From d9805455069c8108c72cbe37145c5066cd22547f Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Tue, 21 Dec 2010 09:32:36 +0000 Subject: [PATCH] - Update to upstream - Fixes for systemd policy - Fixes for passenger policy - Allow staff users to run mysqld in the staff_t domain, akonadi needs this - Add bin_t label for /usr/share/kde4/apps/kajongg/kajongg.py - auth_use_nsswitch does not need avahi to read passwords,needed for resolving data - Dontaudit (xdm_t) gok attempting to list contents of /var/account - Telepathy domains need to read urand - Need interface to getattr all file classes in a mock library for setroubleshoot --- policy-F15.patch | 1197 +++++++++++++++++++++++++++++-------------- selinux-policy.spec | 11 + 2 files changed, 834 insertions(+), 374 deletions(-) diff --git a/policy-F15.patch b/policy-F15.patch index 8871ef6c..cc260573 100644 --- a/policy-F15.patch +++ b/policy-F15.patch @@ -208,6 +208,32 @@ index af90ef2..7534872 100644 + (( h1 dom h2 ) or ( t1 == mcsnetwrite )); + ') dnl end enable_mcs +diff --git a/policy/modules/admin/acct.if b/policy/modules/admin/acct.if +index e66c296..61f738b 100644 +--- a/policy/modules/admin/acct.if ++++ b/policy/modules/admin/acct.if +@@ -78,3 +78,21 @@ interface(`acct_manage_data',` + manage_files_pattern($1, acct_data_t, acct_data_t) + manage_lnk_files_pattern($1, acct_data_t, acct_data_t) + ') ++ ++######################################## ++## ++## Dontaudit Attempts to list acct_data directory ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`acct_dontaudit_list_data',` ++ gen_require(` ++ type acct_data_t; ++ ') ++ ++ dontaudit $1 acct_data_t:dir list_dir_perms; ++') diff --git a/policy/modules/admin/alsa.if b/policy/modules/admin/alsa.if index 90d5203..1392679 100644 --- a/policy/modules/admin/alsa.if @@ -1034,9 +1060,18 @@ index c633aea..b773bc3 100644 type portage_cache_t; files_type(portage_cache_t) 
diff --git a/policy/modules/admin/prelink.te b/policy/modules/admin/prelink.te -index af55369..7d2fcff 100644 +index af55369..bc4ae6d 100644 --- a/policy/modules/admin/prelink.te +++ b/policy/modules/admin/prelink.te +@@ -36,7 +36,7 @@ files_type(prelink_var_lib_t) + # Local policy + # + +-allow prelink_t self:capability { chown dac_override fowner fsetid sys_resource }; ++allow prelink_t self:capability { chown dac_override fowner fsetid setfcap sys_resource }; + allow prelink_t self:process { execheap execmem execstack signal }; + allow prelink_t self:fifo_file rw_fifo_file_perms; + @@ -59,10 +59,11 @@ manage_dirs_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t) manage_files_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t) relabel_files_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t) @@ -5074,10 +5109,10 @@ index 0000000..4f9cb05 +') diff --git a/policy/modules/apps/nsplugin.te b/policy/modules/apps/nsplugin.te new file mode 100644 -index 0000000..7b483f3 +index 0000000..aedbcbe --- /dev/null +++ b/policy/modules/apps/nsplugin.te -@@ -0,0 +1,314 @@ +@@ -0,0 +1,315 @@ +policy_module(nsplugin, 1.0.0) + +######################################## @@ -5187,6 +5222,7 @@ index 0000000..7b483f3 + +domain_dontaudit_read_all_domains_state(nsplugin_t) + ++dev_read_urand(nsplugin_t) +dev_read_rand(nsplugin_t) +dev_read_sound(nsplugin_t) +dev_write_sound(nsplugin_t) @@ -5816,7 +5852,7 @@ index c1d5f50..989f88c 100644 + + diff --git a/policy/modules/apps/qemu.te b/policy/modules/apps/qemu.te -index 5ef2f7d..5a13201 100644 +index 5ef2f7d..d5ed1df 100644 --- a/policy/modules/apps/qemu.te +++ b/policy/modules/apps/qemu.te @@ -21,7 +21,7 @@ gen_tunable(qemu_use_cifs, true) @@ -5828,7 +5864,15 @@ index 5ef2f7d..5a13201 100644 ##
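Review bot: The new `setfcap` in `allow prelink_t self:capability { chown dac_override fowner fsetid setfcap sys_resource };` in the prelink.te hunk lets prelink_t write file capabilities (the security.capability xattr) on any file it can already modify, and neither the hunk nor the commit message says why. Presumably it is needed so prelink can restore the capability set of binaries it rewrites in place; if so, a comment above the rule would save the next reader the guess, e.g. `# prelink rewrites binaries in place and must restore their file capabilities (setfcap)`. Since prelink_t can already rewrite system binaries this is a small widening, but it is the kind of grant that should carry its rationale in the policy.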

## gen_tunable(qemu_use_comm, false) -@@ -90,7 +90,9 @@ tunable_policy(`qemu_use_usb',` +@@ -55,6 +55,7 @@ storage_raw_read_removable_device(qemu_t) + + userdom_search_user_home_content(qemu_t) + userdom_read_user_tmpfs_files(qemu_t) ++userdom_stream_connect(qemu_t) + + tunable_policy(`qemu_full_network',` + allow qemu_t self:udp_socket create_socket_perms; +@@ -90,7 +91,9 @@ tunable_policy(`qemu_use_usb',` ') optional_policy(` @@ -5839,7 +5883,7 @@ index 5ef2f7d..5a13201 100644 ') optional_policy(` -@@ -102,6 +104,10 @@ optional_policy(` +@@ -102,6 +105,10 @@ optional_policy(` xen_rw_image_files(qemu_t) ') @@ -5850,7 +5894,7 @@ index 5ef2f7d..5a13201 100644 ######################################## # # Unconfined qemu local policy -@@ -112,6 +118,8 @@ optional_policy(` +@@ -112,6 +119,8 @@ optional_policy(` typealias unconfined_qemu_t alias qemu_unconfined_t; application_type(unconfined_qemu_t) unconfined_domain(unconfined_qemu_t) @@ -7104,10 +7148,10 @@ index 0000000..46368cc +') diff --git a/policy/modules/apps/telepathy.te b/policy/modules/apps/telepathy.te new file mode 100644 -index 0000000..7d62b71 +index 0000000..2ace399 --- /dev/null +++ b/policy/modules/apps/telepathy.te -@@ -0,0 +1,333 @@ +@@ -0,0 +1,328 @@ + +policy_module(telepathy, 1.0.0) + @@ -7180,8 +7224,6 @@ index 0000000..7d62b71 +corecmd_exec_shell(telepathy_msn_t) +corecmd_read_bin_symlinks(telepathy_msn_t) + -+dev_read_urand(telepathy_msn_t) -+ +files_read_etc_files(telepathy_msn_t) +files_read_usr_files(telepathy_msn_t) + @@ -7239,7 +7281,6 @@ index 0000000..7d62b71 +corenet_tcp_connect_vnc_port(telepathy_gabble_t) + +dev_read_rand(telepathy_gabble_t) -+dev_read_urand(telepathy_gabble_t) + +files_read_config_files(telepathy_gabble_t) +files_read_usr_files(telepathy_gabble_t) 
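Review bot: `userdom_stream_connect(qemu_t)` in the qemu.te hunk is added unconditionally, next to rules that are otherwise gated by `qemu_full_network` and similar tunables, and as far as its name indicates it lets every qemu_t instance connect to unix stream sockets owned by user domains. A comment naming the consumer this is for would make the grant reviewable and would let a later maintainer narrow it to a specific socket type, e.g. `# qemu connects to <TODO: name the user service> over a user-owned unix socket` above the call. If the access is only needed for one use case, gating it with the matching tunable would keep the default policy tighter.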
@@ -7276,6 +7317,8 @@ index 0000000..7d62b71 +corenet_sendrecv_ircd_client_packets(telepathy_idle_t) +corenet_tcp_connect_ircd_port(telepathy_idle_t) + ++dev_read_rand(telepathy_idle_t) ++ +files_read_etc_files(telepathy_idle_t) + +sysnet_read_config(telepathy_idle_t) @@ -7334,8 +7377,6 @@ index 0000000..7d62b71 +corenet_tcp_bind_presence_port(telepathy_salut_t) +corenet_tcp_connect_presence_port(telepathy_salut_t) + -+dev_read_urand(telepathy_salut_t) -+ +files_read_etc_files(telepathy_salut_t) + +sysnet_read_config(telepathy_salut_t) @@ -7360,8 +7401,6 @@ index 0000000..7d62b71 +corenet_sendrecv_sip_client_packets(telepathy_sofiasip_t) +corenet_tcp_connect_sip_port(telepathy_sofiasip_t) + -+dev_read_urand(telepathy_sofiasip_t) -+ +kernel_request_load_module(telepathy_sofiasip_t) + +sysnet_read_config(telepathy_sofiasip_t) @@ -7381,8 +7420,6 @@ index 0000000..7d62b71 + +corecmd_exec_bin(telepathy_sunshine_t) + -+dev_read_urand(telepathy_sunshine_t) -+ +files_read_etc_files(telepathy_sunshine_t) +files_read_usr_files(telepathy_sunshine_t) + @@ -7411,6 +7448,8 @@ index 0000000..7d62b71 +corenet_tcp_sendrecv_generic_node(telepathy_domain) +corenet_udp_bind_generic_node(telepathy_domain) + ++dev_read_urand(telepathy_domain) ++ +kernel_read_system_state(telepathy_domain) + +fs_search_auto_mountpoints(telepathy_domain) @@ -7807,7 +7846,7 @@ index 82842a0..4111a1d 100644 dbus_system_bus_client($1_wm_t) dbus_session_bus_client($1_wm_t) diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc -index 34c9d01..6e68bd2 100644 +index 34c9d01..93e0ee8 100644 --- a/policy/modules/kernel/corecommands.fc +++ b/policy/modules/kernel/corecommands.fc @@ -72,7 +72,9 @@ ifdef(`distro_redhat',` 
@@ -7848,6 +7887,14 @@ index 34c9d01..6e68bd2 100644 /usr/lib/vmware-tools/(s)?bin32(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/lib/vmware-tools/(s)?bin64(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/authconfig/authconfig-gtk\.py -- gen_context(system_u:object_r:bin_t,s0) +@@ -319,6 +324,7 @@ ifdef(`distro_redhat', ` + /usr/share/fedora-usermgmt/wrapper -- gen_context(system_u:object_r:bin_t,s0) + /usr/share/hplip/[^/]* -- gen_context(system_u:object_r:bin_t,s0) + /usr/share/hwbrowser/hwbrowser -- gen_context(system_u:object_r:bin_t,s0) ++/usr/share/kde4/apps/kajongg/kajongg.py -- gen_context(system_u:object_r:bin_t,s0) + /usr/share/pwlib/make/ptlib-config -- gen_context(system_u:object_r:bin_t,s0) + /usr/share/pydict/pydict\.py -- gen_context(system_u:object_r:bin_t,s0) + /usr/share/rhn/rhn_applet/applet\.py -- gen_context(system_u:object_r:bin_t,s0) diff --git a/policy/modules/kernel/corecommands.if b/policy/modules/kernel/corecommands.if index 9e9263a..24018ce 100644 --- a/policy/modules/kernel/corecommands.if @@ -8913,7 +8960,7 @@ index 3517db2..4dd4bef 100644 + +/usr/lib/debug <> diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if -index ed203b2..bfb7926 100644 +index ed203b2..7825dd2 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -1053,10 +1053,8 @@ interface(`files_relabel_all_files',` @@ -9066,7 +9113,39 @@ index ed203b2..bfb7926 100644 ## Execute generic files in /etc. ## ## -@@ -2623,6 +2730,24 @@ interface(`files_read_etc_runtime_files',` +@@ -2583,6 +2690,31 @@ interface(`files_create_boot_flag',` + + ######################################## + ## ++## Delete a boot flag. ++## ++## ++##
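Review bot: The new corecommands.fc entry `/usr/share/kde4/apps/kajongg/kajongg.py` leaves the dot unescaped, unlike the neighbouring `pydict\.py` and `applet\.py` entries, so the regex also matches any single character in that position. It should read `/usr/share/kde4/apps/kajongg/kajongg\.py -- gen_context(system_u:object_r:bin_t,s0)` to label only that file.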

++## Delete a boot flag, such as ++## /.autorelabel and /.autofsck. ++##

++##
++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`files_delete_boot_flag',` ++ gen_require(` ++ type root_t, etc_runtime_t; ++ ') ++ ++ delete_files_pattern($1, root_t, etc_runtime_t) ++') ++ ++######################################## ++## + ## Read files in /etc that are dynamically + ## created on boot, such as mtab. + ## +@@ -2623,6 +2755,24 @@ interface(`files_read_etc_runtime_files',` ######################################## ## @@ -9091,7 +9170,7 @@ index ed203b2..bfb7926 100644 ## Do not audit attempts to read files ## in /etc that are dynamically ## created on boot, such as mtab. -@@ -3104,6 +3229,7 @@ interface(`files_getattr_home_dir',` +@@ -3104,6 +3254,7 @@ interface(`files_getattr_home_dir',` ') allow $1 home_root_t:dir getattr; @@ -9099,7 +9178,7 @@ index ed203b2..bfb7926 100644 ') ######################################## -@@ -3124,6 +3250,7 @@ interface(`files_dontaudit_getattr_home_dir',` +@@ -3124,6 +3275,7 @@ interface(`files_dontaudit_getattr_home_dir',` ') dontaudit $1 home_root_t:dir getattr; @@ -9107,7 +9186,7 @@ index ed203b2..bfb7926 100644 ') ######################################## -@@ -3365,6 +3492,24 @@ interface(`files_list_mnt',` +@@ -3365,6 +3517,24 @@ interface(`files_list_mnt',` allow $1 mnt_t:dir list_dir_perms; ') @@ -9132,7 +9211,7 @@ index ed203b2..bfb7926 100644 ######################################## ## ## Mount a filesystem on /mnt. -@@ -3438,6 +3583,24 @@ interface(`files_read_mnt_files',` +@@ -3438,6 +3608,24 @@ interface(`files_read_mnt_files',` read_files_pattern($1, mnt_t, mnt_t) ') @@ -9157,7 +9236,7 @@ index ed203b2..bfb7926 100644 ######################################## ## ## Create, read, write, and delete symbolic links in /mnt. -@@ -3729,6 +3892,100 @@ interface(`files_read_world_readable_sockets',` +@@ -3729,6 +3917,100 @@ interface(`files_read_world_readable_sockets',` allow $1 readable_t:sock_file read_sock_file_perms; ') 
@@ -9258,7 +9337,7 @@ index ed203b2..bfb7926 100644 ######################################## ## ## Allow the specified type to associate -@@ -3914,6 +4171,32 @@ interface(`files_manage_generic_tmp_dirs',` +@@ -3914,6 +4196,32 @@ interface(`files_manage_generic_tmp_dirs',` ######################################## ## 
@@ -9291,92 +9370,262 @@ index ed203b2..bfb7926 100644 ## Manage temporary files and directories in /tmp. ## ## -@@ -3968,6 +4251,84 @@ interface(`files_rw_generic_tmp_sockets',` +@@ -3968,7 +4276,7 @@ interface(`files_rw_generic_tmp_sockets',` ######################################## ## +-## Set the attributes of all tmp directories. +## Relabel a dir from the type used in /tmp. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_relabelfrom_tmp_dirs',` -+ gen_require(` -+ type tmp_t; -+ ') -+ -+ relabelfrom_dirs_pattern($1, tmp_t, tmp_t) -+') -+ -+######################################## -+## -+## Relabel a file from the type used in /tmp. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_relabelfrom_tmp_files',` -+ gen_require(` -+ type tmp_t; -+ ') -+ -+ relabelfrom_files_pattern($1, tmp_t, tmp_t) -+') -+ -+######################################## -+## -+## Relabel all tmp dirs. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+# -+interface(`files_relabel_all_tmp_dirs',` -+ gen_require(` -+ attribute tmpfile; -+ type var_t; -+ ') -+ -+ allow $1 var_t:dir search_dir_perms; -+ relabel_dirs_pattern($1, tmpfile, tmpfile) -+') -+ -+######################################## -+## -+## Relabel all tmp files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+# -+interface(`files_relabel_all_tmp_files',` -+ gen_require(` -+ attribute tmpfile; -+ type var_t; -+ ') -+ -+ allow $1 var_t:dir search_dir_perms; -+ relabel_files_pattern($1, tmpfile, tmpfile) -+') -+ -+######################################## -+## - ## Set the attributes of all tmp directories. 
## ## -@@ -4127,6 +4488,13 @@ interface(`files_purge_tmp',` + ## +@@ -3976,17 +4284,17 @@ interface(`files_rw_generic_tmp_sockets',` + ## + ## + # +-interface(`files_setattr_all_tmp_dirs',` ++interface(`files_relabelfrom_tmp_dirs',` + gen_require(` +- attribute tmpfile; ++ type tmp_t; + ') + +- allow $1 tmpfile:dir { search_dir_perms setattr }; ++ relabelfrom_dirs_pattern($1, tmp_t, tmp_t) + ') + + ######################################## + ## +-## List all tmp directories. ++## Relabel a file from the type used in /tmp. + ## + ## + ## +@@ -3994,74 +4302,77 @@ interface(`files_setattr_all_tmp_dirs',` + ## + ## + # +-interface(`files_list_all_tmp',` ++interface(`files_relabelfrom_tmp_files',` + gen_require(` +- attribute tmpfile; ++ type tmp_t; + ') + +- allow $1 tmpfile:dir list_dir_perms; ++ relabelfrom_files_pattern($1, tmp_t, tmp_t) + ') + + ######################################## + ## +-## Do not audit attempts to get the attributes +-## of all tmp files. ++## Relabel all tmp dirs. + ## + ## + ## +-## Domain not to audit. ++## Domain allowed access. + ## + ## ++## + # +-interface(`files_dontaudit_getattr_all_tmp_files',` ++interface(`files_relabel_all_tmp_dirs',` + gen_require(` + attribute tmpfile; ++ type var_t; + ') + +- dontaudit $1 tmpfile:file getattr; ++ allow $1 var_t:dir search_dir_perms; ++ relabel_dirs_pattern($1, tmpfile, tmpfile) + ') + + ######################################## + ## +-## Allow attempts to get the attributes +-## of all tmp files. ++## Relabel all tmp files. + ## + ## + ## + ## Domain allowed access. + ## + ## ++## + # +-interface(`files_getattr_all_tmp_files',` ++interface(`files_relabel_all_tmp_files',` + gen_require(` + attribute tmpfile; ++ type var_t; + ') + +- allow $1 tmpfile:file getattr; ++ allow $1 var_t:dir search_dir_perms; ++ relabel_files_pattern($1, tmpfile, tmpfile) + ') + + ######################################## + ## +-## Do not audit attempts to get the attributes +-## of all tmp sock_file. 
++## Set the attributes of all tmp directories. + ## + ## + ## +-## Domain not to audit. ++## Domain allowed access. + ## + ## + # +-interface(`files_dontaudit_getattr_all_tmp_sockets',` ++interface(`files_setattr_all_tmp_dirs',` + gen_require(` + attribute tmpfile; + ') + +- dontaudit $1 tmpfile:sock_file getattr; ++ allow $1 tmpfile:dir { search_dir_perms setattr }; + ') + + ######################################## + ## +-## Read all tmp files. ++## List all tmp directories. + ## + ## + ## +@@ -4069,36 +4380,111 @@ interface(`files_dontaudit_getattr_all_tmp_sockets',` + ## + ## + # +-interface(`files_read_all_tmp_files',` ++interface(`files_list_all_tmp',` + gen_require(` + attribute tmpfile; + ') + +- read_files_pattern($1, tmpfile, tmpfile) ++ allow $1 tmpfile:dir list_dir_perms; + ') + + ######################################## + ## +-## Create an object in the tmp directories, with a private +-## type using a type transition. ++## Do not audit attempts to get the attributes ++## of all tmp files. + ## + ## + ## +-## Domain allowed access. +-## +-## +-## +-## +-## The type of the object to be created. +-## +-## +-## +-## +-## The object class of the object being created. ++## Domain not to audit. + ## + ## + # +-interface(`files_tmp_filetrans',` ++interface(`files_dontaudit_getattr_all_tmp_files',` ++ gen_require(` ++ attribute tmpfile; ++ ') ++ ++ dontaudit $1 tmpfile:file getattr; ++') ++ ++######################################## ++## ++## Allow attempts to get the attributes ++## of all tmp files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_getattr_all_tmp_files',` ++ gen_require(` ++ attribute tmpfile; ++ ') ++ ++ allow $1 tmpfile:file getattr; ++') ++ ++######################################## ++## ++## Do not audit attempts to get the attributes ++## of all tmp sock_file. ++## ++## ++## ++## Domain not to audit. 
++## ++## ++# ++interface(`files_dontaudit_getattr_all_tmp_sockets',` ++ gen_require(` ++ attribute tmpfile; ++ ') ++ ++ dontaudit $1 tmpfile:sock_file getattr; ++') ++ ++######################################## ++## ++## Read all tmp files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_read_all_tmp_files',` ++ gen_require(` ++ attribute tmpfile; ++ ') ++ ++ read_files_pattern($1, tmpfile, tmpfile) ++') ++ ++######################################## ++## ++## Create an object in the tmp directories, with a private ++## type using a type transition. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## The type of the object to be created. ++## ++## ++## ++## ++## The object class of the object being created. ++## ++## ++# ++interface(`files_tmp_filetrans',` + gen_require(` + type tmp_t; + ') +@@ -4127,6 +4513,13 @@ interface(`files_purge_tmp',` delete_lnk_files_pattern($1, tmpfile, tmpfile) delete_fifo_files_pattern($1, tmpfile, tmpfile) delete_sock_files_pattern($1, tmpfile, tmpfile) 
@@ -9390,79 +9639,32 @@ index ed203b2..bfb7926 100644 ') ######################################## -@@ -4736,7 +5104,7 @@ interface(`files_read_var_files',` +@@ -4736,6 +5129,24 @@ interface(`files_read_var_files',` ######################################## ## --## Read and write files in the /var directory. +## Append files in the /var directory. - ## - ## - ## -@@ -4744,36 +5112,54 @@ interface(`files_read_var_files',` - ## - ## - # --interface(`files_rw_var_files',` -+interface(`files_append_var_files',` - gen_require(` - type var_t; - ') - -- rw_files_pattern($1, var_t, var_t) -+ append_files_pattern($1, var_t, var_t) - ') - - ######################################## - ## --## Do not audit attempts to read and write --## files in the /var directory. -+## Read and write files in the /var directory. - ## - ## - ## --## Domain to not audit. -+## Domain allowed access. - ## - ## - # --interface(`files_dontaudit_rw_var_files',` -+interface(`files_rw_var_files',` - gen_require(` - type var_t; - ') - -- dontaudit $1 var_t:file rw_file_perms; -+ rw_files_pattern($1, var_t, var_t) - ') - - ######################################## - ## --## Create, read, write, and delete files in the /var directory. -+## Do not audit attempts to read and write -+## files in the /var directory. +## +## +## -+## Domain to not audit. ++## Domain allowed access. +## +## +# -+interface(`files_dontaudit_rw_var_files',` ++interface(`files_append_var_files',` + gen_require(` + type var_t; + ') + -+ dontaudit $1 var_t:file rw_file_perms; ++ append_files_pattern($1, var_t, var_t) +') + +######################################## +## -+## Create, read, write, and delete files in the /var directory. + ## Read and write files in the /var directory. ## ## - ## -@@ -5071,6 +5457,24 @@ interface(`files_manage_mounttab',` +@@ -5071,6 +5482,24 @@ interface(`files_manage_mounttab',` ######################################## ## 
@@ -9487,7 +9689,7 @@ index ed203b2..bfb7926 100644 ## Search the locks directory (/var/lock). ## ## -@@ -5156,12 +5560,12 @@ interface(`files_getattr_generic_locks',` +@@ -5156,12 +5585,12 @@ interface(`files_getattr_generic_locks',` ## # interface(`files_delete_generic_locks',` @@ -9504,7 +9706,7 @@ index ed203b2..bfb7926 100644 ') ######################################## -@@ -5207,6 +5611,27 @@ interface(`files_delete_all_locks',` +@@ -5207,6 +5636,27 @@ interface(`files_delete_all_locks',` ######################################## ## @@ -9532,7 +9734,7 @@ index ed203b2..bfb7926 100644 ## Read all lock files. ## ## -@@ -5335,6 +5760,43 @@ interface(`files_search_pids',` +@@ -5335,6 +5785,43 @@ interface(`files_search_pids',` search_dirs_pattern($1, var_t, var_run_t) ') @@ -9576,7 +9778,7 @@ index ed203b2..bfb7926 100644 ######################################## ## ## Do not audit attempts to search -@@ -5542,6 +6004,62 @@ interface(`files_dontaudit_ioctl_all_pids',` +@@ -5542,6 +6029,62 @@ interface(`files_dontaudit_ioctl_all_pids',` ######################################## ## @@ -9639,7 +9841,7 @@ index ed203b2..bfb7926 100644 ## Read all process ID files. ## ## -@@ -5559,6 +6077,44 @@ interface(`files_read_all_pids',` +@@ -5559,6 +6102,44 @@ interface(`files_read_all_pids',` list_dirs_pattern($1, var_t, pidfile) read_files_pattern($1, pidfile, pidfile) @@ -9684,7 +9886,7 @@ index ed203b2..bfb7926 100644 ') ######################################## -@@ -5844,3 +6400,247 @@ interface(`files_unconfined',` +@@ -5844,3 +6425,247 @@ interface(`files_unconfined',` typeattribute $1 files_unconfined_type; ') @@ -11232,7 +11434,7 @@ index be4de58..cce681a 100644 ######################################## # diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te -index 2be17d2..96d3fbf 100644 +index 2be17d2..faaf889 100644 --- a/policy/modules/roles/staff.te +++ b/policy/modules/roles/staff.te @@ -8,12 +8,48 @@ policy_module(staff, 2.2.0) 
@@ -11284,7 +11486,7 @@ index 2be17d2..96d3fbf 100644 optional_policy(` apache_role(staff_r, staff_t) ') -@@ -27,25 +63,104 @@ optional_policy(` +@@ -27,25 +63,108 @@ optional_policy(` ') optional_policy(` @@ -11321,6 +11523,10 @@ index 2be17d2..96d3fbf 100644 + oident_relabel_user_content(staff_t) +') + ++optional_policy(` ++ mysql_exec(staff_t) ++') ++ +optional_policy(` postgresql_role(staff_r, staff_t) ') @@ -11391,7 +11597,7 @@ index 2be17d2..96d3fbf 100644 optional_policy(` vlock_run(staff_t, staff_r) -@@ -137,10 +252,6 @@ ifndef(`distro_redhat',` +@@ -137,10 +256,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -19529,7 +19735,7 @@ index 9d44538..7e9057e 100644 # interface(`cyphesis_domtrans',` diff --git a/policy/modules/services/cyrus.te b/policy/modules/services/cyrus.te -index e182bf4..f80e725 100644 +index e182bf4..aab657c 100644 --- a/policy/modules/services/cyrus.te +++ b/policy/modules/services/cyrus.te @@ -26,7 +26,7 @@ files_pid_file(cyrus_var_run_t) @@ -19541,7 +19747,18 @@ index e182bf4..f80e725 100644 dontaudit cyrus_t self:capability sys_tty_config; allow cyrus_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow cyrus_t self:process setrlimit; -@@ -135,6 +135,7 @@ optional_policy(` +@@ -119,6 +119,10 @@ optional_policy(` + ') + + optional_policy(` ++ dirsrv_stream_connect(cyrus_t) ++') ++ ++optional_policy(` + kerberos_keytab_template(cyrus, cyrus_t) + ') + +@@ -135,6 +139,7 @@ optional_policy(` ') optional_policy(` @@ -20614,10 +20831,10 @@ index 0000000..0070a0d +/var/log/dirsrv/ldap-agent.log gen_context(system_u:object_r:dirsrv_snmp_var_log_t,s0) diff --git a/policy/modules/services/dirsrv.if b/policy/modules/services/dirsrv.if new file mode 100644 -index 0000000..440a6c5 +index 0000000..9d8f5de --- /dev/null +++ b/policy/modules/services/dirsrv.if -@@ -0,0 +1,193 @@ +@@ -0,0 +1,212 @@ +## policy for dirsrv + +######################################## 
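Review bot: `mysql_exec(staff_t)` in the staff.te hunk executes mysqld_exec_t without a domain transition, so the mysqld instance a staff user starts runs with staff_t's privileges and none of mysqld_t's confinement applies; the commit message explains this is for akonadi, but the policy itself does not. A short comment inside the new `optional_policy` block would keep that rationale with the rule, e.g. `# akonadi starts a per-user mysqld; it runs in staff_t, not mysqld_t`. The same consideration applies if the rule is later copied to other user roles.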
@@ -20718,6 +20935,25 @@ index 0000000..440a6c5 + allow $1 dirsrv_var_lib_t:file manage_file_perms; +') + ++######################################## ++## ++## Connect to dirsrv over an unix stream socket. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dirsrv_stream_connect',` ++ gen_require(` ++ type dirsrv_t, dirsrv_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ stream_connect_pattern($1, dirsrv_var_run_t, dirsrv_var_run_t, dirsrv_t) ++') ++ +####################################### +## +## Allow a domain to manage dirsrv /var/run files. @@ -21013,6 +21249,16 @@ index 03b5286..fcafa0b 100644 ucspitcp_service_domain(djbdns_axfrdns_t, djbdns_axfrdns_exec_t) ######################################## +diff --git a/policy/modules/services/dkim.fc b/policy/modules/services/dkim.fc +index dc1056c..bd60100 100644 +--- a/policy/modules/services/dkim.fc ++++ b/policy/modules/services/dkim.fc +@@ -7,3 +7,5 @@ + /var/run/dkim-filter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0) + /var/run/dkim-milter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0) + /var/run/dkim-milter\.pid -- gen_context(system_u:object_r:dkim_milter_data_t,s0) ++ ++/var/lib/dkim-milter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0) diff --git a/policy/modules/services/dnsmasq.fc b/policy/modules/services/dnsmasq.fc index b886676..ad3210e 100644 --- a/policy/modules/services/dnsmasq.fc @@ -21077,7 +21323,7 @@ index 9bd812b..c808b31 100644 ') diff --git a/policy/modules/services/dnsmasq.te b/policy/modules/services/dnsmasq.te -index fdaeeba..c516b94 100644 +index fdaeeba..dc4eb3d 100644 --- a/policy/modules/services/dnsmasq.te +++ b/policy/modules/services/dnsmasq.te @@ -48,8 +48,9 @@ files_var_lib_filetrans(dnsmasq_t, dnsmasq_lease_t, file) 
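Review bot: The dkim.fc hunk adds `/var/lib/dkim-milter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)`, and the milter.fc hunk further down adds the identical specification, so if both modules are built the generated file_contexts carries the same regex twice. With equal contexts this is redundant rather than conflicting, but one module should own the path; whichever of dkim.fc and milter.fc is actually shipped for this type should keep the entry and the other should drop it, which cannot be decided from the hunks alone.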
@@ -21091,7 +21337,16 @@ index fdaeeba..c516b94 100644 kernel_read_kernel_sysctls(dnsmasq_t) kernel_read_system_state(dnsmasq_t) -@@ -96,10 +97,18 @@ optional_policy(` +@@ -88,6 +89,8 @@ logging_send_syslog_msg(dnsmasq_t) + + miscfiles_read_localization(dnsmasq_t) + ++sysnet_dns_name_resolve(dnsmasq_t) ++ + userdom_dontaudit_use_unpriv_user_fds(dnsmasq_t) + userdom_dontaudit_search_user_home_dirs(dnsmasq_t) + +@@ -96,10 +99,18 @@ optional_policy(` ') optional_policy(` @@ -21110,7 +21365,7 @@ index fdaeeba..c516b94 100644 seutil_sigchld_newrole(dnsmasq_t) ') -@@ -114,4 +123,5 @@ optional_policy(` +@@ -114,4 +125,5 @@ optional_policy(` optional_policy(` virt_manage_lib_files(dnsmasq_t) virt_read_pid_files(dnsmasq_t) @@ -24168,7 +24423,7 @@ index c62f23e..335fda1 100644 /var/run/slapd\.pid -- gen_context(system_u:object_r:slapd_var_run_t,s0) +/var/run/slapd.* -s gen_context(system_u:object_r:slapd_var_run_t,s0) diff --git a/policy/modules/services/ldap.if b/policy/modules/services/ldap.if -index 3aa8fa7..c51c1f6 100644 +index 3aa8fa7..8fa74c3 100644 --- a/policy/modules/services/ldap.if +++ b/policy/modules/services/ldap.if @@ -1,5 +1,41 @@ 
@@ -24239,40 +24494,17 @@ index 3aa8fa7..c51c1f6 100644 ## Read the OpenLDAP configuration files. ## ## -@@ -69,8 +124,30 @@ interface(`ldap_stream_connect',` +@@ -69,8 +124,7 @@ interface(`ldap_stream_connect',` ') files_search_pids($1) - allow $1 slapd_var_run_t:sock_file write; - allow $1 slapd_t:unix_stream_socket connectto; + stream_connect_pattern($1, slapd_var_run_t, slapd_var_run_t, slapd_t) -+ -+ optional_policy(` -+ ldap_stream_connect_dirsrv($1) -+ ') -+') -+ -+######################################## -+## -+## Connect to dirsrv over an unix stream socket. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`ldap_stream_connect_dirsrv',` -+ gen_require(` -+ type dirsrv_t, dirsrv_var_run_t; -+ ') -+ -+ files_search_pids($1) -+ stream_connect_pattern($1, dirsrv_var_run_t, dirsrv_var_run_t, dirsrv_t) ') ######################################## -@@ -110,6 +187,7 @@ interface(`ldap_admin',` +@@ -110,6 +164,7 @@ interface(`ldap_admin',` admin_pattern($1, slapd_lock_t) @@ -24624,17 +24856,18 @@ index db4fd6f..5008a6c 100644 admin_pattern($1, memcached_var_run_t) ') diff --git a/policy/modules/services/milter.fc b/policy/modules/services/milter.fc -index 55a3e2f..613c69d 100644 +index 55a3e2f..bc489e0 100644 --- a/policy/modules/services/milter.fc 
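Review bot: The ldap.if hunk removes `ldap_stream_connect_dirsrv` together with the `optional_policy` call inside `ldap_stream_connect`, so any domain that reached the dirsrv socket only through `ldap_stream_connect` loses that access without anything in this diff showing it. cyrus_t receives `dirsrv_stream_connect` in this commit, but other callers of `ldap_stream_connect` are not visible here and should be checked for the same need. The replacement interface in dirsrv.if has the same body, so the move itself is fine.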
+++ b/policy/modules/services/milter.fc -@@ -1,3 +1,6 @@ +@@ -1,10 +1,15 @@ +/etc/mail/dkim-milter/keys(/.*)? gen_context(system_u:object_r:dkim_milter_private_key_t,s0) + +/usr/sbin/dkim-filter -- gen_context(system_u:object_r:dkim_milter_exec_t,s0) /usr/sbin/milter-greylist -- gen_context(system_u:object_r:greylist_milter_exec_t,s0) /usr/sbin/milter-regex -- gen_context(system_u:object_r:regex_milter_exec_t,s0) /usr/sbin/spamass-milter -- gen_context(system_u:object_r:spamass_milter_exec_t,s0) -@@ -5,6 +8,7 @@ + ++/var/lib/dkim-milter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0) /var/lib/milter-greylist(/.*)? gen_context(system_u:object_r:greylist_milter_data_t,s0) /var/lib/spamass-milter(/.*)? gen_context(system_u:object_r:spamass_milter_state_t,s0) @@ -24812,10 +25045,10 @@ index 0000000..42bb2a3 +/var/cache/mock(/.*)? gen_context(system_u:object_r:mock_cache_t,s0) diff --git a/policy/modules/services/mock.if b/policy/modules/services/mock.if new file mode 100644 -index 0000000..d76fb11 +index 0000000..6395ec8 --- /dev/null +++ b/policy/modules/services/mock.if -@@ -0,0 +1,236 @@ +@@ -0,0 +1,254 @@ +## policy for mock + +######################################## @@ -24876,6 +25109,24 @@ index 0000000..d76fb11 + +######################################## +## ++## Getattr on mock lib file,dir,sock_file ... ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`mock_getattr_lib',` ++ gen_require(` ++ type mock_var_lib_t; ++ ') ++ ++ allow $1 mock_var_lib_t:dir_file_class_set getattr; ++') ++ ++######################################## ++## +## Create, read, write, and delete +## mock lib files. +## @@ -26497,10 +26748,35 @@ index f17583b..8f01394 100644 + +miscfiles_read_localization(munin_plugin_domain) diff --git a/policy/modules/services/mysql.if b/policy/modules/services/mysql.if -index e9c0982..4d3b208 100644 +index e9c0982..06034b8 100644 --- a/policy/modules/services/mysql.if 
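Review bot: The description of the new `mock_getattr_lib` interface in mock.if, `Getattr on mock lib file,dir,sock_file ...`, is hard to read and does not say that it covers every file class. Since the rule uses `dir_file_class_set`, the summary could be `## Get the attributes of all mock lib objects (all file classes).`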
+++ b/policy/modules/services/mysql.if -@@ -73,6 +73,7 @@ interface(`mysql_stream_connect',` +@@ -18,6 +18,24 @@ interface(`mysql_domtrans',` + domtrans_pattern($1, mysqld_exec_t, mysqld_t) + ') + ++###################################### ++## ++## Execute MySQL in the coller domain. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`mysql_exec',` ++ gen_require(` ++ type mysqld_exec_t; ++ ') ++ ++ can_exec($1, mysqld_exec_t) ++') ++ + ######################################## + ## + ## Send a generic signal to MySQL. +@@ -73,6 +91,7 @@ interface(`mysql_stream_connect',` type mysqld_t, mysqld_var_run_t, mysqld_db_t; ') @@ -26508,7 +26784,7 @@ index e9c0982..4d3b208 100644 stream_connect_pattern($1, mysqld_var_run_t, mysqld_var_run_t, mysqld_t) stream_connect_pattern($1, mysqld_db_t, mysqld_var_run_t, mysqld_t) ') -@@ -252,7 +253,7 @@ interface(`mysql_write_log',` +@@ -252,7 +271,7 @@ interface(`mysql_write_log',` ') logging_search_logs($1) @@ -26517,7 +26793,7 @@ index e9c0982..4d3b208 100644 ') ###################################### -@@ -329,10 +330,9 @@ interface(`mysql_search_pid_files',` +@@ -329,10 +348,9 @@ interface(`mysql_search_pid_files',` # interface(`mysql_admin',` gen_require(` @@ -26531,7 +26807,7 @@ index e9c0982..4d3b208 100644 ') allow $1 mysqld_t:process { ptrace signal_perms }; -@@ -343,13 +343,17 @@ interface(`mysql_admin',` +@@ -343,13 +361,17 @@ interface(`mysql_admin',` role_transition $2 mysqld_initrc_exec_t system_r; allow $2 system_r; @@ -27957,19 +28233,29 @@ index b246bdd..f414173 100644 files_etc_filetrans(pads_t, pads_config_t, file) diff --git a/policy/modules/services/passenger.fc b/policy/modules/services/passenger.fc new file mode 100644 -index 0000000..8d00972 +index 0000000..fbd07f6 --- /dev/null 
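Review bot: The new `mysql_exec` interface in mysql.if documents itself as `Execute MySQL in the coller domain.`; `coller` should be `caller`, and because `can_exec` performs no domain transition the summary should say so, e.g. `## Execute mysqld in the caller domain (no transition to mysqld_t).` The comment rule above the interface also appears shorter than the `####...` rule used by the neighbouring interfaces.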
+++ b/policy/modules/services/passenger.fc -@@ -0,0 +1,6 @@ +@@ -0,0 +1,16 @@ + +/usr/lib(64)?/ruby/gems/.*/passenger-.*/ext/apache2/ApplicationPoolServerExecutable -- gen_context(system_u:object_r:passenger_exec_t,s0) + ++/usr/lib(64)?/ruby/gems/.*/passenger-.*/agents/PassengerWatchdog -- gen_context(system_u:object_r:passenger_exec_t,s0) ++ ++/usr/lib(64)?/ruby/gems/.*/passenger-.*/agents/PassengerLoggingAgent -- gen_context(system_u:object_r:passenger_exec_t,s0) ++ ++/usr/lib(64)?/ruby/gems/.*/passenger-.*/agents/apache2/PassengerHelperAgent -- gen_context(system_u:object_r:passenger_exec_t,s0) ++ ++ ++/var/log/passenger(/.*)? gen_context(system_u:object_r:passenger_log_t,s0) ++/var/log/passenger.* -- gen_context(system_u:object_r:passenger_log_t,s0) ++ +/var/lib/passenger(/.*)? gen_context(system_u:object_r:passenger_var_lib_t,s0) + +/var/run/passenger(/.*)? gen_context(system_u:object_r:passenger_var_run_t,s0) diff --git a/policy/modules/services/passenger.if b/policy/modules/services/passenger.if new file mode 100644 -index 0000000..66f9799 +index 0000000..9ef0492 --- /dev/null +++ b/policy/modules/services/passenger.if @@ -0,0 +1,67 @@ @@ -27995,7 +28281,7 @@ index 0000000..66f9799 + allow $1 passenger_t:process signal; + + domtrans_pattern($1, passenger_exec_t, passenger_t) -+ allow $1 passenger_t:unix_stream_socket { read write shutdown }; ++ allow $1 passenger_t:unix_stream_socket { read write connectto shutdown }; + allow passenger_t $1:unix_stream_socket { read write }; +') + @@ -28042,10 +28328,10 @@ index 0000000..66f9799 +') diff --git a/policy/modules/services/passenger.te b/policy/modules/services/passenger.te new file mode 100644 -index 0000000..ba9fdb9 +index 0000000..efa9336 --- /dev/null +++ b/policy/modules/services/passenger.te -@@ -0,0 +1,66 @@ +@@ -0,0 +1,76 @@ +policy_module(passanger, 1.0.0) + +######################################## 
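Review bot: The passenger.fc hunk adds `/var/log/passenger.* -- gen_context(system_u:object_r:passenger_log_t,s0)` with an unescaped dot, so it matches `/var/log/passengerfoo` as well as the intended suffixed log names, and it overlaps the directory spec `/var/log/passenger(/.*)?` on the line above. If the log files are `passenger.log`-style names, `/var/log/passenger\..* -- gen_context(system_u:object_r:passenger_log_t,s0)` is the tighter pattern; if the directory entry alone covers the real layout, the second line can be dropped.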
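Review bot: passenger.te still opens with `policy_module(passanger, 1.0.0)` while the file and every type in it are spelled `passenger`; the line is context in this hunk, but the new hunks below keep building on it. Unless the build overrides it, the module is likely to be installed under the misspelled name, which makes `semodule -l` output and later upgrades confusing; `policy_module(passenger, 1.0.0)` is the expected spelling. The `# passanger local policy` comment further down has the same typo.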
@@ -28062,6 +28348,9 @@ index 0000000..ba9fdb9 +type passenger_tmp_t; +files_tmp_file(passenger_tmp_t) + ++type passenger_log_t; ++logging_log_file(passenger_log_t) ++ +type passenger_var_lib_t; +files_type(passenger_var_lib_t) + @@ -28075,11 +28364,16 @@ index 0000000..ba9fdb9 +# passanger local policy +# + -+allow passenger_t self:capability { dac_override fsetid fowner chown setuid setgid }; -+allow passenger_t self:process signal; ++allow passenger_t self:capability { chown dac_override fsetid fowner kill setuid setgid sys_nice }; ++allow passenger_t self:process { setpgid setsched sigkill signal }; ++ +allow passenger_t self:fifo_file rw_fifo_file_perms; +allow passenger_t self:unix_stream_socket { create_stream_socket_perms connectto }; + ++manage_dirs_pattern(passenger_t, passenger_log_t, passenger_log_t) ++manage_files_pattern(passenger_t, passenger_log_t, passenger_log_t) ++logging_log_filetrans(passenger_t, passenger_log_t, file) ++ +files_search_var_lib(passenger_t) +manage_dirs_pattern(passenger_t, passenger_var_lib_t, passenger_var_lib_t) +manage_files_pattern(passenger_t, passenger_var_lib_t, passenger_var_lib_t) @@ -28090,6 +28384,8 @@ index 0000000..ba9fdb9 +manage_sock_files_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t) +files_pid_filetrans(passenger_t, passenger_var_run_t, { file dir sock_file }) + ++can_exec(passenger_t, passenger_exec_t) ++ +kernel_read_system_state(passenger_t) +kernel_read_kernel_sysctls(passenger_t) + 
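Review bot: `logging_log_filetrans(passenger_t, passenger_log_t, file)` only transitions files created directly under /var/log, yet passenger.fc labels `/var/log/passenger(/.*)?` as a directory tree; if the daemon creates that directory itself at runtime it ends up var_log_t and nothing inside it gets passenger_log_t until a relabel. Either extend it to `logging_log_filetrans(passenger_t, passenger_log_t, { file dir })` or, if the package ships the directory, say so in a comment. The same hunk widens the capability set with `kill` and `sys_nice` and the process permissions with `setpgid setsched sigkill` without a comment; since `kill` lets passenger_t signal processes of other UIDs (subject to the signal rules), a line such as `# watchdog signals and reprioritises its helper agents - confirm which agent needs each` would record the reason for the next reviewer.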
@@ -28738,6 +29034,16 @@ index 0000000..5793840 +miscfiles_read_localization(piranha_domain) + +sysnet_read_config(piranha_domain) +diff --git a/policy/modules/services/plymouthd.fc b/policy/modules/services/plymouthd.fc +index 5702ca4..5df5316 100644 +--- a/policy/modules/services/plymouthd.fc ++++ b/policy/modules/services/plymouthd.fc +@@ -5,3 +5,5 @@ + /var/lib/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_var_lib_t,s0) + /var/run/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_var_run_t,s0) + /var/spool/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_spool_t,s0) ++ ++/var/log/boot\.log -- gen_context(system_u:object_r:plymouthd_var_log_t,s0) diff --git a/policy/modules/services/plymouthd.if b/policy/modules/services/plymouthd.if index 9759ed8..07dd3ff 100644 --- a/policy/modules/services/plymouthd.if @@ -28903,10 +29209,31 @@ index 9759ed8..07dd3ff 100644 admin_pattern($1, plymouthd_var_run_t) ') diff --git a/policy/modules/services/plymouthd.te b/policy/modules/services/plymouthd.te -index fb8dc84..56cc327 100644 +index fb8dc84..ef11559 100644 --- a/policy/modules/services/plymouthd.te 
+++ b/policy/modules/services/plymouthd.te -@@ -60,10 +60,20 @@ domain_use_interactive_fds(plymouthd_t) +@@ -19,6 +19,9 @@ files_type(plymouthd_spool_t) + type plymouthd_var_lib_t; + files_type(plymouthd_var_lib_t) + ++type plymouthd_var_log_t; ++logging_log_file(plymouthd_var_log_t) ++ + type plymouthd_var_run_t; + files_pid_file(plymouthd_var_run_t) + +@@ -42,6 +45,10 @@ manage_dirs_pattern(plymouthd_t, plymouthd_var_lib_t, plymouthd_var_lib_t) + manage_files_pattern(plymouthd_t, plymouthd_var_lib_t, plymouthd_var_lib_t) + files_var_lib_filetrans(plymouthd_t, plymouthd_var_lib_t, { file dir }) + ++manage_dirs_pattern(plymouthd_t, plymouthd_var_log_t, plymouthd_var_log_t) ++manage_files_pattern(plymouthd_t, plymouthd_var_log_t, plymouthd_var_log_t) ++logging_log_filetrans(plymouthd_t, plymouthd_var_log_t, { file dir }) ++ + manage_dirs_pattern(plymouthd_t, plymouthd_var_run_t, plymouthd_var_run_t) + manage_files_pattern(plymouthd_t, plymouthd_var_run_t, plymouthd_var_run_t) + files_pid_filetrans(plymouthd_t, plymouthd_var_run_t, { file dir }) +@@ -60,10 +67,20 @@ domain_use_interactive_fds(plymouthd_t) files_read_etc_files(plymouthd_t) files_read_usr_files(plymouthd_t) @@ -28927,7 +29254,7 @@ index fb8dc84..56cc327 100644 ######################################## # # Plymouth private policy -@@ -74,6 +84,7 @@ allow plymouth_t self:fifo_file rw_file_perms; +@@ -74,6 +91,7 @@ allow plymouth_t self:fifo_file rw_file_perms; allow plymouth_t self:unix_stream_socket create_stream_socket_perms; kernel_read_system_state(plymouth_t) @@ -28935,7 +29262,7 @@ index fb8dc84..56cc327 100644 domain_use_interactive_fds(plymouth_t) -@@ -87,7 +98,7 @@ sysnet_read_config(plymouth_t) +@@ -87,7 +105,7 @@ sysnet_read_config(plymouth_t) plymouthd_stream_connect(plymouth_t) @@ -34250,7 +34577,7 @@ index 22dfeb4..d9f5dbc 100644 files_list_var_lib($1) admin_pattern($1, setroubleshoot_var_lib_t) 
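Review bot: The only path this update labels plymouthd_var_log_t is `/var/log/boot\.log --` (plymouthd.fc hunk on the previous line), a single regular file, yet the .te grants `manage_dirs_pattern(plymouthd_t, plymouthd_var_log_t, plymouthd_var_log_t)` and transitions `{ file dir }`. Unless plymouth also creates a directory under /var/log, the dir half is dead allowance; `logging_log_filetrans(plymouthd_t, plymouthd_var_log_t, file)` and dropping the manage_dirs_pattern line would match what the fc actually labels. A comment `# /var/log/boot.log` above the block would tie the type to its one path.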
diff --git a/policy/modules/services/setroubleshoot.te b/policy/modules/services/setroubleshoot.te -index 086cd5f..679558c 100644 +index 086cd5f..b0ee422 100644 --- a/policy/modules/services/setroubleshoot.te +++ b/policy/modules/services/setroubleshoot.te @@ -32,6 +32,8 @@ files_pid_file(setroubleshoot_var_run_t) @@ -34281,18 +34608,22 @@ index 086cd5f..679558c 100644 corecmd_exec_bin(setroubleshootd_t) corecmd_exec_shell(setroubleshootd_t) -@@ -121,6 +126,10 @@ seutil_read_bin_policy(setroubleshootd_t) +@@ -121,6 +126,14 @@ seutil_read_bin_policy(setroubleshootd_t) userdom_dontaudit_read_user_home_content_files(setroubleshootd_t) optional_policy(` + locate_read_lib_files(setroubleshootd_t) +') + ++optional_policy(` ++ mock_getattr_lib(setroubleshootd_t) ++') ++ +optional_policy(` dbus_system_domain(setroubleshootd_t, setroubleshootd_exec_t) ') -@@ -152,6 +161,7 @@ corecmd_exec_bin(setroubleshoot_fixit_t) +@@ -152,6 +165,7 @@ corecmd_exec_bin(setroubleshoot_fixit_t) corecmd_exec_shell(setroubleshoot_fixit_t) seutil_domtrans_setfiles(setroubleshoot_fixit_t) @@ -34300,7 +34631,7 @@ index 086cd5f..679558c 100644 files_read_usr_files(setroubleshoot_fixit_t) files_read_etc_files(setroubleshoot_fixit_t) -@@ -164,6 +174,13 @@ logging_send_syslog_msg(setroubleshoot_fixit_t) +@@ -164,6 +178,13 @@ logging_send_syslog_msg(setroubleshoot_fixit_t) miscfiles_read_localization(setroubleshoot_fixit_t) @@ -35579,7 +35910,7 @@ index 22adaca..784c363 100644 + allow $1 sshd_t:process signull; +') diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te -index 2dad3c8..4877b5a 100644 +index 2dad3c8..4cdb5c2 100644 --- a/policy/modules/services/ssh.te +++ b/policy/modules/services/ssh.te @@ -6,26 +6,32 @@ policy_module(ssh, 2.2.0) 
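Review bot: `mock_getattr_lib(setroubleshootd_t)` is called inside optional_policy, but its definition is not in this excerpt; optional_policy only drops the block when the mock module is absent at link time, and as far as I recall an undefined interface name is still an m4 expansion error at build time, so mock.if must gain that interface in the same update (the commit message says it does - worth confirming the mock.if hunk is part of this patch). A short comment would also help the next reader, e.g. `# setroubleshoot inspects files inside mock build roots`.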
@@ -35705,7 +36036,15 @@ index 2dad3c8..4877b5a 100644 dev_read_urand(ssh_t) -@@ -169,14 +173,13 @@ userdom_dontaudit_list_user_home_dirs(ssh_t) +@@ -162,6 +166,7 @@ logging_read_generic_logs(ssh_t) + auth_use_nsswitch(ssh_t) + + miscfiles_read_localization(ssh_t) ++miscfiles_read_generic_certs(ssh_t) + + seutil_read_config(ssh_t) + +@@ -169,14 +174,13 @@ userdom_dontaudit_list_user_home_dirs(ssh_t) userdom_search_user_home_dirs(ssh_t) # Write to the user domain tty. userdom_use_user_terminals(ssh_t) @@ -35724,7 +36063,7 @@ index 2dad3c8..4877b5a 100644 ') tunable_policy(`use_nfs_home_dirs',` -@@ -200,6 +203,57 @@ optional_policy(` +@@ -200,6 +204,57 @@ optional_policy(` xserver_domtrans_xauth(ssh_t) ') @@ -35782,7 +36121,7 @@ index 2dad3c8..4877b5a 100644 ############################## # # ssh_keysign_t local policy -@@ -209,7 +263,7 @@ tunable_policy(`allow_ssh_keysign',` +@@ -209,7 +264,7 @@ tunable_policy(`allow_ssh_keysign',` allow ssh_keysign_t self:capability { setgid setuid }; allow ssh_keysign_t self:unix_stream_socket create_socket_perms; @@ -35791,7 +36130,7 @@ index 2dad3c8..4877b5a 100644 dev_read_urand(ssh_keysign_t) -@@ -232,33 +286,39 @@ optional_policy(` +@@ -232,33 +287,39 @@ optional_policy(` # so a tunnel can point to another ssh tunnel allow sshd_t self:netlink_route_socket r_netlink_socket_perms; allow sshd_t self:key { search link write }; @@ -35840,7 +36179,7 @@ index 2dad3c8..4877b5a 100644 ') optional_policy(` -@@ -266,11 +326,24 @@ optional_policy(` +@@ -266,11 +327,24 @@ optional_policy(` ') optional_policy(` @@ -35866,7 +36205,7 @@ index 2dad3c8..4877b5a 100644 ') optional_policy(` -@@ -284,6 +357,11 @@ optional_policy(` +@@ -284,6 +358,11 @@ optional_policy(` ') optional_policy(` @@ -35878,7 +36217,7 @@ index 2dad3c8..4877b5a 100644 unconfined_shell_domtrans(sshd_t) ') -@@ -292,26 +370,26 @@ optional_policy(` +@@ -292,26 +371,26 @@ optional_policy(` ') ifdef(`TODO',` 
@@ -35924,7 +36263,7 @@ index 2dad3c8..4877b5a 100644 ') dnl endif TODO ######################################## -@@ -324,7 +402,6 @@ tunable_policy(`ssh_sysadm_login',` +@@ -324,7 +403,6 @@ tunable_policy(`ssh_sysadm_login',` dontaudit ssh_keygen_t self:capability sys_tty_config; allow ssh_keygen_t self:process { sigchld sigkill sigstop signull signal }; @@ -35932,7 +36271,7 @@ index 2dad3c8..4877b5a 100644 allow ssh_keygen_t self:unix_stream_socket create_stream_socket_perms; allow ssh_keygen_t sshd_key_t:file manage_file_perms; -@@ -353,10 +430,6 @@ logging_send_syslog_msg(ssh_keygen_t) +@@ -353,10 +431,6 @@ logging_send_syslog_msg(ssh_keygen_t) userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t) optional_policy(` @@ -36001,7 +36340,7 @@ index 941380a..6dbfc01 100644 # Allow sssd_t to restart the apache service sssd_initrc_domtrans($1) diff --git a/policy/modules/services/sssd.te b/policy/modules/services/sssd.te -index 8ffa257..7113802 100644 +index 8ffa257..12d37a2 100644 --- a/policy/modules/services/sssd.te +++ b/policy/modules/services/sssd.te @@ -28,9 +28,11 @@ files_pid_file(sssd_var_run_t) 
@@ -36035,15 +36374,49 @@ index 8ffa257..7113802 100644 kernel_read_system_state(sssd_t) corecmd_exec_bin(sssd_t) -@@ -80,6 +83,8 @@ logging_send_audit_msgs(sssd_t) +@@ -60,6 +63,7 @@ domain_obj_id_change_exemption(sssd_t) + files_list_tmp(sssd_t) + files_read_etc_files(sssd_t) + files_read_usr_files(sssd_t) ++files_list_var_lib(sssd_t) + + fs_list_inotifyfs(sssd_t) + +@@ -69,7 +73,8 @@ seutil_read_file_contexts(sssd_t) + + mls_file_read_to_clearance(sssd_t) + +-auth_use_nsswitch(sssd_t) ++ ++# auth_use_nsswitch(sssd_t) + auth_domtrans_chk_passwd(sssd_t) + auth_domtrans_upd_passwd(sssd_t) + +@@ -79,6 +84,12 @@ logging_send_syslog_msg(sssd_t) + logging_send_audit_msgs(sssd_t) miscfiles_read_localization(sssd_t) - -+userdom_manage_tmp_role(system_r, sssd_t) ++miscfiles_read_generic_certs(sssd_t) + ++sysnet_dns_name_resolve(sssd_t) ++sysnet_use_ldap(sssd_t) ++ ++userdom_manage_tmp_role(system_r, sssd_t) + optional_policy(` dbus_system_bus_client(sssd_t) - dbus_connect_system_bus(sssd_t) +@@ -88,3 +99,11 @@ optional_policy(` + optional_policy(` + kerberos_manage_host_rcache(sssd_t) + ') ++ ++optional_policy(` ++ dirsrv_stream_connect(sssd_t) ++') ++ ++optional_policy(` ++ ldap_stream_connect(sssd_t) ++') diff --git a/policy/modules/services/stunnel.if b/policy/modules/services/stunnel.if index 6073656..eaf49b2 100644 --- a/policy/modules/services/stunnel.if @@ -37301,7 +37674,7 @@ index 7c5d8d8..8822e63 100644 + dontaudit $1 virtd_t:fifo_file write_fifo_file_perms; +') diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te -index 3eca020..a48a862 100644 +index 3eca020..333a07f 100644 --- a/policy/modules/services/virt.te +++ b/policy/modules/services/virt.te @@ -5,80 +5,97 @@ policy_module(virt, 1.4.0) 
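Review bot: `# auth_use_nsswitch(sssd_t)` leaves commented-out code where a why-comment belongs; the calls added in the same hunk (`files_list_var_lib`, `miscfiles_read_generic_certs`, `sysnet_dns_name_resolve`, `sysnet_use_ldap`, `dirsrv_stream_connect`, `ldap_stream_connect`) look like exactly the part of auth_use_nsswitch that this update gates behind `authlogin_use_sssd`, presumably so sssd_t keeps its backend access regardless of that boolean. Replace the dead line with a comment stating that, e.g. `# sssd is the nsswitch backend: its LDAP/dirsrv access is listed explicitly instead of via auth_use_nsswitch, which authlogin_use_sssd can switch off`. Dropping the interface also removes what it supplied beyond those calls (`nscd_use`, `kerberos_use`, the winbind/nslcd connects); the kerberos side in particular should be checked against sssd's krb5 backend, since only `kerberos_manage_host_rcache` remains in view.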
@@ -37558,7 +37931,12 @@ index 3eca020..a48a862 100644 kernel_request_load_module(virtd_t) kernel_search_debugfs(virtd_t) -@@ -243,18 +291,27 @@ dev_read_rand(virtd_t) +@@ -239,22 +287,32 @@ corenet_tcp_connect_soundd_port(virtd_t) + corenet_rw_tun_tap_dev(virtd_t) + + dev_rw_sysfs(virtd_t) ++dev_read_urand(virtd_t) + dev_read_rand(virtd_t) dev_rw_kvm(virtd_t) dev_getattr_all_chr_files(virtd_t) dev_rw_mtrr(virtd_t) @@ -37587,7 +37965,7 @@ index 3eca020..a48a862 100644 fs_list_auto_mountpoints(virtd_t) fs_getattr_xattr_fs(virtd_t) -@@ -262,6 +319,18 @@ fs_rw_anon_inodefs_files(virtd_t) +@@ -262,6 +320,18 @@ fs_rw_anon_inodefs_files(virtd_t) fs_list_inotifyfs(virtd_t) fs_manage_cgroup_dirs(virtd_t) fs_rw_cgroup_files(virtd_t) @@ -37606,7 +37984,7 @@ index 3eca020..a48a862 100644 mcs_process_set_categories(virtd_t) -@@ -285,16 +354,30 @@ modutils_read_module_config(virtd_t) +@@ -285,16 +355,30 @@ modutils_read_module_config(virtd_t) modutils_manage_module_config(virtd_t) logging_send_syslog_msg(virtd_t) @@ -37637,7 +38015,7 @@ index 3eca020..a48a862 100644 tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virtd_t) -@@ -365,6 +448,8 @@ optional_policy(` +@@ -365,6 +449,8 @@ optional_policy(` qemu_signal(virtd_t) qemu_kill(virtd_t) qemu_setsched(virtd_t) @@ -37646,7 +38024,7 @@ index 3eca020..a48a862 100644 ') optional_policy(` -@@ -396,12 +481,25 @@ optional_policy(` +@@ -396,12 +482,25 @@ optional_policy(` allow virt_domain self:capability { dac_read_search dac_override kill }; allow virt_domain self:process { execmem execstack signal getsched signull }; @@ -37673,7 +38051,7 @@ index 3eca020..a48a862 100644 append_files_pattern(virt_domain, virt_log_t, virt_log_t) append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t) -@@ -422,6 +520,7 @@ corenet_rw_tun_tap_dev(virt_domain) +@@ -422,6 +521,7 @@ corenet_rw_tun_tap_dev(virt_domain) corenet_tcp_bind_virt_migration_port(virt_domain) corenet_tcp_connect_virt_migration_port(virt_domain) 
@@ -37681,7 +38059,7 @@ index 3eca020..a48a862 100644 dev_read_rand(virt_domain) dev_read_sound(virt_domain) dev_read_urand(virt_domain) -@@ -429,10 +528,12 @@ dev_write_sound(virt_domain) +@@ -429,10 +529,12 @@ dev_write_sound(virt_domain) dev_rw_ksm(virt_domain) dev_rw_kvm(virt_domain) dev_rw_qemu(virt_domain) @@ -37694,7 +38072,7 @@ index 3eca020..a48a862 100644 files_read_usr_files(virt_domain) files_read_var_files(virt_domain) files_search_all(virt_domain) -@@ -440,6 +541,11 @@ files_search_all(virt_domain) +@@ -440,6 +542,11 @@ files_search_all(virt_domain) fs_getattr_tmpfs(virt_domain) fs_rw_anon_inodefs_files(virt_domain) fs_rw_tmpfs_files(virt_domain) @@ -37706,7 +38084,7 @@ index 3eca020..a48a862 100644 term_use_all_terms(virt_domain) term_getattr_pty_fs(virt_domain) -@@ -457,8 +563,117 @@ optional_policy(` +@@ -457,8 +564,117 @@ optional_policy(` ') optional_policy(` @@ -39209,7 +39587,7 @@ index da2601a..6b12229 100644 + manage_files_pattern($1, user_fonts_config_t, user_fonts_config_t) +') diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te -index 145fc4b..6b4d8c9 100644 +index 145fc4b..05cbefe 100644 --- a/policy/modules/services/xserver.te +++ b/policy/modules/services/xserver.te @@ -26,27 +26,50 @@ gen_require(` @@ -39828,13 +40206,17 @@ index 145fc4b..6b4d8c9 100644 tunable_policy(`xdm_sysadm_login',` userdom_xsession_spec_domtrans_all_users(xdm_t) # FIXME: -@@ -504,11 +714,17 @@ tunable_policy(`xdm_sysadm_login',` +@@ -504,11 +714,21 @@ tunable_policy(`xdm_sysadm_login',` ') optional_policy(` + accountsd_read_lib_files(xdm_t) +') + ++optional_policy(` ++ acct_dontaudit_list_data(xdm_t) ++') ++ +optional_policy(` alsa_domtrans(xdm_t) + alsa_read_rw_config(xdm_t) @@ -39846,7 +40228,7 @@ index 145fc4b..6b4d8c9 100644 ') optional_policy(` -@@ -516,12 +732,49 @@ optional_policy(` +@@ -516,12 +736,49 @@ optional_policy(` ') optional_policy(` 
@@ -39896,7 +40278,7 @@ index 145fc4b..6b4d8c9 100644 hostname_exec(xdm_t) ') -@@ -539,28 +792,63 @@ optional_policy(` +@@ -539,28 +796,63 @@ optional_policy(` ') optional_policy(` @@ -39969,7 +40351,7 @@ index 145fc4b..6b4d8c9 100644 ') optional_policy(` -@@ -572,6 +860,10 @@ optional_policy(` +@@ -572,6 +864,10 @@ optional_policy(` ') optional_policy(` @@ -39980,7 +40362,7 @@ index 145fc4b..6b4d8c9 100644 xfs_stream_connect(xdm_t) ') -@@ -596,7 +888,7 @@ allow xserver_t input_xevent_t:x_event send; +@@ -596,7 +892,7 @@ allow xserver_t input_xevent_t:x_event send; # execheap needed until the X module loader is fixed. # NVIDIA Needs execstack @@ -39989,7 +40371,7 @@ index 145fc4b..6b4d8c9 100644 dontaudit xserver_t self:capability chown; allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow xserver_t self:fd use; -@@ -610,6 +902,14 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; +@@ -610,6 +906,14 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow xserver_t self:tcp_socket create_stream_socket_perms; allow xserver_t self:udp_socket create_socket_perms; @@ -40004,7 +40386,7 @@ index 145fc4b..6b4d8c9 100644 manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) -@@ -629,12 +929,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) +@@ -629,12 +933,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) files_search_var_lib(xserver_t) 
@@ -40026,7 +40408,7 @@ index 145fc4b..6b4d8c9 100644 kernel_read_system_state(xserver_t) kernel_read_device_sysctls(xserver_t) -@@ -642,6 +949,7 @@ kernel_read_modprobe_sysctls(xserver_t) +@@ -642,6 +953,7 @@ kernel_read_modprobe_sysctls(xserver_t) # Xorg wants to check if kernel is tainted kernel_read_kernel_sysctls(xserver_t) kernel_write_proc_files(xserver_t) @@ -40034,7 +40416,7 @@ index 145fc4b..6b4d8c9 100644 # Run helper programs in xserver_t. corecmd_exec_bin(xserver_t) -@@ -668,7 +976,6 @@ dev_rw_apm_bios(xserver_t) +@@ -668,7 +980,6 @@ dev_rw_apm_bios(xserver_t) dev_rw_agp(xserver_t) dev_rw_framebuffer(xserver_t) dev_manage_dri_dev(xserver_t) @@ -40042,7 +40424,7 @@ index 145fc4b..6b4d8c9 100644 dev_create_generic_dirs(xserver_t) dev_setattr_generic_dirs(xserver_t) # raw memory access is needed if not using the frame buffer -@@ -678,11 +985,17 @@ dev_wx_raw_memory(xserver_t) +@@ -678,11 +989,17 @@ dev_wx_raw_memory(xserver_t) dev_rw_xserver_misc(xserver_t) # read events - the synaptics touchpad driver reads raw events dev_rw_input_dev(xserver_t) @@ -40060,7 +40442,7 @@ index 145fc4b..6b4d8c9 100644 # brought on by rhgb files_search_mnt(xserver_t) -@@ -693,8 +1006,13 @@ fs_getattr_xattr_fs(xserver_t) +@@ -693,8 +1010,13 @@ fs_getattr_xattr_fs(xserver_t) fs_search_nfs(xserver_t) fs_search_auto_mountpoints(xserver_t) fs_search_ramfs(xserver_t) @@ -40074,7 +40456,7 @@ index 145fc4b..6b4d8c9 100644 selinux_validate_context(xserver_t) selinux_compute_access_vector(xserver_t) -@@ -716,11 +1034,14 @@ logging_send_audit_msgs(xserver_t) +@@ -716,11 +1038,14 @@ logging_send_audit_msgs(xserver_t) miscfiles_read_localization(xserver_t) miscfiles_read_fonts(xserver_t) @@ -40089,7 +40471,7 @@ index 145fc4b..6b4d8c9 100644 userdom_search_user_home_dirs(xserver_t) userdom_use_user_ttys(xserver_t) -@@ -773,12 +1094,28 @@ optional_policy(` +@@ -773,12 +1098,28 @@ optional_policy(` ') optional_policy(` 
@@ -40119,7 +40501,7 @@ index 145fc4b..6b4d8c9 100644 unconfined_domtrans(xserver_t) ') -@@ -787,6 +1124,10 @@ optional_policy(` +@@ -787,6 +1128,10 @@ optional_policy(` ') optional_policy(` @@ -40130,7 +40512,7 @@ index 145fc4b..6b4d8c9 100644 xfs_stream_connect(xserver_t) ') -@@ -802,10 +1143,10 @@ allow xserver_t xdm_t:shm rw_shm_perms; +@@ -802,10 +1147,10 @@ allow xserver_t xdm_t:shm rw_shm_perms; # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open # handle of a file inside the dir!!! @@ -40144,7 +40526,7 @@ index 145fc4b..6b4d8c9 100644 # Label pid and temporary files with derived types. manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) -@@ -813,7 +1154,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) +@@ -813,7 +1158,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) # Run xkbcomp. @@ -40153,7 +40535,7 @@ index 145fc4b..6b4d8c9 100644 can_exec(xserver_t, xkb_var_lib_t) # VNC v4 module in X server -@@ -826,6 +1167,9 @@ init_use_fds(xserver_t) +@@ -826,6 +1171,9 @@ init_use_fds(xserver_t) # to read ROLE_home_t - examine this in more detail # (xauth?) userdom_read_user_home_content_files(xserver_t) @@ -40163,7 +40545,7 @@ index 145fc4b..6b4d8c9 100644 tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs(xserver_t) -@@ -833,6 +1177,11 @@ tunable_policy(`use_nfs_home_dirs',` +@@ -833,6 +1181,11 @@ tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_symlinks(xserver_t) ') @@ -40175,7 +40557,7 @@ index 145fc4b..6b4d8c9 100644 tunable_policy(`use_samba_home_dirs',` fs_manage_cifs_dirs(xserver_t) fs_manage_cifs_files(xserver_t) -@@ -841,11 +1190,14 @@ tunable_policy(`use_samba_home_dirs',` +@@ -841,11 +1194,14 @@ tunable_policy(`use_samba_home_dirs',` optional_policy(` dbus_system_bus_client(xserver_t) 
@@ -40192,7 +40574,7 @@ index 145fc4b..6b4d8c9 100644 ') optional_policy(` -@@ -853,6 +1205,10 @@ optional_policy(` +@@ -853,6 +1209,10 @@ optional_policy(` rhgb_rw_tmpfs_files(xserver_t) ') @@ -40203,7 +40585,7 @@ index 145fc4b..6b4d8c9 100644 ######################################## # # Rules common to all X window domains -@@ -896,7 +1252,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy +@@ -896,7 +1256,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show }; # operations allowed on my windows allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive }; @@ -40212,7 +40594,7 @@ index 145fc4b..6b4d8c9 100644 # operations allowed on all windows allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child }; -@@ -950,11 +1306,31 @@ allow x_domain self:x_resource { read write }; +@@ -950,11 +1310,31 @@ allow x_domain self:x_resource { read write }; # can mess with the screensaver allow x_domain xserver_t:x_screen { getattr saver_getattr }; @@ -40244,7 +40626,7 @@ index 145fc4b..6b4d8c9 100644 tunable_policy(`! xserver_object_manager',` # should be xserver_unconfined(x_domain), # but typeattribute doesnt work in conditionals -@@ -976,18 +1352,32 @@ tunable_policy(`! xserver_object_manager',` +@@ -976,18 +1356,32 @@ tunable_policy(`! xserver_object_manager',` allow x_domain xevent_type:{ x_event x_synthetic_event } *; ') @@ -40871,7 +41253,7 @@ index 1c4b1e7..ffa4134 100644 /var/run/pam_ssh(/.*)? gen_context(system_u:object_r:var_auth_t,s0) /var/run/sepermit(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0) diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if -index bea0ade..716da1d 100644 +index bea0ade..cbd62c5 100644 
--- a/policy/modules/system/authlogin.if +++ b/policy/modules/system/authlogin.if @@ -57,6 +57,8 @@ interface(`auth_use_pam',` 
@@ -41198,37 +41580,88 @@ index bea0ade..716da1d 100644 ## Read login records files (/var/log/wtmp). ## ## -@@ -1500,6 +1692,8 @@ interface(`auth_manage_login_records',` +@@ -1500,28 +1692,38 @@ interface(`auth_manage_login_records',` # interface(`auth_use_nsswitch',` -+ allow $1 self:netlink_route_socket r_netlink_socket_perms; -+ - files_list_var_lib($1) - +- files_list_var_lib($1) +- # read /etc/nsswitch.conf -@@ -1531,7 +1725,15 @@ interface(`auth_use_nsswitch',` + files_read_etc_files($1) + +- miscfiles_read_generic_certs($1) +- + sysnet_dns_name_resolve($1) +- sysnet_use_ldap($1) ++ ++ tunable_policy(`authlogin_use_sssd',`', ` ++ files_list_var_lib($1) ++ ++ miscfiles_read_generic_certs($1) ++ ++ sysnet_use_ldap($1) ++ ') + + optional_policy(` +- avahi_stream_connect($1) ++ tunable_policy(`authlogin_use_sssd',`', ` ++ dirsrv_stream_connect($1) ++ ') + ') + + optional_policy(` +- ldap_stream_connect($1) ++ tunable_policy(`authlogin_use_sssd',`', ` ++ ldap_stream_connect($1) ++ ') + ') + + optional_policy(` +- likewise_stream_connect_lsassd($1) ++ tunable_policy(`authlogin_use_sssd',`', ` ++ likewise_stream_connect_lsassd($1) ++ ') + ') + ++ # can not wrap nis_use_ypbind or kerberos_use, but they both have booleans you can turn off. + optional_policy(` + kerberos_use($1) + ') +@@ -1531,13 +1733,25 @@ interface(`auth_use_nsswitch',` ') optional_policy(` - nscd_socket_use($1) + nscd_use($1) -+ ') -+ -+ optional_policy(` -+ nslcd_stream_connect($1) + ') + + optional_policy(` +- samba_stream_connect_winbind($1) +- samba_read_var_files($1) +- samba_dontaudit_write_var_files($1) ++ tunable_policy(`authlogin_use_sssd',`', ` ++ nslcd_stream_connect($1) ++ ') + ') + + optional_policy(` + sssd_stream_connect($1) ++ ') ++ ++ optional_policy(` ++ tunable_policy(`authlogin_use_sssd',`', ` ++ samba_stream_connect_winbind($1) ++ samba_read_var_files($1) ++ samba_dontaudit_write_var_files($1) ++ ') ') + ') - optional_policy(` 
diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te -index 54d122b..7413dc4 100644 +index 54d122b..c2a3970 100644 --- a/policy/modules/system/authlogin.te +++ b/policy/modules/system/authlogin.te -@@ -5,9 +5,17 @@ policy_module(authlogin, 2.2.0) +@@ -5,9 +5,24 @@ policy_module(authlogin, 2.2.0) # Declarations # @@ -41238,6 +41671,13 @@ index 54d122b..7413dc4 100644 +##

+## +gen_tunable(authlogin_radius, false) ++ ++## ++##

++## Allow users to login using a sssd server ++##

++##
++gen_tunable(authlogin_use_sssd, false) + attribute can_read_shadow_passwords; attribute can_write_shadow_passwords; @@ -41246,7 +41686,7 @@ index 54d122b..7413dc4 100644 type auth_cache_t; logging_log_file(auth_cache_t) -@@ -44,7 +52,7 @@ type pam_tmp_t; +@@ -44,7 +59,7 @@ type pam_tmp_t; files_tmp_file(pam_tmp_t) type pam_var_console_t; @@ -41255,7 +41695,7 @@ index 54d122b..7413dc4 100644 type pam_var_run_t; files_pid_file(pam_var_run_t) -@@ -83,7 +91,7 @@ logging_log_file(wtmp_t) +@@ -83,7 +98,7 @@ logging_log_file(wtmp_t) allow chkpwd_t self:capability { dac_override setuid }; dontaudit chkpwd_t self:capability sys_tty_config; @@ -41264,7 +41704,7 @@ index 54d122b..7413dc4 100644 allow chkpwd_t shadow_t:file read_file_perms; files_list_etc(chkpwd_t) -@@ -394,3 +402,11 @@ optional_policy(` +@@ -394,3 +409,11 @@ optional_policy(` xserver_use_xdm_fds(utempter_t) xserver_rw_xdm_pipes(utempter_t) ') @@ -41591,10 +42031,10 @@ index c310775..d5fc685 100644 term_dontaudit_use_console(hostname_t) diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc -index 9775375..299b718 100644 +index 6fed22c..06e5395 100644 --- a/policy/modules/system/init.fc +++ b/policy/modules/system/init.fc -@@ -24,7 +24,21 @@ ifdef(`distro_gentoo',` +@@ -33,7 +33,21 @@ ifdef(`distro_gentoo', ` # # /sbin # @@ -41616,7 +42056,7 @@ index 9775375..299b718 100644 ifdef(`distro_gentoo', ` /sbin/rc -- gen_context(system_u:object_r:initrc_exec_t,s0) -@@ -44,6 +58,9 @@ ifdef(`distro_gentoo', ` +@@ -53,6 +67,9 @@ ifdef(`distro_gentoo', ` /usr/sbin/apachectl -- gen_context(system_u:object_r:initrc_exec_t,s0) /usr/sbin/open_init_pty -- gen_context(system_u:object_r:initrc_exec_t,s0) @@ -41627,7 +42067,7 @@ index 9775375..299b718 100644 # # /var diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if -index df3fa64..473d2b4 100644 +index ed152c4..be3bb8f 100644 --- a/policy/modules/system/init.if +++ b/policy/modules/system/init.if 
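Review bot: The description of the new boolean, `Allow users to login using a sssd server`, states the opposite of what the policy does: every `tunable_policy(`authlogin_use_sssd`,`', ` ... ')` in auth_use_nsswitch has an empty true branch, so enabling the boolean removes the direct LDAP, dirsrv, nslcd and winbind access (plus the cert read and /var/lib listing) from nsswitch users, while `sssd_stream_connect($1)` stays unconditional either way. Reword it to something like `Restrict nsswitch clients to sssd: when enabled, drop their direct LDAP, dirsrv, nslcd and winbind access` so an admin reading the boolean list knows it is a tightening switch, and put one comment above the first tunable_policy explaining the inverted form. Moving `files_list_var_lib($1)` inside the tunable also assumes `sssd_stream_connect` searches /var/lib on its own - worth confirming if the sssd socket lives under /var/lib.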
@@ -79,6 +79,40 @@ interface(`init_script_domain',` @@ -41675,9 +42115,9 @@ index df3fa64..473d2b4 100644 role system_r types $1; -- domtrans_pattern(init_t,$2,$1) +- domtrans_pattern(init_t, $2, $1) + tunable_policy(`init_systemd',`', ` -+ domtrans_pattern(init_t,$2,$1) ++ domtrans_pattern(init_t, $2, $1) + allow init_t $1:unix_stream_socket create_stream_socket_perms; + allow $1 init_t:unix_dgram_socket sendto; + ') @@ -41695,10 +42135,12 @@ index df3fa64..473d2b4 100644 ') typeattribute $1 daemon; -@@ -205,6 +245,21 @@ interface(`init_daemon_domain',` +@@ -204,7 +244,22 @@ interface(`init_daemon_domain',` + role system_r types $1; - domtrans_pattern(initrc_t,$2,$1) +- domtrans_pattern(initrc_t, $2, $1) ++ domtrans_pattern(initrc_t,$2,$1) + allow initrc_t $1:process siginh; + allow $1 initrc_transition_domain:fifo_file rw_inherited_fifo_file_perms; + allow $1 initrc_transition_domain:fd use; @@ -41724,8 +42166,8 @@ index df3fa64..473d2b4 100644 + type init_t; ') -- init_daemon_domain($1,$2) -+# init_daemon_domain($1,$2) +- init_daemon_domain($1, $2) ++# init_daemon_domain($1, $2) ifdef(`enable_mcs',` range_transition initrc_t $2:process $3; @@ -41739,7 +42181,7 @@ index df3fa64..473d2b4 100644 ') ') -@@ -336,8 +394,10 @@ interface(`init_ranged_daemon_domain',` +@@ -336,15 +394,31 @@ interface(`init_ranged_daemon_domain',` # interface(`init_system_domain',` gen_require(` @@ -41749,11 +42191,12 @@ index df3fa64..473d2b4 100644 + attribute initrc_transition_domain; ') - application_domain($1,$2) -@@ -345,6 +405,20 @@ interface(`init_system_domain',` + application_domain($1, $2) + role system_r types $1; - domtrans_pattern(initrc_t,$2,$1) +- domtrans_pattern(initrc_t, $2, $1) ++ domtrans_pattern(initrc_t,$2,$1) + allow initrc_t $1:process siginh; + allow $1 initrc_transition_domain:fifo_file rw_inherited_fifo_file_perms; + allow $1 initrc_transition_domain:fd use; 
@@ -41816,7 +42259,7 @@ index df3fa64..473d2b4 100644 + type init_t; ') - init_system_domain($1,$2) + init_system_domain($1, $2) ifdef(`enable_mcs',` range_transition initrc_t $2:process $3; @@ -41826,10 +42269,10 @@ index df3fa64..473d2b4 100644 ifdef(`enable_mls',` range_transition initrc_t $2:process $3; + range_transition init_t $2:process $3; + mls_rangetrans_target($1) ') ') - -@@ -687,19 +795,24 @@ interface(`init_telinit',` +@@ -688,19 +796,24 @@ interface(`init_telinit',` type initctl_t; ') @@ -41855,7 +42298,7 @@ index df3fa64..473d2b4 100644 ') ') -@@ -772,18 +885,19 @@ interface(`init_script_file_entry_type',` +@@ -773,18 +886,19 @@ interface(`init_script_file_entry_type',` # interface(`init_spec_domtrans_script',` gen_require(` @@ -41879,7 +42322,7 @@ index df3fa64..473d2b4 100644 ') ') -@@ -799,19 +913,41 @@ interface(`init_spec_domtrans_script',` +@@ -800,19 +914,41 @@ interface(`init_spec_domtrans_script',` # interface(`init_domtrans_script',` gen_require(` @@ -41925,7 +42368,7 @@ index df3fa64..473d2b4 100644 ') ######################################## -@@ -867,8 +1003,12 @@ interface(`init_script_file_domtrans',` +@@ -868,8 +1004,12 @@ interface(`init_script_file_domtrans',` interface(`init_labeled_script_domtrans',` gen_require(` type initrc_t; @@ -41938,7 +42381,7 @@ index df3fa64..473d2b4 100644 domtrans_pattern($1, $2, initrc_t) files_search_etc($1) ') -@@ -1129,12 +1269,7 @@ interface(`init_read_script_state',` +@@ -1130,12 +1270,7 @@ interface(`init_read_script_state',` ') kernel_search_proc($1) @@ -41952,7 +42395,7 @@ index df3fa64..473d2b4 100644 ') ######################################## -@@ -1374,6 +1509,27 @@ interface(`init_dbus_send_script',` +@@ -1375,6 +1510,27 @@ interface(`init_dbus_send_script',` ######################################## ## ## Send and receive messages from 
@@ -41980,7 +42423,7 @@ index df3fa64..473d2b4 100644 ## init scripts over dbus. ## ## -@@ -1460,6 +1616,25 @@ interface(`init_getattr_script_status_files',` +@@ -1461,6 +1617,25 @@ interface(`init_getattr_script_status_files',` ######################################## ## @@ -42006,7 +42449,7 @@ index df3fa64..473d2b4 100644 ## Do not audit attempts to read init script ## status files. ## -@@ -1673,7 +1848,7 @@ interface(`init_dontaudit_rw_utmp',` +@@ -1674,7 +1849,7 @@ interface(`init_dontaudit_rw_utmp',` type initrc_var_run_t; ') @@ -42015,7 +42458,7 @@ index df3fa64..473d2b4 100644 ') ######################################## -@@ -1748,3 +1923,93 @@ interface(`init_udp_recvfrom_all_daemons',` +@@ -1749,3 +1924,93 @@ interface(`init_udp_recvfrom_all_daemons',` ') corenet_udp_recvfrom_labeled($1, daemon) ') @@ -42110,7 +42553,7 @@ index df3fa64..473d2b4 100644 + allow $1 init_t:unix_dgram_socket sendto; +') diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index 2fbb25a..2cba7c4 100644 +index 0580e7c..28fd86c 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -16,6 +16,27 @@ gen_require(` @@ -42277,7 +42720,7 @@ index 2fbb25a..2cba7c4 100644 + dev_write_kmsg(init_t) + dev_write_urand(init_t) + dev_rw_autofs(init_t) -+ dev_create_generic_symlinks(init_t) ++ dev_manage_generic_symlinks(init_t) + dev_manage_generic_dirs(init_t) + dev_manage_generic_files(init_t) + dev_read_generic_chr_files(init_t) @@ -42534,7 +42977,7 @@ index 2fbb25a..2cba7c4 100644 userdom_read_user_home_content_files(initrc_t) # Allow access to the sysadm TTYs. Note that this will give access to the # TTYs to any process in the initrc_t domain. Therefore, daemons and such -@@ -473,7 +658,7 @@ ifdef(`distro_redhat',` +@@ -474,7 +659,7 @@ ifdef(`distro_redhat',` # Red Hat systems seem to have a stray # fd open from the initrd 
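Review bot: `dev_manage_generic_symlinks(init_t)` replaces `dev_create_generic_symlinks(init_t)`, so init_t can now also delete and rename generic (device_t) symlinks under /dev, with no comment saying which systemd behaviour needed it. The neighbouring `dev_manage_generic_dirs(init_t)` and `dev_manage_generic_files(init_t)` lines already grant the equivalent for dirs and files, so the widening is at least consistent; a comment such as `# systemd (re)creates /dev symlinks - confirm which unit needs unlink` would record the reason. The enclosing block starts outside this hunk.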
@@ -42543,7 +42986,7 @@ index 2fbb25a..2cba7c4 100644 files_dontaudit_read_root_files(initrc_t) # These seem to be from the initrd -@@ -519,6 +704,23 @@ ifdef(`distro_redhat',` +@@ -520,6 +705,23 @@ ifdef(`distro_redhat',` optional_policy(` bind_manage_config_dirs(initrc_t) bind_write_config(initrc_t) @@ -42567,7 +43010,7 @@ index 2fbb25a..2cba7c4 100644 ') optional_policy(` -@@ -526,10 +728,17 @@ ifdef(`distro_redhat',` +@@ -527,10 +729,17 @@ ifdef(`distro_redhat',` rpc_write_exports(initrc_t) rpc_manage_nfs_state_data(initrc_t) ') @@ -42585,7 +43028,7 @@ index 2fbb25a..2cba7c4 100644 ') optional_policy(` -@@ -544,6 +753,35 @@ ifdef(`distro_suse',` +@@ -545,6 +754,35 @@ ifdef(`distro_suse',` ') ') @@ -42621,7 +43064,7 @@ index 2fbb25a..2cba7c4 100644 optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -556,6 +794,8 @@ optional_policy(` +@@ -557,6 +795,8 @@ optional_policy(` optional_policy(` apache_read_config(initrc_t) apache_list_modules(initrc_t) @@ -42630,7 +43073,7 @@ index 2fbb25a..2cba7c4 100644 ') optional_policy(` -@@ -572,6 +812,7 @@ optional_policy(` +@@ -573,6 +813,7 @@ optional_policy(` optional_policy(` cgroup_stream_connect_cgred(initrc_t) @@ -42638,7 +43081,7 @@ index 2fbb25a..2cba7c4 100644 ') optional_policy(` -@@ -584,6 +825,11 @@ optional_policy(` +@@ -585,6 +826,11 @@ optional_policy(` ') optional_policy(` @@ -42650,7 +43093,7 @@ index 2fbb25a..2cba7c4 100644 dev_getattr_printer_dev(initrc_t) cups_read_log(initrc_t) -@@ -600,9 +846,13 @@ optional_policy(` +@@ -601,9 +847,13 @@ optional_policy(` dbus_connect_system_bus(initrc_t) dbus_system_bus_client(initrc_t) dbus_read_config(initrc_t) @@ -42664,7 +43107,7 @@ index 2fbb25a..2cba7c4 100644 ') optional_policy(` -@@ -701,7 +951,13 @@ optional_policy(` +@@ -702,7 +952,13 @@ optional_policy(` ') optional_policy(` 
@@ -42678,7 +43121,7 @@ index 2fbb25a..2cba7c4 100644 mta_dontaudit_read_spool_symlinks(initrc_t) ') -@@ -724,6 +980,10 @@ optional_policy(` +@@ -725,6 +981,10 @@ optional_policy(` ') optional_policy(` @@ -42689,7 +43132,7 @@ index 2fbb25a..2cba7c4 100644 postgresql_manage_db(initrc_t) postgresql_read_config(initrc_t) ') -@@ -737,6 +997,10 @@ optional_policy(` +@@ -738,6 +998,10 @@ optional_policy(` ') optional_policy(` @@ -42700,7 +43143,7 @@ index 2fbb25a..2cba7c4 100644 quota_manage_flags(initrc_t) ') -@@ -745,6 +1009,10 @@ optional_policy(` +@@ -746,6 +1010,10 @@ optional_policy(` ') optional_policy(` @@ -42711,7 +43154,7 @@ index 2fbb25a..2cba7c4 100644 fs_write_ramfs_sockets(initrc_t) fs_search_ramfs(initrc_t) -@@ -766,8 +1034,6 @@ optional_policy(` +@@ -767,8 +1035,6 @@ optional_policy(` # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) @@ -42720,7 +43163,7 @@ index 2fbb25a..2cba7c4 100644 ') optional_policy(` -@@ -776,14 +1042,21 @@ optional_policy(` +@@ -777,14 +1043,21 @@ optional_policy(` ') optional_policy(` @@ -42742,7 +43185,7 @@ index 2fbb25a..2cba7c4 100644 optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -805,11 +1078,19 @@ optional_policy(` +@@ -806,11 +1079,19 @@ optional_policy(` ') optional_policy(` @@ -42763,7 +43206,7 @@ index 2fbb25a..2cba7c4 100644 ifdef(`distro_redhat',` # system-config-services causes avc messages that should be dontaudited -@@ -819,6 +1100,25 @@ optional_policy(` +@@ -820,6 +1101,25 @@ optional_policy(` optional_policy(` mono_domtrans(initrc_t) ') @@ -42789,7 +43232,7 @@ index 2fbb25a..2cba7c4 100644 ') optional_policy(` -@@ -844,3 +1144,59 @@ optional_policy(` +@@ -845,3 +1145,59 @@ optional_policy(` optional_policy(` zebra_read_config(initrc_t) ') @@ -45651,7 +46094,7 @@ index 170e2c7..bbaa8cf 100644 +') +') diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te -index ff5d72d..f5fdb63 100644 +index ff5d72d..8526f19 100644 
--- a/policy/modules/system/selinuxutil.te +++ b/policy/modules/system/selinuxutil.te @@ -22,6 +22,9 @@ attribute can_relabelto_binary_policy; @@ -45808,7 +46251,16 @@ index ff5d72d..f5fdb63 100644 # often the administrator runs such programs from a directory that is owned # by a different user or has restrictive SE permissions, do not want to audit -@@ -405,6 +423,10 @@ ifndef(`direct_sysadm_daemon',` +@@ -380,6 +398,8 @@ selinux_compute_create_context(run_init_t) + selinux_compute_relabel_context(run_init_t) + selinux_compute_user_contexts(run_init_t) + ++term_use_console(run_init_t) ++ + auth_use_nsswitch(run_init_t) + auth_domtrans_chk_passwd(run_init_t) + auth_domtrans_upd_passwd(run_init_t) +@@ -405,6 +425,10 @@ ifndef(`direct_sysadm_daemon',` ') ') @@ -45819,7 +46271,7 @@ index ff5d72d..f5fdb63 100644 ifdef(`distro_ubuntu',` optional_policy(` unconfined_domain(run_init_t) -@@ -420,61 +442,22 @@ optional_policy(` +@@ -420,61 +444,22 @@ optional_policy(` # semodule local policy # @@ -45889,7 +46341,7 @@ index ff5d72d..f5fdb63 100644 # netfilter_contexts: seutil_manage_default_contexts(semanage_t) -@@ -483,12 +466,23 @@ ifdef(`distro_debian',` +@@ -483,12 +468,23 @@ ifdef(`distro_debian',` files_read_var_lib_symlinks(semanage_t) ') @@ -45913,7 +46365,7 @@ index ff5d72d..f5fdb63 100644 # cjp: need a more general way to handle this: ifdef(`enable_mls',` # read secadm tmp files -@@ -498,112 +492,54 @@ ifdef(`enable_mls',` +@@ -498,112 +494,54 @@ ifdef(`enable_mls',` userdom_read_user_tmp_files(semanage_t) ') @@ -46090,7 +46542,7 @@ index 726619b..36426f7 100644 + +/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0) diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if -index 8e71fb7..350d003 100644 +index 8e71fb7..f1b155a 100644 --- a/policy/modules/system/sysnetwork.if +++ b/policy/modules/system/sysnetwork.if @@ -60,6 +60,24 @@ interface(`sysnet_run_dhcpc',` 
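Review bot: `term_use_console(run_init_t)`, introduced by the new inner hunk at -380/+398 on this line, gives run_init_t read/write on console_device_t with no comment saying which run_init use case needs the console. run_init_t is the domain an administrator enters to start services in the right context, and the surrounding lines already grant it nsswitch and the chk_passwd/upd_passwd transitions, so a reader will want to know whether this is about prompting when no tty is attached or something else; a comment such as `# run_init needs rw on the console for <reason / denial this resolves>` above the line keeps the grant reviewable. The remaining hunks on this line only renumber inner hunk headers and need no review.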
@@ -46207,21 +46659,15 @@ index 8e71fb7..350d003 100644 ## Read network config files. ##
## -@@ -403,11 +496,8 @@ interface(`sysnet_manage_config',` - type net_conf_t; +@@ -406,6 +499,7 @@ interface(`sysnet_manage_config',` + allow $1 net_conf_t:file manage_file_perms; + + ifdef(`distro_redhat',` ++ allow $1 net_conf_t:dir list_dir_perms; + manage_files_pattern($1, net_conf_t, net_conf_t) ') - -- allow $1 net_conf_t:file manage_file_perms; -- -- ifdef(`distro_redhat',` -- manage_files_pattern($1, net_conf_t, net_conf_t) -- ') -+ allow $1 net_conf_t:dir list_dir_perms; -+ manage_files_pattern($1, net_conf_t, net_conf_t) ') - - ####################################### -@@ -444,6 +534,7 @@ interface(`sysnet_delete_dhcpc_pid',` +@@ -444,6 +538,7 @@ interface(`sysnet_delete_dhcpc_pid',` type dhcpc_var_run_t; ') @@ -46229,7 +46675,7 @@ index 8e71fb7..350d003 100644 allow $1 dhcpc_var_run_t:file unlink; ') -@@ -464,6 +555,10 @@ interface(`sysnet_domtrans_ifconfig',` +@@ -464,6 +559,10 @@ interface(`sysnet_domtrans_ifconfig',` corecmd_search_bin($1) domtrans_pattern($1, ifconfig_exec_t, ifconfig_t) @@ -46240,7 +46686,7 @@ index 8e71fb7..350d003 100644 ') ######################################## -@@ -534,6 +629,25 @@ interface(`sysnet_signal_ifconfig',` +@@ -534,6 +633,25 @@ interface(`sysnet_signal_ifconfig',` ######################################## ## 
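Review bot: the `allow $1 net_conf_t:dir list_dir_perms;` line that the new side of the sysnet_manage_config hunk (starting on the previous line, -46207) places inside the `ifdef(`distro_redhat'` block is redundant, because `manage_files_pattern($1, net_conf_t, net_conf_t)` on the following line already grants `rw_dir_perms` on net_conf_t, a superset of `list_dir_perms`. Restoring the `distro_redhat` conditional in place of the earlier unconditional grant looks like the right direction, presumably because only Red Hat-style layouts label directories as net_conf_t, but the extra allow adds nothing and can be dropped. If the intent was instead to let callers list net_conf_t directories on every distribution, the line belongs outside the ifdef with a comment saying so.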
@@ -46266,26 +46712,29 @@ index 8e71fb7..350d003 100644 ## Read the DHCP configuration files. ## ## -@@ -677,7 +791,10 @@ interface(`sysnet_use_ldap',` - corenet_tcp_connect_ldap_port($1) +@@ -641,6 +759,8 @@ interface(`sysnet_dns_name_resolve',` + corenet_tcp_connect_dns_port($1) + corenet_sendrecv_dns_client_packets($1) + ++ miscfiles_read_generic_certs($1) ++ + sysnet_read_config($1) + + optional_policy(` +@@ -678,6 +798,9 @@ interface(`sysnet_use_ldap',` corenet_sendrecv_ldap_client_packets($1) -- sysnet_read_config($1) -+ files_search_etc($1) -+ allow $1 net_conf_t:file read_file_perms; + sysnet_read_config($1) ++ + # LDAP Configuration using encrypted requires + dev_read_urand($1) ') ######################################## -@@ -709,5 +826,52 @@ interface(`sysnet_use_portmap',` - corenet_tcp_connect_portmap_port($1) - corenet_sendrecv_portmap_client_packets($1) +@@ -711,3 +834,49 @@ interface(`sysnet_use_portmap',` -- sysnet_read_config($1) -+ files_search_etc($1) -+ allow $1 net_conf_t:file read_file_perms; -+') + sysnet_read_config($1) + ') + +######################################## +## @@ -46331,7 +46780,7 @@ index 8e71fb7..350d003 100644 + ') + + role_transition $1 dhcpc_exec_t system_r; - ') ++') diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te index dfbe736..d8c6f24 100644 --- a/policy/modules/system/sysnetwork.te @@ -46650,7 +47099,7 @@ index 0000000..5f0352b + diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 0000000..a74c435 +index 0000000..24f8c6f --- /dev/null +++ b/policy/modules/system/systemd.te @@ -0,0 +1,98 @@ 
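Review bot: `miscfiles_read_generic_certs($1)` added to `sysnet_dns_name_resolve` in the hunk at -46266 grants read on cert_t to every domain that resolves names, a far wider set of callers than those that actually speak TLS, and the added lines give no hint which resolver or nss back end needs it. A why-comment above the call, e.g. `# <back end> validates its server certificate; public certs only, read-only`, or moving the call into the interface that the TLS-using caller invokes, would keep the grant reviewable. In the same hunk the comment above `dev_read_urand($1)` in `sysnet_use_ldap` reads `# LDAP Configuration using encrypted requires`, which is cut off; `# LDAP over TLS/SSL needs entropy from /dev/urandom` says what was meant. The interface opened by the trailing `+######`/`+##` lines continues into the next hunk, so its header and body could not be checked here.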
@@ -46721,7 +47170,7 @@ index 0000000..a74c435 +files_manage_all_locks(systemd_tmpfiles_t) +files_setattr_all_tmp_dirs(systemd_tmpfiles_t) +files_unlink_all_pid_sockets(systemd_tmpfiles_t) -+ ++files_delete_boot_flag(systemd_tmpfiles_t) +files_purge_tmp(systemd_tmpfiles_t) +files_manage_generic_tmp_files(systemd_tmpfiles_t) +files_manage_generic_tmp_dirs(systemd_tmpfiles_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index e7330e31..99148d8d 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -471,6 +471,17 @@ exit 0 %endif %changelog +* Tue Dec 21 2010 Miroslav Grepl 3.9.12-1 +- Update to upstream +- Fixes for systemd policy +- Fixes for passenger policy +- Allow staff users to run mysqld in the staff_t domain, akonadi needs this +- Add bin_t label for /usr/share/kde4/apps/kajongg/kajongg.py +- auth_use_nsswitch does not need avahi to read passwords,needed for resolving data +- Dontaudit (xdm_t) gok attempting to list contents of /var/account +- Telepathy domains need to read urand +- Need interface to getattr all file classes in a mock library for setroubleshoot + * Wed Dec 15 2010 Dan Walsh 3.9.11-2 - Update selinux policy to handle new /usr/share/sandbox/start script
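Review bot: `files_delete_boot_flag(systemd_tmpfiles_t)` in the systemd.te hunk at -46721 lets systemd-tmpfiles unlink files directly under / that refpolicy treats as boot-flag markers (root_t files), and nothing in the hunk says which tmpfiles.d entry needs that. Removing such a marker changes what the next boot does, so the grant deserves a one-line comment above it, e.g. `# tmpfiles.d cleans <marker file> after boot — confirm the rule`, so a later reader can tell a deliberate cleanup from an over-broad fix for a denial. The spec changelog hunk that follows is documentation only and needs no review.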