diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index 7ba4bbae..f05841c2 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -1616,7 +1616,7 @@ index c6ca761..0c86bfd 100644
  ')
  
 diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
-index 8128de8..0bb92ab 100644
+index 8128de8..b0a385b 100644
 --- a/policy/modules/admin/netutils.te
 +++ b/policy/modules/admin/netutils.te
 @@ -7,10 +7,10 @@ policy_module(netutils, 1.11.2)
@@ -1700,7 +1700,11 @@ index 8128de8..0bb92ab 100644
  
  domain_use_interactive_fds(ping_t)
  
-@@ -132,11 +137,9 @@ kernel_read_system_state(ping_t)
+@@ -129,14 +134,13 @@ files_read_etc_files(ping_t)
+ files_dontaudit_search_var(ping_t)
+ 
+ kernel_read_system_state(ping_t)
++kernel_read_network_state(ping_t)
  
  auth_use_nsswitch(ping_t)
  
@@ -1714,7 +1718,7 @@ index 8128de8..0bb92ab 100644
  
  ifdef(`hide_broken_symptoms',`
  	init_dontaudit_use_fds(ping_t)
-@@ -147,11 +150,25 @@ ifdef(`hide_broken_symptoms',`
+@@ -147,11 +151,25 @@ ifdef(`hide_broken_symptoms',`
  	')
  ')
  
@@ -1740,7 +1744,7 @@ index 8128de8..0bb92ab 100644
  	pcmcia_use_cardmgr_fds(ping_t)
  ')
  
-@@ -159,6 +176,15 @@ optional_policy(`
+@@ -159,6 +177,15 @@ optional_policy(`
  	hotplug_use_fds(ping_t)
  ')
  
@@ -1756,7 +1760,7 @@ index 8128de8..0bb92ab 100644
  ########################################
  #
  # Traceroute local policy
-@@ -172,7 +198,6 @@ allow traceroute_t self:udp_socket create_socket_perms;
+@@ -172,7 +199,6 @@ allow traceroute_t self:udp_socket create_socket_perms;
  kernel_read_system_state(traceroute_t)
  kernel_read_network_state(traceroute_t)
  
@@ -1764,7 +1768,7 @@ index 8128de8..0bb92ab 100644
  corenet_all_recvfrom_netlabel(traceroute_t)
  corenet_tcp_sendrecv_generic_if(traceroute_t)
  corenet_udp_sendrecv_generic_if(traceroute_t)
-@@ -196,6 +221,7 @@ fs_dontaudit_getattr_xattr_fs(traceroute_t)
+@@ -196,6 +222,7 @@ fs_dontaudit_getattr_xattr_fs(traceroute_t)
  domain_use_interactive_fds(traceroute_t)
  
  files_read_etc_files(traceroute_t)
@@ -1772,7 +1776,7 @@ index 8128de8..0bb92ab 100644
  files_dontaudit_search_var(traceroute_t)
  
  init_use_fds(traceroute_t)
-@@ -204,11 +230,17 @@ auth_use_nsswitch(traceroute_t)
+@@ -204,11 +231,17 @@ auth_use_nsswitch(traceroute_t)
  
  logging_send_syslog_msg(traceroute_t)
  
@@ -3017,7 +3021,7 @@ index 7590165..19aaaed 100644
 +	fs_mounton_fusefs(seunshare_domain)
 +')
 diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
-index 644d4d7..330ed39 100644
+index 644d4d7..d2dbf35 100644
 --- a/policy/modules/kernel/corecommands.fc
 +++ b/policy/modules/kernel/corecommands.fc
 @@ -1,9 +1,10 @@
@@ -3085,11 +3089,12 @@ index 644d4d7..330ed39 100644
  /etc/X11/xdm/GiveConsole	--	gen_context(system_u:object_r:bin_t,s0)
  /etc/X11/xdm/TakeConsole	--	gen_context(system_u:object_r:bin_t,s0)
  /etc/X11/xdm/Xsetup_0		--	gen_context(system_u:object_r:bin_t,s0)
-@@ -134,10 +146,11 @@ ifdef(`distro_debian',`
+@@ -134,10 +146,12 @@ ifdef(`distro_debian',`
  
  /lib/readahead(/.*)?			gen_context(system_u:object_r:bin_t,s0)
  /lib/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0)
 -/lib/systemd/systemd.*		--	gen_context(system_u:object_r:bin_t,s0)
++/usr/lib64/security/pam_krb5/pam_krb5_cchelper	--	gen_context(system_u:object_r:bin_t,s0)
  /lib/udev/[^/]*			--	gen_context(system_u:object_r:bin_t,s0)
 +/lib/udev/devices/MAKEDEV	-l	gen_context(system_u:object_r:bin_t,s0)
  /lib/udev/scsi_id		--	gen_context(system_u:object_r:bin_t,s0)
@@ -3098,7 +3103,7 @@ index 644d4d7..330ed39 100644
  
  ifdef(`distro_gentoo',`
  /lib/dhcpcd/dhcpcd-run-hooks	--	gen_context(system_u:object_r:bin_t,s0)
-@@ -151,7 +164,7 @@ ifdef(`distro_gentoo',`
+@@ -151,7 +165,7 @@ ifdef(`distro_gentoo',`
  #
  # /sbin
  #
@@ -3107,7 +3112,7 @@ index 644d4d7..330ed39 100644
  /sbin/.*				gen_context(system_u:object_r:bin_t,s0)
  /sbin/insmod_ksymoops_clean	--	gen_context(system_u:object_r:bin_t,s0)
  /sbin/mkfs\.cramfs		--	gen_context(system_u:object_r:bin_t,s0)
-@@ -167,6 +180,7 @@ ifdef(`distro_gentoo',`
+@@ -167,6 +181,7 @@ ifdef(`distro_gentoo',`
  /opt/(.*/)?sbin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
  
  /opt/google/talkplugin(/.*)?		gen_context(system_u:object_r:bin_t,s0)
@@ -3115,7 +3120,7 @@ index 644d4d7..330ed39 100644
  
  /opt/gutenprint/cups/lib/filter(/.*)?	gen_context(system_u:object_r:bin_t,s0)
  
-@@ -178,33 +192,49 @@ ifdef(`distro_gentoo',`
+@@ -178,33 +193,49 @@ ifdef(`distro_gentoo',`
  /opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0)
  ')
  
@@ -3174,7 +3179,7 @@ index 644d4d7..330ed39 100644
  /usr/lib/dpkg/.+		--	gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/emacsen-common/.*		gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/gimp/.*/plug-ins(/.*)?		gen_context(system_u:object_r:bin_t,s0)
-@@ -215,18 +245,28 @@ ifdef(`distro_gentoo',`
+@@ -215,18 +246,28 @@ ifdef(`distro_gentoo',`
  /usr/lib/mailman/mail(/.*)?		gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/mediawiki/math/texvc.*		gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/misc/sftp-server	--	gen_context(system_u:object_r:bin_t,s0)
@@ -3210,7 +3215,7 @@ index 644d4d7..330ed39 100644
  /usr/lib/xfce4/exo-1/exo-compose-mail-1 -- gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/xfce4/exo-1/exo-helper-1 --	gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/xfce4/panel/migrate	--	gen_context(system_u:object_r:bin_t,s0)
-@@ -241,10 +281,15 @@ ifdef(`distro_gentoo',`
+@@ -241,10 +282,15 @@ ifdef(`distro_gentoo',`
  /usr/lib/debug/sbin(/.*)?	--	gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/debug/usr/bin(/.*)?	--	gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/debug/usr/sbin(/.*)?	--	gen_context(system_u:object_r:bin_t,s0)
@@ -3226,7 +3231,7 @@ index 644d4d7..330ed39 100644
  /usr/lib/[^/]*/run-mozilla\.sh --	gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/[^/]*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/thunderbird.*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0)
-@@ -257,10 +302,17 @@ ifdef(`distro_gentoo',`
+@@ -257,10 +303,17 @@ ifdef(`distro_gentoo',`
  
  /usr/libexec/openssh/sftp-server --	gen_context(system_u:object_r:bin_t,s0)
  
@@ -3247,7 +3252,7 @@ index 644d4d7..330ed39 100644
  /usr/sbin/scponlyc		--	gen_context(system_u:object_r:shell_exec_t,s0)
  /usr/sbin/sesh			--	gen_context(system_u:object_r:shell_exec_t,s0)
  /usr/sbin/smrsh			--	gen_context(system_u:object_r:shell_exec_t,s0)
-@@ -276,10 +328,15 @@ ifdef(`distro_gentoo',`
+@@ -276,10 +329,15 @@ ifdef(`distro_gentoo',`
  /usr/share/cluster/.*\.sh		gen_context(system_u:object_r:bin_t,s0)
  /usr/share/cluster/ocf-shellfuncs --	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/cluster/svclib_nfslock --	gen_context(system_u:object_r:bin_t,s0)
@@ -3263,7 +3268,7 @@ index 644d4d7..330ed39 100644
  /usr/share/gnucash/finance-quote-check -- gen_context(system_u:object_r:bin_t,s0)
  /usr/share/gnucash/finance-quote-helper -- gen_context(system_u:object_r:bin_t,s0)
  /usr/share/hal/device-manager/hal-device-manager -- gen_context(system_u:object_r:bin_t,s0)
-@@ -294,16 +351,22 @@ ifdef(`distro_gentoo',`
+@@ -294,16 +352,22 @@ ifdef(`distro_gentoo',`
  /usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0)
  /usr/share/smolt/client(/.*)?		gen_context(system_u:object_r:bin_t,s0)
  /usr/share/shorewall/compiler\.pl --	gen_context(system_u:object_r:bin_t,s0)
@@ -3288,7 +3293,7 @@ index 644d4d7..330ed39 100644
  
  ifdef(`distro_debian',`
  /usr/lib/ConsoleKit/.*		--	gen_context(system_u:object_r:bin_t,s0)
-@@ -321,20 +384,27 @@ ifdef(`distro_redhat', `
+@@ -321,20 +385,27 @@ ifdef(`distro_redhat', `
  /etc/gdm/[^/]+			-d	gen_context(system_u:object_r:bin_t,s0)
  /etc/gdm/[^/]+/.*			gen_context(system_u:object_r:bin_t,s0)
  
@@ -3317,7 +3322,7 @@ index 644d4d7..330ed39 100644
  /usr/share/pwlib/make/ptlib-config --	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/pydict/pydict\.py	--	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/rhn/rhn_applet/applet\.py -- gen_context(system_u:object_r:bin_t,s0)
-@@ -383,11 +453,15 @@ ifdef(`distro_suse', `
+@@ -383,11 +454,15 @@ ifdef(`distro_suse', `
  #
  # /var
  #
@@ -3334,7 +3339,7 @@ index 644d4d7..330ed39 100644
  /usr/lib/yp/.+			--	gen_context(system_u:object_r:bin_t,s0)
  
  /var/qmail/bin			-d	gen_context(system_u:object_r:bin_t,s0)
-@@ -397,3 +471,12 @@ ifdef(`distro_suse', `
+@@ -397,3 +472,12 @@ ifdef(`distro_suse', `
  ifdef(`distro_suse',`
  /var/lib/samba/bin/.+			gen_context(system_u:object_r:bin_t,s0)
  ')
@@ -3348,10 +3353,33 @@ index 644d4d7..330ed39 100644
 +/usr/lib/ruby/gems/.*/agents(/.*)?		gen_context(system_u:object_r:bin_t,s0)
 +/usr/lib/virtualbox/VBoxManage		--	gen_context(system_u:object_r:bin_t,s0)
 diff --git a/policy/modules/kernel/corecommands.if b/policy/modules/kernel/corecommands.if
-index 9e9263a..87d577e 100644
+index 9e9263a..979f47f 100644
 --- a/policy/modules/kernel/corecommands.if
 +++ b/policy/modules/kernel/corecommands.if
-@@ -122,6 +122,7 @@ interface(`corecmd_search_bin',`
+@@ -8,6 +8,22 @@
+ ##	run init.
+ ## </required>
+ 
++#####################################
++## <summary>
++##  corecmd stub bin_t interface.  No access allowed.
++## </summary>
++## <param name="domain" unused="true">
++##  <summary>
++##  Domain allowed access
++##  </summary>
++## </param>
++#
++interface(`corecmd_stub_bin',`
++    gen_require(`
++        type bin_t;
++    ')
++')
++
+ ########################################
+ ## <summary>
+ ##	Make the specified type usable for files
+@@ -122,6 +138,7 @@ interface(`corecmd_search_bin',`
  		type bin_t;
  	')
  
@@ -3359,7 +3387,7 @@ index 9e9263a..87d577e 100644
  	search_dirs_pattern($1, bin_t, bin_t)
  ')
  
-@@ -158,6 +159,7 @@ interface(`corecmd_list_bin',`
+@@ -158,6 +175,7 @@ interface(`corecmd_list_bin',`
  		type bin_t;
  	')
  
@@ -3367,7 +3395,7 @@ index 9e9263a..87d577e 100644
  	list_dirs_pattern($1, bin_t, bin_t)
  ')
  
-@@ -203,7 +205,7 @@ interface(`corecmd_getattr_bin_files',`
+@@ -203,7 +221,7 @@ interface(`corecmd_getattr_bin_files',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -3376,7 +3404,7 @@ index 9e9263a..87d577e 100644
  ##	</summary>
  ## </param>
  #
-@@ -231,6 +233,7 @@ interface(`corecmd_read_bin_files',`
+@@ -231,6 +249,7 @@ interface(`corecmd_read_bin_files',`
  		type bin_t;
  	')
  
@@ -3384,7 +3412,7 @@ index 9e9263a..87d577e 100644
  	read_files_pattern($1, bin_t, bin_t)
  ')
  
-@@ -254,6 +257,24 @@ interface(`corecmd_dontaudit_write_bin_files',`
+@@ -254,6 +273,24 @@ interface(`corecmd_dontaudit_write_bin_files',`
  
  ########################################
  ## <summary>
@@ -3409,7 +3437,7 @@ index 9e9263a..87d577e 100644
  ##	Read symbolic links in bin directories.
  ## </summary>
  ## <param name="domain">
-@@ -285,6 +306,7 @@ interface(`corecmd_read_bin_pipes',`
+@@ -285,6 +322,7 @@ interface(`corecmd_read_bin_pipes',`
  		type bin_t;
  	')
  
@@ -3417,7 +3445,7 @@ index 9e9263a..87d577e 100644
  	read_fifo_files_pattern($1, bin_t, bin_t)
  ')
  
-@@ -303,6 +325,7 @@ interface(`corecmd_read_bin_sockets',`
+@@ -303,6 +341,7 @@ interface(`corecmd_read_bin_sockets',`
  		type bin_t;
  	')
  
@@ -3425,7 +3453,7 @@ index 9e9263a..87d577e 100644
  	read_sock_files_pattern($1, bin_t, bin_t)
  ')
  
-@@ -345,6 +368,10 @@ interface(`corecmd_exec_bin',`
+@@ -345,6 +384,10 @@ interface(`corecmd_exec_bin',`
  	read_lnk_files_pattern($1, bin_t, bin_t)
  	list_dirs_pattern($1, bin_t, bin_t)
  	can_exec($1, bin_t)
@@ -3436,7 +3464,7 @@ index 9e9263a..87d577e 100644
  ')
  
  ########################################
-@@ -362,6 +389,7 @@ interface(`corecmd_manage_bin_files',`
+@@ -362,6 +405,7 @@ interface(`corecmd_manage_bin_files',`
  		type bin_t;
  	')
  
@@ -3444,7 +3472,7 @@ index 9e9263a..87d577e 100644
  	manage_files_pattern($1, bin_t, bin_t)
  ')
  
-@@ -398,6 +426,7 @@ interface(`corecmd_mmap_bin_files',`
+@@ -398,6 +442,7 @@ interface(`corecmd_mmap_bin_files',`
  		type bin_t;
  	')
  
@@ -3452,7 +3480,7 @@ index 9e9263a..87d577e 100644
  	mmap_files_pattern($1, bin_t, bin_t)
  ')
  
-@@ -954,6 +983,24 @@ interface(`corecmd_exec_chroot',`
+@@ -954,6 +999,24 @@ interface(`corecmd_exec_chroot',`
  
  ########################################
  ## <summary>
@@ -3477,7 +3505,7 @@ index 9e9263a..87d577e 100644
  ##	Get the attributes of all executable files.
  ## </summary>
  ## <param name="domain">
-@@ -1012,6 +1059,10 @@ interface(`corecmd_exec_all_executables',`
+@@ -1012,6 +1075,10 @@ interface(`corecmd_exec_all_executables',`
  	can_exec($1, exec_type)
  	list_dirs_pattern($1, bin_t, bin_t)
  	read_lnk_files_pattern($1, bin_t, exec_type)
@@ -3488,7 +3516,7 @@ index 9e9263a..87d577e 100644
  ')
  
  ########################################
-@@ -1049,6 +1100,7 @@ interface(`corecmd_manage_all_executables',`
+@@ -1049,6 +1116,7 @@ interface(`corecmd_manage_all_executables',`
  		type bin_t;
  	')
  
@@ -3496,7 +3524,7 @@ index 9e9263a..87d577e 100644
  	manage_files_pattern($1, bin_t, exec_type)
  	manage_lnk_files_pattern($1, bin_t, bin_t)
  ')
-@@ -1091,3 +1143,36 @@ interface(`corecmd_mmap_all_executables',`
+@@ -1091,3 +1159,36 @@ interface(`corecmd_mmap_all_executables',`
  
  	mmap_files_pattern($1, bin_t, exec_type)
  ')
@@ -3567,7 +3595,7 @@ index f9b25c1..9af1f7a 100644
 +/usr/lib/udev/devices/ppp -c gen_context(system_u:object_r:ppp_device_t,s0)
 +/usr/lib/udev/devices/net/.* -c gen_context(system_u:object_r:tun_tap_device_t,s0)
 diff --git a/policy/modules/kernel/corenetwork.if.in b/policy/modules/kernel/corenetwork.if.in
-index 07126bd..4aecd37 100644
+index 07126bd..d6ec4a8 100644
 --- a/policy/modules/kernel/corenetwork.if.in
 +++ b/policy/modules/kernel/corenetwork.if.in
 @@ -55,6 +55,7 @@ interface(`corenet_reserved_port',`
@@ -3636,10 +3664,29 @@ index 07126bd..4aecd37 100644
  ##	Bind TCP sockets to generic nodes.
  ## </summary>
  ## <desc>
-@@ -855,6 +893,25 @@ interface(`corenet_udp_bind_generic_node',`
+@@ -855,6 +893,44 @@ interface(`corenet_udp_bind_generic_node',`
  
  ########################################
  ## <summary>
++##	Dontaudit attempts to bind TCP sockets to generic nodes.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
++##	</summary>
++## </param>
++## <infoflow type="read" weight="1"/>
++#
++interface(`corenet_dontaudit_tcp_bind_generic_node',`
++	gen_require(`
++		type node_t;
++	')
++
++	dontaudit $1 node_t:tcp_socket node_bind;
++')
++
++########################################
++## <summary>
 +##	Dontaudit attempts to bind UDP sockets to generic nodes.
 +## </summary>
 +## <param name="domain">
@@ -3662,7 +3709,7 @@ index 07126bd..4aecd37 100644
  ##	Bind raw sockets to genric nodes.
  ## </summary>
  ## <param name="domain">
-@@ -928,6 +985,24 @@ interface(`corenet_inout_generic_node',`
+@@ -928,6 +1004,24 @@ interface(`corenet_inout_generic_node',`
  
  ########################################
  ## <summary>
@@ -3687,7 +3734,7 @@ index 07126bd..4aecd37 100644
  ##	Send and receive TCP network traffic on all nodes.
  ## </summary>
  ## <param name="domain">
-@@ -1102,6 +1177,24 @@ interface(`corenet_raw_sendrecv_all_nodes',`
+@@ -1102,6 +1196,24 @@ interface(`corenet_raw_sendrecv_all_nodes',`
  
  ########################################
  ## <summary>
@@ -3712,7 +3759,7 @@ index 07126bd..4aecd37 100644
  ##	Bind TCP sockets to all nodes.
  ## </summary>
  ## <param name="domain">
-@@ -1157,6 +1250,24 @@ interface(`corenet_raw_bind_all_nodes',`
+@@ -1157,6 +1269,24 @@ interface(`corenet_raw_bind_all_nodes',`
  
  ########################################
  ## <summary>
@@ -3737,7 +3784,7 @@ index 07126bd..4aecd37 100644
  ##	Send and receive TCP network traffic on generic ports.
  ## </summary>
  ## <param name="domain">
-@@ -1167,10 +1278,30 @@ interface(`corenet_raw_bind_all_nodes',`
+@@ -1167,10 +1297,30 @@ interface(`corenet_raw_bind_all_nodes',`
  #
  interface(`corenet_tcp_sendrecv_generic_port',`
  	gen_require(`
@@ -3770,7 +3817,7 @@ index 07126bd..4aecd37 100644
  ')
  
  ########################################
-@@ -1185,10 +1316,10 @@ interface(`corenet_tcp_sendrecv_generic_port',`
+@@ -1185,10 +1335,10 @@ interface(`corenet_tcp_sendrecv_generic_port',`
  #
  interface(`corenet_dontaudit_tcp_sendrecv_generic_port',`
  	gen_require(`
@@ -3783,7 +3830,7 @@ index 07126bd..4aecd37 100644
  ')
  
  ########################################
-@@ -1203,10 +1334,10 @@ interface(`corenet_dontaudit_tcp_sendrecv_generic_port',`
+@@ -1203,10 +1353,10 @@ interface(`corenet_dontaudit_tcp_sendrecv_generic_port',`
  #
  interface(`corenet_udp_send_generic_port',`
  	gen_require(`
@@ -3796,7 +3843,7 @@ index 07126bd..4aecd37 100644
  ')
  
  ########################################
-@@ -1221,10 +1352,10 @@ interface(`corenet_udp_send_generic_port',`
+@@ -1221,10 +1371,10 @@ interface(`corenet_udp_send_generic_port',`
  #
  interface(`corenet_udp_receive_generic_port',`
  	gen_require(`
@@ -3809,7 +3856,7 @@ index 07126bd..4aecd37 100644
  ')
  
  ########################################
-@@ -1244,6 +1375,26 @@ interface(`corenet_udp_sendrecv_generic_port',`
+@@ -1244,6 +1394,26 @@ interface(`corenet_udp_sendrecv_generic_port',`
  
  ########################################
  ## <summary>
@@ -3836,7 +3883,7 @@ index 07126bd..4aecd37 100644
  ##	Bind TCP sockets to generic ports.
  ## </summary>
  ## <param name="domain">
-@@ -1254,16 +1405,35 @@ interface(`corenet_udp_sendrecv_generic_port',`
+@@ -1254,16 +1424,35 @@ interface(`corenet_udp_sendrecv_generic_port',`
  #
  interface(`corenet_tcp_bind_generic_port',`
  	gen_require(`
@@ -3874,7 +3921,7 @@ index 07126bd..4aecd37 100644
  ##	Do not audit bind TCP sockets to generic ports.
  ## </summary>
  ## <param name="domain">
-@@ -1274,10 +1444,10 @@ interface(`corenet_tcp_bind_generic_port',`
+@@ -1274,10 +1463,10 @@ interface(`corenet_tcp_bind_generic_port',`
  #
  interface(`corenet_dontaudit_tcp_bind_generic_port',`
  	gen_require(`
@@ -3887,7 +3934,7 @@ index 07126bd..4aecd37 100644
  ')
  
  ########################################
-@@ -1292,16 +1462,34 @@ interface(`corenet_dontaudit_tcp_bind_generic_port',`
+@@ -1292,16 +1481,34 @@ interface(`corenet_dontaudit_tcp_bind_generic_port',`
  #
  interface(`corenet_udp_bind_generic_port',`
  	gen_require(`
@@ -3924,15 +3971,14 @@ index 07126bd..4aecd37 100644
  ##	Connect TCP sockets to generic ports.
  ## </summary>
  ## <param name="domain">
-@@ -1312,10 +1500,28 @@ interface(`corenet_udp_bind_generic_port',`
+@@ -1312,10 +1519,28 @@ interface(`corenet_udp_bind_generic_port',`
  #
  interface(`corenet_tcp_connect_generic_port',`
  	gen_require(`
 -		type port_t;
 +		type port_t, unreserved_port_t, ephemeral_port_t;
- 	')
- 
--	allow $1 port_t:tcp_socket name_connect;
++	')
++
 +	allow $1 { port_t unreserved_port_t ephemeral_port_t }:tcp_socket name_connect;
 +')
 +
@@ -3949,13 +3995,14 @@ index 07126bd..4aecd37 100644
 +interface(`corenet_dccp_sendrecv_all_ports',`
 +	gen_require(`
 +		attribute port_type;
-+	')
-+
+ 	')
+ 
+-	allow $1 port_t:tcp_socket name_connect;
 +	allow $1 port_type:dccp_socket { send_msg recv_msg };
  ')
  
  ########################################
-@@ -1439,6 +1645,25 @@ interface(`corenet_udp_sendrecv_all_ports',`
+@@ -1439,6 +1664,25 @@ interface(`corenet_udp_sendrecv_all_ports',`
  
  ########################################
  ## <summary>
@@ -3981,7 +4028,7 @@ index 07126bd..4aecd37 100644
  ##	Bind TCP sockets to all ports.
  ## </summary>
  ## <param name="domain">
-@@ -1458,6 +1683,24 @@ interface(`corenet_tcp_bind_all_ports',`
+@@ -1458,6 +1702,24 @@ interface(`corenet_tcp_bind_all_ports',`
  
  ########################################
  ## <summary>
@@ -4006,7 +4053,7 @@ index 07126bd..4aecd37 100644
  ##	Do not audit attepts to bind TCP sockets to any ports.
  ## </summary>
  ## <param name="domain">
-@@ -1513,6 +1756,24 @@ interface(`corenet_dontaudit_udp_bind_all_ports',`
+@@ -1513,6 +1775,24 @@ interface(`corenet_dontaudit_udp_bind_all_ports',`
  
  ########################################
  ## <summary>
@@ -4031,7 +4078,7 @@ index 07126bd..4aecd37 100644
  ##	Connect TCP sockets to all ports.
  ## </summary>
  ## <desc>
-@@ -1559,6 +1820,25 @@ interface(`corenet_tcp_connect_all_ports',`
+@@ -1559,6 +1839,25 @@ interface(`corenet_tcp_connect_all_ports',`
  
  ########################################
  ## <summary>
@@ -4057,7 +4104,7 @@ index 07126bd..4aecd37 100644
  ##	Do not audit attempts to connect TCP sockets
  ##	to all ports.
  ## </summary>
-@@ -1578,6 +1858,24 @@ interface(`corenet_dontaudit_tcp_connect_all_ports',`
+@@ -1578,6 +1877,24 @@ interface(`corenet_dontaudit_tcp_connect_all_ports',`
  
  ########################################
  ## <summary>
@@ -4082,7 +4129,7 @@ index 07126bd..4aecd37 100644
  ##	Send and receive TCP network traffic on generic reserved ports.
  ## </summary>
  ## <param name="domain">
-@@ -1647,6 +1945,25 @@ interface(`corenet_udp_sendrecv_reserved_port',`
+@@ -1647,6 +1964,25 @@ interface(`corenet_udp_sendrecv_reserved_port',`
  
  ########################################
  ## <summary>
@@ -4108,7 +4155,7 @@ index 07126bd..4aecd37 100644
  ##	Bind TCP sockets to generic reserved ports.
  ## </summary>
  ## <param name="domain">
-@@ -1685,6 +2002,24 @@ interface(`corenet_udp_bind_reserved_port',`
+@@ -1685,6 +2021,24 @@ interface(`corenet_udp_bind_reserved_port',`
  
  ########################################
  ## <summary>
@@ -4133,7 +4180,7 @@ index 07126bd..4aecd37 100644
  ##	Connect TCP sockets to generic reserved ports.
  ## </summary>
  ## <param name="domain">
-@@ -1703,6 +2038,24 @@ interface(`corenet_tcp_connect_reserved_port',`
+@@ -1703,6 +2057,24 @@ interface(`corenet_tcp_connect_reserved_port',`
  
  ########################################
  ## <summary>
@@ -4158,7 +4205,7 @@ index 07126bd..4aecd37 100644
  ##	Send and receive TCP network traffic on all reserved ports.
  ## </summary>
  ## <param name="domain">
-@@ -1752,12 +2105,210 @@ interface(`corenet_udp_receive_all_reserved_ports',`
+@@ -1752,12 +2124,210 @@ interface(`corenet_udp_receive_all_reserved_ports',`
  		attribute reserved_port_type;
  	')
  
@@ -4371,7 +4418,7 @@ index 07126bd..4aecd37 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1765,14 +2316,17 @@ interface(`corenet_udp_receive_all_reserved_ports',`
+@@ -1765,14 +2335,17 @@ interface(`corenet_udp_receive_all_reserved_ports',`
  ##	</summary>
  ## </param>
  #
@@ -4393,7 +4440,7 @@ index 07126bd..4aecd37 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1780,36 +2334,35 @@ interface(`corenet_udp_sendrecv_all_reserved_ports',`
+@@ -1780,36 +2353,35 @@ interface(`corenet_udp_sendrecv_all_reserved_ports',`
  ##	</summary>
  ## </param>
  #
@@ -4437,7 +4484,7 @@ index 07126bd..4aecd37 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1817,36 +2370,35 @@ interface(`corenet_dontaudit_tcp_bind_all_reserved_ports',`
+@@ -1817,36 +2389,35 @@ interface(`corenet_dontaudit_tcp_bind_all_reserved_ports',`
  ##	</summary>
  ## </param>
  #
@@ -4488,7 +4535,7 @@ index 07126bd..4aecd37 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1854,17 +2406,17 @@ interface(`corenet_dontaudit_udp_bind_all_reserved_ports',`
+@@ -1854,17 +2425,17 @@ interface(`corenet_dontaudit_udp_bind_all_reserved_ports',`
  ##	</summary>
  ## </param>
  #
@@ -4509,7 +4556,7 @@ index 07126bd..4aecd37 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1872,67 +2424,68 @@ interface(`corenet_tcp_bind_all_unreserved_ports',`
+@@ -1872,67 +2443,68 @@ interface(`corenet_tcp_bind_all_unreserved_ports',`
  ##	</summary>
  ## </param>
  #
@@ -4596,7 +4643,7 @@ index 07126bd..4aecd37 100644
  ')
  
  ########################################
-@@ -1955,6 +2508,25 @@ interface(`corenet_tcp_connect_all_rpc_ports',`
+@@ -1955,6 +2527,25 @@ interface(`corenet_tcp_connect_all_rpc_ports',`
  
  ########################################
  ## <summary>
@@ -4622,7 +4669,7 @@ index 07126bd..4aecd37 100644
  ##	Do not audit attempts to connect TCP sockets
  ##	all rpc ports.
  ## </summary>
-@@ -1993,6 +2565,24 @@ interface(`corenet_rw_tun_tap_dev',`
+@@ -1993,6 +2584,24 @@ interface(`corenet_rw_tun_tap_dev',`
  
  ########################################
  ## <summary>
@@ -4647,7 +4694,7 @@ index 07126bd..4aecd37 100644
  ##	Do not audit attempts to read or write the TUN/TAP
  ##	virtual network device.
  ## </summary>
-@@ -2049,6 +2639,25 @@ interface(`corenet_rw_ppp_dev',`
+@@ -2049,6 +2658,25 @@ interface(`corenet_rw_ppp_dev',`
  
  ########################################
  ## <summary>
@@ -4673,7 +4720,7 @@ index 07126bd..4aecd37 100644
  ##	Bind TCP sockets to all RPC ports.
  ## </summary>
  ## <param name="domain">
-@@ -2068,6 +2677,24 @@ interface(`corenet_tcp_bind_all_rpc_ports',`
+@@ -2068,6 +2696,24 @@ interface(`corenet_tcp_bind_all_rpc_ports',`
  
  ########################################
  ## <summary>
@@ -4698,7 +4745,7 @@ index 07126bd..4aecd37 100644
  ##	Do not audit attempts to bind TCP sockets to all RPC ports.
  ## </summary>
  ## <param name="domain">
-@@ -2194,6 +2821,25 @@ interface(`corenet_tcp_recv_netlabel',`
+@@ -2194,6 +2840,25 @@ interface(`corenet_tcp_recv_netlabel',`
  
  ########################################
  ## <summary>
@@ -4724,7 +4771,7 @@ index 07126bd..4aecd37 100644
  ##	Receive TCP packets from a NetLabel connection.
  ## </summary>
  ## <param name="domain">
-@@ -2213,7 +2859,7 @@ interface(`corenet_tcp_recvfrom_netlabel',`
+@@ -2213,7 +2878,7 @@ interface(`corenet_tcp_recvfrom_netlabel',`
  
  ########################################
  ## <summary>
@@ -4733,7 +4780,7 @@ index 07126bd..4aecd37 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2221,10 +2867,15 @@ interface(`corenet_tcp_recvfrom_netlabel',`
+@@ -2221,10 +2886,15 @@ interface(`corenet_tcp_recvfrom_netlabel',`
  ##	</summary>
  ## </param>
  #
@@ -4751,7 +4798,7 @@ index 07126bd..4aecd37 100644
  	# XXX - at some point the oubound/send access check will be removed
  	# but for right now we need to keep this in place so as not to break
  	# older systems
-@@ -2249,6 +2900,26 @@ interface(`corenet_dontaudit_tcp_recv_netlabel',`
+@@ -2249,6 +2919,26 @@ interface(`corenet_dontaudit_tcp_recv_netlabel',`
  
  ########################################
  ## <summary>
@@ -4778,7 +4825,7 @@ index 07126bd..4aecd37 100644
  ##	Do not audit attempts to receive TCP packets from a NetLabel
  ##	connection.
  ## </summary>
-@@ -2269,6 +2940,27 @@ interface(`corenet_dontaudit_tcp_recvfrom_netlabel',`
+@@ -2269,6 +2959,27 @@ interface(`corenet_dontaudit_tcp_recvfrom_netlabel',`
  
  ########################################
  ## <summary>
@@ -4806,7 +4853,7 @@ index 07126bd..4aecd37 100644
  ##	Do not audit attempts to receive TCP packets from an unlabeled
  ##	connection.
  ## </summary>
-@@ -2533,15 +3225,10 @@ interface(`corenet_dontaudit_raw_recvfrom_unlabeled',`
+@@ -2533,15 +3244,10 @@ interface(`corenet_dontaudit_raw_recvfrom_unlabeled',`
  ## <infoflow type="read" weight="10"/>
  #
  interface(`corenet_all_recvfrom_unlabeled',`
@@ -4826,7 +4873,7 @@ index 07126bd..4aecd37 100644
  ')
  
  ########################################
-@@ -2567,11 +3254,34 @@ interface(`corenet_all_recvfrom_unlabeled',`
+@@ -2567,11 +3273,34 @@ interface(`corenet_all_recvfrom_unlabeled',`
  #
  interface(`corenet_all_recvfrom_netlabel',`
  	gen_require(`
@@ -4864,7 +4911,7 @@ index 07126bd..4aecd37 100644
  ')
  
  ########################################
-@@ -2585,6 +3295,7 @@ interface(`corenet_all_recvfrom_netlabel',`
+@@ -2585,6 +3314,7 @@ interface(`corenet_all_recvfrom_netlabel',`
  ## </param>
  #
  interface(`corenet_dontaudit_all_recvfrom_unlabeled',`
@@ -4872,7 +4919,7 @@ index 07126bd..4aecd37 100644
  	kernel_dontaudit_tcp_recvfrom_unlabeled($1)
  	kernel_dontaudit_udp_recvfrom_unlabeled($1)
  	kernel_dontaudit_raw_recvfrom_unlabeled($1)
-@@ -2613,7 +3324,35 @@ interface(`corenet_dontaudit_all_recvfrom_netlabel',`
+@@ -2613,7 +3343,35 @@ interface(`corenet_dontaudit_all_recvfrom_netlabel',`
  	')
  
  	dontaudit $1 netlabel_peer_t:peer recv;
@@ -4909,7 +4956,7 @@ index 07126bd..4aecd37 100644
  ')
  
  ########################################
-@@ -2727,6 +3466,7 @@ interface(`corenet_raw_recvfrom_labeled',`
+@@ -2727,6 +3485,7 @@ interface(`corenet_raw_recvfrom_labeled',`
  ## </param>
  #
  interface(`corenet_all_recvfrom_labeled',`
@@ -4917,7 +4964,7 @@ index 07126bd..4aecd37 100644
  	corenet_tcp_recvfrom_labeled($1, $2)
  	corenet_udp_recvfrom_labeled($1, $2)
  	corenet_raw_recvfrom_labeled($1, $2)
-@@ -3134,3 +3874,53 @@ interface(`corenet_unconfined',`
+@@ -3134,3 +3893,53 @@ interface(`corenet_unconfined',`
  
  	typeattribute $1 corenet_unconfined_type;
  ')
@@ -5027,7 +5074,7 @@ index 8e0f9cd..b9f45b9 100644
  
  define(`create_packet_interfaces',``
 diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index 4edc40d..49513c7 100644
+index 4edc40d..f678b45 100644
 --- a/policy/modules/kernel/corenetwork.te.in
 +++ b/policy/modules/kernel/corenetwork.te.in
 @@ -5,6 +5,7 @@ policy_module(corenetwork, 1.18.4)
@@ -5200,7 +5247,8 @@ index 4edc40d..49513c7 100644
  network_port(mail, tcp,2000,s0, tcp,3905,s0)
  network_port(matahari, tcp,49000,s0, udp,49000,s0)
  network_port(memcache, tcp,11211,s0, udp,11211,s0)
- network_port(milter) # no defined portcon
+-network_port(milter) # no defined portcon
++network_port(milter, tcp, 8891, s0) # no defined portcon
  network_port(mmcc, tcp,5050,s0, udp,5050,s0)
 +network_port(mongod, tcp,27017,s0)
  network_port(monopd, tcp,1234,s0)
@@ -5332,7 +5380,16 @@ index 4edc40d..49513c7 100644
  
  ########################################
  #
-@@ -342,9 +388,24 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
+@@ -330,6 +376,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh)
+ 
+ build_option(`enable_mls',`
+ network_interface(lo, lo, s0 - mls_systemhigh)
++allow netlabel_peer_t lo_netif_t:netif ingress;
++allow netlabel_peer_type lo_netif_t:netif egress;
+ ',`
+ typealias netif_t alias { lo_netif_t netif_lo_t };
+ ')
+@@ -342,9 +390,24 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
  allow corenet_unconfined_type node_type:node *;
  allow corenet_unconfined_type netif_type:netif *;
  allow corenet_unconfined_type packet_type:packet *;
@@ -7634,7 +7691,7 @@ index 6a1e4d1..adafd25 100644
 +	dontaudit $1 domain:socket_class_set { read write };
  ')
 diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
-index cf04cb5..431baa5 100644
+index cf04cb5..274ef6d 100644
 --- a/policy/modules/kernel/domain.te
 +++ b/policy/modules/kernel/domain.te
 @@ -4,6 +4,29 @@ policy_module(domain, 1.11.0)
@@ -7760,7 +7817,7 @@ index cf04cb5..431baa5 100644
  
  # Create/access any System V IPC objects.
  allow unconfined_domain_type domain:{ sem msgq shm } *;
-@@ -166,5 +227,261 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
+@@ -166,5 +227,265 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
  # act on all domains keys
  allow unconfined_domain_type domain:key *;
  
@@ -7809,6 +7866,10 @@ index cf04cb5..431baa5 100644
 +')
 +
 +optional_policy(`
++	abrt_filetrans_named_content(unconfined_domain_type)
++')
++
++optional_policy(`
 +	alsa_filetrans_named_content(unconfined_domain_type)
 +')
 +
@@ -8023,7 +8084,7 @@ index cf04cb5..431baa5 100644
 +	')
 +')
 diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
-index c2c6e05..d0e6d1c 100644
+index c2c6e05..96aeeef 100644
 --- a/policy/modules/kernel/files.fc
 +++ b/policy/modules/kernel/files.fc
 @@ -18,6 +18,7 @@ ifdef(`distro_redhat',`
@@ -8220,7 +8281,7 @@ index c2c6e05..d0e6d1c 100644
  /var/.*				gen_context(system_u:object_r:var_t,s0)
  /var/\.journal			<<none>>
  
-@@ -237,11 +243,21 @@ ifndef(`distro_redhat',`
+@@ -237,11 +243,22 @@ ifndef(`distro_redhat',`
  
  /var/ftp/etc(/.*)?		gen_context(system_u:object_r:etc_t,s0)
  
@@ -8230,6 +8291,7 @@ index c2c6e05..d0e6d1c 100644
  
  /var/lib/nfs/rpc_pipefs(/.*)?	<<none>>
  
+-/var/lock(/.*)?			gen_context(system_u:object_r:var_lock_t,s0)
 +/var/lib/stickshift/.stickshift-proxy.d(/.*)?   gen_context(system_u:object_r:etc_t,s0)
 +/var/lib/stickshift/.limits.d(/.*)?        gen_context(system_u:object_r:etc_t,s0)
 +
@@ -8237,12 +8299,13 @@ index c2c6e05..d0e6d1c 100644
 +/var/lib/openshift/.stickshift-proxy.d(/.*)?   gen_context(system_u:object_r:etc_t,s0)
 +/var/lib/openshift/.limits.d(/.*)?        gen_context(system_u:object_r:etc_t,s0)
 +
- /var/lock(/.*)?			gen_context(system_u:object_r:var_lock_t,s0)
++/var/lock			-d	gen_context(system_u:object_r:var_lock_t,s0)
 +/var/lock			-l	gen_context(system_u:object_r:var_lock_t,s0)
++/var/lock/.*			<<none>>
  
  /var/log/lost\+found	-d	gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
  /var/log/lost\+found/.*		<<none>>
-@@ -262,6 +278,7 @@ ifndef(`distro_redhat',`
+@@ -262,6 +279,7 @@ ifndef(`distro_redhat',`
  
  /var/tmp		-d	gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
  /var/tmp		-l	gen_context(system_u:object_r:tmp_t,s0)
@@ -8250,17 +8313,137 @@ index c2c6e05..d0e6d1c 100644
  /var/tmp/.*			<<none>>
  /var/tmp/lost\+found	-d	gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
  /var/tmp/lost\+found/.*		<<none>>
-@@ -270,3 +287,5 @@ ifndef(`distro_redhat',`
+@@ -270,3 +288,5 @@ ifndef(`distro_redhat',`
  ifdef(`distro_debian',`
  /var/run/motd		--	gen_context(system_u:object_r:initrc_var_run_t,s0)
  ')
 +/nsr(/.*)?			gen_context(system_u:object_r:var_t,s0)
 +/nsr/logs(/.*)?			gen_context(system_u:object_r:var_log_t,s0)
 diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index 64ff4d7..8a9355a 100644
+index 64ff4d7..90999af 100644
 --- a/policy/modules/kernel/files.if
 +++ b/policy/modules/kernel/files.if
-@@ -55,6 +55,7 @@
+@@ -19,6 +19,119 @@
+ ##	Comains the file initial SID.
+ ## </required>
+ 
++#####################################
++## <summary>
++##  files stub etc_t interface.  No access allowed.
++## </summary>
++## <param name="domain" unused="true">
++##  <summary>
++##  Domain allowed access
++##  </summary>
++## </param>
++#
++interface(`files_stub_etc',`
++    gen_require(`
++        type etc_t;
++    ')
++')
++
++#####################################
++## <summary>
++##  files stub var_lock_t interface.  No access allowed.
++## </summary>
++## <param name="domain" unused="true">
++##  <summary>
++##  Domain allowed access
++##  </summary>
++## </param>
++#
++interface(`files_stub_var_lock',`
++    gen_require(`
++        type var_lock_t;
++    ')
++')
++
++#####################################
++## <summary>
++##  files stub var_log_t interface.  No access allowed.
++## </summary>
++## <param name="domain" unused="true">
++##  <summary>
++##  Domain allowed access
++##  </summary>
++## </param>
++#
++interface(`files_stub_var_log',`
++    gen_require(`
++        type var_log_t;
++    ')
++')
++
++#####################################
++## <summary>
++##  files stub var_lib_t interface.  No access allowed.
++## </summary>
++## <param name="domain" unused="true">
++##  <summary>
++##  Domain allowed access
++##  </summary>
++## </param>
++#
++interface(`files_stub_var_lib',`
++    gen_require(`
++        type var_lib_t;
++    ')
++')
++
++#####################################
++## <summary>
++##  files stub var_run_t interface.  No access allowed.
++## </summary>
++## <param name="domain" unused="true">
++##  <summary>
++##  Domain allowed access
++##  </summary>
++## </param>
++#
++interface(`files_stub_var_run',`
++    gen_require(`
++        type var_run_t;
++    ')
++')
++
++#####################################
++## <summary>
++##  files stub var_run_t interface.  No access allowed.
++## </summary>
++## <param name="domain" unused="true">
++##  <summary>
++##  Domain allowed access
++##  </summary>
++## </param>
++#
++interface(`files_stub_var_spool',`
++    gen_require(`
++        type var_spool_t;
++    ')
++')
++
++#####################################
++## <summary>
++##  files stub tmp_t interface.  No access allowed.
++## </summary>
++## <param name="domain" unused="true">
++##  <summary>
++##  Domain allowed access
++##  </summary>
++## </param>
++#
++interface(`files_stub_tmp',`
++    gen_require(`
++        type tmp_t;
++    ')
++')
++
++
+ ########################################
+ ## <summary>
+ ##	Make the specified type usable for files
+@@ -55,6 +168,7 @@
  ##		<li>files_pid_file()</li>
  ##		<li>files_security_file()</li>
  ##		<li>files_security_mountpoint()</li>
@@ -8268,7 +8451,87 @@ index 64ff4d7..8a9355a 100644
  ##		<li>files_tmp_file()</li>
  ##		<li>files_tmpfs_file()</li>
  ##		<li>logging_log_file()</li>
-@@ -521,7 +522,7 @@ interface(`files_mounton_non_security',`
+@@ -125,30 +239,31 @@ interface(`files_security_file',`
+ 	typeattribute $1 file_type, security_file_type, non_auth_file_type;
+ ')
+ 
++
+ ########################################
+ ## <summary>
+ ##	Make the specified type usable for
+-##	lock files.
++##	filesystem mount points.
+ ## </summary>
+ ## <param name="type">
+ ##	<summary>
+-##	Type to be used for lock files.
++##	Type to be used for mount points.
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_lock_file',`
++interface(`files_mountpoint',`
+ 	gen_require(`
+-		attribute lockfile;
++		attribute mountpoint;
+ 	')
+ 
+ 	files_type($1)
+-	typeattribute $1 lockfile;
++	typeattribute $1 mountpoint;
+ ')
+ 
+ ########################################
+ ## <summary>
+ ##	Make the specified type usable for
+-##	filesystem mount points.
++##	security file filesystem mount points.
+ ## </summary>
+ ## <param name="type">
+ ##	<summary>
+@@ -156,33 +271,33 @@ interface(`files_lock_file',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_mountpoint',`
++interface(`files_security_mountpoint',`
+ 	gen_require(`
+ 		attribute mountpoint;
+ 	')
+ 
+-	files_type($1)
++	files_security_file($1)
+ 	typeattribute $1 mountpoint;
+ ')
+ 
+ ########################################
+ ## <summary>
+ ##	Make the specified type usable for
+-##	security file filesystem mount points.
++##	lock files.
+ ## </summary>
+ ## <param name="type">
+ ##	<summary>
+-##	Type to be used for mount points.
++##	Type to be used for lock files.
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_security_mountpoint',`
++interface(`files_lock_file',`
+ 	gen_require(`
+-		attribute mountpoint;
++		attribute lockfile;
+ 	')
+ 
+-	files_security_file($1)
+-	typeattribute $1 mountpoint;
++	files_type($1)
++	typeattribute $1 lockfile;
+ ')
+ 
+ ########################################
+@@ -521,7 +636,7 @@ interface(`files_mounton_non_security',`
  		attribute non_security_file_type;
  	')
  
@@ -8277,7 +8540,7 @@ index 64ff4d7..8a9355a 100644
  	allow $1 non_security_file_type:file mounton;
  ')
  
-@@ -620,6 +621,63 @@ interface(`files_dontaudit_getattr_non_security_files',`
+@@ -620,6 +735,63 @@ interface(`files_dontaudit_getattr_non_security_files',`
  
  ########################################
  ## <summary>
@@ -8341,7 +8604,7 @@ index 64ff4d7..8a9355a 100644
  ##	Read all files.
  ## </summary>
  ## <param name="domain">
-@@ -683,12 +741,82 @@ interface(`files_read_non_security_files',`
+@@ -683,12 +855,82 @@ interface(`files_read_non_security_files',`
  		attribute non_security_file_type;
  	')
  
@@ -8424,7 +8687,7 @@ index 64ff4d7..8a9355a 100644
  ##	Read all directories on the filesystem, except
  ##	the listed exceptions.
  ## </summary>
-@@ -953,6 +1081,25 @@ interface(`files_dontaudit_getattr_non_security_pipes',`
+@@ -953,6 +1195,25 @@ interface(`files_dontaudit_getattr_non_security_pipes',`
  
  ########################################
  ## <summary>
@@ -8450,7 +8713,7 @@ index 64ff4d7..8a9355a 100644
  ##	Get the attributes of all named sockets.
  ## </summary>
  ## <param name="domain">
-@@ -991,6 +1138,25 @@ interface(`files_dontaudit_getattr_all_sockets',`
+@@ -991,6 +1252,25 @@ interface(`files_dontaudit_getattr_all_sockets',`
  
  ########################################
  ## <summary>
@@ -8476,7 +8739,7 @@ index 64ff4d7..8a9355a 100644
  ##	Do not audit attempts to get the attributes
  ##	of non security named sockets.
  ## </summary>
-@@ -1073,10 +1239,8 @@ interface(`files_relabel_all_files',`
+@@ -1073,10 +1353,8 @@ interface(`files_relabel_all_files',`
  	relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 })
  	relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 })
  	relabel_sock_files_pattern($1, { file_type $2 }, { file_type $2 })
@@ -8489,7 +8752,7 @@ index 64ff4d7..8a9355a 100644
  
  	# satisfy the assertions:
  	seutil_relabelto_bin_policy($1)
-@@ -1182,24 +1346,6 @@ interface(`files_list_all',`
+@@ -1182,24 +1460,6 @@ interface(`files_list_all',`
  
  ########################################
  ## <summary>
@@ -8514,7 +8777,7 @@ index 64ff4d7..8a9355a 100644
  ##	Do not audit attempts to search the
  ##	contents of any directories on extended
  ##	attribute filesystems.
-@@ -1443,9 +1589,6 @@ interface(`files_relabel_non_auth_files',`
+@@ -1443,9 +1703,6 @@ interface(`files_relabel_non_auth_files',`
  	# device nodes with file types.
  	relabelfrom_blk_files_pattern($1, non_auth_file_type, non_auth_file_type)
  	relabelfrom_chr_files_pattern($1, non_auth_file_type, non_auth_file_type)
@@ -8524,7 +8787,7 @@ index 64ff4d7..8a9355a 100644
  ')
  
  #############################################
-@@ -1583,6 +1726,24 @@ interface(`files_getattr_all_mountpoints',`
+@@ -1583,6 +1840,24 @@ interface(`files_getattr_all_mountpoints',`
  
  ########################################
  ## <summary>
@@ -8549,7 +8812,7 @@ index 64ff4d7..8a9355a 100644
  ##	Set the attributes of all mount points.
  ## </summary>
  ## <param name="domain">
-@@ -1673,6 +1834,24 @@ interface(`files_dontaudit_list_all_mountpoints',`
+@@ -1673,6 +1948,24 @@ interface(`files_dontaudit_list_all_mountpoints',`
  
  ########################################
  ## <summary>
@@ -8574,11 +8837,33 @@ index 64ff4d7..8a9355a 100644
  ##	Do not audit attempts to write to mount points.
  ## </summary>
  ## <param name="domain">
-@@ -1691,6 +1870,24 @@ interface(`files_dontaudit_write_all_mountpoints',`
+@@ -1691,7 +1984,7 @@ interface(`files_dontaudit_write_all_mountpoints',`
  
  ########################################
  ## <summary>
+-##	List the contents of the root directory.
 +##	Write all file type directories.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -1699,12 +1992,30 @@ interface(`files_dontaudit_write_all_mountpoints',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_list_root',`
++interface(`files_write_all_dirs',`
+ 	gen_require(`
+-		type root_t;
++		attribute file_type;
+ 	')
+ 
+-	allow $1 root_t:dir list_dir_perms;
++	allow $1 file_type:dir write;
++')
++
++########################################
++## <summary>
++##	List the contents of the root directory.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@@ -8586,20 +8871,16 @@ index 64ff4d7..8a9355a 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`files_write_all_dirs',`
++interface(`files_list_root',`
 +	gen_require(`
-+		attribute file_type;
++		type root_t;
 +	')
 +
-+	allow $1 file_type:dir write;
-+')
-+
-+########################################
-+## <summary>
- ##	List the contents of the root directory.
- ## </summary>
- ## <param name="domain">
-@@ -1874,25 +2071,25 @@ interface(`files_delete_root_dir_entry',`
++	allow $1 root_t:dir list_dir_perms;
+ 	allow $1 root_t:lnk_file { read_lnk_file_perms ioctl lock };
+ ')
+ 
+@@ -1874,25 +2185,25 @@ interface(`files_delete_root_dir_entry',`
  
  ########################################
  ## <summary>
@@ -8631,7 +8912,7 @@ index 64ff4d7..8a9355a 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1905,7 +2102,7 @@ interface(`files_relabel_rootfs',`
+@@ -1905,7 +2216,7 @@ interface(`files_relabel_rootfs',`
  		type root_t;
  	')
  
@@ -8640,7 +8921,7 @@ index 64ff4d7..8a9355a 100644
  ')
  
  ########################################
-@@ -1928,6 +2125,24 @@ interface(`files_unmount_rootfs',`
+@@ -1928,6 +2239,24 @@ interface(`files_unmount_rootfs',`
  
  ########################################
  ## <summary>
@@ -8665,7 +8946,7 @@ index 64ff4d7..8a9355a 100644
  ##	Get attributes of the /boot directory.
  ## </summary>
  ## <param name="domain">
-@@ -2627,6 +2842,24 @@ interface(`files_rw_etc_dirs',`
+@@ -2627,6 +2956,24 @@ interface(`files_rw_etc_dirs',`
  	allow $1 etc_t:dir rw_dir_perms;
  ')
  
@@ -8690,7 +8971,7 @@ index 64ff4d7..8a9355a 100644
  ##########################################
  ## <summary>
  ## 	Manage generic directories in /etc
-@@ -2698,6 +2931,7 @@ interface(`files_read_etc_files',`
+@@ -2698,6 +3045,7 @@ interface(`files_read_etc_files',`
  	allow $1 etc_t:dir list_dir_perms;
  	read_files_pattern($1, etc_t, etc_t)
  	read_lnk_files_pattern($1, etc_t, etc_t)
@@ -8698,7 +8979,7 @@ index 64ff4d7..8a9355a 100644
  ')
  
  ########################################
-@@ -2706,7 +2940,7 @@ interface(`files_read_etc_files',`
+@@ -2706,7 +3054,7 @@ interface(`files_read_etc_files',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -8707,145 +8988,58 @@ index 64ff4d7..8a9355a 100644
  ##	</summary>
  ## </param>
  #
-@@ -2762,25 +2996,26 @@ interface(`files_manage_etc_files',`
+@@ -2762,6 +3110,25 @@ interface(`files_manage_etc_files',`
  
  ########################################
  ## <summary>
--##	Delete system configuration files in /etc.
 +##	Do not audit attempts to check the 
 +##	access on etc files
- ## </summary>
- ## <param name="domain">
- ##	<summary>
--##	Domain allowed access.
++## </summary>
++## <param name="domain">
++##	<summary>
 +##	Domain to not audit.
- ##	</summary>
- ## </param>
- #
--interface(`files_delete_etc_files',`
++##	</summary>
++## </param>
++#
 +interface(`files_dontaudit_access_check_etc',`
- 	gen_require(`
- 		type etc_t;
- 	')
- 
--	delete_files_pattern($1, etc_t, etc_t)
++	gen_require(`
++		type etc_t;
++	')
++
 +	dontaudit $1 etc_t:dir_file_class_set audit_access;
- ')
++')
++
++########################################
++## <summary>
+ ##	Delete system configuration files in /etc.
+ ## </summary>
+ ## <param name="domain">
+@@ -2780,6 +3147,24 @@ interface(`files_delete_etc_files',`
  
  ########################################
  ## <summary>
--##	Execute generic files in /etc.
-+##	Delete system configuration files in /etc.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -2788,19 +3023,17 @@ interface(`files_delete_etc_files',`
- ##	</summary>
- ## </param>
- #
--interface(`files_exec_etc_files',`
-+interface(`files_delete_etc_files',`
- 	gen_require(`
- 		type etc_t;
- 	')
- 
--	allow $1 etc_t:dir list_dir_perms;
--	read_lnk_files_pattern($1, etc_t, etc_t)
--	exec_files_pattern($1, etc_t, etc_t)
-+	delete_files_pattern($1, etc_t, etc_t)
- ')
- 
--#######################################
-+########################################
- ## <summary>
--##	Relabel from and to generic files in /etc.
 +##	Remove entries from the etc directory.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -2808,18 +3041,17 @@ interface(`files_exec_etc_files',`
- ##	</summary>
- ## </param>
- #
--interface(`files_relabel_etc_files',`
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
 +interface(`files_delete_etc_dir_entry',`
- 	gen_require(`
- 		type etc_t;
- 	')
- 
--	allow $1 etc_t:dir list_dir_perms;
--	relabel_files_pattern($1, etc_t, etc_t)
++	gen_require(`
++		type etc_t;
++	')
++
 +	allow $1 etc_t:dir del_entry_dir_perms;
- ')
- 
- ########################################
- ## <summary>
--##	Read symbolic links in /etc.
-+##	Execute generic files in /etc.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -2827,17 +3059,56 @@ interface(`files_relabel_etc_files',`
- ##	</summary>
- ## </param>
- #
--interface(`files_read_etc_symlinks',`
-+interface(`files_exec_etc_files',`
- 	gen_require(`
- 		type etc_t;
- 	')
- 
-+	allow $1 etc_t:dir list_dir_perms;
- 	read_lnk_files_pattern($1, etc_t, etc_t)
-+	exec_files_pattern($1, etc_t, etc_t)
- ')
- 
--########################################
-+#######################################
- ## <summary>
--##	Create, read, write, and delete symbolic links in /etc.
-+##	Relabel from and to generic files in /etc.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`files_relabel_etc_files',`
-+	gen_require(`
-+		type etc_t;
-+	')
-+
-+	allow $1 etc_t:dir list_dir_perms;
-+	relabel_files_pattern($1, etc_t, etc_t)
 +')
 +
 +########################################
 +## <summary>
-+##	Read symbolic links in /etc.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`files_read_etc_symlinks',`
-+	gen_require(`
-+		type etc_t;
-+	')
-+
-+	read_lnk_files_pattern($1, etc_t, etc_t)
-+')
-+
-+########################################
-+## <summary>
-+##	Create, read, write, and delete symbolic links in /etc.
+ ##	Execute generic files in /etc.
  ## </summary>
  ## <param name="domain">
- ##	<summary>
-@@ -2945,24 +3216,6 @@ interface(`files_delete_boot_flag',`
+@@ -2945,24 +3330,6 @@ interface(`files_delete_boot_flag',`
  
  ########################################
  ## <summary>
@@ -8870,7 +9064,7 @@ index 64ff4d7..8a9355a 100644
  ##	Read files in /etc that are dynamically
  ##	created on boot, such as mtab.
  ## </summary>
-@@ -3003,9 +3256,7 @@ interface(`files_read_etc_runtime_files',`
+@@ -3003,9 +3370,7 @@ interface(`files_read_etc_runtime_files',`
  
  ########################################
  ## <summary>
@@ -8881,7 +9075,7 @@ index 64ff4d7..8a9355a 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3013,18 +3264,17 @@ interface(`files_read_etc_runtime_files',`
+@@ -3013,18 +3378,17 @@ interface(`files_read_etc_runtime_files',`
  ##	</summary>
  ## </param>
  #
@@ -8903,7 +9097,7 @@ index 64ff4d7..8a9355a 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3042,6 +3292,26 @@ interface(`files_dontaudit_write_etc_runtime_files',`
+@@ -3042,6 +3406,26 @@ interface(`files_dontaudit_write_etc_runtime_files',`
  
  ########################################
  ## <summary>
@@ -8930,7 +9124,7 @@ index 64ff4d7..8a9355a 100644
  ##	Read and write files in /etc that are dynamically
  ##	created on boot, such as mtab.
  ## </summary>
-@@ -3059,6 +3329,7 @@ interface(`files_rw_etc_runtime_files',`
+@@ -3059,6 +3443,7 @@ interface(`files_rw_etc_runtime_files',`
  
  	allow $1 etc_t:dir list_dir_perms;
  	rw_files_pattern($1, etc_t, etc_runtime_t)
@@ -8938,7 +9132,7 @@ index 64ff4d7..8a9355a 100644
  ')
  
  ########################################
-@@ -3080,6 +3351,7 @@ interface(`files_manage_etc_runtime_files',`
+@@ -3080,6 +3465,7 @@ interface(`files_manage_etc_runtime_files',`
  	')
  
  	manage_files_pattern($1, { etc_t etc_runtime_t }, etc_runtime_t)
@@ -8946,7 +9140,7 @@ index 64ff4d7..8a9355a 100644
  ')
  
  ########################################
-@@ -3132,6 +3404,25 @@ interface(`files_getattr_isid_type_dirs',`
+@@ -3132,6 +3518,25 @@ interface(`files_getattr_isid_type_dirs',`
  
  ########################################
  ## <summary>
@@ -8972,7 +9166,7 @@ index 64ff4d7..8a9355a 100644
  ##	Do not audit attempts to search directories on new filesystems
  ##	that have not yet been labeled.
  ## </summary>
-@@ -3208,6 +3499,25 @@ interface(`files_delete_isid_type_dirs',`
+@@ -3208,6 +3613,25 @@ interface(`files_delete_isid_type_dirs',`
  
  ########################################
  ## <summary>
@@ -8998,7 +9192,7 @@ index 64ff4d7..8a9355a 100644
  ##	Create, read, write, and delete directories
  ##	on new filesystems that have not yet been labeled.
  ## </summary>
-@@ -3455,6 +3765,25 @@ interface(`files_rw_isid_type_blk_files',`
+@@ -3455,6 +3879,25 @@ interface(`files_rw_isid_type_blk_files',`
  
  ########################################
  ## <summary>
@@ -9024,7 +9218,7 @@ index 64ff4d7..8a9355a 100644
  ##	Create, read, write, and delete block device nodes
  ##	on new filesystems that have not yet been labeled.
  ## </summary>
-@@ -3796,20 +4125,38 @@ interface(`files_list_mnt',`
+@@ -3796,20 +4239,38 @@ interface(`files_list_mnt',`
  
  ######################################
  ## <summary>
@@ -9068,64 +9262,98 @@ index 64ff4d7..8a9355a 100644
  ')
  
  ########################################
-@@ -4199,6 +4546,133 @@ interface(`files_read_world_readable_sockets',`
+@@ -4199,156 +4660,176 @@ interface(`files_read_world_readable_sockets',`
  	allow $1 readable_t:sock_file read_sock_file_perms;
  ')
  
+-########################################
 +#######################################
-+## <summary>
+ ## <summary>
+-##	Allow the specified type to associate
+-##	to a filesystem with the type of the
+-##	temporary directory (/tmp).
 +##  Read manageable system configuration files in /etc
-+## </summary>
+ ## </summary>
+-## <param name="file_type">
+-##	<summary>
+-##	Type of the file to associate.
+-##	</summary>
 +## <param name="domain">
 +##  <summary>
 +##  Domain allowed access.
 +##  </summary>
-+## </param>
-+#
+ ## </param>
+ #
+-interface(`files_associate_tmp',`
+-	gen_require(`
+-		type tmp_t;
+-	')
 +interface(`files_read_system_conf_files',`
 +    gen_require(`
 +        type etc_t, system_conf_t;
 +    ')
-+
+ 
+-	allow $1 tmp_t:filesystem associate;
 +    allow $1 etc_t:dir list_dir_perms;
 +    read_files_pattern($1, etc_t, system_conf_t)
 +    read_lnk_files_pattern($1, etc_t, system_conf_t)
-+')
-+
+ ')
+ 
+-########################################
 +######################################
-+## <summary>
+ ## <summary>
+-##	Get the	attributes of the tmp directory (/tmp).
 +##  Manage manageable system configuration files in /etc.
-+## </summary>
-+## <param name="domain">
+ ## </summary>
+ ## <param name="domain">
+-##	<summary>
+-##	Domain allowed access.
+-##	</summary>
 +##  <summary>
 +##  Domain allowed access.
 +##  </summary>
-+## </param>
-+#
+ ## </param>
+ #
+-interface(`files_getattr_tmp_dirs',`
+-	gen_require(`
+-		type tmp_t;
+-	')
 +interface(`files_manage_system_conf_files',`
 +    gen_require(`
 +        type etc_t, system_conf_t;
 +    ')
-+
+ 
+-	allow $1 tmp_t:dir getattr;
 +    manage_files_pattern($1, { etc_t system_conf_t }, system_conf_t)
 +    files_filetrans_system_conf_named_files($1)
-+')
-+
+ ')
+ 
+-########################################
 +#####################################
-+## <summary>
+ ## <summary>
+-##	Do not audit attempts to get the
+-##	attributes of the tmp directory (/tmp).
 +##  File name transition for system configuration files in /etc.
-+## </summary>
-+## <param name="domain">
+ ## </summary>
+ ## <param name="domain">
+-##	<summary>
+-##	Domain allowed access.
+-##	</summary>
 +##  <summary>
 +##  Domain allowed access.
 +##  </summary>
-+## </param>
-+#
+ ## </param>
+ #
+-interface(`files_dontaudit_getattr_tmp_dirs',`
+-	gen_require(`
+-		type tmp_t;
+-	')
 +interface(`files_filetrans_system_conf_named_files',`
 +    gen_require(`
 +        type etc_t, system_conf_t;
 +    ')
-+
+ 
+-	dontaudit $1 tmp_t:dir getattr;
 +	filetrans_pattern($1, etc_t, system_conf_t, file, "sysctl.conf")
 +	filetrans_pattern($1, etc_t, system_conf_t, file, "sysctl.conf.old")
 +	filetrans_pattern($1, etc_t, system_conf_t, file, "ebtables")
@@ -9142,124 +9370,171 @@ index 64ff4d7..8a9355a 100644
 +	filetrans_pattern($1, etc_t, system_conf_t, file, "ip6tables-config.old")
 +	filetrans_pattern($1, etc_t, system_conf_t, file, "system-config-firewall")
 +	filetrans_pattern($1, etc_t, system_conf_t, file, "system-config-firewall.old")
-+')
-+
+ ')
+ 
+-########################################
 +######################################
-+## <summary>
+ ## <summary>
+-##	Search the tmp directory (/tmp).
 +##  Relabel manageable system configuration files in /etc.
-+## </summary>
-+## <param name="domain">
+ ## </summary>
+ ## <param name="domain">
+-##	<summary>
+-##	Domain allowed access.
+-##	</summary>
 +##  <summary>
 +##  Domain allowed access.
 +##  </summary>
-+## </param>
-+#
+ ## </param>
+ #
+-interface(`files_search_tmp',`
+-	gen_require(`
+-		type tmp_t;
+-	')
 +interface(`files_relabelto_system_conf_files',`
 +    gen_require(`
 +        type usr_t;
 +    ')
-+
+ 
+-	allow $1 tmp_t:dir search_dir_perms;
 +    relabelto_files_pattern($1, system_conf_t, system_conf_t)
-+')
-+
+ ')
+ 
+-########################################
 +######################################
-+## <summary>
+ ## <summary>
+-##	Do not audit attempts to search the tmp directory (/tmp).
 +##  Relabel manageable system configuration files in /etc.
-+## </summary>
-+## <param name="domain">
+ ## </summary>
+ ## <param name="domain">
+-##	<summary>
+-##	Domain to not audit.
+-##	</summary>
 +##  <summary>
 +##  Domain allowed access.
 +##  </summary>
-+## </param>
-+#
+ ## </param>
+ #
+-interface(`files_dontaudit_search_tmp',`
+-	gen_require(`
+-		type tmp_t;
+-	')
 +interface(`files_relabelfrom_system_conf_files',`
 +    gen_require(`
 +        type usr_t;
 +    ')
-+
+ 
+-	dontaudit $1 tmp_t:dir search_dir_perms;
 +    relabelfrom_files_pattern($1, system_conf_t, system_conf_t)
-+')
-+
+ ')
+ 
+-########################################
 +###################################
-+## <summary>
+ ## <summary>
+-##	Read the tmp directory (/tmp).
 +##  Create files in /etc with the type used for
 +##  the manageable system config files.
-+## </summary>
-+## <param name="domain">
+ ## </summary>
+ ## <param name="domain">
+-##	<summary>
+-##	Domain allowed access.
+-##	</summary>
 +##  <summary>
 +##  The type of the process performing this action.
 +##  </summary>
-+## </param>
-+#
+ ## </param>
+ #
+-interface(`files_list_tmp',`
+-	gen_require(`
+-		type tmp_t;
+-	')
 +interface(`files_etc_filetrans_system_conf',`
 +    gen_require(`
 +        type etc_t, system_conf_t;
 +    ')
-+
+ 
+-	allow $1 tmp_t:dir list_dir_perms;
 +    filetrans_pattern($1, etc_t, system_conf_t, file)
-+')
-+
- ########################################
- ## <summary>
- ##	Allow the specified type to associate
-@@ -4221,6 +4695,26 @@ interface(`files_associate_tmp',`
- 
- ########################################
- ## <summary>
-+##	Allow the specified type to associate
-+##	to a filesystem with the type of the
-+##	/ file system
-+## </summary>
-+## <param name="file_type">
-+##	<summary>
-+##	Type of the file to associate.
-+##	</summary>
-+## </param>
-+#
-+interface(`files_associate_rootfs',`
-+	gen_require(`
-+		type root_t;
-+	')
-+
-+	allow $1 root_t:filesystem associate;
-+')
-+
-+########################################
-+## <summary>
- ##	Get the	attributes of the tmp directory (/tmp).
- ## </summary>
- ## <param name="domain">
-@@ -4234,17 +4728,37 @@ interface(`files_getattr_tmp_dirs',`
- 		type tmp_t;
- 	')
- 
-+	read_lnk_files_pattern($1, tmp_t, tmp_t)
- 	allow $1 tmp_t:dir getattr;
  ')
  
  ########################################
  ## <summary>
+-##	Do not audit listing of the tmp directory (/tmp).
++##	Allow the specified type to associate
++##	to a filesystem with the type of the
++##	temporary directory (/tmp).
+ ## </summary>
+-## <param name="domain">
++## <param name="file_type">
+ ##	<summary>
+-##	Domain not to audit.
++##	Type of the file to associate.
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_dontaudit_list_tmp',`
++interface(`files_associate_tmp',`
+ 	gen_require(`
+ 		type tmp_t;
+ 	')
+ 
+-	dontaudit $1 tmp_t:dir list_dir_perms;
++	allow $1 tmp_t:filesystem associate;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Remove entries from the tmp directory.
++##	Allow the specified type to associate
++##	to a filesystem with the type of the
++##	/ file system
+ ## </summary>
+-## <param name="domain">
++## <param name="file_type">
+ ##	<summary>
+-##	Domain allowed access.
++##	Type of the file to associate.
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_delete_tmp_dir_entry',`
++interface(`files_associate_rootfs',`
+ 	gen_require(`
+-		type tmp_t;
++		type root_t;
+ 	')
+ 
+-	allow $1 tmp_t:dir del_entry_dir_perms;
++	allow $1 root_t:filesystem associate;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Read files in the tmp directory (/tmp).
++##	Get the	attributes of the tmp directory (/tmp).
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -4356,53 +4837,56 @@ interface(`files_delete_tmp_dir_entry',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_read_generic_tmp_files',`
++interface(`files_getattr_tmp_dirs',`
+ 	gen_require(`
+ 		type tmp_t;
+ 	')
+ 
+-	read_files_pattern($1, tmp_t, tmp_t)
++	read_lnk_files_pattern($1, tmp_t, tmp_t)
++	allow $1 tmp_t:dir getattr;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Manage temporary directories in /tmp.
 +##	Do not audit attempts to check the 
 +##	access on tmp files
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain to not audit.
-+##	</summary>
-+## </param>
-+#
-+interface(`files_dontaudit_access_check_tmp',`
-+	gen_require(`
-+		type etc_t;
-+	')
-+
-+	dontaudit $1 tmp_t:dir_file_class_set audit_access;
-+')
-+
-+########################################
-+## <summary>
- ##	Do not audit attempts to get the
- ##	attributes of the tmp directory (/tmp).
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -9268,77 +9543,242 @@ index 64ff4d7..8a9355a 100644
  ##	</summary>
  ## </param>
  #
-@@ -4271,6 +4785,7 @@ interface(`files_search_tmp',`
- 		type tmp_t;
+-interface(`files_manage_generic_tmp_dirs',`
++interface(`files_dontaudit_access_check_tmp',`
+ 	gen_require(`
+-		type tmp_t;
++		type etc_t;
  	')
  
-+	read_lnk_files_pattern($1, tmp_t, tmp_t)
- 	allow $1 tmp_t:dir search_dir_perms;
+-	manage_dirs_pattern($1, tmp_t, tmp_t)
++	dontaudit $1 tmp_t:dir_file_class_set audit_access;
  ')
  
-@@ -4307,6 +4822,7 @@ interface(`files_list_tmp',`
- 		type tmp_t;
- 	')
- 
-+	read_lnk_files_pattern($1, tmp_t, tmp_t)
- 	allow $1 tmp_t:dir list_dir_perms;
- ')
- 
-@@ -4316,7 +4832,7 @@ interface(`files_list_tmp',`
- ## </summary>
- ## <param name="domain">
- ##	<summary>
--##	Domain not to audit.
-+##	Domain to not audit.
- ##	</summary>
- ## </param>
- #
-@@ -4328,6 +4844,25 @@ interface(`files_dontaudit_list_tmp',`
- 	dontaudit $1 tmp_t:dir list_dir_perms;
- ')
- 
-+#######################################
-+## <summary>
-+##  Allow read and write to the tmp directory (/tmp).
-+## </summary>
-+## <param name="domain">
-+##  <summary>
-+##  Domain not to audit.
-+##  </summary>
-+## </param>
-+#
-+interface(`files_rw_generic_tmp_dir',`
-+    gen_require(`
-+        type tmp_t;
-+    ')
-+
-+    files_search_tmp($1)
-+    allow $1 tmp_t:dir rw_dir_perms;
-+')
-+
- ########################################
- ## <summary>
- ##	Remove entries from the tmp directory.
-@@ -4343,6 +4878,7 @@ interface(`files_delete_tmp_dir_entry',`
- 		type tmp_t;
- 	')
- 
-+	files_search_tmp($1)
- 	allow $1 tmp_t:dir del_entry_dir_perms;
- ')
- 
-@@ -4384,13 +4920,39 @@ interface(`files_manage_generic_tmp_dirs',`
- 
  ########################################
  ## <summary>
 -##	Manage temporary files and directories in /tmp.
-+##	Allow shared library text relocations in tmp files.
++##	Do not audit attempts to get the
++##	attributes of the tmp directory (/tmp).
  ## </summary>
--## <param name="domain">
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain allowed access.
++##	Domain to not audit.
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_manage_generic_tmp_files',`
++interface(`files_dontaudit_getattr_tmp_dirs',`
+ 	gen_require(`
+ 		type tmp_t;
+ 	')
+ 
+-	manage_files_pattern($1, tmp_t, tmp_t)
++	dontaudit $1 tmp_t:dir getattr;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Read symbolic links in the tmp directory (/tmp).
++##	Search the tmp directory (/tmp).
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -4410,35 +4894,36 @@ interface(`files_manage_generic_tmp_files',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_read_generic_tmp_symlinks',`
++interface(`files_search_tmp',`
+ 	gen_require(`
+ 		type tmp_t;
+ 	')
+ 
+ 	read_lnk_files_pattern($1, tmp_t, tmp_t)
++	allow $1 tmp_t:dir search_dir_perms;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Read and write generic named sockets in the tmp directory (/tmp).
++##	Do not audit attempts to search the tmp directory (/tmp).
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain allowed access.
++##	Domain to not audit.
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_rw_generic_tmp_sockets',`
++interface(`files_dontaudit_search_tmp',`
+ 	gen_require(`
+ 		type tmp_t;
+ 	')
+ 
+-	rw_sock_files_pattern($1, tmp_t, tmp_t)
++	dontaudit $1 tmp_t:dir search_dir_perms;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Set the attributes of all tmp directories.
++##	Read the tmp directory (/tmp).
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -4446,77 +4931,74 @@ interface(`files_rw_generic_tmp_sockets',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_setattr_all_tmp_dirs',`
++interface(`files_list_tmp',`
+ 	gen_require(`
+-		attribute tmpfile;
++		type tmp_t;
+ 	')
+ 
+-	allow $1 tmpfile:dir { search_dir_perms setattr };
++	read_lnk_files_pattern($1, tmp_t, tmp_t)
++	allow $1 tmp_t:dir list_dir_perms;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	List all tmp directories.
++##	Do not audit listing of the tmp directory (/tmp).
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain allowed access.
++##	Domain to not audit.
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_list_all_tmp',`
++interface(`files_dontaudit_list_tmp',`
+ 	gen_require(`
+-		attribute tmpfile;
++		type tmp_t;
+ 	')
+ 
+-	allow $1 tmpfile:dir list_dir_perms;
++	dontaudit $1 tmp_t:dir list_dir_perms;
+ ')
+ 
+-########################################
++#######################################
+ ## <summary>
+-##	Relabel to and from all temporary
+-##	directory types.
++##  Allow read and write to the tmp directory (/tmp).
+ ## </summary>
+ ## <param name="domain">
 -##	<summary>
 -##	Domain allowed access.
 -##	</summary>
--## </param>
++##  <summary>
++##  Domain not to audit.
++##  </summary>
+ ## </param>
+-## <rolecap/>
+ #
+-interface(`files_relabel_all_tmp_dirs',`
+-	gen_require(`
+-		attribute tmpfile;
+-		type var_t;
+-	')
++interface(`files_rw_generic_tmp_dir',`
++    gen_require(`
++        type tmp_t;
++    ')
+ 
+-	allow $1 var_t:dir search_dir_perms;
+-	relabel_dirs_pattern($1, tmpfile, tmpfile)
++    files_search_tmp($1)
++    allow $1 tmp_t:dir rw_dir_perms;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Do not audit attempts to get the attributes
+-##	of all tmp files.
++##	Remove entries from the tmp directory.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain not to audit.
++##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_dontaudit_getattr_all_tmp_files',`
++interface(`files_delete_tmp_dir_entry',`
+ 	gen_require(`
+-		attribute tmpfile;
++		type tmp_t;
+ 	')
+ 
+-	dontaudit $1 tmpfile:file getattr;
++	files_search_tmp($1)
++	allow $1 tmp_t:dir del_entry_dir_perms;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Allow attempts to get the attributes
+-##	of all tmp files.
++##	Read files in the tmp directory (/tmp).
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -4524,58 +5006,61 @@ interface(`files_dontaudit_getattr_all_tmp_files',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_getattr_all_tmp_files',`
++interface(`files_read_generic_tmp_files',`
+ 	gen_require(`
+-		attribute tmpfile;
++		type tmp_t;
+ 	')
+ 
+-	allow $1 tmpfile:file getattr;
++	read_files_pattern($1, tmp_t, tmp_t)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Relabel to and from all temporary
+-##	file types.
++##	Manage temporary directories in /tmp.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+-## <rolecap/>
+ #
+-interface(`files_relabel_all_tmp_files',`
++interface(`files_manage_generic_tmp_dirs',`
+ 	gen_require(`
+-		attribute tmpfile;
+-		type var_t;
++		type tmp_t;
+ 	')
+ 
+-	allow $1 var_t:dir search_dir_perms;
+-	relabel_files_pattern($1, tmpfile, tmpfile)
++	manage_dirs_pattern($1, tmp_t, tmp_t)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Do not audit attempts to get the attributes
+-##	of all tmp sock_file.
++##	Allow shared library text relocations in tmp files.
+ ## </summary>
 +## <desc>
 +##	<p>
 +##	Allow shared library text relocations in tmp files.
@@ -9347,203 +9787,566 @@ index 64ff4d7..8a9355a 100644
 +##	This is added to support java policy.
 +##	</p>
 +## </desc>
-+## <param name="domain">
-+##	<summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain not to audit.
 +##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_dontaudit_getattr_all_tmp_sockets',`
 +interface(`files_execmod_tmp',`
-+	gen_require(`
-+		attribute tmpfile;
-+	')
-+
-+	allow $1 tmpfile:file execmod;
-+')
-+
-+########################################
-+## <summary>
-+##	Manage temporary files and directories in /tmp.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
- #
- interface(`files_manage_generic_tmp_files',`
  	gen_require(`
-@@ -4438,6 +5000,42 @@ interface(`files_rw_generic_tmp_sockets',`
+ 		attribute tmpfile;
+ 	')
+ 
+-	dontaudit $1 tmpfile:sock_file getattr;
++	allow $1 tmpfile:file execmod;
+ ')
  
  ########################################
  ## <summary>
+-##	Read all tmp files.
++##	Manage temporary files and directories in /tmp.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -4583,51 +5068,35 @@ interface(`files_dontaudit_getattr_all_tmp_sockets',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_read_all_tmp_files',`
++interface(`files_manage_generic_tmp_files',`
+ 	gen_require(`
+-		attribute tmpfile;
++		type tmp_t;
+ 	')
+ 
+-	read_files_pattern($1, tmpfile, tmpfile)
++	manage_files_pattern($1, tmp_t, tmp_t)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Create an object in the tmp directories, with a private
+-##	type using a type transition.
++##	Read symbolic links in the tmp directory (/tmp).
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+-## <param name="private type">
+-##	<summary>
+-##	The type of the object to be created.
+-##	</summary>
+-## </param>
+-## <param name="object">
+-##	<summary>
+-##	The object class of the object being created.
+-##	</summary>
+-## </param>
+-## <param name="name" optional="true">
+-##	<summary>
+-##	The name of the object being created.
+-##	</summary>
+-## </param>
+ #
+-interface(`files_tmp_filetrans',`
++interface(`files_read_generic_tmp_symlinks',`
+ 	gen_require(`
+ 		type tmp_t;
+ 	')
+ 
+-	filetrans_pattern($1, tmp_t, $2, $3, $4)
++	read_lnk_files_pattern($1, tmp_t, tmp_t)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Delete the contents of /tmp.
++##	Read and write generic named sockets in the tmp directory (/tmp).
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -4635,22 +5104,17 @@ interface(`files_tmp_filetrans',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_purge_tmp',`
++interface(`files_rw_generic_tmp_sockets',`
+ 	gen_require(`
+-		attribute tmpfile;
++		type tmp_t;
+ 	')
+ 
+-	allow $1 tmpfile:dir list_dir_perms;
+-	delete_dirs_pattern($1, tmpfile, tmpfile)
+-	delete_files_pattern($1, tmpfile, tmpfile)
+-	delete_lnk_files_pattern($1, tmpfile, tmpfile)
+-	delete_fifo_files_pattern($1, tmpfile, tmpfile)
+-	delete_sock_files_pattern($1, tmpfile, tmpfile)
++	rw_sock_files_pattern($1, tmp_t, tmp_t)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Set the attributes of the /usr directory.
 +##	Relabel a dir from the type used in /tmp.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -4658,17 +5122,17 @@ interface(`files_purge_tmp',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_setattr_usr_dirs',`
 +interface(`files_relabelfrom_tmp_dirs',`
-+	gen_require(`
+ 	gen_require(`
+-		type usr_t;
 +		type tmp_t;
-+	')
-+
+ 	')
+ 
+-	allow $1 usr_t:dir setattr;
 +	relabelfrom_dirs_pattern($1, tmp_t, tmp_t)
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Search the content of /usr.
 +##	Relabel a file from the type used in /tmp.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -4676,18 +5140,17 @@ interface(`files_setattr_usr_dirs',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_search_usr',`
 +interface(`files_relabelfrom_tmp_files',`
-+	gen_require(`
+ 	gen_require(`
+-		type usr_t;
 +		type tmp_t;
-+	')
-+
+ 	')
+ 
+-	allow $1 usr_t:dir search_dir_perms;
 +	relabelfrom_files_pattern($1, tmp_t, tmp_t)
-+')
-+
-+########################################
-+## <summary>
- ##	Set the attributes of all tmp directories.
- ## </summary>
- ## <param name="domain">
-@@ -4456,6 +5054,60 @@ interface(`files_setattr_all_tmp_dirs',`
+ ')
  
  ########################################
  ## <summary>
+-##	List the contents of generic
+-##	directories in /usr.
++##	Set the attributes of all tmp directories.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -4695,35 +5158,35 @@ interface(`files_search_usr',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_list_usr',`
++interface(`files_setattr_all_tmp_dirs',`
+ 	gen_require(`
+-		type usr_t;
++		attribute tmpfile;
+ 	')
+ 
+-	allow $1 usr_t:dir list_dir_perms;
++	allow $1 tmpfile:dir { search_dir_perms setattr };
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Do not audit write of /usr dirs
 +##	Allow caller to read inherited tmp files.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain to not audit.
 +##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_dontaudit_write_usr_dirs',`
 +interface(`files_read_inherited_tmp_files',`
-+	gen_require(`
+ 	gen_require(`
+-		type usr_t;
 +		attribute tmpfile;
-+	')
-+
+ 	')
+ 
+-	dontaudit $1 usr_t:dir write;
 +	allow $1 tmpfile:file { append read_inherited_file_perms };
-+')
-+
-+########################################
-+## <summary>
-+##	Allow caller to append inherited tmp files.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`files_append_inherited_tmp_files',`
-+	gen_require(`
-+		attribute tmpfile;
-+	')
-+
-+	allow $1 tmpfile:file append_inherited_file_perms;
-+')
-+
-+########################################
-+## <summary>
-+##	Allow caller to read and write inherited tmp files.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`files_rw_inherited_tmp_file',`
-+	gen_require(`
-+		attribute tmpfile;
-+	')
-+
-+	allow $1 tmpfile:file rw_inherited_file_perms;
-+')
-+
-+########################################
-+## <summary>
- ##	List all tmp directories.
- ## </summary>
- ## <param name="domain">
-@@ -4501,7 +5153,7 @@ interface(`files_relabel_all_tmp_dirs',`
- ## </summary>
- ## <param name="domain">
- ##	<summary>
--##	Domain not to audit.
-+##	Domain to not audit.
- ##	</summary>
- ## </param>
- #
-@@ -4561,7 +5213,7 @@ interface(`files_relabel_all_tmp_files',`
- ## </summary>
- ## <param name="domain">
- ##	<summary>
--##	Domain not to audit.
-+##	Domain to not audit.
- ##	</summary>
- ## </param>
- #
-@@ -4593,6 +5245,44 @@ interface(`files_read_all_tmp_files',`
+ ')
  
  ########################################
  ## <summary>
+-##	Add and remove entries from /usr directories.
++##	Allow caller to append inherited tmp files.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -4731,36 +5194,35 @@ interface(`files_dontaudit_write_usr_dirs',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_rw_usr_dirs',`
++interface(`files_append_inherited_tmp_files',`
+ 	gen_require(`
+-		type usr_t;
++		attribute tmpfile;
+ 	')
+ 
+-	allow $1 usr_t:dir rw_dir_perms;
++	allow $1 tmpfile:file append_inherited_file_perms;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Do not audit attempts to add and remove
+-##	entries from /usr directories.
++##	Allow caller to read and write inherited tmp files.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain to not audit.
++##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_dontaudit_rw_usr_dirs',`
++interface(`files_rw_inherited_tmp_file',`
+ 	gen_require(`
+-		type usr_t;
++		attribute tmpfile;
+ 	')
+ 
+-	dontaudit $1 usr_t:dir rw_dir_perms;
++	allow $1 tmpfile:file rw_inherited_file_perms;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Delete generic directories in /usr in the caller domain.
++##	List all tmp directories.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -4768,111 +5230,100 @@ interface(`files_dontaudit_rw_usr_dirs',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_delete_usr_dirs',`
++interface(`files_list_all_tmp',`
+ 	gen_require(`
+-		type usr_t;
++		attribute tmpfile;
+ 	')
+ 
+-	delete_dirs_pattern($1, usr_t, usr_t)
++	allow $1 tmpfile:dir list_dir_perms;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Delete generic files in /usr in the caller domain.
++##	Relabel to and from all temporary
++##	directory types.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
++## <rolecap/>
+ #
+-interface(`files_delete_usr_files',`
++interface(`files_relabel_all_tmp_dirs',`
+ 	gen_require(`
+-		type usr_t;
++		attribute tmpfile;
++		type var_t;
+ 	')
+ 
+-	delete_files_pattern($1, usr_t, usr_t)
++	allow $1 var_t:dir search_dir_perms;
++	relabel_dirs_pattern($1, tmpfile, tmpfile)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Get the attributes of files in /usr.
++##	Do not audit attempts to get the attributes
++##	of all tmp files.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain allowed access.
++##	Domain to not audit.
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_getattr_usr_files',`
++interface(`files_dontaudit_getattr_all_tmp_files',`
+ 	gen_require(`
+-		type usr_t;
++		attribute tmpfile;
+ 	')
+ 
+-	getattr_files_pattern($1, usr_t, usr_t)
++	dontaudit $1 tmpfile:file getattr;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Read generic files in /usr.
++##	Allow attempts to get the attributes
++##	of all tmp files.
+ ## </summary>
+-## <desc>
+-##	<p>
+-##	Allow the specified domain to read generic
+-##	files in /usr. These files are various program
+-##	files that do not have more specific SELinux types.
+-##	Some examples of these files are:
+-##	</p>
+-##	<ul>
+-##		<li>/usr/include/*</li>
+-##		<li>/usr/share/doc/*</li>
+-##		<li>/usr/share/info/*</li>
+-##	</ul>
+-##	<p>
+-##	Generally, it is safe for many domains to have
+-##	this access.
+-##	</p>
+-## </desc>
+ ## <param name="domain">
+ ##	<summary>
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+-## <infoflow type="read" weight="10"/>
+ #
+-interface(`files_read_usr_files',`
++interface(`files_getattr_all_tmp_files',`
+ 	gen_require(`
+-		type usr_t;
++		attribute tmpfile;
+ 	')
+ 
+-	allow $1 usr_t:dir list_dir_perms;
+-	read_files_pattern($1, usr_t, usr_t)
+-	read_lnk_files_pattern($1, usr_t, usr_t)
++	allow $1 tmpfile:file getattr;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Execute generic programs in /usr in the caller domain.
++##	Relabel to and from all temporary
++##	file types.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
++## <rolecap/>
+ #
+-interface(`files_exec_usr_files',`
++interface(`files_relabel_all_tmp_files',`
+ 	gen_require(`
+-		type usr_t;
++		attribute tmpfile;
++		type var_t;
+ 	')
+ 
+-	allow $1 usr_t:dir list_dir_perms;
+-	exec_files_pattern($1, usr_t, usr_t)
+-	read_lnk_files_pattern($1, usr_t, usr_t)
++	allow $1 var_t:dir search_dir_perms;
++	relabel_files_pattern($1, tmpfile, tmpfile)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	dontaudit write of /usr files
++##	Do not audit attempts to get the attributes
++##	of all tmp sock_file.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -4880,35 +5331,17 @@ interface(`files_exec_usr_files',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_dontaudit_write_usr_files',`
+-	gen_require(`
+-		type usr_t;
+-	')
+-
+-	dontaudit $1 usr_t:file write;
+-')
+-
+-########################################
+-## <summary>
+-##	Create, read, write, and delete files in the /usr directory.
+-## </summary>
+-## <param name="domain">
+-##	<summary>
+-##	Domain allowed access.
+-##	</summary>
+-## </param>
+-#
+-interface(`files_manage_usr_files',`
++interface(`files_dontaudit_getattr_all_tmp_sockets',`
+ 	gen_require(`
+-		type usr_t;
++		attribute tmpfile;
+ 	')
+ 
+-	manage_files_pattern($1, usr_t, usr_t)
++	dontaudit $1 tmpfile:sock_file getattr;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Relabel a file to the type used in /usr.
++##	Read all tmp files.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -4916,67 +5349,70 @@ interface(`files_manage_usr_files',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_relabelto_usr_files',`
++interface(`files_read_all_tmp_files',`
+ 	gen_require(`
+-		type usr_t;
++		attribute tmpfile;
+ 	')
+ 
+-	relabelto_files_pattern($1, usr_t, usr_t)
++	read_files_pattern($1, tmpfile, tmpfile)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Relabel a file from the type used in /usr.
 +##	Do not audit attempts to read or write
 +##	all leaked tmpfiles files.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain allowed access.
 +##	Domain to not audit.
-+##	</summary>
-+## </param>
-+#
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_relabelfrom_usr_files',`
 +interface(`files_dontaudit_tmp_file_leaks',`
-+	gen_require(`
+ 	gen_require(`
+-		type usr_t;
 +		attribute tmpfile;
-+	')
-+
+ 	')
+ 
+-	relabelfrom_files_pattern($1, usr_t, usr_t)
 +	dontaudit $1 tmpfile:file rw_inherited_file_perms;
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Read symbolic links in /usr.
 +##	Do allow attempts to read or write
 +##	all leaked tmpfiles files.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain to not audit.
-+##	</summary>
-+## </param>
-+#
-+interface(`files_rw_tmp_file_leaks',`
-+	gen_require(`
-+		attribute tmpfile;
-+	')
-+
-+	allow $1 tmpfile:file rw_inherited_file_perms;
-+')
-+
-+########################################
-+## <summary>
- ##	Create an object in the tmp directories, with a private
- ##	type using a type transition.
  ## </summary>
-@@ -4646,6 +5336,16 @@ interface(`files_purge_tmp',`
- 	delete_lnk_files_pattern($1, tmpfile, tmpfile)
- 	delete_fifo_files_pattern($1, tmpfile, tmpfile)
- 	delete_sock_files_pattern($1, tmpfile, tmpfile)
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain allowed access.
++##	Domain to not audit.
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_read_usr_symlinks',`
++interface(`files_rw_tmp_file_leaks',`
+ 	gen_require(`
+-		type usr_t;
++		attribute tmpfile;
+ 	')
+ 
+-	read_lnk_files_pattern($1, usr_t, usr_t)
++	allow $1 tmpfile:file rw_inherited_file_perms;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Create objects in the /usr directory
++##	Create an object in the tmp directories, with a private
++##	type using a type transition.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+-## <param name="file_type">
++## <param name="private type">
+ ##	<summary>
+-##	The type of the object to be created
++##	The type of the object to be created.
+ ##	</summary>
+ ## </param>
+-## <param name="object_class">
++## <param name="object">
+ ##	<summary>
+-##	The object class.
++##	The object class of the object being created.
+ ##	</summary>
+ ## </param>
+ ## <param name="name" optional="true">
+@@ -4985,35 +5421,50 @@ interface(`files_read_usr_symlinks',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_usr_filetrans',`
++interface(`files_tmp_filetrans',`
+ 	gen_require(`
+-		type usr_t;
++		type tmp_t;
+ 	')
+ 
+-	filetrans_pattern($1, usr_t, $2, $3, $4)
++	filetrans_pattern($1, tmp_t, $2, $3, $4)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Do not audit attempts to search /usr/src.
++##	Delete the contents of /tmp.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain to not audit.
++##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_dontaudit_search_src',`
++interface(`files_purge_tmp',`
+ 	gen_require(`
+-		type src_t;
++		attribute tmpfile;
+ 	')
+ 
+-	dontaudit $1 src_t:dir search_dir_perms;
++	allow $1 tmpfile:dir list_dir_perms;
++	delete_dirs_pattern($1, tmpfile, tmpfile)
++	delete_files_pattern($1, tmpfile, tmpfile)
++	delete_lnk_files_pattern($1, tmpfile, tmpfile)
++	delete_fifo_files_pattern($1, tmpfile, tmpfile)
++	delete_sock_files_pattern($1, tmpfile, tmpfile)
 +	delete_chr_files_pattern($1, tmpfile, tmpfile)
 +	delete_blk_files_pattern($1, tmpfile, tmpfile)
 +	files_list_isid_type_dirs($1)
@@ -9557,39 +10360,1160 @@ index 64ff4d7..8a9355a 100644
  ')
  
  ########################################
-@@ -5223,6 +5923,24 @@ interface(`files_list_var',`
+ ## <summary>
+-##	Get the attributes of files in /usr/src.
++##	Set the attributes of the /usr directory.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -5021,20 +5472,17 @@ interface(`files_dontaudit_search_src',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_getattr_usr_src_files',`
++interface(`files_setattr_usr_dirs',`
+ 	gen_require(`
+-		type usr_t, src_t;
++		type usr_t;
+ 	')
+ 
+-	getattr_files_pattern($1, src_t, src_t)
+-
+-	# /usr/src/linux symlink:
+-	read_lnk_files_pattern($1, usr_t, src_t)
++	allow $1 usr_t:dir setattr;
+ ')
  
  ########################################
  ## <summary>
-+##	Do not audit listing of the var directory (/var).
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain to not audit.
-+##	</summary>
-+## </param>
-+#
-+interface(`files_dontaudit_list_var',`
-+	gen_require(`
-+		type var_t;
-+	')
-+
-+	dontaudit $1 var_t:dir list_dir_perms;
-+')
-+
-+########################################
-+## <summary>
- ##	Create, read, write, and delete directories
- ##	in the /var directory.
+-##	Read files in /usr/src.
++##	Search the content of /usr.
  ## </summary>
-@@ -5578,6 +6296,25 @@ interface(`files_read_var_lib_symlinks',`
- 	read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t)
+ ## <param name="domain">
+ ##	<summary>
+@@ -5042,20 +5490,18 @@ interface(`files_getattr_usr_src_files',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_read_usr_src_files',`
++interface(`files_search_usr',`
+ 	gen_require(`
+-		type usr_t, src_t;
++		type usr_t;
+ 	')
+ 
+ 	allow $1 usr_t:dir search_dir_perms;
+-	read_files_pattern($1, { usr_t src_t }, src_t)
+-	read_lnk_files_pattern($1, { usr_t src_t }, src_t)
+-	allow $1 src_t:dir list_dir_perms;
  ')
  
+ ########################################
+ ## <summary>
+-##	Execute programs in /usr/src in the caller domain.
++##	List the contents of generic
++##	directories in /usr.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -5063,38 +5509,35 @@ interface(`files_read_usr_src_files',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_exec_usr_src_files',`
++interface(`files_list_usr',`
+ 	gen_require(`
+-		type usr_t, src_t;
++		type usr_t;
+ 	')
+ 
+-	list_dirs_pattern($1, usr_t, src_t)
+-	exec_files_pattern($1, src_t, src_t)
+-	read_lnk_files_pattern($1, src_t, src_t)
++	allow $1 usr_t:dir list_dir_perms;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Install a system.map into the /boot directory.
++##	Do not audit write of /usr dirs
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain allowed access.
++##	Domain to not audit.
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_create_kernel_symbol_table',`
++interface(`files_dontaudit_write_usr_dirs',`
+ 	gen_require(`
+-		type boot_t, system_map_t;
++		type usr_t;
+ 	')
+ 
+-	allow $1 boot_t:dir { list_dir_perms add_entry_dir_perms };
+-	allow $1 system_map_t:file { create_file_perms rw_file_perms };
++	dontaudit $1 usr_t:dir write;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Read system.map in the /boot directory.
++##	Add and remove entries from /usr directories.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -5102,37 +5545,36 @@ interface(`files_create_kernel_symbol_table',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_read_kernel_symbol_table',`
++interface(`files_rw_usr_dirs',`
+ 	gen_require(`
+-		type boot_t, system_map_t;
++		type usr_t;
+ 	')
+ 
+-	allow $1 boot_t:dir list_dir_perms;
+-	read_files_pattern($1, boot_t, system_map_t)
++	allow $1 usr_t:dir rw_dir_perms;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Delete a system.map in the /boot directory.
++##	Do not audit attempts to add and remove
++##	entries from /usr directories.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain allowed access.
++##	Domain to not audit.
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_delete_kernel_symbol_table',`
++interface(`files_dontaudit_rw_usr_dirs',`
+ 	gen_require(`
+-		type boot_t, system_map_t;
++		type usr_t;
+ 	')
+ 
+-	allow $1 boot_t:dir list_dir_perms;
+-	delete_files_pattern($1, boot_t, system_map_t)
++	dontaudit $1 usr_t:dir rw_dir_perms;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Search the contents of /var.
++##	Delete generic directories in /usr in the caller domain.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -5140,35 +5582,35 @@ interface(`files_delete_kernel_symbol_table',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_search_var',`
++interface(`files_delete_usr_dirs',`
+ 	gen_require(`
+-		type var_t;
++		type usr_t;
+ 	')
+ 
+-	allow $1 var_t:dir search_dir_perms;
++	delete_dirs_pattern($1, usr_t, usr_t)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Do not audit attempts to write to /var.
++##	Delete generic files in /usr in the caller domain.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain to not audit.
++##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_dontaudit_write_var_dirs',`
++interface(`files_delete_usr_files',`
+ 	gen_require(`
+-		type var_t;
++		type usr_t;
+ 	')
+ 
+-	dontaudit $1 var_t:dir write;
++	delete_files_pattern($1, usr_t, usr_t)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Allow attempts to write to /var.dirs
++##	Get the attributes of files in /usr.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -5176,36 +5618,55 @@ interface(`files_dontaudit_write_var_dirs',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_write_var_dirs',`
++interface(`files_getattr_usr_files',`
+ 	gen_require(`
+-		type var_t;
++		type usr_t;
+ 	')
+ 
+-	allow $1 var_t:dir write;
++	getattr_files_pattern($1, usr_t, usr_t)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Do not audit attempts to search
+-##	the contents of /var.
++##	Read generic files in /usr.
+ ## </summary>
++## <desc>
++##	<p>
++##	Allow the specified domain to read generic
++##	files in /usr. These files are various program
++##	files that do not have more specific SELinux types.
++##	Some examples of these files are:
++##	</p>
++##	<ul>
++##		<li>/usr/include/*</li>
++##		<li>/usr/share/doc/*</li>
++##		<li>/usr/share/info/*</li>
++##	</ul>
++##	<p>
++##	Generally, it is safe for many domains to have
++##	this access.
++##	</p>
++## </desc>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain to not audit.
++##	Domain allowed access.
+ ##	</summary>
+ ## </param>
++## <infoflow type="read" weight="10"/>
+ #
+-interface(`files_dontaudit_search_var',`
++interface(`files_read_usr_files',`
+ 	gen_require(`
+-		type var_t;
++		type usr_t;
+ 	')
+ 
+-	dontaudit $1 var_t:dir search_dir_perms;
++	allow $1 usr_t:dir list_dir_perms;
++	read_files_pattern($1, usr_t, usr_t)
++	read_lnk_files_pattern($1, usr_t, usr_t)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	List the contents of /var.
++##	Execute generic programs in /usr in the caller domain.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -5213,36 +5674,37 @@ interface(`files_dontaudit_search_var',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_list_var',`
++interface(`files_exec_usr_files',`
+ 	gen_require(`
+-		type var_t;
++		type usr_t;
+ 	')
+ 
+-	allow $1 var_t:dir list_dir_perms;
++	allow $1 usr_t:dir list_dir_perms;
++	exec_files_pattern($1, usr_t, usr_t)
++	read_lnk_files_pattern($1, usr_t, usr_t)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Create, read, write, and delete directories
+-##	in the /var directory.
++##	dontaudit write of /usr files
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain allowed access.
++##	Domain to not audit.
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_manage_var_dirs',`
++interface(`files_dontaudit_write_usr_files',`
+ 	gen_require(`
+-		type var_t;
++		type usr_t;
+ 	')
+ 
+-	allow $1 var_t:dir manage_dir_perms;
++	dontaudit $1 usr_t:file write;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Read files in the /var directory.
++##	Create, read, write, and delete files in the /usr directory.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -5250,17 +5712,17 @@ interface(`files_manage_var_dirs',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_read_var_files',`
++interface(`files_manage_usr_files',`
+ 	gen_require(`
+-		type var_t;
++		type usr_t;
+ 	')
+ 
+-	read_files_pattern($1, var_t, var_t)
++	manage_files_pattern($1, usr_t, usr_t)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Append files in the /var directory.
++##	Relabel a file to the type used in /usr.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -5268,17 +5730,17 @@ interface(`files_read_var_files',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_append_var_files',`
++interface(`files_relabelto_usr_files',`
+ 	gen_require(`
+-		type var_t;
++		type usr_t;
+ 	')
+ 
+-	append_files_pattern($1, var_t, var_t)
++	relabelto_files_pattern($1, usr_t, usr_t)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Read and write files in the /var directory.
++##	Relabel a file from the type used in /usr.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -5286,73 +5748,86 @@ interface(`files_append_var_files',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_rw_var_files',`
++interface(`files_relabelfrom_usr_files',`
+ 	gen_require(`
+-		type var_t;
++		type usr_t;
+ 	')
+ 
+-	rw_files_pattern($1, var_t, var_t)
++	relabelfrom_files_pattern($1, usr_t, usr_t)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Do not audit attempts to read and write
+-##	files in the /var directory.
++##	Read symbolic links in /usr.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain to not audit.
++##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_dontaudit_rw_var_files',`
++interface(`files_read_usr_symlinks',`
+ 	gen_require(`
+-		type var_t;
++		type usr_t;
+ 	')
+ 
+-	dontaudit $1 var_t:file rw_file_perms;
++	read_lnk_files_pattern($1, usr_t, usr_t)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Create, read, write, and delete files in the /var directory.
++##	Create objects in the /usr directory
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
++## <param name="file_type">
++##	<summary>
++##	The type of the object to be created
++##	</summary>
++## </param>
++## <param name="object_class">
++##	<summary>
++##	The object class.
++##	</summary>
++## </param>
++## <param name="name" optional="true">
++##	<summary>
++##	The name of the object being created.
++##	</summary>
++## </param>
+ #
+-interface(`files_manage_var_files',`
++interface(`files_usr_filetrans',`
+ 	gen_require(`
+-		type var_t;
++		type usr_t;
+ 	')
+ 
+-	manage_files_pattern($1, var_t, var_t)
++	filetrans_pattern($1, usr_t, $2, $3, $4)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Read symbolic links in the /var directory.
++##	Do not audit attempts to search /usr/src.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain allowed access.
++##	Domain to not audit.
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_read_var_symlinks',`
++interface(`files_dontaudit_search_src',`
+ 	gen_require(`
+-		type var_t;
++		type src_t;
+ 	')
+ 
+-	read_lnk_files_pattern($1, var_t, var_t)
++	dontaudit $1 src_t:dir search_dir_perms;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Create, read, write, and delete symbolic
+-##	links in the /var directory.
++##	Get the attributes of files in /usr/src.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -5360,50 +5835,41 @@ interface(`files_read_var_symlinks',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_manage_var_symlinks',`
++interface(`files_getattr_usr_src_files',`
+ 	gen_require(`
+-		type var_t;
++		type usr_t, src_t;
+ 	')
+ 
+-	manage_lnk_files_pattern($1, var_t, var_t)
++	getattr_files_pattern($1, src_t, src_t)
++
++	# /usr/src/linux symlink:
++	read_lnk_files_pattern($1, usr_t, src_t)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Create objects in the /var directory
++##	Read files in /usr/src.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+-## <param name="file_type">
+-##	<summary>
+-##	The type of the object to be created
+-##	</summary>
+-## </param>
+-## <param name="object_class">
+-##	<summary>
+-##	The object class.
+-##	</summary>
+-## </param>
+-## <param name="name" optional="true">
+-##	<summary>
+-##	The name of the object being created.
+-##	</summary>
+-## </param>
+ #
+-interface(`files_var_filetrans',`
++interface(`files_read_usr_src_files',`
+ 	gen_require(`
+-		type var_t;
++		type usr_t, src_t;
+ 	')
+ 
+-	filetrans_pattern($1, var_t, $2, $3, $4)
++	allow $1 usr_t:dir search_dir_perms;
++	read_files_pattern($1, { usr_t src_t }, src_t)
++	read_lnk_files_pattern($1, { usr_t src_t }, src_t)
++	allow $1 src_t:dir list_dir_perms;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Get the attributes of the /var/lib directory.
++##	Execute programs in /usr/src in the caller domain.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -5411,69 +5877,57 @@ interface(`files_var_filetrans',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_getattr_var_lib_dirs',`
++interface(`files_exec_usr_src_files',`
+ 	gen_require(`
+-		type var_t, var_lib_t;
++		type usr_t, src_t;
+ 	')
+ 
+-	getattr_dirs_pattern($1, var_t, var_lib_t)
++	list_dirs_pattern($1, usr_t, src_t)
++	exec_files_pattern($1, src_t, src_t)
++	read_lnk_files_pattern($1, src_t, src_t)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Search the /var/lib directory.
++##	Install a system.map into the /boot directory.
+ ## </summary>
+-## <desc>
+-##	<p>
+-##	Search the /var/lib directory.  This is
+-##	necessary to access files or directories under
+-##	/var/lib that have a private type.  For example, a
+-##	domain accessing a private library file in the
+-##	/var/lib directory:
+-##	</p>
+-##	<p>
+-##	allow mydomain_t mylibfile_t:file read_file_perms;
+-##	files_search_var_lib(mydomain_t)
+-##	</p>
+-## </desc>
+ ## <param name="domain">
+ ##	<summary>
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+-## <infoflow type="read" weight="5"/>
+ #
+-interface(`files_search_var_lib',`
++interface(`files_create_kernel_symbol_table',`
+ 	gen_require(`
+-		type var_t, var_lib_t;
++		type boot_t, system_map_t;
+ 	')
+ 
+-	search_dirs_pattern($1, var_t, var_lib_t)
++	allow $1 boot_t:dir { list_dir_perms add_entry_dir_perms };
++	allow $1 system_map_t:file { create_file_perms rw_file_perms };
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Do not audit attempts to search the
+-##	contents of /var/lib.
++##	Read system.map in the /boot directory.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain to not audit.
++##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+-## <infoflow type="read" weight="5"/>
+ #
+-interface(`files_dontaudit_search_var_lib',`
++interface(`files_read_kernel_symbol_table',`
+ 	gen_require(`
+-		type var_lib_t;
++		type boot_t, system_map_t;
+ 	')
+ 
+-	dontaudit $1 var_lib_t:dir search_dir_perms;
++	allow $1 boot_t:dir list_dir_perms;
++	read_files_pattern($1, boot_t, system_map_t)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	List the contents of the /var/lib directory.
++##	Delete a system.map in the /boot directory.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -5481,17 +5935,18 @@ interface(`files_dontaudit_search_var_lib',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_list_var_lib',`
++interface(`files_delete_kernel_symbol_table',`
+ 	gen_require(`
+-		type var_t, var_lib_t;
++		type boot_t, system_map_t;
+ 	')
+ 
+-	list_dirs_pattern($1, var_t, var_lib_t)
++	allow $1 boot_t:dir list_dir_perms;
++	delete_files_pattern($1, boot_t, system_map_t)
+ ')
+ 
+-###########################################
 +########################################
+ ## <summary>
+-##	Read-write /var/lib directories
++##	Search the contents of /var.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -5499,51 +5954,35 @@ interface(`files_list_var_lib',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_rw_var_lib_dirs',`
++interface(`files_search_var',`
+ 	gen_require(`
+-		type var_lib_t;
++		type var_t;
+ 	')
+ 
+-	rw_dirs_pattern($1, var_lib_t, var_lib_t)
++	allow $1 var_t:dir search_dir_perms;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Create objects in the /var/lib directory
++##	Do not audit attempts to write to /var.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain allowed access.
+-##	</summary>
+-## </param>
+-## <param name="file_type">
+-##	<summary>
+-##	The type of the object to be created
+-##	</summary>
+-## </param>
+-## <param name="object_class">
+-##	<summary>
+-##	The object class.
+-##	</summary>
+-## </param>
+-## <param name="name" optional="true">
+-##	<summary>
+-##	The name of the object being created.
++##	Domain to not audit.
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_var_lib_filetrans',`
++interface(`files_dontaudit_write_var_dirs',`
+ 	gen_require(`
+-		type var_t, var_lib_t;
++		type var_t;
+ 	')
+ 
+-	allow $1 var_t:dir search_dir_perms;
+-	filetrans_pattern($1, var_lib_t, $2, $3, $4)
++	dontaudit $1 var_t:dir write;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Read generic files in /var/lib.
++##	Allow attempts to write to /var.dirs
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -5551,40 +5990,36 @@ interface(`files_var_lib_filetrans',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_read_var_lib_files',`
++interface(`files_write_var_dirs',`
+ 	gen_require(`
+-		type var_t, var_lib_t;
++		type var_t;
+ 	')
+ 
+-	allow $1 var_lib_t:dir list_dir_perms;
+-	read_files_pattern($1, { var_t var_lib_t }, var_lib_t)
++	allow $1 var_t:dir write;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Read generic symbolic links in /var/lib
++##	Do not audit attempts to search
++##	the contents of /var.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain allowed access.
++##	Domain to not audit.
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_read_var_lib_symlinks',`
++interface(`files_dontaudit_search_var',`
+ 	gen_require(`
+-		type var_t, var_lib_t;
++		type var_t;
+ 	')
+ 
+-	read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t)
++	dontaudit $1 var_t:dir search_dir_perms;
+ ')
+ 
+-# cjp: the next two interfaces really need to be fixed
+-# in some way.  They really neeed their own types.
+-
+ ########################################
+ ## <summary>
+-##	Create, read, write, and delete the
+-##	pseudorandom number generator seed.
++##	List the contents of /var.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -5592,38 +6027,36 @@ interface(`files_read_var_lib_symlinks',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_manage_urandom_seed',`
++interface(`files_list_var',`
+ 	gen_require(`
+-		type var_t, var_lib_t;
++		type var_t;
+ 	')
+ 
+-	allow $1 var_t:dir search_dir_perms;
+-	manage_files_pattern($1, var_lib_t, var_lib_t)
++	allow $1 var_t:dir list_dir_perms;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Allow domain to manage mount tables
+-##	necessary for rpcd, nfsd, etc.
++##	Do not audit listing of the var directory (/var).
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain allowed access.
++##	Domain to not audit.
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_manage_mounttab',`
++interface(`files_dontaudit_list_var',`
+ 	gen_require(`
+-		type var_t, var_lib_t;
++		type var_t;
+ 	')
+ 
+-	allow $1 var_t:dir search_dir_perms;
+-	manage_files_pattern($1, var_lib_t, var_lib_t)
++	dontaudit $1 var_t:dir list_dir_perms;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Set the attributes of the generic lock directories.
++##	Create, read, write, and delete directories
++##	in the /var directory.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -5631,17 +6064,17 @@ interface(`files_manage_mounttab',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_setattr_lock_dirs',`
++interface(`files_manage_var_dirs',`
+ 	gen_require(`
+-		type var_t, var_lock_t;
++		type var_t;
+ 	')
+ 
+-	setattr_dirs_pattern($1, var_t, var_lock_t)
++	allow $1 var_t:dir manage_dir_perms;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Search the locks directory (/var/lock).
++##	Read files in the /var directory.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -5649,38 +6082,35 @@ interface(`files_setattr_lock_dirs',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_search_locks',`
++interface(`files_read_var_files',`
+ 	gen_require(`
+-		type var_t, var_lock_t;
++		type var_t;
+ 	')
+ 
+-	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+-	search_dirs_pattern($1, var_t, var_lock_t)
++	read_files_pattern($1, var_t, var_t)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Do not audit attempts to search the
+-##	locks directory (/var/lock).
++##	Append files in the /var directory.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain to not audit.
++##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_dontaudit_search_locks',`
++interface(`files_append_var_files',`
+ 	gen_require(`
+-		type var_lock_t;
++		type var_t;
+ 	')
+ 
+-	dontaudit $1 var_lock_t:lnk_file read_lnk_file_perms;
+-	dontaudit $1 var_lock_t:dir search_dir_perms;
++	append_files_pattern($1, var_t, var_t)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	List generic lock directories.
++##	Read and write files in the /var directory.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -5688,80 +6118,73 @@ interface(`files_dontaudit_search_locks',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_list_locks',`
++interface(`files_rw_var_files',`
+ 	gen_require(`
+-		type var_t, var_lock_t;
++		type var_t;
+ 	')
+ 
+-	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+-	list_dirs_pattern($1, var_t, var_lock_t)
++	rw_files_pattern($1, var_t, var_t)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Add and remove entries in the /var/lock
+-##	directories.
++##	Do not audit attempts to read and write
++##	files in the /var directory.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain allowed access.
++##	Domain to not audit.
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_rw_lock_dirs',`
++interface(`files_dontaudit_rw_var_files',`
+ 	gen_require(`
+-		type var_t, var_lock_t;
++		type var_t;
+ 	')
+ 
+-	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+-	rw_dirs_pattern($1, var_t, var_lock_t)
++	dontaudit $1 var_t:file rw_file_perms;
+ ')
+ 
+ ########################################
+ ## <summary>
+-## 	Create lock directories
++##	Create, read, write, and delete files in the /var directory.
+ ## </summary>
+ ## <param name="domain">
+-## 	<summary>
+-##	Domain allowed access
++##	<summary>
++##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_create_lock_dirs',`
++interface(`files_manage_var_files',`
+ 	gen_require(`
+-		type var_t, var_lock_t;
++		type var_t;
+ 	')
+ 
+-	allow $1 var_t:dir search_dir_perms;
+-	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+-	create_dirs_pattern($1, var_lock_t, var_lock_t)
++	manage_files_pattern($1, var_t, var_t)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Relabel to and from all lock directory types.
++##	Read symbolic links in the /var directory.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+-## <rolecap/>
+ #
+-interface(`files_relabel_all_lock_dirs',`
++interface(`files_read_var_symlinks',`
+ 	gen_require(`
+-		attribute lockfile;
+-		type var_t, var_lock_t;
++		type var_t;
+ 	')
+ 
+-	allow $1 var_t:dir search_dir_perms;
+-	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+-	relabel_dirs_pattern($1, lockfile, lockfile)
++	read_lnk_files_pattern($1, var_t, var_t)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Get the attributes of generic lock files.
++##	Create, read, write, and delete symbolic
++##	links in the /var directory.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -5769,41 +6192,50 @@ interface(`files_relabel_all_lock_dirs',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_getattr_generic_locks',`
++interface(`files_manage_var_symlinks',`
+ 	gen_require(`
+-		type var_t, var_lock_t;
++		type var_t;
+ 	')
+ 
+-	allow $1 var_t:dir search_dir_perms;
+-	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+-	allow $1 var_lock_t:dir list_dir_perms;
+-	getattr_files_pattern($1, var_lock_t, var_lock_t)
++	manage_lnk_files_pattern($1, var_t, var_t)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Delete generic lock files.
++##	Create objects in the /var directory
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
++## <param name="file_type">
++##	<summary>
++##	The type of the object to be created
++##	</summary>
++## </param>
++## <param name="object_class">
++##	<summary>
++##	The object class.
++##	</summary>
++## </param>
++## <param name="name" optional="true">
++##	<summary>
++##	The name of the object being created.
++##	</summary>
++## </param>
+ #
+-interface(`files_delete_generic_locks',`
++interface(`files_var_filetrans',`
+ 	gen_require(`
+-		type var_t, var_lock_t;
++		type var_t;
+ 	')
+ 
+-	allow $1 var_t:dir search_dir_perms;
+-	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+-	delete_files_pattern($1, var_lock_t, var_lock_t)
++	filetrans_pattern($1, var_t, $2, $3, $4)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Create, read, write, and delete generic
+-##	lock files.
++##	Get the attributes of the /var/lib directory.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -5811,65 +6243,69 @@ interface(`files_delete_generic_locks',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_manage_generic_locks',`
++interface(`files_getattr_var_lib_dirs',`
+ 	gen_require(`
+-		type var_t, var_lock_t;
++		type var_t, var_lib_t;
+ 	')
+ 
+-	allow $1 var_t:dir search_dir_perms;
+-	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+-	manage_dirs_pattern($1, var_lock_t, var_lock_t)
+-	manage_files_pattern($1, var_lock_t, var_lock_t)
++	getattr_dirs_pattern($1, var_t, var_lib_t)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Delete all lock files.
++##	Search the /var/lib directory.
+ ## </summary>
++## <desc>
++##	<p>
++##	Search the /var/lib directory.  This is
++##	necessary to access files or directories under
++##	/var/lib that have a private type.  For example, a
++##	domain accessing a private library file in the
++##	/var/lib directory:
++##	</p>
++##	<p>
++##	allow mydomain_t mylibfile_t:file read_file_perms;
++##	files_search_var_lib(mydomain_t)
++##	</p>
++## </desc>
+ ## <param name="domain">
+ ##	<summary>
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+-## <rolecap/>
++## <infoflow type="read" weight="5"/>
+ #
+-interface(`files_delete_all_locks',`
++interface(`files_search_var_lib',`
+ 	gen_require(`
+-		attribute lockfile;
+-		type var_t, var_lock_t;
++		type var_t, var_lib_t;
+ 	')
+ 
+-	allow $1 var_t:dir search_dir_perms;
+-	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+-	delete_files_pattern($1, lockfile, lockfile)
++	search_dirs_pattern($1, var_t, var_lib_t)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Read all lock files.
++##	Do not audit attempts to search the
++##	contents of /var/lib.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain allowed access.
++##	Domain to not audit.
+ ##	</summary>
+ ## </param>
++## <infoflow type="read" weight="5"/>
+ #
+-interface(`files_read_all_locks',`
++interface(`files_dontaudit_search_var_lib',`
+ 	gen_require(`
+-		attribute lockfile;
+-		type var_t, var_lock_t;
++		type var_lib_t;
+ 	')
+ 
+-	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+-	allow $1 { var_t var_lock_t }:dir search_dir_perms;
+-	allow $1 lockfile:dir list_dir_perms;
+-	read_files_pattern($1, lockfile, lockfile)
+-	read_lnk_files_pattern($1, lockfile, lockfile)
++	dontaudit $1 var_lib_t:dir search_dir_perms;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	manage all lock files.
++##	List the contents of the /var/lib directory.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -5877,37 +6313,49 @@ interface(`files_read_all_locks',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_manage_all_locks',`
++interface(`files_list_var_lib',`
+ 	gen_require(`
+-		attribute lockfile;
+-		type var_t, var_lock_t;
++		type var_t, var_lib_t;
+ 	')
+ 
+-	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+-	allow $1 { var_t var_lock_t }:dir search_dir_perms;
+-	manage_dirs_pattern($1, lockfile, lockfile)
+-	manage_files_pattern($1, lockfile, lockfile)
+-	manage_lnk_files_pattern($1, lockfile, lockfile)
++	list_dirs_pattern($1, var_t, var_lib_t)
++')
++
++###########################################
 +## <summary>
-+##	manage generic symbolic links
-+##	in the /var/lib directory.
++##	Read-write /var/lib directories
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@@ -9597,55 +11521,245 @@ index 64ff4d7..8a9355a 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`files_manage_var_lib_symlinks',`
++interface(`files_rw_var_lib_dirs',`
 +	gen_require(`
 +		type var_lib_t;
 +	')
 +
-+	manage_lnk_files_pattern($1,var_lib_t,var_lib_t)
-+')
-+
- # cjp: the next two interfaces really need to be fixed
- # in some way.  They really neeed their own types.
- 
-@@ -5623,7 +6360,7 @@ interface(`files_manage_mounttab',`
++	rw_dirs_pattern($1, var_lib_t, var_lib_t)
+ ')
  
  ########################################
  ## <summary>
--##	Set the attributes of the generic lock directories.
-+##	List generic lock directories.
+-##	Create an object in the locks directory, with a private
+-##	type using a type transition.
++##	Create objects in the /var/lib directory
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5631,12 +6368,13 @@ interface(`files_manage_mounttab',`
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+-## <param name="private type">
++## <param name="file_type">
+ ##	<summary>
+-##	The type of the object to be created.
++##	The type of the object to be created
+ ##	</summary>
+ ## </param>
+-## <param name="object">
++## <param name="object_class">
+ ##	<summary>
+-##	The object class of the object being created.
++##	The object class.
+ ##	</summary>
+ ## </param>
+ ## <param name="name" optional="true">
+@@ -5916,39 +6364,37 @@ interface(`files_manage_all_locks',`
  ##	</summary>
  ## </param>
  #
--interface(`files_setattr_lock_dirs',`
-+interface(`files_list_locks',`
+-interface(`files_lock_filetrans',`
++interface(`files_var_lib_filetrans',`
  	gen_require(`
- 		type var_t, var_lock_t;
+-		type var_t, var_lock_t;
++		type var_t, var_lib_t;
  	')
  
--	setattr_dirs_pattern($1, var_t, var_lock_t)
-+	files_search_locks($1)
-+	list_dirs_pattern($1, var_t, var_lock_t)
+ 	allow $1 var_t:dir search_dir_perms;
+-	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+-	filetrans_pattern($1, var_lock_t, $2, $3, $4)
++	filetrans_pattern($1, var_lib_t, $2, $3, $4)
  ')
  
- ########################################
-@@ -5654,6 +6392,7 @@ interface(`files_search_locks',`
- 		type var_t, var_lock_t;
- 	')
- 
-+	files_search_pids($1)
- 	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
- 	search_dirs_pattern($1, var_t, var_lock_t)
- ')
-@@ -5680,7 +6419,26 @@ interface(`files_dontaudit_search_locks',`
- 
  ########################################
  ## <summary>
--##	List generic lock directories.
+-##	Do not audit attempts to get the attributes
+-##	of the /var/run directory.
++##	Read generic files in /var/lib.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain to not audit.
++##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_dontaudit_getattr_pid_dirs',`
++interface(`files_read_var_lib_files',`
+ 	gen_require(`
+-		type var_run_t;
++		type var_t, var_lib_t;
+ 	')
+ 
+-	dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
+-	dontaudit $1 var_run_t:dir getattr;
++	allow $1 var_lib_t:dir list_dir_perms;
++	read_files_pattern($1, { var_t var_lib_t }, var_lib_t)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Set the attributes of the /var/run directory.
++##	Read generic symbolic links in /var/lib
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -5956,19 +6402,18 @@ interface(`files_dontaudit_getattr_pid_dirs',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_setattr_pid_dirs',`
++interface(`files_read_var_lib_symlinks',`
+ 	gen_require(`
+-		type var_run_t;
++		type var_t, var_lib_t;
+ 	')
+ 
+-	allow $1 var_run_t:lnk_file read_lnk_file_perms;
+-	allow $1 var_run_t:dir setattr;
++	read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Search the contents of runtime process
+-##	ID directories (/var/run).
++##	manage generic symbolic links
++##	in the /var/lib directory.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -5976,39 +6421,41 @@ interface(`files_setattr_pid_dirs',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_search_pids',`
++interface(`files_manage_var_lib_symlinks',`
+ 	gen_require(`
+-		type var_t, var_run_t;
++		type var_lib_t;
+ 	')
+ 
+-	allow $1 var_run_t:lnk_file read_lnk_file_perms;
+-	search_dirs_pattern($1, var_t, var_run_t)
++	manage_lnk_files_pattern($1,var_lib_t,var_lib_t)
+ ')
+ 
++# cjp: the next two interfaces really need to be fixed
++# in some way.  They really neeed their own types.
++
+ ########################################
+ ## <summary>
+-##	Do not audit attempts to search
+-##	the /var/run directory.
++##	Create, read, write, and delete the
++##	pseudorandom number generator seed.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain to not audit.
++##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_dontaudit_search_pids',`
++interface(`files_manage_urandom_seed',`
+ 	gen_require(`
+-		type var_run_t;
++		type var_t, var_lib_t;
+ 	')
+ 
+-	dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
+-	dontaudit $1 var_run_t:dir search_dir_perms;
++	allow $1 var_t:dir search_dir_perms;
++	manage_files_pattern($1, var_lib_t, var_lib_t)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	List the contents of the runtime process
+-##	ID directories (/var/run).
++##	Allow domain to manage mount tables
++##	necessary for rpcd, nfsd, etc.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -6016,18 +6463,1012 @@ interface(`files_dontaudit_search_pids',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_list_pids',`
++interface(`files_manage_mounttab',`
++	gen_require(`
++		type var_t, var_lib_t;
++	')
++
++	allow $1 var_t:dir search_dir_perms;
++	manage_files_pattern($1, var_lib_t, var_lib_t)
++')
++
++########################################
++## <summary>
++##	List generic lock directories.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_list_locks',`
++	gen_require(`
++		type var_t, var_lock_t;
++	')
++
++	files_search_locks($1)
++	list_dirs_pattern($1, var_t, var_lock_t)
++')
++
++########################################
++## <summary>
++##	Search the locks directory (/var/lock).
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_search_locks',`
++	gen_require(`
++		type var_t, var_lock_t;
++	')
++
++	files_search_pids($1)
++	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
++	search_dirs_pattern($1, var_t, var_lock_t)
++')
++
++########################################
++## <summary>
++##	Do not audit attempts to search the
++##	locks directory (/var/lock).
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
++##	</summary>
++## </param>
++#
++interface(`files_dontaudit_search_locks',`
++	gen_require(`
++		type var_lock_t;
++	')
++
++	dontaudit $1 var_lock_t:lnk_file read_lnk_file_perms;
++	dontaudit $1 var_lock_t:dir search_dir_perms;
++')
++
++########################################
++## <summary>
 +##	Do not audit attempts to read/write inherited
 +##	locks (/var/lock).
 +## </summary>
@@ -9666,116 +11780,301 @@ index 64ff4d7..8a9355a 100644
 +########################################
 +## <summary>
 +##	Set the attributes of the /var/lock directory.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -5688,13 +6446,12 @@ interface(`files_dontaudit_search_locks',`
- ##	</summary>
- ## </param>
- #
--interface(`files_list_locks',`
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
 +interface(`files_setattr_lock_dirs',`
- 	gen_require(`
--		type var_t, var_lock_t;
++	gen_require(`
 +		type var_lock_t;
- 	')
- 
--	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
--	list_dirs_pattern($1, var_t, var_lock_t)
++	')
++
 +	allow $1 var_lock_t:dir setattr;
- ')
- 
- ########################################
-@@ -5713,7 +6470,7 @@ interface(`files_rw_lock_dirs',`
- 		type var_t, var_lock_t;
- 	')
- 
--	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
++')
++
++########################################
++## <summary>
++##	Add and remove entries in the /var/lock
++##	directories.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_rw_lock_dirs',`
++	gen_require(`
++		type var_t, var_lock_t;
++	')
++
 +	files_search_locks($1)
- 	rw_dirs_pattern($1, var_t, var_lock_t)
- ')
- 
-@@ -5746,7 +6503,6 @@ interface(`files_create_lock_dirs',`
- ##	Domain allowed access.
- ##	</summary>
- ## </param>
--## <rolecap/>
- #
- interface(`files_relabel_all_lock_dirs',`
- 	gen_require(`
-@@ -5774,8 +6530,7 @@ interface(`files_getattr_generic_locks',`
- 		type var_t, var_lock_t;
- 	')
- 
--	allow $1 var_t:dir search_dir_perms;
--	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
++	rw_dirs_pattern($1, var_t, var_lock_t)
++')
++
++########################################
++## <summary>
++## 	Create lock directories
++## </summary>
++## <param name="domain">
++## 	<summary>
++##	Domain allowed access
++##	</summary>
++## </param>
++#
++interface(`files_create_lock_dirs',`
++	gen_require(`
++		type var_t, var_lock_t;
++	')
++
++	allow $1 var_t:dir search_dir_perms;
++	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
++	create_dirs_pattern($1, var_lock_t, var_lock_t)
++')
++
++########################################
++## <summary>
++##	Relabel to and from all lock directory types.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_relabel_all_lock_dirs',`
++	gen_require(`
++		attribute lockfile;
++		type var_t, var_lock_t;
++	')
++
++	allow $1 var_t:dir search_dir_perms;
++	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
++	relabel_dirs_pattern($1, lockfile, lockfile)
++')
++
++########################################
++## <summary>
++##	Get the attributes of generic lock files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_getattr_generic_locks',`
++	gen_require(`
++		type var_t, var_lock_t;
++	')
++
 +	files_search_locks($1)
- 	allow $1 var_lock_t:dir list_dir_perms;
- 	getattr_files_pattern($1, var_lock_t, var_lock_t)
- ')
-@@ -5791,13 +6546,12 @@ interface(`files_getattr_generic_locks',`
- ## </param>
- #
- interface(`files_delete_generic_locks',`
--	gen_require(`
++	allow $1 var_lock_t:dir list_dir_perms;
++	getattr_files_pattern($1, var_lock_t, var_lock_t)
++')
++
++########################################
++## <summary>
++##	Delete generic lock files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_delete_generic_locks',`
 +       gen_require(`
- 		type var_t, var_lock_t;
--	')
++		type var_t, var_lock_t;
 +       ')
- 
--	allow $1 var_t:dir search_dir_perms;
--	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
--	delete_files_pattern($1, var_lock_t, var_lock_t)
++
 +       files_search_locks($1)
 +       delete_files_pattern($1, var_lock_t, var_lock_t)
- ')
- 
- ########################################
-@@ -5816,9 +6570,7 @@ interface(`files_manage_generic_locks',`
- 		type var_t, var_lock_t;
- 	')
- 
--	allow $1 var_t:dir search_dir_perms;
--	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
--	manage_dirs_pattern($1, var_lock_t, var_lock_t)
++')
++
++########################################
++## <summary>
++##	Create, read, write, and delete generic
++##	lock files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_manage_generic_locks',`
++	gen_require(`
++		type var_t, var_lock_t;
++	')
++
 +	files_search_locks($1)
- 	manage_files_pattern($1, var_lock_t, var_lock_t)
- ')
- 
-@@ -5860,8 +6612,7 @@ interface(`files_read_all_locks',`
- 		type var_t, var_lock_t;
- 	')
- 
--	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
--	allow $1 { var_t var_lock_t }:dir search_dir_perms;
++	manage_files_pattern($1, var_lock_t, var_lock_t)
++')
++
++########################################
++## <summary>
++##	Delete all lock files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`files_delete_all_locks',`
++	gen_require(`
++		attribute lockfile;
++		type var_t, var_lock_t;
++	')
++
++	allow $1 var_t:dir search_dir_perms;
++	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
++	delete_files_pattern($1, lockfile, lockfile)
++')
++
++########################################
++## <summary>
++##	Read all lock files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_read_all_locks',`
++	gen_require(`
++		attribute lockfile;
++		type var_t, var_lock_t;
++	')
++
 +	files_search_locks($1)
- 	allow $1 lockfile:dir list_dir_perms;
- 	read_files_pattern($1, lockfile, lockfile)
- 	read_lnk_files_pattern($1, lockfile, lockfile)
-@@ -5883,8 +6634,7 @@ interface(`files_manage_all_locks',`
- 		type var_t, var_lock_t;
- 	')
- 
--	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
--	allow $1 { var_t var_lock_t }:dir search_dir_perms;
++	allow $1 lockfile:dir list_dir_perms;
++	read_files_pattern($1, lockfile, lockfile)
++	read_lnk_files_pattern($1, lockfile, lockfile)
++')
++
++########################################
++## <summary>
++##	manage all lock files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_manage_all_locks',`
++	gen_require(`
++		attribute lockfile;
++		type var_t, var_lock_t;
++	')
++
 +	files_search_locks($1)
- 	manage_dirs_pattern($1, lockfile, lockfile)
- 	manage_files_pattern($1, lockfile, lockfile)
- 	manage_lnk_files_pattern($1, lockfile, lockfile)
-@@ -5921,8 +6671,7 @@ interface(`files_lock_filetrans',`
- 		type var_t, var_lock_t;
- 	')
- 
--	allow $1 var_t:dir search_dir_perms;
--	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
++	manage_dirs_pattern($1, lockfile, lockfile)
++	manage_files_pattern($1, lockfile, lockfile)
++	manage_lnk_files_pattern($1, lockfile, lockfile)
++')
++
++########################################
++## <summary>
++##	Create an object in the locks directory, with a private
++##	type using a type transition.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <param name="private type">
++##	<summary>
++##	The type of the object to be created.
++##	</summary>
++## </param>
++## <param name="object">
++##	<summary>
++##	The object class of the object being created.
++##	</summary>
++## </param>
++## <param name="name" optional="true">
++##	<summary>
++##	The name of the object being created.
++##	</summary>
++## </param>
++#
++interface(`files_lock_filetrans',`
++	gen_require(`
++		type var_t, var_lock_t;
++	')
++
 +	files_search_locks($1)
- 	filetrans_pattern($1, var_lock_t, $2, $3, $4)
- ')
- 
-@@ -5985,6 +6734,43 @@ interface(`files_search_pids',`
- 	search_dirs_pattern($1, var_t, var_run_t)
- ')
- 
++	filetrans_pattern($1, var_lock_t, $2, $3, $4)
++')
++
++########################################
++## <summary>
++##	Do not audit attempts to get the attributes
++##	of the /var/run directory.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
++##	</summary>
++## </param>
++#
++interface(`files_dontaudit_getattr_pid_dirs',`
++	gen_require(`
++		type var_run_t;
++	')
++
++	dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
++	dontaudit $1 var_run_t:dir getattr;
++')
++
++########################################
++## <summary>
++##	Set the attributes of the /var/run directory.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_setattr_pid_dirs',`
++	gen_require(`
++		type var_run_t;
++	')
++
++	allow $1 var_run_t:lnk_file read_lnk_file_perms;
++	allow $1 var_run_t:dir setattr;
++')
++
++########################################
++## <summary>
++##	Search the contents of runtime process
++##	ID directories (/var/run).
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_search_pids',`
++	gen_require(`
++		type var_t, var_run_t;
++	')
++
++	allow $1 var_run_t:lnk_file read_lnk_file_perms;
++	search_dirs_pattern($1, var_t, var_run_t)
++')
++
 +######################################
 +## <summary>
 +## Add and remove entries from pid directories.
@@ -9813,13 +12112,28 @@ index 64ff4d7..8a9355a 100644
 +        allow $1 var_run_t:dir create_dir_perms;
 +')
 +
- ########################################
- ## <summary>
- ##	Do not audit attempts to search
-@@ -6007,6 +6793,25 @@ interface(`files_dontaudit_search_pids',`
- 
- ########################################
- ## <summary>
++########################################
++## <summary>
++##	Do not audit attempts to search
++##	the /var/run directory.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
++##	</summary>
++## </param>
++#
++interface(`files_dontaudit_search_pids',`
++	gen_require(`
++		type var_run_t;
++	')
++
++	dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
++	dontaudit $1 var_run_t:dir search_dir_perms;
++')
++
++########################################
++## <summary>
 +##	Do not audit attempts to search
 +##	the all /var/run directory.
 +## </summary>
@@ -9839,66 +12153,260 @@ index 64ff4d7..8a9355a 100644
 +
 +########################################
 +## <summary>
- ##	List the contents of the runtime process
- ##	ID directories (/var/run).
- ## </summary>
-@@ -6122,7 +6927,6 @@ interface(`files_pid_filetrans',`
- 	')
- 
- 	allow $1 var_t:dir search_dir_perms;
--	allow $1 var_run_t:lnk_file read_lnk_file_perms;
- 	filetrans_pattern($1, var_run_t, $2, $3, $4)
- ')
- 
-@@ -6231,46 +7035,230 @@ interface(`files_dontaudit_ioctl_all_pids',`
- 
- ########################################
- ## <summary>
--##	Read all process ID files.
++##	List the contents of the runtime process
++##	ID directories (/var/run).
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_list_pids',`
++	gen_require(`
++		type var_t, var_run_t;
++	')
++
++	allow $1 var_run_t:lnk_file read_lnk_file_perms;
++	list_dirs_pattern($1, var_t, var_run_t)
++')
++
++########################################
++## <summary>
++##	Read generic process ID files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_read_generic_pids',`
++	gen_require(`
++		type var_t, var_run_t;
++	')
++
++	allow $1 var_run_t:lnk_file read_lnk_file_perms;
++	list_dirs_pattern($1, var_t, var_run_t)
++	read_files_pattern($1, var_run_t, var_run_t)
++')
++
++########################################
++## <summary>
++##	Write named generic process ID pipes
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_write_generic_pid_pipes',`
++	gen_require(`
++		type var_run_t;
++	')
++
++	allow $1 var_run_t:lnk_file read_lnk_file_perms;
++	allow $1 var_run_t:fifo_file write;
++')
++
++########################################
++## <summary>
++##	Create an object in the process ID directory, with a private type.
++## </summary>
++## <desc>
++##	<p>
++##	Create an object in the process ID directory (e.g., /var/run)
++##	with a private type.  Typically this is used for creating
++##	private PID files in /var/run with the private type instead
++##	of the general PID file type. To accomplish this goal,
++##	either the program must be SELinux-aware, or use this interface.
++##	</p>
++##	<p>
++##	Related interfaces:
++##	</p>
++##	<ul>
++##		<li>files_pid_file()</li>
++##	</ul>
++##	<p>
++##	Example usage with a domain that can create and
++##	write its PID file with a private PID file type in the
++##	/var/run directory:
++##	</p>
++##	<p>
++##	type mypidfile_t;
++##	files_pid_file(mypidfile_t)
++##	allow mydomain_t mypidfile_t:file { create_file_perms write_file_perms };
++##	files_pid_filetrans(mydomain_t, mypidfile_t, file)
++##	</p>
++## </desc>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <param name="private type">
++##	<summary>
++##	The type of the object to be created.
++##	</summary>
++## </param>
++## <param name="object">
++##	<summary>
++##	The object class of the object being created.
++##	</summary>
++## </param>
++## <param name="name" optional="true">
++##	<summary>
++##	The name of the object being created.
++##	</summary>
++## </param>
++## <infoflow type="write" weight="10"/>
++#
++interface(`files_pid_filetrans',`
++	gen_require(`
++		type var_t, var_run_t;
++	')
++
++	allow $1 var_t:dir search_dir_perms;
++	filetrans_pattern($1, var_run_t, $2, $3, $4)
++')
++
++########################################
++## <summary>
++## 	Create a generic lock directory within the run directories
++## </summary>
++## <param name="domain">
++## 	<summary>
++##	Domain allowed access
++##	</summary>
++## </param>
++## <param name="name" optional="true">
++##	<summary>
++##	The name of the object being created.
++##	</summary>
++## </param>
++#
++interface(`files_pid_filetrans_lock_dir',`
++	gen_require(`
++		type var_lock_t;
++	')
++
++	files_pid_filetrans($1, var_lock_t, dir, $2)
++')
++
++########################################
++## <summary>
++##	Read and write generic process ID files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_rw_generic_pids',`
++	gen_require(`
++		type var_t, var_run_t;
++	')
++
++	allow $1 var_run_t:lnk_file read_lnk_file_perms;
++	list_dirs_pattern($1, var_t, var_run_t)
++	rw_files_pattern($1, var_run_t, var_run_t)
++')
++
++########################################
++## <summary>
++##	Do not audit attempts to get the attributes of
++##	daemon runtime data files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
++##	</summary>
++## </param>
++#
++interface(`files_dontaudit_getattr_all_pids',`
++	gen_require(`
++		attribute pidfile;
++		type var_run_t;
++	')
++
++	dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
++	dontaudit $1 pidfile:file getattr;
++')
++
++########################################
++## <summary>
++##	Do not audit attempts to write to daemon runtime data files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
++##	</summary>
++## </param>
++#
++interface(`files_dontaudit_write_all_pids',`
++	gen_require(`
++		attribute pidfile;
++	')
++
++	dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
++	dontaudit $1 pidfile:file write;
++')
++
++########################################
++## <summary>
++##	Do not audit attempts to ioctl daemon runtime data files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
++##	</summary>
++## </param>
++#
++interface(`files_dontaudit_ioctl_all_pids',`
++	gen_require(`
++		attribute pidfile;
++		type var_run_t;
++	')
++
++	dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
++	dontaudit $1 pidfile:file ioctl;
++')
++
++########################################
++## <summary>
 +##	Relable all pid directories
- ## </summary>
- ## <param name="domain">
- ##	<summary>
- ##	Domain allowed access.
- ##	</summary>
- ## </param>
--## <rolecap/>
- #
--interface(`files_read_all_pids',`
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
 +interface(`files_relabel_all_pid_dirs',`
- 	gen_require(`
- 		attribute pidfile;
--		type var_t, var_run_t;
- 	')
- 
--	allow $1 var_run_t:lnk_file read_lnk_file_perms;
--	list_dirs_pattern($1, var_t, pidfile)
--	read_files_pattern($1, pidfile, pidfile)
++	gen_require(`
++		attribute pidfile;
++	')
++
 +	relabel_dirs_pattern($1, pidfile, pidfile)
- ')
- 
- ########################################
- ## <summary>
--##	Delete all process IDs.
++')
++
++########################################
++## <summary>
 +##	Delete all pid sockets
- ## </summary>
- ## <param name="domain">
- ##	<summary>
- ##	Domain allowed access.
- ##	</summary>
- ## </param>
--## <rolecap/>
- #
--interface(`files_delete_all_pids',`
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
 +interface(`files_delete_all_pid_sockets',`
- 	gen_require(`
- 		attribute pidfile;
--		type var_t, var_run_t;
- 	')
- 
--	allow $1 var_t:dir search_dir_perms;
--	allow $1 var_run_t:lnk_file read_lnk_file_perms;
--	allow $1 var_run_t:dir rmdir;
++	gen_require(`
++		attribute pidfile;
++	')
++
 +	allow $1 pidfile:sock_file delete_sock_file_perms;
 +')
 +
@@ -10092,15 +12600,35 @@ index 64ff4d7..8a9355a 100644
 +	allow $1 var_t:dir search_dir_perms;
 +	allow $1 var_run_t:lnk_file read_lnk_file_perms;
 +	allow $1 var_run_t:dir rmdir;
- 	allow $1 var_run_t:lnk_file delete_lnk_file_perms;
- 	delete_files_pattern($1, pidfile, pidfile)
- 	delete_fifo_files_pattern($1, pidfile, pidfile)
-@@ -6300,29 +7288,73 @@ interface(`files_delete_all_pid_dirs',`
- 
- ########################################
- ## <summary>
--##	Create, read, write and delete all
--##	var_run (pid) content
++	allow $1 var_run_t:lnk_file delete_lnk_file_perms;
++	delete_files_pattern($1, pidfile, pidfile)
++	delete_fifo_files_pattern($1, pidfile, pidfile)
++	delete_sock_files_pattern($1, pidfile, { pidfile var_run_t })
++')
++
++########################################
++## <summary>
++##	Delete all process ID directories.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_delete_all_pid_dirs',`
++	gen_require(`
++		attribute pidfile;
++		type var_t, var_run_t;
++	')
++
++	allow $1 var_t:dir search_dir_perms;
++	allow $1 var_run_t:lnk_file read_lnk_file_perms;
++	delete_dirs_pattern($1, pidfile, pidfile)
++')
++
++########################################
++## <summary>
 +##	Make the specified type a file
 +##	used for spool files.
 +## </summary>
@@ -10150,76 +12678,330 @@ index 64ff4d7..8a9355a 100644
 +########################################
 +## <summary>
 +##	Create all spool sockets
- ## </summary>
- ## <param name="domain">
- ##	<summary>
--##	Domain alloed access.
-+##	Domain allowed access.
- ##	</summary>
- ## </param>
- #
--interface(`files_manage_all_pids',`
-+interface(`files_create_all_spool_sockets',`
- 	gen_require(`
--		attribute pidfile;
-+		attribute spoolfile;
- 	')
- 
--	manage_dirs_pattern($1, pidfile, pidfile)
--	manage_files_pattern($1, pidfile, pidfile)
--	manage_lnk_files_pattern($1, pidfile, pidfile)
-+	allow $1 spoolfile:sock_file create_sock_file_perms;
- ')
- 
- ########################################
- ## <summary>
--##	Mount filesystems on all polyinstantiation
--##	member directories.
-+##	Delete all spool sockets
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -6330,12 +7362,33 @@ interface(`files_manage_all_pids',`
- ##	</summary>
- ## </param>
- #
--interface(`files_mounton_all_poly_members',`
-+interface(`files_delete_all_spool_sockets',`
- 	gen_require(`
--		attribute polymember;
-+		attribute spoolfile;
- 	')
- 
--	allow $1 polymember:dir mounton;
-+	allow $1 spoolfile:sock_file delete_sock_file_perms;
-+')
-+
-+########################################
-+## <summary>
-+##	Relabel to and from all spool
-+##	directory types.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
-+## <rolecap/>
 +#
++interface(`files_create_all_spool_sockets',`
+ 	gen_require(`
+-		type var_t, var_run_t;
++		attribute spoolfile;
+ 	')
+ 
+-	allow $1 var_run_t:lnk_file read_lnk_file_perms;
+-	list_dirs_pattern($1, var_t, var_run_t)
++	allow $1 spoolfile:sock_file create_sock_file_perms;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Read generic process ID files.
++##	Delete all spool sockets
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -6035,123 +7476,336 @@ interface(`files_list_pids',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_read_generic_pids',`
++interface(`files_delete_all_spool_sockets',`
+ 	gen_require(`
+-		type var_t, var_run_t;
++		attribute spoolfile;
+ 	')
+ 
+-	allow $1 var_run_t:lnk_file read_lnk_file_perms;
+-	list_dirs_pattern($1, var_t, var_run_t)
+-	read_files_pattern($1, var_run_t, var_run_t)
++	allow $1 spoolfile:sock_file delete_sock_file_perms;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Write named generic process ID pipes
++##	Relabel to and from all spool
++##	directory types.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
++## <rolecap/>
+ #
+-interface(`files_write_generic_pid_pipes',`
 +interface(`files_relabel_all_spool_dirs',`
-+	gen_require(`
+ 	gen_require(`
+-		type var_run_t;
 +		attribute spoolfile;
 +		type var_t;
-+	')
-+
+ 	')
+ 
+-	allow $1 var_run_t:lnk_file read_lnk_file_perms;
+-	allow $1 var_run_t:fifo_file write;
 +	relabel_dirs_pattern($1, spoolfile, spoolfile)
  ')
  
  ########################################
-@@ -6562,3 +7615,459 @@ interface(`files_unconfined',`
- 
- 	typeattribute $1 files_unconfined_type;
- ')
+ ## <summary>
+-##	Create an object in the process ID directory, with a private type.
++##	Search the contents of generic spool
++##	directories (/var/spool).
+ ## </summary>
+-## <desc>
+-##	<p>
+-##	Create an object in the process ID directory (e.g., /var/run)
+-##	with a private type.  Typically this is used for creating
+-##	private PID files in /var/run with the private type instead
+-##	of the general PID file type. To accomplish this goal,
+-##	either the program must be SELinux-aware, or use this interface.
+-##	</p>
+-##	<p>
+-##	Related interfaces:
+-##	</p>
+-##	<ul>
+-##		<li>files_pid_file()</li>
+-##	</ul>
+-##	<p>
+-##	Example usage with a domain that can create and
+-##	write its PID file with a private PID file type in the
+-##	/var/run directory:
+-##	</p>
+-##	<p>
+-##	type mypidfile_t;
+-##	files_pid_file(mypidfile_t)
+-##	allow mydomain_t mypidfile_t:file { create_file_perms write_file_perms };
+-##	files_pid_filetrans(mydomain_t, mypidfile_t, file)
+-##	</p>
+-## </desc>
+ ## <param name="domain">
+ ##	<summary>
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+-## <param name="private type">
++#
++interface(`files_search_spool',`
++	gen_require(`
++		type var_t, var_spool_t;
++	')
++
++	search_dirs_pattern($1, var_t, var_spool_t)
++')
++
++########################################
++## <summary>
++##	Do not audit attempts to search generic
++##	spool directories.
++## </summary>
++## <param name="domain">
+ ##	<summary>
+-##	The type of the object to be created.
++##	Domain to not audit.
+ ##	</summary>
+ ## </param>
+-## <param name="object">
++#
++interface(`files_dontaudit_search_spool',`
++	gen_require(`
++		type var_spool_t;
++	')
++
++	dontaudit $1 var_spool_t:dir search_dir_perms;
++')
++
++########################################
++## <summary>
++##	List the contents of generic spool
++##	(/var/spool) directories.
++## </summary>
++## <param name="domain">
+ ##	<summary>
+-##	The object class of the object being created.
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_list_spool',`
++	gen_require(`
++		type var_t, var_spool_t;
++	')
++
++	list_dirs_pattern($1, var_t, var_spool_t)
++')
++
++########################################
++## <summary>
++##	Create, read, write, and delete generic
++##	spool directories (/var/spool).
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_manage_generic_spool_dirs',`
++	gen_require(`
++		type var_t, var_spool_t;
++	')
++
++	allow $1 var_t:dir search_dir_perms;
++	manage_dirs_pattern($1, var_spool_t, var_spool_t)
++')
++
++########################################
++## <summary>
++##	Read generic spool files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_read_generic_spool',`
++	gen_require(`
++		type var_t, var_spool_t;
++	')
++
++	list_dirs_pattern($1, var_t, var_spool_t)
++	read_files_pattern($1, var_spool_t, var_spool_t)
++')
++
++########################################
++## <summary>
++##	Create, read, write, and delete generic
++##	spool files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_manage_generic_spool',`
++	gen_require(`
++		type var_t, var_spool_t;
++	')
++
++	allow $1 var_t:dir search_dir_perms;
++	manage_files_pattern($1, var_spool_t, var_spool_t)
++')
++
++########################################
++## <summary>
++##	Create objects in the spool directory
++##	with a private type with a type transition.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <param name="file">
++##	<summary>
++##	Type to which the created node will be transitioned.
++##	</summary>
++## </param>
++## <param name="class">
++##	<summary>
++##	Object class(es) (single or set including {}) for which this
++##	the transition will occur.
+ ##	</summary>
+ ## </param>
+ ## <param name="name" optional="true">
+ ##	<summary>
+-##	The name of the object being created.
++##	The name of the object being created.
++##	</summary>
++## </param>
++#
++interface(`files_spool_filetrans',`
++	gen_require(`
++		type var_t, var_spool_t;
++	')
++
++	allow $1 var_t:dir search_dir_perms;
++	filetrans_pattern($1, var_spool_t, $2, $3, $4)
++')
++
++########################################
++## <summary>
++##	Allow access to manage all polyinstantiated
++##	directories on the system.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_polyinstantiate_all',`
++	gen_require(`
++		attribute polydir, polymember, polyparent;
++		type poly_t;
++	')
++
++	# Need to give access to /selinux/member
++	selinux_compute_member($1)
++
++	# Need sys_admin capability for mounting
++	allow $1 self:capability { chown fsetid sys_admin fowner };
++
++	# Need to give access to the directories to be polyinstantiated
++	allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir };
++
++	# Need to give access to the polyinstantiated subdirectories
++	allow $1 polymember:dir search_dir_perms;
++
++	# Need to give access to parent directories where original
++	# is remounted for polyinstantiation aware programs (like gdm)
++	allow $1 polyparent:dir { getattr mounton };
++
++	# Need to give permission to create directories where applicable
++	allow $1 self:process setfscreate;
++	allow $1 polymember: dir { create setattr relabelto };
++	allow $1 polydir: dir { write add_name open };
++	allow $1 polyparent:dir { open read write remove_name add_name relabelfrom relabelto };
++
++	# Default type for mountpoints
++	allow $1 poly_t:dir { create mounton };
++	fs_unmount_xattr_fs($1)
++
++	fs_mount_tmpfs($1)
++	fs_unmount_tmpfs($1)
++
++	ifdef(`distro_redhat',`
++		# namespace.init
++		files_search_tmp($1)
++		files_search_home($1)
++		corecmd_exec_bin($1)
++		seutil_domtrans_setfiles($1)
++	')
++')
++
++########################################
++## <summary>
++##	Unconfined access to files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_unconfined',`
++	gen_require(`
++		attribute files_unconfined_type;
++	')
++
++	typeattribute $1 files_unconfined_type;
++')
 +
 +########################################
 +## <summary>
@@ -10233,28 +13015,37 @@ index 64ff4d7..8a9355a 100644
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
-+##	</summary>
-+## </param>
+ ##	</summary>
+ ## </param>
+-## <infoflow type="write" weight="10"/>
 +## <rolecap/>
-+#
+ #
+-interface(`files_pid_filetrans',`
 +interface(`files_manage_root_files',`
-+	gen_require(`
+ 	gen_require(`
+-		type var_t, var_run_t;
 +		type root_t;
-+	')
-+
+ 	')
+ 
+-	allow $1 var_t:dir search_dir_perms;
+-	allow $1 var_run_t:lnk_file read_lnk_file_perms;
+-	filetrans_pattern($1, var_run_t, $2, $3, $4)
 +	manage_files_pattern($1, root_t, root_t)
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-## 	Create a generic lock directory within the run directories
 +##     Create a default directory
-+## </summary>
+ ## </summary>
 +## <desc>
 +##     <p>
 +##     Create a default_t direcrory
 +##     </p>
 +## </desc>
-+## <param name="domain">
+ ## <param name="domain">
+-## 	<summary>
+-##	Domain allowed access
 +##     <summary>
 +##     Domain allowed access.
 +##     </summary>
@@ -10277,272 +13068,367 @@ index 64ff4d7..8a9355a 100644
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
-+##	</summary>
-+## </param>
+ ##	</summary>
+ ## </param>
+-## <param name="name" optional="true">
 +## <param name="object">
-+##	<summary>
+ ##	<summary>
+-##	The name of the object being created.
 +##	The class of the object being created.
-+##	</summary>
-+## </param>
-+#
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_pid_filetrans_lock_dir',`
+-	gen_require(`
+-		type var_lock_t;
+-	')
 +interface(`files_root_filetrans_default',`
 +       gen_require(`
 +               type root_t, default_t;
 +       ')
-+
+ 
+-	files_pid_filetrans($1, var_lock_t, dir, $2)
 +       filetrans_pattern($1, root_t, default_t, $2)
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Read and write generic process ID files.
 +##	manage generic symbolic links
 +##	in the /var/run directory.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -6159,20 +7813,18 @@ interface(`files_pid_filetrans_lock_dir',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_rw_generic_pids',`
 +interface(`files_manage_generic_pids_symlinks',`
-+	gen_require(`
+ 	gen_require(`
+-		type var_t, var_run_t;
 +		type var_run_t;
-+	')
-+
+ 	')
+ 
+-	allow $1 var_run_t:lnk_file read_lnk_file_perms;
+-	list_dirs_pattern($1, var_t, var_run_t)
+-	rw_files_pattern($1, var_run_t, var_run_t)
 +	manage_lnk_files_pattern($1,var_run_t,var_run_t)
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Do not audit attempts to get the attributes of
+-##	daemon runtime data files.
 +##	Do not audit attempts to getattr
 +##	all tmpfs files.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain to not audit.
-+##	</summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -6180,19 +7832,17 @@ interface(`files_rw_generic_pids',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_dontaudit_getattr_all_pids',`
 +interface(`files_dontaudit_getattr_tmpfs_files',`
-+	gen_require(`
+ 	gen_require(`
+-		attribute pidfile;
+-		type var_run_t;
 +		attribute tmpfsfile;
-+	')
-+
+ 	')
+ 
+-	dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
+-	dontaudit $1 pidfile:file getattr;
 +	allow $1 tmpfsfile:file getattr;
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Do not audit attempts to write to daemon runtime data files.
 +##	Allow read write all tmpfs files
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain to not audit.
-+##	</summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -6200,18 +7850,17 @@ interface(`files_dontaudit_getattr_all_pids',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_dontaudit_write_all_pids',`
 +interface(`files_rw_tmpfs_files',`
-+	gen_require(`
+ 	gen_require(`
+-		attribute pidfile;
 +		attribute tmpfsfile;
-+	')
-+
+ 	')
+ 
+-	dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
+-	dontaudit $1 pidfile:file write;
 +	allow $1 tmpfsfile:file { read write };
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Do not audit attempts to ioctl daemon runtime data files.
 +##	Do not audit attempts to read security files 
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain to not audit.
-+##	</summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -6219,41 +7868,43 @@ interface(`files_dontaudit_write_all_pids',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_dontaudit_ioctl_all_pids',`
 +interface(`files_dontaudit_read_security_files',`
-+	gen_require(`
+ 	gen_require(`
+-		attribute pidfile;
+-		type var_run_t;
 +		attribute security_file_type;
-+	')
-+
+ 	')
+ 
+-	dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
+-	dontaudit $1 pidfile:file ioctl;
 +	dontaudit $1 security_file_type:file read_file_perms;
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Read all process ID files.
 +##	rw any files inherited from another process
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+-## <rolecap/>
 +## <param name="object_type">
 +##  <summary>
 +##  Object type.
 +##  </summary>
 +## </param>
-+#
+ #
+-interface(`files_read_all_pids',`
 +interface(`files_rw_all_inherited_files',`
-+	gen_require(`
+ 	gen_require(`
+-		attribute pidfile;
+-		type var_t, var_run_t;
 +		attribute file_type;
-+	')
-+
+ 	')
+ 
+-	allow $1 var_run_t:lnk_file read_lnk_file_perms;
+-	list_dirs_pattern($1, var_t, pidfile)
+-	read_files_pattern($1, pidfile, pidfile)
 +	allow $1 { file_type $2 }:file rw_inherited_file_perms;
 +	allow $1 { file_type $2 }:fifo_file rw_inherited_fifo_file_perms;
 +	allow $1 { file_type $2 }:sock_file rw_inherited_sock_file_perms;
 +	allow $1 { file_type $2 }:chr_file rw_inherited_chr_file_perms;
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Delete all process IDs.
 +##	Allow any file point to be the entrypoint of this domain
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+## <rolecap/>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -6262,67 +7913,55 @@ interface(`files_read_all_pids',`
+ ## </param>
+ ## <rolecap/>
+ #
+-interface(`files_delete_all_pids',`
 +interface(`files_entrypoint_all_files',`
-+	gen_require(`
+ 	gen_require(`
+-		attribute pidfile;
+-		type var_t, var_run_t;
 +		attribute file_type;
-+	')
+ 	')
+-
+-	allow $1 var_t:dir search_dir_perms;
+-	allow $1 var_run_t:lnk_file read_lnk_file_perms;
+-	allow $1 var_run_t:dir rmdir;
+-	allow $1 var_run_t:lnk_file delete_lnk_file_perms;
+-	delete_files_pattern($1, pidfile, pidfile)
+-	delete_fifo_files_pattern($1, pidfile, pidfile)
+-	delete_sock_files_pattern($1, pidfile, { pidfile var_run_t })
 +	allow $1 file_type:file entrypoint;
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Delete all process ID directories.
 +##	Do not audit attempts to rw inherited file perms
 +##	of non security files.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain allowed access.
 +##	Domain to not audit.
-+##	</summary>
-+## </param>
-+#
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_delete_all_pid_dirs',`
 +interface(`files_dontaudit_all_non_security_leaks',`
-+	gen_require(`
+ 	gen_require(`
+-		attribute pidfile;
+-		type var_t, var_run_t;
 +		attribute non_security_file_type;
-+	')
-+
+ 	')
+ 
+-	allow $1 var_t:dir search_dir_perms;
+-	allow $1 var_run_t:lnk_file read_lnk_file_perms;
+-	delete_dirs_pattern($1, pidfile, pidfile)
 +	dontaudit $1 non_security_file_type:file_class_set rw_inherited_file_perms;
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Create, read, write and delete all
+-##	var_run (pid) content
 +##	Do not audit attempts to read or write
 +##	all leaked files.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain alloed access.
 +##	Domain to not audit.
-+##	</summary>
-+## </param>
-+#
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_manage_all_pids',`
 +interface(`files_dontaudit_leaks',`
-+	gen_require(`
+ 	gen_require(`
+-		attribute pidfile;
 +		attribute file_type;
-+	')
-+
+ 	')
+ 
+-	manage_dirs_pattern($1, pidfile, pidfile)
+-	manage_files_pattern($1, pidfile, pidfile)
+-	manage_lnk_files_pattern($1, pidfile, pidfile)
 +	dontaudit $1 file_type:file rw_inherited_file_perms;
 +	dontaudit $1 file_type:lnk_file { read };
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Mount filesystems on all polyinstantiation
+-##	member directories.
 +##	Allow domain to create_file_ass all types
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -6330,37 +7969,37 @@ interface(`files_manage_all_pids',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_mounton_all_poly_members',`
 +interface(`files_create_as_is_all_files',`
-+	gen_require(`
+ 	gen_require(`
+-		attribute polymember;
 +		attribute file_type;
 +		class kernel_service create_files_as;
-+	')
-+
+ 	')
+ 
+-	allow $1 polymember:dir mounton;
 +	allow $1 file_type:kernel_service create_files_as;
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Search the contents of generic spool
+-##	directories (/var/spool).
 +##	Do not audit attempts to check the 
 +##	access on all files
-+## </summary>
-+## <param name="domain">
-+##	<summary>
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain allowed access.
 +##	Domain to not audit.
-+##	</summary>
-+## </param>
-+#
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_search_spool',`
 +interface(`files_dontaudit_all_access_check',`
-+	gen_require(`
+ 	gen_require(`
+-		type var_t, var_spool_t;
 +		attribute file_type;
-+	')
-+
+ 	')
+ 
+-	search_dirs_pattern($1, var_t, var_spool_t)
 +	dontaudit $1 file_type:dir_file_class_set audit_access;
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Do not audit attempts to search generic
+-##	spool directories.
 +##	Do not audit attempts to write to all files
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain to not audit.
-+##	</summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -6368,186 +8007,169 @@ interface(`files_search_spool',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_dontaudit_search_spool',`
 +interface(`files_dontaudit_write_all_files',`
-+	gen_require(`
+ 	gen_require(`
+-		type var_spool_t;
 +		attribute file_type;
-+	')
-+
+ 	')
+ 
+-	dontaudit $1 var_spool_t:dir search_dir_perms;
 +	dontaudit $1 file_type:dir_file_class_set write;
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	List the contents of generic spool
+-##	(/var/spool) directories.
 +##	Allow domain to delete to all files
-+## </summary>
-+## <param name="domain">
-+##	<summary>
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain allowed access.
 +##	Domain to not audit.
-+##	</summary>
-+## </param>
-+#
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_list_spool',`
 +interface(`files_delete_all_non_security_files',`
-+	gen_require(`
+ 	gen_require(`
+-		type var_t, var_spool_t;
 +		attribute non_security_file_type;
-+	')
-+
+ 	')
+ 
+-	list_dirs_pattern($1, var_t, var_spool_t)
 +	allow $1 non_security_file_type:dir del_entry_dir_perms;
 +	allow $1 non_security_file_type:file_class_set delete_file_perms;
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Create, read, write, and delete generic
+-##	spool directories (/var/spool).
 +##	Transition named content in the var_run_t directory
-+## </summary>
-+## <param name="domain">
-+##	<summary>
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain allowed access.
 +##      Domain allowed access.
-+##	</summary>
-+## </param>
-+#
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_manage_generic_spool_dirs',`
 +interface(`files_filetrans_named_content',`
-+	gen_require(`
+ 	gen_require(`
+-		type var_t, var_spool_t;
 +		type mnt_t;
 +		type usr_t;
 +		type var_t;
 +		type tmp_t;
-+	')
-+
+ 	')
+ 
+-	allow $1 var_t:dir search_dir_perms;
+-	manage_dirs_pattern($1, var_spool_t, var_spool_t)
 +	files_pid_filetrans($1, mnt_t, dir, "media")
 +	files_root_filetrans($1, etc_runtime_t, file, ".readahead")
 +	files_root_filetrans($1, etc_runtime_t, file, ".autorelabel")
@@ -10564,13 +13450,15 @@ index 64ff4d7..8a9355a 100644
 +	files_etc_filetrans_etc_runtime($1, file, "hwconf")
 +	files_etc_filetrans_etc_runtime($1, file, "iptables.save")
 +	files_tmp_filetrans($1, tmp_t, dir, "tmp-inst")
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Read generic spool files.
 +##	Make the specified type a
 +##	base file.
-+## </summary>
+ ## </summary>
+-## <param name="domain">
 +## <desc>
 +##	<p>
 +##	Identify file type as base file type.  Tools will use this attribute,
@@ -10578,103 +13466,185 @@ index 64ff4d7..8a9355a 100644
 +##	</p>
 +## </desc>
 +## <param name="file_type">
-+##	<summary>
+ ##	<summary>
+-##	Domain allowed access.
 +##	Type to be used as a base files.
-+##	</summary>
-+## </param>
+ ##	</summary>
+ ## </param>
 +## <infoflow type="none"/>
-+#
+ #
+-interface(`files_read_generic_spool',`
 +interface(`files_base_file',`
-+	gen_require(`
+ 	gen_require(`
+-		type var_t, var_spool_t;
 +		attribute base_file_type;
-+	')
+ 	')
+-
+-	list_dirs_pattern($1, var_t, var_spool_t)
+-	read_files_pattern($1, var_spool_t, var_spool_t)
 +	files_type($1)
 +	typeattribute $1 base_file_type;
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Create, read, write, and delete generic
+-##	spool files.
 +##	Make the specified type a
 +##	base read only file.
-+## </summary>
+ ## </summary>
+-## <param name="domain">
 +## <desc>
 +##	<p>
 +##	Make the specified type readable for all domains.
 +##	</p>
 +## </desc>
 +## <param name="file_type">
-+##	<summary>
+ ##	<summary>
+-##	Domain allowed access.
 +##	Type to be used as a base read only files.
-+##	</summary>
-+## </param>
+ ##	</summary>
+ ## </param>
 +## <infoflow type="none"/>
-+#
+ #
+-interface(`files_manage_generic_spool',`
 +interface(`files_ro_base_file',`
-+	gen_require(`
+ 	gen_require(`
+-		type var_t, var_spool_t;
 +		attribute base_ro_file_type;
-+	')
+ 	')
+-
+-	allow $1 var_t:dir search_dir_perms;
+-	manage_files_pattern($1, var_spool_t, var_spool_t)
 +	files_base_file($1)
 +	typeattribute $1 base_ro_file_type;
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Create objects in the spool directory
+-##	with a private type with a type transition.
 +##	Read all ro base files.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+-## <param name="file">
+-##	<summary>
+-##	Type to which the created node will be transitioned.
+-##	</summary>
+-## </param>
+-## <param name="class">
+-##	<summary>
+-##	Object class(es) (single or set including {}) for which this
+-##	the transition will occur.
+-##	</summary>
+-## </param>
+-## <param name="name" optional="true">
+-##	<summary>
+-##	The name of the object being created.
+-##	</summary>
+-## </param>
 +## <rolecap/>
-+#
+ #
+-interface(`files_spool_filetrans',`
 +interface(`files_read_all_base_ro_files',`
-+	gen_require(`
+ 	gen_require(`
+-		type var_t, var_spool_t;
 +		attribute base_ro_file_type;
-+	')
-+
+ 	')
+ 
+-	allow $1 var_t:dir search_dir_perms;
+-	filetrans_pattern($1, var_spool_t, $2, $3, $4)
 +	list_dirs_pattern($1, base_ro_file_type, base_ro_file_type)
 +	read_files_pattern($1, base_ro_file_type, base_ro_file_type)
 +	read_lnk_files_pattern($1, base_ro_file_type, base_ro_file_type)
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Allow access to manage all polyinstantiated
+-##	directories on the system.
 +##	Execute all base ro files.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
 +## <rolecap/>
-+#
+ #
+-interface(`files_polyinstantiate_all',`
 +interface(`files_exec_all_base_ro_files',`
-+	gen_require(`
+ 	gen_require(`
+-		attribute polydir, polymember, polyparent;
+-		type poly_t;
 +		attribute base_ro_file_type;
-+	')
-+
+ 	')
+ 
+-	# Need to give access to /selinux/member
+-	selinux_compute_member($1)
+-
+-	# Need sys_admin capability for mounting
+-	allow $1 self:capability { chown fsetid sys_admin fowner };
+-
+-	# Need to give access to the directories to be polyinstantiated
+-	allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir };
+-
+-	# Need to give access to the polyinstantiated subdirectories
+-	allow $1 polymember:dir search_dir_perms;
+-
+-	# Need to give access to parent directories where original
+-	# is remounted for polyinstantiation aware programs (like gdm)
+-	allow $1 polyparent:dir { getattr mounton };
+-
+-	# Need to give permission to create directories where applicable
+-	allow $1 self:process setfscreate;
+-	allow $1 polymember: dir { create setattr relabelto };
+-	allow $1 polydir: dir { write add_name open };
+-	allow $1 polyparent:dir { open read write remove_name add_name relabelfrom relabelto };
+-
+-	# Default type for mountpoints
+-	allow $1 poly_t:dir { create mounton };
+-	fs_unmount_xattr_fs($1)
+-
+-	fs_mount_tmpfs($1)
+-	fs_unmount_tmpfs($1)
+-
+-	ifdef(`distro_redhat',`
+-		# namespace.init
+-		files_search_tmp($1)
+-		files_search_home($1)
+-		corecmd_exec_bin($1)
+-		seutil_domtrans_setfiles($1)
+-	')
 +	can_exec($1, base_ro_file_type)
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Unconfined access to files.
 +##	Allow the specified domain to modify the systemd configuration of 
 +##	any file.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -6555,10 +8177,11 @@ interface(`files_polyinstantiate_all',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_unconfined',`
 +interface(`files_config_all_files',`
-+	gen_require(`
+ 	gen_require(`
+-		attribute files_unconfined_type;
 +		attribute file_type;
-+	')
-+
+ 	')
+ 
+-	typeattribute $1 files_unconfined_type;
 +	allow $1 file_type:service all_service_perms;
-+')
+ ')
 +
 diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
 index 148d87a..822f6be 100644
@@ -12180,7 +15150,7 @@ index 8416beb..60b2ce1 100644
 +	fs_tmpfs_filetrans($1, cgroup_t, lnk_file, "cpuacct")
 +')
 diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
-index 9e603f5..3c5f139 100644
+index 9e603f5..97dbeb4 100644
 --- a/policy/modules/kernel/filesystem.te
 +++ b/policy/modules/kernel/filesystem.te
 @@ -33,6 +33,7 @@ fs_use_xattr jffs2 gen_context(system_u:object_r:fs_t,s0);
@@ -12228,7 +15198,18 @@ index 9e603f5..3c5f139 100644
  
  type ibmasmfs_t;
  fs_type(ibmasmfs_t)
-@@ -145,11 +153,6 @@ fs_type(spufs_t)
+@@ -125,6 +133,10 @@ type oprofilefs_t;
+ fs_type(oprofilefs_t)
+ genfscon oprofilefs / gen_context(system_u:object_r:oprofilefs_t,s0)
+ 
++type pstorefs_t;
++fs_type(pstorefs_t)
++genfscon pstore / gen_context(system_u:object_r:pstorefs_t,s0)
++
+ type ramfs_t;
+ fs_type(ramfs_t)
+ files_mountpoint(ramfs_t)
+@@ -145,11 +157,6 @@ fs_type(spufs_t)
  genfscon spufs / gen_context(system_u:object_r:spufs_t,s0)
  files_mountpoint(spufs_t)
  
@@ -12240,7 +15221,7 @@ index 9e603f5..3c5f139 100644
  type sysv_t;
  fs_noxattr_type(sysv_t)
  files_mountpoint(sysv_t)
-@@ -167,6 +170,8 @@ type vxfs_t;
+@@ -167,6 +174,8 @@ type vxfs_t;
  fs_noxattr_type(vxfs_t)
  files_mountpoint(vxfs_t)
  genfscon vxfs / gen_context(system_u:object_r:vxfs_t,s0)
@@ -12249,7 +15230,7 @@ index 9e603f5..3c5f139 100644
  
  #
  # tmpfs_t is the type for tmpfs filesystems
-@@ -176,6 +181,8 @@ fs_type(tmpfs_t)
+@@ -176,6 +185,8 @@ fs_type(tmpfs_t)
  files_type(tmpfs_t)
  files_mountpoint(tmpfs_t)
  files_poly_parent(tmpfs_t)
@@ -12258,7 +15239,7 @@ index 9e603f5..3c5f139 100644
  
  # Use a transition SID based on the allocating task SID and the
  # filesystem SID to label inodes in the following filesystem types,
-@@ -255,6 +262,8 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0)
+@@ -255,6 +266,8 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0)
  type removable_t;
  allow removable_t noxattrfs:filesystem associate;
  fs_noxattr_type(removable_t)
@@ -12267,7 +15248,7 @@ index 9e603f5..3c5f139 100644
  files_mountpoint(removable_t)
  
  #
-@@ -274,6 +283,7 @@ genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0)
+@@ -274,6 +287,7 @@ genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0)
  genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0)
  genfscon panfs / gen_context(system_u:object_r:nfs_t,s0)
  genfscon gadgetfs / gen_context(system_u:object_r:nfs_t,s0)
@@ -15364,10 +18345,10 @@ index ff92430..36740ea 100644
  ## <summary>
  ##	Execute a generic bin program in the sysadm domain.
 diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
-index 88d0028..8c061b9 100644
+index 88d0028..83e6404 100644
 --- a/policy/modules/roles/sysadm.te
 +++ b/policy/modules/roles/sysadm.te
-@@ -5,39 +5,74 @@ policy_module(sysadm, 2.5.1)
+@@ -5,39 +5,78 @@ policy_module(sysadm, 2.5.1)
  # Declarations
  #
  
@@ -15444,6 +18425,10 @@ index 88d0028..8c061b9 100644
 +userdom_exec_admin_home_files(sysadm_t)
 +
 +optional_policy(`
++	abrt_filetrans_named_content(sysadm_t)
++')
++
++optional_policy(`
 +	alsa_filetrans_named_content(sysadm_t)
 +')
 +
@@ -15453,7 +18438,7 @@ index 88d0028..8c061b9 100644
  
  ifdef(`direct_sysadm_daemon',`
  	optional_policy(`
-@@ -55,13 +90,7 @@ ifdef(`distro_gentoo',`
+@@ -55,13 +94,7 @@ ifdef(`distro_gentoo',`
  	init_exec_rc(sysadm_t)
  ')
  
@@ -15468,7 +18453,7 @@ index 88d0028..8c061b9 100644
  	domain_ptrace_all_domains(sysadm_t)
  ')
  
-@@ -71,9 +100,9 @@ optional_policy(`
+@@ -71,9 +104,9 @@ optional_policy(`
  
  optional_policy(`
  	apache_run_helper(sysadm_t, sysadm_r)
@@ -15479,7 +18464,7 @@ index 88d0028..8c061b9 100644
  ')
  
  optional_policy(`
-@@ -87,6 +116,7 @@ optional_policy(`
+@@ -87,6 +120,7 @@ optional_policy(`
  
  optional_policy(`
  	asterisk_stream_connect(sysadm_t)
@@ -15487,7 +18472,7 @@ index 88d0028..8c061b9 100644
  ')
  
  optional_policy(`
-@@ -110,6 +140,10 @@ optional_policy(`
+@@ -110,6 +144,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -15498,7 +18483,7 @@ index 88d0028..8c061b9 100644
  	certwatch_run(sysadm_t, sysadm_r)
  ')
  
-@@ -122,11 +156,19 @@ optional_policy(`
+@@ -122,11 +160,19 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -15520,7 +18505,7 @@ index 88d0028..8c061b9 100644
  ')
  
  optional_policy(`
-@@ -140,6 +182,10 @@ optional_policy(`
+@@ -140,6 +186,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -15531,7 +18516,7 @@ index 88d0028..8c061b9 100644
  	dmesg_exec(sysadm_t)
  ')
  
-@@ -156,11 +202,11 @@ optional_policy(`
+@@ -156,11 +206,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -15545,7 +18530,7 @@ index 88d0028..8c061b9 100644
  ')
  
  optional_policy(`
-@@ -179,6 +225,13 @@ optional_policy(`
+@@ -179,6 +229,13 @@ optional_policy(`
  	ipsec_stream_connect(sysadm_t)
  	# for lsof
  	ipsec_getattr_key_sockets(sysadm_t)
@@ -15559,7 +18544,7 @@ index 88d0028..8c061b9 100644
  ')
  
  optional_policy(`
-@@ -186,15 +239,20 @@ optional_policy(`
+@@ -186,15 +243,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -15571,19 +18556,19 @@ index 88d0028..8c061b9 100644
 -	libs_run_ldconfig(sysadm_t, sysadm_r)
 +	kerberos_exec_kadmind(sysadm_t)
 +	kerberos_filetrans_named_content(sysadm_t)
-+')
-+
-+optional_policy(`
-+	kudzu_run(sysadm_t, sysadm_r)
  ')
  
  optional_policy(`
 -	lockdev_role(sysadm_r, sysadm_t)
++	kudzu_run(sysadm_t, sysadm_r)
++')
++
++optional_policy(`
 +	libs_run_ldconfig(sysadm_t, sysadm_r)
  ')
  
  optional_policy(`
-@@ -214,22 +272,20 @@ optional_policy(`
+@@ -214,22 +276,20 @@ optional_policy(`
  	modutils_run_depmod(sysadm_t, sysadm_r)
  	modutils_run_insmod(sysadm_t, sysadm_r)
  	modutils_run_update_mods(sysadm_t, sysadm_r)
@@ -15612,7 +18597,7 @@ index 88d0028..8c061b9 100644
  ')
  
  optional_policy(`
-@@ -241,14 +297,27 @@ optional_policy(`
+@@ -241,14 +301,27 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -15640,7 +18625,7 @@ index 88d0028..8c061b9 100644
  ')
  
  optional_policy(`
-@@ -256,10 +325,20 @@ optional_policy(`
+@@ -256,10 +329,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -15661,7 +18646,7 @@ index 88d0028..8c061b9 100644
  	portage_run(sysadm_t, sysadm_r)
  	portage_run_fetch(sysadm_t, sysadm_r)
  	portage_run_gcc_config(sysadm_t, sysadm_r)
-@@ -270,31 +349,36 @@ optional_policy(`
+@@ -270,31 +353,36 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -15705,7 +18690,7 @@ index 88d0028..8c061b9 100644
  ')
  
  optional_policy(`
-@@ -319,12 +403,18 @@ optional_policy(`
+@@ -319,12 +407,18 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -15725,7 +18710,7 @@ index 88d0028..8c061b9 100644
  ')
  
  optional_policy(`
-@@ -349,7 +439,18 @@ optional_policy(`
+@@ -349,7 +443,18 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -15745,7 +18730,7 @@ index 88d0028..8c061b9 100644
  ')
  
  optional_policy(`
-@@ -360,19 +461,15 @@ optional_policy(`
+@@ -360,19 +465,15 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -15767,7 +18752,7 @@ index 88d0028..8c061b9 100644
  ')
  
  optional_policy(`
-@@ -384,10 +481,6 @@ optional_policy(`
+@@ -384,10 +485,6 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -15778,7 +18763,7 @@ index 88d0028..8c061b9 100644
  	usermanage_run_admin_passwd(sysadm_t, sysadm_r)
  	usermanage_run_groupadd(sysadm_t, sysadm_r)
  	usermanage_run_useradd(sysadm_t, sysadm_r)
-@@ -395,6 +488,9 @@ optional_policy(`
+@@ -395,6 +492,9 @@ optional_policy(`
  
  optional_policy(`
  	virt_stream_connect(sysadm_t)
@@ -15788,7 +18773,7 @@ index 88d0028..8c061b9 100644
  ')
  
  optional_policy(`
-@@ -402,31 +498,34 @@ optional_policy(`
+@@ -402,31 +502,34 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -15829,7 +18814,7 @@ index 88d0028..8c061b9 100644
  		auth_role(sysadm_r, sysadm_t)
  	')
  
-@@ -439,10 +538,6 @@ ifndef(`distro_redhat',`
+@@ -439,10 +542,6 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -15840,7 +18825,7 @@ index 88d0028..8c061b9 100644
  		dbus_role_template(sysadm, sysadm_r, sysadm_t)
  
  		optional_policy(`
-@@ -463,15 +558,75 @@ ifndef(`distro_redhat',`
+@@ -463,15 +562,75 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -18912,7 +21897,7 @@ index 5fc0391..3540387 100644
 +	xserver_rw_xdm_pipes(ssh_agent_type)
 +')
 diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
-index d1f64a0..146340a 100644
+index d1f64a0..3be3d00 100644
 --- a/policy/modules/services/xserver.fc
 +++ b/policy/modules/services/xserver.fc
 @@ -2,13 +2,35 @@
@@ -18951,10 +21936,11 @@ index d1f64a0..146340a 100644
  
  #
  # /dev
-@@ -22,13 +44,20 @@ HOME_DIR/\.Xauthority.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
+@@ -22,13 +44,21 @@ HOME_DIR/\.Xauthority.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
  /etc/gdm(3)?/PreSession/.*	--	gen_context(system_u:object_r:xsession_exec_t,s0)
  /etc/gdm(3)?/Xsession	--	gen_context(system_u:object_r:xsession_exec_t,s0)
  
++/etc/X11/xorg\.conf\.d(/.*)?	gen_context(system_u:object_r:xserver_etc_t,s0)
 +/etc/[mg]dm(/.*)?		  	gen_context(system_u:object_r:xdm_etc_t,s0)
 +/etc/[mg]dm/Init(/.*)?	  	gen_context(system_u:object_r:xdm_unconfined_exec_t,s0)
 +/etc/[mg]dm/PostLogin(/.*)?  	gen_context(system_u:object_r:xdm_unconfined_exec_t,s0)
@@ -18973,7 +21959,7 @@ index d1f64a0..146340a 100644
  /etc/X11/[wx]dm/Xreset.* --	gen_context(system_u:object_r:xsession_exec_t,s0)
  /etc/X11/[wxg]dm/Xsession --	gen_context(system_u:object_r:xsession_exec_t,s0)
  /etc/X11/wdm(/.*)?		gen_context(system_u:object_r:xdm_rw_etc_t,s0)
-@@ -46,26 +75,31 @@ HOME_DIR/\.Xauthority.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
+@@ -46,26 +76,31 @@ HOME_DIR/\.Xauthority.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
  # /tmp
  #
  
@@ -19011,7 +21997,7 @@ index d1f64a0..146340a 100644
  
  /usr/lib/qt-.*/etc/settings(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
  
-@@ -92,25 +126,49 @@ ifndef(`distro_debian',`
+@@ -92,25 +127,49 @@ ifndef(`distro_debian',`
  
  /var/lib/gdm(3)?(/.*)?		gen_context(system_u:object_r:xdm_var_lib_t,s0)
  /var/lib/lxdm(/.*)?		gen_context(system_u:object_r:xdm_var_lib_t,s0)
@@ -19067,7 +22053,7 @@ index d1f64a0..146340a 100644
 +/var/lib/pqsql/\.Xauthority.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
 +
 diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
-index 6bf0ecc..8a8ed32 100644
+index 6bf0ecc..d4ed029 100644
 --- a/policy/modules/services/xserver.if
 +++ b/policy/modules/services/xserver.if
 @@ -19,9 +19,10 @@
@@ -19315,7 +22301,7 @@ index 6bf0ecc..8a8ed32 100644
  	')
  
  	allow $2 self:shm create_shm_perms;
-@@ -456,11 +495,24 @@ template(`xserver_user_x_domain_template',`
+@@ -456,11 +495,34 @@ template(`xserver_user_x_domain_template',`
  	allow $2 xauth_home_t:file read_file_perms;
  	allow $2 iceauth_home_t:file read_file_perms;
  
@@ -19328,6 +22314,16 @@ index 6bf0ecc..8a8ed32 100644
 +	userdom_user_home_dir_filetrans($2, xauth_home_t, file, ".Xauthority-c")
 +	userdom_user_home_dir_filetrans($2, xauth_home_t, file, ".xauth")
 +	userdom_user_home_dir_filetrans($2, xdm_home_t, file, ".xsession-errors")
++	userdom_user_home_dir_filetrans($2, xdm_home_t, file, ".xsession-errors-:0")
++	userdom_user_home_dir_filetrans($2, xdm_home_t, file, ".xsession-errors-:1")
++	userdom_user_home_dir_filetrans($2, xdm_home_t, file, ".xsession-errors-:2")
++	userdom_user_home_dir_filetrans($2, xdm_home_t, file, ".xsession-errors-:3")
++	userdom_user_home_dir_filetrans($2, xdm_home_t, file, ".xsession-errors-:4")
++	userdom_user_home_dir_filetrans($2, xdm_home_t, file, ".xsession-errors-:5")
++	userdom_user_home_dir_filetrans($2, xdm_home_t, file, ".xsession-errors-:6")
++	userdom_user_home_dir_filetrans($2, xdm_home_t, file, ".xsession-errors-:7")
++	userdom_user_home_dir_filetrans($2, xdm_home_t, file, ".xsession-errors-:8")
++	userdom_user_home_dir_filetrans($2, xdm_home_t, file, ".xsession-errors-:9")
 +	userdom_user_home_dir_filetrans($2, xdm_home_t, file, ".xsession-errors-stamped")
 +	userdom_user_home_dir_filetrans($2, xdm_home_t, file, ".xsession-errors-stamped.old")
 +	userdom_user_home_dir_filetrans($2, xdm_home_t, file, ".dmrc")
@@ -19342,7 +22338,7 @@ index 6bf0ecc..8a8ed32 100644
  	dontaudit $2 xdm_t:tcp_socket { read write };
  
  	# Allow connections to X server.
-@@ -472,20 +524,26 @@ template(`xserver_user_x_domain_template',`
+@@ -472,20 +534,26 @@ template(`xserver_user_x_domain_template',`
  	# for .xsession-errors
  	userdom_dontaudit_write_user_home_content_files($2)
  
@@ -19372,7 +22368,7 @@ index 6bf0ecc..8a8ed32 100644
  ')
  
  ########################################
-@@ -517,6 +575,7 @@ interface(`xserver_use_user_fonts',`
+@@ -517,6 +585,7 @@ interface(`xserver_use_user_fonts',`
  	# Read per user fonts
  	allow $1 user_fonts_t:dir list_dir_perms;
  	allow $1 user_fonts_t:file read_file_perms;
@@ -19380,7 +22376,7 @@ index 6bf0ecc..8a8ed32 100644
  
  	# Manipulate the global font cache
  	manage_dirs_pattern($1, user_fonts_cache_t, user_fonts_cache_t)
-@@ -547,6 +606,42 @@ interface(`xserver_domtrans_xauth',`
+@@ -547,6 +616,42 @@ interface(`xserver_domtrans_xauth',`
  	domtrans_pattern($1, xauth_exec_t, xauth_t)
  ')
  
@@ -19423,7 +22419,7 @@ index 6bf0ecc..8a8ed32 100644
  ########################################
  ## <summary>
  ##	Create a Xauthority file in the user home directory.
-@@ -598,6 +693,7 @@ interface(`xserver_read_user_xauth',`
+@@ -598,6 +703,7 @@ interface(`xserver_read_user_xauth',`
  
  	allow $1 xauth_home_t:file read_file_perms;
  	userdom_search_user_home_dirs($1)
@@ -19431,7 +22427,7 @@ index 6bf0ecc..8a8ed32 100644
  ')
  
  ########################################
-@@ -615,7 +711,7 @@ interface(`xserver_setattr_console_pipes',`
+@@ -615,7 +721,7 @@ interface(`xserver_setattr_console_pipes',`
  		type xconsole_device_t;
  	')
  
@@ -19440,7 +22436,7 @@ index 6bf0ecc..8a8ed32 100644
  ')
  
  ########################################
-@@ -638,6 +734,25 @@ interface(`xserver_rw_console',`
+@@ -638,6 +744,25 @@ interface(`xserver_rw_console',`
  
  ########################################
  ## <summary>
@@ -19466,7 +22462,7 @@ index 6bf0ecc..8a8ed32 100644
  ##	Use file descriptors for xdm.
  ## </summary>
  ## <param name="domain">
-@@ -651,7 +766,7 @@ interface(`xserver_use_xdm_fds',`
+@@ -651,7 +776,7 @@ interface(`xserver_use_xdm_fds',`
  		type xdm_t;
  	')
  
@@ -19475,7 +22471,7 @@ index 6bf0ecc..8a8ed32 100644
  ')
  
  ########################################
-@@ -670,7 +785,7 @@ interface(`xserver_dontaudit_use_xdm_fds',`
+@@ -670,7 +795,7 @@ interface(`xserver_dontaudit_use_xdm_fds',`
  		type xdm_t;
  	')
  
@@ -19484,7 +22480,7 @@ index 6bf0ecc..8a8ed32 100644
  ')
  
  ########################################
-@@ -688,7 +803,7 @@ interface(`xserver_rw_xdm_pipes',`
+@@ -688,7 +813,7 @@ interface(`xserver_rw_xdm_pipes',`
  		type xdm_t;
  	')
  
@@ -19493,7 +22489,7 @@ index 6bf0ecc..8a8ed32 100644
  ')
  
  ########################################
-@@ -703,12 +818,11 @@ interface(`xserver_rw_xdm_pipes',`
+@@ -703,12 +828,11 @@ interface(`xserver_rw_xdm_pipes',`
  ## </param>
  #
  interface(`xserver_dontaudit_rw_xdm_pipes',`
@@ -19507,7 +22503,7 @@ index 6bf0ecc..8a8ed32 100644
  ')
  
  ########################################
-@@ -765,11 +879,31 @@ interface(`xserver_manage_xdm_spool_files',`
+@@ -765,11 +889,71 @@ interface(`xserver_manage_xdm_spool_files',`
  #
  interface(`xserver_stream_connect_xdm',`
  	gen_require(`
@@ -19538,10 +22534,50 @@ index 6bf0ecc..8a8ed32 100644
 +
 +	userdom_search_user_home_dirs($1)
 +	allow $1 xdm_home_t:file read_file_perms;
++')
++
++########################################
++## <summary>
++##	Read xserver configuration files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`xserver_read_config',`
++	gen_require(`
++		type xserver_etc_t;
++	')
++
++	files_search_etc($1)
++	read_files_pattern($1, xserver_etc_t, xserver_etc_t)
++	read_lnk_files_pattern($1, xserver_etc_t, xserver_etc_t)
++')
++
++########################################
++## <summary>
++##	Manage xserver configuration files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`xserver_manage_config',`
++	gen_require(`
++		type xserver_etc_t;
++	')
++
++	files_search_etc($1)
++	manage_files_pattern($1, xserver_etc_t, xserver_etc_t)
++	manage_lnk_files_pattern($1, xserver_etc_t, xserver_etc_t)
  ')
  
  ########################################
-@@ -793,6 +927,25 @@ interface(`xserver_read_xdm_rw_config',`
+@@ -793,6 +977,25 @@ interface(`xserver_read_xdm_rw_config',`
  
  ########################################
  ## <summary>
@@ -19567,7 +22603,7 @@ index 6bf0ecc..8a8ed32 100644
  ##	Set the attributes of XDM temporary directories.
  ## </summary>
  ## <param name="domain">
-@@ -806,7 +959,25 @@ interface(`xserver_setattr_xdm_tmp_dirs',`
+@@ -806,7 +1009,25 @@ interface(`xserver_setattr_xdm_tmp_dirs',`
  		type xdm_tmp_t;
  	')
  
@@ -19594,7 +22630,7 @@ index 6bf0ecc..8a8ed32 100644
  ')
  
  ########################################
-@@ -846,7 +1017,26 @@ interface(`xserver_read_xdm_pid',`
+@@ -846,7 +1067,26 @@ interface(`xserver_read_xdm_pid',`
  	')
  
  	files_search_pids($1)
@@ -19622,7 +22658,7 @@ index 6bf0ecc..8a8ed32 100644
  ')
  
  ########################################
-@@ -869,6 +1059,24 @@ interface(`xserver_read_xdm_lib_files',`
+@@ -869,6 +1109,24 @@ interface(`xserver_read_xdm_lib_files',`
  
  ########################################
  ## <summary>
@@ -19647,7 +22683,7 @@ index 6bf0ecc..8a8ed32 100644
  ##	Make an X session script an entrypoint for the specified domain.
  ## </summary>
  ## <param name="domain">
-@@ -938,7 +1146,26 @@ interface(`xserver_getattr_log',`
+@@ -938,7 +1196,26 @@ interface(`xserver_getattr_log',`
  	')
  
  	logging_search_logs($1)
@@ -19675,7 +22711,7 @@ index 6bf0ecc..8a8ed32 100644
  ')
  
  ########################################
-@@ -957,7 +1184,7 @@ interface(`xserver_dontaudit_write_log',`
+@@ -957,7 +1234,7 @@ interface(`xserver_dontaudit_write_log',`
  		type xserver_log_t;
  	')
  
@@ -19684,7 +22720,7 @@ index 6bf0ecc..8a8ed32 100644
  ')
  
  ########################################
-@@ -1004,6 +1231,45 @@ interface(`xserver_read_xkb_libs',`
+@@ -1004,6 +1281,45 @@ interface(`xserver_read_xkb_libs',`
  
  ########################################
  ## <summary>
@@ -19730,7 +22766,7 @@ index 6bf0ecc..8a8ed32 100644
  ##	Read xdm temporary files.
  ## </summary>
  ## <param name="domain">
-@@ -1017,7 +1283,7 @@ interface(`xserver_read_xdm_tmp_files',`
+@@ -1017,7 +1333,7 @@ interface(`xserver_read_xdm_tmp_files',`
  		type xdm_tmp_t;
  	')
  
@@ -19739,7 +22775,7 @@ index 6bf0ecc..8a8ed32 100644
  	read_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
  ')
  
-@@ -1079,6 +1345,42 @@ interface(`xserver_manage_xdm_tmp_files',`
+@@ -1079,6 +1395,42 @@ interface(`xserver_manage_xdm_tmp_files',`
  
  ########################################
  ## <summary>
@@ -19782,7 +22818,7 @@ index 6bf0ecc..8a8ed32 100644
  ##	Do not audit attempts to get the attributes of
  ##	xdm temporary named sockets.
  ## </summary>
-@@ -1093,7 +1395,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
+@@ -1093,7 +1445,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
  		type xdm_tmp_t;
  	')
  
@@ -19791,7 +22827,7 @@ index 6bf0ecc..8a8ed32 100644
  ')
  
  ########################################
-@@ -1111,8 +1413,10 @@ interface(`xserver_domtrans',`
+@@ -1111,8 +1463,10 @@ interface(`xserver_domtrans',`
  		type xserver_t, xserver_exec_t;
  	')
  
@@ -19803,7 +22839,7 @@ index 6bf0ecc..8a8ed32 100644
  ')
  
  ########################################
-@@ -1226,6 +1530,26 @@ interface(`xserver_stream_connect',`
+@@ -1226,6 +1580,26 @@ interface(`xserver_stream_connect',`
  
  	files_search_tmp($1)
  	stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t)
@@ -19830,7 +22866,7 @@ index 6bf0ecc..8a8ed32 100644
  ')
  
  ########################################
-@@ -1251,7 +1575,7 @@ interface(`xserver_read_tmp_files',`
+@@ -1251,7 +1625,7 @@ interface(`xserver_read_tmp_files',`
  ## <summary>
  ##	Interface to provide X object permissions on a given X server to
  ##	an X client domain.  Gives the domain permission to read the
@@ -19839,7 +22875,7 @@ index 6bf0ecc..8a8ed32 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1261,13 +1585,23 @@ interface(`xserver_read_tmp_files',`
+@@ -1261,13 +1635,23 @@ interface(`xserver_read_tmp_files',`
  #
  interface(`xserver_manage_core_devices',`
  	gen_require(`
@@ -19864,7 +22900,7 @@ index 6bf0ecc..8a8ed32 100644
  ')
  
  ########################################
-@@ -1284,10 +1618,577 @@ interface(`xserver_manage_core_devices',`
+@@ -1284,10 +1668,577 @@ interface(`xserver_manage_core_devices',`
  #
  interface(`xserver_unconfined',`
  	gen_require(`
@@ -20445,7 +23481,7 @@ index 6bf0ecc..8a8ed32 100644
 +	files_search_tmp($1)
 +')
 diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
-index 2696452..7a3a6c0 100644
+index 2696452..8ac9130 100644
 --- a/policy/modules/services/xserver.te
 +++ b/policy/modules/services/xserver.te
 @@ -26,27 +26,50 @@ gen_require(`
@@ -20624,7 +23660,7 @@ index 2696452..7a3a6c0 100644
  # type for /var/lib/xkb
  type xkb_var_lib_t;
  files_type(xkb_var_lib_t)
-@@ -193,14 +249,9 @@ typealias xserver_t alias { auditadm_xserver_t secadm_xserver_t xdm_xserver_t };
+@@ -193,14 +249,12 @@ typealias xserver_t alias { auditadm_xserver_t secadm_xserver_t xdm_xserver_t };
  init_system_domain(xserver_t, xserver_exec_t)
  ubac_constrained(xserver_t)
  
@@ -20632,7 +23668,9 @@ index 2696452..7a3a6c0 100644
 -typealias xserver_tmp_t alias { user_xserver_tmp_t staff_xserver_tmp_t sysadm_xserver_tmp_t };
 -typealias xserver_tmp_t alias { auditadm_xserver_tmp_t secadm_xserver_tmp_t xdm_xserver_tmp_t };
 -userdom_user_tmp_file(xserver_tmp_t)
--
++type xserver_etc_t;
++files_config_file(xserver_etc_t)
+ 
  type xserver_tmpfs_t;
 -typealias xserver_tmpfs_t alias { user_xserver_tmpfs_t staff_xserver_tmpfs_t sysadm_xserver_tmpfs_t };
 -typealias xserver_tmpfs_t alias { auditadm_xserver_tmpfs_t secadm_xserver_tmpfs_t xdm_xserver_tmpfs_t };
@@ -20641,7 +23679,7 @@ index 2696452..7a3a6c0 100644
  userdom_user_tmpfs_file(xserver_tmpfs_t)
  
  type xsession_exec_t;
-@@ -225,21 +276,33 @@ optional_policy(`
+@@ -225,21 +279,33 @@ optional_policy(`
  #
  
  allow iceauth_t iceauth_home_t:file manage_file_perms;
@@ -20684,7 +23722,7 @@ index 2696452..7a3a6c0 100644
  ')
  
  ########################################
-@@ -247,48 +310,83 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -247,48 +313,83 @@ tunable_policy(`use_samba_home_dirs',`
  # Xauth local policy
  #
  
@@ -20768,18 +23806,18 @@ index 2696452..7a3a6c0 100644
 +ifdef(`hide_broken_symptoms',`
 +	term_dontaudit_use_unallocated_ttys(xauth_t)
 +	dev_dontaudit_rw_dri(xauth_t)
-+')
-+
-+optional_policy(`
-+	nx_var_lib_filetrans(xauth_t, xauth_home_t, file)
  ')
  
  optional_policy(`
++	nx_var_lib_filetrans(xauth_t, xauth_home_t, file)
++')
++
++optional_policy(`
 +	ssh_use_ptys(xauth_t)
  	ssh_sigchld(xauth_t)
  	ssh_read_pipes(xauth_t)
  	ssh_dontaudit_rw_tcp_sockets(xauth_t)
-@@ -299,64 +397,106 @@ optional_policy(`
+@@ -299,64 +400,106 @@ optional_policy(`
  # XDM Local policy
  #
  
@@ -20896,7 +23934,7 @@ index 2696452..7a3a6c0 100644
  
  # connect to xdm xserver over stream socket
  stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
-@@ -365,20 +505,27 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
+@@ -365,20 +508,27 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
  delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
  delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
  
@@ -20926,7 +23964,7 @@ index 2696452..7a3a6c0 100644
  corenet_all_recvfrom_netlabel(xdm_t)
  corenet_tcp_sendrecv_generic_if(xdm_t)
  corenet_udp_sendrecv_generic_if(xdm_t)
-@@ -388,38 +535,48 @@ corenet_tcp_sendrecv_all_ports(xdm_t)
+@@ -388,38 +538,48 @@ corenet_tcp_sendrecv_all_ports(xdm_t)
  corenet_udp_sendrecv_all_ports(xdm_t)
  corenet_tcp_bind_generic_node(xdm_t)
  corenet_udp_bind_generic_node(xdm_t)
@@ -20979,7 +24017,7 @@ index 2696452..7a3a6c0 100644
  
  files_read_etc_files(xdm_t)
  files_read_var_files(xdm_t)
-@@ -430,9 +587,27 @@ files_list_mnt(xdm_t)
+@@ -430,9 +590,28 @@ files_list_mnt(xdm_t)
  files_read_usr_files(xdm_t)
  # Poweroff wants to create the /poweroff file when run from xdm
  files_create_boot_flag(xdm_t)
@@ -21004,10 +24042,11 @@ index 2696452..7a3a6c0 100644
 +fs_manage_cgroup_files(xdm_t)
 +
 +mls_socket_write_to_clearance(xdm_t)
++mls_trusted_object(xdm_t)
  
  storage_dontaudit_read_fixed_disk(xdm_t)
  storage_dontaudit_write_fixed_disk(xdm_t)
-@@ -441,28 +616,40 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
+@@ -441,28 +620,40 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
  storage_dontaudit_raw_write_removable_device(xdm_t)
  storage_dontaudit_setattr_removable_dev(xdm_t)
  storage_dontaudit_rw_scsi_generic(xdm_t)
@@ -21051,7 +24090,7 @@ index 2696452..7a3a6c0 100644
  
  userdom_dontaudit_use_unpriv_user_fds(xdm_t)
  userdom_create_all_users_keys(xdm_t)
-@@ -471,24 +658,43 @@ userdom_read_user_home_content_files(xdm_t)
+@@ -471,24 +662,43 @@ userdom_read_user_home_content_files(xdm_t)
  # Search /proc for any user domain processes.
  userdom_read_all_users_state(xdm_t)
  userdom_signal_all_users(xdm_t)
@@ -21101,7 +24140,7 @@ index 2696452..7a3a6c0 100644
  tunable_policy(`xdm_sysadm_login',`
  	userdom_xsession_spec_domtrans_all_users(xdm_t)
  	# FIXME:
-@@ -502,11 +708,26 @@ tunable_policy(`xdm_sysadm_login',`
+@@ -502,11 +712,26 @@ tunable_policy(`xdm_sysadm_login',`
  ')
  
  optional_policy(`
@@ -21128,7 +24167,7 @@ index 2696452..7a3a6c0 100644
  ')
  
  optional_policy(`
-@@ -514,12 +735,72 @@ optional_policy(`
+@@ -514,12 +739,72 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -21201,7 +24240,7 @@ index 2696452..7a3a6c0 100644
  	hostname_exec(xdm_t)
  ')
  
-@@ -537,28 +818,78 @@ optional_policy(`
+@@ -537,28 +822,78 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -21289,7 +24328,7 @@ index 2696452..7a3a6c0 100644
  ')
  
  optional_policy(`
-@@ -570,6 +901,14 @@ optional_policy(`
+@@ -570,6 +905,14 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -21304,7 +24343,7 @@ index 2696452..7a3a6c0 100644
  	xfs_stream_connect(xdm_t)
  ')
  
-@@ -594,8 +933,11 @@ allow xserver_t input_xevent_t:x_event send;
+@@ -594,8 +937,11 @@ allow xserver_t input_xevent_t:x_event send;
  # execheap needed until the X module loader is fixed.
  # NVIDIA Needs execstack
  
@@ -21317,7 +24356,7 @@ index 2696452..7a3a6c0 100644
  allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  allow xserver_t self:fd use;
  allow xserver_t self:fifo_file rw_fifo_file_perms;
-@@ -608,8 +950,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
+@@ -608,8 +954,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
  allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
  allow xserver_t self:tcp_socket create_stream_socket_perms;
  allow xserver_t self:udp_socket create_socket_perms;
@@ -21333,7 +24372,18 @@ index 2696452..7a3a6c0 100644
  manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
  manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
  manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
-@@ -628,12 +977,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
+@@ -617,6 +970,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
+ 
+ filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t, sock_file)
+ 
++allow xserver_t xserver_etc_t:dir list_dir_perms;
++read_files_pattern(xserver_t, xserver_etc_t, xserver_etc_t)
++read_lnk_files_pattern(xserver_t, xserver_etc_t, xserver_etc_t)
++
+ manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
+ manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
+ manage_lnk_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
+@@ -628,12 +985,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
  manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
  files_search_var_lib(xserver_t)
  
@@ -21355,7 +24405,7 @@ index 2696452..7a3a6c0 100644
  
  kernel_read_system_state(xserver_t)
  kernel_read_device_sysctls(xserver_t)
-@@ -641,12 +997,12 @@ kernel_read_modprobe_sysctls(xserver_t)
+@@ -641,12 +1005,12 @@ kernel_read_modprobe_sysctls(xserver_t)
  # Xorg wants to check if kernel is tainted
  kernel_read_kernel_sysctls(xserver_t)
  kernel_write_proc_files(xserver_t)
@@ -21369,7 +24419,7 @@ index 2696452..7a3a6c0 100644
  corenet_all_recvfrom_netlabel(xserver_t)
  corenet_tcp_sendrecv_generic_if(xserver_t)
  corenet_udp_sendrecv_generic_if(xserver_t)
-@@ -667,23 +1023,27 @@ dev_rw_apm_bios(xserver_t)
+@@ -667,23 +1031,27 @@ dev_rw_apm_bios(xserver_t)
  dev_rw_agp(xserver_t)
  dev_rw_framebuffer(xserver_t)
  dev_manage_dri_dev(xserver_t)
@@ -21400,21 +24450,25 @@ index 2696452..7a3a6c0 100644
  
  # brought on by rhgb
  files_search_mnt(xserver_t)
-@@ -694,8 +1054,13 @@ fs_getattr_xattr_fs(xserver_t)
+@@ -694,7 +1062,16 @@ fs_getattr_xattr_fs(xserver_t)
  fs_search_nfs(xserver_t)
  fs_search_auto_mountpoints(xserver_t)
  fs_search_ramfs(xserver_t)
+-
 +fs_rw_tmpfs_files(xserver_t)
- 
- mls_xwin_read_to_clearance(xserver_t)
-+mls_process_write_to_clearance(xserver_t)
++
 +mls_file_read_to_clearance(xserver_t)
 +mls_file_write_all_levels(xserver_t)
 +mls_file_upgrade(xserver_t)
++mls_process_write_to_clearance(xserver_t)
++mls_socket_read_to_clearance(xserver_t)
++mls_sysvipc_read_to_clearance(xserver_t)
++mls_sysvipc_write_to_clearance(xserver_t)
++mls_trusted_object(xserver_t)
+ mls_xwin_read_to_clearance(xserver_t)
  
  selinux_validate_context(xserver_t)
- selinux_compute_access_vector(xserver_t)
-@@ -708,20 +1073,18 @@ init_getpgid(xserver_t)
+@@ -708,20 +1085,18 @@ init_getpgid(xserver_t)
  term_setattr_unallocated_ttys(xserver_t)
  term_use_unallocated_ttys(xserver_t)
  
@@ -21438,7 +24492,7 @@ index 2696452..7a3a6c0 100644
  
  userdom_search_user_home_dirs(xserver_t)
  userdom_use_user_ttys(xserver_t)
-@@ -729,8 +1092,6 @@ userdom_setattr_user_ttys(xserver_t)
+@@ -729,8 +1104,6 @@ userdom_setattr_user_ttys(xserver_t)
  userdom_read_user_tmp_files(xserver_t)
  userdom_rw_user_tmpfs_files(xserver_t)
  
@@ -21447,7 +24501,7 @@ index 2696452..7a3a6c0 100644
  ifndef(`distro_redhat',`
  	allow xserver_t self:process { execmem execheap execstack };
  	domain_mmap_low_uncond(xserver_t)
-@@ -775,16 +1136,44 @@ optional_policy(`
+@@ -775,16 +1148,44 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -21493,7 +24547,7 @@ index 2696452..7a3a6c0 100644
  	unconfined_domtrans(xserver_t)
  ')
  
-@@ -793,6 +1182,10 @@ optional_policy(`
+@@ -793,6 +1194,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -21504,7 +24558,7 @@ index 2696452..7a3a6c0 100644
  	xfs_stream_connect(xserver_t)
  ')
  
-@@ -808,10 +1201,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
+@@ -808,10 +1213,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
  
  # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
  # handle of a file inside the dir!!!
@@ -21518,7 +24572,7 @@ index 2696452..7a3a6c0 100644
  
  # Label pid and temporary files with derived types.
  manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -819,7 +1212,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
+@@ -819,7 +1224,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
  manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
  
  # Run xkbcomp.
@@ -21527,7 +24581,7 @@ index 2696452..7a3a6c0 100644
  can_exec(xserver_t, xkb_var_lib_t)
  
  # VNC v4 module in X server
-@@ -832,26 +1225,21 @@ init_use_fds(xserver_t)
+@@ -832,26 +1237,21 @@ init_use_fds(xserver_t)
  # to read ROLE_home_t - examine this in more detail
  # (xauth?)
  userdom_read_user_home_content_files(xserver_t)
@@ -21562,7 +24616,7 @@ index 2696452..7a3a6c0 100644
  ')
  
  optional_policy(`
-@@ -902,7 +1290,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
+@@ -902,7 +1302,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
  allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
  # operations allowed on my windows
  allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
@@ -21571,7 +24625,7 @@ index 2696452..7a3a6c0 100644
  # operations allowed on all windows
  allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
  
-@@ -956,11 +1344,31 @@ allow x_domain self:x_resource { read write };
+@@ -956,11 +1356,31 @@ allow x_domain self:x_resource { read write };
  # can mess with the screensaver
  allow x_domain xserver_t:x_screen { getattr saver_getattr };
  
@@ -21603,7 +24657,7 @@ index 2696452..7a3a6c0 100644
  tunable_policy(`! xserver_object_manager',`
  	# should be xserver_unconfined(x_domain),
  	# but typeattribute doesnt work in conditionals
-@@ -982,18 +1390,40 @@ tunable_policy(`! xserver_object_manager',`
+@@ -982,18 +1402,40 @@ tunable_policy(`! xserver_object_manager',`
  	allow x_domain xevent_type:{ x_event x_synthetic_event } *;
  ')
  
@@ -22640,7 +25694,7 @@ index 3efd5b6..792df83 100644
 +')
 +
 diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
-index 104037e..a8a2a2d 100644
+index 104037e..28dbe0b 100644
 --- a/policy/modules/system/authlogin.te
 +++ b/policy/modules/system/authlogin.te
 @@ -5,6 +5,19 @@ policy_module(authlogin, 2.4.2)
@@ -22937,15 +25991,16 @@ index 104037e..a8a2a2d 100644
  optional_policy(`
  	kerberos_use(nsswitch_domain)
  ')
-@@ -456,6 +493,7 @@ optional_policy(`
+@@ -456,6 +493,8 @@ optional_policy(`
  
  optional_policy(`
  	sssd_stream_connect(nsswitch_domain)
 +	sssd_read_public_files(nsswitch_domain)
++	sssd_read_lib_files(nsswitch_domain)
  ')
  
  optional_policy(`
-@@ -463,3 +501,132 @@ optional_policy(`
+@@ -463,3 +502,132 @@ optional_policy(`
  	samba_read_var_files(nsswitch_domain)
  	samba_dontaudit_write_var_files(nsswitch_domain)
  ')
@@ -23661,10 +26716,32 @@ index 9a4d3a7..9d960bb 100644
  ')
 +/var/run/systemd(/.*)?		gen_context(system_u:object_r:init_var_run_t,s0)
 diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
-index 24e7804..c0ec978 100644
+index 24e7804..f03be17 100644
 --- a/policy/modules/system/init.if
 +++ b/policy/modules/system/init.if
-@@ -106,6 +106,8 @@ interface(`init_domain',`
+@@ -1,5 +1,21 @@
+ ## <summary>System initialization programs (init and init scripts).</summary>
+ 
++######################################
++## <summary>
++##  initrc stub interface.  No access allowed.
++## </summary>
++## <param name="domain" unused="true">
++##  <summary>
++##  Domain allowed access
++##  </summary>
++## </param>
++#
++interface(`init_stub_initrc',`
++	gen_require(`
++		type initrc_t;
++	')
++')
++
+ ########################################
+ ## <summary>
+ ##	Create a file type used for init scripts.
+@@ -106,6 +122,8 @@ interface(`init_domain',`
  	role system_r types $1;
  
  	domtrans_pattern(init_t, $2, $1)
@@ -23673,7 +26750,7 @@ index 24e7804..c0ec978 100644
  
  	ifdef(`hide_broken_symptoms',`
  		# RHEL4 systems seem to have a stray
-@@ -192,50 +194,43 @@ interface(`init_ranged_domain',`
+@@ -192,50 +210,43 @@ interface(`init_ranged_domain',`
  interface(`init_daemon_domain',`
  	gen_require(`
  		attribute direct_run_init, direct_init, direct_init_entry;
@@ -23746,7 +26823,7 @@ index 24e7804..c0ec978 100644
  ')
  
  ########################################
-@@ -283,17 +278,20 @@ interface(`init_daemon_domain',`
+@@ -283,17 +294,20 @@ interface(`init_daemon_domain',`
  interface(`init_ranged_daemon_domain',`
  	gen_require(`
  		type initrc_t;
@@ -23768,7 +26845,7 @@ index 24e7804..c0ec978 100644
  	')
  ')
  
-@@ -336,23 +334,19 @@ interface(`init_ranged_daemon_domain',`
+@@ -336,23 +350,19 @@ interface(`init_ranged_daemon_domain',`
  #
  interface(`init_system_domain',`
  	gen_require(`
@@ -23799,7 +26876,7 @@ index 24e7804..c0ec978 100644
  ')
  
  ########################################
-@@ -401,20 +395,41 @@ interface(`init_system_domain',`
+@@ -401,20 +411,41 @@ interface(`init_system_domain',`
  interface(`init_ranged_system_domain',`
  	gen_require(`
  		type initrc_t;
@@ -23841,7 +26918,7 @@ index 24e7804..c0ec978 100644
  ########################################
  ## <summary>
  ##	Mark the file type as a daemon run dir, allowing initrc_t
-@@ -469,7 +484,6 @@ interface(`init_domtrans',`
+@@ -469,7 +500,6 @@ interface(`init_domtrans',`
  ##	Domain allowed access.
  ##	</summary>
  ## </param>
@@ -23849,7 +26926,7 @@ index 24e7804..c0ec978 100644
  #
  interface(`init_exec',`
  	gen_require(`
-@@ -478,6 +492,48 @@ interface(`init_exec',`
+@@ -478,6 +508,48 @@ interface(`init_exec',`
  
  	corecmd_search_bin($1)
  	can_exec($1, init_exec_t)
@@ -23898,7 +26975,7 @@ index 24e7804..c0ec978 100644
  ')
  
  ########################################
-@@ -566,6 +622,58 @@ interface(`init_sigchld',`
+@@ -566,6 +638,58 @@ interface(`init_sigchld',`
  
  ########################################
  ## <summary>
@@ -23957,7 +27034,7 @@ index 24e7804..c0ec978 100644
  ##	Connect to init with a unix socket.
  ## </summary>
  ## <param name="domain">
-@@ -576,10 +684,66 @@ interface(`init_sigchld',`
+@@ -576,10 +700,66 @@ interface(`init_sigchld',`
  #
  interface(`init_stream_connect',`
  	gen_require(`
@@ -24026,7 +27103,7 @@ index 24e7804..c0ec978 100644
  ')
  
  ########################################
-@@ -743,22 +907,23 @@ interface(`init_write_initctl',`
+@@ -743,22 +923,23 @@ interface(`init_write_initctl',`
  interface(`init_telinit',`
  	gen_require(`
  		type initctl_t;
@@ -24059,7 +27136,7 @@ index 24e7804..c0ec978 100644
  ')
  
  ########################################
-@@ -787,7 +952,7 @@ interface(`init_rw_initctl',`
+@@ -787,7 +968,7 @@ interface(`init_rw_initctl',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -24068,7 +27145,7 @@ index 24e7804..c0ec978 100644
  ##	</summary>
  ## </param>
  #
-@@ -830,11 +995,12 @@ interface(`init_script_file_entry_type',`
+@@ -830,11 +1011,12 @@ interface(`init_script_file_entry_type',`
  #
  interface(`init_spec_domtrans_script',`
  	gen_require(`
@@ -24083,7 +27160,7 @@ index 24e7804..c0ec978 100644
  
  	ifdef(`distro_gentoo',`
  		gen_require(`
-@@ -845,11 +1011,11 @@ interface(`init_spec_domtrans_script',`
+@@ -845,11 +1027,11 @@ interface(`init_spec_domtrans_script',`
  	')
  
  	ifdef(`enable_mcs',`
@@ -24097,7 +27174,7 @@ index 24e7804..c0ec978 100644
  	')
  ')
  
-@@ -865,19 +1031,41 @@ interface(`init_spec_domtrans_script',`
+@@ -865,19 +1047,41 @@ interface(`init_spec_domtrans_script',`
  #
  interface(`init_domtrans_script',`
  	gen_require(`
@@ -24143,7 +27220,7 @@ index 24e7804..c0ec978 100644
  ')
  
  ########################################
-@@ -933,9 +1121,14 @@ interface(`init_script_file_domtrans',`
+@@ -933,9 +1137,14 @@ interface(`init_script_file_domtrans',`
  interface(`init_labeled_script_domtrans',`
  	gen_require(`
  		type initrc_t;
@@ -24158,7 +27235,7 @@ index 24e7804..c0ec978 100644
  	files_search_etc($1)
  ')
  
-@@ -1026,7 +1219,9 @@ interface(`init_ptrace',`
+@@ -1026,7 +1235,9 @@ interface(`init_ptrace',`
  		type init_t;
  	')
  
@@ -24169,7 +27246,7 @@ index 24e7804..c0ec978 100644
  ')
  
  ########################################
-@@ -1125,6 +1320,25 @@ interface(`init_getattr_all_script_files',`
+@@ -1125,6 +1336,25 @@ interface(`init_getattr_all_script_files',`
  
  ########################################
  ## <summary>
@@ -24195,7 +27272,7 @@ index 24e7804..c0ec978 100644
  ##	Read all init script files.
  ## </summary>
  ## <param name="domain">
-@@ -1144,6 +1358,24 @@ interface(`init_read_all_script_files',`
+@@ -1144,6 +1374,24 @@ interface(`init_read_all_script_files',`
  
  #######################################
  ## <summary>
@@ -24220,7 +27297,7 @@ index 24e7804..c0ec978 100644
  ##	Dontaudit read all init script files.
  ## </summary>
  ## <param name="domain">
-@@ -1195,12 +1427,7 @@ interface(`init_read_script_state',`
+@@ -1195,12 +1443,7 @@ interface(`init_read_script_state',`
  	')
  
  	kernel_search_proc($1)
@@ -24234,7 +27311,7 @@ index 24e7804..c0ec978 100644
  ')
  
  ########################################
-@@ -1440,6 +1667,27 @@ interface(`init_dbus_send_script',`
+@@ -1440,6 +1683,27 @@ interface(`init_dbus_send_script',`
  ########################################
  ## <summary>
  ##	Send and receive messages from
@@ -24262,7 +27339,7 @@ index 24e7804..c0ec978 100644
  ##	init scripts over dbus.
  ## </summary>
  ## <param name="domain">
-@@ -1526,6 +1774,25 @@ interface(`init_getattr_script_status_files',`
+@@ -1526,6 +1790,25 @@ interface(`init_getattr_script_status_files',`
  
  ########################################
  ## <summary>
@@ -24288,17 +27365,26 @@ index 24e7804..c0ec978 100644
  ##	Do not audit attempts to read init script
  ##	status files.
  ## </summary>
-@@ -1584,6 +1851,24 @@ interface(`init_rw_script_tmp_files',`
+@@ -1584,21 +1867,39 @@ interface(`init_rw_script_tmp_files',`
  
  ########################################
  ## <summary>
+-##	Create files in a init script
+-##	temporary data directory.
 +##	Read and write init script inherited temporary data.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+-## <param name="file_type">
+-##	<summary>
+-##	The type of the object to be created
+-##	</summary>
+-## </param>
+-## <param name="object_class">
+-##	<summary>
 +#
 +interface(`init_rw_inherited_script_tmp_files',`
 +	gen_require(`
@@ -24310,19 +27396,32 @@ index 24e7804..c0ec978 100644
 +
 +########################################
 +## <summary>
- ##	Create files in a init script
- ##	temporary data directory.
- ## </summary>
-@@ -1656,11 +1941,48 @@ interface(`init_read_utmp',`
++##	Create files in a init script
++##	temporary data directory.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <param name="file_type">
++##	<summary>
++##	The type of the object to be created
++##	</summary>
++## </param>
++## <param name="object_class">
++##	<summary>
+ ##	The object class.
+ ##	</summary>
+ ## </param>
+@@ -1656,6 +1957,43 @@ interface(`init_read_utmp',`
  
  ########################################
  ## <summary>
--##	Do not audit attempts to write utmp.
 +##	Read utmp.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
--##	Domain to not audit.
++## </summary>
++## <param name="domain">
++##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
@@ -24356,15 +27455,10 @@ index 24e7804..c0ec978 100644
 +
 +########################################
 +## <summary>
-+##	Do not audit attempts to write utmp.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain to not audit.
- ##	</summary>
- ## </param>
- #
-@@ -1744,7 +2066,7 @@ interface(`init_dontaudit_rw_utmp',`
+ ##	Do not audit attempts to write utmp.
+ ## </summary>
+ ## <param name="domain">
+@@ -1744,7 +2082,7 @@ interface(`init_dontaudit_rw_utmp',`
  		type initrc_var_run_t;
  	')
  
@@ -24373,7 +27467,7 @@ index 24e7804..c0ec978 100644
  ')
  
  ########################################
-@@ -1785,6 +2107,133 @@ interface(`init_pid_filetrans_utmp',`
+@@ -1785,6 +2123,133 @@ interface(`init_pid_filetrans_utmp',`
  	files_pid_filetrans($1, initrc_var_run_t, file, "utmp")
  ')
  
@@ -24507,7 +27601,7 @@ index 24e7804..c0ec978 100644
  ########################################
  ## <summary>
  ##	Allow the specified domain to connect to daemon with a tcp socket
-@@ -1819,3 +2268,283 @@ interface(`init_udp_recvfrom_all_daemons',`
+@@ -1819,3 +2284,283 @@ interface(`init_udp_recvfrom_all_daemons',`
  	')
  	corenet_udp_recvfrom_labeled($1, daemon)
  ')
@@ -24792,7 +27886,7 @@ index 24e7804..c0ec978 100644
 +	allow $1 init_t:system undefined;
 +')
 diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index dd3be8d..4d9b509 100644
+index dd3be8d..8913598 100644
 --- a/policy/modules/system/init.te
 +++ b/policy/modules/system/init.te
 @@ -11,10 +11,24 @@ gen_require(`
@@ -25030,7 +28124,7 @@ index dd3be8d..4d9b509 100644
  
  ifdef(`distro_gentoo',`
  	allow init_t self:process { getcap setcap };
-@@ -186,29 +271,177 @@ ifdef(`distro_gentoo',`
+@@ -186,29 +271,178 @@ ifdef(`distro_gentoo',`
  ')
  
  ifdef(`distro_redhat',`
@@ -25141,6 +28235,7 @@ index dd3be8d..4d9b509 100644
 +fs_mount_all_fs(init_t)
 +fs_unmount_all_fs(init_t)
 +fs_remount_all_fs(init_t)
++fs_list_all(init_t)
 +fs_list_auto_mountpoints(init_t)
 +fs_register_binary_executable_type(init_t)
 +fs_relabel_tmpfs_sock_file(init_t)
@@ -25216,7 +28311,7 @@ index dd3be8d..4d9b509 100644
  ')
  
  optional_policy(`
-@@ -216,6 +449,27 @@ optional_policy(`
+@@ -216,6 +450,27 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -25244,7 +28339,7 @@ index dd3be8d..4d9b509 100644
  	unconfined_domain(init_t)
  ')
  
-@@ -225,8 +479,9 @@ optional_policy(`
+@@ -225,8 +480,9 @@ optional_policy(`
  #
  
  allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@@ -25256,7 +28351,7 @@ index dd3be8d..4d9b509 100644
  allow initrc_t self:passwd rootok;
  allow initrc_t self:key manage_key_perms;
  
-@@ -257,12 +512,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -257,12 +513,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
  
  allow initrc_t initrc_var_run_t:file manage_file_perms;
  files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@@ -25273,7 +28368,7 @@ index dd3be8d..4d9b509 100644
  
  manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
  manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
-@@ -278,23 +537,36 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -278,23 +538,36 @@ kernel_change_ring_buffer_level(initrc_t)
  kernel_clear_ring_buffer(initrc_t)
  kernel_get_sysvipc_info(initrc_t)
  kernel_read_all_sysctls(initrc_t)
@@ -25316,7 +28411,7 @@ index dd3be8d..4d9b509 100644
  corenet_tcp_sendrecv_all_ports(initrc_t)
  corenet_udp_sendrecv_all_ports(initrc_t)
  corenet_tcp_connect_all_ports(initrc_t)
-@@ -302,9 +574,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
+@@ -302,9 +575,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
  
  dev_read_rand(initrc_t)
  dev_read_urand(initrc_t)
@@ -25328,7 +28423,7 @@ index dd3be8d..4d9b509 100644
  dev_rw_sysfs(initrc_t)
  dev_list_usbfs(initrc_t)
  dev_read_framebuffer(initrc_t)
-@@ -312,8 +586,10 @@ dev_write_framebuffer(initrc_t)
+@@ -312,8 +587,10 @@ dev_write_framebuffer(initrc_t)
  dev_read_realtime_clock(initrc_t)
  dev_read_sound_mixer(initrc_t)
  dev_write_sound_mixer(initrc_t)
@@ -25339,7 +28434,7 @@ index dd3be8d..4d9b509 100644
  dev_delete_lvm_control_dev(initrc_t)
  dev_manage_generic_symlinks(initrc_t)
  dev_manage_generic_files(initrc_t)
-@@ -321,8 +597,7 @@ dev_manage_generic_files(initrc_t)
+@@ -321,8 +598,7 @@ dev_manage_generic_files(initrc_t)
  dev_delete_generic_symlinks(initrc_t)
  dev_getattr_all_blk_files(initrc_t)
  dev_getattr_all_chr_files(initrc_t)
@@ -25349,7 +28444,7 @@ index dd3be8d..4d9b509 100644
  
  domain_kill_all_domains(initrc_t)
  domain_signal_all_domains(initrc_t)
-@@ -331,7 +606,6 @@ domain_sigstop_all_domains(initrc_t)
+@@ -331,7 +607,6 @@ domain_sigstop_all_domains(initrc_t)
  domain_sigchld_all_domains(initrc_t)
  domain_read_all_domains_state(initrc_t)
  domain_getattr_all_domains(initrc_t)
@@ -25357,7 +28452,7 @@ index dd3be8d..4d9b509 100644
  domain_getsession_all_domains(initrc_t)
  domain_use_interactive_fds(initrc_t)
  # for lsof which is used by alsa shutdown:
-@@ -339,6 +613,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
+@@ -339,6 +614,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
  domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
  domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
  domain_dontaudit_getattr_all_pipes(initrc_t)
@@ -25365,7 +28460,7 @@ index dd3be8d..4d9b509 100644
  
  files_getattr_all_dirs(initrc_t)
  files_getattr_all_files(initrc_t)
-@@ -346,14 +621,15 @@ files_getattr_all_symlinks(initrc_t)
+@@ -346,14 +622,15 @@ files_getattr_all_symlinks(initrc_t)
  files_getattr_all_pipes(initrc_t)
  files_getattr_all_sockets(initrc_t)
  files_purge_tmp(initrc_t)
@@ -25383,7 +28478,7 @@ index dd3be8d..4d9b509 100644
  files_read_usr_files(initrc_t)
  files_manage_urandom_seed(initrc_t)
  files_manage_generic_spool(initrc_t)
-@@ -363,8 +639,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -363,8 +640,12 @@ files_list_isid_type_dirs(initrc_t)
  files_mounton_isid_type_dirs(initrc_t)
  files_list_default(initrc_t)
  files_mounton_default(initrc_t)
@@ -25397,7 +28492,7 @@ index dd3be8d..4d9b509 100644
  fs_list_inotifyfs(initrc_t)
  fs_register_binary_executable_type(initrc_t)
  # rhgb-console writes to ramfs
-@@ -374,10 +654,11 @@ fs_mount_all_fs(initrc_t)
+@@ -374,10 +655,11 @@ fs_mount_all_fs(initrc_t)
  fs_unmount_all_fs(initrc_t)
  fs_remount_all_fs(initrc_t)
  fs_getattr_all_fs(initrc_t)
@@ -25411,7 +28506,7 @@ index dd3be8d..4d9b509 100644
  mcs_process_set_categories(initrc_t)
  
  mls_file_read_all_levels(initrc_t)
-@@ -386,6 +667,7 @@ mls_process_read_up(initrc_t)
+@@ -386,6 +668,7 @@ mls_process_read_up(initrc_t)
  mls_process_write_down(initrc_t)
  mls_rangetrans_source(initrc_t)
  mls_fd_share_all_levels(initrc_t)
@@ -25419,7 +28514,7 @@ index dd3be8d..4d9b509 100644
  
  selinux_get_enforce_mode(initrc_t)
  
-@@ -397,6 +679,7 @@ term_use_all_terms(initrc_t)
+@@ -397,6 +680,7 @@ term_use_all_terms(initrc_t)
  term_reset_tty_labels(initrc_t)
  
  auth_rw_login_records(initrc_t)
@@ -25427,7 +28522,7 @@ index dd3be8d..4d9b509 100644
  auth_setattr_login_records(initrc_t)
  auth_rw_lastlog(initrc_t)
  auth_read_pam_pid(initrc_t)
-@@ -415,20 +698,18 @@ logging_read_all_logs(initrc_t)
+@@ -415,20 +699,18 @@ logging_read_all_logs(initrc_t)
  logging_append_all_logs(initrc_t)
  logging_read_audit_config(initrc_t)
  
@@ -25451,7 +28546,7 @@ index dd3be8d..4d9b509 100644
  
  ifdef(`distro_debian',`
  	dev_setattr_generic_dirs(initrc_t)
-@@ -450,7 +731,6 @@ ifdef(`distro_gentoo',`
+@@ -450,7 +732,6 @@ ifdef(`distro_gentoo',`
  	allow initrc_t self:process setfscreate;
  	dev_create_null_dev(initrc_t)
  	dev_create_zero_dev(initrc_t)
@@ -25459,7 +28554,7 @@ index dd3be8d..4d9b509 100644
  	term_create_console_dev(initrc_t)
  
  	# unfortunately /sbin/rc does stupid tricks
-@@ -485,6 +765,10 @@ ifdef(`distro_gentoo',`
+@@ -485,6 +766,10 @@ ifdef(`distro_gentoo',`
  	sysnet_setattr_config(initrc_t)
  
  	optional_policy(`
@@ -25470,7 +28565,7 @@ index dd3be8d..4d9b509 100644
  		alsa_read_lib(initrc_t)
  	')
  
-@@ -505,7 +789,7 @@ ifdef(`distro_redhat',`
+@@ -505,7 +790,7 @@ ifdef(`distro_redhat',`
  
  	# Red Hat systems seem to have a stray
  	# fd open from the initrd
@@ -25479,7 +28574,7 @@ index dd3be8d..4d9b509 100644
  	files_dontaudit_read_root_files(initrc_t)
  
  	# These seem to be from the initrd
-@@ -520,6 +804,7 @@ ifdef(`distro_redhat',`
+@@ -520,6 +805,7 @@ ifdef(`distro_redhat',`
  	files_create_boot_dirs(initrc_t)
  	files_create_boot_flag(initrc_t)
  	files_rw_boot_symlinks(initrc_t)
@@ -25487,7 +28582,7 @@ index dd3be8d..4d9b509 100644
  	# wants to read /.fonts directory
  	files_read_default_files(initrc_t)
  	files_mountpoint(initrc_tmp_t)
-@@ -540,6 +825,7 @@ ifdef(`distro_redhat',`
+@@ -540,6 +826,7 @@ ifdef(`distro_redhat',`
  	miscfiles_rw_localization(initrc_t)
  	miscfiles_setattr_localization(initrc_t)
  	miscfiles_relabel_localization(initrc_t)
@@ -25495,7 +28590,7 @@ index dd3be8d..4d9b509 100644
  
  	miscfiles_read_fonts(initrc_t)
  	miscfiles_read_hwdata(initrc_t)
-@@ -549,8 +835,44 @@ ifdef(`distro_redhat',`
+@@ -549,8 +836,44 @@ ifdef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -25540,7 +28635,7 @@ index dd3be8d..4d9b509 100644
  	')
  
  	optional_policy(`
-@@ -558,14 +880,31 @@ ifdef(`distro_redhat',`
+@@ -558,14 +881,31 @@ ifdef(`distro_redhat',`
  		rpc_write_exports(initrc_t)
  		rpc_manage_nfs_state_data(initrc_t)
  	')
@@ -25572,7 +28667,7 @@ index dd3be8d..4d9b509 100644
  	')
  ')
  
-@@ -576,6 +915,39 @@ ifdef(`distro_suse',`
+@@ -576,6 +916,39 @@ ifdef(`distro_suse',`
  	')
  ')
  
@@ -25612,7 +28707,7 @@ index dd3be8d..4d9b509 100644
  optional_policy(`
  	amavis_search_lib(initrc_t)
  	amavis_setattr_pid_files(initrc_t)
-@@ -588,6 +960,8 @@ optional_policy(`
+@@ -588,6 +961,8 @@ optional_policy(`
  optional_policy(`
  	apache_read_config(initrc_t)
  	apache_list_modules(initrc_t)
@@ -25621,7 +28716,7 @@ index dd3be8d..4d9b509 100644
  ')
  
  optional_policy(`
-@@ -609,6 +983,7 @@ optional_policy(`
+@@ -609,6 +984,7 @@ optional_policy(`
  
  optional_policy(`
  	cgroup_stream_connect_cgred(initrc_t)
@@ -25629,7 +28724,7 @@ index dd3be8d..4d9b509 100644
  ')
  
  optional_policy(`
-@@ -625,6 +1000,17 @@ optional_policy(`
+@@ -625,6 +1001,17 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -25647,7 +28742,7 @@ index dd3be8d..4d9b509 100644
  	dev_getattr_printer_dev(initrc_t)
  
  	cups_read_log(initrc_t)
-@@ -641,9 +1027,13 @@ optional_policy(`
+@@ -641,9 +1028,13 @@ optional_policy(`
  	dbus_connect_system_bus(initrc_t)
  	dbus_system_bus_client(initrc_t)
  	dbus_read_config(initrc_t)
@@ -25661,7 +28756,7 @@ index dd3be8d..4d9b509 100644
  	')
  
  	optional_policy(`
-@@ -656,15 +1046,11 @@ optional_policy(`
+@@ -656,15 +1047,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -25679,7 +28774,7 @@ index dd3be8d..4d9b509 100644
  ')
  
  optional_policy(`
-@@ -685,6 +1071,15 @@ optional_policy(`
+@@ -685,6 +1072,15 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -25695,7 +28790,7 @@ index dd3be8d..4d9b509 100644
  	inn_exec_config(initrc_t)
  ')
  
-@@ -725,6 +1120,7 @@ optional_policy(`
+@@ -725,6 +1121,7 @@ optional_policy(`
  	lpd_list_spool(initrc_t)
  
  	lpd_read_config(initrc_t)
@@ -25703,7 +28798,7 @@ index dd3be8d..4d9b509 100644
  ')
  
  optional_policy(`
-@@ -742,7 +1138,14 @@ optional_policy(`
+@@ -742,7 +1139,14 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -25718,7 +28813,7 @@ index dd3be8d..4d9b509 100644
  	mta_dontaudit_read_spool_symlinks(initrc_t)
  ')
  
-@@ -765,6 +1168,10 @@ optional_policy(`
+@@ -765,6 +1169,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -25729,7 +28824,7 @@ index dd3be8d..4d9b509 100644
  	postgresql_manage_db(initrc_t)
  	postgresql_read_config(initrc_t)
  ')
-@@ -774,10 +1181,20 @@ optional_policy(`
+@@ -774,10 +1182,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -25750,7 +28845,7 @@ index dd3be8d..4d9b509 100644
  	quota_manage_flags(initrc_t)
  ')
  
-@@ -786,6 +1203,10 @@ optional_policy(`
+@@ -786,6 +1204,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -25761,7 +28856,7 @@ index dd3be8d..4d9b509 100644
  	fs_write_ramfs_sockets(initrc_t)
  	fs_search_ramfs(initrc_t)
  
-@@ -807,8 +1228,6 @@ optional_policy(`
+@@ -807,8 +1229,6 @@ optional_policy(`
  	# bash tries ioctl for some reason
  	files_dontaudit_ioctl_all_pids(initrc_t)
  
@@ -25770,7 +28865,7 @@ index dd3be8d..4d9b509 100644
  ')
  
  optional_policy(`
-@@ -817,6 +1236,10 @@ optional_policy(`
+@@ -817,6 +1237,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -25781,7 +28876,7 @@ index dd3be8d..4d9b509 100644
  	# shorewall-init script run /var/lib/shorewall/firewall
  	shorewall_lib_domtrans(initrc_t)
  ')
-@@ -826,10 +1249,12 @@ optional_policy(`
+@@ -826,10 +1250,12 @@ optional_policy(`
  	squid_manage_logs(initrc_t)
  ')
  
@@ -25794,7 +28889,7 @@ index dd3be8d..4d9b509 100644
  
  optional_policy(`
  	ssh_dontaudit_read_server_keys(initrc_t)
-@@ -856,12 +1281,27 @@ optional_policy(`
+@@ -856,12 +1282,27 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -25823,7 +28918,7 @@ index dd3be8d..4d9b509 100644
  
  	ifdef(`distro_redhat',`
  		# system-config-services causes avc messages that should be dontaudited
-@@ -871,6 +1311,18 @@ optional_policy(`
+@@ -871,6 +1312,18 @@ optional_policy(`
  	optional_policy(`
  		mono_domtrans(initrc_t)
  	')
@@ -25842,7 +28937,7 @@ index dd3be8d..4d9b509 100644
  ')
  
  optional_policy(`
-@@ -886,6 +1338,10 @@ optional_policy(`
+@@ -886,6 +1339,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -25853,7 +28948,7 @@ index dd3be8d..4d9b509 100644
  	# Set device ownerships/modes.
  	xserver_setattr_console_pipes(initrc_t)
  
-@@ -896,3 +1352,185 @@ optional_policy(`
+@@ -896,3 +1353,185 @@ optional_policy(`
  optional_policy(`
  	zebra_read_config(initrc_t)
  ')
@@ -29383,7 +32478,7 @@ index 72c746e..f035d9f 100644
 +/usr/sbin/umount\.ecryptfs_private	--	gen_context(system_u:object_r:mount_ecryptfs_exec_t,s0)
 +/usr/sbin/umount\.ecryptfs	--	gen_context(system_u:object_r:mount_ecryptfs_exec_t,s0)
 diff --git a/policy/modules/system/mount.if b/policy/modules/system/mount.if
-index 4584457..300c3f7 100644
+index 4584457..0755e25 100644
 --- a/policy/modules/system/mount.if
 +++ b/policy/modules/system/mount.if
 @@ -16,6 +16,13 @@ interface(`mount_domtrans',`
@@ -29482,7 +32577,7 @@ index 4584457..300c3f7 100644
 +		type mount_var_run_t;
 +	')
 +
-+	allow $1 mount_var_run_t:file read_file_perms;
++	read_files_pattern($1, mount_var_run_t, mount_var_run_t)
 +	files_search_pids($1)
 +')
 +
@@ -29671,7 +32766,7 @@ index 4584457..300c3f7 100644
 +        domtrans_pattern($1, mount_ecryptfs_exec_t, mount_ecryptfs_t)
  ')
 diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
-index 6a50270..bfb146f 100644
+index 6a50270..ac90315 100644
 --- a/policy/modules/system/mount.te
 +++ b/policy/modules/system/mount.te
 @@ -10,35 +10,60 @@ policy_module(mount, 1.15.1)
@@ -29868,7 +32963,7 @@ index 6a50270..bfb146f 100644
  term_dontaudit_manage_pty_dirs(mount_t)
  
  auth_use_nsswitch(mount_t)
-@@ -121,16 +187,19 @@ auth_use_nsswitch(mount_t)
+@@ -121,16 +187,21 @@ auth_use_nsswitch(mount_t)
  init_use_fds(mount_t)
  init_use_script_ptys(mount_t)
  init_dontaudit_getattr_initctl(mount_t)
@@ -29883,6 +32978,8 @@ index 6a50270..bfb146f 100644
  
  seutil_read_config(mount_t)
  
++systemd_passwd_agent_domtrans(mount_t)
++
  userdom_use_all_users_fds(mount_t)
 +userdom_manage_user_home_content_dirs(mount_t)
 +userdom_read_user_home_content_symlinks(mount_t)
@@ -29890,7 +32987,7 @@ index 6a50270..bfb146f 100644
  
  ifdef(`distro_redhat',`
  	optional_policy(`
-@@ -146,26 +215,27 @@ ifdef(`distro_ubuntu',`
+@@ -146,26 +217,27 @@ ifdef(`distro_ubuntu',`
  	')
  ')
  
@@ -29930,7 +33027,7 @@ index 6a50270..bfb146f 100644
  	corenet_tcp_bind_generic_port(mount_t)
  	corenet_udp_bind_generic_port(mount_t)
  	corenet_tcp_bind_reserved_port(mount_t)
-@@ -179,6 +249,8 @@ optional_policy(`
+@@ -179,6 +251,8 @@ optional_policy(`
  	fs_search_rpc(mount_t)
  
  	rpc_stub(mount_t)
@@ -29939,7 +33036,7 @@ index 6a50270..bfb146f 100644
  ')
  
  optional_policy(`
-@@ -186,6 +258,36 @@ optional_policy(`
+@@ -186,6 +260,36 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -29976,7 +33073,7 @@ index 6a50270..bfb146f 100644
  	ifdef(`hide_broken_symptoms',`
  		# for a bug in the X server
  		rhgb_dontaudit_rw_stream_sockets(mount_t)
-@@ -194,24 +296,124 @@ optional_policy(`
+@@ -194,24 +298,124 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -33390,10 +36487,10 @@ index 0000000..fc080a1
 +')
 diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
 new file mode 100644
-index 0000000..90e063a
+index 0000000..60e3e89
 --- /dev/null
 +++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,632 @@
+@@ -0,0 +1,641 @@
 +policy_module(systemd, 1.0.0)
 +
 +#######################################
@@ -33429,6 +36526,7 @@ index 0000000..90e063a
 +
 +type random_seed_t;
 +files_security_file(random_seed_t)
++files_mountpoint(random_seed_t)
 +
 +# domain for systemd-tty-ask-password-agent and systemd-gnome-ask-password-agent
 +# systemd components
@@ -33722,6 +36820,7 @@ index 0000000..90e063a
 +auth_manage_faillog(systemd_tmpfiles_t)
 +auth_relabel_faillog(systemd_tmpfiles_t)
 +auth_manage_var_auth(systemd_tmpfiles_t)
++auth_manage_login_records(systemd_tmpfiles_t)
 +auth_relabel_var_auth_dirs(systemd_tmpfiles_t)
 +auth_relabel_login_records(systemd_tmpfiles_t)
 +auth_setattr_login_records(systemd_tmpfiles_t)
@@ -33871,6 +36970,8 @@ index 0000000..90e063a
 +
 +userdom_dbus_send_all_users(systemd_localed_t)
 +
++xserver_read_config(systemd_localed_t)
++
 +optional_policy(`
 +	dbus_connect_system_bus(systemd_localed_t)
 +	dbus_system_bus_client(systemd_localed_t)
@@ -33972,6 +37073,7 @@ index 0000000..90e063a
 +optional_policy(`
 +	gnome_manage_usr_config(systemd_timedated_t)
 +	gnome_manage_home_config(systemd_timedated_t)
++	gnome_manage_home_config_dirs(systemd_timedated_t)
 +')
 +
 +optional_policy(`
@@ -33988,6 +37090,10 @@ index 0000000..90e063a
 +	policykit_read_reload(systemd_timedated_t)
 +')
 +
++optional_policy(`
++	xserver_manage_config(systemd_timedated_t)
++')
++
 +########################################
 +#
 +# systemd_sysctl domains local policy
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index 59ef21bc..ff0cb24b 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -64,7 +64,7 @@ index e4f84de..94697ea 100644
 +/var/cache/retrace-server(/.*)?						gen_context(system_u:object_r:abrt_retrace_cache_t,s0)
 +/var/spool/retrace-server(/.*)?						gen_context(system_u:object_r:abrt_retrace_spool_t,s0)
 diff --git a/abrt.if b/abrt.if
-index 058d908..b7620e3 100644
+index 058d908..702b716 100644
 --- a/abrt.if
 +++ b/abrt.if
 @@ -1,4 +1,26 @@
@@ -156,7 +156,7 @@ index 058d908..b7620e3 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -154,17 +174,54 @@ interface(`abrt_domtrans_helper',`
+@@ -154,17 +174,35 @@ interface(`abrt_domtrans_helper',`
  #
  interface(`abrt_run_helper',`
  	gen_require(`
@@ -186,18 +186,23 @@ index 058d908..b7620e3 100644
 +
 +	read_files_pattern($1, abrt_var_cache_t, abrt_var_cache_t)
 +	read_lnk_files_pattern($1, abrt_var_cache_t, abrt_var_cache_t)
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Create, read, write, and delete
+-##	abrt cache files.
 +##	Append abrt cache
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -172,15 +210,37 @@ interface(`abrt_run_helper',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`abrt_cache_manage',`
+-	refpolicywarn(`$0($*) has been deprecated, use abrt_manage_cache() instead.')
+-	abrt_manage_cache($1)
 +interface(`abrt_append_cache',`
 +	gen_require(`
 +		type abrt_var_cache_t;
@@ -210,18 +215,15 @@ index 058d908..b7620e3 100644
  ########################################
  ## <summary>
 -##	Create, read, write, and delete
--##	abrt cache files.
+-##	abrt cache content.
 +##	Read/Write inherited abrt cache
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -172,15 +229,18 @@ interface(`abrt_run_helper',`
- ##	</summary>
- ## </param>
- #
--interface(`abrt_cache_manage',`
--	refpolicywarn(`$0($*) has been deprecated, use abrt_manage_cache() instead.')
--	abrt_manage_cache($1)
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
 +interface(`abrt_rw_inherited_cache',`
 +	gen_require(`
 +		type abrt_var_cache_t;
@@ -229,12 +231,10 @@ index 058d908..b7620e3 100644
 +
 +	
 +	allow $1 abrt_var_cache_t:file rw_inherited_file_perms;
- ')
- 
- ########################################
- ## <summary>
--##	Create, read, write, and delete
--##	abrt cache content.
++')
++
++########################################
++## <summary>
 +##	Manage abrt cache
  ## </summary>
  ## <param name="domain">
@@ -329,7 +329,7 @@ index 058d908..b7620e3 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -288,39 +387,146 @@ interface(`abrt_manage_pid_files',`
+@@ -288,39 +387,172 @@ interface(`abrt_manage_pid_files',`
  ## </param>
  ## <param name="role">
  ##	<summary>
@@ -470,7 +470,7 @@ index 058d908..b7620e3 100644
 +    list_dirs_pattern($1, abrt_retrace_cache_t, abrt_retrace_cache_t)
 +    read_files_pattern($1, abrt_retrace_cache_t, abrt_retrace_cache_t)
 +    read_lnk_files_pattern($1, abrt_retrace_cache_t, abrt_retrace_cache_t)
-+')
+ ')
 +
 +########################################
 +## <summary>
@@ -488,7 +488,33 @@ index 058d908..b7620e3 100644
 +	')
 +
 +	dontaudit $1 abrt_t:sock_file write;
- ')
++')
++
++########################################
++## <summary>
++##	Transition to abrt named content
++## </summary>
++## <param name="domain">
++##	<summary>
++##      Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`abrt_filetrans_named_content',`
++	gen_require(`
++		type abrt_tmp_t;
++		type abrt_etc_t;
++		type abrt_var_cache_t;
++		type abrt_var_run_t;
++	')
++
++	files_tmp_filetrans($1, abrt_tmp_t, dir, "abrt")
++	files_etc_filetrans($1, abrt_etc_t, dir, "abrt")
++	files_var_filetrans($1, abrt_var_cache_t, dir, "abrt")
++	files_var_filetrans($1, abrt_var_cache_t, dir, "abrt-dix")
++	files_pid_filetrans($1, abrt_var_run_t, dir, "abrt")
++')
++
 diff --git a/abrt.te b/abrt.te
 index cc43d25..304203f 100644
 --- a/abrt.te
@@ -3020,7 +3046,7 @@ index 550a69e..e714059 100644
 +/var/run/dirsrv/admin-serv.*	gen_context(system_u:object_r:httpd_var_run_t,s0)
 +/opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)?       gen_context(system_u:object_r:httpd_var_run_t,s0)
 diff --git a/apache.if b/apache.if
-index 83e899c..7b2ad39 100644
+index 83e899c..e3bed6a 100644
 --- a/apache.if
 +++ b/apache.if
 @@ -1,9 +1,9 @@
@@ -4204,7 +4230,7 @@ index 83e899c..7b2ad39 100644
  	admin_pattern($1, httpd_log_t)
  
  	admin_pattern($1, httpd_modules_t)
-@@ -1218,9 +1393,106 @@ interface(`apache_admin',`
+@@ -1218,9 +1393,129 @@ interface(`apache_admin',`
  	admin_pattern($1, httpd_var_run_t)
  	files_pid_filetrans($1, httpd_var_run_t, file)
  
@@ -4292,6 +4318,29 @@ index 83e899c..7b2ad39 100644
 +
 +########################################
 +## <summary>
++##	Execute a httpd_exec_t in the specified domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed to transition.
++##	</summary>
++## </param>
++## <param name="target_domain">
++##	<summary>
++##	The type of the new process.
++##	</summary>
++## </param>
++#
++interface(`apache_exec_domtrans',`
++	gen_require(`
++		type httpd_exec_t;
++	')
++
++	domtrans_pattern($1, httpd_exec_t, $2)
++')
++
++########################################
++## <summary>
 +##	Transition to apache home content
 +## </summary>
 +## <param name="domain">
@@ -7299,10 +7348,10 @@ index 089430a..7cd037b 100644
 +	allow $1 automount_unit_file_t:service all_service_perms;
  ')
 diff --git a/automount.te b/automount.te
-index a579c3b..e8961f7 100644
+index a579c3b..512d6b1 100644
 --- a/automount.te
 +++ b/automount.te
-@@ -22,6 +22,9 @@ type automount_tmp_t;
+@@ -22,12 +22,16 @@ type automount_tmp_t;
  files_tmp_file(automount_tmp_t)
  files_mountpoint(automount_tmp_t)
  
@@ -7312,7 +7361,15 @@ index a579c3b..e8961f7 100644
  ########################################
  #
  # Local policy
-@@ -62,7 +65,6 @@ kernel_dontaudit_search_xen_state(automount_t)
+ #
+ 
+-allow automount_t self:capability { setgid setuid sys_nice sys_resource dac_override sys_admin };
++allow automount_t self:capability {  setgid setuid sys_nice sys_resource dac_override sys_admin };
++allow automount_t self:capability2 block_suspend;
+ dontaudit automount_t self:capability sys_tty_config;
+ allow automount_t self:process { signal_perms getpgid setpgid setsched setrlimit };
+ allow automount_t self:fifo_file rw_fifo_file_perms;
+@@ -62,7 +66,6 @@ kernel_dontaudit_search_xen_state(automount_t)
  corecmd_exec_bin(automount_t)
  corecmd_exec_shell(automount_t)
  
@@ -7320,7 +7377,7 @@ index a579c3b..e8961f7 100644
  corenet_all_recvfrom_netlabel(automount_t)
  corenet_tcp_sendrecv_generic_if(automount_t)
  corenet_udp_sendrecv_generic_if(automount_t)
-@@ -96,7 +98,6 @@ files_mount_all_file_type_fs(automount_t)
+@@ -96,7 +99,6 @@ files_mount_all_file_type_fs(automount_t)
  files_mounton_all_mountpoints(automount_t)
  files_mounton_mnt(automount_t)
  files_read_etc_runtime_files(automount_t)
@@ -7328,7 +7385,7 @@ index a579c3b..e8961f7 100644
  files_search_boot(automount_t)
  files_search_all(automount_t)
  files_unmount_all_file_type_fs(automount_t)
-@@ -130,15 +131,18 @@ auth_use_nsswitch(automount_t)
+@@ -130,15 +132,18 @@ auth_use_nsswitch(automount_t)
  logging_send_syslog_msg(automount_t)
  logging_search_logs(automount_t)
  
@@ -8311,7 +8368,7 @@ index c723a0a..3e8a553 100644
 +	allow $1 bluetooth_unit_file_t:service all_service_perms;
  ')
 diff --git a/bluetooth.te b/bluetooth.te
-index 6f09d24..88b8feb 100644
+index 6f09d24..9c48d18 100644
 --- a/bluetooth.te
 +++ b/bluetooth.te
 @@ -49,6 +49,9 @@ files_type(bluetooth_var_lib_t)
@@ -8367,15 +8424,20 @@ index 6f09d24..88b8feb 100644
  miscfiles_read_fonts(bluetooth_t)
  miscfiles_read_hwdata(bluetooth_t)
  
-@@ -132,6 +143,7 @@ userdom_dontaudit_search_user_home_dirs(bluetooth_t)
+@@ -130,8 +141,12 @@ userdom_dontaudit_use_unpriv_user_fds(bluetooth_t)
+ userdom_dontaudit_use_user_terminals(bluetooth_t)
+ userdom_dontaudit_search_user_home_dirs(bluetooth_t)
  
++# machine-info
++systemd_hostnamed_read_config(bluetooth_t)
++
  optional_policy(`
  	dbus_system_bus_client(bluetooth_t)
 +	dbus_connect_system_bus(bluetooth_t)
  
  	optional_policy(`
  		cups_dbus_chat(bluetooth_t)
-@@ -199,7 +211,6 @@ dev_read_urand(bluetooth_helper_t)
+@@ -199,7 +214,6 @@ dev_read_urand(bluetooth_helper_t)
  domain_read_all_domains_state(bluetooth_helper_t)
  
  files_read_etc_runtime_files(bluetooth_helper_t)
@@ -8626,7 +8688,7 @@ index 02fefaa..fbcef10 100644
 +	')
  ')
 diff --git a/boinc.te b/boinc.te
-index 7c92aa1..1dc00c7 100644
+index 7c92aa1..4d8b6ae 100644
 --- a/boinc.te
 +++ b/boinc.te
 @@ -1,11 +1,13 @@
@@ -8645,7 +8707,7 @@ index 7c92aa1..1dc00c7 100644
  type boinc_exec_t;
  init_daemon_domain(boinc_t, boinc_exec_t)
  
-@@ -21,31 +23,65 @@ files_tmpfs_file(boinc_tmpfs_t)
+@@ -21,31 +23,66 @@ files_tmpfs_file(boinc_tmpfs_t)
  type boinc_var_lib_t;
  files_type(boinc_var_lib_t)
  
@@ -8675,6 +8737,7 @@ index 7c92aa1..1dc00c7 100644
 +#
 +
 +allow boinc_domain self:fifo_file rw_fifo_file_perms;
++allow boinc_domain self:process signal;
 +allow boinc_domain self:sem create_sem_perms;
 +allow boinc_domain self:process execmem;
 +
@@ -8720,7 +8783,7 @@ index 7c92aa1..1dc00c7 100644
  
  manage_dirs_pattern(boinc_t, boinc_tmp_t, boinc_tmp_t)
  manage_files_pattern(boinc_t, boinc_tmp_t, boinc_tmp_t)
-@@ -54,74 +90,45 @@ files_tmp_filetrans(boinc_t, boinc_tmp_t, { dir file })
+@@ -54,74 +91,45 @@ files_tmp_filetrans(boinc_t, boinc_tmp_t, { dir file })
  manage_files_pattern(boinc_t, boinc_tmpfs_t, boinc_tmpfs_t)
  fs_tmpfs_filetrans(boinc_t, boinc_tmpfs_t, file)
  
@@ -8814,7 +8877,7 @@ index 7c92aa1..1dc00c7 100644
  
  term_getattr_all_ptys(boinc_t)
  term_getattr_unallocated_ttys(boinc_t)
-@@ -130,55 +137,61 @@ init_read_utmp(boinc_t)
+@@ -130,55 +138,61 @@ init_read_utmp(boinc_t)
  
  logging_send_syslog_msg(boinc_t)
  
@@ -15958,7 +16021,7 @@ index 06da9a0..ca832e1 100644
 +	ps_process_pattern($1, cupsd_t)
  ')
 diff --git a/cups.te b/cups.te
-index 9f34c2e..c8d914e 100644
+index 9f34c2e..45fe9a0 100644
 --- a/cups.te
 +++ b/cups.te
 @@ -5,19 +5,24 @@ policy_module(cups, 1.15.9)
@@ -16199,15 +16262,16 @@ index 9f34c2e..c8d914e 100644
  
  mls_fd_use_all_levels(cupsd_t)
  mls_file_downgrade(cupsd_t)
-@@ -235,6 +266,7 @@ mls_socket_write_all_levels(cupsd_t)
+@@ -235,6 +266,8 @@ mls_socket_write_all_levels(cupsd_t)
  
  term_search_ptys(cupsd_t)
  term_use_unallocated_ttys(cupsd_t)
 +term_use_ptmx(cupsd_t)
++term_use_usb_ttys(cupsd_t)
  
  selinux_compute_access_vector(cupsd_t)
  selinux_validate_context(cupsd_t)
-@@ -247,21 +279,20 @@ auth_dontaudit_read_pam_pid(cupsd_t)
+@@ -247,21 +280,20 @@ auth_dontaudit_read_pam_pid(cupsd_t)
  auth_rw_faillog(cupsd_t)
  auth_use_nsswitch(cupsd_t)
  
@@ -16233,7 +16297,7 @@ index 9f34c2e..c8d914e 100644
  userdom_dontaudit_search_user_home_content(cupsd_t)
  
  optional_policy(`
-@@ -275,6 +306,8 @@ optional_policy(`
+@@ -275,6 +307,8 @@ optional_policy(`
  optional_policy(`
  	dbus_system_bus_client(cupsd_t)
  
@@ -16242,7 +16306,7 @@ index 9f34c2e..c8d914e 100644
  	userdom_dbus_send_all_users(cupsd_t)
  
  	optional_policy(`
-@@ -285,8 +318,10 @@ optional_policy(`
+@@ -285,8 +319,10 @@ optional_policy(`
  		hal_dbus_chat(cupsd_t)
  	')
  
@@ -16253,7 +16317,7 @@ index 9f34c2e..c8d914e 100644
  	')
  ')
  
-@@ -299,8 +334,8 @@ optional_policy(`
+@@ -299,8 +335,8 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -16263,7 +16327,7 @@ index 9f34c2e..c8d914e 100644
  ')
  
  optional_policy(`
-@@ -309,7 +344,6 @@ optional_policy(`
+@@ -309,7 +345,6 @@ optional_policy(`
  
  optional_policy(`
  	lpd_exec_lpr(cupsd_t)
@@ -16271,7 +16335,7 @@ index 9f34c2e..c8d914e 100644
  	lpd_read_config(cupsd_t)
  	lpd_relabel_spool(cupsd_t)
  ')
-@@ -337,7 +371,7 @@ optional_policy(`
+@@ -337,7 +372,7 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -16280,7 +16344,7 @@ index 9f34c2e..c8d914e 100644
  ')
  
  ########################################
-@@ -345,11 +379,9 @@ optional_policy(`
+@@ -345,11 +380,9 @@ optional_policy(`
  # Configuration daemon local policy
  #
  
@@ -16294,7 +16358,7 @@ index 9f34c2e..c8d914e 100644
  
  allow cupsd_config_t cupsd_t:process signal;
  ps_process_pattern(cupsd_config_t, cupsd_t)
-@@ -375,18 +407,15 @@ manage_dirs_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run
+@@ -375,18 +408,15 @@ manage_dirs_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run
  manage_files_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run_t)
  files_pid_filetrans(cupsd_config_t, cupsd_config_var_run_t, { dir file })
  
@@ -16314,7 +16378,7 @@ index 9f34c2e..c8d914e 100644
  corenet_all_recvfrom_netlabel(cupsd_config_t)
  corenet_tcp_sendrecv_generic_if(cupsd_config_t)
  corenet_tcp_sendrecv_generic_node(cupsd_config_t)
-@@ -395,20 +424,12 @@ corenet_tcp_sendrecv_all_ports(cupsd_config_t)
+@@ -395,20 +425,12 @@ corenet_tcp_sendrecv_all_ports(cupsd_config_t)
  corenet_sendrecv_all_client_packets(cupsd_config_t)
  corenet_tcp_connect_all_ports(cupsd_config_t)
  
@@ -16335,7 +16399,7 @@ index 9f34c2e..c8d914e 100644
  fs_search_auto_mountpoints(cupsd_config_t)
  
  domain_use_interactive_fds(cupsd_config_t)
-@@ -420,11 +441,6 @@ auth_use_nsswitch(cupsd_config_t)
+@@ -420,11 +442,6 @@ auth_use_nsswitch(cupsd_config_t)
  
  logging_send_syslog_msg(cupsd_config_t)
  
@@ -16347,7 +16411,7 @@ index 9f34c2e..c8d914e 100644
  userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t)
  userdom_dontaudit_search_user_home_dirs(cupsd_config_t)
  userdom_read_all_users_state(cupsd_config_t)
-@@ -452,9 +468,12 @@ optional_policy(`
+@@ -452,9 +469,12 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -16361,7 +16425,7 @@ index 9f34c2e..c8d914e 100644
  ')
  
  optional_policy(`
-@@ -490,10 +509,6 @@ optional_policy(`
+@@ -490,10 +510,6 @@ optional_policy(`
  # Lpd local policy
  #
  
@@ -16372,7 +16436,7 @@ index 9f34c2e..c8d914e 100644
  allow cupsd_lpd_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
  
  allow cupsd_lpd_t { cupsd_etc_t cupsd_rw_etc_t }:dir list_dir_perms;
-@@ -511,31 +526,22 @@ stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t)
+@@ -511,31 +527,22 @@ stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t)
  
  kernel_read_kernel_sysctls(cupsd_lpd_t)
  kernel_read_system_state(cupsd_lpd_t)
@@ -16405,7 +16469,7 @@ index 9f34c2e..c8d914e 100644
  optional_policy(`
  	inetd_service_domain(cupsd_lpd_t, cupsd_lpd_exec_t)
  ')
-@@ -546,7 +552,6 @@ optional_policy(`
+@@ -546,7 +553,6 @@ optional_policy(`
  #
  
  allow cups_pdf_t self:capability { chown fowner fsetid setuid setgid dac_override };
@@ -16413,7 +16477,7 @@ index 9f34c2e..c8d914e 100644
  allow cups_pdf_t self:unix_stream_socket create_stream_socket_perms;
  
  append_files_pattern(cups_pdf_t, cupsd_log_t, cupsd_log_t)
-@@ -562,17 +567,8 @@ fs_search_auto_mountpoints(cups_pdf_t)
+@@ -562,17 +568,8 @@ fs_search_auto_mountpoints(cups_pdf_t)
  
  kernel_read_system_state(cups_pdf_t)
  
@@ -16431,7 +16495,7 @@ index 9f34c2e..c8d914e 100644
  userdom_manage_user_home_content_dirs(cups_pdf_t)
  userdom_manage_user_home_content_files(cups_pdf_t)
  userdom_home_filetrans_user_home_dir(cups_pdf_t)
-@@ -582,128 +578,12 @@ tunable_policy(`use_nfs_home_dirs',`
+@@ -582,128 +579,12 @@ tunable_policy(`use_nfs_home_dirs',`
  	fs_manage_nfs_files(cups_pdf_t)
  ')
  
@@ -16562,7 +16626,7 @@ index 9f34c2e..c8d914e 100644
  
  ########################################
  #
-@@ -731,7 +611,6 @@ kernel_read_kernel_sysctls(ptal_t)
+@@ -731,7 +612,6 @@ kernel_read_kernel_sysctls(ptal_t)
  kernel_list_proc(ptal_t)
  kernel_read_proc_symlinks(ptal_t)
  
@@ -16570,7 +16634,7 @@ index 9f34c2e..c8d914e 100644
  corenet_all_recvfrom_netlabel(ptal_t)
  corenet_tcp_sendrecv_generic_if(ptal_t)
  corenet_tcp_sendrecv_generic_node(ptal_t)
-@@ -741,13 +620,11 @@ corenet_sendrecv_ptal_server_packets(ptal_t)
+@@ -741,13 +621,11 @@ corenet_sendrecv_ptal_server_packets(ptal_t)
  corenet_tcp_bind_ptal_port(ptal_t)
  corenet_tcp_sendrecv_ptal_port(ptal_t)
  
@@ -16584,7 +16648,7 @@ index 9f34c2e..c8d914e 100644
  files_read_etc_runtime_files(ptal_t)
  
  fs_getattr_all_fs(ptal_t)
-@@ -755,8 +632,6 @@ fs_search_auto_mountpoints(ptal_t)
+@@ -755,8 +633,6 @@ fs_search_auto_mountpoints(ptal_t)
  
  logging_send_syslog_msg(ptal_t)
  
@@ -17630,7 +17694,7 @@ index afcf3a2..0730306 100644
 +	dontaudit system_bus_type $1:dbus send_msg;
  ')
 diff --git a/dbus.te b/dbus.te
-index 2c2e7e1..4a56f17 100644
+index 2c2e7e1..5e0bf2f 100644
 --- a/dbus.te
 +++ b/dbus.te
 @@ -1,20 +1,18 @@
@@ -17668,16 +17732,17 @@ index 2c2e7e1..4a56f17 100644
  type session_dbusd_tmp_t;
  typealias session_dbusd_tmp_t alias { user_dbusd_tmp_t staff_dbusd_tmp_t sysadm_dbusd_tmp_t };
  typealias session_dbusd_tmp_t alias { auditadm_dbusd_tmp_t secadm_dbusd_tmp_t };
-@@ -41,7 +36,7 @@ files_type(system_dbusd_var_lib_t)
+@@ -41,7 +36,8 @@ files_type(system_dbusd_var_lib_t)
  
  type system_dbusd_var_run_t;
  files_pid_file(system_dbusd_var_run_t)
 -init_daemon_run_dir(system_dbusd_var_run_t, "dbus")
 +init_sock_file(system_dbusd_var_run_t)
++mls_trusted_object(system_dbusd_var_run_t)
  
  ifdef(`enable_mcs',`
  	init_ranged_system_domain(system_dbusd_t, dbusd_exec_t, s0 - mcs_systemhigh)
-@@ -51,59 +46,56 @@ ifdef(`enable_mls',`
+@@ -51,59 +47,57 @@ ifdef(`enable_mls',`
  	init_ranged_system_domain(system_dbusd_t, dbusd_exec_t, s0 - mls_systemhigh)
  ')
  
@@ -17749,10 +17814,11 @@ index 2c2e7e1..4a56f17 100644
 +storage_rw_inherited_fixed_disk_dev(system_dbusd_t)
 +storage_rw_inherited_removable_device(system_dbusd_t)
 +
++mls_trusted_object(system_dbusd_t)
  mls_fd_use_all_levels(system_dbusd_t)
  mls_rangetrans_target(system_dbusd_t)
  mls_file_read_all_levels(system_dbusd_t)
-@@ -123,66 +115,155 @@ term_dontaudit_use_console(system_dbusd_t)
+@@ -123,66 +117,155 @@ term_dontaudit_use_console(system_dbusd_t)
  auth_use_nsswitch(system_dbusd_t)
  auth_read_pam_console_data(system_dbusd_t)
  
@@ -17922,7 +17988,7 @@ index 2c2e7e1..4a56f17 100644
  kernel_read_kernel_sysctls(session_bus_type)
  
  corecmd_list_bin(session_bus_type)
-@@ -191,23 +272,18 @@ corecmd_read_bin_files(session_bus_type)
+@@ -191,23 +274,18 @@ corecmd_read_bin_files(session_bus_type)
  corecmd_read_bin_pipes(session_bus_type)
  corecmd_read_bin_sockets(session_bus_type)
  
@@ -17947,7 +18013,7 @@ index 2c2e7e1..4a56f17 100644
  files_dontaudit_search_var(session_bus_type)
  
  fs_getattr_romfs(session_bus_type)
-@@ -215,7 +291,6 @@ fs_getattr_xattr_fs(session_bus_type)
+@@ -215,7 +293,6 @@ fs_getattr_xattr_fs(session_bus_type)
  fs_list_inotifyfs(session_bus_type)
  fs_dontaudit_list_nfs(session_bus_type)
  
@@ -17955,7 +18021,7 @@ index 2c2e7e1..4a56f17 100644
  selinux_validate_context(session_bus_type)
  selinux_compute_access_vector(session_bus_type)
  selinux_compute_create_context(session_bus_type)
-@@ -225,18 +300,36 @@ selinux_compute_user_contexts(session_bus_type)
+@@ -225,18 +302,36 @@ selinux_compute_user_contexts(session_bus_type)
  auth_read_pam_console_data(session_bus_type)
  
  logging_send_audit_msgs(session_bus_type)
@@ -17997,7 +18063,7 @@ index 2c2e7e1..4a56f17 100644
  ')
  
  ########################################
-@@ -244,5 +337,6 @@ optional_policy(`
+@@ -244,5 +339,6 @@ optional_policy(`
  # Unconfined access to this module
  #
  
@@ -21587,6 +21653,17 @@ index a0da189..d8bc9d5 100644
  
  userdom_dontaudit_use_unpriv_user_fds(entropyd_t)
  userdom_dontaudit_search_user_home_dirs(entropyd_t)
+diff --git a/evolution.fc b/evolution.fc
+index 597f305..8520653 100644
+--- a/evolution.fc
++++ b/evolution.fc
+@@ -1,5 +1,6 @@
+ HOME_DIR/\.camel_certs(/.*)?	gen_context(system_u:object_r:evolution_home_t,s0)
+ HOME_DIR/\.evolution(/.*)?	gen_context(system_u:object_r:evolution_home_t,s0)
++HOME_DIR/\.cache/evolution(/.*)?	gen_context(system_u:object_r:evolution_home_t,s0)
+ 
+ /tmp/\.exchange-USER(/.*)?	gen_context(system_u:object_r:evolution_exchange_tmp_t,s0)
+ 
 diff --git a/evolution.te b/evolution.te
 index 94fb625..3742ee1 100644
 --- a/evolution.te
@@ -22464,7 +22541,7 @@ index 5cf6ac6..839999e 100644
 +	allow $1 firewalld_unit_file_t:service all_service_perms;
  ')
 diff --git a/firewalld.te b/firewalld.te
-index c8014f8..1072fcb 100644
+index c8014f8..02de884 100644
 --- a/firewalld.te
 +++ b/firewalld.te
 @@ -21,11 +21,20 @@ logging_log_file(firewalld_var_log_t)
@@ -22533,6 +22610,17 @@ index c8014f8..1072fcb 100644
  
  optional_policy(`
  	dbus_system_domain(firewalld_t, firewalld_exec_t)
+@@ -85,6 +100,10 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++	gnome_read_generic_data_home_dirs(firewalld_t)
++')
++
++optional_policy(`
+ 	iptables_domtrans(firewalld_t)
+ ')
+ 
 diff --git a/firewallgui.if b/firewallgui.if
 index e6866d1..941f4ef 100644
 --- a/firewallgui.if
@@ -24200,10 +24288,10 @@ index fd02acc..0000000
 -
 -miscfiles_read_localization(glusterd_t)
 diff --git a/gnome.fc b/gnome.fc
-index e39de43..52e5a3a 100644
+index e39de43..5818f74 100644
 --- a/gnome.fc
 +++ b/gnome.fc
-@@ -1,15 +1,57 @@
+@@ -1,15 +1,58 @@
 -HOME_DIR/\.gconf(/.*)?	gen_context(system_u:object_r:gconf_home_t,s0)
 -HOME_DIR/\.gconfd(/.*)?	gen_context(system_u:object_r:gconf_home_t,s0)
 -HOME_DIR/\.gnome(/.*)?	gen_context(system_u:object_r:gnome_home_t,s0)
@@ -24211,6 +24299,7 @@ index e39de43..52e5a3a 100644
 -HOME_DIR/\.gnome2/keyrings(/.*)?	gen_context(system_u:object_r:gnome_keyring_home_t,s0)
 -HOME_DIR/\.gnome2_private(/.*)?	gen_context(system_u:object_r:gnome_home_t,s0)
 +HOME_DIR/\.cache(/.*)?	gen_context(system_u:object_r:cache_home_t,s0)
++HOME_DIR/\.cache/dconf(/.*)?	gen_context(system_u:object_r:config_home_t,s0)
 +HOME_DIR/\.color/icc(/.*)?	gen_context(system_u:object_r:icc_data_home_t,s0)
 +HOME_DIR/\.dbus(/.*)?	gen_context(system_u:object_r:dbus_home_t,s0)
 +HOME_DIR/\.config(/.*)?	gen_context(system_u:object_r:config_home_t,s0)
@@ -24271,7 +24360,7 @@ index e39de43..52e5a3a 100644
 +/usr/libexec/gnome-system-monitor-mechanism 	--      gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
 +/usr/libexec/kde(3|4)/ksysguardprocesslist_helper	--		gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
 diff --git a/gnome.if b/gnome.if
-index d03fd43..0a785a3 100644
+index d03fd43..b000017 100644
 --- a/gnome.if
 +++ b/gnome.if
 @@ -1,123 +1,154 @@
@@ -25360,7 +25449,7 @@ index d03fd43..0a785a3 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -704,12 +812,773 @@ interface(`gnome_stream_connect_gkeyringd',`
+@@ -704,12 +812,774 @@ interface(`gnome_stream_connect_gkeyringd',`
  ##	</summary>
  ## </param>
  #
@@ -26054,6 +26143,7 @@ index d03fd43..0a785a3 100644
 +	filetrans_pattern($1, data_home_t, icc_data_home_t, dir, "icc")
 +	filetrans_pattern($1, cache_home_t, cache_home_t, dir, "fontconfig")
 +	userdom_user_tmp_filetrans($1, config_home_t, dir, "dconf")
++	gnome_cache_filetrans($1, config_home_t, dir, "dconf")
 +	gnome_filetrans_gstreamer_home_content($1)
 +')
 +
@@ -35899,10 +35989,10 @@ index 4462c0e..84944d1 100644
  
  userdom_dontaudit_use_unpriv_user_fds(monopd_t)
 diff --git a/mozilla.fc b/mozilla.fc
-index 6ffaba2..379066c 100644
+index 6ffaba2..18e3a70 100644
 --- a/mozilla.fc
 +++ b/mozilla.fc
-@@ -1,38 +1,61 @@
+@@ -1,38 +1,63 @@
 -HOME_DIR/\.galeon(/.*)?	gen_context(system_u:object_r:mozilla_home_t,s0)
 -HOME_DIR/\.mozilla(/.*)?	gen_context(system_u:object_r:mozilla_home_t,s0)
 -HOME_DIR/\.mozilla/plugins(/.*)?	gen_context(system_u:object_r:mozilla_plugin_home_t,s0)
@@ -35925,7 +36015,9 @@ index 6ffaba2..379066c 100644
 +HOME_DIR/\.galeon(/.*)?			gen_context(system_u:object_r:mozilla_home_t,s0)
 +HOME_DIR/\.java(/.*)?			gen_context(system_u:object_r:mozilla_home_t,s0)
 +HOME_DIR/\.mozilla(/.*)?		gen_context(system_u:object_r:mozilla_home_t,s0)
++HOME_DIR/\.cache\mozilla(/.*)?		gen_context(system_u:object_r:mozilla_home_t,s0)
 +HOME_DIR/\.thunderbird(/.*)?		gen_context(system_u:object_r:mozilla_home_t,s0)
++HOME_DIR/POkemon.*(/.*)?		gen_context(system_u:object_r:mozilla_home_t,s0)
 +HOME_DIR/\.netscape(/.*)?		gen_context(system_u:object_r:mozilla_home_t,s0)
 +HOME_DIR/\.phoenix(/.*)?		gen_context(system_u:object_r:mozilla_home_t,s0)
 +HOME_DIR/\.adobe(/.*)?			gen_context(system_u:object_r:mozilla_home_t,s0)
@@ -35999,7 +36091,7 @@ index 6ffaba2..379066c 100644
 +/usr/lib/nspluginwrapper/plugin-config			--	gen_context(system_u:object_r:mozilla_plugin_config_exec_t,s0)
 +')
 diff --git a/mozilla.if b/mozilla.if
-index 6194b80..97b8462 100644
+index 6194b80..648d041 100644
 --- a/mozilla.if
 +++ b/mozilla.if
 @@ -1,146 +1,75 @@
@@ -36620,7 +36712,7 @@ index 6194b80..97b8462 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -530,45 +430,48 @@ interface(`mozilla_plugin_delete_tmpfs_files',`
+@@ -530,45 +430,50 @@ interface(`mozilla_plugin_delete_tmpfs_files',`
  ##	</summary>
  ## </param>
  #
@@ -36690,11 +36782,13 @@ index 6194b80..97b8462 100644
 +	userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".ICAClient")
 +	userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, "zimbrauserdata")
 +	userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".lyx")
++	#userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, "POkemon Advanced Adventure")
 +	userdom_user_home_dir_filetrans($1, mozilla_home_t, file, ".gnashpluginrc")
++	gnome_cache_filetrans($1, mozilla_home_t, dir, "mozilla")
  ')
 +
 diff --git a/mozilla.te b/mozilla.te
-index 6a306ee..7131f6f 100644
+index 6a306ee..4c1c064 100644
 --- a/mozilla.te
 +++ b/mozilla.te
 @@ -1,4 +1,4 @@
@@ -36953,10 +37047,10 @@ index 6a306ee..7131f6f 100644
 -userdom_manage_user_home_content_dirs(mozilla_t)
 -userdom_manage_user_home_content_files(mozilla_t)
 -userdom_user_home_dir_filetrans_user_home_content(mozilla_t, { dir file })
+-
+-userdom_write_user_tmp_sockets(mozilla_t)
 +userdom_use_inherited_user_ptys(mozilla_t)
  
--userdom_write_user_tmp_sockets(mozilla_t)
--
 -mozilla_run_plugin(mozilla_t, mozilla_roles)
 -mozilla_run_plugin_config(mozilla_t, mozilla_roles)
 +#mozilla_run_plugin(mozilla_t, mozilla_roles)
@@ -37434,25 +37528,21 @@ index 6a306ee..7131f6f 100644
  ')
  
  optional_policy(`
-@@ -523,36 +481,43 @@ optional_policy(`
+@@ -523,36 +481,47 @@ optional_policy(`
  ')
  
  optional_policy(`
 -	automount_dontaudit_getattr_tmp_dirs(mozilla_plugin_t)
-+	dbus_system_bus_client(mozilla_plugin_t)
-+	dbus_session_bus_client(mozilla_plugin_t)
-+	dbus_connect_session_bus(mozilla_plugin_t)
-+	dbus_read_lib_files(mozilla_plugin_t)
++	apache_list_modules(mozilla_plugin_t)
  ')
  
  optional_policy(`
 -	dbus_all_session_bus_client(mozilla_plugin_t)
 -	dbus_connect_all_session_bus(mozilla_plugin_t)
--	dbus_system_bus_client(mozilla_plugin_t)
-+	gnome_manage_config(mozilla_plugin_t)
-+	gnome_read_usr_config(mozilla_plugin_t)
-+	gnome_filetrans_home_content(mozilla_plugin_t)
-+	gnome_exec_gstreamer_home_files(mozilla_plugin_t)
+ 	dbus_system_bus_client(mozilla_plugin_t)
++	dbus_session_bus_client(mozilla_plugin_t)
++	dbus_connect_session_bus(mozilla_plugin_t)
++	dbus_read_lib_files(mozilla_plugin_t)
  ')
  
  optional_policy(`
@@ -37460,6 +37550,13 @@ index 6a306ee..7131f6f 100644
 -	gnome_home_filetrans_gnome_home(mozilla_plugin_t, dir, ".gnome")
 -	gnome_home_filetrans_gnome_home(mozilla_plugin_t, dir, ".gnome2")
 -	gnome_home_filetrans_gnome_home(mozilla_plugin_t, dir, ".gnome2_private")
++	gnome_manage_config(mozilla_plugin_t)
++	gnome_read_usr_config(mozilla_plugin_t)
++	gnome_filetrans_home_content(mozilla_plugin_t)
++	gnome_exec_gstreamer_home_files(mozilla_plugin_t)
++')
++
++optional_policy(`
 +	gpm_dontaudit_getattr_gpmctl(mozilla_plugin_t)
  ')
  
@@ -37492,7 +37589,7 @@ index 6a306ee..7131f6f 100644
  ')
  
  optional_policy(`
-@@ -560,7 +525,7 @@ optional_policy(`
+@@ -560,7 +529,7 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -37501,7 +37598,7 @@ index 6a306ee..7131f6f 100644
  ')
  
  optional_policy(`
-@@ -568,108 +533,108 @@ optional_policy(`
+@@ -568,108 +537,108 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -41695,7 +41792,7 @@ index 0641e97..d7d9a79 100644
 +	admin_pattern($1, nrpe_etc_t)
  ')
 diff --git a/nagios.te b/nagios.te
-index 44ad3b7..7508aef 100644
+index 44ad3b7..f675581 100644
 --- a/nagios.te
 +++ b/nagios.te
 @@ -27,7 +27,7 @@ type nagios_var_run_t;
@@ -41734,7 +41831,17 @@ index 44ad3b7..7508aef 100644
  
  ########################################
  #
-@@ -123,7 +124,6 @@ kernel_read_software_raid_state(nagios_t)
+@@ -110,7 +111,8 @@ manage_files_pattern(nagios_t, nagios_var_run_t, nagios_var_run_t)
+ files_pid_filetrans(nagios_t, nagios_var_run_t, file)
+ 
+ manage_fifo_files_pattern(nagios_t, nagios_spool_t, nagios_spool_t)
+-files_spool_filetrans(nagios_t, nagios_spool_t, fifo_file)
++manage_fifo_files_pattern(nagios_t, nagios_spool_t, nagios_spool_t)
++files_spool_filetrans(nagios_t, nagios_spool_t, { file fifo_file})
+ 
+ manage_files_pattern(nagios_t, nagios_var_lib_t, nagios_var_lib_t)
+ manage_fifo_files_pattern(nagios_t, nagios_var_lib_t, nagios_var_lib_t)
+@@ -123,7 +125,6 @@ kernel_read_software_raid_state(nagios_t)
  corecmd_exec_bin(nagios_t)
  corecmd_exec_shell(nagios_t)
  
@@ -41742,7 +41849,7 @@ index 44ad3b7..7508aef 100644
  corenet_all_recvfrom_netlabel(nagios_t)
  corenet_tcp_sendrecv_generic_if(nagios_t)
  corenet_tcp_sendrecv_generic_node(nagios_t)
-@@ -143,7 +143,6 @@ domain_read_all_domains_state(nagios_t)
+@@ -143,7 +144,6 @@ domain_read_all_domains_state(nagios_t)
  
  files_read_etc_runtime_files(nagios_t)
  files_read_kernel_symbol_table(nagios_t)
@@ -41750,7 +41857,7 @@ index 44ad3b7..7508aef 100644
  files_search_spool(nagios_t)
  
  fs_getattr_all_fs(nagios_t)
-@@ -153,8 +152,6 @@ auth_use_nsswitch(nagios_t)
+@@ -153,8 +153,6 @@ auth_use_nsswitch(nagios_t)
  
  logging_send_syslog_msg(nagios_t)
  
@@ -41759,7 +41866,7 @@ index 44ad3b7..7508aef 100644
  userdom_dontaudit_use_unpriv_user_fds(nagios_t)
  userdom_dontaudit_search_user_home_dirs(nagios_t)
  
-@@ -178,6 +175,7 @@ optional_policy(`
+@@ -178,6 +176,7 @@ optional_policy(`
  #
  # CGI local policy
  #
@@ -41767,7 +41874,7 @@ index 44ad3b7..7508aef 100644
  optional_policy(`
  	apache_content_template(nagios)
  	typealias httpd_nagios_script_t alias nagios_cgi_t;
-@@ -231,7 +229,6 @@ domtrans_pattern(nrpe_t, nagios_checkdisk_plugin_exec_t, nagios_checkdisk_plugin
+@@ -231,7 +230,6 @@ domtrans_pattern(nrpe_t, nagios_checkdisk_plugin_exec_t, nagios_checkdisk_plugin
  
  kernel_read_kernel_sysctls(nrpe_t)
  kernel_read_software_raid_state(nrpe_t)
@@ -41775,7 +41882,7 @@ index 44ad3b7..7508aef 100644
  
  corecmd_exec_bin(nrpe_t)
  corecmd_exec_shell(nrpe_t)
-@@ -253,7 +250,6 @@ domain_use_interactive_fds(nrpe_t)
+@@ -253,7 +251,6 @@ domain_use_interactive_fds(nrpe_t)
  domain_read_all_domains_state(nrpe_t)
  
  files_read_etc_runtime_files(nrpe_t)
@@ -41783,7 +41890,7 @@ index 44ad3b7..7508aef 100644
  
  fs_getattr_all_fs(nrpe_t)
  fs_search_auto_mountpoints(nrpe_t)
-@@ -262,8 +258,6 @@ auth_use_nsswitch(nrpe_t)
+@@ -262,8 +259,6 @@ auth_use_nsswitch(nrpe_t)
  
  logging_send_syslog_msg(nrpe_t)
  
@@ -41792,7 +41899,7 @@ index 44ad3b7..7508aef 100644
  userdom_dontaudit_use_unpriv_user_fds(nrpe_t)
  
  optional_policy(`
-@@ -310,15 +304,15 @@ files_getattr_all_file_type_fs(nagios_admin_plugin_t)
+@@ -310,15 +305,15 @@ files_getattr_all_file_type_fs(nagios_admin_plugin_t)
  #
  
  allow nagios_mail_plugin_t self:capability { setuid setgid dac_override };
@@ -41811,7 +41918,7 @@ index 44ad3b7..7508aef 100644
  logging_send_syslog_msg(nagios_mail_plugin_t)
  
  sysnet_dns_name_resolve(nagios_mail_plugin_t)
-@@ -345,6 +339,7 @@ allow nagios_checkdisk_plugin_t self:capability { sys_admin sys_rawio };
+@@ -345,6 +340,7 @@ allow nagios_checkdisk_plugin_t self:capability { sys_admin sys_rawio };
  
  kernel_read_software_raid_state(nagios_checkdisk_plugin_t)
  
@@ -41819,7 +41926,7 @@ index 44ad3b7..7508aef 100644
  files_getattr_all_mountpoints(nagios_checkdisk_plugin_t)
  files_read_etc_runtime_files(nagios_checkdisk_plugin_t)
  
-@@ -357,9 +352,11 @@ storage_raw_read_fixed_disk(nagios_checkdisk_plugin_t)
+@@ -357,9 +353,11 @@ storage_raw_read_fixed_disk(nagios_checkdisk_plugin_t)
  # Services local policy
  #
  
@@ -41833,7 +41940,7 @@ index 44ad3b7..7508aef 100644
  
  corecmd_exec_bin(nagios_services_plugin_t)
  
-@@ -411,6 +408,7 @@ manage_files_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_
+@@ -411,6 +409,7 @@ manage_files_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_
  manage_dirs_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_system_plugin_tmp_t)
  files_tmp_filetrans(nagios_system_plugin_t, nagios_system_plugin_tmp_t, { dir file })
  
@@ -41841,7 +41948,7 @@ index 44ad3b7..7508aef 100644
  kernel_read_kernel_sysctls(nagios_system_plugin_t)
  
  corecmd_exec_bin(nagios_system_plugin_t)
-@@ -420,10 +418,10 @@ dev_read_sysfs(nagios_system_plugin_t)
+@@ -420,10 +419,10 @@ dev_read_sysfs(nagios_system_plugin_t)
  
  domain_read_all_domains_state(nagios_system_plugin_t)
  
@@ -41854,7 +41961,7 @@ index 44ad3b7..7508aef 100644
  optional_policy(`
  	init_read_utmp(nagios_system_plugin_t)
  ')
-@@ -442,6 +440,14 @@ corecmd_exec_shell(nagios_eventhandler_plugin_t)
+@@ -442,6 +441,14 @@ corecmd_exec_shell(nagios_eventhandler_plugin_t)
  
  init_domtrans_script(nagios_eventhandler_plugin_t)
  
@@ -41869,7 +41976,7 @@ index 44ad3b7..7508aef 100644
  ########################################
  #
  # Unconfined plugin policy
-@@ -450,3 +456,6 @@ init_domtrans_script(nagios_eventhandler_plugin_t)
+@@ -450,3 +457,6 @@ init_domtrans_script(nagios_eventhandler_plugin_t)
  optional_policy(`
  	unconfined_domain(nagios_unconfined_plugin_t)
  ')
@@ -48094,10 +48201,10 @@ index 0000000..407386d
 +')
 diff --git a/openshift.te b/openshift.te
 new file mode 100644
-index 0000000..d859b72
+index 0000000..45e60e5
 --- /dev/null
 +++ b/openshift.te
-@@ -0,0 +1,481 @@
+@@ -0,0 +1,526 @@
 +policy_module(openshift,1.0.0)
 +
 +gen_require(`
@@ -48438,12 +48545,57 @@ index 0000000..d859b72
 +
 +allow openshift_user_domain openshift_domain:process ptrace;
 +
++mta_signal_user_agent(openshift_user_domain)
++
 +optional_policy(`
 +	ssh_rw_tcp_sockets(openshift_user_domain)
 +')
 +
 +############################################################################
 +#
++# Rules specific to openshift_net_domains
++#
++allow openshift_net_domain openshift_port_t:tcp_socket { name_connect name_bind };
++allow openshift_net_domain openshift_port_t:udp_socket name_bind;
++
++corenet_tcp_connect_mssql_port(openshift_net_domain)
++corenet_tcp_connect_mysqld_port(openshift_net_domain)
++corenet_tcp_connect_postgresql_port(openshift_net_domain)
++corenet_tcp_connect_git_port(openshift_net_domain)
++corenet_tcp_connect_oracle_port(openshift_net_domain)
++corenet_tcp_connect_flash_port(openshift_net_domain)
++corenet_tcp_connect_http_port(openshift_net_domain)
++corenet_tcp_connect_ftp_port(openshift_net_domain)
++#/* These ports are the ephemeral ports needed for ftp */
++corenet_tcp_connect_virt_migration_port(openshift_net_domain)
++corenet_tcp_connect_ssh_port(openshift_net_domain)
++corenet_tcp_connect_jacorb_port(openshift_net_domain)
++corenet_tcp_connect_jboss_management_port(openshift_net_domain)
++corenet_tcp_connect_jboss_debug_port(openshift_net_domain)
++corenet_tcp_connect_jboss_messaging_port(openshift_net_domain)
++corenet_tcp_connect_memcache_port(openshift_net_domain)
++corenet_tcp_connect_http_cache_port(openshift_net_domain)
++corenet_tcp_connect_amqp_port(openshift_net_domain)
++corenet_tcp_connect_generic_port(openshift_net_domain)
++corenet_tcp_connect_mongod_port(openshift_net_domain)
++corenet_tcp_connect_munin_port(openshift_net_domain)
++corenet_tcp_connect_pop_port(openshift_net_domain)
++corenet_tcp_connect_pulseaudio_port(openshift_net_domain)
++corenet_tcp_connect_smtp_port(openshift_net_domain)
++corenet_tcp_connect_whois_port(openshift_net_domain)
++corenet_udp_bind_generic_port(openshift_net_domain)
++corenet_tcp_bind_http_cache_port(openshift_domain)
++corenet_tcp_bind_jacorb_port(openshift_net_domain)
++corenet_tcp_bind_jboss_management_port(openshift_net_domain)
++corenet_tcp_bind_jboss_messaging_port(openshift_net_domain)
++corenet_tcp_bind_jboss_debug_port(openshift_net_domain)
++corenet_tcp_bind_mongod_port(openshift_net_domain)
++corenet_tcp_bind_mysqld_port(openshift_domain)
++corenet_tcp_bind_pulseaudio_port(openshift_net_domain)
++corenet_tcp_bind_postgresql_port(openshift_net_domain)
++
++############################################################################
++#
 +# Rules specific to openshift and openshift_app_t
 +#
 +kernel_read_vm_sysctls(openshift_t)
@@ -50827,15 +50979,17 @@ index 977b972..0000000
 -miscfiles_read_localization(pkcs_slotd_t)
 diff --git a/pkcsslotd.fc b/pkcsslotd.fc
 new file mode 100644
-index 0000000..dd1b8f2
+index 0000000..38fa01d
 --- /dev/null
 +++ b/pkcsslotd.fc
-@@ -0,0 +1,5 @@
+@@ -0,0 +1,7 @@
 +/usr/lib/systemd/system/pkcsslotd.service		--	gen_context(system_u:object_r:pkcsslotd_unit_file_t,s0)
 +
 +/usr/sbin/pkcsslotd		--	gen_context(system_u:object_r:pkcsslotd_exec_t,s0)
 +
 +/var/lib/opencryptoki(/.*)?		gen_context(system_u:object_r:pkcsslotd_var_lib_t,s0)
++
++/var/lock/opencryptoki(/.*)?	gen_context(system_u:object_r:pkcsslotd_lock_t,s0)
 diff --git a/pkcsslotd.if b/pkcsslotd.if
 new file mode 100644
 index 0000000..848ddc9
@@ -50999,10 +51153,10 @@ index 0000000..848ddc9
 +')
 diff --git a/pkcsslotd.te b/pkcsslotd.te
 new file mode 100644
-index 0000000..d6d79b9
+index 0000000..f788d35
 --- /dev/null
 +++ b/pkcsslotd.te
-@@ -0,0 +1,60 @@
+@@ -0,0 +1,66 @@
 +policy_module(pkcsslotd, 1.0.0)
 +
 +########################################
@@ -51017,6 +51171,9 @@ index 0000000..d6d79b9
 +type pkcsslotd_var_lib_t;
 +files_type(pkcsslotd_var_lib_t)
 +
++type pkcsslotd_lock_t;
++files_lock_file(pkcsslotd_lock_t)
++
 +type pkcsslotd_unit_file_t;
 +systemd_unit_file(pkcsslotd_unit_file_t)
 +
@@ -51034,14 +51191,16 @@ index 0000000..d6d79b9
 +# pkcsslotd local policy
 +#
 +
-+allow pkcsslotd_t self:capability { kill };
-+allow pkcsslotd_t self:process { fork };
++allow pkcsslotd_t self:capability { chown kill };
 +
 +allow pkcsslotd_t self:fifo_file rw_fifo_file_perms;
 +allow pkcsslotd_t self:sem create_sem_perms;
 +allow pkcsslotd_t self:shm create_shm_perms;
 +allow pkcsslotd_t self:unix_stream_socket create_stream_socket_perms;
 +
++manage_files_pattern(pkcsslotd_t, pkcsslotd_lock_t, pkcsslotd_lock_t)
++files_lock_filetrans(pkcsslotd_t, pkcsslotd_lock_t, file)
++
 +manage_dirs_pattern(pkcsslotd_t, pkcsslotd_tmp_t, pkcsslotd_tmp_t)
 +manage_files_pattern(pkcsslotd_t, pkcsslotd_tmp_t, pkcsslotd_tmp_t)
 +files_tmp_filetrans(pkcsslotd_t, pkcsslotd_tmp_t, { file dir })
@@ -51061,6 +51220,7 @@ index 0000000..d6d79b9
 +
 +domain_use_interactive_fds(pkcsslotd_t)
 +
++auth_read_passwd(pkcsslotd_t)
 +
 +logging_send_syslog_msg(pkcsslotd_t)
 diff --git a/pki.fc b/pki.fc
@@ -63845,7 +64005,7 @@ index 47de2d6..1f5dbf8 100644
 +/var/log/cluster/corosync\.log.*    --  gen_context(system_u:object_r:cluster_var_log_t,s0)
 +/var/log/cluster/rgmanager\.log.*       --  gen_context(system_u:object_r:cluster_var_log_t,s0)
 diff --git a/rhcs.if b/rhcs.if
-index 56bc01f..27c4de4 100644
+index 56bc01f..cbca7aa 100644
 --- a/rhcs.if
 +++ b/rhcs.if
 @@ -1,19 +1,19 @@
@@ -63874,27 +64034,19 @@ index 56bc01f..27c4de4 100644
  	')
  
  	##############################
-@@ -28,7 +28,7 @@ template(`rhcs_domain_template',`
- 	type $1_tmpfs_t, cluster_tmpfs;
- 	files_tmpfs_file($1_tmpfs_t)
- 
--	type $1_var_log_t, cluster_log;
-+	type $1_var_log_t;
- 	logging_log_file($1_var_log_t)
- 
- 	type $1_var_run_t, cluster_pid;
-@@ -44,9 +44,7 @@ template(`rhcs_domain_template',`
+@@ -43,11 +43,6 @@ template(`rhcs_domain_template',`
+ 	manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
  	fs_tmpfs_filetrans($1_t, $1_tmpfs_t, { dir file })
  
- 	manage_dirs_pattern($1_t, $1_var_log_t, $1_var_log_t)
+-	manage_dirs_pattern($1_t, $1_var_log_t, $1_var_log_t)
 -	append_files_pattern($1_t, $1_var_log_t, $1_var_log_t)
 -	create_files_pattern($1_t, $1_var_log_t, $1_var_log_t)
 -	setattr_files_pattern($1_t, $1_var_log_t, $1_var_log_t)
-+	manage_files_pattern($1_t, $1_var_log_t, $1_var_log_t)
- 	manage_sock_files_pattern($1_t, $1_var_log_t, $1_var_log_t)
+-	manage_sock_files_pattern($1_t, $1_var_log_t, $1_var_log_t)
  	logging_log_filetrans($1_t, $1_var_log_t, { dir file sock_file })
  
-@@ -56,20 +54,19 @@ template(`rhcs_domain_template',`
+ 	manage_dirs_pattern($1_t, $1_var_run_t, $1_var_run_t)
+@@ -56,20 +51,19 @@ template(`rhcs_domain_template',`
  	manage_sock_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
  	files_pid_filetrans($1_t, $1_var_run_t, { dir file fifo_file })
  
@@ -63921,7 +64073,7 @@ index 56bc01f..27c4de4 100644
  ## </param>
  #
  interface(`rhcs_domtrans_dlm_controld',`
-@@ -83,27 +80,8 @@ interface(`rhcs_domtrans_dlm_controld',`
+@@ -83,27 +77,8 @@ interface(`rhcs_domtrans_dlm_controld',`
  
  #####################################
  ## <summary>
@@ -63951,7 +64103,7 @@ index 56bc01f..27c4de4 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -122,7 +100,7 @@ interface(`rhcs_stream_connect_dlm_controld',`
+@@ -122,7 +97,7 @@ interface(`rhcs_stream_connect_dlm_controld',`
  
  #####################################
  ## <summary>
@@ -63960,7 +64112,7 @@ index 56bc01f..27c4de4 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -160,9 +138,27 @@ interface(`rhcs_domtrans_fenced',`
+@@ -160,9 +135,27 @@ interface(`rhcs_domtrans_fenced',`
  	domtrans_pattern($1, fenced_exec_t, fenced_t)
  ')
  
@@ -63989,7 +64141,7 @@ index 56bc01f..27c4de4 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -181,10 +177,9 @@ interface(`rhcs_rw_fenced_semaphores',`
+@@ -181,10 +174,9 @@ interface(`rhcs_rw_fenced_semaphores',`
  	manage_files_pattern($1, fenced_tmpfs_t, fenced_tmpfs_t)
  ')
  
@@ -64002,7 +64154,7 @@ index 56bc01f..27c4de4 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -192,19 +187,18 @@ interface(`rhcs_rw_fenced_semaphores',`
+@@ -192,19 +184,18 @@ interface(`rhcs_rw_fenced_semaphores',`
  ##	</summary>
  ## </param>
  #
@@ -64026,7 +64178,7 @@ index 56bc01f..27c4de4 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -223,8 +217,7 @@ interface(`rhcs_stream_connect_fenced',`
+@@ -223,8 +214,7 @@ interface(`rhcs_stream_connect_fenced',`
  
  #####################################
  ## <summary>
@@ -64036,7 +64188,7 @@ index 56bc01f..27c4de4 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -243,7 +236,7 @@ interface(`rhcs_domtrans_gfs_controld',`
+@@ -243,7 +233,7 @@ interface(`rhcs_domtrans_gfs_controld',`
  
  ####################################
  ## <summary>
@@ -64045,7 +64197,7 @@ index 56bc01f..27c4de4 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -264,7 +257,7 @@ interface(`rhcs_rw_gfs_controld_semaphores',`
+@@ -264,7 +254,7 @@ interface(`rhcs_rw_gfs_controld_semaphores',`
  
  ########################################
  ## <summary>
@@ -64054,7 +64206,7 @@ index 56bc01f..27c4de4 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -285,8 +278,7 @@ interface(`rhcs_rw_gfs_controld_shm',`
+@@ -285,8 +275,7 @@ interface(`rhcs_rw_gfs_controld_shm',`
  
  #####################################
  ## <summary>
@@ -64064,7 +64216,7 @@ index 56bc01f..27c4de4 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -324,8 +316,8 @@ interface(`rhcs_domtrans_groupd',`
+@@ -324,8 +313,8 @@ interface(`rhcs_domtrans_groupd',`
  
  #####################################
  ## <summary>
@@ -64075,7 +64227,7 @@ index 56bc01f..27c4de4 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -342,10 +334,9 @@ interface(`rhcs_stream_connect_groupd',`
+@@ -342,10 +331,9 @@ interface(`rhcs_stream_connect_groupd',`
  	stream_connect_pattern($1, groupd_var_run_t, groupd_var_run_t, groupd_t)
  ')
  
@@ -64088,7 +64240,7 @@ index 56bc01f..27c4de4 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -353,21 +344,20 @@ interface(`rhcs_stream_connect_groupd',`
+@@ -353,21 +341,20 @@ interface(`rhcs_stream_connect_groupd',`
  ##	</summary>
  ## </param>
  #
@@ -64116,7 +64268,7 @@ index 56bc01f..27c4de4 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -375,17 +365,20 @@ interface(`rhcs_rw_cluster_shm',`
+@@ -375,17 +362,20 @@ interface(`rhcs_rw_cluster_shm',`
  ##	</summary>
  ## </param>
  #
@@ -64142,7 +64294,7 @@ index 56bc01f..27c4de4 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -393,20 +386,20 @@ interface(`rhcs_rw_cluster_semaphores',`
+@@ -393,20 +383,20 @@ interface(`rhcs_rw_cluster_semaphores',`
  ##	</summary>
  ## </param>
  #
@@ -64169,7 +64321,7 @@ index 56bc01f..27c4de4 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -414,15 +407,32 @@ interface(`rhcs_rw_groupd_semaphores',`
+@@ -414,15 +404,32 @@ interface(`rhcs_rw_groupd_semaphores',`
  ##	</summary>
  ## </param>
  #
@@ -64207,7 +64359,7 @@ index 56bc01f..27c4de4 100644
  ')
  
  ######################################
-@@ -446,52 +456,322 @@ interface(`rhcs_domtrans_qdiskd',`
+@@ -446,52 +453,322 @@ interface(`rhcs_domtrans_qdiskd',`
  
  ########################################
  ## <summary>
@@ -64559,7 +64711,7 @@ index 56bc01f..27c4de4 100644
 +    allow $1 cluster_unit_file_t:service all_service_perms;
  ')
 diff --git a/rhcs.te b/rhcs.te
-index 2c2de9a..a1461c9 100644
+index 2c2de9a..bbe8875 100644
 --- a/rhcs.te
 +++ b/rhcs.te
 @@ -20,6 +20,27 @@ gen_tunable(fenced_can_network_connect, false)
@@ -64590,7 +64742,7 @@ index 2c2de9a..a1461c9 100644
  attribute cluster_domain;
  attribute cluster_log;
  attribute cluster_pid;
-@@ -50,28 +71,259 @@ rhcs_domain_template(qdiskd)
+@@ -50,28 +71,263 @@ rhcs_domain_template(qdiskd)
  type qdiskd_var_lib_t;
  files_type(qdiskd_var_lib_t)
  
@@ -64634,11 +64786,18 @@ index 2c2de9a..a1461c9 100644
  allow cluster_domain self:unix_dgram_socket create_socket_perms;
  
 -logging_send_syslog_msg(cluster_domain)
-+optional_policy(`
-+	ccs_stream_connect(cluster_domain)
-+')
-+
-+optional_policy(`
+-
+-miscfiles_read_localization(cluster_domain)
++manage_dirs_pattern(cluster_domain, cluster_log, cluster_log)
++manage_files_pattern(cluster_domain, cluster_log, cluster_log)
++manage_sock_files_pattern(cluster_domain, cluster_log, cluster_log)
+ 
+ optional_policy(`
+ 	ccs_stream_connect(cluster_domain)
+ ')
+ 
+ optional_policy(`
+-	corosync_stream_connect(cluster_domain)
 +	dbus_system_bus_client(cluster_domain)
 +')
 +
@@ -64646,8 +64805,7 @@ index 2c2de9a..a1461c9 100644
 +#
 +# cluster domain local policy
 +#
- 
--miscfiles_read_localization(cluster_domain)
++
 +allow cluster_t self:capability { dac_override fowner setuid setgid sys_nice sys_admin sys_resource ipc_lock ipc_owner };
 +# for hearbeat
 +allow cluster_t self:capability { net_raw chown };
@@ -64741,14 +64899,12 @@ index 2c2de9a..a1461c9 100644
 +	files_manage_isid_type_dirs(cluster_t)
 +	fs_manage_tmpfs_files(cluster_t)
 +')
- 
- optional_policy(`
--	ccs_stream_connect(cluster_domain)
++
++optional_policy(`
 +    ccs_read_config(cluster_t)
- ')
- 
- optional_policy(`
--	corosync_stream_connect(cluster_domain)
++')
++
++optional_policy(`
 +    cmirrord_rw_shm(cluster_t)
 +')
 +
@@ -64855,7 +65011,7 @@ index 2c2de9a..a1461c9 100644
  ')
  
  #####################################
-@@ -98,6 +350,12 @@ fs_manage_configfs_dirs(dlm_controld_t)
+@@ -98,6 +354,12 @@ fs_manage_configfs_dirs(dlm_controld_t)
  
  init_rw_script_tmp_files(dlm_controld_t)
  
@@ -64868,7 +65024,7 @@ index 2c2de9a..a1461c9 100644
  #######################################
  #
  # fenced local policy
-@@ -105,9 +363,13 @@ init_rw_script_tmp_files(dlm_controld_t)
+@@ -105,9 +367,13 @@ init_rw_script_tmp_files(dlm_controld_t)
  
  allow fenced_t self:capability { sys_rawio sys_resource };
  allow fenced_t self:process { getsched signal_perms };
@@ -64883,7 +65039,7 @@ index 2c2de9a..a1461c9 100644
  manage_files_pattern(fenced_t, fenced_lock_t, fenced_lock_t)
  files_lock_filetrans(fenced_t, fenced_lock_t, file)
  
-@@ -118,9 +380,8 @@ files_tmp_filetrans(fenced_t, fenced_tmp_t, { file fifo_file dir })
+@@ -118,9 +384,8 @@ files_tmp_filetrans(fenced_t, fenced_tmp_t, { file fifo_file dir })
  
  stream_connect_pattern(fenced_t, groupd_var_run_t, groupd_var_run_t, groupd_t)
  
@@ -64894,7 +65050,7 @@ index 2c2de9a..a1461c9 100644
  
  corecmd_exec_bin(fenced_t)
  corecmd_exec_shell(fenced_t)
-@@ -148,9 +409,7 @@ corenet_tcp_sendrecv_http_port(fenced_t)
+@@ -148,9 +413,7 @@ corenet_tcp_sendrecv_http_port(fenced_t)
  
  dev_read_sysfs(fenced_t)
  dev_read_urand(fenced_t)
@@ -64905,7 +65061,7 @@ index 2c2de9a..a1461c9 100644
  
  storage_raw_read_fixed_disk(fenced_t)
  storage_raw_write_fixed_disk(fenced_t)
-@@ -160,7 +419,7 @@ term_getattr_pty_fs(fenced_t)
+@@ -160,7 +423,7 @@ term_getattr_pty_fs(fenced_t)
  term_use_generic_ptys(fenced_t)
  term_use_ptmx(fenced_t)
  
@@ -64914,7 +65070,7 @@ index 2c2de9a..a1461c9 100644
  
  tunable_policy(`fenced_can_network_connect',`
  	corenet_sendrecv_all_client_packets(fenced_t)
-@@ -190,10 +449,6 @@ optional_policy(`
+@@ -190,10 +453,6 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -64925,7 +65081,7 @@ index 2c2de9a..a1461c9 100644
  	lvm_domtrans(fenced_t)
  	lvm_read_config(fenced_t)
  ')
-@@ -203,6 +458,13 @@ optional_policy(`
+@@ -203,6 +462,13 @@ optional_policy(`
  	snmp_manage_var_lib_dirs(fenced_t)
  ')
  
@@ -64939,7 +65095,7 @@ index 2c2de9a..a1461c9 100644
  #######################################
  #
  # foghorn local policy
-@@ -223,7 +485,8 @@ corenet_tcp_sendrecv_agentx_port(foghorn_t)
+@@ -223,7 +489,8 @@ corenet_tcp_sendrecv_agentx_port(foghorn_t)
  
  dev_read_urand(foghorn_t)
  
@@ -64949,7 +65105,7 @@ index 2c2de9a..a1461c9 100644
  
  optional_policy(`
  	dbus_connect_system_bus(foghorn_t)
-@@ -257,6 +520,8 @@ storage_getattr_removable_dev(gfs_controld_t)
+@@ -257,6 +524,8 @@ storage_getattr_removable_dev(gfs_controld_t)
  
  init_rw_script_tmp_files(gfs_controld_t)
  
@@ -64958,7 +65114,7 @@ index 2c2de9a..a1461c9 100644
  optional_policy(`
  	lvm_exec(gfs_controld_t)
  	dev_rw_lvm_control(gfs_controld_t)
-@@ -275,10 +540,10 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t)
+@@ -275,10 +544,10 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t)
  
  dev_list_sysfs(groupd_t)
  
@@ -64971,7 +65127,7 @@ index 2c2de9a..a1461c9 100644
  ######################################
  #
  # qdiskd local policy
-@@ -321,6 +586,8 @@ storage_raw_write_fixed_disk(qdiskd_t)
+@@ -321,6 +590,8 @@ storage_raw_write_fixed_disk(qdiskd_t)
  
  auth_use_nsswitch(qdiskd_t)
  
@@ -67425,10 +67581,10 @@ index c49828c..a323332 100644
  sysnet_dns_name_resolve(rpcbind_t)
  
 diff --git a/rpm.fc b/rpm.fc
-index ebe91fc..cba31f2 100644
+index ebe91fc..54fe358 100644
 --- a/rpm.fc
 +++ b/rpm.fc
-@@ -1,61 +1,68 @@
+@@ -1,61 +1,69 @@
 -/bin/rpm	--	gen_context(system_u:object_r:rpm_exec_t,s0)
  
 -/etc/rc\.d/init\.d/bcfg2	--	gen_context(system_u:object_r:rpm_initrc_exec_t,s0)
@@ -67451,6 +67607,7 @@ index ebe91fc..cba31f2 100644
 +/bin/yum-builddep		--	gen_context(system_u:object_r:rpm_exec_t,s0)
 +/usr/bin/yum 			--	gen_context(system_u:object_r:rpm_exec_t,s0)
 +/usr/bin/yum-builddep	--	gen_context(system_u:object_r:rpm_exec_t,s0)
++/usr/bin/repoquery		--	gen_context(system_u:object_r:rpm_exec_t,s0)		
 +/usr/bin/zif 			--	gen_context(system_u:object_r:rpm_exec_t,s0)
  
  /usr/libexec/packagekitd	--	gen_context(system_u:object_r:rpm_exec_t,s0)
@@ -68698,12 +68855,28 @@ index d25301b..d92f567 100644
  
  /var/run/rsyncd\.lock	--	gen_context(system_u:object_r:rsync_var_run_t,s0)
 diff --git a/rsync.if b/rsync.if
-index f1140ef..c5bd83a 100644
+index f1140ef..ebc2190 100644
 --- a/rsync.if
 +++ b/rsync.if
-@@ -1,16 +1,16 @@
+@@ -1,16 +1,32 @@
 -## <summary>Fast incremental file transfer for synchronization.</summary>
 +## <summary>Fast incremental file transfer for synchronization</summary>
++
++#######################################
++## <summary>
++##      Sendmail stub interface.  No access allowed.
++## </summary>
++## <param name="domain" unused="true">
++##      <summary>
++##      Domain allowed access.
++##      </summary>
++## </param>
++#
++interface(`sendmail_stub',`
++gen_require(`
++type sendmail_t;
++')
++')
  
  ########################################
  ## <summary>
@@ -68723,7 +68896,7 @@ index f1140ef..c5bd83a 100644
  interface(`rsync_entry_type',`
  	gen_require(`
  		type rsync_exec_t;
-@@ -43,14 +43,13 @@ interface(`rsync_entry_type',`
+@@ -43,14 +59,13 @@ interface(`rsync_entry_type',`
  ##	Domain to transition to.
  ##	</summary>
  ## </param>
@@ -68740,7 +68913,7 @@ index f1140ef..c5bd83a 100644
  ')
  
  ########################################
-@@ -77,76 +76,31 @@ interface(`rsync_entry_spec_domtrans',`
+@@ -77,76 +92,31 @@ interface(`rsync_entry_spec_domtrans',`
  ##	Domain to transition to.
  ##	</summary>
  ## </param>
@@ -68820,7 +68993,7 @@ index f1140ef..c5bd83a 100644
  	can_exec($1, rsync_exec_t)
  ')
  
-@@ -165,13 +119,13 @@ interface(`rsync_read_config',`
+@@ -165,13 +135,13 @@ interface(`rsync_read_config',`
  		type rsync_etc_t;
  	')
  
@@ -68836,7 +69009,7 @@ index f1140ef..c5bd83a 100644
  ## </summary>
  ## <param name="domain">
  ## <summary>
-@@ -179,19 +133,18 @@ interface(`rsync_read_config',`
+@@ -179,19 +149,18 @@ interface(`rsync_read_config',`
  ## </summary>
  ## </param>
  #
@@ -68861,7 +69034,7 @@ index f1140ef..c5bd83a 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -199,83 +152,54 @@ interface(`rsync_write_config',`
+@@ -199,83 +168,54 @@ interface(`rsync_write_config',`
  ##	</summary>
  ## </param>
  #
@@ -73588,7 +73761,7 @@ index d14b6bf..da5d41d 100644
 +/var/run/sendmail\.pid		--	gen_context(system_u:object_r:sendmail_var_run_t,s0)
 +/var/run/sm-client\.pid		--	gen_context(system_u:object_r:sendmail_var_run_t,s0)
 diff --git a/sendmail.if b/sendmail.if
-index 88e753f..ca74cd9 100644
+index 88e753f..e25aecc 100644
 --- a/sendmail.if
 +++ b/sendmail.if
 @@ -1,4 +1,4 @@
@@ -73597,6 +73770,15 @@ index 88e753f..ca74cd9 100644
  
  ########################################
  ## <summary>
+@@ -10,7 +10,7 @@
+ ##	</summary>
+ ## </param>
+ #
+-interface(`sendmail_stub',`
++interface(`rsync_stub',`
+ 	gen_require(`
+ 		type sendmail_t;
+ 	')
 @@ -18,7 +18,8 @@ interface(`sendmail_stub',`
  
  ########################################
@@ -74296,7 +74478,7 @@ index 3a9a70b..039b0c8 100644
  	logging_list_logs($1)
  	admin_pattern($1, setroubleshoot_var_log_t)
 diff --git a/setroubleshoot.te b/setroubleshoot.te
-index 49b12ae..c6f3302 100644
+index 49b12ae..a89828e 100644
 --- a/setroubleshoot.te
 +++ b/setroubleshoot.te
 @@ -1,4 +1,4 @@
@@ -74393,11 +74575,12 @@ index 49b12ae..c6f3302 100644
  files_list_all(setroubleshootd_t)
  files_getattr_all_files(setroubleshootd_t)
  files_getattr_all_pipes(setroubleshootd_t)
-@@ -108,26 +113,23 @@ init_dontaudit_write_utmp(setroubleshootd_t)
+@@ -107,27 +112,24 @@ init_read_utmp(setroubleshootd_t)
+ init_dontaudit_write_utmp(setroubleshootd_t)
  
  libs_exec_ld_so(setroubleshootd_t)
++libs_exec_ldconfig(setroubleshootd_t)
  
-+
  locallogin_dontaudit_use_fds(setroubleshootd_t)
  
  logging_send_audit_msgs(setroubleshootd_t)
@@ -75798,10 +75981,14 @@ index 0000000..92c3638
 +
 +sysnet_dns_name_resolve(smsd_t)
 diff --git a/snmp.fc b/snmp.fc
-index c73fa24..d852517 100644
+index c73fa24..9018dbc 100644
 --- a/snmp.fc
 +++ b/snmp.fc
-@@ -13,6 +13,8 @@
+@@ -10,9 +10,12 @@
+ 
+ /var/lib/net-snmp(/.*)?	gen_context(system_u:object_r:snmpd_var_lib_t,s0)
+ /var/lib/snmp(/.*)?	gen_context(system_u:object_r:snmpd_var_lib_t,s0)
++/var/spool/snmptt(/.*)?	gen_context(system_u:object_r:snmpd_var_lib_t,s0)
  
  /var/log/snmpd\.log.*	--	gen_context(system_u:object_r:snmpd_log_t,s0)
  
@@ -78902,6 +79089,53 @@ index 0000000..39f1ca1
 +libs_exec_ldconfig(swift_t)
 +
 +logging_send_syslog_msg(swift_t)
+diff --git a/swift_alias.fc b/swift_alias.fc
+new file mode 100644
+index 0000000..b7db254
+--- /dev/null
++++ b/swift_alias.fc
+@@ -0,0 +1 @@
++# Empty
+diff --git a/swift_alias.if b/swift_alias.if
+new file mode 100644
+index 0000000..3fed1a3
+--- /dev/null
++++ b/swift_alias.if
+@@ -0,0 +1,2 @@
++
++## <summary>swift_alias policy module</summary>
+diff --git a/swift_alias.te b/swift_alias.te
+new file mode 100644
+index 0000000..6e39c4f
+--- /dev/null
++++ b/swift_alias.te
+@@ -0,0 +1,26 @@
++policy_module(swift_alias, 1.0.0)
++
++#
++# swift_alias.pp policy replaces swift.pp policy
++# which is a part of openstack-selinux.rpm package
++#
++
++########################################
++#
++# Declarations
++#
++
++#call stub interfaces for basic types
++init_stub_initrc()
++corecmd_stub_bin()
++files_stub_var_run()
++files_stub_var()
++systemd_stub_unit_file()
++
++typealias initrc_t alias swift_t;
++typealias bin_t alias swift_exec_t;
++typealias var_run_t alias swift_var_run_t;
++typealias systemd_unit_file_t alias swift_unit_file_t;
++typealias var_t alias swift_data_t;
++
++
 diff --git a/sxid.te b/sxid.te
 index c9824cb..1973f71 100644
 --- a/sxid.te
@@ -80960,10 +81194,10 @@ index 0000000..601aea3
 +/usr/lib/tumbler[^/]*/tumblerd		--	gen_context(system_u:object_r:thumb_exec_t,s0)
 diff --git a/thumb.if b/thumb.if
 new file mode 100644
-index 0000000..eb30b4c
+index 0000000..bfcd2c7
 --- /dev/null
 +++ b/thumb.if
-@@ -0,0 +1,125 @@
+@@ -0,0 +1,126 @@
 +
 +## <summary>policy for thumb</summary>
 +
@@ -81088,6 +81322,7 @@ index 0000000..eb30b4c
 +
 +	userdom_user_home_dir_filetrans($1, thumb_home_t, dir, ".thumbnails")
 +	userdom_user_home_dir_filetrans($1, thumb_home_t, file, "missfont.log")
++	gnome_cache_filetrans($1, thumb_home_t, dir, "thumbnails")
 +')
 diff --git a/thumb.te b/thumb.te
 new file mode 100644
@@ -83820,7 +84055,7 @@ index c30da4c..014e40c 100644
 +/var/run/qemu-ga\.pid           --      gen_context(system_u:object_r:virt_qemu_ga_var_run_t,s0)
 +/var/log/qemu-ga\.log           --      gen_context(system_u:object_r:virt_qemu_ga_log_t,s0)
 diff --git a/virt.if b/virt.if
-index 9dec06c..175e66a 100644
+index 9dec06c..b991ec7 100644
 --- a/virt.if
 +++ b/virt.if
 @@ -1,120 +1,51 @@
@@ -84798,7 +85033,7 @@ index 9dec06c..175e66a 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -860,115 +603,244 @@ interface(`virt_read_lib_files',`
+@@ -860,115 +603,245 @@ interface(`virt_read_lib_files',`
  ##	</summary>
  ## </param>
  #
@@ -84935,6 +85170,7 @@ index 9dec06c..175e66a 100644
  	files_search_pids($1)
 -	filetrans_pattern($1, virt_var_run_t, $2, $3, $4)
 +	stream_connect_pattern($1, svirt_lxc_file_t, svirt_lxc_file_t, svirt_lxc_domain)
++	ps_process_pattern(svirt_lxc_domain, $1)
  ')
  
 +
@@ -85080,7 +85316,7 @@ index 9dec06c..175e66a 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -976,18 +848,17 @@ interface(`virt_manage_log',`
+@@ -976,18 +849,17 @@ interface(`virt_manage_log',`
  ##	</summary>
  ## </param>
  #
@@ -85103,7 +85339,7 @@ index 9dec06c..175e66a 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -995,36 +866,17 @@ interface(`virt_search_images',`
+@@ -995,36 +867,17 @@ interface(`virt_search_images',`
  ##	</summary>
  ## </param>
  #
@@ -85144,7 +85380,7 @@ index 9dec06c..175e66a 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1032,58 +884,57 @@ interface(`virt_read_images',`
+@@ -1032,58 +885,57 @@ interface(`virt_read_images',`
  ##	</summary>
  ## </param>
  #
@@ -85224,7 +85460,7 @@ index 9dec06c..175e66a 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1091,95 +942,131 @@ interface(`virt_manage_virt_cache',`
+@@ -1091,95 +943,132 @@ interface(`virt_manage_virt_cache',`
  ##	</summary>
  ## </param>
  #
@@ -85412,13 +85648,14 @@ index 9dec06c..175e66a 100644
 -	admin_pattern($1, virt_lock_t)
 +	allow $1 svirt_lxc_domain:process transition;
 +	role $2 types svirt_lxc_domain;
++	allow $1 svirt_lxc_domain:unix_dgram_socket sendto;
  
 -	dev_list_all_dev_nodes($1)
 -	allow $1 virt_ptynode:chr_file rw_term_perms;
 +	allow svirt_lxc_domain $1:process sigchld;
  ')
 diff --git a/virt.te b/virt.te
-index 1f22fba..d5e8852 100644
+index 1f22fba..e780b1b 100644
 --- a/virt.te
 +++ b/virt.te
 @@ -1,94 +1,98 @@
@@ -85887,7 +86124,9 @@ index 1f22fba..d5e8852 100644
 -manage_sock_files_pattern(svirt_t, svirt_home_t, svirt_home_t)
 -
 -filetrans_pattern(svirt_t, virt_home_t, svirt_home_t, dir, "qemu")
--
++allow svirt_tcg_t self:process { execmem execstack };
++allow svirt_tcg_t self:netlink_route_socket r_netlink_socket_perms;
+ 
 -stream_connect_pattern(svirt_t, svirt_home_t, svirt_home_t, virtd_t)
 -
 -corenet_udp_sendrecv_generic_if(svirt_t)
@@ -85909,9 +86148,7 @@ index 1f22fba..d5e8852 100644
 -corenet_sendrecv_all_server_packets(svirt_t)
 -corenet_udp_bind_all_ports(svirt_t)
 -corenet_tcp_bind_all_ports(svirt_t)
-+allow svirt_tcg_t self:process { execmem execstack };
-+allow svirt_tcg_t self:netlink_route_socket r_netlink_socket_perms;
- 
+-
 -corenet_sendrecv_all_client_packets(svirt_t)
 -corenet_tcp_connect_all_ports(svirt_t)
 +corenet_udp_sendrecv_generic_if(svirt_tcg_t)
@@ -86140,13 +86377,13 @@ index 1f22fba..d5e8852 100644
 +sysnet_read_config(virtd_t)
  
 -userdom_read_all_users_state(virtd_t)
-+systemd_dbus_chat_logind(virtd_t)
-+systemd_write_inhibit_pipes(virtd_t)
- 
+-
 -ifdef(`hide_broken_symptoms',`
 -	dontaudit virtd_t self:capability { sys_module sys_ptrace };
 -')
--
++systemd_dbus_chat_logind(virtd_t)
++systemd_write_inhibit_pipes(virtd_t)
+ 
 -tunable_policy(`virt_use_fusefs',`
 -	fs_manage_fusefs_dirs(virtd_t)
 -	fs_manage_fusefs_files(virtd_t)
@@ -86177,13 +86414,15 @@ index 1f22fba..d5e8852 100644
  	fs_manage_cifs_files(virtd_t)
  	fs_read_cifs_symlinks(virtd_t)
  ')
-@@ -649,104 +475,323 @@ optional_policy(`
- optional_policy(`
- 	dbus_system_bus_client(virtd_t)
+@@ -646,107 +472,327 @@ optional_policy(`
+ 	consoletype_exec(virtd_t)
+ ')
  
--	optional_policy(`
--		avahi_dbus_chat(virtd_t)
--	')
+-optional_policy(`
+-	dbus_system_bus_client(virtd_t)
++optional_policy(`
++	dbus_system_bus_client(virtd_t)
++
 +	optional_policy(`
 +		avahi_dbus_chat(virtd_t)
 +	')
@@ -86363,6 +86602,7 @@ index 1f22fba..d5e8852 100644
 +
 +dev_list_sysfs(virt_domain)
 +dev_getattr_fs(virt_domain)
++dev_dontaudit_getattr_all(virt_domain)
 +dev_read_generic_symlinks(virt_domain)
 +dev_read_rand(virt_domain)
 +dev_read_sound(virt_domain)
@@ -86374,7 +86614,10 @@ index 1f22fba..d5e8852 100644
 +dev_rw_inherited_vhost(virt_domain)
 +
 +domain_use_interactive_fds(virt_domain)
-+
+ 
+-	optional_policy(`
+-		avahi_dbus_chat(virtd_t)
+-	')
 +files_read_mnt_symlinks(virt_domain)
 +files_read_var_files(virt_domain)
 +files_search_all(virt_domain)
@@ -86539,7 +86782,7 @@ index 1f22fba..d5e8852 100644
  
 -allow virsh_t self:capability { setpcap dac_override ipc_lock sys_nice sys_tty_config };
 -allow virsh_t self:process { getcap getsched setsched setcap signal };
-+allow virsh_t self:capability { setpcap dac_override ipc_lock sys_chroot sys_nice sys_tty_config };
++allow virsh_t self:capability { setpcap dac_override ipc_lock sys_admin sys_chroot sys_nice sys_tty_config };
 +allow virsh_t self:process { getcap getsched setsched setcap setexec signal };
  allow virsh_t self:fifo_file rw_fifo_file_perms;
 -allow virsh_t self:unix_stream_socket { accept connectto listen };
@@ -86557,7 +86800,7 @@ index 1f22fba..d5e8852 100644
  
  manage_files_pattern(virsh_t, virt_image_type, virt_image_type)
  manage_blk_files_pattern(virsh_t, virt_image_type, virt_image_type)
-@@ -758,23 +803,15 @@ manage_chr_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
+@@ -758,23 +804,15 @@ manage_chr_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
  manage_lnk_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
  manage_sock_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
  manage_fifo_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
@@ -86570,12 +86813,12 @@ index 1f22fba..d5e8852 100644
 -dontaudit virsh_t virt_var_lib_t:file read_file_perms;
 -
 -allow virsh_t svirt_lxc_domain:process transition;
--
--can_exec(virsh_t, virsh_exec_t)
 +manage_dirs_pattern(virsh_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
 +manage_files_pattern(virsh_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
 +virt_filetrans_named_content(virsh_t)
  
+-can_exec(virsh_t, virsh_exec_t)
+-
 -virt_domtrans(virsh_t)
 -virt_manage_images(virsh_t)
 -virt_manage_config(virsh_t)
@@ -86587,7 +86830,7 @@ index 1f22fba..d5e8852 100644
  kernel_read_system_state(virsh_t)
  kernel_read_network_state(virsh_t)
  kernel_read_kernel_sysctls(virsh_t)
-@@ -785,25 +822,18 @@ kernel_write_xen_state(virsh_t)
+@@ -785,25 +823,18 @@ kernel_write_xen_state(virsh_t)
  corecmd_exec_bin(virsh_t)
  corecmd_exec_shell(virsh_t)
  
@@ -86614,12 +86857,13 @@ index 1f22fba..d5e8852 100644
  
  fs_getattr_all_fs(virsh_t)
  fs_manage_xenfs_dirs(virsh_t)
-@@ -812,24 +842,21 @@ fs_search_auto_mountpoints(virsh_t)
+@@ -812,24 +843,22 @@ fs_search_auto_mountpoints(virsh_t)
  
  storage_raw_read_fixed_disk(virsh_t)
  
 -term_use_all_terms(virsh_t)
 +term_use_all_inherited_terms(virsh_t)
++term_dontaudit_use_generic_ptys(virsh_t)
 +
 +userdom_search_admin_dir(virsh_t)
 +userdom_read_home_certs(virsh_t)
@@ -86645,7 +86889,7 @@ index 1f22fba..d5e8852 100644
  tunable_policy(`virt_use_nfs',`
  	fs_manage_nfs_dirs(virsh_t)
  	fs_manage_nfs_files(virsh_t)
-@@ -847,6 +874,10 @@ optional_policy(`
+@@ -847,6 +876,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -86656,7 +86900,7 @@ index 1f22fba..d5e8852 100644
  	rpm_exec(virsh_t)
  ')
  
-@@ -854,7 +885,7 @@ optional_policy(`
+@@ -854,7 +887,7 @@ optional_policy(`
  	xen_manage_image_dirs(virsh_t)
  	xen_append_log(virsh_t)
  	xen_domtrans(virsh_t)
@@ -86665,7 +86909,7 @@ index 1f22fba..d5e8852 100644
  	xen_stream_connect(virsh_t)
  	xen_stream_connect_xenstore(virsh_t)
  ')
-@@ -879,34 +910,44 @@ optional_policy(`
+@@ -879,34 +912,44 @@ optional_policy(`
  	kernel_read_xen_state(virsh_ssh_t)
  	kernel_write_xen_state(virsh_ssh_t)
  
@@ -86719,11 +86963,13 @@ index 1f22fba..d5e8852 100644
  
  manage_dirs_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
  manage_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
-@@ -916,12 +957,15 @@ manage_sock_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
+@@ -916,12 +959,17 @@ manage_sock_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
  manage_fifo_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
  allow virtd_lxc_t svirt_lxc_file_t:dir_file_class_set { relabelto relabelfrom };
  allow virtd_lxc_t svirt_lxc_file_t:filesystem { relabelto relabelfrom };
 +files_associate_rootfs(svirt_lxc_file_t)
++
++seutil_read_file_contexts(virtd_lxc_t)
  
  storage_manage_fixed_disk(virtd_lxc_t)
 +storage_rw_fuse(virtd_lxc_t)
@@ -86735,7 +86981,7 @@ index 1f22fba..d5e8852 100644
  
  corecmd_exec_bin(virtd_lxc_t)
  corecmd_exec_shell(virtd_lxc_t)
-@@ -933,10 +977,8 @@ dev_read_urand(virtd_lxc_t)
+@@ -933,10 +981,8 @@ dev_read_urand(virtd_lxc_t)
  
  domain_use_interactive_fds(virtd_lxc_t)
  
@@ -86746,7 +86992,7 @@ index 1f22fba..d5e8852 100644
  files_relabel_rootfs(virtd_lxc_t)
  files_mounton_non_security(virtd_lxc_t)
  files_mount_all_file_type_fs(virtd_lxc_t)
-@@ -944,6 +986,7 @@ files_unmount_all_file_type_fs(virtd_lxc_t)
+@@ -944,6 +990,7 @@ files_unmount_all_file_type_fs(virtd_lxc_t)
  files_list_isid_type_dirs(virtd_lxc_t)
  files_root_filetrans(virtd_lxc_t, svirt_lxc_file_t, dir_file_class_set)
  
@@ -86754,7 +87000,7 @@ index 1f22fba..d5e8852 100644
  fs_getattr_all_fs(virtd_lxc_t)
  fs_manage_tmpfs_dirs(virtd_lxc_t)
  fs_manage_tmpfs_chr_files(virtd_lxc_t)
-@@ -955,15 +998,11 @@ fs_rw_cgroup_files(virtd_lxc_t)
+@@ -955,15 +1002,11 @@ fs_rw_cgroup_files(virtd_lxc_t)
  fs_unmount_all_fs(virtd_lxc_t)
  fs_relabelfrom_tmpfs(virtd_lxc_t)
  
@@ -86773,7 +87019,7 @@ index 1f22fba..d5e8852 100644
  
  term_use_generic_ptys(virtd_lxc_t)
  term_use_ptmx(virtd_lxc_t)
-@@ -973,20 +1012,44 @@ auth_use_nsswitch(virtd_lxc_t)
+@@ -973,21 +1016,36 @@ auth_use_nsswitch(virtd_lxc_t)
  
  logging_send_syslog_msg(virtd_lxc_t)
  
@@ -86809,22 +87055,16 @@ index 1f22fba..d5e8852 100644
 -# Common virt lxc domain local policy
 +# virt_lxc_domain local policy
  #
-+allow svirt_lxc_domain self:capability { kill setuid setgid dac_override sys_boot ipc_lock };
-+
-+allow virtd_t svirt_lxc_domain:unix_stream_socket { create_stream_socket_perms connectto };
-+allow virtd_t svirt_lxc_domain:process { signal_perms getattr };
-+allow virtd_lxc_t svirt_lxc_domain:process { getattr getsched setsched transition signal signull sigkill };
-+allow svirt_lxc_domain virtd_lxc_t:process sigchld;
-+allow svirt_lxc_domain virtd_lxc_t:fd use;
-+allow svirt_lxc_domain virt_lxc_var_run_t:dir list_dir_perms;
-+allow svirt_lxc_domain virt_lxc_var_run_t:file read_file_perms;
-+allow svirt_lxc_domain virtd_lxc_t:unix_stream_socket { connectto rw_socket_perms };
- 
+-
 -allow svirt_lxc_domain self:capability { kill setuid setgid dac_override sys_boot };
- allow svirt_lxc_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid };
+-allow svirt_lxc_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid };
++allow svirt_lxc_domain self:capability { kill setuid setgid dac_override sys_boot ipc_lock };
++allow svirt_lxc_domain self:key manage_key_perms;
++allow svirt_lxc_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid setrlimit };
  allow svirt_lxc_domain self:fifo_file manage_file_perms;
  allow svirt_lxc_domain self:sem create_sem_perms;
-@@ -995,19 +1058,6 @@ allow svirt_lxc_domain self:msgq create_msgq_perms;
+ allow svirt_lxc_domain self:shm create_shm_perms;
+@@ -995,18 +1053,16 @@ allow svirt_lxc_domain self:msgq create_msgq_perms;
  allow svirt_lxc_domain self:unix_stream_socket { create_stream_socket_perms connectto };
  allow svirt_lxc_domain self:unix_dgram_socket { sendto create_socket_perms };
  
@@ -86833,18 +87073,25 @@ index 1f22fba..d5e8852 100644
 -allow svirt_lxc_domain virtd_lxc_t:process sigchld;
 -
 -allow svirt_lxc_domain virtd_lxc_t:unix_stream_socket { connectto rw_socket_perms };
--
+ 
 -allow svirt_lxc_domain virsh_t:fd use;
 -allow svirt_lxc_domain virsh_t:fifo_file rw_fifo_file_perms;
 -allow svirt_lxc_domain virsh_t:process sigchld;
--
++allow virtd_t svirt_lxc_domain:unix_stream_socket { create_stream_socket_perms connectto };
++allow virtd_t svirt_lxc_domain:process { signal_perms getattr };
++allow virtd_lxc_t svirt_lxc_domain:process { getattr getsched setsched setrlimit transition signal_perms };
+ 
 -allow svirt_lxc_domain virtd_lxc_var_run_t:dir list_dir_perms;
 -allow svirt_lxc_domain virtd_lxc_var_run_t:file read_file_perms;
--
++allow svirt_lxc_domain virtd_lxc_t:process sigchld;
++allow svirt_lxc_domain virtd_lxc_t:fd use;
++allow svirt_lxc_domain virt_lxc_var_run_t:dir list_dir_perms;
++allow svirt_lxc_domain virt_lxc_var_run_t:file read_file_perms;
++allow svirt_lxc_domain virtd_lxc_t:unix_stream_socket { connectto rw_socket_perms };
+ 
  manage_dirs_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
  manage_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
- manage_lnk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
-@@ -1015,17 +1065,14 @@ manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
+@@ -1015,17 +1071,14 @@ manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
  manage_fifo_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
  rw_chr_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
  rw_blk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
@@ -86863,7 +87110,7 @@ index 1f22fba..d5e8852 100644
  kernel_dontaudit_search_kernel_sysctl(svirt_lxc_domain)
  
  corecmd_exec_all_executables(svirt_lxc_domain)
-@@ -1037,21 +1084,20 @@ files_dontaudit_getattr_all_pipes(svirt_lxc_domain)
+@@ -1037,21 +1090,20 @@ files_dontaudit_getattr_all_pipes(svirt_lxc_domain)
  files_dontaudit_getattr_all_sockets(svirt_lxc_domain)
  files_dontaudit_list_all_mountpoints(svirt_lxc_domain)
  files_dontaudit_write_etc_runtime_files(svirt_lxc_domain)
@@ -86890,15 +87137,15 @@ index 1f22fba..d5e8852 100644
  auth_dontaudit_read_login_records(svirt_lxc_domain)
  auth_dontaudit_write_login_records(svirt_lxc_domain)
  auth_search_pam_console_data(svirt_lxc_domain)
-@@ -1063,96 +1109,91 @@ init_dontaudit_write_utmp(svirt_lxc_domain)
+@@ -1063,96 +1115,90 @@ init_dontaudit_write_utmp(svirt_lxc_domain)
  
  libs_dontaudit_setattr_lib_files(svirt_lxc_domain)
  
 -miscfiles_read_localization(svirt_lxc_domain)
  miscfiles_dontaudit_setattr_fonts_cache_dirs(svirt_lxc_domain)
  miscfiles_read_fonts(svirt_lxc_domain)
- 
--mta_dontaudit_read_spool_symlinks(svirt_lxc_domain)
++miscfiles_read_hwdata(svirt_lxc_domain)
++
 +systemd_read_unit_files(svirt_lxc_domain)
 +
 +userdom_use_inherited_user_terminals(svirt_lxc_domain)
@@ -86911,7 +87158,8 @@ index 1f22fba..d5e8852 100644
 +optional_policy(`
 +	mta_dontaudit_read_spool_symlinks(svirt_lxc_domain)
 +')
-+
+ 
+-mta_dontaudit_read_spool_symlinks(svirt_lxc_domain)
 +optional_policy(`
 +	ssh_use_ptys(svirt_lxc_net_t)
 +')
@@ -86935,11 +87183,10 @@ index 1f22fba..d5e8852 100644
 -allow svirt_lxc_net_t self:capability { chown dac_read_search dac_override fowner fsetid net_raw net_admin sys_admin sys_nice sys_ptrace sys_resource setpcap };
 +allow svirt_lxc_net_t self:capability { chown dac_read_search dac_override fowner fsetid net_raw net_admin net_bind_service sys_admin sys_nice sys_ptrace sys_resource setpcap };
  dontaudit svirt_lxc_net_t self:capability2 block_suspend;
-+allow svirt_lxc_net_t self:netlink_socket create_socket_perms;
- allow svirt_lxc_net_t self:process setrlimit;
+-allow svirt_lxc_net_t self:process setrlimit;
 -allow svirt_lxc_net_t self:tcp_socket { accept listen };
 -allow svirt_lxc_net_t self:netlink_route_socket nlmsg_write;
-+
++allow svirt_lxc_net_t self:netlink_socket create_socket_perms;
 +allow svirt_lxc_net_t self:udp_socket create_socket_perms;
 +allow svirt_lxc_net_t self:tcp_socket create_stream_socket_perms;
 +allow svirt_lxc_net_t self:netlink_route_socket create_netlink_socket_perms;
@@ -87026,7 +87273,7 @@ index 1f22fba..d5e8852 100644
  allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
  allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
  
-@@ -1165,12 +1206,12 @@ dev_read_sysfs(virt_qmf_t)
+@@ -1165,12 +1211,12 @@ dev_read_sysfs(virt_qmf_t)
  dev_read_rand(virt_qmf_t)
  dev_read_urand(virt_qmf_t)
  
@@ -87041,7 +87288,7 @@ index 1f22fba..d5e8852 100644
  sysnet_read_config(virt_qmf_t)
  
  optional_policy(`
-@@ -1183,9 +1224,8 @@ optional_policy(`
+@@ -1183,9 +1229,8 @@ optional_policy(`
  
  ########################################
  #
@@ -87052,7 +87299,7 @@ index 1f22fba..d5e8852 100644
  allow virt_bridgehelper_t self:process { setcap getcap };
  allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin };
  allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
-@@ -1198,5 +1238,70 @@ kernel_read_network_state(virt_bridgehelper_t)
+@@ -1198,5 +1243,70 @@ kernel_read_network_state(virt_bridgehelper_t)
  
  corenet_rw_tun_tap_dev(virt_bridgehelper_t)
  
@@ -89272,7 +89519,7 @@ index 0cea2cd..7668014 100644
  
  userdom_dontaudit_use_unpriv_user_fds(xfs_t)
 diff --git a/xguest.te b/xguest.te
-index 2882821..521232e 100644
+index 2882821..6618596 100644
 --- a/xguest.te
 +++ b/xguest.te
 @@ -1,4 +1,4 @@
@@ -89346,7 +89593,7 @@ index 2882821..521232e 100644
  		storage_raw_read_removable_device(xguest_t)
  		storage_raw_write_removable_device(xguest_t)
  	',`
-@@ -54,9 +54,21 @@ ifndef(`enable_mls',`
+@@ -54,9 +54,22 @@ ifndef(`enable_mls',`
  ')
  
  optional_policy(`
@@ -89355,6 +89602,7 @@ index 2882821..521232e 100644
 +')
 +
 +kernel_dontaudit_request_load_module(xguest_t)
++kernel_read_software_raid_state(xguest_t)
 +
 +tunable_policy(`selinuxuser_execstack',`
 +	allow xguest_t self:process execstack;
@@ -89369,7 +89617,7 @@ index 2882821..521232e 100644
  		files_dontaudit_getattr_boot_dirs(xguest_t)
  		files_search_mnt(xguest_t)
  
-@@ -65,10 +77,9 @@ optional_policy(`
+@@ -65,10 +78,9 @@ optional_policy(`
  		fs_manage_noxattr_fs_dirs(xguest_t)
  		fs_getattr_noxattr_fs(xguest_t)
  		fs_read_noxattr_fs_symlinks(xguest_t)
@@ -89381,7 +89629,7 @@ index 2882821..521232e 100644
  	')
  ')
  
-@@ -84,12 +95,17 @@ optional_policy(`
+@@ -84,12 +96,17 @@ optional_policy(`
  	')
  ')
  
@@ -89401,7 +89649,7 @@ index 2882821..521232e 100644
  ')
  
  optional_policy(`
-@@ -97,75 +113,82 @@ optional_policy(`
+@@ -97,75 +114,82 @@ optional_policy(`
  ')
  
  optional_policy(`
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 126dfb1e..b22aa168 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -15,11 +15,11 @@
 %endif
 %define POLICYVER 29
 %define POLICYCOREUTILSVER 2.1.14-12
-%define CHECKPOLICYVER 2.1.12-1
+%define CHECKPOLICYVER 2.1.12-3
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.12.1
-Release: 20%{?dist}
+Release: 23%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -253,7 +253,7 @@ fi;
 . %{_sysconfdir}/selinux/config; \
 if [ -e /etc/selinux/%2/.rebuild ]; then \
    rm /etc/selinux/%2/.rebuild; \
-   (cd /etc/selinux/%2/modules/active/modules; rm -f shutdown.pp amavis.pp clamav.pp gnomeclock.pp matahari.pp xfs.pp kudzu.pp kerneloops.pp execmem.pp openoffice.pp ada.pp tzdata.pp hal.pp hotplug.pp howl.pp java.pp mono.pp moilscanner.pp gamin.pp audio_entropy.pp audioentropy.pp iscsid.pp polkit_auth.pp polkit.pp rtkit_daemon.pp ModemManager.pp telepathysofiasip.pp ethereal.pp passanger.pp qpidd.pp pyzor.pp razor.pp pki-selinux.pp phpfpm.pp consoletype.pp ctdbd.pp fcoemon.pp isnsd.pp l2tp.pp rgmanager.pp corosync.pp aisexec.pp pacemaker.pp ) \
+   (cd /etc/selinux/%2/modules/active/modules; rm -f shutdown.pp amavis.pp clamav.pp gnomeclock.pp matahari.pp xfs.pp kudzu.pp kerneloops.pp execmem.pp openoffice.pp ada.pp tzdata.pp hal.pp hotplug.pp howl.pp java.pp mono.pp moilscanner.pp gamin.pp audio_entropy.pp audioentropy.pp iscsid.pp polkit_auth.pp polkit.pp rtkit_daemon.pp ModemManager.pp telepathysofiasip.pp ethereal.pp passanger.pp qpidd.pp pyzor.pp razor.pp pki-selinux.pp phpfpm.pp consoletype.pp ctdbd.pp fcoemon.pp isnsd.pp rgmanager.pp corosync.pp aisexec.pp pacemaker.pp ) \
    /usr/sbin/semodule -B -n -s %2; \
 else \
     touch /etc/selinux/%2/modules/active/modules/sandbox.disabled \
@@ -526,6 +526,58 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Wed Mar 20 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-23
+- Allow localectl to read /etc/X11/xorg.conf.d directory
+- Revert "Revert "Fix filetrans rules for kdm creates .xsession-errors""
+- Allow mount to transition to systemd_passwd_agent
+- Make sure abrt directories are labeled correctly
+- Allow commands that are going to read mount pid files to search mount_var_run_t
+- label /usr/bin/repoquery as rpm_exec_t
+- Allow automount to block suspend
+- Add abrt_filetrans_named_content so that abrt directories get labeled correctly
+- Allow virt domains to setrlimit and read file_context
+
+* Mon Mar 18 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-22
+- Allow nagios to manage nagios spool files
+- /var/spool/snmptt is a directory which snmdp needs to write to, needs back port to RHEL6
+- Add swift_alias.* policy files which contain typealiases for swift types
+- Add support for /run/lock/opencryptoki
+- Allow pkcsslotd chown capability
+- Allow pkcsslotd to read passwd
+- Add rsync_stub() interface
+- Allow systemd_timedate also manage gnome config homedirs
+- Label /usr/lib64/security/pam_krb5/pam_krb5_cchelper as bin_t
+- Fix filetrans rules for kdm creates .xsession-errors
+- Allow sytemd_tmpfiles to create wtmp file
+- Really should not label content  under /var/lock, since it could have labels on it different from var_lock_t
+- Allow systemd to list all file system directories
+- Add some basic stub interfaces which will be used in PRODUCT policies
+
+* Wed Mar 13 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-21
+- Fix log transition rule for cluster domains
+- Start to group all cluster log together
+- Dont use filename transition for POkemon Advanced Adventure until a new checkpolicy update
+- cups uses usbtty_device_t devices
+- These fixes were all required to build a MLS virtual Machine with single level desktops
+- Allow domains to transiton using httpd_exec_t
+- Allow svirt domains to manage kernel key rings
+- Allow setroubleshoot to execute ldconfig
+- Allow firewalld to read generate gnome data
+- Allow bluetooth to read machine-info
+- Allow boinc domain to send signal to itself
+- Fix gnome_filetrans_home_content() interface
+- Allow mozilla_plugins to list apache modules, for use with gxine
+- Fix labels for POkemon in the users homedir
+- Allow xguest to read mdstat
+- Dontaudit virt_domains getattr on /dev/*
+- These fixes were all required to build a MLS virtual Machine with single level desktops
+- Need to back port this to RHEL6 for openshift
+- Add tcp/8891 as milter port
+- Allow nsswitch domains to read sssd_var_lib_t files
+- Allow ping to read network state.
+- Fix typo
+- Add labels to /etc/X11/xorg.d and allow systemd-timestampd_t to manage them
+
 * Fri Mar 8 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-20
 - Adopt swift changes from lhh@redhat.com
 - Add rhcs_manage_cluster_pid_files() interface