From 631f95b1cf5e7251e4b71fe69fd1d803e2dff144 Mon Sep 17 00:00:00 2001
From: Lukas Vrabec <lvrabec@redhat.com>
Date: Mon, 7 Aug 2017 16:17:01 +0200
Subject: [PATCH] * Fri Aug 07 2017 Lukas Vrabec <lvrabec@redhat.com> -
 3.13.1-267 - After fix in kernel where LSM hooks for dac_override and
 dac_search_read capability was swaped we need to fix it also in policy

---
 container-selinux.tgz        |  Bin 6904 -> 6903 bytes
 policy-rawhide-base.patch    |  210 +++--
 policy-rawhide-contrib.patch | 1464 +++++++++++++++++++++++++---------
 selinux-policy.spec          |    5 +-
 4 files changed, 1238 insertions(+), 441 deletions(-)

diff --git a/container-selinux.tgz b/container-selinux.tgz
index 715e8fa7e47b88ca144cd05f3e9d6e90722a2c8f..6d087c8d6b40c937b3f99b6a28c85a641db5d0d0 100644
GIT binary patch
delta 4933
zcmV-L6T0m9HTN}tABzY8ZFPuQ00Zq^>yO+vlF!%aze2DBcqXvt<v0s?vU^x02i$!)
zAlO~tK3wiPYDwL#9lau{=Wzq?-+ooahbW4qD7D6(J$Qg*JW|z<WRWZui^Wn@7Hyao
zNqwGfzj>ygOZfTWhwt(C)gL}ws=wjq{SWW2uD-c?fA#%;_2nO~KYaM`&E?hm>#NIe
zg3ITskot3I+OQ6SZ?d~O+$52eZtVR(>Cfu*>)^-ckmq6j_@}?^lc21U;$2f7>L>}q
zs>;$RY}2v`A~8^cq}ajl^B*q++X_JZetM<BA1D9%kVJ<zQP9&OX!q)axXj@n=frxU
z@CH9tVIAgwK@sN3A73%5SAQCm@H4##!YnKAlQ?M0psmBANwHBT&<jF^f3MP_P3mnJ
zC8xj1+N|qC(WZH_hVlsK&D-BrC%dFr*U9gPv<BMM$w~WIDJ_sZ?OVgc1SGI-Zya2C
zwQY#v&Dm;o5|wol<?*^n!aCZoH)(PD?bX@pL{w;#eE};0FO#VOCn2xR7zptka}|X2
zVkasN_$i{6^U*omqOc%J=PWyNLj5I^@c}D;D|MqHzbxGZF;p{Z%Q{V(34`}}1j)x4
zRLe(@cVUgBogk_F;M*$`%|~cw!13Xq>nf@91{k+#mNcSZPECV+;nm=!iJIo<=M=O>
zXGp#!)J0$1)U{t+(4-u&g;bqc;<k>_69Q+i&8kCUeFm8~`>;-4lGLd}{&HvJ9#YSL
z(x%0+Z4){NGCcC>vT^RLxSfsQ-{FJq{xi*bT#}nAiPCKf9mF~k&6Q-J@~F(14G82v
z(q4K-J$T$ev1qm#A~y*AKf)s1=?lrrm}5Cr?b&o2hd)NU35>A`^Q>BO(1S0k_q=<K
z$xrs1NAGYB!z2HmabYamD=*17<HErqC1!rtI2NeSC)Jl`_9{BdSGv<xmP7K-s%d@#
z>j1aNo0B^OVSftB3gsVWe|*)}2U`=7R4aCqq{YswSo0JS>$$gs*Em63-dJT4e0vT5
zy@&t4Uv@9@%fJ8pLe^Qb*sC<2W+T;y!lG~hs+q9)BOv3$#a$dtQr|6dgt3sH+u~z-
zY}zD`+H9(?PJeeO(w4;Ebri#n`KCe?#Cj`5@;b>%+<%yYq*549^d{gxf|+;gwq)QH
zD3<#eYr=30z89q?AMsZpM~3vijBxP^1$+VHe+ur;=%S=)92RkKU#F(cWS-=(a(($p
zeGf9qXL)-KJt1kJAM$`<3)xSQrY_7N(4^U)mR0*WbqNnNe5*KviN_U(1_oRENa_*i
zLSLw2hJR?Hjgz~oCA$}2qM-1%LB4|UW3*?6F3K2cv5b)Mhq*>NX9!z;6=CDQlA@g=
zYWx|N<PbSAOcHyyP-FS=n%5G0!M_`n<=;Xf{U!KLpCDPebFeCFp@m{!=7~NA_@c-c
zU2#xoSsIb#ZSYFII|sg3XR~qQGP<1)(g62*P=6zQItL9*eHG_jl%>$U^O0EF7O2TA
z*)WVUnkQMU1`Wr6;kN^OnTDYag@&j=$R46z@nZP9s=$q1OBH6~3<NP5!O)#EG2UgM
z?izJudD{O5r*${_x9RRYDejg;-Iq<<EDcEewFNQjq$#tzbCkd$u&k#VFa$Q`L$XZs
z8Gj}kwF|<Puz$$H$K?^P7laJkGEapL0K=t*ReK%Ad0Mcw2oF7N(}yiq0_j}70JI}r
zKV?w}|AsU=u<=0{fT8~oG%c7UIjt{A`^D{NRvWZ8u-3Dq$c!6YOXQek6Wy=Ltc|o~
zALIwE)pqJD^M+94{3yKaLGSo*hV|<lcz=KW<)^L=%}XAARpdPakrwST_~q-DVUKCc
zwT8Nqfx=qeXj^y!|A-P2^<i`YuU1<g**mZ=5#GW20JREu`^b$#IxB^OVeKX#Z$HfS
zF0IQVpR{Rtp6;T09_y{KI^IQ(y4^d&T?^Rh<`+BTb7szXx&cJU+Y@ZkYmi3Jq?48g
zVGy&lvv(aH+C2~S9C&=`<qMMs2ObqBy)LBS-5p0oCo2fYp0gT^Z6@cJvpNTV0e@E+
z?)(2g{BZf<{owxp`>*%^Kg$pEw5;<o2E}$NN5k9T`uzIp{PJw2=?fO-$-FB;U6yTm
zJJnQPy$*g(0H>zJ0<h++NR`D&6Y&t6iU-#u7@`8z3GVj^=)qbICke?s7Jg##=4M&&
zx1W9qs<Lin3{J)MBtyr>w1*<xsDEvhTQe}%-v-+-YmzgqO1wtQs^`aus;3`H&w1eY
zt}YK%aLV0MXIx8r)Pfsj44|urZ6^cGO+#F0$f^Jx=rp|h)WR62h`cyVa!}7qX`dQO
za$Ruds=hgF{=NpoE!v|>@07j?PBNi7_vDZc4O8{(wR5d)E7g!t7cp)(n12=<POXcY
zZNmE^X3qw_qB;$S^j`hqbjzJ7?NS^R{Wy`+-rM0AlkV((6_qe2epdp;W%hy_LzMb(
zB5X+<Ad|U350MY{ey2MB5LdYF`^eo%1FI+ho0@KP`x}oo`k3OlgCS-jNa<APGNBDB
z$d5?$$eUA*$uax$YM=q|k$>zN_(MbNu{x3Qz;uAk4w5B0{AtJEHnvek18z8~%%jwN
zKBA%O&apoD&{bzGLnj>;r5t1QOX(eyiSr2g@YIMfgcmWIee5p8lZ9)xkEcVHAsCO?
z=wrz!L?(p1gf1iZ%ISd7AZS=s2jZn?H!Ji*7fDNhpXw~QmZsY{*?*q?me88F2J;@b
zBCmNwI4%J3G0PC_^)7>V0qz=@^!Mp*4=XQi!22a<Y~R0F!MKf4%baWpbrucik1z|E
zJqE9skIc02H%Yer7==~1Nwc(l44#5$U)~qNZ3+g^7XF1dESscF;~>8+$~eHTp#wbn
z*Cs7w{5?IWL$GO*c7F?yxZtfZ_=?g$eYzQ|1z0iSz`jm0u#Yo5upeO(d*pvWq0ym+
zq0^4@^bO7t>TQf+N#kVbWTaV8qCqf9&CeDwc3L@TWQUjD%*wS<Pu{%Q(QzsK_T<1I
zdKQ4K2GWl)?K`HuFB8=1cfp1K_GB{!eDI>xhn{F{R4ssVh<^ttQ`ox+c^z!X7HAGl
zl@zgyQ`ePhQ_w|3lhtb+GbI$jG%2GLD(^9)sBuTM_y|@|Iq4F82I?zIi`(@rzo2+X
z?l3&yh?)sR=!iHCcN&y<I}6fPE4hT?03Zzwo5Z9}qctdSqnULkS#aP^WC8h4WucJ?
z!?{kPI~LT1+kfown$6*%s(I2&flZ*78-6#-O50*-UU@SQ*YBH5zt%ruSunG3_~c9=
z%8L;TK>BDT9<YPSjGp-7zOBo=Tj(j_NnXZaCajFf5JsveLV<_dJku@mW5I@b7G@)k
zhCF*B8)BdZG_SO4Piz=;Qv@cqzvf7|IsNHIWKdx7`5eos1Jv$~yqec!wnI0?&CO}9
z9ZmBQc(qlaJz<m03???Cn8GZ}0jygsV44-*C$@#|2e^$?(-?ls>#kpSd-wOIEY9KO
zD^~-aj4r#O58%@<n&Nfv=aVT7NC7RAat&t(&sm7Lb^e@_;0;k51-rY0`<(FC%j28w
zjXzHj%AN1$D*&%)uU>bPOb+z|Z=AD34_^TR*OQ|VO#wHP@en+JPZVLyYz2?_Vl}7|
zc=Iq?qx-Z@<AnZTQO#aB6iZVybE<Hy@Y<{38}|GZz}iBw*76sQ82nxB(l`*C%R$O3
z-#9~10W!WYV7uC3(4u$L;={JqV|0&-g5(PNctDCFj(2qzLi}WktqgF*V(z->LCH^!
z;M5=zDe6W#$Kq#y><-eVu?`R7e2-+*3tHT2?=6|*K8+o7kldvesO4f?jyOPmKO{}N
zCYw&bU}~V}?OEqAOTd_MyI=&d+reTW_VMq~=k2_ZpUcApq-;2P(5ih%#<=iO5w9m}
z&)6Dm_R!Ko7MIQ9X0)3|13s2j5*0EGsbrsIFd1Fu_i7b?CwJ-|#Nvrkh(K_7*lu%k
z0VQ=iEVh=}B1sM&G}#@kxourKs)nCLz*;#eva+nap!|x&%7IByJ6!-mW@(eg6pb~y
zMdw?UBN#?^=mQR)J@|l0p2<z(k|%Cs{szV~UI5o!NbN&cz<(4+mzuryCft5|ZT-!8
z#`f{5XTr6A-A_Eod?nEIZ_m4ilukP03IUbf@W>liTjWM-{lGS!e#GQtS;P-ROV<7X
z(=ppPAU%CCgq9X%n{FT7E}OL2C#aEQB}8eYMY5L5yP-zpdGA;DsyoDz&T8vUQj%6}
z{@@@Hk_RNK<cU!D0Y(YMyf_qSKt>^Tg8je^Eil-BsdpPi=(`3U+PCX;kC}O{Xu!zp
z%Qja)$5OXz`Iq?AlanXj9MJj*(Olf6wnbCkkMP;6N?JBHJnvEnE@|1}1Lq-D$H6+T
zE65=$Ba;Y)oyucZcS>>vWvVhp%B>RGjLQ|zP$HcLcPVr#`BAs*5_P9a;fbRT8lj_s
z8YK&V^Kp8EH4e9)IFU<OVVhVd$^zyjq7{6sIh`?2b#s{VZ(IUz!h92IB9BsUQ4*<F
z_YmbYsT0e%*hyStb+!tDXWSuSY~g=f`I)S)BJ8=Nokns;ZH)BpmI@XcK8(XjC`OtG
zDG6}A(q=awVkqQ#Zp)@8WOm4XrZElDSlXF?m^;Jt-Vl7suBNc#w;Qd@eo&POP|5v6
zC-|-M{V2T!(jn~ATtgB@JKMJDMP#r(Wu}Oo3Ab1smsrc$CeO@eap8s)9dA$vIS*k4
zr3krkuY;D-c2#G}z`v~y1`9ha^E}*#R($#%m!-Ze4U#YnTtv*`=#IV6Qn4&+&Ls1H
zepZNyJ_pgJh0T4&5-FNW-llbO4>KknZRi`TP;omy%lm(j`+VDhhK;d^@JOb>lUHlr
zl(W@qm9V>_HK{0?3Zth>jLdO#!)BC+)o7v=Q*o?pIb~f7Gf|89Mqhei^7R;K5L&oi
zQ}WR4A>shtrvuhK?PB&Bi@awtSM!K}HkYh2Hi|b>s5Pb9wxL1{pjSdXisJN`UnZp_
zu@;SH_vjlcY)Dtb&PGpq#NG8i_Xs&`)*#<gXEl&CMl$nPZl35{r=w>JCc~&JE$Y%2
z3bSZNvICW^A88aiEJ3|6-x#IId6F<su`xpu<>Wi&F03oj-{312#@R9`MkXJBp31L8
zhI0hR2&Ydcb*GBfb3;RZWb>r=E0K>=Lx4PtRyEuhN3OPn^CFCA_Vy)}bJ<sECDpUd
z<{<LU@Q|3wOArvMN9C>W>bEXRGUGZ__LzOUs2A4iM(#9AUw@I_JR4Kx;!9nf^0w(U
zQBPe-I^x!6rPEduoU!kNjAS`~<Eb=fB-~OtC#IK@X1E1T31E<^)Na)5Fjl)le4b<E
zKF9bsMqKYkuXZd1@4Sq$P#La!8OIjkzM|oSK7LKZ^0Ai@wSVl_U&viQ<*v{)!TH?;
zkYioDt6^|_Nm5sArX*4V?nL?+BbZ;%p(G!VN0X#86<(`ryVt=_EZ<>&_Q<kcr0fGb
zuxNuhjmr2OKSUT9Y*(4YzpLLF&wIgAa;n9$Cv0&*+mo!b8~yTxmf(}6(I-Gd+T`9n
zBYxMy>rT>~8yBwq#bQ9CIU<LR5cfVz3kEMrUocoAPV*XLX1Naf`2&NS{*+4V-wjhr
zIEi{5fAaHdM^}<?#MbD4J)?=DZ}eL|hS(Su%#V(Xk{yg{Iis1^jz_@C<c0ifw&xNR
zl*U2K!(Q3-AL-Q4BPJYy4UV`DS3HNNo~&0PTEnd*)}VgK?l6m^A?vS@#HgzreSF=g
zL-q29#*L)EaZ!t4NQK&T>B<!K$W3hW_cpN6zh$1^BsWFp4NHuFmDtN0K7eJAvS>!C
z3*IobO`fP$jlHVT{X3Xr?RX?t+m8%0gtE1Mml^rAab4P=lWN}^V6FeXpw>T6WIG{0
zWIN$Dlc}~Nbk56St$+SU(^Q?AA@;cRw8Iq3QwlW(15XOKou4OmMt<01^TIBd4|b{W
z=b`!%dAe0KCh~QEQ|@js6?g#nf&Hp5KHQ$O8;@}Im=c@k`BnlXWkPQyIj1YfL~jQm
zj?#upjz?ArPo$x^bQ*O*d}6`Q0Y6-$RvGVoG_id%Zg;zQ9RFC3r#pgPRGEHQZ;VRQ
z4$`ek{uz$NeUHN@9D|P@e|sEz`yF@tiiFQom+|A1nt6<WcS@${F{}xC>&@HXx9)S_
zYFxGLHlMHDh?%4|enZe36INPKM~$Z?I=G}W&NFgB$itwWQmEgRATQC7?)H=m(Rww8
zQ@$DIOrRZ;yfw!5Op1-%{|0AA_w@^V|1W=J&!2Cf?b~+l@Bdw0et-R8@cqBbuiyXs
zEI$`$KVJNk9vKlKN4_Z4A3HU{Q<yiGpkFQyO?{E28(gz57|zA{cPH=Od6Q5X7e#jn
zw`AJ^^J2j&!n<gh3L=`M`mg`F`0wx7$-%O{^A3I9O}ki)IV%6|(9*C)c~@qKJb5==
z6v{{ZI_QRkT&Lwyqv|=6tQl(o_mdbJCIR}BKN>gz43l^oL;-h`y&5wJi)Q^+0LTCU
DEoQS>

delta 4933
zcmV-L6T0m8HTX4uABzY8{_t^G00Zq^ZExH-lFnE6uMm;}Vh<AAv1c+sJiCX*%mH^F
z4jAk%a35~&deoA-TVuVAr1r}N+24Lu#TQW&Nl|J!@g8De#<5iOkSvnLVzF3?%AyU^
zBB{^Q?TaV+xrCqh@4v&}?|%6HQvD4-*YB_2y?gQQ`rY+^ch^5$UjOj^#pS!}t9REg
zg3G6>kot3I+OQ6S7uj7MZj#7KH}?LY^k?<zRq$hT$n&s%{PW-UNl;cv@wO=sb(92Q
zRb^=uwrN=ekr*gJQtaUO`HvTZZ3Q5HKfTi6kCT6WNTNfVDClVsw0reIT;}kPb7H+v
zc!M9SunzNopa}EiPcIqO%RdiF_?cb=VV0HmNgT9g(AHtmq}V7E=mnv|zgKC|CiOOq
zlGER0ZPxXnXwy7dLwSVr`ps{vlU-7*>*S9^S_AFs<fMJ9lom*y_Ko3T0uoraHx916
z+BQV-`fRm2iOM>O@_5}OVIA$)o3uFn=H1!qL{w;#eE};0ual_(Cn2uP7zptca}|X2
zY$qxX_$i{6^U*omqOc%J=PWyNLj5(9@c}D;8+D^1zbxGZF;p{Z%Q{V(34`}(1j)x4
zRLe(@cVUgBogk_F;G1_Qnh(&<faAkI*Hu#I4KQxgENMi+oSFvt!mGh^6E)4z&nak&
z&X9adsEfY1scXNuph-Dk3#mG@#BCj;Cj`!3n^lLz`V2B}_F<hoC#h3~{N>KbJ*1w0
zrA>=t+a`1lWO(G$W#imgaXTBqzrzRJ{TG_`xFk1K5~bS|I*4^7nk&gb<x!b28xY8U
zq`mZndhob`V$p0fL~aoJe}qN2(-)HGF~@SM+LP%v4u6bx6BuI?=1H~Wpa-8-?|Jte
zlb`H2kKW-NhDZKA<HA_BSDuq`#)X3+OU(SPaV$`uPpZ$&>{WD@uXLxYEQjQuRMY$f
z)&XvjH<LR9VSfzD3gsVWe|p*02U`=7R4aCqq{YswSo0JS>$$gs*Em63-dJT4d~*f=
zUBiFhExQ-_<==mPChII&>{S|1vytjUVNo~$)lAs@5s>lW;x3LRsqYp!!dS@9ZSgTZ
zHf@qeZ8p_cr@uQCX-neoI*MV(d{ZF`V!f3jd7We>ZhuTcQYnlldK2&;!OXjLTQcwp
z6w7^#HDNdg--}X{5BMvPBSU&$M!0x|0=|IpKLz(^bWzeY4vRRruT#@zGEZ_?xxW0Q
zz6TlQv%I~Ao{%)q4|%|_h3qFtQx|3sXwvLY%c^~xx`YQBzEzyT#N&!X1B0!7B=v}M
zp)XW1Lw_{U#>rjPlHH3hQBe5XAYVcFA=)!T7iA2!SVqYB!(1bsGlZ?aim>rtNzqOb
zHU11sa)_K5CW*aUsImNb&1;Fh;NK0(@^7J#{t|qrPmrwKIarmo&_b~<^F$v5d{N|!
zt~e;PER9I=CU_~|ode&?v)MRt8QsnYX@Gk@sDBYYor4CZzKZiU%2Mdw`ADp73)Ezm
zY#2rv&6BKFgN9?k@Y{jCOvBKILPJy_WDilVcrpB4Rp7?1r3y1~27;K3VCc@77;iIB
zca1u-Jnesj)4Ch|+jMuH6n9Ia?#rfamIkE#+JcyM(v;cVIZ9v=Sk_Yw7y_H}Az7yR
z41W`i+6CcC*gs_9<MN1C3qpo%nWsVrfZ<ZZs=W^5JT2H-gomEC>BAN)fpjik0NRnR
zpRy=~e?uA_*!Um}z|emPnifowoYt45{o?jBs}0&4SnJtQWX27yC34KNiSE~A)<)X0
z5AuW7YCH9nc|)jieh^;vpm%&Y!}@g&ynny_@>5rb<~fhPD)JtINQ-tE{POk7u*bCJ
zT0>pQKw&L!v@JY=e?SR|`Y^hHSF0_L>>b#b2=8EhfLaB-edI<Vos~ktuy&J=w;$$u
zm)2#GPujFRO?Oc}kM-7A9q*z?-R_;?t_AFL^NXGFIWuQG-2fuw?IUc`Ymi3Jq?48g
zVGzBvvv(aH+C2~S9C&=`<uj892Obq7y)LBS-5p0oCo2fYp0gT^Z6@dEvpNTV0e@8)
z?)(4m-(P-zJ-GjW{q_F;XZc~CmUUjnpx933Xm}G`onO5>zdT!M`htadGVe-Imt|Yt
zPBoQRuY#Wwz^N&*0IWGHQe|<{L_EZ%;=wfuhNwVwg8O{}dazc*NkTG@g`b$bxmgzc
z{ik1os;pZXgHv%m$<VPe?V$)aYJXeh)(p(`H^DZ{n&eEY60Z@n>iIFE>gk8la~}A;
ztII<boN~9+8Q0Ptwcth>1L*2u+sQz4(-0RLvMN9aIt}kWwJ^phA}<b;9Mm&Y+NXw+
zTo;_Vs&5XP-`8NcMSE1~ozgeKNhVb1o*dGlVXB_JcCNK;r5Y0IBF60o(|=;asdZ7a
zO?Y3#?Af4KRHxyP-m71nZn-n1U5bOEA189!dpjIs(w*I}q7vrB?@FM!%wBL~h*BR;
zge{2!WHJ}%A@afA?^Nd>;tJP&AGteeVD;pGQ`3!Zf8)_cA5$E6FvLs*DV^$ECbU5X
z`4Nd8d2^~UIc9%e4Kx5gl7Bq|e`tt3RwptZm=3VnL9#@LKkfM2#x|;Gzzs*0d6b&Z
zM>JI3Io1asy6UWD=%mA<lw*v3DZPU-aULNbo*EH`@FGUDkKKiMvT)7z@pQ;C1mh7K
zeJmM;$b^uW&}HOaIUO(>1P!a|K)m$qW`%y}B5CRGQ=J9Z(sUaq+keyF5?b@tVBX_a
z<Q0zy#|0ohW*LIL-evGMz+D5A{yyF9VdbR_c)#R~?fVxi7`HKMnUgJ{&Y}VR5oQ6i
z$KVz7k(n0$CdsxRqOb}#X_mH+!N(xlm-j_*n}Pwfg@54<%O+{lILL2{G7hk7=m3xY
zwMh#Ze@_qU5Nw*H-G2fkE_iDUzM}L`pKiu#0alDSu&<L0?Bfg%>_?cy9{C?oXmqGy
z=(OWJeS>p^dK+U{(l{A98EF=jXb_B2^Rq>aomLJS+2N%(vvO_JlQ(a6bX*F*JvlIl
zo&{j5f%Icc`;KYv%LH}$LvZ20J=shFAG~Pwp(k1!RSTdT;(r0k6!vaHUIiPn1)4)s
zB}MGw)ODrW6m${MWc3=yObG=rP0A>R%6rTxYTOYmK7tigPP#;&f%?kQ;&y$@FDM?8
zI}8svqGkdSIwDTPodzY|&VqE+N-m)|07yf_CNZhgXblS7Xl9*B796+}SwQ|%S!iU!
zaITZ+js<n$Hh+7(W^;I`YM%5`U=!%&hTqMy(zaNdSKiFS_4_8%ul0{u7R)RhJ~<PJ
z@?yjSkUkoT2kc-nqmO)X-_~W`E%cP|Brjty6IRA#2qV=Kp}@m!p6M3(v0%eI3$qbN
zL!Ld64KdIHnpfJjCpHYaDFPGQUvnhfoc?qpGAOY4{2b-f0c!U~Ue0SW+o7A{=H@il
zj;8qtyxJ<zK4O#23??>%n8GZ}0jygsV44-*C$@#|2e^$?(-?ls>#kpSd;5D+7U%Ht
zrK<rSjV`;P58%@<n&MUPmy;<CNC6F#at&t(Pg#h#b^er-;0;k51iQO~`;_ok%j28w
zjXzBh%AN10D*&%)uU>VNOb+z|ubs0)4_^TRSCgX<O##=F@en+JA1T6^*$N)<#cEI`
z@aAE(M)zr*#tHqwqME&MD3+#Z=2YQI;k8%6H|+Ui0BZ}yTFYNJV(@phOXEOnE(a;E
zeB%s31<3fqfbD9BL5to|ix1mckI_9U3X&`6;{hp#INsG=2=PZ#Y-NBe7IW844@&;%
z2u=+mk)m#-b1Z&;#_k|(8td>N&i6=0y`aUd_TG{??$g*Y2gzMpfm$xM<%k31k3-V5
zYqII|3#JBo-kx<1vjmJ8w+luPyB#bBVjuqwecsLs`KdfiK+1-r2d&zNWQ+?h74dqq
z_KdC3W)CebWO3OnZbrLlG~i=dB~c;6kV^JR29wccey>)4adM~bK`fpqg$M+PhwU~u
z7f@2S!(wZhEt2HmL6hCln%mZ;qiXm`1gw>lA}h<v3(BuZtQ?pWwbKP4WR^B*Owm}Q
zTXeovIf7wyhd$u&*@F+5<eA(gE_vcM=5Js;;{|Zth15QD1^h>Gbg9{EZ^G@j*Vf;h
zXKWv@dL~?d+x^6Y%vS<U|Mt9VNa>^_t`Jb!4UfEWwMA~U)(>ps=|@aXmPPz9v}ElM
zFdegv1JctMLuhGHw(0iK?XpRWeS#V}Rzj3US|n?^yc=pnp7(xbuew7l>8!TyBqeFp
z<_``MA$dTuN}dRXA7GSF%!@;T24oacC)f|%&;o;hoqD%XguZLwp?$kf_n4XIiUy3l
zzHD;^bS!ndmVb#)Jvn*e%>k{C5Y5G1YFjkr{Rp4Es-$IO!}BhM;F6XdK5!mlbsVhY
zx`G_CGBSx!*r_~rb*Cg(P^Kzlq}(c@&A43g3?<T8aF;@-k{@-;E>U-?6rMQhpb<J6
zs8O<iFdwHkSmSW(i4(bm6}E|WqAXxeB3i-6n$sEcR5yny|Jo(+Cd@aXCh{ot7A28-
zbq`TalRB}Ci=D(ZR%fdac*Y$P#uom!m7mG#D#D&S+G!+r)W%5fZmD3Q;lntbgkq$5
zkdgq$D{Xf3A%;S(=eBHmLS~2DXByKWjisG`iMcaO?+wAH>}m=-e!J1i><3ku0F~T7
zbb{Y1-;dH;ARWR!%{3%pw6krSUPK1#Q)Y_TnQ)8Maf!8@ZSu@q78h<<(eVa#kn<2$
zP>PTn_c~}PZC7=s4E)>bV6d>$GS9<(XvL@Raaroi(jW=Lz(vF?j_%kCEfveM=1ekw
z?`MUW=yMQlTG-rYERmwA<ZW6f_b_AP(T2XZ3Kh5Wv%LQYxzD#9XxJEw2#;h6JbAU|
zO*vb=QVF{&T9b;RsW5uF#K;^+H*7|ESdAu1F%`$kmQ&WXFcY<iZ}g=XCSQ+%2BC%P
z6(tYN9wH9VeL7&>(=KM8vB-NSb2X2DXmiObW21O8g<4apZ5t}Y0D2|FqbN>~`DIc{
z5^K?Dc8|WH!iID;>}>R;N8DZSbB~b2W)1Q^byfpOV<a<w<>n)O>vZ&N!DJY9rA1x(
zLSYuoNOqvI^&^c!hb5>N<{P6lIZqPiDK=(EqMUrk+=X=|`Wt-3!Z=$7#mMA;!&CW{
z$Z(F}7~%Bkr0!JFdTwaQk8GawekJm8Y6y^r(W-_U<H*&Pa9)J*%-+7FaxVKSt)zOk
z*&IaP86FZ-c?kkS^{Bk{UH#TYNoHJ!${w?C7xltg-N>D0>FY1jn`dLHTzsjkQ{Fbc
zChDmxNk`oJtaRFHf;0AgkdZ8ZXFQeWjD%Y%=fw0<(hRr2DFF;JmD-J(9mZ-`h|hD3
z+~*ko#)#|P=+%ye;GLH-7AnJaFXPxE+*dSw(8sT7SU&bLqV|vd`U|=1r`#2qCOE&F
z0CKErcQp)-FG=c(&6Gq+z@11RV+8XHI+Wz&@o18CrowA=ZTBkpiRC+g%pO_Ri<Es}
z2NrEGr%@T7<A(?XgY7Dl_;>X?<9RPwN=~&{_Jl1CXnT@%cB5aO&=P#IH2MT+NSoZd
zXT<MXc-={wbK}CbzgP@tG)LsH5#rv5X~Ez{=?ex+#A#k*%q&+yKYw6w)1Ojl{fA*n
z2`5p{<4=Bm?dVDpj@TN1y=OF0^o@S2#}FICg89*LQL=+kEoU_I+VKcjnY@sn&GuZP
zg3>sMdDttv{v(|ldc=eyu)z`6;fm+b)RXlpL~FQ}#2VBO*&SwaG-Ul1k{ETBqmQrq
zbf{kb(72KGH!f-s45?6?E?t?T9=VB4{@w;Q`nSyUo8+eGykUudu@ZZE!w0YoQWnif
zb-^2^w#gIKs<Br!x_<|AtR0W!YWtC4hETTF?=mBwHm*w>bW-hm1FZGG7u5RaiEJn2
zhioU@W-`@wgwA<cto6_TXqu`sGsGU3o_3gGc}k(iVBksNw)6AE&d3jYY+l&q^1&_@
z{ybD)B2Txf#zek<Zpz&arUDNDKd@gF#)sQ;cH<Gw9#dlTJl{%yq)h0oB<FPHnCR^Q
z#8KLC$??c4;fXX9mrkQDh#y(7bHESRs8z;$A5CoEjN9EV9>+hH<LQo|7geSo)*GYJ
zw1af3l7E6@ao^+c3CG~0$KM{u-hRj3z9QlC)Mfnmq-Gv}<DHTzdJJoV-g^Be_^tcg
zw;ES%yUph-H)1BKjo%RT#)Op?)KTMUi4HF5jPs0K5b`i+rxfaUCCE!Oq`N)kLbP6u
z;gqk3ITL8dByWweJ(FT1_rJl}(S7~G-v7%V+4JYyC;PUY`}=?IF2B3_e(?Rj%dg-6
z`z${fXg^+)92pWJ2firPA38O`Q<yiGpkFQyO?{E28(gz57|zA{w<mAkdXrBX7e%)S
zw`AJ^^J2j&!n<gh3L=`M`mg`F`0sDo$-%O{^A>&HO}ki)IV%6|(9*C)c~@qKJb61^
z6v{{ZI_QRkT&Lwyqv|P>s~Kwn`;!+MCIRY`J{mXy1e13fL;<&xyc#nIHR6XX0LTCU
Dg?z6u

diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index 1b0360a3..ce8d03c1 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -2328,10 +2328,18 @@ index 688abc2..3d89250 100644
  /usr/bin/kdesu		--	gen_context(system_u:object_r:su_exec_t,s0)
 +/usr/bin/su		--	gen_context(system_u:object_r:su_exec_t,s0)
 diff --git a/policy/modules/admin/su.if b/policy/modules/admin/su.if
-index 03ec5ca..1ed2cd4 100644
+index 03ec5ca..1e3ace4 100644
 --- a/policy/modules/admin/su.if
 +++ b/policy/modules/admin/su.if
-@@ -48,6 +48,7 @@ template(`su_restricted_domain_template', `
+@@ -41,13 +41,14 @@ template(`su_restricted_domain_template', `
+ 
+ 	allow $2 $1_su_t:process signal;
+ 
+-	allow $1_su_t self:capability { audit_control audit_write setuid setgid net_bind_service chown dac_override fowner sys_nice sys_resource };
++	allow $1_su_t self:capability { audit_control audit_write setuid setgid net_bind_service chown dac_read_search dac_override fowner sys_nice sys_resource };
+ 	dontaudit $1_su_t self:capability sys_tty_config;
+ 	allow $1_su_t self:key { search write };
+ 	allow $1_su_t self:process { setexec setsched setrlimit };
  	allow $1_su_t self:fifo_file rw_fifo_file_perms;
  	allow $1_su_t self:netlink_audit_socket { nlmsg_relay create_netlink_socket_perms };
  	allow $1_su_t self:unix_stream_socket create_stream_socket_perms;
@@ -2516,7 +2524,7 @@ index 03ec5ca..1ed2cd4 100644
  
  #######################################
 diff --git a/policy/modules/admin/su.te b/policy/modules/admin/su.te
-index 85bb77e..5f38282 100644
+index 85bb77e..a430233 100644
 --- a/policy/modules/admin/su.te
 +++ b/policy/modules/admin/su.te
 @@ -9,3 +9,82 @@ attribute su_domain_type;
@@ -2524,7 +2532,7 @@ index 85bb77e..5f38282 100644
  type su_exec_t;
  corecmd_executable_file(su_exec_t)
 +
-+allow su_domain_type self:capability { audit_control audit_write setuid setgid net_bind_service chown dac_override fowner sys_nice sys_resource };
++allow su_domain_type self:capability { audit_control audit_write setuid setgid net_bind_service chown dac_read_search dac_override fowner sys_nice sys_resource };
 +dontaudit su_domain_type self:capability sys_tty_config;
 +allow su_domain_type self:process { setexec setsched setrlimit };
 +allow su_domain_type self:fifo_file rw_fifo_file_perms;
@@ -2797,7 +2805,7 @@ index 0960199..2e75ec7 100644
 +    manage_files_pattern($1, sudo_db_t, sudo_db_t)
 +')
 diff --git a/policy/modules/admin/sudo.te b/policy/modules/admin/sudo.te
-index d9fce57..8a18a54 100644
+index d9fce57..174f893 100644
 --- a/policy/modules/admin/sudo.te
 +++ b/policy/modules/admin/sudo.te
 @@ -7,3 +7,111 @@ attribute sudodomain;
@@ -2818,7 +2826,7 @@ index d9fce57..8a18a54 100644
 +#
 +
 +# Use capabilities.
-+allow sudodomain self:capability { chown fowner setuid setgid dac_override sys_nice sys_resource };
++allow sudodomain self:capability { chown fowner setuid setgid dac_read_search dac_override sys_nice sys_resource };
 +dontaudit sudodomain self:capability net_admin;
 +allow sudodomain self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 +allow sudodomain self:process { setexec setrlimit };
@@ -3090,7 +3098,7 @@ index 99e3903..fa68362 100644
  ## </summary>
  ## <param name="domain">
 diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
-index 1d732f1..a7fa09d 100644
+index 1d732f1..121ace8 100644
 --- a/policy/modules/admin/usermanage.te
 +++ b/policy/modules/admin/usermanage.te
 @@ -26,6 +26,7 @@ type chfn_exec_t;
@@ -3113,7 +3121,7 @@ index 1d732f1..a7fa09d 100644
  application_domain(passwd_t, passwd_exec_t)
  role passwd_roles types passwd_t;
  
-@@ -61,9 +64,13 @@ files_tmp_file(sysadm_passwd_tmp_t)
+@@ -61,15 +64,19 @@ files_tmp_file(sysadm_passwd_tmp_t)
  type useradd_t;
  type useradd_exec_t;
  domain_obj_id_change_exemption(useradd_t)
@@ -3127,6 +3135,13 @@ index 1d732f1..a7fa09d 100644
  ########################################
  #
  # Chfn local policy
+ #
+ 
+-allow chfn_t self:capability { chown dac_override fsetid setuid setgid sys_resource };
++allow chfn_t self:capability { chown dac_read_search dac_override fsetid setuid setgid sys_resource };
+ allow chfn_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
+ allow chfn_t self:process { setrlimit setfscreate };
+ allow chfn_t self:fd use;
 @@ -86,6 +93,7 @@ allow chfn_t self:unix_stream_socket connectto;
  
  kernel_read_system_state(chfn_t)
@@ -3205,6 +3220,15 @@ index 1d732f1..a7fa09d 100644
  ########################################
  #
  # Crack local policy
+@@ -186,7 +210,7 @@ optional_policy(`
+ # Groupadd local policy
+ #
+ 
+-allow groupadd_t self:capability { dac_override chown kill setuid sys_resource audit_write };
++allow groupadd_t self:capability { dac_read_search dac_override chown kill setuid sys_resource audit_write };
+ dontaudit groupadd_t self:capability { fsetid sys_tty_config };
+ allow groupadd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
+ allow groupadd_t self:process { setrlimit setfscreate };
 @@ -212,8 +236,8 @@ selinux_compute_create_context(groupadd_t)
  selinux_compute_relabel_context(groupadd_t)
  selinux_compute_user_contexts(groupadd_t)
@@ -3259,7 +3283,7 @@ index 1d732f1..a7fa09d 100644
  #
  
 -allow passwd_t self:capability { chown dac_override fsetid setuid setgid sys_nice sys_resource };
-+allow passwd_t self:capability { chown dac_override ipc_lock fsetid setuid setgid sys_nice sys_resource sys_admin };
++allow passwd_t self:capability { chown dac_read_search dac_read_search dac_override ipc_lock fsetid setuid setgid sys_nice sys_resource sys_admin };
  dontaudit passwd_t self:capability sys_tty_config;
  allow passwd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  allow passwd_t self:process { setrlimit setfscreate };
@@ -3351,6 +3375,15 @@ index 1d732f1..a7fa09d 100644
  
  optional_policy(`
  	nscd_run(passwd_t, passwd_roles)
+@@ -362,7 +411,7 @@ optional_policy(`
+ # Password admin local policy
+ #
+ 
+-allow sysadm_passwd_t self:capability { chown dac_override fsetid setuid setgid sys_resource };
++allow sysadm_passwd_t self:capability { chown dac_read_search dac_override fsetid setuid setgid sys_resource };
+ allow sysadm_passwd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+ allow sysadm_passwd_t self:process { setrlimit setfscreate };
+ allow sysadm_passwd_t self:fd use;
 @@ -401,9 +450,10 @@ dev_read_urand(sysadm_passwd_t)
  fs_getattr_xattr_fs(sysadm_passwd_t)
  fs_search_auto_mountpoints(sysadm_passwd_t)
@@ -3391,7 +3424,7 @@ index 1d732f1..a7fa09d 100644
  
 -allow useradd_t self:capability { dac_override chown kill fowner fsetid setuid sys_resource };
 -dontaudit useradd_t self:capability sys_tty_config;
-+allow useradd_t self:capability { dac_override chown kill fowner fsetid setuid sys_ptrace sys_resource sys_chroot };
++allow useradd_t self:capability { dac_read_search dac_override chown kill fowner fsetid setuid sys_ptrace sys_resource sys_chroot };
 +
 +dontaudit useradd_t self:capability { net_admin sys_tty_config };
  allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
@@ -3632,7 +3665,7 @@ index 1dc7a85..e4f6fc2 100644
 +	corecmd_shell_domtrans($1_seunshare_t, $1_t)
  ')
 diff --git a/policy/modules/apps/seunshare.te b/policy/modules/apps/seunshare.te
-index 7590165..d81185e 100644
+index 7590165..f50f799 100644
 --- a/policy/modules/apps/seunshare.te
 +++ b/policy/modules/apps/seunshare.te
 @@ -5,40 +5,65 @@ policy_module(seunshare, 1.1.0)
@@ -3649,7 +3682,7 @@ index 7590165..d81185e 100644
  #
  # seunshare local policy
  #
-+allow seunshare_domain self:capability { fowner setgid setuid dac_override setpcap sys_admin sys_nice };
++allow seunshare_domain self:capability { fowner setgid setuid dac_read_search dac_override setpcap sys_admin sys_nice };
 +allow seunshare_domain self:process { fork setexec signal getcap setcap setcurrent setsched };
  
 -allow seunshare_t self:capability { setuid dac_override setpcap sys_admin };
@@ -11114,7 +11147,7 @@ index b876c48..2e591a5 100644
 +
 +/sysroot/ostree/deploy/.*-atomic/deploy(/.*)?           gen_context(system_u:object_r:root_t,s0)
 diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index f962f76..4785fe8 100644
+index f962f76..c1b46d8 100644
 --- a/policy/modules/kernel/files.if
 +++ b/policy/modules/kernel/files.if
 @@ -19,6 +19,136 @@
@@ -11993,7 +12026,7 @@ index f962f76..4785fe8 100644
 -		type root_t;
 +		attribute mountpoint;
  	')
-+    dontaudit $1 self:capability  dac_override;
++    dontaudit $1 self:capability  { dac_read_search dac_override };
  
 -	allow $1 root_t:dir list_dir_perms;
 -	allow $1 root_t:lnk_file { read_lnk_file_perms ioctl lock };
@@ -24360,7 +24393,7 @@ index ff92430..36740ea 100644
  ## <summary>
  ##	Execute a generic bin program in the sysadm domain.
 diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
-index 2522ca6..e5d8ff8 100644
+index 2522ca6..8932351 100644
 --- a/policy/modules/roles/sysadm.te
 +++ b/policy/modules/roles/sysadm.te
 @@ -5,39 +5,102 @@ policy_module(sysadm, 2.6.1)
@@ -24781,7 +24814,7 @@ index 2522ca6..e5d8ff8 100644
  
  optional_policy(`
  	screen_role_template(sysadm, sysadm_r, sysadm_t)
-+    allow sysadm_screen_t self:capability dac_override;
++    allow sysadm_screen_t self:capability { dac_read_search dac_override };
  ')
  
  optional_policy(`
@@ -27061,7 +27094,7 @@ index 76d9f66..7528851 100644
 +/root/\.ssh(/.*)?			gen_context(system_u:object_r:ssh_home_t,s0)
 +/root/\.shosts				gen_context(system_u:object_r:ssh_home_t,s0)
 diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
-index fe0c682..20f3ba4 100644
+index fe0c682..79d568a 100644
 --- a/policy/modules/services/ssh.if
 +++ b/policy/modules/services/ssh.if
 @@ -32,10 +32,11 @@
@@ -27192,7 +27225,7 @@ index fe0c682..20f3ba4 100644
  	files_pid_file($1_var_run_t)
  
 -	allow $1_t self:capability { kill sys_chroot sys_nice sys_resource chown dac_override fowner fsetid setgid setuid sys_tty_config };
-+	allow $1_t self:capability { kill sys_admin sys_chroot sys_nice sys_resource chown dac_override fowner fsetid net_admin setgid setuid sys_tty_config };
++	allow $1_t self:capability { kill sys_admin sys_chroot sys_nice sys_resource chown dac_read_search dac_override fowner fsetid net_admin setgid setuid sys_tty_config };
  	allow $1_t self:fifo_file rw_fifo_file_perms;
 -	allow $1_t self:process { signal getsched setsched setrlimit setexec setkeycreate };
 +	allow $1_t self:process { getcap signal getsched setsched setrlimit setexec };
@@ -27794,7 +27827,7 @@ index fe0c682..20f3ba4 100644
 +	ps_process_pattern($1, sshd_t)
 +')
 diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
-index cc877c7..92de2d7 100644
+index cc877c7..3038b08 100644
 --- a/policy/modules/services/ssh.te
 +++ b/policy/modules/services/ssh.te
 @@ -6,43 +6,69 @@ policy_module(ssh, 2.4.2)
@@ -28275,7 +28308,7 @@ index cc877c7..92de2d7 100644
  # ssh_keygen_t is the type of the ssh-keygen program when run at install time
  # and by sysadm_t
  
-+allow ssh_keygen_t self:capability dac_override;
++allow ssh_keygen_t self:capability { dac_read_search dac_override };
  dontaudit ssh_keygen_t self:capability sys_tty_config;
  allow ssh_keygen_t self:process { sigchld sigkill sigstop signull signal };
 -
@@ -30397,7 +30430,7 @@ index 6bf0ecc..e6be63a 100644
 +')
 +
 diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
-index 8b40377..8c9110f 100644
+index 8b40377..fc04c66 100644
 --- a/policy/modules/services/xserver.te
 +++ b/policy/modules/services/xserver.te
 @@ -26,28 +26,66 @@ gen_require(`
@@ -30657,7 +30690,7 @@ index 8b40377..8c9110f 100644
  # Xauth local policy
  #
  
-+allow xauth_t self:capability dac_override;
++allow xauth_t self:capability { dac_read_search dac_override };
  allow xauth_t self:process signal;
 +allow xauth_t self:shm create_shm_perms;
  allow xauth_t self:unix_stream_socket create_stream_socket_perms;
@@ -31433,7 +31466,7 @@ index 8b40377..8c9110f 100644
  # NVIDIA Needs execstack
  
 -allow xserver_t self:capability { dac_override fowner fsetid setgid setuid ipc_owner sys_rawio sys_admin sys_nice sys_tty_config mknod net_bind_service };
-+allow xserver_t self:capability { sys_ptrace dac_override fowner fsetid setgid setuid ipc_owner sys_rawio sys_admin sys_nice sys_tty_config mknod net_bind_service };
++allow xserver_t self:capability { sys_ptrace dac_read_search dac_override fowner fsetid setgid setuid ipc_owner sys_rawio sys_admin sys_nice sys_tty_config mknod net_bind_service };
 +
  dontaudit xserver_t self:capability chown;
 +#allow xserver_t self:capability2 compromise_kernel;
@@ -33094,7 +33127,7 @@ index 3efd5b6..3db526f 100644
 +	allow $1 login_pgm:key manage_key_perms;
 +')
 diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
-index 09b791d..fde4518 100644
+index 09b791d..2d255df 100644
 --- a/policy/modules/system/authlogin.te
 +++ b/policy/modules/system/authlogin.te
 @@ -5,6 +5,19 @@ policy_module(authlogin, 2.5.1)
@@ -33178,6 +33211,15 @@ index 09b791d..fde4518 100644
  type updpwd_t;
  type updpwd_exec_t;
  domain_type(updpwd_t)
+@@ -90,7 +112,7 @@ logging_log_file(wtmp_t)
+ # Check password local policy
+ #
+ 
+-allow chkpwd_t self:capability { dac_override setuid };
++allow chkpwd_t self:capability { dac_read_search dac_override setuid };
+ dontaudit chkpwd_t self:capability sys_tty_config;
+ allow chkpwd_t self:process { getattr signal };
+ 
 @@ -109,6 +131,8 @@ dev_read_urand(chkpwd_t)
  files_read_etc_files(chkpwd_t)
  # for nscd
@@ -33291,6 +33333,15 @@ index 09b791d..fde4518 100644
  miscfiles_read_generic_certs(pam_console_t)
  
  seutil_read_file_contexts(pam_console_t)
+@@ -330,7 +351,7 @@ optional_policy(`
+ # updpwd local policy
+ #
+ 
+-allow updpwd_t self:capability { chown dac_override };
++allow updpwd_t self:capability { chown dac_read_search dac_override };
+ allow updpwd_t self:process setfscreate;
+ allow updpwd_t self:fifo_file rw_fifo_file_perms;
+ allow updpwd_t self:unix_stream_socket create_stream_socket_perms;
 @@ -341,6 +362,11 @@ kernel_read_system_state(updpwd_t)
  dev_read_urand(updpwd_t)
  
@@ -33634,9 +33685,18 @@ index d475c2d..55305d5 100644
 +	files_etc_filetrans($1, adjtime_t, file, "adjtime" )
 +')
 diff --git a/policy/modules/system/clock.te b/policy/modules/system/clock.te
-index edece47..cb014fd 100644
+index edece47..2e7b811 100644
 --- a/policy/modules/system/clock.te
 +++ b/policy/modules/system/clock.te
+@@ -20,7 +20,7 @@ role system_r types hwclock_t;
+ 
+ # Give hwclock the capabilities it requires.  dac_override is a surprise,
+ # but hwclock does require it.
+-allow hwclock_t self:capability { dac_override sys_rawio sys_time sys_tty_config };
++allow hwclock_t self:capability { dac_read_search dac_override sys_rawio sys_time sys_tty_config };
+ dontaudit hwclock_t self:capability sys_tty_config;
+ allow hwclock_t self:process signal_perms;
+ allow hwclock_t self:fifo_file rw_fifo_file_perms;
 @@ -46,18 +46,19 @@ fs_search_auto_mountpoints(hwclock_t)
  
  term_dontaudit_use_console(hwclock_t)
@@ -34014,10 +34074,10 @@ index e4376aa..2c98c56 100644
 +	allow $1 getty_unit_file_t:service start;
 +')
 diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te
-index f6743ea..22425f5 100644
+index f6743ea..ef08ff3 100644
 --- a/policy/modules/system/getty.te
 +++ b/policy/modules/system/getty.te
-@@ -27,6 +27,17 @@ files_tmp_file(getty_tmp_t)
+@@ -27,13 +27,24 @@ files_tmp_file(getty_tmp_t)
  type getty_var_run_t;
  files_pid_file(getty_var_run_t)
  
@@ -34035,6 +34095,14 @@ index f6743ea..22425f5 100644
  ########################################
  #
  # Getty local policy
+ #
+ 
+ # Use capabilities.
+-allow getty_t self:capability { dac_override chown setgid sys_resource sys_tty_config fowner fsetid };
++allow getty_t self:capability { dac_read_search dac_override chown setgid sys_resource sys_tty_config fowner fsetid };
+ dontaudit getty_t self:capability sys_tty_config;
+ allow getty_t self:process { getpgid setpgid getsession signal_perms };
+ allow getty_t self:fifo_file rw_fifo_file_perms;
 @@ -56,6 +67,7 @@ manage_files_pattern(getty_t, getty_var_run_t, getty_var_run_t)
  files_pid_filetrans(getty_t, getty_var_run_t, file)
  
@@ -39211,7 +39279,7 @@ index 808ba93..baca326 100644
 +	files_etc_filetrans($1, ld_so_cache_t, file, "ld.so.preload~")
 +')
 diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te
-index 54f8fa5..544b8e3 100644
+index 54f8fa5..b9dbbe0 100644
 --- a/policy/modules/system/libraries.te
 +++ b/policy/modules/system/libraries.te
 @@ -32,14 +32,14 @@ files_tmp_file(ldconfig_tmp_t)
@@ -39231,9 +39299,12 @@ index 54f8fa5..544b8e3 100644
  
  ifdef(`distro_gentoo',`
  	# openrc unfortunately mounts a tmpfs
-@@ -59,9 +59,11 @@ optional_policy(`
+@@ -57,11 +57,13 @@ optional_policy(`
+ # ldconfig local policy
+ #
  
- allow ldconfig_t self:capability { dac_override sys_chroot };
+-allow ldconfig_t self:capability { dac_override sys_chroot };
++allow ldconfig_t self:capability { dac_read_search dac_override sys_chroot };
  
 +manage_dirs_pattern(ldconfig_t, ldconfig_cache_t, ldconfig_cache_t)
  manage_files_pattern(ldconfig_t, ldconfig_cache_t, ldconfig_cache_t)
@@ -39409,7 +39480,7 @@ index 0e3c2a9..ea9bd57 100644
 +	userdom_admin_home_dir_filetrans($1, local_login_home_t, file, ".hushlogin")
 +')
 diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
-index 446fa99..d66491c 100644
+index 446fa99..fcf08ac 100644
 --- a/policy/modules/system/locallogin.te
 +++ b/policy/modules/system/locallogin.te
 @@ -13,9 +13,8 @@ auth_login_entry_type(local_login_t)
@@ -39444,7 +39515,7 @@ index 446fa99..d66491c 100644
 -allow local_login_t self:capability { dac_override chown fowner fsetid kill setgid setuid sys_nice sys_resource sys_tty_config };
 -allow local_login_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 -allow local_login_t self:process { setrlimit setexec };
-+allow local_login_t self:capability { dac_override chown fowner fsetid kill setgid setuid sys_admin sys_nice sys_resource sys_tty_config };
++allow local_login_t self:capability { dac_read_search dac_override chown fowner fsetid kill setgid setuid sys_admin sys_nice sys_resource sys_tty_config };
 +allow local_login_t self:process ~{ ptrace setcurrent setfscreate execmem execstack execheap };
  allow local_login_t self:fd use;
  allow local_login_t self:fifo_file rw_fifo_file_perms;
@@ -39546,7 +39617,7 @@ index 446fa99..d66491c 100644
  #
  
 -allow sulogin_t self:capability dac_override;
-+allow sulogin_t self:capability { dac_override sys_admin };
++allow sulogin_t self:capability { dac_read_search dac_override sys_admin };
  allow sulogin_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  allow sulogin_t self:fd use;
  allow sulogin_t self:fifo_file rw_fifo_file_perms;
@@ -40303,7 +40374,7 @@ index 4e94884..0690edf 100644
 +	filetrans_pattern($1, syslogd_var_run_t, $2, $3, $4)
 +')
 diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index 59b04c1..d9eb312 100644
+index 59b04c1..0114ad2 100644
 --- a/policy/modules/system/logging.te
 +++ b/policy/modules/system/logging.te
 @@ -4,6 +4,29 @@ policy_module(logging, 1.20.1)
@@ -40458,6 +40529,15 @@ index 59b04c1..d9eb312 100644
  userdom_dontaudit_use_unpriv_user_fds(auditd_t)
  userdom_dontaudit_search_user_home_dirs(auditd_t)
  
+@@ -219,7 +258,7 @@ optional_policy(`
+ # audit dispatcher local policy
+ #
+ 
+-allow audisp_t self:capability { dac_override setpcap sys_nice };
++allow audisp_t self:capability { dac_read_search dac_override setpcap sys_nice };
+ allow audisp_t self:process { getcap signal_perms setcap setsched };
+ allow audisp_t self:fifo_file rw_fifo_file_perms;
+ allow audisp_t self:unix_stream_socket create_stream_socket_perms;
 @@ -237,19 +276,29 @@ corecmd_exec_shell(audisp_t)
  
  domain_use_interactive_fds(audisp_t)
@@ -40543,7 +40623,7 @@ index 59b04c1..d9eb312 100644
  # sys_nice for rsyslog
  # cjp: why net_admin!
 -allow syslogd_t self:capability { dac_override sys_resource sys_tty_config net_admin sys_admin sys_nice chown fsetid };
-+allow syslogd_t self:capability { sys_ptrace dac_override sys_resource sys_tty_config ipc_lock net_admin setgid setuid sys_admin sys_nice chown fsetid setuid setgid net_raw };
++allow syslogd_t self:capability { sys_ptrace dac_read_search dac_override sys_resource sys_tty_config ipc_lock net_admin setgid setuid sys_admin sys_nice chown fsetid setuid setgid net_raw };
  dontaudit syslogd_t self:capability sys_tty_config;
 +dontaudit syslogd_t self:cap_userns sys_ptrace;
 +allow syslogd_t self:capability2 { syslog block_suspend };
@@ -41239,7 +41319,7 @@ index 58bc27f..842ce28 100644
 +
 +
 diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
-index 79048c4..262c9ec 100644
+index 79048c4..b0cb1e5 100644
 --- a/policy/modules/system/lvm.te
 +++ b/policy/modules/system/lvm.te
 @@ -12,6 +12,9 @@ init_daemon_domain(clvmd_t, clvmd_exec_t)
@@ -41323,7 +41403,13 @@ index 79048c4..262c9ec 100644
  	ccs_stream_connect(clvmd_t)
  ')
  
-@@ -170,15 +181,22 @@ dontaudit lvm_t self:capability sys_tty_config;
+@@ -165,20 +176,27 @@ optional_policy(`
+ # DAC overrides and mknod for modifying /dev entries (vgmknodes)
+ # rawio needed for dmraid
+ # net_admin for multipath
+-allow lvm_t self:capability { dac_override fowner ipc_lock sys_admin sys_nice mknod chown sys_resource sys_rawio net_admin };
++allow lvm_t self:capability { dac_read_search dac_override fowner ipc_lock sys_admin sys_nice mknod chown sys_resource sys_rawio net_admin };
+ dontaudit lvm_t self:capability sys_tty_config;
  allow lvm_t self:process { sigchld sigkill sigstop signull signal setfscreate };
  # LVM will complain a lot if it cannot set its priority.
  allow lvm_t self:process setsched;
@@ -42099,7 +42185,7 @@ index 7449974..b792900 100644
 +	#files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.symbols.bin")
 +')
 diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
-index 7a363b8..6d92782 100644
+index 7a363b8..aa59857 100644
 --- a/policy/modules/system/modutils.te
 +++ b/policy/modules/system/modutils.te
 @@ -5,7 +5,7 @@ policy_module(modutils, 1.14.0)
@@ -42205,7 +42291,7 @@ index 7a363b8..6d92782 100644
  #
  
 -allow insmod_t self:capability { dac_override net_raw sys_nice sys_tty_config };
-+allow insmod_t self:capability { dac_override mknod net_raw sys_nice sys_tty_config };
++allow insmod_t self:capability { dac_read_search dac_override mknod net_raw sys_nice sys_tty_config };
  allow insmod_t self:process { execmem sigchld sigkill sigstop signull signal };
  
  allow insmod_t self:udp_socket create_socket_perms;
@@ -44134,7 +44220,7 @@ index 3822072..d358162 100644
 +	allow semanage_t $1:dbus send_msg;
 +')
 diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
-index dc46420..67f4de1 100644
+index dc46420..1a0d4fb 100644
 --- a/policy/modules/system/selinuxutil.te
 +++ b/policy/modules/system/selinuxutil.te
 @@ -11,14 +11,16 @@ gen_require(`
@@ -44223,7 +44309,7 @@ index dc46420..67f4de1 100644
  
  type restorecond_var_run_t;
  files_pid_file(restorecond_var_run_t)
-@@ -92,34 +105,43 @@ type run_init_t;
+@@ -92,40 +105,49 @@ type run_init_t;
  type run_init_exec_t;
  application_domain(run_init_t, run_init_exec_t)
  domain_system_change_exemption(run_init_t)
@@ -44276,6 +44362,13 @@ index dc46420..67f4de1 100644
  ########################################
  #
  # Checkpolicy local policy
+ #
+ 
+-allow checkpolicy_t self:capability dac_override;
++allow checkpolicy_t self:capability { dac_read_search dac_override };
+ 
+ # able to create and modify binary policy files
+ manage_files_pattern(checkpolicy_t, policy_config_t, policy_config_t)
 @@ -137,6 +159,7 @@ filetrans_add_pattern(checkpolicy_t, policy_src_t, policy_config_t, file)
  read_files_pattern(checkpolicy_t, policy_src_t, policy_src_t)
  read_lnk_files_pattern(checkpolicy_t, policy_src_t, policy_src_t)
@@ -44293,6 +44386,15 @@ index dc46420..67f4de1 100644
  userdom_use_all_users_fds(checkpolicy_t)
  
  ifdef(`distro_ubuntu',`
+@@ -165,7 +188,7 @@ ifdef(`distro_ubuntu',`
+ # Load_policy local policy
+ #
+ 
+-allow load_policy_t self:capability dac_override;
++allow load_policy_t self:capability { dac_read_search dac_override };
+ 
+ # only allow read of policy config files
+ read_files_pattern(load_policy_t, { policy_src_t policy_config_t }, policy_config_t)
 @@ -188,13 +211,13 @@ term_list_ptys(load_policy_t)
  
  init_use_script_fds(load_policy_t)
@@ -44337,7 +44439,7 @@ index dc46420..67f4de1 100644
  #
  
 -allow newrole_t self:capability { fowner setuid setgid dac_override };
-+allow newrole_t self:capability { fowner setpcap setuid setgid dac_override };
++allow newrole_t self:capability { fowner setpcap setuid setgid dac_read_search dac_override };
  allow newrole_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
  allow newrole_t self:process setexec;
  allow newrole_t self:fd use;
@@ -44899,7 +45001,7 @@ index dc46420..67f4de1 100644
 +	dbus_read_pid_files(setfiles_domain)
  ')
  
-+allow policy_manager_domain self:capability { dac_override sys_nice sys_resource };
++allow policy_manager_domain self:capability { dac_read_search dac_override sys_nice sys_resource };
 +dontaudit policy_manager_domain self:capability sys_tty_config;
 +allow policy_manager_domain self:process { signal setsched };
 +allow policy_manager_domain self:unix_stream_socket create_stream_socket_perms;
@@ -45675,7 +45777,7 @@ index 2cea692..e3cb4f2 100644
 +	files_etc_filetrans($1, net_conf_t, file)
 +')
 diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
-index a392fc4..b7497fc 100644
+index a392fc4..41a5b08 100644
 --- a/policy/modules/system/sysnetwork.te
 +++ b/policy/modules/system/sysnetwork.te
 @@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.15.4)
@@ -45717,11 +45819,13 @@ index a392fc4..b7497fc 100644
  
  ifdef(`distro_debian',`
  	init_daemon_run_dir(net_conf_t, "network")
-@@ -48,10 +61,11 @@ ifdef(`distro_debian',`
+@@ -47,11 +60,12 @@ ifdef(`distro_debian',`
+ #
  # DHCP client local policy
  #
- allow dhcpc_t self:capability { dac_override fsetid net_admin net_raw net_bind_service setpcap sys_nice sys_resource sys_tty_config };
+-allow dhcpc_t self:capability { dac_override fsetid net_admin net_raw net_bind_service setpcap sys_nice sys_resource sys_tty_config };
 -dontaudit dhcpc_t self:capability { sys_tty_config sys_ptrace };
++allow dhcpc_t self:capability { dac_read_search dac_override fsetid net_admin net_raw net_bind_service setpcap sys_nice sys_resource sys_tty_config };
 +dontaudit dhcpc_t self:capability sys_tty_config;
  # for access("/etc/bashrc", X_OK) on Red Hat
  dontaudit dhcpc_t self:capability { dac_read_search sys_module };
@@ -48035,7 +48139,7 @@ index 0000000..d1356af
 +')
 diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
 new file mode 100644
-index 0000000..54d6359
+index 0000000..35fc2b8
 --- /dev/null
 +++ b/policy/modules/system/systemd.te
 @@ -0,0 +1,1020 @@
@@ -48197,7 +48301,7 @@ index 0000000..54d6359
 +#
 +
 +# dac_override is for /run/user/$USER ($USER ownership is $USER:$USER)
-+allow systemd_logind_t self:capability { chown kill dac_override fowner sys_tty_config sys_admin };
++allow systemd_logind_t self:capability { chown kill dac_read_search dac_override fowner sys_tty_config sys_admin };
 +allow systemd_logind_t self:capability2 block_suspend;
 +allow systemd_logind_t self:process getcap;
 +allow systemd_logind_t self:netlink_kobject_uevent_socket create_socket_perms;
@@ -48359,7 +48463,7 @@ index 0000000..54d6359
 +# systemd_machined local policy
 +#
 +
-+allow systemd_machined_t self:capability { dac_override setgid sys_admin sys_chroot sys_ptrace kill };
++allow systemd_machined_t self:capability { dac_read_search dac_override setgid sys_admin sys_chroot sys_ptrace kill };
 +allow systemd_machined_t systemd_unit_file_t:service { status start }; 
 +allow systemd_machined_t self:unix_dgram_socket create_socket_perms;
 +
@@ -48414,7 +48518,7 @@ index 0000000..54d6359
 +# systemd-networkd local policy
 +#
 +
-+allow systemd_networkd_t self:capability { dac_override net_admin net_raw setuid fowner chown setgid setpcap };
++allow systemd_networkd_t self:capability { dac_read_search dac_override net_admin net_raw setuid fowner chown setgid setpcap };
 +allow systemd_networkd_t self:process { getcap setcap };
 +
 +allow systemd_networkd_t self:netlink_kobject_uevent_socket create_socket_perms;
@@ -48477,7 +48581,7 @@ index 0000000..54d6359
 +# Local policy
 +#
 +
-+allow systemd_passwd_agent_t self:capability { chown sys_tty_config dac_override };
++allow systemd_passwd_agent_t self:capability { chown sys_tty_config dac_read_search dac_override };
 +allow systemd_passwd_agent_t self:process { setsockcreate };
 +allow systemd_passwd_agent_t self:unix_dgram_socket create_socket_perms;
 +
@@ -48521,7 +48625,7 @@ index 0000000..54d6359
 +# Local policy
 +#
 +
-+allow systemd_tmpfiles_t self:capability { chown dac_override fsetid fowner mknod sys_admin };
++allow systemd_tmpfiles_t self:capability { chown dac_read_search dac_override fsetid fowner mknod sys_admin };
 +allow systemd_tmpfiles_t self:process { setfscreate };
 +
 +allow systemd_tmpfiles_t self:unix_dgram_socket create_socket_perms;
@@ -48792,7 +48896,7 @@ index 0000000..54d6359
 +# Timedated policy
 +#
 +
-+allow systemd_timedated_t self:capability { sys_nice sys_time dac_override };
++allow systemd_timedated_t self:capability { sys_nice sys_time dac_read_search dac_override };
 +allow systemd_timedated_t self:process { getattr getsched setfscreate };
 +allow systemd_timedated_t self:fifo_file rw_fifo_file_perms;
 +allow systemd_timedated_t self:unix_stream_socket create_stream_socket_perms;
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index cffafc09..9b20fd09 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -589,7 +589,7 @@ index 058d908..ee0c559 100644
 +')
 +
 diff --git a/abrt.te b/abrt.te
-index eb50f07..f893465 100644
+index eb50f07..4e5a592 100644
 --- a/abrt.te
 +++ b/abrt.te
 @@ -6,11 +6,10 @@ policy_module(abrt, 1.4.1)
@@ -1081,7 +1081,7 @@ index eb50f07..f893465 100644
  #
  
 -allow abrt_dump_oops_t self:capability dac_override;
-+allow abrt_dump_oops_t self:capability { kill net_admin sys_ptrace ipc_lock fowner chown fsetid dac_override setuid setgid };
++allow abrt_dump_oops_t self:capability { kill net_admin sys_ptrace ipc_lock fowner chown fsetid dac_read_search dac_override setuid setgid };
 +allow abrt_dump_oops_t self:cap_userns { kill sys_ptrace };
 +allow abrt_dump_oops_t self:process {setfscreate setcap};
  allow abrt_dump_oops_t self:fifo_file rw_fifo_file_perms;
@@ -1180,7 +1180,7 @@ index eb50f07..f893465 100644
  # Upload watch local policy
  #
  
-+allow abrt_upload_watch_t self:capability { dac_override chown fsetid };
++allow abrt_upload_watch_t self:capability { dac_read_search dac_override chown fsetid };
 +
 +manage_files_pattern(abrt_upload_watch_t, abrt_upload_watch_tmp_t, abrt_upload_watch_tmp_t)
 +manage_dirs_pattern(abrt_upload_watch_t, abrt_upload_watch_tmp_t, abrt_upload_watch_tmp_t)
@@ -1296,7 +1296,7 @@ index bd5ec9a..554177c 100644
 +	allow $1 accountsd_unit_file_t:service all_service_perms;
  ')
 diff --git a/accountsd.te b/accountsd.te
-index 3593510..9617b13 100644
+index 3593510..7c13845 100644
 --- a/accountsd.te
 +++ b/accountsd.te
 @@ -4,6 +4,10 @@ gen_require(`
@@ -1310,7 +1310,7 @@ index 3593510..9617b13 100644
  ########################################
  #
  # Declarations
-@@ -11,11 +15,15 @@ gen_require(`
+@@ -11,17 +15,21 @@ gen_require(`
  
  type accountsd_t;
  type accountsd_exec_t;
@@ -1327,6 +1327,13 @@ index 3593510..9617b13 100644
  ########################################
  #
  # Local policy
+ #
+ 
+-allow accountsd_t self:capability { chown dac_override setuid setgid sys_ptrace };
++allow accountsd_t self:capability { chown dac_read_search dac_override setuid setgid sys_ptrace };
+ allow accountsd_t self:process signal;
+ allow accountsd_t self:fifo_file rw_fifo_file_perms;
+ allow accountsd_t self:passwd { rootok passwd chfn chsh };
 @@ -38,7 +46,6 @@ corecmd_exec_bin(accountsd_t)
  dev_read_sysfs(accountsd_t)
  
@@ -1531,9 +1538,18 @@ index 3b41be6..97d99f9 100644
  	afs_initrc_domtrans($1)
  	domain_system_change_exemption($1)
 diff --git a/afs.te b/afs.te
-index 90ce637..07db31b 100644
+index 90ce637..8cf712d 100644
 --- a/afs.te
 +++ b/afs.te
+@@ -72,7 +72,7 @@ role system_r types afs_vlserver_t;
+ # afs client local policy
+ #
+ 
+-allow afs_t self:capability { dac_override sys_admin sys_nice sys_tty_config };
++allow afs_t self:capability { dac_read_search dac_override sys_admin sys_nice sys_tty_config };
+ allow afs_t self:process { setsched signal };
+ allow afs_t self:fifo_file rw_file_perms;
+ allow afs_t self:unix_stream_socket { accept listen };
 @@ -83,8 +83,16 @@ files_var_filetrans(afs_t, afs_cache_t, { file dir })
  
  kernel_rw_afs_state(afs_t)
@@ -1586,7 +1602,7 @@ index 90ce637..07db31b 100644
  corenet_all_recvfrom_netlabel(afs_bosserver_t)
  corenet_udp_sendrecv_generic_if(afs_bosserver_t)
  corenet_udp_sendrecv_generic_node(afs_bosserver_t)
-@@ -136,10 +152,13 @@ corenet_sendrecv_afs_bos_server_packets(afs_bosserver_t)
+@@ -136,24 +152,24 @@ corenet_sendrecv_afs_bos_server_packets(afs_bosserver_t)
  corenet_udp_sendrecv_afs_bos_port(afs_bosserver_t)
  
  files_list_home(afs_bosserver_t)
@@ -1601,7 +1617,12 @@ index 90ce637..07db31b 100644
  ########################################
  #
  # fileserver local policy
-@@ -151,9 +170,6 @@ allow afs_fsserver_t self:process { setsched signal_perms };
+ #
+ 
+-allow afs_fsserver_t self:capability { kill dac_override chown fowner sys_nice };
++allow afs_fsserver_t self:capability { kill dac_read_search dac_override chown fowner sys_nice };
+ dontaudit afs_fsserver_t self:capability fsetid;
+ allow afs_fsserver_t self:process { setsched signal_perms };
  allow afs_fsserver_t self:fifo_file rw_fifo_file_perms;
  allow afs_fsserver_t self:tcp_socket create_stream_socket_perms;
  
@@ -1785,7 +1806,7 @@ index 01cbb67..94a4a24 100644
  
  	files_list_etc($1)
 diff --git a/aide.te b/aide.te
-index 03831e6..94a723f 100644
+index 03831e6..3d35fff 100644
 --- a/aide.te
 +++ b/aide.te
 @@ -10,6 +10,7 @@ attribute_role aide_roles;
@@ -1801,7 +1822,7 @@ index 03831e6..94a723f 100644
  #
  
 -allow aide_t self:capability { dac_override fowner };
-+allow aide_t self:capability { dac_override fowner ipc_lock sys_admin };
++allow aide_t self:capability { dac_read_search dac_override fowner ipc_lock sys_admin };
 +allow aide_t self:process signal;
  
  manage_files_pattern(aide_t, aide_db_t, aide_db_t)
@@ -2296,7 +2317,7 @@ index 7f4dfbc..e5c9f45 100644
  /usr/sbin/amrecover	--	gen_context(system_u:object_r:amanda_recover_exec_t,s0)
  
 diff --git a/amanda.te b/amanda.te
-index 519051c..8b7ad5f 100644
+index 519051c..89302e2 100644
 --- a/amanda.te
 +++ b/amanda.te
 @@ -9,11 +9,14 @@ attribute_role amanda_recover_roles;
@@ -2333,7 +2354,7 @@ index 519051c..8b7ad5f 100644
  
 -allow amanda_t self:capability { chown dac_override setuid kill };
 -allow amanda_t self:process { setpgid signal };
-+allow amanda_t self:capability { chown dac_override setuid kill sys_admin };
++allow amanda_t self:capability { chown dac_read_search dac_override setuid kill sys_admin };
 +allow amanda_t self:process { getsched setsched setpgid signal };
  allow amanda_t self:fifo_file rw_fifo_file_perms;
  allow amanda_t self:unix_stream_socket { accept listen };
@@ -2398,6 +2419,15 @@ index 519051c..8b7ad5f 100644
  
  auth_use_nsswitch(amanda_t)
  auth_read_shadow(amanda_t)
+@@ -141,7 +157,7 @@ logging_send_syslog_msg(amanda_t)
+ # Recover local policy
+ #
+ 
+-allow amanda_recover_t self:capability { fowner fsetid kill setgid setuid chown dac_override };
++allow amanda_recover_t self:capability { fowner fsetid kill setgid setuid chown dac_read_search dac_override };
+ allow amanda_recover_t self:process { sigkill sigstop signal };
+ allow amanda_recover_t self:fifo_file rw_fifo_file_perms;
+ allow amanda_recover_t self:unix_stream_socket create_socket_perms;
 @@ -170,7 +186,6 @@ kernel_read_system_state(amanda_recover_t)
  corecmd_exec_shell(amanda_recover_t)
  corecmd_exec_bin(amanda_recover_t)
@@ -2497,10 +2527,10 @@ index 60d4f8c..18ef077 100644
   	domain_system_change_exemption($1)
   	role_transition $2 amavis_initrc_exec_t system_r;
 diff --git a/amavis.te b/amavis.te
-index 91fa72a..0b1afd6 100644
+index 91fa72a..1736250 100644
 --- a/amavis.te
 +++ b/amavis.te
-@@ -39,7 +39,7 @@ type amavis_quarantine_t;
+@@ -39,14 +39,14 @@ type amavis_quarantine_t;
  files_type(amavis_quarantine_t)
  
  type amavis_spool_t;
@@ -2509,6 +2539,14 @@ index 91fa72a..0b1afd6 100644
  
  ########################################
  #
+ # Local policy
+ #
+ 
+-allow amavis_t self:capability { kill chown dac_override setgid setuid };
++allow amavis_t self:capability { kill chown dac_read_search  dac_override setgid setuid };
+ dontaudit amavis_t self:capability sys_tty_config;
+ allow amavis_t self:process signal_perms;
+ allow amavis_t self:fifo_file rw_fifo_file_perms;
 @@ -67,9 +67,12 @@ manage_lnk_files_pattern(amavis_t, amavis_spool_t, amavis_spool_t)
  manage_sock_files_pattern(amavis_t, amavis_spool_t, amavis_spool_t)
  filetrans_pattern(amavis_t, amavis_spool_t, amavis_var_run_t, sock_file)
@@ -3242,7 +3280,7 @@ index 0000000..36251b9
 +')
 diff --git a/antivirus.te b/antivirus.te
 new file mode 100644
-index 0000000..c679dd3
+index 0000000..d202f69
 --- /dev/null
 +++ b/antivirus.te
 @@ -0,0 +1,274 @@
@@ -3312,7 +3350,7 @@ index 0000000..c679dd3
 +# antivirus domain local policy
 +#
 +
-+allow antivirus_domain self:capability { dac_override chown kill fsetid setgid setuid sys_admin };
++allow antivirus_domain self:capability { dac_read_search dac_override chown kill fsetid setgid setuid sys_admin };
 +dontaudit antivirus_domain self:capability sys_tty_config;
 +allow antivirus_domain self:process signal_perms;
 +
@@ -5537,7 +5575,7 @@ index f6eb485..fe461a3 100644
 +		ps_process_pattern(httpd_t, $1)
  ')
 diff --git a/apache.te b/apache.te
-index 6649962..516985d 100644
+index 6649962..6dd10dd 100644
 --- a/apache.te
 +++ b/apache.te
 @@ -5,280 +5,346 @@ policy_module(apache, 2.7.2)
@@ -6175,7 +6213,7 @@ index 6649962..516985d 100644
  
 -allow httpd_t self:capability { chown dac_override kill setgid setuid sys_nice sys_tty_config };
 -dontaudit httpd_t self:capability net_admin;
-+allow httpd_t self:capability { chown dac_override kill setgid setuid sys_nice sys_tty_config sys_chroot };
++allow httpd_t self:capability { chown dac_read_search dac_override kill setgid setuid sys_nice sys_tty_config sys_chroot };
 +dontaudit httpd_t self:capability { net_admin sys_tty_config };
  allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  allow httpd_t self:fd use;
@@ -7681,7 +7719,8 @@ index 6649962..516985d 100644
 +# httpd_rotatelogs local policy
  #
  
- allow httpd_rotatelogs_t self:capability dac_override;
+-allow httpd_rotatelogs_t self:capability dac_override;
++allow httpd_rotatelogs_t self:capability { dac_read_search dac_override };
  
  manage_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t)
 -read_lnk_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t)
@@ -8054,10 +8093,10 @@ index f3c0aba..f6e25ed 100644
 +	files_etc_filetrans(apcupsd_t, apcupsd_power_t, file, "powerfail")
  ')
 diff --git a/apcupsd.te b/apcupsd.te
-index 080bc4d..f46078f 100644
+index 080bc4d..a78dbce 100644
 --- a/apcupsd.te
 +++ b/apcupsd.te
-@@ -24,6 +24,12 @@ files_tmp_file(apcupsd_tmp_t)
+@@ -24,12 +24,18 @@ files_tmp_file(apcupsd_tmp_t)
  type apcupsd_var_run_t;
  files_pid_file(apcupsd_var_run_t)
  
@@ -8070,6 +8109,13 @@ index 080bc4d..f46078f 100644
  ########################################
  #
  # Local policy
+ #
+ 
+-allow apcupsd_t self:capability { dac_override setgid sys_tty_config };
++allow apcupsd_t self:capability { dac_read_search dac_override setgid sys_tty_config };
+ allow apcupsd_t self:process signal;
+ allow apcupsd_t self:fifo_file rw_file_perms;
+ allow apcupsd_t self:unix_stream_socket create_stream_socket_perms;
 @@ -38,9 +44,10 @@ allow apcupsd_t self:tcp_socket create_stream_socket_perms;
  allow apcupsd_t apcupsd_lock_t:file manage_file_perms;
  files_lock_filetrans(apcupsd_t, apcupsd_lock_t, file)
@@ -8262,7 +8308,7 @@ index 1a7a97e..2c7252a 100644
  	domain_system_change_exemption($1)
  	role_transition $2 apmd_initrc_exec_t system_r;
 diff --git a/apm.te b/apm.te
-index 7fd431b..a1b6c41 100644
+index 7fd431b..f944ecc 100644
 --- a/apm.te
 +++ b/apm.te
 @@ -35,12 +35,15 @@ files_type(apmd_var_lib_t)
@@ -8278,7 +8324,7 @@ index 7fd431b..a1b6c41 100644
  #
  
 -allow apm_t self:capability { dac_override sys_admin };
-+allow apm_t self:capability { dac_override sys_admin sys_resource };
++allow apm_t self:capability { dac_read_search dac_override sys_admin sys_resource };
  
  kernel_read_system_state(apm_t)
  
@@ -8391,9 +8437,18 @@ index cde81d2..2fe0201 100644
  ')
  
 diff --git a/apt.te b/apt.te
-index efa8530..f928b63 100644
+index efa8530..ae5d0c9 100644
 --- a/apt.te
 +++ b/apt.te
+@@ -39,7 +39,7 @@ logging_log_file(apt_var_log_t)
+ # Local policy
+ #
+ 
+-allow apt_t self:capability { chown dac_override fowner fsetid };
++allow apt_t self:capability { chown dac_read_search dac_override fowner fsetid };
+ allow apt_t self:process { signal setpgid fork };
+ allow apt_t self:fd use;
+ allow apt_t self:fifo_file rw_fifo_file_perms;
 @@ -85,7 +85,6 @@ kernel_read_kernel_sysctls(apt_t)
  corecmd_exec_bin(apt_t)
  corecmd_exec_shell(apt_t)
@@ -8590,7 +8645,7 @@ index 2077053..198a02a 100644
  	domain_system_change_exemption($1)
  	role_transition $2 asterisk_initrc_exec_t system_r;
 diff --git a/asterisk.te b/asterisk.te
-index 7e41350..e8e1672 100644
+index 7e41350..1e0f4c4 100644
 --- a/asterisk.te
 +++ b/asterisk.te
 @@ -19,7 +19,7 @@ type asterisk_log_t;
@@ -8602,6 +8657,15 @@ index 7e41350..e8e1672 100644
  
  type asterisk_tmp_t;
  files_tmp_file(asterisk_tmp_t)
+@@ -39,7 +39,7 @@ init_daemon_run_dir(asterisk_var_run_t, "asterisk")
+ # Local policy
+ #
+ 
+-allow asterisk_t self:capability { dac_override chown setgid setuid sys_nice net_admin };
++allow asterisk_t self:capability { dac_read_search dac_override chown setgid setuid sys_nice net_admin };
+ dontaudit asterisk_t self:capability { sys_module sys_tty_config };
+ allow asterisk_t self:process { getsched setsched signal_perms getcap setcap };
+ allow asterisk_t self:fifo_file rw_fifo_file_perms;
 @@ -73,11 +73,11 @@ fs_tmpfs_filetrans(asterisk_t, asterisk_tmpfs_t, { dir file lnk_file sock_file f
  
  manage_files_pattern(asterisk_t, asterisk_var_lib_t, asterisk_var_lib_t)
@@ -8941,7 +9005,7 @@ index f24e369..4484a98 100644
 +	allow $1 automount_unit_file_t:service all_service_perms;
  ')
 diff --git a/automount.te b/automount.te
-index 27d2f40..daed3ef 100644
+index 27d2f40..1297f5b 100644
 --- a/automount.te
 +++ b/automount.te
 @@ -22,6 +22,9 @@ type automount_tmp_t;
@@ -8959,7 +9023,7 @@ index 27d2f40..daed3ef 100644
  #
  
 -allow automount_t self:capability { setgid setuid sys_nice sys_resource dac_override sys_admin };
-+allow automount_t self:capability {  setgid setuid sys_nice sys_resource dac_override sys_admin };
++allow automount_t self:capability {  setgid setuid sys_nice sys_resource dac_read_search dac_override sys_admin };
 +allow automount_t self:capability2 block_suspend;
  dontaudit automount_t self:capability sys_tty_config;
  allow automount_t self:process { signal_perms getpgid setpgid setsched setrlimit };
@@ -9104,10 +9168,10 @@ index 9078c3d..2f6b250 100644
 +	allow $1 avahi_unit_file_t:service all_service_perms;
  ')
 diff --git a/avahi.te b/avahi.te
-index b8355b3..ad2aa45 100644
+index b8355b3..51ce1b6 100644
 --- a/avahi.te
 +++ b/avahi.te
-@@ -13,10 +13,14 @@ type avahi_initrc_exec_t;
+@@ -13,17 +13,21 @@ type avahi_initrc_exec_t;
  init_script_file(avahi_initrc_exec_t)
  
  type avahi_var_lib_t;
@@ -9123,6 +9187,14 @@ index b8355b3..ad2aa45 100644
  
  ########################################
  #
+ # Local policy
+ #
+ 
+-allow avahi_t self:capability { dac_override setgid chown fowner kill net_admin net_raw setuid sys_chroot };
++allow avahi_t self:capability { dac_read_search dac_override setgid chown fowner kill net_admin net_raw setuid sys_chroot };
+ dontaudit avahi_t self:capability sys_tty_config;
+ allow avahi_t self:process { setrlimit signal_perms getcap setcap };
+ allow avahi_t self:fifo_file rw_fifo_file_perms;
 @@ -49,7 +53,6 @@ kernel_request_load_module(avahi_t)
  corecmd_exec_bin(avahi_t)
  corecmd_exec_shell(avahi_t)
@@ -9231,9 +9303,18 @@ index c1b16c3..ffbf2cb 100644
 +read_files_pattern(awstats_script_t, awstats_var_lib_t, awstats_var_lib_t)
 +files_search_var_lib(awstats_script_t)
 diff --git a/backup.te b/backup.te
-index 7811450..d8a8bd6 100644
+index 7811450..e787033 100644
 --- a/backup.te
 +++ b/backup.te
+@@ -21,7 +21,7 @@ files_type(backup_store_t)
+ # Local policy
+ #
+ 
+-allow backup_t self:capability dac_override;
++allow backup_t self:capability { dac_read_search  dac_override };
+ allow backup_t self:process signal;
+ allow backup_t self:fifo_file rw_fifo_file_perms;
+ allow backup_t self:tcp_socket create_socket_perms;
 @@ -38,7 +38,6 @@ kernel_read_kernel_sysctls(backup_t)
  corecmd_exec_bin(backup_t)
  corecmd_exec_shell(backup_t)
@@ -9827,7 +9908,7 @@ index 531a8f2..3fcf187 100644
 +	allow $1 named_unit_file_t:service all_service_perms;
  ')
 diff --git a/bind.te b/bind.te
-index 1241123..fc5eb99 100644
+index 1241123..73543d3 100644
 --- a/bind.te
 +++ b/bind.te
 @@ -34,7 +34,7 @@ type named_checkconf_exec_t;
@@ -9854,7 +9935,7 @@ index 1241123..fc5eb99 100644
  #
  
 -allow named_t self:capability { chown dac_override fowner setgid setuid sys_chroot sys_nice sys_resource };
-+allow named_t self:capability { chown dac_override fowner net_admin net_raw setgid setuid sys_chroot sys_nice sys_resource };
++allow named_t self:capability { chown dac_read_search dac_override fowner net_admin net_raw setgid setuid sys_chroot sys_nice sys_resource };
  dontaudit named_t self:capability sys_tty_config;
 +allow named_t self:capability2 block_suspend;
  allow named_t self:process { setsched getcap setcap setrlimit signal_perms };
@@ -9958,11 +10039,13 @@ index 1241123..fc5eb99 100644
  	kerberos_use(named_t)
  ')
  
-@@ -215,7 +251,8 @@ optional_policy(`
+@@ -214,8 +250,9 @@ optional_policy(`
+ # NDC local policy
  #
  
- allow ndc_t self:capability { dac_override net_admin };
+-allow ndc_t self:capability { dac_override net_admin };
 -allow ndc_t self:process signal_perms;
++allow ndc_t self:capability { dac_read_search dac_override net_admin };
 +allow ndc_t self:capability2 block_suspend;
 +allow ndc_t self:process { fork signal_perms };
  allow ndc_t self:fifo_file rw_fifo_file_perms;
@@ -10044,12 +10127,15 @@ index e73fb79..2badfc0 100644
  	domain_system_change_exemption($1)
  	role_transition $2 bitlbee_initrc_exec_t system_r;
 diff --git a/bitlbee.te b/bitlbee.te
-index f5c1a48..d8e7d55 100644
+index f5c1a48..102fa8e 100644
 --- a/bitlbee.te
 +++ b/bitlbee.te
-@@ -35,9 +35,12 @@ files_pid_file(bitlbee_var_run_t)
+@@ -33,11 +33,14 @@ files_pid_file(bitlbee_var_run_t)
+ # Local policy
+ #
  
- allow bitlbee_t self:capability { dac_override kill setgid setuid sys_nice };
+-allow bitlbee_t self:capability { dac_override kill setgid setuid sys_nice };
++allow bitlbee_t self:capability { dac_read_search dac_override kill setgid setuid sys_nice };
  allow bitlbee_t self:process { setsched signal };
 +
  allow bitlbee_t self:fifo_file rw_fifo_file_perms;
@@ -10577,10 +10663,10 @@ index c723a0a..1c29d21 100644
 +	allow $1 bluetooth_unit_file_t:service all_service_perms;
  ')
 diff --git a/bluetooth.te b/bluetooth.te
-index 851769e..3dc3f36 100644
+index 851769e..4b11e96 100644
 --- a/bluetooth.te
 +++ b/bluetooth.te
-@@ -49,6 +49,9 @@ files_type(bluetooth_var_lib_t)
+@@ -49,12 +49,15 @@ files_type(bluetooth_var_lib_t)
  type bluetooth_var_run_t;
  files_pid_file(bluetooth_var_run_t)
  
@@ -10590,6 +10676,13 @@ index 851769e..3dc3f36 100644
  ########################################
  #
  # Local policy
+ #
+ 
+-allow bluetooth_t self:capability { dac_override net_bind_service net_admin net_raw setpcap sys_admin sys_tty_config ipc_lock };
++allow bluetooth_t self:capability { dac_read_search dac_override net_bind_service net_admin net_raw setpcap sys_admin sys_tty_config ipc_lock };
+ dontaudit bluetooth_t self:capability sys_tty_config;
+ allow bluetooth_t self:process { getcap setcap getsched signal_perms };
+ allow bluetooth_t self:fifo_file rw_fifo_file_perms;
 @@ -78,7 +81,8 @@ files_lock_filetrans(bluetooth_t, bluetooth_lock_t, file)
  
  manage_dirs_pattern(bluetooth_t, bluetooth_tmp_t, bluetooth_tmp_t)
@@ -11918,7 +12011,7 @@ index 8de2ab9..3b41945 100644
 +	domtrans_pattern($1, cachefilesd_exec_t, cachefilesd_t)
  ')
 diff --git a/cachefilesd.te b/cachefilesd.te
-index a3760bc..660e5d3 100644
+index a3760bc..22ed920 100644
 --- a/cachefilesd.te
 +++ b/cachefilesd.te
 @@ -1,52 +1,125 @@
@@ -11981,6 +12074,7 @@ index a3760bc..660e5d3 100644
 +	rpm_use_script_fds(cachefilesd_t)
 +')
  
+-allow cachefilesd_t self:capability { setuid setgid sys_admin dac_override };
 +###############################################################################
 +#
 +# cachefilesd local policy
@@ -11993,7 +12087,7 @@ index a3760bc..660e5d3 100644
 +# Check in /usr/share/selinux/devel/include/ for macros to use instead of allow
 +# rules.
 +#
- allow cachefilesd_t self:capability { setuid setgid sys_admin dac_override };
++allow cachefilesd_t self:capability { setuid setgid sys_admin dac_read_search dac_override };
 +allow cachefilesd_t self:process signal_perms;
  
 +# Allow manipulation of pid file
@@ -12082,9 +12176,18 @@ index cd9c528..ba793b7 100644
  ')
  
 diff --git a/calamaris.te b/calamaris.te
-index 7e57460..b0cf254 100644
+index 7e57460..8d8cd78 100644
 --- a/calamaris.te
 +++ b/calamaris.te
+@@ -23,7 +23,7 @@ files_type(calamaris_www_t)
+ # Local policy
+ #
+ 
+-allow calamaris_t self:capability dac_override;
++allow calamaris_t self:capability { dac_read_search dac_override };
+ allow calamaris_t self:process { signal_perms setsched };
+ allow calamaris_t self:fifo_file rw_fifo_file_perms;
+ allow calamaris_t self:unix_stream_socket { accept listen };
 @@ -41,19 +41,23 @@ kernel_read_system_state(calamaris_t)
  
  corecmd_exec_bin(calamaris_t)
@@ -12268,9 +12371,18 @@ index fbc20f6..4de4a00 100644
  	ps_process_pattern($2, cdrecord_t)
  ')
 diff --git a/cdrecord.te b/cdrecord.te
-index 16883c9..0f4ccb0 100644
+index 16883c9..97e9a42 100644
 --- a/cdrecord.te
 +++ b/cdrecord.te
+@@ -29,7 +29,7 @@ role cdrecord_roles types cdrecord_t;
+ # Local policy
+ #
+ 
+-allow cdrecord_t self:capability { ipc_lock sys_nice setuid dac_override sys_rawio };
++allow cdrecord_t self:capability { ipc_lock sys_nice setuid dac_read_search dac_override sys_rawio };
+ allow cdrecord_t self:process { getcap getsched setrlimit setsched sigkill };
+ allow cdrecord_t self:unix_stream_socket { accept listen };
+ 
 @@ -41,8 +41,6 @@ dev_read_sysfs(cdrecord_t)
  domain_interactive_fd(cdrecord_t)
  domain_use_interactive_fds(cdrecord_t)
@@ -12947,7 +13059,7 @@ index 85ca63f..1d1c99c 100644
  	admin_pattern($1, { cgconfig_etc_t cgrules_etc_t })
  	files_list_etc($1)
 diff --git a/cgroup.te b/cgroup.te
-index 80a88a2..71c25c3 100644
+index 80a88a2..514eb47 100644
 --- a/cgroup.te
 +++ b/cgroup.te
 @@ -25,8 +25,8 @@ files_pid_file(cgred_var_run_t)
@@ -12975,7 +13087,15 @@ index 80a88a2..71c25c3 100644
  domain_setpriority_all_domains(cgclear_t)
  
  fs_manage_cgroup_dirs(cgclear_t)
-@@ -64,23 +66,26 @@ allow cgconfig_t cgconfig_etc_t:file read_file_perms;
+@@ -57,30 +59,33 @@ fs_unmount_cgroup(cgclear_t)
+ # cgconfig local policy
+ #
+ 
+-allow cgconfig_t self:capability { dac_override fowner fsetid chown sys_admin sys_tty_config };
++allow cgconfig_t self:capability { dac_read_search dac_override fowner fsetid chown sys_admin sys_tty_config };
+ 
+ allow cgconfig_t cgconfig_etc_t:file read_file_perms;
+ 
  kernel_list_unlabeled(cgconfig_t)
  kernel_read_system_state(cgconfig_t)
  
@@ -12993,7 +13113,7 @@ index 80a88a2..71c25c3 100644
  #
  # cgred local policy
  #
-+allow cgred_t self:capability { chown fsetid net_admin sys_admin dac_override sys_ptrace };
++allow cgred_t self:capability { chown fsetid net_admin sys_admin dac_read_search dac_override sys_ptrace };
 +allow cgred_t self:process signal_perms;
  
 -allow cgred_t self:capability { chown fsetid net_admin sys_admin sys_ptrace dac_override };
@@ -13183,7 +13303,7 @@ index 0000000..aa308eb
 +')
 diff --git a/chrome.te b/chrome.te
 new file mode 100644
-index 0000000..5955ff0
+index 0000000..435a5cd
 --- /dev/null
 +++ b/chrome.te
 @@ -0,0 +1,256 @@
@@ -13221,7 +13341,7 @@ index 0000000..5955ff0
 +# chrome_sandbox local policy
 +#
 +allow chrome_sandbox_t self:capability2 block_suspend;
-+allow chrome_sandbox_t self:capability { chown dac_override fsetid setgid setuid sys_admin sys_chroot sys_ptrace };
++allow chrome_sandbox_t self:capability { chown dac_read_search dac_override fsetid setgid setuid sys_admin sys_chroot sys_ptrace };
 +dontaudit chrome_sandbox_t self:capability sys_nice;
 +allow chrome_sandbox_t self:process { signal_perms setrlimit execmem execstack };
 +allow chrome_sandbox_t self:process setsched;
@@ -13652,7 +13772,7 @@ index 32e8265..ac74503 100644
 +	allow $1 chronyd_unit_file_t:service all_service_perms;
  ')
 diff --git a/chronyd.te b/chronyd.te
-index e5b621c..ded8e64 100644
+index e5b621c..cfc64f1 100644
 --- a/chronyd.te
 +++ b/chronyd.te
 @@ -18,6 +18,9 @@ files_type(chronyd_keys_t)
@@ -13671,7 +13791,7 @@ index e5b621c..ded8e64 100644
  
 -allow chronyd_t self:capability { dac_override ipc_lock setuid setgid sys_resource sys_time };
 -allow chronyd_t self:process { getcap setcap setrlimit signal };
-+allow chronyd_t self:capability { dac_override ipc_lock fsetid setuid setgid sys_nice sys_resource sys_time chown net_admin };
++allow chronyd_t self:capability { dac_read_search dac_override ipc_lock fsetid setuid setgid sys_nice sys_resource sys_time chown net_admin };
 +allow chronyd_t self:process { getsched setsched getcap setcap setrlimit signal };
  allow chronyd_t self:shm create_shm_perms;
 +allow chronyd_t self:udp_socket create_socket_perms;
@@ -14290,7 +14410,7 @@ index 4cc4a5c..a6c6322 100644
 +
  ')
 diff --git a/clamav.te b/clamav.te
-index ce3836a..8dc2b45 100644
+index ce3836a..10595e6 100644
 --- a/clamav.te
 +++ b/clamav.te
 @@ -18,7 +18,7 @@ gen_tunable(clamav_read_all_non_security_files_clamscan, false)
@@ -14312,8 +14432,12 @@ index ce3836a..8dc2b45 100644
  type clamd_tmp_t;
  files_tmp_file(clamd_tmp_t)
  
-@@ -73,6 +76,7 @@ logging_log_file(freshclam_var_log_t)
- allow clamd_t self:capability { kill setgid setuid dac_override };
+@@ -70,9 +73,10 @@ logging_log_file(freshclam_var_log_t)
+ # Clamd local policy
+ #
+ 
+-allow clamd_t self:capability { kill setgid setuid dac_override };
++allow clamd_t self:capability { kill setgid setuid dac_read_search dac_override };
  dontaudit clamd_t self:capability sys_tty_config;
  allow clamd_t self:process signal;
 +
@@ -14356,7 +14480,7 @@ index ce3836a..8dc2b45 100644
  	amavis_create_pid_files(clamd_t)
  ')
  
-@@ -165,6 +161,31 @@ optional_policy(`
+@@ -165,12 +161,37 @@ optional_policy(`
  	mta_send_mail(clamd_t)
  ')
  
@@ -14388,6 +14512,13 @@ index ce3836a..8dc2b45 100644
  ########################################
  #
  # Freshclam local policy
+ #
+ 
+-allow freshclam_t self:capability { setgid setuid dac_override };
++allow freshclam_t self:capability { setgid setuid dac_read_search dac_override };
+ allow freshclam_t self:fifo_file rw_fifo_file_perms;
+ allow freshclam_t self:unix_stream_socket { accept listen };
+ allow freshclam_t self:tcp_socket { accept listen };
 @@ -228,7 +249,6 @@ auth_use_nsswitch(freshclam_t)
  
  logging_send_syslog_msg(freshclam_t)
@@ -14407,6 +14538,15 @@ index ce3836a..8dc2b45 100644
  	cron_system_entry(freshclam_t, freshclam_exec_t)
  ')
  
+@@ -249,7 +273,7 @@ optional_policy(`
+ # Clamscam local policy
+ #
+ 
+-allow clamscan_t self:capability { setgid setuid dac_override };
++allow clamscan_t self:capability { setgid setuid dac_read_search dac_override };
+ allow clamscan_t self:fifo_file rw_fifo_file_perms;
+ allow clamscan_t self:unix_stream_socket create_stream_socket_perms;
+ allow clamscan_t self:unix_dgram_socket create_socket_perms;
 @@ -275,7 +299,6 @@ kernel_dontaudit_list_proc(clamscan_t)
  kernel_read_kernel_sysctls(clamscan_t)
  kernel_read_system_state(clamscan_t)
@@ -14650,7 +14790,7 @@ index 0000000..55fe0d6
 +')
 diff --git a/cloudform.te b/cloudform.te
 new file mode 100644
-index 0000000..27c0ed9
+index 0000000..21e6ae7
 --- /dev/null
 +++ b/cloudform.te
 @@ -0,0 +1,249 @@
@@ -14720,7 +14860,7 @@ index 0000000..27c0ed9
 +# cloud-init local policy
 +#
 +
-+allow cloud_init_t self:capability { fowner chown fsetid dac_override };
++allow cloud_init_t self:capability { fowner chown fsetid dac_read_search dac_override };
 +
 +allow cloud_init_t self:udp_socket create_socket_perms;
 +
@@ -14828,7 +14968,7 @@ index 0000000..27c0ed9
 +# deltacloudd local policy
 +#
 +
-+allow deltacloudd_t self:capability { dac_override setuid setgid };
++allow deltacloudd_t self:capability { dac_read_search dac_override setuid setgid };
 +
 +allow deltacloudd_t self:netlink_route_socket r_netlink_socket_perms;
 +allow deltacloudd_t self:udp_socket create_socket_perms;
@@ -15068,10 +15208,16 @@ index c223f81..8b567c1 100644
 -	admin_pattern($1, { httpd_cobbler_content_t httpd_cobbler_content_ra_t httpd_cobbler_content_rw_t })
  ')
 diff --git a/cobbler.te b/cobbler.te
-index 5f306dd..cf347c6 100644
+index 5f306dd..36fb0e4 100644
 --- a/cobbler.te
 +++ b/cobbler.te
-@@ -67,6 +67,7 @@ dontaudit cobblerd_t self:capability sys_tty_config;
+@@ -62,11 +62,12 @@ files_tmp_file(cobbler_tmp_t)
+ # Local policy
+ #
+ 
+-allow cobblerd_t self:capability { chown dac_override fowner fsetid sys_nice };
++allow cobblerd_t self:capability { chown dac_read_search dac_override fowner fsetid sys_nice };
+ dontaudit cobblerd_t self:capability sys_tty_config;
  allow cobblerd_t self:process { getsched setsched signal };
  allow cobblerd_t self:fifo_file rw_fifo_file_perms;
  allow cobblerd_t self:tcp_socket { accept listen };
@@ -15393,7 +15539,7 @@ index 0000000..d5920c0
 +')
 diff --git a/cockpit.te b/cockpit.te
 new file mode 100644
-index 0000000..d60494e
+index 0000000..b802a99
 --- /dev/null
 +++ b/cockpit.te
 @@ -0,0 +1,121 @@
@@ -15487,7 +15633,7 @@ index 0000000..d60494e
 +#
 +
 +# cockpit-session changes to the actual logged in user
-+allow cockpit_session_t self:capability { sys_admin dac_override setuid setgid sys_resource};
++allow cockpit_session_t self:capability { sys_admin dac_read_search dac_override setuid setgid sys_resource};
 +allow cockpit_session_t self:process { setexec setsched signal_perms setrlimit };
 +
 +read_files_pattern(cockpit_session_t, cockpit_var_lib_t, cockpit_var_lib_t)
@@ -15721,7 +15867,7 @@ index 954309e..6780142 100644
  ')
 +
 diff --git a/collectd.te b/collectd.te
-index 6471fa8..228b603 100644
+index 6471fa8..90a9319 100644
 --- a/collectd.te
 +++ b/collectd.te
 @@ -26,43 +26,61 @@ files_type(collectd_var_lib_t)
@@ -15743,7 +15889,7 @@ index 6471fa8..228b603 100644
  #
  
 -allow collectd_t self:capability { ipc_lock sys_nice };
-+allow collectd_t self:capability { ipc_lock net_raw net_admin sys_nice sys_ptrace dac_override setuid setgid };
++allow collectd_t self:capability { ipc_lock net_raw net_admin sys_nice sys_ptrace dac_read_search dac_override setuid setgid };
  allow collectd_t self:process { getsched setsched signal };
  allow collectd_t self:fifo_file rw_fifo_file_perms;
  allow collectd_t self:packet_socket create_socket_perms;
@@ -16545,7 +16691,7 @@ index 881d92f..a2d588a 100644
 +	')
  ')
 diff --git a/condor.te b/condor.te
-index ce9f040..e1e84a5 100644
+index ce9f040..2a52b42 100644
 --- a/condor.te
 +++ b/condor.te
 @@ -34,7 +34,7 @@ files_tmp_file(condor_startd_tmp_t)
@@ -16571,7 +16717,7 @@ index ce9f040..e1e84a5 100644
  # Global local policy
  #
  
-+allow condor_domain self:capability dac_override;
++allow condor_domain self:capability { dac_read_search dac_override };
 +allow condor_domain self:capability2 block_suspend;
 +
  allow condor_domain self:process signal_perms;
@@ -16671,12 +16817,21 @@ index ce9f040..e1e84a5 100644
  # Procd local policy
  #
  
- allow condor_procd_t self:capability { fowner chown kill dac_override sys_ptrace };
+-allow condor_procd_t self:capability { fowner chown kill dac_override sys_ptrace };
++allow condor_procd_t self:capability { fowner chown kill dac_read_search dac_override sys_ptrace };
 +allow condor_procd_t self:cap_userns { sys_ptrace };
  
  allow condor_procd_t condor_domain:process sigkill;
  
-@@ -206,6 +229,8 @@ allow condor_schedd_t condor_master_t:udp_socket getattr;
+@@ -199,13 +222,15 @@ domain_read_all_domains_state(condor_procd_t)
+ # Schedd local policy
+ #
+ 
+-allow condor_schedd_t self:capability { setuid chown setgid dac_override };
++allow condor_schedd_t self:capability { setuid chown setgid dac_read_search dac_override };
+ 
+ allow condor_schedd_t condor_master_t:tcp_socket rw_stream_socket_perms;
+ allow condor_schedd_t condor_master_t:udp_socket getattr;
  
  allow condor_schedd_t condor_var_lock_t:dir manage_file_perms;
  
@@ -16685,7 +16840,7 @@ index ce9f040..e1e84a5 100644
  domtrans_pattern(condor_schedd_t, condor_procd_exec_t, condor_procd_t)
  domtrans_pattern(condor_schedd_t, condor_startd_exec_t, condor_startd_t)
  
-@@ -214,6 +239,13 @@ manage_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t)
+@@ -214,12 +239,19 @@ manage_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t)
  relabel_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t)
  files_tmp_filetrans(condor_schedd_t, condor_schedd_tmp_t, { file dir })
  
@@ -16699,6 +16854,13 @@ index ce9f040..e1e84a5 100644
  #####################################
  #
  # Startd local policy
+ #
+ 
+-allow condor_startd_t self:capability { setuid net_admin setgid dac_override };
++allow condor_startd_t self:capability { setuid net_admin setgid dac_read_search dac_override };
+ allow condor_startd_t self:process execmem;
+ 
+ manage_dirs_pattern(condor_startd_t, condor_startd_tmp_t, condor_startd_tmp_t)
 @@ -238,11 +270,10 @@ domain_read_all_domains_state(condor_startd_t)
  mcs_process_set_categories(condor_startd_t)
  
@@ -17122,7 +17284,7 @@ index 5b830ec..78025c5 100644
 +	ps_process_pattern($1, consolekit_t)
 +')
 diff --git a/consolekit.te b/consolekit.te
-index bd18063..47c8fd0 100644
+index bd18063..94407f8 100644
 --- a/consolekit.te
 +++ b/consolekit.te
 @@ -19,21 +19,23 @@ type consolekit_var_run_t;
@@ -17137,7 +17299,8 @@ index bd18063..47c8fd0 100644
  # Local policy
  #
  
- allow consolekit_t self:capability { chown setuid setgid sys_tty_config dac_override sys_nice sys_ptrace };
+-allow consolekit_t self:capability { chown setuid setgid sys_tty_config dac_override sys_nice sys_ptrace };
++allow consolekit_t self:capability { chown setuid setgid sys_tty_config dac_read_search dac_override sys_nice sys_ptrace };
 +
  allow consolekit_t self:process { getsched signal };
  allow consolekit_t self:fifo_file rw_fifo_file_perms;
@@ -17357,10 +17520,10 @@ index 694a037..d859681 100644
 +	allow $1 corosync_unit_file_t:service all_service_perms;
  ')
 diff --git a/corosync.te b/corosync.te
-index d5aa1e4..837e0a8 100644
+index d5aa1e4..9a25701 100644
 --- a/corosync.te
 +++ b/corosync.te
-@@ -28,6 +28,9 @@ logging_log_file(corosync_var_log_t)
+@@ -28,12 +28,15 @@ logging_log_file(corosync_var_log_t)
  type corosync_var_run_t;
  files_pid_file(corosync_var_run_t)
  
@@ -17370,6 +17533,13 @@ index d5aa1e4..837e0a8 100644
  ########################################
  #
  # Local policy
+ #
+ 
+-allow corosync_t self:capability { dac_override fowner setuid setgid sys_nice sys_admin sys_resource ipc_lock };
++allow corosync_t self:capability { dac_read_search dac_override fowner setuid setgid sys_nice sys_admin sys_resource ipc_lock };
+ # for hearbeat
+ allow corosync_t self:capability { net_raw chown };
+ allow corosync_t self:process { setpgid setrlimit setsched signal signull };
 @@ -93,7 +96,6 @@ dev_read_urand(corosync_t)
  domain_read_all_domains_state(corosync_t)
  
@@ -17961,7 +18131,7 @@ index 10f820f..acdb179 100644
  	allow $1 courier_spool_t:fifo_file rw_fifo_file_perms;
  ')
 diff --git a/courier.te b/courier.te
-index ae3bc70..9090d75 100644
+index ae3bc70..d64452f 100644
 --- a/courier.te
 +++ b/courier.te
 @@ -18,7 +18,7 @@ type courier_etc_t;
@@ -17973,6 +18143,15 @@ index ae3bc70..9090d75 100644
  
  type courier_var_lib_t;
  files_type(courier_var_lib_t)
+@@ -34,7 +34,7 @@ mta_agent_executable(courier_exec_t)
+ # Common local policy
+ #
+ 
+-allow courier_domain self:capability dac_override;
++allow courier_domain self:capability { dac_read_search dac_override };
+ dontaudit courier_domain self:capability sys_tty_config;
+ allow courier_domain self:process { setpgid signal_perms };
+ allow courier_domain self:fifo_file rw_fifo_file_perms;
 @@ -51,7 +51,6 @@ manage_sock_files_pattern(courier_domain, courier_var_run_t, courier_var_run_t)
  files_pid_filetrans(courier_domain, courier_var_run_t, dir)
  
@@ -19354,7 +19533,7 @@ index 1303b30..f13c532 100644
 +    logging_log_filetrans($1, cron_log_t, $2, $3)
  ')
 diff --git a/cron.te b/cron.te
-index 7de3859..b66e53f 100644
+index 7de3859..61dcff6 100644
 --- a/cron.te
 +++ b/cron.te
 @@ -11,46 +11,54 @@ gen_require(`
@@ -20270,7 +20449,7 @@ index 7de3859..b66e53f 100644
 +#
 +
 +# dac_override is to create the file in the directory under /tmp
-+allow crontab_domain self:capability { fowner setuid setgid chown dac_override };
++allow crontab_domain self:capability { fowner setuid setgid chown dac_read_search  dac_override };
 +allow crontab_domain self:process { getcap setsched signal_perms };
 +allow crontab_domain self:fifo_file rw_fifo_file_perms;
 +
@@ -21080,7 +21259,7 @@ index 3023be7..5afde80 100644
 +	files_var_filetrans($1, cupsd_rw_etc_t, dir, "cups")
  ')
 diff --git a/cups.te b/cups.te
-index c91813c..da04f2d 100644
+index c91813c..8c014f7 100644
 --- a/cups.te
 +++ b/cups.te
 @@ -5,19 +5,31 @@ policy_module(cups, 1.16.2)
@@ -21220,7 +21399,7 @@ index c91813c..da04f2d 100644
  #
  
 -allow cupsd_t self:capability { ipc_lock sys_admin dac_override dac_read_search kill setgid setuid fsetid fowner chown dac_override sys_rawio sys_resource sys_tty_config };
-+allow cupsd_t self:capability { ipc_lock sys_admin dac_override dac_read_search kill fsetid fowner chown dac_override sys_resource sys_tty_config };
++allow cupsd_t self:capability { ipc_lock sys_admin dac_read_search kill fsetid fowner chown dac_override sys_resource sys_tty_config };
  dontaudit cupsd_t self:capability { sys_tty_config net_admin };
 -allow cupsd_t self:capability2 block_suspend;
 -allow cupsd_t self:process { getpgid setpgid setsched signal_perms };
@@ -21474,7 +21653,7 @@ index c91813c..da04f2d 100644
  #
  
 -allow cupsd_config_t self:capability { chown dac_override sys_tty_config setuid setgid };
-+allow cupsd_config_t self:capability { chown dac_override sys_tty_config };
++allow cupsd_config_t self:capability { chown dac_read_search dac_override sys_tty_config };
  dontaudit cupsd_config_t self:capability sys_tty_config;
 -allow cupsd_config_t self:process { getsched signal_perms };
 -allow cupsd_config_t self:fifo_file rw_fifo_file_perms;
@@ -21610,11 +21789,13 @@ index c91813c..da04f2d 100644
  optional_policy(`
  	inetd_service_domain(cupsd_lpd_t, cupsd_lpd_exec_t)
  ')
-@@ -550,8 +602,8 @@ optional_policy(`
+@@ -549,9 +601,9 @@ optional_policy(`
+ # Pdf local policy
  #
  
- allow cups_pdf_t self:capability { chown fowner fsetid setuid setgid dac_override };
+-allow cups_pdf_t self:capability { chown fowner fsetid setuid setgid dac_override };
 -allow cups_pdf_t self:fifo_file rw_fifo_file_perms;
++allow cups_pdf_t self:capability { chown fowner fsetid setuid setgid dac_read_search dac_override };
  allow cups_pdf_t self:unix_stream_socket create_stream_socket_perms;
 +allow cups_pdf_t cupsd_rw_etc_t:dir search;
  
@@ -21912,7 +22093,7 @@ index 64775fd..91a6056 100644
 +	admin_pattern($1, cvs_home_t)
  ')
 diff --git a/cvs.te b/cvs.te
-index 0f77550..cd608bc 100644
+index 0f77550..36e4a38 100644
 --- a/cvs.te
 +++ b/cvs.te
 @@ -11,7 +11,7 @@ policy_module(cvs, 1.10.2)
@@ -21965,7 +22146,7 @@ index 0f77550..cd608bc 100644
  dev_read_urand(cvs_t)
  
  files_read_etc_runtime_files(cvs_t)
-@@ -86,18 +101,16 @@ auth_use_nsswitch(cvs_t)
+@@ -86,19 +101,17 @@ auth_use_nsswitch(cvs_t)
  
  init_read_utmp(cvs_t)
  
@@ -21983,10 +22164,12 @@ index 0f77550..cd608bc 100644
  # cjp: typeattribute doesnt work in conditionals yet
  auth_can_read_shadow_passwords(cvs_t)
 -tunable_policy(`allow_cvs_read_shadow',`
+-	allow cvs_t self:capability dac_override;
 +tunable_policy(`cvs_read_shadow',`
- 	allow cvs_t self:capability dac_override;
++	allow cvs_t self:capability { dac_read_search dac_override };
  	auth_tunable_read_shadow(cvs_t)
  ')
+ 
 @@ -116,8 +129,10 @@ optional_policy(`
  
  optional_policy(`
@@ -22073,7 +22256,7 @@ index 83bfda6..92d9fb2 100644
  	domain_system_change_exemption($1)
  	role_transition $2 cyrus_initrc_exec_t system_r;
 diff --git a/cyrus.te b/cyrus.te
-index 4283f2d..30b684c 100644
+index 4283f2d..41de1bd 100644
 --- a/cyrus.te
 +++ b/cyrus.te
 @@ -29,7 +29,7 @@ files_pid_file(cyrus_var_run_t)
@@ -22081,7 +22264,7 @@ index 4283f2d..30b684c 100644
  #
  
 -allow cyrus_t self:capability { dac_override setgid setuid sys_resource };
-+allow cyrus_t self:capability { fsetid dac_override net_bind_service setgid setuid sys_resource };
++allow cyrus_t self:capability { fsetid dac_read_search dac_override net_bind_service setgid setuid sys_resource };
  dontaudit cyrus_t self:capability sys_tty_config;
  allow cyrus_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  allow cyrus_t self:process setrlimit;
@@ -23249,7 +23432,7 @@ index 62d22cb..01f6380 100644
 +
  ')
 diff --git a/dbus.te b/dbus.te
-index c9998c8..27182fd 100644
+index c9998c8..b3f7ab2 100644
 --- a/dbus.te
 +++ b/dbus.te
 @@ -4,17 +4,15 @@ gen_require(`
@@ -23304,10 +23487,11 @@ index c9998c8..27182fd 100644
 +# System bus local policy
  #
  
+-allow system_dbusd_t self:capability { sys_resource dac_override setgid setpcap setuid };
 +# dac_override: /var/run/dbus is owned by messagebus on Debian
 +# cjp: dac_override should probably go in a distro_debian
 +allow system_dbusd_t self:capability2 block_suspend;
- allow system_dbusd_t self:capability { sys_resource dac_override setgid setpcap setuid };
++allow system_dbusd_t self:capability { sys_resource dac_read_search dac_override setgid setpcap setuid };
  dontaudit system_dbusd_t self:capability sys_tty_config;
  allow system_dbusd_t self:process { getattr getsched signal_perms setpgid getcap setcap setrlimit };
  allow system_dbusd_t self:fifo_file rw_fifo_file_perms;
@@ -24446,7 +24630,7 @@ index 8ce99ff..1bc5d3a 100644
 +	logging_log_filetrans($1, devicekit_var_log_t, file, "pm-suspend.log")
  ')
 diff --git a/devicekit.te b/devicekit.te
-index 77a5003..86a7ed2 100644
+index 77a5003..cb628f9 100644
 --- a/devicekit.te
 +++ b/devicekit.te
 @@ -7,15 +7,15 @@ policy_module(devicekit, 1.3.1)
@@ -24499,7 +24683,7 @@ index 77a5003..86a7ed2 100644
  #
  
 -allow devicekit_disk_t self:capability { chown setuid setgid dac_override fowner fsetid net_admin sys_admin sys_nice sys_ptrace sys_rawio };
-+allow devicekit_disk_t self:capability { chown setuid setgid dac_override fowner fsetid net_admin sys_admin sys_nice sys_tty_config sys_rawio };
++allow devicekit_disk_t self:capability { chown setuid setgid dac_read_search dac_read_search dac_override fowner fsetid net_admin sys_admin sys_nice sys_tty_config sys_rawio };
 +
  allow devicekit_disk_t self:process { getsched signal_perms };
  allow devicekit_disk_t self:fifo_file rw_fifo_file_perms;
@@ -24602,7 +24786,7 @@ index 77a5003..86a7ed2 100644
  #
  
 -allow devicekit_power_t self:capability { dac_override net_admin sys_admin sys_tty_config sys_nice sys_ptrace };
-+allow devicekit_power_t self:capability { dac_override net_admin sys_admin sys_tty_config sys_nice };
++allow devicekit_power_t self:capability { dac_read_search dac_override net_admin sys_admin sys_tty_config sys_nice };
 +#allow devicekit_power_t self:capability2 compromise_kernel;
  allow devicekit_power_t self:process { getsched signal_perms };
  allow devicekit_power_t self:fifo_file rw_fifo_file_perms;
@@ -24784,7 +24968,7 @@ index c697edb..954c090 100644
 +	allow $1 dhcpd_unit_file_t:service all_service_perms;
  ')
 diff --git a/dhcp.te b/dhcp.te
-index 98a24b9..02c58ea 100644
+index 98a24b9..d6cb9e7 100644
 --- a/dhcp.te
 +++ b/dhcp.te
 @@ -20,6 +20,9 @@ init_daemon_domain(dhcpd_t, dhcpd_exec_t)
@@ -24802,7 +24986,7 @@ index 98a24b9..02c58ea 100644
  #
  
 -allow dhcpd_t self:capability { chown dac_override sys_chroot net_raw setgid setuid sys_resource };
-+allow dhcpd_t self:capability { chown dac_override fowner sys_chroot net_raw kill setgid setuid setpcap sys_resource };
++allow dhcpd_t self:capability { chown dac_read_search dac_override fowner sys_chroot net_raw kill setgid setuid setpcap sys_resource };
  dontaudit dhcpd_t self:capability { net_admin sys_tty_config };
  allow dhcpd_t self:process { getcap setcap signal_perms };
  allow dhcpd_t self:fifo_file rw_fifo_file_perms;
@@ -24854,7 +25038,7 @@ index 98a24b9..02c58ea 100644
 +')
 +
 +ifdef(`distro_gentoo',`
-+	allow dhcpd_t self:capability { chown dac_override setgid setuid sys_chroot };
++	allow dhcpd_t self:capability { chown dac_read_search dac_override setgid setuid sys_chroot };
 +')
 +
 +optional_policy(`
@@ -25555,7 +25739,7 @@ index 0000000..b3784d8
 +')
 diff --git a/dirsrv.te b/dirsrv.te
 new file mode 100644
-index 0000000..6cca2dd
+index 0000000..03988c9
 --- /dev/null
 +++ b/dirsrv.te
 @@ -0,0 +1,204 @@
@@ -25612,7 +25796,7 @@ index 0000000..6cca2dd
 +# dirsrv local policy
 +#
 +allow dirsrv_t self:process { getsched setsched setfscreate setrlimit signal_perms};
-+allow dirsrv_t self:capability { sys_nice setuid setgid fsetid chown dac_override fowner };
++allow dirsrv_t self:capability { sys_nice setuid setgid fsetid chown dac_read_search dac_override fowner };
 +allow dirsrv_t self:fifo_file manage_fifo_file_perms;
 +allow dirsrv_t self:sem create_sem_perms;
 +allow dirsrv_t self:tcp_socket create_stream_socket_perms;
@@ -26206,10 +26390,10 @@ index 19aa0b8..a79982c 100644
 +
 +
 diff --git a/dnsmasq.te b/dnsmasq.te
-index 37a3b7b..9af09cc 100644
+index 37a3b7b..78c681c 100644
 --- a/dnsmasq.te
 +++ b/dnsmasq.te
-@@ -24,6 +24,9 @@ logging_log_file(dnsmasq_var_log_t)
+@@ -24,12 +24,15 @@ logging_log_file(dnsmasq_var_log_t)
  type dnsmasq_var_run_t;
  files_pid_file(dnsmasq_var_run_t)
  
@@ -26219,6 +26403,13 @@ index 37a3b7b..9af09cc 100644
  ########################################
  #
  # Local policy
+ #
+ 
+-allow dnsmasq_t self:capability { chown dac_override net_admin setgid setuid net_raw };
++allow dnsmasq_t self:capability { chown dac_read_search dac_override net_admin setgid setuid net_raw };
+ dontaudit dnsmasq_t self:capability sys_tty_config;
+ allow dnsmasq_t self:process { getcap setcap signal_perms };
+ allow dnsmasq_t self:fifo_file rw_fifo_file_perms;
 @@ -38,6 +41,7 @@ allow dnsmasq_t self:packet_socket create_socket_perms;
  allow dnsmasq_t self:rawip_socket create_socket_perms;
  
@@ -26845,7 +27036,7 @@ index d5badb7..c2431fc 100644
 +	admin_pattern($1, dovecot_passwd_t)
  ')
 diff --git a/dovecot.te b/dovecot.te
-index 0aabc7e..3d8233b 100644
+index 0aabc7e..994752c 100644
 --- a/dovecot.te
 +++ b/dovecot.te
 @@ -7,12 +7,10 @@ policy_module(dovecot, 1.16.1)
@@ -27109,7 +27300,8 @@ index 0aabc7e..3d8233b 100644
 +# dovecot auth local policy
  #
  
- allow dovecot_auth_t self:capability { chown dac_override ipc_lock setgid setuid sys_nice };
+-allow dovecot_auth_t self:capability { chown dac_override ipc_lock setgid setuid sys_nice };
++allow dovecot_auth_t self:capability { chown dac_read_search dac_override ipc_lock setgid setuid sys_nice };
  allow dovecot_auth_t self:process { getsched setsched signal_perms getcap setcap };
 -allow dovecot_auth_t self:unix_stream_socket { accept connectto listen };
 +allow dovecot_auth_t self:unix_stream_socket create_stream_socket_perms;
@@ -27286,6 +27478,19 @@ index 0aabc7e..3d8233b 100644
 +	# Handle sieve scripts
  	sendmail_domtrans(dovecot_deliver_t)
  ')
+diff --git a/dpkg.te b/dpkg.te
+index 50af48c..5ab4901 100644
+--- a/dpkg.te
++++ b/dpkg.te
+@@ -49,7 +49,7 @@ files_tmpfs_file(dpkg_script_tmpfs_t)
+ # Local policy
+ #
+ 
+-allow dpkg_t self:capability { chown dac_override fowner fsetid setgid setuid kill sys_tty_config sys_nice sys_resource mknod linux_immutable };
++allow dpkg_t self:capability { chown dac_read_search dac_override fowner fsetid setgid setuid kill sys_tty_config sys_nice sys_resource mknod linux_immutable };
+ allow dpkg_t self:process { setpgid fork getsched setfscreate };
+ allow dpkg_t self:fd use;
+ allow dpkg_t self:fifo_file rw_fifo_file_perms;
 diff --git a/drbd.fc b/drbd.fc
 index 671a3fb..47b4958 100644
 --- a/drbd.fc
@@ -28028,7 +28233,7 @@ index 0000000..4498b11
 +
 +sysnet_read_config(ejabberd_t)
 diff --git a/entropyd.te b/entropyd.te
-index b8b8328..111084c 100644
+index b8b8328..e3dc7c7 100644
 --- a/entropyd.te
 +++ b/entropyd.te
 @@ -12,7 +12,7 @@ policy_module(entropyd, 1.8.0)
@@ -28040,6 +28245,15 @@ index b8b8328..111084c 100644
  
  type entropyd_t;
  type entropyd_exec_t;
+@@ -29,7 +29,7 @@ files_pid_file(entropyd_var_run_t)
+ # Local policy
+ #
+ 
+-allow entropyd_t self:capability { dac_override ipc_lock sys_admin };
++allow entropyd_t self:capability { dac_read_search dac_override ipc_lock sys_admin };
+ dontaudit entropyd_t self:capability sys_tty_config;
+ allow entropyd_t self:process signal_perms;
+ 
 @@ -45,9 +45,6 @@ dev_write_urand(entropyd_t)
  dev_read_rand(entropyd_t)
  dev_write_rand(entropyd_t)
@@ -29004,7 +29218,7 @@ index cf0e567..7bebd26 100644
 +    apache_read_log(fail2ban_client_t)
 +')
 diff --git a/fcoe.te b/fcoe.te
-index ce358fb..8cc3ca2 100644
+index ce358fb..cdc11a7 100644
 --- a/fcoe.te
 +++ b/fcoe.te
 @@ -20,25 +20,32 @@ files_pid_file(fcoemon_var_run_t)
@@ -29012,7 +29226,7 @@ index ce358fb..8cc3ca2 100644
  #
  
 -allow fcoemon_t self:capability { dac_override kill net_admin };
-+allow fcoemon_t self:capability { net_admin net_raw dac_override };
++allow fcoemon_t self:capability { net_admin net_raw dac_read_search dac_override };
  allow fcoemon_t self:fifo_file rw_fifo_file_perms;
  allow fcoemon_t self:unix_stream_socket { accept listen };
  allow fcoemon_t self:netlink_socket create_socket_perms;
@@ -29362,10 +29576,10 @@ index c62c567..a74f123 100644
 +	allow $1 firewalld_unit_file_t:service all_service_perms;
  ')
 diff --git a/firewalld.te b/firewalld.te
-index 98072a3..e6904e2 100644
+index 98072a3..42ee4d3 100644
 --- a/firewalld.te
 +++ b/firewalld.te
-@@ -21,9 +21,15 @@ logging_log_file(firewalld_var_log_t)
+@@ -21,15 +21,21 @@ logging_log_file(firewalld_var_log_t)
  type firewalld_tmp_t;
  files_tmp_file(firewalld_tmp_t)
  
@@ -29381,6 +29595,13 @@ index 98072a3..e6904e2 100644
  ########################################
  #
  # Local policy
+ #
+ 
+-allow firewalld_t self:capability { dac_override net_admin };
++allow firewalld_t self:capability { dac_read_search dac_override net_admin };
+ dontaudit firewalld_t self:capability sys_tty_config;
+ allow firewalld_t self:fifo_file rw_fifo_file_perms;
+ allow firewalld_t self:unix_stream_socket { accept listen };
 @@ -37,6 +43,8 @@ allow firewalld_t self:udp_socket create_socket_perms;
  
  manage_dirs_pattern(firewalld_t, firewalld_etc_rw_t, firewalld_etc_rw_t)
@@ -29646,7 +29867,7 @@ index 280f875..f3a67c9 100644
  ## <param name="domain">
  ##	<summary>
 diff --git a/firstboot.te b/firstboot.te
-index 5010f04..3b73741 100644
+index 5010f04..0341ae1 100644
 --- a/firstboot.te
 +++ b/firstboot.te
 @@ -1,7 +1,7 @@
@@ -29677,8 +29898,12 @@ index 5010f04..3b73741 100644
  
  type firstboot_etc_t;
  files_config_file(firstboot_etc_t)
-@@ -32,28 +27,25 @@ files_config_file(firstboot_etc_t)
- allow firstboot_t self:capability { dac_override setgid };
+@@ -29,31 +24,28 @@ files_config_file(firstboot_etc_t)
+ # Local policy
+ #
+ 
+-allow firstboot_t self:capability { dac_override setgid };
++allow firstboot_t self:capability { dac_read_search dac_override setgid };
  allow firstboot_t self:process setfscreate;
  allow firstboot_t self:fifo_file rw_fifo_file_perms;
 -allow firstboot_t self:tcp_socket { accept listen };
@@ -31742,7 +31967,7 @@ index 0000000..d745c67
 +')
 diff --git a/gear.te b/gear.te
 new file mode 100644
-index 0000000..0685927
+index 0000000..33dbdf7
 --- /dev/null
 +++ b/gear.te
 @@ -0,0 +1,136 @@
@@ -31773,7 +31998,7 @@ index 0000000..0685927
 +#
 +# gear local policy
 +#
-+allow gear_t self:capability { chown net_admin fowner dac_override };
++allow gear_t self:capability { chown net_admin fowner dac_read_search dac_override };
 +dontaudit gear_t self:capability sys_ptrace;
 +allow gear_t self:capability2 block_suspend;
 +allow gear_t self:process { getattr signal_perms };
@@ -35722,7 +35947,7 @@ index ab09d61..72d67c2 100644
 +    type_transition $1 gkeyringd_exec_t:process $2;
  ')
 diff --git a/gnome.te b/gnome.te
-index 63893eb..3508b98 100644
+index 63893eb..5664744 100644
 --- a/gnome.te
 +++ b/gnome.te
 @@ -5,14 +5,33 @@ policy_module(gnome, 2.3.0)
@@ -35856,7 +36081,7 @@ index 63893eb..3508b98 100644
  
 -allow gconfd_t gconf_etc_t:dir list_dir_perms;
 -read_files_pattern(gconfd_t, gconf_etc_t, gconf_etc_t)
-+allow gconfdefaultsm_t self:capability { dac_override sys_nice };
++allow gconfdefaultsm_t self:capability { dac_read_search dac_override sys_nice };
 +allow gconfdefaultsm_t self:process getsched;
 +allow gconfdefaultsm_t self:fifo_file rw_fifo_file_perms;
  
@@ -36114,7 +36339,7 @@ index 3f55702..25c7ab8 100644
  ## <param name="domain">
  ##	<summary>
 diff --git a/gnomeclock.te b/gnomeclock.te
-index 7cd7435..79bff0d 100644
+index 7cd7435..8f26e98 100644
 --- a/gnomeclock.te
 +++ b/gnomeclock.te
 @@ -5,82 +5,95 @@ policy_module(gnomeclock, 1.1.0)
@@ -36139,7 +36364,7 @@ index 7cd7435..79bff0d 100644
  #
  
 -allow gnomeclock_t self:capability { sys_nice sys_time };
-+allow gnomeclock_t self:capability { sys_nice sys_time dac_override };
++allow gnomeclock_t self:capability { sys_nice sys_time dac_read_search dac_override };
  allow gnomeclock_t self:process { getattr getsched signal };
  allow gnomeclock_t self:fifo_file rw_fifo_file_perms;
 -allow gnomeclock_t self:unix_stream_socket { accept listen };
@@ -37022,7 +37247,7 @@ index 0e97e82..2569781 100644
 +    miscfiles_manage_public_files(gpg_web_t)
  ')
 diff --git a/gpm.te b/gpm.te
-index 69734fd..d99009a 100644
+index 69734fd..a659808 100644
 --- a/gpm.te
 +++ b/gpm.te
 @@ -13,7 +13,7 @@ type gpm_initrc_exec_t;
@@ -37034,6 +37259,15 @@ index 69734fd..d99009a 100644
  
  type gpm_tmp_t;
  files_tmp_file(gpm_tmp_t)
+@@ -29,7 +29,7 @@ files_type(gpmctl_t)
+ # Local policy
+ #
+ 
+-allow gpm_t self:capability { setpcap setuid dac_override sys_admin sys_tty_config };
++allow gpm_t self:capability { setpcap setuid dac_read_search dac_override sys_admin sys_tty_config };
+ allow gpm_t self:process { signal signull getcap setcap };
+ allow gpm_t self:unix_stream_socket { accept listen };
+ 
 @@ -57,7 +57,6 @@ dev_read_sysfs(gpm_t)
  dev_rw_input_dev(gpm_t)
  dev_rw_mouse(gpm_t)
@@ -37328,7 +37562,7 @@ index 0000000..8a2013a
 +')
 diff --git a/gssproxy.te b/gssproxy.te
 new file mode 100644
-index 0000000..27abcbb
+index 0000000..79e22c5
 --- /dev/null
 +++ b/gssproxy.te
 @@ -0,0 +1,74 @@
@@ -37356,7 +37590,7 @@ index 0000000..27abcbb
 +#
 +# gssproxy local policy
 +#
-+allow gssproxy_t self:capability { setuid setgid dac_override };
++allow gssproxy_t self:capability { setuid setgid dac_read_search dac_override };
 +allow gssproxy_t self:capability2 block_suspend;
 +allow gssproxy_t self:fifo_file rw_fifo_file_perms;
 +allow gssproxy_t self:unix_stream_socket create_stream_socket_perms;
@@ -37454,7 +37688,7 @@ index e151378..04d173d 100644
  fs_getattr_xattr_fs(zookeeper_server_t)
  
 diff --git a/hal.te b/hal.te
-index bbccc79..435ac42 100644
+index bbccc79..b027202 100644
 --- a/hal.te
 +++ b/hal.te
 @@ -61,7 +61,6 @@ files_type(hald_var_lib_t)
@@ -37474,6 +37708,15 @@ index bbccc79..435ac42 100644
  kernel_request_load_module(hald_t)
  
  corecmd_exec_all_executables(hald_t)
+@@ -339,7 +338,7 @@ optional_policy(`
+ # ACL local policy
+ #
+ 
+-allow hald_acl_t self:capability { dac_override fowner sys_resource };
++allow hald_acl_t self:capability { dac_read_search dac_override fowner sys_resource };
+ allow hald_acl_t self:process { getattr signal };
+ allow hald_acl_t self:fifo_file rw_fifo_file_perms;
+ 
 @@ -437,7 +436,6 @@ write_files_pattern(hald_keymap_t, hald_log_t, hald_log_t)
  
  dev_rw_input_dev(hald_keymap_t)
@@ -38662,9 +38905,18 @@ index 580b533..c267cea 100644
  	domain_system_change_exemption($1)
  	role_transition $2 icecast_initrc_exec_t system_r;
 diff --git a/icecast.te b/icecast.te
-index a9e573a..6420131 100644
+index a9e573a..9a9245f 100644
 --- a/icecast.te
 +++ b/icecast.te
+@@ -32,7 +32,7 @@ files_pid_file(icecast_var_run_t)
+ # Local policy
+ #
+ 
+-allow icecast_t self:capability { dac_override setgid setuid sys_nice };
++allow icecast_t self:capability { dac_read_search dac_override setgid setuid sys_nice };
+ allow icecast_t self:process { getsched setsched signal };
+ allow icecast_t self:fifo_file rw_fifo_file_perms;
+ allow icecast_t self:unix_stream_socket create_stream_socket_perms;
 @@ -65,11 +65,9 @@ dev_read_sysfs(icecast_t)
  dev_read_urand(icecast_t)
  dev_read_rand(icecast_t)
@@ -39037,7 +39289,7 @@ index eb87f23..d3d32c3 100644
  
  	init_labeled_script_domtrans($1, innd_initrc_exec_t)
 diff --git a/inn.te b/inn.te
-index d39f0cc..d141652 100644
+index d39f0cc..2422996 100644
 --- a/inn.te
 +++ b/inn.te
 @@ -15,6 +15,9 @@ files_config_file(innd_etc_t)
@@ -39050,7 +39302,7 @@ index d39f0cc..d141652 100644
  type innd_log_t;
  logging_log_file(innd_log_t)
  
-@@ -26,6 +29,7 @@ files_pid_file(innd_var_run_t)
+@@ -26,13 +29,14 @@ files_pid_file(innd_var_run_t)
  
  type news_spool_t;
  files_mountpoint(news_spool_t)
@@ -39058,6 +39310,14 @@ index d39f0cc..d141652 100644
  
  ########################################
  #
+ # Local policy
+ #
+ 
+-allow innd_t self:capability { dac_override kill setgid setuid };
++allow innd_t self:capability { dac_read_search dac_override kill setgid setuid };
+ dontaudit innd_t self:capability sys_tty_config;
+ allow innd_t self:process { setsched signal_perms };
+ allow innd_t self:fifo_file rw_fifo_file_perms;
 @@ -43,10 +47,9 @@ allow innd_t self:tcp_socket { accept listen };
  read_files_pattern(innd_t, innd_etc_t, innd_etc_t)
  read_lnk_files_pattern(innd_t, innd_etc_t, innd_etc_t)
@@ -39655,7 +39915,7 @@ index 0000000..d611c53
 +')
 diff --git a/ipa.te b/ipa.te
 new file mode 100644
-index 0000000..d806e25
+index 0000000..28955dd
 --- /dev/null
 +++ b/ipa.te
 @@ -0,0 +1,273 @@
@@ -39752,7 +40012,7 @@ index 0000000..d806e25
 +#
 +
 +
-+allow ipa_helper_t self:capability { net_admin dac_override chown };
++allow ipa_helper_t self:capability { net_admin dac_read_search dac_override chown };
 +
 +#kernel bug
 +dontaudit ipa_helper_t self:capability2  block_suspend;
@@ -40609,7 +40869,7 @@ index 1a35420..8101022 100644
  	logging_search_logs($1)
  	admin_pattern($1, iscsi_log_t)
 diff --git a/iscsi.te b/iscsi.te
-index ca020fa..d546e07 100644
+index ca020fa..9c628b2 100644
 --- a/iscsi.te
 +++ b/iscsi.te
 @@ -5,12 +5,15 @@ policy_module(iscsi, 1.9.0)
@@ -40636,7 +40896,7 @@ index ca020fa..d546e07 100644
  
 -allow iscsid_t self:capability { dac_override ipc_lock net_admin net_raw sys_admin sys_nice sys_resource };
 -dontaudit iscsid_t self:capability sys_ptrace;
-+allow iscsid_t self:capability { dac_override ipc_lock net_admin net_raw sys_admin sys_nice sys_module sys_resource };
++allow iscsid_t self:capability { dac_read_search dac_override ipc_lock net_admin net_raw sys_admin sys_nice sys_module sys_resource };
  allow iscsid_t self:process { setrlimit setsched signal };
  allow iscsid_t self:fifo_file rw_fifo_file_perms;
  allow iscsid_t self:unix_stream_socket { accept connectto listen };
@@ -42530,7 +42790,7 @@ index 3a00b3a..92f125f 100644
 +')
 +
 diff --git a/kdump.te b/kdump.te
-index 715fc21..446ebb4 100644
+index 715fc21..794264a 100644
 --- a/kdump.te
 +++ b/kdump.te
 @@ -12,35 +12,58 @@ init_system_domain(kdump_t, kdump_exec_t)
@@ -42565,7 +42825,7 @@ index 715fc21..446ebb4 100644
  #
  
 -allow kdump_t self:capability { sys_boot dac_override };
-+allow kdump_t self:capability { sys_admin sys_boot dac_override };
++allow kdump_t self:capability { sys_admin sys_boot dac_read_search dac_override };
 +#allow kdump_t self:capability2 compromise_kernel;
 +
 +manage_dirs_pattern(kdump_t, kdump_crash_t, kdump_crash_t)
@@ -42606,11 +42866,12 @@ index 715fc21..446ebb4 100644
 +# kdumpctl local policy
  #
  
+-allow kdumpctl_t self:capability { dac_override sys_chroot };
 +#cjp:almost all rules are needed by dracut
 +
 +kdump_domtrans(kdumpctl_t)
 +
- allow kdumpctl_t self:capability { dac_override sys_chroot };
++allow kdumpctl_t self:capability { dac_read_search dac_override sys_chroot };
  allow kdumpctl_t self:process setfscreate;
 +
  allow kdumpctl_t self:fifo_file rw_fifo_file_perms;
@@ -43909,7 +44170,7 @@ index f6c00d8..79ea4d8 100644
 +	kerberos_tmp_filetrans_host_rcache($1, "ldap_55")
  ')
 diff --git a/kerberos.te b/kerberos.te
-index 8833d59..ac3f3ee 100644
+index 8833d59..9b9eb11 100644
 --- a/kerberos.te
 +++ b/kerberos.te
 @@ -6,11 +6,11 @@ policy_module(kerberos, 1.12.0)
@@ -43966,9 +44227,10 @@ index 8833d59..ac3f3ee 100644
  # kadmind local policy
  #
  
-+# Use capabilities. Surplus capabilities may be allowed.
- allow kadmind_t self:capability { setuid setgid chown fowner dac_override sys_nice };
+-allow kadmind_t self:capability { setuid setgid chown fowner dac_override sys_nice };
 -dontaudit kadmind_t self:capability sys_tty_config;
++# Use capabilities. Surplus capabilities may be allowed.
++allow kadmind_t self:capability { setuid setgid chown fowner dac_read_search dac_override sys_nice };
  allow kadmind_t self:capability2 block_suspend;
 +dontaudit kadmind_t self:capability sys_tty_config;
  allow kadmind_t self:process { setfscreate setsched getsched signal_perms };
@@ -44090,9 +44352,10 @@ index 8833d59..ac3f3ee 100644
  # Krb5kdc local policy
  #
  
-+# Use capabilities. Surplus capabilities may be allowed.
- allow krb5kdc_t self:capability { setuid setgid net_admin chown fowner dac_override sys_nice };
+-allow krb5kdc_t self:capability { setuid setgid net_admin chown fowner dac_override sys_nice };
 -dontaudit krb5kdc_t self:capability sys_tty_config;
++# Use capabilities. Surplus capabilities may be allowed.
++allow krb5kdc_t self:capability { setuid setgid net_admin chown fowner dac_read_search dac_override sys_nice };
  allow krb5kdc_t self:capability2 block_suspend;
 +dontaudit krb5kdc_t self:capability sys_tty_config;
  allow krb5kdc_t self:process { setfscreate setsched getsched signal_perms };
@@ -44761,9 +45024,18 @@ index aa2a337..7ff229f 100644
  	files_search_var_lib($1)
  	admin_pattern($1, kismet_var_lib_t)
 diff --git a/kismet.te b/kismet.te
-index 8ad0d4d..4e66536 100644
+index 8ad0d4d..01e5037 100644
 --- a/kismet.te
 +++ b/kismet.te
+@@ -38,7 +38,7 @@ files_pid_file(kismet_var_run_t)
+ # Local policy
+ #
+ 
+-allow kismet_t self:capability { dac_override kill net_admin net_raw setuid setgid };
++allow kismet_t self:capability { dac_read_search dac_override kill net_admin net_raw setuid setgid };
+ allow kismet_t self:process signal_perms;
+ allow kismet_t self:fifo_file rw_fifo_file_perms;
+ allow kismet_t self:packet_socket create_socket_perms;
 @@ -81,25 +81,22 @@ kernel_read_network_state(kismet_t)
  
  corecmd_exec_bin(kismet_t)
@@ -45410,9 +45682,18 @@ index 5297064..6ba8108 100644
  	domain_system_change_exemption($1)
  	role_transition $2 kudzu_initrc_exec_t system_r;
 diff --git a/kudzu.te b/kudzu.te
-index 1664036..51dd14f 100644
+index 1664036..ee7a9a1 100644
 --- a/kudzu.te
 +++ b/kudzu.te
+@@ -26,7 +26,7 @@ files_pid_file(kudzu_var_run_t)
+ # Local policy
+ #
+ 
+-allow kudzu_t self:capability { dac_override sys_admin sys_rawio net_admin sys_tty_config mknod };
++allow kudzu_t self:capability { dac_read_search dac_override sys_admin sys_rawio net_admin sys_tty_config mknod };
+ dontaudit kudzu_t self:capability sys_tty_config;
+ allow kudzu_t self:process { signal_perms execmem };
+ allow kudzu_t self:fifo_file rw_fifo_file_perms;
 @@ -47,7 +47,7 @@ kernel_read_device_sysctls(kudzu_t)
  kernel_read_kernel_sysctls(kudzu_t)
  kernel_read_network_state(kudzu_t)
@@ -46355,7 +46636,7 @@ index bd20e8c..3393a01 100644
 -	admin_pattern($1, { lwregd_var_run_t netlogond_var_run_t srvsvcd_var_run_t })
 -')
 diff --git a/likewise.te b/likewise.te
-index d8c2442..ef30d42 100644
+index d8c2442..f5dff31 100644
 --- a/likewise.te
 +++ b/likewise.te
 @@ -26,7 +26,7 @@ type likewise_var_lib_t;
@@ -46388,6 +46669,15 @@ index d8c2442..ef30d42 100644
  #################################
  #
  # dcerpcd local policy
+@@ -102,7 +95,7 @@ corenet_tcp_sendrecv_epmap_port(eventlogd_t)
+ # lsassd local policy
+ #
+ 
+-allow lsassd_t self:capability { fowner chown fsetid dac_override sys_time };
++allow lsassd_t self:capability { fowner chown fsetid dac_read_search dac_override sys_time };
+ allow lsassd_t self:unix_stream_socket { create_stream_socket_perms connectto };
+ allow lsassd_t self:netlink_route_socket rw_netlink_socket_perms;
+ 
 @@ -126,7 +119,6 @@ corecmd_exec_bin(lsassd_t)
  corecmd_exec_shell(lsassd_t)
  
@@ -46396,6 +46686,24 @@ index d8c2442..ef30d42 100644
  corenet_tcp_sendrecv_generic_if(lsassd_t)
  corenet_tcp_sendrecv_generic_node(lsassd_t)
  
+@@ -165,7 +157,7 @@ optional_policy(`
+ # lwiod local policy
+ #
+ 
+-allow lwiod_t self:capability { fowner chown fsetid dac_override sys_resource };
++allow lwiod_t self:capability { fowner chown fsetid dac_read_search dac_override sys_resource };
+ allow lwiod_t self:process setrlimit;
+ allow lwiod_t self:netlink_route_socket rw_netlink_socket_perms;
+ 
+@@ -221,7 +213,7 @@ stream_connect_pattern(lwsmd_t, likewise_var_lib_t, lwregd_var_socket_t, lwregd_
+ # netlogond local policy
+ #
+ 
+-allow netlogond_t self:capability dac_override;
++allow netlogond_t self:capability { dac_read_search dac_override };
+ 
+ manage_files_pattern(netlogond_t, likewise_etc_t, likewise_etc_t)
+ 
 @@ -242,7 +234,6 @@ stream_connect_pattern(srvsvcd_t, likewise_var_lib_t, lwiod_var_socket_t, lwiod_
  stream_connect_pattern(srvsvcd_t, likewise_var_lib_t, lwregd_var_socket_t, lwregd_t)
  
@@ -46752,7 +47060,7 @@ index dff21a7..b6981c8 100644
  	init_labeled_script_domtrans($1, lircd_initrc_exec_t)
  	domain_system_change_exemption($1)
 diff --git a/lircd.te b/lircd.te
-index 483c87b..df73ba0 100644
+index 483c87b..eecd4c1 100644
 --- a/lircd.te
 +++ b/lircd.te
 @@ -13,7 +13,7 @@ type lircd_initrc_exec_t;
@@ -46769,7 +47077,7 @@ index 483c87b..df73ba0 100644
  #
  
 -allow lircd_t self:capability { chown kill sys_admin };
-+allow lircd_t self:capability { setuid setgid dac_override chown kill sys_admin };
++allow lircd_t self:capability { setuid setgid dac_read_search dac_override chown kill sys_admin };
  allow lircd_t self:process signal;
  allow lircd_t self:fifo_file rw_fifo_file_perms;
  allow lircd_t self:tcp_socket { accept listen };
@@ -47769,7 +48077,7 @@ index 6256371..ce2acb8 100644
  	can_exec($1, lpr_exec_t)
  ')
 diff --git a/lpd.te b/lpd.te
-index 39d3164..4b1b70c 100644
+index 39d3164..1ec2cd2 100644
 --- a/lpd.te
 +++ b/lpd.te
 @@ -48,7 +48,7 @@ userdom_user_tmp_file(lpr_tmp_t)
@@ -47781,6 +48089,15 @@ index 39d3164..4b1b70c 100644
  ubac_constrained(print_spool_t)
  
  type printer_t;
+@@ -62,7 +62,7 @@ files_config_file(printconf_t)
+ # Checkpc local policy
+ #
+ 
+-allow checkpc_t self:capability { setgid setuid dac_override };
++allow checkpc_t self:capability { setgid setuid dac_read_search dac_override };
+ allow checkpc_t self:process signal_perms;
+ allow checkpc_t self:unix_stream_socket create_socket_perms;
+ allow checkpc_t self:tcp_socket create_socket_perms;
 @@ -81,7 +81,6 @@ allow checkpc_t printconf_t:dir list_dir_perms;
  
  kernel_read_system_state(checkpc_t)
@@ -47837,6 +48154,15 @@ index 39d3164..4b1b70c 100644
  
  sysnet_read_config(lpd_t)
  
+@@ -214,7 +208,7 @@ optional_policy(`
+ # Lpr local policy
+ #
+ 
+-allow lpr_t self:capability { setuid dac_override net_bind_service chown };
++allow lpr_t self:capability { setuid dac_read_search dac_override net_bind_service chown };
+ allow lpr_t self:unix_stream_socket { accept listen };
+ 
+ allow lpd_t print_spool_t:file { read_file_perms rename_file_perms delete_file_perms };
 @@ -224,7 +218,6 @@ can_exec(lpr_t, lpr_exec_t)
  kernel_read_crypto_sysctls(lpr_t)
  kernel_read_kernel_sysctls(lpr_t)
@@ -48690,7 +49016,7 @@ index 108c0f1..a248501 100644
  	domtrans_pattern($1, mailman_queue_exec_t, mailman_queue_t)
  ')
 diff --git a/mailman.te b/mailman.te
-index ac81c7f..f24f0ef 100644
+index ac81c7f..a9faca9 100644
 --- a/mailman.te
 +++ b/mailman.te
 @@ -4,6 +4,12 @@ policy_module(mailman, 1.10.0)
@@ -48750,7 +49076,7 @@ index ac81c7f..f24f0ef 100644
  
 -allow mailman_mail_t self:capability { kill dac_override setuid setgid sys_tty_config };
 -allow mailman_mail_t self:process { signal signull };
-+allow mailman_mail_t self:capability { kill dac_override setuid setgid sys_nice sys_tty_config };
++allow mailman_mail_t self:capability { kill dac_read_search dac_override setuid setgid sys_nice sys_tty_config };
 +allow mailman_mail_t self:process { setsched signal signull };
 +allow mailman_mail_t self:unix_dgram_socket create_socket_perms;
  
@@ -48874,10 +49200,16 @@ index 214cb44..bd1d48e 100644
 +	files_list_pids($1)
  ')
 diff --git a/mailscanner.te b/mailscanner.te
-index 6b6e2e1..9889cef 100644
+index 6b6e2e1..3fb3393 100644
 --- a/mailscanner.te
 +++ b/mailscanner.te
-@@ -34,6 +34,7 @@ allow mscan_t self:process signal;
+@@ -29,11 +29,12 @@ files_pid_file(mscan_var_run_t)
+ # Local policy
+ #
+ 
+-allow mscan_t self:capability { setuid chown setgid dac_override };
++allow mscan_t self:capability { setuid chown setgid dac_read_search dac_override };
+ allow mscan_t self:process signal;
  allow mscan_t self:fifo_file rw_fifo_file_perms;
  
  read_files_pattern(mscan_t, mscan_etc_t, mscan_etc_t)
@@ -50100,7 +50432,7 @@ index cba62db..562833a 100644
 +	delete_files_pattern($1, dkim_milter_data_t, dkim_milter_data_t)
 +')
 diff --git a/milter.te b/milter.te
-index 4dc99f4..c11bec2 100644
+index 4dc99f4..48e3f38 100644
 --- a/milter.te
 +++ b/milter.te
 @@ -5,73 +5,117 @@ policy_module(milter, 1.5.0)
@@ -50202,10 +50534,11 @@ index 4dc99f4..c11bec2 100644
 +#   http://hcpnet.free.fr/milter-greylist/
  #
  
+-allow greylist_milter_t self:capability { chown dac_override setgid setuid sys_nice };
 +# It removes any existing socket (not owned by root) whilst running as root,
 +# fixes permissions, renices itself and then calls setgid() and setuid() to
 +# drop privileges
- allow greylist_milter_t self:capability { chown dac_override setgid setuid sys_nice };
++allow greylist_milter_t self:capability { chown dac_read_search dac_override setgid setuid sys_nice };
  allow greylist_milter_t self:process { setsched getsched };
  
 +allow greylist_milter_t self:tcp_socket create_stream_socket_perms;
@@ -50258,9 +50591,10 @@ index 4dc99f4..c11bec2 100644
 +#   http://www.benzedrine.cx/milter-regex.html
  #
  
+-allow regex_milter_t self:capability { setuid setgid dac_override };
 +# It removes any existing socket (not owned by root) whilst running as root
 +# and then calls setgid() and setuid() to drop privileges
- allow regex_milter_t self:capability { setuid setgid dac_override };
++allow regex_milter_t self:capability { setuid setgid dac_read_search dac_override };
  
 +# The milter's socket directory lives under /var/spool
  files_search_spool(regex_milter_t)
@@ -51108,7 +51442,7 @@ index 0000000..f5b98e6
 +')
 diff --git a/mock.te b/mock.te
 new file mode 100644
-index 0000000..c3fda0f
+index 0000000..f647022
 --- /dev/null
 +++ b/mock.te
 @@ -0,0 +1,288 @@
@@ -51158,7 +51492,7 @@ index 0000000..c3fda0f
 +# mock local policy
 +#
 +
-+allow mock_t self:capability { sys_admin sys_ptrace setfcap setuid sys_chroot chown audit_write dac_override sys_nice mknod fsetid setgid fowner };
++allow mock_t self:capability { sys_admin sys_ptrace setfcap setuid sys_chroot chown audit_write dac_read_search  dac_override sys_nice mknod fsetid setgid fowner };
 +allow mock_t self:capability2 block_suspend;
 +allow mock_t self:process { siginh noatsecure signal_perms transition rlimitinh setsched setpgid };
 +# Needed because mock can run java and mono withing build environment
@@ -51316,7 +51650,7 @@ index 0000000..c3fda0f
 +#
 +# mock_build local policy
 +#
-+allow mock_build_t self:capability { sys_admin setfcap setuid sys_chroot chown dac_override sys_nice mknod fsetid setgid fowner sys_ptrace };
++allow mock_build_t self:capability { sys_admin setfcap setuid sys_chroot chown dac_read_search dac_override sys_nice mknod fsetid setgid fowner sys_ptrace };
 +dontaudit mock_build_t self:capability audit_write;
 +allow mock_build_t self:process { fork setsched setpgid signal_perms };
 +allow mock_build_t self:netlink_audit_socket { create_socket_perms nlmsg_relay };
@@ -54299,10 +54633,10 @@ index 5fa77c7..2e01c7d 100644
  	domain_system_change_exemption($1)
  	role_transition $2 mpd_initrc_exec_t system_r;
 diff --git a/mpd.te b/mpd.te
-index fe72523..953e3bf 100644
+index fe72523..062ad64 100644
 --- a/mpd.te
 +++ b/mpd.te
-@@ -62,6 +62,12 @@ files_type(mpd_var_lib_t)
+@@ -62,18 +62,25 @@ files_type(mpd_var_lib_t)
  type mpd_user_data_t;
  userdom_user_home_content(mpd_user_data_t) # customizable
  
@@ -54315,7 +54649,13 @@ index fe72523..953e3bf 100644
  ########################################
  #
  # Local policy
-@@ -74,6 +80,7 @@ allow mpd_t self:unix_stream_socket { accept connectto listen };
+ #
+ 
+-allow mpd_t self:capability { dac_override kill setgid setuid };
++allow mpd_t self:capability { dac_read_search dac_override kill setgid setuid };
+ allow mpd_t self:process { getsched setsched setrlimit signal signull setcap };
+ allow mpd_t self:fifo_file rw_fifo_file_perms;
+ allow mpd_t self:unix_stream_socket { accept connectto listen };
  allow mpd_t self:unix_dgram_socket sendto;
  allow mpd_t self:tcp_socket { accept listen };
  allow mpd_t self:netlink_kobject_uevent_socket create_socket_perms;
@@ -55833,7 +56173,7 @@ index ed81cac..cd52baf 100644
 +	mta_filetrans_admin_home_content($1)
 +')
 diff --git a/mta.te b/mta.te
-index ff1d68c..86d8c9b 100644
+index ff1d68c..94b1dfc 100644
 --- a/mta.te
 +++ b/mta.te
 @@ -14,8 +14,6 @@ attribute mailserver_sender;
@@ -55945,12 +56285,13 @@ index ff1d68c..86d8c9b 100644
  # System local policy
  #
  
-+# newalias required this, not sure if it is needed in 'if' file
- allow system_mail_t self:capability { dac_override fowner };
+-allow system_mail_t self:capability { dac_override fowner };
 -
 -read_files_pattern(system_mail_t, etc_mail_t, etc_mail_t)
 -
 -read_files_pattern(system_mail_t, mailcontent_type, mailcontent_type)
++# newalias required this, not sure if it is needed in 'if' file
++allow system_mail_t self:capability { dac_read_search dac_override fowner };
 +dontaudit system_mail_t self:capability net_admin;
  
  allow system_mail_t mail_home_t:file manage_file_perms;
@@ -56284,7 +56625,8 @@ index ff1d68c..86d8c9b 100644
 +')
  
  optional_policy(`
- 	allow user_mail_t self:capability dac_override;
+-	allow user_mail_t self:capability dac_override;
++	allow user_mail_t self:capability {dac_read_search dac_override };
  
 +	# Read user temporary files.
 +	# postfix seems to need write access if the file handle is opened read/write
@@ -56638,7 +56980,7 @@ index b744fe3..cb0e2af 100644
 +	admin_pattern($1, munin_content_t)
  ')
 diff --git a/munin.te b/munin.te
-index b708708..f4c0e61 100644
+index b708708..1ea095c 100644
 --- a/munin.te
 +++ b/munin.te
 @@ -44,41 +44,40 @@ files_tmpfs_file(services_munin_plugin_tmpfs_t)
@@ -56690,6 +57032,15 @@ index b708708..f4c0e61 100644
  
  optional_policy(`
  	nscd_use(munin_plugin_domain)
+@@ -89,7 +88,7 @@ optional_policy(`
+ # Local policy
+ #
+ 
+-allow munin_t self:capability { chown dac_override kill setgid setuid sys_rawio };
++allow munin_t self:capability { chown dac_read_search dac_override kill setgid setuid sys_rawio };
+ dontaudit munin_t self:capability sys_tty_config;
+ allow munin_t self:process { getsched setsched signal_perms };
+ allow munin_t self:unix_stream_socket { accept connectto listen };
 @@ -118,7 +117,7 @@ manage_dirs_pattern(munin_t, munin_var_lib_t, munin_var_lib_t)
  manage_files_pattern(munin_t, munin_var_lib_t, munin_var_lib_t)
  manage_lnk_files_pattern(munin_t, munin_var_lib_t, munin_var_lib_t)
@@ -56775,7 +57126,7 @@ index b708708..f4c0e61 100644
  
  sysnet_read_config(disk_munin_plugin_t)
  
-@@ -272,6 +264,10 @@ optional_policy(`
+@@ -272,34 +264,50 @@ optional_policy(`
  	fstools_exec(disk_munin_plugin_t)
  ')
  
@@ -56786,14 +57137,15 @@ index b708708..f4c0e61 100644
  ####################################
  #
  # Mail local policy
-@@ -279,27 +275,39 @@ optional_policy(`
- 
- allow mail_munin_plugin_t self:capability dac_override;
+ #
  
+-allow mail_munin_plugin_t self:capability dac_override;
++allow mail_munin_plugin_t self:capability { dac_read_search dac_override };
++
 +allow mail_munin_plugin_t self:tcp_socket create_stream_socket_perms;
 +allow mail_munin_plugin_t self:netlink_route_socket r_netlink_socket_perms;
 +allow mail_munin_plugin_t self:udp_socket create_socket_perms;
-+
+ 
  rw_files_pattern(mail_munin_plugin_t, munin_var_lib_t, munin_var_lib_t)
  
 +kernel_read_net_sysctls(mail_munin_plugin_t)
@@ -57526,7 +57878,7 @@ index 687af38..5381f1b 100644
 +	mysql_stream_connect($1)
  ')
 diff --git a/mysql.te b/mysql.te
-index 7584bbe..318ee4d 100644
+index 7584bbe..a89f6d6 100644
 --- a/mysql.te
 +++ b/mysql.te
 @@ -6,20 +6,22 @@ policy_module(mysql, 1.14.1)
@@ -57582,7 +57934,7 @@ index 7584bbe..318ee4d 100644
  #
  
 -allow mysqld_t self:capability { dac_override ipc_lock setgid setuid sys_resource };
-+allow mysqld_t self:capability { dac_override ipc_lock setgid setuid sys_resource net_bind_service };
++allow mysqld_t self:capability { dac_read_search dac_override ipc_lock setgid setuid sys_resource net_bind_service };
  dontaudit mysqld_t self:capability sys_tty_config;
  allow mysqld_t self:process { setsched getsched setrlimit signal_perms rlimitinh };
  allow mysqld_t self:fifo_file rw_fifo_file_perms;
@@ -57719,7 +58071,7 @@ index 7584bbe..318ee4d 100644
  #
  
 -allow mysqld_safe_t self:capability { chown dac_override fowner kill };
-+allow mysqld_safe_t self:capability { chown dac_override fowner kill sys_nice sys_resource };
++allow mysqld_safe_t self:capability { chown dac_read_search dac_override fowner kill sys_nice sys_resource };
 +dontaudit mysqld_safe_t self:capability sys_ptrace;
  allow mysqld_safe_t self:process { setsched getsched setrlimit };
  allow mysqld_safe_t self:fifo_file rw_fifo_file_perms;
@@ -57785,7 +58137,7 @@ index 7584bbe..318ee4d 100644
  
  optional_policy(`
  	hostname_exec(mysqld_safe_t)
-@@ -209,7 +239,7 @@ optional_policy(`
+@@ -209,20 +239,21 @@ optional_policy(`
  
  ########################################
  #
@@ -57793,8 +58145,10 @@ index 7584bbe..318ee4d 100644
 +# MySQL Manager Policy
  #
  
- allow mysqlmanagerd_t self:capability { dac_override kill };
-@@ -218,11 +248,12 @@ allow mysqlmanagerd_t self:fifo_file rw_fifo_file_perms;
+-allow mysqlmanagerd_t self:capability { dac_override kill };
++allow mysqlmanagerd_t self:capability { dac_read_search dac_override kill };
+ allow mysqlmanagerd_t self:process signal;
+ allow mysqlmanagerd_t self:fifo_file rw_fifo_file_perms;
  allow mysqlmanagerd_t self:tcp_socket create_stream_socket_perms;
  allow mysqlmanagerd_t self:unix_stream_socket create_stream_socket_perms;
  
@@ -58976,7 +59330,7 @@ index 0641e97..f3b1111 100644
 +	admin_pattern($1, nrpe_etc_t)
  ')
 diff --git a/nagios.te b/nagios.te
-index 7b3e682..c1f487c 100644
+index 7b3e682..00af8b3 100644
 --- a/nagios.te
 +++ b/nagios.te
 @@ -5,6 +5,25 @@ policy_module(nagios, 1.13.0)
@@ -59032,7 +59386,7 @@ index 7b3e682..c1f487c 100644
  type nrpe_t;
  type nrpe_exec_t;
  init_daemon_domain(nrpe_t, nrpe_exec_t)
-@@ -63,19 +86,21 @@ files_pid_file(nrpe_var_run_t)
+@@ -63,30 +86,33 @@ files_pid_file(nrpe_var_run_t)
  
  allow nagios_plugin_domain self:fifo_file rw_fifo_file_perms;
  
@@ -59061,7 +59415,12 @@ index 7b3e682..c1f487c 100644
  
  ########################################
  #
-@@ -87,6 +112,7 @@ dontaudit nagios_t self:capability sys_tty_config;
+ # Nagios local policy
+ #
+ 
+-allow nagios_t self:capability { dac_override setgid setuid };
++allow nagios_t self:capability { dac_read_search dac_override setgid setuid };
+ dontaudit nagios_t self:capability sys_tty_config;
  allow nagios_t self:process { setpgid signal_perms };
  allow nagios_t self:fifo_file rw_fifo_file_perms;
  allow nagios_t self:tcp_socket { accept listen };
@@ -59298,11 +59657,13 @@ index 7b3e682..c1f487c 100644
  optional_policy(`
  	inetd_tcp_service_domain(nrpe_t, nrpe_exec_t)
  ')
-@@ -310,15 +399,15 @@ files_getattr_all_file_type_fs(nagios_admin_plugin_t)
+@@ -309,16 +398,16 @@ files_getattr_all_file_type_fs(nagios_admin_plugin_t)
+ # Mail local policy
  #
  
- allow nagios_mail_plugin_t self:capability { setuid setgid dac_override };
+-allow nagios_mail_plugin_t self:capability { setuid setgid dac_override };
 -allow nagios_mail_plugin_t self:tcp_socket { accept listen };
++allow nagios_mail_plugin_t self:capability { setuid setgid dac_read_search dac_override };
 +allow nagios_mail_plugin_t self:netlink_route_socket r_netlink_socket_perms;
 +allow nagios_mail_plugin_t self:tcp_socket create_stream_socket_perms;
 +allow nagios_mail_plugin_t self:udp_socket create_socket_perms;
@@ -59358,7 +59719,12 @@ index 7b3e682..c1f487c 100644
  ')
  
  optional_policy(`
-@@ -406,28 +507,36 @@ allow nagios_system_plugin_t self:capability dac_override;
+@@ -402,32 +503,40 @@ optional_policy(`
+ # System local policy
+ #
+ 
+-allow nagios_system_plugin_t self:capability dac_override;
++allow nagios_system_plugin_t self:capability { dac_read_search dac_override };
  dontaudit nagios_system_plugin_t self:capability { setuid setgid };
  
  read_files_pattern(nagios_system_plugin_t, nagios_log_t, nagios_log_t)
@@ -59503,7 +59869,7 @@ index 0000000..8d7c751
 +')
 diff --git a/namespace.te b/namespace.te
 new file mode 100644
-index 0000000..e289f2d
+index 0000000..814e62e
 --- /dev/null
 +++ b/namespace.te
 @@ -0,0 +1,41 @@
@@ -59524,7 +59890,7 @@ index 0000000..e289f2d
 +# namespace_init local policy
 +#
 +
-+allow namespace_init_t self:capability dac_override;
++allow namespace_init_t self:capability { dac_read_search  dac_override};
 +
 +allow namespace_init_t self:fifo_file manage_fifo_file_perms;
 +allow namespace_init_t self:unix_stream_socket create_stream_socket_perms;
@@ -60268,7 +60634,7 @@ index 86dc29d..c7d9376 100644
 +	logging_log_filetrans($1, NetworkManager_var_lib_t, file, "wpa_supplicant.log")
  ')
 diff --git a/networkmanager.te b/networkmanager.te
-index 55f2009..b073836 100644
+index 55f2009..4419e35 100644
 --- a/networkmanager.te
 +++ b/networkmanager.te
 @@ -9,15 +9,18 @@ type NetworkManager_t;
@@ -60302,7 +60668,7 @@ index 55f2009..b073836 100644
 -allow NetworkManager_t self:process { ptrace getcap setcap setpgid getsched setsched signal_perms };
 +# networkmanager will ptrace itself if gdb is installed
 +# and it receives a unexpected signal (rh bug #204161)
-+allow NetworkManager_t self:capability { fowner chown fsetid kill setgid setuid sys_admin sys_nice dac_override net_admin net_raw net_bind_service ipc_lock sys_chroot };
++allow NetworkManager_t self:capability { fowner chown fsetid kill setgid setuid sys_admin sys_nice dac_read_search dac_override net_admin net_raw net_bind_service ipc_lock sys_chroot };
 +dontaudit NetworkManager_t self:capability sys_tty_config;
 +
 +ifdef(`hide_broken_symptoms',`
@@ -60695,7 +61061,7 @@ index 55f2009..b073836 100644
  ')
  
  optional_policy(`
-@@ -338,6 +431,13 @@ optional_policy(`
+@@ -338,12 +431,19 @@ optional_policy(`
  	vpn_relabelfrom_tun_socket(NetworkManager_t)
  ')
  
@@ -60709,6 +61075,13 @@ index 55f2009..b073836 100644
  ########################################
  #
  # wpa_cli local policy
+ #
+ 
+-allow wpa_cli_t self:capability dac_override;
++allow wpa_cli_t self:capability { dac_read_search dac_override };
+ allow wpa_cli_t self:unix_dgram_socket create_socket_perms;
+ 
+ allow wpa_cli_t NetworkManager_t:unix_dgram_socket sendto;
 @@ -357,6 +457,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru
  init_dontaudit_use_fds(wpa_cli_t)
  init_use_script_ptys(wpa_cli_t)
@@ -61162,7 +61535,7 @@ index 46e55c3..afe399a 100644
 +	allow $1 nis_unit_file_t:service all_service_perms;
  ')
 diff --git a/nis.te b/nis.te
-index 3a6b035..ff6d218 100644
+index 3a6b035..5145db5 100644
 --- a/nis.te
 +++ b/nis.te
 @@ -5,8 +5,6 @@ policy_module(nis, 1.12.0)
@@ -61276,7 +61649,12 @@ index 3a6b035..ff6d218 100644
  	init_dbus_chat_script(ypbind_t)
  
  	optional_policy(`
-@@ -149,7 +148,8 @@ allow yppasswdd_t self:capability dac_override;
+@@ -145,11 +144,12 @@ optional_policy(`
+ # yppasswdd local policy
+ #
+ 
+-allow yppasswdd_t self:capability dac_override;
++allow yppasswdd_t self:capability { dac_read_search dac_override };
  dontaudit yppasswdd_t self:capability sys_tty_config;
  allow yppasswdd_t self:fifo_file rw_fifo_file_perms;
  allow yppasswdd_t self:process { getsched setfscreate signal_perms };
@@ -61553,7 +61931,7 @@ index 0000000..e328327
 +')
 diff --git a/nova.te b/nova.te
 new file mode 100644
-index 0000000..a10559b
+index 0000000..2259a51
 --- /dev/null
 +++ b/nova.te
 @@ -0,0 +1,203 @@
@@ -61624,7 +62002,7 @@ index 0000000..a10559b
 +# nova general domain local policy
 +#
 +
-+allow nova_domain self:capability { dac_override net_admin net_bind_service };
++allow nova_domain self:capability { dac_read_search dac_override net_admin net_bind_service };
 +allow nova_domain self:process {  getcap setcap signal_perms setfscreate };
 +allow nova_domain self:fifo_file rw_fifo_file_perms;
 +allow nova_domain self:tcp_socket create_stream_socket_perms;
@@ -62416,7 +62794,7 @@ index a9c60ff..ad4f14a 100644
 +	refpolicywarn(`$0($*) has been deprecated.')
  ')
 diff --git a/nsd.te b/nsd.te
-index 47bb1d2..45ea5b7 100644
+index 47bb1d2..1e55673 100644
 --- a/nsd.te
 +++ b/nsd.te
 @@ -9,9 +9,7 @@ type nsd_t;
@@ -62457,7 +62835,7 @@ index 47bb1d2..45ea5b7 100644
  #
  
 -allow nsd_t self:capability { chown dac_override kill setgid setuid };
-+allow nsd_t self:capability { chown dac_override kill setgid setuid net_admin };
++allow nsd_t self:capability { chown dac_read_search dac_override kill setgid setuid net_admin };
  dontaudit nsd_t self:capability sys_tty_config;
  allow nsd_t self:process signal_perms;
 +allow nsd_t self:tcp_socket create_stream_socket_perms;
@@ -62541,8 +62919,9 @@ index 47bb1d2..45ea5b7 100644
 +# Zone update cron job local policy
  #
  
+-allow nsd_crond_t self:capability { dac_override kill };
 +# kill capability for root cron job and non-root daemon
- allow nsd_crond_t self:capability { dac_override kill };
++allow nsd_crond_t self:capability { dac_read_search dac_override kill };
  dontaudit nsd_crond_t self:capability sys_nice;
  allow nsd_crond_t self:process { setsched signal_perms };
  allow nsd_crond_t self:fifo_file rw_fifo_file_perms;
@@ -62741,7 +63120,7 @@ index 97df768..852d1c6 100644
 +	admin_pattern($1, nslcd_var_run_t, nslcd_var_run_t)
  ')
 diff --git a/nslcd.te b/nslcd.te
-index 421bf1a..fd870fc 100644
+index 421bf1a..1be3b6b 100644
 --- a/nslcd.te
 +++ b/nslcd.te
 @@ -20,12 +20,12 @@ files_config_file(nslcd_conf_t)
@@ -62755,7 +63134,7 @@ index 421bf1a..fd870fc 100644
 -allow nslcd_t self:capability { setgid setuid dac_override };
 -allow nslcd_t self:process signal;
 -allow nslcd_t self:unix_stream_socket { accept listen };
-+allow nslcd_t self:capability { chown dac_override setgid setuid sys_nice };
++allow nslcd_t self:capability { chown dac_read_search dac_override setgid setuid sys_nice };
 +allow nslcd_t self:process { setsched signal signull };
 +allow nslcd_t self:unix_stream_socket create_stream_socket_perms;
  
@@ -63622,7 +64001,7 @@ index 0000000..7d839fe
 +	pulseaudio_setattr_home_dir(nsplugin_t)
 +')
 diff --git a/ntop.te b/ntop.te
-index 8ec7859..6c23623 100644
+index 8ec7859..c696f67 100644
 --- a/ntop.te
 +++ b/ntop.te
 @@ -29,10 +29,11 @@ files_pid_file(ntop_var_run_t)
@@ -63630,7 +64009,7 @@ index 8ec7859..6c23623 100644
  #
  
 -allow ntop_t self:capability { net_raw setgid setuid sys_admin net_admin };
-+allow ntop_t self:capability { net_raw setgid setuid sys_admin net_admin dac_override };
++allow ntop_t self:capability { net_raw setgid setuid sys_admin net_admin dac_read_search dac_override };
  dontaudit ntop_t self:capability sys_tty_config;
  allow ntop_t self:process signal_perms;
  allow ntop_t self:fifo_file rw_fifo_file_perms;
@@ -63931,7 +64310,7 @@ index e96a309..4245308 100644
 +')
 +
 diff --git a/ntp.te b/ntp.te
-index f81b113..6d039fb 100644
+index f81b113..4e9e52e 100644
 --- a/ntp.te
 +++ b/ntp.te
 @@ -18,6 +18,9 @@ role ntpd_roles types ntpd_t;
@@ -63944,7 +64323,14 @@ index f81b113..6d039fb 100644
  type ntp_conf_t;
  files_config_file(ntp_conf_t)
  
-@@ -50,9 +53,12 @@ allow ntpd_t self:process { signal_perms getcap setcap setsched setrlimit };
+@@ -44,15 +47,18 @@ init_system_domain(ntpd_t, ntpdate_exec_t)
+ # Local policy
+ #
+ 
+-allow ntpd_t self:capability { chown dac_override kill setgid setuid sys_time ipc_lock ipc_owner sys_chroot sys_nice sys_resource };
++allow ntpd_t self:capability { chown dac_read_search dac_override kill setgid setuid sys_time ipc_lock ipc_owner sys_chroot sys_nice sys_resource };
+ dontaudit ntpd_t self:capability { net_admin sys_tty_config fsetid sys_nice };
+ allow ntpd_t self:process { signal_perms getcap setcap setsched setrlimit };
  allow ntpd_t self:fifo_file rw_fifo_file_perms;
  allow ntpd_t self:shm create_shm_perms;
  allow ntpd_t self:tcp_socket { accept listen };
@@ -63968,7 +64354,14 @@ index f81b113..6d039fb 100644
  logging_log_filetrans(ntpd_t, ntpd_log_t, { file dir })
  
  manage_dirs_pattern(ntpd_t, ntpd_tmp_t, ntpd_tmp_t)
-@@ -83,21 +87,16 @@ kernel_read_system_state(ntpd_t)
+@@ -77,27 +81,23 @@ manage_files_pattern(ntpd_t, ntpd_var_run_t, ntpd_var_run_t)
+ files_pid_filetrans(ntpd_t, ntpd_var_run_t, file)
+ 
+ can_exec(ntpd_t, ntpd_exec_t)
++can_exec(ntpd_t, ntpdate_exec_t)
+ 
+ kernel_read_kernel_sysctls(ntpd_t)
+ kernel_read_system_state(ntpd_t)
  kernel_read_network_state(ntpd_t)
  kernel_request_load_module(ntpd_t)
  
@@ -63992,7 +64385,7 @@ index f81b113..6d039fb 100644
  
  corecmd_exec_bin(ntpd_t)
  corecmd_exec_shell(ntpd_t)
-@@ -110,13 +109,15 @@ domain_use_interactive_fds(ntpd_t)
+@@ -110,13 +110,15 @@ domain_use_interactive_fds(ntpd_t)
  domain_dontaudit_list_all_domains_state(ntpd_t)
  
  files_read_etc_runtime_files(ntpd_t)
@@ -64009,7 +64402,7 @@ index f81b113..6d039fb 100644
  
  auth_use_nsswitch(ntpd_t)
  
-@@ -124,12 +125,14 @@ init_exec_script_files(ntpd_t)
+@@ -124,12 +126,14 @@ init_exec_script_files(ntpd_t)
  
  logging_send_syslog_msg(ntpd_t)
  
@@ -64026,7 +64419,7 @@ index f81b113..6d039fb 100644
  	cron_system_entry(ntpd_t, ntpdate_exec_t)
  ')
  
-@@ -152,9 +155,18 @@ optional_policy(`
+@@ -152,9 +156,18 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -64365,7 +64758,7 @@ index 57c0161..c554eb6 100644
 +    ps_process_pattern($1, nut_t)
  ')
 diff --git a/nut.te b/nut.te
-index 5b2cb0d..ccaa0d4 100644
+index 5b2cb0d..605b54b 100644
 --- a/nut.te
 +++ b/nut.te
 @@ -7,154 +7,155 @@ policy_module(nut, 1.3.0)
@@ -64409,7 +64802,7 @@ index 5b2cb0d..ccaa0d4 100644
  #
  
 -allow nut_domain self:capability { setgid setuid dac_override kill };
-+allow nut_domain self:capability { setgid setuid dac_override };
++allow nut_domain self:capability { setgid setuid dac_read_search dac_override };
 +
  allow nut_domain self:process signal_perms;
 -allow nut_domain self:fifo_file rw_fifo_file_perms;
@@ -65156,7 +65549,7 @@ index c87bd2a..6180fba 100644
 +	allow $1 oddjob_mkhomedir_exec_t:file entrypoint;
  ')
 diff --git a/oddjob.te b/oddjob.te
-index e403097..9080b3f 100644
+index e403097..c60887d 100644
 --- a/oddjob.te
 +++ b/oddjob.te
 @@ -5,8 +5,6 @@ policy_module(oddjob, 1.10.0)
@@ -65227,7 +65620,8 @@ index e403097..9080b3f 100644
 +# oddjob_mkhomedir local policy
  #
  
- allow oddjob_mkhomedir_t self:capability { chown fowner fsetid dac_override };
+-allow oddjob_mkhomedir_t self:capability { chown fowner fsetid dac_override };
++allow oddjob_mkhomedir_t self:capability { chown fowner fsetid dac_read_search dac_override };
  allow oddjob_mkhomedir_t self:process setfscreate;
  allow oddjob_mkhomedir_t self:fifo_file rw_fifo_file_perms;
 -allow oddjob_mkhomedir_t self:unix_stream_socket { accept listen };
@@ -65766,7 +66160,7 @@ index 0000000..7581b52
 +')
 diff --git a/openfortivpn.te b/openfortivpn.te
 new file mode 100644
-index 0000000..3142896
+index 0000000..5a3c62b
 --- /dev/null
 +++ b/openfortivpn.te
 @@ -0,0 +1,67 @@
@@ -65794,7 +66188,7 @@ index 0000000..3142896
 +#
 +
 +# User certificates are typically not world-readable and are owned by the user
-+allow openfortivpn_t self:capability dac_override;
++allow openfortivpn_t self:capability { dac_read_search dac_override };
 +
 +# Talking to pppd via the PTY
 +allow openfortivpn_t openfortivpn_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms };
@@ -66891,7 +67285,7 @@ index 0000000..c20cac3
 +')
 diff --git a/openshift.te b/openshift.te
 new file mode 100644
-index 0000000..c8e810c
+index 0000000..a98990f
 --- /dev/null
 +++ b/openshift.te
 @@ -0,0 +1,634 @@
@@ -67447,7 +67841,7 @@ index 0000000..c8e810c
 +#
 +# openshift_cron local policy
 +#
-+allow openshift_cron_t self:capability { dac_override net_admin sys_admin };
++allow openshift_cron_t self:capability { dac_read_search dac_override net_admin sys_admin };
 +allow openshift_cron_t self:process signal_perms;
 +allow openshift_cron_t self:tcp_socket create_stream_socket_perms;
 +allow openshift_cron_t self:udp_socket create_socket_perms;
@@ -68836,7 +69230,7 @@ index 0000000..6ae382c
 +
 diff --git a/oracleasm.te b/oracleasm.te
 new file mode 100644
-index 0000000..c4b5ddb
+index 0000000..41f3e07
 --- /dev/null
 +++ b/oracleasm.te
 @@ -0,0 +1,66 @@
@@ -68865,7 +69259,7 @@ index 0000000..c4b5ddb
 +# oracleasm local policy
 +#
 +
-+allow oracleasm_t self:capability { dac_override fsetid fowner chown };
++allow oracleasm_t self:capability { dac_read_search dac_override fsetid fowner chown };
 +allow oracleasm_t self:fifo_file rw_fifo_file_perms;
 +allow oracleasm_t self:unix_stream_socket create_stream_socket_perms;
 +
@@ -69374,7 +69768,7 @@ index 9682d9a..f1f421f 100644
 +	')
  ')
 diff --git a/pacemaker.te b/pacemaker.te
-index 6e6efb6..3dc917d 100644
+index 6e6efb6..d56c049 100644
 --- a/pacemaker.te
 +++ b/pacemaker.te
 @@ -5,6 +5,13 @@ policy_module(pacemaker, 1.1.0)
@@ -69391,7 +69785,7 @@ index 6e6efb6..3dc917d 100644
  type pacemaker_t;
  type pacemaker_exec_t;
  init_daemon_domain(pacemaker_t, pacemaker_exec_t)
-@@ -12,17 +19,20 @@ init_daemon_domain(pacemaker_t, pacemaker_exec_t)
+@@ -12,31 +19,36 @@ init_daemon_domain(pacemaker_t, pacemaker_exec_t)
  type pacemaker_initrc_exec_t;
  init_script_file(pacemaker_initrc_exec_t)
  
@@ -69417,10 +69811,11 @@ index 6e6efb6..3dc917d 100644
  
  ########################################
  #
-@@ -30,13 +40,15 @@ files_pid_file(pacemaker_var_run_t)
+ # Local policy
  #
  
- allow pacemaker_t self:capability { fowner fsetid kill chown dac_override setuid };
+-allow pacemaker_t self:capability { fowner fsetid kill chown dac_override setuid };
++allow pacemaker_t self:capability { fowner fsetid kill chown dac_read_search dac_override setuid };
 +allow pacemaker_t self:capability2 block_suspend;
  allow pacemaker_t self:process { setrlimit signal setpgid };
  allow pacemaker_t self:fifo_file rw_fifo_file_perms;
@@ -69500,13 +69895,15 @@ index 6e097c9..503c97a 100644
  	domain_system_change_exemption($1)
  	role_transition $2 pads_initrc_exec_t system_r;
 diff --git a/pads.te b/pads.te
-index 078adc4..77513a4 100644
+index 078adc4..f0c65e5 100644
 --- a/pads.te
 +++ b/pads.te
-@@ -25,8 +25,11 @@ files_pid_file(pads_var_run_t)
+@@ -24,9 +24,12 @@ files_pid_file(pads_var_run_t)
+ # Declarations
  #
  
- allow pads_t self:capability { dac_override net_raw };
+-allow pads_t self:capability { dac_override net_raw };
++allow pads_t self:capability { dac_read_search  dac_override net_raw };
 +allow pads_t self:netlink_route_socket create_netlink_socket_perms;
  allow pads_t self:packet_socket create_socket_perms;
  allow pads_t self:socket create_socket_perms;
@@ -69732,7 +70129,7 @@ index bf59ef7..0e33327 100644
 +')
 +
 diff --git a/passenger.te b/passenger.te
-index 08ec33b..3ad995c 100644
+index 08ec33b..e73b8a6 100644
 --- a/passenger.te
 +++ b/passenger.te
 @@ -1,4 +1,4 @@
@@ -69759,8 +70156,9 @@ index 08ec33b..3ad995c 100644
 +# passanger local policy
  #
  
- allow passenger_t self:capability { chown dac_override fsetid fowner kill setuid setgid sys_nice sys_ptrace sys_resource };
+-allow passenger_t self:capability { chown dac_override fsetid fowner kill setuid setgid sys_nice sys_ptrace sys_resource };
 -allow passenger_t self:process { setpgid setsched sigkill signal };
++allow passenger_t self:capability { chown dac_read_search dac_override fsetid fowner kill setuid setgid sys_nice sys_ptrace sys_resource };
 +allow passenger_t self:capability2 block_suspend;
 +allow passenger_t self:process { setpgid setsched getsession signal_perms };
  allow passenger_t self:fifo_file rw_fifo_file_perms;
@@ -70094,7 +70492,7 @@ index 0000000..abb250d
 +')
 diff --git a/pcp.te b/pcp.te
 new file mode 100644
-index 0000000..69b47dc
+index 0000000..3729152
 --- /dev/null
 +++ b/pcp.te
 @@ -0,0 +1,313 @@
@@ -70149,7 +70547,7 @@ index 0000000..69b47dc
 +# pcp domain local  policy
 +#
 +
-+allow pcp_domain self:capability { setuid setgid dac_override };
++allow pcp_domain self:capability { setuid setgid dac_read_search dac_override };
 +allow pcp_domain self:process signal_perms;
 +allow pcp_domain self:tcp_socket create_stream_socket_perms;
 +allow pcp_domain self:udp_socket create_socket_perms;
@@ -70849,7 +71247,7 @@ index d2fc677..86dce34 100644
  ')
 +
 diff --git a/pegasus.te b/pegasus.te
-index 608f454..270648d 100644
+index 608f454..8cccfd7 100644
 --- a/pegasus.te
 +++ b/pegasus.te
 @@ -5,13 +5,12 @@ policy_module(pegasus, 1.9.0)
@@ -70929,7 +71327,7 @@ index 608f454..270648d 100644
 +# pegasus openlmi account local policy
 +#
 +
-+allow pegasus_openlmi_account_t self:capability { chown dac_override fowner fsetid };
++allow pegasus_openlmi_account_t self:capability { chown dac_read_search dac_override fowner fsetid };
 +allow pegasus_openlmi_account_t self:process setfscreate;
 +
 +auth_manage_passwd(pegasus_openlmi_account_t)
@@ -70966,7 +71364,7 @@ index 608f454..270648d 100644
 +# pegasus openlmi logicalfile local policy
 +#
 +
-+allow pegasus_openlmi_logicalfile_t self:capability { dac_override };
++allow pegasus_openlmi_logicalfile_t self:capability { dac_read_search dac_override };
 +files_manage_non_security_dirs(pegasus_openlmi_logicalfile_t)
 +files_manage_non_security_files(pegasus_openlmi_logicalfile_t)
 +
@@ -71193,7 +71591,7 @@ index 608f454..270648d 100644
  #
  
 -allow pegasus_t self:capability { chown kill ipc_lock sys_nice setuid setgid dac_override net_admin net_bind_service };
-+allow pegasus_t self:capability { chown kill ipc_lock sys_nice setuid setgid dac_override net_admin net_bind_service sys_ptrace };
++allow pegasus_t self:capability { chown kill ipc_lock sys_nice setuid setgid dac_read_search dac_override net_admin net_bind_service sys_ptrace };
  dontaudit pegasus_t self:capability sys_tty_config;
 -allow pegasus_t self:process signal;
 +allow pegasus_t self:process { setsched signal };
@@ -73022,7 +73420,7 @@ index 0000000..f18fcc6
 +')
 diff --git a/pki.te b/pki.te
 new file mode 100644
-index 0000000..94da39a
+index 0000000..cde75a2
 --- /dev/null
 +++ b/pki.te
 @@ -0,0 +1,285 @@
@@ -73100,7 +73498,7 @@ index 0000000..94da39a
 +# pki-tomcat local policy
 +#
 +
-+allow pki_tomcat_t self:capability { setuid chown setgid fowner audit_write dac_override sys_nice fsetid };
++allow pki_tomcat_t self:capability { setuid chown setgid fowner audit_write dac_read_search dac_override sys_nice fsetid };
 +dontaudit  pki_tomcat_t self:capability net_admin;
 +allow pki_tomcat_t self:process { signal setsched signull execmem setfscreate };
 +
@@ -73235,7 +73633,7 @@ index 0000000..94da39a
 +#
 +
 +
-+allow pki_apache_domain self:capability { setuid sys_nice setgid dac_override fowner fsetid kill chown};
++allow pki_apache_domain self:capability { setuid sys_nice setgid dac_read_search dac_override fowner fsetid kill chown};
 +allow pki_apache_domain self:process { setsched signal getsched  signull execstack execmem sigkill};
 +
 +allow pki_apache_domain self:sem all_sem_perms;
@@ -73653,7 +74051,7 @@ index 30e751f..61feb3a 100644
  	admin_pattern($1, plymouthd_var_run_t)
  ')
 diff --git a/plymouthd.te b/plymouthd.te
-index 3078ce9..c57d1cf 100644
+index 3078ce9..ac0b7a5 100644
 --- a/plymouthd.te
 +++ b/plymouthd.te
 @@ -15,7 +15,7 @@ type plymouthd_exec_t;
@@ -73676,7 +74074,7 @@ index 3078ce9..c57d1cf 100644
  allow plymouthd_t self:capability { sys_admin sys_tty_config };
 -dontaudit plymouthd_t self:capability dac_override;
  allow plymouthd_t self:capability2 block_suspend;
-+dontaudit plymouthd_t self:capability dac_override;
++dontaudit plymouthd_t self:capability{ dac_read_search  dac_override };
  allow plymouthd_t self:process { signal getsched };
 +allow plymouthd_t self:netlink_kobject_uevent_socket create_socket_perms;
  allow plymouthd_t self:fifo_file rw_fifo_file_perms;
@@ -73774,14 +74172,16 @@ index 3078ce9..c57d1cf 100644
  		hal_dontaudit_write_log(plymouth_t)
  		hal_dontaudit_rw_pipes(plymouth_t)
 diff --git a/podsleuth.te b/podsleuth.te
-index 9123f71..c06ace5 100644
+index 9123f71..232e28a 100644
 --- a/podsleuth.te
 +++ b/podsleuth.te
-@@ -29,7 +29,8 @@ userdom_user_tmpfs_file(podsleuth_tmpfs_t)
+@@ -28,8 +28,9 @@ userdom_user_tmpfs_file(podsleuth_tmpfs_t)
+ # Local policy
  #
  
- allow podsleuth_t self:capability { kill dac_override sys_admin sys_rawio };
+-allow podsleuth_t self:capability { kill dac_override sys_admin sys_rawio };
 -allow podsleuth_t self:process { ptrace signal signull getsched execheap execmem execstack };
++allow podsleuth_t self:capability { kill dac_read_search dac_override sys_admin sys_rawio };
 +allow podsleuth_t self:process { signal signull getsched execheap execmem execstack };
 +
  allow podsleuth_t self:fifo_file rw_fifo_file_perms;
@@ -74952,19 +75352,23 @@ index 9764bfe..8870de7 100644
  
 -miscfiles_read_localization(polipo_daemon)
 diff --git a/portage.if b/portage.if
-index 67e8c12..18b89d7 100644
+index 67e8c12..058c994 100644
 --- a/portage.if
 +++ b/portage.if
-@@ -67,6 +67,7 @@ interface(`portage_compile_domain',`
+@@ -67,9 +67,10 @@ interface(`portage_compile_domain',`
  		class dbus send_msg;
  		type portage_devpts_t, portage_log_t, portage_srcrepo_t, portage_tmp_t;
  		type portage_tmpfs_t;
 +		type portage_sandbox_t;
  	')
  
- 	allow $1 self:capability { fowner fsetid mknod setgid setuid chown dac_override net_raw };
+-	allow $1 self:capability { fowner fsetid mknod setgid setuid chown dac_override net_raw };
++	allow $1 self:capability { fowner fsetid mknod setgid setuid chown dac_read_search dac_override net_raw };
+ 	dontaudit $1 self:capability sys_chroot;
+ 	allow $1 self:process { setpgid setsched setrlimit signal_perms execmem setfscreate };
+ 	allow $1 self:process ~{ ptrace setcurrent setexec setrlimit execmem execstack execheap };
 diff --git a/portage.te b/portage.te
-index b410c67..2713b26 100644
+index b410c67..f1ec41d 100644
 --- a/portage.te
 +++ b/portage.te
 @@ -108,7 +108,6 @@ domain_use_interactive_fds(gcc_config_t)
@@ -74975,6 +75379,15 @@ index b410c67..2713b26 100644
  files_search_var_lib(gcc_config_t)
  files_search_pids(gcc_config_t)
  # complains loudly about not being able to list
+@@ -239,7 +238,7 @@ dontaudit portage_t device_type:blk_file read_blk_file_perms;
+ #
+ 
+ allow portage_fetch_t self:process signal;
+-allow portage_fetch_t self:capability { dac_override fowner fsetid chown };
++allow portage_fetch_t self:capability { dac_read_search dac_override fowner fsetid chown };
+ allow portage_fetch_t self:fifo_file rw_fifo_file_perms;
+ allow portage_fetch_t self:tcp_socket { accept listen };
+ allow portage_fetch_t self:unix_stream_socket create_socket_perms;
 @@ -291,7 +290,6 @@ dev_dontaudit_read_rand(portage_fetch_t)
  domain_use_interactive_fds(portage_fetch_t)
  
@@ -75210,7 +75623,7 @@ index c0e8785..3070aa0 100644
 +/var/spool/postfix/bounce(/.*)? gen_context(system_u:object_r:postfix_spool_bounce_t,s0)
 +/var/spool/postfix/flush(/.*)?	gen_context(system_u:object_r:postfix_spool_t,s0)
 diff --git a/postfix.if b/postfix.if
-index ded95ec..3cf7146 100644
+index ded95ec..db49c57 100644
 --- a/postfix.if
 +++ b/postfix.if
 @@ -1,4 +1,4 @@
@@ -75304,7 +75717,7 @@ index ded95ec..3cf7146 100644
 -	#
 -	# Declarations
 -	#
-+	allow postfix_$1_t self:capability { setuid setgid sys_chroot dac_override };
++	allow postfix_$1_t self:capability { setuid setgid sys_chroot dac_read_search dac_override };
 +	allow postfix_$1_t postfix_master_t:unix_stream_socket { connectto rw_stream_socket_perms };
 +	allow postfix_$1_t self:tcp_socket create_socket_perms;
 +	allow postfix_$1_t self:udp_socket create_socket_perms;
@@ -75361,7 +75774,8 @@ index ded95ec..3cf7146 100644
 -	# Policy
 -	#
 -
- 	allow postfix_$1_t self:capability dac_override;
+-	allow postfix_$1_t self:capability dac_override;
++	allow postfix_$1_t self:capability { dac_read_search dac_override };
  
  	domtrans_pattern(postfix_user_domtrans, postfix_$1_exec_t, postfix_$1_t)
  
@@ -76094,7 +76508,7 @@ index ded95ec..3cf7146 100644
 +	postfix_config_filetrans($1, postfix_prng_t, file, "prng_exch")
  ')
 diff --git a/postfix.te b/postfix.te
-index 5cfb83e..4273d32 100644
+index 5cfb83e..87a1d85 100644
 --- a/postfix.te
 +++ b/postfix.te
 @@ -6,27 +6,23 @@ policy_module(postfix, 1.15.1)
@@ -76287,7 +76701,7 @@ index 5cfb83e..4273d32 100644
 -allow postfix_master_t self:capability { chown dac_override kill fowner setgid setuid sys_tty_config };
 +dontaudit postfix_master_t self:capability { net_admin };
 +# chown is to set the correct ownership of queue dirs
-+allow postfix_master_t self:capability { chown dac_override kill setgid setuid net_bind_service sys_tty_config };
++allow postfix_master_t self:capability { chown dac_read_search dac_override kill setgid setuid net_bind_service sys_tty_config };
  allow postfix_master_t self:capability2 block_suspend;
 +
  allow postfix_master_t self:process setrlimit;
@@ -76612,14 +77026,15 @@ index 5cfb83e..4273d32 100644
 -# Map local policy
 +# Postfix map local policy
  #
--
- allow postfix_map_t self:capability { dac_override setgid setuid };
--allow postfix_map_t self:tcp_socket { accept listen };
++allow postfix_map_t self:capability { dac_read_search dac_override setgid setuid };
 +allow postfix_map_t self:unix_stream_socket create_stream_socket_perms;
 +allow postfix_map_t self:unix_dgram_socket create_socket_perms;
 +allow postfix_map_t self:tcp_socket create_stream_socket_perms;
 +allow postfix_map_t self:udp_socket create_socket_perms;
  
+-allow postfix_map_t self:capability { dac_override setgid setuid };
+-allow postfix_map_t self:tcp_socket { accept listen };
+-
 -allow postfix_map_t postfix_etc_t:dir manage_dir_perms;
 -allow postfix_map_t postfix_etc_t:file manage_file_perms;
 -allow postfix_map_t postfix_etc_t:lnk_file manage_lnk_file_perms;
@@ -77138,7 +77553,7 @@ index b9e71b5..a7502cd 100644
  	domain_system_change_exemption($1)
  	role_transition $2 postgrey_initrc_exec_t system_r;
 diff --git a/postgrey.te b/postgrey.te
-index fd58805..3b2474d 100644
+index fd58805..2ff8a1e 100644
 --- a/postgrey.te
 +++ b/postgrey.te
 @@ -16,7 +16,7 @@ type postgrey_initrc_exec_t;
@@ -77150,6 +77565,15 @@ index fd58805..3b2474d 100644
  
  type postgrey_var_lib_t;
  files_type(postgrey_var_lib_t)
+@@ -29,7 +29,7 @@ files_pid_file(postgrey_var_run_t)
+ # Local policy
+ #
+ 
+-allow postgrey_t self:capability { chown dac_override setgid setuid };
++allow postgrey_t self:capability { chown dac_read_search dac_override setgid setuid };
+ dontaudit postgrey_t self:capability sys_tty_config;
+ allow postgrey_t self:process signal_perms;
+ allow postgrey_t self:fifo_file create_fifo_file_perms;
 @@ -57,7 +57,6 @@ kernel_read_kernel_sysctls(postgrey_t)
  
  corecmd_search_bin(postgrey_t)
@@ -77742,7 +78166,7 @@ index cd8b8b9..2cfa88a 100644
 +	allow $1 pppd_unit_file_t:service all_service_perms;
  ')
 diff --git a/ppp.te b/ppp.te
-index d616ca3..76f9b25 100644
+index d616ca3..0b38ca5 100644
 --- a/ppp.te
 +++ b/ppp.te
 @@ -6,41 +6,47 @@ policy_module(ppp, 1.14.0)
@@ -77826,7 +78250,7 @@ index d616ca3..76f9b25 100644
  #
  
 -allow pppd_t self:capability { kill net_admin setuid setgid sys_admin fsetid fowner net_raw dac_override sys_nice };
-+allow pppd_t self:capability { kill net_admin setuid setgid sys_admin fsetid fowner net_raw dac_override sys_nice sys_chroot };
++allow pppd_t self:capability { kill net_admin setuid setgid sys_admin fsetid fowner net_raw dac_read_search dac_override sys_nice sys_chroot };
  dontaudit pppd_t self:capability sys_tty_config;
 -allow pppd_t self:process { getsched setsched signal };
 +dontaudit pppd_t self:capability2 block_suspend;
@@ -78266,7 +78690,7 @@ index 20d4697..e6605c1 100644
 +	files_etc_filetrans($1, prelink_cache_t, file, "prelink.cache")
 +')
 diff --git a/prelink.te b/prelink.te
-index 8e26216..98068fc 100644
+index 8e26216..c1d33ac 100644
 --- a/prelink.te
 +++ b/prelink.te
 @@ -6,13 +6,10 @@ policy_module(prelink, 1.11.0)
@@ -78283,7 +78707,15 @@ index 8e26216..98068fc 100644
  
  type prelink_cache_t;
  files_type(prelink_cache_t)
-@@ -47,24 +44,27 @@ allow prelink_t self:fifo_file rw_fifo_file_perms;
+@@ -40,31 +37,34 @@ files_type(prelink_var_lib_t)
+ # Local policy
+ #
+ 
+-allow prelink_t self:capability { chown dac_override fowner fsetid setfcap sys_resource };
++allow prelink_t self:capability { chown dac_read_search dac_override fowner fsetid setfcap sys_resource };
+ allow prelink_t self:process { execheap execmem execstack signal };
+ allow prelink_t self:fifo_file rw_fifo_file_perms;
+ 
  allow prelink_t prelink_cache_t:file manage_file_perms;
  files_etc_filetrans(prelink_t, prelink_cache_t, file)
  
@@ -78648,7 +79080,7 @@ index c83a838..f41a4f7 100644
  	admin_pattern($1, prelude_lml_tmp_t)
  ')
 diff --git a/prelude.te b/prelude.te
-index 8f44609..e1f4f70 100644
+index 8f44609..dd70653 100644
 --- a/prelude.te
 +++ b/prelude.te
 @@ -13,7 +13,7 @@ type prelude_initrc_exec_t;
@@ -78660,6 +79092,15 @@ index 8f44609..e1f4f70 100644
  
  type prelude_log_t;
  logging_log_file(prelude_log_t)
+@@ -54,7 +54,7 @@ files_pid_file(prelude_lml_var_run_t)
+ # Prelude local policy
+ #
+ 
+-allow prelude_t self:capability { dac_override sys_tty_config };
++allow prelude_t self:capability { dac_read_search dac_override sys_tty_config };
+ allow prelude_t self:fifo_file rw_fifo_file_perms;
+ allow prelude_t self:unix_stream_socket { accept listen };
+ allow prelude_t self:tcp_socket { accept listen };
 @@ -81,7 +81,6 @@ kernel_read_sysctl(prelude_t)
  
  corecmd_search_bin(prelude_t)
@@ -78685,6 +79126,15 @@ index 8f44609..e1f4f70 100644
  optional_policy(`
  	mysql_stream_connect(prelude_t)
  	mysql_tcp_connect(prelude_t)
+@@ -125,7 +121,7 @@ optional_policy(`
+ # Audisp local policy
+ #
+ 
+-allow prelude_audisp_t self:capability { dac_override ipc_lock setpcap };
++allow prelude_audisp_t self:capability { dac_read_search dac_override ipc_lock setpcap };
+ allow prelude_audisp_t self:process { getcap setcap };
+ allow prelude_audisp_t self:fifo_file rw_fifo_file_perms;
+ allow prelude_audisp_t self:unix_stream_socket { accept listen };
 @@ -141,7 +137,6 @@ kernel_read_system_state(prelude_audisp_t)
  
  corecmd_search_bin(prelude_audisp_t)
@@ -78709,6 +79159,15 @@ index 8f44609..e1f4f70 100644
  sysnet_dns_name_resolve(prelude_audisp_t)
  
  ########################################
+@@ -171,7 +163,7 @@ sysnet_dns_name_resolve(prelude_audisp_t)
+ # Correlator local policy
+ #
+ 
+-allow prelude_correlator_t self:capability dac_override;
++allow prelude_correlator_t self:capability { dac_read_search dac_override };
+ allow prelude_correlator_t self:tcp_socket { accept listen };
+ 
+ manage_dirs_pattern(prelude_correlator_t, prelude_spool_t, prelude_spool_t)
 @@ -184,7 +176,6 @@ kernel_read_sysctl(prelude_correlator_t)
  
  corecmd_search_bin(prelude_correlator_t)
@@ -78732,10 +79191,12 @@ index 8f44609..e1f4f70 100644
  sysnet_dns_name_resolve(prelude_correlator_t)
  
  ########################################
-@@ -212,6 +199,8 @@ sysnet_dns_name_resolve(prelude_correlator_t)
+@@ -211,7 +198,9 @@ sysnet_dns_name_resolve(prelude_correlator_t)
+ # Lml local declarations
  #
  
- allow prelude_lml_t self:capability dac_override;
+-allow prelude_lml_t self:capability dac_override;
++allow prelude_lml_t self:capability { dac_read_search dac_override };
 +allow prelude_lml_t self:tcp_socket { setopt create_socket_perms };
 +allow prelude_lml_t self:unix_dgram_socket create_socket_perms;
  allow prelude_lml_t self:fifo_file rw_fifo_file_perms;
@@ -79009,7 +79470,7 @@ index 00edeab..166e9c3 100644
 +	read_files_pattern($1, procmail_home_t, procmail_home_t)
  ')
 diff --git a/procmail.te b/procmail.te
-index cc426e6..fe5d842 100644
+index cc426e6..91a1f53 100644
 --- a/procmail.te
 +++ b/procmail.te
 @@ -14,7 +14,7 @@ type procmail_home_t;
@@ -79021,8 +79482,12 @@ index cc426e6..fe5d842 100644
  
  type procmail_tmp_t;
  files_tmp_file(procmail_tmp_t)
-@@ -27,10 +27,14 @@ files_tmp_file(procmail_tmp_t)
- allow procmail_t self:capability { sys_nice chown fsetid setuid setgid dac_override };
+@@ -24,13 +24,17 @@ files_tmp_file(procmail_tmp_t)
+ # Local policy
+ #
+ 
+-allow procmail_t self:capability { sys_nice chown fsetid setuid setgid dac_override };
++allow procmail_t self:capability { sys_nice chown fsetid setuid setgid dac_read_search dac_override };
  allow procmail_t self:process { setsched signal signull };
  allow procmail_t self:fifo_file rw_fifo_file_perms;
 -allow procmail_t self:tcp_socket { accept listen };
@@ -79743,9 +80208,18 @@ index d4dcf78..3cce82e 100644
  	admin_pattern($1, psad_tmp_t)
  ')
 diff --git a/psad.te b/psad.te
-index b5d717b..0de086e 100644
+index b5d717b..9fd153b 100644
 --- a/psad.te
 +++ b/psad.te
+@@ -32,7 +32,7 @@ files_tmp_file(psad_tmp_t)
+ # Local policy
+ #
+ 
+-allow psad_t self:capability { net_admin net_raw setuid setgid dac_override };
++allow psad_t self:capability { net_admin net_raw setuid setgid dac_read_search dac_override };
+ dontaudit psad_t self:capability sys_tty_config;
+ allow psad_t self:process signal_perms;
+ allow psad_t self:fifo_file rw_fifo_file_perms;
 @@ -66,7 +66,6 @@ kernel_read_net_sysctls(psad_t)
  corecmd_exec_bin(psad_t)
  corecmd_exec_shell(psad_t)
@@ -79789,6 +80263,19 @@ index 28d2abc..c2cfb5e 100644
  
 -miscfiles_read_localization(ptchown_t)
 +auth_read_passwd(ptchown_t)
+diff --git a/publicfile.te b/publicfile.te
+index 3246bef..dd66a21 100644
+--- a/publicfile.te
++++ b/publicfile.te
+@@ -17,7 +17,7 @@ files_type(publicfile_content_t)
+ # Local policy
+ #
+ 
+-allow publicfile_t self:capability { dac_override setgid setuid sys_chroot };
++allow publicfile_t self:capability { dac_read_search  dac_override setgid setuid sys_chroot };
+ 
+ allow publicfile_t publicfile_content_t:dir list_dir_perms;
+ allow publicfile_t publicfile_content_t:file read_file_perms;
 diff --git a/pulseaudio.fc b/pulseaudio.fc
 index 6864479..0e7d875 100644
 --- a/pulseaudio.fc
@@ -80899,7 +81386,7 @@ index 7cb8b1f..bef7217 100644
 +    allow $1 puppet_var_run_t:dir search_dir_perms;
  ')
 diff --git a/puppet.te b/puppet.te
-index 618dcfe..bba4a3e 100644
+index 618dcfe..d5d0cfc 100644
 --- a/puppet.te
 +++ b/puppet.te
 @@ -6,25 +6,32 @@ policy_module(puppet, 1.4.0)
@@ -81065,7 +81552,7 @@ index 618dcfe..bba4a3e 100644
 -
 -tunable_policy(`puppet_manage_all_files',`
 -	files_manage_non_auth_files(puppet_t)
-+allow puppetagent_t self:capability { fowner fsetid setuid setgid dac_override sys_nice sys_tty_config };
++allow puppetagent_t self:capability { fowner fsetid setuid setgid dac_read_search dac_override sys_nice sys_tty_config };
 +allow puppetagent_t self:process { signal signull getsched setsched };
 +allow puppetagent_t self:fifo_file rw_fifo_file_perms;
 +allow puppetagent_t self:netlink_route_socket create_netlink_socket_perms;
@@ -81241,7 +81728,8 @@ index 618dcfe..bba4a3e 100644
 +# PuppetCA personal policy
  #
  
- allow puppetca_t self:capability { dac_override setgid setuid };
+-allow puppetca_t self:capability { dac_override setgid setuid };
++allow puppetca_t self:capability { dac_read_search dac_override setgid setuid };
  allow puppetca_t self:fifo_file rw_fifo_file_perms;
  
 -allow puppetca_t puppet_etc_t:dir list_dir_perms;
@@ -83995,7 +84483,7 @@ index afc0068..589a7fd 100644
 +	')
  ')
 diff --git a/quantum.te b/quantum.te
-index 8644d8b..e39f835 100644
+index 8644d8b..97a9b7e 100644
 --- a/quantum.te
 +++ b/quantum.te
 @@ -5,92 +5,183 @@ policy_module(quantum, 1.1.0)
@@ -84085,7 +84573,7 @@ index 8644d8b..e39f835 100644
 -
 -dev_list_sysfs(quantum_t)
 -dev_read_urand(quantum_t)
-+allow neutron_t self:capability { chown dac_override sys_ptrace kill setgid setuid sys_resource net_admin sys_admin net_raw net_bind_service};
++allow neutron_t self:capability { chown dac_read_search dac_override sys_ptrace kill setgid setuid sys_resource net_admin sys_admin net_raw net_bind_service};
 +allow neutron_t self:capability2 block_suspend;
 +allow neutron_t self:process { setsched setrlimit setcap signal_perms };
 +
@@ -84528,7 +85016,7 @@ index da64218..3fb8575 100644
 +    domtrans_pattern($1, quota_nld_exec_t, quota_nld_t)
  ')
 diff --git a/quota.te b/quota.te
-index f47c8e8..af09c76 100644
+index f47c8e8..ba74734 100644
 --- a/quota.te
 +++ b/quota.te
 @@ -5,12 +5,10 @@ policy_module(quota, 1.6.0)
@@ -84556,7 +85044,12 @@ index f47c8e8..af09c76 100644
  type quota_nld_var_run_t;
  files_pid_file(quota_nld_var_run_t)
  
-@@ -37,6 +32,7 @@ allow quota_t self:capability { sys_admin dac_override };
+@@ -33,10 +28,11 @@ files_pid_file(quota_nld_var_run_t)
+ # Local policy
+ #
+ 
+-allow quota_t self:capability { sys_admin dac_override };
++allow quota_t self:capability { sys_admin dac_read_search dac_override };
  dontaudit quota_t self:capability sys_tty_config;
  allow quota_t self:process signal_perms;
  
@@ -84990,7 +85483,7 @@ index 4460582..4c66c25 100644
 +
  ')
 diff --git a/radius.te b/radius.te
-index 403a4fe..c659271 100644
+index 403a4fe..193195e 100644
 --- a/radius.te
 +++ b/radius.te
 @@ -5,6 +5,13 @@ policy_module(radius, 1.13.0)
@@ -85020,7 +85513,7 @@ index 403a4fe..c659271 100644
  #
  
 -allow radiusd_t self:capability { chown dac_override fsetid kill setgid setuid sys_resource sys_tty_config };
-+allow radiusd_t self:capability { chown dac_override fsetid kill setgid setuid sys_resource sys_tty_config sys_ptrace };
++allow radiusd_t self:capability { chown dac_read_search dac_override fsetid kill setgid setuid sys_resource sys_tty_config sys_ptrace };
  dontaudit radiusd_t self:capability sys_tty_config;
 -allow radiusd_t self:process { getsched setrlimit setsched sigkill signal };
 +allow radiusd_t self:process { getsched setrlimit setsched sigkill signal ptrace};
@@ -85179,7 +85672,7 @@ index ac7058d..48739ac 100644
  	init_labeled_script_domtrans($1, radvd_initrc_exec_t)
  	domain_system_change_exemption($1)
 diff --git a/radvd.te b/radvd.te
-index 6d162e4..9027807 100644
+index 6d162e4..502ca16 100644
 --- a/radvd.te
 +++ b/radvd.te
 @@ -22,7 +22,7 @@ files_pid_file(radvd_var_run_t)
@@ -85187,7 +85680,7 @@ index 6d162e4..9027807 100644
  #
  
 -allow radvd_t self:capability { kill setgid setuid net_raw net_admin };
-+allow radvd_t self:capability { kill setgid setuid net_raw net_admin dac_override };
++allow radvd_t self:capability { kill setgid setuid net_raw net_admin dac_read_search dac_override };
  dontaudit radvd_t self:capability sys_tty_config;
  allow radvd_t self:process signal_perms;
  allow radvd_t self:fifo_file rw_fifo_file_perms;
@@ -85445,7 +85938,7 @@ index 951db7f..00e699d 100644
 +    files_etc_filetrans($1, mdadm_conf_t, file, "mdadm.conf.anacbak")
  ')
 diff --git a/raid.te b/raid.te
-index c99753f..6d4d0e9 100644
+index c99753f..55294ac 100644
 --- a/raid.te
 +++ b/raid.te
 @@ -15,54 +15,104 @@ role mdadm_roles types mdadm_t;
@@ -85476,9 +85969,10 @@ index c99753f..6d4d0e9 100644
  # Local policy
  #
  
- allow mdadm_t self:capability { dac_override sys_admin ipc_lock };
+-allow mdadm_t self:capability { dac_override sys_admin ipc_lock };
 -dontaudit mdadm_t self:capability sys_tty_config;
 -allow mdadm_t self:process { getsched setsched signal_perms };
++allow mdadm_t self:capability { dac_read_search dac_override sys_admin ipc_lock };
 +dontaudit mdadm_t self:capability { sys_tty_config sys_ptrace };
 +allow mdadm_t self:process { getsched setsched sigchld sigkill sigstop signull signal };
  allow mdadm_t self:fifo_file rw_fifo_file_perms;
@@ -87361,10 +87855,10 @@ index a9ce68e..92520aa 100644
 +	allow $1 remote_login_t:process signull;
  ')
 diff --git a/remotelogin.te b/remotelogin.te
-index ae30871..43fd6e8 100644
+index ae30871..15a669c 100644
 --- a/remotelogin.te
 +++ b/remotelogin.te
-@@ -10,12 +10,9 @@ domain_interactive_fd(remote_login_t)
+@@ -10,81 +10,89 @@ domain_interactive_fd(remote_login_t)
  auth_login_pgm_domain(remote_login_t)
  auth_login_entry_type(remote_login_t)
  
@@ -87377,8 +87871,9 @@ index ae30871..43fd6e8 100644
 +# Remote login remote policy
  #
  
- allow remote_login_t self:capability { dac_override chown fowner fsetid kill setgid setuid net_bind_service sys_nice sys_resource sys_tty_config };
-@@ -23,68 +20,79 @@ allow remote_login_t self:process ~{ ptrace setcurrent setexec setfscreate setrl
+-allow remote_login_t self:capability { dac_override chown fowner fsetid kill setgid setuid net_bind_service sys_nice sys_resource sys_tty_config };
++allow remote_login_t self:capability { dac_read_search dac_read_search dac_override chown fowner fsetid kill setgid setuid net_bind_service sys_nice sys_resource sys_tty_config };
+ allow remote_login_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  allow remote_login_t self:process { setrlimit setexec };
  allow remote_login_t self:fd use;
  allow remote_login_t self:fifo_file rw_fifo_file_perms;
@@ -87476,9 +87971,18 @@ index ae30871..43fd6e8 100644
  ')
  
 diff --git a/resmgr.te b/resmgr.te
-index f6eb358..e4fc73d 100644
+index f6eb358..b631919 100644
 --- a/resmgr.te
 +++ b/resmgr.te
+@@ -23,7 +23,7 @@ files_pid_file(resmgrd_var_run_t)
+ # Local policy
+ #
+ 
+-allow resmgrd_t self:capability { dac_override sys_admin sys_rawio };
++allow resmgrd_t self:capability { dac_read_search dac_override sys_admin sys_rawio };
+ dontaudit resmgrd_t self:capability sys_tty_config;
+ allow resmgrd_t self:process signal_perms;
+ 
 @@ -42,7 +42,6 @@ dev_getattr_scanner_dev(resmgrd_t)
  
  domain_use_interactive_fds(resmgrd_t)
@@ -87723,7 +88227,7 @@ index 1c2f9aa..a4133dc 100644
 +    allow $1 rgmanager_var_lib_t:dir search_dir_perms;
 +')
 diff --git a/rgmanager.te b/rgmanager.te
-index c8a1e16..2d409bf 100644
+index c8a1e16..f9d6fb3 100644
 --- a/rgmanager.te
 +++ b/rgmanager.te
 @@ -6,10 +6,9 @@ policy_module(rgmanager, 1.3.0)
@@ -87758,7 +88262,8 @@ index c8a1e16..2d409bf 100644
 +# rgmanager local policy
  #
  
- allow rgmanager_t self:capability { dac_override net_raw sys_resource sys_admin sys_nice ipc_lock };
+-allow rgmanager_t self:capability { dac_override net_raw sys_resource sys_admin sys_nice ipc_lock };
++allow rgmanager_t self:capability { dac_read_search dac_override net_raw sys_resource sys_admin sys_nice ipc_lock };
  allow rgmanager_t self:process { setsched signal };
 +
  allow rgmanager_t self:fifo_file rw_fifo_file_perms;
@@ -88958,7 +89463,7 @@ index c8bdea2..beb2872 100644
 +	allow $1 haproxy_unit_file_t:service {status start};
  ')
 diff --git a/rhcs.te b/rhcs.te
-index 6cf79c4..5e106cf 100644
+index 6cf79c4..0dbfae6 100644
 --- a/rhcs.te
 +++ b/rhcs.te
 @@ -20,6 +20,35 @@ gen_tunable(fenced_can_network_connect, false)
@@ -89078,7 +89583,7 @@ index 6cf79c4..5e106cf 100644
 +# cluster domain local policy
 +#
 +
-+allow cluster_t self:capability { dac_override fowner setuid setgid sys_nice sys_admin sys_resource ipc_lock ipc_owner };
++allow cluster_t self:capability { dac_read_search dac_override fowner setuid setgid sys_nice sys_admin sys_resource ipc_lock ipc_owner };
 +# for hearbeat
 +allow cluster_t self:capability { net_raw chown };
 +allow cluster_t self:capability2 block_suspend;
@@ -89298,7 +89803,7 @@ index 6cf79c4..5e106cf 100644
  #
  
 -allow dlm_controld_t self:capability { net_admin sys_admin sys_resource };
-+allow dlm_controld_t self:capability { dac_override net_admin sys_admin sys_resource };
++allow dlm_controld_t self:capability { dac_read_search dac_override net_admin sys_admin sys_resource };
  allow dlm_controld_t self:netlink_kobject_uevent_socket create_socket_perms;
  
 +files_pid_filetrans(dlm_controld_t, dlm_controld_var_run_t, dir)
@@ -89500,7 +90005,7 @@ index 6cf79c4..5e106cf 100644
 +#
 +
 +# bug in haproxy and process vs pid owner
-+allow haproxy_t self:capability { dac_override kill };
++allow haproxy_t self:capability { dac_read_search dac_override kill };
 +
 +allow haproxy_t self:capability { chown fowner setgid setuid sys_chroot sys_resource net_admin net_raw };
 +allow haproxy_t self:capability2 block_suspend;
@@ -90774,7 +91279,7 @@ index 2ab3ed1..23d579c 100644
  	role_transition $2 ricci_initrc_exec_t system_r;
  	allow $2 system_r;
 diff --git a/ricci.te b/ricci.te
-index 0ba2569..64a0237 100644
+index 0ba2569..161850d 100644
 --- a/ricci.te
 +++ b/ricci.te
 @@ -115,7 +115,6 @@ kernel_read_system_state(ricci_t)
@@ -90875,6 +91380,15 @@ index 0ba2569..64a0237 100644
  
  optional_policy(`
  	oddjob_system_entry(ricci_modrpm_t, ricci_modrpm_exec_t)
+@@ -418,7 +401,7 @@ optional_policy(`
+ # Modservice local policy
+ #
+ 
+-allow ricci_modservice_t self:capability { dac_override sys_nice };
++allow ricci_modservice_t self:capability {dac_read_search  dac_override sys_nice };
+ allow ricci_modservice_t self:process setsched;
+ allow ricci_modservice_t self:fifo_file rw_fifo_file_perms;
+ 
 @@ -428,14 +411,13 @@ kernel_read_system_state(ricci_modservice_t)
  corecmd_exec_bin(ricci_modservice_t)
  corecmd_exec_shell(ricci_modservice_t)
@@ -91263,11 +91777,15 @@ index 050479d..0e1b364 100644
  		type rlogind_home_t;
  	')
 diff --git a/rlogin.te b/rlogin.te
-index ee27948..c2826a1 100644
+index ee27948..34d2ee9 100644
 --- a/rlogin.te
 +++ b/rlogin.te
-@@ -34,7 +34,9 @@ files_pid_file(rlogind_var_run_t)
- allow rlogind_t self:capability { fsetid chown fowner setuid setgid sys_tty_config dac_override };
+@@ -31,10 +31,12 @@ files_pid_file(rlogind_var_run_t)
+ # Local policy
+ #
+ 
+-allow rlogind_t self:capability { fsetid chown fowner setuid setgid sys_tty_config dac_override };
++allow rlogind_t self:capability { fsetid chown fowner setuid setgid sys_tty_config dac_read_search dac_override };
  allow rlogind_t self:process signal_perms;
  allow rlogind_t self:fifo_file rw_fifo_file_perms;
 -allow rlogind_t self:tcp_socket { accept listen };
@@ -92247,7 +92765,7 @@ index 0bf13c2..79a2a9c 100644
 +    allow $1 gssd_t:process { noatsecure rlimitinh };
 +')
 diff --git a/rpc.te b/rpc.te
-index 2da9fca..f97a61a 100644
+index 2da9fca..49c37e8 100644
 --- a/rpc.te
 +++ b/rpc.te
 @@ -6,22 +6,27 @@ policy_module(rpc, 1.15.1)
@@ -92370,7 +92888,8 @@ index 2da9fca..f97a61a 100644
 +# RPC local policy
  #
  
- allow rpcd_t self:capability { setpcap sys_admin chown dac_override setgid setuid };
+-allow rpcd_t self:capability { setpcap sys_admin chown dac_override setgid setuid };
++allow rpcd_t self:capability { setpcap sys_admin chown dac_read_search dac_override setgid setuid };
  allow rpcd_t self:capability2 block_suspend;
 +
  allow rpcd_t self:process { getcap setcap };
@@ -92786,7 +93305,7 @@ index 3b5e9ee..ff1163f 100644
 +	admin_pattern($1, rpcbind_var_run_t)
  ')
 diff --git a/rpcbind.te b/rpcbind.te
-index 54de77c..8891c9d 100644
+index 54de77c..db13fcf 100644
 --- a/rpcbind.te
 +++ b/rpcbind.te
 @@ -12,6 +12,9 @@ init_daemon_domain(rpcbind_t, rpcbind_exec_t)
@@ -92812,7 +93331,7 @@ index 54de77c..8891c9d 100644
  #
  
 -allow rpcbind_t self:capability { dac_override setgid setuid sys_tty_config };
-+allow rpcbind_t self:capability { chown dac_override setgid setuid sys_tty_config };
++allow rpcbind_t self:capability { chown dac_read_search dac_override setgid setuid sys_tty_config };
  allow rpcbind_t self:fifo_file rw_fifo_file_perms;
  allow rpcbind_t self:unix_stream_socket { accept listen };
  allow rpcbind_t self:tcp_socket { accept listen };
@@ -93618,7 +94137,7 @@ index ef3b225..b15d901 100644
  	admin_pattern($1, { rpm_tmp_t rpm_script_tmp_t })
  
 diff --git a/rpm.te b/rpm.te
-index 6fc360e..77ca468 100644
+index 6fc360e..2f24b1e 100644
 --- a/rpm.te
 +++ b/rpm.te
 @@ -1,15 +1,13 @@
@@ -93679,8 +94198,9 @@ index 6fc360e..77ca468 100644
  # rpm Local policy
  #
  
+-allow rpm_t self:capability { chown dac_override fowner setfcap fsetid ipc_lock setgid setuid sys_chroot sys_nice sys_tty_config mknod };
 +allow rpm_t self:capability2 block_suspend;
- allow rpm_t self:capability { chown dac_override fowner setfcap fsetid ipc_lock setgid setuid sys_chroot sys_nice sys_tty_config mknod };
++allow rpm_t self:capability { chown dac_read_search dac_override fowner setfcap fsetid ipc_lock setgid setuid sys_chroot sys_nice sys_tty_config mknod };
  allow rpm_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execstack execheap };
  allow rpm_t self:process { getattr setexec setfscreate setrlimit };
  allow rpm_t self:fd use;
@@ -94150,7 +94670,7 @@ index 7ad29c0..2e87d76 100644
  	domtrans_pattern($1, rshd_exec_t, rshd_t)
  ')
 diff --git a/rshd.te b/rshd.te
-index 864e089..925203c 100644
+index 864e089..a28dccd 100644
 --- a/rshd.te
 +++ b/rshd.te
 @@ -4,11 +4,12 @@ policy_module(rshd, 1.8.1)
@@ -94173,8 +94693,9 @@ index 864e089..925203c 100644
  # Local policy
  #
 -
- allow rshd_t self:capability { kill setuid setgid fowner fsetid chown dac_override };
+-allow rshd_t self:capability { kill setuid setgid fowner fsetid chown dac_override };
 -allow rshd_t self:process { signal_perms setsched setpgid setexec };
++allow rshd_t self:capability { kill setuid setgid fowner fsetid chown dac_read_search dac_override };
 +allow rshd_t self:process { signal_perms fork setsched setpgid setexec };
  allow rshd_t self:fifo_file rw_fifo_file_perms;
  allow rshd_t self:tcp_socket create_stream_socket_perms;
@@ -96228,7 +96749,7 @@ index 50d07fb..a34db48 100644
 +	allow $1 samba_unit_file_t:service all_service_perms;
  ')
 diff --git a/samba.te b/samba.te
-index 2b7c441..09e193b 100644
+index 2b7c441..c7a4751 100644
 --- a/samba.te
 +++ b/samba.te
 @@ -6,99 +6,86 @@ policy_module(samba, 1.16.3)
@@ -97097,7 +97618,7 @@ index 2b7c441..09e193b 100644
 -allow smbmount_t self:capability { sys_rawio sys_admin dac_override chown };
 -allow smbmount_t self:process signal_perms;
 -allow smbmount_t self:tcp_socket { accept listen };
-+allow smbmount_t self:capability { sys_rawio sys_admin dac_override chown }; # FIXME: is all of this really necessary?
++allow smbmount_t self:capability { sys_rawio sys_admin dac_read_search dac_override chown }; # FIXME: is all of this really necessary?
 +allow smbmount_t self:process { fork signal_perms };
 +allow smbmount_t self:tcp_socket create_stream_socket_perms;
 +allow smbmount_t self:udp_socket connect;
@@ -97193,7 +97714,8 @@ index 2b7c441..09e193b 100644
 +# SWAT Local policy
  #
  
- allow swat_t self:capability { dac_override setuid setgid sys_resource };
+-allow swat_t self:capability { dac_override setuid setgid sys_resource };
++allow swat_t self:capability { dac_read_search dac_override setuid setgid sys_resource };
 +allow swat_t self:capability2 block_suspend;
  allow swat_t self:process { setrlimit signal_perms };
  allow swat_t self:fifo_file rw_fifo_file_perms;
@@ -97333,7 +97855,7 @@ index 2b7c441..09e193b 100644
  
 -allow winbind_t self:capability { dac_override ipc_lock setuid sys_nice };
 -dontaudit winbind_t self:capability sys_tty_config;
-+allow winbind_t self:capability { kill dac_override ipc_lock setuid sys_nice };
++allow winbind_t self:capability { kill dac_read_search dac_override ipc_lock setuid sys_nice };
 +allow winbind_t self:capability2 block_suspend;
 +dontaudit winbind_t self:capability { net_admin sys_tty_config };
  allow winbind_t self:process { signal_perms getsched setsched };
@@ -97575,9 +98097,18 @@ index 2b7c441..09e193b 100644
 +	can_exec(smbd_t, samba_unconfined_script_exec_t)
  ')
 diff --git a/sambagui.te b/sambagui.te
-index e18b0a2..dc2a745 100644
+index e18b0a2..1b1db01 100644
 --- a/sambagui.te
 +++ b/sambagui.te
+@@ -18,7 +18,7 @@ role sambagui_roles types sambagui_t;
+ # Local policy
+ #
+ 
+-allow sambagui_t self:capability dac_override;
++allow sambagui_t self:capability { dac_read_search dac_override };
+ allow sambagui_t self:fifo_file rw_fifo_file_perms;
+ 
+ kernel_read_system_state(sambagui_t)
 @@ -28,14 +28,14 @@ corecmd_exec_shell(sambagui_t)
  
  dev_dontaudit_read_urand(sambagui_t)
@@ -99016,7 +99547,7 @@ index cd6c213..6d3cdc4 100644
 +	')
  ')
 diff --git a/sanlock.te b/sanlock.te
-index 0045465..5be86bf 100644
+index 0045465..ee3b993 100644
 --- a/sanlock.te
 +++ b/sanlock.te
 @@ -6,25 +6,44 @@ policy_module(sanlock, 1.1.0)
@@ -99092,7 +99623,8 @@ index 0045465..5be86bf 100644
 +# sanlock local policy
  #
 -
- allow sanlock_t self:capability { chown dac_override ipc_lock kill setgid setuid sys_nice sys_resource };
+-allow sanlock_t self:capability { chown dac_override ipc_lock kill setgid setuid sys_nice sys_resource };
++allow sanlock_t self:capability { chown dac_read_search dac_override ipc_lock kill setgid setuid sys_nice sys_resource };
  allow sanlock_t self:process { setrlimit setsched signull signal sigkill };
 +
  allow sanlock_t self:fifo_file rw_fifo_file_perms;
@@ -99195,7 +99727,7 @@ index 0045465..5be86bf 100644
 +# sanlk_resetd local policy
 +#
 +
-+allow sanlk_resetd_t self:capability dac_override;
++allow sanlk_resetd_t self:capability { dac_read_search dac_override };
 +allow sanlk_resetd_t self:fifo_file rw_fifo_file_perms;
 +allow sanlk_resetd_t sanlock_t:unix_stream_socket connectto;
 +
@@ -99269,7 +99801,7 @@ index 8c3c151..93b7227 100644
  	domain_system_change_exemption($1)
  	role_transition $2 saslauthd_initrc_exec_t system_r;
 diff --git a/sasl.te b/sasl.te
-index 6c3bc20..14e8575 100644
+index 6c3bc20..eb05a49 100644
 --- a/sasl.te
 +++ b/sasl.te
 @@ -6,12 +6,11 @@ policy_module(sasl, 1.15.1)
@@ -99336,7 +99868,7 @@ index 6c3bc20..14e8575 100644
  fs_getattr_all_fs(saslauthd_t)
  fs_search_auto_mountpoints(saslauthd_t)
  
-@@ -78,20 +70,25 @@ selinux_compute_access_vector(saslauthd_t)
+@@ -78,34 +70,39 @@ selinux_compute_access_vector(saslauthd_t)
  
  auth_use_pam(saslauthd_t)
  
@@ -99362,11 +99894,12 @@ index 6c3bc20..14e8575 100644
 +# cjp: typeattribute doesnt work in conditionals
  auth_can_read_shadow_passwords(saslauthd_t)
 -tunable_policy(`allow_saslauthd_read_shadow',`
+-	allow saslauthd_t self:capability dac_override;
 +tunable_policy(`saslauthd_read_shadow',`
- 	allow saslauthd_t self:capability dac_override;
++	allow saslauthd_t self:capability { dac_read_search dac_override };
  	auth_tunable_read_shadow(saslauthd_t) 
  ')
-@@ -99,13 +96,13 @@ tunable_policy(`allow_saslauthd_read_shadow',`
+ 
  optional_policy(`
  	kerberos_read_keytab(saslauthd_t)
  	kerberos_manage_host_rcache(saslauthd_t)
@@ -99529,7 +100062,7 @@ index 0000000..7a058a8
 +')
 diff --git a/sbd.te b/sbd.te
 new file mode 100644
-index 0000000..469868d
+index 0000000..55576aa
 --- /dev/null
 +++ b/sbd.te
 @@ -0,0 +1,55 @@
@@ -99554,7 +100087,7 @@ index 0000000..469868d
 +#
 +# sbd local policy
 +#
-+allow sbd_t self:capability { dac_override ipc_lock sys_boot sys_nice sys_admin};
++allow sbd_t self:capability { dac_read_search dac_override ipc_lock sys_boot sys_nice sys_admin};
 +allow sbd_t self:process { fork setsched signal_perms };
 +allow sbd_t self:fifo_file rw_fifo_file_perms;
 +allow sbd_t self:unix_stream_socket create_stream_socket_perms;
@@ -99798,7 +100331,7 @@ index 98c9e0a..562666e 100644
  	files_search_pids($1)
  	admin_pattern($1, sblim_var_run_t)
 diff --git a/sblim.te b/sblim.te
-index 299756b..a256f80 100644
+index 299756b..5719ae9 100644
 --- a/sblim.te
 +++ b/sblim.te
 @@ -7,13 +7,11 @@ policy_module(sblim, 1.1.0)
@@ -99880,7 +100413,7 @@ index 299756b..a256f80 100644
  
 -allow sblim_gatherd_t self:capability dac_override;
 -allow sblim_gatherd_t self:process signal;
-+allow sblim_gatherd_t self:capability { dac_override sys_nice sys_ptrace };
++allow sblim_gatherd_t self:capability { dac_read_search dac_override sys_nice sys_ptrace };
 +allow sblim_gatherd_t self:process { setsched signal };
  allow sblim_gatherd_t self:fifo_file rw_fifo_file_perms;
  allow sblim_gatherd_t self:unix_stream_socket { accept listen };
@@ -100132,7 +100665,7 @@ index be5cce2..b81f5df 100644
 +')
 +
 diff --git a/screen.te b/screen.te
-index 5466a73..ba26a6a 100644
+index 5466a73..33598f3 100644
 --- a/screen.te
 +++ b/screen.te
 @@ -5,9 +5,7 @@ policy_module(screen, 2.6.0)
@@ -100168,7 +100701,7 @@ index 5466a73..ba26a6a 100644
  
 -allow screen_domain self:capability { setuid setgid fsetid };
 +allow screen_domain self:capability { fsetid setgid setuid sys_tty_config };
-+dontaudit screen_domain self:capability dac_override;
++dontaudit screen_domain self:capability { dac_read_search dac_override };
  allow screen_domain self:process signal_perms;
 -allow screen_domain self:fd use;
  allow screen_domain self:fifo_file rw_fifo_file_perms;
@@ -100316,7 +100849,7 @@ index c78a569..9007451 100644
 -	allow sectoolm_t $2:unix_dgram_socket sendto;
 -')
 diff --git a/sectoolm.te b/sectoolm.te
-index 4bc8c13..726ef2c 100644
+index 4bc8c13..e05d74d 100644
 --- a/sectoolm.te
 +++ b/sectoolm.te
 @@ -7,7 +7,7 @@ policy_module(sectoolm, 1.1.0)
@@ -100337,7 +100870,7 @@ index 4bc8c13..726ef2c 100644
  #
  
 -allow sectoolm_t self:capability { dac_override net_admin sys_nice };
-+allow sectoolm_t self:capability { dac_override net_admin sys_nice sys_ptrace };
++allow sectoolm_t self:capability { dac_read_search dac_override net_admin sys_nice sys_ptrace };
  allow sectoolm_t self:process { getcap getsched	signull setsched };
  dontaudit sectoolm_t self:process { execstack execmem };
  allow sectoolm_t self:fifo_file rw_fifo_file_perms;
@@ -100720,7 +101253,7 @@ index 35ad2a7..afdc7da 100644
 +	admin_pattern($1, mail_spool_t)
  ')
 diff --git a/sendmail.te b/sendmail.te
-index 12700b4..2ede411 100644
+index 12700b4..8ba2995 100644
 --- a/sendmail.te
 +++ b/sendmail.te
 @@ -37,21 +37,23 @@ role sendmail_unconfined_roles types unconfined_sendmail_t;
@@ -100732,7 +101265,7 @@ index 12700b4..2ede411 100644
  #
  
 -allow sendmail_t self:capability { dac_override setuid setgid sys_nice chown sys_tty_config };
-+allow sendmail_t self:capability { dac_override setuid setgid net_bind_service sys_nice chown sys_tty_config };
++allow sendmail_t self:capability { dac_read_search dac_override setuid setgid net_bind_service sys_nice chown sys_tty_config };
 +dontaudit sendmail_t self:capability net_admin;
 +dontaudit sendmail_t self:capability2 block_suspend;
  allow sendmail_t self:process { setsched setpgid setrlimit signal signull };
@@ -101499,7 +102032,7 @@ index 0000000..c9d2d9c
 +
 diff --git a/sge.te b/sge.te
 new file mode 100644
-index 0000000..b2096dd
+index 0000000..1c1ec06
 --- /dev/null
 +++ b/sge.te
 @@ -0,0 +1,196 @@
@@ -101549,7 +102082,7 @@ index 0000000..b2096dd
 +# sge_execd local policy
 +#
 +
-+allow sge_execd_t self:capability { dac_override kill setuid chown setgid };
++allow sge_execd_t self:capability { dac_read_search dac_override kill setuid chown setgid };
 +allow sge_execd_t self:process { setsched signal setpgid };
 +
 +allow sge_execd_t sge_shepherd_t:process signal;
@@ -101582,7 +102115,7 @@ index 0000000..b2096dd
 +# sge_shepherd local policy
 +#
 +
-+allow sge_shepherd_t self:capability { setuid sys_nice chown kill setgid dac_override };
++allow sge_shepherd_t self:capability { setuid sys_nice chown kill setgid dac_read_search dac_override };
 +allow sge_shepherd_t self:process { setsched setrlimit setpgid };
 +allow sge_shepherd_t self:process signal_perms;
 +
@@ -101883,12 +102416,15 @@ index 1aeef8a..d5ce40a 100644
  	admin_pattern($1, shorewall_etc_t)
  
 diff --git a/shorewall.te b/shorewall.te
-index 7710b9f..b33b936 100644
+index 7710b9f..04af4ec 100644
 --- a/shorewall.te
 +++ b/shorewall.te
-@@ -34,6 +34,7 @@ logging_log_file(shorewall_log_t)
+@@ -32,8 +32,9 @@ logging_log_file(shorewall_log_t)
+ # Local policy
+ #
  
- allow shorewall_t self:capability { dac_override net_admin net_raw setuid setgid sys_nice sys_admin };
+-allow shorewall_t self:capability { dac_override net_admin net_raw setuid setgid sys_nice sys_admin };
++allow shorewall_t self:capability { dac_read_search dac_override net_admin net_raw setuid setgid sys_nice sys_admin };
  dontaudit shorewall_t self:capability sys_tty_config;
 +allow shorewall_t self:process signal_perms;
  allow shorewall_t self:fifo_file rw_fifo_file_perms;
@@ -102116,9 +102652,18 @@ index d1706bf..3aa7c9f 100644
  ## <param name="domain">
  ##	<summary>
 diff --git a/shutdown.te b/shutdown.te
-index e2544e1..d3fbd78 100644
+index e2544e1..2196974 100644
 --- a/shutdown.te
 +++ b/shutdown.te
+@@ -24,7 +24,7 @@ files_pid_file(shutdown_var_run_t)
+ # Local policy
+ #
+ 
+-allow shutdown_t self:capability { dac_override kill setuid sys_nice sys_tty_config };
++allow shutdown_t self:capability { dac_read_search dac_override kill setuid sys_nice sys_tty_config };
+ allow shutdown_t self:process { setsched signal signull };
+ allow shutdown_t self:fifo_file manage_fifo_file_perms;
+ allow shutdown_t self:unix_stream_socket create_stream_socket_perms;
 @@ -44,7 +44,7 @@ files_read_generic_pids(shutdown_t)
  
  mls_file_write_to_clearance(shutdown_t)
@@ -102344,9 +102889,18 @@ index e0644b5..ea347cc 100644
  	domain_system_change_exemption($1)
  	role_transition $2 fsdaemon_initrc_exec_t system_r;
 diff --git a/smartmon.te b/smartmon.te
-index 9cf6582..db6cc30 100644
+index 9cf6582..052179c 100644
 --- a/smartmon.te
 +++ b/smartmon.te
+@@ -38,7 +38,7 @@ ifdef(`enable_mls',`
+ # Local policy
+ #
+ 
+-allow fsdaemon_t self:capability { dac_override kill setpcap setgid sys_rawio sys_admin };
++allow fsdaemon_t self:capability { dac_read_search dac_override kill setpcap setgid sys_rawio sys_admin };
+ dontaudit fsdaemon_t self:capability sys_tty_config;
+ allow fsdaemon_t self:process { getcap setcap signal_perms };
+ allow fsdaemon_t self:fifo_file rw_fifo_file_perms;
 @@ -60,21 +60,27 @@ kernel_read_system_state(fsdaemon_t)
  
  corecmd_exec_all_executables(fsdaemon_t)
@@ -103111,7 +103665,7 @@ index 0000000..88490d5
 +
 diff --git a/snapper.te b/snapper.te
 new file mode 100644
-index 0000000..939b8be
+index 0000000..5c2cbe0
 --- /dev/null
 +++ b/snapper.te
 @@ -0,0 +1,83 @@
@@ -103140,7 +103694,7 @@ index 0000000..939b8be
 +# snapperd local policy
 +#
 +
-+allow snapperd_t self:capability { dac_override sys_admin };
++allow snapperd_t self:capability { dac_read_search dac_override sys_admin };
 +allow snapperd_t self:process setsched;
 +
 +allow snapperd_t self:fifo_file rw_fifo_file_perms;
@@ -103363,13 +103917,15 @@ index 7a9cc9d..23cb658 100644
  	init_labeled_script_domtrans($1, snmpd_initrc_exec_t)
  	domain_system_change_exemption($1)
 diff --git a/snmp.te b/snmp.te
-index 9dcaeb8..490a046 100644
+index 9dcaeb8..e8446db 100644
 --- a/snmp.te
 +++ b/snmp.te
-@@ -27,14 +27,16 @@ files_type(snmpd_var_lib_t)
+@@ -26,15 +26,17 @@ files_type(snmpd_var_lib_t)
+ # Local policy
  #
  
- allow snmpd_t self:capability { chown dac_override kill ipc_lock setgid setuid net_admin sys_nice sys_tty_config sys_ptrace };
+-allow snmpd_t self:capability { chown dac_override kill ipc_lock setgid setuid net_admin sys_nice sys_tty_config sys_ptrace };
++allow snmpd_t self:capability { chown dac_read_search dac_override kill ipc_lock setgid setuid net_admin sys_nice sys_tty_config sys_ptrace };
 +
  dontaudit snmpd_t self:capability { sys_module sys_tty_config };
  allow snmpd_t self:process { signal_perms getsched setsched };
@@ -103494,11 +104050,15 @@ index 7d86b34..5f58180 100644
 +	files_list_pids($1)
  ')
 diff --git a/snort.te b/snort.te
-index 1af72df..ffccc41 100644
+index 1af72df..d545f2a 100644
 --- a/snort.te
 +++ b/snort.te
-@@ -32,10 +32,13 @@ files_pid_file(snort_var_run_t)
- allow snort_t self:capability { setgid setuid net_admin net_raw dac_override };
+@@ -29,13 +29,16 @@ files_pid_file(snort_var_run_t)
+ # Local policy
+ #
+ 
+-allow snort_t self:capability { setgid setuid net_admin net_raw dac_override };
++allow snort_t self:capability { setgid setuid net_admin net_raw dac_read_search dac_override };
  dontaudit snort_t self:capability sys_tty_config;
  allow snort_t self:process signal_perms;
 +allow snort_t self:netlink_route_socket create_netlink_socket_perms;
@@ -103591,7 +104151,7 @@ index 634c6b4..f6db7a7 100644
 +')
 +
 diff --git a/sosreport.te b/sosreport.te
-index f2f507d..7db383e 100644
+index f2f507d..0ac6752 100644
 --- a/sosreport.te
 +++ b/sosreport.te
 @@ -13,15 +13,15 @@ type sosreport_exec_t;
@@ -103613,9 +104173,12 @@ index f2f507d..7db383e 100644
  optional_policy(`
  	pulseaudio_tmpfs_content(sosreport_tmpfs_t)
  ')
-@@ -33,10 +33,12 @@ optional_policy(`
+@@ -31,12 +31,14 @@ optional_policy(`
+ # Local policy
+ #
  
- allow sosreport_t self:capability { kill net_admin net_raw setuid sys_admin sys_nice dac_override };
+-allow sosreport_t self:capability { kill net_admin net_raw setuid sys_admin sys_nice dac_override };
++allow sosreport_t self:capability { kill net_admin net_raw setuid sys_admin sys_nice dac_read_search dac_override };
  dontaudit sosreport_t self:capability sys_ptrace;
 -allow sosreport_t self:process { setsched signull };
 +allow sosreport_t self:process { setpgid setsched signal_perms };
@@ -103826,9 +104389,18 @@ index a5abc5a..b9eff74 100644
  	domain_system_change_exemption($1)
  	role_transition $2 soundd_initrc_exec_t system_r;
 diff --git a/soundserver.te b/soundserver.te
-index 0919e0c..56a984b 100644
+index 0919e0c..df28aad 100644
 --- a/soundserver.te
 +++ b/soundserver.te
+@@ -32,7 +32,7 @@ files_pid_file(soundd_var_run_t)
+ # Declarations
+ #
+ 
+-allow soundd_t self:capability dac_override;
++allow soundd_t self:capability { dac_read_search dac_override };
+ dontaudit soundd_t self:capability sys_tty_config;
+ allow soundd_t self:process { setpgid signal_perms };
+ allow soundd_t self:shm create_shm_perms;
 @@ -65,7 +65,6 @@ kernel_read_kernel_sysctls(soundd_t)
  kernel_list_proc(soundd_t)
  kernel_read_proc_symlinks(soundd_t)
@@ -104375,7 +104947,7 @@ index 1499b0b..e695a62 100644
 -	spamassassin_role($2, $1)
  ')
 diff --git a/spamassassin.te b/spamassassin.te
-index cc58e35..1e34535 100644
+index cc58e35..85e9f59 100644
 --- a/spamassassin.te
 +++ b/spamassassin.te
 @@ -7,50 +7,30 @@ policy_module(spamassassin, 2.6.1)
@@ -104727,7 +105299,7 @@ index cc58e35..1e34535 100644
 +spamassassin_filetrans_home_content(spamc_t)
 +spamassassin_filetrans_admin_home_content(spamc_t)
 +# for /root/.pyzor
-+allow spamc_t self:capability dac_override;
++allow spamc_t self:capability { dac_read_search  dac_override };
  
  list_dirs_pattern(spamc_t, spamd_var_lib_t, spamd_var_lib_t)
  read_files_pattern(spamc_t, spamd_var_lib_t, spamd_var_lib_t)
@@ -104847,11 +105419,12 @@ index cc58e35..1e34535 100644
 +# Server local policy
  #
  
+-allow spamd_t self:capability { kill setuid setgid dac_override sys_tty_config };
 +# Spamassassin, when run as root and using per-user config files,
 +# setuids to the user running spamc.  Comment this if you are not
 +# using this ability.
 +
- allow spamd_t self:capability { kill setuid setgid dac_override sys_tty_config };
++allow spamd_t self:capability { kill setuid setgid dac_read_search dac_override sys_tty_config };
  dontaudit spamd_t self:capability sys_tty_config;
  allow spamd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  allow spamd_t self:fd use;
@@ -105507,7 +106080,7 @@ index 5e1f053..e7820bc 100644
  	domain_system_change_exemption($1)
  	role_transition $2 squid_initrc_exec_t system_r;
 diff --git a/squid.te b/squid.te
-index 03472ed..e03b69a 100644
+index 03472ed..9148ef5 100644
 --- a/squid.te
 +++ b/squid.te
 @@ -29,7 +29,7 @@ type squid_cache_t;
@@ -105519,7 +106092,7 @@ index 03472ed..e03b69a 100644
  
  type squid_initrc_exec_t;
  init_script_file(squid_initrc_exec_t)
-@@ -37,15 +37,22 @@ init_script_file(squid_initrc_exec_t)
+@@ -37,21 +37,28 @@ init_script_file(squid_initrc_exec_t)
  type squid_log_t;
  logging_log_file(squid_log_t)
  
@@ -105544,6 +106117,13 @@ index 03472ed..e03b69a 100644
  ########################################
  #
  # Local policy
+ #
+ 
+-allow squid_t self:capability { setgid kill setuid dac_override sys_resource };
++allow squid_t self:capability { setgid kill setuid dac_read_search dac_override sys_resource };
+ dontaudit squid_t self:capability sys_tty_config;
+ allow squid_t self:process ~{ ptrace setcurrent setexec setfscreate execmem execstack execheap };
+ allow squid_t self:fifo_file rw_fifo_file_perms;
 @@ -68,6 +75,7 @@ manage_dirs_pattern(squid_t, squid_cache_t, squid_cache_t)
  manage_files_pattern(squid_t, squid_cache_t, squid_cache_t)
  manage_lnk_files_pattern(squid_t, squid_cache_t, squid_cache_t)
@@ -106838,10 +107418,10 @@ index 0000000..80c6480
 +	')
 +')
 diff --git a/systemtap.te b/stapserver.te
-similarity index 64%
+similarity index 63%
 rename from systemtap.te
 rename to stapserver.te
-index ffde368..f8c70e4 100644
+index ffde368..f33142f 100644
 --- a/systemtap.te
 +++ b/stapserver.te
 @@ -1,4 +1,4 @@
@@ -106882,7 +107462,7 @@ index ffde368..f8c70e4 100644
 +allow stapserver_t self:capability { setuid setgid };
 +allow stapserver_t self:process setsched;
 +
-+allow stapserver_t self:capability { dac_override kill sys_ptrace};
++allow stapserver_t self:capability { dac_read_search dac_override kill sys_ptrace};
 +allow stapserver_t self:process { setrlimit signal };
 +
  allow stapserver_t self:fifo_file rw_fifo_file_perms;
@@ -107664,10 +108244,15 @@ index 01a9d0a..154872e 100644
  
  userdom_dontaudit_use_unpriv_user_fds(sxid_t)
 diff --git a/sysstat.te b/sysstat.te
-index b92f677..6dc2de3 100644
+index b92f677..a2690e3 100644
 --- a/sysstat.te
 +++ b/sysstat.te
-@@ -24,9 +24,7 @@ allow sysstat_t self:capability { dac_override sys_admin sys_resource sys_tty_co
+@@ -20,13 +20,11 @@ logging_log_file(sysstat_log_t)
+ # Local policy
+ #
+ 
+-allow sysstat_t self:capability { dac_override sys_admin sys_resource sys_tty_config };
++allow sysstat_t self:capability { dac_read_search dac_override sys_admin sys_resource sys_tty_config };
  allow sysstat_t self:fifo_file rw_fifo_file_perms;
  
  manage_dirs_pattern(sysstat_t,sysstat_log_t,sysstat_log_t)
@@ -108110,9 +108695,18 @@ index b42ec1d..91b8f71 100644
  	tcsd_initrc_domtrans($1)
  	domain_system_change_exemption($1)
 diff --git a/tcsd.te b/tcsd.te
-index b26d44a..5ab05dc 100644
+index b26d44a..5a79afd 100644
 --- a/tcsd.te
 +++ b/tcsd.te
+@@ -20,7 +20,7 @@ files_type(tcsd_var_lib_t)
+ # Local policy
+ #
+ 
+-allow tcsd_t self:capability { dac_override setuid };
++allow tcsd_t self:capability { dac_read_search  dac_override setuid };
+ allow tcsd_t self:process { signal sigkill };
+ allow tcsd_t self:tcp_socket { accept listen };
+ 
 @@ -41,12 +41,8 @@ corenet_tcp_sendrecv_tcs_port(tcsd_t)
  dev_read_urand(tcsd_t)
  dev_rw_tpm(tcsd_t)
@@ -109174,11 +109768,15 @@ index 9afcbc9..7b8ddb4 100644
  	xserver_rw_xdm_pipes(telepathy_domain)
  ')
 diff --git a/telnet.te b/telnet.te
-index d7c8633..a91c027 100644
+index d7c8633..0d3d439 100644
 --- a/telnet.te
 +++ b/telnet.te
-@@ -30,16 +30,19 @@ files_pid_file(telnetd_var_run_t)
- allow telnetd_t self:capability { fsetid chown fowner setuid setgid sys_tty_config dac_override };
+@@ -27,19 +27,22 @@ files_pid_file(telnetd_var_run_t)
+ # Local policy
+ #
+ 
+-allow telnetd_t self:capability { fsetid chown fowner setuid setgid sys_tty_config dac_override };
++allow telnetd_t self:capability { fsetid chown fowner setuid setgid sys_tty_config dac_read_search dac_override };
  allow telnetd_t self:process signal_perms;
  allow telnetd_t self:fifo_file rw_fifo_file_perms;
 -allow telnetd_t self:tcp_socket { accept listen };
@@ -109740,7 +110338,7 @@ index 5406b6e..dc5b46e 100644
  	admin_pattern($1, tgtd_tmpfs_t)
  ')
 diff --git a/tgtd.te b/tgtd.te
-index d010963..e7e55c7 100644
+index d010963..7308fa9 100644
 --- a/tgtd.te
 +++ b/tgtd.te
 @@ -29,8 +29,8 @@ files_pid_file(tgtd_var_run_t)
@@ -109749,7 +110347,7 @@ index d010963..e7e55c7 100644
  
 -allow tgtd_t self:capability sys_resource;
 -allow tgtd_t self:capability2 block_suspend;
-+allow tgtd_t self:capability { dac_override ipc_lock sys_resource sys_rawio sys_admin };
++allow tgtd_t self:capability { dac_read_search dac_override ipc_lock sys_resource sys_rawio sys_admin };
 +allow tgtd_t self:capability2 { block_suspend wake_alarm };
  allow tgtd_t self:process { setrlimit signal };
  allow tgtd_t self:fifo_file rw_fifo_file_perms;
@@ -109882,7 +110480,7 @@ index 0000000..5e3637e
 +')
 diff --git a/thin.te b/thin.te
 new file mode 100644
-index 0000000..39d17b7
+index 0000000..e66fc8c
 --- /dev/null
 +++ b/thin.te
 @@ -0,0 +1,115 @@
@@ -109961,7 +110559,7 @@ index 0000000..39d17b7
 +# thin local policy
 +#
 +
-+allow thin_t self:capability { setuid kill setgid dac_override };
++allow thin_t self:capability { setuid kill setgid dac_read_search  dac_override };
 +allow thin_t self:capability2 block_suspend;
 +
 +allow thin_t self:netlink_route_socket r_netlink_socket_perms;
@@ -111591,9 +112189,18 @@ index 34973ee..1c9a4c6 100644
  
  userdom_dontaudit_use_unpriv_user_fds(transproxy_t)
 diff --git a/tripwire.te b/tripwire.te
-index 03aa6b7..a9ff883 100644
+index 03aa6b7..53c0c73 100644
 --- a/tripwire.te
 +++ b/tripwire.te
+@@ -47,7 +47,7 @@ role twprint_roles types twprint_t;
+ # Local policy
+ #
+ 
+-allow tripwire_t self:capability { setgid setuid dac_override };
++allow tripwire_t self:capability { setgid setuid dac_read_search dac_override };
+ 
+ allow tripwire_t tripwire_etc_t:dir list_dir_perms;
+ allow tripwire_t tripwire_etc_t:file read_file_perms;
 @@ -86,7 +86,7 @@ files_getattr_all_sockets(tripwire_t)
  
  logging_send_syslog_msg(tripwire_t)
@@ -111653,7 +112260,7 @@ index e29db63..061fb98 100644
  	domain_system_change_exemption($1)
  	role_transition $2 tuned_initrc_exec_t system_r;
 diff --git a/tuned.te b/tuned.te
-index 393a330..0691d4a 100644
+index 393a330..76390e2 100644
 --- a/tuned.te
 +++ b/tuned.te
 @@ -21,6 +21,9 @@ files_config_file(tuned_rw_etc_t)
@@ -111671,9 +112278,10 @@ index 393a330..0691d4a 100644
  #
  
 -allow tuned_t self:capability { sys_admin sys_nice };
-+allow tuned_t self:capability { net_admin sys_admin sys_nice sys_rawio };
- dontaudit tuned_t self:capability { dac_override sys_tty_config };
+-dontaudit tuned_t self:capability { dac_override sys_tty_config };
 -allow tuned_t self:process { setsched signal };
++allow tuned_t self:capability { net_admin sys_admin sys_nice sys_rawio };
++dontaudit tuned_t self:capability { dac_read_search dac_override sys_tty_config };
 +allow tuned_t self:process {  setsched signal };
  allow tuned_t self:fifo_file rw_fifo_file_perms;
 +allow tuned_t self:netlink_kobject_uevent_socket create_socket_perms;
@@ -112303,9 +112911,18 @@ index b68bd49..da0c691 100644
  userdom_dontaudit_search_user_home_dirs(uml_switch_t)
  
 diff --git a/updfstab.te b/updfstab.te
-index 5ceb912..dfec9ac 100644
+index 5ceb912..232e9ac 100644
 --- a/updfstab.te
 +++ b/updfstab.te
+@@ -14,7 +14,7 @@ init_system_domain(updfstab_t, updfstab_exec_t)
+ # Local policy
+ #
+ 
+-allow updfstab_t self:capability dac_override;
++allow updfstab_t self:capability { dac_read_search  dac_override };
+ dontaudit updfstab_t self:capability { sys_admin sys_tty_config };
+ allow updfstab_t self:process signal_perms;
+ allow updfstab_t self:fifo_file rw_fifo_file_perms;
 @@ -66,8 +66,6 @@ init_use_script_ptys(updfstab_t)
  logging_search_logs(updfstab_t)
  logging_send_syslog_msg(updfstab_t)
@@ -112563,7 +113180,7 @@ index c416a83..cd83b89 100644
 +/usr/sbin/userhelper		--	gen_context(system_u:object_r:userhelper_exec_t,s0)
 +/usr/bin/consolehelper		--	gen_context(system_u:object_r:consolehelper_exec_t,s0)
 diff --git a/userhelper.if b/userhelper.if
-index 98b51fd..2a003a5 100644
+index 98b51fd..c7e44ca 100644
 --- a/userhelper.if
 +++ b/userhelper.if
 @@ -1,4 +1,4 @@
@@ -112612,7 +113229,7 @@ index 98b51fd..2a003a5 100644
 -	# Consolehelper local policy
 +	# Local policy
  	#
-+	allow $1_userhelper_t self:capability { setuid setgid net_bind_service dac_override chown sys_tty_config };
++	allow $1_userhelper_t self:capability { setuid setgid net_bind_service dac_read_search  dac_override chown sys_tty_config };
 +	allow $1_userhelper_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 +	allow $1_userhelper_t self:process setexec;
 +	allow $1_userhelper_t self:fd use;
@@ -112889,7 +113506,7 @@ index 98b51fd..2a003a5 100644
  ## <summary>
  ##	Execute the consolehelper program
 diff --git a/userhelper.te b/userhelper.te
-index 42cfce0..1733490 100644
+index 42cfce0..b7e3e25 100644
 --- a/userhelper.te
 +++ b/userhelper.te
 @@ -5,11 +5,8 @@ policy_module(userhelper, 1.8.1)
@@ -112922,7 +113539,7 @@ index 42cfce0..1733490 100644
 -dontaudit consolehelper_type userhelper_conf_t:file audit_access;
 -read_files_pattern(consolehelper_type, userhelper_conf_t, userhelper_conf_t)
 +allow consolehelper_domain self:shm create_shm_perms;
-+allow consolehelper_domain self:capability { setgid setuid dac_override sys_nice }; 
++allow consolehelper_domain self:capability { setgid setuid dac_read_search dac_override sys_nice }; 
 +allow consolehelper_domain self:process { signal_perms getsched setsched };
  
 -domain_use_interactive_fds(consolehelper_type)
@@ -113108,10 +113725,10 @@ index 7deec55..c542887 100644
  	')
  
 diff --git a/usernetctl.te b/usernetctl.te
-index f973af8..de458c2 100644
+index f973af8..8606439 100644
 --- a/usernetctl.te
 +++ b/usernetctl.te
-@@ -6,12 +6,12 @@ policy_module(usernetctl, 1.7.0)
+@@ -6,19 +6,19 @@ policy_module(usernetctl, 1.7.0)
  #
  
  attribute_role usernetctl_roles;
@@ -113125,6 +113742,14 @@ index f973af8..de458c2 100644
  
  ########################################
  #
+ # Local policy
+ #
+ 
+-allow usernetctl_t self:capability { setuid setgid dac_override };
++allow usernetctl_t self:capability { setuid setgid dac_read_search dac_override };
+ allow usernetctl_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+ allow usernetctl_t self:fd use;
+ allow usernetctl_t self:fifo_file rw_fifo_file_perms;
 @@ -40,7 +40,6 @@ files_exec_etc_files(usernetctl_t)
  files_read_etc_runtime_files(usernetctl_t)
  files_list_pids(usernetctl_t)
@@ -113314,9 +113939,18 @@ index f8e52fc..b283c25 100644
  
 -miscfiles_read_localization(uuidd_t)
 diff --git a/uwimap.te b/uwimap.te
-index acdc78a..7a18090 100644
+index acdc78a..9e5ee47 100644
 --- a/uwimap.te
 +++ b/uwimap.te
+@@ -20,7 +20,7 @@ files_pid_file(imapd_var_run_t)
+ # Local policy
+ #
+ 
+-allow imapd_t self:capability { dac_override setgid setuid sys_resource };
++allow imapd_t self:capability { dac_read_search  dac_override setgid setuid sys_resource };
+ dontaudit imapd_t self:capability sys_tty_config;
+ allow imapd_t self:process signal_perms;
+ allow imapd_t self:fifo_file rw_fifo_file_perms;
 @@ -37,7 +37,6 @@ kernel_read_kernel_sysctls(imapd_t)
  kernel_list_proc(imapd_t)
  kernel_read_proc_symlinks(imapd_t)
@@ -113381,7 +114015,7 @@ index 1c35171..2cba4df 100644
  	domain_system_change_exemption($1)
  	role_transition $2 varnishd_initrc_exec_t system_r;
 diff --git a/varnishd.te b/varnishd.te
-index 9d4d8cb..1189323 100644
+index 9d4d8cb..e73bd98 100644
 --- a/varnishd.te
 +++ b/varnishd.te
 @@ -21,7 +21,7 @@ type varnishd_initrc_exec_t;
@@ -113406,7 +114040,7 @@ index 9d4d8cb..1189323 100644
  #
  
 -allow varnishd_t self:capability { kill dac_override ipc_lock setuid setgid };
-+allow varnishd_t self:capability { kill dac_override ipc_lock setuid setgid chown fowner fsetid };
++allow varnishd_t self:capability { kill dac_read_search dac_override ipc_lock setuid setgid chown fowner fsetid };
  dontaudit varnishd_t self:capability sys_tty_config;
 -allow varnishd_t self:process signal;
 +allow varnishd_t self:process { execmem signal };
@@ -113431,13 +114065,15 @@ index 9d4d8cb..1189323 100644
  tunable_policy(`varnishd_connect_any',`
  	corenet_sendrecv_all_client_packets(varnishd_t)
 diff --git a/vbetool.te b/vbetool.te
-index 2a61f75..b026ab7 100644
+index 2a61f75..fa84e40 100644
 --- a/vbetool.te
 +++ b/vbetool.te
-@@ -27,6 +27,7 @@ role vbetool_roles types vbetool_t;
+@@ -26,7 +26,8 @@ role vbetool_roles types vbetool_t;
+ # Local policy
  #
  
- allow vbetool_t self:capability { dac_override sys_tty_config sys_admin };
+-allow vbetool_t self:capability { dac_override sys_tty_config sys_admin };
++allow vbetool_t self:capability { dac_read_search dac_override sys_tty_config sys_admin };
 +#allow vbetool_t self:capability2 compromise_kernel;
  allow vbetool_t self:process execmem;
  
@@ -113613,9 +114249,18 @@ index 22edd58..c3a5364 100644
  	domain_system_change_exemption($1)
  	role_transition $2 vhostmd_initrc_exec_t system_r;
 diff --git a/vhostmd.te b/vhostmd.te
-index 3d11c6a..b19a117 100644
+index 3d11c6a..c5d8428 100644
 --- a/vhostmd.te
 +++ b/vhostmd.te
+@@ -23,7 +23,7 @@ files_pid_file(vhostmd_var_run_t)
+ # Local policy
+ #
+ 
+-allow vhostmd_t self:capability { dac_override ipc_lock setuid setgid };
++allow vhostmd_t self:capability { dac_read_search dac_override ipc_lock setuid setgid };
+ allow vhostmd_t self:process { setsched getsched signal };
+ allow vhostmd_t self:fifo_file rw_fifo_file_perms;
+ 
 @@ -58,14 +58,11 @@ dev_read_urand(vhostmd_t)
  dev_read_sysfs(vhostmd_t)
  
@@ -116017,7 +116662,7 @@ index facdee8..2a619ba 100644
 +	dgram_send_pattern($1, virt_var_run_t, virt_var_run_t, virtd_t)
  ')
 diff --git a/virt.te b/virt.te
-index f03dcf5..49d4083 100644
+index f03dcf5..5ce41db 100644
 --- a/virt.te
 +++ b/virt.te
 @@ -1,451 +1,422 @@
@@ -116689,7 +117334,7 @@ index f03dcf5..49d4083 100644
  #
  
 -allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice };
-+allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice sys_ptrace };
++allow virtd_t self:capability { chown dac_read_search dac_override fowner ipc_lock kill mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice sys_ptrace };
 +#allow virtd_t self:capability2 compromise_kernel;
  allow virtd_t self:process { getcap getsched setcap sigkill signal signull execmem setexec setfscreate setsockcreate setsched };
 +ifdef(`hide_broken_symptoms',`
@@ -117390,7 +118035,7 @@ index f03dcf5..49d4083 100644
 +typealias virsh_t alias xm_t;
 +typealias virsh_exec_t alias xm_exec_t;
 +
-+allow virsh_t self:capability { setpcap dac_override ipc_lock sys_admin sys_chroot sys_nice sys_tty_config };
++allow virsh_t self:capability { setpcap dac_read_search dac_override ipc_lock sys_admin sys_chroot sys_nice sys_tty_config };
 +allow virsh_t self:process { getcap getsched setsched setcap setexec signal };
 +allow virsh_t self:fifo_file rw_fifo_file_perms;
 +allow virsh_t self:unix_stream_socket { create_stream_socket_perms connectto };
@@ -117534,7 +118179,7 @@ index f03dcf5..49d4083 100644
 -# Lxc local policy
 +# virt_lxc local policy
  #
-+allow virtd_lxc_t self:capability { dac_override net_admin net_raw setpcap chown sys_admin sys_boot sys_resource setuid sys_nice setgid };
++allow virtd_lxc_t self:capability { dac_read_search dac_override net_admin net_raw setpcap chown sys_admin sys_boot sys_resource setuid sys_nice setgid };
 +allow virtd_lxc_t self:process { setsockcreate transition setpgid signal_perms };
 +#allow virtd_lxc_t self:capability2 compromise_kernel;
  
@@ -118372,8 +119017,8 @@ index f03dcf5..49d4083 100644
 +	systemd_dbus_chat_logind(sandbox_net_domain)
 +')
 +
-+allow sandbox_caps_domain self:capability { chown dac_override fowner kill setgid setuid setpcap net_bind_service net_raw sys_chroot mknod audit_write setfcap };
-+allow sandbox_caps_domain self:cap_userns { chown dac_override fowner kill setgid setuid setpcap net_bind_service net_raw sys_chroot mknod audit_write setfcap };
++allow sandbox_caps_domain self:capability { chown dac_read_search dac_override fowner kill setgid setuid setpcap net_bind_service net_raw sys_chroot mknod audit_write setfcap };
++allow sandbox_caps_domain self:cap_userns { chown dac_read_search dac_override fowner kill setgid setuid setpcap net_bind_service net_raw sys_chroot mknod audit_write setfcap };
 +
 +list_dirs_pattern(svirt_sandbox_domain, container_ro_file_t, container_ro_file_t)
 +read_files_pattern(svirt_sandbox_domain, container_ro_file_t, container_ro_file_t)
@@ -118658,7 +119303,7 @@ index 20a1fb2..470ea95 100644
  	allow $2 { vmware_tmp_t vmware_file_t }:dir { manage_dir_perms relabel_dir_perms };
  	allow $2 { vmware_conf_t vmware_file_t vmware_tmp_t vmware_tmpfs_t }:file { manage_file_perms relabel_file_perms };
 diff --git a/vmware.te b/vmware.te
-index 4ad1894..840409e 100644
+index 4ad1894..b589158 100644
 --- a/vmware.te
 +++ b/vmware.te
 @@ -65,7 +65,8 @@ ifdef(`enable_mcs',`
@@ -118667,7 +119312,7 @@ index 4ad1894..840409e 100644
  
 -allow vmware_host_t self:capability { setgid setuid net_raw sys_nice sys_time sys_ptrace kill dac_override };
 +allow vmware_host_t self:capability { net_admin sys_module };
-+allow vmware_host_t self:capability { setgid setuid net_raw sys_nice sys_time kill dac_override };
++allow vmware_host_t self:capability { setgid setuid net_raw sys_nice sys_time kill dac_read_search dac_override };
  dontaudit vmware_host_t self:capability sys_tty_config;
  allow vmware_host_t self:process { execstack execmem signal_perms };
  allow vmware_host_t self:fifo_file rw_fifo_file_perms;
@@ -118733,6 +119378,15 @@ index 4ad1894..840409e 100644
  
  optional_policy(`
  	samba_read_config(vmware_host_t)
+@@ -182,7 +187,7 @@ optional_policy(`
+ # Guest local policy
+ #
+ 
+-allow vmware_t self:capability { dac_override setgid sys_nice sys_resource setuid sys_admin sys_rawio chown };
++allow vmware_t self:capability { dac_read_search dac_override setgid sys_nice sys_resource setuid sys_admin sys_rawio chown };
+ dontaudit vmware_t self:capability sys_tty_config;
+ allow vmware_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+ allow vmware_t self:process { execmem execstack };
 @@ -244,9 +249,7 @@ dev_search_sysfs(vmware_t)
  
  domain_use_interactive_fds(vmware_t)
@@ -119524,9 +120178,18 @@ index 64baf67..76c753b 100644
 -/var/www/usage(/.*)?	gen_context(system_u:object_r:httpd_webalizer_content_t,s0)
 +/var/www/usage(/.*)?	gen_context(system_u:object_r:webalizer_rw_content_t,s0)
 diff --git a/webalizer.te b/webalizer.te
-index ae919b9..32cbf8c 100644
+index ae919b9..cdd9359 100644
 --- a/webalizer.te
 +++ b/webalizer.te
+@@ -33,7 +33,7 @@ files_type(webalizer_write_t)
+ # Local policy
+ #
+ 
+-allow webalizer_t self:capability dac_override;
++allow webalizer_t self:capability { dac_read_search dac_override };
+ allow webalizer_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+ allow webalizer_t self:fd use;
+ allow webalizer_t self:fifo_file rw_fifo_file_perms;
 @@ -55,29 +55,36 @@ can_exec(webalizer_t, webalizer_exec_t)
  kernel_read_kernel_sysctls(webalizer_t)
  kernel_read_system_state(webalizer_t)
@@ -120492,7 +121155,7 @@ index f93558c..16e29c1 100644
  
  	files_search_pids($1)
 diff --git a/xen.te b/xen.te
-index 6f736a9..0fa964c 100644
+index 6f736a9..c1ba3ba 100644
 --- a/xen.te
 +++ b/xen.te
 @@ -4,39 +4,31 @@ policy_module(xen, 1.13.0)
@@ -120735,7 +121398,7 @@ index 6f736a9..0fa964c 100644
 -dontaudit xend_t self:capability { sys_ptrace };
 -allow xend_t self:process { setrlimit signal sigkill };
 -dontaudit xend_t self:process ptrace;
-+allow xend_t self:capability { dac_override ipc_lock net_admin setuid sys_admin sys_nice sys_tty_config net_raw sys_rawio };
++allow xend_t self:capability { dac_read_search dac_override ipc_lock net_admin setuid sys_admin sys_nice sys_tty_config net_raw sys_rawio };
 +allow xend_t self:process { signal sigkill };
 +
 +# needed by qemu_dm
@@ -120931,7 +121594,13 @@ index 6f736a9..0fa964c 100644
  	virt_search_images(xend_t)
  	virt_read_config(xend_t)
  ')
-@@ -365,13 +381,9 @@ allow xenconsoled_t self:process setrlimit;
+@@ -360,18 +376,14 @@ optional_policy(`
+ # Xen console local policy
+ #
+ 
+-allow xenconsoled_t self:capability { dac_override fsetid ipc_lock };
++allow xenconsoled_t self:capability { dac_read_search dac_override fsetid ipc_lock };
+ allow xenconsoled_t self:process setrlimit;
  allow xenconsoled_t self:unix_stream_socket create_stream_socket_perms;
  allow xenconsoled_t self:fifo_file rw_fifo_file_perms;
  
@@ -120976,11 +121645,13 @@ index 6f736a9..0fa964c 100644
  xen_stream_connect_xenstore(xenconsoled_t)
  
  optional_policy(`
-@@ -416,24 +422,26 @@ optional_policy(`
+@@ -415,25 +421,27 @@ optional_policy(`
+ # Xen store local policy
  #
  
- allow xenstored_t self:capability { dac_override ipc_lock sys_resource };
+-allow xenstored_t self:capability { dac_override ipc_lock sys_resource };
 -allow xenstored_t self:unix_stream_socket { accept listen };
++allow xenstored_t self:capability { dac_read_search dac_override ipc_lock sys_resource };
 +allow xenstored_t self:unix_stream_socket create_stream_socket_perms;
 +allow xenstored_t self:unix_dgram_socket create_socket_perms;
  
@@ -121184,9 +121855,18 @@ index 6f736a9..0fa964c 100644
 -	fs_manage_xenfs_files(xm_ssh_t)
 -')
 diff --git a/xfs.te b/xfs.te
-index 0928c5d..d270a72 100644
+index 0928c5d..b9bcf88 100644
 --- a/xfs.te
 +++ b/xfs.te
+@@ -23,7 +23,7 @@ files_pid_file(xfs_var_run_t)
+ # Local policy
+ #
+ 
+-allow xfs_t self:capability { dac_override setgid setuid };
++allow xfs_t self:capability { dac_read_search dac_override setgid setuid };
+ dontaudit xfs_t self:capability sys_tty_config;
+ allow xfs_t self:process { signal_perms setpgid };
+ allow xfs_t self:unix_stream_socket { accept listen };
 @@ -41,7 +41,6 @@ can_exec(xfs_t, xfs_exec_t)
  kernel_read_kernel_sysctls(xfs_t)
  kernel_read_system_state(xfs_t)
@@ -121526,9 +122206,18 @@ index 04096a0..98a8205 100644
  
  xserver_user_x_domain_template(xscreensaver, xscreensaver_t, xscreensaver_tmpfs_t)
 diff --git a/yam.te b/yam.te
-index 2695db2..123c042 100644
+index 2695db2..c1ec893 100644
 --- a/yam.te
 +++ b/yam.te
+@@ -26,7 +26,7 @@ files_tmp_file(yam_tmp_t)
+ # Local policy
+ #
+ 
+-allow yam_t self:capability { chown fowner fsetid dac_override };
++allow yam_t self:capability { chown fowner fsetid dac_read_search dac_override };
+ allow yam_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execstack execheap };
+ allow yam_t self:fd use;
+ allow yam_t self:fifo_file rw_fifo_file_perms;
 @@ -73,11 +73,11 @@ auth_use_nsswitch(yam_t)
  
  logging_send_syslog_msg(yam_t)
@@ -122284,7 +122973,7 @@ index 36e32df..3d08962 100644
 +    manage_dirs_pattern($1, zarafa_var_lib_t, zarafa_var_lib_t)
  ')
 diff --git a/zarafa.te b/zarafa.te
-index 3fded1c..91ce270 100644
+index 3fded1c..8bea5e8 100644
 --- a/zarafa.te
 +++ b/zarafa.te
 @@ -5,9 +5,14 @@ policy_module(zarafa, 1.2.0)
@@ -122474,6 +123163,8 @@ index 3fded1c..91ce270 100644
  #
 +corenet_tcp_bind_pop_port(zarafa_gateway_t)
  
+-allow zarafa_domain self:capability { kill dac_override chown setgid setuid };
+-allow zarafa_domain self:process { setrlimit signal };
 +#######################################
 +#
 +# zarafa-ical local policy
@@ -122493,8 +123184,7 @@ index 3fded1c..91ce270 100644
 +#
 +
 +# bad permission on /etc/zarafa
- allow zarafa_domain self:capability { kill dac_override chown setgid setuid };
--allow zarafa_domain self:process { setrlimit signal };
++allow zarafa_domain self:capability { kill dac_read_search dac_override chown setgid setuid };
 +allow zarafa_domain self:process { signal_perms };
  allow zarafa_domain self:fifo_file rw_fifo_file_perms;
 -allow zarafa_domain self:tcp_socket { accept listen };
@@ -123234,7 +123924,7 @@ index 0000000..fb0519e
 +
 diff --git a/zoneminder.te b/zoneminder.te
 new file mode 100644
-index 0000000..184e3d5
+index 0000000..c9ad1b3
 --- /dev/null
 +++ b/zoneminder.te
 @@ -0,0 +1,187 @@
@@ -123295,7 +123985,7 @@ index 0000000..184e3d5
 +#
 +# zoneminder local policy
 +#
-+allow zoneminder_t self:capability { chown dac_override };
++allow zoneminder_t self:capability { chown dac_read_search dac_override };
 +allow zoneminder_t self:process { signal_perms setpgid };
 +allow zoneminder_t self:shm create_shm_perms;
 +allow zoneminder_t self:fifo_file rw_fifo_file_perms;
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 8e530485..68312567 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 266%{?dist}
+Release: 267%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -683,6 +683,9 @@ exit 0
 %endif
 
 %changelog
+* Fri Aug 07 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-267
+- After fix in kernel where LSM hooks for dac_override and dac_search_read capability was swaped we need to fix it also in policy
+
 * Thu Jul 27 2017 Fedora Release Engineering <releng@fedoraproject.org> - 3.13.1-266
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild