From c8f96d3d71dda063d2568883dbd09317c951b4ed Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Tue, 12 Jun 2012 14:33:10 +0200 Subject: [PATCH 1/3] * Tue Jun 12 2012 Miroslav Grepl 3.11.0-3 - PolicyKit path has changed - Allow httpd connect to dirsrv socket - Allow tuned to write generic kernel sysctls - Dontaudit logwatch to gettr on /dev/dm-2 - Allow policykit-auth to manage kerberos files - Make condor_startd and rgmanager as initrc domain - Allow virsh to read /etc/passwd - Allow mount to mount on user_tmp_t for /run/user/dwalsh/gvfs - xdm now needs to execute xsession_exec_t - Need labels for /var/lib/gdm - Fix files_filetrans_named_content() interface - Add new attribute - initrc_domain - Allow systemd_logind_t to signal, signull, sigkill all processes - Add filetrans rules for etc_runtime files --- policy-rawhide.patch | 321 +++++++++++++++++++---------------- policy_contrib-rawhide.patch | 194 +++++++++++++-------- selinux-policy.spec | 18 +- 3 files changed, 320 insertions(+), 213 deletions(-) diff --git a/policy-rawhide.patch b/policy-rawhide.patch index b1a3db62..8fb05e80 100644 --- a/policy-rawhide.patch +++ b/policy-rawhide.patch @@ -64649,7 +64649,7 @@ index 4429d30..cbcd9d0 100644 +/nsr(/.*)? gen_context(system_u:object_r:var_t,s0) +/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0) diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if -index 41346fb..9ec1de8 100644 +index 41346fb..6e7808a 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -55,6 +55,7 @@ @@ -66032,7 +66032,7 @@ index 41346fb..9ec1de8 100644 ## Search the contents of generic spool ## directories (/var/spool). ## -@@ -6406,3 +7285,332 @@ interface(`files_unconfined',` +@@ -6406,3 +7285,343 @@ interface(`files_unconfined',` typeattribute $1 files_unconfined_type; ') 
@@ -66364,6 +66364,17 @@ index 41346fb..9ec1de8 100644 + files_root_filetrans($1, usr_t, dir, "export") + files_root_filetrans($1, usr_t, dir, "emul") + files_root_filetrans($1, var_t, dir, "nsr") ++ files_etc_filetrans_etc_runtime($1, file, "runtime") ++ files_etc_filetrans_etc_runtime($1, dir, "blkid") ++ files_etc_filetrans_etc_runtime($1, dir, "cmtab") ++ files_etc_filetrans_etc_runtime($1, file, "fstab.REVOKE") ++ files_etc_filetrans_etc_runtime($1, file, "ioctl.save") ++ files_etc_filetrans_etc_runtime($1, file, "nologin") ++ files_etc_filetrans_etc_runtime($1, file, "securetty") ++ files_etc_filetrans_etc_runtime($1, file, "ifstate") ++ files_etc_filetrans_etc_runtime($1, file, "ptal-printd-like") ++ files_etc_filetrans_etc_runtime($1, file, "hwconf") ++ files_etc_filetrans_etc_runtime($1, file, "iptables.save") +') diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te index 1ce8aa0..24dfed0 100644 @@ -73032,7 +73043,7 @@ index b17e27a..f87cce0 100644 + ssh_rw_dgram_sockets(chroot_user_t) +') diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc -index fc86b7c..7421ac9 100644 +index fc86b7c..cfe92e1 100644 --- a/policy/modules/services/xserver.fc +++ b/policy/modules/services/xserver.fc @@ -2,13 +2,34 @@ @@ -73125,7 +73136,7 @@ index fc86b7c..7421ac9 100644 /var/lib/lxdm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0) -/var/lib/[xkw]dm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0) -+/var/lib/[mxkw]dm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0) ++/var/lib/[mxkwg]dm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0) /var/lib/xkb(/.*)? gen_context(system_u:object_r:xkb_var_lib_t,s0) +/var/lib/xorg(/.*)? gen_context(system_u:object_r:xserver_var_lib_t,s0) + @@ -74466,7 +74477,7 @@ index 130ced9..647cc5c 100644 + files_search_tmp($1) +') diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te -index c4f7c35..a4b887d 100644 +index c4f7c35..c221771 100644 
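Review bot: The eleven `files_etc_filetrans_etc_runtime` calls added to `files_filetrans_named_content` are a bare list of file names with nothing saying where the list comes from or how it is kept current; the interface header is above this hunk. A named file transition only picks the label for a caller that may already create the file, so the effect is that files such as `nologin` and `securetty` are born etc_runtime_t instead of the parent directory's type, presumably mirroring the etc_runtime_t entries in files.fc, which is not in this hunk. A comment above the first call, `# names that files.fc labels etc_runtime_t; keep the two lists in sync`, would make that coupling visible to the next editor. Because `nologin` and `securetty` gate logins, it is also worth confirming that the set of domains allowed to write etc_runtime_t is the set that should be able to replace those two files.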
--- a/policy/modules/services/xserver.te +++ b/policy/modules/services/xserver.te @@ -26,27 +26,50 @@ gen_require(` @@ -74790,7 +74801,7 @@ index c4f7c35..a4b887d 100644 ') optional_policy(` -@@ -299,20 +396,38 @@ optional_policy(` +@@ -299,64 +396,103 @@ optional_policy(` # XDM Local policy # @@ -74833,7 +74844,8 @@ index c4f7c35..a4b887d 100644 # Allow gdm to run gdm-binary can_exec(xdm_t, xdm_exec_t) -@@ -320,43 +435,63 @@ can_exec(xdm_t, xdm_exec_t) ++can_exec(xdm_t, xsession_exec_t) + allow xdm_t xdm_lock_t:file manage_file_perms; files_lock_filetrans(xdm_t, xdm_lock_t, file) @@ -74903,7 +74915,7 @@ index c4f7c35..a4b887d 100644 # connect to xdm xserver over stream socket stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t) -@@ -365,18 +500,26 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t) +@@ -365,18 +501,26 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t) delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t) delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t) @@ -74931,7 +74943,7 @@ index c4f7c35..a4b887d 100644 corenet_all_recvfrom_unlabeled(xdm_t) corenet_all_recvfrom_netlabel(xdm_t) -@@ -388,38 +531,48 @@ corenet_tcp_sendrecv_all_ports(xdm_t) +@@ -388,38 +532,48 @@ corenet_tcp_sendrecv_all_ports(xdm_t) corenet_udp_sendrecv_all_ports(xdm_t) corenet_tcp_bind_generic_node(xdm_t) corenet_udp_bind_generic_node(xdm_t) @@ -74984,7 +74996,7 @@ index c4f7c35..a4b887d 100644 files_read_etc_files(xdm_t) files_read_var_files(xdm_t) -@@ -430,9 +583,25 @@ files_list_mnt(xdm_t) +@@ -430,9 +584,25 @@ files_list_mnt(xdm_t) files_read_usr_files(xdm_t) # Poweroff wants to create the /poweroff file when run from xdm files_create_boot_flag(xdm_t) 
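Review bot: The new `can_exec(xdm_t, xsession_exec_t)` under `# Allow gdm to run gdm-binary` lets xdm_t execute the Xsession script in its own domain, so whatever that script does runs with xdm_t's privileges rather than the session user's, and the line carries no comment explaining why a transition is not wanted. The only other xsession rule visible in this file is `userdom_xsession_spec_domtrans_all_users(xdm_t)` under the `xdm_sysadm_login` tunable in a later hunk; if that is a specified (setexeccon-driven) transition as its name suggests, it does not change the outcome for an exec that sets no context. A comment such as `# gdm runs the Xsession wrapper itself; the per-user session domain is entered separately`, adjusted to the real reason, would record the intent; the changelog only says xdm "now needs" this. The XDM local policy section continues in the following hunks.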
@@ -75010,7 +75022,7 @@ index c4f7c35..a4b887d 100644 storage_dontaudit_read_fixed_disk(xdm_t) storage_dontaudit_write_fixed_disk(xdm_t) -@@ -441,28 +610,38 @@ storage_dontaudit_raw_read_removable_device(xdm_t) +@@ -441,28 +611,38 @@ storage_dontaudit_raw_read_removable_device(xdm_t) storage_dontaudit_raw_write_removable_device(xdm_t) storage_dontaudit_setattr_removable_dev(xdm_t) storage_dontaudit_rw_scsi_generic(xdm_t) @@ -75052,7 +75064,7 @@ index c4f7c35..a4b887d 100644 userdom_dontaudit_use_unpriv_user_fds(xdm_t) userdom_create_all_users_keys(xdm_t) -@@ -471,24 +650,43 @@ userdom_read_user_home_content_files(xdm_t) +@@ -471,24 +651,43 @@ userdom_read_user_home_content_files(xdm_t) # Search /proc for any user domain processes. userdom_read_all_users_state(xdm_t) userdom_signal_all_users(xdm_t) @@ -75102,7 +75114,7 @@ index c4f7c35..a4b887d 100644 tunable_policy(`xdm_sysadm_login',` userdom_xsession_spec_domtrans_all_users(xdm_t) # FIXME: -@@ -502,11 +700,21 @@ tunable_policy(`xdm_sysadm_login',` +@@ -502,11 +701,21 @@ tunable_policy(`xdm_sysadm_login',` ') optional_policy(` @@ -75124,7 +75136,7 @@ index c4f7c35..a4b887d 100644 ') optional_policy(` -@@ -514,12 +722,63 @@ optional_policy(` +@@ -514,12 +723,63 @@ optional_policy(` ') optional_policy(` @@ -75188,7 +75200,7 @@ index c4f7c35..a4b887d 100644 hostname_exec(xdm_t) ') -@@ -537,28 +796,69 @@ optional_policy(` +@@ -537,28 +797,69 @@ optional_policy(` ') optional_policy(` @@ -75267,7 +75279,7 @@ index c4f7c35..a4b887d 100644 ') optional_policy(` -@@ -570,6 +870,14 @@ optional_policy(` +@@ -570,6 +871,14 @@ optional_policy(` ') optional_policy(` @@ -75282,7 +75294,7 @@ index c4f7c35..a4b887d 100644 xfs_stream_connect(xdm_t) ') -@@ -594,7 +902,8 @@ allow xserver_t input_xevent_t:x_event send; +@@ -594,7 +903,8 @@ allow xserver_t input_xevent_t:x_event send; # execheap needed until the X module loader is fixed. # NVIDIA Needs execstack 
@@ -75292,7 +75304,7 @@ index c4f7c35..a4b887d 100644 dontaudit xserver_t self:capability chown; allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow xserver_t self:fd use; -@@ -608,8 +917,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; +@@ -608,8 +918,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow xserver_t self:tcp_socket create_stream_socket_perms; allow xserver_t self:udp_socket create_socket_perms; @@ -75308,7 +75320,7 @@ index c4f7c35..a4b887d 100644 manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) -@@ -628,12 +944,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) +@@ -628,12 +945,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) files_search_var_lib(xserver_t) @@ -75330,7 +75342,7 @@ index c4f7c35..a4b887d 100644 kernel_read_system_state(xserver_t) kernel_read_device_sysctls(xserver_t) -@@ -641,6 +964,7 @@ kernel_read_modprobe_sysctls(xserver_t) +@@ -641,6 +965,7 @@ kernel_read_modprobe_sysctls(xserver_t) # Xorg wants to check if kernel is tainted kernel_read_kernel_sysctls(xserver_t) kernel_write_proc_files(xserver_t) @@ -75338,7 +75350,7 @@ index c4f7c35..a4b887d 100644 # Run helper programs in xserver_t. corecmd_exec_bin(xserver_t) -@@ -667,23 +991,28 @@ dev_rw_apm_bios(xserver_t) +@@ -667,23 +992,28 @@ dev_rw_apm_bios(xserver_t) dev_rw_agp(xserver_t) dev_rw_framebuffer(xserver_t) dev_manage_dri_dev(xserver_t) 
@@ -75370,7 +75382,7 @@ index c4f7c35..a4b887d 100644 # brought on by rhgb files_search_mnt(xserver_t) -@@ -694,8 +1023,13 @@ fs_getattr_xattr_fs(xserver_t) +@@ -694,8 +1024,13 @@ fs_getattr_xattr_fs(xserver_t) fs_search_nfs(xserver_t) fs_search_auto_mountpoints(xserver_t) fs_search_ramfs(xserver_t) @@ -75384,7 +75396,7 @@ index c4f7c35..a4b887d 100644 selinux_validate_context(xserver_t) selinux_compute_access_vector(xserver_t) -@@ -708,8 +1042,6 @@ init_getpgid(xserver_t) +@@ -708,8 +1043,6 @@ init_getpgid(xserver_t) term_setattr_unallocated_ttys(xserver_t) term_use_unallocated_ttys(xserver_t) @@ -75393,7 +75405,7 @@ index c4f7c35..a4b887d 100644 locallogin_use_fds(xserver_t) logging_send_syslog_msg(xserver_t) -@@ -717,11 +1049,12 @@ logging_send_audit_msgs(xserver_t) +@@ -717,11 +1050,12 @@ logging_send_audit_msgs(xserver_t) miscfiles_read_localization(xserver_t) miscfiles_read_fonts(xserver_t) @@ -75408,7 +75420,7 @@ index c4f7c35..a4b887d 100644 userdom_search_user_home_dirs(xserver_t) userdom_use_user_ttys(xserver_t) -@@ -775,16 +1108,40 @@ optional_policy(` +@@ -775,16 +1109,40 @@ optional_policy(` ') optional_policy(` @@ -75450,7 +75462,7 @@ index c4f7c35..a4b887d 100644 unconfined_domtrans(xserver_t) ') -@@ -793,6 +1150,10 @@ optional_policy(` +@@ -793,6 +1151,10 @@ optional_policy(` ') optional_policy(` @@ -75461,7 +75473,7 @@ index c4f7c35..a4b887d 100644 xfs_stream_connect(xserver_t) ') -@@ -808,10 +1169,10 @@ allow xserver_t xdm_t:shm rw_shm_perms; +@@ -808,10 +1170,10 @@ allow xserver_t xdm_t:shm rw_shm_perms; # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open # handle of a file inside the dir!!! 
@@ -75475,7 +75487,7 @@ index c4f7c35..a4b887d 100644 # Label pid and temporary files with derived types. manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) -@@ -819,7 +1180,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) +@@ -819,7 +1181,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) # Run xkbcomp. @@ -75484,7 +75496,7 @@ index c4f7c35..a4b887d 100644 can_exec(xserver_t, xkb_var_lib_t) # VNC v4 module in X server -@@ -832,26 +1193,21 @@ init_use_fds(xserver_t) +@@ -832,26 +1194,21 @@ init_use_fds(xserver_t) # to read ROLE_home_t - examine this in more detail # (xauth?) userdom_read_user_home_content_files(xserver_t) @@ -75519,7 +75531,7 @@ index c4f7c35..a4b887d 100644 ') optional_policy(` -@@ -859,6 +1215,10 @@ optional_policy(` +@@ -859,6 +1216,10 @@ optional_policy(` rhgb_rw_tmpfs_files(xserver_t) ') @@ -75530,7 +75542,7 @@ index c4f7c35..a4b887d 100644 ######################################## # # Rules common to all X window domains -@@ -902,7 +1262,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy +@@ -902,7 +1263,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show }; # operations allowed on my windows allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive }; @@ -75539,7 +75551,7 @@ index c4f7c35..a4b887d 100644 # operations allowed on all windows allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child }; -@@ -956,11 +1316,31 @@ allow x_domain self:x_resource { read write }; +@@ -956,11 +1317,31 @@ allow x_domain self:x_resource { read write }; # can mess with the screensaver allow x_domain xserver_t:x_screen { getattr saver_getattr }; 
@@ -75571,7 +75583,7 @@ index c4f7c35..a4b887d 100644 tunable_policy(`! xserver_object_manager',` # should be xserver_unconfined(x_domain), # but typeattribute doesnt work in conditionals -@@ -982,18 +1362,43 @@ tunable_policy(`! xserver_object_manager',` +@@ -982,18 +1363,43 @@ tunable_policy(`! xserver_object_manager',` allow x_domain xevent_type:{ x_event x_synthetic_event } *; ') @@ -77152,7 +77164,7 @@ index d2e40b8..3ba2e4c 100644 ') +/var/run/systemd(/.*)? gen_context(system_u:object_r:init_var_run_t,s0) diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if -index d26fe81..b0bb610 100644 +index d26fe81..e07c6b7 100644 --- a/policy/modules/system/init.if +++ b/policy/modules/system/init.if @@ -79,6 +79,44 @@ interface(`init_script_domain',` @@ -77213,7 +77225,7 @@ index d26fe81..b0bb610 100644 ifdef(`hide_broken_symptoms',` # RHEL4 systems seem to have a stray -@@ -193,8 +235,10 @@ interface(`init_daemon_domain',` +@@ -193,8 +235,11 @@ interface(`init_daemon_domain',` gen_require(` attribute direct_run_init, direct_init, direct_init_entry; type initrc_t; @@ -77221,10 +77233,11 @@ index d26fe81..b0bb610 100644 role system_r; attribute daemon; + attribute initrc_transition_domain; ++ attribute initrc_domain; ') typeattribute $1 daemon; -@@ -202,39 +246,20 @@ interface(`init_daemon_domain',` +@@ -202,40 +247,40 @@ interface(`init_daemon_domain',` domain_type($1) domain_entry_file($1, $2) @@ -77241,6 +77254,7 @@ index d26fe81..b0bb610 100644 - # when using run_init - init_use_script_ptys($1) + domtrans_pattern(initrc_t,$2,$1) ++ domtrans_pattern(initrc_domain, $2,$1) ifdef(`direct_sysadm_daemon',` domtrans_pattern(direct_run_init, $2, $1) 
@@ -77259,17 +77273,35 @@ index d26fe81..b0bb610 100644 - ifdef(`distro_rhel4',` - kernel_dontaudit_use_fds($1) - ') -- ') -- -- optional_policy(` -- nscd_socket_use($1) + tunable_policy(`init_upstart || init_systemd',` + # Handle upstart direct transition to a executable + domtrans_pattern(init_t,$2,$1) ') ++') + +- optional_policy(` +- nscd_socket_use($1) +- ') ++####################################### ++## ++## Create initrc domain. ++## ++## ++## ++## Type to be used as a initrc daemon domain. ++## ++## ++# ++interface(`init_initrc_domain',` ++ gen_require(` ++ attribute initrc_domain; ++ ') ++ ++ typeattribute $1 initrc_domain; ') -@@ -283,17 +308,20 @@ interface(`init_daemon_domain',` + ######################################## +@@ -283,17 +328,20 @@ interface(`init_daemon_domain',` interface(`init_ranged_daemon_domain',` gen_require(` type initrc_t; @@ -77291,7 +77323,7 @@ index d26fe81..b0bb610 100644 ') ') -@@ -336,22 +364,23 @@ interface(`init_ranged_daemon_domain',` +@@ -336,22 +384,23 @@ interface(`init_ranged_daemon_domain',` # interface(`init_system_domain',` gen_require(` @@ -77322,7 +77354,7 @@ index d26fe81..b0bb610 100644 ') ') -@@ -401,20 +430,41 @@ interface(`init_system_domain',` +@@ -401,20 +450,41 @@ interface(`init_system_domain',` interface(`init_ranged_system_domain',` gen_require(` type initrc_t; @@ -77364,7 +77396,7 @@ index d26fe81..b0bb610 100644 ######################################## ## ## Execute init (/sbin/init) with a domain transition. -@@ -442,7 +492,6 @@ interface(`init_domtrans',` +@@ -442,7 +512,6 @@ interface(`init_domtrans',` ## Domain allowed access. ## ## @@ -77372,7 +77404,7 @@ index d26fe81..b0bb610 100644 # interface(`init_exec',` gen_require(` -@@ -451,6 +500,29 @@ interface(`init_exec',` +@@ -451,6 +520,29 @@ interface(`init_exec',` corecmd_search_bin($1) can_exec($1, init_exec_t) 
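Review bot: The new `init_initrc_domain` interface is documented as "Create initrc domain" with its parameter described as "Type to be used as a initrc daemon domain", which does not tell a caller what it grants: through the `domtrans_pattern(initrc_domain, $2,$1)` added to `init_daemon_domain` in the preceding hunk, every type given the attribute receives a domain transition into every daemon domain declared with `init_daemon_domain`, an initrc_t-like privilege that should be handed out deliberately. I would write the summary as `## Make the domain an initrc-like domain: it gains a domain transition into every daemon domain declared via init_daemon_domain().` and the parameter as `## Domain to be treated as an initrc domain.`. The `attribute initrc_domain;` lines added to the gen_require block two hunks up and to init.te are the supporting pieces; whether `init_ranged_daemon_domain` or `init_system_domain` need the same transition cannot be judged from here. Minor style: the new call should be spaced like its neighbours, `domtrans_pattern(initrc_domain, $2, $1)`.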
@@ -77402,7 +77434,7 @@ index d26fe81..b0bb610 100644 ') ######################################## -@@ -539,6 +611,24 @@ interface(`init_sigchld',` +@@ -539,6 +631,24 @@ interface(`init_sigchld',` ######################################## ## @@ -77427,7 +77459,7 @@ index d26fe81..b0bb610 100644 ## Connect to init with a unix socket. ## ## -@@ -549,10 +639,66 @@ interface(`init_sigchld',` +@@ -549,10 +659,66 @@ interface(`init_sigchld',` # interface(`init_stream_connect',` gen_require(` @@ -77496,7 +77528,7 @@ index d26fe81..b0bb610 100644 ') ######################################## -@@ -718,19 +864,25 @@ interface(`init_telinit',` +@@ -718,19 +884,25 @@ interface(`init_telinit',` type initctl_t; ') @@ -77523,7 +77555,7 @@ index d26fe81..b0bb610 100644 ') ') -@@ -760,7 +912,7 @@ interface(`init_rw_initctl',` +@@ -760,7 +932,7 @@ interface(`init_rw_initctl',` ## ## ## @@ -77532,7 +77564,7 @@ index d26fe81..b0bb610 100644 ## ## # -@@ -803,11 +955,12 @@ interface(`init_script_file_entry_type',` +@@ -803,11 +975,12 @@ interface(`init_script_file_entry_type',` # interface(`init_spec_domtrans_script',` gen_require(` @@ -77547,7 +77579,7 @@ index d26fe81..b0bb610 100644 ifdef(`distro_gentoo',` gen_require(` -@@ -818,11 +971,11 @@ interface(`init_spec_domtrans_script',` +@@ -818,11 +991,11 @@ interface(`init_spec_domtrans_script',` ') ifdef(`enable_mcs',` @@ -77561,7 +77593,7 @@ index d26fe81..b0bb610 100644 ') ') -@@ -838,19 +991,41 @@ interface(`init_spec_domtrans_script',` +@@ -838,19 +1011,41 @@ interface(`init_spec_domtrans_script',` # interface(`init_domtrans_script',` gen_require(` @@ -77607,7 +77639,7 @@ index d26fe81..b0bb610 100644 ') ######################################## -@@ -906,9 +1081,14 @@ interface(`init_script_file_domtrans',` +@@ -906,9 +1101,14 @@ interface(`init_script_file_domtrans',` interface(`init_labeled_script_domtrans',` gen_require(` type initrc_t; 
@@ -77622,7 +77654,7 @@ index d26fe81..b0bb610 100644 files_search_etc($1) ') -@@ -999,7 +1179,9 @@ interface(`init_ptrace',` +@@ -999,7 +1199,9 @@ interface(`init_ptrace',` type init_t; ') @@ -77633,7 +77665,7 @@ index d26fe81..b0bb610 100644 ') ######################################## -@@ -1117,6 +1299,24 @@ interface(`init_read_all_script_files',` +@@ -1117,6 +1319,24 @@ interface(`init_read_all_script_files',` ####################################### ## @@ -77658,7 +77690,7 @@ index d26fe81..b0bb610 100644 ## Dontaudit read all init script files. ## ## -@@ -1168,12 +1368,7 @@ interface(`init_read_script_state',` +@@ -1168,12 +1388,7 @@ interface(`init_read_script_state',` ') kernel_search_proc($1) @@ -77672,7 +77704,7 @@ index d26fe81..b0bb610 100644 ') ######################################## -@@ -1413,6 +1608,27 @@ interface(`init_dbus_send_script',` +@@ -1413,6 +1628,27 @@ interface(`init_dbus_send_script',` ######################################## ## ## Send and receive messages from @@ -77700,7 +77732,7 @@ index d26fe81..b0bb610 100644 ## init scripts over dbus. ## ## -@@ -1499,6 +1715,25 @@ interface(`init_getattr_script_status_files',` +@@ -1499,6 +1735,25 @@ interface(`init_getattr_script_status_files',` ######################################## ## @@ -77726,7 +77758,7 @@ index d26fe81..b0bb610 100644 ## Do not audit attempts to read init script ## status files. ## -@@ -1557,6 +1792,24 @@ interface(`init_rw_script_tmp_files',` +@@ -1557,6 +1812,24 @@ interface(`init_rw_script_tmp_files',` ######################################## ## @@ -77751,7 +77783,7 @@ index d26fe81..b0bb610 100644 ## Create files in a init script ## temporary data directory. ## -@@ -1629,6 +1882,43 @@ interface(`init_read_utmp',` +@@ -1629,6 +1902,43 @@ interface(`init_read_utmp',` ######################################## ## 
@@ -77795,7 +77827,7 @@ index d26fe81..b0bb610 100644 ## Do not audit attempts to write utmp. ## ## -@@ -1717,7 +2007,7 @@ interface(`init_dontaudit_rw_utmp',` +@@ -1717,7 +2027,7 @@ interface(`init_dontaudit_rw_utmp',` type initrc_var_run_t; ') @@ -77804,7 +77836,7 @@ index d26fe81..b0bb610 100644 ') ######################################## -@@ -1758,6 +2048,128 @@ interface(`init_pid_filetrans_utmp',` +@@ -1758,6 +2068,128 @@ interface(`init_pid_filetrans_utmp',` files_pid_filetrans($1, initrc_var_run_t, file, "utmp") ') @@ -77933,7 +77965,7 @@ index d26fe81..b0bb610 100644 ######################################## ## ## Allow the specified domain to connect to daemon with a tcp socket -@@ -1792,3 +2204,284 @@ interface(`init_udp_recvfrom_all_daemons',` +@@ -1792,3 +2224,284 @@ interface(`init_udp_recvfrom_all_daemons',` ') corenet_udp_recvfrom_labeled($1, daemon) ') @@ -78219,7 +78251,7 @@ index d26fe81..b0bb610 100644 + allow $1 init_t:system undefined; +') diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index 5fb9683..28b9f3b 100644 +index 5fb9683..0721079 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -16,6 +16,34 @@ gen_require(` @@ -78257,7 +78289,7 @@ index 5fb9683..28b9f3b 100644 # used for direct running of init scripts # by admin domains attribute direct_run_init; -@@ -25,14 +53,18 @@ attribute direct_init_entry; +@@ -25,14 +53,21 @@ attribute direct_init_entry; attribute init_script_domain_type; attribute init_script_file_type; attribute init_run_all_scripts_domain; @@ -78268,6 +78300,9 @@ index 5fb9683..28b9f3b 100644 # Mark process types as daemons attribute daemon; +attribute systemprocess; ++ ++# Mark process types as initrc domain ++attribute initrc_domain; # # init_t is the domain of the init process. 
@@ -78277,7 +78312,7 @@ index 5fb9683..28b9f3b 100644 type init_exec_t; domain_type(init_t) domain_entry_file(init_t, init_exec_t) -@@ -45,6 +77,9 @@ role system_r types init_t; +@@ -45,6 +80,9 @@ role system_r types init_t; type init_var_run_t; files_pid_file(init_var_run_t) @@ -78287,7 +78322,7 @@ index 5fb9683..28b9f3b 100644 # # initctl_t is the type of the named pipe created # by init during initialization. This pipe is used -@@ -63,6 +98,8 @@ role system_r types initrc_t; +@@ -63,6 +101,8 @@ role system_r types initrc_t; # of the below init_upstart tunable # but this has a typeattribute in it corecmd_shell_entry_type(initrc_t) @@ -78296,7 +78331,7 @@ index 5fb9683..28b9f3b 100644 type initrc_devpts_t; term_pty(initrc_devpts_t) -@@ -92,7 +129,7 @@ ifdef(`enable_mls',` +@@ -92,7 +132,7 @@ ifdef(`enable_mls',` # # Use capabilities. old rule: @@ -78305,7 +78340,7 @@ index 5fb9683..28b9f3b 100644 # is ~sys_module really needed? observed: # sys_boot # sys_tty_config -@@ -104,12 +141,25 @@ allow init_t self:fifo_file rw_fifo_file_perms; +@@ -104,12 +144,25 @@ allow init_t self:fifo_file rw_fifo_file_perms; # Re-exec itself can_exec(init_t, init_exec_t) @@ -78337,7 +78372,7 @@ index 5fb9683..28b9f3b 100644 allow init_t initctl_t:fifo_file manage_fifo_file_perms; dev_filetrans(init_t, initctl_t, fifo_file) -@@ -119,25 +169,34 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr }; +@@ -119,28 +172,38 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr }; kernel_read_system_state(init_t) kernel_share_state(init_t) 
@@ -78373,7 +78408,11 @@ index 5fb9683..28b9f3b 100644 files_etc_filetrans_etc_runtime(init_t, file) # Run /etc/X11/prefdm: files_exec_etc_files(init_t) -@@ -149,6 +208,8 @@ fs_list_inotifyfs(init_t) ++files_read_usr_files(init_t) + # file descriptors inherited from the rootfs: + files_dontaudit_rw_root_files(init_t) + files_dontaudit_rw_root_chr_files(init_t) +@@ -149,6 +212,8 @@ fs_list_inotifyfs(init_t) # cjp: this may be related to /dev/log fs_write_ramfs_sockets(init_t) @@ -78382,7 +78421,7 @@ index 5fb9683..28b9f3b 100644 mcs_process_set_categories(init_t) mcs_killall(init_t) -@@ -156,22 +217,40 @@ mls_file_read_all_levels(init_t) +@@ -156,22 +221,40 @@ mls_file_read_all_levels(init_t) mls_file_write_all_levels(init_t) mls_process_write_down(init_t) mls_fd_use_all_levels(init_t) @@ -78424,7 +78463,7 @@ index 5fb9683..28b9f3b 100644 ifdef(`distro_gentoo',` allow init_t self:process { getcap setcap }; -@@ -180,12 +259,14 @@ ifdef(`distro_gentoo',` +@@ -180,12 +263,14 @@ ifdef(`distro_gentoo',` ') ifdef(`distro_redhat',` @@ -78440,18 +78479,17 @@ index 5fb9683..28b9f3b 100644 corecmd_shell_domtrans(init_t, initrc_t) ',` # Run the shell in the sysadm role for single-user mode. -@@ -193,16 +274,146 @@ tunable_policy(`init_upstart',` +@@ -193,16 +278,146 @@ tunable_policy(`init_upstart',` sysadm_shell_domtrans(init_t) ') +storage_raw_rw_fixed_disk(init_t) + - optional_policy(` -- auth_rw_login_records(init_t) ++optional_policy(` + modutils_domtrans_insmod(init_t) - ') - - optional_policy(` ++') ++ ++optional_policy(` + postfix_exec(init_t) + postfix_list_spool(init_t) + mta_read_aliases(init_t) 
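Review bot: `files_read_usr_files(init_t)` is added right after the `# Run /etc/X11/prefdm:` / `files_exec_etc_files(init_t)` pair with no comment of its own, so a reader is likely to attach the prefdm explanation to it, and nothing on the page says what under /usr init needs to read. A one-line reason above the new rule, e.g. `# TODO(review): name what init reads from /usr here` replaced by the actual cause, keeps the prefdm comment scoped to the exec rule. The surrounding init_t rule block continues outside the hunk.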
@@ -78564,32 +78602,33 @@ index 5fb9683..28b9f3b 100644 + lvm_rw_pipes(init_t) +') + -+optional_policy(` + optional_policy(` +- auth_rw_login_records(init_t) + consolekit_manage_log(init_t) -+') -+ -+optional_policy(` -+ dbus_connect_system_bus(init_t) - dbus_system_bus_client(init_t) -+ dbus_delete_pid_files(init_t) ') optional_policy(` -- nscd_socket_use(init_t) ++ dbus_connect_system_bus(init_t) + dbus_system_bus_client(init_t) ++ dbus_delete_pid_files(init_t) ++') ++ ++optional_policy(` + # /var/run/dovecot/login/ssl-parameters.dat is a hard link to + # /var/lib/dovecot/ssl-parameters.dat and init tries to clean up + # the directory. But we do not want to allow this. + # The master process of dovecot will manage this file. + dovecot_dontaudit_unlink_lib_files(initrc_t) -+') -+ -+optional_policy(` + ') + + optional_policy(` +- nscd_socket_use(init_t) + plymouthd_stream_connect(init_t) + plymouthd_exec_plymouth(init_t) ') optional_policy(` -@@ -210,6 +421,17 @@ optional_policy(` +@@ -210,6 +425,17 @@ optional_policy(` ') optional_policy(` @@ -78607,7 +78646,7 @@ index 5fb9683..28b9f3b 100644 unconfined_domain(init_t) ') -@@ -219,8 +441,8 @@ optional_policy(` +@@ -219,8 +445,8 @@ optional_policy(` # allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; @@ -78618,7 +78657,7 @@ index 5fb9683..28b9f3b 100644 allow initrc_t self:passwd rootok; allow initrc_t self:key manage_key_perms; -@@ -248,12 +470,15 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) +@@ -248,12 +474,15 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) allow initrc_t initrc_var_run_t:file manage_file_perms; files_pid_filetrans(initrc_t, initrc_var_run_t, file) 
@@ -78634,7 +78673,7 @@ index 5fb9683..28b9f3b 100644 init_write_initctl(initrc_t) -@@ -265,20 +490,34 @@ kernel_change_ring_buffer_level(initrc_t) +@@ -265,20 +494,34 @@ kernel_change_ring_buffer_level(initrc_t) kernel_clear_ring_buffer(initrc_t) kernel_get_sysvipc_info(initrc_t) kernel_read_all_sysctls(initrc_t) @@ -78673,7 +78712,7 @@ index 5fb9683..28b9f3b 100644 corenet_tcp_sendrecv_all_ports(initrc_t) corenet_udp_sendrecv_all_ports(initrc_t) corenet_tcp_connect_all_ports(initrc_t) -@@ -286,6 +525,7 @@ corenet_sendrecv_all_client_packets(initrc_t) +@@ -286,6 +529,7 @@ corenet_sendrecv_all_client_packets(initrc_t) dev_read_rand(initrc_t) dev_read_urand(initrc_t) @@ -78681,7 +78720,7 @@ index 5fb9683..28b9f3b 100644 dev_write_kmsg(initrc_t) dev_write_rand(initrc_t) dev_write_urand(initrc_t) -@@ -296,8 +536,10 @@ dev_write_framebuffer(initrc_t) +@@ -296,8 +540,10 @@ dev_write_framebuffer(initrc_t) dev_read_realtime_clock(initrc_t) dev_read_sound_mixer(initrc_t) dev_write_sound_mixer(initrc_t) @@ -78692,7 +78731,7 @@ index 5fb9683..28b9f3b 100644 dev_delete_lvm_control_dev(initrc_t) dev_manage_generic_symlinks(initrc_t) dev_manage_generic_files(initrc_t) -@@ -305,17 +547,16 @@ dev_manage_generic_files(initrc_t) +@@ -305,17 +551,16 @@ dev_manage_generic_files(initrc_t) dev_delete_generic_symlinks(initrc_t) dev_getattr_all_blk_files(initrc_t) dev_getattr_all_chr_files(initrc_t) @@ -78712,7 +78751,7 @@ index 5fb9683..28b9f3b 100644 domain_getsession_all_domains(initrc_t) domain_use_interactive_fds(initrc_t) # for lsof which is used by alsa shutdown: -@@ -323,6 +564,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) +@@ -323,6 +568,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) domain_dontaudit_getattr_all_tcp_sockets(initrc_t) domain_dontaudit_getattr_all_dgram_sockets(initrc_t) domain_dontaudit_getattr_all_pipes(initrc_t) 
@@ -78720,7 +78759,7 @@ index 5fb9683..28b9f3b 100644 files_getattr_all_dirs(initrc_t) files_getattr_all_files(initrc_t) -@@ -330,8 +572,10 @@ files_getattr_all_symlinks(initrc_t) +@@ -330,8 +576,10 @@ files_getattr_all_symlinks(initrc_t) files_getattr_all_pipes(initrc_t) files_getattr_all_sockets(initrc_t) files_purge_tmp(initrc_t) @@ -78732,7 +78771,7 @@ index 5fb9683..28b9f3b 100644 files_delete_all_pids(initrc_t) files_delete_all_pid_dirs(initrc_t) files_read_etc_files(initrc_t) -@@ -347,8 +591,12 @@ files_list_isid_type_dirs(initrc_t) +@@ -347,8 +595,12 @@ files_list_isid_type_dirs(initrc_t) files_mounton_isid_type_dirs(initrc_t) files_list_default(initrc_t) files_mounton_default(initrc_t) @@ -78746,7 +78785,7 @@ index 5fb9683..28b9f3b 100644 fs_list_inotifyfs(initrc_t) fs_register_binary_executable_type(initrc_t) # rhgb-console writes to ramfs -@@ -358,9 +606,12 @@ fs_mount_all_fs(initrc_t) +@@ -358,9 +610,12 @@ fs_mount_all_fs(initrc_t) fs_unmount_all_fs(initrc_t) fs_remount_all_fs(initrc_t) fs_getattr_all_fs(initrc_t) @@ -78760,7 +78799,7 @@ index 5fb9683..28b9f3b 100644 mcs_killall(initrc_t) mcs_process_set_categories(initrc_t) -@@ -370,6 +621,7 @@ mls_process_read_up(initrc_t) +@@ -370,6 +625,7 @@ mls_process_read_up(initrc_t) mls_process_write_down(initrc_t) mls_rangetrans_source(initrc_t) mls_fd_share_all_levels(initrc_t) @@ -78768,7 +78807,7 @@ index 5fb9683..28b9f3b 100644 selinux_get_enforce_mode(initrc_t) -@@ -381,6 +633,7 @@ term_use_all_terms(initrc_t) +@@ -381,6 +637,7 @@ term_use_all_terms(initrc_t) term_reset_tty_labels(initrc_t) auth_rw_login_records(initrc_t) @@ -78776,7 +78815,7 @@ index 5fb9683..28b9f3b 100644 auth_setattr_login_records(initrc_t) auth_rw_lastlog(initrc_t) auth_read_pam_pid(initrc_t) -@@ -401,18 +654,17 @@ logging_read_audit_config(initrc_t) +@@ -401,18 +658,17 @@ logging_read_audit_config(initrc_t) miscfiles_read_localization(initrc_t) # slapd needs to read cert files from its initscript 
@@ -78798,7 +78837,7 @@ index 5fb9683..28b9f3b 100644 ifdef(`distro_debian',` dev_setattr_generic_dirs(initrc_t) -@@ -465,6 +717,10 @@ ifdef(`distro_gentoo',` +@@ -465,6 +721,10 @@ ifdef(`distro_gentoo',` sysnet_setattr_config(initrc_t) optional_policy(` @@ -78809,7 +78848,7 @@ index 5fb9683..28b9f3b 100644 alsa_read_lib(initrc_t) ') -@@ -485,7 +741,7 @@ ifdef(`distro_redhat',` +@@ -485,7 +745,7 @@ ifdef(`distro_redhat',` # Red Hat systems seem to have a stray # fd open from the initrd @@ -78818,7 +78857,7 @@ index 5fb9683..28b9f3b 100644 files_dontaudit_read_root_files(initrc_t) # These seem to be from the initrd -@@ -500,6 +756,7 @@ ifdef(`distro_redhat',` +@@ -500,6 +760,7 @@ ifdef(`distro_redhat',` files_create_boot_dirs(initrc_t) files_create_boot_flag(initrc_t) files_rw_boot_symlinks(initrc_t) @@ -78826,7 +78865,7 @@ index 5fb9683..28b9f3b 100644 # wants to read /.fonts directory files_read_default_files(initrc_t) files_mountpoint(initrc_tmp_t) -@@ -520,6 +777,7 @@ ifdef(`distro_redhat',` +@@ -520,6 +781,7 @@ ifdef(`distro_redhat',` miscfiles_rw_localization(initrc_t) miscfiles_setattr_localization(initrc_t) miscfiles_relabel_localization(initrc_t) @@ -78834,7 +78873,7 @@ index 5fb9683..28b9f3b 100644 miscfiles_read_fonts(initrc_t) miscfiles_read_hwdata(initrc_t) -@@ -529,8 +787,35 @@ ifdef(`distro_redhat',` +@@ -529,8 +791,35 @@ ifdef(`distro_redhat',` ') optional_policy(` @@ -78870,7 +78909,7 @@ index 5fb9683..28b9f3b 100644 ') optional_policy(` -@@ -538,14 +823,27 @@ ifdef(`distro_redhat',` +@@ -538,14 +827,27 @@ ifdef(`distro_redhat',` rpc_write_exports(initrc_t) rpc_manage_nfs_state_data(initrc_t) ') @@ -78898,7 +78937,7 @@ index 5fb9683..28b9f3b 100644 ') ') -@@ -556,6 +854,39 @@ ifdef(`distro_suse',` +@@ -556,6 +858,39 @@ ifdef(`distro_suse',` ') ') 
@@ -78938,7 +78977,7 @@ index 5fb9683..28b9f3b 100644 optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -568,6 +899,8 @@ optional_policy(` +@@ -568,6 +903,8 @@ optional_policy(` optional_policy(` apache_read_config(initrc_t) apache_list_modules(initrc_t) @@ -78947,7 +78986,7 @@ index 5fb9683..28b9f3b 100644 ') optional_policy(` -@@ -589,6 +922,7 @@ optional_policy(` +@@ -589,6 +926,7 @@ optional_policy(` optional_policy(` cgroup_stream_connect_cgred(initrc_t) @@ -78955,7 +78994,7 @@ index 5fb9683..28b9f3b 100644 ') optional_policy(` -@@ -601,6 +935,17 @@ optional_policy(` +@@ -601,6 +939,17 @@ optional_policy(` ') optional_policy(` @@ -78973,7 +79012,7 @@ index 5fb9683..28b9f3b 100644 dev_getattr_printer_dev(initrc_t) cups_read_log(initrc_t) -@@ -617,9 +962,13 @@ optional_policy(` +@@ -617,9 +966,13 @@ optional_policy(` dbus_connect_system_bus(initrc_t) dbus_system_bus_client(initrc_t) dbus_read_config(initrc_t) @@ -78987,7 +79026,7 @@ index 5fb9683..28b9f3b 100644 ') optional_policy(` -@@ -644,6 +993,10 @@ optional_policy(` +@@ -644,6 +997,10 @@ optional_policy(` ') optional_policy(` @@ -78998,7 +79037,7 @@ index 5fb9683..28b9f3b 100644 gpm_setattr_gpmctl(initrc_t) ') -@@ -661,6 +1014,15 @@ optional_policy(` +@@ -661,6 +1018,15 @@ optional_policy(` ') optional_policy(` @@ -79014,7 +79053,7 @@ index 5fb9683..28b9f3b 100644 inn_exec_config(initrc_t) ') -@@ -701,6 +1063,7 @@ optional_policy(` +@@ -701,6 +1067,7 @@ optional_policy(` lpd_list_spool(initrc_t) lpd_read_config(initrc_t) @@ -79022,7 +79061,7 @@ index 5fb9683..28b9f3b 100644 ') optional_policy(` -@@ -718,7 +1081,13 @@ optional_policy(` +@@ -718,7 +1085,13 @@ optional_policy(` ') optional_policy(` @@ -79036,7 +79075,7 @@ index 5fb9683..28b9f3b 100644 mta_dontaudit_read_spool_symlinks(initrc_t) ') -@@ -741,6 +1110,10 @@ optional_policy(` +@@ -741,6 +1114,10 @@ optional_policy(` ') optional_policy(` 
@@ -79047,7 +79086,7 @@ index 5fb9683..28b9f3b 100644 postgresql_manage_db(initrc_t) postgresql_read_config(initrc_t) ') -@@ -750,10 +1123,20 @@ optional_policy(` +@@ -750,10 +1127,20 @@ optional_policy(` ') optional_policy(` @@ -79068,7 +79107,7 @@ index 5fb9683..28b9f3b 100644 quota_manage_flags(initrc_t) ') -@@ -762,6 +1145,10 @@ optional_policy(` +@@ -762,6 +1149,10 @@ optional_policy(` ') optional_policy(` @@ -79079,7 +79118,7 @@ index 5fb9683..28b9f3b 100644 fs_write_ramfs_sockets(initrc_t) fs_search_ramfs(initrc_t) -@@ -783,8 +1170,6 @@ optional_policy(` +@@ -783,8 +1174,6 @@ optional_policy(` # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) @@ -79088,7 +79127,7 @@ index 5fb9683..28b9f3b 100644 ') optional_policy(` -@@ -793,6 +1178,10 @@ optional_policy(` +@@ -793,6 +1182,10 @@ optional_policy(` ') optional_policy(` @@ -79099,7 +79138,7 @@ index 5fb9683..28b9f3b 100644 # shorewall-init script run /var/lib/shorewall/firewall shorewall_lib_domtrans(initrc_t) ') -@@ -802,10 +1191,12 @@ optional_policy(` +@@ -802,10 +1195,12 @@ optional_policy(` squid_manage_logs(initrc_t) ') @@ -79112,7 +79151,7 @@ index 5fb9683..28b9f3b 100644 optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -817,7 +1208,6 @@ optional_policy(` +@@ -817,7 +1212,6 @@ optional_policy(` ') optional_policy(` @@ -79120,7 +79159,7 @@ index 5fb9683..28b9f3b 100644 udev_manage_pid_files(initrc_t) udev_manage_rules_files(initrc_t) ') -@@ -827,12 +1217,30 @@ optional_policy(` +@@ -827,12 +1221,30 @@ optional_policy(` ') optional_policy(` @@ -79153,7 +79192,7 @@ index 5fb9683..28b9f3b 100644 ifdef(`distro_redhat',` # system-config-services causes avc messages that should be dontaudited -@@ -842,6 +1250,18 @@ optional_policy(` +@@ -842,6 +1254,18 @@ optional_policy(` optional_policy(` mono_domtrans(initrc_t) ') 
@@ -79172,7 +79211,7 @@ index 5fb9683..28b9f3b 100644 ') optional_policy(` -@@ -857,6 +1277,10 @@ optional_policy(` +@@ -857,6 +1281,10 @@ optional_policy(` ') optional_policy(` @@ -79183,7 +79222,7 @@ index 5fb9683..28b9f3b 100644 # Set device ownerships/modes. xserver_setattr_console_pipes(initrc_t) -@@ -867,3 +1291,165 @@ optional_policy(` +@@ -867,3 +1295,165 @@ optional_policy(` optional_policy(` zebra_read_config(initrc_t) ') @@ -85362,10 +85401,10 @@ index 0000000..2497606 + diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 0000000..eec7c72 +index 0000000..76b90b2 --- /dev/null +++ b/policy/modules/system/systemd.te -@@ -0,0 +1,423 @@ +@@ -0,0 +1,420 @@ +policy_module(systemd, 1.0.0) + +####################################### @@ -85437,9 +85476,11 @@ index 0000000..eec7c72 +init_named_pid_filetrans(systemd_logind_t, systemd_logind_sessions_t, dir, "sessions") +init_pid_filetrans(systemd_logind_t, systemd_logind_var_run_t, dir) +init_status(systemd_logind_t) ++init_signal(systemd_logind_t) +init_reboot(systemd_logind_t) +init_halt(systemd_logind_t) +init_undefined(systemd_logind_t) ++init_signal_script(systemd_logind_t) + +kernel_read_system_state(systemd_logind_t) + @@ -85458,6 +85499,9 @@ index 0000000..eec7c72 +dev_write_kmsg(systemd_logind_t) + +domain_read_all_domains_state(systemd_logind_t) ++domain_signal_all_domains(systemd_logind_t) ++domain_signull_all_domains(systemd_logind_t) ++domain_kill_all_domains(systemd_logind_t) + +# /etc/udev/udev.conf should probably have a private type if only for confined administration +# /etc/nsswitch.conf 
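Review bot: `domain_kill_all_domains(systemd_logind_t)` lets logind send SIGKILL to every domain on the system, including init, the audit and security daemons and the kernel domain, which is far wider than the per-user and application signalling rules (`userdom_kill_all_users`, `application_sigkill`) that the following hunk removes. If the denials behind this change came from session processes running in arbitrary domains, that should be stated above the three rules, e.g. `# logind kills whole session cgroups, which may hold processes of any domain`, so the grant is not narrowed later without knowing why. If they did not, keeping `domain_signull_all_domains` for liveness checks and restricting the kill to a narrower attribute would preserve the boundary that confining logind is meant to give; that is a judgement call on audit logs that are not in the commit.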
@@ -85501,18 +85545,10 @@ index 0000000..eec7c72 +userdom_manage_user_tmp_files(systemd_logind_t) +userdom_manage_user_tmp_symlinks(systemd_logind_t) +userdom_manage_user_tmp_sockets(systemd_logind_t) -+userdom_signal_all_users(systemd_logind_t) -+userdom_signull_all_users(systemd_logind_t) -+userdom_kill_all_users(systemd_logind_t) -+ -+application_signal(systemd_logind_t) -+application_signull(systemd_logind_t) -+application_sigkill(systemd_logind_t) + +optional_policy(` + cron_dbus_chat_crond(systemd_logind_t) + cron_read_state_crond(systemd_logind_t) -+ cron_signal(systemd_logind_t) +') + +optional_policy(` @@ -90879,7 +90915,7 @@ index e720dcd..3361868 100644 + typeattribute $1 userdom_home_manager_type; +') diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te -index 47efe9a..55dc5cc 100644 +index 47efe9a..4136fa9 100644 --- a/policy/modules/system/userdomain.te +++ b/policy/modules/system/userdomain.te @@ -7,17 +7,17 @@ policy_module(userdomain, 4.7.2) @@ -90954,7 +90990,7 @@ index 47efe9a..55dc5cc 100644 type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t }; fs_associate_tmpfs(user_home_dir_t) files_type(user_home_dir_t) -@@ -71,26 +102,111 @@ ubac_constrained(user_home_dir_t) +@@ -71,26 +102,112 @@ ubac_constrained(user_home_dir_t) type user_home_t alias { staff_home_t sysadm_home_t secadm_home_t auditadm_home_t unconfined_home_t }; typealias user_home_t alias { staff_untrusted_content_t sysadm_untrusted_content_t secadm_untrusted_content_t auditadm_untrusted_content_t unconfined_untrusted_content_t }; @@ -90979,6 +91015,7 @@ index 47efe9a..55dc5cc 100644 files_tmp_file(user_tmp_t) userdom_user_home_content(user_tmp_t) +files_poly_parent(user_tmp_t) ++files_mountpoint(user_tmp_t) -type user_tmpfs_t alias { staff_tmpfs_t sysadm_tmpfs_t secadm_tmpfs_t auditadm_tmpfs_t unconfined_tmpfs_t }; +type user_tmpfs_t, user_tmpfs_type; 
diff --git a/policy_contrib-rawhide.patch b/policy_contrib-rawhide.patch index 28dd5c1e..a8706735 100644 --- a/policy_contrib-rawhide.patch +++ b/policy_contrib-rawhide.patch @@ -2453,7 +2453,7 @@ index 6480167..d0bf548 100644 + filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess") ') diff --git a/apache.te b/apache.te -index a36a01d..777623e 100644 +index a36a01d..f6aad32 100644 --- a/apache.te +++ b/apache.te @@ -18,6 +18,8 @@ policy_module(apache, 2.3.2) @@ -3072,10 +3072,16 @@ index a36a01d..777623e 100644 cobbler_search_lib(httpd_t) ') -@@ -540,6 +832,18 @@ optional_policy(` +@@ -540,6 +832,24 @@ optional_policy(` daemontools_service_domain(httpd_t, httpd_exec_t) ') ++optional_policy(` ++ # needed by FreeIPA ++ dirsrv_stream_connect(httpd_t) ++ ldap_stream_connect(httpd_t) ++') ++ +optional_policy(` + dirsrv_manage_config(httpd_t) + dirsrv_manage_log(httpd_t) @@ -3091,7 +3097,7 @@ index a36a01d..777623e 100644 optional_policy(` dbus_system_bus_client(httpd_t) -@@ -549,12 +853,21 @@ optional_policy(` +@@ -549,12 +859,21 @@ optional_policy(` ') optional_policy(` @@ -3114,7 +3120,7 @@ index a36a01d..777623e 100644 kerberos_keytab_template(httpd, httpd_t) ') -@@ -568,7 +881,21 @@ optional_policy(` +@@ -568,7 +887,21 @@ optional_policy(` ') optional_policy(` @@ -3136,7 +3142,7 @@ index a36a01d..777623e 100644 mysql_stream_connect(httpd_t) mysql_rw_db_sockets(httpd_t) -@@ -579,6 +906,7 @@ optional_policy(` +@@ -579,6 +912,7 @@ optional_policy(` optional_policy(` nagios_read_config(httpd_t) @@ -3144,7 +3150,7 @@ index a36a01d..777623e 100644 ') optional_policy(` -@@ -589,6 +917,33 @@ optional_policy(` +@@ -589,6 +923,33 @@ optional_policy(` ') optional_policy(` 
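Review bot: The new `dirsrv_stream_connect(httpd_t)` and `ldap_stream_connect(httpd_t)` are granted to every httpd instance with no tunable, while the database connections elsewhere in this file sit behind `httpd_can_network_connect_db`; a web server running third-party PHP therefore gets a local channel to the directory server socket on any host where both modules are loaded, whether or not FreeIPA is installed. The comment `# needed by FreeIPA` names the consumer but not why no boolean gates it; consider wrapping the two calls in a `tunable_policy(` block like the neighbouring database rules, or extend the comment to say the unconditional grant is deliberate. The optional_policy block this lands in continues beyond the hunk.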
@@ -3178,7 +3184,7 @@ index a36a01d..777623e 100644 # Allow httpd to work with postgresql postgresql_stream_connect(httpd_t) postgresql_unpriv_client(httpd_t) -@@ -603,6 +958,11 @@ optional_policy(` +@@ -603,6 +964,11 @@ optional_policy(` ') optional_policy(` @@ -3190,7 +3196,7 @@ index a36a01d..777623e 100644 snmp_dontaudit_read_snmp_var_lib_files(httpd_t) snmp_dontaudit_write_snmp_var_lib_files(httpd_t) ') -@@ -615,6 +975,12 @@ optional_policy(` +@@ -615,6 +981,12 @@ optional_policy(` yam_read_content(httpd_t) ') @@ -3203,7 +3209,7 @@ index a36a01d..777623e 100644 ######################################## # # Apache helper local policy -@@ -628,7 +994,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms; +@@ -628,7 +1000,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms; logging_send_syslog_msg(httpd_helper_t) @@ -3216,7 +3222,7 @@ index a36a01d..777623e 100644 ######################################## # -@@ -666,28 +1036,30 @@ libs_exec_lib_files(httpd_php_t) +@@ -666,28 +1042,30 @@ libs_exec_lib_files(httpd_php_t) userdom_use_unpriv_users_fds(httpd_php_t) tunable_policy(`httpd_can_network_connect_db',` @@ -3260,7 +3266,7 @@ index a36a01d..777623e 100644 ') ######################################## -@@ -697,6 +1069,7 @@ optional_policy(` +@@ -697,6 +1075,7 @@ optional_policy(` allow httpd_suexec_t self:capability { setuid setgid }; allow httpd_suexec_t self:process signal_perms; @@ -3268,7 +3274,7 @@ index a36a01d..777623e 100644 allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms; domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t) -@@ -711,14 +1084,23 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) +@@ -711,14 +1090,23 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir }) 
@@ -3292,7 +3298,7 @@ index a36a01d..777623e 100644 # for shell scripts corecmd_exec_bin(httpd_suexec_t) corecmd_exec_shell(httpd_suexec_t) -@@ -752,13 +1134,31 @@ tunable_policy(`httpd_can_network_connect',` +@@ -752,13 +1140,31 @@ tunable_policy(`httpd_can_network_connect',` corenet_sendrecv_all_client_packets(httpd_suexec_t) ') @@ -3325,7 +3331,7 @@ index a36a01d..777623e 100644 fs_read_nfs_files(httpd_suexec_t) fs_read_nfs_symlinks(httpd_suexec_t) fs_exec_nfs_files(httpd_suexec_t) -@@ -781,6 +1181,25 @@ optional_policy(` +@@ -781,6 +1187,25 @@ optional_policy(` dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write }; ') @@ -3351,7 +3357,7 @@ index a36a01d..777623e 100644 ######################################## # # Apache system script local policy -@@ -801,12 +1220,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp +@@ -801,12 +1226,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp kernel_read_kernel_sysctls(httpd_sys_script_t) @@ -3369,7 +3375,7 @@ index a36a01d..777623e 100644 ifdef(`distro_redhat',` allow httpd_sys_script_t httpd_log_t:file append_file_perms; ') -@@ -815,18 +1239,50 @@ tunable_policy(`httpd_can_sendmail',` +@@ -815,18 +1245,50 @@ tunable_policy(`httpd_can_sendmail',` mta_send_mail(httpd_sys_script_t) ') @@ -3426,7 +3432,7 @@ index a36a01d..777623e 100644 corenet_tcp_sendrecv_all_ports(httpd_sys_script_t) corenet_udp_sendrecv_all_ports(httpd_sys_script_t) corenet_tcp_connect_all_ports(httpd_sys_script_t) -@@ -834,14 +1290,39 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',` +@@ -834,14 +1296,39 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',` ') tunable_policy(`httpd_enable_homedirs',` 
@@ -3467,7 +3473,7 @@ index a36a01d..777623e 100644 tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_sys_script_t) fs_read_cifs_symlinks(httpd_sys_script_t) -@@ -854,10 +1335,20 @@ optional_policy(` +@@ -854,10 +1341,20 @@ optional_policy(` optional_policy(` mysql_stream_connect(httpd_sys_script_t) mysql_rw_db_sockets(httpd_sys_script_t) @@ -3488,7 +3494,7 @@ index a36a01d..777623e 100644 ') ######################################## -@@ -903,11 +1394,146 @@ optional_policy(` +@@ -903,11 +1400,146 @@ optional_policy(` tunable_policy(`httpd_enable_cgi && httpd_unified',` allow httpd_user_script_t httpdcontent:file entrypoint; @@ -10086,10 +10092,10 @@ index 0000000..168f664 +') diff --git a/condor.te b/condor.te new file mode 100644 -index 0000000..4eb7bd9 +index 0000000..1bba4b7 --- /dev/null +++ b/condor.te -@@ -0,0 +1,231 @@ +@@ -0,0 +1,232 @@ +policy_module(condor, 1.0.0) + +######################################## @@ -10308,6 +10314,7 @@ index 0000000..4eb7bd9 +auth_use_nsswitch(condor_startd_t) + +init_domtrans_script(condor_startd_t) ++init_initrc_domain(condor_startd_t) + +libs_exec_lib_files(condor_startd_t) + @@ -13263,7 +13270,7 @@ index c43ff4c..5da88b5 100644 init_labeled_script_domtrans($1, cvs_initrc_exec_t) domain_system_change_exemption($1) diff --git a/cvs.te b/cvs.te -index 88e7e97..1c723fb 100644 +index 88e7e97..08d7ec0 100644 --- a/cvs.te +++ b/cvs.te @@ -10,7 +10,7 @@ policy_module(cvs, 1.9.0) @@ -13298,8 +13305,12 @@ index 88e7e97..1c723fb 100644 logging_send_syslog_msg(cvs_t) logging_send_audit_msgs(cvs_t) -@@ -90,7 +92,7 @@ mta_send_mail(cvs_t) +@@ -88,9 +90,11 @@ miscfiles_read_localization(cvs_t) + mta_send_mail(cvs_t) + ++userdom_dontaudit_search_user_home_dirs(cvs_t) ++ # cjp: typeattribute doesnt work in conditionals yet auth_can_read_shadow_passwords(cvs_t) -tunable_policy(`allow_cvs_read_shadow',` 
@@ -13307,7 +13318,7 @@ index 88e7e97..1c723fb 100644 allow cvs_t self:capability dac_override; auth_tunable_read_shadow(cvs_t) ') -@@ -112,4 +114,5 @@ optional_policy(` +@@ -112,4 +116,5 @@ optional_policy(` read_files_pattern(httpd_cvs_script_t, cvs_data_t, cvs_data_t) manage_dirs_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t) manage_files_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t) @@ -16520,7 +16531,7 @@ index e1d7dc5..df96c0d 100644 admin_pattern($1, dovecot_var_run_t) diff --git a/dovecot.te b/dovecot.te -index 2df7766..ef8b0d7 100644 +index 2df7766..53efc0b 100644 --- a/dovecot.te +++ b/dovecot.te @@ -18,7 +18,7 @@ type dovecot_auth_tmp_t; @@ -16751,7 +16762,7 @@ index 2df7766..ef8b0d7 100644 miscfiles_read_localization(dovecot_deliver_t) -@@ -283,24 +338,22 @@ userdom_manage_user_home_content_pipes(dovecot_deliver_t) +@@ -283,24 +338,23 @@ userdom_manage_user_home_content_pipes(dovecot_deliver_t) userdom_manage_user_home_content_sockets(dovecot_deliver_t) userdom_user_home_dir_filetrans_user_home_content(dovecot_deliver_t, { dir file lnk_file fifo_file sock_file }) @@ -16779,6 +16790,7 @@ index 2df7766..ef8b0d7 100644 optional_policy(` mta_manage_spool(dovecot_deliver_t) + mta_read_queue(dovecot_deliver_t) ++ mta_read_home_rw(dovecot_deliver_t) +') + +optional_policy(` @@ -20106,16 +20118,17 @@ index 4afb81f..842165a 100644 - -libs_exec_ldconfig(glance_api_t) diff --git a/gnome.fc b/gnome.fc -index 00a19e3..d776f66 100644 +index 00a19e3..17006fc 100644 --- a/gnome.fc 
+++ b/gnome.fc -@@ -1,9 +1,53 @@ +@@ -1,9 +1,54 @@ -HOME_DIR/\.config/gtk-.* gen_context(system_u:object_r:gnome_home_t,s0) +HOME_DIR/\.cache(/.*)? gen_context(system_u:object_r:cache_home_t,s0) +HOME_DIR/\.color/icc(/.*)? gen_context(system_u:object_r:icc_data_home_t,s0) +HOME_DIR/\.dbus(/.*)? gen_context(system_u:object_r:dbus_home_t,s0) +HOME_DIR/\.config(/.*)? gen_context(system_u:object_r:config_home_t,s0) +HOME_DIR/\.kde(/.*)? gen_context(system_u:object_r:config_home_t,s0) ++HOME_DIR/\.nv(/.*)? gen_context(system_u:object_r:cache_home_t,s0) HOME_DIR/\.gconf(d)?(/.*)? gen_context(system_u:object_r:gconf_home_t,s0) HOME_DIR/\.gnome2(/.*)? gen_context(system_u:object_r:gnome_home_t,s0) +HOME_DIR/\.gnome2/keyrings(/.*)? gen_context(system_u:object_r:gkeyringd_gnome_home_t,s0) @@ -20166,7 +20179,7 @@ index 00a19e3..d776f66 100644 +/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) +/usr/libexec/kde(3|4)/ksysguardprocesslist_helper -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) diff --git a/gnome.if b/gnome.if -index f5afe78..581c9dd 100644 +index f5afe78..e283f63 100644 --- a/gnome.if +++ b/gnome.if @@ -1,44 +1,937 @@ @@ -21276,7 +21289,7 @@ index f5afe78..581c9dd 100644 ## ## ## -@@ -122,17 +1068,62 @@ interface(`gnome_stream_connect_gconf',` +@@ -122,17 +1068,80 @@ interface(`gnome_stream_connect_gconf',` ## ## # @@ -21292,6 +21305,24 @@ index f5afe78..581c9dd 100644 + gnome_filetrans_gstreamer_home_content($1) +') + ++###################################### ++## ++## Allow to execute gstreamer home content files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`gnome_exec_gstreamer_home_files',` ++ gen_require(` ++ type gstreamer_home_t; ++ ') ++ ++ can_exec($1, gstreamer_home_t) ++') ++ +####################################### +## +## file name transition gstreamer home content files. 
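Review bot: The new `gnome_exec_gstreamer_home_files` interface grants `can_exec($1, gstreamer_home_t)` on home-directory content that other interfaces in this file let domains create and manage, so any caller becomes able to run user-modifiable files; the summary `Allow to execute gstreamer home content files.` should say that, e.g. `## Execute gstreamer home content (gstreamer_home_t). This content is user-writable, so callers that process untrusted data should not use this interface.` A one-line note on why gstreamer needs exec here (presumably a plugin registry or scanner helper, which the hunk does not show) would help future reviewers judge whether a given caller is appropriate.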
@@ -21343,7 +21374,7 @@ index f5afe78..581c9dd 100644 ## ## ## -@@ -140,51 +1131,306 @@ interface(`gnome_domtrans_gconfd',` +@@ -140,51 +1149,307 @@ interface(`gnome_domtrans_gconfd',` ## ## # @@ -21564,6 +21595,7 @@ index f5afe78..581c9dd 100644 + userdom_user_home_dir_filetrans($1, config_home_t, file, ".Xdefaults") + userdom_user_home_dir_filetrans($1, config_home_t, dir, ".xine") + userdom_user_home_dir_filetrans($1, cache_home_t, dir, ".cache") ++ userdom_user_home_dir_filetrans($1, cache_home_t, dir, ".nv") + userdom_user_home_dir_filetrans($1, config_home_t, dir, ".kde") + userdom_user_home_dir_filetrans($1, gconf_home_t, dir, ".gconf") + userdom_user_home_dir_filetrans($1, gconf_home_t, dir, ".gconfd") @@ -26044,10 +26076,10 @@ index 0000000..8bc2c6d +') diff --git a/l2tpd.te b/l2tpd.te new file mode 100644 -index 0000000..4786fde +index 0000000..1b720ad --- /dev/null +++ b/l2tpd.te -@@ -0,0 +1,99 @@ +@@ -0,0 +1,101 @@ +policy_module(l2tpd, 1.0.0) + +######################################## @@ -26136,6 +26168,8 @@ index 0000000..4786fde + +term_use_ptmx(l2tpd_t) + ++auth_read_passwd(l2tpd_t) ++ +logging_send_syslog_msg(l2tpd_t) + +miscfiles_read_localization(l2tpd_t) @@ -27129,7 +27163,7 @@ index 3c7b1e8..1e155f5 100644 + +/var/run/epylog\.pid gen_context(system_u:object_r:logwatch_var_run_t,s0) diff --git a/logwatch.te b/logwatch.te -index 75ce30f..671d4e1 100644 +index 75ce30f..47aa9f5 100644 --- a/logwatch.te +++ b/logwatch.te @@ -7,6 +7,7 @@ policy_module(logwatch, 1.11.0) 
@@ -27171,16 +27205,18 @@ index 75ce30f..671d4e1 100644 files_read_usr_files(logwatch_t) files_search_spool(logwatch_t) files_search_mnt(logwatch_t) -@@ -70,6 +81,8 @@ fs_getattr_all_fs(logwatch_t) +@@ -70,6 +81,10 @@ fs_getattr_all_fs(logwatch_t) fs_dontaudit_list_auto_mountpoints(logwatch_t) fs_list_inotifyfs(logwatch_t) ++storage_dontaudit_getattr_fixed_disk_dev(logwatch_t) ++ +mls_file_read_to_clearance(logwatch_t) + term_dontaudit_getattr_pty_dirs(logwatch_t) term_dontaudit_list_ptys(logwatch_t) -@@ -92,11 +105,14 @@ sysnet_dns_name_resolve(logwatch_t) +@@ -92,11 +107,14 @@ sysnet_dns_name_resolve(logwatch_t) sysnet_exec_ifconfig(logwatch_t) userdom_dontaudit_search_user_home_dirs(logwatch_t) @@ -27196,7 +27232,7 @@ index 75ce30f..671d4e1 100644 files_getattr_all_file_type_fs(logwatch_t) ') -@@ -145,3 +161,24 @@ optional_policy(` +@@ -145,3 +163,24 @@ optional_policy(` samba_read_log(logwatch_t) samba_read_share_files(logwatch_t) ') @@ -28700,7 +28736,7 @@ index ee72cbe..bf5fc09 100644 + delete_files_pattern($1, dkim_milter_data_t, dkim_milter_data_t) +') diff --git a/milter.te b/milter.te -index 26101cb..db61a30 100644 +index 26101cb..7393387 100644 --- a/milter.te +++ b/milter.te @@ -9,6 +9,13 @@ policy_module(milter, 1.4.0) @@ -28717,7 +28753,7 @@ index 26101cb..db61a30 100644 # currently-supported milters are milter-greylist, milter-regex and spamass-milter milter_template(greylist) milter_template(regex) -@@ -20,6 +27,23 @@ milter_template(spamass) +@@ -20,6 +27,24 @@ milter_template(spamass) type spamass_milter_state_t; files_type(spamass_milter_state_t) @@ -28728,6 +28764,7 @@ index 26101cb..db61a30 100644 + +allow dkim_milter_t self:capability { kill setgid setuid }; +allow dkim_milter_t self:process signal; ++allow dkim_milter_t self:tcp_socket create_stream_socket_perms; +allow dkim_milter_t self:unix_stream_socket create_stream_socket_perms; + +read_files_pattern(dkim_milter_t, dkim_milter_private_key_t, dkim_milter_private_key_t) 
@@ -28741,7 +28778,7 @@ index 26101cb..db61a30 100644 ######################################## # # milter-greylist local policy -@@ -33,11 +57,19 @@ files_type(spamass_milter_state_t) +@@ -33,11 +58,19 @@ files_type(spamass_milter_state_t) allow greylist_milter_t self:capability { chown dac_override setgid setuid sys_nice }; allow greylist_milter_t self:process { setsched getsched }; @@ -32982,7 +33019,7 @@ index a648982..59f096b 100644 ') + diff --git a/ncftool.te b/ncftool.te -index f19ca0b..8c48c33 100644 +index f19ca0b..dfc1ba2 100644 --- a/ncftool.te +++ b/ncftool.te @@ -5,25 +5,29 @@ policy_module(ncftool, 1.1.0) @@ -33058,7 +33095,7 @@ index f19ca0b..8c48c33 100644 optional_policy(` consoletype_exec(ncftool_t) ') -@@ -69,13 +83,17 @@ optional_policy(` +@@ -69,13 +83,18 @@ optional_policy(` optional_policy(` iptables_initrc_domtrans(ncftool_t) @@ -33066,6 +33103,7 @@ index f19ca0b..8c48c33 100644 ') optional_policy(` ++ modutils_list_module_config(ncftool_t) modutils_read_module_config(ncftool_t) - modutils_run_insmod(ncftool_t, ncftool_roles) + modutils_domtrans_insmod(ncftool_t) @@ -38034,16 +38072,17 @@ index 4cffb07..3436696 100644 allow podsleuth_t self:unix_stream_socket create_stream_socket_perms; allow podsleuth_t self:sem create_sem_perms; diff --git a/policykit.fc b/policykit.fc -index 63d0061..c65d18f 100644 +index 63d0061..4718a93 100644 --- a/policykit.fc 
+++ b/policykit.fc -@@ -1,16 +1,18 @@ +@@ -1,16 +1,20 @@ /usr/lib/policykit/polkit-read-auth-helper -- gen_context(system_u:object_r:policykit_auth_exec_t,s0) -/usr/lib/policykit/polkit-grant-helper.* -- gen_context(system_u:object_r:policykit_grant_exec_t,s0) +/usr/lib/policykit/polkit-grant-helper.* -- gen_context(system_u:object_r:policykit_grant_exec_t,s0) /usr/lib/policykit/polkit-resolve-exe-helper.* -- gen_context(system_u:object_r:policykit_resolve_exec_t,s0) /usr/lib/policykit/polkitd -- gen_context(system_u:object_r:policykit_exec_t,s0) -/usr/lib/policykit-1/polkitd -- gen_context(system_u:object_r:policykit_exec_t,s0) ++/usr/lib/polkit-1/polkitd -- gen_context(system_u:object_r:policykit_exec_t,s0) /usr/libexec/polkit-read-auth-helper -- gen_context(system_u:object_r:policykit_auth_exec_t,s0) /usr/libexec/polkit-grant-helper.* -- gen_context(system_u:object_r:policykit_grant_exec_t,s0) @@ -38051,11 +38090,12 @@ index 63d0061..c65d18f 100644 -/usr/libexec/polkitd -- gen_context(system_u:object_r:policykit_exec_t,s0) +/usr/libexec/polkitd.* -- gen_context(system_u:object_r:policykit_exec_t,s0) +/usr/libexec/polkit-1/polkit-agent-helper-1 -- gen_context(system_u:object_r:policykit_auth_exec_t,s0) ++/usr/lib/polkit-1/polkit-agent-helper-1 -- gen_context(system_u:object_r:policykit_auth_exec_t,s0) +/usr/libexec/polkit-1/polkitd.* -- gen_context(system_u:object_r:policykit_exec_t,s0) /var/lib/misc/PolicyKit.reload gen_context(system_u:object_r:policykit_reload_t,s0) /var/lib/PolicyKit(/.*)? gen_context(system_u:object_r:policykit_var_lib_t,s0) -+/var/lib/polkit-1(/.*)? gen_context(system_u:object_r:policykit_var_lib_t,s0) ++/var/lib/polkit-1(/.*)? gen_context(system_u:object_r:policykit_var_lib_t,s0) /var/lib/PolicyKit-public(/.*)? gen_context(system_u:object_r:policykit_var_lib_t,s0) /var/run/PolicyKit(/.*)? gen_context(system_u:object_r:policykit_var_run_t,s0) 
@@ -38203,7 +38243,7 @@ index 48ff1e8..be00a65 100644 + allow $1 policykit_auth_t:process signal; ') diff --git a/policykit.te b/policykit.te -index 44db896..67a2c44 100644 +index 44db896..11800bb 100644 --- a/policykit.te +++ b/policykit.te @@ -1,51 +1,73 @@ @@ -38293,7 +38333,7 @@ index 44db896..67a2c44 100644 rw_files_pattern(policykit_t, policykit_reload_t, policykit_reload_t) policykit_domtrans_resolve(policykit_t) -@@ -56,56 +78,107 @@ manage_dirs_pattern(policykit_t, policykit_var_run_t, policykit_var_run_t) +@@ -56,56 +78,111 @@ manage_dirs_pattern(policykit_t, policykit_var_run_t, policykit_var_run_t) manage_files_pattern(policykit_t, policykit_var_run_t, policykit_var_run_t) files_pid_filetrans(policykit_t, policykit_var_run_t, { file dir }) @@ -38337,6 +38377,10 @@ index 44db896..67a2c44 100644 +') + +optional_policy(` ++ kerberos_manage_host_rcache(policykit_t) ++') ++ ++optional_policy(` + gnome_read_config(policykit_t) +') + @@ -38413,10 +38457,14 @@ index 44db896..67a2c44 100644 dbus_session_bus_client(policykit_auth_t) optional_policy(` -@@ -118,14 +191,21 @@ optional_policy(` +@@ -118,14 +195,25 @@ optional_policy(` hal_read_state(policykit_auth_t) ') ++optional_policy(` ++ kerberos_manage_host_rcache(policykit_auth_t) ++') ++ +optional_policy(` + xserver_stream_connect(policykit_auth_t) + xserver_xdm_append_log(policykit_auth_t) @@ -38437,7 +38485,7 @@ index 44db896..67a2c44 100644 allow policykit_grant_t self:unix_dgram_socket create_socket_perms; allow policykit_grant_t self:unix_stream_socket create_stream_socket_perms; -@@ -145,19 +225,18 @@ manage_files_pattern(policykit_grant_t, policykit_var_lib_t, policykit_var_lib_t +@@ -145,19 +233,18 @@ manage_files_pattern(policykit_grant_t, policykit_var_lib_t, policykit_var_lib_t files_read_etc_files(policykit_grant_t) files_read_usr_files(policykit_grant_t) 
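Review bot: `kerberos_manage_host_rcache` is granted to both `policykit_t` and `policykit_auth_t` in these hunks, but the changelog only says policykit-auth needs to manage Kerberos files; the host replay cache is what GSSAPI acceptors use to reject replayed tickets, so write and delete access to it should be limited to the domain that actually runs the PAM stack (polkit-agent-helper-1 is labelled `policykit_auth_exec_t` in the .fc change above). If the daemon denial was real, say so; otherwise drop the `policykit_t` block and keep the one for `policykit_auth_t`. A comment such as `# PAM in the agent helper presumably verifies the TGT against the host keytab and touches the rcache -- confirm` would document the reason either way.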
@@ -38462,7 +38510,7 @@ index 44db896..67a2c44 100644 consolekit_dbus_chat(policykit_grant_t) ') ') -@@ -167,9 +246,8 @@ optional_policy(` +@@ -167,9 +254,8 @@ optional_policy(` # polkit_resolve local policy # @@ -38474,7 +38522,7 @@ index 44db896..67a2c44 100644 allow policykit_resolve_t self:unix_dgram_socket create_socket_perms; allow policykit_resolve_t self:unix_stream_socket create_stream_socket_perms; -@@ -185,14 +263,8 @@ corecmd_search_bin(policykit_resolve_t) +@@ -185,14 +271,8 @@ corecmd_search_bin(policykit_resolve_t) files_read_etc_files(policykit_resolve_t) files_read_usr_files(policykit_resolve_t) @@ -38489,7 +38537,7 @@ index 44db896..67a2c44 100644 userdom_read_all_users_state(policykit_resolve_t) optional_policy(` -@@ -207,4 +279,3 @@ optional_policy(` +@@ -207,4 +287,3 @@ optional_policy(` kernel_search_proc(policykit_resolve_t) hal_read_state(policykit_resolve_t) ') @@ -44832,7 +44880,7 @@ index 7dc38d1..808f9c6 100644 + admin_pattern($1, rgmanager_var_run_t) +') diff --git a/rgmanager.te b/rgmanager.te -index 07333db..53bff36 100644 +index 07333db..91ef567 100644 --- a/rgmanager.te +++ b/rgmanager.te @@ -14,9 +14,11 @@ gen_tunable(rgmanager_can_network_connect, false) @@ -44882,7 +44930,7 @@ index 07333db..53bff36 100644 # need to write to /dev/misc/dlm-control dev_rw_dlm_control(rgmanager_t) -@@ -76,31 +78,36 @@ dev_search_sysfs(rgmanager_t) +@@ -76,31 +78,37 @@ dev_search_sysfs(rgmanager_t) domain_read_all_domains_state(rgmanager_t) domain_getattr_all_domains(rgmanager_t) @@ -44914,6 +44962,7 @@ index 07333db..53bff36 100644 auth_use_nsswitch(rgmanager_t) +init_domtrans_script(rgmanager_t) ++init_initrc_domain(rgmanager_t) + logging_send_syslog_msg(rgmanager_t) @@ -44924,7 +44973,7 @@ index 07333db..53bff36 100644 tunable_policy(`rgmanager_can_network_connect',` corenet_tcp_connect_all_ports(rgmanager_t) -@@ -118,6 +125,14 @@ optional_policy(` +@@ -118,6 +126,14 @@ optional_policy(` ') optional_policy(` 
@@ -44939,7 +44988,7 @@ index 07333db..53bff36 100644 fstools_domtrans(rgmanager_t) ') -@@ -140,6 +155,16 @@ optional_policy(` +@@ -140,6 +156,16 @@ optional_policy(` ') optional_policy(` @@ -44956,7 +45005,7 @@ index 07333db..53bff36 100644 mysql_domtrans_mysql_safe(rgmanager_t) mysql_stream_connect(rgmanager_t) ') -@@ -165,6 +190,8 @@ optional_policy(` +@@ -165,6 +191,8 @@ optional_policy(` optional_policy(` rpc_initrc_domtrans_nfsd(rgmanager_t) rpc_initrc_domtrans_rpcd(rgmanager_t) @@ -47948,19 +47997,20 @@ index a07b2f4..36b4903 100644 + +userdom_getattr_user_terminals(rwho_t) diff --git a/samba.fc b/samba.fc -index 69a6074..3d65472 100644 +index 69a6074..c9dbc93 100644 --- a/samba.fc +++ b/samba.fc -@@ -14,6 +14,8 @@ +@@ -14,6 +14,9 @@ # # /usr # +/usr/lib/systemd/system/smb.* -- gen_context(system_u:object_r:samba_unit_file_t,s0) ++/usr/lib/systemd/system/nmb.* -- gen_context(system_u:object_r:samba_unit_file_t,s0) + /usr/bin/net -- gen_context(system_u:object_r:samba_net_exec_t,s0) /usr/bin/ntlm_auth -- gen_context(system_u:object_r:winbind_helper_exec_t,s0) /usr/bin/smbcontrol -- gen_context(system_u:object_r:smbcontrol_exec_t,s0) -@@ -36,6 +38,10 @@ +@@ -36,6 +39,10 @@ /var/log/samba(/.*)? gen_context(system_u:object_r:samba_log_t,s0) @@ -47971,7 +48021,7 @@ index 69a6074..3d65472 100644 /var/run/samba/brlock\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0) /var/run/samba/connections\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0) /var/run/samba/gencache\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0) -@@ -48,6 +54,11 @@ +@@ -48,6 +55,11 @@ /var/run/samba/smbd\.pid -- gen_context(system_u:object_r:smbd_var_run_t,s0) /var/run/samba/unexpected\.tdb -- gen_context(system_u:object_r:nmbd_var_run_t,s0) @@ -54328,7 +54378,7 @@ index 0000000..9127cec +') diff --git a/thumb.te b/thumb.te new file mode 100644 -index 0000000..a0d188c +index 0000000..7eea9cd --- /dev/null +++ b/thumb.te @@ -0,0 +1,105 @@ 
@@ -54435,7 +54485,7 @@ index 0000000..a0d188c + gnome_read_generic_data_home_files(thumb_t) + gnome_manage_gstreamer_home_files(thumb_t) + gnome_manage_gstreamer_home_dirs(thumb_t) -+ #gnome_exec_gstreamer_home_files(thumb_t) ++ gnome_exec_gstreamer_home_files(thumb_t) +') diff --git a/thunderbird.te b/thunderbird.te index bf37d98..204ac7e 100644 @@ -54764,7 +54814,7 @@ index 54b8605..a04f013 100644 admin_pattern($1, tuned_var_run_t) ') diff --git a/tuned.te b/tuned.te -index db9d2a5..da20967 100644 +index db9d2a5..c7b09c0 100644 --- a/tuned.te +++ b/tuned.te @@ -12,6 +12,12 @@ init_daemon_domain(tuned_t, tuned_exec_t) @@ -54780,7 +54830,7 @@ index db9d2a5..da20967 100644 type tuned_log_t; logging_log_file(tuned_log_t) -@@ -23,23 +29,38 @@ files_pid_file(tuned_var_run_t) +@@ -23,23 +29,39 @@ files_pid_file(tuned_var_run_t) # tuned local policy # @@ -54809,10 +54859,12 @@ index db9d2a5..da20967 100644 kernel_read_system_state(tuned_t) kernel_read_network_state(tuned_t) +- +kernel_read_kernel_sysctls(tuned_t) ++kernel_rw_kernel_sysctl(tuned_t) +kernel_rw_hotplug_sysctls(tuned_t) +kernel_rw_vm_sysctls(tuned_t) - ++ +dev_getattr_all_blk_files(tuned_t) +dev_getattr_all_chr_files(tuned_t) +dev_dontaudit_getattr_all(tuned_t) @@ -54822,7 +54874,7 @@ index db9d2a5..da20967 100644 # to allow cpu tuning dev_rw_netcontrol(tuned_t) -@@ -47,6 +68,10 @@ files_read_etc_files(tuned_t) +@@ -47,6 +69,10 @@ files_read_etc_files(tuned_t) files_read_usr_files(tuned_t) files_dontaudit_search_home(tuned_t) @@ -54833,7 +54885,7 @@ index db9d2a5..da20967 100644 logging_send_syslog_msg(tuned_t) miscfiles_read_localization(tuned_t) -@@ -58,6 +83,14 @@ optional_policy(` +@@ -58,6 +84,14 @@ optional_policy(` fstools_domtrans(tuned_t) ') @@ -56560,7 +56612,7 @@ index 7c5d8d8..85b7d8b 100644 + files_pid_filetrans($1, virt_lxc_var_run_t, dir, "libvirt-sandbox") ') diff --git a/virt.te b/virt.te -index ad3068a..6713ab0 100644 +index ad3068a..5759ef5 100644 --- a/virt.te +++ b/virt.te 
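Review bot: Uncommenting `gnome_exec_gstreamer_home_files(thumb_t)` gives the thumbnailer domain, which exists to contain code that parses untrusted media, execute permission on home content that the same block already lets it write (`gnome_manage_gstreamer_home_files(thumb_t)`), so a parser exploit can drop a file and run it inside thumb_t. The commit message does not mention thumb, so the denial that motivated this is not visible; if it came from a gstreamer registry helper, a comment naming it and, ideally, a tunable gating the line would keep the sandbox property explicit. Leaving the line commented out, as it was, is the safer default until the need is confirmed.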
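Review bot: `kernel_rw_kernel_sysctl(tuned_t)` grants write access to the whole generic kernel sysctl tree, which includes `kernel.modprobe`, `kernel.core_pattern` and similar knobs that turn a compromise of the tuned daemon into unconfined root code execution, whereas the adjacent `kernel_rw_hotplug_sysctls` and `kernel_rw_vm_sysctls` are scoped to one subtree each. If the profiles only touch a handful of entries (scheduler or printk tuning, for instance), a narrower interface or a dedicated type would keep the privilege auditable; at minimum add `# tuned profiles write /proc/sys/kernel/*; this is broad, narrow it if a dedicated type appears` so the grant is revisited.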
@@ -5,56 +5,87 @@ policy_module(virt, 1.4.2) @@ -57154,7 +57206,7 @@ index ad3068a..6713ab0 100644 files_read_usr_files(virt_domain) files_read_var_files(virt_domain) files_search_all(virt_domain) -@@ -449,25 +657,428 @@ files_search_all(virt_domain) +@@ -449,25 +657,430 @@ files_search_all(virt_domain) fs_getattr_tmpfs(virt_domain) fs_rw_anon_inodefs_files(virt_domain) fs_rw_tmpfs_files(virt_domain) @@ -57257,6 +57309,8 @@ index ad3068a..6713ab0 100644 +init_rw_script_stream_sockets(virsh_t) +init_use_fds(virsh_t) + ++auth_read_passwd(virsh_t) ++ +miscfiles_read_localization(virsh_t) + +sysnet_dns_name_resolve(virsh_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index fbd69a52..39f79857 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.11.0 -Release: 2%{?dist} +Release: 3%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -491,6 +491,22 @@ SELinux Reference policy mls base module. %endif %changelog +* Tue Jun 12 2012 Miroslav Grepl 3.11.0-3 +- PolicyKit path has changed +- Allow httpd connect to dirsrv socket +- Allow tuned to write generic kernel sysctls +- Dontaudit logwatch to gettr on /dev/dm-2 +- Allow policykit-auth to manage kerberos files +- Make condor_startd and rgmanager as initrc domain +- Allow virsh to read /etc/passwd +- Allow mount to mount on user_tmp_t for /run/user/dwalsh/gvfs +- xdm now needs to execute xsession_exec_t +- Need labels for /var/lib/gdm +- Fix files_filetrans_named_content() interface +- Add new attribute - initrc_domain +- Allow systemd_logind_t to signal, signull, sigkill all processes +- Add filetrans rules for etc_runtime files + * Sat Jun 9 2012 Miroslav Grepl 3.11.0-2 - Rename boolean names to remove allow_ From bfc280fd5bbab091e3fb0601d624105dc1efc2d9 Mon Sep 17 00:00:00 2001 
From: Miroslav Grepl Date: Fri, 15 Jun 2012 10:43:55 +0200 Subject: [PATCH 2/3] - Add support for ecryptfs * ecryptfs does not support xattr * we need labeling for HOMEDIR - Add policy for (u)mount.ecryptfs* - Fix labeling of kerbero host cache files, allow rpc.svcgssd to manage - Allow dovecot to manage Maildir content, fix transitions to Maildir - Allow postfix_local to transition to dovecot_deliver - Dontaudit attempts to setattr on xdm_tmp_t, looks like bogus code - Cleanup interface definitions - Allow apmd to change with the logind daemon - Changes required for sanlock in rhel6 - Label /run/user/apache as httpd_tmp_t - Allow thumb to use lib_t as execmod if boolean turned on - Allow squid to create the squid directory in /var with the correct la - Add a new policy for glusterd from Bryan Bickford (bbickfor@redhat.co - Allow virtd to exec xend_exec_t without transition - Allow virtd_lxc_t to unmount all file systems --- modules-targeted.conf | 7 + policy-rawhide.patch | 718 +++++++++++++++++------ policy_contrib-rawhide.patch | 1055 ++++++++++++++++++++++++---------- selinux-policy.spec | 21 +- 4 files changed, 1303 insertions(+), 498 deletions(-) diff --git a/modules-targeted.conf b/modules-targeted.conf index a2c7c8ce..9c8cbc02 100644 --- a/modules-targeted.conf +++ b/modules-targeted.conf @@ -2556,3 +2556,10 @@ svnserve = module # policy for man2html apps # man2html = module + +# Layer: contrib +# Module: glusterd +# +# policy for glusterd service +# +glusterd = module diff --git a/policy-rawhide.patch b/policy-rawhide.patch index 8fb05e80..1bcf4e22 100644 --- a/policy-rawhide.patch +++ b/policy-rawhide.patch @@ -58218,7 +58218,7 @@ index 66e85ea..d02654d 100644 ## user domains. ##

diff --git a/policy/global_tunables b/policy/global_tunables -index 4705ab6..cc2b436 100644 +index 4705ab6..8ba19a0 100644 --- a/policy/global_tunables +++ b/policy/global_tunables @@ -6,52 +6,59 @@ @@ -58307,10 +58307,17 @@ index 4705ab6..cc2b436 100644 ## Allow any files/directories to be exported read/write via NFS. ##

## -@@ -105,9 +103,17 @@ gen_tunable(use_samba_home_dirs,false) +@@ -105,9 +103,24 @@ gen_tunable(use_samba_home_dirs,false) ## ##

++## Support ecryptfs home directories ++##

++##
++gen_tunable(use_ecryptfs_home_dirs,false) ++ ++## ++##

+## Support fusefs home directories +##

+##
@@ -58422,10 +58429,10 @@ index f477c7f..d80599b 100644 + ') dnl end enable_mcs diff --git a/policy/modules/admin/bootloader.fc b/policy/modules/admin/bootloader.fc -index 7a6f06f..530d2df 100644 +index 7a6f06f..48fc840 100644 --- a/policy/modules/admin/bootloader.fc +++ b/policy/modules/admin/bootloader.fc -@@ -1,9 +1,14 @@ +@@ -1,9 +1,16 @@ - +/etc/default/grub -- gen_context(system_u:object_r:bootloader_etc_t,s0) /etc/lilo\.conf.* -- gen_context(system_u:object_r:bootloader_etc_t,s0) @@ -58437,6 +58444,8 @@ index 7a6f06f..530d2df 100644 /sbin/lilo.* -- gen_context(system_u:object_r:bootloader_exec_t,s0) /sbin/ybin.* -- gen_context(system_u:object_r:bootloader_exec_t,s0) +/sbin/zipl -- gen_context(system_u:object_r:bootloader_exec_t,s0) ++ ++/var/run/blkid(/.*)? gen_context(system_u:object_r:bootloader_var_run_t,s0) -/usr/sbin/grub -- gen_context(system_u:object_r:bootloader_exec_t,s0) +/usr/sbin/grub.* -- gen_context(system_u:object_r:bootloader_exec_t,s0) @@ -58529,7 +58538,7 @@ index a778bb1..5e914db 100644 + files_etc_filetrans($1,bootloader_etc_t,file, "yaboot.conf") +') diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te -index ab0439a..e717a21 100644 +index ab0439a..4104b53 100644 --- a/policy/modules/admin/bootloader.te +++ b/policy/modules/admin/bootloader.te @@ -5,8 +5,8 @@ policy_module(bootloader, 1.13.0) @@ -58543,13 +58552,16 @@ index ab0439a..e717a21 100644 # # boot_runtime_t is the type for /boot/kernel.h, -@@ -19,14 +19,15 @@ files_type(boot_runtime_t) +@@ -19,14 +19,18 @@ files_type(boot_runtime_t) type bootloader_t; type bootloader_exec_t; application_domain(bootloader_t, bootloader_exec_t) -role bootloader_roles types bootloader_t; +#role bootloader_roles types bootloader_t; +role system_r types bootloader_t; ++ ++type bootloader_var_run_t; ++files_pid_file(bootloader_var_run_t) # # bootloader_etc_t is the configuration file, 
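Review bot: `/var/run/blkid(/.*)? gen_context(system_u:object_r:bootloader_var_run_t,s0)` gives the blkid cache directory a type private to bootloader_t, yet the cache is presumably also written by other domains that run blkid (the `# for blkid.tab` comment over `files_manage_etc_runtime_files(bootloader_t)` further down this page shows it was previously treated as an etc_runtime file shared through that interface). Unless those callers are given access to bootloader_var_run_t, their writes under /run/blkid will be denied once the cache moves there. Either confirm that only bootloader_t touches this path on the targeted distributions or label it with a type other domains can reach through an existing interface.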
@@ -58561,7 +58573,7 @@ index ab0439a..e717a21 100644 # # The temp file is used for initrd creation; -@@ -41,7 +42,7 @@ dev_node(bootloader_tmp_t) +@@ -41,7 +45,7 @@ dev_node(bootloader_tmp_t) # bootloader local policy # @@ -58570,7 +58582,18 @@ index ab0439a..e717a21 100644 allow bootloader_t self:process { signal_perms execmem }; allow bootloader_t self:fifo_file rw_fifo_file_perms; -@@ -81,6 +82,7 @@ dev_rw_nvram(bootloader_t) +@@ -59,6 +63,10 @@ files_tmp_filetrans(bootloader_t, bootloader_tmp_t, { dir file lnk_file chr_file + # for tune2fs (cjp: ?) + files_root_filetrans(bootloader_t, bootloader_tmp_t, file) + ++manage_dirs_pattern(bootloader_t, bootloader_var_run_t, bootloader_var_run_t) ++manage_files_pattern(bootloader_t, bootloader_var_run_t, bootloader_var_run_t) ++files_pid_filetrans(bootloader_t, bootloader_var_run_t, {dir file }) ++ + kernel_getattr_core_if(bootloader_t) + kernel_read_network_state(bootloader_t) + kernel_read_system_state(bootloader_t) +@@ -81,6 +89,7 @@ dev_rw_nvram(bootloader_t) fs_getattr_xattr_fs(bootloader_t) fs_getattr_tmpfs(bootloader_t) @@ -58578,7 +58601,7 @@ index ab0439a..e717a21 100644 fs_read_tmpfs_symlinks(bootloader_t) #Needed for ia64 fs_manage_dos_files(bootloader_t) -@@ -89,6 +91,7 @@ mls_file_read_all_levels(bootloader_t) +@@ -89,6 +98,7 @@ mls_file_read_all_levels(bootloader_t) mls_file_write_all_levels(bootloader_t) term_getattr_all_ttys(bootloader_t) @@ -58586,7 +58609,7 @@ index ab0439a..e717a21 100644 term_dontaudit_manage_pty_dirs(bootloader_t) corecmd_exec_all_executables(bootloader_t) -@@ -98,12 +101,14 @@ domain_use_interactive_fds(bootloader_t) +@@ -98,12 +108,14 @@ domain_use_interactive_fds(bootloader_t) files_create_boot_dirs(bootloader_t) files_manage_boot_files(bootloader_t) files_manage_boot_symlinks(bootloader_t) 
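Review bot: `files_pid_filetrans(bootloader_t, bootloader_var_run_t, {dir file })` writes the class set with uneven brace spacing; the surrounding file and the refpolicy convention visible elsewhere on this page spell it `{ dir file }`, so the line should read `files_pid_filetrans(bootloader_t, bootloader_var_run_t, { dir file })`. The two `manage_*_pattern` lines above it also lack a short comment saying what is created under /run, e.g. `# blkid cache under /run/blkid`, which would tie them to the new fc entry.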
@@ -58601,7 +58624,7 @@ index ab0439a..e717a21 100644 # for nscd files_dontaudit_search_pids(bootloader_t) # for blkid.tab -@@ -111,6 +116,7 @@ files_manage_etc_runtime_files(bootloader_t) +@@ -111,6 +123,7 @@ files_manage_etc_runtime_files(bootloader_t) files_etc_filetrans_etc_runtime(bootloader_t, file) files_dontaudit_search_home(bootloader_t) @@ -58609,7 +58632,7 @@ index ab0439a..e717a21 100644 init_getattr_initctl(bootloader_t) init_use_script_ptys(bootloader_t) init_use_script_fds(bootloader_t) -@@ -118,8 +124,10 @@ init_rw_script_pipes(bootloader_t) +@@ -118,8 +131,10 @@ init_rw_script_pipes(bootloader_t) libs_read_lib_files(bootloader_t) libs_exec_lib_files(bootloader_t) @@ -58621,7 +58644,7 @@ index ab0439a..e717a21 100644 logging_rw_generic_logs(bootloader_t) miscfiles_read_localization(bootloader_t) -@@ -130,7 +138,8 @@ seutil_read_bin_policy(bootloader_t) +@@ -130,7 +145,8 @@ seutil_read_bin_policy(bootloader_t) seutil_read_loadpolicy(bootloader_t) seutil_dontaudit_search_config(bootloader_t) @@ -58631,7 +58654,7 @@ index ab0439a..e717a21 100644 userdom_dontaudit_search_user_home_dirs(bootloader_t) ifdef(`distro_debian',` -@@ -166,7 +175,8 @@ ifdef(`distro_redhat',` +@@ -166,7 +182,8 @@ ifdef(`distro_redhat',` files_manage_isid_type_chr_files(bootloader_t) # for mke2fs @@ -58641,7 +58664,7 @@ index ab0439a..e717a21 100644 optional_policy(` unconfined_domain(bootloader_t) -@@ -174,6 +184,10 @@ ifdef(`distro_redhat',` +@@ -174,6 +191,10 @@ ifdef(`distro_redhat',` ') optional_policy(` @@ -58652,7 +58675,7 @@ index ab0439a..e717a21 100644 fstools_exec(bootloader_t) ') -@@ -183,6 +197,10 @@ optional_policy(` +@@ -183,6 +204,10 @@ optional_policy(` ') optional_policy(` @@ -58663,7 +58686,7 @@ index ab0439a..e717a21 100644 kudzu_domtrans(bootloader_t) ') -@@ -195,15 +213,13 @@ optional_policy(` +@@ -195,15 +220,13 @@ optional_policy(` optional_policy(` modutils_exec_insmod(bootloader_t) 
@@ -66453,10 +66476,18 @@ index 1ce8aa0..24dfed0 100644 allow files_unconfined_type file_type:file execmod; ') diff --git a/policy/modules/kernel/filesystem.fc b/policy/modules/kernel/filesystem.fc -index cda5588..e89e4bf 100644 +index cda5588..91d1e25 100644 --- a/policy/modules/kernel/filesystem.fc +++ b/policy/modules/kernel/filesystem.fc -@@ -14,3 +14,8 @@ +@@ -1,3 +1,7 @@ ++# ecryptfs does not support xattr ++HOME_DIR/\.ecryptfs(/.*)? gen_context(system_u:object_r:ecryptfs_t,s0) ++HOME_DIR/\.Private(/.*)? gen_context(system_u:object_r:ecryptfs_t,s0) ++ + /cgroup -d gen_context(system_u:object_r:cgroup_t,s0) + /cgroup/.* <> + +@@ -14,3 +18,8 @@ # for systemd systems: /sys/fs/cgroup -d gen_context(system_u:object_r:cgroup_t,s0) /sys/fs/cgroup/.* <> @@ -66466,7 +66497,7 @@ index cda5588..e89e4bf 100644 +/usr/lib/udev/devices/shm -d gen_context(system_u:object_r:tmpfs_t,s0) +/usr/lib/udev/devices/shm/.* <> diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if -index 7c6b791..6d3f720 100644 +index 7c6b791..242bce2 100644 --- a/policy/modules/kernel/filesystem.if +++ b/policy/modules/kernel/filesystem.if @@ -631,6 +631,27 @@ interface(`fs_getattr_cgroup',` @@ -66592,15 +66623,17 @@ index 7c6b791..6d3f720 100644 dev_search_sysfs($1) ') -@@ -763,6 +829,7 @@ interface(`fs_rw_cgroup_files',` +@@ -762,7 +828,9 @@ interface(`fs_rw_cgroup_files',` + ') ++ read_lnk_files_pattern($1, cgroup_t, cgroup_t) rw_files_pattern($1, cgroup_t, cgroup_t) + fs_search_tmpfs($1) dev_search_sysfs($1) ') -@@ -803,6 +870,8 @@ interface(`fs_manage_cgroup_files',` +@@ -803,6 +871,8 @@ interface(`fs_manage_cgroup_files',` ') manage_files_pattern($1, cgroup_t, cgroup_t) @@ -66609,7 +66642,7 @@ index 7c6b791..6d3f720 100644 dev_search_sysfs($1) ') -@@ -1107,6 +1176,24 @@ interface(`fs_read_noxattr_fs_files',` +@@ -1107,6 +1177,24 @@ interface(`fs_read_noxattr_fs_files',` ######################################## ## 
@@ -66634,7 +66667,7 @@ index 7c6b791..6d3f720 100644 ## Do not audit attempts to read all ## noxattrfs files. ## -@@ -1245,7 +1332,7 @@ interface(`fs_append_cifs_files',` +@@ -1245,7 +1333,7 @@ interface(`fs_append_cifs_files',` ######################################## ## @@ -66643,7 +66676,7 @@ index 7c6b791..6d3f720 100644 ## on a CIFS filesystem. ## ## -@@ -1265,6 +1352,42 @@ interface(`fs_dontaudit_append_cifs_files',` +@@ -1265,6 +1353,42 @@ interface(`fs_dontaudit_append_cifs_files',` ######################################## ## @@ -66686,7 +66719,7 @@ index 7c6b791..6d3f720 100644 ## Do not audit attempts to read or ## write files on a CIFS or SMB filesystem. ## -@@ -1279,7 +1402,7 @@ interface(`fs_dontaudit_rw_cifs_files',` +@@ -1279,7 +1403,7 @@ interface(`fs_dontaudit_rw_cifs_files',` type cifs_t; ') @@ -66695,7 +66728,7 @@ index 7c6b791..6d3f720 100644 ') ######################################## -@@ -1542,6 +1665,25 @@ interface(`fs_cifs_domtrans',` +@@ -1542,6 +1666,25 @@ interface(`fs_cifs_domtrans',` domain_auto_transition_pattern($1, cifs_t, $2) ') @@ -66721,7 +66754,7 @@ index 7c6b791..6d3f720 100644 ####################################### ## ## Create, read, write, and delete dirs -@@ -1582,6 +1724,24 @@ interface(`fs_manage_configfs_files',` +@@ -1582,6 +1725,24 @@ interface(`fs_manage_configfs_files',` ######################################## ## @@ -66746,7 +66779,7 @@ index 7c6b791..6d3f720 100644 ## Mount a DOS filesystem, such as ## FAT32 or NTFS. ## -@@ -1679,6 +1839,25 @@ interface(`fs_relabelfrom_dos_fs',` +@@ -1679,6 +1840,25 @@ interface(`fs_relabelfrom_dos_fs',` ######################################## ## 
@@ -66772,10 +66805,132 @@ index 7c6b791..6d3f720 100644 ## Search dosfs filesystem. ## ## -@@ -2025,6 +2204,68 @@ interface(`fs_read_fusefs_symlinks',` +@@ -1793,6 +1973,188 @@ interface(`fs_read_eventpollfs',` + refpolicywarn(`$0($*) has been deprecated.') + ') - ######################################## - ## ++ ++####################################### ++## ++## Search directories ++## on a ecrypt filesystem. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`fs_search_ecryptfs',` ++ gen_require(` ++ type fusefs_t; ++ ') ++ ++ allow $1 ecryptfs_t:dir search_dir_perms; ++') ++ ++######################################## ++## ++## Create, read, write, and delete directories ++## on a FUSEFS filesystem. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`fs_manage_ecryptfs_dirs',` ++ gen_require(` ++ type ecryptfs_t; ++ ') ++ ++ manage_dirs_pattern($1, ecryptfs_t, ecryptfs_t) ++ allow $1 ecryptfs_t:dir manage_dir_perms; ++') ++ ++####################################### ++## ++## Create, read, write, and delete files ++## on a FUSEFS filesystem. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`fs_read_ecryptfs_files',` ++ gen_require(` ++ type ecryptfs_t; ++ ') ++ ++ read_files_pattern($1, ecryptfs_t, ecryptfs_t) ++') ++ ++######################################## ++## ++## Create, read, write, and delete files ++## on a FUSEFS filesystem. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`fs_manage_ecryptfs_files',` ++ gen_require(` ++ type ecryptfs_t; ++ ') ++ ++ manage_files_pattern($1, ecryptfs_t, ecryptfs_t) ++') ++ ++######################################## ++## ++## Do not audit attempts to create, ++## read, write, and delete files ++## on a FUSEFS filesystem. ++## ++## ++## ++## Domain to not audit. 
++## ++## ++# ++interface(`fs_dontaudit_manage_ecryptfs_files',` ++ gen_require(` ++ type ecryptfs_t; ++ ') ++ ++ dontaudit $1 ecryptfs_t:file manage_file_perms; ++') ++ ++######################################## ++## ++## Read symbolic links on a FUSEFS filesystem. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`fs_read_ecryptfs_symlinks',` ++ gen_require(` ++ type ecryptfs_t; ++ ') ++ ++ allow $1 ecryptfs_t:dir list_dir_perms; ++ read_lnk_files_pattern($1, ecryptfs_t, ecryptfs_t) ++') ++ ++######################################## ++## +## Manage symbolic links on a FUSEFS filesystem. +## +## @@ -66784,12 +66939,12 @@ index 7c6b791..6d3f720 100644 +## +## +# -+interface(`fs_manage_fusefs_symlinks',` ++interface(`fs_manage_ecryptfs_symlinks',` + gen_require(` + type fusefs_t; + ') + -+ manage_lnk_files_pattern($1, fusefs_t, fusefs_t) ++ manage_lnk_files_pattern($1, ecryptfs_t, ecryptfs_t) +') + +######################################## 
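Review bot: `fs_search_ecryptfs` and `fs_manage_ecryptfs_symlinks` declare `type fusefs_t;` in their gen_require blocks but their bodies reference `ecryptfs_t`, so a loadable module calling either will presumably fail to build with ecryptfs_t out of scope unless some other interface happens to require it; both blocks should read `type ecryptfs_t;`. The summaries of the new ecryptfs interfaces were copied from the FUSEFS ones and still say "on a FUSEFS filesystem", and `fs_read_ecryptfs_files` is summarised as "Create, read, write, and delete files" although it only grants read; each summary should name ecryptfs and the access it actually grants. In `fs_manage_ecryptfs_dirs` the line `allow $1 ecryptfs_t:dir manage_dir_perms;` duplicates what `manage_dirs_pattern($1, ecryptfs_t, ecryptfs_t)` already grants and can be dropped.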
@@ -66827,21 +66982,108 @@ index 7c6b791..6d3f720 100644 +## +## +# -+interface(`fs_fusefs_domtrans',` ++interface(`fs_ecryptfs_domtrans',` ++ gen_require(` ++ type ecryptfs_t; ++ ') ++ ++ allow $1 ecryptfs_t:dir search_dir_perms; ++ domain_auto_transition_pattern($1, ecryptfs_t, $2) ++') ++ + ######################################## + ## + ## Mount a FUSE filesystem. +@@ -2006,21 +2368,83 @@ interface(`fs_dontaudit_manage_fusefs_files',` + + ######################################## + ## +-## Read symbolic links on a FUSEFS filesystem. ++## Read symbolic links on a FUSEFS filesystem. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`fs_read_fusefs_symlinks',` + gen_require(` + type fusefs_t; + ') + -+ allow $1 fusefs_t:dir search_dir_perms; -+ domain_auto_transition_pattern($1, fusefs_t, $2) ++ allow $1 fusefs_t:dir list_dir_perms; ++ read_lnk_files_pattern($1, fusefs_t, fusefs_t) +') + +######################################## +## - ## Get the attributes of an hugetlbfs - ## filesystem. ++## Manage symbolic links on a FUSEFS filesystem. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`fs_manage_fusefs_symlinks',` ++ gen_require(` ++ type fusefs_t; ++ ') ++ ++ manage_lnk_files_pattern($1, fusefs_t, fusefs_t) ++') ++ ++######################################## ++## ++## Execute a file on a FUSE filesystem ++## in the specified domain. ## -@@ -2080,6 +2321,24 @@ interface(`fs_manage_hugetlbfs_dirs',` ++## ++##

++## Execute a file on a FUSE filesystem ++## in the specified domain. This allows ++## the specified domain to execute any file ++## on these filesystems in the specified ++## domain. This is not suggested. ++##

++##

++## No interprocess communication (signals, pipes, ++## etc.) is provided by this interface since ++## the domains are not owned by this module. ++##

++##

++## This interface was added to handle ++## home directories on FUSE filesystems, ++## in particular used by the ssh-agent policy. ++##

++##
+ ## + ## +-## Domain allowed access. ++## Domain allowed to transition. ++## ++## ++## ++## ++## The type of the new process. + ## + ## + # +-interface(`fs_read_fusefs_symlinks',` ++interface(`fs_fusefs_domtrans',` + gen_require(` + type fusefs_t; + ') + +- allow $1 fusefs_t:dir list_dir_perms; +- read_lnk_files_pattern($1, fusefs_t, fusefs_t) ++ allow $1 fusefs_t:dir search_dir_perms; ++ domain_auto_transition_pattern($1, fusefs_t, $2) + ') + + ######################################## +@@ -2080,6 +2504,24 @@ interface(`fs_manage_hugetlbfs_dirs',` ######################################## ## @@ -66866,7 +67108,7 @@ index 7c6b791..6d3f720 100644 ## Read and write hugetlbfs files. ## ## -@@ -2148,11 +2407,12 @@ interface(`fs_list_inotifyfs',` +@@ -2148,11 +2590,12 @@ interface(`fs_list_inotifyfs',` ') allow $1 inotifyfs_t:dir list_dir_perms; @@ -66880,7 +67122,7 @@ index 7c6b791..6d3f720 100644 ##
## ## -@@ -2485,6 +2745,7 @@ interface(`fs_read_nfs_files',` +@@ -2485,6 +2928,7 @@ interface(`fs_read_nfs_files',` type nfs_t; ') @@ -66888,7 +67130,7 @@ index 7c6b791..6d3f720 100644 allow $1 nfs_t:dir list_dir_perms; read_files_pattern($1, nfs_t, nfs_t) ') -@@ -2523,6 +2784,7 @@ interface(`fs_write_nfs_files',` +@@ -2523,6 +2967,7 @@ interface(`fs_write_nfs_files',` type nfs_t; ') @@ -66896,7 +67138,7 @@ index 7c6b791..6d3f720 100644 allow $1 nfs_t:dir list_dir_perms; write_files_pattern($1, nfs_t, nfs_t) ') -@@ -2549,6 +2811,25 @@ interface(`fs_exec_nfs_files',` +@@ -2549,6 +2994,25 @@ interface(`fs_exec_nfs_files',` ######################################## ## @@ -66922,7 +67164,7 @@ index 7c6b791..6d3f720 100644 ## Append files ## on a NFS filesystem. ## -@@ -2569,7 +2850,7 @@ interface(`fs_append_nfs_files',` +@@ -2569,7 +3033,7 @@ interface(`fs_append_nfs_files',` ######################################## ## @@ -66931,7 +67173,7 @@ index 7c6b791..6d3f720 100644 ## on a NFS filesystem. ## ## -@@ -2589,6 +2870,42 @@ interface(`fs_dontaudit_append_nfs_files',` +@@ -2589,6 +3053,42 @@ interface(`fs_dontaudit_append_nfs_files',` ######################################## ## @@ -66974,7 +67216,7 @@ index 7c6b791..6d3f720 100644 ## Do not audit attempts to read or ## write files on a NFS filesystem. ## -@@ -2603,7 +2920,7 @@ interface(`fs_dontaudit_rw_nfs_files',` +@@ -2603,7 +3103,7 @@ interface(`fs_dontaudit_rw_nfs_files',` type nfs_t; ') @@ -66983,7 +67225,7 @@ index 7c6b791..6d3f720 100644 ') ######################################## -@@ -2627,7 +2944,7 @@ interface(`fs_read_nfs_symlinks',` +@@ -2627,7 +3127,7 @@ interface(`fs_read_nfs_symlinks',` ######################################## ## @@ -66992,7 +67234,7 @@ index 7c6b791..6d3f720 100644 ## ## ## -@@ -2741,7 +3058,7 @@ interface(`fs_search_removable',` +@@ -2741,7 +3241,7 @@ interface(`fs_search_removable',` ## ## ## 
@@ -67001,7 +67243,7 @@ index 7c6b791..6d3f720 100644 ## ## # -@@ -2777,7 +3094,7 @@ interface(`fs_read_removable_files',` +@@ -2777,7 +3277,7 @@ interface(`fs_read_removable_files',` ## ## ## @@ -67010,7 +67252,7 @@ index 7c6b791..6d3f720 100644 ## ## # -@@ -2970,6 +3287,7 @@ interface(`fs_manage_nfs_dirs',` +@@ -2970,6 +3470,7 @@ interface(`fs_manage_nfs_dirs',` type nfs_t; ') @@ -67018,7 +67260,7 @@ index 7c6b791..6d3f720 100644 allow $1 nfs_t:dir manage_dir_perms; ') -@@ -3010,6 +3328,7 @@ interface(`fs_manage_nfs_files',` +@@ -3010,6 +3511,7 @@ interface(`fs_manage_nfs_files',` type nfs_t; ') @@ -67026,7 +67268,7 @@ index 7c6b791..6d3f720 100644 manage_files_pattern($1, nfs_t, nfs_t) ') -@@ -3050,6 +3369,7 @@ interface(`fs_manage_nfs_symlinks',` +@@ -3050,6 +3552,7 @@ interface(`fs_manage_nfs_symlinks',` type nfs_t; ') @@ -67034,7 +67276,7 @@ index 7c6b791..6d3f720 100644 manage_lnk_files_pattern($1, nfs_t, nfs_t) ') -@@ -3263,6 +3583,24 @@ interface(`fs_getattr_nfsd_files',` +@@ -3263,6 +3766,24 @@ interface(`fs_getattr_nfsd_files',` getattr_files_pattern($1, nfsd_fs_t, nfsd_fs_t) ') @@ -67059,7 +67301,7 @@ index 7c6b791..6d3f720 100644 ######################################## ## ## Read and write NFS server files. -@@ -3283,6 +3621,24 @@ interface(`fs_rw_nfsd_fs',` +@@ -3283,6 +3804,24 @@ interface(`fs_rw_nfsd_fs',` ######################################## ## @@ -67084,7 +67326,7 @@ index 7c6b791..6d3f720 100644 ## Allow the type to associate to ramfs filesystems. ## ## -@@ -3392,7 +3748,7 @@ interface(`fs_search_ramfs',` +@@ -3392,7 +3931,7 @@ interface(`fs_search_ramfs',` ######################################## ## @@ -67093,7 +67335,7 @@ index 7c6b791..6d3f720 100644 ## ## ## -@@ -3429,7 +3785,7 @@ interface(`fs_manage_ramfs_dirs',` +@@ -3429,7 +3968,7 @@ interface(`fs_manage_ramfs_dirs',` ######################################## ## 
@@ -67102,7 +67344,7 @@ index 7c6b791..6d3f720 100644 ## ## ## -@@ -3447,7 +3803,7 @@ interface(`fs_dontaudit_read_ramfs_files',` +@@ -3447,7 +3986,7 @@ interface(`fs_dontaudit_read_ramfs_files',` ######################################## ## @@ -67111,7 +67353,7 @@ index 7c6b791..6d3f720 100644 ## ## ## -@@ -3815,6 +4171,24 @@ interface(`fs_unmount_tmpfs',` +@@ -3815,6 +4354,24 @@ interface(`fs_unmount_tmpfs',` ######################################## ## @@ -67136,7 +67378,7 @@ index 7c6b791..6d3f720 100644 ## Get the attributes of a tmpfs ## filesystem. ## -@@ -3963,6 +4337,42 @@ interface(`fs_dontaudit_list_tmpfs',` +@@ -3963,6 +4520,42 @@ interface(`fs_dontaudit_list_tmpfs',` ######################################## ## @@ -67179,7 +67421,7 @@ index 7c6b791..6d3f720 100644 ## Create, read, write, and delete ## tmpfs directories ## -@@ -4069,7 +4479,7 @@ interface(`fs_dontaudit_rw_tmpfs_files',` +@@ -4069,7 +4662,7 @@ interface(`fs_dontaudit_rw_tmpfs_files',` type tmpfs_t; ') @@ -67188,7 +67430,7 @@ index 7c6b791..6d3f720 100644 ') ######################################## -@@ -4129,6 +4539,24 @@ interface(`fs_rw_tmpfs_files',` +@@ -4129,6 +4722,24 @@ interface(`fs_rw_tmpfs_files',` ######################################## ## @@ -67213,7 +67455,7 @@ index 7c6b791..6d3f720 100644 ## Read tmpfs link files. ## ## -@@ -4166,7 +4594,7 @@ interface(`fs_rw_tmpfs_chr_files',` +@@ -4166,7 +4777,7 @@ interface(`fs_rw_tmpfs_chr_files',` ######################################## ## @@ -67222,7 +67464,7 @@ index 7c6b791..6d3f720 100644 ## ## ## -@@ -4185,6 +4613,42 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',` +@@ -4185,6 +4796,42 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',` ######################################## ## 
@@ -67265,7 +67507,7 @@ index 7c6b791..6d3f720 100644 ## Relabel character nodes on tmpfs filesystems. ## ## -@@ -4242,6 +4706,24 @@ interface(`fs_relabel_tmpfs_blk_file',` +@@ -4242,6 +4889,24 @@ interface(`fs_relabel_tmpfs_blk_file',` ######################################## ## @@ -67290,7 +67532,7 @@ index 7c6b791..6d3f720 100644 ## Read and write, create and delete generic ## files on tmpfs filesystems. ## -@@ -4261,6 +4743,25 @@ interface(`fs_manage_tmpfs_files',` +@@ -4261,6 +4926,25 @@ interface(`fs_manage_tmpfs_files',` ######################################## ## @@ -67316,7 +67558,7 @@ index 7c6b791..6d3f720 100644 ## Read and write, create and delete symbolic ## links on tmpfs filesystems. ## -@@ -4467,6 +4968,8 @@ interface(`fs_mount_all_fs',` +@@ -4467,6 +5151,8 @@ interface(`fs_mount_all_fs',` ') allow $1 filesystem_type:filesystem mount; @@ -67325,7 +67567,7 @@ index 7c6b791..6d3f720 100644 ') ######################################## -@@ -4513,7 +5016,7 @@ interface(`fs_unmount_all_fs',` +@@ -4513,7 +5199,7 @@ interface(`fs_unmount_all_fs',` ## ##

## Allow the specified domain to @@ -67334,7 +67576,7 @@ index 7c6b791..6d3f720 100644 ## Example attributes: ##

##
    -@@ -4876,3 +5379,24 @@ interface(`fs_unconfined',` +@@ -4876,3 +5562,24 @@ interface(`fs_unconfined',` typeattribute $1 filesystem_unconfined_type; ') @@ -69645,10 +69887,10 @@ index 234a940..d340f20 100644 ######################################## ## diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te -index e5aee97..f373c8d 100644 +index e5aee97..3d10b66 100644 --- a/policy/modules/roles/staff.te +++ b/policy/modules/roles/staff.te -@@ -8,12 +8,52 @@ policy_module(staff, 2.3.0) +@@ -8,12 +8,57 @@ policy_module(staff, 2.3.0) role staff_r; userdom_unpriv_user_template(staff) @@ -69697,11 +69939,16 @@ index e5aee97..f373c8d 100644 +optional_policy(` + abrt_read_cache(staff_t) +') ++ ++optional_policy(` ++ accountsd_dbus_chat(staff_t) ++ accountsd_read_lib_files(staff_t) ++') + optional_policy(` apache_role(staff_r, staff_t) ') -@@ -23,11 +63,99 @@ optional_policy(` +@@ -23,11 +68,98 @@ optional_policy(` ') optional_policy(` @@ -69712,16 +69959,6 @@ index e5aee97..f373c8d 100644 + bluetooth_role(staff_r, staff_t) +') + -+optional_policy(` - dbadm_role_change(staff_r) - ') - - optional_policy(` -- git_role(staff_r, staff_t) -+ accountsd_dbus_chat(staff_t) -+ accountsd_read_lib_files(staff_t) -+') -+ +optional_policy(` + chrome_role(staff_r, staff_t) +') @@ -69730,6 +69967,15 @@ index e5aee97..f373c8d 100644 + colord_dbus_chat(staff_t) +') + ++optional_policy(` + dbadm_role_change(staff_r) + ') + + optional_policy(` +- git_role(staff_r, staff_t) ++ dnsmasq_read_pid_files(staff_t) ++') ++ +optional_policy(` + gnomeclock_dbus_chat(staff_t) +') @@ -69802,7 +70048,7 @@ index e5aee97..f373c8d 100644 ') optional_policy(` -@@ -35,15 +163,23 @@ optional_policy(` +@@ -35,15 +167,27 @@ optional_policy(` ') optional_policy(` @@ -69813,6 +70059,10 @@ index e5aee97..f373c8d 100644 + rpm_dbus_chat(staff_t) +') + ++optional_policy(` ++ rwho_read_spool_files(staff_t) ++') ++ +optional_policy(` secadm_role_change(staff_r) ') 
@@ -69828,7 +70078,7 @@ index e5aee97..f373c8d 100644 ') optional_policy(` -@@ -52,10 +188,59 @@ optional_policy(` +@@ -52,10 +196,59 @@ optional_policy(` ') optional_policy(` @@ -69888,7 +70138,7 @@ index e5aee97..f373c8d 100644 xserver_role(staff_r, staff_t) ') -@@ -65,10 +250,6 @@ ifndef(`distro_redhat',` +@@ -65,10 +258,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -69899,7 +70149,7 @@ index e5aee97..f373c8d 100644 cdrecord_role(staff_r, staff_t) ') -@@ -93,18 +274,10 @@ ifndef(`distro_redhat',` +@@ -93,18 +282,10 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -69918,7 +70168,7 @@ index e5aee97..f373c8d 100644 java_role(staff_r, staff_t) ') -@@ -125,10 +298,6 @@ ifndef(`distro_redhat',` +@@ -125,10 +306,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -69929,7 +70179,7 @@ index e5aee97..f373c8d 100644 pyzor_role(staff_r, staff_t) ') -@@ -141,10 +310,6 @@ ifndef(`distro_redhat',` +@@ -141,10 +318,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -69940,7 +70190,7 @@ index e5aee97..f373c8d 100644 spamassassin_role(staff_r, staff_t) ') -@@ -176,3 +341,7 @@ ifndef(`distro_redhat',` +@@ -176,3 +349,7 @@ ifndef(`distro_redhat',` wireshark_role(staff_r, staff_t) ') ') @@ -73043,10 +73293,10 @@ index b17e27a..f87cce0 100644 + ssh_rw_dgram_sockets(chroot_user_t) +') diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc -index fc86b7c..cfe92e1 100644 +index fc86b7c..decae02 100644 --- a/policy/modules/services/xserver.fc +++ b/policy/modules/services/xserver.fc -@@ -2,13 +2,34 @@ +@@ -2,13 +2,35 @@ # HOME_DIR # HOME_DIR/\.fonts\.conf -- gen_context(system_u:object_r:user_fonts_config_t,s0) 
@@ -73061,6 +73311,7 @@ index fc86b7c..cfe92e1 100644 HOME_DIR/\.xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0) +HOME_DIR/\.Xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0) HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) ++HOME_DIR/\.cache/gdm(/.*)? -- gen_context(system_u:object_r:xdm_home_t,s0) +HOME_DIR/\.xsession-errors.* -- gen_context(system_u:object_r:xdm_home_t,s0) +HOME_DIR/\.dmrc.* -- gen_context(system_u:object_r:xdm_home_t,s0) + @@ -73081,7 +73332,7 @@ index fc86b7c..cfe92e1 100644 # # /dev -@@ -24,11 +45,18 @@ HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) +@@ -24,11 +46,18 @@ HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) /etc/init\.d/xfree86-common -- gen_context(system_u:object_r:xserver_exec_t,s0) @@ -73100,7 +73351,7 @@ index fc86b7c..cfe92e1 100644 /etc/X11/[wx]dm/Xreset.* -- gen_context(system_u:object_r:xsession_exec_t,s0) /etc/X11/[wxg]dm/Xsession -- gen_context(system_u:object_r:xsession_exec_t,s0) /etc/X11/wdm(/.*)? gen_context(system_u:object_r:xdm_rw_etc_t,s0) -@@ -46,23 +74,24 @@ HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) +@@ -46,23 +75,24 @@ HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) # /tmp # @@ -73131,7 +73382,7 @@ index fc86b7c..cfe92e1 100644 /usr/bin/xauth -- gen_context(system_u:object_r:xauth_exec_t,s0) /usr/bin/Xorg -- gen_context(system_u:object_r:xserver_exec_t,s0) -@@ -90,24 +119,43 @@ ifndef(`distro_debian',` +@@ -90,24 +120,43 @@ ifndef(`distro_debian',` /var/[xgkw]dm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0) /var/lib/lxdm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0) @@ -73180,7 +73431,7 @@ index fc86b7c..cfe92e1 100644 +/var/lib/pqsql/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) + diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if -index 130ced9..647cc5c 100644 +index 130ced9..173eaf5 100644 
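Review bot: `HOME_DIR/\.cache/gdm(/.*)? -- gen_context(system_u:object_r:xdm_home_t,s0)` restricts the match to regular files with `--`, so the `~/.cache/gdm` directory itself and any subdirectories keep their parent's label even though the `(/.*)?` suffix is written to cover the whole tree. The xserver.te hunk `@@ -75136,7 +75405,7 @@` later on this page adds `gnome_cache_filetrans(xdm_t, xdm_home_t, dir, "gdm")`, which expects that directory to be xdm_home_t as well, so the fc entry and the filetrans currently disagree. Drop the class restriction: `HOME_DIR/\.cache/gdm(/.*)? gen_context(system_u:object_r:xdm_home_t,s0)`.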
--- a/policy/modules/services/xserver.if +++ b/policy/modules/services/xserver.if @@ -19,9 +19,10 @@ @@ -73680,16 +73931,34 @@ index 130ced9..647cc5c 100644 ## Set the attributes of XDM temporary directories. ## ## -@@ -765,7 +918,7 @@ interface(`xserver_setattr_xdm_tmp_dirs',` +@@ -765,7 +918,25 @@ interface(`xserver_setattr_xdm_tmp_dirs',` type xdm_tmp_t; ') - allow $1 xdm_tmp_t:dir setattr; + allow $1 xdm_tmp_t:dir setattr_dir_perms; ++') ++ ++######################################## ++## ++## Dont audit attempts to set the attributes of XDM temporary directories. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`xserver_dontaudit_xdm_tmp_dirs',` ++ gen_require(` ++ type xdm_tmp_t; ++ ') ++ ++ dontaudit $1 xdm_tmp_t:dir setattr_dir_perms; ') ######################################## -@@ -805,7 +958,26 @@ interface(`xserver_read_xdm_pid',` +@@ -805,7 +976,26 @@ interface(`xserver_read_xdm_pid',` ') files_search_pids($1) @@ -73717,7 +73986,7 @@ index 130ced9..647cc5c 100644 ') ######################################## -@@ -828,6 +1000,24 @@ interface(`xserver_read_xdm_lib_files',` +@@ -828,6 +1018,24 @@ interface(`xserver_read_xdm_lib_files',` ######################################## ## @@ -73742,7 +74011,7 @@ index 130ced9..647cc5c 100644 ## Make an X session script an entrypoint for the specified domain. ## ## -@@ -897,7 +1087,7 @@ interface(`xserver_getattr_log',` +@@ -897,7 +1105,7 @@ interface(`xserver_getattr_log',` ') logging_search_logs($1) @@ -73751,7 +74020,7 @@ index 130ced9..647cc5c 100644 ') ######################################## -@@ -916,7 +1106,7 @@ interface(`xserver_dontaudit_write_log',` +@@ -916,7 +1124,7 @@ interface(`xserver_dontaudit_write_log',` type xserver_log_t; ') @@ -73760,7 +74029,7 @@ index 130ced9..647cc5c 100644 ') ######################################## -@@ -963,6 +1153,45 @@ interface(`xserver_read_xkb_libs',` +@@ -963,6 +1171,45 @@ interface(`xserver_read_xkb_libs',` ######################################## ## 
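Review bot: The new interface name `xserver_dontaudit_xdm_tmp_dirs` does not say which operation it suppresses, while its neighbours `xserver_setattr_xdm_tmp_dirs` and `xserver_dontaudit_getattr_xdm_tmp_sockets` both encode the permission in the name; calling it `xserver_dontaudit_setattr_xdm_tmp_dirs` would keep that pattern and make call sites self-describing. The commit message records that these setattr attempts look like bogus code, so a sentence to that effect in the interface description would explain to a later reader why a dontaudit rather than an allow was chosen.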
@@ -73806,7 +74075,7 @@ index 130ced9..647cc5c 100644 ## Read xdm temporary files. ## ## -@@ -976,7 +1205,7 @@ interface(`xserver_read_xdm_tmp_files',` +@@ -976,7 +1223,7 @@ interface(`xserver_read_xdm_tmp_files',` type xdm_tmp_t; ') @@ -73815,7 +74084,7 @@ index 130ced9..647cc5c 100644 read_files_pattern($1, xdm_tmp_t, xdm_tmp_t) ') -@@ -1038,6 +1267,42 @@ interface(`xserver_manage_xdm_tmp_files',` +@@ -1038,6 +1285,42 @@ interface(`xserver_manage_xdm_tmp_files',` ######################################## ## @@ -73858,7 +74127,7 @@ index 130ced9..647cc5c 100644 ## Do not audit attempts to get the attributes of ## xdm temporary named sockets. ## -@@ -1052,7 +1317,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',` +@@ -1052,7 +1335,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',` type xdm_tmp_t; ') @@ -73867,7 +74136,7 @@ index 130ced9..647cc5c 100644 ') ######################################## -@@ -1070,8 +1335,10 @@ interface(`xserver_domtrans',` +@@ -1070,8 +1353,10 @@ interface(`xserver_domtrans',` type xserver_t, xserver_exec_t; ') @@ -73879,7 +74148,7 @@ index 130ced9..647cc5c 100644 ') ######################################## -@@ -1185,6 +1452,26 @@ interface(`xserver_stream_connect',` +@@ -1185,6 +1470,26 @@ interface(`xserver_stream_connect',` files_search_tmp($1) stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t) @@ -73906,7 +74175,7 @@ index 130ced9..647cc5c 100644 ') ######################################## -@@ -1210,7 +1497,7 @@ interface(`xserver_read_tmp_files',` +@@ -1210,7 +1515,7 @@ interface(`xserver_read_tmp_files',` ## ## Interface to provide X object permissions on a given X server to ## an X client domain. Gives the domain permission to read the @@ -73915,7 +74184,7 @@ index 130ced9..647cc5c 100644 ## ## ## -@@ -1220,13 +1507,23 @@ interface(`xserver_read_tmp_files',` +@@ -1220,13 +1525,23 @@ interface(`xserver_read_tmp_files',` # interface(`xserver_manage_core_devices',` gen_require(` 
@@ -73940,7 +74209,7 @@ index 130ced9..647cc5c 100644 ') ######################################## -@@ -1243,10 +1540,533 @@ interface(`xserver_manage_core_devices',` +@@ -1243,10 +1558,533 @@ interface(`xserver_manage_core_devices',` # interface(`xserver_unconfined',` gen_require(` @@ -74477,7 +74746,7 @@ index 130ced9..647cc5c 100644 + files_search_tmp($1) +') diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te -index c4f7c35..c221771 100644 +index c4f7c35..06c447c 100644 --- a/policy/modules/services/xserver.te +++ b/policy/modules/services/xserver.te @@ -26,27 +26,50 @@ gen_require(` @@ -75136,7 +75405,7 @@ index c4f7c35..c221771 100644 ') optional_policy(` -@@ -514,12 +723,63 @@ optional_policy(` +@@ -514,12 +723,64 @@ optional_policy(` ') optional_policy(` @@ -75194,13 +75463,14 @@ index c4f7c35..c221771 100644 + gnome_read_usr_config(xdm_t) + gnome_read_gconf_config(xdm_t) + gnome_transition_gkeyringd(xdm_t) ++ gnome_cache_filetrans(xdm_t, xdm_home_t, dir, "gdm") +') + +optional_policy(` hostname_exec(xdm_t) ') -@@ -537,28 +797,69 @@ optional_policy(` +@@ -537,28 +798,69 @@ optional_policy(` ') optional_policy(` @@ -75279,7 +75549,7 @@ index c4f7c35..c221771 100644 ') optional_policy(` -@@ -570,6 +871,14 @@ optional_policy(` +@@ -570,6 +872,14 @@ optional_policy(` ') optional_policy(` @@ -75294,7 +75564,7 @@ index c4f7c35..c221771 100644 xfs_stream_connect(xdm_t) ') -@@ -594,7 +903,8 @@ allow xserver_t input_xevent_t:x_event send; +@@ -594,7 +904,8 @@ allow xserver_t input_xevent_t:x_event send; # execheap needed until the X module loader is fixed. # NVIDIA Needs execstack 
@@ -75304,7 +75574,7 @@ index c4f7c35..c221771 100644 dontaudit xserver_t self:capability chown; allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow xserver_t self:fd use; -@@ -608,8 +918,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; +@@ -608,8 +919,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow xserver_t self:tcp_socket create_stream_socket_perms; allow xserver_t self:udp_socket create_socket_perms; @@ -75320,7 +75590,7 @@ index c4f7c35..c221771 100644 manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) -@@ -628,12 +945,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) +@@ -628,12 +946,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) files_search_var_lib(xserver_t) @@ -75342,7 +75612,7 @@ index c4f7c35..c221771 100644 kernel_read_system_state(xserver_t) kernel_read_device_sysctls(xserver_t) -@@ -641,6 +965,7 @@ kernel_read_modprobe_sysctls(xserver_t) +@@ -641,6 +966,7 @@ kernel_read_modprobe_sysctls(xserver_t) # Xorg wants to check if kernel is tainted kernel_read_kernel_sysctls(xserver_t) kernel_write_proc_files(xserver_t) @@ -75350,7 +75620,7 @@ index c4f7c35..c221771 100644 # Run helper programs in xserver_t. corecmd_exec_bin(xserver_t) -@@ -667,23 +992,28 @@ dev_rw_apm_bios(xserver_t) +@@ -667,23 +993,28 @@ dev_rw_apm_bios(xserver_t) dev_rw_agp(xserver_t) dev_rw_framebuffer(xserver_t) dev_manage_dri_dev(xserver_t) 
@@ -75382,7 +75652,7 @@ index c4f7c35..c221771 100644 # brought on by rhgb files_search_mnt(xserver_t) -@@ -694,8 +1024,13 @@ fs_getattr_xattr_fs(xserver_t) +@@ -694,8 +1025,13 @@ fs_getattr_xattr_fs(xserver_t) fs_search_nfs(xserver_t) fs_search_auto_mountpoints(xserver_t) fs_search_ramfs(xserver_t) @@ -75396,7 +75666,7 @@ index c4f7c35..c221771 100644 selinux_validate_context(xserver_t) selinux_compute_access_vector(xserver_t) -@@ -708,8 +1043,6 @@ init_getpgid(xserver_t) +@@ -708,8 +1044,6 @@ init_getpgid(xserver_t) term_setattr_unallocated_ttys(xserver_t) term_use_unallocated_ttys(xserver_t) @@ -75405,7 +75675,7 @@ index c4f7c35..c221771 100644 locallogin_use_fds(xserver_t) logging_send_syslog_msg(xserver_t) -@@ -717,11 +1050,12 @@ logging_send_audit_msgs(xserver_t) +@@ -717,11 +1051,12 @@ logging_send_audit_msgs(xserver_t) miscfiles_read_localization(xserver_t) miscfiles_read_fonts(xserver_t) @@ -75420,7 +75690,7 @@ index c4f7c35..c221771 100644 userdom_search_user_home_dirs(xserver_t) userdom_use_user_ttys(xserver_t) -@@ -775,16 +1109,40 @@ optional_policy(` +@@ -775,16 +1110,40 @@ optional_policy(` ') optional_policy(` @@ -75462,7 +75732,7 @@ index c4f7c35..c221771 100644 unconfined_domtrans(xserver_t) ') -@@ -793,6 +1151,10 @@ optional_policy(` +@@ -793,6 +1152,10 @@ optional_policy(` ') optional_policy(` @@ -75473,7 +75743,7 @@ index c4f7c35..c221771 100644 xfs_stream_connect(xserver_t) ') -@@ -808,10 +1170,10 @@ allow xserver_t xdm_t:shm rw_shm_perms; +@@ -808,10 +1171,10 @@ allow xserver_t xdm_t:shm rw_shm_perms; # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open # handle of a file inside the dir!!! 
@@ -75487,7 +75757,7 @@ index c4f7c35..c221771 100644 # Label pid and temporary files with derived types. manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) -@@ -819,7 +1181,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) +@@ -819,7 +1182,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) # Run xkbcomp. @@ -75496,7 +75766,7 @@ index c4f7c35..c221771 100644 can_exec(xserver_t, xkb_var_lib_t) # VNC v4 module in X server -@@ -832,26 +1194,21 @@ init_use_fds(xserver_t) +@@ -832,26 +1195,21 @@ init_use_fds(xserver_t) # to read ROLE_home_t - examine this in more detail # (xauth?) userdom_read_user_home_content_files(xserver_t) @@ -75531,7 +75801,7 @@ index c4f7c35..c221771 100644 ') optional_policy(` -@@ -859,6 +1216,10 @@ optional_policy(` +@@ -859,6 +1217,10 @@ optional_policy(` rhgb_rw_tmpfs_files(xserver_t) ') @@ -75542,7 +75812,7 @@ index c4f7c35..c221771 100644 ######################################## # # Rules common to all X window domains -@@ -902,7 +1263,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy +@@ -902,7 +1264,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show }; # operations allowed on my windows allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive }; @@ -75551,7 +75821,7 @@ index c4f7c35..c221771 100644 # operations allowed on all windows allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child }; -@@ -956,11 +1317,31 @@ allow x_domain self:x_resource { read write }; +@@ -956,11 +1318,31 @@ allow x_domain self:x_resource { read write }; # can mess with the screensaver allow x_domain xserver_t:x_screen { getattr saver_getattr }; 
@@ -75583,7 +75853,7 @@ index c4f7c35..c221771 100644 tunable_policy(`! xserver_object_manager',` # should be xserver_unconfined(x_domain), # but typeattribute doesnt work in conditionals -@@ -982,18 +1363,43 @@ tunable_policy(`! xserver_object_manager',` +@@ -982,18 +1364,43 @@ tunable_policy(`! xserver_object_manager',` allow x_domain xevent_type:{ x_event x_synthetic_event } *; ') @@ -75801,7 +76071,7 @@ index 28ad538..82def3d 100644 -/var/run/user(/.*)? gen_context(system_u:object_r:var_auth_t,s0) /var/(db|lib|adm)/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0) diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if -index 6ce867a..283f236 100644 +index 6ce867a..20a0b0a 100644 --- a/policy/modules/system/authlogin.if +++ b/policy/modules/system/authlogin.if @@ -23,11 +23,17 @@ interface(`auth_role',` @@ -75884,7 +76154,7 @@ index 6ce867a..283f236 100644 manage_files_pattern($1, var_auth_t, var_auth_t) manage_dirs_pattern($1, auth_cache_t, auth_cache_t) -@@ -120,16 +146,29 @@ interface(`auth_login_pgm_domain',` +@@ -120,16 +146,31 @@ interface(`auth_login_pgm_domain',` manage_sock_files_pattern($1, auth_cache_t, auth_cache_t) files_var_filetrans($1, auth_cache_t, dir) @@ -75912,10 +76182,12 @@ index 6ce867a..283f236 100644 fs_list_auto_mountpoints($1) + fs_manage_cgroup_dirs($1) + fs_manage_cgroup_files($1) ++ fs_read_ecryptfs_symlinks($1) ++ fs_read_ecryptfs_files($1) selinux_get_fs_mount($1) selinux_validate_context($1) -@@ -145,6 +184,8 @@ interface(`auth_login_pgm_domain',` +@@ -145,6 +186,8 @@ interface(`auth_login_pgm_domain',` mls_process_set_level($1) mls_fd_share_all_levels($1) @@ -75924,7 +76196,7 @@ index 6ce867a..283f236 100644 auth_use_pam($1) init_rw_utmp($1) -@@ -155,9 +196,83 @@ interface(`auth_login_pgm_domain',` +@@ -155,9 +198,84 @@ interface(`auth_login_pgm_domain',` seutil_read_config($1) seutil_read_default_contexts($1) 
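Review bot: `fs_read_ecryptfs_symlinks($1)` and `fs_read_ecryptfs_files($1)` are added to `auth_login_pgm_domain` unconditionally, so every login program can read mounted eCryptfs content whether or not the system uses it, while the userdomain.te part of this same commit gates the equivalent user-side access behind the `use_ecryptfs_home_dirs` boolean. If the intent is the same encrypted-home case (reading the user's files after the PAM module mounts them), the two places should agree: wrap the two lines in a tunable_policy block keyed on `use_ecryptfs_home_dirs`, exactly as userdomain.te does. If the access really is required independent of the boolean, a one-line comment saying why would stop the next reader from tightening it. The `gen_tunable` for that boolean is not visible in this diff, so I am assuming it is declared elsewhere.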
@@ -75960,6 +76232,7 @@ index 6ce867a..283f236 100644 + corecmd_exec_bin($1) + storage_getattr_fixed_disk_dev($1) + mount_domtrans($1) ++ mount_domtrans_ecryptmount($1) + ') + + optional_policy(` @@ -76010,7 +76283,7 @@ index 6ce867a..283f236 100644 ') ######################################## -@@ -395,13 +510,15 @@ interface(`auth_domtrans_chk_passwd',` +@@ -395,13 +513,15 @@ interface(`auth_domtrans_chk_passwd',` ') optional_policy(` @@ -76027,7 +76300,7 @@ index 6ce867a..283f236 100644 ') ######################################## -@@ -448,6 +565,25 @@ interface(`auth_run_chk_passwd',` +@@ -448,6 +568,25 @@ interface(`auth_run_chk_passwd',` auth_domtrans_chk_passwd($1) role $2 types chkpwd_t; @@ -76053,7 +76326,7 @@ index 6ce867a..283f236 100644 ') ######################################## -@@ -467,7 +603,6 @@ interface(`auth_domtrans_upd_passwd',` +@@ -467,7 +606,6 @@ interface(`auth_domtrans_upd_passwd',` domtrans_pattern($1, updpwd_exec_t, updpwd_t) auth_dontaudit_read_shadow($1) @@ -76061,7 +76334,7 @@ index 6ce867a..283f236 100644 ') ######################################## -@@ -664,6 +799,10 @@ interface(`auth_manage_shadow',` +@@ -664,6 +802,10 @@ interface(`auth_manage_shadow',` allow $1 shadow_t:file manage_file_perms; typeattribute $1 can_read_shadow_passwords, can_write_shadow_passwords; @@ -76072,7 +76345,7 @@ index 6ce867a..283f236 100644 ') ####################################### -@@ -763,7 +902,50 @@ interface(`auth_rw_faillog',` +@@ -763,7 +905,50 @@ interface(`auth_rw_faillog',` ') logging_search_logs($1) @@ -76124,7 +76397,7 @@ index 6ce867a..283f236 100644 ') ####################################### -@@ -959,9 +1141,30 @@ interface(`auth_manage_var_auth',` +@@ -959,9 +1144,30 @@ interface(`auth_manage_var_auth',` ') files_search_var($1) 
@@ -76158,7 +76431,7 @@ index 6ce867a..283f236 100644 ') ######################################## -@@ -1040,6 +1243,10 @@ interface(`auth_manage_pam_pid',` +@@ -1040,6 +1246,10 @@ interface(`auth_manage_pam_pid',` files_search_pids($1) allow $1 pam_var_run_t:dir manage_dir_perms; allow $1 pam_var_run_t:file manage_file_perms; @@ -76169,7 +76442,7 @@ index 6ce867a..283f236 100644 ') ######################################## -@@ -1157,6 +1364,7 @@ interface(`auth_manage_pam_console_data',` +@@ -1157,6 +1367,7 @@ interface(`auth_manage_pam_console_data',` files_search_pids($1) manage_files_pattern($1, pam_var_console_t, pam_var_console_t) manage_lnk_files_pattern($1, pam_var_console_t, pam_var_console_t) @@ -76177,7 +76450,7 @@ index 6ce867a..283f236 100644 ') ####################################### -@@ -1526,6 +1734,25 @@ interface(`auth_setattr_login_records',` +@@ -1526,6 +1737,25 @@ interface(`auth_setattr_login_records',` ######################################## ## @@ -76203,7 +76476,7 @@ index 6ce867a..283f236 100644 ## Read login records files (/var/log/wtmp). ## ## -@@ -1676,37 +1903,49 @@ interface(`auth_manage_login_records',` +@@ -1676,37 +1906,49 @@ interface(`auth_manage_login_records',` logging_rw_generic_log_dirs($1) allow $1 wtmp_t:file manage_file_perms; @@ -76263,7 +76536,7 @@ index 6ce867a..283f236 100644 ##

    ## ## -@@ -1714,87 +1953,206 @@ interface(`auth_relabel_login_records',` +@@ -1714,87 +1956,206 @@ interface(`auth_relabel_login_records',` ## Domain allowed access. ##
    ## @@ -76521,7 +76794,7 @@ index 6ce867a..283f236 100644 + userdom_user_home_dir_filetrans($1, auth_home_t, file, ".google_authenticator~") ') diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te -index f12b8ff..b3e0efd 100644 +index f12b8ff..2293c1b 100644 --- a/policy/modules/system/authlogin.te +++ b/policy/modules/system/authlogin.te @@ -5,22 +5,42 @@ policy_module(authlogin, 2.3.1) @@ -76630,7 +76903,7 @@ index f12b8ff..b3e0efd 100644 # Allow utemper to write to /tmp/.xses-* userdom_write_user_tmp_files(utempter_t) -@@ -388,10 +416,75 @@ ifdef(`distro_ubuntu',` +@@ -388,10 +416,74 @@ ifdef(`distro_ubuntu',` ') optional_policy(` @@ -76651,7 +76924,6 @@ index f12b8ff..b3e0efd 100644 + ') +') + -+ +auth_read_passwd(nsswitch_domain) + +# read /etc/nsswitch.conf @@ -79852,7 +80124,7 @@ index 0646ee7..36e02fa 100644 ') diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc -index ef8bbaf..2c2e6f4 100644 +index ef8bbaf..6721637 100644 --- a/policy/modules/system/libraries.fc +++ b/policy/modules/system/libraries.fc @@ -28,14 +28,17 @@ ifdef(`distro_redhat',` 
@@ -79909,7 +80181,15 @@ index ef8bbaf..2c2e6f4 100644 /usr/(.*/)?nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -151,8 +158,8 @@ ifdef(`distro_redhat',` +@@ -140,6 +147,7 @@ ifdef(`distro_redhat',` + /usr/lib/ati-fglrx/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /usr/lib/fglrx/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /usr/lib/libjs\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/lib/libzvbi\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /usr/lib/sse2/libx264\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /usr/lib(/.*)?/libnvidia.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /usr/lib(/.*)?/nvidia_drv.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +@@ -151,8 +159,8 @@ ifdef(`distro_redhat',` /usr/lib/xorg/modules/glesx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/(local/)?.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:lib_t,s0) @@ -79920,7 +80200,7 @@ index ef8bbaf..2c2e6f4 100644 /usr/NX/lib/libXcomp\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/NX/lib/libjpeg\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -244,8 +251,6 @@ HOME_DIR/.*/plugins/nppdf\.so.* -- gen_context(system_u:object_r:textrel_shlib_ +@@ -244,8 +252,6 @@ HOME_DIR/.*/plugins/nppdf\.so.* -- gen_context(system_u:object_r:textrel_shlib_ /usr/lib/codecs/drv[1-9c]\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/local/lib/codecs/drv[1-9c]\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) 
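Review bot: The new `/usr/lib/libzvbi\.so(\.[^/]*)*` entry labels the library `textrel_shlib_t`, which permits `execmod` on it for every domain that loads it, i.e. it relaxes the W^X mapping restriction for that file system-wide rather than for a single consumer. That is the right label only if the shipped build really contains text relocations; please confirm with `eu-findtextrel` or `readelf -d … | grep TEXTREL` on the Fedora package before merging, since fixing the build (compiling the library PIC) is preferable to widening policy. Recording the reason next to the entry, e.g. `# libzvbi ships with text relocations`, would help when these entries are revisited.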
@@ -79929,7 +80209,7 @@ index ef8bbaf..2c2e6f4 100644 /usr/lib/.*/nprhapengine\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/local/(.*/)?nprhapengine\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -299,17 +304,153 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te +@@ -299,17 +305,153 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te # /var/cache/ldconfig(/.*)? gen_context(system_u:object_r:ldconfig_cache_t,s0) @@ -82139,10 +82419,10 @@ index 560d5d9..86a7107 100644 ifdef(`distro_gentoo',` diff --git a/policy/modules/system/mount.fc b/policy/modules/system/mount.fc -index 72c746e..fa210cd 100644 +index 72c746e..f035d9f 100644 --- a/policy/modules/system/mount.fc +++ b/policy/modules/system/mount.fc -@@ -1,4 +1,21 @@ +@@ -1,4 +1,26 @@ +/bin/fusermount -- gen_context(system_u:object_r:fusermount_exec_t,s0) /bin/mount.* -- gen_context(system_u:object_r:mount_exec_t,s0) /bin/umount.* -- gen_context(system_u:object_r:mount_exec_t,s0) @@ -82165,8 +82445,13 @@ index 72c746e..fa210cd 100644 +/var/cache/davfs2(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0) +/var/run/davfs2(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0) +/var/run/mount(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0) ++ ++/usr/sbin/mount\.ecryptfs_private -- gen_context(system_u:object_r:mount_ecryptfs_exec_t,s0) ++/usr/sbin/mount\.ecryptfs -- gen_context(system_u:object_r:mount_ecryptfs_exec_t,s0) ++/usr/sbin/umount\.ecryptfs_private -- gen_context(system_u:object_r:mount_ecryptfs_exec_t,s0) ++/usr/sbin/umount\.ecryptfs -- gen_context(system_u:object_r:mount_ecryptfs_exec_t,s0) diff --git a/policy/modules/system/mount.if b/policy/modules/system/mount.if -index 4584457..4881d86 100644 +index 4584457..5b041ee 100644 --- a/policy/modules/system/mount.if +++ b/policy/modules/system/mount.if @@ -16,6 +16,12 @@ interface(`mount_domtrans',` 
@@ -82278,7 +82563,7 @@ index 4584457..4881d86 100644 ##
## # -@@ -131,45 +210,119 @@ interface(`mount_send_nfs_client_request',` +@@ -131,45 +210,138 @@ interface(`mount_send_nfs_client_request',` ######################################## ## @@ -82413,12 +82698,31 @@ index 4584457..4881d86 100644 + + mount_domtrans_showmount($1) + role $2 types showmount_t; ++') ++ ++####################################### ++## ++## Transition to ecryptmount. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`mount_domtrans_ecryptmount',` ++ gen_require(` ++ type mount_ecryptfs_t, mount_ecryptfs_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1, mount_ecryptfs_exec_t, mount_ecryptfs_t) ') diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te -index 6d3b14b..3eddba2 100644 +index 6d3b14b..a810a6b 100644 --- a/policy/modules/system/mount.te +++ b/policy/modules/system/mount.te -@@ -10,35 +10,52 @@ policy_module(mount, 1.14.2) +@@ -10,35 +10,60 @@ policy_module(mount, 1.14.2) ## Allow the mount command to mount any directory or file. ##

## @@ -82465,6 +82769,14 @@ index 6d3b14b..3eddba2 100644 +type showmount_exec_t; +application_domain(showmount_t, showmount_exec_t) +role system_r types showmount_t; ++ ++type mount_ecryptfs_t; ++type mount_ecryptfs_exec_t; ++application_domain(mount_ecryptfs_t, mount_ecryptfs_exec_t) ++role system_r types mount_ecryptfs_t; ++ ++type mount_ecryptfs_tmpfs_t; ++files_tmpfs_file(mount_ecryptfs_tmpfs_t) ######################################## # @@ -82482,7 +82794,7 @@ index 6d3b14b..3eddba2 100644 allow mount_t mount_loopback_t:file read_file_perms; -@@ -49,9 +66,24 @@ can_exec(mount_t, mount_exec_t) +@@ -49,9 +74,24 @@ can_exec(mount_t, mount_exec_t) files_tmp_filetrans(mount_t, mount_tmp_t, { file dir }) @@ -82508,7 +82820,7 @@ index 6d3b14b..3eddba2 100644 kernel_dontaudit_write_debugfs_dirs(mount_t) kernel_dontaudit_write_proc_dirs(mount_t) # To load binfmt_misc kernel module -@@ -60,31 +92,46 @@ kernel_request_load_module(mount_t) +@@ -60,31 +100,46 @@ kernel_request_load_module(mount_t) # required for mount.smbfs corecmd_exec_bin(mount_t) @@ -82558,7 +82870,7 @@ index 6d3b14b..3eddba2 100644 files_read_isid_type_files(mount_t) # For reading cert files files_read_usr_files(mount_t) -@@ -92,28 +139,39 @@ files_list_mnt(mount_t) +@@ -92,28 +147,39 @@ files_list_mnt(mount_t) files_dontaudit_write_all_mountpoints(mount_t) files_dontaudit_setattr_all_mountpoints(mount_t) @@ -82604,7 +82916,7 @@ index 6d3b14b..3eddba2 100644 term_dontaudit_manage_pty_dirs(mount_t) auth_use_nsswitch(mount_t) -@@ -121,6 +179,8 @@ auth_use_nsswitch(mount_t) +@@ -121,6 +187,8 @@ auth_use_nsswitch(mount_t) init_use_fds(mount_t) init_use_script_ptys(mount_t) init_dontaudit_getattr_initctl(mount_t) 
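Review bot: `mount_domtrans_ecryptmount` only performs the domain transition, and the types hunk below it declares just `role system_r types mount_ecryptfs_t;`, so a caller in a user role (staff_r, user_r) would hit a role violation on the transition rather than enter the new domain; `mount.ecryptfs_private`, which the mount.fc change labels `mount_ecryptfs_exec_t`, is by its name meant to be run by ordinary users, so that is a likely caller. The `mount_run_showmount` interface directly above shows the pattern: add a `mount_run_ecryptmount($1, $2)` wrapper that calls the domtrans and adds `role $2 types mount_ecryptfs_t;`, with the usual summary and `domain`/`role` param blocks copied from the showmount one. Separately, the interface is named `ecryptmount` while every type it touches is `mount_ecryptfs_*`; `mount_domtrans_ecryptfs` would match and be easier to find with grep, if no caller already depends on the name. I have not verified which domains actually invoke the helper, so treat the role point as something to check against the intended callers.
```m4
interface(`mount_run_ecryptmount',`
	gen_require(`
		type mount_ecryptfs_t;
	')

	mount_domtrans_ecryptmount($1)
	role $2 types mount_ecryptfs_t;
')
```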
@@ -82613,16 +82925,17 @@ index 6d3b14b..3eddba2 100644 logging_send_syslog_msg(mount_t) -@@ -131,6 +191,8 @@ sysnet_use_portmap(mount_t) +@@ -131,6 +199,9 @@ sysnet_use_portmap(mount_t) seutil_read_config(mount_t) userdom_use_all_users_fds(mount_t) +userdom_manage_user_home_content_dirs(mount_t) +userdom_read_user_home_content_symlinks(mount_t) ++userdom_list_user_tmp(mount_t) ifdef(`distro_redhat',` optional_policy(` -@@ -146,26 +208,28 @@ ifdef(`distro_ubuntu',` +@@ -146,26 +217,28 @@ ifdef(`distro_ubuntu',` ') ') @@ -82662,7 +82975,7 @@ index 6d3b14b..3eddba2 100644 corenet_tcp_bind_generic_port(mount_t) corenet_udp_bind_generic_port(mount_t) corenet_tcp_bind_reserved_port(mount_t) -@@ -179,6 +243,8 @@ optional_policy(` +@@ -179,6 +252,8 @@ optional_policy(` fs_search_rpc(mount_t) rpc_stub(mount_t) @@ -82671,7 +82984,7 @@ index 6d3b14b..3eddba2 100644 ') optional_policy(` -@@ -186,6 +252,28 @@ optional_policy(` +@@ -186,6 +261,28 @@ optional_policy(` ') optional_policy(` @@ -82700,7 +83013,7 @@ index 6d3b14b..3eddba2 100644 ifdef(`hide_broken_symptoms',` # for a bug in the X server rhgb_dontaudit_rw_stream_sockets(mount_t) -@@ -193,21 +281,96 @@ optional_policy(` +@@ -193,21 +290,124 @@ optional_policy(` ') ') @@ -82753,12 +83066,10 @@ index 6d3b14b..3eddba2 100644 +optional_policy(` + ssh_exec(mount_t) +') - - optional_policy(` -- files_etc_filetrans_etc_runtime(unconfined_mount_t, file) -- unconfined_domain(unconfined_mount_t) ++ ++optional_policy(` + usbmuxd_stream_connect(mount_t) - ') ++') + +optional_policy(` + userhelper_exec_console(mount_t) @@ -82767,10 +83078,12 @@ index 6d3b14b..3eddba2 100644 +optional_policy(` + virt_read_blk_images(mount_t) +') -+ -+optional_policy(` + + optional_policy(` +- files_etc_filetrans_etc_runtime(unconfined_mount_t, file) +- unconfined_domain(unconfined_mount_t) + vmware_exec_host(mount_t) -+') + ') + +###################################### +# 
@@ -82804,6 +83117,34 @@ index 6d3b14b..3eddba2 100644 +sysnet_dns_name_resolve(showmount_t) + +userdom_use_inherited_user_terminals(showmount_t) ++ ++####################################### ++# ++# mount_ecryptfs local policy ++# ++ ++domtrans_pattern(mount_ecryptfs_t, mount_exec_t, mount_t) ++ ++allow mount_ecryptfs_t self:capability setgid; ++allow mount_ecryptfs_t self:capability { setuid sys_admin }; ++allow mount_ecryptfs_t self:fifo_file rw_fifo_file_perms; ++allow mount_ecryptfs_t self:unix_stream_socket create_stream_socket_perms; ++ ++manage_dirs_pattern(mount_ecryptfs_t, mount_ecryptfs_tmpfs_t, mount_ecryptfs_tmpfs_t) ++manage_files_pattern(mount_ecryptfs_t, mount_ecryptfs_tmpfs_t, mount_ecryptfs_tmpfs_t) ++fs_tmpfs_filetrans(mount_ecryptfs_t, mount_ecryptfs_tmpfs_t, { dir file }) ++userdom_rw_user_tmpfs_files(mount_ecryptfs_t) ++ ++domain_use_interactive_fds(mount_ecryptfs_t) ++ ++files_read_etc_files(mount_ecryptfs_t) ++ ++fs_read_ecryptfs_symlinks(mount_ecryptfs_t) ++fs_read_ecryptfs_files(mount_ecryptfs_t) ++ ++auth_use_nsswitch(mount_ecryptfs_t) ++ ++miscfiles_read_localization(mount_ecryptfs_t) diff --git a/policy/modules/system/netlabel.fc b/policy/modules/system/netlabel.fc index b263a8a..9348c8c 100644 --- a/policy/modules/system/netlabel.fc @@ -87146,7 +87487,7 @@ index db75976..ce61aed 100644 + +/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0) diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index e720dcd..3361868 100644 +index e720dcd..4272eef 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -30,9 +30,11 @@ template(`userdom_base_user_template',` @@ -89621,7 +89962,7 @@ index e720dcd..3361868 100644 ## Create keys for all user domains. ##
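Review bot: In the new `mount_ecryptfs` local policy the two consecutive `self:capability` rules should be a single rule, `allow mount_ecryptfs_t self:capability { setgid setuid sys_admin };`, and `sys_admin` needs a why-comment because it is the broadest of the three: the block already hands the actual mount to `mount_t` via `domtrans_pattern(mount_ecryptfs_t, mount_exec_t, mount_t)`, so if the helper never calls mount(2) itself the capability may be unnecessary, and if it does, say so, e.g. `# the helper calls mount(2) directly for the eCryptfs overlay`. ecryptfs-utils' mount.ecryptfs_private also loads the unwrapped passphrase into the kernel keyring, which would need `self:key` permissions that this block does not grant; I have not checked that against an audit log, so treat it as something to exercise in testing rather than a known gap. The `mount_ecryptfs_t` declarations are in the types hunk earlier in this file section, outside this hunk.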
## -@@ -3296,3 +4106,1292 @@ interface(`userdom_dbus_send_all_users',` +@@ -3296,3 +4106,1282 @@ interface(`userdom_dbus_send_all_users',` allow $1 userdomain:dbus send_msg; ') @@ -89648,11 +89989,6 @@ index e720dcd..3361868 100644 +## +## Define this type as a Allow apps to set rlimits on userdomain +## -+## -+## -+## Domain allowed access. -+## -+## +## +## +## The prefix of the user domain (e.g., user @@ -89682,11 +90018,6 @@ index e720dcd..3361868 100644 +## +## Define this type as a Allow apps to set rlimits on userdomain +## -+## -+## -+## Domain allowed access. -+## -+## +## +## +## The prefix of the user domain (e.g., user @@ -90915,7 +91246,7 @@ index e720dcd..3361868 100644 + typeattribute $1 userdom_home_manager_type; +') diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te -index 47efe9a..4136fa9 100644 +index 47efe9a..1fa68b1 100644 --- a/policy/modules/system/userdomain.te +++ b/policy/modules/system/userdomain.te @@ -7,17 +7,17 @@ policy_module(userdomain, 4.7.2) @@ -90990,7 +91321,7 @@ index 47efe9a..4136fa9 100644 type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t }; fs_associate_tmpfs(user_home_dir_t) files_type(user_home_dir_t) -@@ -71,26 +102,112 @@ ubac_constrained(user_home_dir_t) +@@ -71,26 +102,121 @@ ubac_constrained(user_home_dir_t) type user_home_t alias { staff_home_t sysadm_home_t secadm_home_t auditadm_home_t unconfined_home_t }; typealias user_home_t alias { staff_untrusted_content_t sysadm_untrusted_content_t secadm_untrusted_content_t auditadm_untrusted_content_t unconfined_untrusted_content_t }; 
@@ -91086,6 +91417,10 @@ index 47efe9a..4136fa9 100644 + fs_read_fusefs_files(userdom_home_reader_type) +') + ++tunable_policy(`use_ecryptfs_home_dirs',` ++ fs_read_ecryptfs_files(userdom_home_reader_type) ++') ++ +tunable_policy(`use_nfs_home_dirs',` + fs_list_auto_mountpoints(userdom_home_manager_type) + fs_manage_nfs_dirs(userdom_home_manager_type) @@ -91105,6 +91440,11 @@ index 47efe9a..4136fa9 100644 + fs_manage_fusefs_symlinks(userdom_home_manager_type) +') + ++tunable_policy(`use_ecryptfs_home_dirs',` ++ fs_manage_ecryptfs_dirs(userdom_home_manager_type) ++ fs_manage_ecryptfs_files(userdom_home_manager_type) ++ fs_manage_ecryptfs_files(userdom_home_manager_type) ++') diff --git a/policy/support/misc_patterns.spt b/policy/support/misc_patterns.spt index e79d545..101086d 100644 --- a/policy/support/misc_patterns.spt diff --git a/policy_contrib-rawhide.patch b/policy_contrib-rawhide.patch index a8706735..8566bc43 100644 --- a/policy_contrib-rawhide.patch +++ b/policy_contrib-rawhide.patch @@ -745,7 +745,7 @@ index 1adca53..18e0e41 100644 /var/lib/AccountsService(/.*)? gen_context(system_u:object_r:accountsd_var_lib_t,s0) diff --git a/accountsd.if b/accountsd.if -index c0f858d..10a0cd6 100644 +index c0f858d..d75aae9 100644 --- a/accountsd.if +++ b/accountsd.if @@ -5,9 +5,9 @@ @@ -769,17 +769,21 @@ index c0f858d..10a0cd6 100644 ## ## # -@@ -118,6 +118,29 @@ interface(`accountsd_manage_lib_files',` +@@ -118,28 +118,54 @@ interface(`accountsd_manage_lib_files',` ######################################## ## +-## All of the rules required to administrate +-## an accountsd environment +## Execute accountsd server in the accountsd domain. -+## -+## -+## + ## + ## + ## +-## Domain allowed access. +## Domain allowed to transition. -+## -+## + ## + ## +-## +# +interface(`accountsd_systemctl',` + gen_require(` 
@@ -796,10 +800,17 @@ index c0f858d..10a0cd6 100644 + +######################################## +## - ## All of the rules required to administrate - ## an accountsd environment - ## -@@ -136,10 +159,19 @@ interface(`accountsd_manage_lib_files',` ++## All of the rules required to administrate ++## an accountsd environment ++##
++## + ## +-## Role allowed access. ++## Domain allowed access. + ## + ## +-## + # interface(`accountsd_admin',` gen_require(` type accountsd_t; @@ -1549,7 +1560,7 @@ index e81bdbd..63ab279 100644 optional_policy(` diff --git a/apache.fc b/apache.fc -index fd9fa07..84bc8d6 100644 +index fd9fa07..2679748 100644 --- a/apache.fc +++ b/apache.fc @@ -1,39 +1,54 @@ @@ -1640,7 +1651,7 @@ index fd9fa07..84bc8d6 100644 /var/cache/httpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) /var/cache/lighttpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) -@@ -73,25 +92,36 @@ ifdef(`distro_suse', ` +@@ -73,31 +92,43 @@ ifdef(`distro_suse', ` /var/cache/ssl.*\.sem -- gen_context(system_u:object_r:httpd_cache_t,s0) /var/lib/cacti/rra(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) @@ -1681,7 +1692,14 @@ index fd9fa07..84bc8d6 100644 /var/run/apache.* gen_context(system_u:object_r:httpd_var_run_t,s0) /var/run/gcache_port -s gen_context(system_u:object_r:httpd_var_run_t,s0) /var/run/httpd.* gen_context(system_u:object_r:httpd_var_run_t,s0) -@@ -109,3 +139,25 @@ ifdef(`distro_debian', ` + /var/run/lighttpd(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0) + /var/run/mod_.* gen_context(system_u:object_r:httpd_var_run_t,s0) + /var/run/wsgi.* -s gen_context(system_u:object_r:httpd_var_run_t,s0) ++/var/run/user/apache(/.*)? gen_context(system_u:object_r:httpd_tmp_t,s0) + + /var/spool/gosa(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) + /var/spool/squirrelmail(/.*)? gen_context(system_u:object_r:squirrelmail_spool_t,s0) +@@ -109,3 +140,25 @@ ifdef(`distro_debian', ` /var/www/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) /var/www/icons(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) /var/www/perl(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) 
@@ -1708,7 +1726,7 @@ index fd9fa07..84bc8d6 100644 +/var/run/dirsrv/admin-serv.* gen_context(system_u:object_r:httpd_var_run_t,s0) +/opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0) diff --git a/apache.if b/apache.if -index 6480167..d0bf548 100644 +index 6480167..d30bdbf 100644 --- a/apache.if +++ b/apache.if @@ -13,62 +13,46 @@ @@ -2353,7 +2371,7 @@ index 6480167..d0bf548 100644 admin_pattern($1, httpd_log_t) admin_pattern($1, httpd_modules_t) -@@ -1205,14 +1349,93 @@ interface(`apache_admin',` +@@ -1205,14 +1349,88 @@ interface(`apache_admin',` admin_pattern($1, httpd_var_run_t) files_pid_filetrans($1, httpd_var_run_t, file) @@ -2376,13 +2394,6 @@ index 6480167..d0bf548 100644 + admin_pattern($1, httpd_unit_file_t) + allow $1 httpd_unit_file_t:service all_service_perms; + -+ ifdef(`TODO',` -+ apache_set_booleans($1, $2, $3, httpd_bool_t) -+ seutil_setsebool_role_template($1, $3, $2) -+ allow httpd_setsebool_t httpd_bool_t:dir list_dir_perms; -+ allow httpd_setsebool_t httpd_bool_t:file rw_file_perms; -+ ') -+ + apache_filetrans_named_content($1) +') + @@ -2422,11 +2433,13 @@ index 6480167..d0bf548 100644 +interface(`apache_filetrans_named_content',` + gen_require(` + type httpd_sys_content_t, httpd_sys_rw_content_t; ++ type httpd_tmp_t; + ') + + + apache_filetrans_home_content($1) + filetrans_pattern($1, httpd_sys_content_t, httpd_sys_rw_content_t, file, "settings.php") ++ userdom_user_tmp_filetrans($1, httpd_tmp_t, dir, "apache") +') + +######################################## @@ -2453,7 +2466,7 @@ index 6480167..d0bf548 100644 + filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess") ') diff --git a/apache.te b/apache.te -index a36a01d..f6aad32 100644 +index a36a01d..bde887f 100644 --- a/apache.te +++ b/apache.te @@ -18,6 +18,8 @@ policy_module(apache, 2.3.2) 
@@ -2772,7 +2785,7 @@ index a36a01d..f6aad32 100644 # Allow the httpd_t to read the web servers config files allow httpd_t httpd_config_t:dir list_dir_perms; -@@ -336,8 +494,9 @@ allow httpd_t httpd_sys_script_t:unix_stream_socket connectto; +@@ -336,8 +494,10 @@ allow httpd_t httpd_sys_script_t:unix_stream_socket connectto; manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) @@ -2780,10 +2793,11 @@ index a36a01d..f6aad32 100644 manage_lnk_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) -files_tmp_filetrans(httpd_t, httpd_tmp_t, { file dir lnk_file }) +files_tmp_filetrans(httpd_t, httpd_tmp_t, { file dir lnk_file sock_file }) ++userdom_user_tmp_filetrans(httpd_t, httpd_tmp_t, dir) manage_dirs_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) manage_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) -@@ -346,8 +505,9 @@ manage_fifo_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) +@@ -346,8 +506,9 @@ manage_fifo_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) manage_sock_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) fs_tmpfs_filetrans(httpd_t, httpd_tmpfs_t, { dir file lnk_file sock_file fifo_file }) @@ -2794,7 +2808,7 @@ index a36a01d..f6aad32 100644 setattr_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t) manage_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t) -@@ -362,6 +522,9 @@ manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) +@@ -362,6 +523,9 @@ manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) kernel_read_kernel_sysctls(httpd_t) # for modules that want to access /proc/meminfo kernel_read_system_state(httpd_t) 
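Review bot: The new `userdom_user_tmp_filetrans(httpd_t, httpd_tmp_t, dir)` in apache.te is unnamed, so every directory httpd_t creates under a user tmp directory becomes httpd_tmp_t, while the companion rule added to `apache_filetrans_named_content` in apache.if limits the same transition to one name (`userdom_user_tmp_filetrans($1, httpd_tmp_t, dir, "apache")`) and apache.fc labels only `/var/run/user/apache(/.*)?`. Unless httpd is known to create other directories there, the daemon rule should carry the same name, `userdom_user_tmp_filetrans(httpd_t, httpd_tmp_t, dir, "apache")`, so the on-disk label, the admin transition and the daemon transition agree. The enclosing httpd_t policy block continues on both sides of the hunk.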
@@ -2804,7 +2818,7 @@ index a36a01d..f6aad32 100644 corenet_all_recvfrom_unlabeled(httpd_t) corenet_all_recvfrom_netlabel(httpd_t) -@@ -372,11 +535,19 @@ corenet_udp_sendrecv_generic_node(httpd_t) +@@ -372,11 +536,19 @@ corenet_udp_sendrecv_generic_node(httpd_t) corenet_tcp_sendrecv_all_ports(httpd_t) corenet_udp_sendrecv_all_ports(httpd_t) corenet_tcp_bind_generic_node(httpd_t) @@ -2825,7 +2839,7 @@ index a36a01d..f6aad32 100644 dev_read_sysfs(httpd_t) dev_read_rand(httpd_t) -@@ -385,9 +556,14 @@ dev_rw_crypto(httpd_t) +@@ -385,9 +557,14 @@ dev_rw_crypto(httpd_t) fs_getattr_all_fs(httpd_t) fs_search_auto_mountpoints(httpd_t) @@ -2840,7 +2854,7 @@ index a36a01d..f6aad32 100644 # execute perl corecmd_exec_bin(httpd_t) corecmd_exec_shell(httpd_t) -@@ -398,6 +574,7 @@ files_dontaudit_getattr_all_pids(httpd_t) +@@ -398,6 +575,7 @@ files_dontaudit_getattr_all_pids(httpd_t) files_read_usr_files(httpd_t) files_list_mnt(httpd_t) files_search_spool(httpd_t) @@ -2848,7 +2862,7 @@ index a36a01d..f6aad32 100644 files_read_var_lib_files(httpd_t) files_search_home(httpd_t) files_getattr_home_dir(httpd_t) -@@ -409,48 +586,101 @@ files_read_etc_files(httpd_t) +@@ -409,48 +587,101 @@ files_read_etc_files(httpd_t) files_read_var_lib_symlinks(httpd_t) fs_search_auto_mountpoints(httpd_sys_script_t) @@ -2954,7 +2968,7 @@ index a36a01d..f6aad32 100644 ') tunable_policy(`httpd_enable_cgi && httpd_use_nfs',` -@@ -461,27 +691,61 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` +@@ -461,27 +692,61 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` fs_cifs_domtrans(httpd_t, httpd_sys_script_t) ') 
@@ -3018,7 +3032,7 @@ index a36a01d..f6aad32 100644 tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_t) fs_read_cifs_symlinks(httpd_t) -@@ -491,7 +755,22 @@ tunable_policy(`httpd_can_sendmail',` +@@ -491,7 +756,22 @@ tunable_policy(`httpd_can_sendmail',` # allow httpd to connect to mail servers corenet_tcp_connect_smtp_port(httpd_t) corenet_sendrecv_smtp_client_packets(httpd_t) @@ -3041,7 +3055,7 @@ index a36a01d..f6aad32 100644 ') tunable_policy(`httpd_setrlimit',` -@@ -511,9 +790,19 @@ tunable_policy(`httpd_ssi_exec',` +@@ -511,9 +791,19 @@ tunable_policy(`httpd_ssi_exec',` # to run correctly without this permission, so the permission # are dontaudited here. tunable_policy(`httpd_tty_comm',` @@ -3062,7 +3076,7 @@ index a36a01d..f6aad32 100644 ') optional_policy(` -@@ -525,6 +814,9 @@ optional_policy(` +@@ -525,6 +815,9 @@ optional_policy(` ') optional_policy(` @@ -3072,7 +3086,7 @@ index a36a01d..f6aad32 100644 cobbler_search_lib(httpd_t) ') -@@ -540,6 +832,24 @@ optional_policy(` +@@ -540,6 +833,24 @@ optional_policy(` daemontools_service_domain(httpd_t, httpd_exec_t) ') @@ -3097,7 +3111,7 @@ index a36a01d..f6aad32 100644 optional_policy(` dbus_system_bus_client(httpd_t) -@@ -549,12 +859,21 @@ optional_policy(` +@@ -549,13 +860,24 @@ optional_policy(` ') optional_policy(` @@ -3118,9 +3132,12 @@ index a36a01d..f6aad32 100644 + +optional_policy(` kerberos_keytab_template(httpd, httpd_t) ++ kerberos_tmp_filetrans_host_rcache(httpd_t, "HTTP_23") ++ kerberos_tmp_filetrans_host_rcache(httpd_t, "HTTP_48") ') -@@ -568,7 +887,21 @@ optional_policy(` + optional_policy(` +@@ -568,7 +890,21 @@ optional_policy(` ') optional_policy(` @@ -3142,7 +3159,7 @@ index a36a01d..f6aad32 100644 mysql_stream_connect(httpd_t) mysql_rw_db_sockets(httpd_t) -@@ -579,6 +912,7 @@ optional_policy(` +@@ -579,6 +915,7 @@ optional_policy(` optional_policy(` nagios_read_config(httpd_t) 
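Review bot: The replay-cache names passed in `kerberos_tmp_filetrans_host_rcache(httpd_t, "HTTP_23")` and `"HTTP_48"` are not explained; they appear to follow the MIT krb5 `<service>_<euid>` rcache naming, which ties the transition to the numeric uid httpd runs as, and the same pattern is used by the new calls in cups.te, ftp.te (`"host_0"`), dirsrv.te and ldap.te (`"ldapmap1_0"`, `"ldap_487"`, `"ldap_55"`). Where a service runs under a different uid the transition never fires and the cache file gets whatever the domain's generic tmp transition yields, so the rule quietly stops applying. A comment above the calls, e.g. `# krb5 replay cache files are named <service>_<euid>; add an entry if httpd runs under another uid`, would make that maintenance obligation visible, and the matching kerberos.fc entries in this commit need the same note.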
@@ -3150,7 +3167,7 @@ index a36a01d..f6aad32 100644 ') optional_policy(` -@@ -589,6 +923,33 @@ optional_policy(` +@@ -589,6 +926,33 @@ optional_policy(` ') optional_policy(` @@ -3184,7 +3201,7 @@ index a36a01d..f6aad32 100644 # Allow httpd to work with postgresql postgresql_stream_connect(httpd_t) postgresql_unpriv_client(httpd_t) -@@ -603,6 +964,11 @@ optional_policy(` +@@ -603,6 +967,11 @@ optional_policy(` ') optional_policy(` @@ -3196,7 +3213,7 @@ index a36a01d..f6aad32 100644 snmp_dontaudit_read_snmp_var_lib_files(httpd_t) snmp_dontaudit_write_snmp_var_lib_files(httpd_t) ') -@@ -615,6 +981,12 @@ optional_policy(` +@@ -615,6 +984,12 @@ optional_policy(` yam_read_content(httpd_t) ') @@ -3209,7 +3226,7 @@ index a36a01d..f6aad32 100644 ######################################## # # Apache helper local policy -@@ -628,7 +1000,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms; +@@ -628,7 +1003,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms; logging_send_syslog_msg(httpd_helper_t) @@ -3222,7 +3239,7 @@ index a36a01d..f6aad32 100644 ######################################## # -@@ -666,28 +1042,30 @@ libs_exec_lib_files(httpd_php_t) +@@ -666,28 +1045,30 @@ libs_exec_lib_files(httpd_php_t) userdom_use_unpriv_users_fds(httpd_php_t) tunable_policy(`httpd_can_network_connect_db',` @@ -3266,7 +3283,7 @@ index a36a01d..f6aad32 100644 ') ######################################## -@@ -697,6 +1075,7 @@ optional_policy(` +@@ -697,6 +1078,7 @@ optional_policy(` allow httpd_suexec_t self:capability { setuid setgid }; allow httpd_suexec_t self:process signal_perms; 
@@ -3274,7 +3291,7 @@ index a36a01d..f6aad32 100644 allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms; domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t) -@@ -711,14 +1090,23 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) +@@ -711,14 +1093,23 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir }) @@ -3298,7 +3315,7 @@ index a36a01d..f6aad32 100644 # for shell scripts corecmd_exec_bin(httpd_suexec_t) corecmd_exec_shell(httpd_suexec_t) -@@ -752,13 +1140,31 @@ tunable_policy(`httpd_can_network_connect',` +@@ -752,13 +1143,31 @@ tunable_policy(`httpd_can_network_connect',` corenet_sendrecv_all_client_packets(httpd_suexec_t) ') @@ -3331,7 +3348,7 @@ index a36a01d..f6aad32 100644 fs_read_nfs_files(httpd_suexec_t) fs_read_nfs_symlinks(httpd_suexec_t) fs_exec_nfs_files(httpd_suexec_t) -@@ -781,6 +1187,25 @@ optional_policy(` +@@ -781,6 +1190,25 @@ optional_policy(` dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write }; ') @@ -3357,7 +3374,7 @@ index a36a01d..f6aad32 100644 ######################################## # # Apache system script local policy -@@ -801,12 +1226,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp +@@ -801,12 +1229,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp kernel_read_kernel_sysctls(httpd_sys_script_t) @@ -3375,7 +3392,7 @@ index a36a01d..f6aad32 100644 ifdef(`distro_redhat',` allow httpd_sys_script_t httpd_log_t:file append_file_perms; ') -@@ -815,18 +1245,50 @@ tunable_policy(`httpd_can_sendmail',` +@@ -815,18 +1248,50 @@ tunable_policy(`httpd_can_sendmail',` mta_send_mail(httpd_sys_script_t) ') 
@@ -3432,7 +3449,7 @@ index a36a01d..f6aad32 100644 corenet_tcp_sendrecv_all_ports(httpd_sys_script_t) corenet_udp_sendrecv_all_ports(httpd_sys_script_t) corenet_tcp_connect_all_ports(httpd_sys_script_t) -@@ -834,14 +1296,39 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',` +@@ -834,14 +1299,39 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',` ') tunable_policy(`httpd_enable_homedirs',` @@ -3473,7 +3490,7 @@ index a36a01d..f6aad32 100644 tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_sys_script_t) fs_read_cifs_symlinks(httpd_sys_script_t) -@@ -854,10 +1341,20 @@ optional_policy(` +@@ -854,10 +1344,20 @@ optional_policy(` optional_policy(` mysql_stream_connect(httpd_sys_script_t) mysql_rw_db_sockets(httpd_sys_script_t) @@ -3494,7 +3511,7 @@ index a36a01d..f6aad32 100644 ') ######################################## -@@ -903,11 +1400,146 @@ optional_policy(` +@@ -903,11 +1403,146 @@ optional_policy(` tunable_policy(`httpd_enable_cgi && httpd_unified',` allow httpd_user_script_t httpdcontent:file entrypoint; @@ -3823,7 +3840,7 @@ index 1ea99b2..0b668ae 100644 + ps_process_pattern($1, apmd_t) ') diff --git a/apm.te b/apm.te -index 1c8c27e..13a6f08 100644 +index 1c8c27e..35d798f 100644 --- a/apm.te +++ b/apm.te @@ -4,6 +4,7 @@ policy_module(apm, 1.11.0) @@ -3931,14 +3948,18 @@ index 1c8c27e..13a6f08 100644 dbus_system_bus_client(apmd_t) optional_policy(` -@@ -209,8 +233,9 @@ optional_policy(` +@@ -209,8 +233,13 @@ optional_policy(` pcmcia_domtrans_cardctl(apmd_t) ') ++ ++optional_policy(` ++ shutdown_domtrans(apmd_t) ++') + optional_policy(` - seutil_sigchld_newrole(apmd_t) -+ shutdown_domtrans(apmd_t) ++ systemd_dbus_chat_logind(apmd_t) ') optional_policy(` @@ -5912,19 +5933,27 @@ index 2c2cdb6..73b3814 100644 + role $2 types brctl_t; +') diff --git a/bugzilla.if b/bugzilla.if -index de89d0f..954e726 100644 +index de89d0f..86e4ee7 100644 --- a/bugzilla.if 
+++ b/bugzilla.if -@@ -58,13 +58,20 @@ interface(`bugzilla_dontaudit_rw_stream_sockets',` +@@ -48,23 +48,24 @@ interface(`bugzilla_dontaudit_rw_stream_sockets',` + ## Domain allowed access. + ##
+ ## +-## +-## +-## The role to be allowed to manage the bugzilla domain. +-## +-## +-## + # interface(`bugzilla_admin',` gen_require(` type httpd_bugzilla_script_t, httpd_bugzilla_content_t, httpd_bugzilla_ra_content_t; -- type httpd_bugzilla_rw_content_t, httpd_bugzilla_script_exec_t; + type httpd_bugzilla_rw_content_t, httpd_bugzilla_script_exec_t; - type httpd_bugzilla_htaccess_t; -- ') -+ type httpd_bugzilla_rw_content_t, httpd_bugzilla_script_exec_t; -+ type httpd_bugzilla_htaccess_t, httpd_bugzilla_tmp_t; -+ ') ++ type httpd_bugzilla_htaccess_t, httpd_bugzilla_tmp_t; + ') - allow $1 httpd_bugzilla_script_t:process { ptrace signal_perms }; + allow $1 httpd_bugzilla_script_t:process signal_perms; @@ -10819,10 +10848,10 @@ index 0000000..196461b +/var/run/couchdb(/.*)? gen_context(system_u:object_r:couchdb_var_run_t,s0) diff --git a/couchdb.if b/couchdb.if new file mode 100644 -index 0000000..31692fb +index 0000000..3e17383 --- /dev/null +++ b/couchdb.if -@@ -0,0 +1,249 @@ +@@ -0,0 +1,244 @@ + +## policy for couchdb + @@ -11034,11 +11063,6 @@ index 0000000..31692fb +## Domain allowed access. +##
+## -+## -+## -+## Role allowed access. -+## -+## +## +# +interface(`couchdb_admin',` @@ -12947,7 +12971,7 @@ index 305ddf4..3629b92 100644 + filetrans_pattern($1, cups_etc_t, cups_rw_etc_t, file, "ppds.dat") ') diff --git a/cups.te b/cups.te -index 6e7f1b6..f7dabbe 100644 +index 6e7f1b6..a699948 100644 --- a/cups.te +++ b/cups.te @@ -15,6 +15,7 @@ files_pid_file(cupsd_config_var_run_t) @@ -13063,10 +13087,11 @@ index 6e7f1b6..f7dabbe 100644 ') ') -@@ -311,10 +319,22 @@ optional_policy(` +@@ -311,10 +319,23 @@ optional_policy(` ') optional_policy(` ++ kerberos_tmp_filetrans_host_rcache(cupsd_t, "host_0") + kerberos_manage_host_rcache(cupsd_t) +') + @@ -13086,7 +13111,7 @@ index 6e7f1b6..f7dabbe 100644 mta_send_mail(cupsd_t) ') -@@ -322,6 +342,8 @@ optional_policy(` +@@ -322,6 +343,8 @@ optional_policy(` # cups execs smbtool which reads samba_etc_t files samba_read_config(cupsd_t) samba_rw_var_files(cupsd_t) @@ -13095,7 +13120,7 @@ index 6e7f1b6..f7dabbe 100644 ') optional_policy(` -@@ -371,8 +393,9 @@ files_tmp_filetrans(cupsd_config_t, cupsd_tmp_t, { lnk_file file dir }) +@@ -371,8 +394,9 @@ files_tmp_filetrans(cupsd_config_t, cupsd_tmp_t, { lnk_file file dir }) allow cupsd_config_t cupsd_var_run_t:file read_file_perms; @@ -13106,7 +13131,7 @@ index 6e7f1b6..f7dabbe 100644 domtrans_pattern(cupsd_config_t, hplip_exec_t, hplip_t) -@@ -425,11 +448,11 @@ seutil_dontaudit_search_config(cupsd_config_t) +@@ -425,11 +449,11 @@ seutil_dontaudit_search_config(cupsd_config_t) userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t) userdom_dontaudit_search_user_home_dirs(cupsd_config_t) @@ -13120,7 +13145,7 @@ index 6e7f1b6..f7dabbe 100644 ifdef(`distro_redhat',` optional_policy(` rpm_read_db(cupsd_config_t) -@@ -453,6 +476,10 @@ optional_policy(` +@@ -453,6 +477,10 @@ optional_policy(` ') optional_policy(` 
@@ -13131,7 +13156,7 @@ index 6e7f1b6..f7dabbe 100644 hal_domtrans(cupsd_config_t) hal_read_tmp_files(cupsd_config_t) hal_dontaudit_use_fds(hplip_t) -@@ -467,6 +494,10 @@ optional_policy(` +@@ -467,6 +495,10 @@ optional_policy(` ') optional_policy(` @@ -13142,7 +13167,7 @@ index 6e7f1b6..f7dabbe 100644 policykit_dbus_chat(cupsd_config_t) userdom_read_all_users_state(cupsd_config_t) ') -@@ -537,6 +568,7 @@ corenet_udp_sendrecv_all_ports(cupsd_lpd_t) +@@ -537,6 +569,7 @@ corenet_udp_sendrecv_all_ports(cupsd_lpd_t) corenet_tcp_bind_generic_node(cupsd_lpd_t) corenet_udp_bind_generic_node(cupsd_lpd_t) corenet_tcp_connect_ipp_port(cupsd_lpd_t) @@ -13150,7 +13175,7 @@ index 6e7f1b6..f7dabbe 100644 dev_read_urand(cupsd_lpd_t) dev_read_rand(cupsd_lpd_t) -@@ -587,23 +619,22 @@ auth_use_nsswitch(cups_pdf_t) +@@ -587,23 +620,22 @@ auth_use_nsswitch(cups_pdf_t) miscfiles_read_localization(cups_pdf_t) miscfiles_read_fonts(cups_pdf_t) @@ -13183,7 +13208,7 @@ index 6e7f1b6..f7dabbe 100644 ') ######################################## -@@ -661,10 +692,10 @@ corenet_tcp_bind_generic_node(hplip_t) +@@ -661,10 +693,10 @@ corenet_tcp_bind_generic_node(hplip_t) corenet_udp_bind_generic_node(hplip_t) corenet_tcp_bind_hplip_port(hplip_t) corenet_tcp_connect_hplip_port(hplip_t) @@ -13197,7 +13222,7 @@ index 6e7f1b6..f7dabbe 100644 dev_read_sysfs(hplip_t) dev_rw_printer(hplip_t) -@@ -685,6 +716,9 @@ domain_use_interactive_fds(hplip_t) +@@ -685,6 +717,9 @@ domain_use_interactive_fds(hplip_t) files_read_etc_files(hplip_t) files_read_etc_runtime_files(hplip_t) files_read_usr_files(hplip_t) @@ -13207,7 +13232,7 @@ index 6e7f1b6..f7dabbe 100644 logging_send_syslog_msg(hplip_t) -@@ -696,8 +730,10 @@ userdom_dontaudit_use_unpriv_user_fds(hplip_t) +@@ -696,8 +731,10 @@ userdom_dontaudit_use_unpriv_user_fds(hplip_t) userdom_dontaudit_search_user_home_dirs(hplip_t) userdom_dontaudit_search_user_home_content(hplip_t) @@ -15728,10 +15753,10 @@ index 0000000..b214253 +') 
diff --git a/dirsrv.te b/dirsrv.te new file mode 100644 -index 0000000..71f225b +index 0000000..4409b7d --- /dev/null +++ b/dirsrv.te -@@ -0,0 +1,194 @@ +@@ -0,0 +1,197 @@ +policy_module(dirsrv,1.0.0) + +######################################## @@ -15869,6 +15894,9 @@ index 0000000..71f225b + +optional_policy(` + kerberos_use(dirsrv_t) ++ kerberos_tmp_filetrans_host_rcache(dirsrv_t, "ldapmap1_0") ++ kerberos_tmp_filetrans_host_rcache(dirsrv_t, "ldap_487") ++ kerberos_tmp_filetrans_host_rcache(dirsrv_t, "ldap_55") +') + +# FIPS mode @@ -15983,7 +16011,7 @@ index b886676..3d5ca2b 100644 /var/run/dnsmasq\.pid -- gen_context(system_u:object_r:dnsmasq_var_run_t,s0) /var/run/libvirt/network(/.*)? gen_context(system_u:object_r:dnsmasq_var_run_t,s0) diff --git a/dnsmasq.if b/dnsmasq.if -index 9bd812b..9b48f71 100644 +index 9bd812b..53f895e 100644 --- a/dnsmasq.if +++ b/dnsmasq.if @@ -10,7 +10,6 @@ @@ -16049,7 +16077,7 @@ index 9bd812b..9b48f71 100644 ## Send dnsmasq a signal ##
## -@@ -144,12 +184,12 @@ interface(`dnsmasq_write_config',` +@@ -144,18 +184,18 @@ interface(`dnsmasq_write_config',` ## ## # @@ -16063,11 +16091,36 @@ index 9bd812b..9b48f71 100644 delete_files_pattern($1, dnsmasq_var_run_t, dnsmasq_var_run_t) ') -@@ -163,17 +203,80 @@ interface(`dnsmasq_delete_pid_files',` + ######################################## + ## +-## Read dnsmasq pid files ++## Manage dnsmasq pid files + ## + ## + ## +@@ -163,17 +203,99 @@ interface(`dnsmasq_delete_pid_files',` ## ## # --# ++interface(`dnsmasq_manage_pid_files',` ++ gen_require(` ++ type dnsmasq_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ manage_files_pattern($1, dnsmasq_var_run_t, dnsmasq_var_run_t) ++') ++ ++######################################## ++## ++## Read dnsmasq pid files ++## ++## ++## ++## Domain allowed access. ++## ++## + # interface(`dnsmasq_read_pid_files',` gen_require(` type dnsmasq_var_run_t; @@ -16145,7 +16198,7 @@ index 9bd812b..9b48f71 100644 ## All of the rules required to administrate ## an dnsmasq environment ## -@@ -193,10 +296,14 @@ interface(`dnsmasq_admin',` +@@ -193,10 +315,14 @@ interface(`dnsmasq_admin',` gen_require(` type dnsmasq_t, dnsmasq_lease_t, dnsmasq_var_run_t; type dnsmasq_initrc_exec_t; @@ -16161,7 +16214,7 @@ index 9bd812b..9b48f71 100644 init_labeled_script_domtrans($1, dnsmasq_initrc_exec_t) domain_system_change_exemption($1) -@@ -208,4 +315,8 @@ interface(`dnsmasq_admin',` +@@ -208,4 +334,8 @@ interface(`dnsmasq_admin',` files_list_pids($1) admin_pattern($1, dnsmasq_var_run_t) @@ -16249,10 +16302,10 @@ index 0000000..9e231a8 +/var/run/dnssec.* gen_context(system_u:object_r:dnssec_trigger_var_run_t,s0) diff --git a/dnssec.if b/dnssec.if new file mode 100755 -index 0000000..a9dbcf2 +index 0000000..a952041 --- /dev/null +++ b/dnssec.if -@@ -0,0 +1,70 @@ +@@ -0,0 +1,64 @@ + +## policy for dnssec_trigger + 
@@ -16304,12 +16357,6 @@ index 0000000..a9dbcf2 +## Domain allowed access. +## +## -+## -+## -+## Role allowed access. -+## -+## -+## +# +interface(`dnssec_trigger_admin',` + gen_require(` @@ -16531,7 +16578,7 @@ index e1d7dc5..df96c0d 100644 admin_pattern($1, dovecot_var_run_t) diff --git a/dovecot.te b/dovecot.te -index 2df7766..53efc0b 100644 +index 2df7766..0e55b6d 100644 --- a/dovecot.te +++ b/dovecot.te @@ -18,7 +18,7 @@ type dovecot_auth_tmp_t; @@ -16623,8 +16670,11 @@ index 2df7766..53efc0b 100644 userdom_dontaudit_use_unpriv_user_fds(dovecot_t) userdom_manage_user_home_content_dirs(dovecot_t) userdom_manage_user_home_content_files(dovecot_t) -@@ -154,16 +164,31 @@ userdom_manage_user_home_content_sockets(dovecot_t) +@@ -152,18 +162,34 @@ userdom_manage_user_home_content_symlinks(dovecot_t) + userdom_manage_user_home_content_pipes(dovecot_t) + userdom_manage_user_home_content_sockets(dovecot_t) userdom_user_home_dir_filetrans_user_home_content(dovecot_t, { dir file lnk_file fifo_file sock_file }) ++mta_manage_home_rw(dovecot_t) mta_manage_spool(dovecot_t) +mta_read_home_rw(dovecot_t) @@ -16655,7 +16705,7 @@ index 2df7766..53efc0b 100644 seutil_sigchld_newrole(dovecot_t) ') -@@ -180,8 +205,8 @@ optional_policy(` +@@ -180,8 +206,8 @@ optional_policy(` # dovecot auth local policy # @@ -16666,7 +16716,7 @@ index 2df7766..53efc0b 100644 allow dovecot_auth_t self:fifo_file rw_fifo_file_perms; allow dovecot_auth_t self:unix_dgram_socket create_socket_perms; allow dovecot_auth_t self:unix_stream_socket create_stream_socket_perms; -@@ -190,6 +215,9 @@ allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_p +@@ -190,6 +216,9 @@ allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_p read_files_pattern(dovecot_auth_t, dovecot_passwd_t, dovecot_passwd_t) 
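Review bot: `mta_manage_home_rw(dovecot_t)` is added just above `mta_read_home_rw(dovecot_t)` in dovecot.te, and manage already implies read, so one of the two is redundant. If dovecot genuinely needs to write users' mail-home content keep the manage call and drop the read one; otherwise drop the manage call, which widens dovecot_t to create and delete those files. The new rule is also placed ahead of `mta_manage_spool` rather than with the other `mta_*` lines; if the original's blank line between the `userdom_*` block and the `mta_*` block survives, the rule belongs below it. The enclosing dovecot_t policy block continues outside the hunk.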
@@ -16676,7 +16726,7 @@ index 2df7766..53efc0b 100644 manage_dirs_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t) manage_files_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t) files_tmp_filetrans(dovecot_auth_t, dovecot_auth_tmp_t, { file dir }) -@@ -201,9 +229,12 @@ dovecot_stream_connect_auth(dovecot_auth_t) +@@ -201,9 +230,12 @@ dovecot_stream_connect_auth(dovecot_auth_t) kernel_read_all_sysctls(dovecot_auth_t) kernel_read_system_state(dovecot_auth_t) @@ -16689,7 +16739,7 @@ index 2df7766..53efc0b 100644 dev_read_urand(dovecot_auth_t) auth_domtrans_chk_passwd(dovecot_auth_t) -@@ -216,7 +247,8 @@ files_read_usr_files(dovecot_auth_t) +@@ -216,7 +248,8 @@ files_read_usr_files(dovecot_auth_t) files_read_usr_symlinks(dovecot_auth_t) files_read_var_lib_files(dovecot_auth_t) files_search_tmp(dovecot_auth_t) @@ -16699,7 +16749,7 @@ index 2df7766..53efc0b 100644 init_rw_utmp(dovecot_auth_t) -@@ -236,6 +268,8 @@ optional_policy(` +@@ -236,6 +269,8 @@ optional_policy(` optional_policy(` mysql_search_db(dovecot_auth_t) mysql_stream_connect(dovecot_auth_t) @@ -16708,7 +16758,7 @@ index 2df7766..53efc0b 100644 ') optional_policy(` -@@ -243,6 +277,8 @@ optional_policy(` +@@ -243,6 +278,8 @@ optional_policy(` ') optional_policy(` @@ -16717,7 +16767,7 @@ index 2df7766..53efc0b 100644 postfix_search_spool(dovecot_auth_t) ') -@@ -250,23 +286,42 @@ optional_policy(` +@@ -250,23 +287,42 @@ optional_policy(` # # dovecot deliver local policy # @@ -16762,7 +16812,7 @@ index 2df7766..53efc0b 100644 miscfiles_read_localization(dovecot_deliver_t) -@@ -283,24 +338,23 @@ userdom_manage_user_home_content_pipes(dovecot_deliver_t) +@@ -283,24 +339,23 @@ userdom_manage_user_home_content_pipes(dovecot_deliver_t) userdom_manage_user_home_content_sockets(dovecot_deliver_t) userdom_user_home_dir_filetrans_user_home_content(dovecot_deliver_t, { dir file lnk_file fifo_file sock_file }) 
@@ -18942,7 +18992,7 @@ index 9d3201b..6e75e3d 100644 + allow $1 ftpd_unit_file_t:service all_service_perms; ') diff --git a/ftp.te b/ftp.te -index 4285c83..2edc3a2 100644 +index 4285c83..d1b00d0 100644 --- a/ftp.te +++ b/ftp.te @@ -12,7 +12,7 @@ policy_module(ftp, 1.13.1) @@ -19181,7 +19231,7 @@ index 4285c83..2edc3a2 100644 ') tunable_policy(`ftp_home_dir && use_nfs_home_dirs',` -@@ -309,10 +353,34 @@ optional_policy(` +@@ -309,10 +353,35 @@ optional_policy(` ') optional_policy(` @@ -19195,6 +19245,7 @@ index 4285c83..2edc3a2 100644 - kerberos_manage_host_rcache(ftpd_t) + # this part of auth_use_pam + #kerberos_manage_host_rcache(ftpd_t) ++ kerberos_tmp_filetrans_host_rcache(ftpd_t, "host_0") +') + +optional_policy(` @@ -19217,7 +19268,7 @@ index 4285c83..2edc3a2 100644 ') optional_policy(` -@@ -347,16 +415,17 @@ optional_policy(` +@@ -347,16 +416,17 @@ optional_policy(` # Allow ftpdctl to talk to ftpd over a socket connection stream_connect_pattern(ftpdctl_t, ftpd_var_run_t, ftpd_var_run_t, ftpd_t) @@ -19237,7 +19288,7 @@ index 4285c83..2edc3a2 100644 ######################################## # -@@ -365,18 +434,33 @@ userdom_use_user_terminals(ftpdctl_t) +@@ -365,18 +435,33 @@ userdom_use_user_terminals(ftpdctl_t) files_read_etc_files(sftpd_t) @@ -19274,7 +19325,7 @@ index 4285c83..2edc3a2 100644 ') tunable_policy(`sftpd_enable_homedirs && use_nfs_home_dirs',` -@@ -394,19 +478,7 @@ tunable_policy(`sftpd_enable_homedirs && use_samba_home_dirs',` +@@ -394,19 +479,7 @@ tunable_policy(`sftpd_enable_homedirs && use_samba_home_dirs',` tunable_policy(`sftpd_full_access',` allow sftpd_t self:capability { dac_override dac_read_search }; fs_read_noxattr_fs_files(sftpd_t) 
@@ -20117,6 +20168,290 @@ index 4afb81f..842165a 100644 fs_getattr_xattr_fs(glance_api_t) - -libs_exec_ldconfig(glance_api_t) +diff --git a/glusterd.fc b/glusterd.fc +new file mode 100644 +index 0000000..6418e39 +--- /dev/null ++++ b/glusterd.fc +@@ -0,0 +1,16 @@ ++ ++/etc/rc\.d/init\.d/glusterd -- gen_context(system_u:object_r:glusterd_initrc_exec_t,s0) ++ ++/etc/glusterfs(/.*)? gen_context(system_u:object_r:glusterd_etc_t,s0) ++/etc/glusterd(/.*)? gen_context(system_u:object_r:glusterd_etc_t,s0) ++ ++/usr/sbin/glusterd -- gen_context(system_u:object_r:glusterd_initrc_exec_t,s0) ++/usr/sbin/glusterfsd -- gen_context(system_u:object_r:glusterd_exec_t,s0) ++ ++/opt/glusterfs/[^/]+/sbin/glusterfsd -- gen_context(system_u:object_r:glusterd_exec_t,s0) ++ ++/var/log/glusterfs(/.*)? gen_context(system_u:object_r:glusterd_log_t,s0) ++ ++/var/run/glusterd(/.*)? gen_context(system_u:object_r:glusterd_var_run_t,s0) ++/var/run/glusterd\.pid -- gen_context(system_u:object_r:glusterd_var_run_t,s0) ++ +diff --git a/glusterd.if b/glusterd.if +new file mode 100644 +index 0000000..e15bbb0 +--- /dev/null ++++ b/glusterd.if +@@ -0,0 +1,146 @@ ++ ++## policy for glusterd ++ ++ ++######################################## ++## ++## Transition to glusterd. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`glusterd_domtrans',` ++ gen_require(` ++ type glusterd_t, glusterd_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1, glusterd_exec_t, glusterd_t) ++') ++ ++ ++######################################## ++## ++## Execute glusterd server in the glusterd domain. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`glusterd_initrc_domtrans',` ++ gen_require(` ++ type glusterd_initrc_exec_t; ++ ') ++ ++ init_labeled_script_domtrans($1, glusterd_initrc_exec_t) ++') ++ ++ ++######################################## ++## ++## Read glusterd's log files. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++## ++# ++interface(`glusterd_read_log',` ++ gen_require(` ++ type glusterd_log_t; ++ ') ++ ++ logging_search_logs($1) ++ read_files_pattern($1, glusterd_log_t, glusterd_log_t) ++') ++ ++######################################## ++## ++## Append to glusterd log files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`glusterd_append_log',` ++ gen_require(` ++ type glusterd_log_t; ++ ') ++ ++ logging_search_logs($1) ++ append_files_pattern($1, glusterd_log_t, glusterd_log_t) ++') ++ ++######################################## ++## ++## Manage glusterd log files ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`glusterd_manage_log',` ++ gen_require(` ++ type glusterd_log_t; ++ ') ++ ++ logging_search_logs($1) ++ manage_dirs_pattern($1, glusterd_log_t, glusterd_log_t) ++ manage_files_pattern($1, glusterd_log_t, glusterd_log_t) ++ manage_lnk_files_pattern($1, glusterd_log_t, glusterd_log_t) ++') ++ ++######################################## ++## ++## All of the rules required to administrate ++## an glusterd environment ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## Role allowed access. 
++## ++## ++## ++# ++interface(`glusterd_admin',` ++ gen_require(` ++ type glusterd_t; ++ type glusterd_initrc_exec_t; ++ type glusterd_log_t; ++ type glusterd_tmp_t; ++ type glusterd_etc_t; ++ ') ++ ++ allow $1 glusterd_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, glusterd_t) ++ ++ glusterd_initrc_domtrans($1) ++ domain_system_change_exemption($1) ++ role_transition $2 glusterd_initrc_exec_t system_r; ++ allow $2 system_r; ++ ++ logging_search_logs($1) ++ admin_pattern($1, glusterd_log_t) ++ ++ admin_pattern($1, glusterd_tmp_t) ++ ++ admin_pattern($1, glusterd_etc_t) ++ ++') ++ +diff --git a/glusterd.te b/glusterd.te +new file mode 100644 +index 0000000..8dfb74a +--- /dev/null ++++ b/glusterd.te +@@ -0,0 +1,104 @@ ++policy_module(glusterd, 1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++type glusterd_t; ++type glusterd_exec_t; ++init_daemon_domain(glusterd_t, glusterd_exec_t) ++ ++type glusterd_etc_t; ++files_type(glusterd_etc_t) ++ ++type glusterd_tmp_t; ++files_tmp_file(glusterd_tmp_t) ++ ++type glusterd_initrc_exec_t; ++init_script_file(glusterd_initrc_exec_t) ++ ++type glusterd_log_t; ++logging_log_file(glusterd_log_t) ++ ++type glusterd_var_run_t; ++files_pid_file(glusterd_var_run_t) ++ ++type glusterd_var_lib_t; ++files_type(glusterd_var_lib_t); ++ ++ ++######################################## ++# ++# glusterd local policy ++# ++ ++allow glusterd_t self:capability { net_bind_service sys_admin dac_override chown dac_read_search fowner }; ++allow glusterd_t self:process { setrlimit signal }; ++allow glusterd_t self:capability sys_resource; ++ ++allow glusterd_t self:fifo_file rw_fifo_file_perms; ++allow glusterd_t self:netlink_route_socket r_netlink_socket_perms; ++allow glusterd_t self:tcp_socket create_stream_socket_perms; ++allow glusterd_t self:udp_socket create_socket_perms; ++allow glusterd_t self:unix_stream_socket create_stream_socket_perms; ++allow glusterd_t self:unix_dgram_socket 
create_socket_perms; ++ ++manage_dirs_pattern(glusterd_t, glusterd_tmp_t, glusterd_tmp_t) ++manage_files_pattern(glusterd_t, glusterd_tmp_t, glusterd_tmp_t) ++manage_sock_files_pattern(glusterd_t, glusterd_tmp_t, glusterd_tmp_t) ++files_tmp_filetrans(glusterd_t, glusterd_tmp_t, { dir file sock_file }) ++userdom_user_tmp_filetrans(glusterd_t, glusterd_tmp_t, { dir file sock_file }) ++ ++manage_dirs_pattern(glusterd_t, glusterd_log_t, glusterd_log_t) ++manage_files_pattern(glusterd_t, glusterd_log_t, glusterd_log_t) ++logging_log_filetrans(glusterd_t, glusterd_log_t, { dir file }) ++ ++manage_dirs_pattern(glusterd_t, glusterd_var_run_t, glusterd_var_run_t) ++manage_files_pattern(glusterd_t, glusterd_var_run_t, glusterd_var_run_t) ++files_pid_filetrans(glusterd_t, glusterd_var_run_t, { dir file }) ++ ++manage_dirs_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t) ++manage_files_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t) ++files_var_lib_filetrans(glusterd_t, glusterd_var_lib_t, { dir file }) ++ ++manage_dirs_pattern(glusterd_t, glusterd_etc_t, glusterd_etc_t) ++manage_files_pattern(glusterd_t, glusterd_etc_t, glusterd_etc_t) ++files_etc_filetrans(glusterd_t, glusterd_etc_t, { dir file }, "glusterfs") ++ ++can_exec(glusterd_t, glusterd_exec_t) ++ ++kernel_read_system_state(glusterd_t) ++ ++corecmd_exec_bin(glusterd_t) ++corecmd_exec_shell(glusterd_t) ++ ++domain_use_interactive_fds(glusterd_t) ++ ++corenet_tcp_bind_generic_node(glusterd_t) ++corenet_tcp_bind_generic_port(glusterd_t) ++corenet_tcp_bind_all_reserved_ports(glusterd_t) ++corenet_udp_bind_all_rpc_ports(glusterd_t) ++corenet_tcp_connect_unreserved_ports(glusterd_t) ++corenet_udp_bind_generic_node(glusterd_t) ++corenet_udp_bind_ipp_port(glusterd_t) ++ ++dev_read_sysfs(glusterd_t) ++dev_read_urand(glusterd_t) ++ ++files_read_etc_files(glusterd_t) ++files_read_usr_files(glusterd_t) ++files_rw_pid_dirs(glusterd_t) ++ ++# Why is this needed ++#files_manage_urandom_seed(glusterd_t) ++ 
++auth_use_nsswitch(glusterd_t) ++ ++logging_send_syslog_msg(glusterd_t) ++ ++miscfiles_read_localization(glusterd_t) ++ ++sysnet_read_config(glusterd_t) ++ ++userdom_manage_user_home_dirs(glusterd_t) diff --git a/gnome.fc b/gnome.fc index 00a19e3..17006fc 100644 --- a/gnome.fc @@ -20179,7 +20514,7 @@ index 00a19e3..17006fc 100644 +/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) +/usr/libexec/kde(3|4)/ksysguardprocesslist_helper -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) diff --git a/gnome.if b/gnome.if -index f5afe78..e283f63 100644 +index f5afe78..8da3abc 100644 --- a/gnome.if +++ b/gnome.if @@ -1,44 +1,937 @@ @@ -21179,10 +21514,11 @@ index f5afe78..e283f63 100644 + list_dirs_pattern($1, config_home_t, config_home_t) + read_files_pattern($1, config_home_t, config_home_t) + read_lnk_files_pattern($1, config_home_t, config_home_t) -+') -+ -+####################################### -+## + ') + + ####################################### + ## +-## Create, read, write, and delete gconf config files. +## delete gnome homedir content (.config) +## +## @@ -21197,11 +21533,10 @@ index f5afe78..e283f63 100644 + ') + + delete_files_pattern($1, config_home_t, config_home_t) - ') - - ####################################### - ## --## Create, read, write, and delete gconf config files. ++') ++ ++####################################### ++## +## setattr gnome homedir content (.config) +## +## @@ -21374,7 +21709,7 @@ index f5afe78..e283f63 100644 ## ## ## -@@ -140,51 +1149,307 @@ interface(`gnome_domtrans_gconfd',` +@@ -140,51 +1149,302 @@ interface(`gnome_domtrans_gconfd',` ## ## # @@ -21551,11 +21886,6 @@ index f5afe78..e283f63 100644 +## Domain allowed access +## +## -+## -+## -+## The role to be allowed the gkeyring domain. -+## -+## +# +interface(`gnome_transition_gkeyringd',` + gen_require(` @@ -24086,10 +24416,10 @@ index 0000000..1725b7e + 
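Review bot: glusterd.te declares `glusterd_var_lib_t` and gives glusterd_t a `files_var_lib_filetrans` for it, but glusterd.fc has no `/var/lib` entry, so state that already exists on disk or is restored by a relabel stays var_lib_t and only files the daemon creates at runtime get the new type; an fc line is needed, for example `/var/lib/glusterd(/.*)? gen_context(system_u:object_r:glusterd_var_lib_t,s0)` if that is where glusterd keeps its state (constructed path, confirm against the package). In the same vein, `glusterd_admin` requires and applies `admin_pattern` only to the log, tmp and etc types, leaving `glusterd_var_run_t` and `glusterd_var_lib_t` outside the admin role's reach. `files_type(glusterd_var_lib_t);` carries a trailing semicolon unlike the other declarations above it, and `/usr/sbin/glusterd` is labelled `glusterd_initrc_exec_t` while `glusterfsd` gets `glusterd_exec_t`, which deserves a comment if intentional since an init-script label on a daemon binary is unusual.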
diff --git a/jetty.if b/jetty.if new file mode 100644 -index 0000000..9f09101 +index 0000000..2abc285 --- /dev/null +++ b/jetty.if -@@ -0,0 +1,273 @@ +@@ -0,0 +1,268 @@ + +## policy for jetty + @@ -24336,11 +24666,6 @@ index 0000000..9f09101 +## Domain allowed access. +## +## -+## -+## -+## Role allowed access. -+## -+## +## +# +interface(`jetty_admin',` @@ -24408,10 +24733,10 @@ index 0000000..274cdec +/var/log/jockey\.log -- gen_context(system_u:object_r:jockey_var_log_t,s0) diff --git a/jockey.if b/jockey.if new file mode 100644 -index 0000000..fb58f33 +index 0000000..868c7d0 --- /dev/null +++ b/jockey.if -@@ -0,0 +1,132 @@ +@@ -0,0 +1,126 @@ + +## policy for jockey + @@ -24521,12 +24846,6 @@ index 0000000..fb58f33 +## Domain allowed access. +## +## -+## -+## -+## Role allowed access. -+## -+## -+## +# +interface(`jockey_admin',` + gen_require(` @@ -24873,7 +25192,7 @@ index 3525d24..ee0a3d5 100644 +/var/tmp/ldap_487 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0) +/var/tmp/ldap_55 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0) diff --git a/kerberos.if b/kerberos.if -index 604f67b..8714225 100644 +index 604f67b..ebebcd5 100644 --- a/kerberos.if +++ b/kerberos.if @@ -84,7 +84,7 @@ interface(`kerberos_use',` @@ -24926,7 +25245,7 @@ index 604f67b..8714225 100644 ## Create a derived type for kerberos keytab ## ## -@@ -282,38 +302,25 @@ interface(`kerberos_manage_host_rcache',` +@@ -282,42 +302,21 @@ interface(`kerberos_manage_host_rcache',` # does not work in conditionals domain_obj_id_change_exemption($1) @@ -24943,10 +25262,10 @@ index 604f67b..8714225 100644 + manage_files_pattern($1, krb5_host_rcache_t, krb5_host_rcache_t) files_search_tmp($1) ') --') + ') --######################################## --## + ######################################## + ## -## Connect to krb524 service -## -## 
@@ -24965,17 +25284,14 @@ index 604f67b..8714225 100644 - corenet_udp_sendrecv_kerberos_master_port($1) - corenet_sendrecv_kerberos_master_client_packets($1) - ') -+ kerberos_tmp_filetrans_host_rcache($1, "host_0") -+ kerberos_tmp_filetrans_host_rcache($1, "HTTP_23") -+ kerberos_tmp_filetrans_host_rcache($1, "HTTP_48") -+ kerberos_tmp_filetrans_host_rcache($1, "nfs_0") -+ kerberos_tmp_filetrans_host_rcache($1, "ldapmap1_0") -+ kerberos_tmp_filetrans_host_rcache($1, "ldap_487") -+ kerberos_tmp_filetrans_host_rcache($1, "ldap_55") - ') - - ######################################## -@@ -338,18 +345,22 @@ interface(`kerberos_admin',` +-') +- +-######################################## +-## + ## All of the rules required to administrate + ## an kerberos environment + ## +@@ -338,18 +337,22 @@ interface(`kerberos_admin',` type kadmind_t, krb5kdc_t, kerberos_initrc_exec_t; type kadmind_log_t, kadmind_tmp_t, kadmind_var_run_t; type krb5_conf_t, krb5_keytab_t, krb5kdc_conf_t; @@ -25003,7 +25319,7 @@ index 604f67b..8714225 100644 ps_process_pattern($1, kpropd_t) init_labeled_script_domtrans($1, kerberos_initrc_exec_t) -@@ -378,3 +389,113 @@ interface(`kerberos_admin',` +@@ -378,3 +381,114 @@ interface(`kerberos_admin',` admin_pattern($1, krb5kdc_var_run_t) ') @@ -25024,6 +25340,7 @@ index 604f67b..8714225 100644 + type krb5_host_rcache_t; + ') + ++ manage_files_pattern($1, krb5_host_rcache_t, krb5_host_rcache_t) + files_tmp_filetrans($1, krb5_host_rcache_t, file, $2) +') + @@ -25384,10 +25701,10 @@ index 0000000..408d6c0 +/var/log/keystone(/.*)? gen_context(system_u:object_r:keystone_log_t,s0) diff --git a/keystone.if b/keystone.if new file mode 100644 -index 0000000..c7a5aeb +index 0000000..f20248c --- /dev/null +++ b/keystone.if -@@ -0,0 +1,224 @@ +@@ -0,0 +1,218 @@ + +## policy for keystone + @@ -25580,12 +25897,6 @@ index 0000000..c7a5aeb +## Domain allowed access. +## +## -+## -+## -+## Role allowed access. -+## -+## -+## +# +interface(`keystone_admin',` + gen_require(` 
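Review bot: The interface that closes at the end of this hunk (presumably `kerberos_tmp_filetrans_host_rcache`, given its `$2` name argument and the callers in ldap.te and policykit.te) stops being a pure name transition once `manage_files_pattern($1, krb5_host_rcache_t, krb5_host_rcache_t)` is placed in front of `files_tmp_filetrans($1, krb5_host_rcache_t, file, $2)`: every caller now gets create/write/unlink on every host replay cache in /var/tmp, not just the one it names. The interface summary (outside the hunk) should say so, e.g. `## Create a named kerberos host replay cache in /var/tmp and manage all host rcache files`, and callers that still pair it with `kerberos_manage_host_rcache` (policykit.te, sssd.te and telnet.te in this patch) now carry a redundant call. Unlike `kerberos_manage_host_rcache`, which calls `files_search_tmp($1)`, this interface grants no search on the tmp directory, so domains that were switched to it alone (squid_t, saslauthd_t, rlogind_t elsewhere in this patch) depend on obtaining that access somewhere else; adding `files_search_tmp($1)` here would make it self-contained.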
@@ -26336,7 +26647,7 @@ index 3aa8fa7..9539b76 100644 + allow $1 ldap_unit_file_t:service all_service_perms; ') diff --git a/ldap.te b/ldap.te -index 64fd1ff..0f5d0b7 100644 +index 64fd1ff..47c43ab 100644 --- a/ldap.te +++ b/ldap.te @@ -10,7 +10,7 @@ type slapd_exec_t; @@ -26404,6 +26715,16 @@ index 64fd1ff..0f5d0b7 100644 logging_send_syslog_msg(slapd_t) +@@ -117,6 +135,9 @@ userdom_dontaudit_search_user_home_dirs(slapd_t) + + optional_policy(` + kerberos_keytab_template(slapd, slapd_t) ++ kerberos_tmp_filetrans_host_rcache(slapd_t, "ldapmap1_0") ++ kerberos_tmp_filetrans_host_rcache(slapd_t, "ldap_487") ++ kerberos_tmp_filetrans_host_rcache(slapd_t, "ldap_55") + ') + + optional_policy(` diff --git a/likewise.fc b/likewise.fc index 057a4e4..57491fc 100644 --- a/likewise.fc @@ -27795,10 +28116,10 @@ index 0000000..2907017 +/var/cache/man2html(/.*)? gen_context(system_u:object_r:httpd_man2html_script_cache_t,s0) diff --git a/man2html.if b/man2html.if new file mode 100644 -index 0000000..68fddff +index 0000000..050157a --- /dev/null +++ b/man2html.if -@@ -0,0 +1,133 @@ +@@ -0,0 +1,127 @@ + +## policy for httpd_man2html_script + @@ -27909,12 +28230,6 @@ index 0000000..68fddff +## Domain allowed access. +## +## -+## -+## -+## Role allowed access. -+## -+## -+## +# +interface(`httpd_man2html_script_admin',` + gen_require(` @@ -28811,10 +29126,10 @@ index 0000000..8d0e473 +/var/cache/mock(/.*)? gen_context(system_u:object_r:mock_cache_t,s0) diff --git a/mock.if b/mock.if new file mode 100644 -index 0000000..1d76fb8 +index 0000000..7f6f2d6 --- /dev/null +++ b/mock.if -@@ -0,0 +1,313 @@ +@@ -0,0 +1,307 @@ +## policy for mock + +######################################## @@ -29096,12 +29411,6 @@ index 0000000..1d76fb8 +## Domain allowed access. +## +## -+## -+## -+## Role allowed access. -+## -+## -+## +# +interface(`mock_admin',` + gen_require(` @@ -29438,10 +29747,19 @@ index b3ace16..83392b6 100644 optional_policy(` udev_read_db(modemmanager_t) 
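Review bot: The three calls `kerberos_tmp_filetrans_host_rcache(slapd_t, "ldapmap1_0")`, `"ldap_487"` and `"ldap_55"` (matched by the `/var/tmp/ldap_487` and `/var/tmp/ldap_55` entries added to kerberos.fc in this patch) hard-code what look like service_uid replay-cache names, so a deployment whose ldap account has a different uid gets its rcache created as plain tmp content and neither the transition nor the file context applies. A comment recording where the numbers come from, e.g. `# rcache names are <principal>_<uid>; 55 is the ldap uid from the setup package, 487: origin to confirm`, would keep the next reader from treating them as arbitrary. The enclosing `optional_policy(` block for `kerberos_keytab_template(slapd, slapd_t)` lies fully inside the hunk.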
diff --git a/mojomojo.if b/mojomojo.if -index 657a9fc..0b9bf04 100644 +index 657a9fc..6be094b 100644 --- a/mojomojo.if +++ b/mojomojo.if -@@ -19,18 +19,23 @@ +@@ -10,27 +10,26 @@ + ## Domain allowed access. + ## + ## +-## +-## +-## Role allowed access. +-## +-## +-## # interface(`mojomojo_admin',` gen_require(` @@ -29828,7 +30146,7 @@ index b397fde..30bfefb 100644 +') + diff --git a/mozilla.te b/mozilla.te -index 0724816..7ccc738 100644 +index 0724816..c1fa8ea 100644 --- a/mozilla.te +++ b/mozilla.te @@ -12,14 +12,22 @@ policy_module(mozilla, 2.5.3) @@ -30129,7 +30447,7 @@ index 0724816..7ccc738 100644 optional_policy(` alsa_read_rw_config(mozilla_plugin_t) -@@ -422,35 +463,134 @@ optional_policy(` +@@ -422,35 +463,135 @@ optional_policy(` optional_policy(` dbus_system_bus_client(mozilla_plugin_t) dbus_session_bus_client(mozilla_plugin_t) @@ -30188,6 +30506,7 @@ index 0724816..7ccc738 100644 +optional_policy(` + xserver_xdm_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file sock_file }) + xserver_dontaudit_read_xdm_tmp_files(mozilla_plugin_t) ++ xserver_dontaudit_xdm_tmp_dirs(mozilla_plugin_t) xserver_read_xdm_pid(mozilla_plugin_t) xserver_stream_connect(mozilla_plugin_t) xserver_use_user_fonts(mozilla_plugin_t) @@ -30664,7 +30983,7 @@ index afa18c8..f6e2bb8 100644 +/var/spool/mqueue\.in(/.*)? gen_context(system_u:object_r:mqueue_spool_t,s0) /var/spool/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0) diff --git a/mta.if b/mta.if -index 4e2a5ba..12b951c 100644 +index 4e2a5ba..d5a1725 100644 --- a/mta.if +++ b/mta.if @@ -37,6 +37,7 @@ interface(`mta_stub',` @@ -31071,7 +31390,7 @@ index 4e2a5ba..12b951c 100644 ## Read sendmail binary. ## ## -@@ -901,3 +983,143 @@ interface(`mta_rw_user_mail_stream_sockets',` +@@ -901,3 +983,169 @@ interface(`mta_rw_user_mail_stream_sockets',` allow $1 user_mail_domain:unix_stream_socket rw_socket_perms; ') 
@@ -31146,6 +31465,32 @@ index 4e2a5ba..12b951c 100644 + ') +') + ++#################################### ++## ++## Allow domain to manage mail content in the homedir ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`mta_manage_home_rw',` ++ gen_require(` ++ type mail_home_rw_t; ++ ') ++ ++ userdom_search_user_home_dirs($1) ++ manage_files_pattern($1, mail_home_rw_t, mail_home_rw_t) ++ manage_dirs_pattern($1, mail_home_rw_t, mail_home_rw_t) ++ userdom_user_home_dir_filetrans($1, mail_home_rw_t, dir, "Maildir") ++ ++ ifdef(`distro_redhat',` ++ userdom_search_admin_dir($1) ++ userdom_admin_home_dir_filetrans($1, mail_home_rw_t, dir, "Maildir") ++ ') ++') ++ +######################################## +## +## create mail content in the in the /root directory @@ -31166,7 +31511,7 @@ index 4e2a5ba..12b951c 100644 + userdom_admin_home_dir_filetrans($1, mail_home_t, file, "dead.letter") + userdom_admin_home_dir_filetrans($1, mail_home_t, file, ".mailrc") + userdom_admin_home_dir_filetrans($1, mail_home_t, file, ".forward") -+ userdom_admin_home_dir_filetrans($1, mail_home_rw_t, file, "Maildir") ++ userdom_admin_home_dir_filetrans($1, mail_home_rw_t, dir, "Maildir") + userdom_admin_home_dir_filetrans($1, mail_home_rw_t, file, ".esmtp_queue") +') + @@ -31189,7 +31534,7 @@ index 4e2a5ba..12b951c 100644 + userdom_user_home_dir_filetrans($1, mail_home_t, file, ".mailrc") + userdom_user_home_dir_filetrans($1, mail_home_t, file, "dead.letter") + userdom_user_home_dir_filetrans($1, mail_home_t, file, ".forward") -+ userdom_user_home_dir_filetrans($1, mail_home_rw_t, file, "Maildir") ++ userdom_user_home_dir_filetrans($1, mail_home_rw_t, dir, "Maildir") + userdom_user_home_dir_filetrans($1, mail_home_rw_t, file, ".esmtp_queue") +') + @@ -35642,10 +35987,10 @@ index 0000000..be6fcb0 +/var/run/numad\.pid -- gen_context(system_u:object_r:numad_var_run_t,s0) diff --git a/numad.if b/numad.if new file mode 100644 -index 0000000..77a3112 +index 0000000..709dda1 
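Review bot: `mta_manage_home_rw` combines `manage_files_pattern`/`manage_dirs_pattern` on `mail_home_rw_t` with `userdom_search_user_home_dirs($1)`, and since `mail_home_rw_t` is a single type shared by all users' home content the caller can create, modify and delete the Maildir of every user on the system, not only that of the invoking user; the summary `## Allow domain to manage mail content in the homedir` should state that scope so the interface is only handed to system delivery agents. The `ifdef(`distro_redhat',` branch widens this further to the administrator's home via `userdom_search_admin_dir($1)` and a `Maildir` transition there, which deserves a one-line comment such as `# on Fedora/RHEL root's Maildir lives under /root, not under /home`. The interface is complete within the hunk.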
--- /dev/null +++ b/numad.if -@@ -0,0 +1,78 @@ +@@ -0,0 +1,72 @@ + +## policy for numad + @@ -35702,12 +36047,6 @@ index 0000000..77a3112 +## Domain allowed access. +## +## -+## -+## -+## Role allowed access. -+## -+## -+## +# +interface(`numad_admin',` + gen_require(` @@ -37891,7 +38230,7 @@ index 5702ca4..498d856 100644 /var/run/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_var_run_t,s0) /var/spool/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_spool_t,s0) diff --git a/plymouthd.if b/plymouthd.if -index 9759ed8..f8d254a 100644 +index 9759ed8..17c097d 100644 --- a/plymouthd.if +++ b/plymouthd.if @@ -120,7 +120,7 @@ interface(`plymouthd_search_spool', ` @@ -37903,10 +38242,12 @@ index 9759ed8..f8d254a 100644 gen_require(` type plymouthd_spool_t; ') -@@ -228,6 +228,48 @@ interface(`plymouthd_read_pid_files', ` +@@ -228,20 +228,56 @@ interface(`plymouthd_read_pid_files', ` ######################################## ## +-## All of the rules required to administrate +-## an plymouthd environment +## Allow the specified domain to read +## to plymouthd log files. +## @@ -37929,12 +38270,13 @@ index 9759ed8..f8d254a 100644 +## +## Allow the specified domain to manage +## to plymouthd log files. -+## -+## -+## -+## Domain allowed access. -+## -+## + ## + ## + ## + ## Domain allowed access. + ## + ## +-## +# +interface(`plymouthd_manage_log',` + gen_require(` @@ -37949,10 +38291,20 @@ index 9759ed8..f8d254a 100644 + +######################################## +## - ## All of the rules required to administrate - ## an plymouthd environment - ## -@@ -249,12 +291,17 @@ interface(`plymouthd_admin', ` ++## All of the rules required to administrate ++## an plymouthd environment ++## ++## + ## +-## Role allowed access. ++## Domain allowed access. + ## + ## +-## + # + interface(`plymouthd_admin', ` + gen_require(` +@@ -249,12 +285,17 @@ interface(`plymouthd_admin', ` type plymouthd_var_run_t; ') 
@@ -38243,7 +38595,7 @@ index 48ff1e8..be00a65 100644 + allow $1 policykit_auth_t:process signal; ') diff --git a/policykit.te b/policykit.te -index 44db896..11800bb 100644 +index 44db896..9e61080 100644 --- a/policykit.te +++ b/policykit.te @@ -1,51 +1,73 @@ @@ -38298,7 +38650,7 @@ index 44db896..11800bb 100644 +# policykit_domain local policy +# + -+allow policykit_domain self:process getattr; ++allow policykit_domain self:process { execmem getattr }; +allow policykit_domain self:fifo_file rw_fifo_file_perms; + +dev_read_sysfs(policykit_domain) @@ -38333,7 +38685,7 @@ index 44db896..11800bb 100644 rw_files_pattern(policykit_t, policykit_reload_t, policykit_reload_t) policykit_domtrans_resolve(policykit_t) -@@ -56,56 +78,111 @@ manage_dirs_pattern(policykit_t, policykit_var_run_t, policykit_var_run_t) +@@ -56,56 +78,112 @@ manage_dirs_pattern(policykit_t, policykit_var_run_t, policykit_var_run_t) manage_files_pattern(policykit_t, policykit_var_run_t, policykit_var_run_t) files_pid_filetrans(policykit_t, policykit_var_run_t, { file dir }) @@ -38377,6 +38729,7 @@ index 44db896..11800bb 100644 +') + +optional_policy(` ++ kerberos_tmp_filetrans_host_rcache(policykit_t, "host_0") + kerberos_manage_host_rcache(policykit_t) +') + @@ -38457,11 +38810,12 @@ index 44db896..11800bb 100644 dbus_session_bus_client(policykit_auth_t) optional_policy(` -@@ -118,14 +195,25 @@ optional_policy(` +@@ -118,14 +196,26 @@ optional_policy(` hal_read_state(policykit_auth_t) ') +optional_policy(` ++ kerberos_tmp_filetrans_host_rcache(policykit_auth_t, "host_0") + kerberos_manage_host_rcache(policykit_auth_t) +') + 
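Review bot: `allow policykit_domain self:process { execmem getattr };` grants anonymous executable memory to every domain carrying the `policykit_domain` attribute, and execmem removes the W^X guarantee that makes memory-corruption bugs in those daemons harder to turn into code execution. If only the main polkit daemon needs it (presumably for an embedded script engine, which the hunk does not say), scope it to that domain, e.g. `allow policykit_t self:process execmem;`, and leave the attribute with `getattr` only. In either case add a why-comment next to the rule, e.g. `# execmem: required by <binary, confirm from the audit denial>`, since nothing in the hunk records which program triggered it.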
@@ -38485,7 +38839,7 @@ index 44db896..11800bb 100644 allow policykit_grant_t self:unix_dgram_socket create_socket_perms; allow policykit_grant_t self:unix_stream_socket create_stream_socket_perms; -@@ -145,19 +233,18 @@ manage_files_pattern(policykit_grant_t, policykit_var_lib_t, policykit_var_lib_t +@@ -145,19 +235,18 @@ manage_files_pattern(policykit_grant_t, policykit_var_lib_t, policykit_var_lib_t files_read_etc_files(policykit_grant_t) files_read_usr_files(policykit_grant_t) @@ -38510,7 +38864,7 @@ index 44db896..11800bb 100644 consolekit_dbus_chat(policykit_grant_t) ') ') -@@ -167,9 +254,8 @@ optional_policy(` +@@ -167,9 +256,8 @@ optional_policy(` # polkit_resolve local policy # @@ -38522,7 +38876,7 @@ index 44db896..11800bb 100644 allow policykit_resolve_t self:unix_dgram_socket create_socket_perms; allow policykit_resolve_t self:unix_stream_socket create_stream_socket_perms; -@@ -185,14 +271,8 @@ corecmd_search_bin(policykit_resolve_t) +@@ -185,14 +273,8 @@ corecmd_search_bin(policykit_resolve_t) files_read_etc_files(policykit_resolve_t) files_read_usr_files(policykit_resolve_t) @@ -38537,7 +38891,7 @@ index 44db896..11800bb 100644 userdom_read_all_users_state(policykit_resolve_t) optional_policy(` -@@ -207,4 +287,3 @@ optional_policy(` +@@ -207,4 +289,3 @@ optional_policy(` kernel_search_proc(policykit_resolve_t) hal_read_state(policykit_resolve_t) ') @@ -39740,7 +40094,7 @@ index 46bee12..99499ef 100644 + postfix_config_filetrans($1, postfix_prng_t, file, "prng_exch") +') diff --git a/postfix.te b/postfix.te -index 69cbd06..c990292 100644 +index 69cbd06..2f19c1c 100644 --- a/postfix.te +++ b/postfix.te @@ -1,10 +1,19 @@ @@ -39955,10 +40309,14 @@ index 69cbd06..c990292 100644 optional_policy(` clamav_search_lib(postfix_local_t) -@@ -297,6 +334,10 @@ optional_policy(` +@@ -297,6 +334,14 @@ optional_policy(` ') optional_policy(` ++ dovecot_domtrans_deliver(postfix_local_t) ++') ++ ++optional_policy(` + dspam_domtrans(postfix_local_t) +') + 
@@ -39966,7 +40324,7 @@ index 69cbd06..c990292 100644 # for postalias mailman_manage_data_files(postfix_local_t) mailman_append_log(postfix_local_t) -@@ -304,9 +345,22 @@ optional_policy(` +@@ -304,9 +349,22 @@ optional_policy(` ') optional_policy(` @@ -39989,7 +40347,7 @@ index 69cbd06..c990292 100644 ######################################## # # Postfix map local policy -@@ -379,18 +433,24 @@ stream_connect_pattern(postfix_pickup_t, postfix_private_t, postfix_private_t, p +@@ -379,18 +437,24 @@ stream_connect_pattern(postfix_pickup_t, postfix_private_t, postfix_private_t, p rw_fifo_files_pattern(postfix_pickup_t, postfix_public_t, postfix_public_t) rw_sock_files_pattern(postfix_pickup_t, postfix_public_t, postfix_public_t) @@ -40015,7 +40373,7 @@ index 69cbd06..c990292 100644 allow postfix_pipe_t self:process setrlimit; write_sock_files_pattern(postfix_pipe_t, postfix_private_t, postfix_private_t) -@@ -401,6 +461,8 @@ rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t) +@@ -401,6 +465,8 @@ rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t) domtrans_pattern(postfix_pipe_t, postfix_postdrop_exec_t, postfix_postdrop_t) @@ -40024,7 +40382,7 @@ index 69cbd06..c990292 100644 optional_policy(` dovecot_domtrans_deliver(postfix_pipe_t) ') -@@ -420,6 +482,7 @@ optional_policy(` +@@ -420,6 +486,7 @@ optional_policy(` optional_policy(` spamassassin_domtrans_client(postfix_pipe_t) @@ -40032,7 +40390,7 @@ index 69cbd06..c990292 100644 ') optional_policy(` -@@ -436,11 +499,17 @@ allow postfix_postdrop_t self:capability sys_resource; +@@ -436,11 +503,17 @@ allow postfix_postdrop_t self:capability sys_resource; allow postfix_postdrop_t self:tcp_socket create; allow postfix_postdrop_t self:udp_socket create_socket_perms; 
@@ -40050,7 +40408,7 @@ index 69cbd06..c990292 100644 corenet_udp_sendrecv_generic_if(postfix_postdrop_t) corenet_udp_sendrecv_generic_node(postfix_postdrop_t) -@@ -487,8 +556,8 @@ write_fifo_files_pattern(postfix_postqueue_t, postfix_public_t, postfix_public_t +@@ -487,8 +560,8 @@ write_fifo_files_pattern(postfix_postqueue_t, postfix_public_t, postfix_public_t domtrans_pattern(postfix_postqueue_t, postfix_showq_exec_t, postfix_showq_t) # to write the mailq output, it really should not need read access! @@ -40061,7 +40419,7 @@ index 69cbd06..c990292 100644 init_sigchld_script(postfix_postqueue_t) init_use_script_fds(postfix_postqueue_t) -@@ -519,7 +588,11 @@ files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir) +@@ -519,7 +592,11 @@ files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir) allow postfix_qmgr_t postfix_spool_bounce_t:dir list_dir_perms; allow postfix_qmgr_t postfix_spool_bounce_t:file read_file_perms; @@ -40074,7 +40432,7 @@ index 69cbd06..c990292 100644 corecmd_exec_bin(postfix_qmgr_t) -@@ -539,7 +612,9 @@ postfix_list_spool(postfix_showq_t) +@@ -539,7 +616,9 @@ postfix_list_spool(postfix_showq_t) allow postfix_showq_t postfix_spool_maildrop_t:dir list_dir_perms; allow postfix_showq_t postfix_spool_maildrop_t:file read_file_perms; @@ -40085,7 +40443,7 @@ index 69cbd06..c990292 100644 # to write the mailq output, it really should not need read access! term_use_all_ptys(postfix_showq_t) -@@ -558,6 +633,8 @@ allow postfix_smtp_t postfix_prng_t:file rw_file_perms; +@@ -558,6 +637,8 @@ allow postfix_smtp_t postfix_prng_t:file rw_file_perms; allow postfix_smtp_t postfix_spool_t:file rw_file_perms; @@ -40094,7 +40452,7 @@ index 69cbd06..c990292 100644 files_search_all_mountpoints(postfix_smtp_t) optional_policy(` -@@ -565,6 +642,14 @@ optional_policy(` +@@ -565,6 +646,14 @@ optional_policy(` ') optional_policy(` 
@@ -40109,7 +40467,7 @@ index 69cbd06..c990292 100644 milter_stream_connect_all(postfix_smtp_t) ') -@@ -581,17 +666,25 @@ stream_connect_pattern(postfix_smtpd_t, { postfix_private_t postfix_public_t }, +@@ -581,17 +670,25 @@ stream_connect_pattern(postfix_smtpd_t, { postfix_private_t postfix_public_t }, corenet_tcp_connect_postfix_policyd_port(postfix_smtpd_t) # for prng_exch @@ -40136,7 +40494,7 @@ index 69cbd06..c990292 100644 ') optional_policy(` -@@ -599,6 +692,12 @@ optional_policy(` +@@ -599,6 +696,12 @@ optional_policy(` ') optional_policy(` @@ -40149,7 +40507,7 @@ index 69cbd06..c990292 100644 postgrey_stream_connect(postfix_smtpd_t) ') -@@ -611,7 +710,6 @@ optional_policy(` +@@ -611,7 +714,6 @@ optional_policy(` # Postfix virtual local policy # @@ -40157,7 +40515,7 @@ index 69cbd06..c990292 100644 allow postfix_virtual_t self:process { setsched setrlimit }; allow postfix_virtual_t postfix_spool_t:file rw_file_perms; -@@ -630,3 +728,75 @@ mta_delete_spool(postfix_virtual_t) +@@ -630,3 +732,75 @@ mta_delete_spool(postfix_virtual_t) # For reading spamassasin mta_read_config(postfix_virtual_t) mta_manage_spool(postfix_virtual_t) @@ -43277,10 +43635,10 @@ index 0000000..9108437 +/var/log/quantum(/.*)? gen_context(system_u:object_r:quantum_log_t,s0) diff --git a/quantum.if b/quantum.if new file mode 100644 -index 0000000..89e4bc5 +index 0000000..010b2be --- /dev/null +++ b/quantum.if -@@ -0,0 +1,224 @@ +@@ -0,0 +1,218 @@ +## Quantum is a virtual network service for Openstack + +######################################## @@ -43473,12 +43831,6 @@ index 0000000..89e4bc5 +## Domain allowed access. +## +## -+## -+## -+## Role allowed access. -+## -+## -+## +# +interface(`quantum_admin',` + gen_require(` @@ -46426,7 +46778,7 @@ index 63e78c6..fdd8228 100644 type rlogind_home_t; ') diff --git a/rlogin.te b/rlogin.te -index d654552..49dbcc4 100644 +index d654552..706700d 100644 --- a/rlogin.te +++ b/rlogin.te @@ -27,15 +27,14 @@ files_pid_file(rlogind_var_run_t) 
@@ -46466,7 +46818,7 @@ index d654552..49dbcc4 100644 files_read_etc_files(rlogind_t) files_read_etc_runtime_files(rlogind_t) -@@ -88,27 +88,23 @@ seutil_read_config(rlogind_t) +@@ -88,27 +88,24 @@ seutil_read_config(rlogind_t) userdom_setattr_user_ptys(rlogind_t) # cjp: this is egregious userdom_read_user_home_content_files(rlogind_t) @@ -46493,6 +46845,7 @@ index d654552..49dbcc4 100644 - fs_read_cifs_symlinks(rlogind_t) +optional_policy(` + kerberos_keytab_template(rlogind, rlogind_t) ++ kerberos_tmp_filetrans_host_rcache(rlogind_t, "host_0") + #part of auth_use_pam + #kerberos_manage_host_rcache(rlogind_t) ') @@ -49899,7 +50252,7 @@ index cfe3172..3eb745d 100644 + ') diff --git a/sanlock.te b/sanlock.te -index e02eb6c..d5d96e7 100644 +index e02eb6c..f1314b0 100644 --- a/sanlock.te +++ b/sanlock.te @@ -1,4 +1,4 @@ @@ -49931,15 +50284,27 @@ index e02eb6c..d5d96e7 100644 ## gen_tunable(sanlock_use_samba, false) -@@ -46,6 +46,7 @@ ifdef(`enable_mls',` +@@ -44,8 +44,9 @@ ifdef(`enable_mls',` # - allow sanlock_t self:capability { sys_nice ipc_lock }; - allow sanlock_t self:process { setsched signull }; + # sanlock local policy + # +-allow sanlock_t self:capability { sys_nice ipc_lock }; +-allow sanlock_t self:process { setsched signull }; ++allow sanlock_t self:capability { chown setgid dac_override ipc_lock sys_nice }; ++allow sanlock_t self:process { setsched signull signal }; + allow sanlock_t self:fifo_file rw_fifo_file_perms; allow sanlock_t self:unix_stream_socket create_stream_socket_perms; -@@ -67,6 +68,8 @@ storage_raw_rw_fixed_disk(sanlock_t) +@@ -58,6 +59,7 @@ manage_sock_files_pattern(sanlock_t, sanlock_var_run_t, sanlock_var_run_t) + files_pid_filetrans(sanlock_t, sanlock_var_run_t, { file dir sock_file }) + + kernel_read_system_state(sanlock_t) ++kernel_read_kernel_sysctls(sanlock_t) + + domain_use_interactive_fds(sanlock_t) + +@@ -67,6 +69,8 @@ storage_raw_rw_fixed_disk(sanlock_t) dev_read_urand(sanlock_t) 
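Review bot: The comment `#part of auth_use_pam` above the commented-out `#kerberos_manage_host_rcache(rlogind_t)` no longer tells the whole story, because the `kerberos_tmp_filetrans_host_rcache(rlogind_t, "host_0")` added just above it expands, with the kerberos.if change in this patch, to `manage_files_pattern` on `krb5_host_rcache_t` as well as the name transition, so rlogind_t does receive full manage access on all host replay caches through that call. Either delete the dead commented line or reword it, e.g. `# rcache manage perms come from kerberos_tmp_filetrans_host_rcache above`. The enclosing `optional_policy(` block ends within the hunk.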
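Review bot: `allow sanlock_t self:capability { chown setgid dac_override ipc_lock sys_nice };` adds `dac_override` without any comment, and that capability bypasses every DAC permission check for the daemon rather than one specific operation; if the need is to open lease files owned by another user, say so, e.g. `# dac_override: sanlock opens lease files owned by other users (see audit denial)`, and confirm that `dac_read_search` together with the new `chown`/`setgid` would not suffice. The `signal` added to `self:process { setsched signull signal }` in the same rule is benign but equally undocumented. `kernel_read_kernel_sysctls(sanlock_t)` in the following hunk of the same file also merits a one-liner naming the sysctl read.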
@@ -49948,7 +50313,7 @@ index e02eb6c..d5d96e7 100644 init_read_utmp(sanlock_t) init_dontaudit_write_utmp(sanlock_t) -@@ -75,19 +78,25 @@ logging_send_syslog_msg(sanlock_t) +@@ -75,19 +79,25 @@ logging_send_syslog_msg(sanlock_t) miscfiles_read_localization(sanlock_t) tunable_policy(`sanlock_use_nfs',` @@ -50014,7 +50379,7 @@ index f1aea88..3e6a93f 100644 admin_pattern($1, saslauthd_var_run_t) ') diff --git a/sasl.te b/sasl.te -index 9d9f8ce..15569f0 100644 +index 9d9f8ce..637b67c 100644 --- a/sasl.te +++ b/sasl.te @@ -10,7 +10,7 @@ policy_module(sasl, 1.14.0) @@ -50036,15 +50401,14 @@ index 9d9f8ce..15569f0 100644 type saslauthd_var_run_t; files_pid_file(saslauthd_var_run_t) -@@ -38,16 +35,19 @@ allow saslauthd_t self:unix_dgram_socket create_socket_perms; +@@ -38,16 +35,17 @@ allow saslauthd_t self:unix_dgram_socket create_socket_perms; allow saslauthd_t self:unix_stream_socket create_stream_socket_perms; allow saslauthd_t self:tcp_socket create_socket_perms; -allow saslauthd_t saslauthd_tmp_t:dir setattr; -manage_files_pattern(saslauthd_t, saslauthd_tmp_t, saslauthd_tmp_t) -files_tmp_filetrans(saslauthd_t, saslauthd_tmp_t, file) -+kerberos_tmp_filetrans_host_rcache(saslauthd_t) - +- +manage_dirs_pattern(saslauthd_t, saslauthd_var_run_t, saslauthd_var_run_t) manage_files_pattern(saslauthd_t, saslauthd_var_run_t, saslauthd_var_run_t) manage_sock_files_pattern(saslauthd_t, saslauthd_var_run_t, saslauthd_var_run_t) @@ -50060,7 +50424,7 @@ index 9d9f8ce..15569f0 100644 corenet_all_recvfrom_unlabeled(saslauthd_t) corenet_all_recvfrom_netlabel(saslauthd_t) -@@ -55,6 +55,7 @@ corenet_tcp_sendrecv_generic_if(saslauthd_t) +@@ -55,6 +53,7 @@ corenet_tcp_sendrecv_generic_if(saslauthd_t) corenet_tcp_sendrecv_generic_node(saslauthd_t) corenet_tcp_sendrecv_all_ports(saslauthd_t) corenet_tcp_connect_pop_port(saslauthd_t) 
@@ -50068,7 +50432,7 @@ index 9d9f8ce..15569f0 100644 corenet_sendrecv_pop_client_packets(saslauthd_t) dev_read_urand(saslauthd_t) -@@ -88,12 +89,13 @@ userdom_dontaudit_search_user_home_dirs(saslauthd_t) +@@ -88,11 +87,12 @@ userdom_dontaudit_search_user_home_dirs(saslauthd_t) # cjp: typeattribute doesnt work in conditionals auth_can_read_shadow_passwords(saslauthd_t) @@ -50078,11 +50442,10 @@ index 9d9f8ce..15569f0 100644 ') optional_policy(` ++ kerberos_tmp_filetrans_host_rcache(saslauthd_t, "host_0") kerberos_keytab_template(saslauthd, saslauthd_t) -+ #kerberos_manage_host_rcache(saslauthd_t) ') - optional_policy(` diff --git a/sblim.if b/sblim.if index fa24879..fdb665a 100644 --- a/sblim.if @@ -52805,7 +53168,7 @@ index d2496bd..c7614d7 100644 init_labeled_script_domtrans($1, squid_initrc_exec_t) domain_system_change_exemption($1) diff --git a/squid.te b/squid.te -index d24bd07..e5f4599 100644 +index d24bd07..daf200c 100644 --- a/squid.te +++ b/squid.te @@ -29,7 +29,7 @@ type squid_cache_t; @@ -52827,7 +53190,15 @@ index d24bd07..e5f4599 100644 type squid_var_run_t; files_pid_file(squid_var_run_t) -@@ -85,11 +88,16 @@ logging_log_filetrans(squid_t, squid_log_t, { file dir }) +@@ -69,6 +72,7 @@ allow squid_t self:udp_socket create_socket_perms; + manage_dirs_pattern(squid_t, squid_cache_t, squid_cache_t) + manage_files_pattern(squid_t, squid_cache_t, squid_cache_t) + manage_lnk_files_pattern(squid_t, squid_cache_t, squid_cache_t) ++files_var_filetrans(squid_t, squid_cache_t, dir, "squid") + + allow squid_t squid_conf_t:dir list_dir_perms; + read_files_pattern(squid_t, squid_conf_t, squid_conf_t) +@@ -85,11 +89,16 @@ logging_log_filetrans(squid_t, squid_log_t, { file dir }) manage_files_pattern(squid_t, squid_tmpfs_t, squid_tmpfs_t) fs_tmpfs_filetrans(squid_t, squid_tmpfs_t, file) 
@@ -52844,7 +53215,7 @@ index d24bd07..e5f4599 100644 files_dontaudit_getattr_boot_dirs(squid_t) -@@ -169,7 +177,8 @@ userdom_dontaudit_search_user_home_dirs(squid_t) +@@ -169,7 +178,8 @@ userdom_dontaudit_search_user_home_dirs(squid_t) tunable_policy(`squid_connect_any',` corenet_tcp_connect_all_ports(squid_t) corenet_tcp_bind_all_ports(squid_t) @@ -52854,7 +53225,7 @@ index d24bd07..e5f4599 100644 ') tunable_policy(`squid_use_tproxy',` -@@ -185,6 +194,7 @@ optional_policy(` +@@ -185,6 +195,7 @@ optional_policy(` corenet_all_recvfrom_unlabeled(httpd_squid_script_t) corenet_all_recvfrom_netlabel(httpd_squid_script_t) corenet_tcp_connect_http_cache_port(httpd_squid_script_t) @@ -52862,13 +53233,13 @@ index d24bd07..e5f4599 100644 sysnet_dns_name_resolve(httpd_squid_script_t) -@@ -206,3 +216,7 @@ optional_policy(` +@@ -206,3 +217,7 @@ optional_policy(` optional_policy(` udev_read_db(squid_t) ') + +optional_policy(` -+ kerberos_manage_host_rcache(squid_t) ++ kerberos_tmp_filetrans_host_rcache(squid_t, "host_0") +') diff --git a/sssd.fc b/sssd.fc index 4271815..4bc00ea 100644 @@ -52969,7 +53340,7 @@ index 941380a..e1095f0 100644 # Allow sssd_t to restart the apache service sssd_initrc_domtrans($1) diff --git a/sssd.te b/sssd.te -index 8ffa257..1dfa5ce 100644 +index 8ffa257..20d8944 100644 --- a/sssd.te +++ b/sssd.te @@ -17,6 +17,7 @@ files_pid_file(sssd_public_t) @@ -53061,10 +53432,11 @@ index 8ffa257..1dfa5ce 100644 optional_policy(` dbus_system_bus_client(sssd_t) -@@ -87,4 +108,18 @@ optional_policy(` +@@ -87,4 +108,19 @@ optional_policy(` optional_policy(` kerberos_manage_host_rcache(sssd_t) ++ kerberos_tmp_filetrans_host_rcache(sssd_t, "host_0") + kerberos_read_home_content(sssd_t) +') + @@ -53119,10 +53491,10 @@ index 0000000..5ab0840 +/var/lib/subversion/repo(/.*)? gen_context(system_u:object_r:svnserve_content_t,s0) diff --git a/svnserve.if b/svnserve.if new file mode 100644 -index 0000000..bab5617 +index 0000000..19d13a7 --- /dev/null 
+++ b/svnserve.if -@@ -0,0 +1,125 @@ +@@ -0,0 +1,119 @@ + +## policy for svnserve + @@ -53219,12 +53591,6 @@ index 0000000..bab5617 +## Domain allowed access. +## +## -+## -+## -+## Role allowed access. -+## -+## -+## +# +interface(`svnserve_admin',` + gen_require(` @@ -53896,7 +54262,7 @@ index 58e7ec0..e4119f7 100644 + allow $1 telnetd_devpts_t:chr_file rw_inherited_term_perms; +') diff --git a/telnet.te b/telnet.te -index f40e67b..3519e88 100644 +index f40e67b..0634c00 100644 --- a/telnet.te +++ b/telnet.te @@ -24,21 +24,20 @@ files_pid_file(telnetd_var_run_t) @@ -53942,13 +54308,14 @@ index f40e67b..3519e88 100644 tunable_policy(`use_nfs_home_dirs',` fs_search_nfs(telnetd_t) -@@ -98,3 +92,12 @@ tunable_policy(`use_nfs_home_dirs',` +@@ -98,3 +92,13 @@ tunable_policy(`use_nfs_home_dirs',` tunable_policy(`use_samba_home_dirs',` fs_search_cifs(telnetd_t) ') + +optional_policy(` + kerberos_keytab_template(telnetd, telnetd_t) ++ kerberos_tmp_filetrans_host_rcache(telnetd_t, "host_0") + kerberos_manage_host_rcache(telnetd_t) +') + @@ -54378,10 +54745,10 @@ index 0000000..9127cec +') diff --git a/thumb.te b/thumb.te new file mode 100644 -index 0000000..7eea9cd +index 0000000..e379b1b --- /dev/null +++ b/thumb.te -@@ -0,0 +1,105 @@ +@@ -0,0 +1,109 @@ +policy_module(thumb, 1.0.0) + +######################################## @@ -54456,6 +54823,10 @@ index 0000000..7eea9cd + +auth_use_nsswitch(thumb_t) + ++tunable_policy(`selinuxuser_execmod',` ++ libs_legacy_use_shared_libs(thumb_t) ++') ++ +miscfiles_read_fonts(thumb_t) +miscfiles_read_localization(thumb_t) + @@ -56612,7 +56983,7 @@ index 7c5d8d8..85b7d8b 100644 + files_pid_filetrans($1, virt_lxc_var_run_t, dir, "libvirt-sandbox") ') diff --git a/virt.te b/virt.te -index ad3068a..5759ef5 100644 +index ad3068a..55dd15c 100644 --- a/virt.te +++ b/virt.te @@ -5,56 +5,87 @@ policy_module(virt, 1.4.2) 
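Review bot: `tunable_policy(`selinuxuser_execmod',` wrapping `libs_legacy_use_shared_libs(thumb_t)` ties a system thumbnailer domain to a boolean whose name describes unconfined-user behaviour, and execmod on library text is precisely what lets a corrupted shared object inject code, which is the exposure a confined thumbnailer exists to limit. A comment naming the library that needs text relocations, e.g. `# execmod workaround: <library, to confirm> is not built PIC; fix the library rather than widen thumb_t`, would make clear this is a workaround and not a requirement of thumb_t. thumb.te is a new file in this patch, so nothing else in it documents the choice.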
@@ -56888,7 +57259,7 @@ index ad3068a..5759ef5 100644 +allow virtd_t self:process { getcap getsched setcap sigkill signal signull execmem setexec setfscreate setsockcreate setsched }; +ifdef(`hide_broken_symptoms',` + # caused by some bogus kernel code -+ dontaudit virtd_t self:capability sys_module; ++ dontaudit virtd_t self:capability { sys_module sys_ptrace }; +') -allow virtd_t self:fifo_file rw_fifo_file_perms; @@ -57079,7 +57450,7 @@ index ad3068a..5759ef5 100644 dbus_system_bus_client(virtd_t) optional_policy(` -@@ -335,6 +506,14 @@ optional_policy(` +@@ -335,19 +506,30 @@ optional_policy(` optional_policy(` hal_dbus_chat(virtd_t) ') @@ -57094,12 +57465,14 @@ index ad3068a..5759ef5 100644 ') optional_policy(` -@@ -343,11 +522,14 @@ optional_policy(` + dnsmasq_domtrans(virtd_t) + dnsmasq_signal(virtd_t) dnsmasq_kill(virtd_t) - dnsmasq_read_pid_files(virtd_t) +- dnsmasq_read_pid_files(virtd_t) dnsmasq_signull(virtd_t) + dnsmasq_create_pid_dirs(virtd_t) + dnsmasq_filetrans_named_content_fromdir(virtd_t, virt_var_run_t); ++ dnsmasq_manage_pid_files(virtd_t) ') optional_policy(` @@ -57139,7 +57512,15 @@ index ad3068a..5759ef5 100644 ') optional_policy(` -@@ -403,20 +591,36 @@ optional_policy(` +@@ -384,6 +572,7 @@ optional_policy(` + kernel_read_xen_state(virtd_t) + kernel_write_xen_state(virtd_t) + ++ xen_exec(virtd_t) + xen_stream_connect(virtd_t) + xen_stream_connect_xenstore(virtd_t) + xen_read_image_files(virtd_t) +@@ -403,20 +592,36 @@ optional_policy(` # virtual domains common policy # @@ -57179,7 +57560,7 @@ index ad3068a..5759ef5 100644 corecmd_exec_bin(virt_domain) corecmd_exec_shell(virt_domain) -@@ -427,10 +631,12 @@ corenet_tcp_sendrecv_generic_node(virt_domain) +@@ -427,10 +632,12 @@ corenet_tcp_sendrecv_generic_node(virt_domain) corenet_tcp_sendrecv_all_ports(virt_domain) corenet_tcp_bind_generic_node(virt_domain) corenet_tcp_bind_vnc_port(virt_domain) 
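Review bot: `dontaudit virtd_t self:capability { sys_module sys_ptrace };` inside `ifdef(`hide_broken_symptoms',` silences a sys_ptrace check, and that check can also fire when a process reads another process's /proc entries, so hiding it may mask a genuine attempt by libvirtd, or a library it loads, to inspect other processes; the existing comment `# caused by some bogus kernel code` only explains sys_module. Split the comment so the observed cause is recorded, e.g. `# sys_ptrace: seen when reading /proc/<pid> of guests (confirm) - hidden, deliberately not allowed`. In the later virt.te hunk on this line, `dnsmasq_read_pid_files(virtd_t)` becomes `dnsmasq_manage_pid_files(virtd_t)`; a note on why libvirtd must write, not merely read, dnsmasq's pid files would help there as well.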
@@ -57193,7 +57574,7 @@ index ad3068a..5759ef5 100644 dev_read_rand(virt_domain) dev_read_sound(virt_domain) dev_read_urand(virt_domain) -@@ -438,10 +644,12 @@ dev_write_sound(virt_domain) +@@ -438,10 +645,12 @@ dev_write_sound(virt_domain) dev_rw_ksm(virt_domain) dev_rw_kvm(virt_domain) dev_rw_qemu(virt_domain) @@ -57206,7 +57587,7 @@ index ad3068a..5759ef5 100644 files_read_usr_files(virt_domain) files_read_var_files(virt_domain) files_search_all(virt_domain) -@@ -449,25 +657,430 @@ files_search_all(virt_domain) +@@ -449,25 +658,429 @@ files_search_all(virt_domain) fs_getattr_tmpfs(virt_domain) fs_rw_anon_inodefs_files(virt_domain) fs_rw_tmpfs_files(virt_domain) @@ -57428,8 +57809,7 @@ index ad3068a..5759ef5 100644 +fs_mounton_tmpfs(virtd_lxc_t) +fs_remount_all_fs(virtd_lxc_t) +fs_rw_cgroup_files(virtd_lxc_t) -+fs_unmount_xattr_fs(virtd_lxc_t) -+fs_unmount_configfs(virtd_lxc_t) ++fs_unmount_all_fs(virtd_lxc_t) +fs_relabelfrom_tmpfs(virtd_lxc_t) + +selinux_mount_fs(virtd_lxc_t) @@ -57714,10 +58094,22 @@ index f21389b..482db56 100644 # cjp: why? userdom_read_user_home_content_files(vmware_t) diff --git a/vnstatd.if b/vnstatd.if -index 727fe95..958de01 100644 +index 727fe95..47ec114 100644 --- a/vnstatd.if +++ b/vnstatd.if -@@ -135,8 +135,11 @@ interface(`vnstatd_admin',` +@@ -123,20 +123,17 @@ interface(`vnstatd_manage_lib_files',` + ## Domain allowed access. + ## + ## +-## +-## +-## Role allowed access. +-## +-## +-## + # + interface(`vnstatd_admin',` + gen_require(` type vnstatd_t, vnstatd_var_lib_t; ') @@ -58127,10 +58519,31 @@ index 9d24449..2666317 100644 /opt/picasa/wine/bin/wine.* -- gen_context(system_u:object_r:wine_exec_t,s0) diff --git a/wine.if b/wine.if -index f9a73d0..00a98f1 100644 +index f9a73d0..4b83bb0 100644 --- a/wine.if +++ b/wine.if -@@ -29,12 +29,16 @@ +@@ -10,10 +10,9 @@ + ## for wine applications. + ##
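Review bot: Replacing fs_unmount_xattr_fs and fs_unmount_configfs with fs_unmount_all_fs(virtd_lxc_t) widens unmount from two filesystem types to every filesystem type the policy knows, and next to the fs_remount_all_fs and fs_mounton_tmpfs rules already in this block it leaves virtd_lxc_t with close to full control of the mount table. If the denial that prompted this came from one more type, the matching fs_unmount_*_fs interface keeps the grant and the audit trail narrow; if the helper really must tear down arbitrary inherited mounts while building the container namespace, say so on the line: `# lxc helper unmounts inherited mounts of any type when building the container namespace`. The virtd_lxc_t block continues outside the hunk.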

+ ## +-## ++## + ## +-## The prefix of the user domain (e.g., user +-## is the prefix for user_t). ++## The role associated with the user domain. + ## + ## + ## +@@ -21,20 +20,19 @@ + ## The type of the user domain. + ## + ## +-## +-## +-## The role associated with the user domain. +-## +-## # template(`wine_role',` gen_require(` @@ -58147,7 +58560,7 @@ index f9a73d0..00a98f1 100644 allow wine_t $2:fd use; allow wine_t $2:process { sigchld signull }; allow wine_t $2:unix_stream_socket connectto; -@@ -44,8 +48,7 @@ template(`wine_role',` +@@ -44,8 +42,7 @@ template(`wine_role',` allow $2 wine_t:process signal_perms; allow $2 wine_t:fd use; @@ -58157,7 +58570,7 @@ index f9a73d0..00a98f1 100644 allow $2 wine_t:unix_stream_socket connectto; # X access, Home files -@@ -86,6 +89,7 @@ template(`wine_role',` +@@ -86,6 +83,7 @@ template(`wine_role',` # template(`wine_role_template',` gen_require(` @@ -58165,7 +58578,7 @@ index f9a73d0..00a98f1 100644 type wine_exec_t; ') -@@ -96,12 +100,12 @@ template(`wine_role_template',` +@@ -96,12 +94,12 @@ template(`wine_role_template',` role $2 types $1_wine_t; allow $1_wine_t self:process { execmem execstack }; @@ -58180,7 +58593,7 @@ index f9a73d0..00a98f1 100644 domain_mmap_low($1_wine_t) -@@ -109,6 +113,10 @@ template(`wine_role_template',` +@@ -109,6 +107,10 @@ template(`wine_role_template',` dontaudit $1_wine_t self:memprotect mmap_zero; ') @@ -58326,10 +58739,36 @@ index 1a1b374..f22f770 100644 ') diff --git a/xen.if b/xen.if -index 77d41b6..138efd8 100644 +index 77d41b6..cc73c96 100644 --- a/xen.if 
+++ b/xen.if -@@ -55,6 +55,26 @@ interface(`xen_dontaudit_use_fds',` +@@ -20,6 +20,25 @@ interface(`xen_domtrans',` + + ######################################## + ## ++## Allow the specified domain to execute xend ++## in the caller domain. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`xen_exec',` ++ gen_require(` ++ type xend_exec_t; ++ ') ++ ++ can_exec($1, xend_exec_t) ++') ++ ++######################################## ++## + ## Inherit and use xen file descriptors. + ## + ## +@@ -55,6 +74,26 @@ interface(`xen_dontaudit_use_fds',` dontaudit $1 xend_t:fd use; ') @@ -58356,7 +58795,7 @@ index 77d41b6..138efd8 100644 ######################################## ## ## Read xend image files. -@@ -87,6 +107,26 @@ interface(`xen_read_image_files',` +@@ -87,6 +126,26 @@ interface(`xen_read_image_files',` ## ## # @@ -58383,7 +58822,7 @@ index 77d41b6..138efd8 100644 interface(`xen_rw_image_files',` gen_require(` type xen_image_t, xend_var_lib_t; -@@ -161,7 +201,7 @@ interface(`xen_dontaudit_rw_unix_stream_sockets',` +@@ -161,7 +220,7 @@ interface(`xen_dontaudit_rw_unix_stream_sockets',` ######################################## ## @@ -58392,7 +58831,7 @@ index 77d41b6..138efd8 100644 ## ## ## -@@ -180,7 +220,7 @@ interface(`xen_stream_connect_xenstore',` +@@ -180,7 +239,7 @@ interface(`xen_stream_connect_xenstore',` ######################################## ## @@ -58401,7 +58840,7 @@ index 77d41b6..138efd8 100644 ## ## ## -@@ -213,14 +253,15 @@ interface(`xen_stream_connect',` +@@ -213,14 +272,15 @@ interface(`xen_stream_connect',` interface(`xen_domtrans_xm',` gen_require(` type xm_t, xm_exec_t; @@ -58419,7 +58858,7 @@ index 77d41b6..138efd8 100644 ## ## ## -@@ -230,7 +271,7 @@ interface(`xen_domtrans_xm',` +@@ -230,7 +290,7 @@ interface(`xen_domtrans_xm',` # interface(`xen_stream_connect_xm',` gen_require(` diff --git a/selinux-policy.spec b/selinux-policy.spec index 39f79857..5059ec6d 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec 
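Review bot: The new xen_exec interface is a bare can_exec($1, xend_exec_t), so the caller runs xend's code inside its own domain and none of xend_t's confinement applies; the description should say that outright so it is not chosen over xen_domtrans by mistake, e.g. `## Execute xend in the caller domain with no domain transition; xend_t rules do not apply to the result. Prefer xen_domtrans where a transition is acceptable.` A caller that also has xen_domtrans will, I believe, still follow the type_transition on a plain exec, so the two are not contradictory, but that interaction deserves a sentence in the doc as well. The interface is complete within the hunk.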
@@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.11.0 -Release: 3%{?dist} +Release: 4%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -491,6 +491,25 @@ SELinux Reference policy mls base module. %endif %changelog +* Fri Jun 15 2012 Miroslav Grepl 3.11.0-4 +- Add support for ecryptfs + * ecryptfs does not support xattr + * we need labeling for HOMEDIR +- Add policy for (u)mount.ecryptfs* +- Fix labeling of kerbero host cache files, allow rpc.svcgssd to manage host cache +- Allow dovecot to manage Maildir content, fix transitions to Maildir +- Allow postfix_local to transition to dovecot_deliver +- Dontaudit attempts to setattr on xdm_tmp_t, looks like bogus code +- Cleanup interface definitions +- Allow apmd to change with the logind daemon +- Changes required for sanlock in rhel6 +- Label /run/user/apache as httpd_tmp_t +- Allow thumb to use lib_t as execmod if boolean turned on +- Allow squid to create the squid directory in /var with the correct labe +- Add a new policy for glusterd from Bryan Bickford (bbickfor@redhat.com) +- Allow virtd to exec xend_exec_t without transition +- Allow virtd_lxc_t to unmount all file systems + * Tue Jun 12 2012 Miroslav Grepl 3.11.0-3 - PolicyKit path has changed - Allow httpd connect to dirsrv socket From c74d194317e529f3952a891929125f27a30d92c4 Mon Sep 17 00:00:00 2001 
From: Miroslav Grepl Date: Tue, 19 Jun 2012 13:40:53 +0200 Subject: [PATCH 3/3] - apcupsd needs to read /etc/passwd - Sanlock allso sends sigkill - Allow glance_registry to connect to the mysqld port - Dontaudit mozilla_plugin trying to getattr on /dev/gpmctl - Allow firefox plugins/flash to connect to port 1234 - Allow mozilla plugins to delete user_tmp_t files - Add transition name rule for printers.conf.O - Allow virt_lxc_t to read urand - Allow systemd_loigind to list gstreamer_home_dirs - Fix labeling for /usr/bin - Fixes for cloudform services * support FIPS - Allow polipo to work as web caching - Allow chfn to execute tmux --- policy-rawhide.patch | 30 +++++----- policy_contrib-rawhide.patch | 108 ++++++++++++++++++++++------------- selinux-policy.spec | 18 +++++- 3 files changed, 100 insertions(+), 56 deletions(-) diff --git a/policy-rawhide.patch b/policy-rawhide.patch index 1bcf4e22..96b449d3 100644 --- a/policy-rawhide.patch +++ b/policy-rawhide.patch @@ -58144,7 +58144,7 @@ index 3a45f23..f4754f0 100644 # fork # setexec diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors -index f462e95..d29da40 100644 +index f462e95..e8f76cb 100644 --- a/policy/flask/access_vectors +++ b/policy/flask/access_vectors @@ -393,6 +393,10 @@ class system @@ -58163,7 +58163,7 @@ index f462e95..d29da40 100644 mac_admin # unused by SELinux syslog + wake_alarm -+ epolwakeup ++ epollwakeup } # @@ -60153,7 +60153,7 @@ index 7590165..59539e8 100644 + fs_mounton_fusefs(seunshare_domain) +') diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc -index db981df..cdbf6c7 100644 +index db981df..b77f19f 100644 --- a/policy/modules/kernel/corecommands.fc +++ b/policy/modules/kernel/corecommands.fc @@ -1,9 +1,10 @@ 
@@ -60231,7 +60231,7 @@ index db981df..cdbf6c7 100644 /opt/gutenprint/cups/lib/filter(/.*)? gen_context(system_u:object_r:bin_t,s0) -@@ -174,53 +183,77 @@ ifdef(`distro_gentoo',` +@@ -174,53 +183,76 @@ ifdef(`distro_gentoo',` /opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0) ') @@ -60244,7 +60244,6 @@ index db981df..cdbf6c7 100644 /usr/(.*/)?Bin(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/(.*/)?bin(/.*)? gen_context(system_u:object_r:bin_t,s0) -/usr/bin/git-shell -- gen_context(system_u:object_r:shell_exec_t,s0) -+/usr/bin/.* gen_context(system_u:object_r:bin_t,s0) +/usr/bin/d?ash -- gen_context(system_u:object_r:shell_exec_t,s0) +/usr/bin/esh -- gen_context(system_u:object_r:shell_exec_t,s0) +/usr/bin/bash -- gen_context(system_u:object_r:shell_exec_t,s0) @@ -60326,7 +60325,7 @@ index db981df..cdbf6c7 100644 /usr/lib/xfce4/exo-1/exo-compose-mail-1 -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/xfce4/exo-1/exo-helper-1 -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/xfce4/panel/migrate -- gen_context(system_u:object_r:bin_t,s0) -@@ -235,10 +268,15 @@ ifdef(`distro_gentoo',` +@@ -235,10 +267,15 @@ ifdef(`distro_gentoo',` /usr/lib/debug/sbin(/.*)? -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/debug/usr/bin(/.*)? -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/debug/usr/sbin(/.*)? -- gen_context(system_u:object_r:bin_t,s0) @@ -60342,7 +60341,7 @@ index db981df..cdbf6c7 100644 /usr/lib/[^/]*/run-mozilla\.sh -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/[^/]*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/thunderbird.*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0) -@@ -251,11 +289,18 @@ ifdef(`distro_gentoo',` +@@ -251,11 +288,18 @@ ifdef(`distro_gentoo',` /usr/libexec/openssh/sftp-server -- gen_context(system_u:object_r:bin_t,s0) 
@@ -60362,7 +60361,7 @@ index db981df..cdbf6c7 100644 /usr/sbin/scponlyc -- gen_context(system_u:object_r:shell_exec_t,s0) /usr/sbin/sesh -- gen_context(system_u:object_r:shell_exec_t,s0) /usr/sbin/smrsh -- gen_context(system_u:object_r:shell_exec_t,s0) -@@ -271,6 +316,10 @@ ifdef(`distro_gentoo',` +@@ -271,6 +315,10 @@ ifdef(`distro_gentoo',` /usr/share/cluster/.*\.sh gen_context(system_u:object_r:bin_t,s0) /usr/share/cluster/ocf-shellfuncs -- gen_context(system_u:object_r:bin_t,s0) /usr/share/cluster/svclib_nfslock -- gen_context(system_u:object_r:bin_t,s0) @@ -60373,7 +60372,7 @@ index db981df..cdbf6c7 100644 /usr/share/e16/misc(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/gedit-2/plugins/externaltools/tools(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/gitolite/hooks/common/update -- gen_context(system_u:object_r:bin_t,s0) -@@ -290,15 +339,19 @@ ifdef(`distro_gentoo',` +@@ -290,15 +338,19 @@ ifdef(`distro_gentoo',` /usr/share/smolt/client(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/shorewall/compiler\.pl -- gen_context(system_u:object_r:bin_t,s0) /usr/share/shorewall/configpath -- gen_context(system_u:object_r:bin_t,s0) @@ -60394,7 +60393,7 @@ index db981df..cdbf6c7 100644 ifdef(`distro_debian',` /usr/lib/ConsoleKit/.* -- gen_context(system_u:object_r:bin_t,s0) -@@ -314,8 +367,12 @@ ifdef(`distro_redhat', ` +@@ -314,8 +366,12 @@ ifdef(`distro_redhat', ` /etc/gdm/[^/]+ -d gen_context(system_u:object_r:bin_t,s0) /etc/gdm/[^/]+/.* gen_context(system_u:object_r:bin_t,s0) 
@@ -60407,7 +60406,7 @@ index db981df..cdbf6c7 100644 /usr/lib/vmware-tools/(s)?bin32(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/lib/vmware-tools/(s)?bin64(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/authconfig/authconfig-gtk\.py -- gen_context(system_u:object_r:bin_t,s0) -@@ -325,9 +382,11 @@ ifdef(`distro_redhat', ` +@@ -325,9 +381,11 @@ ifdef(`distro_redhat', ` /usr/share/clamav/clamd-gen -- gen_context(system_u:object_r:bin_t,s0) /usr/share/clamav/freshclam-sleep -- gen_context(system_u:object_r:bin_t,s0) /usr/share/createrepo(/.*)? gen_context(system_u:object_r:bin_t,s0) @@ -60419,7 +60418,7 @@ index db981df..cdbf6c7 100644 /usr/share/pwlib/make/ptlib-config -- gen_context(system_u:object_r:bin_t,s0) /usr/share/pydict/pydict\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/rhn/rhn_applet/applet\.py -- gen_context(system_u:object_r:bin_t,s0) -@@ -376,11 +435,14 @@ ifdef(`distro_suse', ` +@@ -376,11 +434,14 @@ ifdef(`distro_suse', ` # # /var # @@ -60435,7 +60434,7 @@ index db981df..cdbf6c7 100644 /usr/lib/yp/.+ -- gen_context(system_u:object_r:bin_t,s0) /var/qmail/bin -d gen_context(system_u:object_r:bin_t,s0) -@@ -390,3 +452,12 @@ ifdef(`distro_suse', ` +@@ -390,3 +451,12 @@ ifdef(`distro_suse', ` ifdef(`distro_suse',` /var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0) ') @@ -85742,10 +85741,10 @@ index 0000000..2497606 + diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 0000000..76b90b2 +index 0000000..a558441 --- /dev/null +++ b/policy/modules/system/systemd.te -@@ -0,0 +1,420 @@ +@@ -0,0 +1,421 @@ +policy_module(systemd, 1.0.0) + +####################################### @@ -85906,6 +85905,7 @@ index 0000000..76b90b2 + gnome_manage_home_config_dirs(systemd_logind_t) + gnome_manage_home_config(systemd_logind_t) + gnome_list_gkeyringd_tmp_dirs(systemd_logind_t) ++ gnome_manage_gstreamer_home_dirs(systemd_logind_t) +') + +optional_policy(` 
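Review bot: The rule added is gnome_manage_gstreamer_home_dirs(systemd_logind_t), which by its name grants full manage (create, write, unlink) on gstreamer home directories, while the changelog entry for this release describes the change as allowing logind to list gstreamer_home_dirs. If a directory listing was the denial, a list or search interface is the least-privilege fit; if manage really is required, the changelog should say so, since a privileged system daemon writing into per-user home content is the kind of rule that needs a stated reason. The enclosing optional_policy block continues outside the hunk.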
diff --git a/policy_contrib-rawhide.patch b/policy_contrib-rawhide.patch index 8566bc43..2ee50851 100644 --- a/policy_contrib-rawhide.patch +++ b/policy_contrib-rawhide.patch @@ -3746,7 +3746,7 @@ index e342775..1fedbe5 100644 + allow $1 apcupsd_unit_file_t:service all_service_perms; ') diff --git a/apcupsd.te b/apcupsd.te -index d052bf0..77e6e19 100644 +index d052bf0..6c7828b 100644 --- a/apcupsd.te +++ b/apcupsd.te @@ -24,6 +24,9 @@ files_tmp_file(apcupsd_tmp_t) @@ -3759,7 +3759,7 @@ index d052bf0..77e6e19 100644 ######################################## # # apcupsd local policy -@@ -76,6 +79,7 @@ files_etc_filetrans_etc_runtime(apcupsd_t, file) +@@ -76,24 +79,31 @@ files_etc_filetrans_etc_runtime(apcupsd_t, file) # https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=240805 term_use_unallocated_ttys(apcupsd_t) @@ -3767,7 +3767,13 @@ index d052bf0..77e6e19 100644 #apcupsd runs shutdown, probably need a shutdown domain init_rw_utmp(apcupsd_t) -@@ -87,13 +91,17 @@ miscfiles_read_localization(apcupsd_t) + init_telinit(apcupsd_t) + ++auth_read_passwd(apcupsd_t) ++ + logging_send_syslog_msg(apcupsd_t) + + miscfiles_read_localization(apcupsd_t) sysnet_dns_name_resolve(apcupsd_t) @@ -8433,10 +8439,10 @@ index b40f3f7..3676ecc 100644 # diff --git a/cloudform.fc b/cloudform.fc new file mode 100644 -index 0000000..f2968f8 +index 0000000..3fe384f --- /dev/null +++ b/cloudform.fc -@@ -0,0 +1,23 @@ +@@ -0,0 +1,22 @@ +/etc/rc\.d/init\.d/iwhd -- gen_context(system_u:object_r:iwhd_initrc_exec_t,s0) +/etc/rc\.d/init\.d/mongod -- gen_context(system_u:object_r:mongod_initrc_exec_t,s0) + 
@@ -8453,8 +8459,7 @@ index 0000000..f2968f8 +/var/log/deltacloud-core(/.*)? gen_context(system_u:object_r:deltacloudd_log_t,s0) +/var/log/iwhd\.log -- gen_context(system_u:object_r:iwhd_log_t,s0) +/var/log/mongodb(/.*)? gen_context(system_u:object_r:mongod_log_t,s0) -+ -+ ++/var/log/thin\.log -- gen_context(system_u:object_r:thin_log_t,s0) + +/var/run/mongodb(/.*)? gen_context(system_u:object_r:mongod_var_run_t,s0) +/var/run/aeolus/dbomatic\.pid -- gen_context(system_u:object_r:mongod_var_run_t,s0) @@ -8508,10 +8513,10 @@ index 0000000..7f55959 +') diff --git a/cloudform.te b/cloudform.te new file mode 100644 -index 0000000..2709243 +index 0000000..787b40a --- /dev/null +++ b/cloudform.te -@@ -0,0 +1,224 @@ +@@ -0,0 +1,236 @@ +policy_module(cloudform, 1.0) +######################################## +# @@ -8525,6 +8530,9 @@ index 0000000..2709243 +cloudform_domain_template(mongod) +cloudform_domain_template(thin) + ++type thin_log_t; ++logging_log_file(thin_log_t) ++ +type deltacloudd_log_t; +logging_log_file(deltacloudd_log_t) + @@ -8572,10 +8580,15 @@ index 0000000..2709243 +allow cloudform_domain self:fifo_file rw_fifo_file_perms; +allow cloudform_domain self:tcp_socket create_stream_socket_perms; + ++kernel_read_system_state(cloudform_domain) ++ ++dev_read_rand(cloudform_domain) +dev_read_urand(cloudform_domain) + +files_read_etc_files(cloudform_domain) + ++auth_read_passwd(cloudform_domain) ++ +miscfiles_read_certs(cloudform_domain) +miscfiles_read_localization(cloudform_domain) + @@ -8714,6 +8727,10 @@ index 0000000..2709243 +allow thin_t self:udp_socket create_socket_perms; +allow thin_t self:unix_stream_socket create_stream_socket_perms; + ++manage_files_pattern(thin_t, thin_log_t, thin_log_t) ++manage_dirs_pattern(thin_t, thin_log_t, thin_log_t) ++logging_log_filetrans(thin_t, thin_log_t, { file dir }) ++ +manage_files_pattern(thin_t, thin_var_run_t, thin_var_run_t) +files_pid_filetrans(thin_t, thin_var_run_t, { file }) + 
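Review bot: logging_log_filetrans(thin_t, thin_log_t, { file dir }) labels every file and directory thin_t creates under /var/log as thin_log_t, but the only file context added is /var/log/thin\.log as a plain file, so the dir half of the transition and the manage_dirs_pattern rule have no labeled path to match and a relabel would disagree with the runtime label. Unless thin also creates a log directory, drop `dir`, and if this refpolicy's logging_log_filetrans accepts a filename, pin the transition to the one file: `logging_log_filetrans(thin_t, thin_log_t, file, "thin.log")`. The thin_t block continues outside the hunk.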
@@ -12843,7 +12860,7 @@ index 848bb92..25c56f7 100644 + +/usr/local/linuxprinter/ppd(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) diff --git a/cups.if b/cups.if -index 305ddf4..3629b92 100644 +index 305ddf4..11d010a 100644 --- a/cups.if +++ b/cups.if @@ -9,6 +9,11 @@ @@ -12928,7 +12945,7 @@ index 305ddf4..3629b92 100644 init_labeled_script_domtrans($1, cupsd_initrc_exec_t) domain_system_change_exemption($1) role_transition $2 cupsd_initrc_exec_t system_r; -@@ -350,9 +384,41 @@ interface(`cups_admin',` +@@ -350,9 +384,42 @@ interface(`cups_admin',` admin_pattern($1, cupsd_var_run_t) files_list_pids($1) @@ -12963,6 +12980,7 @@ index 305ddf4..3629b92 100644 + + filetrans_pattern($1, cups_etc_t, cups_rw_etc_t, file, "classes.conf") + filetrans_pattern($1, cups_etc_t, cups_rw_etc_t, file, "printers.conf") ++ filetrans_pattern($1, cups_etc_t, cups_rw_etc_t, file, "printers.conf.O") + filetrans_pattern($1, cups_etc_t, cups_rw_etc_t, file, "cupsd.conf") + filetrans_pattern($1, cups_etc_t, cups_rw_etc_t, file, "cupsd.conf.default") + filetrans_pattern($1, cups_etc_t, cups_rw_etc_t, file, "lpoptions") @@ -20118,7 +20136,7 @@ index 7ff9d6d..6b0a7ff 100644 allow $1 glance_api_t:process signal_perms; ps_process_pattern($1, glance_api_t) diff --git a/glance.te b/glance.te -index 4afb81f..842165a 100644 +index 4afb81f..40df3ea 100644 --- a/glance.te +++ b/glance.te @@ -57,12 +57,17 @@ manage_files_pattern(glance_domain, glance_var_run_t, glance_var_run_t) 
@@ -20139,10 +20157,11 @@ index 4afb81f..842165a 100644 miscfiles_read_localization(glance_domain) optional_policy(` -@@ -80,6 +85,14 @@ files_tmp_filetrans(glance_registry_t, glance_registry_tmp_t, { file dir }) +@@ -80,6 +85,15 @@ files_tmp_filetrans(glance_registry_t, glance_registry_tmp_t, { file dir }) corenet_tcp_bind_generic_node(glance_registry_t) corenet_tcp_bind_glance_registry_port(glance_registry_t) ++corenet_tcp_connect_mysqld_port(glance_registry_t) +corenet_tcp_connect_all_ephemeral_ports(glance_registry_t) + +logging_send_syslog_msg(glance_registry_t) @@ -20154,7 +20173,7 @@ index 4afb81f..842165a 100644 ######################################## # -@@ -94,11 +107,11 @@ can_exec(glance_api_t, glance_tmp_t) +@@ -94,11 +108,11 @@ can_exec(glance_api_t, glance_tmp_t) corecmd_exec_shell(glance_api_t) corenet_tcp_bind_generic_node(glance_api_t) @@ -30146,7 +30165,7 @@ index b397fde..30bfefb 100644 +') + diff --git a/mozilla.te b/mozilla.te -index 0724816..c1fa8ea 100644 +index 0724816..0749777 100644 --- a/mozilla.te +++ b/mozilla.te @@ -12,14 +12,22 @@ policy_module(mozilla, 2.5.3) @@ -30316,7 +30335,7 @@ index 0724816..c1fa8ea 100644 manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t) manage_lnk_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t) -@@ -323,31 +350,46 @@ manage_fifo_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plug +@@ -323,31 +350,47 @@ manage_fifo_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plug manage_sock_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t) fs_tmpfs_filetrans(mozilla_plugin_t, mozilla_plugin_tmpfs_t, { file lnk_file sock_file fifo_file }) 
@@ -30358,6 +30377,7 @@ index 0724816..c1fa8ea 100644 +corenet_tcp_connect_soundd_port(mozilla_plugin_t) +corenet_tcp_connect_vnc_port(mozilla_plugin_t) +corenet_tcp_connect_couchdb_port(mozilla_plugin_t) ++corenet_tcp_connect_monopd_port(mozilla_plugin_t) +corenet_tcp_connect_all_ephemeral_ports(mozilla_plugin_t) +corenet_tcp_bind_generic_node(mozilla_plugin_t) +corenet_udp_bind_generic_node(mozilla_plugin_t) @@ -30369,7 +30389,7 @@ index 0724816..c1fa8ea 100644 dev_read_video_dev(mozilla_plugin_t) dev_write_video_dev(mozilla_plugin_t) dev_read_sysfs(mozilla_plugin_t) -@@ -356,6 +398,7 @@ dev_write_sound(mozilla_plugin_t) +@@ -356,6 +399,7 @@ dev_write_sound(mozilla_plugin_t) # for nvidia driver dev_rw_xserver_misc(mozilla_plugin_t) dev_dontaudit_rw_dri(mozilla_plugin_t) @@ -30377,7 +30397,7 @@ index 0724816..c1fa8ea 100644 domain_use_interactive_fds(mozilla_plugin_t) domain_dontaudit_read_all_domains_state(mozilla_plugin_t) -@@ -363,15 +406,22 @@ domain_dontaudit_read_all_domains_state(mozilla_plugin_t) +@@ -363,15 +407,22 @@ domain_dontaudit_read_all_domains_state(mozilla_plugin_t) files_read_config_files(mozilla_plugin_t) files_read_usr_files(mozilla_plugin_t) files_list_mnt(mozilla_plugin_t) @@ -30400,7 +30420,7 @@ index 0724816..c1fa8ea 100644 logging_send_syslog_msg(mozilla_plugin_t) miscfiles_read_localization(mozilla_plugin_t) -@@ -384,35 +434,26 @@ sysnet_dns_name_resolve(mozilla_plugin_t) +@@ -384,35 +435,27 @@ sysnet_dns_name_resolve(mozilla_plugin_t) term_getattr_all_ttys(mozilla_plugin_t) term_getattr_all_ptys(mozilla_plugin_t) @@ -30413,6 +30433,7 @@ index 0724816..c1fa8ea 100644 userdom_manage_user_tmp_dirs(mozilla_plugin_t) -userdom_read_user_tmp_files(mozilla_plugin_t) +userdom_rw_inherited_user_tmp_files(mozilla_plugin_t) ++userdom_delete_user_tmp_files(mozilla_plugin_t) +userdom_rw_inherited_user_home_sock_files(mozilla_plugin_t) +userdom_manage_home_certs(mozilla_plugin_t) userdom_read_user_tmp_symlinks(mozilla_plugin_t) 
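Review bot: corenet_tcp_connect_monopd_port(mozilla_plugin_t) is, going by the release note "Allow firefox plugins/flash to connect to port 1234", granted because tcp/1234 presumably carries the monopd_port_t label, not because plugins talk to a Monopoly daemon; without an inline note the next reader will not know why it is there or when it can go. Add a comment on the line: `# flash connects to tcp/1234, which is labeled monopd_port_t`. The context line below already grants corenet_tcp_connect_all_ephemeral_ports, so the plugin's reach is broad regardless. The mozilla_plugin_t rules continue outside the hunk.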
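Review bot: userdom_delete_user_tmp_files(mozilla_plugin_t) lets the plugin domain unlink any user_tmp_t file, i.e. scratch files of every other application in the user's session, not only its own, while the domain already owns a private mozilla_plugin_tmp_t type for its own files. If the denial came from a specific file the browser hands to the plugin, a name-based filetrans into mozilla_plugin_tmp_t would keep deletion scoped to it; otherwise record why the wide rule is acceptable for a domain that runs untrusted content: `# plugins remove browser-created files in user_tmp_t; narrow with a named filetrans if a fixed name emerges`. The mozilla_plugin_t rules continue outside the hunk.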
@@ -30447,7 +30468,7 @@ index 0724816..c1fa8ea 100644 optional_policy(` alsa_read_rw_config(mozilla_plugin_t) -@@ -422,35 +463,135 @@ optional_policy(` +@@ -422,24 +465,36 @@ optional_policy(` optional_policy(` dbus_system_bus_client(mozilla_plugin_t) dbus_session_bus_client(mozilla_plugin_t) @@ -30467,7 +30488,14 @@ index 0724816..c1fa8ea 100644 ') optional_policy(` - java_exec(mozilla_plugin_t) +- java_exec(mozilla_plugin_t) ++ gpm_dontaudit_getattr_gpmctl(mozilla_plugin_t) + ') + + optional_policy(` +- mplayer_exec(mozilla_plugin_t) +- mplayer_read_user_home_files(mozilla_plugin_t) ++ java_exec(mozilla_plugin_t) ') +#optional_policy(` @@ -30475,16 +30503,13 @@ index 0724816..c1fa8ea 100644 +#') + optional_policy(` - mplayer_exec(mozilla_plugin_t) - mplayer_read_user_home_files(mozilla_plugin_t) +- pcscd_stream_connect(mozilla_plugin_t) ++ mplayer_exec(mozilla_plugin_t) ++ mplayer_read_user_home_files(mozilla_plugin_t) ') optional_policy(` -- pcscd_stream_connect(mozilla_plugin_t) --') -- --optional_policy(` - pulseaudio_exec(mozilla_plugin_t) +@@ -447,10 +502,102 @@ optional_policy(` pulseaudio_stream_connect(mozilla_plugin_t) pulseaudio_setattr_home_dir(mozilla_plugin_t) pulseaudio_manage_home_files(mozilla_plugin_t) @@ -30506,14 +30531,14 @@ index 0724816..c1fa8ea 100644 +optional_policy(` + xserver_xdm_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file sock_file }) + xserver_dontaudit_read_xdm_tmp_files(mozilla_plugin_t) -+ xserver_dontaudit_xdm_tmp_dirs(mozilla_plugin_t) xserver_read_xdm_pid(mozilla_plugin_t) xserver_stream_connect(mozilla_plugin_t) xserver_use_user_fonts(mozilla_plugin_t) + xserver_read_user_iceauth(mozilla_plugin_t) + xserver_read_user_xauth(mozilla_plugin_t) -+ xserver_append_xdm_home_files(mozilla_plugin_t); -+') ++ xserver_append_xdm_home_files(mozilla_plugin_t) ++ xserver_dontaudit_xdm_tmp_dirs(mozilla_plugin_t) + ') + +######################################## +# 
@@ -30572,7 +30597,7 @@ index 0724816..c1fa8ea 100644 + +optional_policy(` + xserver_use_user_fonts(mozilla_plugin_config_t) - ') ++') +ifdef(`distro_redhat',` + typealias mozilla_plugin_t alias nsplugin_t; + typealias mozilla_plugin_exec_t alias nsplugin_exec_t; @@ -39145,10 +39170,10 @@ index 0000000..d00f6ba +') diff --git a/polipo.te b/polipo.te new file mode 100644 -index 0000000..c08cddc +index 0000000..781625a --- /dev/null +++ b/polipo.te -@@ -0,0 +1,171 @@ +@@ -0,0 +1,172 @@ +policy_module(polipo, 1.0.0) + +######################################## @@ -39254,6 +39279,7 @@ index 0000000..c08cddc +corenet_tcp_sendrecv_http_cache_port(polipo_daemon) +corenet_tcp_bind_http_cache_port(polipo_daemon) +corenet_sendrecv_http_cache_server_packets(polipo_daemon) ++corenet_tcp_connect_http_port(polipo_daemon) + +files_read_usr_files(polipo_daemon) + @@ -50252,7 +50278,7 @@ index cfe3172..3eb745d 100644 + ') diff --git a/sanlock.te b/sanlock.te -index e02eb6c..f1314b0 100644 +index e02eb6c..c4130e0 100644 --- a/sanlock.te +++ b/sanlock.te @@ -1,4 +1,4 @@ @@ -50291,7 +50317,7 @@ index e02eb6c..f1314b0 100644 -allow sanlock_t self:capability { sys_nice ipc_lock }; -allow sanlock_t self:process { setsched signull }; +allow sanlock_t self:capability { chown setgid dac_override ipc_lock sys_nice }; -+allow sanlock_t self:process { setsched signull signal }; ++allow sanlock_t self:process { setsched signull signal sigkill }; + allow sanlock_t self:fifo_file rw_fifo_file_perms; allow sanlock_t self:unix_stream_socket create_stream_socket_perms; @@ -54745,10 +54771,10 @@ index 0000000..9127cec +') diff --git a/thumb.te b/thumb.te new file mode 100644 -index 0000000..e379b1b +index 0000000..89684c9 --- /dev/null +++ b/thumb.te -@@ -0,0 +1,109 @@ +@@ -0,0 +1,110 @@ +policy_module(thumb, 1.0.0) + +######################################## 
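Review bot: The sigkill added to `allow sanlock_t self:process { setsched signull signal sigkill };` only covers sanlock_t killing processes in its own domain; if the "Sanlock also sends sigkill" item refers to sanlock killing lease holders that run in other domains (libvirt or guest processes, for instance), this rule will not satisfy that and the denial will simply reappear against the target domain, which needs a dedicated interface rather than a self rule. Worth checking which target context the original denial named before closing the item. The sanlock_t block continues outside the hunk.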
@@ -54819,6 +54845,7 @@ index 0000000..e379b1b +files_read_usr_files(thumb_t) +files_read_non_security_files(thumb_t) + ++fs_getattr_all_fs(thumb_t) +fs_read_dos_files(thumb_t) + +auth_use_nsswitch(thumb_t) @@ -56983,7 +57010,7 @@ index 7c5d8d8..85b7d8b 100644 + files_pid_filetrans($1, virt_lxc_var_run_t, dir, "libvirt-sandbox") ') diff --git a/virt.te b/virt.te -index ad3068a..55dd15c 100644 +index ad3068a..caef8cf 100644 --- a/virt.te +++ b/virt.te @@ -5,56 +5,87 @@ policy_module(virt, 1.4.2) @@ -57587,7 +57614,7 @@ index ad3068a..55dd15c 100644 files_read_usr_files(virt_domain) files_read_var_files(virt_domain) files_search_all(virt_domain) -@@ -449,25 +658,429 @@ files_search_all(virt_domain) +@@ -449,25 +658,430 @@ files_search_all(virt_domain) fs_getattr_tmpfs(virt_domain) fs_rw_anon_inodefs_files(virt_domain) fs_rw_tmpfs_files(virt_domain) @@ -57787,6 +57814,7 @@ index ad3068a..55dd15c 100644 +dev_relabel_all_dev_nodes(virtd_lxc_t) +dev_rw_sysfs(virtd_lxc_t) +dev_read_sysfs(virtd_lxc_t) ++dev_read_urand(virtd_lxc_t) + +domain_use_interactive_fds(virtd_lxc_t) + diff --git a/selinux-policy.spec b/selinux-policy.spec index 5059ec6d..bbb13164 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.11.0 -Release: 4%{?dist} +Release: 5%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
@@ -491,6 +491,22 @@ SELinux Reference policy mls base module. %endif %changelog +* Tue Jun 19 2012 Miroslav Grepl 3.11.0-5 +- apcupsd needs to read /etc/passwd +- Sanlock allso sends sigkill +- Allow glance_registry to connect to the mysqld port +- Dontaudit mozilla_plugin trying to getattr on /dev/gpmctl +- Allow firefox plugins/flash to connect to port 1234 +- Allow mozilla plugins to delete user_tmp_t files +- Add transition name rule for printers.conf.O +- Allow virt_lxc_t to read urand +- Allow systemd_loigind to list gstreamer_home_dirs +- Fix labeling for /usr/bin +- Fixes for cloudform services + * support FIPS +- Allow polipo to work as web caching +- Allow chfn to execute tmux + * Fri Jun 15 2012 Miroslav Grepl 3.11.0-4 - Add support for ecryptfs * ecryptfs does not support xattr