diff --git a/policy-F14.patch b/policy-F14.patch index 2b4238ea..a644247d 100644 --- a/policy-F14.patch +++ b/policy-F14.patch @@ -6592,7 +6592,7 @@ index e70b0e8..cd83b89 100644 /usr/sbin/userhelper -- gen_context(system_u:object_r:userhelper_exec_t,s0) +/usr/bin/consolehelper -- gen_context(system_u:object_r:consolehelper_exec_t,s0) diff --git a/policy/modules/apps/userhelper.if b/policy/modules/apps/userhelper.if -index ced285a..d73e7c8 100644 +index ced285a..2e50976 100644 --- a/policy/modules/apps/userhelper.if +++ b/policy/modules/apps/userhelper.if @@ -25,6 +25,7 @@ template(`userhelper_role_template',` @@ -6603,7 +6603,7 @@ index ced285a..d73e7c8 100644 ') ######################################## -@@ -256,3 +257,58 @@ interface(`userhelper_exec',` +@@ -256,3 +257,61 @@ interface(`userhelper_exec',` can_exec($1, userhelper_exec_t) ') @@ -6653,20 +6653,23 @@ index ced285a..d73e7c8 100644 + + auth_use_pam($1_consolehelper_t) + ++ userdom_manage_tmpfs_role($2, $1_consolehelper_t) ++ + optional_policy(` + shutdown_run($1_consolehelper_t, $2) + shutdown_send_sigchld($3) + ') + + optional_policy(` ++ xserver_run_xauth($1_consolehelper_t, $2) + xserver_read_xdm_pid($1_consolehelper_t) + ') +') diff --git a/policy/modules/apps/userhelper.te b/policy/modules/apps/userhelper.te -index d584dff..f62c171 100644 +index d584dff..b46a20e 100644 --- a/policy/modules/apps/userhelper.te +++ b/policy/modules/apps/userhelper.te -@@ -6,9 +6,54 @@ policy_module(userhelper, 1.5.1) +@@ -6,9 +6,61 @@ policy_module(userhelper, 1.5.1) # attribute userhelper_type; @@ -6686,6 +6689,7 @@ index d584dff..f62c171 100644 +# consolehelper local policy +# + ++allow consolehelper_domain self:shm create_shm_perms; +allow consolehelper_domain self:capability { setgid setuid }; + +dontaudit consolehelper_domain userhelper_conf_t:file write; 
@@ -6711,14 +6715,20 @@ index d584dff..f62c171 100644 +init_read_utmp(consolehelper_domain) + +miscfiles_read_localization(consolehelper_domain) ++miscfiles_read_fonts(consolehelper_domain) + +userhelper_exec(consolehelper_domain) + +userdom_use_user_ptys(consolehelper_domain) +userdom_use_user_ttys(consolehelper_domain) -+userdom_search_user_home_content(consolehelper_domain) ++userdom_read_user_home_content_files(consolehelper_domain) + +optional_policy(` ++ gnome_read_gconf_home_files(consolehelper_domain) ++') ++ ++optional_policy(` ++ xserver_read_home_fonts(consolehelper_domain) + xserver_stream_connect(consolehelper_domain) +') diff --git a/policy/modules/apps/vmware.fc b/policy/modules/apps/vmware.fc @@ -6928,7 +6938,7 @@ index 82842a0..369c3b5 100644 dbus_system_bus_client($1_wm_t) dbus_session_bus_client($1_wm_t) diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc -index 0eb1d97..93c9ec1 100644 +index 0eb1d97..794a0eb 100644 --- a/policy/modules/kernel/corecommands.fc +++ b/policy/modules/kernel/corecommands.fc @@ -9,8 +9,11 @@ 
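Review bot: `++userdom_read_user_home_content_files(consolehelper_domain)` replaces the search-only `userdom_search_user_home_content` with read access to every file type under user home directories, and it does so for every domain carrying the `consolehelper_domain` attribute (each `$1_consolehelper_t` from the role template in the hunk above), with no comment saying which files the helper needs. The adjacent additions `gnome_read_gconf_home_files` and `xserver_read_home_fonts` already cover two specific home-content needs, so it is unclear whether the broad read is still required on top of them. If it is, a one-line rationale such as `# consolehelper reads <which files> from the user home dir` above the call would let the next reviewer judge the widening; if not, dropping back to the search interface keeps the helper closer to the access it had before.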
@@ -6992,7 +7002,17 @@ index 0eb1d97..93c9ec1 100644 /usr/lib(64)?/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:bin_t,s0) /usr/lib(64)?/apt/methods.+ -- gen_context(system_u:object_r:bin_t,s0) /usr/lib(64)?/ConsoleKit/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0) -@@ -218,8 +235,11 @@ ifdef(`distro_gentoo',` +@@ -205,7 +222,8 @@ ifdef(`distro_gentoo',` + /usr/lib(64)?/xen/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) + + /usr/libexec(/.*)? gen_context(system_u:object_r:bin_t,s0) +-/usr/libsexec/sesh -- gen_context(system_u:object_r:shell_exec_t,s0) ++/usr/libexec/git-core/git-shell -- gen_context(system_u:object_r:shell_exec_t,s0) ++/usr/libexec/sesh -- gen_context(system_u:object_r:shell_exec_t,s0) + + /usr/libexec/openssh/sftp-server -- gen_context(system_u:object_r:bin_t,s0) + +@@ -218,8 +236,11 @@ ifdef(`distro_gentoo',` /usr/sbin/sesh -- gen_context(system_u:object_r:shell_exec_t,s0) /usr/sbin/smrsh -- gen_context(system_u:object_r:shell_exec_t,s0) @@ -7004,7 +7024,7 @@ index 0eb1d97..93c9ec1 100644 /usr/share/debconf/.+ -- gen_context(system_u:object_r:bin_t,s0) /usr/share/denyhosts/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/denyhosts/plugins(/.*)? gen_context(system_u:object_r:bin_t,s0) -@@ -228,6 +248,8 @@ ifdef(`distro_gentoo',` +@@ -228,6 +249,8 @@ ifdef(`distro_gentoo',` /usr/share/cluster/svclib_nfslock -- gen_context(system_u:object_r:bin_t,s0) /usr/share/e16/misc(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/gedit-2/plugins/externaltools/tools(/.*)? gen_context(system_u:object_r:bin_t,s0) 
@@ -7013,7 +7033,7 @@ index 0eb1d97..93c9ec1 100644 /usr/share/gnucash/finance-quote-check -- gen_context(system_u:object_r:bin_t,s0) /usr/share/gnucash/finance-quote-helper -- gen_context(system_u:object_r:bin_t,s0) /usr/share/hal/device-manager/hal-device-manager -- gen_context(system_u:object_r:bin_t,s0) -@@ -314,6 +336,7 @@ ifdef(`distro_redhat', ` +@@ -314,6 +337,7 @@ ifdef(`distro_redhat', ` /usr/share/texmf/web2c/mktexdir -- gen_context(system_u:object_r:bin_t,s0) /usr/share/texmf/web2c/mktexnam -- gen_context(system_u:object_r:bin_t,s0) /usr/share/texmf/web2c/mktexupd -- gen_context(system_u:object_r:bin_t,s0) @@ -7021,7 +7041,7 @@ index 0eb1d97..93c9ec1 100644 ') ifdef(`distro_suse', ` -@@ -340,3 +363,27 @@ ifdef(`distro_suse', ` +@@ -340,3 +364,27 @@ ifdef(`distro_suse', ` ifdef(`distro_suse',` /var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0) ') @@ -18305,7 +18325,7 @@ index e1d7dc5..ee51a19 100644 admin_pattern($1, dovecot_var_run_t) diff --git a/policy/modules/services/dovecot.te b/policy/modules/services/dovecot.te -index cbe14e4..aff2296 100644 +index cbe14e4..396f956 100644 --- a/policy/modules/services/dovecot.te +++ b/policy/modules/services/dovecot.te @@ -18,7 +18,7 @@ type dovecot_auth_tmp_t; @@ -18409,7 +18429,7 @@ index cbe14e4..aff2296 100644 logging_send_syslog_msg(dovecot_deliver_t) -logging_search_logs(dovecot_auth_t) -+logging_search_logs(dovecot_deliver_t) ++logging_append_all_logs(dovecot_deliver_t) miscfiles_read_localization(dovecot_deliver_t) @@ -23480,7 +23500,7 @@ index 8581040..89e1edf 100644 allow $1 nagios_t:process { ptrace signal_perms }; diff --git a/policy/modules/services/nagios.te b/policy/modules/services/nagios.te -index da5b33d..61a3920 100644 +index da5b33d..3b620e3 100644 --- a/policy/modules/services/nagios.te +++ b/policy/modules/services/nagios.te @@ -107,13 +107,11 @@ files_read_etc_files(nagios_t) 
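Review bot: `++logging_append_all_logs(dovecot_deliver_t)` in the dovecot.te hunk grants the delivery agent append on every type carrying the logfile attribute (in refpolicy's logging.if this is `append_file_perms` on the `logfile` attribute, which would include the syslog and, if it carries that attribute, the audit log types), where the line it replaces only allowed searching log directories. Appending to logs the daemon does not own allows spurious records to be injected into system logs by a per-delivery process, so the rule should name the log type dovecot actually writes. If dovecot.te declares its own log type, `append_files_pattern(dovecot_deliver_t, DOVECOT_LOG_TYPE, DOVECOT_LOG_TYPE)` (placeholder for that type) plus the existing `logging_search_logs(dovecot_deliver_t)` covers the same need without the global grant; if it does not, a comment stating which foreign log file is appended would justify the broad interface.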
@@ -23519,6 +23539,15 @@ index da5b33d..61a3920 100644 optional_policy(` apache_content_template(nagios) typealias httpd_nagios_script_t alias nagios_cgi_t; +@@ -180,7 +179,7 @@ optional_policy(` + # + + allow nrpe_t self:capability { setuid setgid }; +-dontaudit nrpe_t self:capability {sys_tty_config sys_resource}; ++dontaudit nrpe_t self:capability { sys_tty_config sys_resource }; + allow nrpe_t self:process { setpgid signal_perms setsched setrlimit }; + allow nrpe_t self:fifo_file rw_fifo_file_perms; + allow nrpe_t self:tcp_socket create_stream_socket_perms; @@ -270,7 +269,6 @@ files_getattr_all_file_type_fs(nagios_admin_plugin_t) # @@ -24068,6 +24097,19 @@ index 23c769c..be5a5b4 100644 + files_list_pids($1) + admin_pattern($1, nslcd_var_run_t, nslcd_var_run_t) ') +diff --git a/policy/modules/services/ntop.te b/policy/modules/services/ntop.te +index ded9fb6..9d1e60a 100644 +--- a/policy/modules/services/ntop.te ++++ b/policy/modules/services/ntop.te +@@ -51,7 +51,7 @@ files_tmp_filetrans(ntop_t, ntop_tmp_t, { file dir }) + + manage_dirs_pattern(ntop_t, ntop_var_lib_t, ntop_var_lib_t) + manage_files_pattern(ntop_t, ntop_var_lib_t, ntop_var_lib_t) +-files_var_lib_filetrans(ntop_t, ntop_var_lib_t, { file dir } ) ++files_var_lib_filetrans(ntop_t, ntop_var_lib_t, { file dir }) + + manage_files_pattern(ntop_t, ntop_var_run_t, ntop_var_run_t) + files_pid_filetrans(ntop_t, ntop_var_run_t, file) diff --git a/policy/modules/services/ntp.if b/policy/modules/services/ntp.if index e80f8c0..694b002 100644 --- a/policy/modules/services/ntp.if @@ -24134,7 +24176,7 @@ index 79a225c..cbb2bce 100644 filetrans_pattern($1, nx_server_var_lib_t, $2, $3) ') diff --git a/policy/modules/services/nx.te b/policy/modules/services/nx.te -index ebb9582..c1825de 100644 +index ebb9582..1c72c6e 100644 --- a/policy/modules/services/nx.te +++ b/policy/modules/services/nx.te @@ -27,6 +27,9 @@ files_type(nx_server_var_lib_t) 
@@ -24147,6 +24189,15 @@ index ebb9582..c1825de 100644 ######################################## # # NX server local policy +@@ -36,7 +39,7 @@ allow nx_server_t self:fifo_file rw_fifo_file_perms; + allow nx_server_t self:tcp_socket create_socket_perms; + allow nx_server_t self:udp_socket create_socket_perms; + +-allow nx_server_t nx_server_devpts_t:chr_file { rw_chr_file_perms setattr }; ++allow nx_server_t nx_server_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms }; + term_create_pty(nx_server_t, nx_server_devpts_t) + + manage_dirs_pattern(nx_server_t, nx_server_tmp_t, nx_server_tmp_t) @@ -50,6 +53,9 @@ files_var_lib_filetrans(nx_server_t, nx_server_var_lib_t, { file dir }) manage_files_pattern(nx_server_t, nx_server_var_run_t, nx_server_var_run_t) files_pid_filetrans(nx_server_t, nx_server_var_run_t, file) @@ -24157,6 +24208,21 @@ index ebb9582..c1825de 100644 kernel_read_system_state(nx_server_t) kernel_read_kernel_sysctls(nx_server_t) +@@ -83,10 +89,10 @@ seutil_dontaudit_search_config(nx_server_t) + sysnet_read_config(nx_server_t) + + ifdef(`TODO',` +-# clients already have create permissions; the nxclient wants to also have unlink rights +-allow userdomain xdm_tmp_t:sock_file unlink; +-# for a lockfile created by the client process +-allow nx_server_t user_tmpfile:file getattr; ++ # clients already have create permissions; the nxclient wants to also have unlink rights ++ allow userdomain xdm_tmp_t:sock_file delete_sock_file_perms; ++ # for a lockfile created by the client process ++ allow nx_server_t user_tmpfile:file getattr_file_perms; + ') + + ######################################## diff --git a/policy/modules/services/oddjob.fc b/policy/modules/services/oddjob.fc index bdf8c89..5ee1598 100644 --- a/policy/modules/services/oddjob.fc @@ -24243,10 +24309,26 @@ index bd76ec2..ca6517b 100644 ## ## Execute a domain transition to run oddjob_mkhomedir. 
diff --git a/policy/modules/services/oddjob.te b/policy/modules/services/oddjob.te -index cadfc63..ef6919f 100644 +index cadfc63..c8f4d64 100644 --- a/policy/modules/services/oddjob.te +++ b/policy/modules/services/oddjob.te -@@ -99,8 +99,7 @@ seutil_read_default_contexts(oddjob_mkhomedir_t) +@@ -7,7 +7,6 @@ policy_module(oddjob, 1.7.0) + + type oddjob_t; + type oddjob_exec_t; +-domain_type(oddjob_t) + init_daemon_domain(oddjob_t, oddjob_exec_t) + domain_obj_id_change_exemption(oddjob_t) + domain_role_change_exemption(oddjob_t) +@@ -15,7 +14,6 @@ domain_subj_id_change_exemption(oddjob_t) + + type oddjob_mkhomedir_t; + type oddjob_mkhomedir_exec_t; +-domain_type(oddjob_mkhomedir_t) + domain_obj_id_change_exemption(oddjob_mkhomedir_t) + init_system_domain(oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t) + oddjob_system_entry(oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t) +@@ -99,8 +97,6 @@ seutil_read_default_contexts(oddjob_mkhomedir_t) # Add/remove user home directories userdom_home_filetrans_user_home_dir(oddjob_mkhomedir_t) @@ -24254,9 +24336,9 @@ index cadfc63..ef6919f 100644 -userdom_manage_user_home_content_files(oddjob_mkhomedir_t) userdom_manage_user_home_dirs(oddjob_mkhomedir_t) -userdom_user_home_dir_filetrans_user_home_content(oddjob_mkhomedir_t, notdevfile_class_set) +- +userdom_manage_user_home_content_dirs(oddjob_mkhomedir_t) +userdom_manage_user_home_content(oddjob_mkhomedir_t) - diff --git a/policy/modules/services/oident.if b/policy/modules/services/oident.if index bb4fae5..b1b5e51 100644 --- a/policy/modules/services/oident.if @@ -24327,9 +24409,30 @@ index bb4fae5..b1b5e51 100644 + admin_pattern($1, oidentd_config_t) +') diff --git a/policy/modules/services/oident.te b/policy/modules/services/oident.te -index 0a244b1..9097656 100644 +index 0a244b1..73c1fa5 100644 --- a/policy/modules/services/oident.te 
+++ b/policy/modules/services/oident.te +@@ -1,4 +1,4 @@ +-policy_module(oident, 2.1.0) ++policy_module(oident, 2.1.0) + + ######################################## + # +@@ -26,10 +26,10 @@ files_config_file(oidentd_config_t) + # + + allow oidentd_t self:capability { setuid setgid }; +-allow oidentd_t self:netlink_route_socket { write getattr read bind create nlmsg_read }; +-allow oidentd_t self:netlink_tcpdiag_socket { write read create nlmsg_read }; +-allow oidentd_t self:tcp_socket { setopt read bind create accept write getattr listen }; +-allow oidentd_t self:udp_socket { write read create connect getattr ioctl }; ++allow oidentd_t self:netlink_route_socket create_netlink_socket_perms; ++allow oidentd_t self:netlink_tcpdiag_socket create_netlink_socket_perms; ++allow oidentd_t self:tcp_socket create_stream_socket_perms; ++allow oidentd_t self:udp_socket create_socket_perms; + allow oidentd_t self:unix_dgram_socket { create connect }; + + allow oidentd_t oidentd_config_t:file read_file_perms; @@ -48,6 +48,7 @@ kernel_read_kernel_sysctls(oidentd_t) kernel_read_network_state(oidentd_t) kernel_read_network_state_symlinks(oidentd_t) @@ -24367,9 +24470,22 @@ index 9d0a67b..9197ef0 100644 # interface(`openct_domtrans',` diff --git a/policy/modules/services/openvpn.te b/policy/modules/services/openvpn.te -index 8b550f4..ba7c06b 100644 +index 8b550f4..cb87bef 100644 --- a/policy/modules/services/openvpn.te +++ b/policy/modules/services/openvpn.te +@@ -6,9 +6,9 @@ policy_module(openvpn, 1.10.0) + # + + ## +-##
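Review bot: `++allow oidentd_t self:netlink_route_socket create_netlink_socket_perms;` and the tcpdiag line below it widen the sets they replace: the originals `{ write getattr read bind create nlmsg_read }` and `{ write read create nlmsg_read }` had no nlmsg_write, and if `create_netlink_socket_perms` expands as in refpolicy's obj_perm_sets (create_socket_perms plus nlmsg_read and nlmsg_write) the daemon is now allowed to send netlink modification requests it was previously denied. `r_netlink_socket_perms`, which this same diff uses for piranha_web_t, matches the original read-only access: `allow oidentd_t self:netlink_route_socket r_netlink_socket_perms;` and `allow oidentd_t self:netlink_tcpdiag_socket r_netlink_socket_perms;`. The same substitution is made for pads_t in the pads.te hunk further down (`++allow pads_t self:netlink_route_socket create_netlink_socket_perms;`), where the original was likewise read-only. The capability line above grants only setuid/setgid, so the extra netlink write is unlikely to be usable, but the rule should still describe what the daemon does rather than more.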

+-## Allow openvpn to read home directories +-##

++##

++## Allow openvpn to read home directories ++##

+ ##
+ gen_tunable(openvpn_enable_homedirs, false) + @@ -24,6 +24,9 @@ files_config_file(openvpn_etc_t) type openvpn_etc_rw_t; files_config_file(openvpn_etc_rw_t) @@ -24380,7 +24496,12 @@ index 8b550f4..ba7c06b 100644 type openvpn_initrc_exec_t; init_script_file(openvpn_initrc_exec_t) -@@ -48,7 +51,7 @@ allow openvpn_t self:unix_dgram_socket { create_socket_perms sendto }; +@@ -43,12 +46,11 @@ files_pid_file(openvpn_var_run_t) + allow openvpn_t self:capability { dac_read_search dac_override ipc_lock net_bind_service net_admin setgid setuid sys_chroot sys_tty_config }; + allow openvpn_t self:process { signal getsched }; + allow openvpn_t self:fifo_file rw_fifo_file_perms; +- + allow openvpn_t self:unix_dgram_socket { create_socket_perms sendto }; allow openvpn_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow openvpn_t self:udp_socket create_socket_perms; allow openvpn_t self:tcp_socket server_stream_socket_perms; @@ -24389,7 +24510,7 @@ index 8b550f4..ba7c06b 100644 allow openvpn_t self:netlink_route_socket rw_netlink_socket_perms; can_exec(openvpn_t, openvpn_etc_t) -@@ -58,9 +61,13 @@ read_lnk_files_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_t) +@@ -58,9 +60,13 @@ read_lnk_files_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_t) manage_files_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_rw_t) filetrans_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_rw_t, file) @@ -24403,7 +24524,7 @@ index 8b550f4..ba7c06b 100644 manage_files_pattern(openvpn_t, openvpn_var_run_t, openvpn_var_run_t) files_pid_filetrans(openvpn_t, openvpn_var_run_t, { file dir }) -@@ -68,6 +75,7 @@ kernel_read_kernel_sysctls(openvpn_t) +@@ -68,6 +74,7 @@ kernel_read_kernel_sysctls(openvpn_t) kernel_read_net_sysctls(openvpn_t) kernel_read_network_state(openvpn_t) kernel_read_system_state(openvpn_t) 
@@ -24411,7 +24532,7 @@ index 8b550f4..ba7c06b 100644 corecmd_exec_bin(openvpn_t) corecmd_exec_shell(openvpn_t) -@@ -113,19 +121,19 @@ sysnet_manage_config(openvpn_t) +@@ -113,20 +120,20 @@ sysnet_manage_config(openvpn_t) sysnet_etc_filetrans_config(openvpn_t) userdom_use_user_terminals(openvpn_t) @@ -24424,17 +24545,22 @@ index 8b550f4..ba7c06b 100644 ') tunable_policy(`openvpn_enable_homedirs && use_nfs_home_dirs',` - fs_read_nfs_files(openvpn_t) +- fs_read_nfs_files(openvpn_t) - fs_read_nfs_symlinks(openvpn_t) - ') +-') ++ fs_read_nfs_files(openvpn_t) ++') tunable_policy(`openvpn_enable_homedirs && use_samba_home_dirs',` - fs_read_cifs_files(openvpn_t) +- fs_read_cifs_files(openvpn_t) - fs_read_cifs_symlinks(openvpn_t) - ') +-') ++ fs_read_cifs_files(openvpn_t) ++') optional_policy(` -@@ -138,3 +146,7 @@ optional_policy(` + daemontools_service_domain(openvpn_t, openvpn_exec_t) +@@ -138,3 +145,7 @@ optional_policy(` networkmanager_dbus_chat(openvpn_t) ') 
@@ -24470,6 +24596,39 @@ index 8ac407e..8235fb6 100644 + files_list_etc($1) admin_pattern($1, pads_config_t) ') +diff --git a/policy/modules/services/pads.te b/policy/modules/services/pads.te +index b246bdd..f414173 100644 +--- a/policy/modules/services/pads.te ++++ b/policy/modules/services/pads.te +@@ -1,4 +1,4 @@ +-policy_module(pads, 1.0.0) ++policy_module(pads, 1.0.0) + + ######################################## + # +@@ -8,7 +8,6 @@ policy_module(pads, 1.0.0) + type pads_t; + type pads_exec_t; + init_daemon_domain(pads_t, pads_exec_t) +-role system_r types pads_t; + + type pads_initrc_exec_t; + init_script_file(pads_initrc_exec_t) +@@ -25,10 +24,10 @@ files_pid_file(pads_var_run_t) + # + + allow pads_t self:capability { dac_override net_raw }; +-allow pads_t self:netlink_route_socket { write getattr read bind create nlmsg_read }; +-allow pads_t self:packet_socket { ioctl setopt getopt read bind create }; +-allow pads_t self:udp_socket { create ioctl }; +-allow pads_t self:unix_dgram_socket { write create connect }; ++allow pads_t self:netlink_route_socket create_netlink_socket_perms; ++allow pads_t self:packet_socket create_socket_perms; ++allow pads_t self:udp_socket create_socket_perms; ++allow pads_t self:unix_dgram_socket create_socket_perms; + + allow pads_t pads_config_t:file manage_file_perms; + files_etc_filetrans(pads_t, pads_config_t, file) diff --git a/policy/modules/services/passenger.fc b/policy/modules/services/passenger.fc new file mode 100644 index 0000000..8d00972 @@ -24557,12 +24716,11 @@ index 0000000..66f9799 +') diff --git a/policy/modules/services/passenger.te b/policy/modules/services/passenger.te new file mode 100644 -index 0000000..9cb0d1c +index 0000000..ba9fdb9 --- /dev/null +++ b/policy/modules/services/passenger.te -@@ -0,0 +1,68 @@ -+ -+policy_module(passanger,1.0.0) +@@ -0,0 +1,66 @@ ++policy_module(passanger, 1.0.0) + +######################################## +# 
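Review bot: `++policy_module(passanger, 1.0.0)` re-touches the first line of passenger.te for spacing but keeps the misspelled module name; the file is passenger.te and the types in the hunk are named `passenger_t`, so the name written into the built package and listed by semodule would be `passanger`, which does not match the file or the type prefix. The line should read `policy_module(passenger, 1.0.0)`. The remainder of the new file is outside this hunk, so I cannot tell whether the misspelling is repeated elsewhere.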
@@ -24593,7 +24751,6 @@ index 0000000..9cb0d1c + +allow passenger_t self:capability { dac_override fsetid fowner chown setuid setgid }; +allow passenger_t self:process signal; -+ +allow passenger_t self:fifo_file rw_fifo_file_perms; +allow passenger_t self:unix_stream_socket { create_stream_socket_perms connectto }; + @@ -24645,8 +24802,20 @@ index 1c2a091..ea5ae69 100644 ## # interface(`pcscd_domtrans',` +diff --git a/policy/modules/services/pcscd.te b/policy/modules/services/pcscd.te +index 3116191..df751a6 100644 +--- a/policy/modules/services/pcscd.te ++++ b/policy/modules/services/pcscd.te +@@ -7,7 +7,6 @@ policy_module(pcscd, 1.6.1) + + type pcscd_t; + type pcscd_exec_t; +-domain_type(pcscd_t) + init_daemon_domain(pcscd_t, pcscd_exec_t) + + # pid files diff --git a/policy/modules/services/pegasus.te b/policy/modules/services/pegasus.te -index 3185114..e2e2f67 100644 +index 3185114..5322412 100644 --- a/policy/modules/services/pegasus.te +++ b/policy/modules/services/pegasus.te @@ -29,7 +29,7 @@ files_pid_file(pegasus_var_run_t) 
@@ -24658,10 +24827,21 @@ index 3185114..e2e2f67 100644 dontaudit pegasus_t self:capability sys_tty_config; allow pegasus_t self:process signal; allow pegasus_t self:fifo_file rw_fifo_file_perms; -@@ -57,14 +57,17 @@ manage_files_pattern(pegasus_t, pegasus_tmp_t, pegasus_tmp_t) +@@ -38,7 +38,7 @@ allow pegasus_t self:unix_stream_socket create_stream_socket_perms; + allow pegasus_t self:tcp_socket create_stream_socket_perms; + + allow pegasus_t pegasus_conf_t:dir rw_dir_perms; +-allow pegasus_t pegasus_conf_t:file { read_file_perms link unlink }; ++allow pegasus_t pegasus_conf_t:file { read_file_perms link delete_file_perms }; + allow pegasus_t pegasus_conf_t:lnk_file read_lnk_file_perms; + + manage_dirs_pattern(pegasus_t, pegasus_data_t, pegasus_data_t) +@@ -56,15 +56,18 @@ manage_dirs_pattern(pegasus_t, pegasus_tmp_t, pegasus_tmp_t) + manage_files_pattern(pegasus_t, pegasus_tmp_t, pegasus_tmp_t) files_tmp_filetrans(pegasus_t, pegasus_tmp_t, { file dir }) - allow pegasus_t pegasus_var_run_t:sock_file { create setattr unlink }; +-allow pegasus_t pegasus_var_run_t:sock_file { create setattr unlink }; ++allow pegasus_t pegasus_var_run_t:sock_file { create_sock_file_perms setattr_sock_file_perms delete_sock_file_perms }; +manage_dirs_pattern(pegasus_t, pegasus_var_run_t, pegasus_var_run_t) manage_files_pattern(pegasus_t, pegasus_var_run_t, pegasus_var_run_t) -files_pid_filetrans(pegasus_t, pegasus_var_run_t, file) 
@@ -24765,6 +24945,19 @@ index 8688aae..1bfd8d2 100644 ') allow $1 pingd_t:process { ptrace signal_perms }; +diff --git a/policy/modules/services/pingd.te b/policy/modules/services/pingd.te +index e9cf8a4..4a9d196 100644 +--- a/policy/modules/services/pingd.te ++++ b/policy/modules/services/pingd.te +@@ -27,7 +27,7 @@ files_type(pingd_modules_t) + + allow pingd_t self:capability net_raw; + allow pingd_t self:tcp_socket create_stream_socket_perms; +-allow pingd_t self:rawip_socket { write read create bind }; ++allow pingd_t self:rawip_socket create_socket_perms; + + read_files_pattern(pingd_t, pingd_etc_t, pingd_etc_t) + diff --git a/policy/modules/services/piranha.fc b/policy/modules/services/piranha.fc new file mode 100644 index 0000000..2c7e06f @@ -24978,11 +25171,11 @@ index 0000000..6403c17 +') diff --git a/policy/modules/services/piranha.te b/policy/modules/services/piranha.te new file mode 100644 -index 0000000..0a5f27d +index 0000000..6b69f38 --- /dev/null +++ b/policy/modules/services/piranha.te -@@ -0,0 +1,220 @@ -+policy_module(piranha,1.0.0) +@@ -0,0 +1,214 @@ ++policy_module(piranha, 1.0.0) + +######################################## +# @@ -24990,9 +25183,9 @@ index 0000000..0a5f27d +# + +## -+##

-+## Allow piranha-lvs domain to connect to the network using TCP. -+##

++##

++## Allow piranha-lvs domain to connect to the network using TCP. ++##

+##
+gen_tunable(piranha_lvs_can_network_connect, false) + @@ -25049,7 +25242,6 @@ index 0000000..0a5f27d +allow piranha_web_t self:capability { setuid sys_nice kill setgid }; +allow piranha_web_t self:process { getsched setsched signal signull ptrace }; +allow piranha_web_t self:rawip_socket create_socket_perms; -+ +allow piranha_web_t self:netlink_route_socket r_netlink_socket_perms; +allow piranha_web_t self:sem create_sem_perms; +allow piranha_web_t self:shm create_shm_perms; @@ -25064,7 +25256,7 @@ index 0000000..0a5f27d + +manage_dirs_pattern(piranha_web_t, piranha_log_t, piranha_log_t) +manage_files_pattern(piranha_web_t, piranha_log_t, piranha_log_t) -+logging_log_filetrans(piranha_web_t, piranha_log_t, { dir file } ) ++logging_log_filetrans(piranha_web_t, piranha_log_t, { dir file }) + +can_exec(piranha_web_t, piranha_web_tmp_t) +manage_dirs_pattern(piranha_web_t, piranha_web_tmp_t, piranha_web_tmp_t) @@ -25103,7 +25295,7 @@ index 0000000..0a5f27d +') + +optional_policy(` -+ sasl_connect(piranha_web_t) ++ sasl_connect(piranha_web_t) +') + +###################################### @@ -25113,9 +25305,7 @@ index 0000000..0a5f27d + +# neede by nanny +allow piranha_lvs_t self:capability { net_raw sys_nice }; -+ +allow piranha_lvs_t self:process signal; -+ +allow piranha_lvs_t self:unix_dgram_socket create_socket_perms; +allow piranha_lvs_t self:rawip_socket create_socket_perms; + @@ -25129,7 +25319,7 @@ index 0000000..0a5f27d + +# needed by nanny +tunable_policy(`piranha_lvs_can_network_connect',` -+ corenet_tcp_connect_all_ports(piranha_lvs_t) ++ corenet_tcp_connect_all_ports(piranha_lvs_t) +') + +# needed by ipvsadm @@ -25160,7 +25350,7 @@ index 0000000..0a5f27d +') + +optional_policy(` -+ sysnet_domtrans_ifconfig(piranha_pulse_t) ++ sysnet_domtrans_ifconfig(piranha_pulse_t) +') + +#################################### 
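Review bot: `+can_exec(piranha_web_t, piranha_web_tmp_t)` directly above `+manage_dirs_pattern(piranha_web_t, piranha_web_tmp_t, piranha_web_tmp_t)` lets the web-facing domain both create and execute content of the same temporary type, which is exactly the write-then-run path that confining a web process is meant to close; the commit only re-spaces the `logging_log_filetrans` call above it and leaves this unexplained. The matching files pattern for the tmp type is presumably just past the hunk boundary, so the scope of what can be executed is not fully visible here. A comment recording which helper drops and runs scripts there would justify the rule; if the script is a known fixed file, labeling it with a dedicated executable type instead of making all of `piranha_web_tmp_t` executable would keep the same functionality with less exposure.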
@@ -25194,9 +25384,6 @@ index 0000000..0a5f27d +corecmd_exec_bin(piranha_domain) +corecmd_exec_shell(piranha_domain) + -+libs_use_ld_so(piranha_domain) -+libs_use_shared_libs(piranha_domain) -+ +logging_send_syslog_msg(piranha_domain) + +miscfiles_read_localization(piranha_domain) @@ -25367,7 +25554,7 @@ index 9759ed8..07dd3ff 100644 admin_pattern($1, plymouthd_var_run_t) ') diff --git a/policy/modules/services/plymouthd.te b/policy/modules/services/plymouthd.te -index fb8dc84..c30505a 100644 +index fb8dc84..836e2e2 100644 --- a/policy/modules/services/plymouthd.te +++ b/policy/modules/services/plymouthd.te @@ -60,10 +60,14 @@ domain_use_interactive_fds(plymouthd_t) @@ -25393,6 +25580,15 @@ index fb8dc84..c30505a 100644 domain_use_interactive_fds(plymouth_t) +@@ -87,7 +92,7 @@ sysnet_read_config(plymouth_t) + + plymouthd_stream_connect(plymouth_t) + +-ifdef(`hide_broken_symptoms', ` ++ifdef(`hide_broken_symptoms',` + optional_policy(` + hal_dontaudit_write_log(plymouth_t) + hal_dontaudit_rw_pipes(plymouth_t) diff --git a/policy/modules/services/policykit.fc b/policy/modules/services/policykit.fc index 27c739c..c65d18f 100644 --- a/policy/modules/services/policykit.fc @@ -25554,7 +25750,7 @@ index 48ff1e8..13cdc77 100644 + allow $1 policykit_auth_t:process signal; ') diff --git a/policy/modules/services/policykit.te b/policy/modules/services/policykit.te -index 1e7169d..e731afa 100644 +index 1e7169d..7385ecf 100644 --- a/policy/modules/services/policykit.te +++ b/policy/modules/services/policykit.te @@ -24,6 +24,9 @@ init_system_domain(policykit_resolve_t, policykit_resolve_exec_t) @@ -25567,7 +25763,7 @@ index 1e7169d..e731afa 100644 type policykit_var_lib_t alias polkit_var_lib_t; files_type(policykit_var_lib_t) -@@ -35,11 +38,12 @@ files_pid_file(policykit_var_run_t) +@@ -35,11 +38,11 @@ files_pid_file(policykit_var_run_t) # policykit local policy # 
@@ -25577,14 +25773,13 @@ index 1e7169d..e731afa 100644 +allow policykit_t self:capability { dac_override dac_read_search setgid setuid sys_ptrace }; +allow policykit_t self:process { getsched getattr signal }; +allow policykit_t self:fifo_file rw_fifo_file_perms; -+ allow policykit_t self:unix_dgram_socket create_socket_perms; -allow policykit_t self:unix_stream_socket create_stream_socket_perms; +allow policykit_t self:unix_stream_socket { create_stream_socket_perms connectto }; policykit_domtrans_auth(policykit_t) -@@ -56,10 +60,16 @@ manage_dirs_pattern(policykit_t, policykit_var_run_t, policykit_var_run_t) +@@ -56,10 +59,16 @@ manage_dirs_pattern(policykit_t, policykit_var_run_t, policykit_var_run_t) manage_files_pattern(policykit_t, policykit_var_run_t, policykit_var_run_t) files_pid_filetrans(policykit_t, policykit_var_run_t, { file dir }) @@ -25601,7 +25796,7 @@ index 1e7169d..e731afa 100644 auth_use_nsswitch(policykit_t) -@@ -67,45 +77,90 @@ logging_send_syslog_msg(policykit_t) +@@ -67,45 +76,90 @@ logging_send_syslog_msg(policykit_t) miscfiles_read_localization(policykit_t) @@ -25698,7 +25893,7 @@ index 1e7169d..e731afa 100644 dbus_session_bus_client(policykit_auth_t) optional_policy(` -@@ -118,6 +173,14 @@ optional_policy(` +@@ -118,6 +172,14 @@ optional_policy(` hal_read_state(policykit_auth_t) ') @@ -25713,7 +25908,7 @@ index 1e7169d..e731afa 100644 ######################################## # # polkit_grant local policy -@@ -125,7 +188,8 @@ optional_policy(` +@@ -125,7 +187,8 @@ optional_policy(` allow policykit_grant_t self:capability setuid; allow policykit_grant_t self:process getattr; 
@@ -25723,7 +25918,7 @@ index 1e7169d..e731afa 100644 allow policykit_grant_t self:unix_dgram_socket create_socket_perms; allow policykit_grant_t self:unix_stream_socket create_stream_socket_perms; -@@ -155,9 +219,12 @@ miscfiles_read_localization(policykit_grant_t) +@@ -155,9 +218,12 @@ miscfiles_read_localization(policykit_grant_t) userdom_read_all_users_state(policykit_grant_t) optional_policy(` @@ -25737,7 +25932,7 @@ index 1e7169d..e731afa 100644 consolekit_dbus_chat(policykit_grant_t) ') ') -@@ -169,7 +236,8 @@ optional_policy(` +@@ -169,7 +235,8 @@ optional_policy(` allow policykit_resolve_t self:capability { setuid sys_nice sys_ptrace }; allow policykit_resolve_t self:process getattr; @@ -25747,6 +25942,23 @@ index 1e7169d..e731afa 100644 allow policykit_resolve_t self:unix_dgram_socket create_socket_perms; allow policykit_resolve_t self:unix_stream_socket create_stream_socket_perms; +@@ -207,4 +274,3 @@ optional_policy(` + kernel_search_proc(policykit_resolve_t) + hal_read_state(policykit_resolve_t) + ') +- +diff --git a/policy/modules/services/portmap.te b/policy/modules/services/portmap.te +index 333a1fe..d1cf513 100644 +--- a/policy/modules/services/portmap.te ++++ b/policy/modules/services/portmap.te +@@ -12,7 +12,6 @@ init_daemon_domain(portmap_t, portmap_exec_t) + type portmap_helper_t; + type portmap_helper_exec_t; + init_system_domain(portmap_helper_t, portmap_helper_exec_t) +-role system_r types portmap_helper_t; + + type portmap_tmp_t; + files_tmp_file(portmap_tmp_t) diff --git a/policy/modules/services/portreserve.fc b/policy/modules/services/portreserve.fc index c69d047..1d9fa76 100644 --- a/policy/modules/services/portreserve.fc @@ -26152,18 +26364,17 @@ index 46bee12..7391f7e 100644 + role $2 types postfix_postdrop_t; +') diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te -index 06e37d4..87043e1 100644 +index 06e37d4..628fcda 100644 --- a/policy/modules/services/postfix.te 
+++ b/policy/modules/services/postfix.te -@@ -5,6 +5,15 @@ policy_module(postfix, 1.12.0) +@@ -5,6 +5,14 @@ policy_module(postfix, 1.12.0) # Declarations # +## -+##

-+## Allow postfix_local domain full write access to mail_spool directories -+## -+##

++##

++## Allow postfix_local domain full write access to mail_spool directories ++##

+##
+gen_tunable(allow_postfix_local_write_mail_spool, false) + @@ -26171,39 +26382,16 @@ index 06e37d4..87043e1 100644 attribute postfix_user_domains; # domains that transition to the # postfix user domains -@@ -12,7 +21,7 @@ attribute postfix_user_domtrans; +@@ -12,7 +20,7 @@ attribute postfix_user_domtrans; postfix_server_domain_template(bounce) -type postfix_spool_bounce_t; -+type postfix_spool_bounce_t, postfix_spool_type; ++type postfix_spool_bounce_t, postfix_spool_type; files_type(postfix_spool_bounce_t) postfix_server_domain_template(cleanup) -@@ -26,12 +35,21 @@ application_executable_file(postfix_exec_t) - postfix_server_domain_template(local) - mta_mailserver_delivery(postfix_local_t) - -+# Handle vacation script -+mta_send_mail(postfix_local_t) -+ -+userdom_read_user_home_content_files(postfix_local_t) -+ -+tunable_policy(`allow_postfix_local_write_mail_spool',` -+ mta_manage_spool(postfix_local_t) -+') -+ - # Program for creating database files - type postfix_map_t; - type postfix_map_exec_t; - application_domain(postfix_map_t, postfix_map_exec_t) - role system_r types postfix_map_t; -- -+ - type postfix_map_tmp_t; - files_tmp_file(postfix_map_tmp_t) - -@@ -41,6 +59,9 @@ typealias postfix_master_t alias postfix_t; +@@ -41,6 +49,9 @@ typealias postfix_master_t alias postfix_t; # generation macro work mta_mailserver(postfix_t, postfix_master_exec_t) @@ -26213,7 +26401,7 @@ index 06e37d4..87043e1 100644 postfix_server_domain_template(pickup) postfix_server_domain_template(pipe) -@@ -49,6 +70,7 @@ postfix_user_domain_template(postdrop) +@@ -49,6 +60,7 @@ postfix_user_domain_template(postdrop) mta_mailserver_user_agent(postfix_postdrop_t) postfix_user_domain_template(postqueue) @@ -26221,7 +26409,7 @@ index 06e37d4..87043e1 100644 type postfix_private_t; files_type(postfix_private_t) -@@ -65,13 +87,13 @@ mta_mailserver_sender(postfix_smtp_t) +@@ -65,13 +77,13 @@ mta_mailserver_sender(postfix_smtp_t) postfix_server_domain_template(smtpd) 
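Review bot: The hunk removes the entire inner `@@ -26,12 +35,21 @@` block from the patch, including `tunable_policy(`allow_postfix_local_write_mail_spool',` mta_manage_spool(postfix_local_t) ')`, while the preceding hunk still keeps `+gen_tunable(allow_postfix_local_write_mail_spool, false)` in postfix.te. After this change the boolean is declared but, as far as this file shows, nothing consumes it, so an administrator toggling it would believe spool write access is being enabled or disabled when it is not. If the tunable_policy block was moved to another file (for example into a template in postfix.if) that hunk is not visible here and a short comment next to the gen_tunable naming where it is used would help; otherwise the `gen_tunable` line and its doc block should go with the removed block.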
@@ -26238,9 +26426,15 @@ index 06e37d4..87043e1 100644 files_type(postfix_spool_flush_t) type postfix_public_t; -@@ -99,7 +121,9 @@ allow postfix_master_t self:tcp_socket create_stream_socket_perms; +@@ -94,23 +106,25 @@ mta_mailserver_delivery(postfix_virtual_t) + + # chown is to set the correct ownership of queue dirs + allow postfix_master_t self:capability { chown dac_override kill setgid setuid net_bind_service sys_tty_config }; ++allow postfix_master_t self:process setrlimit; + allow postfix_master_t self:fifo_file rw_fifo_file_perms; + allow postfix_master_t self:tcp_socket create_stream_socket_perms; allow postfix_master_t self:udp_socket create_socket_perms; - allow postfix_master_t self:process setrlimit; +-allow postfix_master_t self:process setrlimit; +allow postfix_master_t postfix_etc_t:dir rw_dir_perms; allow postfix_master_t postfix_etc_t:file rw_file_perms; 
@@ -26248,7 +26442,30 @@ index 06e37d4..87043e1 100644 can_exec(postfix_master_t, postfix_exec_t) -@@ -150,6 +174,9 @@ corenet_tcp_sendrecv_generic_node(postfix_master_t) + allow postfix_master_t postfix_data_t:dir manage_dir_perms; + allow postfix_master_t postfix_data_t:file manage_file_perms; + +-allow postfix_master_t postfix_map_exec_t:file { mmap_file_perms ioctl lock }; ++allow postfix_master_t postfix_map_exec_t:file { mmap_file_perms lock }; + +-allow postfix_master_t postfix_postdrop_exec_t:file getattr; ++allow postfix_master_t postfix_postdrop_exec_t:file getattr_file_perms; + +-allow postfix_master_t postfix_postqueue_exec_t:file getattr; ++allow postfix_master_t postfix_postqueue_exec_t:file getattr_file_perms; + + manage_fifo_files_pattern(postfix_master_t, postfix_private_t, postfix_private_t) + manage_sock_files_pattern(postfix_master_t, postfix_private_t, postfix_private_t) +@@ -130,7 +144,7 @@ manage_files_pattern(postfix_master_t, postfix_spool_t, postfix_spool_t) + files_spool_filetrans(postfix_master_t, postfix_spool_t, dir) + + allow postfix_master_t postfix_spool_bounce_t:dir manage_dir_perms; +-allow postfix_master_t postfix_spool_bounce_t:file getattr; ++allow postfix_master_t postfix_spool_bounce_t:file getattr_file_perms; + + manage_dirs_pattern(postfix_master_t, postfix_spool_flush_t, postfix_spool_flush_t) + manage_files_pattern(postfix_master_t, postfix_spool_flush_t, postfix_spool_flush_t) +@@ -150,6 +164,9 @@ corenet_tcp_sendrecv_generic_node(postfix_master_t) corenet_udp_sendrecv_generic_node(postfix_master_t) corenet_tcp_sendrecv_all_ports(postfix_master_t) corenet_udp_sendrecv_all_ports(postfix_master_t) 
@@ -26258,7 +26475,7 @@ index 06e37d4..87043e1 100644 corenet_tcp_bind_generic_node(postfix_master_t) corenet_tcp_bind_amavisd_send_port(postfix_master_t) corenet_tcp_bind_smtp_port(postfix_master_t) -@@ -167,6 +194,8 @@ corecmd_exec_bin(postfix_master_t) +@@ -167,6 +184,8 @@ corecmd_exec_bin(postfix_master_t) domain_use_interactive_fds(postfix_master_t) files_read_usr_files(postfix_master_t) 
@@ -26267,7 +26484,53 @@ index 06e37d4..87043e1 100644 term_dontaudit_search_ptys(postfix_master_t) -@@ -304,9 +333,17 @@ optional_policy(` +@@ -220,7 +239,7 @@ allow postfix_bounce_t self:capability dac_read_search; + allow postfix_bounce_t self:tcp_socket create_socket_perms; + + allow postfix_bounce_t postfix_public_t:sock_file write; +-allow postfix_bounce_t postfix_public_t:dir search; ++allow postfix_bounce_t postfix_public_t:dir search_dir_perms; + + manage_dirs_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t) + manage_files_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t) +@@ -264,8 +283,8 @@ optional_policy(` + # Postfix local local policy + # + +-allow postfix_local_t self:fifo_file rw_fifo_file_perms; + allow postfix_local_t self:process { setsched setrlimit }; ++allow postfix_local_t self:fifo_file rw_fifo_file_perms; + + # connect to master process + stream_connect_pattern(postfix_local_t, postfix_public_t, postfix_public_t, postfix_master_t) +@@ -273,6 +292,8 @@ stream_connect_pattern(postfix_local_t, postfix_public_t, postfix_public_t, post + # for .forward - maybe we need a new type for it? 
+ rw_sock_files_pattern(postfix_local_t, postfix_private_t, postfix_private_t) + ++domtrans_pattern(postfix_local_t, postfix_postdrop_exec_t, postfix_postdrop_t) ++ + allow postfix_local_t postfix_spool_t:file rw_file_perms; + + corecmd_exec_shell(postfix_local_t) +@@ -286,10 +307,14 @@ mta_read_aliases(postfix_local_t) + mta_delete_spool(postfix_local_t) + # For reading spamassasin + mta_read_config(postfix_local_t) ++# Handle vacation script ++mta_send_mail(postfix_local_t) + +-domtrans_pattern(postfix_local_t, postfix_postdrop_exec_t, postfix_postdrop_t) +-# Might be a leak, but I need a postfix expert to explain +-allow postfix_postdrop_t postfix_local_t:unix_stream_socket { read write }; ++userdom_read_user_home_content_files(postfix_local_t) ++ ++tunable_policy(`allow_postfix_local_write_mail_spool',` ++ mta_manage_spool(postfix_local_t) ++') + + optional_policy(` + clamav_search_lib(postfix_local_t) +@@ -304,9 +329,17 @@ optional_policy(` ') optional_policy(` @@ -26285,7 +26548,17 @@ index 06e37d4..87043e1 100644 ######################################## # # Postfix map local policy -@@ -401,6 +438,8 @@ rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t) +@@ -390,8 +423,8 @@ delete_files_pattern(postfix_pickup_t, postfix_spool_maildrop_t, postfix_spool_m + # Postfix pipe local policy + # + +-allow postfix_pipe_t self:fifo_file rw_fifo_file_perms; + allow postfix_pipe_t self:process setrlimit; ++allow postfix_pipe_t self:fifo_file rw_fifo_file_perms; + + write_sock_files_pattern(postfix_pipe_t, postfix_private_t, postfix_private_t) + +@@ -401,6 +434,8 @@ rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t) domtrans_pattern(postfix_pipe_t, postfix_postdrop_exec_t, postfix_postdrop_t) 
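Review bot: `userdom_read_user_home_content_files(postfix_local_t)` is added unconditionally while the spool write it sits next to is gated behind `allow_postfix_local_write_mail_spool`; read access to every user home content type is wider than the vacation/.forward handling the neighbouring comment cites, so either place it under the same tunable or state the rationale, e.g. `# vacation/.forward processing reads user-owned scripts in home directories`. The `mta_send_mail(postfix_local_t)` line is documented only as "Handle vacation script"; presumably it lets the local delivery agent re-inject auto-reply mail, and the comment could say so. The tunable's `gen_tunable` declaration belongs to the preceding hunk and its description is not in view here.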
@@ -26294,7 +26567,7 @@ index 06e37d4..87043e1 100644 optional_policy(` dovecot_domtrans_deliver(postfix_pipe_t) ') -@@ -420,6 +459,7 @@ optional_policy(` +@@ -420,6 +455,7 @@ optional_policy(` optional_policy(` spamassassin_domtrans_client(postfix_pipe_t) @@ -26302,7 +26575,35 @@ index 06e37d4..87043e1 100644 ') optional_policy(` -@@ -588,6 +628,11 @@ corecmd_exec_bin(postfix_smtpd_t) +@@ -436,6 +472,9 @@ allow postfix_postdrop_t self:capability sys_resource; + allow postfix_postdrop_t self:tcp_socket create; + allow postfix_postdrop_t self:udp_socket create_socket_perms; + ++# Might be a leak, but I need a postfix expert to explain ++allow postfix_postdrop_t postfix_local_t:unix_stream_socket { read write }; ++ + rw_fifo_files_pattern(postfix_postdrop_t, postfix_public_t, postfix_public_t) + + postfix_list_spool(postfix_postdrop_t) +@@ -519,7 +558,7 @@ files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir) + + allow postfix_qmgr_t postfix_spool_bounce_t:dir list_dir_perms; + allow postfix_qmgr_t postfix_spool_bounce_t:file read_file_perms; +-allow postfix_qmgr_t postfix_spool_bounce_t:lnk_file { getattr read }; ++allow postfix_qmgr_t postfix_spool_bounce_t:lnk_file read_lnk_file_perms; + + corecmd_exec_bin(postfix_qmgr_t) + +@@ -539,7 +578,7 @@ postfix_list_spool(postfix_showq_t) + + allow postfix_showq_t postfix_spool_maildrop_t:dir list_dir_perms; + allow postfix_showq_t postfix_spool_maildrop_t:file read_file_perms; +-allow postfix_showq_t postfix_spool_maildrop_t:lnk_file { getattr read }; ++allow postfix_showq_t postfix_spool_maildrop_t:lnk_file read_lnk_file_perms; + + # to write the mailq output, it really should not need read access! + term_use_all_ptys(postfix_showq_t) +@@ -588,6 +627,11 @@ corecmd_exec_bin(postfix_smtpd_t) # for OpenSSL certificates files_read_usr_files(postfix_smtpd_t) 
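Review bot: The comment `# Might be a leak, but I need a postfix expert to explain` is carried into the postdrop section unchanged, so `allow postfix_postdrop_t postfix_local_t:unix_stream_socket { read write };` still ships with no stated rationale. Presumably the socket is inherited across the `domtrans_pattern(postfix_local_t, postfix_postdrop_exec_t, postfix_postdrop_t)` transition moved in the preceding hunk; if that is confirmed, replace the comment with `# postdrop inherits postfix_local_t's unix stream socket across the domain transition`. If it cannot be confirmed, a `dontaudit` is the safer default until the access is understood, since a rule nobody can explain is exactly what a later policy audit will flag.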
@@ -26314,7 +26615,17 @@ index 06e37d4..87043e1 100644 mta_read_aliases(postfix_smtpd_t) optional_policy(` -@@ -630,3 +675,8 @@ mta_delete_spool(postfix_virtual_t) +@@ -611,8 +655,8 @@ optional_policy(` + # Postfix virtual local policy + # + +-allow postfix_virtual_t self:fifo_file rw_fifo_file_perms; + allow postfix_virtual_t self:process { setsched setrlimit }; ++allow postfix_virtual_t self:fifo_file rw_fifo_file_perms; + + allow postfix_virtual_t postfix_spool_t:file rw_file_perms; + +@@ -630,3 +674,8 @@ mta_delete_spool(postfix_virtual_t) # For reading spamassasin mta_read_config(postfix_virtual_t) mta_manage_spool(postfix_virtual_t) @@ -26337,6 +26648,28 @@ index feae93b..d960d3f 100644 ') allow $1 postfix_policyd_t:process { ptrace signal_perms }; +diff --git a/policy/modules/services/postfixpolicyd.te b/policy/modules/services/postfixpolicyd.te +index 7257526..7d73656 100644 +--- a/policy/modules/services/postfixpolicyd.te ++++ b/policy/modules/services/postfixpolicyd.te +@@ -23,14 +23,14 @@ files_pid_file(postfix_policyd_var_run_t) + # Local Policy + # + +-allow postfix_policyd_t self:tcp_socket create_stream_socket_perms; + allow postfix_policyd_t self:capability { sys_resource sys_chroot setgid setuid }; + allow postfix_policyd_t self:process setrlimit; +-allow postfix_policyd_t self:unix_dgram_socket { connect create write}; ++allow postfix_policyd_t self:tcp_socket create_stream_socket_perms; ++allow postfix_policyd_t self:unix_dgram_socket create_socket_perms; + + allow postfix_policyd_t postfix_policyd_conf_t:dir list_dir_perms; + allow postfix_policyd_t postfix_policyd_conf_t:file read_file_perms; +-allow postfix_policyd_t postfix_policyd_conf_t:lnk_file { getattr read }; ++allow postfix_policyd_t postfix_policyd_conf_t:lnk_file read_lnk_file_perms; + + manage_files_pattern(postfix_policyd_t, postfix_policyd_var_run_t, postfix_policyd_var_run_t) + files_pid_filetrans(postfix_policyd_t, postfix_policyd_var_run_t, file) 
diff --git a/policy/modules/services/postgresql.if b/policy/modules/services/postgresql.if index 539a7c9..4782bdb 100644 --- a/policy/modules/services/postgresql.if @@ -26494,9 +26827,41 @@ index 539a7c9..4782bdb 100644 postgresql_tcp_connect($1) diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te -index 39abf57..4a85c12 100644 +index 39abf57..b4101fa 100644 --- a/policy/modules/services/postgresql.te +++ b/policy/modules/services/postgresql.te +@@ -15,16 +15,16 @@ gen_require(` + # + + ## +-##
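Review bot: Rewriting `allow postfix_policyd_t self:unix_dgram_socket { connect create write};` as `create_socket_perms` is a permission widening, not only a cleanup: in refpolicy's obj_perm_sets that macro expands to create plus the full rw socket set (read, bind, setattr, getopt/setopt, shutdown, ioctl). On a `self:` rule the added exposure is small, but the "Cleanup policy via dgrift" changelog entry does not mention it; the same applies to the prelude_lml `tcp_socket`/`unix_dgram_socket` rewrite in the prelude.te hunk further down, where the explicit `setopt` in `{ setopt create_socket_perms }` looks redundant if the macro already carries it. Where the intent is to keep the old scope, `{ create connect write }` preserves it exactly.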

+-## Allow unprived users to execute DDL statement +-##

++##

++## Allow unprived users to execute DDL statement ++##

+ ##
+ gen_tunable(sepgsql_enable_users_ddl, true) + + ## +-##

+-## Allow database admins to execute DML statement +-##

++##

++## Allow database admins to execute DML statement ++##

+ ##
+ gen_tunable(sepgsql_unconfined_dbadm, true) + +@@ -185,7 +185,7 @@ allow postgresql_t postgresql_etc_t:dir list_dir_perms; + read_files_pattern(postgresql_t, postgresql_etc_t, postgresql_etc_t) + read_lnk_files_pattern(postgresql_t, postgresql_etc_t, postgresql_etc_t) + +-allow postgresql_t postgresql_exec_t:lnk_file { getattr read }; ++allow postgresql_t postgresql_exec_t:lnk_file read_lnk_file_perms; + can_exec(postgresql_t, postgresql_exec_t ) + + allow postgresql_t postgresql_lock_t:file manage_file_perms; @@ -251,8 +251,7 @@ domain_dontaudit_list_all_domains_state(postgresql_t) domain_use_interactive_fds(postgresql_t) @@ -26622,9 +26987,32 @@ index b524673..09699d1 100644 admin_pattern($1, pptp_var_run_t) diff --git a/policy/modules/services/ppp.te b/policy/modules/services/ppp.te -index 2af42e7..74f07f8 100644 +index 2af42e7..d32a0d2 100644 --- a/policy/modules/services/ppp.te +++ b/policy/modules/services/ppp.te +@@ -6,16 +6,16 @@ policy_module(ppp, 1.12.0) + # + + ## +-##

+-## Allow pppd to load kernel modules for certain modems +-##

++##

++## Allow pppd to load kernel modules for certain modems ++##

+ ##
+ gen_tunable(pppd_can_insmod, false) + + ## +-##

+-## Allow pppd to be run for a regular user +-##

++##

++## Allow pppd to be run for a regular user ++##

+ ##
+ gen_tunable(pppd_for_user, false) + @@ -70,7 +70,7 @@ files_pid_file(pptp_var_run_t) # PPPD Local policy # @@ -26634,6 +27022,20 @@ index 2af42e7..74f07f8 100644 dontaudit pppd_t self:capability sys_tty_config; allow pppd_t self:process { getsched signal }; allow pppd_t self:fifo_file rw_fifo_file_perms; +@@ -84,11 +84,11 @@ allow pppd_t self:packet_socket create_socket_perms; + + domtrans_pattern(pppd_t, pptp_exec_t, pptp_t) + +-allow pppd_t pppd_devpts_t:chr_file { rw_chr_file_perms setattr }; ++allow pppd_t pppd_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms }; + + allow pppd_t pppd_etc_t:dir rw_dir_perms; + allow pppd_t pppd_etc_t:file read_file_perms; +-allow pppd_t pppd_etc_t:lnk_file { getattr read }; ++allow pppd_t pppd_etc_t:lnk_file read_lnk_file_perms; + + manage_files_pattern(pppd_t, pppd_etc_rw_t, pppd_etc_rw_t) + # Automatically label newly created files under /etc/ppp with this type @@ -104,8 +104,9 @@ manage_dirs_pattern(pppd_t, pppd_tmp_t, pppd_tmp_t) manage_files_pattern(pppd_t, pppd_tmp_t, pppd_tmp_t) files_tmp_filetrans(pppd_t, pppd_tmp_t, { file dir }) 
@@ -26755,6 +27157,29 @@ index 2316653..77ef768 100644 + files_list_tmp($1) + admin_pattern($1, prelude_lml_tmp_t) ') +diff --git a/policy/modules/services/prelude.te b/policy/modules/services/prelude.te +index 7e84587..7a7310d 100644 +--- a/policy/modules/services/prelude.te ++++ b/policy/modules/services/prelude.te +@@ -35,7 +35,6 @@ files_pid_file(prelude_audisp_var_run_t) + type prelude_correlator_t; + type prelude_correlator_exec_t; + init_daemon_domain(prelude_correlator_t, prelude_correlator_exec_t) +-role system_r types prelude_correlator_t; + + type prelude_correlator_config_t; + files_config_file(prelude_correlator_config_t) +@@ -210,8 +209,8 @@ prelude_manage_spool(prelude_correlator_t) + # + + allow prelude_lml_t self:capability dac_override; +-allow prelude_lml_t self:tcp_socket { write getattr setopt read create connect }; +-allow prelude_lml_t self:unix_dgram_socket { write create connect }; ++allow prelude_lml_t self:tcp_socket { setopt create_socket_perms }; ++allow prelude_lml_t self:unix_dgram_socket create_socket_perms; + allow prelude_lml_t self:fifo_file rw_fifo_file_perms; + allow prelude_lml_t self:unix_stream_socket connectto; + diff --git a/policy/modules/services/privoxy.if b/policy/modules/services/privoxy.if index 1da26dc..7221526 100644 --- a/policy/modules/services/privoxy.if @@ -26775,9 +27200,24 @@ index 1da26dc..7221526 100644 init_labeled_script_domtrans($1, privoxy_initrc_exec_t) diff --git a/policy/modules/services/privoxy.te b/policy/modules/services/privoxy.te -index 0d295a8..19138e1 100644 +index 0d295a8..2404ddc 100644 --- a/policy/modules/services/privoxy.te +++ b/policy/modules/services/privoxy.te +@@ -6,10 +6,10 @@ policy_module(privoxy, 1.10.0) + # + + ## +-##

+-## Allow privoxy to connect to all ports, not just +-## HTTP, FTP, and Gopher ports. +-##

++##

++## Allow privoxy to connect to all ports, not just ++## HTTP, FTP, and Gopher ports. ++##

+ ##
+ gen_tunable(privoxy_connect_any, false) + @@ -58,10 +58,12 @@ corenet_tcp_bind_generic_node(privoxy_t) corenet_tcp_bind_http_cache_port(privoxy_t) corenet_tcp_connect_http_port(privoxy_t) @@ -26829,7 +27269,7 @@ index b64b02f..166e9c3 100644 + read_files_pattern($1, procmail_home_t, procmail_home_t) +') diff --git a/policy/modules/services/procmail.te b/policy/modules/services/procmail.te -index 29b9295..b558811 100644 +index 29b9295..2a70dd1 100644 --- a/policy/modules/services/procmail.te +++ b/policy/modules/services/procmail.te @@ -10,6 +10,9 @@ type procmail_exec_t; @@ -26842,6 +27282,15 @@ index 29b9295..b558811 100644 type procmail_log_t; logging_log_file(procmail_log_t) +@@ -32,7 +35,7 @@ allow procmail_t self:udp_socket create_socket_perms; + can_exec(procmail_t, procmail_exec_t) + + # Write log to /var/log/procmail.log or /var/log/procmail/.* +-allow procmail_t procmail_log_t:dir setattr; ++allow procmail_t procmail_log_t:dir setattr_dir_perms; + create_files_pattern(procmail_t, procmail_log_t, procmail_log_t) + append_files_pattern(procmail_t, procmail_log_t, procmail_log_t) + read_lnk_files_pattern(procmail_t, procmail_log_t, procmail_log_t) @@ -76,9 +79,15 @@ files_search_pids(procmail_t) files_read_usr_files(procmail_t) @@ -26999,9 +27448,24 @@ index 2855a44..0456b11 100644 type puppet_tmp_t; ') diff --git a/policy/modules/services/puppet.te b/policy/modules/services/puppet.te -index 64c5f95..9587224 100644 +index 64c5f95..80c1f5d 100644 --- a/policy/modules/services/puppet.te +++ b/policy/modules/services/puppet.te +@@ -6,10 +6,10 @@ policy_module(puppet, 1.0.0) + # + + ## +-##

+-## Allow Puppet client to manage all file +-## types. +-##

++##

++## Allow Puppet client to manage all file ++## types. ++##

+ ##
+ gen_tunable(puppet_manage_all_files, false) + @@ -63,7 +63,7 @@ manage_dirs_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t) manage_files_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t) files_search_var_lib(puppet_t) @@ -27011,9 +27475,14 @@ index 64c5f95..9587224 100644 manage_files_pattern(puppet_t, puppet_var_run_t, puppet_var_run_t) files_pid_filetrans(puppet_t, puppet_var_run_t, { file dir }) -@@ -179,21 +179,26 @@ read_files_pattern(puppetmaster_t, puppet_etc_t, puppet_etc_t) - allow puppetmaster_t puppet_log_t:dir { rw_dir_perms setattr }; - allow puppetmaster_t puppet_log_t:file { rw_file_perms create setattr }; +@@ -176,24 +176,29 @@ allow puppetmaster_t self:udp_socket create_socket_perms; + list_dirs_pattern(puppetmaster_t, puppet_etc_t, puppet_etc_t) + read_files_pattern(puppetmaster_t, puppet_etc_t, puppet_etc_t) + +-allow puppetmaster_t puppet_log_t:dir { rw_dir_perms setattr }; +-allow puppetmaster_t puppet_log_t:file { rw_file_perms create setattr }; ++allow puppetmaster_t puppet_log_t:dir { rw_dir_perms setattr_dir_perms }; ++allow puppetmaster_t puppet_log_t:file { rw_file_perms create_file_perms setattr_file_perms }; logging_log_filetrans(puppetmaster_t, puppet_log_t, { file dir }) +allow puppetmaster_t puppet_log_t:file relabel_file_perms; @@ -27143,28 +27612,53 @@ index 494f7e2..aa3d0b4 100644 + admin_pattern($1, pyzor_var_lib_t) +') diff --git a/policy/modules/services/pyzor.te b/policy/modules/services/pyzor.te -index cd683f9..2f03bad 100644 +index cd683f9..d455637 100644 --- a/policy/modules/services/pyzor.te 
+++ b/policy/modules/services/pyzor.te -@@ -5,6 +5,38 @@ policy_module(pyzor, 2.1.0) +@@ -5,40 +5,62 @@ policy_module(pyzor, 2.1.0) # Declarations # -+ +-type pyzor_t; +-type pyzor_exec_t; +-typealias pyzor_t alias { user_pyzor_t staff_pyzor_t sysadm_pyzor_t }; +-typealias pyzor_t alias { auditadm_pyzor_t secadm_pyzor_t }; +-application_domain(pyzor_t, pyzor_exec_t) +-ubac_constrained(pyzor_t) +-role system_r types pyzor_t; +- +-type pyzor_etc_t; +-files_type(pyzor_etc_t) +- +-type pyzor_home_t; +-typealias pyzor_home_t alias { user_pyzor_home_t staff_pyzor_home_t sysadm_pyzor_home_t }; +-typealias pyzor_home_t alias { auditadm_pyzor_home_t secadm_pyzor_home_t }; +-userdom_user_home_content(pyzor_home_t) +- +-type pyzor_tmp_t; +-typealias pyzor_tmp_t alias { user_pyzor_tmp_t staff_pyzor_tmp_t sysadm_pyzor_tmp_t }; +-typealias pyzor_tmp_t alias { auditadm_pyzor_tmp_t secadm_pyzor_tmp_t }; +-files_tmp_file(pyzor_tmp_t) +-ubac_constrained(pyzor_tmp_t) +- +-type pyzor_var_lib_t; +-typealias pyzor_var_lib_t alias { user_pyzor_var_lib_t staff_pyzor_var_lib_t sysadm_pyzor_var_lib_t }; +-typealias pyzor_var_lib_t alias { auditadm_pyzor_var_lib_t secadm_pyzor_var_lib_t }; +-files_type(pyzor_var_lib_t) +-ubac_constrained(pyzor_var_lib_t) +- +-type pyzord_t; +-type pyzord_exec_t; +-init_daemon_domain(pyzord_t, pyzord_exec_t) +- +-type pyzord_log_t; +-logging_log_file(pyzord_log_t) +ifdef(`distro_redhat',` -+ + gen_require(` -+ type spamc_t; -+ type spamc_exec_t; -+ type spamd_t; -+ type spamd_initrc_exec_t; -+ type spamd_exec_t; -+ type spamc_tmp_t; -+ type spamd_log_t; -+ type spamd_var_lib_t; -+ type spamd_etc_t; -+ type spamc_tmp_t; -+ type spamc_home_t; ++ type spamc_t, spamc_exec_t, spamd_t; ++ type spamd_initrc_exec_t, spamd_exec_t, spamc_tmp_t; ++ type spamd_log_t, spamd_var_lib_t, spamd_etc_t; ++ type spamc_tmp_t, spamc_home_t; + ') + + typealias spamc_t alias pyzor_t; 
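Review bot: `spamc_tmp_t` is listed twice in the `distro_redhat` gen_require block (`type spamd_initrc_exec_t, spamd_exec_t, spamc_tmp_t;` and again `type spamc_tmp_t, spamc_home_t;`); drop one of them. Separately, aliasing `pyzor_t` to `spamc_t` means pyzor on Red Hat builds runs with whatever spamc_t is allowed rather than with the narrower pyzor-specific domain kept in the non-Red Hat branch, and the pyzor_t rules in the following hunk then apply to spamc_t as well. A one-line comment above the `ifdef`, e.g. `# Red Hat ships pyzor as part of the spamassassin client domain; pyzor_t is an alias of spamc_t`, would make that merge explicit for the next reader.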
@@ -27179,21 +27673,46 @@ index cd683f9..2f03bad 100644 + typealias spamd_etc_t alias pyzor_etc_t; + typealias spamc_home_t alias pyzor_home_t; + typealias spamc_home_t alias user_pyzor_home_t; -+ +',` ++ type pyzor_t; ++ type pyzor_exec_t; ++ typealias pyzor_t alias { user_pyzor_t staff_pyzor_t sysadm_pyzor_t }; ++ typealias pyzor_t alias { auditadm_pyzor_t secadm_pyzor_t }; ++ application_domain(pyzor_t, pyzor_exec_t) ++ ubac_constrained(pyzor_t) ++ role system_r types pyzor_t; + - type pyzor_t; - type pyzor_exec_t; - typealias pyzor_t alias { user_pyzor_t staff_pyzor_t sysadm_pyzor_t }; -@@ -39,6 +71,7 @@ init_daemon_domain(pyzord_t, pyzord_exec_t) - - type pyzord_log_t; - logging_log_file(pyzord_log_t) ++ type pyzor_etc_t; ++ files_type(pyzor_etc_t) ++ ++ type pyzor_home_t; ++ typealias pyzor_home_t alias { user_pyzor_home_t staff_pyzor_home_t sysadm_pyzor_home_t }; ++ typealias pyzor_home_t alias { auditadm_pyzor_home_t secadm_pyzor_home_t }; ++ userdom_user_home_content(pyzor_home_t) ++ ++ type pyzor_tmp_t; ++ typealias pyzor_tmp_t alias { user_pyzor_tmp_t staff_pyzor_tmp_t sysadm_pyzor_tmp_t }; ++ typealias pyzor_tmp_t alias { auditadm_pyzor_tmp_t secadm_pyzor_tmp_t }; ++ files_tmp_file(pyzor_tmp_t) ++ ubac_constrained(pyzor_tmp_t) ++ ++ type pyzor_var_lib_t; ++ typealias pyzor_var_lib_t alias { user_pyzor_var_lib_t staff_pyzor_var_lib_t sysadm_pyzor_var_lib_t }; ++ typealias pyzor_var_lib_t alias { auditadm_pyzor_var_lib_t secadm_pyzor_var_lib_t }; ++ files_type(pyzor_var_lib_t) ++ ubac_constrained(pyzor_var_lib_t) ++ ++ type pyzord_t; ++ type pyzord_exec_t; ++ init_daemon_domain(pyzord_t, pyzord_exec_t) ++ ++ type pyzord_log_t; ++ logging_log_file(pyzord_log_t) +') ######################################## # -@@ -76,12 +109,16 @@ corenet_tcp_connect_http_port(pyzor_t) +@@ -76,12 +98,16 @@ corenet_tcp_connect_http_port(pyzor_t) dev_read_urand(pyzor_t) 
@@ -27210,6 +27729,17 @@ index cd683f9..2f03bad 100644 userdom_dontaudit_search_user_home_dirs(pyzor_t) optional_policy(` +@@ -111,8 +137,8 @@ allow pyzord_t pyzor_etc_t:dir list_dir_perms; + can_exec(pyzord_t, pyzor_exec_t) + + manage_files_pattern(pyzord_t, pyzord_log_t, pyzord_log_t) +-allow pyzord_t pyzord_log_t:dir setattr; +-logging_log_filetrans(pyzord_t, pyzord_log_t, { file dir } ) ++allow pyzord_t pyzord_log_t:dir setattr_dir_perms; ++logging_log_filetrans(pyzord_t, pyzord_log_t, { file dir }) + + kernel_read_kernel_sysctls(pyzord_t) + kernel_read_system_state(pyzord_t) diff --git a/policy/modules/services/qmail.if b/policy/modules/services/qmail.if index a55bf44..77a25f5 100644 --- a/policy/modules/services/qmail.if @@ -27247,10 +27777,47 @@ index a55bf44..77a25f5 100644 ') diff --git a/policy/modules/services/qmail.te b/policy/modules/services/qmail.te -index 355b2a2..1b01d75 100644 +index 355b2a2..54329f9 100644 --- a/policy/modules/services/qmail.te 
+++ b/policy/modules/services/qmail.te -@@ -121,6 +121,10 @@ mta_append_spool(qmail_local_t) +@@ -60,7 +60,7 @@ application_domain(qmail_tcp_env_t, qmail_tcp_env_exec_t) + ######################################## + # + # qmail-clean local policy +-# this component cleans up the queue directory ++# this component cleans up the queue directory + # + + read_files_pattern(qmail_clean_t, qmail_spool_t, qmail_spool_t) +@@ -69,11 +69,11 @@ delete_files_pattern(qmail_clean_t, qmail_spool_t, qmail_spool_t) + ######################################## + # + # qmail-inject local policy +-# this component preprocesses mail from stdin and invokes qmail-queue ++# this component preprocesses mail from stdin and invokes qmail-queue + # + +-allow qmail_inject_t self:fifo_file write_fifo_file_perms; + allow qmail_inject_t self:process signal_perms; ++allow qmail_inject_t self:fifo_file write_fifo_file_perms; + + allow qmail_inject_t qmail_queue_exec_t:file read_file_perms; + +@@ -88,11 +88,11 @@ qmail_read_config(qmail_inject_t) + ######################################## + # + # qmail-local local policy +-# this component delivers a mail message ++# this component delivers a mail message + # + +-allow qmail_local_t self:fifo_file write_file_perms; + allow qmail_local_t self:process signal_perms; ++allow qmail_local_t self:fifo_file write_file_perms; + allow qmail_local_t self:unix_stream_socket create_stream_socket_perms; + + manage_dirs_pattern(qmail_local_t, qmail_alias_home_t, qmail_alias_home_t) +@@ -121,13 +121,17 @@ mta_append_spool(qmail_local_t) qmail_domtrans_queue(qmail_local_t) optional_policy(` 
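Review bot: The relocated line `allow qmail_local_t self:fifo_file write_file_perms;` still uses the regular-file permission set on the fifo_file class, while the qmail_inject rule reordered in the same hunk uses `write_fifo_file_perms`. Since the line is being rewritten anyway, `allow qmail_local_t self:fifo_file write_fifo_file_perms;` keeps the two consistent and avoids carrying permissions defined for plain files onto a fifo.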
@@ -27261,6 +27828,102 @@ index 355b2a2..1b01d75 100644 spamassassin_domtrans_client(qmail_local_t) ') + ######################################## + # + # qmail-lspawn local policy +-# this component schedules local deliveries ++# this component schedules local deliveries + # + + allow qmail_lspawn_t self:capability { setuid setgid }; +@@ -150,15 +154,15 @@ files_search_tmp(qmail_lspawn_t) + ######################################## + # + # qmail-queue local policy +-# this component places a mail in a delivery queue, later to be processed by qmail-send ++# this component places a mail in a delivery queue, later to be processed by qmail-send + # + + allow qmail_queue_t qmail_lspawn_t:fd use; + allow qmail_queue_t qmail_lspawn_t:fifo_file write_fifo_file_perms; + ++allow qmail_queue_t qmail_smtpd_t:process sigchld; + allow qmail_queue_t qmail_smtpd_t:fd use; + allow qmail_queue_t qmail_smtpd_t:fifo_file read_fifo_file_perms; +-allow qmail_queue_t qmail_smtpd_t:process sigchld; + + manage_dirs_pattern(qmail_queue_t, qmail_spool_t, qmail_spool_t) + manage_files_pattern(qmail_queue_t, qmail_spool_t, qmail_spool_t) +@@ -175,7 +179,7 @@ optional_policy(` + ######################################## + # + # qmail-remote local policy +-# this component sends mail via SMTP ++# this component sends mail via SMTP + # + + allow qmail_remote_t self:tcp_socket create_socket_perms; +@@ -202,7 +206,7 @@ sysnet_read_config(qmail_remote_t) + ######################################## + # + # qmail-rspawn local policy +-# this component scedules remote deliveries ++# this component scedules remote deliveries + # + + allow qmail_rspawn_t self:process signal_perms; +@@ -217,7 +221,7 @@ corecmd_search_bin(qmail_rspawn_t) + ######################################## + # + # qmail-send local policy +-# this component delivers mail messages from the queue ++# this component delivers mail messages from the queue + # + + allow qmail_send_t self:process signal_perms; +@@ -236,7 +240,7 @@ 
optional_policy(` + ######################################## + # + # qmail-smtpd local policy +-# this component receives mails via SMTP ++# this component receives mails via SMTP + # + + allow qmail_smtpd_t self:process signal_perms; +@@ -265,7 +269,7 @@ optional_policy(` + ######################################## + # + # splogger local policy +-# this component creates entries in syslog ++# this component creates entries in syslog + # + + allow qmail_splogger_t self:unix_dgram_socket create_socket_perms; +@@ -279,13 +283,13 @@ miscfiles_read_localization(qmail_splogger_t) + ######################################## + # + # qmail-start local policy +-# this component starts up the mail delivery component ++# this component starts up the mail delivery component + # + + allow qmail_start_t self:capability { setgid setuid }; + dontaudit qmail_start_t self:capability sys_tty_config; +-allow qmail_start_t self:fifo_file rw_fifo_file_perms; + allow qmail_start_t self:process signal_perms; ++allow qmail_start_t self:fifo_file rw_fifo_file_perms; + + can_exec(qmail_start_t, qmail_start_exec_t) + +@@ -303,7 +307,7 @@ optional_policy(` + ######################################## + # + # tcp-env local policy +-# this component sets up TCP-related environment variables ++# this component sets up TCP-related environment variables + # + + allow qmail_tcp_env_t qmail_smtpd_exec_t:file read_file_perms; diff --git a/policy/modules/services/qpidd.fc b/policy/modules/services/qpidd.fc new file mode 100644 index 0000000..f3b89e4 @@ -27512,11 +28175,11 @@ index 0000000..c403abc +') diff --git a/policy/modules/services/qpidd.te b/policy/modules/services/qpidd.te new file mode 100644 -index 0000000..cf9a327 +index 0000000..43639a0 --- /dev/null +++ b/policy/modules/services/qpidd.te @@ -0,0 +1,59 @@ -+policy_module(qpidd,1.0.0) ++policy_module(qpidd, 1.0.0) + +######################################## +# 
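Review bot: The whitespace-only rewrites of the section comments carry the typo in `# this component scedules remote deliveries` onto the new side; as the line is already being touched, make it `# this component schedules remote deliveries`. The rest of this hunk only reorders rules (`allow qmail_queue_t qmail_smtpd_t:process sigchld;`, the qmail_start fifo rule) without changing their scope.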
@@ -27550,7 +28213,7 @@ index 0000000..cf9a327 + +manage_dirs_pattern(qpidd_t, qpidd_var_lib_t, qpidd_var_lib_t) +manage_files_pattern(qpidd_t, qpidd_var_lib_t, qpidd_var_lib_t) -+files_var_lib_filetrans(qpidd_t, qpidd_var_lib_t, { file dir } ) ++files_var_lib_filetrans(qpidd_t, qpidd_var_lib_t, { file dir }) + +manage_dirs_pattern(qpidd_t, qpidd_var_run_t, qpidd_var_run_t) +manage_files_pattern(qpidd_t, qpidd_var_run_t, qpidd_var_run_t) @@ -33205,7 +33868,7 @@ index 6f1e3c7..39c2bb3 100644 +/var/lib/pqsql/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) + diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if -index da2601a..61cc021 100644 +index da2601a..ef2a773 100644 --- a/policy/modules/services/xserver.if +++ b/policy/modules/services/xserver.if @@ -19,9 +19,10 @@ @@ -33740,7 +34403,7 @@ index da2601a..61cc021 100644 ') ######################################## -@@ -1243,10 +1358,331 @@ interface(`xserver_manage_core_devices',` +@@ -1243,10 +1358,355 @@ interface(`xserver_manage_core_devices',` # interface(`xserver_unconfined',` gen_require(` @@ -33946,7 +34609,7 @@ index da2601a..61cc021 100644 + +######################################## +## -+## Read user homedir fonts. ++## Read/write inherited user homedir fonts. +## +## +## @@ -34052,6 +34715,7 @@ index da2601a..61cc021 100644 + xserver_domtrans_xauth($1) + role $2 types xauth_t; +') ++ +######################################## +## +## Read user homedir fonts. 
@@ -34063,6 +34727,29 @@ index da2601a..61cc021 100644 +## +## +# ++interface(`xserver_read_home_fonts',` ++ gen_require(` ++ type user_fonts_t, user_fonts_config_t; ++ ') ++ ++ list_dirs_pattern($1, user_fonts_t, user_fonts_t) ++ read_files_pattern($1, user_fonts_t, user_fonts_t) ++ read_lnk_files_pattern($1, user_fonts_t, user_fonts_t) ++ ++ read_files_pattern($1, user_fonts_config_t, user_fonts_config_t) ++') ++ ++######################################## ++## ++## Manage user homedir fonts. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# +interface(`xserver_manage_home_fonts',` + gen_require(` + type user_fonts_t, user_fonts_config_t; diff --git a/selinux-policy.spec b/selinux-policy.spec index 61e9c1ad..80e32c14 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.9.5 -Release: 3%{?dist} +Release: 4%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -469,6 +469,11 @@ exit 0 %endif %changelog +* Thu Sep 23 2010 Dan Walsh 3.9.5-4 +- Cleanup policy via dgrift +- Allow dovecot_deliver to append to inherited log files +- Lots of fixes for consolehelper + * Wed Sep 21 2010 Dan Walsh 3.9.5-3 - Fix up Xguest policy
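Review bot: The header of the new `xserver_read_home_fonts` interface says only "Read user homedir fonts.", but the body also grants `read_files_pattern($1, user_fonts_config_t, user_fonts_config_t)`; suggest `## Read user homedir fonts and font configuration.` so callers see the config grant. Only user_fonts_t gets `list_dirs_pattern` and `read_lnk_files_pattern`; if user_fonts_config_t can label directories or symlinks in practice, the interface will be incomplete, which is worth a `# user_fonts_config_t is expected to label files only` note either way. The body of `xserver_manage_home_fonts` continues outside this hunk.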