From 17da0166723ad84e66738af7dbba7c84d9b3f3e2 Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Wed, 2 Jan 2013 15:52:27 +0100 Subject: [PATCH] * Wed Jan 2 2013 Miroslav Grepl 3.11.1-69 - Add systemd_status_all_unit_files() interface - Add support for nshadow - Allow sysadm_t to administrate the postfix domains - Add interface to setattr on isid directories for use by tmpreaper - Allow sshd_t sys_admin for use with afs logins - Allow systemd to read/write all sysctls - Allow sshd_t sys_admin for use with afs logins - Allow systemd to read/write all sysctls - Add systemd_status_all_unit_files() interface - Add support for nshadow - Allow sysadm_t to administrate the postfix domains - Add interface to setattr on isid directories for use by tmpreaper - Allow sshd_t sys_admin for use with afs logins - Allow systemd to read/write all sysctls - Allow sshd_t sys_admin for use with afs logins - Add labeling for /var/named/chroot/etc/localtim * Thu Dec 27 2012 Miroslav Grepl 3.11.1-68 - Allow setroubleshoot_fixit to execute rpm - zoneminder needs to connect to httpd ports where remote cameras are listening - Allow firewalld to execute content created in /run directory - Allow svirt_t to read generic certs - Dontaudit leaked ps content to mozilla plugin - Allow sshd_t sys_admin for use with afs logins - Allow systemd to read/write all sysctls - init scripts are creating systemd_unit_file_t directories --- policy-rawhide-base.patch | 895 +++++++++++++++++++---------------- policy-rawhide-contrib.patch | 396 +++++++++++----- selinux-policy.spec | 30 +- 3 files changed, 778 insertions(+), 543 deletions(-) diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index d9a6df57..901141a2 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -117703,7 +117703,7 @@ index 8796ca3..cb02728 100644 +/nsr(/.*)? gen_context(system_u:object_r:var_t,s0) +/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0) 
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if -index e1e814d..37f3b90 100644 +index e1e814d..360fbbd 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -55,6 +55,7 @@ @@ -118225,7 +118225,33 @@ index e1e814d..37f3b90 100644 ') ######################################## -@@ -3135,6 +3446,25 @@ interface(`files_delete_isid_type_dirs',` +@@ -3059,6 +3370,25 @@ interface(`files_getattr_isid_type_dirs',` + + ######################################## + ## ++## Setattr of directories on new filesystems ++## that have not yet been labeled. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_setattr_isid_type_dirs',` ++ gen_require(` ++ type file_t; ++ ') ++ ++ allow $1 file_t:dir setattr; ++') ++ ++######################################## ++## + ## Do not audit attempts to search directories on new filesystems + ## that have not yet been labeled. + ## +@@ -3135,6 +3465,25 @@ interface(`files_delete_isid_type_dirs',` ######################################## ## @@ -118251,7 +118277,7 @@ index e1e814d..37f3b90 100644 ## Create, read, write, and delete directories ## on new filesystems that have not yet been labeled. ## -@@ -3382,6 +3712,25 @@ interface(`files_rw_isid_type_blk_files',` +@@ -3382,6 +3731,25 @@ interface(`files_rw_isid_type_blk_files',` ######################################## ## @@ -118277,7 +118303,7 @@ index e1e814d..37f3b90 100644 ## Create, read, write, and delete block device nodes ## on new filesystems that have not yet been labeled. ## -@@ -3723,20 +4072,38 @@ interface(`files_list_mnt',` +@@ -3723,20 +4091,38 @@ interface(`files_list_mnt',` ###################################### ## 
@@ -118321,7 +118347,7 @@ index e1e814d..37f3b90 100644 ') ######################################## -@@ -4126,6 +4493,133 @@ interface(`files_read_world_readable_sockets',` +@@ -4126,6 +4512,133 @@ interface(`files_read_world_readable_sockets',` allow $1 readable_t:sock_file read_sock_file_perms; ') @@ -118455,7 +118481,7 @@ index e1e814d..37f3b90 100644 ######################################## ## ## Allow the specified type to associate -@@ -4148,6 +4642,26 @@ interface(`files_associate_tmp',` +@@ -4148,6 +4661,26 @@ interface(`files_associate_tmp',` ######################################## ## @@ -118482,7 +118508,7 @@ index e1e814d..37f3b90 100644 ## Get the attributes of the tmp directory (/tmp). ## ## -@@ -4161,6 +4675,7 @@ interface(`files_getattr_tmp_dirs',` +@@ -4161,6 +4694,7 @@ interface(`files_getattr_tmp_dirs',` type tmp_t; ') @@ -118490,7 +118516,7 @@ index e1e814d..37f3b90 100644 allow $1 tmp_t:dir getattr; ') -@@ -4171,7 +4686,7 @@ interface(`files_getattr_tmp_dirs',` +@@ -4171,7 +4705,7 @@ interface(`files_getattr_tmp_dirs',` ## ## ## @@ -118499,7 +118525,7 @@ index e1e814d..37f3b90 100644 ## ## # -@@ -4198,6 +4713,7 @@ interface(`files_search_tmp',` +@@ -4198,6 +4732,7 @@ interface(`files_search_tmp',` type tmp_t; ') @@ -118507,7 +118533,7 @@ index e1e814d..37f3b90 100644 allow $1 tmp_t:dir search_dir_perms; ') -@@ -4234,6 +4750,7 @@ interface(`files_list_tmp',` +@@ -4234,6 +4769,7 @@ interface(`files_list_tmp',` type tmp_t; ') @@ -118515,7 +118541,7 @@ index e1e814d..37f3b90 100644 allow $1 tmp_t:dir list_dir_perms; ') -@@ -4243,7 +4760,7 @@ interface(`files_list_tmp',` +@@ -4243,7 +4779,7 @@ interface(`files_list_tmp',` ## ## ## @@ -118524,7 +118550,7 @@ index e1e814d..37f3b90 100644 ## ## # -@@ -4255,6 +4772,25 @@ interface(`files_dontaudit_list_tmp',` +@@ -4255,6 +4791,25 @@ interface(`files_dontaudit_list_tmp',` dontaudit $1 tmp_t:dir list_dir_perms; ') 
@@ -118550,7 +118576,7 @@ index e1e814d..37f3b90 100644 ######################################## ## ## Remove entries from the tmp directory. -@@ -4270,6 +4806,7 @@ interface(`files_delete_tmp_dir_entry',` +@@ -4270,6 +4825,7 @@ interface(`files_delete_tmp_dir_entry',` type tmp_t; ') @@ -118558,7 +118584,7 @@ index e1e814d..37f3b90 100644 allow $1 tmp_t:dir del_entry_dir_perms; ') -@@ -4311,6 +4848,32 @@ interface(`files_manage_generic_tmp_dirs',` +@@ -4311,6 +4867,32 @@ interface(`files_manage_generic_tmp_dirs',` ######################################## ## 
@@ -118591,72 +118617,198 @@ index e1e814d..37f3b90 100644 ## Manage temporary files and directories in /tmp. ## ## -@@ -4365,6 +4928,42 @@ interface(`files_rw_generic_tmp_sockets',` +@@ -4365,7 +4947,7 @@ interface(`files_rw_generic_tmp_sockets',` ######################################## ## +-## Set the attributes of all tmp directories. +## Relabel a dir from the type used in /tmp. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_relabelfrom_tmp_dirs',` -+ gen_require(` -+ type tmp_t; -+ ') -+ -+ relabelfrom_dirs_pattern($1, tmp_t, tmp_t) -+') -+ -+######################################## -+## -+## Relabel a file from the type used in /tmp. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_relabelfrom_tmp_files',` -+ gen_require(` -+ type tmp_t; -+ ') -+ -+ relabelfrom_files_pattern($1, tmp_t, tmp_t) -+') -+ -+######################################## -+## - ## Set the attributes of all tmp directories. ## ## -@@ -4383,6 +4982,42 @@ interface(`files_setattr_all_tmp_dirs',` + ## +@@ -4373,17 +4955,17 @@ interface(`files_rw_generic_tmp_sockets',` + ## + ## + # +-interface(`files_setattr_all_tmp_dirs',` ++interface(`files_relabelfrom_tmp_dirs',` + gen_require(` +- attribute tmpfile; ++ type tmp_t; + ') + +- allow $1 tmpfile:dir { search_dir_perms setattr }; ++ relabelfrom_dirs_pattern($1, tmp_t, tmp_t) + ') ######################################## ## +-## List all tmp directories. ++## Relabel a file from the type used in /tmp. + ## + ## + ## +@@ -4391,59 +4973,53 @@ interface(`files_setattr_all_tmp_dirs',` + ## + ## + # +-interface(`files_list_all_tmp',` ++interface(`files_relabelfrom_tmp_files',` + gen_require(` +- attribute tmpfile; ++ type tmp_t; + ') + +- allow $1 tmpfile:dir list_dir_perms; ++ relabelfrom_files_pattern($1, tmp_t, tmp_t) + ') + + ######################################## + ## +-## Relabel to and from all temporary +-## directory types. ++## Set the attributes of all tmp directories. 
+ ## + ## + ## + ## Domain allowed access. + ## + ## +-## + # +-interface(`files_relabel_all_tmp_dirs',` ++interface(`files_setattr_all_tmp_dirs',` + gen_require(` + attribute tmpfile; +- type var_t; + ') + +- allow $1 var_t:dir search_dir_perms; +- relabel_dirs_pattern($1, tmpfile, tmpfile) ++ allow $1 tmpfile:dir { search_dir_perms setattr }; + ') + + ######################################## + ## +-## Do not audit attempts to get the attributes +-## of all tmp files. +## Allow caller to read inherited tmp files. -+## -+## -+## + ## + ## + ## +-## Domain not to audit. +## Domain allowed access. -+## -+## -+# + ## + ## + # +-interface(`files_dontaudit_getattr_all_tmp_files',` +interface(`files_read_inherited_tmp_files',` -+ gen_require(` -+ attribute tmpfile; -+ ') -+ + gen_require(` + attribute tmpfile; + ') + +- dontaudit $1 tmpfile:file getattr; + allow $1 tmpfile:file { append read_inherited_file_perms }; + ') + + ######################################## + ## +-## Allow attempts to get the attributes +-## of all tmp files. ++## Allow caller to append inherited tmp files. + ## + ## + ## +@@ -4451,54 +5027,132 @@ interface(`files_dontaudit_getattr_all_tmp_files',` + ## + ## + # +-interface(`files_getattr_all_tmp_files',` ++interface(`files_append_inherited_tmp_files',` + gen_require(` + attribute tmpfile; + ') + +- allow $1 tmpfile:file getattr; ++ allow $1 tmpfile:file append_inherited_file_perms; + ') + + ######################################## + ## +-## Relabel to and from all temporary +-## file types. ++## List all tmp directories. + ## + ## + ## + ## Domain allowed access. 
+ ## + ## +-## + # +-interface(`files_relabel_all_tmp_files',` ++interface(`files_list_all_tmp',` + gen_require(` + attribute tmpfile; +- type var_t; + ') + +- allow $1 var_t:dir search_dir_perms; +- relabel_files_pattern($1, tmpfile, tmpfile) ++ allow $1 tmpfile:dir list_dir_perms; + ') + + ######################################## + ## +-## Do not audit attempts to get the attributes +-## of all tmp sock_file. ++## Relabel to and from all temporary ++## directory types. + ## + ## + ## +-## Domain not to audit. ++## Domain allowed access. + ## + ## ++## + # +-interface(`files_dontaudit_getattr_all_tmp_sockets',` ++interface(`files_relabel_all_tmp_dirs',` + gen_require(` + attribute tmpfile; ++ type var_t; + ') + +- dontaudit $1 tmpfile:sock_file getattr; +-') ++ allow $1 var_t:dir search_dir_perms; ++ relabel_dirs_pattern($1, tmpfile, tmpfile) +') + +######################################## +## -+## Allow caller to append inherited tmp files. ++## Do not audit attempts to get the attributes ++## of all tmp files. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`files_dontaudit_getattr_all_tmp_files',` ++ gen_require(` ++ attribute tmpfile; ++ ') ++ ++ dontaudit $1 tmpfile:file getattr; ++') ++ ++######################################## ++## ++## Allow attempts to get the attributes ++## of all tmp files. +## +## +## 
@@ -118664,38 +118816,58 @@ index e1e814d..37f3b90 100644 +## +## +# -+interface(`files_append_inherited_tmp_files',` ++interface(`files_getattr_all_tmp_files',` + gen_require(` + attribute tmpfile; + ') + -+ allow $1 tmpfile:file append_inherited_file_perms; ++ allow $1 tmpfile:file getattr; +') + +######################################## +## - ## List all tmp directories. - ## - ## -@@ -4428,7 +5063,7 @@ interface(`files_relabel_all_tmp_dirs',` - ## - ## - ## --## Domain not to audit. ++## Relabel to and from all temporary ++## file types. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`files_relabel_all_tmp_files',` ++ gen_require(` ++ attribute tmpfile; ++ type var_t; ++ ') ++ ++ allow $1 var_t:dir search_dir_perms; ++ relabel_files_pattern($1, tmpfile, tmpfile) ++') ++ ++######################################## ++## ++## Do not audit attempts to get the attributes ++## of all tmp sock_file. ++## ++## ++## +## Domain to not audit. - ## - ## - # -@@ -4488,7 +5123,7 @@ interface(`files_relabel_all_tmp_files',` - ## - ## - ## --## Domain not to audit. -+## Domain to not audit. - ## - ## - # -@@ -4573,6 +5208,16 @@ interface(`files_purge_tmp',` ++## ++## ++# ++interface(`files_dontaudit_getattr_all_tmp_sockets',` ++ gen_require(` ++ attribute tmpfile; ++ ') ++ ++ dontaudit $1 tmpfile:sock_file getattr; ++') + + ######################################## + ## +@@ -4573,6 +5227,16 @@ interface(`files_purge_tmp',` delete_lnk_files_pattern($1, tmpfile, tmpfile) delete_fifo_files_pattern($1, tmpfile, tmpfile) delete_sock_files_pattern($1, tmpfile, tmpfile) 
@@ -118712,17 +118884,14 @@ index e1e814d..37f3b90 100644 ') ######################################## -@@ -5150,12 +5795,30 @@ interface(`files_list_var',` +@@ -5150,6 +5814,24 @@ interface(`files_list_var',` ######################################## ## --## Create, read, write, and delete directories --## in the /var directory. +## Do not audit listing of the var directory (/var). - ## - ## - ## --## Domain allowed access. ++## ++## ++## +## Domain to not audit. +## +## @@ -118737,16 +118906,10 @@ index e1e814d..37f3b90 100644 + +######################################## +## -+## Create, read, write, and delete directories -+## in the /var directory. -+## -+## -+## -+## Domain allowed access. - ## - ## - # -@@ -5505,6 +6168,25 @@ interface(`files_read_var_lib_symlinks',` + ## Create, read, write, and delete directories + ## in the /var directory. + ## +@@ -5505,6 +6187,25 @@ interface(`files_read_var_lib_symlinks',` read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t) ') @@ -118772,7 +118935,7 @@ index e1e814d..37f3b90 100644 # cjp: the next two interfaces really need to be fixed # in some way. They really neeed their own types. -@@ -5550,7 +6232,7 @@ interface(`files_manage_mounttab',` +@@ -5550,7 +6251,7 @@ interface(`files_manage_mounttab',` ######################################## ## @@ -118781,7 +118944,7 @@ index e1e814d..37f3b90 100644 ## ## ## -@@ -5558,12 +6240,13 @@ interface(`files_manage_mounttab',` +@@ -5558,12 +6259,13 @@ interface(`files_manage_mounttab',` ## ## # @@ -118797,7 +118960,7 @@ index e1e814d..37f3b90 100644 ') ######################################## -@@ -5581,6 +6264,7 @@ interface(`files_search_locks',` +@@ -5581,6 +6283,7 @@ interface(`files_search_locks',` type var_t, var_lock_t; ') 
@@ -118805,7 +118968,7 @@ index e1e814d..37f3b90 100644 allow $1 var_lock_t:lnk_file read_lnk_file_perms; search_dirs_pattern($1, var_t, var_lock_t) ') -@@ -5607,7 +6291,26 @@ interface(`files_dontaudit_search_locks',` +@@ -5607,7 +6310,26 @@ interface(`files_dontaudit_search_locks',` ######################################## ## @@ -118833,7 +118996,7 @@ index e1e814d..37f3b90 100644 ## ## ## -@@ -5615,13 +6318,12 @@ interface(`files_dontaudit_search_locks',` +@@ -5615,13 +6337,12 @@ interface(`files_dontaudit_search_locks',` ## ## # @@ -118850,7 +119013,7 @@ index e1e814d..37f3b90 100644 ') ######################################## -@@ -5640,7 +6342,7 @@ interface(`files_rw_lock_dirs',` +@@ -5640,7 +6361,7 @@ interface(`files_rw_lock_dirs',` type var_t, var_lock_t; ') @@ -118859,7 +119022,7 @@ index e1e814d..37f3b90 100644 rw_dirs_pattern($1, var_t, var_lock_t) ') -@@ -5673,7 +6375,6 @@ interface(`files_create_lock_dirs',` +@@ -5673,7 +6394,6 @@ interface(`files_create_lock_dirs',` ## Domain allowed access. ## ## @@ -118867,7 +119030,7 @@ index e1e814d..37f3b90 100644 # interface(`files_relabel_all_lock_dirs',` gen_require(` -@@ -5701,8 +6402,7 @@ interface(`files_getattr_generic_locks',` +@@ -5701,8 +6421,7 @@ interface(`files_getattr_generic_locks',` type var_t, var_lock_t; ') @@ -118877,7 +119040,7 @@ index e1e814d..37f3b90 100644 allow $1 var_lock_t:dir list_dir_perms; getattr_files_pattern($1, var_lock_t, var_lock_t) ') -@@ -5718,13 +6418,12 @@ interface(`files_getattr_generic_locks',` +@@ -5718,13 +6437,12 @@ interface(`files_getattr_generic_locks',` ## # interface(`files_delete_generic_locks',` @@ -118895,7 +119058,7 @@ index e1e814d..37f3b90 100644 ') ######################################## -@@ -5743,8 +6442,7 @@ interface(`files_manage_generic_locks',` +@@ -5743,8 +6461,7 @@ interface(`files_manage_generic_locks',` type var_t, var_lock_t; ') 
@@ -118905,7 +119068,7 @@ index e1e814d..37f3b90 100644 manage_files_pattern($1, var_lock_t, var_lock_t) ') -@@ -5786,8 +6484,7 @@ interface(`files_read_all_locks',` +@@ -5786,8 +6503,7 @@ interface(`files_read_all_locks',` type var_t, var_lock_t; ') @@ -118915,7 +119078,7 @@ index e1e814d..37f3b90 100644 allow $1 lockfile:dir list_dir_perms; read_files_pattern($1, lockfile, lockfile) read_lnk_files_pattern($1, lockfile, lockfile) -@@ -5809,8 +6506,7 @@ interface(`files_manage_all_locks',` +@@ -5809,8 +6525,7 @@ interface(`files_manage_all_locks',` type var_t, var_lock_t; ') @@ -118925,7 +119088,7 @@ index e1e814d..37f3b90 100644 manage_dirs_pattern($1, lockfile, lockfile) manage_files_pattern($1, lockfile, lockfile) manage_lnk_files_pattern($1, lockfile, lockfile) -@@ -5847,8 +6543,7 @@ interface(`files_lock_filetrans',` +@@ -5847,8 +6562,7 @@ interface(`files_lock_filetrans',` type var_t, var_lock_t; ') @@ -118935,7 +119098,7 @@ index e1e814d..37f3b90 100644 filetrans_pattern($1, var_lock_t, $2, $3, $4) ') -@@ -5911,6 +6606,43 @@ interface(`files_search_pids',` +@@ -5911,6 +6625,43 @@ interface(`files_search_pids',` search_dirs_pattern($1, var_t, var_run_t) ') @@ -118979,7 +119142,7 @@ index e1e814d..37f3b90 100644 ######################################## ## ## Do not audit attempts to search -@@ -5933,6 +6665,25 @@ interface(`files_dontaudit_search_pids',` +@@ -5933,6 +6684,25 @@ interface(`files_dontaudit_search_pids',` ######################################## ## @@ -119005,7 +119168,7 @@ index e1e814d..37f3b90 100644 ## List the contents of the runtime process ## ID directories (/var/run). ## -@@ -6048,7 +6799,6 @@ interface(`files_pid_filetrans',` +@@ -6048,7 +6818,6 @@ interface(`files_pid_filetrans',` ') allow $1 var_t:dir search_dir_perms; 
@@ -119013,7 +119176,7 @@ index e1e814d..37f3b90 100644 filetrans_pattern($1, var_run_t, $2, $3, $4) ') -@@ -6157,30 +6907,25 @@ interface(`files_dontaudit_ioctl_all_pids',` +@@ -6157,30 +6926,25 @@ interface(`files_dontaudit_ioctl_all_pids',` ######################################## ## @@ -119048,7 +119211,7 @@ index e1e814d..37f3b90 100644 ## ## ## -@@ -6188,43 +6933,35 @@ interface(`files_read_all_pids',` +@@ -6188,43 +6952,35 @@ interface(`files_read_all_pids',` ## ## # @@ -119099,7 +119262,7 @@ index e1e814d..37f3b90 100644 ## ## ## -@@ -6232,21 +6969,17 @@ interface(`files_delete_all_pids',` +@@ -6232,21 +6988,17 @@ interface(`files_delete_all_pids',` ## ## # @@ -119124,7 +119287,7 @@ index e1e814d..37f3b90 100644 ## ## ## -@@ -6254,56 +6987,59 @@ interface(`files_delete_all_pid_dirs',` +@@ -6254,56 +7006,59 @@ interface(`files_delete_all_pid_dirs',` ## ## # @@ -119200,7 +119363,7 @@ index e1e814d..37f3b90 100644 ## ## ## -@@ -6311,18 +7047,17 @@ interface(`files_list_spool',` +@@ -6311,18 +7066,17 @@ interface(`files_list_spool',` ## ## # @@ -119223,7 +119386,7 @@ index e1e814d..37f3b90 100644 ## ## ## -@@ -6330,19 +7065,18 @@ interface(`files_manage_generic_spool_dirs',` +@@ -6330,9 +7084,273 @@ interface(`files_manage_generic_spool_dirs',` ## ## # 
@@ -119232,62 +119395,40 @@ index e1e814d..37f3b90 100644 gen_require(` - type var_t, var_spool_t; + type var_run_t; - ') - -- list_dirs_pattern($1, var_t, var_spool_t) -- read_files_pattern($1, var_spool_t, var_spool_t) ++ ') ++ + exec_files_pattern($1, var_run_t, var_run_t) - ') - - ######################################## - ## --## Create, read, write, and delete generic --## spool files. ++') ++ ++######################################## ++## +## manage all pidfiles +## in the /var/run directory. - ## - ## - ## -@@ -6350,55 +7084,62 @@ interface(`files_read_generic_spool',` - ## - ## - # --interface(`files_manage_generic_spool',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`files_manage_all_pids',` - gen_require(` -- type var_t, var_spool_t; ++ gen_require(` + attribute pidfile; - ') - -- allow $1 var_t:dir search_dir_perms; -- manage_files_pattern($1, var_spool_t, var_spool_t) ++ ') ++ + manage_files_pattern($1,pidfile,pidfile) - ') - - ######################################## - ## --## Create objects in the spool directory --## with a private type with a type transition. ++') ++ ++######################################## ++## +## Mount filesystems on all polyinstantiation +## member directories. - ## - ## - ## - ## Domain allowed access. - ## - ## --## --## --## Type to which the created node will be transitioned. --## --## --## --## --## Object class(es) (single or set including {}) for which this --## the transition will occur. --## --## --## ++## ++## ++## ++## Domain allowed access. ++## ++## +# +interface(`files_mounton_all_poly_members',` + gen_require(` 
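Review bot: The body of `files_manage_all_pids` in this hunk, `manage_files_pattern($1,pidfile,pidfile)`, drops the spaces after the commas that every other pattern call in this file uses (compare `exec_files_pattern($1, var_run_t, var_run_t)` a few lines above), so it should read `manage_files_pattern($1, pidfile, pidfile)`. The summary line `## manage all pidfiles` is also the only lower-case summary among the neighbouring interfaces; `## Manage all pidfiles` would match the file's documentation style. Unlike the `files_delete_all_pids` interface that follows it, this one grants no `var_t:dir search_dir_perms`, which looks deliberate (callers presumably pair it with `files_search_pids`) but is worth a one-line comment if so. These lines appear as context in this hunk, so the defect predates the commit but is still on the new side.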
@@ -119302,69 +119443,48 @@ index e1e814d..37f3b90 100644 +## Delete all process IDs. +## +## - ## --## The name of the object being created. ++## +## Domain allowed access. - ## - ## ++## ++## +## - # --interface(`files_spool_filetrans',` ++# +interface(`files_delete_all_pids',` - gen_require(` -- type var_t, var_spool_t; ++ gen_require(` + attribute pidfile; + type var_t, var_run_t; - ') - - allow $1 var_t:dir search_dir_perms; -- filetrans_pattern($1, var_spool_t, $2, $3, $4) ++ ') ++ ++ allow $1 var_t:dir search_dir_perms; + allow $1 var_run_t:lnk_file read_lnk_file_perms; + allow $1 var_run_t:dir rmdir; + allow $1 var_run_t:lnk_file delete_lnk_file_perms; + delete_files_pattern($1, pidfile, pidfile) + delete_fifo_files_pattern($1, pidfile, pidfile) + delete_sock_files_pattern($1, pidfile, { pidfile var_run_t }) - ') - - ######################################## - ## --## Allow access to manage all polyinstantiated --## directories on the system. ++') ++ ++######################################## ++## +## Delete all process ID directories. - ## - ## - ## -@@ -6406,25 +7147,283 @@ interface(`files_spool_filetrans',` - ## - ## - # --interface(`files_polyinstantiate_all',` ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# +interface(`files_delete_all_pid_dirs',` - gen_require(` -- attribute polydir, polymember, polyparent; -- type poly_t; ++ gen_require(` + attribute pidfile; + type var_t, var_run_t; - ') - -- # Need to give access to /selinux/member -- selinux_compute_member($1) -- -- # Need sys_admin capability for mounting -- allow $1 self:capability { chown fsetid sys_admin fowner }; -- -- # Need to give access to the directories to be polyinstantiated -- allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir }; -- -- # Need to give access to the polyinstantiated subdirectories -- allow $1 polymember:dir search_dir_perms; ++ ') ++ + allow $1 var_t:dir search_dir_perms; + allow $1 var_run_t:lnk_file read_lnk_file_perms; + delete_dirs_pattern($1, pidfile, pidfile) +') - -- # Need to give access to parent directories where original ++ +######################################## +## +## Make the specified type a file 
@@ -119539,102 +119659,10 @@ index e1e814d..37f3b90 100644 +interface(`files_read_generic_spool',` + gen_require(` + type var_t, var_spool_t; -+ ') -+ -+ list_dirs_pattern($1, var_t, var_spool_t) -+ read_files_pattern($1, var_spool_t, var_spool_t) -+') -+ -+######################################## -+## -+## Create, read, write, and delete generic -+## spool files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_manage_generic_spool',` -+ gen_require(` -+ type var_t, var_spool_t; -+ ') -+ -+ allow $1 var_t:dir search_dir_perms; -+ manage_files_pattern($1, var_spool_t, var_spool_t) -+') -+ -+######################################## -+## -+## Create objects in the spool directory -+## with a private type with a type transition. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+## -+## Type to which the created node will be transitioned. -+## -+## -+## -+## -+## Object class(es) (single or set including {}) for which this -+## the transition will occur. -+## -+## -+## -+## -+## The name of the object being created. -+## -+## -+# -+interface(`files_spool_filetrans',` -+ gen_require(` -+ type var_t, var_spool_t; -+ ') -+ -+ allow $1 var_t:dir search_dir_perms; -+ filetrans_pattern($1, var_spool_t, $2, $3, $4) -+') -+ -+######################################## -+## -+## Allow access to manage all polyinstantiated -+## directories on the system. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`files_polyinstantiate_all',` -+ gen_require(` -+ attribute polydir, polymember, polyparent; -+ type poly_t; -+ ') -+ -+ # Need to give access to /selinux/member -+ selinux_compute_member($1) -+ -+ # Need sys_admin capability for mounting -+ allow $1 self:capability { chown fsetid sys_admin fowner }; -+ -+ # Need to give access to the directories to be polyinstantiated -+ allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir }; -+ -+ # Need to give access to the polyinstantiated subdirectories -+ allow $1 polymember:dir search_dir_perms; -+ -+ # Need to give access to parent directories where original - # is remounted for polyinstantiation aware programs (like gdm) - allow $1 polyparent:dir { getattr mounton }; + ') -@@ -6467,3 +7466,457 @@ interface(`files_unconfined',` + list_dirs_pattern($1, var_t, var_spool_t) +@@ -6467,3 +7485,457 @@ interface(`files_unconfined',` typeattribute $1 files_unconfined_type; ') @@ -124389,10 +124417,10 @@ index 234a940..d340f20 100644 ######################################## ## diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te -index e5aee97..2fdb49f 100644 +index e5aee97..ead35b9 100644 --- a/policy/modules/roles/staff.te +++ b/policy/modules/roles/staff.te -@@ -8,12 +8,67 @@ policy_module(staff, 2.3.0) +@@ -8,12 +8,68 @@ policy_module(staff, 2.3.0) role staff_r; userdom_unpriv_user_template(staff) @@ -124441,6 +124469,7 @@ index e5aee97..2fdb49f 100644 + +init_dbus_chat(staff_t) +init_dbus_chat_script(staff_t) ++init_status(staff_t) + +miscfiles_read_hwdata(staff_t) + @@ -124460,7 +124489,7 @@ index e5aee97..2fdb49f 100644 optional_policy(` apache_role(staff_r, staff_t) ') -@@ -23,11 +78,110 @@ optional_policy(` +@@ -23,11 +79,110 @@ optional_policy(` ') optional_policy(` @@ -124572,7 +124601,7 @@ index e5aee97..2fdb49f 100644 ') optional_policy(` -@@ -35,15 +189,31 @@ optional_policy(` +@@ -35,15 +190,31 @@ optional_policy(` ') optional_policy(` 
@@ -124606,7 +124635,7 @@ index e5aee97..2fdb49f 100644 ') optional_policy(` -@@ -52,10 +222,59 @@ optional_policy(` +@@ -52,10 +223,59 @@ optional_policy(` ') optional_policy(` @@ -124666,7 +124695,7 @@ index e5aee97..2fdb49f 100644 xserver_role(staff_r, staff_t) ') -@@ -65,10 +284,6 @@ ifndef(`distro_redhat',` +@@ -65,10 +285,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -124677,7 +124706,7 @@ index e5aee97..2fdb49f 100644 cdrecord_role(staff_r, staff_t) ') -@@ -93,18 +308,10 @@ ifndef(`distro_redhat',` +@@ -93,18 +309,10 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -124696,7 +124725,7 @@ index e5aee97..2fdb49f 100644 java_role(staff_r, staff_t) ') -@@ -125,10 +332,6 @@ ifndef(`distro_redhat',` +@@ -125,10 +333,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -124707,7 +124736,7 @@ index e5aee97..2fdb49f 100644 pyzor_role(staff_r, staff_t) ') -@@ -141,10 +344,6 @@ ifndef(`distro_redhat',` +@@ -141,10 +345,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -124718,7 +124747,7 @@ index e5aee97..2fdb49f 100644 spamassassin_role(staff_r, staff_t) ') -@@ -176,3 +375,20 @@ ifndef(`distro_redhat',` +@@ -176,3 +376,20 @@ ifndef(`distro_redhat',` wireshark_role(staff_r, staff_t) ') ') @@ -124768,7 +124797,7 @@ index ff92430..36740ea 100644 ## ## Execute a generic bin program in the sysadm domain. diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te -index 44c198a..82eb9e5 100644 +index 44c198a..72a70fc 100644 --- a/policy/modules/roles/sysadm.te +++ b/policy/modules/roles/sysadm.te @@ -5,39 +5,73 @@ policy_module(sysadm, 2.5.0) @@ -125064,7 +125093,7 @@ index 44c198a..82eb9e5 100644 optional_policy(` - pyzor_role(sysadm_r, sysadm_t) -+ postfix_filetrans_named_content(sysadm_t) ++ postfix_admin(sysadm_t, sysadm_r) ') optional_policy(` @@ -126376,7 +126405,7 @@ index 3835596..fbca2be 100644 ######################################## ## 
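Review bot: In the sysadm.te hunk at `@@ -125064,7 +125093,7 @@`, replacing `postfix_filetrans_named_content(sysadm_t)` with `postfix_admin(sysadm_t, sysadm_r)` widens sysadm_t from a set of named file transitions to full administration of the postfix domains, which is what the commit message asks for, but it also silently drops the narrower call. Unless `postfix_admin` is known to include the named-content transitions (not visible here), the rename of created files under the postfix directories may regress; keeping `postfix_filetrans_named_content(sysadm_t)` alongside the new call, or confirming the admin interface already provides it, would make the intent explicit. A short comment such as `# sysadm administers postfix; filetrans rules come via postfix_admin` would spare the next reader the same question.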
diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te -index 9f6d4c3..23a78b4 100644 +index 9f6d4c3..07ceee0 100644 --- a/policy/modules/roles/unprivuser.te +++ b/policy/modules/roles/unprivuser.te @@ -1,5 +1,12 @@ @@ -126392,7 +126421,7 @@ index 9f6d4c3..23a78b4 100644 # this module should be named user, but that is # a compile error since user is a keyword. -@@ -12,12 +19,97 @@ role user_r; +@@ -12,12 +19,99 @@ role user_r; userdom_unpriv_user_template(user) @@ -126405,6 +126434,8 @@ index 9f6d4c3..23a78b4 100644 +storage_read_scsi_generic(user_t) +storage_write_scsi_generic(user_t) + ++init_status(user_t) ++ +tunable_policy(`selinuxuser_execmod',` + userdom_execmod_user_home_files(user_t) +') @@ -126491,7 +126522,7 @@ index 9f6d4c3..23a78b4 100644 ') optional_policy(` -@@ -25,6 +117,18 @@ optional_policy(` +@@ -25,6 +119,18 @@ optional_policy(` ') optional_policy(` @@ -126510,7 +126541,7 @@ index 9f6d4c3..23a78b4 100644 vlock_run(user_t, user_r) ') -@@ -66,10 +170,6 @@ ifndef(`distro_redhat',` +@@ -66,10 +172,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -126521,7 +126552,7 @@ index 9f6d4c3..23a78b4 100644 gpg_role(user_r, user_t) ') -@@ -102,10 +202,6 @@ ifndef(`distro_redhat',` +@@ -102,10 +204,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -126532,7 +126563,7 @@ index 9f6d4c3..23a78b4 100644 postgresql_role(user_r, user_t) ') -@@ -128,7 +224,6 @@ ifndef(`distro_redhat',` +@@ -128,7 +226,6 @@ ifndef(`distro_redhat',` optional_policy(` ssh_role_template(user, user_r, user_t) ') @@ -126540,7 +126571,7 @@ index 9f6d4c3..23a78b4 100644 optional_policy(` su_role_template(user, user_r, user_t) ') -@@ -161,3 +256,15 @@ ifndef(`distro_redhat',` +@@ -161,3 +258,15 @@ ifndef(`distro_redhat',` wireshark_role(user_r, user_t) ') ') @@ -126938,7 +126969,7 @@ index 078bcd7..022c7db 100644 +/root/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0) +/root/\.shosts gen_context(system_u:object_r:ssh_home_t,s0) 
diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if -index fe0c682..6395fe1 100644 +index fe0c682..2b21421 100644 --- a/policy/modules/services/ssh.if +++ b/policy/modules/services/ssh.if @@ -32,10 +32,11 @@ @@ -127065,7 +127096,7 @@ index fe0c682..6395fe1 100644 files_pid_file($1_var_run_t) - allow $1_t self:capability { kill sys_chroot sys_nice sys_resource chown dac_override fowner fsetid setgid setuid sys_tty_config }; -+ allow $1_t self:capability { kill sys_chroot sys_nice sys_resource chown dac_override fowner fsetid net_admin setgid setuid sys_tty_config }; ++ allow $1_t self:capability { kill sys_admin sys_chroot sys_nice sys_resource chown dac_override fowner fsetid net_admin setgid setuid sys_tty_config }; allow $1_t self:fifo_file rw_fifo_file_perms; - allow $1_t self:process { signal getsched setsched setrlimit setexec setkeycreate }; + allow $1_t self:process { getcap signal getsched setsched setrlimit setexec }; @@ -127114,12 +127145,12 @@ index fe0c682..6395fe1 100644 files_read_etc_files($1_t) files_read_etc_runtime_files($1_t) -@@ -241,35 +272,34 @@ template(`ssh_server_template', ` +@@ -241,35 +272,33 @@ template(`ssh_server_template', ` logging_search_logs($1_t) - miscfiles_read_localization($1_t) - +- - userdom_create_all_users_keys($1_t) userdom_dontaudit_relabelfrom_user_ptys($1_t) - userdom_search_user_home_dirs($1_t) @@ -127161,7 +127192,7 @@ index fe0c682..6395fe1 100644 ') ######################################## -@@ -292,14 +322,15 @@ template(`ssh_server_template', ` +@@ -292,14 +321,15 @@ template(`ssh_server_template', ` ## User domain for the role ## ## @@ -127178,7 +127209,7 @@ index fe0c682..6395fe1 100644 ') ############################## -@@ -328,103 +359,56 @@ template(`ssh_role_template',` +@@ -328,103 +358,56 @@ template(`ssh_role_template',` # allow ps to show ssh ps_process_pattern($3, ssh_t) 
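Review bot: In the hunk at `@@ -127065,7 +127096,7 @@`, adding `sys_admin` to `allow $1_t self:capability { ... }` grants CAP_SYS_ADMIN, which on Linux is close to root-equivalent, to every domain instantiated from `ssh_server_template` (`$1_t`), not only to sshd_t, even though the commit message scopes the need to AFS logins for sshd. It would be tighter to add the capability in sshd's own policy or behind a `tunable_policy` boolean so that deployments without AFS do not carry it, and in any case to record the reason inline, e.g. `# sys_admin: required for AFS logins` above the allow rule. The template's body starts and ends outside this hunk, so the other rules it grants to `$1_t` cannot be checked from here.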
@@ -127292,7 +127323,7 @@ index fe0c682..6395fe1 100644 ') ######################################## -@@ -496,8 +480,27 @@ interface(`ssh_read_pipes',` +@@ -496,8 +479,27 @@ interface(`ssh_read_pipes',` type sshd_t; ') @@ -127321,7 +127352,7 @@ index fe0c682..6395fe1 100644 ######################################## ## ## Read and write a ssh server unnamed pipe. -@@ -513,7 +516,7 @@ interface(`ssh_rw_pipes',` +@@ -513,7 +515,7 @@ interface(`ssh_rw_pipes',` type sshd_t; ') @@ -127330,7 +127361,7 @@ index fe0c682..6395fe1 100644 ') ######################################## -@@ -605,6 +608,24 @@ interface(`ssh_domtrans',` +@@ -605,6 +607,24 @@ interface(`ssh_domtrans',` ######################################## ## @@ -127355,7 +127386,7 @@ index fe0c682..6395fe1 100644 ## Execute the ssh client in the caller domain. ## ## -@@ -637,7 +658,7 @@ interface(`ssh_setattr_key_files',` +@@ -637,7 +657,7 @@ interface(`ssh_setattr_key_files',` type sshd_key_t; ') @@ -127364,7 +127395,7 @@ index fe0c682..6395fe1 100644 files_search_pids($1) ') -@@ -662,6 +683,42 @@ interface(`ssh_agent_exec',` +@@ -662,6 +682,42 @@ interface(`ssh_agent_exec',` ######################################## ## @@ -127407,7 +127438,7 @@ index fe0c682..6395fe1 100644 ## Read ssh home directory content ## ## -@@ -701,6 +758,50 @@ interface(`ssh_domtrans_keygen',` +@@ -701,6 +757,50 @@ interface(`ssh_domtrans_keygen',` ######################################## ## @@ -127458,7 +127489,7 @@ index fe0c682..6395fe1 100644 ## Read ssh server keys ## ## -@@ -714,7 +815,7 @@ interface(`ssh_dontaudit_read_server_keys',` +@@ -714,7 +814,7 @@ interface(`ssh_dontaudit_read_server_keys',` type sshd_key_t; ') @@ -127467,7 +127498,7 @@ index fe0c682..6395fe1 100644 ') ###################################### -@@ -754,3 +855,101 @@ interface(`ssh_delete_tmp',` +@@ -754,3 +854,101 @@ interface(`ssh_delete_tmp',` files_search_tmp($1) delete_files_pattern($1, sshd_tmp_t, sshd_tmp_t) ') 
@@ -130986,10 +131017,10 @@ index c6fdab7..c59902a 100644 cron_sigchld(application_domain_type) ') diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc -index 28ad538..ffa1f8f 100644 +index 28ad538..ebe81bf 100644 --- a/policy/modules/system/authlogin.fc +++ b/policy/modules/system/authlogin.fc -@@ -1,14 +1,25 @@ +@@ -1,14 +1,26 @@ +HOME_DIR/\.google_authenticator gen_context(system_u:object_r:auth_home_t,s0) +HOME_DIR/\.google_authenticator~ gen_context(system_u:object_r:auth_home_t,s0) +/root/\.google_authenticator gen_context(system_u:object_r:auth_home_t,s0) @@ -131002,6 +131033,7 @@ index 28ad538..ffa1f8f 100644 +/etc/group\.lock -- gen_context(system_u:object_r:passwd_file_t,s0) /etc/gshadow.* -- gen_context(system_u:object_r:shadow_t,s0) -/etc/passwd\.lock -- gen_context(system_u:object_r:shadow_t,s0) ++/etc/nshadow.* -- gen_context(system_u:object_r:shadow_t,s0) /etc/shadow.* -- gen_context(system_u:object_r:shadow_t,s0) +/etc/security/opasswd -- gen_context(system_u:object_r:shadow_t,s0) +/etc/security/opasswd\.old -- gen_context(system_u:object_r:shadow_t,s0) @@ -131019,7 +131051,7 @@ index 28ad538..ffa1f8f 100644 /sbin/unix_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0) /sbin/unix_update -- gen_context(system_u:object_r:updpwd_exec_t,s0) /sbin/unix_verify -- gen_context(system_u:object_r:chkpwd_exec_t,s0) -@@ -16,13 +27,24 @@ ifdef(`distro_suse', ` +@@ -16,13 +28,24 @@ ifdef(`distro_suse', ` /sbin/unix2_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0) ') @@ -131046,7 +131078,7 @@ index 28ad538..ffa1f8f 100644 /var/cache/coolkey(/.*)? gen_context(system_u:object_r:auth_cache_t,s0) -@@ -30,20 +52,24 @@ ifdef(`distro_gentoo', ` +@@ -30,20 +53,24 @@ ifdef(`distro_gentoo', ` /var/lib/abl(/.*)? gen_context(system_u:object_r:var_auth_t,s0) /var/lib/pam_ssh(/.*)? gen_context(system_u:object_r:var_auth_t,s0) 
@@ -131076,7 +131108,7 @@ index 28ad538..ffa1f8f 100644 -/var/run/user(/.*)? gen_context(system_u:object_r:var_auth_t,s0) /var/(db|lib|adm)/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0) diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if -index f416ce9..b4efacf 100644 +index f416ce9..4d4ec55 100644 --- a/policy/modules/system/authlogin.if +++ b/policy/modules/system/authlogin.if @@ -23,11 +23,17 @@ interface(`auth_role',` @@ -131311,17 +131343,18 @@ index f416ce9..b4efacf 100644 ') ######################################## -@@ -664,6 +720,9 @@ interface(`auth_manage_shadow',` +@@ -664,6 +720,10 @@ interface(`auth_manage_shadow',` allow $1 shadow_t:file manage_file_perms; typeattribute $1 can_read_shadow_passwords, can_write_shadow_passwords; + files_var_filetrans($1, shadow_t, file, "shadow") + files_var_filetrans($1, shadow_t, file, "shadow-") + files_etc_filetrans($1, shadow_t, file, "gshadow") ++ files_etc_filetrans($1, shadow_t, file, "nshadow") ') ####################################### -@@ -763,7 +822,50 @@ interface(`auth_rw_faillog',` +@@ -763,7 +823,50 @@ interface(`auth_rw_faillog',` ') logging_search_logs($1) @@ -131373,7 +131406,7 @@ index f416ce9..b4efacf 100644 ') ####################################### -@@ -826,7 +928,7 @@ interface(`auth_rw_lastlog',` +@@ -826,7 +929,7 @@ interface(`auth_rw_lastlog',` ######################################## ## @@ -131382,7 +131415,7 @@ index f416ce9..b4efacf 100644 ## ## ## -@@ -834,12 +936,27 @@ interface(`auth_rw_lastlog',` +@@ -834,12 +937,27 @@ interface(`auth_rw_lastlog',` ## ## # @@ -131413,7 +131446,7 @@ index f416ce9..b4efacf 100644 ') ######################################## -@@ -854,15 +971,15 @@ interface(`auth_domtrans_pam',` +@@ -854,15 +972,15 @@ interface(`auth_domtrans_pam',` # interface(`auth_signal_pam',` gen_require(` 
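Review bot: The added `files_etc_filetrans($1, shadow_t, file, "nshadow")` in `auth_manage_shadow` only covers a file created with the exact name nshadow, whereas the file-context entry `/etc/nshadow.*` added by this same commit labels any suffix, so a companion name created at runtime (a backup- or lock-style `nshadow-`/`nshadow+`, if the writing tool uses one — not visible here) would get the parent directory's default label rather than `shadow_t` until a relabel. The existing `"shadow-"` transition two lines above shows the pattern; if nshadow has such a companion it should get one too, e.g. `files_etc_filetrans($1, shadow_t, file, "nshadow-")`. If nshadow is only ever a temporary that is renamed over /etc/shadow, a one-line comment above the new transition saying so would spare the next reader the same question.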
@@ -131432,7 +131465,7 @@ index f416ce9..b4efacf 100644 ## ## ## -@@ -875,13 +992,33 @@ interface(`auth_signal_pam',` +@@ -875,13 +993,33 @@ interface(`auth_signal_pam',` ## ## # @@ -131470,7 +131503,7 @@ index f416ce9..b4efacf 100644 ') ######################################## -@@ -959,9 +1096,30 @@ interface(`auth_manage_var_auth',` +@@ -959,9 +1097,30 @@ interface(`auth_manage_var_auth',` ') files_search_var($1) @@ -131504,7 +131537,7 @@ index f416ce9..b4efacf 100644 ') ######################################## -@@ -1040,6 +1198,10 @@ interface(`auth_manage_pam_pid',` +@@ -1040,6 +1199,10 @@ interface(`auth_manage_pam_pid',` files_search_pids($1) allow $1 pam_var_run_t:dir manage_dir_perms; allow $1 pam_var_run_t:file manage_file_perms; @@ -131515,7 +131548,7 @@ index f416ce9..b4efacf 100644 ') ######################################## -@@ -1157,6 +1319,7 @@ interface(`auth_manage_pam_console_data',` +@@ -1157,6 +1320,7 @@ interface(`auth_manage_pam_console_data',` files_search_pids($1) manage_files_pattern($1, pam_var_console_t, pam_var_console_t) manage_lnk_files_pattern($1, pam_var_console_t, pam_var_console_t) @@ -131523,7 +131556,7 @@ index f416ce9..b4efacf 100644 ') ####################################### -@@ -1526,6 +1689,25 @@ interface(`auth_setattr_login_records',` +@@ -1526,6 +1690,25 @@ interface(`auth_setattr_login_records',` ######################################## ## @@ -131549,7 +131582,7 @@ index f416ce9..b4efacf 100644 ## Read login records files (/var/log/wtmp). ## ## -@@ -1676,24 +1858,7 @@ interface(`auth_manage_login_records',` +@@ -1676,24 +1859,7 @@ interface(`auth_manage_login_records',` logging_rw_generic_log_dirs($1) allow $1 wtmp_t:file manage_file_perms; @@ -131575,7 +131608,7 @@ index f416ce9..b4efacf 100644 ') ######################################## -@@ -1717,11 +1882,13 @@ interface(`auth_relabel_login_records',` +@@ -1717,11 +1883,13 @@ interface(`auth_relabel_login_records',` ## # interface(`auth_use_nsswitch',` 
@@ -131592,7 +131625,7 @@ index f416ce9..b4efacf 100644 ') ######################################## -@@ -1755,3 +1922,199 @@ interface(`auth_unconfined',` +@@ -1755,3 +1923,199 @@ interface(`auth_unconfined',` typeattribute $1 can_write_shadow_passwords; typeattribute $1 can_relabelto_shadow_passwords; ') @@ -132372,10 +132405,10 @@ index a97a096..f65892c 100644 + +/var/run/blkid(/.*)? gen_context(system_u:object_r:fsadm_var_run_t,s0) diff --git a/policy/modules/system/fstools.if b/policy/modules/system/fstools.if -index 016a770..927f4b8 100644 +index 016a770..1effeb4 100644 --- a/policy/modules/system/fstools.if +++ b/policy/modules/system/fstools.if -@@ -154,3 +154,23 @@ interface(`fstools_getattr_swap_files',` +@@ -154,3 +154,24 @@ interface(`fstools_getattr_swap_files',` allow $1 swapfile_t:file getattr; ') @@ -132396,6 +132429,7 @@ index 016a770..927f4b8 100644 + ') + + files_search_pids($1) ++ manage_dirs_pattern($1, fsadm_var_run_t, fsadm_var_run_t) + manage_files_pattern($1, fsadm_var_run_t, fsadm_var_run_t) + files_pid_filetrans($1, fsadm_var_run_t, dir, "blkid") +') @@ -133934,7 +133968,7 @@ index d26fe81..95c1bd8 100644 + allow $1 init_t:system undefined; +') diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index 4a88fa1..c57afad 100644 +index 4a88fa1..fe91700 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -11,10 +11,24 @@ gen_require(` @@ -134170,7 +134204,7 @@ index 4a88fa1..c57afad 100644 ifdef(`distro_gentoo',` allow init_t self:process { getcap setcap }; -@@ -183,29 +269,177 @@ ifdef(`distro_gentoo',` +@@ -183,29 +269,176 @@ ifdef(`distro_gentoo',` ') ifdef(`distro_redhat',` 
@@ -134227,9 +134261,7 @@ index 4a88fa1..c57afad 100644 + +kernel_list_unlabeled(init_t) +kernel_read_network_state(init_t) -+kernel_rw_kernel_sysctl(init_t) -+kernel_rw_net_sysctls(init_t) -+kernel_read_all_sysctls(init_t) ++kernel_rw_all_sysctls(init_t) +kernel_read_software_raid_state(init_t) +kernel_unmount_debugfs(init_t) +kernel_setsched(init_t) @@ -134317,6 +134349,7 @@ index 4a88fa1..c57afad 100644 +systemd_relabelto_fifo_file_passwd_run(init_t) +systemd_relabel_unit_dirs(init_t) +systemd_relabel_unit_files(init_t) ++systemd_create_unit_dirs(initrc_t) +systemd_config_all_services(initrc_t) +systemd_read_unit_files(initrc_t) + @@ -134356,7 +134389,7 @@ index 4a88fa1..c57afad 100644 ') optional_policy(` -@@ -213,6 +447,27 @@ optional_policy(` +@@ -213,6 +446,27 @@ optional_policy(` ') optional_policy(` @@ -134384,7 +134417,7 @@ index 4a88fa1..c57afad 100644 unconfined_domain(init_t) ') -@@ -222,8 +477,9 @@ optional_policy(` +@@ -222,8 +476,9 @@ optional_policy(` # allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; @@ -134396,7 +134429,7 @@ index 4a88fa1..c57afad 100644 allow initrc_t self:passwd rootok; allow initrc_t self:key manage_key_perms; -@@ -251,12 +507,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) +@@ -251,12 +506,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) allow initrc_t initrc_var_run_t:file manage_file_perms; files_pid_filetrans(initrc_t, initrc_var_run_t, file) @@ -134413,7 +134446,7 @@ index 4a88fa1..c57afad 100644 manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) -@@ -272,23 +532,36 @@ kernel_change_ring_buffer_level(initrc_t) +@@ -272,23 +531,36 @@ kernel_change_ring_buffer_level(initrc_t) kernel_clear_ring_buffer(initrc_t) kernel_get_sysvipc_info(initrc_t) kernel_read_all_sysctls(initrc_t) 
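Review bot: Replacing `kernel_rw_kernel_sysctl(init_t)`, `kernel_rw_net_sysctls(init_t)` and `kernel_read_all_sysctls(init_t)` with the single `kernel_rw_all_sysctls(init_t)` turns every sysctl class that was deliberately read-only for init into read-write, and nothing on the line records why. If the driver is systemd applying sysctl.d at boot (the changelog only says "read/write all sysctls"), put that above the call: `# systemd applies /etc/sysctl.d at boot and needs write on every sysctl class`, so a later cleanup does not trim it back to the three narrower interfaces without knowing what breaks. The same hunk also adds `systemd_create_unit_dirs(initrc_t)` with no matching changelog item; a short comment naming the init-script behaviour it serves would help. The surrounding init_t rules continue outside the hunk.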
@@ -134456,7 +134489,7 @@ index 4a88fa1..c57afad 100644 corenet_tcp_sendrecv_all_ports(initrc_t) corenet_udp_sendrecv_all_ports(initrc_t) corenet_tcp_connect_all_ports(initrc_t) -@@ -296,9 +569,11 @@ corenet_sendrecv_all_client_packets(initrc_t) +@@ -296,9 +568,11 @@ corenet_sendrecv_all_client_packets(initrc_t) dev_read_rand(initrc_t) dev_read_urand(initrc_t) @@ -134468,7 +134501,7 @@ index 4a88fa1..c57afad 100644 dev_rw_sysfs(initrc_t) dev_list_usbfs(initrc_t) dev_read_framebuffer(initrc_t) -@@ -306,8 +581,10 @@ dev_write_framebuffer(initrc_t) +@@ -306,8 +580,10 @@ dev_write_framebuffer(initrc_t) dev_read_realtime_clock(initrc_t) dev_read_sound_mixer(initrc_t) dev_write_sound_mixer(initrc_t) @@ -134479,7 +134512,7 @@ index 4a88fa1..c57afad 100644 dev_delete_lvm_control_dev(initrc_t) dev_manage_generic_symlinks(initrc_t) dev_manage_generic_files(initrc_t) -@@ -315,17 +592,16 @@ dev_manage_generic_files(initrc_t) +@@ -315,17 +591,16 @@ dev_manage_generic_files(initrc_t) dev_delete_generic_symlinks(initrc_t) dev_getattr_all_blk_files(initrc_t) dev_getattr_all_chr_files(initrc_t) @@ -134499,7 +134532,7 @@ index 4a88fa1..c57afad 100644 domain_getsession_all_domains(initrc_t) domain_use_interactive_fds(initrc_t) # for lsof which is used by alsa shutdown: -@@ -333,6 +609,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) +@@ -333,6 +608,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) domain_dontaudit_getattr_all_tcp_sockets(initrc_t) domain_dontaudit_getattr_all_dgram_sockets(initrc_t) domain_dontaudit_getattr_all_pipes(initrc_t) @@ -134507,7 +134540,7 @@ index 4a88fa1..c57afad 100644 files_getattr_all_dirs(initrc_t) files_getattr_all_files(initrc_t) -@@ -340,8 +617,10 @@ files_getattr_all_symlinks(initrc_t) +@@ -340,8 +616,10 @@ files_getattr_all_symlinks(initrc_t) files_getattr_all_pipes(initrc_t) files_getattr_all_sockets(initrc_t) files_purge_tmp(initrc_t) 
@@ -134519,7 +134552,7 @@ index 4a88fa1..c57afad 100644 files_delete_all_pids(initrc_t) files_delete_all_pid_dirs(initrc_t) files_read_etc_files(initrc_t) -@@ -357,8 +636,12 @@ files_list_isid_type_dirs(initrc_t) +@@ -357,8 +635,12 @@ files_list_isid_type_dirs(initrc_t) files_mounton_isid_type_dirs(initrc_t) files_list_default(initrc_t) files_mounton_default(initrc_t) @@ -134533,7 +134566,7 @@ index 4a88fa1..c57afad 100644 fs_list_inotifyfs(initrc_t) fs_register_binary_executable_type(initrc_t) # rhgb-console writes to ramfs -@@ -368,9 +651,13 @@ fs_mount_all_fs(initrc_t) +@@ -368,9 +650,13 @@ fs_mount_all_fs(initrc_t) fs_unmount_all_fs(initrc_t) fs_remount_all_fs(initrc_t) fs_getattr_all_fs(initrc_t) @@ -134548,7 +134581,7 @@ index 4a88fa1..c57afad 100644 mcs_killall(initrc_t) mcs_process_set_categories(initrc_t) -@@ -380,6 +667,7 @@ mls_process_read_up(initrc_t) +@@ -380,6 +666,7 @@ mls_process_read_up(initrc_t) mls_process_write_down(initrc_t) mls_rangetrans_source(initrc_t) mls_fd_share_all_levels(initrc_t) @@ -134556,7 +134589,7 @@ index 4a88fa1..c57afad 100644 selinux_get_enforce_mode(initrc_t) -@@ -391,6 +679,7 @@ term_use_all_terms(initrc_t) +@@ -391,6 +678,7 @@ term_use_all_terms(initrc_t) term_reset_tty_labels(initrc_t) auth_rw_login_records(initrc_t) @@ -134564,7 +134597,7 @@ index 4a88fa1..c57afad 100644 auth_setattr_login_records(initrc_t) auth_rw_lastlog(initrc_t) auth_read_pam_pid(initrc_t) -@@ -409,20 +698,18 @@ logging_read_all_logs(initrc_t) +@@ -409,20 +697,18 @@ logging_read_all_logs(initrc_t) logging_append_all_logs(initrc_t) logging_read_audit_config(initrc_t) @@ -134588,7 +134621,7 @@ index 4a88fa1..c57afad 100644 ifdef(`distro_debian',` dev_setattr_generic_dirs(initrc_t) -@@ -476,6 +763,10 @@ ifdef(`distro_gentoo',` +@@ -476,6 +762,10 @@ ifdef(`distro_gentoo',` sysnet_setattr_config(initrc_t) optional_policy(` 
@@ -134599,7 +134632,7 @@ index 4a88fa1..c57afad 100644 alsa_read_lib(initrc_t) ') -@@ -496,7 +787,7 @@ ifdef(`distro_redhat',` +@@ -496,7 +786,7 @@ ifdef(`distro_redhat',` # Red Hat systems seem to have a stray # fd open from the initrd @@ -134608,7 +134641,7 @@ index 4a88fa1..c57afad 100644 files_dontaudit_read_root_files(initrc_t) # These seem to be from the initrd -@@ -511,6 +802,7 @@ ifdef(`distro_redhat',` +@@ -511,6 +801,7 @@ ifdef(`distro_redhat',` files_create_boot_dirs(initrc_t) files_create_boot_flag(initrc_t) files_rw_boot_symlinks(initrc_t) @@ -134616,7 +134649,7 @@ index 4a88fa1..c57afad 100644 # wants to read /.fonts directory files_read_default_files(initrc_t) files_mountpoint(initrc_tmp_t) -@@ -531,6 +823,7 @@ ifdef(`distro_redhat',` +@@ -531,6 +822,7 @@ ifdef(`distro_redhat',` miscfiles_rw_localization(initrc_t) miscfiles_setattr_localization(initrc_t) miscfiles_relabel_localization(initrc_t) @@ -134624,7 +134657,7 @@ index 4a88fa1..c57afad 100644 miscfiles_read_fonts(initrc_t) miscfiles_read_hwdata(initrc_t) -@@ -540,8 +833,40 @@ ifdef(`distro_redhat',` +@@ -540,8 +832,40 @@ ifdef(`distro_redhat',` ') optional_policy(` @@ -134665,7 +134698,7 @@ index 4a88fa1..c57afad 100644 ') optional_policy(` -@@ -549,14 +874,31 @@ ifdef(`distro_redhat',` +@@ -549,14 +873,31 @@ ifdef(`distro_redhat',` rpc_write_exports(initrc_t) rpc_manage_nfs_state_data(initrc_t) ') @@ -134697,7 +134730,7 @@ index 4a88fa1..c57afad 100644 ') ') -@@ -567,6 +909,39 @@ ifdef(`distro_suse',` +@@ -567,6 +908,39 @@ ifdef(`distro_suse',` ') ') @@ -134737,7 +134770,7 @@ index 4a88fa1..c57afad 100644 optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -579,6 +954,8 @@ optional_policy(` +@@ -579,6 +953,8 @@ optional_policy(` optional_policy(` apache_read_config(initrc_t) apache_list_modules(initrc_t) 
@@ -134746,7 +134779,7 @@ index 4a88fa1..c57afad 100644 ') optional_policy(` -@@ -600,6 +977,7 @@ optional_policy(` +@@ -600,6 +976,7 @@ optional_policy(` optional_policy(` cgroup_stream_connect_cgred(initrc_t) @@ -134754,7 +134787,7 @@ index 4a88fa1..c57afad 100644 ') optional_policy(` -@@ -612,6 +990,17 @@ optional_policy(` +@@ -612,6 +989,17 @@ optional_policy(` ') optional_policy(` @@ -134772,7 +134805,7 @@ index 4a88fa1..c57afad 100644 dev_getattr_printer_dev(initrc_t) cups_read_log(initrc_t) -@@ -628,9 +1017,13 @@ optional_policy(` +@@ -628,9 +1016,13 @@ optional_policy(` dbus_connect_system_bus(initrc_t) dbus_system_bus_client(initrc_t) dbus_read_config(initrc_t) @@ -134786,7 +134819,7 @@ index 4a88fa1..c57afad 100644 ') optional_policy(` -@@ -655,6 +1048,10 @@ optional_policy(` +@@ -655,6 +1047,10 @@ optional_policy(` ') optional_policy(` @@ -134797,7 +134830,7 @@ index 4a88fa1..c57afad 100644 gpm_setattr_gpmctl(initrc_t) ') -@@ -672,6 +1069,15 @@ optional_policy(` +@@ -672,6 +1068,15 @@ optional_policy(` ') optional_policy(` @@ -134813,7 +134846,7 @@ index 4a88fa1..c57afad 100644 inn_exec_config(initrc_t) ') -@@ -712,6 +1118,7 @@ optional_policy(` +@@ -712,6 +1117,7 @@ optional_policy(` lpd_list_spool(initrc_t) lpd_read_config(initrc_t) @@ -134821,7 +134854,7 @@ index 4a88fa1..c57afad 100644 ') optional_policy(` -@@ -729,7 +1136,14 @@ optional_policy(` +@@ -729,7 +1135,14 @@ optional_policy(` ') optional_policy(` @@ -134836,7 +134869,7 @@ index 4a88fa1..c57afad 100644 mta_dontaudit_read_spool_symlinks(initrc_t) ') -@@ -752,6 +1166,10 @@ optional_policy(` +@@ -752,6 +1165,10 @@ optional_policy(` ') optional_policy(` @@ -134847,7 +134880,7 @@ index 4a88fa1..c57afad 100644 postgresql_manage_db(initrc_t) postgresql_read_config(initrc_t) ') -@@ -761,10 +1179,20 @@ optional_policy(` +@@ -761,10 +1178,20 @@ optional_policy(` ') optional_policy(` 
@@ -134868,7 +134901,7 @@ index 4a88fa1..c57afad 100644 quota_manage_flags(initrc_t) ') -@@ -773,6 +1201,10 @@ optional_policy(` +@@ -773,6 +1200,10 @@ optional_policy(` ') optional_policy(` @@ -134879,7 +134912,7 @@ index 4a88fa1..c57afad 100644 fs_write_ramfs_sockets(initrc_t) fs_search_ramfs(initrc_t) -@@ -794,8 +1226,6 @@ optional_policy(` +@@ -794,8 +1225,6 @@ optional_policy(` # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) @@ -134888,7 +134921,7 @@ index 4a88fa1..c57afad 100644 ') optional_policy(` -@@ -804,6 +1234,10 @@ optional_policy(` +@@ -804,6 +1233,10 @@ optional_policy(` ') optional_policy(` @@ -134899,7 +134932,7 @@ index 4a88fa1..c57afad 100644 # shorewall-init script run /var/lib/shorewall/firewall shorewall_lib_domtrans(initrc_t) ') -@@ -813,10 +1247,12 @@ optional_policy(` +@@ -813,10 +1246,12 @@ optional_policy(` squid_manage_logs(initrc_t) ') @@ -134912,7 +134945,7 @@ index 4a88fa1..c57afad 100644 optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -828,8 +1264,6 @@ optional_policy(` +@@ -828,8 +1263,6 @@ optional_policy(` ') optional_policy(` @@ -134921,7 +134954,7 @@ index 4a88fa1..c57afad 100644 udev_manage_pid_files(initrc_t) udev_manage_pid_dirs(initrc_t) udev_manage_rules_files(initrc_t) -@@ -840,12 +1274,30 @@ optional_policy(` +@@ -840,12 +1273,30 @@ optional_policy(` ') optional_policy(` @@ -134954,7 +134987,7 @@ index 4a88fa1..c57afad 100644 ifdef(`distro_redhat',` # system-config-services causes avc messages that should be dontaudited -@@ -855,6 +1307,18 @@ optional_policy(` +@@ -855,6 +1306,18 @@ optional_policy(` optional_policy(` mono_domtrans(initrc_t) ') @@ -134973,7 +135006,7 @@ index 4a88fa1..c57afad 100644 ') optional_policy(` -@@ -870,6 +1334,10 @@ optional_policy(` +@@ -870,6 +1333,10 @@ optional_policy(` ') optional_policy(` 
@@ -134984,7 +135017,7 @@ index 4a88fa1..c57afad 100644 # Set device ownerships/modes. xserver_setattr_console_pipes(initrc_t) -@@ -880,3 +1348,185 @@ optional_policy(` +@@ -880,3 +1347,185 @@ optional_policy(` optional_policy(` zebra_read_config(initrc_t) ') @@ -141397,10 +141430,10 @@ index 0000000..6d7c302 +/var/run/initramfs(/.*)? <> diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if new file mode 100644 -index 0000000..5d53f08 +index 0000000..3e4cae7 --- /dev/null +++ b/policy/modules/system/systemd.if -@@ -0,0 +1,924 @@ +@@ -0,0 +1,962 @@ +## SELinux policy for systemd components + +####################################### @@ -141518,6 +141551,25 @@ index 0000000..5d53f08 + allow $1 systemd_unit_file_type:dir list_dir_perms; +') + ++###################################### ++## ++## Allow domain to list systemd unit dirs. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`systemd_create_unit_dirs',` ++ gen_require(` ++ attribute systemd_unit_file_type; ++ ') ++ ++ files_search_var_lib($1) ++ allow $1 systemd_unit_file_type:dir create; ++') ++ +##################################### +## +## Allow domain to getattr all systemd unit files. @@ -142325,6 +142377,25 @@ index 0000000..5d53f08 + systemd_exec_systemctl($1) + allow $1 systemd_unit_file_type:service start; +') ++ ++####################################### ++## ++## Start power unit files domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`systemd_status_all_unit_files',` ++ gen_require(` ++ attribute systemd_unit_file_type; ++ ') ++ ++ systemd_exec_systemctl($1) ++ allow $1 systemd_unit_file_type:service status; ++') diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 index 0000000..223e3f0 diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index 916914e1..1b100a30 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch 
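Review bot: The summary of the new `systemd_create_unit_dirs` interface reads "Allow domain to list systemd unit dirs." but the body grants `allow $1 systemd_unit_file_type:dir create;`, so the doc block is a copy of the list interface above it and misdescribes the permission. Change the summary to `## Allow domain to create systemd unit directories.`. Note that `create` on the new directory's type does not by itself let the caller add the entry to its parent; whether callers are given `add_name` on the parent elsewhere is not visible here, so a one-line comment stating that expectation would be useful.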
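Review bot: The doc block of the new `systemd_status_all_unit_files` interface is copied from a domain-transition interface: its summary "Start power unit files domain." and its parameter text "Domain allowed to transition." do not match the `allow $1 systemd_unit_file_type:service status;` it actually grants. Replace them with `## Get the status of all systemd unit files.` and `## Domain allowed access.`. Since the interface also calls `systemd_exec_systemctl($1)`, the summary could mention that the caller is allowed to run systemctl in its own domain.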
@@ -2132,7 +2132,7 @@ index 0000000..feabdf3 + files_getattr_all_sockets(antivirus_domain) +') diff --git a/apache.fc b/apache.fc -index fd9fa07..cca43af 100644 +index fd9fa07..dcb9d6e 100644 --- a/apache.fc +++ b/apache.fc @@ -1,20 +1,37 @@ @@ -2233,7 +2233,12 @@ index fd9fa07..cca43af 100644 /var/cache/httpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) /var/cache/lighttpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) -@@ -73,31 +100,50 @@ ifdef(`distro_suse', ` +@@ -69,35 +96,54 @@ ifdef(`distro_suse', ` + /var/cache/php-.* gen_context(system_u:object_r:httpd_cache_t,s0) + /var/cache/php-eaccelerator(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) + /var/cache/php-mmcache(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) +-/var/cache/rt3(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) ++/var/cache/rt(3|4)(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) /var/cache/ssl.*\.sem -- gen_context(system_u:object_r:httpd_cache_t,s0) /var/lib/cacti/rra(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) @@ -2275,7 +2280,7 @@ index fd9fa07..cca43af 100644 ') +/var/lib/pootle/po(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) -+/var/lib/rt3/data/RT-Shredder(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) ++/var/lib/rt(3|4)/data/RT-Shredder(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) + /var/run/apache.* gen_context(system_u:object_r:httpd_var_run_t,s0) +/var/run/cherokee\.pid -- gen_context(system_u:object_r:httpd_var_run_t,s0) @@ -17084,7 +17089,7 @@ index f706b99..3b4f593 100644 + logging_log_filetrans($1, devicekit_var_log_t, file, "pm-suspend.log") ') diff --git a/devicekit.te b/devicekit.te -index 1819518..1363f96 100644 +index 1819518..2cd919b 100644 --- a/devicekit.te +++ b/devicekit.te @@ -7,15 +7,15 @@ policy_module(devicekit, 1.2.0) 
@@ -17202,7 +17207,15 @@ index 1819518..1363f96 100644 dbus_system_bus_client(devicekit_disk_t) allow devicekit_disk_t devicekit_t:dbus send_msg; -@@ -170,6 +182,10 @@ optional_policy(` +@@ -156,6 +168,7 @@ optional_policy(` + + optional_policy(` + mount_domtrans(devicekit_disk_t) ++ mount_read_pid_files(devicekit_disk_t) + ') + + optional_policy(` +@@ -170,6 +183,10 @@ optional_policy(` ') optional_policy(` @@ -17213,7 +17226,7 @@ index 1819518..1363f96 100644 udev_domtrans(devicekit_disk_t) udev_read_db(devicekit_disk_t) ') -@@ -178,55 +194,84 @@ optional_policy(` +@@ -178,55 +195,84 @@ optional_policy(` virt_manage_images(devicekit_disk_t) ') @@ -17305,7 +17318,7 @@ index 1819518..1363f96 100644 userdom_read_all_users_state(devicekit_power_t) -@@ -235,10 +280,16 @@ optional_policy(` +@@ -235,10 +281,16 @@ optional_policy(` ') optional_policy(` @@ -17322,7 +17335,7 @@ index 1819518..1363f96 100644 dbus_system_bus_client(devicekit_power_t) allow devicekit_power_t devicekit_t:dbus send_msg; -@@ -261,14 +312,21 @@ optional_policy(` +@@ -261,14 +313,21 @@ optional_policy(` ') optional_policy(` @@ -17345,7 +17358,7 @@ index 1819518..1363f96 100644 policykit_dbus_chat(devicekit_power_t) policykit_domtrans_auth(devicekit_power_t) policykit_read_lib(devicekit_power_t) -@@ -276,9 +334,31 @@ optional_policy(` +@@ -276,9 +335,31 @@ optional_policy(` ') optional_policy(` @@ -21279,10 +21292,10 @@ index 0000000..c4c7510 +') diff --git a/firewalld.te b/firewalld.te new file mode 100644 -index 0000000..a7fcf3c +index 0000000..90c8ee3 --- /dev/null +++ b/firewalld.te -@@ -0,0 +1,94 @@ +@@ -0,0 +1,95 @@ + +policy_module(firewalld,1.0.0) + 
@@ -21329,7 +21342,8 @@ index 0000000..a7fcf3c + +# should be fixed to cooperate with systemd to create /var/run/firewalld directory +manage_files_pattern(firewalld_t, firewalld_var_run_t, firewalld_var_run_t) -+files_pid_filetrans(firewalld_t, firewalld_var_run_t, { file }) ++files_pid_filetrans(firewalld_t, firewalld_var_run_t, file) ++can_exec(firewalld_t, firewalld_var_run_t) + +kernel_read_network_state(firewalld_t) +kernel_read_system_state(firewalld_t) @@ -21346,7 +21360,7 @@ index 0000000..a7fcf3c + +fs_getattr_xattr_fs(firewalld_t) + -+auth_read_passwd(firewalld_t) ++auth_use_nsswitch(firewalld_t) + +logging_send_syslog_msg(firewalld_t) + @@ -31517,7 +31531,7 @@ index 572b5db..1e55f43 100644 +userdom_use_inherited_user_terminals(lockdev_t) + diff --git a/logrotate.te b/logrotate.te -index 7090dae..4aaa8fb 100644 +index 7090dae..8a2583b 100644 --- a/logrotate.te +++ b/logrotate.te @@ -29,9 +29,8 @@ files_type(logrotate_var_lib_t) @@ -31527,7 +31541,7 @@ index 7090dae..4aaa8fb 100644 -allow logrotate_t self:capability { chown dac_override dac_read_search kill fsetid fowner sys_resource sys_nice }; -# for mailx -dontaudit logrotate_t self:capability { setuid setgid sys_ptrace }; -+allow logrotate_t self:capability { chown dac_override dac_read_search kill fsetid fowner setuid setgid sys_resource sys_nice }; ++allow logrotate_t self:capability { chown dac_override dac_read_search kill fsetid fowner setuid setgid sys_resource sys_nice sys_ptrace }; +dontaudit logrotate_t self:capability sys_resource; allow logrotate_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; @@ -31580,7 +31594,7 @@ index 7090dae..4aaa8fb 100644 # cjp: why is this needed? init_domtrans_script(logrotate_t) -@@ -112,21 +115,20 @@ logging_send_audit_msgs(logrotate_t) +@@ -112,21 +115,21 @@ logging_send_audit_msgs(logrotate_t) # cjp: why is this needed? logging_exec_all_logs(logrotate_t) 
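Review bot: `can_exec(firewalld_t, firewalld_var_run_t)` is added directly beside `manage_files_pattern(firewalld_t, firewalld_var_run_t, firewalld_var_run_t)`, so the daemon may now write a file under /run and execute it from the same domain — a write-then-execute path the type system normally keeps separate, and one that removes a hurdle for anyone who gains code execution inside firewalld. The changelog states the what but not the why; a comment above the line such as `# firewalld writes helper scripts under /run/firewalld and runs them` (adjusted to what it really executes) should accompany it, and if the executed content is a distinct file from its pid file, a dedicated type assigned with a named `files_pid_filetrans` would keep the executable portion narrower than everything under firewalld_var_run_t. The capability and network rules for firewalld_t are outside this hunk.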
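Review bot: `sys_ptrace` moves from `dontaudit` into the `allow logrotate_t self:capability { ... }` set without a changelog entry explaining the need, while the following `allow logrotate_t self:process ~{ ptrace ... }` line still withholds process ptrace, so what the capability is wanted for is unclear (reading other processes' /proc state is the usual reason, but that is a guess). If it is needed, record the reason in a comment above the line; if it was only audit noise, the earlier `dontaudit logrotate_t self:capability sys_ptrace;` is the smaller change and keeps a log-rotation helper from inspecting unrelated processes. Separately, `sys_resource` is both allowed on this line and dontaudited on the next `dontaudit logrotate_t self:capability sys_resource;`, which is redundant once it is allowed.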
@@ -31589,6 +31603,7 @@ index 7090dae..4aaa8fb 100644 +systemd_getattr_unit_files(logrotate_t) +systemd_start_all_unit_files(logrotate_t) +systemd_reload_all_services(logrotate_t) ++systemd_status_all_unit_files(logrotate_t) +init_stream_connect(logrotate_t) -seutil_dontaudit_read_config(logrotate_t) @@ -31611,7 +31626,7 @@ index 7090dae..4aaa8fb 100644 # for savelog can_exec(logrotate_t, logrotate_exec_t) -@@ -138,7 +140,7 @@ ifdef(`distro_debian', ` +@@ -138,7 +141,7 @@ ifdef(`distro_debian', ` ') optional_policy(` @@ -31620,7 +31635,7 @@ index 7090dae..4aaa8fb 100644 ') optional_policy(` -@@ -154,6 +156,10 @@ optional_policy(` +@@ -154,6 +157,10 @@ optional_policy(` ') optional_policy(` @@ -31631,7 +31646,7 @@ index 7090dae..4aaa8fb 100644 asterisk_domtrans(logrotate_t) ') -@@ -162,10 +168,20 @@ optional_policy(` +@@ -162,10 +169,20 @@ optional_policy(` ') optional_policy(` @@ -31652,7 +31667,7 @@ index 7090dae..4aaa8fb 100644 cups_domtrans(logrotate_t) ') -@@ -178,6 +194,10 @@ optional_policy(` +@@ -178,6 +195,10 @@ optional_policy(` ') optional_policy(` @@ -31663,7 +31678,7 @@ index 7090dae..4aaa8fb 100644 icecast_signal(logrotate_t) ') -@@ -194,15 +214,19 @@ optional_policy(` +@@ -194,15 +215,19 @@ optional_policy(` ') optional_policy(` @@ -31684,7 +31699,7 @@ index 7090dae..4aaa8fb 100644 optional_policy(` samba_exec_log(logrotate_t) -@@ -217,6 +241,11 @@ optional_policy(` +@@ -217,6 +242,11 @@ optional_policy(` ') optional_policy(` @@ -31696,7 +31711,7 @@ index 7090dae..4aaa8fb 100644 squid_domtrans(logrotate_t) ') -@@ -228,3 +257,14 @@ optional_policy(` +@@ -228,3 +258,14 @@ optional_policy(` optional_policy(` varnishd_manage_log(logrotate_t) ') @@ -32389,10 +32404,10 @@ index 0000000..bd1d48e +') diff --git a/mailscanner.te b/mailscanner.te new file mode 100644 -index 0000000..45f3262 +index 0000000..d2f7a62 --- /dev/null +++ b/mailscanner.te -@@ -0,0 +1,85 @@ +@@ -0,0 +1,86 @@ +policy_module(mailscanner, 1.0.0) + +######################################## 
@@ -32426,6 +32441,7 @@ index 0000000..45f3262 +allow mscan_t self:fifo_file rw_fifo_file_perms; + +read_files_pattern(mscan_t, mscan_etc_t, mscan_etc_t) ++list_dirs_pattern(mscan_t, mscan_etc_t, mscan_etc_t) + +manage_files_pattern(mscan_t, mscan_var_run_t, mscan_var_run_t) +files_pid_filetrans(mscan_t, mscan_var_run_t, file) @@ -34307,10 +34323,10 @@ index 6647a35..f3b35e1 100644 userdom_dontaudit_use_unpriv_user_fds(monopd_t) diff --git a/mozilla.fc b/mozilla.fc -index 3a73e74..60e7237 100644 +index 3a73e74..0fa08be 100644 --- a/mozilla.fc +++ b/mozilla.fc -@@ -2,8 +2,17 @@ HOME_DIR/\.config/chromium(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0 +@@ -2,8 +2,18 @@ HOME_DIR/\.config/chromium(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0 HOME_DIR/\.galeon(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) HOME_DIR/\.java(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) HOME_DIR/\.mozilla(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) @@ -34322,13 +34338,14 @@ index 3a73e74..60e7237 100644 +HOME_DIR/\.gnash(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) +HOME_DIR/\.gcjwebplugin(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) +HOME_DIR/\.icedteaplugin(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) ++HOME_DIR/\.lyx(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) +HOME_DIR/\.spicec(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) +HOME_DIR/\.ICAClient(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) +HOME_DIR/zimbrauserdata(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) # # /bin -@@ -16,6 +25,12 @@ HOME_DIR/\.phoenix(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) +@@ -16,6 +26,12 @@ HOME_DIR/\.phoenix(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) /usr/bin/mozilla-[0-9].* -- gen_context(system_u:object_r:mozilla_exec_t,s0) /usr/bin/mozilla-bin-[0-9].* -- gen_context(system_u:object_r:mozilla_exec_t,s0) 
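Review bot: Labeling `HOME_DIR/\.lyx(/.*)?` as `mozilla_home_t` hands the LyX configuration tree to every domain that manages mozilla_home_t (this page shows mozilla_plugin_t gaining manage rights on that type), and nothing in the hunk says why a browser plugin domain needs a document editor's home directory. If the reason is that the plugin spawns LyX for some document type, an entry comment such as `# LyX is launched from the browser plugin, so its config lives in mozilla_home_t` (with the real reason) should accompany it; otherwise a dedicated type for ~/.lyx would keep a compromised plugin from rewriting it.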
@@ -34341,7 +34358,7 @@ index 3a73e74..60e7237 100644 ifdef(`distro_debian',` /usr/lib/iceweasel/iceweasel -- gen_context(system_u:object_r:mozilla_exec_t,s0) ') -@@ -23,11 +38,20 @@ ifdef(`distro_debian',` +@@ -23,11 +39,20 @@ ifdef(`distro_debian',` # # /lib # @@ -34369,7 +34386,7 @@ index 3a73e74..60e7237 100644 +/usr/lib/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:mozilla_plugin_config_exec_t,s0) +') diff --git a/mozilla.if b/mozilla.if -index b397fde..17b14ad 100644 +index b397fde..cccec7e 100644 --- a/mozilla.if +++ b/mozilla.if @@ -18,10 +18,11 @@ @@ -34420,7 +34437,7 @@ index b397fde..17b14ad 100644 ') ######################################## -@@ -193,11 +211,38 @@ interface(`mozilla_domtrans',` +@@ -193,11 +211,35 @@ interface(`mozilla_domtrans',` # interface(`mozilla_domtrans_plugin',` gen_require(` @@ -34434,13 +34451,10 @@ index b397fde..17b14ad 100644 domtrans_pattern($1, mozilla_plugin_exec_t, mozilla_plugin_t) + domtrans_pattern($1, mozilla_plugin_config_exec_t, mozilla_plugin_config_t) + allow mozilla_plugin_t $1:process signull; ++ dontaudit mozilla_plugin_config_t $1:file read_inherited_file_perms; + allow $1 mozilla_plugin_t:unix_stream_socket { connectto rw_socket_perms }; + allow $1 mozilla_plugin_t:fd use; + -+ #tunable_policy(`deny_ptrace',`',` -+ # allow $1 mozilla_plugin_t:process ptrace; -+ #') -+ + allow mozilla_plugin_t $1:unix_stream_socket rw_socket_perms; + allow mozilla_plugin_t $1:unix_dgram_socket { sendto rw_socket_perms }; + allow mozilla_plugin_t $1:shm { rw_shm_perms destroy }; @@ -34460,7 +34474,7 @@ index b397fde..17b14ad 100644 allow mozilla_plugin_t $1:process signull; ') -@@ -224,6 +269,32 @@ interface(`mozilla_run_plugin',` +@@ -224,6 +266,32 @@ interface(`mozilla_run_plugin',` mozilla_domtrans_plugin($1) role $2 types mozilla_plugin_t; 
@@ -34493,7 +34507,7 @@ index b397fde..17b14ad 100644 ') ######################################## -@@ -265,9 +336,27 @@ interface(`mozilla_rw_tcp_sockets',` +@@ -265,9 +333,27 @@ interface(`mozilla_rw_tcp_sockets',` allow $1 mozilla_t:tcp_socket rw_socket_perms; ') @@ -34522,7 +34536,7 @@ index b397fde..17b14ad 100644 ## ## ## -@@ -275,28 +364,118 @@ interface(`mozilla_rw_tcp_sockets',` +@@ -275,28 +361,119 @@ interface(`mozilla_rw_tcp_sockets',` ## ## # @@ -34553,8 +34567,9 @@ index b397fde..17b14ad 100644 gen_require(` - type mozilla_plugin_tmpfs_t; + type mozilla_plugin_t; -+ ') -+ + ') + +- allow $1 mozilla_plugin_tmpfs_t:file unlink; + dontaudit $1 mozilla_plugin_t:unix_stream_socket { read write }; +') + @@ -34574,7 +34589,7 @@ index b397fde..17b14ad 100644 + ') + + dontaudit $1 mozilla_plugin_tmp_t:file { read write }; -+') + ') + +######################################## +## @@ -34609,11 +34624,10 @@ index b397fde..17b14ad 100644 +interface(`mozilla_plugin_read_rw_files',` + gen_require(` + type mozilla_plugin_rw_t; - ') - -- allow $1 mozilla_plugin_tmpfs_t:file unlink; ++ ') ++ + read_files_pattern($1, mozilla_plugin_rw_t, mozilla_plugin_rw_t) - ') ++') + +######################################## +## @@ -34646,10 +34660,11 @@ index b397fde..17b14ad 100644 + userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".spicec") + userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".ICAClient") + userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, "zimbrauserdata") ++ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".lyx") +') + diff --git a/mozilla.te b/mozilla.te -index d4fcb75..907ff48 100644 +index d4fcb75..8cf0087 100644 --- a/mozilla.te +++ b/mozilla.te @@ -7,19 +7,34 @@ policy_module(mozilla, 2.6.0) 
@@ -34812,7 +34827,7 @@ index d4fcb75..907ff48 100644 pulseaudio_stream_connect(mozilla_t) pulseaudio_manage_home_files(mozilla_t) ') -@@ -297,65 +317,101 @@ optional_policy(` +@@ -297,65 +317,102 @@ optional_policy(` # mozilla_plugin local policy # @@ -34841,6 +34856,7 @@ index d4fcb75..907ff48 100644 +manage_dirs_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t) +manage_files_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t) +manage_lnk_files_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t) ++manage_fifo_files_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t) +mozilla_filetrans_home_content(mozilla_plugin_t) manage_dirs_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t) @@ -34929,7 +34945,7 @@ index d4fcb75..907ff48 100644 domain_use_interactive_fds(mozilla_plugin_t) domain_dontaudit_read_all_domains_state(mozilla_plugin_t) -@@ -363,55 +419,59 @@ domain_dontaudit_read_all_domains_state(mozilla_plugin_t) +@@ -363,55 +420,59 @@ domain_dontaudit_read_all_domains_state(mozilla_plugin_t) files_read_config_files(mozilla_plugin_t) files_read_usr_files(mozilla_plugin_t) files_list_mnt(mozilla_plugin_t) @@ -35011,7 +35027,7 @@ index d4fcb75..907ff48 100644 ') optional_policy(` -@@ -422,24 +482,39 @@ optional_policy(` +@@ -422,24 +483,39 @@ optional_policy(` optional_policy(` dbus_system_bus_client(mozilla_plugin_t) dbus_session_bus_client(mozilla_plugin_t) @@ -35055,7 +35071,7 @@ index d4fcb75..907ff48 100644 ') optional_policy(` -@@ -447,10 +522,115 @@ optional_policy(` +@@ -447,10 +523,116 @@ optional_policy(` pulseaudio_stream_connect(mozilla_plugin_t) pulseaudio_setattr_home_dir(mozilla_plugin_t) pulseaudio_manage_home_files(mozilla_plugin_t) 
@@ -35115,6 +35131,7 @@ index d4fcb75..907ff48 100644 +manage_dirs_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_home_t) +manage_files_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_home_t) +manage_lnk_files_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_home_t) ++manage_fifo_files_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t) + +corecmd_exec_bin(mozilla_plugin_config_t) +corecmd_exec_shell(mozilla_plugin_config_t) @@ -36979,7 +36996,7 @@ index c358d8f..1cc176c 100644 init_labeled_script_domtrans($1, munin_initrc_exec_t) domain_system_change_exemption($1) diff --git a/munin.te b/munin.te -index f17583b..3a691c7 100644 +index f17583b..addfbf2 100644 --- a/munin.te +++ b/munin.te @@ -5,6 +5,8 @@ policy_module(munin, 1.8.0) @@ -37118,11 +37135,11 @@ index f17583b..3a691c7 100644 dev_read_sysfs(disk_munin_plugin_t) dev_read_urand(disk_munin_plugin_t) +dev_read_all_blk_files(munin_disk_plugin_t) -+ -+fs_getattr_all_fs(disk_munin_plugin_t) -+fs_getattr_all_dirs(disk_munin_plugin_t) -storage_getattr_fixed_disk_dev(disk_munin_plugin_t) ++fs_getattr_all_fs(disk_munin_plugin_t) ++fs_getattr_all_dirs(disk_munin_plugin_t) ++ +storage_raw_read_fixed_disk(disk_munin_plugin_t) sysnet_read_config(disk_munin_plugin_t) @@ -37196,18 +37213,22 @@ index f17583b..3a691c7 100644 cups_stream_connect(services_munin_plugin_t) ') -@@ -279,6 +316,10 @@ optional_policy(` +@@ -279,6 +316,14 @@ optional_policy(` ') optional_policy(` + nscd_socket_use(services_munin_plugin_t) +') + ++optional_policy(` ++ ntp_exec(services_munin_plugin_t) ++') ++ +optional_policy(` postgresql_stream_connect(services_munin_plugin_t) ') -@@ -286,6 +327,18 @@ optional_policy(` +@@ -286,6 +331,18 @@ optional_policy(` snmp_read_snmp_var_lib_files(services_munin_plugin_t) ') 
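Review bot: The rule added in the mozilla_plugin_config_t block of mozilla.te (inner hunk `@@ -447,10 +523,116 @@`, which begins on the previous line) names the wrong subject: `manage_fifo_files_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t)` sits between rules that are all for `mozilla_plugin_config_t`, and the identical line for `mozilla_plugin_t` is already added in the plugin block earlier in the same file. As written it is a duplicate for the plugin domain and the config domain receives no fifo access, which looks like the intended change. Suggest `manage_fifo_files_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_home_t)`.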
@@ -37226,7 +37247,7 @@ index f17583b..3a691c7 100644 ################################## # # local policy for system plugins -@@ -295,12 +348,10 @@ allow system_munin_plugin_t self:udp_socket create_socket_perms; +@@ -295,12 +352,10 @@ allow system_munin_plugin_t self:udp_socket create_socket_perms; rw_files_pattern(system_munin_plugin_t, munin_var_lib_t, munin_var_lib_t) @@ -37242,7 +37263,7 @@ index f17583b..3a691c7 100644 dev_read_sysfs(system_munin_plugin_t) dev_read_urand(system_munin_plugin_t) -@@ -313,3 +364,47 @@ init_read_utmp(system_munin_plugin_t) +@@ -313,3 +368,47 @@ init_read_utmp(system_munin_plugin_t) sysnet_exec_ifconfig(system_munin_plugin_t) term_getattr_unallocated_ttys(system_munin_plugin_t) @@ -41145,10 +41166,36 @@ index e79dccc..2a3c6af 100644 /var/log/ntp.* -- gen_context(system_u:object_r:ntpd_log_t,s0) /var/log/ntpstats(/.*)? gen_context(system_u:object_r:ntpd_log_t,s0) diff --git a/ntp.if b/ntp.if -index e80f8c0..0044e73 100644 +index e80f8c0..d60b451 100644 --- a/ntp.if +++ b/ntp.if -@@ -98,6 +98,48 @@ interface(`ntp_initrc_domtrans',` +@@ -37,6 +37,25 @@ interface(`ntp_domtrans',` + + ######################################## + ## ++## Execute ntp server in the caller domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`ntp_exec',` ++ gen_require(` ++ type ntpd_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ can_exec($1, ntpd_exec_t) ++') ++ ++######################################## ++## + ## Execute ntp in the ntp domain, and + ## allow the specified role the ntp domain. + ## +@@ -98,6 +117,48 @@ interface(`ntp_initrc_domtrans',` init_labeled_script_domtrans($1, ntpd_initrc_exec_t) ') @@ -41197,7 +41244,7 @@ index e80f8c0..0044e73 100644 ######################################## ## ## Read and write ntpd shared memory. -@@ -122,6 +164,25 @@ interface(`ntp_rw_shm',` +@@ -122,6 +183,25 @@ interface(`ntp_rw_shm',` ######################################## ## 
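Review bot: The new `ntp_exec` interface in ntp.if documents its parameter as `Domain allowed to transition.`, but the body only grants `can_exec($1, ntpd_exec_t)`, so no domain transition happens and the caller runs the ntp binary with its own privileges; the wording appears carried over from `ntp_domtrans`. Suggest `Domain allowed access.` for the parameter and a summary that makes the lack of transition explicit, e.g. `Execute the ntp server binary in the caller domain (no transition).` This matters for the first user, `services_munin_plugin_t` in munin.te on this same line, since the plugin domain keeps full control of what it executes.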
@@ -41223,7 +41270,7 @@ index e80f8c0..0044e73 100644 ## All of the rules required to administrate ## an ntp environment ## -@@ -140,12 +201,15 @@ interface(`ntp_rw_shm',` +@@ -140,12 +220,15 @@ interface(`ntp_rw_shm',` interface(`ntp_admin',` gen_require(` type ntpd_t, ntpd_tmp_t, ntpd_log_t; @@ -41242,7 +41289,7 @@ index e80f8c0..0044e73 100644 init_labeled_script_domtrans($1, ntpd_initrc_exec_t) domain_system_change_exemption($1) -@@ -162,4 +226,8 @@ interface(`ntp_admin',` +@@ -162,4 +245,8 @@ interface(`ntp_admin',` files_list_pids($1) admin_pattern($1, ntpd_var_run_t) @@ -43840,10 +43887,10 @@ index 0000000..14f29e4 +') diff --git a/openvswitch.te b/openvswitch.te new file mode 100644 -index 0000000..31370ed +index 0000000..f6e0f04 --- /dev/null +++ b/openvswitch.te -@@ -0,0 +1,83 @@ +@@ -0,0 +1,84 @@ +policy_module(openvswitch, 1.0.0) + +######################################## @@ -43880,6 +43927,7 @@ index 0000000..31370ed +allow openvswitch_t self:fifo_file rw_fifo_file_perms; +allow openvswitch_t self:unix_stream_socket { create_stream_socket_perms connectto }; +allow openvswitch_t self:netlink_socket create_socket_perms; ++allow openvswitch_t self:netlink_route_socket rw_netlink_socket_perms; + +can_exec(openvswitch_t, openvswitch_exec_t) + @@ -48091,7 +48139,7 @@ index 1ddfa16..c0e0959 100644 /var/spool/postfix/pid/.* gen_context(system_u:object_r:postfix_var_run_t,s0) /var/spool/postfix/private(/.*)? gen_context(system_u:object_r:postfix_private_t,s0) diff --git a/postfix.if b/postfix.if -index 46bee12..8ef270f 100644 +index 46bee12..20a3ccd 100644 --- a/postfix.if +++ b/postfix.if @@ -28,75 +28,23 @@ interface(`postfix_stub',` 
@@ -48347,7 +48395,69 @@ index 46bee12..8ef270f 100644 ## Execute the master postdrop in the ## postfix_postdrop domain. ## -@@ -462,7 +492,7 @@ interface(`postfix_domtrans_postqueue',` +@@ -452,6 +482,61 @@ interface(`postfix_domtrans_postqueue',` + domtrans_pattern($1, postfix_postqueue_exec_t, postfix_postqueue_t) + ') + ++######################################## ++## ++## Execute the master postqueue in the ++## postfix_postdrop domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++## ++## ++## The role to be allowed the iptables domain. ++## ++## ++## ++# ++ ++interface(`postfix_run_postqueue',` ++ gen_require(` ++ type postfix_postqueue_t; ++ ') ++ ++ postfix_domtrans_postqueue($1) ++ role $2 types postfix_postqueue_t; ++ allow postfix_postqueue_t $1:unix_stream_socket { read write getattr }; ++') ++ ++######################################## ++## ++## Execute postfix_postgqueue in the postfix_postgqueue domain, and ++## allow the specified role the postfix_postgqueue domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++## ++## ++## Role allowed access. ++## ++## ++## ++# ++interface(`postfix_run_postgqueue',` ++ gen_require(` ++ type postfix_postgqueue_t; ++ ') ++ ++ postfix_domtrans_postgqueue($1) ++ role $2 types postfix_postgqueue_t; ++') ++ ++ + ####################################### + ## + ## Execute the master postqueue in the caller domain. +@@ -462,7 +547,7 @@ interface(`postfix_domtrans_postqueue',` ## ## # @@ -48356,7 +48466,7 @@ index 46bee12..8ef270f 100644 gen_require(` type postfix_postqueue_exec_t; ') -@@ -529,6 +559,25 @@ interface(`postfix_domtrans_smtp',` +@@ -529,6 +614,25 @@ interface(`postfix_domtrans_smtp',` ######################################## ## 
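Review bot: The doc block of the new `postfix_run_postqueue` in postfix.if is copied from elsewhere and is wrong twice: the summary says `Execute the master postqueue in the postfix_postdrop domain.` while the body transitions to `postfix_postqueue_t`, and the role parameter reads `The role to be allowed the iptables domain.` Suggest `Execute postqueue in the postfix_postqueue domain, and allow the specified role the postfix_postqueue domain.` and `Role allowed access.`. The second new interface, `postfix_run_postgqueue`, requires `postfix_postgqueue_t` and calls `postfix_domtrans_postgqueue`, neither of which is defined or referenced anywhere else in this patch; `postgqueue` looks like a misspelling of `postqueue`, leaving a dead copy that would fail its gen_require if any caller ever used it, so it should be removed or corrected. The stray blank line between `#` and `interface(` and the doubled blank line before the next doc block also depart from the file's layout convention.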
@@ -48382,7 +48492,7 @@ index 46bee12..8ef270f 100644 ## Search postfix mail spool directories. ## ## -@@ -539,10 +588,10 @@ interface(`postfix_domtrans_smtp',` +@@ -539,10 +643,10 @@ interface(`postfix_domtrans_smtp',` # interface(`postfix_search_spool',` gen_require(` @@ -48395,7 +48505,7 @@ index 46bee12..8ef270f 100644 files_search_spool($1) ') -@@ -558,10 +607,10 @@ interface(`postfix_search_spool',` +@@ -558,10 +662,10 @@ interface(`postfix_search_spool',` # interface(`postfix_list_spool',` gen_require(` @@ -48408,7 +48518,7 @@ index 46bee12..8ef270f 100644 files_search_spool($1) ') -@@ -577,11 +626,11 @@ interface(`postfix_list_spool',` +@@ -577,11 +681,11 @@ interface(`postfix_list_spool',` # interface(`postfix_read_spool_files',` gen_require(` @@ -48422,7 +48532,7 @@ index 46bee12..8ef270f 100644 ') ######################################## -@@ -596,11 +645,31 @@ interface(`postfix_read_spool_files',` +@@ -596,11 +700,31 @@ interface(`postfix_read_spool_files',` # interface(`postfix_manage_spool_files',` gen_require(` @@ -48456,7 +48566,7 @@ index 46bee12..8ef270f 100644 ') ######################################## -@@ -621,3 +690,155 @@ interface(`postfix_domtrans_user_mail_handler',` +@@ -621,3 +745,157 @@ interface(`postfix_domtrans_user_mail_handler',` typeattribute $1 postfix_user_domtrans; ') @@ -48522,6 +48632,7 @@ index 46bee12..8ef270f 100644 + + postfix_run_map($1, $2) + postfix_run_postdrop($1, $2) ++ postfix_run_postqueue($1, $2) + + postfix_initrc_domtrans($1) + domain_system_change_exemption($1) @@ -48575,6 +48686,7 @@ index 46bee12..8ef270f 100644 + allow postfix_postdrop_t $1:unix_stream_socket { read write getattr }; +') + ++ +######################################## +## +## Execute postfix exec in the users domain @@ -48613,7 +48725,7 @@ index 46bee12..8ef270f 100644 + postfix_config_filetrans($1, postfix_prng_t, file, "prng_exch") +') diff --git a/postfix.te b/postfix.te -index a1e0f60..85b12af 100644 +index a1e0f60..ae56a3e 100644 
--- a/postfix.te +++ b/postfix.te @@ -5,6 +5,15 @@ policy_module(postfix, 1.14.0) @@ -48774,7 +48886,7 @@ index a1e0f60..85b12af 100644 mta_rw_aliases(postfix_master_t) mta_read_sendmail_bin(postfix_master_t) -@@ -195,7 +216,7 @@ optional_policy(` +@@ -195,15 +216,11 @@ optional_policy(` ') optional_policy(` @@ -48783,7 +48895,15 @@ index a1e0f60..85b12af 100644 mailman_manage_data_files(postfix_master_t) ') -@@ -220,13 +241,17 @@ allow postfix_bounce_t self:capability dac_read_search; + optional_policy(` +- mysql_stream_connect(postfix_master_t) +-') +- +-optional_policy(` + postgrey_search_spool(postfix_master_t) + ') + +@@ -220,13 +237,17 @@ allow postfix_bounce_t self:capability dac_read_search; allow postfix_bounce_t self:tcp_socket create_socket_perms; allow postfix_bounce_t postfix_public_t:sock_file write; @@ -48802,7 +48922,7 @@ index a1e0f60..85b12af 100644 manage_dirs_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t) manage_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t) manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t) -@@ -237,22 +262,31 @@ manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool +@@ -237,22 +258,31 @@ manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool # allow postfix_cleanup_t self:process setrlimit; @@ -48834,7 +48954,7 @@ index a1e0f60..85b12af 100644 mta_read_aliases(postfix_cleanup_t) optional_policy(` -@@ -264,7 +298,6 @@ optional_policy(` +@@ -264,7 +294,6 @@ optional_policy(` # Postfix local local policy # 
@@ -48842,7 +48962,7 @@ index a1e0f60..85b12af 100644 allow postfix_local_t self:process { setsched setrlimit }; # connect to master process -@@ -272,28 +305,51 @@ stream_connect_pattern(postfix_local_t, postfix_public_t, postfix_public_t, post +@@ -272,28 +301,51 @@ stream_connect_pattern(postfix_local_t, postfix_public_t, postfix_public_t, post # for .forward - maybe we need a new type for it? rw_sock_files_pattern(postfix_local_t, postfix_private_t, postfix_private_t) @@ -48899,7 +49019,7 @@ index a1e0f60..85b12af 100644 ') optional_policy(` -@@ -304,9 +360,26 @@ optional_policy(` +@@ -304,9 +356,26 @@ optional_policy(` ') optional_policy(` @@ -48926,7 +49046,7 @@ index a1e0f60..85b12af 100644 ######################################## # # Postfix map local policy -@@ -329,7 +402,6 @@ kernel_read_kernel_sysctls(postfix_map_t) +@@ -329,7 +398,6 @@ kernel_read_kernel_sysctls(postfix_map_t) kernel_dontaudit_list_proc(postfix_map_t) kernel_dontaudit_read_system_state(postfix_map_t) @@ -48934,7 +49054,7 @@ index a1e0f60..85b12af 100644 corenet_all_recvfrom_netlabel(postfix_map_t) corenet_tcp_sendrecv_generic_if(postfix_map_t) corenet_udp_sendrecv_generic_if(postfix_map_t) -@@ -348,7 +420,6 @@ corecmd_read_bin_sockets(postfix_map_t) +@@ -348,7 +416,6 @@ corecmd_read_bin_sockets(postfix_map_t) files_list_home(postfix_map_t) files_read_usr_files(postfix_map_t) @@ -48942,7 +49062,7 @@ index a1e0f60..85b12af 100644 files_read_etc_runtime_files(postfix_map_t) files_dontaudit_search_var(postfix_map_t) -@@ -356,8 +427,6 @@ auth_use_nsswitch(postfix_map_t) +@@ -356,8 +423,6 @@ auth_use_nsswitch(postfix_map_t) logging_send_syslog_msg(postfix_map_t) 
@@ -48951,7 +49071,7 @@ index a1e0f60..85b12af 100644 optional_policy(` locallogin_dontaudit_use_fds(postfix_map_t) ') -@@ -379,18 +448,24 @@ stream_connect_pattern(postfix_pickup_t, postfix_private_t, postfix_private_t, p +@@ -379,18 +444,24 @@ stream_connect_pattern(postfix_pickup_t, postfix_private_t, postfix_private_t, p rw_fifo_files_pattern(postfix_pickup_t, postfix_public_t, postfix_public_t) rw_sock_files_pattern(postfix_pickup_t, postfix_public_t, postfix_public_t) @@ -48977,7 +49097,7 @@ index a1e0f60..85b12af 100644 allow postfix_pipe_t self:process setrlimit; write_sock_files_pattern(postfix_pipe_t, postfix_private_t, postfix_private_t) -@@ -401,6 +476,8 @@ rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t) +@@ -401,6 +472,8 @@ rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t) domtrans_pattern(postfix_pipe_t, postfix_postdrop_exec_t, postfix_postdrop_t) @@ -48986,7 +49106,7 @@ index a1e0f60..85b12af 100644 optional_policy(` dovecot_domtrans_deliver(postfix_pipe_t) ') -@@ -420,6 +497,7 @@ optional_policy(` +@@ -420,6 +493,7 @@ optional_policy(` optional_policy(` spamassassin_domtrans_client(postfix_pipe_t) @@ -48994,7 +49114,7 @@ index a1e0f60..85b12af 100644 ') optional_policy(` -@@ -436,11 +514,17 @@ allow postfix_postdrop_t self:capability sys_resource; +@@ -436,11 +510,17 @@ allow postfix_postdrop_t self:capability sys_resource; allow postfix_postdrop_t self:tcp_socket create; allow postfix_postdrop_t self:udp_socket create_socket_perms; 
@@ -49012,7 +49132,7 @@ index a1e0f60..85b12af 100644 corenet_udp_sendrecv_generic_if(postfix_postdrop_t) corenet_udp_sendrecv_generic_node(postfix_postdrop_t) -@@ -487,8 +571,8 @@ write_fifo_files_pattern(postfix_postqueue_t, postfix_public_t, postfix_public_t +@@ -487,8 +567,8 @@ write_fifo_files_pattern(postfix_postqueue_t, postfix_public_t, postfix_public_t domtrans_pattern(postfix_postqueue_t, postfix_showq_exec_t, postfix_showq_t) # to write the mailq output, it really should not need read access! @@ -49023,7 +49143,7 @@ index a1e0f60..85b12af 100644 init_sigchld_script(postfix_postqueue_t) init_use_script_fds(postfix_postqueue_t) -@@ -519,7 +603,11 @@ files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir) +@@ -519,7 +599,11 @@ files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir) allow postfix_qmgr_t postfix_spool_bounce_t:dir list_dir_perms; allow postfix_qmgr_t postfix_spool_bounce_t:file read_file_perms; @@ -49036,7 +49156,7 @@ index a1e0f60..85b12af 100644 corecmd_exec_bin(postfix_qmgr_t) -@@ -539,7 +627,9 @@ postfix_list_spool(postfix_showq_t) +@@ -539,7 +623,9 @@ postfix_list_spool(postfix_showq_t) allow postfix_showq_t postfix_spool_maildrop_t:dir list_dir_perms; allow postfix_showq_t postfix_spool_maildrop_t:file read_file_perms; @@ -49047,7 +49167,7 @@ index a1e0f60..85b12af 100644 # to write the mailq output, it really should not need read access! term_use_all_ptys(postfix_showq_t) -@@ -558,6 +648,12 @@ allow postfix_smtp_t postfix_prng_t:file rw_file_perms; +@@ -558,6 +644,12 @@ allow postfix_smtp_t postfix_prng_t:file rw_file_perms; allow postfix_smtp_t postfix_spool_t:file rw_file_perms; @@ -49060,7 +49180,7 @@ index a1e0f60..85b12af 100644 files_search_all_mountpoints(postfix_smtp_t) optional_policy(` -@@ -565,6 +661,14 @@ optional_policy(` +@@ -565,6 +657,14 @@ optional_policy(` ') optional_policy(` 
@@ -49075,7 +49195,7 @@ index a1e0f60..85b12af 100644 milter_stream_connect_all(postfix_smtp_t) ') -@@ -581,17 +685,25 @@ stream_connect_pattern(postfix_smtpd_t, { postfix_private_t postfix_public_t }, +@@ -581,17 +681,25 @@ stream_connect_pattern(postfix_smtpd_t, { postfix_private_t postfix_public_t }, corenet_tcp_connect_postfix_policyd_port(postfix_smtpd_t) # for prng_exch @@ -49102,7 +49222,7 @@ index a1e0f60..85b12af 100644 ') optional_policy(` -@@ -599,6 +711,11 @@ optional_policy(` +@@ -599,6 +707,11 @@ optional_policy(` ') optional_policy(` @@ -49114,7 +49234,7 @@ index a1e0f60..85b12af 100644 postgrey_stream_connect(postfix_smtpd_t) ') -@@ -611,7 +728,6 @@ optional_policy(` +@@ -611,7 +724,6 @@ optional_policy(` # Postfix virtual local policy # @@ -49122,7 +49242,7 @@ index a1e0f60..85b12af 100644 allow postfix_virtual_t self:process { setsched setrlimit }; allow postfix_virtual_t postfix_spool_t:file rw_file_perms; -@@ -622,7 +738,6 @@ stream_connect_pattern(postfix_virtual_t, { postfix_private_t postfix_public_t } +@@ -622,7 +734,6 @@ stream_connect_pattern(postfix_virtual_t, { postfix_private_t postfix_public_t } corecmd_exec_shell(postfix_virtual_t) corecmd_exec_bin(postfix_virtual_t) @@ -49130,7 +49250,7 @@ index a1e0f60..85b12af 100644 files_read_usr_files(postfix_virtual_t) mta_read_aliases(postfix_virtual_t) -@@ -630,3 +745,76 @@ mta_delete_spool(postfix_virtual_t) +@@ -630,3 +741,80 @@ mta_delete_spool(postfix_virtual_t) # For reading spamassasin mta_read_config(postfix_virtual_t) mta_manage_spool(postfix_virtual_t) @@ -49200,6 +49320,10 @@ index a1e0f60..85b12af 100644 +userdom_dontaudit_use_unpriv_user_fds(postfix_domain) + +optional_policy(` ++ mysql_stream_connect(postfix_domain) ++') ++ ++optional_policy(` + spamd_stream_connect(postfix_domain) + spamassassin_domtrans_client(postfix_domain) +') @@ -56111,7 +56235,7 @@ index 137605a..fd40b90 100644 + ') ') 
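Review bot: Moving `mysql_stream_connect` from `postfix_master_t` to the `postfix_domain` attribute (addition in the postfix.te hunk `@@ -630,3 +741,80 @@` here, removal in `@@ -195,15 +216,11 @@` on an earlier line) grants the MySQL socket to every type carrying that attribute rather than the single daemon that had it, which widens the reachable surface for the user-facing postfix helpers if they are members of the attribute. If the reason is MySQL-backed lookup tables, only the domains that open maps need it; failing a narrower grant, a comment such as `# mysql map lookups may occur in any postfix daemon` above the optional_policy block would record why the attribute-wide rule was chosen.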
diff --git a/rhsmcertd.te b/rhsmcertd.te -index 783f678..14193ca 100644 +index 783f678..62c40bb 100644 --- a/rhsmcertd.te +++ b/rhsmcertd.te @@ -29,6 +29,9 @@ files_pid_file(rhsmcertd_var_run_t) @@ -56124,7 +56248,7 @@ index 783f678..14193ca 100644 allow rhsmcertd_t self:fifo_file rw_fifo_file_perms; allow rhsmcertd_t self:unix_stream_socket create_stream_socket_perms; -@@ -43,17 +46,36 @@ manage_files_pattern(rhsmcertd_t, rhsmcertd_var_lib_t, rhsmcertd_var_lib_t) +@@ -43,17 +46,40 @@ manage_files_pattern(rhsmcertd_t, rhsmcertd_var_lib_t, rhsmcertd_var_lib_t) manage_dirs_pattern(rhsmcertd_t, rhsmcertd_var_run_t, rhsmcertd_var_run_t) manage_files_pattern(rhsmcertd_t, rhsmcertd_var_run_t, rhsmcertd_var_run_t) @@ -56133,24 +56257,28 @@ index 783f678..14193ca 100644 +kernel_read_network_state(rhsmcertd_t) kernel_read_system_state(rhsmcertd_t) ++corenet_tcp_connect_http_port(rhsmcertd_t) ++ +files_list_tmp(rhsmcertd_t) + corecmd_exec_bin(rhsmcertd_t) ++corecmd_exec_shell(rhsmcertd_t) +dev_read_rand(rhsmcertd_t) dev_read_urand(rhsmcertd_t) +dev_read_sysfs(rhsmcertd_t) ++dev_read_raw_memory(rhsmcertd_t) files_read_etc_files(rhsmcertd_t) files_read_usr_files(rhsmcertd_t) +files_manage_generic_locks(rhsmcertd_t) + +auth_read_passwd(rhsmcertd_t) -+ -+logging_send_syslog_msg(rhsmcertd_t) -miscfiles_read_localization(rhsmcertd_t) -miscfiles_read_generic_certs(rhsmcertd_t) ++logging_send_syslog_msg(rhsmcertd_t) ++ +miscfiles_read_certs(rhsmcertd_t) sysnet_dns_name_resolve(rhsmcertd_t) @@ -62140,7 +62268,7 @@ index bcdd16c..039b0c8 100644 files_list_var_lib($1) admin_pattern($1, setroubleshoot_var_lib_t) diff --git a/setroubleshoot.te b/setroubleshoot.te -index 086cd5f..08ef0c7 100644 +index 086cd5f..ab3ba4d 100644 --- a/setroubleshoot.te +++ b/setroubleshoot.te @@ -12,7 +12,7 @@ init_daemon_domain(setroubleshootd_t, setroubleshootd_exec_t) 
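Review bot: `dev_read_raw_memory(rhsmcertd_t)` in the rhsmcertd.te hunk grants a certificate-renewal daemon read access to raw memory devices, a far broader privilege than the neighbouring sysfs, rand and lock-file rules, and nothing in the hunk records why it is needed. If the requirement is hardware-identification data read by a separate tool, a domain transition into that tool's own domain would keep the access out of rhsmcertd_t; otherwise a comment such as `# TODO: document why rhsmcertd needs raw memory access` should sit above the rule so the grant is reviewed rather than inherited. The same hunk also adds `corecmd_exec_shell` and `corenet_tcp_connect_http_port`, which together noticeably enlarge what the daemon can do, so a one-line justification for each would help future audits.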
@@ -62283,7 +62411,7 @@ index 086cd5f..08ef0c7 100644 files_list_tmp(setroubleshoot_fixit_t) auth_use_nsswitch(setroubleshoot_fixit_t) -@@ -162,7 +192,16 @@ auth_use_nsswitch(setroubleshoot_fixit_t) +@@ -162,9 +192,19 @@ auth_use_nsswitch(setroubleshoot_fixit_t) logging_send_audit_msgs(setroubleshoot_fixit_t) logging_send_syslog_msg(setroubleshoot_fixit_t) @@ -62300,7 +62428,10 @@ index 086cd5f..08ef0c7 100644 +') optional_policy(` ++ rpm_exec(setroubleshoot_fixit_t) rpm_signull(setroubleshoot_fixit_t) + rpm_read_db(setroubleshoot_fixit_t) + rpm_dontaudit_manage_db(setroubleshoot_fixit_t) diff --git a/sge.fc b/sge.fc new file mode 100644 index 0000000..160ddc2 @@ -67808,7 +67939,7 @@ index 67b5592..ccddff5 100644 corenet_tcp_sendrecv_generic_if(timidity_t) corenet_udp_sendrecv_generic_if(timidity_t) diff --git a/tmpreaper.te b/tmpreaper.te -index 0521d5a..4ad0788 100644 +index 0521d5a..b08a00a 100644 --- a/tmpreaper.te +++ b/tmpreaper.te @@ -7,6 +7,7 @@ policy_module(tmpreaper, 1.6.0) @@ -67819,7 +67950,7 @@ index 0521d5a..4ad0788 100644 application_domain(tmpreaper_t, tmpreaper_exec_t) role system_r types tmpreaper_t; -@@ -18,33 +19,47 @@ role system_r types tmpreaper_t; +@@ -18,33 +19,48 @@ role system_r types tmpreaper_t; allow tmpreaper_t self:process { fork sigchld }; allow tmpreaper_t self:capability { dac_override dac_read_search fowner }; @@ -67836,6 +67967,7 @@ index 0521d5a..4ad0788 100644 +files_delete_all_non_security_files(tmpreaper_t) # why does it need setattr? files_setattr_all_tmp_dirs(tmpreaper_t) ++files_setattr_isid_type_dirs(tmpreaper_t) +files_setattr_usr_dirs(tmpreaper_t) files_getattr_all_dirs(tmpreaper_t) files_getattr_all_files(tmpreaper_t) @@ -67873,7 +68005,7 @@ index 0521d5a..4ad0788 100644 ') optional_policy(` -@@ -52,7 +67,9 @@ optional_policy(` +@@ -52,7 +68,9 @@ optional_policy(` ') optional_policy(` 
@@ -67883,7 +68015,7 @@ index 0521d5a..4ad0788 100644 apache_delete_cache_files(tmpreaper_t) apache_setattr_cache_dirs(tmpreaper_t) ') -@@ -66,9 +83,17 @@ optional_policy(` +@@ -66,9 +84,17 @@ optional_policy(` ') optional_policy(` @@ -70997,7 +71129,7 @@ index 6f0736b..408a20a 100644 + allow svirt_lxc_domain $1:process sigchld; ') diff --git a/virt.te b/virt.te -index 947bbc6..d17661a 100644 +index 947bbc6..12c15cb 100644 --- a/virt.te +++ b/virt.te @@ -5,56 +5,104 @@ policy_module(virt, 1.5.0) @@ -71242,12 +71374,13 @@ index 947bbc6..d17661a 100644 corenet_udp_sendrecv_generic_if(svirt_t) corenet_udp_sendrecv_generic_node(svirt_t) -@@ -131,67 +223,69 @@ corenet_udp_bind_all_ports(svirt_t) +@@ -131,67 +223,71 @@ corenet_udp_bind_all_ports(svirt_t) corenet_tcp_bind_all_ports(svirt_t) corenet_tcp_connect_all_ports(svirt_t) -dev_list_sysfs(svirt_t) -- ++miscfiles_read_generic_certs(svirt_t) + -userdom_search_user_home_content(svirt_t) -userdom_read_user_home_content_symlinks(svirt_t) -userdom_read_all_users_state(svirt_t) @@ -71353,7 +71486,7 @@ index 947bbc6..d17661a 100644 read_files_pattern(virtd_t, virt_etc_t, virt_etc_t) read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t) -@@ -202,19 +296,28 @@ manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) +@@ -202,19 +298,29 @@ manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir) manage_files_pattern(virtd_t, virt_image_type, virt_image_type) @@ -71366,6 +71499,7 @@ index 947bbc6..d17661a 100644 -manage_files_pattern(virtd_t, virt_log_t, virt_log_t) -logging_log_filetrans(virtd_t, virt_log_t, { file dir }) +manage_lnk_files_pattern(virtd_t, virt_image_type, virt_image_type) ++allow virtd_t virt_image_type:dir setattr; +allow virtd_t virt_image_type:file relabel_file_perms; +allow virtd_t virt_image_type:blk_file relabel_blk_file_perms; +allow virtd_t virt_image_type:chr_file relabel_chr_file_perms; 
@@ -71388,7 +71522,7 @@ index 947bbc6..d17661a 100644 manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t) manage_files_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t) manage_sock_files_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t) -@@ -225,16 +328,22 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) +@@ -225,16 +331,22 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) files_pid_filetrans(virtd_t, virt_var_run_t, { file dir }) @@ -71412,7 +71546,7 @@ index 947bbc6..d17661a 100644 corenet_all_recvfrom_netlabel(virtd_t) corenet_tcp_sendrecv_generic_if(virtd_t) corenet_tcp_sendrecv_generic_node(virtd_t) -@@ -247,22 +356,31 @@ corenet_tcp_connect_soundd_port(virtd_t) +@@ -247,22 +359,31 @@ corenet_tcp_connect_soundd_port(virtd_t) corenet_rw_tun_tap_dev(virtd_t) dev_rw_sysfs(virtd_t) @@ -71446,7 +71580,7 @@ index 947bbc6..d17661a 100644 fs_list_auto_mountpoints(virtd_t) fs_getattr_xattr_fs(virtd_t) -@@ -270,6 +388,18 @@ fs_rw_anon_inodefs_files(virtd_t) +@@ -270,6 +391,18 @@ fs_rw_anon_inodefs_files(virtd_t) fs_list_inotifyfs(virtd_t) fs_manage_cgroup_dirs(virtd_t) fs_rw_cgroup_files(virtd_t) @@ -71465,7 +71599,7 @@ index 947bbc6..d17661a 100644 mcs_process_set_categories(virtd_t) -@@ -284,7 +414,8 @@ term_use_ptmx(virtd_t) +@@ -284,7 +417,8 @@ term_use_ptmx(virtd_t) auth_use_nsswitch(virtd_t) @@ -71475,7 +71609,7 @@ index 947bbc6..d17661a 100644 miscfiles_read_generic_certs(virtd_t) miscfiles_read_hwdata(virtd_t) -@@ -293,17 +424,36 @@ modutils_read_module_config(virtd_t) +@@ -293,17 +427,36 @@ modutils_read_module_config(virtd_t) modutils_manage_module_config(virtd_t) logging_send_syslog_msg(virtd_t) @@ -71512,7 +71646,7 @@ index 947bbc6..d17661a 100644 tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virtd_t) -@@ -322,6 +472,10 @@ optional_policy(` +@@ -322,6 +475,10 @@ optional_policy(` ') optional_policy(` 
@@ -71523,7 +71657,7 @@ index 947bbc6..d17661a 100644 dbus_system_bus_client(virtd_t) optional_policy(` -@@ -335,19 +489,34 @@ optional_policy(` +@@ -335,19 +492,34 @@ optional_policy(` optional_policy(` hal_dbus_chat(virtd_t) ') @@ -71559,7 +71693,7 @@ index 947bbc6..d17661a 100644 # Manages /etc/sysconfig/system-config-firewall iptables_manage_config(virtd_t) -@@ -362,6 +531,12 @@ optional_policy(` +@@ -362,6 +534,12 @@ optional_policy(` ') optional_policy(` @@ -71572,7 +71706,7 @@ index 947bbc6..d17661a 100644 policykit_dbus_chat(virtd_t) policykit_domtrans_auth(virtd_t) policykit_domtrans_resolve(virtd_t) -@@ -369,11 +544,11 @@ optional_policy(` +@@ -369,11 +547,11 @@ optional_policy(` ') optional_policy(` @@ -71589,7 +71723,7 @@ index 947bbc6..d17661a 100644 ') optional_policy(` -@@ -384,6 +559,7 @@ optional_policy(` +@@ -384,6 +562,7 @@ optional_policy(` kernel_read_xen_state(virtd_t) kernel_write_xen_state(virtd_t) @@ -71597,7 +71731,7 @@ index 947bbc6..d17661a 100644 xen_stream_connect(virtd_t) xen_stream_connect_xenstore(virtd_t) xen_read_image_files(virtd_t) -@@ -402,35 +578,85 @@ optional_policy(` +@@ -402,35 +581,85 @@ optional_policy(` # # virtual domains common policy # @@ -71692,7 +71826,7 @@ index 947bbc6..d17661a 100644 dev_read_rand(virt_domain) dev_read_sound(virt_domain) dev_read_urand(virt_domain) -@@ -438,34 +664,627 @@ dev_write_sound(virt_domain) +@@ -438,34 +667,628 @@ dev_write_sound(virt_domain) dev_rw_ksm(virt_domain) dev_rw_kvm(virt_domain) dev_rw_qemu(virt_domain) @@ -71714,12 +71848,12 @@ index 947bbc6..d17661a 100644 +fs_rw_inherited_nfs_files(virt_domain) +fs_rw_inherited_cifs_files(virt_domain) +fs_rw_inherited_noxattr_fs_files(virt_domain) - --term_use_all_terms(virt_domain) ++ +# I think we need these for now. +miscfiles_read_public_files(virt_domain) +storage_raw_read_removable_device(virt_domain) -+ + +-term_use_all_terms(virt_domain) +sysnet_read_config(virt_domain) + +term_use_all_inherited_terms(virt_domain) 
@@ -71755,7 +71889,7 @@ index 947bbc6..d17661a 100644 + +optional_policy(` + xserver_rw_shm(virt_domain) -+') + ') + +tunable_policy(`virt_use_comm',` + term_use_unallocated_ttys(virt_domain) @@ -71905,7 +72039,7 @@ index 947bbc6..d17661a 100644 + fs_manage_nfs_dirs(virsh_t) + fs_manage_nfs_files(virsh_t) + fs_read_nfs_symlinks(virsh_t) - ') ++') + +tunable_policy(`virt_use_samba',` + fs_manage_cifs_files(virsh_t) @@ -72004,6 +72138,7 @@ index 947bbc6..d17661a 100644 +kernel_read_all_sysctls(virtd_lxc_t) +kernel_read_network_state(virtd_lxc_t) +kernel_read_system_state(virtd_lxc_t) ++kernel_request_load_module(virtd_lxc_t) + +corecmd_exec_bin(virtd_lxc_t) +corecmd_exec_shell(virtd_lxc_t) @@ -75010,10 +75145,10 @@ index 0000000..b34b8b4 + diff --git a/zoneminder.te b/zoneminder.te new file mode 100644 -index 0000000..3708d3c +index 0000000..a98b795 --- /dev/null +++ b/zoneminder.te -@@ -0,0 +1,121 @@ +@@ -0,0 +1,122 @@ +policy_module(zoneminder, 1.0.0) + +######################################## @@ -75091,6 +75226,7 @@ index 0000000..3708d3c + +corenet_tcp_bind_http_cache_port(zoneminder_t) +corenet_tcp_bind_transproxy_port(zoneminder_t) ++corenet_tcp_connect_http_port(zoneminder_t) + +dev_read_sysfs(zoneminder_t) +dev_read_rand(zoneminder_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index 397410c6..8600b50f 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.11.1 -Release: 67%{?dist} +Release: 69%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
@@ -524,6 +524,34 @@ SELinux Reference policy mls base module. %endif %changelog +* Wed Jan 2 2013 Miroslav Grepl 3.11.1-69 +- Add systemd_status_all_unit_files() interface +- Add support for nshadow +- Allow sysadm_t to administrate the postfix domains +- Add interface to setattr on isid directories for use by tmpreaper +- Allow sshd_t sys_admin for use with afs logins +- Allow systemd to read/write all sysctls +- Allow sshd_t sys_admin for use with afs logins +- Allow systemd to read/write all sysctls +- Add systemd_status_all_unit_files() interface +- Add support for nshadow +- Allow sysadm_t to administrate the postfix domains +- Add interface to setattr on isid directories for use by tmpreaper +- Allow sshd_t sys_admin for use with afs logins +- Allow systemd to read/write all sysctls +- Allow sshd_t sys_admin for use with afs logins +- Add labeling for /var/named/chroot/etc/localtim + +* Thu Dec 27 2012 Miroslav Grepl 3.11.1-68 +- Allow setroubleshoot_fixit to execute rpm +- zoneminder needs to connect to httpd ports where remote cameras are listening +- Allow firewalld to execute content created in /run directory +- Allow svirt_t to read generic certs +- Dontaudit leaked ps content to mozilla plugin +- Allow sshd_t sys_admin for use with afs logins +- Allow systemd to read/write all sysctls +- init scripts are creating systemd_unit_file_t directories + * Fri Dec 21 2012 Miroslav Grepl 3.11.1-67 - systemd_logind_t is looking at all files under /run/user/apache - Allow systemd to manage all user tmp files