These two attribute are unused
+-      System logger creates innd log files with a named file transition
+-      Implement mcs_constrained_type
+-      Changes to the init policy module
+-      Changes to the userdomain policy module
+-      NSCD related changes in various policy modules
+-
+-Guido Trentalancia (1):
+-      add lost+found filesystem labels to support NSA security guidelines
+-
+-Laurent Bigonville (21):
+-      Add Debian locations for GDM 3
+-      Add Debian location for udisks helpers
+-      Add insmod_exec_t label for kmod executable
+-      Add Debian location for PKI files
+-      Add Debian location for ssh-keysign
+-      Properly label all the ssh host keys
+-      Allow udev_t domain to read files labeled as consolekit_var_run_t
+-      authlogin.if: Add auth_create_pam_console_data_dirs and
+-         auth_pid_filetrans_pam_var_console interfaces
+-      Label /etc/rc.d/init.d/x11-common as xdm_exec_t
+-      Drop /etc/rc.d/init.d/xfree86-common filecontext definition
+-      Label /var/run/shm as tmpfs_t for Debian
+-      Label /var/run/motd.dynamic as initrc_var_run_t
+-      Label /var/run/initctl as initctl_t
+-      udev.if: Call files_search_pid instead of files_search_var_lib in
+-         udev_manage_pid_files
+-      Label executables in /usr/lib/NetworkManager/ as bin_t
+-      Add support for rsyslog
+-      Label var_lock_t as a mountpoint
+-      Add mount_var_run_t type and allow mount_t domain to manage the files and
+-         directories
+-      Add initrc_t to use block_suspend capability
+-      Label executables under /usr/lib/gnome-settings-daemon/ as bin_t
+-      Label nut drivers that are installed in /lib/nut on Debian as bin_t
+-
+-Matthew Thode (1):
+-      Implement zfs support
+-
+-Mika Pflüger (2):
+-      Debian locations of gvfs and kde4 libexec binaries in /usr/lib
+-      Explicitly label dovecot libraries lib_t for debian
+-
+-Miroslav Grepl (1):
+-      Allow ipsec to read kernel sysctl
+-
+-Paul Moore (1):
+-      flask: add the attach_queue permission to the tun_socket object class
+-
+-Russell Coker (1):
+-      Label port 5546 as dhcpc_port_t and allow dhcpc_t to bind to TCP for
+-         client control
+-
+-Sven Vermeulen (27):
+-      New location for udevd binary
+-      Use substititions for /usr/local/lib and /etc/init.d
+-      DHCP client's hooks create /run/dhcpc directory
+-      Introduce init_daemon_run_dir transformation
+-      Use the init_daemon_run_dir interface for udev
+-      Allow initrc_t to create run dirs for core modules
+-      Puppet uses mount output for verification
+-      Allow syslogd to create /var/lib/syslog and
+-         /var/lib/misc/syslog-ng.persist
+-      Gentoo's openrc does not require initrc_exec_t for runscripts anymore
+-      Allow init scripts to read courier configuration
+-      Allow search within postgresql var directory for the stream connect
+-         interface
+-      Introduce logging_getattr_all_logs interface
+-      Introduce logging_search_all_log_dirs interface
+-      Support flushing routing cache
+-      Allow init to set attributes on device_t
+-      Introduce files_manage_all_pids interface
+-      Gentoo openrc migrates /var/run and /var/lock data to /run(/lock)
+-      Update files_manage_generic_locks with directory permissions
+-      Run ipset in iptables domain
+-      tcpdump chroots into /var/lib/tcpdump
+-      Remove generic log label for cron location
+-      Postgresql 9.2 connects to its unix stream socket
+-      lvscan creates the /run/lock/lvm directory if nonexisting (v2)
+-      Allow syslogger to manage cron log files (v2)
+-      Allow initrc_t to read stunnel configuration
+-      Introduce exec-check interfaces for passwd binaries and useradd binaries
+-      chfn_t reads in file context information and executes nscd
++- Mcelog update from Guido Trentalancia.
++- Added contrib modules:
++	bird (Dominick Grift)
+ 
++* Wed Jul 25 2012 Chris PeBenito <selinux at tresys.com> - 2.20120725
++- Rename epollwakeup capability2 permission to block_suspend to match the
++  corresponding kernel capability rename.
++- Udev and init changes to support /run, from Sven Vermeulen.
++- auth_use_nsswitch updates from Miroslav Grepl.
++- Mount runtime files fix from Guido Trentalancia.
++- Update Python scripts to support Python 3, from Sven Vermeulen.
++- Update capability2 object class for new wake_alarm and epollwakeup
++  capabilities.
++- SEPostgresql updates from Kohei KaiGai.
++- Simplify file contexts based on file context path substitutions, from Sven
++  Vermeulen.
++- Add optional name for kernel and system filetrans interfaces.
++- Non-auth file attribute to eliminate set expressions, from James Carter.
++- Virt updates from Sven Vermeulen.
++- Various dontaudits from Sven Vermeulen.
++- Fix base module and monolithic role declaration ordering issue now that
++  role declarations must be explicit, from Harry Ciao.
++- Added contrib modules:
++	bacula (Stan Sander/Sven Vermeulen)
++	bcfg2 (Miroslav Grepl)
++	blueman (Miroslav Grepl)
++
++* Wed Feb 15 2012 Chris PeBenito <selinux at tresys.com> - 2.20120215
++- Sshd usage of mkhomedir_helper via oddjob, from Sven Vermeulen.
++- Add slim and lxdm file contexts to xserver, from Sven Vermeulen.
++- Add userdom interfaces for user application domains, user tmp files,
++  and user tmpfs files.
++- Asterisk administration fixes from Sven Vermeulen.
++- Fix makefiles to install files with the correct DAC permissions if the
++  umask is not 022.
++- Remove deprecated support macros.
++- Remove rolemap and per-role template support.
++- Change corenetwork port declaration to apply the reserved port type
++  attribute only, when the type has ports above and below 1024.
++- Change secure_mode_policyload to disable only toggling of this Boolean
++  rather than disabling all Boolean toggling permissions.
++- Use role attributes to assist with domain transitions in interactive
++  programs.
++- Milter ports patch from Paul Howarth.
++- Separate portage fetch rules out of portage_run() and portage_domtrans()
++  from Sven Vermeulen.
++- Enhance corenetwork network_port() macro to support ports that do not have
++  a well defined port number, such as stunnel.
++- Opendkim support in dkim module from Paul Howarth.
++- Wireshark updates from Sven Vermeulen.
++- Change secure_mode_insmod to control sys_module capability rather than
++  controlling domain transitions to insmod.
++- Openrc and portage updates from Sven Vermeulen.
++- Allow user and role changes on dynamic transitions with the same
++  constraints as regular transitions.
++- New git service features from Dominick Grift.
++- Corenetwork policy size optimization from Dan Walsh.
++- Silence spurious udp_socket listen denials.
++- Fix unexpanded MLS/MCS fields in monolithic seusers file.
++- Type transition fix in Postgresql database objects from KaiGai Kohei.
++- Support for file context path substitutions (file_contexts.subs).
++- Added contrib modules:
++	glance (Dan Walsh)
++	rhsmcertd (Dan Walsh)
++	sanlock (Dan Walsh)
++	sblim (Dan Walsh)
++	uuidd (Dan Walsh)
++	vdagent (Dan Walsh)
++
++* Tue Jul 26 2011 Chris PeBenito <selinux at tresys.com> - 2.20110726
++- Fix role declarations to handle role attribute compilers.
++- Rename audioentropy module to entropyd due to haveged support.
++- Add haveged support from Sven Vermeulen.
++- Authentication file patch from Matthew Ife.
++- Add agent support to zabbix from Sven Vermeulen.
++- Cyrus file context update for Gentoo from Corentin Labbe.
++- Portage updates from Sven Vermeulen.
++- Fix init_system_domain() description, pointed out by Elia Pinto.
++- Postgresql selabel_lookup update from KaiGai Kohei.
++- Dovecot managesieve support from Mika Pfluger.
++- Semicolon after interface/template calls cleanup from Elia Pinto.
++- Gentoo courier updates from Sven Vermeulen.
++- Amavis patch for connecting to nslcd from Miroslav Grepl.
++- Shorewall patch from Miroslav Grepl.
++- Cpufreqselector dbus patch from Guido Trentalancia.
++- Cron pam_namespace and pam_loginuid support from Harry Ciao.
++- Xserver update for startx from Sven Vermeulen.
++- Fix MLS constraint for contains permission from Harry Ciao.
++- Apache user webpages fix from Dominick Grift.
++- Change default build.conf to modular policy from Stephen Smalley.
++- Xen refinement patch from Stephen Smalley.
++- Sudo timestamp file location update from Sven Vermeulen.
++- XServer keyboard event patch from Sven Vermeulen.
++- RAID uevent patch from Sven Vermeulen.
++- Gentoo ALSA init script usage patch from Sven Vermeulen.
++- LVM semaphore usage patch from Sven Vermeulen.
++- Module load request patch for insmod from Sven Vermeulen.
++- Cron default contexts fix from Harry Ciao.
++- Man page fixes from Justin Mattock.
++- Add syslog capability.
++- Support for logging in to /dev/console, from Harry Ciao.
++- Database object class updates and associated SEPostgreSQL changes from
++  KaiGai Kohei.
++- IPSEC SPD and Hadoop IPSEC updates from Paul Nuzzi.
++- Mount updates from Harry Ciao.
++- Semanage update for MLS systems from Harry Ciao.
++- Vlock terminal use update from Harry Ciao.
++- Hadoop CDH3 updates from Paul Nuzzi.
++- Add sepgsql_contexts appconfig files from KaiGai Kohei.
++- Added modules:
++	aiccu
++	bugzilla (Dan Walsh)
++	colord (Dan Walsh)
++	cmirrord (Miroslav Grepl)
++	mediawiki (Miroslav Grepl)
++	mpd (Miroslav Grepl)
++	ncftool
++	passenger (Miroslav Grepl)
++	qpid (Dan Walsh)
++	samhain (Harry Ciao)
++	telepathy (Dominick Grift)
++	tcsd (Stephen Smalley)
++	vnstatd (Dan Walsh)
++	zarafa (Miroslav Grepl)
++
++* Mon Dec 13 2010 Chris PeBenito <selinux at tresys.com> - 2.20101213
++- Git man page from Dominick Grift.
++- Alsa and oident home content cleanup from Dominick Grift.
++- Add support for custom build options.
++- Unconditional staff and user oidentd home config access from Dominick Grift.
++- Conditional mmap_zero support from Dominick Grift.
++- Added devtmpfs support.
++- Dbadm updates from KaiGai Kohei.
++- Virtio disk file context update from Mika Pfluger.
++- Increase bindreservport range to 512-1024 in corenetwork, from Dan Walsh.
++- Add JIT usage for freshclam.
++- Remove ethereal module since the application was renamed to wireshark.
++- Remove duplicate/redundant rules, from Russell Coker.
++- Increased default number of categories to 1024, from Russell Coker.
++- Added modules:
++	accountsd (Dan Walsh)
++	cgroup (Dominick Grift)
++	hadoop (Paul Nuzzi)
++	kdumpgui (Dan Walsh)
++	livecd (Dan Walsh)
++	mojomojo (Iain Arnell)
++	sambagui (Dan Walsh)
++	shutdown (Dan Walsh)
++	sosreport (Dan Walsh)
++	vlock (Harry Ciao)
++
++* Mon May 24 2010 Chris PeBenito <selinux at tresys.com> - 2.20100524
++- Merged a significant portion of Fedora policy.
++- Move rules from mta mailserver delivery from interface to .te to use
++  attributes.
++- Remove concept of users from terminal module interfaces since the
++  attributes are not specific to users.
++- Add non-drawing X client support, for consolekit usage.
++- Misc Gentoo fixes from Chris Richards.
++- AFS and abrt fixes from Dominick Grift.
++- Improved the XML docs of 55 most-used interfaces.
++- Apcupsd and amavis fixes from Dominick Grift.
++- Fix network_port() in corenetwork to correctly handle port ranges.
++- SE-Postgresql updates from KaiGai Kohei.
++- X object manager revisions from Eamon Walsh.
++- Added modules:
++	aisexec (Dan Walsh)
++	chronyd (Miroslav Grepl)
++	cobbler (Dominick Grift)
++	corosync (Dan Walsh)
++	dbadm (KaiGai Kohei)
++	denyhosts (Dan Walsh)
++	nut (Stefan Schulze Frielinghaus, Miroslav Grepl)
++	likewise (Scott Salley)
++	plymouthd (Dan Walsh)
++	pyicqt (Stefan Schulze Frielinghaus)
++	rhcs (Dan Walsh)
++	rgmanager (Dan Walsh)
++	sectoolm (Miroslav Grepl)
++	usbmuxd (Dan Walsh)
++	vhostmd (Dan Walsh)
++
++* Tue Nov 17 2009 Chris PeBenito <selinux at tresys.com> - 2.20091117
++- Add separate x_pointer and x_keyboard classes inheriting from x_device. 
++  From Eamon Walsh.
++- Deprecated the userdom_xwindows_client_template().
++- Misc Gentoo fixes from Corentin Labbe.
++- Debian policykit fixes from Martin Orr.
++- Fix unconfined_r use of unconfined_java_t.
++- Add missing x_device rules for XI2 functions, from Eamon Walsh.
++- Add missing rules to make unconfined_cronjob_t a valid cron job domain.
++- Add btrfs and ext4 to labeling targets.
++- Fix infrastructure to expand macros in initrc_context when installing.
++- Handle unix_chkpwd usage by useradd and groupadd.
++- Add missing compatibility aliases for xdm_xserver*_t types.
++- Added modules:
++	abrt (Dan Walsh)
++	dkim (Stefan Schulze Frielinghaus)
++	gitosis (Miroslav Grepl)
++	gnomeclock (Dan Walsh)
++	hddtemp (Dan Walsh)
++	kdump (Dan Walsh)
++	modemmanager(Dan Walsh)
++	nslcd (Dan Walsh)
++	puppet (Craig Grube)
++	rtkit (Dan Walsh)
++	seunshare (Dan Walsh)
++	shorewall (Dan Walsh)
++	tgtd (Matthew Ife)
++	tuned (Miroslav Grepl)
++	xscreensaver (Corentin Labbe)
++
++* Thu Jul 30 2009 Chris PeBenito <selinux at tresys.com> - 2.20090730
++- Gentoo fixes for init scripts and system startup.
++- Remove read_default_t tunable.
++- Greylist milter from Paul Howarth.
++- Crack db access for su to handle password expiration, from Brandon Whalen.
++- Misc fixes for unix_update from Brandon Whalen.
++- Add x_device permissions for XI2 functions, from Eamon Walsh.
++- MLS constraints for the x_selection class, from Eamon Walsh.
++- Postgresql updates from KaiGai Kohei.
++- Milter state directory patch from Paul Howarth.
++- Add MLS constrains for ingress/egress and secmark from Paul Moore.
++- Drop write permission from fs_read_rpc_sockets().
++- Remove unused udev_runtime_t type.
++- Patch for RadSec port from Glen Turner.
++- Enable network_peer_controls policy capability from Paul Moore.
++- Btrfs xattr support from Paul Moore.
++- Add db_procedure install permission from KaiGai Kohei.
++- Add support for network interfaces with access controlled by a Boolean
++  from the CLIP project.
++- Several fixes from the CLIP project.
++- Add support for labeled Booleans.
++- Remove node definitions and change node usage to generic nodes.
++- Add kernel_service access vectors, from Stephen Smalley.
++- Added modules:
++	certmaster (Dan Walsh)
++	cpufreqselector (Dan Walsh)
++	devicekit (Dan Walsh)
++	fprintd (Dan Walsh)
++	git (Dan Walsh)
++	gpsd (Miroslav Grepl)
++	guest (Dan Walsh)
++	ifplugd (Dan Walsh)
++	lircd (Miroslav Grepl)
++	logadm (Dan Walsh)
++	pads (Dan Walsh)
++	pingd (Dan Walsh)
++	policykit (Dan Walsh)
++	pulseaudio (Dan Walsh)
++	psad (Dan Walsh)
++	portreserve (Dan Walsh)
++	sssd (Dan Walsh)
++	ulogd (Dan Walsh)
++	varnishd (Dan Walsh)
++	webadm (Dan Walsh)
++	wm (Dan Walsh)
++	xguest (Dan Walsh)
++	zosremote (Dan Walsh)
++
++* Wed Dec 10 2008 Chris PeBenito <selinux at tresys.com> - 2.20081210
++- Fix consistency of audioentropy and iscsi module naming.
++- Debian file context fix for xen from Russell Coker.
++- Xserver MLS fix from Eamon Walsh.
++- Add omapi port for dhcpcd.
++- Deprecate per-role templates and rolemap support.
++- Implement user-based access control for use as role separations.
++- Move shared library calls from individual modules to the domain module.
++- Enable open permission checks policy capability.
++- Remove hierarchy from portage module as it is not a good example of
++  hieararchy.
++- Remove enableaudit target from modular build as semodule -DB supplants it.
++- Added modules:
++	milter (Paul Howarth)
++
++* Tue Oct 14 2008 Chris PeBenito <selinux at tresys.com> - 20081014
++- Debian update for NetworkManager/wpa_supplicant from Martin Orr.
++- Logrotate and Bind updates from Vaclav Ovsik.
++- Init script file and domain support.
++- Glibc 2.7 fix from Vaclav Ovsik.
++- Samba/winbind update from Mike Edenfield.
++- Policy size optimization with a non-security file attribute from James
++  Carter.
++- Database labeled networking update from KaiGai Kohei.
++- Several misc changes from the Fedora policy, cherry picked by David
++  Hardeman.
++- Large whitespace fix from Dominick Grift.
++- Pam_mount fix for local login from Stefan Schulze Frielinghaus.
++- Issuing commands to upstart is over a datagram socket, not the initctl
++  named pipe.  Updated init_telinit() to match.
++- Added modules:
++	cyphesis (Dan Walsh)
++	memcached (Dan Walsh)
++	oident (Dominick Grift)
++	w3c (Dan Walsh)
++
++* Wed Jul 02 2008 Chris PeBenito <selinux at tresys.com> - 20080702
++- Fix httpd_enable_homedirs to actually provide the access it is supposed to
++  provide.
++- Add unused interface/template parameter metadata in XML.
++- Patch to handle postfix data_directory from Vaclav Ovsik.
++- SE-Postgresql policy from KaiGai Kohei.
++- Patch for X.org dbus support from Martin Orr.
++- Patch for labeled networking controls in 2.6.25 from Paul Moore.
++- Module loading now requires setsched on kernel threads.
++- Patch to allow gpg agent --write-env-file option from Vaclav Ovsik.
++- X application data class from Eamon Walsh and Ted Toth.
++- Move user roles into individual modules.
++- Make hald_log_t a log file.
++- Cryptsetup runs shell scripts.  Patch from Martin Orr.
++- Add file for enabling policy capabilities.
++- Patch to fix leaky interface/template call depth calculator from Vaclav
++  Ovsik.
++- Added modules:
++	kerneloops (Dan Walsh)
++	kismet (Dan Walsh)
++	podsleuth (Dan Walsh)
++	prelude (Dan Walsh)
++	qemu (Dan Walsh)
++	virt (Dan Walsh)
++
++* Wed Apr 02 2008 Chris PeBenito <selinux at tresys.com> - 20080402
++- Add core Security Enhanced X Windows support.
++- Fix winbind socket connection interface for default location of the
++  sock_file.
++- Add wireshark module based on ethereal module.
++- Revise upstart support in init module to use a tunable, as upstart is now
++  used in Fedora too.
++- Add iferror.m4 rather generate it out of the Makefiles.
++- Definitions for open permisson on file and similar objects from Eric
++  Paris.
++- Apt updates for ptys and logs, from Martin Orr.
++- RPC update from Vaclav Ovsik.
++- Exim updates on Debian from Devin Carrawy.
++- Pam and samba updates from Stefan Schulze Frielinghaus.
++- Backup update on Debian from Vaclav Ovsik.
++- Cracklib update on Debian from Vaclav Ovsik.
++- Label /proc/kallsyms with system_map_t.
++- 64-bit capabilities from Stephen Smalley.
++- Labeled networking peer object class updates.
++
++* Fri Dec 14 2007 Chris PeBenito <selinux at tresys.com> - 20071214
++- Patch for debian logrotate to handle syslogd-listfiles, from Vaclav Ovsik.
++- Improve several tunables descriptions from Dan Walsh.
++- Patch to clean up ns switch usage in the policy from Dan Walsh.
++- More complete labeled networking infrastructure from KaiGai Kohei.
++- Add interface for libselinux constructor, for libselinux-linked
++  SELinux-enabled programs.
++- Patch to restructure user role templates to create restricted user roles
++  from Dan Walsh.
++- Russian man page translations from Andrey Markelov.
++- Remove unused types from dbus.
++- Add infrastructure for managing all user web content.
++- Deprecate some old file and dir permission set macros in favor of the
++  newer, more consistently-named macros.
++- Patch to clean up unescaped periods in several file context entries from
++  Jan-Frode Myklebust.
++- Merge shlib_t into lib_t.
++- Merge strict and targeted policies.  The policy will now behave like the
++  strict policy if the unconfined module is not present.  If it is, it will
++  behave like the targeted policy.  Added an unconfined role to have a mix
++  of confined and unconfined users.
++- Added modules:
++	exim (Dan Walsh)
++	postfixpolicyd (Jan-Frode Myklebust)
++
++* Fri Sep 28 2007 Chris PeBenito <selinux at tresys.com> - 20070928
++- Add support for setting the unknown permissions handling.
++- Fix XML building for external reference builds and headers builds.
++- Patch to add missing requirements in userdomain interfaces from Shintaro
++  Fujiwara.
++- Add tcpd_wrapped_domain() for services that use tcp wrappers.
++- Update MLS constraints from LSPP evaluated policy.
++- Allow initrc_t file descriptors to be inherited regardless of MLS level.
++  Accordingly drop MLS permissions from daemons that inherit from any level.
++- Files and radvd updates from Stefan Schulze Frielinghaus.
++- Deprecate mls_file_write_down() and mls_file_read_up(), replaced with
++  mls_write_all_levels() and mls_read_all_levels(), for consistency.
++- Add make kernel and init ranged interfaces pass the range transition MLS
++  constraints.  Also remove calls to mls_rangetrans_target() in modules that use
++  the kernel and init interfaces, since its redundant.
++- Add interfaces for all MLS attributes except X object classes.
++- Require all sensitivities and categories for MLS and MCS policies, not just
++  the low and high sensitivity and category.
++- Database userspace object manager classes from KaiGai Kohei.
++- Add third-party interface for Apache CGI.
++- Add getserv and shmemserv nscd permissions.
++- Add debian apcupsd binary location, from Stefan Schulze Frielinghaus.
++- Added modules:
++	application
++	awstats (Stefan Schulze Frielinghaus)
++	bitlbee (Devin Carraway)
++	brctl (Dan Walsh)
++
++* Fri Jun 29 2007 Chris PeBenito <selinux at tresys.com> - 20070629
++- Fix incorrectly named files_lib_filetrans_shared_lib() interface in the
++  libraries module.
++- Unified labeled networking policy from Paul Moore.
++- Use netmsg initial SID for MLS-only Netlabel packets, from Paul Moore.
++- Xen updates from Dan Walsh.
++- Filesystem updates from Dan Walsh.
++- Large samba update from Dan Walsh.
++- Drop snmpd_etc_t.
++- Confine sendmail and logrotate on targeted.
++- Tunable connection to postgresql for users from KaiGai Kohei.
++- Memprotect support patch from Stephen Smalley.
++- Add logging_send_audit_msgs() interface and deprecate
++  send_audit_msgs_pattern().
++- Openct updates patch from Dan Walsh.
++- Merge restorecon into setfiles.
++- Patch to begin separating out hald helper programs from Dan Walsh.
++- Fixes for squid, dovecot, and snmp from Dan Walsh.
++- Miscellaneous consolekit fixes from Dan Walsh.
++- Patch to have avahi use the nsswitch interface rather than individual
++  permissions from Dan Walsh.
++- Patch to dontaudit logrotate searching avahi pid directory from Dan Walsh.
++- Patch to allow insmod to mount kvmfs and dontaudit rw unconfined_t pipes
++  to handle usage from userhelper from Dan Walsh.
++- Patch to allow amavis to read spamassassin libraries from Dan Walsh.
++- Patch to allow slocate to getattr other filesystems and directories on those
++  filesystems from Dan Walsh.
++- Fixes for RHEL4 from the CLIP project.
++- Replace the old lrrd fc entries with munin ones.
++- Move program admin template usage out of userdom_admin_user_template() to
++  sysadm policy in userdomain.te to fix usage of the template for third
++  parties.
++- Fix clockspeed_run_cli() declaration, it was incorrectly defined as a
++  template instead of an interface.
++- Added modules:
++	amtu (Dan Walsh)
++	apcupsd (Dan Walsh)
++	rpcbind (Dan Walsh)
++	rwho (Nalin Dahyabhai)
++
++* Tue Apr 17 2007 Chris PeBenito <selinux at tresys.com> - 20070417
++- Patch for sasl's use of kerberos from Dan Walsh.
++- Patches to confine ldconfig, udev, and insmod in the targeted policy from Dan Walsh.
++- Man page updates from Dan Walsh.
++- Two patches from Paul Moore to for ipsec to remove redundant rules and
++  have setkey read the config file.
++- Move booleans and tunables to modules when it is only used in a single
++  module.
++- Add support for tunables and booleans local to a module.
++- Merge sbin_t and ls_exec_t into bin_t.
++- Remove disable_trans booleans.
++- Output different header sets for kernel and userland from flask headers.
++- Marked the pax class as deprecated, changed it to userland so
++  it will be removed from the kernel.
++- Stop including netfilter contexts by default.
++- Add dontaudits for init fds and console to init_daemon_domain().
++- Patch to allow gpg to create user keys dir.
++- Patch to support kvmfs from Dan Walsh.
++- Patch for misc fixes in sudo from Dan Walsh.
++- Patch to fix netlabel recvfrom MLS constraint from Paul Moore.
++- Patch for handling restart of nscd when ran from useradd, groupadd, and
++  admin passwd, from Dan Walsh.
++- Patch for procmail, spamassassin, and pyzor updates from Dan Walsh.
++- Patch for setroubleshoot for validating file contexts from Dan Walsh.
++- Patch for gssd fixes from Dan Walsh.
++- Patch for lvm fixes from Dan Walsh.
++- Patch for ricci fixes from Dan Walsh.
++- Patch for postfix lmtp labeling and pickup rule fix from Dan Walsh.
++- Patch for kerberized telnet fixes from Dan Walsh.
++- Patch for kerberized ftp and other ftp fixes from Dan Walsh.
++- Patch for an additional wine executable from Dan Walsh.
++- Eight patches for file contexts in games, wine, networkmanager, miscfiles,
++  corecommands, devices, and java from Dan Walsh.
++- Add support for libselinux 2.0.5 init_selinuxmnt() changes.
++- Patch for misc fixes to bluetooth from Dan Walsh.
++- Patch for misc fixes to kerberos from Dan Walsh.
++- Patch to start deprecating usercanread attribute from Ryan Bradetich.
++- Add dccp_socket object class which was added in kernel 2.6.20.
++- Patch for prelink relabefrom it's temp files from Dan Walsh.
++- Patch for capability fix for auditd and networking fix for syslogd from
++  Dan Walsh.
++- Patch to remove redundant mls_trusted_object() call from Dan Walsh.
++- Patch for misc fixes to nis ypxfr policy from Dan Walsh.
++- Patch to allow apmd to telinit from Dan Walsh.
++- Patch for additional labeling of samba files from Stefan Schulze
++  Frielinghaus.
++- Patch to remove incorrect cron labeling in apache.fc from Ryan Bradetich.
++- Fix ptys and ttys to be device nodes.
++- Fix explicit use of httpd_t in openca_domtrans().
++- Clean up file context regexes in apache and java, from Eamon Walsh.
++- Patches from Dan Walsh:
++	Thu, 25 Jan 2007
++- Added modules:
++	consolekit (Dan Walsh)
++	fail2ban (Dan Walsh)
++	zabbix (Dan Walsh)
++
++* Tue Dec 12 2006 Chris PeBenito <selinux at tresys.com> - 20061212
++- Add policy patterns support macros.  This changes the behavior of
++  the create_dir_perms and create_file_perms permission sets.
++- Association polmatch MLS constraint making unlabeled_t an exception
++  is no longer needed, patch from Venkat Yekkirala.
++- Context contains checking for PAM and cron from James Antill.
++- Add a reload target to Modules.devel and change the load
++  target to only insert modules that were changed.
++- Allow semanage to read from /root on strict non-MLS for
++  local policy modules.
++- Gentoo init script fixes for udev.
++- Allow udev to read kernel modules.inputmap.
++- Dnsmasq fixes from testing.
++- Allow kernel NFS server to getattr filesystems so df can work
++  on clients.
++- Patch from Matt Anderson for a MLS constraint exemption on a
++  file that can be written to from a subject whose range is
++  within the object's range.
++- Enhanced setransd support from Darrel Goeddel.
++- Patches from Dan Walsh:
++	Tue, 24 Oct 2006
++	Wed, 29 Nov 2006
++- Added modules:
++	aide (Matt Anderson)
++	ccs (Dan Walsh)
++	iscsi (Dan Walsh)
++	ricci (Dan Walsh)
++
++* Wed Oct 18 2006 Chris PeBenito <selinux at tresys.com> - 20061018
++- Patch from Russell Coker Thu, 5 Oct 2006
++- Move range transitions to modules.
++- Make number of MLS sensitivities, and number of MLS and MCS
++  categories configurable as build options.
++- Add role infrastructure.
++- Debian updates from Erich Schubert.
++- Add nscd_socket_use() to auth_use_nsswitch().
++- Remove old selopt rules.
++- Full support for netfilter_contexts.
++- MRTG patch for daemon operation from Stefan.
++- Add authlogin interface to abstract common access for login programs.
++- Remove setbool auditallow, except for RHEL4.
++- Change eventpollfs to task SID labeling.
++- Add key support from Michael LeMay.
++- Add ftpdctl domain to ftp, from Paul Howarth.
++- Fix build system to not move type declarations out of optionals.
++- Add gcc-config domain to portage.
++- Add packet object class and support in corenetwork.
++- Add a copy of genhomedircon for monolithic policy building, so that a
++  policycoreutils package update is not required for RHEL4 systems.
++- Add appletalk sockets for use in cups.
++- Add Make target to validate module linking.
++- Make duplicate template and interface declarations a fatal error.
++- Patch to stabilize modules.conf `make conf` output, from Erich Schubert.
++- Move xconsole_device_t from devices to xserver since it is
++  not actually a device, it is a named pipe.
++- Handle nonexistant .fc and .if files in devel Makefile by
++  automatically creating empty files.
++- Remove unused devfs_control_t.
++- Add rhel4 distro, which also implies redhat distro.
++- Remove unneeded range_transition for su_exec_t and move the
++  type declaration back to the su module.
++- Constrain transitions in MCS so unconfined_t cannot have
++  arbitrary category sets.
++- Change reiserfs from xattr filesystem to genfscon as it's xattrs
++  are currently nonfunctional.
++- Change files and filesystem modules to use their own interfaces.
++- Add user fonts to xserver.
++- Additional interfaces in corecommands, miscfiles, and userdomain
++  from Joy Latten.
++- Miscellaneous fixes from Thomas Bleher.
++- Deprecate module name as first parameter of optional_policy()
++  now that optionals are allowed everywhere.
++- Enable optional blocks in base module and monolithic policy.
++  This requires checkpolicy 1.30.1.
++- Fix vpn module declaration.
++- Numerous fixes from Dan Walsh.
++- Change build order to preserve m4 line number information so policy
++  compile errors are useful again.
++- Additional MLS interfaces from Chad Hanson.
++- Move some rules out of domain_type() and domain_base_type()
++  to the TE file, to use the domain attribute to take advantage
++  of space savings from attribute use.
++- Add global stack smashing protector rule for urandom access from
++  Petre Rodan.
++- Fix temporary rules at the bottom of portmap.
++- Updated comments in mls file from Chad Hanson.
++- Patches from Dan Walsh:
++	Fri, 17 Mar 2006
++	Wed, 29 Mar 2006
++	Tue, 11 Apr 2006
++	Fri, 14 Apr 2006
++	Tue, 18 Apr 2006
++	Thu, 20 Apr 2006
++	Tue, 02 May 2006
++	Mon, 15 May 2006
++	Thu, 18 May 2006
++	Tue, 06 Jun 2006
++	Mon, 12 Jun 2006
++	Tue, 20 Jun 2006
++	Wed, 26 Jul 2006
++	Wed, 23 Aug 2006
++	Thu, 31 Aug 2006
++	Fri, 01 Sep 2006
++	Tue, 05 Sep 2006
++	Wed, 20 Sep 2006
++	Fri, 22 Sep 2006
++	Mon, 25 Sep 2006
++- Added modules:
++	afs
++	amavis (Erich Schubert)
++	apt (Erich Schubert)
++	asterisk
++	audioentropy
++	authbind
++	backup
++	calamaris
++	cipe
++	clamav (Erich Schubert)
++	clockspeed (Petre Rodan)
++	courier
++	dante
++	dcc
++	ddclient
++	dpkg (Erich Schubert)
++	dnsmasq
++	ethereal
++	evolution
++	games
++	gatekeeper
++	gift
++	gnome (James Carter)
++	imaze
++	ircd
++	jabber
++	monop
++	mozilla
++	mplayer
++	munin
++	nagios
++	nessus
++	netlabel (Paul Moore)
++	nsd
++	ntop
++	nx
++	oav
++	oddjob (Dan Walsh)
++	openca
++	openvpn (Petre Rodan)
++	perdition
++	portslave
++	postgrey
++	pxe
++	pyzor (Dan Walsh)
++	qmail (Petre Rodan)
++	razor
++	resmgr
++	rhgb
++	rssh
++	snort
++	soundserver
++	speedtouch
++	sxid
++	thunderbird
++	tor (Erich Schubert)
++	transproxy
++	tripwire
++	uptime
++	uwimap
++	vmware
++	watchdog
++	xen (Dan Walsh)
++	xprint
++	yam
++
++* Tue Mar 07 2006 Chris PeBenito <selinux at tresys.com> - 20060307
++- Make all interface parameters required.
++- Move boot_t, system_map_t, and modules_object_t to files module,
++  and move bootloader to admin layer.
++- Add semanage policy for semodule from Dan Walsh.
++- Remove allow_execmem from targeted policy domain_base_type().
++- Add users_extra and seusers support.
++- Postfix fixes from Serge Hallyn.
++- Run python and shell directly to interpret scripts so policy
++  sources need not be executable.
++- Add desc tag XML to booleans and tunables, and add summary
++  to param XML tag, to make future translations possible.
++- Remove unused lvm_vg_t.
++- Many interface renames to improve naming consistency.
++- Merge xdm into xserver.
++- Remove kernel module reversed interfaces.
++- Add filename attribute to module XML tag and lineno attribute to
++  interface XML tag.
++- Changed QUIET build option to a yes or no option.
++- Add a Makefile used for compiling loadable modules in a
++  user's development environment, building against policy headers.
++- Add Make target for installing policy headers.
++- Separate per-userdomain template expansion from the userdomain
++  module and add infrastructure to expand templates in the modules
++  that own the template.
++- Enable secadm only for MLS policies.
++- Remove role change rules in su and sudo since this functionality has been
++  removed from these programs.
++- Add ctags Make target from Thomas Bleher.
++- Collapse commands with grep piped to sed into one sed command.
++- Fix type_change bug in term_user_pty().
++- Move ice_tmp_t from miscfiles to xserver.
++- Login fixes from Serge Hallyn.
++- Move xserver_log_t from xdm to xserver.
++- Add lpr per-userdomain policy to lpd.
++- Miscellaneous fixes from Dan Walsh.
++- Change initrc_var_run_t interface noun from script_pid to utmp,
++  for greater clarity.
++- Added modules:
++	certwatch
++	mono (Dan Walsh)
++	mrtg
++	portage
++	tvtime
++	userhelper
++	usernetctl
++	wine (Dan Walsh)
++	xserver
++
++* Tue Jan 17 2006 Chris PeBenito <selinux at tresys.com> - 20060117
++- Adds support for generating corenetwork interfaces based on attributes 
++  in addition to types.
++- Permits the listing of multiple nodes in a network_node() that will be
++  given the same type.
++- Add two new permission sets for stream sockets.
++- Rename file type transition interfaces verb from create to
++  filetrans to differentiate it from create interfaces without
++  type transitions.
++- Fix expansion of interfaces from disabled modules.
++- Rsync can be long running from init,
++  added rules to allow this.
++- Add polyinstantiation build option.
++- Add setcontext to the association object class.
++- Add apache relay and db connect tunables.
++- Rename texrel_shlib_t to textrel_shlib_t.
++- Add swat to samba module.
++- Numerous miscellaneous fixes from Dan Walsh.
++- Added modules:
++	alsa
++	automount
++	cdrecord
++	daemontools (Petre Rodan)
++	ddcprobe
++	djbdns (Petre Rodan)
++	fetchmail
++	irc
++	java
++	lockdev
++	logwatch (Dan Walsh)
++	openct
++	prelink (Dan Walsh)
++	publicfile (Petre Rodan)
++	readahead
++	roundup
++	screen
++	slocate (Dan Walsh)
++	slrnpull
++	smartmon
++	sysstat
++	ucspitcp (Petre Rodan)
++	usbmodules
++	vbetool (Dan Walsh)
++
++* Wed Dec 07 2005 Chris PeBenito <selinux at tresys.com> - 20051207
++- Add unlabeled IPSEC association rule to domains with
++  networking permissions.
++- Merge systemuser back in to users, as these files
++  do not need to be split.
++- Add check for duplicate interface/template definitions.
++- Move domain, files, and corecommands modules to kernel
++  layer to resolve some layering inconsistencies.
++- Move policy build options out of Makefile into build.conf.
++- Add yppasswd to nis module.
++- Change optional_policy() to refer to the module name
++  rather than modulename.te.
++- Fix labeling targets to use installed file_contexts rather
++  than partial file_contexts in the policy source directory.
++- Fix build process to use make's internal vpath functions
++  to detect modules rather than using subshells and find.
++- Add install target for modular policy.
++- Add load target for modular policy.
++- Add appconfig dependency to the load target.
++- Miscellaneous fixes from Dan Walsh.
++- Fix corenetwork gen_context()'s to expand during the policy
++  build phase instead of during the generation phase.  
++- Added policies:
++	amanda
++	avahi
++	canna
++	cyrus
++	dbskk
++	dovecot
++	distcc
++	i18n_input
++	irqbalance
++	lpd
++	networkmanager
++	pegasus
++	postfix
++	procmail
++	radius
++	rdisc
++	rpc
++	spamassassin
++	timidity
++	xdm
++	xfs
++
++* Wed Oct 19 2005 Chris PeBenito <selinux at tresys.com> - 20051019
++- Many fixes to make loadable modules build.
++- Add targets for sechecker.
++- Updated to sedoctool to read bool files and tunable
++  files separately.
++- Changed the xml tag of <boolean> to <bool> to be consistent
++  with gen_bool().
++- Modified the implementation of segenxml to use regular
++  expressions.
++- Rename context_template() to gen_context() to clarify
++  that its not a Reference Policy template, but a support
++  macro.
++- Add disable_*_trans bool support for targeted policy.
++- Add MLS module to handle MLS constraint exceptions,
++  such as reading up and writing down.
++- Fix errors uncovered by sediff.
++- Added policies:
++	anaconda
++	apache
++	apm
++	arpwatch
++	bluetooth
++	dmidecode
++	finger
++	ftp
++	kudzu
++	mailman
++	ppp
++	radvd
++	sasl
++	webalizer
++
++* Thu Sep 22 2005 Chris PeBenito <selinux at tresys.com> - 20050922
++- Make logrotate, sendmail, sshd, and rpm policies
++  unconfined in the targeted policy so no special
++  modules.conf is required.
++- Add experimental MCS support.
++- Add appconfig for MLS.
++- Add equivalents for old can_resolve(), can_ldap(), and
++  can_portmap() to sysnetwork.
++- Fix base module compile issues.
++- Added policies:
++	cpucontrol
++	cvs
++	ktalk
++	portmap
++	postgresql
++	rlogin
++	samba
++	snmp
++	stunnel
++	telnet
++	tftp
++	uucp
++	vpn
++	zebra
++
++* Wed Sep 07 2005 Chris PeBenito <selinux at tresys.com> - 20050907
++- Fix errors uncovered by sediff.
++- Doc tool will explicitly say a module does not have interfaces
++  or templates on the module page.
++- Added policies:
++	comsat
++	dbus
++	dhcp
++	dictd
++	hal
++	inn
++	ntp
++	squid
++
++* Fri Aug 26 2005 Chris PeBenito <selinux at tresys.com> - 20050826
++- Add Makefile support for building loadable modules.
++- Add genclassperms.py tool to add require blocks
++  for loadable modules.
++- Change sedoctool to make required modules part of base
++  by default, otherwise make as modules, in modules.conf.
++- Fix segenxml to handle modules with no interfaces.
++- Rename ipsec connect interface for consistency.
++- Add missing parts of unix stream socket connect interface
++  of ipsec.
++- Rename inetd connect interface for consistency.
++- Rename interface for purging contents of tmp, for clarity,
++  since it allows deletion of classes other than file.
++- Misc. cleanups.
++- Added policies:
++	acct
++	bind
++	firstboot
++	gpm
++	howl
++	ldap
++	loadkeys
++	mysql
++	privoxy
++	quota
++	rshd
++	rsync
++	su
++	sudo
++	tcpd
++	tmpreaper
++	updfstab
++
++* Tue Aug 2 2005 Chris PeBenito <selinux at tresys.com> - 20050802
++- Fix comparison bug in fc_sort.
++- Fix handling of ordered and unordered HTML lists.
++- Corenetwork now supports multiple network interfaces having the
++  same type.
++- Doc tool now creates pages for global Booleans and global tunables.
++- Doc tool now links directly to the interface/template in the
++  module page when it is selected in the interface/template index.
++- Added support for layer summaries.
++- Added policies:
++	ipsec
++	nscd
++	pcmcia
++	raid
++
++* Thu Jul 7 2005 Chris PeBenito <selinux at tresys.com> - 20050707
++- Changed xml to have modules encapsulated by layer tags, rather
++  than putting layer="foo" in the module tags.  Also in the future
++  we can put a summary and description for each layer.
++- Added tool to infer interface, module, and layer tags.  This will
++  now list all interfaces, even if they are missing xml docs.
++- Shortened xml tag names.
++- Added macros to declare interfaces and templates.
++- Added interface call trace.
++- Updated all xml documentation for shorter and inferred tags.
++- Doc tool now displays templates in the web pages.
++- Doc tool retains the user's settings in modules.conf and
++  tunables.conf if the files already exist.
++- Modules.conf behavior has been changed to be a list of all
++  available modules, and the user can specify if the module is
++  built as a loadable module, included in the monolithic policy,
++  or excluded.
++- Added policies:
++	fstools (fsck, mkfs, swapon, etc. tools)
++	logrotate
++	inetd
++	kerberos
++	nis (ypbind and ypserv)
++	ssh (server, client, and agent)
++	unconfined
++- Added infrastructure for targeted policy support, only missing
++	transition boolean support.
++
++* Wed Jun 15 2005 Chris PeBenito <selinux at tresys.com> - 20050615
++	- Initial release
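Review bot: the Changelog hunk ending here (`@@ -1,216 +1,952 @@`, index 5fcca55..672e632) and the Changelog.old deletion that follows (`@@ -1,952 +0,0 @@`, index 672e632..0000000) end on the same blob, 672e632. Together they move Changelog.old over Changelog unchanged, but the move is recorded as a 952-line add plus a 952-line delete. None of the items in the commit subject (networkmanager_sigchld, resolv.conf labels, dnssec-trigger, the mongodb port, files_search_all_pids) mentions this swap, and it buries the actual policy changes in policy-f20-base.patch under roughly two thousand lines of changelog text. Consider regenerating the base patch with rename and rewrite detection (`-M -B`) so the move collapses to a few header lines, or leaving the Changelog files out of the base patch, and say in the commit message which was done. While regenerating, note that the added text carries trailing whitespace (for example after "based on attributes" and "generation phase.") that will trip whitespace checks when the patch is applied.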
+diff --git a/Changelog.old b/Changelog.old
+deleted file mode 100644
+index 672e632..0000000
+--- a/Changelog.old
++++ /dev/null
+@@ -1,952 +0,0 @@
+-- Mcelog update from Guido Trentalancia.
+-- Added contrib modules:
+-	bird (Dominick Grift)
+-
+-* Wed Jul 25 2012 Chris PeBenito <selinux at tresys.com> - 2.20120725
+-- Rename epollwakeup capability2 permission to block_suspend to match the
+-  corresponding kernel capability rename.
+-- Udev and init changes to support /run, from Sven Vermeulen.
+-- auth_use_nsswitch updates from Miroslav Grepl.
+-- Mount runtime files fix from Guido Trentalancia.
+-- Update Python scripts to support Python 3, from Sven Vermeulen.
+-- Update capability2 object class for new wake_alarm and epollwakeup
+-  capabilities.
+-- SEPostgresql updates from Kohei KaiGai.
+-- Simplify file contexts based on file context path substitutions, from Sven
+-  Vermeulen.
+-- Add optional name for kernel and system filetrans interfaces.
+-- Non-auth file attribute to eliminate set expressions, from James Carter.
+-- Virt updates from Sven Vermeulen.
+-- Various dontaudits from Sven Vermeulen.
+-- Fix base module and monolithic role declaration ordering issue now that
+-  role declarations must be explicit, from Harry Ciao.
+-- Added contrib modules:
+-	bacula (Stan Sander/Sven Vermeulen)
+-	bcfg2 (Miroslav Grepl)
+-	blueman (Miroslav Grepl)
+-
+-* Wed Feb 15 2012 Chris PeBenito <selinux at tresys.com> - 2.20120215
+-- Sshd usage of mkhomedir_helper via oddjob, from Sven Vermeulen.
+-- Add slim and lxdm file contexts to xserver, from Sven Vermeulen.
+-- Add userdom interfaces for user application domains, user tmp files,
+-  and user tmpfs files.
+-- Asterisk administration fixes from Sven Vermeulen.
+-- Fix makefiles to install files with the correct DAC permissions if the
+-  umask is not 022.
+-- Remove deprecated support macros.
+-- Remove rolemap and per-role template support.
+-- Change corenetwork port declaration to apply the reserved port type
+-  attribute only, when the type has ports above and below 1024.
+-- Change secure_mode_policyload to disable only toggling of this Boolean
+-  rather than disabling all Boolean toggling permissions.
+-- Use role attributes to assist with domain transitions in interactive
+-  programs.
+-- Milter ports patch from Paul Howarth.
+-- Separate portage fetch rules out of portage_run() and portage_domtrans()
+-  from Sven Vermeulen.
+-- Enhance corenetwork network_port() macro to support ports that do not have
+-  a well defined port number, such as stunnel.
+-- Opendkim support in dkim module from Paul Howarth.
+-- Wireshark updates from Sven Vermeulen.
+-- Change secure_mode_insmod to control sys_module capability rather than
+-  controlling domain transitions to insmod.
+-- Openrc and portage updates from Sven Vermeulen.
+-- Allow user and role changes on dynamic transitions with the same
+-  constraints as regular transitions.
+-- New git service features from Dominick Grift.
+-- Corenetwork policy size optimization from Dan Walsh.
+-- Silence spurious udp_socket listen denials.
+-- Fix unexpanded MLS/MCS fields in monolithic seusers file.
+-- Type transition fix in Postgresql database objects from KaiGai Kohei.
+-- Support for file context path substitutions (file_contexts.subs).
+-- Added contrib modules:
+-	glance (Dan Walsh)
+-	rhsmcertd (Dan Walsh)
+-	sanlock (Dan Walsh)
+-	sblim (Dan Walsh)
+-	uuidd (Dan Walsh)
+-	vdagent (Dan Walsh)
+-
+-* Tue Jul 26 2011 Chris PeBenito <selinux at tresys.com> - 2.20110726
+-- Fix role declarations to handle role attribute compilers.
+-- Rename audioentropy module to entropyd due to haveged support.
+-- Add haveged support from Sven Vermeulen.
+-- Authentication file patch from Matthew Ife.
+-- Add agent support to zabbix from Sven Vermeulen.
+-- Cyrus file context update for Gentoo from Corentin Labbe.
+-- Portage updates from Sven Vermeulen.
+-- Fix init_system_domain() description, pointed out by Elia Pinto.
+-- Postgresql selabel_lookup update from KaiGai Kohei.
+-- Dovecot managesieve support from Mika Pfluger.
+-- Semicolon after interface/template calls cleanup from Elia Pinto.
+-- Gentoo courier updates from Sven Vermeulen.
+-- Amavis patch for connecting to nslcd from Miroslav Grepl.
+-- Shorewall patch from Miroslav Grepl.
+-- Cpufreqselector dbus patch from Guido Trentalancia.
+-- Cron pam_namespace and pam_loginuid support from Harry Ciao.
+-- Xserver update for startx from Sven Vermeulen.
+-- Fix MLS constraint for contains permission from Harry Ciao.
+-- Apache user webpages fix from Dominick Grift.
+-- Change default build.conf to modular policy from Stephen Smalley.
+-- Xen refinement patch from Stephen Smalley.
+-- Sudo timestamp file location update from Sven Vermeulen.
+-- XServer keyboard event patch from Sven Vermeulen.
+-- RAID uevent patch from Sven Vermeulen.
+-- Gentoo ALSA init script usage patch from Sven Vermeulen.
+-- LVM semaphore usage patch from Sven Vermeulen.
+-- Module load request patch for insmod from Sven Vermeulen.
+-- Cron default contexts fix from Harry Ciao.
+-- Man page fixes from Justin Mattock.
+-- Add syslog capability.
+-- Support for logging in to /dev/console, from Harry Ciao.
+-- Database object class updates and associated SEPostgreSQL changes from
+-  KaiGai Kohei.
+-- IPSEC SPD and Hadoop IPSEC updates from Paul Nuzzi.
+-- Mount updates from Harry Ciao.
+-- Semanage update for MLS systems from Harry Ciao.
+-- Vlock terminal use update from Harry Ciao.
+-- Hadoop CDH3 updates from Paul Nuzzi.
+-- Add sepgsql_contexts appconfig files from KaiGai Kohei.
+-- Added modules:
+-	aiccu
+-	bugzilla (Dan Walsh)
+-	colord (Dan Walsh)
+-	cmirrord (Miroslav Grepl)
+-	mediawiki (Miroslav Grepl)
+-	mpd (Miroslav Grepl)
+-	ncftool
+-	passenger (Miroslav Grepl)
+-	qpid (Dan Walsh)
+-	samhain (Harry Ciao)
+-	telepathy (Dominick Grift)
+-	tcsd (Stephen Smalley)
+-	vnstatd (Dan Walsh)
+-	zarafa (Miroslav Grepl)
+-
+-* Mon Dec 13 2010 Chris PeBenito <selinux at tresys.com> - 2.20101213
+-- Git man page from Dominick Grift.
+-- Alsa and oident home content cleanup from Dominick Grift.
+-- Add support for custom build options.
+-- Unconditional staff and user oidentd home config access from Dominick Grift.
+-- Conditional mmap_zero support from Dominick Grift.
+-- Added devtmpfs support.
+-- Dbadm updates from KaiGai Kohei.
+-- Virtio disk file context update from Mika Pfluger.
+-- Increase bindreservport range to 512-1024 in corenetwork, from Dan Walsh.
+-- Add JIT usage for freshclam.
+-- Remove ethereal module since the application was renamed to wireshark.
+-- Remove duplicate/redundant rules, from Russell Coker.
+-- Increased default number of categories to 1024, from Russell Coker.
+-- Added modules:
+-	accountsd (Dan Walsh)
+-	cgroup (Dominick Grift)
+-	hadoop (Paul Nuzzi)
+-	kdumpgui (Dan Walsh)
+-	livecd (Dan Walsh)
+-	mojomojo (Iain Arnell)
+-	sambagui (Dan Walsh)
+-	shutdown (Dan Walsh)
+-	sosreport (Dan Walsh)
+-	vlock (Harry Ciao)
+-
+-* Mon May 24 2010 Chris PeBenito <selinux at tresys.com> - 2.20100524
+-- Merged a significant portion of Fedora policy.
+-- Move rules from mta mailserver delivery from interface to .te to use
+-  attributes.
+-- Remove concept of users from terminal module interfaces since the
+-  attributes are not specific to users.
+-- Add non-drawing X client support, for consolekit usage.
+-- Misc Gentoo fixes from Chris Richards.
+-- AFS and abrt fixes from Dominick Grift.
+-- Improved the XML docs of 55 most-used interfaces.
+-- Apcupsd and amavis fixes from Dominick Grift.
+-- Fix network_port() in corenetwork to correctly handle port ranges.
+-- SE-Postgresql updates from KaiGai Kohei.
+-- X object manager revisions from Eamon Walsh.
+-- Added modules:
+-	aisexec (Dan Walsh)
+-	chronyd (Miroslav Grepl)
+-	cobbler (Dominick Grift)
+-	corosync (Dan Walsh)
+-	dbadm (KaiGai Kohei)
+-	denyhosts (Dan Walsh)
+-	nut (Stefan Schulze Frielinghaus, Miroslav Grepl)
+-	likewise (Scott Salley)
+-	plymouthd (Dan Walsh)
+-	pyicqt (Stefan Schulze Frielinghaus)
+-	rhcs (Dan Walsh)
+-	rgmanager (Dan Walsh)
+-	sectoolm (Miroslav Grepl)
+-	usbmuxd (Dan Walsh)
+-	vhostmd (Dan Walsh)
+-
+-* Tue Nov 17 2009 Chris PeBenito <selinux at tresys.com> - 2.20091117
+-- Add separate x_pointer and x_keyboard classes inheriting from x_device. 
+-  From Eamon Walsh.
+-- Deprecated the userdom_xwindows_client_template().
+-- Misc Gentoo fixes from Corentin Labbe.
+-- Debian policykit fixes from Martin Orr.
+-- Fix unconfined_r use of unconfined_java_t.
+-- Add missing x_device rules for XI2 functions, from Eamon Walsh.
+-- Add missing rules to make unconfined_cronjob_t a valid cron job domain.
+-- Add btrfs and ext4 to labeling targets.
+-- Fix infrastructure to expand macros in initrc_context when installing.
+-- Handle unix_chkpwd usage by useradd and groupadd.
+-- Add missing compatibility aliases for xdm_xserver*_t types.
+-- Added modules:
+-	abrt (Dan Walsh)
+-	dkim (Stefan Schulze Frielinghaus)
+-	gitosis (Miroslav Grepl)
+-	gnomeclock (Dan Walsh)
+-	hddtemp (Dan Walsh)
+-	kdump (Dan Walsh)
+-	modemmanager(Dan Walsh)
+-	nslcd (Dan Walsh)
+-	puppet (Craig Grube)
+-	rtkit (Dan Walsh)
+-	seunshare (Dan Walsh)
+-	shorewall (Dan Walsh)
+-	tgtd (Matthew Ife)
+-	tuned (Miroslav Grepl)
+-	xscreensaver (Corentin Labbe)
+-
+-* Thu Jul 30 2009 Chris PeBenito <selinux at tresys.com> - 2.20090730
+-- Gentoo fixes for init scripts and system startup.
+-- Remove read_default_t tunable.
+-- Greylist milter from Paul Howarth.
+-- Crack db access for su to handle password expiration, from Brandon Whalen.
+-- Misc fixes for unix_update from Brandon Whalen.
+-- Add x_device permissions for XI2 functions, from Eamon Walsh.
+-- MLS constraints for the x_selection class, from Eamon Walsh.
+-- Postgresql updates from KaiGai Kohei.
+-- Milter state directory patch from Paul Howarth.
+-- Add MLS constrains for ingress/egress and secmark from Paul Moore.
+-- Drop write permission from fs_read_rpc_sockets().
+-- Remove unused udev_runtime_t type.
+-- Patch for RadSec port from Glen Turner.
+-- Enable network_peer_controls policy capability from Paul Moore.
+-- Btrfs xattr support from Paul Moore.
+-- Add db_procedure install permission from KaiGai Kohei.
+-- Add support for network interfaces with access controlled by a Boolean
+-  from the CLIP project.
+-- Several fixes from the CLIP project.
+-- Add support for labeled Booleans.
+-- Remove node definitions and change node usage to generic nodes.
+-- Add kernel_service access vectors, from Stephen Smalley.
+-- Added modules:
+-	certmaster (Dan Walsh)
+-	cpufreqselector (Dan Walsh)
+-	devicekit (Dan Walsh)
+-	fprintd (Dan Walsh)
+-	git (Dan Walsh)
+-	gpsd (Miroslav Grepl)
+-	guest (Dan Walsh)
+-	ifplugd (Dan Walsh)
+-	lircd (Miroslav Grepl)
+-	logadm (Dan Walsh)
+-	pads (Dan Walsh)
+-	pingd (Dan Walsh)
+-	policykit (Dan Walsh)
+-	pulseaudio (Dan Walsh)
+-	psad (Dan Walsh)
+-	portreserve (Dan Walsh)
+-	sssd (Dan Walsh)
+-	ulogd (Dan Walsh)
+-	varnishd (Dan Walsh)
+-	webadm (Dan Walsh)
+-	wm (Dan Walsh)
+-	xguest (Dan Walsh)
+-	zosremote (Dan Walsh)
+-
+-* Wed Dec 10 2008 Chris PeBenito <selinux at tresys.com> - 2.20081210
+-- Fix consistency of audioentropy and iscsi module naming.
+-- Debian file context fix for xen from Russell Coker.
+-- Xserver MLS fix from Eamon Walsh.
+-- Add omapi port for dhcpcd.
+-- Deprecate per-role templates and rolemap support.
+-- Implement user-based access control for use as role separations.
+-- Move shared library calls from individual modules to the domain module.
+-- Enable open permission checks policy capability.
+-- Remove hierarchy from portage module as it is not a good example of
+-  hieararchy.
+-- Remove enableaudit target from modular build as semodule -DB supplants it.
+-- Added modules:
+-	milter (Paul Howarth)
+-
+-* Tue Oct 14 2008 Chris PeBenito <selinux at tresys.com> - 20081014
+-- Debian update for NetworkManager/wpa_supplicant from Martin Orr.
+-- Logrotate and Bind updates from Vaclav Ovsik.
+-- Init script file and domain support.
+-- Glibc 2.7 fix from Vaclav Ovsik.
+-- Samba/winbind update from Mike Edenfield.
+-- Policy size optimization with a non-security file attribute from James
+-  Carter.
+-- Database labeled networking update from KaiGai Kohei.
+-- Several misc changes from the Fedora policy, cherry picked by David
+-  Hardeman.
+-- Large whitespace fix from Dominick Grift.
+-- Pam_mount fix for local login from Stefan Schulze Frielinghaus.
+-- Issuing commands to upstart is over a datagram socket, not the initctl
+-  named pipe.  Updated init_telinit() to match.
+-- Added modules:
+-	cyphesis (Dan Walsh)
+-	memcached (Dan Walsh)
+-	oident (Dominick Grift)
+-	w3c (Dan Walsh)
+-
+-* Wed Jul 02 2008 Chris PeBenito <selinux at tresys.com> - 20080702
+-- Fix httpd_enable_homedirs to actually provide the access it is supposed to
+-  provide.
+-- Add unused interface/template parameter metadata in XML.
+-- Patch to handle postfix data_directory from Vaclav Ovsik.
+-- SE-Postgresql policy from KaiGai Kohei.
+-- Patch for X.org dbus support from Martin Orr.
+-- Patch for labeled networking controls in 2.6.25 from Paul Moore.
+-- Module loading now requires setsched on kernel threads.
+-- Patch to allow gpg agent --write-env-file option from Vaclav Ovsik.
+-- X application data class from Eamon Walsh and Ted Toth.
+-- Move user roles into individual modules.
+-- Make hald_log_t a log file.
+-- Cryptsetup runs shell scripts.  Patch from Martin Orr.
+-- Add file for enabling policy capabilities.
+-- Patch to fix leaky interface/template call depth calculator from Vaclav
+-  Ovsik.
+-- Added modules:
+-	kerneloops (Dan Walsh)
+-	kismet (Dan Walsh)
+-	podsleuth (Dan Walsh)
+-	prelude (Dan Walsh)
+-	qemu (Dan Walsh)
+-	virt (Dan Walsh)
+-
+-* Wed Apr 02 2008 Chris PeBenito <selinux at tresys.com> - 20080402
+-- Add core Security Enhanced X Windows support.
+-- Fix winbind socket connection interface for default location of the
+-  sock_file.
+-- Add wireshark module based on ethereal module.
+-- Revise upstart support in init module to use a tunable, as upstart is now
+-  used in Fedora too.
+-- Add iferror.m4 rather generate it out of the Makefiles.
+-- Definitions for open permisson on file and similar objects from Eric
+-  Paris.
+-- Apt updates for ptys and logs, from Martin Orr.
+-- RPC update from Vaclav Ovsik.
+-- Exim updates on Debian from Devin Carrawy.
+-- Pam and samba updates from Stefan Schulze Frielinghaus.
+-- Backup update on Debian from Vaclav Ovsik.
+-- Cracklib update on Debian from Vaclav Ovsik.
+-- Label /proc/kallsyms with system_map_t.
+-- 64-bit capabilities from Stephen Smalley.
+-- Labeled networking peer object class updates.
+-
+-* Fri Dec 14 2007 Chris PeBenito <selinux at tresys.com> - 20071214
+-- Patch for debian logrotate to handle syslogd-listfiles, from Vaclav Ovsik.
+-- Improve several tunables descriptions from Dan Walsh.
+-- Patch to clean up ns switch usage in the policy from Dan Walsh.
+-- More complete labeled networking infrastructure from KaiGai Kohei.
+-- Add interface for libselinux constructor, for libselinux-linked
+-  SELinux-enabled programs.
+-- Patch to restructure user role templates to create restricted user roles
+-  from Dan Walsh.
+-- Russian man page translations from Andrey Markelov.
+-- Remove unused types from dbus.
+-- Add infrastructure for managing all user web content.
+-- Deprecate some old file and dir permission set macros in favor of the
+-  newer, more consistently-named macros.
+-- Patch to clean up unescaped periods in several file context entries from
+-  Jan-Frode Myklebust.
+-- Merge shlib_t into lib_t.
+-- Merge strict and targeted policies.  The policy will now behave like the
+-  strict policy if the unconfined module is not present.  If it is, it will
+-  behave like the targeted policy.  Added an unconfined role to have a mix
+-  of confined and unconfined users.
+-- Added modules:
+-	exim (Dan Walsh)
+-	postfixpolicyd (Jan-Frode Myklebust)
+-
+-* Fri Sep 28 2007 Chris PeBenito <selinux at tresys.com> - 20070928
+-- Add support for setting the unknown permissions handling.
+-- Fix XML building for external reference builds and headers builds.
+-- Patch to add missing requirements in userdomain interfaces from Shintaro
+-  Fujiwara.
+-- Add tcpd_wrapped_domain() for services that use tcp wrappers.
+-- Update MLS constraints from LSPP evaluated policy.
+-- Allow initrc_t file descriptors to be inherited regardless of MLS level.
+-  Accordingly drop MLS permissions from daemons that inherit from any level.
+-- Files and radvd updates from Stefan Schulze Frielinghaus.
+-- Deprecate mls_file_write_down() and mls_file_read_up(), replaced with
+-  mls_write_all_levels() and mls_read_all_levels(), for consistency.
+-- Add make kernel and init ranged interfaces pass the range transition MLS
+-  constraints.  Also remove calls to mls_rangetrans_target() in modules that use
+-  the kernel and init interfaces, since its redundant.
+-- Add interfaces for all MLS attributes except X object classes.
+-- Require all sensitivities and categories for MLS and MCS policies, not just
+-  the low and high sensitivity and category.
+-- Database userspace object manager classes from KaiGai Kohei.
+-- Add third-party interface for Apache CGI.
+-- Add getserv and shmemserv nscd permissions.
+-- Add debian apcupsd binary location, from Stefan Schulze Frielinghaus.
+-- Added modules:
+-	application
+-	awstats (Stefan Schulze Frielinghaus)
+-	bitlbee (Devin Carraway)
+-	brctl (Dan Walsh)
+-
+-* Fri Jun 29 2007 Chris PeBenito <selinux at tresys.com> - 20070629
+-- Fix incorrectly named files_lib_filetrans_shared_lib() interface in the
+-  libraries module.
+-- Unified labeled networking policy from Paul Moore.
+-- Use netmsg initial SID for MLS-only Netlabel packets, from Paul Moore.
+-- Xen updates from Dan Walsh.
+-- Filesystem updates from Dan Walsh.
+-- Large samba update from Dan Walsh.
+-- Drop snmpd_etc_t.
+-- Confine sendmail and logrotate on targeted.
+-- Tunable connection to postgresql for users from KaiGai Kohei.
+-- Memprotect support patch from Stephen Smalley.
+-- Add logging_send_audit_msgs() interface and deprecate
+-  send_audit_msgs_pattern().
+-- Openct updates patch from Dan Walsh.
+-- Merge restorecon into setfiles.
+-- Patch to begin separating out hald helper programs from Dan Walsh.
+-- Fixes for squid, dovecot, and snmp from Dan Walsh.
+-- Miscellaneous consolekit fixes from Dan Walsh.
+-- Patch to have avahi use the nsswitch interface rather than individual
+-  permissions from Dan Walsh.
+-- Patch to dontaudit logrotate searching avahi pid directory from Dan Walsh.
+-- Patch to allow insmod to mount kvmfs and dontaudit rw unconfined_t pipes
+-  to handle usage from userhelper from Dan Walsh.
+-- Patch to allow amavis to read spamassassin libraries from Dan Walsh.
+-- Patch to allow slocate to getattr other filesystems and directories on those
+-  filesystems from Dan Walsh.
+-- Fixes for RHEL4 from the CLIP project.
+-- Replace the old lrrd fc entries with munin ones.
+-- Move program admin template usage out of userdom_admin_user_template() to
+-  sysadm policy in userdomain.te to fix usage of the template for third
+-  parties.
+-- Fix clockspeed_run_cli() declaration, it was incorrectly defined as a
+-  template instead of an interface.
+-- Added modules:
+-	amtu (Dan Walsh)
+-	apcupsd (Dan Walsh)
+-	rpcbind (Dan Walsh)
+-	rwho (Nalin Dahyabhai)
+-
+-* Tue Apr 17 2007 Chris PeBenito <selinux at tresys.com> - 20070417
+-- Patch for sasl's use of kerberos from Dan Walsh.
+-- Patches to confine ldconfig, udev, and insmod in the targeted policy from Dan Walsh.
+-- Man page updates from Dan Walsh.
+-- Two patches from Paul Moore to for ipsec to remove redundant rules and
+-  have setkey read the config file.
+-- Move booleans and tunables to modules when it is only used in a single
+-  module.
+-- Add support for tunables and booleans local to a module.
+-- Merge sbin_t and ls_exec_t into bin_t.
+-- Remove disable_trans booleans.
+-- Output different header sets for kernel and userland from flask headers.
+-- Marked the pax class as deprecated, changed it to userland so
+-  it will be removed from the kernel.
+-- Stop including netfilter contexts by default.
+-- Add dontaudits for init fds and console to init_daemon_domain().
+-- Patch to allow gpg to create user keys dir.
+-- Patch to support kvmfs from Dan Walsh.
+-- Patch for misc fixes in sudo from Dan Walsh.
+-- Patch to fix netlabel recvfrom MLS constraint from Paul Moore.
+-- Patch for handling restart of nscd when ran from useradd, groupadd, and
+-  admin passwd, from Dan Walsh.
+-- Patch for procmail, spamassassin, and pyzor updates from Dan Walsh.
+-- Patch for setroubleshoot for validating file contexts from Dan Walsh.
+-- Patch for gssd fixes from Dan Walsh.
+-- Patch for lvm fixes from Dan Walsh.
+-- Patch for ricci fixes from Dan Walsh.
+-- Patch for postfix lmtp labeling and pickup rule fix from Dan Walsh.
+-- Patch for kerberized telnet fixes from Dan Walsh.
+-- Patch for kerberized ftp and other ftp fixes from Dan Walsh.
+-- Patch for an additional wine executable from Dan Walsh.
+-- Eight patches for file contexts in games, wine, networkmanager, miscfiles,
+-  corecommands, devices, and java from Dan Walsh.
+-- Add support for libselinux 2.0.5 init_selinuxmnt() changes.
+-- Patch for misc fixes to bluetooth from Dan Walsh.
+-- Patch for misc fixes to kerberos from Dan Walsh.
+-- Patch to start deprecating usercanread attribute from Ryan Bradetich.
+-- Add dccp_socket object class which was added in kernel 2.6.20.
+-- Patch for prelink relabefrom it's temp files from Dan Walsh.
+-- Patch for capability fix for auditd and networking fix for syslogd from
+-  Dan Walsh.
+-- Patch to remove redundant mls_trusted_object() call from Dan Walsh.
+-- Patch for misc fixes to nis ypxfr policy from Dan Walsh.
+-- Patch to allow apmd to telinit from Dan Walsh.
+-- Patch for additional labeling of samba files from Stefan Schulze
+-  Frielinghaus.
+-- Patch to remove incorrect cron labeling in apache.fc from Ryan Bradetich.
+-- Fix ptys and ttys to be device nodes.
+-- Fix explicit use of httpd_t in openca_domtrans().
+-- Clean up file context regexes in apache and java, from Eamon Walsh.
+-- Patches from Dan Walsh:
+-	Thu, 25 Jan 2007
+-- Added modules:
+-	consolekit (Dan Walsh)
+-	fail2ban (Dan Walsh)
+-	zabbix (Dan Walsh)
+-
+-* Tue Dec 12 2006 Chris PeBenito <selinux at tresys.com> - 20061212
+-- Add policy patterns support macros.  This changes the behavior of
+-  the create_dir_perms and create_file_perms permission sets.
+-- Association polmatch MLS constraint making unlabeled_t an exception
+-  is no longer needed, patch from Venkat Yekkirala.
+-- Context contains checking for PAM and cron from James Antill.
+-- Add a reload target to Modules.devel and change the load
+-  target to only insert modules that were changed.
+-- Allow semanage to read from /root on strict non-MLS for
+-  local policy modules.
+-- Gentoo init script fixes for udev.
+-- Allow udev to read kernel modules.inputmap.
+-- Dnsmasq fixes from testing.
+-- Allow kernel NFS server to getattr filesystems so df can work
+-  on clients.
+-- Patch from Matt Anderson for a MLS constraint exemption on a
+-  file that can be written to from a subject whose range is
+-  within the object's range.
+-- Enhanced setransd support from Darrel Goeddel.
+-- Patches from Dan Walsh:
+-	Tue, 24 Oct 2006
+-	Wed, 29 Nov 2006
+-- Added modules:
+-	aide (Matt Anderson)
+-	ccs (Dan Walsh)
+-	iscsi (Dan Walsh)
+-	ricci (Dan Walsh)
+-
+-* Wed Oct 18 2006 Chris PeBenito <selinux at tresys.com> - 20061018
+-- Patch from Russell Coker Thu, 5 Oct 2006
+-- Move range transitions to modules.
+-- Make number of MLS sensitivities, and number of MLS and MCS
+-  categories configurable as build options.
+-- Add role infrastructure.
+-- Debian updates from Erich Schubert.
+-- Add nscd_socket_use() to auth_use_nsswitch().
+-- Remove old selopt rules.
+-- Full support for netfilter_contexts.
+-- MRTG patch for daemon operation from Stefan.
+-- Add authlogin interface to abstract common access for login programs.
+-- Remove setbool auditallow, except for RHEL4.
+-- Change eventpollfs to task SID labeling.
+-- Add key support from Michael LeMay.
+-- Add ftpdctl domain to ftp, from Paul Howarth.
+-- Fix build system to not move type declarations out of optionals.
+-- Add gcc-config domain to portage.
+-- Add packet object class and support in corenetwork.
+-- Add a copy of genhomedircon for monolithic policy building, so that a
+-  policycoreutils package update is not required for RHEL4 systems.
+-- Add appletalk sockets for use in cups.
+-- Add Make target to validate module linking.
+-- Make duplicate template and interface declarations a fatal error.
+-- Patch to stabilize modules.conf `make conf` output, from Erich Schubert.
+-- Move xconsole_device_t from devices to xserver since it is
+-  not actually a device, it is a named pipe.
+-- Handle nonexistant .fc and .if files in devel Makefile by
+-  automatically creating empty files.
+-- Remove unused devfs_control_t.
+-- Add rhel4 distro, which also implies redhat distro.
+-- Remove unneeded range_transition for su_exec_t and move the
+-  type declaration back to the su module.
+-- Constrain transitions in MCS so unconfined_t cannot have
+-  arbitrary category sets.
+-- Change reiserfs from xattr filesystem to genfscon as it's xattrs
+-  are currently nonfunctional.
+-- Change files and filesystem modules to use their own interfaces.
+-- Add user fonts to xserver.
+-- Additional interfaces in corecommands, miscfiles, and userdomain
+-  from Joy Latten.
+-- Miscellaneous fixes from Thomas Bleher.
+-- Deprecate module name as first parameter of optional_policy()
+-  now that optionals are allowed everywhere.
+-- Enable optional blocks in base module and monolithic policy.
+-  This requires checkpolicy 1.30.1.
+-- Fix vpn module declaration.
+-- Numerous fixes from Dan Walsh.
+-- Change build order to preserve m4 line number information so policy
+-  compile errors are useful again.
+-- Additional MLS interfaces from Chad Hanson.
+-- Move some rules out of domain_type() and domain_base_type()
+-  to the TE file, to use the domain attribute to take advantage
+-  of space savings from attribute use.
+-- Add global stack smashing protector rule for urandom access from
+-  Petre Rodan.
+-- Fix temporary rules at the bottom of portmap.
+-- Updated comments in mls file from Chad Hanson.
+-- Patches from Dan Walsh:
+-	Fri, 17 Mar 2006
+-	Wed, 29 Mar 2006
+-	Tue, 11 Apr 2006
+-	Fri, 14 Apr 2006
+-	Tue, 18 Apr 2006
+-	Thu, 20 Apr 2006
+-	Tue, 02 May 2006
+-	Mon, 15 May 2006
+-	Thu, 18 May 2006
+-	Tue, 06 Jun 2006
+-	Mon, 12 Jun 2006
+-	Tue, 20 Jun 2006
+-	Wed, 26 Jul 2006
+-	Wed, 23 Aug 2006
+-	Thu, 31 Aug 2006
+-	Fri, 01 Sep 2006
+-	Tue, 05 Sep 2006
+-	Wed, 20 Sep 2006
+-	Fri, 22 Sep 2006
+-	Mon, 25 Sep 2006
+-- Added modules:
+-	afs
+-	amavis (Erich Schubert)
+-	apt (Erich Schubert)
+-	asterisk
+-	audioentropy
+-	authbind
+-	backup
+-	calamaris
+-	cipe
+-	clamav (Erich Schubert)
+-	clockspeed (Petre Rodan)
+-	courier
+-	dante
+-	dcc
+-	ddclient
+-	dpkg (Erich Schubert)
+-	dnsmasq
+-	ethereal
+-	evolution
+-	games
+-	gatekeeper
+-	gift
+-	gnome (James Carter)
+-	imaze
+-	ircd
+-	jabber
+-	monop
+-	mozilla
+-	mplayer
+-	munin
+-	nagios
+-	nessus
+-	netlabel (Paul Moore)
+-	nsd
+-	ntop
+-	nx
+-	oav
+-	oddjob (Dan Walsh)
+-	openca
+-	openvpn (Petre Rodan)
+-	perdition
+-	portslave
+-	postgrey
+-	pxe
+-	pyzor (Dan Walsh)
+-	qmail (Petre Rodan)
+-	razor
+-	resmgr
+-	rhgb
+-	rssh
+-	snort
+-	soundserver
+-	speedtouch
+-	sxid
+-	thunderbird
+-	tor (Erich Schubert)
+-	transproxy
+-	tripwire
+-	uptime
+-	uwimap
+-	vmware
+-	watchdog
+-	xen (Dan Walsh)
+-	xprint
+-	yam
+-
+-* Tue Mar 07 2006 Chris PeBenito <selinux at tresys.com> - 20060307
+-- Make all interface parameters required.
+-- Move boot_t, system_map_t, and modules_object_t to files module,
+-  and move bootloader to admin layer.
+-- Add semanage policy for semodule from Dan Walsh.
+-- Remove allow_execmem from targeted policy domain_base_type().
+-- Add users_extra and seusers support.
+-- Postfix fixes from Serge Hallyn.
+-- Run python and shell directly to interpret scripts so policy
+-  sources need not be executable.
+-- Add desc tag XML to booleans and tunables, and add summary
+-  to param XML tag, to make future translations possible.
+-- Remove unused lvm_vg_t.
+-- Many interface renames to improve naming consistency.
+-- Merge xdm into xserver.
+-- Remove kernel module reversed interfaces.
+-- Add filename attribute to module XML tag and lineno attribute to
+-  interface XML tag.
+-- Changed QUIET build option to a yes or no option.
+-- Add a Makefile used for compiling loadable modules in a
+-  user's development environment, building against policy headers.
+-- Add Make target for installing policy headers.
+-- Separate per-userdomain template expansion from the userdomain
+-  module and add infrastructure to expand templates in the modules
+-  that own the template.
+-- Enable secadm only for MLS policies.
+-- Remove role change rules in su and sudo since this functionality has been
+-  removed from these programs.
+-- Add ctags Make target from Thomas Bleher.
+-- Collapse commands with grep piped to sed into one sed command.
+-- Fix type_change bug in term_user_pty().
+-- Move ice_tmp_t from miscfiles to xserver.
+-- Login fixes from Serge Hallyn.
+-- Move xserver_log_t from xdm to xserver.
+-- Add lpr per-userdomain policy to lpd.
+-- Miscellaneous fixes from Dan Walsh.
+-- Change initrc_var_run_t interface noun from script_pid to utmp,
+-  for greater clarity.
+-- Added modules:
+-	certwatch
+-	mono (Dan Walsh)
+-	mrtg
+-	portage
+-	tvtime
+-	userhelper
+-	usernetctl
+-	wine (Dan Walsh)
+-	xserver
+-
+-* Tue Jan 17 2006 Chris PeBenito <selinux at tresys.com> - 20060117
+-- Adds support for generating corenetwork interfaces based on attributes 
+-  in addition to types.
+-- Permits the listing of multiple nodes in a network_node() that will be
+-  given the same type.
+-- Add two new permission sets for stream sockets.
+-- Rename file type transition interfaces verb from create to
+-  filetrans to differentiate it from create interfaces without
+-  type transitions.
+-- Fix expansion of interfaces from disabled modules.
+-- Rsync can be long running from init,
+-  added rules to allow this.
+-- Add polyinstantiation build option.
+-- Add setcontext to the association object class.
+-- Add apache relay and db connect tunables.
+-- Rename texrel_shlib_t to textrel_shlib_t.
+-- Add swat to samba module.
+-- Numerous miscellaneous fixes from Dan Walsh.
+-- Added modules:
+-	alsa
+-	automount
+-	cdrecord
+-	daemontools (Petre Rodan)
+-	ddcprobe
+-	djbdns (Petre Rodan)
+-	fetchmail
+-	irc
+-	java
+-	lockdev
+-	logwatch (Dan Walsh)
+-	openct
+-	prelink (Dan Walsh)
+-	publicfile (Petre Rodan)
+-	readahead
+-	roundup
+-	screen
+-	slocate (Dan Walsh)
+-	slrnpull
+-	smartmon
+-	sysstat
+-	ucspitcp (Petre Rodan)
+-	usbmodules
+-	vbetool (Dan Walsh)
+-
+-* Wed Dec 07 2005 Chris PeBenito <selinux at tresys.com> - 20051207
+-- Add unlabeled IPSEC association rule to domains with
+-  networking permissions.
+-- Merge systemuser back in to users, as these files
+-  do not need to be split.
+-- Add check for duplicate interface/template definitions.
+-- Move domain, files, and corecommands modules to kernel
+-  layer to resolve some layering inconsistencies.
+-- Move policy build options out of Makefile into build.conf.
+-- Add yppasswd to nis module.
+-- Change optional_policy() to refer to the module name
+-  rather than modulename.te.
+-- Fix labeling targets to use installed file_contexts rather
+-  than partial file_contexts in the policy source directory.
+-- Fix build process to use make's internal vpath functions
+-  to detect modules rather than using subshells and find.
+-- Add install target for modular policy.
+-- Add load target for modular policy.
+-- Add appconfig dependency to the load target.
+-- Miscellaneous fixes from Dan Walsh.
+-- Fix corenetwork gen_context()'s to expand during the policy
+-  build phase instead of during the generation phase.  
+-- Added policies:
+-	amanda
+-	avahi
+-	canna
+-	cyrus
+-	dbskk
+-	dovecot
+-	distcc
+-	i18n_input
+-	irqbalance
+-	lpd
+-	networkmanager
+-	pegasus
+-	postfix
+-	procmail
+-	radius
+-	rdisc
+-	rpc
+-	spamassassin
+-	timidity
+-	xdm
+-	xfs
+-
+-* Wed Oct 19 2005 Chris PeBenito <selinux at tresys.com> - 20051019
+-- Many fixes to make loadable modules build.
+-- Add targets for sechecker.
+-- Updated to sedoctool to read bool files and tunable
+-  files separately.
+-- Changed the xml tag of <boolean> to <bool> to be consistent
+-  with gen_bool().
+-- Modified the implementation of segenxml to use regular
+-  expressions.
+-- Rename context_template() to gen_context() to clarify
+-  that its not a Reference Policy template, but a support
+-  macro.
+-- Add disable_*_trans bool support for targeted policy.
+-- Add MLS module to handle MLS constraint exceptions,
+-  such as reading up and writing down.
+-- Fix errors uncovered by sediff.
+-- Added policies:
+-	anaconda
+-	apache
+-	apm
+-	arpwatch
+-	bluetooth
+-	dmidecode
+-	finger
+-	ftp
+-	kudzu
+-	mailman
+-	ppp
+-	radvd
+-	sasl
+-	webalizer
+-
+-* Thu Sep 22 2005 Chris PeBenito <selinux at tresys.com> - 20050922
+-- Make logrotate, sendmail, sshd, and rpm policies
+-  unconfined in the targeted policy so no special
+-  modules.conf is required.
+-- Add experimental MCS support.
+-- Add appconfig for MLS.
+-- Add equivalents for old can_resolve(), can_ldap(), and
+-  can_portmap() to sysnetwork.
+-- Fix base module compile issues.
+-- Added policies:
+-	cpucontrol
+-	cvs
+-	ktalk
+-	portmap
+-	postgresql
+-	rlogin
+-	samba
+-	snmp
+-	stunnel
+-	telnet
+-	tftp
+-	uucp
+-	vpn
+-	zebra
+-
+-* Wed Sep 07 2005 Chris PeBenito <selinux at tresys.com> - 20050907
+-- Fix errors uncovered by sediff.
+-- Doc tool will explicitly say a module does not have interfaces
+-  or templates on the module page.
+-- Added policies:
+-	comsat
+-	dbus
+-	dhcp
+-	dictd
+-	hal
+-	inn
+-	ntp
+-	squid
+-
+-* Fri Aug 26 2005 Chris PeBenito <selinux at tresys.com> - 20050826
+-- Add Makefile support for building loadable modules.
+-- Add genclassperms.py tool to add require blocks
+-  for loadable modules.
+-- Change sedoctool to make required modules part of base
+-  by default, otherwise make as modules, in modules.conf.
+-- Fix segenxml to handle modules with no interfaces.
+-- Rename ipsec connect interface for consistency.
+-- Add missing parts of unix stream socket connect interface
+-  of ipsec.
+-- Rename inetd connect interface for consistency.
+-- Rename interface for purging contents of tmp, for clarity,
+-  since it allows deletion of classes other than file.
+-- Misc. cleanups.
+-- Added policies:
+-	acct
+-	bind
+-	firstboot
+-	gpm
+-	howl
+-	ldap
+-	loadkeys
+-	mysql
+-	privoxy
+-	quota
+-	rshd
+-	rsync
+-	su
+-	sudo
+-	tcpd
+-	tmpreaper
+-	updfstab
+-
+-* Tue Aug 2 2005 Chris PeBenito <selinux at tresys.com> - 20050802
+-- Fix comparison bug in fc_sort.
+-- Fix handling of ordered and unordered HTML lists.
+-- Corenetwork now supports multiple network interfaces having the
+-  same type.
+-- Doc tool now creates pages for global Booleans and global tunables.
+-- Doc tool now links directly to the interface/template in the
+-  module page when it is selected in the interface/template index.
+-- Added support for layer summaries.
+-- Added policies:
+-	ipsec
+-	nscd
+-	pcmcia
+-	raid
+-
+-* Thu Jul 7 2005 Chris PeBenito <selinux at tresys.com> - 20050707
+-- Changed xml to have modules encapsulated by layer tags, rather
+-  than putting layer="foo" in the module tags.  Also in the future
+-  we can put a summary and description for each layer.
+-- Added tool to infer interface, module, and layer tags.  This will
+-  now list all interfaces, even if they are missing xml docs.
+-- Shortened xml tag names.
+-- Added macros to declare interfaces and templates.
+-- Added interface call trace.
+-- Updated all xml documentation for shorter and inferred tags.
+-- Doc tool now displays templates in the web pages.
+-- Doc tool retains the user's settings in modules.conf and
+-  tunables.conf if the files already exist.
+-- Modules.conf behavior has been changed to be a list of all
+-  available modules, and the user can specify if the module is
+-  built as a loadable module, included in the monolithic policy,
+-  or excluded.
+-- Added policies:
+-	fstools (fsck, mkfs, swapon, etc. tools)
+-	logrotate
+-	inetd
+-	kerberos
+-	nis (ypbind and ypserv)
+-	ssh (server, client, and agent)
+-	unconfined
+-- Added infrastructure for targeted policy support, only missing
+-	transition boolean support.
+-
+-* Wed Jun 15 2005 Chris PeBenito <selinux at tresys.com> - 20050615
+-	- Initial release
 diff --git a/Makefile b/Makefile
-index 85d4cfb..7bfdfc6 100644
+index ec7b5cb..7bfdfc6 100644
 --- a/Makefile
 +++ b/Makefile
 @@ -61,6 +61,7 @@ SEMODULE ?= $(tc_usrsbindir)/semodule
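Review bot: The Changelog portion of this hunk (the "+-" lines running back to the 20050615 "Initial release" entry) makes the Fedora base patch delete upstream's release history, which has no effect on the built policy and buries the policy changes under changelog churn. Exclude Changelog when regenerating policy-f20-base.patch so that the changes named in the commit message can be found and reviewed.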
@@ -10,7 +2140,15 @@ index 85d4cfb..7bfdfc6 100644
  LOADPOLICY ?= $(tc_usrsbindir)/load_policy
  SETFILES ?= $(tc_sbindir)/setfiles
  XMLLINT ?= $(BINDIR)/xmllint
-@@ -249,7 +250,7 @@ seusers := $(appconf)/seusers
+@@ -97,7 +98,6 @@ support := support
+ genxml := $(PYTHON) -E $(support)/segenxml.py
+ gendoc := $(PYTHON) -E $(support)/sedoctool.py
+ genperm := $(PYTHON) -E $(support)/genclassperms.py
+-policyvers := $(PYTHON) -E $(support)/policyvers.py
+ fcsort := $(tmpdir)/fc_sort
+ setbools := $(AWK) -f $(support)/set_bools_tuns.awk
+ get_type_attr_decl := $(SED) -r -f $(support)/get_type_attr_decl.sed
+@@ -250,7 +250,7 @@ seusers := $(appconf)/seusers
  appdir := $(contextpath)
  user_default_contexts := $(wildcard config/appconfig-$(TYPE)/*_default_contexts)
  user_default_contexts_names := $(addprefix $(contextpath)/users/,$(subst _default_contexts,,$(notdir $(user_default_contexts))))
@@ -19,7 +2157,7 @@ index 85d4cfb..7bfdfc6 100644
  net_contexts := $(builddir)net_contexts
  
  all_layers := $(shell find $(wildcard $(moddir)/*) -maxdepth 0 -type d)
-@@ -608,15 +609,17 @@ resetlabels:
+@@ -609,15 +609,17 @@ resetlabels:
  # Clean everything
  #
  bare: clean
@@ -58,6 +2196,26 @@ index 313d837..ef3c532 100644
  	@echo "Success."
  
  ########################################
+diff --git a/Rules.monolithic b/Rules.monolithic
+index 808a539..7c4d035 100644
+--- a/Rules.monolithic
++++ b/Rules.monolithic
+@@ -5,7 +5,7 @@
+ 
+ # determine the policy version and current kernel version if possible
+ pv := $(shell $(CHECKPOLICY) -V |cut -f 1 -d ' ')
+-kv := $(shell $(policyvers))
++kv := $(shell cat /selinux/policyvers)
+ 
+ # dont print version warnings if we are unable to determine
+ # the currently running kernel's policy version
+diff --git a/VERSION b/VERSION
+index d060af8..37b3df8 100644
+--- a/VERSION
++++ b/VERSION
+@@ -1 +1 @@
+-2.20130424
++2.20120725
 diff --git a/config/appconfig-mcs/staff_u_default_contexts b/config/appconfig-mcs/staff_u_default_contexts
 index 881a292..80110a4 100644
 --- a/config/appconfig-mcs/staff_u_default_contexts
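Review bot: In the Rules.monolithic portion, "kv := $(shell cat /selinux/policyvers)" hard-codes one selinuxfs path in place of the $(policyvers) helper that the Makefile hunk above removes. On a build host where that file does not exist, cat writes an error to stderr and kv comes back empty; the comment right below says version warnings are skipped when the kernel's policy version cannot be determined, so at least append "2>/dev/null", or keep a helper that locates the selinuxfs mount. Separately, VERSION moves backwards from 2.20130424 to 2.20120725, and the policy_module() lines for bootloader, netutils and usermanage later in this patch do the same; none of the six changes listed in the commit message explains this, so the message should say the base patch was regenerated against a newer upstream pre-image.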
@@ -803,7 +2961,7 @@ index 3a45f23..f4754f0 100644
  # fork
  # setexec
 diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
-index 28802c5..33cd946 100644
+index a94b169..33cd946 100644
 --- a/policy/flask/access_vectors
 +++ b/policy/flask/access_vectors
 @@ -329,6 +329,7 @@ class process
@@ -851,17 +3009,7 @@ index 28802c5..33cd946 100644
  }
  
  # Define the access vector interpretation for controlling
-@@ -827,6 +839,9 @@ class kernel_service
- 
- class tun_socket
- inherits socket
-+{
-+	attach_queue
-+}
- 
- class x_pointer
- inherits x_device
-@@ -862,3 +877,20 @@ inherits database
+@@ -865,3 +877,20 @@ inherits database
  	implement
  	execute
  }
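Review bot: The removed inner hunk "@@ -827,6 +839,9 @@ class kernel_service" was what added "{ attach_queue }" to class tun_socket, so the base patch no longer defines that permission itself. The next inner header moving from "-862,3" to "-865,3" with the same "+877,20" target suggests the new pre-image already carries those three lines, but confirm it against the patched policy/flask/access_vectors: any rule that references attach_queue on tun_socket will fail to compile if the permission is missing from the class.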
@@ -1156,7 +3304,7 @@ index 216b3d1..064ec83 100644
 +
  ') dnl end enable_mcs
 diff --git a/policy/mls b/policy/mls
-index d218387..094a319 100644
+index f11e5e2..094a319 100644
 --- a/policy/mls
 +++ b/policy/mls
 @@ -156,9 +156,6 @@ mlsconstrain filesystem { mount remount unmount relabelfrom quotamod }
@@ -1201,11 +3349,54 @@ index d218387..094a319 100644
  #
  # MLS policy for the process class
  #
+@@ -666,42 +666,6 @@ mlsconstrain x_application_data { paste_after_confirm }
+ 	( l1 dom l2 );
+ 
+ 
+-#
+-# MLS policy for the x_pointer class
+-#
+-
+-# the x_pointer "read" ops
+-mlsconstrain x_pointer { getattr use read getfocus grab }
+-	(( l1 dom l2 ) or
+-	 (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or
+-	 ( t1 == mlsxwinread ));
+-
+-# the x_pointer "write" ops (implicit single level)
+-mlsconstrain x_pointer { setattr write setfocus bell force_cursor freeze manage }
+-	(( l1 eq l2 ) or
+-	 (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+-	 ( t1 == mlsxwinwritexinput ) or
+-	 ( t1 == mlsxwinwrite ));
+-
+-
+-#
+-# MLS policy for the x_keyboard class
+-#
+-
+-# the x_keyboard "read" ops
+-mlsconstrain x_keyboard { getattr use read getfocus grab }
+-	(( l1 dom l2 ) or
+-	 (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or
+-	 ( t1 == mlsxwinread ));
+-
+-# the x_keyboard "write" ops (implicit single level)
+-mlsconstrain x_keyboard { setattr write setfocus bell force_cursor freeze manage }
+-	(( l1 eq l2 ) or
+-	 (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+-	 ( t1 == mlsxwinwritexinput ) or
+-	 ( t1 == mlsxwinwrite ));
+-
+-
+ 
+ #
+ # MLS policy for the dbus class
 diff --git a/policy/modules/admin/bootloader.fc b/policy/modules/admin/bootloader.fc
-index 7a6f06f..5745bb2 100644
+index 2626ebf..5745bb2 100644
 --- a/policy/modules/admin/bootloader.fc
 +++ b/policy/modules/admin/bootloader.fc
-@@ -1,9 +1,16 @@
+@@ -1,11 +1,16 @@
 +/etc/default/grub	--	gen_context(system_u:object_r:bootloader_etc_t,s0)
 +/etc/lilo\.conf.*		gen_context(system_u:object_r:bootloader_etc_t,s0)
 +/etc/yaboot\.conf.*		gen_context(system_u:object_r:bootloader_etc_t,s0)
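Review bot: In the policy/mls portion, the new inner hunk "@@ -666,42 +666,6 @@" deletes all four mlsconstrain statements for x_pointer and x_keyboard (the "read" and "write" ops of each), and nothing in the visible lines replaces them. If the F20 policy deliberately carries no MLS constraints for these two classes, note that in the spec changelog; otherwise, unless they are constrained elsewhere in the file, an MLS build leaves pointer and keyboard access to type enforcement alone, and the constraints should stay.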
@@ -1226,6 +3417,8 @@ index 7a6f06f..5745bb2 100644
 +/usr/sbin/zipl		--	gen_context(system_u:object_r:bootloader_exec_t,s0)
  
 -/usr/sbin/grub		--	gen_context(system_u:object_r:bootloader_exec_t,s0)
+-/usr/sbin/grub2-bios-setup	--	gen_context(system_u:object_r:bootloader_exec_t,s0)
+-/usr/sbin/grub2-probe	--	gen_context(system_u:object_r:bootloader_exec_t,s0)
 +/var/lib/os-prober(/.*)?	gen_context(system_u:object_r:bootloader_var_lib_t,s0)
 diff --git a/policy/modules/admin/bootloader.if b/policy/modules/admin/bootloader.if
 index cc8df9d..34c2a4e 100644
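Review bot: The two added "+-" lines drop the bootloader_exec_t entries for /usr/sbin/grub2-bios-setup and /usr/sbin/grub2-probe that the new pre-image carries. The post-image range is "+1,16" in both the old and the new inner header, so the resulting bootloader.fc looks unchanged, but check that one of the entries not shown in this hunk still matches these two paths; if none does, they fall back to the generic /usr/sbin label and are no longer labelled as bootloader entry points.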
@@ -1382,10 +3575,15 @@ index cc8df9d..34c2a4e 100644
 +	files_etc_filetrans($1,bootloader_etc_t,file, "zipl.conf")
 +')
 diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te
-index e3dbbb8..ee8e830 100644
+index 0fd5c5f..ee8e830 100644
 --- a/policy/modules/admin/bootloader.te
 +++ b/policy/modules/admin/bootloader.te
-@@ -5,8 +5,8 @@ policy_module(bootloader, 1.13.2)
+@@ -1,12 +1,12 @@
+-policy_module(bootloader, 1.14.0)
++policy_module(bootloader, 1.13.2)
+ 
+ ########################################
+ #
  # Declarations
  #
  
@@ -1815,10 +4013,16 @@ index c6ca761..0c86bfd 100644
  ')
  
 diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
-index 8128de8..b0a385b 100644
+index c44c359..b0a385b 100644
 --- a/policy/modules/admin/netutils.te
 +++ b/policy/modules/admin/netutils.te
-@@ -7,10 +7,10 @@ policy_module(netutils, 1.11.2)
+@@ -1,4 +1,4 @@
+-policy_module(netutils, 1.12.1)
++policy_module(netutils, 1.11.2)
+ 
+ ########################################
+ #
+@@ -7,10 +7,10 @@ policy_module(netutils, 1.12.1)
  
  ## <desc>
  ## <p>
@@ -1873,10 +4077,12 @@ index 8128de8..b0a385b 100644
  userdom_use_all_users_fds(netutils_t)
  
  optional_policy(`
-@@ -106,13 +109,14 @@ optional_policy(`
+@@ -106,15 +109,14 @@ optional_policy(`
  #
  
  allow ping_t self:capability { setuid net_raw };
+-# When ping is installed with capabilities instead of setuid
+-allow ping_t self:process { getcap setcap };
 +allow ping_t self:process setcap;
 +
  dontaudit ping_t self:capability sys_tty_config;
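Review bot: In the ping_t section, replacing "allow ping_t self:process { getcap setcap };" with "allow ping_t self:process setcap;" drops getcap together with the comment explaining that the rule is there for a ping installed with capabilities instead of setuid. If ping on F20 reads its own capability set before changing it, this yields a getcap denial; either keep "{ getcap setcap }" or carry the comment over and state why setcap alone is sufficient.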
@@ -1891,7 +4097,7 @@ index 8128de8..b0a385b 100644
  corenet_all_recvfrom_netlabel(ping_t)
  corenet_tcp_sendrecv_generic_if(ping_t)
  corenet_raw_sendrecv_generic_if(ping_t)
-@@ -122,6 +126,7 @@ corenet_raw_bind_generic_node(ping_t)
+@@ -124,6 +126,7 @@ corenet_raw_bind_generic_node(ping_t)
  corenet_tcp_sendrecv_all_ports(ping_t)
  
  fs_dontaudit_getattr_xattr_fs(ping_t)
@@ -1899,7 +4105,7 @@ index 8128de8..b0a385b 100644
  
  domain_use_interactive_fds(ping_t)
  
-@@ -129,14 +134,13 @@ files_read_etc_files(ping_t)
+@@ -131,14 +134,13 @@ files_read_etc_files(ping_t)
  files_dontaudit_search_var(ping_t)
  
  kernel_read_system_state(ping_t)
@@ -1917,7 +4123,7 @@ index 8128de8..b0a385b 100644
  
  ifdef(`hide_broken_symptoms',`
  	init_dontaudit_use_fds(ping_t)
-@@ -147,11 +151,25 @@ ifdef(`hide_broken_symptoms',`
+@@ -149,11 +151,25 @@ ifdef(`hide_broken_symptoms',`
  	')
  ')
  
@@ -1943,7 +4149,7 @@ index 8128de8..b0a385b 100644
  	pcmcia_use_cardmgr_fds(ping_t)
  ')
  
-@@ -159,6 +177,15 @@ optional_policy(`
+@@ -161,6 +177,15 @@ optional_policy(`
  	hotplug_use_fds(ping_t)
  ')
  
@@ -1959,7 +4165,7 @@ index 8128de8..b0a385b 100644
  ########################################
  #
  # Traceroute local policy
-@@ -172,7 +199,6 @@ allow traceroute_t self:udp_socket create_socket_perms;
+@@ -174,7 +199,6 @@ allow traceroute_t self:udp_socket create_socket_perms;
  kernel_read_system_state(traceroute_t)
  kernel_read_network_state(traceroute_t)
  
@@ -1967,7 +4173,7 @@ index 8128de8..b0a385b 100644
  corenet_all_recvfrom_netlabel(traceroute_t)
  corenet_tcp_sendrecv_generic_if(traceroute_t)
  corenet_udp_sendrecv_generic_if(traceroute_t)
-@@ -196,6 +222,7 @@ fs_dontaudit_getattr_xattr_fs(traceroute_t)
+@@ -198,6 +222,7 @@ fs_dontaudit_getattr_xattr_fs(traceroute_t)
  domain_use_interactive_fds(traceroute_t)
  
  files_read_etc_files(traceroute_t)
@@ -1975,7 +4181,7 @@ index 8128de8..b0a385b 100644
  files_dontaudit_search_var(traceroute_t)
  
  init_use_fds(traceroute_t)
-@@ -204,11 +231,17 @@ auth_use_nsswitch(traceroute_t)
+@@ -206,11 +231,17 @@ auth_use_nsswitch(traceroute_t)
  
  logging_send_syslog_msg(traceroute_t)
  
@@ -2765,10 +4971,15 @@ index 99e3903..7270808 100644
  
  ########################################
 diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
-index d555767..049a211 100644
+index 1d732f1..049a211 100644
 --- a/policy/modules/admin/usermanage.te
 +++ b/policy/modules/admin/usermanage.te
-@@ -5,18 +5,18 @@ policy_module(usermanage, 1.18.1)
+@@ -1,22 +1,22 @@
+-policy_module(usermanage, 1.19.0)
++policy_module(usermanage, 1.18.1)
+ 
+ ########################################
+ #
  # Declarations
  #
  
@@ -2890,7 +5101,7 @@ index d555767..049a211 100644
  files_read_etc_runtime_files(chfn_t)
  files_dontaudit_search_var(chfn_t)
  files_dontaudit_search_home(chfn_t)
-@@ -120,19 +135,29 @@ files_dontaudit_search_home(chfn_t)
+@@ -120,12 +135,13 @@ files_dontaudit_search_home(chfn_t)
  # /usr/bin/passwd asks for w access to utmp, but it will operate
  # correctly without it.  Do not audit write denials to utmp.
  init_dontaudit_rw_utmp(chfn_t)
@@ -2900,17 +5111,17 @@ index d555767..049a211 100644
  
  logging_send_syslog_msg(chfn_t)
  
--# uses unix_chkpwd for checking passwords
--seutil_dontaudit_search_config(chfn_t)
+-seutil_read_file_contexts(chfn_t)
 +userdom_manage_user_tmp_files(chfn_t)
 +userdom_tmp_filetrans_user_tmp(chfn_t, { file })
  
  userdom_use_unpriv_users_fds(chfn_t)
  # user generally runs this from their home directory, so do not audit a search
- # on user home dir
+@@ -133,7 +149,13 @@ userdom_use_unpriv_users_fds(chfn_t)
  userdom_dontaudit_search_user_home_content(chfn_t)
  
-+optional_policy(`
+ optional_policy(`
+-	nscd_run(chfn_t, chfn_roles)
 +	rssh_exec(chfn_t)
 +')
 +
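Review bot: `nscd_run(chfn_t, chfn_roles)` is now deleted from the chfn_t optional_policy block, and the block is reused for `rssh_exec(chfn_t)` with no nscd replacement visible in this hunk. For passwd_t the same patch swaps `nscd_run` for `nscd_domtrans(passwd_t)`; if chfn_t still needs to reach nscd, add the equivalent here, otherwise note why chfn differs. The newly removed `seutil_read_file_contexts(chfn_t)` also deserves a line of justification, since the commit message does not mention it.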
@@ -2918,12 +5129,10 @@ index d555767..049a211 100644
 +optional_policy(`
 +	# allow to exec tmux
 +	screen_exec(chfn_t)
-+')
-+
+ ')
+ 
  ########################################
- #
- # Crack local policy
-@@ -209,8 +234,8 @@ selinux_compute_create_context(groupadd_t)
+@@ -212,8 +234,8 @@ selinux_compute_create_context(groupadd_t)
  selinux_compute_relabel_context(groupadd_t)
  selinux_compute_user_contexts(groupadd_t)
  
@@ -2934,7 +5143,7 @@ index d555767..049a211 100644
  
  init_use_fds(groupadd_t)
  init_read_utmp(groupadd_t)
-@@ -218,8 +243,8 @@ init_dontaudit_write_utmp(groupadd_t)
+@@ -221,8 +243,8 @@ init_dontaudit_write_utmp(groupadd_t)
  
  domain_use_interactive_fds(groupadd_t)
  
@@ -2944,7 +5153,7 @@ index d555767..049a211 100644
  files_read_etc_runtime_files(groupadd_t)
  files_read_usr_symlinks(groupadd_t)
  
-@@ -229,14 +254,15 @@ corecmd_exec_bin(groupadd_t)
+@@ -232,14 +254,15 @@ corecmd_exec_bin(groupadd_t)
  logging_send_audit_msgs(groupadd_t)
  logging_send_syslog_msg(groupadd_t)
  
@@ -2963,7 +5172,7 @@ index d555767..049a211 100644
  auth_relabel_shadow(groupadd_t)
  auth_etc_filetrans_shadow(groupadd_t)
  
-@@ -253,7 +279,8 @@ optional_policy(`
+@@ -256,7 +279,8 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -2973,7 +5182,7 @@ index d555767..049a211 100644
  ')
  
  optional_policy(`
-@@ -270,7 +297,7 @@ optional_policy(`
+@@ -273,7 +297,7 @@ optional_policy(`
  # Passwd local policy
  #
  
@@ -2982,7 +5191,7 @@ index d555767..049a211 100644
  dontaudit passwd_t self:capability sys_tty_config;
  allow passwd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  allow passwd_t self:process { setrlimit setfscreate };
-@@ -285,6 +312,7 @@ allow passwd_t self:shm create_shm_perms;
+@@ -288,6 +312,7 @@ allow passwd_t self:shm create_shm_perms;
  allow passwd_t self:sem create_sem_perms;
  allow passwd_t self:msgq create_msgq_perms;
  allow passwd_t self:msg { send receive };
@@ -2990,7 +5199,7 @@ index d555767..049a211 100644
  
  allow passwd_t crack_db_t:dir list_dir_perms;
  read_files_pattern(passwd_t, crack_db_t, crack_db_t)
-@@ -293,6 +321,7 @@ kernel_read_kernel_sysctls(passwd_t)
+@@ -296,6 +321,7 @@ kernel_read_kernel_sysctls(passwd_t)
  
  # for SSP
  dev_read_urand(passwd_t)
@@ -2998,7 +5207,7 @@ index d555767..049a211 100644
  
  fs_getattr_xattr_fs(passwd_t)
  fs_search_auto_mountpoints(passwd_t)
-@@ -307,26 +336,38 @@ selinux_compute_create_context(passwd_t)
+@@ -310,26 +336,38 @@ selinux_compute_create_context(passwd_t)
  selinux_compute_relabel_context(passwd_t)
  selinux_compute_user_contexts(passwd_t)
  
@@ -3042,7 +5251,7 @@ index d555767..049a211 100644
  # /usr/bin/passwd asks for w access to utmp, but it will operate
  # correctly without it.  Do not audit write denials to utmp.
  init_dontaudit_rw_utmp(passwd_t)
-@@ -335,12 +376,11 @@ init_use_fds(passwd_t)
+@@ -338,12 +376,11 @@ init_use_fds(passwd_t)
  logging_send_audit_msgs(passwd_t)
  logging_send_syslog_msg(passwd_t)
  
@@ -3056,27 +5265,27 @@ index d555767..049a211 100644
  userdom_use_unpriv_users_fds(passwd_t)
  # make sure that getcon succeeds
  userdom_getattr_all_users(passwd_t)
-@@ -349,9 +389,18 @@ userdom_read_user_tmp_files(passwd_t)
+@@ -352,9 +389,18 @@ userdom_read_user_tmp_files(passwd_t)
  # user generally runs this from their home directory, so do not audit a search
  # on user home dir
  userdom_dontaudit_search_user_home_content(passwd_t)
 +userdom_stream_connect(passwd_t)
- 
- optional_policy(`
--	nscd_run(passwd_t, passwd_roles)
++
++optional_policy(`
 +	gnome_exec_keyringd(passwd_t)
 +	gnome_manage_cache_home_dir(passwd_t)
 +	gnome_manage_generic_cache_sockets(passwd_t)
 +	gnome_stream_connect_gkeyringd(passwd_t)
 +')
-+
-+optional_policy(`
+ 
+ optional_policy(`
+-	nscd_run(passwd_t, passwd_roles)
 +	#nscd_run(passwd_t, passwd_roles)
 +	nscd_domtrans(passwd_t)
  ')
  
  ########################################
-@@ -398,9 +447,10 @@ dev_read_urand(sysadm_passwd_t)
+@@ -401,9 +447,10 @@ dev_read_urand(sysadm_passwd_t)
  fs_getattr_xattr_fs(sysadm_passwd_t)
  fs_search_auto_mountpoints(sysadm_passwd_t)
  
@@ -3089,7 +5298,7 @@ index d555767..049a211 100644
  auth_manage_shadow(sysadm_passwd_t)
  auth_relabel_shadow(sysadm_passwd_t)
  auth_etc_filetrans_shadow(sysadm_passwd_t)
-@@ -413,7 +463,6 @@ files_read_usr_files(sysadm_passwd_t)
+@@ -416,7 +463,6 @@ files_read_usr_files(sysadm_passwd_t)
  
  domain_use_interactive_fds(sysadm_passwd_t)
  
@@ -3097,7 +5306,7 @@ index d555767..049a211 100644
  files_relabel_etc_files(sysadm_passwd_t)
  files_read_etc_runtime_files(sysadm_passwd_t)
  # for nscd lookups
-@@ -423,19 +472,17 @@ files_dontaudit_search_pids(sysadm_passwd_t)
+@@ -426,19 +472,17 @@ files_dontaudit_search_pids(sysadm_passwd_t)
  # correctly without it.  Do not audit write denials to utmp.
  init_dontaudit_rw_utmp(sysadm_passwd_t)
  
@@ -3119,7 +5328,7 @@ index d555767..049a211 100644
  ')
  
  ########################################
-@@ -443,7 +490,8 @@ optional_policy(`
+@@ -446,7 +490,8 @@ optional_policy(`
  # Useradd local policy
  #
  
@@ -3129,7 +5338,7 @@ index d555767..049a211 100644
  dontaudit useradd_t self:capability sys_tty_config;
  allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  allow useradd_t self:process setfscreate;
-@@ -458,6 +506,10 @@ allow useradd_t self:unix_stream_socket create_stream_socket_perms;
+@@ -461,6 +506,10 @@ allow useradd_t self:unix_stream_socket create_stream_socket_perms;
  allow useradd_t self:unix_dgram_socket sendto;
  allow useradd_t self:unix_stream_socket connectto;
  
@@ -3140,7 +5349,7 @@ index d555767..049a211 100644
  # for getting the number of groups
  kernel_read_kernel_sysctls(useradd_t)
  
-@@ -465,36 +517,37 @@ corecmd_exec_shell(useradd_t)
+@@ -468,36 +517,37 @@ corecmd_exec_shell(useradd_t)
  # Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}.
  corecmd_exec_bin(useradd_t)
  
@@ -3190,7 +5399,7 @@ index d555767..049a211 100644
  auth_manage_shadow(useradd_t)
  auth_relabel_shadow(useradd_t)
  auth_etc_filetrans_shadow(useradd_t)
-@@ -505,33 +558,36 @@ init_rw_utmp(useradd_t)
+@@ -508,33 +558,36 @@ init_rw_utmp(useradd_t)
  logging_send_audit_msgs(useradd_t)
  logging_send_syslog_msg(useradd_t)
  
@@ -3220,10 +5429,10 @@ index d555767..049a211 100644
  userdom_use_unpriv_users_fds(useradd_t)
  # Add/remove user home directories
 -userdom_manage_user_home_dirs(useradd_t)
- userdom_home_filetrans_user_home_dir(useradd_t)
+-userdom_home_filetrans_user_home_dir(useradd_t)
 -userdom_manage_user_home_content_dirs(useradd_t)
 -userdom_manage_user_home_content_files(useradd_t)
--userdom_home_filetrans_user_home_dir(useradd_t)
+ userdom_home_filetrans_user_home_dir(useradd_t)
 -userdom_user_home_dir_filetrans_user_home_content(useradd_t, notdevfile_class_set)
 +userdom_manage_home_role(system_r, useradd_t)
 +userdom_delete_all_user_home_content(useradd_t)
@@ -3241,7 +5450,7 @@ index d555767..049a211 100644
  optional_policy(`
  	apache_manage_all_user_content(useradd_t)
  ')
-@@ -542,7 +598,12 @@ optional_policy(`
+@@ -545,7 +598,12 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -3255,7 +5464,7 @@ index d555767..049a211 100644
  ')
  
  optional_policy(`
-@@ -550,6 +611,11 @@ optional_policy(`
+@@ -553,6 +611,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -3267,7 +5476,7 @@ index d555767..049a211 100644
  	tunable_policy(`samba_domain_controller',`
  		samba_append_log(useradd_t)
  	')
-@@ -559,3 +625,12 @@ optional_policy(`
+@@ -562,3 +625,12 @@ optional_policy(`
  	rpm_use_fds(useradd_t)
  	rpm_rw_pipes(useradd_t)
  ')
@@ -3451,8 +5660,15 @@ index 7590165..85186a9 100644
 +tunable_policy(`use_fusefs_home_dirs',`
 +	fs_mounton_fusefs(seunshare_domain)
  ')
+diff --git a/policy/modules/contrib b/policy/modules/contrib
+index 298b887..662a00b 160000
+--- a/policy/modules/contrib
++++ b/policy/modules/contrib
+@@ -1 +1 @@
+-Subproject commit 298b887411b663a7da40a7a465915a7352bac80d
++Subproject commit 662a00bca8f52af8056f41abd0fdec77ea835b2a
 diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
-index 644d4d7..3656744 100644
+index 33e0f8d..3656744 100644
 --- a/policy/modules/kernel/corecommands.fc
 +++ b/policy/modules/kernel/corecommands.fc
 @@ -1,9 +1,10 @@
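Review bot: the added `diff --git a/policy/modules/contrib b/policy/modules/contrib` section (index 298b887..662a00b, mode 160000) is a submodule pointer bump, not a policy change, and it now sits inside policy-f20-base.patch. It looks like a side effect of regenerating the patch from a git checkout that has the contrib submodule present. Please drop it from the base patch, or confirm that the build applies this patch in a way that tolerates a `Subproject commit` hunk.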
@@ -3523,8 +5739,11 @@ index 644d4d7..3656744 100644
  /etc/X11/xdm/GiveConsole	--	gen_context(system_u:object_r:bin_t,s0)
  /etc/X11/xdm/TakeConsole	--	gen_context(system_u:object_r:bin_t,s0)
  /etc/X11/xdm/Xsetup_0		--	gen_context(system_u:object_r:bin_t,s0)
-@@ -134,10 +147,12 @@ ifdef(`distro_debian',`
+@@ -132,13 +145,14 @@ ifdef(`distro_debian',`
+ # /lib
+ #
  
+-/lib/nut/.*			--	gen_context(system_u:object_r:bin_t,s0)
  /lib/readahead(/.*)?			gen_context(system_u:object_r:bin_t,s0)
  /lib/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0)
 -/lib/systemd/systemd.*		--	gen_context(system_u:object_r:bin_t,s0)
@@ -3537,7 +5756,7 @@ index 644d4d7..3656744 100644
  
  ifdef(`distro_gentoo',`
  /lib/dhcpcd/dhcpcd-run-hooks	--	gen_context(system_u:object_r:bin_t,s0)
-@@ -148,10 +163,12 @@ ifdef(`distro_gentoo',`
+@@ -149,10 +163,12 @@ ifdef(`distro_gentoo',`
  /lib/rcscripts/net\.modules\.d/helpers\.d/udhcpc-.* -- gen_context(system_u:object_r:bin_t,s0)
  ')
  
@@ -3551,7 +5770,7 @@ index 644d4d7..3656744 100644
  /sbin/.*				gen_context(system_u:object_r:bin_t,s0)
  /sbin/insmod_ksymoops_clean	--	gen_context(system_u:object_r:bin_t,s0)
  /sbin/mkfs\.cramfs		--	gen_context(system_u:object_r:bin_t,s0)
-@@ -167,6 +184,7 @@ ifdef(`distro_gentoo',`
+@@ -168,6 +184,7 @@ ifdef(`distro_gentoo',`
  /opt/(.*/)?sbin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
  
  /opt/google/talkplugin(/.*)?		gen_context(system_u:object_r:bin_t,s0)
@@ -3559,7 +5778,7 @@ index 644d4d7..3656744 100644
  
  /opt/gutenprint/cups/lib/filter(/.*)?	gen_context(system_u:object_r:bin_t,s0)
  
-@@ -178,33 +196,49 @@ ifdef(`distro_gentoo',`
+@@ -179,38 +196,52 @@ ifdef(`distro_gentoo',`
  /opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0)
  ')
  
@@ -3594,6 +5813,7 @@ index 644d4d7..3656744 100644
  /usr/(.*/)?sbin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
  /usr/lib(.*/)?sbin(/.*)?		gen_context(system_u:object_r:bin_t,s0)
  
+-/usr/lib/avahi/avahi-daemon-check-dns\.sh	--	gen_context(system_u:object_r:bin_t,s0)
 +/usr/lib/jvm/java(.*/)bin(/.*)		gen_context(system_u:object_r:bin_t,s0)
 +/usr/lib(.*/)?bin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/ccache/bin(/.*)?		gen_context(system_u:object_r:bin_t,s0)
@@ -3618,12 +5838,17 @@ index 644d4d7..3656744 100644
  /usr/lib/dpkg/.+		--	gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/emacsen-common/.*		gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/gimp/.*/plug-ins(/.*)?		gen_context(system_u:object_r:bin_t,s0)
-@@ -215,18 +249,31 @@ ifdef(`distro_gentoo',`
+-/usr/lib/gnome-settings-daemon/.* --	gen_context(system_u:object_r:bin_t,s0)
+ /usr/lib/gvfs/.*		--	gen_context(system_u:object_r:bin_t,s0)
+ /usr/lib/ipsec/.*		--	gen_context(system_u:object_r:bin_t,s0)
+ /usr/lib/kde4/libexec/.*	--	gen_context(system_u:object_r:bin_t,s0)
+@@ -218,19 +249,31 @@ ifdef(`distro_gentoo',`
  /usr/lib/mailman/mail(/.*)?		gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/mediawiki/math/texvc.*		gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/misc/sftp-server	--	gen_context(system_u:object_r:bin_t,s0)
 -/usr/lib/nagios/plugins(/.*)?		gen_context(system_u:object_r:bin_t,s0)
 -/usr/lib/netsaint/plugins(/.*)?		gen_context(system_u:object_r:bin_t,s0)
+-/usr/lib/NetworkManager/nm\-.*	--	gen_context(system_u:object_r:bin_t,s0)
 -/usr/lib/news/bin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
 -/usr/lib/nspluginwrapper/np.*		gen_context(system_u:object_r:bin_t,s0)
 -/usr/lib/portage/bin(/.*)?		gen_context(system_u:object_r:bin_t,s0)
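Review bot: the patch now deletes the upstream bin_t entries `/usr/lib/gnome-settings-daemon/.*` and `/usr/lib/NetworkManager/nm\-.*` in this hunk, and `/lib/nut/.*` and `/usr/lib/avahi/avahi-daemon-check-dns\.sh` in the earlier hunks of this file. None of these paths has a `bin` or `sbin` directory component, so the generic `/usr/lib(.*/)?bin(/.*)?` and `/usr/lib(.*/)?sbin(/.*)?` patterns shown for this file will not match them. Please confirm that another file context still labels these helpers as executables, or keep the entries, so they do not lose bin_t on the next relabel.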
@@ -3657,7 +5882,7 @@ index 644d4d7..3656744 100644
  /usr/lib/xfce4/exo-1/exo-compose-mail-1 -- gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/xfce4/exo-1/exo-helper-1 --	gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/xfce4/panel/migrate	--	gen_context(system_u:object_r:bin_t,s0)
-@@ -241,26 +288,39 @@ ifdef(`distro_gentoo',`
+@@ -245,26 +288,39 @@ ifdef(`distro_gentoo',`
  /usr/lib/debug/sbin(/.*)?	--	gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/debug/usr/bin(/.*)?	--	gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/debug/usr/sbin(/.*)?	--	gen_context(system_u:object_r:bin_t,s0)
@@ -3702,7 +5927,7 @@ index 644d4d7..3656744 100644
  /usr/sbin/scponlyc		--	gen_context(system_u:object_r:shell_exec_t,s0)
  /usr/sbin/sesh			--	gen_context(system_u:object_r:shell_exec_t,s0)
  /usr/sbin/smrsh			--	gen_context(system_u:object_r:shell_exec_t,s0)
-@@ -269,6 +329,7 @@ ifdef(`distro_gentoo',`
+@@ -273,6 +329,7 @@ ifdef(`distro_gentoo',`
  /usr/share/ajaxterm/qweb.py.* --	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/apr-0/build/[^/]+\.sh --	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/apr-0/build/libtool --	gen_context(system_u:object_r:bin_t,s0)
@@ -3710,7 +5935,7 @@ index 644d4d7..3656744 100644
  /usr/share/dayplanner/dayplanner --	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/debconf/.+		--	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/denyhosts/scripts(/.*)?	gen_context(system_u:object_r:bin_t,s0)
-@@ -276,10 +337,15 @@ ifdef(`distro_gentoo',`
+@@ -280,10 +337,15 @@ ifdef(`distro_gentoo',`
  /usr/share/cluster/.*\.sh		gen_context(system_u:object_r:bin_t,s0)
  /usr/share/cluster/ocf-shellfuncs --	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/cluster/svclib_nfslock --	gen_context(system_u:object_r:bin_t,s0)
@@ -3726,7 +5951,7 @@ index 644d4d7..3656744 100644
  /usr/share/gnucash/finance-quote-check -- gen_context(system_u:object_r:bin_t,s0)
  /usr/share/gnucash/finance-quote-helper -- gen_context(system_u:object_r:bin_t,s0)
  /usr/share/hal/device-manager/hal-device-manager -- gen_context(system_u:object_r:bin_t,s0)
-@@ -294,16 +360,22 @@ ifdef(`distro_gentoo',`
+@@ -298,16 +360,22 @@ ifdef(`distro_gentoo',`
  /usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0)
  /usr/share/smolt/client(/.*)?		gen_context(system_u:object_r:bin_t,s0)
  /usr/share/shorewall/compiler\.pl --	gen_context(system_u:object_r:bin_t,s0)
@@ -3751,7 +5976,7 @@ index 644d4d7..3656744 100644
  
  ifdef(`distro_debian',`
  /usr/lib/ConsoleKit/.*		--	gen_context(system_u:object_r:bin_t,s0)
-@@ -321,20 +393,27 @@ ifdef(`distro_redhat', `
+@@ -325,20 +393,27 @@ ifdef(`distro_redhat', `
  /etc/gdm/[^/]+			-d	gen_context(system_u:object_r:bin_t,s0)
  /etc/gdm/[^/]+/.*			gen_context(system_u:object_r:bin_t,s0)
  
@@ -3780,7 +6005,7 @@ index 644d4d7..3656744 100644
  /usr/share/pwlib/make/ptlib-config --	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/pydict/pydict\.py	--	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/rhn/rhn_applet/applet\.py -- gen_context(system_u:object_r:bin_t,s0)
-@@ -342,6 +421,7 @@ ifdef(`distro_redhat', `
+@@ -346,6 +421,7 @@ ifdef(`distro_redhat', `
  /usr/share/ssl/misc(/.*)?		gen_context(system_u:object_r:bin_t,s0)
  /usr/share/switchdesk/switchdesk-gui\.py -- gen_context(system_u:object_r:bin_t,s0)
  /usr/share/system-config-date/system-config-date\.py -- gen_context(system_u:object_r:bin_t,s0)
@@ -3788,7 +6013,7 @@ index 644d4d7..3656744 100644
  /usr/share/system-config-selinux/polgen\.py -- gen_context(system_u:object_r:bin_t,s0)
  /usr/share/system-config-selinux/system-config-selinux\.py -- gen_context(system_u:object_r:bin_t,s0)
  /usr/share/system-config-display/system-config-display -- gen_context(system_u:object_r:bin_t,s0)
-@@ -383,11 +463,16 @@ ifdef(`distro_suse', `
+@@ -387,11 +463,16 @@ ifdef(`distro_suse', `
  #
  # /var
  #
@@ -3806,7 +6031,7 @@ index 644d4d7..3656744 100644
  /usr/lib/yp/.+			--	gen_context(system_u:object_r:bin_t,s0)
  
  /var/qmail/bin			-d	gen_context(system_u:object_r:bin_t,s0)
-@@ -397,3 +482,12 @@ ifdef(`distro_suse', `
+@@ -401,3 +482,12 @@ ifdef(`distro_suse', `
  ifdef(`distro_suse',`
  /var/lib/samba/bin/.+			gen_context(system_u:object_r:bin_t,s0)
  ')
@@ -4077,9 +6302,15 @@ index 9e9263a..77e6c8c 100644
 +	filetrans_pattern($1, bin_t, $2, $3, $4)
 +')
 diff --git a/policy/modules/kernel/corecommands.te b/policy/modules/kernel/corecommands.te
-index 43090a0..a784e8e 100644
+index 20c76cf..a784e8e 100644
 --- a/policy/modules/kernel/corecommands.te
 +++ b/policy/modules/kernel/corecommands.te
+@@ -1,4 +1,4 @@
+-policy_module(corecommands, 1.18.1)
++policy_module(corecommands, 1.17.3)
+ 
+ ########################################
+ #
 @@ -13,7 +13,8 @@ attribute exec_type;
  #
  # bin_t is the type of files in the system bin/sbin directories.
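Review bot: `policy_module(corecommands, 1.18.1)` is rewritten to `1.17.3`, so the regenerated patch now moves the module version backwards relative to its base. The same pattern appears in this commit for usermanage (1.19.0 to 1.18.1), corenetwork (1.19.2 to 1.18.4) and devices (1.15.0 to 1.14.5). Together with the changed base index (20c76cf instead of 43090a0), this suggests the patch was re-diffed against a newer upstream tree, which the commit message does not mention. Please state the new base in the changelog and confirm that rolling the version strings back is intended rather than an accidental revert of upstream changes.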
@@ -5662,10 +7893,15 @@ index 8e0f9cd..b9f45b9 100644
  
  define(`create_packet_interfaces',``
 diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index 4edc40d..8a190ce 100644
+index b191055..8a190ce 100644
 --- a/policy/modules/kernel/corenetwork.te.in
 +++ b/policy/modules/kernel/corenetwork.te.in
-@@ -5,6 +5,7 @@ policy_module(corenetwork, 1.18.4)
+@@ -1,10 +1,11 @@
+-policy_module(corenetwork, 1.19.2)
++policy_module(corenetwork, 1.18.4)
+ 
+ ########################################
+ #
  # Declarations
  #
  
@@ -5736,7 +7972,7 @@ index 4edc40d..8a190ce 100644
  # reserved_port_t is the type of INET port numbers below 1024.
  #
  type reserved_port_t, port_type, reserved_port_type;
-@@ -84,54 +107,69 @@ network_port(amanda, udp,10080-10082,s0, tcp,10080-10083,s0)
+@@ -84,55 +107,69 @@ network_port(amanda, udp,10080-10082,s0, tcp,10080-10083,s0)
  network_port(amavisd_recv, tcp,10024,s0)
  network_port(amavisd_send, tcp,10025,s0)
  network_port(amqp, udp,5671-5672,s0, tcp,5671-5672,s0)
@@ -5804,7 +8040,7 @@ index 4edc40d..8a190ce 100644
  network_port(ftp_data, tcp,20,s0)
  network_port(gatekeeper, udp,1718,s0, udp,1719,s0, tcp,1721,s0, tcp,7000,s0)
 +network_port(gear, tcp,43273,s0, udp,43273,s0)
-+network_port(gdomap, tcp,538,s0, udp,538,s0)
+ network_port(gdomap, tcp,538,s0, udp,538,s0)
  network_port(gds_db, tcp,3050,s0, udp,3050,s0)
  network_port(giftd, tcp,1213,s0)
  network_port(git, tcp,9418,s0, udp,9418,s0)
@@ -5814,7 +8050,7 @@ index 4edc40d..8a190ce 100644
  network_port(gopher, tcp,70,s0, udp,70,s0)
  network_port(gpsd, tcp,2947,s0)
  network_port(hadoop_datanode, tcp,50010,s0)
-@@ -139,45 +177,52 @@ network_port(hadoop_namenode, tcp,8020,s0)
+@@ -140,45 +177,52 @@ network_port(hadoop_namenode, tcp,8020,s0)
  network_port(hddtemp, tcp,7634,s0)
  network_port(howl, tcp,5335,s0, udp,5353,s0)
  network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0)
@@ -5882,7 +8118,7 @@ index 4edc40d..8a190ce 100644
  network_port(msnp, tcp,1863,s0, udp,1863,s0)
  network_port(mssql, tcp,1433-1434,s0, udp,1433-1434,s0)
  network_port(ms_streaming, tcp,1755,s0, udp,1755,s0)
-@@ -185,26 +230,36 @@ network_port(munin, tcp,4949,s0, udp,4949,s0)
+@@ -186,26 +230,36 @@ network_port(munin, tcp,4949,s0, udp,4949,s0)
  network_port(mxi, tcp,8005,s0, udp,8005,s0)
  network_port(mysqld, tcp,1186,s0, tcp,3306,s0, tcp,63132-63164,s0)
  network_port(mysqlmanagerd, tcp,2273,s0)
@@ -5923,7 +8159,7 @@ index 4edc40d..8a190ce 100644
  network_port(portmap, udp,111,s0, tcp,111,s0)
  network_port(postfix_policyd, tcp,10031,s0)
  network_port(postgresql, tcp,5432,s0)
-@@ -214,64 +269,74 @@ network_port(prelude, tcp,4690,s0, udp,4690,s0)
+@@ -215,66 +269,74 @@ network_port(prelude, tcp,4690,s0, udp,4690,s0)
  network_port(presence, tcp,5298-5299,s0, udp,5298-5299,s0)
  network_port(printer, tcp,515,s0)
  network_port(ptal, tcp,5703,s0)
@@ -5938,7 +8174,7 @@ index 4edc40d..8a190ce 100644
  network_port(radsec, tcp,2083,s0)
  network_port(razor, tcp,2703,s0)
 +network_port(time, tcp,37,s0, udp,37,s0)
-+network_port(redis, tcp,6379,s0)
+ network_port(redis, tcp,6379,s0)
  network_port(repository, tcp, 6363, s0)
  network_port(ricci, tcp,11111,s0, udp,11111,s0)
  network_port(ricci_modcluster, tcp,16851,s0, udp,16851,s0)
@@ -5992,6 +8228,7 @@ index 4edc40d..8a190ce 100644
 +network_port(tram, tcp, 4567, s0)
  network_port(transproxy, tcp,8081,s0)
  network_port(trisoap, tcp,10200,s0, udp,10200,s0)
+-network_port(trivnet1, tcp, 8200, s0, udp, 8200, s0)
  network_port(ups, tcp,3493,s0)
  network_port(utcpserver) # no defined portcon
  network_port(uucpd, tcp,540,s0)
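Review bot: `network_port(trivnet1, tcp, 8200, s0, udp, 8200, s0)` is now removed by the patch, which drops trivnet1_port_t and the corenet interfaces generated for it. Any module that still requires that type will fail to build, and port 8200 loses its specific label. Please confirm that nothing in base or contrib references trivnet1, or record in the changelog why the upstream port definition is being removed.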
@@ -6009,7 +8246,7 @@ index 4edc40d..8a190ce 100644
  network_port(winshadow, tcp,3161,s0, udp,3261,s0)
  network_port(wsdapi, tcp,5357,s0, udp,5357,s0)
  network_port(wsicopy, tcp,3378,s0, udp,3378,s0)
-@@ -285,19 +350,23 @@ network_port(zabbix_agent, tcp,10050,s0)
+@@ -288,19 +350,23 @@ network_port(zabbix_agent, tcp,10050,s0)
  network_port(zookeeper_client, tcp,2181,s0)
  network_port(zookeeper_election, tcp,3888,s0)
  network_port(zookeeper_leader, tcp,2888,s0)
@@ -6036,7 +8273,7 @@ index 4edc40d..8a190ce 100644
  
  ########################################
  #
-@@ -330,6 +399,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh)
+@@ -333,6 +399,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh)
  
  build_option(`enable_mls',`
  network_interface(lo, lo, s0 - mls_systemhigh)
@@ -6045,7 +8282,7 @@ index 4edc40d..8a190ce 100644
  ',`
  typealias netif_t alias { lo_netif_t netif_lo_t };
  ')
-@@ -342,9 +413,28 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
+@@ -345,9 +413,28 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
  allow corenet_unconfined_type node_type:node *;
  allow corenet_unconfined_type netif_type:netif *;
  allow corenet_unconfined_type packet_type:packet *;
@@ -8712,9 +10949,15 @@ index 76f285e..830c1c5 100644
 +	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card9")
 +')
 diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
-index 6529bd9..b31a5e8 100644
+index 0b1a871..b31a5e8 100644
 --- a/policy/modules/kernel/devices.te
 +++ b/policy/modules/kernel/devices.te
+@@ -1,4 +1,4 @@
+-policy_module(devices, 1.15.0)
++policy_module(devices, 1.14.5)
+ 
+ ########################################
+ #
 @@ -15,11 +15,12 @@ attribute devices_unconfined_type;
  #
  type device_t;
@@ -9528,7 +11771,7 @@ index cf04cb5..a290c56 100644
 +	')
 +')
 diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
-index c2c6e05..1a210d2 100644
+index b876c48..1a210d2 100644
 --- a/policy/modules/kernel/files.fc
 +++ b/policy/modules/kernel/files.fc
 @@ -18,6 +18,7 @@ ifdef(`distro_redhat',`
@@ -9770,14 +12013,16 @@ index c2c6e05..1a210d2 100644
  /var/tmp/.*			<<none>>
  /var/tmp/lost\+found	-d	gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
  /var/tmp/lost\+found/.*		<<none>>
-@@ -270,3 +295,5 @@ ifndef(`distro_redhat',`
+@@ -269,5 +294,6 @@ ifndef(`distro_redhat',`
+ 
  ifdef(`distro_debian',`
  /var/run/motd		--	gen_context(system_u:object_r:initrc_var_run_t,s0)
+-/var/run/motd\.dynamic	--	gen_context(system_u:object_r:initrc_var_run_t,s0)
  ')
 +/nsr(/.*)?			gen_context(system_u:object_r:var_t,s0)
 +/nsr/logs(/.*)?			gen_context(system_u:object_r:var_log_t,s0)
 diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index 64ff4d7..1e53061 100644
+index f962f76..255728e 100644
 --- a/policy/modules/kernel/files.if
 +++ b/policy/modules/kernel/files.if
 @@ -19,6 +19,136 @@
@@ -10616,94 +12861,103 @@ index 64ff4d7..1e53061 100644
  ##	Do not audit attempts to set the attributes on all mount points.
  ## </summary>
  ## <param name="domain">
-@@ -1673,6 +2115,24 @@ interface(`files_dontaudit_list_all_mountpoints',`
+@@ -1655,38 +2097,38 @@ interface(`files_dontaudit_search_all_mountpoints',`
+ 
+ ########################################
+ ## <summary>
+-##	List all mount points.
++##	Do not audit listing of all mount points.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain allowed access.
++##	Domain to not audit.
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_list_all_mountpoints',`
++interface(`files_dontaudit_list_all_mountpoints',`
+ 	gen_require(`
+ 		attribute mountpoint;
+ 	')
+ 
+-	allow $1 mountpoint:dir list_dir_perms;
++	dontaudit $1 mountpoint:dir list_dir_perms;
+ ')
  
  ########################################
  ## <summary>
+-##	Do not audit listing of all mount points.
 +##	Write all mount points.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain to not audit.
 +##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_dontaudit_list_all_mountpoints',`
+-	gen_require(`
+-		attribute mountpoint;
+-	')
 +interface(`files_write_all_mountpoints',`
 +    gen_require(`
 +        attribute mountpoint;
 +    ')
-+
+ 
+-	dontaudit $1 mountpoint:dir list_dir_perms;
 +	allow $1 mountpoint:dir write;
-+')
-+
-+########################################
-+## <summary>
- ##	Do not audit attempts to write to mount points.
- ## </summary>
- ## <param name="domain">
-@@ -1691,6 +2151,42 @@ interface(`files_dontaudit_write_all_mountpoints',`
+ ')
+ 
+ ########################################
+@@ -1709,72 +2151,145 @@ interface(`files_dontaudit_write_all_mountpoints',`
  
  ########################################
  ## <summary>
+-##	List the contents of the root directory.
 +##	Do not audit attempts to unmount all mount points.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain allowed access.
 +##	Domain to not audit.
-+##	</summary>
-+## </param>
-+#
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_list_root',`
 +interface(`files_dontaudit_unmount_all_mountpoints',`
-+	gen_require(`
+ 	gen_require(`
+-		type root_t;
 +		attribute mountpoint;
-+	')
-+
+ 	')
+ 
+-	allow $1 root_t:dir list_dir_perms;
+-	allow $1 root_t:lnk_file { read_lnk_file_perms ioctl lock };
 +	dontaudit $1 mountpoint:filesystem unmount;
-+')
-+
-+########################################
-+## <summary>
-+##	Write all file type directories.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`files_write_all_dirs',`
-+	gen_require(`
-+		attribute file_type;
-+	')
-+
-+	allow $1 file_type:dir write;
-+')
-+
-+########################################
-+## <summary>
- ##	List the contents of the root directory.
- ## </summary>
- ## <param name="domain">
-@@ -1707,7 +2203,6 @@ interface(`files_list_root',`
- 	allow $1 root_t:dir list_dir_perms;
- 	allow $1 root_t:lnk_file { read_lnk_file_perms ioctl lock };
  ')
--
+ 
  ########################################
  ## <summary>
- ##	Do not audit attempts to write to / dirs.
-@@ -1718,18 +2213,17 @@ interface(`files_list_root',`
+-##	Do not audit attempts to write to / dirs.
++##	Write all file type directories.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain to not audit.
++##	Domain allowed access.
  ##	</summary>
  ## </param>
  #
 -interface(`files_dontaudit_write_root_dirs',`
-+interface(`files_write_root_dirs',`
++interface(`files_write_all_dirs',`
  	gen_require(`
- 		type root_t;
+-		type root_t;
++		attribute file_type;
  	')
  
 -	dontaudit $1 root_t:dir write;
-+	allow $1 root_t:dir write;
++	allow $1 file_type:dir write;
  ')
  
 -###################
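Review bot: `files_write_all_dirs` grants `allow $1 file_type:dir write;`, that is, the write permission on every directory carrying the file_type attribute, and its doc block says only "Write all file type directories." Please document the intended callers in the summary, or narrow the interface to the directory types actually needed, so the breadth of the grant is clear to anyone calling it. Separately, `files_write_all_mountpoints` indents its `gen_require` block with spaces while the surrounding interfaces use tabs.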
@@ -10711,15 +12965,59 @@ index 64ff4d7..1e53061 100644
  ## <summary>
 -##	Do not audit attempts to write
 -##	files in the root directory.
-+##	Do not audit attempts to write to / dirs.
++##	List the contents of the root directory.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1737,7 +2231,26 @@ interface(`files_dontaudit_write_root_dirs',`
+-##	Domain to not audit.
++##	Domain allowed access.
  ##	</summary>
  ## </param>
  #
 -interface(`files_dontaudit_rw_root_dir',`
++interface(`files_list_root',`
+ 	gen_require(`
+ 		type root_t;
+ 	')
+ 
+-	dontaudit $1 root_t:dir rw_dir_perms;
++	allow $1 root_t:dir list_dir_perms;
++	allow $1 root_t:lnk_file { read_lnk_file_perms ioctl lock };
+ ')
+-
+ ########################################
+ ## <summary>
+-##	Create an object in the root directory, with a private
+-##	type using a type transition.
++##	Do not audit attempts to write to / dirs.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain allowed access.
++##	Domain to not audit.
+ ##	</summary>
+ ## </param>
+-## <param name="private type">
+-##	<summary>
++#
++interface(`files_write_root_dirs',`
++	gen_require(`
++		type root_t;
++	')
++
++	allow $1 root_t:dir write;
++')
++
++########################################
++## <summary>
++##	Do not audit attempts to write to / dirs.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
++##	</summary>
++## </param>
++#
 +interface(`files_dontaudit_write_root_dirs',`
 +	gen_require(`
 +		type root_t;
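Review bot: the new `files_write_root_dirs` interface is documented as "Do not audit attempts to write to / dirs." with the parameter text "Domain to not audit.", but its body is `allow $1 root_t:dir write;`. The summary was carried over from `files_dontaudit_write_root_dirs`, which follows with the same text. Change the doc block to something like "Write to / dirs." and "Domain allowed access." so the generated interface documentation does not describe an allow rule as a dontaudit.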
@@ -10740,13 +13038,15 @@ index 64ff4d7..1e53061 100644
 +## </param>
 +#
 +interface(`files_dontaudit_rw_root_dir',`
- 	gen_require(`
- 		type root_t;
- 	')
-@@ -1747,6 +2260,26 @@ interface(`files_dontaudit_rw_root_dir',`
- 
- ########################################
- ## <summary>
++	gen_require(`
++		type root_t;
++	')
++
++	dontaudit $1 root_t:dir rw_dir_perms;
++')
++
++########################################
++## <summary>
 +##	Do not audit attempts to check the 
 +##	access on root directory.
 +## </summary>
@@ -10767,10 +13067,20 @@ index 64ff4d7..1e53061 100644
 +
 +########################################
 +## <summary>
- ##	Create an object in the root directory, with a private
- ##	type using a type transition.
- ## </summary>
-@@ -1874,25 +2407,25 @@ interface(`files_delete_root_dir_entry',`
++##	Create an object in the root directory, with a private
++##	type using a type transition.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <param name="private type">
++##	<summary>
+ ##	The type of the object to be created.
+ ##	</summary>
+ ## </param>
+@@ -1892,25 +2407,25 @@ interface(`files_delete_root_dir_entry',`
  
  ########################################
  ## <summary>
@@ -10802,7 +13112,7 @@ index 64ff4d7..1e53061 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1905,7 +2438,7 @@ interface(`files_relabel_rootfs',`
+@@ -1923,7 +2438,7 @@ interface(`files_relabel_rootfs',`
  		type root_t;
  	')
  
@@ -10811,7 +13121,7 @@ index 64ff4d7..1e53061 100644
  ')
  
  ########################################
-@@ -1928,6 +2461,42 @@ interface(`files_unmount_rootfs',`
+@@ -1946,6 +2461,42 @@ interface(`files_unmount_rootfs',`
  
  ########################################
  ## <summary>
@@ -10854,7 +13164,7 @@ index 64ff4d7..1e53061 100644
  ##	Get attributes of the /boot directory.
  ## </summary>
  ## <param name="domain">
-@@ -2163,6 +2732,24 @@ interface(`files_relabelfrom_boot_files',`
+@@ -2181,6 +2732,24 @@ interface(`files_relabelfrom_boot_files',`
  	relabelfrom_files_pattern($1, boot_t, boot_t)
  ')
  
@@ -10879,7 +13189,7 @@ index 64ff4d7..1e53061 100644
  ######################################
  ## <summary>
  ##	Read symbolic links in the /boot directory.
-@@ -2627,6 +3214,24 @@ interface(`files_rw_etc_dirs',`
+@@ -2645,6 +3214,24 @@ interface(`files_rw_etc_dirs',`
  	allow $1 etc_t:dir rw_dir_perms;
  ')
  
@@ -10904,7 +13214,7 @@ index 64ff4d7..1e53061 100644
  ##########################################
  ## <summary>
  ## 	Manage generic directories in /etc
-@@ -2698,6 +3303,7 @@ interface(`files_read_etc_files',`
+@@ -2716,6 +3303,7 @@ interface(`files_read_etc_files',`
  	allow $1 etc_t:dir list_dir_perms;
  	read_files_pattern($1, etc_t, etc_t)
  	read_lnk_files_pattern($1, etc_t, etc_t)
@@ -10912,7 +13222,7 @@ index 64ff4d7..1e53061 100644
  ')
  
  ########################################
-@@ -2706,7 +3312,7 @@ interface(`files_read_etc_files',`
+@@ -2724,7 +3312,7 @@ interface(`files_read_etc_files',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -10921,7 +13231,7 @@ index 64ff4d7..1e53061 100644
  ##	</summary>
  ## </param>
  #
-@@ -2762,6 +3368,25 @@ interface(`files_manage_etc_files',`
+@@ -2780,6 +3368,25 @@ interface(`files_manage_etc_files',`
  
  ########################################
  ## <summary>
@@ -10947,7 +13257,7 @@ index 64ff4d7..1e53061 100644
  ##	Delete system configuration files in /etc.
  ## </summary>
  ## <param name="domain">
-@@ -2780,6 +3405,24 @@ interface(`files_delete_etc_files',`
+@@ -2798,6 +3405,24 @@ interface(`files_delete_etc_files',`
  
  ########################################
  ## <summary>
@@ -10972,7 +13282,7 @@ index 64ff4d7..1e53061 100644
  ##	Execute generic files in /etc.
  ## </summary>
  ## <param name="domain">
-@@ -2945,24 +3588,6 @@ interface(`files_delete_boot_flag',`
+@@ -2963,24 +3588,6 @@ interface(`files_delete_boot_flag',`
  
  ########################################
  ## <summary>
@@ -10997,7 +13307,7 @@ index 64ff4d7..1e53061 100644
  ##	Read files in /etc that are dynamically
  ##	created on boot, such as mtab.
  ## </summary>
-@@ -3003,9 +3628,7 @@ interface(`files_read_etc_runtime_files',`
+@@ -3021,9 +3628,7 @@ interface(`files_read_etc_runtime_files',`
  
  ########################################
  ## <summary>
@@ -11008,7 +13318,7 @@ index 64ff4d7..1e53061 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3013,18 +3636,17 @@ interface(`files_read_etc_runtime_files',`
+@@ -3031,18 +3636,17 @@ interface(`files_read_etc_runtime_files',`
  ##	</summary>
  ## </param>
  #
@@ -11030,7 +13340,7 @@ index 64ff4d7..1e53061 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3042,6 +3664,26 @@ interface(`files_dontaudit_write_etc_runtime_files',`
+@@ -3060,6 +3664,26 @@ interface(`files_dontaudit_write_etc_runtime_files',`
  
  ########################################
  ## <summary>
@@ -11057,7 +13367,7 @@ index 64ff4d7..1e53061 100644
  ##	Read and write files in /etc that are dynamically
  ##	created on boot, such as mtab.
  ## </summary>
-@@ -3059,6 +3701,7 @@ interface(`files_rw_etc_runtime_files',`
+@@ -3077,6 +3701,7 @@ interface(`files_rw_etc_runtime_files',`
  
  	allow $1 etc_t:dir list_dir_perms;
  	rw_files_pattern($1, etc_t, etc_runtime_t)
@@ -11065,7 +13375,7 @@ index 64ff4d7..1e53061 100644
  ')
  
  ########################################
-@@ -3080,6 +3723,7 @@ interface(`files_manage_etc_runtime_files',`
+@@ -3098,6 +3723,7 @@ interface(`files_manage_etc_runtime_files',`
  	')
  
  	manage_files_pattern($1, { etc_t etc_runtime_t }, etc_runtime_t)
@@ -11073,7 +13383,7 @@ index 64ff4d7..1e53061 100644
  ')
  
  ########################################
-@@ -3132,6 +3776,44 @@ interface(`files_getattr_isid_type_dirs',`
+@@ -3150,6 +3776,44 @@ interface(`files_getattr_isid_type_dirs',`
  
  ########################################
  ## <summary>
@@ -11118,7 +13428,7 @@ index 64ff4d7..1e53061 100644
  ##	Do not audit attempts to search directories on new filesystems
  ##	that have not yet been labeled.
  ## </summary>
-@@ -3205,11 +3887,10 @@ interface(`files_delete_isid_type_dirs',`
+@@ -3223,11 +3887,10 @@ interface(`files_delete_isid_type_dirs',`
  
  	delete_dirs_pattern($1, file_t, file_t)
  ')
@@ -11132,7 +13442,7 @@ index 64ff4d7..1e53061 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3217,18 +3898,18 @@ interface(`files_delete_isid_type_dirs',`
+@@ -3235,18 +3898,18 @@ interface(`files_delete_isid_type_dirs',`
  ##	</summary>
  ## </param>
  #
@@ -11155,7 +13465,7 @@ index 64ff4d7..1e53061 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3236,17 +3917,17 @@ interface(`files_manage_isid_type_dirs',`
+@@ -3254,12 +3917,88 @@ interface(`files_manage_isid_type_dirs',`
  ##	</summary>
  ## </param>
  #
@@ -11167,144 +13477,11 @@ index 64ff4d7..1e53061 100644
  
 -	allow $1 file_t:dir { search_dir_perms mounton };
 +	allow $1 file_t:dir mounton;
- ')
- 
- ########################################
- ## <summary>
--##	Read files on new filesystems
-+##	Relabelfrom all file opbjects on new filesystems
- ##	that have not yet been labeled.
- ## </summary>
- ## <param name="domain">
-@@ -3255,18 +3936,18 @@ interface(`files_mounton_isid_type_dirs',`
- ##	</summary>
- ## </param>
- #
--interface(`files_read_isid_type_files',`
-+interface(`files_relabelfrom_isid_type',`
- 	gen_require(`
- 		type file_t;
- 	')
- 
--	allow $1 file_t:file read_file_perms;
-+	dontaudit $1 file_t:dir_file_class_set relabelfrom;
- ')
- 
- ########################################
- ## <summary>
--##	Delete files on new filesystems
--##	that have not yet been labeled.
-+##	Create, read, write, and delete directories
-+##	on new filesystems that have not yet been labeled.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -3274,18 +3955,18 @@ interface(`files_read_isid_type_files',`
- ##	</summary>
- ## </param>
- #
--interface(`files_delete_isid_type_files',`
-+interface(`files_manage_isid_type_dirs',`
- 	gen_require(`
- 		type file_t;
- 	')
- 
--	delete_files_pattern($1, file_t, file_t)
-+	allow $1 file_t:dir manage_dir_perms;
- ')
- 
- ########################################
- ## <summary>
--##	Delete symbolic links on new filesystems
--##	that have not yet been labeled.
-+##	Mount a filesystem on a directory on new filesystems
-+##	that has not yet been labeled.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -3293,18 +3974,18 @@ interface(`files_delete_isid_type_files',`
- ##	</summary>
- ## </param>
- #
--interface(`files_delete_isid_type_symlinks',`
-+interface(`files_mounton_isid_type_dirs',`
- 	gen_require(`
- 		type file_t;
- 	')
- 
--	delete_lnk_files_pattern($1, file_t, file_t)
-+	allow $1 file_t:dir { search_dir_perms mounton };
- ')
- 
- ########################################
- ## <summary>
--##	Delete named pipes on new filesystems
--##	that have not yet been labeled.
-+##	Mount a filesystem on a new chr_file 
-+##	that has not yet been labeled.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -3312,17 +3993,17 @@ interface(`files_delete_isid_type_symlinks',`
- ##	</summary>
- ## </param>
- #
--interface(`files_delete_isid_type_fifo_files',`
-+interface(`files_mounton_isid_type_chr_file',`
- 	gen_require(`
--		type file_t;
-+		type unlabeled_t;
- 	')
- 
--	delete_fifo_files_pattern($1, file_t, file_t)
-+	allow $1 unlabeled_t:chr_file mounton;
- ')
- 
- ########################################
- ## <summary>
--##	Delete named sockets on new filesystems
-+##	Read files on new filesystems
- ##	that have not yet been labeled.
- ## </summary>
- ## <param name="domain">
-@@ -3331,17 +4012,17 @@ interface(`files_delete_isid_type_fifo_files',`
- ##	</summary>
- ## </param>
- #
--interface(`files_delete_isid_type_sock_files',`
-+interface(`files_read_isid_type_files',`
- 	gen_require(`
- 		type file_t;
- 	')
- 
--	delete_sock_files_pattern($1, file_t, file_t)
-+	allow $1 file_t:file read_file_perms;
- ')
- 
- ########################################
- ## <summary>
--##	Delete block files on new filesystems
-+##	Delete files on new filesystems
- ##	that have not yet been labeled.
- ## </summary>
- ## <param name="domain">
-@@ -3350,12 +4031,88 @@ interface(`files_delete_isid_type_sock_files',`
- ##	</summary>
- ## </param>
- #
--interface(`files_delete_isid_type_blk_files',`
-+interface(`files_delete_isid_type_files',`
- 	gen_require(`
- 		type file_t;
- 	')
- 
--	delete_blk_files_pattern($1, file_t, file_t)
-+	delete_files_pattern($1, file_t, file_t)
 +')
 +
 +########################################
 +## <summary>
-+##	Delete symbolic links on new filesystems
++##	Relabelfrom all file opbjects on new filesystems
 +##	that have not yet been labeled.
 +## </summary>
 +## <param name="domain">
@@ -11313,18 +13490,18 @@ index 64ff4d7..1e53061 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`files_delete_isid_type_symlinks',`
++interface(`files_relabelfrom_isid_type',`
 +	gen_require(`
 +		type file_t;
 +	')
 +
-+	delete_lnk_files_pattern($1, file_t, file_t)
++	dontaudit $1 file_t:dir_file_class_set relabelfrom;
 +')
 +
 +########################################
 +## <summary>
-+##	Delete named pipes on new filesystems
-+##	that have not yet been labeled.
++##	Create, read, write, and delete directories
++##	on new filesystems that have not yet been labeled.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
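Review bot: `files_relabelfrom_isid_type` is named and summarised as a relabelfrom grant, but its only rule is `dontaudit $1 file_t:dir_file_class_set relabelfrom;`, so a caller gets denials silenced rather than access. Either rename it to follow the `files_dontaudit_*` convention used elsewhere in this file and start the summary with "Do not audit attempts to", or change the rule to `allow` if access is what is intended. The summary text also carries a typo, "opbjects".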
@@ -11332,18 +13509,18 @@ index 64ff4d7..1e53061 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`files_delete_isid_type_fifo_files',`
++interface(`files_manage_isid_type_dirs',`
 +	gen_require(`
 +		type file_t;
 +	')
 +
-+	delete_fifo_files_pattern($1, file_t, file_t)
++	allow $1 file_t:dir manage_dir_perms;
 +')
 +
 +########################################
 +## <summary>
-+##	Delete named sockets on new filesystems
-+##	that have not yet been labeled.
++##	Mount a filesystem on a directory on new filesystems
++##	that has not yet been labeled.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@@ -11351,18 +13528,18 @@ index 64ff4d7..1e53061 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`files_delete_isid_type_sock_files',`
++interface(`files_mounton_isid_type_dirs',`
 +	gen_require(`
 +		type file_t;
 +	')
 +
-+	delete_sock_files_pattern($1, file_t, file_t)
++	allow $1 file_t:dir { search_dir_perms mounton };
 +')
 +
 +########################################
 +## <summary>
-+##	Delete block files on new filesystems
-+##	that have not yet been labeled.
++##	Mount a filesystem on a new chr_file 
++##	that has not yet been labeled.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@@ -11370,16 +13547,16 @@ index 64ff4d7..1e53061 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`files_delete_isid_type_blk_files',`
++interface(`files_mounton_isid_type_chr_file',`
 +	gen_require(`
-+		type file_t;
++		type unlabeled_t;
 +	')
 +
-+	delete_blk_files_pattern($1, file_t, file_t)
++	allow $1 unlabeled_t:chr_file mounton;
  ')
  
  ########################################
-@@ -3455,6 +4212,25 @@ interface(`files_rw_isid_type_blk_files',`
+@@ -3473,6 +4212,25 @@ interface(`files_rw_isid_type_blk_files',`
  
  ########################################
  ## <summary>
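Review bot: `files_mounton_isid_type_chr_file` requires `type unlabeled_t` and allows `unlabeled_t:chr_file mounton`, while the isid_type interfaces added just before it (`files_manage_isid_type_dirs`, `files_mounton_isid_type_dirs`) require and use `file_t`. If the two types are meant to be interchangeable here, use one of them consistently across the family; if the difference is deliberate, say so in the summary, because a reader of "has not yet been labeled" cannot tell which type a caller will end up with.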
@@ -11405,7 +13582,7 @@ index 64ff4d7..1e53061 100644
  ##	Create, read, write, and delete block device nodes
  ##	on new filesystems that have not yet been labeled.
  ## </summary>
-@@ -3534,6 +4310,27 @@ interface(`files_dontaudit_getattr_home_dir',`
+@@ -3552,6 +4310,27 @@ interface(`files_dontaudit_getattr_home_dir',`
  
  ########################################
  ## <summary>
@@ -11433,7 +13610,7 @@ index 64ff4d7..1e53061 100644
  ##	Search home directories root (/home).
  ## </summary>
  ## <param name="domain">
-@@ -3796,20 +4593,38 @@ interface(`files_list_mnt',`
+@@ -3814,20 +4593,38 @@ interface(`files_list_mnt',`
  
  ######################################
  ## <summary>
@@ -11477,7 +13654,7 @@ index 64ff4d7..1e53061 100644
  ')
  
  ########################################
-@@ -4199,6 +5014,172 @@ interface(`files_read_world_readable_sockets',`
+@@ -4217,6 +5014,172 @@ interface(`files_read_world_readable_sockets',`
  	allow $1 readable_t:sock_file read_sock_file_perms;
  ')
  
@@ -11650,7 +13827,7 @@ index 64ff4d7..1e53061 100644
  ########################################
  ## <summary>
  ##	Allow the specified type to associate
-@@ -4221,6 +5202,26 @@ interface(`files_associate_tmp',`
+@@ -4239,6 +5202,26 @@ interface(`files_associate_tmp',`
  
  ########################################
  ## <summary>
@@ -11677,7 +13854,7 @@ index 64ff4d7..1e53061 100644
  ##	Get the	attributes of the tmp directory (/tmp).
  ## </summary>
  ## <param name="domain">
-@@ -4234,17 +5235,37 @@ interface(`files_getattr_tmp_dirs',`
+@@ -4252,17 +5235,37 @@ interface(`files_getattr_tmp_dirs',`
  		type tmp_t;
  	')
  
@@ -11716,7 +13893,7 @@ index 64ff4d7..1e53061 100644
  ##	</summary>
  ## </param>
  #
-@@ -4271,6 +5292,7 @@ interface(`files_search_tmp',`
+@@ -4289,6 +5292,7 @@ interface(`files_search_tmp',`
  		type tmp_t;
  	')
  
@@ -11724,7 +13901,7 @@ index 64ff4d7..1e53061 100644
  	allow $1 tmp_t:dir search_dir_perms;
  ')
  
-@@ -4307,6 +5329,7 @@ interface(`files_list_tmp',`
+@@ -4325,6 +5329,7 @@ interface(`files_list_tmp',`
  		type tmp_t;
  	')
  
@@ -11732,7 +13909,7 @@ index 64ff4d7..1e53061 100644
  	allow $1 tmp_t:dir list_dir_perms;
  ')
  
-@@ -4316,7 +5339,7 @@ interface(`files_list_tmp',`
+@@ -4334,7 +5339,7 @@ interface(`files_list_tmp',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -11741,7 +13918,7 @@ index 64ff4d7..1e53061 100644
  ##	</summary>
  ## </param>
  #
-@@ -4328,6 +5351,25 @@ interface(`files_dontaudit_list_tmp',`
+@@ -4346,6 +5351,25 @@ interface(`files_dontaudit_list_tmp',`
  	dontaudit $1 tmp_t:dir list_dir_perms;
  ')
  
@@ -11767,7 +13944,7 @@ index 64ff4d7..1e53061 100644
  ########################################
  ## <summary>
  ##	Remove entries from the tmp directory.
-@@ -4343,6 +5385,7 @@ interface(`files_delete_tmp_dir_entry',`
+@@ -4361,6 +5385,7 @@ interface(`files_delete_tmp_dir_entry',`
  		type tmp_t;
  	')
  
@@ -11775,13 +13952,12 @@ index 64ff4d7..1e53061 100644
  	allow $1 tmp_t:dir del_entry_dir_perms;
  ')
  
-@@ -4384,25 +5427,33 @@ interface(`files_manage_generic_tmp_dirs',`
+@@ -4402,6 +5427,32 @@ interface(`files_manage_generic_tmp_dirs',`
  
  ########################################
  ## <summary>
--##	Manage temporary files and directories in /tmp.
 +##	Allow shared library text relocations in tmp files.
- ## </summary>
++## </summary>
 +## <desc>
 +##	<p>
 +##	Allow shared library text relocations in tmp files.
@@ -11790,58 +13966,26 @@ index 64ff4d7..1e53061 100644
 +##	This is added to support java policy.
 +##	</p>
 +## </desc>
- ## <param name="domain">
- ##	<summary>
- ##	Domain allowed access.
- ##	</summary>
- ## </param>
- #
--interface(`files_manage_generic_tmp_files',`
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
 +interface(`files_execmod_tmp',`
- 	gen_require(`
--		type tmp_t;
-+		attribute tmpfile;
- 	')
- 
--	manage_files_pattern($1, tmp_t, tmp_t)
-+	allow $1 tmpfile:file execmod;
- ')
- 
- ########################################
- ## <summary>
--##	Read symbolic links in the tmp directory (/tmp).
-+##	Manage temporary files and directories in /tmp.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -4410,7 +5461,25 @@ interface(`files_manage_generic_tmp_files',`
- ##	</summary>
- ## </param>
- #
--interface(`files_read_generic_tmp_symlinks',`
-+interface(`files_manage_generic_tmp_files',`
 +	gen_require(`
-+		type tmp_t;
++		attribute tmpfile;
 +	')
 +
-+	manage_files_pattern($1, tmp_t, tmp_t)
++	allow $1 tmpfile:file execmod;
 +')
 +
 +########################################
 +## <summary>
-+##	Read symbolic links in the tmp directory (/tmp).
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`files_read_generic_tmp_symlinks',`
- 	gen_require(`
- 		type tmp_t;
- 	')
-@@ -4438,6 +5507,42 @@ interface(`files_rw_generic_tmp_sockets',`
+ ##	Manage temporary files and directories in /tmp.
+ ## </summary>
+ ## <param name="domain">
+@@ -4456,6 +5507,42 @@ interface(`files_rw_generic_tmp_sockets',`
  
  ########################################
  ## <summary>
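Review bot: `files_execmod_tmp` requires `attribute tmpfile` and allows `tmpfile:file execmod`, which covers every type carrying that attribute rather than `tmp_t` alone, yet the summary only says "tmp files". execmod lets a domain execute a file mapping after it has been modified, so this is a wide grant for something the description ties to java policy. State the attribute-wide scope in the <desc> block, or narrow the rule to the tmp types the java domains actually need.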
@@ -11884,7 +14028,7 @@ index 64ff4d7..1e53061 100644
  ##	Set the attributes of all tmp directories.
  ## </summary>
  ## <param name="domain">
-@@ -4456,6 +5561,60 @@ interface(`files_setattr_all_tmp_dirs',`
+@@ -4474,6 +5561,60 @@ interface(`files_setattr_all_tmp_dirs',`
  
  ########################################
  ## <summary>
@@ -11945,7 +14089,7 @@ index 64ff4d7..1e53061 100644
  ##	List all tmp directories.
  ## </summary>
  ## <param name="domain">
-@@ -4501,7 +5660,7 @@ interface(`files_relabel_all_tmp_dirs',`
+@@ -4519,7 +5660,7 @@ interface(`files_relabel_all_tmp_dirs',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -11954,7 +14098,7 @@ index 64ff4d7..1e53061 100644
  ##	</summary>
  ## </param>
  #
-@@ -4561,7 +5720,7 @@ interface(`files_relabel_all_tmp_files',`
+@@ -4579,7 +5720,7 @@ interface(`files_relabel_all_tmp_files',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -11963,7 +14107,7 @@ index 64ff4d7..1e53061 100644
  ##	</summary>
  ## </param>
  #
-@@ -4593,6 +5752,44 @@ interface(`files_read_all_tmp_files',`
+@@ -4611,6 +5752,44 @@ interface(`files_read_all_tmp_files',`
  
  ########################################
  ## <summary>
@@ -12008,7 +14152,7 @@ index 64ff4d7..1e53061 100644
  ##	Create an object in the tmp directories, with a private
  ##	type using a type transition.
  ## </summary>
-@@ -4646,6 +5843,16 @@ interface(`files_purge_tmp',`
+@@ -4664,6 +5843,16 @@ interface(`files_purge_tmp',`
  	delete_lnk_files_pattern($1, tmpfile, tmpfile)
  	delete_fifo_files_pattern($1, tmpfile, tmpfile)
  	delete_sock_files_pattern($1, tmpfile, tmpfile)
@@ -12025,7 +14169,7 @@ index 64ff4d7..1e53061 100644
  ')
  
  ########################################
-@@ -5094,6 +6301,24 @@ interface(`files_create_kernel_symbol_table',`
+@@ -5112,6 +6301,24 @@ interface(`files_create_kernel_symbol_table',`
  
  ########################################
  ## <summary>
@@ -12050,7 +14194,7 @@ index 64ff4d7..1e53061 100644
  ##	Read system.map in the /boot directory.
  ## </summary>
  ## <param name="domain">
-@@ -5223,6 +6448,24 @@ interface(`files_list_var',`
+@@ -5241,6 +6448,24 @@ interface(`files_list_var',`
  
  ########################################
  ## <summary>
@@ -12075,7 +14219,7 @@ index 64ff4d7..1e53061 100644
  ##	Create, read, write, and delete directories
  ##	in the /var directory.
  ## </summary>
-@@ -5310,7 +6553,7 @@ interface(`files_dontaudit_rw_var_files',`
+@@ -5328,7 +6553,7 @@ interface(`files_dontaudit_rw_var_files',`
  		type var_t;
  	')
  
@@ -12084,7 +14228,7 @@ index 64ff4d7..1e53061 100644
  ')
  
  ########################################
-@@ -5507,6 +6750,23 @@ interface(`files_rw_var_lib_dirs',`
+@@ -5525,6 +6750,23 @@ interface(`files_rw_var_lib_dirs',`
  	rw_dirs_pattern($1, var_lib_t, var_lib_t)
  ')
  
@@ -12108,7 +14252,7 @@ index 64ff4d7..1e53061 100644
  ########################################
  ## <summary>
  ##	Create objects in the /var/lib directory
-@@ -5578,6 +6838,25 @@ interface(`files_read_var_lib_symlinks',`
+@@ -5596,6 +6838,25 @@ interface(`files_read_var_lib_symlinks',`
  	read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t)
  ')
  
@@ -12134,7 +14278,7 @@ index 64ff4d7..1e53061 100644
  # cjp: the next two interfaces really need to be fixed
  # in some way.  They really neeed their own types.
  
-@@ -5623,7 +6902,7 @@ interface(`files_manage_mounttab',`
+@@ -5641,7 +6902,7 @@ interface(`files_manage_mounttab',`
  
  ########################################
  ## <summary>
@@ -12143,7 +14287,7 @@ index 64ff4d7..1e53061 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5631,12 +6910,13 @@ interface(`files_manage_mounttab',`
+@@ -5649,12 +6910,13 @@ interface(`files_manage_mounttab',`
  ##	</summary>
  ## </param>
  #
@@ -12159,7 +14303,7 @@ index 64ff4d7..1e53061 100644
  ')
  
  ########################################
-@@ -5654,6 +6934,7 @@ interface(`files_search_locks',`
+@@ -5672,6 +6934,7 @@ interface(`files_search_locks',`
  		type var_t, var_lock_t;
  	')
  
@@ -12167,7 +14311,7 @@ index 64ff4d7..1e53061 100644
  	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
  	search_dirs_pattern($1, var_t, var_lock_t)
  ')
-@@ -5680,7 +6961,26 @@ interface(`files_dontaudit_search_locks',`
+@@ -5698,7 +6961,26 @@ interface(`files_dontaudit_search_locks',`
  
  ########################################
  ## <summary>
@@ -12195,7 +14339,7 @@ index 64ff4d7..1e53061 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5688,13 +6988,12 @@ interface(`files_dontaudit_search_locks',`
+@@ -5706,13 +6988,12 @@ interface(`files_dontaudit_search_locks',`
  ##	</summary>
  ## </param>
  #
@@ -12212,7 +14356,7 @@ index 64ff4d7..1e53061 100644
  ')
  
  ########################################
-@@ -5713,7 +7012,7 @@ interface(`files_rw_lock_dirs',`
+@@ -5731,7 +7012,7 @@ interface(`files_rw_lock_dirs',`
  		type var_t, var_lock_t;
  	')
  
@@ -12221,7 +14365,7 @@ index 64ff4d7..1e53061 100644
  	rw_dirs_pattern($1, var_t, var_lock_t)
  ')
  
-@@ -5746,7 +7045,6 @@ interface(`files_create_lock_dirs',`
+@@ -5764,7 +7045,6 @@ interface(`files_create_lock_dirs',`
  ##	Domain allowed access.
  ##	</summary>
  ## </param>
@@ -12229,7 +14373,7 @@ index 64ff4d7..1e53061 100644
  #
  interface(`files_relabel_all_lock_dirs',`
  	gen_require(`
-@@ -5761,7 +7059,7 @@ interface(`files_relabel_all_lock_dirs',`
+@@ -5779,7 +7059,7 @@ interface(`files_relabel_all_lock_dirs',`
  
  ########################################
  ## <summary>
@@ -12238,7 +14382,7 @@ index 64ff4d7..1e53061 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5769,13 +7067,33 @@ interface(`files_relabel_all_lock_dirs',`
+@@ -5787,13 +7067,33 @@ interface(`files_relabel_all_lock_dirs',`
  ##	</summary>
  ## </param>
  #
@@ -12273,7 +14417,7 @@ index 64ff4d7..1e53061 100644
  	allow $1 var_lock_t:dir list_dir_perms;
  	getattr_files_pattern($1, var_lock_t, var_lock_t)
  ')
-@@ -5791,13 +7109,12 @@ interface(`files_getattr_generic_locks',`
+@@ -5809,13 +7109,12 @@ interface(`files_getattr_generic_locks',`
  ## </param>
  #
  interface(`files_delete_generic_locks',`
@@ -12291,7 +14435,7 @@ index 64ff4d7..1e53061 100644
  ')
  
  ########################################
-@@ -5816,9 +7133,7 @@ interface(`files_manage_generic_locks',`
+@@ -5834,9 +7133,7 @@ interface(`files_manage_generic_locks',`
  		type var_t, var_lock_t;
  	')
  
@@ -12302,7 +14446,7 @@ index 64ff4d7..1e53061 100644
  	manage_files_pattern($1, var_lock_t, var_lock_t)
  ')
  
-@@ -5860,8 +7175,7 @@ interface(`files_read_all_locks',`
+@@ -5878,8 +7175,7 @@ interface(`files_read_all_locks',`
  		type var_t, var_lock_t;
  	')
  
@@ -12312,7 +14456,7 @@ index 64ff4d7..1e53061 100644
  	allow $1 lockfile:dir list_dir_perms;
  	read_files_pattern($1, lockfile, lockfile)
  	read_lnk_files_pattern($1, lockfile, lockfile)
-@@ -5883,8 +7197,7 @@ interface(`files_manage_all_locks',`
+@@ -5901,8 +7197,7 @@ interface(`files_manage_all_locks',`
  		type var_t, var_lock_t;
  	')
  
@@ -12322,7 +14466,7 @@ index 64ff4d7..1e53061 100644
  	manage_dirs_pattern($1, lockfile, lockfile)
  	manage_files_pattern($1, lockfile, lockfile)
  	manage_lnk_files_pattern($1, lockfile, lockfile)
-@@ -5921,8 +7234,7 @@ interface(`files_lock_filetrans',`
+@@ -5939,8 +7234,7 @@ interface(`files_lock_filetrans',`
  		type var_t, var_lock_t;
  	')
  
@@ -12332,7 +14476,7 @@ index 64ff4d7..1e53061 100644
  	filetrans_pattern($1, var_lock_t, $2, $3, $4)
  ')
  
-@@ -5961,7 +7273,7 @@ interface(`files_setattr_pid_dirs',`
+@@ -5979,7 +7273,7 @@ interface(`files_setattr_pid_dirs',`
  		type var_run_t;
  	')
  
@@ -12341,7 +14485,7 @@ index 64ff4d7..1e53061 100644
  	allow $1 var_run_t:dir setattr;
  ')
  
-@@ -5981,33 +7293,90 @@ interface(`files_search_pids',`
+@@ -5999,10 +7293,48 @@ interface(`files_search_pids',`
  		type var_t, var_run_t;
  	')
  
@@ -12350,40 +14494,26 @@ index 64ff4d7..1e53061 100644
  	search_dirs_pattern($1, var_t, var_run_t)
  ')
  
--########################################
 +######################################
- ## <summary>
--##	Do not audit attempts to search
--##	the /var/run directory.
++## <summary>
 +## Add and remove entries from pid directories.
- ## </summary>
- ## <param name="domain">
--##	<summary>
--##	Domain to not audit.
--##	</summary>
++## </summary>
++## <param name="domain">
 +## <summary>
 +## Domain allowed access.
 +## </summary>
- ## </param>
- #
--interface(`files_dontaudit_search_pids',`
--	gen_require(`
--		type var_run_t;
--	')
++## </param>
++#
 +interface(`files_rw_pid_dirs',`
 +    gen_require(`
 +        type var_run_t;
 +    ')
- 
--	dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
--	dontaudit $1 var_run_t:dir search_dir_perms;
++
 +    allow $1 var_run_t:dir rw_dir_perms;
- ')
- 
--########################################
++')
++
 +#######################################
- ## <summary>
--##	List the contents of the runtime process
++## <summary>
 +##      Create generic pid directory.
 +## </summary>
 +## <param name="domain">
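Review bot: `files_rw_pid_dirs` is indented with spaces (`    gen_require(`, `    allow $1 var_run_t:dir rw_dir_perms;`) and leaves the <summary> nested under <param> unindented, while the other interfaces in this file use tabs throughout (`##	<summary>`, `	gen_require(`). Convert these lines to tabs so the block matches the surrounding interfaces.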
@@ -12401,70 +14531,100 @@ index 64ff4d7..1e53061 100644
 +        allow $1 var_run_t:dir create_dir_perms;
 +')
 +
+ ########################################
+ ## <summary>
+ ##	Do not audit attempts to search
+@@ -6025,40 +7357,77 @@ interface(`files_dontaudit_search_pids',`
+ 
+ ########################################
+ ## <summary>
+-##	List the contents of the runtime process
+-##	ID directories (/var/run).
++##	Do not audit attempts to search
++##	the all /var/run directory.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain allowed access.
++##	Domain to not audit.
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_list_pids',`
++interface(`files_dontaudit_search_all_pids',`
+ 	gen_require(`
+-		type var_t, var_run_t;
++		attribute pidfile;
+ 	')
+ 
+-	allow $1 var_run_t:lnk_file read_lnk_file_perms;
+-	list_dirs_pattern($1, var_t, var_run_t)
++	dontaudit $1 pidfile:dir search_dir_perms;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Read generic process ID files.
++##	Allow search the all /var/run directory.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain allowed access.
++##	Domain to not audit.
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_read_generic_pids',`
++interface(`files_search_all_pids',`
+ 	gen_require(`
+-		type var_t, var_run_t;
++		attribute pidfile;
+ 	')
+ 
+-	allow $1 var_run_t:lnk_file read_lnk_file_perms;
++	allow $1 pidfile:dir search_dir_perms;
++')
++
 +########################################
 +## <summary>
-+##	Do not audit attempts to search
-+##	the /var/run directory.
++##	List the contents of the runtime process
++##	ID directories (/var/run).
 +## </summary>
 +## <param name="domain">
 +##	<summary>
-+##	Domain to not audit.
++##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
-+interface(`files_dontaudit_search_pids',`
++interface(`files_list_pids',`
 +	gen_require(`
-+		type var_run_t;
++		type var_t, var_run_t;
 +	')
 +
-+	dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
-+	dontaudit $1 var_run_t:dir search_dir_perms;
++	files_search_pids($1)
++	list_dirs_pattern($1, var_t, var_run_t)
 +')
 +
 +########################################
 +## <summary>
-+##	Do not audit attempts to search
-+##	the all /var/run directory.
++##	Read generic process ID files.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
-+##	Domain to not audit.
++##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
-+interface(`files_dontaudit_search_all_pids',`
++interface(`files_read_generic_pids',`
 +	gen_require(`
-+		attribute pidfile;
++		type var_t, var_run_t;
 +	')
 +
-+	dontaudit $1 pidfile:dir search_dir_perms;
-+')
-+
-+########################################
-+## <summary>
-+##	List the contents of the runtime process
- ##	ID directories (/var/run).
- ## </summary>
- ## <param name="domain">
-@@ -6021,7 +7390,7 @@ interface(`files_list_pids',`
- 		type var_t, var_run_t;
- 	')
- 
--	allow $1 var_run_t:lnk_file read_lnk_file_perms;
-+	files_search_pids($1)
- 	list_dirs_pattern($1, var_t, var_run_t)
- ')
- 
-@@ -6040,7 +7409,7 @@ interface(`files_read_generic_pids',`
- 		type var_t, var_run_t;
- 	')
- 
--	allow $1 var_run_t:lnk_file read_lnk_file_perms;
 +	files_search_pids($1)
  	list_dirs_pattern($1, var_t, var_run_t)
  	read_files_pattern($1, var_run_t, var_run_t)
  ')
-@@ -6060,7 +7429,7 @@ interface(`files_write_generic_pid_pipes',`
+@@ -6078,7 +7447,7 @@ interface(`files_write_generic_pid_pipes',`
  		type var_run_t;
  	')
  
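Review bot: the new `files_search_all_pids` is an `allow` rule, but its param text reads "Domain to not audit.", carried over from `files_dontaudit_search_all_pids` directly above it; it should read "Domain allowed access." The summary "Allow search the all /var/run directory." is also ungrammatical and understates the scope, since `allow $1 pidfile:dir search_dir_perms;` applies to every directory type with the `pidfile` attribute. Something like "Search all pid directories." would match the rule, and the dontaudit variant's "the all /var/run directory" wants the same fix.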
@@ -12473,7 +14633,7 @@ index 64ff4d7..1e53061 100644
  	allow $1 var_run_t:fifo_file write;
  ')
  
-@@ -6122,7 +7491,6 @@ interface(`files_pid_filetrans',`
+@@ -6140,7 +7509,6 @@ interface(`files_pid_filetrans',`
  	')
  
  	allow $1 var_t:dir search_dir_perms;
@@ -12481,7 +14641,7 @@ index 64ff4d7..1e53061 100644
  	filetrans_pattern($1, var_run_t, $2, $3, $4)
  ')
  
-@@ -6151,6 +7519,24 @@ interface(`files_pid_filetrans_lock_dir',`
+@@ -6169,6 +7537,24 @@ interface(`files_pid_filetrans_lock_dir',`
  
  ########################################
  ## <summary>
@@ -12506,7 +14666,7 @@ index 64ff4d7..1e53061 100644
  ##	Read and write generic process ID files.
  ## </summary>
  ## <param name="domain">
-@@ -6164,7 +7550,7 @@ interface(`files_rw_generic_pids',`
+@@ -6182,7 +7568,7 @@ interface(`files_rw_generic_pids',`
  		type var_t, var_run_t;
  	')
  
@@ -12515,7 +14675,7 @@ index 64ff4d7..1e53061 100644
  	list_dirs_pattern($1, var_t, var_run_t)
  	rw_files_pattern($1, var_run_t, var_run_t)
  ')
-@@ -6231,55 +7617,43 @@ interface(`files_dontaudit_ioctl_all_pids',`
+@@ -6249,55 +7635,43 @@ interface(`files_dontaudit_ioctl_all_pids',`
  
  ########################################
  ## <summary>
@@ -12578,7 +14738,7 @@ index 64ff4d7..1e53061 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -6287,42 +7661,35 @@ interface(`files_delete_all_pids',`
+@@ -6305,42 +7679,35 @@ interface(`files_delete_all_pids',`
  ##	</summary>
  ## </param>
  #
@@ -12628,7 +14788,7 @@ index 64ff4d7..1e53061 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -6330,18 +7697,18 @@ interface(`files_manage_all_pids',`
+@@ -6348,18 +7715,18 @@ interface(`files_manage_all_pids',`
  ##	</summary>
  ## </param>
  #
@@ -12652,7 +14812,7 @@ index 64ff4d7..1e53061 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -6349,37 +7716,40 @@ interface(`files_mounton_all_poly_members',`
+@@ -6367,37 +7734,40 @@ interface(`files_mounton_all_poly_members',`
  ##	</summary>
  ## </param>
  #
@@ -12704,7 +14864,7 @@ index 64ff4d7..1e53061 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -6387,18 +7757,17 @@ interface(`files_dontaudit_search_spool',`
+@@ -6405,18 +7775,17 @@ interface(`files_dontaudit_search_spool',`
  ##	</summary>
  ## </param>
  #
@@ -12727,7 +14887,7 @@ index 64ff4d7..1e53061 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -6406,18 +7775,18 @@ interface(`files_list_spool',`
+@@ -6424,18 +7793,18 @@ interface(`files_list_spool',`
  ##	</summary>
  ## </param>
  #
@@ -12751,7 +14911,7 @@ index 64ff4d7..1e53061 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -6425,19 +7794,18 @@ interface(`files_manage_generic_spool_dirs',`
+@@ -6443,19 +7812,18 @@ interface(`files_manage_generic_spool_dirs',`
  ##	</summary>
  ## </param>
  #
@@ -12776,7 +14936,7 @@ index 64ff4d7..1e53061 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -6445,55 +7813,43 @@ interface(`files_read_generic_spool',`
+@@ -6463,55 +7831,112 @@ interface(`files_read_generic_spool',`
  ##	</summary>
  ## </param>
  #
@@ -12809,55 +14969,118 @@ index 64ff4d7..1e53061 100644
 -##	</summary>
 -## </param>
 -## <param name="class">
--##	<summary>
++## <rolecap/>
++#
++interface(`files_delete_all_pids',`
++	gen_require(`
++		attribute pidfile;
++		type var_t, var_run_t;
++	')
++
++	files_search_pids($1)
++	allow $1 var_t:dir search_dir_perms;
++	allow $1 var_run_t:dir rmdir;
++	allow $1 var_run_t:lnk_file delete_lnk_file_perms;
++	delete_files_pattern($1, pidfile, pidfile)
++	delete_fifo_files_pattern($1, pidfile, pidfile)
++	delete_sock_files_pattern($1, pidfile, { pidfile var_run_t })
++')
++
++########################################
++## <summary>
++##	Delete all process ID directories.
++## </summary>
++## <param name="domain">
+ ##	<summary>
 -##	Object class(es) (single or set including {}) for which this
 -##	the transition will occur.
--##	</summary>
--## </param>
++##	Domain allowed access.
+ ##	</summary>
+ ## </param>
 -## <param name="name" optional="true">
--##	<summary>
++#
++interface(`files_delete_all_pid_dirs',`
++	gen_require(`
++		attribute pidfile;
++		type var_t, var_run_t;
++	')
++
++	files_search_pids($1)
++	allow $1 var_t:dir search_dir_perms;
++	delete_dirs_pattern($1, pidfile, pidfile)
++')
++
++########################################
++## <summary>
++##	Make the specified type a file
++##	used for spool files.
++## </summary>
++## <desc>
++##	<p>
++##	Make the specified type usable for spool files.
++##	This will also make the type usable for files, making
++##	calls to files_type() redundant.  Failure to use this interface
++##	for a spool file may result in problems with
++##	purging spool files.
++##	</p>
++##	<p>
++##	Related interfaces:
++##	</p>
++##	<ul>
++##		<li>files_spool_filetrans()</li>
++##	</ul>
++##	<p>
++##	Example usage with a domain that can create and
++##	write its spool file in the system spool file
++##	directories (/var/spool):
++##	</p>
++##	<p>
++##	type myspoolfile_t;
++##	files_spool_file(myfile_spool_t)
++##	allow mydomain_t myfile_spool_t:file { create_file_perms write_file_perms };
++##	files_spool_filetrans(mydomain_t, myfile_spool_t, file)
++##	</p>
++## </desc>
++## <param name="file_type">
+ ##	<summary>
 -##	The name of the object being created.
--##	</summary>
--## </param>
-+## <rolecap/>
++##	Type of the file to be used as a
++##	spool file.
+ ##	</summary>
+ ## </param>
++## <infoflow type="none"/>
  #
 -interface(`files_spool_filetrans',`
-+interface(`files_delete_all_pids',`
++interface(`files_spool_file',`
  	gen_require(`
 -		type var_t, var_spool_t;
-+		attribute pidfile;
-+		type var_t, var_run_t;
++		attribute spoolfile;
  	')
  
-+	files_search_pids($1)
- 	allow $1 var_t:dir search_dir_perms;
+-	allow $1 var_t:dir search_dir_perms;
 -	filetrans_pattern($1, var_spool_t, $2, $3, $4)
-+	allow $1 var_run_t:dir rmdir;
-+	allow $1 var_run_t:lnk_file delete_lnk_file_perms;
-+	delete_files_pattern($1, pidfile, pidfile)
-+	delete_fifo_files_pattern($1, pidfile, pidfile)
-+	delete_sock_files_pattern($1, pidfile, { pidfile var_run_t })
++	files_type($1)
++	typeattribute $1 spoolfile;
  ')
  
  ########################################
  ## <summary>
 -##	Allow access to manage all polyinstantiated
 -##	directories on the system.
-+##	Delete all process ID directories.
++##	Create all spool sockets
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -6501,64 +7857,889 @@ interface(`files_spool_filetrans',`
+@@ -6519,53 +7944,17 @@ interface(`files_spool_filetrans',`
  ##	</summary>
  ## </param>
  #
 -interface(`files_polyinstantiate_all',`
-+interface(`files_delete_all_pid_dirs',`
++interface(`files_create_all_spool_sockets',`
  	gen_require(`
 -		attribute polydir, polymember, polyparent;
 -		type poly_t;
-+		attribute pidfile;
-+		type var_t, var_run_t;
++		attribute spoolfile;
  	')
  
 -	# Need to give access to /selinux/member
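Review bot: The usage example in the files_spool_file() desc block declares `type myspoolfile_t;` but the three lines after it all use `myfile_spool_t`, so the example as written refers to a type it never declares. Change the declaration to `type myfile_spool_t;` (or rename the later uses) so the documented snippet is consistent when someone copies it into a module.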
@@ -12896,96 +15119,25 @@ index 64ff4d7..1e53061 100644
 -		corecmd_exec_bin($1)
 -		seutil_domtrans_setfiles($1)
 -	')
-+	files_search_pids($1)
-+	allow $1 var_t:dir search_dir_perms;
-+	delete_dirs_pattern($1, pidfile, pidfile)
++	allow $1 spoolfile:sock_file create_sock_file_perms;
  ')
  
  ########################################
  ## <summary>
 -##	Unconfined access to files.
-+##	Make the specified type a file
-+##	used for spool files.
++##	Delete all spool sockets
  ## </summary>
--## <param name="domain">
-+## <desc>
-+##	<p>
-+##	Make the specified type usable for spool files.
-+##	This will also make the type usable for files, making
-+##	calls to files_type() redundant.  Failure to use this interface
-+##	for a spool file may result in problems with
-+##	purging spool files.
-+##	</p>
-+##	<p>
-+##	Related interfaces:
-+##	</p>
-+##	<ul>
-+##		<li>files_spool_filetrans()</li>
-+##	</ul>
-+##	<p>
-+##	Example usage with a domain that can create and
-+##	write its spool file in the system spool file
-+##	directories (/var/spool):
-+##	</p>
-+##	<p>
-+##	type myspoolfile_t;
-+##	files_spool_file(myfile_spool_t)
-+##	allow mydomain_t myfile_spool_t:file { create_file_perms write_file_perms };
-+##	files_spool_filetrans(mydomain_t, myfile_spool_t, file)
-+##	</p>
-+## </desc>
-+## <param name="file_type">
+ ## <param name="domain">
  ##	<summary>
--##	Domain allowed access.
-+##	Type of the file to be used as a
-+##	spool file.
+@@ -6573,10 +7962,802 @@ interface(`files_polyinstantiate_all',`
  ##	</summary>
  ## </param>
-+## <infoflow type="none"/>
  #
 -interface(`files_unconfined',`
-+interface(`files_spool_file',`
++interface(`files_delete_all_spool_sockets',`
  	gen_require(`
 -		attribute files_unconfined_type;
 +		attribute spoolfile;
- 	')
- 
--	typeattribute $1 files_unconfined_type;
-+	files_type($1)
-+	typeattribute $1 spoolfile;
-+')
-+
-+########################################
-+## <summary>
-+##	Create all spool sockets
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`files_create_all_spool_sockets',`
-+	gen_require(`
-+		attribute spoolfile;
-+	')
-+
-+	allow $1 spoolfile:sock_file create_sock_file_perms;
-+')
-+
-+########################################
-+## <summary>
-+##	Delete all spool sockets
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`files_delete_all_spool_sockets',`
-+	gen_require(`
-+		attribute spoolfile;
 +	')
 +
 +	allow $1 spoolfile:sock_file delete_sock_file_perms;
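Review bot: files_create_all_spool_sockets and files_delete_all_spool_sockets grant only sock_file permissions on the spoolfile attribute through a bare allow rule, with nothing for the directories that hold the sockets. files_delete_all_pids earlier in this same patch goes through files_search_pids() and delete_sock_files_pattern() instead. A caller of the new interfaces still needs separate directory access before it can create or unlink a socket, so either build them on the pattern macros or state the requirement in the summary. Both summaries ("Create all spool sockets", "Delete all spool sockets") are also missing the trailing period the neighbouring interfaces use.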
@@ -13232,10 +15384,10 @@ index 64ff4d7..1e53061 100644
 +interface(`files_unconfined',`
 +	gen_require(`
 +		attribute files_unconfined_type;
-+	')
-+
-+	typeattribute $1 files_unconfined_type;
-+')
+ 	')
+ 
+ 	typeattribute $1 files_unconfined_type;
+ ')
 +
 +########################################
 +## <summary>
@@ -13781,12 +15933,17 @@ index 64ff4d7..1e53061 100644
 +	')
 +
 +	allow $1 etc_t:service status;
- ')
++')
 diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
-index 148d87a..b5a89ba 100644
+index 1a03abd..b5a89ba 100644
 --- a/policy/modules/kernel/files.te
 +++ b/policy/modules/kernel/files.te
-@@ -5,12 +5,16 @@ policy_module(files, 1.17.5)
+@@ -1,16 +1,20 @@
+-policy_module(files, 1.18.1)
++policy_module(files, 1.17.5)
+ 
+ ########################################
+ #
  # Declarations
  #
  
@@ -13894,7 +16051,7 @@ index 148d87a..b5a89ba 100644
  files_mountpoint(root_t)
  files_poly_parent(root_t)
  kernel_rootfs_mountpoint(root_t)
-@@ -133,52 +156,63 @@ genfscon rootfs / gen_context(system_u:object_r:root_t,s0)
+@@ -133,45 +156,54 @@ genfscon rootfs / gen_context(system_u:object_r:root_t,s0)
  #
  type src_t;
  files_mountpoint(src_t)
@@ -13947,10 +16104,9 @@ index 148d87a..b5a89ba 100644
  type var_lock_t;
 +files_base_file(var_lock_t)
  files_lock_file(var_lock_t)
-+files_mountpoint(var_lock_t)
+ files_mountpoint(var_lock_t)
  
- #
- # var_run_t is the type of /var/run, usually
+@@ -180,6 +212,7 @@ files_mountpoint(var_lock_t)
  # used for pid and other runtime files.
  #
  type var_run_t;
@@ -13958,7 +16114,7 @@ index 148d87a..b5a89ba 100644
  files_pid_file(var_run_t)
  files_mountpoint(var_run_t)
  
-@@ -186,7 +220,9 @@ files_mountpoint(var_run_t)
+@@ -187,7 +220,9 @@ files_mountpoint(var_run_t)
  # var_spool_t is the type of /var/spool
  #
  type var_spool_t;
@@ -13968,7 +16124,7 @@ index 148d87a..b5a89ba 100644
  
  ########################################
  #
-@@ -225,10 +261,11 @@ fs_associate_tmpfs(tmpfsfile)
+@@ -226,10 +261,11 @@ fs_associate_tmpfs(tmpfsfile)
  # Create/access any file in a labeled filesystem;
  allow files_unconfined_type file_type:{ file chr_file } ~execmod;
  allow files_unconfined_type file_type:{ dir lnk_file sock_file fifo_file blk_file } *;
@@ -13982,7 +16138,7 @@ index 148d87a..b5a89ba 100644
  	allow files_unconfined_type file_type:file execmod;
  ')
 diff --git a/policy/modules/kernel/filesystem.fc b/policy/modules/kernel/filesystem.fc
-index cda5588..7b26d12 100644
+index d7c11a0..7b26d12 100644
 --- a/policy/modules/kernel/filesystem.fc
 +++ b/policy/modules/kernel/filesystem.fc
 @@ -1,9 +1,12 @@
@@ -14001,14 +16157,22 @@ index cda5588..7b26d12 100644
  /dev/shm/.*			<<none>>
  
  /lib/udev/devices/hugepages -d	gen_context(system_u:object_r:hugetlbfs_t,s0)
-@@ -12,5 +15,11 @@
+@@ -11,13 +14,12 @@
+ /lib/udev/devices/shm	-d	gen_context(system_u:object_r:tmpfs_t,s0)
  /lib/udev/devices/shm/.*	<<none>>
  
- # for systemd systems:
--/sys/fs/cgroup		-d	gen_context(system_u:object_r:cgroup_t,s0)
--/sys/fs/cgroup/.*		<<none>>
+-/sys/fs/cgroup	-d	gen_context(system_u:object_r:cgroup_t,s0)
+-/sys/fs/cgroup/.*	<<none>>
+-
+-/sys/fs/pstore	-d	gen_context(system_u:object_r:pstore_t,s0)
+-/sys/fs/pstore/.*	<<none>>
++# for systemd systems:
 +/sys/fs/cgroup(/.*)?		gen_context(system_u:object_r:cgroup_t,s0)
-+
+ 
+-ifdef(`distro_debian',`
+-/var/run/shm		-d	gen_context(system_u:object_r:tmpfs_t,s0)
+-/var/run/shm/.*			<<none>>
+-')
 +/usr/lib/udev/devices/hugepages -d	gen_context(system_u:object_r:hugetlbfs_t,s0)
 +/usr/lib/udev/devices/hugepages/.*	<<none>>
 +/usr/lib/udev/devices/shm	-d	gen_context(system_u:object_r:tmpfs_t,s0)
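Review bot: The rewritten filesystem.fc hunk now deletes upstream's `/sys/fs/pstore -d` and `/sys/fs/pstore/.*` entries and adds nothing for the pstorefs_t type that the filesystem.te part of this patch declares, so the pstore directory is left without any file context entry. Add an entry for it using pstorefs_t, or note in the changelog that the genfscon statement alone is relied on. The same hunk also removes the distro_debian /var/run/shm block; if that is only to keep the old Fedora layout of the file, leaving upstream's block in place would shrink the delta for the next rebase.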
@@ -15432,9 +17596,15 @@ index 8416beb..c6cd3eb 100644
 +	fs_tmpfs_filetrans($1, cgroup_t, lnk_file, "cpuacct")
 +')
 diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
-index 9e603f5..bf31a0e 100644
+index e7d1738..bf31a0e 100644
 --- a/policy/modules/kernel/filesystem.te
 +++ b/policy/modules/kernel/filesystem.te
+@@ -1,4 +1,4 @@
+-policy_module(filesystem, 1.17.2)
++policy_module(filesystem, 1.16.2)
+ 
+ ########################################
+ #
 @@ -26,14 +26,18 @@ fs_use_xattr ext2 gen_context(system_u:object_r:fs_t,s0);
  fs_use_xattr ext3 gen_context(system_u:object_r:fs_t,s0);
  fs_use_xattr ext4 gen_context(system_u:object_r:fs_t,s0);
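Review bot: The new first hunk for filesystem.te changes `policy_module(filesystem, 1.17.2)` to `1.16.2`, which moves the module version backwards from the upstream file this patch now applies to. The same downgrade is introduced for files (1.18.1 to 1.17.5), kernel (1.17.1 to 1.16.1), mcs (1.3.0 to 1.2.1), selinux (1.12.1 to 1.12.0) and terminal (1.11.1 to 1.10.1). It looks like a side effect of regenerating the diff against a newer base rather than an intended change, and it is not mentioned in the commit message. Drop these policy_module hunks so the modules keep the upstream version, or explain the reason for pinning the older numbers.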
@@ -15462,7 +17632,7 @@ index 9e603f5..bf31a0e 100644
  
  type bdev_t;
  fs_type(bdev_t)
-@@ -63,12 +68,18 @@ fs_type(binfmt_misc_fs_t)
+@@ -63,15 +68,22 @@ fs_type(binfmt_misc_fs_t)
  files_mountpoint(binfmt_misc_fs_t)
  genfscon binfmt_misc / gen_context(system_u:object_r:binfmt_misc_fs_t,s0)
  
@@ -15480,9 +17650,14 @@ index 9e603f5..bf31a0e 100644
 -type cgroup_t;
 +type cgroup_t alias cgroupfs_t;
  fs_type(cgroup_t)
- files_type(cgroup_t)
++files_type(cgroup_t)
  files_mountpoint(cgroup_t)
-@@ -89,6 +100,11 @@ fs_noxattr_type(ecryptfs_t)
+-dev_associate_sysfs(cgroup_t)
++dev_associate_sysfs(cgroup_t) # only for systemd systems
+ genfscon cgroup / gen_context(system_u:object_r:cgroup_t,s0)
+ 
+ type configfs_t;
+@@ -88,6 +100,11 @@ fs_noxattr_type(ecryptfs_t)
  files_mountpoint(ecryptfs_t)
  genfscon ecryptfs / gen_context(system_u:object_r:ecryptfs_t,s0)
  
@@ -15494,7 +17669,7 @@ index 9e603f5..bf31a0e 100644
  type futexfs_t;
  fs_type(futexfs_t)
  genfscon futexfs / gen_context(system_u:object_r:futexfs_t,s0)
-@@ -97,6 +113,7 @@ type hugetlbfs_t;
+@@ -96,6 +113,7 @@ type hugetlbfs_t;
  fs_type(hugetlbfs_t)
  files_mountpoint(hugetlbfs_t)
  fs_use_trans hugetlbfs gen_context(system_u:object_r:hugetlbfs_t,s0);
@@ -15502,7 +17677,7 @@ index 9e603f5..bf31a0e 100644
  
  type ibmasmfs_t;
  fs_type(ibmasmfs_t)
-@@ -119,12 +136,17 @@ genfscon mvfs / gen_context(system_u:object_r:mvfs_t,s0)
+@@ -118,17 +136,16 @@ genfscon mvfs / gen_context(system_u:object_r:mvfs_t,s0)
  
  type nfsd_fs_t;
  fs_type(nfsd_fs_t)
@@ -15513,14 +17688,18 @@ index 9e603f5..bf31a0e 100644
  fs_type(oprofilefs_t)
  genfscon oprofilefs / gen_context(system_u:object_r:oprofilefs_t,s0)
  
+-type pstore_t;
+-fs_type(pstore_t)
+-files_mountpoint(pstore_t)
+-dev_associate_sysfs(pstore_t)
+-genfscon pstore / gen_context(system_u:object_r:pstore_t,s0)
 +type pstorefs_t;
 +fs_type(pstorefs_t)
 +genfscon pstore / gen_context(system_u:object_r:pstorefs_t,s0)
-+
+ 
  type ramfs_t;
  fs_type(ramfs_t)
- files_mountpoint(ramfs_t)
-@@ -145,11 +167,6 @@ fs_type(spufs_t)
+@@ -150,11 +167,6 @@ fs_type(spufs_t)
  genfscon spufs / gen_context(system_u:object_r:spufs_t,s0)
  files_mountpoint(spufs_t)
  
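Review bot: Replacing upstream's pstore_t with pstorefs_t drops two calls that the removed declaration had, files_mountpoint() and dev_associate_sysfs(); the new type gets only fs_type() and the genfscon line. Either add both calls for pstorefs_t, or keep upstream's type and expose the Fedora name as an alias, as this patch already does with `type cgroup_t alias cgroupfs_t;`, so that rules written against either name keep working.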
@@ -15532,7 +17711,7 @@ index 9e603f5..bf31a0e 100644
  type sysv_t;
  fs_noxattr_type(sysv_t)
  files_mountpoint(sysv_t)
-@@ -167,6 +184,8 @@ type vxfs_t;
+@@ -172,16 +184,19 @@ type vxfs_t;
  fs_noxattr_type(vxfs_t)
  files_mountpoint(vxfs_t)
  genfscon vxfs / gen_context(system_u:object_r:vxfs_t,s0)
@@ -15541,7 +17720,10 @@ index 9e603f5..bf31a0e 100644
  
  #
  # tmpfs_t is the type for tmpfs filesystems
-@@ -176,6 +195,8 @@ fs_type(tmpfs_t)
+ #
+ type tmpfs_t;
+-dev_associate(tmpfs_t)
+ fs_type(tmpfs_t)
  files_type(tmpfs_t)
  files_mountpoint(tmpfs_t)
  files_poly_parent(tmpfs_t)
@@ -15550,7 +17732,7 @@ index 9e603f5..bf31a0e 100644
  
  # Use a transition SID based on the allocating task SID and the
  # filesystem SID to label inodes in the following filesystem types,
-@@ -255,6 +276,8 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0)
+@@ -261,6 +276,8 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0)
  type removable_t;
  allow removable_t noxattrfs:filesystem associate;
  fs_noxattr_type(removable_t)
@@ -15559,7 +17741,7 @@ index 9e603f5..bf31a0e 100644
  files_mountpoint(removable_t)
  
  #
-@@ -274,6 +297,7 @@ genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0)
+@@ -280,6 +297,7 @@ genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0)
  genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0)
  genfscon panfs / gen_context(system_u:object_r:nfs_t,s0)
  genfscon gadgetfs / gen_context(system_u:object_r:nfs_t,s0)
@@ -15576,7 +17758,7 @@ index 7be4ddf..f7021a0 100644
 +
 +/sys/class/net/ib.* 		gen_context(system_u:object_r:sysctl_net_t,s0)
 diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
-index 649e458..1debeb2 100644
+index e100d88..1debeb2 100644
 --- a/policy/modules/kernel/kernel.if
 +++ b/policy/modules/kernel/kernel.if
 @@ -126,6 +126,24 @@ interface(`kernel_setsched',`
@@ -15977,16 +18159,17 @@ index 649e458..1debeb2 100644
  ##	Allow caller to relabel unlabeled files.
  ## </summary>
  ## <param name="domain">
-@@ -2632,7 +2868,7 @@ interface(`kernel_sendrecv_unlabeled_association',`
- 	allow $1 unlabeled_t:association { sendto recvfrom };
+@@ -2630,6 +2866,9 @@ interface(`kernel_sendrecv_unlabeled_association',`
+ 	')
  
- 	# temporary hack until labeling on packets is supported
--	allow $1 unlabeled_t:packet { send recv };
+ 	allow $1 unlabeled_t:association { sendto recvfrom };
++
++	# temporary hack until labeling on packets is supported
 +#	allow $1 unlabeled_t:packet { send recv };
  ')
  
  ########################################
-@@ -2670,6 +2906,24 @@ interface(`kernel_dontaudit_sendrecv_unlabeled_association',`
+@@ -2667,6 +2906,24 @@ interface(`kernel_dontaudit_sendrecv_unlabeled_association',`
  
  ########################################
  ## <summary>
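Review bot: In kernel_sendrecv_unlabeled_association the patch now adds three lines that have no effect on policy: a blank line, the "temporary hack until labeling on packets is supported" comment, and the commented-out `allow $1 unlabeled_t:packet { send recv };`. The old hunk had an upstream packet rule to remove; the new base no longer has it, so these additions only carry a dead rule forward. Drop them, or if the rule is kept for reference, say in the comment why it is disabled.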
@@ -16011,7 +18194,7 @@ index 649e458..1debeb2 100644
  ##	Receive TCP packets from an unlabeled connection.
  ## </summary>
  ## <desc>
-@@ -2697,6 +2951,25 @@ interface(`kernel_tcp_recvfrom_unlabeled',`
+@@ -2694,6 +2951,25 @@ interface(`kernel_tcp_recvfrom_unlabeled',`
  
  ########################################
  ## <summary>
@@ -16037,7 +18220,7 @@ index 649e458..1debeb2 100644
  ##	Do not audit attempts to receive TCP packets from an unlabeled
  ##	connection.
  ## </summary>
-@@ -2806,6 +3079,33 @@ interface(`kernel_raw_recvfrom_unlabeled',`
+@@ -2803,6 +3079,33 @@ interface(`kernel_raw_recvfrom_unlabeled',`
  
  	allow $1 unlabeled_t:rawip_socket recvfrom;
  ')
@@ -16071,7 +18254,7 @@ index 649e458..1debeb2 100644
  
  ########################################
  ## <summary>
-@@ -2961,6 +3261,24 @@ interface(`kernel_relabelfrom_unlabeled_database',`
+@@ -2958,6 +3261,24 @@ interface(`kernel_relabelfrom_unlabeled_database',`
  
  ########################################
  ## <summary>
@@ -16096,7 +18279,7 @@ index 649e458..1debeb2 100644
  ##	Unconfined access to kernel module resources.
  ## </summary>
  ## <param name="domain">
-@@ -2975,5 +3293,300 @@ interface(`kernel_unconfined',`
+@@ -2972,5 +3293,300 @@ interface(`kernel_unconfined',`
  	')
  
  	typeattribute $1 kern_unconfined;
@@ -16399,9 +18582,15 @@ index 649e458..1debeb2 100644
 +	list_dirs_pattern($1, sysctl_vm_overcommit_t, sysctl_vm_overcommit_t)
  ')
 diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
-index 6fac350..cdc610d 100644
+index 8dbab4c..cdc610d 100644
 --- a/policy/modules/kernel/kernel.te
 +++ b/policy/modules/kernel/kernel.te
+@@ -1,4 +1,4 @@
+-policy_module(kernel, 1.17.1)
++policy_module(kernel, 1.16.1)
+ 
+ ########################################
+ #
 @@ -25,6 +25,9 @@ attribute kern_unconfined;
  # regular entries in proc
  attribute proc_type;
@@ -16743,9 +18932,15 @@ index b08a6e8..43d504b 100644
 +	refpolicywarn(`$0() has been deprecated, please remove mcs_constrained() instead.')
 +')
 diff --git a/policy/modules/kernel/mcs.te b/policy/modules/kernel/mcs.te
-index 5cbeb54..8067370 100644
+index 2da98c2..8067370 100644
 --- a/policy/modules/kernel/mcs.te
 +++ b/policy/modules/kernel/mcs.te
+@@ -1,4 +1,4 @@
+-policy_module(mcs, 1.3.0)
++policy_module(mcs, 1.2.1)
+ 
+ ########################################
+ #
 @@ -11,3 +11,4 @@ attribute mcssetcats;
  attribute mcswriteall;
  attribute mcsreadall;
@@ -16759,7 +18954,7 @@ index 7be4ddf..4d4c577 100644
 -# This module currently does not have any file contexts.
 +/selinux    -l	gen_context(system_u:object_r:security_t,s0)
 diff --git a/policy/modules/kernel/selinux.if b/policy/modules/kernel/selinux.if
-index 81440c5..a02d444 100644
+index 6d0811d..a02d444 100644
 --- a/policy/modules/kernel/selinux.if
 +++ b/policy/modules/kernel/selinux.if
 @@ -40,7 +40,7 @@ interface(`selinux_labeled_boolean',`
@@ -16827,17 +19022,17 @@ index 81440c5..a02d444 100644
  	allow $1 security_t:filesystem getattr;
  ')
  
-@@ -220,6 +234,9 @@ interface(`selinux_search_fs',`
+@@ -220,7 +234,9 @@ interface(`selinux_search_fs',`
  		type security_t;
  	')
  
 +	dev_getattr_sysfs_fs($1)
-+	dev_search_sysfs($1)
+ 	dev_search_sysfs($1)
 +	allow $1 security_t:lnk_file read_lnk_file_perms;
  	allow $1 security_t:dir search_dir_perms;
  ')
  
-@@ -243,6 +260,28 @@ interface(`selinux_dontaudit_search_fs',`
+@@ -244,6 +260,28 @@ interface(`selinux_dontaudit_search_fs',`
  
  ########################################
  ## <summary>
@@ -16866,7 +19061,7 @@ index 81440c5..a02d444 100644
  ##	Do not audit attempts to read
  ##	generic selinuxfs entries
  ## </summary>
-@@ -257,6 +296,7 @@ interface(`selinux_dontaudit_read_fs',`
+@@ -258,6 +296,7 @@ interface(`selinux_dontaudit_read_fs',`
  		type security_t;
  	')
  
@@ -16874,22 +19069,24 @@ index 81440c5..a02d444 100644
  	dontaudit $1 security_t:dir search_dir_perms;
  	dontaudit $1 security_t:file read_file_perms;
  ')
-@@ -278,6 +318,8 @@ interface(`selinux_get_enforce_mode',`
+@@ -279,7 +318,8 @@ interface(`selinux_get_enforce_mode',`
  		type security_t;
  	')
  
+-	dev_search_sysfs($1)
 +	selinux_get_fs_mount($1)
 +	allow $1 security_t:lnk_file read_lnk_file_perms;
  	allow $1 security_t:dir list_dir_perms;
  	allow $1 security_t:file read_file_perms;
  ')
-@@ -308,21 +350,9 @@ interface(`selinux_set_enforce_mode',`
+@@ -310,22 +350,9 @@ interface(`selinux_set_enforce_mode',`
  	gen_require(`
  		type security_t;
  		attribute can_setenforce;
 -		bool secure_mode_policyload;
  	')
  
+-	dev_search_sysfs($1)
 -	allow $1 security_t:dir list_dir_perms;
 -	allow $1 security_t:file rw_file_perms;
  	typeattribute $1 can_setenforce;
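Review bot: selinux_get_enforce_mode and selinux_set_enforce_mode now remove upstream's `dev_search_sysfs($1)`, while the other selinux.if interfaces touched by this patch (selinux_search_fs, selinux_load_policy, selinux_read_policy, the compute_* interfaces) keep it as context and add dev_getattr_sysfs_fs($1) next to it. Please confirm that selinux_get_fs_mount() and the rules attached to can_setenforce cover the sysfs search needed to reach the selinuxfs mount, or keep the call in these two interfaces for consistency. selinux_set_enforce_mode is also left as a bare typeattribute with no `bool secure_mode_policyload` requirement, so a short comment pointing at where the can_setenforce rules are gated would make that checkable from the interface.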
@@ -16905,7 +19102,7 @@ index 81440c5..a02d444 100644
  ')
  
  ########################################
-@@ -339,21 +369,14 @@ interface(`selinux_load_policy',`
+@@ -342,22 +369,14 @@ interface(`selinux_load_policy',`
  	gen_require(`
  		type security_t;
  		attribute can_load_policy;
@@ -16913,7 +19110,7 @@ index 81440c5..a02d444 100644
  	')
  
 +	dev_getattr_sysfs_fs($1)
-+	dev_search_sysfs($1)
+ 	dev_search_sysfs($1)
 +	allow $1 security_t:lnk_file read_lnk_file_perms;
  	allow $1 security_t:dir list_dir_perms;
  	allow $1 security_t:file rw_file_perms;
@@ -16930,17 +19127,17 @@ index 81440c5..a02d444 100644
  ')
  
  ########################################
-@@ -371,6 +394,9 @@ interface(`selinux_read_policy',`
+@@ -375,7 +394,9 @@ interface(`selinux_read_policy',`
  		type security_t;
  	')
  
 +	dev_getattr_sysfs_fs($1)
-+	dev_search_sysfs($1)
+ 	dev_search_sysfs($1)
 +	allow $1 security_t:lnk_file read_lnk_file_perms;
  	allow $1 security_t:dir list_dir_perms;
  	allow $1 security_t:file read_file_perms;
  	allow $1 security_t:security read_policy;
-@@ -433,17 +459,16 @@ interface(`selinux_set_boolean',`
+@@ -438,19 +459,16 @@ interface(`selinux_set_boolean',`
  interface(`selinux_set_generic_booleans',`
  	gen_require(`
  		type security_t;
@@ -16949,7 +19146,8 @@ index 81440c5..a02d444 100644
  
 +	typeattribute $1 can_setbool;
 +	dev_getattr_sysfs_fs($1)
-+	dev_search_sysfs($1)
+ 	dev_search_sysfs($1)
+-
 +	allow $1 security_t:lnk_file read_lnk_file_perms;
  	allow $1 security_t:dir list_dir_perms;
  	allow $1 security_t:file rw_file_perms;
@@ -16963,7 +19161,7 @@ index 81440c5..a02d444 100644
  ')
  
  ########################################
-@@ -472,23 +497,16 @@ interface(`selinux_set_all_booleans',`
+@@ -479,25 +497,16 @@ interface(`selinux_set_all_booleans',`
  	gen_require(`
  		type security_t, secure_mode_policyload_t;
  		attribute boolean_type;
@@ -16973,7 +19171,8 @@ index 81440c5..a02d444 100644
  
 +	typeattribute $1 can_setbool;
 +	dev_getattr_sysfs_fs($1)
-+	dev_search_sysfs($1)
+ 	dev_search_sysfs($1)
+-
 +	allow $1 security_t:lnk_file read_lnk_file_perms;
  	allow $1 security_t:dir list_dir_perms;
 -	allow $1 { boolean_type -secure_mode_policyload_t }:file rw_file_perms;
@@ -16994,77 +19193,77 @@ index 81440c5..a02d444 100644
  ')
  
  ########################################
-@@ -519,6 +537,9 @@ interface(`selinux_set_parameters',`
+@@ -528,7 +537,9 @@ interface(`selinux_set_parameters',`
  		attribute can_setsecparam;
  	')
  
 +	dev_getattr_sysfs_fs($1)
-+	dev_search_sysfs($1)
+ 	dev_search_sysfs($1)
 +	allow $1 security_t:lnk_file read_lnk_file_perms;
  	allow $1 security_t:dir list_dir_perms;
  	allow $1 security_t:file rw_file_perms;
  	allow $1 security_t:security setsecparam;
-@@ -542,6 +563,9 @@ interface(`selinux_validate_context',`
+@@ -552,7 +563,9 @@ interface(`selinux_validate_context',`
  		type security_t;
  	')
  
 +	dev_getattr_sysfs_fs($1)
-+	dev_search_sysfs($1)
+ 	dev_search_sysfs($1)
 +	allow $1 security_t:lnk_file read_lnk_file_perms;
  	allow $1 security_t:dir list_dir_perms;
  	allow $1 security_t:file rw_file_perms;
  	allow $1 security_t:security check_context;
-@@ -584,6 +608,9 @@ interface(`selinux_compute_access_vector',`
+@@ -595,7 +608,9 @@ interface(`selinux_compute_access_vector',`
  		type security_t;
  	')
  
 +	dev_getattr_sysfs_fs($1)
-+	dev_search_sysfs($1)
+ 	dev_search_sysfs($1)
 +	allow $1 security_t:lnk_file read_lnk_file_perms;
  	allow $1 security_t:dir list_dir_perms;
  	allow $1 security_t:file rw_file_perms;
  	allow $1 security_t:security compute_av;
-@@ -605,6 +632,9 @@ interface(`selinux_compute_create_context',`
+@@ -617,7 +632,9 @@ interface(`selinux_compute_create_context',`
  		type security_t;
  	')
  
 +	dev_getattr_sysfs_fs($1)
-+	dev_search_sysfs($1)
+ 	dev_search_sysfs($1)
 +	allow $1 security_t:lnk_file read_lnk_file_perms;
  	allow $1 security_t:dir list_dir_perms;
  	allow $1 security_t:file rw_file_perms;
  	allow $1 security_t:security compute_create;
-@@ -626,6 +656,9 @@ interface(`selinux_compute_member',`
+@@ -639,7 +656,9 @@ interface(`selinux_compute_member',`
  		type security_t;
  	')
  
 +	dev_getattr_sysfs_fs($1)
-+	dev_search_sysfs($1)
+ 	dev_search_sysfs($1)
 +	allow $1 security_t:lnk_file read_lnk_file_perms;
  	allow $1 security_t:dir list_dir_perms;
  	allow $1 security_t:file rw_file_perms;
  	allow $1 security_t:security compute_member;
-@@ -655,6 +688,9 @@ interface(`selinux_compute_relabel_context',`
+@@ -669,7 +688,9 @@ interface(`selinux_compute_relabel_context',`
  		type security_t;
  	')
  
 +	dev_getattr_sysfs_fs($1)
-+	dev_search_sysfs($1)
+ 	dev_search_sysfs($1)
 +	allow $1 security_t:lnk_file read_lnk_file_perms;
  	allow $1 security_t:dir list_dir_perms;
  	allow $1 security_t:file rw_file_perms;
  	allow $1 security_t:security compute_relabel;
-@@ -675,6 +711,9 @@ interface(`selinux_compute_user_contexts',`
+@@ -690,7 +711,9 @@ interface(`selinux_compute_user_contexts',`
  		type security_t;
  	')
  
 +	dev_getattr_sysfs_fs($1)
-+	dev_search_sysfs($1)
+ 	dev_search_sysfs($1)
 +	allow $1 security_t:lnk_file read_lnk_file_perms;
  	allow $1 security_t:dir list_dir_perms;
  	allow $1 security_t:file rw_file_perms;
  	allow $1 security_t:security compute_user;
-@@ -696,4 +735,29 @@ interface(`selinux_unconfined',`
+@@ -712,4 +735,29 @@ interface(`selinux_unconfined',`
  	')
  
  	typeattribute $1 selinux_unconfined_type;
@@ -17095,9 +19294,15 @@ index 81440c5..a02d444 100644
  ')
 +
 diff --git a/policy/modules/kernel/selinux.te b/policy/modules/kernel/selinux.te
-index 522ab32..85f484d 100644
+index e0a973b..85f484d 100644
 --- a/policy/modules/kernel/selinux.te
 +++ b/policy/modules/kernel/selinux.te
+@@ -1,4 +1,4 @@
+-policy_module(selinux, 1.12.1)
++policy_module(selinux, 1.12.0)
+ 
+ ########################################
+ #
 @@ -17,6 +17,7 @@ gen_bool(secure_mode_policyload,false)
  attribute boolean_type;
  attribute can_load_policy;
@@ -17207,7 +19412,7 @@ index 54f1827..39faa3f 100644
 +/usr/lib/udev/devices/loop.* -b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
 +/usr/lib/udev/devices/fuse   -c	gen_context(system_u:object_r:fuse_device_t,s0)
 diff --git a/policy/modules/kernel/storage.if b/policy/modules/kernel/storage.if
-index 1700ef2..ca6c727 100644
+index 64c4cd0..ca6c727 100644
 --- a/policy/modules/kernel/storage.if
 +++ b/policy/modules/kernel/storage.if
 @@ -22,6 +22,26 @@ interface(`storage_getattr_fixed_disk_dev',`
@@ -17262,10 +19467,25 @@ index 1700ef2..ca6c727 100644
  	dev_add_entry_generic_dirs($1)
  ')
  
-@@ -269,6 +293,48 @@ interface(`storage_dev_filetrans_fixed_disk',`
- 	dev_filetrans($1, fixed_disk_device_t, blk_file)
- ')
+@@ -260,18 +284,55 @@ interface(`storage_manage_fixed_disk',`
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+-## <param name="filename" optional="true">
+-##	<summary>
+-##	Optional filename of the block device to be created
+-##	</summary>
+-## </param>
+ #
+ interface(`storage_dev_filetrans_fixed_disk',`
+ 	gen_require(`
+ 		type fixed_disk_device_t;
+ 	')
  
+-	dev_filetrans($1, fixed_disk_device_t, blk_file, $2)
++	dev_filetrans($1, fixed_disk_device_t, blk_file)
++')
++
 +#######################################
 +## <summary>
 +##  Create block devices in /dev with the fixed disk type
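Review bot: storage_dev_filetrans_fixed_disk loses upstream's optional filename parameter here: the param block for "filename" is deleted and `dev_filetrans($1, fixed_disk_device_t, blk_file, $2)` becomes the three-argument form. A caller that passes a name gets it dropped without any warning, which widens the transition from one named node to every block device the domain creates in /dev. Keep upstream's `$2` and its param documentation; the call behaves the same as the three-argument form when the argument is omitted.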
@@ -17306,12 +19526,10 @@ index 1700ef2..ca6c727 100644
 +	dev_filetrans($1, fixed_disk_device_t, chr_file, "raw7")
 +	dev_filetrans($1, fixed_disk_device_t, chr_file, "raw8")
 +	dev_filetrans($1, fixed_disk_device_t, chr_file, "raw9")
-+')
-+
+ ')
+ 
  ########################################
- ## <summary>
- ##	Create block devices in on a tmpfs filesystem with the
-@@ -290,6 +356,25 @@ interface(`storage_tmpfs_filetrans_fixed_disk',`
+@@ -295,6 +356,25 @@ interface(`storage_tmpfs_filetrans_fixed_disk',`
  
  ########################################
  ## <summary>
@@ -17337,7 +19555,7 @@ index 1700ef2..ca6c727 100644
  ##	Relabel fixed disk device nodes.
  ## </summary>
  ## <param name="domain">
-@@ -711,6 +796,24 @@ interface(`storage_dontaudit_raw_write_removable_device',`
+@@ -716,6 +796,24 @@ interface(`storage_dontaudit_raw_write_removable_device',`
  	dontaudit $1 removable_device_t:blk_file write_blk_file_perms;
  ')
  
@@ -17362,7 +19580,7 @@ index 1700ef2..ca6c727 100644
  ########################################
  ## <summary>
  ##	Allow the caller to directly read
-@@ -808,3 +911,452 @@ interface(`storage_unconfined',`
+@@ -813,3 +911,452 @@ interface(`storage_unconfined',`
  
  	typeattribute $1 storage_unconfined_type;
  ')
@@ -17830,10 +20048,10 @@ index 156c333..02f5a3c 100644
 +	dev_manage_generic_blk_files(fixed_disk_raw_write)
 +')
 diff --git a/policy/modules/kernel/terminal.fc b/policy/modules/kernel/terminal.fc
-index 7d45d15..a3e5a1e 100644
+index 0ea25b6..a3e5a1e 100644
 --- a/policy/modules/kernel/terminal.fc
 +++ b/policy/modules/kernel/terminal.fc
-@@ -14,11 +14,13 @@
+@@ -14,12 +14,13 @@
  /dev/ip2[^/]*		-c	gen_context(system_u:object_r:tty_device_t,s0)
  /dev/isdn.*		-c	gen_context(system_u:object_r:tty_device_t,s0)
  /dev/ptmx		-c	gen_context(system_u:object_r:ptmx_t,s0)
@@ -17843,12 +20061,13 @@ index 7d45d15..a3e5a1e 100644
 +/dev/sclp_line[0-9]+    -c  gen_context(system_u:object_r:tty_device_t,s0)
  /dev/tty		-c	gen_context(system_u:object_r:devtty_t,s0)
  /dev/ttySG.*		-c	gen_context(system_u:object_r:tty_device_t,s0)
+-/dev/vport[0-9]p[0-9]+	-c	gen_context(system_u:object_r:virtio_device_t,s0)
 +/dev/ttyUSB[0-9]+	-c	gen_context(system_u:object_r:usbtty_device_t,s0)
 +/dev/vport[0-9]p[0-9]+  -c	gen_context(system_u:object_r:virtio_device_t,s0)
  /dev/xvc[^/]*		-c	gen_context(system_u:object_r:tty_device_t,s0)
  
  /dev/pty/.*		-c	gen_context(system_u:object_r:bsdpty_device_t,s0)
-@@ -41,3 +43,7 @@ ifdef(`distro_gentoo',`
+@@ -42,3 +43,7 @@ ifdef(`distro_gentoo',`
  # used by init scripts to initally populate udev /dev
  /lib/udev/devices/console -c	gen_context(system_u:object_r:console_device_t,s0)
  ')
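Review bot: The `/dev/vport[0-9]p[0-9]+` entry is now removed and re-added with the same class and the same virtio_device_t context, differing only in spaces versus a tab before `-c`. Since upstream ships this line, drop both the removal and the re-addition so the terminal.fc delta is limited to the sclp_line and ttyUSB entries the patch actually introduces.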
@@ -17857,7 +20076,7 @@ index 7d45d15..a3e5a1e 100644
 +
 +/usr/lib/udev/devices/pts -d	gen_context(system_u:object_r:devpts_t,s0-mls_systemhigh)
 diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
-index 771bce1..e3722ab 100644
+index cbb729b..e3722ab 100644
 --- a/policy/modules/kernel/terminal.if
 +++ b/policy/modules/kernel/terminal.if
 @@ -124,7 +124,7 @@ interface(`term_user_tty',`
@@ -18233,11 +20452,10 @@ index 771bce1..e3722ab 100644
  ##	</summary>
  ## </param>
  #
-@@ -1512,3 +1712,436 @@ interface(`term_dontaudit_use_all_user_ttys',`
- 	refpolicywarn(`$0() is deprecated, use term_dontaudit_use_all_ttys() instead.')
+@@ -1513,21 +1713,435 @@ interface(`term_dontaudit_use_all_user_ttys',`
  	term_dontaudit_use_all_ttys($1)
  ')
-+
+ 
 +####################################
 +## <summary>
 +##      Getattr on the virtio console.
@@ -18256,17 +20474,27 @@ index 771bce1..e3722ab 100644
 +        allow $1 virtio_device_t:chr_file getattr_chr_file_perms;
 +')
 +
-+#####################################
-+## <summary>
+ #####################################
+ ## <summary>
+-##	Read from and write virtio console.
 +##      Read from and write to the virtio console.
-+## </summary>
-+## <param name="domain">
+ ## </summary>
+ ## <param name="domain">
+-##	<summary>
+-##	Domain allowed access.
+-##	</summary>
 +##      <summary>
 +##      Domain allowed access.
 +##      </summary>
-+## </param>
-+#
-+interface(`term_use_virtio_console',`
+ ## </param>
+ #
+ interface(`term_use_virtio_console',`
+-	gen_require(`
+-		type virtio_device_t;
+-	')
+-
+-	dev_list_all_dev_nodes($1)
+-	allow $1 virtio_device_t:chr_file rw_term_perms;
 +        gen_require(`
 +                type virtio_device_t;
 +        ')
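Review bot: in term_use_virtio_console the rebased hunk removes the base's tab-indented lines ("gen_require(", "type virtio_device_t;") only to add the same lines back indented with eight spaces, so apart from the reworded summary the visible changes are whitespace. Keep the base's indentation and limit the hunk to the summary line; whitespace-only churn in an interface the base also carries is what makes the next rebase conflict. The removed body also holds "dev_list_all_dev_nodes($1)" and the rw_term_perms allow rule, and the added body is cut off here after gen_require, so check that both survive in the replacement.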
@@ -18669,11 +20897,17 @@ index 771bce1..e3722ab 100644
 +	dev_filetrans($1, tty_device_t, chr_file, "xvc7")
 +	dev_filetrans($1, tty_device_t, chr_file, "xvc8")
 +	dev_filetrans($1, tty_device_t, chr_file, "xvc9")
-+')
+ ')
 diff --git a/policy/modules/kernel/terminal.te b/policy/modules/kernel/terminal.te
-index c0b88bf..a97d7cc 100644
+index 66e116a..a97d7cc 100644
 --- a/policy/modules/kernel/terminal.te
 +++ b/policy/modules/kernel/terminal.te
+@@ -1,4 +1,4 @@
+-policy_module(terminal, 1.11.1)
++policy_module(terminal, 1.10.1)
+ 
+ ########################################
+ #
 @@ -29,6 +29,7 @@ files_mountpoint(devpts_t)
  fs_associate_tmpfs(devpts_t)
  fs_type(devpts_t)
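Review bot: the new first hunk for terminal.te turns "policy_module(terminal, 1.11.1)" back into 1.10.1, so after the rebase the patch lowers the module version below what the new base ships. The same rollback appears in the policy_module() lines for staff, sysadm, unprivuser, postgresql, ssh, xserver and authlogin in this patch. Unless something depends on the old numbers, drop these one-line hunks and keep the base versions; a version that moves backward while the rules grow is misleading when installed modules are compared against the base.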
@@ -18682,7 +20916,7 @@ index c0b88bf..a97d7cc 100644
  
  #
  # devtty_t is the type of /dev/tty.
-@@ -54,5 +55,11 @@ dev_node(tty_device_t)
+@@ -54,8 +55,11 @@ dev_node(tty_device_t)
  #
  # usbtty_device_t is the type of /dev/usr/tty*
  #
@@ -18690,12 +20924,12 @@ index c0b88bf..a97d7cc 100644
 -dev_node(usbtty_device_t)
 +type usbtty_device_t;
 +term_tty(usbtty_device_t)
-+
+ 
 +#
 +# virtio_device_t is the type of /dev/vport[0-9]p[0-9]
 +#
-+type virtio_device_t, serial_device;
-+dev_node(virtio_device_t)
+ type virtio_device_t, serial_device;
+ dev_node(virtio_device_t)
 diff --git a/policy/modules/kernel/unlabelednet.fc b/policy/modules/kernel/unlabelednet.fc
 new file mode 100644
 index 0000000..f310b9d
@@ -18837,10 +21071,16 @@ index 234a940..d340f20 100644
  ########################################
  ## <summary>
 diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
-index 5da7870..147eab1 100644
+index 0fef1fc..147eab1 100644
 --- a/policy/modules/roles/staff.te
 +++ b/policy/modules/roles/staff.te
-@@ -8,12 +8,71 @@ policy_module(staff, 2.3.1)
+@@ -1,4 +1,4 @@
+-policy_module(staff, 2.4.0)
++policy_module(staff, 2.3.1)
+ 
+ ########################################
+ #
+@@ -8,12 +8,71 @@ policy_module(staff, 2.4.0)
  role staff_r;
  
  userdom_unpriv_user_template(staff)
@@ -19236,10 +21476,15 @@ index ff92430..36740ea 100644
  ## <summary>
  ##	Execute a generic bin program in the sysadm domain.
 diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
-index 88d0028..e49b8da 100644
+index 2522ca6..e49b8da 100644
 --- a/policy/modules/roles/sysadm.te
 +++ b/policy/modules/roles/sysadm.te
-@@ -5,39 +5,87 @@ policy_module(sysadm, 2.5.1)
+@@ -1,43 +1,91 @@
+-policy_module(sysadm, 2.6.1)
++policy_module(sysadm, 2.5.1)
+ 
+ ########################################
+ #
  # Declarations
  #
  
@@ -19422,21 +21667,18 @@ index 88d0028..e49b8da 100644
  	dmesg_exec(sysadm_t)
  ')
  
-@@ -156,11 +217,11 @@ optional_policy(`
+@@ -156,6 +217,10 @@ optional_policy(`
  ')
  
  optional_policy(`
--	fstools_run(sysadm_t, sysadm_r)
 +	firewalld_dbus_chat(sysadm_t)
++')
++
++optional_policy(`
+ 	fstools_run(sysadm_t, sysadm_r)
  ')
  
- optional_policy(`
--	git_role(sysadm_r, sysadm_t)
-+	fstools_run(sysadm_t, sysadm_r)
- ')
- 
- optional_policy(`
-@@ -179,6 +240,13 @@ optional_policy(`
+@@ -175,6 +240,13 @@ optional_policy(`
  	ipsec_stream_connect(sysadm_t)
  	# for lsof
  	ipsec_getattr_key_sockets(sysadm_t)
@@ -19450,7 +21692,7 @@ index 88d0028..e49b8da 100644
  ')
  
  optional_policy(`
-@@ -186,15 +254,20 @@ optional_policy(`
+@@ -182,15 +254,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -19462,19 +21704,19 @@ index 88d0028..e49b8da 100644
 -	libs_run_ldconfig(sysadm_t, sysadm_r)
 +	kerberos_exec_kadmind(sysadm_t)
 +	kerberos_filetrans_named_content(sysadm_t)
-+')
-+
-+optional_policy(`
-+	kudzu_run(sysadm_t, sysadm_r)
  ')
  
  optional_policy(`
 -	lockdev_role(sysadm_r, sysadm_t)
++	kudzu_run(sysadm_t, sysadm_r)
++')
++
++optional_policy(`
 +	libs_run_ldconfig(sysadm_t, sysadm_r)
  ')
  
  optional_policy(`
-@@ -214,22 +287,20 @@ optional_policy(`
+@@ -210,22 +287,20 @@ optional_policy(`
  	modutils_run_depmod(sysadm_t, sysadm_r)
  	modutils_run_insmod(sysadm_t, sysadm_r)
  	modutils_run_update_mods(sysadm_t, sysadm_r)
@@ -19503,7 +21745,7 @@ index 88d0028..e49b8da 100644
  ')
  
  optional_policy(`
-@@ -241,14 +312,28 @@ optional_policy(`
+@@ -237,14 +312,28 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -19532,7 +21774,7 @@ index 88d0028..e49b8da 100644
  ')
  
  optional_policy(`
-@@ -256,10 +341,20 @@ optional_policy(`
+@@ -252,10 +341,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -19553,7 +21795,7 @@ index 88d0028..e49b8da 100644
  	portage_run(sysadm_t, sysadm_r)
  	portage_run_fetch(sysadm_t, sysadm_r)
  	portage_run_gcc_config(sysadm_t, sysadm_r)
-@@ -270,35 +365,41 @@ optional_policy(`
+@@ -266,35 +365,41 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -19602,7 +21844,7 @@ index 88d0028..e49b8da 100644
  ')
  
  optional_policy(`
-@@ -312,6 +413,7 @@ optional_policy(`
+@@ -308,6 +413,7 @@ optional_policy(`
  
  optional_policy(`
  	screen_role_template(sysadm, sysadm_r, sysadm_t)
@@ -19610,7 +21852,7 @@ index 88d0028..e49b8da 100644
  ')
  
  optional_policy(`
-@@ -319,12 +421,20 @@ optional_policy(`
+@@ -315,12 +421,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -19632,7 +21874,7 @@ index 88d0028..e49b8da 100644
  ')
  
  optional_policy(`
-@@ -349,7 +459,18 @@ optional_policy(`
+@@ -345,7 +459,18 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -19652,7 +21894,7 @@ index 88d0028..e49b8da 100644
  ')
  
  optional_policy(`
-@@ -360,19 +481,15 @@ optional_policy(`
+@@ -356,19 +481,15 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -19674,7 +21916,7 @@ index 88d0028..e49b8da 100644
  ')
  
  optional_policy(`
-@@ -384,10 +501,6 @@ optional_policy(`
+@@ -380,10 +501,6 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -19685,7 +21927,7 @@ index 88d0028..e49b8da 100644
  	usermanage_run_admin_passwd(sysadm_t, sysadm_r)
  	usermanage_run_groupadd(sysadm_t, sysadm_r)
  	usermanage_run_useradd(sysadm_t, sysadm_r)
-@@ -395,6 +508,9 @@ optional_policy(`
+@@ -391,6 +508,9 @@ optional_policy(`
  
  optional_policy(`
  	virt_stream_connect(sysadm_t)
@@ -19695,7 +21937,7 @@ index 88d0028..e49b8da 100644
  ')
  
  optional_policy(`
-@@ -402,31 +518,34 @@ optional_policy(`
+@@ -398,31 +518,34 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -19736,7 +21978,7 @@ index 88d0028..e49b8da 100644
  		auth_role(sysadm_r, sysadm_t)
  	')
  
-@@ -439,10 +558,6 @@ ifndef(`distro_redhat',`
+@@ -435,10 +558,6 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -19747,7 +21989,7 @@ index 88d0028..e49b8da 100644
  		dbus_role_template(sysadm, sysadm_r, sysadm_t)
  
  		optional_policy(`
-@@ -463,15 +578,79 @@ ifndef(`distro_redhat',`
+@@ -459,15 +578,79 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -20881,22 +23123,22 @@ index 3835596..fbca2be 100644
  ########################################
  ## <summary>
 diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
-index cdfddf4..c3271fb 100644
+index 6d77e81..c3271fb 100644
 --- a/policy/modules/roles/unprivuser.te
 +++ b/policy/modules/roles/unprivuser.te
-@@ -1,5 +1,12 @@
- policy_module(unprivuser, 2.3.1)
- 
+@@ -1,4 +1,11 @@
+-policy_module(unprivuser, 2.4.0)
++policy_module(unprivuser, 2.3.1)
++
 +## <desc>
 +## <p>
 +## Allow unprivileged user to create and transition to svirt domains.
 +## </p>
 +## </desc>
 +gen_tunable(unprivuser_use_svirt, false)
-+
+ 
  # this module should be named user, but that is
  # a compile error since user is a keyword.
- 
 @@ -12,12 +19,102 @@ role user_r;
  
  userdom_unpriv_user_template(user)
@@ -21424,9 +23666,15 @@ index 9d2f311..9e87525 100644
 +	postgresql_filetrans_named_content($1)
  ')
 diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te
-index 346d011..19dfc1f 100644
+index 0306134..19dfc1f 100644
 --- a/policy/modules/services/postgresql.te
 +++ b/policy/modules/services/postgresql.te
+@@ -1,4 +1,4 @@
+-policy_module(postgresql, 1.16.0)
++policy_module(postgresql, 1.15.4)
+ 
+ gen_require(`
+ 	class db_database all_db_database_perms;
 @@ -19,25 +19,32 @@ gen_require(`
  #
  
@@ -22387,10 +24635,16 @@ index fe0c682..e8dcfa7 100644
 +	ps_process_pattern($1, sshd_t)
 +')
 diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
-index 5fc0391..980e658 100644
+index cc877c7..980e658 100644
 --- a/policy/modules/services/ssh.te
 +++ b/policy/modules/services/ssh.te
-@@ -6,43 +6,65 @@ policy_module(ssh, 2.3.3)
+@@ -1,4 +1,4 @@
+-policy_module(ssh, 2.4.2)
++policy_module(ssh, 2.3.3)
+ 
+ ########################################
+ #
+@@ -6,43 +6,65 @@ policy_module(ssh, 2.4.2)
  #
  
  ## <desc>
@@ -22471,19 +24725,21 @@ index 5fc0391..980e658 100644
  
  type ssh_t;
  type ssh_exec_t;
-@@ -73,6 +95,11 @@ type ssh_home_t;
+@@ -73,9 +95,11 @@ type ssh_home_t;
  typealias ssh_home_t alias { home_ssh_t user_ssh_home_t user_home_ssh_t staff_home_ssh_t sysadm_home_ssh_t };
  typealias ssh_home_t alias { auditadm_home_ssh_t secadm_home_ssh_t };
  userdom_user_home_content(ssh_home_t)
 +files_poly_parent(ssh_home_t)
-+
+ 
+-type sshd_keytab_t;
+-files_type(sshd_keytab_t)
 +ifdef(`enable_mcs',`
 +	init_ranged_daemon_domain(sshd_t, sshd_exec_t, s0 - mcs_systemhigh)
 +')
  
  ##############################
  #
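Review bot: the declaration of sshd_keytab_t ("type sshd_keytab_t;" and "files_type(sshd_keytab_t)") is removed in this hunk, and the matching "allow sshd_t sshd_keytab_t:file read_file_perms;" is removed in the sshd_t hunk further down. Check that no file context entry or interface in the new base still names sshd_keytab_t, since a leftover reference to an undeclared type fails the policy build, and state in the changelog why the dedicated keytab type is dropped rather than kept.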
-@@ -83,6 +110,7 @@ allow ssh_t self:capability { setuid setgid dac_override dac_read_search };
+@@ -86,6 +110,7 @@ allow ssh_t self:capability { setuid setgid dac_override dac_read_search };
  allow ssh_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  allow ssh_t self:fd use;
  allow ssh_t self:fifo_file rw_fifo_file_perms;
@@ -22491,7 +24747,7 @@ index 5fc0391..980e658 100644
  allow ssh_t self:unix_dgram_socket { create_socket_perms sendto };
  allow ssh_t self:unix_stream_socket { create_stream_socket_perms connectto };
  allow ssh_t self:shm create_shm_perms;
-@@ -90,15 +118,11 @@ allow ssh_t self:sem create_sem_perms;
+@@ -93,15 +118,11 @@ allow ssh_t self:sem create_sem_perms;
  allow ssh_t self:msgq create_msgq_perms;
  allow ssh_t self:msg { send receive };
  allow ssh_t self:tcp_socket create_stream_socket_perms;
@@ -22508,7 +24764,7 @@ index 5fc0391..980e658 100644
  manage_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
  manage_lnk_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
  manage_fifo_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
-@@ -107,33 +131,42 @@ fs_tmpfs_filetrans(ssh_t, ssh_tmpfs_t, { dir file lnk_file sock_file fifo_file }
+@@ -110,33 +131,42 @@ fs_tmpfs_filetrans(ssh_t, ssh_tmpfs_t, { dir file lnk_file sock_file fifo_file }
  
  manage_dirs_pattern(ssh_t, ssh_home_t, ssh_home_t)
  manage_sock_files_pattern(ssh_t, ssh_home_t, ssh_home_t)
@@ -22556,7 +24812,7 @@ index 5fc0391..980e658 100644
  dev_read_urand(ssh_t)
  
  fs_getattr_all_fs(ssh_t)
-@@ -154,40 +187,46 @@ files_read_var_files(ssh_t)
+@@ -157,40 +187,46 @@ files_read_var_files(ssh_t)
  logging_send_syslog_msg(ssh_t)
  logging_read_generic_logs(ssh_t)
  
@@ -22622,7 +24878,7 @@ index 5fc0391..980e658 100644
  ')
  
  optional_policy(`
-@@ -195,6 +234,7 @@ optional_policy(`
+@@ -198,6 +234,7 @@ optional_policy(`
  	xserver_domtrans_xauth(ssh_t)
  ')
  
@@ -22630,7 +24886,7 @@ index 5fc0391..980e658 100644
  ##############################
  #
  # ssh_keysign_t local policy
-@@ -206,6 +246,7 @@ allow ssh_keysign_t self:unix_stream_socket create_socket_perms;
+@@ -209,6 +246,7 @@ allow ssh_keysign_t self:unix_stream_socket create_socket_perms;
  allow ssh_keysign_t sshd_key_t:file { getattr read };
  
  dev_read_urand(ssh_keysign_t)
@@ -22638,11 +24894,13 @@ index 5fc0391..980e658 100644
  
  files_read_etc_files(ssh_keysign_t)
  
-@@ -223,33 +264,56 @@ optional_policy(`
+@@ -226,39 +264,56 @@ optional_policy(`
  # so a tunnel can point to another ssh tunnel
  allow sshd_t self:netlink_route_socket r_netlink_socket_perms;
  allow sshd_t self:key { search link write };
 -
+-allow sshd_t sshd_keytab_t:file read_file_perms;
+-
 -manage_dirs_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t)
 -manage_files_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t)
 -manage_sock_files_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t)
@@ -22669,6 +24927,9 @@ index 5fc0391..980e658 100644
 +corenet_tcp_bind_vnc_port(sshd_t)
  corenet_sendrecv_xserver_server_packets(sshd_t)
  
+-ifdef(`distro_debian',`
+-	allow sshd_t self:process { getcap setcap };
+-')
 +auth_exec_login_program(sshd_t)
 +auth_signal_chk_passwd(sshd_t)
 +
@@ -22678,7 +24939,7 @@ index 5fc0391..980e658 100644
 +userdom_spec_domtrans_unpriv_users(sshd_t)
 +userdom_signal_unpriv_users(sshd_t)
 +userdom_dyntransition_unpriv_users(sshd_t)
-+
+ 
  tunable_policy(`ssh_sysadm_login',`
  	# Relabel and access ptys created by sshd
  	# ioctl is necessary for logout() processing for utmp entry and for w to
@@ -22704,7 +24965,7 @@ index 5fc0391..980e658 100644
  ')
  
  optional_policy(`
-@@ -257,11 +321,28 @@ optional_policy(`
+@@ -266,12 +321,28 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -22725,7 +24986,8 @@ index 5fc0391..980e658 100644
  ')
  
  optional_policy(`
--	kerberos_keytab_template(sshd, sshd_t)
+-	kerberos_read_keytab(sshd_t)
+-	kerberos_use(sshd_t)
 +    lvm_domtrans(sshd_t)
 +')
 +
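Review bot: this optional_policy block loses "kerberos_read_keytab(sshd_t)" and "kerberos_use(sshd_t)" and gains "lvm_domtrans(sshd_t)", and nothing in the visible lines restores the Kerberos access for sshd_t. Confirm those rules are granted elsewhere in the patch, add a comment saying why sshd needs a transition into the lvm domain, and indent "lvm_domtrans(sshd_t)" with a tab like the neighbouring calls instead of four spaces.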
@@ -22734,7 +24996,7 @@ index 5fc0391..980e658 100644
  ')
  
  optional_policy(`
-@@ -269,6 +350,10 @@ optional_policy(`
+@@ -279,6 +350,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -22745,7 +25007,7 @@ index 5fc0391..980e658 100644
  	rpm_use_script_fds(sshd_t)
  ')
  
-@@ -279,13 +364,93 @@ optional_policy(`
+@@ -289,13 +364,93 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -22839,7 +25101,7 @@ index 5fc0391..980e658 100644
  ########################################
  #
  # ssh_keygen local policy
-@@ -294,19 +459,33 @@ optional_policy(`
+@@ -304,19 +459,33 @@ optional_policy(`
  # ssh_keygen_t is the type of the ssh-keygen program when run at install time
  # and by sysadm_t
  
@@ -22874,7 +25136,7 @@ index 5fc0391..980e658 100644
  dev_read_urand(ssh_keygen_t)
  
  term_dontaudit_use_console(ssh_keygen_t)
-@@ -322,7 +501,14 @@ auth_use_nsswitch(ssh_keygen_t)
+@@ -332,7 +501,14 @@ auth_use_nsswitch(ssh_keygen_t)
  
  logging_send_syslog_msg(ssh_keygen_t)
  
@@ -22889,7 +25151,7 @@ index 5fc0391..980e658 100644
  
  optional_policy(`
  	seutil_sigchld_newrole(ssh_keygen_t)
-@@ -331,3 +517,148 @@ optional_policy(`
+@@ -341,3 +517,148 @@ optional_policy(`
  optional_policy(`
  	udev_read_db(ssh_keygen_t)
  ')
@@ -23039,7 +25301,7 @@ index 5fc0391..980e658 100644
 +')
 +
 diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
-index d1f64a0..696dd0e 100644
+index 8274418..696dd0e 100644
 --- a/policy/modules/services/xserver.fc
 +++ b/policy/modules/services/xserver.fc
 @@ -2,13 +2,36 @@
@@ -23120,13 +25382,12 @@ index d1f64a0..696dd0e 100644
  # /usr
  #
  
--/usr/(s)?bin/gdm(3)?	--      gen_context(system_u:object_r:xdm_exec_t,s0)
--/usr/(s)?bin/gdm-binary	--	gen_context(system_u:object_r:xdm_exec_t,s0)
--/usr/(s)?bin/lxdm(-binary)? --	gen_context(system_u:object_r:xdm_exec_t,s0)
--/usr/(s)?bin/[xkw]dm	--	gen_context(system_u:object_r:xdm_exec_t,s0)
+-/usr/s?bin/gdm(3)?	--	gen_context(system_u:object_r:xdm_exec_t,s0)
 +/usr/sbin/mdm-binary	--	gen_context(system_u:object_r:xdm_exec_t,s0)
 +/usr/s?bin/gdm3?	--      gen_context(system_u:object_r:xdm_exec_t,s0)
-+/usr/s?bin/gdm-binary	--	gen_context(system_u:object_r:xdm_exec_t,s0)
+ /usr/s?bin/gdm-binary	--	gen_context(system_u:object_r:xdm_exec_t,s0)
+-/usr/s?bin/lxdm(-binary)?	--	gen_context(system_u:object_r:xdm_exec_t,s0)
+-/usr/s?bin/[xkw]dm	--	gen_context(system_u:object_r:xdm_exec_t,s0)
 +/usr/s?bin/lightdm*	--	gen_context(system_u:object_r:xdm_exec_t,s0)
 +/usr/s?bin/lxdm(-binary)? --	gen_context(system_u:object_r:xdm_exec_t,s0)
 +/usr/s?bin/[mxgkw]dm	--	gen_context(system_u:object_r:xdm_exec_t,s0)
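Review bot: in "/usr/s?bin/lightdm*" the trailing "*" binds to the "m" only, because file context specifications are regular expressions, not shell globs; the entry matches lightd, lightdm, lightdmm and so on, but not a longer name that merely starts with lightdm. If every binary beginning with lightdm is meant, write "lightdm.*"; if only the daemon is meant, drop the "*".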
@@ -23146,7 +25407,7 @@ index d1f64a0..696dd0e 100644
  
  /usr/lib/qt-.*/etc/settings(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
  
-@@ -92,25 +131,51 @@ ifndef(`distro_debian',`
+@@ -92,26 +131,51 @@ ifndef(`distro_debian',`
  
  /var/lib/gdm(3)?(/.*)?		gen_context(system_u:object_r:xdm_var_lib_t,s0)
  /var/lib/lxdm(/.*)?		gen_context(system_u:object_r:xdm_var_lib_t,s0)
@@ -23175,6 +25436,7 @@ index d1f64a0..696dd0e 100644
 +
 +/var/spool/[mg]dm(/.*)?	 	gen_context(system_u:object_r:xdm_spool_t,s0)
  
+-/var/run/gdm(3)?(/.*)?	gen_context(system_u:object_r:xdm_var_run_t,s0)
  /var/run/gdm(3)?\.pid	--	gen_context(system_u:object_r:xdm_var_run_t,s0)
 +/var/run/[kgm]dm(/.*)?	 	gen_context(system_u:object_r:xdm_var_run_t,s0)
 +/var/run/gdm_socket		-s	gen_context(system_u:object_r:xdm_var_run_t,s0)
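Review bot: with the base's "/var/run/gdm(3)?(/.*)?" removed, the remaining "/var/run/[kgm]dm(/.*)?" no longer matches a /var/run/gdm3 directory, while the pid entry "/var/run/gdm(3)?\.pid" kept in this block still allows for the gdm3 name. If gdm3 paths are out of scope for this branch, say so and simplify the pid entry too; otherwise keep the removed line so the directory and its pid file get the same xdm_var_run_t label.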
@@ -23183,7 +25445,7 @@ index d1f64a0..696dd0e 100644
  /var/run/lxdm\.auth	--	gen_context(system_u:object_r:xdm_var_run_t,s0)
  /var/run/lxdm\.pid	--	gen_context(system_u:object_r:xdm_var_run_t,s0)
  /var/run/lxdm(/.*)?		gen_context(system_u:object_r:xdm_var_run_t,s0)
--/var/run/slim(/.*)?		gen_context(system_u:object_r:xdm_var_run_t,s0)
+-/var/run/slim.*			gen_context(system_u:object_r:xdm_var_run_t,s0)
 +/var/run/slim(/.*)?     	gen_context(system_u:object_r:xdm_var_run_t,s0)
 +/var/run/slim.*     	--  	gen_context(system_u:object_r:xdm_var_run_t,s0)
  /var/run/xauth(/.*)?		gen_context(system_u:object_r:xdm_var_run_t,s0)
@@ -24838,9 +27100,15 @@ index 6bf0ecc..30ca475 100644
 +')
 +
 diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
-index 2696452..5be1645 100644
+index 8b40377..5be1645 100644
 --- a/policy/modules/services/xserver.te
 +++ b/policy/modules/services/xserver.te
+@@ -1,4 +1,4 @@
+-policy_module(xserver, 3.9.4)
++policy_module(xserver, 3.8.4)
+ 
+ gen_require(`
+ 	class x_drawable all_x_drawable_perms;
 @@ -26,28 +26,59 @@ gen_require(`
  #
  
@@ -24910,7 +27178,7 @@ index 2696452..5be1645 100644
  
  # X Events
  attribute xevent_type;
-@@ -107,44 +138,54 @@ xserver_object_types_template(remote)
+@@ -107,67 +138,85 @@ xserver_object_types_template(remote)
  xserver_common_x_domain_template(remote, remote_t)
  
  type user_fonts_t;
@@ -24966,7 +27234,10 @@ index 2696452..5be1645 100644
  typealias xauth_tmp_t alias { auditadm_xauth_tmp_t secadm_xauth_tmp_t };
  userdom_user_tmp_file(xauth_tmp_t)
  
-@@ -154,19 +195,28 @@ files_type(xconsole_device_t)
+ # this is not actually a device, its a pipe
+ type xconsole_device_t;
+ files_type(xconsole_device_t)
+-dev_associate(xconsole_device_t)
  fs_associate_tmpfs(xconsole_device_t)
  files_associate_tmp(xconsole_device_t)
  
@@ -24998,7 +27269,7 @@ index 2696452..5be1645 100644
  
  type xdm_var_lib_t;
  files_type(xdm_var_lib_t)
-@@ -174,13 +224,27 @@ files_type(xdm_var_lib_t)
+@@ -175,13 +224,27 @@ files_type(xdm_var_lib_t)
  type xdm_var_run_t;
  files_pid_file(xdm_var_run_t)
  
@@ -25027,7 +27298,7 @@ index 2696452..5be1645 100644
  # type for /var/lib/xkb
  type xkb_var_lib_t;
  files_type(xkb_var_lib_t)
-@@ -193,14 +257,12 @@ typealias xserver_t alias { auditadm_xserver_t secadm_xserver_t xdm_xserver_t };
+@@ -194,14 +257,12 @@ typealias xserver_t alias { auditadm_xserver_t secadm_xserver_t xdm_xserver_t };
  init_system_domain(xserver_t, xserver_exec_t)
  ubac_constrained(xserver_t)
  
@@ -25046,7 +27317,7 @@ index 2696452..5be1645 100644
  userdom_user_tmpfs_file(xserver_tmpfs_t)
  
  type xsession_exec_t;
-@@ -225,21 +287,33 @@ optional_policy(`
+@@ -226,21 +287,33 @@ optional_policy(`
  #
  
  allow iceauth_t iceauth_home_t:file manage_file_perms;
@@ -25061,16 +27332,12 @@ index 2696452..5be1645 100644
 -userdom_use_user_terminals(iceauth_t)
 +userdom_use_inherited_user_terminals(iceauth_t)
  userdom_read_user_tmp_files(iceauth_t)
--
++userdom_read_all_users_state(iceauth_t)
++userdom_home_manager(iceauth_t)
+ 
 -tunable_policy(`use_nfs_home_dirs',`
 -	fs_manage_nfs_files(iceauth_t)
 -')
--
--tunable_policy(`use_samba_home_dirs',`
--	fs_manage_cifs_files(iceauth_t)
-+userdom_read_all_users_state(iceauth_t)
-+userdom_home_manager(iceauth_t)
-+
 +ifdef(`hide_broken_symptoms',`
 +	dev_dontaudit_read_urand(iceauth_t)
 +	dev_dontaudit_rw_dri(iceauth_t)
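Review bot: the tunable_policy block for use_nfs_home_dirs on iceauth_t is removed and "userdom_home_manager(iceauth_t)" is called outside any tunable_policy, so at this call site the NFS home directory access no longer reads as conditional. Add a one-line comment saying whether the interface applies the use_nfs_home_dirs and use_samba_home_dirs booleans itself, so a reader does not take this for an unconditional grant.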
@@ -25078,7 +27345,9 @@ index 2696452..5be1645 100644
 +	fs_dontaudit_list_inotifyfs(iceauth_t)
 +	fs_dontaudit_rw_anon_inodefs_files(iceauth_t)
 +	term_dontaudit_use_unallocated_ttys(iceauth_t)
-+
+ 
+-tunable_policy(`use_samba_home_dirs',`
+-	fs_manage_cifs_files(iceauth_t)
 +	userdom_dontaudit_read_user_home_content_files(iceauth_t)
 +	userdom_dontaudit_write_user_home_content_files(iceauth_t)
 +	userdom_dontaudit_write_user_tmp_files(iceauth_t)
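Review bot: the dontaudit calls under hide_broken_symptoms, among them "userdom_dontaudit_write_user_home_content_files(iceauth_t)" and "userdom_dontaudit_write_user_tmp_files(iceauth_t)", silence write denials for iceauth_t without a comment naming the denial or bug they hide. Dontaudit rules keep the matching AVC records out of the audit log, so add the bug reference next to each group; that lets the rules be re-evaluated later instead of staying in place indefinitely.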
@@ -25089,7 +27358,7 @@ index 2696452..5be1645 100644
  ')
  
  ########################################
-@@ -247,48 +321,90 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -248,48 +321,90 @@ tunable_policy(`use_samba_home_dirs',`
  # Xauth local policy
  #
  
@@ -25191,7 +27460,7 @@ index 2696452..5be1645 100644
  	ssh_sigchld(xauth_t)
  	ssh_read_pipes(xauth_t)
  	ssh_dontaudit_rw_tcp_sockets(xauth_t)
-@@ -299,64 +415,109 @@ optional_policy(`
+@@ -300,64 +415,109 @@ optional_policy(`
  # XDM Local policy
  #
  
@@ -25311,7 +27580,7 @@ index 2696452..5be1645 100644
  
  # connect to xdm xserver over stream socket
  stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
-@@ -365,20 +526,30 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
+@@ -366,20 +526,30 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
  delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
  delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
  
@@ -25344,7 +27613,7 @@ index 2696452..5be1645 100644
  corenet_all_recvfrom_netlabel(xdm_t)
  corenet_tcp_sendrecv_generic_if(xdm_t)
  corenet_udp_sendrecv_generic_if(xdm_t)
-@@ -388,38 +559,49 @@ corenet_tcp_sendrecv_all_ports(xdm_t)
+@@ -389,38 +559,49 @@ corenet_tcp_sendrecv_all_ports(xdm_t)
  corenet_udp_sendrecv_all_ports(xdm_t)
  corenet_tcp_bind_generic_node(xdm_t)
  corenet_udp_bind_generic_node(xdm_t)
@@ -25398,7 +27667,7 @@ index 2696452..5be1645 100644
  
  files_read_etc_files(xdm_t)
  files_read_var_files(xdm_t)
-@@ -430,9 +612,28 @@ files_list_mnt(xdm_t)
+@@ -431,9 +612,28 @@ files_list_mnt(xdm_t)
  files_read_usr_files(xdm_t)
  # Poweroff wants to create the /poweroff file when run from xdm
  files_create_boot_flag(xdm_t)
@@ -25427,7 +27696,7 @@ index 2696452..5be1645 100644
  
  storage_dontaudit_read_fixed_disk(xdm_t)
  storage_dontaudit_write_fixed_disk(xdm_t)
-@@ -441,28 +642,45 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
+@@ -442,28 +642,45 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
  storage_dontaudit_raw_write_removable_device(xdm_t)
  storage_dontaudit_setattr_removable_dev(xdm_t)
  storage_dontaudit_rw_scsi_generic(xdm_t)
@@ -25476,7 +27745,7 @@ index 2696452..5be1645 100644
  
  userdom_dontaudit_use_unpriv_user_fds(xdm_t)
  userdom_create_all_users_keys(xdm_t)
-@@ -471,24 +689,151 @@ userdom_read_user_home_content_files(xdm_t)
+@@ -472,24 +689,151 @@ userdom_read_user_home_content_files(xdm_t)
  # Search /proc for any user domain processes.
  userdom_read_all_users_state(xdm_t)
  userdom_signal_all_users(xdm_t)
@@ -25634,7 +27903,7 @@ index 2696452..5be1645 100644
  tunable_policy(`xdm_sysadm_login',`
  	userdom_xsession_spec_domtrans_all_users(xdm_t)
  	# FIXME:
-@@ -502,11 +847,26 @@ tunable_policy(`xdm_sysadm_login',`
+@@ -503,11 +847,26 @@ tunable_policy(`xdm_sysadm_login',`
  ')
  
  optional_policy(`
@@ -25661,14 +27930,11 @@ index 2696452..5be1645 100644
  ')
  
  optional_policy(`
-@@ -514,12 +874,57 @@ optional_policy(`
- ')
+@@ -519,7 +878,28 @@ optional_policy(`
+ 	dbus_connect_system_bus(xdm_t)
  
- optional_policy(`
-+	dbus_system_bus_client(xdm_t)
-+	dbus_connect_system_bus(xdm_t)
-+
-+	optional_policy(`
+ 	optional_policy(`
+-		accountsd_dbus_chat(xdm_t)
 +		bluetooth_dbus_chat(xdm_t)
 +	')
 +
@@ -25691,13 +27957,10 @@ index 2696452..5be1645 100644
 +
 +	optional_policy(`
 +		networkmanager_dbus_chat(xdm_t)
-+	')
-+')
-+
-+optional_policy(`
- 	# Talk to the console mouse server.
- 	gpm_stream_connect(xdm_t)
- 	gpm_setattr_gpmctl(xdm_t)
+ 	')
+ ')
+ 
+@@ -530,6 +910,21 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -25719,7 +27982,7 @@ index 2696452..5be1645 100644
  	hostname_exec(xdm_t)
  ')
  
-@@ -537,28 +942,78 @@ optional_policy(`
+@@ -547,28 +942,78 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -25807,7 +28070,7 @@ index 2696452..5be1645 100644
  ')
  
  optional_policy(`
-@@ -570,6 +1025,14 @@ optional_policy(`
+@@ -580,6 +1025,14 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -25822,7 +28085,7 @@ index 2696452..5be1645 100644
  	xfs_stream_connect(xdm_t)
  ')
  
-@@ -584,7 +1047,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t;
+@@ -594,7 +1047,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t;
  type_transition root_xdrawable_t input_xevent_t:x_event root_input_xevent_t;
  
  allow xserver_t { root_xdrawable_t x_domain }:x_drawable send;
@@ -25831,7 +28094,7 @@ index 2696452..5be1645 100644
  
  # setuid/setgid for the wrapper program to change UID
  # sys_rawio is for iopl access - should not be needed for frame-buffer
-@@ -594,8 +1057,11 @@ allow xserver_t input_xevent_t:x_event send;
+@@ -604,8 +1057,11 @@ allow xserver_t input_xevent_t:x_event send;
  # execheap needed until the X module loader is fixed.
  # NVIDIA Needs execstack
  
@@ -25844,7 +28107,7 @@ index 2696452..5be1645 100644
  allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  allow xserver_t self:fd use;
  allow xserver_t self:fifo_file rw_fifo_file_perms;
-@@ -608,8 +1074,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
+@@ -618,8 +1074,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
  allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
  allow xserver_t self:tcp_socket create_stream_socket_perms;
  allow xserver_t self:udp_socket create_socket_perms;
@@ -25860,7 +28123,7 @@ index 2696452..5be1645 100644
  manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
  manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
  manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
-@@ -617,6 +1090,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
+@@ -627,6 +1090,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
  
  filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t, sock_file)
  
@@ -25871,7 +28134,7 @@ index 2696452..5be1645 100644
  manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
  manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
  manage_lnk_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
-@@ -628,12 +1105,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
+@@ -638,12 +1105,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
  manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
  files_search_var_lib(xserver_t)
  
@@ -25893,7 +28156,7 @@ index 2696452..5be1645 100644
  
  kernel_read_system_state(xserver_t)
  kernel_read_device_sysctls(xserver_t)
-@@ -641,12 +1125,12 @@ kernel_read_modprobe_sysctls(xserver_t)
+@@ -651,12 +1125,12 @@ kernel_read_modprobe_sysctls(xserver_t)
  # Xorg wants to check if kernel is tainted
  kernel_read_kernel_sysctls(xserver_t)
  kernel_write_proc_files(xserver_t)
@@ -25907,7 +28170,7 @@ index 2696452..5be1645 100644
  corenet_all_recvfrom_netlabel(xserver_t)
  corenet_tcp_sendrecv_generic_if(xserver_t)
  corenet_udp_sendrecv_generic_if(xserver_t)
-@@ -667,23 +1151,28 @@ dev_rw_apm_bios(xserver_t)
+@@ -677,23 +1151,28 @@ dev_rw_apm_bios(xserver_t)
  dev_rw_agp(xserver_t)
  dev_rw_framebuffer(xserver_t)
  dev_manage_dri_dev(xserver_t)
@@ -25939,7 +28202,7 @@ index 2696452..5be1645 100644
  
  # brought on by rhgb
  files_search_mnt(xserver_t)
-@@ -694,7 +1183,16 @@ fs_getattr_xattr_fs(xserver_t)
+@@ -704,7 +1183,16 @@ fs_getattr_xattr_fs(xserver_t)
  fs_search_nfs(xserver_t)
  fs_search_auto_mountpoints(xserver_t)
  fs_search_ramfs(xserver_t)
@@ -25957,7 +28220,7 @@ index 2696452..5be1645 100644
  mls_xwin_read_to_clearance(xserver_t)
  
  selinux_validate_context(xserver_t)
-@@ -708,20 +1206,18 @@ init_getpgid(xserver_t)
+@@ -718,20 +1206,18 @@ init_getpgid(xserver_t)
  term_setattr_unallocated_ttys(xserver_t)
  term_use_unallocated_ttys(xserver_t)
  
@@ -25981,7 +28244,7 @@ index 2696452..5be1645 100644
  
  userdom_search_user_home_dirs(xserver_t)
  userdom_use_user_ttys(xserver_t)
-@@ -729,8 +1225,6 @@ userdom_setattr_user_ttys(xserver_t)
+@@ -739,8 +1225,6 @@ userdom_setattr_user_ttys(xserver_t)
  userdom_read_user_tmp_files(xserver_t)
  userdom_rw_user_tmpfs_files(xserver_t)
  
@@ -25990,7 +28253,7 @@ index 2696452..5be1645 100644
  ifndef(`distro_redhat',`
  	allow xserver_t self:process { execmem execheap execstack };
  	domain_mmap_low_uncond(xserver_t)
-@@ -775,16 +1269,44 @@ optional_policy(`
+@@ -785,16 +1269,44 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -26036,7 +28299,7 @@ index 2696452..5be1645 100644
  	unconfined_domtrans(xserver_t)
  ')
  
-@@ -793,6 +1315,10 @@ optional_policy(`
+@@ -803,6 +1315,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -26047,7 +28310,7 @@ index 2696452..5be1645 100644
  	xfs_stream_connect(xserver_t)
  ')
  
-@@ -808,10 +1334,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
+@@ -818,10 +1334,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
  
  # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
  # handle of a file inside the dir!!!
@@ -26061,7 +28324,7 @@ index 2696452..5be1645 100644
  
  # Label pid and temporary files with derived types.
  manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -819,7 +1345,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
+@@ -829,7 +1345,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
  manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
  
  # Run xkbcomp.
@@ -26070,7 +28333,7 @@ index 2696452..5be1645 100644
  can_exec(xserver_t, xkb_var_lib_t)
  
  # VNC v4 module in X server
-@@ -832,26 +1358,21 @@ init_use_fds(xserver_t)
+@@ -842,26 +1358,21 @@ init_use_fds(xserver_t)
  # to read ROLE_home_t - examine this in more detail
  # (xauth?)
  userdom_read_user_home_content_files(xserver_t)
@@ -26105,7 +28368,7 @@ index 2696452..5be1645 100644
  ')
  
  optional_policy(`
-@@ -902,7 +1423,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
+@@ -912,7 +1423,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
  allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
  # operations allowed on my windows
  allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
@@ -26114,7 +28377,7 @@ index 2696452..5be1645 100644
  # operations allowed on all windows
  allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
  
-@@ -956,11 +1477,31 @@ allow x_domain self:x_resource { read write };
+@@ -966,11 +1477,31 @@ allow x_domain self:x_resource { read write };
  # can mess with the screensaver
  allow x_domain xserver_t:x_screen { getattr saver_getattr };
  
@@ -26146,7 +28409,7 @@ index 2696452..5be1645 100644
  tunable_policy(`! xserver_object_manager',`
  	# should be xserver_unconfined(x_domain),
  	# but typeattribute doesnt work in conditionals
-@@ -982,18 +1523,150 @@ tunable_policy(`! xserver_object_manager',`
+@@ -992,18 +1523,150 @@ tunable_policy(`! xserver_object_manager',`
  	allow x_domain xevent_type:{ x_event x_synthetic_event } *;
  ')
  
@@ -26470,7 +28733,7 @@ index c6fdab7..af71c62 100644
  	sudo_sigchld(application_domain_type)
  ')
 diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc
-index 28ad538..ed25543 100644
+index 2479587..ed25543 100644
 --- a/policy/modules/system/authlogin.fc
 +++ b/policy/modules/system/authlogin.fc
 @@ -1,14 +1,28 @@
@@ -26534,7 +28797,7 @@ index 28ad538..ed25543 100644
  
  /var/cache/coolkey(/.*)?	gen_context(system_u:object_r:auth_cache_t,s0)
  
-@@ -30,20 +56,24 @@ ifdef(`distro_gentoo', `
+@@ -30,21 +56,24 @@ ifdef(`distro_gentoo', `
  
  /var/lib/abl(/.*)?		gen_context(system_u:object_r:var_auth_t,s0)
  /var/lib/pam_ssh(/.*)?		gen_context(system_u:object_r:var_auth_t,s0)
@@ -26562,7 +28825,9 @@ index 28ad538..ed25543 100644
  /var/run/sepermit(/.*)? 	gen_context(system_u:object_r:pam_var_run_t,s0)
  /var/run/sudo(/.*)?		gen_context(system_u:object_r:pam_var_run_t,s0)
 -/var/run/user(/.*)?		gen_context(system_u:object_r:var_auth_t,s0)
- /var/(db|lib|adm)/sudo(/.*)?	gen_context(system_u:object_r:pam_var_run_t,s0)
+-/var/(db|adm)/sudo(/.*)?	gen_context(system_u:object_r:pam_var_run_t,s0)
+-/var/lib/sudo(/.*)?	gen_context(system_u:object_r:pam_var_run_t,s0)
++/var/(db|lib|adm)/sudo(/.*)?	gen_context(system_u:object_r:pam_var_run_t,s0)
 diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
 index 3efd5b6..3accfe3 100644
 --- a/policy/modules/system/authlogin.if
@@ -27427,10 +29692,15 @@ index 3efd5b6..3accfe3 100644
 +	allow $1 login_pgm:process sigchld;
 +')
 diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
-index 104037e..837948b 100644
+index 09b791d..837948b 100644
 --- a/policy/modules/system/authlogin.te
 +++ b/policy/modules/system/authlogin.te
-@@ -5,6 +5,19 @@ policy_module(authlogin, 2.4.2)
+@@ -1,10 +1,23 @@
+-policy_module(authlogin, 2.5.1)
++policy_module(authlogin, 2.4.2)
+ 
+ ########################################
+ #
  # Declarations
  #
  
@@ -27953,9 +30223,15 @@ index d475c2d..55305d5 100644
 +	files_etc_filetrans($1, adjtime_t, file, "adjtime" )
 +')
 diff --git a/policy/modules/system/clock.te b/policy/modules/system/clock.te
-index 3694bfe..7fcd27a 100644
+index edece47..7fcd27a 100644
 --- a/policy/modules/system/clock.te
 +++ b/policy/modules/system/clock.te
+@@ -1,4 +1,4 @@
+-policy_module(clock, 1.7.0)
++policy_module(clock, 1.6.2)
+ 
+ ########################################
+ #
 @@ -46,18 +46,19 @@ fs_search_auto_mountpoints(hwclock_t)
  
  term_dontaudit_use_console(hwclock_t)
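Review bot: the new `@@ -1,4 +1,4 @@` hunk for clock.te moves `policy_module(clock, ...)` backwards from 1.7.0 to 1.6.2, and the same backwards step is added for authlogin, fstools, getty, hostname, hotplug, init, ipsec, iptables, libraries, locallogin and logging in this patch. If the base tree was updated to a newer upstream, the downstream patch should leave the version line alone rather than revert it. A lower version number misrepresents which upstream rules the module contains and makes later rebases harder to audit. Suggest dropping these version-only hunks.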
@@ -27991,7 +30267,7 @@ index 3694bfe..7fcd27a 100644
  ')
  
 diff --git a/policy/modules/system/fstools.fc b/policy/modules/system/fstools.fc
-index a97a096..ce0abe6 100644
+index 948ce2a..ce0abe6 100644
 --- a/policy/modules/system/fstools.fc
 +++ b/policy/modules/system/fstools.fc
 @@ -1,4 +1,3 @@
@@ -28007,8 +30283,11 @@ index a97a096..ce0abe6 100644
  /sbin/parted		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
  /sbin/partprobe		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
  /sbin/partx		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
-@@ -35,13 +33,55 @@
+@@ -33,17 +31,57 @@
+ /sbin/resize.*fs	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /sbin/scsi_info		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
  /sbin/sfdisk		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+-/sbin/swapoff		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
  /sbin/swapon.*		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
  /sbin/tune2fs		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 +/sbin/xfs_growfs    --  gen_context(system_u:object_r:fsadm_exec_t,s0)
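Review bot: the added `-/sbin/swapoff` line in the fstools.fc hunk removes the only visible `fsadm_exec_t` entry that matches swapoff, because the remaining `/sbin/swapon.*` pattern does not cover it. Unless another entry elsewhere in the file labels swapoff, the binary will no longer transition into `fsadm_t` when run. Suggest keeping the line, or widening the pattern to `/sbin/swap(on|off).*` if the intent was to deduplicate.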
@@ -28045,7 +30324,7 @@ index a97a096..ce0abe6 100644
 +/usr/sbin/mkfs.*	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 +/usr/sbin/mkraid	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 +/usr/sbin/mkreiserfs	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/usr/sbin/parted	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/parted	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 +/usr/sbin/partprobe	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 +/usr/sbin/partx		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 +/usr/sbin/raidautorun	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
@@ -28093,9 +30372,15 @@ index 016a770..1effeb4 100644
 +	files_pid_filetrans($1, fsadm_var_run_t, dir, "blkid")
 +')
 diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te
-index 6c4b6ee..9eebe0b 100644
+index 3f48d30..9eebe0b 100644
 --- a/policy/modules/system/fstools.te
 +++ b/policy/modules/system/fstools.te
+@@ -1,4 +1,4 @@
+-policy_module(fstools, 1.16.1)
++policy_module(fstools, 1.15.0)
+ 
+ ########################################
+ #
 @@ -13,6 +13,9 @@ role system_r types fsadm_t;
  type fsadm_log_t;
  logging_log_file(fsadm_log_t)
@@ -28291,9 +30576,15 @@ index e4376aa..2c98c56 100644
 +	allow $1 getty_unit_file_t:service start;
 +')
 diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te
-index fc38c9c..4740426 100644
+index f6743ea..4740426 100644
 --- a/policy/modules/system/getty.te
 +++ b/policy/modules/system/getty.te
+@@ -1,4 +1,4 @@
+-policy_module(getty, 1.10.0)
++policy_module(getty, 1.9.1)
+ 
+ ########################################
+ #
 @@ -27,6 +27,17 @@ files_tmp_file(getty_tmp_t)
  type getty_var_run_t;
  files_pid_file(getty_var_run_t)
@@ -28381,10 +30672,16 @@ index 187f04f..cf0af09 100644
  interface(`hostname_exec',`
  	gen_require(`
 diff --git a/policy/modules/system/hostname.te b/policy/modules/system/hostname.te
-index f6cbda9..51e9aef 100644
+index 24a7889..51e9aef 100644
 --- a/policy/modules/system/hostname.te
 +++ b/policy/modules/system/hostname.te
-@@ -23,39 +23,46 @@ dontaudit hostname_t self:capability sys_tty_config;
+@@ -1,4 +1,4 @@
+-policy_module(hostname, 1.8.1)
++policy_module(hostname, 1.8.0)
+ 
+ ########################################
+ #
+@@ -23,40 +23,46 @@ dontaudit hostname_t self:capability sys_tty_config;
  
  kernel_list_proc(hostname_t)
  kernel_read_proc_symlinks(hostname_t)
@@ -28422,6 +30719,7 @@ index f6cbda9..51e9aef 100644
  
 -miscfiles_read_localization(hostname_t)
  
+-sysnet_dontaudit_rw_dhcpc_udp_sockets(hostname_t)
  sysnet_dontaudit_rw_dhcpc_unix_stream_sockets(hostname_t)
  sysnet_read_config(hostname_t)
  sysnet_dns_name_resolve(hostname_t)
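Review bot: the new `-sysnet_dontaudit_rw_dhcpc_udp_sockets(hostname_t)` line in hostname.te drops a dontaudit rule without any note in the commit message. When hostname is run from a dhclient script and inherits the dhcpc UDP socket, the denial will now be logged as an AVC on every lease event. If the removal is intentional, say why in the changelog. Otherwise keep the call next to `sysnet_dontaudit_rw_dhcpc_unix_stream_sockets(hostname_t)`.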
@@ -28461,9 +30759,15 @@ index 40eb10c..2a0a32c 100644
  
  	corecmd_search_bin($1)
 diff --git a/policy/modules/system/hotplug.te b/policy/modules/system/hotplug.te
-index bb5c4a6..7ebb938 100644
+index b2097e7..7ebb938 100644
 --- a/policy/modules/system/hotplug.te
 +++ b/policy/modules/system/hotplug.te
+@@ -1,4 +1,4 @@
+-policy_module(hotplug, 1.16.0)
++policy_module(hotplug, 1.15.1)
+ 
+ ########################################
+ #
 @@ -23,7 +23,7 @@ files_pid_file(hotplug_var_run_t)
  #
  
@@ -28516,7 +30820,7 @@ index bb5c4a6..7ebb938 100644
  ')
  
 diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc
-index 9a4d3a7..9d960bb 100644
+index bc0ffc8..9d960bb 100644
 --- a/policy/modules/system/init.fc
 +++ b/policy/modules/system/init.fc
 @@ -1,6 +1,9 @@
@@ -28541,7 +30845,7 @@ index 9a4d3a7..9d960bb 100644
  /sbin/init(ng)?		--	gen_context(system_u:object_r:init_exec_t,s0)
  # because nowadays, /sbin/init is often a symlink to /sbin/upstart
  /sbin/upstart		--	gen_context(system_u:object_r:init_exec_t,s0)
-@@ -42,19 +50,33 @@ ifdef(`distro_gentoo', `
+@@ -42,20 +50,33 @@ ifdef(`distro_gentoo', `
  #
  /usr/bin/sepg_ctl	--	gen_context(system_u:object_r:initrc_exec_t,s0)
  
@@ -28566,6 +30870,7 @@ index 9a4d3a7..9d960bb 100644
  #
  # /var
  #
+-/var/run/initctl	-p	gen_context(system_u:object_r:initctl_t,s0)
 +/var/lib/systemd(/.*)?	gen_context(system_u:object_r:init_var_lib_t,s0)
  /var/run/utmp		--	gen_context(system_u:object_r:initrc_var_run_t,s0)
  /var/run/runlevel\.dir		gen_context(system_u:object_r:initrc_var_run_t,s0)
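Review bot: the added `-/var/run/initctl -p ... initctl_t` line in init.fc removes the explicit context for the initctl pipe under /var/run, and nothing in this hunk adds a replacement path. Domains that are only allowed to write `initctl_t` would be denied if the pipe is created there with a generic label. Confirm that the pipe is labeled by another entry or by a file transition, or keep this line.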
@@ -28575,13 +30880,13 @@ index 9a4d3a7..9d960bb 100644
  
  ifdef(`distro_debian',`
  /var/run/hotkey-setup	--	gen_context(system_u:object_r:initrc_var_run_t,s0)
-@@ -73,3 +95,4 @@ ifdef(`distro_suse', `
+@@ -74,3 +95,4 @@ ifdef(`distro_suse', `
  /var/run/setleds-on	--	gen_context(system_u:object_r:initrc_var_run_t,s0)
  /var/run/sysconfig(/.*)?	gen_context(system_u:object_r:initrc_var_run_t,s0)
  ')
 +/var/run/systemd(/.*)?		gen_context(system_u:object_r:init_var_run_t,s0)
 diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
-index 24e7804..6a39d34 100644
+index 79a45f6..6a39d34 100644
 --- a/policy/modules/system/init.if
 +++ b/policy/modules/system/init.if
 @@ -1,5 +1,21 @@
@@ -29365,33 +31670,82 @@ index 24e7804..6a39d34 100644
  ##	init scripts over dbus.
  ## </summary>
  ## <param name="domain">
-@@ -1526,6 +1865,25 @@ interface(`init_getattr_script_status_files',`
+@@ -1488,47 +1827,45 @@ interface(`init_use_script_ptys',`
  
  ########################################
  ## <summary>
-+##	Manage init script
+-##	Read and write inherited init script ptys.
++##	Do not audit attempts to read and
++##	write the init script pty.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain allowed access.
++##	Domain to not audit.
+ ##	</summary>
+ ## </param>
+ #
+-interface(`init_use_inherited_script_ptys',`
++interface(`init_dontaudit_use_script_ptys',`
+ 	gen_require(`
+ 		type initrc_devpts_t;
+ 	')
+ 
+-	term_list_ptys($1)
+-	allow $1 initrc_devpts_t:chr_file { getattr read write ioctl };
+-
+-	init_use_fds($1)
++	dontaudit $1 initrc_devpts_t:chr_file { rw_term_perms lock append };
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Do not audit attempts to read and
+-##	write the init script pty.
++##	Get the attributes of init script
 +##	status files.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain to not audit.
 +##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`init_manage_script_status_files',`
-+	gen_require(`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`init_dontaudit_use_script_ptys',`
++interface(`init_getattr_script_status_files',`
+ 	gen_require(`
+-		type initrc_devpts_t;
 +		type initrc_state_t;
-+	')
-+
-+	manage_files_pattern($1, initrc_state_t, initrc_state_t)
-+')
-+
-+########################################
-+## <summary>
- ##	Do not audit attempts to read init script
+ 	')
+ 
+-	dontaudit $1 initrc_devpts_t:chr_file { rw_term_perms lock append };
++	getattr_files_pattern($1, initrc_state_t, initrc_state_t)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Get the attributes of init script
++##	Manage init script
  ##	status files.
  ## </summary>
-@@ -1584,6 +1942,24 @@ interface(`init_rw_script_tmp_files',`
+ ## <param name="domain">
+@@ -1537,12 +1874,12 @@ interface(`init_dontaudit_use_script_ptys',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`init_getattr_script_status_files',`
++interface(`init_manage_script_status_files',`
+ 	gen_require(`
+ 		type initrc_state_t;
+ 	')
+ 
+-	getattr_files_pattern($1, initrc_state_t, initrc_state_t)
++	manage_files_pattern($1, initrc_state_t, initrc_state_t)
+ ')
+ 
+ ########################################
+@@ -1605,6 +1942,24 @@ interface(`init_rw_script_tmp_files',`
  
  ########################################
  ## <summary>
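Review bot: the rewritten init.if hunk at `@@ -1488,47 +1827,45 @@` deletes the interface `init_use_inherited_script_ptys`, and the patch shows no update to any caller. A module that still calls it will fail to build. Because the deletion is expressed as a chain of renames (`init_use_inherited_script_ptys` to `init_dontaudit_use_script_ptys` to `init_getattr_script_status_files` to `init_manage_script_status_files`), it is hard to tell that the three later interfaces are unchanged. Suggest regenerating the patch so that the removal shows as one contiguous block, and confirming that no caller remains.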
@@ -29416,7 +31770,7 @@ index 24e7804..6a39d34 100644
  ##	Create files in a init script
  ##	temporary data directory.
  ## </summary>
-@@ -1656,6 +2032,43 @@ interface(`init_read_utmp',`
+@@ -1677,6 +2032,43 @@ interface(`init_read_utmp',`
  
  ########################################
  ## <summary>
@@ -29460,7 +31814,7 @@ index 24e7804..6a39d34 100644
  ##	Do not audit attempts to write utmp.
  ## </summary>
  ## <param name="domain">
-@@ -1744,7 +2157,7 @@ interface(`init_dontaudit_rw_utmp',`
+@@ -1765,7 +2157,7 @@ interface(`init_dontaudit_rw_utmp',`
  		type initrc_var_run_t;
  	')
  
@@ -29469,7 +31823,7 @@ index 24e7804..6a39d34 100644
  ')
  
  ########################################
-@@ -1785,6 +2198,133 @@ interface(`init_pid_filetrans_utmp',`
+@@ -1806,6 +2198,133 @@ interface(`init_pid_filetrans_utmp',`
  	files_pid_filetrans($1, initrc_var_run_t, file, "utmp")
  ')
  
@@ -29603,7 +31957,7 @@ index 24e7804..6a39d34 100644
  ########################################
  ## <summary>
  ##	Allow the specified domain to connect to daemon with a tcp socket
-@@ -1819,3 +2359,450 @@ interface(`init_udp_recvfrom_all_daemons',`
+@@ -1840,3 +2359,450 @@ interface(`init_udp_recvfrom_all_daemons',`
  	')
  	corenet_udp_recvfrom_labeled($1, daemon)
  ')
@@ -30055,9 +32409,15 @@ index 24e7804..6a39d34 100644
 +	files_etc_filetrans($1, machineid_t, file, "machine-id" )
 +')
 diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index dd3be8d..3b2baa7 100644
+index 17eda24..3b2baa7 100644
 --- a/policy/modules/system/init.te
 +++ b/policy/modules/system/init.te
+@@ -1,4 +1,4 @@
+-policy_module(init, 1.20.1)
++policy_module(init, 1.19.6)
+ 
+ gen_require(`
+ 	class passwd rootok;
 @@ -11,10 +11,31 @@ gen_require(`
  
  ## <desc>
@@ -30596,19 +32956,19 @@ index dd3be8d..3b2baa7 100644
  ')
  
  ########################################
-@@ -225,8 +570,9 @@ optional_policy(`
+@@ -225,9 +570,9 @@ optional_policy(`
  #
  
  allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
 -allow initrc_t self:capability ~{ sys_admin sys_module };
--dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
 +allow initrc_t self:capability ~{ sys_ptrace audit_control audit_write sys_admin sys_module };
-+allow initrc_t self:capability2 block_suspend;
+ allow initrc_t self:capability2 block_suspend;
+-dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
 +dontaudit initrc_t self:capability { sys_ptrace sys_module }; # sysctl is triggering this
  allow initrc_t self:passwd rootok;
  allow initrc_t self:key manage_key_perms;
  
-@@ -257,12 +603,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -258,12 +603,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
  
  allow initrc_t initrc_var_run_t:file manage_file_perms;
  files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@@ -30625,7 +32985,7 @@ index dd3be8d..3b2baa7 100644
  
  manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
  manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
-@@ -278,23 +628,36 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -279,23 +628,36 @@ kernel_change_ring_buffer_level(initrc_t)
  kernel_clear_ring_buffer(initrc_t)
  kernel_get_sysvipc_info(initrc_t)
  kernel_read_all_sysctls(initrc_t)
@@ -30668,7 +33028,7 @@ index dd3be8d..3b2baa7 100644
  corenet_tcp_sendrecv_all_ports(initrc_t)
  corenet_udp_sendrecv_all_ports(initrc_t)
  corenet_tcp_connect_all_ports(initrc_t)
-@@ -302,9 +665,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
+@@ -303,9 +665,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
  
  dev_read_rand(initrc_t)
  dev_read_urand(initrc_t)
@@ -30680,7 +33040,7 @@ index dd3be8d..3b2baa7 100644
  dev_rw_sysfs(initrc_t)
  dev_list_usbfs(initrc_t)
  dev_read_framebuffer(initrc_t)
-@@ -312,8 +677,10 @@ dev_write_framebuffer(initrc_t)
+@@ -313,8 +677,10 @@ dev_write_framebuffer(initrc_t)
  dev_read_realtime_clock(initrc_t)
  dev_read_sound_mixer(initrc_t)
  dev_write_sound_mixer(initrc_t)
@@ -30691,7 +33051,7 @@ index dd3be8d..3b2baa7 100644
  dev_delete_lvm_control_dev(initrc_t)
  dev_manage_generic_symlinks(initrc_t)
  dev_manage_generic_files(initrc_t)
-@@ -321,8 +688,7 @@ dev_manage_generic_files(initrc_t)
+@@ -322,8 +688,7 @@ dev_manage_generic_files(initrc_t)
  dev_delete_generic_symlinks(initrc_t)
  dev_getattr_all_blk_files(initrc_t)
  dev_getattr_all_chr_files(initrc_t)
@@ -30701,7 +33061,7 @@ index dd3be8d..3b2baa7 100644
  
  domain_kill_all_domains(initrc_t)
  domain_signal_all_domains(initrc_t)
-@@ -331,7 +697,6 @@ domain_sigstop_all_domains(initrc_t)
+@@ -332,7 +697,6 @@ domain_sigstop_all_domains(initrc_t)
  domain_sigchld_all_domains(initrc_t)
  domain_read_all_domains_state(initrc_t)
  domain_getattr_all_domains(initrc_t)
@@ -30709,7 +33069,7 @@ index dd3be8d..3b2baa7 100644
  domain_getsession_all_domains(initrc_t)
  domain_use_interactive_fds(initrc_t)
  # for lsof which is used by alsa shutdown:
-@@ -339,6 +704,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
+@@ -340,6 +704,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
  domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
  domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
  domain_dontaudit_getattr_all_pipes(initrc_t)
@@ -30717,7 +33077,7 @@ index dd3be8d..3b2baa7 100644
  
  files_getattr_all_dirs(initrc_t)
  files_getattr_all_files(initrc_t)
-@@ -346,14 +712,15 @@ files_getattr_all_symlinks(initrc_t)
+@@ -347,14 +712,15 @@ files_getattr_all_symlinks(initrc_t)
  files_getattr_all_pipes(initrc_t)
  files_getattr_all_sockets(initrc_t)
  files_purge_tmp(initrc_t)
@@ -30735,7 +33095,7 @@ index dd3be8d..3b2baa7 100644
  files_read_usr_files(initrc_t)
  files_manage_urandom_seed(initrc_t)
  files_manage_generic_spool(initrc_t)
-@@ -363,8 +730,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -364,8 +730,12 @@ files_list_isid_type_dirs(initrc_t)
  files_mounton_isid_type_dirs(initrc_t)
  files_list_default(initrc_t)
  files_mounton_default(initrc_t)
@@ -30749,7 +33109,7 @@ index dd3be8d..3b2baa7 100644
  fs_list_inotifyfs(initrc_t)
  fs_register_binary_executable_type(initrc_t)
  # rhgb-console writes to ramfs
-@@ -374,10 +745,11 @@ fs_mount_all_fs(initrc_t)
+@@ -375,10 +745,11 @@ fs_mount_all_fs(initrc_t)
  fs_unmount_all_fs(initrc_t)
  fs_remount_all_fs(initrc_t)
  fs_getattr_all_fs(initrc_t)
@@ -30763,7 +33123,7 @@ index dd3be8d..3b2baa7 100644
  mcs_process_set_categories(initrc_t)
  
  mls_file_read_all_levels(initrc_t)
-@@ -386,6 +758,7 @@ mls_process_read_up(initrc_t)
+@@ -387,6 +758,7 @@ mls_process_read_up(initrc_t)
  mls_process_write_down(initrc_t)
  mls_rangetrans_source(initrc_t)
  mls_fd_share_all_levels(initrc_t)
@@ -30771,7 +33131,7 @@ index dd3be8d..3b2baa7 100644
  
  selinux_get_enforce_mode(initrc_t)
  
-@@ -397,6 +770,7 @@ term_use_all_terms(initrc_t)
+@@ -398,6 +770,7 @@ term_use_all_terms(initrc_t)
  term_reset_tty_labels(initrc_t)
  
  auth_rw_login_records(initrc_t)
@@ -30779,7 +33139,7 @@ index dd3be8d..3b2baa7 100644
  auth_setattr_login_records(initrc_t)
  auth_rw_lastlog(initrc_t)
  auth_read_pam_pid(initrc_t)
-@@ -415,20 +789,18 @@ logging_read_all_logs(initrc_t)
+@@ -416,20 +789,18 @@ logging_read_all_logs(initrc_t)
  logging_append_all_logs(initrc_t)
  logging_read_audit_config(initrc_t)
  
@@ -30803,7 +33163,7 @@ index dd3be8d..3b2baa7 100644
  
  ifdef(`distro_debian',`
  	dev_setattr_generic_dirs(initrc_t)
-@@ -450,7 +822,6 @@ ifdef(`distro_gentoo',`
+@@ -451,7 +822,6 @@ ifdef(`distro_gentoo',`
  	allow initrc_t self:process setfscreate;
  	dev_create_null_dev(initrc_t)
  	dev_create_zero_dev(initrc_t)
@@ -30811,7 +33171,7 @@ index dd3be8d..3b2baa7 100644
  	term_create_console_dev(initrc_t)
  
  	# unfortunately /sbin/rc does stupid tricks
-@@ -485,6 +856,10 @@ ifdef(`distro_gentoo',`
+@@ -486,6 +856,10 @@ ifdef(`distro_gentoo',`
  	sysnet_setattr_config(initrc_t)
  
  	optional_policy(`
@@ -30822,7 +33182,7 @@ index dd3be8d..3b2baa7 100644
  		alsa_read_lib(initrc_t)
  	')
  
-@@ -505,7 +880,7 @@ ifdef(`distro_redhat',`
+@@ -506,7 +880,7 @@ ifdef(`distro_redhat',`
  
  	# Red Hat systems seem to have a stray
  	# fd open from the initrd
@@ -30831,7 +33191,7 @@ index dd3be8d..3b2baa7 100644
  	files_dontaudit_read_root_files(initrc_t)
  
  	# These seem to be from the initrd
-@@ -520,6 +895,7 @@ ifdef(`distro_redhat',`
+@@ -521,6 +895,7 @@ ifdef(`distro_redhat',`
  	files_create_boot_dirs(initrc_t)
  	files_create_boot_flag(initrc_t)
  	files_rw_boot_symlinks(initrc_t)
@@ -30839,7 +33199,7 @@ index dd3be8d..3b2baa7 100644
  	# wants to read /.fonts directory
  	files_read_default_files(initrc_t)
  	files_mountpoint(initrc_tmp_t)
-@@ -540,6 +916,7 @@ ifdef(`distro_redhat',`
+@@ -541,6 +916,7 @@ ifdef(`distro_redhat',`
  	miscfiles_rw_localization(initrc_t)
  	miscfiles_setattr_localization(initrc_t)
  	miscfiles_relabel_localization(initrc_t)
@@ -30847,7 +33207,7 @@ index dd3be8d..3b2baa7 100644
  
  	miscfiles_read_fonts(initrc_t)
  	miscfiles_read_hwdata(initrc_t)
-@@ -549,8 +926,44 @@ ifdef(`distro_redhat',`
+@@ -550,8 +926,44 @@ ifdef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -30892,7 +33252,7 @@ index dd3be8d..3b2baa7 100644
  	')
  
  	optional_policy(`
-@@ -558,14 +971,31 @@ ifdef(`distro_redhat',`
+@@ -559,14 +971,31 @@ ifdef(`distro_redhat',`
  		rpc_write_exports(initrc_t)
  		rpc_manage_nfs_state_data(initrc_t)
  	')
@@ -30924,7 +33284,7 @@ index dd3be8d..3b2baa7 100644
  	')
  ')
  
-@@ -576,6 +1006,39 @@ ifdef(`distro_suse',`
+@@ -577,6 +1006,39 @@ ifdef(`distro_suse',`
  	')
  ')
  
@@ -30964,7 +33324,7 @@ index dd3be8d..3b2baa7 100644
  optional_policy(`
  	amavis_search_lib(initrc_t)
  	amavis_setattr_pid_files(initrc_t)
-@@ -588,6 +1051,8 @@ optional_policy(`
+@@ -589,6 +1051,8 @@ optional_policy(`
  optional_policy(`
  	apache_read_config(initrc_t)
  	apache_list_modules(initrc_t)
@@ -30973,7 +33333,7 @@ index dd3be8d..3b2baa7 100644
  ')
  
  optional_policy(`
-@@ -609,6 +1074,7 @@ optional_policy(`
+@@ -610,6 +1074,7 @@ optional_policy(`
  
  optional_policy(`
  	cgroup_stream_connect_cgred(initrc_t)
@@ -30981,7 +33341,7 @@ index dd3be8d..3b2baa7 100644
  ')
  
  optional_policy(`
-@@ -625,6 +1091,17 @@ optional_policy(`
+@@ -626,6 +1091,17 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -30999,7 +33359,7 @@ index dd3be8d..3b2baa7 100644
  	dev_getattr_printer_dev(initrc_t)
  
  	cups_read_log(initrc_t)
-@@ -641,9 +1118,13 @@ optional_policy(`
+@@ -642,9 +1118,13 @@ optional_policy(`
  	dbus_connect_system_bus(initrc_t)
  	dbus_system_bus_client(initrc_t)
  	dbus_read_config(initrc_t)
@@ -31013,7 +33373,7 @@ index dd3be8d..3b2baa7 100644
  	')
  
  	optional_policy(`
-@@ -656,15 +1137,11 @@ optional_policy(`
+@@ -657,15 +1137,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -31031,7 +33391,7 @@ index dd3be8d..3b2baa7 100644
  ')
  
  optional_policy(`
-@@ -685,6 +1162,15 @@ optional_policy(`
+@@ -686,6 +1162,15 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -31047,7 +33407,7 @@ index dd3be8d..3b2baa7 100644
  	inn_exec_config(initrc_t)
  ')
  
-@@ -725,6 +1211,7 @@ optional_policy(`
+@@ -726,6 +1211,7 @@ optional_policy(`
  	lpd_list_spool(initrc_t)
  
  	lpd_read_config(initrc_t)
@@ -31055,7 +33415,7 @@ index dd3be8d..3b2baa7 100644
  ')
  
  optional_policy(`
-@@ -742,7 +1229,13 @@ optional_policy(`
+@@ -743,7 +1229,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -31070,7 +33430,7 @@ index dd3be8d..3b2baa7 100644
  	mta_dontaudit_read_spool_symlinks(initrc_t)
  ')
  
-@@ -765,6 +1258,10 @@ optional_policy(`
+@@ -766,6 +1258,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -31081,7 +33441,7 @@ index dd3be8d..3b2baa7 100644
  	postgresql_manage_db(initrc_t)
  	postgresql_read_config(initrc_t)
  ')
-@@ -774,10 +1271,20 @@ optional_policy(`
+@@ -775,10 +1271,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -31102,7 +33462,7 @@ index dd3be8d..3b2baa7 100644
  	quota_manage_flags(initrc_t)
  ')
  
-@@ -786,6 +1293,10 @@ optional_policy(`
+@@ -787,6 +1293,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -31113,7 +33473,7 @@ index dd3be8d..3b2baa7 100644
  	fs_write_ramfs_sockets(initrc_t)
  	fs_search_ramfs(initrc_t)
  
-@@ -807,8 +1318,6 @@ optional_policy(`
+@@ -808,8 +1318,6 @@ optional_policy(`
  	# bash tries ioctl for some reason
  	files_dontaudit_ioctl_all_pids(initrc_t)
  
@@ -31122,7 +33482,7 @@ index dd3be8d..3b2baa7 100644
  ')
  
  optional_policy(`
-@@ -817,6 +1326,10 @@ optional_policy(`
+@@ -818,6 +1326,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -31133,7 +33493,7 @@ index dd3be8d..3b2baa7 100644
  	# shorewall-init script run /var/lib/shorewall/firewall
  	shorewall_lib_domtrans(initrc_t)
  ')
-@@ -826,10 +1339,12 @@ optional_policy(`
+@@ -827,10 +1339,12 @@ optional_policy(`
  	squid_manage_logs(initrc_t)
  ')
  
@@ -31146,7 +33506,7 @@ index dd3be8d..3b2baa7 100644
  
  optional_policy(`
  	ssh_dontaudit_read_server_keys(initrc_t)
-@@ -856,12 +1371,35 @@ optional_policy(`
+@@ -857,12 +1371,35 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -31183,7 +33543,7 @@ index dd3be8d..3b2baa7 100644
  
  	ifdef(`distro_redhat',`
  		# system-config-services causes avc messages that should be dontaudited
-@@ -871,6 +1409,18 @@ optional_policy(`
+@@ -872,6 +1409,18 @@ optional_policy(`
  	optional_policy(`
  		mono_domtrans(initrc_t)
  	')
@@ -31202,7 +33562,7 @@ index dd3be8d..3b2baa7 100644
  ')
  
  optional_policy(`
-@@ -886,6 +1436,10 @@ optional_policy(`
+@@ -887,6 +1436,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -31213,7 +33573,7 @@ index dd3be8d..3b2baa7 100644
  	# Set device ownerships/modes.
  	xserver_setattr_console_pipes(initrc_t)
  
-@@ -896,3 +1450,218 @@ optional_policy(`
+@@ -897,3 +1450,218 @@ optional_policy(`
  optional_policy(`
  	zebra_read_config(initrc_t)
  ')
@@ -31694,9 +34054,15 @@ index 0d4c8d3..3a3ec52 100644
 +    ps_process_pattern($1, ipsec_mgmt_t)
 +')
 diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
-index 9e54bf9..5338f4d 100644
+index 312cd04..5338f4d 100644
 --- a/policy/modules/system/ipsec.te
 +++ b/policy/modules/system/ipsec.te
+@@ -1,4 +1,4 @@
+-policy_module(ipsec, 1.14.0)
++policy_module(ipsec, 1.13.3)
+ 
+ ########################################
+ #
 @@ -48,6 +48,9 @@ init_system_domain(ipsec_mgmt_t, ipsec_mgmt_exec_t)
  corecmd_shell_entry_type(ipsec_mgmt_t)
  role system_r types ipsec_mgmt_t;
@@ -31986,10 +34352,10 @@ index 9e54bf9..5338f4d 100644
 +userdom_use_inherited_user_terminals(setkey_t)
 +userdom_read_user_tmp_files(setkey_t)
 diff --git a/policy/modules/system/iptables.fc b/policy/modules/system/iptables.fc
-index 1b93eb7..957deb0 100644
+index 73a1c4e..957deb0 100644
 --- a/policy/modules/system/iptables.fc
 +++ b/policy/modules/system/iptables.fc
-@@ -1,21 +1,32 @@
+@@ -1,22 +1,32 @@
  /etc/rc\.d/init\.d/ip6?tables	--	gen_context(system_u:object_r:iptables_initrc_exec_t,s0)
 -/etc/rc\.d/init\.d/ebtables	--	gen_context(system_u:object_r:iptables_initrc_exec_t,s0)
 -/etc/sysconfig/ip6?tables.*	--	gen_context(system_u:object_r:iptables_conf_t,s0)
@@ -32017,6 +34383,7 @@ index 1b93eb7..957deb0 100644
  /sbin/ipvsadm-save		--	gen_context(system_u:object_r:iptables_exec_t,s0)
  /sbin/xtables-multi		--	gen_context(system_u:object_r:iptables_exec_t,s0)
  
+-/usr/sbin/conntrack		--	gen_context(system_u:object_r:iptables_exec_t,s0)
 +/usr/sbin/ebtables		--	gen_context(system_u:object_r:iptables_exec_t,s0)
 +/usr/sbin/ebtables-restore	--	gen_context(system_u:object_r:iptables_exec_t,s0)
  /usr/sbin/ipchains.*		--	gen_context(system_u:object_r:iptables_exec_t,s0)
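Review bot: the added `-/usr/sbin/conntrack -- ... iptables_exec_t` line in iptables.fc removes the label for conntrack with no replacement visible in this hunk. Without `iptables_exec_t`, the tool no longer enters `iptables_t` and instead runs with whatever access the calling domain has to netfilter state. Suggest keeping the entry unless conntrack is labeled by another module, and noting that module in the changelog if so.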
@@ -32078,9 +34445,15 @@ index c42fbc3..174cfdb 100644
  ## <summary>
  ##	Set the attributes of iptables config files.
 diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
-index 5dfa44b..187eadd 100644
+index be8ed1e..187eadd 100644
 --- a/policy/modules/system/iptables.te
 +++ b/policy/modules/system/iptables.te
+@@ -1,4 +1,4 @@
+-policy_module(iptables, 1.14.0)
++policy_module(iptables, 1.13.1)
+ 
+ ########################################
+ #
 @@ -16,15 +16,15 @@ role iptables_roles types iptables_t;
  type iptables_initrc_exec_t;
  init_script_file(iptables_initrc_exec_t)
@@ -32704,9 +35077,15 @@ index 808ba93..57a68da 100644
 +	files_etc_filetrans($1, ld_so_cache_t, file, "ld.so.preload~")
 +')
 diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te
-index 23a645e..5a985c8 100644
+index 54f8fa5..5a985c8 100644
 --- a/policy/modules/system/libraries.te
 +++ b/policy/modules/system/libraries.te
+@@ -1,4 +1,4 @@
+-policy_module(libraries, 2.10.0)
++policy_module(libraries, 2.9.2)
+ 
+ ########################################
+ #
 @@ -32,14 +32,14 @@ files_tmp_file(ldconfig_tmp_t)
  # lib_t is the type of files in the system lib directories.
  #
@@ -32894,9 +35273,15 @@ index 0e3c2a9..ea9bd57 100644
 +	userdom_admin_home_dir_filetrans($1, local_login_home_t, file, ".hushlogin")
 +')
 diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
-index c04ac46..7b55414 100644
+index 446fa99..7b55414 100644
 --- a/policy/modules/system/locallogin.te
 +++ b/policy/modules/system/locallogin.te
+@@ -1,4 +1,4 @@
+-policy_module(locallogin, 1.12.0)
++policy_module(locallogin, 1.11.1)
+ 
+ ########################################
+ #
 @@ -13,9 +13,8 @@ auth_login_entry_type(local_login_t)
  type local_login_lock_t;
  files_lock_file(local_login_lock_t)
@@ -33722,10 +36107,14 @@ index 4e94884..8de26ad 100644
 +    logging_log_filetrans($1, var_log_t, dir, "anaconda")
 +')
 diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index 39ea221..93ce51a 100644
+index 59b04c1..93ce51a 100644
 --- a/policy/modules/system/logging.te
 +++ b/policy/modules/system/logging.te
-@@ -4,6 +4,21 @@ policy_module(logging, 1.19.6)
+@@ -1,9 +1,24 @@
+-policy_module(logging, 1.20.1)
++policy_module(logging, 1.19.6)
+ 
+ ########################################
  #
  # Declarations
  #
@@ -33920,23 +36309,26 @@ index 39ea221..93ce51a 100644
  
  mls_file_read_all_levels(klogd_t)
  
-@@ -354,12 +395,12 @@ optional_policy(`
+@@ -353,15 +394,13 @@ optional_policy(`
+ 
  # chown fsetid for syslog-ng
  # sys_admin for the integrated klog of syslog-ng and metalog
+-# sys_nice for rsyslog
  # cjp: why net_admin!
--allow syslogd_t self:capability { dac_override sys_resource sys_tty_config net_admin sys_admin chown fsetid };
+-allow syslogd_t self:capability { dac_override sys_resource sys_tty_config net_admin sys_admin sys_nice chown fsetid };
 +allow syslogd_t self:capability { sys_ptrace dac_override sys_resource sys_tty_config ipc_lock net_admin setgid setuid sys_admin sys_nice chown fsetid setuid setgid net_raw };
  dontaudit syslogd_t self:capability sys_tty_config;
 +allow syslogd_t self:capability2 { syslog block_suspend };
  # setpgid for metalog
  # setrlimit for syslog-ng
 -# getsched for syslog-ng
--allow syslogd_t self:process { signal_perms setpgid setrlimit getsched };
+-# setsched for rsyslog
+-allow syslogd_t self:process { signal_perms setpgid setrlimit getsched setsched };
 +allow syslogd_t self:process { signal_perms getcap setcap setpgid getsched setsched setrlimit };
  # receive messages to be logged
  allow syslogd_t self:unix_dgram_socket create_socket_perms;
  allow syslogd_t self:unix_stream_socket create_stream_socket_perms;
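Review bot: the `allow syslogd_t self:capability { ... }` line in this logging.te hunk lists `setuid` and `setgid` twice and adds `sys_ptrace` for the syslog daemon with no comment explaining the need. The hunk also deletes the `# sys_nice for rsyslog` and `# setsched for rsyslog` comments while still granting `sys_nice` and `setsched`, so the rationale for those permissions is lost. Suggest removing the duplicates, restoring the two comments, and either documenting why syslogd_t needs `sys_ptrace` or dropping it from the set.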
-@@ -367,8 +408,10 @@ allow syslogd_t self:unix_dgram_socket sendto;
+@@ -369,8 +408,10 @@ allow syslogd_t self:unix_dgram_socket sendto;
  allow syslogd_t self:fifo_file rw_fifo_file_perms;
  allow syslogd_t self:udp_socket create_socket_perms;
  allow syslogd_t self:tcp_socket create_stream_socket_perms;
@@ -33947,15 +36339,7 @@ index 39ea221..93ce51a 100644
  
  # Create and bind to /dev/log or /var/run/log.
  allow syslogd_t devlog_t:sock_file manage_sock_file_perms;
-@@ -377,6 +420,7 @@ files_pid_filetrans(syslogd_t, devlog_t, sock_file)
- # create/append log files.
- manage_files_pattern(syslogd_t, var_log_t, var_log_t)
- rw_fifo_files_pattern(syslogd_t, var_log_t, var_log_t)
-+files_search_spool(syslogd_t)
- 
- # Allow access for syslog-ng
- allow syslogd_t var_log_t:dir { create setattr };
-@@ -386,28 +430,41 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
+@@ -389,30 +430,41 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
  manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
  files_tmp_filetrans(syslogd_t, syslogd_tmp_t, { dir file })
  
@@ -33972,11 +36356,12 @@ index 39ea221..93ce51a 100644
  
 +kernel_rw_stream_socket_perms(syslogd_t)
  kernel_read_system_state(syslogd_t)
-+kernel_read_network_state(syslogd_t)
+ kernel_read_network_state(syslogd_t)
  kernel_read_kernel_sysctls(syslogd_t)
  kernel_read_proc_symlinks(syslogd_t)
  # Allow access to /proc/kmsg for syslog-ng
  kernel_read_messages(syslogd_t)
+-kernel_read_vm_sysctls(syslogd_t)
 +kernel_request_load_module(syslogd_t)
  kernel_clear_ring_buffer(syslogd_t)
  kernel_change_ring_buffer_level(syslogd_t)
@@ -34000,7 +36385,7 @@ index 39ea221..93ce51a 100644
  # syslog-ng can listen and connect on tcp port 514 (rsh)
  corenet_tcp_sendrecv_generic_if(syslogd_t)
  corenet_tcp_sendrecv_generic_node(syslogd_t)
-@@ -417,6 +474,8 @@ corenet_tcp_bind_rsh_port(syslogd_t)
+@@ -422,6 +474,8 @@ corenet_tcp_bind_rsh_port(syslogd_t)
  corenet_tcp_connect_rsh_port(syslogd_t)
  # Allow users to define additional syslog ports to connect to
  corenet_tcp_bind_syslogd_port(syslogd_t)
@@ -34009,7 +36394,7 @@ index 39ea221..93ce51a 100644
  corenet_tcp_connect_syslogd_port(syslogd_t)
  corenet_tcp_connect_postgresql_port(syslogd_t)
  corenet_tcp_connect_mysqld_port(syslogd_t)
-@@ -427,9 +486,26 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t)
+@@ -432,9 +486,26 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t)
  corenet_sendrecv_postgresql_client_packets(syslogd_t)
  corenet_sendrecv_mysqld_client_packets(syslogd_t)
  
@@ -34037,7 +36422,7 @@ index 39ea221..93ce51a 100644
  domain_use_interactive_fds(syslogd_t)
  
  files_read_etc_files(syslogd_t)
-@@ -442,14 +518,19 @@ files_read_kernel_symbol_table(syslogd_t)
+@@ -447,14 +518,19 @@ files_read_kernel_symbol_table(syslogd_t)
  files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir })
  
  fs_getattr_all_fs(syslogd_t)
@@ -34057,7 +36442,7 @@ index 39ea221..93ce51a 100644
  # for sending messages to logged in users
  init_read_utmp(syslogd_t)
  init_dontaudit_write_utmp(syslogd_t)
-@@ -461,11 +542,11 @@ init_use_fds(syslogd_t)
+@@ -466,11 +542,11 @@ init_use_fds(syslogd_t)
  
  # cjp: this doesnt make sense
  logging_send_syslog_msg(syslogd_t)
@@ -34072,7 +36457,7 @@ index 39ea221..93ce51a 100644
  
  ifdef(`distro_gentoo',`
  	# default gentoo syslog-ng config appends kernel
-@@ -492,6 +573,8 @@ optional_policy(`
+@@ -497,6 +573,8 @@ optional_policy(`
  optional_policy(`
  	cron_manage_log_files(syslogd_t)
  	cron_generic_log_filetrans_log(syslogd_t, file, "cron.log")
@@ -34081,7 +36466,7 @@ index 39ea221..93ce51a 100644
  ')
  
  optional_policy(`
-@@ -502,15 +585,40 @@ optional_policy(`
+@@ -507,15 +585,40 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -34122,7 +36507,7 @@ index 39ea221..93ce51a 100644
  ')
  
  optional_policy(`
-@@ -521,3 +629,26 @@ optional_policy(`
+@@ -526,3 +629,26 @@ optional_policy(`
  	# log to the xconsole
  	xserver_rw_console(syslogd_t)
  ')
@@ -34150,10 +36535,10 @@ index 39ea221..93ce51a 100644
 +
 +logging_stream_connect_syslog(syslog_client_type)
 diff --git a/policy/modules/system/lvm.fc b/policy/modules/system/lvm.fc
-index 879bb1e..633e449 100644
+index 6b91740..633e449 100644
 --- a/policy/modules/system/lvm.fc
 +++ b/policy/modules/system/lvm.fc
-@@ -23,28 +23,35 @@ ifdef(`distro_gentoo',`
+@@ -23,6 +23,8 @@ ifdef(`distro_gentoo',`
  /etc/lvmtab(/.*)?		gen_context(system_u:object_r:lvm_metadata_t,s0)
  /etc/lvmtab\.d(/.*)?		gen_context(system_u:object_r:lvm_metadata_t,s0)
  
@@ -34162,10 +36547,7 @@ index 879bb1e..633e449 100644
  #
  # /lib
  #
- /lib/lvm-10/.*		--	gen_context(system_u:object_r:lvm_exec_t,s0)
- /lib/lvm-200/.*		--	gen_context(system_u:object_r:lvm_exec_t,s0)
-+/lib/udev/udisks-lvm-pv-export	--	gen_context(system_u:object_r:lvm_exec_t,s0)
- 
+@@ -33,19 +35,23 @@ ifdef(`distro_gentoo',`
  #
  # /sbin
  #
@@ -34190,7 +36572,7 @@ index 879bb1e..633e449 100644
  /sbin/lvmiopversion	--	gen_context(system_u:object_r:lvm_exec_t,s0)
  /sbin/lvmsadc		--	gen_context(system_u:object_r:lvm_exec_t,s0)
  /sbin/lvmsar		--	gen_context(system_u:object_r:lvm_exec_t,s0)
-@@ -88,8 +95,72 @@ ifdef(`distro_gentoo',`
+@@ -89,8 +95,72 @@ ifdef(`distro_gentoo',`
  #
  # /usr
  #
@@ -34265,7 +36647,7 @@ index 879bb1e..633e449 100644
  
  #
  # /var
-@@ -97,5 +168,9 @@ ifdef(`distro_gentoo',`
+@@ -98,5 +168,9 @@ ifdef(`distro_gentoo',`
  /var/cache/multipathd(/.*)?	gen_context(system_u:object_r:lvm_metadata_t,s0)
  /var/lib/multipath(/.*)?	gen_context(system_u:object_r:lvm_var_lib_t,s0)
  /var/lock/lvm(/.*)?		gen_context(system_u:object_r:lvm_lock_t,s0)
@@ -34445,9 +36827,15 @@ index 58bc27f..f887230 100644
 +')
 +
 diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
-index e8c59a5..b22837c 100644
+index 79048c4..b22837c 100644
 --- a/policy/modules/system/lvm.te
 +++ b/policy/modules/system/lvm.te
+@@ -1,4 +1,4 @@
+-policy_module(lvm, 1.15.2)
++policy_module(lvm, 1.14.1)
+ 
+ ########################################
+ #
 @@ -12,6 +12,9 @@ init_daemon_domain(clvmd_t, clvmd_exec_t)
  type clvmd_initrc_exec_t;
  init_script_file(clvmd_initrc_exec_t)
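Review bot: the new leading hunk for lvm.te moves the module version backwards, from `policy_module(lvm, 1.15.2)` in the base to `policy_module(lvm, 1.14.1)`. The rest of the patch only adds rules on top of the newer base, so the policy content is no older than 1.15.2 and the lower number misstates it. Either leave the base's version line alone or say in the commit message why it is pinned. The same downgrade appears further down for miscfiles (1.11.0 to 1.10.2), modutils (1.14.0 to 1.13.3), mount (1.16.1 to 1.15.1), selinuxutil (1.17.2 to 1.17.0) and sysnetwork (1.15.4 to 1.14.6).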
@@ -34673,7 +37061,7 @@ index e8c59a5..b22837c 100644
  	bootloader_rw_tmp_files(lvm_t)
  ')
  
-@@ -333,14 +374,30 @@ optional_policy(`
+@@ -333,16 +374,31 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -34702,8 +37090,10 @@ index e8c59a5..b22837c 100644
 +
 +optional_policy(`
  	udev_read_db(lvm_t)
+-	udev_read_pid_files(lvm_t)
  ')
  
+ optional_policy(`
 diff --git a/policy/modules/system/miscfiles.fc b/policy/modules/system/miscfiles.fc
 index 9fe8e01..83acb32 100644
 --- a/policy/modules/system/miscfiles.fc
@@ -35028,10 +37418,14 @@ index fc28bc3..faa2281 100644
 +	files_var_filetrans($1, public_content_t, dir, "ftp")
 +')
 diff --git a/policy/modules/system/miscfiles.te b/policy/modules/system/miscfiles.te
-index d6293de..8f8d80d 100644
+index 1361961..8f8d80d 100644
 --- a/policy/modules/system/miscfiles.te
 +++ b/policy/modules/system/miscfiles.te
-@@ -4,7 +4,6 @@ policy_module(miscfiles, 1.10.2)
+@@ -1,10 +1,9 @@
+-policy_module(miscfiles, 1.11.0)
++policy_module(miscfiles, 1.10.2)
+ 
+ ########################################
  #
  # Declarations
  #
@@ -35228,10 +37622,15 @@ index 7449974..23bbbf2 100644
 +	files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.dep.bin")
 +')
 diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
-index 7a49e28..82004c9 100644
+index 7a363b8..82004c9 100644
 --- a/policy/modules/system/modutils.te
 +++ b/policy/modules/system/modutils.te
-@@ -5,7 +5,7 @@ policy_module(modutils, 1.13.3)
+@@ -1,11 +1,11 @@
+-policy_module(modutils, 1.14.0)
++policy_module(modutils, 1.13.3)
+ 
+ ########################################
+ #
  # Declarations
  #
  
@@ -35495,10 +37894,10 @@ index 7a49e28..82004c9 100644
  
  ifdef(`distro_gentoo',`
 diff --git a/policy/modules/system/mount.fc b/policy/modules/system/mount.fc
-index 72c746e..f035d9f 100644
+index a38605e..f035d9f 100644
 --- a/policy/modules/system/mount.fc
 +++ b/policy/modules/system/mount.fc
-@@ -1,4 +1,26 @@
+@@ -1,6 +1,26 @@
 +/bin/fusermount    		--      gen_context(system_u:object_r:fusermount_exec_t,s0)
  /bin/mount.*			--	gen_context(system_u:object_r:mount_exec_t,s0)
  /bin/umount.*			--	gen_context(system_u:object_r:mount_exec_t,s0)
@@ -35506,7 +37905,8 @@ index 72c746e..f035d9f 100644
 -/usr/bin/fusermount		--	gen_context(system_u:object_r:mount_exec_t,s0)
 +/dev/\.mount(/.*)?			gen_context(system_u:object_r:mount_var_run_t,s0)
 +/run/mount(/.*)?			gen_context(system_u:object_r:mount_var_run_t,s0)
-+
+ 
+-/var/run/mount(/.*)?			gen_context(system_u:object_r:mount_var_run_t,s0)
 +/sbin/mount.*			--	gen_context(system_u:object_r:mount_exec_t,s0)
 +/sbin/umount.*			--	gen_context(system_u:object_r:mount_exec_t,s0)
 +
@@ -35852,10 +38252,15 @@ index 4584457..8a190ae 100644
 +        domtrans_pattern($1, mount_ecryptfs_exec_t, mount_ecryptfs_t)
  ')
 diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
-index 6a50270..d941116 100644
+index 459a0ef..d941116 100644
 --- a/policy/modules/system/mount.te
 +++ b/policy/modules/system/mount.te
-@@ -5,40 +5,58 @@ policy_module(mount, 1.15.1)
+@@ -1,47 +1,62 @@
+-policy_module(mount, 1.16.1)
++policy_module(mount, 1.15.1)
+ 
+ ########################################
+ #
  # Declarations
  #
  
@@ -35891,13 +38296,8 @@ index 6a50270..d941116 100644
  type mount_tmp_t;
  files_tmp_file(mount_tmp_t)
  
--# causes problems with interfaces when
--# this is optionally declared in monolithic
--# policy--duplicate type declaration
--type unconfined_mount_t;
--application_domain(unconfined_mount_t, mount_exec_t)
-+type mount_var_run_t;
-+files_pid_file(mount_var_run_t)
+ type mount_var_run_t;
+ files_pid_file(mount_var_run_t)
 +dev_associate(mount_var_run_t)
 +
 +# showmount - show mount information for an NFS server
@@ -35911,7 +38311,12 @@ index 6a50270..d941116 100644
 +type mount_ecryptfs_exec_t;
 +application_domain(mount_ecryptfs_t, mount_ecryptfs_exec_t)
 +role system_r types mount_ecryptfs_t;
-+
+ 
+-# causes problems with interfaces when
+-# this is optionally declared in monolithic
+-# policy--duplicate type declaration
+-type unconfined_mount_t;
+-application_domain(unconfined_mount_t, mount_exec_t)
 +type mount_ecryptfs_tmpfs_t;
 +files_tmpfs_file(mount_ecryptfs_tmpfs_t)
  
@@ -35931,16 +38336,20 @@ index 6a50270..d941116 100644
  
  allow mount_t mount_loopback_t:file read_file_perms;
  
-@@ -49,9 +67,24 @@ can_exec(mount_t, mount_exec_t)
+@@ -52,15 +67,24 @@ can_exec(mount_t, mount_exec_t)
  
  files_tmp_filetrans(mount_t, mount_tmp_t, { file dir })
  
+-create_dirs_pattern(mount_t, mount_var_run_t, mount_var_run_t)
+-create_files_pattern(mount_t, mount_var_run_t, mount_var_run_t)
+-rw_files_pattern(mount_t, mount_var_run_t, mount_var_run_t)
+-files_pid_filetrans(mount_t, mount_var_run_t, dir, "mount")
 +manage_dirs_pattern(mount_t,mount_var_run_t,mount_var_run_t)
 +manage_files_pattern(mount_t,mount_var_run_t,mount_var_run_t)
 +files_pid_filetrans(mount_t,mount_var_run_t,{ dir file })
 +files_var_filetrans(mount_t,mount_var_run_t,dir)
 +dev_filetrans(mount_t, mount_var_run_t, dir)
-+
+ 
 +# In order to mount reiserfs_t
 +kernel_dontaudit_getattr_core_if(mount_t)
 +kernel_list_unlabeled(mount_t)
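Review bot: the transitions added for `mount_var_run_t` are unnamed, where the base line being removed was restricted by name: `files_pid_filetrans(mount_t, mount_var_run_t, dir, "mount")`. With `files_pid_filetrans(mount_t,mount_var_run_t,{ dir file })`, `files_var_filetrans(mount_t,mount_var_run_t,dir)` and `dev_filetrans(mount_t, mount_var_run_t, dir)`, every directory mount_t creates directly in the pid directory, /var or /dev is labelled `mount_var_run_t`, not only the `/run/mount` and `/dev/.mount` paths that mount.fc declares. Keep the name argument on each transition so the label stays tied to those paths. The switch from `create_*_pattern` plus `rw_files_pattern` to `manage_*_pattern` also adds delete and rename; note in a comment what needs them.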
@@ -35949,15 +38358,15 @@ index 6a50270..d941116 100644
  kernel_read_system_state(mount_t)
 +kernel_read_network_state(mount_t)
  kernel_read_kernel_sysctls(mount_t)
--kernel_dontaudit_getattr_core_if(mount_t)
 +kernel_relabelfrom_unlabeled_fs(mount_t)
 +kernel_manage_debugfs(mount_t)
-+kernel_setsched(mount_t)
+ kernel_setsched(mount_t)
+-kernel_dontaudit_getattr_core_if(mount_t)
 +kernel_use_fds(mount_t)
  kernel_dontaudit_write_debugfs_dirs(mount_t)
  kernel_dontaudit_write_proc_dirs(mount_t)
  # To load binfmt_misc kernel module
-@@ -60,31 +93,47 @@ kernel_request_load_module(mount_t)
+@@ -69,60 +93,87 @@ kernel_request_load_module(mount_t)
  # required for mount.smbfs
  corecmd_exec_bin(mount_t)
  
@@ -36008,7 +38417,8 @@ index 6a50270..d941116 100644
  files_read_isid_type_files(mount_t)
  # For reading cert files
  files_read_usr_files(mount_t)
-@@ -92,28 +141,39 @@ files_list_mnt(mount_t)
+-files_list_all_mountpoints(mount_t)
++files_list_mnt(mount_t)
  files_dontaudit_write_all_mountpoints(mount_t)
  files_dontaudit_setattr_all_mountpoints(mount_t)
  
@@ -36054,7 +38464,7 @@ index 6a50270..d941116 100644
  term_dontaudit_manage_pty_dirs(mount_t)
  
  auth_use_nsswitch(mount_t)
-@@ -121,16 +181,21 @@ auth_use_nsswitch(mount_t)
+@@ -130,16 +181,21 @@ auth_use_nsswitch(mount_t)
  init_use_fds(mount_t)
  init_use_script_ptys(mount_t)
  init_dontaudit_getattr_initctl(mount_t)
@@ -36078,7 +38488,7 @@ index 6a50270..d941116 100644
  
  ifdef(`distro_redhat',`
  	optional_policy(`
-@@ -146,26 +211,27 @@ ifdef(`distro_ubuntu',`
+@@ -155,26 +211,27 @@ ifdef(`distro_ubuntu',`
  	')
  ')
  
@@ -36118,7 +38528,7 @@ index 6a50270..d941116 100644
  	corenet_tcp_bind_generic_port(mount_t)
  	corenet_udp_bind_generic_port(mount_t)
  	corenet_tcp_bind_reserved_port(mount_t)
-@@ -179,6 +245,9 @@ optional_policy(`
+@@ -188,6 +245,9 @@ optional_policy(`
  	fs_search_rpc(mount_t)
  
  	rpc_stub(mount_t)
@@ -36128,7 +38538,7 @@ index 6a50270..d941116 100644
  ')
  
  optional_policy(`
-@@ -186,6 +255,40 @@ optional_policy(`
+@@ -195,6 +255,40 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -36169,7 +38579,7 @@ index 6a50270..d941116 100644
  	ifdef(`hide_broken_symptoms',`
  		# for a bug in the X server
  		rhgb_dontaudit_rw_stream_sockets(mount_t)
-@@ -194,24 +297,132 @@ optional_policy(`
+@@ -203,28 +297,132 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -36185,10 +38595,10 @@ index 6a50270..d941116 100644
 +optional_policy(`
 +	#modutils_run_insmod(mount_t, mount_roles)
 +	modutils_domtrans_insmod(mount_t)
-+	modutils_read_module_deps(mount_t)
-+')
-+
-+optional_policy(`
+ 	modutils_read_module_deps(mount_t)
+ ')
+ 
+ optional_policy(`
 +	fstools_domtrans(mount_t)
 +	#fstools_run(mount_t, mount_roles)
 +')
@@ -37025,9 +39435,15 @@ index 3822072..270bde3 100644
 +	allow semanage_t $1:dbus send_msg;
 +')
 diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
-index ec01d0b..8dae06f 100644
+index dc46420..8dae06f 100644
 --- a/policy/modules/system/selinuxutil.te
 +++ b/policy/modules/system/selinuxutil.te
+@@ -1,4 +1,4 @@
+-policy_module(selinuxutil, 1.17.2)
++policy_module(selinuxutil, 1.17.0)
+ 
+ gen_require(`
+ 	bool secure_mode;
 @@ -11,14 +11,16 @@ gen_require(`
  
  attribute can_write_binary_policy;
@@ -37553,7 +39969,7 @@ index ec01d0b..8dae06f 100644
  ')
  
  ########################################
-@@ -522,108 +598,196 @@ ifdef(`distro_ubuntu',`
+@@ -522,111 +598,196 @@ ifdef(`distro_ubuntu',`
  # Setfiles local policy
  #
  
@@ -37578,6 +39994,8 @@ index ec01d0b..8dae06f 100644
 -kernel_dontaudit_list_all_sysctls(setfiles_t)
 -
 -dev_relabel_all_dev_nodes(setfiles_t)
+-# to handle when /dev/console needs to be relabeled
+-dev_rw_generic_chr_files(setfiles_t)
 -
 -domain_use_interactive_fds(setfiles_t)
 -domain_dontaudit_search_all_domains_state(setfiles_t)
@@ -37587,6 +40005,7 @@ index ec01d0b..8dae06f 100644
 -files_list_all(setfiles_t)
 -files_relabel_all_files(setfiles_t)
 -files_read_usr_symlinks(setfiles_t)
+-files_dontaudit_read_all_symlinks(setfiles_t)
 -
 -fs_getattr_xattr_fs(setfiles_t)
 -fs_list_all(setfiles_t)
@@ -37892,10 +40311,10 @@ index 1447687..d5e6fb9 100644
  seutil_read_config(setrans_t)
  
 diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc
-index 346a7cc..42a48b6 100644
+index 40edc18..95f4458 100644
 --- a/policy/modules/system/sysnetwork.fc
 +++ b/policy/modules/system/sysnetwork.fc
-@@ -17,16 +17,17 @@ ifdef(`distro_debian',`
+@@ -17,23 +17,29 @@ ifdef(`distro_debian',`
  /etc/dhclient.*conf	--	gen_context(system_u:object_r:dhcp_etc_t,s0)
  /etc/dhclient-script	--	gen_context(system_u:object_r:dhcp_etc_t,s0)
  /etc/dhcpc.*			gen_context(system_u:object_r:dhcp_etc_t,s0)
@@ -37908,7 +40327,10 @@ index 346a7cc..42a48b6 100644
 +/etc/hosts[^/]*		--	gen_context(system_u:object_r:net_conf_t,s0)
  /etc/hosts\.deny.*	--	gen_context(system_u:object_r:net_conf_t,s0)
  /etc/denyhosts.*	--	gen_context(system_u:object_r:net_conf_t,s0)
- /etc/resolv\.conf.*	--	gen_context(system_u:object_r:net_conf_t,s0)
+-/etc/resolv\.conf.*	--	gen_context(system_u:object_r:net_conf_t,s0)
++/etc/resolv\.conf.*		gen_context(system_u:object_r:net_conf_t,s0)
++/etc/resolv-secure.conf.*		gen_context(system_u:object_r:net_conf_t,s0)
++/etc/\.resolv\.conf.*		gen_context(system_u:object_r:net_conf_t,s0)
  /etc/yp\.conf.*		--	gen_context(system_u:object_r:net_conf_t,s0)
 +/etc/ntp\.conf		--	gen_context(system_u:object_r:net_conf_t,s0)
  
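Review bot: in the added `/etc/resolv-secure.conf.*` entry the dot before `conf` is not escaped, unlike `/etc/resolv\.conf.*` and `/etc/\.resolv\.conf.*` on the neighbouring lines, so the pattern matches any character in that position. Write it as `/etc/resolv-secure\.conf.*`. Separately, all three entries drop the `--` file-type field, so they now apply to every object class whose path starts with that prefix, directories included. If the goal is to cover the symlinks as well as the regular files, a `--` entry plus a `-l` entry per path states that more narrowly.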
@@ -37917,7 +40339,25 @@ index 346a7cc..42a48b6 100644
  /etc/dhcp3?/dhclient.*		gen_context(system_u:object_r:dhcp_etc_t,s0)
  
  ifdef(`distro_redhat',`
-@@ -55,6 +56,20 @@ ifdef(`distro_redhat',`
+ /etc/sysconfig/network-scripts/.*resolv\.conf -- gen_context(system_u:object_r:net_conf_t,s0)
+ /etc/sysconfig/networking(/.*)? gen_context(system_u:object_r:net_conf_t,s0)
+ /etc/sysconfig/network-scripts(/.*)? gen_context(system_u:object_r:net_conf_t,s0)
++/var/run/systemd/network(/.*)?  gen_context(system_u:object_r:net_conf_t,s0)
++/var/run/systemd/resolve/resolv\.conf   --  gen_context(system_u:object_r:net_conf_t,s0)
+ ')
++/var/run/NetworkManager/resolv\.conf.*   --  gen_context(system_u:object_r:net_conf_t,s0)
+ 
+ #
+ # /sbin
+@@ -44,6 +50,7 @@ ifdef(`distro_redhat',`
+ /sbin/ethtool		--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
+ /sbin/ifconfig		--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
+ /sbin/ip		--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
++/sbin/iw		--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
+ /sbin/ipx_configure	--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
+ /sbin/ipx_interface	--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
+ /sbin/ipx_internal_net	--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
+@@ -55,6 +62,21 @@ ifdef(`distro_redhat',`
  #
  # /usr
  #
@@ -37929,6 +40369,7 @@ index 346a7cc..42a48b6 100644
 +/usr/sbin/ethtool	--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
 +/usr/sbin/ifconfig	--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
 +/usr/sbin/ip		--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
++/usr/sbin/iw		--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
 +/usr/sbin/ipx_configure	--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
 +/usr/sbin/ipx_interface	--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
 +/usr/sbin/ipx_internal_net --	gen_context(system_u:object_r:ifconfig_exec_t,s0)
@@ -37938,15 +40379,15 @@ index 346a7cc..42a48b6 100644
  /usr/sbin/tc		--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
  
  #
-@@ -72,3 +87,6 @@ ifdef(`distro_redhat',`
- ifdef(`distro_gentoo',`
- /var/lib/dhcpc(/.*)?		gen_context(system_u:object_r:dhcpc_state_t,s0)
+@@ -77,3 +99,6 @@ ifdef(`distro_debian',`
+ /var/run/network(/.*)?	gen_context(system_u:object_r:net_conf_t,s0)
  ')
-+
+ 
 +/var/run/netns(/.*)?		gen_context(system_u:object_r:ifconfig_var_run_t,s0)
 +/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0)
++
 diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
-index 6944526..50b1c3c 100644
+index 2cea692..fd3a212 100644
 --- a/policy/modules/system/sysnetwork.if
 +++ b/policy/modules/system/sysnetwork.if
 @@ -38,11 +38,30 @@ interface(`sysnet_domtrans_dhcpc',`
@@ -37980,7 +40421,7 @@ index 6944526..50b1c3c 100644
  ')
  
  ########################################
-@@ -212,7 +231,7 @@ interface(`sysnet_rw_dhcp_config',`
+@@ -231,7 +250,7 @@ interface(`sysnet_rw_dhcp_config',`
  	')
  
  	files_search_etc($1)
@@ -37989,7 +40430,7 @@ index 6944526..50b1c3c 100644
  ')
  
  ########################################
-@@ -250,6 +269,7 @@ interface(`sysnet_read_dhcpc_state',`
+@@ -269,6 +288,7 @@ interface(`sysnet_read_dhcpc_state',`
  		type dhcpc_state_t;
  	')
  
@@ -37997,7 +40438,7 @@ index 6944526..50b1c3c 100644
  	read_files_pattern($1, dhcpc_state_t, dhcpc_state_t)
  ')
  
-@@ -271,6 +291,43 @@ interface(`sysnet_delete_dhcpc_state',`
+@@ -290,6 +310,43 @@ interface(`sysnet_delete_dhcpc_state',`
  	delete_files_pattern($1, dhcpc_state_t, dhcpc_state_t)
  ')
  
@@ -38041,7 +40482,7 @@ index 6944526..50b1c3c 100644
  #######################################
  ## <summary>
  ##	Set the attributes of network config files.
-@@ -292,6 +349,44 @@ interface(`sysnet_setattr_config',`
+@@ -311,6 +368,44 @@ interface(`sysnet_setattr_config',`
  
  #######################################
  ## <summary>
@@ -38086,18 +40527,25 @@ index 6944526..50b1c3c 100644
  ##	Read network config files.
  ## </summary>
  ## <desc>
-@@ -331,6 +426,7 @@ interface(`sysnet_read_config',`
+@@ -355,7 +450,10 @@ interface(`sysnet_read_config',`
+ 	')
  
  	ifdef(`distro_redhat',`
++        files_search_all_pids($1)
++        init_search_pid_dirs($1)
  		allow $1 net_conf_t:dir list_dir_perms;
 +		allow $1 net_conf_t:lnk_file read_lnk_file_perms;
  		read_files_pattern($1, net_conf_t, net_conf_t)
  	')
  ')
-@@ -415,6 +511,40 @@ interface(`sysnet_etc_filetrans_config',`
- 	files_etc_filetrans($1, net_conf_t, file, $2)
- ')
+@@ -438,6 +536,42 @@ interface(`sysnet_etc_filetrans_config',`
+ 	')
  
+ 	files_etc_filetrans($1, net_conf_t, file, $2)
++	files_etc_filetrans($1, net_conf_t, lnk_file, $2)
++
++')
++
 +########################################
 +## <summary>
 +##	Transition content to the type used for
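Review bot: `files_search_all_pids($1)` inside `sysnet_read_config` hands search on all pid directories to every caller of this interface, and within this patch alone that includes `sysnet_dns_name_resolve` and `sysnet_use_portmap`. The file contexts added in sysnetwork.fc place net_conf_t content only under `/var/run/systemd` and `/var/run/NetworkManager`, so search access to those two directories would be enough for reading resolv.conf. Please either narrow the grant or add a comment saying why the wider one is needed. The two added lines are also indented with eight spaces while the lines around them use tabs.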
@@ -38130,20 +40578,61 @@ index 6944526..50b1c3c 100644
 +	')
 +
 +	filetrans_pattern($1, $2, net_conf_t, $3, $4)
-+')
-+
+ ')
+ 
  #######################################
- ## <summary>
- ##	Create, read, write, and delete network config files.
-@@ -433,6 +563,7 @@ interface(`sysnet_manage_config',`
+@@ -453,7 +587,7 @@ interface(`sysnet_etc_filetrans_config',`
+ interface(`sysnet_manage_config',`
+ 	gen_require(`
+ 		type net_conf_t;
+-	')
++        ')
+ 
  	allow $1 net_conf_t:file manage_file_perms;
  
+@@ -463,7 +597,41 @@ interface(`sysnet_manage_config',`
+ 	')
+ 
  	ifdef(`distro_redhat',`
++        files_search_all_pids($1)
++        init_search_pid_dirs($1)
 +		allow $1 net_conf_t:dir list_dir_perms;
  		manage_files_pattern($1, net_conf_t, net_conf_t)
++		manage_lnk_files_pattern($1, net_conf_t, net_conf_t)
++	')
++')
++
++#######################################
++## <summary>
++##	Create, read, write, and delete network config dirs.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`sysnet_manage_config_dirs',`
++	gen_require(`
++		type net_conf_t;
++	')
++
++	allow $1 net_conf_t:dir manage_dir_perms;
++
++	ifdef(`distro_debian',`
++		files_search_pids($1)
++		manage_dirs_pattern($1, net_conf_t, net_conf_t)
++	')
++
++	ifdef(`distro_redhat',`
++        files_search_all_pids($1)
++        init_search_pid_dirs($1)
++		allow $1 net_conf_t:dir list_dir_perms;
++		manage_dirs_pattern($1, net_conf_t, net_conf_t)
  	')
  ')
-@@ -471,6 +602,7 @@ interface(`sysnet_delete_dhcpc_pid',`
+ 
+@@ -501,6 +669,7 @@ interface(`sysnet_delete_dhcpc_pid',`
  		type dhcpc_var_run_t;
  	')
  
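Review bot: in the new `sysnet_manage_config_dirs`, the `allow $1 net_conf_t:dir list_dir_perms;` line in the `distro_redhat` branch is redundant, since the unconditional `allow $1 net_conf_t:dir manage_dir_perms;` at the top of the interface already covers listing. Two whitespace points in the same hunk: the `')` that closes `gen_require` in `sysnet_manage_config` changes from a tab to eight spaces with no functional change and should be left as it was, and the added `files_search_all_pids($1)` and `init_search_pid_dirs($1)` lines use spaces where the rest of the file uses tabs.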
@@ -38151,7 +40640,7 @@ index 6944526..50b1c3c 100644
  	allow $1 dhcpc_var_run_t:file unlink;
  ')
  
-@@ -580,6 +712,25 @@ interface(`sysnet_signull_ifconfig',`
+@@ -610,6 +779,25 @@ interface(`sysnet_signull_ifconfig',`
  
  ########################################
  ## <summary>
@@ -38177,7 +40666,7 @@ index 6944526..50b1c3c 100644
  ##	Read the DHCP configuration files.
  ## </summary>
  ## <param name="domain">
-@@ -596,6 +747,7 @@ interface(`sysnet_read_dhcp_config',`
+@@ -626,6 +814,7 @@ interface(`sysnet_read_dhcp_config',`
  	files_search_etc($1)
  	allow $1 dhcp_etc_t:dir list_dir_perms;
  	read_files_pattern($1, dhcp_etc_t, dhcp_etc_t)
@@ -38185,7 +40674,7 @@ index 6944526..50b1c3c 100644
  ')
  
  ########################################
-@@ -617,6 +769,26 @@ interface(`sysnet_search_dhcp_state',`
+@@ -647,6 +836,26 @@ interface(`sysnet_search_dhcp_state',`
  	allow $1 dhcp_state_t:dir search_dir_perms;
  ')
  
@@ -38212,7 +40701,7 @@ index 6944526..50b1c3c 100644
  ########################################
  ## <summary>
  ##	Create DHCP state data.
-@@ -681,8 +853,6 @@ interface(`sysnet_dns_name_resolve',`
+@@ -711,8 +920,6 @@ interface(`sysnet_dns_name_resolve',`
  	allow $1 self:udp_socket create_socket_perms;
  	allow $1 self:netlink_route_socket r_netlink_socket_perms;
  
@@ -38221,19 +40710,21 @@ index 6944526..50b1c3c 100644
  	corenet_tcp_sendrecv_generic_if($1)
  	corenet_udp_sendrecv_generic_if($1)
  	corenet_tcp_sendrecv_generic_node($1)
-@@ -690,8 +860,11 @@ interface(`sysnet_dns_name_resolve',`
+@@ -720,8 +927,13 @@ interface(`sysnet_dns_name_resolve',`
  	corenet_tcp_sendrecv_dns_port($1)
  	corenet_udp_sendrecv_dns_port($1)
  	corenet_tcp_connect_dns_port($1)
-+    corenet_tcp_connect_dnssec_port($1)
++	corenet_tcp_connect_dnssec_port($1)
  	corenet_sendrecv_dns_client_packets($1)
  
++	files_search_all_pids($1)
++
 +	miscfiles_read_generic_certs($1)
 +
  	sysnet_read_config($1)
  
  	optional_policy(`
-@@ -720,8 +893,6 @@ interface(`sysnet_use_ldap',`
+@@ -750,8 +962,6 @@ interface(`sysnet_use_ldap',`
  
  	allow $1 self:tcp_socket create_socket_perms;
  
@@ -38242,7 +40733,7 @@ index 6944526..50b1c3c 100644
  	corenet_tcp_sendrecv_generic_if($1)
  	corenet_tcp_sendrecv_generic_node($1)
  	corenet_tcp_sendrecv_ldap_port($1)
-@@ -730,9 +901,14 @@ interface(`sysnet_use_ldap',`
+@@ -760,9 +970,14 @@ interface(`sysnet_use_ldap',`
  
  	# Support for LDAPS
  	dev_read_rand($1)
@@ -38257,7 +40748,7 @@ index 6944526..50b1c3c 100644
  ')
  
  ########################################
-@@ -754,7 +930,6 @@ interface(`sysnet_use_portmap',`
+@@ -784,7 +999,6 @@ interface(`sysnet_use_portmap',`
  	allow $1 self:udp_socket create_socket_perms;
  
  	corenet_all_recvfrom_unlabeled($1)
@@ -38265,7 +40756,7 @@ index 6944526..50b1c3c 100644
  	corenet_tcp_sendrecv_generic_if($1)
  	corenet_udp_sendrecv_generic_if($1)
  	corenet_tcp_sendrecv_generic_node($1)
-@@ -766,3 +941,114 @@ interface(`sysnet_use_portmap',`
+@@ -796,3 +1010,125 @@ interface(`sysnet_use_portmap',`
  
  	sysnet_read_config($1)
  ')
@@ -38335,12 +40826,23 @@ index 6944526..50b1c3c 100644
 +	files_etc_filetrans($1, net_conf_t, file, "resolv.conf.tmp")
 +	files_etc_filetrans($1, net_conf_t, file, "resolv.conf.fp-tmp")
 +	files_etc_filetrans($1, net_conf_t, file, "resolv.conf.fp-saved")
++	files_etc_filetrans($1, net_conf_t, file, "resolv-secure.conf")
++	files_etc_filetrans($1, net_conf_t, file, ".resolv.conf.dnssec-trigger")
++	files_etc_filetrans($1, net_conf_t, file, ".resolv-secure.conf.dnssec-trigger")
++	files_etc_filetrans($1, net_conf_t, lnk_file, ".resolv.conf")
++	files_etc_filetrans($1, net_conf_t, lnk_file, ".resolv.conf.NetworkManager")
 +	files_etc_filetrans($1, net_conf_t, file, "denyhosts")
 +	files_etc_filetrans($1, net_conf_t, file, "hosts")
 +	files_etc_filetrans($1, net_conf_t, file, "hosts.deny")
 +	files_etc_filetrans($1, net_conf_t, file, "ethers")
 +	files_etc_filetrans($1, net_conf_t, file, "yp.conf")
 +	files_etc_filetrans($1, net_conf_t, file, "ntp.conf")
++	init_pid_filetrans($1, net_conf_t, dir, "network")
++
++	optional_policy(`
++	    networkmanager_pid_filetrans($1, net_conf_t, file, "resolv.conf")
++	    networkmanager_pid_filetrans($1, net_conf_t, file, "resolv.conf.tmp")
++    ')
 +')
 +
 +########################################
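Review bot: the named transition for `.resolv-secure.conf.dnssec-trigger` has no matching file-context entry in the sysnetwork.fc changes shown in this patch. The entries added there are `/etc/resolv\.conf.*`, `/etc/resolv-secure.conf.*` and `/etc/\.resolv\.conf.*`, and none of them matches a path beginning `/etc/.resolv-secure`. The file would get `net_conf_t` when created through this interface and lose it on the next relabel. Add an fc line for it alongside the other three. The `optional_policy` block at the end mixes a tab with four spaces and closes with a space-indented `')`; reindent it with tabs like the rest of the interface.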
@@ -38381,10 +40883,15 @@ index 6944526..50b1c3c 100644
 +	files_pid_filetrans($1, ifconfig_var_run_t, dir, "netns")
 +')
 diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
-index b7686d5..f94755e 100644
+index a392fc4..f94755e 100644
 --- a/policy/modules/system/sysnetwork.te
 +++ b/policy/modules/system/sysnetwork.te
-@@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.14.6)
+@@ -1,10 +1,17 @@
+-policy_module(sysnetwork, 1.15.4)
++policy_module(sysnetwork, 1.14.6)
+ 
+ ########################################
+ #
  # Declarations
  #
  
@@ -38409,16 +40916,20 @@ index b7686d5..f94755e 100644
  
  type dhcpc_state_t;
  files_type(dhcpc_state_t)
-@@ -36,18 +45,22 @@ type ifconfig_exec_t;
+@@ -36,22 +45,22 @@ type ifconfig_exec_t;
  init_system_domain(ifconfig_t, ifconfig_exec_t)
  role system_r types ifconfig_t;
  
+-type net_conf_t alias resolv_conf_t;
+-files_type(net_conf_t)
 +type ifconfig_var_run_t;
 +files_pid_file(ifconfig_var_run_t)
 +files_mountpoint(ifconfig_var_run_t)
-+
- type net_conf_t alias resolv_conf_t;
--files_type(net_conf_t)
+ 
+-ifdef(`distro_debian',`
+-	init_daemon_run_dir(net_conf_t, "network")
+-')
++type net_conf_t alias resolv_conf_t;
 +files_config_file(net_conf_t)
  
  ########################################
@@ -38435,7 +40946,7 @@ index b7686d5..f94755e 100644
  
  allow dhcpc_t self:fifo_file rw_fifo_file_perms;
  allow dhcpc_t self:tcp_socket create_stream_socket_perms;
-@@ -60,8 +73,11 @@ read_lnk_files_pattern(dhcpc_t, dhcp_etc_t, dhcp_etc_t)
+@@ -64,8 +73,11 @@ read_lnk_files_pattern(dhcpc_t, dhcp_etc_t, dhcp_etc_t)
  exec_files_pattern(dhcpc_t, dhcp_etc_t, dhcp_etc_t)
  
  allow dhcpc_t dhcp_state_t:file read_file_perms;
@@ -38447,7 +40958,7 @@ index b7686d5..f94755e 100644
  
  # create pid file
  manage_files_pattern(dhcpc_t, dhcpc_var_run_t, dhcpc_var_run_t)
-@@ -70,6 +86,8 @@ files_pid_filetrans(dhcpc_t, dhcpc_var_run_t, { file dir })
+@@ -74,6 +86,8 @@ files_pid_filetrans(dhcpc_t, dhcpc_var_run_t, { file dir })
  
  # Allow read/write to /etc/resolv.conf and /etc/ntp.conf. Note that any files
  # in /etc created by dhcpcd will be labelled net_conf_t.
@@ -38456,7 +40967,7 @@ index b7686d5..f94755e 100644
  sysnet_manage_config(dhcpc_t)
  files_etc_filetrans(dhcpc_t, net_conf_t, file)
  
-@@ -91,14 +109,13 @@ kernel_rw_net_sysctls(dhcpc_t)
+@@ -95,39 +109,40 @@ kernel_rw_net_sysctls(dhcpc_t)
  corecmd_exec_bin(dhcpc_t)
  corecmd_exec_shell(dhcpc_t)
  
@@ -38477,10 +40988,14 @@ index b7686d5..f94755e 100644
  corenet_tcp_sendrecv_all_ports(dhcpc_t)
  corenet_udp_sendrecv_all_ports(dhcpc_t)
  corenet_tcp_bind_all_nodes(dhcpc_t)
-@@ -108,21 +125,24 @@ corenet_udp_bind_dhcpc_port(dhcpc_t)
+ corenet_udp_bind_all_nodes(dhcpc_t)
+ corenet_tcp_bind_dhcpc_port(dhcpc_t)
+ corenet_udp_bind_dhcpc_port(dhcpc_t)
+-corenet_udp_bind_all_unreserved_ports(dhcpc_t)
  corenet_tcp_connect_all_ports(dhcpc_t)
  corenet_sendrecv_dhcpd_client_packets(dhcpc_t)
- corenet_sendrecv_dhcpc_server_packets(dhcpc_t)
+-corenet_sendrecv_all_server_packets(dhcpc_t)
++corenet_sendrecv_dhcpc_server_packets(dhcpc_t)
 +corenet_dontaudit_udp_bind_all_reserved_ports(dhcpc_t)
 +corenet_udp_bind_all_unreserved_ports(dhcpc_t)	
  
@@ -38504,7 +41019,7 @@ index b7686d5..f94755e 100644
  
  fs_getattr_all_fs(dhcpc_t)
  fs_search_auto_mountpoints(dhcpc_t)
-@@ -132,11 +152,15 @@ term_dontaudit_use_all_ptys(dhcpc_t)
+@@ -137,11 +152,15 @@ term_dontaudit_use_all_ptys(dhcpc_t)
  term_dontaudit_use_unallocated_ttys(dhcpc_t)
  term_dontaudit_use_generic_ptys(dhcpc_t)
  
@@ -38521,7 +41036,7 @@ index b7686d5..f94755e 100644
  
  modutils_run_insmod(dhcpc_t, dhcpc_roles)
  
-@@ -156,7 +180,14 @@ ifdef(`distro_ubuntu',`
+@@ -161,7 +180,14 @@ ifdef(`distro_ubuntu',`
  ')
  
  optional_policy(`
@@ -38537,7 +41052,7 @@ index b7686d5..f94755e 100644
  ')
  
  optional_policy(`
-@@ -174,10 +205,6 @@ optional_policy(`
+@@ -179,10 +205,6 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -38548,7 +41063,7 @@ index b7686d5..f94755e 100644
  	hotplug_getattr_config_dirs(dhcpc_t)
  	hotplug_search_config(dhcpc_t)
  
-@@ -190,23 +217,36 @@ optional_policy(`
+@@ -195,23 +217,36 @@ optional_policy(`
  optional_policy(`
  	netutils_run_ping(dhcpc_t, dhcpc_roles)
  	netutils_run(dhcpc_t, dhcpc_roles)
@@ -38585,7 +41100,7 @@ index b7686d5..f94755e 100644
  ')
  
  optional_policy(`
-@@ -216,7 +256,11 @@ optional_policy(`
+@@ -221,7 +256,11 @@ optional_policy(`
  
  optional_policy(`
  	seutil_sigchld_newrole(dhcpc_t)
@@ -38598,7 +41113,7 @@ index b7686d5..f94755e 100644
  ')
  
  optional_policy(`
-@@ -228,6 +272,10 @@ optional_policy(`
+@@ -233,6 +272,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -38609,7 +41124,7 @@ index b7686d5..f94755e 100644
  	vmware_append_log(dhcpc_t)
  ')
  
-@@ -259,12 +307,24 @@ allow ifconfig_t self:msgq create_msgq_perms;
+@@ -264,12 +307,24 @@ allow ifconfig_t self:msgq create_msgq_perms;
  allow ifconfig_t self:msg { send receive };
  # Create UDP sockets, necessary when called from dhcpc
  allow ifconfig_t self:udp_socket create_socket_perms;
@@ -38634,7 +41149,7 @@ index b7686d5..f94755e 100644
  kernel_use_fds(ifconfig_t)
  kernel_read_system_state(ifconfig_t)
  kernel_read_network_state(ifconfig_t)
-@@ -274,14 +334,32 @@ kernel_rw_net_sysctls(ifconfig_t)
+@@ -279,14 +334,32 @@ kernel_rw_net_sysctls(ifconfig_t)
  
  corenet_rw_tun_tap_dev(ifconfig_t)
  
@@ -38667,7 +41182,7 @@ index b7686d5..f94755e 100644
  
  fs_getattr_xattr_fs(ifconfig_t)
  fs_search_auto_mountpoints(ifconfig_t)
-@@ -294,31 +372,51 @@ term_dontaudit_use_all_ptys(ifconfig_t)
+@@ -299,33 +372,51 @@ term_dontaudit_use_all_ptys(ifconfig_t)
  term_dontaudit_use_ptmx(ifconfig_t)
  term_dontaudit_use_generic_ptys(ifconfig_t)
  
@@ -38688,10 +41203,11 @@ index b7686d5..f94755e 100644
  
  seutil_use_runinit_fds(ifconfig_t)
  
--userdom_use_user_terminals(ifconfig_t)
+-sysnet_dontaudit_rw_dhcpc_udp_sockets(ifconfig_t)
 +sysnet_dns_name_resolve(ifconfig_t)
 +sysnet_filetrans_named_content_ifconfig(ifconfig_t)
-+
+ 
+-userdom_use_user_terminals(ifconfig_t)
 +userdom_use_inherited_user_terminals(ifconfig_t)
  userdom_use_all_users_fds(ifconfig_t)
  
@@ -38724,21 +41240,22 @@ index b7686d5..f94755e 100644
  	optional_policy(`
  		dev_dontaudit_rw_cardmgr(ifconfig_t)
  	')
-@@ -329,8 +427,11 @@ ifdef(`hide_broken_symptoms',`
+@@ -336,12 +427,11 @@ ifdef(`hide_broken_symptoms',`
+ ')
+ 
+ optional_policy(`
+-	devicekit_read_pid_files(ifconfig_t)
++    dnsmasq_domtrans(ifconfig_t)
  ')
  
  optional_policy(`
 -	hal_dontaudit_rw_pipes(ifconfig_t)
 -	hal_dontaudit_rw_dgram_sockets(ifconfig_t)
-+    dnsmasq_domtrans(ifconfig_t)
-+')
-+
-+optional_policy(`
 +	devicekit_dontaudit_read_pid_files(ifconfig_t)
  ')
  
  optional_policy(`
-@@ -339,7 +440,15 @@ optional_policy(`
+@@ -350,7 +440,15 @@ optional_policy(`
  ')
  
  optional_policy(`
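Review bot: dnsmasq_domtrans(ifconfig_t) in the relocated optional_policy block is indented with four spaces, while the neighbouring rule bodies use a tab; match the tab so the inner patch stays consistent with the file. The block also now takes the place of upstream's devicekit_read_pid_files(ifconfig_t), and the only devicekit rule left for ifconfig_t is devicekit_dontaudit_read_pid_files(ifconfig_t), so reads of devicekit pid files are denied without an audit record. A short comment saying why the read is silenced rather than allowed would help the next rebase.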
@@ -38755,7 +41272,7 @@ index b7686d5..f94755e 100644
  ')
  
  optional_policy(`
-@@ -360,3 +469,13 @@ optional_policy(`
+@@ -371,3 +469,13 @@ optional_policy(`
  	xen_append_log(ifconfig_t)
  	xen_dontaudit_rw_unix_stream_sockets(ifconfig_t)
  ')
@@ -40933,7 +43450,7 @@ index 0000000..ea7a44f
 +read_lnk_files_pattern(systemd_domain, systemd_home_t, systemd_home_t)
 +
 diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc
-index 40928d8..49fd32e 100644
+index f41857e..49fd32e 100644
 --- a/policy/modules/system/udev.fc
 +++ b/policy/modules/system/udev.fc
 @@ -1,6 +1,8 @@
@@ -40964,7 +43481,7 @@ index 40928d8..49fd32e 100644
 -/usr/lib/systemd/systemd-udevd -- gen_context(system_u:object_r:udev_exec_t,s0)
 -
 -/var/run/PackageKit/udev(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0)
--/var/run/udev(/.*)?	gen_context(system_u:object_r:udev_tbl_t,s0)
+-/var/run/udev(/.*)?	gen_context(system_u:object_r:udev_var_run_t,s0)
 +/usr/bin/udevadm  --	gen_context(system_u:object_r:udev_exec_t,s0)
 +
 +/usr/sbin/start_udev 	--	gen_context(system_u:object_r:udev_exec_t,s0)
@@ -40986,7 +43503,7 @@ index 40928d8..49fd32e 100644
  ifdef(`distro_debian',`
  /var/run/xen-hotplug -d	gen_context(system_u:object_r:udev_var_run_t,s0)
 diff --git a/policy/modules/system/udev.if b/policy/modules/system/udev.if
-index 0f64692..d7e8a01 100644
+index 9a1650d..d7e8a01 100644
 --- a/policy/modules/system/udev.if
 +++ b/policy/modules/system/udev.if
 @@ -34,6 +34,7 @@ interface(`udev_domtrans',`
@@ -41191,7 +43708,7 @@ index 0f64692..d7e8a01 100644
 +		role system_r;
  	')
  
--	files_search_var_lib($1)
+-	files_search_pids($1)
 -	manage_files_pattern($1, udev_var_run_t, udev_var_run_t)
 +	allow $1 udev_t:netlink_kobject_uevent_socket create_socket_perms;
 +')
@@ -41230,9 +43747,15 @@ index 0f64692..d7e8a01 100644
  
  ########################################
 diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
-index a5ec88b..26bc8ba 100644
+index 39f185f..26bc8ba 100644
 --- a/policy/modules/system/udev.te
 +++ b/policy/modules/system/udev.te
+@@ -1,4 +1,4 @@
+-policy_module(udev, 1.16.2)
++policy_module(udev, 1.15.4)
+ 
+ ########################################
+ #
 @@ -17,16 +17,17 @@ init_daemon_domain(udev_t, udev_exec_t)
  type udev_etc_t alias etc_udev_t;
  files_config_file(udev_etc_t)
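Review bot: the new first hunk for udev.te sets policy_module(udev, 1.15.4) over upstream's 1.16.2, so the patched module declares a lower version than the base it is applied to. Unless the downgrade is intentional, drop this inner hunk and leave the upstream version line alone; if it is intentional, say so in the changelog entry.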
@@ -41254,7 +43777,7 @@ index a5ec88b..26bc8ba 100644
  ifdef(`enable_mcs',`
  	kernel_ranged_domtrans_to(udev_t, udev_exec_t, s0 - mcs_systemhigh)
  	init_ranged_daemon_domain(udev_t, udev_exec_t, s0 - mcs_systemhigh)
-@@ -37,9 +38,11 @@ ifdef(`enable_mcs',`
+@@ -37,10 +38,11 @@ ifdef(`enable_mcs',`
  # Local policy
  #
  
@@ -41262,13 +43785,14 @@ index a5ec88b..26bc8ba 100644
 +allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin mknod net_raw net_admin sys_nice sys_rawio sys_resource setuid setgid sys_nice };
 +allow udev_t self:capability2 { block_suspend compromise_kernel };
  dontaudit udev_t self:capability sys_tty_config;
+-allow udev_t self:capability2 block_suspend;
 -allow udev_t self:process ~{ setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 +
 +allow udev_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  allow udev_t self:process { execmem setfscreate };
  allow udev_t self:fd use;
  allow udev_t self:fifo_file rw_fifo_file_perms;
-@@ -53,6 +56,7 @@ allow udev_t self:unix_dgram_socket sendto;
+@@ -54,6 +56,7 @@ allow udev_t self:unix_dgram_socket sendto;
  allow udev_t self:unix_stream_socket connectto;
  allow udev_t self:netlink_kobject_uevent_socket create_socket_perms;
  allow udev_t self:rawip_socket create_socket_perms;
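Review bot: the capability set on the "allow udev_t self:capability { ... }" line lists sys_nice twice; drop the duplicate while this hunk is being regenerated. The newly removed upstream rule "allow udev_t self:capability2 block_suspend;" is already covered by the "capability2 { block_suspend compromise_kernel }" line added above it, so no permission is lost there, but compromise_kernel is a much stronger grant than the rule it replaces and deserves a comment naming the reason.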
@@ -41276,11 +43800,10 @@ index a5ec88b..26bc8ba 100644
  
  allow udev_t udev_exec_t:file write;
  can_exec(udev_t, udev_exec_t)
-@@ -63,31 +67,41 @@ can_exec(udev_t, udev_helper_exec_t)
+@@ -64,31 +67,41 @@ can_exec(udev_t, udev_helper_exec_t)
  # read udev config
  allow udev_t udev_etc_t:file read_file_perms;
  
--# create udev database in /dev/.udevdb
 -allow udev_t udev_tbl_t:file manage_file_perms;
 -dev_filetrans(udev_t, udev_tbl_t, file)
 +allow udev_t udev_tmp_t:dir manage_dir_perms;
@@ -41296,7 +43819,8 @@ index a5ec88b..26bc8ba 100644
 +manage_sock_files_pattern(udev_t, udev_var_run_t, udev_var_run_t)
  manage_files_pattern(udev_t, udev_var_run_t, udev_var_run_t)
  manage_lnk_files_pattern(udev_t, udev_var_run_t, udev_var_run_t)
--files_pid_filetrans(udev_t, udev_var_run_t, { dir file })
+-manage_sock_files_pattern(udev_t, udev_var_run_t, udev_var_run_t)
+-files_pid_filetrans(udev_t, udev_var_run_t, dir, "udev")
 +files_pid_filetrans(udev_t, udev_var_run_t, { file dir })
 +allow udev_t udev_var_run_t:file mounton;
 +allow udev_t udev_var_run_t:dir mounton;
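Review bot: replacing upstream's named transition files_pid_filetrans(udev_t, udev_var_run_t, dir, "udev") with files_pid_filetrans(udev_t, udev_var_run_t, { file dir }) widens the type transition from one directory name to every file and directory udev_t creates in the pid directory. Combined with the two mounton rules on udev_var_run_t that follow, that is a broader footprint than upstream has. If F20 needs the unnamed form, add a comment saying which paths depend on it; otherwise keep the named transition.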
@@ -41324,7 +43848,7 @@ index a5ec88b..26bc8ba 100644
  
  #https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=235182
  kernel_rw_net_sysctls(udev_t)
-@@ -98,6 +112,7 @@ corecmd_exec_all_executables(udev_t)
+@@ -99,6 +112,7 @@ corecmd_exec_all_executables(udev_t)
  
  dev_rw_sysfs(udev_t)
  dev_manage_all_dev_nodes(udev_t)
@@ -41332,7 +43856,7 @@ index a5ec88b..26bc8ba 100644
  dev_rw_generic_files(udev_t)
  dev_delete_generic_files(udev_t)
  dev_search_usbfs(udev_t)
-@@ -106,23 +121,31 @@ dev_relabel_all_dev_nodes(udev_t)
+@@ -107,23 +121,31 @@ dev_relabel_all_dev_nodes(udev_t)
  # preserved, instead of short circuiting the relabel
  dev_relabel_generic_symlinks(udev_t)
  dev_manage_generic_symlinks(udev_t)
@@ -41368,7 +43892,7 @@ index a5ec88b..26bc8ba 100644
  
  mls_file_read_all_levels(udev_t)
  mls_file_write_all_levels(udev_t)
-@@ -144,17 +167,20 @@ auth_use_nsswitch(udev_t)
+@@ -145,17 +167,20 @@ auth_use_nsswitch(udev_t)
  init_read_utmp(udev_t)
  init_dontaudit_write_utmp(udev_t)
  init_getattr_initctl(udev_t)
@@ -41390,20 +43914,37 @@ index a5ec88b..26bc8ba 100644
  
  seutil_read_config(udev_t)
  seutil_read_default_contexts(udev_t)
-@@ -168,7 +194,11 @@ sysnet_read_dhcpc_pid(udev_t)
+@@ -169,24 +194,13 @@ sysnet_read_dhcpc_pid(udev_t)
  sysnet_delete_dhcpc_pid(udev_t)
  sysnet_signal_dhcpc(udev_t)
  sysnet_manage_config(udev_t)
 -sysnet_etc_filetrans_config(udev_t)
+-
+-userdom_dontaudit_search_user_home_content(udev_t)
 +sysnet_filetrans_named_content(udev_t)
 +#sysnet_etc_filetrans_config(udev_t)
-+
+ 
+-ifdef(`distro_debian',`
+-	files_pid_filetrans(udev_t, udev_var_run_t, dir, "xen-hotplug")
 +systemd_login_read_pid_files(udev_t)
 +systemd_getattr_unit_files(udev_t)
  
- userdom_dontaudit_search_user_home_content(udev_t)
+-	optional_policy(`
+-		# for /usr/lib/avahi/avahi-daemon-check-dns.sh
+-		kernel_read_vm_sysctls(udev_t)
+-		corenet_udp_bind_generic_node(udev_t)
+-		miscfiles_read_generic_certs(udev_t)
+-		avahi_create_pid_dirs(udev_t)
+-		avahi_initrc_domtrans(udev_t)
+-		avahi_manage_pid_files(udev_t)
+-		avahi_filetrans_pid(udev_t, dir, "avahi-daemon")
+-	')
+-')
++userdom_dontaudit_search_user_home_content(udev_t)
  
-@@ -179,16 +209,9 @@ ifdef(`distro_gentoo',`
+ ifdef(`distro_gentoo',`
+ 	# during boot, init scripts use /dev/.rcsysinit
+@@ -195,16 +209,9 @@ ifdef(`distro_gentoo',`
  ')
  
  ifdef(`distro_redhat',`
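Review bot: userdom_dontaudit_search_user_home_content(udev_t) is removed and then re-added unchanged a few lines later in the same inner hunk, and sysnet_etc_filetrans_config(udev_t) goes back in only as a commented-out line. Both are rebase noise: keep the userdom line as context and delete the commented rule outright. The removal of the whole distro_debian ifdef block (the avahi rules) also has no visible justification in this patch; carrying that deletion makes every future rebase of this hunk larger, so leave the block alone unless it breaks the build.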
@@ -41422,7 +43963,7 @@ index a5ec88b..26bc8ba 100644
  
  	# for arping used for static IP addresses on PCMCIA ethernet
  	netutils_domtrans(udev_t)
-@@ -226,19 +249,38 @@ optional_policy(`
+@@ -242,24 +249,38 @@ optional_policy(`
  
  optional_policy(`
  	cups_domtrans_config(udev_t)
@@ -41431,10 +43972,12 @@ index a5ec88b..26bc8ba 100644
  
  optional_policy(`
  	dbus_system_bus_client(udev_t)
-+
-+	optional_policy(`
+-	dbus_use_system_bus_fds(udev_t)
+ 
+ 	optional_policy(`
+-		consolekit_dbus_chat(udev_t)
 +		systemd_dbus_chat_logind(udev_t)
-+	')
+ 	')
  ')
  
  optional_policy(`
@@ -41461,18 +44004,21 @@ index a5ec88b..26bc8ba 100644
  ')
  
  optional_policy(`
-@@ -264,6 +306,10 @@ optional_policy(`
+@@ -281,11 +302,11 @@ optional_policy(`
  ')
  
  optional_policy(`
+-	lvm_domtrans(udev_t)
++	mount_domtrans(udev_t)
+ ')
+ 
+ optional_policy(`
+-	mount_domtrans(udev_t)
 +	networkmanager_dbus_chat(udev_t)
-+')
-+
-+optional_policy(`
- 	openct_read_pid_files(udev_t)
- 	openct_domtrans(udev_t)
  ')
-@@ -278,6 +324,15 @@ optional_policy(`
+ 
+ optional_policy(`
+@@ -303,6 +324,15 @@ optional_policy(`
  ')
  
  optional_policy(`
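Review bot: the inner hunk now deletes lvm_domtrans(udev_t), and nothing in the lines shown puts it back. The mount_domtrans(udev_t) removal is matched by an identical addition one block up, so that part is only a move, but the lvm transition is a real rule loss. Confirm that udev_t still gets its transition to the lvm domain from another part of the patch, or restore the optional_policy block.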
@@ -41488,7 +44034,7 @@ index a5ec88b..26bc8ba 100644
  	unconfined_signal(udev_t)
  ')
  
-@@ -290,6 +345,7 @@ optional_policy(`
+@@ -315,6 +345,7 @@ optional_policy(`
  	kernel_read_xen_state(udev_t)
  	xen_manage_log(udev_t)
  	xen_read_image_files(udev_t)
@@ -41523,7 +44069,7 @@ index 0abaf84..8b34dbc 100644
 -/usr/lib/openoffice/program/[^/]+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
 -')
 diff --git a/policy/modules/system/unconfined.if b/policy/modules/system/unconfined.if
-index db7aabb..01e03ec 100644
+index 5ca20a9..01e03ec 100644
 --- a/policy/modules/system/unconfined.if
 +++ b/policy/modules/system/unconfined.if
 @@ -12,53 +12,57 @@
@@ -41601,15 +44147,16 @@ index db7aabb..01e03ec 100644
  #		auditallow $1 self:process execstack;
  	')
  
-@@ -69,6 +73,7 @@ interface(`unconfined_domain_noaudit',`
- 	optional_policy(`
- 		# Communicate via dbusd.
- 		dbus_system_bus_unconfined($1)
-+		dbus_unconfined($1)
+@@ -67,6 +71,8 @@ interface(`unconfined_domain_noaudit',`
  	')
  
  	optional_policy(`
-@@ -122,9 +127,13 @@ interface(`unconfined_domain_noaudit',`
++		# Communicate via dbusd.
++		dbus_system_bus_unconfined($1)
+ 		dbus_unconfined($1)
+ 	')
+ 
+@@ -121,9 +127,13 @@ interface(`unconfined_domain_noaudit',`
  ## </param>
  #
  interface(`unconfined_domain',`
@@ -41624,7 +44171,7 @@ index db7aabb..01e03ec 100644
  		auditallow $1 self:process execheap;
  	')
  ')
-@@ -150,7 +159,7 @@ interface(`unconfined_domain',`
+@@ -149,7 +159,7 @@ interface(`unconfined_domain',`
  ## </param>
  #
  interface(`unconfined_alias_domain',`
@@ -41633,7 +44180,7 @@ index db7aabb..01e03ec 100644
  ')
  
  ########################################
-@@ -176,414 +185,5 @@ interface(`unconfined_alias_domain',`
+@@ -175,414 +185,5 @@ interface(`unconfined_alias_domain',`
  ## </param>
  #
  interface(`unconfined_execmem_alias_program',`
@@ -42050,10 +44597,14 @@ index db7aabb..01e03ec 100644
 +	refpolicywarn(`$0() has been deprecated.')
  ')
 diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
-index 0280b32..61f19e9 100644
+index 5fe902d..61f19e9 100644
 --- a/policy/modules/system/unconfined.te
 +++ b/policy/modules/system/unconfined.te
-@@ -4,237 +4,4 @@ policy_module(unconfined, 3.5.0)
+@@ -1,207 +1,7 @@
+-policy_module(unconfined, 3.5.1)
++policy_module(unconfined, 3.5.0)
+ 
+ ########################################
  #
  # Declarations
  #
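Review bot: policy_module(unconfined, 3.5.0) replaces upstream's 3.5.1 at the top of this inner hunk, which moves the module version backwards. The old hunk header shows 3.5.0 as the previous base, so this reads as a leftover from the earlier base rather than an intended change. Keep the upstream 3.5.1 line as context and start the deletion below it.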
@@ -42129,40 +44680,6 @@ index 0280b32..61f19e9 100644
 -')
 -
 -optional_policy(`
--	init_dbus_chat_script(unconfined_t)
--
--	dbus_stub(unconfined_t)
--
--	optional_policy(`
--		avahi_dbus_chat(unconfined_t)
--	')
--
--	optional_policy(`
--		bluetooth_dbus_chat(unconfined_t)
--	')
--
--	optional_policy(`
--		consolekit_dbus_chat(unconfined_t)
--	')
--
--	optional_policy(`
--		cups_dbus_chat_config(unconfined_t)
--	')
--
--	optional_policy(`
--		hal_dbus_chat(unconfined_t)
--	')
--
--	optional_policy(`
--		networkmanager_dbus_chat(unconfined_t)
--	')
--
--	optional_policy(`
--		oddjob_dbus_chat(unconfined_t)
--	')
--')
--
--optional_policy(`
 -	firstboot_run(unconfined_t, unconfined_r)
 -')
 -
@@ -42232,6 +44749,10 @@ index 0280b32..61f19e9 100644
 -')
 -
 -optional_policy(`
+-	rtkit_scheduled(unconfined_t)
+-')
+-
+-optional_policy(`
 -	rpm_run(unconfined_t, unconfined_r)
 -')
 -
@@ -42254,6 +44775,10 @@ index 0280b32..61f19e9 100644
 -')
 -
 -optional_policy(`
+-	unconfined_dbus_chat(unconfined_t)
+-')
+-
+-optional_policy(`
 -	usermanage_run_admin_passwd(unconfined_t, unconfined_r)
 -')
 -
@@ -42282,14 +44807,7 @@ index 0280b32..61f19e9 100644
 -unconfined_domain_noaudit(unconfined_execmem_t)
 -
 -optional_policy(`
--	dbus_stub(unconfined_execmem_t)
--
--	init_dbus_chat_script(unconfined_execmem_t)
 -	unconfined_dbus_chat(unconfined_execmem_t)
--
--	optional_policy(`
--		hal_dbus_chat(unconfined_execmem_t)
--	')
 -')
 +attribute unconfined_services;
 diff --git a/policy/modules/system/userdomain.fc b/policy/modules/system/userdomain.fc
@@ -42329,7 +44847,7 @@ index db75976..cb4a211 100644
 +/var/tmp/hsperfdata_root    gen_context(system_u:object_r:user_tmp_t,s0)
 +
 diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 3c5dba7..4ce3586 100644
+index 9dc60c6..4ce3586 100644
 --- a/policy/modules/system/userdomain.if
 +++ b/policy/modules/system/userdomain.if
 @@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@@ -43488,7 +46006,7 @@ index 3c5dba7..4ce3586 100644
  	##############################
  	#
  	# Local policy
-@@ -907,42 +1190,99 @@ template(`userdom_restricted_xwindows_user_template',`
+@@ -907,53 +1190,134 @@ template(`userdom_restricted_xwindows_user_template',`
  	#
  	# Local policy
  	#
@@ -43583,26 +46101,27 @@ index 3c5dba7..4ce3586 100644
 +		optional_policy(`
 +			cups_dbus_chat($1_usertype)
 +			cups_dbus_chat_config($1_usertype)
- 		')
- 
- 		optional_policy(`
--			cups_dbus_chat($1_t)
++		')
++
++		optional_policy(`
 +			devicekit_dbus_chat($1_usertype)
 +			devicekit_dbus_chat_disk($1_usertype)
 +			devicekit_dbus_chat_power($1_usertype)
- 		')
- 
- 		optional_policy(`
--			gnome_role_template($1, $1_r, $1_t)
-+			fprintd_dbus_chat($1_t)
 +		')
 +
 +		optional_policy(`
++			fprintd_dbus_chat($1_t)
+ 		')
+ 
+ 		optional_policy(`
+-			cups_dbus_chat($1_t)
 +			realmd_dbus_chat($1_t)
  		')
  
  		optional_policy(`
-@@ -951,12 +1291,33 @@ template(`userdom_restricted_xwindows_user_template',`
+-			gnome_role_template($1, $1_r, $1_t)
+ 			wm_role_template($1, $1_r, $1_t)
+ 		')
  	')
  
  	optional_policy(`
@@ -43637,7 +46156,7 @@ index 3c5dba7..4ce3586 100644
  ')
  
  #######################################
-@@ -990,27 +1351,33 @@ template(`userdom_unpriv_user_template', `
+@@ -987,27 +1351,33 @@ template(`userdom_unpriv_user_template', `
  	#
  
  	# Inherit rules for ordinary users.
@@ -43675,7 +46194,7 @@ index 3c5dba7..4ce3586 100644
  			fs_manage_noxattr_fs_files($1_t)
  			fs_manage_noxattr_fs_dirs($1_t)
  			# Write floppies
-@@ -1021,23 +1388,60 @@ template(`userdom_unpriv_user_template', `
+@@ -1018,23 +1388,60 @@ template(`userdom_unpriv_user_template', `
  		')
  	')
  
@@ -43732,21 +46251,21 @@ index 3c5dba7..4ce3586 100644
 +	optional_policy(`
 +		mount_run_fusermount($1_t, $1_r)
 +		mount_read_pid_files($1_t)
-+	')
-+
-+	optional_policy(`
-+		wine_role_template($1, $1_r, $1_t)
  	')
  
  	optional_policy(`
 -		netutils_run_ping_cond($1_t, $1_r)
 -		netutils_run_traceroute_cond($1_t, $1_r)
++		wine_role_template($1, $1_r, $1_t)
++	')
++
++	optional_policy(`
 +		postfix_run_postdrop($1_t, $1_r)
 +		postfix_search_spool($1_t)
  	')
  
  	# Run pppd in pppd_t by default for user
-@@ -1046,7 +1450,9 @@ template(`userdom_unpriv_user_template', `
+@@ -1043,7 +1450,9 @@ template(`userdom_unpriv_user_template', `
  	')
  
  	optional_policy(`
@@ -43757,7 +46276,7 @@ index 3c5dba7..4ce3586 100644
  	')
  ')
  
-@@ -1082,7 +1488,9 @@ template(`userdom_unpriv_user_template', `
+@@ -1079,7 +1488,9 @@ template(`userdom_unpriv_user_template', `
  template(`userdom_admin_user_template',`
  	gen_require(`
  		attribute admindomain;
@@ -43768,7 +46287,7 @@ index 3c5dba7..4ce3586 100644
  	')
  
  	##############################
-@@ -1098,6 +1506,7 @@ template(`userdom_admin_user_template',`
+@@ -1095,6 +1506,7 @@ template(`userdom_admin_user_template',`
  	role system_r types $1_t;
  
  	typeattribute $1_t admindomain;
@@ -43776,7 +46295,7 @@ index 3c5dba7..4ce3586 100644
  
  	ifdef(`direct_sysadm_daemon',`
  		domain_system_change_exemption($1_t)
-@@ -1108,14 +1517,8 @@ template(`userdom_admin_user_template',`
+@@ -1105,14 +1517,8 @@ template(`userdom_admin_user_template',`
  	# $1_t local policy
  	#
  
@@ -43793,7 +46312,7 @@ index 3c5dba7..4ce3586 100644
  
  	kernel_read_software_raid_state($1_t)
  	kernel_getattr_core_if($1_t)
-@@ -1131,6 +1534,7 @@ template(`userdom_admin_user_template',`
+@@ -1128,6 +1534,7 @@ template(`userdom_admin_user_template',`
  	kernel_sigstop_unlabeled($1_t)
  	kernel_signull_unlabeled($1_t)
  	kernel_sigchld_unlabeled($1_t)
@@ -43801,7 +46320,7 @@ index 3c5dba7..4ce3586 100644
  
  	corenet_tcp_bind_generic_port($1_t)
  	# allow setting up tunnels
-@@ -1148,10 +1552,15 @@ template(`userdom_admin_user_template',`
+@@ -1145,10 +1552,15 @@ template(`userdom_admin_user_template',`
  	dev_rename_all_blk_files($1_t)
  	dev_rename_all_chr_files($1_t)
  	dev_create_generic_symlinks($1_t)
@@ -43817,7 +46336,7 @@ index 3c5dba7..4ce3586 100644
  	domain_dontaudit_ptrace_all_domains($1_t)
  	# signal all domains:
  	domain_kill_all_domains($1_t)
-@@ -1162,29 +1571,38 @@ template(`userdom_admin_user_template',`
+@@ -1159,29 +1571,38 @@ template(`userdom_admin_user_template',`
  	domain_sigchld_all_domains($1_t)
  	# for lsof
  	domain_getattr_all_sockets($1_t)
@@ -43860,7 +46379,7 @@ index 3c5dba7..4ce3586 100644
  
  	# The following rule is temporary until such time that a complete
  	# policy management infrastructure is in place so that an administrator
-@@ -1194,6 +1612,8 @@ template(`userdom_admin_user_template',`
+@@ -1191,6 +1612,8 @@ template(`userdom_admin_user_template',`
  	# But presently necessary for installing the file_contexts file.
  	seutil_manage_bin_policy($1_t)
  
@@ -43869,7 +46388,7 @@ index 3c5dba7..4ce3586 100644
  	userdom_manage_user_home_content_dirs($1_t)
  	userdom_manage_user_home_content_files($1_t)
  	userdom_manage_user_home_content_symlinks($1_t)
-@@ -1201,13 +1621,17 @@ template(`userdom_admin_user_template',`
+@@ -1198,13 +1621,17 @@ template(`userdom_admin_user_template',`
  	userdom_manage_user_home_content_sockets($1_t)
  	userdom_user_home_dir_filetrans_user_home_content($1_t, { dir file lnk_file fifo_file sock_file })
  
@@ -43888,7 +46407,7 @@ index 3c5dba7..4ce3586 100644
  	optional_policy(`
  		postgresql_unconfined($1_t)
  	')
-@@ -1243,7 +1667,7 @@ template(`userdom_admin_user_template',`
+@@ -1240,7 +1667,7 @@ template(`userdom_admin_user_template',`
  ##	</summary>
  ## </param>
  #
@@ -43897,7 +46416,7 @@ index 3c5dba7..4ce3586 100644
  	allow $1 self:capability { dac_read_search dac_override };
  
  	corecmd_exec_shell($1)
-@@ -1253,6 +1677,8 @@ template(`userdom_security_admin_template',`
+@@ -1250,6 +1677,8 @@ template(`userdom_security_admin_template',`
  	dev_relabel_all_dev_nodes($1)
  
  	files_create_boot_flag($1)
@@ -43906,7 +46425,7 @@ index 3c5dba7..4ce3586 100644
  
  	# Necessary for managing /boot/efi
  	fs_manage_dos_files($1)
-@@ -1265,8 +1691,10 @@ template(`userdom_security_admin_template',`
+@@ -1262,8 +1691,10 @@ template(`userdom_security_admin_template',`
  	selinux_set_enforce_mode($1)
  	selinux_set_all_booleans($1)
  	selinux_set_parameters($1)
@@ -43918,7 +46437,7 @@ index 3c5dba7..4ce3586 100644
  	auth_relabel_shadow($1)
  
  	init_exec($1)
-@@ -1277,29 +1705,31 @@ template(`userdom_security_admin_template',`
+@@ -1274,29 +1705,31 @@ template(`userdom_security_admin_template',`
  	logging_read_audit_config($1)
  
  	seutil_manage_bin_policy($1)
@@ -43961,7 +46480,7 @@ index 3c5dba7..4ce3586 100644
  	')
  
  	optional_policy(`
-@@ -1360,14 +1790,17 @@ interface(`userdom_user_home_content',`
+@@ -1357,14 +1790,17 @@ interface(`userdom_user_home_content',`
  	gen_require(`
  		attribute user_home_content_type;
  		type user_home_t;
@@ -43980,7 +46499,7 @@ index 3c5dba7..4ce3586 100644
  ')
  
  ########################################
-@@ -1408,6 +1841,51 @@ interface(`userdom_user_tmpfs_file',`
+@@ -1405,6 +1841,51 @@ interface(`userdom_user_tmpfs_file',`
  ## <summary>
  ##	Allow domain to attach to TUN devices created by administrative users.
  ## </summary>
@@ -44032,7 +46551,7 @@ index 3c5dba7..4ce3586 100644
  ## <param name="domain">
  ##	<summary>
  ##	Domain allowed access.
-@@ -1512,11 +1990,31 @@ interface(`userdom_search_user_home_dirs',`
+@@ -1509,11 +1990,31 @@ interface(`userdom_search_user_home_dirs',`
  	')
  
  	allow $1 user_home_dir_t:dir search_dir_perms;
@@ -44064,7 +46583,7 @@ index 3c5dba7..4ce3586 100644
  ##	Do not audit attempts to search user home directories.
  ## </summary>
  ## <desc>
-@@ -1558,6 +2056,14 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1555,6 +2056,14 @@ interface(`userdom_list_user_home_dirs',`
  
  	allow $1 user_home_dir_t:dir list_dir_perms;
  	files_search_home($1)
@@ -44079,7 +46598,7 @@ index 3c5dba7..4ce3586 100644
  ')
  
  ########################################
-@@ -1573,9 +2079,11 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1570,9 +2079,11 @@ interface(`userdom_list_user_home_dirs',`
  interface(`userdom_dontaudit_list_user_home_dirs',`
  	gen_require(`
  		type user_home_dir_t;
@@ -44091,7 +46610,7 @@ index 3c5dba7..4ce3586 100644
  ')
  
  ########################################
-@@ -1632,6 +2140,42 @@ interface(`userdom_relabelto_user_home_dirs',`
+@@ -1629,6 +2140,42 @@ interface(`userdom_relabelto_user_home_dirs',`
  	allow $1 user_home_dir_t:dir relabelto;
  ')
  
@@ -44134,7 +46653,7 @@ index 3c5dba7..4ce3586 100644
  ########################################
  ## <summary>
  ##	Create directories in the home dir root with
-@@ -1707,10 +2251,12 @@ interface(`userdom_user_home_domtrans',`
+@@ -1704,10 +2251,12 @@ interface(`userdom_user_home_domtrans',`
  #
  interface(`userdom_dontaudit_search_user_home_content',`
  	gen_require(`
@@ -44149,7 +46668,7 @@ index 3c5dba7..4ce3586 100644
  ')
  
  ########################################
-@@ -1744,10 +2290,12 @@ interface(`userdom_list_all_user_home_content',`
+@@ -1741,10 +2290,12 @@ interface(`userdom_list_all_user_home_content',`
  #
  interface(`userdom_list_user_home_content',`
  	gen_require(`
@@ -44164,7 +46683,7 @@ index 3c5dba7..4ce3586 100644
  ')
  
  ########################################
-@@ -1772,7 +2320,25 @@ interface(`userdom_manage_user_home_content_dirs',`
+@@ -1769,7 +2320,25 @@ interface(`userdom_manage_user_home_content_dirs',`
  
  ########################################
  ## <summary>
@@ -44191,7 +46710,7 @@ index 3c5dba7..4ce3586 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1782,53 +2348,70 @@ interface(`userdom_manage_user_home_content_dirs',`
+@@ -1779,53 +2348,70 @@ interface(`userdom_manage_user_home_content_dirs',`
  #
  interface(`userdom_delete_all_user_home_content_dirs',`
  	gen_require(`
@@ -44274,7 +46793,7 @@ index 3c5dba7..4ce3586 100644
  ##	Do not audit attempts to set the
  ##	attributes of user home files.
  ## </summary>
-@@ -1848,6 +2431,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
+@@ -1845,6 +2431,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
  
  ########################################
  ## <summary>
@@ -44300,7 +46819,7 @@ index 3c5dba7..4ce3586 100644
  ##	Mmap user home files.
  ## </summary>
  ## <param name="domain">
-@@ -1878,14 +2480,36 @@ interface(`userdom_mmap_user_home_content_files',`
+@@ -1875,14 +2480,36 @@ interface(`userdom_mmap_user_home_content_files',`
  interface(`userdom_read_user_home_content_files',`
  	gen_require(`
  		type user_home_dir_t, user_home_t;
@@ -44338,7 +46857,7 @@ index 3c5dba7..4ce3586 100644
  ##	Do not audit attempts to read user home files.
  ## </summary>
  ## <param name="domain">
-@@ -1896,11 +2520,14 @@ interface(`userdom_read_user_home_content_files',`
+@@ -1893,11 +2520,14 @@ interface(`userdom_read_user_home_content_files',`
  #
  interface(`userdom_dontaudit_read_user_home_content_files',`
  	gen_require(`
@@ -44356,62 +46875,59 @@ index 3c5dba7..4ce3586 100644
  ')
  
  ########################################
-@@ -1941,7 +2568,7 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
+@@ -1938,7 +2568,25 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
  
  ########################################
  ## <summary>
 -##	Delete all user home content files.
 +##	Delete files in a user home subdirectory.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`userdom_delete_user_home_content_files',`
++	gen_require(`
++		type user_home_t;
++	')
++
++	allow $1 user_home_t:file delete_file_perms;
++')
++
++########################################
++## <summary>
++##	Delete all files in a user home subdirectory.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1949,19 +2576,17 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
- ##	</summary>
- ## </param>
+@@ -1948,17 +2596,15 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
  #
--interface(`userdom_delete_all_user_home_content_files',`
-+interface(`userdom_delete_user_home_content_files',`
+ interface(`userdom_delete_all_user_home_content_files',`
  	gen_require(`
 -		attribute user_home_content_type;
 -		type user_home_dir_t;
-+		type user_home_t;
++		attribute user_home_type;
  	')
  
 -	userdom_search_user_home_content($1)
--	delete_files_pattern($1 { user_home_dir_t user_home_content_type }, user_home_content_type)
-+	allow $1 user_home_t:file delete_file_perms;
+-	delete_files_pattern($1, { user_home_dir_t user_home_content_type }, user_home_content_type)
++	allow $1 user_home_type:file delete_file_perms;
  ')
  
  ########################################
  ## <summary>
 -##	Delete files in a user home subdirectory.
-+##	Delete all files in a user home subdirectory.
++##	Delete sock files in a user home subdirectory.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1969,12 +2594,66 @@ interface(`userdom_delete_all_user_home_content_files',`
+@@ -1966,12 +2612,48 @@ interface(`userdom_delete_all_user_home_content_files',`
  ##	</summary>
  ## </param>
  #
 -interface(`userdom_delete_user_home_content_files',`
-+interface(`userdom_delete_all_user_home_content_files',`
-+	gen_require(`
-+		attribute user_home_type;
-+	')
-+
-+	allow $1 user_home_type:file delete_file_perms;
-+')
-+
-+########################################
-+## <summary>
-+##	Delete sock files in a user home subdirectory.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
 +interface(`userdom_delete_user_home_content_sock_files',`
  	gen_require(`
  		type user_home_t;
@@ -44458,7 +46974,7 @@ index 3c5dba7..4ce3586 100644
  ')
  
  ########################################
-@@ -2010,8 +2689,7 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -2007,8 +2689,7 @@ interface(`userdom_read_user_home_content_symlinks',`
  		type user_home_dir_t, user_home_t;
  	')
  
@@ -44468,7 +46984,7 @@ index 3c5dba7..4ce3586 100644
  ')
  
  ########################################
-@@ -2027,20 +2705,14 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -2024,20 +2705,14 @@ interface(`userdom_read_user_home_content_symlinks',`
  #
  interface(`userdom_exec_user_home_content_files',`
  	gen_require(`
@@ -44493,7 +47009,7 @@ index 3c5dba7..4ce3586 100644
  
  ########################################
  ## <summary>
-@@ -2123,7 +2795,7 @@ interface(`userdom_manage_user_home_content_symlinks',`
+@@ -2120,7 +2795,7 @@ interface(`userdom_manage_user_home_content_symlinks',`
  
  ########################################
  ## <summary>
@@ -44502,7 +47018,7 @@ index 3c5dba7..4ce3586 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2131,19 +2803,17 @@ interface(`userdom_manage_user_home_content_symlinks',`
+@@ -2128,19 +2803,17 @@ interface(`userdom_manage_user_home_content_symlinks',`
  ##	</summary>
  ## </param>
  #
@@ -44526,7 +47042,7 @@ index 3c5dba7..4ce3586 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2151,12 +2821,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',`
+@@ -2148,12 +2821,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',`
  ##	</summary>
  ## </param>
  #
@@ -44542,7 +47058,7 @@ index 3c5dba7..4ce3586 100644
  ')
  
  ########################################
-@@ -2393,11 +3063,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
+@@ -2390,11 +3063,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
  #
  interface(`userdom_read_user_tmp_files',`
  	gen_require(`
@@ -44557,7 +47073,7 @@ index 3c5dba7..4ce3586 100644
  	files_search_tmp($1)
  ')
  
-@@ -2417,7 +3087,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
+@@ -2414,7 +3087,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
  		type user_tmp_t;
  	')
  
@@ -44566,7 +47082,7 @@ index 3c5dba7..4ce3586 100644
  ')
  
  ########################################
-@@ -2541,6 +3211,26 @@ interface(`userdom_manage_user_tmp_files',`
+@@ -2538,6 +3211,26 @@ interface(`userdom_manage_user_tmp_files',`
  ########################################
  ## <summary>
  ##	Create, read, write, and delete user
@@ -44593,7 +47109,7 @@ index 3c5dba7..4ce3586 100644
  ##	temporary symbolic links.
  ## </summary>
  ## <param name="domain">
-@@ -2569,6 +3259,27 @@ interface(`userdom_manage_user_tmp_symlinks',`
+@@ -2566,6 +3259,27 @@ interface(`userdom_manage_user_tmp_symlinks',`
  ##	</summary>
  ## </param>
  #
@@ -44621,7 +47137,7 @@ index 3c5dba7..4ce3586 100644
  interface(`userdom_manage_user_tmp_pipes',`
  	gen_require(`
  		type user_tmp_t;
-@@ -2664,6 +3375,25 @@ interface(`userdom_tmp_filetrans_user_tmp',`
+@@ -2661,6 +3375,25 @@ interface(`userdom_tmp_filetrans_user_tmp',`
  	files_tmp_filetrans($1, user_tmp_t, $2, $3)
  ')
  
@@ -44647,7 +47163,7 @@ index 3c5dba7..4ce3586 100644
  ########################################
  ## <summary>
  ##	Read user tmpfs files.
-@@ -2680,13 +3410,14 @@ interface(`userdom_read_user_tmpfs_files',`
+@@ -2677,13 +3410,14 @@ interface(`userdom_read_user_tmpfs_files',`
  	')
  
  	read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
@@ -44663,7 +47179,7 @@ index 3c5dba7..4ce3586 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2707,7 +3438,7 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2704,7 +3438,7 @@ interface(`userdom_rw_user_tmpfs_files',`
  
  ########################################
  ## <summary>
@@ -44672,7 +47188,7 @@ index 3c5dba7..4ce3586 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2715,14 +3446,30 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2712,14 +3446,30 @@ interface(`userdom_rw_user_tmpfs_files',`
  ##	</summary>
  ## </param>
  #
@@ -44707,7 +47223,7 @@ index 3c5dba7..4ce3586 100644
  ')
  
  ########################################
-@@ -2817,6 +3564,24 @@ interface(`userdom_use_user_ttys',`
+@@ -2814,6 +3564,24 @@ interface(`userdom_use_user_ttys',`
  
  ########################################
  ## <summary>
@@ -44732,7 +47248,7 @@ index 3c5dba7..4ce3586 100644
  ##	Read and write a user domain pty.
  ## </summary>
  ## <param name="domain">
-@@ -2835,22 +3600,34 @@ interface(`userdom_use_user_ptys',`
+@@ -2832,22 +3600,34 @@ interface(`userdom_use_user_ptys',`
  
  ########################################
  ## <summary>
@@ -44775,7 +47291,7 @@ index 3c5dba7..4ce3586 100644
  ## </desc>
  ## <param name="domain">
  ##	<summary>
-@@ -2859,14 +3636,33 @@ interface(`userdom_use_user_ptys',`
+@@ -2856,14 +3636,33 @@ interface(`userdom_use_user_ptys',`
  ## </param>
  ## <infoflow type="both" weight="10"/>
  #
@@ -44813,7 +47329,7 @@ index 3c5dba7..4ce3586 100644
  ')
  
  ########################################
-@@ -2885,8 +3681,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
+@@ -2882,8 +3681,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
  		type user_tty_device_t, user_devpts_t;
  	')
  
@@ -44843,7 +47359,7 @@ index 3c5dba7..4ce3586 100644
  ')
  
  ########################################
-@@ -2958,69 +3773,68 @@ interface(`userdom_spec_domtrans_unpriv_users',`
+@@ -2955,69 +3773,68 @@ interface(`userdom_spec_domtrans_unpriv_users',`
  	allow unpriv_userdomain $1:process sigchld;
  ')
  
@@ -44944,7 +47460,7 @@ index 3c5dba7..4ce3586 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3028,12 +3842,12 @@ interface(`userdom_manage_unpriv_user_semaphores',`
+@@ -3025,12 +3842,12 @@ interface(`userdom_manage_unpriv_user_semaphores',`
  ##	</summary>
  ## </param>
  #
@@ -44959,7 +47475,7 @@ index 3c5dba7..4ce3586 100644
  ')
  
  ########################################
-@@ -3097,7 +3911,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -3094,7 +3911,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
  
  	domain_entry_file_spec_domtrans($1, unpriv_userdomain)
  	allow unpriv_userdomain $1:fd use;
@@ -44968,7 +47484,7 @@ index 3c5dba7..4ce3586 100644
  	allow unpriv_userdomain $1:process sigchld;
  ')
  
-@@ -3113,16 +3927,18 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -3110,16 +3927,18 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
  #
  interface(`userdom_search_user_home_content',`
  	gen_require(`
@@ -44990,7 +47506,7 @@ index 3c5dba7..4ce3586 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3130,35 +3946,17 @@ interface(`userdom_search_user_home_content',`
+@@ -3127,35 +3946,17 @@ interface(`userdom_search_user_home_content',`
  ##	</summary>
  ## </param>
  #
@@ -45029,7 +47545,7 @@ index 3c5dba7..4ce3586 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3217,7 +4015,25 @@ interface(`userdom_dontaudit_use_user_ptys',`
+@@ -3214,7 +4015,25 @@ interface(`userdom_dontaudit_use_user_ptys',`
  		type user_devpts_t;
  	')
  
@@ -45056,7 +47572,7 @@ index 3c5dba7..4ce3586 100644
  ')
  
  ########################################
-@@ -3272,7 +4088,83 @@ interface(`userdom_write_user_tmp_files',`
+@@ -3269,7 +4088,83 @@ interface(`userdom_write_user_tmp_files',`
  		type user_tmp_t;
  	')
  
@@ -45141,7 +47657,7 @@ index 3c5dba7..4ce3586 100644
  ')
  
  ########################################
-@@ -3290,7 +4182,7 @@ interface(`userdom_dontaudit_use_user_ttys',`
+@@ -3287,7 +4182,7 @@ interface(`userdom_dontaudit_use_user_ttys',`
  		type user_tty_device_t;
  	')
  
@@ -45150,7 +47666,7 @@ index 3c5dba7..4ce3586 100644
  ')
  
  ########################################
-@@ -3309,6 +4201,7 @@ interface(`userdom_read_all_users_state',`
+@@ -3306,6 +4201,7 @@ interface(`userdom_read_all_users_state',`
  	')
  
  	read_files_pattern($1, userdomain, userdomain)
@@ -45158,7 +47674,7 @@ index 3c5dba7..4ce3586 100644
  	kernel_search_proc($1)
  ')
  
-@@ -3385,6 +4278,42 @@ interface(`userdom_signal_all_users',`
+@@ -3382,6 +4278,42 @@ interface(`userdom_signal_all_users',`
  	allow $1 userdomain:process signal;
  ')
  
@@ -45201,7 +47717,7 @@ index 3c5dba7..4ce3586 100644
  ########################################
  ## <summary>
  ##	Send a SIGCHLD signal to all user domains.
-@@ -3405,6 +4334,24 @@ interface(`userdom_sigchld_all_users',`
+@@ -3402,6 +4334,24 @@ interface(`userdom_sigchld_all_users',`
  
  ########################################
  ## <summary>
@@ -45226,7 +47742,7 @@ index 3c5dba7..4ce3586 100644
  ##	Create keys for all user domains.
  ## </summary>
  ## <param name="domain">
-@@ -3423,6 +4370,24 @@ interface(`userdom_create_all_users_keys',`
+@@ -3420,6 +4370,24 @@ interface(`userdom_create_all_users_keys',`
  
  ########################################
  ## <summary>
@@ -45251,7 +47767,7 @@ index 3c5dba7..4ce3586 100644
  ##	Send a dbus message to all user domains.
  ## </summary>
  ## <param name="domain">
-@@ -3438,4 +4403,1664 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3435,4 +4403,1664 @@ interface(`userdom_dbus_send_all_users',`
  	')
  
  	allow $1 userdomain:dbus send_msg;
@@ -46917,10 +49433,16 @@ index 3c5dba7..4ce3586 100644
 +	')
  ')
 diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
-index e2b538b..37730c1 100644
+index f4ac38d..37730c1 100644
 --- a/policy/modules/system/userdomain.te
 +++ b/policy/modules/system/userdomain.te
-@@ -7,48 +7,43 @@ policy_module(userdomain, 4.8.5)
+@@ -1,4 +1,4 @@
+-policy_module(userdomain, 4.9.1)
++policy_module(userdomain, 4.8.5)
+ 
+ ########################################
+ #
+@@ -7,48 +7,43 @@ policy_module(userdomain, 4.9.1)
  
  ## <desc>
  ## <p>
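Review bot: the nested hunk added at the top of userdomain.te changes policy_module(userdomain, 4.9.1) to policy_module(userdomain, 4.8.5), so the carried patch now lowers the module version relative to its new base (index f4ac38d). If this is deliberate, to keep the F20 module version unchanged after the rebase, say so in the changelog entry. Otherwise drop the version line from the patch, because a module version that goes backwards makes it harder to tell from the version alone which policy revision is loaded.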
@@ -47593,3 +50115,32 @@ index b96e9b3..ff7340f 100644
  QUIET ?= y
  
  genxml := $(PYTHON) $(HEADERDIR)/support/segenxml.py
+diff --git a/support/fc_sort.c b/support/fc_sort.c
+index e03ef3b..6c43035 100644
+--- a/support/fc_sort.c
++++ b/support/fc_sort.c
+@@ -1,4 +1,4 @@
+-/* Copyright 2005,2013 Tresys Technology
++/* Copyright 2005, Tresys Technology 
+  * 
+  * Some parts of this came from matchpathcon.c in libselinux
+  */
+@@ -523,7 +523,7 @@ int main(int argc, char *argv[])
+ 	fc_merge_sort(master);
+ 
+ 	/* Open the output file. */
+-	if (!(out_file = fopen(output_name, "w"))) {
++	if (!(out_file = fopen(argv[2], "w"))) {
+ 		printf("Error: failure opening output file for write.\n");
+ 		return -1;
+ 	}
+diff --git a/support/policyvers.py b/support/policyvers.py
+deleted file mode 100644
+index 0d969a4..0000000
+--- a/support/policyvers.py
++++ /dev/null
+@@ -1,4 +0,0 @@
+-#!/usr/bin/python
+-import selinux
+-if selinux.is_selinux_enabled():
+-	print selinux.security_policyvers()
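Review bot: in the added support/fc_sort.c diff, the output file is opened with fopen(argv[2], "w") in place of the base's output_name variable, and nothing in the visible context shows argc being checked before that index is used. Confirm that main() validates the argument count before this point, or keep output_name. The same diff rewinds the copyright line from "2005,2013" to "2005," and leaves trailing whitespace after "Tresys Technology", which looks like an unintended revert of the base file rather than a policy change. It also deletes support/policyvers.py, so check that no build step still calls that script.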
diff --git a/policy-f20-contrib.patch b/policy-f20-contrib.patch
index 474801e..061e335 100644
--- a/policy-f20-contrib.patch
+++ b/policy-f20-contrib.patch
@@ -1,8 +1,1085 @@
+diff --git a/Changelog b/Changelog
+deleted file mode 100644
+index 8b9356a..0000000
+--- a/Changelog
++++ /dev/null
+@@ -1,1071 +0,0 @@
+-* Wed Apr 24 2013 Chris PeBenito <selinux at tresys.com> - 2.20130424
+-Chris PeBenito (18):
+-      Rewrite of mcelog module from Guido Trentalancia
+-      Remove unnecessary lines in mcelog.te.
+-      Slight rearrangement in mcelog.te.
+-      Module version bump for mcelog update from Guido Trentalancia.
+-      Module version bump for ntp module fixes from Dominick Grift.
+-      Module version bump for fc substitutions optimizations from Sven
+-         Vermeulen.
+-      Module version bump for postfix/mta misc fixes from Sven Vermeulen.
+-      Module version bump for init_daemon_run_dirs usage from Sven Vermeulen.
+-      Turn off all tunables by default, from Guido Trentalancia.
+-      Module version bump for tunable default change.
+-      Module version bump for saslauthd tcp mysql connections from Mika Flueger.
+-      Move kernel request line in quota.
+-      Module version bump for quota kernel module request from Mika Pflueger.
+-      Module version bump for djbdns ports fixes from Russell Coker.
+-      Remove stray + in keystone.te.
+-      Whitespace fixes in cron.fc.
+-      Module version bump for pulseaudio type_transition conflict fix from Sven
+-         Vermeulen.
+-      Bump module versions for release.
+-
+-Dominick Grift (889):
+-      Initial BIRD Internet Routing Daemon policy
+-      oident daemon fixes
+-      Introduce ntp_conf_t
+-      Allow ntp_admin() to manage ntp_drift_t content.
+-      List etc_t directories
+-      Use "Role allowed access." for consistency
+-      Use permissions sets for compatibility.
+-      Remove getattr permision from ntp_admin()
+-      Initial Sensord policy module
+-      Various block_suspend capability2 support from Fedora
+-      Gitolite3 support from Fedora
+-      /var/lib/sqlgrey is greylist milter data from Fedora
+-      Terminal related fixes for plymouthd from Fedora     Support block_suspend
+-         capability2 for plymouth
+-      Support minimal polkit in new location
+-      Support ldap for user authentication from Fedora
+-      Sanlock sends kill signals to non-root processes from Fedora     Various
+-         other capabilities for sanlock from Fedora
+-      Initial support for sqlgrey from Fedora
+-      Tor reads network sysctls from Fedora
+-      GPG agent reads /dev/random from Fedora
+-      Freshclam reads system and network state from Fedora
+-      Execute wpa_cli in the NetworkManager_t domain for wicd from Fedora
+-      lpstat.cups reads fips_enabled from Fedora
+-      Initial system tap compile server policy module
+-      Systemtap server admin manages stapserver_var_lib_t content
+-      Telepathy Idle reads gschemas.compiled from Fedora
+-      Initial slpd policy module
+-      Initial lightsquid policy module
+-      Initial wdmd policy module
+-      Initial mailscanner policy module and some depencies.
+-      Support slpd log rotation
+-      Initial numad policy module
+-      Open log files for append only
+-      CGClear reads CGConfig files from Fedora     Cosmetic changes to cgroup
+-         policy module     File contexts of cgroup app executables files in
+-         /sbin also apply to     /usr/sbin     Make cgroup_admin() a bit more
+-         compact
+-      Initial svnserve policy module
+-      Various small changes to ucspitcp
+-      Initial fcoe policy module
+-      Initial lldpad policy module
+-      fcoemon sends to lldpad with a dgram socket
+-      Initial quantum policy module
+-      Initial dspam policy module
+-      Module version bump for Telepathy file context spec fixes from Laurent    
+-         Bigonville.
+-      Initial isns policy module
+-      Various changes to tcs policy module
+-      Initial ctdb policy module
+-      Various changes to the sblim policy module and its dependencies
+-      Initial polipo policy module
+-      Module version bump for networkmanager fixes
+-      Fixes to the polipo policy module
+-      Module version bump for smartmon fixes from Laurent Bigonville.
+-      Module version bump for accountsd file context spec fix from     Laurent
+-         Bigonville.
+-      Various changes to the raid module
+-      Module version bump for rtkit file context spec fix from     Laurent
+-         Bigonville
+-      Initial couchdb policy module
+-      Changes to the bind policy module
+-      Initial dnssectrigger policy module
+-      Initial man2html policy module
+-      Initial openhpi policy module
+-      Bind sends/receives http server instead of client packets conditionally
+-      Two file context regular expression fixes by Eric Paris
+-      Type mdadm_t is no longer a unconfined type
+-      Initial pkcs policy module
+-      Initial cfengine policy module
+-      Initial keystone policy module
+-      Initial l2tp policy module
+-      Initial mongodb policy module
+-      cfengine whitespace cleanup
+-      Changes to the accountsservice policy module
+-      Changes to the acct policy module
+-      Changes to the ada policy module
+-      changes to the afs policy module
+-      Changes to the accountsservice policy module
+-      Changes to the aiccu policy module
+-      Changes to the aide policy module
+-      Syntax error in afs_admin()
+-      Changes to the aisexec policy module
+-      Changes to the alsa policy module
+-      Changes to the amanda policy module
+-      Changes to the amavisd policy module and relevant dependencies
+-      Changes to the amtu policy module
+-      Changes to the anaconda policy module
+-      Changes to the abrt policy module and relevant dependencies
+-      numad sends/receives msgs from Fedora
+-      Amtu executable file in installed in /usr/sbin in Fedora
+-      The (usr/)? expression does not work consistently so better not use it    
+-         at all
+-      Changes to the httpd policy module
+-      Merge branch 'master' of
+-         ssh://dgrift@oss.tresys.com/home/git/refpolicy-contrib
+-      Fixes to the apache policy module and dependencies
+-      Changes to the apcupsd policy module
+-      Role attributes for lightsquid application domain
+-      Changes to the mailscanner module
+-      Changes to the svnserve policy module
+-      Changes to the quantum policy module
+-      Changes to the dspam module
+-      Changes to the ctdb policy module
+-      Changes to the couchdb policy module
+-      Changes to the openhpid policy module
+-      Changes to the keystone policy module
+-      Changes to the l2tp policy module
+-      Changes to the apm module and relevant dependencies
+-      Changes to the arpwatch policy module
+-      Changes to the apcupsd policy module
+-      Changes to the abrt policy module
+-      Changes to the apache policy module
+-      Changes to the asterisk policy module and dependencies
+-      Changes to the authbind policy module
+-      Changes to the automount policy module
+-      Change acpid lock file context spec
+-      Changes to the avahi policy module and dependencies
+-      Changes to the awstats policy module
+-      Changes to the bacula policy module
+-      Changes to the bcfg2 policy module
+-      Changes to the apt policy module
+-      Changes to the apache policy module
+-      Changes to the backup module
+-      Changes to the bind policy module
+-      Bird module clean up
+-      Fix arpwatch connected_stream_socket_perms
+-      Changes to the bitlbee policy module
+-      Changes to the blueman policy module
+-      Changes to the bluetooth policy module
+-      Changes to the brctl policy module
+-      Changes to the apache policy module
+-      Changes to the bugzilla policy module
+-      Changes to the calamaris policy module
+-      Implement lightsquid_admin()
+-      Changes to the apache policy module and dependencies
+-      Initial boinc policy module
+-      Initial callweaver policy module
+-      Changes to the canna policy module
+-      Changes to the ccs policy module
+-      Changes to the cdrecord policy module
+-      Changes to the certmaster policy module and various role attribute fixes
+-      cdrecord needs to read and write callers unix domain stream socket not    
+-         create it
+-      Changes to the certmonger policy module and its dependencies
+-      Initial cachefilesd policy module
+-      Changes to the certwatch policy module
+-      Changes to the chronyd policy module
+-      Changes to the cipe policy module
+-      Changes to the clamav policy module
+-      Various network clean up
+-      Add dev_rw_cachefiles() to cachefilesd policy module
+-      Changes to the clockspeed policy module
+-      Changes to the clogd policy module
+-      Changes to the cmirrord policy module
+-      Changes to the cobbler policy module
+-      Changes to the colord policy module
+-      Changes to the comsat policy module
+-      Initial collectd policy module
+-      Initial condor policy module and relevant dependencies
+-      Changes to the consolekit policy module and relevant dependencies
+-      Changes to the corosync policy module and relevant dependencies
+-      Clean up couchdb network rules
+-      Changes to the courier policy module
+-      Changes to the cpucontrol policy module
+-      Changes to the cpufreqselector policy module
+-      Changes to the cron policy module and relevant dependencies
+-      Changes to the cups policy module and relevant dependencies
+-      Changes to the cvs policy module
+-      Remove redundant connect avperms
+-      Changes to the cyphesis policy module
+-      Remove redundant rules from apache_admin()
+-      Changes to the cyrus policy module
+-      Changes to the daemontools policy module
+-      Changes to the dante policy module
+-      Modify dbadm boolean descriptions
+-      Changes to the dbus policy module and its dependencies
+-      Changes to the dcc policy module
+-      Changes to the ddclient policy module
+-      Changes to the ddcprobe policy module
+-      Changes to the denyhosts policy module
+-      Changes to the devicekit policy module and relevant dependencies
+-      Changes to the dhcpd policy module
+-      Changes tothe dictd policy module
+-      Changes to the discc policy module
+-      Changes to the djbdns policy module
+-      Changes to the dkim policy module
+-      Changes to the dmidecode policy module
+-      Module bump for Laurent Bigonville trousers init script file context    
+-         specification fix
+-      Module bump for Laurent Bigonville libvirt init script file context    
+-         specification fix
+-      Changes to the dnsmasq policy module and relevant dependencies
+-      Changes to the dovecot policy module
+-      Changes to the dpkg policy module
+-      Changes to the entropyd policy module
+-      Changes to the evolution policy module
+-      Changes to the exim policy module and relevant dependencies
+-      Changes to the cron policy module
+-      Changes to the fail2ban policy module
+-      fcoemon XML clean up
+-      Changes to the fetchmail policy module
+-      Changes to the fingerd policy module
+-      Initial firewalld policy module
+-      Changes to the firstboot policy module
+-      Changes to the fprint policy module and relevant dependencies
+-      Changes to the ftp module
+-      Changes to the games policy module
+-      Clean up evolution and cdrecord XML
+-      Changes to the gatekeeper policy module
+-      Changes to the gift policy module
+-      Changes to the git policy module
+-      Changes to the gitosis policy module
+-      Changes to the glance policy module
+-      Initial glusterfs policy module
+-      Add gatekeeper newline
+-      Deprecate glusterd_admin() use glusterfs_admin() instead
+-      Portage module version bump for autofs support by Matthew Thode and    
+-         clean up
+-      cfengine: This location is now labeled with a cfengine private type
+-      Changes to the slpd policy module
+-      Changes to the gnomeclock policy module and relevant dependencies
+-      Changes to the gpg policy module
+-      Changes to the gpm policy module
+-      Changes to the gpsd policy module and relevant dependencies
+-      changes to the guest policy module
+-      Changes to the gnomeclock policy module
+-      Deprecate various DBUS interfaces and relevant dependencies
+-      Changes to the cachefilesd policy module
+-      Remove file context specification for kgpg which is a GUI frontend to    
+-         GPG. Domain transition to gpg_t will happen when kgpg runs gpg.    
+-         (rhbz#862229)
+-      Initial mandb policy module
+-      Changes to the hadoop policy module
+-      Changes to the hald policy module
+-      Changes to the hddtemp policy module
+-      Changes to the howl policy module
+-      changes to the mandb policy module
+-      Changes to the dbus policy module
+-      Changes to the rpm policy module
+-      Changes to the i18n_input policy module
+-      Changes to the icecast policy module
+-      Changes to the ifplugd policy module
+-      Changes to the imaze policy module
+-      Changes to the inetd policy module and relevant dependencies
+-      Changes to the innd policy module
+-      Changes to the irc policy module
+-      Changes to the ircd policy module
+-      Changes to the irc policy module
+-      Changes to the dbus policy module
+-      Changes to the avahi policy module
+-      Changes to the bluetooth policy module
+-      Changes to the aiccu policy module
+-      Changes to the bacula policy module
+-      Changes to the boinc policy module
+-      Changes to the bugzilla policy module
+-      Changes to the ccs policy module
+-      Changes to the clamav policy module
+-      Changes to the cobbler policy module
+-      Changes to the cyphesis policy module
+-      Changes to the dante policy module
+-      Changes to the dbskk policy module
+-      Changes to the ddclient policy module
+-      Changes to the denyhosts policy module
+-      Changes to the dnssectrigger policy module
+-      Changes to the dovecot policy module
+-      Changes to the drbd policy module
+-      Changes to the evolution policy module
+-      Changes to the fail2ban policy module
+-      Changes to the firewalld policy module
+-      Changes to the firstboot policy module
+-      Changes to the games policy module
+-      Changes to the gift policy module
+-      Changes to the glance policy module
+-      Changes to the hald policy module
+-      Changes to the dbus policy module
+-      Changes to the git policy module
+-      Changes to the polipo policy module
+-      Changes to the firewalld policy module
+-      Changes to the gpg policy module
+-      Tab clean up in ircbalance file context file
+-      Changes to the irqbalance policy module
+-      Tab clean up in iscsi file context file
+-      Changes to the iscsi policy module
+-      Tab clean up in jabber file context file
+-      Changes to the jabberd policy module
+-      Changes to the pyicqt policy module
+-      Tab clean up in java file context file
+-      Changes to the java policy module
+-      Changes to the dbus policy module
+-      Changes to the gnome policy module
+-      Changes to the apache policy module
+-      Changes to the accountsd policy module
+-      Changes to the alsa policy module
+-      Changes to the evolution policy module
+-      Changes to the bluetooth policy module
+-      Changes to the games policy module
+-      Changes to the gift policy module
+-      Changes to the gpg policy module
+-      Changes to the hadoop policy module
+-      Tab clean up in kdump file context file
+-      Changes to the kdump policy module
+-      Changes to the gpg policy module
+-      Changes to the dbus policy module
+-      Changes to the evolution policy module
+-      Changes to the gpm policy module
+-      Version bump for evolution file context fixes by Laurent Bigonville
+-      Version bump for nut file context fixes by Laurent Bigonville
+-      Changes to the kdumpgui policy module
+-      Tab clean up in kerberos file context file
+-      Changes to the kerberos policy module and relevant dependencies
+-      Changes to the kerneloops policy module
+-      Tab clean up in kerberos file context file
+-      Changes to the kismet policy module
+-      Clean up amavis XML header
+-      Initial keyboardd policy module
+-      Tab clean up in ksmtuned file context file
+-      Changes to the ksmtuned policy module
+-      Tab clean up in ktalk file context file
+-      Changes to the ktalk policy module
+-      Changes to the kudzu policy module
+-      Initial iodine policy module
+-      Initial dirmngr policy module
+-      Changes to the iodine policy module
+-      Changes to the kerberos policy module
+-      Changes to the kdumpgui policy module
+-      Update deprecated interface calls ( gnome_read_config ->    
+-         gnome_read_generic_home_content )
+-      Changes to the mozilla policy module
+-      Changes to the thunderbird policy module
+-      Changes to the l2tp policy module
+-      Tab clean up in ldap file context file
+-      Changes to the ldap policy module
+-      Tab clean up in likewise file context file
+-      Changes to the likewise policy module
+-      Tab clean up in lircd file context file
+-      Changes to the lircd policy module
+-      Changes to the livecd policy module
+-      Tab clean up in loadkeys file context file
+-      Changes to the loadkeys policy module and relevant dependencies
+-      Tab clean up in lockdev file context file
+-      Changes to the lockdev policy module
+-      Tab clean up in logrotate file context file
+-      Changes to the logrotate policy module and relevant dependencies
+-      Tab clean up in logwatch file context file
+-      Changes to the logrotate policy module
+-      Changes to the logwatch policy module
+-      Tab clean up in lpd file context file
+-      Changes to the lpd policy module
+-      Tab clean up in cron policy module
+-      Changes to the lpd policy module
+-      Changes to the consolekit policy module
+-      Tab fix in cron policy module
+-      Tab clean up in mailman file context file
+-      Changes to the mailman policy module and relevant dependencies
+-      Tab clean up in mcelog file context file
+-      Changes to the mcelog policy module
+-      Tab clean up in mediawiki file context file
+-      Mediawiki XML clean up
+-      Tab clean up in memcached file context file
+-      Changes to the memcached policy module
+-      Changes to the apache policy module
+-      Tab clean up in milter file context file
+-      Changes to the milter policy module and relevant dependencies
+-      Changes to the modemmanager policy module
+-      Tab clean up in mojomojo file context file
+-      Changes to the mojomojo policy module and relevant dependencies
+-      Changes to the gpg policy module
+-      Changes to the mongodb policy module
+-      Changes to the mono policy module
+-      Changes to the monop policy module
+-      Tab clean up in mozilla file context file
+-      Changes to the mozilla policy module and relevant dependencies
+-      Changes to the mozilla policy module
+-      Changes to the apache policy module
+-      Tab clean up in mpd file context file
+-      Changes to the mpd policy module
+-      Tab clean up in mplayer file context file
+-      Changes to the evolution policy module
+-      Changes to the mplayer policy module
+-      Changes to the irc policy module
+-      Tab clean up in mrtg file context file
+-      Changes to the mrtg policy module
+-      Tab clean up in mta file context file
+-      Changes to the mta policy module and relevant dependencies
+-      Changes to the mta policy module and relevant dependencies
+-      Get rid of mozilla_conf_t as it is unused
+-      Changes to the logrotate policy module
+-      Changes to the logwatch policy module
+-      Changes to the java policy module
+-      Changes to the apache module and relevant dependencies
+-      Tab clean up in munin file context file
+-      Changes to the munin policy module and relevant dependencies
+-      Tab clean up in mysql file context file
+-      Changes to mysqld policy module
+-      Changes to various policy modules
+-      Changes to the munin policy module
+-      Changes to the dovecot policy module
+-      Changes to various policy modules
+-      Changes to the mta policy module
+-      Changes to the certmonger policy module and relavant dependencies
+-      Tab clean up in nagios file context file
+-      Changes to the nagios policy module and relevant dependencies
+-      Changes to the modutils policy module
+-      Tab cleanup in the nessus file context file
+-      Changes to the nessus policy module
+-      Tab clean up in the network manager file context file
+-      Changes to the networkmanager policy module and relevant dependencies
+-      Changes to the mozilla policy module
+-      Changes to the cobbler policy module
+-      Initial rngd policy module
+-      Tab clean up in the nis file context file
+-      Changes to the nis policy module
+-      Tab clean up in the nscd file context file
+-      Changes to the nscd policy module
+-      Tab clean up in the nsd file context file
+-      Changes to the nsd policy module
+-      Tab clean up in the nslcd file context file
+-      Changes to the nslcd policy module
+-      Tab clean up in the ntop file context file
+-      Changes to the ntop policy module
+-      Tab clean up in the ntp file context file
+-      Changes to the ntp policy module
+-      Changes to the numad policy module
+-      Tab clean up in the nut file context file
+-      Changes to the nut policy module
+-      Tab clean up in the nx file context file
+-      Changes to the nx policy module
+-      Changes to the oav policy module
+-      Initial obex policy module
+-      Tab clean up in the oddjob file context file
+-      Tab clean up in gpg policy module
+-      Changes to the oddjob policy module
+-      Changes to the mozilla policy module
+-      Initial pacemaker policy module
+-      Tab clean up in the oidentd file context file
+-      Changes to the oident policy module
+-      Tab clean up in the openca file context file
+-      Changes to the openca policy module
+-      Tab clean up in the openct file context file
+-      Changes to the openct policy module
+-      Tab clean up in the openvpn file context file
+-      Changes to the openvpn policy module
+-      Tab clean up in the pads file context file
+-      Changes to the pads policy module
+-      Tab clean up in the passenger file context file
+-      Changes to the passenger policy module and relevant dependencies
+-      Tab clean up in the pcmcia file context file
+-      Changes to the pcmcia policy module
+-      Tab clean up in the pcscd file context file
+-      Changes to the pcscd policy module and relevant dependencies
+-      Tab clean up in the pegasus file context file
+-      Changes to the pegasus policy module
+-      Tab clean up in the perdition file context file
+-      Changes to the perdition policy module
+-      Tab clean up in the pingd file context file
+-      Changes to the pingd policy module
+-      Changes to the plymouthd policy module
+-      Changes to the mozilla policy module
+-      Changes to the plymouth policy module
+-      Tab clean up in the podsleuth file context file
+-      Changes to the podsleuth policy module
+-      Tab clean up in the policykit file context file
+-      Changes to the policykit policy module and relevant dependencies
+-      Tab clean up in the portage file context file
+-      Changes to the portage policy module
+-      Tab clean up in the portmap file context file
+-      Changes to the portmap policy module
+-      Tab clean up in the portreserve file context file
+-      Changes to the portreserve policy module
+-      Tab clean up in the portslave file context file
+-      Changes to the portslave policy module and relevant dependencies
+-      Tab clean up in the postfix file context file
+-      Changes to the postfix policy module and relevant dependencies
+-      Fixes to various policy modules
+-      Tab clean up in the postfixpolicyd file context file
+-      Changes to the postfixpolicyd policy module
+-      Tab clean up in the postgrey file context file
+-      Changes to the postgrey policy module
+-      Tab clean up in the ppp file context file
+-      Changes to the ppp policy module and relevant dependencies
+-      Tab clean up in the prelink file context file
+-      Changes to the prelink policy module and relevant dependencies
+-      Tab clean up in the prelude file context file
+-      Changes to the prelude policy module
+-      Tab clean up in the privoxy file context file
+-      Changes to the privoxy policy module
+-      Tab clean up in the procmail file context file
+-      Changes to the procmail policy module
+-      Tab clean up in the psad file context file
+-      Changes to the psad policy module
+-      Changes to the ptchown policy module
+-      Tab clean up in the publicfile file context file
+-      Changes to the publicfile policy module
+-      Fix a fatal syntax error in mozilla_plugin_role()
+-      Changes to the plymouth policy module
+-      Changes to the policykit policy module
+-      Module version bump for fixes in shorewall, fail2ban and portage policy   
+-          modules by Sven Vermeulen
+-      Tab clean up in the puppet file context file
+-      Changes to ther puppet policy module and relevant dependencies
+-      Initial pwauth policy module
+-      Tab clean up in the pxe file context file
+-      Changes to the pxe policy module
+-      Tab clean up in the pyzor file context file
+-      Changes to the pyzor policy module
+-      Tab clean up in the qemu file context file
+-      Changes to the qemu policy module
+-      Tab clean up in the virt file context file
+-      Changes to the virt policy module and relevant depedencies
+-      Changes to the virt policy module
+-      Changes to the cron policy module
+-      Changes to the qemu policy module
+-      Changes to the virt policy module
+-      Epylog wants sys_nice and setsched
+-      Tab clean up in the qmail file context file
+-      Changes to the qmail policy module
+-      Tab clean up in the qpid file context file
+-      Changes to the qpid policy module
+-      Tab clean up in the quota file context file
+-      Changes to the quota policy module and relevant dependencies
+-      Initial rabbitmq policy module
+-      Tab clean up in the radius file context file
+-      Changes to the radius policy module
+-      Tab clean up in the radvd file context file
+-      Changes to the radvd policy module
+-      Changes to the raid policy module
+-      Tab clean up in the razor file context file
+-      Changes to the razor policy module and relevant dependencies
+-      Smokeping cgi needs to run ping with a domain transition     Remove
+-         redundant socket create already provided by    
+-         sysnet_dns_name_resolve()
+-      Changes to the virt policy module
+-      Changes to the apache policy module
+-      Changes to the gnome policy module
+-      Changes to the rdisc policy mpdule
+-      Changes to the readahead policy module
+-      Changes to the remotelogin policy module
+-      Tab clean up in the resmgr file context file
+-      Changes to the resmgr policy module
+-      Tab clean up in the rgmanager file context file
+-      Changes to the rgmanager policy module
+-      Initial Realmd policy module and relevant dependencies
+-      Fix resmgrd init script file context specification
+-      Changes to the cups policy module
+-      automount reads overcommit_memory
+-      Changes to the networkmanager policy module
+-      Freshclam manages amavis spool content
+-      Changes to the tftp policy module
+-      Changes to the cobbler policy module
+-      Tab clean up in the rhcs file context file
+-      Changes to the rhcs policy module and relevant dependencies
+-      Tab clean up in the rhgb file context file
+-      Changes to the rhgb policy module
+-      Tab clean up in the rhsmcertd file context file
+-      Changes to the rhsmcertd policy module
+-      Tab clean up in the ricci file context file
+-      Changes to the ricci policy module
+-      Tab clean up in the rlogin file context file
+-      Changes to the rlogin policy module
+-      Tab clean up in the roundup file context file
+-      Changes to the roundup policy module
+-      Changes to the remotelogin policy module
+-      Changes to the apache policy module
+-      Changes to the awstats policy module
+-      fix puppet_admin() need to require types that it uses
+-      Replace wrong type in puppet_admin()
+-      Fix a syntax error in ricci_domtrans()
+-      Catch all rpcbind content in /var/run
+-      Changes to the cups policy module
+-      Tab clean up in the rpc file context file
+-      Changes to the rpc policy module
+-      Tab clean up in the rpcbind file context file
+-      Changes to the rpcbind policy module
+-      Tab clean up in the rpm file context file
+-      Changes to the rpm policy module and depedencies
+-      Changes to the rshd policy module
+-      Changes to the virt policy module
+-      Changes to the rssh policy module
+-      Tab clean up in the rsync file context file
+-      Fix a typo in apache XML
+-      Changes to the rsync policy module
+-      Changes to the rtkit policy module
+-      Tab clean up in the rwho file context file
+-      Changes to the rwho policy module
+-      Reads /proc/sys/kernel/random/poolsize
+-      Tab clean up in the samba file context file
+-      Changes to the samba policy module and relevant dependencies
+-      Tab clean up in the sambagui file context file
+-      Changes to the sambagui policy module
+-      Initial firewallgui policy module
+-      Tab clean up in the samhain file context file
+-      Changes to the samhain policy module
+-      Tab clean up in the sanlock file context file
+-      Changes to the sanlock policy module and relevant dependencies
+-      Tab clean up in the sasl file context file
+-      Changes to the sasl policy module
+-      Chnages to the sblim policy module
+-      Tab clean up in the screen file context file
+-      Changes to the screen policy module
+-      Tab clean up in the sectoolm file context file
+-      Changes to firewallgui policy module
+-      Changes to the sectoolm policy module
+-      Tab clean up in the sendmail file context file
+-      Changes to the sendmail policy module and relevant dependencies
+-      Tab clean up in the setroubleshoot file context file
+-      Changes to the setroubleshoot policy module
+-      Tab clean up in the shorewall file context file
+-      Changes to the shorewall policy module
+-      Tab clean up in the shutdown file context file
+-      Changes to the shutdown policy module and relevant dependencies
+-      Tab clean up in the slocate file context file
+-      Changes to the slocate policy module and relevant dependencies
+-      These domains transition to shutdown domain now so they no longer need    
+-         direct access
+-      Re-add missing network rule in screen policy module
+-      fail2ban server sets scheduler
+-      shutdown XML clean up
+-      libvirtd sets kernel scheduler
+-      mongod reads cpuinfo_max_freq
+-      Changes to the slrnpull policy module
+-      Tab clean up in the smartmon file context file
+-      Changes to the smartmon policy module
+-      Tab clean up in the smokeping file context file
+-      Changes to the smokeping policy module
+-      Tab clean up in the smoltclient file context file
+-      Changes to the smoltclient policy module
+-      Tab clean up in the snmp file context file
+-      Changes to the snmp policy module
+-      Tab clean up in the snort file context file
+-      Changes to the snort policy module
+-      Changes to the sosreport policy module and relevant dependencies
+-      Tab clean up in the soundserver file context file
+-      Changes to the soundserver policy module
+-      Tab clean up in the spamassassin file context file
+-      Changes to the spamassassin policy module and relevant dependendies
+-      spamassassin_role callers create ~/.spamd with the spamd_home_t user    
+-         home type instead
+-      Re-add sys_admin capability that was lost with porting from Fedora
+-      Move mailscanner content to mailscanner module
+-      Changes to the speedtouch policy module
+-      Tab clean up in the squid file context file
+-      Changes to the squid policy module
+-      Changes to the sssd policy module
+-      Tab clean up in the stunnel file context file
+-      Changes to the stunnel policy module
+-      Tab clean up in the sxid file context file
+-      Changes to the sxid policy module
+-      Tab clean up in the sysstat file context file
+-      Changes to the sysstat policy module
+-      Tab clean up in the tcpd file context file
+-      Changes to the tcpd policy module
+-      Changes to the tcsd policy module
+-      Tab clean up in the telepathy file context file
+-      Changes to the telepathy policy module
+-      Tab clean up in the telnet file context file
+-      Changes to the telnet policy module
+-      Tab clean up in the tftp file context file
+-      Changes to the tftp policy module
+-      Tab clean up in the tgtd file context file
+-      Changes to the tgtd policy module
+-      Tab clean up in the thunderbird file context file
+-      Changes to the thunderbird policy module
+-      Catch /var/log/cron directory as well
+-      Dovecot module version bump for fixes by Sven Vermeulen
+-      Portage module version bump for fixes by Sven Vermeulen
+-      Cron module version bump for fixes by Sven Vermeulen
+-      Changes to the exim policy module
+-      Entropyd reads /proc/meminfo
+-      Blueman reads tmp_t directories
+-      Do not audit attempts by cups config to read tmp_t directories
+-      Do not audit attempts by fail2ban to read tmp_t directories
+-      Do not audit attempts by firewalld to read tmp_t directories
+-      Gnomeclock reads urandom and realtime clock
+-      Kdumpctl needs sys_chroot capability
+-      Various kdumpgui fixes from Fedora
+-      Do not audit attempts by logwatch to read tmp_t directories
+-      Catch all alias files
+-      Refine aliases file transition with names
+-      Realmd dbus chat policykit and networkmanager from Fedora
+-      Do not audit attempts by tuned to read tmp_t directories
+-      Changes to the timidity policy module
+-      Tab clean up in the tmpreaper file context file
+-      Changes to the tmpreaper policy module and relevant dependencies
+-      Tab clean up in the tor file context file
+-      Changes to the tor policy module
+-      Changes to the transproxy policy module
+-      Tab clean up in the tripwire file context file
+-      Changes to the tripwire policy module
+-      Tab clean up in the tuned file context file
+-      Changes to the tuned policy module
+-      Tab clean up in the tvtime file context file
+-      Changes to the tvtime policy module
+-      Changes to the tzdata policy module
+-      Changes to the ucspitcp policy module
+-      Tab clean up in the ulogd file context file
+-      Changes to the ulogd policy module
+-      Tab clean up in the uml file context file
+-      Changes to the uml policy module
+-      Make it so that irc clients can also get attributes of cifs, nfs, fuse    
+-         and other file systems
+-      Changes to the updfstab policy module
+-      Changes to the uptime policy module
+-      Tab clean up in the usbmodules file context file
+-      Changes to the usbmodule policy module
+-      Changes to the usbmuxd policy module
+-      Tab clean up in the userhelper file context file
+-      Screen sends child terminated signals to all interactive fd domains
+-      Changes to the userhelper policy module and relevant dependencies
+-      Changes to the virt policy module
+-      Module version bump for fail2ban changes by Sven Vermeulen
+-      Changes to the rpm policy module
+-      fix smartmon init script file context specification
+-      Changes to the usernetctl policy module
+-      Tab clean up in the uucp file context file
+-      Changes to the uucp policy module
+-      Changes to the virt policy module
+-      Tab clean up in the uuid file context file
+-      Changes to the uuidd policy module
+-      Tab clean up in the uwimap file context file
+-      Changes to the uwimap policy module
+-      Tab clean up in the varnishd file context file
+-      Changes to the varnishd policy module
+-      Changes to the vbetool policy module
+-      Tab clean up in the vdagent file context file
+-      Changes to the vdagent policy module
+-      Tab clean up in the vhostmd file context file
+-      Changes to the vhostmd policy module
+-      Changes to the vlock policy module
+-      Tab clean up in the vmware file context file
+-      Changes to the vmware policy module
+-      Tab clean up in the vnstatd file context file
+-      Changes to the vnstatd policy module
+-      Tab clean up in the vpn file context file
+-      Changes to the vpnc policy module
+-      Tab clean up in the w3c file context file
+-      Changes to the w3c policy module
+-      Tab clean up in the watchdog file context file
+-      Changes to the watchdog policy module
+-      Changes to the wdmd policy module
+-      Changes to the webadm policy modules
+-      Changes to the webalizer policy module
+-      White space fix in apache policy module
+-      Changes to the wine policy module
+-      Tab clean up in the wireshark file context file
+-      Changes to the wireshark policy module
+-      Tab clean up in the wm file context file
+-      Changes to the wm policy module
+-      Changes to the inn policy module
+-      Move man cache file type to miscfiles
+-      Changes to the inn policy module
+-      More accurate dbadm boolean descriptions
+-      mysql_admin() has access to ~/.my.cnf files
+-      Tab clean up in the xen file context file
+-      Changes to the xen policy module and relevant dependencies
+-      Tab clean up in the xfs file context file
+-      Changes to the xfs policy module
+-      Changes to the xguest policy module and relevant dependencies
+-      Changes to the xprint policy module
+-      Changes to the xscreensaver policy module
+-      Tab clean up in the yam file context file
+-      Changes to the yam policy module
+-      Tab clean up in the zabbix file context file
+-      Changes to the zabbix policy module
+-      Tab clean up in the zarafa file context file
+-      Changes to the zarafa policy module
+-      Tab clean up in the zebra file context file
+-      Changes to the zebra policy module
+-      Changes to the zosremote policy module
+-      Changes to the mysql policy module
+-      Tab clean up in the pulseaudio file context file
+-      Changes to the pulseaudio policy module and relevant dependencies
+-      Changes to the pulseaudio policy module
+-      One chown too many
+-      Changes to the mplayer policy module
+-      The prelink cron script now runs in its own domain
+-      Initial smstools policy module
+-      Initial openvswitch policy module and relevant dependencies
+-      Reads pcsd pid files
+-      Reads random device
+-      winbind manages smbd pid sock files from Fedora
+-      Changes to the bind policy module
+-      CG rules daemon reads all sysctls
+-      Runs consoletype and searches nfs state data from Fedora
+-      Support munin unbound plugin from Fedora
+-      Zabbix sends signals from Fedora
+-      Blueman sets scheduler and sends signals from Fedora
+-      pcscd_read_pub_files is deprecated, use pcscd_read_pid_files instead
+-      Module version bumps for fixes in portage and virt modules by Sven    
+-         Vermeulen
+-      Policy module version bumps for various changes by Sven Vermeulen
+-      Changes to the openvpn policy module
+-      Module version bumps for various fixes by Sven Vermeulen
+-      Changes to the mandb policy module
+-      Changes to the tmpreaper policy module
+-      Changes to the munin policy module
+-      Changes to the rngd policy module
+-      Changes to the awstats policy module and relevant dependencies
+-      Changes to the apache policy module
+-      Changes to various policy modules
+-      Changes to the abrt policy module
+-      Changes to the passenger policy module and relevant depedencies
+-      Changes to the pegagus policy module
+-      Changes to the mta policy module
+-      Changes to the fetchmail policy module
+-      Changes to the bitlbee policy module
+-      Changes to the blueman policy module and relevant dependencies
+-      Changes to the amavis policy module
+-      Changes to the userhelper policy module
+-      Changes to the blueman policy module
+-      Changes to the squid policy module
+-      Changes to the sblim policy module
+-      Changes to the kdumpgui policy module
+-      Changes to the mailman policy module
+-      Changes to the realmd policy module
+-      Changes to the raid policy module
+-      Changes to the samba policy module
+-      Changes to the various policy modules
+-      Changes to the snmp policy module
+-      Changes to the spamassassin policy module
+-      Changes to the sssd policy module
+-      Changes to the l2tpd policy module
+-      Changes to the shorewall policy module
+-      Changes to the xen policy module
+-      Changes to the tftp policy modules
+-      Changes to the accountsd policy module
+-      Changes to the tgtd policy module
+-      Changes to the corosync policy module
+-      Changes to the kdump policy module
+-      Changes to the openvswitch policy module
+-      Changes to the mpd policy module
+-      Changes to the mozilla policy module
+-      Changes to the zarafa policy module
+-      Changes to the boinc policy module
+-      Changes to the setroubleshoot policy module
+-      Changes to the dspam policy module
+-      Changes to the rgrmanager policy module and relevant dependencies
+-      Changes to the svnserve policy module
+-      Changes to the virt policy module
+-      Changes to the prelink policy module
+-      Changes to the apache policy module
+-      Changes to the gnomeclock policy module
+-      Changes to various policy modules
+-      Changes to the pegagus policy module
+-      Changes to the shorewall policy module
+-      Changes to the kerberos policy module
+-      Changes to the rhcs policy module
+-      Changes to the irc policy module
+-      Changes to the clamav policy module
+-      Changes to the mrtg policy module
+-      Changes to the munin policy module
+-      Changes to the amavis policy module
+-      Changes to the ppp policy module
+-      Initial jockey policy module
+-      Module version bumps for "several named transition for directories    
+-         created in /var/run by initscripts" in various modules by Laurent    
+-         Bigonville
+-      Module version bumps for fixes in various modules by Laurent Bigonville
+-      Module version bump for changes to the consolekit policy module by    
+-         Laurent Bigonville
+-      Changes to the stunnel policy module
+-      Module version bumps for fixes in various modules by Sven Vermeulen
+-      Changes to the virt policy module
+-      Changes to the apache policy module
+-      Changes to the wm policy module
+-      Changes to the samba policy module
+-      Changes to the certmonger policy module
+-      Changes to the mozilla policy module
+-      Changes to the corosync policy module
+-      Changes to the pacemaker policy module
+-      Changes to the tuned policy module
+-      Changes to the cups module and relevant dependencies
+-      Changes to the rhsmcertd policy module
+-      Changes to the lpd policy module
+-      Changes to the munin policy module
+-      Changes to the ntp policy module
+-      Changes to the tor policy module
+-      Changes to the firewalld policy module
+-      Changes to the dspam policy module
+-      Changes to the setroubleshoot policy module
+-      Changes to the condor policy module
+-      Changes to the kerberos policy module
+-      Changes to the passenger policy module
+-      Changes to the ppp policy module
+-      Changes to the the dkim policy module
+-      Changes to the abrt policy module
+-      Changes to the lircd policy module
+-      Changes to the dkim policy module
+-      Changes to the virt policy module
+-      Changes to the munin policy module
+-      Changes to the dovecot policy module
+-      Changes to the cobbler policy module
+-      Changes to the userhelper policy module
+-      Changes to the logwatch policy module
+-      Changes to the wdmd policy module and relevant dependencies
+-      Changes to the nscd policy module and relevant dependencies
+-      Changes to the dbus policy module
+-      Module version bumps for fixes in various policy modules by Laurent    
+-         Bigonville
+-      Changes to the cups policy module
+-      Changes to the dbus policy module
+-      Changes to the apcupsd policy module
+-      Remove redundant net_bind_service capabilities in various modules
+-      Changes to the virt policy module
+-      Changes to the puppet policy module
+-      Module version bumps for fixes in various policy module by Sven    
+-         Vermeulen
+-      Module version bumps for file context fixes in various policy modules by  
+-           Laurent Bigonville
+-      Make httpd_manage_all_user_content() do what it advertises
+-      Add more networking rules to mplayer policy module for compatibility
+-      Fix fcronsighup file context. Should be crontab_exec_t as per previous    
+-         spec
+-      Module version bumps for changes in various modules by Sven Vermeulen
+-      Move asterisk_exec() and modify XML header
+-      Consolekit creates /var/run/console directories with a type transition    
+-         unconditionally
+-      Module version bump in consolekit policy module for changes by Sven    
+-         Vermeulen
+-      The imaplogin executable file should be courier_pop_exec_t according to   
+-          existing file context specification
+-      Module version bump for changes to the fail2ban policy module by Sven    
+-         Vermeulen
+-      Modules version bumps for changes in various policy modules by Sven    
+-         Vermeulen
+-
+-Laurent Bigonville (28):
+-      Add Debian locations for Telepathy connection managers
+-      Label telepathy-rakia as telepathy-sofiasip
+-      Allow smartd daemon to write in /var/lib/smartmontools directory
+-      Add Debian location for smartd daemon initscript
+-      Add Debian location for accounts-daemon daemon
+-      Add Debian location for rtkit-daemon daemon
+-      Add Debian location for tcsd init script
+-      Add Debian location for libvirtd init script
+-      Add Debian location for evolution executables
+-      Add Debian locationis for nut executables and configuration files
+-      Add several named transition for directories created in /var/run by
+-         initscripts
+-      Run packagekit under apt_t context on Debian distribution
+-      Add proper label for colord daemon in debian
+-      Allow the system dbus to search cgroup directories
+-      Allow virtd_t context to read sysctl_crypto_t
+-      Allow colord_t context to read sysctl_crypto_t
+-      Add proper label for gconfd-2 daemon in Debian
+-      Ensure that consolekit can create /var/run/console directory on Debian
+-      Properly label nm-dispatcher.action on Debian
+-      policykit.fc: Properly label polkit-agent-helper-1 on Debian
+-      cups.fc: Properly label cups-pk-helper-mechanism on Debian
+-      Allow pcscd the fsetid capability
+-      Allow networkmanager_t to read crypto_sysctl_t
+-      Allow virsh_t context to read sysctl_crypto_t
+-      Allow cupsd_t to read cupsd_log_t
+-      gnomeclock.fc: Properly label gsd-datetime-mechanism in Debian
+-      ptchown.fc: Properly label pt_chown executable in Debian
+-      Label /usr/bin/kvm as qemu_exec_t
+-
+-Matthew Thode (2):
+-      added autofs support and nsswitch support
+-      removing refrences to named_var_lib_t as it doesn't exist anymore for
+-         bind.if
+-
+-Mika Pflüger (3):
+-      Allow saslauthd_t to talk to mysqld via TCP
+-      Quota policy adjustments: * Allow quota_t to load kernel modules
+-      Debian locations for dovecot deliver and dovecot auth.
+-
+-Russell Coker (1):
+-      Fix djbdns ports
+-
+-Sven Vermeulen (75):
+-      Update with new substitutions
+-      Mark the pid directory as a pid directory
+-      Add in transitions for queue types when the queues are created
+-      Fix typo in interface postfix_exec_postqueue
+-      Allow maildelivery to use dotlock files in the mail spool
+-      Allow postfix local to change ownership of mailfiles
+-      Use libexec location for postfix binaries
+-      Allow initrc_t to create run dirs for contrib modules
+-      Update logwatch location in file context
+-      Sandbox is an inherent part of the portage inner workings
+-      Fix startup issue with fail2ban-client
+-      Be able to get output from fail2ban-client
+-      Ignore searches when ran from the user home directory
+-      Shorewall admins execute shorewall too
+-      Shorewall needs sys_admin capability for manipulating network stack
+-      Be able to display dovecot errors
+-      Remove transition to ldconfig
+-      Adding interfaces for handling cron log files
+-      Fail2ban client checks state of log files before telling the server
+-      Support mysql init script
+-      Support initial creation of mysql database files
+-      Portage fetch domain needs to access certificates
+-      Make samba domtrans optional in virt
+-      Fix typo in tunable declaration for fcron_crond
+-      Introducing cron_manage_log_files interface
+-      Introduce dontaudit interfaces for leaked fd and unix stream sockets
+-      Dontaudit attempts by system_mail_t to use leaked fd or stream sockets
+-      Support at service
+-      Additional postfix admin requirements
+-      Reintroduce postfix_var_run_t for pid directory and fowner capability
+-      Postfix deferred queue should not mark mails as postfix_spool_maildrop_t
+-      Running qemu with SDL support requires more xserver-related privileges
+-      Fix typo in clockspeed comment
+-      Support openvpn status file
+-      Asterisk voicemail messages are generated from tmp
+-      Make rtkit calls optional
+-      Gentoo installs dovecot certs in /etc/ssl/dovecot
+-      Moving sandbox code to sandbox section (v2)
+-      Allow sandbox to log violations
+-      Use rw_fifo_file_perms
+-      Apache should not depend on gpg
+-      Named init script creates rundir
+-      Add ~/.maildir as a valid maildir destination
+-      Support stunnel_read_config for startup
+-      Updates on stunnel policy
+-      More .maildir fixes
+-      Mark make.profile entry as portage_conf_t (v2)
+-      Move mta call (coding style)
+-      Changes to puppet domain
+-      Allow rpc admin to run exportfs
+-      Grant sys_admin capability to puppet
+-      Puppet module helper scripts are puppet_var_lib_t
+-      Support netlink_route_socket creation for puppet
+-      Puppet initscript creates /run/puppet
+-      Puppet runs statfs against selinuxfs
+-      mplayer streams HTTP resources
+-      fcron and fcronsighup binaries are moved
+-      Asterisk needs to search through logs
+-      Denial in mail log on node bind
+-      Fix typo in mcelog_admin (missing bracket)
+-      Add in contexts for fcron rm.systab and systab.tmp
+-      Remove pulseaudio filename_trans conflict
+-      Allow asterisk admins to execute asterisk binary directly
+-      Support tagfiles for consolekit
+-      ConsoleKit needs to read the dbus machine-id
+-      File context updates for courier-imap
+-      Update on file contexts for OpenLDAP
+-      Update on file contexts for wpa_supplicant
+-      Allow IRC clients to read certificates
+-      Allow reading /proc/self for fail2ban due to FAM support
+-      Update file contexts for puppet
+-      Support ~/.tmux.conf as tmux configuration file
+-      Add setuid/setgid capability to ulogd_t
+-      Support tmux control socket
+-      Postfix creates defer(red) queue locations
+-
 diff --git a/abrt.fc b/abrt.fc
-index e4f84de..b5f4f9a 100644
+index 1a93dc5..b5f4f9a 100644
 --- a/abrt.fc
 +++ b/abrt.fc
-@@ -1,30 +1,48 @@
+@@ -1,31 +1,48 @@
 -/etc/abrt(/.*)?	gen_context(system_u:object_r:abrt_etc_t,s0)
 -/etc/rc\.d/init\.d/abrt	--	gen_context(system_u:object_r:abrt_initrc_exec_t,s0)
 +/etc/abrt(/.*)?				gen_context(system_u:object_r:abrt_etc_t,s0)
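Review bot: the `Changelog` diff carried into policy-f20-base.patch by this hunk (many hundreds of `+-` lines under `+diff --git a/Changelog b/Changelog`) is not covered by any of the six items in the commit subject, and the changed `index` line for abrt.fc (`e4f84de` to `1a93dc5`) suggests the base patch was regenerated against a newer upstream tree. Please either exclude Changelog when regenerating the base patch or state the rebase in the commit message, so the policy changes that matter (resolv.conf labels, dnssec-trigger rules, the mongodb port) are not buried in changelog churn.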
@@ -31,6 +1108,7 @@ index e4f84de..b5f4f9a 100644
  
 -/usr/sbin/abrtd	--	gen_context(system_u:object_r:abrt_exec_t,s0)
 -/usr/sbin/abrt-dbus	--	gen_context(system_u:object_r:abrt_exec_t,s0)
+-/usr/sbin/abrt-upload-watch	--	gen_context(system_u:object_r:abrt_upload_watch_exec_t,s0)
 +/var/cache/abrt(/.*)?			gen_context(system_u:object_r:abrt_var_cache_t,s0)
 +/var/cache/abrt-di(/.*)?		gen_context(system_u:object_r:abrt_var_cache_t,s0)
 +
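Review bot: the inner patch now deletes the upstream entry `/usr/sbin/abrt-upload-watch -- gen_context(system_u:object_r:abrt_upload_watch_exec_t,s0)`, and the replacement label is not visible in this hunk. Please confirm the rewritten 48-line abrt.fc still labels that binary as `abrt_upload_watch_exec_t`; without it the `init_daemon_domain(abrt_upload_watch_t, abrt_upload_watch_exec_t)` transition in abrt.te has no entrypoint file to match and the daemon would run in the caller's domain.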
@@ -568,16 +1646,16 @@ index 058d908..cf17e67 100644
 +')
 +
 diff --git a/abrt.te b/abrt.te
-index cc43d25..1dc58bb 100644
+index eb50f07..1dc58bb 100644
 --- a/abrt.te
 +++ b/abrt.te
 @@ -1,4 +1,4 @@
--policy_module(abrt, 1.3.4)
+-policy_module(abrt, 1.4.1)
 +policy_module(abrt, 1.2.0)
  
  ########################################
  #
-@@ -6,105 +6,134 @@ policy_module(abrt, 1.3.4)
+@@ -6,118 +6,134 @@ policy_module(abrt, 1.4.1)
  #
  
  ## <desc>
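Review bot: after this rebase the inner hunk replaces `policy_module(abrt, 1.4.1)` with `policy_module(abrt, 1.2.0)`, so the declared module version now moves backward by two minor releases relative to the base it patches (it was 1.3.4 before). If the Fedora number is intentionally independent of upstream, a one-line comment in the patch would help; otherwise consider dropping this line from the patch so the upstream version is kept.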
@@ -595,18 +1673,23 @@ index cc43d25..1dc58bb 100644
  
  ## <desc>
 -##	<p>
--##	Determine whether ABRT can run in
--##	the abrt_handle_event_t domain to
--##	handle ABRT event scripts.
+-##	Determine whether abrt-handle-upload
+-##	can modify public files used for public file
+-##	transfer services in /var/spool/abrt-upload/.
 -##	</p>
 +## <p>
 +## Allow abrt-handle-upload to modify public files
 +## used for public file transfer services in /var/spool/abrt-upload/.
 +## </p>
-+## </desc>
-+gen_tunable(abrt_upload_watch_anon_write, true)
-+
-+## <desc>
+ ## </desc>
+ gen_tunable(abrt_upload_watch_anon_write, true)
+ 
+ ## <desc>
+-##	<p>
+-##	Determine whether ABRT can run in
+-##	the abrt_handle_event_t domain to
+-##	handle ABRT event scripts.
+-##	</p>
 +##  <p>
 +##  Allow ABRT to run in abrt_handle_event_t domain
 +##  to handle ABRT event scripts
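Review bot: `gen_tunable(abrt_upload_watch_anon_write, true)` leaves write access to the public files under /var/spool/abrt-upload/ enabled by default, and since that line is now unchanged context in the inner patch, this patch only rewrites the description and inherits the default from the base. If abrt-upload-watch does not need that access out of the box, a default of `false` with the boolean enabled per host would be the tighter choice; please confirm `true` is intended. As a style point, the two rewritten `<desc>` blocks are indented differently (`## <p>` in the first, `##  <p>` in the second) and the second description lacks a closing period.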
@@ -718,13 +1801,15 @@ index cc43d25..1dc58bb 100644
 +abrt_basic_types_template(abrt_watch_log)
  init_daemon_domain(abrt_watch_log_t, abrt_watch_log_exec_t)
  
+-type abrt_upload_watch_t, abrt_domain;
+-type abrt_upload_watch_exec_t;
++# Support for abrt-upload-watch
++abrt_basic_types_template(abrt_upload_watch)
+ init_daemon_domain(abrt_upload_watch_t, abrt_upload_watch_exec_t)
+ 
 -ifdef(`enable_mcs',`
 -	init_ranged_daemon_domain(abrt_t, abrt_exec_t, s0 - mcs_systemhigh)
 -')
-+# Support for abrt-upload-watch
-+abrt_basic_types_template(abrt_upload_watch)
-+init_daemon_domain(abrt_upload_watch_t, abrt_upload_watch_exec_t)
-+
 +type abrt_upload_watch_tmp_t;
 +files_tmp_file(abrt_upload_watch_tmp_t)
  
@@ -756,7 +1841,7 @@ index cc43d25..1dc58bb 100644
  manage_files_pattern(abrt_t, abrt_var_log_t, abrt_var_log_t)
  logging_log_filetrans(abrt_t, abrt_var_log_t, file)
  
-@@ -112,23 +141,30 @@ manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
+@@ -125,23 +141,30 @@ manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
  manage_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
  manage_lnk_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
  files_tmp_filetrans(abrt_t, abrt_tmp_t, { file dir })
@@ -789,7 +1874,7 @@ index cc43d25..1dc58bb 100644
  kernel_request_load_module(abrt_t)
  kernel_rw_kernel_sysctl(abrt_t)
  
-@@ -137,16 +173,14 @@ corecmd_exec_shell(abrt_t)
+@@ -150,16 +173,14 @@ corecmd_exec_shell(abrt_t)
  corecmd_read_all_executables(abrt_t)
  
  corenet_all_recvfrom_netlabel(abrt_t)
@@ -808,7 +1893,7 @@ index cc43d25..1dc58bb 100644
  
  dev_getattr_all_chr_files(abrt_t)
  dev_getattr_all_blk_files(abrt_t)
-@@ -163,29 +197,43 @@ files_getattr_all_files(abrt_t)
+@@ -176,29 +197,43 @@ files_getattr_all_files(abrt_t)
  files_read_config_files(abrt_t)
  files_read_etc_runtime_files(abrt_t)
  files_read_var_symlinks(abrt_t)
@@ -842,9 +1927,9 @@ index cc43d25..1dc58bb 100644
 +logging_read_syslog_pid(abrt_t)
 +
 +auth_use_nsswitch(abrt_t)
-+
-+init_read_utmp(abrt_t)
  
++init_read_utmp(abrt_t)
++
 +miscfiles_read_generic_certs(abrt_t)
  miscfiles_read_public_files(abrt_t)
 +miscfiles_dontaudit_access_check_cert(abrt_t)
@@ -855,7 +1940,7 @@ index cc43d25..1dc58bb 100644
  
  tunable_policy(`abrt_anon_write',`
  	miscfiles_manage_public_files(abrt_t)
-@@ -193,15 +241,11 @@ tunable_policy(`abrt_anon_write',`
+@@ -206,15 +241,11 @@ tunable_policy(`abrt_anon_write',`
  
  optional_policy(`
  	apache_list_modules(abrt_t)
@@ -872,7 +1957,7 @@ index cc43d25..1dc58bb 100644
  ')
  
  optional_policy(`
-@@ -209,6 +253,20 @@ optional_policy(`
+@@ -222,6 +253,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -893,7 +1978,7 @@ index cc43d25..1dc58bb 100644
  	policykit_domtrans_auth(abrt_t)
  	policykit_read_lib(abrt_t)
  	policykit_read_reload(abrt_t)
-@@ -221,6 +279,11 @@ optional_policy(`
+@@ -234,6 +279,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -905,7 +1990,7 @@ index cc43d25..1dc58bb 100644
  	rpm_exec(abrt_t)
  	rpm_dontaudit_manage_db(abrt_t)
  	rpm_manage_cache(abrt_t)
-@@ -230,6 +293,7 @@ optional_policy(`
+@@ -243,6 +293,7 @@ optional_policy(`
  	rpm_signull(abrt_t)
  ')
  
@@ -913,7 +1998,7 @@ index cc43d25..1dc58bb 100644
  optional_policy(`
  	sendmail_domtrans(abrt_t)
  ')
-@@ -240,9 +304,21 @@ optional_policy(`
+@@ -253,9 +304,21 @@ optional_policy(`
  	sosreport_delete_tmp_files(abrt_t)
  ')
  
@@ -936,7 +2021,7 @@ index cc43d25..1dc58bb 100644
  #
  
  allow abrt_handle_event_t self:fifo_file rw_fifo_file_perms;
-@@ -253,9 +329,13 @@ tunable_policy(`abrt_handle_event',`
+@@ -266,9 +329,13 @@ tunable_policy(`abrt_handle_event',`
  	can_exec(abrt_t, abrt_handle_event_exec_t)
  ')
  
@@ -951,7 +2036,7 @@ index cc43d25..1dc58bb 100644
  #
  
  allow abrt_helper_t self:capability { chown setgid sys_nice };
-@@ -268,6 +348,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
+@@ -281,6 +348,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
  manage_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
  manage_lnk_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
  files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir })
@@ -959,7 +2044,7 @@ index cc43d25..1dc58bb 100644
  
  read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
  read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
-@@ -276,15 +357,20 @@ corecmd_read_all_executables(abrt_helper_t)
+@@ -289,15 +357,20 @@ corecmd_read_all_executables(abrt_helper_t)
  
  domain_read_all_domains_state(abrt_helper_t)
  
@@ -980,7 +2065,7 @@ index cc43d25..1dc58bb 100644
  	userdom_dontaudit_read_user_home_content_files(abrt_helper_t)
  	userdom_dontaudit_read_user_tmp_files(abrt_helper_t)
  	dev_dontaudit_read_all_blk_files(abrt_helper_t)
-@@ -292,11 +378,25 @@ ifdef(`hide_broken_symptoms',`
+@@ -305,11 +378,25 @@ ifdef(`hide_broken_symptoms',`
  	dev_dontaudit_write_all_chr_files(abrt_helper_t)
  	dev_dontaudit_write_all_blk_files(abrt_helper_t)
  	fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t)
@@ -1007,7 +2092,7 @@ index cc43d25..1dc58bb 100644
  #
  
  allow abrt_retrace_coredump_t self:fifo_file rw_fifo_file_perms;
-@@ -314,10 +414,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t)
+@@ -327,10 +414,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t)
  
  dev_read_urand(abrt_retrace_coredump_t)
  
@@ -1021,7 +2106,7 @@ index cc43d25..1dc58bb 100644
  optional_policy(`
  	rpm_exec(abrt_retrace_coredump_t)
  	rpm_dontaudit_manage_db(abrt_retrace_coredump_t)
-@@ -330,10 +432,11 @@ optional_policy(`
+@@ -343,10 +432,11 @@ optional_policy(`
  
  #######################################
  #
@@ -1035,7 +2120,7 @@ index cc43d25..1dc58bb 100644
  allow abrt_retrace_worker_t self:fifo_file rw_fifo_file_perms;
  
  domtrans_pattern(abrt_retrace_worker_t, abrt_retrace_coredump_exec_t, abrt_retrace_coredump_t)
-@@ -352,46 +455,64 @@ corecmd_exec_shell(abrt_retrace_worker_t)
+@@ -365,46 +455,64 @@ corecmd_exec_shell(abrt_retrace_worker_t)
  
  dev_read_urand(abrt_retrace_worker_t)
  
@@ -1105,7 +2190,7 @@ index cc43d25..1dc58bb 100644
  
  read_files_pattern(abrt_watch_log_t, abrt_etc_t, abrt_etc_t)
  
-@@ -400,16 +521,50 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t)
+@@ -413,27 +521,50 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t)
  corecmd_exec_bin(abrt_watch_log_t)
  
  logging_read_all_logs(abrt_watch_log_t)
@@ -1117,14 +2202,12 @@ index cc43d25..1dc58bb 100644
  
  #######################################
  #
--# Global local policy
+-# Upload watch local policy
 +# abrt-upload-watch local policy
  #
  
--kernel_read_system_state(abrt_domain)
 +allow abrt_upload_watch_t self:capability { dac_override chown };
- 
--files_read_etc_files(abrt_domain)
++
 +manage_files_pattern(abrt_upload_watch_t, abrt_upload_watch_tmp_t, abrt_upload_watch_tmp_t)
 +manage_dirs_pattern(abrt_upload_watch_t, abrt_upload_watch_tmp_t, abrt_upload_watch_tmp_t)
 +manage_lnk_files_pattern(abrt_upload_watch_t, abrt_upload_watch_tmp_t, abrt_upload_watch_tmp_t)
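Review bot: "allow abrt_upload_watch_t self:capability { dac_override chown };" grants dac_override with no comment saying which file access needs it. dac_override lets the domain bypass ordinary file permission checks, so a one-line comment naming the path or operation that required it would help. If ownership or mode on the upload directory can be fixed instead, the capability could be dropped and only chown kept.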
@@ -1134,33 +2217,38 @@ index cc43d25..1dc58bb 100644
 +
 +manage_dirs_pattern(abrt_upload_watch_t, abrt_var_cache_t, abrt_var_cache_t)
 +
-+corecmd_exec_bin(abrt_upload_watch_t)
-+
+ corecmd_exec_bin(abrt_upload_watch_t)
+ 
 +dev_read_urand(abrt_upload_watch_t)
 +
 +files_search_spool(abrt_upload_watch_t)
- 
--logging_send_syslog_msg(abrt_domain)
++
 +auth_read_passwd(abrt_upload_watch_t)
- 
--miscfiles_read_localization(abrt_domain)
-+tunable_policy(`abrt_upload_watch_anon_write',`
++
+ tunable_policy(`abrt_upload_watch_anon_write',`
+-	miscfiles_manage_public_files(abrt_upload_watch_t)
 +    miscfiles_manage_public_files(abrt_upload_watch_t)
 +')
 +
 +optional_policy(`
 +    dbus_system_bus_client(abrt_upload_watch_t)
-+')
-+
-+#######################################
-+#
+ ')
+ 
+ #######################################
+ #
+-# Global local policy
 +# Local policy for all abrt domain
-+#
-+
+ #
+ 
+-kernel_read_system_state(abrt_domain)
 +allow abrt_domain abrt_var_run_t:sock_file write_sock_file_perms;
 +allow abrt_domain abrt_var_run_t:unix_stream_socket connectto;
-+
-+files_read_etc_files(abrt_domain)
+ 
+ files_read_etc_files(abrt_domain)
+-
+-logging_send_syslog_msg(abrt_domain)
+-
+-miscfiles_read_localization(abrt_domain)
 diff --git a/accountsd.fc b/accountsd.fc
 index f9d8d7a..0682710 100644
 --- a/accountsd.fc
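Review bot: inside the tunable_policy for abrt_upload_watch_anon_write, the only change to miscfiles_manage_public_files(abrt_upload_watch_t) is its indentation, a tab replaced by four spaces. Keeping the base's tab would let that line fall out of the patch entirely. Further down the same hunk, kernel_read_system_state, logging_send_syslog_msg and miscfiles_read_localization are removed from abrt_domain while two abrt_var_run_t socket rules are added; a short comment on why the shared rules go away would make the next rebase easier to check.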
@@ -1232,10 +2320,14 @@ index bd5ec9a..a5ed692 100644
 +	allow $1 accountsd_unit_file_t:service all_service_perms;
  ')
 diff --git a/accountsd.te b/accountsd.te
-index 313b33f..6e0a894 100644
+index 3593510..6e0a894 100644
 --- a/accountsd.te
 +++ b/accountsd.te
-@@ -4,6 +4,10 @@ gen_require(`
+@@ -1,9 +1,13 @@
+-policy_module(accountsd, 1.1.0)
++policy_module(accountsd, 1.0.6)
+ 
+ gen_require(`
  	class passwd all_passwd_perms;
  ')
  
@@ -1271,18 +2363,16 @@ index 313b33f..6e0a894 100644
  
  fs_getattr_xattr_fs(accountsd_t)
  fs_list_inotifyfs(accountsd_t)
-@@ -48,8 +55,9 @@ auth_use_nsswitch(accountsd_t)
+@@ -48,7 +55,7 @@ auth_use_nsswitch(accountsd_t)
  auth_read_login_records(accountsd_t)
  auth_read_shadow(accountsd_t)
  
 -miscfiles_read_localization(accountsd_t)
 +init_dbus_chat(accountsd_t)
  
-+logging_list_logs(accountsd_t)
+ logging_list_logs(accountsd_t)
  logging_send_syslog_msg(accountsd_t)
- logging_set_loginuid(accountsd_t)
- 
-@@ -65,9 +73,16 @@ optional_policy(`
+@@ -66,9 +73,16 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -1344,9 +2434,15 @@ index 81280d0..bc4038b 100644
  	domain_system_change_exemption($1)
  	role_transition $2 acct_initrc_exec_t system_r;
 diff --git a/acct.te b/acct.te
-index 1a1c91a..d538827 100644
+index 8b9ad83..d538827 100644
 --- a/acct.te
 +++ b/acct.te
+@@ -1,4 +1,4 @@
+-policy_module(acct, 1.6.0)
++policy_module(acct, 1.5.1)
+ 
+ ########################################
+ #
 @@ -40,8 +40,6 @@ corecmd_exec_shell(acct_t)
  dev_read_sysfs(acct_t)
  dev_read_urand(acct_t)
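Review bot: the policy_module() line at the top of acct.te now goes from 1.6.0 to 1.5.1, so the patch lowers the module version instead of leaving it alone. The same one-line hunk appears for accountsd (1.1.0 to 1.0.6), ada, afs, aiccu, aide, aisexec, alsa, amanda, amavis, amtu, anaconda and apache (2.7.2 to 2.4.0). Dropping these hunks would let the versions follow the base and remove a conflict from every rebase.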
@@ -1374,9 +2470,15 @@ index 1a1c91a..d538827 100644
  userdom_dontaudit_use_unpriv_user_fds(acct_t)
  
 diff --git a/ada.te b/ada.te
-index 8b5ad06..8ce8f26 100644
+index 8d42c97..8ce8f26 100644
 --- a/ada.te
 +++ b/ada.te
+@@ -1,4 +1,4 @@
+-policy_module(ada, 1.5.0)
++policy_module(ada, 1.4.1)
+ 
+ ########################################
+ #
 @@ -20,7 +20,7 @@ role ada_roles types ada_t;
  
  allow ada_t self:process { execstack execmem };
@@ -1437,9 +2539,15 @@ index 3b41be6..97d99f9 100644
  	afs_initrc_domtrans($1)
  	domain_system_change_exemption($1)
 diff --git a/afs.te b/afs.te
-index 6690cdf..7726644 100644
+index 90ce637..7726644 100644
 --- a/afs.te
 +++ b/afs.te
+@@ -1,4 +1,4 @@
+-policy_module(afs, 1.9.0)
++policy_module(afs, 1.8.2)
+ 
+ ########################################
+ #
 @@ -83,8 +83,16 @@ files_var_filetrans(afs_t, afs_cache_t, { file dir })
  
  kernel_rw_afs_state(afs_t)
@@ -1613,9 +2721,15 @@ index 3b5dcb9..fbe187f 100644
  	domain_system_change_exemption($1)
  	role_transition $2 aiccu_initrc_exec_t system_r;
 diff --git a/aiccu.te b/aiccu.te
-index 72c33c2..7564732 100644
+index 5d2b90e..7564732 100644
 --- a/aiccu.te
 +++ b/aiccu.te
+@@ -1,4 +1,4 @@
+-policy_module(aiccu, 1.1.0)
++policy_module(aiccu, 1.0.2)
+ 
+ ########################################
+ #
 @@ -48,7 +48,6 @@ corenet_all_recvfrom_unlabeled(aiccu_t)
  corenet_tcp_bind_generic_node(aiccu_t)
  corenet_tcp_sendrecv_generic_if(aiccu_t)
@@ -1652,15 +2766,18 @@ index 72c33c2..7564732 100644
  	sysnet_domtrans_ifconfig(aiccu_t)
  ')
 diff --git a/aide.fc b/aide.fc
-index df6e4d0..4b99c25 100644
+index b2f47de..4b99c25 100644
 --- a/aide.fc
 +++ b/aide.fc
-@@ -3,4 +3,4 @@
- /var/lib/aide(/.*)	gen_context(system_u:object_r:aide_db_t,mls_systemhigh)
+@@ -1,7 +1,6 @@
+-/usr/bin/aide	--	gen_context(system_u:object_r:aide_exec_t,mls_systemhigh)
+ /usr/sbin/aide	--	gen_context(system_u:object_r:aide_exec_t,mls_systemhigh)
+ 
+-/var/lib/aide(/.*)?	gen_context(system_u:object_r:aide_db_t,mls_systemhigh)
++/var/lib/aide(/.*)	gen_context(system_u:object_r:aide_db_t,mls_systemhigh)
  
  /var/log/aide(/.*)?	gen_context(system_u:object_r:aide_log_t,mls_systemhigh)
--/var/log/aide\.log	--	gen_context(system_u:object_r:aide_log_t,mls_systemhigh)
-+/var/log/aide\.log.*	--	gen_context(system_u:object_r:aide_log_t,mls_systemhigh)
+ /var/log/aide\.log.*	--	gen_context(system_u:object_r:aide_log_t,mls_systemhigh)
 diff --git a/aide.if b/aide.if
 index 01cbb67..94a4a24 100644
 --- a/aide.if
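Review bot: the aide.fc hunk turns /var/lib/aide(/.*)? into /var/lib/aide(/.*), and without the trailing ? the expression no longer matches the /var/lib/aide directory itself, only paths beneath it. The base already carries the ? form, so this looks like a stale line carried over from the older patch and not an intended change; I would drop it. The removal of the /usr/bin/aide entry in the same hunk also needs a reason, since a binary at that path would no longer get aide_exec_t from this file.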
@@ -1681,9 +2798,15 @@ index 01cbb67..94a4a24 100644
  
  	files_list_etc($1)
 diff --git a/aide.te b/aide.te
-index 4b28ab3..a8e2f01 100644
+index 03831e6..a8e2f01 100644
 --- a/aide.te
 +++ b/aide.te
+@@ -1,4 +1,4 @@
+-policy_module(aide, 1.7.1)
++policy_module(aide, 1.6.1)
+ 
+ ########################################
+ #
 @@ -10,6 +10,7 @@ attribute_role aide_roles;
  type aide_t;
  type aide_exec_t;
@@ -1752,9 +2875,15 @@ index a2997fa..861cebd 100644
  	domain_system_change_exemption($1)
  	role_transition $2 aisexec_initrc_exec_t system_r;
 diff --git a/aisexec.te b/aisexec.te
-index 196f7cf..3b5354f 100644
+index 4e4f063..3b5354f 100644
 --- a/aisexec.te
 +++ b/aisexec.te
+@@ -1,4 +1,4 @@
+-policy_module(aisexec, 1.2.0)
++policy_module(aisexec, 1.1.1)
+ 
+ ########################################
+ #
 @@ -63,6 +63,7 @@ files_pid_filetrans(aisexec_t, aisexec_var_run_t, { file sock_file })
  kernel_read_system_state(aisexec_t)
  
@@ -1959,10 +3088,20 @@ index 0000000..a95a4ad
 +')
 +
 diff --git a/alsa.fc b/alsa.fc
-index 5de1e01..6620b08 100644
+index 33d9d31..6620b08 100644
 --- a/alsa.fc
 +++ b/alsa.fc
-@@ -19,4 +19,10 @@ HOME_DIR/\.asoundrc	--	gen_context(system_u:object_r:alsa_home_t,s0)
+@@ -1,9 +1,5 @@
+ HOME_DIR/\.asoundrc	--	gen_context(system_u:object_r:alsa_home_t,s0)
+ 
+-ifdef(`distro_debian',`
+-/\.config(/.*)?	gen_context(system_u:object_r:alsa_var_lib_t,s0)
+-')
+-
+ /bin/alsaunmute	--	gen_context(system_u:object_r:alsa_exec_t,s0)
+ 
+ /etc/alsa/asound\.state	--	gen_context(system_u:object_r:alsa_etc_rw_t,s0)
+@@ -23,4 +19,10 @@ ifdef(`distro_debian',`
  /usr/share/alsa/alsa\.conf	gen_context(system_u:object_r:alsa_etc_rw_t,s0)
  /usr/share/alsa/pcm(/.*)?	gen_context(system_u:object_r:alsa_etc_rw_t,s0)
  
@@ -1975,7 +3114,7 @@ index 5de1e01..6620b08 100644
 +
 +/var/run/alsactl\.pid		--	gen_context(system_u:object_r:alsa_var_run_t,s0)
 diff --git a/alsa.if b/alsa.if
-index 708b743..cc78465 100644
+index ca8d8cf..cc78465 100644
 --- a/alsa.if
 +++ b/alsa.if
 @@ -168,6 +168,7 @@ interface(`alsa_manage_home_files',`
@@ -1986,7 +3125,7 @@ index 708b743..cc78465 100644
  ')
  
  ########################################
-@@ -210,49 +211,85 @@ interface(`alsa_relabel_home_files',`
+@@ -210,68 +211,85 @@ interface(`alsa_relabel_home_files',`
  
  ########################################
  ## <summary>
@@ -2001,6 +3140,11 @@ index 708b743..cc78465 100644
  ##	</summary>
  ## </param>
 -## <param name="object_class">
+-##	<summary>
+-##	Class of the object being created.
+-##	</summary>
+-## </param>
+-## <param name="name" optional="true">
 +#
 +interface(`alsa_read_lib',`
 +	gen_require(`
@@ -2017,40 +3161,43 @@ index 708b743..cc78465 100644
 +## </summary>
 +## <param name="domain">
  ##	<summary>
--##	Class of the object being created.
+-##	The name of the object being created.
 +##      Domain allowed access.
  ##	</summary>
  ## </param>
--## <param name="name" optional="true">
-+#
+ #
+-interface(`alsa_home_filetrans_alsa_home',`
 +interface(`alsa_filetrans_home_content',`
-+	gen_require(`
-+		type alsa_home_t;
-+	')
-+
+ 	gen_require(`
+ 		type alsa_home_t;
+ 	')
+ 
+-	userdom_user_home_dir_filetrans($1, alsa_home_t, $2, $3)
 +	userdom_user_home_dir_filetrans($1, alsa_home_t, file, ".asoundrc")
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Read Alsa lib files.
 +##	Transition to alsa named content
-+## </summary>
-+## <param name="domain">
+ ## </summary>
+ ## <param name="domain">
  ##	<summary>
--##	The name of the object being created.
+-##	Domain allowed access.
 +##      Domain allowed access.
  ##	</summary>
  ## </param>
  #
--interface(`alsa_home_filetrans_alsa_home',`
+-interface(`alsa_read_lib',`
 +interface(`alsa_filetrans_named_content',`
  	gen_require(`
- 		type alsa_home_t;
++		type alsa_home_t;
 +		type alsa_etc_rw_t;
-+		type alsa_var_lib_t;
+ 		type alsa_var_lib_t;
  	')
  
--	userdom_user_home_dir_filetrans($1, alsa_home_t, $2, $3)
+-	files_search_var_lib($1)
+-	read_files_pattern($1, alsa_var_lib_t, alsa_var_lib_t)
 +	files_etc_filetrans($1, alsa_etc_rw_t, file, "asound.state")
 +	files_etc_filetrans($1, alsa_etc_rw_t, dir, "pcm")
 +	files_etc_filetrans($1, alsa_etc_rw_t, dir, "asound")
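Review bot: interface alsa_home_filetrans_alsa_home is replaced outright by alsa_filetrans_home_content, and the $2/$3 arguments become a fixed file class and ".asoundrc", so any module still calling the old name will no longer resolve. Keeping the old interface as a thin wrapper would avoid that. The same applies to alsa_write_lib, which later hunks turn into alsa_systemctl. Minor: the new "Domain allowed access." doc lines are indented with spaces where the lines they replace use a tab.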
@@ -2059,9 +3206,10 @@ index 708b743..cc78465 100644
 +	files_var_lib_filetrans($1, alsa_var_lib_t, dir, "alsa")
  ')
  
- ########################################
+-#########################################
++########################################
  ## <summary>
--##	Read Alsa lib files.
+-##	Write Alsa lib files.
 +##	Execute alsa server in the alsa domain.
  ## </summary>
  ## <param name="domain">
@@ -2071,7 +3219,7 @@ index 708b743..cc78465 100644
  ##	</summary>
  ## </param>
  #
--interface(`alsa_read_lib',`
+-interface(`alsa_write_lib',`
 +interface(`alsa_systemctl',`
  	gen_require(`
 -		type alsa_var_lib_t;
@@ -2080,7 +3228,7 @@ index 708b743..cc78465 100644
  	')
  
 -	files_search_var_lib($1)
--	read_files_pattern($1, alsa_var_lib_t, alsa_var_lib_t)
+-	write_files_pattern($1, alsa_var_lib_t, alsa_var_lib_t)
 +	systemd_exec_systemctl($1)
 +	allow $1 alsa_unit_file_t:file read_file_perms;
 +	allow $1 alsa_unit_file_t:service manage_service_perms;
@@ -2088,10 +3236,16 @@ index 708b743..cc78465 100644
 +	ps_process_pattern($1, alsa_t)
  ')
 diff --git a/alsa.te b/alsa.te
-index cda6d20..e1c91b5 100644
+index 4b153f1..e1c91b5 100644
 --- a/alsa.te
 +++ b/alsa.te
-@@ -15,22 +15,32 @@ role alsa_roles types alsa_t;
+@@ -1,4 +1,4 @@
+-policy_module(alsa, 1.12.2)
++policy_module(alsa, 1.11.4)
+ 
+ ########################################
+ #
+@@ -15,25 +15,32 @@ role alsa_roles types alsa_t;
  type alsa_etc_rw_t;
  files_config_file(alsa_etc_rw_t)
  
@@ -2101,6 +3255,9 @@ index cda6d20..e1c91b5 100644
  type alsa_tmp_t;
  files_tmp_file(alsa_tmp_t)
  
+-type alsa_tmpfs_t;
+-files_tmpfs_file(alsa_tmpfs_t)
+-
  type alsa_var_lib_t;
  files_type(alsa_var_lib_t)
  
@@ -2126,7 +3283,7 @@ index cda6d20..e1c91b5 100644
  allow alsa_t self:sem create_sem_perms;
  allow alsa_t self:shm create_shm_perms;
  allow alsa_t self:unix_stream_socket { accept listen };
-@@ -43,6 +53,9 @@ files_etc_filetrans(alsa_t, alsa_etc_rw_t, file)
+@@ -46,28 +53,31 @@ files_etc_filetrans(alsa_t, alsa_etc_rw_t, file)
  
  can_exec(alsa_t, alsa_exec_t)
  
@@ -2136,7 +3293,11 @@ index cda6d20..e1c91b5 100644
  manage_dirs_pattern(alsa_t, alsa_tmp_t, alsa_tmp_t)
  manage_files_pattern(alsa_t, alsa_tmp_t, alsa_tmp_t)
  files_tmp_filetrans(alsa_t, alsa_tmp_t, { dir file })
-@@ -51,7 +64,13 @@ userdom_user_tmp_filetrans(alsa_t, alsa_tmp_t, { dir file })
+ userdom_user_tmp_filetrans(alsa_t, alsa_tmp_t, { dir file })
+ 
+-allow alsa_t alsa_tmpfs_t:file manage_file_perms;
+-fs_tmpfs_filetrans(alsa_t, alsa_tmpfs_t, file)
+-
  manage_dirs_pattern(alsa_t, alsa_var_lib_t, alsa_var_lib_t)
  manage_files_pattern(alsa_t, alsa_var_lib_t, alsa_var_lib_t)
  
@@ -2150,15 +3311,17 @@ index cda6d20..e1c91b5 100644
  
  corecmd_exec_bin(alsa_t)
  
-@@ -59,7 +78,6 @@ dev_read_sound(alsa_t)
+-dev_getattr_fs(alsa_t)
+ dev_read_sound(alsa_t)
  dev_read_sysfs(alsa_t)
+-dev_read_urand(alsa_t)
  dev_write_sound(alsa_t)
  
 -files_read_usr_files(alsa_t)
  files_search_var_lib(alsa_t)
  
  term_dontaudit_use_console(alsa_t)
-@@ -72,8 +90,6 @@ init_use_fds(alsa_t)
+@@ -80,35 +90,10 @@ init_use_fds(alsa_t)
  
  logging_send_syslog_msg(alsa_t)
  
@@ -2167,6 +3330,33 @@ index cda6d20..e1c91b5 100644
  userdom_manage_unpriv_user_semaphores(alsa_t)
  userdom_manage_unpriv_user_shared_mem(alsa_t)
  userdom_search_user_home_dirs(alsa_t)
+ 
+-ifdef(`distro_debian',`
+-	term_dontaudit_use_unallocated_ttys(alsa_t)
+-
+-	# Gnome 3.4 bug
+-	dev_associate(alsa_tmpfs_t)
+-
+-	allow alsa_t self:capability kill;
+-
+-	manage_lnk_files_pattern(alsa_t, alsa_var_lib_t, alsa_var_lib_t)
+-	files_root_filetrans(alsa_t, alsa_var_lib_t, dir, ".config")
+-
+-	fs_list_tmpfs(alsa_t)
+-
+-	optional_policy(`
+-		dbus_read_lib_files(alsa_t)
+-	')
+-
+-	optional_policy(`
+-		pulseaudio_run(alsa_t, system_r)
+-		pulseaudio_tmpfs_content(alsa_tmpfs_t)
+-	')
+-')
+-
+ optional_policy(`
+ 	hal_use_fds(alsa_t)
+ 	hal_write_log(alsa_t)
 diff --git a/amanda.fc b/amanda.fc
 index 7f4dfbc..e5c9f45 100644
 --- a/amanda.fc
@@ -2188,9 +3378,15 @@ index 7f4dfbc..e5c9f45 100644
  /usr/sbin/amrecover	--	gen_context(system_u:object_r:amanda_recover_exec_t,s0)
  
 diff --git a/amanda.te b/amanda.te
-index ed45974..f367ba0 100644
+index 519051c..f367ba0 100644
 --- a/amanda.te
 +++ b/amanda.te
+@@ -1,4 +1,4 @@
+-policy_module(amanda, 1.15.0)
++policy_module(amanda, 1.14.2)
+ 
+ #######################################
+ #
 @@ -9,11 +9,14 @@ attribute_role amanda_recover_roles;
  roleattribute system_r amanda_recover_roles;
  
@@ -2350,9 +3546,15 @@ index 60d4f8c..18ef077 100644
   	domain_system_change_exemption($1)
   	role_transition $2 amavis_initrc_exec_t system_r;
 diff --git a/amavis.te b/amavis.te
-index ab55ba7..a95b541 100644
+index 91fa72a..a95b541 100644
 --- a/amavis.te
 +++ b/amavis.te
+@@ -1,4 +1,4 @@
+-policy_module(amavis, 1.15.0)
++policy_module(amavis, 1.14.3)
+ 
+ ########################################
+ #
 @@ -39,7 +39,7 @@ type amavis_quarantine_t;
  files_type(amavis_quarantine_t)
  
@@ -2435,10 +3637,26 @@ index ab55ba7..a95b541 100644
  	postfix_read_config(amavis_t)
  	postfix_list_spool(amavis_t)
  ')
+diff --git a/amtu.fc b/amtu.fc
+index b21a14a..67e5f70 100644
+--- a/amtu.fc
++++ b/amtu.fc
+@@ -1,4 +1,5 @@
+ /etc/rc\.d/init\.d/amtu	--	gen_context(system_u:object_r:amtu_initrc_exec_t,s0)
+ 
+ /usr/bin/amtu	--	gen_context(system_u:object_r:amtu_exec_t,s0)
++
+ /usr/sbin/amtu	--	gen_context(system_u:object_r:amtu_exec_t,s0)
 diff --git a/amtu.te b/amtu.te
-index c960f92..486e9ed 100644
+index 16d0d66..486e9ed 100644
 --- a/amtu.te
 +++ b/amtu.te
+@@ -1,4 +1,4 @@
+-policy_module(amtu, 1.3.0)
++policy_module(amtu, 1.2.3)
+ 
+ ########################################
+ #
 @@ -24,11 +24,10 @@ kernel_read_system_state(amtu_t)
  
  files_manage_boot_files(amtu_t)
@@ -2524,10 +3742,14 @@ index 14a61b7..21bbf36 100644
 +')
 +
 diff --git a/anaconda.te b/anaconda.te
-index 6f1384c..f226596 100644
+index aa44abf..f226596 100644
 --- a/anaconda.te
 +++ b/anaconda.te
-@@ -4,6 +4,10 @@ gen_require(`
+@@ -1,9 +1,13 @@
+-policy_module(anaconda, 1.7.0)
++policy_module(anaconda, 1.6.1)
+ 
+ gen_require(`
  	class passwd all_passwd_perms;
  ')
  
@@ -3255,10 +4477,10 @@ index 0000000..cb58319
 +	spamassassin_read_pid_files(antivirus_domain)
 +')
 diff --git a/apache.fc b/apache.fc
-index 550a69e..044b13d 100644
+index 7caefc3..044b13d 100644
 --- a/apache.fc
 +++ b/apache.fc
-@@ -1,161 +1,214 @@
+@@ -1,162 +1,214 @@
 -HOME_DIR/((www)|(web)|(public_html))(/.+)?	gen_context(system_u:object_r:httpd_user_content_t,s0)
 -HOME_DIR/((www)|(web)|(public_html))/cgi-bin(/.+)?	gen_context(system_u:object_r:httpd_user_script_exec_t,s0)
 +HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
@@ -3563,7 +4785,7 @@ index 550a69e..044b13d 100644
 -/var/spool/viewvc(/.*)?	gen_context(system_u:object_r:httpd_sys_rw_content_t, s0)
 -
 -/var/www(/.*)?	gen_context(system_u:object_r:httpd_sys_content_t,s0)
--/var/www(/.*)?/logs(/.*)?	gen_context(system_u:object_r:httpd_log_t,s0)
+-/var/www(/.*)?/logs(/.*)?	gen_context(system_u:object_r:httpd_sys_ra_content_t,s0)
 -/var/www/[^/]*/cgi-bin(/.*)?	gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
 -/var/www/cgi-bin(/.*)?	gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
 -/var/www/gallery/albums(/.*)?	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
@@ -3573,6 +4795,7 @@ index 550a69e..044b13d 100644
 -/var/www/html/configuration\.php	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
 -/var/www/html/wp-content(/.*)?	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
 -/var/www/icons(/.*)?	gen_context(system_u:object_r:httpd_sys_content_t,s0)
+-/var/www/miq/vmdb/log(/.*)?	gen_context(system_u:object_r:httpd_sys_ra_content_t,s0)
 -/var/www/moodledata(/.*)?	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
 -/var/www/perl(/.*)?	gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
 -/var/www/svn(/.*)?	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
@@ -3612,7 +4835,7 @@ index 550a69e..044b13d 100644
 +/var/run/dirsrv/admin-serv.*	gen_context(system_u:object_r:httpd_var_run_t,s0)
 +/opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)?       gen_context(system_u:object_r:httpd_var_run_t,s0)
 diff --git a/apache.if b/apache.if
-index 83e899c..fca846b 100644
+index f6eb485..fca846b 100644
 --- a/apache.if
 +++ b/apache.if
 @@ -1,9 +1,9 @@
@@ -3777,11 +5000,11 @@ index 83e899c..fca846b 100644
 -	')
 +		# privileged users run the script:
 +		domtrans_pattern(httpd_exec_scripts, httpd_$1_script_exec_t, httpd_$1_script_t)
++
++		allow httpd_exec_scripts httpd_$1_script_exec_t:file read_file_perms;
  
 -	tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
 -		filetrans_pattern(httpd_t, httpd_$1_content_t, httpd_$1_rw_content_t, { file dir fifo_file lnk_file sock_file })
-+		allow httpd_exec_scripts httpd_$1_script_exec_t:file read_file_perms;
-+
 +		# apache runs the script:
 +		domtrans_pattern(httpd_t, httpd_$1_script_exec_t, httpd_$1_script_t)
 +		allow httpd_t httpd_$1_script_t:unix_dgram_socket sendto;
@@ -4013,12 +5236,10 @@ index 83e899c..fca846b 100644
  
 -	dontaudit $1 httpd_t:fifo_file rw_fifo_file_perms;
 +	dontaudit $1 httpd_t:fifo_file rw_inherited_fifo_file_perms;
- ')
- 
- ########################################
- ## <summary>
--##	Do not audit attempts to read and
--##	write httpd unix domain stream sockets.
++')
++
++########################################
++## <summary>
 +##	Allow attempts to read and write Apache
 +##	unix domain stream sockets.
 +## </summary>
@@ -4034,10 +5255,12 @@ index 83e899c..fca846b 100644
 +	')
 +
 +	allow $1 httpd_t:unix_stream_socket { getattr read write };
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Do not audit attempts to read and
+-##	write httpd unix domain stream sockets.
 +##	Do not audit attempts to read and write Apache
 +##	unix domain stream sockets.
  ## </summary>
@@ -4505,31 +5728,11 @@ index 83e899c..fca846b 100644
  
 -########################################
 +######################################
-+## <summary>
-+##	Allow the specified domain to read
-+##	apache system content rw files.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+## <rolecap/>
-+#
-+interface(`apache_read_sys_content_rw_files',`
-+	gen_require(`
-+		type httpd_sys_rw_content_t;
-+	')
-+
-+	read_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
-+')
-+
-+######################################
  ## <summary>
 -##	Create, read, write, and delete
 -##	httpd system rw content.
 +##	Allow the specified domain to read
-+##	apache system content rw dirs.
++##	apache system content rw files.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -4539,12 +5742,32 @@ index 83e899c..fca846b 100644
 +## <rolecap/>
  #
 -interface(`apache_manage_sys_rw_content',`
-+interface(`apache_read_sys_content_rw_dirs',`
++interface(`apache_read_sys_content_rw_files',`
  	gen_require(`
  		type httpd_sys_rw_content_t;
  	')
  
 -	apache_search_sys_content($1)
++	read_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
++')
++
++######################################
++## <summary>
++##	Allow the specified domain to read
++##	apache system content rw dirs.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`apache_read_sys_content_rw_dirs',`
++	gen_require(`
++		type httpd_sys_rw_content_t;
++	')
++
 +	list_dirs_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
 +')
 +
@@ -4723,16 +5946,18 @@ index 83e899c..fca846b 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1070,13 +1273,22 @@ interface(`apache_search_sys_scripts',`
- ## <rolecap/>
+@@ -1071,18 +1274,21 @@ interface(`apache_search_sys_scripts',`
  #
  interface(`apache_manage_all_user_content',`
--	refpolicywarn(`$0($*) has been deprecated, use apache_manage_all_content() instead.')
--	apache_manage_all_content($1)
-+	gen_require(`
+ 	gen_require(`
+-		type httpd_user_content_t, httpd_user_content_rw_t, httpd_user_content_ra_t;
+-		type httpd_user_htaccess_t, httpd_user_script_exec_t;
 +		attribute httpd_user_content_type, httpd_user_script_exec_type;
-+	')
-+
+ 	')
+ 
+-	manage_dirs_pattern($1, { httpd_user_content_t httpd_user_content_rw_t httpd_user_content_ra_t httpd_user_script_exec_t }, { httpd_user_content_t httpd_user_content_rw_t httpd_user_content_ra_t httpd_user_script_exec_t })
+-	manage_files_pattern($1, { httpd_user_content_t httpd_user_content_rw_t httpd_user_content_ra_t httpd_user_script_exec_t httpd_user_htaccess_t }, { httpd_user_content_t httpd_user_content_rw_t httpd_user_content_ra_t httpd_user_script_exec_t httpd_user_htaccess_t })
+-	manage_lnk_files_pattern($1, { httpd_user_content_t httpd_user_content_rw_t httpd_user_content_ra_t httpd_user_script_exec_t }, { httpd_user_content_t httpd_user_content_rw_t httpd_user_content_ra_t httpd_user_script_exec_t })
 +	manage_dirs_pattern($1, httpd_user_content_type, httpd_user_content_type)
 +	manage_files_pattern($1, httpd_user_content_type, httpd_user_content_type)
 +	manage_lnk_files_pattern($1, httpd_user_content_type, httpd_user_content_type)
@@ -4749,7 +5974,7 @@ index 83e899c..fca846b 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1094,7 +1306,8 @@ interface(`apache_search_sys_script_state',`
+@@ -1100,7 +1306,8 @@ interface(`apache_search_sys_script_state',`
  
  ########################################
  ## <summary>
@@ -4759,7 +5984,7 @@ index 83e899c..fca846b 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1111,10 +1324,29 @@ interface(`apache_read_tmp_files',`
+@@ -1117,10 +1324,29 @@ interface(`apache_read_tmp_files',`
  	read_files_pattern($1, httpd_tmp_t, httpd_tmp_t)
  ')
  
@@ -4791,7 +6016,7 @@ index 83e899c..fca846b 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1127,7 +1359,7 @@ interface(`apache_dontaudit_write_tmp_files',`
+@@ -1133,7 +1359,7 @@ interface(`apache_dontaudit_write_tmp_files',`
  		type httpd_tmp_t;
  	')
  
@@ -4800,7 +6025,7 @@ index 83e899c..fca846b 100644
  ')
  
  ########################################
-@@ -1136,6 +1368,9 @@ interface(`apache_dontaudit_write_tmp_files',`
+@@ -1142,6 +1368,9 @@ interface(`apache_dontaudit_write_tmp_files',`
  ## </summary>
  ##	<desc>
  ##	<p>
@@ -4810,7 +6035,7 @@ index 83e899c..fca846b 100644
  ##	This is an interface to support third party modules
  ##	and its use is not allowed in upstream reference
  ##	policy.
-@@ -1165,8 +1400,30 @@ interface(`apache_cgi_domain',`
+@@ -1171,8 +1400,30 @@ interface(`apache_cgi_domain',`
  
  ########################################
  ## <summary>
@@ -4843,16 +6068,16 @@ index 83e899c..fca846b 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1183,18 +1440,19 @@ interface(`apache_cgi_domain',`
+@@ -1189,18 +1440,19 @@ interface(`apache_cgi_domain',`
  interface(`apache_admin',`
  	gen_require(`
  		attribute httpdcontent, httpd_script_exec_type;
 -		attribute httpd_script_domains, httpd_htaccess_type;
  		type httpd_t, httpd_config_t, httpd_log_t;
 -		type httpd_modules_t, httpd_lock_t, httpd_helper_t;
--		type httpd_var_run_t, httpd_keytab_t, httpd_passwd_t;
+-		type httpd_var_run_t, httpd_passwd_t, httpd_suexec_t;
 -		type httpd_suexec_tmp_t, httpd_tmp_t, httpd_rotatelogs_t;
--		type httpd_initrc_exec_t, httpd_suexec_t;
+-		type httpd_initrc_exec_t, httpd_keytab_t;
 +		type httpd_modules_t, httpd_lock_t, httpd_bool_t;
 +		type httpd_var_run_t, httpd_php_tmp_t, httpd_initrc_exec_t;
 +		type httpd_suexec_tmp_t, httpd_tmp_t;
@@ -4872,12 +6097,12 @@ index 83e899c..fca846b 100644
  
  	init_labeled_script_domtrans($1, httpd_initrc_exec_t)
  	domain_system_change_exemption($1)
-@@ -1204,10 +1462,10 @@ interface(`apache_admin',`
+@@ -1210,10 +1462,10 @@ interface(`apache_admin',`
  	apache_manage_all_content($1)
  	miscfiles_manage_public_files($1)
  
 -	files_search_etc($1)
--	admin_pattern($1, { httpd_config_t httpd_keytab_t })
+-	admin_pattern($1, { httpd_keytab_t httpd_config_t })
 +	files_list_etc($1)
 +	admin_pattern($1, httpd_config_t)
  
@@ -4886,7 +6111,7 @@ index 83e899c..fca846b 100644
  	admin_pattern($1, httpd_log_t)
  
  	admin_pattern($1, httpd_modules_t)
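Review bot: admin_pattern($1, { httpd_keytab_t httpd_config_t }) becomes admin_pattern($1, httpd_config_t), and httpd_keytab_t is also dropped from the gen_require in the previous hunk and from the type declarations in apache.te. Please check that no file context entry or other module still references httpd_keytab_t, and mention the removal in the changelog, since keytab files would fall back to whatever label their directory gives them. The switch from files_search_etc($1) to files_list_etc($1) in the same hunk widens the admin's access on /etc slightly and could use a short comment.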
-@@ -1218,9 +1476,141 @@ interface(`apache_admin',`
+@@ -1224,9 +1476,141 @@ interface(`apache_admin',`
  	admin_pattern($1, httpd_var_run_t)
  	files_pid_filetrans($1, httpd_var_run_t, file)
  
@@ -5033,11 +6258,11 @@ index 83e899c..fca846b 100644
 +	filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
  ')
 diff --git a/apache.te b/apache.te
-index 1a82e29..0cbe4c8 100644
+index 6649962..17c4c9a 100644
 --- a/apache.te
 +++ b/apache.te
-@@ -1,297 +1,381 @@
--policy_module(apache, 2.6.10)
+@@ -1,300 +1,381 @@
+-policy_module(apache, 2.7.2)
 +policy_module(apache, 2.4.0)
 +
 +#
@@ -5535,12 +6760,14 @@ index 1a82e29..0cbe4c8 100644
  type httpd_initrc_exec_t;
  init_script_file(httpd_initrc_exec_t)
  
+-type httpd_keytab_t;
+-files_type(httpd_keytab_t)
 +type httpd_unit_file_t;
 +ifdef(`distro_redhat',`
 +	typealias httpd_unit_file_t alias phpfpm_unit_file_t;
 +')
 +systemd_unit_file(httpd_unit_file_t)
-+
+ 
  type httpd_lock_t;
  files_lock_file(httpd_lock_t)
  
@@ -5567,7 +6794,7 @@ index 1a82e29..0cbe4c8 100644
  type httpd_rotatelogs_t;
  type httpd_rotatelogs_exec_t;
  init_daemon_domain(httpd_rotatelogs_t, httpd_rotatelogs_exec_t)
-@@ -299,10 +383,8 @@ init_daemon_domain(httpd_rotatelogs_t, httpd_rotatelogs_exec_t)
+@@ -302,10 +383,8 @@ init_daemon_domain(httpd_rotatelogs_t, httpd_rotatelogs_exec_t)
  type httpd_squirrelmail_t;
  files_type(httpd_squirrelmail_t)
  
@@ -5580,7 +6807,7 @@ index 1a82e29..0cbe4c8 100644
  type httpd_suexec_exec_t;
  domain_type(httpd_suexec_t)
  domain_entry_file(httpd_suexec_t, httpd_suexec_exec_t)
-@@ -311,9 +393,19 @@ role system_r types httpd_suexec_t;
+@@ -314,9 +393,19 @@ role system_r types httpd_suexec_t;
  type httpd_suexec_tmp_t;
  files_tmp_file(httpd_suexec_tmp_t)
  
@@ -5602,7 +6829,7 @@ index 1a82e29..0cbe4c8 100644
  
  type httpd_tmp_t;
  files_tmp_file(httpd_tmp_t)
-@@ -323,12 +415,19 @@ files_tmpfs_file(httpd_tmpfs_t)
+@@ -326,12 +415,19 @@ files_tmpfs_file(httpd_tmpfs_t)
  
  apache_content_template(user)
  ubac_constrained(httpd_user_script_t)
@@ -5622,7 +6849,7 @@ index 1a82e29..0cbe4c8 100644
  typealias httpd_user_content_t alias { httpd_auditadm_content_t httpd_secadm_content_t };
  typealias httpd_user_content_t alias { httpd_staff_script_ro_t httpd_sysadm_script_ro_t };
  typealias httpd_user_content_t alias { httpd_auditadm_script_ro_t httpd_secadm_script_ro_t };
-@@ -343,33 +442,40 @@ typealias httpd_user_rw_content_t alias { httpd_auditadm_script_rw_t httpd_secad
+@@ -346,33 +442,40 @@ typealias httpd_user_rw_content_t alias { httpd_auditadm_script_rw_t httpd_secad
  typealias httpd_user_ra_content_t alias { httpd_staff_script_ra_t httpd_sysadm_script_ra_t };
  typealias httpd_user_ra_content_t alias { httpd_auditadm_script_ra_t httpd_secadm_script_ra_t };
  
@@ -5674,7 +6901,7 @@ index 1a82e29..0cbe4c8 100644
  allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  allow httpd_t self:fd use;
  allow httpd_t self:sock_file read_sock_file_perms;
-@@ -378,28 +484,37 @@ allow httpd_t self:shm create_shm_perms;
+@@ -381,30 +484,37 @@ allow httpd_t self:shm create_shm_perms;
  allow httpd_t self:sem create_sem_perms;
  allow httpd_t self:msgq create_msgq_perms;
  allow httpd_t self:msg { send receive };
@@ -5699,8 +6926,9 @@ index 1a82e29..0cbe4c8 100644
  read_files_pattern(httpd_t, httpd_config_t, httpd_config_t)
  read_lnk_files_pattern(httpd_t, httpd_config_t, httpd_config_t)
  
+-allow httpd_t httpd_keytab_t:file read_file_perms;
 +can_exec(httpd_t, httpd_exec_t)
-+
+ 
  allow httpd_t httpd_lock_t:file manage_file_perms;
  files_lock_filetrans(httpd_t, httpd_lock_t, file)
  
@@ -5717,7 +6945,7 @@ index 1a82e29..0cbe4c8 100644
  logging_log_filetrans(httpd_t, httpd_log_t, file)
  
  allow httpd_t httpd_modules_t:dir list_dir_perms;
-@@ -407,14 +522,21 @@ mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
+@@ -412,14 +522,21 @@ mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
  read_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
  read_lnk_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
  
@@ -5739,7 +6967,7 @@ index 1a82e29..0cbe4c8 100644
  allow httpd_t httpd_sys_script_t:unix_stream_socket connectto;
  
  manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
-@@ -445,140 +567,173 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
+@@ -450,140 +567,174 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
  manage_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
  manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
  
@@ -5813,10 +7041,10 @@ index 1a82e29..0cbe4c8 100644
 +# execute perl
 +corecmd_exec_bin(httpd_t)
 +corecmd_exec_shell(httpd_t)
- 
++
 +domain_use_interactive_fds(httpd_t)
 +domain_dontaudit_read_all_domains_state(httpd_t)
-+
+ 
 +files_dontaudit_search_all_pids(httpd_t)
  files_dontaudit_getattr_all_pids(httpd_t)
 -files_read_usr_files(httpd_t)
@@ -5918,6 +7146,7 @@ index 1a82e29..0cbe4c8 100644
 -	corenet_sendrecv_oracledb_client_packets(httpd_t)
 -	corenet_tcp_connect_oracledb_port(httpd_t)
 -	corenet_tcp_sendrecv_oracledb_port(httpd_t)
++	corenet_tcp_connect_mongod_port(httpd_t)
 +	corenet_sendrecv_mssql_client_packets(httpd_t)
 +	corenet_tcp_connect_oracle_port(httpd_t)
 +	corenet_sendrecv_oracle_client_packets(httpd_t)
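Review bot: the added `corenet_tcp_connect_mongod_port(httpd_t)` line grants only the TCP connect, while the oracle entry just below it pairs `corenet_tcp_connect_oracle_port` with `corenet_sendrecv_oracle_client_packets`. If the missing client-packets call for mongod is intentional, say so in the changelog; otherwise add the companion call so the MongoDB entry matches its neighbours. The commit message places this under `httpd_can_network_connect_db` (BZ 1209180), so the boolean's description should mention MongoDB as well. An admin who enables it for another database is otherwise also opening the mongod port to httpd_t without knowing it.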
@@ -5978,7 +7207,7 @@ index 1a82e29..0cbe4c8 100644
  ')
  
  tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
-@@ -589,28 +744,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
+@@ -594,28 +745,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
  	fs_cifs_domtrans(httpd_t, httpd_sys_script_t)
  ')
  
@@ -6038,7 +7267,7 @@ index 1a82e29..0cbe4c8 100644
  ')
  
  tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -619,68 +796,44 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
+@@ -624,68 +797,44 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
  	fs_read_nfs_symlinks(httpd_t)
  ')
  
@@ -6129,7 +7358,7 @@ index 1a82e29..0cbe4c8 100644
  ')
  
  tunable_policy(`httpd_setrlimit',`
-@@ -690,49 +843,48 @@ tunable_policy(`httpd_setrlimit',`
+@@ -695,49 +844,48 @@ tunable_policy(`httpd_setrlimit',`
  
  tunable_policy(`httpd_ssi_exec',`
  	corecmd_shell_domtrans(httpd_t, httpd_sys_script_t)
@@ -6210,7 +7439,7 @@ index 1a82e29..0cbe4c8 100644
  ')
  
  optional_policy(`
-@@ -744,24 +896,32 @@ optional_policy(`
+@@ -749,24 +897,32 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -6249,7 +7478,7 @@ index 1a82e29..0cbe4c8 100644
  ')
  
  optional_policy(`
-@@ -770,6 +930,10 @@ optional_policy(`
+@@ -775,6 +931,10 @@ optional_policy(`
  	tunable_policy(`httpd_dbus_avahi',`
  		avahi_dbus_chat(httpd_t)
  	')
@@ -6260,19 +7489,28 @@ index 1a82e29..0cbe4c8 100644
  ')
  
  optional_policy(`
-@@ -781,34 +945,58 @@ optional_policy(`
+@@ -786,35 +946,58 @@ optional_policy(`
  ')
  
  optional_policy(`
+-	kerberos_manage_host_rcache(httpd_t)
+-	kerberos_read_keytab(httpd_t)
+-	kerberos_tmp_filetrans_host_rcache(httpd_t, file, "HTTP_23")
+-	kerberos_tmp_filetrans_host_rcache(httpd_t, file, "HTTP_48")
+-	kerberos_use(httpd_t)
 +	tunable_policy(`httpd_enable_cgi && httpd_use_gpg',`
 +		gpg_domtrans_web(httpd_t)
 +	')
-+')
-+
-+optional_policy(`
+ ')
+ 
+ optional_policy(`
+-	ldap_stream_connect(httpd_t)
 +	gssproxy_stream_connect(httpd_t)
 +')
-+
+ 
+-	tunable_policy(`httpd_can_network_connect_ldap',`
+-		ldap_tcp_connect(httpd_t)
+-	')
 +optional_policy(`
 +    ipa_search_lib(httpd_t)
 +')
@@ -6289,21 +7527,14 @@ index 1a82e29..0cbe4c8 100644
 +')
 +
 +optional_policy(`
- 	kerberos_keytab_template(httpd, httpd_t)
--	kerberos_manage_host_rcache(httpd_t)
--	kerberos_tmp_filetrans_host_rcache(httpd_t, file, "HTTP_23")
--	kerberos_tmp_filetrans_host_rcache(httpd_t, file, "HTTP_48")
++	kerberos_keytab_template(httpd, httpd_t)
 +	kerberos_tmp_filetrans_host_rcache(httpd_t, "HTTP_23")
 +	kerberos_tmp_filetrans_host_rcache(httpd_t, "HTTP_48")
- ')
- 
- optional_policy(`
++')
++
++optional_policy(`
 +	# needed by FreeIPA
- 	ldap_stream_connect(httpd_t)
--
--	tunable_policy(`httpd_can_network_connect_ldap',`
--		ldap_tcp_connect(httpd_t)
--	')
++	ldap_stream_connect(httpd_t)
 +	ldap_read_certs(httpd_t)
  ')
  
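Review bot: the two `kerberos_tmp_filetrans_host_rcache` calls carried in this hunk pass two arguments, `(httpd_t, "HTTP_23")`, while the base lines they replace pass three, `(httpd_t, file, "HTTP_23")`. Please confirm that the F20 definition of the interface takes the file name as its second parameter. If it follows the base signature, the name string lands in the object-class position and the named transition for the replay cache is not what the line intends.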
@@ -6330,7 +7561,7 @@ index 1a82e29..0cbe4c8 100644
  
  	tunable_policy(`httpd_manage_ipa',`
  		memcached_manage_pid_files(httpd_t)
-@@ -816,8 +1004,18 @@ optional_policy(`
+@@ -822,8 +1005,18 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -6349,7 +7580,7 @@ index 1a82e29..0cbe4c8 100644
  
  	tunable_policy(`httpd_can_network_connect_db',`
  		mysql_tcp_connect(httpd_t)
-@@ -826,6 +1024,7 @@ optional_policy(`
+@@ -832,6 +1025,7 @@ optional_policy(`
  
  optional_policy(`
  	nagios_read_config(httpd_t)
@@ -6357,7 +7588,7 @@ index 1a82e29..0cbe4c8 100644
  ')
  
  optional_policy(`
-@@ -836,20 +1035,40 @@ optional_policy(`
+@@ -842,20 +1036,40 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -6404,7 +7635,7 @@ index 1a82e29..0cbe4c8 100644
  ')
  
  optional_policy(`
-@@ -857,19 +1076,35 @@ optional_policy(`
+@@ -863,19 +1077,35 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -6440,7 +7671,7 @@ index 1a82e29..0cbe4c8 100644
  	udev_read_db(httpd_t)
  ')
  
-@@ -877,65 +1112,173 @@ optional_policy(`
+@@ -883,65 +1113,173 @@ optional_policy(`
  	yam_read_content(httpd_t)
  ')
  
@@ -6636,7 +7867,7 @@ index 1a82e29..0cbe4c8 100644
  files_dontaudit_search_pids(httpd_suexec_t)
  files_search_home(httpd_suexec_t)
  
-@@ -944,123 +1287,74 @@ auth_use_nsswitch(httpd_suexec_t)
+@@ -950,123 +1288,74 @@ auth_use_nsswitch(httpd_suexec_t)
  logging_search_logs(httpd_suexec_t)
  logging_send_syslog_msg(httpd_suexec_t)
  
@@ -6791,7 +8022,7 @@ index 1a82e29..0cbe4c8 100644
  	mysql_read_config(httpd_suexec_t)
  
  	tunable_policy(`httpd_can_network_connect_db',`
-@@ -1077,172 +1371,106 @@ optional_policy(`
+@@ -1083,172 +1372,106 @@ optional_policy(`
  	')
  ')
  
@@ -6813,11 +8044,11 @@ index 1a82e29..0cbe4c8 100644
 -allow httpd_script_domains self:unix_stream_socket connectto;
 -
 -allow httpd_script_domains httpd_sys_content_t:dir search_dir_perms;
-+allow httpd_sys_script_t self:process getsched;
- 
+-
 -append_files_pattern(httpd_script_domains, httpd_log_t, httpd_log_t)
 -read_lnk_files_pattern(httpd_script_domains, httpd_log_t, httpd_log_t)
--
++allow httpd_sys_script_t self:process getsched;
+ 
 -kernel_dontaudit_search_sysctl(httpd_script_domains)
 -kernel_dontaudit_search_kernel_sysctl(httpd_script_domains)
 -
@@ -6963,7 +8194,8 @@ index 1a82e29..0cbe4c8 100644
 -allow httpd_sys_script_t httpd_t:tcp_socket { read write };
 -
 -dontaudit httpd_sys_script_t httpd_config_t:dir search;
--
++corenet_all_recvfrom_netlabel(httpd_sys_script_t)
+ 
 -allow httpd_sys_script_t httpd_squirrelmail_t:file { append_file_perms read_file_perms };
 -
 -allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms;
@@ -6989,8 +8221,7 @@ index 1a82e29..0cbe4c8 100644
 -	corenet_sendrecv_pop_client_packets(httpd_sys_script_t)
 -	corenet_tcp_connect_pop_port(httpd_sys_script_t)
 -	corenet_tcp_sendrecv_pop_port(httpd_sys_script_t)
-+corenet_all_recvfrom_netlabel(httpd_sys_script_t)
- 
+-
 -	mta_send_mail(httpd_sys_script_t)
 -	mta_signal_system_mail(httpd_sys_script_t)
 +tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
@@ -7028,7 +8259,7 @@ index 1a82e29..0cbe4c8 100644
  ')
  
  tunable_policy(`httpd_read_user_content',`
-@@ -1250,64 +1478,74 @@ tunable_policy(`httpd_read_user_content',`
+@@ -1256,64 +1479,74 @@ tunable_policy(`httpd_read_user_content',`
  ')
  
  tunable_policy(`httpd_use_cifs',`
@@ -7125,7 +8356,7 @@ index 1a82e29..0cbe4c8 100644
  
  ########################################
  #
-@@ -1315,8 +1553,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
+@@ -1321,8 +1554,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
  #
  
  optional_policy(`
@@ -7142,7 +8373,7 @@ index 1a82e29..0cbe4c8 100644
  ')
  
  ########################################
-@@ -1324,49 +1569,38 @@ optional_policy(`
+@@ -1330,49 +1570,38 @@ optional_policy(`
  # User content local policy
  #
  
@@ -7207,7 +8438,7 @@ index 1a82e29..0cbe4c8 100644
  kernel_read_system_state(httpd_passwd_t)
  
  corecmd_exec_bin(httpd_passwd_t)
-@@ -1376,38 +1610,100 @@ dev_read_urand(httpd_passwd_t)
+@@ -1382,38 +1611,100 @@ dev_read_urand(httpd_passwd_t)
  
  domain_use_interactive_fds(httpd_passwd_t)
  
@@ -7434,9 +8665,15 @@ index f3c0aba..cbe3d4a 100644
 +	files_etc_filetrans(apcupsd_t, apcupsd_power_t, file, "powerfail")
  ')
 diff --git a/apcupsd.te b/apcupsd.te
-index b236327..a813b6c 100644
+index 080bc4d..a813b6c 100644
 --- a/apcupsd.te
 +++ b/apcupsd.te
+@@ -1,4 +1,4 @@
+-policy_module(apcupsd, 1.9.0)
++policy_module(apcupsd, 1.8.4)
+ 
+ ########################################
+ #
 @@ -24,6 +24,12 @@ files_tmp_file(apcupsd_tmp_t)
  type apcupsd_var_run_t;
  files_pid_file(apcupsd_var_run_t)
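Review bot: the new `policy_module(apcupsd, 1.8.4)` line at the top of apcupsd.te moves the module version backwards from the base's 1.9.0, and the same kind of hunk repeats further down for apm, apt, arpwatch, asterisk, authbind, automount, avahi, awstats and backup. Unless something in F20 depends on the old numbers, drop these version-only hunks and keep the base value. The patch gets smaller, and the next rebase no longer has to touch line 1 of every module.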
@@ -7590,9 +8827,15 @@ index 1a7a97e..1d29dce 100644
  	domain_system_change_exemption($1)
  	role_transition $2 apmd_initrc_exec_t system_r;
 diff --git a/apm.te b/apm.te
-index 3590e2f..1d8a844 100644
+index 7fd431b..1d8a844 100644
 --- a/apm.te
 +++ b/apm.te
+@@ -1,4 +1,4 @@
+-policy_module(apm, 1.12.0)
++policy_module(apm, 1.11.4)
+ 
+ ########################################
+ #
 @@ -35,6 +35,9 @@ files_type(apmd_var_lib_t)
  type apmd_var_run_t;
  files_pid_file(apmd_var_run_t)
@@ -7686,11 +8929,54 @@ index 3590e2f..1d8a844 100644
  ')
  
  optional_policy(`
+diff --git a/apt.fc b/apt.fc
+index 7b20801..1fd6888 100644
+--- a/apt.fc
++++ b/apt.fc
+@@ -1,11 +1,9 @@
+-/etc/cron\.daily/apt	--	gen_context(system_u:object_r:apt_exec_t,s0)
+-
+ ifndef(`distro_redhat',`
+ /usr/bin/apt-get	--	gen_context(system_u:object_r:apt_exec_t,s0)
+ /usr/bin/apt-shell	--	gen_context(system_u:object_r:apt_exec_t,s0)
+ /usr/bin/aptitude	--	gen_context(system_u:object_r:apt_exec_t,s0)
+-/usr/sbin/synaptic	--	gen_context(system_u:object_r:apt_exec_t,s0)
+ /usr/lib/packagekit/packagekitd	--	gen_context(system_u:object_r:apt_exec_t,s0)
++/usr/sbin/synaptic	--	gen_context(system_u:object_r:apt_exec_t,s0)
+ /var/cache/PackageKit(/.*)?	gen_context(system_u:object_r:apt_var_cache_t,s0)
+ /var/lib/PackageKit(/.*)?	gen_context(system_u:object_r:apt_var_lib_t,s0)
+ ')
 diff --git a/apt.if b/apt.if
-index e2414c4..970736b 100644
+index cde81d2..970736b 100644
 --- a/apt.if
 +++ b/apt.if
-@@ -152,7 +152,7 @@ interface(`apt_read_cache',`
+@@ -21,25 +21,6 @@ interface(`apt_domtrans',`
+ 
+ ########################################
+ ## <summary>
+-##	Execute the apt in the caller domain.
+-## </summary>
+-## <param name="domain">
+-##	<summary>
+-##	Domain allowed access.
+-##	</summary>
+-## </param>
+-#
+-interface(`apt_exec',`
+-	gen_require(`
+-		type apt_exec_t;
+-	')
+-
+-	corecmd_search_bin($1)
+-	can_exec($1, apt_exec_t)
+-')
+-
+-########################################
+-## <summary>
+ ##	Execute apt programs in the apt domain.
+ ## </summary>
+ ## <param name="domain">
+@@ -171,7 +152,7 @@ interface(`apt_read_cache',`
  
  	files_search_var($1)
  	allow $1 apt_var_cache_t:dir list_dir_perms;
@@ -7700,10 +8986,24 @@ index e2414c4..970736b 100644
  ')
  
 diff --git a/apt.te b/apt.te
-index e2d8d52..d82403c 100644
+index efa8530..d82403c 100644
 --- a/apt.te
 +++ b/apt.te
-@@ -83,7 +83,6 @@ kernel_read_kernel_sysctls(apt_t)
+@@ -1,4 +1,4 @@
+-policy_module(apt, 1.8.1)
++policy_module(apt, 1.7.5)
+ 
+ ########################################
+ #
+@@ -77,15 +77,12 @@ files_var_lib_filetrans(apt_t, apt_var_lib_t, dir)
+ allow apt_t apt_var_log_t:file manage_file_perms;
+ logging_log_filetrans(apt_t, apt_var_log_t, file)
+ 
+-can_exec(apt_t, apt_exec_t)
+-
+ kernel_read_system_state(apt_t)
+ kernel_read_kernel_sysctls(apt_t)
+ 
  corecmd_exec_bin(apt_t)
  corecmd_exec_shell(apt_t)
  
@@ -7711,7 +9011,14 @@ index e2d8d52..d82403c 100644
  corenet_all_recvfrom_netlabel(apt_t)
  corenet_tcp_sendrecv_generic_if(apt_t)
  corenet_tcp_sendrecv_generic_node(apt_t)
-@@ -98,27 +97,24 @@ domain_getattr_all_domains(apt_t)
+@@ -94,45 +91,37 @@ corenet_tcp_sendrecv_all_ports(apt_t)
+ corenet_sendrecv_all_client_packets(apt_t)
+ corenet_tcp_connect_all_ports(apt_t)
+ 
+-dev_list_sysfs(apt_t)
+ dev_read_urand(apt_t)
+ 
+ domain_getattr_all_domains(apt_t)
  domain_use_interactive_fds(apt_t)
  
  files_exec_usr_files(apt_t)
@@ -7737,10 +9044,22 @@ index e2d8d52..d82403c 100644
  sysnet_read_config(apt_t)
  
 -userdom_use_user_terminals(apt_t)
+-
+-optional_policy(`
+-	backup_manage_store_files(apt_t)
+-')
 +userdom_use_inherited_user_terminals(apt_t)
  
  optional_policy(`
  	cron_system_entry(apt_t, apt_exec_t)
+ ')
+ 
+ optional_policy(`
+-	dbus_system_domain(apt_t, apt_exec_t)
++        dbus_system_domain(apt_t, apt_exec_t)
+ ')
+ 
+ optional_policy(`
 diff --git a/arpwatch.fc b/arpwatch.fc
 index 9ca0d0f..9a1a61f 100644
 --- a/arpwatch.fc
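Review bot: the `dbus_system_domain(apt_t, apt_exec_t)` change at the end of the apt.te part only replaces the leading tab with eight spaces. Drop it so the line stays identical to the base; whitespace-only differences add a conflict point on every rebase and break the tab indentation used everywhere else in the file. Separately, this hunk removes the `backup_manage_store_files(apt_t)` optional block, which is consistent only if the interface is also gone from backup.if in the same update, so keep the two together.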
@@ -7815,9 +9134,15 @@ index 50c9b9c..51c8cc0 100644
 +	allow $1 arpwatch_unit_file_t:service all_service_perms;
  ')
 diff --git a/arpwatch.te b/arpwatch.te
-index fa18c76..fd6911a 100644
+index 2d7bf34..fd6911a 100644
 --- a/arpwatch.te
 +++ b/arpwatch.te
+@@ -1,4 +1,4 @@
+-policy_module(arpwatch, 1.11.0)
++policy_module(arpwatch, 1.10.4)
+ 
+ ########################################
+ #
 @@ -21,6 +21,9 @@ files_tmp_file(arpwatch_tmp_t)
  type arpwatch_var_run_t;
  files_pid_file(arpwatch_var_run_t)
@@ -7878,36 +9203,10 @@ index fa18c76..fd6911a 100644
  userdom_dontaudit_use_unpriv_user_fds(arpwatch_t)
  
 diff --git a/asterisk.if b/asterisk.if
-index 7268a04..6ffd87d 100644
+index 2077053..6ffd87d 100644
 --- a/asterisk.if
 +++ b/asterisk.if
-@@ -19,6 +19,25 @@ interface(`asterisk_domtrans',`
- 	domtrans_pattern($1, asterisk_exec_t, asterisk_t)
- ')
- 
-+######################################
-+## <summary>
-+##	Execute asterisk in the caller domain.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`asterisk_exec',`
-+	gen_require(`
-+		type asterisk_exec_t;
-+	')
-+
-+	corecmd_search_bin($1)
-+	can_exec($1, asterisk_exec_t)
-+')
-+
- #####################################
- ## <summary>
- ##	Connect to asterisk over a unix domain.
-@@ -105,9 +124,13 @@ interface(`asterisk_admin',`
+@@ -124,16 +124,18 @@ interface(`asterisk_admin',`
  		type asterisk_var_lib_t, asterisk_initrc_exec_t;
  	')
  
@@ -7922,10 +9221,23 @@ index 7268a04..6ffd87d 100644
  	init_labeled_script_domtrans($1, asterisk_initrc_exec_t)
  	domain_system_change_exemption($1)
  	role_transition $2 asterisk_initrc_exec_t system_r;
+ 	allow $2 system_r;
+ 
+-	asterisk_exec($1)
+-
+ 	files_list_tmp($1)
+ 	admin_pattern($1, asterisk_tmp_t)
+ 
 diff --git a/asterisk.te b/asterisk.te
-index 5439f1c..4f8a8a5 100644
+index 7e41350..4f8a8a5 100644
 --- a/asterisk.te
 +++ b/asterisk.te
+@@ -1,4 +1,4 @@
+-policy_module(asterisk, 1.12.1)
++policy_module(asterisk, 1.11.3)
+ 
+ ########################################
+ #
 @@ -19,7 +19,7 @@ type asterisk_log_t;
  logging_log_file(asterisk_log_t)
  
@@ -7935,25 +9247,22 @@ index 5439f1c..4f8a8a5 100644
  
  type asterisk_tmp_t;
  files_tmp_file(asterisk_tmp_t)
-@@ -52,13 +52,14 @@ allow asterisk_t asterisk_etc_t:dir list_dir_perms;
- read_files_pattern(asterisk_t, asterisk_etc_t, asterisk_etc_t)
- read_lnk_files_pattern(asterisk_t, asterisk_etc_t, asterisk_etc_t)
- 
--append_files_pattern(asterisk_t, asterisk_log_t, asterisk_log_t)
--create_files_pattern(asterisk_t, asterisk_log_t, asterisk_log_t)
--setattr_files_pattern(asterisk_t, asterisk_log_t, asterisk_log_t)
-+manage_dirs_pattern(asterisk_t, asterisk_log_t, asterisk_log_t)
-+manage_files_pattern(asterisk_t, asterisk_log_t, asterisk_log_t)
+@@ -54,12 +54,12 @@ read_lnk_files_pattern(asterisk_t, asterisk_etc_t, asterisk_etc_t)
+ 
+ manage_dirs_pattern(asterisk_t, asterisk_log_t, asterisk_log_t)
+ manage_files_pattern(asterisk_t, asterisk_log_t, asterisk_log_t)
+-logging_log_filetrans(asterisk_t, asterisk_log_t, { file dir })
 +logging_log_filetrans(asterisk_t, asterisk_log_t, {file dir})
  
  manage_dirs_pattern(asterisk_t, asterisk_spool_t, asterisk_spool_t)
  manage_files_pattern(asterisk_t, asterisk_spool_t, asterisk_spool_t)
  manage_lnk_files_pattern(asterisk_t, asterisk_spool_t, asterisk_spool_t)
+-files_spool_filetrans(asterisk_t, asterisk_spool_t, { dir file })
 +files_spool_file(asterisk_t, asterisk_spool_t, {dir file})
  
  manage_dirs_pattern(asterisk_t, asterisk_tmp_t, asterisk_tmp_t)
  manage_files_pattern(asterisk_t, asterisk_tmp_t, asterisk_tmp_t)
-@@ -72,11 +73,11 @@ fs_tmpfs_filetrans(asterisk_t, asterisk_tmpfs_t, { dir file lnk_file sock_file f
+@@ -73,11 +73,11 @@ fs_tmpfs_filetrans(asterisk_t, asterisk_tmpfs_t, { dir file lnk_file sock_file f
  
  manage_files_pattern(asterisk_t, asterisk_var_lib_t, asterisk_var_lib_t)
  
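Review bot: `files_spool_file(asterisk_t, asterisk_spool_t, {dir file})` replaces the base's `files_spool_filetrans(asterisk_t, asterisk_spool_t, { dir file })`, and the new name looks like a typo for `files_spool_filetrans`. The other `files_*_file` calls in this file take a single type, for example `files_tmp_file(asterisk_tmp_t)`, so if this one expands as a type-declaration interface, asterisk_t gets no spool type transition and the domain itself is handed to a file-type macro. Please restore `files_spool_filetrans`. The `{file dir}` spacing change on the `logging_log_filetrans` line above is cosmetic and can be dropped to match the base.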
@@ -7967,7 +9276,7 @@ index 5439f1c..4f8a8a5 100644
  can_exec(asterisk_t, asterisk_exec_t)
  
  kernel_read_kernel_sysctls(asterisk_t)
-@@ -87,7 +88,6 @@ kernel_request_load_module(asterisk_t)
+@@ -88,7 +88,6 @@ kernel_request_load_module(asterisk_t)
  corecmd_exec_bin(asterisk_t)
  corecmd_exec_shell(asterisk_t)
  
@@ -7975,7 +9284,7 @@ index 5439f1c..4f8a8a5 100644
  corenet_all_recvfrom_netlabel(asterisk_t)
  corenet_tcp_sendrecv_generic_if(asterisk_t)
  corenet_udp_sendrecv_generic_if(asterisk_t)
-@@ -135,7 +135,6 @@ dev_read_urand(asterisk_t)
+@@ -136,7 +135,6 @@ dev_read_urand(asterisk_t)
  
  domain_use_interactive_fds(asterisk_t)
  
@@ -7983,8 +9292,11 @@ index 5439f1c..4f8a8a5 100644
  files_search_spool(asterisk_t)
  files_dontaudit_search_home(asterisk_t)
  
-@@ -148,8 +147,6 @@ auth_use_nsswitch(asterisk_t)
+@@ -147,11 +145,8 @@ fs_search_auto_mountpoints(asterisk_t)
+ 
+ auth_use_nsswitch(asterisk_t)
  
+-logging_search_logs(asterisk_t)
  logging_send_syslog_msg(asterisk_t)
  
 -miscfiles_read_localization(asterisk_t)
@@ -7992,6 +9304,16 @@ index 5439f1c..4f8a8a5 100644
  userdom_dontaudit_use_unpriv_user_fds(asterisk_t)
  userdom_dontaudit_search_user_home_dirs(asterisk_t)
  
+diff --git a/authbind.te b/authbind.te
+index dd9d215..a194e01 100644
+--- a/authbind.te
++++ b/authbind.te
+@@ -1,4 +1,4 @@
+-policy_module(authbind, 1.3.0)
++policy_module(authbind, 1.2.1)
+ 
+ ########################################
+ #
 diff --git a/authconfig.fc b/authconfig.fc
 new file mode 100644
 index 0000000..4579cfe
@@ -8187,7 +9509,7 @@ index 92adb37..0a2ffc6 100644
  
  /var/lock/subsys/autofs	--	gen_context(system_u:object_r:automount_lock_t,s0)
 diff --git a/automount.if b/automount.if
-index 089430a..b0bed70 100644
+index f24e369..b0bed70 100644
 --- a/automount.if
 +++ b/automount.if
 @@ -29,7 +29,6 @@ interface(`automount_domtrans',`
@@ -8254,10 +9576,11 @@ index 089430a..b0bed70 100644
  ##	All of the rules required to
  ##	administrate an automount environment.
  ## </summary>
-@@ -153,11 +194,16 @@ interface(`automount_admin',`
+@@ -153,20 +194,21 @@ interface(`automount_admin',`
  	gen_require(`
  		type automount_t, automount_lock_t, automount_tmp_t;
  		type automount_var_run_t, automount_initrc_exec_t;
+-		type automount_keytab_t;
 +		type automount_unit_file_t;
  	')
  
@@ -8272,7 +9595,15 @@ index 089430a..b0bed70 100644
  	init_labeled_script_domtrans($1, automount_initrc_exec_t)
  	domain_system_change_exemption($1)
  	role_transition $2 automount_initrc_exec_t system_r;
-@@ -171,4 +217,8 @@ interface(`automount_admin',`
+ 	allow $2 system_r;
+ 
+-	files_list_etc($1)
+-	admin_pattern($1, automount_keytab_t)
+-
+ 	files_list_var($1)
+ 	admin_pattern($1, automount_lock_t)
+ 
+@@ -175,4 +217,8 @@ interface(`automount_admin',`
  
  	files_list_pids($1)
  	admin_pattern($1, automount_var_run_t)
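Review bot: `automount_admin` loses both `type automount_keytab_t;` in its `gen_require` and the `admin_pattern($1, automount_keytab_t)` line, with nothing added in their place. If the `kerberos_keytab_template(automount, automount_t)` call added in automount.te still produces an automount keytab type, the admin interface should keep covering it. Otherwise the role this interface is granted to can no longer manage the service's keytab. If dropping that access is deliberate, a comment in the interface or a changelog line would make it clear.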
@@ -8282,16 +9613,35 @@ index 089430a..b0bed70 100644
 +	allow $1 automount_unit_file_t:service all_service_perms;
  ')
 diff --git a/automount.te b/automount.te
-index a579c3b..11dbe9d 100644
+index 27d2f40..11dbe9d 100644
 --- a/automount.te
 +++ b/automount.te
-@@ -22,12 +22,16 @@ type automount_tmp_t;
+@@ -1,4 +1,4 @@
+-policy_module(automount, 1.14.1)
++policy_module(automount, 1.13.3)
+ 
+ ########################################
+ #
+@@ -12,8 +12,8 @@ init_daemon_domain(automount_t, automount_exec_t)
+ type automount_initrc_exec_t;
+ init_script_file(automount_initrc_exec_t)
+ 
+-type automount_keytab_t;
+-files_type(automount_keytab_t)
++type automount_var_run_t;
++files_pid_file(automount_var_run_t)
+ 
+ type automount_lock_t;
+ files_lock_file(automount_lock_t)
+@@ -22,15 +22,16 @@ type automount_tmp_t;
  files_tmp_file(automount_tmp_t)
  files_mountpoint(automount_tmp_t)
  
+-type automount_var_run_t;
+-files_pid_file(automount_var_run_t)
 +type automount_unit_file_t;
 +systemd_unit_file(automount_unit_file_t)
-+
+ 
  ########################################
  #
  # Local policy
@@ -8303,7 +9653,16 @@ index a579c3b..11dbe9d 100644
  dontaudit automount_t self:capability sys_tty_config;
  allow automount_t self:process { signal_perms getpgid setpgid setsched setrlimit };
  allow automount_t self:fifo_file rw_fifo_file_perms;
-@@ -62,7 +66,6 @@ kernel_dontaudit_search_xen_state(automount_t)
+@@ -39,8 +40,6 @@ allow automount_t self:rawip_socket create_socket_perms;
+ 
+ can_exec(automount_t, automount_exec_t)
+ 
+-allow automount_t automount_keytab_t:file read_file_perms;
+-
+ allow automount_t automount_lock_t:file manage_file_perms;
+ files_lock_filetrans(automount_t, automount_lock_t, file)
+ 
+@@ -67,7 +66,6 @@ kernel_dontaudit_search_xen_state(automount_t)
  corecmd_exec_bin(automount_t)
  corecmd_exec_shell(automount_t)
  
@@ -8311,7 +9670,7 @@ index a579c3b..11dbe9d 100644
  corenet_all_recvfrom_netlabel(automount_t)
  corenet_tcp_sendrecv_generic_if(automount_t)
  corenet_udp_sendrecv_generic_if(automount_t)
-@@ -86,6 +89,7 @@ corenet_udp_bind_all_rpc_ports(automount_t)
+@@ -91,6 +89,7 @@ corenet_udp_bind_all_rpc_ports(automount_t)
  
  files_dontaudit_write_var_dirs(automount_t)
  files_getattr_all_dirs(automount_t)
@@ -8319,7 +9678,7 @@ index a579c3b..11dbe9d 100644
  files_getattr_default_dirs(automount_t)
  files_getattr_home_dir(automount_t)
  files_getattr_isid_type_dirs(automount_t)
-@@ -96,7 +100,6 @@ files_mount_all_file_type_fs(automount_t)
+@@ -101,7 +100,6 @@ files_mount_all_file_type_fs(automount_t)
  files_mounton_all_mountpoints(automount_t)
  files_mounton_mnt(automount_t)
  files_read_etc_runtime_files(automount_t)
@@ -8327,7 +9686,7 @@ index a579c3b..11dbe9d 100644
  files_search_boot(automount_t)
  files_search_all(automount_t)
  files_unmount_all_file_type_fs(automount_t)
-@@ -108,6 +111,7 @@ fs_manage_autofs_symlinks(automount_t)
+@@ -113,6 +111,7 @@ fs_manage_autofs_symlinks(automount_t)
  fs_mount_all_fs(automount_t)
  fs_mount_autofs(automount_t)
  fs_read_nfs_files(automount_t)
@@ -8335,7 +9694,7 @@ index a579c3b..11dbe9d 100644
  fs_search_all(automount_t)
  fs_search_auto_mountpoints(automount_t)
  fs_unmount_all_fs(automount_t)
-@@ -130,15 +134,18 @@ auth_use_nsswitch(automount_t)
+@@ -135,22 +134,24 @@ auth_use_nsswitch(automount_t)
  logging_send_syslog_msg(automount_t)
  logging_search_logs(automount_t)
  
@@ -8358,7 +9717,15 @@ index a579c3b..11dbe9d 100644
  	fstools_domtrans(automount_t)
  ')
  
-@@ -160,3 +167,8 @@ optional_policy(`
+ optional_policy(`
++	kerberos_keytab_template(automount, automount_t)
+ 	kerberos_read_config(automount_t)
+-	kerberos_read_keytab(automount_t)
+-	kerberos_use(automount_t)
+ 	kerberos_dontaudit_write_config(automount_t)
+ ')
+ 
+@@ -166,3 +167,8 @@ optional_policy(`
  optional_policy(`
  	udev_read_db(automount_t)
  ')
@@ -8380,49 +9747,142 @@ index e9fe2ca..4c2d076 100644
  /usr/sbin/avahi-dnsconfd	--	gen_context(system_u:object_r:avahi_exec_t,s0)
  /usr/sbin/avahi-autoipd	--	gen_context(system_u:object_r:avahi_exec_t,s0)
 diff --git a/avahi.if b/avahi.if
-index aebe7cb..33fe57b 100644
+index 9078c3d..33fe57b 100644
 --- a/avahi.if
 +++ b/avahi.if
-@@ -97,7 +97,7 @@ interface(`avahi_dbus_chat',`
+@@ -21,25 +21,6 @@ interface(`avahi_domtrans',`
+ 
  ########################################
  ## <summary>
- ##	Connect to avahi using a unix
--$$	stream socket.
-+##	stream socket.
+-##	Execute avahi init scripts in the
+-##	init script domain.
+-## </summary>
+-## <param name="domain">
+-##	<summary>
+-##	Domain allowed to transition.
+-##	</summary>
+-## </param>
+-#
+-interface(`avahi_initrc_domtrans',`
+-	gen_require(`
+-		type avahi_initrc_exec_t;
+-	')
+-
+-	init_labeled_script_domtrans($1, avahi_initrc_exec_t)
+-')
+-
+-########################################
+-## <summary>
+ ##	Send generic signals to avahi.
  ## </summary>
  ## <param name="domain">
- ##	<summary>
-@@ -135,6 +135,29 @@ interface(`avahi_dontaudit_search_pid',`
+@@ -135,63 +116,6 @@ interface(`avahi_stream_connect',`
+ 
+ ########################################
+ ## <summary>
+-##	Create avahi pid directories.
+-## </summary>
+-## <param name="domain">
+-##	<summary>
+-##	Domain allowed access.
+-##	</summary>
+-## </param>
+-#
+-interface(`avahi_create_pid_dirs',`
+-	gen_require(`
+-		type avahi_var_run_t;
+-	')
+-
+-	files_search_pids($1)
+-	allow $1 avahi_var_run_t:dir create_dir_perms;
+-')
+-
+-########################################
+-## <summary>
+-##	Set attributes of avahi pid directories.
+-## </summary>
+-## <param name="domain">
+-##	<summary>
+-##	Domain allowed access.
+-##	</summary>
+-## </param>
+-#
+-interface(`avahi_setattr_pid_dirs',`
+-	gen_require(`
+-		type avahi_var_run_t;
+-	')
+-
+-	files_search_pids($1)
+-	allow $1 avahi_var_run_t:dir setattr_dir_perms;
+-')
+-
+-########################################
+-## <summary>
+-##	Create, read, and write avahi pid files.
+-## </summary>
+-## <param name="domain">
+-##	<summary>
+-##	Domain allowed access.
+-##	</summary>
+-## </param>
+-#
+-interface(`avahi_manage_pid_files',`
+-	gen_require(`
+-		type avahi_var_run_t;
+-	')
+-
+-	files_search_pids($1)
+-	manage_files_pattern($1, avahi_var_run_t, avahi_var_run_t)
+-')
+-
+-########################################
+-## <summary>
+ ##	Do not audit attempts to search
+ ##	avahi pid directories.
+ ## </summary>
+@@ -211,31 +135,25 @@ interface(`avahi_dontaudit_search_pid',`
  
  ########################################
  ## <summary>
+-##	Create specified objects in generic
+-##	pid directories with the avahi pid file type.
 +##	Execute avahi server in the avahi domain.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain allowed access.
+-##	</summary>
+-## </param>
+-## <param name="object_class">
+-##	<summary>
+-##	Class of the object being created.
+-##	</summary>
+-## </param>
+-## <param name="name" optional="true">
+-##	<summary>
+-##	The name of the object being created.
 +##	Domain allowed to transition.
-+##	</summary>
-+## </param>
-+#
+ ##	</summary>
+ ## </param>
+ #
+-interface(`avahi_filetrans_pid',`
 +interface(`avahi_systemctl',`
-+	gen_require(`
+ 	gen_require(`
+-		type avahi_var_run_t;
 +		type avahi_t;
 +		type avahi_unit_file_t;
-+	')
-+
+ 	')
+ 
+-	files_pid_filetrans($1, avahi_var_run_t, $2, $3)
 +	systemd_exec_systemctl($1)
 +	allow $1 avahi_unit_file_t:file read_file_perms;
 +	allow $1 avahi_unit_file_t:service manage_service_perms;
 +
 +	ps_process_pattern($1, avahi_t)
-+')
-+
-+########################################
-+## <summary>
- ##	All of the rules required to
- ##	administrate an avahi environment.
- ## </summary>
-@@ -153,12 +176,17 @@ interface(`avahi_dontaudit_search_pid',`
+ ')
+ 
+ ########################################
+@@ -258,13 +176,18 @@ interface(`avahi_filetrans_pid',`
  interface(`avahi_admin',`
  	gen_require(`
  		type avahi_t, avahi_var_run_t, avahi_initrc_exec_t;
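Review bot: this hunk removes five interfaces from avahi.if (`avahi_initrc_domtrans`, `avahi_create_pid_dirs`, `avahi_setattr_pid_dirs`, `avahi_manage_pid_files`, `avahi_filetrans_pid`), but the only caller visibly updated is `avahi_admin` in the next hunk. Please confirm that no other module in the F20 tree calls any of them, since a leftover call fails at policy build time. The new `avahi_systemctl` summary also reads "Execute avahi server in the avahi domain", which describes a domain transition rather than the systemctl and unit-file access the body grants; the summary should say what the interface actually allows.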
@@ -8434,14 +9894,16 @@ index aebe7cb..33fe57b 100644
 +	allow $1 avahi_t:process signal_perms;
  	ps_process_pattern($1, avahi_t)
  
+-	avahi_initrc_domtrans($1)
 +	tunable_policy(`deny_ptrace',`',`
 +		allow $1 avahi_t:process ptrace;
 +	')
 +
- 	init_labeled_script_domtrans($1, avahi_initrc_exec_t)
++	init_labeled_script_domtrans($1, avahi_initrc_exec_t)
  	domain_system_change_exemption($1)
  	role_transition $2 avahi_initrc_exec_t system_r;
-@@ -169,4 +197,8 @@ interface(`avahi_admin',`
+ 	allow $2 system_r;
+@@ -274,4 +197,8 @@ interface(`avahi_admin',`
  
  	files_search_var_lib($1)
  	admin_pattern($1, avahi_var_lib_t)
@@ -8451,9 +9913,15 @@ index aebe7cb..33fe57b 100644
 +	allow $1 avahi_unit_file_t:service all_service_perms;
  ')
 diff --git a/avahi.te b/avahi.te
-index 60e76be..f1f2bcf 100644
+index b8355b3..f1f2bcf 100644
 --- a/avahi.te
 +++ b/avahi.te
+@@ -1,4 +1,4 @@
+-policy_module(avahi, 1.14.1)
++policy_module(avahi, 1.13.2)
+ 
+ ########################################
+ #
 @@ -17,6 +17,10 @@ files_pid_file(avahi_var_lib_t)
  
  type avahi_var_run_t;
@@ -8512,9 +9980,15 @@ index 60e76be..f1f2bcf 100644
  ')
  
 diff --git a/awstats.te b/awstats.te
-index d6ab824..116176d 100644
+index c1b16c3..116176d 100644
 --- a/awstats.te
 +++ b/awstats.te
+@@ -1,4 +1,4 @@
+-policy_module(awstats, 1.5.0)
++policy_module(awstats, 1.4.4)
+ 
+ ########################################
+ #
 @@ -52,8 +52,6 @@ corecmd_exec_shell(awstats_t)
  dev_read_urand(awstats_t)
  
@@ -8549,10 +10023,54 @@ index d6ab824..116176d 100644
  files_search_var_lib(httpd_awstats_script_t)
 -
 -apache_read_log(httpd_awstats_script_t)
+diff --git a/backup.fc b/backup.fc
+index 349c26f..075621d 100644
+--- a/backup.fc
++++ b/backup.fc
+@@ -1,5 +1,4 @@
+ /etc/cron\.daily/aptitude	--	gen_context(system_u:object_r:backup_exec_t,s0)
+-/etc/cron\.daily/passwd	--	gen_context(system_u:object_r:backup_exec_t,s0)
+ /etc/cron\.daily/standard	--	gen_context(system_u:object_r:backup_exec_t,s0)
+ 
+ /var/backups(/.*)?	gen_context(system_u:object_r:backup_store_t,s0)
+diff --git a/backup.if b/backup.if
+index fe3f740..894810e 100644
+--- a/backup.if
++++ b/backup.if
+@@ -45,23 +45,3 @@ interface(`backup_run',`
+ 	backup_domtrans($1)
+ 	roleattribute $2 backup_roles;
+ ')
+-
+-########################################
+-## <summary>
+-##	Create, read, and write backup
+-##	store files.
+-## </summary>
+-## <param name="domain">
+-##	<summary>
+-##	Domain allowed access.
+-##	</summary>
+-## </param>
+-#
+-interface(`backup_manage_store_files',`
+-	gen_require(`
+-		type backup_store_t;
+-	')
+-
+-	files_search_var($1)
+-	manage_files_pattern($1, backup_store_t, backup_store_t)
+-')
 diff --git a/backup.te b/backup.te
-index d6ceef4..c10d39c 100644
+index 7811450..c10d39c 100644
 --- a/backup.te
 +++ b/backup.te
+@@ -1,4 +1,4 @@
+-policy_module(backup, 1.6.2)
++policy_module(backup, 1.5.2)
+ 
+ ########################################
+ #
 @@ -38,7 +38,6 @@ kernel_read_kernel_sysctls(backup_t)
  corecmd_exec_bin(backup_t)
  corecmd_exec_shell(backup_t)
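Review bot: Two removals in the added backup hunks are not mentioned in the commit message. backup.fc drops the backup_exec_t context for /etc/cron\.daily/passwd, and backup.if deletes the whole backup_manage_store_files interface. Please confirm that no module in the F20 policy still calls backup_manage_store_files, since a remaining caller would stop building. Also confirm that the cron.daily passwd script is meant to lose its backup_exec_t label, because without that entry it no longer matches any of the backup file contexts shown here.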
@@ -8583,9 +10101,15 @@ index dcd774e..c240ffa 100644
  
  	allow $1 bacula_t:process { ptrace signal_perms };
 diff --git a/bacula.te b/bacula.te
-index 3beba2f..a6d4fb0 100644
+index f16b000..a6d4fb0 100644
 --- a/bacula.te
 +++ b/bacula.te
+@@ -1,4 +1,4 @@
+-policy_module(bacula, 1.2.0)
++policy_module(bacula, 1.1.1)
+ 
+ ########################################
+ #
 @@ -43,16 +43,18 @@ role bacula_admin_roles types bacula_admin_t;
  # Local policy
  #
@@ -8716,9 +10240,15 @@ index ec95d36..7132e1e 100644
 +	')
  ')
 diff --git a/bcfg2.te b/bcfg2.te
-index 536ec3c..271b976 100644
+index c3fd7b1..271b976 100644
 --- a/bcfg2.te
 +++ b/bcfg2.te
+@@ -1,4 +1,4 @@
+-policy_module(bcfg2, 1.1.0)
++policy_module(bcfg2, 1.0.1)
+ 
+ ########################################
+ #
 @@ -15,6 +15,9 @@ init_script_file(bcfg2_initrc_exec_t)
  type bcfg2_var_lib_t;
  files_type(bcfg2_var_lib_t)
@@ -8864,7 +10394,7 @@ index 2b9a3a1..750788c 100644
 +/var/named/dynamic(/.*)?		gen_context(system_u:object_r:named_cache_t,s0)
 +')
 diff --git a/bind.if b/bind.if
-index 866a1e2..43b445c 100644
+index 531a8f2..43b445c 100644
 --- a/bind.if
 +++ b/bind.if
 @@ -20,6 +20,29 @@ interface(`bind_initrc_domtrans',`
@@ -8985,12 +10515,13 @@ index 866a1e2..43b445c 100644
  ##	All of the rules required to
  ##	administrate an bind environment.
  ## </summary>
-@@ -362,12 +445,20 @@ interface(`bind_udp_chat_named',`
+@@ -362,13 +445,20 @@ interface(`bind_udp_chat_named',`
  interface(`bind_admin',`
  	gen_require(`
  		type named_t, named_tmp_t, named_log_t;
 -		type named_cache_t, named_zone_t, named_initrc_exec_t;
 -		type dnssec_t, ndc_t, named_conf_t, named_var_run_t;
+-		type named_keytab_t;
 +		type named_conf_t, named_var_run_t, named_cache_t;
 +		type named_zone_t, named_initrc_exec_t;
 +		type dnssec_t, ndc_t, named_keytab_t;
@@ -9010,15 +10541,18 @@ index 866a1e2..43b445c 100644
  
  	init_labeled_script_domtrans($1, named_initrc_exec_t)
  	domain_system_change_exemption($1)
-@@ -383,11 +474,15 @@ interface(`bind_admin',`
- 	files_list_etc($1)
- 	admin_pattern($1, named_conf_t)
+@@ -382,7 +472,9 @@ interface(`bind_admin',`
+ 	admin_pattern($1, named_log_t)
  
-+	admin_pattern($1, named_keytab_t)
+ 	files_list_etc($1)
+-	admin_pattern($1, { named_keytab_t named_conf_t })
++	admin_pattern($1, named_conf_t)
 +
++	admin_pattern($1, named_keytab_t)
+ 
  	files_list_var($1)
  	admin_pattern($1, { dnssec_t named_cache_t named_zone_t })
- 
+@@ -390,5 +482,7 @@ interface(`bind_admin',`
  	files_list_pids($1)
  	admin_pattern($1, named_var_run_t)
  
@@ -9028,9 +10562,15 @@ index 866a1e2..43b445c 100644
 +	allow $1 named_unit_file_t:service all_service_perms;
  ')
 diff --git a/bind.te b/bind.te
-index 076ffee..93ffa1d 100644
+index 1241123..93ffa1d 100644
 --- a/bind.te
 +++ b/bind.te
+@@ -1,4 +1,4 @@
+-policy_module(bind, 1.13.1)
++policy_module(bind, 1.12.8)
+ 
+ ########################################
+ #
 @@ -34,7 +34,7 @@ type named_checkconf_exec_t;
  init_system_domain(named_t, named_checkconf_exec_t)
  
@@ -9040,17 +10580,18 @@ index 076ffee..93ffa1d 100644
  files_mountpoint(named_conf_t)
  
  # for secondary zone files
-@@ -44,6 +44,9 @@ files_type(named_cache_t)
+@@ -44,8 +44,8 @@ files_type(named_cache_t)
  type named_initrc_exec_t;
  init_script_file(named_initrc_exec_t)
  
+-type named_keytab_t;
+-files_type(named_keytab_t)
 +type named_unit_file_t;
 +systemd_unit_file(named_unit_file_t)
-+
+ 
  type named_log_t;
  logging_log_file(named_log_t)
- 
-@@ -68,8 +71,9 @@ role ndc_roles types ndc_t;
+@@ -71,8 +71,9 @@ role ndc_roles types ndc_t;
  # Local policy
  #
  
@@ -9061,9 +10602,12 @@ index 076ffee..93ffa1d 100644
  allow named_t self:process { setsched getcap setcap setrlimit signal_perms };
  allow named_t self:fifo_file rw_fifo_file_perms;
  allow named_t self:unix_stream_socket { accept listen };
-@@ -86,9 +90,7 @@ manage_lnk_files_pattern(named_t, named_cache_t, named_cache_t)
+@@ -87,11 +88,9 @@ read_lnk_files_pattern(named_t, named_conf_t, named_conf_t)
+ manage_files_pattern(named_t, named_cache_t, named_cache_t)
+ manage_lnk_files_pattern(named_t, named_cache_t, named_cache_t)
  
- can_exec(named_t, named_exec_t)
+-allow named_t named_keytab_t:file read_file_perms;
++can_exec(named_t, named_exec_t)
  
 -append_files_pattern(named_t, named_log_t, named_log_t)
 -create_files_pattern(named_t, named_log_t, named_log_t)
@@ -9072,7 +10616,16 @@ index 076ffee..93ffa1d 100644
  logging_log_filetrans(named_t, named_log_t, file)
  
  manage_dirs_pattern(named_t, named_tmp_t, named_tmp_t)
-@@ -110,7 +112,6 @@ kernel_read_network_state(named_t)
+@@ -103,8 +102,6 @@ manage_files_pattern(named_t, named_var_run_t, named_var_run_t)
+ manage_sock_files_pattern(named_t, named_var_run_t, named_var_run_t)
+ files_pid_filetrans(named_t, named_var_run_t, { dir file sock_file })
+ 
+-can_exec(named_t, named_exec_t)
+-
+ allow named_t named_zone_t:dir list_dir_perms;
+ read_files_pattern(named_t, named_zone_t, named_zone_t)
+ read_lnk_files_pattern(named_t, named_zone_t, named_zone_t)
+@@ -115,7 +112,6 @@ kernel_read_network_state(named_t)
  
  corecmd_search_bin(named_t)
  
@@ -9080,7 +10633,7 @@ index 076ffee..93ffa1d 100644
  corenet_all_recvfrom_netlabel(named_t)
  corenet_tcp_sendrecv_generic_if(named_t)
  corenet_udp_sendrecv_generic_if(named_t)
-@@ -139,6 +140,7 @@ corenet_tcp_sendrecv_all_ports(named_t)
+@@ -144,6 +140,7 @@ corenet_tcp_sendrecv_all_ports(named_t)
  dev_read_sysfs(named_t)
  dev_read_rand(named_t)
  dev_read_urand(named_t)
@@ -9088,7 +10641,7 @@ index 076ffee..93ffa1d 100644
  
  domain_use_interactive_fds(named_t)
  
-@@ -170,6 +172,15 @@ tunable_policy(`named_write_master_zones',`
+@@ -175,6 +172,15 @@ tunable_policy(`named_write_master_zones',`
  ')
  
  optional_policy(`
@@ -9104,15 +10657,18 @@ index 076ffee..93ffa1d 100644
  	dbus_system_domain(named_t, named_exec_t)
  
  	init_dbus_chat_script(named_t)
-@@ -183,6 +194,7 @@ optional_policy(`
+@@ -187,8 +193,8 @@ optional_policy(`
+ ')
  
  optional_policy(`
- 	kerberos_keytab_template(named, named_t)
+-	kerberos_read_keytab(named_t)
+-	kerberos_use(named_t)
++	kerberos_keytab_template(named, named_t)
 +	kerberos_tmp_filetrans_host_rcache(named_t, "DNS_25")
  ')
  
  optional_policy(`
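Review bot: With kerberos_read_keytab and kerberos_use replaced by kerberos_keytab_template(named, named_t), named_keytab_t is only reachable from inside this optional_policy block. The earlier bind.te hunk removes the explicit "type named_keytab_t;" and "files_type(named_keytab_t)" lines, while bind_admin in bind.if still lists named_keytab_t in gen_require and calls admin_pattern($1, named_keytab_t). Assuming the template is what declares the type, please check that bind_admin still resolves when the kerberos module is absent, or move the keytab lines of bind_admin into an optional_policy block of their own.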
-@@ -209,7 +221,8 @@ optional_policy(`
+@@ -215,7 +221,8 @@ optional_policy(`
  #
  
  allow ndc_t self:capability { dac_override net_admin };
@@ -9122,7 +10678,7 @@ index 076ffee..93ffa1d 100644
  allow ndc_t self:fifo_file rw_fifo_file_perms;
  allow ndc_t self:unix_stream_socket { accept listen };
  
-@@ -223,10 +236,9 @@ allow ndc_t named_conf_t:lnk_file read_lnk_file_perms;
+@@ -229,10 +236,9 @@ allow ndc_t named_conf_t:lnk_file read_lnk_file_perms;
  
  allow ndc_t named_zone_t:dir search_dir_perms;
  
@@ -9134,7 +10690,7 @@ index 076ffee..93ffa1d 100644
  corenet_all_recvfrom_netlabel(ndc_t)
  corenet_tcp_sendrecv_generic_if(ndc_t)
  corenet_tcp_sendrecv_generic_node(ndc_t)
-@@ -236,6 +248,9 @@ corenet_tcp_bind_generic_node(ndc_t)
+@@ -242,6 +248,9 @@ corenet_tcp_bind_generic_node(ndc_t)
  corenet_tcp_connect_rndc_port(ndc_t)
  corenet_sendrecv_rndc_client_packets(ndc_t)
  
@@ -9144,7 +10700,7 @@ index 076ffee..93ffa1d 100644
  domain_use_interactive_fds(ndc_t)
  
  files_search_pids(ndc_t)
-@@ -251,7 +266,7 @@ init_use_script_ptys(ndc_t)
+@@ -257,7 +266,7 @@ init_use_script_ptys(ndc_t)
  
  logging_send_syslog_msg(ndc_t)
  
@@ -9154,9 +10710,15 @@ index 076ffee..93ffa1d 100644
  userdom_use_user_terminals(ndc_t)
  
 diff --git a/bird.te b/bird.te
-index d4d71ec..f53b135 100644
+index 1d60c27..f53b135 100644
 --- a/bird.te
 +++ b/bird.te
+@@ -1,4 +1,4 @@
+-policy_module(bird, 1.1.0)
++policy_module(bird, 1.0.2)
+ 
+ ########################################
+ #
 @@ -51,7 +51,6 @@ corenet_tcp_connect_bgp_port(bird_t)
  corenet_tcp_sendrecv_bgp_port(bird_t)
  
@@ -9185,9 +10747,15 @@ index e73fb79..2badfc0 100644
  	domain_system_change_exemption($1)
  	role_transition $2 bitlbee_initrc_exec_t system_r;
 diff --git a/bitlbee.te b/bitlbee.te
-index ac8c91e..48a96b7 100644
+index f5c1a48..48a96b7 100644
 --- a/bitlbee.te
 +++ b/bitlbee.te
+@@ -1,4 +1,4 @@
+-policy_module(bitlbee, 1.5.0)
++policy_module(bitlbee, 1.4.4)
+ 
+ ########################################
+ #
 @@ -35,9 +35,12 @@ files_pid_file(bitlbee_var_run_t)
  
  allow bitlbee_t self:capability { dac_override kill setgid setuid sys_nice };
@@ -9272,10 +10840,16 @@ index 16ec525..1dd4059 100644
  
  ########################################
 diff --git a/blueman.te b/blueman.te
-index bc5c984..63a4b1d 100644
+index 3a5032e..63a4b1d 100644
 --- a/blueman.te
 +++ b/blueman.te
-@@ -7,7 +7,7 @@ policy_module(blueman, 1.0.4)
+@@ -1,4 +1,4 @@
+-policy_module(blueman, 1.1.0)
++policy_module(blueman, 1.0.4)
+ 
+ ########################################
+ #
+@@ -7,7 +7,7 @@ policy_module(blueman, 1.1.0)
  
  type blueman_t;
  type blueman_exec_t;
@@ -9501,9 +11075,15 @@ index c723a0a..aa3283e 100644
 +	allow $1 bluetooth_unit_file_t:service all_service_perms;
  ')
 diff --git a/bluetooth.te b/bluetooth.te
-index 6f09d24..a4110db 100644
+index 851769e..a4110db 100644
 --- a/bluetooth.te
 +++ b/bluetooth.te
+@@ -1,4 +1,4 @@
+-policy_module(bluetooth, 3.5.0)
++policy_module(bluetooth, 3.4.5)
+ 
+ ########################################
+ #
 @@ -49,6 +49,9 @@ files_type(bluetooth_var_lib_t)
  type bluetooth_var_run_t;
  files_pid_file(bluetooth_var_run_t)
@@ -9573,7 +11153,7 @@ index 6f09d24..a4110db 100644
  miscfiles_read_fonts(bluetooth_t)
  miscfiles_read_hwdata(bluetooth_t)
  
-@@ -130,8 +143,13 @@ userdom_dontaudit_use_unpriv_user_fds(bluetooth_t)
+@@ -130,6 +143,10 @@ userdom_dontaudit_use_unpriv_user_fds(bluetooth_t)
  userdom_dontaudit_use_user_terminals(bluetooth_t)
  userdom_dontaudit_search_user_home_dirs(bluetooth_t)
  
@@ -9583,11 +11163,8 @@ index 6f09d24..a4110db 100644
 +
  optional_policy(`
  	dbus_system_bus_client(bluetooth_t)
-+	dbus_connect_system_bus(bluetooth_t)
- 
- 	optional_policy(`
- 		cups_dbus_chat(bluetooth_t)
-@@ -199,7 +217,6 @@ dev_read_urand(bluetooth_helper_t)
+ 	dbus_connect_system_bus(bluetooth_t)
+@@ -200,7 +217,6 @@ dev_read_urand(bluetooth_helper_t)
  domain_read_all_domains_state(bluetooth_helper_t)
  
  files_read_etc_runtime_files(bluetooth_helper_t)
@@ -9838,33 +11415,33 @@ index 02fefaa..fbcef10 100644
 +	')
  ')
 diff --git a/boinc.te b/boinc.te
-index 7c92aa1..b326c23 100644
+index 687d4c4..b326c23 100644
 --- a/boinc.te
 +++ b/boinc.te
-@@ -1,11 +1,20 @@
--policy_module(boinc, 1.0.3)
+@@ -1,4 +1,4 @@
+-policy_module(boinc, 1.1.1)
 +policy_module(boinc, 1.0.0)
  
  ########################################
  #
- # Declarations
- #
+@@ -7,12 +7,14 @@ policy_module(boinc, 1.1.1)
  
--type boinc_t;
-+## <desc>
-+##	<p>
+ ## <desc>
+ ##	<p>
+-##	Determine whether boinc can execmem/execstack.
 +##	Allow boinc_domain execmem/execstack.
-+##	</p>
-+## </desc>
-+gen_tunable(boinc_execmem, true)
-+
+ ##	</p>
+ ## </desc>
+ gen_tunable(boinc_execmem, true)
+ 
+-type boinc_t;
 +attribute boinc_domain;
 +
 +type boinc_t, boinc_domain;
  type boinc_exec_t;
  init_daemon_domain(boinc_t, boinc_exec_t)
  
-@@ -21,107 +30,122 @@ files_tmpfs_file(boinc_tmpfs_t)
+@@ -28,107 +30,122 @@ files_tmpfs_file(boinc_tmpfs_t)
  type boinc_var_lib_t;
  files_type(boinc_var_lib_t)
  
@@ -10044,7 +11621,7 @@ index 7c92aa1..b326c23 100644
  
  term_getattr_all_ptys(boinc_t)
  term_getattr_unallocated_ttys(boinc_t)
-@@ -130,55 +154,69 @@ init_read_utmp(boinc_t)
+@@ -137,59 +154,69 @@ init_read_utmp(boinc_t)
  
  logging_send_syslog_msg(boinc_t)
  
@@ -10052,16 +11629,19 @@ index 7c92aa1..b326c23 100644
 -miscfiles_read_localization(boinc_t)
 +modutils_dontaudit_exec_insmod(boinc_t)
  
--optional_policy(`
--	mta_send_mail(boinc_t)
+-tunable_policy(`boinc_execmem',`
+-	allow boinc_t self:process { execstack execmem };
 -')
 +xserver_stream_connect(boinc_t)
  
  optional_policy(`
--	sysnet_dns_name_resolve(boinc_t)
-+	mta_send_mail(boinc_t)
+ 	mta_send_mail(boinc_t)
  ')
  
+-optional_policy(`
+-	sysnet_dns_name_resolve(boinc_t)
+-')
+-
  ########################################
  #
 -# Project local policy
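Review bot: The inner lines that delete the tunable_policy block for boinc_execmem, with its "allow boinc_t self:process { execstack execmem };", leave this part of boinc.te with no rule that consumes the tunable. The declaration hunk above keeps gen_tunable(boinc_execmem, true) and rewords the description to "Allow boinc_domain execmem/execstack". Please confirm the rule is re-added against boinc_domain elsewhere in the file. If it is, the default of true then applies execmem and execstack to every type carrying the boinc_domain attribute rather than to boinc_t alone, which deserves a line in the changelog.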
@@ -10134,9 +11714,15 @@ index 7c92aa1..b326c23 100644
 +	unconfined_domain(boinc_project_t)
 +')
 diff --git a/brctl.te b/brctl.te
-index bcd1e87..6294955 100644
+index c5a9113..6294955 100644
 --- a/brctl.te
 +++ b/brctl.te
+@@ -1,4 +1,4 @@
+-policy_module(brctl, 1.7.0)
++policy_module(brctl, 1.6.2)
+ 
+ ########################################
+ #
 @@ -34,12 +34,9 @@ dev_write_sysfs_dirs(brctl_t)
  
  domain_use_interactive_fds(brctl_t)
@@ -10211,10 +11797,16 @@ index 1b22262..bf0cefa 100644
 +	')
  ')
 diff --git a/bugzilla.te b/bugzilla.te
-index 41f8251..57f094e 100644
+index 18623e3..57f094e 100644
 --- a/bugzilla.te
 +++ b/bugzilla.te
-@@ -7,6 +7,9 @@ policy_module(bugzilla, 1.0.4)
+@@ -1,4 +1,4 @@
+-policy_module(bugzilla, 1.1.0)
++policy_module(bugzilla, 1.0.4)
+ 
+ ########################################
+ #
+@@ -7,6 +7,9 @@ policy_module(bugzilla, 1.1.0)
  
  apache_content_template(bugzilla)
  
@@ -10576,11 +12168,11 @@ index 8de2ab9..3b41945 100644
 +	domtrans_pattern($1, cachefilesd_exec_t, cachefilesd_t)
  ')
 diff --git a/cachefilesd.te b/cachefilesd.te
-index 581c8ef..2d9508e 100644
+index a3760bc..2d9508e 100644
 --- a/cachefilesd.te
 +++ b/cachefilesd.te
 @@ -1,52 +1,144 @@
--policy_module(cachefilesd, 1.0.1)
+-policy_module(cachefilesd, 1.1.0)
 +###############################################################################
 +#
 +# Copyright (C) 2006, 2010 Red Hat, Inc. All Rights Reserved.
@@ -10760,9 +12352,15 @@ index cd9c528..ba793b7 100644
  ')
  
 diff --git a/calamaris.te b/calamaris.te
-index f4f21d3..de28437 100644
+index 7e57460..de28437 100644
 --- a/calamaris.te
 +++ b/calamaris.te
+@@ -1,4 +1,4 @@
+-policy_module(calamaris, 1.8.0)
++policy_module(calamaris, 1.7.2)
+ 
+ ########################################
+ #
 @@ -41,19 +41,23 @@ kernel_read_system_state(calamaris_t)
  
  corecmd_exec_bin(calamaris_t)
@@ -10793,9 +12391,15 @@ index f4f21d3..de28437 100644
  
  optional_policy(`
 diff --git a/callweaver.te b/callweaver.te
-index 528051e..44e5b7d 100644
+index 0e5be4c..44e5b7d 100644
 --- a/callweaver.te
 +++ b/callweaver.te
+@@ -1,4 +1,4 @@
+-policy_module(callweaver, 1.1.0)
++policy_module(callweaver, 1.0.2)
+ 
+ ########################################
+ #
 @@ -84,4 +84,3 @@ term_use_ptmx(callweaver_t)
  
  auth_use_nsswitch(callweaver_t)
@@ -10821,9 +12425,15 @@ index 400db07..f416e22 100644
  	domain_system_change_exemption($1)
  	role_transition $2 canna_initrc_exec_t system_r;
 diff --git a/canna.te b/canna.te
-index 4ec0626..32b7796 100644
+index 9fe6162..32b7796 100644
 --- a/canna.te
 +++ b/canna.te
+@@ -1,4 +1,4 @@
+-policy_module(canna, 1.12.0)
++policy_module(canna, 1.11.1)
+ 
+ ########################################
+ #
 @@ -52,7 +52,6 @@ files_pid_filetrans(canna_t, canna_var_run_t, { dir sock_file })
  kernel_read_kernel_sysctls(canna_t)
  kernel_read_system_state(canna_t)
@@ -10883,9 +12493,15 @@ index 5ded72d..cb94e5e 100644
  	files_search_var_lib($1)
  	admin_pattern($1, ccs_var_lib_t)
 diff --git a/ccs.te b/ccs.te
-index b85b53b..476aaa3 100644
+index 658134d..476aaa3 100644
 --- a/ccs.te
 +++ b/ccs.te
+@@ -1,4 +1,4 @@
+-policy_module(ccs, 1.6.0)
++policy_module(ccs, 1.5.2)
+ 
+ ########################################
+ #
 @@ -37,7 +37,7 @@ files_pid_file(ccs_var_run_t)
  
  allow ccs_t self:capability { ipc_owner ipc_lock sys_nice sys_resource sys_admin };
@@ -10946,9 +12562,15 @@ index fbc20f6..4de4a00 100644
  	ps_process_pattern($2, cdrecord_t)
  ')
 diff --git a/cdrecord.te b/cdrecord.te
-index 55fb26a..a7555c0 100644
+index 16883c9..a7555c0 100644
 --- a/cdrecord.te
 +++ b/cdrecord.te
+@@ -1,4 +1,4 @@
+-policy_module(cdrecord, 2.6.0)
++policy_module(cdrecord, 2.5.2)
+ 
+ ########################################
+ #
 @@ -41,8 +41,6 @@ dev_read_sysfs(cdrecord_t)
  domain_interactive_fd(cdrecord_t)
  domain_use_interactive_fds(cdrecord_t)
@@ -11008,9 +12630,15 @@ index 0c53b18..ef29f6e 100644
  	domain_system_change_exemption($1)
  	role_transition $2 certmaster_initrc_exec_t system_r;
 diff --git a/certmaster.te b/certmaster.te
-index bf82163..2b571c7 100644
+index 4a87873..2b571c7 100644
 --- a/certmaster.te
 +++ b/certmaster.te
+@@ -1,4 +1,4 @@
+-policy_module(certmaster, 1.3.0)
++policy_module(certmaster, 1.2.1)
+ 
+ ########################################
+ #
 @@ -65,11 +65,10 @@ corenet_tcp_sendrecv_certmaster_port(certmaster_t)
  dev_read_urand(certmaster_t)
  
@@ -11067,9 +12695,15 @@ index 008f8ef..144c074 100644
  	admin_pattern($1, certmonger_var_run_t)
  ')
 diff --git a/certmonger.te b/certmonger.te
-index 2354e21..3a07ee5 100644
+index 550b287..3a07ee5 100644
 --- a/certmonger.te
 +++ b/certmonger.te
+@@ -1,4 +1,4 @@
+-policy_module(certmonger, 1.2.0)
++policy_module(certmonger, 1.1.5)
+ 
+ ########################################
+ #
 @@ -18,6 +18,9 @@ files_type(certmonger_var_lib_t)
  type certmonger_var_run_t;
  files_pid_file(certmonger_var_run_t)
@@ -11211,9 +12845,15 @@ index 2354e21..3a07ee5 100644
 +	')
 +')
 diff --git a/certwatch.te b/certwatch.te
-index 403af41..1a4bd9c 100644
+index 171fafb..1a4bd9c 100644
 --- a/certwatch.te
 +++ b/certwatch.te
+@@ -1,4 +1,4 @@
+-policy_module(certwatch, 1.8.0)
++policy_module(certwatch, 1.7.2)
+ 
+ ########################################
+ #
 @@ -20,33 +20,45 @@ role certwatch_roles types certwatch_t;
  
  allow certwatch_t self:capability sys_nice;
@@ -11366,9 +13006,15 @@ index a731122..5279d4e 100644
  ')
 +
 diff --git a/cfengine.te b/cfengine.te
-index 8af5bbe..168f01f 100644
+index fbe3ad9..168f01f 100644
 --- a/cfengine.te
 +++ b/cfengine.te
+@@ -1,4 +1,4 @@
+-policy_module(cfengine, 1.1.0)
++policy_module(cfengine, 1.0.2)
+ 
+ ########################################
+ #
 @@ -41,18 +41,13 @@ create_files_pattern(cfengine_domain, cfengine_log_t, cfengine_log_t)
  setattr_files_pattern(cfengine_domain, cfengine_log_t, cfengine_log_t)
  logging_log_filetrans(cfengine_domain, cfengine_log_t, dir)
@@ -11423,9 +13069,15 @@ index 85ca63f..1d1c99c 100644
  	admin_pattern($1, { cgconfig_etc_t cgrules_etc_t })
  	files_list_etc($1)
 diff --git a/cgroup.te b/cgroup.te
-index fdee107..a4c2efb 100644
+index 80a88a2..a4c2efb 100644
 --- a/cgroup.te
 +++ b/cgroup.te
+@@ -1,4 +1,4 @@
+-policy_module(cgroup, 1.2.0)
++policy_module(cgroup, 1.1.3)
+ 
+ ########################################
+ #
 @@ -25,8 +25,8 @@ files_pid_file(cgred_var_run_t)
  type cgrules_etc_t;
  files_config_file(cgrules_etc_t)
@@ -12094,9 +13746,15 @@ index 32e8265..0de4af3 100644
 +	allow $1 chronyd_unit_file_t:service all_service_perms;
  ')
 diff --git a/chronyd.te b/chronyd.te
-index 914ee2d..d0c8001 100644
+index e5b621c..d0c8001 100644
 --- a/chronyd.te
 +++ b/chronyd.te
+@@ -1,4 +1,4 @@
+-policy_module(chronyd, 1.2.0)
++policy_module(chronyd, 1.1.4)
+ 
+ ########################################
+ #
 @@ -18,6 +18,9 @@ files_type(chronyd_keys_t)
  type chronyd_tmpfs_t;
  files_tmpfs_file(chronyd_tmpfs_t)
@@ -12410,9 +14068,15 @@ index 0000000..f257547
 +')
 +
 diff --git a/cipe.te b/cipe.te
-index 28c8475..9b86dd1 100644
+index a0aa693..9b86dd1 100644
 --- a/cipe.te
 +++ b/cipe.te
+@@ -1,4 +1,4 @@
+-policy_module(cipe, 1.6.0)
++policy_module(cipe, 1.5.1)
+ 
+ ########################################
+ #
 @@ -29,7 +29,6 @@ kernel_read_system_state(ciped_t)
  corecmd_exec_shell(ciped_t)
  corecmd_exec_bin(ciped_t)
@@ -12701,9 +14365,15 @@ index 4cc4a5c..99c5cca 100644
 +
  ')
 diff --git a/clamav.te b/clamav.te
-index 8e1fef9..c8c9a5a 100644
+index ce3836a..c8c9a5a 100644
 --- a/clamav.te
 +++ b/clamav.te
+@@ -1,4 +1,4 @@
+-policy_module(clamav, 1.11.0)
++policy_module(clamav, 1.10.6)
+ 
+ ## <desc>
+ ##	<p>
 @@ -38,6 +38,9 @@ files_config_file(clamd_etc_t)
  type clamd_initrc_exec_t;
  init_script_file(clamd_initrc_exec_t)
@@ -12844,9 +14514,15 @@ index 8e1fef9..c8c9a5a 100644
  ')
  
 diff --git a/clockspeed.te b/clockspeed.te
-index b59c592..4b8cddc 100644
+index d3e2a67..4b8cddc 100644
 --- a/clockspeed.te
 +++ b/clockspeed.te
+@@ -1,4 +1,4 @@
+-policy_module(clockspeed, 1.6.0)
++policy_module(clockspeed, 1.5.1)
+ 
+ ########################################
+ #
 @@ -29,7 +29,6 @@ allow clockspeed_cli_t self:udp_socket create_socket_perms;
  
  read_files_pattern(clockspeed_cli_t, clockspeed_var_lib_t, clockspeed_var_lib_t)
@@ -12887,9 +14563,15 @@ index b59c592..4b8cddc 100644
  optional_policy(`
  	daemontools_service_domain(clockspeed_srv_t, clockspeed_srv_exec_t)
 diff --git a/clogd.te b/clogd.te
-index 29782b8..685edff 100644
+index 4a5b3d1..685edff 100644
 --- a/clogd.te
 +++ b/clogd.te
+@@ -1,4 +1,4 @@
+-policy_module(clogd, 1.1.0)
++policy_module(clogd, 1.0.1)
+ 
+ ########################################
+ #
 @@ -41,9 +41,6 @@ storage_raw_write_fixed_disk(clogd_t)
  
  logging_send_syslog_msg(clogd_t)
@@ -13347,9 +15029,15 @@ index cc4e7cb..f348d27 100644
  	domain_system_change_exemption($1)
  	role_transition $2 cmirrord_initrc_exec_t system_r;
 diff --git a/cmirrord.te b/cmirrord.te
-index d8e9958..e4c023c 100644
+index bbdd396..e4c023c 100644
 --- a/cmirrord.te
 +++ b/cmirrord.te
+@@ -1,4 +1,4 @@
+-policy_module(cmirrord, 1.1.0)
++policy_module(cmirrord, 1.0.1)
+ 
+ ########################################
+ #
 @@ -23,7 +23,7 @@ files_pid_file(cmirrord_var_run_t)
  # Local policy
  #
@@ -13464,9 +15152,15 @@ index c223f81..8b567c1 100644
 -	admin_pattern($1, { httpd_cobbler_content_t httpd_cobbler_content_ra_t httpd_cobbler_content_rw_t })
  ')
 diff --git a/cobbler.te b/cobbler.te
-index 2a71346..3a38b11 100644
+index 5f306dd..3a38b11 100644
 --- a/cobbler.te
 +++ b/cobbler.te
+@@ -1,4 +1,4 @@
+-policy_module(cobbler, 1.2.0)
++policy_module(cobbler, 1.1.4)
+ 
+ ########################################
+ #
 @@ -81,6 +81,7 @@ manage_dirs_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t)
  manage_files_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t)
  manage_lnk_files_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t)
@@ -14170,10 +15864,16 @@ index 6471fa8..f8b4a5b 100644
 +
 +auth_read_passwd(httpd_collectd_script_t)
 diff --git a/colord.fc b/colord.fc
-index 717ea0b..22e0385 100644
+index 71639eb..22e0385 100644
 --- a/colord.fc
 +++ b/colord.fc
-@@ -4,5 +4,7 @@
+@@ -1,11 +1,10 @@
+-/usr/lib/colord/colord	--	gen_context(system_u:object_r:colord_exec_t,s0)
+-/usr/lib/colord/colord-sane	--	gen_context(system_u:object_r:colord_exec_t,s0)
+-
+ /usr/lib/[^/]*/colord/colord	--	gen_context(system_u:object_r:colord_exec_t,s0)
+ /usr/lib/[^/]*/colord/colord-sane	--	gen_context(system_u:object_r:colord_exec_t,s0)
+ 
  /usr/libexec/colord	--	gen_context(system_u:object_r:colord_exec_t,s0)
  /usr/libexec/colord-sane	--	gen_context(system_u:object_r:colord_exec_t,s0)
  
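Review bot: Removing the two plain /usr/lib/colord/ entries at the top of colord.fc leaves only "/usr/lib/[^/]*/colord/colord" (plus the colord-sane variant) and the /usr/libexec paths. That regular expression requires one directory level between /usr/lib and colord, so a binary installed at /usr/lib/colord/colord would no longer be labelled colord_exec_t and would not transition into colord_t. Confirm that no F20 package installs colord at that path, or keep the plain entries.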
@@ -14235,10 +15935,16 @@ index 8e27a37..825f537 100644
 +	ps_process_pattern($1, colord_t)
 +')
 diff --git a/colord.te b/colord.te
-index 09f18e2..3547d05 100644
+index 9f2dfb2..3547d05 100644
 --- a/colord.te
 +++ b/colord.te
-@@ -8,6 +8,7 @@ policy_module(colord, 1.0.2)
+@@ -1,4 +1,4 @@
+-policy_module(colord, 1.1.0)
++policy_module(colord, 1.0.2)
+ 
+ ########################################
+ #
+@@ -8,6 +8,7 @@ policy_module(colord, 1.1.0)
  type colord_t;
  type colord_exec_t;
  dbus_system_domain(colord_t, colord_exec_t)
@@ -14271,7 +15977,7 @@ index 09f18e2..3547d05 100644
  
  manage_dirs_pattern(colord_t, colord_tmp_t, colord_tmp_t)
  manage_files_pattern(colord_t, colord_tmp_t, colord_tmp_t)
-@@ -74,22 +81,21 @@ dev_read_video_dev(colord_t)
+@@ -74,52 +81,52 @@ dev_read_video_dev(colord_t)
  dev_write_video_dev(colord_t)
  dev_rw_printer(colord_t)
  dev_read_rand(colord_t)
@@ -14298,22 +16004,25 @@ index 09f18e2..3547d05 100644
  
  storage_getattr_fixed_disk_dev(colord_t)
  storage_getattr_removable_dev(colord_t)
-@@ -98,25 +104,29 @@ storage_write_scsi_generic(colord_t)
+ storage_read_scsi_generic(colord_t)
+ storage_write_scsi_generic(colord_t)
  
+-init_read_state(colord_t)
+-
  auth_use_nsswitch(colord_t)
  
+-logging_send_syslog_msg(colord_t)
 +init_read_state(colord_t)
-+
- logging_send_syslog_msg(colord_t)
  
 -miscfiles_read_localization(colord_t)
-+systemd_read_logind_sessions_files(colord_t)
++logging_send_syslog_msg(colord_t)
  
 -tunable_policy(`use_nfs_home_dirs',`
 -	fs_getattr_nfs(colord_t)
 -	fs_read_nfs_files(colord_t)
 -')
--
++systemd_read_logind_sessions_files(colord_t)
+ 
 -tunable_policy(`use_samba_home_dirs',`
 -	fs_getattr_cifs(colord_t)
 -	fs_read_cifs_files(colord_t)
@@ -14326,6 +16035,7 @@ index 09f18e2..3547d05 100644
  optional_policy(`
  	cups_read_config(colord_t)
  	cups_read_rw_config(colord_t)
+-	cups_read_state(colord_t)
  	cups_stream_connect(colord_t)
  	cups_dbus_chat(colord_t)
 +	cups_read_state(colord_t)
@@ -14338,10 +16048,12 @@ index 09f18e2..3547d05 100644
  ')
  
  optional_policy(`
-@@ -133,3 +143,16 @@ optional_policy(`
+@@ -135,5 +142,17 @@ optional_policy(`
+ 
  optional_policy(`
  	udev_read_db(colord_t)
- ')
+-	udev_read_pid_files(colord_t)
++')
 +
 +optional_policy(`
 +	xserver_dbus_chat_xdm(colord_t)
@@ -14354,11 +16066,17 @@ index 09f18e2..3547d05 100644
 +
 +optional_policy(`
 +	zoneminder_rw_tmpfs_files(colord_t)
-+')
+ ')
 diff --git a/comsat.te b/comsat.te
-index 3f6e4dc..88c4f19 100644
+index c63cf85..88c4f19 100644
 --- a/comsat.te
 +++ b/comsat.te
+@@ -1,4 +1,4 @@
+-policy_module(comsat, 1.8.0)
++policy_module(comsat, 1.7.1)
+ 
+ ########################################
+ #
 @@ -37,6 +37,13 @@ kernel_read_kernel_sysctls(comsat_t)
  kernel_read_network_state(comsat_t)
  kernel_read_system_state(comsat_t)
@@ -14383,16 +16101,18 @@ index 3f6e4dc..88c4f19 100644
  
  mta_getattr_spool(comsat_t)
 diff --git a/condor.fc b/condor.fc
-index 23dc348..c4450f7 100644
+index ad2b696..c4450f7 100644
 --- a/condor.fc
 +++ b/condor.fc
-@@ -1,4 +1,5 @@
+@@ -1,6 +1,5 @@
+-/etc/condor(/.*)?	gen_context(system_u:object_r:condor_conf_t,s0)
+-
  /etc/rc\.d/init\.d/condor	--	gen_context(system_u:object_r:condor_initrc_exec_t,s0)
 +/usr/lib/systemd/system/condor.*        --  gen_context(system_u:object_r:condor_unit_file_t,s0)
  
  /usr/sbin/condor_collector	--	gen_context(system_u:object_r:condor_collector_exec_t,s0)
  /usr/sbin/condor_master	--	gen_context(system_u:object_r:condor_master_exec_t,s0)
-@@ -8,6 +9,8 @@
+@@ -10,6 +9,8 @@
  /usr/sbin/condor_startd	--	gen_context(system_u:object_r:condor_startd_exec_t,s0)
  /usr/sbin/condor_starter	--	gen_context(system_u:object_r:condor_startd_exec_t,s0)
  
@@ -14402,10 +16122,10 @@ index 23dc348..c4450f7 100644
  
  /var/lib/condor/execute(/.*)?	gen_context(system_u:object_r:condor_var_lib_t,s0)
 diff --git a/condor.if b/condor.if
-index 3fe3cb8..e979b3d 100644
+index 881d92f..e979b3d 100644
 --- a/condor.if
 +++ b/condor.if
-@@ -1,81 +1,396 @@
+@@ -1,84 +1,396 @@
 -## <summary>High-Throughput Computing System.</summary>
 +
 +## <summary>policy for condor</summary>
@@ -14646,10 +16366,15 @@ index 3fe3cb8..e979b3d 100644
  #
 -interface(`condor_admin',`
 +interface(`condor_read_lib_files',`
-+	gen_require(`
+ 	gen_require(`
+-		attribute condor_domain;
+-		type condor_initrc_exec_config_t, condor_log_t;
+-		type condor_var_lib_t, condor_var_lock_t, condor_schedd_tmp_t;
+-		type condor_var_run_t, condor_startd_tmp_t, condor_conf_t;
 +		type condor_var_lib_t;
-+	')
-+
+ 	')
+ 
+-	allow $1 condor_domain:process { ptrace signal_perms };
 +	files_search_var_lib($1)
 +	read_files_pattern($1, condor_var_lib_t, condor_var_lib_t)
 +')
@@ -14722,15 +16447,10 @@ index 3fe3cb8..e979b3d 100644
 +## </param>
 +#
 +interface(`condor_read_pid_files',`
- 	gen_require(`
--		attribute condor_domain;
--		type condor_initrc_exec_config_t, condor_log_t;
--		type condor_var_lib_t, condor_var_lock_t, condor_schedd_tmp_t;
--		type condor_var_run_t, condor_startd_tmp_t;
++	gen_require(`
 +		type condor_var_run_t;
- 	')
- 
--	allow $1 condor_domain:process { ptrace signal_perms };
++	')
++
 +	files_search_pids($1)
 +	allow $1 condor_var_run_t:file read_file_perms;
 +')
@@ -14758,7 +16478,11 @@ index 3fe3cb8..e979b3d 100644
 +
  	ps_process_pattern($1, condor_domain)
 +')
-+
+ 
+-	init_labeled_script_domtrans($1, condor_initrc_exec_t)
+-	domain_system_change_exemption($1)
+-	role_transition $2 condor_initrc_exec_t system_r;
+-	allow $2 system_r;
 +#######################################
 +## <summary>
 +##  Read and write condor_startd server TCP sockets.
@@ -14774,10 +16498,8 @@ index 3fe3cb8..e979b3d 100644
 +		type condor_startd_t;
 +	')
  
--	init_labeled_script_domtrans($1, condor_initrc_exec_t)
--	domain_system_change_exemption($1)
--	role_transition $2 condor_initrc_exec_t system_r;
--	allow $2 system_r;
+-	files_search_etc($1)
+-	admin_pattern($1, condor_conf_t)
 +	allow $1 condor_startd_t:tcp_socket rw_socket_perms;
 +')
 +
@@ -14842,7 +16564,7 @@ index 3fe3cb8..e979b3d 100644
  
  	files_search_var_lib($1)
  	admin_pattern($1, condor_var_lib_t)
-@@ -85,4 +400,13 @@ interface(`condor_admin',`
+@@ -88,4 +400,13 @@ interface(`condor_admin',`
  
  	files_search_tmp($1)
  	admin_pattern($1, { condor_schedd_tmp_t condor_startd_tmp_t })
@@ -14857,20 +16579,27 @@ index 3fe3cb8..e979b3d 100644
 +	')
  ')
 diff --git a/condor.te b/condor.te
-index 3f2b672..8fb887d 100644
+index ce9f040..8fb887d 100644
 --- a/condor.te
 +++ b/condor.te
-@@ -34,6 +34,9 @@ files_tmp_file(condor_startd_tmp_t)
+@@ -1,4 +1,4 @@
+-policy_module(condor, 1.0.1)
++policy_module(condor, 1.0.0)
+ 
+ ########################################
+ #
+@@ -34,8 +34,8 @@ files_tmp_file(condor_startd_tmp_t)
  type condor_startd_tmpfs_t;
  files_tmpfs_file(condor_startd_tmpfs_t)
  
+-type condor_conf_t;
+-files_config_file(condor_conf_t)
 +type condor_etc_rw_t;
 +files_config_file(condor_etc_rw_t)
-+
+ 
  type condor_log_t;
  logging_log_file(condor_log_t)
- 
-@@ -46,6 +49,9 @@ files_lock_file(condor_var_lock_t)
+@@ -49,6 +49,9 @@ files_lock_file(condor_var_lock_t)
  type condor_var_run_t;
  files_pid_file(condor_var_run_t)
  
@@ -14880,7 +16609,7 @@ index 3f2b672..8fb887d 100644
  condor_domain_template(collector)
  condor_domain_template(negotiator)
  condor_domain_template(procd)
-@@ -57,15 +63,21 @@ condor_domain_template(startd)
+@@ -60,12 +63,18 @@ condor_domain_template(startd)
  # Global local policy
  #
  
@@ -14895,19 +16624,14 @@ index 3f2b672..8fb887d 100644
 +allow condor_domain self:udp_socket create_socket_perms;
 +allow condor_domain self:unix_stream_socket create_stream_socket_perms;
 +allow condor_domain self:netlink_route_socket r_netlink_socket_perms;
-+
+ 
+-rw_files_pattern(condor_domain, condor_conf_t, condor_conf_t)
 +allow condor_domain condor_etc_rw_t:dir list_dir_perms;
 +rw_files_pattern(condor_domain, condor_etc_rw_t, condor_etc_rw_t)
  
  manage_dirs_pattern(condor_domain, condor_log_t, condor_log_t)
--append_files_pattern(condor_domain, condor_log_t, condor_log_t)
--create_files_pattern(condor_domain, condor_log_t, condor_log_t)
--getattr_files_pattern(condor_domain, condor_log_t, condor_log_t)
-+manage_files_pattern(condor_domain, condor_log_t, condor_log_t)
- logging_log_filetrans(condor_domain, condor_log_t, { dir file })
- 
- manage_dirs_pattern(condor_domain, condor_var_lib_t, condor_var_lib_t)
-@@ -83,16 +95,14 @@ files_pid_filetrans(condor_domain, condor_var_run_t, { dir file fifo_file })
+ manage_files_pattern(condor_domain, condor_log_t, condor_log_t)
+@@ -86,16 +95,14 @@ files_pid_filetrans(condor_domain, condor_var_run_t, { dir file fifo_file })
  
  allow condor_domain condor_master_t:process signull;
  allow condor_domain condor_master_t:tcp_socket getattr;
@@ -14925,19 +16649,18 @@ index 3f2b672..8fb887d 100644
  corenet_tcp_sendrecv_generic_if(condor_domain)
  corenet_tcp_sendrecv_generic_node(condor_domain)
  
-@@ -106,9 +116,9 @@ dev_read_rand(condor_domain)
+@@ -109,9 +116,7 @@ dev_read_rand(condor_domain)
  dev_read_sysfs(condor_domain)
  dev_read_urand(condor_domain)
  
 -logging_send_syslog_msg(condor_domain)
+-
+-miscfiles_read_localization(condor_domain)
 +auth_read_passwd(condor_domain)
  
--miscfiles_read_localization(condor_domain)
-+sysnet_dns_name_resolve(condor_domain)
+ sysnet_dns_name_resolve(condor_domain)
  
- tunable_policy(`condor_tcp_network_connect',`
- 	corenet_sendrecv_all_client_packets(condor_domain)
-@@ -125,7 +135,7 @@ optional_policy(`
+@@ -130,7 +135,7 @@ optional_policy(`
  # Master local policy
  #
  
@@ -14946,7 +16669,7 @@ index 3f2b672..8fb887d 100644
  
  allow condor_master_t condor_domain:process { sigkill signal };
  
-@@ -133,6 +143,10 @@ manage_dirs_pattern(condor_master_t, condor_master_tmp_t, condor_master_tmp_t)
+@@ -138,6 +143,10 @@ manage_dirs_pattern(condor_master_t, condor_master_tmp_t, condor_master_tmp_t)
  manage_files_pattern(condor_master_t, condor_master_tmp_t, condor_master_tmp_t)
  files_tmp_filetrans(condor_master_t, condor_master_tmp_t, { file dir })
  
@@ -14957,7 +16680,7 @@ index 3f2b672..8fb887d 100644
  corenet_udp_sendrecv_generic_if(condor_master_t)
  corenet_udp_sendrecv_generic_node(condor_master_t)
  corenet_tcp_bind_generic_node(condor_master_t)
-@@ -152,6 +166,8 @@ domain_read_all_domains_state(condor_master_t)
+@@ -157,6 +166,8 @@ domain_read_all_domains_state(condor_master_t)
  
  auth_use_nsswitch(condor_master_t)
  
@@ -14966,7 +16689,7 @@ index 3f2b672..8fb887d 100644
  optional_policy(`
  	mta_send_mail(condor_master_t)
  	mta_read_config(condor_master_t)
-@@ -169,6 +185,8 @@ allow condor_collector_t condor_master_t:udp_socket rw_socket_perms;
+@@ -174,6 +185,8 @@ allow condor_collector_t condor_master_t:udp_socket rw_socket_perms;
  
  kernel_read_network_state(condor_collector_t)
  
@@ -14975,7 +16698,7 @@ index 3f2b672..8fb887d 100644
  #####################################
  #
  # Negotiator local policy
-@@ -178,6 +196,8 @@ allow condor_negotiator_t self:capability { setuid setgid };
+@@ -183,6 +196,8 @@ allow condor_negotiator_t self:capability { setuid setgid };
  allow condor_negotiator_t condor_master_t:tcp_socket rw_stream_socket_perms;
  allow condor_negotiator_t condor_master_t:udp_socket getattr;
  
@@ -14984,17 +16707,15 @@ index 3f2b672..8fb887d 100644
  ######################################
  #
  # Procd local policy
-@@ -185,7 +205,8 @@ allow condor_negotiator_t condor_master_t:udp_socket getattr;
+@@ -192,6 +207,7 @@ allow condor_procd_t self:capability { fowner chown kill dac_override sys_ptrace
  
- allow condor_procd_t self:capability { fowner chown kill dac_override sys_ptrace };
+ allow condor_procd_t condor_domain:process sigkill;
  
--allow condor_procd_t condor_startd_t:process sigkill;
-+allow condor_procd_t condor_domain:process sigkill;
 +
- 
  domain_read_all_domains_state(condor_procd_t)
  
-@@ -201,6 +222,8 @@ allow condor_schedd_t condor_master_t:udp_socket getattr;
+ #######################################
+@@ -206,6 +222,8 @@ allow condor_schedd_t condor_master_t:udp_socket getattr;
  
  allow condor_schedd_t condor_var_lock_t:dir manage_file_perms;
  
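Review bot: The rewritten inner hunk "@@ -192,6 +207,7 @@" in the Procd section now adds nothing but an empty line after "allow condor_procd_t condor_domain:process sigkill;", since that rule is already present in the base. Drop the hunk: a whitespace-only hunk changes no policy and is one more place for the next rebase to conflict.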
@@ -15003,7 +16724,7 @@ index 3f2b672..8fb887d 100644
  domtrans_pattern(condor_schedd_t, condor_procd_exec_t, condor_procd_t)
  domtrans_pattern(condor_schedd_t, condor_startd_exec_t, condor_startd_t)
  
-@@ -209,6 +232,8 @@ manage_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t)
+@@ -214,6 +232,8 @@ manage_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t)
  relabel_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t)
  files_tmp_filetrans(condor_schedd_t, condor_schedd_tmp_t, { file dir })
  
@@ -15012,7 +16733,7 @@ index 3f2b672..8fb887d 100644
  #####################################
  #
  # Startd local policy
-@@ -233,11 +258,10 @@ domain_read_all_domains_state(condor_startd_t)
+@@ -238,11 +258,10 @@ domain_read_all_domains_state(condor_startd_t)
  mcs_process_set_categories(condor_startd_t)
  
  init_domtrans_script(condor_startd_t)
@@ -15025,7 +16746,7 @@ index 3f2b672..8fb887d 100644
  optional_policy(`
  	ssh_basic_client_template(condor_startd, condor_startd_t, system_r)
  	ssh_domtrans(condor_startd_t)
-@@ -249,3 +273,7 @@ optional_policy(`
+@@ -254,3 +273,7 @@ optional_policy(`
  		kerberos_use(condor_startd_ssh_t)
  	')
  ')
@@ -15389,9 +17110,15 @@ index 5b830ec..0647a3b 100644
 +	ps_process_pattern($1, consolekit_t)
 +')
 diff --git a/consolekit.te b/consolekit.te
-index 5f0c793..580dff0 100644
+index bd18063..580dff0 100644
 --- a/consolekit.te
 +++ b/consolekit.te
+@@ -1,4 +1,4 @@
+-policy_module(consolekit, 1.9.0)
++policy_module(consolekit, 1.8.4)
+ 
+ ########################################
+ #
 @@ -19,21 +19,23 @@ type consolekit_var_run_t;
  files_pid_file(consolekit_var_run_t)
  init_daemon_run_dir(consolekit_var_run_t, "ConsoleKit")
@@ -15421,14 +17148,14 @@ index 5f0c793..580dff0 100644
  
  manage_dirs_pattern(consolekit_t, consolekit_var_run_t, consolekit_var_run_t)
  manage_files_pattern(consolekit_t, consolekit_var_run_t, consolekit_var_run_t)
-@@ -54,37 +56,36 @@ dev_read_sysfs(consolekit_t)
+@@ -54,42 +56,44 @@ dev_read_sysfs(consolekit_t)
  
  domain_read_all_domains_state(consolekit_t)
  domain_use_interactive_fds(consolekit_t)
 -domain_dontaudit_ptrace_all_domains(consolekit_t)
  
 -files_read_usr_files(consolekit_t)
- # needs to read /var/lib/dbus/machine-id
++# needs to read /var/lib/dbus/machine-id
  files_read_var_lib_files(consolekit_t)
  files_search_all_mountpoints(consolekit_t)
  
@@ -15441,9 +17168,11 @@ index 5f0c793..580dff0 100644
  auth_use_nsswitch(consolekit_t)
  auth_manage_pam_console_data(consolekit_t)
  auth_write_login_records(consolekit_t)
- 
-+init_read_utmp(consolekit_t)
+-auth_create_pam_console_data_dirs(consolekit_t)
+-auth_pid_filetrans_pam_var_console(consolekit_t, dir, "console")
 +
++init_read_utmp(consolekit_t)
+ 
  logging_send_syslog_msg(consolekit_t)
  logging_send_audit_msgs(consolekit_t)
  
@@ -15458,17 +17187,25 @@ index 5f0c793..580dff0 100644
  
 -tunable_policy(`use_nfs_home_dirs',`
 -	fs_read_nfs_files(consolekit_t)
--')
 +userdom_home_reader(consolekit_t)
++
++optional_policy(`
++	cron_read_system_job_lib_files(consolekit_t)
+ ')
  
 -tunable_policy(`use_samba_home_dirs',`
 -	fs_read_cifs_files(consolekit_t)
-+optional_policy(`
-+	cron_read_system_job_lib_files(consolekit_t)
++ifdef(`distro_debian',`
++	auth_create_pam_console_data_dirs(consolekit_t)
++	auth_pid_filetrans_pam_var_console(consolekit_t, dir, "console")
  ')
  
- ifdef(`distro_debian',`
-@@ -112,13 +113,6 @@ optional_policy(`
+ optional_policy(`
+-	dbus_read_lib_files(consolekit_t)
+ 	dbus_system_domain(consolekit_t, consolekit_exec_t)
+ 
+ 	optional_policy(`
+@@ -109,13 +113,6 @@ optional_policy(`
  	')
  ')
  
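Review bot: In consolekit.te the unconditional calls auth_create_pam_console_data_dirs(consolekit_t) and auth_pid_filetrans_pam_var_console(consolekit_t, dir, "console") are removed and re-added only inside the ifdef(distro_debian) block in this hunk, so a non-Debian build leaves consolekit_t without either rule. Please confirm that is intended for this branch and state the reason in a comment above the ifdef, or keep the calls unconditional as the base has them. The same hunk also drops dbus_read_lib_files(consolekit_t) from the optional_policy block; the earlier comment "needs to read /var/lib/dbus/machine-id" suggests checking that the remaining files_read_var_lib_files(consolekit_t) still covers that file.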
@@ -15615,9 +17352,15 @@ index 694a037..b836c07 100644
 +	allow $1 corosync_unit_file_t:service all_service_perms;
  ')
 diff --git a/corosync.te b/corosync.te
-index eeea48d..691ca11 100644
+index d5aa1e4..691ca11 100644
 --- a/corosync.te
 +++ b/corosync.te
+@@ -1,4 +1,4 @@
+-policy_module(corosync, 1.1.0)
++policy_module(corosync, 1.0.7)
+ 
+ ########################################
+ #
 @@ -28,6 +28,9 @@ logging_log_file(corosync_var_log_t)
  type corosync_var_run_t;
  files_pid_file(corosync_var_run_t)
@@ -15710,33 +17453,50 @@ index c086302..5d94628 100644
 +
 +/usr/lib/erlang/lib/couch-.*/priv/couchjs	--	gen_context(system_u:object_r:couchdb_js_exec_t,s0)
 diff --git a/couchdb.if b/couchdb.if
-index 83d6744..3f0c0dc 100644
+index 715a826..3f0c0dc 100644
 --- a/couchdb.if
 +++ b/couchdb.if
-@@ -2,6 +2,44 @@
+@@ -2,7 +2,7 @@
  
  ########################################
  ## <summary>
+-##	Read couchdb log files.
 +##	Allow to read couchdb log files.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`couchdb_read_log_files',`
-+	gen_require(`
-+		type couchdb_log_t;
-+	')
-+
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -15,13 +15,13 @@ interface(`couchdb_read_log_files',`
+ 		type couchdb_log_t;
+ 	')
+ 
+-	logging_search_logs($1)
 +	files_search_var_lib($1)
-+	read_files_pattern($1, couchdb_log_t, couchdb_log_t)
-+')
-+
-+########################################
-+## <summary>
+ 	read_files_pattern($1, couchdb_log_t, couchdb_log_t)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Read, write, and create couchdb lib files.
 +##	Allow to read couchdb lib files.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -29,7 +29,7 @@ interface(`couchdb_read_log_files',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`couchdb_manage_lib_files',`
++interface(`couchdb_read_lib_files',`
+ 	gen_require(`
+ 		type couchdb_var_lib_t;
+ 	')
+@@ -40,7 +40,46 @@ interface(`couchdb_manage_lib_files',`
+ 
+ ########################################
+ ## <summary>
+-##	Read couchdb config files.
++##	All of the rules required to
++##	administrate an couchdb environment.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
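Review bot: In couchdb_read_log_files the patch replaces upstream's logging_search_logs($1) with files_search_var_lib($1), so an interface that reads couchdb_log_t files no longer grants search on the log directory and grants it on the var_lib directory instead. That looks copied from the lib-file interfaces. Keep logging_search_logs($1) here, or add a comment if the couchdb logs on this distribution really sit under the var_lib tree.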
@@ -15744,25 +17504,6 @@ index 83d6744..3f0c0dc 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`couchdb_read_lib_files',`
-+	gen_require(`
-+		type couchdb_var_lib_t;
-+	')
-+
-+	files_search_var_lib($1)
-+	read_files_pattern($1, couchdb_var_lib_t, couchdb_var_lib_t)
-+')
-+
-+########################################
-+## <summary>
- ##	All of the rules required to
- ##	administrate an couchdb environment.
- ## </summary>
-@@ -10,6 +48,151 @@
- ##	Domain allowed access.
- ##	</summary>
- ## </param>
-+#
 +interface(`couchdb_manage_lib_files',`
 +	gen_require(`
 +		type couchdb_var_lib_t;
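Review bot: The summary added just above this hunk, "All of the rules required to administrate an couchdb environment.", ends up as the documentation header for interface couchdb_manage_lib_files here, which reads as a leftover from couchdb_admin. Give the interface a summary that matches what it does, for example the upstream text "Read, write, and create couchdb lib files." that the patch removes earlier in the file.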
@@ -15794,38 +17535,30 @@ index 83d6744..3f0c0dc 100644
 +########################################
 +## <summary>
 +##	Allow to read couchdb conf files.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`couchdb_read_conf_files',`
-+	gen_require(`
-+		type couchdb_conf_t;
-+	')
-+
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -53,13 +92,13 @@ interface(`couchdb_read_conf_files',`
+ 		type couchdb_conf_t;
+ 	')
+ 
+-	files_search_etc($1)
 +	files_search_var_lib($1)
-+	read_files_pattern($1, couchdb_conf_t, couchdb_conf_t)
-+')
-+
-+########################################
-+## <summary>
+ 	read_files_pattern($1, couchdb_conf_t, couchdb_conf_t)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Read couchdb pid files.
 +##	Read couchdb PID files.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`couchdb_read_pid_files',`
-+	gen_require(`
-+		type couchdb_var_run_t;
-+	')
-+
-+	files_search_pids($1)
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -73,19 +112,87 @@ interface(`couchdb_read_pid_files',`
+ 	')
+ 
+ 	files_search_pids($1)
+-	read_files_pattern($1, couchdb_var_run_t, couchdb_var_run_t)
 +	allow $1 couchdb_var_run_t:file read_file_perms;
 +')
 +
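Review bot: couchdb_read_pid_files swaps read_files_pattern($1, couchdb_var_run_t, couchdb_var_run_t) for a bare "allow $1 couchdb_var_run_t:file read_file_perms;", which drops the directory search on couchdb_var_run_t that the pattern macro includes. If the PID file sits inside a couchdb_var_run_t directory, callers will be denied at the directory; keeping the upstream line avoids that. The same hunk changes files_search_etc($1) to files_search_var_lib($1) in couchdb_read_conf_files, which needs a comment if couchdb_conf_t files are really expected under the var_lib tree.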
@@ -15870,17 +17603,20 @@ index 83d6744..3f0c0dc 100644
 +    manage_files_pattern($1, couchdb_var_lib_t, couchdb_var_lib_t)
 +    manage_files_pattern($1, couchdb_var_run_t, couchdb_var_run_t)
 +    manage_files_pattern($1, couchdb_conf_t, couchdb_conf_t)
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	All of the rules required to
+-##	administrate an couchdb environment.
 +##	Execute couchdb server in the couchdb domain.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain allowed access.
 +##	Domain allowed to transition.
-+##	</summary>
-+## </param>
+ ##	</summary>
+ ## </param>
 +#
 +interface(`couchdb_systemctl',`
 +	gen_require(`
@@ -15910,7 +17646,7 @@ index 83d6744..3f0c0dc 100644
  ## <param name="role">
  ##	<summary>
  ##	Role allowed access.
-@@ -19,14 +202,19 @@
+@@ -95,14 +202,19 @@ interface(`couchdb_read_pid_files',`
  #
  interface(`couchdb_admin',`
  	gen_require(`
@@ -15931,7 +17667,7 @@ index 83d6744..3f0c0dc 100644
  	init_labeled_script_domtrans($1, couchdb_initrc_exec_t)
  	domain_system_change_exemption($1)
  	role_transition $2 couchdb_initrc_exec_t system_r;
-@@ -46,4 +234,13 @@ interface(`couchdb_admin',`
+@@ -122,4 +234,13 @@ interface(`couchdb_admin',`
  
  	files_search_pids($1)
  	admin_pattern($1, couchdb_var_run_t)
@@ -15946,9 +17682,15 @@ index 83d6744..3f0c0dc 100644
 +	')
  ')
 diff --git a/couchdb.te b/couchdb.te
-index 503adab..509e73c 100644
+index ae1c1b1..509e73c 100644
 --- a/couchdb.te
 +++ b/couchdb.te
+@@ -1,4 +1,4 @@
+-policy_module(couchdb, 1.1.1)
++policy_module(couchdb, 1.0.2)
+ 
+ ########################################
+ #
 @@ -27,6 +27,13 @@ files_type(couchdb_var_lib_t)
  type couchdb_var_run_t;
  files_pid_file(couchdb_var_run_t)
@@ -16031,11 +17773,18 @@ index 503adab..509e73c 100644
  
 -miscfiles_read_localization(couchdb_t)
 diff --git a/courier.fc b/courier.fc
-index 8a4b596..cbecde8 100644
+index 2f017a0..cbecde8 100644
 --- a/courier.fc
 +++ b/courier.fc
-@@ -9,17 +9,18 @@
+@@ -4,24 +4,23 @@
+ /usr/bin/imapd	--	gen_context(system_u:object_r:courier_pop_exec_t,s0)
+ 
+ /usr/sbin/authdaemond	--	gen_context(system_u:object_r:courier_authdaemon_exec_t,s0)
+-/usr/sbin/courier-imapd	--	gen_context(system_u:object_r:courier_pop_exec_t,s0)
+ /usr/sbin/courierlogger	--	gen_context(system_u:object_r:courier_exec_t,s0)
+ /usr/sbin/courierldapaliasd	--	gen_context(system_u:object_r:courier_exec_t,s0)
  /usr/sbin/couriertcpd	--	gen_context(system_u:object_r:courier_tcpd_exec_t,s0)
+-/usr/sbin/imaplogin	--	gen_context(system_u:object_r:courier_pop_exec_t,s0)
  
  /usr/lib/courier/authlib/.*	--	gen_context(system_u:object_r:courier_authdaemon_exec_t,s0)
 -/usr/lib/courier/courier-authlib/.*	--	gen_context(system_u:object_r:courier_authdaemon_exec_t,s0)
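Review bot: The courier.fc hunk now deletes the base's file contexts for /usr/sbin/courier-imapd and /usr/sbin/imaplogin (both courier_pop_exec_t), while /usr/bin/imapd keeps the same label. Any package that installs those two paths would leave them without the courier_pop_exec_t label. Unless they are known not to ship on this release, keep the two entries, or note in the changelog why they are removed.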
@@ -16238,9 +17987,15 @@ index 10f820f..acdb179 100644
  	allow $1 courier_spool_t:fifo_file rw_fifo_file_perms;
  ')
 diff --git a/courier.te b/courier.te
-index 77bb077..1499c3f 100644
+index ae3bc70..1499c3f 100644
 --- a/courier.te
 +++ b/courier.te
+@@ -1,4 +1,4 @@
+-policy_module(courier, 1.14.0)
++policy_module(courier, 1.13.2)
+ 
+ ########################################
+ #
 @@ -18,7 +18,7 @@ type courier_etc_t;
  files_config_file(courier_etc_t)
  
@@ -16319,9 +18074,15 @@ index 77bb077..1499c3f 100644
  ########################################
  #
 diff --git a/cpucontrol.te b/cpucontrol.te
-index 2f1aad6..155a337 100644
+index af72c4e..155a337 100644
 --- a/cpucontrol.te
 +++ b/cpucontrol.te
+@@ -1,4 +1,4 @@
+-policy_module(cpucontrol, 1.4.0)
++policy_module(cpucontrol, 1.3.2)
+ 
+ ########################################
+ #
 @@ -42,8 +42,6 @@ term_dontaudit_use_console(cpucontrol_domain)
  init_use_fds(cpucontrol_domain)
  init_use_script_ptys(cpucontrol_domain)
@@ -16356,9 +18117,15 @@ index 2f1aad6..155a337 100644
 -miscfiles_read_localization(cpuspeed_t)
 +logging_send_syslog_msg(cpuspeed_t)
 diff --git a/cpufreqselector.te b/cpufreqselector.te
-index a3bbc21..7fd7d8f 100644
+index 6cedb87..7fd7d8f 100644
 --- a/cpufreqselector.te
 +++ b/cpufreqselector.te
+@@ -1,4 +1,4 @@
+-policy_module(cpufreqselector, 1.4.0)
++policy_module(cpufreqselector, 1.3.1)
+ 
+ ########################################
+ #
 @@ -14,21 +14,17 @@ init_daemon_domain(cpufreqselector_t, cpufreqselector_exec_t)
  # Local policy
  #
@@ -16393,47 +18160,79 @@ index a3bbc21..7fd7d8f 100644
 +	xserver_dbus_chat_xdm(cpufreqselector_t)
 +')
 diff --git a/cron.fc b/cron.fc
-index 6e76215..a665f12 100644
+index ad0bae9..a665f12 100644
 --- a/cron.fc
 +++ b/cron.fc
-@@ -3,6 +3,9 @@
- /etc/cron\.d(/.*)?			gen_context(system_u:object_r:system_cron_spool_t,s0)
- /etc/crontab			--	gen_context(system_u:object_r:system_cron_spool_t,s0)
+@@ -1,66 +1,74 @@
+-/etc/rc\.d/init\.d/(anacron|atd)	--	gen_context(system_u:object_r:crond_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/atd		--	gen_context(system_u:object_r:crond_initrc_exec_t,s0)
+ 
+-/etc/cron\.d(/.*)?	gen_context(system_u:object_r:system_cron_spool_t,s0)
+-/etc/crontab	--	gen_context(system_u:object_r:system_cron_spool_t,s0)
++/etc/cron\.d(/.*)?			gen_context(system_u:object_r:system_cron_spool_t,s0)
++/etc/crontab			--	gen_context(system_u:object_r:system_cron_spool_t,s0)
  
+-/usr/bin/at	--	gen_context(system_u:object_r:crontab_exec_t,s0)
+-/usr/bin/(f)?crontab	--	gen_context(system_u:object_r:crontab_exec_t,s0)
 +/usr/lib/systemd/system/atd.*	--	gen_context(system_u:object_r:crond_unit_file_t,s0)
 +/usr/lib/systemd/system/crond.*	--	gen_context(system_u:object_r:crond_unit_file_t,s0)
-+
- /usr/bin/at			--	gen_context(system_u:object_r:crontab_exec_t,s0)
- /usr/bin/(f)?crontab		--	gen_context(system_u:object_r:crontab_exec_t,s0)
- 
-@@ -12,9 +15,7 @@
- /usr/sbin/fcron			--	gen_context(system_u:object_r:crond_exec_t,s0)
- /usr/sbin/fcronsighup		--	gen_context(system_u:object_r:crontab_exec_t,s0)
  
--/var/lib/glpi/files(/.*)?		gen_context(system_u:object_r:cron_var_lib_t,s0)
--
--/var/log/cron.*				gen_context(system_u:object_r:cron_log_t,s0)
+-/usr/libexec/fcron	--	gen_context(system_u:object_r:crond_exec_t,s0)
+-/usr/libexec/fcronsighup	--	gen_context(system_u:object_r:crontab_exec_t,s0)
++/usr/bin/at			--	gen_context(system_u:object_r:crontab_exec_t,s0)
++/usr/bin/(f)?crontab		--	gen_context(system_u:object_r:crontab_exec_t,s0)
+ 
+-/usr/sbin/anacron	--	gen_context(system_u:object_r:anacron_exec_t,s0)
+-/usr/sbin/atd	--	gen_context(system_u:object_r:crond_exec_t,s0)
+-/usr/sbin/cron(d)?	--	gen_context(system_u:object_r:crond_exec_t,s0)
+-/usr/sbin/fcron	--	gen_context(system_u:object_r:crond_exec_t,s0)
+-/usr/sbin/fcronsighup	--	gen_context(system_u:object_r:crontab_exec_t,s0)
++/usr/sbin/anacron		--	gen_context(system_u:object_r:anacron_exec_t,s0)
++/usr/sbin/atd			--	gen_context(system_u:object_r:crond_exec_t,s0)
++/usr/sbin/cron(d)?		--	gen_context(system_u:object_r:crond_exec_t,s0)
++/usr/sbin/fcron			--	gen_context(system_u:object_r:crond_exec_t,s0)
++/usr/sbin/fcronsighup		--	gen_context(system_u:object_r:crontab_exec_t,s0)
+ 
+-/var/lib/glpi/files(/.*)?	gen_context(system_u:object_r:cron_var_lib_t,s0)
 +/var/log/cron.*             gen_context(system_u:object_r:cron_log_t,s0)
- /var/log/rpmpkgs.*		--	gen_context(system_u:object_r:cron_log_t,s0)
- 
- /var/run/anacron\.pid		--	gen_context(system_u:object_r:crond_var_run_t,s0)
-@@ -27,13 +28,23 @@
- 
- /var/spool/anacron(/.*)?		gen_context(system_u:object_r:system_cron_spool_t,s0)
- /var/spool/at(/.*)?			gen_context(system_u:object_r:user_cron_spool_t,s0)
--/var/spool/at/atspool(/.*)?		gen_context(system_u:object_r:user_cron_spool_log_t,s0)
- 
--/var/spool/cron			-d	gen_context(system_u:object_r:cron_spool_t,s0)
++/var/log/rpmpkgs.*		--	gen_context(system_u:object_r:cron_log_t,s0)
+ 
+-/var/log/cron.*	gen_context(system_u:object_r:cron_log_t,s0)
+-/var/log/rpmpkgs.*	--	gen_context(system_u:object_r:cron_log_t,s0)
++/var/run/anacron\.pid		--	gen_context(system_u:object_r:crond_var_run_t,s0)
++/var/run/atd\.pid		--	gen_context(system_u:object_r:crond_var_run_t,s0)
++/var/run/crond?\.pid		--	gen_context(system_u:object_r:crond_var_run_t,s0)
++/var/run/crond?\.reboot		--	gen_context(system_u:object_r:crond_var_run_t,s0)
++/var/run/fcron\.fifo		-s	gen_context(system_u:object_r:crond_var_run_t,s0)
++/var/run/fcron\.pid		--	gen_context(system_u:object_r:crond_var_run_t,s0)
++/var/run/.*cron.*		--	gen_context(system_u:object_r:crond_var_run_t,s0)
+ 
+-/var/run/anacron\.pid	--	gen_context(system_u:object_r:crond_var_run_t,s0)
+-/var/run/atd\.pid	--	gen_context(system_u:object_r:crond_var_run_t,s0)
+-/var/run/cron(d)?\.pid	--	gen_context(system_u:object_r:crond_var_run_t,s0)
+-/var/run/cron(d)?\.reboot	--	gen_context(system_u:object_r:crond_var_run_t,s0)
+-/var/run/fcron\.fifo	-s	gen_context(system_u:object_r:crond_var_run_t,s0)
+-/var/run/fcron\.pid	--	gen_context(system_u:object_r:crond_var_run_t,s0)
+-/var/run/.*cron.*	--	gen_context(system_u:object_r:crond_var_run_t,s0)
++/var/spool/anacron(/.*)?		gen_context(system_u:object_r:system_cron_spool_t,s0)
++/var/spool/at(/.*)?			gen_context(system_u:object_r:user_cron_spool_t,s0)
+ 
+-/var/spool/anacron(/.*)?	gen_context(system_u:object_r:system_cron_spool_t,s0)
+-/var/spool/at(/.*)?	gen_context(system_u:object_r:user_cron_spool_t,s0)
+-/var/spool/at/atspool(/.*)?	gen_context(system_u:object_r:user_cron_spool_log_t,s0)
 +/var/spool/cron			-d	gen_context(system_u:object_r:user_cron_spool_t,s0)
- #/var/spool/cron/root		--	gen_context(system_u:object_r:sysadm_cron_spool_t,s0)
- /var/spool/cron/[^/]*		--	<<none>>
++#/var/spool/cron/root		--	gen_context(system_u:object_r:sysadm_cron_spool_t,s0)
++/var/spool/cron/[^/]*		--	<<none>>
  
--/var/spool/cron/crontabs	-d	gen_context(system_u:object_r:cron_spool_t,s0)
+-/var/spool/cron	-d	gen_context(system_u:object_r:cron_spool_t,s0)
+-#/var/spool/cron/root	--	gen_context(system_u:object_r:sysadm_cron_spool_t,s0)
+-/var/spool/cron/[^/]*	--	<<none>>
 +ifdef(`distro_gentoo',`
 +/var/spool/cron/lastrun		-d	gen_context(system_u:object_r:crond_tmp_t,s0)
 +/var/spool/cron/lastrun/[^/]*	--	<<none>>
 +')
-+
+ 
+-/var/spool/cron/crontabs	-d	gen_context(system_u:object_r:cron_spool_t,s0)
 +ifdef(`distro_suse', `
 +/var/spool/cron/lastrun		-d	gen_context(system_u:object_r:crond_tmp_t,s0)
 +/var/spool/cron/lastrun/[^/]*	--	<<none>>
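Review bot: This cron.fc hunk rewrites nearly every line only to change tab alignment, which hides the entries that actually change: the init script pattern narrows from (anacron|atd) to atd, the /var/lib/glpi/files and /var/spool/at/atspool contexts are removed, and /var/spool/cron moves from cron_spool_t to user_cron_spool_t. Keep upstream's whitespace so the inner diff shows only those changes and each can be reviewed on its own. The /var/log/cron.* line the patch adds is also padded with spaces where every other entry uses tabs.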
@@ -16444,31 +18243,39 @@ index 6e76215..a665f12 100644
  /var/spool/cron/crontabs/.*	--	<<none>>
  #/var/spool/cron/crontabs/root	--	gen_context(system_u:object_r:sysadm_cron_spool_t,s0)
  
-@@ -44,18 +55,20 @@
+-/var/spool/fcron	-d	gen_context(system_u:object_r:cron_spool_t,s0)
+-/var/spool/fcron/.*	<<none>>
++/var/spool/fcron		-d	gen_context(system_u:object_r:cron_spool_t,s0)
++/var/spool/fcron/.*			<<none>>
+ /var/spool/fcron/systab\.orig	--	gen_context(system_u:object_r:system_cron_spool_t,s0)
+-/var/spool/fcron/systab	--	gen_context(system_u:object_r:system_cron_spool_t,s0)
+-/var/spool/fcron/systab\.tmp	--	gen_context(system_u:object_r:system_cron_spool_t,s0)
++/var/spool/fcron/systab		--	gen_context(system_u:object_r:system_cron_spool_t,s0)
  /var/spool/fcron/new\.systab	--	gen_context(system_u:object_r:system_cron_spool_t,s0)
+-/var/spool/fcron/rm\.systab	--	gen_context(system_u:object_r:system_cron_spool_t,s0)
  
  ifdef(`distro_debian',`
--/var/spool/cron/atjobs	-d		gen_context(system_u:object_r:cron_spool_t,s0)
+-/var/spool/cron/atjobs	-d	gen_context(system_u:object_r:cron_spool_t,s0)
 +/var/log/prelink.log.*		--	gen_context(system_u:object_r:cron_log_t,s0)
 +
 +/var/spool/cron/atjobs		-d	gen_context(system_u:object_r:cron_spool_t,s0)
  /var/spool/cron/atjobs/[^/]*	--	<<none>>
--/var/spool/cron/atspool	-d		gen_context(system_u:object_r:cron_spool_t,s0)
+-/var/spool/cron/atspool	-d	gen_context(system_u:object_r:cron_spool_t,s0)
 +/var/spool/cron/atspool		-d	gen_context(system_u:object_r:cron_spool_t,s0)
  ')
  
  ifdef(`distro_gentoo',`
--/var/spool/cron/lastrun	-d		gen_context(system_u:object_r:crond_tmp_t,s0)
+-/var/spool/cron/lastrun	-d	gen_context(system_u:object_r:crond_tmp_t,s0)
 +/var/spool/cron/lastrun		-d	gen_context(system_u:object_r:crond_tmp_t,s0)
  /var/spool/cron/lastrun/[^/]*	--	<<none>>
  ')
  
 -ifdef(`distro_suse',`
--/var/spool/cron/lastrun	-d		gen_context(system_u:object_r:crond_tmp_t,s0)
+-/var/spool/cron/lastrun	-d	gen_context(system_u:object_r:crond_tmp_t,s0)
 +ifdef(`distro_suse', `
 +/var/spool/cron/lastrun		-d	gen_context(system_u:object_r:crond_tmp_t,s0)
  /var/spool/cron/lastrun/[^/]*	--	<<none>>
--/var/spool/cron/tabs	-d		gen_context(system_u:object_r:cron_spool_t,s0)
+-/var/spool/cron/tabs	-d	gen_context(system_u:object_r:cron_spool_t,s0)
 +/var/spool/cron/tabs		-d	gen_context(system_u:object_r:cron_spool_t,s0)
  ')
 diff --git a/cron.if b/cron.if
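Review bot: The ifdef(distro_gentoo) and ifdef(distro_suse) blocks kept in this hunk label /var/spool/cron/lastrun and /var/spool/cron/lastrun/[^/]* the same way as the two ifdef blocks the patch adds earlier in cron.fc, so the resulting file carries each of those entries twice. Drop the added copies and keep the upstream blocks, which also removes the need to rewrite "ifdef(distro_suse," just to insert a space.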
@@ -17436,11 +19243,11 @@ index 1303b30..058864e 100644
 +    logging_log_filetrans($1, cron_log_t, $2, $3)
  ')
 diff --git a/cron.te b/cron.te
-index 28e1b86..439a761 100644
+index 7de3859..439a761 100644
 --- a/cron.te
 +++ b/cron.te
 @@ -1,4 +1,4 @@
--policy_module(cron, 2.5.10)
+-policy_module(cron, 2.6.3)
 +policy_module(cron, 2.2.1)
  
  gen_require(`
@@ -17679,7 +19486,7 @@ index 28e1b86..439a761 100644
  logging_log_filetrans(crond_t, cron_log_t, file)
  
  manage_files_pattern(crond_t, crond_var_run_t, crond_var_run_t)
-@@ -237,72 +180,68 @@ manage_files_pattern(crond_t, cron_spool_t, cron_spool_t)
+@@ -237,73 +180,68 @@ manage_files_pattern(crond_t, cron_spool_t, cron_spool_t)
  
  manage_dirs_pattern(crond_t, crond_tmp_t, crond_tmp_t)
  manage_files_pattern(crond_t, crond_tmp_t, crond_tmp_t)
@@ -17750,7 +19557,7 @@ index 28e1b86..439a761 100644
 +# Read from /var/spool/cron.
  files_search_var_lib(crond_t)
  files_search_default(crond_t)
-+files_read_all_locks(crond_t)
+ files_read_all_locks(crond_t)
  
 -mls_fd_share_all_levels(crond_t)
 +fs_manage_cgroup_dirs(crond_t)
@@ -17783,7 +19590,7 @@ index 28e1b86..439a761 100644
  auth_use_nsswitch(crond_t)
  
  logging_send_audit_msgs(crond_t)
-@@ -311,41 +250,46 @@ logging_set_loginuid(crond_t)
+@@ -312,41 +250,46 @@ logging_set_loginuid(crond_t)
  
  seutil_read_config(crond_t)
  seutil_read_default_contexts(crond_t)
@@ -17846,7 +19653,7 @@ index 28e1b86..439a761 100644
  ')
  
  optional_policy(`
-@@ -353,102 +297,136 @@ optional_policy(`
+@@ -354,118 +297,149 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -17944,6 +19751,7 @@ index 28e1b86..439a761 100644
  allow system_cronjob_t self:capability { dac_override dac_read_search chown setgid setuid fowner net_bind_service fsetid sys_nice };
 +
  allow system_cronjob_t self:process { signal_perms getsched setsched };
+-allow system_cronjob_t self:fd use;
  allow system_cronjob_t self:fifo_file rw_fifo_file_perms;
  allow system_cronjob_t self:passwd rootok;
  
@@ -18014,7 +19822,10 @@ index 28e1b86..439a761 100644
  allow system_cronjob_t cron_spool_t:dir list_dir_perms;
  allow system_cronjob_t cron_spool_t:file rw_file_perms;
  
-@@ -457,11 +435,11 @@ kernel_read_network_state(system_cronjob_t)
+-allow system_cronjob_t crond_tmp_t:file { read write };
+-
+ kernel_read_kernel_sysctls(system_cronjob_t)
+ kernel_read_network_state(system_cronjob_t)
  kernel_read_system_state(system_cronjob_t)
  kernel_read_software_raid_state(system_cronjob_t)
  
@@ -18027,7 +19838,7 @@ index 28e1b86..439a761 100644
  corenet_all_recvfrom_netlabel(system_cronjob_t)
  corenet_tcp_sendrecv_generic_if(system_cronjob_t)
  corenet_udp_sendrecv_generic_if(system_cronjob_t)
-@@ -481,6 +459,7 @@ fs_getattr_all_symlinks(system_cronjob_t)
+@@ -485,6 +459,7 @@ fs_getattr_all_symlinks(system_cronjob_t)
  fs_getattr_all_pipes(system_cronjob_t)
  fs_getattr_all_sockets(system_cronjob_t)
  
@@ -18035,7 +19846,7 @@ index 28e1b86..439a761 100644
  domain_dontaudit_read_all_domains_state(system_cronjob_t)
  
  files_exec_etc_files(system_cronjob_t)
-@@ -491,15 +470,19 @@ files_getattr_all_files(system_cronjob_t)
+@@ -495,17 +470,20 @@ files_getattr_all_files(system_cronjob_t)
  files_getattr_all_symlinks(system_cronjob_t)
  files_getattr_all_pipes(system_cronjob_t)
  files_getattr_all_sockets(system_cronjob_t)
@@ -18050,15 +19861,18 @@ index 28e1b86..439a761 100644
  
 -mls_file_read_to_clearance(system_cronjob_t)
 -
+-init_domtrans_script(system_cronjob_t)
+-init_read_utmp(system_cronjob_t)
  init_use_script_fds(system_cronjob_t)
 +init_read_utmp(system_cronjob_t)
 +init_dontaudit_rw_utmp(system_cronjob_t)
 +# prelink tells init to restart it self, we either need to allow or dontaudit
 +init_telinit(system_cronjob_t)
- init_domtrans_script(system_cronjob_t)
++init_domtrans_script(system_cronjob_t)
  
  auth_use_nsswitch(system_cronjob_t)
-@@ -511,20 +494,26 @@ logging_read_generic_logs(system_cronjob_t)
+ 
+@@ -516,20 +494,26 @@ logging_read_generic_logs(system_cronjob_t)
  logging_send_audit_msgs(system_cronjob_t)
  logging_send_syslog_msg(system_cronjob_t)
  
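Review bot: The comment "prelink tells init to restart it self, we either need to allow or dontaudit" leaves the choice open, and the rule under it, init_telinit(system_cronjob_t), takes the allow side. For the system cron job domain, record why a dontaudit rule was not enough, or switch to one if the restart request is not actually needed. The rest of the inner hunk only moves init_domtrans_script(system_cronjob_t) and init_read_utmp(system_cronjob_t) relative to upstream and could be dropped to keep the patch small.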
@@ -18088,7 +19902,7 @@ index 28e1b86..439a761 100644
  	selinux_validate_context(system_cronjob_t)
  	selinux_compute_access_vector(system_cronjob_t)
  	selinux_compute_create_context(system_cronjob_t)
-@@ -534,10 +523,18 @@ tunable_policy(`cron_can_relabel',`
+@@ -539,27 +523,26 @@ tunable_policy(`cron_can_relabel',`
  ')
  
  optional_policy(`
@@ -18100,25 +19914,30 @@ index 28e1b86..439a761 100644
 +	apache_manage_lib(system_cronjob_t)
 +	apache_delete_cache_dirs(system_cronjob_t)
 +	apache_delete_cache_files(system_cronjob_t)
-+')
-+
-+optional_policy(`
-+	bind_read_config(system_cronjob_t)
  ')
  
  optional_policy(`
-@@ -546,10 +543,6 @@ optional_policy(`
+-	cyrus_manage_data(system_cronjob_t)
++	bind_read_config(system_cronjob_t)
+ ')
  
  optional_policy(`
- 	dbus_system_bus_client(system_cronjob_t)
+-	dbus_system_bus_client(system_cronjob_t)
 -
 -	optional_policy(`
 -		networkmanager_dbus_chat(system_cronjob_t)
 -	')
++	cyrus_manage_data(system_cronjob_t)
+ ')
+ 
+ optional_policy(`
+-	devicekit_read_pid_files(system_cronjob_t)
+-	devicekit_append_inherited_log_files(system_cronjob_t)
++	dbus_system_bus_client(system_cronjob_t)
  ')
  
  optional_policy(`
-@@ -581,6 +574,7 @@ optional_policy(`
+@@ -591,6 +574,7 @@ optional_policy(`
  optional_policy(`
  	mta_read_config(system_cronjob_t)
  	mta_send_mail(system_cronjob_t)
@@ -18126,24 +19945,22 @@ index 28e1b86..439a761 100644
  ')
  
  optional_policy(`
-@@ -588,15 +582,23 @@ optional_policy(`
+@@ -598,7 +582,23 @@ optional_policy(`
  ')
  
  optional_policy(`
--	postfix_read_config(system_cronjob_t)
 +	networkmanager_dbus_chat(system_cronjob_t)
- ')
- 
- optional_policy(`
-+	postfix_read_config(system_cronjob_t)
++')
++
++optional_policy(`
+ 	postfix_read_config(system_cronjob_t)
 +')	
 +
 +optional_policy(`
- 	prelink_delete_cache(system_cronjob_t)
- 	prelink_manage_lib(system_cronjob_t)
- 	prelink_manage_log(system_cronjob_t)
- 	prelink_read_cache(system_cronjob_t)
--	prelink_relabelfrom_lib(system_cronjob_t)
++	prelink_delete_cache(system_cronjob_t)
++	prelink_manage_lib(system_cronjob_t)
++	prelink_manage_log(system_cronjob_t)
++	prelink_read_cache(system_cronjob_t)
 +	prelink_relabel_lib(system_cronjob_t)
 +')
 +
@@ -18152,7 +19969,7 @@ index 28e1b86..439a761 100644
  ')
  
  optional_policy(`
-@@ -606,6 +608,7 @@ optional_policy(`
+@@ -608,6 +608,7 @@ optional_policy(`
  
  optional_policy(`
  	spamassassin_manage_lib_files(system_cronjob_t)
@@ -18160,7 +19977,7 @@ index 28e1b86..439a761 100644
  ')
  
  optional_policy(`
-@@ -613,12 +616,24 @@ optional_policy(`
+@@ -615,12 +616,24 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -18187,7 +20004,7 @@ index 28e1b86..439a761 100644
  #
  
  allow cronjob_t self:process { signal_perms setsched };
-@@ -626,12 +641,32 @@ allow cronjob_t self:fifo_file rw_fifo_file_perms;
+@@ -628,12 +641,32 @@ allow cronjob_t self:fifo_file rw_fifo_file_perms;
  allow cronjob_t self:unix_stream_socket create_stream_socket_perms;
  allow cronjob_t self:unix_dgram_socket create_socket_perms;
  
@@ -18221,7 +20038,7 @@ index 28e1b86..439a761 100644
  corenet_all_recvfrom_netlabel(cronjob_t)
  corenet_tcp_sendrecv_generic_if(cronjob_t)
  corenet_udp_sendrecv_generic_if(cronjob_t)
-@@ -639,84 +674,148 @@ corenet_tcp_sendrecv_generic_node(cronjob_t)
+@@ -641,84 +674,148 @@ corenet_tcp_sendrecv_generic_node(cronjob_t)
  corenet_udp_sendrecv_generic_node(cronjob_t)
  corenet_tcp_sendrecv_all_ports(cronjob_t)
  corenet_udp_sendrecv_all_ports(cronjob_t)
@@ -18311,31 +20128,30 @@ index 28e1b86..439a761 100644
 +# Unconfined cronjobs local policy
  #
  
- optional_policy(`
--	type unconfined_cronjob_t;
--	domain_type(unconfined_cronjob_t)
--	domain_cron_exemption_target(unconfined_cronjob_t)
+-type unconfined_cronjob_t;
+-domain_type(unconfined_cronjob_t)
+-domain_cron_exemption_target(unconfined_cronjob_t)
 -
+-dontaudit crond_t unconfined_cronjob_t:process { noatsecure siginh rlimitinh };
+-
+-tunable_policy(`cron_userdomain_transition',`
+-	dontaudit crond_t unconfined_cronjob_t:process transition;
+-	dontaudit crond_t unconfined_cronjob_t:fd use;
+-	dontaudit crond_t unconfined_cronjob_t:key manage_key_perms;
+-',`
++optional_policy(`
 +	# Permit a transition from the crond_t domain to this domain.
 +	# The transition is requested explicitly by the modified crond 
 +	# via setexeccon.  There is no way to set up an automatic
 +	# transition, since crontabs are configuration files, not executables.
-+	allow crond_t unconfined_cronjob_t:process transition;
- 	dontaudit crond_t unconfined_cronjob_t:process { noatsecure siginh rlimitinh };
-+	allow crond_t unconfined_cronjob_t:fd use;
- 
- 	unconfined_domain(unconfined_cronjob_t)
+ 	allow crond_t unconfined_cronjob_t:process transition;
++	dontaudit crond_t unconfined_cronjob_t:process { noatsecure siginh rlimitinh };
+ 	allow crond_t unconfined_cronjob_t:fd use;
+-	allow crond_t unconfined_cronjob_t:key manage_key_perms;
++
++	unconfined_domain(unconfined_cronjob_t)
 +')
- 
--	tunable_policy(`cron_userdomain_transition',`
--		dontaudit crond_t unconfined_cronjob_t:process transition;
--		dontaudit crond_t unconfined_cronjob_t:fd use;
--		dontaudit crond_t unconfined_cronjob_t:key manage_key_perms;
--	',`
--		allow crond_t unconfined_cronjob_t:process transition;
--		allow crond_t unconfined_cronjob_t:fd use;
--		allow crond_t unconfined_cronjob_t:key manage_key_perms;
--	')
++
 +##############################
 +#
 +# crontab common policy
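Review bot: The `type unconfined_cronjob_t;`, `domain_type(unconfined_cronjob_t)` and `domain_cron_exemption_target(unconfined_cronjob_t)` lines are removed at the top of this block, but the new `optional_policy` body still names `unconfined_cronjob_t` in its allow and dontaudit rules and in `unconfined_domain(unconfined_cronjob_t)`. Nothing in the visible lines re-declares the type, so please confirm the declaration survives elsewhere in the module. The `cron_userdomain_transition` tunable branch is also dropped, which makes the `crond_t` to `unconfined_cronjob_t` transition unconditional inside the optional block; the added comment should say that this is intended. Minor: the comment line ending in "modified crond" has a trailing space.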
@@ -18394,9 +20210,10 @@ index 28e1b86..439a761 100644
 +	# fcron wants an instant update of a crontab change for the administrator
 +	# also crontab does a security check for crontab -u
 +	dontaudit crontab_domain crond_t:process signal;
-+')
-+
-+optional_policy(`
+ ')
+ 
+ optional_policy(`
+-	unconfined_domain(unconfined_cronjob_t)
 +	ssh_dontaudit_use_ptys(crontab_domain)
 +')
 +
@@ -18716,9 +20533,15 @@ index b25b01d..e99c5c6 100644
  ')
 +
 diff --git a/ctdb.te b/ctdb.te
-index 6ce66e7..7725178 100644
+index 001b502..7725178 100644
 --- a/ctdb.te
 +++ b/ctdb.te
+@@ -1,4 +1,4 @@
+-policy_module(ctdb, 1.1.0)
++policy_module(ctdb, 1.0.3)
+ 
+ ########################################
+ #
 @@ -24,6 +24,9 @@ files_tmp_file(ctdbd_tmp_t)
  type ctdbd_var_lib_t;
  files_type(ctdbd_var_lib_t)
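Review bot: The new inner hunk at the top of ctdb.te moves the module version backwards, from `policy_module(ctdb, 1.1.0)` to `policy_module(ctdb, 1.0.3)`. The same kind of downgrade shows up in the other modules this patch touches (for example cups 1.16.2 to 1.15.9 and cvs 1.10.2 to 1.9.1), which suggests the F20 patch was diffed against a newer base. If that is deliberate, say so in the commit message; otherwise keep the base's version line and drop these one-line hunks.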
@@ -18947,7 +20770,7 @@ index 949011e..9437dbe 100644
 +/etc/opt/brother/Printers/(.*/)?inf(/.*)?        gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
 +/opt/brother/Printers(.*/)?inf(/.*)?      gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
 diff --git a/cups.if b/cups.if
-index 06da9a0..c18145d 100644
+index 3023be7..c18145d 100644
 --- a/cups.if
 +++ b/cups.if
 @@ -200,10 +200,13 @@ interface(`cups_dbus_chat_config',`
@@ -18965,37 +20788,39 @@ index 06da9a0..c18145d 100644
  ')
  
  ########################################
-@@ -306,6 +309,29 @@ interface(`cups_stream_connect_ptal',`
+@@ -306,22 +309,25 @@ interface(`cups_stream_connect_ptal',`
  
  ########################################
  ## <summary>
+-##	Read the process state (/proc/pid) of cupsd.
 +##	Execute cupsd server in the cupsd domain.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain allowed access.
 +##	Domain allowed to transition.
-+##	</summary>
-+## </param>
-+#
+ ##	</summary>
+ ## </param>
+ #
+-interface(`cups_read_state',`
 +interface(`cupsd_systemctl',`
-+	gen_require(`
-+		type cupsd_t;
+ 	gen_require(`
+ 		type cupsd_t;
 +		type cupsd_unit_file_t;
-+	')
-+
+ 	')
+ 
+-	allow $1 cupsd_t:dir search_dir_perms;
+-	allow $1 cupsd_t:file read_file_perms;
+-	allow $1 cupsd_t:lnk_file read_lnk_file_perms;
 +	systemd_exec_systemctl($1)
 +	allow $1 cupsd_unit_file_t:file read_file_perms;
 +	allow $1 cupsd_unit_file_t:service manage_service_perms;
 +
 +	ps_process_pattern($1, cupsd_t)
-+')
-+
-+########################################
-+## <summary>
- ##	All of the rules required to
- ##	administrate an cups environment.
- ## </summary>
-@@ -324,18 +350,23 @@ interface(`cups_stream_connect_ptal',`
+ ')
+ 
+ ########################################
+@@ -344,18 +350,23 @@ interface(`cups_read_state',`
  interface(`cups_admin',`
  	gen_require(`
  		type cupsd_t, cupsd_tmp_t, cupsd_lpd_tmp_t;
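Review bot: The documentation block for the new `cupsd_systemctl` interface reads "Execute cupsd server in the cupsd domain" and "Domain allowed to transition", but the body calls `systemd_exec_systemctl($1)` and grants `cupsd_unit_file_t:service manage_service_perms`, so the summary should describe systemctl control of the cups unit instead. The rewritten hunk also removes `cups_read_state` in the same spot; please check that no caller still depends on it, since `ps_process_pattern($1, cupsd_t)` only helps callers of the new interface.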
@@ -19024,7 +20849,7 @@ index 06da9a0..c18145d 100644
  
  	init_labeled_script_domtrans($1, cupsd_initrc_exec_t)
  	domain_system_change_exemption($1)
-@@ -348,13 +379,64 @@ interface(`cups_admin',`
+@@ -368,13 +379,64 @@ interface(`cups_admin',`
  	logging_list_logs($1)
  	admin_pattern($1, cupsd_log_t)
  
@@ -19095,10 +20920,15 @@ index 06da9a0..c18145d 100644
 +	ps_process_pattern($1, cupsd_t)
  ')
 diff --git a/cups.te b/cups.te
-index 9f34c2e..e694e2f 100644
+index c91813c..e694e2f 100644
 --- a/cups.te
 +++ b/cups.te
-@@ -5,19 +5,31 @@ policy_module(cups, 1.15.9)
+@@ -1,23 +1,35 @@
+-policy_module(cups, 1.16.2)
++policy_module(cups, 1.15.9)
+ 
+ ########################################
+ #
  # Declarations
  #
  
@@ -19264,15 +21094,8 @@ index 9f34c2e..e694e2f 100644
  
  allow cupsd_t cupsd_exec_t:dir search_dir_perms;
  allow cupsd_t cupsd_exec_t:lnk_file read_lnk_file_perms;
-@@ -133,28 +166,26 @@ allow cupsd_t cupsd_lock_t:file manage_file_perms;
- files_lock_filetrans(cupsd_t, cupsd_lock_t, file)
- 
- manage_dirs_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
--append_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
--create_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
--read_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
--setattr_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
-+manage_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
+@@ -136,22 +169,23 @@ manage_dirs_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
+ manage_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
  logging_log_filetrans(cupsd_t, cupsd_log_t, { file dir })
  
 +manage_files_pattern(cupsd_t, cupsd_var_lib_t, cupsd_var_lib_t)
@@ -19299,7 +21122,7 @@ index 9f34c2e..e694e2f 100644
  
  stream_connect_pattern(cupsd_t, ptal_var_run_t, ptal_var_run_t, ptal_t)
  allow cupsd_t ptal_var_run_t:sock_file setattr_sock_file_perms;
-@@ -162,11 +193,9 @@ allow cupsd_t ptal_var_run_t:sock_file setattr_sock_file_perms;
+@@ -159,11 +193,9 @@ allow cupsd_t ptal_var_run_t:sock_file setattr_sock_file_perms;
  can_exec(cupsd_t, { cupsd_exec_t cupsd_interface_t })
  
  kernel_read_system_state(cupsd_t)
@@ -19311,7 +21134,7 @@ index 9f34c2e..e694e2f 100644
  corenet_all_recvfrom_netlabel(cupsd_t)
  corenet_tcp_sendrecv_generic_if(cupsd_t)
  corenet_udp_sendrecv_generic_if(cupsd_t)
-@@ -189,12 +218,20 @@ corenet_dontaudit_tcp_bind_all_reserved_ports(cupsd_t)
+@@ -186,12 +218,20 @@ corenet_dontaudit_tcp_bind_all_reserved_ports(cupsd_t)
  corenet_tcp_bind_all_rpc_ports(cupsd_t)
  corenet_tcp_connect_all_ports(cupsd_t)
  
@@ -19336,7 +21159,7 @@ index 9f34c2e..e694e2f 100644
  dev_rw_input_dev(cupsd_t)
  dev_rw_generic_usb_dev(cupsd_t)
  dev_rw_usbfs(cupsd_t)
-@@ -206,7 +243,6 @@ domain_use_interactive_fds(cupsd_t)
+@@ -203,7 +243,6 @@ domain_use_interactive_fds(cupsd_t)
  files_getattr_boot_dirs(cupsd_t)
  files_list_spool(cupsd_t)
  files_read_etc_runtime_files(cupsd_t)
@@ -19344,7 +21167,7 @@ index 9f34c2e..e694e2f 100644
  files_exec_usr_files(cupsd_t)
  # for /var/lib/defoma
  files_read_var_lib_files(cupsd_t)
-@@ -215,17 +251,19 @@ files_read_world_readable_files(cupsd_t)
+@@ -212,17 +251,19 @@ files_read_world_readable_files(cupsd_t)
  files_read_world_readable_symlinks(cupsd_t)
  files_read_var_files(cupsd_t)
  files_read_var_symlinks(cupsd_t)
@@ -19366,7 +21189,7 @@ index 9f34c2e..e694e2f 100644
  mls_fd_use_all_levels(cupsd_t)
  mls_file_downgrade(cupsd_t)
  mls_file_write_all_levels(cupsd_t)
-@@ -235,6 +273,8 @@ mls_socket_write_all_levels(cupsd_t)
+@@ -232,6 +273,8 @@ mls_socket_write_all_levels(cupsd_t)
  
  term_search_ptys(cupsd_t)
  term_use_unallocated_ttys(cupsd_t)
@@ -19375,7 +21198,7 @@ index 9f34c2e..e694e2f 100644
  
  selinux_compute_access_vector(cupsd_t)
  selinux_validate_context(cupsd_t)
-@@ -247,23 +287,28 @@ auth_dontaudit_read_pam_pid(cupsd_t)
+@@ -244,22 +287,27 @@ auth_dontaudit_read_pam_pid(cupsd_t)
  auth_rw_faillog(cupsd_t)
  auth_use_nsswitch(cupsd_t)
  
@@ -19397,19 +21220,18 @@ index 9f34c2e..e694e2f 100644
  
  userdom_dontaudit_use_unpriv_user_fds(cupsd_t)
 +userdom_dontaudit_search_user_home_dirs(cupsd_t)
-+userdom_dontaudit_search_user_home_content(cupsd_t)
-+userdom_dontaudit_use_unpriv_user_fds(cupsd_t)
  userdom_dontaudit_search_user_home_content(cupsd_t)
- 
++userdom_dontaudit_use_unpriv_user_fds(cupsd_t)
++userdom_dontaudit_search_user_home_content(cupsd_t)
++
 +tunable_policy(`cups_execmem',`
 +	allow cupsd_t self:process { execmem execstack };
 +')
 +
-+
+ 
  optional_policy(`
  	apm_domtrans_client(cupsd_t)
- ')
-@@ -275,6 +320,8 @@ optional_policy(`
+@@ -272,6 +320,8 @@ optional_policy(`
  optional_policy(`
  	dbus_system_bus_client(cupsd_t)
  
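Review bot: After this change the resulting inner hunk lists `userdom_dontaudit_use_unpriv_user_fds(cupsd_t)` and `userdom_dontaudit_search_user_home_content(cupsd_t)` twice each, once as context and once as added lines directly below. The duplicates are harmless to the compiled policy but are noise in the patch; drop the two added copies and keep only `userdom_dontaudit_search_user_home_dirs(cupsd_t)` as the new line.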
@@ -19418,7 +21240,7 @@ index 9f34c2e..e694e2f 100644
  	userdom_dbus_send_all_users(cupsd_t)
  
  	optional_policy(`
-@@ -285,8 +332,10 @@ optional_policy(`
+@@ -282,8 +332,10 @@ optional_policy(`
  		hal_dbus_chat(cupsd_t)
  	')
  
@@ -19429,7 +21251,7 @@ index 9f34c2e..e694e2f 100644
  	')
  ')
  
-@@ -299,8 +348,8 @@ optional_policy(`
+@@ -296,8 +348,8 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -19439,7 +21261,7 @@ index 9f34c2e..e694e2f 100644
  ')
  
  optional_policy(`
-@@ -309,7 +358,6 @@ optional_policy(`
+@@ -306,7 +358,6 @@ optional_policy(`
  
  optional_policy(`
  	lpd_exec_lpr(cupsd_t)
@@ -19447,7 +21269,7 @@ index 9f34c2e..e694e2f 100644
  	lpd_read_config(cupsd_t)
  	lpd_relabel_spool(cupsd_t)
  ')
-@@ -337,7 +385,11 @@ optional_policy(`
+@@ -334,7 +385,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -19460,7 +21282,7 @@ index 9f34c2e..e694e2f 100644
  ')
  
  ########################################
-@@ -345,12 +397,11 @@ optional_policy(`
+@@ -342,12 +397,11 @@ optional_policy(`
  # Configuration daemon local policy
  #
  
@@ -19476,7 +21298,7 @@ index 9f34c2e..e694e2f 100644
  allow cupsd_config_t cupsd_t:process signal;
  ps_process_pattern(cupsd_config_t, cupsd_t)
  
-@@ -375,18 +426,16 @@ manage_dirs_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run
+@@ -372,18 +426,16 @@ manage_dirs_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run
  manage_files_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run_t)
  files_pid_filetrans(cupsd_config_t, cupsd_config_var_run_t, { dir file })
  
@@ -19497,7 +21319,7 @@ index 9f34c2e..e694e2f 100644
  corenet_all_recvfrom_netlabel(cupsd_config_t)
  corenet_tcp_sendrecv_generic_if(cupsd_config_t)
  corenet_tcp_sendrecv_generic_node(cupsd_config_t)
-@@ -395,20 +444,12 @@ corenet_tcp_sendrecv_all_ports(cupsd_config_t)
+@@ -392,20 +444,12 @@ corenet_tcp_sendrecv_all_ports(cupsd_config_t)
  corenet_sendrecv_all_client_packets(cupsd_config_t)
  corenet_tcp_connect_all_ports(cupsd_config_t)
  
@@ -19518,7 +21340,7 @@ index 9f34c2e..e694e2f 100644
  fs_search_auto_mountpoints(cupsd_config_t)
  
  domain_use_interactive_fds(cupsd_config_t)
-@@ -420,11 +461,6 @@ auth_use_nsswitch(cupsd_config_t)
+@@ -417,11 +461,6 @@ auth_use_nsswitch(cupsd_config_t)
  
  logging_send_syslog_msg(cupsd_config_t)
  
@@ -19530,7 +21352,7 @@ index 9f34c2e..e694e2f 100644
  userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t)
  userdom_dontaudit_search_user_home_dirs(cupsd_config_t)
  userdom_read_all_users_state(cupsd_config_t)
-@@ -452,9 +488,12 @@ optional_policy(`
+@@ -449,9 +488,12 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -19544,7 +21366,7 @@ index 9f34c2e..e694e2f 100644
  ')
  
  optional_policy(`
-@@ -490,10 +529,6 @@ optional_policy(`
+@@ -487,10 +529,6 @@ optional_policy(`
  # Lpd local policy
  #
  
@@ -19555,7 +21377,7 @@ index 9f34c2e..e694e2f 100644
  allow cupsd_lpd_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
  
  allow cupsd_lpd_t { cupsd_etc_t cupsd_rw_etc_t }:dir list_dir_perms;
-@@ -511,31 +546,23 @@ stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t)
+@@ -508,28 +546,16 @@ stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t)
  
  kernel_read_kernel_sysctls(cupsd_lpd_t)
  kernel_read_system_state(cupsd_lpd_t)
@@ -19568,18 +21390,24 @@ index 9f34c2e..e694e2f 100644
  
  corenet_sendrecv_ipp_client_packets(cupsd_lpd_t)
  corenet_tcp_connect_ipp_port(cupsd_lpd_t)
-+corenet_tcp_bind_printer_port(cupsd_lpd_t)
-+corenet_tcp_connect_printer_port(cupsd_lpd_t)
- corenet_tcp_sendrecv_ipp_port(cupsd_lpd_t)
- 
+-corenet_tcp_sendrecv_ipp_port(cupsd_lpd_t)
+-
+-corenet_sendrecv_printer_server_packets(cupsd_lpd_t)
+ corenet_tcp_bind_printer_port(cupsd_lpd_t)
+-corenet_tcp_sendrecv_printer_port(cupsd_lpd_t)
+-
+-corenet_sendrecv_printer_client_packets(cupsd_lpd_t)
+ corenet_tcp_connect_printer_port(cupsd_lpd_t)
+-
 -dev_read_urand(cupsd_lpd_t)
 -dev_read_rand(cupsd_lpd_t)
 -
 -fs_getattr_xattr_fs(cupsd_lpd_t)
--
++corenet_tcp_sendrecv_ipp_port(cupsd_lpd_t)
+ 
  files_search_home(cupsd_lpd_t)
  
- auth_use_nsswitch(cupsd_lpd_t)
+@@ -537,9 +563,6 @@ auth_use_nsswitch(cupsd_lpd_t)
  
  logging_send_syslog_msg(cupsd_lpd_t)
  
@@ -19589,7 +21417,7 @@ index 9f34c2e..e694e2f 100644
  optional_policy(`
  	inetd_service_domain(cupsd_lpd_t, cupsd_lpd_exec_t)
  ')
-@@ -546,7 +573,6 @@ optional_policy(`
+@@ -550,7 +573,6 @@ optional_policy(`
  #
  
  allow cups_pdf_t self:capability { chown fowner fsetid setuid setgid dac_override };
@@ -19597,7 +21425,7 @@ index 9f34c2e..e694e2f 100644
  allow cups_pdf_t self:unix_stream_socket create_stream_socket_perms;
  
  append_files_pattern(cups_pdf_t, cupsd_log_t, cupsd_log_t)
-@@ -562,148 +588,23 @@ fs_search_auto_mountpoints(cups_pdf_t)
+@@ -566,148 +588,23 @@ fs_search_auto_mountpoints(cups_pdf_t)
  
  kernel_read_system_state(cups_pdf_t)
  
@@ -19719,17 +21547,15 @@ index 9f34c2e..e694e2f 100644
 -userdom_dontaudit_use_unpriv_user_fds(hplip_t)
 -userdom_dontaudit_search_user_home_dirs(hplip_t)
 -userdom_dontaudit_search_user_home_content(hplip_t)
-+userdom_home_manager(cups_pdf_t)
- 
- optional_policy(`
+-
+-optional_policy(`
 -	dbus_system_bus_client(hplip_t)
 -
 -	optional_policy(`
 -		userdom_dbus_send_all_users(hplip_t)
 -	')
-+	gnome_read_config(cups_pdf_t)
- ')
- 
+-')
+-
 -optional_policy(`
 -	lpd_read_config(hplip_t)
 -	lpd_manage_spool(hplip_t)
@@ -19738,18 +21564,20 @@ index 9f34c2e..e694e2f 100644
 -optional_policy(`
 -	seutil_sigchld_newrole(hplip_t)
 -')
--
--optional_policy(`
++userdom_home_manager(cups_pdf_t)
+ 
+ optional_policy(`
 -	snmp_read_snmp_var_lib_files(hplip_t)
--')
--
++	gnome_read_config(cups_pdf_t)
+ ')
+ 
 -optional_policy(`
 -	udev_read_db(hplip_t)
 -')
  
  ########################################
  #
-@@ -731,7 +632,6 @@ kernel_read_kernel_sysctls(ptal_t)
+@@ -735,7 +632,6 @@ kernel_read_kernel_sysctls(ptal_t)
  kernel_list_proc(ptal_t)
  kernel_read_proc_symlinks(ptal_t)
  
@@ -19757,7 +21585,7 @@ index 9f34c2e..e694e2f 100644
  corenet_all_recvfrom_netlabel(ptal_t)
  corenet_tcp_sendrecv_generic_if(ptal_t)
  corenet_tcp_sendrecv_generic_node(ptal_t)
-@@ -741,13 +641,11 @@ corenet_sendrecv_ptal_server_packets(ptal_t)
+@@ -745,13 +641,11 @@ corenet_sendrecv_ptal_server_packets(ptal_t)
  corenet_tcp_bind_ptal_port(ptal_t)
  corenet_tcp_sendrecv_ptal_port(ptal_t)
  
@@ -19771,7 +21599,7 @@ index 9f34c2e..e694e2f 100644
  files_read_etc_runtime_files(ptal_t)
  
  fs_getattr_all_fs(ptal_t)
-@@ -755,8 +653,6 @@ fs_search_auto_mountpoints(ptal_t)
+@@ -759,8 +653,6 @@ fs_search_auto_mountpoints(ptal_t)
  
  logging_send_syslog_msg(ptal_t)
  
@@ -19780,7 +21608,7 @@ index 9f34c2e..e694e2f 100644
  sysnet_read_config(ptal_t)
  
  userdom_dontaudit_use_unpriv_user_fds(ptal_t)
-@@ -769,3 +665,4 @@ optional_policy(`
+@@ -773,3 +665,4 @@ optional_policy(`
  optional_policy(`
  	udev_read_db(ptal_t)
  ')
@@ -19797,7 +21625,7 @@ index 75c8be9..9dcffb2 100644
  
  /opt/cvs(/.*)?	gen_context(system_u:object_r:cvs_data_t,s0)
 diff --git a/cvs.if b/cvs.if
-index 9fa7ffb..089c8d4 100644
+index 64775fd..089c8d4 100644
 --- a/cvs.if
 +++ b/cvs.if
 @@ -1,5 +1,23 @@
@@ -19849,12 +21677,10 @@ index 9fa7ffb..089c8d4 100644
  ##	All of the rules required to
  ##	administrate an cvs environment
  ## </summary>
-@@ -59,12 +95,18 @@ interface(`cvs_exec',`
- interface(`cvs_admin',`
+@@ -60,19 +96,22 @@ interface(`cvs_admin',`
  	gen_require(`
  		type cvs_t, cvs_tmp_t, cvs_initrc_exec_t;
--		type cvs_data_t, cvs_var_run_t;
-+		type cvs_data_t, cvs_var_run_t, cvs_keytab_t;
+ 		type cvs_data_t, cvs_var_run_t, cvs_keytab_t;
 +		type cvs_home_t;
  	')
  
@@ -19870,7 +21696,15 @@ index 9fa7ffb..089c8d4 100644
  	init_labeled_script_domtrans($1, cvs_initrc_exec_t)
  	domain_system_change_exemption($1)
  	role_transition $2 cvs_initrc_exec_t system_r;
-@@ -78,4 +120,7 @@ interface(`cvs_admin',`
+ 	allow $2 system_r;
+ 
+-	files_search_etc($1)
+-	admin_pattern($1, cvs_keytab_t)
+-
+ 	files_list_tmp($1)
+ 	admin_pattern($1, cvs_tmp_t)
+ 
+@@ -81,4 +120,7 @@ interface(`cvs_admin',`
  
  	files_list_pids($1)
  	admin_pattern($1, cvs_var_run_t)
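Review bot: This hunk removes `files_search_etc($1)` and `admin_pattern($1, cvs_keytab_t)` from `cvs_admin`, yet the `gen_require` a few lines above still lists `cvs_keytab_t` (`type cvs_data_t, cvs_var_run_t, cvs_keytab_t;`). Either keep the `admin_pattern` so the admin role can still manage the keytab, or drop `cvs_keytab_t` from the `gen_require` so the interface does not require a type it never uses.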
@@ -19879,10 +21713,16 @@ index 9fa7ffb..089c8d4 100644
 +	admin_pattern($1, cvs_home_t)
  ')
 diff --git a/cvs.te b/cvs.te
-index 53fc3af..d7cdaaf 100644
+index 0f77550..d7cdaaf 100644
 --- a/cvs.te
 +++ b/cvs.te
-@@ -11,11 +11,12 @@ policy_module(cvs, 1.9.1)
+@@ -1,4 +1,4 @@
+-policy_module(cvs, 1.10.2)
++policy_module(cvs, 1.9.1)
+ 
+ ########################################
+ #
+@@ -11,12 +11,12 @@ policy_module(cvs, 1.10.2)
  ##	password files.
  ##	</p>
  ## </desc>
@@ -19892,11 +21732,21 @@ index 53fc3af..d7cdaaf 100644
  type cvs_t;
  type cvs_exec_t;
  inetd_tcp_service_domain(cvs_t, cvs_exec_t)
+-init_daemon_domain(cvs_t, cvs_exec_t)
 +init_domain(cvs_t, cvs_exec_t)
  application_executable_file(cvs_exec_t)
  
  type cvs_data_t; # customizable
-@@ -30,16 +31,22 @@ files_tmp_file(cvs_tmp_t)
+@@ -25,32 +25,32 @@ files_type(cvs_data_t)
+ type cvs_initrc_exec_t;
+ init_script_file(cvs_initrc_exec_t)
+ 
+-type cvs_keytab_t;
+-files_type(cvs_keytab_t)
+-
+ type cvs_tmp_t;
+ files_tmp_file(cvs_tmp_t)
+ 
  type cvs_var_run_t;
  files_pid_file(cvs_var_run_t)
  
@@ -19913,30 +21763,46 @@ index 53fc3af..d7cdaaf 100644
  allow cvs_t self:process signal_perms;
  allow cvs_t self:fifo_file rw_fifo_file_perms;
  allow cvs_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
- 
+-allow cvs_t self:tcp_socket { accept listen };
++
 +userdom_search_user_home_dirs(cvs_t)
 +allow cvs_t cvs_home_t:file read_file_perms;
-+
+ 
  manage_dirs_pattern(cvs_t, cvs_data_t, cvs_data_t)
  manage_files_pattern(cvs_t, cvs_data_t, cvs_data_t)
  manage_lnk_files_pattern(cvs_t, cvs_data_t, cvs_data_t)
-@@ -58,6 +65,15 @@ kernel_read_network_state(cvs_t)
- corecmd_exec_bin(cvs_t)
- corecmd_exec_shell(cvs_t)
  
-+corenet_all_recvfrom_netlabel(cvs_t)
-+corenet_tcp_sendrecv_generic_if(cvs_t)
+-allow cvs_t cvs_keytab_t:file read_file_perms;
+-
+ manage_dirs_pattern(cvs_t, cvs_tmp_t, cvs_tmp_t)
+ manage_files_pattern(cvs_t, cvs_tmp_t, cvs_tmp_t)
+ files_tmp_filetrans(cvs_t, cvs_tmp_t, { dir file })
+@@ -62,17 +62,17 @@ kernel_read_kernel_sysctls(cvs_t)
+ kernel_read_system_state(cvs_t)
+ kernel_read_network_state(cvs_t)
+ 
+-corenet_all_recvfrom_unlabeled(cvs_t)
++corecmd_exec_bin(cvs_t)
++corecmd_exec_shell(cvs_t)
++
+ corenet_all_recvfrom_netlabel(cvs_t)
+ corenet_tcp_sendrecv_generic_if(cvs_t)
 +corenet_udp_sendrecv_generic_if(cvs_t)
-+corenet_tcp_sendrecv_generic_node(cvs_t)
+ corenet_tcp_sendrecv_generic_node(cvs_t)
+-
+-corenet_sendrecv_cvs_server_packets(cvs_t)
 +corenet_udp_sendrecv_generic_node(cvs_t)
 +corenet_tcp_sendrecv_all_ports(cvs_t)
 +corenet_udp_sendrecv_all_ports(cvs_t)
-+corenet_tcp_bind_cvs_port(cvs_t)
-+
+ corenet_tcp_bind_cvs_port(cvs_t)
+-corenet_tcp_sendrecv_cvs_port(cvs_t)
+-
+-corecmd_exec_bin(cvs_t)
+-corecmd_exec_shell(cvs_t)
+ 
  dev_read_urand(cvs_t)
  
- files_read_etc_runtime_files(cvs_t)
-@@ -70,18 +86,16 @@ auth_use_nsswitch(cvs_t)
+@@ -86,26 +86,23 @@ auth_use_nsswitch(cvs_t)
  
  init_read_utmp(cvs_t)
  
@@ -19958,16 +21824,31 @@ index 53fc3af..d7cdaaf 100644
  	allow cvs_t self:capability dac_override;
  	auth_tunable_read_shadow(cvs_t)
  ')
-@@ -103,4 +117,5 @@ optional_policy(`
+ 
+ optional_policy(`
++	kerberos_keytab_template(cvs, cvs_t)
+ 	kerberos_read_config(cvs_t)
+-	kerberos_read_keytab(cvs_t)
+-	kerberos_use(cvs_t)
+ 	kerberos_dontaudit_write_config(cvs_t)
+ ')
+ 
+@@ -120,4 +117,5 @@ optional_policy(`
  	read_files_pattern(httpd_cvs_script_t, cvs_data_t, cvs_data_t)
  	manage_dirs_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t)
  	manage_files_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t)
 +	files_tmp_filetrans(httpd_cvs_script_t, cvs_tmp_t, { file dir })
  ')
 diff --git a/cyphesis.te b/cyphesis.te
-index 916427f..556f1ac 100644
+index 77ffc73..556f1ac 100644
 --- a/cyphesis.te
 +++ b/cyphesis.te
+@@ -1,4 +1,4 @@
+-policy_module(cyphesis, 1.3.0)
++policy_module(cyphesis, 1.2.2)
+ 
+ ########################################
+ #
 @@ -48,7 +48,6 @@ kernel_read_kernel_sysctls(cyphesis_t)
  corecmd_search_bin(cyphesis_t)
  corecmd_getattr_bin_files(cyphesis_t)
@@ -19991,7 +21872,7 @@ index 916427f..556f1ac 100644
  
  optional_policy(`
 diff --git a/cyrus.if b/cyrus.if
-index 6508280..a2860e3 100644
+index 83bfda6..a2860e3 100644
 --- a/cyrus.if
 +++ b/cyrus.if
 @@ -20,6 +20,25 @@ interface(`cyrus_manage_data',`
@@ -20020,8 +21901,11 @@ index 6508280..a2860e3 100644
  ########################################
  ## <summary>
  ##	Connect to Cyrus using a unix
-@@ -63,9 +82,13 @@ interface(`cyrus_admin',`
+@@ -61,20 +80,20 @@ interface(`cyrus_admin',`
+ 	gen_require(`
+ 		type cyrus_t, cyrus_tmp_t, cyrus_var_lib_t;
  		type cyrus_var_run_t, cyrus_initrc_exec_t;
+-		type cyrus_keytab_t;
  	')
  
 -	allow $1 cyrus_t:process { ptrace signal_perms };
@@ -20035,11 +21919,35 @@ index 6508280..a2860e3 100644
  	init_labeled_script_domtrans($1, cyrus_initrc_exec_t)
  	domain_system_change_exemption($1)
  	role_transition $2 cyrus_initrc_exec_t system_r;
+ 	allow $2 system_r;
+ 
+-	files_list_etc($1)
+-	admin_pattern($1, cyrus_keytab_t)
+-
+ 	files_list_tmp($1)
+ 	admin_pattern($1, cyrus_tmp_t)
+ 
 diff --git a/cyrus.te b/cyrus.te
-index 395f97c..bf8db3c 100644
+index 4283f2d..bf8db3c 100644
 --- a/cyrus.te
 +++ b/cyrus.te
-@@ -26,7 +26,7 @@ files_pid_file(cyrus_var_run_t)
+@@ -1,4 +1,4 @@
+-policy_module(cyrus, 1.13.1)
++policy_module(cyrus, 1.12.2)
+ 
+ ########################################
+ #
+@@ -12,9 +12,6 @@ init_daemon_domain(cyrus_t, cyrus_exec_t)
+ type cyrus_initrc_exec_t;
+ init_script_file(cyrus_initrc_exec_t)
+ 
+-type cyrus_keytab_t;
+-files_type(cyrus_keytab_t)
+-
+ type cyrus_tmp_t;
+ files_tmp_file(cyrus_tmp_t)
+ 
+@@ -29,7 +26,7 @@ files_pid_file(cyrus_var_run_t)
  # Local policy
  #
  
@@ -20048,7 +21956,16 @@ index 395f97c..bf8db3c 100644
  dontaudit cyrus_t self:capability sys_tty_config;
  allow cyrus_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  allow cyrus_t self:process setrlimit;
-@@ -58,7 +58,6 @@ kernel_read_kernel_sysctls(cyrus_t)
+@@ -44,8 +41,6 @@ allow cyrus_t self:unix_dgram_socket sendto;
+ allow cyrus_t self:unix_stream_socket { accept connectto listen };
+ allow cyrus_t self:tcp_socket { accept listen };
+ 
+-allow cyrus_t cyrus_keytab_t:file read_file_perms;
+-
+ manage_dirs_pattern(cyrus_t, cyrus_tmp_t, cyrus_tmp_t)
+ manage_files_pattern(cyrus_t, cyrus_tmp_t, cyrus_tmp_t)
+ files_tmp_filetrans(cyrus_t, cyrus_tmp_t, { dir file })
+@@ -63,7 +58,6 @@ kernel_read_kernel_sysctls(cyrus_t)
  kernel_read_system_state(cyrus_t)
  kernel_read_all_sysctls(cyrus_t)
  
@@ -20056,7 +21973,7 @@ index 395f97c..bf8db3c 100644
  corenet_all_recvfrom_netlabel(cyrus_t)
  corenet_tcp_sendrecv_generic_if(cyrus_t)
  corenet_tcp_sendrecv_generic_node(cyrus_t)
-@@ -71,6 +70,9 @@ corenet_tcp_bind_mail_port(cyrus_t)
+@@ -76,6 +70,9 @@ corenet_tcp_bind_mail_port(cyrus_t)
  corenet_sendrecv_lmtp_server_packets(cyrus_t)
  corenet_tcp_bind_lmtp_port(cyrus_t)
  
@@ -20066,7 +21983,7 @@ index 395f97c..bf8db3c 100644
  corenet_sendrecv_pop_server_packets(cyrus_t)
  corenet_tcp_bind_pop_port(cyrus_t)
  
-@@ -90,8 +92,6 @@ domain_use_interactive_fds(cyrus_t)
+@@ -95,8 +92,6 @@ domain_use_interactive_fds(cyrus_t)
  
  files_list_var_lib(cyrus_t)
  files_read_etc_runtime_files(cyrus_t)
@@ -20075,7 +21992,7 @@ index 395f97c..bf8db3c 100644
  
  fs_getattr_all_fs(cyrus_t)
  fs_search_auto_mountpoints(cyrus_t)
-@@ -102,7 +102,6 @@ libs_exec_lib_files(cyrus_t)
+@@ -107,7 +102,6 @@ libs_exec_lib_files(cyrus_t)
  
  logging_send_syslog_msg(cyrus_t)
  
@@ -20083,18 +22000,21 @@ index 395f97c..bf8db3c 100644
  miscfiles_read_generic_certs(cyrus_t)
  
  userdom_use_unpriv_users_fds(cyrus_t)
-@@ -116,6 +115,10 @@ optional_policy(`
+@@ -121,8 +115,11 @@ optional_policy(`
  ')
  
  optional_policy(`
+-	kerberos_read_keytab(cyrus_t)
+-	kerberos_use(cyrus_t)
 +	dirsrv_stream_connect(cyrus_t)
 +')
 +
 +optional_policy(`
- 	kerberos_keytab_template(cyrus, cyrus_t)
++	kerberos_keytab_template(cyrus, cyrus_t)
  ')
  
-@@ -128,8 +131,8 @@ optional_policy(`
+ optional_policy(`
+@@ -134,8 +131,8 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -20115,9 +22035,15 @@ index 3b3d9a0..6c8106a 100644
  ')
 +
 diff --git a/daemontools.te b/daemontools.te
-index 0165962..2569147 100644
+index ee1b4aa..2569147 100644
 --- a/daemontools.te
 +++ b/daemontools.te
+@@ -1,4 +1,4 @@
+-policy_module(daemontools, 1.3.0)
++policy_module(daemontools, 1.2.1)
+ 
+ ########################################
+ #
 @@ -44,7 +44,10 @@ allow svc_multilog_t svc_start_t:process sigchld;
  allow svc_multilog_t svc_start_t:fd use;
  allow svc_multilog_t svc_start_t:fifo_file rw_fifo_file_perms;
@@ -20165,9 +22091,15 @@ index 0165962..2569147 100644
 -
 -miscfiles_read_localization(svc_start_t)
 diff --git a/dante.te b/dante.te
-index 98a2d6a..fff0987 100644
+index 5a5e290..fff0987 100644
 --- a/dante.te
 +++ b/dante.te
+@@ -1,4 +1,4 @@
+-policy_module(dante, 1.9.0)
++policy_module(dante, 1.8.2)
+ 
+ ########################################
+ #
 @@ -53,7 +53,6 @@ dev_read_sysfs(dante_t)
  
  domain_use_interactive_fds(dante_t)
@@ -20177,9 +22109,15 @@ index 98a2d6a..fff0987 100644
  
  fs_getattr_all_fs(dante_t)
 diff --git a/dbadm.te b/dbadm.te
-index a67870a..f7c0e61 100644
+index b60c464..f7c0e61 100644
 --- a/dbadm.te
 +++ b/dbadm.te
+@@ -1,4 +1,4 @@
+-policy_module(dbadm, 1.1.0)
++policy_module(dbadm, 1.0.1)
+ 
+ ########################################
+ #
 @@ -23,14 +23,14 @@ gen_tunable(dbadm_read_user_files, false)
  
  role dbadm_r;
@@ -20213,10 +22151,23 @@ index a67870a..f7c0e61 100644
 +optional_policy(`
 +	sudo_role_template(dbadm, dbadm_r, dbadm_t)
 +')
+diff --git a/dbskk.fc b/dbskk.fc
+index 6fb8fea..7af2590 100644
+--- a/dbskk.fc
++++ b/dbskk.fc
+@@ -1 +1,2 @@
++
+ /usr/sbin/dbskkd-cdb	--	gen_context(system_u:object_r:dbskkd_exec_t,s0)
 diff --git a/dbskk.te b/dbskk.te
-index 188e2e6..719583e 100644
+index f55c420..719583e 100644
 --- a/dbskk.te
 +++ b/dbskk.te
+@@ -1,4 +1,4 @@
+-policy_module(dbskk, 1.6.0)
++policy_module(dbskk, 1.5.1)
+ 
+ ########################################
+ #
 @@ -36,7 +36,6 @@ kernel_read_kernel_sysctls(dbskkd_t)
  kernel_read_system_state(dbskkd_t)
  kernel_read_network_state(dbskkd_t)
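Review bot: The newly added dbskk.fc diff (`@@ -1 +1,2 @@`) only inserts an empty line above the `/usr/sbin/dbskkd-cdb` entry. It changes no labeling and just enlarges the patch, so I would drop that file from the diff.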
@@ -20280,7 +22231,7 @@ index dda905b..ccd0ba9 100644
  /var/named/chroot/var/run/dbus(/.*)?	gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
 +')
 diff --git a/dbus.if b/dbus.if
-index afcf3a2..8cc440f 100644
+index 62d22cb..8cc440f 100644
 --- a/dbus.if
 +++ b/dbus.if
 @@ -1,4 +1,4 @@
@@ -20742,7 +22693,7 @@ index afcf3a2..8cc440f 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -349,19 +362,18 @@ interface(`dbus_read_config',`
+@@ -349,20 +362,18 @@ interface(`dbus_read_config',`
  ##	</summary>
  ## </param>
  #
@@ -20756,6 +22707,7 @@ index afcf3a2..8cc440f 100644
  
 -	files_search_var_lib($1)
 -	read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
+-	read_lnk_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
 +	allow $1 system_dbusd_t:dbus send_msg;
  ')
  
@@ -20767,7 +22719,7 @@ index afcf3a2..8cc440f 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -369,26 +381,20 @@ interface(`dbus_read_lib_files',`
+@@ -370,26 +381,20 @@ interface(`dbus_read_lib_files',`
  ##	</summary>
  ## </param>
  #
@@ -20800,7 +22752,7 @@ index afcf3a2..8cc440f 100644
  ## <param name="domain">
  ##	<summary>
  ##	Type to be used as a domain.
-@@ -396,81 +402,67 @@ interface(`dbus_manage_lib_files',`
+@@ -397,81 +402,67 @@ interface(`dbus_manage_lib_files',`
  ## </param>
  ## <param name="entry_point">
  ##	<summary>
@@ -20910,7 +22862,7 @@ index afcf3a2..8cc440f 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -478,18 +470,18 @@ interface(`dbus_spec_session_domain',`
+@@ -479,18 +470,18 @@ interface(`dbus_spec_session_domain',`
  ##	</summary>
  ## </param>
  #
@@ -20934,7 +22886,7 @@ index afcf3a2..8cc440f 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -497,98 +489,80 @@ interface(`dbus_connect_system_bus',`
+@@ -498,98 +489,80 @@ interface(`dbus_connect_system_bus',`
  ##	</summary>
  ## </param>
  #
@@ -21061,7 +23013,7 @@ index afcf3a2..8cc440f 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -596,28 +570,49 @@ interface(`dbus_use_system_bus_fds',`
+@@ -597,28 +570,49 @@ interface(`dbus_use_system_bus_fds',`
  ##	</summary>
  ## </param>
  #
@@ -21120,11 +23072,11 @@ index afcf3a2..8cc440f 100644
 +    files_var_filetrans($1, system_dbusd_var_lib_t, dir, "ibus")
  ')
 diff --git a/dbus.te b/dbus.te
-index 2c2e7e1..2ead441 100644
+index c9998c8..2ead441 100644
 --- a/dbus.te
 +++ b/dbus.te
 @@ -1,20 +1,18 @@
--policy_module(dbus, 1.18.8)
+-policy_module(dbus, 1.19.0)
 +policy_module(dbus, 1.17.0)
  
  gen_require(`
@@ -21500,8 +23452,8 @@ index 2c2e7e1..2ead441 100644
  # Unconfined access to this module
  #
  
--allow dbusd_unconfined { dbusd_session_bus_client dbusd_system_bus_client }:dbus send_msg;
--allow dbusd_unconfined { system_dbusd_t session_bus_type }:dbus all_dbus_perms;
+-allow dbusd_unconfined { system_dbusd_t session_bus_type dbusd_session_bus_client dbusd_system_bus_client }:dbus all_dbus_perms;
+-allow { dbusd_session_bus_client dbusd_system_bus_client } dbusd_unconfined:dbus send_msg;
 +allow dbusd_unconfined session_bus_type:dbus all_dbus_perms;
 +allow dbusd_unconfined dbusd_unconfined:dbus all_dbus_perms;
 +allow session_bus_type dbusd_unconfined:dbus send_msg;
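Review bot: The rebased base rule gives dbusd_unconfined all_dbus_perms on `system_dbusd_t` and on both bus client attributes, but none of the three replacement lines visible here names `system_dbusd_t`, `dbusd_session_bus_client` or `dbusd_system_bus_client`. Check that the lines following this hunk restore those targets; if they do not, unconfined domains lose access that the base policy now grants, and that should be a deliberate, documented choice.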
@@ -21531,9 +23483,15 @@ index a5c21e0..4639421 100644
  	stream_connect_pattern($1, dcc_var_t, dccifd_var_run_t, dccifd_t)
  ')
 diff --git a/dcc.te b/dcc.te
-index 15d908f..cecb0da 100644
+index 353fa4a..cecb0da 100644
 --- a/dcc.te
 +++ b/dcc.te
+@@ -1,4 +1,4 @@
+-policy_module(dcc, 1.12.0)
++policy_module(dcc, 1.11.1)
+ 
+ ########################################
+ #
 @@ -45,7 +45,7 @@ type dcc_var_t;
  files_type(dcc_var_t)
  
@@ -21703,9 +23661,15 @@ index 5606b40..cd18cf2 100644
  	domain_system_change_exemption($1)
  	role_transition $2 ddclient_initrc_exec_t system_r;
 diff --git a/ddclient.te b/ddclient.te
-index 0b4b8b9..2efb435 100644
+index a4caa1b..2efb435 100644
 --- a/ddclient.te
 +++ b/ddclient.te
+@@ -1,4 +1,4 @@
+-policy_module(ddclient, 1.10.0)
++policy_module(ddclient, 1.9.2)
+ 
+ ########################################
+ #
 @@ -38,9 +38,13 @@ files_pid_file(ddclient_var_run_t)
  # Declarations
  #
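Review bot: The new `@@ -1,4 +1,4 @@` hunk lowers the module version from `policy_module(ddclient, 1.10.0)` to `policy_module(ddclient, 1.9.2)`, and this rebase adds the same downgrade for dcc, ddcprobe, denyhosts and the other .te files. A version below the base is misleading when the patched module carries rules on top of that base; either leave the base version line alone or state in the changelog that the version lines are pinned on purpose.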
@@ -21758,9 +23722,15 @@ index 0b4b8b9..2efb435 100644
  sysnet_exec_ifconfig(ddclient_t)
  sysnet_dns_name_resolve(ddclient_t)
 diff --git a/ddcprobe.te b/ddcprobe.te
-index ceb9bf4..2496e02 100644
+index 8fa4bb9..2496e02 100644
 --- a/ddcprobe.te
 +++ b/ddcprobe.te
+@@ -1,4 +1,4 @@
+-policy_module(ddcprobe, 1.3.0)
++policy_module(ddcprobe, 1.2.1)
+ 
+ ########################################
+ #
 @@ -34,9 +34,7 @@ dev_read_urand(ddcprobe_t)
  dev_read_raw_memory(ddcprobe_t)
  dev_wx_raw_memory(ddcprobe_t)
@@ -21813,9 +23783,15 @@ index a7326da..c87b5b7 100644
  	admin_pattern($1, denyhosts_var_lock_t)
  ')
 diff --git a/denyhosts.te b/denyhosts.te
-index bcb9770..7f0c21f 100644
+index 583a527..7f0c21f 100644
 --- a/denyhosts.te
 +++ b/denyhosts.te
+@@ -1,4 +1,4 @@
+-policy_module(denyhosts, 1.1.0)
++policy_module(denyhosts, 1.0.2)
+ 
+ ########################################
+ #
 @@ -25,6 +25,9 @@ logging_log_file(denyhosts_var_log_t)
  #
  # Local policy
@@ -21863,7 +23839,7 @@ index bcb9770..7f0c21f 100644
 +	gnome_dontaudit_search_config(denyhosts_t)
 +')
 diff --git a/devicekit.if b/devicekit.if
-index d294865..3b4f593 100644
+index 8ce99ff..3b4f593 100644
 --- a/devicekit.if
 +++ b/devicekit.if
 @@ -1,4 +1,4 @@
@@ -21917,56 +23893,122 @@ index d294865..3b4f593 100644
  ')
  
  ########################################
-@@ -83,7 +99,46 @@ interface(`devicekit_dbus_chat_disk',`
+@@ -83,7 +99,7 @@ interface(`devicekit_dbus_chat_disk',`
  
  ########################################
  ## <summary>
 -##	Send generic signals to devicekit power.
 +##	Use file descriptors for devicekit_disk.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -91,39 +107,38 @@ interface(`devicekit_dbus_chat_disk',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`devicekit_signal_power',`
 +interface(`devicekit_use_fds_disk',`
-+	gen_require(`
+ 	gen_require(`
+-		type devicekit_power_t;
 +		type devicekit_disk_t;
-+	')
-+
+ 	')
+ 
+-	allow $1 devicekit_power_t:process signal;
 +	allow $1 devicekit_disk_t:fd use; 
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Send and receive messages from
+-##	devicekit power over dbus.
 +##	Dontaudit Send and receive messages from
 +##	devicekit disk over dbus.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain allowed access.
 +##	Domain to not audit.
-+##	</summary>
-+## </param>
-+#
+ ##	</summary>
+ ## </param>
+ #
+-interface(`devicekit_dbus_chat_power',`
 +interface(`devicekit_dontaudit_dbus_chat_disk',`
-+	gen_require(`
+ 	gen_require(`
+-		type devicekit_power_t;
 +		type devicekit_disk_t;
-+		class dbus send_msg;
-+	')
-+
+ 		class dbus send_msg;
+ 	')
+ 
+-	allow $1 devicekit_power_t:dbus send_msg;
+-	allow devicekit_power_t $1:dbus send_msg;
 +	dontaudit $1 devicekit_disk_t:dbus send_msg;
 +	dontaudit devicekit_disk_t $1:dbus send_msg;
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Use and inherit devicekit power
+-##	file descriptors.
 +##	Send signal devicekit power
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -120,29 +175,46 @@ interface(`devicekit_dbus_chat_power',`
- 	allow devicekit_power_t $1:dbus send_msg;
+@@ -131,17 +146,18 @@ interface(`devicekit_dbus_chat_power',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`devicekit_use_fds_power',`
++interface(`devicekit_signal_power',`
+ 	gen_require(`
+ 		type devicekit_power_t;
+ 	')
+ 
+-	allow $1 devicekit_power_t:fd use;
++	allow $1 devicekit_power_t:process signal;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Append inherited devicekit log files.
++##	Send and receive messages from
++##	devicekit power over dbus.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -149,40 +165,56 @@ interface(`devicekit_use_fds_power',`
+ ##	</summary>
+ ## </param>
+ #
++interface(`devicekit_dbus_chat_power',`
++	gen_require(`
++		type devicekit_power_t;
++		class dbus send_msg;
++	')
++
++	allow $1 devicekit_power_t:dbus send_msg;
++	allow devicekit_power_t $1:dbus send_msg;
++')
++
++#######################################
++## <summary>
++##  Append inherited devicekit log files.
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed access.
++##  </summary>
++## </param>
++#
+ interface(`devicekit_append_inherited_log_files',`
+ 	gen_require(`
+ 		type devicekit_var_log_t;
+ 	')
+ 
+-	logging_search_logs($1)
+-	allow $1 devicekit_var_log_t:file { getattr_file_perms append };
+-
+-	devicekit_use_fds_power($1)
++	allow $1 devicekit_var_log_t:file append_inherited_file_perms;
  ')
  
 -########################################
@@ -21974,44 +24016,26 @@ index d294865..3b4f593 100644
  ## <summary>
 -##	Create, read, write, and delete
 -##	devicekit log files.
-+##  Append inherited devicekit log files.
++##  Do not audit attempts to write the devicekit
++##  log files.
  ## </summary>
  ## <param name="domain">
 -##	<summary>
 -##	Domain allowed access.
 -##	</summary>
 +##  <summary>
-+##  Domain allowed access.
++##  Domain to not audit.
 +##  </summary>
  ## </param>
  #
 -interface(`devicekit_manage_log_files',`
-+interface(`devicekit_append_inherited_log_files',`
++interface(`devicekit_dontaudit_rw_log',`
  	gen_require(`
  		type devicekit_var_log_t;
  	')
  
 -	logging_search_logs($1)
 -	manage_files_pattern($1, devicekit_var_log_t, devicekit_var_log_t)
-+	allow $1 devicekit_var_log_t:file append_inherited_file_perms;
-+')
-+
-+#######################################
-+## <summary>
-+##  Do not audit attempts to write the devicekit
-+##  log files.
-+## </summary>
-+## <param name="domain">
-+##  <summary>
-+##  Domain to not audit.
-+##  </summary>
-+## </param>
-+#
-+interface(`devicekit_dontaudit_rw_log',`
-+	gen_require(`
-+		type devicekit_var_log_t;
-+	')
-+
 +	dontaudit $1 devicekit_var_log_t:file rw_file_perms;
  ')
  
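Review bot: In `devicekit_append_inherited_log_files` the patch now drops `devicekit_use_fds_power($1)` and leaves only `allow $1 devicekit_var_log_t:file append_inherited_file_perms;`, and the `devicekit_use_fds_power` interface is itself removed at its position earlier in this hunk. Appending through an inherited descriptor also needs `fd use` on the domain that opened it, so confirm callers get that permission elsewhere or keep the call. Minor: `allow $1 devicekit_disk_t:fd use; ` carries trailing whitespace, and the re-added doc comment for the log interface is indented with two spaces where the neighbouring interfaces use tabs.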
@@ -22022,7 +24046,7 @@ index d294865..3b4f593 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -150,13 +222,13 @@ interface(`devicekit_manage_log_files',`
+@@ -190,13 +222,13 @@ interface(`devicekit_manage_log_files',`
  ##	</summary>
  ## </param>
  #
@@ -22040,7 +24064,7 @@ index d294865..3b4f593 100644
  ')
  
  ########################################
-@@ -180,11 +252,30 @@ interface(`devicekit_read_pid_files',`
+@@ -220,11 +252,30 @@ interface(`devicekit_read_pid_files',`
  
  ########################################
  ## <summary>
@@ -22072,7 +24096,7 @@ index d294865..3b4f593 100644
  ##	Domain allowed access.
  ##	</summary>
  ## </param>
-@@ -195,22 +286,59 @@ interface(`devicekit_manage_pid_files',`
+@@ -235,22 +286,59 @@ interface(`devicekit_manage_pid_files',`
  	')
  
  	files_search_pids($1)
@@ -22136,7 +24160,7 @@ index d294865..3b4f593 100644
  ##	</summary>
  ## </param>
  ## <rolecap/>
-@@ -219,21 +347,48 @@ interface(`devicekit_admin',`
+@@ -259,21 +347,48 @@ interface(`devicekit_admin',`
  	gen_require(`
  		type devicekit_t, devicekit_disk_t, devicekit_power_t;
  		type devicekit_var_lib_t, devicekit_var_run_t, devicekit_tmp_t;
@@ -22195,10 +24219,16 @@ index d294865..3b4f593 100644
 +	logging_log_filetrans($1, devicekit_var_log_t, file, "pm-suspend.log")
  ')
 diff --git a/devicekit.te b/devicekit.te
-index ff933af..cd1d88d 100644
+index 77a5003..cd1d88d 100644
 --- a/devicekit.te
 +++ b/devicekit.te
-@@ -7,15 +7,15 @@ policy_module(devicekit, 1.2.1)
+@@ -1,4 +1,4 @@
+-policy_module(devicekit, 1.3.1)
++policy_module(devicekit, 1.2.1)
+ 
+ ########################################
+ #
+@@ -7,15 +7,15 @@ policy_module(devicekit, 1.3.1)
  
  type devicekit_t;
  type devicekit_exec_t;
@@ -22240,7 +24270,7 @@ index ff933af..cd1d88d 100644
  allow devicekit_disk_t self:process { getsched signal_perms };
  allow devicekit_disk_t self:fifo_file rw_fifo_file_perms;
  allow devicekit_disk_t self:netlink_kobject_uevent_socket create_socket_perms;
-@@ -81,10 +79,11 @@ allow devicekit_disk_t devicekit_var_run_t:dir mounton;
+@@ -81,15 +79,15 @@ allow devicekit_disk_t devicekit_var_run_t:dir mounton;
  manage_dirs_pattern(devicekit_disk_t, devicekit_var_run_t, devicekit_var_run_t)
  manage_files_pattern(devicekit_disk_t, devicekit_var_run_t, devicekit_var_run_t)
  files_pid_filetrans(devicekit_disk_t, devicekit_var_run_t, { dir file })
@@ -22253,7 +24283,12 @@ index ff933af..cd1d88d 100644
  kernel_read_fs_sysctls(devicekit_disk_t)
  kernel_read_network_state(devicekit_disk_t)
  kernel_read_software_raid_state(devicekit_disk_t)
-@@ -98,6 +97,8 @@ corecmd_getattr_all_executables(devicekit_disk_t)
+ kernel_read_system_state(devicekit_disk_t)
+-kernel_read_vm_sysctls(devicekit_disk_t)
+ kernel_request_load_module(devicekit_disk_t)
+ kernel_setsched(devicekit_disk_t)
+ 
+@@ -99,6 +97,8 @@ corecmd_getattr_all_executables(devicekit_disk_t)
  
  dev_getattr_all_chr_files(devicekit_disk_t)
  dev_getattr_mtrr_dev(devicekit_disk_t)
@@ -22262,7 +24297,7 @@ index ff933af..cd1d88d 100644
  dev_getattr_usbfs_dirs(devicekit_disk_t)
  dev_manage_generic_files(devicekit_disk_t)
  dev_read_urand(devicekit_disk_t)
-@@ -116,8 +117,8 @@ files_getattr_all_pipes(devicekit_disk_t)
+@@ -117,8 +117,8 @@ files_getattr_all_pipes(devicekit_disk_t)
  files_manage_boot_dirs(devicekit_disk_t)
  files_manage_isid_type_dirs(devicekit_disk_t)
  files_manage_mnt_dirs(devicekit_disk_t)
@@ -22272,7 +24307,7 @@ index ff933af..cd1d88d 100644
  
  fs_getattr_all_fs(devicekit_disk_t)
  fs_list_inotifyfs(devicekit_disk_t)
-@@ -134,16 +135,18 @@ storage_raw_write_fixed_disk(devicekit_disk_t)
+@@ -135,18 +135,18 @@ storage_raw_write_fixed_disk(devicekit_disk_t)
  storage_raw_read_removable_device(devicekit_disk_t)
  storage_raw_write_removable_device(devicekit_disk_t)
  
@@ -22281,9 +24316,10 @@ index ff933af..cd1d88d 100644
  
  auth_use_nsswitch(devicekit_disk_t)
  
--miscfiles_read_localization(devicekit_disk_t)
-+logging_send_syslog_msg(devicekit_disk_t)
+ logging_send_syslog_msg(devicekit_disk_t)
  
+-miscfiles_read_localization(devicekit_disk_t)
+-
  userdom_read_all_users_state(devicekit_disk_t)
  userdom_search_user_home_dirs(devicekit_disk_t)
 +userdom_manage_user_tmp_dirs(devicekit_disk_t)
@@ -22293,7 +24329,7 @@ index ff933af..cd1d88d 100644
  	dbus_system_bus_client(devicekit_disk_t)
  
  	allow devicekit_disk_t devicekit_t:dbus send_msg;
-@@ -167,6 +170,7 @@ optional_policy(`
+@@ -170,6 +170,7 @@ optional_policy(`
  
  optional_policy(`
  	mount_domtrans(devicekit_disk_t)
@@ -22301,7 +24337,7 @@ index ff933af..cd1d88d 100644
  ')
  
  optional_policy(`
-@@ -180,6 +184,11 @@ optional_policy(`
+@@ -183,25 +184,35 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -22312,8 +24348,10 @@ index ff933af..cd1d88d 100644
 +optional_policy(`
  	udev_domtrans(devicekit_disk_t)
  	udev_read_db(devicekit_disk_t)
+-	udev_read_pid_files(devicekit_disk_t)
  ')
-@@ -188,12 +197,19 @@ optional_policy(`
+ 
+ optional_policy(`
  	virt_manage_images(devicekit_disk_t)
  ')
  
@@ -22334,7 +24372,11 @@ index ff933af..cd1d88d 100644
  allow devicekit_power_t self:process { getsched signal_perms };
  allow devicekit_power_t self:fifo_file rw_fifo_file_perms;
  allow devicekit_power_t self:unix_dgram_socket create_socket_perms;
-@@ -207,9 +223,7 @@ manage_dirs_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t)
+-allow devicekit_power_t self:unix_stream_socket create_socket_perms;
+ allow devicekit_power_t self:netlink_kobject_uevent_socket create_socket_perms;
+ 
+ manage_dirs_pattern(devicekit_power_t, devicekit_tmp_t, devicekit_tmp_t)
+@@ -212,9 +223,7 @@ manage_dirs_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t)
  manage_files_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t)
  files_var_lib_filetrans(devicekit_power_t, devicekit_var_lib_t, dir)
  
@@ -22345,7 +24387,14 @@ index ff933af..cd1d88d 100644
  logging_log_filetrans(devicekit_power_t, devicekit_var_log_t, file)
  
  manage_dirs_pattern(devicekit_power_t, devicekit_var_run_t, devicekit_var_run_t)
-@@ -242,17 +256,16 @@ domain_read_all_domains_state(devicekit_power_t)
+@@ -241,27 +250,22 @@ dev_rw_generic_chr_files(devicekit_power_t)
+ dev_rw_netcontrol(devicekit_power_t)
+ dev_rw_sysfs(devicekit_power_t)
+ dev_read_rand(devicekit_power_t)
+-dev_getattr_all_blk_files(devicekit_power_t)
+ dev_getattr_all_chr_files(devicekit_power_t)
+ 
+ domain_read_all_domains_state(devicekit_power_t)
  
  files_read_kernel_img(devicekit_power_t)
  files_read_etc_runtime_files(devicekit_power_t)
@@ -22360,24 +24409,28 @@ index ff933af..cd1d88d 100644
  
  auth_use_nsswitch(devicekit_power_t)
  
+-init_all_labeled_script_domtrans(devicekit_power_t)
+-init_read_utmp(devicekit_power_t)
+-
 -miscfiles_read_localization(devicekit_power_t)
 +seutil_exec_setfiles(devicekit_power_t)
  
  sysnet_domtrans_ifconfig(devicekit_power_t)
  sysnet_domtrans_dhcpc(devicekit_power_t)
-@@ -269,9 +282,11 @@ optional_policy(`
- 
- optional_policy(`
- 	cron_initrc_domtrans(devicekit_power_t)
-+	cron_systemctl(devicekit_power_t)
+@@ -277,6 +281,12 @@ optional_policy(`
  ')
  
  optional_policy(`
++	cron_initrc_domtrans(devicekit_power_t)
++	cron_systemctl(devicekit_power_t)
++')
++
++optional_policy(`
 +	dbus_system_domain(devicekit_power_t, devicekit_power_exec_t)
  	dbus_system_bus_client(devicekit_power_t)
  
  	allow devicekit_power_t devicekit_t:dbus send_msg;
-@@ -302,8 +317,11 @@ optional_policy(`
+@@ -307,8 +317,11 @@ optional_policy(`
  ')
  
  optional_policy(`
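Review bot: The rebase makes the patch strip `init_all_labeled_script_domtrans(devicekit_power_t)` and `init_read_utmp(devicekit_power_t)` from the base, and the neighbouring hunks do the same for `kernel_read_vm_sysctls`, `udev_read_pid_files`, `dev_getattr_all_blk_files`, the `unix_stream_socket` self rule and `udev_manage_pid_files`, none of which the commit message mentions. Removing allow rules is the safe direction, but if they were dropped only to preserve the old F20 text they will come back as AVC denials; list the removals in the changelog or keep the base rules.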
@@ -22390,7 +24443,15 @@ index ff933af..cd1d88d 100644
  	hal_manage_pid_dirs(devicekit_power_t)
  	hal_manage_pid_files(devicekit_power_t)
  ')
-@@ -341,3 +359,9 @@ optional_policy(`
+@@ -337,7 +350,6 @@ optional_policy(`
+ 
+ optional_policy(`
+ 	udev_read_db(devicekit_power_t)
+-	udev_manage_pid_files(devicekit_power_t)
+ ')
+ 
+ optional_policy(`
+@@ -347,3 +359,9 @@ optional_policy(`
  optional_policy(`
  	vbetool_domtrans(devicekit_power_t)
  ')
@@ -22401,16 +24462,24 @@ index ff933af..cd1d88d 100644
 +')
 +
 diff --git a/dhcp.fc b/dhcp.fc
-index 7956248..333d214 100644
+index 8182c48..333d214 100644
 --- a/dhcp.fc
 +++ b/dhcp.fc
-@@ -1,4 +1,6 @@
+@@ -1,8 +1,10 @@
  /etc/rc\.d/init\.d/dhcpd(6)?	--	gen_context(system_u:object_r:dhcpd_initrc_exec_t,s0)
 +/usr/lib/systemd/system/dhcpcd.*	--	gen_context(system_u:object_r:dhcpd_unit_file_t,s0)
 +/usr/lib/systemd/system/dhcpd.*	    --	gen_context(system_u:object_r:dhcpd_unit_file_t,s0)
  
- /usr/sbin/dhcpd.*		--	gen_context(system_u:object_r:dhcpd_exec_t,s0)
+-/usr/sbin/dhcpd.*	--	gen_context(system_u:object_r:dhcpd_exec_t,s0)
++/usr/sbin/dhcpd.*		--	gen_context(system_u:object_r:dhcpd_exec_t,s0)
  
+-/var/lib/dhcpd(/.*)?	gen_context(system_u:object_r:dhcpd_state_t,s0)
+-/var/lib/dhcp(3)?/dhcpd\.leases.*	--	gen_context(system_u:object_r:dhcpd_state_t,s0)
++/var/lib/dhcpd(/.*)?			gen_context(system_u:object_r:dhcpd_state_t,s0)
++/var/lib/dhcp(3)?/dhcpd\.leases.* --	gen_context(system_u:object_r:dhcpd_state_t,s0)
+ 
+-/var/run/dhcpd(6)?\.pid	--	gen_context(system_u:object_r:dhcpd_var_run_t,s0)
++/var/run/dhcpd(6)?\.pid		--	gen_context(system_u:object_r:dhcpd_var_run_t,s0)
 diff --git a/dhcp.if b/dhcp.if
 index c697edb..31d45bf 100644
 --- a/dhcp.if
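Review bot: Most of the dhcp.fc part of this hunk is whitespace-only realignment of the dhcpd entries (`/usr/sbin/dhcpd.*`, `/var/lib/dhcpd(/.*)?`, `/var/run/dhcpd(6)?\.pid`), which changes no label and makes the next rebase harder to read; drop those lines from the patch. While here, `/usr/lib/systemd/system/dhcpcd.*` is labelled `dhcpd_unit_file_t`: dhcpcd is a client daemon, so confirm it is meant to share the server's unit file type, and note that the `dhcpd.*` line below it mixes a tab with spaces before `--`.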
@@ -22483,9 +24552,15 @@ index c697edb..31d45bf 100644
 +	allow $1 dhcpd_unit_file_t:service all_service_perms;
  ')
 diff --git a/dhcp.te b/dhcp.te
-index c93c3db..5d61f10 100644
+index 98a24b9..5d61f10 100644
 --- a/dhcp.te
 +++ b/dhcp.te
+@@ -1,4 +1,4 @@
+-policy_module(dhcp, 1.11.0)
++policy_module(dhcp, 1.10.1)
+ 
+ ########################################
+ #
 @@ -20,6 +20,9 @@ init_daemon_domain(dhcpd_t, dhcpd_exec_t)
  type dhcpd_initrc_exec_t;
  init_script_file(dhcpd_initrc_exec_t)
@@ -22576,9 +24651,15 @@ index 3cc3494..cb0a1f4 100644
  	init_labeled_script_domtrans($1, dictd_initrc_exec_t)
  	domain_system_change_exemption($1)
 diff --git a/dictd.te b/dictd.te
-index fd4a602..43b800a 100644
+index 433d3c5..43b800a 100644
 --- a/dictd.te
 +++ b/dictd.te
+@@ -1,4 +1,4 @@
+-policy_module(dictd, 1.8.0)
++policy_module(dictd, 1.7.1)
+ 
+ ########################################
+ #
 @@ -43,7 +43,6 @@ files_pid_filetrans(dictd_t, dictd_var_run_t, file)
  kernel_read_system_state(dictd_t)
  kernel_read_kernel_sysctls(dictd_t)
@@ -23397,9 +25478,15 @@ index 24d8c74..1790ec5 100644
  	')
  
 diff --git a/distcc.te b/distcc.te
-index b441a4d..83fb340 100644
+index 898b2f4..83fb340 100644
 --- a/distcc.te
 +++ b/distcc.te
+@@ -1,4 +1,4 @@
+-policy_module(distcc, 1.9.0)
++policy_module(distcc, 1.8.2)
+ 
+ ########################################
+ #
 @@ -47,7 +47,6 @@ files_pid_filetrans(distccd_t, distccd_var_run_t, file)
  kernel_read_system_state(distccd_t)
  kernel_read_kernel_sysctls(distccd_t)
@@ -23446,9 +25533,15 @@ index 671d3c0..6d36c95 100644
  
  #####################################
 diff --git a/djbdns.te b/djbdns.te
-index 463d290..df50e4c 100644
+index 87ca536..df50e4c 100644
 --- a/djbdns.te
 +++ b/djbdns.te
+@@ -1,4 +1,4 @@
+-policy_module(djbdns, 1.6.0)
++policy_module(djbdns, 1.5.3)
+ 
+ ########################################
+ #
 @@ -48,6 +48,10 @@ corenet_udp_bind_generic_port(djbdns_domain)
  
  files_search_var(djbdns_domain)
@@ -23472,6 +25565,25 @@ index 5818418..674367b 100644
  /var/run/dkim-milter(/.*)?	gen_context(system_u:object_r:dkim_milter_data_t,s0)
  /var/run/dkim-milter\.pid	--	gen_context(system_u:object_r:dkim_milter_data_t,s0)
  
+diff --git a/dkim.te b/dkim.te
+index 6a73d60..0d2eb21 100644
+--- a/dkim.te
++++ b/dkim.te
+@@ -1,4 +1,4 @@
+-policy_module(dkim, 1.2.0)
++policy_module(dkim, 1.1.3)
+ 
+ ########################################
+ #
+@@ -13,8 +13,6 @@ init_script_file(dkim_milter_initrc_exec_t)
+ type dkim_milter_private_key_t;
+ files_type(dkim_milter_private_key_t)
+ 
+-init_daemon_run_dir(dkim_milter_data_t, "opendkim")
+-
+ ########################################
+ #
+ # Local policy
 diff --git a/dmidecode.if b/dmidecode.if
 index 41c3f67..653a1ec 100644
 --- a/dmidecode.if
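Review bot: The new dkim.te diff removes `init_daemon_run_dir(dkim_milter_data_t, "opendkim")` without a replacement, and the dkim.fc context just above only shows `/var/run/dkim-milter` paths. Confirm that a run directory named opendkim still ends up labelled `dkim_milter_data_t` through a file context entry or a named transition; otherwise it will be created with the default /var/run type and the removal should be explained in the changelog.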
@@ -23503,11 +25615,30 @@ index 41c3f67..653a1ec 100644
  ## <summary>
  ##	Execute dmidecode in the dmidecode
 diff --git a/dmidecode.te b/dmidecode.te
-index c947c2c..8d4d843 100644
+index aa0ef6e..8d4d843 100644
 --- a/dmidecode.te
 +++ b/dmidecode.te
-@@ -29,4 +29,8 @@ files_list_usr(dmidecode_t)
+@@ -1,4 +1,4 @@
+-policy_module(dmidecode, 1.5.1)
++policy_module(dmidecode, 1.4.1)
  
+ ########################################
+ #
+@@ -20,15 +20,17 @@ role dmidecode_roles types dmidecode_t;
+ 
+ allow dmidecode_t self:capability sys_rawio;
+ 
+-dev_read_raw_memory(dmidecode_t)
+ dev_read_sysfs(dmidecode_t)
++dev_read_raw_memory(dmidecode_t)
+ 
+-domain_use_interactive_fds(dmidecode_t)
++mls_file_read_all_levels(dmidecode_t)
+ 
+ files_list_usr(dmidecode_t)
+ 
+-mls_file_read_all_levels(dmidecode_t)
+-
  locallogin_use_fds(dmidecode_t)
  
 -userdom_use_user_terminals(dmidecode_t)
@@ -23802,9 +25933,15 @@ index 19aa0b8..b9895ba 100644
 +	allow $1 dnsmasq_unit_file_t:service all_service_perms;
  ')
 diff --git a/dnsmasq.te b/dnsmasq.te
-index ba14bcf..34a4c71 100644
+index 37a3b7b..34a4c71 100644
 --- a/dnsmasq.te
 +++ b/dnsmasq.te
+@@ -1,4 +1,4 @@
+-policy_module(dnsmasq, 1.10.0)
++policy_module(dnsmasq, 1.9.3)
+ 
+ ########################################
+ #
 @@ -24,6 +24,9 @@ logging_log_file(dnsmasq_var_log_t)
  type dnsmasq_var_run_t;
  files_pid_file(dnsmasq_var_run_t)
@@ -23891,19 +26028,22 @@ index ba14bcf..34a4c71 100644
 +')
 diff --git a/dnssec.fc b/dnssec.fc
 new file mode 100644
-index 0000000..9e231a8
+index 0000000..1714fa6
 --- /dev/null
 +++ b/dnssec.fc
-@@ -0,0 +1,3 @@
+@@ -0,0 +1,6 @@
++/usr/lib/systemd/system/dnssec-triggerd.*    --  gen_context(system_u:object_r:dnssec_trigger_unit_file_t,s0)
++
 +/usr/sbin/dnssec-triggerd	--	gen_context(system_u:object_r:dnssec_trigger_exec_t,s0)
++/usr/libexec/dnssec-trigger-script  --  gen_context(system_u:object_r:dnssec_trigger_exec_t,s0)
 +
 +/var/run/dnssec.*			gen_context(system_u:object_r:dnssec_trigger_var_run_t,s0)
 diff --git a/dnssec.if b/dnssec.if
 new file mode 100644
-index 0000000..a952041
+index 0000000..457d4dd
 --- /dev/null
 +++ b/dnssec.if
-@@ -0,0 +1,64 @@
+@@ -0,0 +1,85 @@
 +
 +## <summary>policy for dnssec_trigger</summary>
 +
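Review bot: In dnssec.fc, `/usr/libexec/dnssec-trigger-script` gets the same `dnssec_trigger_exec_t` label as `/usr/sbin/dnssec-triggerd`, so every domain allowed to transition on that entry type will run the helper script in the daemon domain. If that is the intent (the commit adds NetworkManager rules for dnssec_trigger_t), say so in a comment; if not, give the script its own type. The two added lines are also aligned with spaces while the existing entries use tabs.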
@@ -23944,6 +26084,27 @@ index 0000000..a952041
 +	allow $1 dnssec_trigger_var_run_t:file read_file_perms;
 +')
 +
++########################################
++## <summary>
++##	Manage dnssec_trigger PID files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`dnssec_trigger_manage_pid_files',`
++	gen_require(`
++		type dnssec_trigger_var_run_t;
++	')
++
++	files_search_pids($1)
++	manage_dirs_pattern($1, dnssec_trigger_var_run_t, dnssec_trigger_var_run_t)
++	manage_files_pattern($1, dnssec_trigger_var_run_t, dnssec_trigger_var_run_t)
++	manage_lnk_files_pattern($1, dnssec_trigger_var_run_t, dnssec_trigger_var_run_t)
++')
++
 +
 +########################################
 +## <summary>
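Review bot: `dnssec_trigger_manage_pid_files` is documented as "Manage dnssec_trigger PID files" but also grants `manage_dirs_pattern` and `manage_lnk_files_pattern` on `dnssec_trigger_var_run_t`, so callers receive directory and symlink create/delete rights that the name and summary do not announce. Either narrow it to `manage_files_pattern` or update the summary to list directories and symlinks. The hunk also leaves two blank lines before the next interface header.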
@@ -23970,10 +26131,10 @@ index 0000000..a952041
 +')
 diff --git a/dnssec.te b/dnssec.te
 new file mode 100644
-index 0000000..7f0943f
+index 0000000..64f1a64
 --- /dev/null
 +++ b/dnssec.te
-@@ -0,0 +1,59 @@
+@@ -0,0 +1,68 @@
 +policy_module(dnssec, 1.0.0)
 +
 +########################################
@@ -23985,6 +26146,9 @@ index 0000000..7f0943f
 +type dnssec_trigger_exec_t;
 +init_daemon_domain(dnssec_trigger_t, dnssec_trigger_exec_t)
 +
++type dnssec_trigger_unit_file_t;
++systemd_unit_file(dnssec_trigger_unit_file_t)
++
 +type dnssec_trigger_var_run_t;
 +files_pid_file(dnssec_trigger_var_run_t)
 +
@@ -24018,6 +26182,7 @@ index 0000000..7f0943f
 +domain_use_interactive_fds(dnssec_trigger_t)
 +
 +files_read_etc_runtime_files(dnssec_trigger_t)
++files_dontaudit_list_tmp(dnssec_trigger_t)
 +
 +logging_send_syslog_msg(dnssec_trigger_t)
 +
@@ -24025,6 +26190,7 @@ index 0000000..7f0943f
 +
 +sysnet_dns_name_resolve(dnssec_trigger_t)
 +sysnet_manage_config(dnssec_trigger_t)
++sysnet_filetrans_named_content(dnssec_trigger_t)
 +
 +optional_policy(`
 +    bind_domtrans(dnssec_trigger_t)
@@ -24032,11 +26198,21 @@ index 0000000..7f0943f
 +	bind_read_dnssec_keys(dnssec_trigger_t)
 +')
 +
++optional_policy(`
++    networkmanager_stream_connect(dnssec_trigger_t)
++    networkmanager_sigchld(dnssec_trigger_t)
 +
++')
 diff --git a/dnssectrigger.te b/dnssectrigger.te
-index ef36d73..fddd51f 100644
+index c7bb4e7..fddd51f 100644
 --- a/dnssectrigger.te
 +++ b/dnssectrigger.te
+@@ -1,4 +1,4 @@
+-policy_module(dnssectrigger, 1.1.0)
++policy_module(dnssectrigger, 1.0.1)
+ 
+ ########################################
+ #
 @@ -67,8 +67,6 @@ files_read_etc_runtime_files(dnssec_triggerd_t)
  
  logging_send_syslog_msg(dnssec_triggerd_t)
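Review bot: The `optional_policy` block added to dnssec.te indents `networkmanager_stream_connect` and `networkmanager_sigchld` with four spaces and leaves an empty line before the closing `')`, while `bind_read_dnssec_keys` just above uses a tab. Please use tabs and drop the blank line. A one-line comment on why dnssec_trigger_t needs the NetworkManager stream socket and `networkmanager_sigchld` would also help, since the changelog only says the interface was added.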
@@ -24815,7 +26991,7 @@ index c880070..4448055 100644
 -/var/spool/dovecot(/.*)?	gen_context(system_u:object_r:dovecot_spool_t,s0)
 +/var/spool/dovecot(/.*)?		gen_context(system_u:object_r:dovecot_spool_t,s0)
 diff --git a/dovecot.if b/dovecot.if
-index dbcac59..f3e446c 100644
+index d5badb7..f3e446c 100644
 --- a/dovecot.if
 +++ b/dovecot.if
 @@ -1,29 +1,49 @@
@@ -24975,7 +27151,7 @@ index dbcac59..f3e446c 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -132,21 +168,24 @@ interface(`dovecot_write_inherited_tmp_files',`
+@@ -132,22 +168,24 @@ interface(`dovecot_write_inherited_tmp_files',`
  ## </param>
  ## <param name="role">
  ##	<summary>
@@ -24991,6 +27167,7 @@ index dbcac59..f3e446c 100644
 -		type dovecot_spool_t, dovecot_var_lib_t, dovecot_initrc_exec_t;
 -		type dovecot_var_run_t, dovecot_cert_t, dovecot_passwd_t;
 -		type dovecot_tmp_t, dovecot_auth_tmp_t, dovecot_deliver_tmp_t;
+-		type dovecot_keytab_t;
 +		type dovecot_t, dovecot_etc_t, dovecot_auth_tmp_t;
 +		type dovecot_spool_t, dovecot_var_lib_t, dovecot_var_log_t;
 +		type dovecot_var_run_t, dovecot_tmp_t, dovecot_keytab_t;
@@ -25006,9 +27183,12 @@ index dbcac59..f3e446c 100644
  
  	init_labeled_script_domtrans($1, dovecot_initrc_exec_t)
  	domain_system_change_exemption($1)
-@@ -156,20 +195,25 @@ interface(`dovecot_admin',`
+@@ -155,22 +193,27 @@ interface(`dovecot_admin',`
+ 	allow $2 system_r;
+ 
  	files_list_etc($1)
- 	admin_pattern($1, dovecot_etc_t)
+-	admin_pattern($1, { dovecot_keytab_t dovecot_etc_t })
++	admin_pattern($1, dovecot_etc_t)
  
 -	logging_list_logs($1)
 -	admin_pattern($1, dovecot_var_log_t)
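Review bot: `admin_pattern($1, { dovecot_keytab_t dovecot_etc_t })` from the base becomes `admin_pattern($1, dovecot_etc_t)`, yet the `gen_require` in the previous hunk still lists `dovecot_keytab_t`. Either apply `admin_pattern` to the keytab type further down in `dovecot_admin` or drop it from the require list, so the interface does not depend on a type it never uses.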
@@ -25039,16 +27219,16 @@ index dbcac59..f3e446c 100644
 +	admin_pattern($1, dovecot_passwd_t)
  ')
 diff --git a/dovecot.te b/dovecot.te
-index a7bfaf0..38bfca8 100644
+index 0aabc7e..38bfca8 100644
 --- a/dovecot.te
 +++ b/dovecot.te
 @@ -1,4 +1,4 @@
--policy_module(dovecot, 1.15.6)
+-policy_module(dovecot, 1.16.1)
 +policy_module(dovecot, 1.14.0)
  
  ########################################
  #
-@@ -7,12 +7,10 @@ policy_module(dovecot, 1.15.6)
+@@ -7,12 +7,10 @@ policy_module(dovecot, 1.16.1)
  
  attribute dovecot_domain;
  
@@ -25073,7 +27253,14 @@ index a7bfaf0..38bfca8 100644
  domain_type(dovecot_deliver_t)
  domain_entry_file(dovecot_deliver_t, dovecot_deliver_exec_t)
  role system_r types dovecot_deliver_t;
-@@ -42,11 +39,12 @@ type dovecot_passwd_t;
+@@ -38,18 +35,16 @@ files_config_file(dovecot_etc_t)
+ type dovecot_initrc_exec_t;
+ init_script_file(dovecot_initrc_exec_t)
+ 
+-type dovecot_keytab_t;
+-files_type(dovecot_keytab_t)
+-
+ type dovecot_passwd_t;
  files_type(dovecot_passwd_t)
  
  type dovecot_spool_t;
@@ -25087,7 +27274,7 @@ index a7bfaf0..38bfca8 100644
  type dovecot_var_lib_t;
  files_type(dovecot_var_lib_t)
  
-@@ -56,20 +54,18 @@ logging_log_file(dovecot_var_log_t)
+@@ -59,20 +54,18 @@ logging_log_file(dovecot_var_log_t)
  type dovecot_var_run_t;
  files_pid_file(dovecot_var_run_t)
  
@@ -25113,7 +27300,7 @@ index a7bfaf0..38bfca8 100644
  
  corecmd_exec_bin(dovecot_domain)
  corecmd_exec_shell(dovecot_domain)
-@@ -78,37 +74,46 @@ dev_read_sysfs(dovecot_domain)
+@@ -81,39 +74,46 @@ dev_read_sysfs(dovecot_domain)
  dev_read_rand(dovecot_domain)
  dev_read_urand(dovecot_domain)
  
@@ -25148,7 +27335,8 @@ index a7bfaf0..38bfca8 100644
 -allow dovecot_t dovecot_cert_t:lnk_file read_lnk_file_perms;
 +read_files_pattern(dovecot_t, dovecot_cert_t, dovecot_cert_t)
 +read_lnk_files_pattern(dovecot_t, dovecot_cert_t, dovecot_cert_t)
-+
+ 
+-allow dovecot_t dovecot_keytab_t:file read_file_perms;
 +allow dovecot_t dovecot_etc_t:dir list_dir_perms;
 +read_files_pattern(dovecot_t, dovecot_etc_t, dovecot_etc_t)
 +read_lnk_files_pattern(dovecot_t, dovecot_etc_t, dovecot_etc_t)
@@ -25173,7 +27361,7 @@ index a7bfaf0..38bfca8 100644
  logging_log_filetrans(dovecot_t, dovecot_var_log_t, { file dir })
  
  manage_dirs_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t)
-@@ -120,45 +125,35 @@ manage_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
+@@ -125,45 +125,35 @@ manage_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
  manage_lnk_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
  manage_sock_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
  manage_fifo_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
@@ -25230,7 +27418,7 @@ index a7bfaf0..38bfca8 100644
  
  init_getattr_utmp(dovecot_t)
  
-@@ -166,44 +161,42 @@ auth_use_nsswitch(dovecot_t)
+@@ -171,37 +161,29 @@ auth_use_nsswitch(dovecot_t)
  
  miscfiles_read_generic_certs(dovecot_t)
  
@@ -25243,6 +27431,12 @@ index a7bfaf0..38bfca8 100644
 -	fs_manage_nfs_files(dovecot_t)
 -	fs_manage_nfs_symlinks(dovecot_t)
 -')
+-
+-tunable_policy(`use_samba_home_dirs',`
+-	fs_manage_cifs_dirs(dovecot_t)
+-	fs_manage_cifs_files(dovecot_t)
+-	fs_manage_cifs_symlinks(dovecot_t)
+-')
 +userdom_home_manager(dovecot_t)
 +userdom_dontaudit_use_unpriv_user_fds(dovecot_t)
 +userdom_manage_user_home_content_dirs(dovecot_t)
@@ -25252,20 +27446,13 @@ index a7bfaf0..38bfca8 100644
 +userdom_manage_user_home_content_sockets(dovecot_t)
 +userdom_filetrans_home_content(dovecot_t)
  
--tunable_policy(`use_samba_home_dirs',`
--	fs_manage_cifs_dirs(dovecot_t)
--	fs_manage_cifs_files(dovecot_t)
--	fs_manage_cifs_symlinks(dovecot_t)
-+optional_policy(`
-+	mta_manage_home_rw(dovecot_t)
-+	mta_manage_spool(dovecot_t)
- ')
- 
  optional_policy(`
- 	kerberos_keytab_template(dovecot, dovecot_t)
 -	kerberos_manage_host_rcache(dovecot_t)
+-	kerberos_read_keytab(dovecot_t)
 -	kerberos_tmp_filetrans_host_rcache(dovecot_t, file, "imap_0")
-+	kerberos_tmp_filetrans_host_rcache(dovecot_t, "imap_0")
+-	kerberos_use(dovecot_t)
++	mta_manage_home_rw(dovecot_t)
++	mta_manage_spool(dovecot_t)
  ')
  
  optional_policy(`
@@ -25273,27 +27460,29 @@ index a7bfaf0..38bfca8 100644
 -	mta_manage_mail_home_rw_content(dovecot_t)
 -	mta_home_filetrans_mail_home_rw(dovecot_t, dir, "Maildir")
 -	mta_home_filetrans_mail_home_rw(dovecot_t, dir, ".maildir")
-+	gnome_manage_data(dovecot_t)
++	kerberos_keytab_template(dovecot, dovecot_t)
++	kerberos_tmp_filetrans_host_rcache(dovecot_t, "imap_0")
  ')
  
  optional_policy(`
 -	postgresql_stream_connect(dovecot_t)
-+	postfix_manage_private_sockets(dovecot_t)
-+	postfix_search_spool(dovecot_t)
++	gnome_manage_data(dovecot_t)
  ')
  
  optional_policy(`
--	postfix_manage_private_sockets(dovecot_t)
--	postfix_search_spool(dovecot_t)
-+	postgresql_stream_connect(dovecot_t)
+@@ -210,6 +192,11 @@ optional_policy(`
  ')
  
  optional_policy(`
++	postgresql_stream_connect(dovecot_t)
++')
++
++optional_policy(`
 +	# Handle sieve scripts
  	sendmail_domtrans(dovecot_t)
  ')
  
-@@ -221,46 +214,65 @@ optional_policy(`
+@@ -227,46 +214,65 @@ optional_policy(`
  
  ########################################
  #
@@ -25368,7 +27557,7 @@ index a7bfaf0..38bfca8 100644
  	mysql_stream_connect(dovecot_auth_t)
  	mysql_read_config(dovecot_auth_t)
  	mysql_tcp_connect(dovecot_auth_t)
-@@ -271,15 +283,30 @@ optional_policy(`
+@@ -277,15 +283,30 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -25400,7 +27589,7 @@ index a7bfaf0..38bfca8 100644
  allow dovecot_deliver_t dovecot_cert_t:dir search_dir_perms;
  
  append_files_pattern(dovecot_deliver_t, dovecot_var_log_t, dovecot_var_log_t)
-@@ -289,35 +316,44 @@ manage_files_pattern(dovecot_deliver_t, dovecot_deliver_tmp_t, dovecot_deliver_t
+@@ -295,35 +316,44 @@ manage_files_pattern(dovecot_deliver_t, dovecot_deliver_tmp_t, dovecot_deliver_t
  files_tmp_filetrans(dovecot_deliver_t, dovecot_deliver_tmp_t, { file dir })
  
  allow dovecot_deliver_t dovecot_var_run_t:dir list_dir_perms;
@@ -25462,13 +27651,92 @@ index a7bfaf0..38bfca8 100644
  	mta_read_queue(dovecot_deliver_t)
  ')
  
-@@ -326,5 +362,6 @@ optional_policy(`
+@@ -332,5 +362,6 @@ optional_policy(`
  ')
  
  optional_policy(`
 +	# Handle sieve scripts
  	sendmail_domtrans(dovecot_deliver_t)
  ')
+diff --git a/dpkg.fc b/dpkg.fc
+index eec3c48..751c251 100644
+--- a/dpkg.fc
++++ b/dpkg.fc
+@@ -1,5 +1,3 @@
+-/etc/cron\.daily/dpkg	--	gen_context(system_u:object_r:dpkg_exec_t,s0)
+-
+ /usr/bin/debsums	--	gen_context(system_u:object_r:dpkg_exec_t,s0)
+ /usr/bin/dpkg	--	gen_context(system_u:object_r:dpkg_exec_t,s0)
+ /usr/bin/dselect	--	gen_context(system_u:object_r:dpkg_exec_t,s0)
+diff --git a/dpkg.if b/dpkg.if
+index fdc06d6..9aa68a6 100644
+--- a/dpkg.if
++++ b/dpkg.if
+@@ -21,25 +21,6 @@ interface(`dpkg_domtrans',`
+ 
+ ########################################
+ ## <summary>
+-##	Execute the dkpg in the caller domain.
+-## </summary>
+-## <param name="domain">
+-##	<summary>
+-##	Domain allowed access.
+-##	</summary>
+-## </param>
+-#
+-interface(`dpkg_exec',`
+-	gen_require(`
+-		type dpkg_exec_t;
+-	')
+-
+-	corecmd_search_bin($1)
+-	can_exec($1, dpkg_exec_t)
+-')
+-
+-########################################
+-## <summary>
+ ##	Execute dpkg_script programs in
+ ##	the dpkg_script domain.
+ ## </summary>
+diff --git a/dpkg.te b/dpkg.te
+index 50af48c..998d765 100644
+--- a/dpkg.te
++++ b/dpkg.te
+@@ -1,4 +1,4 @@
+-policy_module(dpkg, 1.10.1)
++policy_module(dpkg, 1.10.0)
+ 
+ ########################################
+ #
+@@ -137,7 +137,7 @@ storage_raw_read_fixed_disk(dpkg_t)
+ 
+ auth_dontaudit_read_shadow(dpkg_t)
+ 
+-init_all_labeled_script_domtrans(dpkg_t)
++init_domtrans_script(dpkg_t)
+ init_use_script_ptys(dpkg_t)
+ 
+ libs_exec_ld_so(dpkg_t)
+@@ -161,10 +161,6 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
+-	backup_manage_store_files(dpkg_t)
+-')
+-
+-optional_policy(`
+ 	cron_system_entry(dpkg_t, dpkg_exec_t)
+ ')
+ 
+@@ -276,7 +272,7 @@ term_use_all_terms(dpkg_script_t)
+ auth_dontaudit_getattr_shadow(dpkg_script_t)
+ files_manage_non_auth_files(dpkg_script_t)
+ 
+-init_all_labeled_script_domtrans(dpkg_script_t)
++init_domtrans_script(dpkg_script_t)
+ init_use_script_fds(dpkg_script_t)
+ 
+ libs_exec_ld_so(dpkg_script_t)
 diff --git a/drbd.fc b/drbd.fc
 index 671a3fb..c781675 100644
 --- a/drbd.fc
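Review bot: In the new dpkg.fc hunk the /etc/cron\.daily/dpkg entry is dropped while dpkg.te keeps cron_system_entry(dpkg_t, dpkg_exec_t), so the cron script no longer gets the dpkg_exec_t label from this file that the entry point relies on; either keep the file context or drop the cron entry point with it. The same patch removes the dpkg_exec interface from dpkg.if, so check that no other module still calls it, and add a changelog line saying why init_all_labeled_script_domtrans is replaced by init_domtrans_script for dpkg_t and dpkg_script_t.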
@@ -25625,9 +27893,15 @@ index 9a21639..26c5986 100644
  ')
 +
 diff --git a/drbd.te b/drbd.te
-index 8e5ee54..bdd8883 100644
+index f2516cc..bdd8883 100644
 --- a/drbd.te
 +++ b/drbd.te
+@@ -1,4 +1,4 @@
+-policy_module(drbd, 1.1.0)
++policy_module(drbd, 1.0.1)
+ 
+ ########################################
+ #
 @@ -28,7 +28,7 @@ dontaudit drbd_t self:capability sys_tty_config;
  allow drbd_t self:fifo_file rw_fifo_file_perms;
  allow drbd_t self:unix_stream_socket create_stream_socket_perms;
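Review bot: The added @@ -1,4 +1,4 @@ hunk for drbd.te moves policy_module(drbd, 1.1.0) back to 1.0.1, so the patched module reports a lower version than the base it applies to. Unless something depends on the old number, leave the policy_module line alone; that also removes a one-line hunk that has to be regenerated each time the base bumps the version.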
@@ -25949,9 +28223,15 @@ index 18f2452..a446210 100644
 +
  ')
 diff --git a/dspam.te b/dspam.te
-index 266cb8f..b619351 100644
+index ef62363..b619351 100644
 --- a/dspam.te
 +++ b/dspam.te
+@@ -1,4 +1,4 @@
+-policy_module(dspam, 1.1.0)
++policy_module(dspam, 1.0.5)
+ 
+ ########################################
+ #
 @@ -28,6 +28,9 @@ files_pid_file(dspam_var_run_t)
  
  allow dspam_t self:capability net_admin;
@@ -26025,11 +28305,27 @@ index 266cb8f..b619351 100644
 +optional_policy(`
 +    procmail_domtrans(dspam_t)
 +')
+diff --git a/entropyd.fc b/entropyd.fc
+index ee38542..c698711 100644
+--- a/entropyd.fc
++++ b/entropyd.fc
+@@ -4,4 +4,4 @@
+ /usr/sbin/haveged	--	gen_context(system_u:object_r:entropyd_exec_t,s0)
+ 
+ /var/run/audio-entropyd\.pid	--	gen_context(system_u:object_r:entropyd_var_run_t,s0)
+-/var/run/haveged\.pid	--	gen_context(system_u:object_r:entropyd_var_run_t,s0)
++/var/run/haveged\.pid		--	gen_context(system_u:object_r:entropyd_var_run_t,s0)
 diff --git a/entropyd.te b/entropyd.te
-index a0da189..dc22b89 100644
+index b8b8328..dc22b89 100644
 --- a/entropyd.te
 +++ b/entropyd.te
-@@ -12,7 +12,7 @@ policy_module(entropyd, 1.7.2)
+@@ -1,4 +1,4 @@
+-policy_module(entropyd, 1.8.0)
++policy_module(entropyd, 1.7.2)
+ 
+ ########################################
+ #
+@@ -12,7 +12,7 @@ policy_module(entropyd, 1.8.0)
  ##	the entropy feeds.
  ##	</p>
  ## </desc>
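Review bot: The entropyd.fc hunk changes only whitespace: the /var/run/haveged\.pid line is removed and re-added with an extra tab before the -- field and the same context. Drop the hunk so the patch carries only functional changes.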
@@ -26069,9 +28365,15 @@ index 597f305..8520653 100644
  /tmp/\.exchange-USER(/.*)?	gen_context(system_u:object_r:evolution_exchange_tmp_t,s0)
  
 diff --git a/evolution.te b/evolution.te
-index 94fb625..3742ee1 100644
+index c99e07c..3742ee1 100644
 --- a/evolution.te
 +++ b/evolution.te
+@@ -1,4 +1,4 @@
+-policy_module(evolution, 2.4.0)
++policy_module(evolution, 2.3.7)
+ 
+ ########################################
+ #
 @@ -168,7 +168,6 @@ dev_read_urand(evolution_t)
  
  domain_dontaudit_read_all_domains_state(evolution_t)
@@ -26113,21 +28415,8 @@ index 94fb625..3742ee1 100644
  
  fs_search_auto_mountpoints(evolution_server_t)
  
-diff --git a/exim.fc b/exim.fc
-index dc0254b..9df498d 100644
---- a/exim.fc
-+++ b/exim.fc
-@@ -3,6 +3,8 @@
- /usr/sbin/exim[0-9]?	--	gen_context(system_u:object_r:exim_exec_t,s0)
- /usr/sbin/exim_tidydb	--	gen_context(system_u:object_r:exim_exec_t,s0)
- 
-+/var/lib/exim[0-9]?(/.*)?	gen_context(system_u:object_r:exim_var_lib_t,s0)
-+
- /var/log/exim[0-9]?(/.*)?	gen_context(system_u:object_r:exim_log_t,s0)
- 
- /var/run/exim[0-9]?(/.*)?	gen_context(system_u:object_r:exim_var_run_t,s0)
 diff --git a/exim.if b/exim.if
-index 6041113..4a8d053 100644
+index 9bbc690..4a8d053 100644
 --- a/exim.if
 +++ b/exim.if
 @@ -21,35 +21,51 @@ interface(`exim_domtrans',`
@@ -26252,52 +28541,7 @@ index 6041113..4a8d053 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -225,6 +241,44 @@ interface(`exim_manage_spool_files',`
- 
- ########################################
- ## <summary>
-+##	Read exim var lib files.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`exim_read_var_lib_files',`
-+	gen_require(`
-+		type exim_var_lib_t;
-+	')
-+
-+	read_files_pattern($1, exim_var_lib_t, exim_var_lib_t)
-+	files_search_var_lib($1)
-+')
-+
-+########################################
-+## <summary>
-+##	Create, read, and write exim var lib files.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`exim_manage_var_lib_files',`
-+	gen_require(`
-+		type exim_var_lib_t;
-+	')
-+
-+	manage_files_pattern($1, exim_var_lib_t, exim_var_lib_t)
-+	files_search_var_lib($1)
-+')
-+
-+########################################
-+## <summary>
- ##	All of the rules required to
- ##	administrate an exim environment.
- ## </summary>
-@@ -238,22 +292,29 @@ interface(`exim_manage_spool_files',`
+@@ -276,7 +292,6 @@ interface(`exim_manage_var_lib_files',`
  ##	Role allowed access.
  ##	</summary>
  ## </param>
@@ -26305,9 +28549,8 @@ index 6041113..4a8d053 100644
  #
  interface(`exim_admin',`
  	gen_require(`
- 		type exim_t, exim_spool_t, exim_log_t;
- 		type exim_var_run_t, exim_initrc_exec_t, exim_tmp_t;
-+		type exim_keytab_t;
+@@ -285,10 +300,14 @@ interface(`exim_admin',`
+ 		type exim_keytab_t;
  	')
  
 -	allow $1 exim_t:process { ptrace signal_perms };
@@ -26323,31 +28566,21 @@ index 6041113..4a8d053 100644
  	domain_system_change_exemption($1)
  	role_transition $2 exim_initrc_exec_t system_r;
  	allow $2 system_r;
- 
-+	files_search_etc($1)
-+	admin_pattern($1, exim_keytab_t)
-+
- 	files_search_spool($1)
- 	admin_pattern($1, exim_spool_t)
- 
 diff --git a/exim.te b/exim.te
-index 19325ce..5495c90 100644
+index 4086c51..5495c90 100644
 --- a/exim.te
 +++ b/exim.te
-@@ -1,4 +1,4 @@
--policy_module(exim, 1.5.4)
-+policy_module(exim, 1.6.1)
- 
- ########################################
- #
-@@ -45,11 +45,14 @@ mta_agent_executable(exim_exec_t)
+@@ -45,9 +45,6 @@ mta_agent_executable(exim_exec_t)
  type exim_initrc_exec_t;
  init_script_file(exim_initrc_exec_t)
  
-+type exim_var_lib_t;
-+files_type(exim_var_lib_t)
-+
- type exim_log_t;
+-type exim_keytab_t;
+-files_type(exim_keytab_t)
+-
+ type exim_var_lib_t;
+ files_type(exim_var_lib_t)
+ 
+@@ -55,7 +52,7 @@ type exim_log_t;
  logging_log_file(exim_log_t)
  
  type exim_spool_t;
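Review bot: The @@ -45,9 +45,6 @@ hunk removes type exim_keytab_t and files_type(exim_keytab_t) from exim.te, but the exim_admin interface in the exim.if hunk above still lists type exim_keytab_t in its gen_require. Nothing visible here declares the type any more, so confirm it is still declared somewhere in the patched exim.te; otherwise the require in exim_admin cannot be satisfied.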
@@ -26356,31 +28589,17 @@ index 19325ce..5495c90 100644
  
  type exim_tmp_t;
  files_tmp_file(exim_tmp_t)
-@@ -57,6 +60,10 @@ files_tmp_file(exim_tmp_t)
- type exim_var_run_t;
- files_pid_file(exim_var_run_t)
- 
-+ifdef(`distro_debian',`
-+	init_daemon_run_dir(exim_var_run_t, "exim4")
-+')
-+
- ########################################
- #
- # Local policy
-@@ -68,6 +75,8 @@ allow exim_t self:fifo_file rw_fifo_file_perms;
+@@ -78,8 +75,6 @@ allow exim_t self:fifo_file rw_fifo_file_perms;
  allow exim_t self:unix_stream_socket { accept listen };
  allow exim_t self:tcp_socket { accept listen };
  
-+manage_files_pattern(exim_t, exim_var_lib_t, exim_var_lib_t)
-+
- append_files_pattern(exim_t, exim_log_t, exim_log_t)
- create_files_pattern(exim_t, exim_log_t, exim_log_t)
- setattr_files_pattern(exim_t, exim_log_t, exim_log_t)
-@@ -88,13 +97,13 @@ files_pid_filetrans(exim_t, exim_var_run_t, { dir file })
- 
- can_exec(exim_t, exim_exec_t)
+-allow exim_t exim_keytab_t:file read_file_perms;
+-
+ manage_files_pattern(exim_t, exim_var_lib_t, exim_var_lib_t)
  
-+kernel_read_crypto_sysctls(exim_t)
+ append_files_pattern(exim_t, exim_log_t, exim_log_t)
+@@ -105,11 +100,10 @@ can_exec(exim_t, exim_exec_t)
+ kernel_read_crypto_sysctls(exim_t)
  kernel_read_kernel_sysctls(exim_t)
  kernel_read_network_state(exim_t)
 -kernel_dontaudit_read_system_state(exim_t)
@@ -26392,15 +28611,7 @@ index 19325ce..5495c90 100644
  corenet_all_recvfrom_netlabel(exim_t)
  corenet_tcp_sendrecv_generic_if(exim_t)
  corenet_udp_sendrecv_generic_if(exim_t)
-@@ -123,6 +132,7 @@ corenet_tcp_connect_spamd_port(exim_t)
- 
- dev_read_rand(exim_t)
- dev_read_urand(exim_t)
-+dev_read_sysfs(exim_t)
- 
- domain_use_interactive_fds(exim_t)
- 
-@@ -135,10 +145,10 @@ fs_getattr_xattr_fs(exim_t)
+@@ -151,10 +145,10 @@ fs_getattr_xattr_fs(exim_t)
  fs_list_inotifyfs(exim_t)
  
  auth_use_nsswitch(exim_t)
@@ -26412,7 +28623,7 @@ index 19325ce..5495c90 100644
  miscfiles_read_generic_certs(exim_t)
  
  userdom_dontaudit_search_user_home_dirs(exim_t)
-@@ -154,9 +164,9 @@ tunable_policy(`exim_can_connect_db',`
+@@ -170,9 +164,9 @@ tunable_policy(`exim_can_connect_db',`
  	corenet_sendrecv_mssql_client_packets(exim_t)
  	corenet_tcp_connect_mssql_port(exim_t)
  	corenet_tcp_sendrecv_mssql_port(exim_t)
@@ -26425,7 +28636,7 @@ index 19325ce..5495c90 100644
  ')
  
  tunable_policy(`exim_read_user_files',`
-@@ -170,13 +180,14 @@ tunable_policy(`exim_manage_user_files',`
+@@ -186,8 +180,8 @@ tunable_policy(`exim_manage_user_files',`
  ')
  
  optional_policy(`
@@ -26436,17 +28647,12 @@ index 19325ce..5495c90 100644
  ')
  
  optional_policy(`
- 	cron_read_pipes(exim_t)
- 	cron_rw_system_job_pipes(exim_t)
-+	cron_use_system_job_fds(exim_t)
- ')
- 
- optional_policy(`
-@@ -188,12 +199,7 @@ optional_policy(`
+@@ -205,13 +199,7 @@ optional_policy(`
  ')
  
  optional_policy(`
--	kerberos_keytab_template(exim, exim_t)
+-	kerberos_read_keytab(exim_t)
+-	kerberos_use(exim_t)
 -')
 -
 -optional_policy(`
@@ -26456,7 +28662,7 @@ index 19325ce..5495c90 100644
  ')
  
  optional_policy(`
-@@ -218,6 +224,7 @@ optional_policy(`
+@@ -236,6 +224,7 @@ optional_policy(`
  
  optional_policy(`
  	procmail_domtrans(exim_t)
@@ -26731,10 +28937,16 @@ index 50d0084..6565422 100644
  
  	fail2ban_run_client($1, $2)
 diff --git a/fail2ban.te b/fail2ban.te
-index 0872e50..4acb314 100644
+index cf0e567..4acb314 100644
 --- a/fail2ban.te
 +++ b/fail2ban.te
-@@ -37,7 +37,7 @@ role fail2ban_client_roles types fail2ban_client_t;
+@@ -1,4 +1,4 @@
+-policy_module(fail2ban, 1.5.0)
++policy_module(fail2ban, 1.4.9)
+ 
+ ########################################
+ #
+@@ -37,13 +37,11 @@ role fail2ban_client_roles types fail2ban_client_t;
  #
  
  allow fail2ban_t self:capability { dac_read_search dac_override sys_tty_config };
@@ -26743,7 +28955,13 @@ index 0872e50..4acb314 100644
  allow fail2ban_t self:fifo_file rw_fifo_file_perms;
  allow fail2ban_t self:unix_stream_socket { accept connectto listen };
  allow fail2ban_t self:tcp_socket { accept listen };
-@@ -65,7 +65,6 @@ kernel_read_system_state(fail2ban_t)
+ 
+-read_files_pattern(fail2ban_t, fail2ban_t, fail2ban_t)
+-
+ append_files_pattern(fail2ban_t, fail2ban_log_t, fail2ban_log_t)
+ create_files_pattern(fail2ban_t, fail2ban_log_t, fail2ban_log_t)
+ setattr_files_pattern(fail2ban_t, fail2ban_log_t, fail2ban_log_t)
+@@ -67,7 +65,6 @@ kernel_read_system_state(fail2ban_t)
  corecmd_exec_bin(fail2ban_t)
  corecmd_exec_shell(fail2ban_t)
  
@@ -26751,7 +28969,7 @@ index 0872e50..4acb314 100644
  corenet_all_recvfrom_netlabel(fail2ban_t)
  corenet_tcp_sendrecv_generic_if(fail2ban_t)
  corenet_tcp_sendrecv_generic_node(fail2ban_t)
-@@ -80,7 +79,6 @@ domain_use_interactive_fds(fail2ban_t)
+@@ -82,7 +79,6 @@ domain_use_interactive_fds(fail2ban_t)
  domain_dontaudit_read_all_domains_state(fail2ban_t)
  
  files_read_etc_runtime_files(fail2ban_t)
@@ -26759,7 +28977,7 @@ index 0872e50..4acb314 100644
  files_list_var(fail2ban_t)
  files_dontaudit_list_tmp(fail2ban_t)
  
-@@ -90,24 +88,38 @@ fs_getattr_all_fs(fail2ban_t)
+@@ -92,24 +88,38 @@ fs_getattr_all_fs(fail2ban_t)
  auth_use_nsswitch(fail2ban_t)
  
  logging_read_all_logs(fail2ban_t)
@@ -26802,7 +29020,7 @@ index 0872e50..4acb314 100644
  	iptables_domtrans(fail2ban_t)
  ')
  
-@@ -116,6 +128,10 @@ optional_policy(`
+@@ -118,6 +128,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -26813,7 +29031,7 @@ index 0872e50..4acb314 100644
  	shorewall_domtrans(fail2ban_t)
  ')
  
-@@ -129,22 +145,30 @@ allow fail2ban_client_t self:unix_stream_socket { create connect write read };
+@@ -131,22 +145,30 @@ allow fail2ban_client_t self:unix_stream_socket { create connect write read };
  
  domtrans_pattern(fail2ban_client_t, fail2ban_exec_t, fail2ban_t)
  
@@ -26849,9 +29067,15 @@ index 0872e50..4acb314 100644
 +    apache_read_log(fail2ban_client_t)
 +')
 diff --git a/fcoe.te b/fcoe.te
-index 79b9273..28dec44 100644
+index ce358fb..28dec44 100644
 --- a/fcoe.te
 +++ b/fcoe.te
+@@ -1,4 +1,4 @@
+-policy_module(fcoe, 1.1.0)
++policy_module(fcoe, 1.0.1)
+ 
+ ########################################
+ #
 @@ -20,25 +20,31 @@ files_pid_file(fcoemon_var_run_t)
  # Local policy
  #
@@ -26889,7 +29113,7 @@ index 79b9273..28dec44 100644
 +    networkmanager_dgram_send(fcoemon_t)
 +')
 diff --git a/fetchmail.fc b/fetchmail.fc
-index 2486e2a..fef9bff 100644
+index 133b8ee..fef9bff 100644
 --- a/fetchmail.fc
 +++ b/fetchmail.fc
 @@ -1,4 +1,5 @@
@@ -26902,7 +29126,7 @@ index 2486e2a..fef9bff 100644
  
  /var/mail/\.fetchmail-UIDL-cache	--	gen_context(system_u:object_r:fetchmail_uidl_cache_t,s0)
  
--/var/run/fetchmail/.*	--	gen_context(system_u:object_r:fetchmail_var_run_t,s0)
+-/var/run/fetchmail.*	gen_context(system_u:object_r:fetchmail_var_run_t,s0)
 +/var/run/fetchmail.*	    gen_context(system_u:object_r:fetchmail_var_run_t,s0)
 diff --git a/fetchmail.if b/fetchmail.if
 index c3f7916..cab3954 100644
@@ -26929,9 +29153,15 @@ index c3f7916..cab3954 100644
  	admin_pattern($1, fetchmail_etc_t)
  
 diff --git a/fetchmail.te b/fetchmail.te
-index f0388cb..2e94f0e 100644
+index 742559a..2e94f0e 100644
 --- a/fetchmail.te
 +++ b/fetchmail.te
+@@ -1,4 +1,4 @@
+-policy_module(fetchmail, 1.13.2)
++policy_module(fetchmail, 1.12.2)
+ 
+ ########################################
+ #
 @@ -32,15 +32,13 @@ files_type(fetchmail_uidl_cache_t)
  #
  # Local policy
@@ -26953,7 +29183,7 @@ index f0388cb..2e94f0e 100644
  
  manage_dirs_pattern(fetchmail_t, fetchmail_var_run_t, fetchmail_var_run_t)
  manage_files_pattern(fetchmail_t, fetchmail_var_run_t, fetchmail_var_run_t)
--files_pid_filetrans(fetchmail_t, fetchmail_var_run_t, dir)
+-files_pid_filetrans(fetchmail_t, fetchmail_var_run_t, { file dir })
 +files_pid_filetrans(fetchmail_t, fetchmail_var_run_t, {file dir})
 +
 +list_dirs_pattern(fetchmail_t, fetchmail_home_t, fetchmail_home_t)
@@ -26999,9 +29229,15 @@ index f0388cb..2e94f0e 100644
  optional_policy(`
  	procmail_domtrans(fetchmail_t)
 diff --git a/finger.te b/finger.te
-index af4b6d7..92245bf 100644
+index 35da09d..92245bf 100644
 --- a/finger.te
 +++ b/finger.te
+@@ -1,4 +1,4 @@
+-policy_module(finger, 1.10.0)
++policy_module(finger, 1.9.1)
+ 
+ ########################################
+ #
 @@ -45,7 +45,6 @@ logging_log_filetrans(fingerd_t, fingerd_log_t, file)
  kernel_read_kernel_sysctls(fingerd_t)
  kernel_read_system_state(fingerd_t)
@@ -27046,32 +29282,31 @@ index 21d7b84..0e272bd 100644
  
  /etc/firewalld(/.*)?	gen_context(system_u:object_r:firewalld_etc_rw_t,s0)
 diff --git a/firewalld.if b/firewalld.if
-index 5cf6ac6..1893f7f 100644
+index c62c567..1893f7f 100644
 --- a/firewalld.if
 +++ b/firewalld.if
-@@ -2,6 +2,66 @@
+@@ -2,7 +2,7 @@
  
  ########################################
  ## <summary>
+-##	Read firewalld configuration files.
 +##	Read firewalld config
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+##	Domain allowed access.
-+## </summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -10,7 +10,7 @@
+ ## </summary>
+ ## </param>
+ #
+-interface(`firewalld_read_config_files',`
 +interface(`firewalld_read_config',`
-+	gen_require(`
-+		type firewalld_etc_rw_t;
-+	')
-+
-+	files_search_etc($1)
-+	read_files_pattern($1, firewalld_etc_rw_t, firewalld_etc_rw_t)
-+')
-+
-+########################################
-+## <summary>
+ 	gen_require(`
+ 		type firewalld_etc_rw_t;
+ 	')
+@@ -21,6 +21,47 @@ interface(`firewalld_read_config_files',`
+ 
+ ########################################
+ ## <summary>
 +##	Execute firewalld server in the firewalld domain.
 +## </summary>
 +## <param name="domain">
@@ -27116,37 +29351,41 @@ index 5cf6ac6..1893f7f 100644
  ##	Send and receive messages from
  ##	firewalld over dbus.
  ## </summary>
-@@ -23,8 +83,27 @@ interface(`firewalld_dbus_chat',`
+@@ -42,8 +83,8 @@ interface(`firewalld_dbus_chat',`
  
  ########################################
  ## <summary>
--##	All of the rules required to
--##	administrate an firewalld environment.
+-##	Do not audit attempts to read, snd
+-##	write firewalld temporary files.
 +##	Dontaudit attempts to write
 +##	firewalld tmp files.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain to not audit.
-+##	</summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -51,18 +92,18 @@ interface(`firewalld_dbus_chat',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`firewalld_dontaudit_rw_tmp_files',`
 +interface(`firewalld_dontaudit_write_tmp_files',`
-+	gen_require(`
-+		type firewalld_tmp_t;
-+	')
-+
+ 	gen_require(`
+ 		type firewalld_tmp_t;
+ 	')
+ 
+-	dontaudit $1 firewalld_tmp_t:file { read write };
 +	dontaudit $1 firewalld_tmp_t:file write;
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	All of the rules required to
+-##	administrate an firewalld environment.
 +##	All of the rules required to administrate
 +##	an firewalld environment
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -41,14 +120,18 @@ interface(`firewalld_dbus_chat',`
+@@ -79,14 +120,18 @@ interface(`firewalld_dontaudit_rw_tmp_files',`
  interface(`firewalld_admin',`
  	gen_require(`
  		type firewalld_t, firewalld_initrc_exec_t;
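Review bot: firewalld_dontaudit_rw_tmp_files is renamed in place to firewalld_dontaudit_write_tmp_files, so any module that calls the old name stops building; keep the old name (or keep both) unless every caller is updated in the same patch. The rule also narrows from dontaudit $1 firewalld_tmp_t:file { read write } to write only, which means read attempts on firewalld_tmp_t are audited again, and that deserves a line in the changelog.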
@@ -27168,7 +29407,7 @@ index 5cf6ac6..1893f7f 100644
  	domain_system_change_exemption($1)
  	role_transition $2 firewalld_initrc_exec_t system_r;
  	allow $2 system_r;
-@@ -59,6 +142,9 @@ interface(`firewalld_admin',`
+@@ -97,6 +142,9 @@ interface(`firewalld_admin',`
  	logging_search_logs($1)
  	admin_pattern($1, firewalld_var_log_t)
  
@@ -27181,32 +29420,42 @@ index 5cf6ac6..1893f7f 100644
 +	allow $1 firewalld_unit_file_t:service all_service_perms;
  ')
 diff --git a/firewalld.te b/firewalld.te
-index c8014f8..bacc80c 100644
+index 98072a3..bacc80c 100644
 --- a/firewalld.te
 +++ b/firewalld.te
-@@ -21,11 +21,20 @@ logging_log_file(firewalld_var_log_t)
- type firewalld_var_run_t;
- files_pid_file(firewalld_var_run_t)
+@@ -1,4 +1,4 @@
+-policy_module(firewalld, 1.1.1)
++policy_module(firewalld, 1.0.6)
  
+ ########################################
+ #
+@@ -18,17 +18,22 @@ files_config_file(firewalld_etc_rw_t)
+ type firewalld_var_log_t;
+ logging_log_file(firewalld_var_log_t)
+ 
++type firewalld_var_run_t;
++files_pid_file(firewalld_var_run_t)
++
 +type firewalld_unit_file_t;
 +systemd_unit_file(firewalld_unit_file_t)
 +
-+type firewalld_tmp_t;
-+files_tmp_file(firewalld_tmp_t)
-+
+ type firewalld_tmp_t;
+ files_tmp_file(firewalld_tmp_t)
+ 
+-type firewalld_var_run_t;
+-files_pid_file(firewalld_var_run_t)
 +type firewalld_tmpfs_t;
 +files_tmpfs_file(firewalld_tmpfs_t)
-+
+ 
  ########################################
  #
  # Local policy
  #
 -
-+allow firewalld_t self:capability { dac_override net_admin };
+ allow firewalld_t self:capability { dac_override net_admin };
  dontaudit firewalld_t self:capability sys_tty_config;
  allow firewalld_t self:fifo_file rw_fifo_file_perms;
- allow firewalld_t self:unix_stream_socket { accept listen };
-@@ -33,6 +42,7 @@ allow firewalld_t self:udp_socket create_socket_perms;
+@@ -37,6 +42,7 @@ allow firewalld_t self:udp_socket create_socket_perms;
  
  manage_dirs_pattern(firewalld_t, firewalld_etc_rw_t, firewalld_etc_rw_t)
  manage_files_pattern(firewalld_t, firewalld_etc_rw_t, firewalld_etc_rw_t)
@@ -27214,29 +29463,28 @@ index c8014f8..bacc80c 100644
  
  allow firewalld_t firewalld_var_log_t:file append_file_perms;
  allow firewalld_t firewalld_var_log_t:file create_file_perms;
-@@ -40,11 +50,21 @@ allow firewalld_t firewalld_var_log_t:file read_file_perms;
- allow firewalld_t firewalld_var_log_t:file setattr_file_perms;
- logging_log_filetrans(firewalld_t, firewalld_var_log_t, file)
+@@ -46,10 +52,15 @@ logging_log_filetrans(firewalld_t, firewalld_var_log_t, file)
  
-+manage_files_pattern(firewalld_t, firewalld_tmp_t, firewalld_tmp_t)
-+files_tmp_filetrans(firewalld_t, firewalld_tmp_t, file)
+ manage_files_pattern(firewalld_t, firewalld_tmp_t, firewalld_tmp_t)
+ files_tmp_filetrans(firewalld_t, firewalld_tmp_t, file)
+-allow firewalld_t firewalld_tmp_t:file mmap_file_perms;
 +allow firewalld_t firewalld_tmp_t:file execute;
 +
 +manage_files_pattern(firewalld_t, firewalld_tmpfs_t, firewalld_tmpfs_t)
 +fs_tmpfs_filetrans(firewalld_t, firewalld_tmpfs_t, file)
 +allow firewalld_t firewalld_tmpfs_t:file execute;
-+
+ 
  manage_files_pattern(firewalld_t, firewalld_var_run_t, firewalld_var_run_t)
  files_pid_filetrans(firewalld_t, firewalld_var_run_t, file)
 +can_exec(firewalld_t, firewalld_var_run_t)
  
  kernel_read_network_state(firewalld_t)
  kernel_read_system_state(firewalld_t)
-+kernel_rw_net_sysctls(firewalld_t)
- 
- corecmd_exec_bin(firewalld_t)
+@@ -59,24 +70,20 @@ corecmd_exec_bin(firewalld_t)
  corecmd_exec_shell(firewalld_t)
-@@ -53,20 +73,17 @@ dev_read_urand(firewalld_t)
+ 
+ dev_read_urand(firewalld_t)
+-dev_search_sysfs(firewalld_t)
  
  domain_use_interactive_fds(firewalld_t)
  
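Review bot: In the @@ -46,10 +52,15 @@ hunk firewalld_t gets execute on firewalld_tmp_t and firewalld_tmpfs_t and can_exec on firewalld_var_run_t, while manage_files_pattern on the same three types stays in place, so the domain can execute files it has written itself in its tmp, tmpfs and pid locations. Add a comment naming what needs this, and grant execute only on the type that actually needs it rather than on all three.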
@@ -27262,7 +29510,7 @@ index c8014f8..bacc80c 100644
  
  optional_policy(`
  	dbus_system_domain(firewalld_t, firewalld_exec_t)
-@@ -85,9 +102,17 @@ optional_policy(`
+@@ -95,6 +102,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -27273,13 +29521,20 @@ index c8014f8..bacc80c 100644
  	iptables_domtrans(firewalld_t)
  ')
  
- optional_policy(`
- 	modutils_domtrans_insmod(firewalld_t)
+@@ -103,5 +114,5 @@ optional_policy(`
  ')
-+
-+optional_policy(`
+ 
+ optional_policy(`
+-	networkmanager_read_state(firewalld_t)
 +    NetworkManager_read_state(firewalld_t)
-+')
+ ')
+diff --git a/firewallgui.fc b/firewallgui.fc
+index 94ab048..ef1f43d 100644
+--- a/firewallgui.fc
++++ b/firewallgui.fc
+@@ -1 +1 @@
+-/usr/share/system-config-firewall/system-config-firewall-mechanism\.py	--	gen_context(system_u:object_r:firewallgui_exec_t,s0)
++/usr/share/system-config-firewall/system-config-firewall-mechanism.py	--	gen_context(system_u:object_r:firewallgui_exec_t,s0)
 diff --git a/firewallgui.if b/firewallgui.if
 index e6866d1..941f4ef 100644
 --- a/firewallgui.if
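Review bot: The firewallgui.fc hunk replaces system-config-firewall-mechanism\.py with system-config-firewall-mechanism.py; in a file context regex the unescaped dot matches any character, so keep the \. form. In the firewalld.te hunk above it, networkmanager_read_state(firewalld_t) becomes NetworkManager_read_state(firewalld_t) with space indentation; confirm an interface with that exact mixed-case name exists and indent with a tab like the surrounding lines.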
@@ -27292,9 +29547,15 @@ index e6866d1..941f4ef 100644
 +	dontaudit $1 firewallgui_t:fifo_file rw_inherited_fifo_file_perms;
  ')
 diff --git a/firewallgui.te b/firewallgui.te
-index c5ceab1..86b8098 100644
+index 2094546..86b8098 100644
 --- a/firewallgui.te
 +++ b/firewallgui.te
+@@ -1,4 +1,4 @@
+-policy_module(firewallgui, 1.1.0)
++policy_module(firewallgui, 1.0.1)
+ 
+ ########################################
+ #
 @@ -36,8 +36,10 @@ corecmd_exec_shell(firewallgui_t)
  dev_read_sysfs(firewallgui_t)
  dev_read_urand(firewallgui_t)
@@ -27462,11 +29723,11 @@ index 280f875..f3a67c9 100644
  ## <param name="domain">
  ##	<summary>
 diff --git a/firstboot.te b/firstboot.te
-index c12c067..a415012 100644
+index 5010f04..a415012 100644
 --- a/firstboot.te
 +++ b/firstboot.te
 @@ -1,7 +1,7 @@
--policy_module(firstboot, 1.12.3)
+-policy_module(firstboot, 1.13.0)
 +policy_module(firstboot, 1.12.0)
  
  gen_require(`
@@ -27599,9 +29860,15 @@ index c12c067..a415012 100644
  
  optional_policy(`
 diff --git a/fprintd.te b/fprintd.te
-index c81b6e8..2cbb61f 100644
+index 92a6479..2cbb61f 100644
 --- a/fprintd.te
 +++ b/fprintd.te
+@@ -1,4 +1,4 @@
+-policy_module(fprintd, 1.2.0)
++policy_module(fprintd, 1.1.1)
+ 
+ ########################################
+ #
 @@ -20,23 +20,28 @@ files_type(fprintd_var_lib_t)
  allow fprintd_t self:capability sys_nice;
  allow fprintd_t self:process { getsched setsched signal sigkill };
@@ -27978,7 +30245,7 @@ index ddb75c1..44f74e6 100644
  
  /etc/rc\.d/init\.d/vsftpd	--	gen_context(system_u:object_r:ftpd_initrc_exec_t,s0)
 diff --git a/ftp.if b/ftp.if
-index d062080..97fb494 100644
+index 4498143..97fb494 100644
 --- a/ftp.if
 +++ b/ftp.if
 @@ -1,5 +1,66 @@
@@ -28048,8 +30315,11 @@ index d062080..97fb494 100644
  #######################################
  ## <summary>
  ##	Execute a dyntransition to run anon sftpd.
-@@ -178,8 +239,11 @@ interface(`ftp_admin',`
+@@ -176,11 +237,13 @@ interface(`ftp_admin',`
+ 		type ftpd_etc_t, ftpd_lock_t, sftpd_t;
+ 		type ftpd_var_run_t, xferlog_t, anon_sftpd_t;
  		type ftpd_initrc_exec_t, ftpdctl_tmp_t;
+-		type ftpd_keytab_t;
  	')
  
 -	allow $1 { ftpd_t ftpdctl_t sftpd_t anon_sftpd }:process { ptrace signal_perms };
@@ -28061,7 +30331,16 @@ index d062080..97fb494 100644
  
  	init_labeled_script_domtrans($1, ftpd_initrc_exec_t)
  	domain_system_change_exemption($1)
-@@ -203,5 +267,9 @@ interface(`ftp_admin',`
+@@ -193,7 +256,7 @@ interface(`ftp_admin',`
+ 	admin_pattern($1, { ftpd_tmp_t ftpdctl_tmp_t })
+ 
+ 	files_list_etc($1)
+-	admin_pattern($1, { ftpd_etc_t ftpd_keytab_t })
++	admin_pattern($1, ftpd_etc_t)
+ 
+ 	files_list_var($1)
+ 	admin_pattern($1, ftpd_lock_t)
+@@ -204,5 +267,9 @@ interface(`ftp_admin',`
  	logging_list_logs($1)
  	admin_pattern($1, xferlog_t)
  
@@ -28072,10 +30351,16 @@ index d062080..97fb494 100644
  	ftp_run_ftpdctl($1, $2)
  ')
 diff --git a/ftp.te b/ftp.te
-index e50f33c..de8e914 100644
+index 36838c2..de8e914 100644
 --- a/ftp.te
 +++ b/ftp.te
-@@ -13,7 +13,7 @@ policy_module(ftp, 1.14.1)
+@@ -1,4 +1,4 @@
+-policy_module(ftp, 1.15.1)
++policy_module(ftp, 1.14.1)
+ 
+ ########################################
+ #
+@@ -13,7 +13,7 @@ policy_module(ftp, 1.15.1)
  ##	be labeled public_content_rw_t.
  ##	</p>
  ## </desc>
@@ -28118,17 +30403,23 @@ index e50f33c..de8e914 100644
  
  ## <desc>
  ##	<p>
-@@ -124,6 +131,9 @@ files_config_file(ftpd_etc_t)
+@@ -124,8 +131,8 @@ files_config_file(ftpd_etc_t)
  type ftpd_initrc_exec_t;
  init_script_file(ftpd_initrc_exec_t)
  
+-type ftpd_keytab_t;
+-files_type(ftpd_keytab_t)
 +type ftpd_unit_file_t;
 +systemd_unit_file(ftpd_unit_file_t)
-+
+ 
  type ftpd_lock_t;
  files_lock_file(ftpd_lock_t)
+@@ -179,11 +186,12 @@ allow ftpd_t self:key manage_key_perms;
+ 
+ allow ftpd_t ftpd_etc_t:file read_file_perms;
  
-@@ -179,6 +189,9 @@ allow ftpd_t ftpd_etc_t:file read_file_perms;
+-allow ftpd_t ftpd_keytab_t:file read_file_perms;
+-
  allow ftpd_t ftpd_lock_t:file manage_file_perms;
  files_lock_filetrans(ftpd_t, ftpd_lock_t, file)
  
@@ -28138,7 +30429,7 @@ index e50f33c..de8e914 100644
  manage_dirs_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
  manage_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
  manage_lnk_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
-@@ -193,22 +206,19 @@ files_pid_filetrans(ftpd_t, ftpd_var_run_t, { file dir })
+@@ -198,22 +206,19 @@ files_pid_filetrans(ftpd_t, ftpd_var_run_t, { file dir })
  
  allow ftpd_t ftpdctl_tmp_t:sock_file delete_sock_file_perms;
  
@@ -28165,7 +30456,7 @@ index e50f33c..de8e914 100644
  corenet_all_recvfrom_netlabel(ftpd_t)
  corenet_tcp_sendrecv_generic_if(ftpd_t)
  corenet_udp_sendrecv_generic_if(ftpd_t)
-@@ -224,9 +234,12 @@ corenet_tcp_bind_ftp_port(ftpd_t)
+@@ -229,9 +234,12 @@ corenet_tcp_bind_ftp_port(ftpd_t)
  corenet_sendrecv_ftp_data_server_packets(ftpd_t)
  corenet_tcp_bind_ftp_data_port(ftpd_t)
  
@@ -28179,7 +30470,7 @@ index e50f33c..de8e914 100644
  files_read_etc_runtime_files(ftpd_t)
  files_search_var_lib(ftpd_t)
  
-@@ -245,7 +258,6 @@ logging_send_audit_msgs(ftpd_t)
+@@ -250,7 +258,6 @@ logging_send_audit_msgs(ftpd_t)
  logging_send_syslog_msg(ftpd_t)
  logging_set_loginuid(ftpd_t)
  
@@ -28187,7 +30478,7 @@ index e50f33c..de8e914 100644
  miscfiles_read_public_files(ftpd_t)
  
  seutil_dontaudit_search_config(ftpd_t)
-@@ -254,32 +266,50 @@ sysnet_use_ldap(ftpd_t)
+@@ -259,32 +266,50 @@ sysnet_use_ldap(ftpd_t)
  
  userdom_dontaudit_use_unpriv_user_fds(ftpd_t)
  userdom_dontaudit_search_user_home_dirs(ftpd_t)
@@ -28245,7 +30536,7 @@ index e50f33c..de8e914 100644
  ')
  
  tunable_policy(`ftpd_use_passive_mode',`
-@@ -299,22 +329,19 @@ tunable_policy(`ftpd_connect_db',`
+@@ -304,22 +329,19 @@ tunable_policy(`ftpd_connect_db',`
  	corenet_sendrecv_mssql_client_packets(ftpd_t)
  	corenet_tcp_connect_mssql_port(ftpd_t)
  	corenet_tcp_sendrecv_mssql_port(ftpd_t)
@@ -28273,16 +30564,19 @@ index e50f33c..de8e914 100644
  	userdom_tmp_filetrans_user_tmp(ftpd_t, { dir file })
  ')
  
-@@ -360,7 +387,7 @@ optional_policy(`
+@@ -364,9 +386,8 @@ optional_policy(`
+ optional_policy(`
  	selinux_validate_context(ftpd_t)
  
- 	kerberos_keytab_template(ftpd, ftpd_t)
+-	kerberos_read_keytab(ftpd_t)
 -	kerberos_tmp_filetrans_host_rcache(ftpd_t, file, "host_0")
+-	kerberos_use(ftpd_t)
++	kerberos_keytab_template(ftpd, ftpd_t)
 +    kerberos_tmp_filetrans_host_rcache(ftpd_t, "host_0")
  ')
  
  optional_policy(`
-@@ -410,21 +437,20 @@ optional_policy(`
+@@ -416,21 +437,20 @@ optional_policy(`
  #
  
  stream_connect_pattern(ftpdctl_t, ftpd_var_run_t, ftpd_var_run_t, ftpd_t)
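Review bot: The @@ -364,9 +386,8 @@ hunk switches ftpd_t from kerberos_read_keytab and kerberos_use to kerberos_keytab_template(ftpd, ftpd_t), while the ftp.if hunks above drop type ftpd_keytab_t from ftp_admin's gen_require and change admin_pattern($1, { ftpd_etc_t ftpd_keytab_t }) to admin_pattern($1, ftpd_etc_t). If the template provides the ftpd keytab type, ftp_admin should keep administering it; otherwise say in the changelog where keytab administration now lives. The kerberos_tmp_filetrans_host_rcache line is also indented with spaces where the lines around it use a tab.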
@@ -28306,7 +30600,7 @@ index e50f33c..de8e914 100644
  
  miscfiles_read_public_files(anon_sftpd_t)
  
-@@ -437,23 +463,34 @@ tunable_policy(`sftpd_anon_write',`
+@@ -443,23 +463,34 @@ tunable_policy(`sftpd_anon_write',`
  # Sftpd local policy
  #
  
@@ -28347,7 +30641,7 @@ index e50f33c..de8e914 100644
  ')
  
  tunable_policy(`sftpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -475,21 +512,11 @@ tunable_policy(`sftpd_anon_write',`
+@@ -481,21 +512,11 @@ tunable_policy(`sftpd_anon_write',`
  tunable_policy(`sftpd_full_access',`
  	allow sftpd_t self:capability { dac_override dac_read_search };
  	fs_read_noxattr_fs_files(sftpd_t)
@@ -28401,9 +30695,15 @@ index e2a3e0d..50ebd40 100644
 +	manage_files_pattern($1, games_data_t, games_data_t)
 +')
 diff --git a/games.te b/games.te
-index 572fb12..879c59a 100644
+index e5b15fb..879c59a 100644
 --- a/games.te
 +++ b/games.te
+@@ -1,4 +1,4 @@
+-policy_module(games, 2.3.0)
++policy_module(games, 2.2.4)
+ 
+ ########################################
+ #
 @@ -76,8 +76,6 @@ init_use_script_ptys(games_srv_t)
  
  logging_send_syslog_msg(games_srv_t)
@@ -28448,9 +30748,15 @@ index 572fb12..879c59a 100644
  ')
  
 diff --git a/gatekeeper.te b/gatekeeper.te
-index fc3b036..10a1bbe 100644
+index 2820368..10a1bbe 100644
 --- a/gatekeeper.te
 +++ b/gatekeeper.te
+@@ -1,4 +1,4 @@
+-policy_module(gatekeeper, 1.8.0)
++policy_module(gatekeeper, 1.7.1)
+ 
+ ########################################
+ #
 @@ -57,7 +57,6 @@ kernel_read_kernel_sysctls(gatekeeper_t)
  
  corecmd_list_bin(gatekeeper_t)
@@ -28475,6 +30781,135 @@ index fc3b036..10a1bbe 100644
  sysnet_read_config(gatekeeper_t)
  
  userdom_dontaudit_use_unpriv_user_fds(gatekeeper_t)
+diff --git a/gdomap.fc b/gdomap.fc
+deleted file mode 100644
+index 0735238..0000000
+--- a/gdomap.fc
++++ /dev/null
+@@ -1,7 +0,0 @@
+-/etc/default/gdomap	--	gen_context(system_u:object_r:gdomap_conf_t,s0)
+-
+-/etc/rc\.d/init\.d/gdomap	--	gen_context(system_u:object_r:gdomap_initrc_exec_t,s0)
+-
+-/usr/bin/gdomap	--	gen_context(system_u:object_r:gdomap_exec_t,s0)
+-
+-/var/run/gdomap\.pid	--	gen_context(system_u:object_r:gdomap_var_run_t,s0)
+diff --git a/gdomap.if b/gdomap.if
+deleted file mode 100644
+index 7d6b6b7..0000000
+--- a/gdomap.if
++++ /dev/null
+@@ -1,58 +0,0 @@
+-## <summary>GNUstep distributed object mapper.</summary>
+-
+-########################################
+-## <summary>
+-##	Read gdomap configuration files.
+-## </summary>
+-## <param name="domain">
+-##	<summary>
+-##	Domain allowed access.
+-##	</summary>
+-## </param>
+-#
+-interface(`gdomap_read_config',`
+-	gen_require(`
+-		type gdomap_conf_t;
+-	')
+-
+-	files_search_etc($1)
+-	allow $1 gdomap_conf_t:file read_file_perms;
+-')
+-
+-########################################
+-## <summary>
+-##	All of the rules required to
+-##	administrate an gdomap environment.
+-## </summary>
+-## <param name="domain">
+-##	<summary>
+-##	Domain allowed access.
+-##	</summary>
+-## </param>
+-## <param name="role">
+-##	<summary>
+-##	Role allowed access.
+-##	</summary>
+-## </param>
+-## <rolecap/>
+-#
+-interface(`gdomap_admin',`
+-	gen_require(`
+-		type gdomap_t, gdomap_conf_t, gdomap_initrc_exec_t;
+-		type gdomap_var_run_t;
+-	')
+-
+-	allow $1 gdomap_t:process { ptrace signal_perms };
+-	ps_process_pattern($1, gdomap_t)
+-
+-	init_labeled_script_domtrans($1, gdomap_initrc_exec_t)
+-	domain_system_change_exemption($1)
+-	role_transition $2 gdomap_initrc_exec_t system_r;
+-	allow $2 system_r;
+-
+-	files_search_etc($1)
+-	admin_pattern($1, gdomap_conf_t)
+-
+-	files_search_pids($1)
+-	admin_pattern($1, gdomap_var_run_t)
+-')
+diff --git a/gdomap.te b/gdomap.te
+deleted file mode 100644
+index db7b56c..0000000
+--- a/gdomap.te
++++ /dev/null
+@@ -1,46 +0,0 @@
+-policy_module(gdomap, 1.0.1)
+-
+-########################################
+-#
+-# Declarations
+-#
+-
+-type gdomap_t;
+-type gdomap_exec_t;
+-init_daemon_domain(gdomap_t, gdomap_exec_t)
+-
+-type gdomap_initrc_exec_t;
+-init_script_file(gdomap_initrc_exec_t)
+-
+-type gdomap_conf_t;
+-files_config_file(gdomap_conf_t)
+-
+-type gdomap_var_run_t;
+-files_pid_file(gdomap_var_run_t)
+-
+-########################################
+-#
+-# Local policy
+-#
+-
+-allow gdomap_t self:capability { setuid sys_chroot net_bind_service setgid };
+-allow gdomap_t self:tcp_socket { listen accept };
+-
+-allow gdomap_t gdomap_var_run_t:file manage_file_perms;
+-files_pid_filetrans(gdomap_t, gdomap_var_run_t, file, "gdomap.pid")
+-
+-corenet_sendrecv_gdomap_server_packets(gdomap_t)
+-corenet_tcp_bind_generic_node(gdomap_t)
+-corenet_tcp_bind_gdomap_port(gdomap_t)
+-corenet_tcp_sendrecv_gdomap_port(gdomap_t)
+-corenet_udp_bind_generic_node(gdomap_t)
+-corenet_udp_bind_gdomap_port(gdomap_t)
+-corenet_udp_sendrecv_gdomap_port(gdomap_t)
+-
+-domain_use_interactive_fds(gdomap_t)
+-
+-files_search_tmp(gdomap_t)
+-
+-auth_use_nsswitch(gdomap_t)
+-
+-logging_send_syslog_msg(gdomap_t)
 diff --git a/gear.fc b/gear.fc
 new file mode 100644
 index 0000000..98c012c
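Review bot: These three added diffs delete gdomap.fc, gdomap.if and gdomap.te outright, which none of the changelog items in the commit subject mention. With gdomap.fc gone, /usr/bin/gdomap is no longer labelled gdomap_exec_t and the daemon loses its gdomap_t domain, unless the module is carried in another patch. If the removal is intended, add a changelog line for it and check that nothing left in the tree still calls gdomap_read_config() or gdomap_admin().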
@@ -29163,9 +31598,15 @@ index 0000000..e61eed9
 +	pcscd_stream_connect(geoclue_t)
 +')
 diff --git a/gift.te b/gift.te
-index 395238e..af76abb 100644
+index 8a820fa..af76abb 100644
 --- a/gift.te
 +++ b/gift.te
+@@ -1,4 +1,4 @@
+-policy_module(gift, 2.4.0)
++policy_module(gift, 2.3.4)
+ 
+ ########################################
+ #
 @@ -67,17 +67,7 @@ auth_use_nsswitch(gift_t)
  
  userdom_dontaudit_read_user_home_content_files(gift_t)
@@ -29257,9 +31698,15 @@ index 1e29af1..6c64f55 100644
 +		userdom_user_home_dir_filetrans($1, git_user_content_t, dir, "public_git")
 +')
 diff --git a/git.te b/git.te
-index 93b0301..6acc1f0 100644
+index dc49c71..6acc1f0 100644
 --- a/git.te
 +++ b/git.te
+@@ -1,4 +1,4 @@
+-policy_module(git, 1.3.2)
++policy_module(git, 1.2.3)
+ 
+ ########################################
+ #
 @@ -49,14 +49,6 @@ gen_tunable(git_session_users, false)
  
  ## <desc>
@@ -29275,7 +31722,13 @@ index 93b0301..6acc1f0 100644
  ##	Determine whether Git system daemon
  ##	can search home directories.
  ##	</p>
-@@ -92,10 +84,10 @@ type git_session_t, git_daemon;
+@@ -87,16 +79,15 @@ apache_content_template(git)
+ type git_system_t, git_daemon;
+ type gitd_exec_t;
+ inetd_service_domain(git_system_t, gitd_exec_t)
+-init_daemon_domain(git_system_t, gitd_exec_t)
+ 
+ type git_session_t, git_daemon;
  userdom_user_application_domain(git_session_t, gitd_exec_t)
  role git_session_roles types git_session_t;
  
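Review bot: The widened hunk (-87,16 +79,15) drops init_daemon_domain(git_system_t, gitd_exec_t) and leaves only inetd_service_domain(git_system_t, gitd_exec_t). Please confirm git_system_t is still entered when git-daemon is started by init rather than through inetd; if that transition came only from the removed line, the daemon would stay in the caller's domain.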
@@ -29288,7 +31741,7 @@ index 93b0301..6acc1f0 100644
  userdom_user_home_content(git_user_content_t)
  
  ########################################
-@@ -109,6 +101,8 @@ list_dirs_pattern(git_session_t, git_user_content_t, git_user_content_t)
+@@ -110,6 +101,8 @@ list_dirs_pattern(git_session_t, git_user_content_t, git_user_content_t)
  read_files_pattern(git_session_t, git_user_content_t, git_user_content_t)
  userdom_search_user_home_dirs(git_session_t)
  
@@ -29297,7 +31750,7 @@ index 93b0301..6acc1f0 100644
  corenet_all_recvfrom_netlabel(git_session_t)
  corenet_all_recvfrom_unlabeled(git_session_t)
  corenet_tcp_bind_generic_node(git_session_t)
-@@ -129,9 +123,7 @@ tunable_policy(`git_session_bind_all_unreserved_ports',`
+@@ -130,9 +123,7 @@ tunable_policy(`git_session_bind_all_unreserved_ports',`
  	corenet_tcp_sendrecv_all_ports(git_session_t)
  ')
  
@@ -29308,19 +31761,25 @@ index 93b0301..6acc1f0 100644
  
  tunable_policy(`use_nfs_home_dirs',`
  	fs_getattr_nfs(git_session_t)
-@@ -157,6 +149,11 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -158,15 +149,10 @@ tunable_policy(`use_samba_home_dirs',`
  list_dirs_pattern(git_system_t, git_sys_content_t, git_sys_content_t)
  read_files_pattern(git_system_t, git_sys_content_t, git_sys_content_t)
  
+-corenet_all_recvfrom_unlabeled(git_system_t)
+-corenet_all_recvfrom_netlabel(git_system_t)
+-corenet_tcp_sendrecv_generic_if(git_system_t)
+-corenet_tcp_sendrecv_generic_node(git_system_t)
+-corenet_tcp_bind_generic_node(git_system_t)
 +kernel_read_network_state(git_system_t)
 +kernel_read_system_state(git_system_t)
-+
-+corenet_tcp_bind_git_port(git_system_t)
-+
+ 
+-corenet_sendrecv_git_server_packets(git_system_t)
+ corenet_tcp_bind_git_port(git_system_t)
+-corenet_tcp_sendrecv_git_port(git_system_t)
+ 
  files_search_var_lib(git_system_t)
  
- auth_use_nsswitch(git_system_t)
-@@ -165,6 +162,10 @@ logging_send_syslog_msg(git_system_t)
+@@ -176,6 +162,10 @@ logging_send_syslog_msg(git_system_t)
  
  tunable_policy(`git_system_enable_homedirs',`
  	userdom_search_user_home_dirs(git_system_t)
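Review bot: In the -158,15 +149,10 hunk git_system_t keeps corenet_tcp_bind_git_port() but loses corenet_tcp_bind_generic_node() together with the other corenet_* rules. Binding the git port needs node_bind on the node as well as name_bind on the port, so please confirm another rule still grants the node bind to git_system_t, or keep that one line.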
@@ -29331,7 +31790,7 @@ index 93b0301..6acc1f0 100644
  ')
  
  tunable_policy(`git_system_enable_homedirs && use_nfs_home_dirs',`
-@@ -248,6 +249,11 @@ tunable_policy(`git_cgi_use_nfs',`
+@@ -259,6 +249,11 @@ tunable_policy(`git_cgi_use_nfs',`
  	fs_dontaudit_read_nfs_files(httpd_git_script_t)
  ')
  
@@ -29343,7 +31802,7 @@ index 93b0301..6acc1f0 100644
  ########################################
  #
  # Git global policy
-@@ -255,12 +261,9 @@ tunable_policy(`git_cgi_use_nfs',`
+@@ -266,12 +261,9 @@ tunable_policy(`git_cgi_use_nfs',`
  
  allow git_daemon self:fifo_file rw_fifo_file_perms;
  
@@ -29358,9 +31817,15 @@ index 93b0301..6acc1f0 100644
  
 -miscfiles_read_localization(git_daemon)
 diff --git a/gitosis.te b/gitosis.te
-index 3194b76..d3acb1a 100644
+index 582db0a..d3acb1a 100644
 --- a/gitosis.te
 +++ b/gitosis.te
+@@ -1,4 +1,4 @@
+-policy_module(gitosis, 1.4.0)
++policy_module(gitosis, 1.3.2)
+ 
+ ########################################
+ #
 @@ -52,12 +52,8 @@ corecmd_exec_shell(gitosis_t)
  
  dev_read_urand(gitosis_t)
@@ -29441,10 +31906,15 @@ index 9eacb2c..2769682 100644
  	init_labeled_script_domtrans($1, { glance_api_initrc_exec_t glance_registry_initrc_exec_t })
  	domain_system_change_exemption($1)
 diff --git a/glance.te b/glance.te
-index e0a4f46..2d17fe6 100644
+index 5cd0909..2d17fe6 100644
 --- a/glance.te
 +++ b/glance.te
-@@ -5,10 +5,16 @@ policy_module(glance, 1.0.2)
+@@ -1,14 +1,20 @@
+-policy_module(glance, 1.1.0)
++policy_module(glance, 1.0.2)
+ 
+ ########################################
+ #
  # Declarations
  #
  
@@ -30062,11 +32532,11 @@ index 05233c8..0000000
 -')
 diff --git a/glusterfs.te b/glusterfs.te
 deleted file mode 100644
-index fd02acc..0000000
+index 4e95c7e..0000000
 --- a/glusterfs.te
 +++ /dev/null
-@@ -1,102 +0,0 @@
--policy_module(glusterfs, 1.0.1)
+@@ -1,105 +0,0 @@
+-policy_module(glusterfs, 1.1.2)
 -
 -########################################
 -#
@@ -30093,7 +32563,7 @@ index fd02acc..0000000
 -files_pid_file(glusterd_var_run_t)
 -
 -type glusterd_var_lib_t;
--files_type(glusterd_var_lib_t);
+-files_type(glusterd_var_lib_t)
 -
 -########################################
 -#
@@ -30123,7 +32593,8 @@ index fd02acc..0000000
 -
 -manage_dirs_pattern(glusterd_t, glusterd_var_run_t, glusterd_var_run_t)
 -manage_files_pattern(glusterd_t, glusterd_var_run_t, glusterd_var_run_t)
--files_pid_filetrans(glusterd_t, glusterd_var_run_t, { dir file })
+-manage_sock_files_pattern(glusterd_t, glusterd_var_run_t, glusterd_var_run_t)
+-files_pid_filetrans(glusterd_t, glusterd_var_run_t, { dir file sock_file })
 -
 -manage_dirs_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t)
 -manage_files_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t)
@@ -30159,6 +32630,8 @@ index fd02acc..0000000
 -dev_read_sysfs(glusterd_t)
 -dev_read_urand(glusterd_t)
 -
+-domain_read_all_domains_state(glusterd_t)
+-
 -domain_use_interactive_fds(glusterd_t)
 -
 -files_read_usr_files(glusterd_t)
@@ -30243,10 +32716,10 @@ index e39de43..5edcb83 100644
 +/usr/libexec/gnome-system-monitor-mechanism 	--      gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
 +/usr/libexec/kde(3|4)/ksysguardprocesslist_helper	--		gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
 diff --git a/gnome.if b/gnome.if
-index d03fd43..ba8cb38 100644
+index ab09d61..ba8cb38 100644
 --- a/gnome.if
 +++ b/gnome.if
-@@ -1,123 +1,157 @@
+@@ -1,125 +1,157 @@
 -## <summary>GNU network object model environment.</summary>
 +## <summary>GNU network object model environment (GNOME)</summary>
  
@@ -30435,15 +32908,15 @@ index d03fd43..ba8cb38 100644
 +		gnome_manage_generic_home_dirs($1_gkeyringd_t)
 +		gnome_read_generic_data_home_files($1_gkeyringd_t)
 +		gnome_read_generic_data_home_dirs($1_gkeyringd_t)
-+
-+		optional_policy(`
+ 
+ 		optional_policy(`
+-			gnome_dbus_chat_gkeyringd($1, $3)
 +			telepathy_mission_control_read_state($1_gkeyringd_t)
 +            telepathy_gabble_stream_connect_to($1_gkeyringd_t,gkeyringd_tmp_t,gkeyringd_tmp_t)
-+		')
-+	')
-+')
+ 		')
+ 	')
+ ')
  
--		gnome_dbus_chat_gkeyringd($1, $3)
 +#######################################
 +## <summary>
 +##  Allow domain to run gkeyring in the $1_gkeyringd_t domain.
@@ -30468,11 +32941,11 @@ index d03fd43..ba8cb38 100644
 +    gen_require(`
 +		type $1_gkeyringd_t;
 +		type gkeyringd_exec_t;
- 	')
++	')
 +	role $2 types $1_gkeyringd_t;
 +	domtrans_pattern($3, gkeyringd_exec_t, $1_gkeyringd_t)
- ')
- 
++')
++
  ########################################
  ## <summary>
 -##	Execute gconf in the caller domain.
@@ -30480,7 +32953,7 @@ index d03fd43..ba8cb38 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -125,18 +159,18 @@ template(`gnome_role_template',`
+@@ -127,18 +159,18 @@ template(`gnome_role_template',`
  ##	</summary>
  ## </param>
  #
@@ -30504,7 +32977,7 @@ index d03fd43..ba8cb38 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -144,119 +178,114 @@ interface(`gnome_exec_gconf',`
+@@ -146,119 +178,114 @@ interface(`gnome_exec_gconf',`
  ##	</summary>
  ## </param>
  #
@@ -30661,7 +33134,7 @@ index d03fd43..ba8cb38 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -264,15 +293,21 @@ interface(`gnome_create_generic_home_dirs',`
+@@ -266,15 +293,21 @@ interface(`gnome_create_generic_home_dirs',`
  ##	</summary>
  ## </param>
  #
@@ -30688,7 +33161,7 @@ index d03fd43..ba8cb38 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -280,57 +315,89 @@ interface(`gnome_setattr_config_dirs',`
+@@ -282,57 +315,89 @@ interface(`gnome_setattr_config_dirs',`
  ##	</summary>
  ## </param>
  #
@@ -30796,7 +33269,7 @@ index d03fd43..ba8cb38 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -338,15 +405,18 @@ interface(`gnome_read_generic_home_content',`
+@@ -340,15 +405,18 @@ interface(`gnome_read_generic_home_content',`
  ##	</summary>
  ## </param>
  #
@@ -30820,7 +33293,7 @@ index d03fd43..ba8cb38 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -354,22 +424,18 @@ interface(`gnome_manage_config',`
+@@ -356,22 +424,18 @@ interface(`gnome_manage_config',`
  ##	</summary>
  ## </param>
  #
@@ -30848,7 +33321,7 @@ index d03fd43..ba8cb38 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -377,53 +443,37 @@ interface(`gnome_manage_generic_home_content',`
+@@ -379,53 +443,37 @@ interface(`gnome_manage_generic_home_content',`
  ##	</summary>
  ## </param>
  #
@@ -30910,7 +33383,7 @@ index d03fd43..ba8cb38 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -431,17 +481,18 @@ interface(`gnome_home_filetrans',`
+@@ -433,17 +481,18 @@ interface(`gnome_home_filetrans',`
  ##	</summary>
  ## </param>
  #
@@ -30933,7 +33406,7 @@ index d03fd43..ba8cb38 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -449,23 +500,18 @@ interface(`gnome_create_generic_gconf_home_dirs',`
+@@ -451,23 +500,18 @@ interface(`gnome_create_generic_gconf_home_dirs',`
  ##	</summary>
  ## </param>
  #
@@ -30961,7 +33434,7 @@ index d03fd43..ba8cb38 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -473,22 +519,18 @@ interface(`gnome_read_generic_gconf_home_content',`
+@@ -475,22 +519,18 @@ interface(`gnome_read_generic_gconf_home_content',`
  ##	</summary>
  ## </param>
  #
@@ -30988,7 +33461,7 @@ index d03fd43..ba8cb38 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -496,79 +538,59 @@ interface(`gnome_manage_generic_gconf_home_content',`
+@@ -498,79 +538,59 @@ interface(`gnome_manage_generic_gconf_home_content',`
  ##	</summary>
  ## </param>
  #
@@ -31086,7 +33559,7 @@ index d03fd43..ba8cb38 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -577,12 +599,12 @@ interface(`gnome_home_filetrans_gnome_home',`
+@@ -579,12 +599,12 @@ interface(`gnome_home_filetrans_gnome_home',`
  ## </param>
  ## <param name="private_type">
  ##	<summary>
@@ -31101,7 +33574,7 @@ index d03fd43..ba8cb38 100644
  ##	</summary>
  ## </param>
  ## <param name="name" optional="true">
-@@ -591,18 +613,18 @@ interface(`gnome_home_filetrans_gnome_home',`
+@@ -593,18 +613,18 @@ interface(`gnome_home_filetrans_gnome_home',`
  ##	</summary>
  ## </param>
  #
@@ -31126,7 +33599,7 @@ index d03fd43..ba8cb38 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -610,46 +632,80 @@ interface(`gnome_gconf_home_filetrans',`
+@@ -612,46 +632,80 @@ interface(`gnome_gconf_home_filetrans',`
  ##	</summary>
  ## </param>
  #
@@ -31224,7 +33697,7 @@ index d03fd43..ba8cb38 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -657,46 +713,64 @@ interface(`gnome_dbus_chat_gkeyringd',`
+@@ -659,46 +713,64 @@ interface(`gnome_dbus_chat_gkeyringd',`
  ##	</summary>
  ## </param>
  #
@@ -31306,7 +33779,7 @@ index d03fd43..ba8cb38 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -704,12 +778,985 @@ interface(`gnome_stream_connect_gkeyringd',`
+@@ -706,12 +778,985 @@ interface(`gnome_stream_connect_gkeyringd',`
  ##	</summary>
  ## </param>
  #
@@ -32298,11 +34771,11 @@ index d03fd43..ba8cb38 100644
 +    type_transition $1 gkeyringd_exec_t:process $2;
  ')
 diff --git a/gnome.te b/gnome.te
-index 20f726b..ea1115c 100644
+index 63893eb..ea1115c 100644
 --- a/gnome.te
 +++ b/gnome.te
 @@ -1,18 +1,36 @@
--policy_module(gnome, 2.2.5)
+-policy_module(gnome, 2.3.0)
 +policy_module(gnome, 2.2.0)
  
  ##############################
@@ -32618,21 +35091,22 @@ index 20f726b..ea1115c 100644
 +
 +userdom_use_inherited_user_terminals(gnomedomain)
 diff --git a/gnomeclock.fc b/gnomeclock.fc
-index b687443..e4c1b83 100644
+index f9ba8cd..e4c1b83 100644
 --- a/gnomeclock.fc
 +++ b/gnomeclock.fc
-@@ -1,5 +1,9 @@
+@@ -1,7 +1,9 @@
 +/usr/lib/systemd/systemd-timedated		--	gen_context(system_u:object_r:gnomeclock_exec_t,s0)
 +
  /usr/libexec/gnome-clock-applet-mechanism	--	gen_context(system_u:object_r:gnomeclock_exec_t,s0)
  
 -/usr/libexec/gsd-datetime-mechanism	--	gen_context(system_u:object_r:gnomeclock_exec_t,s0)
 +/usr/libexec/gsd-datetime-mechanism		--	gen_context(system_u:object_r:gnomeclock_exec_t,s0)
-+
+ 
+-/usr/libexec/kde(3|4)/kcmdatetimehelper	--	gen_context(system_u:object_r:gnomeclock_exec_t,s0)
 +/usr/libexec/kde3/kcmdatetimehelper		--	gen_context(system_u:object_r:gnomeclock_exec_t,s0)
 +/usr/libexec/kde4/kcmdatetimehelper     --  gen_context(system_u:object_r:gnomeclock_exec_t,s0)
  
--/usr/libexec/kde(3|4)/kcmdatetimehelper	--	gen_context(system_u:object_r:gnomeclock_exec_t,s0)
+-/usr/lib/gnome-settings-daemon/gsd-datetime-mechanism	--	gen_context(system_u:object_r:gnomeclock_exec_t,s0)
 diff --git a/gnomeclock.if b/gnomeclock.if
 index 3f55702..25c7ab8 100644
 --- a/gnomeclock.if
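Review bot: The regenerated gnomeclock.fc hunk deletes the /usr/lib/gnome-settings-daemon/gsd-datetime-mechanism entry and adds nothing in its place, so a binary installed at that path would no longer be labelled gnomeclock_exec_t. If F20 does not ship the helper there, say so in the changelog; otherwise keep the entry. The kde4/kcmdatetimehelper line also separates its fields with spaces while the kde3 line above it uses tabs.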
@@ -32692,11 +35166,11 @@ index 3f55702..25c7ab8 100644
  ## <param name="domain">
  ##	<summary>
 diff --git a/gnomeclock.te b/gnomeclock.te
-index 6d79eb5..c728009 100644
+index 7cd7435..c728009 100644
 --- a/gnomeclock.te
 +++ b/gnomeclock.te
 @@ -1,86 +1,99 @@
--policy_module(gnomeclock, 1.0.5)
+-policy_module(gnomeclock, 1.1.0)
 +policy_module(gnomeclock, 1.0.0)
  
  ########################################
@@ -33141,11 +35615,11 @@ index 180f1b7..951b790 100644
 +	userdom_user_home_dir_filetrans($1, gpg_secret_t, dir, ".gnupg")
 +')
 diff --git a/gpg.te b/gpg.te
-index 44cf341..2153214 100644
+index 0e97e82..2153214 100644
 --- a/gpg.te
 +++ b/gpg.te
 @@ -1,47 +1,47 @@
--policy_module(gpg, 2.7.3)
+-policy_module(gpg, 2.8.0)
 +policy_module(gpg, 2.6.0)
  
  ########################################
@@ -33665,9 +36139,15 @@ index 44cf341..2153214 100644
 +    miscfiles_manage_public_files(gpg_web_t)
  ')
 diff --git a/gpm.te b/gpm.te
-index 3226f52..68b2eb8 100644
+index 69734fd..68b2eb8 100644
 --- a/gpm.te
 +++ b/gpm.te
+@@ -1,4 +1,4 @@
+-policy_module(gpm, 1.9.0)
++policy_module(gpm, 1.8.2)
+ 
+ ########################################
+ #
 @@ -13,7 +13,7 @@ type gpm_initrc_exec_t;
  init_script_file(gpm_initrc_exec_t)
  
@@ -33699,9 +36179,15 @@ index 3226f52..68b2eb8 100644
  optional_policy(`
  	seutil_sigchld_newrole(gpm_t)
 diff --git a/gpsd.te b/gpsd.te
-index 25f09ae..3085534 100644
+index fe3895e..3085534 100644
 --- a/gpsd.te
 +++ b/gpsd.te
+@@ -1,4 +1,4 @@
+-policy_module(gpsd, 1.2.0)
++policy_module(gpsd, 1.1.1)
+ 
+ ########################################
+ #
 @@ -28,11 +28,12 @@ files_pid_file(gpsd_var_run_t)
  #
  
@@ -34025,9 +36511,15 @@ index 0000000..bbd5979
 +	kerberos_manage_host_rcache(gssproxy_t)
 +')
 diff --git a/guest.te b/guest.te
-index d928711..93d2d83 100644
+index 19cdbe1..93d2d83 100644
 --- a/guest.te
 +++ b/guest.te
+@@ -1,4 +1,4 @@
+-policy_module(guest, 1.3.0)
++policy_module(guest, 1.2.1)
+ 
+ ########################################
+ #
 @@ -20,4 +20,4 @@ optional_policy(`
  	apache_role(guest_r, guest_t)
  ')
@@ -34035,9 +36527,15 @@ index d928711..93d2d83 100644
 -#gen_user(guest_u, user, guest_r, s0, s0)
 +gen_user(guest_u, user, guest_r, s0, s0)
 diff --git a/hadoop.te b/hadoop.te
-index e62bcb7..f44ad99 100644
+index e151378..f44ad99 100644
 --- a/hadoop.te
 +++ b/hadoop.te
+@@ -1,4 +1,4 @@
+-policy_module(hadoop, 1.3.0)
++policy_module(hadoop, 1.2.5)
+ 
+ ########################################
+ #
 @@ -155,7 +155,6 @@ dev_read_urand(hadoop_t)
  domain_use_interactive_fds(hadoop_t)
  
@@ -34071,10 +36569,44 @@ index e62bcb7..f44ad99 100644
  
  fs_getattr_xattr_fs(zookeeper_server_t)
  
+diff --git a/hal.fc b/hal.fc
+index c9f4520..2899bad 100644
+--- a/hal.fc
++++ b/hal.fc
+@@ -1,5 +1,5 @@
+-/etc/hal/capability\.d/printer_update\.hal	--	gen_context(system_u:object_r:hald_exec_t,s0)
+ /etc/hal/device\.d/printer_remove\.hal	-- 	gen_context(system_u:object_r:hald_exec_t,s0)
++/etc/hal/capability\.d/printer_update\.hal	--	gen_context(system_u:object_r:hald_exec_t,s0)
+ 
+ /usr/bin/hal-setup-keymap	--	gen_context(system_u:object_r:hald_keymap_exec_t,s0)
+ 
+@@ -9,14 +9,14 @@
+ /usr/libexec/hal-system-sonypic	--	gen_context(system_u:object_r:hald_sonypic_exec_t,s0)
+ /usr/libexec/hald-addon-macbookpro-backlight	--	gen_context(system_u:object_r:hald_mac_exec_t,s0)
+ /usr/libexec/hald-addon-macbook-backlight	--	gen_context(system_u:object_r:hald_mac_exec_t,s0)
++/usr/sbin/radeontool	--	gen_context(system_u:object_r:hald_mac_exec_t,s0)
+ 
+ /usr/sbin/hald	--	gen_context(system_u:object_r:hald_exec_t,s0)
+-/usr/sbin/radeontool	--	gen_context(system_u:object_r:hald_mac_exec_t,s0)
+ 
+ /var/cache/hald(/.*)?	gen_context(system_u:object_r:hald_cache_t,s0)
+ 
+-/var/lib/cache/hald(/.*)?	gen_context(system_u:object_r:hald_cache_t,s0)
+ /var/lib/hal(/.*)?	gen_context(system_u:object_r:hald_var_lib_t,s0)
++/var/lib/cache/hald(/.*)?	gen_context(system_u:object_r:hald_cache_t,s0)
+ 
+ /var/log/pm(/.*)?	gen_context(system_u:object_r:hald_log_t,s0)
+ 
 diff --git a/hal.te b/hal.te
-index 0801fe1..85b6f3e 100644
+index bbccc79..85b6f3e 100644
 --- a/hal.te
 +++ b/hal.te
+@@ -1,4 +1,4 @@
+-policy_module(hal, 1.15.0)
++policy_module(hal, 1.14.5)
+ 
+ ########################################
+ #
 @@ -61,7 +61,6 @@ files_type(hald_var_lib_t)
  # Common local policy
  #
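Review bot: The new hal.fc diff only moves three entries (printer_update\.hal, radeontool and /var/lib/cache/hald) to a different position; each keeps the same path and context on its - and + line. Dropping this diff would make the carried patch smaller without changing any label.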
@@ -34111,9 +36643,15 @@ index 1728071..77e71ea 100644
  	domain_system_change_exemption($1)
  	role_transition $2 hddtemp_initrc_exec_t system_r;
 diff --git a/hddtemp.te b/hddtemp.te
-index 18d76bb..588c964 100644
+index 9e11b98..588c964 100644
 --- a/hddtemp.te
 +++ b/hddtemp.te
+@@ -1,4 +1,4 @@
+-policy_module(hddtemp, 1.2.0)
++policy_module(hddtemp, 1.1.1)
+ 
+ ########################################
+ #
 @@ -26,7 +26,6 @@ allow hddtemp_t self:tcp_socket { accept listen };
  
  allow hddtemp_t hddtemp_etc_t:file read_file_perms;
@@ -34138,9 +36676,15 @@ index 18d76bb..588c964 100644
  
 -miscfiles_read_localization(hddtemp_t)
 diff --git a/howl.te b/howl.te
-index e207823..4e0f8ba 100644
+index b9e60ec..4e0f8ba 100644
 --- a/howl.te
 +++ b/howl.te
+@@ -1,4 +1,4 @@
+-policy_module(howl, 1.10.0)
++policy_module(howl, 1.9.1)
+ 
+ ########################################
+ #
 @@ -36,7 +36,6 @@ kernel_request_load_module(howl_t)
  kernel_list_proc(howl_t)
  kernel_read_proc_symlinks(howl_t)
@@ -34159,13 +36703,14 @@ index e207823..4e0f8ba 100644
  userdom_dontaudit_search_user_home_dirs(howl_t)
  
 diff --git a/hypervkvp.fc b/hypervkvp.fc
-new file mode 100644
-index 0000000..e2ae3b2
---- /dev/null
+index b46130e..e2ae3b2 100644
+--- a/hypervkvp.fc
 +++ b/hypervkvp.fc
-@@ -0,0 +1,10 @@
+@@ -1,3 +1,10 @@
+-/etc/rc\.d/init\.d/hypervkvpd	--	gen_context(system_u:object_r:hypervkvpd_initrc_exec_t,s0)
 +/etc/rc\.d/init\.d/hypervkvpd	--	gen_context(system_u:object_r:hypervkvp_initrc_exec_t,s0)
-+
+ 
+-/usr/sbin/hv_kvp_daemon	--	gen_context(system_u:object_r:hypervkvpd_exec_t,s0)
 +/usr/lib/systemd/system/hypervvssd.*      --  gen_context(system_u:object_r:hypervvssd_unit_file_t,s0)
 +
 +/usr/sbin/hv_kvp_daemon		--	gen_context(system_u:object_r:hypervkvp_exec_t,s0)
@@ -34175,11 +36720,11 @@ index 0000000..e2ae3b2
 +
 +/var/lib/hyperv(/.*)?		gen_context(system_u:object_r:hypervkvp_var_lib_t,s0)
 diff --git a/hypervkvp.if b/hypervkvp.if
-new file mode 100644
-index 0000000..b7ca833
---- /dev/null
+index 6517fad..b7ca833 100644
+--- a/hypervkvp.if
 +++ b/hypervkvp.if
-@@ -0,0 +1,134 @@
+@@ -1,32 +1,134 @@
+-## <summary>HyperV key value pair (KVP).</summary>
 +
 +## <summary>policy for hypervkvp</summary>
 +
@@ -34240,17 +36785,20 @@ index 0000000..b7ca833
 +	allow $1 hypervkvp_var_lib_t:dir list_dir_perms;
 +	read_files_pattern($1, hypervkvp_var_lib_t, hypervkvp_var_lib_t)
 +')
-+
-+########################################
-+## <summary>
+ 
+ ########################################
+ ## <summary>
+-##	All of the rules required to
+-##	administrate an hypervkvp environment.
 +##	Create, read, write, and delete
 +##	hypervkvp lib files.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+-## <param name="role">
 +#
 +interface(`hypervkvp_manage_lib_files',`
 +	gen_require(`
@@ -34290,13 +36838,16 @@ index 0000000..b7ca833
 +##	an hypervkvp environment
 +## </summary>
 +## <param name="domain">
-+##	<summary>
+ ##	<summary>
+-##	Role allowed access.
 +##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`hypervkvp_admin',`
-+	gen_require(`
+ ##	</summary>
+ ## </param>
+-## <rolecap/>
+ #
+ interface(`hypervkvp_admin',`
+ 	gen_require(`
+-		type hypervkvpd_t, hypervkvpd_initrc_exec_t;
 +		type hypervkvp_t;
 +		type hypervkvp_unit_file_t;
 +	')
@@ -34306,29 +36857,35 @@ index 0000000..b7ca833
 +
 +	tunable_policy(`deny_ptrace',`',`
 +		allow $1 hypervkvp_t:process ptrace;
-+	')
-+
+ 	')
+ 
+-	allow $1 hypervkvpd_t:process { ptrace signal_perms };
+-	ps_process_pattern($1, hypervkvpd_t)
 +	hypervkvp_manage_lib_files($1)
-+
+ 
+-	init_labeled_script_domtrans($1, hypervkvpd_initrc_exec_t)
+-	domain_system_change_exemption($1)
+-	role_transition $2 hypervkvpd_initrc_exec_t system_r;
+-	allow $2 system_r;
 +	hypervkvp_systemctl($1)
 +	admin_pattern($1, hypervkvp_unit_file_t)
 +	allow $1 hypervkvp_unit_file_t:service all_service_perms;
-+')
+ ')
 diff --git a/hypervkvp.te b/hypervkvp.te
-new file mode 100644
-index 0000000..97144bc
---- /dev/null
+index 4eb7041..97144bc 100644
+--- a/hypervkvp.te
 +++ b/hypervkvp.te
-@@ -0,0 +1,79 @@
-+policy_module(hypervkvp, 1.0.0)
-+
-+########################################
-+#
-+# Declarations
-+#
-+
+@@ -5,24 +5,75 @@ policy_module(hypervkvp, 1.0.0)
+ # Declarations
+ #
+ 
+-type hypervkvpd_t;
+-type hypervkvpd_exec_t;
+-init_daemon_domain(hypervkvpd_t, hypervkvpd_exec_t)
 +attribute hyperv_domain;
-+
+ 
+-type hypervkvpd_initrc_exec_t;
+-init_script_file(hypervkvpd_initrc_exec_t)
 +type hypervkvp_t, hyperv_domain;
 +type hypervkvp_exec_t;
 +init_daemon_domain(hypervkvp_t, hypervkvp_exec_t)
@@ -34348,9 +36905,10 @@ index 0000000..97144bc
 +
 +type hypervvssd_unit_file_t;
 +systemd_unit_file(hypervvssd_unit_file_t)
-+
-+########################################
-+#
+ 
+ ########################################
+ #
+-# Local policy
 +# hyperv domain local policy
 +#
 +
@@ -34366,10 +36924,12 @@ index 0000000..97144bc
 +dev_read_sysfs(hyperv_domain)
 +
 +########################################
-+#
+ #
 +# hypervkvp local policy
-+#
-+
+ #
+ 
+-allow hypervkvpd_t self:fifo_file rw_fifo_file_perms;
+-allow hypervkvpd_t self:unix_stream_socket create_stream_socket_perms;
 +manage_dirs_pattern(hypervkvp_t, hypervkvp_var_lib_t, hypervkvp_var_lib_t)
 +manage_files_pattern(hypervkvp_t, hypervkvp_var_lib_t, hypervkvp_var_lib_t)
 +files_var_lib_filetrans(hypervkvp_t, hypervkvp_var_lib_t, dir)
@@ -34384,7 +36944,8 @@ index 0000000..97144bc
 +logging_send_syslog_msg(hypervkvp_t)
 +
 +sysnet_dns_name_resolve(hypervkvp_t)
-+
+ 
+-logging_send_syslog_msg(hypervkvpd_t)
 +userdom_dontaudit_search_admin_dir(hypervkvp_t)
 +
 +optional_policy(`
@@ -34395,14 +36956,22 @@ index 0000000..97144bc
 +#
 +# hypervvssd local policy
 +#
-+
+ 
+-miscfiles_read_localization(hypervkvpd_t)
 +allow hypervvssd_t self:capability sys_admin;
-+
+ 
+-sysnet_dns_name_resolve(hypervkvpd_t)
 +logging_send_syslog_msg(hypervvssd_t)
 diff --git a/i18n_input.te b/i18n_input.te
-index 3bed8fa..a738d7f 100644
+index 369a056..a738d7f 100644
 --- a/i18n_input.te
 +++ b/i18n_input.te
+@@ -1,4 +1,4 @@
+-policy_module(i18n_input, 1.9.0)
++policy_module(i18n_input, 1.8.1)
+ 
+ ########################################
+ #
 @@ -45,7 +45,6 @@ can_exec(i18n_input_t, i18n_input_exec_t)
  kernel_read_kernel_sysctls(i18n_input_t)
  kernel_read_system_state(i18n_input_t)
@@ -34461,9 +37030,15 @@ index 580b533..c267cea 100644
  	domain_system_change_exemption($1)
  	role_transition $2 icecast_initrc_exec_t system_r;
 diff --git a/icecast.te b/icecast.te
-index ac6f9d5..bd3a837 100644
+index a9e573a..bd3a837 100644
 --- a/icecast.te
 +++ b/icecast.te
+@@ -1,4 +1,4 @@
+-policy_module(icecast, 1.2.0)
++policy_module(icecast, 1.1.1)
+ 
+ ########################################
+ #
 @@ -65,11 +65,9 @@ dev_read_sysfs(icecast_t)
  dev_read_urand(icecast_t)
  dev_read_rand(icecast_t)
@@ -34491,9 +37066,15 @@ index 8999899..96909ae 100644
  
  	init_labeled_script_domtrans($1, ifplugd_initrc_exec_t)
 diff --git a/ifplugd.te b/ifplugd.te
-index 6910e49..c4a9fcb 100644
+index b0546b4..c4a9fcb 100644
 --- a/ifplugd.te
 +++ b/ifplugd.te
+@@ -1,4 +1,4 @@
+-policy_module(ifplugd, 1.1.0)
++policy_module(ifplugd, 1.0.1)
+ 
+ ########################################
+ #
 @@ -10,7 +10,7 @@ type ifplugd_exec_t;
  init_daemon_domain(ifplugd_t, ifplugd_exec_t)
  
@@ -34519,9 +37100,15 @@ index 6910e49..c4a9fcb 100644
  
  sysnet_domtrans_ifconfig(ifplugd_t)
 diff --git a/imaze.te b/imaze.te
-index 05387d1..08a489c 100644
+index 1eb24d8..08a489c 100644
 --- a/imaze.te
 +++ b/imaze.te
+@@ -1,4 +1,4 @@
+-policy_module(imaze, 1.8.0)
++policy_module(imaze, 1.7.1)
+ 
+ ########################################
+ #
 @@ -45,7 +45,6 @@ kernel_list_proc(imazesrv_t)
  kernel_read_kernel_sysctls(imazesrv_t)
  kernel_read_proc_symlinks(imazesrv_t)
@@ -34539,6 +37126,21 @@ index 05387d1..08a489c 100644
  userdom_use_unpriv_users_fds(imazesrv_t)
  userdom_dontaudit_search_user_home_dirs(imazesrv_t)
  
+diff --git a/inetd.fc b/inetd.fc
+index 0374509..2a5a686 100644
+--- a/inetd.fc
++++ b/inetd.fc
+@@ -5,8 +5,9 @@
+ /usr/sbin/identd	--	gen_context(system_u:object_r:inetd_child_exec_t,s0)
+ /usr/sbin/in\..*d	--	gen_context(system_u:object_r:inetd_child_exec_t,s0)
+ 
++/usr/sbin/inetd	--	gen_context(system_u:object_r:inetd_exec_t,s0)
+ /usr/sbin/rlinetd	--	gen_context(system_u:object_r:inetd_exec_t,s0)
+-/usr/sbin/(x)?inetd	--	gen_context(system_u:object_r:inetd_exec_t,s0)
++/usr/sbin/xinetd	--	gen_context(system_u:object_r:inetd_exec_t,s0)
+ 
+ /var/log/(x)?inetd\.log.*	--	gen_context(system_u:object_r:inetd_log_t,s0)
+ 
 diff --git a/inetd.if b/inetd.if
 index fbb54e7..05c3777 100644
 --- a/inetd.if
@@ -34557,9 +37159,15 @@ index fbb54e7..05c3777 100644
  
  ########################################
 diff --git a/inetd.te b/inetd.te
-index 1a5ed62..420305b 100644
+index c6450df..420305b 100644
 --- a/inetd.te
 +++ b/inetd.te
+@@ -1,4 +1,4 @@
+-policy_module(inetd, 1.13.0)
++policy_module(inetd, 1.12.2)
+ 
+ ########################################
+ #
 @@ -37,9 +37,9 @@ ifdef(`enable_mcs',`
  # Local policy
  #
@@ -34709,9 +37317,15 @@ index eb87f23..d3d32c3 100644
  
  	init_labeled_script_domtrans($1, innd_initrc_exec_t)
 diff --git a/inn.te b/inn.te
-index 5aab5d0..5967395 100644
+index d39f0cc..5967395 100644
 --- a/inn.te
 +++ b/inn.te
+@@ -1,4 +1,4 @@
+-policy_module(inn, 1.11.0)
++policy_module(inn, 1.10.3)
+ 
+ ########################################
+ #
 @@ -26,6 +26,7 @@ files_pid_file(innd_var_run_t)
  
  type news_spool_t;
@@ -34822,15 +37436,9 @@ index a0bfbd0..a3b02e6 100644
  ##	administrate an iodined environment
  ## </summary>
 diff --git a/iodine.te b/iodine.te
-index 94ec5f8..6cbbf7d 100644
+index d443fee..6cbbf7d 100644
 --- a/iodine.te
 +++ b/iodine.te
-@@ -1,4 +1,4 @@
--policy_module(iodine, 1.0.2)
-+policy_module(iodine, 1.1.0)
- 
- ########################################
- #
 @@ -12,6 +12,9 @@ init_daemon_domain(iodined_t, iodined_exec_t)
  type iodined_initrc_exec_t;
  init_script_file(iodined_initrc_exec_t)
@@ -35087,9 +37695,15 @@ index ac00fb0..36ef2e5 100644
 +		userdom_user_home_dir_filetrans($1, irssi_home_t, dir, "irclogs")
  ')
 diff --git a/irc.te b/irc.te
-index ecad9c7..abf0b2d 100644
+index 2636503..abf0b2d 100644
 --- a/irc.te
 +++ b/irc.te
+@@ -1,4 +1,4 @@
+-policy_module(irc, 2.3.1)
++policy_module(irc, 2.2.3)
+ 
+ ########################################
+ #
 @@ -31,13 +31,35 @@ typealias irc_home_t alias { user_irc_home_t staff_irc_home_t sysadm_irc_home_t
  typealias irc_home_t alias { auditadm_irc_home_t secadm_irc_home_t };
  userdom_user_home_content(irc_home_t)
@@ -35165,10 +37779,11 @@ index ecad9c7..abf0b2d 100644
  fs_getattr_all_fs(irc_t)
  fs_search_auto_mountpoints(irc_t)
  
-@@ -106,15 +122,18 @@ auth_use_nsswitch(irc_t)
+@@ -106,17 +122,18 @@ auth_use_nsswitch(irc_t)
  init_read_utmp(irc_t)
  init_dontaudit_lock_utmp(irc_t)
  
+-miscfiles_read_generic_certs(irc_t)
 -miscfiles_read_localization(irc_t)
  
  userdom_use_user_terminals(irc_t)
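Review bot: miscfiles_read_generic_certs(irc_t) is now removed at the top of the "@@ -106,17 +122,18 @@" hunk together with miscfiles_read_localization(irc_t), and the visible lines do not show a replacement. A client running in irc_t that connects over TLS has to read the system certificates to validate the server, so please either keep the call or point to the interface elsewhere in irc.te that already grants this access.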
@@ -35182,11 +37797,12 @@ index ecad9c7..abf0b2d 100644
 +userdom_use_inherited_user_terminals(irc_t)
  
  tunable_policy(`irc_use_any_tcp_ports',`
+-	allow irc_t self:tcp_socket { accept listen };
 +	allow irc_t self:tcp_socket create_stream_socket_perms;
  	corenet_sendrecv_all_server_packets(irc_t)
  	corenet_tcp_bind_all_unreserved_ports(irc_t)
  	corenet_sendrecv_all_client_packets(irc_t)
-@@ -122,18 +141,71 @@ tunable_policy(`irc_use_any_tcp_ports',`
+@@ -124,18 +141,71 @@ tunable_policy(`irc_use_any_tcp_ports',`
  	corenet_tcp_sendrecv_all_ports(irc_t)
  ')
  
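Review bot: Inside the irc_use_any_tcp_ports tunable, "allow irc_t self:tcp_socket { accept listen };" is replaced by create_stream_socket_perms, which is a superset: it adds the whole create_socket_perms set on top of accept and listen. The boolean only needs to add the server-side permissions. If irc_t already gets its client socket permissions unconditionally elsewhere in the module, keep "{ accept listen }" here so that what the boolean enables stays easy to audit.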
@@ -35282,9 +37898,15 @@ index ade9803..3620c9a 100644
  
  	files_search_var_lib($1)
 diff --git a/ircd.te b/ircd.te
-index e9f746e..40e440c 100644
+index efaf4b1..40e440c 100644
 --- a/ircd.te
 +++ b/ircd.te
+@@ -1,4 +1,4 @@
+-policy_module(ircd, 1.8.0)
++policy_module(ircd, 1.7.1)
+ 
+ ########################################
+ #
 @@ -52,7 +52,6 @@ kernel_read_kernel_sysctls(ircd_t)
  
  corecmd_exec_bin(ircd_t)
@@ -35303,22 +37925,30 @@ index e9f746e..40e440c 100644
  userdom_dontaudit_search_user_home_dirs(ircd_t)
  
 diff --git a/irqbalance.te b/irqbalance.te
-index c5a8112..947efe0 100644
+index e1f302d..947efe0 100644
 --- a/irqbalance.te
 +++ b/irqbalance.te
-@@ -22,6 +22,12 @@ files_pid_file(irqbalance_var_run_t)
+@@ -1,4 +1,4 @@
+-policy_module(irqbalance, 1.6.0)
++policy_module(irqbalance, 1.5.1)
+ 
+ ########################################
+ #
+@@ -22,7 +22,13 @@ files_pid_file(irqbalance_var_run_t)
  
  allow irqbalance_t self:capability { setpcap net_admin };
  dontaudit irqbalance_t self:capability sys_tty_config;
+-allow irqbalance_t self:process { getcap getsched setcap signal_perms };
 +
 +ifdef(`hide_broken_symptoms',`
 +	# caused by some bogus kernel code
 +	dontaudit irqbalance_t self:capability sys_module;
 +')
 +
- allow irqbalance_t self:process { getcap setcap signal_perms };
++allow irqbalance_t self:process { getcap setcap signal_perms };
  allow irqbalance_t self:udp_socket create_socket_perms;
  
+ manage_files_pattern(irqbalance_t, irqbalance_var_run_t, irqbalance_var_run_t)
 @@ -35,7 +41,6 @@ kernel_rw_irq_sysctls(irqbalance_t)
  
  dev_read_sysfs(irqbalance_t)
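Review bot: The rewritten self:process rule loses getsched: the base line is "allow irqbalance_t self:process { getcap getsched setcap signal_perms };" and the patch replaces it with "{ getcap setcap signal_perms }". This looks like a rebase leftover rather than a deliberate tightening, since the previous patch revision carried the rule as unchanged context. Please keep getsched unless there is a stated reason to remove it, otherwise it will come back as AVC denials. Separately, the dontaudit for sys_module under hide_broken_symptoms is justified only by "caused by some bogus kernel code"; a bug reference would make it possible to retire the rule later.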
@@ -35477,9 +38107,15 @@ index 1a35420..a7e1562 100644
  	logging_search_logs($1)
  	admin_pattern($1, iscsi_log_t)
 diff --git a/iscsi.te b/iscsi.te
-index 57304e4..b25cfd0 100644
+index ca020fa..b25cfd0 100644
 --- a/iscsi.te
 +++ b/iscsi.te
+@@ -1,4 +1,4 @@
+-policy_module(iscsi, 1.9.0)
++policy_module(iscsi, 1.8.2)
+ 
+ ########################################
+ #
 @@ -9,8 +9,8 @@ type iscsid_t;
  type iscsid_exec_t;
  init_daemon_domain(iscsid_t, iscsid_exec_t)
@@ -35629,7 +38265,7 @@ index 59ad3b3..bd02cc8 100644
 +
 +/var/spool/pyicq-t(/.*)?			gen_context(system_u:object_r:pyicqt_var_spool_t,s0)
 diff --git a/jabber.if b/jabber.if
-index 16b1666..01673a4 100644
+index 7eb3811..01673a4 100644
 --- a/jabber.if
 +++ b/jabber.if
 @@ -1,29 +1,76 @@
@@ -35823,7 +38459,7 @@ index 16b1666..01673a4 100644
  	role_transition $2 jabberd_initrc_exec_t system_r;
  	allow $2 system_r;
  
--	files_search_locks($1))
+-	files_search_locks($1)
 -	admin_pattern($1, jabberd_lock_t)
 -
 -	logging_search_logs($1)
@@ -35840,11 +38476,11 @@ index 16b1666..01673a4 100644
 -	admin_pattern($1, jabberd_var_run_t)
  ')
 diff --git a/jabber.te b/jabber.te
-index bb12c90..62d511b 100644
+index af67c36..62d511b 100644
 --- a/jabber.te
 +++ b/jabber.te
 @@ -1,4 +1,4 @@
--policy_module(jabber, 1.9.1)
+-policy_module(jabber, 1.10.0)
 +policy_module(jabber, 1.8.0)
  
  ########################################
@@ -36060,10 +38696,16 @@ index bb12c90..62d511b 100644
 -auth_use_nsswitch(jabberd_router_t)
 +sysnet_read_config(jabberd_domain)
 diff --git a/java.te b/java.te
-index b3fcfbb..5459aa3 100644
+index a7ae153..5459aa3 100644
 --- a/java.te
 +++ b/java.te
-@@ -11,7 +11,7 @@ policy_module(java, 2.6.3)
+@@ -1,4 +1,4 @@
+-policy_module(java, 2.7.0)
++policy_module(java, 2.6.3)
+ 
+ ########################################
+ #
+@@ -11,7 +11,7 @@ policy_module(java, 2.7.0)
  ##	its stack executable.
  ##	</p>
  ## </desc>
@@ -37106,11 +39748,11 @@ index 3a00b3a..21efcc4 100644
 +	allow $1 kdump_unit_file_t:service all_service_perms;
  ')
 diff --git a/kdump.te b/kdump.te
-index 70f3007..58bd992 100644
+index 715fc21..58bd992 100644
 --- a/kdump.te
 +++ b/kdump.te
 @@ -1,4 +1,4 @@
--policy_module(kdump, 1.2.3)
+-policy_module(kdump, 1.3.0)
 +policy_module(kdump, 1.2.0)
  
  #######################################
@@ -37314,11 +39956,11 @@ index 182ab8b..8b1d9c2 100644
 +')
 +
 diff --git a/kdumpgui.te b/kdumpgui.te
-index e7f5c81..12ff296 100644
+index 2990962..12ff296 100644
 --- a/kdumpgui.te
 +++ b/kdumpgui.te
 @@ -1,83 +1,92 @@
--policy_module(kdumpgui, 1.1.4)
+-policy_module(kdumpgui, 1.2.0)
 +policy_module(kdumpgui, 1.1.0)
  
  ########################################
@@ -37706,7 +40348,7 @@ index 4fe75fd..b029c28 100644
 +/var/tmp/ldap_487		-- 	gen_context(system_u:object_r:krb5_host_rcache_t,s0)
 +/var/tmp/ldap_55		-- 	gen_context(system_u:object_r:krb5_host_rcache_t,s0)
 diff --git a/kerberos.if b/kerberos.if
-index f9de9fc..b573f79 100644
+index f6c00d8..b573f79 100644
 --- a/kerberos.if
 +++ b/kerberos.if
 @@ -1,27 +1,29 @@
@@ -37887,98 +40529,62 @@ index f9de9fc..b573f79 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -182,75 +178,7 @@ interface(`kerberos_rw_config',`
+@@ -182,27 +178,27 @@ interface(`kerberos_rw_config',`
  
  ########################################
  ## <summary>
 -##	Create, read, write, and delete
 -##	kerberos home files.
--## </summary>
--## <param name="domain">
--##	<summary>
--##	Domain allowed access.
--##	</summary>
--## </param>
--#
--interface(`kerberos_manage_krb5_home_files',`
--	gen_require(`
--		type krb5_home_t;
--	')
--
--	userdom_search_user_home_dirs($1)
--	allow $1 krb5_home_t:file manage_file_perms;
--')
--
--########################################
--## <summary>
--##	Relabel kerberos home files.
--## </summary>
--## <param name="domain">
--##	<summary>
--##	Domain allowed access.
--##	</summary>
--## </param>
--#
--interface(`kerberos_relabel_krb5_home_files',`
--	gen_require(`
--		type krb5_home_t;
--	')
--
--	userdom_search_user_home_dirs($1)
--	allow $1 krb5_home_t:file relabel_file_perms;
--')
--
--########################################
--## <summary>
--##	Create objects in user home
--##	directories with the krb5 home type.
--## </summary>
--## <param name="domain">
--##	<summary>
--##	Domain allowed access.
--##	</summary>
--## </param>
--## <param name="object_class">
--##	<summary>
--##	Class of the object being created.
--##	</summary>
--## </param>
--## <param name="name" optional="true">
--##	<summary>
--##	The name of the object being created.
--##	</summary>
--## </param>
--#
--interface(`kerberos_home_filetrans_krb5_home',`
--	gen_require(`
--		type krb5_home_t;
--	')
--
--	userdom_user_home_dir_filetrans($1, krb5_home_t, $2, $3)
--')
--
--########################################
--## <summary>
--##	Read kerberos key table files.
 +##	Read the kerberos key table.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -270,7 +198,7 @@ interface(`kerberos_read_keytab',`
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
++## <rolecap/>
+ #
+-interface(`kerberos_manage_krb5_home_files',`
++interface(`kerberos_read_keytab',`
+ 	gen_require(`
+-		type krb5_home_t;
++		type krb5_keytab_t;
+ 	')
+ 
+-	userdom_search_user_home_dirs($1)
+-	allow $1 krb5_home_t:file manage_file_perms;
++	files_search_etc($1)
++	allow $1 krb5_keytab_t:file read_file_perms;
+ ')
  
  ########################################
  ## <summary>
--##	Read and write kerberos key table files.
+-##	Relabel kerberos home files.
 +##	Read/Write the kerberos key table.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -289,40 +217,13 @@ interface(`kerberos_rw_keytab',`
+@@ -210,322 +206,329 @@ interface(`kerberos_manage_krb5_home_files',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`kerberos_relabel_krb5_home_files',`
++interface(`kerberos_rw_keytab',`
+ 	gen_require(`
+-		type krb5_home_t;
++		type krb5_keytab_t;
+ 	')
+ 
+-	userdom_search_user_home_dirs($1)
+-	allow $1 krb5_home_t:file relabel_file_perms;
++	files_search_etc($1)
++	allow $1 krb5_keytab_t:file rw_file_perms;
+ ')
  
  ########################################
  ## <summary>
--##	Create, read, write, and delete
--##	kerberos key table files.
+-##	Create objects in user home
+-##	directories with the krb5 home type.
 +##	Create keytab file in /etc
  ## </summary>
  ## <param name="domain">
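Review bot: After re-aligning against the new base, kerberos_manage_krb5_home_files and kerberos_relabel_krb5_home_files end up deleted from kerberos.if (their "interface(" lines are replaced by kerberos_read_keytab and kerberos_rw_keytab), and the visible lines do not add them back. Any module in the base that still calls either interface will no longer compile. Please check for callers before removing them, or keep the two interfaces alongside the Fedora ones.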
@@ -37986,27 +40592,6 @@ index f9de9fc..b573f79 100644
  ##	Domain allowed access.
  ##	</summary>
  ## </param>
--#
--interface(`kerberos_manage_keytab_files',`
--	gen_require(`
--		type krb5_keytab_t;
--	')
--
--	files_search_etc($1)
--	allow $1 krb5_keytab_t:file manage_file_perms;
--')
--
--########################################
--## <summary>
--##	Create specified objects in generic
--##	etc directories with the kerberos
--##	keytab file type.
--## </summary>
--## <param name="domain">
--##	<summary>
--##	Domain allowed access.
--##	</summary>
--## </param>
 -## <param name="object_class">
 -##	<summary>
 -##	Class of the object being created.
@@ -38015,139 +40600,193 @@ index f9de9fc..b573f79 100644
  ## <param name="name" optional="true">
  ##	<summary>
  ##	The name of the object being created.
-@@ -334,13 +235,13 @@ interface(`kerberos_etc_filetrans_keytab',`
- 		type krb5_keytab_t;
+ ##	</summary>
+ ## </param>
+ #
+-interface(`kerberos_home_filetrans_krb5_home',`
++interface(`kerberos_etc_filetrans_keytab',`
+ 	gen_require(`
+-		type krb5_home_t;
++		type krb5_keytab_t;
  	')
  
--	files_etc_filetrans($1, krb5_keytab_t, $2, $3)
+-	userdom_user_home_dir_filetrans($1, krb5_home_t, $2, $3)
 +	allow $1 krb5_keytab_t:file manage_file_perms;
 +	files_etc_filetrans($1, krb5_keytab_t, file, $2)
  ')
  
  ########################################
  ## <summary>
--##	Create a derived type for kerberos
--##	keytab files.
+-##	Read kerberos key table files.
 +##	Create a derived type for kerberos keytab
  ## </summary>
- ## <param name="prefix">
++## <param name="prefix">
++##	<summary>
++##	The prefix to be used for deriving type names.
++##	</summary>
++## </param>
+ ## <param name="domain">
  ##	<summary>
-@@ -354,21 +255,21 @@ interface(`kerberos_etc_filetrans_keytab',`
+ ##	Domain allowed access.
+ ##	</summary>
  ## </param>
+-## <rolecap/>
  #
- template(`kerberos_keytab_template',`
+-interface(`kerberos_read_keytab',`
+-	gen_require(`
+-		type krb5_keytab_t;
+-	')
++template(`kerberos_keytab_template',`
 +    gen_require(`
 +        attribute kerberos_keytab_domain;
 +    ')
  
--	########################################
--	#
--	# Declarations
--	#
+-	files_search_etc($1)
+-	allow $1 krb5_keytab_t:file read_file_perms;
 +    typeattribute $2 kerberos_keytab_domain;
- 
- 	type $1_keytab_t;
- 	files_type($1_keytab_t)
- 
--	########################################
--	#
--	# Policy
--	#
++
++	type $1_keytab_t;
++	files_type($1_keytab_t)
++
 +	allow $2 self:process setfscreate;
 + 	allow $2 $1_keytab_t:file read_file_perms;
- 
--	allow $2 $1_keytab_t:file read_file_perms;
++
 +	seutil_read_file_contexts($2)
 +	seutil_read_config($2)
 +	selinux_get_enforce_mode($2)
- 
- 	kerberos_read_keytab($2)
- 	kerberos_use($2)
-@@ -376,7 +277,26 @@ template(`kerberos_keytab_template',`
++
++	kerberos_read_keytab($2)
++	kerberos_use($2)
+ ')
  
  ########################################
  ## <summary>
--##	Read kerberos kdc configuration files.
+-##	Read and write kerberos key table files.
 +##	Read the kerberos kdc configuration file (/etc/krb5kdc.conf).
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
 +## <rolecap/>
-+#
+ #
+-interface(`kerberos_rw_keytab',`
+-	gen_require(`
+-		type krb5_keytab_t;
+-	')
 +interface(`kerberos_keytab_domains',`
 +    gen_require(`
 +        attribute kerberos_keytab_domain;
 +    ')
-+
+ 
+-	files_search_etc($1)
+-	allow $1 krb5_keytab_t:file rw_file_perms;
 +    typeattribute $1 kerberos_keytab_domain;
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Create, read, write, and delete
+-##	kerberos key table files.
 +##	Read the kerberos kdc configuration file (/etc/krb5kdc.conf).
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -396,8 +316,7 @@ interface(`kerberos_read_kdc_config',`
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
++## <rolecap/>
+ #
+-interface(`kerberos_manage_keytab_files',`
++interface(`kerberos_read_kdc_config',`
+ 	gen_require(`
+-		type krb5_keytab_t;
++		type krb5kdc_conf_t;
+ 	')
+ 
+ 	files_search_etc($1)
+-	allow $1 krb5_keytab_t:file manage_file_perms;
++	read_files_pattern($1, krb5kdc_conf_t, krb5kdc_conf_t)
+ ')
  
  ########################################
  ## <summary>
--##	Create, read, write, and delete
--##	kerberos host rcache files.
+-##	Create specified objects in generic
+-##	etc directories with the kerberos
+-##	keytab file type.
 +##	Read the kerberos kdc configuration file (/etc/krb5kdc.conf).
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -411,34 +330,99 @@ interface(`kerberos_manage_host_rcache',`
- 		type krb5_host_rcache_t;
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+-## <param name="object_class">
+-##	<summary>
+-##	Class of the object being created.
+-##	</summary>
+-## </param>
+-## <param name="name" optional="true">
+-##	<summary>
+-##	The name of the object being created.
+-##	</summary>
+-## </param>
++## <rolecap/>
+ #
+-interface(`kerberos_etc_filetrans_keytab',`
++interface(`kerberos_manage_host_rcache',`
+ 	gen_require(`
+-		type krb5_keytab_t;
++		type krb5_host_rcache_t;
  	')
  
+-	files_etc_filetrans($1, krb5_keytab_t, $2, $3)
 +	# creates files as system_u no matter what the selinux user
 +	# cjp: should be in the below tunable but typeattribute
 +	# does not work in conditionals
- 	domain_obj_id_change_exemption($1)
- 
--	tunable_policy(`allow_kerberos',`
++	domain_obj_id_change_exemption($1)
++
 +	tunable_policy(`kerberos_enabled',`
- 		allow $1 self:process setfscreate;
- 
- 		selinux_validate_context($1)
- 
- 		seutil_read_file_contexts($1)
- 
++		allow $1 self:process setfscreate;
++
++		selinux_validate_context($1)
++
++		seutil_read_file_contexts($1)
++
 +		files_rw_generic_tmp_dir($1)
 +		manage_files_pattern($1, krb5_host_rcache_t, krb5_host_rcache_t)
- 		files_search_tmp($1)
--		allow $1 krb5_host_rcache_t:file manage_file_perms;
- 	')
++		files_search_tmp($1)
++	')
  ')
  
  ########################################
  ## <summary>
--##	Create objects in generic temporary
--##	directories with the kerberos host
--##	rcache type.
+-##	Create a derived type for kerberos
+-##	keytab files.
 +##	All of the rules required to administrate 
 +##	an kerberos environment
  ## </summary>
- ## <param name="domain">
+-## <param name="prefix">
++## <param name="domain">
  ##	<summary>
--##	Domain allowed to transition.
+-##	The prefix to be used for deriving type names.
 +##	Domain allowed access.
  ##	</summary>
  ## </param>
--## <param name="object_class">
+-## <param name="domain">
 +## <param name="role">
  ##	<summary>
--##	Class of the object being created.
+-##	Domain allowed access.
 +##	The role to be allowed to manage the kerberos domain.
-+##	</summary>
-+## </param>
+ ##	</summary>
+ ## </param>
 +## <rolecap/>
-+#
+ #
+-template(`kerberos_keytab_template',`
+-	refpolicywarn(`$0($*) has been deprecated.')
+-	kerberos_read_keytab($2)
+-	kerberos_use($2)
 +interface(`kerberos_admin',`
 +	gen_require(`
 +		type kadmind_t, krb5kdc_t, kerberos_initrc_exec_t;
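Review bot: kerberos_etc_filetrans_keytab grants "allow $1 krb5_keytab_t:file manage_file_perms;" in addition to the type transition, so every caller of what is named as a labelling helper can also read, overwrite and delete any file labelled krb5_keytab_t. Keytabs hold long-term service keys, so I would keep the transition and the manage permission in separate interfaces and have callers request the latter explicitly. In the same hunk, the summary "Read the kerberos kdc configuration file (/etc/krb5kdc.conf)." is attached to kerberos_keytab_domains and kerberos_manage_host_rcache as well as kerberos_read_kdc_config; the first two need their own descriptions.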
@@ -38196,36 +40835,120 @@ index f9de9fc..b573f79 100644
 +	admin_pattern($1, krb5kdc_tmp_t)
 +
 +	admin_pattern($1, krb5kdc_var_run_t)
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Read kerberos kdc configuration files.
 +##	Type transition files created in /tmp
 +##	to the krb5_host_rcache type.
-+## </summary>
-+## <param name="domain">
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+-## <rolecap/>
++## <param name="name" optional="true">
 +##	<summary>
++##	The name of the object being created.
++##	</summary>
++## </param>
+ #
+-interface(`kerberos_read_kdc_config',`
++interface(`kerberos_tmp_filetrans_host_rcache',`
+ 	gen_require(`
+-		type krb5kdc_conf_t;
++		type krb5_host_rcache_t;
+ 	')
+ 
+-	files_search_etc($1)
+-	read_files_pattern($1, krb5kdc_conf_t, krb5kdc_conf_t)
++	manage_files_pattern($1, krb5_host_rcache_t, krb5_host_rcache_t)
++	files_tmp_filetrans($1, krb5_host_rcache_t, file, $2)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Create, read, write, and delete
+-##	kerberos host rcache files.
++##	read kerberos homedir content (.k5login)
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+-## <rolecap/>
+ #
+-interface(`kerberos_manage_host_rcache',`
++interface(`kerberos_read_home_content',`
+ 	gen_require(`
+-		type krb5_host_rcache_t;
++		type krb5_home_t;
+ 	')
+ 
+-	domain_obj_id_change_exemption($1)
+-
+-	tunable_policy(`allow_kerberos',`
+-		allow $1 self:process setfscreate;
+-
+-		selinux_validate_context($1)
+-
+-		seutil_read_file_contexts($1)
+-
+-		files_search_tmp($1)
+-		allow $1 krb5_host_rcache_t:file manage_file_perms;
+-	')
++	userdom_search_user_home_dirs($1)
++	read_files_pattern($1, krb5_home_t, krb5_home_t)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Create objects in generic temporary
+-##	directories with the kerberos host
+-##	rcache type.
++##	create kerberos content in the  in the /root directory
++##	with an correct label.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain allowed to transition.
+-##	</summary>
+-## </param>
+-## <param name="object_class">
+-##	<summary>
+-##	Class of the object being created.
+-##	</summary>
+-## </param>
+-## <param name="name" optional="true">
+-##	<summary>
+-##	The name of the object being created.
 +##	Domain allowed access.
  ##	</summary>
  ## </param>
- ## <param name="name" optional="true">
-@@ -452,12 +436,13 @@ interface(`kerberos_tmp_filetrans_host_rcache',`
- 		type krb5_host_rcache_t;
+ #
+-interface(`kerberos_tmp_filetrans_host_rcache',`
++interface(`kerberos_filetrans_admin_home_content',`
+ 	gen_require(`
+-		type krb5_host_rcache_t;
++		type krb5_home_t;
  	')
  
 -	files_tmp_filetrans($1, krb5_host_rcache_t, $2, $3)
-+	manage_files_pattern($1, krb5_host_rcache_t, krb5_host_rcache_t)
-+	files_tmp_filetrans($1, krb5_host_rcache_t, file, $2)
++	userdom_admin_home_dir_filetrans($1, krb5_home_t, file, ".k5login")
  ')
  
  ########################################
  ## <summary>
 -##	Connect to krb524 service.
-+##	read kerberos homedir content (.k5login)
++##	Transition to kerberos named content
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -465,82 +450,85 @@ interface(`kerberos_tmp_filetrans_host_rcache',`
+-##	Domain allowed access.
++##      Domain allowed access.
  ##	</summary>
  ## </param>
  #
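Review bot: kerberos_tmp_filetrans_host_rcache changes its calling convention: the base passes "$2, $3" (object class, name) through to files_tmp_filetrans, while the patched body hard-codes "file" and uses $2 as the name. A caller written against the base's three-argument form would have its class argument used as the file name, so any such callers need converting in the same patch. Also in this hunk, the summary for kerberos_filetrans_admin_home_content reads "create kerberos content in the  in the /root directory with an correct label." and should be fixed ("in the" is doubled, "an correct" should be "a correct").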
@@ -38240,43 +40963,27 @@ index f9de9fc..b573f79 100644
 -
 -		corenet_sendrecv_kerberos_master_client_packets($1)
 -		corenet_udp_sendrecv_kerberos_master_port($1)
-+interface(`kerberos_read_home_content',`
++interface(`kerberos_filetrans_home_content',`
 +	gen_require(`
 +		type krb5_home_t;
  	')
 +
-+	userdom_search_user_home_dirs($1)
-+	read_files_pattern($1, krb5_home_t, krb5_home_t)
++	userdom_user_home_dir_filetrans($1, krb5_home_t, file, ".k5login")
  ')
  
  ########################################
  ## <summary>
 -##	All of the rules required to
 -##	administrate an kerberos environment.
-+##	create kerberos content in the  in the /root directory
-+##	with an correct label.
++##	Transition to kerberos named content
  ## </summary>
  ## <param name="domain">
  ##	<summary>
- ##	Domain allowed access.
- ##	</summary>
- ## </param>
+-##	Domain allowed access.
+-##	</summary>
+-## </param>
 -## <param name="role">
-+#
-+interface(`kerberos_filetrans_admin_home_content',`
-+	gen_require(`
-+		type krb5_home_t;
-+	')
-+
-+	userdom_admin_home_dir_filetrans($1, krb5_home_t, file, ".k5login")
-+')
-+
-+########################################
-+## <summary>
-+##	Transition to kerberos named content
-+## </summary>
-+## <param name="domain">
- ##	<summary>
+-##	<summary>
 -##	Role allowed access.
 +##      Domain allowed access.
  ##	</summary>
@@ -38284,14 +40991,14 @@ index f9de9fc..b573f79 100644
 -## <rolecap/>
  #
 -interface(`kerberos_admin',`
-+interface(`kerberos_filetrans_home_content',`
++interface(`kerberos_filetrans_named_content',`
  	gen_require(`
 -		type kadmind_t, krb5kdc_t, kerberos_initrc_exec_t;
 -		type kadmind_log_t, kadmind_tmp_t, kadmind_var_run_t;
--		type krb5_conf_t, krb5_keytab_t, krb5kdc_conf_t;
+ 		type krb5_conf_t, krb5_keytab_t, krb5kdc_conf_t;
 -		type krb5kdc_principal_t, krb5kdc_tmp_t, kpropd_t;
 -		type krb5kdc_var_run_t, krb5_host_rcache_t;
-+		type krb5_home_t;
++		type krb5kdc_principal_t;
  	')
  
 -	allow $1 { kadmind_t krb5kdc_t kpropd }:process { ptrace signal_perms };
@@ -38319,27 +41026,10 @@ index f9de9fc..b573f79 100644
 -
 -	files_list_pids($1)
 -	admin_pattern($1, { kadmind_var_run_t krb5kdc_var_run_t })
-+	userdom_user_home_dir_filetrans($1, krb5_home_t, file, ".k5login")
-+')
- 
+-
 -	files_list_etc($1)
 -	admin_pattern($1, krb5_conf_t)
-+########################################
-+## <summary>
-+##	Transition to kerberos named content
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##      Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`kerberos_filetrans_named_content',`
-+	gen_require(`
-+		type krb5_conf_t, krb5_keytab_t, krb5kdc_conf_t;
-+		type krb5kdc_principal_t;
-+	')
- 
+-
  	files_etc_filetrans($1, krb5_conf_t, file, "krb5.conf")
 -
 -	admin_pattern($1, { krb5_keytab_t  krb5kdc_principal_t })
@@ -38366,16 +41056,16 @@ index f9de9fc..b573f79 100644
 +	kerberos_tmp_filetrans_host_rcache($1, "ldap_55")
  ')
 diff --git a/kerberos.te b/kerberos.te
-index 3465a9a..31ad037 100644
+index 8833d59..31ad037 100644
 --- a/kerberos.te
 +++ b/kerberos.te
 @@ -1,4 +1,4 @@
--policy_module(kerberos, 1.11.7)
+-policy_module(kerberos, 1.12.0)
 +policy_module(kerberos, 1.11.0)
  
  ########################################
  #
-@@ -6,11 +6,13 @@ policy_module(kerberos, 1.11.7)
+@@ -6,11 +6,13 @@ policy_module(kerberos, 1.12.0)
  #
  
  ## <desc>
@@ -38767,9 +41457,15 @@ index 714448f..fa0c994 100644
  	domain_system_change_exemption($1)
  	role_transition $2 kerneloops_initrc_exec_t system_r;
 diff --git a/kerneloops.te b/kerneloops.te
-index 1101985..7f1061d 100644
+index bcdb295..7f1061d 100644
 --- a/kerneloops.te
 +++ b/kerneloops.te
+@@ -1,4 +1,4 @@
+-policy_module(kerneloops, 1.5.0)
++policy_module(kerneloops, 1.4.1)
+ 
+ ########################################
+ #
 @@ -31,7 +31,6 @@ kernel_read_ring_buffer(kerneloops_t)
  
  domain_use_interactive_fds(kerneloops_t)
@@ -38840,9 +41536,15 @@ index 8982b91..6134ef2 100644
 +    allow $1 keyboardd_t:fifo_file read_fifo_file_perms;
  ')
 diff --git a/keyboardd.te b/keyboardd.te
-index adfe3dc..a60b664 100644
+index 628b78b..a60b664 100644
 --- a/keyboardd.te
 +++ b/keyboardd.te
+@@ -1,4 +1,4 @@
+-policy_module(keyboardd, 1.1.0)
++policy_module(keyboardd, 1.0.1)
+ 
+ ########################################
+ #
 @@ -19,6 +19,3 @@ allow keyboardd_t self:unix_stream_socket create_stream_socket_perms;
  
  files_manage_etc_runtime_files(keyboardd_t)
@@ -38867,7 +41569,7 @@ index b273d80..6a07210 100644
 +
 +/var/run/keystone(/.*)?	gen_context(system_u:object_r:keystone_var_run_t,s0)
 diff --git a/keystone.if b/keystone.if
-index d3e7fc9..f20248c 100644
+index e88fb16..f20248c 100644
 --- a/keystone.if
 +++ b/keystone.if
 @@ -1,42 +1,218 @@
@@ -39091,8 +41793,7 @@ index d3e7fc9..f20248c 100644
  	logging_search_logs($1)
  	admin_pattern($1, keystone_log_t)
  
--	files_search_var_lib($1
-+	files_search_var_lib($1)
+ 	files_search_var_lib($1)
  	admin_pattern($1, keystone_var_lib_t)
  
 -	files_search_tmp($1)
@@ -39106,9 +41807,15 @@ index d3e7fc9..f20248c 100644
 +	')
  ')
 diff --git a/keystone.te b/keystone.te
-index 3494d9b..6009a94 100644
+index 9929647..6009a94 100644
 --- a/keystone.te
 +++ b/keystone.te
+@@ -1,4 +1,4 @@
+-policy_module(keystone, 1.1.0)
++policy_module(keystone, 1.0.1)
+ 
+ ########################################
+ #
 @@ -18,13 +18,20 @@ logging_log_file(keystone_log_t)
  type keystone_var_lib_t;
  files_type(keystone_var_lib_t)
@@ -39207,9 +41914,15 @@ index aa2a337..7ff229f 100644
  	files_search_var_lib($1)
  	admin_pattern($1, kismet_var_lib_t)
 diff --git a/kismet.te b/kismet.te
-index ea64ed5..e60f701 100644
+index 8ad0d4d..e60f701 100644
 --- a/kismet.te
 +++ b/kismet.te
+@@ -1,4 +1,4 @@
+-policy_module(kismet, 1.7.0)
++policy_module(kismet, 1.6.1)
+ 
+ ########################################
+ #
 @@ -81,25 +81,22 @@ kernel_read_network_state(kismet_t)
  
  corecmd_exec_bin(kismet_t)
@@ -39257,7 +41970,7 @@ index e736c45..4b1e1e4 100644
  
  /var/log/ksmtuned.*	gen_context(system_u:object_r:ksmtuned_log_t,s0)
 diff --git a/ksmtuned.if b/ksmtuned.if
-index c530214..3ac0b8b 100644
+index 93a64bc..3ac0b8b 100644
 --- a/ksmtuned.if
 +++ b/ksmtuned.if
 @@ -38,6 +38,29 @@ interface(`ksmtuned_initrc_domtrans',`
@@ -39313,15 +42026,15 @@ index c530214..3ac0b8b 100644
 -	domain_system_change_exemption($1)
 -	role_transition $2 ksmtuned_initrc_exec_t system_r;
 -	allow $2 system_r;
+-
+-	allow $1 ksmtuned_t:process { ptrace signal_perms };
 +	allow $1 ksmtuned_t:process signal_perms;
-+	ps_process_pattern($1, ksmtuned_t)
+ 	ps_process_pattern($1, ksmtuned_t)
  
--	allow $1 ksmtuned_t:process { ptrace signal_perms };
--	ps_process_pattern(ksmtumed_t)
 +	tunable_policy(`deny_ptrace',`',`
 +		allow $1 ksmtuned_t:process ptrace;
 +	')
- 
++
  	files_list_pids($1)
  	admin_pattern($1, ksmtuned_var_run_t)
  
@@ -39333,10 +42046,15 @@ index c530214..3ac0b8b 100644
 +	allow $1 ksmtuned_unit_file_t:service all_service_perms;
  ')
 diff --git a/ksmtuned.te b/ksmtuned.te
-index c1539b5..fd0a17f 100644
+index 8eef134..fd0a17f 100644
 --- a/ksmtuned.te
 +++ b/ksmtuned.te
-@@ -5,10 +5,27 @@ policy_module(ksmtuned, 1.0.1)
+@@ -1,14 +1,31 @@
+-policy_module(ksmtuned, 1.1.1)
++policy_module(ksmtuned, 1.0.1)
+ 
+ ########################################
+ #
  # Declarations
  #
  
@@ -39478,13 +42196,20 @@ index 19777b8..55d1556 100644
 +	')
 +')
 diff --git a/ktalk.te b/ktalk.te
-index 2cf3815..f932c32 100644
+index c5548c5..f932c32 100644
 --- a/ktalk.te
 +++ b/ktalk.te
-@@ -7,11 +7,15 @@ policy_module(ktalk, 1.8.1)
+@@ -1,4 +1,4 @@
+-policy_module(ktalk, 1.9.2)
++policy_module(ktalk, 1.8.1)
+ 
+ ########################################
+ #
+@@ -7,12 +7,15 @@ policy_module(ktalk, 1.9.2)
  
  type ktalkd_t;
  type ktalkd_exec_t;
+-init_daemon_domain(ktalkd_t, ktalkd_exec_t)
 +init_domain(ktalkd_t, ktalkd_exec_t)
  inetd_udp_service_domain(ktalkd_t, ktalkd_exec_t)
  
@@ -39497,19 +42222,24 @@ index 2cf3815..f932c32 100644
  type ktalkd_tmp_t;
  files_tmp_file(ktalkd_tmp_t)
  
-@@ -35,11 +39,21 @@ kernel_read_kernel_sysctls(ktalkd_t)
+@@ -36,21 +39,21 @@ kernel_read_kernel_sysctls(ktalkd_t)
  kernel_read_system_state(ktalkd_t)
  kernel_read_network_state(ktalkd_t)
  
-+corenet_all_recvfrom_netlabel(ktalkd_t)
+-corenet_all_recvfrom_unlabeled(ktalkd_t)
+ corenet_all_recvfrom_netlabel(ktalkd_t)
 +corenet_tcp_sendrecv_generic_if(ktalkd_t)
-+corenet_udp_sendrecv_generic_if(ktalkd_t)
+ corenet_udp_sendrecv_generic_if(ktalkd_t)
 +corenet_tcp_sendrecv_generic_node(ktalkd_t)
-+corenet_udp_sendrecv_generic_node(ktalkd_t)
+ corenet_udp_sendrecv_generic_node(ktalkd_t)
+-corenet_udp_bind_generic_node(ktalkd_t)
+-
+-corenet_sendrecv_ktalkd_server_packets(ktalkd_t)
 +corenet_tcp_sendrecv_all_ports(ktalkd_t)
 +corenet_udp_sendrecv_all_ports(ktalkd_t)
-+corenet_udp_bind_ktalkd_port(ktalkd_t)
-+
+ corenet_udp_bind_ktalkd_port(ktalkd_t)
+-corenet_udp_sendrecv_ktalkd_port(ktalkd_t)
+ 
  dev_read_urand(ktalkd_t)
  
  fs_getattr_xattr_fs(ktalkd_t)
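Review bot: The network rules for ktalkd_t get wider in this hunk: the port-specific corenet_udp_sendrecv_ktalkd_port(ktalkd_t) is removed while corenet_tcp_sendrecv_all_ports and corenet_udp_sendrecv_all_ports are added, along with TCP generic_if and generic_node rules for a domain that is declared with inetd_udp_service_domain a few lines earlier. Unless ktalkd really uses TCP or other ports, keep the ktalkd-port rule and drop the all_ports and TCP lines. Also, corenet_udp_bind_generic_node is removed while corenet_udp_bind_ktalkd_port stays; please confirm the socket is always inherited from inetd, since a bind by ktalkd itself needs the node permission as well.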
@@ -39520,7 +42250,7 @@ index 2cf3815..f932c32 100644
  
  auth_use_nsswitch(ktalkd_t)
  
-@@ -47,4 +61,5 @@ init_read_utmp(ktalkd_t)
+@@ -58,4 +61,5 @@ init_read_utmp(ktalkd_t)
  
  logging_send_syslog_msg(ktalkd_t)
  
@@ -39547,9 +42277,15 @@ index 5297064..6ba8108 100644
  	domain_system_change_exemption($1)
  	role_transition $2 kudzu_initrc_exec_t system_r;
 diff --git a/kudzu.te b/kudzu.te
-index 9725f1a..34aa63b 100644
+index 1664036..34aa63b 100644
 --- a/kudzu.te
 +++ b/kudzu.te
+@@ -1,4 +1,4 @@
+-policy_module(kudzu, 1.9.0)
++policy_module(kudzu, 1.8.2)
+ 
+ ########################################
+ #
 @@ -63,7 +63,6 @@ dev_rwx_zero(kudzu_t)
  domain_use_interactive_fds(kudzu_t)
  
@@ -39824,9 +42560,15 @@ index 73e2803..34ca3aa 100644
  	role_transition $2 l2tpd_initrc_exec_t system_r;
  	allow $2 system_r;
 diff --git a/l2tp.te b/l2tp.te
-index 19f2b97..bbbda10 100644
+index bb06a7f..bbbda10 100644
 --- a/l2tp.te
 +++ b/l2tp.te
+@@ -1,4 +1,4 @@
+-policy_module(l2tp, 1.1.0)
++policy_module(l2tp, 1.0.5)
+ 
+ ########################################
+ #
 @@ -27,7 +27,7 @@ files_pid_file(l2tpd_var_run_t)
  #
  
@@ -39894,10 +42636,10 @@ index 19f2b97..bbbda10 100644
  	ppp_signal(l2tpd_t)
  	ppp_kill(l2tpd_t)
 diff --git a/ldap.fc b/ldap.fc
-index bc25c95..6692d91 100644
+index b7e5679..6692d91 100644
 --- a/ldap.fc
 +++ b/ldap.fc
-@@ -1,8 +1,11 @@
+@@ -1,29 +1,26 @@
  /etc/ldap/slapd\.conf	--	gen_context(system_u:object_r:slapd_etc_t,s0)
 -/etc/openldap/certs(/.*)?	gen_context(system_u:object_r:slapd_cert_t,s0)
 +
@@ -39911,7 +42653,19 @@ index bc25c95..6692d91 100644
  
  /usr/sbin/slapd	--	gen_context(system_u:object_r:slapd_exec_t,s0)
  
-@@ -17,8 +20,7 @@
+-/usr/lib/openldap/slapd	--	gen_context(system_u:object_r:slapd_exec_t,s0)
+ /usr/lib/slapd	--	gen_context(system_u:object_r:slapd_exec_t,s0)
+ 
+ /var/lib/ldap(/.*)?	gen_context(system_u:object_r:slapd_db_t,s0)
+ /var/lib/ldap/replog(/.*)?	gen_context(system_u:object_r:slapd_replog_t,s0)
+ 
+-/var/lib/openldap-data(/.*)?	gen_context(system_u:object_r:slapd_db_t,s0)
+-/var/lib/openldap-ldbm(/.*)?	gen_context(system_u:object_r:slapd_db_t,s0)
+-/var/lib/openldap-slurpd(/.*)?	gen_context(system_u:object_r:slapd_db_t,s0)
+-
+ /var/lock/subsys/ldap	--	gen_context(system_u:object_r:slapd_lock_t,s0)
+ /var/lock/subsys/slapd	--	gen_context(system_u:object_r:slapd_lock_t,s0)
+ 
  /var/log/ldap.*	gen_context(system_u:object_r:slapd_log_t,s0)
  /var/log/slapd.*	gen_context(system_u:object_r:slapd_log_t,s0)
  
@@ -39925,7 +42679,7 @@ index bc25c95..6692d91 100644
 +/var/run/slapd\.args    --      gen_context(system_u:object_r:slapd_var_run_t,s0)
 +/var/run/slapd\.pid     --      gen_context(system_u:object_r:slapd_var_run_t,s0)
 diff --git a/ldap.if b/ldap.if
-index ee0c7cc..4ac8f2d 100644
+index 3602712..4ac8f2d 100644
 --- a/ldap.if
 +++ b/ldap.if
 @@ -1,8 +1,68 @@
@@ -40132,7 +42886,7 @@ index ee0c7cc..4ac8f2d 100644
  		type slapd_t, slapd_tmp_t, slapd_replog_t;
  		type slapd_lock_t, slapd_etc_t, slapd_var_run_t;
 -		type slapd_initrc_exec_t, slapd_log_t, slapd_cert_t;
--		type slapd_db_t;
+-		type slapd_db_t, slapd_keytab_t;
 +		type slapd_initrc_exec_t;
 +		type slapd_unit_file_t;
  	')
@@ -40151,7 +42905,7 @@ index ee0c7cc..4ac8f2d 100644
  	allow $2 system_r;
  
  	files_list_etc($1)
--	admin_pattern($1, { slapd_etc_t slapd_db_t slapd_cert_t })
+-	admin_pattern($1, { slapd_etc_t slapd_db_t slapd_cert_t slapd_keytab_t })
 +	admin_pattern($1, slapd_etc_t)
  
 -	files_list_locks($1)
@@ -40175,20 +42929,27 @@ index ee0c7cc..4ac8f2d 100644
 +	allow $1 slapd_unit_file_t:service all_service_perms;
  ')
 diff --git a/ldap.te b/ldap.te
-index d7d9b09..d0fdb7c 100644
+index 4c2b111..d0fdb7c 100644
 --- a/ldap.te
 +++ b/ldap.te
-@@ -21,6 +21,9 @@ files_config_file(slapd_etc_t)
+@@ -1,4 +1,4 @@
+-policy_module(ldap, 1.11.1)
++policy_module(ldap, 1.10.2)
+ 
+ ########################################
+ #
+@@ -21,8 +21,8 @@ files_config_file(slapd_etc_t)
  type slapd_initrc_exec_t;
  init_script_file(slapd_initrc_exec_t)
  
+-type slapd_keytab_t;
+-files_type(slapd_keytab_t)
 +type slapd_unit_file_t;
 +systemd_unit_file(slapd_unit_file_t)
-+
+ 
  type slapd_lock_t;
  files_lock_file(slapd_lock_t)
- 
-@@ -46,7 +49,7 @@ files_pid_file(slapd_var_run_t)
+@@ -49,7 +49,7 @@ files_pid_file(slapd_var_run_t)
  
  allow slapd_t self:capability { kill setgid setuid net_raw dac_override dac_read_search };
  dontaudit slapd_t self:capability sys_tty_config;
@@ -40197,7 +42958,13 @@ index d7d9b09..d0fdb7c 100644
  allow slapd_t self:fifo_file rw_fifo_file_perms;
  allow slapd_t self:tcp_socket { accept listen };
  
-@@ -64,9 +67,7 @@ allow slapd_t slapd_lock_t:file manage_file_perms;
+@@ -63,15 +63,11 @@ manage_lnk_files_pattern(slapd_t, slapd_db_t, slapd_db_t)
+ 
+ allow slapd_t slapd_etc_t:file read_file_perms;
+ 
+-allow slapd_t slapd_keytab_t:file read_file_perms;
+-
+ allow slapd_t slapd_lock_t:file manage_file_perms;
  files_lock_filetrans(slapd_t, slapd_lock_t, file)
  
  manage_dirs_pattern(slapd_t, slapd_log_t, slapd_log_t)
@@ -40208,7 +42975,7 @@ index d7d9b09..d0fdb7c 100644
  logging_log_filetrans(slapd_t, slapd_log_t, { file dir })
  
  manage_dirs_pattern(slapd_t, slapd_replog_t, slapd_replog_t)
-@@ -88,7 +89,6 @@ files_pid_filetrans(slapd_t, slapd_var_run_t, { dir file sock_file })
+@@ -93,7 +89,6 @@ files_pid_filetrans(slapd_t, slapd_var_run_t, { dir file sock_file })
  kernel_read_system_state(slapd_t)
  kernel_read_kernel_sysctls(slapd_t)
  
@@ -40216,7 +42983,7 @@ index d7d9b09..d0fdb7c 100644
  corenet_all_recvfrom_netlabel(slapd_t)
  corenet_tcp_sendrecv_generic_if(slapd_t)
  corenet_tcp_sendrecv_generic_node(slapd_t)
-@@ -110,25 +110,23 @@ fs_getattr_all_fs(slapd_t)
+@@ -115,26 +110,23 @@ fs_getattr_all_fs(slapd_t)
  fs_search_auto_mountpoints(slapd_t)
  
  files_read_etc_runtime_files(slapd_t)
@@ -40235,11 +43002,13 @@ index d7d9b09..d0fdb7c 100644
  userdom_dontaudit_search_user_home_dirs(slapd_t)
  
  optional_policy(`
- 	kerberos_keytab_template(slapd, slapd_t)
 -	kerberos_manage_host_rcache(slapd_t)
+-	kerberos_read_keytab(slapd_t)
 -	kerberos_tmp_filetrans_host_rcache(slapd_t, file, "ldapmap1_0")
 -	kerberos_tmp_filetrans_host_rcache(slapd_t, file, "ldap_487")
 -	kerberos_tmp_filetrans_host_rcache(slapd_t, file, "ldap_55")
+-	kerberos_use(slapd_t)
++	kerberos_keytab_template(slapd, slapd_t)
 +	kerberos_tmp_filetrans_host_rcache(slapd_t, "ldapmap1_0")
 +	kerberos_tmp_filetrans_host_rcache(slapd_t, "ldap_487")
 +	kerberos_tmp_filetrans_host_rcache(slapd_t, "ldap_55")
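Review bot: in the optional_policy block of ldap.te, kerberos_use(slapd_t) and kerberos_read_keytab(slapd_t) are removed and only kerberos_keytab_template(slapd, slapd_t) is added, after slapd_keytab_t and its read rule were dropped earlier in the same file. State in the changelog that the template is what now gives slapd its keytab and Kerberos client access, or keep kerberos_use(slapd_t). The kept kerberos_tmp_filetrans_host_rcache calls also pass two arguments where the removed ones pass three (slapd_t, file, name), so check them against the interface definition in this branch.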
@@ -40260,9 +43029,15 @@ index 33a28b9..33ffe24 100644
 +	')
  ')
 diff --git a/lightsquid.te b/lightsquid.te
-index 40a2607..308accb 100644
+index 09c4f27..308accb 100644
 --- a/lightsquid.te
 +++ b/lightsquid.te
+@@ -1,4 +1,4 @@
+-policy_module(lightsquid, 1.1.0)
++policy_module(lightsquid, 1.0.2)
+ 
+ ########################################
+ #
 @@ -31,11 +31,6 @@ corecmd_exec_shell(lightsquid_t)
  
  dev_read_urand(lightsquid_t)
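Review bot: the added policy_module(lightsquid, 1.0.2) line sets the module version below the 1.1.0 it replaces, and the same rollback appears in the kudzu, l2tp, ldap, likewise and other .te hunks of this commit. Unless something depends on the older numbers, leave the base version alone: that removes one hunk per module and keeps the declared version in step with the tree the patch applies to.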
@@ -40418,9 +43193,15 @@ index bd20e8c..3393a01 100644
 -	admin_pattern($1, { lwregd_var_run_t netlogond_var_run_t srvsvcd_var_run_t })
 -')
 diff --git a/likewise.te b/likewise.te
-index 408fbe3..e86ead6 100644
+index d8c2442..e86ead6 100644
 --- a/likewise.te
 +++ b/likewise.te
+@@ -1,4 +1,4 @@
+-policy_module(likewise, 1.3.0)
++policy_module(likewise, 1.2.1)
+ 
+ #################################
+ #
 @@ -26,7 +26,7 @@ type likewise_var_lib_t;
  files_type(likewise_var_lib_t)
  
@@ -40485,9 +43266,15 @@ index dff21a7..b6981c8 100644
  	init_labeled_script_domtrans($1, lircd_initrc_exec_t)
  	domain_system_change_exemption($1)
 diff --git a/lircd.te b/lircd.te
-index 98b5405..1150694 100644
+index 483c87b..1150694 100644
 --- a/lircd.te
 +++ b/lircd.te
+@@ -1,4 +1,4 @@
+-policy_module(lircd, 1.2.0)
++policy_module(lircd, 1.1.2)
+ 
+ ########################################
+ #
 @@ -13,7 +13,7 @@ type lircd_initrc_exec_t;
  init_script_file(lircd_initrc_exec_t)
  
@@ -40555,9 +43342,15 @@ index e354181..c6b2383 100644
  
  ########################################
 diff --git a/livecd.te b/livecd.te
-index 33f64b5..a920c08 100644
+index 2f974bf..a920c08 100644
 --- a/livecd.te
 +++ b/livecd.te
+@@ -1,4 +1,4 @@
+-policy_module(livecd, 1.3.0)
++policy_module(livecd, 1.2.1)
+ 
+ ########################################
+ #
 @@ -21,9 +21,11 @@ files_tmp_file(livecd_tmp_t)
  # Local policy
  #
@@ -40638,9 +43431,15 @@ index d18c960..fb5b674 100644
  	domain_system_change_exemption($1)
  	role_transition $2 lldpad_initrc_exec_t system_r;
 diff --git a/lldpad.te b/lldpad.te
-index 648def0..07f58a5 100644
+index 2a491d9..07f58a5 100644
 --- a/lldpad.te
 +++ b/lldpad.te
+@@ -1,4 +1,4 @@
+-policy_module(lldpad, 1.1.0)
++policy_module(lldpad, 1.0.1)
+ 
+ ########################################
+ #
 @@ -26,7 +26,7 @@ files_pid_file(lldpad_var_run_t)
  # Local policy
  #
@@ -40669,9 +43468,15 @@ index 648def0..07f58a5 100644
 +    networkmanager_dgram_send(lldpad_t)
 +')
 diff --git a/loadkeys.te b/loadkeys.te
-index 6cbb977..bd5406a 100644
+index d2f4643..bd5406a 100644
 --- a/loadkeys.te
 +++ b/loadkeys.te
+@@ -1,4 +1,4 @@
+-policy_module(loadkeys, 1.9.0)
++policy_module(loadkeys, 1.8.1)
+ 
+ ########################################
+ #
 @@ -25,20 +25,19 @@ kernel_read_system_state(loadkeys_t)
  corecmd_exec_bin(loadkeys_t)
  corecmd_exec_shell(loadkeys_t)
@@ -40727,9 +43532,15 @@ index 4313b8b..cd1435c 100644
  ## <summary>
  ##	Role access for lockdev.
 diff --git a/lockdev.te b/lockdev.te
-index db87831..30bfb76 100644
+index 61db5a0..30bfb76 100644
 --- a/lockdev.te
 +++ b/lockdev.te
+@@ -1,4 +1,4 @@
+-policy_module(lockdev, 1.5.0)
++policy_module(lockdev, 1.4.1)
+ 
+ ########################################
+ #
 @@ -36,4 +36,5 @@ fs_getattr_xattr_fs(lockdev_t)
  
  logging_send_syslog_msg(lockdev_t)
@@ -40809,11 +43620,11 @@ index dd8e01a..9cd6b0b 100644
  ## <param name="domain">
  ##	<summary>
 diff --git a/logrotate.te b/logrotate.te
-index 7bab8e5..5c1e801 100644
+index be0ab84..5c1e801 100644
 --- a/logrotate.te
 +++ b/logrotate.te
 @@ -1,20 +1,26 @@
--policy_module(logrotate, 1.14.5)
+-policy_module(logrotate, 1.15.0)
 +policy_module(logrotate, 1.14.0)
  
  ########################################
@@ -40956,8 +43767,9 @@ index 7bab8e5..5c1e801 100644
 -auth_manage_login_records(logrotate_t)
 -auth_use_nsswitch(logrotate_t)
 -
+-init_all_labeled_script_domtrans(logrotate_t)
 +# cjp: why is this needed?
- init_domtrans_script(logrotate_t)
++init_domtrans_script(logrotate_t)
  
  logging_manage_all_logs(logrotate_t)
  logging_send_syslog_msg(logrotate_t)
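Review bot: init_domtrans_script(logrotate_t) is put back in place of init_all_labeled_script_domtrans(logrotate_t) under the comment "# cjp: why is this needed?", so the rule's justification is still an open question in the policy source. Replace the comment with the reason logrotate needs the init script transition, or drop the rule if no reason is known.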
@@ -41128,20 +43940,30 @@ index 7bab8e5..5c1e801 100644
  logging_read_all_logs(logrotate_mail_t)
 +manage_files_pattern(logrotate_mail_t, logrotate_tmp_t, logrotate_tmp_t)
 diff --git a/logwatch.te b/logwatch.te
-index 4256a4c..9125f9f 100644
+index ab65034..9125f9f 100644
 --- a/logwatch.te
 +++ b/logwatch.te
-@@ -5,9 +5,17 @@ policy_module(logwatch, 1.11.6)
- # Declarations
+@@ -1,4 +1,4 @@
+-policy_module(logwatch, 1.12.2)
++policy_module(logwatch, 1.11.6)
+ 
+ #################################
+ #
+@@ -6,16 +6,16 @@ policy_module(logwatch, 1.12.2)
  #
  
-+## <desc>
+ ## <desc>
+-##	<p>
+-##	Determine whether logwatch can connect
+-##	to mail over the network.
+-##	</p>
 +## <p>
 +## Allow epylog to send mail
 +## </p>
-+## </desc>
+ ## </desc>
+-gen_tunable(logwatch_can_network_connect_mail, false)
 +gen_tunable(logwatch_can_sendmail, false)
-+
+ 
  type logwatch_t;
  type logwatch_exec_t;
 -init_system_domain(logwatch_t, logwatch_exec_t)
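Review bot: the description kept for gen_tunable(logwatch_can_sendmail, false) reads "Allow epylog to send mail", which names a different program than the logwatch module it is declared in. Reword it to describe logwatch, and since this hunk also removes logwatch_can_network_connect_mail, say in the description what logwatch_can_sendmail permits so the two booleans are not confused.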
@@ -41150,7 +43972,7 @@ index 4256a4c..9125f9f 100644
  
  type logwatch_cache_t;
  files_type(logwatch_cache_t)
-@@ -37,7 +45,8 @@ allow logwatch_t self:unix_stream_socket { accept listen };
+@@ -45,7 +45,8 @@ allow logwatch_t self:unix_stream_socket { accept listen };
  manage_dirs_pattern(logwatch_t, logwatch_cache_t, logwatch_cache_t)
  manage_files_pattern(logwatch_t, logwatch_cache_t, logwatch_cache_t)
  
@@ -41160,7 +43982,7 @@ index 4256a4c..9125f9f 100644
  files_lock_filetrans(logwatch_t, logwatch_lock_t, file)
  
  manage_dirs_pattern(logwatch_t, logwatch_tmp_t, logwatch_tmp_t)
-@@ -67,10 +76,11 @@ files_list_var(logwatch_t)
+@@ -75,10 +76,11 @@ files_list_var(logwatch_t)
  files_search_all(logwatch_t)
  files_read_var_symlinks(logwatch_t)
  files_read_etc_runtime_files(logwatch_t)
@@ -41173,7 +43995,7 @@ index 4256a4c..9125f9f 100644
  fs_dontaudit_list_auto_mountpoints(logwatch_t)
  fs_list_inotifyfs(logwatch_t)
  
-@@ -92,13 +102,14 @@ libs_read_lib_files(logwatch_t)
+@@ -100,32 +102,18 @@ libs_read_lib_files(logwatch_t)
  logging_read_all_logs(logwatch_t)
  logging_send_syslog_msg(logwatch_t) 
  
@@ -41189,7 +44011,26 @@ index 4256a4c..9125f9f 100644
  
  mta_sendmail_domtrans(logwatch_t, logwatch_mail_t)
  mta_getattr_spool(logwatch_t)
-@@ -137,6 +148,12 @@ optional_policy(`
+ 
+-tunable_policy(`logwatch_can_network_connect_mail',`
+-	corenet_all_recvfrom_unlabeled(logwatch_t)
+-	corenet_all_recvfrom_netlabel(logwatch_t)
+-	corenet_tcp_sendrecv_generic_if(logwatch_t)
+-	corenet_tcp_sendrecv_generic_node(logwatch_t)
+-
+-	corenet_sendrecv_smtp_client_packets(logwatch_t)
+-	corenet_tcp_connect_smtp_port(logwatch_t)
+-	corenet_tcp_sendrecv_smtp_port(logwatch_t)
+-
+-	corenet_sendrecv_pop_client_packets(logwatch_t)
+-	corenet_tcp_connect_pop_port(logwatch_t)
+-	corenet_tcp_sendrecv_pop_port(logwatch_t)
+-')
+-
+ tunable_policy(`use_nfs_home_dirs',`
+ 	fs_list_nfs(logwatch_t)
+ ')
+@@ -160,6 +148,12 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -41202,7 +44043,7 @@ index 4256a4c..9125f9f 100644
  	rpc_search_nfs_state_data(logwatch_t)
  ')
  
-@@ -145,6 +162,13 @@ optional_policy(`
+@@ -168,6 +162,13 @@ optional_policy(`
  	samba_read_share_files(logwatch_t)
  ')
  
@@ -41216,7 +44057,7 @@ index 4256a4c..9125f9f 100644
  ########################################
  #
  # Mail local policy
-@@ -164,6 +188,19 @@ dev_read_sysfs(logwatch_mail_t)
+@@ -187,6 +188,19 @@ dev_read_sysfs(logwatch_mail_t)
  
  logging_read_all_logs(logwatch_mail_t)
  
@@ -41429,9 +44270,15 @@ index 6256371..ce2acb8 100644
  	can_exec($1, lpr_exec_t)
  ')
 diff --git a/lpd.te b/lpd.te
-index b9270f7..15f3748 100644
+index 39d3164..15f3748 100644
 --- a/lpd.te
 +++ b/lpd.te
+@@ -1,4 +1,4 @@
+-policy_module(lpd, 1.14.0)
++policy_module(lpd, 1.13.5)
+ 
+ ########################################
+ #
 @@ -48,7 +48,7 @@ userdom_user_tmp_file(lpr_tmp_t)
  type print_spool_t;
  typealias print_spool_t alias { user_print_spool_t staff_print_spool_t sysadm_print_spool_t };
@@ -41583,29 +44430,32 @@ index b9270f7..15f3748 100644
 +	mozilla_plugin_dontaudit_rw_tmp_files(lpr_t)
  ')
 diff --git a/lsm.fc b/lsm.fc
-new file mode 100644
-index 0000000..d60293d
---- /dev/null
+index c455730..d60293d 100644
+--- a/lsm.fc
 +++ b/lsm.fc
-@@ -0,0 +1,7 @@
+@@ -1,3 +1,7 @@
+-/usr/bin/lsmd	--	gen_context(system_u:object_r:lsmd_exec_t,s0)
 +/usr/bin/lsmd		--	gen_context(system_u:object_r:lsmd_exec_t,s0)
-+
+ 
+-/var/run/lsm(/.*)?	gen_context(system_u:object_r:lsmd_var_run_t,s0)
 +/usr/bin/.*_lsmplugin    --  gen_context(system_u:object_r:lsmd_plugin_exec_t,s0)
 +
 +/usr/lib/systemd/system/libstoragemgmt.*		--	gen_context(system_u:object_r:lsmd_unit_file_t,s0)
 +
 +/var/run/lsm(/.*)?	    gen_context(system_u:object_r:lsmd_var_run_t,s0)
 diff --git a/lsm.if b/lsm.if
-new file mode 100644
-index 0000000..da30c5d
---- /dev/null
+index d314333..da30c5d 100644
+--- a/lsm.if
 +++ b/lsm.if
-@@ -0,0 +1,99 @@
+@@ -1,25 +1,85 @@
+-## <summary>Storage array management library.</summary>
 +
 +## <summary>libStorageMgmt  plug-in  daemon </summary>
-+
-+########################################
-+## <summary>
+ 
+ ########################################
+ ## <summary>
+-##	All of the rules required to administrate
+-##	an lsmd environment.
 +##	Execute TEMPLATE in the lsmd domin.
 +## </summary>
 +## <param name="domain">
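Review bot: the interface summary "Execute TEMPLATE in the lsmd domin." in lsm.if still carries the generator placeholder and misspells "domain"; now that lsm.if is a modification of an existing file rather than a new one, fix the text to name lsmd. In lsm.fc the /usr/bin/lsmd and /var/run/lsm(/.*)? entries differ from the removed lines only in whitespace, so those two changes can be dropped.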
@@ -41625,12 +44475,13 @@ index 0000000..da30c5d
 +########################################
 +## <summary>
 +##	Read lsmd PID files.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+-## <param name="role">
 +#
 +interface(`lsmd_read_pid_files',`
 +	gen_require(`
@@ -41672,24 +44523,26 @@ index 0000000..da30c5d
 +##	an lsmd environment
 +## </summary>
 +## <param name="domain">
-+##	<summary>
+ ##	<summary>
+-##	Role allowed access.
 +##	Domain allowed access.
-+##	</summary>
-+## </param>
-+## <rolecap/>
-+#
-+interface(`lsmd_admin',`
-+	gen_require(`
+ ##	</summary>
+ ## </param>
+ ## <rolecap/>
+ #
+ interface(`lsmd_admin',`
+ 	gen_require(`
+-		type lsmd_t, type lsmd_var_run_t;
 +		type lsmd_t;
 +		type lsmd_var_run_t;
 +		type lsmd_unit_file_t;
-+	')
-+
-+	allow $1 lsmd_t:process { ptrace signal_perms };
-+	ps_process_pattern($1, lsmd_t)
-+
-+	files_search_pids($1)
-+	admin_pattern($1, lsmd_var_run_t)
+ 	')
+ 
+ 	allow $1 lsmd_t:process { ptrace signal_perms };
+@@ -27,4 +87,13 @@ interface(`lsmd_admin',`
+ 
+ 	files_search_pids($1)
+ 	admin_pattern($1, lsmd_var_run_t)
 +
 +	lsmd_systemctl($1)
 +	admin_pattern($1, lsmd_unit_file_t)
@@ -41699,19 +44552,15 @@ index 0000000..da30c5d
 +		systemd_passwd_agent_exec($1)
 +		systemd_read_fifo_file_passwd_run($1)
 +	')
-+')
+ ')
 diff --git a/lsm.te b/lsm.te
-new file mode 100644
-index 0000000..7e8fde0
---- /dev/null
+index 4ec0eea..7e8fde0 100644
+--- a/lsm.te
 +++ b/lsm.te
-@@ -0,0 +1,90 @@
-+policy_module(lsm, 1.0.0)
-+
-+########################################
-+#
-+# Declarations
-+#
+@@ -4,6 +4,13 @@ policy_module(lsm, 1.0.0)
+ #
+ # Declarations
+ #
 +## <desc>
 +##	<p>
 +##	Determine whether lsmd_plugin can
@@ -41719,14 +44568,13 @@ index 0000000..7e8fde0
 +##	</p>
 +## </desc>
 +gen_tunable(lsmd_plugin_connect_any, false)
-+
-+type lsmd_t;
-+type lsmd_exec_t;
-+init_daemon_domain(lsmd_t, lsmd_exec_t)
-+
-+type lsmd_var_run_t;
-+files_pid_file(lsmd_var_run_t)
-+
+ 
+ type lsmd_t;
+ type lsmd_exec_t;
+@@ -12,12 +19,23 @@ init_daemon_domain(lsmd_t, lsmd_exec_t)
+ type lsmd_var_run_t;
+ files_pid_file(lsmd_var_run_t)
+ 
 +type lsmd_unit_file_t;
 +systemd_unit_file(lsmd_unit_file_t)
 +
@@ -41738,23 +44586,25 @@ index 0000000..7e8fde0
 +type lsmd_plugin_tmp_t;
 +files_tmp_file(lsmd_plugin_tmp_t)
 +
-+########################################
-+#
+ ########################################
+ #
+-# Local policy
 +# lsmd local policy
-+#
+ #
+-
+-allow lsmd_t self:capability setgid;
 +allow lsmd_t self:capability { setgid  };
 +allow lsmd_t self:process { fork };
-+allow lsmd_t self:unix_stream_socket create_stream_socket_perms;
-+
-+manage_dirs_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t)
-+manage_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t)
-+manage_lnk_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t)
-+manage_sock_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t)
-+files_pid_filetrans(lsmd_t, lsmd_var_run_t, { dir file sock_file })
-+
+ allow lsmd_t self:unix_stream_socket create_stream_socket_perms;
+ 
+ manage_dirs_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t)
+@@ -26,4 +44,47 @@ manage_lnk_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t)
+ manage_sock_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t)
+ files_pid_filetrans(lsmd_t, lsmd_var_run_t, { dir file sock_file })
+ 
 +corecmd_exec_bin(lsmd_t)
 +
-+logging_send_syslog_msg(lsmd_t)
+ logging_send_syslog_msg(lsmd_t)
 +
 +########################################
 +#
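Review bot: allow lsmd_t self:capability { setgid  }; replaces the base rule allow lsmd_t self:capability setgid; with the same permission in different formatting (braces and a doubled space). Drop the cosmetic rewrite so this part of lsm.te carries only the real additions, such as allow lsmd_t self:process { fork };.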
@@ -41797,10 +44647,13 @@ index 0000000..7e8fde0
 +
 +sysnet_read_config(lsmd_plugin_t)
 diff --git a/mailman.fc b/mailman.fc
-index 7fa381b..bbe6b01 100644
+index 995d0a5..bbe6b01 100644
 --- a/mailman.fc
 +++ b/mailman.fc
-@@ -3,10 +3,12 @@
+@@ -1,11 +1,14 @@
+-/etc/cron\.(daily|monthly)/mailman	--	gen_context(system_u:object_r:mailman_queue_exec_t,s0)
++/etc/cron\.daily/mailman	--	gen_context(system_u:object_r:mailman_queue_exec_t,s0)
++/etc/cron\.monthly/mailman	--	gen_context(system_u:object_r:mailman_queue_exec_t,s0)
  
  /etc/mailman.*	gen_context(system_u:object_r:mailman_data_t,s0)
  
@@ -42125,10 +44978,14 @@ index 108c0f1..a248501 100644
  	domtrans_pattern($1, mailman_queue_exec_t, mailman_queue_t)
  ')
 diff --git a/mailman.te b/mailman.te
-index 8eaf51b..a057913 100644
+index ac81c7f..a057913 100644
 --- a/mailman.te
 +++ b/mailman.te
-@@ -4,6 +4,12 @@ policy_module(mailman, 1.9.4)
+@@ -1,9 +1,15 @@
+-policy_module(mailman, 1.10.0)
++policy_module(mailman, 1.9.4)
+ 
+ ########################################
  #
  # Declarations
  #
@@ -42219,7 +45076,7 @@ index 8eaf51b..a057913 100644
 +	fs_manage_fusefs_symlinks(mailman_domain)
 +')
 diff --git a/mailscanner.if b/mailscanner.if
-index 0293f34..bd1d48e 100644
+index 214cb44..bd1d48e 100644
 --- a/mailscanner.if
 +++ b/mailscanner.if
 @@ -2,29 +2,27 @@
@@ -42292,7 +45149,7 @@ index 0293f34..bd1d48e 100644
  	admin_pattern($1, mscan_etc_t)
 +	files_list_etc($1)
  
--	files_search_pids($1
+-	files_search_pids($1)
  	admin_pattern($1, mscan_var_run_t)
 -
 -	files_search_spool($1)
@@ -42300,9 +45157,15 @@ index 0293f34..bd1d48e 100644
 +	files_list_pids($1)
  ')
 diff --git a/mailscanner.te b/mailscanner.te
-index 725ba32..cec64d0 100644
+index 6b6e2e1..cec64d0 100644
 --- a/mailscanner.te
 +++ b/mailscanner.te
+@@ -1,4 +1,4 @@
+-policy_module(mailscanner, 1.1.0)
++policy_module(mailscanner, 1.0.2)
+ 
+ ########################################
+ #
 @@ -34,6 +34,7 @@ allow mscan_t self:process signal;
  allow mscan_t self:fifo_file rw_fifo_file_perms;
  
@@ -42510,13 +45373,14 @@ index e08c55d..9e634bd 100644
 +
 +')
 diff --git a/mandb.fc b/mandb.fc
-index 2de0f64..c127555 100644
+index 8ae78b5..c127555 100644
 --- a/mandb.fc
 +++ b/mandb.fc
 @@ -1 +1,12 @@
+-/etc/cron\.(daily|weekly)/man-db.*	--	gen_context(system_u:object_r:mandb_exec_t,s0)
 +HOME_DIR/\.manpath	--	gen_context(system_u:object_r:mandb_home_t,s0)
 +
- /etc/cron.daily/man-db\.cron	--	gen_context(system_u:object_r:mandb_exec_t,s0)
++/etc/cron.daily/man-db\.cron	--	gen_context(system_u:object_r:mandb_exec_t,s0)
 +
 +/usr/bin/mandb		--	gen_context(system_u:object_r:mandb_exec_t,s0)
 +
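Review bot: replacing /etc/cron\.(daily|weekly)/man-db.* with /etc/cron.daily/man-db\.cron leaves the dot in cron.daily unescaped, so it matches any character there, and a weekly man-db cron script is no longer labelled mandb_exec_t. Escape the dot (/etc/cron\.daily/man-db\.cron) and confirm that no weekly job is shipped, or keep the removed pattern.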
@@ -42765,10 +45629,16 @@ index 327f3f7..4f61561 100644
 +	')
  ')
 diff --git a/mandb.te b/mandb.te
-index 5a414e0..8fc7de0 100644
+index e6136fd..8fc7de0 100644
 --- a/mandb.te
 +++ b/mandb.te
-@@ -10,28 +10,54 @@ roleattribute system_r mandb_roles;
+@@ -1,4 +1,4 @@
+-policy_module(mandb, 1.1.1)
++policy_module(mandb, 1.0.3)
+ 
+ ########################################
+ #
+@@ -10,48 +10,54 @@ roleattribute system_r mandb_roles;
  
  type mandb_t;
  type mandb_exec_t;
@@ -42790,11 +45660,12 @@ index 5a414e0..8fc7de0 100644
  # Local policy
  #
  
--allow mandb_t self:process signal;
-+allow mandb_t self:process { setsched signal };
+-allow mandb_t self:capability { setuid setgid };
+ allow mandb_t self:process { setsched signal };
  allow mandb_t self:fifo_file rw_fifo_file_perms;
  allow mandb_t self:unix_stream_socket create_stream_socket_perms;
  
+-kernel_read_kernel_sysctls(mandb_t)
 +manage_dirs_pattern(mandb_t, mandb_cache_t, mandb_cache_t)
 +manage_files_pattern(mandb_t, mandb_cache_t, mandb_cache_t)
 +manage_lnk_files_pattern(mandb_t, mandb_cache_t, mandb_cache_t)
@@ -42810,6 +45681,9 @@ index 5a414e0..8fc7de0 100644
  kernel_read_system_state(mandb_t)
  
  corecmd_exec_bin(mandb_t)
+-corecmd_exec_shell(mandb_t)
+-
+-dev_search_sysfs(mandb_t)
  
  domain_use_interactive_fds(mandb_t)
  
@@ -42820,6 +45694,21 @@ index 5a414e0..8fc7de0 100644
 +fs_getattr_all_fs(mandb_t)
  
  miscfiles_manage_man_cache(mandb_t)
+-miscfiles_read_man_pages(mandb_t)
+-miscfiles_read_localization(mandb_t)
+-
+-ifdef(`distro_debian',`
+-	optional_policy(`
+-		apt_exec(mandb_t)
+-		apt_read_db(mandb_t)
+-	')
+-
+-	optional_policy(`
+-		dpkg_exec(mandb_t)
+-		dpkg_read_db(mandb_t)
+-		userdom_dontaudit_search_user_home_dirs(mandb_t)
+-	')
+-')
 +miscfiles_setattr_man_pages(mandb_t)
  
  optional_policy(`
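Review bot: miscfiles_read_man_pages(mandb_t) is removed while miscfiles_manage_man_cache(mandb_t) stays, and miscfiles_setattr_man_pages(mandb_t) is the only man-page rule left in view. mandb has to read the pages it indexes, so point to the rule that grants that read access or keep the call; the same question applies to miscfiles_read_localization(mandb_t), removed on the next line.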
@@ -42827,7 +45716,7 @@ index 5a414e0..8fc7de0 100644
  ')
 +
 diff --git a/mcelog.if b/mcelog.if
-index 9dbe694..c73214d 100644
+index f89651e..c73214d 100644
 --- a/mcelog.if
 +++ b/mcelog.if
 @@ -19,6 +19,25 @@ interface(`mcelog_domtrans',`
@@ -42856,18 +45745,16 @@ index 9dbe694..c73214d 100644
  ########################################
  ## <summary>
  ##	All of the rules required to
-@@ -56,6 +75,6 @@ interface(`mcelog_admin',`
- 	logging_search_logs($1)
- 	admin_pattern($1, mcelog_log_t)
- 
--	files_search_pids($1
-+	files_search_pids($1)
- 	admin_pattern($1, mcelog_var_run_t)
- ')
 diff --git a/mcelog.te b/mcelog.te
-index 13ea191..2b4e761 100644
+index 59b3b3d..2b4e761 100644
 --- a/mcelog.te
 +++ b/mcelog.te
+@@ -1,4 +1,4 @@
+-policy_module(mcelog, 1.2.0)
++policy_module(mcelog, 1.1.3)
+ 
+ ########################################
+ #
 @@ -36,13 +36,6 @@ gen_tunable(mcelog_foreground, false)
  ## </desc>
  gen_tunable(mcelog_server, false)
@@ -43282,9 +46169,15 @@ index 1d4eb19..650014e 100644
  	admin_pattern($1, memcached_var_run_t)
  ')
 diff --git a/memcached.te b/memcached.te
-index 4926208..4396320 100644
+index 29b7521..4396320 100644
 --- a/memcached.te
 +++ b/memcached.te
+@@ -1,4 +1,4 @@
+-policy_module(memcached, 1.3.1)
++policy_module(memcached, 1.2.3)
+ 
+ ########################################
+ #
 @@ -20,7 +20,7 @@ files_pid_file(memcached_var_run_t)
  # Local policy
  #
@@ -43294,15 +46187,7 @@ index 4926208..4396320 100644
  dontaudit memcached_t self:capability sys_tty_config;
  allow memcached_t self:process { setrlimit signal_perms };
  allow memcached_t self:tcp_socket { accept listen };
-@@ -51,10 +51,11 @@ corenet_tcp_sendrecv_all_ports(memcached_t)
- corenet_udp_bind_memcache_port(memcached_t)
- corenet_udp_sendrecv_all_ports(memcached_t)
- 
-+dev_read_sysfs(memcached_t)
-+
- term_dontaudit_use_all_ptys(memcached_t)
- term_dontaudit_use_all_ttys(memcached_t)
- term_dontaudit_use_console(memcached_t)
+@@ -59,4 +59,3 @@ term_dontaudit_use_console(memcached_t)
  
  auth_use_nsswitch(memcached_t)
  
@@ -43490,11 +46375,11 @@ index cba62db..562833a 100644
 +	delete_files_pattern($1, dkim_milter_data_t, dkim_milter_data_t)
 +')
 diff --git a/milter.te b/milter.te
-index 92508b2..9c51c34 100644
+index 4dc99f4..9c51c34 100644
 --- a/milter.te
 +++ b/milter.te
 @@ -1,77 +1,121 @@
--policy_module(milter, 1.4.2)
+-policy_module(milter, 1.5.0)
 +policy_module(milter, 1.4.0)
  
  ########################################
@@ -43693,6 +46578,340 @@ index 92508b2..9c51c34 100644
  optional_policy(`
  	spamassassin_domtrans_client(spamass_milter_t)
  ')
+diff --git a/minidlna.fc b/minidlna.fc
+deleted file mode 100644
+index 02c1b50..0000000
+--- a/minidlna.fc
++++ /dev/null
+@@ -1,14 +0,0 @@
+-/etc/rc\.d/init\.d/minidlna	--	gen_context(system_u:object_r:minidlna_initrc_exec_t,s0)
+-
+-/etc/minidlna\.conf	--	gen_context(system_u:object_r:minidlna_conf_t,s0)
+-
+-/usr/sbin/minidlna	--	gen_context(system_u:object_r:minidlna_exec_t,s0)
+-
+-/var/cache/minidlna(/.*)?	gen_context(system_u:object_r:minidlna_db_t,s0)
+-
+-/var/lib/minidlna(/.*)?	gen_context(system_u:object_r:minidlna_db_t,s0)
+-
+-/var/log/minidlna(/.*)?	gen_context(system_u:object_r:minidlna_log_t,s0)
+-/var/log/minidlna\.log.*	--	gen_context(system_u:object_r:minidlna_log_t,s0)
+-
+-/var/run/minidlna(/.*)?	gen_context(system_u:object_r:minidlna_var_run_t,s0)
+diff --git a/minidlna.if b/minidlna.if
+deleted file mode 100644
+index 358917a..0000000
+--- a/minidlna.if
++++ /dev/null
+@@ -1,64 +0,0 @@
+-## <summary>MiniDLNA lightweight DLNA/UPnP media server</summary>
+-
+-########################################
+-## <summary>
+-##	All of the rules required to
+-##	administrate an minidlna environment.
+-## </summary>
+-## <param name="domain">
+-##	<summary>
+-##	Domain allowed access.
+-##	</summary>
+-## </param>
+-## <param name="role">
+-##	<summary>
+-##	Role allowed access.
+-##	</summary>
+-## </param>
+-## <rolecap/>
+-#
+-interface(`minidlna_admin',`
+-	gen_require(`
+-		type minidlna_t, minidlna_var_run_t, minidlna_initrc_exec_t;
+-		type minidlna_conf_t, minidlna_log_t, minidlna_db_t;
+-	')
+-
+-	allow $1 minidlna_t:process { ptrace signal_perms };
+-	ps_process_pattern($1, minidlna_t)
+-
+-	minidlna_initrc_domtrans($1)
+-	domain_system_change_exemption($1)
+-	role_transition $2 minidlna_initrc_exec_t system_r;
+-	allow $2 system_r;
+-
+-	files_search_etc($1)
+-	admin_pattern($1, minidlna_conf_t)
+-
+-	logging_search_logs($1)
+-	admin_pattern($1, minidlna_log_t)
+-
+-	files_search_var_lib($1)
+-	admin_pattern($1, minidlna_db_t)
+-
+-	files_search_pids($1)
+-	admin_pattern($1, minidlna_var_run_t)
+-')
+-
+-########################################
+-## <summary>
+-##	Execute minidlna init scripts in
+-##	the initrc domain.
+-## </summary>
+-## <param name="domain">
+-##	<summary>
+-##	Domain allowed to transition.
+-##	</summary>
+-## </param>
+-#
+-interface(`minidlna_initrc_domtrans',`
+-	gen_require(`
+-		type minidlna_initrc_exec_t;
+-	')
+-
+-	init_labeled_script_domtrans($1, minidlna_initrc_exec_t)
+-')
+diff --git a/minidlna.te b/minidlna.te
+deleted file mode 100644
+index 4911ac0..0000000
+--- a/minidlna.te
++++ /dev/null
+@@ -1,102 +0,0 @@
+-policy_module(minidlna, 0.1)
+-
+-#############################################
+-#
+-# Declarations
+-#
+-
+-## <desc>
+-##	<p>
+-##	Determine whether minidlna can read generic user content.
+-##	</p>
+-## </desc>
+-gen_tunable(minidlna_read_generic_user_content, false)
+-
+-type minidlna_t;
+-type minidlna_exec_t;
+-init_daemon_domain(minidlna_t, minidlna_exec_t)
+-
+-type minidlna_conf_t;
+-files_config_file(minidlna_conf_t)
+-
+-type minidlna_db_t;
+-files_type(minidlna_db_t)
+-
+-type minidlna_initrc_exec_t;
+-init_script_file(minidlna_initrc_exec_t)
+-
+-type minidlna_log_t;
+-logging_log_file(minidlna_log_t)
+-
+-type minidlna_var_run_t;
+-files_pid_file(minidlna_var_run_t)
+-
+-###############################################
+-#
+-# Local policy
+-#
+-
+-allow minidlna_t self:process setsched;
+-allow minidlna_t self:tcp_socket create_stream_socket_perms;
+-allow minidlna_t self:udp_socket create_socket_perms;
+-allow minidlna_t self:netlink_route_socket r_netlink_socket_perms;
+-allow minidlna_t minidlna_conf_t:file read_file_perms;
+-
+-allow minidlna_t minidlna_db_t:dir { create_dir_perms rw_dir_perms };
+-allow minidlna_t minidlna_db_t:file manage_file_perms;
+-
+-allow minidlna_t minidlna_log_t:file append_file_perms;
+-create_files_pattern(minidlna_t, minidlna_log_t, minidlna_log_t)
+-
+-allow minidlna_t minidlna_var_run_t:file manage_file_perms;
+-allow minidlna_t minidlna_var_run_t:dir rw_dir_perms;
+-files_pid_filetrans(minidlna_t, minidlna_var_run_t, file)
+-
+-kernel_read_fs_sysctls(minidlna_t)
+-kernel_read_system_state(minidlna_t)
+-
+-corecmd_exec_bin(minidlna_t)
+-corecmd_exec_shell(minidlna_t)
+-
+-corenet_all_recvfrom_netlabel(minidlna_t)
+-corenet_all_recvfrom_unlabeled(minidlna_t)
+-
+-corenet_sendrecv_ssdp_server_packets(minidlna_t)
+-corenet_sendrecv_trivnet1_server_packets(minidlna_t)
+-
+-corenet_tcp_bind_generic_node(minidlna_t)
+-corenet_tcp_bind_trivnet1_port(minidlna_t)
+-corenet_tcp_sendrecv_generic_if(minidlna_t)
+-corenet_tcp_sendrecv_generic_node(minidlna_t)
+-corenet_tcp_sendrecv_trivnet1_port(minidlna_t)
+-
+-corenet_udp_bind_generic_node(minidlna_t)
+-corenet_udp_bind_ssdp_port(minidlna_t)
+-corenet_udp_sendrecv_generic_if(minidlna_t)
+-corenet_udp_sendrecv_generic_node(minidlna_t)
+-corenet_udp_sendrecv_ssdp_port(minidlna_t)
+-
+-files_search_var_lib(minidlna_t)
+-
+-auth_use_nsswitch(minidlna_t)
+-
+-logging_search_logs(minidlna_t)
+-
+-miscfiles_read_localization(minidlna_t)
+-miscfiles_read_public_files(minidlna_t)
+-
+-tunable_policy(`minidlna_read_generic_user_content',`
+-	userdom_list_user_tmp(minidlna_t)
+-	userdom_read_user_home_content_files(minidlna_t)
+-	userdom_read_user_home_content_symlinks(minidlna_t)
+-	userdom_read_user_tmp_files(minidlna_t)
+-	userdom_read_user_tmp_symlinks(minidlna_t)
+-',`
+-	files_dontaudit_list_home(minidlna_t)
+-	files_dontaudit_list_tmp(minidlna_t)
+-
+-	userdom_dontaudit_list_user_home_dirs(minidlna_t)
+-	userdom_dontaudit_list_user_tmp(minidlna_t)
+-	userdom_dontaudit_read_user_home_content_files(minidlna_t)
+-	userdom_dontaudit_read_user_tmp_files(minidlna_t)
+-')
+diff --git a/minissdpd.fc b/minissdpd.fc
+deleted file mode 100644
+index 4970404..0000000
+--- a/minissdpd.fc
++++ /dev/null
+@@ -1,8 +0,0 @@
+-/etc/default/minissdpd	--	gen_context(system_u:object_r:minissdpd_conf_t,s0)
+-
+-/etc/rc\.d/init\.d/minissdpd	--	gen_context(system_u:object_r:minissdpd_initrc_exec_t,s0)
+-
+-/usr/sbin/minissdpd	--	gen_context(system_u:object_r:minissdpd_exec_t,s0)
+-
+-/var/run/minissdpd\.pid	--	gen_context(system_u:object_r:minissdpd_var_run_t,s0)
+-/var/run/minissdpd\.sock	-s	gen_context(system_u:object_r:minissdpd_var_run_t,s0)
+diff --git a/minissdpd.if b/minissdpd.if
+deleted file mode 100644
+index b330161..0000000
+--- a/minissdpd.if
++++ /dev/null
+@@ -1,58 +0,0 @@
+-## <summary>Daemon used by MiniUPnPc to speed up device discoveries.</summary>
+-
+-########################################
+-## <summary>
+-##	Read minissdpd configuration files.
+-## </summary>
+-## <param name="domain">
+-##	<summary>
+-##	Domain allowed access.
+-##	</summary>
+-## </param>
+-#
+-interface(`minissdpd_read_config',`
+-	gen_require(`
+-		type minissdpd_conf_t;
+-	')
+-
+-	files_search_etc($1)
+-	allow $1 minissdpd_conf_t:file read_file_perms;
+-')
+-
+-########################################
+-## <summary>
+-##	All of the rules required to
+-##	administrate an minissdpd environment.
+-## </summary>
+-## <param name="domain">
+-##	<summary>
+-##	Domain allowed access.
+-##	</summary>
+-## </param>
+-## <param name="role">
+-##	<summary>
+-##	Role allowed access.
+-##	</summary>
+-## </param>
+-## <rolecap/>
+-#
+-interface(`minissdpd_admin',`
+-	gen_require(`
+-		type minissdpd_t, minissdpd_initrc_exec_t, minissdpd_conf_t;
+-		type minissdpd_var_run_t
+-	')
+-
+-	allow $1 minissdpd_t:process { ptrace signal_perms };
+-	ps_process_pattern($1, minissdpd_t)
+-
+-	init_labeled_script_domtrans($1, minissdpd_initrc_exec_t)
+-	domain_system_change_exemption($1)
+-	role_transition $2 minissdpd_initrc_exec_t system_r;
+-	allow $2 system_r;
+-
+-	files_search_etc($1)
+-	admin_pattern($1, minissdpd_conf_t)
+-
+-	files_search_pids($1)
+-	admin_pattern($1, minissdpd_var_run_t)
+-')
+diff --git a/minissdpd.te b/minissdpd.te
+deleted file mode 100644
+index 34d75a7..0000000
+--- a/minissdpd.te
++++ /dev/null
+@@ -1,51 +0,0 @@
+-policy_module(minissdpd, 1.0.0)
+-
+-########################################
+-#
+-# Declarations
+-#
+-
+-type minissdpd_t;
+-type minissdpd_exec_t;
+-init_daemon_domain(minissdpd_t, minissdpd_exec_t)
+-
+-type minissdpd_initrc_exec_t;
+-init_script_file(minissdpd_initrc_exec_t)
+-
+-type minissdpd_conf_t;
+-files_config_file(minissdpd_conf_t)
+-
+-type minissdpd_var_run_t;
+-files_pid_file(minissdpd_var_run_t)
+-
+-########################################
+-#
+-# Local policy
+-#
+-
+-allow minissdpd_t self:capability { sys_module net_admin };
+-allow minissdpd_t self:netlink_route_socket r_netlink_socket_perms;
+-allow minissdpd_t self:udp_socket create_socket_perms;
+-allow minissdpd_t self:unix_dgram_socket create_socket_perms;
+-
+-allow minissdpd_t minissdpd_var_run_t:file manage_file_perms;
+-allow minissdpd_t minissdpd_var_run_t:sock_file manage_sock_file_perms;
+-files_pid_filetrans(minissdpd_t, minissdpd_var_run_t, { file sock_file })
+-
+-kernel_load_module(minissdpd_t)
+-kernel_read_network_state(minissdpd_t)
+-kernel_request_load_module(minissdpd_t)
+-
+-corenet_all_recvfrom_unlabeled(minissdpd_t)
+-corenet_all_recvfrom_netlabel(minissdpd_t)
+-corenet_udp_sendrecv_generic_if(minissdpd_t)
+-corenet_udp_sendrecv_generic_node(minissdpd_t)
+-corenet_udp_bind_generic_node(minissdpd_t)
+-
+-corenet_sendrecv_ssdp_server_packets(minissdpd_t)
+-corenet_udp_bind_ssdp_port(minissdpd_t)
+-corenet_udp_sendrecv_ssdp_port(minissdpd_t)
+-
+-logging_send_syslog_msg(minissdpd_t)
+-
+-miscfiles_read_localization(minissdpd_t)
+\ No newline at end of file
 diff --git a/mip6d.fc b/mip6d.fc
 new file mode 100644
 index 0000000..767bbad
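Review bot: deleting minissdpd.fc, minissdpd.if and minissdpd.te is not mentioned in the 3.12.1-200 changelog entry, and it removes `type minissdpd_t;` together with `init_daemon_domain(minissdpd_t, minissdpd_exec_t)` and every file context for the daemon. After this, /usr/sbin/minissdpd has no dedicated domain in the F20 policy. Please add a changelog line saying the module is dropped on purpose and which domain the daemon is expected to run in.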
@@ -44840,15 +48059,9 @@ index b1ac8b5..9b22bea 100644
 +	')
 +')
 diff --git a/modemmanager.te b/modemmanager.te
-index cb4c13d..25f2cfe 100644
+index d15eb5b..25f2cfe 100644
 --- a/modemmanager.te
 +++ b/modemmanager.te
-@@ -1,4 +1,4 @@
--policy_module(modemmanager, 1.1.1)
-+policy_module(modemmanager, 1.2.1)
- 
- ########################################
- #
 @@ -11,6 +11,9 @@ init_daemon_domain(modemmanager_t, modemmanager_exec_t)
  typealias modemmanager_t alias ModemManager_t;
  typealias modemmanager_exec_t alias ModemManager_exec_t;
@@ -44886,12 +48099,6 @@ index cb4c13d..25f2cfe 100644
  
  logging_send_syslog_msg(modemmanager_t)
  
-@@ -54,4 +59,5 @@ optional_policy(`
- 
- optional_policy(`
- 	udev_read_db(modemmanager_t)
-+	udev_manage_pid_files(modemmanager_t)
- ')
 diff --git a/mojomojo.if b/mojomojo.if
 index 73952f4..b19a6ee 100644
 --- a/mojomojo.if
@@ -44905,10 +48112,15 @@ index 73952f4..b19a6ee 100644
  interface(`mojomojo_admin',`
  	refpolicywarn(`$0($*) has been deprecated, use apache_admin() instead.')
 diff --git a/mojomojo.te b/mojomojo.te
-index 7e534cf..3652584 100644
+index b94102e..3652584 100644
 --- a/mojomojo.te
 +++ b/mojomojo.te
-@@ -5,21 +5,41 @@ policy_module(mojomojo, 1.0.1)
+@@ -1,25 +1,45 @@
+-policy_module(mojomojo, 1.1.0)
++policy_module(mojomojo, 1.0.1)
+ 
+ ########################################
+ #
  # Declarations
  #
  
@@ -44971,9 +48183,15 @@ index 6fcfc31..9e6d170 100644
  /var/lib/mongo.*	gen_context(system_u:object_r:mongod_var_lib_t,s0)
  
 diff --git a/mongodb.te b/mongodb.te
-index 4de8949..c27b44b 100644
+index 169f236..c27b44b 100644
 --- a/mongodb.te
 +++ b/mongodb.te
+@@ -1,4 +1,4 @@
+-policy_module(mongodb, 1.1.0)
++policy_module(mongodb, 1.0.2)
+ 
+ ########################################
+ #
 @@ -49,13 +49,12 @@ corenet_all_recvfrom_unlabeled(mongod_t)
  corenet_all_recvfrom_netlabel(mongod_t)
  corenet_tcp_sendrecv_generic_if(mongod_t)
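Review bot: the added `-policy_module(mongodb, 1.1.0)` / `+policy_module(mongodb, 1.0.2)` pair makes the module version go backwards relative to the new base (index 169f236). The result blob c27b44b is unchanged, so the rules are the same as before, but carrying a version downgrade in the downstream patch makes it harder to tell which upstream revision the module tracks. Consider dropping the version line from the patch; the same pattern appears in the mono, monop, mpd, mplayer, mrtg, munin, nagios, ncftool and nessus hunks.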
@@ -44991,9 +48209,15 @@ index 4de8949..c27b44b 100644
  
 -miscfiles_read_localization(mongod_t)
 diff --git a/mono.te b/mono.te
-index d287fe9..3dc493c 100644
+index a6a8643..3dc493c 100644
 --- a/mono.te
 +++ b/mono.te
+@@ -1,4 +1,4 @@
+-policy_module(mono, 1.9.0)
++policy_module(mono, 1.8.1)
+ 
+ ########################################
+ #
 @@ -28,7 +28,7 @@ allow mono_domain self:process { signal getsched execheap execmem execstack };
  # local policy
  #
@@ -45017,9 +48241,15 @@ index 8fdaece..5440757 100644
  
  	files_search_pids($1)
 diff --git a/monop.te b/monop.te
-index 4462c0e..84944d1 100644
+index 5f93763..84944d1 100644
 --- a/monop.te
 +++ b/monop.te
+@@ -1,4 +1,4 @@
+-policy_module(monop, 1.8.0)
++policy_module(monop, 1.7.1)
+ 
+ ########################################
+ #
 @@ -43,7 +43,6 @@ kernel_read_kernel_sysctls(monopd_t)
  kernel_list_proc(monopd_t)
  kernel_read_proc_symlinks(monopd_t)
@@ -46239,16 +49469,16 @@ index 6194b80..ecab2e6 100644
  ')
 +
 diff --git a/mozilla.te b/mozilla.te
-index 6a306ee..c4db163 100644
+index 11ac8e4..c4db163 100644
 --- a/mozilla.te
 +++ b/mozilla.te
 @@ -1,4 +1,4 @@
--policy_module(mozilla, 2.7.4)
+-policy_module(mozilla, 2.8.0)
 +policy_module(mozilla, 2.6.0)
  
  ########################################
  #
-@@ -6,17 +6,56 @@ policy_module(mozilla, 2.7.4)
+@@ -6,17 +6,56 @@ policy_module(mozilla, 2.8.0)
  #
  
  ## <desc>
@@ -47383,10 +50613,16 @@ index 5fa77c7..2e01c7d 100644
  	domain_system_change_exemption($1)
  	role_transition $2 mpd_initrc_exec_t system_r;
 diff --git a/mpd.te b/mpd.te
-index 7c8afcc..b8c9bf1 100644
+index fe72523..b8c9bf1 100644
 --- a/mpd.te
 +++ b/mpd.te
-@@ -7,6 +7,13 @@ policy_module(mpd, 1.0.4)
+@@ -1,4 +1,4 @@
+-policy_module(mpd, 1.1.1)
++policy_module(mpd, 1.0.4)
+ 
+ ########################################
+ #
+@@ -7,6 +7,13 @@ policy_module(mpd, 1.1.1)
  
  ## <desc>
  ##	<p>
@@ -47400,7 +50636,7 @@ index 7c8afcc..b8c9bf1 100644
  ##	Determine whether mpd can traverse
  ##	user home directories.
  ##	</p>
-@@ -62,18 +69,25 @@ files_type(mpd_var_lib_t)
+@@ -62,6 +69,12 @@ files_type(mpd_var_lib_t)
  type mpd_user_data_t;
  userdom_user_home_content(mpd_user_data_t) # customizable
  
@@ -47413,13 +50649,7 @@ index 7c8afcc..b8c9bf1 100644
  ########################################
  #
  # Local policy
- #
- 
- allow mpd_t self:capability { dac_override kill setgid setuid };
--allow mpd_t self:process { getsched setsched setrlimit signal signull };
-+allow mpd_t self:process { getsched setsched setrlimit signal signull setcap };
- allow mpd_t self:fifo_file rw_fifo_file_perms;
- allow mpd_t self:unix_stream_socket { accept connectto listen };
+@@ -74,6 +87,7 @@ allow mpd_t self:unix_stream_socket { accept connectto listen };
  allow mpd_t self:unix_dgram_socket sendto;
  allow mpd_t self:tcp_socket { accept listen };
  allow mpd_t self:netlink_kobject_uevent_socket create_socket_perms;
@@ -47550,10 +50780,16 @@ index 861d5e9..1c3d5a5 100644
 +    userdom_user_home_dir_filetrans($1, mplayer_home_t, dir, ".mplayer")
 +')
 diff --git a/mplayer.te b/mplayer.te
-index 9aca704..f92829c 100644
+index 0f03cd9..f92829c 100644
 --- a/mplayer.te
 +++ b/mplayer.te
-@@ -11,7 +11,7 @@ policy_module(mplayer, 2.4.4)
+@@ -1,4 +1,4 @@
+-policy_module(mplayer, 2.5.0)
++policy_module(mplayer, 2.4.4)
+ 
+ ########################################
+ #
+@@ -11,7 +11,7 @@ policy_module(mplayer, 2.5.0)
  ##	its stack executable.
  ##	</p>
  ## </desc>
@@ -47599,7 +50835,31 @@ index 9aca704..f92829c 100644
  	allow mencoder_t self:process { execmem execstack };
  ')
  
-@@ -173,7 +172,6 @@ files_dontaudit_getattr_non_security_files(mplayer_t)
+@@ -130,7 +129,6 @@ tunable_policy(`use_samba_home_dirs',`
+ allow mplayer_t self:process { signal_perms getsched };
+ allow mplayer_t self:fifo_file rw_fifo_file_perms;
+ allow mplayer_t self:sem create_sem_perms;
+-allow mplayer_t self:udp_socket create_socket_perms;
+ 
+ allow mplayer_t mplayer_etc_t:dir list_dir_perms;
+ allow mplayer_t mplayer_etc_t:file read_file_perms;
+@@ -156,15 +154,6 @@ kernel_read_kernel_sysctls(mplayer_t)
+ corecmd_exec_bin(mplayer_t)
+ corecmd_exec_shell(mplayer_t)
+ 
+-corenet_all_recvfrom_unlabeled(mplayer_t)
+-corenet_all_recvfrom_netlabel(mplayer_t)
+-corenet_tcp_sendrecv_generic_if(mplayer_t)
+-corenet_tcp_sendrecv_generic_node(mplayer_t)
+-
+-corenet_tcp_connect_http_port(mplayer_t)
+-corenet_tcp_sendrecv_http_port(mplayer_t)
+-corenet_sendrecv_http_client_packets(mplayer_t)
+-
+ dev_read_rand(mplayer_t)
+ dev_read_realtime_clock(mplayer_t)
+ dev_read_sound_mixer(mplayer_t)
+@@ -183,7 +172,6 @@ files_dontaudit_getattr_non_security_files(mplayer_t)
  files_read_non_security_files(mplayer_t)
  files_list_home(mplayer_t)
  files_read_etc_runtime_files(mplayer_t)
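Review bot: the two added inner hunks (`-130,7` and `-156,15`) remove `allow mplayer_t self:udp_socket create_socket_perms;` and the whole `corenet_tcp_connect_http_port(mplayer_t)` group from the new base without any explanation in the changelog. If mplayer is expected to open HTTP streams while confined on F20, that access would be denied unless another rule in the file grants it. If the removal is deliberate, say so in the changelog so the next rebase does not have to rediscover the reason.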
@@ -47607,7 +50867,7 @@ index 9aca704..f92829c 100644
  
  fs_getattr_all_fs(mplayer_t)
  fs_search_auto_mountpoints(mplayer_t)
-@@ -194,7 +192,7 @@ userdom_tmp_filetrans_user_tmp(mplayer_t, { dir file })
+@@ -204,7 +192,7 @@ userdom_tmp_filetrans_user_tmp(mplayer_t, { dir file })
  
  userdom_manage_user_home_content_dirs(mplayer_t)
  userdom_manage_user_home_content_files(mplayer_t)
@@ -47616,7 +50876,7 @@ index 9aca704..f92829c 100644
  
  userdom_write_user_tmp_sockets(mplayer_t)
  
-@@ -211,15 +209,15 @@ ifndef(`enable_mls',`
+@@ -221,15 +209,15 @@ ifndef(`enable_mls',`
  	fs_read_iso9660_files(mplayer_t)
  ')
  
@@ -47636,7 +50896,7 @@ index 9aca704..f92829c 100644
  	allow mplayer_t self:process { execmem execstack };
  ')
  
-@@ -235,7 +233,7 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -245,7 +233,7 @@ tunable_policy(`use_samba_home_dirs',`
  	fs_manage_cifs_symlinks(mplayer_t)
  ')
  
@@ -47676,9 +50936,15 @@ index c595094..2346458 100644
  ## </summary>
  ## <param name="domain">
 diff --git a/mrtg.te b/mrtg.te
-index c97c177..9411154 100644
+index 65a246a..9411154 100644
 --- a/mrtg.te
 +++ b/mrtg.te
+@@ -1,4 +1,4 @@
+-policy_module(mrtg, 1.9.0)
++policy_module(mrtg, 1.8.2)
+ 
+ ########################################
+ #
 @@ -65,7 +65,6 @@ kernel_read_kernel_sysctls(mrtg_t)
  corecmd_exec_bin(mrtg_t)
  corecmd_exec_shell(mrtg_t)
@@ -48918,11 +52184,11 @@ index ed81cac..837a43a 100644
 +	mta_filetrans_admin_home_content($1)
 +')
 diff --git a/mta.te b/mta.te
-index afd2fad..bff8488 100644
+index ff1d68c..bff8488 100644
 --- a/mta.te
 +++ b/mta.te
 @@ -1,4 +1,4 @@
--policy_module(mta, 2.6.5)
+-policy_module(mta, 2.7.3)
 +policy_module(mta, 2.5.0)
  
  ########################################
@@ -48948,7 +52214,7 @@ index afd2fad..bff8488 100644
  
  type sendmail_exec_t;
  mta_agent_executable(sendmail_exec_t)
-@@ -43,178 +43,79 @@ role system_r types system_mail_t;
+@@ -43,180 +43,79 @@ role system_r types system_mail_t;
  mta_base_mail_template(user)
  typealias user_mail_t alias { staff_mail_t sysadm_mail_t };
  typealias user_mail_t alias { auditadm_mail_t secadm_mail_t };
@@ -48988,6 +52254,7 @@ index afd2fad..bff8488 100644
 -
 -can_exec(user_mail_domain, { mta_exec_type sendmail_exec_t })
 -
+-kernel_read_crypto_sysctls(user_mail_domain)
 -kernel_read_system_state(user_mail_domain)
 -kernel_read_kernel_sysctls(user_mail_domain)
 -kernel_read_network_state(user_mail_domain)
@@ -49042,6 +52309,7 @@ index afd2fad..bff8488 100644
 -	exim_domtrans(user_mail_domain)
 -	exim_manage_log(user_mail_domain)
 -	exim_manage_spool_files(user_mail_domain)
+-	exim_read_var_lib_files(user_mail_domain)
 -')
 -
 -optional_policy(`
@@ -49122,11 +52390,11 @@ index afd2fad..bff8488 100644
 +
 +manage_dirs_pattern(system_mail_t, mail_home_rw_t, mail_home_rw_t)
 +manage_files_pattern(system_mail_t, mail_home_rw_t, mail_home_rw_t)
-+
-+allow system_mail_t mail_home_t:file manage_file_perms;
-+userdom_admin_home_dir_filetrans(system_mail_t, mail_home_t, file)
  
 -userdom_use_user_terminals(system_mail_t)
++allow system_mail_t mail_home_t:file manage_file_perms;
++userdom_admin_home_dir_filetrans(system_mail_t, mail_home_t, file)
++
 +
 +logging_append_all_logs(system_mail_t)
 +
@@ -49164,7 +52432,7 @@ index afd2fad..bff8488 100644
  ')
  
  optional_policy(`
-@@ -223,18 +124,18 @@ optional_policy(`
+@@ -225,18 +124,21 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -49183,18 +52451,16 @@ index afd2fad..bff8488 100644
  
  optional_policy(`
 -	courier_stream_connect_authdaemon(system_mail_t)
- 	courier_manage_spool_dirs(system_mail_t)
- 	courier_manage_spool_files(system_mail_t)
- 	courier_rw_spool_pipes(system_mail_t)
-@@ -245,14 +146,10 @@ optional_policy(`
++	courier_manage_spool_dirs(system_mail_t)
++	courier_manage_spool_files(system_mail_t)
++	courier_rw_spool_pipes(system_mail_t)
+ ')
+ 
+ optional_policy(`
+@@ -244,9 +146,10 @@ optional_policy(`
  ')
  
  optional_policy(`
--	exim_domtrans(system_mail_t)
--	exim_manage_log(system_mail_t)
--')
--
--optional_policy(`
 -	fail2ban_dontaudit_rw_stream_sockets(system_mail_t)
 -	fail2ban_append_log(system_mail_t)
 -	fail2ban_rw_inherited_tmp_files(system_mail_t)
@@ -49205,7 +52471,7 @@ index afd2fad..bff8488 100644
  ')
  
  optional_policy(`
-@@ -264,10 +161,17 @@ optional_policy(`
+@@ -258,10 +161,17 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -49223,7 +52489,7 @@ index afd2fad..bff8488 100644
  	nagios_read_tmp_files(system_mail_t)
  ')
  
-@@ -278,6 +182,19 @@ optional_policy(`
+@@ -272,6 +182,19 @@ optional_policy(`
  	manage_fifo_files_pattern(system_mail_t, etc_aliases_t, etc_aliases_t)
  	manage_sock_files_pattern(system_mail_t, etc_aliases_t, etc_aliases_t)
  	files_etc_filetrans(system_mail_t, etc_aliases_t, { file lnk_file sock_file fifo_file })
@@ -49243,7 +52509,7 @@ index afd2fad..bff8488 100644
  ')
  
  optional_policy(`
-@@ -285,6 +202,10 @@ optional_policy(`
+@@ -279,6 +202,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -49254,7 +52520,7 @@ index afd2fad..bff8488 100644
  	userdom_dontaudit_use_user_ptys(system_mail_t)
  
  	optional_policy(`
-@@ -293,42 +214,36 @@ optional_policy(`
+@@ -287,42 +214,36 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -49307,7 +52573,7 @@ index afd2fad..bff8488 100644
  
  allow mailserver_delivery mail_spool_t:dir list_dir_perms;
  create_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
-@@ -337,40 +252,26 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
+@@ -331,40 +252,26 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
  create_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
  read_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
  
@@ -49356,7 +52622,7 @@ index afd2fad..bff8488 100644
  	files_search_var_lib(mailserver_delivery)
  
  	mailman_domtrans(mailserver_delivery)
-@@ -378,6 +279,17 @@ optional_policy(`
+@@ -372,6 +279,17 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -49374,7 +52640,7 @@ index afd2fad..bff8488 100644
  	postfix_rw_inherited_master_pipes(mailserver_delivery)
  ')
  
-@@ -387,24 +299,176 @@ optional_policy(`
+@@ -381,24 +299,176 @@ optional_policy(`
  
  ########################################
  #
@@ -49889,17 +53155,16 @@ index b744fe3..e713bb6 100644
  	init_labeled_script_domtrans($1, munin_initrc_exec_t)
  	domain_system_change_exemption($1)
 diff --git a/munin.te b/munin.te
-index 97370e4..0911867 100644
+index b708708..0911867 100644
 --- a/munin.te
 +++ b/munin.te
-@@ -37,44 +37,47 @@ munin_plugin_template(disk)
- munin_plugin_template(mail)
- munin_plugin_template(selinux)
- munin_plugin_template(services)
-+
-+type services_munin_plugin_tmpfs_t;
-+files_tmpfs_file(services_munin_plugin_tmpfs_t)
-+
+@@ -1,4 +1,4 @@
+-policy_module(munin, 1.9.1)
++policy_module(munin, 1.8.10)
+ 
+ ########################################
+ #
+@@ -44,41 +44,40 @@ files_tmpfs_file(services_munin_plugin_tmpfs_t)
  munin_plugin_template(system)
  munin_plugin_template(unconfined)
  
@@ -49948,7 +53213,7 @@ index 97370e4..0911867 100644
  
  optional_policy(`
  	nscd_use(munin_plugin_domain)
-@@ -114,7 +117,7 @@ manage_dirs_pattern(munin_t, munin_var_lib_t, munin_var_lib_t)
+@@ -118,7 +117,7 @@ manage_dirs_pattern(munin_t, munin_var_lib_t, munin_var_lib_t)
  manage_files_pattern(munin_t, munin_var_lib_t, munin_var_lib_t)
  manage_lnk_files_pattern(munin_t, munin_var_lib_t, munin_var_lib_t)
  
@@ -49957,7 +53222,7 @@ index 97370e4..0911867 100644
  
  manage_dirs_pattern(munin_t, munin_var_run_t, munin_var_run_t)
  manage_files_pattern(munin_t, munin_var_run_t, munin_var_run_t)
-@@ -130,7 +133,6 @@ kernel_read_all_sysctls(munin_t)
+@@ -134,7 +133,6 @@ kernel_read_all_sysctls(munin_t)
  corecmd_exec_bin(munin_t)
  corecmd_exec_shell(munin_t)
  
@@ -49965,7 +53230,7 @@ index 97370e4..0911867 100644
  corenet_all_recvfrom_netlabel(munin_t)
  corenet_tcp_sendrecv_generic_if(munin_t)
  corenet_tcp_sendrecv_generic_node(munin_t)
-@@ -153,7 +155,6 @@ domain_use_interactive_fds(munin_t)
+@@ -157,7 +155,6 @@ domain_use_interactive_fds(munin_t)
  domain_read_all_domains_state(munin_t)
  
  files_read_etc_runtime_files(munin_t)
@@ -49973,7 +53238,7 @@ index 97370e4..0911867 100644
  files_list_spool(munin_t)
  
  fs_getattr_all_fs(munin_t)
-@@ -165,7 +166,6 @@ logging_send_syslog_msg(munin_t)
+@@ -169,7 +166,6 @@ logging_send_syslog_msg(munin_t)
  logging_read_all_logs(munin_t)
  
  miscfiles_read_fonts(munin_t)
@@ -49981,7 +53246,7 @@ index 97370e4..0911867 100644
  miscfiles_setattr_fonts_cache_dirs(munin_t)
  
  sysnet_exec_ifconfig(munin_t)
-@@ -173,13 +173,6 @@ sysnet_exec_ifconfig(munin_t)
+@@ -177,13 +173,6 @@ sysnet_exec_ifconfig(munin_t)
  userdom_dontaudit_use_unpriv_user_fds(munin_t)
  userdom_dontaudit_search_user_home_dirs(munin_t)
  
@@ -49995,7 +53260,7 @@ index 97370e4..0911867 100644
  
  optional_policy(`
  	cron_system_entry(munin_t, munin_exec_t)
-@@ -213,7 +206,6 @@ optional_policy(`
+@@ -217,7 +206,6 @@ optional_policy(`
  
  optional_policy(`
  	postfix_list_spool(munin_t)
@@ -50003,7 +53268,7 @@ index 97370e4..0911867 100644
  ')
  
  optional_policy(`
-@@ -242,21 +234,23 @@ allow disk_munin_plugin_t self:tcp_socket create_stream_socket_perms;
+@@ -246,21 +234,23 @@ allow disk_munin_plugin_t self:tcp_socket create_stream_socket_perms;
  
  rw_files_pattern(disk_munin_plugin_t, munin_var_lib_t, munin_var_lib_t)
  
@@ -50031,7 +53296,7 @@ index 97370e4..0911867 100644
  
  sysnet_read_config(disk_munin_plugin_t)
  
-@@ -268,6 +262,10 @@ optional_policy(`
+@@ -272,6 +262,10 @@ optional_policy(`
  	fstools_exec(disk_munin_plugin_t)
  ')
  
@@ -50042,7 +53307,7 @@ index 97370e4..0911867 100644
  ####################################
  #
  # Mail local policy
-@@ -275,27 +273,38 @@ optional_policy(`
+@@ -279,27 +273,38 @@ optional_policy(`
  
  allow mail_munin_plugin_t self:capability dac_override;
  
@@ -50085,17 +53350,15 @@ index 97370e4..0911867 100644
  ')
  
  optional_policy(`
-@@ -320,6 +329,9 @@ allow services_munin_plugin_t self:tcp_socket create_stream_socket_perms;
- allow services_munin_plugin_t self:udp_socket create_socket_perms;
- allow services_munin_plugin_t self:netlink_route_socket r_netlink_socket_perms;
+@@ -326,7 +331,6 @@ allow services_munin_plugin_t self:netlink_route_socket r_netlink_socket_perms;
+ 
+ manage_files_pattern(services_munin_plugin_t, services_munin_plugin_tmpfs_t, services_munin_plugin_tmpfs_t)
+ manage_dirs_pattern(services_munin_plugin_t, services_munin_plugin_tmpfs_t, services_munin_plugin_tmpfs_t)
+-fs_tmpfs_filetrans(services_munin_plugin_t, services_munin_plugin_tmpfs_t, { dir file })
  
-+manage_files_pattern(services_munin_plugin_t, services_munin_plugin_tmpfs_t, services_munin_plugin_tmpfs_t)
-+manage_dirs_pattern(services_munin_plugin_t, services_munin_plugin_tmpfs_t, services_munin_plugin_tmpfs_t)
-+
  corenet_sendrecv_all_client_packets(services_munin_plugin_t)
  corenet_tcp_connect_all_ports(services_munin_plugin_t)
- corenet_tcp_connect_http_port(services_munin_plugin_t)
-@@ -331,7 +343,7 @@ dev_read_rand(services_munin_plugin_t)
+@@ -339,7 +343,7 @@ dev_read_rand(services_munin_plugin_t)
  sysnet_read_config(services_munin_plugin_t)
  
  optional_policy(`
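Review bot: the added `-fs_tmpfs_filetrans(services_munin_plugin_t, services_munin_plugin_tmpfs_t, { dir file })` drops the type transition while the two `manage_*_pattern` rules on `services_munin_plugin_tmpfs_t` stay as context just above it. Without the transition, files and directories the plugin creates on tmpfs inherit the parent directory's type (normally tmpfs_t), so the manage rules only cover objects that something else has already labelled. Either keep the filetrans or note in the changelog why F20 does not want it.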
@@ -50104,7 +53367,7 @@ index 97370e4..0911867 100644
  ')
  
  optional_policy(`
-@@ -340,6 +352,10 @@ optional_policy(`
+@@ -348,6 +352,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -50115,7 +53378,7 @@ index 97370e4..0911867 100644
  	lpd_exec_lpr(services_munin_plugin_t)
  ')
  
-@@ -353,7 +369,11 @@ optional_policy(`
+@@ -361,7 +369,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -50128,7 +53391,7 @@ index 97370e4..0911867 100644
  ')
  
  optional_policy(`
-@@ -385,6 +405,7 @@ read_files_pattern(system_munin_plugin_t, munin_log_t, munin_log_t)
+@@ -393,6 +405,7 @@ read_files_pattern(system_munin_plugin_t, munin_log_t, munin_log_t)
  
  kernel_read_network_state(system_munin_plugin_t)
  kernel_read_all_sysctls(system_munin_plugin_t)
@@ -50136,7 +53399,7 @@ index 97370e4..0911867 100644
  
  dev_read_sysfs(system_munin_plugin_t)
  dev_read_urand(system_munin_plugin_t)
-@@ -413,3 +434,32 @@ optional_policy(`
+@@ -421,3 +434,32 @@ optional_policy(`
  optional_policy(`
  	unconfined_domain(unconfined_munin_plugin_t)
  ')
@@ -50170,13 +53433,14 @@ index 97370e4..0911867 100644
 +	apache_search_sys_content(munin_t)
 +')
 diff --git a/mysql.fc b/mysql.fc
-index c48dc17..297f831 100644
+index 06f8666..297f831 100644
 --- a/mysql.fc
 +++ b/mysql.fc
-@@ -1,11 +1,25 @@
+@@ -1,12 +1,25 @@
 -HOME_DIR/\.my\.cnf	--	gen_context(system_u:object_r:mysqld_home_t,s0)
 -
 -/etc/my\.cnf	--	gen_context(system_u:object_r:mysqld_etc_t,s0)
+-/etc/my\.cnf\.d(/.*)?	gen_context(system_u:object_r:mysqld_etc_t,s0)
 -/etc/mysql(/.*)?	gen_context(system_u:object_r:mysqld_etc_t,s0)
 -
 -/etc/rc\.d/init\.d/mysqld?	--	gen_context(system_u:object_r:mysqld_initrc_exec_t,s0)
@@ -50207,7 +53471,7 @@ index c48dc17..297f831 100644
  /usr/bin/mysqld_safe	--	gen_context(system_u:object_r:mysqld_safe_exec_t,s0)
  /usr/bin/mysql_upgrade	--	gen_context(system_u:object_r:mysqld_exec_t,s0)
  
-@@ -13,13 +27,17 @@ HOME_DIR/\.my\.cnf	--	gen_context(system_u:object_r:mysqld_home_t,s0)
+@@ -14,14 +27,17 @@ HOME_DIR/\.my\.cnf	--	gen_context(system_u:object_r:mysqld_home_t,s0)
  
  /usr/sbin/mysqld(-max)?	--	gen_context(system_u:object_r:mysqld_exec_t,s0)
  /usr/sbin/mysqlmanager	--	gen_context(system_u:object_r:mysqlmanagerd_exec_t,s0)
@@ -50222,6 +53486,7 @@ index c48dc17..297f831 100644
 +/var/lib/mysql(/.*)?		gen_context(system_u:object_r:mysqld_db_t,s0)
 +/var/lib/mysql/mysql\.sock -s	gen_context(system_u:object_r:mysqld_var_run_t,s0)
  
+-/var/log/mariadb(/.*)?	gen_context(system_u:object_r:mysqld_log_t,s0)
 -/var/log/mysql.*	--	gen_context(system_u:object_r:mysqld_log_t,s0)
 +/var/log/mariadb(/.*)?   gen_context(system_u:object_r:mysqld_log_t,s0)
 +/var/log/mysql.*		gen_context(system_u:object_r:mysqld_log_t,s0)
@@ -50785,16 +54050,16 @@ index 687af38..a77dc09 100644
 +	mysql_stream_connect($1)
  ')
 diff --git a/mysql.te b/mysql.te
-index 9f6179e..dfca76c 100644
+index 7584bbe..dfca76c 100644
 --- a/mysql.te
 +++ b/mysql.te
 @@ -1,4 +1,4 @@
--policy_module(mysql, 1.13.5)
+-policy_module(mysql, 1.14.1)
 +policy_module(mysql, 1.13.0)
  
  ########################################
  #
-@@ -6,20 +6,15 @@ policy_module(mysql, 1.13.5)
+@@ -6,20 +6,15 @@ policy_module(mysql, 1.14.1)
  #
  
  ## <desc>
@@ -50836,7 +54101,7 @@ index 9f6179e..dfca76c 100644
  type mysqld_initrc_exec_t;
  init_script_file(mysqld_initrc_exec_t)
  
-@@ -62,27 +59,29 @@ files_pid_file(mysqlmanagerd_var_run_t)
+@@ -62,24 +59,24 @@ files_pid_file(mysqlmanagerd_var_run_t)
  # Local policy
  #
  
@@ -50866,16 +54131,9 @@ index 9f6179e..dfca76c 100644
  allow mysqld_t mysqld_etc_t:lnk_file read_lnk_file_perms;
 +allow mysqld_t mysqld_etc_t:dir list_dir_perms;
  
--allow mysqld_t mysqld_log_t:file { append_file_perms create_file_perms setattr_file_perms };
--logging_log_filetrans(mysqld_t, mysqld_log_t, file)
-+manage_dirs_pattern(mysqld_t, mysqld_log_t, mysqld_log_t)
-+manage_files_pattern(mysqld_t, mysqld_log_t, mysqld_log_t)
-+manage_lnk_files_pattern(mysqld_t, mysqld_log_t, mysqld_log_t)
-+logging_log_filetrans(mysqld_t, mysqld_log_t, { dir file })
- 
- manage_dirs_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t)
- manage_files_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t)
-@@ -93,50 +92,60 @@ manage_files_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t)
+ manage_dirs_pattern(mysqld_t, mysqld_log_t, mysqld_log_t)
+ manage_files_pattern(mysqld_t, mysqld_log_t, mysqld_log_t)
+@@ -95,50 +92,60 @@ manage_files_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t)
  manage_sock_files_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t)
  files_pid_filetrans(mysqld_t, mysqld_var_run_t, { dir file sock_file })
  
@@ -50953,7 +54211,7 @@ index 9f6179e..dfca76c 100644
  ')
  
  optional_policy(`
-@@ -144,6 +153,10 @@ optional_policy(`
+@@ -146,6 +153,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -50964,7 +54222,7 @@ index 9f6179e..dfca76c 100644
  	seutil_sigchld_newrole(mysqld_t)
  ')
  
-@@ -153,29 +166,25 @@ optional_policy(`
+@@ -155,31 +166,25 @@ optional_policy(`
  
  #######################################
  #
@@ -50989,10 +54247,10 @@ index 9f6179e..dfca76c 100644
 -allow mysqld_safe_t mysqld_etc_t:lnk_file read_lnk_file_perms;
 +domtrans_pattern(mysqld_safe_t, mysqld_exec_t, mysqld_t)
  
--allow mysqld_safe_t mysqld_log_t:file { append_file_perms create_file_perms setattr_file_perms };
+ list_dirs_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t)
+-manage_files_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t)
+ manage_lnk_files_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t)
 -logging_log_filetrans(mysqld_safe_t, mysqld_log_t, file)
-+list_dirs_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t)
-+manage_lnk_files_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t)
 +manage_files_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t)
  
  manage_files_pattern(mysqld_safe_t, mysqld_var_run_t, mysqld_var_run_t)
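Review bot: in the mysqld_safe block the patch now deletes `manage_files_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t)` and adds the identical line back two lines later, after `manage_lnk_files_pattern`. That is a pure reordering with no policy effect. Leaving the base line as context would shrink the delta against upstream and make the real change at this spot, moving `logging_log_filetrans(mysqld_safe_t, mysqld_log_t, file)` out of this block, easier to see.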
@@ -51003,7 +54261,7 @@ index 9f6179e..dfca76c 100644
  
  kernel_read_system_state(mysqld_safe_t)
  kernel_read_kernel_sysctls(mysqld_safe_t)
-@@ -183,21 +192,29 @@ kernel_read_kernel_sysctls(mysqld_safe_t)
+@@ -187,21 +192,29 @@ kernel_read_kernel_sysctls(mysqld_safe_t)
  corecmd_exec_bin(mysqld_safe_t)
  corecmd_exec_shell(mysqld_safe_t)
  
@@ -51019,9 +54277,9 @@ index 9f6179e..dfca76c 100644
 +files_dontaudit_access_check_root(mysqld_safe_t)
  files_dontaudit_search_all_mountpoints(mysqld_safe_t)
 +files_dontaudit_getattr_all_dirs(mysqld_safe_t)
- 
-+files_write_root_dirs(mysqld_safe_t)
 +
++files_write_root_dirs(mysqld_safe_t)
+ 
 +logging_log_filetrans(mysqld_safe_t, mysqld_log_t, file)
  logging_send_syslog_msg(mysqld_safe_t)
  
@@ -51039,7 +54297,7 @@ index 9f6179e..dfca76c 100644
  
  optional_policy(`
  	hostname_exec(mysqld_safe_t)
-@@ -205,7 +222,7 @@ optional_policy(`
+@@ -209,7 +222,7 @@ optional_policy(`
  
  ########################################
  #
@@ -51048,7 +54306,7 @@ index 9f6179e..dfca76c 100644
  #
  
  allow mysqlmanagerd_t self:capability { dac_override kill };
-@@ -214,11 +231,12 @@ allow mysqlmanagerd_t self:fifo_file rw_fifo_file_perms;
+@@ -218,11 +231,12 @@ allow mysqlmanagerd_t self:fifo_file rw_fifo_file_perms;
  allow mysqlmanagerd_t self:tcp_socket create_stream_socket_perms;
  allow mysqlmanagerd_t self:unix_stream_socket create_stream_socket_perms;
  
@@ -51066,7 +54324,7 @@ index 9f6179e..dfca76c 100644
  
  domtrans_pattern(mysqlmanagerd_t, mysqld_exec_t, mysqld_t)
  
-@@ -226,31 +244,20 @@ manage_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t)
+@@ -230,31 +244,20 @@ manage_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t)
  manage_sock_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t)
  filetrans_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t, { file sock_file })
  
@@ -51749,9 +55007,15 @@ index 0641e97..cad402c 100644
 +	admin_pattern($1, nrpe_etc_t)
  ')
 diff --git a/nagios.te b/nagios.te
-index 44ad3b7..39bcd98 100644
+index 7b3e682..39bcd98 100644
 --- a/nagios.te
 +++ b/nagios.te
+@@ -1,4 +1,4 @@
+-policy_module(nagios, 1.13.0)
++policy_module(nagios, 1.12.3)
+ 
+ ########################################
+ #
 @@ -27,7 +27,7 @@ type nagios_var_run_t;
  files_pid_file(nagios_var_run_t)
  
@@ -52157,9 +55421,15 @@ index db9578f..4309e3d 100644
  ')
 +
 diff --git a/ncftool.te b/ncftool.te
-index b13c0b1..c8baed2 100644
+index 71f30ba..c8baed2 100644
 --- a/ncftool.te
 +++ b/ncftool.te
+@@ -1,4 +1,4 @@
+-policy_module(ncftool, 1.2.0)
++policy_module(ncftool, 1.1.2)
+ 
+ ########################################
+ #
 @@ -22,6 +22,7 @@ role ncftool_roles types ncftool_t;
  
  allow ncftool_t self:capability net_admin;
@@ -52208,9 +55478,15 @@ index b13c0b1..c8baed2 100644
  
  optional_policy(`
 diff --git a/nessus.te b/nessus.te
-index 56c0fbd..173a2c0 100644
+index fe1068b..173a2c0 100644
 --- a/nessus.te
 +++ b/nessus.te
+@@ -1,4 +1,4 @@
+-policy_module(nessus, 1.9.0)
++policy_module(nessus, 1.8.1)
+ 
+ ########################################
+ #
 @@ -58,7 +58,6 @@ kernel_read_kernel_sysctls(nessusd_t)
  
  corecmd_exec_bin(nessusd_t)
@@ -52237,10 +55513,10 @@ index 56c0fbd..173a2c0 100644
  
  userdom_dontaudit_use_unpriv_user_fds(nessusd_t)
 diff --git a/networkmanager.fc b/networkmanager.fc
-index a1fb3c3..dfb99d2 100644
+index 94b9734..dfb99d2 100644
 --- a/networkmanager.fc
 +++ b/networkmanager.fc
-@@ -1,43 +1,47 @@
+@@ -1,44 +1,47 @@
 -/etc/rc\.d/init\.d/wicd	--	gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
 +/etc/rc\.d/init\.d/wicd		--	gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
  
@@ -52272,6 +55548,7 @@ index a1fb3c3..dfb99d2 100644
 +/usr/libexec/nm-dispatcher.action --	gen_context(system_u:object_r:NetworkManager_exec_t,s0)
  
 -/usr/bin/NetworkManager	--	gen_context(system_u:object_r:NetworkManager_exec_t,s0)
+-/usr/bin/wpa_cli	--	gen_context(system_u:object_r:wpa_cli_exec_t,s0)
 -/usr/bin/wpa_supplicant	--	gen_context(system_u:object_r:NetworkManager_exec_t,s0)
 +/sbin/wpa_cli			--	gen_context(system_u:object_r:wpa_cli_exec_t,s0)
 +/sbin/wpa_supplicant		--	gen_context(system_u:object_r:NetworkManager_exec_t,s0)
@@ -52312,7 +55589,7 @@ index a1fb3c3..dfb99d2 100644
 +/var/run/wpa_supplicant(/.*)?		gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
  /var/run/wpa_supplicant-global	-s	gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
 diff --git a/networkmanager.if b/networkmanager.if
-index 0e8508c..cde8567 100644
+index 86dc29d..9b302e8 100644
 --- a/networkmanager.if
 +++ b/networkmanager.if
 @@ -2,7 +2,7 @@
@@ -52450,50 +55727,72 @@ index 0e8508c..cde8567 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -135,7 +160,29 @@ interface(`networkmanager_dbus_chat',`
+@@ -133,29 +158,31 @@ interface(`networkmanager_dbus_chat',`
+ 	allow NetworkManager_t $1:dbus send_msg;
+ ')
  
- ########################################
+-#######################################
++########################################
  ## <summary>
--##	Send generic signals to networkmanager.
+-##	Read metworkmanager process state files.
 +##	Do not audit attempts to send and
 +##	receive messages from NetworkManager
 +##	over dbus.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain allowed access.
 +##	Domain to not audit.
-+##	</summary>
-+## </param>
-+#
+ ##	</summary>
+ ## </param>
+ #
+-interface(`networkmanager_read_state',`
 +interface(`networkmanager_dontaudit_dbus_chat',`
-+	gen_require(`
-+		type NetworkManager_t;
+ 	gen_require(`
+ 		type NetworkManager_t;
 +		class dbus send_msg;
-+	')
-+
+ 	')
+ 
+-	allow $1 NetworkManager_t:dir search_dir_perms;
+-	allow $1 NetworkManager_t:file read_file_perms;
+-	allow $1 NetworkManager_t:lnk_file read_lnk_file_perms;
 +	dontaudit $1 NetworkManager_t:dbus send_msg;
 +	dontaudit NetworkManager_t $1:dbus send_msg;
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Send generic signals to networkmanager.
 +##	Send a generic signal to NetworkManager
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -153,7 +200,7 @@ interface(`networkmanager_signal',`
+@@ -173,8 +200,7 @@ interface(`networkmanager_signal',`
  
  ########################################
  ## <summary>
--##	Read networkmanager lib files.
+-##	Create, read, and write
+-##	networkmanager library files.
 +##	Read NetworkManager lib files.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -171,9 +218,28 @@ interface(`networkmanager_read_lib_files',`
- 	read_files_pattern($1, NetworkManager_var_lib_t, NetworkManager_var_lib_t)
- ')
+@@ -182,18 +208,38 @@ interface(`networkmanager_signal',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`networkmanager_manage_lib_files',`
++interface(`networkmanager_read_lib_files',`
+ 	gen_require(`
+ 		type NetworkManager_var_lib_t;
+ 	')
  
+ 	files_search_var_lib($1)
+-	manage_files_pattern($1, NetworkManager_var_lib_t, NetworkManager_var_lib_t)
++	list_dirs_pattern($1, NetworkManager_var_lib_t, NetworkManager_var_lib_t)
++	read_files_pattern($1, NetworkManager_var_lib_t, NetworkManager_var_lib_t)
++')
++
 +#######################################
 +## <summary>
 +##  Read NetworkManager conf files.
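Review bot: The rebased `-` side of the networkmanager.if patch now deletes `networkmanager_read_state` and `networkmanager_manage_lib_files` from the base file, and nothing in this hunk adds them back. Please confirm both are re-created further down in the patch or that no module still calls them, since callers of a missing interface would no longer compile. As a smaller point, the conf-files block at the end of the hunk indents its summary with two spaces (`##  Read NetworkManager conf files.`) where the neighbouring doc comments use a tab.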
@@ -52511,64 +55810,70 @@ index 0e8508c..cde8567 100644
 +
 +	allow $1 NetworkManager_etc_t:dir list_dir_perms;
 +	read_files_pattern($1,NetworkManager_etc_t,NetworkManager_etc_t)
-+')
-+
+ ')
+ 
  ########################################
  ## <summary>
--##	Append networkmanager log files.
+-##	Read networkmanager lib files.
 +##	Read NetworkManager PID files.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -181,19 +247,18 @@ interface(`networkmanager_read_lib_files',`
+@@ -201,19 +247,18 @@ interface(`networkmanager_manage_lib_files',`
  ##	</summary>
  ## </param>
  #
--interface(`networkmanager_append_log_files',`
+-interface(`networkmanager_read_lib_files',`
 +interface(`networkmanager_read_pid_files',`
  	gen_require(`
--		type NetworkManager_log_t;
+-		type NetworkManager_var_lib_t;
 +		type NetworkManager_var_run_t;
  	')
  
--	logging_search_logs($1)
--	allow $1 NetworkManager_log_t:dir list_dir_perms;
--	append_files_pattern($1, NetworkManager_log_t, NetworkManager_log_t)
+-	files_search_var_lib($1)
+-	list_dirs_pattern($1, NetworkManager_var_lib_t, NetworkManager_var_lib_t)
+-	read_files_pattern($1, NetworkManager_var_lib_t, NetworkManager_var_lib_t)
 +	files_search_pids($1)
 +	read_files_pattern($1, NetworkManager_var_run_t, NetworkManager_var_run_t)
  ')
  
  ########################################
  ## <summary>
--##	Read networkmanager pid files.
+-##	Append networkmanager log files.
 +##	Manage NetworkManager PID files.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -201,25 +266,63 @@ interface(`networkmanager_append_log_files',`
+@@ -221,19 +266,18 @@ interface(`networkmanager_read_lib_files',`
  ##	</summary>
  ## </param>
  #
--interface(`networkmanager_read_pid_files',`
+-interface(`networkmanager_append_log_files',`
 +interface(`networkmanager_manage_pid_files',`
-+	gen_require(`
+ 	gen_require(`
+-		type NetworkManager_log_t;
 +		type NetworkManager_var_run_t;
-+	')
-+
+ 	')
+ 
+-	logging_search_logs($1)
+-	allow $1 NetworkManager_log_t:dir list_dir_perms;
+-	append_files_pattern($1, NetworkManager_log_t, NetworkManager_log_t)
 +	files_search_pids($1)
 +	manage_files_pattern($1, NetworkManager_var_run_t, NetworkManager_var_run_t)
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Read networkmanager pid files.
 +##	Manage NetworkManager PID sock files.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -241,45 +285,78 @@ interface(`networkmanager_append_log_files',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`networkmanager_read_pid_files',`
 +interface(`networkmanager_manage_pid_sock_files',`
  	gen_require(`
  		type NetworkManager_var_run_t;
@@ -52579,6 +55884,50 @@ index 0e8508c..cde8567 100644
 +	manage_sock_files_pattern($1, NetworkManager_var_run_t, NetworkManager_var_run_t)
  ')
  
+-####################################
++########################################
+ ## <summary>
+-##  Connect to networkmanager over
+-##	a unix domain stream socket.
++##	Create objects in /etc with a private
++##	type using a type_transition.
+ ## </summary>
+ ## <param name="domain">
+-##  <summary>
+-##  Domain allowed access.
+-##  </summary>
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <param name="file_type">
++##	<summary>
++##	Private file type.
++##	</summary>
++## </param>
++## <param name="class">
++##	<summary>
++##	Object classes to be created.
++##	</summary>
++## </param>
++## <param name="name" optional="true">
++##	<summary>
++##	The name of the object being created.
++##	</summary>
+ ## </param>
+ #
+-interface(`networkmanager_stream_connect',`
++interface(`networkmanager_pid_filetrans',`
+ 	gen_require(`
+-		type NetworkManager_t, NetworkManager_var_run_t;
++		type NetworkManager_var_run_t;
+ 	')
+ 
+-	files_search_pids($1)
+-	stream_connect_pattern($1, NetworkManager_var_run_t, NetworkManager_var_run_t, NetworkManager_t)
++	filetrans_pattern($1, NetworkManager_var_run_t, $2, $3, $4)
+ ')
+ 
  ########################################
  ## <summary>
 -##	All of the rules required to
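Review bot: The summary added for `networkmanager_pid_filetrans` says "Create objects in /etc with a private type", but the body is `filetrans_pattern($1, NetworkManager_var_run_t, $2, $3, $4)`, which sets up the transition inside the NetworkManager runtime (PID) directory, not /etc. Reword the summary to name the NetworkManager PID directory so the generated interface documentation matches the rule it grants.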
@@ -52613,7 +55962,7 @@ index 0e8508c..cde8567 100644
  ## <param name="role">
  ##	<summary>
  ##	Role allowed access.
-@@ -227,33 +330,152 @@ interface(`networkmanager_read_pid_files',`
+@@ -287,33 +364,170 @@ interface(`networkmanager_stream_connect',`
  ## </param>
  ## <rolecap/>
  #
@@ -52744,6 +56093,24 @@ index 0e8508c..cde8567 100644
 +
 +########################################
 +## <summary>
++##	Send sigchld to networkmanager.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++#
++interface(`networkmanager_sigchld',`
++	gen_require(`
++		type networkmanager_t;
++	')
++
++    allow $1 networkmanager_t:process sigchld;
++')
++########################################
++## <summary>
 +##	Transition to networkmanager named content
 +## </summary>
 +## <param name="domain">
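Review bot: In the new `networkmanager_sigchld` interface, both `type networkmanager_t;` and `allow $1 networkmanager_t:process sigchld;` use a lowercase type name, while the other interfaces in this file require `NetworkManager_t`. Type identifiers are case-sensitive, so both lines should read `NetworkManager_t`; as written, the require names a type that none of the visible policy declares. While touching it, drop the doubled `#` line after `## </param>`, indent the allow rule with a tab like the rest of the file, and leave a blank line between the closing `')` and the next banner.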
@@ -52786,11 +56153,11 @@ index 0e8508c..cde8567 100644
 +	logging_log_filetrans($1, NetworkManager_var_lib_t, file, "wpa_supplicant.log")
  ')
 diff --git a/networkmanager.te b/networkmanager.te
-index 0b48a30..9e9b2dc 100644
+index 55f2009..9e9b2dc 100644
 --- a/networkmanager.te
 +++ b/networkmanager.te
 @@ -1,4 +1,4 @@
--policy_module(networkmanager, 1.14.7)
+-policy_module(networkmanager, 1.15.2)
 +policy_module(networkmanager, 1.14.0)
  
  ########################################
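Review bot: The `policy_module` line for networkmanager now moves the version backwards, from the base's `1.15.2` to `1.14.0`. After the rebase the base already carries the newer number, so either drop this line from the patch and keep the base version, or set a value above `1.15.2`, so that the module version does not claim older content than the tree it is applied to.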
@@ -52821,7 +56188,7 @@ index 0b48a30..9e9b2dc 100644
  # Local policy
  #
  
--allow NetworkManager_t self:capability { chown fsetid kill setgid setuid sys_nice dac_override net_admin net_raw ipc_lock };
+-allow NetworkManager_t self:capability { fowner chown fsetid kill setgid setuid sys_nice dac_override net_admin net_raw ipc_lock };
 -dontaudit NetworkManager_t self:capability { sys_tty_config sys_module sys_ptrace };
 -allow NetworkManager_t self:process { ptrace getcap setcap setpgid getsched setsched signal_perms };
 +# networkmanager will ptrace itself if gdb is installed
@@ -53152,12 +56519,13 @@ index 0b48a30..9e9b2dc 100644
  ')
  
  optional_policy(`
-@@ -320,13 +380,19 @@ optional_policy(`
+@@ -320,14 +380,19 @@ optional_policy(`
  ')
  
  optional_policy(`
 -	udev_exec(NetworkManager_t)
 -	udev_read_db(NetworkManager_t)
+-	udev_read_pid_files(NetworkManager_t)
 +	systemd_write_inhibit_pipes(NetworkManager_t)
 +	systemd_read_logind_sessions_files(NetworkManager_t)
 +	systemd_dbus_chat_logind(NetworkManager_t)
@@ -53176,7 +56544,7 @@ index 0b48a30..9e9b2dc 100644
  ')
  
  optional_policy(`
-@@ -356,6 +422,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru
+@@ -357,6 +422,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru
  init_dontaudit_use_fds(wpa_cli_t)
  init_use_script_ptys(wpa_cli_t)
  
@@ -53625,11 +56993,11 @@ index 46e55c3..6e4e061 100644
 +	allow $1 nis_unit_file_t:service all_service_perms;
  ')
 diff --git a/nis.te b/nis.te
-index 3e4a31c..6aeb9dd 100644
+index 3a6b035..6aeb9dd 100644
 --- a/nis.te
 +++ b/nis.te
 @@ -1,12 +1,10 @@
--policy_module(nis, 1.11.1)
+-policy_module(nis, 1.12.0)
 +policy_module(nis, 1.11.0)
  
  ########################################
@@ -54708,11 +58076,11 @@ index 8f2ab09..bc2c7fe 100644
 +	allow $1 nscd_unit_file_t:service all_service_perms;
  ')
 diff --git a/nscd.te b/nscd.te
-index df4c10f..2bbc3a6 100644
+index bcd7d0a..2bbc3a6 100644
 --- a/nscd.te
 +++ b/nscd.te
 @@ -1,36 +1,37 @@
--policy_module(nscd, 1.10.3)
+-policy_module(nscd, 1.11.0)
 +policy_module(nscd, 1.10.0)
  
  gen_require(`
@@ -55019,11 +58387,11 @@ index a9c60ff..ad4f14a 100644
 +	refpolicywarn(`$0($*) has been deprecated.')
  ')
 diff --git a/nsd.te b/nsd.te
-index dde7f42..b3662dd 100644
+index 47bb1d2..b3662dd 100644
 --- a/nsd.te
 +++ b/nsd.te
 @@ -1,4 +1,4 @@
--policy_module(nsd, 1.7.1)
+-policy_module(nsd, 1.8.0)
 +policy_module(nsd, 1.7.0)
  
  ########################################
@@ -55318,11 +58686,11 @@ index 97df768..852d1c6 100644
 +	admin_pattern($1, nslcd_var_run_t, nslcd_var_run_t)
  ')
 diff --git a/nslcd.te b/nslcd.te
-index a3e56f0..c37998e 100644
+index 421bf1a..c37998e 100644
 --- a/nslcd.te
 +++ b/nslcd.te
 @@ -1,4 +1,4 @@
--policy_module(nslcd, 1.3.1)
+-policy_module(nslcd, 1.4.1)
 +policy_module(nslcd, 1.3.0)
  
  ########################################
@@ -55344,7 +58712,7 @@ index a3e56f0..c37998e 100644
  
  allow nslcd_t nslcd_conf_t:file read_file_perms;
  
-@@ -36,14 +36,12 @@ files_pid_filetrans(nslcd_t, nslcd_var_run_t, { file dir })
+@@ -36,16 +36,12 @@ files_pid_filetrans(nslcd_t, nslcd_var_run_t, { file dir })
  
  kernel_read_system_state(nslcd_t)
  
@@ -55358,11 +58726,13 @@ index a3e56f0..c37998e 100644
 -corenet_sendrecv_ldap_client_packets(nslcd_t)
  corenet_tcp_connect_ldap_port(nslcd_t)
 -corenet_tcp_sendrecv_ldap_port(nslcd_t)
+-
+-dev_read_sysfs(nslcd_t)
 +corenet_sendrecv_ldap_client_packets(nslcd_t)
  
  files_read_usr_symlinks(nslcd_t)
  files_list_tmp(nslcd_t)
-@@ -52,10 +50,14 @@ auth_use_nsswitch(nslcd_t)
+@@ -54,10 +50,14 @@ auth_use_nsswitch(nslcd_t)
  
  logging_send_syslog_msg(nslcd_t)
  
@@ -56200,9 +59570,15 @@ index 0000000..7d839fe
 +	pulseaudio_setattr_home_dir(nsplugin_t)
 +')
 diff --git a/ntop.te b/ntop.te
-index 52757d8..0f7f5e4 100644
+index 8ec7859..0f7f5e4 100644
 --- a/ntop.te
 +++ b/ntop.te
+@@ -1,4 +1,4 @@
+-policy_module(ntop, 1.10.0)
++policy_module(ntop, 1.9.2)
+ 
+ ########################################
+ #
 @@ -33,6 +33,7 @@ allow ntop_t self:capability { net_raw setgid setuid sys_admin net_admin };
  dontaudit ntop_t self:capability sys_tty_config;
  allow ntop_t self:process signal_perms;
@@ -56246,7 +59622,7 @@ index af3c91e..6882a3f 100644
  /var/lib/sntp-kod(/.*)?	gen_context(system_u:object_r:ntp_drift_t,s0)
  
 diff --git a/ntp.if b/ntp.if
-index b59196f..24f45be 100644
+index e96a309..24f45be 100644
 --- a/ntp.if
 +++ b/ntp.if
 @@ -1,4 +1,4 @@
@@ -56295,7 +59671,7 @@ index b59196f..24f45be 100644
  ')
  
  ########################################
-@@ -98,6 +117,48 @@ interface(`ntp_initrc_domtrans',`
+@@ -98,23 +117,46 @@ interface(`ntp_initrc_domtrans',`
  	init_labeled_script_domtrans($1, ntpd_initrc_exec_t)
  ')
  
@@ -56318,33 +59694,37 @@ index b59196f..24f45be 100644
 +        allow $1 ntpd_unit_file_t:file read_file_perms;
 +')
 +
-+########################################
-+## <summary>
+ ########################################
+ ## <summary>
+-##	Read ntp drift files.
 +##	Execute ntpd server in the ntpd domain.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain allowed access.
 +##	Domain allowed to transition.
-+##	</summary>
-+## </param>
-+#
+ ##	</summary>
+ ## </param>
+ #
+-interface(`ntp_read_drift_files',`
 +interface(`ntp_systemctl',`
-+	gen_require(`
+ 	gen_require(`
+-		type ntp_drift_t;
 +		type ntpd_unit_file_t;
 +		type ntpd_t;
-+	')
-+
+ 	')
+ 
+-	files_search_var_lib($1)
+-	read_files_pattern($1, ntp_drift_t, ntp_drift_t)
 +	systemd_exec_systemctl($1)
 +	allow $1 ntpd_unit_file_t:file read_file_perms;
 +	allow $1 ntpd_unit_file_t:service manage_service_perms;
 +
 +	ps_process_pattern($1, ntpd_t)
-+')
-+
+ ')
+ 
  ########################################
- ## <summary>
- ##	Read and write ntpd shared memory.
-@@ -122,8 +183,27 @@ interface(`ntp_rw_shm',`
+@@ -141,8 +183,27 @@ interface(`ntp_rw_shm',`
  
  ########################################
  ## <summary>
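Review bot: The doc comment on `ntp_systemctl` reads "Execute ntpd server in the ntpd domain." with the parameter described as "Domain allowed to transition.", but the body runs `systemd_exec_systemctl($1)` and grants `manage_service_perms` on `ntpd_unit_file_t`; no domain transition is involved. Describe it as managing the ntpd unit through systemctl, with the parameter as "Domain allowed access." The hunk also removes `ntp_read_drift_files` from the base, so please check that no caller remains.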
@@ -56374,7 +59754,7 @@ index b59196f..24f45be 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -132,7 +212,7 @@ interface(`ntp_rw_shm',`
+@@ -151,7 +212,7 @@ interface(`ntp_rw_shm',`
  ## </param>
  ## <param name="role">
  ##	<summary>
@@ -56383,7 +59763,7 @@ index b59196f..24f45be 100644
  ##	</summary>
  ## </param>
  ## <rolecap/>
-@@ -140,20 +220,22 @@ interface(`ntp_rw_shm',`
+@@ -159,20 +220,22 @@ interface(`ntp_rw_shm',`
  interface(`ntp_admin',`
  	gen_require(`
  		type ntpd_t, ntpd_tmp_t, ntpd_log_t;
@@ -56406,12 +59786,18 @@ index b59196f..24f45be 100644
  	allow $2 system_r;
  
 -	files_list_etc($1)
--	admin_pattern($1, { ntpd_key_t ntp_conf_t ntp_drift_t })
+-	admin_pattern($1, { ntpd_key_t ntp_conf_t })
 +	admin_pattern($1, ntpd_key_t)
  
  	logging_list_logs($1)
  	admin_pattern($1, ntpd_log_t)
-@@ -164,5 +246,30 @@ interface(`ntp_admin',`
+@@ -180,11 +243,33 @@ interface(`ntp_admin',`
+ 	files_list_tmp($1)
+ 	admin_pattern($1, ntpd_tmp_t)
+ 
+-	files_list_var_lib($1)
+-	admin_pattern($1, ntp_drift_t)
+-
  	files_list_pids($1)
  	admin_pattern($1, ntpd_var_run_t)
  
@@ -56444,9 +59830,15 @@ index b59196f..24f45be 100644
 +    files_var_lib_filetrans($1, ntp_drift_t, file, "sntp-kod")
  ')
 diff --git a/ntp.te b/ntp.te
-index b90e343..ae081d4 100644
+index f81b113..ae081d4 100644
 --- a/ntp.te
 +++ b/ntp.te
+@@ -1,4 +1,4 @@
+-policy_module(ntp, 1.11.0)
++policy_module(ntp, 1.10.3)
+ 
+ ########################################
+ #
 @@ -18,6 +18,9 @@ role ntpd_roles types ntpd_t;
  type ntpd_initrc_exec_t;
  init_script_file(ntpd_initrc_exec_t)
@@ -56639,16 +60031,16 @@ index 0d3c270..709dda1 100644
 +	')
  ')
 diff --git a/numad.te b/numad.te
-index f5d145d..f050103 100644
+index b0a1be4..f050103 100644
 --- a/numad.te
 +++ b/numad.te
 @@ -1,4 +1,4 @@
--policy_module(numad, 1.0.3)
+-policy_module(numad, 1.1.0)
 +policy_module(numad, 1.0.0)
  
  ########################################
  #
-@@ -8,37 +8,44 @@ policy_module(numad, 1.0.3)
+@@ -8,37 +8,44 @@ policy_module(numad, 1.1.0)
  type numad_t;
  type numad_exec_t;
  init_daemon_domain(numad_t, numad_exec_t)
@@ -56831,16 +60223,16 @@ index 57c0161..4534676 100644
 +    ps_process_pattern($1, nut_t)
  ')
 diff --git a/nut.te b/nut.te
-index 0c9deb7..8ee90b0 100644
+index 5b2cb0d..8ee90b0 100644
 --- a/nut.te
 +++ b/nut.te
 @@ -1,4 +1,4 @@
--policy_module(nut, 1.2.4)
+-policy_module(nut, 1.3.0)
 +policy_module(nut, 1.2.0)
  
  ########################################
  #
-@@ -7,131 +7,124 @@ policy_module(nut, 1.2.4)
+@@ -7,131 +7,124 @@ policy_module(nut, 1.3.0)
  
  attribute nut_domain;
  
@@ -57107,9 +60499,15 @@ index 251d681..50ae2a9 100644
 +	filetrans_pattern($1, nx_server_var_lib_t, nx_server_home_ssh_t, dir, ".ssh")
 +')
 diff --git a/nx.te b/nx.te
-index b1832ca..d181d03 100644
+index 091f872..d181d03 100644
 --- a/nx.te
 +++ b/nx.te
+@@ -1,4 +1,4 @@
+-policy_module(nx, 1.7.0)
++policy_module(nx, 1.6.1)
+ 
+ ########################################
+ #
 @@ -27,6 +27,9 @@ files_type(nx_server_var_lib_t)
  type nx_server_var_run_t;
  files_pid_file(nx_server_var_run_t)
@@ -57152,9 +60550,15 @@ index b1832ca..d181d03 100644
  sysnet_read_config(nx_server_t)
  
 diff --git a/oav.te b/oav.te
-index 75fdf58..1a9e754 100644
+index b09c4c4..1a9e754 100644
 --- a/oav.te
 +++ b/oav.te
+@@ -1,4 +1,4 @@
+-policy_module(oav, 1.10.0)
++policy_module(oav, 1.9.1)
+ 
+ ########################################
+ #
 @@ -95,7 +95,6 @@ dev_read_sysfs(scannerdaemon_t)
  domain_use_interactive_fds(scannerdaemon_t)
  
@@ -57586,11 +60990,11 @@ index c87bd2a..7de054a 100644
 +	')
  ')
 diff --git a/oddjob.te b/oddjob.te
-index 296a1d3..edc3e32 100644
+index e403097..edc3e32 100644
 --- a/oddjob.te
 +++ b/oddjob.te
 @@ -1,12 +1,10 @@
--policy_module(oddjob, 1.9.2)
+-policy_module(oddjob, 1.10.0)
 +policy_module(oddjob, 1.9.0)
  
  ########################################
@@ -57687,18 +61091,37 @@ index 296a1d3..edc3e32 100644
 +userdom_home_manager(oddjob_mkhomedir_t)
 +userdom_stream_connect(oddjob_mkhomedir_t)
 +
+diff --git a/oident.te b/oident.te
+index edfad9d..cd22d87 100644
+--- a/oident.te
++++ b/oident.te
+@@ -1,4 +1,4 @@
+-policy_module(oident, 2.3.0)
++policy_module(oident, 2.2.1)
+ 
+ ########################################
+ #
+diff --git a/openca.te b/openca.te
+index 0fc3a58..d808ab0 100644
+--- a/openca.te
++++ b/openca.te
+@@ -1,4 +1,4 @@
+-policy_module(openca, 1.3.0)
++policy_module(openca, 1.2.1)
+ 
+ ########################################
+ #
 diff --git a/openct.te b/openct.te
-index 8467596..428ae48 100644
+index 3b6920e..428ae48 100644
 --- a/openct.te
 +++ b/openct.te
-@@ -22,18 +22,19 @@ files_pid_file(openct_var_run_t)
- 
- dontaudit openct_t self:capability sys_tty_config;
- allow openct_t self:process signal_perms;
-+allow openct_t self:netlink_kobject_uevent_socket create_socket_perms;
+@@ -1,4 +1,4 @@
+-policy_module(openct, 1.6.1)
++policy_module(openct, 1.5.1)
  
- manage_dirs_pattern(openct_t, openct_var_run_t, openct_var_run_t)
- manage_files_pattern(openct_t, openct_var_run_t, openct_var_run_t)
+ ########################################
+ #
+@@ -29,12 +29,12 @@ manage_files_pattern(openct_t, openct_var_run_t, openct_var_run_t)
  manage_sock_files_pattern(openct_t, openct_var_run_t, openct_var_run_t)
  files_pid_filetrans(openct_t, openct_var_run_t, { dir file sock_file })
  
@@ -57713,7 +61136,7 @@ index 8467596..428ae48 100644
  dev_read_sysfs(openct_t)
  dev_rw_usbfs(openct_t)
  dev_rw_smartcard(openct_t)
-@@ -41,15 +42,12 @@ dev_rw_generic_usb_dev(openct_t)
+@@ -42,15 +42,12 @@ dev_rw_generic_usb_dev(openct_t)
  
  domain_use_interactive_fds(openct_t)
  
@@ -57730,9 +61153,15 @@ index 8467596..428ae48 100644
  userdom_dontaudit_search_user_home_dirs(openct_t)
  
 diff --git a/openhpi.te b/openhpi.te
-index 7f398c0..e66751b 100644
+index 8de6191..e66751b 100644
 --- a/openhpi.te
 +++ b/openhpi.te
+@@ -1,4 +1,4 @@
+-policy_module(openhpi, 1.1.0)
++policy_module(openhpi, 1.0.1)
+ 
+ ########################################
+ #
 @@ -50,7 +50,6 @@ corenet_tcp_sendrecv_openhpid_port(openhpid_t)
  
  dev_read_urand(openhpid_t)
@@ -59708,10 +63137,16 @@ index 6837e9a..21e6dae 100644
  	domain_system_change_exemption($1)
  	role_transition $2 openvpn_initrc_exec_t system_r;
 diff --git a/openvpn.te b/openvpn.te
-index 3270ff9..baf76c1 100644
+index 63957a3..baf76c1 100644
 --- a/openvpn.te
 +++ b/openvpn.te
-@@ -6,6 +6,13 @@ policy_module(openvpn, 1.11.3)
+@@ -1,4 +1,4 @@
+-policy_module(openvpn, 1.12.2)
++policy_module(openvpn, 1.11.3)
+ 
+ ########################################
+ #
+@@ -6,6 +6,13 @@ policy_module(openvpn, 1.12.2)
  #
  
  ## <desc>
@@ -59725,22 +63160,25 @@ index 3270ff9..baf76c1 100644
  ##	<p>
  ##	Determine whether openvpn can
  ##	read generic user home content files.
-@@ -13,6 +20,14 @@ policy_module(openvpn, 1.11.3)
- ## </desc>
+@@ -14,12 +21,12 @@ policy_module(openvpn, 1.12.2)
  gen_tunable(openvpn_enable_homedirs, false)
  
-+## <desc>
+ ## <desc>
+-##	<p>
+-##	Determine whether openvpn can
+-##	connect to the TCP network.
+-##	</p>
 +##  <p>
 +##  Determine whether openvpn can
 +##  connect to the TCP network.
 +##  </p>
-+## </desc>
+ ## </desc>
+-gen_tunable(openvpn_can_network_connect, false)
 +gen_tunable(openvpn_can_network_connect, true)
-+
+ 
  attribute_role openvpn_roles;
  
- type openvpn_t;
-@@ -26,12 +41,18 @@ files_config_file(openvpn_etc_t)
+@@ -34,14 +41,17 @@ files_config_file(openvpn_etc_t)
  type openvpn_etc_rw_t;
  files_config_file(openvpn_etc_rw_t)
  
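Review bot: `gen_tunable(openvpn_can_network_connect, true)` flips the base default of `false`, so the boolean documented as letting openvpn "connect to the TCP network" is enabled on every install unless an administrator turns it off. If the permissive default is intended for F20, state the reason in the changelog; otherwise keep `false` and let sites opt in with setsebool. The doc comment above it is also re-indented from tabs to spaces with no change in wording, which only adds churn against the base.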
@@ -59753,13 +63191,14 @@ index 3270ff9..baf76c1 100644
  type openvpn_status_t;
  logging_log_file(openvpn_status_t)
  
+-type openvpn_tmp_t;
+-files_tmp_file(openvpn_tmp_t)
 +type openvpn_var_lib_t;
 +files_type(openvpn_var_lib_t)
-+
+ 
  type openvpn_var_log_t;
  logging_log_file(openvpn_var_log_t)
- 
-@@ -43,7 +64,7 @@ files_pid_file(openvpn_var_run_t)
+@@ -54,7 +64,7 @@ files_pid_file(openvpn_var_run_t)
  # Local policy
  #
  
@@ -59768,13 +63207,14 @@ index 3270ff9..baf76c1 100644
  allow openvpn_t self:process { signal getsched setsched };
  allow openvpn_t self:fifo_file rw_fifo_file_perms;
  allow openvpn_t self:unix_dgram_socket sendto;
-@@ -62,10 +83,14 @@ filetrans_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_rw_t, file)
+@@ -73,13 +83,14 @@ filetrans_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_rw_t, file)
  allow openvpn_t openvpn_status_t:file manage_file_perms;
  logging_log_filetrans(openvpn_t, openvpn_status_t, file, "openvpn-status.log")
  
+-allow openvpn_t openvpn_tmp_t:file manage_file_perms;
 +manage_files_pattern(openvpn_t, openvpn_tmp_t, openvpn_tmp_t)
-+files_tmp_filetrans(openvpn_t, openvpn_tmp_t, file)
-+
+ files_tmp_filetrans(openvpn_t, openvpn_tmp_t, file)
+ 
 +manage_files_pattern(openvpn_t, openvpn_var_lib_t, openvpn_var_lib_t)
 +files_var_lib_filetrans(openvpn_t, openvpn_var_lib_t, { dir file })
 +
@@ -59786,7 +63226,7 @@ index 3270ff9..baf76c1 100644
  logging_log_filetrans(openvpn_t, openvpn_var_log_t, file)
  
  manage_dirs_pattern(openvpn_t, openvpn_var_run_t, openvpn_var_run_t)
-@@ -83,7 +108,6 @@ kernel_request_load_module(openvpn_t)
+@@ -97,7 +108,6 @@ kernel_request_load_module(openvpn_t)
  corecmd_exec_bin(openvpn_t)
  corecmd_exec_shell(openvpn_t)
  
@@ -59794,7 +63234,7 @@ index 3270ff9..baf76c1 100644
  corenet_all_recvfrom_netlabel(openvpn_t)
  corenet_tcp_sendrecv_generic_if(openvpn_t)
  corenet_udp_sendrecv_generic_if(openvpn_t)
-@@ -103,13 +127,15 @@ corenet_udp_sendrecv_openvpn_port(openvpn_t)
+@@ -117,13 +127,15 @@ corenet_udp_sendrecv_openvpn_port(openvpn_t)
  corenet_sendrecv_http_server_packets(openvpn_t)
  corenet_tcp_bind_http_port(openvpn_t)
  corenet_sendrecv_http_client_packets(openvpn_t)
@@ -59811,7 +63251,7 @@ index 3270ff9..baf76c1 100644
  corenet_rw_tun_tap_dev(openvpn_t)
  
  dev_read_rand(openvpn_t)
-@@ -118,21 +144,31 @@ files_read_etc_runtime_files(openvpn_t)
+@@ -132,21 +144,31 @@ files_read_etc_runtime_files(openvpn_t)
  
  fs_getattr_all_fs(openvpn_t)
  fs_search_auto_mountpoints(openvpn_t)
@@ -59846,20 +63286,22 @@ index 3270ff9..baf76c1 100644
  ')
  
  tunable_policy(`openvpn_enable_homedirs && use_nfs_home_dirs',`
-@@ -143,11 +179,25 @@ tunable_policy(`openvpn_enable_homedirs && use_samba_home_dirs',`
- 	fs_read_cifs_files(openvpn_t)
+@@ -158,9 +180,11 @@ tunable_policy(`openvpn_enable_homedirs && use_samba_home_dirs',`
  ')
  
-+tunable_policy(`openvpn_can_network_connect',`
+ tunable_policy(`openvpn_can_network_connect',`
+-	corenet_sendrecv_all_client_packets(openvpn_t)
+-	corenet_tcp_connect_all_ports(openvpn_t)
+-	corenet_tcp_sendrecv_all_ports(openvpn_t)
 +    corenet_tcp_connect_all_ports(openvpn_t)
 +')
 +
 +optional_policy(`
 +	brctl_domtrans(openvpn_t)
-+')
-+
+ ')
+ 
  optional_policy(`
- 	daemontools_service_domain(openvpn_t, openvpn_exec_t)
+@@ -168,6 +192,12 @@ optional_policy(`
  ')
  
  optional_policy(`
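Review bot: In the `tunable_policy` block for `openvpn_can_network_connect`, the patch deletes the base's tab-indented `corenet_tcp_connect_all_ports(openvpn_t)` and adds the identical call back indented with four spaces. Keep the base line as context and remove only `corenet_sendrecv_all_client_packets` and `corenet_tcp_sendrecv_all_ports`, so the diff shows just the two rules that are actually dropped.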
@@ -59872,7 +63314,7 @@ index 3270ff9..baf76c1 100644
  	dbus_system_bus_client(openvpn_t)
  	dbus_connect_system_bus(openvpn_t)
  
-@@ -155,3 +205,27 @@ optional_policy(`
+@@ -175,3 +205,27 @@ optional_policy(`
  		networkmanager_dbus_chat(openvpn_t)
  	')
  ')
@@ -60201,11 +63643,11 @@ index 9b15730..eedd136 100644
 +	')
  ')
 diff --git a/openvswitch.te b/openvswitch.te
-index 508fedf..452ad74 100644
+index 44dbc99..452ad74 100644
 --- a/openvswitch.te
 +++ b/openvswitch.te
 @@ -1,4 +1,4 @@
--policy_module(openvswitch, 1.0.1)
+-policy_module(openvswitch, 1.1.1)
 +policy_module(openvswitch, 1.0.0)
  
  ########################################
@@ -60224,13 +63666,7 @@ index 508fedf..452ad74 100644
  
  type openvswitch_var_lib_t;
  files_type(openvswitch_var_lib_t)
-@@ -21,23 +18,34 @@ files_type(openvswitch_var_lib_t)
- type openvswitch_log_t;
- logging_log_file(openvswitch_log_t)
- 
-+type openvswitch_tmp_t;
-+files_tmp_file(openvswitch_tmp_t)
-+
+@@ -27,20 +24,28 @@ files_tmp_file(openvswitch_tmp_t)
  type openvswitch_var_run_t;
  files_pid_file(openvswitch_var_run_t)
  
@@ -60267,7 +63703,7 @@ index 508fedf..452ad74 100644
  
  manage_dirs_pattern(openvswitch_t, openvswitch_var_lib_t, openvswitch_var_lib_t)
  manage_files_pattern(openvswitch_t, openvswitch_var_lib_t, openvswitch_var_lib_t)
-@@ -45,45 +53,57 @@ manage_lnk_files_pattern(openvswitch_t, openvswitch_var_lib_t, openvswitch_var_l
+@@ -48,9 +53,7 @@ manage_lnk_files_pattern(openvswitch_t, openvswitch_var_lib_t, openvswitch_var_l
  files_var_lib_filetrans(openvswitch_t, openvswitch_var_lib_t, { dir file lnk_file })
  
  manage_dirs_pattern(openvswitch_t, openvswitch_log_t, openvswitch_log_t)
@@ -60278,14 +63714,7 @@ index 508fedf..452ad74 100644
  manage_lnk_files_pattern(openvswitch_t, openvswitch_log_t, openvswitch_log_t)
  logging_log_filetrans(openvswitch_t, openvswitch_log_t, { dir file lnk_file })
  
-+manage_dirs_pattern(openvswitch_t, openvswitch_tmp_t, openvswitch_tmp_t)
-+manage_files_pattern(openvswitch_t, openvswitch_tmp_t, openvswitch_tmp_t)
-+manage_lnk_files_pattern(openvswitch_t, openvswitch_tmp_t, openvswitch_tmp_t)
-+files_tmp_filetrans(openvswitch_t, openvswitch_tmp_t, { file dir })
-+
- manage_dirs_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t)
- manage_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t)
- manage_sock_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t)
+@@ -65,33 +68,42 @@ manage_sock_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_
  manage_lnk_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t)
  files_pid_filetrans(openvswitch_t, openvswitch_var_run_t, { dir file lnk_file })
  
@@ -61103,10 +64532,15 @@ index 9682d9a..d47f913 100644
 +	')
  ')
 diff --git a/pacemaker.te b/pacemaker.te
-index 3dd8ada..993c92c 100644
+index 6e6efb6..993c92c 100644
 --- a/pacemaker.te
 +++ b/pacemaker.te
-@@ -5,6 +5,13 @@ policy_module(pacemaker, 1.0.2)
+@@ -1,10 +1,17 @@
+-policy_module(pacemaker, 1.1.0)
++policy_module(pacemaker, 1.0.2)
+ 
+ ########################################
+ #
  # Declarations
  #
  
@@ -61229,9 +64663,15 @@ index 6e097c9..503c97a 100644
  	domain_system_change_exemption($1)
  	role_transition $2 pads_initrc_exec_t system_r;
 diff --git a/pads.te b/pads.te
-index 29a7364..446e5ca 100644
+index 078adc4..446e5ca 100644
 --- a/pads.te
 +++ b/pads.te
+@@ -1,4 +1,4 @@
+-policy_module(pads, 1.1.0)
++policy_module(pads, 1.0.1)
+ 
+ ########################################
+ #
 @@ -25,8 +25,11 @@ files_pid_file(pads_var_run_t)
  #
  
@@ -61460,11 +64900,11 @@ index bf59ef7..2d8335f 100644
 +')
 +
 diff --git a/passenger.te b/passenger.te
-index 4e114ff..d688bab 100644
+index 08ec33b..d688bab 100644
 --- a/passenger.te
 +++ b/passenger.te
 @@ -1,4 +1,4 @@
--policy_module(passanger, 1.0.3)
+-policy_module(passanger, 1.1.1)
 +policy_module(passanger, 1.0.0)
  
  ########################################
@@ -61511,7 +64951,7 @@ index 4e114ff..d688bab 100644
  
  manage_dirs_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t)
  manage_files_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t)
-@@ -45,19 +50,22 @@ manage_fifo_files_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t)
+@@ -45,7 +50,11 @@ manage_fifo_files_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t)
  manage_sock_files_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t)
  files_pid_filetrans(passenger_t, passenger_var_run_t, { file dir sock_file })
  
@@ -61524,8 +64964,8 @@ index 4e114ff..d688bab 100644
  
  kernel_read_system_state(passenger_t)
  kernel_read_kernel_sysctls(passenger_t)
-+kernel_read_network_state(passenger_t)
-+kernel_read_net_sysctls(passenger_t)
+@@ -53,13 +62,10 @@ kernel_read_network_state(passenger_t)
+ kernel_read_net_sysctls(passenger_t)
  
  corenet_all_recvfrom_netlabel(passenger_t)
 -corenet_all_recvfrom_unlabeled(passenger_t)
@@ -61539,7 +64979,7 @@ index 4e114ff..d688bab 100644
  
  corecmd_exec_bin(passenger_t)
  corecmd_exec_shell(passenger_t)
-@@ -66,19 +74,20 @@ dev_read_urand(passenger_t)
+@@ -68,8 +74,6 @@ dev_read_urand(passenger_t)
  
  domain_read_all_domains_state(passenger_t)
  
@@ -61548,13 +64988,7 @@ index 4e114ff..d688bab 100644
  auth_use_nsswitch(passenger_t)
  
  logging_send_syslog_msg(passenger_t)
- 
- miscfiles_read_localization(passenger_t)
- 
-+sysnet_exec_ifconfig(passenger_t)
-+
- userdom_dontaudit_use_user_terminals(passenger_t)
- 
+@@ -83,6 +87,7 @@ userdom_dontaudit_use_user_terminals(passenger_t)
  optional_policy(`
  	apache_append_log(passenger_t)
  	apache_read_sys_content(passenger_t)
@@ -61562,7 +64996,7 @@ index 4e114ff..d688bab 100644
  ')
  
  optional_policy(`
-@@ -90,14 +99,21 @@ optional_policy(`
+@@ -94,14 +99,21 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -61591,9 +65025,15 @@ index 4e114ff..d688bab 100644
 +    rpm_read_db(passenger_t)
  ')
 diff --git a/pcmcia.te b/pcmcia.te
-index 3ad10b5..49baca5 100644
+index 8176e4a..49baca5 100644
 --- a/pcmcia.te
 +++ b/pcmcia.te
+@@ -1,4 +1,4 @@
+-policy_module(pcmcia, 1.7.0)
++policy_module(pcmcia, 1.6.1)
+ 
+ ########################################
+ #
 @@ -88,20 +88,17 @@ libs_exec_lib_files(cardmgr_t)
  
  logging_send_syslog_msg(cardmgr_t)
@@ -62113,9 +65553,15 @@ index 43d50f9..7f77d32 100644
  
  ########################################
 diff --git a/pcscd.te b/pcscd.te
-index 96db654..a958595 100644
+index 1fb1964..a958595 100644
 --- a/pcscd.te
 +++ b/pcscd.te
+@@ -1,4 +1,4 @@
+-policy_module(pcscd, 1.8.0)
++policy_module(pcscd, 1.7.3)
+ 
+ ########################################
+ #
 @@ -22,10 +22,11 @@ init_daemon_run_dir(pcscd_var_run_t, "pcscd")
  #
  
@@ -62333,11 +65779,11 @@ index d2fc677..ded726f 100644
  ')
 +
 diff --git a/pegasus.te b/pegasus.te
-index 7bcf327..37539ec 100644
+index 608f454..37539ec 100644
 --- a/pegasus.te
 +++ b/pegasus.te
 @@ -1,17 +1,16 @@
--policy_module(pegasus, 1.8.3)
+-policy_module(pegasus, 1.9.0)
 +policy_module(pegasus, 1.8.0)
  
  ########################################
@@ -62846,6 +66292,16 @@ index 7bcf327..37539ec 100644
  	virt_domtrans(pegasus_t)
  	virt_stream_connect(pegasus_t)
  	virt_manage_config(pegasus_t)
+diff --git a/perdition.te b/perdition.te
+index 9feb1ef..39027de 100644
+--- a/perdition.te
++++ b/perdition.te
+@@ -1,4 +1,4 @@
+-policy_module(perdition, 1.8.0)
++policy_module(perdition, 1.7.1)
+ 
+ ########################################
+ #
 diff --git a/pesign.fc b/pesign.fc
 new file mode 100644
 index 0000000..7b54c39
@@ -63041,9 +66497,15 @@ index 21a6ecb..b99e4cb 100644
  	domain_system_change_exemption($1)
  	role_transition $2 pingd_initrc_exec_t system_r;
 diff --git a/pingd.te b/pingd.te
-index 0f77942..1ee68e9 100644
+index ab01060..1ee68e9 100644
 --- a/pingd.te
 +++ b/pingd.te
+@@ -1,4 +1,4 @@
+-policy_module(pingd, 1.1.0)
++policy_module(pingd, 1.0.1)
+ 
+ ########################################
+ #
 @@ -10,7 +10,7 @@ type pingd_exec_t;
  init_daemon_domain(pingd_t, pingd_exec_t)
  
@@ -63589,7 +67051,7 @@ index 0000000..a989aea
 +sysnet_read_config(piranha_domain)
 diff --git a/pkcs.fc b/pkcs.fc
 deleted file mode 100644
-index f9dc0be..0000000
+index 9a72226..0000000
 --- a/pkcs.fc
 +++ /dev/null
 @@ -1,7 +0,0 @@
@@ -63599,7 +67061,7 @@ index f9dc0be..0000000
 -
 -/var/lib/opencryptoki(/.*)?	gen_context(system_u:object_r:pkcs_slotd_var_lib_t,s0)
 -
--/var/run/pkcsslotd\.pid	--	gen_context(system_u:object_r:pkcs_slotd_var_run_t,s0)
+-/var/run/pkcsslotd.*	gen_context(system_u:object_r:pkcs_slotd_var_run_t,s0)
 diff --git a/pkcs.if b/pkcs.if
 deleted file mode 100644
 index 69be2aa..0000000
@@ -63653,11 +67115,11 @@ index 69be2aa..0000000
 -')
 diff --git a/pkcs.te b/pkcs.te
 deleted file mode 100644
-index 977b972..0000000
+index 8eb3f7b..0000000
 --- a/pkcs.te
 +++ /dev/null
-@@ -1,58 +0,0 @@
--policy_module(pkcs, 1.0.0)
+@@ -1,60 +0,0 @@
+-policy_module(pkcs, 1.0.1)
 -
 -########################################
 -#
@@ -63688,7 +67150,7 @@ index 977b972..0000000
 -# Local policy
 -#
 -
--allow pkcs_slotd_t self:capability kill;
+-allow pkcs_slotd_t self:capability { fsetid kill chown };
 -allow pkcs_slotd_t self:fifo_file rw_fifo_file_perms;
 -allow pkcs_slotd_t self:sem create_sem_perms;
 -allow pkcs_slotd_t self:shm create_shm_perms;
@@ -63699,8 +67161,10 @@ index 977b972..0000000
 -manage_lnk_files_pattern(pkcs_slotd_t, pkcs_slotd_var_lib_t, pkcs_slotd_var_lib_t)
 -files_var_lib_filetrans(pkcs_slotd_t, pkcs_slotd_var_lib_t, dir)
 -
+-manage_dirs_pattern(pkcs_slotd_t, pkcs_slotd_var_run_t, pkcs_slotd_var_run_t)
 -manage_files_pattern(pkcs_slotd_t, pkcs_slotd_var_run_t, pkcs_slotd_var_run_t)
--files_pid_filetrans(pkcs_slotd_t, pkcs_slotd_var_run_t, file)
+-manage_sock_files_pattern(pkcs_slotd_t, pkcs_slotd_var_run_t, pkcs_slotd_var_run_t)
+-files_pid_filetrans(pkcs_slotd_t, pkcs_slotd_var_run_t, { sock_file file dir })
 -
 -manage_dirs_pattern(pkcs_slotd_t, pkcs_slotd_tmp_t, pkcs_slotd_tmp_t)
 -manage_files_pattern(pkcs_slotd_t, pkcs_slotd_tmp_t, pkcs_slotd_tmp_t)
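Review bot: the upstream lines picked up here (manage_dirs_pattern and manage_sock_files_pattern on pkcs_slotd_var_run_t, and files_pid_filetrans with { sock_file file dir }) are discarded because this patch still deletes pkcs.te wholesale. Upstream's pkcs.fc entry was widened to /var/run/pkcsslotd.* in the same rebase, so the daemon's runtime state is no longer a single pid file. Please confirm that whatever policy confines pkcsslotd on f20 also allows a runtime directory and socket under /var/run, otherwise f20 will see AVC denials that upstream has already addressed.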
@@ -64970,11 +68434,11 @@ index 30e751f..61feb3a 100644
  	admin_pattern($1, plymouthd_var_run_t)
  ')
 diff --git a/plymouthd.te b/plymouthd.te
-index b1f412b..b78836f 100644
+index 3078ce9..b78836f 100644
 --- a/plymouthd.te
 +++ b/plymouthd.te
 @@ -1,4 +1,4 @@
--policy_module(plymouthd, 1.1.4)
+-policy_module(plymouthd, 1.2.0)
 +policy_module(plymouthd, 1.0.1)
  
  ########################################
@@ -65096,9 +68560,15 @@ index b1f412b..b78836f 100644
  		hal_dontaudit_write_log(plymouth_t)
  		hal_dontaudit_rw_pipes(plymouth_t)
 diff --git a/podsleuth.te b/podsleuth.te
-index a14b3bc..b196183 100644
+index 9123f71..b196183 100644
 --- a/podsleuth.te
 +++ b/podsleuth.te
+@@ -1,4 +1,4 @@
+-policy_module(podsleuth, 1.7.0)
++policy_module(podsleuth, 1.6.1)
+ 
+ ########################################
+ #
 @@ -29,7 +29,8 @@ userdom_user_tmpfs_file(podsleuth_tmpfs_t)
  #
  
@@ -65412,16 +68882,16 @@ index 032a84d..be00a65 100644
 +	allow $1 policykit_auth_t:process signal;
  ')
 diff --git a/policykit.te b/policykit.te
-index 49694e8..55d1871 100644
+index ee91778..55d1871 100644
 --- a/policykit.te
 +++ b/policykit.te
 @@ -1,4 +1,4 @@
--policy_module(policykit, 1.2.8)
+-policy_module(policykit, 1.3.0)
 +policy_module(policykit, 1.1.0)
  
  ########################################
  #
-@@ -7,9 +7,6 @@ policy_module(policykit, 1.2.8)
+@@ -7,9 +7,6 @@ policy_module(policykit, 1.3.0)
  
  attribute policykit_domain;
  
@@ -66019,16 +69489,16 @@ index ae27bb7..d00f6ba 100644
 +	allow $1 polipo_unit_file_t:service all_service_perms;
  ')
 diff --git a/polipo.te b/polipo.te
-index 316d53a..6646219 100644
+index 9764bfe..6646219 100644
 --- a/polipo.te
 +++ b/polipo.te
 @@ -1,4 +1,4 @@
--policy_module(polipo, 1.0.4)
+-policy_module(polipo, 1.1.1)
 +policy_module(polipo, 1.0.0)
  
  ########################################
  #
-@@ -7,19 +7,27 @@ policy_module(polipo, 1.0.4)
+@@ -7,19 +7,27 @@ policy_module(polipo, 1.1.1)
  
  ## <desc>
  ##	<p>
@@ -66095,7 +69565,7 @@ index 316d53a..6646219 100644
  
  type polipo_cache_t;
  files_type(polipo_cache_t)
-@@ -56,112 +63,98 @@ files_type(polipo_cache_t)
+@@ -56,116 +63,98 @@ files_type(polipo_cache_t)
  type polipo_log_t;
  logging_log_file(polipo_log_t)
  
@@ -66202,24 +69672,24 @@ index 316d53a..6646219 100644
  optional_policy(`
 -	cron_system_entry(polipo_system_t, polipo_exec_t)
 +	cron_system_entry(polipo_t, polipo_exec_t)
-+')
-+
-+tunable_policy(`polipo_connect_all_unreserved',`
-+    corenet_tcp_connect_all_unreserved_ports(polipo_t)
  ')
  
 -tunable_policy(`polipo_system_use_cifs',`
 -	fs_manage_cifs_files(polipo_system_t)
 -',`
 -	fs_dontaudit_read_cifs_files(polipo_system_t)
-+tunable_policy(`polipo_use_cifs',`
-+	fs_manage_cifs_files(polipo_t)
++tunable_policy(`polipo_connect_all_unreserved',`
++    corenet_tcp_connect_all_unreserved_ports(polipo_t)
  ')
  
 -tunable_policy(`polipo_system_use_nfs',`
 -	fs_manage_nfs_files(polipo_system_t)
 -',`
 -	fs_dontaudit_read_nfs_files(polipo_system_t)
++tunable_policy(`polipo_use_cifs',`
++	fs_manage_cifs_files(polipo_t)
++')
++
 +tunable_policy(`polipo_use_nfs',`
 +	fs_manage_nfs_files(polipo_t)
  ')
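Review bot: the polipo_use_cifs and polipo_use_nfs tunables are added without the else branch that the removed upstream blocks carried (fs_dontaudit_read_cifs_files and fs_dontaudit_read_nfs_files), so with the booleans off those reads will be logged as denials instead of being silenced. If that is intended, say so in a comment; otherwise restore the else branches for polipo_t. Separately, the corenet_tcp_connect_all_unreserved_ports(polipo_t) line is indented with four spaces where the neighbouring rules use a tab.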
@@ -66238,17 +69708,21 @@ index 316d53a..6646219 100644
 -corenet_tcp_sendrecv_generic_if(polipo_daemon)
 -corenet_tcp_sendrecv_generic_node(polipo_daemon)
 -corenet_tcp_bind_generic_node(polipo_daemon)
-+read_files_pattern(polipo_session_t, polipo_config_home_t, polipo_config_home_t)
-+manage_files_pattern(polipo_session_t, polipo_cache_home_t, polipo_cache_home_t)
- 
+-
 -corenet_sendrecv_http_client_packets(polipo_daemon)
 -corenet_tcp_sendrecv_http_port(polipo_daemon)
 -corenet_tcp_connect_http_port(polipo_daemon)
-+auth_use_nsswitch(polipo_session_t)
++read_files_pattern(polipo_session_t, polipo_config_home_t, polipo_config_home_t)
++manage_files_pattern(polipo_session_t, polipo_cache_home_t, polipo_cache_home_t)
  
 -corenet_sendrecv_http_cache_server_packets(polipo_daemon)
 -corenet_tcp_sendrecv_http_cache_port(polipo_daemon)
 -corenet_tcp_bind_http_cache_port(polipo_daemon)
++auth_use_nsswitch(polipo_session_t)
+ 
+-corenet_sendrecv_tor_client_packets(polipo_daemon)
+-corenet_tcp_sendrecv_tor_port(polipo_daemon)
+-corenet_tcp_connect_tor_port(polipo_daemon)
 +userdom_use_user_terminals(polipo_session_t)
  
 -files_read_usr_files(polipo_daemon)
@@ -66275,9 +69749,15 @@ index 67e8c12..18b89d7 100644
  
  	allow $1 self:capability { fowner fsetid mknod setgid setuid chown dac_override net_raw };
 diff --git a/portage.te b/portage.te
-index a95fc4a..b9b5418 100644
+index b410c67..b9b5418 100644
 --- a/portage.te
 +++ b/portage.te
+@@ -1,4 +1,4 @@
+-policy_module(portage, 1.14.0)
++policy_module(portage, 1.13.7)
+ 
+ ########################################
+ #
 @@ -108,7 +108,6 @@ domain_use_interactive_fds(gcc_config_t)
  
  files_manage_etc_files(gcc_config_t)
@@ -66314,9 +69794,15 @@ index cd45831..69406ee 100644
  /var/run/portmap\.upgrade-state	--	gen_context(system_u:object_r:portmap_var_run_t,s0)
  /var/run/portmap_mapping	--	gen_context(system_u:object_r:portmap_var_run_t,s0)
 diff --git a/portmap.te b/portmap.te
-index 738c13b..04a202e 100644
+index 18b255e..04a202e 100644
 --- a/portmap.te
 +++ b/portmap.te
+@@ -1,4 +1,4 @@
+-policy_module(portmap, 1.11.0)
++policy_module(portmap, 1.10.1)
+ 
+ ########################################
+ #
 @@ -45,7 +45,6 @@ files_pid_filetrans(portmap_t, portmap_var_run_t, file)
  kernel_read_system_state(portmap_t)
  kernel_read_kernel_sysctls(portmap_t)
@@ -66385,9 +69871,15 @@ index 5ad5291..7f1ae2a 100644
  	portreserve_initrc_domtrans($1)
  	domain_system_change_exemption($1)
 diff --git a/portreserve.te b/portreserve.te
-index a38b57a..49758db 100644
+index 00b01e2..49758db 100644
 --- a/portreserve.te
 +++ b/portreserve.te
+@@ -1,4 +1,4 @@
+-policy_module(portreserve, 1.4.0)
++policy_module(portreserve, 1.3.1)
+ 
+ ########################################
+ #
 @@ -41,7 +41,6 @@ files_pid_filetrans(portreserve_t, portreserve_var_run_t, { file sock_file dir }
  
  corecmd_getattr_bin_files(portreserve_t)
@@ -66408,9 +69900,15 @@ index a38b57a..49758db 100644
 +    sssd_search_lib(portreserve_t)
 +')
 diff --git a/portslave.te b/portslave.te
-index e85e33d..a7d7c55 100644
+index cbe36c1..a7d7c55 100644
 --- a/portslave.te
 +++ b/portslave.te
+@@ -1,4 +1,4 @@
+-policy_module(portslave, 1.8.0)
++policy_module(portslave, 1.7.2)
+ 
+ ########################################
+ #
 @@ -48,7 +48,6 @@ kernel_read_kernel_sysctls(portslave_t)
  corecmd_exec_bin(portslave_t)
  corecmd_exec_shell(portslave_t)
@@ -66521,7 +70019,7 @@ index c0e8785..c0e0959 100644
 +/var/spool/postfix/bounce(/.*)? gen_context(system_u:object_r:postfix_spool_bounce_t,s0)
  /var/spool/postfix/flush(/.*)?	gen_context(system_u:object_r:postfix_spool_flush_t,s0)
 diff --git a/postfix.if b/postfix.if
-index 2e23946..d8a163f 100644
+index ded95ec..d8a163f 100644
 --- a/postfix.if
 +++ b/postfix.if
 @@ -1,4 +1,4 @@
@@ -67241,7 +70739,7 @@ index 2e23946..d8a163f 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -710,37 +801,137 @@ interface(`postfix_domtrans_user_mail_handler',`
+@@ -710,38 +801,137 @@ interface(`postfix_domtrans_user_mail_handler',`
  #
  interface(`postfix_admin',`
  	gen_require(`
@@ -67249,6 +70747,7 @@ index 2e23946..d8a163f 100644
 -		type postfix_initrc_exec_t, postfix_prng_t, postfix_etc_t;
 -		type postfix_data_t, postfix_var_run_t, postfix_public_t;
 -		type postfix_private_t, postfix_map_tmp_t, postfix_exec_t;
+-		type postfix_keytab_t;
 +		attribute postfix_spool_type;
 +		type postfix_bounce_t, postfix_cleanup_t, postfix_local_t;
 +		type postfix_master_t, postfix_pickup_t, postfix_qmgr_t;
@@ -67302,7 +70801,7 @@ index 2e23946..d8a163f 100644
  	allow $2 system_r;
  
 -	files_search_etc($1)
--	admin_pattern($1, { postfix_prng_t postfix_etc_t postfix_exec_t })
+-	admin_pattern($1, { postfix_prng_t postfix_etc_t postfix_exec_t postfix_keytab_t })
 +	admin_pattern($1, postfix_data_t) 
  
 -	files_search_spool($1)
@@ -67400,16 +70899,16 @@ index 2e23946..d8a163f 100644
 +	postfix_config_filetrans($1, postfix_prng_t, file, "prng_exch")
  ')
 diff --git a/postfix.te b/postfix.te
-index 191a66f..f88edc4 100644
+index 5cfb83e..f88edc4 100644
 --- a/postfix.te
 +++ b/postfix.te
 @@ -1,4 +1,4 @@
--policy_module(postfix, 1.14.10)
+-policy_module(postfix, 1.15.1)
 +policy_module(postfix, 1.14.0)
  
  ########################################
  #
-@@ -6,27 +6,23 @@ policy_module(postfix, 1.14.10)
+@@ -6,27 +6,23 @@ policy_module(postfix, 1.15.1)
  #
  
  ## <desc>
@@ -67443,7 +70942,13 @@ index 191a66f..f88edc4 100644
  
  postfix_server_domain_template(cleanup)
  
-@@ -39,16 +35,19 @@ application_executable_file(postfix_exec_t)
+@@ -36,22 +32,22 @@ files_config_file(postfix_etc_t)
+ type postfix_exec_t;
+ application_executable_file(postfix_exec_t)
+ 
+-type postfix_keytab_t;
+-files_type(postfix_keytab_t)
+-
  postfix_server_domain_template(local)
  mta_mailserver_delivery(postfix_local_t)
  
@@ -67464,7 +70969,7 @@ index 191a66f..f88edc4 100644
  mta_mailserver(postfix_t, postfix_master_exec_t)
  
  type postfix_initrc_exec_t;
-@@ -60,6 +59,7 @@ postfix_server_domain_template(pipe)
+@@ -63,6 +59,7 @@ postfix_server_domain_template(pipe)
  
  postfix_user_domain_template(postdrop)
  mta_mailserver_user_agent(postfix_postdrop_t)
@@ -67472,7 +70977,7 @@ index 191a66f..f88edc4 100644
  
  postfix_user_domain_template(postqueue)
  mta_mailserver_user_agent(postfix_postqueue_t)
-@@ -80,13 +80,13 @@ mta_mailserver_sender(postfix_smtp_t)
+@@ -83,13 +80,13 @@ mta_mailserver_sender(postfix_smtp_t)
  postfix_server_domain_template(smtpd)
  
  type postfix_spool_t, postfix_spool_type;
@@ -67489,7 +70994,7 @@ index 191a66f..f88edc4 100644
  
  type postfix_public_t;
  files_type(postfix_public_t)
-@@ -94,6 +94,7 @@ files_type(postfix_public_t)
+@@ -97,6 +94,7 @@ files_type(postfix_public_t)
  type postfix_var_run_t;
  files_pid_file(postfix_var_run_t)
  
@@ -67497,7 +71002,7 @@ index 191a66f..f88edc4 100644
  type postfix_data_t;
  files_type(postfix_data_t)
  
-@@ -102,160 +103,61 @@ mta_mailserver_delivery(postfix_virtual_t)
+@@ -105,164 +103,61 @@ mta_mailserver_delivery(postfix_virtual_t)
  
  ########################################
  #
@@ -67615,9 +71120,10 @@ index 191a66f..f88edc4 100644
  allow postfix_master_t postfix_data_t:dir manage_dir_perms;
  allow postfix_master_t postfix_data_t:file manage_file_perms;
  
--allow postfix_master_t postfix_map_exec_t:file { mmap_file_perms ioctl lock };
+-allow postfix_master_t postfix_keytab_t:file read_file_perms;
 +allow postfix_master_t postfix_map_exec_t:file { mmap_file_perms lock };
-+
+ 
+-allow postfix_master_t postfix_map_exec_t:file { mmap_file_perms ioctl lock };
 +allow postfix_master_t postfix_postdrop_exec_t:file getattr_file_perms;
  
 -allow postfix_master_t { postfix_postdrop_exec_t postfix_postqueue_exec_t }:file getattr_file_perms;
@@ -67649,7 +71155,7 @@ index 191a66f..f88edc4 100644
  manage_files_pattern(postfix_master_t, postfix_spool_flush_t, postfix_spool_flush_t)
  manage_lnk_files_pattern(postfix_master_t, postfix_spool_flush_t, postfix_spool_flush_t)
 -filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_spool_flush_t, dir, "flush")
- 
+-
 -create_dirs_pattern(postfix_master_t, postfix_spool_t, postfix_private_t)
 -manage_fifo_files_pattern(postfix_master_t, postfix_private_t, postfix_private_t)
 -manage_sock_files_pattern(postfix_master_t, postfix_private_t, postfix_private_t)
@@ -67666,15 +71172,17 @@ index 191a66f..f88edc4 100644
 -delete_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
 -rename_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
 -setattr_dirs_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
+-filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_spool_maildrop_t, dir, "defer")
+-filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_spool_maildrop_t, dir, "deferred")
 -filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_spool_maildrop_t, dir, "maildrop")
--
+ 
 -create_dirs_pattern(postfix_master_t, postfix_spool_t, postfix_var_run_t)
 -setattr_dirs_pattern(postfix_master_t, postfix_var_run_t, postfix_var_run_t)
 -filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_var_run_t, dir, "pid")
--
--can_exec(postfix_master_t, postfix_exec_t)
 +manage_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
  
+-can_exec(postfix_master_t, postfix_exec_t)
+-
 -domtrans_pattern(postfix_master_t, postfix_postqueue_exec_t, postfix_postqueue_t)
 -domtrans_pattern(postfix_master_t, postfix_showq_exec_t, postfix_showq_t)
 +kernel_read_all_sysctls(postfix_master_t)
@@ -67683,7 +71191,7 @@ index 191a66f..f88edc4 100644
  corenet_all_recvfrom_netlabel(postfix_master_t)
  corenet_tcp_sendrecv_generic_if(postfix_master_t)
  corenet_udp_sendrecv_generic_if(postfix_master_t)
-@@ -263,64 +165,50 @@ corenet_tcp_sendrecv_generic_node(postfix_master_t)
+@@ -270,65 +165,50 @@ corenet_tcp_sendrecv_generic_node(postfix_master_t)
  corenet_udp_sendrecv_generic_node(postfix_master_t)
  corenet_tcp_sendrecv_all_ports(postfix_master_t)
  corenet_udp_sendrecv_all_ports(postfix_master_t)
@@ -67745,6 +71253,11 @@ index 191a66f..f88edc4 100644
  
 -optional_policy(`
 -	cyrus_stream_connect(postfix_master_t)
+-')
+-
+-optional_policy(`
+-	kerberos_read_keytab(postfix_master_t)
+-	kerberos_use(postfix_master_t)
 +ifdef(`distro_redhat',`
 +	# for newer main.cf that uses /etc/aliases
 +	mta_manage_aliases(postfix_master_t)
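Review bot: the optional_policy block granting kerberos_read_keytab and kerberos_use to postfix_master_t is removed in this hunk with no counterpart among the added lines, and the postfix_keytab_t type is dropped from postfix.te and postfix.if elsewhere in this patch. That is a tightening, but the commit subject does not mention it. Please confirm that no supported f20 postfix setup needs Kerberos from the master domain, or keep kerberos_use(postfix_master_t) inside an optional_policy block.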
@@ -67752,10 +71265,6 @@ index 191a66f..f88edc4 100644
  ')
  
  optional_policy(`
--	kerberos_keytab_template(postfix, postfix_t)
--')
--
--optional_policy(`
 -	mailman_manage_data_files(postfix_master_t)
 +	cyrus_stream_connect(postfix_master_t)
  ')
@@ -67766,7 +71275,7 @@ index 191a66f..f88edc4 100644
  ')
  
  optional_policy(`
-@@ -333,12 +221,14 @@ optional_policy(`
+@@ -341,12 +221,14 @@ optional_policy(`
  
  ########################################
  #
@@ -67783,7 +71292,7 @@ index 191a66f..f88edc4 100644
  
  manage_dirs_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t)
  manage_files_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t)
-@@ -355,37 +245,34 @@ manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool
+@@ -363,37 +245,34 @@ manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool
  
  ########################################
  #
@@ -67830,7 +71339,7 @@ index 191a66f..f88edc4 100644
  
  optional_policy(`
  	mailman_read_data_files(postfix_cleanup_t)
-@@ -393,36 +280,50 @@ optional_policy(`
+@@ -401,36 +280,50 @@ optional_policy(`
  
  ########################################
  #
@@ -67890,7 +71399,7 @@ index 191a66f..f88edc4 100644
  ')
  
  optional_policy(`
-@@ -434,16 +335,25 @@ optional_policy(`
+@@ -442,16 +335,25 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -67916,7 +71425,7 @@ index 191a66f..f88edc4 100644
  	procmail_domtrans(postfix_local_t)
  ')
  
-@@ -458,15 +368,17 @@ optional_policy(`
+@@ -466,15 +368,17 @@ optional_policy(`
  
  ########################################
  #
@@ -67940,7 +71449,7 @@ index 191a66f..f88edc4 100644
  
  manage_dirs_pattern(postfix_map_t, postfix_map_tmp_t, postfix_map_tmp_t)
  manage_files_pattern(postfix_map_t, postfix_map_tmp_t, postfix_map_tmp_t)
-@@ -476,14 +388,15 @@ kernel_read_kernel_sysctls(postfix_map_t)
+@@ -484,14 +388,15 @@ kernel_read_kernel_sysctls(postfix_map_t)
  kernel_dontaudit_list_proc(postfix_map_t)
  kernel_dontaudit_read_system_state(postfix_map_t)
  
@@ -67960,7 +71469,7 @@ index 191a66f..f88edc4 100644
  
  corecmd_list_bin(postfix_map_t)
  corecmd_read_bin_symlinks(postfix_map_t)
-@@ -492,7 +405,6 @@ corecmd_read_bin_pipes(postfix_map_t)
+@@ -500,7 +405,6 @@ corecmd_read_bin_pipes(postfix_map_t)
  corecmd_read_bin_sockets(postfix_map_t)
  
  files_list_home(postfix_map_t)
@@ -67968,7 +71477,7 @@ index 191a66f..f88edc4 100644
  files_read_etc_runtime_files(postfix_map_t)
  files_dontaudit_search_var(postfix_map_t)
  
-@@ -500,21 +412,22 @@ auth_use_nsswitch(postfix_map_t)
+@@ -508,21 +412,22 @@ auth_use_nsswitch(postfix_map_t)
  
  logging_send_syslog_msg(postfix_map_t)
  
@@ -67994,7 +71503,7 @@ index 191a66f..f88edc4 100644
  stream_connect_pattern(postfix_pickup_t, postfix_private_t, postfix_private_t, postfix_master_t)
  
  rw_fifo_files_pattern(postfix_pickup_t, postfix_public_t, postfix_public_t)
-@@ -524,21 +437,21 @@ allow postfix_pickup_t postfix_spool_t:dir list_dir_perms;
+@@ -532,21 +437,21 @@ allow postfix_pickup_t postfix_spool_t:dir list_dir_perms;
  read_files_pattern(postfix_pickup_t, postfix_spool_t, postfix_spool_t)
  delete_files_pattern(postfix_pickup_t, postfix_spool_t, postfix_spool_t)
  
@@ -68020,7 +71529,7 @@ index 191a66f..f88edc4 100644
  
  write_fifo_files_pattern(postfix_pipe_t, postfix_public_t, postfix_public_t)
  
-@@ -549,6 +462,10 @@ domtrans_pattern(postfix_pipe_t, postfix_postdrop_exec_t, postfix_postdrop_t)
+@@ -557,6 +462,10 @@ domtrans_pattern(postfix_pipe_t, postfix_postdrop_exec_t, postfix_postdrop_t)
  corecmd_exec_bin(postfix_pipe_t)
  
  optional_policy(`
@@ -68031,7 +71540,7 @@ index 191a66f..f88edc4 100644
  	dovecot_domtrans_deliver(postfix_pipe_t)
  ')
  
-@@ -576,19 +493,26 @@ optional_policy(`
+@@ -584,19 +493,26 @@ optional_policy(`
  
  ########################################
  #
@@ -68063,7 +71572,7 @@ index 191a66f..f88edc4 100644
  
  term_dontaudit_use_all_ptys(postfix_postdrop_t)
  term_dontaudit_use_all_ttys(postfix_postdrop_t)
-@@ -603,10 +527,7 @@ optional_policy(`
+@@ -611,10 +527,7 @@ optional_policy(`
  	cron_system_entry(postfix_postdrop_t, postfix_postdrop_exec_t)
  ')
  
@@ -68075,7 +71584,7 @@ index 191a66f..f88edc4 100644
  optional_policy(`
  	fstools_read_pipes(postfix_postdrop_t)
  ')
-@@ -621,17 +542,24 @@ optional_policy(`
+@@ -629,17 +542,24 @@ optional_policy(`
  
  #######################################
  #
@@ -68103,7 +71612,7 @@ index 191a66f..f88edc4 100644
  
  init_sigchld_script(postfix_postqueue_t)
  init_use_script_fds(postfix_postqueue_t)
-@@ -647,67 +575,77 @@ optional_policy(`
+@@ -655,69 +575,77 @@ optional_policy(`
  
  ########################################
  #
@@ -68184,11 +71693,12 @@ index 191a66f..f88edc4 100644
  
  rw_files_pattern(postfix_smtp_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
  
+-corenet_tcp_bind_generic_node(postfix_smtp_t)
 +# for spampd
 +corenet_tcp_connect_spamd_port(postfix_master_t)
 +
 +files_search_all_mountpoints(postfix_smtp_t)
-+
+ 
  optional_policy(`
  	cyrus_stream_connect(postfix_smtp_t)
  ')
@@ -68199,7 +71709,7 @@ index 191a66f..f88edc4 100644
  ')
  
  optional_policy(`
-@@ -720,28 +658,32 @@ optional_policy(`
+@@ -730,28 +658,32 @@ optional_policy(`
  
  ########################################
  #
@@ -68240,7 +71750,7 @@ index 191a66f..f88edc4 100644
  
  optional_policy(`
  	dovecot_stream_connect_auth(postfix_smtpd_t)
-@@ -754,6 +696,7 @@ optional_policy(`
+@@ -764,6 +696,7 @@ optional_policy(`
  
  optional_policy(`
  	milter_stream_connect_all(postfix_smtpd_t)
@@ -68248,7 +71758,7 @@ index 191a66f..f88edc4 100644
  ')
  
  optional_policy(`
-@@ -764,31 +707,99 @@ optional_policy(`
+@@ -774,31 +707,99 @@ optional_policy(`
  	sasl_connect(postfix_smtpd_t)
  ')
  
@@ -68380,9 +71890,15 @@ index 5de8173..985b877 100644
  	init_labeled_script_domtrans($1, postfix_policyd_initrc_exec_t)
  	domain_system_change_exemption($1)
 diff --git a/postfixpolicyd.te b/postfixpolicyd.te
-index 70f0533..77d4cd9 100644
+index ea1582a..77d4cd9 100644
 --- a/postfixpolicyd.te
 +++ b/postfixpolicyd.te
+@@ -1,4 +1,4 @@
+-policy_module(postfixpolicyd, 1.3.0)
++policy_module(postfixpolicyd, 1.2.1)
+ 
+ ########################################
+ #
 @@ -34,7 +34,6 @@ allow postfix_policyd_t postfix_policyd_conf_t:lnk_file read_lnk_file_perms;
  manage_files_pattern(postfix_policyd_t, postfix_policyd_var_run_t, postfix_policyd_var_run_t)
  files_pid_filetrans(postfix_policyd_t, postfix_policyd_var_run_t, file)
@@ -68441,9 +71957,15 @@ index b9e71b5..a7502cd 100644
  	domain_system_change_exemption($1)
  	role_transition $2 postgrey_initrc_exec_t system_r;
 diff --git a/postgrey.te b/postgrey.te
-index 3b11496..04e3809 100644
+index fd58805..04e3809 100644
 --- a/postgrey.te
 +++ b/postgrey.te
+@@ -1,4 +1,4 @@
+-policy_module(postgrey, 1.9.0)
++policy_module(postgrey, 1.8.1)
+ 
+ ########################################
+ #
 @@ -16,7 +16,7 @@ type postgrey_initrc_exec_t;
  init_script_file(postgrey_initrc_exec_t)
  
@@ -69044,16 +72566,16 @@ index cd8b8b9..6c73980 100644
 +	allow $1 pppd_unit_file_t:service all_service_perms;
  ')
 diff --git a/ppp.te b/ppp.te
-index b2b5dba..3ed75e7 100644
+index d616ca3..3ed75e7 100644
 --- a/ppp.te
 +++ b/ppp.te
 @@ -1,4 +1,4 @@
--policy_module(ppp, 1.13.5)
+-policy_module(ppp, 1.14.0)
 +policy_module(ppp, 1.13.0)
  
  ########################################
  #
-@@ -6,41 +6,47 @@ policy_module(ppp, 1.13.5)
+@@ -6,41 +6,47 @@ policy_module(ppp, 1.14.0)
  #
  
  ## <desc>
@@ -69563,16 +73085,16 @@ index 20d4697..e6605c1 100644
 +	files_etc_filetrans($1, prelink_cache_t, file, "prelink.cache")
 +')
 diff --git a/prelink.te b/prelink.te
-index c0f047a..e04bdd6 100644
+index 8e26216..e04bdd6 100644
 --- a/prelink.te
 +++ b/prelink.te
 @@ -1,4 +1,4 @@
--policy_module(prelink, 1.10.2)
+-policy_module(prelink, 1.11.0)
 +policy_module(prelink, 1.10.0)
  
  ########################################
  #
-@@ -6,13 +6,10 @@ policy_module(prelink, 1.10.2)
+@@ -6,13 +6,10 @@ policy_module(prelink, 1.11.0)
  
  attribute prelink_object;
  
@@ -69937,9 +73459,15 @@ index c83a838..f41a4f7 100644
  	admin_pattern($1, prelude_lml_tmp_t)
  ')
 diff --git a/prelude.te b/prelude.te
-index db864df..f7eb5e0 100644
+index 8f44609..f7eb5e0 100644
 --- a/prelude.te
 +++ b/prelude.te
+@@ -1,4 +1,4 @@
+-policy_module(prelude, 1.4.0)
++policy_module(prelude, 1.3.2)
+ 
+ ########################################
+ #
 @@ -13,7 +13,7 @@ type prelude_initrc_exec_t;
  init_script_file(prelude_initrc_exec_t)
  
@@ -70057,9 +73585,15 @@ index bdcee30..34f3143 100644
  	init_labeled_script_domtrans($1, privoxy_initrc_exec_t)
  	domain_system_change_exemption($1)
 diff --git a/privoxy.te b/privoxy.te
-index 85b1c9a..072d425 100644
+index ec21f80..072d425 100644
 --- a/privoxy.te
 +++ b/privoxy.te
+@@ -1,4 +1,4 @@
+-policy_module(privoxy, 1.12.0)
++policy_module(privoxy, 1.11.1)
+ 
+ ########################################
+ #
 @@ -85,6 +85,7 @@ corenet_sendrecv_tor_client_packets(privoxy_t)
  corenet_tcp_connect_tor_port(privoxy_t)
  corenet_tcp_sendrecv_tor_port(privoxy_t)
@@ -70258,11 +73792,11 @@ index 00edeab..166e9c3 100644
 +	read_files_pattern($1, procmail_home_t, procmail_home_t)
  ')
 diff --git a/procmail.te b/procmail.te
-index d447152..f3e6fbf 100644
+index cc426e6..f3e6fbf 100644
 --- a/procmail.te
 +++ b/procmail.te
 @@ -1,4 +1,4 @@
--policy_module(procmail, 1.12.2)
+-policy_module(procmail, 1.13.1)
 +policy_module(procmail, 1.12.0)
  
  ########################################
@@ -70293,7 +73827,7 @@ index d447152..f3e6fbf 100644
  allow procmail_t procmail_log_t:dir setattr_dir_perms;
  create_files_pattern(procmail_t, procmail_log_t, procmail_log_t)
  append_files_pattern(procmail_t, procmail_log_t, procmail_log_t)
-@@ -40,89 +44,108 @@ logging_log_filetrans(procmail_t, procmail_log_t, { file dir })
+@@ -40,83 +44,98 @@ logging_log_filetrans(procmail_t, procmail_log_t, { file dir })
  allow procmail_t procmail_tmp_t:file manage_file_perms;
  files_tmp_filetrans(procmail_t, procmail_tmp_t, file)
  
@@ -70428,18 +73962,16 @@ index d447152..f3e6fbf 100644
  	postfix_dontaudit_rw_local_tcp_sockets(procmail_t)
  	postfix_dontaudit_use_fds(procmail_t)
  	postfix_read_spool_files(procmail_t)
- 	postfix_read_local_state(procmail_t)
- 	postfix_read_master_state(procmail_t)
--	postfix_rw_master_pipes(procmail_t)
-+	postfix_rw_inherited_master_pipes(procmail_t)
-+')
-+
-+optional_policy(`
-+	nagios_search_spool(procmail_t)
+@@ -126,11 +145,18 @@ optional_policy(`
  ')
  
  optional_policy(`
-@@ -131,6 +154,9 @@ optional_policy(`
++	nagios_search_spool(procmail_t)
++')
++
++optional_policy(`
+ 	pyzor_domtrans(procmail_t)
+ 	pyzor_signal(procmail_t)
  ')
  
  optional_policy(`
@@ -70953,9 +74485,15 @@ index d4dcf78..3cce82e 100644
  	admin_pattern($1, psad_tmp_t)
  ')
 diff --git a/psad.te b/psad.te
-index 5427bb6..718c847 100644
+index b5d717b..718c847 100644
 --- a/psad.te
 +++ b/psad.te
+@@ -1,4 +1,4 @@
+-policy_module(psad, 1.1.0)
++policy_module(psad, 1.0.1)
+ 
+ ########################################
+ #
 @@ -66,7 +66,6 @@ kernel_read_net_sysctls(psad_t)
  corecmd_exec_bin(psad_t)
  corecmd_exec_shell(psad_t)
@@ -70981,10 +74519,24 @@ index 5427bb6..718c847 100644
  sysnet_exec_ifconfig(psad_t)
  
  optional_policy(`
+diff --git a/ptchown.fc b/ptchown.fc
+index dd96822..9fc398e 100644
+--- a/ptchown.fc
++++ b/ptchown.fc
+@@ -1,3 +1 @@
+ /usr/libexec/pt_chown	--	gen_context(system_u:object_r:ptchown_exec_t,s0)
+-
+-/usr/lib/pt_chown	--	gen_context(system_u:object_r:ptchown_exec_t,s0)
 diff --git a/ptchown.te b/ptchown.te
-index d67905e..2da9eca 100644
+index 28d2abc..2da9eca 100644
 --- a/ptchown.te
 +++ b/ptchown.te
+@@ -1,4 +1,4 @@
+-policy_module(ptchown, 1.2.0)
++policy_module(ptchown, 1.1.2)
+ 
+ ########################################
+ #
 @@ -21,7 +21,6 @@ role ptchown_roles types ptchown_t;
  allow ptchown_t self:capability { chown fowner fsetid setuid };
  allow ptchown_t self:process { getcap setcap };
@@ -70999,6 +74551,16 @@ index d67905e..2da9eca 100644
  
 -miscfiles_read_localization(ptchown_t)
 +auth_read_passwd(ptchown_t)
+diff --git a/publicfile.te b/publicfile.te
+index 3246bef..d7df1b3 100644
+--- a/publicfile.te
++++ b/publicfile.te
+@@ -1,4 +1,4 @@
+-policy_module(publicfile, 1.2.0)
++policy_module(publicfile, 1.1.1)
+ 
+ ########################################
+ #
 diff --git a/pulseaudio.fc b/pulseaudio.fc
 index 6864479..0e7d875 100644
 --- a/pulseaudio.fc
@@ -71023,10 +74585,10 @@ index 6864479..0e7d875 100644
 +/var/lib/pulse(/.*)?		gen_context(system_u:object_r:pulseaudio_var_lib_t,s0)
 +/var/run/pulse(/.*)?		gen_context(system_u:object_r:pulseaudio_var_run_t,s0)
 diff --git a/pulseaudio.if b/pulseaudio.if
-index fa3dc8e..99cfa95 100644
+index 45843b5..99cfa95 100644
 --- a/pulseaudio.if
 +++ b/pulseaudio.if
-@@ -2,47 +2,44 @@
+@@ -2,43 +2,44 @@
  
  ########################################
  ## <summary>
@@ -71057,20 +74619,16 @@ index fa3dc8e..99cfa95 100644
  
 -	pulseaudio_run($2, $1)
 +	role $1 types pulseaudio_t;
- 
--	allow $2 pulseaudio_t:process { ptrace signal_perms };
--	ps_process_pattern($2, pulseaudio_t)
++
 +	# Transition from the user domain to the derived domain.
 +	domtrans_pattern($2, pulseaudio_exec_t, pulseaudio_t)
  
+-	allow $2 pulseaudio_t:process { ptrace signal_perms };
+ 	ps_process_pattern($2, pulseaudio_t)
+ 
 -	allow $2 pulseaudio_home_t:dir { manage_dir_perms relabel_dir_perms };
 -	allow $2 pulseaudio_home_t:file { manage_file_perms relabel_file_perms };
 -	allow $2 pulseaudio_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
-+	ps_process_pattern($2, pulseaudio_t)
- 
--	userdom_user_home_dir_filetrans($2, pulseaudio_home_t, dir, ".pulse")
--	userdom_user_home_dir_filetrans($2, pulseaudio_home_t, file, ".esd_auth")
--	userdom_user_home_dir_filetrans($2, pulseaudio_home_t, file, ".pulse-cookie")
 +	allow pulseaudio_t $2:process { signal signull };
 +	allow $2 pulseaudio_t:process { signal signull sigkill };
 +	ps_process_pattern(pulseaudio_t, $2)
@@ -71092,7 +74650,7 @@ index fa3dc8e..99cfa95 100644
  ')
  
  ########################################
-@@ -69,9 +66,8 @@ interface(`pulseaudio_domtrans',`
+@@ -65,9 +66,8 @@ interface(`pulseaudio_domtrans',`
  
  ########################################
  ## <summary>
@@ -71104,7 +74662,7 @@ index fa3dc8e..99cfa95 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -86,16 +82,16 @@ interface(`pulseaudio_domtrans',`
+@@ -82,16 +82,16 @@ interface(`pulseaudio_domtrans',`
  #
  interface(`pulseaudio_run',`
  	gen_require(`
@@ -71124,7 +74682,7 @@ index fa3dc8e..99cfa95 100644
  ## </summary>
  ## <param name="domain">
  ## <summary>
-@@ -108,13 +104,12 @@ interface(`pulseaudio_exec',`
+@@ -104,13 +104,12 @@ interface(`pulseaudio_exec',`
  		type pulseaudio_exec_t;
  	')
  
@@ -71139,7 +74697,7 @@ index fa3dc8e..99cfa95 100644
  ## </summary>
  ## <param name="domain">
  ## <summary>
-@@ -132,7 +127,7 @@ interface(`pulseaudio_dontaudit_exec',`
+@@ -128,7 +127,7 @@ interface(`pulseaudio_dontaudit_exec',`
  
  ########################################
  ## <summary>
@@ -71148,7 +74706,7 @@ index fa3dc8e..99cfa95 100644
  ##	processes.
  ## </summary>
  ## <param name="domain">
-@@ -151,8 +146,8 @@ interface(`pulseaudio_signull',`
+@@ -147,8 +146,8 @@ interface(`pulseaudio_signull',`
  
  #####################################
  ## <summary>
@@ -71159,7 +74717,7 @@ index fa3dc8e..99cfa95 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -162,11 +157,15 @@ interface(`pulseaudio_signull',`
+@@ -158,11 +157,15 @@ interface(`pulseaudio_signull',`
  #
  interface(`pulseaudio_stream_connect',`
  	gen_require(`
@@ -71177,7 +74735,7 @@ index fa3dc8e..99cfa95 100644
  ')
  
  ########################################
-@@ -192,9 +191,9 @@ interface(`pulseaudio_dbus_chat',`
+@@ -188,9 +191,9 @@ interface(`pulseaudio_dbus_chat',`
  
  ########################################
  ## <summary>
@@ -71189,7 +74747,7 @@ index fa3dc8e..99cfa95 100644
  ##	<summary>
  ##	Domain allowed access.
  ##	</summary>
-@@ -205,148 +204,190 @@ interface(`pulseaudio_setattr_home_dir',`
+@@ -201,148 +204,190 @@ interface(`pulseaudio_setattr_home_dir',`
  		type pulseaudio_home_t;
  	')
  
@@ -71428,16 +74986,16 @@ index fa3dc8e..99cfa95 100644
 +	ps_process_pattern($1, pulseaudio_t)
  ')
 diff --git a/pulseaudio.te b/pulseaudio.te
-index e31bbe1..d261e97 100644
+index 6643b49..d261e97 100644
 --- a/pulseaudio.te
 +++ b/pulseaudio.te
 @@ -1,4 +1,4 @@
--policy_module(pulseaudio, 1.5.4)
+-policy_module(pulseaudio, 1.6.0)
 +policy_module(pulseaudio, 1.5.0)
  
  ########################################
  #
-@@ -8,61 +8,49 @@ policy_module(pulseaudio, 1.5.4)
+@@ -8,61 +8,49 @@ policy_module(pulseaudio, 1.6.0)
  attribute pulseaudio_client;
  attribute pulseaudio_tmpfsfile;
  
@@ -71445,7 +75003,7 @@ index e31bbe1..d261e97 100644
 -
  type pulseaudio_t;
  type pulseaudio_exec_t;
--init_daemon_domain(pulseaudio_t, pulseaudio_exec_t)
+-# init_daemon_domain(pulseaudio_t, pulseaudio_exec_t)
 +#init_daemon_domain(pulseaudio_t, pulseaudio_exec_t)
  userdom_user_application_domain(pulseaudio_t, pulseaudio_exec_t)
 -role pulseaudio_roles types pulseaudio_t;
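Review bot: the rewritten removal line for init_daemon_domain leaves the policy patch swapping `# init_daemon_domain(pulseaudio_t, pulseaudio_exec_t)` for `#init_daemon_domain(pulseaudio_t, pulseaudio_exec_t)`, a whitespace-only edit to a line that is already commented out. Drop that pair from the policy patch and leave the base file's comment untouched, so later rebases do not have to carry it.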
@@ -71529,7 +75087,7 @@ index e31bbe1..d261e97 100644
  
  can_exec(pulseaudio_t, pulseaudio_exec_t)
  
-@@ -85,60 +70,57 @@ kernel_read_kernel_sysctls(pulseaudio_t)
+@@ -85,62 +70,57 @@ kernel_read_kernel_sysctls(pulseaudio_t)
  
  corecmd_exec_bin(pulseaudio_t)
  
@@ -71581,6 +75139,8 @@ index e31bbe1..d261e97 100644
  logging_send_syslog_msg(pulseaudio_t)
  
 -miscfiles_read_localization(pulseaudio_t)
+-
+-userdom_read_user_tmpfs_files(pulseaudio_t)
  
  userdom_search_user_home_dirs(pulseaudio_t)
  userdom_write_user_tmp_sockets(pulseaudio_t)
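Review bot: the two removal lines added after miscfiles_read_localization make the policy patch delete `userdom_read_user_tmpfs_files(pulseaudio_t)` from the new base, and nothing in the surrounding context replaces it. If the daemon gets that access from another rule, name the rule in the changelog; otherwise keep the call and do not let it disappear as a side effect of the rebase.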
@@ -71608,7 +75168,7 @@ index e31bbe1..d261e97 100644
  ')
  
  optional_policy(`
-@@ -151,8 +133,9 @@ optional_policy(`
+@@ -153,8 +133,9 @@ optional_policy(`
  
  optional_policy(`
  	dbus_system_domain(pulseaudio_t, pulseaudio_exec_t)
@@ -71620,7 +75180,7 @@ index e31bbe1..d261e97 100644
  
  	optional_policy(`
  		consolekit_dbus_chat(pulseaudio_t)
-@@ -172,29 +155,49 @@ optional_policy(`
+@@ -174,29 +155,49 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -71672,7 +75232,7 @@ index e31bbe1..d261e97 100644
  #
  # Client local policy
  #
-@@ -208,8 +211,6 @@ delete_files_pattern(pulseaudio_client, pulseaudio_tmpfsfile, pulseaudio_tmpfsfi
+@@ -210,8 +211,6 @@ delete_files_pattern(pulseaudio_client, pulseaudio_tmpfsfile, pulseaudio_tmpfsfi
  
  fs_getattr_tmpfs(pulseaudio_client)
  
@@ -71681,7 +75241,7 @@ index e31bbe1..d261e97 100644
  corenet_tcp_sendrecv_generic_if(pulseaudio_client)
  corenet_tcp_sendrecv_generic_node(pulseaudio_client)
  
-@@ -218,36 +219,31 @@ corenet_tcp_connect_pulseaudio_port(pulseaudio_client)
+@@ -220,40 +219,31 @@ corenet_tcp_connect_pulseaudio_port(pulseaudio_client)
  corenet_tcp_sendrecv_pulseaudio_port(pulseaudio_client)
  
  pulseaudio_stream_connect(pulseaudio_client)
@@ -71714,6 +75274,10 @@ index e31bbe1..d261e97 100644
 -	fs_manage_cifs_dirs(pulseaudio_client)
 -	fs_manage_cifs_files(pulseaudio_client)
 -	fs_read_cifs_symlinks(pulseaudio_client)
+-')
+-
+-optional_policy(`
+-	pulseaudio_dbus_chat(pulseaudio_client)
 +    fs_getattr_cifs(pulseaudio_client)
 +    fs_manage_cifs_dirs(pulseaudio_client)
 +    fs_manage_cifs_files(pulseaudio_client)
@@ -71721,19 +75285,19 @@ index e31bbe1..d261e97 100644
  ')
  
  optional_policy(`
--	pulseaudio_dbus_chat(pulseaudio_client)
+-	rtkit_scheduled(pulseaudio_client)
 +    pulseaudio_dbus_chat(pulseaudio_client)
  ')
  
  optional_policy(`
--	rtkit_scheduled(pulseaudio_client)
+-	unconfined_signull(pulseaudio_client)
 +    rtkit_scheduled(pulseaudio_client)
  ')
 diff --git a/puppet.fc b/puppet.fc
-index 4ecda09..cad91e2 100644
+index d68e26d..cad91e2 100644
 --- a/puppet.fc
 +++ b/puppet.fc
-@@ -1,14 +1,20 @@
+@@ -1,18 +1,20 @@
 -/etc/puppet(/.*)?	gen_context(system_u:object_r:puppet_etc_t,s0)
 +/etc/puppet(/.*)?			        gen_context(system_u:object_r:puppet_etc_t,s0)
  
@@ -71742,23 +75306,27 @@ index 4ecda09..cad91e2 100644
 +/etc/rc\.d/init\.d/puppet	    --	gen_context(system_u:object_r:puppetagent_initrc_exec_t,s0)
 +/etc/rc\.d/init\.d/puppetmaster --	gen_context(system_u:object_r:puppetmaster_initrc_exec_t,s0)
  
--/usr/sbin/puppetca	--	gen_context(system_u:object_r:puppetca_exec_t,s0)
--/usr/sbin/puppetd	--	gen_context(system_u:object_r:puppet_exec_t,s0)
--/usr/sbin/puppetmasterd	--	gen_context(system_u:object_r:puppetmaster_exec_t,s0)
+-/usr/bin/puppetca	--	gen_context(system_u:object_r:puppetca_exec_t,s0)
+-/usr/bin/puppetd	--	gen_context(system_u:object_r:puppet_exec_t,s0)
+-/usr/bin/puppetmasterd	--	gen_context(system_u:object_r:puppetmaster_exec_t,s0)
 +#helper scripts
 +/usr/bin/start-puppet-agent       --  gen_context(system_u:object_r:puppetagent_exec_t,s0)
 +/usr/bin/start-puppet-master      --  gen_context(system_u:object_r:puppetmaster_exec_t,s0)
  
--/var/lib/puppet(/.*)?	gen_context(system_u:object_r:puppet_var_lib_t,s0)
+-/usr/sbin/puppetca	--	gen_context(system_u:object_r:puppetca_exec_t,s0)
+-/usr/sbin/puppetd	--	gen_context(system_u:object_r:puppet_exec_t,s0)
+-/usr/sbin/puppetmasterd	--	gen_context(system_u:object_r:puppetmaster_exec_t,s0)
 +/usr/bin/puppetca	        --	gen_context(system_u:object_r:puppetca_exec_t,s0)
 +/usr/bin/puppetd	        --	gen_context(system_u:object_r:puppetagent_exec_t,s0)
 +/usr/bin/puppetmasterd	    --	gen_context(system_u:object_r:puppetmaster_exec_t,s0)
  
--/var/log/puppet(/.*)?	gen_context(system_u:object_r:puppet_log_t,s0)
+-/var/lib/puppet(/.*)?	gen_context(system_u:object_r:puppet_var_lib_t,s0)
 +/usr/sbin/puppetca	        --	gen_context(system_u:object_r:puppetca_exec_t,s0)
 +/usr/sbin/puppetd	        --	gen_context(system_u:object_r:puppetagent_exec_t,s0)
 +/usr/sbin/puppetmasterd	    --	gen_context(system_u:object_r:puppetmaster_exec_t,s0)
  
+-/var/log/puppet(/.*)?	gen_context(system_u:object_r:puppet_log_t,s0)
+-
 -/var/run/puppet(/.*)?	gen_context(system_u:object_r:puppet_var_run_t,s0)
 +/var/lib/puppet(/.*)?			gen_context(system_u:object_r:puppet_var_lib_t,s0)
 +/var/log/puppet(/.*)?			gen_context(system_u:object_r:puppet_log_t,s0)
@@ -72105,16 +75673,10 @@ index 7cb8b1f..9422c90 100644
 +    allow $1 puppet_var_run_t:dir search_dir_perms;
  ')
 diff --git a/puppet.te b/puppet.te
-index f2309f4..0903e67 100644
+index 618dcfe..0903e67 100644
 --- a/puppet.te
 +++ b/puppet.te
-@@ -1,4 +1,4 @@
--policy_module(puppet, 1.3.7)
-+policy_module(puppet, 1.4.0)
- 
- ########################################
- #
-@@ -6,25 +6,32 @@ policy_module(puppet, 1.3.7)
+@@ -6,25 +6,32 @@ policy_module(puppet, 1.4.0)
  #
  
  ## <desc>
@@ -72783,9 +76345,15 @@ index 3078e34..215df88 100644
 -
 -miscfiles_read_localization(pwauth_t)
 diff --git a/pxe.te b/pxe.te
-index 72db707..6dae5e5 100644
+index 06bec9b..6dae5e5 100644
 --- a/pxe.te
 +++ b/pxe.te
+@@ -1,4 +1,4 @@
+-policy_module(pxe, 1.5.0)
++policy_module(pxe, 1.4.1)
+ 
+ ########################################
+ #
 @@ -50,15 +50,12 @@ dev_read_sysfs(pxe_t)
  
  domain_use_interactive_fds(pxe_t)
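Review bot: the new inner hunk at the top of pxe.te sets `policy_module(pxe, 1.4.1)` where the base now declares 1.5.0, so applying the policy patch moves the module version backwards. Either drop this hunk and keep the base version, or state in the changelog why the patched module keeps the older number.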
@@ -72872,11 +76440,11 @@ index 0ccea82..0000000
 -')
 diff --git a/pyicqt.te b/pyicqt.te
 deleted file mode 100644
-index 99bebbd..0000000
+index f2863de..0000000
 --- a/pyicqt.te
 +++ /dev/null
 @@ -1,92 +0,0 @@
--policy_module(pyicqt, 1.0.1)
+-policy_module(pyicqt, 1.1.0)
 -
 -########################################
 -#
@@ -73124,11 +76692,11 @@ index 593c03d..2c411af 100644
 +	admin_pattern($1, pyzor_var_lib_t)
  ')
 diff --git a/pyzor.te b/pyzor.te
-index 6c456d2..86daaba 100644
+index 2439d13..86daaba 100644
 --- a/pyzor.te
 +++ b/pyzor.te
 @@ -1,61 +1,82 @@
--policy_module(pyzor, 2.2.1)
+-policy_module(pyzor, 2.3.0)
 +policy_module(pyzor, 2.1.0)
  
  ########################################
@@ -73369,14 +76937,15 @@ index 6c456d2..86daaba 100644
 +	logging_send_syslog_msg(pyzord_t)
 +')
 diff --git a/qemu.fc b/qemu.fc
-index 6b53fa4..64d877e 100644
+index 86ea53c..64d877e 100644
 --- a/qemu.fc
 +++ b/qemu.fc
-@@ -1,5 +1,4 @@
+@@ -1,6 +1,4 @@
 -/usr/bin/qemu	--	gen_context(system_u:object_r:qemu_exec_t,s0)
 +/usr/bin/qemu		--	gen_context(system_u:object_r:qemu_exec_t,s0)
  /usr/bin/qemu-system-.*	--	gen_context(system_u:object_r:qemu_exec_t,s0)
  /usr/bin/qemu-kvm	--	gen_context(system_u:object_r:qemu_exec_t,s0)
+-/usr/bin/kvm		--	gen_context(system_u:object_r:qemu_exec_t,s0)
 -
  /usr/libexec/qemu.*	--	gen_context(system_u:object_r:qemu_exec_t,s0)
 diff --git a/qemu.if b/qemu.if
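Review bot: the added removal line for `/usr/bin/kvm` means the patched qemu.fc no longer labels that path qemu_exec_t, while /usr/bin/qemu, /usr/bin/qemu-system-.* and /usr/bin/qemu-kvm keep the label. A binary installed at /usr/bin/kvm would then get whatever generic entry matches it and would not be an entry point to the qemu domain. Confirm nothing on F20 ships that path, or keep the entry.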
@@ -73749,16 +77318,16 @@ index eaf56b8..580f9ee 100644
  #
  interface(`qemu_entry_type',`
 diff --git a/qemu.te b/qemu.te
-index 2e824eb..695c857 100644
+index 4f90743..695c857 100644
 --- a/qemu.te
 +++ b/qemu.te
 @@ -1,4 +1,4 @@
--policy_module(qemu, 1.7.4)
+-policy_module(qemu, 1.8.0)
 +policy_module(qemu, 1.7.0)
  
  ########################################
  #
-@@ -6,28 +6,58 @@ policy_module(qemu, 1.7.4)
+@@ -6,28 +6,58 @@ policy_module(qemu, 1.8.0)
  #
  
  ## <desc>
@@ -74167,11 +77736,11 @@ index e4f0000..05e219e 100644
 +        allow $1 qmail_spool_t:fifo_file rw_fifo_file_perms;
 +')
 diff --git a/qmail.te b/qmail.te
-index 1bef513..af2850e 100644
+index 8742944..af2850e 100644
 --- a/qmail.te
 +++ b/qmail.te
 @@ -1,11 +1,11 @@
--policy_module(qmail, 1.5.1)
+-policy_module(qmail, 1.6.1)
 +policy_module(qmail, 1.5.0)
  
  ########################################
@@ -74193,7 +77762,7 @@ index 1bef513..af2850e 100644
  type qmail_inject_exec_t;
  domain_type(qmail_inject_t)
  domain_entry_file(qmail_inject_t, qmail_inject_exec_t)
-@@ -32,18 +32,22 @@ qmail_child_domain_template(qmail_lspawn, qmail_start_t)
+@@ -32,21 +32,22 @@ qmail_child_domain_template(qmail_lspawn, qmail_start_t)
  mta_mailserver_delivery(qmail_lspawn_t)
  
  qmail_child_domain_template(qmail_queue, qmail_inject_t)
@@ -74208,8 +77777,11 @@ index 1bef513..af2850e 100644
  qmail_child_domain_template(qmail_send, qmail_start_t)
 +
  qmail_child_domain_template(qmail_smtpd, qmail_tcp_env_t)
-+
- qmail_child_domain_template(qmail_splogger, qmail_start_t)
+-qmail_child_domain_template(qmail_splogger, qmail_start_t)
+ 
+-type qmail_keytab_t;
+-files_type(qmail_keytab_t)
++qmail_child_domain_template(qmail_splogger, qmail_start_t)
  
  type qmail_spool_t;
 -files_type(qmail_spool_t)
@@ -74217,7 +77789,7 @@ index 1bef513..af2850e 100644
  
  type qmail_start_t;
  type qmail_start_exec_t;
-@@ -55,28 +59,8 @@ application_domain(qmail_tcp_env_t, qmail_tcp_env_exec_t)
+@@ -58,28 +59,8 @@ application_domain(qmail_tcp_env_t, qmail_tcp_env_exec_t)
  
  ########################################
  #
@@ -74248,7 +77820,7 @@ index 1bef513..af2850e 100644
  #
  
  read_files_pattern(qmail_clean_t, qmail_spool_t, qmail_spool_t)
-@@ -84,11 +68,12 @@ delete_files_pattern(qmail_clean_t, qmail_spool_t, qmail_spool_t)
+@@ -87,11 +68,12 @@ delete_files_pattern(qmail_clean_t, qmail_spool_t, qmail_spool_t)
  
  ########################################
  #
@@ -74263,7 +77835,7 @@ index 1bef513..af2850e 100644
  
  allow qmail_inject_t qmail_queue_exec_t:file read_file_perms;
  
-@@ -96,18 +81,18 @@ corecmd_search_bin(qmail_inject_t)
+@@ -99,18 +81,18 @@ corecmd_search_bin(qmail_inject_t)
  
  files_search_var(qmail_inject_t)
  
@@ -74286,7 +77858,7 @@ index 1bef513..af2850e 100644
  
  manage_dirs_pattern(qmail_local_t, qmail_alias_home_t, qmail_alias_home_t)
  manage_files_pattern(qmail_local_t, qmail_alias_home_t, qmail_alias_home_t)
-@@ -134,12 +119,17 @@ mta_append_spool(qmail_local_t)
+@@ -137,12 +119,17 @@ mta_append_spool(qmail_local_t)
  qmail_domtrans_queue(qmail_local_t)
  
  optional_policy(`
@@ -74305,7 +77877,7 @@ index 1bef513..af2850e 100644
  #
  
  allow qmail_lspawn_t self:capability { setuid setgid };
-@@ -153,21 +143,23 @@ allow qmail_lspawn_t qmail_local_exec_t:file read_file_perms;
+@@ -156,21 +143,23 @@ allow qmail_lspawn_t qmail_local_exec_t:file read_file_perms;
  
  read_files_pattern(qmail_lspawn_t, qmail_spool_t, qmail_spool_t)
  
@@ -74332,7 +77904,7 @@ index 1bef513..af2850e 100644
  
  manage_dirs_pattern(qmail_queue_t, qmail_spool_t, qmail_spool_t)
  manage_files_pattern(qmail_queue_t, qmail_spool_t, qmail_spool_t)
-@@ -183,28 +175,34 @@ optional_policy(`
+@@ -186,28 +175,34 @@ optional_policy(`
  
  ########################################
  #
@@ -74374,7 +77946,7 @@ index 1bef513..af2850e 100644
  #
  
  allow qmail_rspawn_t self:process signal_perms;
-@@ -214,9 +212,12 @@ allow qmail_rspawn_t qmail_remote_exec_t:file read_file_perms;
+@@ -217,9 +212,12 @@ allow qmail_rspawn_t qmail_remote_exec_t:file read_file_perms;
  
  rw_files_pattern(qmail_rspawn_t, qmail_spool_t, qmail_spool_t)
  
@@ -74388,7 +77960,7 @@ index 1bef513..af2850e 100644
  #
  
  allow qmail_send_t self:process signal_perms;
-@@ -234,7 +235,8 @@ optional_policy(`
+@@ -237,15 +235,14 @@ optional_policy(`
  
  ########################################
  #
@@ -74398,7 +77970,25 @@ index 1bef513..af2850e 100644
  #
  
  allow qmail_smtpd_t self:process signal_perms;
-@@ -262,26 +264,26 @@ optional_policy(`
+ allow qmail_smtpd_t self:fifo_file write_fifo_file_perms;
+ allow qmail_smtpd_t self:tcp_socket create_socket_perms;
+ 
+-allow qmail_smtpd_t qmail_keytab_t:file read_file_perms;
+-
+ allow qmail_smtpd_t qmail_queue_exec_t:file read_file_perms;
+ 
+ dev_read_rand(qmail_smtpd_t)
+@@ -258,8 +255,7 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
+-	kerberos_read_keytab(qmail_smtpd_t)
+-	kerberos_use(qmail_smtpd_t)
++	kerberos_keytab_template(qmail, qmail_smtpd_t)
+ ')
+ 
+ optional_policy(`
+@@ -268,26 +264,26 @@ optional_policy(`
  
  ########################################
  #
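Review bot: the new inner hunks remove `allow qmail_smtpd_t qmail_keytab_t:file read_file_perms;` and replace the kerberos_read_keytab/kerberos_use pair with `kerberos_keytab_template(qmail, qmail_smtpd_t)`, while the earlier qmail.te hunk deletes the qmail_keytab_t declaration itself. Please confirm that the template in the F20 tree gives qmail_smtpd_t the same keytab read access, and that no file context entry still refers to qmail_keytab_t once the type declaration is gone.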
@@ -74430,7 +78020,7 @@ index 1bef513..af2850e 100644
  
  can_exec(qmail_start_t, qmail_start_exec_t)
  
-@@ -298,7 +300,8 @@ optional_policy(`
+@@ -304,7 +300,8 @@ optional_policy(`
  
  ########################################
  #
@@ -74441,7 +78031,7 @@ index 1bef513..af2850e 100644
  
  allow qmail_tcp_env_t qmail_smtpd_exec_t:file read_file_perms;
 diff --git a/qpid.if b/qpid.if
-index cd51b96..f7e9c70 100644
+index fe2adf8..f7e9c70 100644
 --- a/qpid.if
 +++ b/qpid.if
 @@ -1,4 +1,4 @@
@@ -74709,7 +78299,7 @@ index cd51b96..f7e9c70 100644
 +        allow $1 qpidd_t:process ptrace;
 +    ')
  
--	files_search_var_lib($1(
+-	files_search_var_lib($1)
 -	admin_pattern($1, qpidd_var_lib_t)
 +    qpidd_initrc_domtrans($1)
 +    domain_system_change_exemption($1)
@@ -74725,9 +78315,15 @@ index cd51b96..f7e9c70 100644
 +    admin_pattern($1, qpidd_var_run_t)
  ')
 diff --git a/qpid.te b/qpid.te
-index 76f5b39..f7670b2 100644
+index 83eb09e..f7670b2 100644
 --- a/qpid.te
 +++ b/qpid.te
+@@ -1,4 +1,4 @@
+-policy_module(qpid, 1.1.0)
++policy_module(qpid, 1.0.1)
+ 
+ ########################################
+ #
 @@ -12,6 +12,9 @@ init_daemon_domain(qpidd_t, qpidd_exec_t)
  type qpidd_initrc_exec_t;
  init_script_file(qpidd_initrc_exec_t)
@@ -75165,11 +78761,11 @@ index afc0068..3105104 100644
 +	')
  ')
 diff --git a/quantum.te b/quantum.te
-index 769d1fd..7cc3063 100644
+index 8644d8b..7cc3063 100644
 --- a/quantum.te
 +++ b/quantum.te
 @@ -1,96 +1,180 @@
--policy_module(quantum, 1.0.2)
+-policy_module(quantum, 1.1.0)
 +policy_module(quantum, 1.0.3)
  
  ########################################
@@ -75698,11 +79294,11 @@ index da64218..3fb8575 100644
 +    domtrans_pattern($1, quota_nld_exec_t, quota_nld_t)
  ')
 diff --git a/quota.te b/quota.te
-index 4b2c272..1aee969 100644
+index f47c8e8..1aee969 100644
 --- a/quota.te
 +++ b/quota.te
 @@ -1,16 +1,14 @@
--policy_module(quota, 1.5.2)
+-policy_module(quota, 1.6.0)
 +policy_module(quota, 1.5.0)
  
  ########################################
@@ -75869,10 +79465,15 @@ index 2c3d338..7d49554 100644
  	init_labeled_script_domtrans($1, rabbitmq_initrc_exec_t)
  	domain_system_change_exemption($1)
 diff --git a/rabbitmq.te b/rabbitmq.te
-index 3698b51..f1b94dd 100644
+index dc3b0ed..f1b94dd 100644
 --- a/rabbitmq.te
 +++ b/rabbitmq.te
-@@ -5,13 +5,14 @@ policy_module(rabbitmq, 1.0.0)
+@@ -1,17 +1,18 @@
+-policy_module(rabbitmq, 1.0.2)
++policy_module(rabbitmq, 1.0.0)
+ 
+ ########################################
+ #
  # Declarations
  #
  
@@ -75903,7 +79504,7 @@ index 3698b51..f1b94dd 100644
  type rabbitmq_var_log_t;
  logging_log_file(rabbitmq_var_log_t)
  
-@@ -27,80 +31,92 @@ files_pid_file(rabbitmq_var_run_t)
+@@ -27,98 +31,92 @@ files_pid_file(rabbitmq_var_run_t)
  
  ######################################
  #
@@ -75922,55 +79523,63 @@ index 3698b51..f1b94dd 100644
 -append_files_pattern(rabbitmq_beam_t, rabbitmq_var_log_t, rabbitmq_var_log_t)
 -create_files_pattern(rabbitmq_beam_t, rabbitmq_var_log_t, rabbitmq_var_log_t)
 -setattr_files_pattern(rabbitmq_beam_t, rabbitmq_var_log_t, rabbitmq_var_log_t)
-+allow rabbitmq_t self:capability setuid;
- 
+-
 -manage_dirs_pattern(rabbitmq_beam_t, rabbitmq_var_run_t, rabbitmq_var_run_t)
 -manage_files_pattern(rabbitmq_beam_t, rabbitmq_var_run_t, rabbitmq_var_run_t)
+-
+-can_exec(rabbitmq_beam_t, rabbitmq_beam_exec_t)
++allow rabbitmq_t self:capability setuid;
+ 
+-domtrans_pattern(rabbitmq_beam_t, rabbitmq_epmd_exec_t, rabbitmq_epmd_t)
 +allow rabbitmq_t self:process { setsched signal signull };
 +allow rabbitmq_t self:fifo_file rw_fifo_file_perms;
 +allow rabbitmq_t self:tcp_socket { accept listen };
  
--can_exec(rabbitmq_beam_t, rabbitmq_beam_exec_t)
+-kernel_read_system_state(rabbitmq_beam_t)
+-kernel_read_fs_sysctls(rabbitmq_beam_t)
 +manage_dirs_pattern(rabbitmq_t, rabbitmq_var_lib_t, rabbitmq_var_lib_t)
 +manage_files_pattern(rabbitmq_t, rabbitmq_var_lib_t, rabbitmq_var_lib_t)
 +manage_lnk_files_pattern(rabbitmq_t, rabbitmq_var_lib_t, rabbitmq_var_lib_t)
 +files_var_lib_filetrans(rabbitmq_t, rabbitmq_var_lib_t, { dir file })
  
--domtrans_pattern(rabbitmq_beam_t, rabbitmq_epmd_exec_t, rabbitmq_epmd_t)
+-corecmd_exec_bin(rabbitmq_beam_t)
+-corecmd_exec_shell(rabbitmq_beam_t)
 +manage_dirs_pattern(rabbitmq_t, rabbitmq_var_log_t, rabbitmq_var_log_t)
 +manage_files_pattern(rabbitmq_t, rabbitmq_var_log_t, rabbitmq_var_log_t)
 +manage_lnk_files_pattern(rabbitmq_t, rabbitmq_var_log_t, rabbitmq_var_log_t)
 +logging_log_filetrans(rabbitmq_t, rabbitmq_var_log_t, { dir file })
  
--kernel_read_system_state(rabbitmq_beam_t)
+-corenet_all_recvfrom_unlabeled(rabbitmq_beam_t)
+-corenet_all_recvfrom_netlabel(rabbitmq_beam_t)
+-corenet_tcp_sendrecv_generic_if(rabbitmq_beam_t)
+-corenet_tcp_sendrecv_generic_node(rabbitmq_beam_t)
+-corenet_tcp_bind_generic_node(rabbitmq_beam_t)
 +manage_dirs_pattern(rabbitmq_t, rabbitmq_var_lock_t, rabbitmq_var_lock_t)
 +manage_files_pattern(rabbitmq_t, rabbitmq_var_lock_t, rabbitmq_var_lock_t)
 +files_lock_filetrans(rabbitmq_t, rabbitmq_var_lock_t, file)
  
--corecmd_exec_bin(rabbitmq_beam_t)
--corecmd_exec_shell(rabbitmq_beam_t)
+-corenet_sendrecv_amqp_server_packets(rabbitmq_beam_t)
+-corenet_tcp_bind_amqp_port(rabbitmq_beam_t)
+-corenet_tcp_sendrecv_amqp_port(rabbitmq_beam_t)
 +manage_dirs_pattern(rabbitmq_t, rabbitmq_var_run_t, rabbitmq_var_run_t)
 +manage_files_pattern(rabbitmq_t, rabbitmq_var_run_t, rabbitmq_var_run_t)
 +manage_lnk_files_pattern(rabbitmq_t, rabbitmq_var_run_t, rabbitmq_var_run_t)
 +files_pid_filetrans(rabbitmq_t, rabbitmq_var_run_t, { dir file })
  
--corenet_all_recvfrom_unlabeled(rabbitmq_beam_t)
--corenet_all_recvfrom_netlabel(rabbitmq_beam_t)
--corenet_tcp_sendrecv_generic_if(rabbitmq_beam_t)
--corenet_tcp_sendrecv_generic_node(rabbitmq_beam_t)
--corenet_tcp_bind_generic_node(rabbitmq_beam_t)
+-corenet_sendrecv_epmd_client_packets(rabbitmq_beam_t)
+-corenet_tcp_connect_epmd_port(rabbitmq_beam_t)
+-corenet_tcp_sendrecv_epmd_port(rabbitmq_beam_t)
 +kernel_read_system_state(rabbitmq_t)
 +kernel_read_fs_sysctls(rabbitmq_t)
  
--corenet_sendrecv_amqp_server_packets(rabbitmq_beam_t)
--corenet_tcp_bind_amqp_port(rabbitmq_beam_t)
--corenet_tcp_sendrecv_amqp_port(rabbitmq_beam_t)
+-corenet_sendrecv_couchdb_server_packets(rabbitmq_beam_t)
+-corenet_tcp_bind_couchdb_port(rabbitmq_beam_t)
+-corenet_tcp_sendrecv_couchdb_port(rabbitmq_beam_t)
 +corecmd_exec_bin(rabbitmq_t)
 +corecmd_exec_shell(rabbitmq_t)
  
--corenet_sendrecv_epmd_client_packets(rabbitmq_beam_t)
--corenet_tcp_connect_epmd_port(rabbitmq_beam_t)
--corenet_tcp_sendrecv_epmd_port(rabbitmq_beam_t)
+-dev_read_sysfs(rabbitmq_beam_t)
+-dev_read_urand(rabbitmq_beam_t)
 +corenet_tcp_bind_generic_node(rabbitmq_t)
 +corenet_udp_bind_generic_node(rabbitmq_t)
 +corenet_all_recvfrom_unlabeled(rabbitmq_t)
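Review bot: the realigned removals now take out the base's couchdb port rules for rabbitmq_beam_t (`corenet_tcp_bind_couchdb_port`, `corenet_tcp_sendrecv_couchdb_port`) and `dev_read_urand(rabbitmq_beam_t)`, and the added rabbitmq_t lines visible in this hunk have no counterpart for either. Check that the rabbitmq_t block further down covers them, or record in the changelog that F20 drops them on purpose.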
@@ -75993,18 +79602,28 @@ index 3698b51..f1b94dd 100644
 +corenet_tcp_sendrecv_epmd_port(rabbitmq_t)
 +corenet_tcp_connect_http_port(rabbitmq_t)
  
--dev_read_sysfs(rabbitmq_beam_t)
+-fs_getattr_all_fs(rabbitmq_beam_t)
+-fs_search_cgroup_dirs(rabbitmq_beam_t)
 +domain_read_all_domains_state(rabbitmq_t)
  
 -files_read_etc_files(rabbitmq_beam_t)
 +auth_read_passwd(rabbitmq_t)
 +auth_use_pam(rabbitmq_t)
  
--miscfiles_read_localization(rabbitmq_beam_t)
+-storage_getattr_fixed_disk_dev(rabbitmq_beam_t)
 +files_getattr_all_mountpoints(rabbitmq_t)
  
+-miscfiles_read_localization(rabbitmq_beam_t)
+-
 -sysnet_dns_name_resolve(rabbitmq_beam_t)
 -
+- optional_policy(`
+-	couchdb_manage_lib_files(rabbitmq_beam_t)
+-	couchdb_read_conf_files(rabbitmq_beam_t)
+-	couchdb_read_log_files(rabbitmq_beam_t)
+-	couchdb_read_pid_files(rabbitmq_beam_t)
+- ')
+-
 -########################################
 -#
 -# Epmd local policy
@@ -76052,9 +79671,16 @@ index 3698b51..f1b94dd 100644
  
 -miscfiles_read_localization(rabbitmq_epmd_t)
 diff --git a/radius.fc b/radius.fc
-index c84b7ae..4125f6d 100644
+index d447e85..4125f6d 100644
 --- a/radius.fc
 +++ b/radius.fc
+@@ -1,5 +1,5 @@
+ /etc/cron\.(daily|monthly)/radiusd	--	gen_context(system_u:object_r:radiusd_exec_t,s0)
+-/etc/cron\.((daily)|(weekly)|(monthly))/freeradius	--	gen_context(system_u:object_r:radiusd_exec_t,s0)
++/etc/cron\.(daily|weekly|monthly)/freeradius	--	gen_context(system_u:object_r:radiusd_exec_t,s0)
+ 
+ /etc/rc\.d/init\.d/radiusd	--	gen_context(system_u:object_r:radiusd_initrc_exec_t,s0)
+ 
 @@ -9,7 +9,9 @@
  /usr/sbin/radiusd	--	gen_context(system_u:object_r:radiusd_exec_t,s0)
  /usr/sbin/freeradius	--	gen_context(system_u:object_r:radiusd_exec_t,s0)
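Review bot: the new inner hunk rewrites `/etc/cron\.((daily)|(weekly)|(monthly))/freeradius` as `/etc/cron\.(daily|weekly|monthly)/freeradius`, which matches the same three paths, so it only adds a delta against the base. Drop it unless the intent was something else, for instance adding weekly to the radiusd entry on the line above, which still reads `(daily|monthly)`.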
@@ -76128,9 +79754,15 @@ index 4460582..60cf556 100644
 +
  ')
 diff --git a/radius.te b/radius.te
-index 1e7927f..eb72458 100644
+index 403a4fe..eb72458 100644
 --- a/radius.te
 +++ b/radius.te
+@@ -1,4 +1,4 @@
+-policy_module(radius, 1.13.0)
++policy_module(radius, 1.12.1)
+ 
+ ########################################
+ #
 @@ -27,6 +27,9 @@ files_type(radiusd_var_lib_t)
  type radiusd_var_run_t;
  files_pid_file(radiusd_var_run_t)
@@ -76234,9 +79866,15 @@ index ac7058d..48739ac 100644
  	init_labeled_script_domtrans($1, radvd_initrc_exec_t)
  	domain_system_change_exemption($1)
 diff --git a/radvd.te b/radvd.te
-index b31f2d7..046f5b8 100644
+index 6d162e4..046f5b8 100644
 --- a/radvd.te
 +++ b/radvd.te
+@@ -1,4 +1,4 @@
+-policy_module(radvd, 1.14.0)
++policy_module(radvd, 1.13.1)
+ 
+ ########################################
+ #
 @@ -65,8 +65,6 @@ auth_use_nsswitch(radvd_t)
  
  logging_send_syslog_msg(radvd_t)
@@ -76485,9 +80123,15 @@ index 951db7f..c0cabe8 100644
 +    files_etc_filetrans($1, mdadm_conf_t, file, "mdadm.conf")
  ')
 diff --git a/raid.te b/raid.te
-index 2c1730b..36acb6c 100644
+index c99753f..36acb6c 100644
 --- a/raid.te
 +++ b/raid.te
+@@ -1,4 +1,4 @@
+-policy_module(raid, 1.13.1)
++policy_module(raid, 1.12.5)
+ 
+ ########################################
+ #
 @@ -15,6 +15,18 @@ role mdadm_roles types mdadm_t;
  type mdadm_initrc_exec_t;
  init_script_file(mdadm_initrc_exec_t)
@@ -76507,7 +80151,7 @@ index 2c1730b..36acb6c 100644
  type mdadm_var_run_t alias mdadm_map_t;
  files_pid_file(mdadm_var_run_t)
  dev_associate(mdadm_var_run_t)
-@@ -25,43 +37,72 @@ dev_associate(mdadm_var_run_t)
+@@ -25,44 +37,72 @@ dev_associate(mdadm_var_run_t)
  #
  
  allow mdadm_t self:capability { dac_override sys_admin ipc_lock };
@@ -76580,7 +80224,7 @@ index 2c1730b..36acb6c 100644
 -files_dontaudit_getattr_all_files(mdadm_t)
 +files_dontaudit_getattr_tmpfs_files(mdadm_t)
  
-+fs_getattr_all_fs(mdadm_t)
+ fs_getattr_all_fs(mdadm_t)
  fs_list_auto_mountpoints(mdadm_t)
  fs_list_hugetlbfs(mdadm_t)
  fs_rw_cgroup_files(mdadm_t)
@@ -76589,7 +80233,7 @@ index 2c1730b..36acb6c 100644
  
  mls_file_read_all_levels(mdadm_t)
  mls_file_write_all_levels(mdadm_t)
-@@ -70,15 +111,22 @@ storage_dev_filetrans_fixed_disk(mdadm_t)
+@@ -71,15 +111,22 @@ storage_dev_filetrans_fixed_disk(mdadm_t)
  storage_manage_fixed_disk(mdadm_t)
  storage_read_scsi_generic(mdadm_t)
  storage_write_scsi_generic(mdadm_t)
@@ -76613,7 +80257,7 @@ index 2c1730b..36acb6c 100644
  
  userdom_dontaudit_use_unpriv_user_fds(mdadm_t)
  userdom_dontaudit_search_user_home_content(mdadm_t)
-@@ -89,17 +137,38 @@ optional_policy(`
+@@ -90,17 +137,38 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -77130,11 +80774,11 @@ index 1e4b523..fee3b7c 100644
  ## <param name="domain">
  ##	<summary>
 diff --git a/razor.te b/razor.te
-index 5ddedbc..4e15f29 100644
+index 68455f9..4e15f29 100644
 --- a/razor.te
 +++ b/razor.te
 @@ -1,139 +1,128 @@
--policy_module(razor, 2.3.2)
+-policy_module(razor, 2.4.0)
 +policy_module(razor, 2.3.0)
  
  ########################################
@@ -77497,7 +81141,7 @@ index 9196c1d..b775931 100644
  
  userdom_dontaudit_use_unpriv_user_fds(rdisc_t)
 diff --git a/readahead.fc b/readahead.fc
-index f307db4..0428aee 100644
+index f01b32f..0428aee 100644
 --- a/readahead.fc
 +++ b/readahead.fc
 @@ -1,7 +1,10 @@
@@ -77511,7 +81155,7 @@ index f307db4..0428aee 100644
 +
  /var/lib/readahead(/.*)?	gen_context(system_u:object_r:readahead_var_lib_t,s0)
  
--/var/run/readahead,*	gen_context(system_u:object_r:readahead_var_run_t,s0)
+-/var/run/readahead.*	gen_context(system_u:object_r:readahead_var_run_t,s0)
 +/var/run/systemd/readahead(/.*)?  gen_context(system_u:object_r:readahead_var_run_t,s0)
 diff --git a/readahead.if b/readahead.if
 index 661bb88..06f69c4 100644
@@ -77546,9 +81190,15 @@ index 661bb88..06f69c4 100644
 +')
 +
 diff --git a/readahead.te b/readahead.te
-index f1512d6..8ee7e70 100644
+index c0b02c9..8ee7e70 100644
 --- a/readahead.te
 +++ b/readahead.te
+@@ -1,4 +1,4 @@
+-policy_module(readahead, 1.13.0)
++policy_module(readahead, 1.12.2)
+ 
+ ########################################
+ #
 @@ -15,6 +15,7 @@ typealias readahead_var_lib_t alias readahead_etc_rw_t;
  
  type readahead_var_run_t;
@@ -77763,16 +81413,16 @@ index bff31df..3b2a829 100644
 +')
 +
 diff --git a/realmd.te b/realmd.te
-index 9a8f052..3baa71a 100644
+index 5bc878b..3baa71a 100644
 --- a/realmd.te
 +++ b/realmd.te
 @@ -1,4 +1,4 @@
--policy_module(realmd, 1.0.2)
+-policy_module(realmd, 1.1.0)
 +policy_module(realmd, 1.0.0)
  
  ########################################
  #
-@@ -7,47 +7,89 @@ policy_module(realmd, 1.0.2)
+@@ -7,47 +7,89 @@ policy_module(realmd, 1.1.0)
  
  type realmd_t;
  type realmd_exec_t;
@@ -77948,33 +81598,38 @@ index 9a8f052..3baa71a 100644
 +	unconfined_domain_noaudit(realmd_consolehelper_t)
  ')
 diff --git a/redis.fc b/redis.fc
-new file mode 100644
-index 0000000..741b785
---- /dev/null
+index e240ac9..741b785 100644
+--- a/redis.fc
 +++ b/redis.fc
-@@ -0,0 +1,12 @@
-+/etc/rc\.d/init\.d/redis	--	gen_context(system_u:object_r:redis_initrc_exec_t,s0)
-+
+@@ -1,9 +1,12 @@
+ /etc/rc\.d/init\.d/redis	--	gen_context(system_u:object_r:redis_initrc_exec_t,s0)
+ 
+-/usr/sbin/redis-server	--	gen_context(system_u:object_r:redis_exec_t,s0)
 +/usr/lib/systemd/system/redis.*		--	gen_context(system_u:object_r:redis_unit_file_t,s0)
-+
+ 
+-/var/lib/redis(/.*)?	gen_context(system_u:object_r:redis_var_lib_t,s0)
 +/usr/sbin/redis-server		--	gen_context(system_u:object_r:redis_exec_t,s0)
-+
+ 
+-/var/log/redis(/.*)?	gen_context(system_u:object_r:redis_log_t,s0)
 +/var/lib/redis(/.*)?		gen_context(system_u:object_r:redis_var_lib_t,s0)
-+
+ 
+-/var/run/redis(/.*)?	gen_context(system_u:object_r:redis_var_run_t,s0)
 +/var/log/redis(/.*)?		gen_context(system_u:object_r:redis_log_t,s0)
 +
 +/var/run/redis(/.*)?		gen_context(system_u:object_r:redis_var_run_t,s0)
 +/var/run/redis\.sock    --  gen_context(system_u:object_r:redis_var_run_t,s0)
 diff --git a/redis.if b/redis.if
-new file mode 100644
-index 0000000..2640ab5
---- /dev/null
+index 16c8ecb..2640ab5 100644
+--- a/redis.if
 +++ b/redis.if
-@@ -0,0 +1,266 @@
+@@ -1,9 +1,224 @@
+-## <summary>Advanced key-value store.</summary>
 +## <summary>Advanced key-value store</summary>
-+
-+########################################
-+## <summary>
+ 
+ ########################################
+ ## <summary>
+-##	All of the rules required to
+-##	administrate an redis environment.
 +##	Execute redis server in the redis domin.
 +## </summary>
 +## <param name="domain">
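Review bot: in the redis.fc part, `/var/run/redis\.sock` carries the `--` file-type specifier, which selects regular files, so the entry does not match the socket it names, and `/var/run/redis(/.*)?` does not match that path either. Use `-s` so a relabel gives the socket redis_var_run_t. In the redis.if part, the added summary reads "redis domin"; that should be "domain".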
@@ -78192,41 +81847,30 @@ index 0000000..2640ab5
 +## <summary>
 +##	All of the rules required to administrate
 +##	an redis environment
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+## <param name="role">
-+##	<summary>
-+##	Role allowed access.
-+##	</summary>
-+## </param>
-+## <rolecap/>
-+#
-+interface(`redis_admin',`
-+	gen_require(`
-+		type redis_t, redis_initrc_exec_t, redis_var_lib_t;
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -20,7 +235,7 @@
+ interface(`redis_admin',`
+ 	gen_require(`
+ 		type redis_t, redis_initrc_exec_t, redis_var_lib_t;
+-		type redis_log_t, redis_var_run_t;
 +		type redis_log_t, redis_var_run_t, redis_unit_file_t;
-+	')
-+
-+	allow $1 redis_t:process { ptrace signal_perms };
-+	ps_process_pattern($1, redis_t)
-+
-+	init_labeled_script_domtrans($1, redis_initrc_exec_t)
-+	domain_system_change_exemption($1)
-+	role_transition $2 redis_initrc_exec_t system_r;
-+	allow $2 system_r;
-+
-+	logging_search_logs($1)
+ 	')
+ 
+ 	allow $1 redis_t:process { ptrace signal_perms };
+@@ -32,11 +247,20 @@ interface(`redis_admin',`
+ 	allow $2 system_r;
+ 
+ 	logging_search_logs($1)
+-	admin_pattern($!, redis_log_t)
 +	admin_pattern($1, redis_log_t)
-+
-+	files_search_var_lib($1)
-+	admin_pattern($1, redis_var_lib_t)
-+
-+	files_search_pids($1)
-+	admin_pattern($1, redis_var_run_t)
+ 
+ 	files_search_var_lib($1)
+ 	admin_pattern($1, redis_var_lib_t)
+ 
+ 	files_search_pids($1)
+ 	admin_pattern($1, redis_var_run_t)
 +
 +	redis_systemctl($1)
 +	admin_pattern($1, redis_unit_file_t)
@@ -78236,76 +81880,56 @@ index 0000000..2640ab5
 +		systemd_passwd_agent_exec($1)
 +		systemd_read_fifo_file_passwd_run($1)
 +	')
-+')
+ ')
 diff --git a/redis.te b/redis.te
-new file mode 100644
-index 0000000..51cd1fe
---- /dev/null
+index 25cd417..51cd1fe 100644
+--- a/redis.te
 +++ b/redis.te
-@@ -0,0 +1,64 @@
+@@ -1,4 +1,4 @@
+-policy_module(redis, 1.0.1)
 +policy_module(redis, 1.0.0)
-+
-+########################################
-+#
-+# Declarations
-+#
-+
-+type redis_t;
-+type redis_exec_t;
-+init_daemon_domain(redis_t, redis_exec_t)
-+
-+type redis_initrc_exec_t;
-+init_script_file(redis_initrc_exec_t)
-+
-+type redis_log_t;
-+logging_log_file(redis_log_t)
-+
-+type redis_var_lib_t;
-+files_type(redis_var_lib_t)
-+
-+type redis_var_run_t;
-+files_pid_file(redis_var_run_t)
-+
+ 
+ ########################################
+ #
+@@ -21,9 +21,12 @@ files_type(redis_var_lib_t)
+ type redis_var_run_t;
+ files_pid_file(redis_var_run_t)
+ 
 +type redis_unit_file_t;
 +systemd_unit_file(redis_unit_file_t)
 +
-+########################################
-+#
+ ########################################
+ #
+-# Local policy
 +# redis local policy
-+#
-+
-+allow redis_t self:process { setrlimit signal_perms };
-+allow redis_t self:fifo_file rw_fifo_file_perms;
-+allow redis_t self:unix_stream_socket create_stream_socket_perms;
-+allow redis_t self:tcp_socket create_stream_socket_perms;
-+
-+manage_dirs_pattern(redis_t, redis_log_t, redis_log_t)
-+manage_files_pattern(redis_t, redis_log_t, redis_log_t)
-+manage_lnk_files_pattern(redis_t, redis_log_t, redis_log_t)
-+
-+manage_dirs_pattern(redis_t, redis_var_lib_t, redis_var_lib_t)
-+manage_files_pattern(redis_t, redis_var_lib_t, redis_var_lib_t)
-+manage_lnk_files_pattern(redis_t, redis_var_lib_t, redis_var_lib_t)
-+
-+manage_dirs_pattern(redis_t, redis_var_run_t, redis_var_run_t)
-+manage_files_pattern(redis_t, redis_var_run_t, redis_var_run_t)
-+manage_lnk_files_pattern(redis_t, redis_var_run_t, redis_var_run_t)
+ #
+ 
+ allow redis_t self:process { setrlimit signal_perms };
+@@ -42,18 +45,13 @@ manage_lnk_files_pattern(redis_t, redis_var_lib_t, redis_var_lib_t)
+ manage_dirs_pattern(redis_t, redis_var_run_t, redis_var_run_t)
+ manage_files_pattern(redis_t, redis_var_run_t, redis_var_run_t)
+ manage_lnk_files_pattern(redis_t, redis_var_run_t, redis_var_run_t)
 +manage_sock_files_pattern(redis_t, redis_var_run_t, redis_var_run_t)
 +files_pid_filetrans(redis_t, redis_var_run_t, { sock_file })
-+
-+kernel_read_system_state(redis_t)
-+
-+corenet_tcp_bind_generic_node(redis_t)
-+corenet_tcp_bind_redis_port(redis_t)
-+
-+dev_read_sysfs(redis_t)
-+dev_read_urand(redis_t)
-+
-+logging_send_syslog_msg(redis_t)
-+
-+miscfiles_read_localization(redis_t)
-+
-+sysnet_dns_name_resolve(redis_t)
+ 
+ kernel_read_system_state(redis_t)
+ 
+-corenet_all_recvfrom_unlabeled(redis_t)
+-corenet_all_recvfrom_netlabel(redis_t)
+-corenet_tcp_sendrecv_generic_if(redis_t)
+-corenet_tcp_sendrecv_generic_node(redis_t)
+ corenet_tcp_bind_generic_node(redis_t)
+-
+-corenet_sendrecv_redis_server_packets(redis_t)
+ corenet_tcp_bind_redis_port(redis_t)
+-corenet_tcp_sendrecv_redis_port(redis_t)
+ 
+ dev_read_sysfs(redis_t)
+ dev_read_urand(redis_t)
+@@ -63,3 +61,4 @@ logging_send_syslog_msg(redis_t)
+ miscfiles_read_localization(redis_t)
+ 
+ sysnet_dns_name_resolve(redis_t)
 +
 diff --git a/remotelogin.fc b/remotelogin.fc
 index 327baf0..d8691bd 100644
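Review bot: The redis.te header in this hunk swaps policy_module(redis, 1.0.1) for policy_module(redis, 1.0.0), so the carried patch lowers the module version below the base it now applies to while still adding redis_unit_file_t and the sock_file rules. Keep the base version or bump it, so the version continues to say which source the module was built from. The last inner hunk (@@ -63,3 +61,4 @@) only appends a blank line after sysnet_dns_name_resolve(redis_t) and can be dropped.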
@@ -78386,11 +82010,11 @@ index a9ce68e..92520aa 100644
 +	allow $1 remote_login_t:process signull;
  ')
 diff --git a/remotelogin.te b/remotelogin.te
-index c51a32c..bef8238 100644
+index ae30871..bef8238 100644
 --- a/remotelogin.te
 +++ b/remotelogin.te
 @@ -1,4 +1,4 @@
--policy_module(remotelogin, 1.7.2)
+-policy_module(remotelogin, 1.8.0)
 +policy_module(remotelogin, 1.7.0)
  
  ########################################
@@ -78507,9 +82131,15 @@ index c51a32c..bef8238 100644
  ')
  
 diff --git a/resmgr.te b/resmgr.te
-index 6f219b3..6bef328 100644
+index f6eb358..6bef328 100644
 --- a/resmgr.te
 +++ b/resmgr.te
+@@ -1,4 +1,4 @@
+-policy_module(resmgr, 1.3.0)
++policy_module(resmgr, 1.2.2)
+ 
+ ########################################
+ #
 @@ -42,7 +42,6 @@ dev_getattr_scanner_dev(resmgrd_t)
  
  domain_use_interactive_fds(resmgrd_t)
@@ -78754,16 +82384,16 @@ index 1c2f9aa..a4133dc 100644
 +    allow $1 rgmanager_var_lib_t:dir search_dir_perms;
 +')
 diff --git a/rgmanager.te b/rgmanager.te
-index b418d1c..1ad9c12 100644
+index c8a1e16..1ad9c12 100644
 --- a/rgmanager.te
 +++ b/rgmanager.te
 @@ -1,4 +1,4 @@
--policy_module(rgmanager, 1.2.2)
+-policy_module(rgmanager, 1.3.0)
 +policy_module(rgmanager, 1.2.0)
  
  ########################################
  #
-@@ -6,10 +6,9 @@ policy_module(rgmanager, 1.2.2)
+@@ -6,10 +6,9 @@ policy_module(rgmanager, 1.3.0)
  #
  
  ## <desc>
@@ -79094,7 +82724,7 @@ index 47de2d6..5ad36aa 100644
 +/var/log/cluster/rgmanager\.log.*       --  gen_context(system_u:object_r:cluster_var_log_t,s0)
 +/var/log/pcsd(/.*)?     gen_context(system_u:object_r:cluster_var_log_t,s0)
 diff --git a/rhcs.if b/rhcs.if
-index 56bc01f..1337d42 100644
+index c8bdea2..1337d42 100644
 --- a/rhcs.if
 +++ b/rhcs.if
 @@ -1,19 +1,19 @@
@@ -79138,7 +82768,7 @@ index 56bc01f..1337d42 100644
  	manage_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
  	manage_fifo_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
  	manage_sock_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
--	files_pid_filetrans($1_t, $1_var_run_t, { dir file fifo_file })
+-	files_pid_filetrans($1_t, $1_var_run_t, { dir file sock_file fifo_file })
 +	files_pid_filetrans($1_t, $1_var_run_t, { file sock_file fifo_file })
  
 -	optional_policy(`
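Review bot: The surviving files_pid_filetrans($1_t, $1_var_run_t, { file sock_file fifo_file }) in this rhcs.if hunk leaves out dir, which the base line it removes includes. A directory that a domain built from this template creates under the pid directory then inherits the parent's type instead of $1_var_run_t. Keep dir in the class set, or say in the changelog why directories are excluded.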
@@ -79856,9 +83486,15 @@ index 56bc01f..1337d42 100644
 +    allow $1 cluster_unit_file_t:service all_service_perms;
  ')
 diff --git a/rhcs.te b/rhcs.te
-index 2c2de9a..a8f6097 100644
+index 6cf79c4..a8f6097 100644
 --- a/rhcs.te
 +++ b/rhcs.te
+@@ -1,4 +1,4 @@
+-policy_module(rhcs, 1.2.1)
++policy_module(rhcs, 1.1.4)
+ 
+ ########################################
+ #
 @@ -20,6 +20,35 @@ gen_tunable(fenced_can_network_connect, false)
  ## </desc>
  gen_tunable(fenced_can_ssh, false)
@@ -81226,9 +84862,15 @@ index 6dbc905..4b17c93 100644
 -	admin_pattern($1, rhsmcertd_lock_t)
  ')
 diff --git a/rhsmcertd.te b/rhsmcertd.te
-index 1cedd70..7dc8f6e 100644
+index d32e1a2..7dc8f6e 100644
 --- a/rhsmcertd.te
 +++ b/rhsmcertd.te
+@@ -1,4 +1,4 @@
+-policy_module(rhsmcertd, 1.1.1)
++policy_module(rhsmcertd, 1.0.2)
+ 
+ ########################################
+ #
 @@ -18,6 +18,9 @@ logging_log_file(rhsmcertd_log_t)
  type rhsmcertd_lock_t;
  files_lock_file(rhsmcertd_lock_t)
@@ -81265,7 +84907,7 @@ index 1cedd70..7dc8f6e 100644
  manage_dirs_pattern(rhsmcertd_t, rhsmcertd_var_lib_t, rhsmcertd_var_lib_t)
  manage_files_pattern(rhsmcertd_t, rhsmcertd_var_lib_t, rhsmcertd_var_lib_t)
  
-@@ -51,22 +57,51 @@ files_pid_filetrans(rhsmcertd_t, rhsmcertd_var_run_t, { file dir })
+@@ -51,24 +57,51 @@ files_pid_filetrans(rhsmcertd_t, rhsmcertd_var_run_t, { file dir })
  
  kernel_read_network_state(rhsmcertd_t)
  kernel_read_system_state(rhsmcertd_t)
@@ -81291,13 +84933,13 @@ index 1cedd70..7dc8f6e 100644
 +files_create_boot_flag(rhsmcertd_t)
 +
 +auth_read_passwd(rhsmcertd_t)
++
++libs_exec_ldconfig(rhsmcertd_t)
+ 
+ init_read_state(rhsmcertd_t)
  
 -miscfiles_read_localization(rhsmcertd_t)
 -miscfiles_read_generic_certs(rhsmcertd_t)
-+libs_exec_ldconfig(rhsmcertd_t)
-+
-+init_read_state(rhsmcertd_t)
-+
 +logging_send_syslog_msg(rhsmcertd_t)
 +
 +miscfiles_manage_cert_files(rhsmcertd_t)
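Review bot: At the end of this rhsmcertd.te hunk, miscfiles_manage_cert_files(rhsmcertd_t) takes the place of the removed miscfiles_read_generic_certs(rhsmcertd_t), which moves rhsmcertd_t from reading certificates to managing them. Add a comment naming the certificate paths rhsmcertd has to write, and if those are only its own, label them with a dedicated type rather than granting manage on the shared certificate type. The reordering of libs_exec_ldconfig and init_read_state above it is harmless.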
@@ -81555,9 +85197,15 @@ index 2ab3ed1..23d579c 100644
  	role_transition $2 ricci_initrc_exec_t system_r;
  	allow $2 system_r;
 diff --git a/ricci.te b/ricci.te
-index 9702ed2..a265af9 100644
+index 0ba2569..a265af9 100644
 --- a/ricci.te
 +++ b/ricci.te
+@@ -1,4 +1,4 @@
+-policy_module(ricci, 1.8.0)
++policy_module(ricci, 1.7.4)
+ 
+ ########################################
+ #
 @@ -115,7 +115,6 @@ kernel_read_system_state(ricci_t)
  
  corecmd_exec_bin(ricci_t)
@@ -81800,10 +85448,34 @@ index 050479d..0e1b364 100644
  		type rlogind_home_t;
  	')
 diff --git a/rlogin.te b/rlogin.te
-index d34cdec..15d7ca6 100644
+index ee27948..15d7ca6 100644
 --- a/rlogin.te
 +++ b/rlogin.te
-@@ -30,7 +30,9 @@ files_pid_file(rlogind_var_run_t)
+@@ -1,4 +1,4 @@
+-policy_module(rlogin, 1.11.3)
++policy_module(rlogin, 1.10.1)
+ 
+ ########################################
+ #
+@@ -9,7 +9,6 @@ type rlogind_t;
+ type rlogind_exec_t;
+ auth_login_pgm_domain(rlogind_t)
+ inetd_service_domain(rlogind_t, rlogind_exec_t)
+-init_daemon_domain(rlogind_t, rlogind_exec_t)
+ 
+ type rlogind_devpts_t;
+ term_login_pty(rlogind_devpts_t)
+@@ -17,9 +16,6 @@ term_login_pty(rlogind_devpts_t)
+ type rlogind_home_t;
+ userdom_user_home_content(rlogind_home_t)
+ 
+-type rlogind_keytab_t;
+-files_type(rlogind_keytab_t)
+-
+ type rlogind_tmp_t;
+ files_tmp_file(rlogind_tmp_t)
+ 
+@@ -34,18 +30,17 @@ files_pid_file(rlogind_var_run_t)
  allow rlogind_t self:capability { fsetid chown fowner setuid setgid sys_tty_config dac_override };
  allow rlogind_t self:process signal_perms;
  allow rlogind_t self:fifo_file rw_fifo_file_perms;
@@ -81814,32 +85486,38 @@ index d34cdec..15d7ca6 100644
  
  allow rlogind_t rlogind_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms };
  term_create_pty(rlogind_t, rlogind_devpts_t)
-@@ -39,7 +41,6 @@ allow rlogind_t rlogind_home_t:file read_file_perms;
  
+ allow rlogind_t rlogind_home_t:file read_file_perms;
+ 
+-allow rlogind_t rlogind_keytab_t:file read_file_perms;
+-
  manage_dirs_pattern(rlogind_t, rlogind_tmp_t, rlogind_tmp_t)
  manage_files_pattern(rlogind_t, rlogind_tmp_t, rlogind_tmp_t)
 -files_tmp_filetrans(rlogind_t, rlogind_tmp_t, { dir file })
  
  manage_files_pattern(rlogind_t, rlogind_var_run_t, rlogind_var_run_t)
  files_pid_filetrans(rlogind_t, rlogind_var_run_t, file)
-@@ -50,7 +51,6 @@ kernel_read_kernel_sysctls(rlogind_t)
+@@ -56,14 +51,15 @@ kernel_read_kernel_sysctls(rlogind_t)
  kernel_read_system_state(rlogind_t)
  kernel_read_network_state(rlogind_t)
  
 -corenet_all_recvfrom_unlabeled(rlogind_t)
  corenet_all_recvfrom_netlabel(rlogind_t)
  corenet_tcp_sendrecv_generic_if(rlogind_t)
- corenet_udp_sendrecv_generic_if(rlogind_t)
-@@ -58,6 +58,8 @@ corenet_tcp_sendrecv_generic_node(rlogind_t)
- corenet_udp_sendrecv_generic_node(rlogind_t)
- corenet_tcp_sendrecv_all_ports(rlogind_t)
- corenet_udp_sendrecv_all_ports(rlogind_t)
++corenet_udp_sendrecv_generic_if(rlogind_t)
+ corenet_tcp_sendrecv_generic_node(rlogind_t)
+-
+-corenet_sendrecv_rlogind_server_packets(rlogind_t)
++corenet_udp_sendrecv_generic_node(rlogind_t)
++corenet_tcp_sendrecv_all_ports(rlogind_t)
++corenet_udp_sendrecv_all_ports(rlogind_t)
 +corenet_tcp_bind_rlogin_port(rlogind_t)
-+corenet_tcp_bind_rlogind_port(rlogind_t)
+ corenet_tcp_bind_rlogind_port(rlogind_t)
+-corenet_tcp_sendrecv_rlogind_port(rlogind_t)
  
  dev_read_urand(rlogind_t)
  
-@@ -67,6 +69,7 @@ fs_getattr_all_fs(rlogind_t)
+@@ -73,6 +69,7 @@ fs_getattr_all_fs(rlogind_t)
  fs_search_auto_mountpoints(rlogind_t)
  
  auth_domtrans_chk_passwd(rlogind_t)
@@ -81847,7 +85525,7 @@ index d34cdec..15d7ca6 100644
  auth_rw_login_records(rlogind_t)
  auth_use_nsswitch(rlogind_t)
  
-@@ -77,30 +80,23 @@ init_rw_utmp(rlogind_t)
+@@ -83,31 +80,23 @@ init_rw_utmp(rlogind_t)
  
  logging_send_syslog_msg(rlogind_t)
  
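Review bot: The rlogin.te network block in this hunk binds two port types, corenet_tcp_bind_rlogin_port(rlogind_t) and corenet_tcp_bind_rlogind_port(rlogind_t), and replaces the removed corenet_tcp_sendrecv_rlogind_port(rlogind_t) with corenet_tcp_sendrecv_all_ports and corenet_udp_sendrecv_all_ports. Check that both port types exist in this tree and that both binds are needed, and state why rlogind_t needs UDP and all-ports access; otherwise keep the port-specific rule.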
@@ -81879,25 +85557,29 @@ index d34cdec..15d7ca6 100644
 +rlogin_read_home_content(rlogind_t)
  
  optional_policy(`
- 	kerberos_keytab_template(rlogind, rlogind_t)
+-	kerberos_read_keytab(rlogind_t)
 -	kerberos_tmp_filetrans_host_rcache(rlogind_t, file, "host_0")
 -	kerberos_manage_host_rcache(rlogind_t)
+-	kerberos_use(rlogind_t)
++	kerberos_keytab_template(rlogind, rlogind_t)
 +	kerberos_tmp_filetrans_host_rcache(rlogind_t, "host_0")
  ')
  
  optional_policy(`
 diff --git a/rngd.fc b/rngd.fc
-index 5dd779e..276eb3a 100644
+index fa19aa8..276eb3a 100644
 --- a/rngd.fc
 +++ b/rngd.fc
-@@ -1,3 +1,5 @@
+@@ -1,5 +1,5 @@
  /etc/rc\.d/init\.d/rngd	--	gen_context(system_u:object_r:rngd_initrc_exec_t,s0)
  
+-/usr/sbin/rngd	--	gen_context(system_u:object_r:rngd_exec_t,s0)
 +/usr/lib/systemd/system/rngd.*    --  gen_context(system_u:object_r:rngd_unit_file_t,s0)
-+
- /usr/sbin/rngd	--	gen_context(system_u:object_r:rngd_exec_t,s0)
+ 
+-/var/run/rngd\.pid	--	gen_context(system_u:object_r:rngd_var_run_t,s0)
++/usr/sbin/rngd	--	gen_context(system_u:object_r:rngd_exec_t,s0)
 diff --git a/rngd.if b/rngd.if
-index 0e759a2..9c83bc9 100644
+index 13f788f..9c83bc9 100644
 --- a/rngd.if
 +++ b/rngd.if
 @@ -2,6 +2,28 @@
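Review bot: kerberos_tmp_filetrans_host_rcache(rlogind_t, "host_0") in the rlogin.te optional_policy block passes two arguments, while the removed base call passed three: (rlogind_t, file, "host_0"). Confirm that the interface as patched in this tree takes (domain, name); if its second parameter is still the object class, "host_0" lands in the class slot. kerberos_manage_host_rcache(rlogind_t) and kerberos_use(rlogind_t) are removed in the same block, so check that kerberos_keytab_template(rlogind, rlogind_t) covers what they granted.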
@@ -81929,14 +85611,14 @@ index 0e759a2..9c83bc9 100644
  ##	All of the rules required to
  ##	administrate an rng environment.
  ## </summary>
-@@ -17,16 +39,24 @@
+@@ -17,19 +39,24 @@
  ## </param>
  ## <rolecap/>
  #
 -interface(`rngd_admin',`
 +interface(`rng_admin',`
  	gen_require(`
--		type rngd_t, rngd_initrc_exec_t;
+-		type rngd_t, rngd_initrc_exec_t, rngd_var_run_t;
 +		type rngd_t, rngd_initrc_exec_t, rngd_unit_file_t;
  	')
  
@@ -81952,26 +85634,50 @@ index 0e759a2..9c83bc9 100644
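Review bot: The interface rngd_admin is renamed to rng_admin in this rngd.if hunk, which no longer matches the module name and breaks any caller that still uses rngd_admin. Keep the rngd_ prefix, or leave a compatibility interface under the old name that calls the new one.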
  	domain_system_change_exemption($1)
  	role_transition $2 rngd_initrc_exec_t system_r;
  	allow $2 system_r;
-+
+ 
+-	files_search_pids($1)
+-	admin_pattern($1, rngd_var_run_t)
 +	rng_systemctl_rngd($1)
 +	admin_pattern($1, rngd_unit_file_t)
 +	allow $1 rngd_unit_file_t:service all_service_perms;
  ')
 diff --git a/rngd.te b/rngd.te
-index 35c1427..2519caa 100644
+index a7b7717..2519caa 100644
 --- a/rngd.te
 +++ b/rngd.te
-@@ -12,6 +12,9 @@ init_daemon_domain(rngd_t, rngd_exec_t)
+@@ -1,4 +1,4 @@
+-policy_module(rngd, 1.1.0)
++policy_module(rngd, 1.0.2)
+ 
+ ########################################
+ #
+@@ -12,22 +12,19 @@ init_daemon_domain(rngd_t, rngd_exec_t)
  type rngd_initrc_exec_t;
  init_script_file(rngd_initrc_exec_t)
  
+-type rngd_var_run_t;
+-files_pid_file(rngd_var_run_t)
 +type rngd_unit_file_t;
 +systemd_unit_file(rngd_unit_file_t)
-+
+ 
  ########################################
  #
  # Local policy
-@@ -29,8 +32,5 @@ dev_read_urand(rngd_t)
+ #
+ 
+-allow rngd_t self:capability { ipc_lock sys_admin };
++allow rngd_t self:capability sys_admin;
+ allow rngd_t self:process signal;
+ allow rngd_t self:fifo_file rw_fifo_file_perms;
+ allow rngd_t self:unix_stream_socket { accept listen };
+ 
+-allow rngd_t rngd_var_run_t:file manage_file_perms;
+-files_pid_filetrans(rngd_t, rngd_var_run_t, file, "rngd.pid")
+-
+ kernel_rw_kernel_sysctl(rngd_t)
+ 
+ dev_read_rand(rngd_t)
+@@ -35,8 +32,5 @@ dev_read_urand(rngd_t)
  dev_rw_tpm(rngd_t)
  dev_write_rand(rngd_t)
  
@@ -81998,9 +85704,15 @@ index 975bb6a..ce4f5ea 100644
  	init_labeled_script_domtrans($1, roundup_initrc_exec_t)
  	domain_system_change_exemption($1)
 diff --git a/roundup.te b/roundup.te
-index 353960c..3b74aae 100644
+index ccb5991..3b74aae 100644
 --- a/roundup.te
 +++ b/roundup.te
+@@ -1,4 +1,4 @@
+-policy_module(roundup, 1.8.0)
++policy_module(roundup, 1.7.1)
+ 
+ ########################################
+ #
 @@ -41,7 +41,6 @@ kernel_read_proc_symlinks(roundup_t)
  
  corecmd_exec_bin(roundup_t)
@@ -82075,7 +85787,7 @@ index a6fb30c..b0c22f7 100644
 +/var/run/rpc\.statd\.pid --	gen_context(system_u:object_r:rpcd_var_run_t,s0)
 +
 diff --git a/rpc.if b/rpc.if
-index 3bd6446..eec0a35 100644
+index 0bf13c2..eec0a35 100644
 --- a/rpc.if
 +++ b/rpc.if
 @@ -1,4 +1,4 @@
@@ -82531,7 +86243,7 @@ index 3bd6446..eec0a35 100644
 -		attribute rpc_domain;
 -		type nfsd_initrc_exec_t, rpcd_initrc_exec_t, exports_t;
 -		type var_lib_nfs_t, rpcd_var_run_t, gssd_tmp_t;
--		type nfsd_ro_t, nfsd_rw_t;
+-		type nfsd_ro_t, nfsd_rw_t, gssd_keytab_t;
 +		type var_lib_nfs_t;
  	')
  
@@ -82544,7 +86256,7 @@ index 3bd6446..eec0a35 100644
 - 	allow $2 system_r;
 -
 -	files_list_etc($1)
--	admin_pattern($1, exports_t)
+-	admin_pattern($1, { gssd_keytab_t exports_t })
 -
 -	files_list_var_lib($1)
 -	admin_pattern($1, var_lib_nfs_t)
@@ -82564,16 +86276,16 @@ index 3bd6446..eec0a35 100644
 +	allow $1 var_lib_nfs_t:file relabel_file_perms;
  ')
 diff --git a/rpc.te b/rpc.te
-index e5212e6..fbbff71 100644
+index 2da9fca..fbbff71 100644
 --- a/rpc.te
 +++ b/rpc.te
 @@ -1,4 +1,4 @@
--policy_module(rpc, 1.14.6)
+-policy_module(rpc, 1.15.1)
 +policy_module(rpc, 1.14.0)
  
  ########################################
  #
-@@ -6,24 +6,20 @@ policy_module(rpc, 1.14.6)
+@@ -6,143 +6,76 @@ policy_module(rpc, 1.15.1)
  #
  
  ## <desc>
@@ -82608,7 +86320,15 @@ index e5212e6..fbbff71 100644
  
  type exports_t;
  files_config_file(exports_t)
-@@ -36,110 +32,50 @@ files_tmp_file(gssd_tmp_t)
+ 
+ rpc_domain_template(gssd)
+ 
+-type gssd_keytab_t;
+-files_type(gssd_keytab_t)
+-
+ type gssd_tmp_t;
+ files_tmp_file(gssd_tmp_t)
+ 
  type rpcd_var_run_t;
  files_pid_file(rpcd_var_run_t)
  
@@ -82733,7 +86453,7 @@ index e5212e6..fbbff71 100644
  kernel_read_sysctl(rpcd_t)
  kernel_rw_fs_sysctls(rpcd_t)
  kernel_dontaudit_getattr_core_if(rpcd_t)
-@@ -160,13 +96,14 @@ fs_getattr_all_fs(rpcd_t)
+@@ -163,21 +96,26 @@ fs_getattr_all_fs(rpcd_t)
  
  storage_getattr_fixed_disk_dev(rpcd_t)
  
@@ -82744,26 +86464,29 @@ index e5212e6..fbbff71 100644
  miscfiles_read_generic_certs(rpcd_t)
  
 -seutil_dontaudit_search_config(rpcd_t)
--
--userdom_signal_all_users(rpcd_t)
 +userdom_signal_unpriv_users(rpcd_t)
 +userdom_read_user_home_content_files(rpcd_t)
  
- optional_policy(`
- 	automount_signal(rpcd_t)
-@@ -174,19 +111,27 @@ optional_policy(`
+-userdom_signal_all_users(rpcd_t)
++optional_policy(`
++	automount_signal(rpcd_t)
++	automount_dontaudit_write_pipes(rpcd_t)
++')
+ 
+-ifdef(`distro_debian',`
+-	term_dontaudit_use_unallocated_ttys(rpcd_t)
++optional_policy(`
++	domain_unconfined_signal(rpcd_t)
  ')
  
  optional_policy(`
-+	domain_unconfined_signal(rpcd_t)
-+')
-+
-+optional_policy(`
+-	automount_signal(rpcd_t)
+-	automount_dontaudit_write_pipes(rpcd_t)
 +	quota_manage_db(rpcd_t)
-+')
-+
-+optional_policy(`
- 	nis_read_ypserv_config(rpcd_t)
+ ')
+ 
+ optional_policy(`
+@@ -185,15 +123,15 @@ optional_policy(`
  ')
  
  optional_policy(`
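Review bot: userdom_read_user_home_content_files(rpcd_t) is added unconditionally beside the change from userdom_signal_all_users to userdom_signal_unpriv_users, so rpcd_t can read user home content on every system. Put it behind a tunable or add a comment naming the rpcd feature that needs it. The new optional block with domain_unconfined_signal(rpcd_t) needs the same kind of comment: which unconfined processes rpcd has to signal.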
@@ -82782,7 +86505,7 @@ index e5212e6..fbbff71 100644
  ')
  
  ########################################
-@@ -195,41 +140,56 @@ optional_policy(`
+@@ -202,41 +140,56 @@ optional_policy(`
  #
  
  allow nfsd_t self:capability { dac_override dac_read_search sys_admin sys_resource };
@@ -82847,7 +86570,7 @@ index e5212e6..fbbff71 100644
  	miscfiles_manage_public_files(nfsd_t)
  ')
  
-@@ -238,7 +198,6 @@ tunable_policy(`nfs_export_all_rw',`
+@@ -245,7 +198,6 @@ tunable_policy(`nfs_export_all_rw',`
  	dev_getattr_all_chr_files(nfsd_t)
  
  	fs_read_noxattr_fs_files(nfsd_t)
@@ -82855,7 +86578,7 @@ index e5212e6..fbbff71 100644
  ')
  
  tunable_policy(`nfs_export_all_ro',`
-@@ -250,12 +209,12 @@ tunable_policy(`nfs_export_all_ro',`
+@@ -257,12 +209,12 @@ tunable_policy(`nfs_export_all_ro',`
  
  	fs_read_noxattr_fs_files(nfsd_t)
  
@@ -82870,7 +86593,7 @@ index e5212e6..fbbff71 100644
  ')
  
  ########################################
-@@ -263,7 +222,7 @@ optional_policy(`
+@@ -270,16 +222,15 @@ optional_policy(`
  # GSSD local policy
  #
  
@@ -82879,7 +86602,9 @@ index e5212e6..fbbff71 100644
  allow gssd_t self:process { getsched setsched };
  allow gssd_t self:fifo_file rw_fifo_file_perms;
  
-@@ -271,6 +230,7 @@ manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
+-allow gssd_t gssd_keytab_t:file read_file_perms;
+-
+ manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
  manage_files_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
  files_tmp_filetrans(gssd_t, gssd_tmp_t, { file dir })
  
@@ -82887,7 +86612,7 @@ index e5212e6..fbbff71 100644
  kernel_read_network_state(gssd_t)
  kernel_read_network_state_symlinks(gssd_t)
  kernel_request_load_module(gssd_t)
-@@ -279,25 +239,30 @@ kernel_signal(gssd_t)
+@@ -288,25 +239,30 @@ kernel_signal(gssd_t)
  
  corecmd_exec_bin(gssd_t)
  
@@ -82921,12 +86646,15 @@ index e5212e6..fbbff71 100644
  ')
  
  optional_policy(`
-@@ -306,8 +271,11 @@ optional_policy(`
+@@ -314,10 +270,12 @@ optional_policy(`
+ ')
  
  optional_policy(`
- 	kerberos_keytab_template(gssd, gssd_t)
 -	kerberos_manage_host_rcache(gssd_t)
+-	kerberos_read_keytab(gssd_t)
 -	kerberos_tmp_filetrans_host_rcache(gssd_t, file, "nfs_0")
+-	kerberos_use(gssd_t)
++	kerberos_keytab_template(gssd, gssd_t)
 +	kerberos_tmp_filetrans_host_rcache(gssd_t, "nfs_0")
 +')
 +
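Review bot: In the gssd optional_policy block, kerberos_manage_host_rcache(gssd_t) is removed while kerberos_tmp_filetrans_host_rcache(gssd_t, "nfs_0") stays, so gssd_t keeps a type transition for the nfs_0 replay cache with no rule visible here that lets it manage the resulting file. Confirm that kerberos_keytab_template(gssd, gssd_t) or the filetrans interface itself grants that access, and that removing kerberos_use(gssd_t) and kerberos_read_keytab(gssd_t) does not take away access gssd relies on.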
@@ -83090,9 +86818,15 @@ index 3b5e9ee..ff1163f 100644
 +	admin_pattern($1, rpcbind_var_run_t)
  ')
 diff --git a/rpcbind.te b/rpcbind.te
-index c49828c..56cb0c2 100644
+index 54de77c..56cb0c2 100644
 --- a/rpcbind.te
 +++ b/rpcbind.te
+@@ -1,4 +1,4 @@
+-policy_module(rpcbind, 1.6.1)
++policy_module(rpcbind, 1.5.4)
+ 
+ ########################################
+ #
 @@ -42,7 +42,6 @@ kernel_read_system_state(rpcbind_t)
  kernel_read_network_state(rpcbind_t)
  kernel_request_load_module(rpcbind_t)
@@ -83101,21 +86835,18 @@ index c49828c..56cb0c2 100644
  corenet_all_recvfrom_netlabel(rpcbind_t)
  corenet_tcp_sendrecv_generic_if(rpcbind_t)
  corenet_udp_sendrecv_generic_if(rpcbind_t)
-@@ -62,12 +61,11 @@ corecmd_exec_shell(rpcbind_t)
- 
- domain_use_interactive_fds(rpcbind_t)
+@@ -68,8 +67,8 @@ auth_use_nsswitch(rpcbind_t)
  
--files_read_etc_files(rpcbind_t)
- files_read_etc_runtime_files(rpcbind_t)
- 
--logging_send_syslog_msg(rpcbind_t)
-+auth_use_nsswitch(rpcbind_t)
+ logging_send_syslog_msg(rpcbind_t)
  
 -miscfiles_read_localization(rpcbind_t)
-+logging_send_syslog_msg(rpcbind_t)
- 
- sysnet_dns_name_resolve(rpcbind_t)
++sysnet_dns_name_resolve(rpcbind_t)
  
+-ifdef(`distro_debian',`
+-	term_dontaudit_use_unallocated_ttys(rpcbind_t)
++optional_policy(`
++	nis_use_ypbind(rpcbind_t)
+ ')
 diff --git a/rpm.fc b/rpm.fc
 index ebe91fc..576ca21 100644
 --- a/rpm.fc
@@ -83239,7 +86970,7 @@ index ebe91fc..576ca21 100644
 +/sbin/cpio			--	gen_context(system_u:object_r:rpm_exec_t,s0)
  ')
 diff --git a/rpm.if b/rpm.if
-index 0628d50..e9dbd7e 100644
+index ef3b225..e9dbd7e 100644
 --- a/rpm.if
 +++ b/rpm.if
 @@ -1,8 +1,8 @@
@@ -83821,7 +87552,7 @@ index 0628d50..e9dbd7e 100644
 -	admin_pattern($1, rpm_var_run_t)
 -
 -	fs_search_tmpfs($1)
--	admin_pattern($1, { rpm_tmpfs_t rpm_script_tmpfs_t }
+-	admin_pattern($1, { rpm_tmpfs_t rpm_script_tmpfs_t })
 -
 -	rpm_run($1, $2)
 +	allow $1 rpm_script_t:fd use;
@@ -83830,11 +87561,11 @@ index 0628d50..e9dbd7e 100644
 +	allow rpm_script_t $1:process sigchld;
  ')
 diff --git a/rpm.te b/rpm.te
-index 5cbe81c..a461faa 100644
+index 6fc360e..a461faa 100644
 --- a/rpm.te
 +++ b/rpm.te
 @@ -1,15 +1,13 @@
--policy_module(rpm, 1.15.3)
+-policy_module(rpm, 1.16.0)
 +policy_module(rpm, 1.15.0)
 +
 +attribute rpm_transition_domain;
@@ -84357,11 +88088,11 @@ index 7ad29c0..2e87d76 100644
  	domtrans_pattern($1, rshd_exec_t, rshd_t)
  ')
 diff --git a/rshd.te b/rshd.te
-index f842825..24cf46d 100644
+index 864e089..24cf46d 100644
 --- a/rshd.te
 +++ b/rshd.te
-@@ -1,62 +1,75 @@
--policy_module(rshd, 1.7.1)
+@@ -1,68 +1,75 @@
+-policy_module(rshd, 1.8.1)
 +policy_module(rshd, 1.7.0)
  
  ########################################
@@ -84373,6 +88104,9 @@ index f842825..24cf46d 100644
  type rshd_exec_t;
 -auth_login_pgm_domain(rshd_t)
  inetd_tcp_service_domain(rshd_t, rshd_exec_t)
+-
+-type rshd_keytab_t;
+-files_type(rshd_keytab_t)
 +domain_subj_id_change_exemption(rshd_t)
 +domain_role_change_exemption(rshd_t)
 +role system_r types rshd_t;
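Review bot: rshd_t loses auth_login_pgm_domain(rshd_t) and gains domain_subj_id_change_exemption(rshd_t) and domain_role_change_exemption(rshd_t) at the top of rshd.te, with no comment. These exemptions lift the constraints on changing SELinux user and role, so add a comment saying why rshd needs them outside the login-program macro and which transitions it is expected to make. The removal of rshd_keytab_t in the same hunk should be checked against the kerberos_keytab_template(rshd, rshd_t) call added later in the file.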
@@ -84388,6 +88122,8 @@ index f842825..24cf46d 100644
  allow rshd_t self:fifo_file rw_fifo_file_perms;
  allow rshd_t self:tcp_socket create_stream_socket_perms;
  
+-allow rshd_t rshd_keytab_t:file read_file_perms;
+-
  kernel_read_kernel_sysctls(rshd_t)
  
 -corenet_all_recvfrom_unlabeled(rshd_t)
@@ -84449,16 +88185,24 @@ index f842825..24cf46d 100644
 +userdom_home_reader(rshd_t)
  
  optional_policy(`
- 	kerberos_keytab_template(rshd, rshd_t)
 -	kerberos_manage_host_rcache(rshd_t)
+-	kerberos_read_keytab(rshd_t)
 -	kerberos_tmp_filetrans_host_rcache(rshd_t, file, "host_0")
+-	kerberos_use(rshd_t)
++	kerberos_keytab_template(rshd, rshd_t)
  ')
  
  optional_policy(`
 diff --git a/rssh.te b/rssh.te
-index d1fd97f..7ee8502 100644
+index 5c5465f..7ee8502 100644
 --- a/rssh.te
 +++ b/rssh.te
+@@ -1,4 +1,4 @@
+-policy_module(rssh, 2.3.0)
++policy_module(rssh, 2.2.1)
+ 
+ ########################################
+ #
 @@ -60,18 +60,14 @@ manage_files_pattern(rssh_t, rssh_rw_t, rssh_rw_t)
  kernel_read_system_state(rssh_t)
  kernel_read_kernel_sysctls(rssh_t)
@@ -84778,16 +88522,16 @@ index f1140ef..8afe362 100644
 +	files_pid_filetrans($1, rsync_var_run_t, file, "rsyncd.lock")
  ')
 diff --git a/rsync.te b/rsync.te
-index e3e7c96..7a6ca6c 100644
+index abeb302..7a6ca6c 100644
 --- a/rsync.te
 +++ b/rsync.te
 @@ -1,4 +1,4 @@
--policy_module(rsync, 1.12.2)
+-policy_module(rsync, 1.13.0)
 +policy_module(rsync, 1.12.0)
  
  ########################################
  #
-@@ -6,67 +6,45 @@ policy_module(rsync, 1.12.2)
+@@ -6,67 +6,45 @@ policy_module(rsync, 1.13.0)
  #
  
  ## <desc>
@@ -85323,7 +89067,7 @@ index 0000000..9a5164c
 +    unconfined_domain(rtas_errd_t)
 +')
 diff --git a/rtkit.if b/rtkit.if
-index bd35afe..051addd 100644
+index e904ec4..051addd 100644
 --- a/rtkit.if
 +++ b/rtkit.if
 @@ -15,7 +15,6 @@ interface(`rtkit_daemon_domtrans',`
@@ -85334,7 +89078,7 @@ index bd35afe..051addd 100644
  	domtrans_pattern($1, rtkit_daemon_exec_t, rtkit_daemon_t)
  ')
  
-@@ -42,55 +41,43 @@ interface(`rtkit_daemon_dbus_chat',`
+@@ -42,56 +41,43 @@ interface(`rtkit_daemon_dbus_chat',`
  
  ########################################
  ## <summary>
@@ -85358,6 +89102,7 @@ index bd35afe..051addd 100644
  
 -	allow rtkit_daemon_t $1:process { getsched setsched };
 -
+-	kernel_search_proc($1)
 -	ps_process_pattern(rtkit_daemon_t, $1)
 -
 -	optional_policy(`
@@ -85406,9 +89151,15 @@ index bd35afe..051addd 100644
 +	rtkit_daemon_dbus_chat($1)
  ')
 diff --git a/rtkit.te b/rtkit.te
-index 3f5a8ef..29a8e9e 100644
+index 7eea21f..29a8e9e 100644
 --- a/rtkit.te
 +++ b/rtkit.te
+@@ -1,4 +1,4 @@
+-policy_module(rtkit, 1.2.0)
++policy_module(rtkit, 1.1.2)
+ 
+ ########################################
+ #
 @@ -31,8 +31,6 @@ auth_use_nsswitch(rtkit_daemon_t)
  
  logging_send_syslog_msg(rtkit_daemon_t)
@@ -85436,9 +89187,15 @@ index 0360ff0..e6cb34f 100644
  	init_labeled_script_domtrans($1, rwho_initrc_exec_t)
  	domain_system_change_exemption($1)
 diff --git a/rwho.te b/rwho.te
-index 9927d29..6746952 100644
+index 7fb75f4..6746952 100644
 --- a/rwho.te
 +++ b/rwho.te
+@@ -1,4 +1,4 @@
+-policy_module(rwho, 1.7.0)
++policy_module(rwho, 1.6.1)
+ 
+ ########################################
+ #
 @@ -16,7 +16,7 @@ type rwho_log_t;
  files_type(rwho_log_t)
  
@@ -85576,7 +89333,7 @@ index b8b66ff..d1fa967 100644
 +/var/lib/samba/scripts(/.*)?		gen_context(system_u:object_r:samba_unconfined_script_exec_t,s0)
 +')
 diff --git a/samba.if b/samba.if
-index aee75af..a6bab06 100644
+index 50d07fb..a6bab06 100644
 --- a/samba.if
 +++ b/samba.if
 @@ -1,8 +1,12 @@
@@ -86241,7 +89998,7 @@ index aee75af..a6bab06 100644
  ##	</summary>
  ## </param>
  ## <rolecap/>
-@@ -684,41 +840,71 @@ interface(`samba_stream_connect_winbind',`
+@@ -684,42 +840,71 @@ interface(`samba_stream_connect_winbind',`
  interface(`samba_admin',`
  	gen_require(`
  		type nmbd_t, nmbd_var_run_t, smbd_var_run_t;
@@ -86250,24 +90007,25 @@ index aee75af..a6bab06 100644
 -		type samba_etc_t, samba_share_t, samba_initrc_exec_t;
 -		type swat_var_run_t, swat_tmp_t, winbind_log_t;
 -		type winbind_var_run_t, winbind_tmp_t;
+-		type smbd_keytab_t;
 +		type smbd_t, smbd_tmp_t, samba_secrets_t;
 +		type samba_initrc_exec_t, samba_log_t, samba_var_t;
 +		type samba_etc_t, samba_share_t, winbind_log_t;
 +		type swat_var_run_t, swat_tmp_t, samba_unconfined_script_exec_t;
 +		type winbind_var_run_t, winbind_tmp_t, samba_unconfined_script_t;
 +		type samba_unit_file_t;
- 	')
- 
--	allow $1 { nmbd_t smbd_t }:process { ptrace signal_perms };
--	ps_process_pattern($1, { nmbd_t smbd_t })
++	')
++
 +	allow $1 smbd_t:process signal_perms;
 +	ps_process_pattern($1, smbd_t)
 +	tunable_policy(`deny_ptrace',`',`
 +		allow $1 smbd_t:process ptrace;
 +		allow $1 nmbd_t:process ptrace;
 +		allow $1 samba_unconfined_script_t:process ptrace;
-+	')
-+
+ 	')
+ 
+-	allow $1 { nmbd_t smbd_t }:process { ptrace signal_perms };
+-	ps_process_pattern($1, { nmbd_t smbd_t })
 +	allow $1 nmbd_t:process signal_perms;
 +	ps_process_pattern($1, nmbd_t)
 +
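Review bot: The deny_ptrace block in samba_admin includes allow $1 samba_unconfined_script_t:process ptrace, which the removed base rule did not grant (it covered ptrace on nmbd_t and smbd_t only). Confirm that extending the admin role to trace unconfined Samba scripts is intended and mention it in the changelog. Dropping smbd_keytab_t from the gen_require list matches the removal of that type elsewhere in the patch.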
@@ -86284,11 +90042,11 @@ index aee75af..a6bab06 100644
  	role_transition $2 samba_initrc_exec_t system_r;
  	allow $2 system_r;
  
--	files_list_etc($1)
 +	admin_pattern($1, nmbd_var_run_t)
 +
- 	admin_pattern($1, samba_etc_t)
-+	files_list_etc($1)
++	admin_pattern($1, samba_etc_t)
+ 	files_list_etc($1)
+-	admin_pattern($1, { samba_etc_t smbd_keytab_t })
  
 +	admin_pattern($1, samba_log_t)
  	logging_list_logs($1)
@@ -86333,16 +90091,16 @@ index aee75af..a6bab06 100644
 +	allow $1 samba_unit_file_t:service all_service_perms;
  ')
 diff --git a/samba.te b/samba.te
-index 57c034b..8736764 100644
+index 2b7c441..8736764 100644
 --- a/samba.te
 +++ b/samba.te
 @@ -1,4 +1,4 @@
--policy_module(samba, 1.15.7)
+-policy_module(samba, 1.16.3)
 +policy_module(samba, 1.15.0)
  
  #################################
  #
-@@ -6,100 +6,80 @@ policy_module(samba, 1.15.7)
+@@ -6,100 +6,80 @@ policy_module(samba, 1.16.3)
  #
  
  ## <desc>
@@ -86497,7 +90255,7 @@ index 57c034b..8736764 100644
  
  type samba_net_tmp_t;
  files_tmp_file(samba_net_tmp_t)
-@@ -136,7 +119,7 @@ files_type(samba_var_t)
+@@ -136,25 +119,26 @@ files_type(samba_var_t)
  type smbcontrol_t;
  type smbcontrol_exec_t;
  application_domain(smbcontrol_t, smbcontrol_exec_t)
@@ -86506,7 +90264,11 @@ index 57c034b..8736764 100644
  
  type smbd_t;
  type smbd_exec_t;
-@@ -145,13 +128,17 @@ init_daemon_domain(smbd_t, smbd_exec_t)
+ init_daemon_domain(smbd_t, smbd_exec_t)
+ 
+-type smbd_keytab_t;
+-files_type(smbd_keytab_t)
+-
  type smbd_tmp_t;
  files_tmp_file(smbd_tmp_t)
  
@@ -86526,7 +90288,7 @@ index 57c034b..8736764 100644
  
  type swat_t;
  type swat_exec_t;
-@@ -170,27 +157,29 @@ type winbind_exec_t;
+@@ -173,28 +157,29 @@ type winbind_exec_t;
  init_daemon_domain(winbind_t, winbind_exec_t)
  
  type winbind_helper_t;
@@ -86554,7 +90316,7 @@ index 57c034b..8736764 100644
  #
 -
  allow samba_net_t self:capability { sys_chroot sys_nice dac_read_search dac_override };
-+allow samba_net_t self:capability2 block_suspend;
+ allow samba_net_t self:capability2 block_suspend;
  allow samba_net_t self:process { getsched setsched };
 -allow samba_net_t self:unix_stream_socket { accept listen };
 +allow samba_net_t self:unix_dgram_socket create_socket_perms;
@@ -86564,7 +90326,7 @@ index 57c034b..8736764 100644
  
  allow samba_net_t samba_etc_t:file read_file_perms;
  
-@@ -206,17 +195,22 @@ manage_files_pattern(samba_net_t, samba_var_t, samba_var_t)
+@@ -210,17 +195,22 @@ manage_files_pattern(samba_net_t, samba_var_t, samba_var_t)
  manage_lnk_files_pattern(samba_net_t, samba_var_t, samba_var_t)
  files_var_filetrans(samba_net_t, samba_var_t, dir, "samba")
  
@@ -86591,7 +90353,7 @@ index 57c034b..8736764 100644
  
  dev_read_urand(samba_net_t)
  
-@@ -229,15 +223,16 @@ auth_manage_cache(samba_net_t)
+@@ -233,15 +223,16 @@ auth_manage_cache(samba_net_t)
  
  logging_send_syslog_msg(samba_net_t)
  
@@ -86612,7 +90374,7 @@ index 57c034b..8736764 100644
  ')
  
  optional_policy(`
-@@ -245,44 +240,56 @@ optional_policy(`
+@@ -249,46 +240,56 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -86659,7 +90421,8 @@ index 57c034b..8736764 100644
 -allow smbd_t samba_etc_t:file { rw_file_perms setattr_file_perms };
 +allow smbd_t nmbd_var_run_t:file rw_file_perms;
 +stream_connect_pattern(smbd_t, nmbd_var_run_t, nmbd_var_run_t, nmbd_t)
-+
+ 
+-allow smbd_t smbd_keytab_t:file read_file_perms;
 +allow smbd_t samba_etc_t:file { rw_file_perms setattr };
  
  manage_dirs_pattern(smbd_t, samba_log_t, samba_log_t)
@@ -86681,7 +90444,7 @@ index 57c034b..8736764 100644
  manage_lnk_files_pattern(smbd_t, samba_share_t, samba_share_t)
  allow smbd_t samba_share_t:filesystem { getattr quotaget };
  
-@@ -292,20 +299,26 @@ manage_lnk_files_pattern(smbd_t, samba_var_t, samba_var_t)
+@@ -298,20 +299,26 @@ manage_lnk_files_pattern(smbd_t, samba_var_t, samba_var_t)
  manage_sock_files_pattern(smbd_t, samba_var_t, samba_var_t)
  files_var_filetrans(smbd_t, samba_var_t, dir, "samba")
  
@@ -86712,7 +90475,7 @@ index 57c034b..8736764 100644
  
  kernel_getattr_core_if(smbd_t)
  kernel_getattr_message_if(smbd_t)
-@@ -315,42 +328,34 @@ kernel_read_kernel_sysctls(smbd_t)
+@@ -321,42 +328,34 @@ kernel_read_kernel_sysctls(smbd_t)
  kernel_read_software_raid_state(smbd_t)
  kernel_read_system_state(smbd_t)
  
@@ -86767,7 +90530,7 @@ index 57c034b..8736764 100644
  
  fs_getattr_all_fs(smbd_t)
  fs_getattr_all_dirs(smbd_t)
-@@ -360,44 +365,55 @@ fs_getattr_rpc_dirs(smbd_t)
+@@ -366,44 +365,55 @@ fs_getattr_rpc_dirs(smbd_t)
  fs_list_inotifyfs(smbd_t)
  fs_get_all_fs_quotas(smbd_t)
  
@@ -86834,7 +90597,7 @@ index 57c034b..8736764 100644
  ')
  
  tunable_policy(`samba_domain_controller',`
-@@ -413,20 +429,10 @@ tunable_policy(`samba_domain_controller',`
+@@ -419,20 +429,10 @@ tunable_policy(`samba_domain_controller',`
  ')
  
  tunable_policy(`samba_enable_home_dirs',`
@@ -86857,7 +90620,7 @@ index 57c034b..8736764 100644
  tunable_policy(`samba_share_nfs',`
  	fs_manage_nfs_dirs(smbd_t)
  	fs_manage_nfs_files(smbd_t)
-@@ -435,6 +441,7 @@ tunable_policy(`samba_share_nfs',`
+@@ -441,6 +441,7 @@ tunable_policy(`samba_share_nfs',`
  	fs_manage_nfs_named_sockets(smbd_t)
  ')
  
@@ -86865,7 +90628,7 @@ index 57c034b..8736764 100644
  tunable_policy(`samba_share_fusefs',`
  	fs_manage_fusefs_dirs(smbd_t)
  	fs_manage_fusefs_files(smbd_t)
-@@ -442,17 +449,6 @@ tunable_policy(`samba_share_fusefs',`
+@@ -448,17 +449,6 @@ tunable_policy(`samba_share_fusefs',`
  	fs_search_fusefs(smbd_t)
  ')
  
@@ -86883,7 +90646,7 @@ index 57c034b..8736764 100644
  optional_policy(`
  	ccs_read_config(smbd_t)
  ')
-@@ -460,6 +456,7 @@ optional_policy(`
+@@ -466,6 +456,7 @@ optional_policy(`
  optional_policy(`
  	ctdbd_stream_connect(smbd_t)
  	ctdbd_manage_lib_files(smbd_t)
@@ -86891,19 +90654,22 @@ index 57c034b..8736764 100644
  ')
  
  optional_policy(`
-@@ -473,6 +470,11 @@ optional_policy(`
+@@ -474,8 +465,13 @@ optional_policy(`
  ')
  
  optional_policy(`
-+	ldap_stream_connect(smbd_t)
-+	dirsrv_stream_connect(smbd_t)
+-	kerberos_read_keytab(smbd_t)
+ 	kerberos_use(smbd_t)
++	kerberos_keytab_template(smbd, smbd_t)
 +')
 +
 +optional_policy(`
- 	lpd_exec_lpr(smbd_t)
++	ldap_stream_connect(smbd_t)
++	dirsrv_stream_connect(smbd_t)
  ')
  
-@@ -482,6 +484,10 @@ optional_policy(`
+ optional_policy(`
+@@ -488,6 +484,10 @@ optional_policy(`
  ')
  
  optional_policy(`
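Review bot: In the Kerberos optional_policy block, `kerberos_read_keytab(smbd_t)` is replaced by `kerberos_keytab_template(smbd, smbd_t)`, and an earlier hunk for the same file removes `allow smbd_t smbd_keytab_t:file read_file_perms;`, but nothing visible here shows that the template gives smbd_t read access to its keytab. Please confirm the template in this branch covers both removed rules. The keytab rework is also missing from the changelog entry, which lists only the networkmanager, resolv.conf, dnssec-trigger, mongodb and files_search_all_pids changes.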
@@ -86914,7 +90680,7 @@ index 57c034b..8736764 100644
  	rpc_search_nfs_state_data(smbd_t)
  ')
  
-@@ -493,9 +499,36 @@ optional_policy(`
+@@ -499,9 +499,36 @@ optional_policy(`
  	udev_read_db(smbd_t)
  ')
  
@@ -86952,7 +90718,7 @@ index 57c034b..8736764 100644
  #
  
  dontaudit nmbd_t self:capability sys_tty_config;
-@@ -506,9 +539,11 @@ allow nmbd_t self:msg { send receive };
+@@ -512,9 +539,11 @@ allow nmbd_t self:msg { send receive };
  allow nmbd_t self:msgq create_msgq_perms;
  allow nmbd_t self:sem create_sem_perms;
  allow nmbd_t self:shm create_shm_perms;
@@ -86967,7 +90733,7 @@ index 57c034b..8736764 100644
  
  manage_dirs_pattern(nmbd_t, { smbd_var_run_t nmbd_var_run_t }, nmbd_var_run_t)
  manage_files_pattern(nmbd_t, nmbd_var_run_t, nmbd_var_run_t)
-@@ -520,20 +555,15 @@ read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
+@@ -526,20 +555,15 @@ read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
  read_lnk_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
  
  manage_dirs_pattern(nmbd_t, samba_log_t, samba_log_t)
@@ -86991,7 +90757,7 @@ index 57c034b..8736764 100644
  
  kernel_getattr_core_if(nmbd_t)
  kernel_getattr_message_if(nmbd_t)
-@@ -542,52 +572,42 @@ kernel_read_network_state(nmbd_t)
+@@ -548,52 +572,42 @@ kernel_read_network_state(nmbd_t)
  kernel_read_software_raid_state(nmbd_t)
  kernel_read_system_state(nmbd_t)
  
@@ -87040,14 +90806,14 @@ index 57c034b..8736764 100644
 -
  userdom_use_unpriv_users_fds(nmbd_t)
 -userdom_user_home_dir_filetrans_user_home_content(nmbd_t, { file dir })
--
++userdom_dontaudit_search_user_home_dirs(nmbd_t)
+ 
 -tunable_policy(`samba_export_all_ro',`
 -	fs_read_noxattr_fs_files(nmbd_t)
 -	files_list_non_auth_dirs(nmbd_t)
 -	files_read_non_auth_files(nmbd_t)
 -')
-+userdom_dontaudit_search_user_home_dirs(nmbd_t)
- 
+-
 -tunable_policy(`samba_export_all_rw',`
 -	fs_read_noxattr_fs_files(nmbd_t)
 -	files_manage_non_auth_files(nmbd_t)
@@ -87058,7 +90824,7 @@ index 57c034b..8736764 100644
  ')
  
  optional_policy(`
-@@ -600,19 +620,26 @@ optional_policy(`
+@@ -606,20 +620,26 @@ optional_policy(`
  
  ########################################
  #
@@ -87078,19 +90844,19 @@ index 57c034b..8736764 100644
 -read_files_pattern(smbcontrol_t, { nmbd_var_run_t smbd_var_run_t }, { nmbd_var_run_t smbd_var_run_t })
 +allow smbcontrol_t nmbd_t:process { signal signull };
 +read_files_pattern(smbcontrol_t, nmbd_var_run_t, nmbd_var_run_t)
-+
+ 
+-manage_files_pattern(smbcontrol_t, samba_var_t, samba_var_t)
 +allow smbcontrol_t smbd_t:process { signal signull };
 +read_files_pattern(smbcontrol_t, smbd_var_run_t, smbd_var_run_t)
 +allow smbcontrol_t winbind_t:process { signal signull };
  
 +files_search_var_lib(smbcontrol_t)
  samba_read_config(smbcontrol_t)
--samba_rw_var_files(smbcontrol_t)
 +manage_files_pattern(smbcontrol_t, samba_var_t, samba_var_t)
  samba_search_var(smbcontrol_t)
  samba_read_winbind_pid(smbcontrol_t)
  
-@@ -620,16 +647,12 @@ domain_use_interactive_fds(smbcontrol_t)
+@@ -627,16 +647,12 @@ domain_use_interactive_fds(smbcontrol_t)
  
  dev_read_urand(smbcontrol_t)
  
@@ -87108,7 +90874,7 @@ index 57c034b..8736764 100644
  
  optional_policy(`
  	ctdbd_stream_connect(smbcontrol_t)
-@@ -637,22 +660,23 @@ optional_policy(`
+@@ -644,22 +660,23 @@ optional_policy(`
  
  ########################################
  #
@@ -87140,7 +90906,7 @@ index 57c034b..8736764 100644
  
  allow smbmount_t samba_secrets_t:file manage_file_perms;
  
-@@ -661,26 +685,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t)
+@@ -668,26 +685,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t)
  manage_lnk_files_pattern(smbmount_t, samba_var_t, samba_var_t)
  files_var_filetrans(smbmount_t, samba_var_t, dir, "samba")
  
@@ -87176,7 +90942,7 @@ index 57c034b..8736764 100644
  
  fs_getattr_cifs(smbmount_t)
  fs_mount_cifs(smbmount_t)
-@@ -692,58 +712,77 @@ fs_read_cifs_files(smbmount_t)
+@@ -699,58 +712,77 @@ fs_read_cifs_files(smbmount_t)
  storage_raw_read_fixed_disk(smbmount_t)
  storage_raw_write_fixed_disk(smbmount_t)
  
@@ -87268,7 +91034,7 @@ index 57c034b..8736764 100644
  
  manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t)
  manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t)
-@@ -752,17 +791,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir })
+@@ -759,17 +791,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir })
  manage_files_pattern(swat_t, swat_var_run_t, swat_var_run_t)
  files_pid_filetrans(swat_t, swat_var_run_t, file)
  
@@ -87292,7 +91058,7 @@ index 57c034b..8736764 100644
  
  kernel_read_kernel_sysctls(swat_t)
  kernel_read_system_state(swat_t)
-@@ -770,36 +805,25 @@ kernel_read_network_state(swat_t)
+@@ -777,36 +805,25 @@ kernel_read_network_state(swat_t)
  
  corecmd_search_bin(swat_t)
  
@@ -87335,7 +91101,7 @@ index 57c034b..8736764 100644
  
  auth_domtrans_chk_passwd(swat_t)
  auth_use_nsswitch(swat_t)
-@@ -811,10 +835,11 @@ logging_send_syslog_msg(swat_t)
+@@ -818,10 +835,11 @@ logging_send_syslog_msg(swat_t)
  logging_send_audit_msgs(swat_t)
  logging_search_logs(swat_t)
  
@@ -87349,7 +91115,7 @@ index 57c034b..8736764 100644
  optional_policy(`
  	cups_read_rw_config(swat_t)
  	cups_stream_connect(swat_t)
-@@ -833,17 +858,20 @@ optional_policy(`
+@@ -840,17 +858,20 @@ optional_policy(`
  # Winbind local policy
  #
  
@@ -87375,7 +91141,7 @@ index 57c034b..8736764 100644
  
  allow winbind_t samba_etc_t:dir list_dir_perms;
  read_files_pattern(winbind_t, samba_etc_t, samba_etc_t)
-@@ -853,9 +881,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t)
+@@ -860,9 +881,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t)
  filetrans_pattern(winbind_t, samba_etc_t, samba_secrets_t, file)
  
  manage_dirs_pattern(winbind_t, samba_log_t, samba_log_t)
@@ -87386,7 +91152,7 @@ index 57c034b..8736764 100644
  manage_lnk_files_pattern(winbind_t, samba_log_t, samba_log_t)
  
  manage_dirs_pattern(winbind_t, samba_var_t, samba_var_t)
-@@ -866,23 +892,21 @@ files_var_filetrans(winbind_t, samba_var_t, dir, "samba")
+@@ -873,23 +892,21 @@ files_var_filetrans(winbind_t, samba_var_t, dir, "samba")
  
  rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t)
  
@@ -87416,7 +91182,7 @@ index 57c034b..8736764 100644
  manage_sock_files_pattern(winbind_t, smbd_var_run_t, smbd_var_run_t)
  
  kernel_read_network_state(winbind_t)
-@@ -891,13 +915,17 @@ kernel_read_system_state(winbind_t)
+@@ -898,13 +915,17 @@ kernel_read_system_state(winbind_t)
  
  corecmd_exec_bin(winbind_t)
  
@@ -87437,7 +91203,7 @@ index 57c034b..8736764 100644
  corenet_tcp_connect_smbd_port(winbind_t)
  corenet_tcp_connect_epmap_port(winbind_t)
  corenet_tcp_connect_all_unreserved_ports(winbind_t)
-@@ -905,10 +933,6 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t)
+@@ -912,10 +933,6 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t)
  dev_read_sysfs(winbind_t)
  dev_read_urand(winbind_t)
  
@@ -87448,7 +91214,7 @@ index 57c034b..8736764 100644
  
  fs_getattr_all_fs(winbind_t)
  fs_search_auto_mountpoints(winbind_t)
-@@ -917,26 +941,43 @@ auth_domtrans_chk_passwd(winbind_t)
+@@ -924,26 +941,43 @@ auth_domtrans_chk_passwd(winbind_t)
  auth_use_nsswitch(winbind_t)
  auth_manage_cache(winbind_t)
  
@@ -87494,7 +91260,7 @@ index 57c034b..8736764 100644
  ')
  
  optional_policy(`
-@@ -952,31 +993,29 @@ optional_policy(`
+@@ -959,31 +993,29 @@ optional_policy(`
  # Winbind helper local policy
  #
  
@@ -87532,7 +91298,7 @@ index 57c034b..8736764 100644
  
  optional_policy(`
  	apache_append_log(winbind_helper_t)
-@@ -990,25 +1029,38 @@ optional_policy(`
+@@ -997,25 +1029,38 @@ optional_policy(`
  
  ########################################
  #
@@ -87585,9 +91351,15 @@ index 57c034b..8736764 100644
 +	can_exec(smbd_t, samba_unconfined_script_exec_t)
  ')
 diff --git a/sambagui.te b/sambagui.te
-index d9f8784..9c40dbd 100644
+index e18b0a2..9c40dbd 100644
 --- a/sambagui.te
 +++ b/sambagui.te
+@@ -1,4 +1,4 @@
+-policy_module(sambagui, 1.2.0)
++policy_module(sambagui, 1.1.2)
+ 
+ ########################################
+ #
 @@ -28,14 +28,14 @@ corecmd_exec_shell(sambagui_t)
  
  dev_dontaudit_read_urand(sambagui_t)
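Review bot: The new first hunk for sambagui.te moves the module version backwards, from `policy_module(sambagui, 1.2.0)` to `policy_module(sambagui, 1.1.2)`, now that the base blob has changed from d9f8784 to e18b0a2. If the rebased base already carries 1.2.0, drop this hunk from the patch instead of reverting the version, so the module version does not regress against the base. The samhain.te hunk that follows does the same with 1.2.0 and 1.1.1.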
@@ -87628,9 +91400,15 @@ index f0236d6..78a792a 100644
  
  ########################################
 diff --git a/samhain.te b/samhain.te
-index 931312b..bd9a4c7 100644
+index c41ce4b..bd9a4c7 100644
 --- a/samhain.te
 +++ b/samhain.te
+@@ -1,4 +1,4 @@
+-policy_module(samhain, 1.2.0)
++policy_module(samhain, 1.1.1)
+ 
+ ########################################
+ #
 @@ -88,8 +88,6 @@ auth_read_login_records(samhain_domain)
  
  init_read_utmp(samhain_domain)
@@ -88888,16 +92666,16 @@ index cd6c213..34b861a 100644
 +	allow $1 sanlock_unit_file_t:service all_service_perms;
  ')
 diff --git a/sanlock.te b/sanlock.te
-index a34eac4..e19c914 100644
+index 0045465..e19c914 100644
 --- a/sanlock.te
 +++ b/sanlock.te
 @@ -1,4 +1,4 @@
--policy_module(sanlock, 1.0.2)
+-policy_module(sanlock, 1.1.0)
 +policy_module(sanlock,1.0.0)
  
  ########################################
  #
-@@ -6,21 +6,26 @@ policy_module(sanlock, 1.0.2)
+@@ -6,21 +6,26 @@ policy_module(sanlock, 1.1.0)
  #
  
  ## <desc>
@@ -89056,7 +92834,7 @@ index 54f41c2..7e58679 100644
 +/var/lib/sasl2(/.*)?		gen_context(system_u:object_r:saslauthd_var_run_t,s0)
  /var/run/saslauthd(/.*)?	gen_context(system_u:object_r:saslauthd_var_run_t,s0)
 diff --git a/sasl.if b/sasl.if
-index b2f388a..3e6a93f 100644
+index 8c3c151..3e6a93f 100644
 --- a/sasl.if
 +++ b/sasl.if
 @@ -1,4 +1,4 @@
@@ -89076,11 +92854,12 @@ index b2f388a..3e6a93f 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -38,11 +38,15 @@ interface(`sasl_connect',`
+@@ -38,21 +38,21 @@ interface(`sasl_connect',`
  #
  interface(`sasl_admin',`
  	gen_require(`
 -		type saslauthd_t, saslauthd_var_run_t, saslauthd_initrc_exec_t;
+-		type saslauthd_keytab_t;
 +		type saslauthd_t, saslauthd_var_run_t;
 +		type saslauthd_initrc_exec_t;
  	')
@@ -89094,17 +92873,26 @@ index b2f388a..3e6a93f 100644
  
  	init_labeled_script_domtrans($1, saslauthd_initrc_exec_t)
  	domain_system_change_exemption($1)
+ 	role_transition $2 saslauthd_initrc_exec_t system_r;
+ 	allow $2 system_r;
+ 
+-	files_list_etc($1)
+-	admin_pattern($1, saslauthd_keytab_t)
+-
+ 	files_list_pids($1)
+ 	admin_pattern($1, saslauthd_var_run_t)
+ ')
 diff --git a/sasl.te b/sasl.te
-index a63b875..1c9e41b 100644
+index 6c3bc20..1c9e41b 100644
 --- a/sasl.te
 +++ b/sasl.te
 @@ -1,4 +1,4 @@
--policy_module(sasl, 1.14.3)
+-policy_module(sasl, 1.15.1)
 +policy_module(sasl, 1.14.0)
  
  ########################################
  #
-@@ -6,12 +6,11 @@ policy_module(sasl, 1.14.3)
+@@ -6,12 +6,11 @@ policy_module(sasl, 1.15.1)
  #
  
  ## <desc>
@@ -89121,18 +92909,30 @@ index a63b875..1c9e41b 100644
  
  type saslauthd_t;
  type saslauthd_exec_t;
-@@ -32,7 +31,9 @@ allow saslauthd_t self:capability { setgid setuid sys_nice };
+@@ -20,9 +19,6 @@ init_daemon_domain(saslauthd_t, saslauthd_exec_t)
+ type saslauthd_initrc_exec_t;
+ init_script_file(saslauthd_initrc_exec_t)
+ 
+-type saslauthd_keytab_t;
+-files_type(saslauthd_keytab_t)
+-
+ type saslauthd_var_run_t;
+ files_pid_file(saslauthd_var_run_t)
+ 
+@@ -35,9 +31,9 @@ allow saslauthd_t self:capability { setgid setuid sys_nice };
  dontaudit saslauthd_t self:capability sys_tty_config;
  allow saslauthd_t self:process { setsched signal_perms };
  allow saslauthd_t self:fifo_file rw_fifo_file_perms;
 -allow saslauthd_t self:unix_stream_socket { accept listen };
+-
+-allow saslauthd_t saslauthd_keytab_t:file read_file_perms;
 +allow saslauthd_t self:unix_dgram_socket create_socket_perms;
 +allow saslauthd_t self:unix_stream_socket create_stream_socket_perms;
 +allow saslauthd_t self:tcp_socket create_socket_perms;
  
  manage_dirs_pattern(saslauthd_t, saslauthd_var_run_t, saslauthd_var_run_t)
  manage_files_pattern(saslauthd_t, saslauthd_var_run_t, saslauthd_var_run_t)
-@@ -43,29 +44,20 @@ kernel_read_kernel_sysctls(saslauthd_t)
+@@ -48,29 +44,20 @@ kernel_read_kernel_sysctls(saslauthd_t)
  kernel_read_system_state(saslauthd_t)
  kernel_rw_afs_state(saslauthd_t)
  
@@ -89168,7 +92968,7 @@ index a63b875..1c9e41b 100644
  fs_getattr_all_fs(saslauthd_t)
  fs_search_auto_mountpoints(saslauthd_t)
  
-@@ -73,33 +65,37 @@ selinux_compute_access_vector(saslauthd_t)
+@@ -78,34 +65,37 @@ selinux_compute_access_vector(saslauthd_t)
  
  auth_use_pam(saslauthd_t)
  
@@ -89200,10 +93000,12 @@ index a63b875..1c9e41b 100644
  ')
  
  optional_policy(`
-+	kerberos_tmp_filetrans_host_rcache(saslauthd_t, "host_0")
- 	kerberos_keytab_template(saslauthd, saslauthd_t)
+-	kerberos_read_keytab(saslauthd_t)
 -	kerberos_manage_host_rcache(saslauthd_t)
 -	kerberos_tmp_filetrans_host_rcache(saslauthd_t, file, "host_0")
+-	kerberos_use(saslauthd_t)
++	kerberos_tmp_filetrans_host_rcache(saslauthd_t, "host_0")
++	kerberos_keytab_template(saslauthd, saslauthd_t)
  ')
  
  optional_policy(`
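Review bot: In the saslauthd Kerberos optional_policy block, `kerberos_use(saslauthd_t)` and `kerberos_manage_host_rcache(saslauthd_t)` are removed with no visible replacement, while the smbd block in this same patch keeps `kerberos_use(smbd_t)` next to its new template call. Either keep `kerberos_use(saslauthd_t)` or state why `kerberos_keytab_template(saslauthd, saslauthd_t)` makes it unnecessary. The added `kerberos_tmp_filetrans_host_rcache(saslauthd_t, "host_0")` also omits the `file` argument that the removed call passed, so check it against the interface signature in this branch.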
@@ -89423,10 +93225,16 @@ index 98c9e0a..562666e 100644
  	files_search_pids($1)
  	admin_pattern($1, sblim_var_run_t)
 diff --git a/sblim.te b/sblim.te
-index 4a23d84..21c15bb 100644
+index 299756b..21c15bb 100644
 --- a/sblim.te
 +++ b/sblim.te
-@@ -7,13 +7,11 @@ policy_module(sblim, 1.0.3)
+@@ -1,4 +1,4 @@
+-policy_module(sblim, 1.1.0)
++policy_module(sblim, 1.0.3)
+ 
+ ########################################
+ #
+@@ -7,13 +7,11 @@ policy_module(sblim, 1.1.0)
  
  attribute sblim_domain;
  
@@ -89575,12 +93383,13 @@ index 4a23d84..21c15bb 100644
 +    rpm_dontaudit_manage_db(sblim_sfcbd_t)
 +')
 diff --git a/screen.fc b/screen.fc
-index ac04d27..b73334e 100644
+index e7c2cf7..b73334e 100644
 --- a/screen.fc
 +++ b/screen.fc
-@@ -1,8 +1,19 @@
+@@ -1,9 +1,19 @@
 -HOME_DIR/\.screen(/.*)?	gen_context(system_u:object_r:screen_home_t,s0)
 -HOME_DIR/\.screenrc	--	gen_context(system_u:object_r:screen_home_t,s0)
+-HOME_DIR/\.tmux\.conf	--	gen_context(system_u:object_r:screen_home_t,s0)
 +#
 +# /home
 +#
@@ -89605,7 +93414,7 @@ index ac04d27..b73334e 100644
 +/var/run/screen(/.*)?			gen_context(system_u:object_r:screen_var_run_t,s0)
 +/var/run/tmux(/.*)?			gen_context(system_u:object_r:screen_var_run_t,s0)
 diff --git a/screen.if b/screen.if
-index c21ddcc..4dd623e 100644
+index be5cce2..4dd623e 100644
 --- a/screen.if
 +++ b/screen.if
 @@ -1,4 +1,4 @@
@@ -89626,7 +93435,7 @@ index c21ddcc..4dd623e 100644
  	')
  
  	########################################
-@@ -35,49 +34,48 @@ template(`screen_role_template',`
+@@ -35,50 +34,48 @@ template(`screen_role_template',`
  	#
  
  	type $1_screen_t, screen_domain;
@@ -89670,6 +93479,7 @@ index c21ddcc..4dd623e 100644
 -
 -	userdom_user_home_dir_filetrans($3, screen_home_t, dir, ".screen")
 -	userdom_user_home_dir_filetrans($3, screen_home_t, file, ".screenrc")
+-	userdom_user_home_dir_filetrans($3, screen_home_t, file, ".tmux.conf")
 +	manage_fifo_files_pattern($3, screen_home_t, screen_home_t)
 +	manage_dirs_pattern($3, screen_home_t, screen_home_t)
 +	manage_files_pattern($3, screen_home_t, screen_home_t)
@@ -89700,7 +93510,7 @@ index c21ddcc..4dd623e 100644
  
  	tunable_policy(`use_samba_home_dirs',`
  		fs_cifs_domtrans($1_screen_t, $3)
-@@ -87,3 +85,41 @@ template(`screen_role_template',`
+@@ -88,3 +85,41 @@ template(`screen_role_template',`
  		fs_nfs_domtrans($1_screen_t, $3)
  	')
  ')
@@ -89743,11 +93553,11 @@ index c21ddcc..4dd623e 100644
 +')
 +
 diff --git a/screen.te b/screen.te
-index f095081..ee69aa7 100644
+index 5466a73..ee69aa7 100644
 --- a/screen.te
 +++ b/screen.te
 @@ -1,13 +1,11 @@
--policy_module(screen, 2.5.3)
+-policy_module(screen, 2.6.0)
 +policy_module(screen, 2.5.0)
  
  ########################################
@@ -89774,7 +93584,7 @@ index f095081..ee69aa7 100644
  type screen_var_run_t;
  typealias screen_var_run_t alias { user_screen_var_run_t staff_screen_var_run_t sysadm_screen_var_run_t };
  typealias screen_var_run_t alias { auditadm_screen_var_run_t secadm_screen_var_run_t screen_dir_t };
-@@ -30,33 +23,35 @@ ubac_constrained(screen_var_run_t)
+@@ -30,34 +23,35 @@ ubac_constrained(screen_var_run_t)
  
  ########################################
  #
@@ -89789,12 +93599,13 @@ index f095081..ee69aa7 100644
 -allow screen_domain self:fd use;
  allow screen_domain self:fifo_file rw_fifo_file_perms;
 -allow screen_domain self:tcp_socket { accept listen };
--allow screen_domain self:unix_stream_socket connectto;
+-allow screen_domain self:unix_stream_socket { accept connectto listen };
 -
 -manage_dirs_pattern(screen_domain, screen_tmp_t, screen_tmp_t)
 -manage_files_pattern(screen_domain, screen_tmp_t, screen_tmp_t)
 -manage_fifo_files_pattern(screen_domain, screen_tmp_t, screen_tmp_t)
 -files_tmp_filetrans(screen_domain, screen_tmp_t, { file dir })
+-filetrans_pattern(screen_domain, screen_tmp_t, screen_var_run_t, sock_file)
 +allow screen_domain self:tcp_socket create_stream_socket_perms;
 +allow screen_domain self:udp_socket create_socket_perms;
 +# Internal screen networking
@@ -89823,7 +93634,7 @@ index f095081..ee69aa7 100644
  kernel_read_kernel_sysctls(screen_domain)
  
  corecmd_list_bin(screen_domain)
-@@ -65,55 +60,39 @@ corecmd_read_bin_symlinks(screen_domain)
+@@ -66,55 +60,39 @@ corecmd_read_bin_symlinks(screen_domain)
  corecmd_read_bin_pipes(screen_domain)
  corecmd_read_bin_sockets(screen_domain)
  
@@ -89931,16 +93742,16 @@ index c78a569..9007451 100644
 -	allow sectoolm_t $2:unix_dgram_socket sendto;
 -')
 diff --git a/sectoolm.te b/sectoolm.te
-index 8193bf1..b6a0bbd 100644
+index 4bc8c13..b6a0bbd 100644
 --- a/sectoolm.te
 +++ b/sectoolm.te
 @@ -1,4 +1,4 @@
--policy_module(sectoolm, 1.0.1)
+-policy_module(sectoolm, 1.1.0)
 +policy_module(sectoolm, 1.0.0)
  
  ########################################
  #
-@@ -7,7 +7,7 @@ policy_module(sectoolm, 1.0.1)
+@@ -7,7 +7,7 @@ policy_module(sectoolm, 1.1.0)
  
  type sectoolm_t;
  type sectoolm_exec_t;
@@ -90048,7 +93859,7 @@ index d14b6bf..da5d41d 100644
 +/var/run/sendmail\.pid		--	gen_context(system_u:object_r:sendmail_var_run_t,s0)
 +/var/run/sm-client\.pid		--	gen_context(system_u:object_r:sendmail_var_run_t,s0)
 diff --git a/sendmail.if b/sendmail.if
-index 88e753f..133d993 100644
+index 35ad2a7..133d993 100644
 --- a/sendmail.if
 +++ b/sendmail.if
 @@ -1,4 +1,4 @@
@@ -90235,9 +94046,10 @@ index 88e753f..133d993 100644
  ########################################
  ## <summary>
 -##	Execute sendmail in the unconfined sendmail domain.
--## </summary>
--## <param name="domain">
--##	<summary>
++##	Set the attributes of sendmail pid files.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
 -##	Domain allowed to transition.
 -##	</summary>
 -## </param>
@@ -90260,10 +94072,9 @@ index 88e753f..133d993 100644
 -##	sendmail domain, and allow the
 -##	specified role the unconfined
 -##	sendmail domain.
-+##	Set the attributes of sendmail pid files.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
+-## </summary>
+-## <param name="domain">
+-##	<summary>
 -##	Domain allowed to transition.
 -##	</summary>
 -## </param>
@@ -90297,11 +94108,12 @@ index 88e753f..133d993 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -353,13 +304,17 @@ interface(`sendmail_run_unconfined',`
+@@ -353,20 +304,20 @@ interface(`sendmail_run_unconfined',`
  interface(`sendmail_admin',`
  	gen_require(`
  		type sendmail_t, sendmail_initrc_exec_t, sendmail_log_t;
 -		type sendmail_tmp_t, sendmail_var_run_t, unconfined_sendmail_t;
+-		type sendmail_keytab_t;
 +		type sendmail_tmp_t, sendmail_var_run_t;
 +		type mail_spool_t;
  	')
@@ -90319,7 +94131,13 @@ index 88e753f..133d993 100644
  	domain_system_change_exemption($1)
  	role_transition $2 sendmail_initrc_exec_t system_r;
  
-@@ -372,6 +327,6 @@ interface(`sendmail_admin',`
+-	files_list_etc($1)
+-	admin_pattern($1, sendmail_keytab_t)
+-
+ 	logging_list_logs($1)
+ 	admin_pattern($1, sendmail_log_t)
+ 
+@@ -376,6 +327,6 @@ interface(`sendmail_admin',`
  	files_list_pids($1)
  	admin_pattern($1, sendmail_var_run_t)
  
@@ -90329,11 +94147,11 @@ index 88e753f..133d993 100644
 +	admin_pattern($1, mail_spool_t)
  ')
 diff --git a/sendmail.te b/sendmail.te
-index 5f35d78..65aed74 100644
+index 12700b4..65aed74 100644
 --- a/sendmail.te
 +++ b/sendmail.te
-@@ -1,18 +1,10 @@
--policy_module(sendmail, 1.11.5)
+@@ -1,21 +1,10 @@
+-policy_module(sendmail, 1.12.1)
 +policy_module(sendmail, 1.11.0)
  
  ########################################
@@ -90349,10 +94167,13 @@ index 5f35d78..65aed74 100644
 -type sendmail_initrc_exec_t;
 -init_script_file(sendmail_initrc_exec_t)
 -
+-type sendmail_keytab_t;
+-files_type(sendmail_keytab_t)
+-
  type sendmail_log_t;
  logging_log_file(sendmail_log_t)
  
-@@ -26,27 +18,27 @@ type sendmail_t;
+@@ -29,29 +18,27 @@ type sendmail_t;
  mta_sendmail_mailserver(sendmail_t)
  mta_mailserver_delivery(sendmail_t)
  mta_mailserver_sender(sendmail_t)
@@ -90378,6 +94199,8 @@ index 5f35d78..65aed74 100644
  allow sendmail_t self:fifo_file rw_fifo_file_perms;
 -allow sendmail_t self:unix_stream_socket { accept listen };
 -allow sendmail_t self:tcp_socket { accept listen };
+-
+-allow sendmail_t sendmail_keytab_t:file read_file_perms;
 +allow sendmail_t self:unix_stream_socket create_stream_socket_perms;
 +allow sendmail_t self:unix_dgram_socket create_socket_perms;
 +allow sendmail_t self:tcp_socket create_stream_socket_perms;
@@ -90392,7 +94215,7 @@ index 5f35d78..65aed74 100644
  logging_log_filetrans(sendmail_t, sendmail_log_t, { file dir })
  
  manage_dirs_pattern(sendmail_t, sendmail_tmp_t, sendmail_tmp_t)
-@@ -58,33 +50,21 @@ files_pid_filetrans(sendmail_t, sendmail_var_run_t, file)
+@@ -63,33 +50,21 @@ files_pid_filetrans(sendmail_t, sendmail_var_run_t, file)
  
  kernel_read_network_state(sendmail_t)
  kernel_read_kernel_sysctls(sendmail_t)
@@ -90430,7 +94253,7 @@ index 5f35d78..65aed74 100644
  
  fs_getattr_all_fs(sendmail_t)
  fs_search_auto_mountpoints(sendmail_t)
-@@ -93,35 +73,49 @@ fs_rw_anon_inodefs_files(sendmail_t)
+@@ -98,35 +73,49 @@ fs_rw_anon_inodefs_files(sendmail_t)
  term_dontaudit_use_console(sendmail_t)
  term_dontaudit_use_generic_ptys(sendmail_t)
  
@@ -90486,7 +94309,7 @@ index 5f35d78..65aed74 100644
  ')
  
  optional_policy(`
-@@ -129,8 +123,8 @@ optional_policy(`
+@@ -134,8 +123,8 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -90497,15 +94320,21 @@ index 5f35d78..65aed74 100644
  ')
  
  optional_policy(`
-@@ -158,14 +152,27 @@ optional_policy(`
+@@ -159,8 +148,11 @@ optional_policy(`
  ')
  
  optional_policy(`
-+	inn_write_inherited_news_lib(sendmail_t)
+-	kerberos_read_keytab(sendmail_t)
+-	kerberos_use(sendmail_t)
++	kerberos_keytab_template(sendmail, sendmail_t)
 +')
 +
 +optional_policy(`
- 	milter_stream_connect_all(sendmail_t)
++	inn_write_inherited_news_lib(sendmail_t)
+ ')
+ 
+ optional_policy(`
+@@ -168,10 +160,19 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -90525,7 +94354,7 @@ index 5f35d78..65aed74 100644
  	postfix_domtrans_postdrop(sendmail_t)
  	postfix_domtrans_master(sendmail_t)
  	postfix_domtrans_postqueue(sendmail_t)
-@@ -187,21 +194,13 @@ optional_policy(`
+@@ -193,21 +194,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -90828,16 +94657,16 @@ index 3a9a70b..903109c 100644
  	logging_list_logs($1)
  	admin_pattern($1, setroubleshoot_var_log_t)
 diff --git a/setroubleshoot.te b/setroubleshoot.te
-index 49b12ae..0f1e101 100644
+index ce67935..0f1e101 100644
 --- a/setroubleshoot.te
 +++ b/setroubleshoot.te
 @@ -1,4 +1,4 @@
--policy_module(setroubleshoot, 1.11.2)
+-policy_module(setroubleshoot, 1.12.1)
 +policy_module(setroubleshoot, 1.11.0)
  
  ########################################
  #
-@@ -7,43 +7,52 @@ policy_module(setroubleshoot, 1.11.2)
+@@ -7,43 +7,52 @@ policy_module(setroubleshoot, 1.12.1)
  
  type setroubleshootd_t alias setroubleshoot_t;
  type setroubleshootd_exec_t;
@@ -90938,15 +94767,7 @@ index 49b12ae..0f1e101 100644
  files_list_all(setroubleshootd_t)
  files_getattr_all_files(setroubleshootd_t)
  files_getattr_all_pipes(setroubleshootd_t)
-@@ -101,33 +109,32 @@ selinux_read_policy(setroubleshootd_t)
- term_dontaudit_use_all_ptys(setroubleshootd_t)
- term_dontaudit_use_all_ttys(setroubleshootd_t)
- 
-+mls_dbus_recv_all_levels(setroubleshootd_t)
-+
- auth_use_nsswitch(setroubleshootd_t)
- 
- init_read_utmp(setroubleshootd_t)
+@@ -109,27 +117,24 @@ init_read_utmp(setroubleshootd_t)
  init_dontaudit_write_utmp(setroubleshootd_t)
  
  libs_exec_ld_so(setroubleshootd_t)
@@ -90979,7 +94800,7 @@ index 49b12ae..0f1e101 100644
  ')
  
  optional_policy(`
-@@ -135,10 +142,18 @@ optional_policy(`
+@@ -137,10 +142,18 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -90998,7 +94819,7 @@ index 49b12ae..0f1e101 100644
  	rpm_exec(setroubleshootd_t)
  	rpm_signull(setroubleshootd_t)
  	rpm_read_db(setroubleshootd_t)
-@@ -148,26 +163,36 @@ optional_policy(`
+@@ -150,26 +163,36 @@ optional_policy(`
  
  ########################################
  #
@@ -91037,7 +94858,7 @@ index 49b12ae..0f1e101 100644
  files_list_tmp(setroubleshoot_fixit_t)
  
  auth_use_nsswitch(setroubleshoot_fixit_t)
-@@ -175,23 +200,26 @@ auth_use_nsswitch(setroubleshoot_fixit_t)
+@@ -177,23 +200,26 @@ auth_use_nsswitch(setroubleshoot_fixit_t)
  logging_send_audit_msgs(setroubleshoot_fixit_t)
  logging_send_syslog_msg(setroubleshoot_fixit_t)
  
@@ -91498,9 +95319,15 @@ index 1aeef8a..d5ce40a 100644
  	admin_pattern($1, shorewall_etc_t)
  
 diff --git a/shorewall.te b/shorewall.te
-index ca03de6..e0ebb61 100644
+index 7710b9f..e0ebb61 100644
 --- a/shorewall.te
 +++ b/shorewall.te
+@@ -1,4 +1,4 @@
+-policy_module(shorewall, 1.4.0)
++policy_module(shorewall, 1.3.5)
+ 
+ ########################################
+ #
 @@ -34,6 +34,7 @@ logging_log_file(shorewall_log_t)
  
  allow shorewall_t self:capability { dac_override net_admin net_raw setuid setgid sys_nice sys_admin };
@@ -91720,9 +95547,15 @@ index d1706bf..87ab4a7 100644
  ## <param name="domain">
  ##	<summary>
 diff --git a/shutdown.te b/shutdown.te
-index 7880d1f..8804935 100644
+index e2544e1..8804935 100644
 --- a/shutdown.te
 +++ b/shutdown.te
+@@ -1,4 +1,4 @@
+-policy_module(shutdown, 1.2.0)
++policy_module(shutdown, 1.1.2)
+ 
+ ########################################
+ #
 @@ -44,7 +44,7 @@ files_read_generic_pids(shutdown_t)
  
  mls_file_write_to_clearance(shutdown_t)
@@ -91759,20 +95592,56 @@ index 7880d1f..8804935 100644
  	xserver_dontaudit_write_log(shutdown_t)
 +	xserver_xdm_append_log(shutdown_t)
  ')
+diff --git a/slocate.fc b/slocate.fc
+index 5844628..6eede98 100644
+--- a/slocate.fc
++++ b/slocate.fc
+@@ -1,7 +1,3 @@
+-/etc/cron\.daily/[sm]locate	--	gen_context(system_u:object_r:locate_exec_t,s0)
+-
+-/usr/bin/updatedb.*	--	gen_context(system_u:object_r:locate_exec_t,s0)
++/usr/bin/updatedb	--	gen_context(system_u:object_r:locate_exec_t, s0)
+ 
+ /var/lib/[sm]locate(/.*)?	gen_context(system_u:object_r:locate_var_lib_t,s0)
+-
+-/var/run/mlocate\.daily\.lock	--	gen_context(system_u:object_r:locate_var_run_t,s0)
 diff --git a/slocate.te b/slocate.te
-index ba26427..f2745d2 100644
+index 7292dc0..f2745d2 100644
 --- a/slocate.te
 +++ b/slocate.te
-@@ -18,7 +18,7 @@ files_type(locate_var_lib_t)
+@@ -1,4 +1,4 @@
+-policy_module(slocate, 1.12.2)
++policy_module(slocate, 1.11.1)
+ 
+ #################################
+ #
+@@ -12,9 +12,6 @@ init_system_domain(locate_t, locate_exec_t)
+ type locate_var_lib_t;
+ files_type(locate_var_lib_t)
+ 
+-type locate_var_run_t;
+-files_pid_file(locate_var_run_t)
+-
+ ########################################
  #
+ # Local policy
+@@ -28,24 +25,22 @@ allow locate_t self:unix_stream_socket create_socket_perms;
+ manage_dirs_pattern(locate_t, locate_var_lib_t, locate_var_lib_t)
+ manage_files_pattern(locate_t, locate_var_lib_t, locate_var_lib_t)
+ 
+-allow locate_t locate_var_run_t:file manage_file_perms;
+-files_pid_filetrans(locate_t, locate_var_run_t, file, "mlocate.daily.lock")
+-
+-can_exec(locate_t, locate_exec_t)
+-
+ kernel_read_system_state(locate_t)
+ kernel_dontaudit_search_network_state(locate_t)
+ kernel_dontaudit_search_sysctl(locate_t)
  
- allow locate_t self:capability { chown dac_read_search dac_override fowner fsetid };
--allow locate_t self:process { execmem execheap execstack signal };
-+allow locate_t self:process { execmem execheap execstack signal setsched };
- allow locate_t self:fifo_file rw_fifo_file_perms;
- allow locate_t self:unix_stream_socket create_socket_perms;
+ corecmd_exec_bin(locate_t)
+-corecmd_exec_shell(locate_t)
  
-@@ -35,8 +35,12 @@ dev_getattr_all_blk_files(locate_t)
+ dev_getattr_all_blk_files(locate_t)
  dev_getattr_all_chr_files(locate_t)
  
  files_list_all(locate_t)
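Review bot: The slocate.fc part narrows `/usr/bin/updatedb.*` to `/usr/bin/updatedb` and drops the `/etc/cron\.daily/[sm]locate` entry, so anything matched only by the old patterns loses locate_exec_t, and the slocate.te part then removes `can_exec(locate_t, locate_exec_t)`, `corecmd_exec_shell(locate_t)` and the locate_var_run_t lock file type. Please confirm the daily updatedb job still transitions and runs under the resulting policy. The previous revision of this patch added `setsched` to `allow locate_t self:process`, and that addition is no longer in the regenerated hunk, so verify it has not been lost. Minor style point: `locate_exec_t, s0` has a space after the comma that the neighbouring gen_context lines do not.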
@@ -91785,7 +95654,7 @@ index ba26427..f2745d2 100644
  files_getattr_all_pipes(locate_t)
  files_getattr_all_sockets(locate_t)
  files_read_etc_runtime_files(locate_t)
-@@ -53,7 +57,6 @@ fs_read_noxattr_fs_symlinks(locate_t)
+@@ -62,7 +57,6 @@ fs_read_noxattr_fs_symlinks(locate_t)
  
  auth_use_nsswitch(locate_t)
  
@@ -91793,7 +95662,7 @@ index ba26427..f2745d2 100644
  
  ifdef(`enable_mls',`
  	files_dontaudit_getattr_all_dirs(locate_t)
-@@ -62,3 +65,8 @@ ifdef(`enable_mls',`
+@@ -71,3 +65,8 @@ ifdef(`enable_mls',`
  optional_policy(`
  	cron_system_entry(locate_t, locate_exec_t)
  ')
@@ -91871,9 +95740,15 @@ index ca32e89..98278dd 100644
 +
  ')
 diff --git a/slpd.te b/slpd.te
-index 66ac42a..5efa3fd 100644
+index 731512a..5efa3fd 100644
 --- a/slpd.te
 +++ b/slpd.te
+@@ -1,4 +1,4 @@
+-policy_module(slpd, 1.1.0)
++policy_module(slpd, 1.0.3)
+ 
+ ########################################
+ #
 @@ -23,7 +23,7 @@ files_pid_file(slpd_var_run_t)
  # Local policy
  #
@@ -91908,9 +95783,15 @@ index 66ac42a..5efa3fd 100644
 +
 +sysnet_dns_name_resolve(slpd_t)
 diff --git a/slrnpull.te b/slrnpull.te
-index 5437237..3dfc982 100644
+index 59eb07f..3dfc982 100644
 --- a/slrnpull.te
 +++ b/slrnpull.te
+@@ -1,4 +1,4 @@
+-policy_module(slrnpull, 1.5.0)
++policy_module(slrnpull, 1.4.1)
+ 
+ ########################################
+ #
 @@ -13,7 +13,7 @@ type slrnpull_var_run_t;
  files_pid_file(slrnpull_var_run_t)
  
@@ -91937,6 +95818,16 @@ index 5437237..3dfc982 100644
  userdom_dontaudit_use_unpriv_user_fds(slrnpull_t)
  userdom_dontaudit_search_user_home_dirs(slrnpull_t)
  
+diff --git a/smartmon.fc b/smartmon.fc
+index 36e908f..2c29fc5 100644
+--- a/smartmon.fc
++++ b/smartmon.fc
+@@ -1,4 +1,4 @@
+-/etc/rc\.d/init\.d/(smartd|smartmontools)	--	gen_context(system_u:object_r:fsdaemon_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/((smartd)|(smartmontools))	--	gen_context(system_u:object_r:fsdaemon_initrc_exec_t,s0)
+ 
+ /usr/sbin/smartd	--	gen_context(system_u:object_r:fsdaemon_exec_t,s0)
+ 
 diff --git a/smartmon.if b/smartmon.if
 index e0644b5..ea347cc 100644
 --- a/smartmon.if
@@ -91957,9 +95848,15 @@ index e0644b5..ea347cc 100644
  	domain_system_change_exemption($1)
  	role_transition $2 fsdaemon_initrc_exec_t system_r;
 diff --git a/smartmon.te b/smartmon.te
-index 9ade9c5..60d6c41 100644
+index 9cf6582..60d6c41 100644
 --- a/smartmon.te
 +++ b/smartmon.te
+@@ -1,4 +1,4 @@
+-policy_module(smartmon, 1.12.0)
++policy_module(smartmon, 1.11.3)
+ 
+ ########################################
+ #
 @@ -60,21 +60,27 @@ kernel_read_system_state(fsdaemon_t)
  
  corecmd_exec_all_executables(fsdaemon_t)
@@ -92046,9 +95943,15 @@ index 1fa51c1..82e111c 100644
  	smokeping_initrc_domtrans($1)
  	domain_system_change_exemption($1)
 diff --git a/smokeping.te b/smokeping.te
-index a8b1aaf..4689a59 100644
+index ec031a0..4689a59 100644
 --- a/smokeping.te
 +++ b/smokeping.te
+@@ -1,4 +1,4 @@
+-policy_module(smokeping, 1.2.0)
++policy_module(smokeping, 1.1.2)
+ 
+ ########################################
+ #
 @@ -24,6 +24,7 @@ files_type(smokeping_var_lib_t)
  #
  
@@ -92085,10 +95988,23 @@ index a8b1aaf..4689a59 100644
  	sysnet_dns_name_resolve(httpd_smokeping_cgi_script_t)
  
  	netutils_domtrans_ping(httpd_smokeping_cgi_script_t)
+diff --git a/smoltclient.fc b/smoltclient.fc
+index 1ff2958..27ddf8d 100644
+--- a/smoltclient.fc
++++ b/smoltclient.fc
+@@ -1 +1 @@
+-/usr/share/smolt/client/sendProfile\.py	--	gen_context(system_u:object_r:smoltclient_exec_t,s0)
++/usr/share/smolt/client/sendProfile.py	--	gen_context(system_u:object_r:smoltclient_exec_t,s0)
 diff --git a/smoltclient.te b/smoltclient.te
-index 9c8f9a5..d8d4623 100644
+index b3f2c6f..d8d4623 100644
 --- a/smoltclient.te
 +++ b/smoltclient.te
+@@ -1,4 +1,4 @@
+-policy_module(smoltclient, 1.2.0)
++policy_module(smoltclient, 1.1.1)
+ 
+ ########################################
+ #
 @@ -40,6 +40,7 @@ corenet_tcp_sendrecv_generic_node(smoltclient_t)
  
  corenet_sendrecv_http_client_packets(smoltclient_t)
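Review bot: In the smoltclient.fc hunk the replacement path loses the escape on the dot: `sendProfile\.py` becomes `sendProfile.py`, and an unescaped `.` in a file-context regex matches any character, so the `smoltclient_exec_t` entry is looser than the line it replaces. Keep the `\.` form, which also makes this one-line hunk unnecessary, so the executable label applies only to the intended file name.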
@@ -92465,6 +96381,18 @@ index 0000000..1fad7b8
 +logging_send_syslog_msg(smsd_t)
 +
 +sysnet_dns_name_resolve(smsd_t)
+diff --git a/smstools.fc b/smstools.fc
+index 4afc690..8e7d825 100644
+--- a/smstools.fc
++++ b/smstools.fc
+@@ -1,6 +1,6 @@
+ /etc/smsd\.conf	--	gen_context(system_u:object_r:smsd_conf_t,s0)
+ 
+-/etc/rc\.d/init\.d/(smsd|smstools)	--	gen_context(system_u:object_r:smsd_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/((smsd)|(smstools))	--	gen_context(system_u:object_r:smsd_initrc_exec_t,s0)
+ 
+ /usr/sbin/smsd	--	gen_context(system_u:object_r:smsd_exec_t,s0)
+ 
 diff --git a/smstools.if b/smstools.if
 index cbfe369..6594af3 100644
 --- a/smstools.if
@@ -92712,11 +96640,12 @@ index 0000000..3591c8e
 +    unconfined_domain(snapperd_t)
 +')
 diff --git a/snmp.fc b/snmp.fc
-index c73fa24..50d80f4 100644
+index 2f0a2f2..50d80f4 100644
 --- a/snmp.fc
 +++ b/snmp.fc
 @@ -1,6 +1,6 @@
- /etc/rc\.d/init\.d/((snmpd)|(snmptrapd))	--	gen_context(system_u:object_r:snmpd_initrc_exec_t,s0)
+-/etc/rc\.d/init\.d/(snmpd|snmptrapd)	--	gen_context(system_u:object_r:snmpd_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/((snmpd)|(snmptrapd))	--	gen_context(system_u:object_r:snmpd_initrc_exec_t,s0)
  
 -/usr/sbin/snmptrap	--	gen_context(system_u:object_r:snmpd_exec_t,s0)
 +/usr/sbin/snmpd	--	gen_context(system_u:object_r:snmpd_exec_t,s0)
@@ -92853,9 +96782,15 @@ index 7a9cc9d..86cbca9 100644
  	init_labeled_script_domtrans($1, snmpd_initrc_exec_t)
  	domain_system_change_exemption($1)
 diff --git a/snmp.te b/snmp.te
-index 81864ce..e0f790d 100644
+index 9dcaeb8..e0f790d 100644
 --- a/snmp.te
 +++ b/snmp.te
+@@ -1,4 +1,4 @@
+-policy_module(snmp, 1.14.0)
++policy_module(snmp, 1.13.4)
+ 
+ ########################################
+ #
 @@ -27,14 +27,16 @@ files_type(snmpd_var_lib_t)
  #
  
@@ -92951,6 +96886,20 @@ index 81864ce..e0f790d 100644
  	mta_search_queue(snmpd_t)
  ')
  
+diff --git a/snort.fc b/snort.fc
+index 591b9a1..24a8e1b 100644
+--- a/snort.fc
++++ b/snort.fc
+@@ -3,8 +3,8 @@
+ /etc/snort(/.*)?	gen_context(system_u:object_r:snort_etc_t,s0)
+ 
+ /usr/bin/snort	--	gen_context(system_u:object_r:snort_exec_t,s0)
+-/usr/sbin/snort	--	gen_context(system_u:object_r:snort_exec_t,s0)
+ 
++/usr/sbin/snort	--	gen_context(system_u:object_r:snort_exec_t,s0)
+ /usr/sbin/snort-plain	--	gen_context(system_u:object_r:snort_exec_t,s0)
+ 
+ /var/log/snort(/.*)?	gen_context(system_u:object_r:snort_log_t,s0)
 diff --git a/snort.if b/snort.if
 index 7d86b34..5f58180 100644
 --- a/snort.if
@@ -92984,9 +96933,15 @@ index 7d86b34..5f58180 100644
 +	files_list_pids($1)
  ')
 diff --git a/snort.te b/snort.te
-index ccd28bb..6e335a9 100644
+index 1af72df..6e335a9 100644
 --- a/snort.te
 +++ b/snort.te
+@@ -1,4 +1,4 @@
+-policy_module(snort, 1.11.0)
++policy_module(snort, 1.10.1)
+ 
+ ########################################
+ #
 @@ -32,10 +32,13 @@ files_pid_file(snort_var_run_t)
  allow snort_t self:capability { setgid setuid net_admin net_raw dac_override };
  dontaudit snort_t self:capability sys_tty_config;
@@ -93056,10 +97011,25 @@ index 634c6b4..e1edfd9 100644
  
  ########################################
 diff --git a/sosreport.te b/sosreport.te
-index 703efa3..08a6332 100644
+index f2f507d..08a6332 100644
 --- a/sosreport.te
 +++ b/sosreport.te
-@@ -19,6 +19,9 @@ files_tmp_file(sosreport_tmp_t)
+@@ -1,4 +1,4 @@
+-policy_module(sosreport, 1.3.1)
++policy_module(sosreport, 1.2.2)
+ 
+ ########################################
+ #
+@@ -13,15 +13,15 @@ type sosreport_exec_t;
+ application_domain(sosreport_t, sosreport_exec_t)
+ role sosreport_roles types sosreport_t;
+ 
+-type sosreport_var_run_t;
+-files_pid_file(sosreport_var_run_t)
+-
+ type sosreport_tmp_t;
+ files_tmp_file(sosreport_tmp_t)
+ 
  type sosreport_tmpfs_t;
  files_tmpfs_file(sosreport_tmpfs_t)
  
@@ -93069,14 +97039,14 @@ index 703efa3..08a6332 100644
  optional_policy(`
  	pulseaudio_tmpfs_content(sosreport_tmpfs_t)
  ')
-@@ -28,11 +31,14 @@ optional_policy(`
+@@ -31,12 +31,14 @@ optional_policy(`
  # Local policy
  #
  
 -allow sosreport_t self:capability { kill net_admin net_raw setuid sys_admin sys_nice dac_override };
--allow sosreport_t self:process { setsched signull };
 +allow sosreport_t self:capability { kill net_admin net_raw setuid sys_admin sys_nice dac_override chown };
-+dontaudit sosreport_t self:capability sys_ptrace;
+ dontaudit sosreport_t self:capability sys_ptrace;
+-allow sosreport_t self:process { setsched signull };
 +allow sosreport_t self:process { setpgid setsched signal_perms };
  allow sosreport_t self:fifo_file rw_fifo_file_perms;
  allow sosreport_t self:tcp_socket { accept listen };
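Review bot: The local policy for sosreport_t widens two self rules with no comment on what needs them: `chown` is added to a capability set that already contains `dac_override` and `sys_admin`, and `self:process { setsched signull }` becomes `{ setpgid setsched signal_perms }`. Please add a short comment naming the sosreport operation or denial behind each addition, and if only one or two signals are required, list them instead of the whole `signal_perms` set.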
@@ -93086,20 +97056,24 @@ index 703efa3..08a6332 100644
  
  manage_dirs_pattern(sosreport_t, sosreport_tmp_t, sosreport_tmp_t)
  manage_files_pattern(sosreport_t, sosreport_tmp_t, sosreport_tmp_t)
-@@ -40,6 +46,12 @@ manage_lnk_files_pattern(sosreport_t, sosreport_tmp_t, sosreport_tmp_t)
+@@ -44,20 +46,32 @@ manage_lnk_files_pattern(sosreport_t, sosreport_tmp_t, sosreport_tmp_t)
  files_root_filetrans(sosreport_t, sosreport_tmp_t, file, ".ismount-test-file")
  files_tmp_filetrans(sosreport_t, sosreport_tmp_t, { file dir })
  
-+manage_files_pattern(sosreport_t, sosreport_var_run_t, sosreport_var_run_t)
-+manage_dirs_pattern(sosreport_t, sosreport_var_run_t, sosreport_var_run_t)
-+manage_sock_files_pattern(sosreport_t, sosreport_var_run_t, sosreport_var_run_t)
-+manage_lnk_files_pattern(sosreport_t, sosreport_var_run_t, sosreport_var_run_t)
-+files_pid_filetrans(sosreport_t, sosreport_var_run_t, { file dir sock_file })
-+
- manage_files_pattern(sosreport_t, sosreport_tmpfs_t, sosreport_tmpfs_t)
- fs_tmpfs_filetrans(sosreport_t, sosreport_tmpfs_t, file)
+-manage_files_pattern(sosreport_t, sosreport_tmpfs_t, sosreport_tmpfs_t)
+-fs_tmpfs_filetrans(sosreport_t, sosreport_tmpfs_t, file)
+-
+ manage_files_pattern(sosreport_t, sosreport_var_run_t, sosreport_var_run_t)
+ manage_dirs_pattern(sosreport_t, sosreport_var_run_t, sosreport_var_run_t)
+ manage_sock_files_pattern(sosreport_t, sosreport_var_run_t, sosreport_var_run_t)
+ manage_lnk_files_pattern(sosreport_t, sosreport_var_run_t, sosreport_var_run_t)
+ files_pid_filetrans(sosreport_t, sosreport_var_run_t, { file dir sock_file })
  
-@@ -48,6 +60,18 @@ kernel_read_all_sysctls(sosreport_t)
++manage_files_pattern(sosreport_t, sosreport_tmpfs_t, sosreport_tmpfs_t)
++fs_tmpfs_filetrans(sosreport_t, sosreport_tmpfs_t, file)
++
+ kernel_read_network_state(sosreport_t)
+ kernel_read_all_sysctls(sosreport_t)
  kernel_read_software_raid_state(sosreport_t)
  kernel_search_debugfs(sosreport_t)
  kernel_read_messages(sosreport_t)
@@ -93118,25 +97092,17 @@ index 703efa3..08a6332 100644
  
  corecmd_exec_all_executables(sosreport_t)
  
-@@ -58,6 +82,10 @@ dev_read_rand(sosreport_t)
- dev_read_urand(sosreport_t)
+@@ -69,6 +83,9 @@ dev_read_urand(sosreport_t)
  dev_read_raw_memory(sosreport_t)
  dev_read_sysfs(sosreport_t)
-+dev_rw_generic_usb_dev(sosreport_t)
+ dev_rw_generic_usb_dev(sosreport_t)
 +dev_rw_lvm_control(sosreport_t)
 +dev_getattr_all_chr_files(sosreport_t)
 +dev_getattr_all_blk_files(sosreport_t)
  
  domain_getattr_all_domains(sosreport_t)
  domain_read_all_domains_state(sosreport_t)
-@@ -65,12 +93,13 @@ domain_getattr_all_sockets(sosreport_t)
- domain_getattr_all_pipes(sosreport_t)
- 
- files_getattr_all_sockets(sosreport_t)
-+files_getattr_all_files(sosreport_t)
-+files_getattr_all_pipes(sosreport_t)
- files_exec_etc_files(sosreport_t)
- files_list_all(sosreport_t)
+@@ -83,7 +100,6 @@ files_list_all(sosreport_t)
  files_read_config_files(sosreport_t)
  files_read_generic_tmp_files(sosreport_t)
  files_read_non_auth_files(sosreport_t)
@@ -93144,7 +97110,7 @@ index 703efa3..08a6332 100644
  files_read_var_lib_files(sosreport_t)
  files_read_var_symlinks(sosreport_t)
  files_read_kernel_modules(sosreport_t)
-@@ -79,27 +108,49 @@ files_manage_etc_runtime_files(sosreport_t)
+@@ -92,30 +108,49 @@ files_manage_etc_runtime_files(sosreport_t)
  files_etc_filetrans_etc_runtime(sosreport_t, file)
  
  fs_getattr_all_fs(sosreport_t)
@@ -93156,8 +97122,8 @@ index 703efa3..08a6332 100644
  
 +term_getattr_pty_fs(sosreport_t)
 +term_getattr_all_ptys(sosreport_t)
-+term_use_generic_ptys(sosreport_t)
-+
+ term_use_generic_ptys(sosreport_t)
+ 
 +# some config files do not have configfile attribute
 +# sosreport needs to read various files on system
 +files_read_non_security_files(sosreport_t)
@@ -93184,7 +97150,7 @@ index 703efa3..08a6332 100644
  optional_policy(`
  	abrt_manage_pid_files(sosreport_t)
  	abrt_manage_cache(sosreport_t)
-+	abrt_stream_connect(sosreport_t)
+ 	abrt_stream_connect(sosreport_t)
 +    abrt_signal(sosreport_t)
 +')
 +
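Review bot: Style: `abrt_signal(sosreport_t)` inside this `optional_policy` block is indented with four spaces, while `abrt_manage_pid_files`, `abrt_manage_cache` and `abrt_stream_connect` directly above it use a tab. Switch it to a tab so the block is consistent.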
@@ -93197,7 +97163,7 @@ index 703efa3..08a6332 100644
  ')
  
  optional_policy(`
-@@ -111,6 +162,16 @@ optional_policy(`
+@@ -127,6 +162,16 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -93214,7 +97180,7 @@ index 703efa3..08a6332 100644
  	fstools_domtrans(sosreport_t)
  ')
  
-@@ -120,6 +181,10 @@ optional_policy(`
+@@ -136,6 +181,10 @@ optional_policy(`
  	optional_policy(`
  		hal_dbus_chat(sosreport_t)
  	')
@@ -93225,7 +97191,7 @@ index 703efa3..08a6332 100644
  ')
  
  optional_policy(`
-@@ -131,15 +196,40 @@ optional_policy(`
+@@ -147,15 +196,40 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -93289,9 +97255,15 @@ index a5abc5a..b9eff74 100644
  	domain_system_change_exemption($1)
  	role_transition $2 soundd_initrc_exec_t system_r;
 diff --git a/soundserver.te b/soundserver.te
-index db1bc6f..b6c0d16 100644
+index 0919e0c..b6c0d16 100644
 --- a/soundserver.te
 +++ b/soundserver.te
+@@ -1,4 +1,4 @@
+-policy_module(soundserver, 1.9.0)
++policy_module(soundserver, 1.8.1)
+ 
+ ########################################
+ #
 @@ -65,7 +65,6 @@ kernel_read_kernel_sysctls(soundd_t)
  kernel_list_proc(soundd_t)
  kernel_read_proc_symlinks(soundd_t)
@@ -93837,16 +97809,16 @@ index 1499b0b..6950cab 100644
 -	spamassassin_role($2, $1)
  ')
 diff --git a/spamassassin.te b/spamassassin.te
-index 4faa7e0..e8531d9 100644
+index cc58e35..e8531d9 100644
 --- a/spamassassin.te
 +++ b/spamassassin.te
 @@ -1,4 +1,4 @@
--policy_module(spamassassin, 2.5.8)
+-policy_module(spamassassin, 2.6.1)
 +policy_module(spamassassin, 2.5.0)
  
  ########################################
  #
-@@ -7,50 +7,23 @@ policy_module(spamassassin, 2.5.8)
+@@ -7,50 +7,23 @@ policy_module(spamassassin, 2.6.1)
  
  ## <desc>
  ##	<p>
@@ -94281,29 +98253,29 @@ index 4faa7e0..e8531d9 100644
  ')
  
  optional_policy(`
-+	postfix_domtrans_postdrop(spamc_t)
-+	postfix_search_spool(spamc_t)
-+	postfix_rw_local_pipes(spamc_t)
-+	postfix_rw_inherited_master_pipes(spamc_t)
-+')
-+
-+optional_policy(`
- 	mta_send_mail(spamc_t)
- 	mta_read_config(spamc_t)
- 	mta_read_queue(spamc_t)
+-	mta_send_mail(spamc_t)
+-	mta_read_config(spamc_t)
+-	mta_read_queue(spamc_t)
 -	sendmail_rw_pipes(spamc_t)
- 	sendmail_stub(spamc_t)
+-	sendmail_stub(spamc_t)
 -')
 -
 -optional_policy(`
--	postfix_domtrans_postdrop(spamc_t)
--	postfix_search_spool(spamc_t)
--	postfix_rw_local_pipes(spamc_t)
--	postfix_rw_master_pipes(spamc_t)
-+	sendmail_rw_pipes(spamc_t)
-+	sendmail_dontaudit_rw_tcp_sockets(spamc_t)
+ 	postfix_domtrans_postdrop(spamc_t)
+ 	postfix_search_spool(spamc_t)
+ 	postfix_rw_local_pipes(spamc_t)
+ 	postfix_rw_inherited_master_pipes(spamc_t)
  ')
  
++optional_policy(`
++	mta_send_mail(spamc_t)
++	mta_read_config(spamc_t)
++	mta_read_queue(spamc_t)
++	sendmail_stub(spamc_t)
++	sendmail_rw_pipes(spamc_t)
++	sendmail_dontaudit_rw_tcp_sockets(spamc_t)
++')
++
  ########################################
  #
 -# Daemon local policy
@@ -94839,9 +98811,15 @@ index 0000000..931fa6c
 +dev_read_urand(speech-dispatcher_t)
 +
 diff --git a/speedtouch.te b/speedtouch.te
-index 9025dbd..388ce0a 100644
+index b38b8b1..388ce0a 100644
 --- a/speedtouch.te
 +++ b/speedtouch.te
+@@ -1,4 +1,4 @@
+-policy_module(speedtouch, 1.5.0)
++policy_module(speedtouch, 1.4.1)
+ 
+ #######################################
+ #
 @@ -39,16 +39,12 @@ dev_read_usbfs(speedmgmt_t)
  
  domain_use_interactive_fds(speedmgmt_t)
@@ -94929,9 +98907,15 @@ index 5e1f053..e7820bc 100644
  	domain_system_change_exemption($1)
  	role_transition $2 squid_initrc_exec_t system_r;
 diff --git a/squid.te b/squid.te
-index 221c560..d892e00 100644
+index 03472ed..d892e00 100644
 --- a/squid.te
 +++ b/squid.te
+@@ -1,4 +1,4 @@
+-policy_module(squid, 1.12.1)
++policy_module(squid, 1.11.2)
+ 
+ ########################################
+ #
 @@ -29,7 +29,7 @@ type squid_cache_t;
  files_type(squid_cache_t)
  
@@ -94966,14 +98950,7 @@ index 221c560..d892e00 100644
  ########################################
  #
  # Local policy
-@@ -74,20 +81,20 @@ allow squid_t squid_conf_t:file read_file_perms;
- allow squid_t squid_conf_t:lnk_file read_lnk_file_perms;
- 
- manage_dirs_pattern(squid_t, squid_log_t, squid_log_t)
--append_files_pattern(squid_t, squid_log_t, squid_log_t)
--create_files_pattern(squid_t, squid_log_t, squid_log_t)
--setattr_files_pattern(squid_t, squid_log_t, squid_log_t)
-+manage_files_pattern(squid_t, squid_log_t, squid_log_t)
+@@ -78,14 +85,16 @@ manage_files_pattern(squid_t, squid_log_t, squid_log_t)
  manage_lnk_files_pattern(squid_t, squid_log_t, squid_log_t)
  logging_log_filetrans(squid_t, squid_log_t, { file dir })
  
@@ -94993,7 +98970,7 @@ index 221c560..d892e00 100644
  files_pid_filetrans(squid_t, squid_var_run_t, file)
  
  can_exec(squid_t, squid_exec_t)
-@@ -96,7 +103,6 @@ kernel_read_kernel_sysctls(squid_t)
+@@ -94,7 +103,6 @@ kernel_read_kernel_sysctls(squid_t)
  kernel_read_system_state(squid_t)
  kernel_read_network_state(squid_t)
  
@@ -95001,7 +98978,7 @@ index 221c560..d892e00 100644
  corenet_all_recvfrom_netlabel(squid_t)
  corenet_tcp_sendrecv_generic_if(squid_t)
  corenet_udp_sendrecv_generic_if(squid_t)
-@@ -134,6 +140,7 @@ corenet_tcp_sendrecv_gopher_port(squid_t)
+@@ -132,6 +140,7 @@ corenet_tcp_sendrecv_gopher_port(squid_t)
  corenet_udp_sendrecv_gopher_port(squid_t)
  
  corenet_sendrecv_squid_server_packets(squid_t)
@@ -95009,7 +98986,7 @@ index 221c560..d892e00 100644
  corenet_tcp_bind_squid_port(squid_t)
  corenet_udp_bind_squid_port(squid_t)
  corenet_tcp_sendrecv_squid_port(squid_t)
-@@ -156,7 +163,6 @@ dev_read_urand(squid_t)
+@@ -154,7 +163,6 @@ dev_read_urand(squid_t)
  domain_use_interactive_fds(squid_t)
  
  files_read_etc_runtime_files(squid_t)
@@ -95017,7 +98994,7 @@ index 221c560..d892e00 100644
  files_search_spool(squid_t)
  files_dontaudit_getattr_tmp_dirs(squid_t)
  files_getattr_home_dir(squid_t)
-@@ -178,7 +184,6 @@ libs_exec_lib_files(squid_t)
+@@ -176,7 +184,6 @@ libs_exec_lib_files(squid_t)
  logging_send_syslog_msg(squid_t)
  
  miscfiles_read_generic_certs(squid_t)
@@ -95025,7 +99002,7 @@ index 221c560..d892e00 100644
  
  userdom_use_unpriv_users_fds(squid_t)
  userdom_dontaudit_search_user_home_dirs(squid_t)
-@@ -200,6 +205,8 @@ tunable_policy(`squid_use_tproxy',`
+@@ -198,6 +205,8 @@ tunable_policy(`squid_use_tproxy',`
  optional_policy(`
  	apache_content_template(squid)
  
@@ -95034,7 +99011,7 @@ index 221c560..d892e00 100644
  	corenet_all_recvfrom_unlabeled(httpd_squid_script_t)
  	corenet_all_recvfrom_netlabel(httpd_squid_script_t)
  	corenet_tcp_sendrecv_generic_if(httpd_squid_script_t)
-@@ -209,18 +216,18 @@ optional_policy(`
+@@ -207,18 +216,18 @@ optional_policy(`
  	corenet_tcp_connect_http_cache_port(httpd_squid_script_t)
  	corenet_tcp_sendrecv_http_cache_port(httpd_squid_script_t)
  
@@ -95060,7 +99037,7 @@ index 221c560..d892e00 100644
  ')
  
  optional_policy(`
-@@ -238,3 +245,24 @@ optional_policy(`
+@@ -236,3 +245,24 @@ optional_policy(`
  optional_policy(`
  	udev_read_db(squid_t)
  ')
@@ -95508,11 +99485,11 @@ index a240455..3dd6f00 100644
 -	admin_pattern($1, sssd_log_t)
  ')
 diff --git a/sssd.te b/sssd.te
-index 8b537aa..b400fb6 100644
+index 2d8db1f..b400fb6 100644
 --- a/sssd.te
 +++ b/sssd.te
 @@ -1,4 +1,4 @@
--policy_module(sssd, 1.1.4)
+-policy_module(sssd, 1.2.0)
 +policy_module(sssd, 1.1.0)
  
  ########################################
@@ -95930,9 +99907,15 @@ index 0000000..337d201
 +')
 +
 diff --git a/stunnel.te b/stunnel.te
-index 9992e62..47f1802 100644
+index 27a8480..47f1802 100644
 --- a/stunnel.te
 +++ b/stunnel.te
+@@ -1,4 +1,4 @@
+-policy_module(stunnel, 1.11.0)
++policy_module(stunnel, 1.10.2)
+ 
+ ########################################
+ #
 @@ -48,7 +48,6 @@ kernel_read_network_state(stunnel_t)
  
  corecmd_exec_bin(stunnel_t)
@@ -96115,9 +100098,15 @@ index 2ac91b6..dd2ac36 100644
  ')
 +
 diff --git a/svnserve.te b/svnserve.te
-index c6aaac7..84cdcac 100644
+index 49d688d..84cdcac 100644
 --- a/svnserve.te
 +++ b/svnserve.te
+@@ -1,4 +1,4 @@
+-policy_module(svnserve, 1.1.0)
++policy_module(svnserve, 1.0.2)
+ 
+ ########################################
+ #
 @@ -12,12 +12,18 @@ init_daemon_domain(svnserve_t, svnserve_exec_t)
  type svnserve_initrc_exec_t;
  init_script_file(svnserve_initrc_exec_t)
@@ -96555,9 +100544,15 @@ index 0000000..6e39c4f
 +
 +
 diff --git a/sxid.te b/sxid.te
-index c9824cb..1973f71 100644
+index 01a9d0a..1973f71 100644
 --- a/sxid.te
 +++ b/sxid.te
+@@ -1,4 +1,4 @@
+-policy_module(sxid, 1.8.0)
++policy_module(sxid, 1.7.1)
+ 
+ ########################################
+ #
 @@ -40,7 +40,6 @@ kernel_read_kernel_sysctls(sxid_t)
  corecmd_exec_bin(sxid_t)
  corecmd_exec_shell(sxid_t)
@@ -96585,9 +100580,15 @@ index c9824cb..1973f71 100644
  
  userdom_dontaudit_use_unpriv_user_fds(sxid_t)
 diff --git a/sysstat.te b/sysstat.te
-index c8b80b2..c81d332 100644
+index b92f677..c81d332 100644
 --- a/sysstat.te
 +++ b/sysstat.te
+@@ -1,4 +1,4 @@
+-policy_module(sysstat, 1.8.0)
++policy_module(sysstat, 1.7.1)
+ 
+ ########################################
+ #
 @@ -24,9 +24,7 @@ allow sysstat_t self:capability { dac_override sys_admin sys_resource sys_tty_co
  allow sysstat_t self:fifo_file rw_fifo_file_perms;
  
@@ -96705,11 +100706,11 @@ index c755e2d..0000000
 -')
 diff --git a/systemtap.te b/systemtap.te
 deleted file mode 100644
-index 6c06a84..0000000
+index ffde368..0000000
 --- a/systemtap.te
 +++ /dev/null
 @@ -1,101 +0,0 @@
--policy_module(systemtap, 1.0.2)
+-policy_module(systemtap, 1.1.0)
 -
 -########################################
 -#
@@ -96811,9 +100812,15 @@ index 6c06a84..0000000
 -	rpm_exec(stapserver_t)
 -')
 diff --git a/tcpd.te b/tcpd.te
-index f388db3..1e1a075 100644
+index 2d6d2c2..1e1a075 100644
 --- a/tcpd.te
 +++ b/tcpd.te
+@@ -1,4 +1,4 @@
+-policy_module(tcpd, 1.5.0)
++policy_module(tcpd, 1.4.1)
+ 
+ ########################################
+ #
 @@ -23,7 +23,6 @@ manage_dirs_pattern(tcpd_t, tcpd_tmp_t, tcpd_tmp_t)
  manage_files_pattern(tcpd_t, tcpd_tmp_t, tcpd_tmp_t)
  files_tmp_filetrans(tcpd_t, tcpd_tmp_t, { file dir })
@@ -96839,6 +100846,17 @@ index f388db3..1e1a075 100644
  sysnet_read_config(tcpd_t)
  
  inetd_domtrans_child(tcpd_t)
+diff --git a/tcsd.fc b/tcsd.fc
+index c2c2636..a38b954 100644
+--- a/tcsd.fc
++++ b/tcsd.fc
+@@ -1,4 +1,5 @@
+-/etc/rc\.d/init\.d/(tcsd|trousers)	--	gen_context(system_u:object_r:tcsd_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/tcsd	--	gen_context(system_u:object_r:tcsd_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/trousers	--	gen_context(system_u:object_r:tcsd_initrc_exec_t,s0)
+ 
+ /usr/sbin/tcsd	--	gen_context(system_u:object_r:tcsd_exec_t,s0)
+ 
 diff --git a/tcsd.if b/tcsd.if
 index b42ec1d..91b8f71 100644
 --- a/tcsd.if
@@ -96857,10 +100875,16 @@ index b42ec1d..91b8f71 100644
  	tcsd_initrc_domtrans($1)
  	domain_system_change_exemption($1)
 diff --git a/tcsd.te b/tcsd.te
-index ac8213a..14da480 100644
+index b26d44a..14da480 100644
 --- a/tcsd.te
 +++ b/tcsd.te
-@@ -41,10 +41,8 @@ corenet_tcp_sendrecv_tcs_port(tcsd_t)
+@@ -1,4 +1,4 @@
+-policy_module(tcsd, 1.1.1)
++policy_module(tcsd, 1.0.3)
+ 
+ ########################################
+ #
+@@ -41,12 +41,8 @@ corenet_tcp_sendrecv_tcs_port(tcsd_t)
  dev_read_urand(tcsd_t)
  dev_rw_tpm(tcsd_t)
  
@@ -96868,19 +100892,20 @@ index ac8213a..14da480 100644
 -
  auth_use_nsswitch(tcsd_t)
  
--logging_send_syslog_msg(tcsd_t)
-+init_read_utmp(tcsd_t)
+ init_read_utmp(tcsd_t)
  
+ logging_send_syslog_msg(tcsd_t)
+-
 -miscfiles_read_localization(tcsd_t)
-+logging_send_syslog_msg(tcsd_t)
 diff --git a/telepathy.fc b/telepathy.fc
-index c7de0cf..03fc880 100644
+index 6c7f8f8..03fc880 100644
 --- a/telepathy.fc
 +++ b/telepathy.fc
-@@ -1,34 +1,23 @@
+@@ -1,35 +1,23 @@
 -HOME_DIR/\.cache/\.mc_connections	--	gen_context(system_u:object_r:telepathy_mission_control_cache_home_t,s0)
 +HOME_DIR/\.cache/\.mc_connections	--	gen_context(system_u:object_r:telepathy_mission_control_cache_home_t, s0)
  HOME_DIR/\.cache/telepathy(/.*)?	gen_context(system_u:object_r:telepathy_cache_home_t, s0)
+-HOME_DIR/\.cache/telepathy/avatars/gabble(/.*)?	gen_context(system_u:object_r:telepathy_gabble_cache_home_t, s0)
  HOME_DIR/\.cache/telepathy/logger(/.*)?	gen_context(system_u:object_r:telepathy_logger_cache_home_t,s0)
 -HOME_DIR/\.cache/telepathy/gabble(/.*)?	gen_context(system_u:object_r:telepathy_gabble_cache_home_t,s0)
 -HOME_DIR/\.cache/wocky(/.*)?	gen_context(system_u:object_r:telepathy_gabble_cache_home_t,s0)
@@ -97349,11 +101374,11 @@ index 42946bc..9f70e4c 100644
 +	can_exec($1, telepathy_executable)
  ')
 diff --git a/telepathy.te b/telepathy.te
-index e9c0964..5a41683 100644
+index 9afcbc9..5a41683 100644
 --- a/telepathy.te
 +++ b/telepathy.te
 @@ -1,29 +1,28 @@
--policy_module(telepathy, 1.3.5)
+-policy_module(telepathy, 1.4.2)
 +policy_module(telepathy, 1.3.0)
  
  ########################################
@@ -97392,7 +101417,7 @@ index e9c0964..5a41683 100644
  
  telepathy_domain_template(gabble)
  
-@@ -67,176 +66,147 @@ userdom_user_home_content(telepathy_sunshine_home_t)
+@@ -67,179 +66,147 @@ userdom_user_home_content(telepathy_sunshine_home_t)
  
  #######################################
  #
@@ -97463,14 +101488,14 @@ index e9c0964..5a41683 100644
 -	corenet_sendrecv_generic_client_packets(telepathy_gabble_t)
  	corenet_tcp_connect_generic_port(telepathy_gabble_t)
 -	corenet_tcp_sendrecv_generic_port(telepathy_gabble_t)
-+	corenet_sendrecv_generic_client_packets(telepathy_gabble_t)
- ')
- 
+-')
+-
 -tunable_policy(`use_nfs_home_dirs',`
 -	fs_manage_nfs_dirs(telepathy_gabble_t)
 -	fs_manage_nfs_files(telepathy_gabble_t)
--')
--
++	corenet_sendrecv_generic_client_packets(telepathy_gabble_t)
+ ')
+ 
 -tunable_policy(`use_samba_home_dirs',`
 -	fs_manage_cifs_dirs(telepathy_gabble_t)
 -	fs_manage_cifs_files(telepathy_gabble_t)
@@ -97585,16 +101610,19 @@ index e9c0964..5a41683 100644
 +userdom_search_user_home_dirs(telepathy_mission_control_t)
  
 -manage_dirs_pattern(telepathy_mission_control_t, telepathy_mission_control_data_home_t, telepathy_mission_control_data_home_t)
+-manage_files_pattern(telepathy_mission_control_t, telepathy_mission_control_data_home_t, telepathy_mission_control_data_home_t)
+-filetrans_pattern(telepathy_mission_control_t, telepathy_data_home_t, telepathy_mission_control_data_home_t, dir, "mission-control")
 +manage_files_pattern(telepathy_mission_control_t, telepathy_gabble_cache_home_t, telepathy_gabble_cache_home_t)
 +manage_dirs_pattern(telepathy_mission_control_t, telepathy_gabble_cache_home_t, telepathy_gabble_cache_home_t)
-+
-+manage_dirs_pattern(telepathy_mission_control_t, { telepathy_data_home_t telepathy_mission_control_data_home_t }, { telepathy_data_home_t telepathy_mission_control_data_home_t })
- manage_files_pattern(telepathy_mission_control_t, telepathy_mission_control_data_home_t, telepathy_mission_control_data_home_t)
--filetrans_pattern(telepathy_mission_control_t, telepathy_data_home_t, telepathy_mission_control_data_home_t, dir, "mission-control")
-+filetrans_pattern(telepathy_mission_control_t, telepathy_data_home_t, telepathy_mission_control_data_home_t, { dir file })
  
 -manage_files_pattern(telepathy_mission_control_t, telepathy_mission_control_cache_home_t, telepathy_mission_control_cache_home_t)
 -# gnome_cache_filetrans(telepathy_mission_control_t, telepathy_mission_control_cache_home_t, file, ".mc_connections")
++manage_dirs_pattern(telepathy_mission_control_t, { telepathy_data_home_t telepathy_mission_control_data_home_t }, { telepathy_data_home_t telepathy_mission_control_data_home_t })
++manage_files_pattern(telepathy_mission_control_t, telepathy_mission_control_data_home_t, telepathy_mission_control_data_home_t)
++filetrans_pattern(telepathy_mission_control_t, telepathy_data_home_t, telepathy_mission_control_data_home_t, { dir file })
+ 
+-manage_dirs_pattern(telepathy_mission_control_t, telepathy_gabble_cache_home_t, telepathy_gabble_cache_home_t)
+-manage_files_pattern(telepathy_mission_control_t, telepathy_gabble_cache_home_t, telepathy_gabble_cache_home_t)
 +optional_policy(`
 +	gnome_data_filetrans(telepathy_mission_control_t, telepathy_data_home_t, dir)
 +	gnome_manage_home_config(telepathy_mission_control_t)
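Review bot: The replacement `filetrans_pattern(telepathy_mission_control_t, telepathy_data_home_t, telepathy_mission_control_data_home_t, { dir file })` drops the object name `"mission-control"` and adds the `file` class, so every file or directory that telepathy_mission_control_t creates in a telepathy_data_home_t directory gets the mission-control data type, not just the `mission-control` directory named in the removed line. If the broader transition is needed, a comment saying which paths it covers would help; otherwise keep the named form. The gabble cache `manage_files_pattern` and `manage_dirs_pattern` pair is also removed and re-added with only the order changed, which adds noise to the patch.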
@@ -97620,7 +101648,7 @@ index e9c0964..5a41683 100644
  
  optional_policy(`
  	dbus_system_bus_client(telepathy_mission_control_t)
-@@ -245,59 +215,51 @@ optional_policy(`
+@@ -248,59 +215,51 @@ optional_policy(`
  		devicekit_dbus_chat_power(telepathy_mission_control_t)
  	')
  	optional_policy(`
@@ -97695,7 +101723,7 @@ index e9c0964..5a41683 100644
  
  init_read_state(telepathy_msn_t)
  
-@@ -307,18 +269,19 @@ logging_send_syslog_msg(telepathy_msn_t)
+@@ -310,18 +269,19 @@ logging_send_syslog_msg(telepathy_msn_t)
  
  miscfiles_read_all_certs(telepathy_msn_t)
  
@@ -97720,7 +101748,7 @@ index e9c0964..5a41683 100644
  ')
  
  optional_policy(`
-@@ -329,43 +292,33 @@ optional_policy(`
+@@ -332,43 +292,33 @@ optional_policy(`
  	')
  ')
  
@@ -97769,7 +101797,7 @@ index e9c0964..5a41683 100644
  ')
  
  optional_policy(`
-@@ -378,73 +331,53 @@ optional_policy(`
+@@ -381,73 +331,53 @@ optional_policy(`
  
  #######################################
  #
@@ -97853,7 +101881,7 @@ index e9c0964..5a41683 100644
  optional_policy(`
  	xserver_read_xdm_pid(telepathy_sunshine_t)
  	xserver_stream_connect(telepathy_sunshine_t)
-@@ -452,31 +385,49 @@ optional_policy(`
+@@ -455,31 +385,49 @@ optional_policy(`
  
  #######################################
  #
@@ -97911,21 +101939,45 @@ index e9c0964..5a41683 100644
  ')
 +
 diff --git a/telnet.te b/telnet.te
-index 9f89916..1bdef51 100644
+index d7c8633..1bdef51 100644
 --- a/telnet.te
 +++ b/telnet.te
-@@ -26,13 +26,17 @@ files_pid_file(telnetd_var_run_t)
+@@ -1,4 +1,4 @@
+-policy_module(telnet, 1.11.3)
++policy_module(telnet, 1.10.2)
+ 
+ ########################################
+ #
+@@ -8,14 +8,10 @@ policy_module(telnet, 1.11.3)
+ type telnetd_t;
+ type telnetd_exec_t;
+ inetd_service_domain(telnetd_t, telnetd_exec_t)
+-init_daemon_domain(telnetd_t, telnetd_exec_t)
+ 
+ type telnetd_devpts_t;
+ term_login_pty(telnetd_devpts_t)
+ 
+-type telnetd_keytab_t;
+-files_type(telnetd_keytab_t)
+-
+ type telnetd_tmp_t;
+ files_tmp_file(telnetd_tmp_t)
+ 
+@@ -30,16 +26,17 @@ files_pid_file(telnetd_var_run_t)
  allow telnetd_t self:capability { fsetid chown fowner setuid setgid sys_tty_config dac_override };
  allow telnetd_t self:process signal_perms;
  allow telnetd_t self:fifo_file rw_fifo_file_perms;
+-allow telnetd_t self:tcp_socket { accept listen };
 +allow telnetd_t self:tcp_socket connected_stream_socket_perms;
 +allow telnetd_t self:udp_socket create_socket_perms;
 +# for identd; cjp: this should probably only be inetd_child rules?
 +allow telnetd_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
  
  allow telnetd_t telnetd_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms };
-+
- term_create_pty(telnetd_t, telnetd_devpts_t)
+-term_create_pty(telnetd_t, telnetd_devpts_t)
+ 
+-allow telnetd_t telnetd_keytab_t:file read_file_perms;
++term_create_pty(telnetd_t, telnetd_devpts_t)
  
  manage_dirs_pattern(telnetd_t, telnetd_tmp_t, telnetd_tmp_t)
  manage_files_pattern(telnetd_t, telnetd_tmp_t, telnetd_tmp_t)
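Review bot: The telnetd_t self rules end up broader than the base: `allow telnetd_t self:tcp_socket { accept listen };` is replaced by `connected_stream_socket_perms`, and `self:udp_socket create_socket_perms` plus a `netlink_tcpdiag_socket` rule are added, the last one under a comment that still asks whether it belongs in inetd_child instead. Please resolve that question before carrying the rule forward, and keep `{ accept listen }` unless a recorded denial shows the daemon needs more. The same hunk drops `telnetd_keytab_t` and its `read_file_perms` rule, so it is worth confirming that `kerberos_keytab_template(telnetd, telnetd_t)` later in the file supplies the replacement type.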
@@ -97933,23 +101985,26 @@ index 9f89916..1bdef51 100644
  
  manage_files_pattern(telnetd_t, telnetd_var_run_t, telnetd_var_run_t)
  files_pid_filetrans(telnetd_t, telnetd_var_run_t, file)
-@@ -41,7 +45,6 @@ kernel_read_kernel_sysctls(telnetd_t)
+@@ -48,14 +45,14 @@ kernel_read_kernel_sysctls(telnetd_t)
  kernel_read_system_state(telnetd_t)
  kernel_read_network_state(telnetd_t)
  
 -corenet_all_recvfrom_unlabeled(telnetd_t)
  corenet_all_recvfrom_netlabel(telnetd_t)
  corenet_tcp_sendrecv_generic_if(telnetd_t)
- corenet_udp_sendrecv_generic_if(telnetd_t)
-@@ -49,6 +52,7 @@ corenet_tcp_sendrecv_generic_node(telnetd_t)
- corenet_udp_sendrecv_generic_node(telnetd_t)
- corenet_tcp_sendrecv_all_ports(telnetd_t)
- corenet_udp_sendrecv_all_ports(telnetd_t)
-+corenet_tcp_bind_telnetd_port(telnetd_t)
++corenet_udp_sendrecv_generic_if(telnetd_t)
+ corenet_tcp_sendrecv_generic_node(telnetd_t)
+-
+-corenet_sendrecv_telnetd_server_packets(telnetd_t)
++corenet_udp_sendrecv_generic_node(telnetd_t)
++corenet_tcp_sendrecv_all_ports(telnetd_t)
++corenet_udp_sendrecv_all_ports(telnetd_t)
+ corenet_tcp_bind_telnetd_port(telnetd_t)
+-corenet_tcp_sendrecv_telnetd_port(telnetd_t)
  
  corecmd_search_bin(telnetd_t)
  
-@@ -56,7 +60,6 @@ dev_read_urand(telnetd_t)
+@@ -63,7 +60,6 @@ dev_read_urand(telnetd_t)
  
  domain_interactive_fd(telnetd_t)
  
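Review bot: The corenet block replaces the port-specific `corenet_tcp_sendrecv_telnetd_port(telnetd_t)` and `corenet_sendrecv_telnetd_server_packets(telnetd_t)` with `corenet_tcp_sendrecv_all_ports(telnetd_t)` and `corenet_udp_sendrecv_all_ports(telnetd_t)`, and adds UDP send/receive on generic interfaces and nodes, while the only bind kept in this block is `corenet_tcp_bind_telnetd_port(telnetd_t)`. Unless something in telnetd_t is known to need UDP or other ports, keep the narrower telnetd-port interfaces from the base.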
@@ -97957,7 +102012,7 @@ index 9f89916..1bdef51 100644
  files_read_etc_runtime_files(telnetd_t)
  files_search_home(telnetd_t)
  
-@@ -69,12 +72,12 @@ init_rw_utmp(telnetd_t)
+@@ -76,12 +72,12 @@ init_rw_utmp(telnetd_t)
  
  logging_send_syslog_msg(telnetd_t)
  
@@ -97972,21 +102027,25 @@ index 9f89916..1bdef51 100644
  
  tunable_policy(`use_nfs_home_dirs',`
  	fs_search_nfs(telnetd_t)
-@@ -86,7 +89,7 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -92,10 +88,9 @@ tunable_policy(`use_samba_home_dirs',`
+ ')
  
  optional_policy(`
- 	kerberos_keytab_template(telnetd, telnetd_t)
+-	kerberos_read_keytab(telnetd_t)
 -	kerberos_tmp_filetrans_host_rcache(telnetd_t, file, "host_0")
++	kerberos_keytab_template(telnetd, telnetd_t)
 +	kerberos_tmp_filetrans_host_rcache(telnetd_t, "host_0")
  	kerberos_manage_host_rcache(telnetd_t)
+-	kerberos_use(telnetd_t)
  ')
  
+ optional_policy(`
 diff --git a/tftp.fc b/tftp.fc
-index 93a5bf4..621f343 100644
+index 3dd87da..621f343 100644
 --- a/tftp.fc
 +++ b/tftp.fc
 @@ -1,9 +1,9 @@
--/etc/xinetd\.d/tftp	--	gen_context(system_u:object_r:tftpd_conf_t,s0)
+-/etc/(x)?inetd\.d/tftp	--	gen_context(system_u:object_r:tftpd_conf_t,s0)
 +/etc/xinetd\.d/tftp	--	gen_context(system_u:object_r:tftpd_etc_t,s0)
  
  /usr/sbin/atftpd	--	gen_context(system_u:object_r:tftpd_exec_t,s0)
@@ -98236,16 +102295,16 @@ index 9957e30..cf0b925 100644
 +	tftp_manage_config($1)
  ')
 diff --git a/tftp.te b/tftp.te
-index f455e70..a3b440c 100644
+index cfaa2a1..a3b440c 100644
 --- a/tftp.te
 +++ b/tftp.te
 @@ -1,4 +1,4 @@
--policy_module(tftp, 1.12.4)
+-policy_module(tftp, 1.13.0)
 +policy_module(tftp, 1.12.0)
  
  ########################################
  #
-@@ -6,30 +6,24 @@ policy_module(tftp, 1.12.4)
+@@ -6,30 +6,24 @@ policy_module(tftp, 1.13.0)
  #
  
  ## <desc>
@@ -98438,9 +102497,15 @@ index 5406b6e..dc5b46e 100644
  	admin_pattern($1, tgtd_tmpfs_t)
  ')
 diff --git a/tgtd.te b/tgtd.te
-index c93c973..704a0e2 100644
+index d010963..704a0e2 100644
 --- a/tgtd.te
 +++ b/tgtd.te
+@@ -1,4 +1,4 @@
+-policy_module(tgtd, 1.3.1)
++policy_module(tgtd, 1.2.3)
+ 
+ ########################################
+ #
 @@ -29,7 +29,7 @@ files_pid_file(tgtd_var_run_t)
  # Local policy
  #
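Review bot: the inner hunk added here for tgtd.te exists only to turn `policy_module(tgtd, 1.3.1)` back into `policy_module(tgtd, 1.2.3)`, so a module built from the newer upstream source declares an older version than the code it carries. Consider dropping the `policy_module` line from the patch and letting the version follow the rebased base. The same pattern repeats in the thunderbird, timidity, tmpreaper, tor and later .te hunks of this commit, which is a lot of rebase churn for no policy change.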
@@ -98450,7 +102515,7 @@ index c93c973..704a0e2 100644
  allow tgtd_t self:capability2 block_suspend;
  allow tgtd_t self:process { setrlimit signal };
  allow tgtd_t self:fifo_file rw_fifo_file_perms;
-@@ -56,29 +56,30 @@ files_pid_filetrans(tgtd_t,tgtd_var_run_t, { file sock_file })
+@@ -56,32 +56,30 @@ files_pid_filetrans(tgtd_t,tgtd_var_run_t, { file sock_file })
  
  kernel_read_system_state(tgtd_t)
  kernel_read_fs_sysctls(tgtd_t)
@@ -98464,8 +102529,11 @@ index c93c973..704a0e2 100644
  
  corenet_sendrecv_iscsi_server_packets(tgtd_t)
  corenet_tcp_bind_iscsi_port(tgtd_t)
-+corenet_tcp_connect_isns_port(tgtd_t)
- corenet_tcp_sendrecv_iscsi_port(tgtd_t)
+-corenet_tcp_sendrecv_iscsi_port(tgtd_t)
+-
+-corenet_sendrecv_iscsi_client_packets(tgtd_t)
+ corenet_tcp_connect_isns_port(tgtd_t)
++corenet_tcp_sendrecv_iscsi_port(tgtd_t)
  
  dev_read_sysfs(tgtd_t)
  
@@ -99023,9 +103091,15 @@ index 0000000..dd6ba2c
 +	corenet_dontaudit_udp_bind_generic_node(thumb_t)
 +')
 diff --git a/thunderbird.te b/thunderbird.te
-index 4257ede..fc265b8 100644
+index 5e867da..fc265b8 100644
 --- a/thunderbird.te
 +++ b/thunderbird.te
+@@ -1,4 +1,4 @@
+-policy_module(thunderbird, 2.4.0)
++policy_module(thunderbird, 2.3.4)
+ 
+ ########################################
+ #
 @@ -53,7 +53,6 @@ kernel_read_system_state(thunderbird_t)
  
  corecmd_exec_shell(thunderbird_t)
@@ -99078,9 +103152,15 @@ index 4257ede..fc265b8 100644
  ifndef(`enable_mls',`
  	fs_search_removable(thunderbird_t)
 diff --git a/timidity.te b/timidity.te
-index 67ca5c5..a1ef2d2 100644
+index 97cd155..a1ef2d2 100644
 --- a/timidity.te
 +++ b/timidity.te
+@@ -1,4 +1,4 @@
+-policy_module(timidity, 1.10.0)
++policy_module(timidity, 1.9.1)
+ 
+ ########################################
+ #
 @@ -36,7 +36,6 @@ fs_tmpfs_filetrans(timidity_t, timidity_tmpfs_t, { dir file lnk_file sock_file f
  kernel_read_kernel_sysctls(timidity_t)
  kernel_read_system_state(timidity_t)
@@ -99098,11 +103178,29 @@ index 67ca5c5..a1ef2d2 100644
  files_search_tmp(timidity_t)
  
  fs_search_auto_mountpoints(timidity_t)
+diff --git a/tmpreaper.fc b/tmpreaper.fc
+index d19a6cf..ed08c94 100644
+--- a/tmpreaper.fc
++++ b/tmpreaper.fc
+@@ -1,5 +1,5 @@
+-/etc/rc\.d/init\.d/mountall-bootclean\.sh	--	gen_context(system_u:object_r:tmpreaper_exec_t,s0)
+-/etc/rc\.d/init\.d/mountnfs-bootclean\.sh	--	gen_context(system_u:object_r:tmpreaper_exec_t,s0)
++/etc/rc\.d/init\.d/mountall-bootclean.sh	--	gen_context(system_u:object_r:tmpreaper_exec_t,s0)
++/etc/rc\.d/init\.d/mountnfs-bootclean.sh	--	gen_context(system_u:object_r:tmpreaper_exec_t,s0)
+ 
+ /usr/sbin/tmpreaper	--	gen_context(system_u:object_r:tmpreaper_exec_t,s0)
+ /usr/sbin/tmpwatch	--	gen_context(system_u:object_r:tmpreaper_exec_t,s0)
 diff --git a/tmpreaper.te b/tmpreaper.te
-index a4a949c..9ae28c6 100644
+index 585a77f..9ae28c6 100644
 --- a/tmpreaper.te
 +++ b/tmpreaper.te
-@@ -8,6 +8,7 @@ policy_module(tmpreaper, 1.6.3)
+@@ -1,4 +1,4 @@
+-policy_module(tmpreaper, 1.7.1)
++policy_module(tmpreaper, 1.6.3)
+ 
+ ########################################
+ #
+@@ -8,6 +8,7 @@ policy_module(tmpreaper, 1.7.1)
  type tmpreaper_t;
  type tmpreaper_exec_t;
  init_system_domain(tmpreaper_t, tmpreaper_exec_t)
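Review bot: in the new tmpreaper.fc hunk the replacement lines drop the backslash before `.sh` (`mountall-bootclean.sh`, `mountnfs-bootclean.sh`), so the dot becomes a regex wildcard and the entries match any character in that position instead of a literal dot. The upstream lines being removed had it right (`bootclean\.sh`). Keep the escaped form, which would also let this whole .fc hunk drop out of the patch, since it changes nothing else.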
@@ -99110,7 +103208,11 @@ index a4a949c..9ae28c6 100644
  
  ########################################
  #
-@@ -18,20 +19,25 @@ allow tmpreaper_t self:capability { dac_override dac_read_search fowner };
+@@ -15,48 +16,45 @@ init_system_domain(tmpreaper_t, tmpreaper_exec_t)
+ #
+ 
+ allow tmpreaper_t self:capability { dac_override dac_read_search fowner };
+-allow tmpreaper_t self:fifo_file rw_fifo_file_perms;
  
  kernel_list_unlabeled(tmpreaper_t)
  kernel_read_system_state(tmpreaper_t)
@@ -99118,6 +103220,9 @@ index a4a949c..9ae28c6 100644
  
  dev_read_urand(tmpreaper_t)
  
+-corecmd_exec_bin(tmpreaper_t)
+-corecmd_exec_shell(tmpreaper_t)
+-
  fs_getattr_xattr_fs(tmpreaper_t)
  fs_list_all(tmpreaper_t)
 +fs_setattr_tmpfs_dirs(tmpreaper_t)
@@ -99140,13 +103245,19 @@ index a4a949c..9ae28c6 100644
  mls_file_read_all_levels(tmpreaper_t)
  mls_file_write_all_levels(tmpreaper_t)
  
-@@ -39,14 +45,16 @@ auth_use_nsswitch(tmpreaper_t)
+ auth_use_nsswitch(tmpreaper_t)
  
+-init_use_inherited_script_ptys(tmpreaper_t)
+-
  logging_send_syslog_msg(tmpreaper_t)
  
 -miscfiles_read_localization(tmpreaper_t)
  miscfiles_delete_man_pages(tmpreaper_t)
  
+-ifdef(`distro_debian',`
+-	term_dontaudit_use_unallocated_ttys(tmpreaper_t)
+-')
+-
  ifdef(`distro_redhat',`
 -	userdom_list_all_user_home_content(tmpreaper_t)
 +	userdom_list_user_home_content(tmpreaper_t)
@@ -99159,7 +103270,7 @@ index a4a949c..9ae28c6 100644
  ')
  
  optional_policy(`
-@@ -54,6 +62,7 @@ optional_policy(`
+@@ -64,6 +62,7 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -99167,7 +103278,7 @@ index a4a949c..9ae28c6 100644
  	apache_list_cache(tmpreaper_t)
  	apache_delete_cache_dirs(tmpreaper_t)
  	apache_delete_cache_files(tmpreaper_t)
-@@ -69,7 +78,19 @@ optional_policy(`
+@@ -79,11 +78,19 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -99177,9 +103288,10 @@ index a4a949c..9ae28c6 100644
 +
 +optional_policy(`
 +	mandb_delete_cache(tmpreaper_t)
-+')
-+
-+optional_policy(`
+ ')
+ 
+ optional_policy(`
+-	plymouthd_exec_plymouth(tmpreaper_t)
 +	sandbox_list(tmpreaper_t)
 +	sandbox_delete_dirs(tmpreaper_t)
 +	sandbox_delete_files(tmpreaper_t)
@@ -99682,11 +103794,14 @@ index 0000000..5a263b2
 +	tomcat_search_lib(tomcat_domain)
 +')
 diff --git a/tor.fc b/tor.fc
-index 6b9d449..ac02092 100644
+index dce42ec..ac02092 100644
 --- a/tor.fc
 +++ b/tor.fc
-@@ -6,6 +6,8 @@
+@@ -3,8 +3,11 @@
+ /etc/rc\.d/init\.d/tor	--	gen_context(system_u:object_r:tor_initrc_exec_t,s0)
  
+ /usr/bin/tor	--	gen_context(system_u:object_r:tor_exec_t,s0)
++
  /usr/sbin/tor	--	gen_context(system_u:object_r:tor_exec_t,s0)
  
 +/usr/lib/systemd/system/tor.*         --      gen_context(system_u:object_r:tor_unit_file_t,s0)
@@ -99764,10 +103879,16 @@ index 61c2e07..5e1df41 100644
 +	')
  ')
 diff --git a/tor.te b/tor.te
-index 964a395..ea77295 100644
+index 5ceacde..ea77295 100644
 --- a/tor.te
 +++ b/tor.te
-@@ -13,6 +13,13 @@ policy_module(tor, 1.8.4)
+@@ -1,4 +1,4 @@
+-policy_module(tor, 1.9.0)
++policy_module(tor, 1.8.4)
+ 
+ ########################################
+ #
+@@ -13,6 +13,13 @@ policy_module(tor, 1.9.0)
  ## </desc>
  gen_tunable(tor_bind_all_unreserved_ports, false)
  
@@ -99834,9 +103955,15 @@ index 964a395..ea77295 100644
  	seutil_sigchld_newrole(tor_t)
  ')
 diff --git a/transproxy.te b/transproxy.te
-index 20d1a28..494a46d 100644
+index 34973ee..494a46d 100644
 --- a/transproxy.te
 +++ b/transproxy.te
+@@ -1,4 +1,4 @@
+-policy_module(transproxy, 1.8.0)
++policy_module(transproxy, 1.7.1)
+ 
+ ########################################
+ #
 @@ -32,7 +32,6 @@ kernel_read_kernel_sysctls(transproxy_t)
  kernel_list_proc(transproxy_t)
  kernel_read_proc_symlinks(transproxy_t)
@@ -99862,9 +103989,15 @@ index 20d1a28..494a46d 100644
  
  userdom_dontaudit_use_unpriv_user_fds(transproxy_t)
 diff --git a/tripwire.te b/tripwire.te
-index 2e1110d..2c989b4 100644
+index 03aa6b7..2c989b4 100644
 --- a/tripwire.te
 +++ b/tripwire.te
+@@ -1,4 +1,4 @@
+-policy_module(tripwire, 1.3.0)
++policy_module(tripwire, 1.2.1)
+ 
+ ########################################
+ #
 @@ -86,7 +86,7 @@ files_getattr_all_sockets(tripwire_t)
  
  logging_send_syslog_msg(tripwire_t)
@@ -99904,6 +104037,18 @@ index 2e1110d..2c989b4 100644
 -
 -userdom_use_user_terminals(siggen_t)
 +userdom_use_inherited_user_terminals(siggen_t)
+diff --git a/tuned.fc b/tuned.fc
+index 956587a..23ba272 100644
+--- a/tuned.fc
++++ b/tuned.fc
+@@ -1,6 +1,6 @@
+ /etc/rc\.d/init\.d/tuned	--	gen_context(system_u:object_r:tuned_initrc_exec_t,s0)
+ 
+-/etc/tuned(/.*)?	gen_context(system_u:object_r:tuned_etc_t,s0)
++/etc/tuned(/.)?	gen_context(system_u:object_r:tuned_etc_t,s0)
+ /etc/tuned/active_profile	--	gen_context(system_u:object_r:tuned_rw_etc_t,s0)
+ 
+ /usr/sbin/tuned	--	gen_context(system_u:object_r:tuned_exec_t,s0)
 diff --git a/tuned.if b/tuned.if
 index e29db63..061fb98 100644
 --- a/tuned.if
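Review bot: the `+` line in the new tuned.fc hunk replaces `/etc/tuned(/.*)?` with `/etc/tuned(/.)?`, which matches only `/etc/tuned` itself and paths with a single character after the slash, so profile directories and files under /etc/tuned would no longer be labelled `tuned_etc_t` by this entry. This looks like a lost `*`. Keep the upstream `(/.*)?` pattern, at which point the tuned.fc hunk is no longer needed.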
@@ -99924,9 +104069,15 @@ index e29db63..061fb98 100644
  	domain_system_change_exemption($1)
  	role_transition $2 tuned_initrc_exec_t system_r;
 diff --git a/tuned.te b/tuned.te
-index 7116181..3f42127 100644
+index 393a330..3f42127 100644
 --- a/tuned.te
 +++ b/tuned.te
+@@ -1,4 +1,4 @@
+-policy_module(tuned, 1.2.0)
++policy_module(tuned, 1.1.4)
+ 
+ ########################################
+ #
 @@ -21,6 +21,9 @@ files_config_file(tuned_rw_etc_t)
  type tuned_log_t;
  logging_log_file(tuned_log_t)
@@ -100089,9 +104240,15 @@ index 1bb0f7c..372be2f 100644
  ## <summary>
  ##	Role access for tvtime
 diff --git a/tvtime.te b/tvtime.te
-index 3292fcc..20099b0 100644
+index afd2d6c..20099b0 100644
 --- a/tvtime.te
 +++ b/tvtime.te
+@@ -1,4 +1,4 @@
+-policy_module(tvtime, 2.3.0)
++policy_module(tvtime, 2.2.1)
+ 
+ ########################################
+ #
 @@ -42,7 +42,6 @@ allow tvtime_t self:unix_stream_socket rw_stream_socket_perms;
  manage_dirs_pattern(tvtime_t, tvtime_home_t, tvtime_home_t)
  manage_files_pattern(tvtime_t, tvtime_home_t, tvtime_home_t)
@@ -100135,9 +104292,15 @@ index 3292fcc..20099b0 100644
  optional_policy(`
  	xserver_user_x_domain_template(tvtime, tvtime_t, tvtime_tmpfs_t)
 diff --git a/tzdata.te b/tzdata.te
-index aa6ae96..9f86987 100644
+index 221c43b..9f86987 100644
 --- a/tzdata.te
 +++ b/tzdata.te
+@@ -1,4 +1,4 @@
+-policy_module(tzdata, 1.5.0)
++policy_module(tzdata, 1.4.1)
+ 
+ ########################################
+ #
 @@ -27,11 +27,10 @@ term_dontaudit_list_ptys(tzdata_t)
  
  locallogin_dontaudit_use_fds(tzdata_t)
@@ -100152,9 +104315,15 @@ index aa6ae96..9f86987 100644
  optional_policy(`
  	postfix_search_spool(tzdata_t)
 diff --git a/ucspitcp.te b/ucspitcp.te
-index 5e365c2..0fbc46e 100644
+index 7745b72..0fbc46e 100644
 --- a/ucspitcp.te
 +++ b/ucspitcp.te
+@@ -1,4 +1,4 @@
+-policy_module(ucspitcp, 1.4.0)
++policy_module(ucspitcp, 1.3.1)
+ 
+ ########################################
+ #
 @@ -33,7 +33,6 @@ corenet_udp_sendrecv_all_ports(rblsmtpd_t)
  corenet_tcp_bind_generic_node(rblsmtpd_t)
  corenet_udp_bind_generic_port(rblsmtpd_t)
@@ -100189,14 +104358,22 @@ index 9b95c3e..a892845 100644
  	init_labeled_script_domtrans($1, ulogd_initrc_exec_t)
  	domain_system_change_exemption($1)
 diff --git a/ulogd.te b/ulogd.te
-index c6acbbe..022c367 100644
+index de35e5f..022c367 100644
 --- a/ulogd.te
 +++ b/ulogd.te
-@@ -27,10 +27,12 @@ logging_log_file(ulogd_var_log_t)
+@@ -1,4 +1,4 @@
+-policy_module(ulogd, 1.3.0)
++policy_module(ulogd, 1.2.1)
+ 
+ ########################################
+ #
+@@ -26,11 +26,13 @@ logging_log_file(ulogd_var_log_t)
+ # Local policy
  #
  
- allow ulogd_t self:capability { net_admin sys_nice };
+-allow ulogd_t self:capability { net_admin setuid setgid sys_nice };
 -allow ulogd_t self:process setsched;
++allow ulogd_t self:capability { net_admin sys_nice };
 +allow ulogd_t self:process { setsched };
  allow ulogd_t self:netlink_nflog_socket create_socket_perms;
 +allow ulogd_t self:netlink_route_socket r_netlink_socket_perms;
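Review bot: the rewritten capability line strips `setuid setgid` from what the new upstream base grants (`{ net_admin setuid setgid sys_nice }` becomes `{ net_admin sys_nice }`). If the packaged ulogd is configured to switch to an unprivileged user or group, that identity change will be denied; please confirm against the F20 ulogd package and either keep the two capabilities or say in the changelog why they are dropped. Minor style point in the same hunk: `self:process { setsched };` puts braces around a single permission, where the upstream `self:process setsched;` is the usual form.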
@@ -100233,9 +104410,15 @@ index ab5c1d0..d13105e 100644
  	allow $2 { uml_ro_t uml_rw_t uml_tmp_t uml_exec_t }:dir { manage_dir_perms relabel_dir_perms };
  	allow $2 { uml_ro_t uml_rw_t uml_tmp_t uml_tmpfs_t uml_exec_t }:file { manage_file_perms relabel_file_perms };
 diff --git a/uml.te b/uml.te
-index dc03cc5..423afe4 100644
+index b68bd49..423afe4 100644
 --- a/uml.te
 +++ b/uml.te
+@@ -1,4 +1,4 @@
+-policy_module(uml, 2.3.0)
++policy_module(uml, 2.2.1)
+ 
+ ########################################
+ #
 @@ -90,7 +90,6 @@ kernel_write_proc_files(uml_t)
  
  corecmd_exec_bin(uml_t)
@@ -100280,9 +104463,15 @@ index dc03cc5..423afe4 100644
  userdom_dontaudit_search_user_home_dirs(uml_switch_t)
  
 diff --git a/updfstab.te b/updfstab.te
-index 2d871b8..acbf304 100644
+index 5ceb912..acbf304 100644
 --- a/updfstab.te
 +++ b/updfstab.te
+@@ -1,4 +1,4 @@
+-policy_module(updfstab, 1.6.0)
++policy_module(updfstab, 1.5.1)
+ 
+ ########################################
+ #
 @@ -66,8 +66,6 @@ init_use_script_ptys(updfstab_t)
  logging_search_logs(updfstab_t)
  logging_send_syslog_msg(updfstab_t)
@@ -100318,9 +104507,15 @@ index 01a3234..19f4724 100644
  	')
  
 diff --git a/uptime.te b/uptime.te
-index 09741f6..8e5b35c 100644
+index 58397dc..8e5b35c 100644
 --- a/uptime.te
 +++ b/uptime.te
+@@ -1,4 +1,4 @@
+-policy_module(uptime, 1.5.0)
++policy_module(uptime, 1.4.1)
+ 
+ ########################################
+ #
 @@ -16,7 +16,7 @@ type uptimed_initrc_exec_t;
  init_script_file(uptimed_initrc_exec_t)
  
@@ -100340,9 +104535,15 @@ index 09741f6..8e5b35c 100644
  userdom_dontaudit_search_user_home_dirs(uptimed_t)
  
 diff --git a/usbmodules.te b/usbmodules.te
-index cb9b5bb..3aa7952 100644
+index 279e511..3aa7952 100644
 --- a/usbmodules.te
 +++ b/usbmodules.te
+@@ -1,4 +1,4 @@
+-policy_module(usbmodules, 1.3.0)
++policy_module(usbmodules, 1.2.1)
+ 
+ ########################################
+ #
 @@ -24,8 +24,6 @@ files_list_kernel_modules(usbmodules_t)
  dev_list_usbfs(usbmodules_t)
  dev_rw_usbfs(usbmodules_t)
@@ -100452,9 +104653,15 @@ index 1ec5e99..88e287d 100644
 +	allow $1 usbmuxd_unit_file_t:service all_service_perms;
 +')
 diff --git a/usbmuxd.te b/usbmuxd.te
-index 8840be6..6a13ab8 100644
+index 34a8917..6a13ab8 100644
 --- a/usbmuxd.te
 +++ b/usbmuxd.te
+@@ -1,4 +1,4 @@
+-policy_module(usbmuxd, 1.2.0)
++policy_module(usbmuxd, 1.1.1)
+ 
+ ########################################
+ #
 @@ -10,34 +10,54 @@ roleattribute system_r usbmuxd_roles;
  
  type usbmuxd_t;
@@ -100535,7 +104742,7 @@ index c416a83..cd83b89 100644
 +/usr/sbin/userhelper		--	gen_context(system_u:object_r:userhelper_exec_t,s0)
 +/usr/bin/consolehelper		--	gen_context(system_u:object_r:consolehelper_exec_t,s0)
 diff --git a/userhelper.if b/userhelper.if
-index cf118fd..cd80e83 100644
+index 98b51fd..cd80e83 100644
 --- a/userhelper.if
 +++ b/userhelper.if
 @@ -1,4 +1,4 @@
@@ -100598,52 +104805,46 @@ index cf118fd..cd80e83 100644
 +	allow $1_userhelper_t self:unix_dgram_socket sendto;
 +	allow $1_userhelper_t self:unix_stream_socket connectto;
 +	allow $1_userhelper_t self:sock_file read_sock_file_perms;
- 
--	allow $1_consolehelper_t $3:unix_stream_socket connectto;
++
 +	#Transition to the derived domain.
 +	domtrans_pattern($3, userhelper_exec_t, $1_userhelper_t)
  
--	domtrans_pattern($3, consolehelper_exec_t, $1_consolehelper_t)
+-	allow $1_consolehelper_t $3:unix_stream_socket connectto;
 +	allow $1_userhelper_t userhelper_conf_t:dir rw_dir_perms;
 +	rw_files_pattern($1_userhelper_t, userhelper_conf_t, userhelper_conf_t)
  
--	allow $3 $1_consolehelper_t:process { ptrace signal_perms };
--	ps_process_pattern($3, $1_consolehelper_t)
+-	domtrans_pattern($3, consolehelper_exec_t, $1_consolehelper_t)
 +	can_exec($1_userhelper_t, userhelper_exec_t)
  
--	auth_use_pam($1_consolehelper_t)
+-	allow $3 $1_consolehelper_t:process { ptrace signal_perms };
+-	ps_process_pattern($3, $1_consolehelper_t)
 +	dontaudit $3 $1_userhelper_t:process signal;
  
--	optional_policy(`
--		dbus_connect_all_session_bus($1_consolehelper_t)
+-	auth_use_pam($1_consolehelper_t)
 +	kernel_read_all_sysctls($1_userhelper_t)
 +	kernel_getattr_debugfs($1_userhelper_t)
 +	kernel_read_system_state($1_userhelper_t)
  
--		optional_policy(`
--			userhelper_dbus_chat_all_consolehelper($3)
--		')
--	')
+-	optional_policy(`
+-		dbus_connect_all_session_bus($1_consolehelper_t)
 +	# Execute shells
 +	corecmd_exec_shell($1_userhelper_t)
 +	# By default, revert to the calling domain when a program is executed
 +	corecmd_bin_domtrans($1_userhelper_t, $3)
  
--	########################################
--	#
--	# Userhelper local policy
--	#
+-		optional_policy(`
+-			userhelper_dbus_chat_all_consolehelper($3)
+-		')
+-	')
 +	# Inherit descriptors from the current session.
 +	domain_use_interactive_fds($1_userhelper_t)
 +	# for when the user types "exec userhelper" at the command line
 +	domain_sigchld_interactive_fds($1_userhelper_t)
- 
--	domtrans_pattern($3, userhelper_exec_t, $1_userhelper_t)
++
 +	dev_read_urand($1_userhelper_t)
 +	# Read /dev directories and any symbolic links.
 +	dev_list_all_dev_nodes($1_userhelper_t)
- 
--	dontaudit $3 $1_userhelper_t:process signal;
++
 +	files_list_var_lib($1_userhelper_t)
 +	# Read the /etc/security/default_type file
 +	files_read_etc_files($1_userhelper_t)
@@ -100652,8 +104853,7 @@ index cf118fd..cd80e83 100644
 +	files_read_var_symlinks($1_userhelper_t)
 +	# for some PAM modules and for cwd
 +	files_search_home($1_userhelper_t)
- 
--	corecmd_bin_domtrans($1_userhelper_t, $3)
++
 +	fs_search_auto_mountpoints($1_userhelper_t)
 +	fs_read_nfs_files($1_userhelper_t)
 +	fs_read_nfs_symlinks($1_userhelper_t)
@@ -100675,24 +104875,33 @@ index cf118fd..cd80e83 100644
 +	term_use_all_ttys($1_userhelper_t)
 +	term_use_all_ptys($1_userhelper_t)
  
- 	auth_domtrans_chk_passwd($1_userhelper_t)
+-	########################################
+-	#
+-	# Userhelper local policy
+-	#
++	auth_domtrans_chk_passwd($1_userhelper_t)
 +	auth_manage_pam_pid($1_userhelper_t)
 +	auth_manage_var_auth($1_userhelper_t)
 +	auth_search_pam_console_data($1_userhelper_t)
- 	auth_use_nsswitch($1_userhelper_t)
++	auth_use_nsswitch($1_userhelper_t)
  
+-	domtrans_pattern($3, userhelper_exec_t, $1_userhelper_t)
 +	logging_send_syslog_msg($1_userhelper_t)
-+
+ 
+-	dontaudit $3 $1_userhelper_t:process signal;
 +	# Inherit descriptors from the current session.
 +	init_use_fds($1_userhelper_t)
 +	# Write to utmp.
 +	init_manage_utmp($1_userhelper_t)
 +	init_pid_filetrans_utmp($1_userhelper_t)
-+
-+
+ 
+-	corecmd_bin_domtrans($1_userhelper_t, $3)
+ 
+-	auth_domtrans_chk_passwd($1_userhelper_t)
+-	auth_use_nsswitch($1_userhelper_t)
 +	seutil_read_config($1_userhelper_t)
 +	seutil_read_default_contexts($1_userhelper_t)
-+
+ 
 +	# Allow $1_userhelper_t to transition to user domains.
  	userdom_bin_spec_domtrans_unpriv_users($1_userhelper_t)
  	userdom_entry_spec_domtrans_unpriv_users($1_userhelper_t)
@@ -100773,14 +104982,14 @@ index cf118fd..cd80e83 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -206,6 +263,93 @@ interface(`userhelper_exec',`
+@@ -206,14 +263,82 @@ interface(`userhelper_exec',`
  		type userhelper_exec_t;
  	')
  
 -	corecmd_search_bin($1)
  	can_exec($1, userhelper_exec_t)
  ')
-+
+ 
 +#######################################
 +## <summary>
 +##	The role template for the consolehelper module.
@@ -100851,29 +105060,33 @@ index cf118fd..cd80e83 100644
 +	')
 +')
 +
-+########################################
-+## <summary>
+ ########################################
+ ## <summary>
+-##	Execute the consolehelper program
+-##	in the caller domain.
 +##	Execute the consolehelper program in the caller domain.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -221,11 +346,10 @@ interface(`userhelper_exec',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`userhelper_exec_consolehelper',`
 +interface(`userhelper_exec_console',`
-+	gen_require(`
-+		type consolehelper_exec_t;
-+	')
-+
-+	can_exec($1, consolehelper_exec_t)
-+')
+ 	gen_require(`
+ 		type consolehelper_exec_t;
+ 	')
+ 
+-	corecmd_search_bin($1)
+ 	can_exec($1, consolehelper_exec_t)
+ ')
 diff --git a/userhelper.te b/userhelper.te
-index 274ed9c..cc18d6f 100644
+index 42cfce0..cc18d6f 100644
 --- a/userhelper.te
 +++ b/userhelper.te
 @@ -1,15 +1,12 @@
--policy_module(userhelper, 1.7.3)
+-policy_module(userhelper, 1.8.1)
 +policy_module(userhelper, 1.7.0)
  
  ########################################
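Review bot: renaming the upstream interface `userhelper_exec_consolehelper` to `userhelper_exec_console` means any module in the rebased tree that still calls the upstream name will fail to build. Either keep the upstream name or check that every caller carried in this patch uses the new one. The same hunk drops `corecmd_search_bin($1)` from the interface, so callers now depend on already having search access to the bin directories; that is worth a line in the interface's doc comment.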
@@ -101093,10 +105306,16 @@ index 7deec55..c542887 100644
  	')
  
 diff --git a/usernetctl.te b/usernetctl.te
-index dd3f01e..465c661 100644
+index f973af8..465c661 100644
 --- a/usernetctl.te
 +++ b/usernetctl.te
-@@ -6,12 +6,12 @@ policy_module(usernetctl, 1.6.1)
+@@ -1,4 +1,4 @@
+-policy_module(usernetctl, 1.7.0)
++policy_module(usernetctl, 1.6.1)
+ 
+ ########################################
+ #
+@@ -6,12 +6,12 @@ policy_module(usernetctl, 1.7.0)
  #
  
  attribute_role usernetctl_roles;
@@ -101187,9 +105406,15 @@ index af9acc0..cdaf82e 100644
  	admin_pattern($1, uucpd_log_t)
  
 diff --git a/uucp.te b/uucp.te
-index 380902c..c09534e 100644
+index 849f607..c09534e 100644
 --- a/uucp.te
 +++ b/uucp.te
+@@ -1,4 +1,4 @@
+-policy_module(uucp, 1.13.0)
++policy_module(uucp, 1.12.1)
+ 
+ ########################################
+ #
 @@ -31,7 +31,7 @@ type uucpd_ro_t;
  files_type(uucpd_ro_t)
  
@@ -101288,9 +105513,15 @@ index 6e48653..6abf74a 100644
  	uuidd_initrc_domtrans($1)
  	domain_system_change_exemption($1)
 diff --git a/uuidd.te b/uuidd.te
-index e670f55..2b332c5 100644
+index f8e52fc..2b332c5 100644
 --- a/uuidd.te
 +++ b/uuidd.te
+@@ -1,4 +1,4 @@
+-policy_module(uuidd, 1.1.0)
++policy_module(uuidd, 1.0.1)
+ 
+ ########################################
+ #
 @@ -42,6 +42,4 @@ dev_read_urand(uuidd_t)
  
  domain_use_interactive_fds(uuidd_t)
@@ -101298,10 +105529,25 @@ index e670f55..2b332c5 100644
 -files_read_etc_files(uuidd_t)
  
 -miscfiles_read_localization(uuidd_t)
+diff --git a/uwimap.fc b/uwimap.fc
+index e85c4ae..3c504c6 100644
+--- a/uwimap.fc
++++ b/uwimap.fc
+@@ -1,3 +1,3 @@
+-/usr/sbin/imapd	--	gen_context(system_u:object_r:imapd_exec_t,s0)
++/usr/sbin/imapd	-- 	gen_context(system_u:object_r:imapd_exec_t,s0)
+ 
+ /var/run/imapd\.pid	--	gen_context(system_u:object_r:imapd_var_run_t,s0)
 diff --git a/uwimap.te b/uwimap.te
-index b81e5c8..d120c52 100644
+index acdc78a..d120c52 100644
 --- a/uwimap.te
 +++ b/uwimap.te
+@@ -1,4 +1,4 @@
+-policy_module(uwimap, 1.10.0)
++policy_module(uwimap, 1.9.3)
+ 
+ ########################################
+ #
 @@ -37,7 +37,6 @@ kernel_read_kernel_sysctls(imapd_t)
  kernel_list_proc(imapd_t)
  kernel_read_proc_symlinks(imapd_t)
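Review bot: the new uwimap.fc hunk differs from upstream only in whitespace on the `/usr/sbin/imapd` line (a space is added after `--`), with the same path, file type and context. Drop this hunk from the patch; it labels nothing differently and only adds another file to re-check on every rebase.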
@@ -101416,9 +105662,15 @@ index 9d4d8cb..1189323 100644
  tunable_policy(`varnishd_connect_any',`
  	corenet_sendrecv_all_client_packets(varnishd_t)
 diff --git a/vbetool.te b/vbetool.te
-index 14e1eec..b33d259 100644
+index 2a61f75..b33d259 100644
 --- a/vbetool.te
 +++ b/vbetool.te
+@@ -1,4 +1,4 @@
+-policy_module(vbetool, 1.7.0)
++policy_module(vbetool, 1.6.1)
+ 
+ ########################################
+ #
 @@ -27,6 +27,7 @@ role vbetool_roles types vbetool_t;
  #
  
@@ -101533,9 +105785,15 @@ index 31c752e..ef52235 100644
  	init_labeled_script_domtrans($1, vdagentd_initrc_exec_t)
  	domain_system_change_exemption($1)
 diff --git a/vdagent.te b/vdagent.te
-index 77be35a..9ed83d0 100644
+index 87da8a2..9ed83d0 100644
 --- a/vdagent.te
 +++ b/vdagent.te
+@@ -1,4 +1,4 @@
+-policy_module(vdagent, 1.1.1)
++policy_module(vdagent, 1.0.2)
+ 
+ ########################################
+ #
 @@ -25,6 +25,7 @@ logging_log_file(vdagent_log_t)
  
  dontaudit vdagent_t self:capability sys_admin;
@@ -101544,29 +105802,31 @@ index 77be35a..9ed83d0 100644
  allow vdagent_t self:fifo_file rw_fifo_file_perms;
  allow vdagent_t self:unix_stream_socket { accept listen };
  
-@@ -39,20 +40,25 @@ create_files_pattern(vdagent_t, vdagent_log_t, vdagent_log_t)
+@@ -39,23 +40,25 @@ create_files_pattern(vdagent_t, vdagent_log_t, vdagent_log_t)
  setattr_files_pattern(vdagent_t, vdagent_log_t, vdagent_log_t)
  logging_log_filetrans(vdagent_t, vdagent_log_t, file)
  
 +kernel_request_load_module(vdagent_t)
 +
  dev_rw_input_dev(vdagent_t)
+-dev_rw_mtrr(vdagent_t)
  dev_read_sysfs(vdagent_t)
  dev_dontaudit_write_mtrr(vdagent_t)
  
 -files_read_etc_files(vdagent_t)
--
- init_read_state(vdagent_t)
++init_read_state(vdagent_t)
  
--logging_send_syslog_msg(vdagent_t)
+-term_use_virtio_console(vdagent_t)
 +systemd_read_logind_sessions_files(vdagent_t)
 +systemd_login_read_pid_files(vdagent_t)
  
--miscfiles_read_localization(vdagent_t)
+-init_read_state(vdagent_t)
 +term_use_virtio_console(vdagent_t)
-+
-+logging_send_syslog_msg(vdagent_t)
  
+ logging_send_syslog_msg(vdagent_t)
+ 
+-miscfiles_read_localization(vdagent_t)
+-
  userdom_read_all_users_state(vdagent_t)
  
 +xserver_read_xdm_state(vdagent_t)
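Review bot: this hunk removes the upstream `dev_rw_mtrr(vdagent_t)` while the unchanged `dev_dontaudit_write_mtrr(vdagent_t)` stays, so MTRR writes by vdagent are denied and also hidden from the audit log. If withholding the access is intended, a denied write will leave no AVC to diagnose from; consider stating in the changelog that the access is deliberately not granted, or dropping the dontaudit until it is clear the agent works without it.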
@@ -101594,9 +105854,15 @@ index 22edd58..c3a5364 100644
  	domain_system_change_exemption($1)
  	role_transition $2 vhostmd_initrc_exec_t system_r;
 diff --git a/vhostmd.te b/vhostmd.te
-index 0be8535..b96e329 100644
+index 3d11c6a..b96e329 100644
 --- a/vhostmd.te
 +++ b/vhostmd.te
+@@ -1,4 +1,4 @@
+-policy_module(vhostmd, 1.1.0)
++policy_module(vhostmd, 1.0.1)
+ 
+ ########################################
+ #
 @@ -58,14 +58,11 @@ dev_read_urand(vhostmd_t)
  dev_read_sysfs(vhostmd_t)
  
@@ -101621,10 +105887,10 @@ index 0be8535..b96e329 100644
  
  optional_policy(`
 diff --git a/virt.fc b/virt.fc
-index c30da4c..9ccc90c 100644
+index a4f20bc..9ccc90c 100644
 --- a/virt.fc
 +++ b/virt.fc
-@@ -1,52 +1,97 @@
+@@ -1,51 +1,97 @@
 -HOME_DIR/\.libvirt(/.*)?	gen_context(system_u:object_r:virt_home_t,s0)
 -HOME_DIR/\.libvirt/qemu(/.*)?	gen_context(system_u:object_r:svirt_home_t,s0)
 -HOME_DIR/\.virtinst(/.*)?	gen_context(system_u:object_r:virt_home_t,s0)
@@ -101655,8 +105921,7 @@ index c30da4c..9ccc90c 100644
 +/etc/xen/[^/]*		-d	gen_context(system_u:object_r:virt_etc_rw_t,s0)
 +/etc/xen/.*/.*			gen_context(system_u:object_r:virt_etc_rw_t,s0)
  
--/etc/rc\.d/init\.d/libvirt-bin	--	gen_context(system_u:object_r:virtd_initrc_exec_t,s0)
--/etc/rc\.d/init\.d/libvirtd	--	gen_context(system_u:object_r:virtd_initrc_exec_t,s0)
+-/etc/rc\.d/init\.d/(libvirt-bin|libvirtd)	--	gen_context(system_u:object_r:virtd_initrc_exec_t,s0)
 +/usr/libexec/libvirt_lxc --	gen_context(system_u:object_r:virtd_lxc_exec_t,s0)
 +/usr/libexec/qemu-bridge-helper		gen_context(system_u:object_r:virt_bridgehelper_exec_t,s0)
  
@@ -101693,32 +105958,24 @@ index c30da4c..9ccc90c 100644
 +/var/lib/libvirt/images(/.*)? 	gen_context(system_u:object_r:virt_image_t,s0)
 +/var/lib/libvirt/isos(/.*)? 	gen_context(system_u:object_r:virt_content_t,s0)
 +/var/lib/libvirt/qemu(/.*)? 	gen_context(system_u:object_r:qemu_var_run_t,s0-mls_systemhigh)
- 
--/var/log/log(/.*)?	gen_context(system_u:object_r:virt_log_t,s0)
--/var/log/libvirt(/.*)?	gen_context(system_u:object_r:virt_log_t,s0)
--/var/log/vdsm(/.*)?	gen_context(system_u:object_r:virt_log_t,s0)
--
--/var/vdsm(/.*)?		gen_context(system_u:object_r:virt_var_run_t,s0)
--
--/var/run/libguestfs(/.*)?	gen_context(system_u:object_r:virt_var_run_t,s0)
++
 +/var/lock/xl		--	gen_context(system_u:object_r:virt_log_t,s0)
 +/var/log/log(/.*)?		gen_context(system_u:object_r:virt_log_t,s0)
 +/var/log/libvirt(/.*)?		gen_context(system_u:object_r:virt_log_t,s0)
 +/var/log/vdsm(/.*)?		gen_context(system_u:object_r:virt_log_t,s0)
- /var/run/libvirtd\.pid	--	gen_context(system_u:object_r:virt_var_run_t,s0)
- /var/run/libvirt(/.*)?		gen_context(system_u:object_r:virt_var_run_t,s0)
--/var/run/libvirt/lxc(/.*)?	gen_context(system_u:object_r:virtd_lxc_var_run_t,s0)
--/var/run/libvirt-sandbox(/.*)?	gen_context(system_u:object_r:virtd_lxc_var_run_t,s0)
--/var/run/libvirt/qemu(/.*)?	gen_context(system_u:object_r:svirt_var_run_t,s0-mls_systemhigh)
--/var/run/user/[^/]*/libguestfs(/.*)?	gen_context(system_u:object_r:virt_home_t,s0)
--/var/run/vdsm(/.*)?	gen_context(system_u:object_r:virt_var_run_t,s0)
++/var/run/libvirtd\.pid	--	gen_context(system_u:object_r:virt_var_run_t,s0)
++/var/run/libvirt(/.*)?		gen_context(system_u:object_r:virt_var_run_t,s0)
 +/var/run/libvirt/qemu(/.*)? 	gen_context(system_u:object_r:qemu_var_run_t,s0-mls_systemhigh)
 +/var/run/libvirt/lxc(/.*)?	gen_context(system_u:object_r:virt_lxc_var_run_t,s0)
 +/var/run/libvirt-sandbox(/.*)?	gen_context(system_u:object_r:virt_lxc_var_run_t,s0)
 +/var/run/vdsm(/.*)?		gen_context(system_u:object_r:virt_var_run_t,s0)
-+
+ 
+-/var/log/log(/.*)?	gen_context(system_u:object_r:virt_log_t,s0)
+-/var/log/libvirt(/.*)?	gen_context(system_u:object_r:virt_log_t,s0)
+-/var/log/vdsm(/.*)?	gen_context(system_u:object_r:virt_log_t,s0)
 +/var/vdsm(/.*)?			gen_context(system_u:object_r:virt_var_run_t,s0)
-+
+ 
+-/var/vdsm(/.*)?		gen_context(system_u:object_r:virt_var_run_t,s0)
 +# support for AEOLUS project
 +/usr/bin/imagefactory		--			gen_context(system_u:object_r:virtd_exec_t,s0)
 +/usr/bin/imgfac\.py		--			gen_context(system_u:object_r:virtd_exec_t,s0)
@@ -101727,7 +105984,15 @@ index c30da4c..9ccc90c 100644
 +/var/lib/oz(/.*)?					gen_context(system_u:object_r:virt_var_lib_t,s0)
 +/var/lib/oz/isos(/.*)?				gen_context(system_u:object_r:virt_content_t,s0)
 +/var/lib/vdsm(/.*)?				gen_context(system_u:object_r:virt_content_t,s0)
-+
+ 
+-/var/run/libguestfs(/.*)?	gen_context(system_u:object_r:virt_var_run_t,s0)
+-/var/run/libvirtd\.pid	--	gen_context(system_u:object_r:virt_var_run_t,s0)
+-/var/run/libvirt(/.*)?	gen_context(system_u:object_r:virt_var_run_t,s0)
+-/var/run/libvirt/lxc(/.*)?	gen_context(system_u:object_r:virtd_lxc_var_run_t,s0)
+-/var/run/libvirt-sandbox(/.*)?	gen_context(system_u:object_r:virtd_lxc_var_run_t,s0)
+-/var/run/libvirt/qemu(/.*)?	gen_context(system_u:object_r:svirt_var_run_t,s0-mls_systemhigh)
+-/var/run/user/[^/]*/libguestfs(/.*)?	gen_context(system_u:object_r:virt_home_t,s0)
+-/var/run/vdsm(/.*)?	gen_context(system_u:object_r:virt_var_run_t,s0)
 +# add support vios-proxy-*
 +/usr/bin/vios-proxy-host	--	gen_context(system_u:object_r:virtd_exec_t,s0)
 +/usr/bin/vios-proxy-guest	--  gen_context(system_u:object_r:virtd_exec_t,s0)
@@ -101762,7 +106027,7 @@ index c30da4c..9ccc90c 100644
 +/var/log/qemu-ga\.log.*           --      gen_context(system_u:object_r:virt_qemu_ga_log_t,s0)
 +/var/log/qemu-ga(/.*)?		gen_context(system_u:object_r:virt_qemu_ga_log_t,s0)
 diff --git a/virt.if b/virt.if
-index 9dec06c..c7a2d97 100644
+index facdee8..c7a2d97 100644
 --- a/virt.if
 +++ b/virt.if
 @@ -1,120 +1,51 @@
@@ -103536,7 +107801,7 @@ index 9dec06c..c7a2d97 100644
 -		type virt_bridgehelper_t, virt_qmf_t, virt_var_lib_t;
 -		type virt_var_run_t, virt_tmp_t, virt_log_t;
 -		type virt_lock_t, svirt_var_run_t, virt_etc_rw_t;
--		type virt_etc_t, svirt_cache_t;
+-		type virt_etc_t, svirt_cache_t, virtd_keytab_t;
 +		attribute virt_domain;
 +		attribute virt_system_domain;
 +		attribute svirt_file_type;
@@ -103569,7 +107834,7 @@ index 9dec06c..c7a2d97 100644
 -	admin_pattern($1, { virt_tmp_type virt_tmp_t })
 -
 -	files_search_etc($1)
--	admin_pattern($1, { virt_etc_t virt_etc_rw_t })
+-	admin_pattern($1, { virt_etc_t virt_etc_rw_t virtd_keytab_t })
 -
 -	logging_search_logs($1)
 -	admin_pattern($1, virt_log_t)
@@ -103614,11 +107879,11 @@ index 9dec06c..c7a2d97 100644
 +	typeattribute $1 sandbox_caps_domain;
  ')
 diff --git a/virt.te b/virt.te
-index 1f22fba..92d1a81 100644
+index f03dcf5..92d1a81 100644
 --- a/virt.te
 +++ b/virt.te
-@@ -1,147 +1,224 @@
--policy_module(virt, 1.6.10)
+@@ -1,149 +1,223 @@
+-policy_module(virt, 1.7.4)
 +policy_module(virt, 1.5.0)
  
  ########################################
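Review bot: In the regenerated virt.te header the patch now rewrites `policy_module(virt, 1.7.4)` to `policy_module(virt, 1.5.0)`, so the module version goes backwards relative to the tree the patch applies to. The same pattern repeats in the new `@@ -1,4 +1,4 @@` hunks added further down for vlock, vmware, vnstatd, w3c, watchdog and others. Unless something depends on the old numbers, drop the `policy_module(...)` lines from the patch and keep the base's versions. That removes one conflicting hunk per module on every regeneration and keeps the reported module version in step with the code it was built from.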
@@ -103904,15 +108169,16 @@ index 1f22fba..92d1a81 100644
 +type virtd_initrc_exec_t, virt_file_type;
  init_script_file(virtd_initrc_exec_t)
  
+-type virtd_keytab_t;
+-files_type(virtd_keytab_t)
 +type qemu_var_run_t, virt_file_type;
 +typealias qemu_var_run_t alias svirt_var_run_t;
 +files_pid_file(qemu_var_run_t)
 +mls_trusted_object(qemu_var_run_t)
-+
+ 
  ifdef(`enable_mcs',`
  	init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mcs_systemhigh)
- ')
-@@ -150,295 +227,132 @@ ifdef(`enable_mls',`
+@@ -153,299 +227,132 @@ ifdef(`enable_mls',`
  	init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mls_systemhigh)
  ')
  
@@ -103974,6 +108240,7 @@ index 1f22fba..92d1a81 100644
  
 -allow virt_domain self:process { signal getsched signull };
 -allow virt_domain self:fifo_file rw_fifo_file_perms;
+-allow virt_domain self:netlink_kobject_uevent_socket create_socket_perms;
 -allow virt_domain self:netlink_route_socket r_netlink_socket_perms;
 -allow virt_domain self:shm create_shm_perms;
 -allow virt_domain self:tcp_socket create_stream_socket_perms;
@@ -104120,6 +108387,7 @@ index 1f22fba..92d1a81 100644
 -tunable_policy(`virt_use_usb',`
 -	dev_rw_usbfs(virt_domain)
 -	dev_read_sysfs(virt_domain)
+-	fs_getattr_dos_fs(virt_domain)
 -	fs_manage_dos_dirs(virt_domain)
 -	fs_manage_dos_files(virt_domain)
 -')
@@ -104234,7 +108502,7 @@ index 1f22fba..92d1a81 100644
 +')
 +
  allow virtd_t self:fifo_file { manage_fifo_file_perms relabelfrom relabelto };
--allow virtd_t self:unix_stream_socket { accept connectto listen };
+-allow virtd_t self:unix_stream_socket { accept connectto listen relabelfrom relabelto };
 -allow virtd_t self:tcp_socket { accept listen };
 +allow virtd_t self:unix_stream_socket { connectto create_stream_socket_perms relabelfrom relabelto };
 +allow virtd_t self:tcp_socket create_stream_socket_perms;
@@ -104262,11 +108530,7 @@ index 1f22fba..92d1a81 100644
  manage_files_pattern(virtd_t, virt_content_t, virt_content_t)
 -filetrans_pattern(virtd_t, virt_home_t, virt_content_t, dir, "isos")
  
--allow virtd_t svirt_var_run_t:file relabel_file_perms;
--manage_dirs_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t)
--manage_files_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t)
--manage_sock_files_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t)
--filetrans_pattern(virtd_t, virt_var_run_t, svirt_var_run_t, dir, "qemu")
+-allow virtd_t virtd_keytab_t:file read_file_perms;
 +allow virtd_t virt_domain:process { getattr getsched setsched transition signal signull sigkill };
 +allow virtd_t svirt_sandbox_domain:process { getattr getsched setsched transition signal signull sigkill };
 +allow virt_domain virtd_t:fd use;
@@ -104275,7 +108539,12 @@ index 1f22fba..92d1a81 100644
 +
 +can_exec(virtd_t, qemu_exec_t)
 +can_exec(virt_domain, qemu_exec_t)
-+
+ 
+-allow virtd_t svirt_var_run_t:file relabel_file_perms;
+-manage_dirs_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t)
+-manage_files_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t)
+-manage_sock_files_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t)
+-filetrans_pattern(virtd_t, virt_var_run_t, svirt_var_run_t, dir, "qemu")
 +allow virtd_t qemu_var_run_t:file relabel_file_perms;
 +manage_dirs_pattern(virtd_t, qemu_var_run_t, qemu_var_run_t)
 +manage_files_pattern(virtd_t, qemu_var_run_t, qemu_var_run_t)
@@ -104285,7 +108554,7 @@ index 1f22fba..92d1a81 100644
  
  read_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
  read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
-@@ -448,42 +362,29 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
+@@ -455,42 +362,29 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
  manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
  filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
  
@@ -104332,7 +108601,7 @@ index 1f22fba..92d1a81 100644
  logging_log_filetrans(virtd_t, virt_log_t, { file dir })
  
  manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
-@@ -496,16 +397,12 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
+@@ -503,16 +397,12 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
  manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
  files_pid_filetrans(virtd_t, virt_var_run_t, { file dir })
  
@@ -104354,7 +108623,7 @@ index 1f22fba..92d1a81 100644
  kernel_read_system_state(virtd_t)
  kernel_read_network_state(virtd_t)
  kernel_rw_net_sysctls(virtd_t)
-@@ -513,6 +410,7 @@ kernel_read_kernel_sysctls(virtd_t)
+@@ -520,6 +410,7 @@ kernel_read_kernel_sysctls(virtd_t)
  kernel_request_load_module(virtd_t)
  kernel_search_debugfs(virtd_t)
  kernel_setsched(virtd_t)
@@ -104362,7 +108631,7 @@ index 1f22fba..92d1a81 100644
  
  corecmd_exec_bin(virtd_t)
  corecmd_exec_shell(virtd_t)
-@@ -520,24 +418,16 @@ corecmd_exec_shell(virtd_t)
+@@ -527,24 +418,16 @@ corecmd_exec_shell(virtd_t)
  corenet_all_recvfrom_netlabel(virtd_t)
  corenet_tcp_sendrecv_generic_if(virtd_t)
  corenet_tcp_sendrecv_generic_node(virtd_t)
@@ -104390,7 +108659,7 @@ index 1f22fba..92d1a81 100644
  dev_rw_sysfs(virtd_t)
  dev_read_urand(virtd_t)
  dev_read_rand(virtd_t)
-@@ -548,22 +438,27 @@ dev_rw_vhost(virtd_t)
+@@ -555,22 +438,27 @@ dev_rw_vhost(virtd_t)
  dev_setattr_generic_usb_dev(virtd_t)
  dev_relabel_generic_usb_dev(virtd_t)
  
@@ -104423,7 +108692,7 @@ index 1f22fba..92d1a81 100644
  fs_rw_anon_inodefs_files(virtd_t)
  fs_list_inotifyfs(virtd_t)
  fs_manage_cgroup_dirs(virtd_t)
-@@ -594,15 +489,18 @@ term_use_ptmx(virtd_t)
+@@ -601,15 +489,18 @@ term_use_ptmx(virtd_t)
  
  auth_use_nsswitch(virtd_t)
  
@@ -104443,7 +108712,7 @@ index 1f22fba..92d1a81 100644
  
  selinux_validate_context(virtd_t)
  
-@@ -613,18 +511,26 @@ seutil_read_file_contexts(virtd_t)
+@@ -620,18 +511,26 @@ seutil_read_file_contexts(virtd_t)
  sysnet_signull_ifconfig(virtd_t)
  sysnet_signal_ifconfig(virtd_t)
  sysnet_domtrans_ifconfig(virtd_t)
@@ -104480,7 +108749,7 @@ index 1f22fba..92d1a81 100644
  
  tunable_policy(`virt_use_nfs',`
  	fs_manage_nfs_dirs(virtd_t)
-@@ -633,7 +539,7 @@ tunable_policy(`virt_use_nfs',`
+@@ -640,7 +539,7 @@ tunable_policy(`virt_use_nfs',`
  ')
  
  tunable_policy(`virt_use_samba',`
@@ -104489,7 +108758,7 @@ index 1f22fba..92d1a81 100644
  	fs_manage_cifs_files(virtd_t)
  	fs_read_cifs_symlinks(virtd_t)
  ')
-@@ -658,20 +564,12 @@ optional_policy(`
+@@ -665,20 +564,12 @@ optional_policy(`
  	')
  
  	optional_policy(`
@@ -104510,7 +108779,7 @@ index 1f22fba..92d1a81 100644
  ')
  
  optional_policy(`
-@@ -684,14 +582,20 @@ optional_policy(`
+@@ -691,20 +582,25 @@ optional_policy(`
  	dnsmasq_kill(virtd_t)
  	dnsmasq_signull(virtd_t)
  	dnsmasq_create_pid_dirs(virtd_t)
@@ -104533,7 +108802,14 @@ index 1f22fba..92d1a81 100644
  	iptables_manage_config(virtd_t)
  ')
  
-@@ -704,11 +608,13 @@ optional_policy(`
+ optional_policy(`
+-	kerberos_read_keytab(virtd_t)
+-	kerberos_use(virtd_t)
++	kerberos_keytab_template(virtd, virtd_t)
+ ')
+ 
+ optional_policy(`
+@@ -712,11 +608,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -104547,7 +108823,7 @@ index 1f22fba..92d1a81 100644
  	policykit_domtrans_auth(virtd_t)
  	policykit_domtrans_resolve(virtd_t)
  	policykit_read_lib(virtd_t)
-@@ -719,10 +625,18 @@ optional_policy(`
+@@ -727,10 +625,18 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -104566,8 +108842,11 @@ index 1f22fba..92d1a81 100644
  	kernel_read_xen_state(virtd_t)
  	kernel_write_xen_state(virtd_t)
  
-@@ -737,44 +651,277 @@ optional_policy(`
+@@ -743,47 +649,279 @@ optional_policy(`
+ optional_policy(`
+ 	udev_domtrans(virtd_t)
  	udev_read_db(virtd_t)
+-	udev_read_pid_files(virtd_t)
  ')
  
 -########################################
@@ -104713,7 +108992,7 @@ index 1f22fba..92d1a81 100644
 +# I think we need these for now.
 +miscfiles_read_public_files(virt_domain)
 +miscfiles_read_generic_certs(virt_domain)
-+
+ 
 +storage_raw_read_removable_device(virt_domain)
 +
 +sysnet_read_config(virt_domain)
@@ -104823,7 +109102,7 @@ index 1f22fba..92d1a81 100644
 +init_system_domain(virsh_t, virsh_exec_t)
 +typealias virsh_t alias xm_t;
 +typealias virsh_exec_t alias xm_exec_t;
- 
++
 +allow virsh_t self:capability { setpcap dac_override ipc_lock sys_admin sys_chroot sys_nice sys_tty_config };
 +allow virsh_t self:process { getcap getsched setsched setcap setexec signal };
 +allow virsh_t self:fifo_file rw_fifo_file_perms;
@@ -104867,7 +109146,7 @@ index 1f22fba..92d1a81 100644
  kernel_read_system_state(virsh_t)
  kernel_read_network_state(virsh_t)
  kernel_read_kernel_sysctls(virsh_t)
-@@ -785,25 +932,18 @@ kernel_write_xen_state(virsh_t)
+@@ -794,25 +932,18 @@ kernel_write_xen_state(virsh_t)
  corecmd_exec_bin(virsh_t)
  corecmd_exec_shell(virsh_t)
  
@@ -104894,7 +109173,7 @@ index 1f22fba..92d1a81 100644
  
  fs_getattr_all_fs(virsh_t)
  fs_manage_xenfs_dirs(virsh_t)
-@@ -812,23 +952,25 @@ fs_search_auto_mountpoints(virsh_t)
+@@ -821,23 +952,25 @@ fs_search_auto_mountpoints(virsh_t)
  
  storage_raw_read_fixed_disk(virsh_t)
  
@@ -104911,10 +109190,10 @@ index 1f22fba..92d1a81 100644
  
 -logging_send_syslog_msg(virsh_t)
 +systemd_exec_systemctl(virsh_t)
-+
-+auth_read_passwd(virsh_t)
  
 -miscfiles_read_localization(virsh_t)
++auth_read_passwd(virsh_t)
++
 +logging_send_syslog_msg(virsh_t)
  
  sysnet_dns_name_resolve(virsh_t)
@@ -104928,7 +109207,7 @@ index 1f22fba..92d1a81 100644
  
  tunable_policy(`virt_use_nfs',`
  	fs_manage_nfs_dirs(virsh_t)
-@@ -847,14 +989,20 @@ optional_policy(`
+@@ -856,14 +989,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -104950,7 +109229,7 @@ index 1f22fba..92d1a81 100644
  	xen_stream_connect(virsh_t)
  	xen_stream_connect_xenstore(virsh_t)
  ')
-@@ -879,49 +1027,65 @@ optional_policy(`
+@@ -888,49 +1027,65 @@ optional_policy(`
  	kernel_read_xen_state(virsh_ssh_t)
  	kernel_write_xen_state(virsh_ssh_t)
  
@@ -105034,7 +109313,7 @@ index 1f22fba..92d1a81 100644
  
  corecmd_exec_bin(virtd_lxc_t)
  corecmd_exec_shell(virtd_lxc_t)
-@@ -933,17 +1097,16 @@ dev_read_urand(virtd_lxc_t)
+@@ -942,17 +1097,16 @@ dev_read_urand(virtd_lxc_t)
  
  domain_use_interactive_fds(virtd_lxc_t)
  
@@ -105054,7 +109333,7 @@ index 1f22fba..92d1a81 100644
  fs_getattr_all_fs(virtd_lxc_t)
  fs_manage_tmpfs_dirs(virtd_lxc_t)
  fs_manage_tmpfs_chr_files(virtd_lxc_t)
-@@ -955,8 +1118,23 @@ fs_rw_cgroup_files(virtd_lxc_t)
+@@ -964,8 +1118,23 @@ fs_rw_cgroup_files(virtd_lxc_t)
  fs_unmount_all_fs(virtd_lxc_t)
  fs_relabelfrom_tmpfs(virtd_lxc_t)
  
@@ -105078,7 +109357,7 @@ index 1f22fba..92d1a81 100644
  selinux_get_enforce_mode(virtd_lxc_t)
  selinux_get_fs_mount(virtd_lxc_t)
  selinux_validate_context(virtd_lxc_t)
-@@ -965,194 +1143,317 @@ selinux_compute_create_context(virtd_lxc_t)
+@@ -974,194 +1143,317 @@ selinux_compute_create_context(virtd_lxc_t)
  selinux_compute_relabel_context(virtd_lxc_t)
  selinux_compute_user_contexts(virtd_lxc_t)
  
@@ -105490,10 +109769,10 @@ index 1f22fba..92d1a81 100644
 +
 +list_dirs_pattern(svirt_qemu_net_t, virt_content_t, virt_content_t)
 +read_files_pattern(svirt_qemu_net_t, virt_content_t, virt_content_t)
-+
-+append_files_pattern(svirt_qemu_net_t, virt_log_t, virt_log_t)
  
 -allow svirt_prot_exec_t self:process { execmem execstack };
++append_files_pattern(svirt_qemu_net_t, virt_log_t, virt_log_t)
++
 +kernel_read_irq_sysctls(svirt_qemu_net_t)
 +
 +dev_read_sysfs(svirt_qemu_net_t)
@@ -105536,7 +109815,7 @@ index 1f22fba..92d1a81 100644
  allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
  allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
  
-@@ -1165,12 +1466,12 @@ dev_read_sysfs(virt_qmf_t)
+@@ -1174,12 +1466,12 @@ dev_read_sysfs(virt_qmf_t)
  dev_read_rand(virt_qmf_t)
  dev_read_urand(virt_qmf_t)
  
@@ -105551,7 +109830,7 @@ index 1f22fba..92d1a81 100644
  sysnet_read_config(virt_qmf_t)
  
  optional_policy(`
-@@ -1183,9 +1484,8 @@ optional_policy(`
+@@ -1192,9 +1484,8 @@ optional_policy(`
  
  ########################################
  #
@@ -105562,7 +109841,7 @@ index 1f22fba..92d1a81 100644
  allow virt_bridgehelper_t self:process { setcap getcap };
  allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin };
  allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
-@@ -1198,5 +1498,219 @@ kernel_read_network_state(virt_bridgehelper_t)
+@@ -1207,5 +1498,219 @@ kernel_read_network_state(virt_bridgehelper_t)
  
  corenet_rw_tun_tap_dev(virt_bridgehelper_t)
  
@@ -105785,9 +110064,15 @@ index 1f22fba..92d1a81 100644
 +
 +allow sandbox_caps_domain self:capability { chown dac_override fowner kill setgid setuid setpcap net_bind_service net_raw sys_chroot mknod audit_write setfcap };
 diff --git a/vlock.te b/vlock.te
-index 9ead775..b5285e7 100644
+index 6b72968..b5285e7 100644
 --- a/vlock.te
 +++ b/vlock.te
+@@ -1,4 +1,4 @@
+-policy_module(vlock, 1.2.0)
++policy_module(vlock, 1.1.1)
+ 
+ ########################################
+ #
 @@ -38,7 +38,7 @@ auth_use_pam(vlock_t)
  
  init_dontaudit_rw_utmp(vlock_t)
@@ -106057,9 +110342,15 @@ index 20a1fb2..470ea95 100644
  	allow $2 { vmware_tmp_t vmware_file_t }:dir { manage_dir_perms relabel_dir_perms };
  	allow $2 { vmware_conf_t vmware_file_t vmware_tmp_t vmware_tmpfs_t }:file { manage_file_perms relabel_file_perms };
 diff --git a/vmware.te b/vmware.te
-index 3a56513..d7ec42b 100644
+index 4ad1894..d7ec42b 100644
 --- a/vmware.te
 +++ b/vmware.te
+@@ -1,4 +1,4 @@
+-policy_module(vmware, 2.7.0)
++policy_module(vmware, 2.6.1)
+ 
+ ########################################
+ #
 @@ -65,7 +65,8 @@ ifdef(`enable_mcs',`
  # Host local policy
  #
@@ -106177,9 +110468,15 @@ index 137ac44..b644854 100644
  	domain_system_change_exemption($1)
  	role_transition $2 vnstatd_initrc_exec_t system_r;
 diff --git a/vnstatd.te b/vnstatd.te
-index febc3e5..ff18188 100644
+index e2220ae..ff18188 100644
 --- a/vnstatd.te
 +++ b/vnstatd.te
+@@ -1,4 +1,4 @@
+-policy_module(vnstatd, 1.1.0)
++policy_module(vnstatd, 1.0.1)
+ 
+ ########################################
+ #
 @@ -36,7 +36,7 @@ allow vnstatd_t self:unix_stream_socket { accept listen };
  
  manage_dirs_pattern(vnstatd_t, vnstatd_var_lib_t, vnstatd_var_lib_t)
@@ -106328,16 +110625,16 @@ index 7a7f342..afedcba 100644
  ## <param name="domain">
  ##	<summary>
 diff --git a/vpn.te b/vpn.te
-index 9329eae..38a4bf3 100644
+index 95b26d1..38a4bf3 100644
 --- a/vpn.te
 +++ b/vpn.te
 @@ -1,4 +1,4 @@
--policy_module(vpn, 1.15.1)
+-policy_module(vpn, 1.16.0)
 +policy_module(vpn, 1.15.0)
  
  ########################################
  #
-@@ -6,6 +6,7 @@ policy_module(vpn, 1.15.1)
+@@ -6,6 +6,7 @@ policy_module(vpn, 1.16.0)
  #
  
  attribute_role vpnc_roles;
@@ -106448,11 +110745,27 @@ index 9329eae..38a4bf3 100644
 -	seutil_use_newrole_fds(vpnc_t)
 +	networkmanager_manage_pid_files(vpnc_t)
  ')
+diff --git a/w3c.fc b/w3c.fc
+index 463c799..4834796 100644
+--- a/w3c.fc
++++ b/w3c.fc
+@@ -1,4 +1,4 @@
+-/usr/lib/cgi-bin/check	--	gen_context(system_u:object_r:httpd_w3c_validator_script_exec_t,s0)
++/usr/lib/cgi-bin/check	gen_context(system_u:object_r:httpd_w3c_validator_script_exec_t,s0)
+ 
+ /usr/share/w3c-markup-validator(/.*)?	gen_context(system_u:object_r:httpd_w3c_validator_content_t,s0)
+ /usr/share/w3c-markup-validator/cgi-bin(/.*)?	gen_context(system_u:object_r:httpd_w3c_validator_script_exec_t,s0)
 diff --git a/w3c.te b/w3c.te
-index bcb76b6..d3cf4a8 100644
+index b14d6a9..d3cf4a8 100644
 --- a/w3c.te
 +++ b/w3c.te
-@@ -7,10 +7,17 @@ policy_module(w3c, 1.0.1)
+@@ -1,4 +1,4 @@
+-policy_module(w3c, 1.1.0)
++policy_module(w3c, 1.0.1)
+ 
+ ########################################
+ #
+@@ -7,10 +7,17 @@ policy_module(w3c, 1.1.0)
  
  apache_content_template(w3c_validator)
  
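Review bot: The new w3c.fc hunk strips the `--` file-class field from the `/usr/lib/cgi-bin/check` entry, so the `httpd_w3c_validator_script_exec_t` label is no longer limited to a regular file at that path and applies to whatever object class is found there. The base being patched already has the stricter form. Keep it and drop this hunk, or state in the changelog why the class restriction has to go.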
@@ -106488,9 +110801,15 @@ index eecd0e0..8df2e8c 100644
  
  /var/run/watchdog\.pid	--	gen_context(system_u:object_r:watchdog_var_run_t,s0)
 diff --git a/watchdog.te b/watchdog.te
-index 29f79e8..026b259 100644
+index 3548317..026b259 100644
 --- a/watchdog.te
 +++ b/watchdog.te
+@@ -1,4 +1,4 @@
+-policy_module(watchdog, 1.8.0)
++policy_module(watchdog, 1.7.1)
+ 
+ #################################
+ #
 @@ -12,29 +12,41 @@ init_daemon_domain(watchdog_t, watchdog_exec_t)
  type watchdog_initrc_exec_t;
  init_script_file(watchdog_initrc_exec_t)
@@ -106745,9 +111064,15 @@ index 1e3aec0..d17ff39 100644
 +
  ')
 diff --git a/wdmd.te b/wdmd.te
-index ebbdaf6..144c0e7 100644
+index 4815a93..144c0e7 100644
 --- a/wdmd.te
 +++ b/wdmd.te
+@@ -1,4 +1,4 @@
+-policy_module(wdmd, 1.1.0)
++policy_module(wdmd, 1.0.3)
+ 
+ ########################################
+ #
 @@ -45,16 +45,15 @@ corecmd_exec_shell(wdmd_t)
  dev_read_watchdog(wdmd_t)
  dev_write_watchdog(wdmd_t)
@@ -106770,9 +111095,15 @@ index ebbdaf6..144c0e7 100644
 +	rhcs_rw_cluster_tmpfs(wdmd_t)
  ')
 diff --git a/webadm.te b/webadm.te
-index 708254f..d26f598 100644
+index 2a6cae7..d26f598 100644
 --- a/webadm.te
 +++ b/webadm.te
+@@ -1,4 +1,4 @@
+-policy_module(webadm, 1.2.0)
++policy_module(webadm, 1.1.1)
+ 
+ ########################################
+ #
 @@ -25,6 +25,9 @@ role webadm_r;
  
  userdom_base_user_template(webadm)
@@ -106808,9 +111139,15 @@ index 708254f..d26f598 100644
  tunable_policy(`webadm_manage_user_files',`
  	userdom_manage_user_home_content_files(webadm_t)
 diff --git a/webalizer.te b/webalizer.te
-index cdca8c7..3c09628 100644
+index ae919b9..3c09628 100644
 --- a/webalizer.te
 +++ b/webalizer.te
+@@ -1,4 +1,4 @@
+-policy_module(webalizer, 1.13.0)
++policy_module(webalizer, 1.12.1)
+ 
+ ########################################
+ #
 @@ -55,27 +55,35 @@ can_exec(webalizer_t, webalizer_exec_t)
  kernel_read_kernel_sysctls(webalizer_t)
  kernel_read_system_state(webalizer_t)
@@ -107025,10 +111362,16 @@ index fd2b6cc..938c4a7 100644
 +')
 +
 diff --git a/wine.te b/wine.te
-index b51923c..e5944be 100644
+index 491b87b..e5944be 100644
 --- a/wine.te
 +++ b/wine.te
-@@ -14,10 +14,11 @@ policy_module(wine, 1.10.1)
+@@ -1,4 +1,4 @@
+-policy_module(wine, 1.11.0)
++policy_module(wine, 1.10.1)
+ 
+ ########################################
+ #
+@@ -14,10 +14,11 @@ policy_module(wine, 1.11.0)
  ## </desc>
  gen_tunable(wine_mmap_zero_ignore, false)
  
@@ -107127,9 +111470,15 @@ index b51923c..e5944be 100644
  ')
 +
 diff --git a/wireshark.te b/wireshark.te
-index cf5cab6..a2d910f 100644
+index ff6ef38..a2d910f 100644
 --- a/wireshark.te
 +++ b/wireshark.te
+@@ -1,4 +1,4 @@
+-policy_module(wireshark, 2.4.0)
++policy_module(wireshark, 2.3.1)
+ 
+ ########################################
+ #
 @@ -34,7 +34,7 @@ userdom_user_tmpfs_file(wireshark_tmpfs_t)
  # Local Policy
  #
@@ -107192,7 +111541,7 @@ index 304ae09..c1d10a1 100644
 -/usr/bin/twm	--	gen_context(system_u:object_r:wm_exec_t,s0)
 +/usr/bin/twm		--	gen_context(system_u:object_r:wm_exec_t,s0)
 diff --git a/wm.if b/wm.if
-index 25b702d..36b2f81 100644
+index 95f888d..36b2f81 100644
 --- a/wm.if
 +++ b/wm.if
 @@ -1,4 +1,4 @@
@@ -107201,7 +111550,7 @@ index 25b702d..36b2f81 100644
  
  #######################################
  ## <summary>
-@@ -29,54 +29,46 @@
+@@ -29,69 +29,59 @@
  #
  template(`wm_role_template',`
  	gen_require(`
@@ -107262,6 +111611,9 @@ index 25b702d..36b2f81 100644
  
 -	auth_use_nsswitch($1_wm_t)
 -
+-	xserver_role($2, $1_wm_t)
+-	xserver_manage_core_devices($1_wm_t)
+-
 -	optional_policy(`
 -		dbus_spec_session_bus_client($1, $1_wm_t)
 -		dbus_system_bus_client($1_wm_t)
@@ -107272,9 +111624,16 @@ index 25b702d..36b2f81 100644
 -	')
 -
  	optional_policy(`
- 		pulseaudio_run($1_wm_t, $2)
+-		gnome_stream_connect_gkeyringd($1, $1_wm_t)
++		pulseaudio_run($1_wm_t, $2)
+ 	')
+ 
+ 	optional_policy(`
+-		pulseaudio_run($1_wm_t, $2)
++		xserver_role($2, $1_wm_t)
++		xserver_manage_core_devices($1_wm_t)
  	')
-@@ -89,7 +81,7 @@ template(`wm_role_template',`
+ ')
  
  ########################################
  ## <summary>
@@ -107283,7 +111642,7 @@ index 25b702d..36b2f81 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -102,33 +94,5 @@ interface(`wm_exec',`
+@@ -104,33 +94,5 @@ interface(`wm_exec',`
  		type wm_exec_t;
  	')
  
@@ -107318,11 +111677,11 @@ index 25b702d..36b2f81 100644
 -	allow $1_wm_t $2:dbus send_msg;
 -')
 diff --git a/wm.te b/wm.te
-index 7c7f7fa..20ce90b 100644
+index 638d10f..20ce90b 100644
 --- a/wm.te
 +++ b/wm.te
-@@ -1,36 +1,88 @@
--policy_module(wm, 1.2.5)
+@@ -1,74 +1,88 @@
+-policy_module(wm, 1.3.3)
 +policy_module(wm, 1.2.0)
 +
 +attribute wm_domain;
@@ -107335,39 +111694,44 @@ index 7c7f7fa..20ce90b 100644
 -attribute wm_domain;
 -
  type wm_exec_t;
--
+ corecmd_executable_file(wm_exec_t)
+ 
 -########################################
 -#
 -# Common wm domain local policy
 -#
-+corecmd_executable_file(wm_exec_t)
- 
+-
  allow wm_domain self:fifo_file rw_fifo_file_perms;
--allow wm_domain self:process getsched;
-+allow wm_domain self:process { setcap setrlimit execmem signal_perms getsched setsched };
-+allow wm_domain self:netlink_kobject_uevent_socket create_socket_perms;
+ allow wm_domain self:process { setcap setrlimit execmem signal_perms getsched setsched };
+ allow wm_domain self:netlink_kobject_uevent_socket create_socket_perms;
 +
  allow wm_domain self:shm create_shm_perms;
  allow wm_domain self:unix_dgram_socket create_socket_perms;
  
 -kernel_read_system_state(wm_domain)
 -
+-corecmd_getattr_all_executables(wm_domain)
+-
+-dev_read_sound(wm_domain)
+-dev_read_sysfs(wm_domain)
  dev_read_urand(wm_domain)
+-dev_rw_wireless(wm_domain)
 +dev_read_sound(wm_domain)
-+dev_write_sound(wm_domain)
+ dev_write_sound(wm_domain)
+-
+-files_read_usr_files(wm_domain)
 +dev_rw_wireless(wm_domain)
 +dev_read_sysfs(wm_domain)
-+
-+fs_getattr_all_fs(wm_domain)
-+
+ 
+ fs_getattr_all_fs(wm_domain)
+ 
 +corecmd_dontaudit_access_all_executables(wm_domain)
 +corecmd_getattr_all_executables(wm_domain)
- 
--files_read_usr_files(wm_domain)
++
 +application_signull(wm_domain)
 +
 +init_read_state(wm_domain)
- 
++
  miscfiles_read_fonts(wm_domain)
 -miscfiles_read_localization(wm_domain)
  
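Review bot: Several pairs in this wm.te hunk remove a base line only to add the identical line back a few lines later: `dev_read_sound(wm_domain)`, `dev_read_sysfs(wm_domain)`, `dev_rw_wireless(wm_domain)` and `corecmd_getattr_all_executables(wm_domain)` each appear once with `-` and once with `+`. That is reordering with no policy effect. Leave those lines where the base has them, so the hunk shows only the real differences such as the added `corecmd_dontaudit_access_all_executables(wm_domain)`, `application_signull(wm_domain)` and `init_read_state(wm_domain)`.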
@@ -107377,16 +111741,28 @@ index 7c7f7fa..20ce90b 100644
 +systemd_read_logind_sessions_files(wm_domain)
 +systemd_write_inhibit_pipes(wm_domain)
 +systemd_login_read_pid_files(wm_domain)
-+
+ 
+-userdom_manage_user_home_content_dirs(wm_domain)
+-userdom_manage_user_home_content_files(wm_domain)
+-userdom_user_home_dir_filetrans_user_home_content(wm_domain, { dir file })
 +userdom_read_user_home_content_files(wm_domain)
-+
+ 
+-optional_policy(`
+-	accountsd_dbus_chat(wm_domain)
+-')
+-	
+-optional_policy(`
+-	bluetooth_dbus_chat(wm_domain)
+-')		
 +udev_read_pid_files(wm_domain)
-+
-+optional_policy(`
+ 
+ optional_policy(`
+-	devicekit_dbus_chat_power(wm_domain)
 +	gnome_stream_connect_gkeyringd(wm_domain)
-+')
-+
-+optional_policy(`
+ ')
+ 
+ optional_policy(`
+-	networkmanager_dbus_chat(wm_domain)
 +	dbus_system_bus_client(wm_domain)
 +	dbus_session_bus_client(wm_domain)
 +	optional_policy(`
@@ -107412,22 +111788,22 @@ index 7c7f7fa..20ce90b 100644
 +	optional_policy(`
 +		systemd_dbus_chat_logind(wm_domain)
 +	')
-+')
-+
-+optional_policy(`
+ ')
+ 
+ optional_policy(`
+-	policykit_dbus_chat(wm_domain)
 +	pulseaudio_stream_connect(wm_domain)
-+')
-+
-+optional_policy(`
+ ')
+ 
+ optional_policy(`
+-	pulseaudio_stream_connect(wm_domain)
 +	userhelper_exec_console(wm_domain)
-+')
+ ')
  
--userdom_manage_user_home_content_dirs(wm_domain)
--userdom_manage_user_home_content_files(wm_domain)
--userdom_user_home_dir_filetrans_user_home_content(wm_domain, { dir file })
-+optional_policy(`
+ optional_policy(`
+-	userhelper_exec_consolehelper(wm_domain)
 +	xserver_manage_core_devices(wm_domain)
-+')
+ ')
 diff --git a/xen.fc b/xen.fc
 index 42d83b0..651d1cb 100644
 --- a/xen.fc
@@ -107759,11 +112135,11 @@ index f93558c..16e29c1 100644
  
  	files_search_pids($1)
 diff --git a/xen.te b/xen.te
-index ed40676..3fe3e35 100644
+index 6f736a9..3fe3e35 100644
 --- a/xen.te
 +++ b/xen.te
 @@ -1,42 +1,34 @@
--policy_module(xen, 1.12.5)
+-policy_module(xen, 1.13.0)
 +policy_module(xen, 1.12.0)
  
  ########################################
@@ -108455,9 +112831,15 @@ index ed40676..3fe3e35 100644
 -	fs_manage_xenfs_files(xm_ssh_t)
 -')
 diff --git a/xfs.te b/xfs.te
-index 0cea2cd..7668014 100644
+index 0928c5d..7668014 100644
 --- a/xfs.te
 +++ b/xfs.te
+@@ -1,4 +1,4 @@
+-policy_module(xfs, 1.7.0)
++policy_module(xfs, 1.6.1)
+ 
+ ########################################
+ #
 @@ -41,7 +41,6 @@ can_exec(xfs_t, xfs_exec_t)
  kernel_read_kernel_sysctls(xfs_t)
  kernel_read_system_state(xfs_t)
@@ -108483,16 +112865,16 @@ index 0cea2cd..7668014 100644
  
  userdom_dontaudit_use_unpriv_user_fds(xfs_t)
 diff --git a/xguest.te b/xguest.te
-index 2882821..0f1f514 100644
+index a64aad3..0f1f514 100644
 --- a/xguest.te
 +++ b/xguest.te
 @@ -1,4 +1,4 @@
--policy_module(xguest, 1.1.2)
+-policy_module(xguest, 1.2.0)
 +policy_module(xguest, 1.1.0)
  
  ########################################
  #
-@@ -6,46 +6,47 @@ policy_module(xguest, 1.1.2)
+@@ -6,46 +6,47 @@ policy_module(xguest, 1.2.0)
  #
  
  ## <desc>
@@ -108779,9 +113161,15 @@ index 3c44d84..ce5e69d 100644
  sysnet_read_config(xprint_t)
  
 diff --git a/xscreensaver.te b/xscreensaver.te
-index c9c9650..485e77d 100644
+index 04096a0..485e77d 100644
 --- a/xscreensaver.te
 +++ b/xscreensaver.te
+@@ -1,4 +1,4 @@
+-policy_module(xscreensaver, 1.2.0)
++policy_module(xscreensaver, 1.1.1)
+ 
+ ########################################
+ #
 @@ -25,7 +25,6 @@ allow xscreensaver_t self:fifo_file rw_fifo_file_perms;
  
  kernel_read_system_state(xscreensaver_t)
@@ -108803,9 +113191,15 @@ index c9c9650..485e77d 100644
  
  xserver_user_x_domain_template(xscreensaver, xscreensaver_t, xscreensaver_tmpfs_t)
 diff --git a/yam.te b/yam.te
-index d837e88..910aeec 100644
+index 2695db2..910aeec 100644
 --- a/yam.te
 +++ b/yam.te
+@@ -1,4 +1,4 @@
+-policy_module(yam, 1.5.0)
++policy_module(yam, 1.4.1)
+ 
+ ########################################
+ #
 @@ -73,11 +73,11 @@ auth_use_nsswitch(yam_t)
  
  logging_send_syslog_msg(yam_t)
@@ -108822,12 +113216,12 @@ index d837e88..910aeec 100644
  userdom_search_user_home_dirs(yam_t)
  
 diff --git a/zabbix.fc b/zabbix.fc
-index ce10cb1..14dc7c6 100644
+index c3b5a81..14dc7c6 100644
 --- a/zabbix.fc
 +++ b/zabbix.fc
 @@ -1,15 +1,23 @@
- /etc/rc\.d/init\.d/((zabbix)|(zabbix-server))	--	gen_context(system_u:object_r:zabbix_initrc_exec_t,s0)
-+/etc/rc\.d/init\.d/(zabbix|zabbix-server)	--	gen_context(system_u:object_r:zabbix_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/((zabbix)|(zabbix-server))	--	gen_context(system_u:object_r:zabbix_initrc_exec_t,s0)
+ /etc/rc\.d/init\.d/(zabbix|zabbix-server)	--	gen_context(system_u:object_r:zabbix_initrc_exec_t,s0)
  /etc/rc\.d/init\.d/zabbix-agentd	--	gen_context(system_u:object_r:zabbix_agent_initrc_exec_t,s0)
  
  /usr/bin/zabbix_server	--	gen_context(system_u:object_r:zabbix_exec_t,s0)
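Review bot: After this change the first two zabbix.fc entries, `/etc/rc\.d/init\.d/((zabbix)|(zabbix-server))` (now added by the patch) and `/etc/rc\.d/init\.d/(zabbix|zabbix-server)` (now context from the base), match the same two paths and assign the same `zabbix_initrc_exec_t` context. Drop the added double-parenthesised line; the duplicate contributes nothing and is one more hunk to carry across regenerations.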
@@ -109014,10 +113408,16 @@ index dd63de0..38ce620 100644
 -	admin_pattern($1, zabbix_tmpfs_t)
  ')
 diff --git a/zabbix.te b/zabbix.te
-index 46e4cd3..bf87704 100644
+index 7f496c6..bf87704 100644
 --- a/zabbix.te
 +++ b/zabbix.te
-@@ -6,27 +6,32 @@ policy_module(zabbix, 1.5.3)
+@@ -1,4 +1,4 @@
+-policy_module(zabbix, 1.6.0)
++policy_module(zabbix, 1.5.3)
+ 
+ ########################################
+ #
+@@ -6,27 +6,32 @@ policy_module(zabbix, 1.6.0)
  #
  
  ## <desc>
@@ -109504,11 +113904,11 @@ index 36e32df..3d08962 100644
 +    manage_dirs_pattern($1, zarafa_var_lib_t, zarafa_var_lib_t)
  ')
 diff --git a/zarafa.te b/zarafa.te
-index a4479b1..ffeb7f4 100644
+index 3fded1c..ffeb7f4 100644
 --- a/zarafa.te
 +++ b/zarafa.te
 @@ -1,13 +1,18 @@
--policy_module(zarafa, 1.1.4)
+-policy_module(zarafa, 1.2.0)
 +policy_module(zarafa, 1.1.0)
  
  ########################################
@@ -109905,16 +114305,16 @@ index 3416401..676925c 100644
 +    allow $1 zebra_unit_file_t:service all_service_perms;
  ')
 diff --git a/zebra.te b/zebra.te
-index b0803c2..e2b8723 100644
+index 2e80d04..e2b8723 100644
 --- a/zebra.te
 +++ b/zebra.te
 @@ -1,4 +1,4 @@
--policy_module(zebra, 1.12.1)
+-policy_module(zebra, 1.13.0)
 +policy_module(zebra, 1.12.0)
  
  ########################################
  #
-@@ -6,23 +6,26 @@ policy_module(zebra, 1.12.1)
+@@ -6,23 +6,26 @@ policy_module(zebra, 1.13.0)
  #
  
  ## <desc>
@@ -110668,9 +115068,15 @@ index b14698c..16e1581 100644
  interface(`zosremote_run',`
  	gen_require(`
 diff --git a/zosremote.te b/zosremote.te
-index 9ba9f81..983b6c8 100644
+index bc6a5db..983b6c8 100644
 --- a/zosremote.te
 +++ b/zosremote.te
+@@ -1,4 +1,4 @@
+-policy_module(zosremote, 1.2.0)
++policy_module(zosremote, 1.1.1)
+ 
+ ########################################
+ #
 @@ -24,6 +24,4 @@ allow zos_remote_t self:unix_stream_socket { accept listen };
  
  auth_use_nsswitch(zos_remote_t)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 696afef..c8bb6f0 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.12.1
-Release: 199%{?dist}
+Release: 200%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
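Review bot: Only `Release:` moves here (199 to 200) while `Version: 3.12.1` and `Source: serefpolicy-%{version}.tgz` stay untouched, yet the patch hunks above change the pre-image blob on nearly every `index` line (virt.te `1f22fba` to `f03dcf5`, vpn.te `9329eae` to `95b26d1`) and keep the post-image, which means the patch was regenerated against a different source tree. Confirm the tarball was refreshed to that tree in the same push; if it was not, hunks such as `-policy_module(virt, 1.7.4)` will not apply in %prep. A tarball whose contents change under an unchanged name and version is also hard to audit, so a snapshot suffix in the Source name would help.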
@@ -579,6 +579,14 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Mon May 04 2015 Lukas Vrabec <lvrabec at redhat.com> 3.12.1-200
+- add interface networkmanager_sigchld
+- Fix labels on new location of resolv.conf
+- Add new rules to dnssec-trigger
+- Add mongodb port to httpd_can_network_connect_db interface. BZ(1209180)
+- Added interface files_search_all_pids
+- Add fixes for resolv.conf to F20
+
 * Mon Feb 02 2015 Lukas Vrabec <lvrabec at redhat.com> 3.12.1-199
 - Allow svirt sandbox domains to read /proc/mtrr
 
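Review bot: The six entries added for 3.12.1-200 describe rule changes only and say nothing about the patch having been regenerated against a newer base tree, which is what most of the hunks above consist of. Add a line for that so the rebase can be found from the package changelog. Minor style point: the entries mix "add", "Add" and "Added"; pick one form.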
-- 
cgit v0.10.2


	http://pkgs.fedoraproject.org/cgit/selinux-policy.git/commit/?h=f20&id=12c7ae31557bf761b427bb79f46564c9a64e2734

