From 7f090dbfaaa0093b10c700cc878341c2a5a3600d Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Mon, 14 Jan 2013 13:39:59 +0100 Subject: [PATCH] * Mon Jan 14 2013 Miroslav Grepl 3.12.1-4 - Allow systemd-tmpfiles to relabel lpd spool files - Add labeling for texlive bash scripts - Add xserver_filetrans_fonts_cache_home_content() interface - Remove duplicate rules from *.te - Add support for /var/lock/man-db.lock - Add support for /var/tmp/abrt(/.*)? - Add additional labeling for munin cgi scripts - Allow httpd_t to read munin conf files - Allow certwatch to read meminfo - Fix nscd_dontaudit_write_sock_file() interface - Fix gnome_filetrans_home_content() to include also "fontconfig" dir as cache_home_t - Allow mozilla_plugin_t to create HOMEDIR/.fontconfig with the proper labeling --- policy-rawhide-base.patch | 693 +++++----- policy-rawhide-contrib.patch | 2418 +++++++++++++--------------------- selinux-policy.spec | 16 +- 3 files changed, 1299 insertions(+), 1828 deletions(-) diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index b33c9019..70897dc1 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -110620,7 +110620,7 @@ index cc8df9d..5e914db 100644 + files_etc_filetrans($1,bootloader_etc_t,file, "yaboot.conf") +') diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te -index e3dbbb8..15f25f0 100644 +index e3dbbb8..f766e86 100644 --- a/policy/modules/admin/bootloader.te +++ b/policy/modules/admin/bootloader.te @@ -5,8 +5,8 @@ policy_module(bootloader, 1.13.2) 
@@ -110787,17 +110787,19 @@ index e3dbbb8..15f25f0 100644 kudzu_domtrans(bootloader_t) ') -@@ -195,17 +234,19 @@ optional_policy(` +@@ -195,17 +234,18 @@ optional_policy(` optional_policy(` modutils_exec_insmod(bootloader_t) -+ modutils_list_module_config(bootloader_t) - modutils_read_module_deps(bootloader_t) - modutils_read_module_config(bootloader_t) - modutils_exec_insmod(bootloader_t) +- modutils_read_module_deps(bootloader_t) +- modutils_read_module_config(bootloader_t) +- modutils_exec_insmod(bootloader_t) modutils_exec_depmod(bootloader_t) modutils_exec_update_mods(bootloader_t) + modutils_domtrans_insmod_uncond(bootloader_t) ++ modutils_list_module_config(bootloader_t) ++ modutils_read_module_deps(bootloader_t) ++ modutils_read_module_config(bootloader_t) ') optional_policy(` @@ -111045,7 +111047,7 @@ index c6ca761..0c86bfd 100644 ') diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te -index 8128de8..0880523 100644 +index 8128de8..0bb92ab 100644 --- a/policy/modules/admin/netutils.te +++ b/policy/modules/admin/netutils.te @@ -7,10 +7,10 @@ policy_module(netutils, 1.11.2) @@ -111061,7 +111063,7 @@ index 8128de8..0880523 100644 type netutils_t; type netutils_exec_t; -@@ -42,6 +42,7 @@ allow netutils_t self:packet_socket create_socket_perms; +@@ -42,16 +42,17 @@ allow netutils_t self:packet_socket create_socket_perms; allow netutils_t self:udp_socket create_socket_perms; allow netutils_t self:tcp_socket create_stream_socket_perms; allow netutils_t self:socket create_socket_perms; 
@@ -111069,9 +111071,10 @@ index 8128de8..0880523 100644 manage_dirs_pattern(netutils_t, netutils_tmp_t, netutils_tmp_t) manage_files_pattern(netutils_t, netutils_tmp_t, netutils_tmp_t) -@@ -50,8 +51,9 @@ files_tmp_filetrans(netutils_t, netutils_tmp_t, { file dir }) + files_tmp_filetrans(netutils_t, netutils_tmp_t, { file dir }) + kernel_search_proc(netutils_t) - kernel_read_network_state(netutils_t) +-kernel_read_network_state(netutils_t) kernel_read_all_sysctls(netutils_t) +kernel_read_network_state(netutils_t) +kernel_request_load_module(netutils_t) @@ -111080,7 +111083,7 @@ index 8128de8..0880523 100644 corenet_all_recvfrom_netlabel(netutils_t) corenet_tcp_sendrecv_generic_if(netutils_t) corenet_raw_sendrecv_generic_if(netutils_t) -@@ -66,6 +68,9 @@ corenet_sendrecv_all_client_packets(netutils_t) +@@ -66,6 +67,9 @@ corenet_sendrecv_all_client_packets(netutils_t) corenet_udp_bind_generic_node(netutils_t) dev_read_sysfs(netutils_t) @@ -111090,7 +111093,7 @@ index 8128de8..0880523 100644 fs_getattr_xattr_fs(netutils_t) -@@ -82,10 +87,9 @@ auth_use_nsswitch(netutils_t) +@@ -82,10 +86,9 @@ auth_use_nsswitch(netutils_t) logging_send_syslog_msg(netutils_t) @@ -111102,7 +111105,7 @@ index 8128de8..0880523 100644 userdom_use_all_users_fds(netutils_t) optional_policy(` -@@ -106,13 +110,14 @@ optional_policy(` +@@ -106,13 +109,14 @@ optional_policy(` # allow ping_t self:capability { setuid net_raw }; @@ -111120,7 +111123,7 @@ index 8128de8..0880523 100644 corenet_all_recvfrom_netlabel(ping_t) corenet_tcp_sendrecv_generic_if(ping_t) corenet_raw_sendrecv_generic_if(ping_t) -@@ -122,6 +127,7 @@ corenet_raw_bind_generic_node(ping_t) +@@ -122,6 +126,7 @@ corenet_raw_bind_generic_node(ping_t) corenet_tcp_sendrecv_all_ports(ping_t) fs_dontaudit_getattr_xattr_fs(ping_t) 
@@ -111128,7 +111131,7 @@ index 8128de8..0880523 100644 domain_use_interactive_fds(ping_t) -@@ -132,11 +138,9 @@ kernel_read_system_state(ping_t) +@@ -132,11 +137,9 @@ kernel_read_system_state(ping_t) auth_use_nsswitch(ping_t) @@ -111142,7 +111145,7 @@ index 8128de8..0880523 100644 ifdef(`hide_broken_symptoms',` init_dontaudit_use_fds(ping_t) -@@ -147,11 +151,25 @@ ifdef(`hide_broken_symptoms',` +@@ -147,11 +150,25 @@ ifdef(`hide_broken_symptoms',` ') ') @@ -111168,7 +111171,7 @@ index 8128de8..0880523 100644 pcmcia_use_cardmgr_fds(ping_t) ') -@@ -159,6 +177,15 @@ optional_policy(` +@@ -159,6 +176,15 @@ optional_policy(` hotplug_use_fds(ping_t) ') @@ -111184,7 +111187,7 @@ index 8128de8..0880523 100644 ######################################## # # Traceroute local policy -@@ -172,7 +199,6 @@ allow traceroute_t self:udp_socket create_socket_perms; +@@ -172,7 +198,6 @@ allow traceroute_t self:udp_socket create_socket_perms; kernel_read_system_state(traceroute_t) kernel_read_network_state(traceroute_t) @@ -111192,7 +111195,7 @@ index 8128de8..0880523 100644 corenet_all_recvfrom_netlabel(traceroute_t) corenet_tcp_sendrecv_generic_if(traceroute_t) corenet_udp_sendrecv_generic_if(traceroute_t) -@@ -196,6 +222,7 @@ fs_dontaudit_getattr_xattr_fs(traceroute_t) +@@ -196,6 +221,7 @@ fs_dontaudit_getattr_xattr_fs(traceroute_t) domain_use_interactive_fds(traceroute_t) files_read_etc_files(traceroute_t) @@ -111200,7 +111203,7 @@ index 8128de8..0880523 100644 files_dontaudit_search_var(traceroute_t) init_use_fds(traceroute_t) -@@ -204,11 +231,17 @@ auth_use_nsswitch(traceroute_t) +@@ -204,11 +230,17 @@ auth_use_nsswitch(traceroute_t) logging_send_syslog_msg(traceroute_t) @@ -111466,10 +111469,10 @@ index 0960199..aa51ab2 100644 + can_exec($1, sudo_exec_t) +') diff --git a/policy/modules/admin/sudo.te b/policy/modules/admin/sudo.te -index d9fce57..baefb50 100644 +index d9fce57..ed65dbc 100644 --- a/policy/modules/admin/sudo.te 
+++ b/policy/modules/admin/sudo.te -@@ -7,3 +7,101 @@ attribute sudodomain; +@@ -7,3 +7,100 @@ attribute sudodomain; type sudo_exec_t; application_executable_file(sudo_exec_t) @@ -111535,7 +111538,6 @@ index d9fce57..baefb50 100644 +term_getattr_pty_fs(sudodomain) +term_relabel_all_ttys(sudodomain) +term_relabel_all_ptys(sudodomain) -+term_getattr_pty_fs(sudodomain) + +#auth_run_chk_passwd(sudodomain) +# sudo stores a token in the pam_pid directory @@ -112432,7 +112434,7 @@ index 7590165..19aaaed 100644 + fs_mounton_fusefs(seunshare_domain) +') diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc -index 644d4d7..f079522 100644 +index 644d4d7..b8419c0 100644 --- a/policy/modules/kernel/corecommands.fc +++ b/policy/modules/kernel/corecommands.fc @@ -1,9 +1,10 @@ @@ -112668,7 +112670,7 @@ index 644d4d7..f079522 100644 /usr/share/gnucash/finance-quote-check -- gen_context(system_u:object_r:bin_t,s0) /usr/share/gnucash/finance-quote-helper -- gen_context(system_u:object_r:bin_t,s0) /usr/share/hal/device-manager/hal-device-manager -- gen_context(system_u:object_r:bin_t,s0) -@@ -294,16 +348,21 @@ ifdef(`distro_gentoo',` +@@ -294,16 +348,22 @@ ifdef(`distro_gentoo',` /usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0) /usr/share/smolt/client(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/shorewall/compiler\.pl -- gen_context(system_u:object_r:bin_t,s0) 
@@ -112681,6 +112683,7 @@ index 644d4d7..f079522 100644 /usr/share/shorewall-lite(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/shorewall6-lite(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/spamassassin/sa-update\.cron gen_context(system_u:object_r:bin_t,s0) ++/usr/share/texlive/texmf/web2c/mktex(dir|nam|upd) gen_context(system_u:object_r:bin_t,s0) /usr/share/turboprint/lib(/.*)? -- gen_context(system_u:object_r:bin_t,s0) +/usr/share/tucan.*/tucan.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/vhostmd/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0) @@ -112692,7 +112695,7 @@ index 644d4d7..f079522 100644 ifdef(`distro_debian',` /usr/lib/ConsoleKit/.* -- gen_context(system_u:object_r:bin_t,s0) -@@ -321,8 +380,12 @@ ifdef(`distro_redhat', ` +@@ -321,8 +381,12 @@ ifdef(`distro_redhat', ` /etc/gdm/[^/]+ -d gen_context(system_u:object_r:bin_t,s0) /etc/gdm/[^/]+/.* gen_context(system_u:object_r:bin_t,s0) @@ -112705,7 +112708,7 @@ index 644d4d7..f079522 100644 /usr/lib/vmware-tools/(s)?bin32(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/lib/vmware-tools/(s)?bin64(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/authconfig/authconfig-gtk\.py -- gen_context(system_u:object_r:bin_t,s0) -@@ -332,9 +395,11 @@ ifdef(`distro_redhat', ` +@@ -332,9 +396,11 @@ ifdef(`distro_redhat', ` /usr/share/clamav/clamd-gen -- gen_context(system_u:object_r:bin_t,s0) /usr/share/clamav/freshclam-sleep -- gen_context(system_u:object_r:bin_t,s0) /usr/share/createrepo(/.*)? gen_context(system_u:object_r:bin_t,s0) @@ -112717,7 +112720,7 @@ index 644d4d7..f079522 100644 /usr/share/pwlib/make/ptlib-config -- gen_context(system_u:object_r:bin_t,s0) /usr/share/pydict/pydict\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/rhn/rhn_applet/applet\.py -- gen_context(system_u:object_r:bin_t,s0) -@@ -383,11 +448,15 @@ ifdef(`distro_suse', ` +@@ -383,11 +449,15 @@ ifdef(`distro_suse', ` # # /var # 
@@ -112734,7 +112737,7 @@ index 644d4d7..f079522 100644 /usr/lib/yp/.+ -- gen_context(system_u:object_r:bin_t,s0) /var/qmail/bin -d gen_context(system_u:object_r:bin_t,s0) -@@ -397,3 +466,12 @@ ifdef(`distro_suse', ` +@@ -397,3 +467,12 @@ ifdef(`distro_suse', ` ifdef(`distro_suse',` /var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0) ') @@ -117007,7 +117010,7 @@ index 6a1e4d1..70c5c72 100644 + dontaudit $1 domain:socket_class_set { read write }; ') diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te -index cf04cb5..ebbf47a 100644 +index cf04cb5..bba3449 100644 --- a/policy/modules/kernel/domain.te +++ b/policy/modules/kernel/domain.te @@ -4,6 +4,29 @@ policy_module(domain, 1.11.0) @@ -117133,7 +117136,7 @@ index cf04cb5..ebbf47a 100644 # Create/access any System V IPC objects. allow unconfined_domain_type domain:{ sem msgq shm } *; -@@ -166,5 +227,283 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock }; +@@ -166,5 +227,274 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock }; # act on all domains keys allow unconfined_domain_type domain:key *; @@ -117316,9 +117319,6 @@ index cf04cb5..ebbf47a 100644 + +ifdef(`distro_redhat',` + files_search_mnt(domain) -+ optional_policy(` -+ unconfined_use_fds(domain) -+ ') +') + +# these seem questionable: @@ -117333,16 +117333,6 @@ index cf04cb5..ebbf47a 100644 +') + +optional_policy(` -+ rpm_use_fds(domain) -+ rpm_read_pipes(domain) -+ rpm_search_log(domain) -+ rpm_append_tmp_files(domain) -+ rpm_dontaudit_leaks(domain) -+ rpm_read_script_tmp_files(domain) -+ rpm_inherited_fifo(domain) -+') -+ -+optional_policy(` + sosreport_append_tmp_files(domain) +') + 
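Review bot: The distro_redhat block in the domain.te hunk at -117316 loses the optional `unconfined_use_fds(domain)` call outright, whereas the rpm_* rules removed by the following hunk are re-added further down in the same file section, and no other definition of the unconfined_use_fds call is visible in the context. The commit message describes duplicate removal only, so if the call survives elsewhere in the patch set a short pointer is enough; if it does not, every confined domain on Red Hat builds loses the ability to use file descriptors inherited from the unconfined domain, which tends to surface as scattered fd-use denials at service start rather than as an obvious failure. Consider keeping `files_search_mnt(domain)` as is and either restoring the optional block next to it or adding `# unconfined_use_fds(domain) is granted in <LOCATION>` so the omission is recorded as deliberate.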
@@ -117398,14 +117388,18 @@ index cf04cb5..ebbf47a 100644 + puppet_rw_tmp(domain) +') + ++dontaudit domain domain:process { noatsecure siginh rlimitinh } ; ++ +optional_policy(` + rpm_use_fds(domain) + rpm_read_pipes(domain) ++ rpm_search_log(domain) ++ rpm_append_tmp_files(domain) ++ rpm_dontaudit_leaks(domain) ++ rpm_read_script_tmp_files(domain) ++ rpm_inherited_fifo(domain) +') + -+dontaudit domain domain:process { noatsecure siginh rlimitinh } ; -+ -+ +tunable_policy(`fips_mode',` + allow domain self:fifo_file manage_fifo_file_perms; + kernel_read_kernel_sysctls(domain) @@ -122301,7 +122295,7 @@ index 649e458..31a14c8 100644 + list_dirs_pattern($1, sysctl_vm_overcommit_t, sysctl_vm_overcommit_t) ') diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te -index 6fac350..6fc8411 100644 +index 6fac350..6c81d4e 100644 --- a/policy/modules/kernel/kernel.te +++ b/policy/modules/kernel/kernel.te @@ -25,6 +25,9 @@ attribute kern_unconfined; @@ -122322,16 +122316,15 @@ index 6fac350..6fc8411 100644 role system_r types kernel_t; sid kernel gen_context(system_u:system_r:kernel_t,mls_systemhigh) -@@ -58,6 +62,8 @@ sid kernel gen_context(system_u:system_r:kernel_t,mls_systemhigh) +@@ -58,6 +62,7 @@ sid kernel gen_context(system_u:system_r:kernel_t,mls_systemhigh) type debugfs_t; files_mountpoint(debugfs_t) fs_type(debugfs_t) -+files_mountpoint(debugfs_t) + allow debugfs_t self:filesystem associate; genfscon debugfs / gen_context(system_u:object_r:debugfs_t,s0) -@@ -95,6 +101,10 @@ genfscon proc /kcore gen_context(system_u:object_r:proc_kcore_t,mls_systemhigh) +@@ -95,6 +100,10 @@ genfscon proc /kcore gen_context(system_u:object_r:proc_kcore_t,mls_systemhigh) type proc_mdstat_t, proc_type; genfscon proc /mdstat gen_context(system_u:object_r:proc_mdstat_t,s0) 
@@ -122342,7 +122335,7 @@ index 6fac350..6fc8411 100644 type proc_net_t, proc_type; genfscon proc /net gen_context(system_u:object_r:proc_net_t,s0) -@@ -153,6 +163,10 @@ genfscon proc /sys/net/unix gen_context(system_u:object_r:sysctl_net_unix_t,s0) +@@ -153,6 +162,10 @@ genfscon proc /sys/net/unix gen_context(system_u:object_r:sysctl_net_unix_t,s0) type sysctl_vm_t, sysctl_type; genfscon proc /sys/vm gen_context(system_u:object_r:sysctl_vm_t,s0) @@ -122353,15 +122346,7 @@ index 6fac350..6fc8411 100644 # /proc/sys/dev directory and files type sysctl_dev_t, sysctl_type; genfscon proc /sys/dev gen_context(system_u:object_r:sysctl_dev_t,s0) -@@ -165,6 +179,7 @@ genfscon proc /sys/dev gen_context(system_u:object_r:sysctl_dev_t,s0) - type unlabeled_t; - fs_associate(unlabeled_t) - sid unlabeled gen_context(system_u:object_r:unlabeled_t,mls_systemhigh) -+fs_associate(unlabeled_t) - - # These initial sids are no longer used, and can be removed: - sid any_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh) -@@ -233,7 +248,6 @@ allow unlabeled_t unlabeled_t:packet { forward_in forward_out }; +@@ -233,7 +246,6 @@ allow unlabeled_t unlabeled_t:packet { forward_in forward_out }; corenet_in_generic_if(unlabeled_t) corenet_in_generic_node(unlabeled_t) @@ -122369,7 +122354,7 @@ index 6fac350..6fc8411 100644 corenet_all_recvfrom_netlabel(kernel_t) # Kernel-generated traffic e.g., ICMP replies: corenet_raw_sendrecv_all_if(kernel_t) -@@ -244,17 +258,21 @@ corenet_tcp_sendrecv_all_if(kernel_t) +@@ -244,17 +256,21 @@ corenet_tcp_sendrecv_all_if(kernel_t) corenet_tcp_sendrecv_all_nodes(kernel_t) corenet_raw_send_generic_node(kernel_t) corenet_send_all_packets(kernel_t) @@ -122395,7 +122380,7 @@ index 6fac350..6fc8411 100644 # Mount root file system. Used when loading a policy # from initrd, then mounting the root filesystem -@@ -263,7 +281,8 @@ fs_unmount_all_fs(kernel_t) +@@ -263,7 +279,8 @@ fs_unmount_all_fs(kernel_t) selinux_load_policy(kernel_t) 
@@ -122405,7 +122390,7 @@ index 6fac350..6fc8411 100644 corecmd_exec_shell(kernel_t) corecmd_list_bin(kernel_t) -@@ -277,25 +296,48 @@ files_list_root(kernel_t) +@@ -277,25 +294,48 @@ files_list_root(kernel_t) files_list_etc(kernel_t) files_list_home(kernel_t) files_read_usr_files(kernel_t) @@ -122454,7 +122439,7 @@ index 6fac350..6fc8411 100644 ') optional_policy(` -@@ -305,6 +347,19 @@ optional_policy(` +@@ -305,6 +345,19 @@ optional_policy(` optional_policy(` logging_send_syslog_msg(kernel_t) @@ -122474,7 +122459,7 @@ index 6fac350..6fc8411 100644 ') optional_policy(` -@@ -334,7 +389,6 @@ optional_policy(` +@@ -334,7 +387,6 @@ optional_policy(` rpc_manage_nfs_ro_content(kernel_t) rpc_manage_nfs_rw_content(kernel_t) @@ -122482,7 +122467,7 @@ index 6fac350..6fc8411 100644 rpc_udp_rw_nfs_sockets(kernel_t) tunable_policy(`nfs_export_all_ro',` -@@ -343,9 +397,7 @@ optional_policy(` +@@ -343,9 +395,7 @@ optional_policy(` fs_read_noxattr_fs_files(kernel_t) fs_read_noxattr_fs_symlinks(kernel_t) @@ -122493,7 +122478,7 @@ index 6fac350..6fc8411 100644 ') tunable_policy(`nfs_export_all_rw',` -@@ -354,7 +406,7 @@ optional_policy(` +@@ -354,7 +404,7 @@ optional_policy(` fs_read_noxattr_fs_files(kernel_t) fs_read_noxattr_fs_symlinks(kernel_t) @@ -122502,7 +122487,7 @@ index 6fac350..6fc8411 100644 ') ') -@@ -367,6 +419,15 @@ optional_policy(` +@@ -367,6 +417,15 @@ optional_policy(` unconfined_domain_noaudit(kernel_t) ') @@ -122518,7 +122503,7 @@ index 6fac350..6fc8411 100644 ######################################## # # Unlabeled process local policy -@@ -409,4 +470,26 @@ allow kern_unconfined unlabeled_t:dir_file_class_set *; +@@ -409,4 +468,26 @@ allow kern_unconfined unlabeled_t:dir_file_class_set *; allow kern_unconfined unlabeled_t:filesystem *; allow kern_unconfined unlabeled_t:association *; allow kern_unconfined unlabeled_t:packet *; @@ -122975,7 +122960,7 @@ index 81440c5..a02d444 100644 ') + 
diff --git a/policy/modules/kernel/selinux.te b/policy/modules/kernel/selinux.te -index 522ab32..443f4a0 100644 +index 522ab32..cb9c3a2 100644 --- a/policy/modules/kernel/selinux.te +++ b/policy/modules/kernel/selinux.te @@ -17,6 +17,7 @@ gen_bool(secure_mode_policyload,false) @@ -122986,13 +122971,7 @@ index 522ab32..443f4a0 100644 attribute can_setsecparam; attribute selinux_unconfined_type; -@@ -31,14 +32,15 @@ selinux_labeled_boolean(secure_mode_policyload_t, secure_mode_policyload) - type security_t, boolean_type; - files_mountpoint(security_t) - fs_type(security_t) -+files_mountpoint(security_t) - mls_trusted_object(security_t) - sid security gen_context(system_u:object_r:security_t,mls_systemhigh) +@@ -36,9 +37,9 @@ sid security gen_context(system_u:object_r:security_t,mls_systemhigh) genfscon selinuxfs / gen_context(system_u:object_r:security_t,s0) genfscon securityfs / gen_context(system_u:object_r:security_t,s0) @@ -123005,7 +122984,7 @@ index 522ab32..443f4a0 100644 ######################################## # -@@ -60,11 +62,28 @@ ifdef(`distro_rhel4',` +@@ -60,11 +61,28 @@ ifdef(`distro_rhel4',` ') if(!secure_mode_policyload) { @@ -123016,9 +122995,10 @@ index 522ab32..443f4a0 100644 + dev_search_sysfs(can_setenforce) + allow can_setenforce security_t:dir list_dir_perms; + allow can_setenforce security_t:file rw_file_perms; -+ -+ ifdef(`distro_rhel4',` -+ # needed for systems without audit support + + ifdef(`distro_rhel4',` + # needed for systems without audit support +- auditallow selinux_unconfined_type security_t:security { load_policy setenforce }; + auditallow can_setenforce security_t:security setenforce; + ') + 
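Review bot: On the new side of the secure_mode_policyload block the rhel4 audit rule that formerly covered `{ load_policy setenforce }` is replaced by `auditallow can_setenforce security_t:security setenforce;` here and `auditallow can_setbool boolean_type:security setbool;` in the next hunk, so a policy load is no longer audit-logged on systems without audit support. The gap predates this commit, but this relocation is where it becomes visible, and the hunk does not show which attribute now holds the load_policy permission, so an auditallow cannot simply be added for can_setenforce. If load_policy auditing lives with whatever attribute grants it, a comment such as `# load_policy is audited alongside the attribute that grants it, see <LOCATION>` at this spot would settle the question for the next reader; otherwise the audit coverage should be restored where that permission is allowed.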
@@ -123030,10 +123010,9 @@ index 522ab32..443f4a0 100644 + ') + + allow can_setbool boolean_type:security setbool; - - ifdef(`distro_rhel4',` - # needed for systems without audit support -- auditallow selinux_unconfined_type security_t:security { load_policy setenforce }; ++ ++ ifdef(`distro_rhel4',` ++ # needed for systems without audit support + auditallow can_setbool boolean_type:security setbool; ') } @@ -124800,7 +124779,7 @@ index ff92430..36740ea 100644 ## ## Execute a generic bin program in the sysadm domain. diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te -index 88d0028..39285bc 100644 +index 88d0028..e1ba9a0 100644 --- a/policy/modules/roles/sysadm.te +++ b/policy/modules/roles/sysadm.te @@ -5,39 +5,73 @@ policy_module(sysadm, 2.5.1) @@ -124925,13 +124904,12 @@ index 88d0028..39285bc 100644 certwatch_run(sysadm_t, sysadm_r) ') -@@ -122,11 +154,20 @@ optional_policy(` +@@ -122,11 +154,19 @@ optional_policy(` ') optional_policy(` - consoletype_run(sysadm_t, sysadm_r) + cron_admin_role(sysadm_r, sysadm_t) -+ #cron_role(sysadm_r, sysadm_t) ') optional_policy(` @@ -124948,7 +124926,7 @@ index 88d0028..39285bc 100644 ') optional_policy(` -@@ -140,6 +181,10 @@ optional_policy(` +@@ -140,6 +180,10 @@ optional_policy(` ') optional_policy(` @@ -124959,7 +124937,7 @@ index 88d0028..39285bc 100644 dmesg_exec(sysadm_t) ') -@@ -156,11 +201,11 @@ optional_policy(` +@@ -156,11 +200,11 @@ optional_policy(` ') optional_policy(` @@ -124973,7 +124951,7 @@ index 88d0028..39285bc 100644 ') optional_policy(` -@@ -179,6 +224,13 @@ optional_policy(` +@@ -179,6 +223,13 @@ optional_policy(` ipsec_stream_connect(sysadm_t) # for lsof ipsec_getattr_key_sockets(sysadm_t) @@ -124987,7 +124965,7 @@ index 88d0028..39285bc 100644 ') optional_policy(` -@@ -186,15 +238,20 @@ optional_policy(` +@@ -186,15 +237,20 @@ optional_policy(` ') optional_policy(` 
@@ -125011,7 +124989,7 @@ index 88d0028..39285bc 100644 ') optional_policy(` -@@ -214,22 +271,20 @@ optional_policy(` +@@ -214,22 +270,20 @@ optional_policy(` modutils_run_depmod(sysadm_t, sysadm_r) modutils_run_insmod(sysadm_t, sysadm_r) modutils_run_update_mods(sysadm_t, sysadm_r) @@ -125040,7 +125018,7 @@ index 88d0028..39285bc 100644 ') optional_policy(` -@@ -241,25 +296,47 @@ optional_policy(` +@@ -241,25 +295,47 @@ optional_policy(` ') optional_policy(` @@ -125088,7 +125066,7 @@ index 88d0028..39285bc 100644 portage_run(sysadm_t, sysadm_r) portage_run_fetch(sysadm_t, sysadm_r) portage_run_gcc_config(sysadm_t, sysadm_r) -@@ -270,31 +347,36 @@ optional_policy(` +@@ -270,31 +346,36 @@ optional_policy(` ') optional_policy(` @@ -125132,7 +125110,7 @@ index 88d0028..39285bc 100644 ') optional_policy(` -@@ -319,12 +401,18 @@ optional_policy(` +@@ -319,12 +400,18 @@ optional_policy(` ') optional_policy(` @@ -125152,7 +125130,7 @@ index 88d0028..39285bc 100644 ') optional_policy(` -@@ -349,7 +437,18 @@ optional_policy(` +@@ -349,7 +436,18 @@ optional_policy(` ') optional_policy(` @@ -125172,7 +125150,7 @@ index 88d0028..39285bc 100644 ') optional_policy(` -@@ -360,19 +459,15 @@ optional_policy(` +@@ -360,19 +458,15 @@ optional_policy(` ') optional_policy(` @@ -125194,7 +125172,7 @@ index 88d0028..39285bc 100644 ') optional_policy(` -@@ -384,10 +479,6 @@ optional_policy(` +@@ -384,10 +478,6 @@ optional_policy(` ') optional_policy(` @@ -125205,7 +125183,7 @@ index 88d0028..39285bc 100644 usermanage_run_admin_passwd(sysadm_t, sysadm_r) usermanage_run_groupadd(sysadm_t, sysadm_r) usermanage_run_useradd(sysadm_t, sysadm_r) -@@ -395,6 +486,9 @@ optional_policy(` +@@ -395,6 +485,9 @@ optional_policy(` optional_policy(` virt_stream_connect(sysadm_t) @@ -125215,7 +125193,7 @@ index 88d0028..39285bc 100644 ') optional_policy(` -@@ -402,31 +496,34 @@ optional_policy(` +@@ -402,31 +495,34 @@ optional_policy(` ') optional_policy(` 
@@ -125256,7 +125234,7 @@ index 88d0028..39285bc 100644 auth_role(sysadm_r, sysadm_t) ') -@@ -439,10 +536,6 @@ ifndef(`distro_redhat',` +@@ -439,10 +535,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -125267,7 +125245,7 @@ index 88d0028..39285bc 100644 dbus_role_template(sysadm, sysadm_r, sysadm_t) optional_policy(` -@@ -463,15 +556,75 @@ ifndef(`distro_redhat',` +@@ -463,15 +555,75 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -127599,7 +127577,7 @@ index fe0c682..2b21421 100644 + allow $1 sshd_devpts_t:chr_file { getattr open read write ioctl }; +') diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te -index 5fc0391..129ae69 100644 +index 5fc0391..f0a738c 100644 --- a/policy/modules/services/ssh.te +++ b/policy/modules/services/ssh.te @@ -6,44 +6,51 @@ policy_module(ssh, 2.3.3) @@ -128028,7 +128006,7 @@ index 5fc0391..129ae69 100644 optional_policy(` seutil_sigchld_newrole(ssh_keygen_t) -@@ -331,3 +448,124 @@ optional_policy(` +@@ -331,3 +448,123 @@ optional_policy(` optional_policy(` udev_read_db(ssh_keygen_t) ') @@ -128080,7 +128058,6 @@ index 5fc0391..129ae69 100644 + +tunable_policy(`ssh_chroot_rw_homedirs',` + files_list_home(chroot_user_t) -+ userdom_read_user_home_content_files(chroot_user_t) + userdom_manage_user_home_content(chroot_user_t) +', ` + @@ -128308,7 +128285,7 @@ index d1f64a0..c92d1e2 100644 +/var/lib/pqsql/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) + diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if -index 6bf0ecc..6c7c743 100644 +index 6bf0ecc..f74788a 100644 --- a/policy/modules/services/xserver.if +++ b/policy/modules/services/xserver.if @@ -19,9 +19,10 @@ @@ -129105,7 +129082,7 @@ index 6bf0ecc..6c7c743 100644 ') ######################################## -@@ -1284,10 +1618,541 @@ interface(`xserver_manage_core_devices',` +@@ -1284,10 +1618,559 @@ interface(`xserver_manage_core_devices',` # interface(`xserver_unconfined',` gen_require(` 
@@ -129544,6 +129521,24 @@ index 6bf0ecc..6c7c743 100644 +# userdom_user_home_dir_filetrans($1, user_fonts_cache_t, dir, ".fontconfig") +') + ++####################################### ++## ++## Transition to xserver .fontconfig named content ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`xserver_filetrans_fonts_cache_home_content',` ++ gen_require(` ++ type user_fonts_cache_t; ++ ') ++ ++ userdom_user_home_dir_filetrans($1, user_fonts_cache_t, dir, ".fontconfig") ++') ++ +######################################## +## +## Transition to xserver named content @@ -129650,7 +129645,7 @@ index 6bf0ecc..6c7c743 100644 + files_search_tmp($1) +') diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te -index 2696452..4a06941 100644 +index 2696452..ffd9c11 100644 --- a/policy/modules/services/xserver.te +++ b/policy/modules/services/xserver.te @@ -26,27 +26,50 @@ gen_require(` @@ -130206,7 +130201,7 @@ index 2696452..4a06941 100644 storage_dontaudit_read_fixed_disk(xdm_t) storage_dontaudit_write_fixed_disk(xdm_t) -@@ -441,28 +619,42 @@ storage_dontaudit_raw_read_removable_device(xdm_t) +@@ -441,28 +619,40 @@ storage_dontaudit_raw_read_removable_device(xdm_t) storage_dontaudit_raw_write_removable_device(xdm_t) storage_dontaudit_setattr_removable_dev(xdm_t) storage_dontaudit_rw_scsi_generic(xdm_t) @@ -130233,8 +130228,6 @@ index 2696452..4a06941 100644 +init_dbus_chat(xdm_t) +init_pid_filetrans(xdm_t, xdm_var_run_t, dir, "multi-session-x") +init_status(xdm_t) -+ -+systemd_write_inhibit_pipes(xdm_t) libs_exec_lib_files(xdm_t) @@ -130252,7 +130245,7 @@ index 2696452..4a06941 100644 userdom_dontaudit_use_unpriv_user_fds(xdm_t) userdom_create_all_users_keys(xdm_t) -@@ -471,24 +663,43 @@ userdom_read_user_home_content_files(xdm_t) +@@ -471,24 +661,43 @@ userdom_read_user_home_content_files(xdm_t) # Search /proc for any user domain processes. userdom_read_all_users_state(xdm_t) userdom_signal_all_users(xdm_t) 
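Review bot: The new xserver_filetrans_fonts_cache_home_content interface consists of exactly the `userdom_user_home_dir_filetrans($1, user_fonts_cache_t, dir, ".fontconfig")` call that is left commented out at the end of the interface immediately above it, and nothing records why one copy is live and the other disabled. If the split is deliberate so that callers opt in to the .fontconfig transition explicitly, a one-line comment above the new interface saying so would prevent the commented call from being "cleaned up" or re-enabled later. The summary would also read more precisely as describing what the interface does, namely labelling a newly created .fontconfig directory in the user home directory as user_fonts_cache_t, rather than the generic "Transition to xserver .fontconfig named content".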
@@ -130302,7 +130295,7 @@ index 2696452..4a06941 100644 tunable_policy(`xdm_sysadm_login',` userdom_xsession_spec_domtrans_all_users(xdm_t) # FIXME: -@@ -502,11 +713,26 @@ tunable_policy(`xdm_sysadm_login',` +@@ -502,11 +711,26 @@ tunable_policy(`xdm_sysadm_login',` ') optional_policy(` @@ -130329,7 +130322,7 @@ index 2696452..4a06941 100644 ') optional_policy(` -@@ -514,12 +740,71 @@ optional_policy(` +@@ -514,12 +738,71 @@ optional_policy(` ') optional_policy(` @@ -130401,7 +130394,7 @@ index 2696452..4a06941 100644 hostname_exec(xdm_t) ') -@@ -537,28 +822,78 @@ optional_policy(` +@@ -537,28 +820,78 @@ optional_policy(` ') optional_policy(` @@ -130458,29 +130451,29 @@ index 2696452..4a06941 100644 optional_policy(` - udev_read_db(xdm_t) + ssh_signull(xdm_t) -+') -+ -+optional_policy(` -+ shutdown_domtrans(xdm_t) ') optional_policy(` - unconfined_domain(xdm_t) - unconfined_domtrans(xdm_t) -+ telepathy_exec(xdm_t) ++ shutdown_domtrans(xdm_t) +') - ifndef(`distro_redhat',` - allow xdm_t self:process { execheap execmem }; - ') +optional_policy(` -+ udev_read_db(xdm_t) ++ telepathy_exec(xdm_t) +') - ifdef(`distro_rhel4',` - allow xdm_t self:process { execheap execmem }; - ') +optional_policy(` ++ udev_read_db(xdm_t) ++') ++ ++optional_policy(` + unconfined_signal(xdm_t) +') + @@ -130489,7 +130482,7 @@ index 2696452..4a06941 100644 ') optional_policy(` -@@ -570,6 +905,14 @@ optional_policy(` +@@ -570,6 +903,14 @@ optional_policy(` ') optional_policy(` @@ -130504,7 +130497,7 @@ index 2696452..4a06941 100644 xfs_stream_connect(xdm_t) ') -@@ -594,8 +937,11 @@ allow xserver_t input_xevent_t:x_event send; +@@ -594,8 +935,11 @@ allow xserver_t input_xevent_t:x_event send; # execheap needed until the X module loader is fixed. # NVIDIA Needs execstack 
@@ -130517,7 +130510,7 @@ index 2696452..4a06941 100644 allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow xserver_t self:fd use; allow xserver_t self:fifo_file rw_fifo_file_perms; -@@ -608,8 +954,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; +@@ -608,8 +952,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow xserver_t self:tcp_socket create_stream_socket_perms; allow xserver_t self:udp_socket create_socket_perms; @@ -130533,7 +130526,7 @@ index 2696452..4a06941 100644 manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) -@@ -628,12 +981,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) +@@ -628,12 +979,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) files_search_var_lib(xserver_t) @@ -130555,7 +130548,7 @@ index 2696452..4a06941 100644 kernel_read_system_state(xserver_t) kernel_read_device_sysctls(xserver_t) -@@ -641,12 +1001,12 @@ kernel_read_modprobe_sysctls(xserver_t) +@@ -641,12 +999,12 @@ kernel_read_modprobe_sysctls(xserver_t) # Xorg wants to check if kernel is tainted kernel_read_kernel_sysctls(xserver_t) kernel_write_proc_files(xserver_t) @@ -130569,7 +130562,7 @@ index 2696452..4a06941 100644 corenet_all_recvfrom_netlabel(xserver_t) corenet_tcp_sendrecv_generic_if(xserver_t) corenet_udp_sendrecv_generic_if(xserver_t) -@@ -667,23 +1027,28 @@ dev_rw_apm_bios(xserver_t) +@@ -667,23 +1025,27 @@ dev_rw_apm_bios(xserver_t) dev_rw_agp(xserver_t) dev_rw_framebuffer(xserver_t) dev_manage_dri_dev(xserver_t) 
@@ -130586,7 +130579,6 @@ index 2696452..4a06941 100644 + # read events - the synaptics touchpad driver reads raw events dev_rw_input_dev(xserver_t) -+dev_read_raw_memory(xserver_t) +dev_write_raw_memory(xserver_t) dev_rwx_zero(xserver_t) @@ -130601,7 +130593,7 @@ index 2696452..4a06941 100644 # brought on by rhgb files_search_mnt(xserver_t) -@@ -694,8 +1059,13 @@ fs_getattr_xattr_fs(xserver_t) +@@ -694,8 +1056,13 @@ fs_getattr_xattr_fs(xserver_t) fs_search_nfs(xserver_t) fs_search_auto_mountpoints(xserver_t) fs_search_ramfs(xserver_t) @@ -130615,7 +130607,7 @@ index 2696452..4a06941 100644 selinux_validate_context(xserver_t) selinux_compute_access_vector(xserver_t) -@@ -708,20 +1078,18 @@ init_getpgid(xserver_t) +@@ -708,20 +1075,18 @@ init_getpgid(xserver_t) term_setattr_unallocated_ttys(xserver_t) term_use_unallocated_ttys(xserver_t) @@ -130639,7 +130631,16 @@ index 2696452..4a06941 100644 userdom_search_user_home_dirs(xserver_t) userdom_use_user_ttys(xserver_t) -@@ -775,16 +1143,40 @@ optional_policy(` +@@ -729,8 +1094,6 @@ userdom_setattr_user_ttys(xserver_t) + userdom_read_user_tmp_files(xserver_t) + userdom_rw_user_tmpfs_files(xserver_t) + +-xserver_use_user_fonts(xserver_t) +- + ifndef(`distro_redhat',` + allow xserver_t self:process { execmem execheap execstack }; + domain_mmap_low_uncond(xserver_t) +@@ -775,16 +1138,40 @@ optional_policy(` ') optional_policy(` @@ -130681,7 +130682,7 @@ index 2696452..4a06941 100644 unconfined_domtrans(xserver_t) ') -@@ -793,6 +1185,10 @@ optional_policy(` +@@ -793,6 +1180,10 @@ optional_policy(` ') optional_policy(` @@ -130692,7 +130693,7 @@ index 2696452..4a06941 100644 xfs_stream_connect(xserver_t) ') -@@ -808,10 +1204,10 @@ allow xserver_t xdm_t:shm rw_shm_perms; +@@ -808,10 +1199,10 @@ allow xserver_t xdm_t:shm rw_shm_perms; # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open # handle of a file inside the dir!!! 
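Review bot: After this hunk xserver_t keeps `dev_write_raw_memory(xserver_t)` while the matching read is dropped, and no other grant of raw-memory read is visible in the surrounding context, so either the X server now has write-only access to the raw memory device or the read comes from an interface outside this hunk; the commit message only says duplicates were removed. Write access to raw memory is the more consequential of the pair from a confinement standpoint, so the retained line deserves a why-comment naming where the read is granted, e.g. `# legacy drivers access raw memory; read is granted by <INTERFACE-GRANTING-READ>`. If no such place exists, `dev_read_raw_memory(xserver_t)` should be restored next to the write rather than leaving the asymmetric grant unexplained.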
@@ -130706,7 +130707,7 @@ index 2696452..4a06941 100644 # Label pid and temporary files with derived types. manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) -@@ -819,7 +1215,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) +@@ -819,7 +1210,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) # Run xkbcomp. @@ -130715,7 +130716,7 @@ index 2696452..4a06941 100644 can_exec(xserver_t, xkb_var_lib_t) # VNC v4 module in X server -@@ -832,26 +1228,21 @@ init_use_fds(xserver_t) +@@ -832,26 +1223,21 @@ init_use_fds(xserver_t) # to read ROLE_home_t - examine this in more detail # (xauth?) userdom_read_user_home_content_files(xserver_t) @@ -130750,18 +130751,7 @@ index 2696452..4a06941 100644 ') optional_policy(` -@@ -859,6 +1250,10 @@ optional_policy(` - rhgb_rw_tmpfs_files(xserver_t) - ') - -+optional_policy(` -+ userhelper_search_config(xserver_t) -+') -+ - ######################################## - # - # Rules common to all X window domains -@@ -902,7 +1297,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy +@@ -902,7 +1288,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show }; # operations allowed on my windows allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive }; @@ -130770,7 +130760,7 @@ index 2696452..4a06941 100644 # operations allowed on all windows allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child }; -@@ -956,11 +1351,31 @@ allow x_domain self:x_resource { read write }; +@@ -956,11 +1342,31 @@ allow x_domain self:x_resource { read write }; # can mess with the screensaver allow x_domain xserver_t:x_screen { getattr saver_getattr }; 
@@ -130802,7 +130792,7 @@ index 2696452..4a06941 100644 tunable_policy(`! xserver_object_manager',` # should be xserver_unconfined(x_domain), # but typeattribute doesnt work in conditionals -@@ -982,18 +1397,44 @@ tunable_policy(`! xserver_object_manager',` +@@ -982,18 +1388,40 @@ tunable_policy(`! xserver_object_manager',` allow x_domain xevent_type:{ x_event x_synthetic_event } *; ') @@ -130838,10 +130828,6 @@ index 2696452..4a06941 100644 + fs_append_nfs_files(xdmhomewriter) +') + -+tunable_policy(`use_nfs_home_dirs',` -+ fs_append_nfs_files(xdmhomewriter) -+') -+ +optional_policy(` + unconfined_rw_shm(xserver_t) + @@ -130974,10 +130960,10 @@ index 1b6619e..be02b96 100644 + allow $1 application_domain_type:socket_class_set getattr; +') diff --git a/policy/modules/system/application.te b/policy/modules/system/application.te -index c6fdab7..c59902a 100644 +index c6fdab7..fc63d59 100644 --- a/policy/modules/system/application.te +++ b/policy/modules/system/application.te -@@ -6,6 +6,30 @@ attribute application_domain_type; +@@ -6,7 +6,27 @@ attribute application_domain_type; # Executables to be run by user attribute application_exec_type; @@ -130999,15 +130985,12 @@ index c6fdab7..c59902a 100644 +optional_policy(` + cfengine_append_inherited_log(application_domain_type) +') -+ -+optional_policy(` -+ cron_rw_inherited_user_spool_files(application_domain_type) -+ cron_sigchld(application_domain_type) -+') + optional_policy(` ++ cron_rw_inherited_user_spool_files(application_domain_type) cron_sigchld(application_domain_type) ') + diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc index 28ad538..ebe81bf 100644 --- a/policy/modules/system/authlogin.fc @@ -131819,7 +131802,7 @@ index 3efd5b6..7c0ea2d 100644 + userdom_user_home_dir_filetrans($1, auth_home_t, file, ".google_authenticator~") +') diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te -index 104037e..eceffb2 100644 +index 104037e..d10bb17 100644 
--- a/policy/modules/system/authlogin.te +++ b/policy/modules/system/authlogin.te @@ -5,6 +5,19 @@ policy_module(authlogin, 2.4.2) @@ -132084,7 +132067,15 @@ index 104037e..eceffb2 100644 files_list_var_lib(nsswitch_domain) # read /etc/nsswitch.conf -@@ -426,6 +457,12 @@ tunable_policy(`authlogin_nsswitch_use_ldap',` +@@ -418,14 +449,18 @@ files_read_etc_files(nsswitch_domain) + sysnet_dns_name_resolve(nsswitch_domain) + + tunable_policy(`authlogin_nsswitch_use_ldap',` +- files_list_var_lib(nsswitch_domain) +- + miscfiles_read_generic_certs(nsswitch_domain) + sysnet_use_ldap(nsswitch_domain) + ') optional_policy(` tunable_policy(`authlogin_nsswitch_use_ldap',` @@ -132097,7 +132088,7 @@ index 104037e..eceffb2 100644 ldap_stream_connect(nsswitch_domain) ') ') -@@ -438,6 +475,7 @@ optional_policy(` +@@ -438,6 +473,7 @@ optional_policy(` likewise_stream_connect_lsassd(nsswitch_domain) ') @@ -132105,7 +132096,7 @@ index 104037e..eceffb2 100644 optional_policy(` kerberos_use(nsswitch_domain) ') -@@ -456,6 +494,7 @@ optional_policy(` +@@ -456,6 +492,7 @@ optional_policy(` optional_policy(` sssd_stream_connect(nsswitch_domain) @@ -132113,7 +132104,7 @@ index 104037e..eceffb2 100644 ') optional_policy(` -@@ -463,3 +502,132 @@ optional_policy(` +@@ -463,3 +500,132 @@ optional_policy(` samba_read_var_files(nsswitch_domain) samba_dontaudit_write_var_files(nsswitch_domain) ') @@ -133917,7 +133908,7 @@ index 24e7804..386109d 100644 + allow $1 init_t:system undefined; +') diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index dd3be8d..2cef56a 100644 +index dd3be8d..1c57099 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -11,10 +11,24 @@ gen_require(` 
@@ -134063,7 +134054,7 @@ index dd3be8d..2cef56a 100644 allow init_t initctl_t:fifo_file manage_fifo_file_perms; dev_filetrans(init_t, initctl_t, fifo_file) -@@ -125,28 +180,39 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr }; +@@ -125,13 +180,17 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr }; kernel_read_system_state(init_t) kernel_share_state(init_t) @@ -134082,10 +134073,9 @@ index dd3be8d..2cef56a 100644 domain_getpgid_all_domains(init_t) domain_kill_all_domains(init_t) - domain_signal_all_domains(init_t) +@@ -139,14 +198,20 @@ domain_signal_all_domains(init_t) domain_signull_all_domains(init_t) domain_sigstop_all_domains(init_t) -+domain_sigstop_all_domains(init_t) domain_sigchld_all_domains(init_t) +domain_read_all_domains_state(init_t) @@ -134104,7 +134094,7 @@ index dd3be8d..2cef56a 100644 # file descriptors inherited from the rootfs: files_dontaudit_rw_root_files(init_t) files_dontaudit_rw_root_chr_files(init_t) -@@ -156,28 +222,46 @@ fs_list_inotifyfs(init_t) +@@ -156,28 +221,45 @@ fs_list_inotifyfs(init_t) fs_write_ramfs_sockets(init_t) mcs_process_set_categories(init_t) @@ -134118,7 +134108,6 @@ index dd3be8d..2cef56a 100644 +mls_socket_write_all_levels(init_t) + +mls_rangetrans_source(init_t) -+mls_rangetrans_source(initrc_t) selinux_set_all_booleans(init_t) +selinux_load_policy(init_t) @@ -134146,15 +134135,15 @@ index dd3be8d..2cef56a 100644 + +miscfiles_manage_localization(init_t) +miscfiles_filetrans_named_content(init_t) -+ -+userdom_use_user_ttys(init_t) -miscfiles_read_localization(init_t) ++userdom_use_user_ttys(init_t) ++ +allow init_t self:process setsched; ifdef(`distro_gentoo',` allow init_t self:process { getcap setcap }; -@@ -186,29 +270,176 @@ ifdef(`distro_gentoo',` +@@ -186,29 +268,176 @@ ifdef(`distro_gentoo',` ') ifdef(`distro_redhat',` 
@@ -134182,9 +134171,10 @@ index dd3be8d..2cef56a 100644 + +optional_policy(` + gnome_filetrans_home_content(init_t) -+') -+ -+optional_policy(` + ') + + optional_policy(` +- auth_rw_login_records(init_t) + modutils_domtrans_insmod(init_t) + modutils_list_module_config(init_t) +') @@ -134314,11 +134304,10 @@ index dd3be8d..2cef56a 100644 ') optional_policy(` -- auth_rw_login_records(init_t) + consolekit_manage_log(init_t) - ') - - optional_policy(` ++') ++ ++optional_policy(` + dbus_connect_system_bus(init_t) dbus_system_bus_client(init_t) + dbus_delete_pid_files(init_t) @@ -134339,7 +134328,7 @@ index dd3be8d..2cef56a 100644 ') optional_policy(` -@@ -216,6 +447,27 @@ optional_policy(` +@@ -216,6 +445,27 @@ optional_policy(` ') optional_policy(` @@ -134367,7 +134356,7 @@ index dd3be8d..2cef56a 100644 unconfined_domain(init_t) ') -@@ -225,8 +477,9 @@ optional_policy(` +@@ -225,8 +475,9 @@ optional_policy(` # allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; @@ -134379,7 +134368,7 @@ index dd3be8d..2cef56a 100644 allow initrc_t self:passwd rootok; allow initrc_t self:key manage_key_perms; -@@ -257,12 +510,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) +@@ -257,12 +508,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) allow initrc_t initrc_var_run_t:file manage_file_perms; files_pid_filetrans(initrc_t, initrc_var_run_t, file) @@ -134396,7 +134385,7 @@ index dd3be8d..2cef56a 100644 manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) -@@ -278,23 +535,36 @@ kernel_change_ring_buffer_level(initrc_t) +@@ -278,23 +533,36 @@ kernel_change_ring_buffer_level(initrc_t) kernel_clear_ring_buffer(initrc_t) kernel_get_sysvipc_info(initrc_t) kernel_read_all_sysctls(initrc_t) 
@@ -134439,7 +134428,7 @@ index dd3be8d..2cef56a 100644 corenet_tcp_sendrecv_all_ports(initrc_t) corenet_udp_sendrecv_all_ports(initrc_t) corenet_tcp_connect_all_ports(initrc_t) -@@ -302,9 +572,11 @@ corenet_sendrecv_all_client_packets(initrc_t) +@@ -302,9 +570,11 @@ corenet_sendrecv_all_client_packets(initrc_t) dev_read_rand(initrc_t) dev_read_urand(initrc_t) @@ -134451,7 +134440,7 @@ index dd3be8d..2cef56a 100644 dev_rw_sysfs(initrc_t) dev_list_usbfs(initrc_t) dev_read_framebuffer(initrc_t) -@@ -312,8 +584,10 @@ dev_write_framebuffer(initrc_t) +@@ -312,8 +582,10 @@ dev_write_framebuffer(initrc_t) dev_read_realtime_clock(initrc_t) dev_read_sound_mixer(initrc_t) dev_write_sound_mixer(initrc_t) @@ -134462,7 +134451,7 @@ index dd3be8d..2cef56a 100644 dev_delete_lvm_control_dev(initrc_t) dev_manage_generic_symlinks(initrc_t) dev_manage_generic_files(initrc_t) -@@ -321,17 +595,16 @@ dev_manage_generic_files(initrc_t) +@@ -321,8 +593,7 @@ dev_manage_generic_files(initrc_t) dev_delete_generic_symlinks(initrc_t) dev_getattr_all_blk_files(initrc_t) dev_getattr_all_chr_files(initrc_t) @@ -134472,9 +134461,7 @@ index dd3be8d..2cef56a 100644 domain_kill_all_domains(initrc_t) domain_signal_all_domains(initrc_t) - domain_signull_all_domains(initrc_t) - domain_sigstop_all_domains(initrc_t) -+domain_sigstop_all_domains(initrc_t) +@@ -331,7 +602,6 @@ domain_sigstop_all_domains(initrc_t) domain_sigchld_all_domains(initrc_t) domain_read_all_domains_state(initrc_t) domain_getattr_all_domains(initrc_t) @@ -134482,7 +134469,7 @@ index dd3be8d..2cef56a 100644 domain_getsession_all_domains(initrc_t) domain_use_interactive_fds(initrc_t) # for lsof which is used by alsa shutdown: -@@ -339,6 +612,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) +@@ -339,6 +609,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) domain_dontaudit_getattr_all_tcp_sockets(initrc_t) domain_dontaudit_getattr_all_dgram_sockets(initrc_t) domain_dontaudit_getattr_all_pipes(initrc_t) 
@@ -134490,7 +134477,7 @@ index dd3be8d..2cef56a 100644 files_getattr_all_dirs(initrc_t) files_getattr_all_files(initrc_t) -@@ -346,8 +620,10 @@ files_getattr_all_symlinks(initrc_t) +@@ -346,14 +617,15 @@ files_getattr_all_symlinks(initrc_t) files_getattr_all_pipes(initrc_t) files_getattr_all_sockets(initrc_t) files_purge_tmp(initrc_t) @@ -134502,7 +134489,13 @@ index dd3be8d..2cef56a 100644 files_delete_all_pids(initrc_t) files_delete_all_pid_dirs(initrc_t) files_read_etc_files(initrc_t) -@@ -363,8 +639,12 @@ files_list_isid_type_dirs(initrc_t) + files_manage_etc_runtime_files(initrc_t) + files_etc_filetrans_etc_runtime(initrc_t, file) +-files_exec_etc_files(initrc_t) + files_read_usr_files(initrc_t) + files_manage_urandom_seed(initrc_t) + files_manage_generic_spool(initrc_t) +@@ -363,8 +635,12 @@ files_list_isid_type_dirs(initrc_t) files_mounton_isid_type_dirs(initrc_t) files_list_default(initrc_t) files_mounton_default(initrc_t) @@ -134516,7 +134509,7 @@ index dd3be8d..2cef56a 100644 fs_list_inotifyfs(initrc_t) fs_register_binary_executable_type(initrc_t) # rhgb-console writes to ramfs -@@ -374,10 +654,11 @@ fs_mount_all_fs(initrc_t) +@@ -374,10 +650,11 @@ fs_mount_all_fs(initrc_t) fs_unmount_all_fs(initrc_t) fs_remount_all_fs(initrc_t) fs_getattr_all_fs(initrc_t) @@ -134530,7 +134523,7 @@ index dd3be8d..2cef56a 100644 mcs_process_set_categories(initrc_t) mls_file_read_all_levels(initrc_t) -@@ -386,6 +667,7 @@ mls_process_read_up(initrc_t) +@@ -386,6 +663,7 @@ mls_process_read_up(initrc_t) mls_process_write_down(initrc_t) mls_rangetrans_source(initrc_t) mls_fd_share_all_levels(initrc_t) @@ -134538,7 +134531,7 @@ index dd3be8d..2cef56a 100644 selinux_get_enforce_mode(initrc_t) -@@ -397,6 +679,7 @@ term_use_all_terms(initrc_t) +@@ -397,6 +675,7 @@ term_use_all_terms(initrc_t) term_reset_tty_labels(initrc_t) auth_rw_login_records(initrc_t) 
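Review bot: `-files_exec_etc_files(initrc_t)` newly appears on the removal side of the rebuilt `@@ -346,14 +617,15 @@` inner hunk of init.te, and nothing visible in the hunk shows it duplicating another grant for initrc_t, so as far as I can tell this is a behaviour change (init scripts executing etc_t-labelled files would start being denied) rather than a cleanup. If a second `files_exec_etc_files(initrc_t)` exists elsewhere in the initrc_t section, naming it in the commit message settles it; otherwise the line should stay or the removal should be stated explicitly. The same question applies to `- dev_create_generic_dirs(initrc_t)`, dropped from the `ifdef(`distro_gentoo',` block in the later hunk `@@ -134570,7 +134563,15 @@`. The enclosing initrc_t rule block starts and ends outside this hunk.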
@@ -134546,7 +134539,7 @@ index dd3be8d..2cef56a 100644 auth_setattr_login_records(initrc_t) auth_rw_lastlog(initrc_t) auth_read_pam_pid(initrc_t) -@@ -415,20 +698,18 @@ logging_read_all_logs(initrc_t) +@@ -415,20 +694,18 @@ logging_read_all_logs(initrc_t) logging_append_all_logs(initrc_t) logging_read_audit_config(initrc_t) @@ -134570,7 +134563,15 @@ index dd3be8d..2cef56a 100644 ifdef(`distro_debian',` dev_setattr_generic_dirs(initrc_t) -@@ -485,6 +766,10 @@ ifdef(`distro_gentoo',` +@@ -450,7 +727,6 @@ ifdef(`distro_gentoo',` + allow initrc_t self:process setfscreate; + dev_create_null_dev(initrc_t) + dev_create_zero_dev(initrc_t) +- dev_create_generic_dirs(initrc_t) + term_create_console_dev(initrc_t) + + # unfortunately /sbin/rc does stupid tricks +@@ -485,6 +761,10 @@ ifdef(`distro_gentoo',` sysnet_setattr_config(initrc_t) optional_policy(` @@ -134581,7 +134582,7 @@ index dd3be8d..2cef56a 100644 alsa_read_lib(initrc_t) ') -@@ -505,7 +790,7 @@ ifdef(`distro_redhat',` +@@ -505,7 +785,7 @@ ifdef(`distro_redhat',` # Red Hat systems seem to have a stray # fd open from the initrd @@ -134590,7 +134591,7 @@ index dd3be8d..2cef56a 100644 files_dontaudit_read_root_files(initrc_t) # These seem to be from the initrd -@@ -520,6 +805,7 @@ ifdef(`distro_redhat',` +@@ -520,6 +800,7 @@ ifdef(`distro_redhat',` files_create_boot_dirs(initrc_t) files_create_boot_flag(initrc_t) files_rw_boot_symlinks(initrc_t) @@ -134598,7 +134599,7 @@ index dd3be8d..2cef56a 100644 # wants to read /.fonts directory files_read_default_files(initrc_t) files_mountpoint(initrc_tmp_t) -@@ -540,6 +826,7 @@ ifdef(`distro_redhat',` +@@ -540,6 +821,7 @@ ifdef(`distro_redhat',` miscfiles_rw_localization(initrc_t) miscfiles_setattr_localization(initrc_t) miscfiles_relabel_localization(initrc_t) 
@@ -134606,7 +134607,7 @@ index dd3be8d..2cef56a 100644 miscfiles_read_fonts(initrc_t) miscfiles_read_hwdata(initrc_t) -@@ -549,8 +836,40 @@ ifdef(`distro_redhat',` +@@ -549,8 +831,40 @@ ifdef(`distro_redhat',` ') optional_policy(` @@ -134647,7 +134648,7 @@ index dd3be8d..2cef56a 100644 ') optional_policy(` -@@ -558,14 +877,31 @@ ifdef(`distro_redhat',` +@@ -558,14 +872,31 @@ ifdef(`distro_redhat',` rpc_write_exports(initrc_t) rpc_manage_nfs_state_data(initrc_t) ') @@ -134679,7 +134680,7 @@ index dd3be8d..2cef56a 100644 ') ') -@@ -576,6 +912,39 @@ ifdef(`distro_suse',` +@@ -576,6 +907,39 @@ ifdef(`distro_suse',` ') ') @@ -134719,7 +134720,7 @@ index dd3be8d..2cef56a 100644 optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -588,6 +957,8 @@ optional_policy(` +@@ -588,6 +952,8 @@ optional_policy(` optional_policy(` apache_read_config(initrc_t) apache_list_modules(initrc_t) @@ -134728,7 +134729,7 @@ index dd3be8d..2cef56a 100644 ') optional_policy(` -@@ -609,6 +980,7 @@ optional_policy(` +@@ -609,6 +975,7 @@ optional_policy(` optional_policy(` cgroup_stream_connect_cgred(initrc_t) @@ -134736,7 +134737,7 @@ index dd3be8d..2cef56a 100644 ') optional_policy(` -@@ -625,6 +997,17 @@ optional_policy(` +@@ -625,6 +992,17 @@ optional_policy(` ') optional_policy(` @@ -134754,7 +134755,7 @@ index dd3be8d..2cef56a 100644 dev_getattr_printer_dev(initrc_t) cups_read_log(initrc_t) -@@ -641,9 +1024,13 @@ optional_policy(` +@@ -641,9 +1019,13 @@ optional_policy(` dbus_connect_system_bus(initrc_t) dbus_system_bus_client(initrc_t) dbus_read_config(initrc_t) 
@@ -134768,18 +134769,25 @@ index dd3be8d..2cef56a 100644 ') optional_policy(` -@@ -668,6 +1055,10 @@ optional_policy(` +@@ -656,15 +1038,11 @@ optional_policy(` ') optional_policy(` -+ glance_manage_pid_files(initrc_t) -+') -+ -+optional_policy(` - gpm_setattr_gpmctl(initrc_t) +- # /var/run/dovecot/login/ssl-parameters.dat is a hard link to +- # /var/lib/dovecot/ssl-parameters.dat and init tries to clean up +- # the directory. But we do not want to allow this. +- # The master process of dovecot will manage this file. +- dovecot_dontaudit_unlink_lib_files(initrc_t) ++ ftp_read_config(initrc_t) ') -@@ -685,6 +1076,15 @@ optional_policy(` + optional_policy(` +- ftp_read_config(initrc_t) ++ glance_manage_pid_files(initrc_t) + ') + + optional_policy(` +@@ -685,6 +1063,15 @@ optional_policy(` ') optional_policy(` @@ -134795,7 +134803,7 @@ index dd3be8d..2cef56a 100644 inn_exec_config(initrc_t) ') -@@ -725,6 +1125,7 @@ optional_policy(` +@@ -725,6 +1112,7 @@ optional_policy(` lpd_list_spool(initrc_t) lpd_read_config(initrc_t) @@ -134803,7 +134811,7 @@ index dd3be8d..2cef56a 100644 ') optional_policy(` -@@ -742,7 +1143,14 @@ optional_policy(` +@@ -742,7 +1130,14 @@ optional_policy(` ') optional_policy(` @@ -134818,7 +134826,7 @@ index dd3be8d..2cef56a 100644 mta_dontaudit_read_spool_symlinks(initrc_t) ') -@@ -765,6 +1173,10 @@ optional_policy(` +@@ -765,6 +1160,10 @@ optional_policy(` ') optional_policy(` @@ -134829,7 +134837,7 @@ index dd3be8d..2cef56a 100644 postgresql_manage_db(initrc_t) postgresql_read_config(initrc_t) ') -@@ -774,10 +1186,20 @@ optional_policy(` +@@ -774,10 +1173,20 @@ optional_policy(` ') optional_policy(` @@ -134850,7 +134858,7 @@ index dd3be8d..2cef56a 100644 quota_manage_flags(initrc_t) ') -@@ -786,6 +1208,10 @@ optional_policy(` +@@ -786,6 +1195,10 @@ optional_policy(` ') optional_policy(` 
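Review bot: `dovecot_dontaudit_unlink_lib_files(initrc_t)` and its four-line rationale comment are now removed in the `@@ -656,15 +1038,11 @@` inner hunk of init.te, and nothing here marks it as a duplicate; dropping a dontaudit does not widen access, but it reintroduces the audit noise the comment was written to suppress and loses the record of why init must not unlink the hard-linked ssl-parameters.dat. If the interface no longer exists in the contrib policy, say so in the commit message; otherwise keep the line, or at least carry the comment to wherever the equivalent rule now lives. The sequence of `optional_policy` blocks for initrc_t continues outside this hunk.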
@@ -134861,7 +134869,7 @@ index dd3be8d..2cef56a 100644 fs_write_ramfs_sockets(initrc_t) fs_search_ramfs(initrc_t) -@@ -807,8 +1233,6 @@ optional_policy(` +@@ -807,8 +1220,6 @@ optional_policy(` # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) @@ -134870,7 +134878,7 @@ index dd3be8d..2cef56a 100644 ') optional_policy(` -@@ -817,6 +1241,10 @@ optional_policy(` +@@ -817,6 +1228,10 @@ optional_policy(` ') optional_policy(` @@ -134881,7 +134889,7 @@ index dd3be8d..2cef56a 100644 # shorewall-init script run /var/lib/shorewall/firewall shorewall_lib_domtrans(initrc_t) ') -@@ -826,10 +1254,12 @@ optional_policy(` +@@ -826,10 +1241,12 @@ optional_policy(` squid_manage_logs(initrc_t) ') @@ -134894,7 +134902,7 @@ index dd3be8d..2cef56a 100644 optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -856,12 +1286,27 @@ optional_policy(` +@@ -856,12 +1273,27 @@ optional_policy(` ') optional_policy(` @@ -134923,7 +134931,7 @@ index dd3be8d..2cef56a 100644 ifdef(`distro_redhat',` # system-config-services causes avc messages that should be dontaudited -@@ -871,6 +1316,18 @@ optional_policy(` +@@ -871,6 +1303,18 @@ optional_policy(` optional_policy(` mono_domtrans(initrc_t) ') @@ -134942,7 +134950,7 @@ index dd3be8d..2cef56a 100644 ') optional_policy(` -@@ -886,6 +1343,10 @@ optional_policy(` +@@ -886,6 +1330,10 @@ optional_policy(` ') optional_policy(` @@ -134953,7 +134961,7 @@ index dd3be8d..2cef56a 100644 # Set device ownerships/modes. xserver_setattr_console_pipes(initrc_t) -@@ -896,3 +1357,185 @@ optional_policy(` +@@ -896,3 +1344,185 @@ optional_policy(` optional_policy(` zebra_read_config(initrc_t) ') @@ -135447,7 +135455,7 @@ index c42fbc3..174cfdb 100644 ## ## Set the attributes of iptables config files. diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te -index 5dfa44b..169f4b2 100644 +index 5dfa44b..938e2ec 100644 --- a/policy/modules/system/iptables.te +++ b/policy/modules/system/iptables.te 
@@ -16,15 +16,15 @@ role iptables_roles types iptables_t; @@ -135488,18 +135496,15 @@ index 5dfa44b..169f4b2 100644 kernel_request_load_module(iptables_t) kernel_read_system_state(iptables_t) kernel_read_network_state(iptables_t) -@@ -64,6 +65,10 @@ corenet_relabelto_all_packets(iptables_t) +@@ -64,6 +65,7 @@ corenet_relabelto_all_packets(iptables_t) corenet_dontaudit_rw_tun_tap_dev(iptables_t) dev_read_sysfs(iptables_t) +dev_read_urand(iptables_t) -+ifdef(`hide_broken_symptoms',` -+ dev_dontaudit_write_mtrr(iptables_t) -+') fs_getattr_xattr_fs(iptables_t) fs_search_auto_mountpoints(iptables_t) -@@ -72,11 +77,11 @@ fs_list_inotifyfs(iptables_t) +@@ -72,11 +74,11 @@ fs_list_inotifyfs(iptables_t) mls_file_read_all_levels(iptables_t) term_dontaudit_use_console(iptables_t) @@ -135513,7 +135518,7 @@ index 5dfa44b..169f4b2 100644 auth_use_nsswitch(iptables_t) -@@ -85,15 +90,14 @@ init_use_script_ptys(iptables_t) +@@ -85,15 +87,14 @@ init_use_script_ptys(iptables_t) # to allow rules to be saved on reboot: init_rw_script_tmp_files(iptables_t) init_rw_script_stream_sockets(iptables_t) @@ -135531,7 +135536,7 @@ index 5dfa44b..169f4b2 100644 userdom_use_all_users_fds(iptables_t) ifdef(`hide_broken_symptoms',` -@@ -102,6 +106,8 @@ ifdef(`hide_broken_symptoms',` +@@ -102,6 +103,8 @@ ifdef(`hide_broken_symptoms',` optional_policy(` fail2ban_append_log(iptables_t) @@ -135540,7 +135545,7 @@ index 5dfa44b..169f4b2 100644 ') optional_policy(` -@@ -124,6 +130,7 @@ optional_policy(` +@@ -124,6 +127,7 @@ optional_policy(` optional_policy(` psad_rw_tmp_files(iptables_t) 
@@ -135548,14 +135553,17 @@ index 5dfa44b..169f4b2 100644 ') optional_policy(` -@@ -137,6 +144,7 @@ optional_policy(` - optional_policy(` - shorewall_read_tmp_files(iptables_t) - shorewall_rw_lib_files(iptables_t) -+ shorewall_read_tmp_files(iptables_t) - shorewall_read_config(iptables_t) +@@ -135,9 +139,9 @@ optional_policy(` ') + optional_policy(` ++ shorewall_read_config(iptables_t) + shorewall_read_tmp_files(iptables_t) + shorewall_rw_lib_files(iptables_t) +- shorewall_read_config(iptables_t) + ') + + optional_policy(` diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc index 73bb3c0..e6fa600 100644 --- a/policy/modules/system/libraries.fc @@ -136215,7 +136223,7 @@ index 0e3c2a9..40adf5a 100644 +') + diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te -index c04ac46..b123de6 100644 +index c04ac46..e06286c 100644 --- a/policy/modules/system/locallogin.te +++ b/policy/modules/system/locallogin.te @@ -13,9 +13,8 @@ auth_login_entry_type(local_login_t) @@ -136296,16 +136304,15 @@ index c04ac46..b123de6 100644 userdom_spec_domtrans_all_users(local_login_t) userdom_signal_all_users(local_login_t) -@@ -141,19 +149,19 @@ ifdef(`distro_ubuntu',` +@@ -141,19 +149,15 @@ ifdef(`distro_ubuntu',` ') ') -tunable_policy(`console_login',` -+tunable_policy(`login_console_enabled',` - # Able to relabel /dev/console to user tty types. - term_relabel_console(local_login_t) - ') - +- # Able to relabel /dev/console to user tty types. +- term_relabel_console(local_login_t) +-') +- -tunable_policy(`use_nfs_home_dirs',` - fs_read_nfs_files(local_login_t) - fs_read_nfs_symlinks(local_login_t) 
@@ -136319,12 +136326,13 @@ index c04ac46..b123de6 100644 - fs_read_cifs_symlinks(local_login_t) +tunable_policy(`login_console_enabled',` + term_use_console(local_login_t) ++ # Able to relabel /dev/console to user tty types. + term_relabel_console(local_login_t) + term_setattr_console(local_login_t) ') optional_policy(` -@@ -177,14 +185,6 @@ optional_policy(` +@@ -177,14 +181,6 @@ optional_policy(` ') optional_policy(` @@ -136339,7 +136347,7 @@ index c04ac46..b123de6 100644 unconfined_shell_domtrans(local_login_t) ') -@@ -215,6 +215,7 @@ allow sulogin_t self:sem create_sem_perms; +@@ -215,6 +211,7 @@ allow sulogin_t self:sem create_sem_perms; allow sulogin_t self:msgq create_msgq_perms; allow sulogin_t self:msg { send receive }; @@ -136347,7 +136355,7 @@ index c04ac46..b123de6 100644 kernel_read_system_state(sulogin_t) fs_search_auto_mountpoints(sulogin_t) -@@ -223,13 +224,16 @@ fs_rw_tmpfs_chr_files(sulogin_t) +@@ -223,13 +220,16 @@ fs_rw_tmpfs_chr_files(sulogin_t) files_read_etc_files(sulogin_t) # because file systems are not mounted: files_dontaudit_search_isid_type_dirs(sulogin_t) @@ -136364,7 +136372,7 @@ index c04ac46..b123de6 100644 seutil_read_config(sulogin_t) seutil_read_default_contexts(sulogin_t) -@@ -238,14 +242,24 @@ userdom_use_unpriv_users_fds(sulogin_t) +@@ -238,14 +238,24 @@ userdom_use_unpriv_users_fds(sulogin_t) userdom_search_user_home_dirs(sulogin_t) userdom_use_user_ptys(sulogin_t) @@ -136391,7 +136399,7 @@ index c04ac46..b123de6 100644 init_getpgid(sulogin_t) ', ` allow sulogin_t self:process setexec; -@@ -256,11 +270,3 @@ ifdef(`sulogin_no_pam', ` +@@ -256,11 +266,3 @@ ifdef(`sulogin_no_pam', ` selinux_compute_relabel_context(sulogin_t) selinux_compute_user_contexts(sulogin_t) ') @@ -136895,7 +136903,7 @@ index 4e94884..23894f4 100644 + init_named_pid_filetrans($1, syslogd_var_run_t, dir, "journal") +') 
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te -index 39ea221..37275c3 100644 +index 39ea221..d9a4b9b 100644 --- a/policy/modules/system/logging.te +++ b/policy/modules/system/logging.te @@ -4,6 +4,21 @@ policy_module(logging, 1.19.6) @@ -137110,7 +137118,7 @@ index 39ea221..37275c3 100644 # Allow access for syslog-ng allow syslogd_t var_log_t:dir { create setattr }; -@@ -386,22 +425,35 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t) +@@ -386,22 +425,31 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t) manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t) files_tmp_filetrans(syslogd_t, syslogd_tmp_t, { dir file }) @@ -137118,14 +137126,12 @@ index 39ea221..37275c3 100644 manage_files_pattern(syslogd_t, syslogd_var_lib_t, syslogd_var_lib_t) files_search_var_lib(syslogd_t) +-# manage pid file +manage_dirs_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t) -+manage_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t) + manage_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t) +-files_pid_filetrans(syslogd_t, syslogd_var_run_t, file) +manage_sock_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t) +files_pid_filetrans(syslogd_t, syslogd_var_run_t, { file dir }) -+ - # manage pid file - manage_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t) - files_pid_filetrans(syslogd_t, syslogd_var_run_t, file) +kernel_rw_stream_socket_perms(syslogd_t) kernel_read_system_state(syslogd_t) @@ -137147,7 +137153,7 @@ index 39ea221..37275c3 100644 corenet_all_recvfrom_netlabel(syslogd_t) corenet_udp_sendrecv_generic_if(syslogd_t) corenet_udp_sendrecv_generic_node(syslogd_t) -@@ -427,10 +479,28 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t) +@@ -427,9 +475,26 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t) corenet_sendrecv_postgresql_client_packets(syslogd_t) corenet_sendrecv_mysqld_client_packets(syslogd_t) 
@@ -137163,20 +137169,19 @@ index 39ea221..37275c3 100644 + dev_filetrans(syslogd_t, devlog_t, sock_file) dev_read_sysfs(syslogd_t) +- +dev_read_rand(syslogd_t) +dev_read_urand(syslogd_t) +# relating to systemd-kmsg-syslogd +dev_write_kmsg(syslogd_t) +dev_read_kmsg(syslogd_t) - -+domain_read_all_domains_state(syslogd_t) - domain_use_interactive_fds(syslogd_t) ++ +domain_read_all_domains_state(syslogd_t) +domain_getattr_all_domains(syslogd_t) + domain_use_interactive_fds(syslogd_t) files_read_etc_files(syslogd_t) - files_read_usr_files(syslogd_t) -@@ -442,14 +512,18 @@ files_read_kernel_symbol_table(syslogd_t) +@@ -442,14 +507,18 @@ files_read_kernel_symbol_table(syslogd_t) files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir }) fs_getattr_all_fs(syslogd_t) @@ -137195,7 +137200,7 @@ index 39ea221..37275c3 100644 # for sending messages to logged in users init_read_utmp(syslogd_t) init_dontaudit_write_utmp(syslogd_t) -@@ -461,11 +535,11 @@ init_use_fds(syslogd_t) +@@ -461,11 +530,11 @@ init_use_fds(syslogd_t) # cjp: this doesnt make sense logging_send_syslog_msg(syslogd_t) @@ -137209,7 +137214,7 @@ index 39ea221..37275c3 100644 ifdef(`distro_gentoo',` # default gentoo syslog-ng config appends kernel -@@ -502,15 +576,36 @@ optional_policy(` +@@ -502,15 +571,36 @@ optional_policy(` ') optional_policy(` @@ -137246,7 +137251,7 @@ index 39ea221..37275c3 100644 ') optional_policy(` -@@ -521,3 +616,24 @@ optional_policy(` +@@ -521,3 +611,24 @@ optional_policy(` # log to the xconsole xserver_rw_console(syslogd_t) ') @@ -137491,7 +137496,7 @@ index 58bc27f..51e9872 100644 + allow $1 lvm_var_run_t:fifo_file rw_inherited_fifo_file_perms; +') diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te -index e8c59a5..66465b0 100644 +index e8c59a5..7622d77 100644 --- a/policy/modules/system/lvm.te +++ b/policy/modules/system/lvm.te @@ -12,6 +12,9 @@ init_daemon_domain(clvmd_t, clvmd_exec_t) 
@@ -137588,13 +137593,7 @@ index e8c59a5..66465b0 100644 read_files_pattern(lvm_t, lvm_etc_t, lvm_etc_t) read_lnk_files_pattern(lvm_t, lvm_etc_t, lvm_etc_t) -@@ -215,11 +226,13 @@ files_search_mnt(lvm_t) - - kernel_get_sysvipc_info(lvm_t) - kernel_read_system_state(lvm_t) -+kernel_read_kernel_sysctls(lvm_t) - # Read system variables in /proc/sys - kernel_read_kernel_sysctls(lvm_t) +@@ -220,6 +231,7 @@ kernel_read_kernel_sysctls(lvm_t) # it has no reason to need this kernel_dontaudit_getattr_core_if(lvm_t) kernel_use_fds(lvm_t) @@ -137602,7 +137601,7 @@ index e8c59a5..66465b0 100644 kernel_search_debugfs(lvm_t) corecmd_exec_bin(lvm_t) -@@ -230,11 +243,13 @@ dev_delete_generic_dirs(lvm_t) +@@ -230,11 +242,13 @@ dev_delete_generic_dirs(lvm_t) dev_read_rand(lvm_t) dev_read_urand(lvm_t) dev_rw_lvm_control(lvm_t) @@ -137617,7 +137616,7 @@ index e8c59a5..66465b0 100644 # cjp: this has no effect since LVM does not # have lnk_file relabelto for anything else. # perhaps this should be blk_files? -@@ -246,6 +261,7 @@ dev_dontaudit_getattr_generic_chr_files(lvm_t) +@@ -246,6 +260,7 @@ dev_dontaudit_getattr_generic_chr_files(lvm_t) dev_dontaudit_getattr_generic_blk_files(lvm_t) dev_dontaudit_getattr_generic_pipes(lvm_t) dev_create_generic_dirs(lvm_t) @@ -137625,7 +137624,7 @@ index e8c59a5..66465b0 100644 domain_use_interactive_fds(lvm_t) domain_read_all_domains_state(lvm_t) -@@ -255,17 +271,21 @@ files_read_etc_files(lvm_t) +@@ -255,17 +270,21 @@ files_read_etc_files(lvm_t) files_read_etc_runtime_files(lvm_t) # for when /usr is not mounted: files_dontaudit_search_isid_type_dirs(lvm_t) @@ -137648,7 +137647,7 @@ index e8c59a5..66465b0 100644 selinux_get_fs_mount(lvm_t) selinux_validate_context(lvm_t) -@@ -285,7 +305,7 @@ storage_dev_filetrans_fixed_disk(lvm_t) +@@ -285,7 +304,7 @@ storage_dev_filetrans_fixed_disk(lvm_t) # Access raw devices and old /dev/lvm (c 109,0). Is this needed? storage_manage_fixed_disk(lvm_t) 
@@ -137657,7 +137656,7 @@ index e8c59a5..66465b0 100644 init_use_fds(lvm_t) init_dontaudit_getattr_initctl(lvm_t) -@@ -293,15 +313,20 @@ init_use_script_ptys(lvm_t) +@@ -293,15 +312,20 @@ init_use_script_ptys(lvm_t) init_read_script_state(lvm_t) logging_send_syslog_msg(lvm_t) @@ -137679,7 +137678,7 @@ index e8c59a5..66465b0 100644 ifdef(`distro_redhat',` # this is from the initrd: -@@ -313,6 +338,11 @@ ifdef(`distro_redhat',` +@@ -313,6 +337,11 @@ ifdef(`distro_redhat',` ') optional_policy(` @@ -137691,7 +137690,7 @@ index e8c59a5..66465b0 100644 bootloader_rw_tmp_files(lvm_t) ') -@@ -333,14 +363,26 @@ optional_policy(` +@@ -333,14 +362,26 @@ optional_policy(` ') optional_policy(` @@ -138056,7 +138055,7 @@ index 7449974..6375786 100644 + files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.dep.bin") +') diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te -index 7a49e28..7857f24 100644 +index 7a49e28..3e5393b 100644 --- a/policy/modules/system/modutils.te +++ b/policy/modules/system/modutils.te @@ -5,7 +5,7 @@ policy_module(modutils, 1.13.3) @@ -138168,7 +138167,7 @@ index 7a49e28..7857f24 100644 # Read module config and dependency information list_dirs_pattern(insmod_t, modules_conf_t, modules_conf_t) -@@ -117,7 +123,11 @@ read_files_pattern(insmod_t, modules_dep_t, modules_dep_t) +@@ -117,14 +123,18 @@ read_files_pattern(insmod_t, modules_dep_t, modules_dep_t) can_exec(insmod_t, insmod_exec_t) @@ -138176,11 +138175,11 @@ index 7a49e28..7857f24 100644 +fs_tmpfs_filetrans(insmod_t,insmod_tmpfs_t,file) + kernel_load_module(insmod_t) +-kernel_request_load_module(insmod_t) +files_manage_kernel_modules(insmod_t) - kernel_request_load_module(insmod_t) kernel_read_system_state(insmod_t) kernel_read_network_state(insmod_t) -@@ -125,6 +135,7 @@ kernel_write_proc_files(insmod_t) + kernel_write_proc_files(insmod_t) kernel_mount_debugfs(insmod_t) kernel_mount_kvmfs(insmod_t) kernel_read_debugfs(insmod_t) 
@@ -138188,7 +138187,7 @@ index 7a49e28..7857f24 100644 # Rules for /proc/sys/kernel/tainted kernel_read_kernel_sysctls(insmod_t) kernel_rw_kernel_sysctl(insmod_t) -@@ -142,6 +153,7 @@ dev_rw_agp(insmod_t) +@@ -142,6 +152,7 @@ dev_rw_agp(insmod_t) dev_read_sound(insmod_t) dev_write_sound(insmod_t) dev_rw_apm_bios(insmod_t) @@ -138196,7 +138195,7 @@ index 7a49e28..7857f24 100644 domain_signal_all_domains(insmod_t) domain_use_interactive_fds(insmod_t) -@@ -151,30 +163,38 @@ files_read_etc_runtime_files(insmod_t) +@@ -151,30 +162,37 @@ files_read_etc_runtime_files(insmod_t) files_read_etc_files(insmod_t) files_read_usr_files(insmod_t) files_exec_etc_files(insmod_t) @@ -138208,7 +138207,6 @@ index 7a49e28..7857f24 100644 # for locking: (cjp: ????) files_write_kernel_modules(insmod_t) +allow insmod_t modules_dep_t:file manage_file_perms; -+files_kernel_modules_filetrans(depmod_t, modules_dep_t, file) fs_getattr_xattr_fs(insmod_t) fs_dontaudit_use_tmpfs_chr_dev(insmod_t) @@ -138238,7 +138236,7 @@ index 7a49e28..7857f24 100644 userdom_dontaudit_search_user_home_dirs(insmod_t) kernel_domtrans_to(insmod_t, insmod_exec_t) -@@ -184,28 +204,32 @@ optional_policy(` +@@ -184,28 +202,32 @@ optional_policy(` ') optional_policy(` @@ -138278,7 +138276,7 @@ index 7a49e28..7857f24 100644 ') optional_policy(` -@@ -225,6 +249,7 @@ optional_policy(` +@@ -225,6 +247,7 @@ optional_policy(` optional_policy(` rpm_rw_pipes(insmod_t) @@ -138286,7 +138284,7 @@ index 7a49e28..7857f24 100644 ') optional_policy(` -@@ -233,6 +258,10 @@ optional_policy(` +@@ -233,6 +256,10 @@ optional_policy(` ') optional_policy(` @@ -138297,7 +138295,7 @@ index 7a49e28..7857f24 100644 # cjp: why is this needed: dev_rw_xserver_misc(insmod_t) -@@ -291,11 +320,10 @@ init_use_script_ptys(update_modules_t) +@@ -291,11 +318,10 @@ init_use_script_ptys(update_modules_t) logging_send_syslog_msg(update_modules_t) 
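Review bot: With the `+files_kernel_modules_filetrans(depmod_t, modules_dep_t, file)` line dropped from the patch in the `@@ -151,30 +162,37 @@` hunk, the surviving `allow insmod_t modules_dep_t:file manage_file_perms;` is no longer paired with any type transition, so if insmod_t is the domain that regenerates the dependency files under the kernel modules directory, a newly created modules.dep would inherit the parent directory's type instead of modules_dep_t. Removing the depmod_t reference looks right (that domain does not appear elsewhere in the visible hunks), but the intended replacement is presumably `files_kernel_modules_filetrans(insmod_t, modules_dep_t, file)` next to the allow rule, or a comment saying depmod does not run as insmod_t. A why-comment on the manage rule would also help, e.g. `# modules.dep(.bin) is rewritten by depmod running as insmod_t -- confirm`. The insmod_t rule block continues outside this hunk.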
@@ -138632,7 +138630,7 @@ index 4584457..300c3f7 100644 + domtrans_pattern($1, mount_ecryptfs_exec_t, mount_ecryptfs_t) ') diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te -index 6a50270..4b28c1b 100644 +index 6a50270..1e98d92 100644 --- a/policy/modules/system/mount.te +++ b/policy/modules/system/mount.te @@ -10,35 +10,60 @@ policy_module(mount, 1.15.1) @@ -138707,7 +138705,7 @@ index 6a50270..4b28c1b 100644 allow mount_t mount_loopback_t:file read_file_perms; -@@ -49,9 +74,25 @@ can_exec(mount_t, mount_exec_t) +@@ -49,9 +74,24 @@ can_exec(mount_t, mount_exec_t) files_tmp_filetrans(mount_t, mount_tmp_t, { file dir }) @@ -138730,11 +138728,10 @@ index 6a50270..4b28c1b 100644 +kernel_manage_debugfs(mount_t) +kernel_setsched(mount_t) +kernel_use_fds(mount_t) -+kernel_request_load_module(mount_t) kernel_dontaudit_write_debugfs_dirs(mount_t) kernel_dontaudit_write_proc_dirs(mount_t) # To load binfmt_misc kernel module -@@ -60,31 +101,46 @@ kernel_request_load_module(mount_t) +@@ -60,31 +100,46 @@ kernel_request_load_module(mount_t) # required for mount.smbfs corecmd_exec_bin(mount_t) @@ -138784,7 +138781,7 @@ index 6a50270..4b28c1b 100644 files_read_isid_type_files(mount_t) # For reading cert files files_read_usr_files(mount_t) -@@ -92,28 +148,39 @@ files_list_mnt(mount_t) +@@ -92,28 +147,39 @@ files_list_mnt(mount_t) files_dontaudit_write_all_mountpoints(mount_t) files_dontaudit_setattr_all_mountpoints(mount_t) @@ -138830,7 +138827,7 @@ index 6a50270..4b28c1b 100644 term_dontaudit_manage_pty_dirs(mount_t) auth_use_nsswitch(mount_t) -@@ -121,16 +188,20 @@ auth_use_nsswitch(mount_t) +@@ -121,16 +187,20 @@ auth_use_nsswitch(mount_t) init_use_fds(mount_t) init_use_script_ptys(mount_t) init_dontaudit_getattr_initctl(mount_t) @@ -138852,7 +138849,7 @@ index 6a50270..4b28c1b 100644 ifdef(`distro_redhat',` optional_policy(` -@@ -146,26 +217,27 @@ ifdef(`distro_ubuntu',` +@@ -146,26 +216,27 @@ ifdef(`distro_ubuntu',` ') ') 
@@ -138892,7 +138889,7 @@ index 6a50270..4b28c1b 100644 corenet_tcp_bind_generic_port(mount_t) corenet_udp_bind_generic_port(mount_t) corenet_tcp_bind_reserved_port(mount_t) -@@ -179,6 +251,8 @@ optional_policy(` +@@ -179,6 +250,8 @@ optional_policy(` fs_search_rpc(mount_t) rpc_stub(mount_t) @@ -138901,7 +138898,7 @@ index 6a50270..4b28c1b 100644 ') optional_policy(` -@@ -186,6 +260,28 @@ optional_policy(` +@@ -186,6 +259,28 @@ optional_policy(` ') optional_policy(` @@ -138930,7 +138927,7 @@ index 6a50270..4b28c1b 100644 ifdef(`hide_broken_symptoms',` # for a bug in the X server rhgb_dontaudit_rw_stream_sockets(mount_t) -@@ -194,24 +290,124 @@ optional_policy(` +@@ -194,24 +289,124 @@ optional_policy(` ') optional_policy(` @@ -138986,10 +138983,12 @@ index 6a50270..4b28c1b 100644 +optional_policy(` + ssh_exec(mount_t) +') -+ -+optional_policy(` + + optional_policy(` +- files_etc_filetrans_etc_runtime(unconfined_mount_t, file) +- unconfined_domain(unconfined_mount_t) + usbmuxd_stream_connect(mount_t) -+') + ') + +optional_policy(` + userhelper_exec_console(mount_t) @@ -138998,12 +138997,10 @@ index 6a50270..4b28c1b 100644 +optional_policy(` + virt_read_blk_images(mount_t) +') - - optional_policy(` -- files_etc_filetrans_etc_runtime(unconfined_mount_t, file) -- unconfined_domain(unconfined_mount_t) ++ ++optional_policy(` + vmware_exec_host(mount_t) - ') ++') + +###################################### +# @@ -139680,7 +139677,7 @@ index 3822072..702e0e0 100644 + logging_send_syslog_msg($1) +') diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te -index ec01d0b..51e91d2 100644 +index ec01d0b..4873b1c 100644 --- a/policy/modules/system/selinuxutil.te +++ b/policy/modules/system/selinuxutil.te @@ -11,14 +11,17 @@ gen_require(` 
@@ -140101,11 +140098,11 @@ index ec01d0b..51e91d2 100644 -auth_use_nsswitch(semanage_t) - -locallogin_use_fds(semanage_t) -- --logging_send_syslog_msg(semanage_t) +# Admins are creating pp files in random locations +files_read_non_security_files(semanage_t) +-logging_send_syslog_msg(semanage_t) +- -miscfiles_read_localization(semanage_t) - -seutil_libselinux_linked(semanage_t) @@ -140193,7 +140190,7 @@ index ec01d0b..51e91d2 100644 ') ######################################## -@@ -522,108 +603,180 @@ ifdef(`distro_ubuntu',` +@@ -522,108 +603,178 @@ ifdef(`distro_ubuntu',` # Setfiles local policy # @@ -140275,12 +140272,12 @@ index ec01d0b..51e91d2 100644 + # pki is leaking + pki_dontaudit_write_log(setfiles_t) +') -+ + +-seutil_libselinux_linked(setfiles_t) +optional_policy(` + xserver_append_xdm_tmp_files(setfiles_t) +') - --seutil_libselinux_linked(setfiles_t) ++ +ifdef(`hide_broken_symptoms',` + + optional_policy(` @@ -140431,8 +140428,6 @@ index ec01d0b..51e91d2 100644 +corecmd_exec_bin(policy_manager_domain) +corecmd_exec_shell(policy_manager_domain) + -+dev_read_urand(policy_manager_domain) -+ +domain_use_interactive_fds(policy_manager_domain) + +files_read_etc_files(policy_manager_domain) @@ -140838,7 +140833,7 @@ index 6944526..729dc8c 100644 + files_etc_filetrans($1, net_conf_t, file, "yp.conf") +') diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te -index b7686d5..ab5e58c 100644 +index b7686d5..7f2928d 100644 --- a/policy/modules/system/sysnetwork.te +++ b/policy/modules/system/sysnetwork.te @@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.14.6) @@ -141131,7 +141126,7 @@ index b7686d5..ab5e58c 100644 ') optional_policy(` -@@ -339,7 +398,15 @@ optional_policy(` +@@ -339,7 +398,11 @@ optional_policy(` ') optional_policy(` 
@@ -141141,14 +141136,10 @@ index b7686d5..ab5e58c 100644 + +optional_policy(` + modutils_domtrans_insmod(ifconfig_t) -+') -+ -+optional_policy(` -+ netutils_domtrans(dhcpc_t) ') optional_policy(` -@@ -360,3 +427,9 @@ optional_policy(` +@@ -360,3 +423,9 @@ optional_policy(` xen_append_log(ifconfig_t) xen_dontaudit_rw_unix_stream_sockets(ifconfig_t) ') @@ -142168,10 +142159,10 @@ index 0000000..3e4cae7 +') diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 0000000..f29d5b8 +index 0000000..dc3c408 --- /dev/null +++ b/policy/modules/system/systemd.te -@@ -0,0 +1,447 @@ +@@ -0,0 +1,451 @@ +policy_module(systemd, 1.0.0) + +####################################### @@ -142532,6 +142523,10 @@ index 0000000..f29d5b8 +') + +optional_policy(` ++ lpd_relabel_spool(systemd_tmpfiles_t) ++') ++ ++optional_policy(` + rpm_read_db(systemd_tmpfiles_t) + rpm_delete_db(systemd_tmpfiles_t) +') @@ -142917,7 +142912,7 @@ index 0f64692..d7e8a01 100644 ######################################## diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te -index a5ec88b..99fd5da 100644 +index a5ec88b..b31b982 100644 --- a/policy/modules/system/udev.te +++ b/policy/modules/system/udev.te @@ -17,14 +17,12 @@ init_daemon_domain(udev_t, udev_exec_t) @@ -143096,18 +143091,7 @@ index a5ec88b..99fd5da 100644 # for arping used for static IP addresses on PCMCIA ethernet netutils_domtrans(udev_t) -@@ -217,6 +230,10 @@ optional_policy(` - ') - - optional_policy(` -+ consolekit_read_pid_files(udev_t) -+') -+ -+optional_policy(` - consoletype_exec(udev_t) - ') - -@@ -226,6 +243,7 @@ optional_policy(` +@@ -226,6 +239,7 @@ optional_policy(` optional_policy(` cups_domtrans_config(udev_t) @@ -143115,7 +143099,7 @@ index a5ec88b..99fd5da 100644 ') optional_policy(` -@@ -235,10 +253,20 @@ optional_policy(` +@@ -235,10 +249,20 @@ optional_policy(` optional_policy(` devicekit_read_pid_files(udev_t) devicekit_dgram_send(udev_t) 
@@ -143136,7 +143120,7 @@ index a5ec88b..99fd5da 100644 ') optional_policy(` -@@ -264,6 +292,10 @@ optional_policy(` +@@ -264,6 +288,10 @@ optional_policy(` ') optional_policy(` @@ -143147,7 +143131,7 @@ index a5ec88b..99fd5da 100644 openct_read_pid_files(udev_t) openct_domtrans(udev_t) ') -@@ -278,6 +310,15 @@ optional_policy(` +@@ -278,6 +306,15 @@ optional_policy(` ') optional_policy(` @@ -143163,7 +143147,7 @@ index a5ec88b..99fd5da 100644 unconfined_signal(udev_t) ') -@@ -290,6 +331,7 @@ optional_policy(` +@@ -290,6 +327,7 @@ optional_policy(` kernel_read_xen_state(udev_t) xen_manage_log(udev_t) xen_read_image_files(udev_t) @@ -148034,7 +148018,7 @@ index 3c5dba7..81b2173 100644 + filetrans_pattern($1, user_tmpfs_t, $2, $3, $4) +') diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te -index e2b538b..d4d6ea9 100644 +index e2b538b..069a8ea 100644 --- a/policy/modules/system/userdomain.te +++ b/policy/modules/system/userdomain.te @@ -7,48 +7,42 @@ policy_module(userdomain, 4.8.5) @@ -148120,7 +148104,7 @@ index e2b538b..d4d6ea9 100644 type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t }; fs_associate_tmpfs(user_home_dir_t) files_type(user_home_dir_t) -@@ -70,26 +80,124 @@ ubac_constrained(user_home_dir_t) +@@ -70,26 +80,123 @@ ubac_constrained(user_home_dir_t) type user_home_t alias { staff_home_t sysadm_home_t secadm_home_t auditadm_home_t unconfined_home_t }; typealias user_home_t alias { staff_untrusted_content_t sysadm_untrusted_content_t secadm_untrusted_content_t auditadm_untrusted_content_t unconfined_untrusted_content_t }; 
@@ -148243,7 +148227,6 @@ index e2b538b..d4d6ea9 100644 +tunable_policy(`use_ecryptfs_home_dirs',` + fs_manage_ecryptfs_dirs(userdom_home_manager_type) + fs_manage_ecryptfs_files(userdom_home_manager_type) -+ fs_manage_ecryptfs_files(userdom_home_manager_type) +') +# vi /etc/mtab can cause an avc trying to relabel to self. +dontaudit userdomain self:file relabelto; diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index fe538c6b..6515ad85 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -1,8 +1,8 @@ diff --git a/abrt.fc b/abrt.fc -index e4f84de..ad5baf5 100644 +index e4f84de..94697ea 100644 --- a/abrt.fc +++ b/abrt.fc -@@ -1,30 +1,37 @@ +@@ -1,30 +1,38 @@ -/etc/abrt(/.*)? gen_context(system_u:object_r:abrt_etc_t,s0) -/etc/rc\.d/init\.d/abrt -- gen_context(system_u:object_r:abrt_initrc_exec_t,s0) +/etc/abrt(/.*)? gen_context(system_u:object_r:abrt_etc_t,s0) @@ -42,6 +42,7 @@ index e4f84de..ad5baf5 100644 -/var/cache/abrt-retrace(/.*)? gen_context(system_u:object_r:abrt_retrace_cache_t,s0) -/var/cache/retrace-server(/.*)? gen_context(system_u:object_r:abrt_retrace_cache_t,s0) +/var/spool/abrt(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0) ++/var/tmp/abrt(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0) -/var/log/abrt-logger.* -- gen_context(system_u:object_r:abrt_var_log_t,s0) +# ABRT retrace server @@ -489,7 +490,7 @@ index 058d908..cce58bb 100644 + dontaudit $1 abrt_t:sock_file write; ') diff --git a/abrt.te b/abrt.te -index cc43d25..db88fca 100644 +index cc43d25..23e8575 100644 --- a/abrt.te +++ b/abrt.te @@ -1,4 +1,4 @@ @@ -498,7 +499,7 @@ index cc43d25..db88fca 100644 ######################################## # -@@ -6,129 +6,141 @@ policy_module(abrt, 1.3.4) +@@ -6,129 +6,143 @@ policy_module(abrt, 1.3.4) # ## 
@@ -558,6 +559,7 @@ index cc43d25..db88fca 100644 +# var/cache files type abrt_var_cache_t; files_type(abrt_var_cache_t) ++files_tmp_file(abrt_var_cache_t) +# pid files type abrt_var_run_t; @@ -670,6 +672,7 @@ index cc43d25..db88fca 100644 manage_lnk_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t) files_var_filetrans(abrt_t, abrt_var_cache_t, { file dir }) files_spool_filetrans(abrt_t, abrt_var_cache_t, dir) ++files_tmp_filetrans(abrt_t, abrt_var_cache_t, dir, "abrt") +# abrt pid files manage_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t) @@ -686,7 +689,7 @@ index cc43d25..db88fca 100644 kernel_request_load_module(abrt_t) kernel_rw_kernel_sysctl(abrt_t) -@@ -137,16 +149,14 @@ corecmd_exec_shell(abrt_t) +@@ -137,16 +151,14 @@ corecmd_exec_shell(abrt_t) corecmd_read_all_executables(abrt_t) corenet_all_recvfrom_netlabel(abrt_t) @@ -705,7 +708,7 @@ index cc43d25..db88fca 100644 dev_getattr_all_chr_files(abrt_t) dev_getattr_all_blk_files(abrt_t) -@@ -163,29 +173,34 @@ files_getattr_all_files(abrt_t) +@@ -163,29 +175,34 @@ files_getattr_all_files(abrt_t) files_read_config_files(abrt_t) files_read_etc_runtime_files(abrt_t) files_read_var_symlinks(abrt_t) @@ -744,7 +747,7 @@ index cc43d25..db88fca 100644 tunable_policy(`abrt_anon_write',` miscfiles_manage_public_files(abrt_t) -@@ -193,15 +208,11 @@ tunable_policy(`abrt_anon_write',` +@@ -193,15 +210,11 @@ tunable_policy(`abrt_anon_write',` optional_policy(` apache_list_modules(abrt_t) @@ -761,7 +764,7 @@ index cc43d25..db88fca 100644 ') optional_policy(` -@@ -209,6 +220,12 @@ optional_policy(` +@@ -209,6 +222,12 @@ optional_policy(` ') optional_policy(` @@ -774,7 +777,7 @@ index cc43d25..db88fca 100644 policykit_domtrans_auth(abrt_t) policykit_read_lib(abrt_t) policykit_read_reload(abrt_t) -@@ -220,6 +237,7 @@ optional_policy(` +@@ -220,6 +239,7 @@ optional_policy(` corecmd_exec_all_executables(abrt_t) ') 
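Review bot: `files_tmp_file(abrt_var_cache_t)` in the `@@ -558,6 +559,7 @@` hunk places a type that also labels /var/spool/abrt (per the abrt.fc hunk above) and the var/cache content onto the tmpfile attribute, so every domain granted blanket tmp-file access (callers of `files_purge_tmp()`, for instance) presumably gains that access to abrt crash data outside /var/tmp. If the goal is only the named transition for /var/tmp/abrt, the `files_tmp_filetrans(abrt_t, abrt_var_cache_t, dir, "abrt")` rule in the `@@ -670,6 +672,7 @@` hunk does not appear to depend on the attribute, and a dedicated type for that path (a constructed name such as `abrt_tmp_t`, if none exists yet) would keep cache and spool data out of the tmpfile class; the same transition is repeated for abrt_helper_t and abrt_dump_oops_t in later hunks. At minimum a comment above the rule should say why cache data is deliberately treated as tmp content, e.g. `# /var/tmp/abrt shares the cache type; tmp cleaners may remove it`.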
@@ -782,7 +785,7 @@ index cc43d25..db88fca 100644 optional_policy(` rpm_exec(abrt_t) rpm_dontaudit_manage_db(abrt_t) -@@ -230,6 +248,7 @@ optional_policy(` +@@ -230,6 +250,7 @@ optional_policy(` rpm_signull(abrt_t) ') @@ -790,7 +793,7 @@ index cc43d25..db88fca 100644 optional_policy(` sendmail_domtrans(abrt_t) ') -@@ -240,9 +259,17 @@ optional_policy(` +@@ -240,9 +261,17 @@ optional_policy(` sosreport_delete_tmp_files(abrt_t) ') @@ -809,7 +812,7 @@ index cc43d25..db88fca 100644 # allow abrt_handle_event_t self:fifo_file rw_fifo_file_perms; -@@ -253,9 +280,13 @@ tunable_policy(`abrt_handle_event',` +@@ -253,9 +282,13 @@ tunable_policy(`abrt_handle_event',` can_exec(abrt_t, abrt_handle_event_exec_t) ') @@ -824,7 +827,15 @@ index cc43d25..db88fca 100644 # allow abrt_helper_t self:capability { chown setgid sys_nice }; -@@ -276,15 +307,20 @@ corecmd_read_all_executables(abrt_helper_t) +@@ -268,6 +301,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) + manage_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) + manage_lnk_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) + files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir }) ++files_tmp_filetrans(abrt_helper_t, abrt_var_cache_t, dir, "abrt") + + read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t) + read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t) +@@ -276,15 +310,20 @@ corecmd_read_all_executables(abrt_helper_t) domain_read_all_domains_state(abrt_helper_t) @@ -845,7 +856,7 @@ index cc43d25..db88fca 100644 userdom_dontaudit_read_user_home_content_files(abrt_helper_t) userdom_dontaudit_read_user_tmp_files(abrt_helper_t) dev_dontaudit_read_all_blk_files(abrt_helper_t) -@@ -292,11 +328,25 @@ ifdef(`hide_broken_symptoms',` +@@ -292,11 +331,25 @@ ifdef(`hide_broken_symptoms',` dev_dontaudit_write_all_chr_files(abrt_helper_t) dev_dontaudit_write_all_blk_files(abrt_helper_t) fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t) 
@@ -872,7 +883,7 @@ index cc43d25..db88fca 100644 # allow abrt_retrace_coredump_t self:fifo_file rw_fifo_file_perms; -@@ -314,10 +364,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t) +@@ -314,10 +367,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t) dev_read_urand(abrt_retrace_coredump_t) @@ -886,7 +897,7 @@ index cc43d25..db88fca 100644 optional_policy(` rpm_exec(abrt_retrace_coredump_t) rpm_dontaudit_manage_db(abrt_retrace_coredump_t) -@@ -330,10 +382,11 @@ optional_policy(` +@@ -330,10 +385,11 @@ optional_policy(` ####################################### # @@ -900,7 +911,7 @@ index cc43d25..db88fca 100644 allow abrt_retrace_worker_t self:fifo_file rw_fifo_file_perms; domtrans_pattern(abrt_retrace_worker_t, abrt_retrace_coredump_exec_t, abrt_retrace_coredump_t) -@@ -352,18 +405,23 @@ corecmd_exec_shell(abrt_retrace_worker_t) +@@ -352,30 +408,37 @@ corecmd_exec_shell(abrt_retrace_worker_t) dev_read_urand(abrt_retrace_worker_t) @@ -927,7 +938,13 @@ index cc43d25..db88fca 100644 files_search_spool(abrt_dump_oops_t) manage_dirs_pattern(abrt_dump_oops_t, abrt_var_cache_t, abrt_var_cache_t) -@@ -376,6 +434,7 @@ read_lnk_files_pattern(abrt_dump_oops_t, abrt_var_run_t, abrt_var_run_t) + manage_files_pattern(abrt_dump_oops_t, abrt_var_cache_t, abrt_var_cache_t) + manage_lnk_files_pattern(abrt_dump_oops_t, abrt_var_cache_t, abrt_var_cache_t) + files_var_filetrans(abrt_dump_oops_t, abrt_var_cache_t, { file dir }) ++files_tmp_filetrans(abrt_dump_oops_t, abrt_var_cache_t, dir, "abrt") + + read_files_pattern(abrt_dump_oops_t, abrt_var_run_t, abrt_var_run_t) + read_lnk_files_pattern(abrt_dump_oops_t, abrt_var_run_t, abrt_var_run_t) read_files_pattern(abrt_dump_oops_t, abrt_etc_t, abrt_etc_t) 
@@ -935,7 +952,7 @@ index cc43d25..db88fca 100644 kernel_read_kernel_sysctls(abrt_dump_oops_t) kernel_read_ring_buffer(abrt_dump_oops_t) -@@ -384,14 +443,15 @@ domain_use_interactive_fds(abrt_dump_oops_t) +@@ -384,14 +447,15 @@ domain_use_interactive_fds(abrt_dump_oops_t) fs_list_inotifyfs(abrt_dump_oops_t) logging_read_generic_logs(abrt_dump_oops_t) @@ -953,7 +970,7 @@ index cc43d25..db88fca 100644 read_files_pattern(abrt_watch_log_t, abrt_etc_t, abrt_etc_t) -@@ -400,16 +460,14 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t) +@@ -400,16 +464,14 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t) corecmd_exec_bin(abrt_watch_log_t) logging_read_all_logs(abrt_watch_log_t) @@ -1047,7 +1064,7 @@ index bd5ec9a..a5ed692 100644 + allow $1 accountsd_unit_file_t:service all_service_perms; ') diff --git a/accountsd.te b/accountsd.te -index 313b33f..783d3df 100644 +index 313b33f..f9d3343 100644 --- a/accountsd.te +++ b/accountsd.te @@ -4,6 +4,10 @@ gen_require(` @@ -1078,15 +1095,7 @@ index 313b33f..783d3df 100644 ######################################## # # Local policy -@@ -30,6 +38,7 @@ manage_dirs_pattern(accountsd_t, accountsd_var_lib_t, accountsd_var_lib_t) - manage_files_pattern(accountsd_t, accountsd_var_lib_t, accountsd_var_lib_t) - files_var_lib_filetrans(accountsd_t, accountsd_var_lib_t, dir) - -+kernel_read_system_state(accountsd_t) - kernel_read_kernel_sysctls(accountsd_t) - kernel_read_system_state(accountsd_t) - -@@ -38,17 +47,18 @@ corecmd_exec_bin(accountsd_t) +@@ -38,7 +46,6 @@ corecmd_exec_bin(accountsd_t) dev_read_sysfs(accountsd_t) files_read_mnt_files(accountsd_t) 
@@ -1094,32 +1103,25 @@ index 313b33f..783d3df 100644 fs_getattr_xattr_fs(accountsd_t) fs_list_inotifyfs(accountsd_t) -+fs_getattr_xattr_fs(accountsd_t) - fs_read_noxattr_fs_files(accountsd_t) - - auth_use_nsswitch(accountsd_t) +@@ -48,7 +55,7 @@ auth_use_nsswitch(accountsd_t) auth_read_login_records(accountsd_t) auth_read_shadow(accountsd_t) -+auth_read_login_records(accountsd_t) -miscfiles_read_localization(accountsd_t) +init_dbus_chat(accountsd_t) logging_send_syslog_msg(accountsd_t) logging_set_loginuid(accountsd_t) -@@ -62,6 +72,11 @@ usermanage_domtrans_passwd(accountsd_t) - optional_policy(` - consolekit_dbus_chat(accountsd_t) - consolekit_read_log(accountsd_t) -+ consolekit_dbus_chat(accountsd_t) -+') -+ -+optional_policy(` -+ dbus_system_domain(accountsd_t, accountsd_exec_t) +@@ -65,9 +72,16 @@ optional_policy(` ') optional_policy(` -@@ -70,4 +85,7 @@ optional_policy(` ++ dbus_system_domain(accountsd_t, accountsd_exec_t) ++') ++ ++optional_policy(` + policykit_dbus_chat(accountsd_t) + ') optional_policy(` xserver_read_xdm_tmp_files(accountsd_t) @@ -1172,24 +1174,32 @@ index 81280d0..bc4038b 100644 domain_system_change_exemption($1) role_transition $2 acct_initrc_exec_t system_r; diff --git a/acct.te b/acct.te -index 1a1c91a..7a449cc 100644 +index 1a1c91a..d538827 100644 --- a/acct.te 
+++ b/acct.te -@@ -53,14 +53,15 @@ files_list_usr(acct_t) +@@ -40,8 +40,6 @@ corecmd_exec_shell(acct_t) + dev_read_sysfs(acct_t) + dev_read_urand(acct_t) + +-domain_use_interactive_fds(acct_t) +- + fs_search_auto_mountpoints(acct_t) + fs_getattr_xattr_fs(acct_t) + +@@ -49,7 +47,6 @@ term_dontaudit_use_console(acct_t) + term_dontaudit_use_generic_ptys(acct_t) + + files_read_etc_runtime_files(acct_t) +-files_list_usr(acct_t) auth_use_nsswitch(acct_t) -+auth_use_nsswitch(acct_t) -+ - init_use_fds(acct_t) - init_use_script_ptys(acct_t) - init_exec_script_files(acct_t) +@@ -59,8 +56,6 @@ init_exec_script_files(acct_t) logging_send_syslog_msg(acct_t) -miscfiles_read_localization(acct_t) - -+userdom_dontaudit_use_unpriv_user_fds(acct_t) userdom_dontaudit_search_user_home_dirs(acct_t) userdom_dontaudit_use_unpriv_user_fds(acct_t) @@ -1226,7 +1236,7 @@ index 3b41be6..0b18812 100644 afs_initrc_domtrans($1) domain_system_change_exemption($1) diff --git a/afs.te b/afs.te -index 6690cdf..ff1c351 100644 +index 6690cdf..baf390f 100644 --- a/afs.te +++ b/afs.te @@ -83,8 +83,16 @@ files_var_filetrans(afs_t, afs_cache_t, { file dir }) 
@@ -1276,17 +1286,24 @@ index 6690cdf..ff1c351 100644 seutil_read_config(afs_bosserver_t) -@@ -179,6 +191,9 @@ corenet_tcp_sendrecv_generic_if(afs_fsserver_t) +@@ -175,12 +187,14 @@ kernel_read_kernel_sysctls(afs_fsserver_t) + + corenet_all_recvfrom_unlabeled(afs_fsserver_t) + corenet_all_recvfrom_netlabel(afs_fsserver_t) ++corenet_tcp_bind_generic_node(afs_fsserver_t) ++corenet_udp_bind_generic_node(afs_fsserver_t) + corenet_tcp_sendrecv_generic_if(afs_fsserver_t) corenet_udp_sendrecv_generic_if(afs_fsserver_t) corenet_tcp_sendrecv_generic_node(afs_fsserver_t) corenet_udp_sendrecv_generic_node(afs_fsserver_t) +-corenet_tcp_bind_generic_node(afs_fsserver_t) +-corenet_udp_bind_generic_node(afs_fsserver_t) +corenet_tcp_sendrecv_all_ports(afs_fsserver_t) +corenet_udp_sendrecv_all_ports(afs_fsserver_t) -+corenet_all_recvfrom_netlabel(afs_fsserver_t) - corenet_tcp_bind_generic_node(afs_fsserver_t) - corenet_udp_bind_generic_node(afs_fsserver_t) -@@ -190,7 +205,6 @@ corenet_udp_sendrecv_afs_fs_port(afs_fsserver_t) + corenet_sendrecv_afs_fs_server_packets(afs_fsserver_t) + corenet_tcp_bind_afs_fs_port(afs_fsserver_t) +@@ -190,7 +204,6 @@ corenet_udp_sendrecv_afs_fs_port(afs_fsserver_t) files_read_etc_runtime_files(afs_fsserver_t) files_list_home(afs_fsserver_t) @@ -1294,7 +1311,7 @@ index 6690cdf..ff1c351 100644 files_list_pids(afs_fsserver_t) files_dontaudit_search_mnt(afs_fsserver_t) -@@ -224,7 +238,6 @@ manage_files_pattern(afs_kaserver_t, afs_logfile_t, afs_logfile_t) +@@ -224,7 +237,6 @@ manage_files_pattern(afs_kaserver_t, afs_logfile_t, afs_logfile_t) kernel_read_kernel_sysctls(afs_kaserver_t) 
@@ -1302,7 +1319,7 @@ index 6690cdf..ff1c351 100644 corenet_all_recvfrom_netlabel(afs_kaserver_t) corenet_udp_sendrecv_generic_if(afs_kaserver_t) corenet_udp_sendrecv_generic_node(afs_kaserver_t) -@@ -239,7 +252,6 @@ corenet_udp_bind_kerberos_port(afs_kaserver_t) +@@ -239,7 +251,6 @@ corenet_udp_bind_kerberos_port(afs_kaserver_t) corenet_udp_sendrecv_kerberos_port(afs_kaserver_t) files_list_home(afs_kaserver_t) @@ -1310,7 +1327,7 @@ index 6690cdf..ff1c351 100644 seutil_read_config(afs_kaserver_t) -@@ -262,7 +274,6 @@ manage_files_pattern(afs_ptserver_t, afs_logfile_t, afs_logfile_t) +@@ -262,7 +273,6 @@ manage_files_pattern(afs_ptserver_t, afs_logfile_t, afs_logfile_t) manage_files_pattern(afs_ptserver_t, afs_dbdir_t, afs_pt_db_t) filetrans_pattern(afs_ptserver_t, afs_dbdir_t, afs_pt_db_t, file) @@ -1318,7 +1335,7 @@ index 6690cdf..ff1c351 100644 corenet_all_recvfrom_netlabel(afs_ptserver_t) corenet_tcp_sendrecv_generic_if(afs_ptserver_t) corenet_udp_sendrecv_generic_if(afs_ptserver_t) -@@ -274,6 +285,8 @@ corenet_udp_bind_generic_node(afs_ptserver_t) +@@ -274,6 +284,8 @@ corenet_udp_bind_generic_node(afs_ptserver_t) corenet_udp_bind_afs_pt_port(afs_ptserver_t) corenet_sendrecv_afs_pt_server_packets(afs_ptserver_t) @@ -1327,7 +1344,7 @@ index 6690cdf..ff1c351 100644 userdom_dontaudit_use_user_terminals(afs_ptserver_t) ######################################## -@@ -293,7 +306,6 @@ manage_files_pattern(afs_vlserver_t, afs_logfile_t, afs_logfile_t) +@@ -293,7 +305,6 @@ manage_files_pattern(afs_vlserver_t, afs_logfile_t, afs_logfile_t) manage_files_pattern(afs_vlserver_t, afs_dbdir_t, afs_vl_db_t) filetrans_pattern(afs_vlserver_t, afs_dbdir_t, afs_vl_db_t, file) 
@@ -1335,7 +1352,7 @@ index 6690cdf..ff1c351 100644 corenet_all_recvfrom_netlabel(afs_vlserver_t) corenet_tcp_sendrecv_generic_if(afs_vlserver_t) corenet_udp_sendrecv_generic_if(afs_vlserver_t) -@@ -314,8 +326,4 @@ userdom_dontaudit_use_user_terminals(afs_vlserver_t) +@@ -314,8 +325,4 @@ userdom_dontaudit_use_user_terminals(afs_vlserver_t) allow afs_domain self:udp_socket create_socket_perms; @@ -1409,7 +1426,7 @@ index 01cbb67..94a4a24 100644 files_list_etc($1) diff --git a/aide.te b/aide.te -index 4b28ab3..2cc5904 100644 +index 4b28ab3..cf64a9a 100644 --- a/aide.te +++ b/aide.te @@ -10,6 +10,7 @@ attribute_role aide_roles; @@ -1420,15 +1437,12 @@ index 4b28ab3..2cc5904 100644 role aide_roles types aide_t; type aide_log_t; -@@ -33,12 +34,19 @@ setattr_files_pattern(aide_t, aide_log_t, aide_log_t) - logging_log_filetrans(aide_t, aide_log_t, file) +@@ -34,11 +35,16 @@ logging_log_filetrans(aide_t, aide_log_t, file) files_read_all_files(aide_t) -+files_read_boot_symlinks(aide_t) files_read_all_symlinks(aide_t) +files_getattr_all_pipes(aide_t) +files_getattr_all_sockets(aide_t) -+files_read_all_symlinks(aide_t) + +mls_file_read_to_clearance(aide_t) +mls_file_write_to_clearance(aide_t) @@ -1762,7 +1776,7 @@ index 708b743..a482fed 100644 + ps_process_pattern($1, alsa_t) +') diff --git a/alsa.te b/alsa.te -index cda6d20..1986c26 100644 +index cda6d20..f19402e 100644 --- a/alsa.te +++ b/alsa.te @@ -24,6 +24,9 @@ files_type(alsa_var_lib_t) @@ -1775,17 +1789,15 @@ index cda6d20..1986c26 100644 ######################################## # # Local policy -@@ -59,7 +62,8 @@ dev_read_sound(alsa_t) +@@ -59,7 +62,6 @@ dev_read_sound(alsa_t) dev_read_sysfs(alsa_t) dev_write_sound(alsa_t) -files_read_usr_files(alsa_t) -+corecmd_exec_bin(alsa_t) -+ files_search_var_lib(alsa_t) term_dontaudit_use_console(alsa_t) -@@ -72,8 +76,6 @@ init_use_fds(alsa_t) +@@ -72,8 +74,6 @@ init_use_fds(alsa_t) logging_send_syslog_msg(alsa_t) 
@@ -1795,7 +1807,7 @@ index cda6d20..1986c26 100644 userdom_manage_unpriv_user_shared_mem(alsa_t) userdom_search_user_home_dirs(alsa_t) diff --git a/amanda.te b/amanda.te -index ed45974..ebba0d8 100644 +index ed45974..b09436e 100644 --- a/amanda.te +++ b/amanda.te @@ -60,7 +60,7 @@ optional_policy(` @@ -1831,12 +1843,17 @@ index ed45974..ebba0d8 100644 corenet_all_recvfrom_netlabel(amanda_recover_t) corenet_tcp_sendrecv_generic_if(amanda_recover_t) corenet_udp_sendrecv_generic_if(amanda_recover_t) -@@ -200,7 +199,11 @@ fstools_signal(amanda_t) +@@ -195,12 +194,12 @@ files_search_tmp(amanda_recover_t) + auth_use_nsswitch(amanda_recover_t) + +-fstools_domtrans(amanda_t) +-fstools_signal(amanda_t) +- logging_search_logs(amanda_recover_t) -miscfiles_read_localization(amanda_recover_t) - +- -userdom_use_user_terminals(amanda_recover_t) +userdom_use_inherited_user_terminals(amanda_recover_t) userdom_search_user_home_content(amanda_recover_t) @@ -1913,7 +1930,7 @@ index 60d4f8c..18ef077 100644 domain_system_change_exemption($1) role_transition $2 amavis_initrc_exec_t system_r; diff --git a/amavis.te b/amavis.te -index ab55ba7..f493d2a 100644 +index ab55ba7..a95b541 100644 --- a/amavis.te +++ b/amavis.te @@ -39,7 +39,7 @@ type amavis_quarantine_t; @@ -1947,7 +1964,7 @@ index ab55ba7..f493d2a 100644 corenet_all_recvfrom_netlabel(amavis_t) corenet_tcp_sendrecv_generic_if(amavis_t) corenet_udp_sendrecv_generic_if(amavis_t) -@@ -118,16 +120,17 @@ corenet_dontaudit_udp_bind_all_ports(amavis_t) +@@ -118,6 +120,7 @@ corenet_dontaudit_udp_bind_all_ports(amavis_t) corenet_sendrecv_razor_client_packets(amavis_t) corenet_tcp_connect_razor_port(amavis_t) 
@@ -1955,10 +1972,7 @@ index ab55ba7..f493d2a 100644 dev_read_rand(amavis_t) dev_read_sysfs(amavis_t) - dev_read_urand(amavis_t) -+dev_read_sysfs(amavis_t) - - domain_use_interactive_fds(amavis_t) +@@ -127,7 +130,6 @@ domain_use_interactive_fds(amavis_t) domain_dontaudit_read_all_domains_state(amavis_t) files_read_etc_runtime_files(amavis_t) @@ -1966,7 +1980,7 @@ index ab55ba7..f493d2a 100644 files_search_spool(amavis_t) fs_getattr_xattr_fs(amavis_t) -@@ -141,14 +144,20 @@ init_stream_connect_script(amavis_t) +@@ -141,14 +143,20 @@ init_stream_connect_script(amavis_t) logging_send_syslog_msg(amavis_t) @@ -1990,7 +2004,7 @@ index ab55ba7..f493d2a 100644 ') optional_policy(` -@@ -173,6 +182,10 @@ optional_policy(` +@@ -173,6 +181,10 @@ optional_policy(` ') optional_policy(` @@ -3743,7 +3757,7 @@ index 83e899c..7b2ad39 100644 + filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess") ') diff --git a/apache.te b/apache.te -index 1a82e29..bcdad77 100644 +index 1a82e29..93b55a0 100644 --- a/apache.te +++ b/apache.te @@ -1,297 +1,353 @@ @@ -4262,7 +4276,7 @@ index 1a82e29..bcdad77 100644 type httpd_suexec_exec_t; domain_type(httpd_suexec_t) domain_entry_file(httpd_suexec_t, httpd_suexec_exec_t) -@@ -311,9 +365,23 @@ role system_r types httpd_suexec_t; +@@ -311,9 +365,19 @@ role system_r types httpd_suexec_t; type httpd_suexec_tmp_t; files_tmp_file(httpd_suexec_tmp_t) @@ -4271,10 +4285,6 @@ index 1a82e29..bcdad77 100644 -corecmd_shell_entry_type(httpd_sys_script_t) -typealias httpd_sys_content_t alias ntop_http_content_t; + -+optional_policy(` -+ postgresql_unpriv_client(httpd_sys_script_t) -+') -+ +typeattribute httpd_sys_content_t httpdcontent; # customizable +typeattribute httpd_sys_rw_content_t httpdcontent; # customizable +typeattribute httpd_sys_ra_content_t httpdcontent; # customizable 
@@ -4288,7 +4298,7 @@ index 1a82e29..bcdad77 100644 type httpd_tmp_t; files_tmp_file(httpd_tmp_t) -@@ -323,12 +391,19 @@ files_tmpfs_file(httpd_tmpfs_t) +@@ -323,12 +387,19 @@ files_tmpfs_file(httpd_tmpfs_t) apache_content_template(user) ubac_constrained(httpd_user_script_t) @@ -4308,7 +4318,7 @@ index 1a82e29..bcdad77 100644 typealias httpd_user_content_t alias { httpd_auditadm_content_t httpd_secadm_content_t }; typealias httpd_user_content_t alias { httpd_staff_script_ro_t httpd_sysadm_script_ro_t }; typealias httpd_user_content_t alias { httpd_auditadm_script_ro_t httpd_secadm_script_ro_t }; -@@ -343,33 +418,40 @@ typealias httpd_user_rw_content_t alias { httpd_auditadm_script_rw_t httpd_secad +@@ -343,33 +414,40 @@ typealias httpd_user_rw_content_t alias { httpd_auditadm_script_rw_t httpd_secad typealias httpd_user_ra_content_t alias { httpd_staff_script_ra_t httpd_sysadm_script_ra_t }; typealias httpd_user_ra_content_t alias { httpd_auditadm_script_ra_t httpd_secadm_script_ra_t }; @@ -4359,7 +4369,7 @@ index 1a82e29..bcdad77 100644 allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow httpd_t self:fd use; allow httpd_t self:sock_file read_sock_file_perms; -@@ -378,28 +460,36 @@ allow httpd_t self:shm create_shm_perms; +@@ -378,28 +456,36 @@ allow httpd_t self:shm create_shm_perms; allow httpd_t self:sem create_sem_perms; allow httpd_t self:msgq create_msgq_perms; allow httpd_t self:msg { send receive }; @@ -4401,7 +4411,7 @@ index 1a82e29..bcdad77 100644 logging_log_filetrans(httpd_t, httpd_log_t, file) allow httpd_t httpd_modules_t:dir list_dir_perms; -@@ -407,6 +497,8 @@ mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t) +@@ -407,6 +493,8 @@ mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t) read_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t) read_lnk_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t) 
@@ -4410,7 +4420,7 @@ index 1a82e29..bcdad77 100644 allow httpd_t httpd_rotatelogs_t:process signal_perms; manage_dirs_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t) -@@ -415,6 +507,10 @@ manage_lnk_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t) +@@ -415,6 +503,10 @@ manage_lnk_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t) allow httpd_t httpd_suexec_exec_t:file read_file_perms; @@ -4421,7 +4431,7 @@ index 1a82e29..bcdad77 100644 allow httpd_t httpd_sys_script_t:unix_stream_socket connectto; manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) -@@ -445,140 +541,162 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) +@@ -445,140 +537,162 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) manage_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) @@ -4649,7 +4659,7 @@ index 1a82e29..bcdad77 100644 ') tunable_policy(`httpd_enable_cgi && httpd_use_nfs',` -@@ -589,28 +707,46 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` +@@ -589,28 +703,46 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` fs_cifs_domtrans(httpd_t, httpd_sys_script_t) ') @@ -4705,7 +4715,7 @@ index 1a82e29..bcdad77 100644 ') tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` -@@ -619,68 +755,38 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` +@@ -619,68 +751,38 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` fs_read_nfs_symlinks(httpd_t) ') @@ -4790,7 +4800,7 @@ index 1a82e29..bcdad77 100644 ') tunable_policy(`httpd_setrlimit',` -@@ -690,49 +796,29 @@ tunable_policy(`httpd_setrlimit',` +@@ -690,49 +792,29 @@ tunable_policy(`httpd_setrlimit',` tunable_policy(`httpd_ssi_exec',` corecmd_shell_domtrans(httpd_t, httpd_sys_script_t) 
@@ -4856,7 +4866,7 @@ index 1a82e29..bcdad77 100644 ') optional_policy(` -@@ -744,12 +830,10 @@ optional_policy(` +@@ -744,12 +826,10 @@ optional_policy(` ') optional_policy(` @@ -4871,13 +4881,12 @@ index 1a82e29..bcdad77 100644 ') optional_policy(` -@@ -765,6 +849,24 @@ optional_policy(` +@@ -765,6 +845,23 @@ optional_policy(` ') optional_policy(` -+ # needed by FreeIPA ++ #needed by FreeIPA + dirsrv_stream_connect(httpd_t) -+ ldap_stream_connect(httpd_t) +') + +optional_policy(` @@ -4896,7 +4905,7 @@ index 1a82e29..bcdad77 100644 dbus_system_bus_client(httpd_t) tunable_policy(`httpd_dbus_avahi',` -@@ -781,34 +883,42 @@ optional_policy(` +@@ -781,34 +878,42 @@ optional_policy(` ') optional_policy(` @@ -4950,10 +4959,14 @@ index 1a82e29..bcdad77 100644 tunable_policy(`httpd_manage_ipa',` memcached_manage_pid_files(httpd_t) -@@ -816,8 +926,10 @@ optional_policy(` +@@ -816,8 +921,14 @@ optional_policy(` ') optional_policy(` ++ munin_read_config(httpd_t) ++') ++ ++optional_policy(` + # Allow httpd to work with mysql mysql_read_config(httpd_t) mysql_stream_connect(httpd_t) @@ -4961,7 +4974,7 @@ index 1a82e29..bcdad77 100644 tunable_policy(`httpd_can_network_connect_db',` mysql_tcp_connect(httpd_t) -@@ -826,6 +938,7 @@ optional_policy(` +@@ -826,6 +937,7 @@ optional_policy(` optional_policy(` nagios_read_config(httpd_t) @@ -4969,7 +4982,7 @@ index 1a82e29..bcdad77 100644 ') optional_policy(` -@@ -836,20 +949,35 @@ optional_policy(` +@@ -836,20 +948,34 @@ optional_policy(` ') optional_policy(` 
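Review bot: `#needed by FreeIPA` in the httpd_t dirsrv block loses the space after `#` that the neighbouring comments keep (`# Allow httpd to work with mysql` a few lines down in the same hunk, and the matching bind.te block later in this diff reads `# needed by FreeIPA with DNS support`); restore `# needed by FreeIPA`. The same block also drops `ldap_stream_connect(httpd_t)`, and the bind.te block drops `ldap_stream_connect(named_t)` the same way. If the directory server's socket is always labelled by the dirsrv module this is the tighter rule, but if a generic ldap-labelled socket can still be reached the connection would be denied and only show up as an AVC at run time, so a word in that comment on why dirsrv alone suffices would help the next reader.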
@@ -4991,19 +5004,18 @@ index 1a82e29..bcdad77 100644 - ') +optional_policy(` + pcscd_read_pub_files(httpd_t) ++') ++ ++optional_policy(` ++ pki_apache_domain_signal(httpd_t) ++ pki_manage_apache_config_files(httpd_t) ++ pki_manage_apache_lib(httpd_t) ++ pki_manage_apache_log_files(httpd_t) ++ pki_manage_apache_run(httpd_t) ') optional_policy(` - puppet_read_lib_files(httpd_t) -+ pki_apache_domain_signal(httpd_t) -+ pki_apache_domain_signal(httpd_t) -+ pki_manage_apache_run(httpd_t) -+ pki_manage_apache_config_files(httpd_t) -+ pki_manage_apache_log_files(httpd_t) -+ pki_manage_apache_lib(httpd_t) -+') -+ -+optional_policy(` + puppet_read_lib(httpd_t) +') + @@ -5012,7 +5024,7 @@ index 1a82e29..bcdad77 100644 ') optional_policy(` -@@ -857,6 +985,16 @@ optional_policy(` +@@ -857,6 +983,16 @@ optional_policy(` ') optional_policy(` @@ -5029,7 +5041,7 @@ index 1a82e29..bcdad77 100644 seutil_sigchld_newrole(httpd_t) ') -@@ -865,6 +1003,7 @@ optional_policy(` +@@ -865,6 +1001,7 @@ optional_policy(` ') optional_policy(` @@ -5037,7 +5049,7 @@ index 1a82e29..bcdad77 100644 snmp_dontaudit_read_snmp_var_lib_files(httpd_t) snmp_dontaudit_write_snmp_var_lib_files(httpd_t) ') -@@ -877,65 +1016,168 @@ optional_policy(` +@@ -877,65 +1014,166 @@ optional_policy(` yam_read_content(httpd_t) ') @@ -5066,8 +5078,6 @@ index 1a82e29..bcdad77 100644 -logging_search_logs(httpd_helper_t) logging_send_syslog_msg(httpd_helper_t) -+userdom_use_inherited_user_terminals(httpd_helper_t) -+ +tunable_policy(`httpd_verify_dns',` + corenet_udp_bind_all_ephemeral_ports(httpd_t) +') @@ -5105,10 +5115,11 @@ index 1a82e29..bcdad77 100644 -',` - userdom_dontaudit_use_user_terminals(httpd_helper_t) + userdom_use_inherited_user_terminals(httpd_helper_t) -+') -+ -+######################################## -+# + ') + + ######################################## + # +-# Suexec local policy +# Apache PHP script local policy +# + 
@@ -5167,11 +5178,10 @@ index 1a82e29..bcdad77 100644 + tunable_policy(`httpd_can_network_connect_db',` + postgresql_tcp_connect(httpd_php_t) + ') - ') - - ######################################## - # --# Suexec local policy ++') ++ ++######################################## ++# +# Apache suexec local policy # @@ -5228,7 +5238,7 @@ index 1a82e29..bcdad77 100644 files_dontaudit_search_pids(httpd_suexec_t) files_search_home(httpd_suexec_t) -@@ -944,123 +1186,74 @@ auth_use_nsswitch(httpd_suexec_t) +@@ -944,123 +1182,74 @@ auth_use_nsswitch(httpd_suexec_t) logging_search_logs(httpd_suexec_t) logging_send_syslog_msg(httpd_suexec_t) @@ -5383,7 +5393,7 @@ index 1a82e29..bcdad77 100644 mysql_read_config(httpd_suexec_t) tunable_policy(`httpd_can_network_connect_db',` -@@ -1077,172 +1270,103 @@ optional_policy(` +@@ -1077,172 +1266,103 @@ optional_policy(` ') ') @@ -5549,12 +5559,12 @@ index 1a82e29..bcdad77 100644 -# - -allow httpd_sys_script_t self:tcp_socket { accept listen }; -- ++corenet_all_recvfrom_netlabel(httpd_sys_script_t) + -allow httpd_sys_script_t httpd_t:tcp_socket { read write }; - -dontaudit httpd_sys_script_t httpd_config_t:dir search; -+corenet_all_recvfrom_netlabel(httpd_sys_script_t) - +- -allow httpd_sys_script_t httpd_squirrelmail_t:file { append_file_perms read_file_perms }; - -allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms; @@ -5618,7 +5628,7 @@ index 1a82e29..bcdad77 100644 ') tunable_policy(`httpd_read_user_content',` -@@ -1250,64 +1374,70 @@ tunable_policy(`httpd_read_user_content',` +@@ -1250,64 +1370,70 @@ tunable_policy(`httpd_read_user_content',` ') tunable_policy(`httpd_use_cifs',` @@ -5712,7 +5722,7 @@ index 1a82e29..bcdad77 100644 ######################################## # -@@ -1315,8 +1445,15 @@ miscfiles_read_localization(httpd_rotatelogs_t) +@@ -1315,8 +1441,15 @@ miscfiles_read_localization(httpd_rotatelogs_t) # optional_policy(` 
@@ -5729,7 +5739,7 @@ index 1a82e29..bcdad77 100644 ') ######################################## -@@ -1324,49 +1461,36 @@ optional_policy(` +@@ -1324,49 +1457,36 @@ optional_policy(` # User content local policy # @@ -5793,7 +5803,7 @@ index 1a82e29..bcdad77 100644 kernel_read_system_state(httpd_passwd_t) corecmd_exec_bin(httpd_passwd_t) -@@ -1376,38 +1500,100 @@ dev_read_urand(httpd_passwd_t) +@@ -1376,38 +1496,94 @@ dev_read_urand(httpd_passwd_t) domain_use_interactive_fds(httpd_passwd_t) @@ -5811,33 +5821,23 @@ index 1a82e29..bcdad77 100644 +systemd_manage_passwd_run(httpd_passwd_t) +systemd_manage_passwd_run(httpd_t) +#systemd_passwd_agent_dev_template(httpd) - --allow httpd_gpg_t self:process setrlimit; ++ +domtrans_pattern(httpd_t, httpd_passwd_exec_t, httpd_passwd_t) +dontaudit httpd_passwd_t httpd_config_t:file read; - --allow httpd_gpg_t httpd_t:fd use; --allow httpd_gpg_t httpd_t:fifo_file rw_fifo_file_perms; --allow httpd_gpg_t httpd_t:process sigchld; ++ +search_dirs_pattern(httpd_script_type, httpd_sys_content_t, httpd_script_exec_type) +corecmd_shell_entry_type(httpd_script_type) - --dev_read_rand(httpd_gpg_t) --dev_read_urand(httpd_gpg_t) ++ +allow httpd_script_type self:fifo_file rw_file_perms; +allow httpd_script_type self:unix_stream_socket connectto; - --files_read_usr_files(httpd_gpg_t) ++ +allow httpd_script_type httpd_t:fifo_file write; +# apache should set close-on-exec +apache_dontaudit_leaks(httpd_script_type) - --miscfiles_read_localization(httpd_gpg_t) ++ +append_files_pattern(httpd_script_type, httpd_log_t, httpd_log_t) +logging_search_logs(httpd_script_type) - --tunable_policy(`httpd_gpg_anon_write',` -- miscfiles_manage_public_files(httpd_gpg_t) ++ +kernel_dontaudit_search_sysctl(httpd_script_type) +kernel_dontaudit_search_kernel_sysctl(httpd_script_type) + 
@@ -5852,28 +5852,36 @@ index 1a82e29..bcdad77 100644 + +libs_exec_ld_so(httpd_script_type) +libs_exec_lib_files(httpd_script_type) -+ + +-allow httpd_gpg_t self:process setrlimit; +miscfiles_read_fonts(httpd_script_type) +miscfiles_read_public_files(httpd_script_type) -+ + +-allow httpd_gpg_t httpd_t:fd use; +-allow httpd_gpg_t httpd_t:fifo_file rw_fifo_file_perms; +-allow httpd_gpg_t httpd_t:process sigchld; +allow httpd_t httpd_script_type:unix_stream_socket connectto; -+ + +-dev_read_rand(httpd_gpg_t) +-dev_read_urand(httpd_gpg_t) +allow httpd_t httpd_script_exec_type:file read_file_perms; +allow httpd_t httpd_script_exec_type:lnk_file read_lnk_file_perms; +allow httpd_t httpd_script_type:process { signal sigkill sigstop }; +allow httpd_t httpd_script_exec_type:dir list_dir_perms; -+ + +-files_read_usr_files(httpd_gpg_t) +allow httpd_script_type self:process { setsched signal_perms }; +allow httpd_script_type self:unix_stream_socket create_stream_socket_perms; +allow httpd_script_type self:unix_dgram_socket create_socket_perms; -+ + +-miscfiles_read_localization(httpd_gpg_t) +allow httpd_script_type httpd_t:fd use; +allow httpd_script_type httpd_t:process sigchld; -+ + +-tunable_policy(`httpd_gpg_anon_write',` +- miscfiles_manage_public_files(httpd_gpg_t) +dontaudit httpd_script_type httpd_t:tcp_socket { read write }; + -+dev_read_urand(httpd_script_type) -+ +fs_getattr_xattr_fs(httpd_script_type) + +files_read_etc_runtime_files(httpd_script_type) @@ -5903,10 +5911,6 @@ index 1a82e29..bcdad77 100644 + allow httpd_t httpd_content_type:dir list_dir_perms; + read_files_pattern(httpd_t, httpd_content_type, httpd_content_type) + read_lnk_files_pattern(httpd_t, httpd_content_type, httpd_content_type) -+ -+ allow httpd_t httpd_content_type:dir list_dir_perms; -+ read_files_pattern(httpd_t, httpd_content_type, httpd_content_type) -+ read_lnk_files_pattern(httpd_t, httpd_content_type, httpd_content_type) +') + +tunable_policy(`httpd_use_openstack',` 
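Review bot: `dev_read_urand(httpd_script_type)` is removed from the new attribute-based httpd_script_type block, between `dontaudit httpd_script_type httpd_t:tcp_socket { read write };` and `fs_getattr_xattr_fs(httpd_script_type)`, and nothing visible in the hunk grants it elsewhere. The other removals here are plainly duplicates (the three `httpd_content_type` lines appeared twice in the old version), but this one is not, so confirm that a per-domain rule still allows the script domains to read /dev/urandom; a web script that cannot read it would fail or fall back to weaker randomness, and the denial would only be visible as an AVC at run time. If the grant is intentionally left to the per-domain template (`apache_content_template` appears earlier in this diff), a comment such as `# dev_read_urand comes from apache_content_template` next to the block would keep a later dedup pass from questioning it.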
@@ -5988,7 +5992,7 @@ index f3c0aba..5189407 100644 + allow $1 apcupsd_unit_file_t:service all_service_perms; ') diff --git a/apcupsd.te b/apcupsd.te -index b236327..febec9a 100644 +index b236327..7e05d8c 100644 --- a/apcupsd.te +++ b/apcupsd.te @@ -24,6 +24,9 @@ files_tmp_file(apcupsd_tmp_t) @@ -6009,11 +6013,7 @@ index b236327..febec9a 100644 corenet_all_recvfrom_netlabel(apcupsd_t) corenet_tcp_sendrecv_generic_if(apcupsd_t) corenet_tcp_sendrecv_generic_node(apcupsd_t) -@@ -64,9 +66,11 @@ corenet_udp_sendrecv_generic_node(apcupsd_t) - corenet_udp_bind_generic_node(apcupsd_t) - - corenet_tcp_bind_apcupsd_port(apcupsd_t) -+corenet_udp_bind_generic_node(apcupsd_t) +@@ -67,6 +69,7 @@ corenet_tcp_bind_apcupsd_port(apcupsd_t) corenet_sendrecv_apcupsd_server_packets(apcupsd_t) corenet_tcp_sendrecv_apcupsd_port(apcupsd_t) corenet_tcp_connect_apcupsd_port(apcupsd_t) @@ -6021,7 +6021,7 @@ index b236327..febec9a 100644 corenet_udp_bind_snmp_port(apcupsd_t) corenet_sendrecv_snmp_server_packets(apcupsd_t) -@@ -74,25 +78,33 @@ corenet_udp_sendrecv_snmp_port(apcupsd_t) +@@ -74,19 +77,23 @@ corenet_udp_sendrecv_snmp_port(apcupsd_t) dev_rw_generic_usb_dev(apcupsd_t) @@ -6036,10 +6036,10 @@ index b236327..febec9a 100644 +#apcupsd runs shutdown, probably need a shutdown domain +init_rw_utmp(apcupsd_t) +init_telinit(apcupsd_t) -+ -+auth_read_passwd(apcupsd_t) -miscfiles_read_localization(apcupsd_t) ++auth_read_passwd(apcupsd_t) ++ +logging_send_syslog_msg(apcupsd_t) sysnet_dns_name_resolve(apcupsd_t) @@ -6049,17 +6049,7 @@ index b236327..febec9a 100644 optional_policy(` hostname_exec(apcupsd_t) - ') - - optional_policy(` -+ shutdown_domtrans(apcupsd_t) -+') -+ -+optional_policy(` - mta_send_mail(apcupsd_t) - mta_system_content(apcupsd_tmp_t) - ') -@@ -112,7 +124,6 @@ optional_policy(` +@@ -112,7 +119,6 @@ optional_policy(` allow httpd_apcupsd_cgi_script_t self:tcp_socket create_stream_socket_perms; allow httpd_apcupsd_cgi_script_t self:udp_socket create_socket_perms; 
@@ -6126,7 +6116,7 @@ index 1a7a97e..1d29dce 100644 domain_system_change_exemption($1) role_transition $2 apmd_initrc_exec_t system_r; diff --git a/apm.te b/apm.te -index 3590e2f..29e3af5 100644 +index 3590e2f..5d9ac1d 100644 --- a/apm.te +++ b/apm.te @@ -35,6 +35,9 @@ files_type(apmd_var_lib_t) @@ -6166,16 +6156,7 @@ index 3590e2f..29e3af5 100644 corecmd_exec_all_executables(apmd_t) domain_read_all_domains_state(apmd_t) -@@ -128,6 +129,8 @@ domain_dontaudit_list_all_domains_state(apmd_t) - - auth_use_nsswitch(apmd_t) - -+auth_use_nsswitch(apmd_t) -+ - init_domtrans_script(apmd_t) - - libs_exec_ld_so(apmd_t) -@@ -136,17 +139,54 @@ libs_exec_lib_files(apmd_t) +@@ -136,17 +137,16 @@ libs_exec_lib_files(apmd_t) logging_send_audit_msgs(apmd_t) logging_send_syslog_msg(apmd_t) 
@@ -6192,53 +6173,20 @@ index 3590e2f..29e3af5 100644 userdom_dontaudit_search_user_home_dirs(apmd_t) -userdom_dontaudit_search_user_home_content(apmd_t) +userdom_dontaudit_search_user_home_content(apmd_t) # Excessive? -+ -+ifdef(`distro_redhat',` -+ allow apmd_t apmd_lock_t:file manage_file_perms; -+ files_lock_filetrans(apmd_t, apmd_lock_t, file) -+ -+ can_exec(apmd_t, apmd_var_run_t) -+ -+ optional_policy(` -+ fstools_domtrans(apmd_t) -+ ') -+ -+ optional_policy(` -+ iptables_domtrans(apmd_t) -+ ') -+ -+ optional_policy(` -+ netutils_domtrans(apmd_t) -+ ') -+ -+ # ifconfig_exec_t needs to be run in its own domain for Red Hat -+ optional_policy(` -+ sssd_search_lib(apmd_t) -+ ') -+ -+ optional_policy(` -+ sysnet_domtrans_ifconfig(apmd_t) -+ ') -+ -+',` -+ # for ifconfig which is run all the time -+ kernel_dontaudit_search_sysctl(apmd_t) -+') -+ -+ifdef(`distro_suse',` -+ manage_dirs_pattern(apmd_t, apmd_var_lib_t, apmd_var_lib_t) -+ manage_files_pattern(apmd_t, apmd_var_lib_t, apmd_var_lib_t) -+ files_var_lib_filetrans(apmd_t, apmd_var_lib_t, file) -+') optional_policy(` automount_domtrans(apmd_t) -@@ -206,7 +246,11 @@ optional_policy(` +@@ -206,11 +206,15 @@ optional_policy(` ') optional_policy(` - seutil_sigchld_newrole(apmd_t) + shutdown_domtrans(apmd_t) + ') + + optional_policy(` +- shutdown_domtrans(apmd_t) ++ sssd_search_lib(apmd_t) +') + +optional_policy(` @@ -6444,10 +6392,10 @@ index 7268a04..3a5dc33 100644 domain_system_change_exemption($1) role_transition $2 asterisk_initrc_exec_t system_r; diff --git a/asterisk.te b/asterisk.te -index 5439f1c..37841a1 100644 +index 5439f1c..0be374d 100644 --- a/asterisk.te +++ b/asterisk.te -@@ -19,10 +19,11 @@ type asterisk_log_t; +@@ -19,7 +19,7 @@ type asterisk_log_t; logging_log_file(asterisk_log_t) type asterisk_spool_t; 
@@ -6456,11 +6404,7 @@ index 5439f1c..37841a1 100644 type asterisk_tmp_t; files_tmp_file(asterisk_tmp_t) -+mta_system_content(asterisk_tmp_t) - - type asterisk_tmpfs_t; - files_tmpfs_file(asterisk_tmpfs_t) -@@ -72,11 +73,11 @@ fs_tmpfs_filetrans(asterisk_t, asterisk_tmpfs_t, { dir file lnk_file sock_file f +@@ -72,11 +72,11 @@ fs_tmpfs_filetrans(asterisk_t, asterisk_tmpfs_t, { dir file lnk_file sock_file f manage_files_pattern(asterisk_t, asterisk_var_lib_t, asterisk_var_lib_t) @@ -6474,7 +6418,7 @@ index 5439f1c..37841a1 100644 can_exec(asterisk_t, asterisk_exec_t) kernel_read_kernel_sysctls(asterisk_t) -@@ -87,7 +88,6 @@ kernel_request_load_module(asterisk_t) +@@ -87,7 +87,6 @@ kernel_request_load_module(asterisk_t) corecmd_exec_bin(asterisk_t) corecmd_exec_shell(asterisk_t) @@ -6482,15 +6426,7 @@ index 5439f1c..37841a1 100644 corenet_all_recvfrom_netlabel(asterisk_t) corenet_tcp_sendrecv_generic_if(asterisk_t) corenet_udp_sendrecv_generic_if(asterisk_t) -@@ -125,6 +125,7 @@ corenet_tcp_connect_pktcable_cops_port(asterisk_t) - - corenet_sendrecv_sip_client_packets(asterisk_t) - corenet_tcp_connect_sip_port(asterisk_t) -+corenet_tcp_connect_jabber_client_port(asterisk_t) - - dev_rw_generic_usb_dev(asterisk_t) - dev_read_sysfs(asterisk_t) -@@ -135,7 +136,6 @@ dev_read_urand(asterisk_t) +@@ -135,7 +134,6 @@ dev_read_urand(asterisk_t) domain_use_interactive_fds(asterisk_t) @@ -6498,7 +6434,7 @@ index 5439f1c..37841a1 100644 files_search_spool(asterisk_t) files_dontaudit_search_home(asterisk_t) -@@ -148,8 +148,6 @@ auth_use_nsswitch(asterisk_t) +@@ -148,8 +146,6 @@ auth_use_nsswitch(asterisk_t) logging_send_syslog_msg(asterisk_t) @@ -6775,7 +6711,7 @@ index 089430a..7cd037b 100644 + allow $1 automount_unit_file_t:service all_service_perms; ') diff --git a/automount.te b/automount.te -index a579c3b..9fdef3d 100644 +index a579c3b..e8961f7 100644 --- a/automount.te +++ b/automount.te @@ -22,6 +22,9 @@ type automount_tmp_t; 
@@ -6788,21 +6724,7 @@ index a579c3b..9fdef3d 100644 ######################################## # # Local policy -@@ -50,19 +53,20 @@ manage_fifo_files_pattern(automount_t, automount_var_run_t, automount_var_run_t) - files_pid_filetrans(automount_t, automount_var_run_t, { file fifo_file }) - - kernel_read_kernel_sysctls(automount_t) -+kernel_read_vm_sysctls(automount_t) - kernel_read_irq_sysctls(automount_t) - kernel_read_fs_sysctls(automount_t) - kernel_read_vm_sysctls(automount_t) - kernel_read_proc_symlinks(automount_t) - kernel_read_system_state(automount_t) - kernel_read_network_state(automount_t) -+kernel_search_vm_sysctl(automount_t) - kernel_list_proc(automount_t) - kernel_dontaudit_search_xen_state(automount_t) - +@@ -62,7 +65,6 @@ kernel_dontaudit_search_xen_state(automount_t) corecmd_exec_bin(automount_t) corecmd_exec_shell(automount_t) @@ -6810,7 +6732,7 @@ index a579c3b..9fdef3d 100644 corenet_all_recvfrom_netlabel(automount_t) corenet_tcp_sendrecv_generic_if(automount_t) corenet_udp_sendrecv_generic_if(automount_t) -@@ -96,7 +100,6 @@ files_mount_all_file_type_fs(automount_t) +@@ -96,7 +98,6 @@ files_mount_all_file_type_fs(automount_t) files_mounton_all_mountpoints(automount_t) files_mounton_mnt(automount_t) files_read_etc_runtime_files(automount_t) @@ -6818,7 +6740,7 @@ index a579c3b..9fdef3d 100644 files_search_boot(automount_t) files_search_all(automount_t) files_unmount_all_file_type_fs(automount_t) -@@ -130,15 +133,18 @@ auth_use_nsswitch(automount_t) +@@ -130,15 +131,18 @@ auth_use_nsswitch(automount_t) logging_send_syslog_msg(automount_t) logging_search_logs(automount_t) @@ -6925,7 +6847,7 @@ index aebe7cb..33fe57b 100644 + allow $1 avahi_unit_file_t:service all_service_perms; ') diff --git a/avahi.te b/avahi.te -index 60e76be..3929421 100644 +index 60e76be..0730647 100644 --- a/avahi.te +++ b/avahi.te @@ -17,6 +17,10 @@ files_pid_file(avahi_var_lib_t) 
@@ -6974,17 +6896,6 @@ index 60e76be..3929421 100644 userdom_dontaudit_use_unpriv_user_fds(avahi_t) userdom_dontaudit_search_user_home_dirs(avahi_t) -@@ -106,6 +110,10 @@ optional_policy(` - ') - - optional_policy(` -+ rpcbind_signull(avahi_t) -+') -+ -+optional_policy(` - seutil_sigchld_newrole(avahi_t) - ') - diff --git a/awstats.te b/awstats.te index d6ab824..116176d 100644 --- a/awstats.te @@ -7419,7 +7330,7 @@ index 866a1e2..6c2dbe4 100644 + allow $1 named_unit_file_t:service all_service_perms; ') diff --git a/bind.te b/bind.te -index 076ffee..6a12335 100644 +index 076ffee..74e77ff 100644 --- a/bind.te +++ b/bind.te @@ -34,7 +34,7 @@ type named_checkconf_exec_t; @@ -7449,20 +7360,19 @@ index 076ffee..6a12335 100644 corenet_all_recvfrom_netlabel(named_t) corenet_tcp_sendrecv_generic_if(named_t) corenet_udp_sendrecv_generic_if(named_t) -@@ -170,6 +172,12 @@ tunable_policy(`named_write_master_zones',` +@@ -170,6 +172,11 @@ tunable_policy(`named_write_master_zones',` ') optional_policy(` + # needed by FreeIPA with DNS support + dirsrv_stream_connect(named_t) -+ ldap_stream_connect(named_t) +') + +optional_policy(` dbus_system_domain(named_t, named_exec_t) init_dbus_chat_script(named_t) -@@ -183,6 +191,7 @@ optional_policy(` +@@ -183,6 +190,7 @@ optional_policy(` optional_policy(` kerberos_keytab_template(named, named_t) @@ -7470,7 +7380,7 @@ index 076ffee..6a12335 100644 ') optional_policy(` -@@ -209,7 +218,8 @@ optional_policy(` +@@ -209,7 +217,8 @@ optional_policy(` # allow ndc_t self:capability { dac_override net_admin }; 
@@ -7480,19 +7390,19 @@ index 076ffee..6a12335 100644 allow ndc_t self:fifo_file rw_fifo_file_perms; allow ndc_t self:unix_stream_socket { accept listen }; -@@ -223,10 +233,10 @@ allow ndc_t named_conf_t:lnk_file read_lnk_file_perms; +@@ -223,10 +232,9 @@ allow ndc_t named_conf_t:lnk_file read_lnk_file_perms; allow ndc_t named_zone_t:dir search_dir_perms; -+kernel_read_system_state(ndc_t) - kernel_read_kernel_sysctls(ndc_t) +-kernel_read_kernel_sysctls(ndc_t) kernel_read_system_state(ndc_t) ++kernel_read_kernel_sysctls(ndc_t) -corenet_all_recvfrom_unlabeled(ndc_t) corenet_all_recvfrom_netlabel(ndc_t) corenet_tcp_sendrecv_generic_if(ndc_t) corenet_tcp_sendrecv_generic_node(ndc_t) -@@ -251,7 +261,7 @@ init_use_script_ptys(ndc_t) +@@ -251,7 +259,7 @@ init_use_script_ptys(ndc_t) logging_send_syslog_msg(ndc_t) @@ -7533,7 +7443,7 @@ index e73fb79..2badfc0 100644 domain_system_change_exemption($1) role_transition $2 bitlbee_initrc_exec_t system_r; diff --git a/bitlbee.te b/bitlbee.te -index ac8c91e..5ca06bb 100644 +index ac8c91e..a63f4c2 100644 --- a/bitlbee.te +++ b/bitlbee.te @@ -35,9 +35,12 @@ files_pid_file(bitlbee_var_run_t) 
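Review bot: In the ndc_t hunk (`@@ -223,10 +232,9 @@`) the new patch deletes `kernel_read_kernel_sysctls(ndc_t)` and re-adds it one line later, so the only effect of that `-`/`+` pair is to swap its order with `kernel_read_system_state(ndc_t)`. Dropping both lines leaves the resulting policy identical, removes the duplicate `kernel_read_system_state(ndc_t)` just as well, and keeps the hunk down to its real change, `-corenet_all_recvfrom_unlabeled(ndc_t)`.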
@@ -7551,16 +7461,7 @@ index ac8c91e..5ca06bb 100644 allow bitlbee_t bitlbee_conf_t:dir list_dir_perms; allow bitlbee_t bitlbee_conf_t:file read_file_perms; -@@ -54,13 +57,17 @@ files_tmp_filetrans(bitlbee_t, bitlbee_tmp_t, { dir file }) - manage_files_pattern(bitlbee_t, bitlbee_var_t, bitlbee_var_t) - files_var_lib_filetrans(bitlbee_t, bitlbee_var_t, file) - -+# log files -+manage_dirs_pattern(bitlbee_t, bitlbee_log_t, bitlbee_log_t) -+manage_files_pattern(bitlbee_t, bitlbee_log_t, bitlbee_log_t) -+ - manage_dirs_pattern(bitlbee_t, bitlbee_var_run_t, bitlbee_var_run_t) - manage_files_pattern(bitlbee_t, bitlbee_var_run_t, bitlbee_var_run_t) +@@ -59,8 +62,8 @@ manage_files_pattern(bitlbee_t, bitlbee_var_run_t, bitlbee_var_run_t) manage_sock_files_pattern(bitlbee_t, bitlbee_var_run_t, bitlbee_var_run_t) files_pid_filetrans(bitlbee_t, bitlbee_var_run_t, { dir file sock_file }) @@ -7570,19 +7471,7 @@ index ac8c91e..5ca06bb 100644 corenet_all_recvfrom_unlabeled(bitlbee_t) corenet_all_recvfrom_netlabel(bitlbee_t) -@@ -95,6 +102,11 @@ corenet_tcp_sendrecv_http_port(bitlbee_t) - corenet_sendrecv_http_cache_client_packets(bitlbee_t) - corenet_tcp_connect_http_cache_port(bitlbee_t) - corenet_tcp_sendrecv_http_cache_port(bitlbee_t) -+corenet_tcp_bind_ircd_port(bitlbee_t) -+corenet_tcp_sendrecv_ircd_port(bitlbee_t) -+corenet_sendrecv_ircd_server_packets(bitlbee_t) -+corenet_tcp_bind_interwise_port(bitlbee_t) -+corenet_tcp_sendrecv_interwise_port(bitlbee_t) - - corenet_sendrecv_ircd_server_packets(bitlbee_t) - corenet_tcp_bind_ircd_port(bitlbee_t) -@@ -109,16 +121,12 @@ corenet_tcp_sendrecv_interwise_port(bitlbee_t) +@@ -109,16 +112,12 @@ corenet_tcp_sendrecv_interwise_port(bitlbee_t) dev_read_rand(bitlbee_t) dev_read_urand(bitlbee_t) @@ -7609,7 +7498,7 @@ index c295d2e..4f84e9c 100644 /var/lib/blueman(/.*)? gen_context(system_u:object_r:blueman_var_lib_t,s0) diff --git a/blueman.te b/blueman.te -index bc5c984..fe09796 100644 +index bc5c984..0beaf43 100644 --- a/blueman.te 
+++ b/blueman.te @@ -7,7 +7,7 @@ policy_module(blueman, 1.0.4) @@ -7631,24 +7520,23 @@ index bc5c984..fe09796 100644 allow blueman_t self:fifo_file rw_fifo_file_perms; manage_dirs_pattern(blueman_t, blueman_var_lib_t, blueman_var_lib_t) -@@ -45,13 +46,14 @@ dev_rw_wireless(blueman_t) +@@ -45,25 +46,35 @@ dev_rw_wireless(blueman_t) domain_use_interactive_fds(blueman_t) files_list_tmp(blueman_t) -files_read_usr_files(blueman_t) -+files_list_tmp(blueman_t) auth_use_nsswitch(blueman_t) logging_send_syslog_msg(blueman_t) -miscfiles_read_localization(blueman_t) -+sysnet_domtrans_ifconfig(blueman_t) +- + sysnet_domtrans_ifconfig(blueman_t) +sysnet_dns_name_resolve(blueman_t) - sysnet_domtrans_ifconfig(blueman_t) - -@@ -60,10 +62,22 @@ optional_policy(` + optional_policy(` + avahi_domtrans(blueman_t) ') optional_policy(` @@ -7801,7 +7689,7 @@ index c723a0a..3e8a553 100644 + allow $1 bluetooth_unit_file_t:service all_service_perms; ') diff --git a/bluetooth.te b/bluetooth.te -index 6f09d24..f3ae1a6 100644 +index 6f09d24..88b8feb 100644 --- a/bluetooth.te +++ b/bluetooth.te @@ -49,6 +49,9 @@ files_type(bluetooth_var_lib_t) @@ -7857,20 +7745,15 @@ index 6f09d24..f3ae1a6 100644 miscfiles_read_fonts(bluetooth_t) miscfiles_read_hwdata(bluetooth_t) -@@ -131,7 +142,12 @@ userdom_dontaudit_use_user_terminals(bluetooth_t) - userdom_dontaudit_search_user_home_dirs(bluetooth_t) +@@ -132,6 +143,7 @@ userdom_dontaudit_search_user_home_dirs(bluetooth_t) optional_policy(` -+ devicekit_dbus_chat_power(bluetooth_t) -+') -+ -+optional_policy(` dbus_system_bus_client(bluetooth_t) + dbus_connect_system_bus(bluetooth_t) optional_policy(` cups_dbus_chat(bluetooth_t) -@@ -199,7 +215,6 @@ dev_read_urand(bluetooth_helper_t) +@@ -199,7 +211,6 @@ dev_read_urand(bluetooth_helper_t) domain_read_all_domains_state(bluetooth_helper_t) files_read_etc_runtime_files(bluetooth_helper_t) @@ -8921,7 +8804,7 @@ index b85b53b..a37eebd 100644 userdom_manage_unpriv_user_shared_mem(ccs_t) 
diff --git a/cdrecord.te b/cdrecord.te -index 55fb26a..e380b26 100644 +index 55fb26a..a7555c0 100644 --- a/cdrecord.te +++ b/cdrecord.te @@ -41,8 +41,6 @@ dev_read_sysfs(cdrecord_t) @@ -8933,16 +8816,19 @@ index 55fb26a..e380b26 100644 term_use_controlling_term(cdrecord_t) term_list_ptys(cdrecord_t) -@@ -52,8 +50,6 @@ storage_write_scsi_generic(cdrecord_t) +@@ -52,10 +50,7 @@ storage_write_scsi_generic(cdrecord_t) logging_send_syslog_msg(cdrecord_t) -miscfiles_read_localization(cdrecord_t) - - userdom_use_user_terminals(cdrecord_t) - userdom_read_user_home_content_files(cdrecord_t) +-userdom_use_user_terminals(cdrecord_t) +-userdom_read_user_home_content_files(cdrecord_t) ++userdom_use_inherited_user_terminals(cdrecord_t) -@@ -104,11 +100,7 @@ tunable_policy(`cdrecord_read_content',` + tunable_policy(`cdrecord_read_content && use_nfs_home_dirs',` + fs_list_auto_mountpoints(cdrecord_t) +@@ -104,11 +99,7 @@ tunable_policy(`cdrecord_read_content',` userdom_dontaudit_read_user_home_content_files(cdrecord_t) ') @@ -9037,7 +8923,7 @@ index 008f8ef..144c074 100644 admin_pattern($1, certmonger_var_run_t) ') diff --git a/certmonger.te b/certmonger.te -index 2354e21..1bb3f10 100644 +index 2354e21..dd34a80 100644 --- a/certmonger.te +++ b/certmonger.te @@ -18,6 +18,9 @@ files_type(certmonger_var_lib_t) @@ -9148,24 +9034,26 @@ index 2354e21..1bb3f10 100644 + + domtrans_pattern(certmonger_t, certmonger_unconfined_exec_t, certmonger_unconfined_t) + -+ unconfined_domain(certmonger_unconfined_t) -+ + allow certmonger_t certmonger_unconfined_exec_t:dir search_dir_perms; + allow certmonger_t certmonger_unconfined_exec_t:dir read_file_perms; + allow certmonger_t certmonger_unconfined_exec_t:file ioctl; + + init_domtrans_script(certmonger_unconfined_t) + -+ unconfined_domain(certmonger_unconfined_t) ++ optional_policy(` ++ unconfined_domain(certmonger_unconfined_t) ++ ') +') diff --git a/certwatch.te b/certwatch.te -index 403af41..fd3cbaf 100644 +index 403af41..7c0b1be 100644 
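Review bot: The cdrecord.te hunk (`@@ -52,10 +50,7 @@`) now removes the unconditional `userdom_read_user_home_content_files(cdrecord_t)` from the base policy alongside the swap to `userdom_use_inherited_user_terminals(cdrecord_t)`, which is a least-privilege tightening rather than the duplicate cleanup the rest of this diff performs. Presumably the `cdrecord_read_content` tunable visible further down is meant to govern that access now; confirm that its true branch grants the read, otherwise burning files from a home directory would be denied. A short comment on the replacement line, e.g. `# home content is readable only with cdrecord_read_content`, would make the intent visible.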
--- a/certwatch.te +++ b/certwatch.te -@@ -21,25 +21,24 @@ role certwatch_roles types certwatch_t; +@@ -21,25 +21,26 @@ role certwatch_roles types certwatch_t; allow certwatch_t self:capability sys_nice; allow certwatch_t self:process { setsched getsched }; ++kernel_read_system_state(certwatch_t) ++ +dev_read_rand(certwatch_t) dev_read_urand(certwatch_t) @@ -9350,7 +9238,7 @@ index 85ca63f..1d1c99c 100644 admin_pattern($1, { cgconfig_etc_t cgrules_etc_t }) files_list_etc($1) diff --git a/cgroup.te b/cgroup.te -index fdee107..18cf736 100644 +index fdee107..68d9b5f 100644 --- a/cgroup.te +++ b/cgroup.te @@ -25,8 +25,8 @@ files_pid_file(cgred_var_run_t) @@ -9403,15 +9291,7 @@ index fdee107..18cf736 100644 allow cgred_t self:netlink_socket { write bind create read }; allow cgred_t self:unix_dgram_socket { write create connect }; -@@ -92,6 +95,7 @@ files_pid_filetrans(cgred_t, cgred_var_run_t, { file sock_file }) - - kernel_read_all_sysctls(cgred_t) - kernel_read_system_state(cgred_t) -+kernel_read_all_sysctls(cgred_t) - - domain_read_all_domains_state(cgred_t) - domain_setpriority_all_domains(cgred_t) -@@ -99,10 +103,9 @@ domain_setpriority_all_domains(cgred_t) +@@ -99,10 +102,9 @@ domain_setpriority_all_domains(cgred_t) files_getattr_all_files(cgred_t) files_getattr_all_sockets(cgred_t) files_read_all_symlinks(cgred_t) @@ -9959,7 +9839,7 @@ index 32e8265..0de4af3 100644 + allow $1 chronyd_unit_file_t:service all_service_perms; ') diff --git a/chronyd.te b/chronyd.te -index 914ee2d..dac9e4c 100644 +index 914ee2d..bd3362e 100644 --- a/chronyd.te +++ b/chronyd.te @@ -18,6 +18,9 @@ files_type(chronyd_keys_t) @@ -9981,7 +9861,7 @@ index 914ee2d..dac9e4c 100644 allow chronyd_t self:fifo_file rw_fifo_file_perms; allow chronyd_t chronyd_keys_t:file read_file_perms; -@@ -82,7 +87,7 @@ auth_use_nsswitch(chronyd_t) +@@ -82,12 +87,8 @@ auth_use_nsswitch(chronyd_t) logging_send_syslog_msg(chronyd_t) 
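Review bot: `kernel_read_system_state(certwatch_t)` is added to certwatch.te without a comment, and that interface grants read access to the kernel's /proc state as a whole rather than to a single file. If certwatch only needs one file there, a one-line comment above the rule naming it (e.g. `# reads /proc/meminfo`) documents why the broad interface is used and lets a later reviewer judge whether a narrower one has become available; as written the rule reads like a blanket grant.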
@@ -9990,6 +9870,11 @@ index 914ee2d..dac9e4c 100644 optional_policy(` gpsd_rw_shm(chronyd_t) + ') +- +-optional_policy(` +- mta_send_mail(chronyd_t) +-') diff --git a/cipe.te b/cipe.te index 28c8475..9b86dd1 100644 --- a/cipe.te @@ -10282,7 +10167,7 @@ index 4cc4a5c..99c5cca 100644 + ') diff --git a/clamav.te b/clamav.te -index 8e1fef9..725029f 100644 +index 8e1fef9..c8c9a5a 100644 --- a/clamav.te +++ b/clamav.te @@ -38,6 +38,9 @@ files_config_file(clamd_etc_t) @@ -10379,36 +10264,26 @@ index 8e1fef9..725029f 100644 tunable_policy(`clamd_use_jit',` allow freshclam_t self:process execmem; -@@ -244,6 +264,14 @@ optional_policy(` - cron_system_entry(freshclam_t, freshclam_exec_t) +@@ -241,6 +261,10 @@ optional_policy(` ') -+optional_policy(` + optional_policy(` + clamd_systemctl(freshclam_t) +') + +optional_policy(` -+ cron_system_entry(freshclam_t, freshclam_exec_t) -+') -+ - ######################################## - # - # Clamscam local policy -@@ -275,7 +303,12 @@ kernel_dontaudit_list_proc(clamscan_t) + cron_system_entry(freshclam_t, freshclam_exec_t) + ') + +@@ -275,7 +299,6 @@ kernel_dontaudit_list_proc(clamscan_t) kernel_read_kernel_sysctls(clamscan_t) kernel_read_system_state(clamscan_t) -corenet_all_recvfrom_unlabeled(clamscan_t) -+read_files_pattern(clamscan_t, clamd_var_run_t, clamd_var_run_t) -+allow clamscan_t clamd_var_run_t:dir list_dir_perms; -+ -+kernel_dontaudit_list_proc(clamscan_t) -+kernel_read_system_state(clamscan_t) -+ corenet_all_recvfrom_netlabel(clamscan_t) corenet_tcp_sendrecv_generic_if(clamscan_t) corenet_tcp_sendrecv_generic_node(clamscan_t) -@@ -286,14 +319,12 @@ corenet_tcp_sendrecv_clamd_port(clamscan_t) +@@ -286,14 +309,12 @@ corenet_tcp_sendrecv_clamd_port(clamscan_t) corecmd_read_all_executables(clamscan_t) 
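Review bot: The chronyd.te hunk (`@@ -82,12 +87,8 @@`) now deletes the base policy's `optional_policy(` mta_send_mail(chronyd_t) ')` block, which is a functional removal rather than a duplicate cleanup. chronyd's `mailonchange` directive sends mail via the system sendmail when the clock is stepped by more than a threshold, so with this rule gone that path would be denied and only surface as an AVC at run time; if dropping it is deliberate, record that in a comment in the policy file, otherwise keep the block. In the same line the clamscan_t hunk also drops the `clamd_var_run_t` read/list rules from the patch, and unlike the neighbouring `kernel_dontaudit_list_proc`/`kernel_read_system_state` pair nothing visible shows a duplicate for those, so the same check applies there.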
@@ -10423,7 +10298,7 @@ index 8e1fef9..725029f 100644 miscfiles_read_public_files(clamscan_t) sysnet_dns_name_resolve(clamscan_t) -@@ -310,10 +341,6 @@ tunable_policy(`clamav_read_all_non_security_files_clamscan',` +@@ -310,10 +331,6 @@ tunable_policy(`clamav_read_all_non_security_files_clamscan',` ') optional_policy(` @@ -11167,7 +11042,7 @@ index 8e27a37..fa2c3cb 100644 + ps_process_pattern($1, colord_t) +') diff --git a/colord.te b/colord.te -index 09f18e2..235f39e 100644 +index 09f18e2..28dd440 100644 --- a/colord.te +++ b/colord.te @@ -8,6 +8,7 @@ policy_module(colord, 1.0.2) @@ -11203,7 +11078,7 @@ index 09f18e2..235f39e 100644 manage_dirs_pattern(colord_t, colord_tmp_t, colord_tmp_t) manage_files_pattern(colord_t, colord_tmp_t, colord_tmp_t) -@@ -74,18 +81,17 @@ dev_read_video_dev(colord_t) +@@ -74,18 +81,15 @@ dev_read_video_dev(colord_t) dev_write_video_dev(colord_t) dev_rw_printer(colord_t) dev_read_rand(colord_t) @@ -11218,14 +11093,12 @@ index 09f18e2..235f39e 100644 files_list_mnt(colord_t) -files_read_usr_files(colord_t) -+fs_search_all(colord_t) fs_getattr_noxattr_fs(colord_t) -fs_getattr_tmpfs(colord_t) -+fs_dontaudit_getattr_all_fs(colord_t) fs_list_noxattr_fs(colord_t) fs_read_noxattr_fs_files(colord_t) fs_search_all(colord_t) -@@ -100,7 +106,11 @@ auth_use_nsswitch(colord_t) +@@ -100,7 +104,11 @@ auth_use_nsswitch(colord_t) logging_send_syslog_msg(colord_t) @@ -11238,7 +11111,7 @@ index 09f18e2..235f39e 100644 tunable_policy(`use_nfs_home_dirs',` fs_getattr_nfs(colord_t) -@@ -120,6 +130,12 @@ optional_policy(` +@@ -120,6 +128,12 @@ optional_policy(` ') optional_policy(` @@ -11251,7 +11124,7 @@ index 09f18e2..235f39e 100644 policykit_dbus_chat(colord_t) policykit_domtrans_auth(colord_t) policykit_read_lib(colord_t) -@@ -133,3 +149,13 @@ optional_policy(` +@@ -133,3 +147,13 @@ optional_policy(` optional_policy(` udev_read_db(colord_t) ') 
@@ -12177,7 +12050,7 @@ index 694a037..283cf03 100644 + allow $1 corosync_unit_file_t:service all_service_perms; ') diff --git a/corosync.te b/corosync.te -index eeea48d..d7f485e 100644 +index eeea48d..691ca11 100644 --- a/corosync.te +++ b/corosync.te @@ -28,6 +28,9 @@ logging_log_file(corosync_var_log_t) @@ -12190,30 +12063,7 @@ index eeea48d..d7f485e 100644 ######################################## # # Local policy -@@ -43,6 +46,8 @@ allow corosync_t self:shm create_shm_perms; - allow corosync_t self:unix_dgram_socket sendto; - allow corosync_t self:unix_stream_socket { accept connectto listen }; - -+can_exec(corosync_t, corosync_exec_t) -+ - manage_dirs_pattern(corosync_t, corosync_tmp_t, corosync_tmp_t) - manage_files_pattern(corosync_t, corosync_tmp_t, corosync_tmp_t) - relabel_files_pattern(corosync_t, corosync_tmp_t, corosync_tmp_t) -@@ -73,6 +78,8 @@ can_exec(corosync_t, corosync_exec_t) - kernel_read_all_sysctls(corosync_t) - kernel_read_network_state(corosync_t) - kernel_read_system_state(corosync_t) -+kernel_read_network_state(corosync_t) -+kernel_read_all_sysctls(corosync_t) - - corecmd_exec_bin(corosync_t) - corecmd_exec_shell(corosync_t) -@@ -89,11 +96,11 @@ corenet_udp_sendrecv_netsupport_port(corosync_t) - - dev_read_sysfs(corosync_t) - dev_read_urand(corosync_t) -+dev_read_sysfs(corosync_t) - +@@ -93,7 +96,6 @@ dev_read_urand(corosync_t) domain_read_all_domains_state(corosync_t) files_manage_mounttab(corosync_t) @@ -12221,7 +12071,7 @@ index eeea48d..d7f485e 100644 auth_use_nsswitch(corosync_t) -@@ -106,7 +113,13 @@ logging_send_syslog_msg(corosync_t) +@@ -106,7 +108,13 @@ logging_send_syslog_msg(corosync_t) miscfiles_read_localization(corosync_t) userdom_read_user_tmp_files(corosync_t) 
@@ -12236,15 +12086,7 @@ index eeea48d..d7f485e 100644 optional_policy(` ccs_read_config(corosync_t) -@@ -133,16 +146,44 @@ optional_policy(` - ') - - optional_policy(` -- rhcs_getattr_fenced_exec_files(corosync_t) -+ rhcs_getattr_fenced(corosync_t) - rhcs_rw_cluster_shm(corosync_t) - rhcs_rw_cluster_semaphores(corosync_t) - rhcs_stream_connect_cluster(corosync_t) +@@ -129,20 +137,29 @@ optional_policy(` ') optional_policy(` @@ -12253,35 +12095,30 @@ index eeea48d..d7f485e 100644 +') + +optional_policy(` -+ qpidd_rw_shm(corosync_t) -+') -+ -+optional_policy(` -+ rhcs_getattr_fenced(corosync_t) -+ # to communication with RHCS -+ rhcs_rw_cluster_shm(corosync_t) -+ rhcs_rw_cluster_semaphores(corosync_t) -+ rhcs_stream_connect_cluster(corosync_t) -+ rhcs_read_cluster_lib_files(corosync_t) -+ rhcs_manage_cluster_lib_files(corosync_t) -+ rhcs_relabel_cluster_lib_files(corosync_t) -+') -+ -+optional_policy(` -+ # should be removed in F19 -+ # workaround because we switch hearbeat from corosync to rgmanager -+ rgmanager_manage_files(corosync_t) -+ - rgmanager_manage_tmpfs_files(corosync_t) + qpidd_rw_shm(corosync_t) ') optional_policy(` - rpc_search_nfs_state_data(corosync_t) +- rhcs_getattr_fenced_exec_files(corosync_t) ++ rhcs_getattr_fenced(corosync_t) ++ # to communication with RHCS + rhcs_rw_cluster_shm(corosync_t) + rhcs_rw_cluster_semaphores(corosync_t) + rhcs_stream_connect_cluster(corosync_t) ++ rhcs_read_cluster_lib_files(corosync_t) ++ rhcs_manage_cluster_lib_files(corosync_t) ++ rhcs_relabel_cluster_lib_files(corosync_t) + ') + + optional_policy(` +- rgmanager_manage_tmpfs_files(corosync_t) ++ rpc_search_nfs_state_data(corosync_t) + ') + + optional_policy(` +- rpc_search_nfs_state_data(corosync_t) -') \ No newline at end of file -+') -+ -+optional_policy(` + wdmd_rw_tmpfs(corosync_t) +') diff --git a/couchdb.fc b/couchdb.fc @@ -12759,10 +12596,10 @@ index 2f1aad6..155a337 100644 -miscfiles_read_localization(cpuspeed_t) +logging_send_syslog_msg(cpuspeed_t) 
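Review bot: The rgmanager block of corosync.te is gone on the new side of hunk `@@ -129,20 +137,29 @@`: the original `rgmanager_manage_tmpfs_files(corosync_t)` is now removed by the inner diff and the earlier workaround `rgmanager_manage_files(corosync_t)` ("should be removed in F19") no longer appears at all. That tightens corosync_t, which is welcome, but it is not a duplicate removal and the changelog does not mention it, so the intent should be stated in the commit message. The added comment reads `# to communication with RHCS`; `# to communicate with RHCS` is what is meant.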
diff --git a/cpufreqselector.te b/cpufreqselector.te -index a3bbc21..5bf715c 100644 +index a3bbc21..7fd7d8f 100644 --- a/cpufreqselector.te +++ b/cpufreqselector.te -@@ -14,24 +14,21 @@ init_daemon_domain(cpufreqselector_t, cpufreqselector_exec_t) +@@ -14,21 +14,17 @@ init_daemon_domain(cpufreqselector_t, cpufreqselector_exec_t) # Local policy # @@ -12787,11 +12624,7 @@ index a3bbc21..5bf715c 100644 optional_policy(` dbus_system_domain(cpufreqselector_t, cpufreqselector_exec_t) -+ init_daemon_domain(cpufreqselector_t, cpufreqselector_exec_t) - - optional_policy(` - consolekit_dbus_chat(cpufreqselector_t) -@@ -51,3 +48,7 @@ optional_policy(` +@@ -51,3 +47,7 @@ optional_policy(` policykit_read_lib(cpufreqselector_t) policykit_read_reload(cpufreqselector_t) ') @@ -13845,7 +13678,7 @@ index 1303b30..058864e 100644 + logging_log_filetrans($1, cron_log_t, $2, $3) ') diff --git a/cron.te b/cron.te -index 28e1b86..9e55dbb 100644 +index 28e1b86..cb96ffb 100644 --- a/cron.te +++ b/cron.te @@ -1,4 +1,4 @@ @@ -14086,7 +13919,7 @@ index 28e1b86..9e55dbb 100644 logging_log_filetrans(crond_t, cron_log_t, file) manage_files_pattern(crond_t, crond_var_run_t, crond_var_run_t) -@@ -237,71 +180,67 @@ manage_files_pattern(crond_t, cron_spool_t, cron_spool_t) +@@ -237,72 +180,67 @@ manage_files_pattern(crond_t, cron_spool_t, cron_spool_t) manage_dirs_pattern(crond_t, crond_tmp_t, crond_tmp_t) manage_files_pattern(crond_t, crond_tmp_t, crond_tmp_t) @@ -14185,10 +14018,11 @@ index 28e1b86..9e55dbb 100644 init_spec_domtrans_script(crond_t) -auth_domtrans_chk_passwd(crond_t) - auth_manage_var_auth(crond_t) +-auth_manage_var_auth(crond_t) auth_use_nsswitch(crond_t) -@@ -311,41 +250,42 @@ logging_set_loginuid(crond_t) + logging_send_audit_msgs(crond_t) +@@ -311,41 +249,42 @@ logging_set_loginuid(crond_t) seutil_read_config(crond_t) seutil_read_default_contexts(crond_t) 
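Review bot: Hunk `@@ -237,72 +180,67 @@` of cron.te now removes `auth_manage_var_auth(crond_t)` (the line moves from inner context to an inner `-`), which is a privilege reduction, not a duplicate removal. If crond's PAM session stack still writes under var_auth_t, the denial will surface as an AVC at job start, so either keep the line or record the reduction in the changelog next to the other cron changes. The crond_t section this hunk edits continues outside the hunk on both sides.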
@@ -14247,7 +14081,7 @@ index 28e1b86..9e55dbb 100644 ') optional_policy(` -@@ -353,102 +293,135 @@ optional_policy(` +@@ -353,102 +292,135 @@ optional_policy(` ') optional_policy(` @@ -14412,7 +14246,7 @@ index 28e1b86..9e55dbb 100644 allow system_cronjob_t cron_spool_t:dir list_dir_perms; allow system_cronjob_t cron_spool_t:file rw_file_perms; -@@ -457,11 +430,11 @@ kernel_read_network_state(system_cronjob_t) +@@ -457,11 +429,11 @@ kernel_read_network_state(system_cronjob_t) kernel_read_system_state(system_cronjob_t) kernel_read_software_raid_state(system_cronjob_t) @@ -14425,7 +14259,7 @@ index 28e1b86..9e55dbb 100644 corenet_all_recvfrom_netlabel(system_cronjob_t) corenet_tcp_sendrecv_generic_if(system_cronjob_t) corenet_udp_sendrecv_generic_if(system_cronjob_t) -@@ -481,6 +454,7 @@ fs_getattr_all_symlinks(system_cronjob_t) +@@ -481,6 +453,7 @@ fs_getattr_all_symlinks(system_cronjob_t) fs_getattr_all_pipes(system_cronjob_t) fs_getattr_all_sockets(system_cronjob_t) @@ -14433,7 +14267,7 @@ index 28e1b86..9e55dbb 100644 domain_dontaudit_read_all_domains_state(system_cronjob_t) files_exec_etc_files(system_cronjob_t) -@@ -491,15 +465,19 @@ files_getattr_all_files(system_cronjob_t) +@@ -491,15 +464,19 @@ files_getattr_all_files(system_cronjob_t) files_getattr_all_symlinks(system_cronjob_t) files_getattr_all_pipes(system_cronjob_t) files_getattr_all_sockets(system_cronjob_t) @@ -14456,7 +14290,7 @@ index 28e1b86..9e55dbb 100644 init_domtrans_script(system_cronjob_t) auth_use_nsswitch(system_cronjob_t) -@@ -511,20 +489,23 @@ logging_read_generic_logs(system_cronjob_t) +@@ -511,20 +488,23 @@ logging_read_generic_logs(system_cronjob_t) logging_send_audit_msgs(system_cronjob_t) logging_send_syslog_msg(system_cronjob_t) 
@@ -14483,7 +14317,7 @@ index 28e1b86..9e55dbb 100644 selinux_validate_context(system_cronjob_t) selinux_compute_access_vector(system_cronjob_t) selinux_compute_create_context(system_cronjob_t) -@@ -534,10 +515,17 @@ tunable_policy(`cron_can_relabel',` +@@ -534,10 +514,17 @@ tunable_policy(`cron_can_relabel',` ') optional_policy(` @@ -14501,7 +14335,7 @@ index 28e1b86..9e55dbb 100644 ') optional_policy(` -@@ -546,10 +534,6 @@ optional_policy(` +@@ -546,10 +533,6 @@ optional_policy(` optional_policy(` dbus_system_bus_client(system_cronjob_t) @@ -14512,7 +14346,7 @@ index 28e1b86..9e55dbb 100644 ') optional_policy(` -@@ -581,6 +565,7 @@ optional_policy(` +@@ -581,6 +564,7 @@ optional_policy(` optional_policy(` mta_read_config(system_cronjob_t) mta_send_mail(system_cronjob_t) @@ -14520,7 +14354,7 @@ index 28e1b86..9e55dbb 100644 ') optional_policy(` -@@ -588,15 +573,19 @@ optional_policy(` +@@ -588,15 +572,19 @@ optional_policy(` ') optional_policy(` @@ -14542,7 +14376,7 @@ index 28e1b86..9e55dbb 100644 ') optional_policy(` -@@ -606,6 +595,7 @@ optional_policy(` +@@ -606,6 +594,7 @@ optional_policy(` optional_policy(` spamassassin_manage_lib_files(system_cronjob_t) @@ -14550,7 +14384,7 @@ index 28e1b86..9e55dbb 100644 ') optional_policy(` -@@ -613,12 +603,24 @@ optional_policy(` +@@ -613,12 +602,24 @@ optional_policy(` ') optional_policy(` @@ -14576,7 +14410,7 @@ index 28e1b86..9e55dbb 100644 # allow cronjob_t self:process { signal_perms setsched }; -@@ -626,12 +628,32 @@ allow cronjob_t self:fifo_file rw_fifo_file_perms; +@@ -626,12 +627,32 @@ allow cronjob_t self:fifo_file rw_fifo_file_perms; allow cronjob_t self:unix_stream_socket create_stream_socket_perms; allow cronjob_t self:unix_dgram_socket create_socket_perms; 
@@ -14610,7 +14444,7 @@ index 28e1b86..9e55dbb 100644 corenet_all_recvfrom_netlabel(cronjob_t) corenet_tcp_sendrecv_generic_if(cronjob_t) corenet_udp_sendrecv_generic_if(cronjob_t) -@@ -639,84 +661,149 @@ corenet_tcp_sendrecv_generic_node(cronjob_t) +@@ -639,84 +660,149 @@ corenet_tcp_sendrecv_generic_node(cronjob_t) corenet_udp_sendrecv_generic_node(cronjob_t) corenet_tcp_sendrecv_all_ports(cronjob_t) corenet_udp_sendrecv_all_ports(cronjob_t) @@ -15354,7 +15188,7 @@ index 06da9a0..1a6b35f 100644 + corecmd_bin_filetrans($1, cupsd_rw_etc_t, dir, "inf") ') diff --git a/cups.te b/cups.te -index 9f34c2e..6cfc825 100644 +index 9f34c2e..c7a0a97 100644 --- a/cups.te +++ b/cups.te @@ -62,6 +62,9 @@ files_pid_file(cupsd_var_run_t) @@ -15409,7 +15243,15 @@ index 9f34c2e..6cfc825 100644 files_exec_usr_files(cupsd_t) # for /var/lib/defoma files_read_var_lib_files(cupsd_t) -@@ -247,13 +253,11 @@ auth_dontaudit_read_pam_pid(cupsd_t) +@@ -215,7 +221,6 @@ files_read_world_readable_files(cupsd_t) + files_read_world_readable_symlinks(cupsd_t) + files_read_var_files(cupsd_t) + files_read_var_symlinks(cupsd_t) +-files_write_generic_pid_pipes(cupsd_t) + files_dontaudit_getattr_all_tmp_files(cupsd_t) + files_dontaudit_list_home(cupsd_t) + # for /etc/printcap +@@ -247,13 +252,11 @@ auth_dontaudit_read_pam_pid(cupsd_t) auth_rw_faillog(cupsd_t) auth_use_nsswitch(cupsd_t) @@ -15423,7 +15265,7 @@ index 9f34c2e..6cfc825 100644 miscfiles_read_fonts(cupsd_t) miscfiles_setattr_fonts_cache_dirs(cupsd_t) -@@ -275,6 +279,8 @@ optional_policy(` +@@ -275,6 +278,8 @@ optional_policy(` optional_policy(` dbus_system_bus_client(cupsd_t) @@ -15432,7 +15274,7 @@ index 9f34c2e..6cfc825 100644 userdom_dbus_send_all_users(cupsd_t) optional_policy(` -@@ -285,8 +291,10 @@ optional_policy(` +@@ -285,8 +290,10 @@ optional_policy(` hal_dbus_chat(cupsd_t) ') @@ -15443,7 +15285,7 @@ index 9f34c2e..6cfc825 100644 ') ') -@@ -299,8 +307,8 @@ optional_policy(` +@@ -299,8 +306,8 @@ optional_policy(` ') optional_policy(` 
@@ -15453,7 +15295,7 @@ index 9f34c2e..6cfc825 100644 ') optional_policy(` -@@ -337,7 +345,7 @@ optional_policy(` +@@ -337,7 +344,7 @@ optional_policy(` ') optional_policy(` @@ -15462,7 +15304,7 @@ index 9f34c2e..6cfc825 100644 ') ######################################## -@@ -386,7 +394,6 @@ domtrans_pattern(cupsd_config_t, hplip_exec_t, hplip_t) +@@ -386,7 +393,6 @@ domtrans_pattern(cupsd_config_t, hplip_exec_t, hplip_t) kernel_read_system_state(cupsd_config_t) kernel_read_all_sysctls(cupsd_config_t) @@ -15470,7 +15312,7 @@ index 9f34c2e..6cfc825 100644 corenet_all_recvfrom_netlabel(cupsd_config_t) corenet_tcp_sendrecv_generic_if(cupsd_config_t) corenet_tcp_sendrecv_generic_node(cupsd_config_t) -@@ -404,7 +411,6 @@ dev_read_rand(cupsd_config_t) +@@ -404,7 +410,6 @@ dev_read_rand(cupsd_config_t) dev_rw_generic_usb_dev(cupsd_config_t) files_read_etc_runtime_files(cupsd_config_t) @@ -15478,7 +15320,7 @@ index 9f34c2e..6cfc825 100644 files_read_var_symlinks(cupsd_config_t) files_search_all_mountpoints(cupsd_config_t) -@@ -420,11 +426,8 @@ auth_use_nsswitch(cupsd_config_t) +@@ -420,11 +425,8 @@ auth_use_nsswitch(cupsd_config_t) logging_send_syslog_msg(cupsd_config_t) @@ -15490,7 +15332,7 @@ index 9f34c2e..6cfc825 100644 userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t) userdom_dontaudit_search_user_home_dirs(cupsd_config_t) userdom_read_all_users_state(cupsd_config_t) -@@ -452,6 +455,10 @@ optional_policy(` +@@ -452,6 +454,10 @@ optional_policy(` ') optional_policy(` 
@@ -15501,19 +15343,7 @@ index 9f34c2e..6cfc825 100644 hal_domtrans(cupsd_config_t) hal_read_tmp_files(cupsd_config_t) hal_dontaudit_use_fds(hplip_t) -@@ -470,6 +477,11 @@ optional_policy(` - ') - - optional_policy(` -+ policykit_dbus_chat(cupsd_config_t) -+ userdom_read_all_users_state(cupsd_config_t) -+') -+ -+optional_policy(` - rpm_read_db(cupsd_config_t) - ') - -@@ -513,13 +525,13 @@ kernel_read_kernel_sysctls(cupsd_lpd_t) +@@ -513,13 +519,13 @@ kernel_read_kernel_sysctls(cupsd_lpd_t) kernel_read_system_state(cupsd_lpd_t) kernel_read_network_state(cupsd_lpd_t) @@ -15528,7 +15358,7 @@ index 9f34c2e..6cfc825 100644 corenet_tcp_sendrecv_ipp_port(cupsd_lpd_t) dev_read_urand(cupsd_lpd_t) -@@ -533,7 +545,6 @@ auth_use_nsswitch(cupsd_lpd_t) +@@ -533,7 +539,6 @@ auth_use_nsswitch(cupsd_lpd_t) logging_send_syslog_msg(cupsd_lpd_t) @@ -15536,7 +15366,7 @@ index 9f34c2e..6cfc825 100644 miscfiles_setattr_fonts_cache_dirs(cupsd_lpd_t) optional_policy(` -@@ -562,14 +573,12 @@ fs_search_auto_mountpoints(cups_pdf_t) +@@ -562,14 +567,12 @@ fs_search_auto_mountpoints(cups_pdf_t) kernel_read_system_state(cups_pdf_t) @@ -15551,7 +15381,7 @@ index 9f34c2e..6cfc825 100644 miscfiles_read_fonts(cups_pdf_t) miscfiles_setattr_fonts_cache_dirs(cups_pdf_t) -@@ -582,9 +591,10 @@ tunable_policy(`use_nfs_home_dirs',` +@@ -582,9 +585,10 @@ tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_files(cups_pdf_t) ') @@ -15565,7 +15395,7 @@ index 9f34c2e..6cfc825 100644 ') optional_policy(` -@@ -613,9 +623,16 @@ allow hplip_t hplip_etc_t:dir list_dir_perms; +@@ -613,9 +617,16 @@ allow hplip_t hplip_etc_t:dir list_dir_perms; allow hplip_t hplip_etc_t:file read_file_perms; allow hplip_t hplip_etc_t:lnk_file read_lnk_file_perms; 
@@ -15582,18 +15412,15 @@ index 9f34c2e..6cfc825 100644 manage_fifo_files_pattern(hplip_t, hplip_tmp_t, hplip_tmp_t) files_tmp_filetrans(hplip_t, hplip_tmp_t, fifo_file) -@@ -627,7 +644,9 @@ stream_connect_pattern(hplip_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t) +@@ -627,7 +638,6 @@ stream_connect_pattern(hplip_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t) kernel_read_system_state(hplip_t) kernel_read_kernel_sysctls(hplip_t) -corenet_all_recvfrom_unlabeled(hplip_t) -+# for python -+corecmd_exec_bin(hplip_t) -+ corenet_all_recvfrom_netlabel(hplip_t) corenet_tcp_sendrecv_generic_if(hplip_t) corenet_udp_sendrecv_generic_if(hplip_t) -@@ -644,12 +663,15 @@ corenet_sendrecv_hplip_client_packets(hplip_t) +@@ -644,6 +654,8 @@ corenet_sendrecv_hplip_client_packets(hplip_t) corenet_receive_hplip_server_packets(hplip_t) corenet_tcp_bind_hplip_port(hplip_t) corenet_tcp_connect_hplip_port(hplip_t) @@ -15602,14 +15429,7 @@ index 9f34c2e..6cfc825 100644 corenet_sendrecv_ipp_client_packets(hplip_t) corenet_tcp_connect_ipp_port(hplip_t) - - corenet_sendrecv_howl_server_packets(hplip_t) - corenet_udp_bind_howl_port(hplip_t) -+corenet_tcp_connect_ipp_port(hplip_t) - - corecmd_exec_bin(hplip_t) - -@@ -662,23 +684,25 @@ dev_rw_usbfs(hplip_t) +@@ -662,17 +674,18 @@ dev_rw_usbfs(hplip_t) domain_use_interactive_fds(hplip_t) @@ -15632,14 +15452,7 @@ index 9f34c2e..6cfc825 100644 sysnet_dns_name_resolve(hplip_t) - userdom_dontaudit_use_unpriv_user_fds(hplip_t) - userdom_dontaudit_search_user_home_dirs(hplip_t) - userdom_dontaudit_search_user_home_content(hplip_t) -+userdom_dbus_send_all_users(hplip_t) - - optional_policy(` - dbus_system_bus_client(hplip_t) -@@ -731,7 +755,6 @@ kernel_read_kernel_sysctls(ptal_t) +@@ -731,7 +744,6 @@ kernel_read_kernel_sysctls(ptal_t) kernel_list_proc(ptal_t) kernel_read_proc_symlinks(ptal_t) 
@@ -15647,7 +15460,7 @@ index 9f34c2e..6cfc825 100644 corenet_all_recvfrom_netlabel(ptal_t) corenet_tcp_sendrecv_generic_if(ptal_t) corenet_tcp_sendrecv_generic_node(ptal_t) -@@ -747,7 +770,6 @@ dev_rw_printer(ptal_t) +@@ -747,7 +759,6 @@ dev_rw_printer(ptal_t) domain_use_interactive_fds(ptal_t) @@ -15655,7 +15468,7 @@ index 9f34c2e..6cfc825 100644 files_read_etc_runtime_files(ptal_t) fs_getattr_all_fs(ptal_t) -@@ -755,8 +777,6 @@ fs_search_auto_mountpoints(ptal_t) +@@ -755,8 +766,6 @@ fs_search_auto_mountpoints(ptal_t) logging_send_syslog_msg(ptal_t) @@ -15836,7 +15649,7 @@ index 6508280..a2860e3 100644 domain_system_change_exemption($1) role_transition $2 cyrus_initrc_exec_t system_r; diff --git a/cyrus.te b/cyrus.te -index 395f97c..f35fbae 100644 +index 395f97c..e157463 100644 --- a/cyrus.te +++ b/cyrus.te @@ -26,7 +26,7 @@ files_pid_file(cyrus_var_run_t) @@ -15866,15 +15679,16 @@ index 395f97c..f35fbae 100644 corenet_sendrecv_pop_server_packets(cyrus_t) corenet_tcp_bind_pop_port(cyrus_t) -@@ -90,7 +92,6 @@ domain_use_interactive_fds(cyrus_t) +@@ -90,8 +92,6 @@ domain_use_interactive_fds(cyrus_t) files_list_var_lib(cyrus_t) files_read_etc_runtime_files(cyrus_t) -files_read_usr_files(cyrus_t) - files_dontaudit_write_usr_dirs(cyrus_t) +-files_dontaudit_write_usr_dirs(cyrus_t) fs_getattr_all_fs(cyrus_t) -@@ -102,7 +103,6 @@ libs_exec_lib_files(cyrus_t) + fs_search_auto_mountpoints(cyrus_t) +@@ -102,7 +102,6 @@ libs_exec_lib_files(cyrus_t) logging_send_syslog_msg(cyrus_t) @@ -15882,7 +15696,7 @@ index 395f97c..f35fbae 100644 miscfiles_read_generic_certs(cyrus_t) userdom_use_unpriv_users_fds(cyrus_t) -@@ -116,6 +116,10 @@ optional_policy(` +@@ -116,6 +115,10 @@ optional_policy(` ') optional_policy(` @@ -15893,7 +15707,7 @@ index 395f97c..f35fbae 100644 kerberos_keytab_template(cyrus, cyrus_t) ') -@@ -128,6 +132,7 @@ optional_policy(` +@@ -128,6 +131,7 @@ optional_policy(` ') optional_policy(` 
@@ -16687,7 +16501,7 @@ index afcf3a2..126d543 100644 + dontaudit $1 session_bus_type:dbus send_msg; ') diff --git a/dbus.te b/dbus.te -index 2c2e7e1..6206703 100644 +index 2c2e7e1..4c346e6 100644 --- a/dbus.te +++ b/dbus.te @@ -1,20 +1,18 @@ @@ -17012,7 +16826,7 @@ index 2c2e7e1..6206703 100644 selinux_validate_context(session_bus_type) selinux_compute_access_vector(session_bus_type) selinux_compute_create_context(session_bus_type) -@@ -225,18 +300,39 @@ selinux_compute_user_contexts(session_bus_type) +@@ -225,18 +300,37 @@ selinux_compute_user_contexts(session_bus_type) auth_read_pam_console_data(session_bus_type) logging_send_audit_msgs(session_bus_type) @@ -17034,6 +16848,7 @@ index 2c2e7e1..6206703 100644 +userdom_tmpfs_filetrans(session_bus_type, file) optional_policy(` +- xserver_use_xdm_fds(session_bus_type) + gnome_read_config(session_bus_type) + gnome_read_gconf_home_files(session_bus_type) +') @@ -17048,15 +16863,13 @@ index 2c2e7e1..6206703 100644 + +optional_policy(` + xserver_search_xdm_lib(session_bus_type) -+ xserver_use_xdm_fds(session_bus_type) -+ xserver_rw_xdm_pipes(session_bus_type) - xserver_use_xdm_fds(session_bus_type) xserver_rw_xdm_pipes(session_bus_type) ++ xserver_use_xdm_fds(session_bus_type) + xserver_append_xdm_home_files(session_bus_type) ') ######################################## -@@ -244,5 +340,6 @@ optional_policy(` +@@ -244,5 +338,6 @@ optional_policy(` # Unconfined access to this module # @@ -17237,7 +17050,7 @@ index 5606b40..cd18cf2 100644 domain_system_change_exemption($1) role_transition $2 ddclient_initrc_exec_t system_r; diff --git a/ddclient.te b/ddclient.te -index 0b4b8b9..db7291a 100644 +index 0b4b8b9..2efb435 100644 --- a/ddclient.te +++ b/ddclient.te @@ -38,9 +38,13 @@ files_pid_file(ddclient_var_run_t) 
@@ -17262,17 +17075,16 @@ index 0b4b8b9..db7291a 100644 corenet_all_recvfrom_netlabel(ddclient_t) corenet_tcp_sendrecv_generic_if(ddclient_t) corenet_udp_sendrecv_generic_if(ddclient_t) -@@ -83,6 +86,9 @@ corenet_tcp_sendrecv_generic_node(ddclient_t) +@@ -83,6 +86,8 @@ corenet_tcp_sendrecv_generic_node(ddclient_t) corenet_udp_sendrecv_generic_node(ddclient_t) corenet_tcp_sendrecv_all_ports(ddclient_t) corenet_udp_sendrecv_all_ports(ddclient_t) +corenet_tcp_bind_generic_node(ddclient_t) +corenet_udp_bind_generic_node(ddclient_t) -+corenet_tcp_connect_all_ports(ddclient_t) corenet_sendrecv_all_client_packets(ddclient_t) corenet_tcp_connect_all_ports(ddclient_t) -@@ -92,16 +98,16 @@ dev_read_urand(ddclient_t) +@@ -92,16 +97,16 @@ dev_read_urand(ddclient_t) domain_use_interactive_fds(ddclient_t) @@ -17348,7 +17160,7 @@ index a7326da..c87b5b7 100644 admin_pattern($1, denyhosts_var_lock_t) ') diff --git a/denyhosts.te b/denyhosts.te -index bcb9770..bc1d203 100644 +index bcb9770..b53e611 100644 --- a/denyhosts.te +++ b/denyhosts.te @@ -25,6 +25,9 @@ logging_log_file(denyhosts_var_log_t) @@ -17361,13 +17173,7 @@ index bcb9770..bc1d203 100644 allow denyhosts_t self:capability sys_tty_config; allow denyhosts_t self:fifo_file rw_fifo_file_perms; -@@ -44,11 +47,12 @@ logging_log_filetrans(denyhosts_t, denyhosts_var_log_t, file) - - kernel_read_network_state(denyhosts_t) - kernel_read_system_state(denyhosts_t) -+kernel_read_network_state(denyhosts_t) - -+corecmd_exec_shell(denyhosts_t) +@@ -48,7 +51,6 @@ kernel_read_system_state(denyhosts_t) corecmd_exec_bin(denyhosts_t) corecmd_exec_shell(denyhosts_t) @@ -17375,7 +17181,7 @@ index bcb9770..bc1d203 100644 corenet_all_recvfrom_netlabel(denyhosts_t) corenet_tcp_sendrecv_generic_if(denyhosts_t) corenet_tcp_sendrecv_generic_node(denyhosts_t) -@@ -59,11 +63,11 @@ corenet_tcp_sendrecv_smtp_port(denyhosts_t) +@@ -59,11 +61,11 @@ corenet_tcp_sendrecv_smtp_port(denyhosts_t) dev_read_urand(denyhosts_t) 
@@ -17389,7 +17195,7 @@ index bcb9770..bc1d203 100644 sysnet_dns_name_resolve(denyhosts_t) sysnet_manage_config(denyhosts_t) sysnet_etc_filetrans_config(denyhosts_t) -@@ -71,3 +75,7 @@ sysnet_etc_filetrans_config(denyhosts_t) +@@ -71,3 +73,7 @@ sysnet_etc_filetrans_config(denyhosts_t) optional_policy(` cron_system_entry(denyhosts_t, denyhosts_exec_t) ') @@ -17730,7 +17536,7 @@ index d294865..3b4f593 100644 + logging_log_filetrans($1, devicekit_var_log_t, file, "pm-suspend.log") ') diff --git a/devicekit.te b/devicekit.te -index ff933af..1aa58d4 100644 +index ff933af..979a3de 100644 --- a/devicekit.te +++ b/devicekit.te @@ -7,15 +7,15 @@ policy_module(devicekit, 1.2.1) 
@@ -17775,18 +17581,20 @@ index ff933af..1aa58d4 100644 allow devicekit_disk_t self:process { getsched signal_perms }; allow devicekit_disk_t self:fifo_file rw_fifo_file_perms; allow devicekit_disk_t self:netlink_kobject_uevent_socket create_socket_perms; -@@ -81,7 +81,10 @@ allow devicekit_disk_t devicekit_var_run_t:dir mounton; +@@ -81,10 +81,11 @@ allow devicekit_disk_t devicekit_var_run_t:dir mounton; manage_dirs_pattern(devicekit_disk_t, devicekit_var_run_t, devicekit_var_run_t) manage_files_pattern(devicekit_disk_t, devicekit_var_run_t, devicekit_var_run_t) files_pid_filetrans(devicekit_disk_t, devicekit_var_run_t, { dir file }) +files_filetrans_named_content(devicekit_disk_t) -+kernel_list_unlabeled(devicekit_disk_t) +kernel_dontaudit_getattr_unlabeled_files(devicekit_disk_t) kernel_getattr_message_if(devicekit_disk_t) kernel_list_unlabeled(devicekit_disk_t) - kernel_dontaudit_getattr_unlabeled_files(devicekit_disk_t) -@@ -98,6 +101,7 @@ corecmd_getattr_all_executables(devicekit_disk_t) +-kernel_dontaudit_getattr_unlabeled_files(devicekit_disk_t) + kernel_read_fs_sysctls(devicekit_disk_t) + kernel_read_network_state(devicekit_disk_t) + kernel_read_software_raid_state(devicekit_disk_t) +@@ -98,6 +99,7 @@ corecmd_getattr_all_executables(devicekit_disk_t) dev_getattr_all_chr_files(devicekit_disk_t) dev_getattr_mtrr_dev(devicekit_disk_t) @@ -17794,7 +17602,7 @@ index ff933af..1aa58d4 100644 dev_getattr_usbfs_dirs(devicekit_disk_t) dev_manage_generic_files(devicekit_disk_t) dev_read_urand(devicekit_disk_t) -@@ -117,7 +121,6 @@ files_manage_boot_dirs(devicekit_disk_t) +@@ -117,7 +119,6 @@ files_manage_boot_dirs(devicekit_disk_t) files_manage_isid_type_dirs(devicekit_disk_t) files_manage_mnt_dirs(devicekit_disk_t) files_read_etc_runtime_files(devicekit_disk_t) 
@@ -17802,7 +17610,7 @@ index ff933af..1aa58d4 100644 fs_getattr_all_fs(devicekit_disk_t) fs_list_inotifyfs(devicekit_disk_t) -@@ -134,16 +137,18 @@ storage_raw_write_fixed_disk(devicekit_disk_t) +@@ -134,16 +135,18 @@ storage_raw_write_fixed_disk(devicekit_disk_t) storage_raw_read_removable_device(devicekit_disk_t) storage_raw_write_removable_device(devicekit_disk_t) @@ -17823,7 +17631,7 @@ index ff933af..1aa58d4 100644 dbus_system_bus_client(devicekit_disk_t) allow devicekit_disk_t devicekit_t:dbus send_msg; -@@ -167,6 +172,7 @@ optional_policy(` +@@ -167,6 +170,7 @@ optional_policy(` optional_policy(` mount_domtrans(devicekit_disk_t) @@ -17831,7 +17639,7 @@ index ff933af..1aa58d4 100644 ') optional_policy(` -@@ -180,6 +186,10 @@ optional_policy(` +@@ -180,6 +184,10 @@ optional_policy(` ') optional_policy(` @@ -17842,7 +17650,7 @@ index ff933af..1aa58d4 100644 udev_domtrans(devicekit_disk_t) udev_read_db(devicekit_disk_t) ') -@@ -188,17 +198,27 @@ optional_policy(` +@@ -188,12 +196,19 @@ optional_policy(` virt_manage_images(devicekit_disk_t) ') 
@@ -17863,15 +17671,7 @@ index ff933af..1aa58d4 100644 allow devicekit_power_t self:process { getsched signal_perms }; allow devicekit_power_t self:fifo_file rw_fifo_file_perms; allow devicekit_power_t self:unix_dgram_socket create_socket_perms; - allow devicekit_power_t self:netlink_kobject_uevent_socket create_socket_perms; - -+manage_files_pattern(devicekit_power_t, devicekit_var_log_t, devicekit_var_log_t) -+logging_log_filetrans(devicekit_power_t, devicekit_var_log_t, file) -+ - manage_dirs_pattern(devicekit_power_t, devicekit_tmp_t, devicekit_tmp_t) - manage_files_pattern(devicekit_power_t, devicekit_tmp_t, devicekit_tmp_t) - files_tmp_filetrans(devicekit_power_t, devicekit_tmp_t, { file dir }) -@@ -242,17 +262,17 @@ domain_read_all_domains_state(devicekit_power_t) +@@ -242,17 +257,16 @@ domain_read_all_domains_state(devicekit_power_t) files_read_kernel_img(devicekit_power_t) files_read_etc_runtime_files(devicekit_power_t) @@ -17880,7 +17680,6 @@ index ff933af..1aa58d4 100644 fs_getattr_all_fs(devicekit_power_t) fs_list_inotifyfs(devicekit_power_t) -+fs_getattr_all_fs(devicekit_power_t) -term_use_all_terms(devicekit_power_t) +term_use_all_inherited_terms(devicekit_power_t) @@ -17892,7 +17691,7 @@ index ff933af..1aa58d4 100644 sysnet_domtrans_ifconfig(devicekit_power_t) sysnet_domtrans_dhcpc(devicekit_power_t) -@@ -269,9 +289,11 @@ optional_policy(` +@@ -269,9 +283,11 @@ optional_policy(` optional_policy(` cron_initrc_domtrans(devicekit_power_t) @@ -17904,7 +17703,7 @@ index ff933af..1aa58d4 100644 dbus_system_bus_client(devicekit_power_t) allow devicekit_power_t devicekit_t:dbus send_msg; -@@ -302,8 +324,11 @@ optional_policy(` +@@ -302,8 +318,11 @@ optional_policy(` ') optional_policy(` 
@@ -17917,15 +17716,7 @@ index ff933af..1aa58d4 100644 hal_manage_pid_dirs(devicekit_power_t) hal_manage_pid_files(devicekit_power_t) ') -@@ -321,6 +346,7 @@ optional_policy(` - ') - - optional_policy(` -+ policykit_dbus_chat(devicekit_power_t) - policykit_domtrans_auth(devicekit_power_t) - policykit_read_lib(devicekit_power_t) - policykit_read_reload(devicekit_power_t) -@@ -341,3 +367,9 @@ optional_policy(` +@@ -341,3 +360,9 @@ optional_policy(` optional_policy(` vbetool_domtrans(devicekit_power_t) ') @@ -18017,7 +17808,7 @@ index c697edb..31d45bf 100644 + allow $1 dhcpd_unit_file_t:service all_service_perms; ') diff --git a/dhcp.te b/dhcp.te -index c93c3db..f14723d 100644 +index c93c3db..cdb4d60 100644 --- a/dhcp.te +++ b/dhcp.te @@ -20,6 +20,9 @@ init_daemon_domain(dhcpd_t, dhcpd_exec_t) @@ -18055,7 +17846,7 @@ index c93c3db..f14723d 100644 sysnet_read_dhcp_config(dhcpd_t) userdom_dontaudit_use_unpriv_user_fds(dhcpd_t) -@@ -113,6 +112,19 @@ tunable_policy(`dhcpd_use_ldap',` +@@ -113,11 +112,20 @@ tunable_policy(`dhcpd_use_ldap',` sysnet_use_ldap(dhcpd_t) ') @@ -18063,17 +17854,18 @@ index c93c3db..f14723d 100644 + allow dhcpd_t self:capability { chown dac_override setgid setuid sys_chroot }; +') + -+optional_policy(` + optional_policy(` + # used for dynamic DNS -+ bind_read_dnssec_keys(dhcpd_t) -+') -+ -+optional_policy(` + bind_read_dnssec_keys(dhcpd_t) + ') + + optional_policy(` + cobbler_dontaudit_rw_log(dhcpd_t) +') + - optional_policy(` - bind_read_dnssec_keys(dhcpd_t) ++optional_policy(` + dbus_system_bus_client(dhcpd_t) + dbus_connect_system_bus(dhcpd_t) ') diff --git a/dictd.if b/dictd.if index 3cc3494..cb0a1f4 100644 @@ -18932,10 +18724,10 @@ index 671d3c0..6d36c95 100644 ##################################### diff --git a/djbdns.te b/djbdns.te -index 463d290..2f66c34 100644 +index 463d290..df50e4c 100644 --- a/djbdns.te 
+++ b/djbdns.te -@@ -48,11 +48,16 @@ corenet_udp_bind_generic_port(djbdns_domain) +@@ -48,6 +48,10 @@ corenet_udp_bind_generic_port(djbdns_domain) files_search_var(djbdns_domain) @@ -18946,12 +18738,6 @@ index 463d290..2f66c34 100644 ######################################## # # axfrdns local policy - # - -+ucspitcp_service_domain(djbdns_axfrdns_t, djbdns_axfrdns_exec_t) - allow djbdns_axfrdns_t { djbdns_tinydns_t djbdns_tinydns_conf_t }:dir list_dir_perms; - allow djbdns_axfrdns_t { djbdns_tinydns_t djbdns_tinydns_conf_t }:file read_file_perms; - diff --git a/dkim.fc b/dkim.fc index 5818418..674367b 100644 --- a/dkim.fc @@ -19186,7 +18972,7 @@ index 19aa0b8..b303b37 100644 + allow $1 dnsmasq_unit_file_t:service all_service_perms; ') diff --git a/dnsmasq.te b/dnsmasq.te -index ba14bcf..f33d9f5 100644 +index ba14bcf..363af2a 100644 --- a/dnsmasq.te +++ b/dnsmasq.te @@ -24,6 +24,9 @@ logging_log_file(dnsmasq_var_log_t) @@ -19216,7 +19002,7 @@ index ba14bcf..f33d9f5 100644 userdom_dontaudit_use_unpriv_user_fds(dnsmasq_t) userdom_dontaudit_search_user_home_dirs(dnsmasq_t) -@@ -98,11 +98,24 @@ optional_policy(` +@@ -98,11 +98,16 @@ optional_policy(` ') optional_policy(` @@ -19230,18 +19016,10 @@ index ba14bcf..f33d9f5 100644 optional_policy(` + networkmanager_read_conf(dnsmasq_t) -+ networkmanager_read_pid_files(dnsmasq_t) -+') -+ -+optional_policy(` -+ ppp_read_pid_files(dnsmasq_t) -+') -+ -+optional_policy(` networkmanager_read_pid_files(dnsmasq_t) ') -@@ -124,6 +137,7 @@ optional_policy(` +@@ -124,6 +129,7 @@ optional_policy(` optional_policy(` virt_manage_lib_files(dnsmasq_t) @@ -21130,20 +20908,10 @@ index 50d0084..6565422 100644 fail2ban_run_client($1, $2) diff --git a/fail2ban.te b/fail2ban.te -index 0872e50..e985043 100644 +index 0872e50..d49f5ad 100644 --- a/fail2ban.te 
+++ b/fail2ban.te -@@ -60,12 +60,16 @@ manage_sock_files_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t) - manage_files_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t) - files_pid_filetrans(fail2ban_t, fail2ban_var_run_t, file) - -+manage_dirs_pattern(fail2ban_t, fail2ban_tmp_t, fail2ban_tmp_t) -+manage_files_pattern(fail2ban_t, fail2ban_tmp_t, fail2ban_tmp_t) -+exec_files_pattern(fail2ban_t, fail2ban_tmp_t, fail2ban_tmp_t) -+files_tmp_filetrans(fail2ban_t, fail2ban_tmp_t, { dir file }) -+ - kernel_read_system_state(fail2ban_t) - +@@ -65,7 +65,6 @@ kernel_read_system_state(fail2ban_t) corecmd_exec_bin(fail2ban_t) corecmd_exec_shell(fail2ban_t) @@ -21151,7 +20919,7 @@ index 0872e50..e985043 100644 corenet_all_recvfrom_netlabel(fail2ban_t) corenet_tcp_sendrecv_generic_if(fail2ban_t) corenet_tcp_sendrecv_generic_node(fail2ban_t) -@@ -80,7 +84,6 @@ domain_use_interactive_fds(fail2ban_t) +@@ -80,7 +79,6 @@ domain_use_interactive_fds(fail2ban_t) domain_dontaudit_read_all_domains_state(fail2ban_t) files_read_etc_runtime_files(fail2ban_t) @@ -21159,24 +20927,22 @@ index 0872e50..e985043 100644 files_list_var(fail2ban_t) files_dontaudit_list_tmp(fail2ban_t) -@@ -92,13 +95,14 @@ auth_use_nsswitch(fail2ban_t) +@@ -92,12 +90,10 @@ auth_use_nsswitch(fail2ban_t) logging_read_all_logs(fail2ban_t) logging_send_syslog_msg(fail2ban_t) -miscfiles_read_localization(fail2ban_t) -- ++mta_send_mail(fail2ban_t) + sysnet_manage_config(fail2ban_t) - sysnet_etc_filetrans_config(fail2ban_t) - - mta_send_mail(fail2ban_t) - -+sysnet_manage_config(fail2ban_t) +-sysnet_etc_filetrans_config(fail2ban_t) +- +-mta_send_mail(fail2ban_t) +sysnet_filetrans_named_content(fail2ban_t) -+ + optional_policy(` apache_read_log(fail2ban_t) - ') -@@ -108,6 +112,10 @@ optional_policy(` +@@ -108,6 +104,10 @@ optional_policy(` ') optional_policy(` 
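Review bot: The new side of hunk `@@ -65,7 +65,6 @@` no longer adds the `fail2ban_tmp_t` rules (`manage_dirs_pattern`, `manage_files_pattern`, `exec_files_pattern`, `files_tmp_filetrans`), which is a sound tightening: letting fail2ban_t execute files it writes itself under /tmp would undo the separation the domain is meant to provide. If fail2ban.te outside this hunk still declares `type fail2ban_tmp_t;` or fail2ban.fc still labels paths with it, those should go in the same commit, otherwise the module declares a type nothing grants access to. In the following hunk `@@ -92,12 +90,10 @@` the swap of `sysnet_etc_filetrans_config(fail2ban_t)` for `sysnet_filetrans_named_content(fail2ban_t)` is presumably a change in which /etc names get a transition, so it deserves its own changelog line rather than being folded under "remove duplicate rules".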
@@ -21187,7 +20953,7 @@ index 0872e50..e985043 100644 iptables_domtrans(fail2ban_t) ') -@@ -137,14 +145,10 @@ corecmd_exec_bin(fail2ban_client_t) +@@ -137,14 +137,10 @@ corecmd_exec_bin(fail2ban_client_t) domain_use_interactive_fds(fail2ban_client_t) @@ -21249,18 +21015,19 @@ index c3f7916..cab3954 100644 admin_pattern($1, fetchmail_etc_t) diff --git a/fetchmail.te b/fetchmail.te -index f0388cb..73521ff 100644 +index f0388cb..fd440f8 100644 --- a/fetchmail.te +++ b/fetchmail.te -@@ -50,10 +50,19 @@ logging_log_filetrans(fetchmail_t, fetchmail_log_t, { dir file }) - allow fetchmail_t fetchmail_uidl_cache_t:file manage_file_perms; - mta_spool_filetrans(fetchmail_t, fetchmail_uidl_cache_t, file) +@@ -39,8 +39,6 @@ allow fetchmail_t self:unix_stream_socket { accept listen }; -+manage_dirs_pattern(fetchmail_t, fetchmail_log_t, fetchmail_log_t) -+manage_files_pattern(fetchmail_t, fetchmail_log_t, fetchmail_log_t) -+logging_log_filetrans(fetchmail_t, fetchmail_log_t, { dir file }) -+ - manage_dirs_pattern(fetchmail_t, fetchmail_var_run_t, fetchmail_var_run_t) + allow fetchmail_t fetchmail_etc_t:file read_file_perms; + +-read_files_pattern(fetchmail_t, fetchmail_home_t, fetchmail_home_t) +- + manage_dirs_pattern(fetchmail_t, fetchmail_log_t, fetchmail_log_t) + append_files_pattern(fetchmail_t, fetchmail_log_t, fetchmail_log_t) + create_files_pattern(fetchmail_t, fetchmail_log_t, fetchmail_log_t) +@@ -54,6 +52,11 @@ manage_dirs_pattern(fetchmail_t, fetchmail_var_run_t, fetchmail_var_run_t) manage_files_pattern(fetchmail_t, fetchmail_var_run_t, fetchmail_var_run_t) files_pid_filetrans(fetchmail_t, fetchmail_var_run_t, dir) @@ -21272,7 +21039,7 @@ index f0388cb..73521ff 100644 kernel_read_kernel_sysctls(fetchmail_t) kernel_list_proc(fetchmail_t) kernel_getattr_proc_files(fetchmail_t) -@@ -63,7 +72,6 @@ kernel_dontaudit_read_system_state(fetchmail_t) +@@ -63,7 +66,6 @@ kernel_dontaudit_read_system_state(fetchmail_t) corecmd_exec_bin(fetchmail_t) corecmd_exec_shell(fetchmail_t) 
@@ -21280,7 +21047,7 @@ index f0388cb..73521ff 100644 corenet_all_recvfrom_netlabel(fetchmail_t) corenet_tcp_sendrecv_generic_if(fetchmail_t) corenet_tcp_sendrecv_generic_node(fetchmail_t) -@@ -84,17 +92,20 @@ fs_search_auto_mountpoints(fetchmail_t) +@@ -84,15 +86,17 @@ fs_search_auto_mountpoints(fetchmail_t) domain_use_interactive_fds(fetchmail_t) @@ -21293,16 +21060,14 @@ index f0388cb..73521ff 100644 miscfiles_read_generic_certs(fetchmail_t) userdom_dontaudit_use_unpriv_user_fds(fetchmail_t) - userdom_search_user_home_dirs(fetchmail_t) - - optional_policy(` -+ kerberos_use(fetchmail_t) -+') +-userdom_search_user_home_dirs(fetchmail_t) + +optional_policy(` - procmail_domtrans(fetchmail_t) - ') ++ kerberos_use(fetchmail_t) ++') + optional_policy(` + procmail_domtrans(fetchmail_t) diff --git a/finger.te b/finger.te index af4b6d7..92245bf 100644 --- a/finger.te @@ -21819,7 +21584,7 @@ index c12c067..3b01d01 100644 optional_policy(` diff --git a/fprintd.te b/fprintd.te -index c81b6e8..5794a7b 100644 +index c81b6e8..7575a9b 100644 --- a/fprintd.te +++ b/fprintd.te @@ -30,14 +30,10 @@ dev_list_usbfs(fprintd_t) @@ -21837,20 +21602,16 @@ index c81b6e8..5794a7b 100644 userdom_use_user_ptys(fprintd_t) userdom_read_all_users_state(fprintd_t) -@@ -55,7 +51,17 @@ optional_policy(` +@@ -54,8 +50,13 @@ optional_policy(` + ') ') ++ optional_policy(` - policykit_domtrans_auth(fprintd_t) -+ dbus_system_domain(fprintd_t, fprintd_exec_t) -+') -+ -+optional_policy(` policykit_read_reload(fprintd_t) policykit_read_lib(fprintd_t) -+ policykit_dbus_chat(fprintd_t) + policykit_domtrans_auth(fprintd_t) -+ policykit_dbus_chat_auth(fprintd_t) +') + +optional_policy(` @@ -21964,7 +21725,7 @@ index d062080..e098a40 100644 ftp_run_ftpdctl($1, $2) ') diff --git a/ftp.te b/ftp.te -index e50f33c..11dedd5 100644 +index e50f33c..45c02b7 100644 --- a/ftp.te +++ b/ftp.te @@ -13,7 +13,7 @@ policy_module(ftp, 1.14.1) 
@@ -22039,15 +21800,14 @@ index e50f33c..11dedd5 100644 corenet_all_recvfrom_netlabel(ftpd_t) corenet_tcp_sendrecv_generic_if(ftpd_t) corenet_udp_sendrecv_generic_if(ftpd_t) -@@ -223,10 +228,13 @@ corenet_tcp_bind_ftp_port(ftpd_t) - +@@ -224,9 +229,12 @@ corenet_tcp_bind_ftp_port(ftpd_t) corenet_sendrecv_ftp_data_server_packets(ftpd_t) corenet_tcp_bind_ftp_data_port(ftpd_t) + +corenet_tcp_bind_generic_port(ftpd_t) +corenet_tcp_bind_all_ephemeral_ports(ftpd_t) +corenet_tcp_connect_all_ephemeral_ports(ftpd_t) -+corenet_sendrecv_ftp_server_packets(ftpd_t) - ++ domain_use_interactive_fds(ftpd_t) -files_read_etc_files(ftpd_t) @@ -22496,7 +22256,7 @@ index 9eacb2c..229782f 100644 init_labeled_script_domtrans($1, { glance_api_initrc_exec_t glance_registry_initrc_exec_t }) domain_system_change_exemption($1) diff --git a/glance.te b/glance.te -index e0a4f46..8892bda 100644 +index e0a4f46..be03e22 100644 --- a/glance.te +++ b/glance.te @@ -7,8 +7,7 @@ policy_module(glance, 1.0.2) 
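Review bot: The new side of the ftp.te hunk keeps `corenet_tcp_bind_generic_port(ftpd_t)`, `corenet_tcp_bind_all_ephemeral_ports(ftpd_t)` and `corenet_tcp_connect_all_ephemeral_ports(ftpd_t)` unconditional, so a confined ftpd may bind any unreserved port rather than only the ftp, ftp-data and passive-mode ephemeral range. This hunk only drops `corenet_sendrecv_ftp_server_packets(ftpd_t)`, but it is the one that touches these rules, and nothing in the visible context explains why the generic-port bind is needed on top of the ephemeral one. If this tree carries a tunable for ftpd's wide-port access (upstream uses `ftpd_connect_all_unreserved`), the bind rules belong inside a matching `tunable_policy(` block; if they must stay unconditional, a comment such as `# passive mode needs ephemeral ports; generic_port bind is wider than that` should record the reason.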
@@ -22564,24 +22324,26 @@ index e0a4f46..8892bda 100644 logging_send_syslog_msg(glance_registry_t) -@@ -108,8 +109,12 @@ manage_files_pattern(glance_api_t, glance_tmp_t, glance_tmp_t) +@@ -108,13 +109,19 @@ manage_files_pattern(glance_api_t, glance_tmp_t, glance_tmp_t) files_tmp_filetrans(glance_api_t, glance_tmp_t, { dir file }) can_exec(glance_api_t, glance_tmp_t) -corenet_sendrecv_armtechdaemon_server_packets(glance_api_t) -corenet_tcp_bind_armtechdaemon_port(glance_api_t) +- +-corenet_sendrecv_hplip_server_packets(glance_api_t) +-corenet_tcp_bind_hplip_port(glance_api_t) +corenet_tcp_bind_generic_node(glance_api_t) -+ -+corenet_tcp_bind_glance_port(glance_api_t) -+corenet_tcp_connect_glance_registry_port(glance_api_t) -+ -+corenet_tcp_connect_all_ephemeral_ports(glance_api_t) - corenet_sendrecv_hplip_server_packets(glance_api_t) - corenet_tcp_bind_hplip_port(glance_api_t) -@@ -118,3 +123,7 @@ corenet_sendrecv_glance_registry_client_packets(glance_api_t) ++corenet_tcp_bind_glance_port(glance_api_t) + corenet_sendrecv_glance_registry_client_packets(glance_api_t) corenet_tcp_connect_glance_registry_port(glance_api_t) ++corenet_tcp_connect_all_ephemeral_ports(glance_api_t) ++ ++corenet_sendrecv_hplip_server_packets(glance_api_t) ++corenet_tcp_bind_hplip_port(glance_api_t) ++ fs_getattr_xattr_fs(glance_api_t) + +optional_policy(` @@ -23152,7 +22914,7 @@ index e39de43..52e5a3a 100644 +/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) +/usr/libexec/kde(3|4)/ksysguardprocesslist_helper -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) diff --git a/gnome.if b/gnome.if -index d03fd43..2d6e6bb 100644 +index d03fd43..f73c152 100644 --- a/gnome.if +++ b/gnome.if @@ -1,123 +1,155 @@ @@ -24242,7 +24004,7 @@ index d03fd43..2d6e6bb 100644 ## ## ## -@@ -704,12 +813,772 @@ interface(`gnome_stream_connect_gkeyringd',` +@@ -704,12 +813,773 @@ interface(`gnome_stream_connect_gkeyringd',` ## ## # 
@@ -24934,6 +24696,7 @@ index d03fd43..2d6e6bb 100644 + filetrans_pattern($1, data_home_t, gkeyringd_gnome_home_t, dir, "keyrings") + filetrans_pattern($1, gconf_home_t, data_home_t, dir, "share") + filetrans_pattern($1, data_home_t, icc_data_home_t, dir, "icc") ++ filetrans_pattern($1, cache_home_t, cache_home_t, dir, "fontconfig") + userdom_user_tmp_filetrans($1, config_home_t, dir, "dconf") + gnome_filetrans_gstreamer_home_content($1) +') @@ -25852,7 +25615,7 @@ index 180f1b7..951b790 100644 + userdom_user_home_dir_filetrans($1, gpg_secret_t, dir, ".gnupg") +') diff --git a/gpg.te b/gpg.te -index 44cf341..7c83c74 100644 +index 44cf341..d80e7c0 100644 --- a/gpg.te +++ b/gpg.te @@ -1,47 +1,47 @@ @@ -25924,7 +25687,7 @@ index 44cf341..7c83c74 100644 type gpg_secret_t; typealias gpg_secret_t alias { user_gpg_secret_t staff_gpg_secret_t sysadm_gpg_secret_t }; -@@ -52,112 +52,111 @@ type gpg_helper_t; +@@ -52,112 +52,107 @@ type gpg_helper_t; type gpg_helper_exec_t; typealias gpg_helper_t alias { user_gpg_helper_t staff_gpg_helper_t sysadm_gpg_helper_t }; typealias gpg_helper_t alias { auditadm_gpg_helper_t secadm_gpg_helper_t }; @@ -25986,10 +25749,6 @@ index 44cf341..7c83c74 100644 files_tmp_filetrans(gpg_t, gpg_agent_tmp_t, { dir file }) -manage_dirs_pattern(gpg_t, gpg_secret_t, gpg_secret_t) -+domtrans_pattern(gpg_t, gpg_agent_exec_t, gpg_agent_t) -+ -+# transition from the gpg domain to the helper domain -+domtrans_pattern(gpg_t, gpg_helper_exec_t, gpg_helper_t) + +allow gpg_t gpg_secret_t:dir create_dir_perms; manage_sock_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t) @@ -26087,7 +25846,7 @@ index 44cf341..7c83c74 100644 ') optional_policy(` -@@ -165,37 +164,49 @@ optional_policy(` +@@ -165,37 +160,51 @@ optional_policy(` ') optional_policy(` 
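Review bot: The added `filetrans_pattern($1, cache_home_t, cache_home_t, dir, "fontconfig")` names the same type as its parent, so unless an unnamed transition elsewhere relabels new dirs under `cache_home_t` (not visible here) the `type_transition` it generates is a no-op and the line only grants `$1` create/rw rights on `cache_home_t` directories. The commit message targets `HOMEDIR/.fontconfig`, whose parent is the user home directory rather than `~/.cache`; a home-dir variant along the lines of the neighbouring `userdom_user_tmp_filetrans($1, config_home_t, dir, "dconf")` entry, e.g. `userdom_user_home_dir_filetrans($1, cache_home_t, dir, ".fontconfig")`, would match that intent. If the `~/.cache/fontconfig` rule is deliberately overriding a broader transition, a one-line comment naming that transition would keep the next reader from deleting it as redundant. The enclosing interface's header lies outside this hunk.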
@@ -26111,6 +25870,8 @@ index 44cf341..7c83c74 100644 +# GPG helper local policy # ++domtrans_pattern(gpg_t, gpg_agent_exec_t, gpg_agent_t) ++ allow gpg_helper_t self:process { getsched setsched }; + +# for helper programs (which automatically fetch keys) @@ -26148,7 +25909,7 @@ index 44cf341..7c83c74 100644 tunable_policy(`use_nfs_home_dirs',` fs_dontaudit_rw_nfs_files(gpg_helper_t) -@@ -207,29 +218,33 @@ tunable_policy(`use_samba_home_dirs',` +@@ -207,29 +216,33 @@ tunable_policy(`use_samba_home_dirs',` ######################################## # @@ -26189,7 +25950,7 @@ index 44cf341..7c83c74 100644 corecmd_exec_shell(gpg_agent_t) dev_read_rand(gpg_agent_t) -@@ -239,32 +254,27 @@ domain_use_interactive_fds(gpg_agent_t) +@@ -239,32 +252,27 @@ domain_use_interactive_fds(gpg_agent_t) fs_dontaudit_list_inotifyfs(gpg_agent_t) @@ -26214,14 +25975,14 @@ index 44cf341..7c83c74 100644 userdom_manage_user_home_content_dirs(gpg_agent_t) userdom_manage_user_home_content_files(gpg_agent_t) - userdom_user_home_dir_filetrans_user_home_content(gpg_agent_t, file) - ') - +-') +- -tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs(gpg_agent_t) - fs_manage_nfs_files(gpg_agent_t) - fs_manage_nfs_symlinks(gpg_agent_t) --') -- + ') + -tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_dirs(gpg_agent_t) - fs_manage_cifs_files(gpg_agent_t) @@ -26231,7 +25992,7 @@ index 44cf341..7c83c74 100644 optional_policy(` mozilla_dontaudit_rw_user_home_files(gpg_agent_t) -@@ -277,8 +287,17 @@ optional_policy(` +@@ -277,8 +285,17 @@ optional_policy(` allow gpg_pinentry_t self:process { getcap getsched setsched signal }; allow gpg_pinentry_t self:fifo_file rw_fifo_file_perms; 
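Review bot: `domtrans_pattern(gpg_t, gpg_agent_exec_t, gpg_agent_t)` is added directly under the `# GPG helper local policy` header, but it is a rule on `gpg_t`, not on `gpg_helper_t`, and the previous gpg.te hunk in this commit removed the same line from the gpg_t section together with `domtrans_pattern(gpg_t, gpg_helper_exec_t, gpg_helper_t)`. Either the removed copy was not a duplicate and this re-add belongs back in the gpg_t section, or it is still present upstream and this line is now the duplicate; placing it under the helper header makes the next deduplication pass likely to get it wrong again. The helper transition does not appear on the new side of any hunk visible here, so please confirm upstream still carries `domtrans_pattern(gpg_t, gpg_helper_exec_t, gpg_helper_t)`; without it the key-fetching helpers would either be denied or run in gpg_t instead of the more restricted gpg_helper_t.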
@@ -26250,7 +26011,7 @@ index 44cf341..7c83c74 100644 manage_sock_files_pattern(gpg_pinentry_t, gpg_pinentry_tmp_t, gpg_pinentry_tmp_t) userdom_user_tmp_filetrans(gpg_pinentry_t, gpg_pinentry_tmp_t, sock_file) -@@ -287,53 +306,89 @@ manage_dirs_pattern(gpg_pinentry_t, gpg_pinentry_tmpfs_t, gpg_pinentry_tmpfs_t) +@@ -287,53 +304,89 @@ manage_dirs_pattern(gpg_pinentry_t, gpg_pinentry_tmpfs_t, gpg_pinentry_tmpfs_t) manage_files_pattern(gpg_pinentry_t, gpg_pinentry_tmpfs_t, gpg_pinentry_tmpfs_t) fs_tmpfs_filetrans(gpg_pinentry_t, gpg_pinentry_tmpfs_t, { file dir }) @@ -26389,18 +26150,11 @@ index 3226f52..68b2eb8 100644 optional_policy(` seutil_sigchld_newrole(gpm_t) diff --git a/gpsd.te b/gpsd.te -index 25f09ae..61d3e29 100644 +index 25f09ae..2200e6d 100644 --- a/gpsd.te +++ b/gpsd.te -@@ -60,14 +60,25 @@ dev_rw_realtime_clock(gpsd_t) +@@ -62,13 +62,13 @@ domain_dontaudit_read_all_domains_state(gpsd_t) - domain_dontaudit_read_all_domains_state(gpsd_t) - -+dev_read_sysfs(gpsd_t) -+dev_rw_realtime_clock(gpsd_t) -+ -+domain_dontaudit_read_all_domains_state(gpsd_t) -+ term_use_unallocated_ttys(gpsd_t) term_setattr_unallocated_ttys(gpsd_t) +term_use_usb_ttys(gpsd_t) @@ -26411,14 +26165,10 @@ index 25f09ae..61d3e29 100644 logging_send_syslog_msg(gpsd_t) -miscfiles_read_localization(gpsd_t) -+optional_policy(` -+ chronyd_rw_shm(gpsd_t) -+ chronyd_stream_connect(gpsd_t) -+ chronyd_dgram_send(gpsd_t) -+') - +- optional_policy(` chronyd_rw_shm(gpsd_t) + chronyd_stream_connect(gpsd_t) diff --git a/guest.te b/guest.te index d928711..93d2d83 100644 --- a/guest.te @@ -26615,17 +26365,15 @@ index 580b533..c267cea 100644 domain_system_change_exemption($1) role_transition $2 icecast_initrc_exec_t system_r; diff --git a/icecast.te b/icecast.te -index ac6f9d5..73f5015 100644 +index ac6f9d5..6097225 100644 --- a/icecast.te 
+++ b/icecast.te -@@ -65,12 +65,12 @@ dev_read_sysfs(icecast_t) +@@ -65,12 +65,8 @@ dev_read_sysfs(icecast_t) dev_read_urand(icecast_t) dev_read_rand(icecast_t) -+auth_use_nsswitch(icecast_t) -+ - domain_use_interactive_fds(icecast_t) - +-domain_use_interactive_fds(icecast_t) +- auth_use_nsswitch(icecast_t) -miscfiles_read_localization(icecast_t) @@ -26711,7 +26459,7 @@ index fbb54e7..b347964 100644 ######################################## diff --git a/inetd.te b/inetd.te -index 1a5ed62..5eebf38 100644 +index 1a5ed62..9762e4a 100644 --- a/inetd.te +++ b/inetd.te @@ -37,9 +37,9 @@ ifdef(`enable_mcs',` @@ -26738,7 +26486,7 @@ index 1a5ed62..5eebf38 100644 corenet_sendrecv_ircd_server_packets(inetd_t) corenet_tcp_bind_ircd_port(inetd_t) -@@ -157,13 +162,13 @@ auth_use_nsswitch(inetd_t) +@@ -157,8 +162,6 @@ auth_use_nsswitch(inetd_t) logging_send_syslog_msg(inetd_t) @@ -26747,14 +26495,7 @@ index 1a5ed62..5eebf38 100644 mls_fd_share_all_levels(inetd_t) mls_socket_read_to_clearance(inetd_t) mls_socket_write_to_clearance(inetd_t) - mls_net_outbound_all_levels(inetd_t) - mls_process_set_level(inetd_t) -+#706086 -+mls_net_outbound_all_levels(inetd_t) - - userdom_dontaudit_use_unpriv_user_fds(inetd_t) - userdom_dontaudit_search_user_home_dirs(inetd_t) -@@ -188,7 +193,7 @@ optional_policy(` +@@ -188,7 +191,7 @@ optional_policy(` ') optional_policy(` @@ -26763,7 +26504,7 @@ index 1a5ed62..5eebf38 100644 ') optional_policy(` -@@ -220,6 +225,14 @@ kernel_read_kernel_sysctls(inetd_child_t) +@@ -220,6 +223,14 @@ kernel_read_kernel_sysctls(inetd_child_t) kernel_read_network_state(inetd_child_t) kernel_read_system_state(inetd_child_t) @@ -26778,7 +26519,7 @@ index 1a5ed62..5eebf38 100644 dev_read_urand(inetd_child_t) fs_getattr_xattr_fs(inetd_child_t) -@@ -230,7 +243,11 @@ auth_use_nsswitch(inetd_child_t) +@@ -230,7 +241,11 @@ auth_use_nsswitch(inetd_child_t) logging_send_syslog_msg(inetd_child_t) 
@@ -26838,7 +26579,7 @@ index eb87f23..8e11e4b 100644 init_labeled_script_domtrans($1, innd_initrc_exec_t) diff --git a/inn.te b/inn.te -index 5aab5d0..e2c9fe9 100644 +index 5aab5d0..5967395 100644 --- a/inn.te +++ b/inn.te @@ -26,6 +26,7 @@ files_pid_file(innd_var_run_t) @@ -26849,16 +26590,7 @@ index 5aab5d0..e2c9fe9 100644 ######################################## # -@@ -43,6 +44,8 @@ allow innd_t self:tcp_socket { accept listen }; - read_files_pattern(innd_t, innd_etc_t, innd_etc_t) - read_lnk_files_pattern(innd_t, innd_etc_t, innd_etc_t) - -+can_exec(innd_t, innd_exec_t) -+ - allow innd_t innd_log_t:dir setattr_dir_perms; - append_files_pattern(innd_t, innd_log_t, innd_log_t) - create_files_pattern(innd_t, innd_log_t, innd_log_t) -@@ -54,7 +57,7 @@ manage_files_pattern(innd_t, innd_var_lib_t, innd_var_lib_t) +@@ -54,7 +55,7 @@ manage_files_pattern(innd_t, innd_var_lib_t, innd_var_lib_t) manage_dirs_pattern(innd_t, innd_var_run_t, innd_var_run_t) manage_files_pattern(innd_t, innd_var_run_t, innd_var_run_t) manage_sock_files_pattern(innd_t, innd_var_run_t, innd_var_run_t) @@ -26867,7 +26599,7 @@ index 5aab5d0..e2c9fe9 100644 manage_dirs_pattern(innd_t, news_spool_t, news_spool_t) manage_files_pattern(innd_t, news_spool_t, news_spool_t) -@@ -65,7 +68,6 @@ can_exec(innd_t, innd_exec_t) +@@ -65,7 +66,6 @@ can_exec(innd_t, innd_exec_t) kernel_read_kernel_sysctls(innd_t) kernel_read_system_state(innd_t) @@ -26875,7 +26607,7 @@ index 5aab5d0..e2c9fe9 100644 corenet_all_recvfrom_netlabel(innd_t) corenet_tcp_sendrecv_generic_if(innd_t) corenet_tcp_sendrecv_generic_node(innd_t) -@@ -91,18 +93,16 @@ fs_search_auto_mountpoints(innd_t) +@@ -91,18 +91,16 @@ fs_search_auto_mountpoints(innd_t) files_list_spool(innd_t) files_read_etc_runtime_files(innd_t) @@ -27488,7 +27220,7 @@ index 16b1666..01673a4 100644 - admin_pattern($1, jabberd_var_run_t) ') diff --git a/jabber.te b/jabber.te -index bb12c90..5394703 100644 +index bb12c90..ff69343 100644 --- a/jabber.te +++ b/jabber.te 
@@ -1,4 +1,4 @@ @@ -27497,7 +27229,7 @@ index bb12c90..5394703 100644 ######################################## # -@@ -9,129 +9,136 @@ attribute jabberd_domain; +@@ -9,129 +9,130 @@ attribute jabberd_domain; jabber_domain_template(jabberd) jabber_domain_template(jabberd_router) @@ -27650,29 +27382,24 @@ index bb12c90..5394703 100644 +corecmd_exec_bin(pyicqt_t) -fs_search_auto_mountpoints(jabberd_t) -+dev_read_urand(pyicqt_t); ++dev_read_urand(pyicqt_t) -sysnet_read_config(jabberd_t) ++auth_use_nsswitch(pyicqt_t) -userdom_dontaudit_use_unpriv_user_fds(jabberd_t) -userdom_dontaudit_search_user_home_dirs(jabberd_t) -+auth_use_nsswitch(pyicqt_t); - -+# for RHEL5 -+libs_use_ld_so(pyicqt_t) -+libs_use_shared_libs(pyicqt_t) -+ +# needed for pyicq-t-mysql ++optional_policy(` ++ corenet_tcp_connect_mysqld_port(pyicqt_t) ++') + optional_policy(` - udev_read_db(jabberd_t) -+ corenet_tcp_connect_mysqld_port(pyicqt_t) ++ sysnet_use_ldap(pyicqt_t) ') -######################################## -+optional_policy(` -+ sysnet_use_ldap(pyicqt_t) -+') -+ +####################################### # -# Router local policy @@ -27697,9 +27424,8 @@ index bb12c90..5394703 100644 -corenet_sendrecv_jabber_client_server_packets(jabberd_router_t) -corenet_tcp_bind_jabber_client_port(jabberd_router_t) -corenet_tcp_sendrecv_jabber_client_port(jabberd_router_t) -+dev_read_urand(jabberd_domain) -+dev_read_urand(jabberd_domain) +dev_read_sysfs(jabberd_domain) ++dev_read_urand(jabberd_domain) -# corenet_sendrecv_jabber_router_server_packets(jabberd_router_t) -# corenet_tcp_bind_jabber_router_port(jabberd_router_t) @@ -28685,7 +28411,7 @@ index 182ab8b..8b1d9c2 100644 +') + diff --git a/kdumpgui.te b/kdumpgui.te -index e7f5c81..17dc1b4 100644 +index e7f5c81..fb73b38 100644 --- a/kdumpgui.te +++ b/kdumpgui.te @@ -1,4 +1,4 @@ 
@@ -28770,23 +28496,23 @@ index e7f5c81..17dc1b4 100644 optional_policy(` bootloader_exec(kdumpgui_t) -@@ -73,11 +77,11 @@ optional_policy(` +@@ -69,15 +73,7 @@ optional_policy(` ') optional_policy(` -- dbus_system_domain(kdumpgui_t, kdumpgui_exec_t) -+ consoletype_exec(kdumpgui_t) -+') - +- consoletype_exec(kdumpgui_t) +-') +- +-optional_policy(` + dbus_system_domain(kdumpgui_t, kdumpgui_exec_t) +- - optional_policy(` - policykit_dbus_chat(kdumpgui_t) - ') -+optional_policy(` -+ dbus_system_domain(kdumpgui_t, kdumpgui_exec_t) ') optional_policy(` -@@ -87,4 +91,10 @@ optional_policy(` +@@ -87,4 +83,10 @@ optional_policy(` optional_policy(` kdump_manage_config(kdumpgui_t) kdump_initrc_domtrans(kdumpgui_t) @@ -30261,10 +29987,10 @@ index aa2a337..bb09e3c 100644 files_search_var_lib($1) admin_pattern($1, kismet_var_lib_t) diff --git a/kismet.te b/kismet.te -index ea64ed5..fb28673 100644 +index ea64ed5..e60f701 100644 --- a/kismet.te +++ b/kismet.te -@@ -81,25 +81,24 @@ kernel_read_network_state(kismet_t) +@@ -81,25 +81,22 @@ kernel_read_network_state(kismet_t) corecmd_exec_bin(kismet_t) @@ -30279,8 +30005,6 @@ index ea64ed5..fb28673 100644 -corenet_sendrecv_kismet_client_packets(kismet_t) -corenet_tcp_connect_kismet_port(kismet_t) -corenet_tcp_sendrecv_kismet_port(kismet_t) -+corenet_tcp_bind_rtsclient_port(kismet_t) -+corenet_tcp_connect_rtsclient_port(kismet_t) +corenet_tcp_connect_pulseaudio_port(kismet_t) -auth_use_nsswitch(kismet_t) @@ -30329,21 +30053,10 @@ index c530214..b949a9f 100644 files_list_pids($1) admin_pattern($1, ksmtuned_var_run_t) diff --git a/ksmtuned.te b/ksmtuned.te -index c1539b5..0af603d 100644 +index c1539b5..a090996 100644 --- a/ksmtuned.te 
+++ b/ksmtuned.te -@@ -32,6 +32,10 @@ create_files_pattern(ksmtuned_t, ksmtuned_log_t, ksmtuned_log_t) - setattr_files_pattern(ksmtuned_t, ksmtuned_log_t, ksmtuned_log_t) - logging_log_filetrans(ksmtuned_t, ksmtuned_log_t, { file dir }) - -+manage_dirs_pattern(ksmtuned_t, ksmtuned_log_t, ksmtuned_log_t) -+manage_files_pattern(ksmtuned_t, ksmtuned_log_t, ksmtuned_log_t) -+logging_log_filetrans(ksmtuned_t, ksmtuned_log_t, { file dir }) -+ - manage_files_pattern(ksmtuned_t, ksmtuned_var_run_t, ksmtuned_var_run_t) - files_pid_filetrans(ksmtuned_t, ksmtuned_var_run_t, file) - -@@ -43,6 +47,7 @@ corecmd_exec_shell(ksmtuned_t) +@@ -43,6 +43,7 @@ corecmd_exec_shell(ksmtuned_t) dev_rw_sysfs(ksmtuned_t) domain_read_all_domains_state(ksmtuned_t) @@ -30351,7 +30064,7 @@ index c1539b5..0af603d 100644 mls_file_read_to_clearance(ksmtuned_t) -@@ -51,5 +56,3 @@ term_use_all_terms(ksmtuned_t) +@@ -51,5 +52,3 @@ term_use_all_terms(ksmtuned_t) auth_use_nsswitch(ksmtuned_t) logging_send_syslog_msg(ksmtuned_t) @@ -30865,7 +30578,7 @@ index ee0c7cc..6ec5f73 100644 + allow $1 ldap_unit_file_t:service all_service_perms; ') diff --git a/ldap.te b/ldap.te -index d7d9b09..bfc2aa2 100644 +index d7d9b09..562c288 100644 --- a/ldap.te +++ b/ldap.te @@ -21,6 +21,9 @@ files_config_file(slapd_etc_t) 
@@ -30878,18 +30591,7 @@ index d7d9b09..bfc2aa2 100644 type slapd_lock_t; files_lock_file(slapd_lock_t) -@@ -73,6 +76,10 @@ manage_dirs_pattern(slapd_t, slapd_replog_t, slapd_replog_t) - manage_files_pattern(slapd_t, slapd_replog_t, slapd_replog_t) - manage_lnk_files_pattern(slapd_t, slapd_replog_t, slapd_replog_t) - -+manage_dirs_pattern(slapd_t, slapd_log_t, slapd_log_t) -+manage_files_pattern(slapd_t, slapd_log_t, slapd_log_t) -+logging_log_filetrans(slapd_t, slapd_log_t, { file dir }) -+ - manage_dirs_pattern(slapd_t, slapd_tmp_t, slapd_tmp_t) - manage_files_pattern(slapd_t, slapd_tmp_t, slapd_tmp_t) - files_tmp_filetrans(slapd_t, slapd_tmp_t, { file dir }) -@@ -88,7 +95,6 @@ files_pid_filetrans(slapd_t, slapd_var_run_t, { dir file sock_file }) +@@ -88,7 +91,6 @@ files_pid_filetrans(slapd_t, slapd_var_run_t, { dir file sock_file }) kernel_read_system_state(slapd_t) kernel_read_kernel_sysctls(slapd_t) @@ -30897,7 +30599,7 @@ index d7d9b09..bfc2aa2 100644 corenet_all_recvfrom_netlabel(slapd_t) corenet_tcp_sendrecv_generic_if(slapd_t) corenet_tcp_sendrecv_generic_node(slapd_t) -@@ -110,25 +116,23 @@ fs_getattr_all_fs(slapd_t) +@@ -110,25 +112,23 @@ fs_getattr_all_fs(slapd_t) fs_search_auto_mountpoints(slapd_t) files_read_etc_runtime_files(slapd_t) @@ -31691,7 +31393,7 @@ index 7bab8e5..3a2c50c 100644 logging_read_all_logs(logrotate_mail_t) +manage_files_pattern(logrotate_mail_t, logrotate_tmp_t, logrotate_tmp_t) diff --git a/logwatch.te b/logwatch.te -index 4256a4c..1bbe9d9 100644 +index 4256a4c..720b6cb 100644 --- a/logwatch.te +++ b/logwatch.te @@ -7,7 +7,8 @@ policy_module(logwatch, 1.11.6) @@ -31717,7 +31419,7 @@ index 4256a4c..1bbe9d9 100644 fs_dontaudit_list_auto_mountpoints(logwatch_t) fs_list_inotifyfs(logwatch_t) -@@ -92,17 +94,22 @@ libs_read_lib_files(logwatch_t) +@@ -92,13 +94,12 @@ libs_read_lib_files(logwatch_t) logging_read_all_logs(logwatch_t) logging_send_syslog_msg(logwatch_t) 
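Review bot: This hunk drops the only visible rules that let `slapd_t` write its log type — `manage_dirs_pattern`/`manage_files_pattern(slapd_t, slapd_log_t, slapd_log_t)` and `logging_log_filetrans(slapd_t, slapd_log_t, { file dir })` — while the `type slapd_log_t; logging_log_file(slapd_log_t)` declaration at the top of the same hunk stays. If no equivalent rules remain elsewhere in ldap.te (they may sit outside this view, given the commit's stated duplicate removal), slapd will be denied creating `/var/log/slapd*` and new files it creates under `/var/log` will not transition to `slapd_log_t`. Please confirm by checking the resulting ldap.te for `slapd_log_t` before merging, or keep at least the `logging_log_filetrans` line.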
@@ -31732,17 +31434,7 @@ index 4256a4c..1bbe9d9 100644 mta_sendmail_domtrans(logwatch_t, logwatch_mail_t) mta_getattr_spool(logwatch_t) - -+ifdef(`distro_redhat',` -+ files_search_all(logwatch_t) -+ files_getattr_all_files(logwatch_t) -+ files_getattr_all_file_type_fs(logwatch_t) -+') -+ - tunable_policy(`use_nfs_home_dirs',` - fs_list_nfs(logwatch_t) - ') -@@ -164,6 +171,8 @@ dev_read_sysfs(logwatch_mail_t) +@@ -164,6 +165,8 @@ dev_read_sysfs(logwatch_mail_t) logging_read_all_logs(logwatch_mail_t) @@ -32398,7 +32090,7 @@ index 108c0f1..d28241c 100644 domtrans_pattern($1, mailman_queue_exec_t, mailman_queue_t) ') diff --git a/mailman.te b/mailman.te -index 8eaf51b..256819c 100644 +index 8eaf51b..5e9f5bb 100644 --- a/mailman.te +++ b/mailman.te @@ -56,10 +56,7 @@ setattr_files_pattern(mailman_domain, mailman_log_t, mailman_log_t) @@ -32423,17 +32115,7 @@ index 8eaf51b..256819c 100644 ######################################## # # CGI local policy -@@ -104,6 +97,9 @@ optional_policy(` - apache_search_sys_script_state(mailman_cgi_t) - apache_read_config(mailman_cgi_t) - apache_dontaudit_rw_stream_sockets(mailman_cgi_t) -+ -+ postfix_read_config(mailman_cgi_t) -+ - ') - - optional_policy(` -@@ -115,8 +111,9 @@ optional_policy(` +@@ -115,8 +108,9 @@ optional_policy(` # Mail local policy # 
@@ -32445,25 +32127,17 @@ index 8eaf51b..256819c 100644 manage_files_pattern(mailman_mail_t, mailman_var_run_t, mailman_var_run_t) manage_dirs_pattern(mailman_mail_t, mailman_var_run_t, mailman_var_run_t) -@@ -126,10 +123,17 @@ corenet_sendrecv_innd_client_packets(mailman_mail_t) - corenet_tcp_connect_innd_port(mailman_mail_t) +@@ -127,8 +121,8 @@ corenet_tcp_connect_innd_port(mailman_mail_t) corenet_tcp_sendrecv_innd_port(mailman_mail_t) -+manage_files_pattern(mailman_mail_t, mailman_var_run_t, mailman_var_run_t) -+manage_dirs_pattern(mailman_mail_t, mailman_var_run_t, mailman_var_run_t) -+files_pid_filetrans(mailman_mail_t, mailman_var_run_t, { file dir }) -+ corenet_sendrecv_spamd_client_packets(mailman_mail_t) - corenet_tcp_connect_spamd_port(mailman_mail_t) +-corenet_tcp_connect_spamd_port(mailman_mail_t) corenet_tcp_sendrecv_spamd_port(mailman_mail_t) - -+corenet_tcp_connect_innd_port(mailman_mail_t) +corenet_tcp_connect_spamd_port(mailman_mail_t) -+ + dev_read_urand(mailman_mail_t) - fs_rw_anon_inodefs_files(mailman_mail_t) -@@ -142,6 +146,10 @@ optional_policy(` +@@ -142,6 +136,10 @@ optional_policy(` ') optional_policy(` @@ -32474,15 +32148,6 @@ index 8eaf51b..256819c 100644 cron_read_pipes(mailman_mail_t) ') -@@ -163,6 +171,8 @@ corenet_sendrecv_innd_client_packets(mailman_queue_t) - corenet_tcp_connect_innd_port(mailman_queue_t) - corenet_tcp_sendrecv_innd_port(mailman_queue_t) - -+corenet_tcp_connect_innd_port(mailman_queue_t) -+ - auth_domtrans_chk_passwd(mailman_queue_t) - - files_dontaudit_search_pids(mailman_queue_t) diff --git a/mailscanner.if b/mailscanner.if index 0293f34..bd1d48e 100644 --- a/mailscanner.if @@ -32774,15 +32439,17 @@ index e08c55d..9e634bd 100644 + +') diff --git a/mandb.fc b/mandb.fc -index 2de0f64..03f96e3 100644 +index 2de0f64..85c3827 100644 --- a/mandb.fc 
+++ b/mandb.fc -@@ -1 +1,5 @@ +@@ -1 +1,7 @@ /etc/cron.daily/man-db\.cron -- gen_context(system_u:object_r:mandb_exec_t,s0) + +/usr/bin/mandb -- gen_context(system_u:object_r:mandb_exec_t,s0) + +/var/cache/man(/.*)? gen_context(system_u:object_r:mandb_cache_t,s0) ++ ++/var/lock/man-db\.lock -- gen_context(system_u:object_r:mandb_lock_t,s0) diff --git a/mandb.if b/mandb.if index 327f3f7..65bfa15 100644 --- a/mandb.if @@ -33000,10 +32667,10 @@ index 327f3f7..65bfa15 100644 + ') ') diff --git a/mandb.te b/mandb.te -index 5a414e0..708f675 100644 +index 5a414e0..e2f4ce0 100644 --- a/mandb.te +++ b/mandb.te -@@ -10,25 +10,34 @@ roleattribute system_r mandb_roles; +@@ -10,25 +10,40 @@ roleattribute system_r mandb_roles; type mandb_t; type mandb_exec_t; @@ -33013,6 +32680,9 @@ index 5a414e0..708f675 100644 +type mandb_cache_t; +files_type(mandb_cache_t) ++ ++type mandb_lock_t; ++files_lock_file(mandb_lock_t) + ######################################## # @@ -33029,6 +32699,9 @@ index 5a414e0..708f675 100644 +manage_lnk_files_pattern(mandb_t, mandb_cache_t, mandb_cache_t) +files_var_filetrans(mandb_t, mandb_cache_t, { dir file lnk_file }) +can_exec(mandb_t, mandb_exec_t) ++ ++allow mandb_t mandb_lock_t:file manage_file_perms; ++files_lock_filetrans(mandb_t, mandb_lock_t, file) + kernel_read_system_state(mandb_t) @@ -33054,7 +32727,7 @@ index 9dbe694..f89651e 100644 admin_pattern($1, mcelog_var_run_t) ') diff --git a/mcelog.te b/mcelog.te -index 13ea191..799df10 100644 +index 13ea191..b5fdecf 100644 --- a/mcelog.te +++ b/mcelog.te @@ -36,13 +36,6 @@ gen_tunable(mcelog_foreground, false) 
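Review bot: `files_lock_filetrans(mandb_t, mandb_lock_t, file)` in the new mandb.te hunk is an unnamed transition, so every file `mandb_t` creates under `/var/lock` becomes `mandb_lock_t`, which is wider than the single `/var/lock/man-db\.lock` entry the mandb.fc hunk adds and lets a relabel later disagree with runtime labeling. If `files_lock_filetrans` in this tree accepts the optional name argument (the nearby `files_var_filetrans` call does not use one, so treat this as an assumption to confirm), `files_lock_filetrans(mandb_t, mandb_lock_t, file, "man-db.lock")` keeps the two in step. A short comment above the rule, `# man-db's single lock file; keep in sync with mandb.fc`, would also help the next editor.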
@@ -33071,19 +32744,8 @@ index 13ea191..799df10 100644 type mcelog_t; type mcelog_exec_t; init_daemon_domain(mcelog_t, mcelog_exec_t) -@@ -82,19 +75,31 @@ manage_files_pattern(mcelog_t, mcelog_var_run_t, mcelog_var_run_t) - manage_sock_files_pattern(mcelog_t, mcelog_var_run_t, mcelog_var_run_t) - files_pid_filetrans(mcelog_t, mcelog_var_run_t, { dir file sock_file }) +@@ -84,17 +77,20 @@ files_pid_filetrans(mcelog_t, mcelog_var_run_t, { dir file sock_file }) -+manage_files_pattern(mcelog_t, mcelog_log_t, mcelog_log_t) -+manage_dirs_pattern(mcelog_t, mcelog_log_t, mcelog_log_t) -+logging_log_filetrans(mcelog_t, mcelog_log_t, { file dir }) -+ -+manage_files_pattern(mcelog_t, mcelog_var_run_t, mcelog_var_run_t) -+manage_dirs_pattern(mcelog_t, mcelog_var_run_t, mcelog_var_run_t) -+manage_sock_files_pattern(mcelog_t, mcelog_var_run_t, mcelog_var_run_t) -+files_pid_filetrans(mcelog_t, mcelog_var_run_t, { dir file sock_file } ) -+ kernel_read_system_state(mcelog_t) +corecmd_exec_shell(mcelog_t) @@ -33106,7 +32768,7 @@ index 13ea191..799df10 100644 tunable_policy(`mcelog_client',` allow mcelog_t self:unix_stream_socket connectto; -@@ -114,9 +119,6 @@ tunable_policy(`mcelog_server',` +@@ -114,9 +110,6 @@ tunable_policy(`mcelog_server',` allow mcelog_t self:unix_stream_socket { listen accept }; ') @@ -35368,7 +35030,7 @@ index 6194b80..110cdc6 100644 ') + diff --git a/mozilla.te b/mozilla.te -index 6a306ee..03196be 100644 +index 6a306ee..d579caa 100644 --- a/mozilla.te +++ b/mozilla.te @@ -1,4 +1,4 @@ @@ -36175,7 +35837,7 @@ index 6a306ee..03196be 100644 ') optional_policy(` -@@ -568,108 +535,99 @@ optional_policy(` +@@ -568,108 +535,100 @@ optional_policy(` ') optional_policy(` 
@@ -36190,6 +35852,7 @@ index 6a306ee..03196be 100644 + xserver_read_user_xauth(mozilla_plugin_t) + xserver_append_xdm_home_files(mozilla_plugin_t) + xserver_dontaudit_xdm_tmp_dirs(mozilla_plugin_t) ++ xserver_filetrans_fonts_cache_home_content(mozilla_plugin_t) ') ######################################## @@ -36250,7 +35913,7 @@ index 6a306ee..03196be 100644 +manage_dirs_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_home_t) +manage_files_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_home_t) +manage_lnk_files_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_home_t) -+manage_fifo_files_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t) ++manage_fifo_files_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_home_t) corecmd_exec_bin(mozilla_plugin_config_t) corecmd_exec_shell(mozilla_plugin_config_t) @@ -36356,20 +36019,18 @@ index 5fa77c7..a0e8661 100644 domain_system_change_exemption($1) role_transition $2 mpd_initrc_exec_t system_r; diff --git a/mpd.te b/mpd.te -index 7c8afcc..670e1bf 100644 +index 7c8afcc..200cec1 100644 --- a/mpd.te +++ b/mpd.te -@@ -74,6 +74,9 @@ allow mpd_t self:unix_stream_socket { accept connectto listen }; +@@ -74,6 +74,7 @@ allow mpd_t self:unix_stream_socket { accept connectto listen }; allow mpd_t self:unix_dgram_socket sendto; allow mpd_t self:tcp_socket { accept listen }; allow mpd_t self:netlink_kobject_uevent_socket create_socket_perms; +allow mpd_t self:unix_dgram_socket { create_socket_perms sendto }; -+ -+read_files_pattern(mpd_t, mpd_etc_t, mpd_etc_t) allow mpd_t mpd_data_t:dir manage_dir_perms; allow mpd_t mpd_data_t:file manage_file_perms; -@@ -110,7 +113,6 @@ kernel_read_kernel_sysctls(mpd_t) +@@ -110,7 +111,6 @@ kernel_read_kernel_sysctls(mpd_t) corecmd_exec_bin(mpd_t) 
@@ -36377,7 +36038,7 @@ index 7c8afcc..670e1bf 100644 corenet_all_recvfrom_netlabel(mpd_t) corenet_tcp_sendrecv_generic_if(mpd_t) corenet_tcp_sendrecv_generic_node(mpd_t) -@@ -139,7 +141,6 @@ dev_read_sound(mpd_t) +@@ -139,7 +139,6 @@ dev_read_sound(mpd_t) dev_write_sound(mpd_t) dev_read_sysfs(mpd_t) @@ -36385,7 +36046,7 @@ index 7c8afcc..670e1bf 100644 fs_getattr_all_fs(mpd_t) fs_list_inotifyfs(mpd_t) -@@ -150,7 +151,9 @@ auth_use_nsswitch(mpd_t) +@@ -150,7 +149,9 @@ auth_use_nsswitch(mpd_t) logging_send_syslog_msg(mpd_t) @@ -36396,7 +36057,7 @@ index 7c8afcc..670e1bf 100644 tunable_policy(`mpd_enable_homedirs',` userdom_search_user_home_dirs(mpd_t) -@@ -199,6 +202,16 @@ optional_policy(` +@@ -199,6 +200,16 @@ optional_policy(` ') optional_policy(` @@ -36492,7 +36153,7 @@ index 9aca704..5db9491 100644 ') diff --git a/mrtg.te b/mrtg.te -index c97c177..9e68dfb 100644 +index c97c177..9411154 100644 --- a/mrtg.te +++ b/mrtg.te @@ -65,7 +65,6 @@ kernel_read_kernel_sysctls(mrtg_t) @@ -36503,7 +36164,7 @@ index c97c177..9e68dfb 100644 corenet_all_recvfrom_netlabel(mrtg_t) corenet_tcp_sendrecv_generic_if(mrtg_t) corenet_tcp_sendrecv_generic_node(mrtg_t) -@@ -82,11 +81,12 @@ domain_dontaudit_search_all_domains_state(mrtg_t) +@@ -82,7 +81,6 @@ domain_dontaudit_search_all_domains_state(mrtg_t) files_getattr_tmp_dirs(mrtg_t) files_read_etc_runtime_files(mrtg_t) @@ -36511,13 +36172,7 @@ index c97c177..9e68dfb 100644 files_search_var(mrtg_t) files_search_locks(mrtg_t) files_search_var_lib(mrtg_t) - files_search_spool(mrtg_t) -+files_getattr_tmp_dirs(mrtg_t) -+files_read_etc_runtime_files(mrtg_t) - - fs_search_auto_mountpoints(mrtg_t) - fs_getattr_all_fs(mrtg_t) -@@ -105,13 +105,12 @@ libs_read_lib_files(mrtg_t) +@@ -105,13 +103,12 @@ libs_read_lib_files(mrtg_t) logging_send_syslog_msg(mrtg_t) @@ -38296,10 +37951,10 @@ index afd2fad..b2abfca 100644 + clamav_stream_connect(mta_user_agent) +') 
diff --git a/munin.fc b/munin.fc -index eb4b72a..123ee4c 100644 +index eb4b72a..4968324 100644 --- a/munin.fc +++ b/munin.fc -@@ -1,77 +1,78 @@ +@@ -1,77 +1,79 @@ -/etc/munin(/.*)? gen_context(system_u:object_r:munin_etc_t,s0) - +/etc/munin(/.*)? gen_context(system_u:object_r:munin_etc_t,s0) @@ -38417,12 +38072,12 @@ index eb4b72a..123ee4c 100644 -/var/run/munin.* gen_context(system_u:object_r:munin_var_run_t,s0) - -/var/www/html/munin(/.*)? gen_context(system_u:object_r:httpd_munin_content_t,s0) --/var/www/html/munin/cgi(/.*)? gen_context(system_u:object_r:httpd_munin_script_exec_t,s0) +/var/log/munin.* gen_context(system_u:object_r:munin_log_t,s0) +/var/run/munin(/.*)? gen_context(system_u:object_r:munin_var_run_t,s0) +/var/www/html/munin(/.*)? gen_context(system_u:object_r:httpd_munin_content_t,s0) -+/var/www/html/munin/cgi(/.*)? gen_context(system_u:object_r:httpd_munin_script_exec_t,s0) -+/var/www/html/cgi/munin.* gen_context(system_u:object_r:httpd_munin_script_exec_t,s0) + /var/www/html/munin/cgi(/.*)? gen_context(system_u:object_r:httpd_munin_script_exec_t,s0) ++/var/www/html/cgi/munin.* gen_context(system_u:object_r:httpd_munin_script_exec_t,s0) ++/var/www/cgi-bin/munin.* gen_context(system_u:object_r:httpd_munin_script_exec_t,s0) diff --git a/munin.if b/munin.if index b744fe3..4c1b6a8 100644 --- a/munin.if @@ -38587,7 +38242,7 @@ index b744fe3..4c1b6a8 100644 init_labeled_script_domtrans($1, munin_initrc_exec_t) domain_system_change_exemption($1) diff --git a/munin.te b/munin.te -index 97370e4..27726ee 100644 +index 97370e4..d5f13d8 100644 --- a/munin.te +++ b/munin.te @@ -45,7 +45,7 @@ munin_plugin_template(unconfined) 
@@ -38677,15 +38332,20 @@ index 97370e4..27726ee 100644 ') optional_policy(` -@@ -253,10 +246,15 @@ dev_read_urand(disk_munin_plugin_t) +@@ -246,17 +239,17 @@ corenet_sendrecv_hddtemp_client_packets(disk_munin_plugin_t) + corenet_tcp_connect_hddtemp_port(disk_munin_plugin_t) + corenet_tcp_sendrecv_hddtemp_port(disk_munin_plugin_t) - files_read_etc_runtime_files(disk_munin_plugin_t) - -+dev_getattr_lvm_control(disk_munin_plugin_t) -+dev_read_sysfs(disk_munin_plugin_t) -+dev_read_urand(disk_munin_plugin_t) -+dev_read_all_blk_files(munin_disk_plugin_t) +-dev_getattr_all_blk_files(disk_munin_plugin_t) ++files_read_etc_runtime_files(disk_munin_plugin_t) + + dev_getattr_lvm_control(disk_munin_plugin_t) + dev_read_sysfs(disk_munin_plugin_t) + dev_read_urand(disk_munin_plugin_t) +- +-files_read_etc_runtime_files(disk_munin_plugin_t) ++dev_read_all_blk_files(munin_disk_plugin_t) + fs_getattr_all_fs(disk_munin_plugin_t) fs_getattr_all_dirs(disk_munin_plugin_t) @@ -38694,7 +38354,7 @@ index 97370e4..27726ee 100644 sysnet_read_config(disk_munin_plugin_t) -@@ -275,27 +273,36 @@ optional_policy(` +@@ -275,27 +268,36 @@ optional_policy(` allow mail_munin_plugin_t self:capability dac_override; @@ -38735,7 +38395,7 @@ index 97370e4..27726ee 100644 ') optional_policy(` -@@ -353,7 +360,11 @@ optional_policy(` +@@ -353,7 +355,11 @@ optional_policy(` ') optional_policy(` @@ -38748,7 +38408,7 @@ index 97370e4..27726ee 100644 ') optional_policy(` -@@ -413,3 +424,4 @@ optional_policy(` +@@ -413,3 +419,4 @@ optional_policy(` optional_policy(` unconfined_domain(unconfined_munin_plugin_t) ') @@ -39344,7 +39004,7 @@ index 687af38..404ed6d 100644 + mysql_stream_connect($1) ') diff --git a/mysql.te b/mysql.te -index 9f6179e..e5300cc 100644 +index 9f6179e..dfa6623 100644 --- a/mysql.te +++ b/mysql.te @@ -1,4 +1,4 @@ 
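Review bot: `++dev_read_all_blk_files(munin_disk_plugin_t)` in the munin.te hunk (outer `@@ -38677,15 +38332,20 @@`) names a type that appears nowhere else in this file section; every neighbouring rule uses `disk_munin_plugin_t` (e.g. `dev_getattr_lvm_control(disk_munin_plugin_t)`), so this looks like a transposed identifier carried over from the previous version of the patch rather than fixed. If `munin_disk_plugin_t` is undeclared the module will not build; if it happens to exist the access lands on the wrong domain, and either way `disk_munin_plugin_t` loses the upstream `dev_getattr_all_blk_files(disk_munin_plugin_t)` that this line replaces. The line also widens the plugin from getattr to read on every block device node, which exposes raw disk contents to a monitoring plugin; if the disk plugins only need device metadata the getattr interface should stay, and if read really is required the reason should be recorded in a comment above the line. Suggested fix: `dev_read_all_blk_files(disk_munin_plugin_t)` with a one-line why-comment, or revert to `dev_getattr_all_blk_files(disk_munin_plugin_t)`.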
@@ -39430,7 +39090,7 @@ index 9f6179e..e5300cc 100644 logging_log_filetrans(mysqld_t, mysqld_log_t, file) manage_dirs_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t) -@@ -93,50 +90,55 @@ manage_files_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t) +@@ -93,50 +90,54 @@ manage_files_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t) manage_sock_files_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t) files_pid_filetrans(mysqld_t, mysqld_var_run_t, { dir file sock_file }) @@ -39439,7 +39099,6 @@ index 9f6179e..e5300cc 100644 + kernel_read_network_state(mysqld_t) kernel_read_system_state(mysqld_t) -+kernel_read_network_state(mysqld_t) +kernel_read_kernel_sysctls(mysqld_t) + +corecmd_exec_bin(mysqld_t) @@ -39503,7 +39162,7 @@ index 9f6179e..e5300cc 100644 ') optional_policy(` -@@ -153,29 +155,22 @@ optional_policy(` +@@ -153,29 +154,22 @@ optional_policy(` ####################################### # @@ -39538,7 +39197,7 @@ index 9f6179e..e5300cc 100644 kernel_read_system_state(mysqld_safe_t) kernel_read_kernel_sysctls(mysqld_safe_t) -@@ -187,17 +182,21 @@ dev_list_sysfs(mysqld_safe_t) +@@ -187,17 +181,21 @@ dev_list_sysfs(mysqld_safe_t) domain_read_all_domains_state(mysqld_safe_t) @@ -39566,7 +39225,7 @@ index 9f6179e..e5300cc 100644 optional_policy(` hostname_exec(mysqld_safe_t) -@@ -205,7 +204,7 @@ optional_policy(` +@@ -205,7 +203,7 @@ optional_policy(` ######################################## # @@ -39575,7 +39234,7 @@ index 9f6179e..e5300cc 100644 # allow mysqlmanagerd_t self:capability { dac_override kill }; -@@ -214,11 +213,12 @@ allow mysqlmanagerd_t self:fifo_file rw_fifo_file_perms; +@@ -214,11 +212,12 @@ allow mysqlmanagerd_t self:fifo_file rw_fifo_file_perms; allow mysqlmanagerd_t self:tcp_socket create_stream_socket_perms; allow mysqlmanagerd_t self:unix_stream_socket create_stream_socket_perms; 
@@ -39593,7 +39252,7 @@ index 9f6179e..e5300cc 100644 domtrans_pattern(mysqlmanagerd_t, mysqld_exec_t, mysqld_t) -@@ -226,31 +226,22 @@ manage_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t) +@@ -226,31 +225,22 @@ manage_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t) manage_sock_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t) filetrans_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t, { file sock_file }) @@ -40017,7 +39676,7 @@ index 0641e97..d7d9a79 100644 + admin_pattern($1, nrpe_etc_t) ') diff --git a/nagios.te b/nagios.te -index 44ad3b7..61a6f39 100644 +index 44ad3b7..7508aef 100644 --- a/nagios.te +++ b/nagios.te @@ -27,7 +27,7 @@ type nagios_var_run_t; @@ -40047,9 +39706,9 @@ index 44ad3b7..61a6f39 100644 dev_read_rand(nagios_plugin_domain) -files_read_usr_files(nagios_plugin_domain) - --miscfiles_read_localization(nagios_plugin_domain) - +-miscfiles_read_localization(nagios_plugin_domain) + -userdom_use_user_terminals(nagios_plugin_domain) +userdom_use_inherited_user_ptys(nagios_plugin_domain) +userdom_use_inherited_user_ttys(nagios_plugin_domain) 
@@ -40176,25 +39835,10 @@ index 44ad3b7..61a6f39 100644 optional_policy(` init_read_utmp(nagios_system_plugin_t) ') -@@ -450,3 +448,26 @@ init_domtrans_script(nagios_eventhandler_plugin_t) - optional_policy(` - unconfined_domain(nagios_unconfined_plugin_t) - ') -+ -+####################################### -+# -+# Event handler plugin plugin policy -+# -+ -+manage_files_pattern(nagios_eventhandler_plugin_t, nagios_eventhandler_plugin_tmp_t, nagios_eventhandler_plugin_tmp_t) -+manage_dirs_pattern(nagios_eventhandler_plugin_t, nagios_eventhandler_plugin_tmp_t, nagios_eventhandler_plugin_tmp_t) -+files_tmp_filetrans(nagios_eventhandler_plugin_t, nagios_eventhandler_plugin_tmp_t, { dir file }) -+ -+corecmd_exec_bin(nagios_eventhandler_plugin_t) -+corecmd_exec_shell(nagios_eventhandler_plugin_t) -+ -+init_domtrans_script(nagios_eventhandler_plugin_t) -+ +@@ -442,6 +440,14 @@ corecmd_exec_shell(nagios_eventhandler_plugin_t) + + init_domtrans_script(nagios_eventhandler_plugin_t) + +systemd_exec_systemctl(nagios_eventhandler_plugin_t) + +allow nagios_t nagios_eventhandler_plugin_exec_t:dir list_dir_perms; @@ -40202,6 +39846,16 @@ index 44ad3b7..61a6f39 100644 +optional_policy(` + unconfined_domain(nagios_eventhandler_plugin_t) +') ++ + ######################################## + # + # Unconfined plugin policy +@@ -450,3 +456,6 @@ init_domtrans_script(nagios_eventhandler_plugin_t) + optional_policy(` + unconfined_domain(nagios_unconfined_plugin_t) + ') ++ ++ + diff --git a/namespace.fc b/namespace.fc new file mode 100644 @@ -40815,7 +40469,7 @@ index 0e8508c..96dbf6f 100644 + files_etc_filetrans($1, NetworkManager_var_lib_t, file, "wireed-settings.conf") ') diff --git a/networkmanager.te b/networkmanager.te -index 0b48a30..fca40a6 100644 +index 0b48a30..1dc0c55 100644 --- a/networkmanager.te +++ b/networkmanager.te @@ -1,4 +1,4 @@ 
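Review bot: The nagios.te hunk `@@ -450,3 +456,6 @@` (outer `@@ -40202,6 +39846,16 @@`) appends two empty lines after the file's final `')`, which is whitespace noise the rest of the file does not carry; the two trailing `+` blank lines should be dropped. In the same outer hunk, `unconfined_domain(nagios_eventhandler_plugin_t)` inside an `optional_policy` block makes the event-handler plugin domain as powerful as the separately defined `nagios_unconfined_plugin_t` whenever the unconfined module is loaded, alongside the new `systemd_exec_systemctl(nagios_eventhandler_plugin_t)` and the `allow nagios_t nagios_eventhandler_plugin_exec_t:dir list_dir_perms;` rule. Nothing on the page records why the event-handler domain needs to be unconfined rather than confined like the other plugin domains; a comment above the block such as `# event handlers run administrator-supplied scripts that may restart services` (adjusted to the actual reason) would let a later reviewer judge whether the escalation is still warranted.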
@@ -40846,7 +40500,7 @@ index 0b48a30..fca40a6 100644 type NetworkManager_log_t; logging_log_file(NetworkManager_log_t) -@@ -39,35 +42,51 @@ init_system_domain(wpa_cli_t, wpa_cli_exec_t) +@@ -39,24 +42,40 @@ init_system_domain(wpa_cli_t, wpa_cli_exec_t) # Local policy # 
@@ -40896,22 +40550,15 @@ index 0b48a30..fca40a6 100644 manage_dirs_pattern(NetworkManager_t, NetworkManager_etc_rw_t, NetworkManager_etc_rw_t) manage_files_pattern(NetworkManager_t, NetworkManager_etc_rw_t, NetworkManager_etc_rw_t) - filetrans_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_rw_t, { dir file }) - --allow NetworkManager_t NetworkManager_log_t:dir setattr_dir_perms; --append_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_t) --create_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_t) --setattr_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_t) +@@ -68,6 +87,7 @@ create_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_ + setattr_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_t) logging_log_filetrans(NetworkManager_t, NetworkManager_log_t, file) -+manage_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_t) -+logging_log_filetrans(NetworkManager_t, NetworkManager_log_t, file) -+ +can_exec(NetworkManager_t, NetworkManager_tmp_t) manage_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t) manage_sock_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t) files_tmp_filetrans(NetworkManager_t, NetworkManager_tmp_t, { sock_file file }) -@@ -81,9 +100,6 @@ manage_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_ +@@ -81,9 +101,6 @@ manage_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_ manage_sock_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t) files_pid_filetrans(NetworkManager_t, NetworkManager_var_run_t, { dir file sock_file }) 
@@ -40921,7 +40568,7 @@ index 0b48a30..fca40a6 100644 kernel_read_system_state(NetworkManager_t) kernel_read_network_state(NetworkManager_t) kernel_read_kernel_sysctls(NetworkManager_t) -@@ -91,7 +107,6 @@ kernel_request_load_module(NetworkManager_t) +@@ -91,7 +108,6 @@ kernel_request_load_module(NetworkManager_t) kernel_read_debugfs(NetworkManager_t) kernel_rw_net_sysctls(NetworkManager_t) @@ -40929,7 +40576,7 @@ index 0b48a30..fca40a6 100644 corenet_all_recvfrom_netlabel(NetworkManager_t) corenet_tcp_sendrecv_generic_if(NetworkManager_t) corenet_udp_sendrecv_generic_if(NetworkManager_t) -@@ -102,22 +117,15 @@ corenet_raw_sendrecv_generic_node(NetworkManager_t) +@@ -102,22 +118,15 @@ corenet_raw_sendrecv_generic_node(NetworkManager_t) corenet_tcp_sendrecv_all_ports(NetworkManager_t) corenet_udp_sendrecv_all_ports(NetworkManager_t) corenet_udp_bind_generic_node(NetworkManager_t) @@ -40955,7 +40602,7 @@ index 0b48a30..fca40a6 100644 dev_rw_sysfs(NetworkManager_t) dev_read_rand(NetworkManager_t) dev_read_urand(NetworkManager_t) -@@ -125,13 +133,6 @@ dev_dontaudit_getattr_generic_blk_files(NetworkManager_t) +@@ -125,13 +134,6 @@ dev_dontaudit_getattr_generic_blk_files(NetworkManager_t) dev_getattr_all_chr_files(NetworkManager_t) dev_rw_wireless(NetworkManager_t) @@ -40969,7 +40616,7 @@ index 0b48a30..fca40a6 100644 fs_getattr_all_fs(NetworkManager_t) fs_search_auto_mountpoints(NetworkManager_t) fs_list_inotifyfs(NetworkManager_t) -@@ -140,6 +141,16 @@ mls_file_read_all_levels(NetworkManager_t) +@@ -140,6 +142,16 @@ mls_file_read_all_levels(NetworkManager_t) selinux_dontaudit_search_fs(NetworkManager_t) @@ -40986,7 +40633,7 @@ index 0b48a30..fca40a6 100644 storage_getattr_fixed_disk_dev(NetworkManager_t) init_read_utmp(NetworkManager_t) -@@ -148,10 +159,11 @@ init_domtrans_script(NetworkManager_t) +@@ -148,10 +160,11 @@ init_domtrans_script(NetworkManager_t) auth_use_nsswitch(NetworkManager_t) 
@@ -40999,7 +40646,7 @@ index 0b48a30..fca40a6 100644 seutil_read_config(NetworkManager_t) -@@ -166,21 +178,32 @@ sysnet_kill_dhcpc(NetworkManager_t) +@@ -166,21 +179,32 @@ sysnet_kill_dhcpc(NetworkManager_t) sysnet_read_dhcpc_state(NetworkManager_t) sysnet_delete_dhcpc_state(NetworkManager_t) sysnet_search_dhcp_state(NetworkManager_t) @@ -41036,7 +40683,7 @@ index 0b48a30..fca40a6 100644 ') optional_policy(` -@@ -196,10 +219,6 @@ optional_policy(` +@@ -196,10 +220,6 @@ optional_policy(` ') optional_policy(` @@ -41047,7 +40694,7 @@ index 0b48a30..fca40a6 100644 consoletype_exec(NetworkManager_t) ') -@@ -210,16 +229,11 @@ optional_policy(` +@@ -210,16 +230,11 @@ optional_policy(` optional_policy(` dbus_system_domain(NetworkManager_t, NetworkManager_exec_t) @@ -41066,7 +40713,7 @@ index 0b48a30..fca40a6 100644 ') ') -@@ -231,18 +245,19 @@ optional_policy(` +@@ -231,18 +246,19 @@ optional_policy(` dnsmasq_kill(NetworkManager_t) dnsmasq_signal(NetworkManager_t) dnsmasq_signull(NetworkManager_t) @@ -41089,7 +40736,7 @@ index 0b48a30..fca40a6 100644 ') optional_policy(` -@@ -257,11 +272,7 @@ optional_policy(` +@@ -257,11 +273,7 @@ optional_policy(` ') optional_policy(` @@ -41102,7 +40749,7 @@ index 0b48a30..fca40a6 100644 ') optional_policy(` -@@ -274,10 +285,17 @@ optional_policy(` +@@ -274,10 +286,17 @@ optional_policy(` nscd_signull(NetworkManager_t) nscd_kill(NetworkManager_t) nscd_initrc_domtrans(NetworkManager_t) @@ -41120,7 +40767,7 @@ index 0b48a30..fca40a6 100644 ') optional_policy(` -@@ -289,6 +307,7 @@ optional_policy(` +@@ -289,6 +308,7 @@ optional_policy(` ') optional_policy(` @@ -41128,7 +40775,7 @@ index 0b48a30..fca40a6 100644 policykit_domtrans_auth(NetworkManager_t) policykit_read_lib(NetworkManager_t) policykit_read_reload(NetworkManager_t) -@@ -296,7 +315,7 @@ optional_policy(` +@@ -296,7 +316,7 @@ optional_policy(` ') optional_policy(` 
@@ -41137,7 +40784,7 @@ index 0b48a30..fca40a6 100644 ') optional_policy(` -@@ -307,6 +326,7 @@ optional_policy(` +@@ -307,6 +327,7 @@ optional_policy(` ppp_signal(NetworkManager_t) ppp_signull(NetworkManager_t) ppp_read_config(NetworkManager_t) @@ -41145,7 +40792,7 @@ index 0b48a30..fca40a6 100644 ') optional_policy(` -@@ -320,13 +340,14 @@ optional_policy(` +@@ -320,13 +341,14 @@ optional_policy(` ') optional_policy(` @@ -41164,7 +40811,7 @@ index 0b48a30..fca40a6 100644 ') optional_policy(` -@@ -356,6 +377,5 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru +@@ -356,6 +378,5 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru init_dontaudit_use_fds(wpa_cli_t) init_use_script_ptys(wpa_cli_t) @@ -42212,7 +41859,7 @@ index ba64485..429bd79 100644 + +/usr/lib/systemd/system/nscd\.service -- gen_context(system_u:object_r:nscd_unit_file_t,s0) diff --git a/nscd.if b/nscd.if -index 8f2ab09..685270c 100644 +index 8f2ab09..7b8f5ad 100644 --- a/nscd.if +++ b/nscd.if @@ -1,8 +1,8 @@ @@ -42304,30 +41951,19 @@ index 8f2ab09..685270c 100644 ## ## ## -@@ -135,28 +130,36 @@ interface(`nscd_socket_use',` +@@ -135,28 +130,38 @@ interface(`nscd_socket_use',` ## ## # -interface(`nscd_shm_use',` -- gen_require(` -- type nscd_t, nscd_var_run_t; -- class nscd { getpwd getgrp gethost shmempwd shmemgrp shmemhost }; +interface(`nscd_use',` + tunable_policy(`nscd_use_shm',` + nscd_shm_use($1) + ',` + nscd_socket_use($1) - ') ++ ') +') - -- allow $1 self:unix_stream_socket create_stream_socket_perms; -- -- allow $1 nscd_t:nscd { getpwd getgrp gethost shmempwd shmemgrp shmemhost }; -- allow $1 nscd_t:fd use; -- -- files_search_pids($1) -- stream_connect_pattern($1, nscd_var_run_t, nscd_var_run_t, nscd_t) -- dontaudit $1 nscd_var_run_t:file read_file_perms; ++ +######################################## +## +## Do not audit attempts to write nscd sock files 
@@ -42339,13 +41975,24 @@ index 8f2ab09..685270c 100644 +## +# +interface(`nscd_dontaudit_write_sock_file',` -+ gen_require(` -+ type nscd_t; -+ ') + gen_require(` + type nscd_t, nscd_var_run_t; +- class nscd { getpwd getgrp gethost shmempwd shmemgrp shmemhost }; + ') +- allow $1 self:unix_stream_socket create_stream_socket_perms; +- +- allow $1 nscd_t:nscd { getpwd getgrp gethost shmempwd shmemgrp shmemhost }; +- allow $1 nscd_t:fd use; ++ dontaudit $1 nscd_t:sock_file write; ++ dontaudit $1 nscd_var_run_t:sock_file write; + +- files_search_pids($1) +- stream_connect_pattern($1, nscd_var_run_t, nscd_var_run_t, nscd_t) +- dontaudit $1 nscd_var_run_t:file read_file_perms; +- - allow $1 nscd_var_run_t:dir list_dir_perms; - allow $1 nscd_var_run_t:sock_file read_sock_file_perms; -+ dontaudit $1 nscd_t:sock_file write; ') ######################################## @@ -42356,7 +42003,7 @@ index 8f2ab09..685270c 100644 ## ## ## -@@ -164,18 +167,35 @@ interface(`nscd_shm_use',` +@@ -164,18 +169,35 @@ interface(`nscd_shm_use',` ## ## # @@ -42399,7 +42046,7 @@ index 8f2ab09..685270c 100644 ## ## ## -@@ -193,7 +213,7 @@ interface(`nscd_dontaudit_search_pid',` +@@ -193,7 +215,7 @@ interface(`nscd_dontaudit_search_pid',` ######################################## ## @@ -42408,7 +42055,7 @@ index 8f2ab09..685270c 100644 ## ## ## -@@ -212,7 +232,7 @@ interface(`nscd_read_pid',` +@@ -212,7 +234,7 @@ interface(`nscd_read_pid',` ######################################## ## @@ -42417,7 +42064,7 @@ index 8f2ab09..685270c 100644 ## ## ## -@@ -244,20 +264,20 @@ interface(`nscd_unconfined',` +@@ -244,20 +266,20 @@ interface(`nscd_unconfined',` ## Role allowed access. ## ## @@ -42442,7 +42089,7 @@ index 8f2ab09..685270c 100644 ## ## ## -@@ -275,8 +295,31 @@ interface(`nscd_initrc_domtrans',` +@@ -275,8 +297,31 @@ interface(`nscd_initrc_domtrans',` ######################################## ## 
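Review bot: `nscd_dontaudit_write_sock_file` now emits `dontaudit $1 nscd_t:sock_file write;` next to the new `dontaudit $1 nscd_var_run_t:sock_file write;` (outer `@@ -42339,13 +41975,24 @@`); `nscd_t` is the daemon's process domain (it is the domain argument of the removed `stream_connect_pattern($1, nscd_var_run_t, nscd_var_run_t, nscd_t)`), so unless a socket is deliberately labeled `nscd_t` that first line matches nothing and only the `nscd_var_run_t` rule has any effect. Consider keeping only `dontaudit $1 nscd_var_run_t:sock_file write;` and trimming `gen_require` to `type nscd_var_run_t;`, or add a comment stating which object is expected to carry the `nscd_t` label. The interface's doc comment block sits in the preceding hunk on the previous line.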
@@ -42476,7 +42123,7 @@ index 8f2ab09..685270c 100644 ## ## ## -@@ -285,7 +328,7 @@ interface(`nscd_initrc_domtrans',` +@@ -285,7 +330,7 @@ interface(`nscd_initrc_domtrans',` ## ## ## @@ -42485,7 +42132,7 @@ index 8f2ab09..685270c 100644 ## ## ## -@@ -294,10 +337,14 @@ interface(`nscd_admin',` +@@ -294,10 +339,14 @@ interface(`nscd_admin',` gen_require(` type nscd_t, nscd_log_t, nscd_var_run_t; type nscd_initrc_exec_t; @@ -42501,7 +42148,7 @@ index 8f2ab09..685270c 100644 init_labeled_script_domtrans($1, nscd_initrc_exec_t) domain_system_change_exemption($1) -@@ -310,5 +357,7 @@ interface(`nscd_admin',` +@@ -310,5 +359,7 @@ interface(`nscd_admin',` files_list_pids($1) admin_pattern($1, nscd_var_run_t) @@ -43652,10 +43299,10 @@ index 0000000..fce899a +') diff --git a/nsplugin.te b/nsplugin.te new file mode 100644 -index 0000000..ff384e0 +index 0000000..7d839fe --- /dev/null +++ b/nsplugin.te -@@ -0,0 +1,322 @@ +@@ -0,0 +1,318 @@ +policy_module(nsplugin, 1.0.0) + +######################################## @@ -43702,10 +43349,6 @@ index 0000000..ff384e0 +domain_type(nsplugin_config_t) +domain_entry_file(nsplugin_config_t, nsplugin_config_exec_t) + -+application_executable_file(nsplugin_exec_t) -+application_executable_file(nsplugin_config_exec_t) -+ -+ +######################################## +# +# nsplugin local policy @@ -45335,10 +44978,16 @@ index 296a1d3..467700e 100644 +userdom_stream_connect(oddjob_mkhomedir_t) + diff --git a/openct.te b/openct.te -index 8467596..c73eb86 100644 +index 8467596..66f068f 100644 --- a/openct.te 
+++ b/openct.te -@@ -34,6 +34,8 @@ kernel_read_kernel_sysctls(openct_t) +@@ -28,12 +28,12 @@ manage_files_pattern(openct_t, openct_var_run_t, openct_var_run_t) + manage_sock_files_pattern(openct_t, openct_var_run_t, openct_var_run_t) + files_pid_filetrans(openct_t, openct_var_run_t, { dir file sock_file }) + +-can_exec(openct_t, openct_exec_t) +- + kernel_read_kernel_sysctls(openct_t) kernel_list_proc(openct_t) kernel_read_proc_symlinks(openct_t) @@ -45347,7 +44996,7 @@ index 8467596..c73eb86 100644 dev_read_sysfs(openct_t) dev_rw_usbfs(openct_t) dev_rw_smartcard(openct_t) -@@ -41,15 +43,12 @@ dev_rw_generic_usb_dev(openct_t) +@@ -41,15 +41,12 @@ dev_rw_generic_usb_dev(openct_t) domain_use_interactive_fds(openct_t) @@ -46325,10 +45974,10 @@ index 0000000..98ce2c3 +') diff --git a/openshift.te b/openshift.te new file mode 100644 -index 0000000..9bd0784 +index 0000000..4fe3c71 --- /dev/null +++ b/openshift.te -@@ -0,0 +1,380 @@ +@@ -0,0 +1,377 @@ +policy_module(openshift,1.0.0) + +gen_require(` @@ -46545,7 +46194,6 @@ index 0000000..9bd0784 +files_dontaudit_search_all_mountpoints(openshift_domain) +files_dontaudit_search_spool(openshift_domain) +files_dontaudit_search_all_dirs(openshift_domain) -+files_dontaudit_list_var(openshift_domain) +files_exec_etc_files(openshift_domain) +files_exec_usr_files(openshift_domain) +files_dontaudit_getattr_non_security_sockets(openshift_domain) @@ -46555,9 +46203,6 @@ index 0000000..9bd0784 +libs_exec_lib_files(openshift_domain) +libs_exec_ld_so(openshift_domain) + -+term_use_ptmx(openshift_domain) -+term_use_generic_ptys(openshift_domain) -+ +selinux_validate_context(openshift_domain) + +logging_inherit_append_all_logs(openshift_domain) @@ -46570,6 +46215,7 @@ index 0000000..9bd0784 +mta_dontaudit_read_spool_symlinks(openshift_domain) + +term_dontaudit_search_ptys(openshift_domain) ++term_use_generic_ptys(openshift_domain) +term_use_ptmx(openshift_domain) + +userdom_use_inherited_user_ptys(openshift_domain) 
@@ -48000,7 +47646,7 @@ index d2fc677..920b13f 100644 - admin_pattern($1, pegasus_var_run_t) -') diff --git a/pegasus.te b/pegasus.te -index 7bcf327..d459c82 100644 +index 7bcf327..e440d35 100644 --- a/pegasus.te +++ b/pegasus.te @@ -1,4 +1,4 @@ @@ -48107,15 +47753,7 @@ index 7bcf327..d459c82 100644 domain_use_interactive_fds(pegasus_t) domain_read_all_domains_state(pegasus_t) -@@ -122,24 +115,31 @@ files_list_var_lib(pegasus_t) - files_read_var_lib_files(pegasus_t) - files_read_var_lib_symlinks(pegasus_t) - -+hostname_exec(pegasus_t) -+ - init_rw_utmp(pegasus_t) - init_stream_connect_script(pegasus_t) - +@@ -128,18 +121,23 @@ init_stream_connect_script(pegasus_t) logging_send_audit_msgs(pegasus_t) logging_send_syslog_msg(pegasus_t) @@ -48131,42 +47769,41 @@ index 7bcf327..d459c82 100644 - dbus_connect_system_bus(pegasus_t) + dbus_system_bus_client(pegasus_t) + dbus_connect_system_bus(pegasus_t) -+ -+ optional_policy(` -+ networkmanager_dbus_chat(pegasus_t) -+ ') -+') - optional_policy(` - networkmanager_dbus_chat(pegasus_t) - ') ++ optional_policy(` ++ networkmanager_dbus_chat(pegasus_t) ++ ') ++') ++ +optional_policy(` + corosync_stream_connect(pegasus_t) ') optional_policy(` -@@ -151,6 +151,10 @@ optional_policy(` +@@ -151,16 +149,15 @@ optional_policy(` ') optional_policy(` +- rpm_exec(pegasus_t) + ricci_stream_connect_modclusterd(pegasus_t) -+') -+ -+optional_policy(` - rpm_exec(pegasus_t) ') -@@ -159,8 +163,7 @@ optional_policy(` + optional_policy(` +- samba_manage_config(pegasus_t) ++ rpm_exec(pegasus_t) ') optional_policy(` - seutil_sigchld_newrole(pegasus_t) - seutil_dontaudit_read_config(pegasus_t) -+ sysnet_domtrans_ifconfig(pegasus_t) ++ samba_manage_config(pegasus_t) ') optional_policy(` -@@ -168,7 +171,7 @@ optional_policy(` +@@ -168,7 +165,7 @@ optional_policy(` ') optional_policy(` @@ -49420,10 +49057,10 @@ index 0000000..83c13cf + diff --git a/pki.te b/pki.te new file mode 100644 -index 0000000..b4286ce +index 0000000..352c7e4 --- /dev/null 
+++ b/pki.te -@@ -0,0 +1,288 @@ +@@ -0,0 +1,282 @@ +policy_module(pki,10.0.11) + +######################################## @@ -49540,7 +49177,6 @@ index 0000000..b4286ce +corenet_tcp_connect_ldap_port(pki_tomcat_t) +corenet_tcp_connect_smtp_port(pki_tomcat_t) +corenet_tcp_connect_pki_ca_port(pki_tomcat_t) -+corenet_tcp_connect_ldap_port(pki_tomcat_t) + +selinux_get_enforce_mode(pki_tomcat_t) + @@ -49574,11 +49210,6 @@ index 0000000..b4286ce + hostname_exec(pki_tomcat_t) +') + -+# install/ uninstall instance -+# WHY? leak? -+#allow load_policy_t pki_log_t:file write; -+#allow setfiles_t pki_log_t:file write; -+ +####################################### +# +# tps local policy @@ -52363,7 +51994,7 @@ index 2e23946..41da729 100644 + postfix_config_filetrans($1, postfix_prng_t, file, "prng_exch") ') diff --git a/postfix.te b/postfix.te -index 191a66f..738b640 100644 +index 191a66f..0a90ce1 100644 --- a/postfix.te +++ b/postfix.te @@ -1,4 +1,4 @@ @@ -53030,7 +52661,7 @@ index 191a66f..738b640 100644 init_sigchld_script(postfix_postqueue_t) init_use_script_fds(postfix_postqueue_t) -@@ -647,67 +574,78 @@ optional_policy(` +@@ -647,67 +574,77 @@ optional_policy(` ######################################## # @@ -53113,7 +52744,6 @@ index 191a66f..738b640 100644 +# for spampd +corenet_tcp_connect_spamd_port(postfix_master_t) -+corenet_tcp_bind_spamd_port(postfix_master_t) + +files_search_all_mountpoints(postfix_smtp_t) + @@ -53127,7 +52757,7 @@ index 191a66f..738b640 100644 ') optional_policy(` -@@ -720,24 +658,27 @@ optional_policy(` +@@ -720,24 +657,27 @@ optional_policy(` ######################################## # @@ -53161,7 +52791,7 @@ index 191a66f..738b640 100644 fs_getattr_all_dirs(postfix_smtpd_t) fs_getattr_all_fs(postfix_smtpd_t) -@@ -754,6 +695,7 @@ optional_policy(` +@@ -754,6 +694,7 @@ optional_policy(` optional_policy(` milter_stream_connect_all(postfix_smtpd_t) 
@@ -53169,7 +52799,7 @@ index 191a66f..738b640 100644 ') optional_policy(` -@@ -764,31 +706,100 @@ optional_policy(` +@@ -764,31 +705,100 @@ optional_policy(` sasl_connect(postfix_smtpd_t) ') @@ -53956,7 +53586,7 @@ index cd8b8b9..cde0d62 100644 + allow $1 pppd_unit_file_t:service all_service_perms; ') diff --git a/ppp.te b/ppp.te -index b2b5dba..25f2610 100644 +index b2b5dba..91e0a7a 100644 --- a/ppp.te +++ b/ppp.te @@ -1,4 +1,4 @@ @@ -54146,14 +53776,14 @@ index b2b5dba..25f2610 100644 -fs_getattr_all_fs(pppd_t) -fs_search_auto_mountpoints(pppd_t) -+# for scripts - +- -term_use_unallocated_ttys(pppd_t) -term_setattr_unallocated_ttys(pppd_t) -term_ioctl_generic_ptys(pppd_t) -term_create_pty(pppd_t, pppd_devpts_t) -term_use_generic_ptys(pppd_t) -- ++# for scripts + -init_labeled_script_domtrans(pppd_t, pppd_initrc_exec_t) init_read_utmp(pppd_t) -init_signal_script(pppd_t) @@ -54217,7 +53847,7 @@ index b2b5dba..25f2610 100644 allow pptp_t pppd_etc_t:dir list_dir_perms; allow pptp_t pppd_etc_t:file read_file_perms; -@@ -236,45 +255,44 @@ allow pptp_t pppd_etc_t:lnk_file read_lnk_file_perms; +@@ -236,45 +255,43 @@ allow pptp_t pppd_etc_t:lnk_file read_lnk_file_perms; allow pptp_t pppd_etc_rw_t:dir list_dir_perms; allow pptp_t pppd_etc_rw_t:file read_file_perms; allow pptp_t pppd_etc_rw_t:lnk_file read_lnk_file_perms; @@ -54239,7 +53869,6 @@ index b2b5dba..25f2610 100644 +files_pid_filetrans(pptp_t, pptp_var_run_t, { file dir }) +kernel_list_proc(pptp_t) -+kernel_signal(pptp_t) kernel_read_kernel_sysctls(pptp_t) kernel_read_network_state(pptp_t) +kernel_read_proc_symlinks(pptp_t) @@ -54275,7 +53904,7 @@ index b2b5dba..25f2610 100644 fs_getattr_all_fs(pptp_t) fs_search_auto_mountpoints(pptp_t) -@@ -282,12 +300,12 @@ term_ioctl_generic_ptys(pptp_t) +@@ -282,12 +299,12 @@ term_ioctl_generic_ptys(pptp_t) term_search_ptys(pptp_t) term_use_ptmx(pptp_t) @@ -56559,7 +56188,7 @@ index 7cb8b1f..b7b5ee7 100644 + allow $1 puppet_var_run_t:dir search_dir_perms; ') 
diff --git a/puppet.te b/puppet.te -index f2309f4..fd38d93 100644 +index f2309f4..b3f151c 100644 --- a/puppet.te +++ b/puppet.te @@ -1,4 +1,4 @@ @@ -56709,7 +56338,7 @@ index f2309f4..fd38d93 100644 init_all_labeled_script_domtrans(puppet_t) init_domtrans_script(puppet_t) init_read_utmp(puppet_t) -@@ -143,18 +138,15 @@ init_signull_script(puppet_t) +@@ -143,18 +138,19 @@ init_signull_script(puppet_t) logging_send_syslog_msg(puppet_t) miscfiles_read_hwdata(puppet_t) @@ -56723,6 +56352,10 @@ index f2309f4..fd38d93 100644 sysnet_run_ifconfig(puppet_t, system_r) -sysnet_use_ldap(puppet_t) ++ ++usermanage_access_check_groupadd(puppet_t) ++usermanage_access_check_passwd(puppet_t) ++usermanage_access_check_useradd(puppet_t) tunable_policy(`puppet_manage_all_files',` - files_manage_non_auth_files(puppet_t) @@ -56730,18 +56363,12 @@ index f2309f4..fd38d93 100644 ') optional_policy(` -@@ -196,21 +188,92 @@ optional_policy(` +@@ -196,21 +192,86 @@ optional_policy(` ') optional_policy(` - usermanage_domtrans_groupadd(puppet_t) - usermanage_domtrans_useradd(puppet_t) -+ usermanage_access_check_groupadd(puppet_t) -+ usermanage_access_check_passwd(puppet_t) -+ usermanage_access_check_useradd(puppet_t) -+') -+ -+optional_policy(` + auth_filetrans_named_content(puppet_t) +') + @@ -56829,7 +56456,7 @@ index f2309f4..fd38d93 100644 allow puppetca_t puppet_var_lib_t:dir list_dir_perms; manage_files_pattern(puppetca_t, puppet_var_lib_t, puppet_var_lib_t) -@@ -221,6 +284,7 @@ allow puppetca_t puppet_log_t:dir search_dir_perms; +@@ -221,6 +282,7 @@ allow puppetca_t puppet_log_t:dir search_dir_perms; allow puppetca_t puppet_var_run_t:dir search_dir_perms; kernel_read_system_state(puppetca_t) @@ -56837,7 +56464,7 @@ index f2309f4..fd38d93 100644 kernel_read_kernel_sysctls(puppetca_t) corecmd_exec_bin(puppetca_t) -@@ -229,15 +293,12 @@ corecmd_exec_shell(puppetca_t) +@@ -229,15 +291,12 @@ corecmd_exec_shell(puppetca_t) dev_read_urand(puppetca_t) dev_search_sysfs(puppetca_t) 
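Review bot: The outer hunk `@@ -56723,6 +56352,10 @@` adds `usermanage_access_check_groupadd(puppet_t)`, `usermanage_access_check_passwd(puppet_t)` and `usermanage_access_check_useradd(puppet_t)` as top-level unconditional calls in puppet.te, while `@@ -56730,18 +56363,12 @@` here and `@@ -56853,7 +56480,7 @@` on the next line remove the same calls from their `optional_policy` blocks. Calling another module's interfaces outside `optional_policy` makes puppet hard-depend on the usermanage module; if usermanage is not guaranteed to be present in every build the previous optional placement was the correct one, and only the duplicated block near the puppetca section needed to go. If the hard dependency is intended it would be worth a one-line comment, e.g. `# usermanage is always built; access checks need no optional_policy`, so the departure from the file's otherwise consistent optional_policy wrapping reads as deliberate.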
@@ -56853,7 +56480,7 @@ index f2309f4..fd38d93 100644 miscfiles_read_generic_certs(puppetca_t) seutil_read_file_contexts(puppetca_t) -@@ -246,38 +307,52 @@ optional_policy(` +@@ -246,38 +305,47 @@ optional_policy(` hostname_exec(puppetca_t) ') @@ -56861,11 +56488,6 @@ index f2309f4..fd38d93 100644 + mta_sendmail_access_check(puppetca_t) +') + -+optional_policy(` -+ usermanage_access_check_groupadd(puppet_t) -+ usermanage_access_check_passwd(puppet_t) -+ usermanage_access_check_useradd(puppet_t) -+') + ######################################## # @@ -56922,7 +56544,7 @@ index f2309f4..fd38d93 100644 kernel_dontaudit_search_kernel_sysctl(puppetmaster_t) kernel_read_network_state(puppetmaster_t) -@@ -289,23 +364,24 @@ corecmd_exec_bin(puppetmaster_t) +@@ -289,23 +357,24 @@ corecmd_exec_bin(puppetmaster_t) corecmd_exec_shell(puppetmaster_t) corenet_all_recvfrom_netlabel(puppetmaster_t) @@ -56953,7 +56575,7 @@ index f2309f4..fd38d93 100644 selinux_validate_context(puppetmaster_t) -@@ -314,26 +390,31 @@ auth_use_nsswitch(puppetmaster_t) +@@ -314,26 +383,31 @@ auth_use_nsswitch(puppetmaster_t) logging_send_syslog_msg(puppetmaster_t) miscfiles_read_generic_certs(puppetmaster_t) @@ -56990,7 +56612,7 @@ index f2309f4..fd38d93 100644 ') optional_policy(` -@@ -342,3 +423,9 @@ optional_policy(` +@@ -342,3 +416,9 @@ optional_policy(` rpm_exec(puppetmaster_t) rpm_read_db(puppetmaster_t) ') @@ -59109,19 +58731,15 @@ index cd51b96..f7e9c70 100644 + admin_pattern($1, qpidd_var_run_t) ') diff --git a/qpid.te b/qpid.te -index 76f5b39..8bf531a 100644 +index 76f5b39..a5ba415 100644 --- a/qpid.te 
+++ b/qpid.te -@@ -37,18 +37,22 @@ manage_dirs_pattern(qpidd_t, qpidd_tmpfs_t, qpidd_tmpfs_t) +@@ -37,37 +37,37 @@ manage_dirs_pattern(qpidd_t, qpidd_tmpfs_t, qpidd_tmpfs_t) manage_files_pattern(qpidd_t, qpidd_tmpfs_t, qpidd_tmpfs_t) fs_tmpfs_filetrans(qpidd_t, qpidd_tmpfs_t, { dir file }) -manage_dirs_pattern(qpidd_t, qpidd_var_lib_t, qpidd_var_lib_t) -manage_files_pattern(qpidd_t, qpidd_var_lib_t, qpidd_var_lib_t) -+manage_dirs_pattern(qpidd_t, qpidd_tmpfs_t, qpidd_tmpfs_t) -+manage_files_pattern(qpidd_t, qpidd_tmpfs_t, qpidd_tmpfs_t) -+fs_tmpfs_filetrans(qpidd_t, qpidd_tmpfs_t, { dir file }) -+ +manage_dirs_pattern(qpidd_t, qpidd_var_lib_t, qpidd_var_lib_t) +manage_files_pattern(qpidd_t, qpidd_var_lib_t, qpidd_var_lib_t) files_var_lib_filetrans(qpidd_t, qpidd_var_lib_t, { file dir }) @@ -59139,8 +58757,9 @@ index 76f5b39..8bf531a 100644 +corenet_tcp_bind_generic_node(qpidd_t) corenet_tcp_sendrecv_generic_if(qpidd_t) corenet_tcp_sendrecv_generic_node(qpidd_t) - corenet_tcp_bind_generic_node(qpidd_t) -@@ -57,17 +61,18 @@ corenet_sendrecv_amqp_server_packets(qpidd_t) +-corenet_tcp_bind_generic_node(qpidd_t) + + corenet_sendrecv_amqp_server_packets(qpidd_t) corenet_tcp_bind_amqp_port(qpidd_t) corenet_tcp_sendrecv_amqp_port(qpidd_t) @@ -59410,7 +59029,7 @@ index afc0068..7616aa4 100644 + ') ') diff --git a/quantum.te b/quantum.te -index 769d1fd..e08eabf 100644 +index 769d1fd..7e6e161 100644 --- a/quantum.te +++ b/quantum.te @@ -21,6 +21,9 @@ files_tmp_file(quantum_tmp_t) @@ -59423,11 +59042,10 @@ index 769d1fd..e08eabf 100644 ######################################## # # Local policy -@@ -61,11 +64,13 @@ corenet_tcp_sendrecv_generic_node(quantum_t) +@@ -61,11 +64,12 @@ corenet_tcp_sendrecv_generic_node(quantum_t) corenet_tcp_sendrecv_all_ports(quantum_t) corenet_tcp_bind_generic_node(quantum_t) -+corenet_tcp_bind_generic_node(quantum_t) +corenet_tcp_bind_quantum_port(quantum_t) +corenet_tcp_connect_mysqld_port(quantum_t) + 
@@ -59439,7 +59057,7 @@ index 769d1fd..e08eabf 100644 auth_use_nsswitch(quantum_t) libs_exec_ldconfig(quantum_t) -@@ -73,8 +78,6 @@ libs_exec_ldconfig(quantum_t) +@@ -73,8 +77,6 @@ libs_exec_ldconfig(quantum_t) logging_send_audit_msgs(quantum_t) logging_send_syslog_msg(quantum_t) @@ -59448,7 +59066,7 @@ index 769d1fd..e08eabf 100644 sysnet_domtrans_ifconfig(quantum_t) optional_policy(` -@@ -94,3 +97,7 @@ optional_policy(` +@@ -94,3 +96,7 @@ optional_policy(` postgresql_tcp_connect(quantum_t) ') @@ -59739,7 +59357,7 @@ index da64218..3fb8575 100644 + domtrans_pattern($1, quota_nld_exec_t, quota_nld_t) ') diff --git a/quota.te b/quota.te -index 4b2c272..0df6e21 100644 +index 4b2c272..1aee969 100644 --- a/quota.te +++ b/quota.te @@ -1,16 +1,14 @@ @@ -59780,25 +59398,15 @@ index 4b2c272..0df6e21 100644 allow quota_t quota_db_t:file { manage_file_perms quotaon }; files_root_filetrans(quota_t, quota_db_t, file) files_boot_filetrans(quota_t, quota_db_t, file) -@@ -48,7 +44,16 @@ files_var_filetrans(quota_t, quota_db_t, file) +@@ -48,7 +44,6 @@ files_var_filetrans(quota_t, quota_db_t, file) files_spool_filetrans(quota_t, quota_db_t, file) userdom_user_home_dir_filetrans(quota_t, quota_db_t, file) -kernel_request_load_module(quota_t) -+optional_policy(` -+ mta_spool_filetrans(quota_t, quota_db_t, file) -+ mta_spool_filetrans(quota_t, quota_db_t, file) -+ mta_spool_filetrans_queue(quota_t, quota_db_t, file) -+') -+ -+optional_policy(` -+ openshift_lib_filetrans(quota_t, quota_db_t, file) -+') -+ kernel_list_proc(quota_t) kernel_read_proc_symlinks(quota_t) kernel_read_kernel_sysctls(quota_t) -@@ -58,14 +63,6 @@ dev_read_sysfs(quota_t) +@@ -58,14 +53,6 @@ dev_read_sysfs(quota_t) dev_getattr_all_blk_files(quota_t) dev_getattr_all_chr_files(quota_t) 
@@ -59813,7 +59421,7 @@ index 4b2c272..0df6e21 100644 fs_get_xattr_fs_quotas(quota_t) fs_set_xattr_fs_quotas(quota_t) fs_getattr_xattr_fs(quota_t) -@@ -80,20 +77,24 @@ term_dontaudit_use_console(quota_t) +@@ -80,17 +67,28 @@ term_dontaudit_use_console(quota_t) domain_use_interactive_fds(quota_t) @@ -59832,19 +59440,20 @@ index 4b2c272..0df6e21 100644 logging_send_syslog_msg(quota_t) -userdom_use_user_terminals(quota_t) ++mta_spool_filetrans(quota_t, quota_db_t, file) ++mta_spool_filetrans_queue(quota_t, quota_db_t, file) ++ +userdom_use_inherited_user_terminals(quota_t) userdom_dontaudit_use_unpriv_user_fds(quota_t) optional_policy(` - mta_queue_filetrans(quota_t, quota_db_t, file) - mta_spool_filetrans(quota_t, quota_db_t, file) --') -- --optional_policy(` - seutil_sigchld_newrole(quota_t) ++ openshift_lib_filetrans(quota_t, quota_db_t, file) ') -@@ -103,12 +104,12 @@ optional_policy(` + optional_policy(` +@@ -103,12 +101,12 @@ optional_policy(` ####################################### # @@ -59859,7 +59468,7 @@ index 4b2c272..0df6e21 100644 manage_files_pattern(quota_nld_t, quota_nld_var_run_t, quota_nld_var_run_t) files_pid_filetrans(quota_nld_t, quota_nld_var_run_t, { file }) -@@ -121,11 +122,9 @@ init_read_utmp(quota_nld_t) +@@ -121,11 +119,9 @@ init_read_utmp(quota_nld_t) logging_send_syslog_msg(quota_nld_t) @@ -60214,7 +59823,7 @@ index 951db7f..db0d815 100644 + allow $1 mdadm_var_run_t:file manage_file_perms; ') diff --git a/raid.te b/raid.te -index 2c1730b..c27bb23 100644 +index 2c1730b..43e7487 100644 --- a/raid.te +++ b/raid.te @@ -26,7 +26,7 @@ dev_associate(mdadm_var_run_t) @@ -60274,17 +59883,6 @@ index 2c1730b..c27bb23 100644 userdom_dontaudit_use_unpriv_user_fds(mdadm_t) userdom_dontaudit_search_user_home_content(mdadm_t) userdom_dontaudit_use_user_terminals(mdadm_t) -@@ -89,6 +91,10 @@ optional_policy(` - ') - - optional_policy(` -+ cron_system_entry(mdadm_t, mdadm_exec_t) -+') -+ -+optional_policy(` - gpm_dontaudit_getattr_gpmctl(mdadm_t) - ') - 
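Review bot: In the `@@ -80,17 +67,28 @@` hunk of quota.te, `mta_spool_filetrans(quota_t, quota_db_t, file)` and `mta_spool_filetrans_queue(quota_t, quota_db_t, file)` are now called unconditionally, outside the `optional_policy` block that previously wrapped them, while the new `openshift_lib_filetrans(quota_t, quota_db_t, file)` still sits inside one. If mta is built as a separate contrib module on any target this patch file is the contrib tree, so that seems likely, an unconditional cross-module interface call makes the quota module fail to load whenever mta is absent; refpolicy convention keeps such calls in `optional_policy(`...')`. Suggest restoring the wrapper around the two mta lines, or adding a comment such as `# mta is always present in the base policy on this distribution` if that is guaranteed. The rest of the hunk (`userdom_use_inherited_user_terminals` replacing `userdom_use_user_terminals`) is a tightening and looks fine.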
diff --git a/razor.fc b/razor.fc index 6723f4d..6e26673 100644 --- a/razor.fc @@ -62217,7 +61815,7 @@ index 56bc01f..aee7ba7 100644 + relabelfrom_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t) ') diff --git a/rhcs.te b/rhcs.te -index 2c2de9a..337c06d 100644 +index 2c2de9a..d8bf297 100644 --- a/rhcs.te +++ b/rhcs.te @@ -50,6 +50,10 @@ rhcs_domain_template(qdiskd) @@ -62303,47 +61901,27 @@ index 2c2de9a..337c06d 100644 storage_raw_read_fixed_disk(fenced_t) storage_raw_write_fixed_disk(fenced_t) -@@ -159,8 +170,9 @@ storage_raw_read_removable_device(fenced_t) - term_getattr_pty_fs(fenced_t) +@@ -160,7 +171,7 @@ term_getattr_pty_fs(fenced_t) term_use_generic_ptys(fenced_t) term_use_ptmx(fenced_t) -+term_use_generic_ptys(fenced_t) -auth_use_nsswitch(fenced_t) +logging_send_syslog_msg(fenced_t) tunable_policy(`fenced_can_network_connect',` corenet_sendrecv_all_client_packets(fenced_t) -@@ -186,11 +198,26 @@ optional_policy(` - ') - - optional_policy(` -- ccs_read_config(fenced_t) -+ tunable_policy(`fenced_can_ssh',` -+ -+ allow fenced_t self:capability { setuid setgid }; -+ -+ corenet_tcp_connect_ssh_port(fenced_t) -+ ') +@@ -190,10 +201,6 @@ optional_policy(` ') optional_policy(` - gnome_read_generic_home_content(fenced_t) -+ ssh_exec(fenced_t) -+ ssh_read_user_home_files(fenced_t) -+ ') -+ -+# needed by fence_scsi -+optional_policy(` -+ corosync_exec(fenced_t) -+') -+ -+optional_policy(` -+ ccs_read_config(fenced_t) +-') +- +-optional_policy(` + lvm_domtrans(fenced_t) + lvm_read_config(fenced_t) ') - - optional_policy(` -@@ -203,6 +230,13 @@ optional_policy(` +@@ -203,6 +210,13 @@ optional_policy(` snmp_manage_var_lib_dirs(fenced_t) ') @@ -62357,7 +61935,7 @@ index 2c2de9a..337c06d 100644 ####################################### # # foghorn local policy -@@ -223,7 +257,8 @@ corenet_tcp_sendrecv_agentx_port(foghorn_t) +@@ -223,7 +237,8 @@ corenet_tcp_sendrecv_agentx_port(foghorn_t) dev_read_urand(foghorn_t) 
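Review bot: In the rhcs.te hunk that becomes `@@ -190,10 +201,6 @@`, the whole `fenced_can_ssh` tunable block (`allow fenced_t self:capability { setuid setgid };`, `corenet_tcp_connect_ssh_port(fenced_t)`, `ssh_exec(fenced_t)`, `ssh_read_user_home_files(fenced_t)`) and the `corosync_exec(fenced_t)` block are dropped, and nothing visible shows them re-added elsewhere. If `gen_tunable(fenced_can_ssh, ...)` is still declared at the top of rhcs.te (outside this hunk), it becomes an inert boolean that toggles nothing, and fence agents that ssh to peer nodes silently lose the rules they needed. Please confirm these were relocated, as the changelog's "remove duplicate rules" suggests, rather than lost; if they are gone intentionally, the `gen_tunable` and its description should be removed in the same change. The fenced_t section continues past the end of the hunk.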
@@ -62367,7 +61945,7 @@ index 2c2de9a..337c06d 100644 optional_policy(` dbus_connect_system_bus(foghorn_t) -@@ -257,6 +292,8 @@ storage_getattr_removable_dev(gfs_controld_t) +@@ -257,6 +272,8 @@ storage_getattr_removable_dev(gfs_controld_t) init_rw_script_tmp_files(gfs_controld_t) @@ -62376,7 +61954,7 @@ index 2c2de9a..337c06d 100644 optional_policy(` lvm_exec(gfs_controld_t) dev_rw_lvm_control(gfs_controld_t) -@@ -275,10 +312,10 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t) +@@ -275,10 +292,10 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t) dev_list_sysfs(groupd_t) @@ -62389,7 +61967,7 @@ index 2c2de9a..337c06d 100644 ###################################### # # qdiskd local policy -@@ -321,6 +358,8 @@ storage_raw_write_fixed_disk(qdiskd_t) +@@ -321,6 +338,8 @@ storage_raw_write_fixed_disk(qdiskd_t) auth_use_nsswitch(qdiskd_t) @@ -63114,7 +62692,7 @@ index 6dbc905..92aac94 100644 - admin_pattern($1, rhsmcertd_lock_t) ') diff --git a/rhsmcertd.te b/rhsmcertd.te -index 1cedd70..a7c75e8 100644 +index 1cedd70..48fec17 100644 --- a/rhsmcertd.te +++ b/rhsmcertd.te @@ -31,6 +31,7 @@ files_pid_file(rhsmcertd_var_run_t) @@ -63125,13 +62703,11 @@ index 1cedd70..a7c75e8 100644 allow rhsmcertd_t self:fifo_file rw_fifo_file_perms; allow rhsmcertd_t self:unix_stream_socket create_stream_socket_perms; -@@ -52,21 +53,37 @@ files_pid_filetrans(rhsmcertd_t, rhsmcertd_var_run_t, { file dir }) +@@ -52,21 +53,35 @@ files_pid_filetrans(rhsmcertd_t, rhsmcertd_var_run_t, { file dir }) kernel_read_network_state(rhsmcertd_t) kernel_read_system_state(rhsmcertd_t) +corenet_tcp_connect_http_port(rhsmcertd_t) -+ -+files_list_tmp(rhsmcertd_t) + corecmd_exec_bin(rhsmcertd_t) +corecmd_exec_shell(rhsmcertd_t) 
@@ -63147,11 +62723,11 @@ index 1cedd70..a7c75e8 100644 +files_manage_generic_locks(rhsmcertd_t) + +auth_read_passwd(rhsmcertd_t) -+ -+logging_send_syslog_msg(rhsmcertd_t) -miscfiles_read_localization(rhsmcertd_t) -miscfiles_read_generic_certs(rhsmcertd_t) ++logging_send_syslog_msg(rhsmcertd_t) ++ +miscfiles_read_certs(rhsmcertd_t) sysnet_dns_name_resolve(rhsmcertd_t) @@ -63552,7 +63128,7 @@ index 050479d..0e1b364 100644 type rlogind_home_t; ') diff --git a/rlogin.te b/rlogin.te -index d34cdec..991c738 100644 +index d34cdec..f41c9c5 100644 --- a/rlogin.te +++ b/rlogin.te @@ -30,7 +30,9 @@ files_pid_file(rlogind_var_run_t) @@ -63582,18 +63158,15 @@ index d34cdec..991c738 100644 corenet_all_recvfrom_netlabel(rlogind_t) corenet_tcp_sendrecv_generic_if(rlogind_t) corenet_udp_sendrecv_generic_if(rlogind_t) -@@ -67,8 +67,10 @@ fs_getattr_all_fs(rlogind_t) +@@ -67,6 +67,7 @@ fs_getattr_all_fs(rlogind_t) fs_search_auto_mountpoints(rlogind_t) auth_domtrans_chk_passwd(rlogind_t) +auth_signal_chk_passwd(rlogind_t) auth_rw_login_records(rlogind_t) auth_use_nsswitch(rlogind_t) -+auth_login_pgm_domain(rlogind_t) - files_read_etc_runtime_files(rlogind_t) - files_search_default(rlogind_t) -@@ -77,30 +79,28 @@ init_rw_utmp(rlogind_t) +@@ -77,30 +78,23 @@ init_rw_utmp(rlogind_t) logging_send_syslog_msg(rlogind_t) 
@@ -63616,23 +63189,19 @@ index d34cdec..991c738 100644 - fs_read_nfs_files(rlogind_t) - fs_read_nfs_symlinks(rlogind_t) -') -+rlogin_read_home_content(rlogind_t) - +- -tunable_policy(`use_samba_home_dirs',` - fs_list_cifs(rlogind_t) - fs_read_cifs_files(rlogind_t) - fs_read_cifs_symlinks(rlogind_t) -+optional_policy(` -+ kerberos_keytab_template(rlogind, rlogind_t) -+ kerberos_tmp_filetrans_host_rcache(rlogind_t, "host_0") - ') +-') ++rlogin_read_home_content(rlogind_t) optional_policy(` -- kerberos_keytab_template(rlogind, rlogind_t) + kerberos_keytab_template(rlogind, rlogind_t) - kerberos_tmp_filetrans_host_rcache(rlogind_t, file, "host_0") - kerberos_manage_host_rcache(rlogind_t) -+ remotelogin_domtrans(rlogind_t) -+ remotelogin_signal(rlogind_t) ++ kerberos_tmp_filetrans_host_rcache(rlogind_t, "host_0") ') optional_policy(` @@ -64800,20 +64369,18 @@ index 3b5e9ee..ff1163f 100644 + admin_pattern($1, rpcbind_var_run_t) ') diff --git a/rpcbind.te b/rpcbind.te -index c49828c..13e491e 100644 +index c49828c..a323332 100644 --- a/rpcbind.te +++ b/rpcbind.te -@@ -42,7 +42,8 @@ kernel_read_system_state(rpcbind_t) +@@ -42,7 +42,6 @@ kernel_read_system_state(rpcbind_t) kernel_read_network_state(rpcbind_t) kernel_request_load_module(rpcbind_t) -corenet_all_recvfrom_unlabeled(rpcbind_t) -+corecmd_exec_shell(rpcbind_t) -+ corenet_all_recvfrom_netlabel(rpcbind_t) corenet_tcp_sendrecv_generic_if(rpcbind_t) corenet_udp_sendrecv_generic_if(rpcbind_t) -@@ -62,12 +63,11 @@ corecmd_exec_shell(rpcbind_t) +@@ -62,12 +61,11 @@ corecmd_exec_shell(rpcbind_t) domain_use_interactive_fds(rpcbind_t) @@ -65462,7 +65029,7 @@ index 0628d50..bedc8ae 100644 + allow rpm_script_t $1:process sigchld; ') diff --git a/rpm.te b/rpm.te -index 5cbe81c..9f7e65d 100644 +index 5cbe81c..b86d966 100644 --- a/rpm.te +++ b/rpm.te @@ -1,15 +1,11 @@ 
@@ -65732,15 +65299,7 @@ index 5cbe81c..9f7e65d 100644 allow rpm_script_t rpm_tmp_t:file read_file_perms; allow rpm_script_t rpm_script_tmp_t:dir mounton; -@@ -260,6 +271,7 @@ manage_files_pattern(rpm_script_t, rpm_script_tmp_t, rpm_script_tmp_t) - manage_blk_files_pattern(rpm_script_t, rpm_script_tmp_t, rpm_script_tmp_t) - manage_chr_files_pattern(rpm_script_t, rpm_script_tmp_t, rpm_script_tmp_t) - files_tmp_filetrans(rpm_script_t, rpm_script_tmp_t, { file dir }) -+can_exec(rpm_script_t, rpm_script_tmp_t) - - manage_dirs_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t) - manage_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t) -@@ -267,8 +279,9 @@ manage_lnk_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t) +@@ -267,8 +278,9 @@ manage_lnk_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t) manage_fifo_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t) manage_sock_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t) fs_tmpfs_filetrans(rpm_script_t, rpm_script_tmpfs_t, { dir file lnk_file sock_file fifo_file }) @@ -65751,7 +65310,7 @@ index 5cbe81c..9f7e65d 100644 kernel_read_crypto_sysctls(rpm_script_t) kernel_read_kernel_sysctls(rpm_script_t) -@@ -277,45 +290,27 @@ kernel_read_network_state(rpm_script_t) +@@ -277,45 +289,27 @@ kernel_read_network_state(rpm_script_t) kernel_list_all_proc(rpm_script_t) kernel_read_software_raid_state(rpm_script_t) @@ -65801,7 +65360,7 @@ index 5cbe81c..9f7e65d 100644 mls_file_read_all_levels(rpm_script_t) mls_file_write_all_levels(rpm_script_t) -@@ -331,30 +326,49 @@ storage_raw_write_fixed_disk(rpm_script_t) +@@ -331,30 +325,48 @@ storage_raw_write_fixed_disk(rpm_script_t) term_getattr_unallocated_ttys(rpm_script_t) term_list_ptys(rpm_script_t) 
@@ -65810,10 +65369,7 @@ index 5cbe81c..9f7e65d 100644 auth_dontaudit_getattr_shadow(rpm_script_t) auth_use_nsswitch(rpm_script_t) -+# ideally we would not need this -+files_manage_all_files(rpm_script_t) -+files_relabel_all_files(rpm_script_t) -+ + +corecmd_exec_all_executables(rpm_script_t) +can_exec(rpm_script_t, rpm_script_tmp_t) +can_exec(rpm_script_t, rpm_script_tmpfs_t) @@ -65824,11 +65380,13 @@ index 5cbe81c..9f7e65d 100644 +domain_signal_all_domains(rpm_script_t) +domain_signull_all_domains(rpm_script_t) + ++# ideally we would not need this ++files_manage_all_files(rpm_script_t) +files_exec_etc_files(rpm_script_t) +files_read_etc_runtime_files(rpm_script_t) +files_exec_usr_files(rpm_script_t) +files_relabel_all_files(rpm_script_t) - ++ init_domtrans_script(rpm_script_t) init_telinit(rpm_script_t) @@ -65860,7 +65418,7 @@ index 5cbe81c..9f7e65d 100644 ifdef(`distro_redhat',` optional_policy(` -@@ -363,24 +377,24 @@ ifdef(`distro_redhat',` +@@ -363,24 +375,24 @@ ifdef(`distro_redhat',` ') ') @@ -65892,7 +65450,7 @@ index 5cbe81c..9f7e65d 100644 ') optional_policy(` -@@ -388,8 +402,17 @@ optional_policy(` +@@ -388,8 +400,17 @@ optional_policy(` ') optional_policy(` @@ -65912,7 +65470,7 @@ index 5cbe81c..9f7e65d 100644 ') optional_policy(` -@@ -397,6 +420,7 @@ optional_policy(` +@@ -397,6 +418,7 @@ optional_policy(` ') optional_policy(` @@ -65920,7 +65478,7 @@ index 5cbe81c..9f7e65d 100644 unconfined_domtrans(rpm_script_t) optional_policy(` -@@ -409,6 +433,6 @@ optional_policy(` +@@ -409,6 +431,6 @@ optional_policy(` ') optional_policy(` @@ -66674,18 +66232,15 @@ index bd35afe..051addd 100644 + rtkit_daemon_dbus_chat($1) ') diff --git a/rtkit.te b/rtkit.te -index 3f5a8ef..d7bffcc 100644 +index 3f5a8ef..29a8e9e 100644 --- a/rtkit.te 
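Review bot: In the rpm.te hunk `@@ -331,30 +325,48 @@`, `files_manage_all_files(rpm_script_t)` and `files_relabel_all_files(rpm_script_t)` are kept with only `# ideally we would not need this` as justification, and the relabel line now lands after `files_exec_usr_files` instead of next to the manage rule it belongs with. Combined with `corecmd_exec_all_executables`, `domain_signal_all_domains` and `domain_signull_all_domains` in the same hunk, this leaves rpm_script_t close to unconfined for the filesystem, so the comment should state what requires it and what keeps it contained, e.g. `# rpm scriptlets write and relabel arbitrary paths; this is effectively unconfined file access, so rpm_script_t must only be reachable via the rpm_t domain transition (confirm no other entry points exist)`. Placing `files_relabel_all_files` directly under `files_manage_all_files` would keep the two broad grants visible together. The rpm_script_t section continues outside the hunk.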
+++ b/rtkit.te -@@ -31,8 +31,9 @@ auth_use_nsswitch(rtkit_daemon_t) +@@ -31,8 +31,6 @@ auth_use_nsswitch(rtkit_daemon_t) logging_send_syslog_msg(rtkit_daemon_t) -miscfiles_read_localization(rtkit_daemon_t) - -+optional_policy(` -+ dbus_system_domain(rtkit_daemon_t, rtkit_daemon_exec_t) -+') optional_policy(` dbus_system_domain(rtkit_daemon_t, rtkit_daemon_exec_t) @@ -67603,7 +67158,7 @@ index aee75af..a6bab06 100644 + allow $1 samba_unit_file_t:service all_service_perms; ') diff --git a/samba.te b/samba.te -index 57c034b..bb73e4a 100644 +index 57c034b..27fd4cd 100644 --- a/samba.te +++ b/samba.te @@ -1,4 +1,4 @@ @@ -68187,7 +67742,7 @@ index 57c034b..bb73e4a 100644 manage_dirs_pattern(nmbd_t, { smbd_var_run_t nmbd_var_run_t }, nmbd_var_run_t) manage_files_pattern(nmbd_t, nmbd_var_run_t, nmbd_var_run_t) -@@ -520,20 +528,15 @@ read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t) +@@ -520,20 +528,14 @@ read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t) read_lnk_files_pattern(nmbd_t, samba_etc_t, samba_etc_t) manage_dirs_pattern(nmbd_t, samba_log_t, samba_log_t) @@ -68197,7 +67752,7 @@ index 57c034b..bb73e4a 100644 +manage_files_pattern(nmbd_t, samba_log_t, samba_log_t) manage_files_pattern(nmbd_t, samba_var_t, samba_var_t) - manage_files_pattern(nmbd_t, samba_var_t, samba_var_t) +-manage_files_pattern(nmbd_t, samba_var_t, samba_var_t) manage_lnk_files_pattern(nmbd_t, samba_var_t, samba_var_t) manage_sock_files_pattern(nmbd_t, samba_var_t, samba_var_t) -files_var_filetrans(nmbd_t, samba_var_t, dir, "nmbd") @@ -68210,7 +67765,7 @@ index 57c034b..bb73e4a 100644 kernel_getattr_core_if(nmbd_t) kernel_getattr_message_if(nmbd_t) -@@ -542,52 +545,39 @@ kernel_read_network_state(nmbd_t) +@@ -542,52 +544,39 @@ kernel_read_network_state(nmbd_t) kernel_read_software_raid_state(nmbd_t) kernel_read_system_state(nmbd_t) 
@@ -68273,7 +67828,7 @@ index 57c034b..bb73e4a 100644 ') optional_policy(` -@@ -600,17 +590,24 @@ optional_policy(` +@@ -600,17 +589,24 @@ optional_policy(` ######################################## # @@ -68302,7 +67857,7 @@ index 57c034b..bb73e4a 100644 samba_read_config(smbcontrol_t) samba_rw_var_files(smbcontrol_t) samba_search_var(smbcontrol_t) -@@ -620,16 +617,12 @@ domain_use_interactive_fds(smbcontrol_t) +@@ -620,16 +616,12 @@ domain_use_interactive_fds(smbcontrol_t) dev_read_urand(smbcontrol_t) @@ -68320,7 +67875,7 @@ index 57c034b..bb73e4a 100644 optional_policy(` ctdbd_stream_connect(smbcontrol_t) -@@ -637,22 +630,23 @@ optional_policy(` +@@ -637,22 +629,23 @@ optional_policy(` ######################################## # @@ -68352,7 +67907,7 @@ index 57c034b..bb73e4a 100644 allow smbmount_t samba_secrets_t:file manage_file_perms; -@@ -661,26 +655,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t) +@@ -661,26 +654,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t) manage_lnk_files_pattern(smbmount_t, samba_var_t, samba_var_t) files_var_filetrans(smbmount_t, samba_var_t, dir, "samba") @@ -68388,19 +67943,19 @@ index 57c034b..bb73e4a 100644 fs_getattr_cifs(smbmount_t) fs_mount_cifs(smbmount_t) -@@ -692,58 +682,78 @@ fs_read_cifs_files(smbmount_t) +@@ -692,58 +681,77 @@ fs_read_cifs_files(smbmount_t) storage_raw_read_fixed_disk(smbmount_t) storage_raw_write_fixed_disk(smbmount_t) -auth_use_nsswitch(smbmount_t) +corecmd_list_bin(smbmount_t) -+ + +-miscfiles_read_localization(smbmount_t) +files_list_mnt(smbmount_t) +files_mounton_mnt(smbmount_t) +files_manage_etc_runtime_files(smbmount_t) +files_etc_filetrans_etc_runtime(smbmount_t, file) - --miscfiles_read_localization(smbmount_t) ++ +auth_use_nsswitch(smbmount_t) -mount_use_fds(smbmount_t) 
@@ -68469,7 +68024,6 @@ index 57c034b..bb73e4a 100644 manage_files_pattern(swat_t, samba_var_t, samba_var_t) -manage_lnk_files_pattern(swat_t, samba_var_t, samba_var_t) files_var_filetrans(swat_t, samba_var_t, dir, "samba") -+files_list_var_lib(swat_t) allow swat_t smbd_exec_t:file mmap_file_perms ; @@ -68481,7 +68035,7 @@ index 57c034b..bb73e4a 100644 manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t) manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t) -@@ -752,17 +762,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir }) +@@ -752,17 +760,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir }) manage_files_pattern(swat_t, swat_var_run_t, swat_var_run_t) files_pid_filetrans(swat_t, swat_var_run_t, file) @@ -68505,7 +68059,7 @@ index 57c034b..bb73e4a 100644 kernel_read_kernel_sysctls(swat_t) kernel_read_system_state(swat_t) -@@ -770,36 +776,25 @@ kernel_read_network_state(swat_t) +@@ -770,36 +774,25 @@ kernel_read_network_state(swat_t) corecmd_search_bin(swat_t) @@ -68548,7 +68102,7 @@ index 57c034b..bb73e4a 100644 auth_domtrans_chk_passwd(swat_t) auth_use_nsswitch(swat_t) -@@ -811,10 +806,11 @@ logging_send_syslog_msg(swat_t) +@@ -811,10 +804,11 @@ logging_send_syslog_msg(swat_t) logging_send_audit_msgs(swat_t) logging_search_logs(swat_t) @@ -68562,7 +68116,7 @@ index 57c034b..bb73e4a 100644 optional_policy(` cups_read_rw_config(swat_t) cups_stream_connect(swat_t) -@@ -837,13 +833,15 @@ allow winbind_t self:capability { dac_override ipc_lock setuid sys_nice }; +@@ -837,13 +831,15 @@ allow winbind_t self:capability { dac_override ipc_lock setuid sys_nice }; dontaudit winbind_t self:capability sys_tty_config; allow winbind_t self:process { signal_perms getsched setsched }; allow winbind_t self:fifo_file rw_fifo_file_perms; 
@@ -68582,7 +68136,7 @@ index 57c034b..bb73e4a 100644 allow winbind_t samba_etc_t:dir list_dir_perms; read_files_pattern(winbind_t, samba_etc_t, samba_etc_t) -@@ -853,9 +851,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t) +@@ -853,9 +849,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t) filetrans_pattern(winbind_t, samba_etc_t, samba_secrets_t, file) manage_dirs_pattern(winbind_t, samba_log_t, samba_log_t) @@ -68593,11 +68147,7 @@ index 57c034b..bb73e4a 100644 manage_lnk_files_pattern(winbind_t, samba_log_t, samba_log_t) manage_dirs_pattern(winbind_t, samba_var_t, samba_var_t) -@@ -863,26 +859,25 @@ manage_files_pattern(winbind_t, samba_var_t, samba_var_t) - manage_lnk_files_pattern(winbind_t, samba_var_t, samba_var_t) - manage_sock_files_pattern(winbind_t, samba_var_t, samba_var_t) - files_var_filetrans(winbind_t, samba_var_t, dir, "samba") -+files_list_var_lib(winbind_t) +@@ -866,23 +860,21 @@ files_var_filetrans(winbind_t, samba_var_t, dir, "samba") rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t) @@ -68627,7 +68177,7 @@ index 57c034b..bb73e4a 100644 manage_sock_files_pattern(winbind_t, smbd_var_run_t, smbd_var_run_t) kernel_read_network_state(winbind_t) -@@ -891,13 +886,18 @@ kernel_read_system_state(winbind_t) +@@ -891,13 +883,17 @@ kernel_read_system_state(winbind_t) corecmd_exec_bin(winbind_t) @@ -68645,11 +68195,10 @@ index 57c034b..bb73e4a 100644 +corenet_udp_sendrecv_all_ports(winbind_t) +corenet_tcp_bind_generic_node(winbind_t) +corenet_udp_bind_generic_node(winbind_t) -+corenet_tcp_connect_smbd_port(winbind_t) corenet_tcp_connect_smbd_port(winbind_t) corenet_tcp_connect_epmap_port(winbind_t) corenet_tcp_connect_all_unreserved_ports(winbind_t) -@@ -905,10 +905,6 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t) +@@ -905,10 +901,6 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t) dev_read_sysfs(winbind_t) dev_read_urand(winbind_t) 
@@ -68660,7 +68209,7 @@ index 57c034b..bb73e4a 100644 fs_getattr_all_fs(winbind_t) fs_search_auto_mountpoints(winbind_t) -@@ -917,11 +913,17 @@ auth_domtrans_chk_passwd(winbind_t) +@@ -917,11 +909,17 @@ auth_domtrans_chk_passwd(winbind_t) auth_use_nsswitch(winbind_t) auth_manage_cache(winbind_t) @@ -68679,7 +68228,7 @@ index 57c034b..bb73e4a 100644 userdom_dontaudit_use_unpriv_user_fds(winbind_t) userdom_manage_user_home_content_dirs(winbind_t) userdom_manage_user_home_content_files(winbind_t) -@@ -936,6 +938,10 @@ optional_policy(` +@@ -936,6 +934,10 @@ optional_policy(` ') optional_policy(` @@ -68690,7 +68239,7 @@ index 57c034b..bb73e4a 100644 kerberos_use(winbind_t) ') -@@ -952,31 +958,29 @@ optional_policy(` +@@ -952,31 +954,29 @@ optional_policy(` # Winbind helper local policy # @@ -68728,7 +68277,7 @@ index 57c034b..bb73e4a 100644 optional_policy(` apache_append_log(winbind_helper_t) -@@ -990,25 +994,38 @@ optional_policy(` +@@ -990,25 +990,38 @@ optional_policy(` ######################################## # @@ -68781,7 +68330,7 @@ index 57c034b..bb73e4a 100644 + can_exec(smbd_t, samba_unconfined_script_exec_t) ') diff --git a/sambagui.te b/sambagui.te -index d9f8784..2b2c0dc 100644 +index d9f8784..9c40dbd 100644 --- a/sambagui.te +++ b/sambagui.te @@ -28,14 +28,14 @@ corecmd_exec_shell(sambagui_t) @@ -68802,18 +68351,7 @@ index d9f8784..2b2c0dc 100644 sysnet_use_ldap(sambagui_t) -@@ -44,6 +44,10 @@ optional_policy(` - ') - - optional_policy(` -+ dbus_system_domain(sambagui_t, sambagui_exec_t) -+') -+ -+optional_policy(` - nscd_dontaudit_search_pid(sambagui_t) - ') - -@@ -61,6 +65,7 @@ optional_policy(` +@@ -61,6 +61,7 @@ optional_policy(` samba_manage_var_files(sambagui_t) samba_read_secrets(sambagui_t) samba_initrc_domtrans(sambagui_t) @@ -72283,7 +71821,7 @@ index 1aeef8a..d5ce40a 100644 admin_pattern($1, shorewall_etc_t) diff --git a/shorewall.te b/shorewall.te -index ca03de6..f80249c 100644 +index ca03de6..bac98d6 100644 --- a/shorewall.te 
+++ b/shorewall.te @@ -57,6 +57,9 @@ exec_files_pattern(shorewall_t, shorewall_var_lib_t, shorewall_var_lib_t) @@ -72304,13 +71842,12 @@ index ca03de6..f80249c 100644 files_search_kernel_modules(shorewall_t) fs_getattr_all_fs(shorewall_t) -@@ -86,12 +88,13 @@ init_rw_utmp(shorewall_t) +@@ -86,12 +88,11 @@ init_rw_utmp(shorewall_t) logging_read_generic_logs(shorewall_t) logging_send_syslog_msg(shorewall_t) -miscfiles_read_localization(shorewall_t) -+auth_use_nsswitch(shorewall_t) - +- sysnet_domtrans_ifconfig(shorewall_t) -userdom_dontaudit_list_user_home_dirs(shorewall_t) @@ -72670,7 +72207,7 @@ index e0644b5..ea347cc 100644 domain_system_change_exemption($1) role_transition $2 fsdaemon_initrc_exec_t system_r; diff --git a/smartmon.te b/smartmon.te -index 9ade9c5..ff7649e 100644 +index 9ade9c5..90cb567 100644 --- a/smartmon.te +++ b/smartmon.te @@ -60,21 +60,27 @@ kernel_read_system_state(fsdaemon_t) @@ -72721,14 +72258,18 @@ index 9ade9c5..ff7649e 100644 sysnet_dns_name_resolve(fsdaemon_t) -@@ -122,3 +130,7 @@ optional_policy(` - optional_policy(` - udev_read_db(fsdaemon_t) +@@ -116,9 +124,9 @@ optional_policy(` ') -+ -+optional_policy(` + + optional_policy(` +- seutil_sigchld_newrole(fsdaemon_t) ++ udev_read_db(fsdaemon_t) + ') + + optional_policy(` +- udev_read_db(fsdaemon_t) + virt_read_images(fsdaemon_t) -+') + ') diff --git a/smokeping.if b/smokeping.if index 1fa51c1..82e111c 100644 --- a/smokeping.if @@ -72777,10 +72318,10 @@ index a8b1aaf..a09f2fe 100644 netutils_domtrans_ping(httpd_smokeping_cgi_script_t) diff --git a/smoltclient.te b/smoltclient.te -index 9c8f9a5..529487e 100644 +index 9c8f9a5..14f15a4 100644 --- a/smoltclient.te +++ b/smoltclient.te -@@ -51,14 +51,20 @@ fs_list_auto_mountpoints(smoltclient_t) +@@ -51,14 +51,12 @@ fs_list_auto_mountpoints(smoltclient_t) files_getattr_generic_locks(smoltclient_t) files_read_etc_runtime_files(smoltclient_t) 
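Review bot: In the smartmon.te hunk `@@ -116,9 +124,9 @@`, `virt_read_images(fsdaemon_t)` is added inside an `optional_policy` block with no comment, which presumably grants the SMART monitoring daemon read access to virtual-machine disk images (virt_image_t), i.e. guest filesystem contents rather than device health data. If this is needed because smartd's device scan touches image-backed block devices, say so, e.g. `# smartd probes block devices that are backed by VM image files`, and consider whether a tunable is more appropriate than an always-on grant, since a compromised smartd could otherwise read every guest disk on the host. The net effect of the hunk also drops `seutil_sigchld_newrole(fsdaemon_t)`, which reads as a deliberate tightening and is fine.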
@@ -72792,14 +72333,6 @@ index 9c8f9a5..529487e 100644 miscfiles_read_hwdata(smoltclient_t) -miscfiles_read_localization(smoltclient_t) -+ -+optional_policy(` -+ abrt_stream_connect(smoltclient_t) -+') -+ -+optional_policy(` -+ cron_system_entry(smoltclient_t, smoltclient_exec_t) -+') optional_policy(` abrt_stream_connect(smoltclient_t) @@ -73273,7 +72806,7 @@ index 7a9cc9d..86cbca9 100644 init_labeled_script_domtrans($1, snmpd_initrc_exec_t) domain_system_change_exemption($1) diff --git a/snmp.te b/snmp.te -index 81864ce..bcd62b2 100644 +index 81864ce..a56b827 100644 --- a/snmp.te +++ b/snmp.te @@ -27,11 +27,13 @@ files_type(snmpd_var_lib_t) @@ -73307,7 +72840,17 @@ index 81864ce..bcd62b2 100644 corenet_all_recvfrom_netlabel(snmpd_t) corenet_tcp_sendrecv_generic_if(snmpd_t) corenet_udp_sendrecv_generic_if(snmpd_t) -@@ -94,7 +97,6 @@ domain_signull_all_domains(snmpd_t) +@@ -75,9 +78,7 @@ corenet_udp_bind_snmp_port(snmpd_t) + corenet_tcp_sendrecv_snmp_port(snmpd_t) + corenet_udp_sendrecv_snmp_port(snmpd_t) + +-corenet_sendrecv_snmp_client_packets(snmpd_t) + corenet_tcp_connect_agentx_port(snmpd_t) +-corenet_sendrecv_snmp_server_packets(snmpd_t) + corenet_tcp_bind_agentx_port(snmpd_t) + corenet_udp_bind_agentx_port(snmpd_t) + corenet_tcp_sendrecv_agentx_port(snmpd_t) +@@ -94,7 +95,6 @@ domain_signull_all_domains(snmpd_t) domain_read_all_domains_state(snmpd_t) domain_exec_all_entry_files(snmpd_t) @@ -73315,15 +72858,7 @@ index 81864ce..bcd62b2 100644 files_read_etc_runtime_files(snmpd_t) files_search_home(snmpd_t) -@@ -103,6 +105,7 @@ fs_getattr_all_fs(snmpd_t) - files_list_all(snmpd_t) - files_search_all_mountpoints(snmpd_t) - fs_search_auto_mountpoints(snmpd_t) -+files_search_all_mountpoints(snmpd_t) - - storage_dontaudit_read_fixed_disk(snmpd_t) - storage_dontaudit_read_removable_device(snmpd_t) -@@ -112,16 +115,25 @@ auth_use_nsswitch(snmpd_t) +@@ -112,10 +112,12 @@ auth_use_nsswitch(snmpd_t) init_read_utmp(snmpd_t) init_dontaudit_write_utmp(snmpd_t) 
@@ -73337,19 +72872,6 @@ index 81864ce..bcd62b2 100644 seutil_dontaudit_search_config(snmpd_t) - userdom_dontaudit_use_unpriv_user_fds(snmpd_t) - userdom_dontaudit_search_user_home_dirs(snmpd_t) - -+ifdef(`distro_redhat',` -+ optional_policy(` -+ rpm_read_db(snmpd_t) -+ rpm_dontaudit_manage_db(snmpd_t) -+ ') -+') -+ - optional_policy(` - amanda_dontaudit_read_dumpdates(snmpd_t) - ') diff --git a/snort.if b/snort.if index 7d86b34..5f58180 100644 --- a/snort.if @@ -74864,7 +74386,7 @@ index 5e1f053..e7820bc 100644 domain_system_change_exemption($1) role_transition $2 squid_initrc_exec_t system_r; diff --git a/squid.te b/squid.te -index 221c560..d8c9794 100644 +index 221c560..6ea61f9 100644 --- a/squid.te +++ b/squid.te @@ -29,7 +29,7 @@ type squid_cache_t; 
@@ -74901,28 +74423,32 @@ index 221c560..d8c9794 100644 ######################################## # # Local policy -@@ -87,6 +93,10 @@ files_tmp_filetrans(squid_t, squid_tmp_t, { file dir }) - manage_files_pattern(squid_t, squid_tmpfs_t, squid_tmpfs_t) - fs_tmpfs_filetrans(squid_t, squid_tmpfs_t, file) +@@ -80,13 +86,13 @@ setattr_files_pattern(squid_t, squid_log_t, squid_log_t) + manage_lnk_files_pattern(squid_t, squid_log_t, squid_log_t) + logging_log_filetrans(squid_t, squid_log_t, { file dir }) -+manage_dirs_pattern(squid_t, squid_tmp_t, squid_tmp_t) -+manage_files_pattern(squid_t, squid_tmp_t, squid_tmp_t) -+files_tmp_filetrans(squid_t, squid_tmp_t, { file dir }) ++manage_files_pattern(squid_t, squid_tmpfs_t, squid_tmpfs_t) ++fs_tmpfs_filetrans(squid_t, squid_tmpfs_t, file) + + manage_dirs_pattern(squid_t, squid_tmp_t, squid_tmp_t) + manage_files_pattern(squid_t, squid_tmp_t, squid_tmp_t) + files_tmp_filetrans(squid_t, squid_tmp_t, { file dir }) + +-manage_files_pattern(squid_t, squid_tmpfs_t, squid_tmpfs_t) +-fs_tmpfs_filetrans(squid_t, squid_tmpfs_t, file) +- manage_files_pattern(squid_t, squid_var_run_t, squid_var_run_t) files_pid_filetrans(squid_t, squid_var_run_t, file) -@@ -96,7 +106,8 @@ kernel_read_kernel_sysctls(squid_t) +@@ -96,7 +102,6 @@ kernel_read_kernel_sysctls(squid_t) kernel_read_system_state(squid_t) kernel_read_network_state(squid_t) -corenet_all_recvfrom_unlabeled(squid_t) -+files_dontaudit_getattr_boot_dirs(squid_t) -+ corenet_all_recvfrom_netlabel(squid_t) corenet_tcp_sendrecv_generic_if(squid_t) corenet_udp_sendrecv_generic_if(squid_t) -@@ -156,7 +167,6 @@ dev_read_urand(squid_t) +@@ -156,7 +161,6 @@ dev_read_urand(squid_t) domain_use_interactive_fds(squid_t) files_read_etc_runtime_files(squid_t) 
@@ -74930,7 +74456,7 @@ index 221c560..d8c9794 100644 files_search_spool(squid_t) files_dontaudit_getattr_tmp_dirs(squid_t) files_getattr_home_dir(squid_t) -@@ -178,7 +188,6 @@ libs_exec_lib_files(squid_t) +@@ -178,7 +182,6 @@ libs_exec_lib_files(squid_t) logging_send_syslog_msg(squid_t) miscfiles_read_generic_certs(squid_t) @@ -74938,7 +74464,7 @@ index 221c560..d8c9794 100644 userdom_use_unpriv_users_fds(squid_t) userdom_dontaudit_search_user_home_dirs(squid_t) -@@ -200,6 +209,8 @@ tunable_policy(`squid_use_tproxy',` +@@ -200,6 +203,8 @@ tunable_policy(`squid_use_tproxy',` optional_policy(` apache_content_template(squid) @@ -74947,25 +74473,24 @@ index 221c560..d8c9794 100644 corenet_all_recvfrom_unlabeled(httpd_squid_script_t) corenet_all_recvfrom_netlabel(httpd_squid_script_t) corenet_tcp_sendrecv_generic_if(httpd_squid_script_t) -@@ -209,18 +220,22 @@ optional_policy(` +@@ -209,18 +214,18 @@ optional_policy(` corenet_tcp_connect_http_cache_port(httpd_squid_script_t) corenet_tcp_sendrecv_http_cache_port(httpd_squid_script_t) +- sysnet_dns_name_resolve(httpd_squid_script_t) + corenet_tcp_connect_squid_port(httpd_squid_script_t) -+ - sysnet_dns_name_resolve(httpd_squid_script_t) - squid_read_config(httpd_squid_script_t) +-') ++ sysnet_dns_name_resolve(httpd_squid_script_t) + +-optional_policy(` +- cron_system_entry(squid_t, squid_exec_t) + optional_policy(` + squid_read_config(httpd_squid_script_t) + ') ') - optional_policy(` -- cron_system_entry(squid_t, squid_exec_t) -+ mysql_stream_connect(squid_t) - ') - optional_policy(` - kerberos_manage_host_rcache(squid_t) - kerberos_tmp_filetrans_host_rcache(squid_t, file, "host_0") @@ -74974,7 +74499,7 @@ index 221c560..d8c9794 100644 ') optional_policy(` -@@ -238,3 +253,24 @@ optional_policy(` +@@ -238,3 +243,24 @@ optional_policy(` optional_policy(` udev_read_db(squid_t) ') @@ -75989,7 +75514,7 @@ index c9824cb..1973f71 100644 userdom_dontaudit_use_unpriv_user_fds(sxid_t) 
diff --git a/sysstat.te b/sysstat.te -index c8b80b2..33023d7 100644 +index c8b80b2..c6580e4 100644 --- a/sysstat.te +++ b/sysstat.te @@ -38,6 +38,7 @@ kernel_read_kernel_sysctls(sysstat_t) @@ -76009,16 +75534,12 @@ index c8b80b2..33023d7 100644 auth_use_nsswitch(sysstat_t) -@@ -58,12 +59,13 @@ init_use_fds(sysstat_t) +@@ -60,10 +61,9 @@ locallogin_use_fds(sysstat_t) - locallogin_use_fds(sysstat_t) - --logging_send_syslog_msg(sysstat_t) -+auth_use_nsswitch(sysstat_t) + logging_send_syslog_msg(sysstat_t) -miscfiles_read_localization(sysstat_t) -+logging_send_syslog_msg(sysstat_t) - +- userdom_dontaudit_list_user_home_dirs(sysstat_t) optional_policy(` @@ -77258,7 +76779,7 @@ index e9c0964..6e84ad8 100644 xserver_rw_xdm_pipes(telepathy_domain) ') diff --git a/telnet.te b/telnet.te -index 9f89916..6a317d0 100644 +index 9f89916..5f4c85e 100644 --- a/telnet.te +++ b/telnet.te @@ -26,13 +26,17 @@ files_pid_file(telnetd_var_run_t) @@ -77296,13 +76817,7 @@ index 9f89916..6a317d0 100644 files_read_etc_runtime_files(telnetd_t) files_search_home(telnetd_t) -@@ -65,16 +67,18 @@ fs_getattr_xattr_fs(telnetd_t) - auth_rw_login_records(telnetd_t) - auth_use_nsswitch(telnetd_t) - -+corecmd_search_bin(telnetd_t) -+ - init_rw_utmp(telnetd_t) +@@ -69,12 +71,12 @@ init_rw_utmp(telnetd_t) logging_send_syslog_msg(telnetd_t) @@ -77317,7 +76832,7 @@ index 9f89916..6a317d0 100644 tunable_policy(`use_nfs_home_dirs',` fs_search_nfs(telnetd_t) -@@ -86,7 +90,7 @@ tunable_policy(`use_samba_home_dirs',` +@@ -86,7 +88,7 @@ tunable_policy(`use_samba_home_dirs',` optional_policy(` kerberos_keytab_template(telnetd, telnetd_t) @@ -78136,10 +77651,10 @@ index 0000000..4902155 +') diff --git a/thumb.te b/thumb.te new file mode 100644 -index 0000000..e8b5d5e +index 0000000..aab66c4 --- /dev/null +++ b/thumb.te -@@ -0,0 +1,129 @@ +@@ -0,0 +1,127 @@ +policy_module(thumb, 1.0.0) + +######################################## 
@@ -78203,8 +77718,6 @@ index 0000000..e8b5d5e + +kernel_read_system_state(thumb_t) + -+domain_use_interactive_fds(thumb_t) -+ +corecmd_exec_bin(thumb_t) +corecmd_exec_shell(thumb_t) + @@ -78339,7 +77852,7 @@ index 67ca5c5..a1ef2d2 100644 fs_search_auto_mountpoints(timidity_t) diff --git a/tmpreaper.te b/tmpreaper.te -index a4a949c..0ab6c4c 100644 +index a4a949c..a0b1618 100644 --- a/tmpreaper.te +++ b/tmpreaper.te @@ -8,6 +8,7 @@ policy_module(tmpreaper, 1.6.3) @@ -78350,11 +77863,10 @@ index a4a949c..0ab6c4c 100644 ######################################## # -@@ -18,20 +19,26 @@ allow tmpreaper_t self:capability { dac_override dac_read_search fowner }; +@@ -18,20 +19,25 @@ allow tmpreaper_t self:capability { dac_override dac_read_search fowner }; kernel_list_unlabeled(tmpreaper_t) kernel_read_system_state(tmpreaper_t) -+kernel_list_unlabeled(tmpreaper_t) +kernel_delete_unlabeled(tmpreaper_t) dev_read_urand(tmpreaper_t) @@ -78381,17 +77893,13 @@ index a4a949c..0ab6c4c 100644 mls_file_read_all_levels(tmpreaper_t) mls_file_write_all_levels(tmpreaper_t) -@@ -39,14 +46,20 @@ auth_use_nsswitch(tmpreaper_t) +@@ -39,14 +45,16 @@ auth_use_nsswitch(tmpreaper_t) logging_send_syslog_msg(tmpreaper_t) -miscfiles_read_localization(tmpreaper_t) miscfiles_delete_man_pages(tmpreaper_t) -+optional_policy(` -+ cron_system_entry(tmpreaper_t, tmpreaper_exec_t) -+') -+ ifdef(`distro_redhat',` - userdom_list_all_user_home_content(tmpreaper_t) + userdom_list_user_home_content(tmpreaper_t) @@ -78404,7 +77912,7 @@ index a4a949c..0ab6c4c 100644 ') optional_policy(` -@@ -54,6 +67,7 @@ optional_policy(` +@@ -54,6 +62,7 @@ optional_policy(` ') optional_policy(` @@ -78412,7 +77920,7 @@ index a4a949c..0ab6c4c 100644 apache_list_cache(tmpreaper_t) apache_delete_cache_dirs(tmpreaper_t) apache_delete_cache_files(tmpreaper_t) -@@ -69,7 +83,15 @@ optional_policy(` +@@ -69,7 +78,15 @@ optional_policy(` ') optional_policy(` @@ -79005,7 +78513,7 @@ index 61c2e07..5e1df41 100644 + ') ') 
diff --git a/tor.te b/tor.te -index 964a395..2a5bcc4 100644 +index 964a395..78962c4 100644 --- a/tor.te +++ b/tor.te @@ -13,6 +13,13 @@ policy_module(tor, 1.8.4) @@ -79032,16 +78540,7 @@ index 964a395..2a5bcc4 100644 ######################################## # # Local policy -@@ -68,6 +78,8 @@ files_pid_filetrans(tor_t, tor_var_run_t, { dir file sock_file }) - kernel_read_kernel_sysctls(tor_t) - kernel_read_net_sysctls(tor_t) - kernel_read_system_state(tor_t) -+kernel_read_net_sysctls(tor_t) -+kernel_read_kernel_sysctls(tor_t) - - corenet_all_recvfrom_unlabeled(tor_t) - corenet_all_recvfrom_netlabel(tor_t) -@@ -77,7 +89,6 @@ corenet_tcp_sendrecv_generic_node(tor_t) +@@ -77,7 +87,6 @@ corenet_tcp_sendrecv_generic_node(tor_t) corenet_udp_sendrecv_generic_node(tor_t) corenet_tcp_bind_generic_node(tor_t) corenet_udp_bind_generic_node(tor_t) @@ -79049,12 +78548,7 @@ index 964a395..2a5bcc4 100644 corenet_sendrecv_dns_server_packets(tor_t) corenet_udp_bind_dns_port(tor_t) corenet_udp_sendrecv_dns_port(tor_t) -@@ -94,23 +105,27 @@ corenet_tcp_sendrecv_all_reserved_ports(tor_t) - - dev_read_sysfs(tor_t) - dev_read_urand(tor_t) -+dev_read_sysfs(tor_t) - +@@ -98,19 +107,22 @@ dev_read_urand(tor_t) domain_use_interactive_fds(tor_t) files_read_etc_runtime_files(tor_t) @@ -79383,7 +78877,7 @@ index ab5c1d0..d13105e 100644 allow $2 { uml_ro_t uml_rw_t uml_tmp_t uml_exec_t }:dir { manage_dir_perms relabel_dir_perms }; allow $2 { uml_ro_t uml_rw_t uml_tmp_t uml_tmpfs_t uml_exec_t }:file { manage_file_perms relabel_file_perms }; diff --git a/uml.te b/uml.te -index dc03cc5..fa862cf 100644 +index dc03cc5..423afe4 100644 --- a/uml.te +++ b/uml.te @@ -90,7 +90,6 @@ kernel_write_proc_files(uml_t) 
@@ -79409,7 +78903,18 @@ index dc03cc5..fa862cf 100644 userdom_attach_admin_tun_iface(uml_t) tunable_policy(`use_nfs_home_dirs',` -@@ -171,8 +176,6 @@ init_use_script_ptys(uml_switch_t) +@@ -133,10 +138,6 @@ tunable_policy(`use_samba_home_dirs',` + ') + + optional_policy(` +- seutil_use_newrole_fds(uml_t) +-') +- +-optional_policy(` + virt_attach_tun_iface(uml_t) + ') + +@@ -171,8 +172,6 @@ init_use_script_ptys(uml_switch_t) logging_send_syslog_msg(uml_switch_t) @@ -80288,7 +79793,7 @@ index af9acc0..0119768 100644 admin_pattern($1, uucpd_log_t) diff --git a/uucp.te b/uucp.te -index 380902c..3886551 100644 +index 380902c..75545d6 100644 --- a/uucp.te +++ b/uucp.te @@ -31,7 +31,7 @@ type uucpd_ro_t; @@ -80330,13 +79835,23 @@ index 380902c..3886551 100644 optional_policy(` cron_system_entry(uucpd_t, uucpd_exec_t) -@@ -160,10 +164,17 @@ auth_use_nsswitch(uux_t) +@@ -125,10 +129,6 @@ optional_policy(` + ') + + optional_policy(` +- mta_send_mail(uucpd_t) +-') +- +-optional_policy(` + ssh_exec(uucpd_t) + ') + +@@ -160,10 +160,15 @@ auth_use_nsswitch(uux_t) logging_search_logs(uux_t) logging_send_syslog_msg(uux_t) -miscfiles_read_localization(uux_t) -+logging_send_syslog_msg(uux_t) - +- optional_policy(` mta_send_mail(uux_t) mta_read_queue(uux_t) @@ -80612,7 +80127,7 @@ index 31c752e..e9c041d 100644 init_labeled_script_domtrans($1, vdagentd_initrc_exec_t) domain_system_change_exemption($1) diff --git a/vdagent.te b/vdagent.te -index 77be35a..5ba96c7 100644 +index 77be35a..4abe2aa 100644 --- a/vdagent.te +++ b/vdagent.te @@ -25,6 +25,7 @@ logging_log_file(vdagent_log_t) @@ -80623,7 +80138,7 @@ index 77be35a..5ba96c7 100644 allow vdagent_t self:fifo_file rw_fifo_file_perms; allow vdagent_t self:unix_stream_socket { accept listen }; -@@ -43,13 +44,17 @@ dev_rw_input_dev(vdagent_t) +@@ -43,13 +44,15 @@ dev_rw_input_dev(vdagent_t) dev_read_sysfs(vdagent_t) dev_dontaudit_write_mtrr(vdagent_t) 
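Review bot: `seutil_use_newrole_fds(uml_t)` and `mta_send_mail(uucpd_t)` are deleted from the upstream modules by the newly added inner hunks (`+@@ -133,10 +138,6 @@` in uml.te and `+@@ -125,10 +129,6 @@` in uucp.te), yet neither is a duplicate of anything visible here — the only other `mta_send_mail` in the uucp hunk is for `uux_t`, a different domain — while the changelog only claims "Remove duplicate rules from *.te". If the rules are granted elsewhere or the removal is intentional, one changelog line such as `- Drop mta_send_mail(uucpd_t) and seutil_use_newrole_fds(uml_t), no longer needed` would make that reviewable; otherwise this is a silent privilege change that would surface as AVC denials the first time uucpd tries to hand mail to the MTA. The same pattern appears in the xen.te hunk further down, where `+-term_use_console(xenconsoled_t)` is newly removed without a stated reason.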
@@ -80634,11 +80149,9 @@ index 77be35a..5ba96c7 100644 -logging_send_syslog_msg(vdagent_t) +systemd_read_logind_sessions_files(vdagent_t) +systemd_login_read_pid_files(vdagent_t) -+ -+term_use_virtio_console(vdagent_t) -miscfiles_read_localization(vdagent_t) -+userdom_read_all_users_state(vdagent_t) ++term_use_virtio_console(vdagent_t) + +logging_send_syslog_msg(vdagent_t) @@ -82395,7 +81908,7 @@ index 9dec06c..d8a2b54 100644 + allow svirt_lxc_domain $1:process sigchld; ') diff --git a/virt.te b/virt.te -index 1f22fba..95dd6c8 100644 +index 1f22fba..eaf5bf9 100644 --- a/virt.te +++ b/virt.te @@ -1,94 +1,105 @@ @@ -82513,14 +82026,14 @@ index 1f22fba..95dd6c8 100644 +##

## -gen_tunable(virt_use_xserver, false) -+gen_tunable(virt_use_rawip, false) - +- -attribute virt_ptynode; -attribute virt_domain; -attribute virt_image_type; -attribute virt_tmp_type; -attribute virt_tmpfs_type; -- ++gen_tunable(virt_use_rawip, false) + -attribute svirt_lxc_domain; +## +##

@@ -82720,9 +82233,7 @@ index 1f22fba..95dd6c8 100644 -corenet_tcp_sendrecv_virt_migration_port(virt_domain) - -corenet_rw_tun_tap_dev(virt_domain) -+# it was a part of auth_use_nsswitch -+allow svirt_t self:netlink_route_socket r_netlink_socket_perms; - +- -dev_getattr_fs(virt_domain) -dev_list_sysfs(virt_domain) -dev_read_generic_symlinks(virt_domain) @@ -82824,7 +82335,9 @@ index 1f22fba..95dd6c8 100644 - xserver_stream_connect(virt_domain) - ') -') -- ++# it was a part of auth_use_nsswitch ++allow svirt_t self:netlink_route_socket r_netlink_socket_perms; + -optional_policy(` - dbus_read_lib_files(virt_domain) -') @@ -82860,9 +82373,7 @@ index 1f22fba..95dd6c8 100644 -list_dirs_pattern(svirt_t, virt_content_t, virt_content_t) -read_files_pattern(svirt_t, virt_content_t, virt_content_t) -+allow svirt_tcg_t self:process { execmem execstack }; -+allow svirt_tcg_t self:netlink_route_socket r_netlink_socket_perms; - +- -dontaudit svirt_t virt_content_t:file write_file_perms; -dontaudit svirt_t virt_content_t:dir rw_dir_perms; - @@ -82870,7 +82381,9 @@ index 1f22fba..95dd6c8 100644 -manage_dirs_pattern(svirt_t, svirt_home_t, svirt_home_t) -manage_files_pattern(svirt_t, svirt_home_t, svirt_home_t) -manage_sock_files_pattern(svirt_t, svirt_home_t, svirt_home_t) -- ++allow svirt_tcg_t self:process { execmem execstack }; ++allow svirt_tcg_t self:netlink_route_socket r_netlink_socket_perms; + -filetrans_pattern(svirt_t, virt_home_t, svirt_home_t, dir, "qemu") - -stream_connect_pattern(svirt_t, svirt_home_t, svirt_home_t, virtd_t) 
@@ -83059,14 +82572,13 @@ index 1f22fba..95dd6c8 100644 corenet_rw_tun_tap_dev(virtd_t) dev_rw_sysfs(virtd_t) -@@ -548,22 +370,23 @@ dev_rw_vhost(virtd_t) +@@ -548,22 +370,22 @@ dev_rw_vhost(virtd_t) dev_setattr_generic_usb_dev(virtd_t) dev_relabel_generic_usb_dev(virtd_t) +# Init script handling domain_use_interactive_fds(virtd_t) domain_read_all_domains_state(virtd_t) -+domain_read_all_domains_state(virtd_t) -files_read_usr_files(virtd_t) files_read_etc_runtime_files(virtd_t) @@ -83088,7 +82600,7 @@ index 1f22fba..95dd6c8 100644 fs_rw_anon_inodefs_files(virtd_t) fs_list_inotifyfs(virtd_t) fs_manage_cgroup_dirs(virtd_t) -@@ -594,15 +417,18 @@ term_use_ptmx(virtd_t) +@@ -594,15 +416,18 @@ term_use_ptmx(virtd_t) auth_use_nsswitch(virtd_t) @@ -83108,7 +82620,7 @@ index 1f22fba..95dd6c8 100644 selinux_validate_context(virtd_t) -@@ -613,18 +439,24 @@ seutil_read_file_contexts(virtd_t) +@@ -613,18 +438,24 @@ seutil_read_file_contexts(virtd_t) sysnet_signull_ifconfig(virtd_t) sysnet_signal_ifconfig(virtd_t) sysnet_domtrans_ifconfig(virtd_t) @@ -83143,7 +82655,7 @@ index 1f22fba..95dd6c8 100644 tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virtd_t) -@@ -633,7 +465,7 @@ tunable_policy(`virt_use_nfs',` +@@ -633,7 +464,7 @@ tunable_policy(`virt_use_nfs',` ') tunable_policy(`virt_use_samba',` @@ -83152,7 +82664,7 @@ index 1f22fba..95dd6c8 100644 fs_manage_cifs_files(virtd_t) fs_read_cifs_symlinks(virtd_t) ') -@@ -646,107 +478,330 @@ optional_policy(` +@@ -646,107 +477,330 @@ optional_policy(` consoletype_exec(virtd_t) ') 
@@ -83540,7 +83052,7 @@ index 1f22fba..95dd6c8 100644 manage_files_pattern(virsh_t, virt_image_type, virt_image_type) manage_blk_files_pattern(virsh_t, virt_image_type, virt_image_type) -@@ -758,23 +813,14 @@ manage_chr_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) +@@ -758,23 +812,14 @@ manage_chr_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) manage_lnk_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) manage_sock_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) manage_fifo_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) @@ -83549,15 +83061,15 @@ index 1f22fba..95dd6c8 100644 -manage_dirs_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t) -manage_files_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t) -filetrans_pattern(virsh_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc") -- --dontaudit virsh_t virt_var_lib_t:file read_file_perms; +manage_dirs_pattern(virsh_t, virt_lxc_var_run_t, virt_lxc_var_run_t) +manage_files_pattern(virsh_t, virt_lxc_var_run_t, virt_lxc_var_run_t) +virt_filetrans_named_content(virsh_t) --allow virsh_t svirt_lxc_domain:process transition; +-dontaudit virsh_t virt_var_lib_t:file read_file_perms; +dontaudit virsh_t virt_var_lib_t:file read_inherited_file_perms; +-allow virsh_t svirt_lxc_domain:process transition; +- -can_exec(virsh_t, virsh_exec_t) - -virt_domtrans(virsh_t) @@ -83569,7 +83081,7 @@ index 1f22fba..95dd6c8 100644 kernel_read_system_state(virsh_t) kernel_read_network_state(virsh_t) kernel_read_kernel_sysctls(virsh_t) -@@ -785,25 +831,18 @@ kernel_write_xen_state(virsh_t) +@@ -785,25 +830,18 @@ kernel_write_xen_state(virsh_t) corecmd_exec_bin(virsh_t) corecmd_exec_shell(virsh_t) @@ -83596,7 +83108,7 @@ index 1f22fba..95dd6c8 100644 fs_getattr_all_fs(virsh_t) fs_manage_xenfs_dirs(virsh_t) -@@ -812,24 +851,21 @@ fs_search_auto_mountpoints(virsh_t) +@@ -812,24 +850,21 @@ fs_search_auto_mountpoints(virsh_t) storage_raw_read_fixed_disk(virsh_t) 
@@ -83627,7 +83139,7 @@ index 1f22fba..95dd6c8 100644 tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virsh_t) fs_manage_nfs_files(virsh_t) -@@ -847,6 +883,10 @@ optional_policy(` +@@ -847,6 +882,10 @@ optional_policy(` ') optional_policy(` @@ -83638,7 +83150,7 @@ index 1f22fba..95dd6c8 100644 rpm_exec(virsh_t) ') -@@ -854,7 +894,7 @@ optional_policy(` +@@ -854,7 +893,7 @@ optional_policy(` xen_manage_image_dirs(virsh_t) xen_append_log(virsh_t) xen_domtrans(virsh_t) @@ -83647,7 +83159,7 @@ index 1f22fba..95dd6c8 100644 xen_stream_connect(virsh_t) xen_stream_connect_xenstore(virsh_t) ') -@@ -879,34 +919,39 @@ optional_policy(` +@@ -879,34 +918,39 @@ optional_policy(` kernel_read_xen_state(virsh_ssh_t) kernel_write_xen_state(virsh_ssh_t) @@ -83697,7 +83209,7 @@ index 1f22fba..95dd6c8 100644 manage_dirs_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t) manage_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t) -@@ -916,12 +961,15 @@ manage_sock_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t) +@@ -916,12 +960,15 @@ manage_sock_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t) manage_fifo_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t) allow virtd_lxc_t svirt_lxc_file_t:dir_file_class_set { relabelto relabelfrom }; allow virtd_lxc_t svirt_lxc_file_t:filesystem { relabelto relabelfrom }; @@ -83713,7 +83225,7 @@ index 1f22fba..95dd6c8 100644 corecmd_exec_bin(virtd_lxc_t) corecmd_exec_shell(virtd_lxc_t) -@@ -933,10 +981,8 @@ dev_read_urand(virtd_lxc_t) +@@ -933,10 +980,8 @@ dev_read_urand(virtd_lxc_t) domain_use_interactive_fds(virtd_lxc_t) @@ -83724,7 +83236,7 @@ index 1f22fba..95dd6c8 100644 files_relabel_rootfs(virtd_lxc_t) files_mounton_non_security(virtd_lxc_t) files_mount_all_file_type_fs(virtd_lxc_t) -@@ -955,15 +1001,11 @@ fs_rw_cgroup_files(virtd_lxc_t) +@@ -955,15 +1000,11 @@ fs_rw_cgroup_files(virtd_lxc_t) fs_unmount_all_fs(virtd_lxc_t) fs_relabelfrom_tmpfs(virtd_lxc_t) 
@@ -83743,7 +83255,7 @@ index 1f22fba..95dd6c8 100644 term_use_generic_ptys(virtd_lxc_t) term_use_ptmx(virtd_lxc_t) -@@ -973,20 +1015,39 @@ auth_use_nsswitch(virtd_lxc_t) +@@ -973,20 +1014,38 @@ auth_use_nsswitch(virtd_lxc_t) logging_send_syslog_msg(virtd_lxc_t) @@ -83761,7 +83273,6 @@ index 1f22fba..95dd6c8 100644 +selinux_compute_create_context(virtd_lxc_t) +selinux_compute_relabel_context(virtd_lxc_t) +selinux_compute_user_contexts(virtd_lxc_t) -+seutil_read_default_contexts(virtd_lxc_t) + +sysnet_exec_ifconfig(virtd_lxc_t) + @@ -83789,7 +83300,7 @@ index 1f22fba..95dd6c8 100644 allow svirt_lxc_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid }; allow svirt_lxc_domain self:fifo_file manage_file_perms; allow svirt_lxc_domain self:sem create_sem_perms; -@@ -995,19 +1056,6 @@ allow svirt_lxc_domain self:msgq create_msgq_perms; +@@ -995,19 +1054,6 @@ allow svirt_lxc_domain self:msgq create_msgq_perms; allow svirt_lxc_domain self:unix_stream_socket { create_stream_socket_perms connectto }; allow svirt_lxc_domain self:unix_dgram_socket { sendto create_socket_perms }; @@ -83809,7 +83320,7 @@ index 1f22fba..95dd6c8 100644 manage_dirs_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) manage_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) manage_lnk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) -@@ -1015,17 +1063,14 @@ manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) +@@ -1015,17 +1061,14 @@ manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) manage_fifo_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) rw_chr_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) rw_blk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) 
@@ -83828,7 +83339,7 @@ index 1f22fba..95dd6c8 100644 kernel_dontaudit_search_kernel_sysctl(svirt_lxc_domain) corecmd_exec_all_executables(svirt_lxc_domain) -@@ -1037,21 +1082,20 @@ files_dontaudit_getattr_all_pipes(svirt_lxc_domain) +@@ -1037,21 +1080,20 @@ files_dontaudit_getattr_all_pipes(svirt_lxc_domain) files_dontaudit_getattr_all_sockets(svirt_lxc_domain) files_dontaudit_list_all_mountpoints(svirt_lxc_domain) files_dontaudit_write_etc_runtime_files(svirt_lxc_domain) @@ -83855,7 +83366,7 @@ index 1f22fba..95dd6c8 100644 auth_dontaudit_read_login_records(svirt_lxc_domain) auth_dontaudit_write_login_records(svirt_lxc_domain) auth_search_pam_console_data(svirt_lxc_domain) -@@ -1063,11 +1107,14 @@ init_dontaudit_write_utmp(svirt_lxc_domain) +@@ -1063,11 +1105,14 @@ init_dontaudit_write_utmp(svirt_lxc_domain) libs_dontaudit_setattr_lib_files(svirt_lxc_domain) @@ -83872,7 +83383,7 @@ index 1f22fba..95dd6c8 100644 optional_policy(` udev_read_pid_files(svirt_lxc_domain) -@@ -1078,81 +1125,63 @@ optional_policy(` +@@ -1078,81 +1123,63 @@ optional_policy(` apache_read_sys_content(svirt_lxc_domain) ') @@ -83977,7 +83488,7 @@ index 1f22fba..95dd6c8 100644 allow virt_qmf_t self:tcp_socket create_stream_socket_perms; allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms; -@@ -1165,12 +1194,12 @@ dev_read_sysfs(virt_qmf_t) +@@ -1165,12 +1192,12 @@ dev_read_sysfs(virt_qmf_t) dev_read_rand(virt_qmf_t) dev_read_urand(virt_qmf_t) @@ -83992,7 +83503,7 @@ index 1f22fba..95dd6c8 100644 sysnet_read_config(virt_qmf_t) optional_policy(` -@@ -1183,9 +1212,8 @@ optional_policy(` +@@ -1183,9 +1210,8 @@ optional_policy(` ######################################## # 
@@ -84003,7 +83514,7 @@ index 1f22fba..95dd6c8 100644 allow virt_bridgehelper_t self:process { setcap getcap }; allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin }; allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; -@@ -1198,5 +1226,65 @@ kernel_read_network_state(virt_bridgehelper_t) +@@ -1198,5 +1224,65 @@ kernel_read_network_state(virt_bridgehelper_t) corenet_rw_tun_tap_dev(virt_bridgehelper_t) @@ -84086,7 +83597,7 @@ index 9ead775..b5285e7 100644 -userdom_use_user_terminals(vlock_t) +userdom_use_inherited_user_terminals(vlock_t) diff --git a/vmware.te b/vmware.te -index 3a56513..935180a 100644 +index 3a56513..5721057 100644 --- a/vmware.te +++ b/vmware.te @@ -65,7 +65,8 @@ ifdef(`enable_mcs',` @@ -84134,7 +83645,7 @@ index 3a56513..935180a 100644 sysnet_dns_name_resolve(vmware_host_t) sysnet_domtrans_ifconfig(vmware_host_t) -@@ -149,11 +147,27 @@ userdom_dontaudit_search_user_home_dirs(vmware_host_t) +@@ -149,12 +147,16 @@ userdom_dontaudit_search_user_home_dirs(vmware_host_t) netutils_domtrans_ping(vmware_host_t) optional_policy(` @@ -84148,22 +83659,12 @@ index 3a56513..935180a 100644 + +optional_policy(` modutils_domtrans_insmod(vmware_host_t) +-') +') -+ -+optional_policy(` -+ samba_read_config(vmware_host_t) -+') -+ -+optional_policy(` -+ seutil_sigchld_newrole(vmware_host_t) -+') -+ -+optional_policy(` -+ shutdown_domtrans(vmware_host_t) - ') optional_policy(` -@@ -244,9 +258,7 @@ dev_search_sysfs(vmware_t) + samba_read_config(vmware_host_t) +@@ -244,9 +246,7 @@ dev_search_sysfs(vmware_t) domain_use_interactive_fds(vmware_t) @@ -84173,7 +83674,7 @@ index 3a56513..935180a 100644 files_list_home(vmware_t) fs_getattr_all_fs(vmware_t) -@@ -258,9 +270,8 @@ storage_raw_write_removable_device(vmware_t) +@@ -258,9 +258,8 @@ storage_raw_write_removable_device(vmware_t) libs_exec_ld_so(vmware_t) libs_read_lib_files(vmware_t) 
@@ -84217,17 +83718,11 @@ index 137ac44..a0089e6 100644 domain_system_change_exemption($1) role_transition $2 vnstatd_initrc_exec_t system_r; diff --git a/vnstatd.te b/vnstatd.te -index febc3e5..9183e32 100644 +index febc3e5..ff18188 100644 --- a/vnstatd.te +++ b/vnstatd.te -@@ -34,9 +34,13 @@ allow vnstatd_t self:process signal; - allow vnstatd_t self:fifo_file rw_fifo_file_perms; - allow vnstatd_t self:unix_stream_socket { accept listen }; +@@ -36,7 +36,7 @@ allow vnstatd_t self:unix_stream_socket { accept listen }; -+manage_files_pattern(vnstatd_t, vnstatd_var_run_t, vnstatd_var_run_t) -+manage_dirs_pattern(vnstatd_t, vnstatd_var_run_t, vnstatd_var_run_t) -+files_pid_filetrans(vnstatd_t, vnstatd_var_run_t, { dir file }) -+ manage_dirs_pattern(vnstatd_t, vnstatd_var_lib_t, vnstatd_var_lib_t) manage_files_pattern(vnstatd_t, vnstatd_var_lib_t, vnstatd_var_lib_t) -files_var_lib_filetrans(vnstatd_t, vnstatd_var_lib_t, { dir file }) @@ -84235,7 +83730,7 @@ index febc3e5..9183e32 100644 manage_files_pattern(vnstatd_t, vnstatd_var_run_t, vnstatd_var_run_t) manage_dirs_pattern(vnstatd_t, vnstatd_var_run_t, vnstatd_var_run_t) -@@ -47,14 +51,10 @@ kernel_read_system_state(vnstatd_t) +@@ -47,14 +47,10 @@ kernel_read_system_state(vnstatd_t) domain_use_interactive_fds(vnstatd_t) @@ -84250,7 +83745,7 @@ index febc3e5..9183e32 100644 ######################################## # # Client local policy -@@ -64,23 +64,19 @@ allow vnstat_t self:process signal; +@@ -64,23 +60,19 @@ allow vnstat_t self:process signal; allow vnstat_t self:fifo_file rw_fifo_file_perms; allow vnstat_t self:unix_stream_socket { accept listen }; @@ -84691,7 +84186,7 @@ index ebbdaf6..63c53ba 100644 corosync_initrc_domtrans(wdmd_t) corosync_stream_connect(wdmd_t) diff --git a/webadm.te b/webadm.te -index 708254f..2db084b 100644 +index 708254f..d26f598 100644 --- a/webadm.te +++ b/webadm.te @@ -25,6 +25,9 @@ role webadm_r; 
@@ -84717,11 +84212,7 @@ index 708254f..2db084b 100644 files_dontaudit_search_all_dirs(webadm_t) files_list_var(webadm_t) -@@ -40,10 +49,13 @@ seutil_domtrans_setfiles(webadm_t) - - logging_send_audit_msgs(webadm_t) - logging_send_syslog_msg(webadm_t) -+logging_send_audit_msgs(webadm_t) +@@ -43,7 +52,9 @@ logging_send_syslog_msg(webadm_t) userdom_dontaudit_search_user_home_dirs(webadm_t) @@ -84733,10 +84224,10 @@ index 708254f..2db084b 100644 tunable_policy(`webadm_manage_user_files',` userdom_manage_user_home_content_files(webadm_t) diff --git a/webalizer.te b/webalizer.te -index cdca8c7..bc76d1b 100644 +index cdca8c7..3c09628 100644 --- a/webalizer.te +++ b/webalizer.te -@@ -55,26 +55,38 @@ can_exec(webalizer_t, webalizer_exec_t) +@@ -55,27 +55,35 @@ can_exec(webalizer_t, webalizer_exec_t) kernel_read_kernel_sysctls(webalizer_t) kernel_read_system_state(webalizer_t) @@ -84771,14 +84262,11 @@ index cdca8c7..bc76d1b 100644 optional_policy(` apache_read_log(webalizer_t) -+ apache_manage_sys_content(webalizer_t) -+') -+ -+optional_policy(` -+ apache_read_log(webalizer_t) apache_content_template(webalizer) ++ apache_manage_sys_content(webalizer_t) manage_dirs_pattern(webalizer_t, httpd_webalizer_content_t, httpd_webalizer_content_t) manage_files_pattern(webalizer_t, httpd_webalizer_content_t, httpd_webalizer_content_t) + ') diff --git a/wine.if b/wine.if index fd2b6cc..4b83bb0 100644 --- a/wine.if @@ -84932,7 +84420,7 @@ index fd2b6cc..4b83bb0 100644 ######################################## diff --git a/wine.te b/wine.te -index b51923c..335c8c2 100644 +index b51923c..22e9047 100644 --- a/wine.te +++ b/wine.te @@ -48,7 +48,7 @@ domain_mmap_low(wine_t) @@ -84944,19 +84432,8 @@ index b51923c..335c8c2 100644 tunable_policy(`wine_mmap_zero_ignore',` dontaudit wine_t self:memprotect mmap_zero; -@@ -71,6 +71,10 @@ optional_policy(` - ') - - optional_policy(` -+ rtkit_scheduled(wine_t) -+') -+ -+optional_policy(` - unconfined_domain(wine_t) - ') - 
diff --git a/wireshark.te b/wireshark.te -index cf5cab6..0418405 100644 +index cf5cab6..d379bd6 100644 --- a/wireshark.te +++ b/wireshark.te @@ -34,7 +34,7 @@ userdom_user_tmpfs_file(wireshark_tmpfs_t) @@ -84976,13 +84453,12 @@ index cf5cab6..0418405 100644 fs_getattr_all_fs(wireshark_t) fs_list_inotifyfs(wireshark_t) -@@ -90,31 +89,17 @@ fs_search_auto_mountpoints(wireshark_t) +@@ -90,31 +89,15 @@ fs_search_auto_mountpoints(wireshark_t) auth_use_nsswitch(wireshark_t) -libs_read_lib_files(wireshark_t) -+auth_use_nsswitch(wireshark_t) - +- miscfiles_read_fonts(wireshark_t) -miscfiles_read_localization(wireshark_t) @@ -85526,7 +85002,7 @@ index f93558c..cc73c96 100644 files_search_pids($1) diff --git a/xen.te b/xen.te -index ed40676..94542a1 100644 +index ed40676..8042769 100644 --- a/xen.te +++ b/xen.te @@ -1,42 +1,34 @@ @@ -85991,7 +85467,12 @@ index ed40676..94542a1 100644 fs_list_tmpfs(xenconsoled_t) fs_manage_xenfs_dirs(xenconsoled_t) -@@ -400,10 +407,9 @@ term_use_console(xenconsoled_t) +@@ -395,15 +402,13 @@ fs_manage_xenfs_files(xenconsoled_t) + + term_create_pty(xenconsoled_t, xen_devpts_t) + term_use_generic_ptys(xenconsoled_t) +-term_use_console(xenconsoled_t) + init_use_fds(xenconsoled_t) init_use_script_ptys(xenconsoled_t) @@ -86004,7 +85485,7 @@ index ed40676..94542a1 100644 xen_stream_connect_xenstore(xenconsoled_t) optional_policy(` -@@ -416,24 +422,26 @@ optional_policy(` +@@ -416,24 +421,26 @@ optional_policy(` # allow xenstored_t self:capability { dac_override ipc_lock sys_resource }; @@ -86035,7 +85516,7 @@ index ed40676..94542a1 100644 manage_dirs_pattern(xenstored_t, xenstored_var_lib_t, xenstored_var_lib_t) manage_files_pattern(xenstored_t, xenstored_var_lib_t, xenstored_var_lib_t) manage_sock_files_pattern(xenstored_t, xenstored_var_lib_t, xenstored_var_lib_t) -@@ -448,157 +456,36 @@ dev_filetrans_xen(xenstored_t) +@@ -448,157 +455,36 @@ dev_filetrans_xen(xenstored_t) dev_rw_xen(xenstored_t) dev_read_sysfs(xenstored_t) 
@@ -86719,7 +86200,7 @@ index dd63de0..38ce620 100644 - admin_pattern($1, zabbix_tmpfs_t) ') diff --git a/zabbix.te b/zabbix.te -index 46e4cd3..68a6624 100644 +index 46e4cd3..29d4996 100644 --- a/zabbix.te +++ b/zabbix.te @@ -6,7 +6,7 @@ policy_module(zabbix, 1.5.3) @@ -86731,42 +86212,35 @@ index 46e4cd3..68a6624 100644 ## Determine whether zabbix can ## connect to all TCP ports ##

-@@ -90,16 +90,20 @@ corenet_sendrecv_zabbix_server_packets(zabbix_t) - corenet_tcp_bind_zabbix_port(zabbix_t) - corenet_tcp_sendrecv_zabbix_port(zabbix_t) - -+# needed by zabbix-server-mysql -+corenet_tcp_connect_http_port(zabbix_t) -+# to monitor ftp urls -+corenet_tcp_connect_ftp_port(zabbix_t) -+ -+ - corecmd_exec_bin(zabbix_t) - corecmd_exec_shell(zabbix_t) +@@ -95,12 +95,8 @@ corecmd_exec_shell(zabbix_t) dev_read_urand(zabbix_t) -files_read_usr_files(zabbix_t) - +- auth_use_nsswitch(zabbix_t) -miscfiles_read_localization(zabbix_t) - +- zabbix_agent_tcp_connect(zabbix_t) -@@ -115,7 +119,10 @@ optional_policy(` + tunable_policy(`zabbix_can_network',` +@@ -110,12 +106,11 @@ tunable_policy(`zabbix_can_network',` + ') optional_policy(` - mysql_stream_connect(zabbix_t) +- netutils_domtrans_ping(zabbix_t) ++ mysql_stream_connect(zabbix_t) + ') + + optional_policy(` +- mysql_stream_connect(zabbix_t) - mysql_tcp_connect(zabbix_t) -+') -+ -+optional_policy(` + netutils_domtrans_ping(zabbix_t) ') optional_policy(` -@@ -125,6 +132,7 @@ optional_policy(` +@@ -125,6 +120,7 @@ optional_policy(` optional_policy(` snmp_read_snmp_var_lib_files(zabbix_t) @@ -86774,7 +86248,7 @@ index 46e4cd3..68a6624 100644 ') ######################################## -@@ -182,7 +190,6 @@ domain_search_all_domains_state(zabbix_agent_t) +@@ -182,7 +178,6 @@ domain_search_all_domains_state(zabbix_agent_t) files_getattr_all_dirs(zabbix_agent_t) files_getattr_all_files(zabbix_agent_t) files_read_all_symlinks(zabbix_agent_t) @@ -86782,7 +86256,7 @@ index 46e4cd3..68a6624 100644 fs_getattr_all_fs(zabbix_agent_t) -@@ -190,7 +197,6 @@ init_read_utmp(zabbix_agent_t) +@@ -190,7 +185,6 @@ init_read_utmp(zabbix_agent_t) logging_search_logs(zabbix_agent_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index 907e2682..d82899ff 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec 
@@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.12.1 -Release: 3%{?dist} +Release: 4%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -524,6 +524,20 @@ SELinux Reference policy mls base module. %endif %changelog +* Mon Jan 14 2013 Miroslav Grepl 3.12.1-4 +- Allow systemd-tmpfiles to relabel lpd spool files +- Ad labeling for texlive bash scripts +- Add xserver_filetrans_fonts_cache_home_content() interface +- Remove duplicate rules from *.te +- Add support for /var/lock/man-db.lock +- Add support for /var/tmp/abrt(/.*)? +- Add additional labeling for munin cgi scripts +- Allow httpd_t to read munin conf files +- Allow certwatch to read meminfo +- Fix nscd_dontaudit_write_sock_file() interfac +- Fix gnome_filetrans_home_content() to include also "fontconfig" dir as cache_home_t +- llow mozilla_plugin_t to create HOMEDIR/.fontconfig with the proper labeling + * Fri Jan 11 2013 Miroslav Grepl 3.12.1-3 - Allow gnomeclock to talk to puppet over dbus - Allow numad access discovered by Dominic