From a7dce2ac5cb4e351ed3701b73682f2e8fc64bab5 Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Fri, 11 Jan 2013 19:30:57 +0100 Subject: [PATCH] * Fri Jan 11 2013 Miroslav Grepl 3.12.1-3 - Allow gnomeclock to talk to puppet over dbus - Allow numad access discovered by Dominic - Add support for HOME_DIR/.maildir - Fix attribute_role for mozilla_plugin_t domain to allow staff_r to access this d - Allow udev to relabel udev_var_run_t lnk_files - New bin_t file in mcelog --- policy-rawhide-base.patch | 65 ++-- policy-rawhide-contrib.patch | 567 +++++++++++++++++++---------------- selinux-policy.spec | 10 +- 3 files changed, 349 insertions(+), 293 deletions(-) diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index 4a2ac6f4..b33c9019 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -112432,7 +112432,7 @@ index 7590165..19aaaed 100644 + fs_mounton_fusefs(seunshare_domain) +') diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc -index 644d4d7..0c58f76 100644 +index 644d4d7..f079522 100644 --- a/policy/modules/kernel/corecommands.fc +++ b/policy/modules/kernel/corecommands.fc @@ -1,9 +1,10 @@ @@ -112455,7 +112455,7 @@ index 644d4d7..0c58f76 100644 /etc/avahi/.*\.action -- gen_context(system_u:object_r:bin_t,s0) /etc/cipe/ip-up.* -- gen_context(system_u:object_r:bin_t,s0) -@@ -69,6 +71,13 @@ ifdef(`distro_redhat',` +@@ -69,16 +71,25 @@ ifdef(`distro_redhat',` /etc/kde/env(/.*)? gen_context(system_u:object_r:bin_t,s0) /etc/kde/shutdown(/.*)? gen_context(system_u:object_r:bin_t,s0) 
@@ -112469,7 +112469,11 @@ index 644d4d7..0c58f76 100644 /etc/mail/make -- gen_context(system_u:object_r:bin_t,s0) /etc/mcelog/.*-error-trigger -- gen_context(system_u:object_r:bin_t,s0) -@@ -79,6 +88,7 @@ ifdef(`distro_redhat',` + /etc/mcelog/.*\.local -- gen_context(system_u:object_r:bin_t,s0) ++/etc/mcelog/.*\.setup -- gen_context(system_u:object_r:bin_t,s0) + + ifdef(`distro_redhat',` + /etc/mcelog/triggers(/.*)? gen_context(system_u:object_r:bin_t,s0) ') /etc/mgetty\+sendfax/new_fax -- gen_context(system_u:object_r:bin_t,s0) @@ -112477,7 +112481,7 @@ index 644d4d7..0c58f76 100644 /etc/netplug\.d(/.*)? gen_context(system_u:object_r:bin_t,s0) -@@ -101,8 +111,6 @@ ifdef(`distro_redhat',` +@@ -101,8 +112,6 @@ ifdef(`distro_redhat',` /etc/rc\.d/init\.d/functions -- gen_context(system_u:object_r:bin_t,s0) @@ -112486,7 +112490,7 @@ index 644d4d7..0c58f76 100644 /etc/sysconfig/crond -- gen_context(system_u:object_r:bin_t,s0) /etc/sysconfig/init -- gen_context(system_u:object_r:bin_t,s0) /etc/sysconfig/libvirtd -- gen_context(system_u:object_r:bin_t,s0) -@@ -134,10 +142,11 @@ ifdef(`distro_debian',` +@@ -134,10 +143,11 @@ ifdef(`distro_debian',` /lib/readahead(/.*)? gen_context(system_u:object_r:bin_t,s0) /lib/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0) @@ -112499,7 +112503,7 @@ index 644d4d7..0c58f76 100644 ifdef(`distro_gentoo',` /lib/dhcpcd/dhcpcd-run-hooks -- gen_context(system_u:object_r:bin_t,s0) -@@ -151,7 +160,7 @@ ifdef(`distro_gentoo',` +@@ -151,7 +161,7 @@ ifdef(`distro_gentoo',` # # /sbin # 
@@ -112508,7 +112512,7 @@ index 644d4d7..0c58f76 100644 /sbin/.* gen_context(system_u:object_r:bin_t,s0) /sbin/insmod_ksymoops_clean -- gen_context(system_u:object_r:bin_t,s0) /sbin/mkfs\.cramfs -- gen_context(system_u:object_r:bin_t,s0) -@@ -167,6 +176,7 @@ ifdef(`distro_gentoo',` +@@ -167,6 +177,7 @@ ifdef(`distro_gentoo',` /opt/(.*/)?sbin(/.*)? gen_context(system_u:object_r:bin_t,s0) /opt/google/talkplugin(/.*)? gen_context(system_u:object_r:bin_t,s0) @@ -112516,7 +112520,7 @@ index 644d4d7..0c58f76 100644 /opt/gutenprint/cups/lib/filter(/.*)? gen_context(system_u:object_r:bin_t,s0) -@@ -178,33 +188,49 @@ ifdef(`distro_gentoo',` +@@ -178,33 +189,49 @@ ifdef(`distro_gentoo',` /opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0) ') @@ -112575,7 +112579,7 @@ index 644d4d7..0c58f76 100644 /usr/lib/dpkg/.+ -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/emacsen-common/.* gen_context(system_u:object_r:bin_t,s0) /usr/lib/gimp/.*/plug-ins(/.*)? gen_context(system_u:object_r:bin_t,s0) -@@ -215,18 +241,28 @@ ifdef(`distro_gentoo',` +@@ -215,18 +242,28 @@ ifdef(`distro_gentoo',` /usr/lib/mailman/mail(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/lib/mediawiki/math/texvc.* gen_context(system_u:object_r:bin_t,s0) /usr/lib/misc/sftp-server -- gen_context(system_u:object_r:bin_t,s0) @@ -112611,7 +112615,7 @@ index 644d4d7..0c58f76 100644 /usr/lib/xfce4/exo-1/exo-compose-mail-1 -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/xfce4/exo-1/exo-helper-1 -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/xfce4/panel/migrate -- gen_context(system_u:object_r:bin_t,s0) -@@ -241,10 +277,15 @@ ifdef(`distro_gentoo',` +@@ -241,10 +278,15 @@ ifdef(`distro_gentoo',` /usr/lib/debug/sbin(/.*)? -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/debug/usr/bin(/.*)? -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/debug/usr/sbin(/.*)? -- gen_context(system_u:object_r:bin_t,s0) 
@@ -112627,7 +112631,7 @@ index 644d4d7..0c58f76 100644 /usr/lib/[^/]*/run-mozilla\.sh -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/[^/]*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/thunderbird.*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0) -@@ -257,10 +298,17 @@ ifdef(`distro_gentoo',` +@@ -257,10 +299,17 @@ ifdef(`distro_gentoo',` /usr/libexec/openssh/sftp-server -- gen_context(system_u:object_r:bin_t,s0) @@ -112648,7 +112652,7 @@ index 644d4d7..0c58f76 100644 /usr/sbin/scponlyc -- gen_context(system_u:object_r:shell_exec_t,s0) /usr/sbin/sesh -- gen_context(system_u:object_r:shell_exec_t,s0) /usr/sbin/smrsh -- gen_context(system_u:object_r:shell_exec_t,s0) -@@ -276,10 +324,15 @@ ifdef(`distro_gentoo',` +@@ -276,10 +325,15 @@ ifdef(`distro_gentoo',` /usr/share/cluster/.*\.sh gen_context(system_u:object_r:bin_t,s0) /usr/share/cluster/ocf-shellfuncs -- gen_context(system_u:object_r:bin_t,s0) /usr/share/cluster/svclib_nfslock -- gen_context(system_u:object_r:bin_t,s0) @@ -112664,7 +112668,7 @@ index 644d4d7..0c58f76 100644 /usr/share/gnucash/finance-quote-check -- gen_context(system_u:object_r:bin_t,s0) /usr/share/gnucash/finance-quote-helper -- gen_context(system_u:object_r:bin_t,s0) /usr/share/hal/device-manager/hal-device-manager -- gen_context(system_u:object_r:bin_t,s0) -@@ -294,16 +347,21 @@ ifdef(`distro_gentoo',` +@@ -294,16 +348,21 @@ ifdef(`distro_gentoo',` /usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0) /usr/share/smolt/client(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/shorewall/compiler\.pl -- gen_context(system_u:object_r:bin_t,s0) 
@@ -112688,7 +112692,7 @@ index 644d4d7..0c58f76 100644 ifdef(`distro_debian',` /usr/lib/ConsoleKit/.* -- gen_context(system_u:object_r:bin_t,s0) -@@ -321,8 +379,12 @@ ifdef(`distro_redhat', ` +@@ -321,8 +380,12 @@ ifdef(`distro_redhat', ` /etc/gdm/[^/]+ -d gen_context(system_u:object_r:bin_t,s0) /etc/gdm/[^/]+/.* gen_context(system_u:object_r:bin_t,s0) @@ -112701,7 +112705,7 @@ index 644d4d7..0c58f76 100644 /usr/lib/vmware-tools/(s)?bin32(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/lib/vmware-tools/(s)?bin64(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/authconfig/authconfig-gtk\.py -- gen_context(system_u:object_r:bin_t,s0) -@@ -332,9 +394,11 @@ ifdef(`distro_redhat', ` +@@ -332,9 +395,11 @@ ifdef(`distro_redhat', ` /usr/share/clamav/clamd-gen -- gen_context(system_u:object_r:bin_t,s0) /usr/share/clamav/freshclam-sleep -- gen_context(system_u:object_r:bin_t,s0) /usr/share/createrepo(/.*)? gen_context(system_u:object_r:bin_t,s0) @@ -112713,7 +112717,7 @@ index 644d4d7..0c58f76 100644 /usr/share/pwlib/make/ptlib-config -- gen_context(system_u:object_r:bin_t,s0) /usr/share/pydict/pydict\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/rhn/rhn_applet/applet\.py -- gen_context(system_u:object_r:bin_t,s0) -@@ -383,11 +447,15 @@ ifdef(`distro_suse', ` +@@ -383,11 +448,15 @@ ifdef(`distro_suse', ` # # /var # @@ -112730,7 +112734,7 @@ index 644d4d7..0c58f76 100644 /usr/lib/yp/.+ -- gen_context(system_u:object_r:bin_t,s0) /var/qmail/bin -d gen_context(system_u:object_r:bin_t,s0) -@@ -397,3 +465,12 @@ ifdef(`distro_suse', ` +@@ -397,3 +466,12 @@ ifdef(`distro_suse', ` ifdef(`distro_suse',` /var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0) ') @@ -142913,7 +142917,7 @@ index 0f64692..d7e8a01 100644 ######################################## diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te -index a5ec88b..6e4726f 100644 +index a5ec88b..99fd5da 100644 --- a/policy/modules/system/udev.te 
+++ b/policy/modules/system/udev.te @@ -17,14 +17,12 @@ init_daemon_domain(udev_t, udev_exec_t) @@ -142954,7 +142958,7 @@ index a5ec88b..6e4726f 100644 allow udev_t udev_exec_t:file write; can_exec(udev_t, udev_exec_t) -@@ -63,31 +64,35 @@ can_exec(udev_t, udev_helper_exec_t) +@@ -63,31 +64,36 @@ can_exec(udev_t, udev_helper_exec_t) # read udev config allow udev_t udev_etc_t:file read_file_perms; @@ -142974,6 +142978,7 @@ index a5ec88b..6e4726f 100644 -files_pid_filetrans(udev_t, udev_var_run_t, { dir file }) +files_pid_filetrans(udev_t, udev_var_run_t, { file dir }) +allow udev_t udev_var_run_t:file mounton; ++allow udev_t udev_var_run_t:lnk_file relabel_lnk_file_perms; +dev_filetrans(udev_t, udev_var_run_t, { file lnk_file } ) +kernel_load_module(udev_t) @@ -142997,7 +143002,7 @@ index a5ec88b..6e4726f 100644 #https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=235182 kernel_rw_net_sysctls(udev_t) -@@ -98,6 +103,7 @@ corecmd_exec_all_executables(udev_t) +@@ -98,6 +104,7 @@ corecmd_exec_all_executables(udev_t) dev_rw_sysfs(udev_t) dev_manage_all_dev_nodes(udev_t) @@ -143005,7 +143010,7 @@ index a5ec88b..6e4726f 100644 dev_rw_generic_files(udev_t) dev_delete_generic_files(udev_t) dev_search_usbfs(udev_t) -@@ -106,23 +112,31 @@ dev_relabel_all_dev_nodes(udev_t) +@@ -106,23 +113,31 @@ dev_relabel_all_dev_nodes(udev_t) # preserved, instead of short circuiting the relabel dev_relabel_generic_symlinks(udev_t) dev_manage_generic_symlinks(udev_t) @@ -143041,7 +143046,7 @@ index a5ec88b..6e4726f 100644 mls_file_read_all_levels(udev_t) mls_file_write_all_levels(udev_t) -@@ -144,17 +158,20 @@ auth_use_nsswitch(udev_t) +@@ -144,17 +159,20 @@ auth_use_nsswitch(udev_t) init_read_utmp(udev_t) init_dontaudit_write_utmp(udev_t) init_getattr_initctl(udev_t) 
@@ -143063,7 +143068,7 @@ index a5ec88b..6e4726f 100644 seutil_read_config(udev_t) seutil_read_default_contexts(udev_t) -@@ -170,6 +187,8 @@ sysnet_signal_dhcpc(udev_t) +@@ -170,6 +188,8 @@ sysnet_signal_dhcpc(udev_t) sysnet_manage_config(udev_t) sysnet_etc_filetrans_config(udev_t) @@ -143072,7 +143077,7 @@ index a5ec88b..6e4726f 100644 userdom_dontaudit_search_user_home_content(udev_t) ifdef(`distro_gentoo',` -@@ -179,16 +198,9 @@ ifdef(`distro_gentoo',` +@@ -179,16 +199,9 @@ ifdef(`distro_gentoo',` ') ifdef(`distro_redhat',` @@ -143091,7 +143096,7 @@ index a5ec88b..6e4726f 100644 # for arping used for static IP addresses on PCMCIA ethernet netutils_domtrans(udev_t) -@@ -217,6 +229,10 @@ optional_policy(` +@@ -217,6 +230,10 @@ optional_policy(` ') optional_policy(` @@ -143102,7 +143107,7 @@ index a5ec88b..6e4726f 100644 consoletype_exec(udev_t) ') -@@ -226,6 +242,7 @@ optional_policy(` +@@ -226,6 +243,7 @@ optional_policy(` optional_policy(` cups_domtrans_config(udev_t) @@ -143110,7 +143115,7 @@ index a5ec88b..6e4726f 100644 ') optional_policy(` -@@ -235,10 +252,20 @@ optional_policy(` +@@ -235,10 +253,20 @@ optional_policy(` optional_policy(` devicekit_read_pid_files(udev_t) devicekit_dgram_send(udev_t) @@ -143131,7 +143136,7 @@ index a5ec88b..6e4726f 100644 ') optional_policy(` -@@ -264,6 +291,10 @@ optional_policy(` +@@ -264,6 +292,10 @@ optional_policy(` ') optional_policy(` @@ -143142,7 +143147,7 @@ index a5ec88b..6e4726f 100644 openct_read_pid_files(udev_t) openct_domtrans(udev_t) ') -@@ -278,6 +309,15 @@ optional_policy(` +@@ -278,6 +310,15 @@ optional_policy(` ') optional_policy(` @@ -143158,7 +143163,7 @@ index a5ec88b..6e4726f 100644 unconfined_signal(udev_t) ') -@@ -290,6 +330,7 @@ optional_policy(` +@@ -290,6 +331,7 @@ optional_policy(` kernel_read_xen_state(udev_t) xen_manage_log(udev_t) xen_read_image_files(udev_t) diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index 65fe9bee..ea72e389 100644 
--- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -7164,10 +7164,10 @@ index 536ec3c..271b976 100644 - -miscfiles_read_localization(bcfg2_t) diff --git a/bind.fc b/bind.fc -index 2b9a3a1..005bb7e 100644 +index 2b9a3a1..1cb1b4f 100644 --- a/bind.fc +++ b/bind.fc -@@ -1,54 +1,69 @@ +@@ -1,54 +1,70 @@ -/etc/rc\.d/init\.d/named -- gen_context(system_u:object_r:named_initrc_exec_t,s0) -/etc/rc\.d/init\.d/unbound -- gen_context(system_u:object_r:named_initrc_exec_t,s0) +/etc/rc\.d/init\.d/named -- gen_context(system_u:object_r:named_initrc_exec_t,s0) @@ -7202,6 +7202,7 @@ index 2b9a3a1..005bb7e 100644 +/usr/sbin/named-checkconf -- gen_context(system_u:object_r:named_checkconf_exec_t,s0) +/usr/sbin/r?ndc -- gen_context(system_u:object_r:ndc_exec_t,s0) /usr/sbin/unbound -- gen_context(system_u:object_r:named_exec_t,s0) ++/usr/sbin/unbound-anchor -- gen_context(system_u:object_r:named_exec_t,s0) -/var/bind(/.*)? gen_context(system_u:object_r:named_cache_t,s0) -/var/bind/pri(/.*)? gen_context(system_u:object_r:named_zone_t,s0) @@ -11852,15 +11853,24 @@ index 3f2b672..a7aaf98 100644 + unconfined_domain(condor_startd_t) +') diff --git a/consolekit.fc b/consolekit.fc -index 23c9558..29e5fd3 100644 +index 23c9558..ee585a7 100644 --- a/consolekit.fc 
+++ b/consolekit.fc -@@ -1,3 +1,5 @@ -+/usr/lib/systemd/system/console-kit.* -- gen_context(system_u:object_r:consolekit_unit_file_t,s0) -+ - /usr/sbin/console-kit-daemon -- gen_context(system_u:object_r:consolekit_exec_t,s0) +@@ -1,7 +1,9 @@ +-/usr/sbin/console-kit-daemon -- gen_context(system_u:object_r:consolekit_exec_t,s0) ++#/usr/lib/systemd/system/console-kit.* -- gen_context(system_u:object_r:consolekit_unit_file_t,s0) - /var/log/ConsoleKit(/.*)? gen_context(system_u:object_r:consolekit_log_t,s0) +-/var/log/ConsoleKit(/.*)? gen_context(system_u:object_r:consolekit_log_t,s0) ++#/usr/sbin/console-kit-daemon -- gen_context(system_u:object_r:consolekit_exec_t,s0) + +-/var/run/ConsoleKit(/.*)? gen_context(system_u:object_r:consolekit_var_run_t,s0) +-/var/run/consolekit\.pid -- gen_context(system_u:object_r:consolekit_var_run_t,s0) +-/var/run/console-kit-daemon\.pid -- gen_context(system_u:object_r:consolekit_var_run_t,s0) ++#/var/log/ConsoleKit(/.*)? gen_context(system_u:object_r:consolekit_log_t,s0) ++ ++#/var/run/ConsoleKit(/.*)? gen_context(system_u:object_r:consolekit_var_run_t,s0) ++#/var/run/consolekit\.pid -- gen_context(system_u:object_r:consolekit_var_run_t,s0) ++#/var/run/console-kit-daemon\.pid -- gen_context(system_u:object_r:consolekit_var_run_t,s0) diff --git a/consolekit.if b/consolekit.if index 5b830ec..0647a3b 100644 --- a/consolekit.if @@ -32985,10 +32995,10 @@ index 327f3f7..65bfa15 100644 + ') ') diff --git a/mandb.te b/mandb.te -index 5a414e0..4e159c2 100644 +index 5a414e0..708f675 100644 --- a/mandb.te +++ b/mandb.te -@@ -10,9 +10,12 @@ roleattribute system_r mandb_roles; +@@ -10,25 +10,34 @@ roleattribute system_r mandb_roles; type mandb_t; type mandb_exec_t; 
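Review bot: Every entry in consolekit.fc is commented out rather than deleted, and neither the commit message nor the hunk says why. With no context for /usr/sbin/console-kit-daemon, /var/log/ConsoleKit and /var/run/ConsoleKit, a still-installed daemon would inherit the generic labels of those directories and never enter consolekit_t, so whatever consolekit.te still grants (its rules are outside this hunk) becomes unreachable and the daemon runs effectively unconfined under init. If ConsoleKit is gone from the distribution, remove the lines and add a changelog entry; if the module must stay buildable with an empty .fc, a first-line comment such as `# ConsoleKit is no longer shipped; contexts retained for reference only` would make the intent visible to the next reader.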
@@ -33002,7 +33012,10 @@ index 5a414e0..4e159c2 100644 ######################################## # # Local policy -@@ -22,14 +25,17 @@ allow mandb_t self:process signal; + # + +-allow mandb_t self:process signal; ++allow mandb_t self:process { setsched signal }; allow mandb_t self:fifo_file rw_fifo_file_perms; allow mandb_t self:unix_stream_socket create_stream_socket_perms; @@ -33010,6 +33023,7 @@ index 5a414e0..4e159c2 100644 +manage_files_pattern(mandb_t, mandb_cache_t, mandb_cache_t) +manage_lnk_files_pattern(mandb_t, mandb_cache_t, mandb_cache_t) +files_var_filetrans(mandb_t, mandb_cache_t, { dir file lnk_file }) ++can_exec(mandb_t, mandb_exec_t) + kernel_read_system_state(mandb_t) @@ -33018,10 +33032,10 @@ index 5a414e0..4e159c2 100644 domain_use_interactive_fds(mandb_t) -files_read_etc_files(mandb_t) -- ++files_search_locks(mandb_t) + miscfiles_manage_man_cache(mandb_t) - optional_policy(` diff --git a/mcelog.if b/mcelog.if index 9dbe694..f89651e 100644 --- a/mcelog.if @@ -35349,7 +35363,7 @@ index 6194b80..110cdc6 100644 ') + diff --git a/mozilla.te b/mozilla.te -index 6a306ee..a85da32 100644 +index 6a306ee..03196be 100644 --- a/mozilla.te +++ b/mozilla.te @@ -1,4 +1,4 @@ @@ -35413,13 +35427,12 @@ index 6a306ee..a85da32 100644 type mozilla_plugin_t; type mozilla_plugin_exec_t; -userdom_user_application_domain(mozilla_plugin_t, mozilla_plugin_exec_t) --role mozilla_plugin_roles types mozilla_plugin_t; -- ++application_domain(mozilla_plugin_t, mozilla_plugin_exec_t) + role mozilla_plugin_roles types mozilla_plugin_t; + -type mozilla_plugin_home_t; -userdom_user_home_content(mozilla_plugin_home_t) -+application_domain(mozilla_plugin_t, mozilla_plugin_exec_t) -+role mozilla_roles types mozilla_plugin_t; - +- type mozilla_plugin_tmp_t; +userdom_user_tmp_content(mozilla_plugin_tmp_t) userdom_user_tmp_file(mozilla_plugin_tmp_t) @@ -36516,21 +36529,23 @@ index c97c177..9e68dfb 100644 netutils_domtrans_ping(mrtg_t) 
diff --git a/mta.fc b/mta.fc -index f42896c..2f102b2 100644 +index f42896c..8654c3c 100644 --- a/mta.fc +++ b/mta.fc -@@ -2,33 +2,40 @@ HOME_DIR/\.esmtp_queue -- gen_context(system_u:object_r:mail_home_t,s0) +@@ -2,33 +2,42 @@ HOME_DIR/\.esmtp_queue -- gen_context(system_u:object_r:mail_home_t,s0) HOME_DIR/\.forward[^/]* -- gen_context(system_u:object_r:mail_home_t,s0) HOME_DIR/dead\.letter -- gen_context(system_u:object_r:mail_home_t,s0) HOME_DIR/\.mailrc -- gen_context(system_u:object_r:mail_home_t,s0) -HOME_DIR/Maildir(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0) -HOME_DIR/\.maildir(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0) +HOME_DIR/Maildir(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0) ++HOME_DIR/.maildir(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0) -/bin/mail(x)? -- gen_context(system_u:object_r:sendmail_exec_t,s0) -+/bin/mail(x)? -- gen_context(system_u:object_r:sendmail_exec_t,s0) -/etc/aliases -- gen_context(system_u:object_r:etc_aliases_t,s0) ++/bin/mail(x)? -- gen_context(system_u:object_r:sendmail_exec_t,s0) ++ +/etc/aliases -- gen_context(system_u:object_r:etc_aliases_t,s0) /etc/aliases\.db -- gen_context(system_u:object_r:etc_aliases_t,s0) -/etc/mail(/.*)? gen_context(system_u:object_r:etc_mail_t,s0) 
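Review bot: The new `HOME_DIR/.maildir(/.*)?` entry drops the backslash that the removed upstream line `HOME_DIR/\.maildir(/.*)?` carried, so the unescaped `.` matches any character and a directory such as `HOME_DIR/_maildir` or `HOME_DIR/Xmaildir` is also labeled mail_home_rw_t. Every other dot-file in this hunk escapes its dot (`\.esmtp_queue`, `\.forward`, `\.mailrc`), so this reads as a typo rather than intent; change the line to `HOME_DIR/\.maildir(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0)`. The `.maildir` name transitions added to mta.if later in the commit take literal names and are unaffected.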
@@ -36540,14 +36555,14 @@ index f42896c..2f102b2 100644 +ifdef(`distro_redhat',` +/etc/postfix/aliases.* gen_context(system_u:object_r:etc_aliases_t,s0) +') - --/usr/bin/esmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0) ++ +/root/\.esmtp_queue -- gen_context(system_u:object_r:mail_home_t,s0) +/root/\.forward -- gen_context(system_u:object_r:mail_home_t,s0) +/root/dead\.letter -- gen_context(system_u:object_r:mail_home_t,s0) +/root/\.mailrc -- gen_context(system_u:object_r:mail_home_t,s0) +/root/Maildir(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0) -+ + +-/usr/bin/esmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0) +/usr/bin/esmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0) /usr/bin/mail(x)? -- gen_context(system_u:object_r:sendmail_exec_t,s0) @@ -36573,7 +36588,7 @@ index f42896c..2f102b2 100644 -/var/spool/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0) +/var/spool/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0) diff --git a/mta.if b/mta.if -index ed81cac..0005ac0 100644 +index ed81cac..7d1522c 100644 --- a/mta.if +++ b/mta.if @@ -1,4 +1,4 @@ @@ -37508,7 +37523,7 @@ index ed81cac..0005ac0 100644 ## ## ## -@@ -1081,3 +1046,173 @@ interface(`mta_rw_user_mail_stream_sockets',` +@@ -1081,3 +1046,175 @@ interface(`mta_rw_user_mail_stream_sockets',` allow $1 user_mail_domain:unix_stream_socket rw_socket_perms; ') @@ -37633,6 +37648,7 @@ index ed81cac..0005ac0 100644 + userdom_admin_home_dir_filetrans($1, mail_home_t, file, ".mailrc") + userdom_admin_home_dir_filetrans($1, mail_home_t, file, ".forward") + userdom_admin_home_dir_filetrans($1, mail_home_rw_t, dir, "Maildir") ++ userdom_admin_home_dir_filetrans($1, mail_home_rw_t, dir, ".maildir") + userdom_admin_home_dir_filetrans($1, mail_home_rw_t, file, ".esmtp_queue") +') + 
@@ -37656,6 +37672,7 @@ index ed81cac..0005ac0 100644 + userdom_user_home_dir_filetrans($1, mail_home_t, file, "dead.letter") + userdom_user_home_dir_filetrans($1, mail_home_t, file, ".forward") + userdom_user_home_dir_filetrans($1, mail_home_rw_t, dir, "Maildir") ++ userdom_user_home_dir_filetrans($1, mail_home_rw_t, dir, ".maildir") + userdom_user_home_dir_filetrans($1, mail_home_rw_t, file, ".esmtp_queue") +') + @@ -44341,7 +44358,7 @@ index 0d3c270..709dda1 100644 + ') ') diff --git a/numad.te b/numad.te -index f5d145d..9510740 100644 +index f5d145d..a4fed11 100644 --- a/numad.te +++ b/numad.te @@ -1,4 +1,4 @@ @@ -44350,7 +44367,7 @@ index f5d145d..9510740 100644 ######################################## # -@@ -8,37 +8,38 @@ policy_module(numad, 1.0.3) +@@ -8,29 +8,29 @@ policy_module(numad, 1.0.3) type numad_t; type numad_exec_t; init_daemon_domain(numad_t, numad_exec_t) 
@@ -44375,32 +44392,36 @@ index f5d145d..9510740 100644 +# numad local policy # -+allow numad_t self:process { fork }; ++allow numad_t self:capability sys_ptrace; allow numad_t self:fifo_file rw_fifo_file_perms; -allow numad_t self:msg { send receive }; allow numad_t self:msgq create_msgq_perms; -+allow numad_t self:msg { send receive }; ++allow numad_t self:msg create_msg_perms; allow numad_t self:unix_stream_socket create_stream_socket_perms; -allow numad_t numad_log_t:file { append_file_perms create_file_perms setattr_file_perms }; -logging_log_filetrans(numad_t, numad_log_t, file) +manage_files_pattern(numad_t, numad_var_log_t, numad_var_log_t) -+logging_log_filetrans(numad_t, numad_var_log_t, { file }) ++logging_log_filetrans(numad_t, numad_var_log_t, file) manage_files_pattern(numad_t, numad_var_run_t, numad_var_run_t) --files_pid_filetrans(numad_t, numad_var_run_t, file) -+files_pid_filetrans(numad_t, numad_var_run_t, { file }) - - kernel_read_system_state(numad_t) + files_pid_filetrans(numad_t, numad_var_run_t, file) +@@ -39,6 +39,13 @@ kernel_read_system_state(numad_t) dev_read_sysfs(numad_t) -files_read_etc_files(numad_t) +domain_use_interactive_fds(numad_t) -+ ++domain_read_all_domains_state(numad_t) ++domain_setpriority_all_domains(numad_t) -miscfiles_read_localization(numad_t) -+fs_search_cgroup_dirs(numad_t) ++fs_manage_cgroup_dirs(numad_t) ++fs_rw_cgroup_files(numad_t) ++ ++tunable_policy(`deny_ptrace',`',` ++ virt_ptrace(numad_t) ++') diff --git a/nut.fc b/nut.fc index 379af96..371119d 100644 --- a/nut.fc @@ -55503,7 +55524,7 @@ index 6864479..0e7d875 100644 +/var/lib/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_var_lib_t,s0) +/var/run/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_var_run_t,s0) diff --git a/pulseaudio.if b/pulseaudio.if -index fa3dc8e..ec47fb6 100644 +index fa3dc8e..59808e5 100644 --- a/pulseaudio.if +++ b/pulseaudio.if @@ -2,47 +2,44 @@ 
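Review bot: `allow numad_t self:capability sys_ptrace;` is granted unconditionally while the new `virt_ptrace(numad_t)` call is gated by the `deny_ptrace` tunable, so turning that boolean on removes the process-level ptrace rule but leaves numad_t holding CAP_SYS_PTRACE. If the capability is only needed for the /proc reads behind `domain_read_all_domains_state`, a one-line comment saying so would stop the next reader from relocating it; otherwise it belongs inside the same tunable block. Separately, `virt_ptrace(numad_t)` requires the virt module's `virt_domain` attribute but is not wrapped in `optional_policy(`...`)`, which presumably makes the numad module refuse to link whenever virt is not installed; enclosing the whole `tunable_policy(`deny_ptrace',`',` … `)` block in `optional_policy(`` / `')` keeps that dependency soft, as the other contrib modules in this patch do for cross-module calls. Any further numad.te lines lie outside this hunk.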
@@ -55788,7 +55809,7 @@ index fa3dc8e..ec47fb6 100644 ## ## ## -@@ -291,62 +300,72 @@ interface(`pulseaudio_manage_home_files',` +@@ -291,62 +300,74 @@ interface(`pulseaudio_manage_home_files',` ## ## # @@ -55805,7 +55826,9 @@ index fa3dc8e..ec47fb6 100644 + userdom_user_home_dir_filetrans($1, pulseaudio_home_t, dir, ".pulse") + userdom_user_home_dir_filetrans($1, pulseaudio_home_t, file, ".pulse-cookie") + userdom_user_home_dir_filetrans($1, pulseaudio_home_t, file, ".esd_auth") -+ gnome_config_filetrans($1, pulseaudio_home_t, dir, "pulse") ++ optional_policy(` ++ gnome_config_filetrans($1, pulseaudio_home_t, dir, "pulse") ++ ') ') ######################################## @@ -56531,7 +56554,7 @@ index 7cb8b1f..b7b5ee7 100644 + allow $1 puppet_var_run_t:dir search_dir_perms; ') diff --git a/puppet.te b/puppet.te -index f2309f4..9282fbb 100644 +index f2309f4..fd38d93 100644 --- a/puppet.te +++ b/puppet.te @@ -1,4 +1,4 @@ @@ -56925,7 +56948,7 @@ index f2309f4..9282fbb 100644 selinux_validate_context(puppetmaster_t) -@@ -314,26 +390,27 @@ auth_use_nsswitch(puppetmaster_t) +@@ -314,26 +390,31 @@ auth_use_nsswitch(puppetmaster_t) logging_send_syslog_msg(puppetmaster_t) miscfiles_read_generic_certs(puppetmaster_t) 
@@ -56935,32 +56958,34 @@ index f2309f4..9282fbb 100644 sysnet_run_ifconfig(puppetmaster_t, system_r) --optional_policy(` -- hostname_exec(puppetmaster_t) --') +mta_send_mail(puppetmaster_t) - ++ optional_policy(` -- mta_send_mail(puppetmaster_t) +- hostname_exec(puppetmaster_t) + tunable_policy(`puppetmaster_use_db',` + mysql_stream_connect(puppetmaster_t) + ') ') optional_policy(` -- mysql_stream_connect(puppetmaster_t) +- mta_send_mail(puppetmaster_t) + tunable_policy(`puppetmaster_use_db',` + postgresql_stream_connect(puppetmaster_t) + ') ') + optional_policy(` +- mysql_stream_connect(puppetmaster_t) ++ gnomeclock_dbus_chat(puppetmaster_t) + ') + optional_policy(` - postgresql_stream_connect(puppetmaster_t) + hostname_exec(puppetmaster_t) ') optional_policy(` -@@ -342,3 +419,9 @@ optional_policy(` +@@ -342,3 +423,9 @@ optional_policy(` rpm_exec(puppetmaster_t) rpm_read_db(puppetmaster_t) ') @@ -80785,7 +80810,7 @@ index c30da4c..014e40c 100644 +/var/run/qemu-ga\.pid -- gen_context(system_u:object_r:virt_qemu_ga_var_run_t,s0) +/var/log/qemu-ga\.log -- gen_context(system_u:object_r:virt_qemu_ga_log_t,s0) diff --git a/virt.if b/virt.if -index 9dec06c..347f807 100644 +index 9dec06c..e2c53bf 100644 --- a/virt.if +++ b/virt.if @@ -1,120 +1,51 @@ @@ -81763,7 +81788,7 @@ index 9dec06c..347f807 100644 ## ## ## -@@ -860,94 +603,205 @@ interface(`virt_read_lib_files',` +@@ -860,115 +603,223 @@ interface(`virt_read_lib_files',` ## ## # @@ -81794,6 +81819,9 @@ index 9dec06c..347f807 100644 ## ## -## +-## +-## The type of the object to be created. +-## +# +interface(`virt_manage_images',` + gen_require(` @@ -81818,7 +81846,8 @@ index 9dec06c..347f807 100644 +## +## Domain allowed access. +## -+## + ## +-## +# +interface(`virt_manage_default_image_type',` + gen_require(` 
@@ -81838,11 +81867,11 @@ index 9dec06c..347f807 100644 +## +## ## --## The type of the object to be created. +-## The object class of the object being created. +## Domain allowed to transition. ## ## --## +-## +# +interface(`virt_systemctl',` + gen_require(` @@ -81859,37 +81888,58 @@ index 9dec06c..347f807 100644 + +######################################## +## -+## All of the rules required to administrate -+## an virt environment ++## Ptrace the svirt domain +## +## ## --## The object class of the object being created. -+## Domain allowed access. - ## - ## --## -+## - ## -## The name of the object being created. -+## Role allowed access. ++## Domain allowed to transition. ## ## -## -+## # -interface(`virt_pid_filetrans',` -+interface(`virt_admin',` ++interface(`virt_ptrace',` gen_require(` - type virt_var_run_t; ++ attribute virt_domain; + ') + +- files_search_pids($1) +- filetrans_pattern($1, virt_var_run_t, $2, $3, $4) ++ allow $1 virt_domain:self ptrace; + ') + + ######################################## + ## +-## Read virt log files. ++## All of the rules required to administrate ++## an virt environment + ## + ## + ## + ## Domain allowed access. + ## + ## ++## ++## ++## Role allowed access. ++## ++## + ## + # +-interface(`virt_read_log',` ++interface(`virt_admin',` + gen_require(` +- type virt_log_t; + type virtd_t, virtd_initrc_exec_t; + attribute virt_domain; + type virt_lxc_t; + type virtd_unit_file_t; ') -- files_search_pids($1) -- filetrans_pattern($1, virt_var_run_t, $2, $3, $4) +- logging_search_logs($1) +- read_files_pattern($1, virt_log_t, virt_log_t) + allow $1 virtd_t:process signal_perms; + ps_process_pattern($1, virtd_t) + tunable_policy(`deny_ptrace',`',` @@ -81922,7 +81972,7 @@ index 9dec06c..347f807 100644 ######################################## ## --## Read virt log files. +-## Append virt log files. +## Execute qemu in the svirt domain, and +## allow the specified role the svirt domain. ## 
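Review bot: `allow $1 virt_domain:self ptrace;` in the new virt_ptrace interface puts `self` where an object class is expected; ptrace is a permission of the process class, so the rule should read `allow $1 virt_domain:process ptrace;`. As written it either fails to compile or, if the toolchain accepts it, grants nothing the interface promises, and the `virt_ptrace(numad_t)` call this commit adds to numad.te would be silently ineffective. The doc block above it also describes $1 as `Domain allowed to transition.`, copied from virt_systemctl; `Domain allowed access.` is the wording the other grant interfaces in this file use.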
@@ -81937,9 +81987,9 @@ index 9dec06c..347f807 100644 +## The role to be allowed the sandbox domain. ## ## - ## ++## # --interface(`virt_read_log',` +-interface(`virt_append_log',` +interface(`virt_transition_svirt',` gen_require(` - type virt_log_t; @@ -81950,7 +82000,7 @@ index 9dec06c..347f807 100644 ') - logging_search_logs($1) -- read_files_pattern($1, virt_log_t, virt_log_t) +- append_files_pattern($1, virt_log_t, virt_log_t) + allow $1 virt_domain:process transition; + role $2 types virt_domain; + role $2 types virt_bridgehelper_t; @@ -81969,7 +82019,8 @@ index 9dec06c..347f807 100644 ######################################## ## --## Append virt log files. +-## Create, read, write, and delete +-## virt log files. +## Do not audit attempts to write virt daemon unnamed pipes. ## ## @@ -81979,7 +82030,7 @@ index 9dec06c..347f807 100644 ## ## # --interface(`virt_append_log',` +-interface(`virt_manage_log',` +interface(`virt_dontaudit_write_pipes',` gen_require(` - type virt_log_t; 
@@ -81987,41 +82038,17 @@ index 9dec06c..347f807 100644 ') - logging_search_logs($1) -- append_files_pattern($1, virt_log_t, virt_log_t) +- manage_dirs_pattern($1, virt_log_t, virt_log_t) +- manage_files_pattern($1, virt_log_t, virt_log_t) +- manage_lnk_files_pattern($1, virt_log_t, virt_log_t) + dontaudit $1 virtd_t:fd use; + dontaudit $1 virtd_t:fifo_file write_fifo_file_perms; ') - ######################################## - ## --## Create, read, write, and delete --## virt log files. -+## Send a sigkill to virtual machines - ## - ## - ## -@@ -955,20 +809,17 @@ interface(`virt_append_log',` - ## - ## - # --interface(`virt_manage_log',` -+interface(`virt_kill_svirt',` - gen_require(` -- type virt_log_t; -+ attribute virt_domain; - ') - -- logging_search_logs($1) -- manage_dirs_pattern($1, virt_log_t, virt_log_t) -- manage_files_pattern($1, virt_log_t, virt_log_t) -- manage_lnk_files_pattern($1, virt_log_t, virt_log_t) -+ allow $1 virt_domain:process sigkill; - ') - ######################################## ## -## Search virt image directories. -+## Send a signal to virtual machines ++## Send a sigkill to virtual machines ## ## ## @@ -82030,7 +82057,7 @@ index 9dec06c..347f807 100644 ## # -interface(`virt_search_images',` -+interface(`virt_signal_svirt',` ++interface(`virt_kill_svirt',` gen_require(` - attribute virt_image_type; + attribute virt_domain; 
@@ -82038,56 +82065,39 @@ index 9dec06c..347f807 100644 - virt_search_lib($1) - allow $1 virt_image_type:dir search_dir_perms; -+ allow $1 virt_domain:process signal; ++ allow $1 virt_domain:process sigkill; ') ######################################## ## -## Read virt image files. -+## Manage virt home files. ++## Send a signal to virtual machines ## ## ## -@@ -995,57 +845,57 @@ interface(`virt_search_images',` +@@ -995,36 +845,17 @@ interface(`virt_search_images',` ## ## # -interface(`virt_read_images',` -+interface(`virt_manage_home_files',` ++interface(`virt_signal_svirt',` gen_require(` - type virt_var_lib_t; - attribute virt_image_type; -+ type virt_home_t; - ') - +- ') +- - virt_search_lib($1) - allow $1 virt_image_type:dir list_dir_perms; - list_dirs_pattern($1, virt_image_type, virt_image_type) - read_files_pattern($1, virt_image_type, virt_image_type) - read_lnk_files_pattern($1, virt_image_type, virt_image_type) - read_blk_files_pattern($1, virt_image_type, virt_image_type) -+ userdom_search_user_home_dirs($1) -+ manage_files_pattern($1, virt_home_t, virt_home_t) -+') - +- - tunable_policy(`virt_use_nfs',` - fs_list_nfs($1) - fs_read_nfs_files($1) - fs_read_nfs_symlinks($1) -+######################################## -+## -+## allow domain to read -+## virt tmpfs files -+## -+## -+## -+## Domain allowed access -+## -+## -+# -+interface(`virt_read_tmpfs_files',` -+ gen_require(` -+ attribute virt_tmpfs_type; ++ attribute virt_domain; ') - tunable_policy(`virt_use_samba',` 
@@ -82095,13 +82105,64 @@ index 9dec06c..347f807 100644 - fs_read_cifs_files($1) - fs_read_cifs_symlinks($1) - ') -+ allow $1 virt_tmpfs_type:file read_file_perms; ++ allow $1 virt_domain:process signal; ') ######################################## ## -## Read and write all virt image -## character files. ++## Manage virt home files. + ## + ## + ## +@@ -1032,58 +863,57 @@ interface(`virt_read_images',` + ## + ## + # +-interface(`virt_rw_all_image_chr_files',` ++interface(`virt_manage_home_files',` + gen_require(` +- attribute virt_image_type; ++ type virt_home_t; + ') + +- virt_search_lib($1) +- allow $1 virt_image_type:dir list_dir_perms; +- rw_chr_files_pattern($1, virt_image_type, virt_image_type) ++ userdom_search_user_home_dirs($1) ++ manage_files_pattern($1, virt_home_t, virt_home_t) + ') + + ######################################## + ## +-## Create, read, write, and delete +-## svirt cache files. ++## allow domain to read ++## virt tmpfs files + ## + ## + ## +-## Domain allowed access. ++## Domain allowed access + ## + ## + # +-interface(`virt_manage_svirt_cache',` +- refpolicywarn(`$0($*) has been deprecated, use virt_manage_virt_cache() instead.') +- virt_manage_virt_cache($1) ++interface(`virt_read_tmpfs_files',` ++ gen_require(` ++ attribute virt_tmpfs_type; ++ ') ++ ++ allow $1 virt_tmpfs_type:file read_file_perms; + ') + + ######################################## + ## +-## Create, read, write, and delete +-## virt cache content. +## allow domain to manage +## virt tmpfs files ## 
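Review bot: The new summary lines `## allow domain to read` / `## virt tmpfs files` for virt_read_tmpfs_files are lowercase, and the parameter line `## Domain allowed access` drops the period of the `## Domain allowed access.` line it replaces, which is out of step with the neighbouring summaries in this file (`## Manage virt home files.`, `## Send a signal to virtual machines`). Capitalizing them, e.g. `## Allow the domain to read virt tmpfs files.`, keeps the generated interface documentation uniform. The same wording is used for virt_manage_tmpfs_files in the next hunk.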
@@ -82112,100 +82173,40 @@ index 9dec06c..347f807 100644 ## ## # --interface(`virt_rw_all_image_chr_files',` +-interface(`virt_manage_virt_cache',` +interface(`virt_manage_tmpfs_files',` gen_require(` -- attribute virt_image_type; -+ attribute virt_tmpfs_type; - ') - -- virt_search_lib($1) -- allow $1 virt_image_type:dir list_dir_perms; -- rw_chr_files_pattern($1, virt_image_type, virt_image_type) -+ allow $1 virt_tmpfs_type:file manage_file_perms; - ') - - ######################################## - ## --## Create, read, write, and delete --## svirt cache files. -+## Create .virt directory in the user home directory -+## with an correct label. - ## - ## - ## -@@ -1053,15 +903,27 @@ interface(`virt_rw_all_image_chr_files',` - ## - ## - # --interface(`virt_manage_svirt_cache',` -- refpolicywarn(`$0($*) has been deprecated, use virt_manage_virt_cache() instead.') -- virt_manage_virt_cache($1) -+interface(`virt_filetrans_home_content',` -+ gen_require(` -+ type virt_home_t; -+ type svirt_home_t; -+ ') -+ -+ userdom_user_home_dir_filetrans($1, virt_home_t, dir, ".libvirt") -+ userdom_user_home_dir_filetrans($1, virt_home_t, dir, ".virtinst") -+ filetrans_pattern($1, virt_home_t, svirt_home_t, dir, "qemu") -+ -+ optional_policy(` -+ gnome_config_filetrans($1, virt_home_t, dir, "libvirt") -+ gnome_cache_filetrans($1, virt_home_t, dir, "libvirt") -+ gnome_cache_filetrans($1, virt_home_t, dir, "gnome-boxes") -+ gnome_data_filetrans($1, svirt_home_t, dir, "images") -+ ') - ') - - ######################################## - ## --## Create, read, write, and delete --## virt cache content. -+## Dontaudit attempts to Read virt_image_type devices. 
- ## - ## - ## -@@ -1069,117 +931,103 @@ interface(`virt_manage_svirt_cache',` - ## - ## - # --interface(`virt_manage_virt_cache',` -+interface(`virt_dontaudit_read_chr_dev',` - gen_require(` - type virt_cache_t; -+ attribute virt_image_type; ++ attribute virt_tmpfs_type; ') - files_search_var($1) - manage_dirs_pattern($1, virt_cache_t, virt_cache_t) - manage_files_pattern($1, virt_cache_t, virt_cache_t) - manage_lnk_files_pattern($1, virt_cache_t, virt_cache_t) -+ dontaudit $1 virt_image_type:chr_file read_chr_file_perms; ++ allow $1 virt_tmpfs_type:file manage_file_perms; ') ######################################## ## -## Create, read, write, and delete -## virt image files. -+## Creates types and rules for a basic -+## virt_lxc process domain. ++## Create .virt directory in the user home directory ++## with an correct label. ## --## -+## + ## ## --## Domain allowed access. -+## Prefix for the domain. +@@ -1091,95 +921,131 @@ interface(`virt_manage_virt_cache',` ## ## # -interface(`virt_manage_images',` -+template(`virt_lxc_domain_template',` ++interface(`virt_filetrans_home_content',` gen_require(` - type virt_var_lib_t; - attribute virt_image_type; -+ attribute svirt_lxc_domain; ++ type virt_home_t; ++ type svirt_home_t; ') - virt_search_lib($1) 
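Review bot: The new summary for virt_filetrans_home_content, `## Create .virt directory in the user home directory` / `## with an correct label.`, names a `.virt` directory that the interface does not create: its body, which lies in the next hunk, sets up transitions for `.libvirt` and `.virtinst` under the home directory and for a `qemu` subdirectory under virt_home_t. Suggest `## Create the .libvirt and .virtinst directories in the user home directory` / `## with the correct label.` so readers of the generated docs are not sent looking for a `.virt` path. The interface's body continues into the next hunk.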
@@ -82214,86 +82215,64 @@ index 9dec06c..347f807 100644 - manage_files_pattern($1, virt_image_type, virt_image_type) - read_lnk_files_pattern($1, virt_image_type, virt_image_type) - rw_blk_files_pattern($1, virt_image_type, virt_image_type) -+ type $1_t, svirt_lxc_domain; -+ domain_type($1_t) -+ domain_user_exemption_target($1_t) -+ mls_rangetrans_target($1_t) -+ mcs_constrained($1_t) -+ role system_r types $1_t; ++ userdom_user_home_dir_filetrans($1, virt_home_t, dir, ".libvirt") ++ userdom_user_home_dir_filetrans($1, virt_home_t, dir, ".virtinst") ++ filetrans_pattern($1, virt_home_t, svirt_home_t, dir, "qemu") - tunable_policy(`virt_use_nfs',` - fs_manage_nfs_dirs($1) - fs_manage_nfs_files($1) - fs_read_nfs_symlinks($1) -+ kernel_read_system_state($1_t) -+') -+ -+######################################## -+## -+## Execute a qemu_exec_t in the callers domain -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`virt_exec_qemu',` -+ gen_require(` -+ type qemu_exec_t; - ') - +- ') +- - tunable_policy(`virt_use_samba',` - fs_manage_cifs_files($1) - fs_manage_cifs_files($1) - fs_read_cifs_symlinks($1) -+ can_exec($1, qemu_exec_t) -+') -+ -+######################################## -+## -+## Transition to virt named content -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`virt_filetrans_named_content',` -+ gen_require(` -+ type virt_lxc_var_run_t; -+ type virt_var_run_t; ++ optional_policy(` ++ gnome_config_filetrans($1, virt_home_t, dir, "libvirt") ++ gnome_cache_filetrans($1, virt_home_t, dir, "libvirt") ++ gnome_cache_filetrans($1, virt_home_t, dir, "gnome-boxes") ++ gnome_data_filetrans($1, svirt_home_t, dir, "images") ') -+ -+ files_pid_filetrans($1, virt_lxc_var_run_t, dir, "libvirt-sandbox") -+ files_pid_filetrans($1, virt_var_run_t, dir, "libvirt") -+ files_pid_filetrans($1, virt_var_run_t, dir, "libguestfs") ') ######################################## ## -## All of the rules required to -## administrate an virt environment. 
-+## Execute qemu in the svirt domain, and -+## allow the specified role the svirt domain. ++## Dontaudit attempts to Read virt_image_type devices. ## ## ## --## Domain allowed access. -+## Domain allowed access + ## Domain allowed access. ## ## - ## +-## ++# ++interface(`virt_dontaudit_read_chr_dev',` ++ gen_require(` ++ attribute virt_image_type; ++ ') ++ ++ dontaudit $1 virt_image_type:chr_file read_chr_file_perms; ++') ++ ++######################################## ++## ++## Creates types and rules for a basic ++## virt_lxc process domain. ++## ++## ## -## Role allowed access. -+## The role to be allowed the sandbox domain. ++## Prefix for the domain. ## ## - ## +-## # -interface(`virt_admin',` -+interface(`virt_transition_svirt_lxc',` ++template(`virt_lxc_domain_template',` gen_require(` - attribute virt_domain, virt_image_type, virt_tmpfs_type; - attribute virt_ptynode, svirt_lxc_domain, virt_tmp_type; 
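Review bot: `gnome_data_filetrans($1, svirt_home_t, dir, "images")` keys the svirt_home_t transition on the bare name `images`, whereas every other name in the same block (`libvirt`, `gnome-boxes`, `.libvirt`, `.virtinst`, `qemu`) is product-specific; if gnome_data_filetrans anchors directly at the user's data directory, any `images` directory a caller of this interface creates there would be labelled svirt_home_t, not only the VM image store the rule appears to target. A short comment naming the application and path this rule exists for, e.g. `# "images" under the GNOME data dir: VM image store of gnome-boxes — TODO confirm path`, would let the next maintainer judge whether a more specific anchor is available. virt_filetrans_home_content's opening lines are in the previous hunk.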
@@ -82318,30 +82297,94 @@ index 9dec06c..347f807 100644 - - fs_search_tmpfs($1) - admin_pattern($1, virt_tmpfs_type) -- ++ type $1_t, svirt_lxc_domain; ++ domain_type($1_t) ++ domain_user_exemption_target($1_t) ++ mls_rangetrans_target($1_t) ++ mcs_constrained($1_t) ++ role system_r types $1_t; + - files_search_tmp($1) - admin_pattern($1, { virt_tmp_type virt_tmp_t }) -- ++ kernel_read_system_state($1_t) ++') + - files_search_etc($1) - admin_pattern($1, { virt_etc_t virt_etc_rw_t }) -- ++######################################## ++## ++## Execute a qemu_exec_t in the callers domain ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`virt_exec_qemu',` ++ gen_require(` ++ type qemu_exec_t; ++ ') + - logging_search_logs($1) - admin_pattern($1, virt_log_t) -- ++ can_exec($1, qemu_exec_t) ++') + - files_search_pids($1) - admin_pattern($1, { virt_var_run_t virtd_lxc_var_run_t svirt_var_run_t }) -- ++######################################## ++## ++## Transition to virt named content ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`virt_filetrans_named_content',` ++ gen_require(` ++ type virt_lxc_var_run_t; ++ type virt_var_run_t; ++ ') + - files_search_var($1) - admin_pattern($1, svirt_cache_t) -- ++ files_pid_filetrans($1, virt_lxc_var_run_t, dir, "libvirt-sandbox") ++ files_pid_filetrans($1, virt_var_run_t, dir, "libvirt") ++ files_pid_filetrans($1, virt_var_run_t, dir, "libguestfs") ++') + - files_search_var_lib($1) - admin_pattern($1, { virt_image_type virt_var_lib_t svirt_lxc_file_t }) -+ allow $1 svirt_lxc_domain:process transition; -+ role $2 types svirt_lxc_domain; ++######################################## ++## ++## Execute qemu in the svirt domain, and ++## allow the specified role the svirt domain. ++## ++## ++## ++## Domain allowed access ++## ++## ++## ++## ++## The role to be allowed the sandbox domain. 
++##
++##
++##
++#
++interface(`virt_transition_svirt_lxc',`
++ gen_require(`
++ attribute svirt_lxc_domain;
++ ')
 - files_search_locks($1)
 - admin_pattern($1, virt_lock_t)
--
++ allow $1 svirt_lxc_domain:process transition;
++ role $2 types svirt_lxc_domain;
+
 - dev_list_all_dev_nodes($1)
 - allow $1 virt_ptynode:chr_file rw_term_perms;
 + allow svirt_lxc_domain $1:process sigchld;
diff --git a/selinux-policy.spec b/selinux-policy.spec
index ffb3b30e..907e2682 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@ Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.12.1
-Release: 2%{?dist}
+Release: 3%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -524,6 +524,14 @@ SELinux Reference policy mls base module.
 %endif
 %changelog
+* Fri Jan 11 2013 Miroslav Grepl 3.12.1-3
+- Allow gnomeclock to talk to puppet over dbus
+- Allow numad access discovered by Dominic
+- Add support for HOME_DIR/.maildir
+- Fix attribute_role for mozilla_plugin_t domain to allow staff_r to access this domain
+- Allow udev to relabel udev_var_run_t lnk_files
+- New bin_t file in mcelog
+
 * Thu Jan 10 2013 Miroslav Grepl 3.12.1-2
 - Remove all mcs overrides and replace with t1 != mcs_constrained_types
 - Add attribute_role for iptables
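Review bot: The summary of virt_transition_svirt_lxc, `## Execute qemu in the svirt domain, and` / `## allow the specified role the svirt domain.`, does not match its body: the interface grants only `allow $1 svirt_lxc_domain:process transition;` and `role $2 types svirt_lxc_domain;` and contains no qemu exec rule (that is what the separate virt_exec_qemu in this hunk provides), so the text should read something like `## Allow the domain to transition to the svirt_lxc sandbox domains, and` / `## allow the specified role those domains.`. A second, smaller point in the same hunk: virt_lxc_domain_template uses `role system_r types $1_t;` while its gen_require lists only `attribute svirt_lxc_domain;`; refpolicy interfaces that reference a role normally add `role system_r;` to the require block so the template is self-contained rather than relying on each caller to have required the role itself. Both interfaces are complete within this hunk.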