- geard seems to do a lot of relabeling

- Allow system_mail_t to append to munin_var_lib_t - Allow mozilla_plugin to read alsa_rw_ content - Allow asterisk to connect to the apache ports - Dontaudit attempts to read fixed disk - Dontaudit search gconf_home_t - Allow rsync to create swift_server.lock with swift.log labeling - Add labeling for swift lock files - Use swift_virt_lock in swift.te - Allow openwsman to getattr on sblim_sfcbd executable - Fix sblim_stream_connect_sfcb() to contain also sblim_tmp_t - Allow openwsman_t to read/write sblim-sfcb shared mem - Allow openwsman to stream connec to sblim-sfcbd - Allow openwsman to create tmpfs files/dirs - dontaudit acces to rpm db if rpm_exec for swift_t and sblim_sfcb - Allow sblim_sfcbd to execute shell - Allow swift to create lock file - Allow openwsman to use tcp/80 - Allow neutron to create also dirs in /tmp - Allow seunshare domains to getattr on all executables - Allow ssh-keygen to create temporary files/dirs needed by OpenSt - Allow named_filetrans_domain to create /run/netns - Allow ifconfig to create /run/netns
2014-05-20 07:59:07 +02:00 · 2014-05-20 07:59:07 +02:00 · cccaf8f646
commit cccaf8f646
parent 7768984e85
3 changed files with 414 additions and 174 deletions
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@ -3174,10 +3174,10 @@ index 1dc7a85..c6f4da0 100644
 +	corecmd_shell_domtrans($1_seunshare_t, $1_t)
 ')
 diff --git a/policy/modules/apps/seunshare.te b/policy/modules/apps/seunshare.te
-index 7590165..fb30c11 100644
+index 7590165..b516b43 100644
 --- a/policy/modules/apps/seunshare.te
 +++ b/policy/modules/apps/seunshare.te
-@@ -5,40 +5,61 @@ policy_module(seunshare, 1.1.0)
+@@ -5,40 +5,62 @@ policy_module(seunshare, 1.1.0)
 # Declarations
 #
@ -3203,6 +3203,7 @@ index 7590165..fb30c11 100644
 -allow seunshare_t self:unix_stream_socket create_stream_socket_perms;
 +corecmd_exec_shell(seunshare_domain)
 +corecmd_exec_bin(seunshare_domain)
 +corecmd_getattr_all_executables(seunshare_domain)
 -corecmd_exec_shell(seunshare_t)
 -corecmd_exec_bin(seunshare_t)
@ -8813,7 +8814,7 @@ index 6a1e4d1..1b9b0b5 100644
 +	dontaudit $1 domain:dir_file_class_set audit_access;
 ')
 diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
-index cf04cb5..b9da2b3 100644
+index cf04cb5..32d58ca 100644
 --- a/policy/modules/kernel/domain.te
 +++ b/policy/modules/kernel/domain.te
@@ -4,17 +4,41 @@ policy_module(domain, 1.11.0)
@ -8961,7 +8962,7 @@ index cf04cb5..b9da2b3 100644
 # Create/access any System V IPC objects.
 allow unconfined_domain_type domain:{ sem msgq shm } *;
-@@ -166,5 +237,347 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
+@@ -166,5 +237,348 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
 # act on all domains keys
 allow unconfined_domain_type domain:key *;
@ -9155,6 +9156,7 @@ index cf04cb5..b9da2b3 100644
 +
 +optional_policy(`
 +	sysnet_filetrans_named_content(named_filetrans_domain)
 +    sysnet_filetrans_named_content_ifconfig(named_filetrans_domain)
 +')
 +
 +optional_policy(`
@ -15037,13 +15039,13 @@ index e7d1738..089cc7a 100644
 ########################################
 #
 diff --git a/policy/modules/kernel/kernel.fc b/policy/modules/kernel/kernel.fc
-index 7be4ddf..d5ef507 100644
+index 7be4ddf..71e675a 100644
 --- a/policy/modules/kernel/kernel.fc
 +++ b/policy/modules/kernel/kernel.fc
@@ -1 +1,3 @@
 -# This module currently does not have any file contexts.
 +
-+/sys/class/net/ib.* 		gen_context(system_u:object_r:sysctl_net_t,s0)
+/sys/class/net/ib.* 	  --	gen_context(system_u:object_r:sysctl_net_t,s0)
 +/sys/kernel/uevent_helper --	gen_context(system_u:object_r:usermodehelper_t,s0)
 diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
 index e100d88..fb8a1f1 100644
@ -22131,10 +22133,10 @@ index fe0c682..e8dcfa7 100644
 +	ps_process_pattern($1, sshd_t)
 +')
 diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
-index cc877c7..a8b01bf 100644
+index cc877c7..1d92018 100644
 --- a/policy/modules/services/ssh.te
 +++ b/policy/modules/services/ssh.te
-@@ -6,43 +6,65 @@ policy_module(ssh, 2.4.2)
+@@ -6,43 +6,68 @@ policy_module(ssh, 2.4.2)
 #
 ## <desc>
@ -22178,6 +22180,9 @@ index cc877c7..a8b01bf 100644
 init_system_domain(ssh_keygen_t, ssh_keygen_exec_t)
 -role system_r types ssh_keygen_t;
 +
 +type ssh_keygen_tmp_t;
 +files_tmp_file(ssh_keygen_tmp_t)
 +
 +type sshd_keygen_t;
 +type sshd_keygen_exec_t;
 +init_daemon_domain(sshd_keygen_t, sshd_keygen_exec_t)
@ -22214,7 +22219,7 @@ index cc877c7..a8b01bf 100644
 type ssh_t;
 type ssh_exec_t;
-@@ -73,9 +95,11 @@ type ssh_home_t;
+@@ -73,9 +98,11 @@ type ssh_home_t;
 typealias ssh_home_t alias { home_ssh_t user_ssh_home_t user_home_ssh_t staff_home_ssh_t sysadm_home_ssh_t };
 typealias ssh_home_t alias { auditadm_home_ssh_t secadm_home_ssh_t };
 userdom_user_home_content(ssh_home_t)
@ -22228,7 +22233,7 @@ index cc877c7..a8b01bf 100644
 ##############################
 #
-@@ -86,6 +110,7 @@ allow ssh_t self:capability { setuid setgid dac_override dac_read_search };
+@@ -86,6 +113,7 @@ allow ssh_t self:capability { setuid setgid dac_override dac_read_search };
 allow ssh_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow ssh_t self:fd use;
 allow ssh_t self:fifo_file rw_fifo_file_perms;
@ -22236,7 +22241,7 @@ index cc877c7..a8b01bf 100644
 allow ssh_t self:unix_dgram_socket { create_socket_perms sendto };
 allow ssh_t self:unix_stream_socket { create_stream_socket_perms connectto };
 allow ssh_t self:shm create_shm_perms;
-@@ -93,15 +118,11 @@ allow ssh_t self:sem create_sem_perms;
+@@ -93,15 +121,11 @@ allow ssh_t self:sem create_sem_perms;
 allow ssh_t self:msgq create_msgq_perms;
 allow ssh_t self:msg { send receive };
 allow ssh_t self:tcp_socket create_stream_socket_perms;
@ -22253,7 +22258,7 @@ index cc877c7..a8b01bf 100644
 manage_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
 manage_lnk_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
 manage_fifo_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
-@@ -110,33 +131,42 @@ fs_tmpfs_filetrans(ssh_t, ssh_tmpfs_t, { dir file lnk_file sock_file fifo_file }
+@@ -110,33 +134,42 @@ fs_tmpfs_filetrans(ssh_t, ssh_tmpfs_t, { dir file lnk_file sock_file fifo_file }
 manage_dirs_pattern(ssh_t, ssh_home_t, ssh_home_t)
 manage_sock_files_pattern(ssh_t, ssh_home_t, ssh_home_t)
@ -22301,7 +22306,7 @@ index cc877c7..a8b01bf 100644
 dev_read_urand(ssh_t)
 fs_getattr_all_fs(ssh_t)
-@@ -157,40 +187,46 @@ files_read_var_files(ssh_t)
+@@ -157,40 +190,46 @@ files_read_var_files(ssh_t)
 logging_send_syslog_msg(ssh_t)
 logging_read_generic_logs(ssh_t)
@ -22367,7 +22372,7 @@ index cc877c7..a8b01bf 100644
 ')
 optional_policy(`
-@@ -198,6 +234,7 @@ optional_policy(`
+@@ -198,6 +237,7 @@ optional_policy(`
 	xserver_domtrans_xauth(ssh_t)
 ')
@ -22375,7 +22380,7 @@ index cc877c7..a8b01bf 100644
 ##############################
 #
 # ssh_keysign_t local policy
-@@ -209,6 +246,7 @@ allow ssh_keysign_t self:unix_stream_socket create_socket_perms;
+@@ -209,6 +249,7 @@ allow ssh_keysign_t self:unix_stream_socket create_socket_perms;
 allow ssh_keysign_t sshd_key_t:file { getattr read };
 dev_read_urand(ssh_keysign_t)
@ -22383,7 +22388,7 @@ index cc877c7..a8b01bf 100644
 files_read_etc_files(ssh_keysign_t)
-@@ -226,39 +264,57 @@ optional_policy(`
+@@ -226,39 +267,57 @@ optional_policy(`
 # so a tunnel can point to another ssh tunnel
 allow sshd_t self:netlink_route_socket r_netlink_socket_perms;
 allow sshd_t self:key { search link write };
@ -22453,7 +22458,7 @@ index cc877c7..a8b01bf 100644
 ')
 optional_policy(`
-@@ -266,6 +322,15 @@ optional_policy(`
+@@ -266,6 +325,15 @@ optional_policy(`
 ')
 optional_policy(`
@ -22469,7 +22474,7 @@ index cc877c7..a8b01bf 100644
 	inetd_tcp_service_domain(sshd_t, sshd_exec_t)
 ')
-@@ -275,6 +340,18 @@ optional_policy(`
+@@ -275,6 +343,18 @@ optional_policy(`
 ')
 optional_policy(`
@ -22488,7 +22493,7 @@ index cc877c7..a8b01bf 100644
 	oddjob_domtrans_mkhomedir(sshd_t)
 ')
-@@ -289,13 +366,93 @@ optional_policy(`
+@@ -289,13 +369,93 @@ optional_policy(`
 ')
 optional_policy(`
@ -22582,7 +22587,7 @@ index cc877c7..a8b01bf 100644
 ########################################
 #
 # ssh_keygen local policy
-@@ -304,19 +461,29 @@ optional_policy(`
+@@ -304,19 +464,33 @@ optional_policy(`
 # ssh_keygen_t is the type of the ssh-keygen program when run at install time
 # and by sysadm_t
@ -22600,6 +22605,10 @@ index cc877c7..a8b01bf 100644
 +userdom_admin_home_dir_filetrans(ssh_keygen_t, ssh_home_t, dir)
 +userdom_user_home_dir_filetrans(ssh_keygen_t, ssh_home_t, dir)
 +
 +manage_dirs_pattern(ssh_keygen_t, ssh_keygen_tmp_t, ssh_keygen_tmp_t)
 +manage_files_pattern(ssh_keygen_t, ssh_keygen_tmp_t, ssh_keygen_tmp_t)
 +files_tmp_filetrans(ssh_keygen_t, ssh_keygen_tmp_t, { file dir })
 +
 +kernel_read_system_state(ssh_keygen_t)
 kernel_read_kernel_sysctls(ssh_keygen_t)
@ -22613,7 +22622,7 @@ index cc877c7..a8b01bf 100644
 dev_read_urand(ssh_keygen_t)
 term_dontaudit_use_console(ssh_keygen_t)
-@@ -333,6 +500,12 @@ auth_use_nsswitch(ssh_keygen_t)
+@@ -333,6 +507,12 @@ auth_use_nsswitch(ssh_keygen_t)
 logging_send_syslog_msg(ssh_keygen_t)
 userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t)
@ -22626,7 +22635,7 @@ index cc877c7..a8b01bf 100644
 optional_policy(`
 	seutil_sigchld_newrole(ssh_keygen_t)
-@@ -341,3 +514,140 @@ optional_policy(`
+@@ -341,3 +521,140 @@ optional_policy(`
 optional_policy(`
 	udev_read_db(ssh_keygen_t)
 ')
@ -29787,7 +29796,7 @@ index 79a45f6..89b43aa 100644
 +	files_etc_filetrans($1, machineid_t, file, "machine-id" )
 +')
 diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 17eda24..43c0bc6 100644
+index 17eda24..956662b 100644
 --- a/policy/modules/system/init.te
 +++ b/policy/modules/system/init.te
@@ -11,10 +11,31 @@ gen_require(`
@ -30064,9 +30073,10 @@ index 17eda24..43c0bc6 100644
 +	fs_manage_tmpfs_files(init_t)
 +	fs_manage_tmpfs_symlinks(init_t)
 +	fs_manage_tmpfs_sockets(init_t)
 +	fs_manage_tmpfs_chr_files(init_t)
 +	fs_exec_tmpfs_files(init_t)
 	fs_read_tmpfs_symlinks(init_t)
- 	fs_rw_tmpfs_chr_files(init_t)
+-	fs_rw_tmpfs_chr_files(init_t)
 	fs_tmpfs_filetrans(init_t, initctl_t, fifo_file)
 +	fs_tmpfs_filetrans_named_content(init_t)
 +
@ -33440,7 +33450,7 @@ index 4e94884..b144ffe 100644
 +    logging_log_filetrans($1, var_log_t, dir, "anaconda")
 +')
 diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index 59b04c1..1259fbd 100644
+index 59b04c1..13c21e8 100644
 --- a/policy/modules/system/logging.te
 +++ b/policy/modules/system/logging.te
@@ -4,6 +4,21 @@ policy_module(logging, 1.20.1)
@ -33527,7 +33537,19 @@ index 59b04c1..1259fbd 100644
 init_dontaudit_use_fds(auditctl_t)
-@@ -148,6 +176,7 @@ kernel_read_kernel_sysctls(auditd_t)
+@@ -136,9 +164,10 @@ allow auditd_t self:tcp_socket create_stream_socket_perms;
 allow auditd_t auditd_etc_t:dir list_dir_perms;
 allow auditd_t auditd_etc_t:file read_file_perms;
 +manage_dirs_pattern(auditd_t, auditd_log_t, auditd_log_t)
 manage_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
 manage_lnk_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
 -allow auditd_t var_log_t:dir search_dir_perms;
 +logging_log_filetrans(auditd_t, auditd_log_t, dir, "audit")
 manage_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t)
 manage_sock_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t)
@@ -148,6 +177,7 @@ kernel_read_kernel_sysctls(auditd_t)
 # Needs to be able to run dispatcher.  see /etc/audit/auditd.conf
 # Probably want a transition, and a new auditd_helper app
 kernel_read_system_state(auditd_t)
@ -33535,7 +33557,7 @@ index 59b04c1..1259fbd 100644
 dev_read_sysfs(auditd_t)
-@@ -155,9 +184,6 @@ fs_getattr_all_fs(auditd_t)
+@@ -155,9 +185,6 @@ fs_getattr_all_fs(auditd_t)
 fs_search_auto_mountpoints(auditd_t)
 fs_rw_anon_inodefs_files(auditd_t)
@ -33545,7 +33567,7 @@ index 59b04c1..1259fbd 100644
 corenet_all_recvfrom_netlabel(auditd_t)
 corenet_tcp_sendrecv_generic_if(auditd_t)
 corenet_tcp_sendrecv_generic_node(auditd_t)
-@@ -183,16 +209,17 @@ logging_send_syslog_msg(auditd_t)
+@@ -183,16 +210,17 @@ logging_send_syslog_msg(auditd_t)
 logging_domtrans_dispatcher(auditd_t)
 logging_signal_dispatcher(auditd_t)
@ -33567,7 +33589,7 @@ index 59b04c1..1259fbd 100644
 userdom_dontaudit_use_unpriv_user_fds(auditd_t)
 userdom_dontaudit_search_user_home_dirs(auditd_t)
-@@ -237,19 +264,29 @@ corecmd_exec_shell(audisp_t)
+@@ -237,19 +265,29 @@ corecmd_exec_shell(audisp_t)
 domain_use_interactive_fds(audisp_t)
@ -33598,7 +33620,7 @@ index 59b04c1..1259fbd 100644
 ')
 ########################################
-@@ -268,7 +305,6 @@ files_spool_filetrans(audisp_remote_t, audit_spool_t, { dir file })
+@@ -268,7 +306,6 @@ files_spool_filetrans(audisp_remote_t, audit_spool_t, { dir file })
 corecmd_exec_bin(audisp_remote_t)
@ -33606,7 +33628,7 @@ index 59b04c1..1259fbd 100644
 corenet_all_recvfrom_netlabel(audisp_remote_t)
 corenet_tcp_sendrecv_generic_if(audisp_remote_t)
 corenet_tcp_sendrecv_generic_node(audisp_remote_t)
-@@ -280,10 +316,18 @@ corenet_sendrecv_audit_client_packets(audisp_remote_t)
+@@ -280,10 +317,18 @@ corenet_sendrecv_audit_client_packets(audisp_remote_t)
 files_read_etc_files(audisp_remote_t)
@ -33626,7 +33648,7 @@ index 59b04c1..1259fbd 100644
 sysnet_dns_name_resolve(audisp_remote_t)
-@@ -326,7 +370,6 @@ files_read_etc_files(klogd_t)
+@@ -326,7 +371,6 @@ files_read_etc_files(klogd_t)
 logging_send_syslog_msg(klogd_t)
@ -33634,7 +33656,7 @@ index 59b04c1..1259fbd 100644
 mls_file_read_all_levels(klogd_t)
-@@ -355,13 +398,12 @@ optional_policy(`
+@@ -355,13 +399,12 @@ optional_policy(`
 # sys_admin for the integrated klog of syslog-ng and metalog
 # sys_nice for rsyslog
 # cjp: why net_admin!
@ -33651,7 +33673,7 @@ index 59b04c1..1259fbd 100644
 # receive messages to be logged
 allow syslogd_t self:unix_dgram_socket create_socket_perms;
 allow syslogd_t self:unix_stream_socket create_stream_socket_perms;
-@@ -369,8 +411,10 @@ allow syslogd_t self:unix_dgram_socket sendto;
+@@ -369,8 +412,10 @@ allow syslogd_t self:unix_dgram_socket sendto;
 allow syslogd_t self:fifo_file rw_fifo_file_perms;
 allow syslogd_t self:udp_socket create_socket_perms;
 allow syslogd_t self:tcp_socket create_stream_socket_perms;
@ -33662,7 +33684,7 @@ index 59b04c1..1259fbd 100644
 # Create and bind to /dev/log or /var/run/log.
 allow syslogd_t devlog_t:sock_file manage_sock_file_perms;
-@@ -389,30 +433,46 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
+@@ -389,30 +434,46 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
 manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
 files_tmp_filetrans(syslogd_t, syslogd_tmp_t, { dir file })
@ -33712,7 +33734,7 @@ index 59b04c1..1259fbd 100644
 # syslog-ng can listen and connect on tcp port 514 (rsh)
 corenet_tcp_sendrecv_generic_if(syslogd_t)
 corenet_tcp_sendrecv_generic_node(syslogd_t)
-@@ -422,6 +482,8 @@ corenet_tcp_bind_rsh_port(syslogd_t)
+@@ -422,6 +483,8 @@ corenet_tcp_bind_rsh_port(syslogd_t)
 corenet_tcp_connect_rsh_port(syslogd_t)
 # Allow users to define additional syslog ports to connect to
 corenet_tcp_bind_syslogd_port(syslogd_t)
@ -33721,7 +33743,7 @@ index 59b04c1..1259fbd 100644
 corenet_tcp_connect_syslogd_port(syslogd_t)
 corenet_tcp_connect_postgresql_port(syslogd_t)
 corenet_tcp_connect_mysqld_port(syslogd_t)
-@@ -432,9 +494,26 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t)
+@@ -432,9 +495,26 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t)
 corenet_sendrecv_postgresql_client_packets(syslogd_t)
 corenet_sendrecv_mysqld_client_packets(syslogd_t)
@ -33749,7 +33771,7 @@ index 59b04c1..1259fbd 100644
 domain_use_interactive_fds(syslogd_t)
 files_read_etc_files(syslogd_t)
-@@ -448,13 +527,17 @@ files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir })
+@@ -448,13 +528,17 @@ files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir })
 fs_getattr_all_fs(syslogd_t)
 fs_search_auto_mountpoints(syslogd_t)
@ -33767,7 +33789,7 @@ index 59b04c1..1259fbd 100644
 # for sending messages to logged in users
 init_read_utmp(syslogd_t)
 init_dontaudit_write_utmp(syslogd_t)
-@@ -466,11 +549,11 @@ init_use_fds(syslogd_t)
+@@ -466,11 +550,11 @@ init_use_fds(syslogd_t)
 # cjp: this doesnt make sense
 logging_send_syslog_msg(syslogd_t)
@ -33782,7 +33804,7 @@ index 59b04c1..1259fbd 100644
 ifdef(`distro_gentoo',`
 	# default gentoo syslog-ng config appends kernel
-@@ -507,15 +590,40 @@ optional_policy(`
+@@ -507,15 +591,40 @@ optional_policy(`
 ')
 optional_policy(`
@ -33823,7 +33845,7 @@ index 59b04c1..1259fbd 100644
 ')
 optional_policy(`
-@@ -526,3 +634,26 @@ optional_policy(`
+@@ -526,3 +635,26 @@ optional_policy(`
 	# log to the xconsole
 	xserver_rw_console(syslogd_t)
 ')
@ -38115,7 +38137,7 @@ index 2cea692..e094fc0 100644
 +	files_pid_filetrans($1, ifconfig_var_run_t, dir, "netns")
 +')
 diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
-index a392fc4..f1782ee 100644
+index a392fc4..4302955 100644
 --- a/policy/modules/system/sysnetwork.te
 +++ b/policy/modules/system/sysnetwork.te
@@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.15.4)
@ -38403,7 +38425,7 @@ index a392fc4..f1782ee 100644
 fs_getattr_xattr_fs(ifconfig_t)
 fs_search_auto_mountpoints(ifconfig_t)
-@@ -299,33 +377,50 @@ term_dontaudit_use_all_ptys(ifconfig_t)
+@@ -299,33 +377,51 @@ term_dontaudit_use_all_ptys(ifconfig_t)
 term_dontaudit_use_ptmx(ifconfig_t)
 term_dontaudit_use_generic_ptys(ifconfig_t)
@ -38426,6 +38448,7 @@ index a392fc4..f1782ee 100644
 +sysnet_dns_name_resolve(ifconfig_t)
 sysnet_dontaudit_rw_dhcpc_udp_sockets(ifconfig_t)
 +sysnet_filetrans_named_content_ifconfig(ifconfig_t)
 -userdom_use_user_terminals(ifconfig_t)
 +userdom_use_inherited_user_terminals(ifconfig_t)
@ -38460,7 +38483,7 @@ index a392fc4..f1782ee 100644
 	optional_policy(`
 		dev_dontaudit_rw_cardmgr(ifconfig_t)
 	')
-@@ -336,7 +431,11 @@ ifdef(`hide_broken_symptoms',`
+@@ -336,7 +432,11 @@ ifdef(`hide_broken_symptoms',`
 ')
 optional_policy(`
@ -38473,7 +38496,7 @@ index a392fc4..f1782ee 100644
 ')
 optional_policy(`
-@@ -350,7 +449,15 @@ optional_policy(`
+@@ -350,7 +450,15 @@ optional_policy(`
 ')
 optional_policy(`
@ -38490,7 +38513,7 @@ index a392fc4..f1782ee 100644
 ')
 optional_policy(`
-@@ -371,3 +478,13 @@ optional_policy(`
+@@ -371,3 +479,13 @@ optional_policy(`
 	xen_append_log(ifconfig_t)
 	xen_dontaudit_rw_unix_stream_sockets(ifconfig_t)
 ')
@ -42095,7 +42118,7 @@ index db75976..4ca3a28 100644
 +/var/tmp/hsperfdata_root    gen_context(system_u:object_r:user_tmp_t,s0)
 +
 diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 9dc60c6..102478f 100644
+index 9dc60c6..87b5cc3 100644
 --- a/policy/modules/system/userdomain.if
 +++ b/policy/modules/system/userdomain.if
@@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@ -43573,13 +43596,14 @@ index 9dc60c6..102478f 100644
 	corenet_tcp_bind_generic_port($1_t)
 	# allow setting up tunnels
-@@ -1145,10 +1559,14 @@ template(`userdom_admin_user_template',`
+@@ -1145,10 +1559,15 @@ template(`userdom_admin_user_template',`
 	dev_rename_all_blk_files($1_t)
 	dev_rename_all_chr_files($1_t)
 	dev_create_generic_symlinks($1_t)
 +	dev_rw_generic_usb_dev($1_t)
 +	dev_rw_usbfs($1_t)
 +	dev_read_kmsg($1_t)
 +	dev_read_cpuid($1_t)
 	domain_setpriority_all_domains($1_t)
 	domain_read_all_domains_state($1_t)
@ -43588,7 +43612,7 @@ index 9dc60c6..102478f 100644
 	domain_dontaudit_ptrace_all_domains($1_t)
 	# signal all domains:
 	domain_kill_all_domains($1_t)
-@@ -1159,29 +1577,38 @@ template(`userdom_admin_user_template',`
+@@ -1159,29 +1578,38 @@ template(`userdom_admin_user_template',`
 	domain_sigchld_all_domains($1_t)
 	# for lsof
 	domain_getattr_all_sockets($1_t)
@ -43631,7 +43655,7 @@ index 9dc60c6..102478f 100644
 	# The following rule is temporary until such time that a complete
 	# policy management infrastructure is in place so that an administrator
-@@ -1191,6 +1618,8 @@ template(`userdom_admin_user_template',`
+@@ -1191,6 +1619,8 @@ template(`userdom_admin_user_template',`
 	# But presently necessary for installing the file_contexts file.
 	seutil_manage_bin_policy($1_t)
@ -43640,7 +43664,7 @@ index 9dc60c6..102478f 100644
 	userdom_manage_user_home_content_dirs($1_t)
 	userdom_manage_user_home_content_files($1_t)
 	userdom_manage_user_home_content_symlinks($1_t)
-@@ -1198,13 +1627,17 @@ template(`userdom_admin_user_template',`
+@@ -1198,13 +1628,17 @@ template(`userdom_admin_user_template',`
 	userdom_manage_user_home_content_sockets($1_t)
 	userdom_user_home_dir_filetrans_user_home_content($1_t, { dir file lnk_file fifo_file sock_file })
@ -43659,7 +43683,7 @@ index 9dc60c6..102478f 100644
 	optional_policy(`
 		postgresql_unconfined($1_t)
 	')
-@@ -1240,7 +1673,7 @@ template(`userdom_admin_user_template',`
+@@ -1240,7 +1674,7 @@ template(`userdom_admin_user_template',`
 ##	</summary>
 ## </param>
 #
@ -43668,7 +43692,7 @@ index 9dc60c6..102478f 100644
 	allow $1 self:capability { dac_read_search dac_override };
 	corecmd_exec_shell($1)
-@@ -1250,6 +1683,8 @@ template(`userdom_security_admin_template',`
+@@ -1250,6 +1684,8 @@ template(`userdom_security_admin_template',`
 	dev_relabel_all_dev_nodes($1)
 	files_create_boot_flag($1)
@ -43677,7 +43701,7 @@ index 9dc60c6..102478f 100644
 	# Necessary for managing /boot/efi
 	fs_manage_dos_files($1)
-@@ -1262,8 +1697,10 @@ template(`userdom_security_admin_template',`
+@@ -1262,8 +1698,10 @@ template(`userdom_security_admin_template',`
 	selinux_set_enforce_mode($1)
 	selinux_set_all_booleans($1)
 	selinux_set_parameters($1)
@ -43689,7 +43713,7 @@ index 9dc60c6..102478f 100644
 	auth_relabel_shadow($1)
 	init_exec($1)
-@@ -1274,29 +1711,31 @@ template(`userdom_security_admin_template',`
+@@ -1274,29 +1712,31 @@ template(`userdom_security_admin_template',`
 	logging_read_audit_config($1)
 	seutil_manage_bin_policy($1)
@ -43732,7 +43756,7 @@ index 9dc60c6..102478f 100644
 	')
 	optional_policy(`
-@@ -1357,14 +1796,17 @@ interface(`userdom_user_home_content',`
+@@ -1357,14 +1797,17 @@ interface(`userdom_user_home_content',`
 	gen_require(`
 		attribute user_home_content_type;
 		type user_home_t;
@ -43751,7 +43775,7 @@ index 9dc60c6..102478f 100644
 ')
 ########################################
-@@ -1405,6 +1847,51 @@ interface(`userdom_user_tmpfs_file',`
+@@ -1405,6 +1848,51 @@ interface(`userdom_user_tmpfs_file',`
 ## <summary>
 ##	Allow domain to attach to TUN devices created by administrative users.
 ## </summary>
@ -43803,7 +43827,7 @@ index 9dc60c6..102478f 100644
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
-@@ -1509,11 +1996,31 @@ interface(`userdom_search_user_home_dirs',`
+@@ -1509,11 +1997,31 @@ interface(`userdom_search_user_home_dirs',`
 	')
 	allow $1 user_home_dir_t:dir search_dir_perms;
@ -43835,7 +43859,7 @@ index 9dc60c6..102478f 100644
 ##	Do not audit attempts to search user home directories.
 ## </summary>
 ## <desc>
-@@ -1555,6 +2062,14 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1555,6 +2063,14 @@ interface(`userdom_list_user_home_dirs',`
 	allow $1 user_home_dir_t:dir list_dir_perms;
 	files_search_home($1)
@ -43850,7 +43874,7 @@ index 9dc60c6..102478f 100644
 ')
 ########################################
-@@ -1570,9 +2085,11 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1570,9 +2086,11 @@ interface(`userdom_list_user_home_dirs',`
 interface(`userdom_dontaudit_list_user_home_dirs',`
 	gen_require(`
 		type user_home_dir_t;
@ -43862,7 +43886,7 @@ index 9dc60c6..102478f 100644
 ')
 ########################################
-@@ -1629,6 +2146,42 @@ interface(`userdom_relabelto_user_home_dirs',`
+@@ -1629,6 +2147,42 @@ interface(`userdom_relabelto_user_home_dirs',`
 	allow $1 user_home_dir_t:dir relabelto;
 ')
@ -43905,7 +43929,7 @@ index 9dc60c6..102478f 100644
 ########################################
 ## <summary>
 ##	Create directories in the home dir root with
-@@ -1708,6 +2261,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
+@@ -1708,6 +2262,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
 	')
 	dontaudit $1 user_home_t:dir search_dir_perms;
@ -43914,7 +43938,7 @@ index 9dc60c6..102478f 100644
 ')
 ########################################
-@@ -1741,10 +2296,12 @@ interface(`userdom_list_all_user_home_content',`
+@@ -1741,10 +2297,12 @@ interface(`userdom_list_all_user_home_content',`
 #
 interface(`userdom_list_user_home_content',`
 	gen_require(`
@ -43929,7 +43953,7 @@ index 9dc60c6..102478f 100644
 ')
 ########################################
-@@ -1769,7 +2326,25 @@ interface(`userdom_manage_user_home_content_dirs',`
+@@ -1769,7 +2327,25 @@ interface(`userdom_manage_user_home_content_dirs',`
 ########################################
 ## <summary>
@ -43956,7 +43980,7 @@ index 9dc60c6..102478f 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -1779,53 +2354,70 @@ interface(`userdom_manage_user_home_content_dirs',`
+@@ -1779,53 +2355,70 @@ interface(`userdom_manage_user_home_content_dirs',`
 #
 interface(`userdom_delete_all_user_home_content_dirs',`
 	gen_require(`
@ -44039,7 +44063,7 @@ index 9dc60c6..102478f 100644
 ##	Do not audit attempts to set the
 ##	attributes of user home files.
 ## </summary>
-@@ -1845,6 +2437,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
+@@ -1845,6 +2438,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
 ########################################
 ## <summary>
@ -44065,7 +44089,7 @@ index 9dc60c6..102478f 100644
 ##	Mmap user home files.
 ## </summary>
 ## <param name="domain">
-@@ -1875,15 +2486,18 @@ interface(`userdom_mmap_user_home_content_files',`
+@@ -1875,15 +2487,18 @@ interface(`userdom_mmap_user_home_content_files',`
 interface(`userdom_read_user_home_content_files',`
 	gen_require(`
 		type user_home_dir_t, user_home_t;
@ -44086,7 +44110,7 @@ index 9dc60c6..102478f 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -1891,18 +2505,18 @@ interface(`userdom_read_user_home_content_files',`
+@@ -1891,18 +2506,18 @@ interface(`userdom_read_user_home_content_files',`
 ##	</summary>
 ## </param>
 #
@ -44110,7 +44134,7 @@ index 9dc60c6..102478f 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -1910,17 +2524,21 @@ interface(`userdom_dontaudit_read_user_home_content_files',`
+@@ -1910,17 +2525,21 @@ interface(`userdom_dontaudit_read_user_home_content_files',`
 ##	</summary>
 ## </param>
 #
@ -44136,7 +44160,7 @@ index 9dc60c6..102478f 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -1928,7 +2546,25 @@ interface(`userdom_dontaudit_append_user_home_content_files',`
+@@ -1928,7 +2547,25 @@ interface(`userdom_dontaudit_append_user_home_content_files',`
 ##	</summary>
 ## </param>
 #
@ -44163,7 +44187,7 @@ index 9dc60c6..102478f 100644
 	gen_require(`
 		type user_home_t;
 	')
-@@ -1938,7 +2574,7 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
+@@ -1938,7 +2575,7 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
 ########################################
 ## <summary>
@ -44172,7 +44196,7 @@ index 9dc60c6..102478f 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -1946,10 +2582,9 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
+@@ -1946,10 +2583,9 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
 ##	</summary>
 ## </param>
 #
@ -44185,7 +44209,7 @@ index 9dc60c6..102478f 100644
 	')
 	userdom_search_user_home_content($1)
-@@ -1958,7 +2593,7 @@ interface(`userdom_delete_all_user_home_content_files',`
+@@ -1958,7 +2594,7 @@ interface(`userdom_delete_all_user_home_content_files',`
 ########################################
 ## <summary>
@ -44194,7 +44218,7 @@ index 9dc60c6..102478f 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -1966,12 +2601,66 @@ interface(`userdom_delete_all_user_home_content_files',`
+@@ -1966,12 +2602,66 @@ interface(`userdom_delete_all_user_home_content_files',`
 ##	</summary>
 ## </param>
 #
@ -44263,7 +44287,7 @@ index 9dc60c6..102478f 100644
 ')
 ########################################
-@@ -2007,8 +2696,7 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -2007,8 +2697,7 @@ interface(`userdom_read_user_home_content_symlinks',`
 		type user_home_dir_t, user_home_t;
 	')
@ -44273,7 +44297,7 @@ index 9dc60c6..102478f 100644
 ')
 ########################################
-@@ -2024,20 +2712,14 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -2024,20 +2713,14 @@ interface(`userdom_read_user_home_content_symlinks',`
 #
 interface(`userdom_exec_user_home_content_files',`
 	gen_require(`
@ -44298,7 +44322,7 @@ index 9dc60c6..102478f 100644
 ########################################
 ## <summary>
-@@ -2120,7 +2802,7 @@ interface(`userdom_manage_user_home_content_symlinks',`
+@@ -2120,7 +2803,7 @@ interface(`userdom_manage_user_home_content_symlinks',`
 ########################################
 ## <summary>
@ -44307,7 +44331,7 @@ index 9dc60c6..102478f 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -2128,19 +2810,17 @@ interface(`userdom_manage_user_home_content_symlinks',`
+@@ -2128,19 +2811,17 @@ interface(`userdom_manage_user_home_content_symlinks',`
 ##	</summary>
 ## </param>
 #
@ -44331,7 +44355,7 @@ index 9dc60c6..102478f 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -2148,12 +2828,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',`
+@@ -2148,12 +2829,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',`
 ##	</summary>
 ## </param>
 #
@ -44347,7 +44371,7 @@ index 9dc60c6..102478f 100644
 ')
 ########################################
-@@ -2390,11 +3070,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
+@@ -2390,11 +3071,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
 #
 interface(`userdom_read_user_tmp_files',`
 	gen_require(`
@ -44362,7 +44386,7 @@ index 9dc60c6..102478f 100644
 	files_search_tmp($1)
 ')
-@@ -2414,7 +3094,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
+@@ -2414,7 +3095,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
 		type user_tmp_t;
 	')
@ -44371,7 +44395,7 @@ index 9dc60c6..102478f 100644
 ')
 ########################################
-@@ -2538,6 +3218,26 @@ interface(`userdom_manage_user_tmp_files',`
+@@ -2538,6 +3219,26 @@ interface(`userdom_manage_user_tmp_files',`
 ########################################
 ## <summary>
 ##	Create, read, write, and delete user
@ -44398,7 +44422,7 @@ index 9dc60c6..102478f 100644
 ##	temporary symbolic links.
 ## </summary>
 ## <param name="domain">
-@@ -2661,6 +3361,25 @@ interface(`userdom_tmp_filetrans_user_tmp',`
+@@ -2661,6 +3362,25 @@ interface(`userdom_tmp_filetrans_user_tmp',`
 	files_tmp_filetrans($1, user_tmp_t, $2, $3)
 ')
@ -44424,7 +44448,7 @@ index 9dc60c6..102478f 100644
 ########################################
 ## <summary>
 ##	Read user tmpfs files.
-@@ -2677,13 +3396,14 @@ interface(`userdom_read_user_tmpfs_files',`
+@@ -2677,13 +3397,14 @@ interface(`userdom_read_user_tmpfs_files',`
 	')
 	read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
@ -44440,7 +44464,7 @@ index 9dc60c6..102478f 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -2704,7 +3424,7 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2704,7 +3425,7 @@ interface(`userdom_rw_user_tmpfs_files',`
 ########################################
 ## <summary>
@ -44449,7 +44473,7 @@ index 9dc60c6..102478f 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -2712,14 +3432,30 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2712,14 +3433,30 @@ interface(`userdom_rw_user_tmpfs_files',`
 ##	</summary>
 ## </param>
 #
@ -44484,7 +44508,7 @@ index 9dc60c6..102478f 100644
 ')
 ########################################
-@@ -2814,6 +3550,24 @@ interface(`userdom_use_user_ttys',`
+@@ -2814,6 +3551,24 @@ interface(`userdom_use_user_ttys',`
 ########################################
 ## <summary>
@ -44509,7 +44533,7 @@ index 9dc60c6..102478f 100644
 ##	Read and write a user domain pty.
 ## </summary>
 ## <param name="domain">
-@@ -2832,22 +3586,34 @@ interface(`userdom_use_user_ptys',`
+@@ -2832,22 +3587,34 @@ interface(`userdom_use_user_ptys',`
 ########################################
 ## <summary>
@ -44552,7 +44576,7 @@ index 9dc60c6..102478f 100644
 ## </desc>
 ## <param name="domain">
 ##	<summary>
-@@ -2856,14 +3622,33 @@ interface(`userdom_use_user_ptys',`
+@@ -2856,14 +3623,33 @@ interface(`userdom_use_user_ptys',`
 ## </param>
 ## <infoflow type="both" weight="10"/>
 #
@ -44590,7 +44614,7 @@ index 9dc60c6..102478f 100644
 ')
 ########################################
-@@ -2882,8 +3667,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
+@@ -2882,8 +3668,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
 		type user_tty_device_t, user_devpts_t;
 	')
@ -44620,7 +44644,7 @@ index 9dc60c6..102478f 100644
 ')
 ########################################
-@@ -2955,69 +3759,68 @@ interface(`userdom_spec_domtrans_unpriv_users',`
+@@ -2955,69 +3760,68 @@ interface(`userdom_spec_domtrans_unpriv_users',`
 	allow unpriv_userdomain $1:process sigchld;
 ')
@ -44721,7 +44745,7 @@ index 9dc60c6..102478f 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -3025,12 +3828,12 @@ interface(`userdom_manage_unpriv_user_semaphores',`
+@@ -3025,12 +3829,12 @@ interface(`userdom_manage_unpriv_user_semaphores',`
 ##	</summary>
 ## </param>
 #
@ -44736,7 +44760,7 @@ index 9dc60c6..102478f 100644
 ')
 ########################################
-@@ -3094,7 +3897,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -3094,7 +3898,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
 	domain_entry_file_spec_domtrans($1, unpriv_userdomain)
 	allow unpriv_userdomain $1:fd use;
@ -44745,7 +44769,7 @@ index 9dc60c6..102478f 100644
 	allow unpriv_userdomain $1:process sigchld;
 ')
-@@ -3110,16 +3913,18 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -3110,16 +3914,18 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
 #
 interface(`userdom_search_user_home_content',`
 	gen_require(`
@ -44767,7 +44791,7 @@ index 9dc60c6..102478f 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -3127,30 +3932,12 @@ interface(`userdom_search_user_home_content',`
+@@ -3127,30 +3933,12 @@ interface(`userdom_search_user_home_content',`
 ##	</summary>
 ## </param>
 #
@ -44800,7 +44824,7 @@ index 9dc60c6..102478f 100644
 ')
 ########################################
-@@ -3214,7 +4001,25 @@ interface(`userdom_dontaudit_use_user_ptys',`
+@@ -3214,7 +4002,25 @@ interface(`userdom_dontaudit_use_user_ptys',`
 		type user_devpts_t;
 	')
@ -44827,7 +44851,7 @@ index 9dc60c6..102478f 100644
 ')
 ########################################
-@@ -3269,7 +4074,83 @@ interface(`userdom_write_user_tmp_files',`
+@@ -3269,7 +4075,83 @@ interface(`userdom_write_user_tmp_files',`
 		type user_tmp_t;
 	')
@ -44912,7 +44936,7 @@ index 9dc60c6..102478f 100644
 ')
 ########################################
-@@ -3287,7 +4168,7 @@ interface(`userdom_dontaudit_use_user_ttys',`
+@@ -3287,7 +4169,7 @@ interface(`userdom_dontaudit_use_user_ttys',`
 		type user_tty_device_t;
 	')
@ -44921,7 +44945,7 @@ index 9dc60c6..102478f 100644
 ')
 ########################################
-@@ -3306,6 +4187,7 @@ interface(`userdom_read_all_users_state',`
+@@ -3306,6 +4188,7 @@ interface(`userdom_read_all_users_state',`
 	')
 	read_files_pattern($1, userdomain, userdomain)
@ -44929,7 +44953,7 @@ index 9dc60c6..102478f 100644
 	kernel_search_proc($1)
 ')
-@@ -3382,6 +4264,42 @@ interface(`userdom_signal_all_users',`
+@@ -3382,6 +4265,42 @@ interface(`userdom_signal_all_users',`
 	allow $1 userdomain:process signal;
 ')
@ -44972,7 +44996,7 @@ index 9dc60c6..102478f 100644
 ########################################
 ## <summary>
 ##	Send a SIGCHLD signal to all user domains.
-@@ -3402,6 +4320,24 @@ interface(`userdom_sigchld_all_users',`
+@@ -3402,6 +4321,24 @@ interface(`userdom_sigchld_all_users',`
 ########################################
 ## <summary>
@ -44997,7 +45021,7 @@ index 9dc60c6..102478f 100644
 ##	Create keys for all user domains.
 ## </summary>
 ## <param name="domain">
-@@ -3435,4 +4371,1680 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3435,4 +4372,1680 @@ interface(`userdom_dbus_send_all_users',`
 	')
 	allow $1 userdomain:dbus send_msg;
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@ -536,7 +536,7 @@ index 058d908..2f6c3a9 100644
 +')
 +
 diff --git a/abrt.te b/abrt.te
-index eb50f07..5508cee 100644
+index eb50f07..cfd3aa9 100644
 --- a/abrt.te
 +++ b/abrt.te
@@ -6,11 +6,10 @@ policy_module(abrt, 1.4.1)
@ -731,7 +731,7 @@ index eb50f07..5508cee 100644
 dev_getattr_all_chr_files(abrt_t)
 dev_getattr_all_blk_files(abrt_t)
-@@ -176,29 +189,40 @@ files_getattr_all_files(abrt_t)
+@@ -176,29 +189,42 @@ files_getattr_all_files(abrt_t)
 files_read_config_files(abrt_t)
 files_read_etc_runtime_files(abrt_t)
 files_read_var_symlinks(abrt_t)
@ -756,14 +756,16 @@ index eb50f07..5508cee 100644
 fs_read_nfs_symlinks(abrt_t)
 fs_search_all(abrt_t)
-+logging_read_generic_logs(abrt_t)
+-auth_use_nsswitch(abrt_t)
 +storage_dontaudit_read_fixed_disk(abrt_t)
 logging_read_generic_logs(abrt_t)
 +logging_send_syslog_msg(abrt_t)
 +logging_stream_connect_syslog(abrt_t)
 +logging_read_syslog_pid(abrt_t)
 +
- auth_use_nsswitch(abrt_t)
+auth_use_nsswitch(abrt_t)
- 
+
 -logging_read_generic_logs(abrt_t)
 +init_read_utmp(abrt_t)
 +miscfiles_read_generic_certs(abrt_t)
@ -775,7 +777,7 @@ index eb50f07..5508cee 100644
 tunable_policy(`abrt_anon_write',`
 	miscfiles_manage_public_files(abrt_t)
-@@ -206,15 +230,11 @@ tunable_policy(`abrt_anon_write',`
+@@ -206,15 +232,11 @@ tunable_policy(`abrt_anon_write',`
 optional_policy(`
 	apache_list_modules(abrt_t)
@ -792,7 +794,7 @@ index eb50f07..5508cee 100644
 ')
 optional_policy(`
-@@ -222,6 +242,20 @@ optional_policy(`
+@@ -222,6 +244,20 @@ optional_policy(`
 ')
 optional_policy(`
@ -813,7 +815,7 @@ index eb50f07..5508cee 100644
 	policykit_domtrans_auth(abrt_t)
 	policykit_read_lib(abrt_t)
 	policykit_read_reload(abrt_t)
-@@ -234,6 +268,11 @@ optional_policy(`
+@@ -234,6 +270,11 @@ optional_policy(`
 ')
 optional_policy(`
@ -825,7 +827,7 @@ index eb50f07..5508cee 100644
 	rpm_exec(abrt_t)
 	rpm_dontaudit_manage_db(abrt_t)
 	rpm_manage_cache(abrt_t)
-@@ -243,6 +282,7 @@ optional_policy(`
+@@ -243,6 +284,7 @@ optional_policy(`
 	rpm_signull(abrt_t)
 ')
@ -833,7 +835,7 @@ index eb50f07..5508cee 100644
 optional_policy(`
 	sendmail_domtrans(abrt_t)
 ')
-@@ -253,9 +293,17 @@ optional_policy(`
+@@ -253,9 +295,17 @@ optional_policy(`
 	sosreport_delete_tmp_files(abrt_t)
 ')
@ -852,7 +854,7 @@ index eb50f07..5508cee 100644
 #
 allow abrt_handle_event_t self:fifo_file rw_fifo_file_perms;
-@@ -266,9 +314,13 @@ tunable_policy(`abrt_handle_event',`
+@@ -266,9 +316,13 @@ tunable_policy(`abrt_handle_event',`
 	can_exec(abrt_t, abrt_handle_event_exec_t)
 ')
@ -867,7 +869,7 @@ index eb50f07..5508cee 100644
 #
 allow abrt_helper_t self:capability { chown setgid sys_nice };
-@@ -281,6 +333,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
+@@ -281,6 +335,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
 manage_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
 manage_lnk_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
 files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir })
@ -875,7 +877,7 @@ index eb50f07..5508cee 100644
 read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
 read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
-@@ -289,15 +342,20 @@ corecmd_read_all_executables(abrt_helper_t)
+@@ -289,15 +344,20 @@ corecmd_read_all_executables(abrt_helper_t)
 domain_read_all_domains_state(abrt_helper_t)
@ -896,7 +898,7 @@ index eb50f07..5508cee 100644
 	userdom_dontaudit_read_user_home_content_files(abrt_helper_t)
 	userdom_dontaudit_read_user_tmp_files(abrt_helper_t)
 	dev_dontaudit_read_all_blk_files(abrt_helper_t)
-@@ -305,11 +363,25 @@ ifdef(`hide_broken_symptoms',`
+@@ -305,11 +365,25 @@ ifdef(`hide_broken_symptoms',`
 	dev_dontaudit_write_all_chr_files(abrt_helper_t)
 	dev_dontaudit_write_all_blk_files(abrt_helper_t)
 	fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t)
@ -923,7 +925,7 @@ index eb50f07..5508cee 100644
 #
 allow abrt_retrace_coredump_t self:fifo_file rw_fifo_file_perms;
-@@ -327,10 +399,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t)
+@@ -327,10 +401,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t)
 dev_read_urand(abrt_retrace_coredump_t)
@ -937,7 +939,7 @@ index eb50f07..5508cee 100644
 optional_policy(`
 	rpm_exec(abrt_retrace_coredump_t)
 	rpm_dontaudit_manage_db(abrt_retrace_coredump_t)
-@@ -343,10 +417,11 @@ optional_policy(`
+@@ -343,10 +419,11 @@ optional_policy(`
 #######################################
 #
@ -951,7 +953,7 @@ index eb50f07..5508cee 100644
 allow abrt_retrace_worker_t self:fifo_file rw_fifo_file_perms;
 domtrans_pattern(abrt_retrace_worker_t, abrt_retrace_coredump_exec_t, abrt_retrace_coredump_t)
-@@ -365,38 +440,48 @@ corecmd_exec_shell(abrt_retrace_worker_t)
+@@ -365,38 +442,48 @@ corecmd_exec_shell(abrt_retrace_worker_t)
 dev_read_urand(abrt_retrace_worker_t)
@ -1003,7 +1005,7 @@ index eb50f07..5508cee 100644
 #######################################
 #
-@@ -404,7 +489,7 @@ logging_read_generic_logs(abrt_dump_oops_t)
+@@ -404,7 +491,7 @@ logging_read_generic_logs(abrt_dump_oops_t)
 #
 allow abrt_watch_log_t self:fifo_file rw_fifo_file_perms;
@ -1012,7 +1014,7 @@ index eb50f07..5508cee 100644
 read_files_pattern(abrt_watch_log_t, abrt_etc_t, abrt_etc_t)
-@@ -413,16 +498,42 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t)
+@@ -413,16 +500,42 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t)
 corecmd_exec_bin(abrt_watch_log_t)
 logging_read_all_logs(abrt_watch_log_t)
@ -1056,7 +1058,7 @@ index eb50f07..5508cee 100644
 ')
 #######################################
-@@ -430,10 +541,7 @@ tunable_policy(`abrt_upload_watch_anon_write',`
+@@ -430,10 +543,7 @@ tunable_policy(`abrt_upload_watch_anon_write',`
 # Global local policy
 #
@ -7969,7 +7971,7 @@ index 2077053..198a02a 100644
 	domain_system_change_exemption($1)
 	role_transition $2 asterisk_initrc_exec_t system_r;
 diff --git a/asterisk.te b/asterisk.te
-index 7e41350..1076937 100644
+index 7e41350..e8e1672 100644
 --- a/asterisk.te
 +++ b/asterisk.te
@@ -19,7 +19,7 @@ type asterisk_log_t;
@ -8003,7 +8005,15 @@ index 7e41350..1076937 100644
 corenet_all_recvfrom_netlabel(asterisk_t)
 corenet_tcp_sendrecv_generic_if(asterisk_t)
 corenet_udp_sendrecv_generic_if(asterisk_t)
-@@ -136,7 +135,6 @@ dev_read_urand(asterisk_t)
+@@ -126,6 +125,7 @@ corenet_tcp_connect_pktcable_cops_port(asterisk_t)
 corenet_sendrecv_sip_client_packets(asterisk_t)
 corenet_tcp_connect_sip_port(asterisk_t)
 +corenet_tcp_connect_http_port(asterisk_t)
 dev_rw_generic_usb_dev(asterisk_t)
 dev_read_sysfs(asterisk_t)
@@ -136,7 +136,6 @@ dev_read_urand(asterisk_t)
 domain_use_interactive_fds(asterisk_t)
@ -8011,7 +8021,7 @@ index 7e41350..1076937 100644
 files_search_spool(asterisk_t)
 files_dontaudit_search_home(asterisk_t)
-@@ -150,8 +148,6 @@ auth_use_nsswitch(asterisk_t)
+@@ -150,8 +149,6 @@ auth_use_nsswitch(asterisk_t)
 logging_search_logs(asterisk_t)
 logging_send_syslog_msg(asterisk_t)
@ -28277,10 +28287,10 @@ index 0000000..04e159f
 +')
 diff --git a/gear.te b/gear.te
 new file mode 100644
-index 0000000..781c76d
+index 0000000..cb68ca9
 --- /dev/null
 +++ b/gear.te
-@@ -0,0 +1,122 @@
+@@ -0,0 +1,125 @@
 +policy_module(gear, 1.0.0)
 +
 +########################################
@ -28315,6 +28325,8 @@ index 0000000..781c76d
 +allow gear_t self:unix_stream_socket create_stream_socket_perms;
 +allow gear_t self:tcp_socket create_stream_socket_perms;
 +
 +allow gear_t gear_unit_file_t:dir { relabelfrom relabelto };
 +
 +manage_dirs_pattern(gear_t, gear_log_t, gear_log_t)
 +manage_files_pattern(gear_t, gear_log_t, gear_log_t)
 +manage_lnk_files_pattern(gear_t, gear_log_t, gear_log_t)
@ -28328,6 +28340,7 @@ index 0000000..781c76d
 +manage_files_pattern(gear_t, gear_var_lib_t, gear_var_lib_t)
 +manage_lnk_files_pattern(gear_t, gear_var_lib_t, gear_var_lib_t)
 +files_var_lib_filetrans(gear_t, gear_var_lib_t, { dir file lnk_file })
 +allow gear_t gear_var_lib_t:dir { relabelfrom relabelto };
 +
 +manage_dirs_pattern(gear_t, gear_var_run_t, gear_var_run_t)
 +manage_files_pattern(gear_t, gear_var_run_t, gear_var_run_t)
@ -45714,7 +45727,7 @@ index 6194b80..cafb2b0 100644
 ')
 +
 diff --git a/mozilla.te b/mozilla.te
-index 11ac8e4..633063d 100644
+index 11ac8e4..fb431ea 100644
 --- a/mozilla.te
 +++ b/mozilla.te
@@ -6,17 +6,41 @@ policy_module(mozilla, 2.8.0)
@ -46152,7 +46165,7 @@ index 11ac8e4..633063d 100644
 ')
 optional_policy(`
-@@ -300,259 +324,252 @@ optional_policy(`
+@@ -300,259 +324,253 @@ optional_policy(`
 ########################################
 #
@ -46474,6 +46487,7 @@ index 11ac8e4..633063d 100644
 -	allow mozilla_plugin_t self:process { execmem execstack };
 +optional_policy(`
 +	alsa_read_rw_config(mozilla_plugin_t)
 +	alsa_read_rw_config(mozilla_plugin_config_t)
 +	alsa_read_home_files(mozilla_plugin_t)
 ')
@ -46551,7 +46565,7 @@ index 11ac8e4..633063d 100644
 ')
 optional_policy(`
-@@ -560,7 +577,11 @@ optional_policy(`
+@@ -560,7 +578,11 @@ optional_policy(`
 ')
 optional_policy(`
@ -46564,7 +46578,7 @@ index 11ac8e4..633063d 100644
 ')
 optional_policy(`
-@@ -568,108 +589,131 @@ optional_policy(`
+@@ -568,108 +590,131 @@ optional_policy(`
 ')
 optional_policy(`
@ -48305,7 +48319,7 @@ index ed81cac..8f217ea 100644
 +	mta_filetrans_admin_home_content($1)
 +')
 diff --git a/mta.te b/mta.te
-index ff1d68c..0c688c5 100644
+index ff1d68c..4cf1204 100644
 --- a/mta.te
 +++ b/mta.te
@@ -14,8 +14,6 @@ attribute mailserver_sender;
@ -48532,7 +48546,7 @@ index ff1d68c..0c688c5 100644
 ')
 optional_policy(`
-@@ -258,10 +282,15 @@ optional_policy(`
+@@ -258,10 +282,16 @@ optional_policy(`
 ')
 optional_policy(`
@ -48542,13 +48556,14 @@ index ff1d68c..0c688c5 100644
 optional_policy(`
 +	munin_dontaudit_leaks(system_mail_t)
 +	munin_append_var_lib_files(system_mail_t)
 +')
 +
 +optional_policy(`
 	nagios_read_tmp_files(system_mail_t)
 ')
-@@ -272,6 +301,19 @@ optional_policy(`
+@@ -272,6 +302,19 @@ optional_policy(`
 	manage_fifo_files_pattern(system_mail_t, etc_aliases_t, etc_aliases_t)
 	manage_sock_files_pattern(system_mail_t, etc_aliases_t, etc_aliases_t)
 	files_etc_filetrans(system_mail_t, etc_aliases_t, { file lnk_file sock_file fifo_file })
@ -48568,7 +48583,7 @@ index ff1d68c..0c688c5 100644
 ')
 optional_policy(`
-@@ -287,42 +329,36 @@ optional_policy(`
+@@ -287,42 +330,36 @@ optional_policy(`
 ')
 optional_policy(`
@ -48621,7 +48636,7 @@ index ff1d68c..0c688c5 100644
 allow mailserver_delivery mail_spool_t:dir list_dir_perms;
 create_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
-@@ -331,40 +367,26 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
+@@ -331,40 +368,26 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
 create_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
 read_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
@ -48670,7 +48685,7 @@ index ff1d68c..0c688c5 100644
 	files_search_var_lib(mailserver_delivery)
 	mailman_domtrans(mailserver_delivery)
-@@ -372,6 +394,17 @@ optional_policy(`
+@@ -372,6 +395,17 @@ optional_policy(`
 ')
 optional_policy(`
@ -48688,7 +48703,7 @@ index ff1d68c..0c688c5 100644
 	postfix_rw_inherited_master_pipes(mailserver_delivery)
 ')
-@@ -381,24 +414,49 @@ optional_policy(`
+@@ -381,24 +415,49 @@ optional_policy(`
 ########################################
 #
@ -48875,7 +48890,7 @@ index eb4b72a..af28bb5 100644
 +/var/www/html/cgi/munin.*       	gen_context(system_u:object_r:munin_script_exec_t,s0)
 +/var/www/cgi-bin/munin.*		gen_context(system_u:object_r:munin_script_exec_t,s0)
 diff --git a/munin.if b/munin.if
-index b744fe3..900d083 100644
+index b744fe3..50c386e 100644
 --- a/munin.if
 +++ b/munin.if
@@ -1,12 +1,13 @@
@ -48946,7 +48961,7 @@ index b744fe3..900d083 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -80,15 +84,53 @@ interface(`munin_read_config',`
+@@ -80,15 +84,73 @@ interface(`munin_read_config',`
 		type munin_etc_t;
 	')
@ -48978,6 +48993,26 @@ index b744fe3..900d083 100644
 +
 +')
 +
 +#######################################
 +## <summary>
 +##	Append munin library files.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
 +interface(`munin_append_var_lib_files',`
 +	gen_require(`
 +		type munin_var_lib_t;
 +	')
 +
 +	files_search_var_lib($1)	
 +	append_files_pattern($1, munin_var_lib_t, munin_var_lib_t)
 +
 +')
 +
 +######################################
 +## <summary>
 +##	dontaudit read and write an leaked file descriptors
@ -49002,7 +49037,7 @@ index b744fe3..900d083 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -147,8 +189,8 @@ interface(`munin_dontaudit_search_lib',`
+@@ -147,8 +209,8 @@ interface(`munin_dontaudit_search_lib',`
 ########################################
 ## <summary>
@ -49013,7 +49048,7 @@ index b744fe3..900d083 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -157,7 +199,7 @@ interface(`munin_dontaudit_search_lib',`
+@@ -157,7 +219,7 @@ interface(`munin_dontaudit_search_lib',`
 ## </param>
 ## <param name="role">
 ##	<summary>
@ -49022,7 +49057,7 @@ index b744fe3..900d083 100644
 ##	</summary>
 ## </param>
 ## <rolecap/>
-@@ -167,11 +209,15 @@ interface(`munin_admin',`
+@@ -167,11 +229,15 @@ interface(`munin_admin',`
 		attribute munin_plugin_domain, munin_plugin_tmp_content;
 		type munin_t, munin_etc_t, munin_tmp_t;
 		type munin_log_t, munin_var_lib_t, munin_var_run_t;
@ -49041,7 +49076,7 @@ index b744fe3..900d083 100644
 	init_labeled_script_domtrans($1, munin_initrc_exec_t)
 	domain_system_change_exemption($1)
-@@ -193,5 +239,5 @@ interface(`munin_admin',`
+@@ -193,5 +259,5 @@ interface(`munin_admin',`
 	files_list_pids($1)
 	admin_pattern($1, munin_var_run_t)
@ -53135,10 +53170,10 @@ index 0000000..28936b4
 +')
 diff --git a/nova.te b/nova.te
 new file mode 100644
-index 0000000..f691a30
+index 0000000..2c40c73
 --- /dev/null
 +++ b/nova.te
-@@ -0,0 +1,310 @@
+@@ -0,0 +1,314 @@
 +policy_module(nova, 1.0.0)
 +
 +########################################
@ -53271,6 +53306,10 @@ index 0000000..f691a30
 +	ssh_exec_keygen(nova_api_t)
 +')
 +
 +optional_policy(`
 +    gnome_dontaudit_search_config(nova_api_t)
 +')
 +
 +#optional_policy(`
 +#	unconfined_domain(nova_api_t)
 +#')
@ -59379,10 +59418,10 @@ index 0000000..42ed4ba
 +')
 diff --git a/openwsman.te b/openwsman.te
 new file mode 100644
-index 0000000..a0161d5
+index 0000000..3bcd32c
 --- /dev/null
 +++ b/openwsman.te
-@@ -0,0 +1,56 @@
+@@ -0,0 +1,74 @@
 +policy_module(openwsman, 1.0.0)
 +
 +########################################
@ -59397,6 +59436,9 @@ index 0000000..a0161d5
 +type openwsman_tmp_t;
 +files_tmp_file(openwsman_tmp_t)
 +
 +type openwsman_tmpfs_t;
 +files_tmpfs_file(openwsman_tmpfs_t)
 +
 +type openwsman_log_t;
 +logging_log_file(openwsman_log_t)
 +
@ -59422,6 +59464,10 @@ index 0000000..a0161d5
 +manage_dirs_pattern(openwsman_t, openwsman_tmp_t, openwsman_tmp_t)
 +files_tmp_filetrans(openwsman_t, openwsman_tmp_t, { dir file })
 +
 +manage_files_pattern(openwsman_t, openwsman_tmpfs_t, openwsman_tmpfs_t)
 +manage_dirs_pattern(openwsman_t, openwsman_tmpfs_t, openwsman_tmpfs_t)
 +fs_tmpfs_filetrans(openwsman_t, openwsman_tmpfs_t, { dir file })
 +
 +manage_files_pattern(openwsman_t, openwsman_log_t, openwsman_log_t)
 +logging_log_filetrans(openwsman_t, openwsman_log_t, { file })
 +
@ -59433,12 +59479,23 @@ index 0000000..a0161d5
 +
 +corenet_tcp_connect_pegasus_https_port(openwsman_t)
 +corenet_tcp_bind_vnc_port(openwsman_t)
 +corenet_tcp_bind_http_port(openwsman_t)
 +
 +dev_read_urand(openwsman_t)
 +
 +logging_send_syslog_msg(openwsman_t)
 +logging_send_audit_msgs(openwsman_t)
 +
 +optional_policy(`
 +    sblim_stream_connect_sfcbd(openwsman_t)
 +    sblim_rw_semaphores_sfcbd(openwsman_t)
 +    sblim_getattr_exec_sfcbd(openwsman_t)
 +')
 +
 +optional_policy(`
 +    unconfined_domain(openwsman_t)
 +')
 +
 diff --git a/oracleasm.fc b/oracleasm.fc
 new file mode 100644
 index 0000000..80fb8c3
@ -73632,10 +73689,10 @@ index afc0068..3105104 100644
 +	')
 ')
 diff --git a/quantum.te b/quantum.te
-index 8644d8b..9494e23 100644
+index 8644d8b..4398f8e 100644
 --- a/quantum.te
 +++ b/quantum.te
-@@ -5,92 +5,136 @@ policy_module(quantum, 1.1.0)
+@@ -5,92 +5,137 @@ policy_module(quantum, 1.1.0)
 # Declarations
 #
@ -73699,7 +73756,8 @@ index 8644d8b..9494e23 100644
 +logging_log_filetrans(neutron_t, neutron_log_t, dir)
 +
 +manage_files_pattern(neutron_t, neutron_tmp_t, neutron_tmp_t)
-+files_tmp_filetrans(neutron_t, neutron_tmp_t, file)
+manage_dirs_pattern(neutron_t, neutron_tmp_t, neutron_tmp_t)
 +files_tmp_filetrans(neutron_t, neutron_tmp_t, { file dir })
 -manage_dirs_pattern(quantum_t, quantum_log_t, quantum_log_t)
 -append_files_pattern(quantum_t, quantum_log_t, quantum_log_t)
@ -82908,7 +82966,7 @@ index f1140ef..642e062 100644
 +	files_pid_filetrans($1, rsync_var_run_t, file, "rsyncd.lock")
 ')
 diff --git a/rsync.te b/rsync.te
-index abeb302..61b21d2 100644
+index abeb302..7c1f218 100644
 --- a/rsync.te
 +++ b/rsync.te
@@ -6,67 +6,45 @@ policy_module(rsync, 1.13.0)
@ -83029,7 +83087,7 @@ index abeb302..61b21d2 100644
 logging_log_filetrans(rsync_t, rsync_log_t, file)
 manage_dirs_pattern(rsync_t, rsync_tmp_t, rsync_tmp_t)
-@@ -108,91 +96,78 @@ kernel_read_kernel_sysctls(rsync_t)
+@@ -108,91 +96,80 @@ kernel_read_kernel_sysctls(rsync_t)
 kernel_read_system_state(rsync_t)
 kernel_read_network_state(rsync_t)
@ -83155,6 +83213,8 @@ index abeb302..61b21d2 100644
 optional_policy(`
 -	inetd_service_domain(rsync_t, rsync_exec_t)
 +	swift_manage_data_files(rsync_t)
 +    swift_manage_lock(rsync_t)
 +    swift_filetrans_named_lock(rsync_t)
 ')
 diff --git a/rtas.fc b/rtas.fc
 new file mode 100644
@ -87331,7 +87391,7 @@ index 68a550d..e976fc6 100644
 /var/run/gather(/.*)?	gen_context(system_u:object_r:sblim_var_run_t,s0)
 diff --git a/sblim.if b/sblim.if
-index 98c9e0a..d4aa009 100644
+index 98c9e0a..562666e 100644
 --- a/sblim.if
 +++ b/sblim.if
@@ -1,8 +1,36 @@
@ -87382,21 +87442,19 @@ index 98c9e0a..d4aa009 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -40,34 +68,51 @@ interface(`sblim_read_pid_files',`
+@@ -40,34 +68,129 @@ interface(`sblim_read_pid_files',`
 ########################################
 ## <summary>
 -##	All of the rules required to
 -##	administrate an sblim environment.
 +##	Transition to sblim named content
- ## </summary>
+## </summary>
- ## <param name="domain">
+## <param name="domain">
- ##	<summary>
+##	<summary>
 -##	Domain allowed access.
 +##      Domain allowed access.
- ##	</summary>
+##	</summary>
- ## </param>
+## </param>
 -## <param name="role">
 +#
 +interface(`sblim_filetrans_named_content',`
 +	gen_require(`
@ -87408,12 +87466,91 @@ index 98c9e0a..d4aa009 100644
 +
 +########################################
 +## <summary>
-+##	All of the rules required to administrate
+##	Connect to sblim_sfcb over a unix stream socket.
-+##	an gatherd environment
+ ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 -## <param name="role">
 +#
 +interface(`sblim_stream_connect_sfcbd',`
 +	gen_require(`
 +		type sblim_sfcb_t, sblim_var_lib_t;
 +        type sblim_tmp_t;
 +	')
 +
 +	files_search_pids($1)
 +	stream_connect_pattern($1, sblim_var_lib_t, sblim_var_lib_t, sblim_sfcb_t)
 +	stream_connect_pattern($1, sblim_var_lib_t, sblim_tmp_t, sblim_tmp_t)
 +')
 +
 +#######################################
 +## <summary>
 +##  Getattr on sblim executable.
 +## </summary>
 +## <param name="domain">
 +##  <summary>
 +##  Domain allowed to transition.
 +##  </summary>
 +## </param>
 +#
 +interface(`sblim_getattr_exec_sfcbd',`
 +    gen_require(`
 +        type sblim_sfcbd_exec_t;
 +    ')
 +
 +	allow $1 sblim_sfcbd_exec_t:file getattr;
 +')
 +
 +
 +########################################
 +## <summary>
 +##	Connect to sblim_sfcb over a unix stream socket.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
 +interface(`sblim_stream_connect_sfcb',`
 +	gen_require(`
 +		type sblim_sfcb_t, sblim_var_lib_t;
 +	')
 +
 +	files_search_pids($1)
 +	stream_connect_pattern($1, sblim_var_lib_t, sblim_var_lib_t, sblim_sfcb_t)
 +')
 +
 +#######################################
 +## <summary>
 +##	Allow read and write access to sblim semaphores.
 +## </summary>
 +## <param name="domain">
 ##	<summary>
 -##	Role allowed access.
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
 +interface(`sblim_rw_semaphores_sfcbd',`
 +	gen_require(`
 +		type sblim_sfcbd_t;
 +	')
 +
 +	allow $1 sblim_sfcbd_t:sem rw_sem_perms;
 +')
 +
 +
 +########################################
 +## <summary>
 +##	All of the rules required to administrate
 +##	an gatherd environment
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 ##	</summary>
 ## </param>
@ -87448,7 +87585,7 @@ index 98c9e0a..d4aa009 100644
 	files_search_pids($1)
 	admin_pattern($1, sblim_var_run_t)
 diff --git a/sblim.te b/sblim.te
-index 299756b..99eda9b 100644
+index 299756b..1edabdf 100644
 --- a/sblim.te
 +++ b/sblim.te
@@ -7,13 +7,11 @@ policy_module(sblim, 1.1.0)
@ -87554,7 +87691,7 @@ index 299756b..99eda9b 100644
 ')
 optional_policy(`
-@@ -117,6 +133,35 @@ optional_policy(`
+@@ -117,6 +133,43 @@ optional_policy(`
 # Reposd local policy
 #
@ -87586,11 +87723,19 @@ index 299756b..99eda9b 100644
 +corenet_tcp_bind_pegasus_https_port(sblim_sfcbd_t)
 +corenet_tcp_connect_pegasus_https_port(sblim_sfcbd_t)
 +
 +corecmd_exec_shell(sblim_sfcbd_t)
 +corecmd_exec_bin(sblim_sfcbd_t)
 +
 +dev_read_rand(sblim_sfcbd_t)
 +dev_read_urand(sblim_sfcbd_t)
 +
 +domain_read_all_domains_state(sblim_sfcbd_t)
 +domain_use_interactive_fds(sblim_sfcbd_t)
 +
 +optional_policy(`
 +    rpm_exec(sblim_sfcbd_t)
 +    rpm_dontaudit_manage_db(sblim_sfcbd_t)
 +')
 diff --git a/screen.fc b/screen.fc
 index e7c2cf7..435aaa6 100644
 --- a/screen.fc
@ -94054,10 +94199,10 @@ index 49d688d..f07cc80 100644
 sysnet_dns_name_resolve(svnserve_t)
 diff --git a/swift.fc b/swift.fc
 new file mode 100644
-index 0000000..744f0ce
+index 0000000..a4ec18a
 --- /dev/null
 +++ b/swift.fc
-@@ -0,0 +1,29 @@
+@@ -0,0 +1,30 @@
 +/usr/bin/swift-account-auditor		--	gen_context(system_u:object_r:swift_exec_t,s0)
 +/usr/bin/swift-account-reaper		--	gen_context(system_u:object_r:swift_exec_t,s0)
 +/usr/bin/swift-account-replicator	--	gen_context(system_u:object_r:swift_exec_t,s0)
@ -94077,6 +94222,7 @@ index 0000000..744f0ce
 +
 +/usr/lib/systemd/system/openstack-swift.*      --  gen_context(system_u:object_r:swift_unit_file_t,s0)
 +
 +/var/lock/swift.*                   gen_context(system_u:object_r:swift_lock_t,s0)
 +/var/cache/swift(/.*)?			--	gen_context(system_u:object_r:swift_var_cache_t,s0)
 +/var/run/swift(/.*)?			--	gen_context(system_u:object_r:swift_var_run_t,s0)
 +
@ -94089,10 +94235,10 @@ index 0000000..744f0ce
 +')
 diff --git a/swift.if b/swift.if
 new file mode 100644
-index 0000000..df82c36
+index 0000000..6a1f575
 --- /dev/null
 +++ b/swift.if
-@@ -0,0 +1,118 @@
+@@ -0,0 +1,155 @@
 +
 +## <summary>policy for swift</summary>
 +
@ -94154,6 +94300,43 @@ index 0000000..df82c36
 +	manage_dirs_pattern($1, swift_data_t, swift_data_t)
 +')
 +
 +#####################################
 +## <summary>
 +##	Read and write swift lock files.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
 +interface(`swift_manage_lock',`
 +	gen_require(`
 +		type swift_lock_t;
 +	')
 +
 +	files_search_locks($1)
 +    manage_files_pattern($1, swift_lock_t, swift_lock_t)
 +')
 +
 +#######################################
 +## <summary>
 +##  Transition content labels to swift named content
 +## </summary>
 +## <param name="domain">
 +##  <summary>
 +##      Domain allowed access.
 +##  </summary>
 +## </param>
 +#
 +interface(`swift_filetrans_named_lock',`
 +    gen_require(`
 +        type swift_lock_t;
 +    ')
 +
 +    files_lock_filetrans($1, swift_lock_t, file, "swift_server.lock")
 +')
 +
 +########################################
 +## <summary>
 +##	Execute swift server in the swift domain.
@ -94213,10 +94396,10 @@ index 0000000..df82c36
 +')
 diff --git a/swift.te b/swift.te
 new file mode 100644
-index 0000000..159ae72
+index 0000000..9ee77b2
 --- /dev/null
 +++ b/swift.te
-@@ -0,0 +1,89 @@
+@@ -0,0 +1,97 @@
 +policy_module(swift, 1.0.0)
 +
 +########################################
@ -94228,6 +94411,9 @@ index 0000000..159ae72
 +type swift_exec_t;
 +init_daemon_domain(swift_t, swift_exec_t)
 +
 +type swift_lock_t;
 +files_lock_file(swift_lock_t)
 +
 +type swift_tmp_t;
 +files_tmp_file(swift_tmp_t)
 +
@ -94258,6 +94444,10 @@ index 0000000..159ae72
 +allow swift_t self:unix_stream_socket create_stream_socket_perms;
 +allow swift_t self:unix_dgram_socket create_socket_perms;
 +
 +manage_dirs_pattern(swift_t, swift_lock_t, swift_lock_t)
 +manage_files_pattern(swift_t, swift_lock_t, swift_lock_t)
 +files_lock_filetrans(swift_t, swift_lock_t, { dir file })
 +
 +manage_dirs_pattern(swift_t, swift_tmp_t, swift_tmp_t)
 +manage_files_pattern(swift_t, swift_tmp_t, swift_tmp_t)
 +files_tmp_filetrans(swift_t, swift_tmp_t, { dir file })
@ -94305,6 +94495,7 @@ index 0000000..159ae72
 +
 +optional_policy(`
 +    rpm_exec(swift_t)
 +    rpm_dontaudit_manage_db(swift_t)
 +')
 diff --git a/swift_alias.fc b/swift_alias.fc
 new file mode 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 53%{?dist}
+Release: 54%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -588,6 +588,31 @@ SELinux Reference policy mls base module.
 %endif
 %changelog
 * Tue May 20 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-54
 - geard seems to do a lot of relabeling
 - Allow system_mail_t to append to munin_var_lib_t
 - Allow mozilla_plugin to read alsa_rw_ content
 - Allow asterisk to connect to the apache ports
 - Dontaudit attempts to read fixed disk
 - Dontaudit search gconf_home_t
 - Allow rsync to create  swift_server.lock with swift.log labeling
 - Add labeling for swift lock files
 - Use swift_virt_lock in swift.te
 - Allow openwsman to getattr on sblim_sfcbd executable
 - Fix sblim_stream_connect_sfcb() to contain also sblim_tmp_t
 - Allow openwsman_t to read/write sblim-sfcb shared mem
 - Allow openwsman to stream connec to sblim-sfcbd
 - Allow openwsman to create tmpfs files/dirs
 - dontaudit acces to rpm db if rpm_exec for swift_t and sblim_sfcbd_t
 - Allow sblim_sfcbd to execute shell
 - Allow swift to create lock file
 - Allow openwsman to use tcp/80
 - Allow neutron to create also dirs in /tmp
 - Allow seunshare domains to getattr on all executables
 - Allow ssh-keygen to create temporary files/dirs needed by OpenStack
 - Allow named_filetrans_domain to create /run/netns
 - Allow ifconfig to create /run/netns
 * Tue May 13 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-53
 - Add missing dyntransition for sandbox_x_domain