Merge branch 'master' into xselinux

2009-12-03 10:13:41 -05:00 · 2009-12-03 10:13:41 -05:00 · e331a05c77
commit e331a05c77
parent 9448ca6e07 46b03739ac
102 changed files with 2152 additions and 189 deletions
--- a/5
+++ b/5
@ -1,6 +1,7 @@
 * Tue Nov 17 2009 Chris PeBenito <selinux@tresys.com> - 2.20091117
 - Add separate x_pointer and x_keyboard classes inheriting from x_device. 
  From Eamon Walsh.
- Deprecated the userdom_xwindwos_client_template().
+- Deprecated the userdom_xwindows_client_template().
 - Misc Gentoo fixes from Corentin Labbe.
 - Debian policykit fixes from Martin Orr.
 - Fix unconfined_r use of unconfined_java_t.
@ -19,9 +20,11 @@
 	kdump (Dan Walsh)
 	modemmanager(Dan Walsh)
 	nslcd (Dan Walsh)
 	puppet (Craig Grube)
 	rtkit (Dan Walsh)
 	seunshare (Dan Walsh)
 	shorewall (Dan Walsh)
 	tgtd (Matthew Ife)
 	tuned (Miroslav Grepl)
 	xscreensaver (Corentin Labbe)
--- a/2
+++ b/2
@ -1 +1 @@
-2.20090730
+2.20091117
--- a/policy/flask/access_vectors
+++ b/policy/flask/access_vectors
@ -376,6 +376,7 @@ class system
 	syslog_read  
 	syslog_mod
 	syslog_console
 	module_request
 }
 #
--- a/policy/modules/admin/certwatch.te
+++ b/policy/modules/admin/certwatch.te
@ -1,5 +1,5 @@
-policy_module(certwatch, 1.4.1)
+policy_module(certwatch, 1.5.0)
 ########################################
 #
--- a/policy/modules/admin/kismet.fc
+++ b/policy/modules/admin/kismet.fc
@ -1,3 +1,5 @@
 HOME_DIR/\.kismet(/.*)?			gen_context(system_u:object_r:kismet_home_t,s0)
 /usr/bin/kismet			--	gen_context(system_u:object_r:kismet_exec_t,s0)
 /var/lib/kismet(/.*)?			gen_context(system_u:object_r:kismet_var_lib_t,s0)
 /var/log/kismet(/.*)?			gen_context(system_u:object_r:kismet_log_t,s0)
--- a/policy/modules/admin/kismet.te
+++ b/policy/modules/admin/kismet.te
@ -1,5 +1,5 @@
-policy_module(kismet, 1.3.1)
+policy_module(kismet, 1.4.1)
 ########################################
 #
@ -11,6 +11,9 @@ type kismet_exec_t;
 application_domain(kismet_t, kismet_exec_t)
 role system_r types kismet_t;
 type kismet_home_t;
 userdom_user_home_content(kismet_home_t)
 type kismet_log_t;
 logging_log_file(kismet_log_t)
@ -39,6 +42,11 @@ allow kismet_t self:unix_dgram_socket { create_socket_perms sendto };
 allow kismet_t self:unix_stream_socket create_stream_socket_perms;
 allow kismet_t self:tcp_socket create_stream_socket_perms;
 manage_dirs_pattern(kismet_t, kismet_home_t, kismet_home_t)
 manage_files_pattern(kismet_t, kismet_home_t, kismet_home_t)
 manage_lnk_files_pattern(kismet_t, kismet_home_t, kismet_home_t)
 userdom_user_home_dir_filetrans(kismet_t, kismet_home_t, { file dir })
 manage_files_pattern(kismet_t, kismet_log_t, kismet_log_t)
 allow kismet_t kismet_log_t:dir setattr;
 logging_log_filetrans(kismet_t, kismet_log_t, { file dir })
--- a/policy/modules/admin/mrtg.te
+++ b/policy/modules/admin/mrtg.te
@ -1,5 +1,5 @@
-policy_module(mrtg, 1.7.1)
+policy_module(mrtg, 1.8.0)
 ########################################
 #
--- a/policy/modules/admin/portage.te
+++ b/policy/modules/admin/portage.te
@ -1,5 +1,5 @@
-policy_module(portage, 1.8.1)
+policy_module(portage, 1.9.0)
 ########################################
 #
--- a/policy/modules/admin/prelink.te
+++ b/policy/modules/admin/prelink.te
@ -1,5 +1,5 @@
-policy_module(prelink, 1.7.1)
+policy_module(prelink, 1.8.0)
 ########################################
 #
--- a/policy/modules/admin/readahead.te
+++ b/policy/modules/admin/readahead.te
@ -1,5 +1,5 @@
-policy_module(readahead, 1.9.1)
+policy_module(readahead, 1.10.0)
 ########################################
 #
--- a/policy/modules/admin/tzdata.te
+++ b/policy/modules/admin/tzdata.te
@ -19,6 +19,8 @@ application_domain(tzdata_t, tzdata_exec_t)
 files_read_etc_files(tzdata_t)
 files_search_spool(tzdata_t)
 fs_getattr_xattr_fs(tzdata_t)
 term_dontaudit_list_ptys(tzdata_t)
 locallogin_dontaudit_use_fds(tzdata_t)
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
@ -1,5 +1,5 @@
-policy_module(usermanage, 1.13.1)
+policy_module(usermanage, 1.14.0)
 ########################################
 #
@ -242,6 +242,10 @@ optional_policy(`
 	nscd_domtrans(groupadd_t)
 ')
 optional_policy(`
 	puppet_rw_tmp(groupadd_t)
 ')
 optional_policy(`
 	rpm_use_fds(groupadd_t)
 	rpm_rw_pipes(groupadd_t)
@ -520,6 +524,10 @@ optional_policy(`
 	nscd_domtrans(useradd_t)
 ')
 optional_policy(`
 	puppet_rw_tmp(useradd_t)
 ')
 optional_policy(`
 	rpm_use_fds(useradd_t)
 	rpm_rw_pipes(useradd_t)
--- a/policy/modules/admin/vpn.te
+++ b/policy/modules/admin/vpn.te
@ -1,5 +1,5 @@
-policy_module(vpn, 1.11.1)
+policy_module(vpn, 1.12.0)
 ########################################
 #
--- a/policy/modules/apps/awstats.te
+++ b/policy/modules/apps/awstats.te
@ -1,5 +1,5 @@
-policy_module(awstats, 1.1.1)
+policy_module(awstats, 1.2.0)
 ########################################
 #
--- a/policy/modules/apps/calamaris.te
+++ b/policy/modules/apps/calamaris.te
@ -1,5 +1,5 @@
-policy_module(calamaris, 1.5.0)
+policy_module(calamaris, 1.5.1)
 ########################################
 #
@ -59,12 +59,12 @@ files_read_etc_runtime_files(calamaris_t)
 libs_read_lib_files(calamaris_t)
 auth_use_nsswitch(calamaris_t)
 logging_send_syslog_msg(calamaris_t)
 miscfiles_read_localization(calamaris_t)
 sysnet_read_config(calamaris_t)
 userdom_dontaudit_list_user_home_dirs(calamaris_t)
 squid_read_log(calamaris_t)
@ -80,7 +80,3 @@ optional_policy(`
 optional_policy(`
 	mta_send_mail(calamaris_t)
 ')
 optional_policy(`
 	nis_use_ypbind(calamaris_t)
 ')
--- a/policy/modules/apps/cdrecord.te
+++ b/policy/modules/apps/cdrecord.te
@ -1,5 +1,5 @@
-policy_module(cdrecord, 2.1.1)
+policy_module(cdrecord, 2.2.0)
 ########################################
 #
--- a/policy/modules/apps/cpufreqselector.te
+++ b/policy/modules/apps/cpufreqselector.te
@ -1,5 +1,5 @@
-policy_module(cpufreqselector, 1.0.1)
+policy_module(cpufreqselector, 1.1.0)
 ########################################
 #
--- a/policy/modules/apps/gpg.te
+++ b/policy/modules/apps/gpg.te
@ -1,5 +1,5 @@
-policy_module(gpg, 2.1.1)
+policy_module(gpg, 2.2.1)
 ########################################
 #
@ -104,11 +104,36 @@ files_dontaudit_search_var(gpg_t)
 auth_use_nsswitch(gpg_t)
 miscfiles_read_localization(gpg_t)
 logging_send_syslog_msg(gpg_t)
 miscfiles_read_localization(gpg_t)
 userdom_use_user_terminals(gpg_t)
 # sign/encrypt user files
 userdom_manage_user_tmp_files(gpg_t)
 userdom_manage_user_home_content_files(gpg_t)
 mta_write_config(gpg_t)
 tunable_policy(`use_nfs_home_dirs',`
 	fs_manage_nfs_dirs(gpg_t)
 	fs_manage_nfs_files(gpg_t)
 ')
 tunable_policy(`use_samba_home_dirs',`
 	fs_manage_cifs_dirs(gpg_t)
 	fs_manage_cifs_files(gpg_t)
 ')
 optional_policy(`
 	xserver_use_xdm_fds(gpg_t)
 	xserver_rw_xdm_pipes(gpg_t)
 ')
 optional_policy(`
 	cron_system_entry(gpg_t, gpg_exec_t)
 	cron_read_system_job_tmp_files(gpg_t)
 ')
 ########################################
 #
@ -146,23 +171,13 @@ files_read_etc_files(gpg_helper_t)
 auth_use_nsswitch(gpg_helper_t)
 userdom_use_user_terminals(gpg_helper_t)
 # sign/encrypt user files
 userdom_manage_user_tmp_files(gpg_t)
 userdom_manage_user_home_content_files(gpg_t)
 tunable_policy(`use_nfs_home_dirs',`
-	fs_manage_nfs_dirs(gpg_t)
+	fs_dontaudit_rw_nfs_files(gpg_helper_t)
 	fs_manage_nfs_files(gpg_t)
 ')
 tunable_policy(`use_samba_home_dirs',`
-	fs_manage_cifs_dirs(gpg_t)
+	fs_dontaudit_rw_cifs_files(gpg_helper_t)
 	fs_manage_cifs_files(gpg_t)
 ')
 optional_policy(`
 	xserver_use_xdm_fds(gpg_t)
 	xserver_rw_xdm_pipes(gpg_t)
 ')
 ########################################
--- a/policy/modules/apps/java.te
+++ b/policy/modules/apps/java.te
@ -1,5 +1,5 @@
-policy_module(java, 2.1.1)
+policy_module(java, 2.2.0)
 ########################################
 #
--- a/policy/modules/apps/mozilla.if
+++ b/policy/modules/apps/mozilla.if
@ -45,6 +45,12 @@ interface(`mozilla_role',`
 	relabel_dirs_pattern($2, mozilla_home_t, mozilla_home_t)
 	relabel_files_pattern($2, mozilla_home_t, mozilla_home_t)
 	relabel_lnk_files_pattern($2, mozilla_home_t, mozilla_home_t)
 	mozilla_dbus_chat($2)
 	optional_policy(`
 		pulseaudio_role($1, mozilla_t)
 	')
 ')
 ########################################
@ -64,6 +70,7 @@ interface(`mozilla_read_user_home_files',`
 	allow $1 mozilla_home_t:dir list_dir_perms;
 	allow $1 mozilla_home_t:file read_file_perms;
 	allow $1 mozilla_home_t:lnk_file read_lnk_file_perms;
 	userdom_search_user_home_dirs($1)
 ')
@ -86,6 +93,43 @@ interface(`mozilla_write_user_home_files',`
 	userdom_search_user_home_dirs($1)
 ')
 ########################################
 ## <summary>
 ##	Dontaudit attempts to read/write mozilla home directory content
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`mozilla_dontaudit_rw_user_home_files',`
 	gen_require(`
 		type mozilla_home_t;
 	')
 	dontaudit $1 mozilla_home_t:file rw_file_perms;
 ')
 ########################################
 ## <summary>
 ##	Dontaudit attempts to write mozilla home directory content
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`mozilla_dontaudit_manage_user_home_files',`
 	gen_require(`
 		type mozilla_home_t;
 	')
 	dontaudit $1 mozilla_home_t:dir manage_dir_perms;
 	dontaudit $1 mozilla_home_t:file manage_file_perms;
 ')
 ########################################
 ## <summary>
 ##	Run mozilla in the mozilla domain.
--- a/policy/modules/apps/mozilla.te
+++ b/policy/modules/apps/mozilla.te
@ -1,5 +1,5 @@
-policy_module(mozilla, 2.1.0)
+policy_module(mozilla, 2.1.1)
 ########################################
 #
@ -59,6 +59,7 @@ manage_dirs_pattern(mozilla_t, mozilla_home_t, mozilla_home_t)
 manage_files_pattern(mozilla_t, mozilla_home_t, mozilla_home_t)
 manage_lnk_files_pattern(mozilla_t, mozilla_home_t, mozilla_home_t)
 userdom_search_user_home_dirs(mozilla_t)
 userdom_user_home_dir_filetrans(mozilla_t, mozilla_home_t, dir)
 # Mozpluggerrc
 allow mozilla_t mozilla_conf_t:file read_file_perms;
@ -97,6 +98,7 @@ corenet_tcp_connect_http_cache_port(mozilla_t)
 corenet_tcp_connect_ftp_port(mozilla_t)
 corenet_tcp_connect_ipp_port(mozilla_t)
 corenet_tcp_connect_generic_port(mozilla_t)
 corenet_tcp_connect_soundd_port(mozilla_t)
 corenet_sendrecv_http_client_packets(mozilla_t)
 corenet_sendrecv_http_cache_client_packets(mozilla_t)
 corenet_sendrecv_ftp_client_packets(mozilla_t)
@ -114,6 +116,8 @@ dev_read_sound(mozilla_t)
 dev_dontaudit_rw_dri(mozilla_t)
 dev_getattr_sysfs_dirs(mozilla_t)
 domain_dontaudit_read_all_domains_state(mozilla_t)
 files_read_etc_runtime_files(mozilla_t)
 files_read_usr_files(mozilla_t)
 files_read_etc_files(mozilla_t)
@ -231,6 +235,10 @@ optional_policy(`
 optional_policy(`
 	dbus_system_bus_client(mozilla_t)
 	dbus_session_bus_client(mozilla_t)
 	optional_policy(`
 		networkmanager_dbus_chat(mozilla_t)
 	')
 ')
 optional_policy(`
--- a/policy/modules/apps/podsleuth.te
+++ b/policy/modules/apps/podsleuth.te
@ -1,5 +1,5 @@
-policy_module(podsleuth, 1.2.0)
+policy_module(podsleuth, 1.2.1)
 ########################################
 #
@ -71,6 +71,8 @@ miscfiles_read_localization(podsleuth_t)
 sysnet_dns_name_resolve(podsleuth_t)
 userdom_signal_unpriv_users(podsleuth_t)
 optional_policy(`
 	dbus_system_bus_client(podsleuth_t)
--- a/policy/modules/apps/pulseaudio.te
+++ b/policy/modules/apps/pulseaudio.te
@ -1,5 +1,5 @@
-policy_module(pulseaudio, 1.0.1)
+policy_module(pulseaudio, 1.1.0)
 ########################################
 #
--- a/policy/modules/apps/qemu.te
+++ b/policy/modules/apps/qemu.te
@ -1,5 +1,5 @@
-policy_module(qemu, 1.2.1)
+policy_module(qemu, 1.3.0)
 ########################################
 #
--- a/policy/modules/apps/screen.if
+++ b/policy/modules/apps/screen.if
@ -80,6 +80,11 @@ template(`screen_role_template',`
 	relabel_files_pattern($3, screen_home_t, screen_home_t)
 	relabel_lnk_files_pattern($3, screen_home_t, screen_home_t)
 	manage_dirs_pattern($3, screen_var_run_t, screen_var_run_t)
 	manage_files_pattern($3, screen_var_run_t, screen_var_run_t)
 	manage_lnk_files_pattern($3, screen_var_run_t, screen_var_run_t)
 	manage_fifo_files_pattern($3, screen_var_run_t, screen_var_run_t)
 	kernel_read_system_state($1_screen_t)
 	kernel_read_kernel_sysctls($1_screen_t)
--- a/policy/modules/apps/screen.te
+++ b/policy/modules/apps/screen.te
@ -1,5 +1,5 @@
-policy_module(screen, 2.1.1)
+policy_module(screen, 2.2.1)
 ########################################
 #
--- a/policy/modules/apps/seunshare.if
+++ b/policy/modules/apps/seunshare.if
@ -41,6 +41,14 @@ interface(`seunshare_run',`
 	seunshare_domtrans($1)
 	role $2 types seunshare_t;
 	allow $1 seunshare_t:process signal_perms;
 	ifdef(`hide_broken_symptoms', `
 		dontaudit seunshare_t $1:tcp_socket rw_socket_perms;
 		dontaudit seunshare_t $1:udp_socket rw_socket_perms;
 		dontaudit seunshare_t $1:unix_stream_socket rw_socket_perms;
 	')
 ')
 ########################################
--- a/policy/modules/apps/seunshare.te
+++ b/policy/modules/apps/seunshare.te
@ -1,5 +1,5 @@
-policy_module(seunshare, 1.0.0)
+policy_module(seunshare, 1.0.1)
 ########################################
 #
@ -16,7 +16,7 @@ role system_r types seunshare_t;
 # seunshare local policy
 #
-allow seunshare_t self:capability setpcap;
+allow seunshare_t self:capability { setuid dac_override setpcap sys_admin };
 allow seunshare_t self:process { setexec signal getcap setcap };
 allow seunshare_t self:fifo_file rw_file_perms;
@ -30,6 +30,16 @@ files_mounton_all_poly_members(seunshare_t)
 auth_use_nsswitch(seunshare_t)
 logging_send_syslog_msg(seunshare_t)
 miscfiles_read_localization(seunshare_t)
 userdom_use_user_terminals(seunshare_t)
 ifdef(`hide_broken_symptoms', `
 	fs_dontaudit_rw_anon_inodefs_files(seunshare_t)
 	optional_policy(`
 		mozilla_dontaudit_manage_user_home_files(seunshare_t)
 	')
 ')
--- a/policy/modules/apps/vmware.te
+++ b/policy/modules/apps/vmware.te
@ -1,5 +1,5 @@
-policy_module(vmware, 2.1.1)
+policy_module(vmware, 2.2.0)
 ########################################
 #
--- a/policy/modules/apps/webalizer.te
+++ b/policy/modules/apps/webalizer.te
@ -1,5 +1,5 @@
-policy_module(webalizer, 1.9.1)
+policy_module(webalizer, 1.10.0)
 ########################################
 #
--- a/policy/modules/apps/wireshark.te
+++ b/policy/modules/apps/wireshark.te
@ -1,5 +1,5 @@
-policy_module(wireshark, 2.0.1)
+policy_module(wireshark, 2.1.0)
 ########################################
 #
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@ -54,6 +54,8 @@ ifdef(`distro_redhat',`
 /etc/cron.weekly/.*		--	gen_context(system_u:object_r:bin_t,s0)
 /etc/cron.monthly/.*		--	gen_context(system_u:object_r:bin_t,s0)
 /etc/dhcp/dhclient\.d(/.*)?		gen_context(system_u:object_r:bin_t,s0)
 /etc/hotplug/.*agent		--	gen_context(system_u:object_r:bin_t,s0)
 /etc/hotplug/.*rc		-- 	gen_context(system_u:object_r:bin_t,s0)
 /etc/hotplug/hotplug\.functions --	gen_context(system_u:object_r:bin_t,s0)
@ -123,8 +125,9 @@ ifdef(`distro_gentoo',`
 #
 /sbin				-d	gen_context(system_u:object_r:bin_t,s0)
 /sbin/.*				gen_context(system_u:object_r:bin_t,s0)
 /sbin/mkfs\.cramfs		--	gen_context(system_u:object_r:bin_t,s0)
 /sbin/insmod_ksymoops_clean	--	gen_context(system_u:object_r:bin_t,s0)
 /sbin/mkfs\.cramfs		--	gen_context(system_u:object_r:bin_t,s0)
 /sbin/nologin			--	gen_context(system_u:object_r:shell_exec_t,s0)
 #
 # /opt
@ -135,7 +138,6 @@ ifdef(`distro_gentoo',`
 /opt/(.*/)?sbin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
 /opt/real/RealPlayer/realplay(\.bin)?	gen_context(system_u:object_r:bin_t,s0)
 ifdef(`distro_gentoo',`
 /opt/RealPlayer/realplay(\.bin)?	gen_context(system_u:object_r:bin_t,s0)
 /opt/RealPlayer/postint(/.*)?		gen_context(system_u:object_r:bin_t,s0)
@ -211,6 +213,8 @@ ifdef(`distro_gentoo',`
 /usr/share/apr-0/build/[^/]+\.sh --	gen_context(system_u:object_r:bin_t,s0)
 /usr/share/apr-0/build/libtool --	gen_context(system_u:object_r:bin_t,s0)
 /usr/share/debconf/.+		--	gen_context(system_u:object_r:bin_t,s0)
 /usr/share/cluster/.*\.sh		gen_context(system_u:object_r:bin_t,s0)
 /usr/share/cluster/svclib_nfslock --	gen_context(system_u:object_r:bin_t,s0)
 /usr/share/gnucash/finance-quote-check -- gen_context(system_u:object_r:bin_t,s0)
 /usr/share/gnucash/finance-quote-helper -- gen_context(system_u:object_r:bin_t,s0)
 /usr/share/hal/device-manager/hal-device-manager -- gen_context(system_u:object_r:bin_t,s0)
@ -220,7 +224,10 @@ ifdef(`distro_gentoo',`
 /usr/share/printconf/util/print\.py --	gen_context(system_u:object_r:bin_t,s0)
 /usr/share/PackageKit/pk-upgrade-distro\.sh -- 	gen_context(system_u:object_r:bin_t,s0)
 /usr/share/PackageKit/helpers(/.*)?	gen_context(system_u:object_r:bin_t,s0)
 /usr/share/sandbox/sandboxX.sh	--	gen_context(system_u:object_r:bin_t,s0)
 /usr/share/sectool/.*\.py	--	gen_context(system_u:object_r:bin_t,s0)
 /usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0)
 /usr/share/smolt/client(/.*)?		gen_context(system_u:object_r:bin_t,s0)
 /usr/share/shorewall/configpath	--	gen_context(system_u:object_r:bin_t,s0)
 /usr/share/shorewall-perl(/.*)?		gen_context(system_u:object_r:bin_t,s0)
 /usr/share/shorewall-shell(/.*)?	gen_context(system_u:object_r:bin_t,s0)
@ -263,6 +270,7 @@ ifdef(`distro_redhat', `
 /usr/share/ssl/misc(/.*)?		gen_context(system_u:object_r:bin_t,s0)
 /usr/share/switchdesk/switchdesk-gui\.py -- gen_context(system_u:object_r:bin_t,s0)
 /usr/share/system-config-date/system-config-date\.py -- gen_context(system_u:object_r:bin_t,s0)
 /usr/share/system-config-selinux/polgen\.py -- gen_context(system_u:object_r:bin_t,s0)
 /usr/share/system-config-selinux/system-config-selinux\.py -- gen_context(system_u:object_r:bin_t,s0)
 /usr/share/system-config-display/system-config-display -- gen_context(system_u:object_r:bin_t,s0)
 /usr/share/system-config-httpd/system-config-httpd -- gen_context(system_u:object_r:bin_t,s0)
--- a/policy/modules/kernel/corecommands.if
+++ b/policy/modules/kernel/corecommands.if
@ -447,7 +447,7 @@ interface(`corecmd_bin_domtrans',`
 		type bin_t;
 	')
-	corecmd_bin_spec_domtrans($1,$2)
+	corecmd_bin_spec_domtrans($1, $2)
 	type_transition $1 bin_t:process $2;
 ')
--- a/policy/modules/kernel/corecommands.te
+++ b/policy/modules/kernel/corecommands.te
@ -1,5 +1,5 @@
-policy_module(corecommands, 1.12.0)
+policy_module(corecommands, 1.12.1)
 ########################################
 #
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@ -1,5 +1,5 @@
-policy_module(corenetwork, 1.12.1)
+policy_module(corenetwork, 1.13.0)
 ########################################
 #
@ -156,6 +156,7 @@ network_port(prelude, tcp,4690,s0, udp,4690,s0)
 network_port(printer, tcp,515,s0)
 network_port(ptal, tcp,5703,s0)
 network_port(pulseaudio, tcp,4713,s0)
 network_port(puppet, tcp, 8140, s0)
 network_port(pxe, udp,4011,s0)
 network_port(pyzor, udp,24441,s0)
 network_port(radacct, udp,1646,s0, udp,1813,s0)
--- a/policy/modules/kernel/devices.fc
+++ b/policy/modules/kernel/devices.fc
@ -47,8 +47,10 @@
 /dev/kmem		-c	gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
 /dev/kmsg		-c	gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh)
 /dev/kqemu		-c	gen_context(system_u:object_r:qemu_device_t,s0)
 /dev/ksm		-c	gen_context(system_u:object_r:ksm_device_t,s0)
 /dev/kvm		-c	gen_context(system_u:object_r:kvm_device_t,s0)
 /dev/lik.*		-c	gen_context(system_u:object_r:event_device_t,s0)
 /dev/lirc[0-9]+		-c	gen_context(system_u:object_r:lirc_device_t,s0)
 /dev/lircm		-c	gen_context(system_u:object_r:mouse_device_t,s0)
 /dev/logibm		-c	gen_context(system_u:object_r:mouse_device_t,s0)
 /dev/lp.*		-c	gen_context(system_u:object_r:printer_device_t,s0)
@ -61,10 +63,12 @@
 /dev/midi.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
 /dev/mixer.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
 /dev/mmetfgrab		-c	gen_context(system_u:object_r:scanner_device_t,s0)
 /dev/modem		-c	gen_context(system_u:object_r:modem_device_t,s0)
 /dev/mpu401.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
 /dev/msr.*		-c	gen_context(system_u:object_r:cpu_device_t,s0)
 /dev/network_latency	-c	gen_context(system_u:object_r:netcontrol_device_t,s0)
 /dev/network_throughput	-c	gen_context(system_u:object_r:netcontrol_device_t,s0)
 /dev/noz.* 		-c	gen_context(system_u:object_r:modem_device_t,s0)
 /dev/null		-c	gen_context(system_u:object_r:null_device_t,s0)
 /dev/nvidia.*		-c	gen_context(system_u:object_r:xserver_misc_device_t,s0)
 /dev/nvram		-c	gen_context(system_u:object_r:nvram_device_t,mls_systemhigh)
@ -82,6 +86,7 @@
 /dev/radio.*		-c	gen_context(system_u:object_r:v4l_device_t,s0)
 /dev/random		-c	gen_context(system_u:object_r:random_device_t,s0)
 /dev/raw1394.*		-c	gen_context(system_u:object_r:v4l_device_t,s0)
 /dev/rfkill		-c	gen_context(system_u:object_r:wireless_device_t,s0)
 /dev/(misc/)?rtc[0-9]*	-c	gen_context(system_u:object_r:clock_device_t,s0)
 /dev/sequencer		-c	gen_context(system_u:object_r:sound_device_t,s0)
 /dev/sequencer2		-c	gen_context(system_u:object_r:sound_device_t,s0)
@ -101,7 +106,8 @@ ifdef(`distro_suse', `
 /dev/usbscanner		-c	gen_context(system_u:object_r:scanner_device_t,s0)
 ')
 /dev/vbi.*		-c	gen_context(system_u:object_r:v4l_device_t,s0)
-/dev/vboxadd.*		-c	gen_context(system_u:object_r:xserver_misc_device_t,s0)
+/dev/vbox.*		-c	gen_context(system_u:object_r:xserver_misc_device_t,s0)
 /dev/vga_arbiter	-c	gen_context(system_u:object_r:xserver_misc_device_t,s0)
 /dev/vmmon		-c	gen_context(system_u:object_r:vmware_device_t,s0)
 /dev/vmnet.*		-c	gen_context(system_u:object_r:vmware_device_t,s0)
 /dev/video.*		-c	gen_context(system_u:object_r:v4l_device_t,s0)
@ -168,6 +174,7 @@ ifdef(`distro_gentoo',`
 ifdef(`distro_redhat',`
 # originally from named.fc
 /var/named/chroot/dev	-d	gen_context(system_u:object_r:device_t,s0)
 /var/named/chroot/dev/null -c	gen_context(system_u:object_r:null_device_t,s0)
 /var/named/chroot/dev/random -c	gen_context(system_u:object_r:random_device_t,s0)
 /var/named/chroot/dev/zero -c	gen_context(system_u:object_r:zero_device_t,s0)
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@ -68,8 +68,8 @@ interface(`dev_relabel_all_dev_nodes',`
 	relabelfrom_lnk_files_pattern($1, device_t, { device_t device_node })
 	relabelfrom_fifo_files_pattern($1, device_t, device_node)
 	relabelfrom_sock_files_pattern($1, device_t, device_node)
-	relabel_blk_files_pattern($1, device_t,{ device_t device_node })
+	relabel_blk_files_pattern($1, device_t, { device_t device_node })
-	relabel_chr_files_pattern($1, device_t,{ device_t device_node })
+	relabel_chr_files_pattern($1, device_t, { device_t device_node })
 ')
 ########################################
@ -1690,6 +1690,78 @@ interface(`dev_read_kmsg',`
 	read_chr_files_pattern($1, device_t, kmsg_device_t)
 ')
 ########################################
 ## <summary>
 ##	Get the attributes of the ksm devices.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`dev_getattr_ksm_dev',`
 	gen_require(`
 		type device_t, ksm_device_t;
 	')
 	getattr_chr_files_pattern($1, device_t, ksm_device_t)
 ')
 ########################################
 ## <summary>
 ##	Set the attributes of the ksm devices.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`dev_setattr_ksm_dev',`
 	gen_require(`
 		type device_t, ksm_device_t;
 	')
 	setattr_chr_files_pattern($1, device_t, ksm_device_t)
 ')
 ########################################
 ## <summary>
 ##	Read the ksm devices.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`dev_read_ksm',`
 	gen_require(`
 		type device_t, ksm_device_t;
 	')
 	read_chr_files_pattern($1, device_t, ksm_device_t)
 ')
 ########################################
 ## <summary>
 ##	Read and write to ksm devices.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`dev_rw_ksm',`
 	gen_require(`
 		type device_t, ksm_device_t;
 	')
 	rw_chr_files_pattern($1, device_t, ksm_device_t)
 ')
 ########################################
 ## <summary>
 ##	Get the attributes of the kvm devices.
@ -1762,6 +1834,61 @@ interface(`dev_rw_kvm',`
 	rw_chr_files_pattern($1, device_t, kvm_device_t)
 ')
 ######################################
 ## <summary>
 ##	Read the lirc device.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`dev_read_lirc',`
 	gen_require(`
 		type device_t, lirc_device_t;
 	')
 	read_chr_files_pattern($1, device_t, lirc_device_t)
 ')
 ######################################
 ## <summary>
 ##	Read and write the lirc device.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`dev_rw_lirc',`
 	gen_require(`
 		type device_t, lirc_device_t;
 	')
 	rw_chr_files_pattern($1, device_t, lirc_device_t)
 ')
 ######################################
 ## <summary>
 ##	Automatic type transition to the type
 ##	for lirc device nodes when created in /dev.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`dev_filetrans_lirc',`
 	gen_require(`
 		type device_t, lirc_device_t;
 	')
 	filetrans_pattern($1, device_t, lirc_device_t, chr_file)
 ')
 ########################################
 ## <summary>
 ##	Read the lvm comtrol device.
@ -1798,6 +1925,24 @@ interface(`dev_rw_lvm_control',`
 	rw_chr_files_pattern($1, device_t, lvm_control_t)
 ')
 ########################################
 ## <summary>
 ##	Do not audit attempts to read and write lvm control device.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`dev_dontaudit_rw_lvm_control',`
 	gen_require(`
 		type lvm_control_t;
 	')
 	dontaudit $1 lvm_control_t:chr_file rw_file_perms;
 ')
 ########################################
 ## <summary>
 ##	Delete the lvm control device.
@ -2044,6 +2189,78 @@ interface(`dev_dontaudit_rw_misc',`
 	dontaudit $1 misc_device_t:chr_file rw_file_perms;
 ')
 ########################################
 ## <summary>
 ##	Get the attributes of the modem devices.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`dev_getattr_modem_dev',`
 	gen_require(`
 		type device_t, modem_device_t;
 	')
 	getattr_chr_files_pattern($1, device_t, modem_device_t)
 ')
 ########################################
 ## <summary>
 ##	Set the attributes of the modem devices.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`dev_setattr_modem_dev',`
 	gen_require(`
 		type device_t, modem_device_t;
 	')
 	setattr_chr_files_pattern($1, device_t, modem_device_t)
 ')
 ########################################
 ## <summary>
 ##	Read the modem devices.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`dev_read_modem',`
 	gen_require(`
 		type device_t, modem_device_t;
 	')
 	read_chr_files_pattern($1, device_t, modem_device_t)
 ')
 ########################################
 ## <summary>
 ##	Read and write to modem devices.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`dev_rw_modem',`
 	gen_require(`
 		type device_t, modem_device_t;
 	')
 	rw_chr_files_pattern($1, device_t, modem_device_t)
 ')
 ########################################
 ## <summary>
 ##	Get the attributes of the mouse devices.
@ -2303,6 +2520,24 @@ interface(`dev_setattr_null_dev',`
 	setattr_chr_files_pattern($1, device_t, null_device_t)
 ')
 ########################################
 ## <summary>
 ##	Delete the null device (/dev/null).
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`dev_delete_null',`
 	gen_require(`
 		type device_t, null_device_t;
 	')
 	delete_chr_files_pattern($1, device_t, null_device_t)
 ')
 ########################################
 ## <summary>
 ##	Read and write to the null device (/dev/null).
@ -3597,6 +3832,24 @@ interface(`dev_write_watchdog',`
 	write_chr_files_pattern($1, device_t, watchdog_device_t)
 ')
 ########################################
 ## <summary>
 ##	Read and write the the wireless device.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`dev_rw_wireless',`
 	gen_require(`
 		type device_t, wireless_device_t;
 	')
 	rw_chr_files_pattern($1, device_t, wireless_device_t)
 ')
 ########################################
 ## <summary>
 ##	Read and write Xen devices.
--- a/policy/modules/kernel/devices.te
+++ b/policy/modules/kernel/devices.te
@ -1,5 +1,5 @@
-policy_module(devices, 1.8.2)
+policy_module(devices, 1.9.1)
 ########################################
 #
@ -83,6 +83,12 @@ dev_node(ipmi_device_t)
 type kmsg_device_t;
 dev_node(kmsg_device_t)
 #
 # ksm_device_t is the type of /dev/ksm
 #
 type ksm_device_t;
 dev_node(ksm_device_t)
 #
 # kvm_device_t is the type of
 # /dev/kvm
@ -90,6 +96,12 @@ dev_node(kmsg_device_t)
 type kvm_device_t;
 dev_node(kvm_device_t)
 #
 # Type for /dev/lirc
 #
 type lirc_device_t;
 dev_node(lirc_device_t)
 #
 # Type for /dev/mapper/control
 #
@ -109,6 +121,12 @@ neverallow ~{ memory_raw_write devices_unconfined_type } memory_device_t:{ chr_f
 type misc_device_t;
 dev_node(misc_device_t)
 #
 # A general type for modem devices.
 #
 type modem_device_t;
 dev_node(modem_device_t)
 #
 # A more general type for mouse devices.
 #
@ -224,6 +242,12 @@ dev_node(vmware_device_t)
 type watchdog_device_t;
 dev_node(watchdog_device_t)
 #
 # wireless control devices
 #
 type wireless_device_t;
 dev_node(wireless_device_t)
 type xen_device_t;
 dev_node(xen_device_t)
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@ -110,7 +110,11 @@ interface(`files_pid_file',`
 ## </param>
 #
 interface(`files_config_file',`
 	gen_require(`
 		attribute configfile;
 	')
 	files_type($1)
 	typeattribute $1 configfile;
 ')
 ########################################
@ -1150,6 +1154,102 @@ interface(`files_unmount_all_file_type_fs',`
 	allow $1 file_type:filesystem unmount;
 ')
 #############################################
 ## <summary>
 ##	Manage all configuration directories on filesystem
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	The type of domain performing this action
 ##	</summary>
 ## </param>
 ##
 #
 interface(`files_manage_config_dirs',`
 	gen_require(`
 		attribute configfile;
 	')
 	manage_dirs_pattern($1, configfile, configfile)
 ')
 #########################################
 ## <summary>
 ##	Relabel configuration directories
 ## </summary>
 ## <param name="domain">
 ## 	<summary>
 ##	Type of domain performing this action
 ##	</summary>
 ## </param>
 ##
 #
 interface(`files_relabel_config_dirs',`
 	gen_require(`
 		attribute configfile;
 	')
 	relabel_dirs_pattern($1, configfile, configfile)
 ')
 ########################################
 ## <summary>
 ##	Read config files in /etc.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`files_read_config_files',`
 	gen_require(`
 		attribute configfile;
 	')
 	allow $1 configfile:dir list_dir_perms;
 	read_files_pattern($1, configfile, configfile)
 	read_lnk_files_pattern($1, configfile, configfile)
 ')
 ###########################################
 ## <summary>
 ## 	Manage all configuration files on filesystem
 ## </summary>
 ## <param name="domain">
 ## 	<summary>
 ##	The type of domain performing this action
 ## 	</summary>
 ## </param>
 ##
 #
 interface(`files_manage_config_files',`
 	gen_require(`
 		attribute configfile;
 	')
 	manage_files_pattern($1, configfile, configfile)
 ')
 #######################################
 ## <summary>
 ##	Relabel configuration files
 ## </summary>
 ## <param name="domain">
 ## 	<summary>
 ##	Type of domain performing this action
 ##	</summary>
 ## </param>
 ##
 #
 interface(`files_relabel_config_files',`
 	gen_require(`
 		attribute configfile;
 	')
 	relabel_files_pattern($1, configfile, configfile)
 ')
 ########################################
 ## <summary>
 ##	Mount a filesystem on all mount points.
@ -1485,6 +1585,25 @@ interface(`files_boot_filetrans',`
 	filetrans_pattern($1, boot_t, $2, $3)
 ')
 ########################################
 ## <summary>
 ##	read files in the /boot directory.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 ## <rolecap/>
 #
 interface(`files_read_boot_files',`
 	gen_require(`
 		type boot_t;
 	')
 	manage_files_pattern($1, boot_t, boot_t)
 ')
 ########################################
 ## <summary>
 ##	Create, read, write, and delete files
@ -1713,6 +1832,25 @@ interface(`files_dontaudit_list_default',`
 	dontaudit $1 default_t:dir list_dir_perms;
 ')
 ########################################
 ## <summary>
 ##	Create, read, write, and delete directories with
 ##	the default file type.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`files_manage_default_dirs',`
 	gen_require(`
 		type default_t;
 	')
 	manage_dirs_pattern($1, default_t, default_t)
 ')
 ########################################
 ## <summary>
 ##	Mount a filesystem on a directory with the default file type.
@ -1787,6 +1925,25 @@ interface(`files_dontaudit_read_default_files',`
 	dontaudit $1 default_t:file read_file_perms;
 ')
 ########################################
 ## <summary>
 ##	Create, read, write, and delete files with
 ##	the default file type.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`files_manage_default_files',`
 	gen_require(`
 		type default_t;
 	')
 	manage_files_pattern($1, default_t, default_t)
 ')
 ########################################
 ## <summary>
 ##	Read symbolic links with the default file type.
@ -1913,6 +2070,25 @@ interface(`files_rw_etc_dirs',`
 	allow $1 etc_t:dir rw_dir_perms;
 ')
 ##########################################
 ## <summary>
 ## 	Manage generic directories in /etc
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access
 ##	</summary>
 ## </param>
 ##
 #
 interface(`files_manage_etc_dirs',`
 	gen_require(`
 		type etc_t;
 	')
 	manage_dirs_pattern($1, etc_t, etc_t)
 ')
 ########################################
 ## <summary>
 ##	Read generic files in /etc.
@ -3390,6 +3566,24 @@ interface(`files_setattr_all_tmp_dirs',`
 	allow $1 tmpfile:dir { search_dir_perms setattr };
 ')
 ########################################
 ## <summary>
 ##	List all tmp directories.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`files_list_all_tmp',`
 	gen_require(`
 		attribute tmpfile;
 	')
 	allow $1 tmpfile:dir list_dir_perms;
 ')
 ########################################
 ## <summary>
 ##	Do not audit attempts to get the attributes
@ -4222,6 +4416,24 @@ interface(`files_list_var_lib',`
 	list_dirs_pattern($1, var_t, var_lib_t)
 ')
 ###########################################
 ## <summary>
 ##	Read-write /var/lib directories
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`files_rw_var_lib_dirs',`
 	gen_require(`
 		type var_lib_t;
 	')
 	rw_dirs_pattern($1, var_lib_t, var_lib_t)
 ')
 ########################################
 ## <summary>
 ##	Create objects in the /var/lib directory
@ -4955,7 +5167,7 @@ interface(`files_polyinstantiate_all',`
 	selinux_compute_member($1)
 	# Need sys_admin capability for mounting
-	allow $1 self:capability { chown fsetid sys_admin };
+	allow $1 self:capability { chown fsetid sys_admin fowner };
 	# Need to give access to the directories to be polyinstantiated
 	allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir };
--- a/policy/modules/kernel/files.te
+++ b/policy/modules/kernel/files.te
@ -1,5 +1,5 @@
-policy_module(files, 1.12.0)
+policy_module(files, 1.12.1)
 ########################################
 #
@ -11,6 +11,7 @@ attribute files_unconfined_type;
 attribute lockfile;
 attribute mountpoint;
 attribute pidfile;
 attribute configfile;
 # For labeling types that are to be polyinstantiated
 attribute polydir;
@ -52,7 +53,7 @@ files_mountpoint(default_t)
 #
 # etc_t is the type of the system etc directories.
 #
-type etc_t;
+type etc_t, configfile;
 files_type(etc_t)
 # compatibility aliases for removed types:
 typealias etc_t alias automount_etc_t;
--- a/policy/modules/kernel/filesystem.fc
+++ b/policy/modules/kernel/filesystem.fc
@ -1 +1 @@
-# This module currently does not have any file contexts.
+/dev/shm	-d	gen_context(system_u:object_r:tmpfs_t,s0)
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@ -308,6 +308,26 @@ interface(`fs_rw_anon_inodefs_files',`
 	rw_files_pattern($1, anon_inodefs_t, anon_inodefs_t)
 ')
 ########################################
 ## <summary>
 ##	Do not audit attempts to read or write files on
 ##	anon_inodefs file systems.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`fs_dontaudit_rw_anon_inodefs_files',`
 	gen_require(`
 		type anon_inodefs_t;
 	')
 	dontaudit $1 anon_inodefs_t:file rw_file_perms;
 ')
 ########################################
 ## <summary>
 ##	Mount an automount pseudo filesystem.
@ -1149,6 +1169,44 @@ interface(`fs_cifs_domtrans',`
 	domain_auto_transition_pattern($1, cifs_t, $2)
 ')
 #######################################
 ## <summary>
 ##	Create, read, write, and delete dirs
 ##	on a configfs filesystem.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`fs_manage_configfs_dirs',`
 	gen_require(`
 		type configfs_t;
 	')
 	manage_dirs_pattern($1, configfs_t, configfs_t)
 ')
 #######################################
 ## <summary>
 ##	Create, read, write, and delete files
 ##	on a configfs filesystem.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`fs_manage_configfs_files',`
 	gen_require(`
 		type configfs_t;
 	')
 	manage_files_pattern($1, configfs_t, configfs_t)
 ')
 ########################################
 ## <summary>
 ##	Mount a DOS filesystem, such as
@ -1535,6 +1593,24 @@ interface(`fs_rw_hugetlbfs_files',`
 	rw_files_pattern($1, hugetlbfs_t, hugetlbfs_t)
 ')
 ########################################
 ## <summary>
 ##	Allow the type to associate to hugetlbfs filesystems.
 ## </summary>
 ## <param name="type">
 ##	<summary>
 ##	The type of the object to be associated.
 ##	</summary>
 ## </param>
 #
 interface(`fs_associate_hugetlbfs',`
 	gen_require(`
 		type hugetlbfs_t;
 	')
 	allow $1 hugetlbfs_t:filesystem associate;
 ')
 ########################################
 ## <summary>
 ##	Search inotifyfs filesystem.
@ -2540,6 +2616,42 @@ interface(`fs_search_nfsd_fs',`
 	allow $1 nfsd_fs_t:dir search_dir_perms;
 ')
 ########################################
 ## <summary>
 ##	List NFS server directories.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`fs_list_nfsd_fs',`
 	gen_require(`
 		type nfsd_fs_t;
 	')
 	allow $1 nfsd_fs_t:dir list_dir_perms;
 ')
 ########################################
 ## <summary>
 ##	Getattr files on an nfsd filesystem
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`fs_getattr_nfsd_files',`
 	gen_require(`
 		type nfsd_fs_t;
 	')
 	getattr_files_pattern($1, nfsd_fs_t, nfsd_fs_t)
 ')
 ########################################
 ## <summary>
 ##	Read and write NFS server files.
@ -3570,6 +3682,104 @@ interface(`fs_manage_tmpfs_blk_files',`
 	manage_blk_files_pattern($1, tmpfs_t, tmpfs_t)
 ')
 ########################################
 ## <summary>
 ##	Mount a XENFS filesystem.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`fs_mount_xenfs',`
 	gen_require(`
 		type xenfs_t;
 	')
 	allow $1 xenfs_t:filesystem mount;
 ')
 ########################################
 ## <summary>
 ##	Create, read, write, and delete directories
 ##	on a XENFS filesystem.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 ## <rolecap/>
 #
 interface(`fs_manage_xenfs_dirs',`
 	gen_require(`
 		type xenfs_t;
 	')
 	allow $1 xenfs_t:dir manage_dir_perms;
 ')
 ########################################
 ## <summary>
 ##	Do not audit attempts to create, read,
 ##	write, and delete directories
 ##	on a XENFS filesystem.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain to not audit.
 ##	</summary>
 ## </param>
 #
 interface(`fs_dontaudit_manage_xenfs_dirs',`
 	gen_require(`
 		type xenfs_t;
 	')
 	dontaudit $1 xenfs_t:dir manage_dir_perms;
 ')
 ########################################
 ## <summary>
 ##	Create, read, write, and delete files
 ##	on a XENFS filesystem.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 ## <rolecap/>
 #
 interface(`fs_manage_xenfs_files',`
 	gen_require(`
 		type xenfs_t;
 	')
 	manage_files_pattern($1, xenfs_t, xenfs_t)
 ')
 ########################################
 ## <summary>
 ##	Do not audit attempts to create,
 ##	read, write, and delete files
 ##	on a XENFS filesystem.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain to not audit.
 ##	</summary>
 ## </param>
 #
 interface(`fs_dontaudit_manage_xenfs_files',`
 	gen_require(`
 		type xenfs_t;
 	')
 	dontaudit $1 xenfs_t:file manage_file_perms;
 ')
 ########################################
 ## <summary>
 ##	Mount all filesystems.
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@ -1,5 +1,5 @@
-policy_module(filesystem, 1.12.0)
+policy_module(filesystem, 1.12.1)
 ########################################
 #
@ -93,7 +93,7 @@ genfscon futexfs / gen_context(system_u:object_r:futexfs_t,s0)
 type hugetlbfs_t;
 fs_type(hugetlbfs_t)
 files_mountpoint(hugetlbfs_t)
-genfscon hugetlbfs / gen_context(system_u:object_r:hugetlbfs_t,s0)
+fs_use_trans hugetlbfs gen_context(system_u:object_r:hugetlbfs_t,s0);
 type ibmasmfs_t;
 fs_type(ibmasmfs_t)
@ -174,6 +174,11 @@ fs_use_trans tmpfs gen_context(system_u:object_r:tmpfs_t,s0);
 allow tmpfs_t noxattrfs:filesystem associate;
 type xenfs_t;
 fs_noxattr_type(xenfs_t)
 files_mountpoint(xenfs_t)
 genfscon xenfs / gen_context(system_u:object_r:xenfs_t,s0)
 ##############################
 #
 # Filesystems without extended attribute support
@ -250,7 +255,6 @@ genfscon lustre / gen_context(system_u:object_r:nfs_t,s0)
 genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0)
 genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0)
 genfscon panfs / gen_context(system_u:object_r:nfs_t,s0)
 genfscon xenfs / gen_context(system_u:object_r:nfs_t,s0)
 genfscon gadgetfs / gen_context(system_u:object_r:nfs_t,s0)
 ########################################
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@ -57,7 +57,7 @@ interface(`kernel_ranged_domtrans_to',`
 		type kernel_t;
 	')
-	kernel_domtrans_to($1,$2)
+	kernel_domtrans_to($1, $2)
 	ifdef(`enable_mcs',`
 		range_transition kernel_t $2:process $3;
@ -483,13 +483,32 @@ interface(`kernel_clear_ring_buffer',`
 	allow $1 kernel_t:system syslog_mod;
 ')
 ########################################
 ## <summary>
 ##	Allows caller to request the kernel to load a module
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 ## <rolecap/>
 #
 interface(`kernel_request_load_module',`
 	gen_require(`
 		type kernel_t;
 	')
 	allow $1 kernel_t:system module_request;
 ')
 ########################################
 ## <summary>
 ##	Get information on all System V IPC objects.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@ -939,6 +958,29 @@ interface(`kernel_dontaudit_getattr_core_if',`
 	dontaudit $1 proc_kcore_t:file getattr;
 ')
 ########################################
 ## <summary>
 ##	Allows caller to read the core kernel interface.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`kernel_read_core_if',`
 	gen_require(`
 		type proc_t, proc_kcore_t;
 		attribute can_dump_kernel;
 	')
 	allow $1 self:capability sys_rawio;
 	read_files_pattern($1, proc_t, proc_kcore_t)
 	list_dirs_pattern($1, proc_t, proc_t)
 	typeattribute $1 can_dump_kernel;
 ')
 ########################################
 ## <summary>
 ##	Allow caller to read kernel messages
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@ -1,5 +1,5 @@
-policy_module(kernel, 1.11.0)
+policy_module(kernel, 1.11.2)
 ########################################
 #
@ -9,6 +9,7 @@ policy_module(kernel, 1.11.0)
 # assertion related attributes
 attribute can_load_kernmodule;
 attribute can_receive_kernel_messages;
 attribute can_dump_kernel;
 neverallow ~{ can_load_kernmodule kern_unconfined } self:capability sys_module;
@ -90,7 +91,7 @@ neverallow ~{ can_receive_kernel_messages kern_unconfined } proc_kmsg_t:file ~ge
 # /proc kcore: inaccessible
 type proc_kcore_t, proc_type;
-neverallow ~kern_unconfined proc_kcore_t:file ~getattr;
+neverallow ~{ can_dump_kernel kern_unconfined } proc_kcore_t:file ~getattr;
 genfscon proc /kcore gen_context(system_u:object_r:proc_kcore_t,mls_systemhigh)
 type proc_mdstat_t, proc_type;
@ -355,7 +356,7 @@ optional_policy(`
 ')
 optional_policy(`
-	unconfined_domain(kernel_t)
+	unconfined_domain_noaudit(kernel_t)
 ')
 ########################################
--- a/policy/modules/kernel/mcs.te
+++ b/policy/modules/kernel/mcs.te
@ -1,5 +1,5 @@
-policy_module(mcs, 1.1.1)
+policy_module(mcs, 1.2.0)
 ########################################
 #
--- a/policy/modules/kernel/storage.fc
+++ b/policy/modules/kernel/storage.fc
@ -28,6 +28,7 @@
 /dev/megadev.*		-c	gen_context(system_u:object_r:removable_device_t,s0)
 /dev/mmcblk.*		-b	gen_context(system_u:object_r:removable_device_t,s0)
 /dev/mspblk.*		-b	gen_context(system_u:object_r:removable_device_t,s0)
 /dev/mtd.*		-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
 /dev/nb[^/]+		-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
 /dev/optcd		-b	gen_context(system_u:object_r:removable_device_t,s0)
 /dev/p[fg][0-3]		-b	gen_context(system_u:object_r:removable_device_t,s0)
--- a/policy/modules/kernel/storage.if
+++ b/policy/modules/kernel/storage.if
@ -529,7 +529,7 @@ interface(`storage_dontaudit_read_removable_device',`
 	')
-	dontaudit $1 removable_device_t:blk_file { getattr ioctl read };
+	dontaudit $1 removable_device_t:blk_file read_blk_file_perms;
 ')
 ########################################
--- a/policy/modules/kernel/storage.te
+++ b/policy/modules/kernel/storage.te
@ -1,5 +1,5 @@
-policy_module(storage, 1.7.0)
+policy_module(storage, 1.7.1)
 ########################################
 #
--- a/policy/modules/kernel/terminal.fc
+++ b/policy/modules/kernel/terminal.fc
@ -13,6 +13,7 @@
 /dev/ip2[^/]*		-c	gen_context(system_u:object_r:tty_device_t,s0)
 /dev/isdn.*		-c	gen_context(system_u:object_r:tty_device_t,s0)
 /dev/ptmx		-c	gen_context(system_u:object_r:ptmx_t,s0)
 /dev/pts/ptmx		-c	gen_context(system_u:object_r:ptmx_t,s0)
 /dev/rfcomm[0-9]+	-c	gen_context(system_u:object_r:tty_device_t,s0)
 /dev/slamr[0-9]+	-c	gen_context(system_u:object_r:tty_device_t,s0)
 /dev/tty		-c	gen_context(system_u:object_r:devtty_t,s0)
--- a/policy/modules/kernel/terminal.if
+++ b/policy/modules/kernel/terminal.if
@ -196,7 +196,7 @@ interface(`term_use_all_terms',`
 	dev_list_all_dev_nodes($1)
 	allow $1 devpts_t:dir list_dir_perms;
-	allow $1 { console_device_t tty_device_t ttynode ptynode }:chr_file rw_chr_file_perms;
+	allow $1 { devpts_t console_device_t tty_device_t ttynode ptynode }:chr_file rw_chr_file_perms;
 ')
 ########################################
@ -472,6 +472,24 @@ interface(`term_dontaudit_manage_pty_dirs',`
 	dontaudit $1 devpts_t:dir manage_dir_perms;
 ')
 ########################################
 ## <summary>
 ##	Do not audit attempts to get the attributes
 ##	of generic pty devices.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	The type of the process to not audit.
 ##	</summary>
 ## </param>
 #
 interface(`term_dontaudit_getattr_generic_ptys',`
 	gen_require(`
 		type devpts_t;
 	')
 	dontaudit $1 devpts_t:chr_file getattr;
 ')
 ########################################
 ## <summary>
 ##	ioctl of generic pty devices.
@ -575,6 +593,25 @@ interface(`term_dontaudit_use_generic_ptys',`
 	dontaudit $1 devpts_t:chr_file { getattr read write ioctl };
 ')
 #######################################
 ## <summary>
 ##	Set the attributes of the tty device
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`term_setattr_controlling_term',`
 	gen_require(`
 		type devtty_t;
 	')
 	dev_list_all_dev_nodes($1)
 	allow $1 devtty_t:chr_file setattr;
 ')
 ########################################
 ## <summary>
 ##	Read and write the controlling
--- a/policy/modules/kernel/terminal.te
+++ b/policy/modules/kernel/terminal.te
@ -1,5 +1,5 @@
-policy_module(terminal, 1.7.0)
+policy_module(terminal, 1.7.1)
 ########################################
 #
@ -44,6 +44,7 @@ mls_trusted_object(devtty_t)
 type ptmx_t;
 dev_node(ptmx_t)
 mls_trusted_object(ptmx_t)
 allow ptmx_t devpts_t:filesystem associate;
 #
 # tty_device_t is the type of /dev/*tty*
--- a/policy/modules/services/cron.te
+++ b/policy/modules/services/cron.te
@ -1,5 +1,5 @@
-policy_module(cron, 2.1.2)
+policy_module(cron, 2.2.0)
 gen_require(`
 	class passwd rootok;
--- a/policy/modules/services/dbus.te
+++ b/policy/modules/services/dbus.te
@ -1,5 +1,5 @@
-policy_module(dbus, 1.11.1)
+policy_module(dbus, 1.12.0)
 gen_require(`
 	class dbus all_dbus_perms;
--- a/policy/modules/services/nscd.te
+++ b/policy/modules/services/nscd.te
@ -1,5 +1,5 @@
-policy_module(nscd, 1.9.2)
+policy_module(nscd, 1.10.0)
 gen_require(`
 	class nscd all_nscd_perms;
--- a/policy/modules/services/openvpn.te
+++ b/policy/modules/services/openvpn.te
@ -1,5 +1,5 @@
-policy_module(openvpn, 1.8.2)
+policy_module(openvpn, 1.9.0)
 ########################################
 #
--- a/policy/modules/services/policykit.te
+++ b/policy/modules/services/policykit.te
@ -1,5 +1,5 @@
-policy_module(policykit, 1.0.1)
+policy_module(policykit, 1.1.0)
 ########################################
 #
--- a/policy/modules/services/puppet.fc
+++ b/policy/modules/services/puppet.fc
@ -0,0 +1,11 @@
 /etc/puppet(/.*)?			gen_context(system_u:object_r:puppet_etc_t,s0)
 /etc/rc\.d/init\.d/puppet	--	gen_context(system_u:object_r:puppet_initrc_exec_t,s0)
 /etc/rc\.d/init\.d/puppetmaster --	gen_context(system_u:object_r:puppetmaster_initrc_exec_t,s0)
 /usr/sbin/puppetd		--	gen_context(system_u:object_r:puppet_exec_t,s0)
 /usr/sbin/puppetmasterd		--	gen_context(system_u:object_r:puppetmaster_exec_t,s0)
 /var/lib/puppet(/.*)?			gen_context(system_u:object_r:puppet_var_lib_t,s0)
 /var/log/puppet(/.*)?			gen_context(system_u:object_r:puppet_log_t,s0)
 /var/run/puppet(/.*)?			gen_context(system_u:object_r:puppet_var_run_t,s0)
--- a/policy/modules/services/puppet.if
+++ b/policy/modules/services/puppet.if
@ -0,0 +1,31 @@
 ## <summary>Puppet client daemon</summary>
 ## <desc>
 ##	<p>
 ##	Puppet is a configuration management system written in Ruby.
 ##	The client daemon is responsible for periodically requesting the
 ##	desired system state from the server and ensuring the state of
 ##	the client system matches.
 ##	</p>
 ## </desc>
 ################################################
 ## <summary>
 ##	Read / Write to Puppet temp files.  Puppet uses
 ##	some system binaries (groupadd, etc) that run in
 ##	a non-puppet domain and redirects output into temp
 ##	files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access
 ##	</summary>
 ## </param>
 #
 interface(`puppet_rw_tmp', `
 	gen_require(`
 		type puppet_tmp_t;
 	')
 	allow $1 puppet_tmp_t:file rw_file_perms;
 	files_search_tmp($1)
 ')
--- a/policy/modules/services/puppet.te
+++ b/policy/modules/services/puppet.te
@ -0,0 +1,234 @@
 policy_module(puppet, 1.0.0)
 ########################################
 #
 # Declarations
 #
 ## <desc>
 ## <p>
 ## Allow Puppet client to manage all file
 ## types.
 ## </p>
 ## </desc>
 gen_tunable(puppet_manage_all_files, false)
 type puppet_t;
 type puppet_exec_t;
 init_daemon_domain(puppet_t, puppet_exec_t)
 type puppet_etc_t;
 files_config_file(puppet_etc_t)
 type puppet_initrc_exec_t;
 init_script_file(puppet_initrc_exec_t)
 type puppet_log_t;
 logging_log_file(puppet_log_t)
 type puppet_tmp_t;
 files_tmp_file(puppet_tmp_t)
 type puppet_var_lib_t;
 files_type(puppet_var_lib_t)
 type puppet_var_run_t;
 files_pid_file(puppet_var_run_t)
 type puppetmaster_t;
 type puppetmaster_exec_t;
 init_daemon_domain(puppetmaster_t, puppetmaster_exec_t)
 type puppetmaster_initrc_exec_t;
 init_script_file(puppetmaster_initrc_exec_t)
 type puppetmaster_tmp_t;
 files_tmp_file(puppetmaster_tmp_t)
 ########################################
 #
 # Puppet personal policy
 #
 allow puppet_t self:capability { fowner fsetid setuid setgid dac_override sys_nice sys_ptrace sys_tty_config };
 allow puppet_t self:process { signal signull getsched setsched };
 allow puppet_t self:fifo_file rw_fifo_file_perms;
 allow puppet_t self:netlink_route_socket create_netlink_socket_perms;
 allow puppet_t self:tcp_socket create_stream_socket_perms;
 allow puppet_t self:udp_socket create_socket_perms;
 read_files_pattern(puppet_t, puppet_etc_t, puppet_etc_t)
 manage_dirs_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t)
 manage_files_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t)
 files_search_var_lib(puppet_t)
 setattr_dirs_pattern(puppet_t, puppet_var_run_t, puppet_var_run_t)
 manage_files_pattern(puppet_t, puppet_var_run_t, puppet_var_run_t)
 files_pid_filetrans(puppet_t, puppet_var_run_t, { file dir })
 create_dirs_pattern(puppet_t, var_log_t, puppet_log_t)
 create_files_pattern(puppet_t, puppet_log_t, puppet_log_t)
 append_files_pattern(puppet_t, puppet_log_t, puppet_log_t)
 logging_log_filetrans(puppet_t, puppet_log_t, { file dir })
 manage_dirs_pattern(puppet_t, puppet_tmp_t, puppet_tmp_t)
 manage_files_pattern(puppet_t, puppet_tmp_t, puppet_tmp_t)
 files_tmp_filetrans(puppet_t, puppet_tmp_t, { file dir })
 kernel_dontaudit_search_sysctl(puppet_t)
 kernel_dontaudit_search_kernel_sysctl(puppet_t)
 kernel_read_system_state(puppet_t)
 kernel_read_crypto_sysctls(puppet_t)
 corecmd_exec_bin(puppet_t)
 corecmd_exec_shell(puppet_t)
 corenet_all_recvfrom_netlabel(puppet_t)
 corenet_all_recvfrom_unlabeled(puppet_t)
 corenet_tcp_sendrecv_generic_if(puppet_t)
 corenet_tcp_sendrecv_generic_node(puppet_t)
 corenet_tcp_bind_generic_node(puppet_t)
 corenet_tcp_connect_puppet_port(puppet_t)
 corenet_sendrecv_puppet_client_packets(puppet_t)
 dev_read_rand(puppet_t)
 dev_read_sysfs(puppet_t)
 dev_read_urand(puppet_t)
 domain_read_all_domains_state(puppet_t)
 domain_interactive_fd(puppet_t)
 files_manage_config_files(puppet_t)
 files_manage_config_dirs(puppet_t)
 files_manage_etc_dirs(puppet_t)
 files_manage_etc_files(puppet_t)
 files_read_usr_symlinks(puppet_t)
 files_relabel_config_dirs(puppet_t)
 files_relabel_config_files(puppet_t)
 selinux_search_fs(puppet_t)
 selinux_set_all_booleans(puppet_t)
 selinux_set_generic_booleans(puppet_t)
 selinux_validate_context(puppet_t)
 term_dontaudit_getattr_unallocated_ttys(puppet_t)
 term_dontaudit_getattr_all_user_ttys(puppet_t)
 init_all_labeled_script_domtrans(puppet_t)
 init_domtrans_script(puppet_t)
 init_read_utmp(puppet_t)
 init_signull_script(puppet_t)
 logging_send_syslog_msg(puppet_t)
 miscfiles_read_hwdata(puppet_t)
 miscfiles_read_localization(puppet_t)
 seutil_domtrans_setfiles(puppet_t)
 seutil_domtrans_semanage(puppet_t)
 sysnet_dns_name_resolve(puppet_t)
 sysnet_run_ifconfig(puppet_t, system_r)
 tunable_policy(`puppet_manage_all_files',`
 	auth_manage_all_files_except_shadow(puppet_t)
 ')
 optional_policy(`
 	consoletype_domtrans(puppet_t)
 ')
 optional_policy(`
 	hostname_exec(puppet_t)
 ')
 optional_policy(`
 	files_rw_var_files(puppet_t)
 	rpm_domtrans(puppet_t)
 	rpm_manage_db(puppet_t)
 	rpm_manage_log(puppet_t)
 ')
 optional_policy(`
 	unconfined_domain(puppet_t)
 ')
 optional_policy(`
 	usermanage_domtrans_groupadd(puppet_t)
 	usermanage_domtrans_useradd(puppet_t)
 ')
 ########################################
 #
 # Pupper master personal policy
 #
 allow puppetmaster_t self:capability { dac_read_search dac_override setuid setgid fowner chown fsetid sys_tty_config };
 allow puppetmaster_t self:process { signal_perms getsched setsched };
 allow puppetmaster_t self:fifo_file rw_fifo_file_perms;
 allow puppetmaster_t self:netlink_route_socket create_netlink_socket_perms;
 allow puppetmaster_t self:socket create;
 allow puppetmaster_t self:tcp_socket create_stream_socket_perms;
 allow puppetmaster_t self:udp_socket create_socket_perms;
 list_dirs_pattern(puppetmaster_t, puppet_etc_t, puppet_etc_t)
 read_files_pattern(puppetmaster_t, puppet_etc_t, puppet_etc_t)
 allow puppetmaster_t puppet_log_t:dir { rw_dir_perms setattr };
 allow puppetmaster_t puppet_log_t:file { rw_file_perms create setattr };
 logging_log_filetrans(puppetmaster_t, puppet_log_t, { file dir })
 manage_dirs_pattern(puppetmaster_t, puppet_var_lib_t, puppet_var_lib_t)
 manage_files_pattern(puppetmaster_t, puppet_var_lib_t, puppet_var_lib_t)
 setattr_dirs_pattern(puppetmaster_t, puppet_var_run_t, puppet_var_run_t)
 manage_files_pattern(puppetmaster_t, puppet_var_run_t, puppet_var_run_t)
 files_pid_filetrans(puppetmaster_t, puppet_var_run_t, { file dir })
 manage_dirs_pattern(puppetmaster_t, puppetmaster_tmp_t, puppetmaster_tmp_t)
 manage_files_pattern(puppetmaster_t, puppetmaster_tmp_t, puppetmaster_tmp_t)
 files_tmp_filetrans(puppetmaster_t, puppetmaster_tmp_t, { file dir })
 kernel_dontaudit_search_kernel_sysctl(puppetmaster_t)
 kernel_read_system_state(puppetmaster_t)
 kernel_read_crypto_sysctls(puppetmaster_t)
 corecmd_exec_bin(puppetmaster_t)
 corecmd_exec_shell(puppetmaster_t)
 corenet_all_recvfrom_netlabel(puppetmaster_t)
 corenet_all_recvfrom_unlabeled(puppetmaster_t)
 corenet_tcp_sendrecv_generic_if(puppetmaster_t)
 corenet_tcp_sendrecv_generic_node(puppetmaster_t)
 corenet_tcp_bind_generic_node(puppetmaster_t)
 corenet_tcp_bind_puppet_port(puppetmaster_t)
 corenet_sendrecv_puppet_server_packets(puppetmaster_t)
 dev_read_rand(puppetmaster_t)
 dev_read_urand(puppetmaster_t)
 domain_read_all_domains_state(puppetmaster_t)
 files_read_etc_files(puppetmaster_t)
 files_search_var_lib(puppetmaster_t)
 logging_send_syslog_msg(puppetmaster_t)
 miscfiles_read_localization(puppetmaster_t)
 sysnet_dns_name_resolve(puppetmaster_t)
 sysnet_run_ifconfig(puppetmaster_t, system_r)
 optional_policy(`
 	hostname_exec(puppetmaster_t)
 ')
 optional_policy(`
 	files_read_usr_symlinks(puppetmaster_t)
 	rpm_exec(puppetmaster_t)
 	rpm_read_db(puppetmaster_t)
 ')
--- a/policy/modules/services/tgtd.fc
+++ b/policy/modules/services/tgtd.fc
@ -0,0 +1,3 @@
 /etc/rc\.d/init\.d/tgtd		--	gen_context(system_u:object_r:tgtd_initrc_exec_t,s0)
 /usr/sbin/tgtd			--	gen_context(system_u:object_r:tgtd_exec_t,s0)
 /var/lib/tgtd(/.*)?			gen_context(system_u:object_r:tgtd_var_lib_t,s0)
--- a/policy/modules/services/tgtd.if
+++ b/policy/modules/services/tgtd.if
@ -0,0 +1,11 @@
 ## <summary>Linux Target Framework Daemon.</summary>
 ## <desc>
 ##	<p>
 ##	Linux target framework (tgt) aims to simplify various
 ##	SCSI target driver (iSCSI, Fibre Channel, SRP, etc) creation
 ##	and maintenance. Our key goals are the clean integration into
 ##	the scsi-mid layer and implementing a great portion of tgt
 ##	in user space.
 ##	</p>
 ## </desc>
--- a/policy/modules/services/tgtd.te
+++ b/policy/modules/services/tgtd.te
@ -0,0 +1,67 @@
 policy_module(tgtd, 1.0.0)
 ########################################
 #
 # TGTD personal declarations.
 #
 type tgtd_t;
 type tgtd_exec_t;
 init_daemon_domain(tgtd_t, tgtd_exec_t)
 type tgtd_initrc_exec_t;
 init_script_file(tgtd_initrc_exec_t)
 type tgtd_tmp_t;
 files_tmp_file(tgtd_tmp_t)
 type tgtd_tmpfs_t;
 files_tmpfs_file(tgtd_tmpfs_t)
 type tgtd_var_lib_t;
 files_type(tgtd_var_lib_t)
 ########################################
 #
 # TGTD personal policy.
 #
 allow tgtd_t self:capability sys_resource;
 allow tgtd_t self:process { setrlimit signal };
 allow tgtd_t self:fifo_file rw_fifo_file_perms;
 allow tgtd_t self:netlink_route_socket { create_socket_perms nlmsg_read };
 allow tgtd_t self:shm create_shm_perms;
 allow tgtd_t self:sem create_sem_perms;
 allow tgtd_t self:tcp_socket create_stream_socket_perms;
 allow tgtd_t self:udp_socket create_socket_perms;
 allow tgtd_t self:unix_dgram_socket create_socket_perms;
 manage_sock_files_pattern(tgtd_t, tgtd_tmp_t, tgtd_tmp_t)
 files_tmp_filetrans(tgtd_t, tgtd_tmp_t, { sock_file })
 manage_files_pattern(tgtd_t, tgtd_tmpfs_t, tgtd_tmpfs_t)
 fs_tmpfs_filetrans(tgtd_t, tgtd_tmpfs_t, file)
 manage_dirs_pattern(tgtd_t, tgtd_var_lib_t, tgtd_var_lib_t)
 manage_files_pattern(tgtd_t, tgtd_var_lib_t, tgtd_var_lib_t)
 files_var_lib_filetrans(tgtd_t, tgtd_var_lib_t, { dir file })
 kernel_read_fs_sysctls(tgtd_t)
 corenet_all_recvfrom_netlabel(tgtd_t)
 corenet_all_recvfrom_unlabeled(tgtd_t)
 corenet_tcp_sendrecv_generic_if(tgtd_t)
 corenet_tcp_sendrecv_generic_node(tgtd_t)
 corenet_tcp_sendrecv_iscsi_port(tgtd_t)
 corenet_tcp_bind_generic_node(tgtd_t)
 corenet_tcp_bind_iscsi_port(tgtd_t)
 corenet_sendrecv_iscsi_server_packets(tgtd_t)
 files_read_etc_files(tgtd_t)
 storage_getattr_fixed_disk_dev(tgtd_t)
 logging_send_syslog_msg(tgtd_t)
 miscfiles_read_localization(tgtd_t)
--- a/policy/modules/services/virt.te
+++ b/policy/modules/services/virt.te
@ -1,5 +1,5 @@
-policy_module(virt, 1.2.1)
+policy_module(virt, 1.3.0)
 ########################################
 #
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@ -1,5 +1,5 @@
-policy_module(xserver, 3.2.3)
+policy_module(xserver, 3.3.0)
 gen_require(`
 	class x_drawable all_x_drawable_perms;
--- a/policy/modules/system/application.if
+++ b/policy/modules/system/application.if
@ -99,5 +99,23 @@ interface(`application_exec_all',`
 interface(`application_domain',`
 	application_type($1)
 	application_executable_file($2)
-	domain_entry_file($1,$2)
+	domain_entry_file($1, $2)
 ')
 ########################################
 ## <summary>
 ##	Send signull to all application domains.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`application_signull',`
 	gen_require(`
 		attribute application_domain_type;
 	')
 	allow $1 application_domain_type:process signull;
 ')
--- a/policy/modules/system/application.te
+++ b/policy/modules/system/application.te
@ -1,5 +1,5 @@
-policy_module(application, 1.1.0)
+policy_module(application, 1.1.1)
 # Attribute of user applications
 attribute application_domain_type;
@ -11,3 +11,7 @@ optional_policy(`
 	ssh_sigchld(application_domain_type)
 	ssh_rw_stream_sockets(application_domain_type)
 ')
 optional_policy(`
 	sudo_sigchld(application_domain_type)
 ')
--- a/policy/modules/system/fstools.fc
+++ b/policy/modules/system/fstools.fc
@ -6,6 +6,7 @@
 /sbin/dump		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 /sbin/dumpe2fs		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 /sbin/e2fsck		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 /sbin/e4fsck		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 /sbin/e2label		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 /sbin/fdisk		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 /sbin/findfs		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
--- a/policy/modules/system/fstools.te
+++ b/policy/modules/system/fstools.te
@ -1,5 +1,5 @@
-policy_module(fstools, 1.13.0)
+policy_module(fstools, 1.13.1)
 ########################################
 #
@ -144,6 +144,7 @@ logging_send_syslog_msg(fsadm_t)
 miscfiles_read_localization(fsadm_t)
 modutils_read_module_config(fsadm_t)
 modutils_read_module_deps(fsadm_t)
 seutil_read_config(fsadm_t)
@ -177,4 +178,5 @@ optional_policy(`
 optional_policy(`
 	xen_append_log(fsadm_t)
 	xen_rw_image_files(fsadm_t)
 ')
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@ -720,6 +720,25 @@ interface(`init_labeled_script_domtrans',`
 	files_search_etc($1)
 ')
 #########################################
 ## <summary>
 ##	Transition to the init script domain
 ## 	for all labeled init script types
 ## </summary>
 ## <param name="domain">
 ## 	<summary>
 ##		Domain allowed access
 ##	</summary>
 ## </param>
 #
 interface(`init_all_labeled_script_domtrans',`
 	gen_require(`
 		attribute init_script_file_type;
 	')
 	init_labeled_script_domtrans($1, init_script_file_type)
 ')
 ########################################
 ## <summary>
 ##	Start and stop daemon programs directly.
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@ -687,6 +687,10 @@ optional_policy(`
 	postfix_list_spool(initrc_t)
 ')
 optional_policy(`
 	puppet_rw_tmp(initrc_t)
 ')
 optional_policy(`
 	quota_manage_flags(initrc_t)
 ')
--- a/policy/modules/system/ipsec.fc
+++ b/policy/modules/system/ipsec.fc
@ -1,3 +1,6 @@
 /etc/rc\.d/init\.d/ipsec	--	gen_context(system_u:object_r:ipsec_initrc_exec_t,s0)
 /etc/rc\.d/init\.d/racoon	--	gen_context(system_u:object_r:ipsec_initrc_exec_t,s0)
 /etc/ipsec\.secrets		--	gen_context(system_u:object_r:ipsec_key_file_t,s0)
 /etc/ipsec\.conf		--	gen_context(system_u:object_r:ipsec_conf_file_t,s0)
 /etc/racoon/psk\.txt		--	gen_context(system_u:object_r:ipsec_key_file_t,s0)
--- a/policy/modules/system/ipsec.if
+++ b/policy/modules/system/ipsec.if
@ -187,6 +187,31 @@ interface(`ipsec_domtrans_racoon',`
 	domtrans_pattern($1, racoon_exec_t, racoon_t)
 ')
 ########################################
 ## <summary>
 ##	Execute racoon and allow the specified role the domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 ## <param name="role">
 ##	<summary>
 ##	Role allowed access.
 ##	</summary>
 ## </param>
 ## <rolecap/>
 #
 interface(`ipsec_run_racoon',`
 	gen_require(`
 		type racoon_t;
 	')
 	ipsec_domtrans_racoon($1)
 	role $2 types racoon_t;
 ')
 ########################################
 ## <summary>
 ##	Execute setkey in the setkey domain.
--- a/policy/modules/system/ipsec.te
+++ b/policy/modules/system/ipsec.te
@ -1,11 +1,18 @@
-policy_module(ipsec, 1.10.0)
+policy_module(ipsec, 1.10.1)
 ########################################
 #
 # Declarations
 #
 ## <desc>
 ## <p>
 ## Allow racoon to read shadow
 ## </p>
 ## </desc>
 gen_tunable(racoon_read_shadow, false)
 type ipsec_t;
 type ipsec_exec_t;
 init_daemon_domain(ipsec_t, ipsec_exec_t)
@ -15,6 +22,9 @@ role system_r types ipsec_t;
 type ipsec_conf_file_t;
 files_type(ipsec_conf_file_t)
 type ipsec_initrc_exec_t;
 init_script_file(ipsec_initrc_exec_t)
 # type for file(s) containing ipsec keys - RSA or preshared
 type ipsec_key_file_t;
 files_type(ipsec_key_file_t)
@ -43,6 +53,9 @@ type racoon_exec_t;
 init_daemon_domain(racoon_t, racoon_exec_t)
 role system_r types racoon_t;
 type racoon_tmp_t;
 files_tmp_file(racoon_tmp_t)
 type setkey_t;
 type setkey_exec_t;
 init_system_domain(setkey_t, setkey_exec_t)
@ -53,21 +66,23 @@ role system_r types setkey_t;
 # ipsec Local policy
 #
-allow ipsec_t self:capability { net_admin dac_override dac_read_search };
+allow ipsec_t self:capability { net_admin dac_override dac_read_search sys_nice };
 dontaudit ipsec_t self:capability sys_tty_config;
-allow ipsec_t self:process { signal setsched };
+allow ipsec_t self:process { getcap setcap getsched signal setsched };
 allow ipsec_t self:tcp_socket create_stream_socket_perms;
 allow ipsec_t self:udp_socket create_socket_perms;
 allow ipsec_t self:key_socket create_socket_perms;
 allow ipsec_t self:fifo_file read_fifo_file_perms;
 allow ipsec_t self:netlink_xfrm_socket { create_netlink_socket_perms nlmsg_write };
 allow ipsec_t ipsec_initrc_exec_t:file read_file_perms;
 allow ipsec_t ipsec_conf_file_t:dir list_dir_perms;
 read_files_pattern(ipsec_t, ipsec_conf_file_t, ipsec_conf_file_t)
 read_lnk_files_pattern(ipsec_t, ipsec_conf_file_t, ipsec_conf_file_t)
 allow ipsec_t ipsec_key_file_t:dir list_dir_perms;
-read_files_pattern(ipsec_t, ipsec_key_file_t, ipsec_key_file_t)
+manage_files_pattern(ipsec_t, ipsec_key_file_t, ipsec_key_file_t)
 read_lnk_files_pattern(ipsec_t, ipsec_key_file_t, ipsec_key_file_t)
 manage_files_pattern(ipsec_t, ipsec_var_run_t, ipsec_var_run_t)
@ -82,7 +97,7 @@ can_exec(ipsec_t, ipsec_mgmt_exec_t)
 # so try flipping back into the ipsec_mgmt_t domain
 corecmd_shell_domtrans(ipsec_t, ipsec_mgmt_t)
 allow ipsec_mgmt_t ipsec_t:fd use;
-allow ipsec_mgmt_t ipsec_t:fifo_file rw_file_perms;
+allow ipsec_mgmt_t ipsec_t:fifo_file rw_fifo_file_perms;
 allow ipsec_mgmt_t ipsec_t:process sigchld;
 kernel_read_kernel_sysctls(ipsec_t)
@ -92,6 +107,7 @@ kernel_read_proc_symlinks(ipsec_t)
 kernel_read_system_state(ipsec_t)
 kernel_read_network_state(ipsec_t)
 kernel_read_software_raid_state(ipsec_t)
 kernel_request_load_module(ipsec_t)
 kernel_getattr_core_if(ipsec_t)
 kernel_getattr_message_if(ipsec_t)
@ -120,7 +136,9 @@ dev_read_urand(ipsec_t)
 domain_use_interactive_fds(ipsec_t)
 files_list_tmp(ipsec_t)
 files_read_etc_files(ipsec_t)
 files_read_usr_files(ipsec_t)
 fs_getattr_all_fs(ipsec_t)
 fs_search_auto_mountpoints(ipsec_t)
@ -159,7 +177,7 @@ allow ipsec_mgmt_t self:unix_stream_socket create_stream_socket_perms;
 allow ipsec_mgmt_t self:tcp_socket create_stream_socket_perms;
 allow ipsec_mgmt_t self:udp_socket create_socket_perms;
 allow ipsec_mgmt_t self:key_socket create_socket_perms;
-allow ipsec_mgmt_t self:fifo_file rw_file_perms;
+allow ipsec_mgmt_t self:fifo_file rw_fifo_file_perms;
 allow ipsec_mgmt_t ipsec_mgmt_lock_t:file manage_file_perms;
 files_lock_filetrans(ipsec_mgmt_t, ipsec_mgmt_lock_t, file)
@ -280,6 +298,15 @@ allow racoon_t self:unix_dgram_socket { connect create ioctl write };
 allow racoon_t self:netlink_selinux_socket { bind create read };
 allow racoon_t self:udp_socket create_socket_perms;
 allow racoon_t self:key_socket create_socket_perms;
 allow racoon_t self:fifo_file rw_fifo_file_perms;
 manage_dirs_pattern(racoon_t, racoon_tmp_t, racoon_tmp_t)
 manage_files_pattern(racoon_t, racoon_tmp_t, racoon_tmp_t)
 files_tmp_filetrans(racoon_t, racoon_tmp_t, { dir file })
 can_exec(racoon_t, racoon_exec_t)
 can_exec(racoon_t, setkey_exec_t)
 # manage pid file
 manage_files_pattern(racoon_t, ipsec_var_run_t, ipsec_var_run_t)
@ -297,6 +324,9 @@ read_lnk_files_pattern(racoon_t, ipsec_key_file_t, ipsec_key_file_t)
 kernel_read_system_state(racoon_t)
 kernel_read_network_state(racoon_t)
 corecmd_exec_shell(racoon_t)
 corecmd_exec_bin(racoon_t)
 corenet_all_recvfrom_unlabeled(racoon_t)
 corenet_tcp_sendrecv_all_if(racoon_t)
 corenet_udp_sendrecv_all_if(racoon_t)
@ -314,6 +344,8 @@ domain_ipsec_setcontext_all_domains(racoon_t)
 files_read_etc_files(racoon_t)
 fs_dontaudit_getattr_xattr_fs(racoon_t)
 # allow racoon to use avc_has_perm to check context on proposed SA
 selinux_compute_access_vector(racoon_t)
@ -328,6 +360,13 @@ logging_send_audit_msgs(racoon_t)
 miscfiles_read_localization(racoon_t)
 sysnet_exec_ifconfig(racoon_t)
 auth_can_read_shadow_passwords(racoon_t)
 tunable_policy(`racoon_read_shadow',`
 	auth_tunable_read_shadow(racoon_t)
 ')
 ########################################
 #
 # Setkey local policy
--- a/policy/modules/system/iptables.fc
+++ b/policy/modules/system/iptables.fc
@ -1,7 +1,13 @@
-/sbin/ip6tables.*	--	gen_context(system_u:object_r:iptables_exec_t,s0)
+/etc/rc\.d/init\.d/ip6?tables	--	gen_context(system_u:object_r:iptables_initrc_exec_t,s0)
-/sbin/ipchains.*	--	gen_context(system_u:object_r:iptables_exec_t,s0)
+/etc/sysconfig/ip6?tables.*	--	gen_context(system_u:object_r:iptables_conf_t,s0)
-/sbin/iptables.* 	--	gen_context(system_u:object_r:iptables_exec_t,s0)
+/etc/sysconfig/system-config-firewall.* -- gen_context(system_u:object_r:iptables_conf_t,s0)
 /sbin/ipchains.*		--	gen_context(system_u:object_r:iptables_exec_t,s0)
 /sbin/ip6?tables		--	gen_context(system_u:object_r:iptables_exec_t,s0)
 /sbin/ip6?tables-restore	--	gen_context(system_u:object_r:iptables_exec_t,s0)
 /sbin/ip6?tables-multi		--	gen_context(system_u:object_r:iptables_exec_t,s0)
 /usr/sbin/ip6tables.*	--	gen_context(system_u:object_r:iptables_exec_t,s0)
 /usr/sbin/ipchains.*		--	gen_context(system_u:object_r:iptables_exec_t,s0)
-/usr/sbin/iptables.* 	--	gen_context(system_u:object_r:iptables_exec_t,s0)
+/usr/sbin/iptables		--	gen_context(system_u:object_r:iptables_exec_t,s0)
 /usr/sbin/iptables-multi 	--	gen_context(system_u:object_r:iptables_exec_t,s0)
 /usr/sbin/iptables-restore	--	gen_context(system_u:object_r:iptables_exec_t,s0)
--- a/policy/modules/system/iptables.if
+++ b/policy/modules/system/iptables.if
@ -69,3 +69,99 @@ interface(`iptables_exec',`
 	corecmd_search_bin($1)
 	can_exec($1, iptables_exec_t)
 ')
 #####################################
 ## <summary>
 ##	Execute iptables in the iptables domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	The type of the process performing this action.
 ##	</summary>
 ## </param>
 #
 interface(`iptables_initrc_domtrans',`
 	gen_require(`
 		type iptables_initrc_exec_t;
 	')
 	init_labeled_script_domtrans($1, iptables_initrc_exec_t)
 ')
 #####################################
 ## <summary>
 ##	Set the attributes of iptables config files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`iptables_setattr_config',`
 	gen_require(`
 		type iptables_conf_t;
 	')
 	files_search_etc($1)
 	allow $1 iptables_conf_t:file setattr;
 ')
 #####################################
 ## <summary>
 ##	Read iptables config files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`iptables_read_config',`
 	gen_require(`
 		type iptables_conf_t;
 	')
 	files_search_etc($1)
 	allow $1 iptables_conf_t:dir list_dir_perms;
 	read_files_pattern($1, iptables_conf_t, iptables_conf_t)
 ')
 #####################################
 ## <summary>
 ##	Create files in /etc with the type used for
 ##	the iptables config files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	The type of the process performing this action.
 ##	</summary>
 ## </param>
 #
 interface(`iptables_etc_filetrans_config',`
 	gen_require(`
 		type iptables_conf_t;
 	')
 	files_etc_filetrans($1, iptables_conf_t, file)
 ')
 ###################################
 ## <summary>
 ##	Manage iptables config files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`iptables_manage_config',`
 	gen_require(`
 		type iptables_conf_t;
 		type etc_t;
 	')
 	files_search_etc($1)
 	manage_files_pattern($1, iptables_conf_t, iptables_conf_t)
 ')
--- a/policy/modules/system/iptables.te
+++ b/policy/modules/system/iptables.te
@ -1,5 +1,5 @@
-policy_module(iptables, 1.9.1)
+policy_module(iptables, 1.10.1)
 ########################################
 #
@ -11,6 +11,12 @@ type iptables_exec_t;
 init_system_domain(iptables_t, iptables_exec_t)
 role system_r types iptables_t;
 type iptables_initrc_exec_t;
 init_script_file(iptables_initrc_exec_t)
 type iptables_conf_t;
 files_config_file(iptables_conf_t)
 type iptables_tmp_t;
 files_tmp_file(iptables_tmp_t)
@ -27,6 +33,9 @@ dontaudit iptables_t self:capability sys_tty_config;
 allow iptables_t self:process { sigchld sigkill sigstop signull signal };
 allow iptables_t self:rawip_socket create_socket_perms;
 manage_files_pattern(iptables_t, iptables_conf_t, iptables_conf_t)
 files_etc_filetrans(iptables_t, iptables_conf_t, file)
 manage_files_pattern(iptables_t, iptables_var_run_t, iptables_var_run_t)
 files_pid_filetrans(iptables_t, iptables_var_run_t, file)
@ -36,6 +45,7 @@ allow iptables_t iptables_tmp_t:dir manage_dir_perms;
 allow iptables_t iptables_tmp_t:file manage_file_perms;
 files_tmp_filetrans(iptables_t, iptables_tmp_t, { file dir })
 kernel_request_load_module(iptables_t)
 kernel_read_system_state(iptables_t)
 kernel_read_network_state(iptables_t)
 kernel_read_kernel_sysctls(iptables_t)
@ -99,6 +109,10 @@ optional_policy(`
 	ppp_dontaudit_use_fds(iptables_t)
 ')
 optional_policy(`
 	psad_rw_tmp_files(iptables_t)
 ')
 optional_policy(`
 	rhgb_dontaudit_use_ptys(iptables_t)
 ')
--- a/policy/modules/system/iscsi.if
+++ b/policy/modules/system/iscsi.if
@ -17,3 +17,42 @@ interface(`iscsid_domtrans',`
 	domtrans_pattern($1, iscsid_exec_t, iscsid_t)
 ')
 ########################################
 ## <summary>
 ##	Connect to ISCSI using a unix domain stream socket.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	The type of the process performing this action.
 ##	</summary>
 ## </param>
 #
 interface(`iscsi_stream_connect',`
 	gen_require(`
 		type iscsid_t, iscsi_var_lib_t;
 	')
 	files_search_pids($1)
 	stream_connect_pattern($1, iscsi_var_lib_t, iscsi_var_lib_t, iscsid_t)
 ')
 ########################################
 ## <summary>
 ##	Read iscsi lib files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`iscsi_read_lib_files',`
 	gen_require(`
 		type iscsi_var_lib_t;
 	')
 	read_files_pattern($1, iscsi_var_lib_t, iscsi_var_lib_t)
 	allow $1 iscsi_var_lib_t:dir list_dir_perms;
 	files_search_var_lib($1)
 ')
--- a/policy/modules/system/iscsi.te
+++ b/policy/modules/system/iscsi.te
@ -1,5 +1,5 @@
-policy_module(iscsi, 1.6.0)
+policy_module(iscsi, 1.6.1)
 ########################################
 #
@ -55,6 +55,7 @@ manage_files_pattern(iscsid_t, iscsi_var_run_t, iscsi_var_run_t)
 files_pid_filetrans(iscsid_t, iscsi_var_run_t, file)
 kernel_read_system_state(iscsid_t)
 kernel_search_debugfs(iscsid_t)
 corenet_all_recvfrom_unlabeled(iscsid_t)
 corenet_all_recvfrom_netlabel(iscsid_t)
@ -73,6 +74,6 @@ files_read_etc_files(iscsid_t)
 logging_send_syslog_msg(iscsid_t)
-miscfiles_read_localization(iscsid_t)
+auth_use_nsswitch(iscsid_t)
-sysnet_dns_name_resolve(iscsid_t)
+miscfiles_read_localization(iscsid_t)
--- a/policy/modules/system/kdump.te
+++ b/policy/modules/system/kdump.te
@ -1,5 +1,5 @@
-policy_module(kdump, 1.0.0)
+policy_module(kdump, 1.0.1)
 #######################################
 #
@ -29,6 +29,7 @@ files_read_etc_runtime_files(kdump_t)
 files_read_kernel_img(kdump_t)
 kernel_read_system_state(kdump_t)
 kernel_read_core_if(kdump_t)
 dev_read_framebuffer(kdump_t)
 dev_read_sysfs(kdump_t)
--- a/policy/modules/system/libraries.te
+++ b/policy/modules/system/libraries.te
@ -1,5 +1,5 @@
-policy_module(libraries, 2.5.1)
+policy_module(libraries, 2.6.0)
 ########################################
 #
@ -117,6 +117,10 @@ optional_policy(`
 	apt_use_ptys(ldconfig_t)
 ')
 optional_policy(`
 	puppet_rw_tmp(ldconfig_t)
 ')
 optional_policy(`
 	# When you install a kernel the postinstall builds a initrd image in tmp 
 	# and executes ldconfig on it. If you dont allow this kernel installs 
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@ -1,5 +1,5 @@
-policy_module(logging, 1.14.1)
+policy_module(logging, 1.15.0)
 ########################################
 #
--- a/policy/modules/system/lvm.if
+++ b/policy/modules/system/lvm.if
@ -19,6 +19,25 @@ interface(`lvm_domtrans',`
 	domtrans_pattern($1, lvm_exec_t, lvm_t)
 ')
 ########################################
 ## <summary>
 ##	Execute lvm programs in the caller domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	The type of the process performing this action.
 ##	</summary>
 ## </param>
 #
 interface(`lvm_exec',`
 	gen_require(`
 		type lvm_exec_t;
 	')
 	corecmd_search_sbin($1)
 	can_exec($1, lvm_exec_t)
 ')
 ########################################
 ## <summary>
 ##	Execute lvm programs in the lvm domain.
@ -85,3 +104,22 @@ interface(`lvm_manage_config',`
 	manage_dirs_pattern($1, lvm_etc_t, lvm_etc_t)
 	manage_files_pattern($1, lvm_etc_t, lvm_etc_t)
 ')
 ######################################
 ## <summary>
 ##	Execute a domain transition to run clvmd.
 ## </summary>
 ## <param name="domain">
 ## <summary>
 ##	Domain allowed to transition.
 ## </summary>
 ## </param>
 #
 interface(`lvm_domtrans_clvmd',`
 	gen_require(`
 		type clvmd_t, clvmd_exec_t;
 	')
 	corecmd_search_bin($1)
 	domtrans_pattern($1, clvmd_exec_t, clvmd_t)
 ')
--- a/policy/modules/system/lvm.te
+++ b/policy/modules/system/lvm.te
@ -1,5 +1,5 @@
-policy_module(lvm, 1.11.0)
+policy_module(lvm, 1.11.1)
 ########################################
 #
@ -10,6 +10,9 @@ type clvmd_t;
 type clvmd_exec_t;
 init_daemon_domain(clvmd_t, clvmd_exec_t)
 type clvmd_initrc_exec_t;
 init_script_file(clvmd_initrc_exec_t)
 type clvmd_var_run_t;
 files_pid_file(clvmd_var_run_t)
@ -102,6 +105,7 @@ fs_getattr_all_fs(clvmd_t)
 fs_search_auto_mountpoints(clvmd_t)
 fs_dontaudit_list_tmpfs(clvmd_t)
 fs_dontaudit_read_removable_files(clvmd_t)
 fs_rw_anon_inodefs_files(clvmd_t)
 storage_dontaudit_getattr_removable_dev(clvmd_t)
 storage_manage_fixed_disk(clvmd_t)
@ -168,7 +172,7 @@ allow lvm_t self:process { sigchld sigkill sigstop signull signal };
 # LVM will complain a lot if it cannot set its priority.
 allow lvm_t self:process setsched;
 allow lvm_t self:file rw_file_perms;
-allow lvm_t self:fifo_file rw_fifo_file_perms;
+allow lvm_t self:fifo_file manage_fifo_file_perms;
 allow lvm_t self:unix_dgram_socket create_socket_perms;
 allow lvm_t self:netlink_kobject_uevent_socket create_socket_perms;
@ -192,12 +196,12 @@ files_lock_filetrans(lvm_t, lvm_lock_t, file)
 manage_dirs_pattern(lvm_t, lvm_var_lib_t, lvm_var_lib_t)
 manage_files_pattern(lvm_t, lvm_var_lib_t, lvm_var_lib_t)
-files_var_lib_filetrans(lvm_t, lvm_var_lib_t,{ dir file })
+files_var_lib_filetrans(lvm_t, lvm_var_lib_t, { dir file })
 manage_dirs_pattern(lvm_t, lvm_var_run_t, lvm_var_run_t)
 manage_files_pattern(lvm_t, lvm_var_run_t, lvm_var_run_t)
 manage_sock_files_pattern(lvm_t, lvm_var_run_t, lvm_var_run_t)
-files_pid_filetrans(lvm_t, lvm_var_run_t,{ file sock_file })
+files_pid_filetrans(lvm_t, lvm_var_run_t, { file sock_file })
 read_files_pattern(lvm_t, lvm_etc_t, lvm_etc_t)
 read_lnk_files_pattern(lvm_t, lvm_etc_t, lvm_etc_t)
@ -214,6 +218,7 @@ kernel_read_kernel_sysctls(lvm_t)
 # it has no reason to need this
 kernel_dontaudit_getattr_core_if(lvm_t)
 kernel_use_fds(lvm_t)
 kernel_search_debugfs(lvm_t)
 corecmd_exec_bin(lvm_t)
 corecmd_exec_shell(lvm_t)
@ -255,6 +260,10 @@ fs_list_tmpfs(lvm_t)
 fs_read_tmpfs_symlinks(lvm_t)
 fs_dontaudit_read_removable_files(lvm_t)
 fs_dontaudit_getattr_tmpfs_files(lvm_t)
 fs_rw_anon_inodefs_files(lvm_t)
 mls_file_read_all_levels(lvm_t)
 mls_file_write_to_clearance(lvm_t)
 selinux_get_fs_mount(lvm_t)
 selinux_validate_context(lvm_t)
@ -274,9 +283,12 @@ storage_dev_filetrans_fixed_disk(lvm_t)
 # Access raw devices and old /dev/lvm (c 109,0).  Is this needed?
 storage_manage_fixed_disk(lvm_t)
 term_use_all_terms(lvm_t)
 init_use_fds(lvm_t)
 init_dontaudit_getattr_initctl(lvm_t)
 init_use_script_ptys(lvm_t)
 init_read_script_state(lvm_t)
 logging_send_syslog_msg(lvm_t)
@ -313,7 +325,9 @@ optional_policy(`
 optional_policy(`
 	dbus_system_bus_client(lvm_t)
 	optional_policy(`
 		hal_dbus_chat(lvm_t)
 	')
 ')
 optional_policy(`
@ -328,6 +342,10 @@ optional_policy(`
 	udev_read_db(lvm_t)
 ')
 optional_policy(`
 	virt_manage_images(lvm_t)
 ')
 optional_policy(`
 	xen_append_log(lvm_t)
 	xen_dontaudit_rw_unix_stream_sockets(lvm_t)
--- a/policy/modules/system/miscfiles.if
+++ b/policy/modules/system/miscfiles.if
@ -85,6 +85,45 @@ interface(`miscfiles_read_fonts',`
 	read_lnk_files_pattern($1, fonts_t, fonts_t)
 ')
 ########################################
 ## <summary>
 ##	Set the attributes on a fonts directory.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 ## <rolecap/>
 #
 interface(`miscfiles_setattr_fonts_dirs',`
 	gen_require(`
 		type fonts_t;
 	')
 	allow $1 fonts_t:dir setattr;
 ')
 ########################################
 ## <summary>
 ##	Do not audit attempts to set the attributes
 ##	on a fonts directory.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 ## <rolecap/>
 #
 interface(`miscfiles_dontaudit_setattr_fonts_dirs',`
 	gen_require(`
 		type fonts_t;
 	')
 	dontaudit $1 fonts_t:dir setattr;
 ')
 ########################################
 ## <summary>
 ##	Do not audit attempts to write fonts.
@ -253,6 +292,25 @@ interface(`miscfiles_legacy_read_localization',`
 	allow $1 locale_t:file execute;
 ')
 ########################################
 ## <summary>
 ##	Search man pages.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain to not audit.
 ##	</summary>
 ## </param>
 #
 interface(`miscfiles_search_man_pages',`
 	gen_require(`
 		type man_t;
 	')
 	allow $1 man_t:dir search_dir_perms;
 	files_search_usr($1)
 ')
 ########################################
 ## <summary>
 ##	Do not audit attempts to search man pages.
@ -268,7 +326,7 @@ interface(`miscfiles_dontaudit_search_man_pages',`
 		type man_t;
 	')
-	dontaudit $1 man_t:dir search;
+	dontaudit $1 man_t:dir search_dir_perms;
 ')
 ########################################
@ -358,8 +416,8 @@ interface(`miscfiles_read_public_files',`
 	')
 	allow $1 { public_content_t public_content_rw_t }:dir list_dir_perms;
-	read_files_pattern($1,{ public_content_t public_content_rw_t },{ public_content_t public_content_rw_t })
+	read_files_pattern($1, { public_content_t public_content_rw_t }, { public_content_t public_content_rw_t })
-	read_lnk_files_pattern($1,{ public_content_t public_content_rw_t },{ public_content_t public_content_rw_t })
+	read_lnk_files_pattern($1, { public_content_t public_content_rw_t }, { public_content_t public_content_rw_t })
 ')
 ########################################
--- a/policy/modules/system/miscfiles.te
+++ b/policy/modules/system/miscfiles.te
@ -1,5 +1,5 @@
-policy_module(miscfiles, 1.7.0)
+policy_module(miscfiles, 1.7.1)
 ########################################
 #
--- a/policy/modules/system/modutils.fc
+++ b/policy/modules/system/modutils.fc
@ -1,6 +1,7 @@
 /etc/modules\.conf.*	--	gen_context(system_u:object_r:modules_conf_t,s0)
 /etc/modprobe\.conf.*	--	gen_context(system_u:object_r:modules_conf_t,s0)
 /etc/modprobe\.d(/.*)?		gen_context(system_u:object_r:modules_conf_t,s0)
 ifdef(`distro_gentoo',`
 # gentoo init scripts still manage this file
--- a/policy/modules/system/modutils.if
+++ b/policy/modules/system/modutils.if
@ -1,5 +1,23 @@
 ## <summary>Policy for kernel module utilities</summary>
 ######################################
 ## <summary>
 ##	Getattr the dependencies of kernel modules.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`modutils_getattr_module_deps',`
 	gen_require(`
 		type modules_dep_t;
 	')
 	getattr_files_pattern($1, modules_object_t, modules_dep_t)
 ')
 ########################################
 ## <summary>
 ##	Read the dependencies of kernel modules.
@ -41,8 +59,8 @@ interface(`modutils_read_module_config',`
 	files_search_etc($1)
 	files_search_boot($1)
-	allow $1 modules_conf_t:file read_file_perms;
+	read_files_pattern($1, modules_conf_t, modules_conf_t)
-	allow $1 modules_conf_t:lnk_file read_lnk_file_perms;
+	read_lnk_files_pattern($1, modules_conf_t, modules_conf_t)
 ')
 ########################################
@ -61,7 +79,7 @@ interface(`modutils_rename_module_config',`
 		type modules_conf_t;
 	')
-	allow $1 modules_conf_t:file rename_file_perms;
+	rename_files_pattern($1, modules_conf_t, modules_conf_t)
 ')
 ########################################
@ -80,7 +98,26 @@ interface(`modutils_delete_module_config',`
 		type modules_conf_t;
 	')
-	allow $1 modules_conf_t:file unlink;
+	delete_files_pattern($1, modules_conf_t, modules_conf_t)
 ')
 ########################################
 ## <summary>
 ##	Manage files with the configuration options used when
 ##	loading modules.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`modutils_manage_module_config',`
 	gen_require(`
 		type modules_conf_t;
 	')
 	manage_files_pattern($1, modules_conf_t, modules_conf_t)
 ')
 ########################################
--- a/policy/modules/system/modutils.te
+++ b/policy/modules/system/modutils.te
@ -1,5 +1,5 @@
-policy_module(modutils, 1.9.0)
+policy_module(modutils, 1.9.1)
 gen_require(`
 	bool secure_mode_insmod;
@ -45,7 +45,7 @@ files_tmp_file(update_modules_tmp_t)
 can_exec(depmod_t, depmod_exec_t)
 # Read conf.modules.
-allow depmod_t modules_conf_t:file read_file_perms;
+read_files_pattern(depmod_t, modules_conf_t, modules_conf_t)
 allow depmod_t modules_dep_t:file manage_file_perms;
 files_kernel_modules_filetrans(depmod_t, modules_dep_t, file)
@ -82,8 +82,22 @@ ifdef(`distro_ubuntu',`
 	')
 ')
 tunable_policy(`use_nfs_home_dirs',`
 	fs_read_nfs_files(depmod_t)
 ')
 tunable_policy(`use_samba_home_dirs',`
 	fs_read_cifs_files(depmod_t)
 ')
 optional_policy(`
 	rpm_rw_pipes(depmod_t)
 	rpm_manage_script_tmp_files(depmod_t)
 ')
 optional_policy(`
 	# Read System.map from home directories.
 	unconfined_domain(depmod_t)
 ')
 ########################################
@ -91,19 +105,23 @@ optional_policy(`
 # insmod local policy
 #
-allow insmod_t self:capability { dac_override net_raw sys_tty_config };
+allow insmod_t self:capability { dac_override net_raw sys_nice sys_tty_config };
 allow insmod_t self:process { execmem sigchld sigkill sigstop signull signal };
 allow insmod_t self:udp_socket create_socket_perms;
 allow insmod_t self:rawip_socket create_socket_perms;
 # Read module config and dependency information
-allow insmod_t { modules_conf_t modules_dep_t }:file read_file_perms;
+list_dirs_pattern(insmod_t, modules_conf_t, modules_conf_t)
 read_files_pattern(insmod_t, modules_conf_t, modules_conf_t)
 list_dirs_pattern(insmod_t, modules_dep_t, modules_dep_t)
 read_files_pattern(insmod_t, modules_dep_t, modules_dep_t)
 can_exec(insmod_t, insmod_exec_t)
 kernel_load_module(insmod_t)
 kernel_read_system_state(insmod_t)
 kernel_read_network_state(insmod_t)
 kernel_write_proc_files(insmod_t)
 kernel_mount_debugfs(insmod_t)
 kernel_mount_kvmfs(insmod_t)
@ -112,6 +130,7 @@ kernel_read_debugfs(insmod_t)
 kernel_read_kernel_sysctls(insmod_t)
 kernel_rw_kernel_sysctl(insmod_t)
 kernel_read_hotplug_sysctls(insmod_t)
 kernel_setsched(insmod_t)
 corecmd_exec_bin(insmod_t)
 corecmd_exec_shell(insmod_t)
@ -124,9 +143,6 @@ dev_rw_agp(insmod_t)
 dev_read_sound(insmod_t)
 dev_write_sound(insmod_t)
 dev_rw_apm_bios(insmod_t)
 # cjp: why is this needed?  insmod cannot mounton any dir
 # and it also transitions to mount
 dev_mount_usbfs(insmod_t)
 domain_signal_all_domains(insmod_t)
 domain_use_interactive_fds(insmod_t)
@ -159,16 +175,25 @@ seutil_read_file_contexts(insmod_t)
 userdom_use_user_terminals(insmod_t)
-ifdef(`distro_ubuntu',`
+userdom_dontaudit_search_user_home_dirs(insmod_t)
 	optional_policy(`
 		unconfined_domain(insmod_t)
 	')
 ')
 if( ! secure_mode_insmod ) {
 	kernel_domtrans_to(insmod_t, insmod_exec_t)
 }
 optional_policy(`
 	alsa_domtrans(insmod_t)
 ')
 optional_policy(`
 	firstboot_dontaudit_rw_pipes(insmod_t)
 	firstboot_dontaudit_rw_stream_sockets(insmod_t)
 ')
 optional_policy(`
 	hal_write_log(insmod_t)
 ')
 optional_policy(`
 	hotplug_search_config(insmod_t)
 ')
@ -205,7 +230,7 @@ optional_policy(`
 ')
 optional_policy(`
-	unconfined_dontaudit_rw_pipes(insmod_t)
+	unconfined_domain(insmod_t)
 ')
 optional_policy(`
@ -228,7 +253,7 @@ can_exec(update_modules_t, insmod_exec_t)
 can_exec(update_modules_t, update_modules_exec_t)
 # manage module loading configuration
-allow update_modules_t modules_conf_t:file manage_file_perms;
+manage_files_pattern(update_modules_t, modules_conf_t, modules_conf_t)
 files_kernel_modules_filetrans(update_modules_t, modules_conf_t, file)
 files_etc_filetrans(update_modules_t, modules_conf_t, file)
--- a/policy/modules/system/raid.fc
+++ b/policy/modules/system/raid.fc
@ -1,3 +1,4 @@
 /dev/.mdadm.map		--	gen_context(system_u:object_r:mdadm_map_t,s0)
 /sbin/mdadm		--	gen_context(system_u:object_r:mdadm_exec_t,s0)
 /sbin/mdmpd		--	gen_context(system_u:object_r:mdadm_exec_t,s0)
--- a/policy/modules/system/raid.te
+++ b/policy/modules/system/raid.te
@ -1,5 +1,5 @@
-policy_module(raid, 1.9.0)
+policy_module(raid, 1.9.1)
 ########################################
 #
@ -11,6 +11,9 @@ type mdadm_exec_t;
 init_daemon_domain(mdadm_t, mdadm_exec_t)
 role system_r types mdadm_t;
 type mdadm_map_t;
 files_type(mdadm_map_t)
 type mdadm_var_run_t;
 files_pid_file(mdadm_var_run_t)
@ -24,6 +27,10 @@ dontaudit mdadm_t self:capability sys_tty_config;
 allow mdadm_t self:process { sigchld sigkill sigstop signull signal };
 allow mdadm_t self:fifo_file rw_fifo_file_perms;
 # create .mdadm files in /dev
 allow mdadm_t mdadm_map_t:file manage_file_perms;
 dev_filetrans(mdadm_t, mdadm_map_t, file)
 manage_files_pattern(mdadm_t, mdadm_var_run_t, mdadm_var_run_t)
 files_pid_filetrans(mdadm_t, mdadm_var_run_t, file)
--- a/policy/modules/system/setrans.if
+++ b/policy/modules/system/setrans.if
@ -1,5 +1,24 @@
 ## <summary>SELinux MLS/MCS label translation service.</summary>
 ########################################
 ## <summary>
 ##	Execute setrans server in the setrans domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	The type of the process performing this action.
 ##	</summary>
 ## </param>
 #
 #
 interface(`setrans_initrc_domtrans',`
 	gen_require(`
 		type setrans_initrc_exec_t;
 	')
 	init_labeled_script_domtrans($1, setrans_initrc_exec_t)
 ')
 #######################################
 ## <summary>
 ##	Allow a domain to translate contexts.
--- a/policy/modules/system/setrans.te
+++ b/policy/modules/system/setrans.te
@ -1,5 +1,5 @@
-policy_module(setrans, 1.6.0)
+policy_module(setrans, 1.6.1)
 gen_require(`
 	class context contains;
--- a/policy/modules/system/udev.fc
+++ b/policy/modules/system/udev.fc
@ -6,8 +6,11 @@
 /etc/hotplug\.d/default/udev.* -- gen_context(system_u:object_r:udev_helper_exec_t,s0)
 /etc/udev/rules.d(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0)
 /etc/udev/scripts/.+ --	gen_context(system_u:object_r:udev_helper_exec_t,s0)
 /lib/udev/udev-acl --	gen_context(system_u:object_r:udev_exec_t,s0)
 /sbin/start_udev --	gen_context(system_u:object_r:udev_exec_t,s0)
 /sbin/udev	--	gen_context(system_u:object_r:udev_exec_t,s0)
 /sbin/udevadm	--	gen_context(system_u:object_r:udev_exec_t,s0)
--- a/policy/modules/system/udev.if
+++ b/policy/modules/system/udev.if
@ -1,5 +1,23 @@
 ## <summary>Policy for udev.</summary>
 ########################################
 ## <summary>
 ##	Send generic signals to udev.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`udev_signal',`
 	gen_require(`
 		type udev_t;
 	')
 	allow $1 udev_t:process signal;
 ')
 ########################################
 ## <summary>
 ##	Execute udev in the udev domain.
@ -169,3 +187,23 @@ interface(`udev_rw_db',`
 	dev_list_all_dev_nodes($1)
 	allow $1 udev_tbl_t:file rw_file_perms;
 ')
 ########################################
 ## <summary>
 ##	Create, read, write, and delete
 ##	udev pid files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`udev_manage_pid_files',`
 	gen_require(`
 		type udev_var_run_t;
 	')
 	files_search_var_lib($1)
 	manage_files_pattern($1, udev_var_run_t, udev_var_run_t)
 ')
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@ -1,5 +1,5 @@
-policy_module(udev, 1.11.0)
+policy_module(udev, 1.11.1)
 ########################################
 #
@ -66,9 +66,11 @@ dev_filetrans(udev_t, udev_tbl_t, file)
 manage_dirs_pattern(udev_t, udev_var_run_t, udev_var_run_t)
 manage_files_pattern(udev_t, udev_var_run_t, udev_var_run_t)
 manage_lnk_files_pattern(udev_t, udev_var_run_t, udev_var_run_t)
 files_pid_filetrans(udev_t, udev_var_run_t, { dir file })
 kernel_read_system_state(udev_t)
 kernel_request_load_module(udev_t)
 kernel_getattr_core_if(udev_t)
 kernel_use_fds(udev_t)
 kernel_read_device_sysctls(udev_t)
@ -111,6 +113,7 @@ files_search_mnt(udev_t)
 fs_getattr_all_fs(udev_t)
 fs_list_inotifyfs(udev_t)
 fs_rw_anon_inodefs_files(udev_t)
 mcs_ptrace_all(udev_t)
@ -140,6 +143,7 @@ logging_send_syslog_msg(udev_t)
 logging_send_audit_msgs(udev_t)
 miscfiles_read_localization(udev_t)
 miscfiles_read_hwdata(udev_t)
 modutils_domtrans_insmod(udev_t)
 # read modules.inputmap:
@ -193,6 +197,10 @@ optional_policy(`
 	alsa_read_rw_config(udev_t)
 ')
 optional_policy(`
 	bluetooth_domtrans(udev_t)
 ')
 optional_policy(`
 	brctl_domtrans(udev_t)
 ')
@ -205,10 +213,19 @@ optional_policy(`
 	consoletype_exec(udev_t)
 ')
 optional_policy(`
 	cups_domtrans_config(udev_t)
 ')
 optional_policy(`
 	dbus_system_bus_client(udev_t)
 ')
 optional_policy(`
 	devicekit_read_pid_files(udev_t)
 	devicekit_dgram_send(udev_t)
 ')
 optional_policy(`
 	lvm_domtrans(udev_t)
 ')
@ -227,6 +244,10 @@ optional_policy(`
 	hotplug_search_pids(udev_t)
 ')
 optional_policy(`
 	mount_domtrans(udev_t)
 ')
 optional_policy(`
 	openct_read_pid_files(udev_t)
 	openct_domtrans(udev_t)
@ -241,6 +262,14 @@ optional_policy(`
 	raid_domtrans_mdadm(udev_t)
 ')
 optional_policy(`
 	unconfined_signal(udev_t)
 ')
 optional_policy(`
 	vbetool_domtrans(udev_t)
 ')
 optional_policy(`
 	kernel_write_xen_state(udev_t)
 	kernel_read_xen_state(udev_t)
--- a/policy/modules/system/unconfined.te
+++ b/policy/modules/system/unconfined.te
@ -1,5 +1,5 @@
-policy_module(unconfined, 3.0.1)
+policy_module(unconfined, 3.1.0)
 ########################################
 #
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@ -1,5 +1,5 @@
-policy_module(userdomain, 4.2.4)
+policy_module(userdomain, 4.3.0)
 ########################################
 #
--- a/policy/modules/system/xen.fc
+++ b/policy/modules/system/xen.fc
@ -2,6 +2,8 @@
 /usr/bin/virsh		--	gen_context(system_u:object_r:xm_exec_t,s0)
 /usr/sbin/evtchnd	--	gen_context(system_u:object_r:evtchnd_exec_t,s0)
 ifdef(`distro_debian',`
 /usr/lib/xen-[^/]*/bin/xenconsoled -- gen_context(system_u:object_r:xenconsoled_exec_t,s0)
 /usr/lib/xen-[^/]*/bin/xend --	gen_context(system_u:object_r:xend_exec_t,s0)
@ -19,14 +21,18 @@ ifdef(`distro_debian',`
 /var/lib/xend(/.*)?		gen_context(system_u:object_r:xend_var_lib_t,s0)
 /var/lib/xenstored(/.*)?	gen_context(system_u:object_r:xenstored_var_lib_t,s0)
 /var/log/evtchnd\.log	--	gen_context(system_u:object_r:evtchnd_var_log_t,s0)
 /var/log/xen(/.*)?		gen_context(system_u:object_r:xend_var_log_t,s0)
 /var/log/xen-hotplug\.log --	gen_context(system_u:object_r:xend_var_log_t,s0)
 /var/log/xend\.log	--	gen_context(system_u:object_r:xend_var_log_t,s0)
 /var/log/xend-debug\.log --	gen_context(system_u:object_r:xend_var_log_t,s0)
 /var/run/evtchnd	-s	gen_context(system_u:object_r:evtchnd_var_run_t,s0)
 /var/run/evtchnd\.pid	--	gen_context(system_u:object_r:evtchnd_var_run_t,s0)
 /var/run/xenconsoled\.pid --	gen_context(system_u:object_r:xenconsoled_var_run_t,s0)
 /var/run/xend(/.*)?		gen_context(system_u:object_r:xend_var_run_t,s0)
 /var/run/xend\.pid	--	gen_context(system_u:object_r:xend_var_run_t,s0)
 /var/run/xenner(/.*)?		gen_context(system_u:object_r:xend_var_run_t,s0)
 /var/run/xenstore\.pid	--	gen_context(system_u:object_r:xenstored_var_run_t,s0)
 /var/run/xenstored(/.*)?	gen_context(system_u:object_r:xenstored_var_run_t,s0)
--- a/policy/modules/system/xen.if
+++ b/policy/modules/system/xen.if
@ -71,7 +71,30 @@ interface(`xen_read_image_files',`
 	')
 	files_list_var_lib($1)
-	read_files_pattern($1,{ xend_var_lib_t xen_image_t },xen_image_t)
+
 	list_dirs_pattern($1, xend_var_lib_t, xend_var_lib_t)
 	read_files_pattern($1, { xend_var_lib_t xen_image_t }, xen_image_t)
 ')
 ########################################
 ## <summary>
 ##	Allow the specified domain to read/write
 ##	xend image files.
 ## </summary>
 ## <param name="domain">
 ## 	<summary>
 ##	Domain allowed to transition.
 ## 	</summary>
 ## </param>
 #
 interface(`xen_rw_image_files',`
 	gen_require(`
 		type xen_image_t, xend_var_lib_t;
 	')
 	files_list_var_lib($1)
 	allow $1 xend_var_lib_t:dir search_dir_perms;
 	rw_files_pattern($1, xen_image_t, xen_image_t)
 ')
 ########################################
@ -167,11 +190,14 @@ interface(`xen_stream_connect_xenstore',`
 #
 interface(`xen_stream_connect',`
 	gen_require(`
-		type xend_t, xend_var_run_t;
+		type xend_t, xend_var_run_t, xend_var_lib_t;
 	')
 	files_search_pids($1)
 	stream_connect_pattern($1, xend_var_run_t, xend_var_run_t, xend_t)
 	files_search_var_lib($1)
 	stream_connect_pattern($1, xend_var_lib_t, xend_var_lib_t, xend_t)
 ')
 ########################################
--- a/Show More
+++ b/Show More
`@ -1 +1 @@`
	`# This module currently does not have any file contexts.`	`/dev/shm -d gen_context(system_u:object_r:tmpfs_t,s0)`