diff --git a/.gitmodules b/.gitmodules
index 360bd0388..e794aa369 100644
--- a/.gitmodules
+++ b/.gitmodules
@@ -1,3 +1,4 @@
 [submodule "policy/modules/contrib"]
 	path = policy/modules/contrib
-	url = http://oss.tresys.com/git/refpolicy-contrib.git
+    url = https://github.com/fedora-selinux/selinux-policy-contrib
+    branch = rawhide
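Review bot: The two added lines are indented with four spaces while the kept `path` line keeps its tab, so the submodule stanza now mixes indentation styles; `	url = https://github.com/fedora-selinux/selinux-policy-contrib` and `	branch = rawhide` with a leading tab would match the existing line. Moving from plain `http://` to `https://` is the right call, since the submodule fetch is no longer exposed to tampering in transit. Note that `branch = rawhide` only steers `git submodule update --remote`; the superproject still pins the contrib checkout by commit, so the recorded gitlink presumably needs updating alongside this URL change, which this hunk does not show.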
diff --git a/Makefile b/Makefile
index ec7b5cba8..e2936c695 100644
--- a/Makefile
+++ b/Makefile
@@ -61,6 +61,7 @@ SEMODULE ?= $(tc_usrsbindir)/semodule
 SEMOD_PKG ?= $(tc_usrbindir)/semodule_package
 SEMOD_LNK ?= $(tc_usrbindir)/semodule_link
 SEMOD_EXP ?= $(tc_usrbindir)/semodule_expand
+SEPOLGEN ?= $(tc_usrbindir)/sepolgen-ifgen
 LOADPOLICY ?= $(tc_usrsbindir)/load_policy
 SETFILES ?= $(tc_sbindir)/setfiles
 XMLLINT ?= $(BINDIR)/xmllint
@@ -250,7 +251,7 @@ seusers := $(appconf)/seusers
 appdir := $(contextpath)
 user_default_contexts := $(wildcard config/appconfig-$(TYPE)/*_default_contexts)
 user_default_contexts_names := $(addprefix $(contextpath)/users/,$(subst _default_contexts,,$(notdir $(user_default_contexts))))
-appfiles := $(addprefix $(appdir)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts sepgsql_contexts x_contexts customizable_types securetty_types virtual_domain_context virtual_image_context) $(contextpath)/files/media $(fcsubspath) $(user_default_contexts_names)
+appfiles := $(addprefix $(appdir)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts sepgsql_contexts x_contexts customizable_types securetty_types virtual_image_context virtual_domain_context lxc_contexts openssh_contexts systemd_contexts snapperd_contexts) $(contextpath)/files/media $(user_default_contexts_names)
 net_contexts := $(builddir)net_contexts
 
 all_layers := $(shell find $(wildcard $(moddir)/*) -maxdepth 0 -type d)
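Review bot: `$(fcsubspath)` is dropped from `appfiles` on the `+` line even though `config/file_contexts.subs_dist` is still edited later in this commit (the new `/sbin /usr/sbin` substitution), so unless another rule installs it — which I cannot see from this hunk — the subs file stops being installed and the new substitution never takes effect. The same line adds `lxc_contexts` and `snapperd_contexts` to the list, but this diff adds no files of those names under `config/appconfig-*/`; since every `appfiles` entry becomes an install target under `$(appdir)/`, a missing source would break `make install`. Both points are worth confirming before merge.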
@@ -609,15 +610,16 @@ resetlabels:
 # Clean everything
 #
 bare: clean
-	rm -f $(polxml)
-	rm -f $(layerxml)
-	rm -f $(modxml)
-	rm -f $(tunxml)
-	rm -f $(boolxml)
-	rm -f $(mod_conf)
-	rm -f $(booleans)
-	rm -fR $(htmldir)
-	rm -f $(tags)
+	pwd
+	#rm -f $(polxml)
+	#rm -f $(layerxml)
+	#rm -f $(modxml)
+	#rm -f $(tunxml)
+	#rm -f $(boolxml)
+	#rm -f $(mod_conf)
+	#rm -f $(booleans)
+	#rm -fR $(htmldir)
+	#rm -f $(tags)
 # don't remove these files if we're given a local root
 ifndef LOCAL_ROOT
 	rm -f $(fcsort)
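Review bot: The `pwd` and the nine `#rm -f …` lines in `bare:` read as debugging leftovers rather than the intended change: a tab-indented `#rm …` is still a recipe line that Make hands to the shell, so the target now spawns nine no-op shells, and `bare` no longer removes `$(polxml)`, `$(mod_conf)`, `$(booleans)` and the rest, so a `make bare` followed by a rebuild can silently reuse stale generated files. If the intent is to stop deleting these files, remove the lines outright and say so in the `# Clean everything` header; otherwise restore the original `rm` lines and drop `pwd`. The `bare` recipe continues past the hunk (the `ifndef LOCAL_ROOT` block).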
diff --git a/Rules.modular b/Rules.modular
index 313d8375b..4f261a9dd 100644
--- a/Rules.modular
+++ b/Rules.modular
@@ -71,7 +71,7 @@ $(modpkgdir)/%.pp: $(builddir)%.pp
 # Build module packages
 #
 $(tmpdir)/%.mod: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf %.te
-	@echo "Compliling $(NAME) $(@F) module"
+	@echo "Compiling $(NAME) $(@F) module"
 	@test -d $(tmpdir) || mkdir -p $(tmpdir)
 	$(verbose) $(M4) $(M4PARAM) -s $^ > $(@:.mod=.tmp)
 	$(verbose) $(CHECKMODULE) -m $(@:.mod=.tmp) -o $@
@@ -201,6 +201,7 @@ validate: $(base_pkg) $(mod_pkgs)
 	@echo "Validating policy linking."
 	$(verbose) $(SEMOD_LNK) -o $(tmpdir)/test.lnk $^
 	$(verbose) $(SEMOD_EXP) $(tmpdir)/test.lnk $(tmpdir)/policy.bin
+	$(verbose) $(SEPOLGEN) -p $(tmpdir)/policy.bin -i $(poldir) -o $(tmpdir)/output
 	@echo "Success."
 
 ########################################
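Review bot: The new `$(SEPOLGEN)` line writes `$(tmpdir)/output` but nothing documents what the run is meant to verify, and `validate` now hard-fails on hosts without `sepolgen-ifgen` although the link/expand checks before it need only the semodule tools. A comment above it such as `# Run sepolgen-ifgen over the interface files against the expanded policy (needs sepolgen-ifgen; see SEPOLGEN in Makefile)` would make the intent and the new build-time dependency explicit — adjust the wording if the step checks something else. If `clean` does not already remove `$(tmpdir)` wholesale, `$(tmpdir)/output` should be added to it, since it is not consumed by anything in this hunk.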
diff --git a/config/appconfig-mcs/default_contexts b/config/appconfig-mcs/default_contexts
index 801d97b6f..698d54ce8 100644
--- a/config/appconfig-mcs/default_contexts
+++ b/config/appconfig-mcs/default_contexts
@@ -1,4 +1,4 @@
-system_r:crond_t:s0		user_r:cronjob_t:s0 staff_r:cronjob_t:s0 sysadm_r:cronjob_t:s0 system_r:system_cronjob_t:s0 unconfined_r:unconfined_cronjob_t:s0
+system_r:crond_t:s0		user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0 user_r:cronjob_t:s0 staff_r:cronjob_t:s0 sysadm_r:cronjob_t:s0 system_r:system_cronjob_t:s0 unconfined_r:unconfined_cronjob_t:s0
 system_r:local_login_t:s0	user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
 system_r:remote_login_t:s0	user_r:user_t:s0 staff_r:staff_t:s0 unconfined_r:unconfined_t:s0
 system_r:sshd_t:s0		user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
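Review bot: Reordering the `system_r:crond_t:s0` line so the login domains (`user_r:user_t:s0`, `staff_r:staff_t:s0`, `sysadm_r:sysadm_t:s0`, `unconfined_r:unconfined_t:s0`) precede the `*cronjob_t` entries changes which domain a user's cron jobs land in: as far as I know libselinux hands back the listed contexts in file order and the first one valid for the user wins, so cron jobs now default to the full login domain instead of the narrower cronjob domain. That is a deliberate widening of what a scheduled job may do and deserves a sentence in the commit message, since these files have no comment syntax to carry it. The same reordering is applied to `staff_u_default_contexts` and `user_u_default_contexts` in this directory and to the mls and standard variants further down.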
diff --git a/config/appconfig-mcs/openssh_contexts b/config/appconfig-mcs/openssh_contexts
new file mode 100644
index 000000000..6de0b016d
--- /dev/null
+++ b/config/appconfig-mcs/openssh_contexts
@@ -0,0 +1 @@
+privsep_preauth=sshd_net_t
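Review bot: The new file names `sshd_net_t` as the pre-authentication privsep domain, a type that nothing in this diff defines; it presumably comes from the contrib policy this tree now pulls from the fedora-selinux repository (see the `.gitmodules` change). If the type is absent from the loaded policy the placement of sshd's unprivileged pre-auth child into it cannot succeed, so the build or the `validate` target should confirm the type exists before this file is installed. The identical one-line file is added for the mls and standard appconfig directories below.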
diff --git a/config/appconfig-mcs/staff_u_default_contexts b/config/appconfig-mcs/staff_u_default_contexts
index 881a292e3..5606c4ea6 100644
--- a/config/appconfig-mcs/staff_u_default_contexts
+++ b/config/appconfig-mcs/staff_u_default_contexts
@@ -1,7 +1,7 @@
 system_r:local_login_t:s0	staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
 system_r:remote_login_t:s0	staff_r:staff_t:s0
 system_r:sshd_t:s0		staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
-system_r:crond_t:s0		staff_r:cronjob_t:s0
+system_r:crond_t:s0		staff_r:staff_t:s0 staff_r:cronjob_t:s0
 system_r:xdm_t:s0		staff_r:staff_t:s0
 staff_r:staff_su_t:s0		staff_r:staff_t:s0
 staff_r:staff_sudo_t:s0		staff_r:staff_t:s0
diff --git a/config/appconfig-mcs/sysadm_u_default_contexts b/config/appconfig-mcs/sysadm_u_default_contexts
new file mode 100644
index 000000000..b8fda9543
--- /dev/null
+++ b/config/appconfig-mcs/sysadm_u_default_contexts
@@ -0,0 +1,12 @@
+system_r:local_login_t:s0	sysadm_r:sysadm_t:s0
+system_r:remote_login_t:s0	sysadm_r:sysadm_t:s0
+system_r:sshd_t:s0		sysadm_r:sysadm_t:s0
+system_r:crond_t:s0		sysadm_r:sysadm_t:s0
+system_r:xdm_t:s0		sysadm_r:sysadm_t:s0
+sysadm_r:sysadm_su_t:s0		sysadm_r:sysadm_t:s0
+sysadm_r:sysadm_sudo_t:s0		sysadm_r:sysadm_t:s0
+system_r:initrc_su_t:s0		sysadm_r:sysadm_t:s0
+sysadm_r:sysadm_t:s0		sysadm_r:sysadm_t:s0
+sysadm_r:sysadm_su_t:s0		sysadm_r:sysadm_t:s0 
+sysadm_r:sysadm_sudo_t:s0	sysadm_r:sysadm_t:s0
+
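Review bot: The new `sysadm_u_default_contexts` lists `sysadm_r:sysadm_su_t:s0` and `sysadm_r:sysadm_sudo_t:s0` twice (the second copies near the end, the former with a trailing space), carries a self-mapping `sysadm_r:sysadm_t:s0		sysadm_r:sysadm_t:s0` line whose purpose is not obvious, and ends with an empty line; the duplicates and the blank line should be dropped. Listing `system_r:sshd_t:s0` and `system_r:remote_login_t:s0` as direct routes into `sysadm_r:sysadm_t:s0` declares that remote logins of `sysadm_u` land straight in the administrative domain; whether that is actually permitted is decided by the policy's rules rather than this file, but it is worth a line in the commit message. The same content (identical blob `b8fda9543`) is added as `config/appconfig-standard/sysadm_u_default_contexts` below.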
diff --git a/config/appconfig-mcs/systemd_contexts b/config/appconfig-mcs/systemd_contexts
new file mode 100644
index 000000000..ff32accd1
--- /dev/null
+++ b/config/appconfig-mcs/systemd_contexts
@@ -0,0 +1 @@
+runtime=system_u:object_r:systemd_runtime_unit_file_t:s0
diff --git a/config/appconfig-mcs/user_u_default_contexts b/config/appconfig-mcs/user_u_default_contexts
index cacbc939f..56d6071c2 100644
--- a/config/appconfig-mcs/user_u_default_contexts
+++ b/config/appconfig-mcs/user_u_default_contexts
@@ -1,7 +1,7 @@
 system_r:local_login_t:s0	user_r:user_t:s0
 system_r:remote_login_t:s0	user_r:user_t:s0
 system_r:sshd_t:s0		user_r:user_t:s0
-system_r:crond_t:s0		user_r:cronjob_t:s0
+system_r:crond_t:s0		user_r:user_t:s0 user_r:cronjob_t:s0
 system_r:xdm_t:s0		user_r:user_t:s0
 user_r:user_su_t:s0		user_r:user_t:s0
 user_r:user_sudo_t:s0		user_r:user_t:s0
diff --git a/config/appconfig-mcs/virtual_domain_context b/config/appconfig-mcs/virtual_domain_context
index d387b428b..150f281d1 100644
--- a/config/appconfig-mcs/virtual_domain_context
+++ b/config/appconfig-mcs/virtual_domain_context
@@ -1 +1,2 @@
 system_u:system_r:svirt_t:s0
+system_u:system_r:svirt_tcg_t:s0
diff --git a/config/appconfig-mls/default_contexts b/config/appconfig-mls/default_contexts
index 801d97b6f..698d54ce8 100644
--- a/config/appconfig-mls/default_contexts
+++ b/config/appconfig-mls/default_contexts
@@ -1,4 +1,4 @@
-system_r:crond_t:s0		user_r:cronjob_t:s0 staff_r:cronjob_t:s0 sysadm_r:cronjob_t:s0 system_r:system_cronjob_t:s0 unconfined_r:unconfined_cronjob_t:s0
+system_r:crond_t:s0		user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0 user_r:cronjob_t:s0 staff_r:cronjob_t:s0 sysadm_r:cronjob_t:s0 system_r:system_cronjob_t:s0 unconfined_r:unconfined_cronjob_t:s0
 system_r:local_login_t:s0	user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
 system_r:remote_login_t:s0	user_r:user_t:s0 staff_r:staff_t:s0 unconfined_r:unconfined_t:s0
 system_r:sshd_t:s0		user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
diff --git a/config/appconfig-mls/openssh_contexts b/config/appconfig-mls/openssh_contexts
new file mode 100644
index 000000000..6de0b016d
--- /dev/null
+++ b/config/appconfig-mls/openssh_contexts
@@ -0,0 +1 @@
+privsep_preauth=sshd_net_t
diff --git a/config/appconfig-mls/staff_u_default_contexts b/config/appconfig-mls/staff_u_default_contexts
index 881a292e3..5606c4ea6 100644
--- a/config/appconfig-mls/staff_u_default_contexts
+++ b/config/appconfig-mls/staff_u_default_contexts
@@ -1,7 +1,7 @@
 system_r:local_login_t:s0	staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
 system_r:remote_login_t:s0	staff_r:staff_t:s0
 system_r:sshd_t:s0		staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
-system_r:crond_t:s0		staff_r:cronjob_t:s0
+system_r:crond_t:s0		staff_r:staff_t:s0 staff_r:cronjob_t:s0
 system_r:xdm_t:s0		staff_r:staff_t:s0
 staff_r:staff_su_t:s0		staff_r:staff_t:s0
 staff_r:staff_sudo_t:s0		staff_r:staff_t:s0
diff --git a/config/appconfig-mls/systemd_contexts b/config/appconfig-mls/systemd_contexts
new file mode 100644
index 000000000..ff32accd1
--- /dev/null
+++ b/config/appconfig-mls/systemd_contexts
@@ -0,0 +1 @@
+runtime=system_u:object_r:systemd_runtime_unit_file_t:s0
diff --git a/config/appconfig-mls/user_u_default_contexts b/config/appconfig-mls/user_u_default_contexts
index cacbc939f..56d6071c2 100644
--- a/config/appconfig-mls/user_u_default_contexts
+++ b/config/appconfig-mls/user_u_default_contexts
@@ -1,7 +1,7 @@
 system_r:local_login_t:s0	user_r:user_t:s0
 system_r:remote_login_t:s0	user_r:user_t:s0
 system_r:sshd_t:s0		user_r:user_t:s0
-system_r:crond_t:s0		user_r:cronjob_t:s0
+system_r:crond_t:s0		user_r:user_t:s0 user_r:cronjob_t:s0
 system_r:xdm_t:s0		user_r:user_t:s0
 user_r:user_su_t:s0		user_r:user_t:s0
 user_r:user_sudo_t:s0		user_r:user_t:s0
diff --git a/config/appconfig-standard/default_contexts b/config/appconfig-standard/default_contexts
index 64a0a90c3..25ee341c1 100644
--- a/config/appconfig-standard/default_contexts
+++ b/config/appconfig-standard/default_contexts
@@ -1,4 +1,4 @@
-system_r:crond_t	user_r:cronjob_t staff_r:cronjob_t sysadm_r:cronjob_t system_r:system_cronjob_t unconfined_r:unconfined_cronjob_t
+system_r:crond_t	user_r:user_t staff_r:staff_t sysadm_r:sysadm_t unconfined_r:unconfined_t user_r:cronjob_t staff_r:cronjob_t sysadm_r:cronjob_t system_r:system_cronjob_t unconfined_r:unconfined_cronjob_t
 system_r:local_login_t	user_r:user_t staff_r:staff_t sysadm_r:sysadm_t unconfined_r:unconfined_t
 system_r:remote_login_t	user_r:user_t staff_r:staff_t unconfined_r:unconfined_t
 system_r:sshd_t		user_r:user_t staff_r:staff_t sysadm_r:sysadm_t unconfined_r:unconfined_t
diff --git a/config/appconfig-standard/openssh_contexts b/config/appconfig-standard/openssh_contexts
new file mode 100644
index 000000000..6de0b016d
--- /dev/null
+++ b/config/appconfig-standard/openssh_contexts
@@ -0,0 +1 @@
+privsep_preauth=sshd_net_t
diff --git a/config/appconfig-standard/staff_u_default_contexts b/config/appconfig-standard/staff_u_default_contexts
index c2a5ea871..300694ce8 100644
--- a/config/appconfig-standard/staff_u_default_contexts
+++ b/config/appconfig-standard/staff_u_default_contexts
@@ -1,7 +1,7 @@
 system_r:local_login_t		staff_r:staff_t sysadm_r:sysadm_t
 system_r:remote_login_t		staff_r:staff_t
 system_r:sshd_t			staff_r:staff_t sysadm_r:sysadm_t
-system_r:crond_t		staff_r:cronjob_t
+system_r:crond_t		staff_r:staff_t staff_r:cronjob_t
 system_r:xdm_t			staff_r:staff_t
 staff_r:staff_su_t		staff_r:staff_t
 staff_r:staff_sudo_t		staff_r:staff_t
diff --git a/config/appconfig-standard/sysadm_u_default_contexts b/config/appconfig-standard/sysadm_u_default_contexts
new file mode 100644
index 000000000..b8fda9543
--- /dev/null
+++ b/config/appconfig-standard/sysadm_u_default_contexts
@@ -0,0 +1,12 @@
+system_r:local_login_t:s0	sysadm_r:sysadm_t:s0
+system_r:remote_login_t:s0	sysadm_r:sysadm_t:s0
+system_r:sshd_t:s0		sysadm_r:sysadm_t:s0
+system_r:crond_t:s0		sysadm_r:sysadm_t:s0
+system_r:xdm_t:s0		sysadm_r:sysadm_t:s0
+sysadm_r:sysadm_su_t:s0		sysadm_r:sysadm_t:s0
+sysadm_r:sysadm_sudo_t:s0		sysadm_r:sysadm_t:s0
+system_r:initrc_su_t:s0		sysadm_r:sysadm_t:s0
+sysadm_r:sysadm_t:s0		sysadm_r:sysadm_t:s0
+sysadm_r:sysadm_su_t:s0		sysadm_r:sysadm_t:s0 
+sysadm_r:sysadm_sudo_t:s0	sysadm_r:sysadm_t:s0
+
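Review bot: This `appconfig-standard` copy of `sysadm_u_default_contexts` carries `:s0` levels on every context, whereas the other standard files touched in this commit (`staff_u_default_contexts`, `user_u_default_contexts`) have none — it is byte-identical to the mcs version. A policy built with the standard (non-MLS/MCS) configuration has no sensitivity component, so as far as I know contexts with a `:s0` suffix would be rejected there; the suffix should be stripped from this copy. The same applies to `appconfig-standard/systemd_contexts` and to the `:s0` newly appended to `svirt_t` in `appconfig-standard/virtual_domain_context` below.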
diff --git a/config/appconfig-standard/systemd_contexts b/config/appconfig-standard/systemd_contexts
new file mode 100644
index 000000000..ff32accd1
--- /dev/null
+++ b/config/appconfig-standard/systemd_contexts
@@ -0,0 +1 @@
+runtime=system_u:object_r:systemd_runtime_unit_file_t:s0
diff --git a/config/appconfig-standard/user_u_default_contexts b/config/appconfig-standard/user_u_default_contexts
index f5bfac34a..63b7eecd1 100644
--- a/config/appconfig-standard/user_u_default_contexts
+++ b/config/appconfig-standard/user_u_default_contexts
@@ -1,7 +1,7 @@
 system_r:local_login_t		user_r:user_t
 system_r:remote_login_t		user_r:user_t
 system_r:sshd_t			user_r:user_t
-system_r:crond_t		user_r:cronjob_t
+system_r:crond_t		user_r:user_t user_r:cronjob_t
 system_r:xdm_t			user_r:user_t
 user_r:user_su_t		user_r:user_t
 user_r:user_sudo_t		user_r:user_t
diff --git a/config/appconfig-standard/virtual_domain_context b/config/appconfig-standard/virtual_domain_context
index c049e104b..150f281d1 100644
--- a/config/appconfig-standard/virtual_domain_context
+++ b/config/appconfig-standard/virtual_domain_context
@@ -1 +1,2 @@
-system_u:system_r:svirt_t
+system_u:system_r:svirt_t:s0
+system_u:system_r:svirt_tcg_t:s0
diff --git a/config/file_contexts.subs_dist b/config/file_contexts.subs_dist
index d392decfe..4565e9b87 100644
--- a/config/file_contexts.subs_dist
+++ b/config/file_contexts.subs_dist
@@ -19,3 +19,4 @@
 /usr/local/lib64 /usr/lib
 /usr/local/lib /usr/lib
 /var/run/lock /var/lock
+/sbin /usr/sbin
diff --git a/man/man8/ftpd_selinux.8 b/man/man8/ftpd_selinux.8
deleted file mode 100644
index 5bebd82d4..000000000
--- a/man/man8/ftpd_selinux.8
+++ /dev/null
@@ -1,65 +0,0 @@
-.TH  "ftpd_selinux"  "8"  "17 Jan 2005" "dwalsh@redhat.com" "ftpd SELinux policy documentation"
-.SH "NAME"
-.PP
-ftpd_selinux \- Security-Enhanced Linux policy for ftp daemons.
-.SH "DESCRIPTION"
-.PP
-Security-Enhanced Linux provides security for ftp daemons via flexible mandatory access control.
-.SH FILE_CONTEXTS
-.PP
-SELinux requires files to have a file type. File types may be specified with semanage and are restored with restorecon.  Policy governs the access that daemons have to files.
-.TP
-Allow ftp servers to read the /var/ftp directory by adding the public_content_t file type to the directory and by restoring the file type.
-.PP
-.B
-semanage fcontext -a -t public_content_t "/var/ftp(/.*)?"
-.TP
-.B
-restorecon -F -R -v /var/ftp
-.TP
-Allow ftp servers to read and write /var/tmp/incoming by adding the public_content_rw_t type to the directory and by restoring the file type.  This also requires the allow_ftpd_anon_write boolean to be set.
-.PP
-.B
-semanage fcontext -a -t public_content_rw_t "/var/ftp/incoming(/.*)?"
-.TP
-.B
-restorecon -F -R -v /var/ftp/incoming
-
-.SH BOOLEANS
-.PP
-SELinux policy is based on least privilege required and may also be customizable by setting a boolean with setsebool.
-.TP
-Allow ftp servers to read and write files with the public_content_rw_t file type.
-.PP
-.B
-setsebool -P allow_ftpd_anon_write on
-.TP
-Allow ftp servers to read or write files in the user home directories.
-.PP
-.B
-setsebool -P ftp_home_dir on
-.TP
-Allow ftp servers to read or write all files on the system.
-.PP
-.B
-setsebool -P allow_ftpd_full_access on
-.TP
-Allow ftp servers to use cifs for public file transfer services.
-.PP
-.B
-setsebool -P allow_ftpd_use_cifs on
-.TP
-Allow ftp servers to use nfs for public file transfer services.
-.PP
-.B
-setsebool -P allow_ftpd_use_nfs on
-.TP
-system-config-selinux is a GUI tool available to customize SELinux policy settings.
-.SH AUTHOR	
-.PP
-This manual page was written by Dan Walsh <dwalsh@redhat.com>.
-
-.SH "SEE ALSO"
-.PP
-
-selinux(8), ftpd(8), setsebool(8), semanage(8), restorecon(8)
diff --git a/man/man8/git_selinux.8 b/man/man8/git_selinux.8
deleted file mode 100644
index e9c43b190..000000000
--- a/man/man8/git_selinux.8
+++ /dev/null
@@ -1,109 +0,0 @@
-.TH  "git_selinux"  "8"  "27 May 2010" "domg472@gmail.com" "Git SELinux policy documentation"
-.de EX
-.nf
-.ft CW
-..
-.de EE
-.ft R
-.fi
-..
-.SH "NAME"
-git_selinux \- Security Enhanced Linux Policy for the Git daemon.
-.SH "DESCRIPTION"
-Security-Enhanced Linux secures the Git server via flexible mandatory access
-control.
-.SH FILE_CONTEXTS
-SELinux requires files to have an extended attribute to define the file type. 
-Policy governs the access daemons have to these files. 
-SELinux Git policy is very flexible allowing users to setup their web services in as secure a method as possible.
-.PP 
-The following file contexts types are by default defined for Git:
-.EX
-git_system_content_t 
-.EE 
-- Set files with git_system_content_t if you want the Git system daemon to read the file, and if you want the file to be modifiable and executable by all "Git shell" users.
-.EX
-git_session_content_t 
-.EE 
-- Set files with git_session_content_t if you want the Git session and system daemon to read the file, and if you want the file to be modifiable and executable by all users. Note that "Git shell" users may not interact with this type.
-.SH BOOLEANS
-SELinux policy is customizable based on least access required. Git policy is extremely flexible and has several booleans that allow you to manipulate the policy and run Git with the tightest access possible.
-.PP
-Allow the Git system daemon to search user home directories so that it can find git session content. This is useful if you want the Git system daemon to host users personal repositories. 
-.EX
-sudo setsebool -P git_system_enable_homedirs 1
-.EE
-.PP
-Allow the Git system daemon to read system shared repositories on NFS shares.
-.EX
-sudo setsebool -P git_system_use_nfs 1
-.EE
-.PP
-Allow the Git system daemon to read system shared repositories on Samba shares.
-.EX
-sudo setsebool -P git_system_use_cifs 1
-.EE
-.PP
-Allow the Git session daemon to read users personal repositories on NFS mounted home directories.
-.EX
-sudo setsebool -P use_nfs_home_dirs 1
-.EE
-.PP
-Allow the Git session daemon to read users personal repositories on Samba mounted home directories.
-.EX
-sudo setsebool -P use_samba_home_dirs 1
-.EE
-.PP
-To also allow Git system daemon to read users personal repositories on NFS and Samba mounted home directories you must also allow the Git system daemon to search home directories so that it can find the repositories.
-.EX
-sudo setsebool -P git_system_enable_homedirs 1
-.EE
-.PP
-To allow the Git System daemon mass hosting of users personal repositories you can allow the Git daemon to listen to any unreserved ports.
-.EX
-sudo setsebool -P git_session_bind_all_unreserved_ports 1
-.EE
-.SH GIT_SHELL
-The Git policy by default provides a restricted user environment to be used with "Git shell". This default git_shell_u SELinux user can modify and execute generic Git system content (generic system shared respositories with type git_system_content_t).
-.PP
-To add a new Linux user and map him to this Git shell user domain automatically:
-.EX
-sudo useradd -Z git_shell_u joe
-.EE
-.SH ADVANCED_SYSTEM_SHARED_REPOSITORY_AND GIT_SHELL_RESTRICTIONS
-Alternatively Git SELinux policy can be used to restrict "Git shell" users to git system shared repositories. The policy allows for the creation of new types of Git system content and Git shell user environment. The policy allows for delegation of types of "Git shell" environments to types of Git system content.
-.PP
-To add a new Git system repository type, for example "project1" create a file named project1.te and add to it:
-.EX
-policy_module(project1, 1.0.0)
-git_content_template(project1)
-.EE
-Next create a file named project1.fc and add a file context specification for the new repository type to it:
-.EX
-/srv/git/project1\.git(/.*)? gen_context(system_u:object_r:git_project1_content_t,s0)
-.EE
-Build a binary representation of this source policy module, load it into the policy store and restore the context of the repository:
-.EX
-make -f /usr/share/selinux/devel/Makefile project.pp
-sudo semodule -i project1.pp
-sudo restorecon -R -v /srv/git/project1
-.EE
-To create a "Git shell" domain that can interact with this repository create a file named project1user.te in the same directory as where the source policy for the Git systemm content type is and add the following:
-.EX
-policy_module(project1user, 1.0.0) 
-git_role_template(project1user)
-git_content_delegation(project1user_t, git_project1_content_t)
-gen_user(project1user_u, user, project1user_r, s0, s0)
-.EE
-Build a binary representation of this source policy module, load it into the policy store and map Linux users to the new project1user_u SELinux user:
-.EX
-make -f /usr/share/selinux/devel/Makefile project1user.pp
-sudo semodule -i project1user.pp
-sudo useradd -Z project1user_u jane
-.EE
-.PP
-system-config-selinux is a GUI tool available to customize SELinux policy settings.
-.SH AUTHOR	
-This manual page was written by Dominick Grift <domg472@gmail.com>.
-.SH "SEE ALSO"
-selinux(8), git(8), chcon(1), semodule(8), setsebool(8)
diff --git a/man/man8/httpd_selinux.8 b/man/man8/httpd_selinux.8
deleted file mode 100644
index 16e8b1323..000000000
--- a/man/man8/httpd_selinux.8
+++ /dev/null
@@ -1,120 +0,0 @@
-.TH  "httpd_selinux"  "8"  "17 Jan 2005" "dwalsh@redhat.com" "httpd Selinux Policy documentation"
-.de EX
-.nf
-.ft CW
-..
-.de EE
-.ft R
-.fi
-..
-.SH "NAME"
-httpd_selinux \- Security Enhanced Linux Policy for the httpd daemon
-.SH "DESCRIPTION"
-
-Security-Enhanced Linux secures the httpd server via flexible mandatory access
-control.  
-.SH FILE_CONTEXTS
-SELinux requires files to have an extended attribute to define the file type. 
-Policy governs the access daemons have to these files. 
-SELinux httpd policy is very flexible allowing users to setup their web services in as secure a method as possible.
-.PP 
-The following file contexts types are defined for httpd:
-.EX
-httpd_sys_content_t 
-.EE 
-- Set files with httpd_sys_content_t if you want httpd_sys_script_exec_t scripts and the daemon to read the file, and disallow other non sys scripts from access.
-.EX
-httpd_sys_script_exec_t  
-.EE 
-- Set cgi scripts with httpd_sys_script_exec_t to allow them to run with access to all sys types.
-.EX
-httpd_sys_content_rw_t 
-.EE
-- Set files with httpd_sys_content_rw_t if you want httpd_sys_script_exec_t scripts and the daemon to read/write the data, and disallow other non sys scripts from access.
-.EX
-httpd_sys_content_ra_t 
-.EE
-- Set files with httpd_sys_content_ra_t if you want httpd_sys_script_exec_t scripts and the daemon to read/append to the file, and disallow other non sys scripts from access.
-.EX
-httpd_unconfined_script_exec_t  
-.EE 
-- Set cgi scripts with httpd_unconfined_script_exec_t to allow them to run without any SELinux protection. This should only be used for a very complex httpd scripts, after exhausting all other options.  It is better to use this script rather than turning off SELinux protection for httpd.
-
-.SH NOTE
-With certain policies you can define additional file contexts based on roles like user or staff.  httpd_user_script_exec_t can be defined where it would only have access to "user" contexts.
-
-.SH SHARING FILES
-If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t.  These context allow any of the above domains to read the content.  If you want a particular domain to write to the public_content_rw_t domain, you must set the appropriate boolean.  allow_DOMAIN_anon_write.  So for httpd you would execute:
-
-.EX
-setsebool -P allow_httpd_anon_write=1
-.EE
-
-or 
-
-.EX
-setsebool -P allow_httpd_sys_script_anon_write=1
-.EE
-
-.SH BOOLEANS
-SELinux policy is customizable based on least access required.  SELinux can be setup to prevent certain http scripts from working.  httpd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run httpd with the tightest access possible.
-.PP
-httpd can be setup to allow cgi scripts to be executed, set httpd_enable_cgi to allow this
-
-.EX
-setsebool -P httpd_enable_cgi 1
-.EE
-
-.PP
-SELinux policy for httpd can be setup to not allowed to access users home directories.  If you want to allow access to users home directories you need to set the httpd_enable_homedirs boolean and change the context of the files that you want people to access off the home dir.
-
-.EX
-setsebool -P httpd_enable_homedirs 1
-chcon -R -t httpd_sys_content_t ~user/public_html
-.EE
-
-.PP
-SELinux policy for httpd can be setup to not allow access to the controlling terminal.  In most cases this is preferred, because an intruder might be able to use the access to the terminal to gain privileges. But in certain situations httpd needs to prompt for a password to open a certificate file, in these cases, terminal access is required.  Set the httpd_tty_comm boolean to allow terminal access.
-
-.EX
-setsebool -P httpd_tty_comm 1
-.EE
-
-.PP
-httpd can be configured to not differentiate file controls based on context, i.e. all files labeled as httpd context can be read/write/execute.  Setting this boolean to false allows you to setup the security policy such that one httpd service can not interfere with another.
-
-.EX
-setsebool -P httpd_unified 0
-.EE
-
-.PP
-SELinu policy for httpd can be configured to turn on sending email. This is a security feature, since it would prevent a vulnerabiltiy in http from causing a spam attack.  I certain situations, you may want http modules to send mail.  You can turn on the httpd_send_mail boolean.
-
-.EX
-setsebool -P httpd_can_sendmail 1
-.PP
-httpd can be configured to turn off internal scripting (PHP).  PHP and other
-loadable modules run under the same context as httpd. Therefore several policy rules allow httpd greater access to the system then is needed if you only use external cgi scripts.
-
-.EX
-setsebool -P httpd_builtin_scripting 0
-.EE
-
-.PP
-SELinux policy can be setup such that httpd scripts are not allowed to connect out to the network.
-This would prevent a hacker from breaking into you httpd server and attacking 
-other machines.  If you need scripts to be able to connect you can set the httpd_can_network_connect boolean on.
-
-.EX
-setsebool -P httpd_can_network_connect 1
-.EE
-
-.PP
-system-config-selinux is a GUI tool available to customize SELinux policy settings.
-.SH AUTHOR	
-This manual page was written by Dan Walsh <dwalsh@redhat.com>.
-
-.SH "SEE ALSO"
-selinux(8), httpd(8), chcon(1), setsebool(8)
-
-
diff --git a/man/man8/kerberos_selinux.8 b/man/man8/kerberos_selinux.8
deleted file mode 100644
index a8f81c8e7..000000000
--- a/man/man8/kerberos_selinux.8
+++ /dev/null
@@ -1,28 +0,0 @@
-.TH  "kerberos_selinux"  "8"  "17 Jan 2005" "dwalsh@redhat.com" "kerberos Selinux Policy documentation"
-.de EX
-.nf
-.ft CW
-..
-.de EE
-.ft R
-.fi
-..
-.SH "NAME"
-kerberos_selinux \- Security Enhanced Linux Policy for Kerberos.
-.SH "DESCRIPTION"
-
-Security-Enhanced Linux secures the system via flexible mandatory access
-control. SELinux policy can be configured to deny Kerberos access to confined applications, since it requires daemons to be allowed greater access to certain secure files and additional access to the network.  
-.SH BOOLEANS
-.PP
-You must set the allow_kerberos boolean to allow your system to work properly in a Kerberos environment.
-.EX
-setsebool -P allow_kerberos 1
-.EE
-.PP
-system-config-selinux is a GUI tool available to customize SELinux policy settings.
-.SH AUTHOR	
-This manual page was written by Dan Walsh <dwalsh@redhat.com>.
-
-.SH "SEE ALSO"
-selinux(8), kerberos(1), chcon(1), setsebool(8)
diff --git a/man/man8/named_selinux.8 b/man/man8/named_selinux.8
deleted file mode 100644
index fce0b4815..000000000
--- a/man/man8/named_selinux.8
+++ /dev/null
@@ -1,30 +0,0 @@
-.TH  "named_selinux"  "8"  "17 Jan 2005" "dwalsh@redhat.com" "named Selinux Policy documentation"
-.de EX
-.nf
-.ft CW
-..
-.de EE
-.ft R
-.fi
-..
-.SH "NAME"
-named_selinux \- Security Enhanced Linux Policy for the Internet Name server (named) daemon
-.SH "DESCRIPTION"
-
-Security-Enhanced Linux secures the named server via flexible mandatory access
-control.  
-.SH BOOLEANS
-SELinux policy is customizable based on least access required.  So by 
-default SELinux policy does not allow named to write master zone files.  If you want to have named update the master zone files you need to set the named_write_master_zones boolean.
-.EX
-setsebool -P named_write_master_zones 1
-.EE
-.PP
-system-config-selinux is a GUI tool available to customize SELinux policy settings.
-.SH AUTHOR	
-This manual page was written by Dan Walsh <dwalsh@redhat.com>.
-
-.SH "SEE ALSO"
-selinux(8), named(8), chcon(1), setsebool(8)
-
-
diff --git a/man/man8/nfs_selinux.8 b/man/man8/nfs_selinux.8
deleted file mode 100644
index 8e30c4c65..000000000
--- a/man/man8/nfs_selinux.8
+++ /dev/null
@@ -1,31 +0,0 @@
-.TH  "nfs_selinux"  "8"  "9 Feb 2009" "dwalsh@redhat.com" "NFS SELinux Policy documentation"
-.SH "NAME"
-nfs_selinux \- Security Enhanced Linux Policy for NFS
-.SH "DESCRIPTION"
-
-Security Enhanced Linux secures the NFS server via flexible mandatory access
-control.  
-.SH BOOLEANS
-SELinux policy is customizable based on the least level of access required. SELinux can be configured to not allow NFS to share files. If you want to share NFS partitions, and only allow read-only access to those NFS partitions, turn the nfs_export_all_ro boolean on:
-
-.TP
-setsebool -P nfs_export_all_ro 1
-.TP
-If you want to share files read/write you must set the nfs_export_all_rw boolean.
-.TP
-setsebool -P nfs_export_all_rw 1
-
-.TP
-These booleans are not required when files to be shared are labeled with the public_content_t or public_content_rw_t types. NFS can share files labeled with the public_content_t or public_content_rw_t types even if the nfs_export_all_ro and nfs_export_all_rw booleans are off.
-
-.TP
-If you want to use a remote NFS server for the home directories on this machine, you must set the use_nfs_home_dirs boolean:
-.TP
-setsebool -P use_nfs_home_dirs 1
-.TP
-system-config-selinux is a GUI tool available to customize SELinux policy settings.
-.SH AUTHOR	
-This manual page was written by Dan Walsh <dwalsh@redhat.com>.
-
-.SH "SEE ALSO"
-selinux(8), chcon(1), setsebool(8)
diff --git a/man/man8/nis_selinux.8 b/man/man8/nis_selinux.8
deleted file mode 100644
index 6271c951f..000000000
--- a/man/man8/nis_selinux.8
+++ /dev/null
@@ -1 +0,0 @@
-.so man8/ypbind_selinux.8
diff --git a/man/man8/rsync_selinux.8 b/man/man8/rsync_selinux.8
deleted file mode 100644
index ad9ccf5cd..000000000
--- a/man/man8/rsync_selinux.8
+++ /dev/null
@@ -1,52 +0,0 @@
-.TH  "rsync_selinux"  "8"  "17 Jan 2005" "dwalsh@redhat.com" "rsync Selinux Policy documentation"
-.de EX
-.nf
-.ft CW
-..
-.de EE
-.ft R
-.fi
-..
-.SH "NAME"
-rsync_selinux \- Security Enhanced Linux Policy for the rsync daemon
-.SH "DESCRIPTION"
-
-Security-Enhanced Linux secures the rsync server via flexible mandatory access
-control.  
-.SH FILE_CONTEXTS
-SELinux requires files to have an extended attribute to define the file type. 
-Policy governs the access daemons have to these files. 
-If you want to share files using the rsync daemon, you must label the files and directories public_content_t.  So if you created a special directory /var/rsync, you 
-would need to label the directory with the chcon tool.
-.TP
-chcon -t public_content_t /var/rsync
-.TP
-.TP
-To make this change permanent (survive a relabel), use the semanage command to add the change to file context configuration:
-.TP
-semanage fcontext -a -t public_content_t "/var/rsync(/.*)?"
-.TP
-This command adds the following entry to /etc/selinux/POLICYTYPE/contexts/files/file_contexts.local:
-.TP
-/var/rsync(/.*)? system_u:object_r:publix_content_t:s0
-.TP
-Run the restorecon command to apply the changes:
-.TP
-restorecon -R -v /var/rsync/
-.EE
-
-.SH SHARING FILES
-If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t.  These context allow any of the above domains to read the content.  If you want a particular domain to write to the public_content_rw_t domain, you must set the appropriate boolean.  allow_DOMAIN_anon_write.  So for rsync you would execute:
-
-.EX
-setsebool -P allow_rsync_anon_write=1
-.EE
-
-.SH BOOLEANS
-.TP
-system-config-selinux is a GUI tool available to customize SELinux policy settings.
-.SH AUTHOR	
-This manual page was written by Dan Walsh <dwalsh@redhat.com>.
-
-.SH "SEE ALSO"
-selinux(8), rsync(1), chcon(1), setsebool(8), semanage(8)
diff --git a/man/man8/samba_selinux.8 b/man/man8/samba_selinux.8
deleted file mode 100644
index ca702c799..000000000
--- a/man/man8/samba_selinux.8
+++ /dev/null
@@ -1,56 +0,0 @@
-.TH  "samba_selinux"  "8"  "17 Jan 2005" "dwalsh@redhat.com" "Samba Selinux Policy documentation"
-.SH "NAME"
-samba_selinux \- Security Enhanced Linux Policy for Samba
-.SH "DESCRIPTION"
-
-Security-Enhanced Linux secures the Samba server via flexible mandatory access
-control.  
-.SH FILE_CONTEXTS
-SELinux requires files to have an extended attribute to define the file type. 
-Policy governs the access daemons have to these files. 
-If you want to share files other than home directories, those files must be 
-labeled samba_share_t.  So if you created a special directory /var/eng, you 
-would need to label the directory with the chcon tool.
-.TP
-chcon -t samba_share_t /var/eng
-.TP
-To make this change permanent (survive a relabel), use the semanage command to add the change to file context configuration:
-.TP
-semanage fcontext -a -t samba_share_t "/var/eng(/.*)?"
-.TP
-This command adds the following entry to /etc/selinux/POLICYTYPE/contexts/files/file_contexts.local:
-.TP
-/var/eng(/.*)? system_u:object_r:samba_share_t:s0
-.TP
-Run the restorecon command to apply the changes:
-.TP
-restorecon -R -v /var/eng/
-
-.SH SHARING FILES
-If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t.  These context allow any of the above domains to read the content.  If you want a particular domain to write to the public_content_rw_t domain, you must set the appropriate boolean.  allow_DOMAIN_anon_write.  So for samba you would execute:
-
-setsebool -P allow_smbd_anon_write=1
-
-.SH BOOLEANS
-.br 
-SELinux policy is customizable based on least access required.  So by 
-default SELinux policy turns off SELinux sharing of home directories and 
-the use of Samba shares from a remote machine as a home directory.
-.TP
-If you are setting up this machine as a Samba server and wish to share the home directories, you need to set the samba_enable_home_dirs boolean. 
-.br
-
-setsebool -P samba_enable_home_dirs 1
-.TP
-If you want to use a remote Samba server for the home directories on this machine, you must set the use_samba_home_dirs boolean.
-.br 
-
-setsebool -P use_samba_home_dirs 1
-.TP
-system-config-selinux is a GUI tool available to customize SELinux policy settings.
-
-.SH AUTHOR	
-This manual page was written by Dan Walsh <dwalsh@redhat.com>.
-
-.SH "SEE ALSO"
-selinux(8), samba(7), chcon(1), setsebool(8), semanage(8)
diff --git a/man/man8/ypbind_selinux.8 b/man/man8/ypbind_selinux.8
deleted file mode 100644
index 5061a5f04..000000000
--- a/man/man8/ypbind_selinux.8
+++ /dev/null
@@ -1,19 +0,0 @@
-.TH  "ypbind_selinux"  "8"  "17 Jan 2005" "dwalsh@redhat.com" "ypbind Selinux Policy documentation"
-.SH "NAME"
-ypbind_selinux \- Security Enhanced Linux Policy for NIS.
-.SH "DESCRIPTION"
-
-Security-Enhanced Linux secures the system via flexible mandatory access
-control. SELinux can be setup deny NIS from working, since it requires daemons to be allowed greater access to the network.  
-.SH BOOLEANS
-.TP
-You must set the allow_ypbind boolean to allow your system to work properly in a NIS environment.
-.TP
-setsebool -P allow_ypbind 1
-.TP
-system-config-selinux is a GUI tool available to customize SELinux policy settings.
-.SH AUTHOR	
-This manual page was written by Dan Walsh <dwalsh@redhat.com>.
-
-.SH "SEE ALSO"
-selinux(8), ypbind(8), chcon(1), setsebool(8)
diff --git a/policy/constraints b/policy/constraints
index 3a45f236b..ee7d7b392 100644
--- a/policy/constraints
+++ b/policy/constraints
@@ -105,6 +105,18 @@ constrain process { transition dyntransition noatsecure siginh rlimitinh }
 	or ( t1 == process_uncond_exempt )
 );
 
+constrain process dyntransition
+(
+	u1 == u2
+	or ( t1 == can_change_process_identity and t2 == process_user_target )
+);
+
+constrain process dyntransition
+(
+	r1 == r2
+	or ( t1 == can_change_process_identity and t2 == process_user_target )
+);
+
 # These permissions do not have ubac constraints:
 # fork
 # setexec
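Review bot: The two new dyntransition constraints at L869-L879 are the only blocks in this section without an introducing comment, and nothing says why dyntransition is held to a stricter rule than the transition constraint above it (the target must additionally be a `process_user_target` type). I would add above the first one: `# dyntransition may change user or role only from a can_change_process_identity domain into a process_user_target domain, so a dynamically transitioning process cannot pick an arbitrary identity`. Both attributes have to be declared in a kernel-layer module for this to build; that declaration is outside this diff, so I could not confirm it.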
@@ -150,6 +162,14 @@ exempted_ubac_constraint(netlink_kobject_uevent_socket, ubacsock)
 exempted_ubac_constraint(appletalk_socket, ubacsock)
 exempted_ubac_constraint(dccp_socket, ubacsock)
 exempted_ubac_constraint(tun_socket, ubacsock)
+exempted_ubac_constraint(netlink_iscsi_socket, ubacsock)
+exempted_ubac_constraint(netlink_fib_lookup_socket, ubacsock)
+exempted_ubac_constraint(netlink_connector_socket, ubacsock)
+exempted_ubac_constraint(netlink_netfilter_socket, ubacsock)
+exempted_ubac_constraint(netlink_generic_socket, ubacsock)
+exempted_ubac_constraint(netlink_scsitransport_socket, ubacsock)
+exempted_ubac_constraint(netlink_rdma_socket, ubacsock)
+exempted_ubac_constraint(netlink_crypto_socket, ubacsock)
 
 constrain socket_class_set { create relabelto relabelfrom } 
 (
diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
index a94b16980..7c6132221 100644
--- a/policy/flask/access_vectors
+++ b/policy/flask/access_vectors
@@ -120,6 +120,60 @@ common x_device
 	destroy
 }
 
+#
+# Define a common for capability access vectors.
+#
+common cap
+{
+	# The capabilities are defined in include/linux/capability.h
+	# Capabilities >= 32 are defined in the cap2 common.
+	# Care should be taken to ensure that these are consistent with
+	# those definitions. (Order matters)
+
+	chown
+	dac_override
+	dac_read_search
+	fowner
+	fsetid
+	kill
+	setgid
+	setuid
+	setpcap
+	linux_immutable
+	net_bind_service
+	net_broadcast
+	net_admin
+	net_raw
+	ipc_lock
+	ipc_owner
+	sys_module
+	sys_rawio
+	sys_chroot
+	sys_ptrace
+	sys_pacct
+	sys_admin
+	sys_boot
+	sys_nice
+	sys_resource
+	sys_time
+	sys_tty_config
+	mknod
+	lease
+	audit_write
+	audit_control
+	setfcap
+}
+
+common cap2
+{
+	mac_override	# unused by SELinux
+	mac_admin	# unused by SELinux
+	syslog
+	wake_alarm
+	block_suspend
+	audit_read
+}
+
 #
 # Define the access vectors.
 #
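Review bot: `common cap2` at L951-L959 lacks the ordering warning that `common cap` carries at L912-L915, and the stakes are now higher because each common feeds two classes (capability/cap_userns and capability2/cap2_userns later in this file), so one inserted name would shift the bit the kernel checks for both. I would add inside `cap2`: `# Capabilities >= 32, in include/linux/capability.h order; shared by capability2 and cap2_userns (order matters)`. The same warning in `cap` could mention that it is shared with cap_userns.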
@@ -379,6 +433,7 @@ class security
 	setsecparam
 	setcheckreqprot
 	read_policy
+	validate_trans
 }
 
 
@@ -393,62 +448,32 @@ class system
 	syslog_mod
 	syslog_console
 	module_request
+	module_load
+	# these are overloaded userspace
+	# permissions from systemd
+	halt
+	reboot
+	status
+	start
+	stop
+	enable
+	disable
+	reload
+	undefined
 }
 
 #
-# Define the access vector interpretation for controling capabilies
+# Define the access vector interpretation for controlling capabilities
 #
 
 class capability
-{
-	# The capabilities are defined in include/linux/capability.h
-	# Capabilities >= 32 are defined in the capability2 class.
-	# Care should be taken to ensure that these are consistent with
-	# those definitions. (Order matters)
+inherits cap
 
-	chown           
-	dac_override    
-	dac_read_search 
-	fowner          
-	fsetid          
-	kill            
-	setgid           
-	setuid           
-	setpcap          
-	linux_immutable  
-	net_bind_service 
-	net_broadcast    
-	net_admin        
-	net_raw          
-	ipc_lock         
-	ipc_owner        
-	sys_module       
-	sys_rawio        
-	sys_chroot       
-	sys_ptrace       
-	sys_pacct        
-	sys_admin        
-	sys_boot         
-	sys_nice         
-	sys_resource     
-	sys_time         
-	sys_tty_config  
-	mknod
-	lease
-	audit_write
-	audit_control
-	setfcap
-}
-
-class capability2 
+class capability2
+inherits cap2
 {
-	mac_override	# unused by SELinux
-	mac_admin	# unused by SELinux
-	syslog
-	wake_alarm
-	block_suspend
+	epolwakeup
 }
-
 #
 # Define the access vector interpretation for controlling
 # changes to passwd information.
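Review bot: `epolwakeup` at L1046 is kept as a class-local permission after the common is factored out, which correctly leaves the cap2 bit positions untouched, but nothing explains it: in include/linux/capability.h CAP_EPOLLWAKEUP is an alias of CAP_BLOCK_SUSPEND, which `cap2` already lists as `block_suspend`, and `cap2_userns` (L1127-L1128) does not list it. A comment would stop the next reader from either moving it into the common or deleting it: `epolwakeup	# legacy alias of block_suspend; presumably kept so existing policy naming it still builds`. The systemd permissions added to `system` at L977-L987 also overlap the new `service` class at L1105-L1113; a pointer to which class userspace actually queries would help here too.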
@@ -690,6 +715,8 @@ class nscd
 	shmemhost
 	getserv
 	shmemserv
+	getnetgrp
+	shmemnetgrp
 }
 
 # Define the access vector interpretation for controlling
@@ -831,6 +858,38 @@ inherits socket
 	attach_queue
 }
 
+class binder
+{
+	impersonate
+	call
+	set_context_mgr
+	transfer
+}
+
+class netlink_iscsi_socket
+inherits socket
+
+class netlink_fib_lookup_socket
+inherits socket
+
+class netlink_connector_socket
+inherits socket
+
+class netlink_netfilter_socket
+inherits socket
+
+class netlink_generic_socket
+inherits socket
+
+class netlink_scsitransport_socket
+inherits socket
+
+class netlink_rdma_socket
+inherits socket
+
+class netlink_crypto_socket
+inherits socket
+
 class x_pointer
 inherits x_device
 
@@ -865,3 +924,28 @@ inherits database
 	implement
 	execute
 }
+
+class service
+{
+	start
+	stop
+	status
+	reload
+	enable
+	disable
+}
+
+class proxy
+{
+	read
+}
+
+#
+# Define the access vector interpretation for controlling capabilities
+# in user namespaces
+#
+class cap_userns
+inherits cap
+
+class cap2_userns
+inherits cap2
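Review bot: `class service` (L1105) and `class proxy` (L1115) arrive without the descriptive header comment every neighbouring class definition carries, while security_classes in this same diff does say what they are ("systemd services", "gssd services"). I would mirror that here, e.g. `# Define the access vector interpretation for systemd unit control (checked in userspace)` above `service` and `# gssd proxy (checked in userspace)` above `proxy`, so a reader of access_vectors alone knows these are not kernel-enforced classes.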
diff --git a/policy/flask/security_classes b/policy/flask/security_classes
index 14a479911..6e16f5e63 100644
--- a/policy/flask/security_classes
+++ b/policy/flask/security_classes
@@ -121,6 +121,18 @@ class kernel_service
 
 class tun_socket
 
+class binder
+
+# Updated netlink classes for more recent netlink protocols.
+class netlink_iscsi_socket
+class netlink_fib_lookup_socket
+class netlink_connector_socket
+class netlink_netfilter_socket
+class netlink_generic_socket
+class netlink_scsitransport_socket
+class netlink_rdma_socket
+class netlink_crypto_socket
+
 # Still More SE-X Windows stuff
 class x_pointer			# userspace
 class x_keyboard		# userspace
@@ -131,4 +143,15 @@ class db_view			# userspace
 class db_sequence		# userspace
 class db_language		# userspace
 
+# systemd services 
+class service 
+
+# gssd services 
+class proxy
+
+
+# Capability checks when on a non-init user namespace
+class cap_userns
+class cap2_userns
+
 # FLASK
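Review bot: `class service` and `class proxy` at L1157 and L1160 omit the `# userspace` marker that the surrounding userspace classes carry (L1150-L1154), even though the comments above them say they are systemd and gssd classes. I would write them as `class service		# userspace` and `class proxy			# userspace`. L1156 and L1157 also carry trailing whitespace, and the double blank line at L1161-L1162 is out of step with the rest of the file.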
diff --git a/policy/global_booleans b/policy/global_booleans
index 66e85ea54..d02654d7f 100644
--- a/policy/global_booleans
+++ b/policy/global_booleans
@@ -6,7 +6,7 @@
 
 ## <desc>
 ## <p>
-## Enabling secure mode disallows programs, such as
+## disallow programs, such as
 ## newrole, from transitioning to administrative
 ## user domains.
 ## </p>
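Review bot: The rewritten description at L1177 now starts mid-sentence with a lowercase verb ("disallow programs, such as"), and it drops the only mention of what the boolean is, since the `gen_bool` line is outside the hunk. If the intent is just to shorten it, `## Disallow programs, such as` keeps the paragraph a sentence; if the intent is to avoid naming the boolean, the description should still say what enabling it does.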
diff --git a/policy/global_tunables b/policy/global_tunables
index 4705ab618..b82865c43 100644
--- a/policy/global_tunables
+++ b/policy/global_tunables
@@ -4,54 +4,61 @@
 # file should be used.
 #
 
+## <desc>
+## <p>
+## Deny any process from ptracing or debugging any other processes.
+## </p>
+## </desc>
+gen_tunable(deny_ptrace, false)
+
 ## <desc>
 ## <p>
 ## Allow unconfined executables to make their heap memory executable.  Doing this is a really bad idea. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla
 ## </p>
 ## </desc>
-gen_tunable(allow_execheap,false)
+gen_tunable(selinuxuser_execheap,false)
 
 ## <desc>
 ## <p>
-## Allow unconfined executables to map a memory region as both executable and writable, this is dangerous and the executable should be reported in bugzilla")
+## Deny user domains applications to map a memory region as both executable and writable, this is dangerous and the executable should be reported in bugzilla
 ## </p>
 ## </desc>
-gen_tunable(allow_execmem,false)
+gen_tunable(deny_execmem,false)
 
 ## <desc>
 ## <p>
-## Allow all unconfined executables to use libraries requiring text relocation that are not labeled textrel_shlib_t")
+## Allow all unconfined executables to use libraries requiring text relocation that are not labeled textrel_shlib_t
 ## </p>
 ## </desc>
-gen_tunable(allow_execmod,false)
+gen_tunable(selinuxuser_execmod,false)
 
 ## <desc>
 ## <p>
-## Allow unconfined executables to make their stack executable.  This should never, ever be necessary. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla")
+## Allow unconfined executables to make their stack executable.  This should never, ever be necessary. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla
 ## </p>
 ## </desc>
-gen_tunable(allow_execstack,false)
+gen_tunable(selinuxuser_execstack,false)
 
 ## <desc>
 ## <p>
 ## Enable polyinstantiated directory support.
 ## </p>
 ## </desc>
-gen_tunable(allow_polyinstantiation,false)
+gen_tunable(polyinstantiation_enabled,false)
 
 ## <desc>
 ## <p>
 ## Allow system to run with NIS
 ## </p>
 ## </desc>
-gen_tunable(allow_ypbind,false)
+gen_tunable(nis_enabled,false)
 
 ## <desc>
 ## <p>
 ## Allow logging in and using the system from /dev/console.
 ## </p>
 ## </desc>
-gen_tunable(console_login,true)
+gen_tunable(login_console_enabled,true)
 
 ## <desc>
 ## <p>
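Review bot: Renaming `allow_execmem` to `deny_execmem` at L1210-L1211 inverts the boolean's polarity but keeps the default at `false`, so the effective default flips from "execmem not allowed" to "execmem allowed" for whatever domains test this tunable; if that relaxation is intended it belongs in the commit message, otherwise the new default should be `true`. The other renames in this hunk keep their polarity, but every rename silently orphans values persisted by `setsebool -P` under the old name, which is worth a sentence somewhere. Style: `gen_tunable(deny_ptrace, false)` at L1194 uses a space after the comma while every other call in the file does not; the same applies to `mount_anyfile` in the last hunk. The description at L1207 also reads oddly ("Deny user domains applications to map"); `Deny user domain applications from mapping` would be clearer.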
@@ -66,15 +73,6 @@ gen_tunable(console_login,true)
 ## </desc>
 gen_tunable(global_ssp,false)
 
-## <desc>
-## <p>
-## Allow email client to various content.
-## nfs, samba, removable devices, and user temp
-## files
-## </p>
-## </desc>
-gen_tunable(mail_read_content,false)
-
 ## <desc>
 ## <p>
 ## Allow any files/directories to be exported read/write via NFS.
@@ -103,6 +101,20 @@ gen_tunable(use_nfs_home_dirs,false)
 ## </desc>
 gen_tunable(use_samba_home_dirs,false)
 
+## <desc>
+## <p>
+## Support ecryptfs home directories
+## </p>
+## </desc>
+gen_tunable(use_ecryptfs_home_dirs,false)
+
+## <desc>
+## <p>
+## Support fusefs home directories
+## </p>
+## </desc>
+gen_tunable(use_fusefs_home_dirs,false)
+
 ## <desc>
 ## <p>
 ## Allow users to run TCP servers (bind to ports and accept connection from
@@ -110,4 +122,20 @@ gen_tunable(use_samba_home_dirs,false)
 ## and may change other protocols.
 ## </p>
 ## </desc>
-gen_tunable(user_tcp_server,false)
+gen_tunable(selinuxuser_tcp_server,false)
+
+## <desc>
+## <p>
+## Allow users to run UDP servers (bind to ports and accept connection from
+## the same domain and outside users)  disabling this may break avahi 
+## discovering services on the network and other udp related services.
+## </p>
+## </desc>
+gen_tunable(selinuxuser_udp_server,false)
+
+## <desc>
+## <p>
+## Allow the mount commands to mount any directory or file.
+## </p>
+## </desc>
+gen_tunable(mount_anyfile, false)
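Review bot: The description for `selinuxuser_udp_server` at L1303-L1305 was copied from the TCP one and says "bind to ports and accept connection from", which does not describe UDP; `bind to ports and receive datagrams from` is what the boolean would actually permit. L1304 has trailing whitespace after "avahi". `gen_tunable(mount_anyfile, false)` at L1315 has the space-after-comma inconsistency noted above, and since it lets mount operate on any directory or file it would be worth stating in the description that it is off by default on purpose.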
diff --git a/policy/mcs b/policy/mcs
index 216b3d125..064ec83b6 100644
--- a/policy/mcs
+++ b/policy/mcs
@@ -1,4 +1,6 @@
 ifdef(`enable_mcs',`
+default_range dir_file_class_set target low;
+
 #
 # Define sensitivities 
 #
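Review bot: `default_range dir_file_class_set target low;` at L1322 is the first statement in the MCS block and has no comment, although it changes how every new filesystem object is labelled (it takes the low level of the target directory instead of the creating process). I would add `# New filesystem objects inherit the low level of their parent, not the creator's range; requires policy version 27 or later`. Whether `dir_file_class_set` is expanded at this point of the build depends on the support macros being included before this file, which I cannot see from the diff.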
@@ -69,53 +71,56 @@ gen_levels(1,mcs_num_cats)
 #  - /proc/pid operations are not constrained.
 
 mlsconstrain file { read ioctl lock execute execute_no_trans }
-	(( h1 dom h2 ) or ( t1 == mcsreadall ) or
-	(( t1 != mcs_constrained_type ) and (t2 == domain)));
+	(( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
 
 mlsconstrain file { write setattr append unlink link rename }
-	(( h1 dom h2 ) or ( t1 == mcswriteall ) or
-	(( t1 != mcs_constrained_type ) and (t2 == domain)));
+	(( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
 
 mlsconstrain dir { search read ioctl lock }
-	(( h1 dom h2 ) or ( t1 == mcsreadall ) or
-	(( t1 != mcs_constrained_type ) and (t2 == domain)));
+	(( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
 
 mlsconstrain dir { write setattr append unlink link rename add_name remove_name }
-	(( h1 dom h2 ) or ( t1 == mcswriteall ) or
-	(( t1 != mcs_constrained_type ) and (t2 == domain)));
+	(( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
 
 mlsconstrain fifo_file { open }
-	(( h1 dom h2 ) or ( t1 == mcsreadall ) or
-	(( t1 != mcs_constrained_type ) and ( t2 == domain )));
+	(( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
 
 mlsconstrain { lnk_file chr_file blk_file sock_file } { getattr read ioctl }
-	(( h1 dom h2 ) or ( t1 == mcsreadall ) or
-	(( t1 != mcs_constrained_type ) and (t2 == domain)));
+	(( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
 
 mlsconstrain { lnk_file chr_file blk_file sock_file } { write setattr }
-	(( h1 dom h2 ) or ( t1 == mcswriteall ) or
-	(( t1 != mcs_constrained_type ) and (t2 == domain)));
+	(( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
+
+mlsconstrain key { create link read search setattr view write }
+	(( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
+
+mlsconstrain { ipc sem msgq shm } { create destroy setattr write unix_write }
+	(( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
 
 # New filesystem object labels must be dominated by the relabeling subject
 # clearance, also the objects are single-level.
 mlsconstrain file { create relabelto }
-	(( h1 dom h2 ) and ( l2 eq h2 ));
+	((( h1 dom h2 ) and ( l2 eq h2 )) or
+	 ( t1 != mcs_constrained_type ));
 
 # new file labels must be dominated by the relabeling subject clearance
 mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { relabelfrom }
-	( h1 dom h2 );
+	(( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
+
+mlsconstrain { file lnk_file fifo_file } { create relabelto }
+	(( l2 eq h2 )  or ( t1 != mcs_constrained_type ));
 
 mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { create relabelto }
-	(( h1 dom h2 ) and ( l2 eq h2 ));
+	(( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
 
 mlsconstrain process { transition dyntransition }
-	(( h1 dom h2 ) or ( t1 == mcssetcats ));
+	(( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
 
 mlsconstrain process { ptrace }
-	(( h1 dom h2) or ( t1 == mcsptraceall ));
+	(( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
 
 mlsconstrain process { sigkill sigstop }
-	(( h1 dom h2 ) or ( t1 == mcskillall ));
+	(( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
 
 mlsconstrain process { signal }
 	(( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
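Review bot: Every rule in this hunk replaces the per-attribute escapes (`mcsreadall`, `mcswriteall`, `mcssetcats`, `mcsptraceall`, `mcskillall`) and the `t2 == domain` qualifier with a blanket `t1 != mcs_constrained_type`, which turns MCS from default-on into opt-in: only types carrying that attribute are separated by category at all, and on files the previous rule only exempted access to process-labelled objects. That is a deliberate model change and deserves a comment at the top of the file saying so, plus a note that the five removed attributes no longer affect any constraint here, so interfaces that still assign them are dead for MCS. Separately, the `file { create relabelto }` rule at L1373-L1376 is now implied by the two rules at L1383-L1384 and L1386-L1388 (`(A or X) and (B or X)` is `(A and B) or X`), so it can be dropped.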
@@ -135,6 +140,9 @@ mlsconstrain { db_database db_schema db_table db_sequence db_view db_procedure d
 mlsconstrain { db_tuple } { insert relabelto }
 	(( h1 dom h2 ) and ( l2 eq h2 ));
 
+mlsconstrain context contains
+	(( h1 dom h2 ) and ( l1 domby l2));
+
 # Access control for any database objects based on MCS rules.
 mlsconstrain db_database { drop getattr setattr relabelfrom access install_module load_module get_param set_param }
 	( h1 dom h2 );
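Review bot: The new `context contains` rule at L1408-L1409 would read better with a comment, since it is the only rule in the file that tests both ends of a range: `# a context "contains" another when its low level is dominated by the other's low and its high level dominates the other's high`. Unlike the rest of the hunk there is no `t1 != mcs_constrained_type` escape here; if that is intended (range containment must hold for every domain) the comment should say so. Minor: `( l1 domby l2))` is missing the space before the closing parenthesis used everywhere else.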
@@ -166,4 +174,23 @@ mlsconstrain db_language { drop getattr setattr relabelfrom execute }
 mlsconstrain db_blob { drop getattr setattr relabelfrom read write import export }
 	( h1 dom h2 );
 
+mlsconstrain { tcp_socket udp_socket rawip_socket } node_bind
+	(( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
+
+# the node recvfrom/sendto ops, the recvfrom permission is a "write" operation
+# because the subject in this particular case is the remote domain which is
+# writing data out the network node which is acting as the object
+mlsconstrain { node } { recvfrom sendto }
+	(( l1 dom l2 ) or (t1 != mcs_constrained_type));
+
+mlsconstrain { packet peer } { recv }
+	(( l1 dom l2 ) or
+	 ((t1 != mcs_constrained_type) and (t2 != mcs_constrained_type)));
+
+# the netif ingress/egress ops, the ingress permission is a "write" operation
+# because the subject in this particular case is the remote domain which is
+# writing data out the network interface which is acting as the object
+mlsconstrain { netif } { egress ingress }
+	     	(( l1 dom l2 ) or (t1 != mcs_constrained_type));
+
 ') dnl end enable_mcs
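Review bot: L1435 is indented with a mix of tabs and spaces (`	     	`), unlike every other constraint body in the file, which uses a single tab. The `{ packet peer } { recv }` rule at L1427-L1429 is the only one in this hunk that also requires the object type to be unconstrained; presumably because the peer/packet label is the remote domain's label, but a comment like the ones at L1421-L1423 and L1431-L1433 should say why, otherwise it looks like an inconsistency with the node and netif rules.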
diff --git a/policy/mls b/policy/mls
index f11e5e2b7..c67dbb976 100644
--- a/policy/mls
+++ b/policy/mls
@@ -70,7 +70,9 @@ mlsconstrain { file lnk_file fifo_file } { create relabelto }
 
 # new file labels must be dominated by the relabeling subjects clearance
 mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } relabelto
-	( h1 dom h2 );
+	(( h1 dom h2 ) or
+	(( t1 == mlsfilerelabeltoclr ) and ( h1 dom l2 )) or
+	( t1 == mlsfilewrite ));
 
 # the file "read" ops (note the check is dominance of the low level)
 mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { read getattr execute }
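Review bot: The comment at L1444, "new file labels must be dominated by the relabeling subjects clearance", is no longer accurate once L1447-L1449 exempt `mlsfilerelabeltoclr` (subject clearance need only dominate the target low level) and `mlsfilewrite` (no level check at all). I would extend it to `# new file labels must be dominated by the relabeling subjects clearance, except for mlsfilerelabeltoclr (clearance over the target low) and mlsfilewrite (unconstrained)`. The `mlsfilewrite` escape is a full bypass of the relabel check, so it is worth a word on why it is acceptable here.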
@@ -156,15 +158,12 @@ mlsconstrain filesystem { mount remount unmount relabelfrom quotamod }
 # these access vectors have no MLS restrictions
 # filesystem { transition associate }
 
-
-
-
 #
 # MLS policy for the socket classes
 #
 
 # new socket labels must be dominated by the relabeling subjects clearance
-mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } relabelto
+mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket } relabelto
 	( h1 dom h2 );
 
 # the socket "read+write" ops
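Review bot: The eight new netlink classes are appended to the class lists at L1466, L1475 and L1484, which is consistent with the classes declared in access_vectors and security_classes in this diff, but the netlink-specific constraint that the hunk header at L1479 points to (`mlsconstrain { netlink_route_socket netlink_firewall_socket netlink_tcpdiag_sock…`) is not visible and does not appear to be touched. If that rule also enumerates netlink classes by name, `nlmsg_read` on the new socket classes escapes MLS entirely; please check it gets the same eight names.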
@@ -180,7 +179,7 @@ mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_s
 
 
 # the socket "read" ops (note the check is dominance of the low level)
-mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { read getattr listen accept getopt recv_msg }
+mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket } { read getattr listen accept getopt recv_msg }
 	(( l1 dom l2 ) or
 	 (( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
 	 ( t1 == mlsnetread ));
@@ -191,11 +190,12 @@ mlsconstrain { netlink_route_socket netlink_firewall_socket netlink_tcpdiag_sock
 	 ( t1 == mlsnetread ));
 
 # the socket "write" ops
-mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { write setattr relabelfrom connect setopt shutdown }
+mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket } { write setattr relabelfrom connect setopt shutdown }
 	(( l1 eq l2 ) or 
 	 (( t1 == mlsnetwriteranged ) and ( l1 dom l2 ) and ( l1 domby h2 )) or
 	 (( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
-	 ( t1 == mlsnetwrite ));
+	 ( t1 == mlsnetwrite ) or
+	 ( t2 == mlstrustedobject ));
 
 # used by netlabel to restrict normal domains to same level connections
 mlsconstrain { tcp_socket udp_socket rawip_socket } recvfrom
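Review bot: The `( t2 == mlstrustedobject )` clause added at L1490 lets any subject perform the socket "write" ops on a trusted-object socket regardless of level, and the comment at L1482 does not mention it; the database rules later in the file use the same clause, so a one-line comment keeps them aligned: `# mlstrustedobject sockets accept writes from any level`. Since this is a level-check bypass for the whole class list on L1484, it would help to say which object types are expected to carry the attribute.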
@@ -252,6 +252,11 @@ mlsconstrain msg receive
 	 (( t1 == mlsipcreadtoclr ) and ( h1 dom l2 )) or
 	 ( t1 == mlsipcread ));
 
+mlsconstrain key { create link read search setattr view write }
+	(( l1 eq l2 ) or
+	 (( t1 == mlsprocwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+	 ( t1 == mlsprocwrite ));
+
 # the ipc "write" ops (implicit single level)
 mlsconstrain { ipc sem msgq shm } { create destroy setattr write unix_write }
 	(( l1 eq l2 ) or
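Review bot: The new `key` rule at L1498-L1501 applies the single-level "write" pattern (`l1 eq l2` plus the `mlsprocwrite*` escapes) to `read`, `search` and `view` as well, whereas every other class in this file uses a dominance rule for read ops. If keys are deliberately treated as single-level process state, say so: `# keys are single-level process state: read ops use the process "write" rule on purpose`; if not, `read search view` belong in a separate `( l1 dom l2 )` rule.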
@@ -361,9 +366,6 @@ mlsconstrain { peer packet } { recv }
 	 (( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
 	 ( t1 == mlsnetread ));
 
-
-
-
 #
 # MLS policy for the process class
 #
@@ -763,13 +765,14 @@ mlsconstrain context contains
 #
 
 # make sure these database classes are "single level"
-mlsconstrain { db_database db_schema db_table db_sequence db_view db_procedure db_language db_column db_blob } { create relabelto }
+mlsconstrain { db_sequence db_view db_procedure db_language db_blob } { create relabelto }
 	( l2 eq h2 );
+
 mlsconstrain { db_tuple } { insert relabelto }
 	( l2 eq h2 );
 
 # new database labels must be dominated by the relabeling subjects clearance
-mlsconstrain { db_database db_schema db_table db_sequence db_view db_procedure db_language db_column db_tuple db_blob } { relabelto }
+mlsconstrain { db_database db_schema db_table db_column } { relabelto }
 	( h1 dom h2 );
 
 # the database "read" ops (note the check is dominance of the low level)
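Review bot: Splitting the two lists at L1521 and L1529 drops the `( h1 dom h2 )` relabelto check for `db_sequence`, `db_view`, `db_procedure`, `db_language`, `db_blob` and `db_tuple`: before the change they were in both rules, now they are only in the single-level rule, so a subject may relabel them to a level it does not dominate as long as the new label is single-level. Making `db_database`/`db_schema`/`db_table`/`db_column` multi-level looks intentional, but losing the clearance check for the rest reads like an oversight; if it is not, keep them in the L1529 list too. The comment at L1527 still describes the old combined rule.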
@@ -833,7 +836,7 @@ mlsconstrain { db_tuple } { use select }
 	 ( t1 == mlsdbread ) or
 	 ( t2 == mlstrustedobject ));
 
-# the "single level" file "write" ops
+# the "single level" database "write" ops
 mlsconstrain { db_database } { create drop setattr relabelfrom install_module load_module set_param }
 	(( l1 eq l2 ) or
 	 (( t1 == mlsdbwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
diff --git a/policy/modules/admin/bootloader.fc b/policy/modules/admin/bootloader.fc
index 2626ebf95..5745bb240 100644
--- a/policy/modules/admin/bootloader.fc
+++ b/policy/modules/admin/bootloader.fc
@@ -1,11 +1,16 @@
+/etc/default/grub	--	gen_context(system_u:object_r:bootloader_etc_t,s0)
+/etc/lilo\.conf.*		gen_context(system_u:object_r:bootloader_etc_t,s0)
+/etc/yaboot\.conf.*		gen_context(system_u:object_r:bootloader_etc_t,s0)
+/etc/zipl\.conf.*		gen_context(system_u:object_r:bootloader_etc_t,s0)
 
-/etc/lilo\.conf.*	--	gen_context(system_u:object_r:bootloader_etc_t,s0)
-/etc/yaboot\.conf.*	--	gen_context(system_u:object_r:bootloader_etc_t,s0)
-
-/sbin/grub		--	gen_context(system_u:object_r:bootloader_exec_t,s0)
+/sbin/grub.*		--	gen_context(system_u:object_r:bootloader_exec_t,s0)
 /sbin/lilo.*		--	gen_context(system_u:object_r:bootloader_exec_t,s0)
 /sbin/ybin.*		--	gen_context(system_u:object_r:bootloader_exec_t,s0)
+/sbin/zipl			--	gen_context(system_u:object_r:bootloader_exec_t,s0)
+
+/usr/sbin/grub.*	--	gen_context(system_u:object_r:bootloader_exec_t,s0)
+/usr/sbin/lilo.*	--	gen_context(system_u:object_r:bootloader_exec_t,s0)
+/usr/sbin/ybin.*	--	gen_context(system_u:object_r:bootloader_exec_t,s0)
+/usr/sbin/zipl		--	gen_context(system_u:object_r:bootloader_exec_t,s0)
 
-/usr/sbin/grub		--	gen_context(system_u:object_r:bootloader_exec_t,s0)
-/usr/sbin/grub2-bios-setup	--	gen_context(system_u:object_r:bootloader_exec_t,s0)
-/usr/sbin/grub2-probe	--	gen_context(system_u:object_r:bootloader_exec_t,s0)
+/var/lib/os-prober(/.*)?	gen_context(system_u:object_r:bootloader_var_lib_t,s0)
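Review bot: The `lilo.conf`, `yaboot.conf` and `zipl.conf` entries at L1548-L1550 lose the `--` file-type qualifier the removed lines had, while `/etc/default/grub` on L1547 keeps it, so a directory matching `/etc/lilo\.conf.*` would now be labelled `bootloader_etc_t`; restore `--` unless non-regular files are expected. L1559 has an extra tab before `--`, breaking the column alignment of the block. Note that `/sbin/grub.*` and `/usr/sbin/grub.*` now cover every grub-prefixed binary, including the removed explicit `grub2-bios-setup` and `grub2-probe` entries; if any other grub-prefixed tool is meant to run in a different domain, this pattern will shadow it.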
diff --git a/policy/modules/admin/bootloader.if b/policy/modules/admin/bootloader.if
index cc8df9d7d..90467f3af 100644
--- a/policy/modules/admin/bootloader.if
+++ b/policy/modules/admin/bootloader.if
@@ -19,6 +19,24 @@ interface(`bootloader_domtrans',`
 	domtrans_pattern($1, bootloader_exec_t, bootloader_t)
 ')
 
+######################################
+## <summary>
+##  Execute bootloader in the caller domain.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`bootloader_exec',`
+    gen_require(`
+        type bootloader_exec_t;
+    ')
+
+    can_exec($1, bootloader_exec_t)
+')
+
 ########################################
 ## <summary>
 ##	Execute bootloader interactively and do
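Review bot: The re-added `bootloader_exec` at L1588-L1594 is indented with four spaces while the rest of the file uses tabs (L1575, L1602), and its summary line at L1580 uses two spaces where the neighbouring interfaces use a tab. It also drops the `corecmd_search_bin($1)` that the version removed further down this diff (L1630) had, so callers that relied on the interface for the bin directory search will need it themselves; if that is deliberate, a comment in the interface body would save the next reader the comparison.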
@@ -38,16 +56,18 @@ interface(`bootloader_domtrans',`
 #
 interface(`bootloader_run',`
 	gen_require(`
+		type bootloader_t;
 		attribute_role bootloader_roles;
 	')
 
 	bootloader_domtrans($1)
 	roleattribute $2 bootloader_roles;
+
 ')
 
 ########################################
 ## <summary>
-##	Execute bootloader in the caller domain.
+##	Read the bootloader configuration file.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
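Review bot: `type bootloader_t;` added to the `gen_require` of `bootloader_run` at L1603 is not referenced in the interface body, which only calls `bootloader_domtrans($1)` and sets `roleattribute $2 bootloader_roles`, so it can be dropped. The blank line inserted at L1609 before the closing `')` is also out of step with the other interfaces in the file.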
@@ -55,36 +75,37 @@ interface(`bootloader_run',`
 ##	</summary>
 ## </param>
 #
-interface(`bootloader_exec',`
+interface(`bootloader_read_config',`
 	gen_require(`
-		type bootloader_exec_t;
+		type bootloader_etc_t;
 	')
 
-	corecmd_search_bin($1)
-	can_exec($1, bootloader_exec_t)
+	allow $1 bootloader_etc_t:file read_file_perms;
 ')
 
 ########################################
 ## <summary>
-##	Read the bootloader configuration file.
+##	Read and write the bootloader
+##	configuration file.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
-interface(`bootloader_read_config',`
+interface(`bootloader_rw_config',`
 	gen_require(`
 		type bootloader_etc_t;
 	')
 
-	allow $1 bootloader_etc_t:file read_file_perms;
+	allow $1 bootloader_etc_t:file rw_file_perms;
 ')
 
 ########################################
 ## <summary>
-##	Read and write the bootloader
+##	Manage the bootloader
 ##	configuration file.
 ## </summary>
 ## <param name="domain">
@@ -94,12 +115,12 @@ interface(`bootloader_read_config',`
 ## </param>
 ## <rolecap/>
 #
-interface(`bootloader_rw_config',`
+interface(`bootloader_manage_config',`
 	gen_require(`
 		type bootloader_etc_t;
 	')
 
-	allow $1 bootloader_etc_t:file rw_file_perms;
+	manage_files_pattern($1, bootloader_etc_t, bootloader_etc_t)
 ')
 
 ########################################
@@ -119,7 +140,7 @@ interface(`bootloader_rw_tmp_files',`
 	')
 
 	files_search_tmp($1)
-	allow $1 bootloader_tmp_t:file rw_file_perms;
+	allow $1 bootloader_tmp_t:file rw_inherited_file_perms;
 ')
 
 ########################################
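Review bot: Switching `bootloader_rw_tmp_files` to `rw_inherited_file_perms` at L1685 narrows the grant to file descriptors the caller already holds (no `open`), which is a meaningful change for callers of this interface and deserves a note in the interface's `<summary>`, e.g. `Read and write inherited bootloader temporary files (no open).` The permission set is presumably defined in this project's support macros rather than upstream's; that definition is outside the diff, so I could not confirm it.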
@@ -141,3 +162,24 @@ interface(`bootloader_create_runtime_file',`
 	allow $1 boot_runtime_t:file { create_file_perms rw_file_perms };
 	files_boot_filetrans($1, boot_runtime_t, file)
 ')
+
+########################################
+## <summary>
+##	Type transition files created in /etc
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`bootloader_filetrans_config',`
+	gen_require(`
+		type bootloader_etc_t;
+	')
+
+	files_etc_filetrans($1,bootloader_etc_t,file, "grub")
+	files_etc_filetrans($1,bootloader_etc_t,file, "lilo.conf")
+	files_etc_filetrans($1,bootloader_etc_t,file, "yaboot.conf")
+	files_etc_filetrans($1,bootloader_etc_t,file, "zipl.conf")
+')
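Review bot: The summary `Type transition files created in /etc` does not tell a caller which names are affected, and the calls are written without the spaces after commas used everywhere else in these files (`files_etc_filetrans($1,bootloader_etc_t,file, "grub")` versus `domtrans_pattern($1, consoletype_exec_t, consoletype_t)`). I would write the summary as `##	Create bootloader configuration files (grub, lilo.conf, yaboot.conf, zipl.conf) in /etc with the bootloader_etc_t type.` and normalise each call to `files_etc_filetrans($1, bootloader_etc_t, file, "grub")`. Note that the transition is for class `file` only; if `/etc/grub` or `/etc/grub.conf` is a symlink or directory on the target distribution, as it is on some, the transition will not fire for it, so check the names against bootloader.fc.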
diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te
index 0fd5c5f2e..a14addb41 100644
--- a/policy/modules/admin/bootloader.te
+++ b/policy/modules/admin/bootloader.te
@@ -20,13 +20,20 @@ type bootloader_t;
 type bootloader_exec_t;
 application_domain(bootloader_t, bootloader_exec_t)
 role bootloader_roles types bootloader_t;
+role system_r types bootloader_t;
+
+type bootloader_var_run_t;
+files_pid_file(bootloader_var_run_t)
+
+type bootloader_var_lib_t;
+files_type(bootloader_var_lib_t)
 
 #
 # bootloader_etc_t is the configuration file,
 # grub.conf, lilo.conf, etc.
 #
 type bootloader_etc_t alias etc_bootloader_t;
-files_type(bootloader_etc_t)
+files_config_file(bootloader_etc_t)
 
 #
 # The temp file is used for initrd creation;
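Review bot: `files_config_file(bootloader_etc_t)` in place of `files_type` puts the type on the generic config-file attribute, so every domain holding `files_read_config_files()` or `files_read_all_config_files()` in this tree can now read bootloader configuration without any bootloader interface being called. If that label also covers files with grub password hashes or other sensitive boot settings, that is a wider audience than before, and a comment stating the intent would help, e.g. `# configfile attribute: readable by every domain with files_read_config_files()`. The new `bootloader_var_run_t` and `bootloader_var_lib_t` types also need matching bootloader.fc entries; they are not in this hunk, so I assume they are elsewhere in the patch.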
@@ -41,7 +48,7 @@ dev_node(bootloader_tmp_t)
 # bootloader local policy
 #
 
-allow bootloader_t self:capability { dac_override dac_read_search fsetid sys_rawio sys_admin mknod chown };
+allow bootloader_t self:capability { dac_override dac_read_search fsetid sys_rawio sys_admin sys_chroot mknod chown };
 allow bootloader_t self:process { signal_perms execmem };
 allow bootloader_t self:fifo_file rw_fifo_file_perms;
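Review bot: `sys_chroot` is added to an already powerful capability set (`sys_rawio`, `sys_admin`, `dac_override`) without a note on which tool needs it, while the rest of this file annotates non-obvious rules (`# for tune2fs`, `# for nscd`). Add a why-comment naming the program, e.g. `# sys_chroot: <tool> chroots while building the initrd`. If the chroot only happens in a helper that already has its own domain, the capability belongs there rather than on bootloader_t.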
 
@@ -59,6 +66,15 @@ files_tmp_filetrans(bootloader_t, bootloader_tmp_t, { dir file lnk_file chr_file
 # for tune2fs (cjp: ?)
 files_root_filetrans(bootloader_t, bootloader_tmp_t, file)
 
+manage_dirs_pattern(bootloader_t, bootloader_var_run_t, bootloader_var_run_t)
+manage_files_pattern(bootloader_t, bootloader_var_run_t, bootloader_var_run_t)
+files_pid_filetrans(bootloader_t, bootloader_var_run_t, {dir file })
+
+manage_dirs_pattern(bootloader_t, bootloader_var_lib_t, bootloader_var_lib_t)
+manage_files_pattern(bootloader_t, bootloader_var_lib_t, bootloader_var_lib_t)
+manage_lnk_files_pattern(bootloader_t, bootloader_var_lib_t, bootloader_var_lib_t)
+files_var_lib_filetrans(bootloader_t, bootloader_var_lib_t, {dir file })
+
 kernel_getattr_core_if(bootloader_t)
 kernel_read_network_state(bootloader_t)
 kernel_read_system_state(bootloader_t)
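Review bot: The class sets in the two new filetrans calls are written `{dir file }`, whereas the same hunk's existing `files_tmp_filetrans` line and the rest of the policy write `{ dir file }`; normalise both to `files_pid_filetrans(bootloader_t, bootloader_var_run_t, { dir file })` and `files_var_lib_filetrans(bootloader_t, bootloader_var_lib_t, { dir file })`. Both transitions are unnamed, so anything bootloader_t creates directly under /run or /var/lib takes the new types; if the tool uses a fixed directory name, a named transition would be tighter and would document what the types are for.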
@@ -81,6 +97,8 @@ dev_rw_nvram(bootloader_t)
 
 fs_getattr_xattr_fs(bootloader_t)
 fs_getattr_tmpfs(bootloader_t)
+fs_list_hugetlbfs(bootloader_t)
+fs_list_tmpfs(bootloader_t)
 fs_read_tmpfs_symlinks(bootloader_t)
 #Needed for ia64
 fs_manage_dos_files(bootloader_t)
@@ -89,7 +107,10 @@ mls_file_read_all_levels(bootloader_t)
 mls_file_write_all_levels(bootloader_t)
 
 term_getattr_all_ttys(bootloader_t)
+term_getattr_all_ptys(bootloader_t)
 term_dontaudit_manage_pty_dirs(bootloader_t)
+term_dontaudit_getattr_generic_ptys(bootloader_t)
+term_use_unallocated_ttys(bootloader_t)
 
 corecmd_exec_all_executables(bootloader_t)
 
@@ -98,12 +119,14 @@ domain_use_interactive_fds(bootloader_t)
 files_create_boot_dirs(bootloader_t)
 files_manage_boot_files(bootloader_t)
 files_manage_boot_symlinks(bootloader_t)
+files_manage_kernel_modules(bootloader_t)
 files_read_etc_files(bootloader_t)
 files_exec_etc_files(bootloader_t)
 files_read_usr_src_files(bootloader_t)
 files_read_usr_files(bootloader_t)
 files_read_var_files(bootloader_t)
 files_read_kernel_modules(bootloader_t)
+files_read_kernel_symbol_table(bootloader_t)
 # for nscd
 files_dontaudit_search_pids(bootloader_t)
 # for blkid.tab
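Review bot: `files_manage_kernel_modules(bootloader_t)` makes the existing `files_read_kernel_modules(bootloader_t)` a few lines below it redundant and, more importantly, lets the bootloader domain create, replace and delete anything under the kernel-modules tree, i.e. code the kernel will later load. If the only need is depmod output (modules.dep and friends), a comment naming the file and the program would justify the rule, e.g. `# <tool> regenerates modules.dep under /lib/modules`; otherwise the write should stay in the depmod/insmod domains this file already transitions to via `modutils_exec_depmod`/`modutils_domtrans_insmod`.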
@@ -111,6 +134,8 @@ files_manage_etc_runtime_files(bootloader_t)
 files_etc_filetrans_etc_runtime(bootloader_t, file)
 files_dontaudit_search_home(bootloader_t)
 
+
+init_read_state(bootloader_t)
 init_getattr_initctl(bootloader_t)
 init_use_script_ptys(bootloader_t)
 init_use_script_fds(bootloader_t)
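Review bot: The added empty line lands directly after an existing blank, so there are now two consecutive blank lines before `init_read_state(bootloader_t)`; drop the new one so the block keeps the single-blank-line separation used throughout the file.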
@@ -118,19 +143,20 @@ init_rw_script_pipes(bootloader_t)
 
 libs_read_lib_files(bootloader_t)
 libs_exec_lib_files(bootloader_t)
+libs_exec_ld_so(bootloader_t)
 
-logging_send_syslog_msg(bootloader_t)
-logging_rw_generic_logs(bootloader_t)
+auth_use_nsswitch(bootloader_t)
 
-miscfiles_read_localization(bootloader_t)
+logging_send_syslog_msg(bootloader_t)
+logging_manage_generic_logs(bootloader_t)
 
 modutils_domtrans_insmod(bootloader_t)
 
 seutil_read_bin_policy(bootloader_t)
 seutil_read_loadpolicy(bootloader_t)
-seutil_dontaudit_search_config(bootloader_t)
 
-userdom_use_user_terminals(bootloader_t)
+userdom_getattr_user_tmp_files(bootloader_t)
+userdom_use_inherited_user_terminals(bootloader_t)
 userdom_dontaudit_search_user_home_dirs(bootloader_t)
 
 ifdef(`distro_debian',`
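Review bot: `logging_manage_generic_logs(bootloader_t)` widens the previous `logging_rw_generic_logs` from read/write to create, rename and unlink of any `var_log_t` file, so a buggy or compromised bootloader run could remove or replace log files rather than only append to them. If the need is one specific log the tool creates, a named `logging_log_filetrans` plus a why-comment such as `# <tool> creates its own log under /var/log` would be tighter. The removed `miscfiles_read_localization` and `seutil_dontaudit_search_config` presumably moved to a shared base rule in this tree; if not, the domain loses locale access.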
@@ -173,6 +199,10 @@ ifdef(`distro_redhat',`
 	')
 ')
 
+optional_policy(`
+	devicekit_dontaudit_read_pid_files(bootloader_t)
+')
+
 optional_policy(`
 	fstools_exec(bootloader_t)
 ')
@@ -182,6 +212,14 @@ optional_policy(`
 	hal_write_log(bootloader_t)
 ')
 
+optional_policy(`
+	gpm_getattr_gpmctl(bootloader_t)
+')
+
+optional_policy(`
+	fsadm_manage_pid(bootloader_t)
+')
+
 optional_policy(`
 	kudzu_domtrans(bootloader_t)
 ')
@@ -194,18 +232,19 @@ optional_policy(`
 ')
 
 optional_policy(`
-	modutils_exec_insmod(bootloader_t)
-	modutils_read_module_deps(bootloader_t)
-	modutils_read_module_config(bootloader_t)
 	modutils_exec_insmod(bootloader_t)
 	modutils_exec_depmod(bootloader_t)
 	modutils_exec_update_mods(bootloader_t)
+	modutils_domtrans_insmod_uncond(bootloader_t)
+	modutils_list_module_config(bootloader_t)
+	modutils_read_module_deps(bootloader_t)
+	modutils_read_module_config(bootloader_t)
 ')
 
 optional_policy(`
-	nscd_use(bootloader_t)
+	rpm_rw_pipes(bootloader_t)
 ')
 
 optional_policy(`
-	rpm_rw_pipes(bootloader_t)
+	udev_read_pid_files(bootloader_t)
 ')
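Review bot: `modutils_domtrans_insmod_uncond(bootloader_t)` is added inside the optional block while `modutils_domtrans_insmod(bootloader_t)` is still called unconditionally earlier in the same file; unless `modutils_domtrans_insmod` is tunable-gated in this tree, the two grant the same transition and one of them should go. It also sits next to `modutils_exec_insmod(bootloader_t)`, and a domain that has both a type transition and execute_no_trans on `insmod_exec_t` will transition by default, leaving the exec rule reachable only through setexeccon — a short comment on which behaviour is intended would help the next reader.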
diff --git a/policy/modules/admin/consoletype.fc b/policy/modules/admin/consoletype.fc
index b7f053bf6..5d4fc3188 100644
--- a/policy/modules/admin/consoletype.fc
+++ b/policy/modules/admin/consoletype.fc
@@ -1,2 +1,4 @@
 
 /sbin/consoletype	--	gen_context(system_u:object_r:consoletype_exec_t,s0)
+
+/usr/sbin/consoletype	--	gen_context(system_u:object_r:consoletype_exec_t,s0)
diff --git a/policy/modules/admin/consoletype.if b/policy/modules/admin/consoletype.if
index 0f57d3bc0..655d07f01 100644
--- a/policy/modules/admin/consoletype.if
+++ b/policy/modules/admin/consoletype.if
@@ -19,10 +19,6 @@ interface(`consoletype_domtrans',`
 
 	corecmd_search_bin($1)
 	domtrans_pattern($1, consoletype_exec_t, consoletype_t)
-
-	ifdef(`hide_broken_symptoms', `
-		dontaudit consoletype_t $1:socket_class_set { read write };
-	')
 ')
 
 ########################################
diff --git a/policy/modules/admin/consoletype.te b/policy/modules/admin/consoletype.te
index cd5e005ce..247259ac4 100644
--- a/policy/modules/admin/consoletype.te
+++ b/policy/modules/admin/consoletype.te
@@ -7,8 +7,8 @@ policy_module(consoletype, 1.10.0)
 
 type consoletype_t;
 type consoletype_exec_t;
-init_domain(consoletype_t, consoletype_exec_t)
-init_system_domain(consoletype_t, consoletype_exec_t)
+application_domain(consoletype_t, consoletype_exec_t)
+role system_r types consoletype_t;
 
 ########################################
 #
@@ -47,14 +47,16 @@ fs_list_inotifyfs(consoletype_t)
 mls_file_read_all_levels(consoletype_t)
 mls_file_write_all_levels(consoletype_t)
 
-term_use_all_terms(consoletype_t)
+term_use_all_inherited_terms(consoletype_t)
+term_use_ptmx(consoletype_t)
 
 init_use_fds(consoletype_t)
 init_use_script_ptys(consoletype_t)
 init_use_script_fds(consoletype_t)
 init_rw_script_pipes(consoletype_t)
+init_rw_inherited_script_tmp_files(consoletype_t)
 
-userdom_use_user_terminals(consoletype_t)
+userdom_use_inherited_user_terminals(consoletype_t)
 
 ifdef(`distro_redhat',`
 	fs_rw_tmpfs_chr_files(consoletype_t)
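Review bot: `term_use_ptmx(consoletype_t)` lets a program whose job is to report what kind of terminal it is attached to open `/dev/ptmx` read/write, i.e. allocate new pseudo-terminals, which is more than the inherited-terminal change just above it requires. If this came from an audit denial, a dontaudit or a comment naming the code path (`# <reason> opens /dev/ptmx`) would be preferable to a bare allow; as written the rule reads as an over-grant.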
@@ -79,16 +81,14 @@ optional_policy(`
 ')
 
 optional_policy(`
-	files_read_etc_files(consoletype_t)
-	firstboot_use_fds(consoletype_t)
-	firstboot_rw_pipes(consoletype_t)
+	devicekit_dontaudit_read_pid_files(consoletype_t)
+	devicekit_dontaudit_rw_log(consoletype_t)
 ')
 
 optional_policy(`
-	hal_dontaudit_use_fds(consoletype_t)
-	hal_dontaudit_rw_pipes(consoletype_t)
-	hal_dontaudit_rw_dgram_sockets(consoletype_t)
-	hal_dontaudit_write_log(consoletype_t)
+	files_read_etc_files(consoletype_t)
+	firstboot_use_fds(consoletype_t)
+	firstboot_rw_pipes(consoletype_t)
 ')
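Review bot: `files_read_etc_files(consoletype_t)` is placed inside an `optional_policy` block keyed on firstboot, so it silently disappears when the firstboot module is not built, even though it is a kernel-layer interface that is always available and the domain needs /etc regardless. Move it out to the unconditional `files_*` rules and leave only `firstboot_use_fds`/`firstboot_rw_pipes` inside the optional block.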
 
 optional_policy(`
@@ -114,6 +114,7 @@ optional_policy(`
 
 optional_policy(`
 	userdom_use_unpriv_users_fds(consoletype_t)
+	userdom_dontaudit_rw_dgram_socket(consoletype_t)
 ')
 
 optional_policy(`
diff --git a/policy/modules/admin/dmesg.fc b/policy/modules/admin/dmesg.fc
index d6cc2d970..0685b190d 100644
--- a/policy/modules/admin/dmesg.fc
+++ b/policy/modules/admin/dmesg.fc
@@ -1,2 +1,4 @@
 
 /bin/dmesg		--		gen_context(system_u:object_r:dmesg_exec_t,s0)
+
+/usr/bin/dmesg		--		gen_context(system_u:object_r:dmesg_exec_t,s0)
diff --git a/policy/modules/admin/dmesg.te b/policy/modules/admin/dmesg.te
index 72bc6d815..bb4a6f0d7 100644
--- a/policy/modules/admin/dmesg.te
+++ b/policy/modules/admin/dmesg.te
@@ -9,6 +9,10 @@ type dmesg_t;
 type dmesg_exec_t;
 init_system_domain(dmesg_t, dmesg_exec_t)
 
+ifdef(`enable_mls',`
+	init_ranged_daemon_domain(dmesg_t, dmesg_exec_t, mls_systemhigh)
+')
+
 ########################################
 #
 # Local policy
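Review bot: `init_ranged_daemon_domain` is applied to a type declared with `init_system_domain` two lines earlier, so under `enable_mls` dmesg_t picks up the daemon-style rules on top of the system-domain ones, and dmesg is not a daemon. refpolicy provides `init_ranged_system_domain(dmesg_t, dmesg_exec_t, mls_systemhigh)` for exactly this case; use that, or replace both calls with the ranged variant instead of stacking the two.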
@@ -19,14 +23,18 @@ dontaudit dmesg_t self:capability sys_tty_config;
 
 allow dmesg_t self:process signal_perms;
 
+kernel_read_system_state(dmesg_t)
 kernel_read_kernel_sysctls(dmesg_t)
 kernel_read_ring_buffer(dmesg_t)
 kernel_clear_ring_buffer(dmesg_t)
 kernel_change_ring_buffer_level(dmesg_t)
 kernel_list_proc(dmesg_t)
 kernel_read_proc_symlinks(dmesg_t)
+kernel_dontaudit_write_kernel_sysctl(dmesg_t)
 
 dev_read_sysfs(dmesg_t)
+dev_read_kmsg(dmesg_t)
+dev_read_raw_memory(dmesg_t)
 
 fs_search_auto_mountpoints(dmesg_t)
 
@@ -44,10 +52,14 @@ init_use_script_ptys(dmesg_t)
 logging_send_syslog_msg(dmesg_t)
 logging_write_generic_logs(dmesg_t)
 
-miscfiles_read_localization(dmesg_t)
+miscfiles_read_hwdata(dmesg_t)
 
 userdom_dontaudit_use_unpriv_user_fds(dmesg_t)
-userdom_use_user_terminals(dmesg_t)
+userdom_use_inherited_user_terminals(dmesg_t)
+
+optional_policy(`
+	abrt_rw_inherited_cache(dmesg_t)
+')
 
 optional_policy(`
 	seutil_sigchld_newrole(dmesg_t)
diff --git a/policy/modules/admin/netutils.fc b/policy/modules/admin/netutils.fc
index 407078f4b..1a09bead7 100644
--- a/policy/modules/admin/netutils.fc
+++ b/policy/modules/admin/netutils.fc
@@ -1,15 +1,22 @@
 /bin/ping.* 		--	gen_context(system_u:object_r:ping_exec_t,s0)
-/bin/tracepath.*		--	gen_context(system_u:object_r:traceroute_exec_t,s0)
+/bin/tracepath.*	--	gen_context(system_u:object_r:traceroute_exec_t,s0)
 /bin/traceroute.*	--	gen_context(system_u:object_r:traceroute_exec_t,s0)
 
 /sbin/arping		--	gen_context(system_u:object_r:netutils_exec_t,s0)
 
 /usr/bin/lft		--	gen_context(system_u:object_r:traceroute_exec_t,s0)
+/usr/bin/mtr		--	gen_context(system_u:object_r:traceroute_exec_t,s0)
 /usr/bin/nmap		--	gen_context(system_u:object_r:traceroute_exec_t,s0)
+/usr/bin/ping.* 	--	gen_context(system_u:object_r:ping_exec_t,s0)
+/usr/bin/tracepath.*	--	gen_context(system_u:object_r:traceroute_exec_t,s0)
 /usr/bin/traceroute.*	--	gen_context(system_u:object_r:traceroute_exec_t,s0)
 
-/usr/sbin/fping 	--	gen_context(system_u:object_r:ping_exec_t,s0)
+/usr/lib/heartbeat/send_arp     --      gen_context(system_u:object_r:ping_exec_t,s0)
+
+/usr/sbin/arping	--	gen_context(system_u:object_r:netutils_exec_t,s0)
+/usr/sbin/fping.* 	--	gen_context(system_u:object_r:ping_exec_t,s0)
 /usr/sbin/traceroute.*	--	gen_context(system_u:object_r:traceroute_exec_t,s0)
 /usr/sbin/hping2	--	gen_context(system_u:object_r:ping_exec_t,s0)
+/usr/sbin/mtr		--	gen_context(system_u:object_r:traceroute_exec_t,s0)
 /usr/sbin/send_arp	--	gen_context(system_u:object_r:ping_exec_t,s0)
 /usr/sbin/tcpdump	--	gen_context(system_u:object_r:netutils_exec_t,s0)
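Review bot: The `/usr/lib/heartbeat/send_arp` entry is aligned with runs of spaces while every other line in the file separates path, file type and context with tabs; reformat it with tabs like its neighbours. Since only `/usr/lib` is covered, a `/usr/lib64/heartbeat/send_arp` entry may also be needed on 64-bit layouts — I cannot tell from here where the package installs it.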
diff --git a/policy/modules/admin/netutils.if b/policy/modules/admin/netutils.if
index c6ca761c9..0c86bfd54 100644
--- a/policy/modules/admin/netutils.if
+++ b/policy/modules/admin/netutils.if
@@ -42,6 +42,7 @@ interface(`netutils_run',`
 	')
 
 	netutils_domtrans($1)
+	allow $1 netutils_t:process { signal sigkill };
 	role $2 types netutils_t;
 ')
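Review bot: The new `allow $1 netutils_t:process { signal sigkill };` is placed before the `role $2 types netutils_t;` statement here but after it in `netutils_run_ping` further down, so the run interfaces in this file no longer share one layout. Pick one order (refpolicy normally keeps the `role` statement right after the domtrans) and use it in all four interfaces. Granting `sigkill` to the caller is reasonable for a run interface, but the summary above this hunk should mention it since it is more than the transition.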
 
@@ -161,6 +162,7 @@ interface(`netutils_run_ping',`
 
 	netutils_domtrans_ping($1)
 	role $2 types ping_t;
+	allow $1 ping_t:process { signal sigkill };
 ')
 
 ########################################
@@ -183,13 +185,14 @@ interface(`netutils_run_ping',`
 interface(`netutils_run_ping_cond',`
 	gen_require(`
 		type ping_t;
-		bool user_ping;
+		bool selinuxuser_ping;
 	')
 
 	role $2 types ping_t;
 
-	if ( user_ping ) {
+	if ( selinuxuser_ping ) {
 		netutils_domtrans_ping($1)
+		allow $1 ping_t:process { signal sigkill };
 	}
 ')
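Review bot: Renaming the boolean from `user_ping` to `selinuxuser_ping` breaks every existing `setsebool user_ping`, local.te reference and provisioning script that used the old name. If this tree ships a `booleans.subs_dist` file, add a `user_ping selinuxuser_ping` mapping there so old invocations keep working; otherwise call the rename out in the release notes. Keeping `role $2 types ping_t;` outside the `if` is correct, since role statements cannot be conditional, but a one-line comment saying so would pre-empt the next reader asking why it is not gated.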
 
@@ -254,6 +257,7 @@ interface(`netutils_run_traceroute',`
 	')
 
 	netutils_domtrans_traceroute($1)
+	allow $1 traceroute_t:process { signal sigkill };
 	role $2 types traceroute_t;
 ')
 
@@ -277,13 +281,14 @@ interface(`netutils_run_traceroute',`
 interface(`netutils_run_traceroute_cond',`
 	gen_require(`
 		type traceroute_t;
-		bool user_ping;
+		bool selinuxuser_ping;
 	')
 
 	role $2 types traceroute_t;
 
-	if( user_ping ) {
+	if( selinuxuser_ping ) {
 		netutils_domtrans_traceroute($1)
+		allow $1 traceroute_t:process { signal sigkill };
 	}
 ')
 
diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
index c44c3592a..cba535365 100644
--- a/policy/modules/admin/netutils.te
+++ b/policy/modules/admin/netutils.te
@@ -7,10 +7,10 @@ policy_module(netutils, 1.12.1)
 
 ## <desc>
 ## <p>
-## Control users use of ping and traceroute
+## Allow confined users the ability to execute the ping and traceroute commands.
 ## </p>
 ## </desc>
-gen_tunable(user_ping, false)
+gen_tunable(selinuxuser_ping, false)
 
 type netutils_t;
 type netutils_exec_t;
@@ -33,25 +33,28 @@ init_system_domain(traceroute_t, traceroute_exec_t)
 #
 
 # Perform network administration operations and have raw access to the network.
-allow netutils_t self:capability { dac_read_search net_admin net_raw setuid setgid sys_chroot };
+allow netutils_t self:capability { chown dac_read_search net_admin net_raw setuid setgid sys_chroot  setpcap };
 dontaudit netutils_t self:capability { dac_override sys_tty_config };
 allow netutils_t self:process { setcap signal_perms };
 allow netutils_t self:netlink_route_socket create_netlink_socket_perms;
 allow netutils_t self:netlink_socket create_socket_perms;
+# For tcpdump.
+allow netutils_t self:netlink_netfilter_socket create_socket_perms;
 allow netutils_t self:packet_socket create_socket_perms;
 allow netutils_t self:udp_socket create_socket_perms;
 allow netutils_t self:tcp_socket create_stream_socket_perms;
 allow netutils_t self:socket create_socket_perms;
+allow netutils_t self:netlink_socket create_socket_perms;
 
 manage_dirs_pattern(netutils_t, netutils_tmp_t, netutils_tmp_t)
 manage_files_pattern(netutils_t, netutils_tmp_t, netutils_tmp_t)
 files_tmp_filetrans(netutils_t, netutils_tmp_t, { file dir })
 
 kernel_search_proc(netutils_t)
-kernel_read_network_state(netutils_t)
 kernel_read_all_sysctls(netutils_t)
+kernel_read_network_state(netutils_t)
+kernel_request_load_module(netutils_t)
 
-corenet_all_recvfrom_unlabeled(netutils_t)
 corenet_all_recvfrom_netlabel(netutils_t)
 corenet_tcp_sendrecv_generic_if(netutils_t)
 corenet_raw_sendrecv_generic_if(netutils_t)
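Review bot: The added `allow netutils_t self:netlink_socket create_socket_perms;` near the end of the socket rules duplicates the identical line a few lines above it; drop the new copy. The capability line also gained a double space (`sys_chroot  setpcap`), and the new `chown`/`setpcap` capabilities carry no note while the netfilter socket line has `# For tcpdump.` — extend that comment to them if tcpdump's privilege drop is the reason. The removed `corenet_all_recvfrom_unlabeled` must now come from a domain-wide rule in this tree; if it does not, unlabeled packets will be denied to every netutils domain.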
@@ -66,6 +69,9 @@ corenet_sendrecv_all_client_packets(netutils_t)
 corenet_udp_bind_generic_node(netutils_t)
 
 dev_read_sysfs(netutils_t)
+dev_read_usbmon_dev(netutils_t)
+dev_write_usbmon_dev(netutils_t)
+dev_rw_generic_usb_dev(netutils_t)
 
 fs_getattr_xattr_fs(netutils_t)
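Review bot: `dev_rw_generic_usb_dev(netutils_t)` gives read/write on every generic USB device node, far wider than the usbmon capture the two lines above it suggest tcpdump needs, so a user entering this domain via `netutils_run` could talk to arbitrary USB devices. If only usbmon is required, drop the generic rule; if some tool really needs raw USB access, name it in a comment such as `# <tool> needs raw USB device access` so the grant is not mistaken for audit2allow residue.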
 
@@ -80,14 +86,18 @@ init_use_script_ptys(netutils_t)
 
 auth_use_nsswitch(netutils_t)
 
-logging_send_syslog_msg(netutils_t)
+libs_use_ld_so(netutils_t)
 
-miscfiles_read_localization(netutils_t)
+logging_send_syslog_msg(netutils_t)
 
 term_dontaudit_use_console(netutils_t)
-userdom_use_user_terminals(netutils_t)
+userdom_use_inherited_user_terminals(netutils_t)
 userdom_use_all_users_fds(netutils_t)
 
+optional_policy(`
+    kdump_dontaudit_inherited_kdumpctl_tmp_pipes(netutils_t)
+')
+
 optional_policy(`
 	nis_use_ypbind(netutils_t)
 ')
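Review bot: The `kdump_dontaudit_inherited_kdumpctl_tmp_pipes(netutils_t)` line is indented with four spaces while every other rule in these files uses a tab; change it to a tab. Separately, `libs_use_ld_so` is a legacy interface in refpolicy (loader access is normally granted to all domains by the libraries module); if this tree still defines it as a no-op wrapper the line is harmless but unnecessary — confirm before keeping it.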
@@ -110,11 +120,10 @@ allow ping_t self:capability { setuid net_raw };
 allow ping_t self:process { getcap setcap };
 dontaudit ping_t self:capability sys_tty_config;
 allow ping_t self:tcp_socket create_socket_perms;
-allow ping_t self:rawip_socket { create ioctl read write bind getopt setopt };
-allow ping_t self:packet_socket { create ioctl read write bind getopt setopt };
+allow ping_t self:rawip_socket create_socket_perms;
+allow ping_t self:packet_socket create_socket_perms;
 allow ping_t self:netlink_route_socket create_netlink_socket_perms;
 
-corenet_all_recvfrom_unlabeled(ping_t)
 corenet_all_recvfrom_netlabel(ping_t)
 corenet_tcp_sendrecv_generic_if(ping_t)
 corenet_raw_sendrecv_generic_if(ping_t)
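Review bot: Switching ping_t's `rawip_socket` and `packet_socket` rules from the explicit `{ create ioctl read write bind getopt setopt }` to `create_socket_perms` also grants `connect`, `shutdown`, `append`, `getattr` and `setattr`; probably harmless for ping, but it is a widening on a domain unprivileged users can enter through `selinuxuser_ping`, so note which ping implementation needs the extra operations in a comment. The dropped `corenet_all_recvfrom_unlabeled(ping_t)` has to be provided elsewhere (a domain-wide rule in this tree, presumably), otherwise ping replies on hosts without NetLabel/SECMARK labelling are denied.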
@@ -124,6 +133,9 @@ corenet_raw_bind_generic_node(ping_t)
 corenet_tcp_sendrecv_all_ports(ping_t)
 
 fs_dontaudit_getattr_xattr_fs(ping_t)
+fs_dontaudit_rw_anon_inodefs_files(ping_t)
+
+dev_read_urand(ping_t)
 
 domain_use_interactive_fds(ping_t)
 
@@ -131,14 +143,14 @@ files_read_etc_files(ping_t)
 files_dontaudit_search_var(ping_t)
 
 kernel_read_system_state(ping_t)
+kernel_read_network_state(ping_t)
+kernel_request_load_module(ping_t)
 
 auth_use_nsswitch(ping_t)
 
-logging_send_syslog_msg(ping_t)
-
-miscfiles_read_localization(ping_t)
+init_rw_inherited_script_tmp_files(ping_t)
 
-userdom_use_user_terminals(ping_t)
+logging_send_syslog_msg(ping_t)
 
 ifdef(`hide_broken_symptoms',`
 	init_dontaudit_use_fds(ping_t)
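Review bot: `kernel_request_load_module(ping_t)` lets a domain reachable by unprivileged users (via `selinuxuser_ping`) trigger kernel module autoloading, for example by asking for a protocol family that is not built in, which has historically been a way to reach rarely used and vulnerable kernel code. Unless ping on this platform genuinely needs a module loaded at run time, use `kernel_dontaudit_request_load_module(ping_t)` with a comment naming the denial it silences; the same applies to the `netutils_t` rule added earlier in this file. `init_rw_inherited_script_tmp_files(ping_t)` also deserves a why-comment, as it is not obvious which init-script temp file ping writes to.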
@@ -146,13 +158,28 @@ ifdef(`hide_broken_symptoms',`
 	optional_policy(`
 		nagios_dontaudit_rw_log(ping_t)
 		nagios_dontaudit_rw_pipes(ping_t)
+        nagios_dontaudit_write_pipes_nrpe(ping_t)
 	')
 ')
 
+term_use_all_inherited_terms(ping_t)
+
+tunable_policy(`selinuxuser_ping',`
+	term_use_all_ttys(ping_t)
+	term_use_all_ptys(ping_t)
+',`
+	term_dontaudit_use_all_ttys(ping_t)
+	term_dontaudit_use_all_ptys(ping_t)
+')
+
 optional_policy(`
 	munin_append_log(ping_t)
 ')
 
+optional_policy(`
+	nagios_rw_inerited_tmp_files(ping_t)
+')
+
 optional_policy(`
 	pcmcia_use_cardmgr_fds(ping_t)
 ')
@@ -161,6 +188,15 @@ optional_policy(`
 	hotplug_use_fds(ping_t)
 ')
 
+optional_policy(`
+	openshift_rw_inherited_content(ping_t)
+	openshift_dontaudit_rw_inherited_fifo_files(ping_t)
+')
+
+optional_policy(`
+	zabbix_read_tmp(ping_t)
+')
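Review bot: `nagios_dontaudit_write_pipes_nrpe(ping_t)` is indented with eight spaces instead of the two tabs its nesting and neighbours use; fix the indentation. `nagios_rw_inerited_tmp_files(ping_t)` spells "inherited" without the h — if that is the actual interface name in this tree's nagios.if the build passes, but if the interface is `nagios_rw_inherited_tmp_files` the module will fail to link, so check it. The `tunable_policy(`selinuxuser_ping'` block granting `term_use_all_ttys`/`term_use_all_ptys` is repeated verbatim for traceroute_t further down; a shared macro or at least a comment pointing at the twin would keep the two in step.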
+
 ########################################
 #
 # Traceroute local policy
@@ -174,7 +210,6 @@ allow traceroute_t self:udp_socket create_socket_perms;
 kernel_read_system_state(traceroute_t)
 kernel_read_network_state(traceroute_t)
 
-corenet_all_recvfrom_unlabeled(traceroute_t)
 corenet_all_recvfrom_netlabel(traceroute_t)
 corenet_tcp_sendrecv_generic_if(traceroute_t)
 corenet_udp_sendrecv_generic_if(traceroute_t)
@@ -198,6 +233,7 @@ fs_dontaudit_getattr_xattr_fs(traceroute_t)
 domain_use_interactive_fds(traceroute_t)
 
 files_read_etc_files(traceroute_t)
+files_read_usr_files(traceroute_t)
 files_dontaudit_search_var(traceroute_t)
 
 init_use_fds(traceroute_t)
@@ -206,11 +242,17 @@ auth_use_nsswitch(traceroute_t)
 
 logging_send_syslog_msg(traceroute_t)
 
-miscfiles_read_localization(traceroute_t)
-
-userdom_use_user_terminals(traceroute_t)
 
 #rules needed for nmap
 dev_read_rand(traceroute_t)
 dev_read_urand(traceroute_t)
-files_read_usr_files(traceroute_t)
+
+term_use_all_inherited_terms(traceroute_t)
+
+tunable_policy(`selinuxuser_ping',`
+	term_use_all_ttys(traceroute_t)
+	term_use_all_ptys(traceroute_t)
+',`
+	term_dontaudit_use_all_ttys(traceroute_t)
+	term_dontaudit_use_all_ptys(traceroute_t)
+')
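Review bot: Removing the `miscfiles_read_localization`/`userdom_use_user_terminals` lines leaves two consecutive blank lines before `#rules needed for nmap`, and the added empty line after `dev_read_urand` creates a second double gap; collapse both to a single blank line. `files_read_usr_files(traceroute_t)` was also moved out from under the `#rules needed for nmap` comment into the generic section above, so that comment now covers only the rand/urand rules — fine, but if nmap is the reason for the usr read too, say so where the rule now lives.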
diff --git a/policy/modules/admin/su.fc b/policy/modules/admin/su.fc
index 688abc2ae..3d89250a6 100644
--- a/policy/modules/admin/su.fc
+++ b/policy/modules/admin/su.fc
@@ -3,3 +3,4 @@
 
 /usr/(local/)?bin/ksu	--	gen_context(system_u:object_r:su_exec_t,s0)
 /usr/bin/kdesu		--	gen_context(system_u:object_r:su_exec_t,s0)
+/usr/bin/su		--	gen_context(system_u:object_r:su_exec_t,s0)
diff --git a/policy/modules/admin/su.if b/policy/modules/admin/su.if
index 03ec5cafe..1e3ace4cf 100644
--- a/policy/modules/admin/su.if
+++ b/policy/modules/admin/su.if
@@ -41,13 +41,14 @@ template(`su_restricted_domain_template', `
 
 	allow $2 $1_su_t:process signal;
 
-	allow $1_su_t self:capability { audit_control audit_write setuid setgid net_bind_service chown dac_override fowner sys_nice sys_resource };
+	allow $1_su_t self:capability { audit_control audit_write setuid setgid net_bind_service chown dac_read_search dac_override fowner sys_nice sys_resource };
 	dontaudit $1_su_t self:capability sys_tty_config;
 	allow $1_su_t self:key { search write };
 	allow $1_su_t self:process { setexec setsched setrlimit };
 	allow $1_su_t self:fifo_file rw_fifo_file_perms;
 	allow $1_su_t self:netlink_audit_socket { nlmsg_relay create_netlink_socket_perms };
 	allow $1_su_t self:unix_stream_socket create_stream_socket_perms;
+    allow $1_su_t self:netlink_selinux_socket create_socket_perms;
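Review bot: The added `allow $1_su_t self:netlink_selinux_socket create_socket_perms;` uses four spaces of indentation where the rest of the template uses a tab; make it a tab. More substantively, this template keeps its own per-domain capability, process, fifo and netlink rules while the su.te hunk in this patch adds the same rules on the `su_domain_type` attribute; if `$1_su_t` carries that attribute (its `type` declaration is above this hunk, so I cannot confirm), these lines are now duplicates and should be removed here as they were from `su_role_template`, so the two templates stop drifting apart.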
 
 	# Transition from the user domain to this domain.
 	domtrans_pattern($2, su_exec_t, $1_su_t)
@@ -58,6 +59,7 @@ template(`su_restricted_domain_template', `
 	allow $2 $1_su_t:fifo_file rw_file_perms;
 	allow $2 $1_su_t:process sigchld;
 
+    kernel_getattr_core_if($1_su_t)
 	kernel_read_system_state($1_su_t)
 	kernel_read_kernel_sysctls($1_su_t)
 	kernel_search_key($1_su_t)
@@ -86,10 +88,10 @@ template(`su_restricted_domain_template', `
 	# Write to utmp.
 	init_rw_utmp($1_su_t)
 	init_search_script_keys($1_su_t)
+    init_getattr_initctl($1_su_t)
 
 	logging_send_syslog_msg($1_su_t)
 
-	miscfiles_read_localization($1_su_t)
 
 	ifdef(`distro_redhat',`
 		# RHEL5 and possibly newer releases incl. Fedora
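Review bot: `init_getattr_initctl($1_su_t)` is indented with spaces rather than the template's tabs, and deleting `miscfiles_read_localization` left two consecutive blank lines before the `ifdef(`distro_redhat'` block; fix both. Note also that the role template elsewhere in this patch gets `init_dontaudit_getattr_initctl` for the same access while this restricted template gets the allow — choose one and apply it to both, since the restricted domain should not end up with more access than the role-based one.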
@@ -119,11 +121,6 @@ template(`su_restricted_domain_template', `
 		userdom_spec_domtrans_unpriv_users($1_su_t)
 	')
 
-	ifdef(`hide_broken_symptoms',`
-		# dontaudit leaked sockets from parent
-		dontaudit $1_su_t $2:socket_class_set { read write };
-	')
-
 	optional_policy(`
 		cron_read_pipes($1_su_t)
 	')
@@ -172,14 +169,6 @@ template(`su_role_template',`
 	role $2 types $1_su_t;
 
 	allow $3 $1_su_t:process signal;
-
-	allow $1_su_t self:capability { audit_control audit_write setuid setgid net_bind_service chown dac_override fowner sys_nice sys_resource };
-	dontaudit $1_su_t self:capability sys_tty_config;
-	allow $1_su_t self:process { setexec setsched setrlimit };
-	allow $1_su_t self:fifo_file rw_fifo_file_perms;
-	allow $1_su_t self:netlink_audit_socket { nlmsg_relay create_netlink_socket_perms };
-	allow $1_su_t self:key { search write };
-
 	allow $1_su_t $3:key search;
 
 	# Transition from the user domain to this domain.
@@ -194,125 +183,16 @@ template(`su_role_template',`
 	allow $3 $1_su_t:process sigchld;
 
 	kernel_read_system_state($1_su_t)
-	kernel_read_kernel_sysctls($1_su_t)
-	kernel_search_key($1_su_t)
-	kernel_link_key($1_su_t)
-
-	# for SSP
-	dev_read_urand($1_su_t)
-
-	fs_search_auto_mountpoints($1_su_t)
-
-	# needed for pam_rootok
-	selinux_compute_access_vector($1_su_t)
-
-	auth_domtrans_chk_passwd($1_su_t)
-	auth_dontaudit_read_shadow($1_su_t)
-	auth_use_nsswitch($1_su_t)
-	auth_rw_faillog($1_su_t)
-
-	corecmd_search_bin($1_su_t)
+	kernel_dontaudit_getattr_core_if($1_su_t)
 
-	domain_use_interactive_fds($1_su_t)
+	auth_use_pam($1_su_t)
 
-	files_read_etc_files($1_su_t)
-	files_read_etc_runtime_files($1_su_t)
-	files_search_var_lib($1_su_t)
-	files_dontaudit_getattr_tmp_dirs($1_su_t)
-
-	init_dontaudit_use_fds($1_su_t)
-	# Write to utmp.
-	init_rw_utmp($1_su_t)
+	init_dontaudit_getattr_initctl($1_su_t)
 
 	mls_file_write_all_levels($1_su_t)
 
 	logging_send_syslog_msg($1_su_t)
 
-	miscfiles_read_localization($1_su_t)
-
-	userdom_use_user_terminals($1_su_t)
-	userdom_search_user_home_dirs($1_su_t)
-
-	ifdef(`distro_redhat',`
-		# RHEL5 and possibly newer releases incl. Fedora
-		auth_domtrans_upd_passwd($1_su_t)
-
-		optional_policy(`
-			locallogin_search_keys($1_su_t)
-		')
-	')
-
-	ifdef(`distro_rhel4',`
-		domain_role_change_exemption($1_su_t)
-		domain_subj_id_change_exemption($1_su_t)
-		domain_obj_id_change_exemption($1_su_t)
-
-		selinux_get_fs_mount($1_su_t)
-		selinux_validate_context($1_su_t)
-		selinux_compute_create_context($1_su_t)
-		selinux_compute_relabel_context($1_su_t)
-		selinux_compute_user_contexts($1_su_t)
-
-		# Relabel ttys and ptys.
-		term_relabel_all_ttys($1_su_t)
-		term_relabel_all_ptys($1_su_t)
-		# Close and re-open ttys and ptys to get the fd into the correct domain.
-		term_use_all_ttys($1_su_t)
-		term_use_all_ptys($1_su_t)
-
-		seutil_read_config($1_su_t)
-		seutil_read_default_contexts($1_su_t)
-
-		if(secure_mode) {
-			# Only allow transitions to unprivileged user domains.
-			userdom_spec_domtrans_unpriv_users($1_su_t)
-		} else {
-			# Allow transitions to all user domains
-			userdom_spec_domtrans_all_users($1_su_t)
-		}
-
-		optional_policy(`
-			unconfined_domtrans($1_su_t)
-			unconfined_signal($1_su_t)
-		')
-	')
-
-	ifdef(`hide_broken_symptoms',`
-		# dontaudit leaked sockets from parent
-		dontaudit $1_su_t $3:socket_class_set { read write };
-	')
-
-	tunable_policy(`allow_polyinstantiation',`
-		fs_mount_xattr_fs($1_su_t)
-		fs_unmount_xattr_fs($1_su_t)
-	')
-
-	tunable_policy(`use_nfs_home_dirs',`
-		fs_search_nfs($1_su_t)
-	')
-
-	tunable_policy(`use_samba_home_dirs',`
-		fs_search_cifs($1_su_t)
-	')
-
-	optional_policy(`
-		cron_read_pipes($1_su_t)
-	')
-
-	optional_policy(`
-		kerberos_use($1_su_t)
-	')
-
-	optional_policy(`
-		# used when the password has expired
-		usermanage_read_crack_db($1_su_t)
-	')
-
-	# Modify .Xauthority file (via xauth program).
-	optional_policy(`
-		xserver_user_home_dir_filetrans_user_xauth($1_su_t)
-		xserver_domtrans_xauth($1_su_t)
-	')
 ')
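Review bot: The role template now grants `kernel_dontaudit_getattr_core_if` and `init_dontaudit_getattr_initctl` while `su_restricted_domain_template` above grants the corresponding `kernel_getattr_core_if`/`init_getattr_initctl` allows, so the two su flavours diverge on the same accesses for no stated reason; pick one behaviour for both. Replacing the explicit `auth_domtrans_chk_passwd`/`auth_dontaudit_read_shadow`/`auth_rw_faillog` set with `auth_use_pam($1_su_t)` bundles whatever that interface grants in this tree, which on some trees includes direct `shadow_t` read — confirm it does not hand the user's su domain more than the old rules did. Everything else removed here (sysctls, keys, urandom, utmp, terminals, the tunables and optional blocks) presumably moved to the `su_domain_type` rules in su.te; `userdom_use_user_terminals` is the one to double-check, since the template no longer has any terminal rule of its own.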
 
 #######################################
diff --git a/policy/modules/admin/su.te b/policy/modules/admin/su.te
index 85bb77e05..a4302332a 100644
--- a/policy/modules/admin/su.te
+++ b/policy/modules/admin/su.te
@@ -9,3 +9,82 @@ attribute su_domain_type;
 
 type su_exec_t;
 corecmd_executable_file(su_exec_t)
+
+allow su_domain_type self:capability { audit_control audit_write setuid setgid net_bind_service chown dac_read_search dac_override fowner sys_nice sys_resource };
+dontaudit su_domain_type self:capability sys_tty_config;
+allow su_domain_type self:process { setexec setsched setrlimit };
+allow su_domain_type self:fifo_file rw_fifo_file_perms;
+allow su_domain_type self:netlink_audit_socket { nlmsg_relay create_netlink_socket_perms };
+allow su_domain_type self:key { search write };
+
+kernel_read_kernel_sysctls(su_domain_type)
+kernel_search_key(su_domain_type)
+kernel_link_key(su_domain_type)
+
+# for SSP
+dev_read_urand(su_domain_type)
+dev_dontaudit_getattr_all(su_domain_type)
+
+fs_search_auto_mountpoints(su_domain_type)
+
+# needed for pam_rootok
+selinux_compute_access_vector(su_domain_type)
+
+corecmd_search_bin(su_domain_type)
+
+domain_use_interactive_fds(su_domain_type)
+
+files_read_etc_files(su_domain_type)
+files_read_etc_runtime_files(su_domain_type)
+files_search_var_lib(su_domain_type)
+files_dontaudit_getattr_tmp_dirs(su_domain_type)
+
+init_dontaudit_use_fds(su_domain_type)
+# Write to utmp.
+init_rw_utmp(su_domain_type)
+init_read_state(su_domain_type)
+
+userdom_use_user_terminals(su_domain_type)
+userdom_search_user_home_dirs(su_domain_type)
+userdom_search_admin_dir(su_domain_type)
+
+ifdef(`distro_redhat',`
+	# RHEL5 and possibly newer releases incl. Fedora
+	auth_domtrans_upd_passwd(su_domain_type)
+
+	optional_policy(`
+		locallogin_search_keys(su_domain_type)
+	')
+')
+
+tunable_policy(`polyinstantiation_enabled',`
+	fs_mount_xattr_fs(su_domain_type)
+	fs_unmount_xattr_fs(su_domain_type)
+')
+
+tunable_policy(`use_nfs_home_dirs',`
+	fs_search_nfs(su_domain_type)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+	fs_search_cifs(su_domain_type)
+')
+
+optional_policy(`
+	cron_read_pipes(su_domain_type)
+')
+
+optional_policy(`
+	kerberos_use(su_domain_type)
+')
+
+optional_policy(`
+	# used when the password has expired
+	usermanage_read_crack_db(su_domain_type)
+')
+
+# Modify .Xauthority file (via xauth program).
+optional_policy(`
+	xserver_user_home_dir_filetrans_user_xauth(su_domain_type)
+	xserver_domtrans_xauth(su_domain_type)
+')
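Review bot: These attribute-level rules repeat, line for line, the capability, process, fifo, netlink and key rules that `su_restricted_domain_template` still declares on `$1_su_t` in su.if (and the `kernel_*`, `dev_read_urand`, `init_rw_utmp`, tunable and optional blocks as well); if every `$1_su_t` is a `su_domain_type`, the copies in the restricted template are dead weight and should be removed there so there is one source of truth. Two things deserve a comment here: `userdom_use_user_terminals(su_domain_type)` is the full open/rw variant while the rest of this patch moves domains to `_inherited_` terminal access, which is deliberate for su (it re-opens the tty) but not obvious, and the `polyinstantiation_enabled` tunable replaces the role template's `allow_polyinstantiation`, so make sure the boolean is declared under the new name in this tree.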
diff --git a/policy/modules/admin/sudo.fc b/policy/modules/admin/sudo.fc
index 7bddc02a4..2b59ed0a0 100644
--- a/policy/modules/admin/sudo.fc
+++ b/policy/modules/admin/sudo.fc
@@ -1,2 +1,4 @@
 
 /usr/bin/sudo(edit)?	--	gen_context(system_u:object_r:sudo_exec_t,s0)
+
+/var/db/sudo(/.*)?		gen_context(system_u:object_r:sudo_db_t,s0)
diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if
index 096019932..2e75ec7de 100644
--- a/policy/modules/admin/sudo.if
+++ b/policy/modules/admin/sudo.if
@@ -32,6 +32,7 @@ template(`sudo_role_template',`
 
 	gen_require(`
 		type sudo_exec_t;
+		type sudo_db_t;
 		attribute sudodomain;
 	')
 
@@ -45,27 +46,13 @@ template(`sudo_role_template',`
 	domain_interactive_fd($1_sudo_t)
 	domain_role_change_exemption($1_sudo_t)
 	role $2 types $1_sudo_t;
+	userdom_home_manager($1_sudo_t)
 
-	##############################
-	#
-	# Local Policy
-	#
+	type $1_sudo_tmp_t;
+	files_tmp_file($1_sudo_tmp_t)
 
-	# Use capabilities.
-	allow $1_sudo_t self:capability { fowner setuid setgid dac_override sys_nice sys_resource };
-	allow $1_sudo_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
-	allow $1_sudo_t self:process { setexec setrlimit };
-	allow $1_sudo_t self:fd use;
-	allow $1_sudo_t self:fifo_file rw_fifo_file_perms;
-	allow $1_sudo_t self:shm create_shm_perms;
-	allow $1_sudo_t self:sem create_sem_perms;
-	allow $1_sudo_t self:msgq create_msgq_perms;
-	allow $1_sudo_t self:msg { send receive };
-	allow $1_sudo_t self:unix_dgram_socket create_socket_perms;
-	allow $1_sudo_t self:unix_stream_socket create_stream_socket_perms;
-	allow $1_sudo_t self:unix_dgram_socket sendto;
-	allow $1_sudo_t self:unix_stream_socket connectto;
-	allow $1_sudo_t self:key manage_key_perms;
+	allow $1_sudo_t $1_sudo_tmp_t:file manage_file_perms;
+	files_tmp_filetrans($1_sudo_t, $1_sudo_tmp_t, file)
 
 	allow $1_sudo_t $3:key search;
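Review bot: `userdom_home_manager($1_sudo_t)` gives every per-role sudo domain create/delete/rename rights over all user home content, considerably broader than the `userdom_manage_user_home_content_files` removed in the next hunk, and the reason is not stated; if the need is sudoedit writing the edited file back, a comment such as `# sudoedit writes the edited copy back into the user's home` plus the narrowest interface that covers it would be better. The self-capability, process and socket rules deleted from this template presumably move to the `sudodomain` attribute in sudo.te, which is outside this hunk — if not, the domain loses `setuid`/`setgid`/`dac_override`. The new `$1_sudo_tmp_t` type and transition look right; a one-line comment on what sudo puts in /tmp would help the next reader.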
 
@@ -75,88 +62,30 @@ template(`sudo_role_template',`
 	# By default, revert to the calling domain when a shell is executed.
 	corecmd_shell_domtrans($1_sudo_t, $3)
 	corecmd_bin_domtrans($1_sudo_t, $3)
+	userdom_domtrans_user_home($1_sudo_t, $3)
+	userdom_domtrans_user_tmp($1_sudo_t, $3)
+	domain_entry_file($3, sudo_exec_t)
+	domain_auto_transition_pattern($1_sudo_t, sudo_exec_t, $3)
+
 	allow $3 $1_sudo_t:fd use;
 	allow $3 $1_sudo_t:fifo_file rw_fifo_file_perms;
 	allow $3 $1_sudo_t:process signal_perms;
 
-	kernel_read_kernel_sysctls($1_sudo_t)
 	kernel_read_system_state($1_sudo_t)
-	kernel_link_key($1_sudo_t)
-
-	corecmd_read_bin_symlinks($1_sudo_t)
-	corecmd_exec_all_executables($1_sudo_t)
-
-	dev_getattr_fs($1_sudo_t)
-	dev_read_urand($1_sudo_t)
-	dev_rw_generic_usb_dev($1_sudo_t)
-	dev_read_sysfs($1_sudo_t)
-
-	domain_use_interactive_fds($1_sudo_t)
-	domain_sigchld_interactive_fds($1_sudo_t)
-	domain_getattr_all_entry_files($1_sudo_t)
-
-	files_read_etc_files($1_sudo_t)
-	files_read_var_files($1_sudo_t)
-	files_read_usr_symlinks($1_sudo_t)
-	files_getattr_usr_files($1_sudo_t)
-	# for some PAM modules and for cwd
-	files_dontaudit_search_home($1_sudo_t)
-	files_list_tmp($1_sudo_t)
-
-	fs_search_auto_mountpoints($1_sudo_t)
-	fs_getattr_xattr_fs($1_sudo_t)
-
-	selinux_validate_context($1_sudo_t)
-	selinux_compute_relabel_context($1_sudo_t)
-
-	term_getattr_pty_fs($1_sudo_t)
-	term_relabel_all_ttys($1_sudo_t)
-	term_relabel_all_ptys($1_sudo_t)
+	seutil_libselinux_linked($1_sudo_t)
 
 	auth_run_chk_passwd($1_sudo_t, $2)
-	# sudo stores a token in the pam_pid directory
-	auth_manage_pam_pid($1_sudo_t)
 	auth_use_nsswitch($1_sudo_t)
 
-	init_rw_utmp($1_sudo_t)
-
-	logging_send_audit_msgs($1_sudo_t)
 	logging_send_syslog_msg($1_sudo_t)
 
-	miscfiles_read_localization($1_sudo_t)
-
-	seutil_search_default_contexts($1_sudo_t)
-	seutil_libselinux_linked($1_sudo_t)
-
-	userdom_spec_domtrans_all_users($1_sudo_t)
-	userdom_create_all_users_keys($1_sudo_t)
-	userdom_manage_user_home_content_files($1_sudo_t)
-	userdom_manage_user_home_content_symlinks($1_sudo_t)
-	userdom_manage_user_tmp_files($1_sudo_t)
-	userdom_manage_user_tmp_symlinks($1_sudo_t)
-	userdom_use_user_terminals($1_sudo_t)
-	# for some PAM modules and for cwd
-	userdom_dontaudit_search_user_home_content($1_sudo_t)
-	userdom_dontaudit_search_user_home_dirs($1_sudo_t)
-
-	ifdef(`hide_broken_symptoms', `
-		dontaudit $1_sudo_t $3:socket_class_set { read write };
-	')
-
-	tunable_policy(`use_nfs_home_dirs',`
-		fs_manage_nfs_files($1_sudo_t)
-	')
-
-	tunable_policy(`use_samba_home_dirs',`
-		fs_manage_cifs_files($1_sudo_t)
-	')
-
 	optional_policy(`
-		dbus_system_bus_client($1_sudo_t)
+		mta_role($2, $1_sudo_t)
 	')
 
 	optional_policy(`
-		fprintd_dbus_chat($1_sudo_t)
+	    	kerberos_manage_host_rcache($1_sudo_t)
+		kerberos_read_config($1_sudo_t)
 	')
 
 ')
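Review bot: `domain_entry_file($3, sudo_exec_t)` together with `domain_auto_transition_pattern($1_sudo_t, sudo_exec_t, $3)` makes the sudo binary an entrypoint of the user domain itself, which is a non-obvious design choice (any domain allowed to transition to $3 can now enter it by executing sudo) and deserves a comment beside the existing "revert to the calling domain" note, e.g. `# sudo executed from within the sudo domain (nested sudo, sudoedit helpers) returns to the caller's domain — presumably, TODO confirm`. The hunk also drops the `use_nfs_home_dirs`/`use_samba_home_dirs` tunable blocks and nothing visible in this diff restores them for `$1_sudo_t` or `sudodomain`; unless `userdom_home_manager` carries those tunables (not visible here), sudo on NFS/CIFS-mounted homes regresses. Minor: the `kerberos_manage_host_rcache` line is indented with a mixed tab/space run; use a single tab like the line below it.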
@@ -178,3 +107,41 @@ interface(`sudo_sigchld',`
 
 	allow $1 sudodomain:process sigchld;
 ')
+
+#######################################
+## <summary>
+##  Allow execute sudo in called domain.
+##  This interfaces is added for nova-stack policy.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`sudo_exec',`
+    gen_require(`
+        type sudo_exec_t;
+    ')
+
+	can_exec($1, sudo_exec_t)
+')
+
+######################################
+## <summary>
+##  Allow to manage sudo database in called domain.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`sudo_manage_db',`
+    gen_require(`
+        type sudo_db_t;
+    ')
+    
+    manage_dirs_pattern($1, sudo_db_t, sudo_db_t)
+    manage_files_pattern($1, sudo_db_t, sudo_db_t)
+')
diff --git a/policy/modules/admin/sudo.te b/policy/modules/admin/sudo.te
index d9fce57ab..174f89336 100644
--- a/policy/modules/admin/sudo.te
+++ b/policy/modules/admin/sudo.te
@@ -7,3 +7,111 @@ attribute sudodomain;
 
 type sudo_exec_t;
 application_executable_file(sudo_exec_t)
+
+type sudo_db_t;
+files_type(sudo_db_t)
+mls_trusted_object(sudo_db_t)
+
+manage_dirs_pattern(sudodomain, sudo_db_t, sudo_db_t)
+manage_files_pattern(sudodomain, sudo_db_t, sudo_db_t)
+
+##############################
+#
+# Local Policy
+#
+
+# Use capabilities.
+allow sudodomain self:capability { chown fowner setuid setgid dac_read_search dac_override sys_nice sys_resource };
+dontaudit sudodomain self:capability net_admin;
+allow sudodomain self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow sudodomain self:process { setexec setrlimit };
+allow sudodomain self:fd use;
+allow sudodomain self:fifo_file rw_fifo_file_perms;
+allow sudodomain self:shm create_shm_perms;
+allow sudodomain self:sem create_sem_perms;
+allow sudodomain self:msgq create_msgq_perms;
+allow sudodomain self:msg { send receive };
+allow sudodomain self:unix_dgram_socket create_socket_perms;
+allow sudodomain self:unix_stream_socket create_stream_socket_perms;
+allow sudodomain self:unix_dgram_socket sendto;
+allow sudodomain self:unix_stream_socket connectto;
+allow sudodomain self:key manage_key_perms;
+allow sudodomain self:netlink_kobject_uevent_socket create_socket_perms;
+
+kernel_getattr_core_if(sudodomain)
+kernel_link_key(sudodomain)
+kernel_read_kernel_sysctls(sudodomain)
+
+corecmd_read_bin_symlinks(sudodomain)
+corecmd_exec_all_executables(sudodomain)
+
+dev_getattr_fs(sudodomain)
+dev_read_urand(sudodomain)
+dev_rw_generic_usb_dev(sudodomain)
+dev_read_sysfs(sudodomain)
+dev_dontaudit_getattr_all(sudodomain)
+
+domain_use_interactive_fds(sudodomain)
+domain_sigchld_interactive_fds(sudodomain)
+domain_getattr_all_entry_files(sudodomain)
+
+files_read_etc_files(sudodomain)
+files_read_var_files(sudodomain)
+files_read_usr_files(sudodomain)
+# for some PAM modules and for cwd
+files_dontaudit_search_home(sudodomain)
+files_list_tmp(sudodomain)
+
+fs_search_auto_mountpoints(sudodomain)
+fs_getattr_all_fs(sudodomain)
+
+selinux_validate_context(sudodomain)
+selinux_compute_relabel_context(sudodomain)
+
+term_getattr_pty_fs(sudodomain)
+term_relabel_all_ttys(sudodomain)
+term_relabel_all_ptys(sudodomain)
+
+#auth_run_chk_passwd(sudodomain)
+# sudo stores a token in the pam_pid directory
+auth_manage_pam_pid(sudodomain)
+auth_manage_faillog(sudodomain)
+
+application_signal(sudodomain)
+
+init_rw_utmp(sudodomain)
+
+logging_send_audit_msgs(sudodomain)
+logging_set_audit_parameters(sudodomain)
+
+seutil_read_default_contexts(sudodomain)
+
+userdom_spec_domtrans_all_users(sudodomain)
+userdom_manage_user_home_content_files(sudodomain)
+userdom_manage_user_home_content_symlinks(sudodomain)
+userdom_manage_user_tmp_files(sudodomain)
+userdom_manage_user_tmp_symlinks(sudodomain)
+userdom_use_user_terminals(sudodomain)
+userdom_signal_all_users(sudodomain)
+userdom_exec_user_home_content_files(sudodomain)
+# for some PAM modules and for cwd
+userdom_search_user_home_content(sudodomain)
+userdom_search_admin_dir(sudodomain)
+userdom_manage_all_users_keys(sudodomain)
+
+tunable_policy(`authlogin_yubikey',`
+    auth_manage_home_content(sudodomain)
+')
+
+optional_policy(`
+	dbus_system_bus_client(sudodomain)
+
+	optional_policy(`
+		systemd_dbus_chat_logind(sudodomain)
+		init_getpgid(sudodomain)
+	')
+')
+
+optional_policy(`
+	fprintd_dbus_chat(sudodomain)
+')
diff --git a/policy/modules/admin/usermanage.fc b/policy/modules/admin/usermanage.fc
index f82f0ce0a..7b8915d47 100644
--- a/policy/modules/admin/usermanage.fc
+++ b/policy/modules/admin/usermanage.fc
@@ -20,6 +20,7 @@ ifdef(`distro_gentoo',`
 /usr/sbin/groupmod	--	gen_context(system_u:object_r:groupadd_exec_t,s0)
 /usr/sbin/grpconv	--	gen_context(system_u:object_r:admin_passwd_exec_t,s0)
 /usr/sbin/grpunconv	--	gen_context(system_u:object_r:admin_passwd_exec_t,s0)
+/usr/sbin/newusers	--	gen_context(system_u:object_r:useradd_exec_t,s0)
 /usr/sbin/pwconv	--	gen_context(system_u:object_r:admin_passwd_exec_t,s0)
 /usr/sbin/pwunconv	--	gen_context(system_u:object_r:admin_passwd_exec_t,s0)
 /usr/sbin/useradd	--	gen_context(system_u:object_r:useradd_exec_t,s0)
@@ -27,6 +28,7 @@ ifdef(`distro_gentoo',`
 /usr/sbin/usermod	--	gen_context(system_u:object_r:useradd_exec_t,s0)
 /usr/sbin/vigr		--	gen_context(system_u:object_r:admin_passwd_exec_t,s0)
 /usr/sbin/vipw		--	gen_context(system_u:object_r:admin_passwd_exec_t,s0)
+/usr/sbin/chpasswd	--	gen_context(system_u:object_r:passwd_exec_t,s0)
 
 /usr/share/cracklib(/.*)?	gen_context(system_u:object_r:crack_db_t,s0)
 
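Review bot: `/usr/sbin/chpasswd` is labelled `passwd_exec_t`, which puts a root-only batch tool into the interactive `passwd_t` domain that roles may be given via `usermanage_run_passwd`, whereas its admin-only siblings in this block (`pwconv`, `grpconv`, `vipw`, `vigr`) use `admin_passwd_exec_t` → `sysadm_passwd_t`. Unless chpasswd specifically needs the PAM/keyring rules of `passwd_t`, the consistent entry would be `/usr/sbin/chpasswd	--	gen_context(system_u:object_r:admin_passwd_exec_t,s0)`. Either way the line is out of alphabetical order relative to the surrounding entries.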
diff --git a/policy/modules/admin/usermanage.if b/policy/modules/admin/usermanage.if
index 99e3903ea..fa68362ea 100644
--- a/policy/modules/admin/usermanage.if
+++ b/policy/modules/admin/usermanage.if
@@ -17,10 +17,6 @@ interface(`usermanage_domtrans_chfn',`
 
 	corecmd_search_bin($1)
 	domtrans_pattern($1, chfn_exec_t, chfn_t)
-
-	ifdef(`hide_broken_symptoms',`
-		dontaudit chfn_t $1:socket_class_set { read write };
-	')
 ')
 
 ########################################
@@ -42,6 +38,7 @@ interface(`usermanage_domtrans_chfn',`
 interface(`usermanage_run_chfn',`
 	gen_require(`
 		attribute_role chfn_roles;
+		type chfn_t;
 	')
 
 	usermanage_domtrans_chfn($1)
@@ -65,10 +62,25 @@ interface(`usermanage_domtrans_groupadd',`
 
 	corecmd_search_bin($1)
 	domtrans_pattern($1, groupadd_exec_t, groupadd_t)
+')
 
-	ifdef(`hide_broken_symptoms',`
-		dontaudit groupadd_t $1:socket_class_set { read write };
+########################################
+## <summary>
+##	Check access to the groupadd executable.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`usermanage_access_check_groupadd',`
+	gen_require(`
+		type groupadd_exec_t;
 	')
+
+	corecmd_search_bin($1)
+	allow $1 groupadd_exec_t:file { getattr_file_perms execute };
 ')
 
 ########################################
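Review bot: `usermanage_access_check_groupadd` grants `{ getattr_file_perms execute }` on `groupadd_exec_t` but no `execute_no_trans` and no transition, so a caller can `stat`/`access(X_OK)` the binary yet cannot actually run it in its own domain; that is presumably the intent given the name, but the summary should say so, e.g. `## Check access to the groupadd executable (getattr/execute only; no execute_no_trans, so the caller cannot run it — use usermanage_domtrans_groupadd to execute it).` Without that note a reader may add the interface expecting groupadd to run. The `usermanage_check_exec_*` interfaces visible at later hunk headers in this file appear to serve the same purpose; if they do, one naming scheme should win.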
@@ -90,6 +102,7 @@ interface(`usermanage_domtrans_groupadd',`
 #
 interface(`usermanage_run_groupadd',`
 	gen_require(`
+		type groupadd_t;
 		attribute_role groupadd_roles;
 	')
 
@@ -114,10 +127,6 @@ interface(`usermanage_domtrans_passwd',`
 
 	corecmd_search_bin($1)
 	domtrans_pattern($1, passwd_exec_t, passwd_t)
-
-	ifdef(`hide_broken_symptoms',`
-		dontaudit passwd_t $1:socket_class_set { read write };
-	')
 ')
 
 ########################################
@@ -174,6 +183,7 @@ interface(`usermanage_check_exec_passwd',`
 #
 interface(`usermanage_run_passwd',`
 	gen_require(`
+		type passwd_t;
 		attribute_role passwd_roles;
 	')
 
@@ -181,6 +191,25 @@ interface(`usermanage_run_passwd',`
 	roleattribute $2 passwd_roles;
 ')
 
+########################################
+## <summary>
+##	Check access to the passwd executable
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`usermanage_access_check_passwd',`
+	gen_require(`
+		type passwd_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	allow $1 passwd_exec_t:file { getattr_file_perms execute };
+')
+
 ########################################
 ## <summary>
 ##	Execute password admin functions in
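Review bot: `usermanage_access_check_passwd` appears to duplicate the existing `usermanage_check_exec_passwd`, whose definition begins just above this hunk (visible in the previous hunk header); both seem to grant getattr/execute on `passwd_exec_t` without a transition. Two interfaces with the same effect and near-identical names invite drift — either make the new one a one-line wrapper, `usermanage_check_exec_passwd($1)`, or drop it and update its callers. If they intentionally differ (e.g. one also grants `execute_no_trans`), both summaries should state the difference.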
@@ -221,6 +250,7 @@ interface(`usermanage_domtrans_admin_passwd',`
 #
 interface(`usermanage_run_admin_passwd',`
 	gen_require(`
+		type sysadm_passwd_t;
 		attribute_role sysadm_passwd_roles;
 	')
 
@@ -263,10 +293,6 @@ interface(`usermanage_domtrans_useradd',`
 
 	corecmd_search_bin($1)
 	domtrans_pattern($1, useradd_exec_t, useradd_t)
-
-	ifdef(`hide_broken_symptoms',`
-		dontaudit useradd_t $1:socket_class_set { read write };
-	')
 ')
 
 ########################################
@@ -307,12 +333,32 @@ interface(`usermanage_check_exec_useradd',`
 interface(`usermanage_run_useradd',`
 	gen_require(`
 		attribute_role useradd_roles;
+		type useradd_t;
 	')
 
 	usermanage_domtrans_useradd($1)
 	roleattribute $2 useradd_roles;
 ')
 
+########################################
+## <summary>
+##	Check access to the useradd executable.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`usermanage_access_check_useradd',`
+	gen_require(`
+		type useradd_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	allow $1 useradd_exec_t:file { getattr_file_perms execute };
+')
+
 ########################################
 ## <summary>
 ##	Read the crack database.
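Review bot: `usermanage_access_check_useradd` sits a few lines below the existing `usermanage_check_exec_useradd` (its header is visible at the start of this hunk) and appears to grant the same getattr/execute-without-transition access on `useradd_exec_t`. Prefer one interface: make the new one call `usermanage_check_exec_useradd($1)` or remove it and point callers at the existing name. If there is a deliberate difference between the two, document it in both summaries, since the names alone do not convey one.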
diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
index 1d732f1e7..6a7c8001a 100644
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
@@ -26,6 +26,7 @@ type chfn_exec_t;
 domain_obj_id_change_exemption(chfn_t)
 application_domain(chfn_t, chfn_exec_t)
 role chfn_roles types chfn_t;
+role system_r types chfn_t;
 
 type crack_t;
 type crack_exec_t;
@@ -44,9 +45,11 @@ domain_obj_id_change_exemption(groupadd_t)
 init_system_domain(groupadd_t, groupadd_exec_t)
 role groupadd_roles types groupadd_t;
 
+
 type passwd_t;
 type passwd_exec_t;
 domain_obj_id_change_exemption(passwd_t)
+domain_system_change_exemption(passwd_t)
 application_domain(passwd_t, passwd_exec_t)
 role passwd_roles types passwd_t;
 
@@ -61,15 +64,19 @@ files_tmp_file(sysadm_passwd_tmp_t)
 type useradd_t;
 type useradd_exec_t;
 domain_obj_id_change_exemption(useradd_t)
+domain_system_change_exemption(useradd_t)
 init_system_domain(useradd_t, useradd_exec_t)
 role useradd_roles types useradd_t;
 
+type useradd_var_run_t;
+files_pid_file(useradd_var_run_t)
+
 ########################################
 #
 # Chfn local policy
 #
 
-allow chfn_t self:capability { chown dac_override fsetid setuid setgid sys_resource };
+allow chfn_t self:capability { chown dac_read_search dac_override fsetid setuid setgid sys_resource };
 allow chfn_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
 allow chfn_t self:process { setrlimit setfscreate };
 allow chfn_t self:fd use;
@@ -86,6 +93,7 @@ allow chfn_t self:unix_stream_socket connectto;
 
 kernel_read_system_state(chfn_t)
 kernel_read_kernel_sysctls(chfn_t)
+kernel_dontaudit_getattr_core_if(chfn_t)
 
 selinux_get_fs_mount(chfn_t)
 selinux_validate_context(chfn_t)
@@ -94,25 +102,29 @@ selinux_compute_create_context(chfn_t)
 selinux_compute_relabel_context(chfn_t)
 selinux_compute_user_contexts(chfn_t)
 
-term_use_all_ttys(chfn_t)
-term_use_all_ptys(chfn_t)
+term_use_all_inherited_ttys(chfn_t)
+term_use_all_inherited_ptys(chfn_t)
+term_getattr_all_ptys(chfn_t)
 
 fs_getattr_xattr_fs(chfn_t)
 fs_search_auto_mountpoints(chfn_t)
 
 # for SSP
 dev_read_urand(chfn_t)
+dev_dontaudit_getattr_all(chfn_t)
 
+auth_manage_passwd(chfn_t)
+auth_use_pam(chfn_t)
 auth_run_chk_passwd(chfn_t, chfn_roles)
-auth_dontaudit_read_shadow(chfn_t)
-auth_use_nsswitch(chfn_t)
+#auth_dontaudit_read_shadow(chfn_t)
+#auth_use_nsswitch(chfn_t)
 
 # allow checking if a shell is executable
 corecmd_check_exec_shell(chfn_t)
+corecmd_exec_bin(chfn_t)
 
 domain_use_interactive_fds(chfn_t)
 
-files_manage_etc_files(chfn_t)
 files_read_etc_runtime_files(chfn_t)
 files_dontaudit_search_var(chfn_t)
 files_dontaudit_search_home(chfn_t)
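Review bot: The commented-out `#auth_dontaudit_read_shadow(chfn_t)` and `#auth_use_nsswitch(chfn_t)` are dead code; if `auth_use_pam(chfn_t)` supersedes them (it plausibly pulls in nsswitch, but that is not visible here) delete them instead of leaving them as comments. The comment `# allow checking if a shell is executable` now reads as if it also covers the added `corecmd_exec_bin(chfn_t)`, which grants execution of every `bin_t` program in the chfn domain — far more than a check; give the new line its own comment naming the helper it was added for, or narrow it to that executable. Replacing `files_manage_etc_files` with `auth_manage_passwd` is a welcome tightening.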
@@ -120,13 +132,15 @@ files_dontaudit_search_home(chfn_t)
 # /usr/bin/passwd asks for w access to utmp, but it will operate
 # correctly without it.  Do not audit write denials to utmp.
 init_dontaudit_rw_utmp(chfn_t)
-
-miscfiles_read_localization(chfn_t)
+init_dontaudit_getattr_initctl(chfn_t)
 
 logging_send_syslog_msg(chfn_t)
 
 seutil_read_file_contexts(chfn_t)
 
+userdom_manage_user_tmp_files(chfn_t)
+userdom_tmp_filetrans_user_tmp(chfn_t, { file })
+
 userdom_use_unpriv_users_fds(chfn_t)
 # user generally runs this from their home directory, so do not audit a search
 # on user home dir
@@ -136,6 +150,16 @@ optional_policy(`
 	nscd_run(chfn_t, chfn_roles)
 ')
 
+optional_policy(`
+	rssh_exec(chfn_t)
+')
+
+optional_policy(`
+	# allow to exec tmux
+	screen_exec(chfn_t)
+')
+
+
 ########################################
 #
 # Crack local policy
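Review bot: The comment `# allow to exec tmux` sits above `screen_exec(chfn_t)`; if tmux is labelled `screen_exec_t` on this policy base (not visible here) say so, e.g. `# chsh may exec screen/tmux (tmux is labelled screen_exec_t)`, otherwise the comment and the interface disagree. Neither this nor the `rssh_exec` block explains why a finger-information editor needs to execute other programs at all; a one-line note on the chsh shell-validation path would help. Also drop one of the two blank lines before the Crack section header.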
@@ -186,7 +210,7 @@ optional_policy(`
 # Groupadd local policy
 #
 
-allow groupadd_t self:capability { dac_override chown kill setuid sys_resource audit_write };
+allow groupadd_t self:capability { dac_read_search dac_override chown kill setuid sys_resource audit_write };
 dontaudit groupadd_t self:capability { fsetid sys_tty_config };
 allow groupadd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
 allow groupadd_t self:process { setrlimit setfscreate };
@@ -212,17 +236,18 @@ selinux_compute_create_context(groupadd_t)
 selinux_compute_relabel_context(groupadd_t)
 selinux_compute_user_contexts(groupadd_t)
 
-term_use_all_ttys(groupadd_t)
-term_use_all_ptys(groupadd_t)
+term_use_all_inherited_terms(groupadd_t)
+term_getattr_all_ptys(groupadd_t)
 
 init_use_fds(groupadd_t)
 init_read_utmp(groupadd_t)
 init_dontaudit_write_utmp(groupadd_t)
+init_dbus_chat(groupadd_t)
 
 domain_use_interactive_fds(groupadd_t)
 
-files_manage_etc_files(groupadd_t)
 files_relabel_etc_files(groupadd_t)
+files_read_etc_files(groupadd_t)
 files_read_etc_runtime_files(groupadd_t)
 files_read_usr_symlinks(groupadd_t)
 
@@ -232,14 +257,14 @@ corecmd_exec_bin(groupadd_t)
 logging_send_audit_msgs(groupadd_t)
 logging_send_syslog_msg(groupadd_t)
 
-miscfiles_read_localization(groupadd_t)
 
 auth_run_chk_passwd(groupadd_t, groupadd_roles)
 auth_rw_lastlog(groupadd_t)
 auth_use_nsswitch(groupadd_t)
+auth_manage_passwd(groupadd_t)
+auth_manage_shadow(groupadd_t)
 # these may be unnecessary due to the above
 # domtrans_chk_passwd() call.
-auth_manage_shadow(groupadd_t)
 auth_relabel_shadow(groupadd_t)
 auth_etc_filetrans_shadow(groupadd_t)
 
@@ -250,6 +275,10 @@ userdom_use_unpriv_users_fds(groupadd_t)
 # for when /root is the cwd
 userdom_dontaudit_search_user_home_dirs(groupadd_t)
 
+optional_policy(`
+    dbus_system_bus_client(groupadd_t)
+')
+
 optional_policy(`
 	dpkg_use_fds(groupadd_t)
 	dpkg_rw_pipes(groupadd_t)
@@ -273,7 +302,7 @@ optional_policy(`
 # Passwd local policy
 #
 
-allow passwd_t self:capability { chown dac_override fsetid setuid setgid sys_nice sys_resource };
+allow passwd_t self:capability { chown dac_read_search dac_read_search dac_override ipc_lock fsetid setuid setgid sys_nice sys_resource sys_admin };
 dontaudit passwd_t self:capability sys_tty_config;
 allow passwd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow passwd_t self:process { setrlimit setfscreate };
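Review bot: The new capability set for `passwd_t` lists `dac_read_search` twice and adds `sys_admin` and `ipc_lock` without explanation; `sys_admin` in particular is close to root-equivalent and should not enter an interactive domain that roles can reach via `usermanage_run_passwd` without a comment naming the operation that needs it. Suggest `allow passwd_t self:capability { chown dac_read_search dac_override ipc_lock fsetid setuid setgid sys_nice sys_resource };` with `# ipc_lock: mlock of password buffers (TODO confirm)` above it, and reinstate `sys_admin` only together with the specific denial it fixes.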
@@ -288,6 +317,7 @@ allow passwd_t self:shm create_shm_perms;
 allow passwd_t self:sem create_sem_perms;
 allow passwd_t self:msgq create_msgq_perms;
 allow passwd_t self:msg { send receive };
+allow passwd_t self:netlink_selinux_socket create_socket_perms;
 
 allow passwd_t crack_db_t:dir list_dir_perms;
 read_files_pattern(passwd_t, crack_db_t, crack_db_t)
@@ -296,6 +326,7 @@ kernel_read_kernel_sysctls(passwd_t)
 
 # for SSP
 dev_read_urand(passwd_t)
+dev_dontaudit_getattr_all(passwd_t)
 
 fs_getattr_xattr_fs(passwd_t)
 fs_search_auto_mountpoints(passwd_t)
@@ -310,26 +341,32 @@ selinux_compute_create_context(passwd_t)
 selinux_compute_relabel_context(passwd_t)
 selinux_compute_user_contexts(passwd_t)
 
-term_use_all_ttys(passwd_t)
-term_use_all_ptys(passwd_t)
+term_use_all_inherited_terms(passwd_t)
+term_getattr_all_ptys(passwd_t)
 
 auth_run_chk_passwd(passwd_t, passwd_roles)
+auth_manage_passwd(passwd_t)
 auth_manage_shadow(passwd_t)
 auth_relabel_shadow(passwd_t)
 auth_etc_filetrans_shadow(passwd_t)
-auth_use_nsswitch(passwd_t)
+auth_use_pam(passwd_t)
 
 # allow checking if a shell is executable
 corecmd_check_exec_shell(passwd_t)
+corecmd_exec_bin(passwd_t)
+
+corenet_tcp_connect_kerberos_password_port(passwd_t)
 
 domain_use_interactive_fds(passwd_t)
 
 files_read_etc_runtime_files(passwd_t)
-files_manage_etc_files(passwd_t)
+files_read_usr_files(passwd_t)
 files_search_var(passwd_t)
 files_dontaudit_search_pids(passwd_t)
 files_relabel_etc_files(passwd_t)
 
+term_search_ptys(passwd_t)
+
 # /usr/bin/passwd asks for w access to utmp, but it will operate
 # correctly without it.  Do not audit write denials to utmp.
 init_dontaudit_rw_utmp(passwd_t)
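Review bot: `corecmd_exec_bin(passwd_t)` lands directly under `# allow checking if a shell is executable`, but it grants the passwd domain execution of every `bin_t` program, so the comment now misdescribes the rule; move it below its own comment naming the helper (the gnome-keyring block added later in this file suggests one candidate — TODO confirm) or narrow it to that executable. Swapping `auth_use_nsswitch` for `auth_use_pam` is fine only if `auth_use_pam` includes nsswitch on this policy base, which is not visible here; otherwise name-service lookups regress. Dropping `files_manage_etc_files(passwd_t)` in favour of `auth_manage_passwd(passwd_t)` is a good tightening, assuming the latter covers the /etc/passwd writes passwd makes.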
@@ -338,12 +375,11 @@ init_use_fds(passwd_t)
 logging_send_audit_msgs(passwd_t)
 logging_send_syslog_msg(passwd_t)
 
-miscfiles_read_localization(passwd_t)
 
 seutil_read_config(passwd_t)
 seutil_read_file_contexts(passwd_t)
 
-userdom_use_user_terminals(passwd_t)
+userdom_use_inherited_user_terminals(passwd_t)
 userdom_use_unpriv_users_fds(passwd_t)
 # make sure that getcon succeeds
 userdom_getattr_all_users(passwd_t)
@@ -352,6 +388,20 @@ userdom_read_user_tmp_files(passwd_t)
 # user generally runs this from their home directory, so do not audit a search
 # on user home dir
 userdom_dontaudit_search_user_home_content(passwd_t)
+userdom_stream_connect(passwd_t)
+userdom_rw_stream(passwd_t)
+
+# needed by gnome-keyring
+userdom_manage_user_tmp_files(passwd_t)
+userdom_manage_user_tmp_sockets(passwd_t)
+userdom_manage_user_tmp_dirs(passwd_t)
+
+optional_policy(`
+	gnome_exec_keyringd(passwd_t)
+	gnome_manage_cache_home_dir(passwd_t)
+	gnome_manage_generic_cache_sockets(passwd_t)
+	gnome_stream_connect_gkeyringd(passwd_t)
+')
 
 optional_policy(`
 	nscd_run(passwd_t, passwd_roles)
@@ -362,7 +412,7 @@ optional_policy(`
 # Password admin local policy
 #
 
-allow sysadm_passwd_t self:capability { chown dac_override fsetid setuid setgid sys_resource };
+allow sysadm_passwd_t self:capability { chown dac_read_search dac_override fsetid setuid setgid sys_resource };
 allow sysadm_passwd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow sysadm_passwd_t self:process { setrlimit setfscreate };
 allow sysadm_passwd_t self:fd use;
@@ -401,9 +451,10 @@ dev_read_urand(sysadm_passwd_t)
 fs_getattr_xattr_fs(sysadm_passwd_t)
 fs_search_auto_mountpoints(sysadm_passwd_t)
 
-term_use_all_ttys(sysadm_passwd_t)
-term_use_all_ptys(sysadm_passwd_t)
+term_use_all_inherited_terms(sysadm_passwd_t)
+term_getattr_all_ptys(sysadm_passwd_t)
 
+auth_manage_passwd(sysadm_passwd_t)
 auth_manage_shadow(sysadm_passwd_t)
 auth_relabel_shadow(sysadm_passwd_t)
 auth_etc_filetrans_shadow(sysadm_passwd_t)
@@ -416,7 +467,6 @@ files_read_usr_files(sysadm_passwd_t)
 
 domain_use_interactive_fds(sysadm_passwd_t)
 
-files_manage_etc_files(sysadm_passwd_t)
 files_relabel_etc_files(sysadm_passwd_t)
 files_read_etc_runtime_files(sysadm_passwd_t)
 # for nscd lookups
@@ -426,12 +476,9 @@ files_dontaudit_search_pids(sysadm_passwd_t)
 # correctly without it.  Do not audit write denials to utmp.
 init_dontaudit_rw_utmp(sysadm_passwd_t)
 
-miscfiles_read_localization(sysadm_passwd_t)
 
 logging_send_syslog_msg(sysadm_passwd_t)
 
-seutil_dontaudit_search_config(sysadm_passwd_t)
-
 userdom_use_unpriv_users_fds(sysadm_passwd_t)
 # user generally runs this from their home directory, so do not audit a search
 # on user home dir
@@ -446,8 +493,10 @@ optional_policy(`
 # Useradd local policy
 #
 
-allow useradd_t self:capability { dac_override chown kill fowner fsetid setuid sys_resource };
-dontaudit useradd_t self:capability sys_tty_config;
+allow useradd_t self:capability { dac_read_search dac_override chown kill fowner fsetid setuid sys_ptrace sys_resource sys_chroot };
+
+dontaudit useradd_t self:capability { net_admin sys_tty_config };
+dontaudit useradd_t self:cap_userns { sys_ptrace };
 allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow useradd_t self:process setfscreate;
 allow useradd_t self:fd use;
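Review bot: `sys_ptrace` and `sys_chroot` are added to `useradd_t`'s capability set with no comment; `sys_chroot` is plausibly for `useradd/userdel --root` and `sys_ptrace` for userdel's scan of /proc for the user's processes (the domain already has `domain_read_all_domains_state`), but neither reason is visible here and both are capabilities a later reviewer will question. Add `# sys_chroot: useradd/userdel --root; sys_ptrace: userdel scans /proc for the user's processes (TODO confirm)` above the allow so the justification survives the next cleanup. Pairing the allow with `dontaudit useradd_t self:cap_userns { sys_ptrace }` is consistent, since the user-namespace variant is clearly not needed.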
@@ -461,6 +510,10 @@ allow useradd_t self:unix_stream_socket create_stream_socket_perms;
 allow useradd_t self:unix_dgram_socket sendto;
 allow useradd_t self:unix_stream_socket connectto;
 
+manage_dirs_pattern(useradd_t, useradd_var_run_t, useradd_var_run_t)
+manage_files_pattern(useradd_t, useradd_var_run_t, useradd_var_run_t)
+files_pid_filetrans(useradd_t, useradd_var_run_t, dir)
+
 # for getting the number of groups
 kernel_read_kernel_sysctls(useradd_t)
 
@@ -468,29 +521,28 @@ corecmd_exec_shell(useradd_t)
 # Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}.
 corecmd_exec_bin(useradd_t)
 
+kernel_getattr_core_if(useradd_t)
+dev_dontaudit_getattr_all(useradd_t)
+
 domain_use_interactive_fds(useradd_t)
 domain_read_all_domains_state(useradd_t)
+domain_dontaudit_read_all_domains_state(useradd_t)
 
-files_manage_etc_files(useradd_t)
 files_search_var_lib(useradd_t)
 files_relabel_etc_files(useradd_t)
 files_read_etc_runtime_files(useradd_t)
+files_manage_etc_files(useradd_t)
+files_create_var_lib_dirs(useradd_t)
+files_rw_var_lib_dirs(useradd_t)
 
 fs_search_auto_mountpoints(useradd_t)
 fs_getattr_xattr_fs(useradd_t)
 
 mls_file_upgrade(useradd_t)
+mls_process_read_to_clearance(useradd_t)
 
-# Allow access to context for shadow file
-selinux_get_fs_mount(useradd_t)
-selinux_validate_context(useradd_t)
-selinux_compute_access_vector(useradd_t)
-selinux_compute_create_context(useradd_t)
-selinux_compute_relabel_context(useradd_t)
-selinux_compute_user_contexts(useradd_t)
-
-term_use_all_ttys(useradd_t)
-term_use_all_ptys(useradd_t)
+term_use_all_inherited_terms(useradd_t)
+term_getattr_all_ptys(useradd_t)
 
 auth_run_chk_passwd(useradd_t, useradd_roles)
 auth_rw_lastlog(useradd_t)
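Review bot: `domain_dontaudit_read_all_domains_state(useradd_t)` is added directly under `domain_read_all_domains_state(useradd_t)`; a dontaudit of an access that is already allowed is a no-op, so one of the two should go — keep the allow if userdel really needs other domains' /proc state, otherwise keep only the dontaudit. `files_manage_etc_files(useradd_t)` is removed and re-added three lines lower in the same hunk, a pure reordering that churns the diff for no effect. The hunk also deletes the `selinux_*` context-computation calls that carried `# Allow access to context for shadow file`; `seutil_semanage_policy` in the next hunk may cover them, but that is not visible from here, so a quick denial check after the change is worthwhile.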
@@ -498,45 +550,50 @@ auth_rw_faillog(useradd_t)
 auth_use_nsswitch(useradd_t)
 # these may be unnecessary due to the above
 # domtrans_chk_passwd() call.
+auth_manage_passwd(useradd_t)
 auth_manage_shadow(useradd_t)
 auth_relabel_shadow(useradd_t)
 auth_etc_filetrans_shadow(useradd_t)
 
 init_use_fds(useradd_t)
 init_rw_utmp(useradd_t)
+init_dbus_chat(useradd_t)
 
 logging_send_audit_msgs(useradd_t)
 logging_send_syslog_msg(useradd_t)
 
-miscfiles_read_localization(useradd_t)
+
+seutil_semanage_policy(useradd_t)
+seutil_manage_file_contexts(useradd_t)
+seutil_manage_config(useradd_t)
+seutil_manage_login_config(useradd_t)
+seutil_manage_default_contexts(useradd_t)
 
 seutil_read_config(useradd_t)
 seutil_read_file_contexts(useradd_t)
 seutil_read_default_contexts(useradd_t)
+seutil_get_semanage_trans_lock(useradd_t)
+seutil_get_semanage_read_lock(useradd_t)
 seutil_run_semanage(useradd_t, useradd_roles)
 seutil_run_setfiles(useradd_t, useradd_roles)
+seutil_run_loadpolicy(useradd_t, useradd_roles)
 
 userdom_use_unpriv_users_fds(useradd_t)
 # Add/remove user home directories
-userdom_manage_user_home_dirs(useradd_t)
-userdom_home_filetrans_user_home_dir(useradd_t)
-userdom_manage_user_home_content_dirs(useradd_t)
-userdom_manage_user_home_content_files(useradd_t)
 userdom_home_filetrans_user_home_dir(useradd_t)
-userdom_user_home_dir_filetrans_user_home_content(useradd_t, notdevfile_class_set)
+userdom_manage_home_role(system_r, useradd_t)
+userdom_delete_all_user_home_content(useradd_t)
 
 optional_policy(`
 	mta_manage_spool(useradd_t)
 ')
 
-ifdef(`distro_redhat',`
-	optional_policy(`
-		unconfined_domain(useradd_t)
-	')
+optional_policy(`
+	apache_manage_all_user_content(useradd_t)
 ')
 
 optional_policy(`
-	apache_manage_all_user_content(useradd_t)
+    dbus_system_bus_client(useradd_t)
 ')
 
 optional_policy(`
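Review bot: The block `seutil_semanage_policy`, `seutil_manage_file_contexts`, `seutil_manage_config`, `seutil_manage_login_config` and `seutil_manage_default_contexts` gives `useradd_t` direct write access to the SELinux policy store, a large privilege for a user-management domain; the `seutil_run_semanage`/`seutil_run_loadpolicy` transitions kept below are the narrower route, so the direct grants need their reason in a comment, e.g. `# useradd -Z/userdel -Z use libsemanage in-process rather than exec'ing semanage (TODO confirm)`. Removing the `distro_redhat` `unconfined_domain(useradd_t)` escape hatch is a real improvement, and the replacement should stay as narrow as the shadow-utils code path allows. Style: the `dbus_system_bus_client` optional block is space-indented in a tab-indented file.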
@@ -544,14 +601,27 @@ optional_policy(`
 	dpkg_rw_pipes(useradd_t)
 ')
 
+optional_policy(`
+    kerberos_manage_kdc_var_lib(useradd_t)
+')
+
 optional_policy(`
 	nscd_run(useradd_t, useradd_roles)
 ')
 
+optional_policy(`
+    openshift_manage_content(useradd_t)
+')
+
 optional_policy(`
 	puppet_rw_tmp(useradd_t)
 ')
 
+optional_policy(`
+	rpc_list_nfs_state_data(useradd_t)
+	rpc_read_nfs_state_data(useradd_t)
+')
+
 optional_policy(`
 	tunable_policy(`samba_domain_controller',`
 		samba_append_log(useradd_t)
@@ -562,3 +632,12 @@ optional_policy(`
 	rpm_use_fds(useradd_t)
 	rpm_rw_pipes(useradd_t)
 ')
+
+optional_policy(`
+    smsd_manage_lib_files(useradd_t)
+    smsd_manage_lib_dirs(useradd_t)
+')
+
+optional_policy(`
+	stapserver_manage_lib(useradd_t)
+')
diff --git a/policy/modules/apps/seunshare.if b/policy/modules/apps/seunshare.if
index 1dc7a85d3..e4f6fc227 100644
--- a/policy/modules/apps/seunshare.if
+++ b/policy/modules/apps/seunshare.if
@@ -43,18 +43,18 @@ interface(`seunshare_run',`
 	role $2 types seunshare_t;
 
 	allow $1 seunshare_t:process signal_perms;
-
-	ifdef(`hide_broken_symptoms', `
-		dontaudit seunshare_t $1:tcp_socket rw_socket_perms;
-		dontaudit seunshare_t $1:udp_socket rw_socket_perms;
-		dontaudit seunshare_t $1:unix_stream_socket rw_socket_perms;
-	')
 ')
 
 ########################################
 ## <summary>
-##	Role access for seunshare
+##	The role template for the seunshare module.
 ## </summary>
+## <param name="role_prefix">
+##	<summary>
+##	The prefix of the user role (e.g., user
+##	is the prefix for user_r).
+##	</summary>
+## </param>
 ## <param name="role">
 ##	<summary>
 ##	Role allowed access.
@@ -66,15 +66,47 @@ interface(`seunshare_run',`
 ##	</summary>
 ## </param>
 #
-interface(`seunshare_role',`
+interface(`seunshare_role_template',`
 	gen_require(`
-		type seunshare_t;
+		attribute seunshare_domain;
+		type seunshare_exec_t;
 	')
 
-	role $2 types seunshare_t;
+	type $1_seunshare_t, seunshare_domain;
+	application_domain($1_seunshare_t, seunshare_exec_t)
+	role $2 types $1_seunshare_t;
 
-	seunshare_domtrans($1)
+	kernel_read_system_state($1_seunshare_t)
+
+    domain_dyntrans_type($1_seunshare_t)
+
+	auth_use_nsswitch($1_seunshare_t)
+
+	logging_send_syslog_msg($1_seunshare_t)
+
+	mls_process_set_level($1_seunshare_t)
+
+	domtrans_pattern($3, seunshare_exec_t, $1_seunshare_t)
+	allow $1_seunshare_t $3:unix_stream_socket getattr;
+
+	# part of sandboxX.pp
+	optional_policy(`
+		sandbox_x_transition($1_seunshare_t, $2)
+	')
+
+	# part of sandbox.pp
+	optional_policy(`
+		sandbox_transition($1_seunshare_t, $2)
+	')
+
+	ps_process_pattern($3, $1_seunshare_t)
+	dontaudit $1_seunshare_t $3:file read;
+	allow $3 $1_seunshare_t:process signal_perms;
+	allow $3 $1_seunshare_t:fd use;
+
+	allow $1_seunshare_t $3:process transition;
+	dontaudit $1_seunshare_t $3:process { noatsecure siginh rlimitinh };
 
-	ps_process_pattern($2, seunshare_t)
-	allow $2 seunshare_t:process signal;
+	corecmd_bin_domtrans($1_seunshare_t, $1_t)
+	corecmd_shell_domtrans($1_seunshare_t, $1_t)
 ')
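Review bot: The last two lines transition back to `$1_t` (`corecmd_bin_domtrans($1_seunshare_t, $1_t)` / `corecmd_shell_domtrans($1_seunshare_t, $1_t)`) while every other rule in the template uses `$3` for the user domain and `allow $1_seunshare_t $3:process transition;` is what authorises the transition; for a caller whose user domain is not literally `$1_t` (the param-1 doc only promises a role prefix), the exec is either denied or lands in the wrong domain. Use `$3` in both lines. `domain_dyntrans_type($1_seunshare_t)` together with `mls_process_set_level` and the attribute's `setcurrent` lets the domain choose its own context; that is inherent to seunshare but deserves a one-line comment so nobody copies this template for an ordinary helper. Indentation: the `domain_dyntrans_type` line is space-indented inside a tab-indented template.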
diff --git a/policy/modules/apps/seunshare.te b/policy/modules/apps/seunshare.te
index 759016583..f50f79935 100644
--- a/policy/modules/apps/seunshare.te
+++ b/policy/modules/apps/seunshare.te
@@ -5,40 +5,65 @@ policy_module(seunshare, 1.1.0)
 # Declarations
 #
 
-type seunshare_t;
+attribute seunshare_domain;
 type seunshare_exec_t;
-application_domain(seunshare_t, seunshare_exec_t)
-role system_r types seunshare_t;
 
 ########################################
 #
 # seunshare local policy
 #
+allow seunshare_domain self:capability { fowner setgid setuid dac_read_search dac_override setpcap sys_admin sys_nice };
+allow seunshare_domain self:process { fork setexec signal getcap setcap setcurrent setsched };
 
-allow seunshare_t self:capability { setuid dac_override setpcap sys_admin };
-allow seunshare_t self:process { setexec signal getcap setcap };
+allow seunshare_domain self:fifo_file rw_file_perms;
+allow seunshare_domain self:unix_stream_socket create_stream_socket_perms;
 
-allow seunshare_t self:fifo_file rw_file_perms;
-allow seunshare_t self:unix_stream_socket create_stream_socket_perms;
+corecmd_exec_shell(seunshare_domain)
+corecmd_exec_bin(seunshare_domain)
+corecmd_getattr_all_executables(seunshare_domain)
 
-corecmd_exec_shell(seunshare_t)
-corecmd_exec_bin(seunshare_t)
+dev_read_urand(seunshare_domain)
+dev_dontaudit_rw_dri(seunshare_domain)
 
-files_read_etc_files(seunshare_t)
-files_mounton_all_poly_members(seunshare_t)
+files_search_all(seunshare_domain)
+files_read_etc_files(seunshare_domain)
+files_mounton_all_poly_members(seunshare_domain)
+files_mounton_rootfs(seunshare_domain)
+files_manage_generic_tmp_dirs(seunshare_domain)
+files_relabelfrom_tmp_dirs(seunshare_domain)
 
-auth_use_nsswitch(seunshare_t)
-
-logging_send_syslog_msg(seunshare_t)
-
-miscfiles_read_localization(seunshare_t)
-
-userdom_use_user_terminals(seunshare_t)
+fs_manage_cgroup_dirs(seunshare_domain)
+fs_manage_cgroup_files(seunshare_domain)
+fs_unmount_all_fs(seunshare_domain)
 
+userdom_dontaudit_rw_user_tmp_pipes(seunshare_domain)
+userdom_use_inherited_user_terminals(seunshare_domain)
+userdom_list_user_home_content(seunshare_domain)
 ifdef(`hide_broken_symptoms', `
-	fs_dontaudit_rw_anon_inodefs_files(seunshare_t)
+	fs_dontaudit_rw_anon_inodefs_files(seunshare_domain)
+ 	fs_dontaudit_list_inotifyfs(seunshare_domain)
 
 	optional_policy(`
-		mozilla_dontaudit_manage_user_home_files(seunshare_t)
+		gnome_dontaudit_rw_inherited_config(seunshare_domain)
 	')
+
+	optional_policy(`
+		mozilla_dontaudit_manage_user_home_files(seunshare_domain)
+		mozilla_plugin_dontaudit_leaks(seunshare_domain)
+	')
+')
+optional_policy(`
+	rsync_exec(seunshare_domain)
+')
+
+tunable_policy(`use_nfs_home_dirs',`
+	fs_mounton_nfs(seunshare_domain)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+	fs_mounton_cifs(seunshare_domain)
+')
+
+tunable_policy(`use_fusefs_home_dirs',`
+	fs_mounton_fusefs(seunshare_domain)
 ')
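Review bot: The `fs_dontaudit_list_inotifyfs(seunshare_domain)` line has a stray leading space before its tab, unlike every neighbouring line; drop the space. The capability set grows from `{ setuid dac_override setpcap sys_admin }` to also include `fowner setgid dac_read_search sys_nice`, and `fs_unmount_all_fs`, `files_mounton_rootfs` and the tmp-dir manage/relabel rights are added — all on the attribute, so every `$1_seunshare_t` domain inherits them — yet none of this carries a comment. A why-comment above the capability rule, such as `# TODO(review): record which seunshare step needs each of sys_admin, dac_read_search, fowner, setgid, sys_nice`, would keep the grant reviewable rather than leaving it as an unexplained widening.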
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
index 33e0f8dad..1eb3faaa3 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -1,9 +1,10 @@
 #
 # /bin
 #
-/bin				-d	gen_context(system_u:object_r:bin_t,s0)
+/bin					gen_context(system_u:object_r:bin_t,s0)
 /bin/.*					gen_context(system_u:object_r:bin_t,s0)
 /bin/d?ash			--	gen_context(system_u:object_r:shell_exec_t,s0)
+/bin/esh			--	gen_context(system_u:object_r:shell_exec_t,s0)
 /bin/bash			--	gen_context(system_u:object_r:shell_exec_t,s0)
 /bin/bash2			--	gen_context(system_u:object_r:shell_exec_t,s0)
 /bin/fish			--	gen_context(system_u:object_r:shell_exec_t,s0)
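Review bot: Removing the `-d` class qualifier from the `/bin` entry (and from `/sbin` in a later hunk) is not explained; presumably it is so the entry also matches when `/bin` is a symlink into `/usr`, since `-d` would not match a symlink. A comment such as `# no -d: /bin may be a symlink on merged-/usr systems` would make that intent visible — hedged, the motivation is not shown here.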
@@ -46,6 +47,7 @@ ifdef(`distro_redhat',`
 /etc/apcupsd/offbattery		--	gen_context(system_u:object_r:bin_t,s0)
 /etc/apcupsd/onbattery		--	gen_context(system_u:object_r:bin_t,s0)
 
+/etc/auto\.[^/]*		--	gen_context(system_u:object_r:bin_t,s0)
 /etc/avahi/.*\.action 		--	gen_context(system_u:object_r:bin_t,s0)
 
 /etc/cipe/ip-up.*		--	gen_context(system_u:object_r:bin_t,s0)
@@ -67,18 +69,33 @@ ifdef(`distro_redhat',`
 /etc/hotplug\.d/default/default.*	gen_context(system_u:object_r:bin_t,s0)
 
 /etc/kde/env(/.*)?			gen_context(system_u:object_r:bin_t,s0)
+/etc/kde/kdm(/.*)?			gen_context(system_u:object_r:bin_t,s0)
 /etc/kde/shutdown(/.*)?			gen_context(system_u:object_r:bin_t,s0)
 
+/etc/redhat-lsb(/.*)?			gen_context(system_u:object_r:bin_t,s0)
+
+/etc/lxdm/LoginReady		--	gen_context(system_u:object_r:bin_t,s0)
+/etc/lxdm/Post.*		--	gen_context(system_u:object_r:bin_t,s0)
+/etc/lxdm/Pre.*			--	gen_context(system_u:object_r:bin_t,s0)
+/etc/lxdm/Xsession		--	gen_context(system_u:object_r:bin_t,s0)
+
+/etc/sddm/Xsession		--	gen_context(system_u:object_r:bin_t,s0)
+/etc/sddm/wayland-session		--	gen_context(system_u:object_r:bin_t,s0)
+/etc/sddm/Xsetup		--	gen_context(system_u:object_r:bin_t,s0)
+/etc/sddm/Xstop		--	gen_context(system_u:object_r:bin_t,s0)
+
 /etc/mail/make			--	gen_context(system_u:object_r:bin_t,s0)
 
 /etc/mcelog/.*-error-trigger	--	gen_context(system_u:object_r:bin_t,s0)
 /etc/mcelog/.*\.local		--	gen_context(system_u:object_r:bin_t,s0)
+/etc/mcelog/.*\.setup		--	gen_context(system_u:object_r:bin_t,s0)
 
 ifdef(`distro_redhat',`
 /etc/mcelog/triggers(/.*)?		gen_context(system_u:object_r:bin_t,s0)
 ')
 
 /etc/mgetty\+sendfax/new_fax	--	gen_context(system_u:object_r:bin_t,s0)
+/etc/munin/plugins(/.*)?		gen_context(system_u:object_r:bin_t,s0)
 
 /etc/netplug\.d(/.*)? 	 		gen_context(system_u:object_r:bin_t,s0)
 
@@ -101,11 +118,8 @@ ifdef(`distro_redhat',`
 
 /etc/rc\.d/init\.d/functions	--	gen_context(system_u:object_r:bin_t,s0)
 
-/etc/security/namespace.init	--	gen_context(system_u:object_r:bin_t,s0)
-
 /etc/sysconfig/crond		--	gen_context(system_u:object_r:bin_t,s0)
 /etc/sysconfig/init		--	gen_context(system_u:object_r:bin_t,s0)
-/etc/sysconfig/libvirtd		--	gen_context(system_u:object_r:bin_t,s0)
 /etc/sysconfig/netconsole	--	gen_context(system_u:object_r:bin_t,s0)
 /etc/sysconfig/readonly-root 	--	gen_context(system_u:object_r:bin_t,s0)
 
@@ -116,6 +130,9 @@ ifdef(`distro_redhat',`
 
 /etc/vmware-tools(/.*)?			gen_context(system_u:object_r:bin_t,s0)
 
+
+/etc/wdmd\.d/checkquorum\.wdmd	gen_context(system_u:object_r:bin_t,s0)
+
 /etc/X11/xdm/GiveConsole	--	gen_context(system_u:object_r:bin_t,s0)
 /etc/X11/xdm/TakeConsole	--	gen_context(system_u:object_r:bin_t,s0)
 /etc/X11/xdm/Xsetup_0		--	gen_context(system_u:object_r:bin_t,s0)
@@ -128,6 +145,8 @@ ifdef(`distro_debian',`
 /etc/mysql/debian-start		--	gen_context(system_u:object_r:bin_t,s0)
 ')
 
+/etc/dhcp/scripts(/.*)?			gen_context(system_u:object_r:bin_t,s0)
+
 #
 # /lib
 #
@@ -135,10 +154,12 @@ ifdef(`distro_debian',`
 /lib/nut/.*			--	gen_context(system_u:object_r:bin_t,s0)
 /lib/readahead(/.*)?			gen_context(system_u:object_r:bin_t,s0)
 /lib/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0)
-/lib/systemd/systemd.*		--	gen_context(system_u:object_r:bin_t,s0)
+/usr/lib64/security/pam_krb5/pam_krb5_cchelper	--	gen_context(system_u:object_r:bin_t,s0)
 /lib/udev/[^/]*			--	gen_context(system_u:object_r:bin_t,s0)
+/lib/udev/devices/MAKEDEV	-l	gen_context(system_u:object_r:bin_t,s0)
 /lib/udev/scsi_id		--	gen_context(system_u:object_r:bin_t,s0)
 /lib/upstart(/.*)?			gen_context(system_u:object_r:bin_t,s0)
+/lib/security/pam_krb5(/.*)?		gen_context(system_u:object_r:bin_t,s0)
 
 ifdef(`distro_gentoo',`
 /lib/dhcpcd/dhcpcd-run-hooks	--	gen_context(system_u:object_r:bin_t,s0)
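Review bot: The new `/lib/security/pam_krb5(/.*)?` entry already covers `/lib/security/pam_krb5/pam_krb5_storetmp`, which is kept a few lines above with the same type; keep one of them. The `/usr/lib64/security/pam_krb5/pam_krb5_cchelper` line is placed in the `# /lib` section and belongs with the `/usr/lib` entries; note that the `/usr/lib/security/pam_krb5(/.*)?` entry added in a later hunk is anchored on `/usr/lib/` and so will not match `/usr/lib64/` on its own.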
@@ -149,10 +170,12 @@ ifdef(`distro_gentoo',`
 /lib/rcscripts/net\.modules\.d/helpers\.d/udhcpc-.* -- gen_context(system_u:object_r:bin_t,s0)
 ')
 
+/usr/lib/erlang/erts.*/bin(/.*)?        gen_context(system_u:object_r:bin_t,s0)
+
 #
 # /sbin
 #
-/sbin				-d	gen_context(system_u:object_r:bin_t,s0)
+/sbin					gen_context(system_u:object_r:bin_t,s0)
 /sbin/.*				gen_context(system_u:object_r:bin_t,s0)
 /sbin/insmod_ksymoops_clean	--	gen_context(system_u:object_r:bin_t,s0)
 /sbin/mkfs\.cramfs		--	gen_context(system_u:object_r:bin_t,s0)
@@ -168,6 +191,7 @@ ifdef(`distro_gentoo',`
 /opt/(.*/)?sbin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
 
 /opt/google/talkplugin(/.*)?		gen_context(system_u:object_r:bin_t,s0)
+/opt/google/chrome(/.*)?		gen_context(system_u:object_r:bin_t,s0)
 
 /opt/gutenprint/cups/lib/filter(/.*)?	gen_context(system_u:object_r:bin_t,s0)
 
@@ -179,34 +203,50 @@ ifdef(`distro_gentoo',`
 /opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0)
 ')
 
+/root/bin(/.*)?				gen_context(system_u:object_r:bin_t,s0)
+
 #
 # /usr
 #
+/usr/bin				-d	gen_context(system_u:object_r:bin_t,s0)
 /usr/(.*/)?Bin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
 /usr/(.*/)?bin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
-/usr/bin/git-shell		--	gen_context(system_u:object_r:shell_exec_t,s0)
+/usr/bin/d?ash			--	gen_context(system_u:object_r:shell_exec_t,s0)
+/usr/bin/esh			--	gen_context(system_u:object_r:shell_exec_t,s0)
+/usr/bin/bash			--	gen_context(system_u:object_r:shell_exec_t,s0)
+/usr/bin/bash2			--	gen_context(system_u:object_r:shell_exec_t,s0)
 /usr/bin/fish			--	gen_context(system_u:object_r:shell_exec_t,s0)
-/usr/bin/scponly		--	gen_context(system_u:object_r:shell_exec_t,s0)
+/usr/bin/ksh.*			--	gen_context(system_u:object_r:shell_exec_t,s0)
+/usr/bin/mksh			--	gen_context(system_u:object_r:shell_exec_t,s0)
+/usr/bin/mountpoint		--	gen_context(system_u:object_r:bin_t,s0)
+/usr/bin/pingus.*			--	gen_context(system_u:object_r:bin_t,s0)
+/usr/bin/sash			--	gen_context(system_u:object_r:shell_exec_t,s0)
 /usr/bin/tcsh			--	gen_context(system_u:object_r:shell_exec_t,s0)
+/usr/bin/yash			--	gen_context(system_u:object_r:shell_exec_t,s0)
+/usr/bin/zsh.*			--	gen_context(system_u:object_r:shell_exec_t,s0)
 
-/usr/lib(.*/)?bin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
+/usr/bin/git-shell		--	gen_context(system_u:object_r:shell_exec_t,s0)
+/usr/bin/scponly		--	gen_context(system_u:object_r:shell_exec_t,s0)
 
 /usr/(.*/)?sbin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
 /usr/lib(.*/)?sbin(/.*)?		gen_context(system_u:object_r:bin_t,s0)
 
 /usr/lib/avahi/avahi-daemon-check-dns\.sh	--	gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/jvm/java(.*/)bin(/.*)		gen_context(system_u:object_r:bin_t,s0)
+/usr/lib(.*/)?bin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/ccache/bin(/.*)?		gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/fence(/.*)?			gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/libreoffice(/.*)?/bin(/.*)?	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/pgsql/test/regress/.*\.sh --	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/qt.*/bin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/wicd/monitor\.py 	-- 	gen_context(system_u:object_r:bin_t, s0)
-/usr/lib/apt/methods.+		--	gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/apt/methods.+	--	gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/chromium-browser(/.*)?		gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/ConsoleKit/scripts(/.*)?	gen_context(system_u:object_r:bin_t,s0)
-/usr/lib/ConsoleKit/run-session.d(/.*)? gen_context(system_u:object_r:bin_t,s0)
-/usr/lib/courier(/.*)?			gen_context(system_u:object_r:bin_t,s0)
-/usr/lib/cups(/.*)? 			gen_context(system_u:object_r:bin_t,s0)
-/usr/lib/cyrus/.*		--	gen_context(system_u:object_r:bin_t,s0)
-/usr/lib/cyrus-imapd/.*		--	gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/ConsoleKit/run-session\.d(/.*)?	gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/courier(/.*)?		gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/cups(/.*)? 		gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/cyrus-imapd/.*	--	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/dpkg/.+		--	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/emacsen-common/.*		gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/gimp/.*/plug-ins(/.*)?		gen_context(system_u:object_r:bin_t,s0)
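Review bot: `/usr/lib/jvm/java(.*/)bin(/.*)` has no `?` on either group, unlike every other `bin(/.*)?` entry in this file, so it matches only paths below a `bin` directory and never the directory itself; it is also completely shadowed by `/usr/(.*/)?bin(/.*)?` a few lines above, which assigns the same type. Either drop it or write it as `/usr/lib/jvm/java(.*/)?bin(/.*)?` with a comment on why a dedicated entry is wanted. The `/usr/lib/apt/methods.+` change touches only whitespace and could be left out of the diff.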
@@ -218,19 +258,32 @@ ifdef(`distro_gentoo',`
 /usr/lib/mailman/mail(/.*)?		gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/mediawiki/math/texvc.*		gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/misc/sftp-server	--	gen_context(system_u:object_r:bin_t,s0)
-/usr/lib/nagios/plugins(/.*)?		gen_context(system_u:object_r:bin_t,s0)
-/usr/lib/netsaint/plugins(/.*)?		gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/nagios/plugins/negate -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/nagios/plugins/urlize  --  gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/nagios/plugins/utils.sh -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/nagios/plugins/utils.pm  --  gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/netsaint/plugins(/.*)?	gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/news/bin(/.*)?		gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/NetworkManager/nm\-.*	--	gen_context(system_u:object_r:bin_t,s0)
-/usr/lib/news/bin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
-/usr/lib/nspluginwrapper/np.*		gen_context(system_u:object_r:bin_t,s0)
-/usr/lib/portage/bin(/.*)?		gen_context(system_u:object_r:bin_t,s0)
-/usr/lib/pm-utils(/.*)?			gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/nspluginwrapper/np.*	gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/ocf(/.*)?		gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/portage/bin(/.*)?	gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/pm-utils(/.*)?		gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/readahead(/.*)?	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/rpm/rpmd		-- 	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/rpm/rpmk		-- 	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/rpm/rpmq		-- 	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/rpm/rpmv		-- 	gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/tumbler-[^/]*/tumblerd	-- 	gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/security/pam_krb5(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/sftp-server		--	gen_context(system_u:object_r:bin_t,s0)
-/usr/lib/vte/gnome-pty-helper	--	gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/systemd/system-sleep(/.*)? 	gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/vte/gnome-pty-helper 	--	gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/yaboot/addnote	      	--	gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/udev/[^/]*			--	gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/udev/devices/MAKEDEV	-l	gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/udev/scsi_id		--	gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/upstart(/.*)?			gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/xfce4/exo-1/exo-compose-mail-1 -- gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/xfce4/exo-1/exo-helper-1 --	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/xfce4/panel/migrate	--	gen_context(system_u:object_r:bin_t,s0)
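Review bot: The `.` is unescaped in `/usr/lib/nagios/plugins/utils.sh` and `utils.pm`, so the pattern also matches e.g. `utilsXsh`; the file's convention (`.*\.local`, `sa-update\.cron`) is `\.`. The same applies to `tucan.py`, `kajongg.py` and `polgengui.py` added in later hunks. Replacing the blanket `/usr/lib/nagios/plugins(/.*)?` entry with four named files leaves every other plugin in that directory with the default label; if that is because the plugins receive a dedicated type in the contrib module, a one-line comment saying so would stop the entry being re-added.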
@@ -245,26 +298,41 @@ ifdef(`distro_gentoo',`
 /usr/lib/debug/sbin(/.*)?	--	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/debug/usr/bin(/.*)?	--	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/debug/usr/sbin(/.*)?	--	gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/debug/usr/libexec(/.*)?	gen_context(system_u:object_r:bin_t,s0)
 
 /usr/lib/[^/]*thunderbird[^/]*/thunderbird -- gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/[^/]*thunderbird[^/]*/thunderbird-bin -- gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/[^/]*thunderbird[^/]*/open-browser\.sh -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/xulrunner[^/]*/xulrunner[^/]* --	gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/xulrunner[^/]*/updater --	gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/xulrunner[^/]*/crashreporter --	gen_context(system_u:object_r:bin_t,s0)
+
 /usr/lib/[^/]*/run-mozilla\.sh --	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/[^/]*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/thunderbird.*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0)
 
 /usr/lib/xen/bin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
-
 /usr/libexec(/.*)?			gen_context(system_u:object_r:bin_t,s0)
+
 /usr/libexec/git-core/git-shell	--	gen_context(system_u:object_r:shell_exec_t,s0)
-/usr/libexec/sesh		--	gen_context(system_u:object_r:shell_exec_t,s0)
+/usr/libexec/cockpit-agent      --  gen_context(system_u:object_r:shell_exec_t,s0)
+/usr/bin/cockpit-bridge         -- gen_context(system_u:object_r:shell_exec_t,s0)
+/usr/libexec/sesh		        --	gen_context(system_u:object_r:shell_exec_t,s0)
+/usr/libexec/sudo/sesh		        --	gen_context(system_u:object_r:shell_exec_t,s0)
 
 /usr/libexec/openssh/sftp-server --	gen_context(system_u:object_r:bin_t,s0)
 
-/usr/local/Brother(/.*)?		gen_context(system_u:object_r:bin_t,s0)
-/usr/local/Printer(/.*)?		gen_context(system_u:object_r:bin_t,s0)
-/usr/local/linuxprinter/filters(/.*)?	gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/xfce4(/.*)?	gen_context(system_u:object_r:bin_t,s0)
+
+/usr/Brother(/.*)?              gen_context(system_u:object_r:bin_t,s0)
+/usr/Printer(/.*)?              gen_context(system_u:object_r:bin_t,s0)
+/usr/Brother/(.*/)?inf/brprintconf.* gen_context(system_u:object_r:bin_t,s0)
+/usr/Brother/(.*/)?inf/setup.* gen_context(system_u:object_r:bin_t,s0)
+/usr/linuxprinter/filters(/.*)? gen_context(system_u:object_r:bin_t,s0)
 
+/usr/sbin/insmod_ksymoops_clean	--	gen_context(system_u:object_r:bin_t,s0)
+/usr/sbin/mkfs\.cramfs		--	gen_context(system_u:object_r:bin_t,s0)
+/usr/sbin/nologin		--	gen_context(system_u:object_r:shell_exec_t,s0)
 /usr/sbin/scponlyc		--	gen_context(system_u:object_r:shell_exec_t,s0)
 /usr/sbin/sesh			--	gen_context(system_u:object_r:shell_exec_t,s0)
 /usr/sbin/smrsh			--	gen_context(system_u:object_r:shell_exec_t,s0)
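Review bot: `/usr/libexec/cockpit-agent` and `/usr/bin/cockpit-bridge` are labelled `shell_exec_t` although neither is a login shell, and `/usr/sbin/nologin` receives the same label; every domain granted `corecmd_exec_shell` or a shell domain transition in this policy will treat them exactly like `/bin/bash`. A comment stating why is warranted, e.g. `# cockpit-bridge runs in place of the login shell -- TODO(review) confirm`, since the reason is not visible here. The `cockpit-bridge` entry also sits in the `/usr/libexec` group instead of with the `/usr/bin` shells above, and these four lines and `/usr/libexec/sesh` are aligned with spaces rather than tabs.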
@@ -280,10 +348,14 @@ ifdef(`distro_gentoo',`
 /usr/share/cluster/.*\.sh		gen_context(system_u:object_r:bin_t,s0)
 /usr/share/cluster/ocf-shellfuncs --	gen_context(system_u:object_r:bin_t,s0)
 /usr/share/cluster/svclib_nfslock --	gen_context(system_u:object_r:bin_t,s0)
+/usr/share/cluster/SAPDatabase	--	gen_context(system_u:object_r:bin_t,s0)
+/usr/share/cluster/SAPInstance	--	gen_context(system_u:object_r:bin_t,s0)
+/usr/share/cluster/checkquorum.*	--	gen_context(system_u:object_r:bin_t,s0)
 /usr/share/e16/misc(/.*)?		gen_context(system_u:object_r:bin_t,s0)
 /usr/share/gedit-2/plugins/externaltools/tools(/.*)? gen_context(system_u:object_r:bin_t,s0)
 /usr/share/gitolite/hooks/common/update -- gen_context(system_u:object_r:bin_t,s0)
 /usr/share/gitolite/hooks/gitolite-admin/post-update -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/gitolite3/commands(/.*)?	--	gen_context(system_u:object_r:bin_t,s0)
 /usr/share/gnucash/finance-quote-check -- gen_context(system_u:object_r:bin_t,s0)
 /usr/share/gnucash/finance-quote-helper -- gen_context(system_u:object_r:bin_t,s0)
 /usr/share/hal/device-manager/hal-device-manager -- gen_context(system_u:object_r:bin_t,s0)
@@ -298,16 +370,22 @@ ifdef(`distro_gentoo',`
 /usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0)
 /usr/share/smolt/client(/.*)?		gen_context(system_u:object_r:bin_t,s0)
 /usr/share/shorewall/compiler\.pl --	gen_context(system_u:object_r:bin_t,s0)
-/usr/share/shorewall/configpath	--	gen_context(system_u:object_r:bin_t,s0)
+/usr/share/shorewall6?/configpath	--	gen_context(system_u:object_r:bin_t,s0)
+/usr/share/shorewall/getparams  --  gen_context(system_u:object_r:bin_t,s0)
+/usr/share/shorewall6?/wait4ifup --	gen_context(system_u:object_r:bin_t,s0)
 /usr/share/shorewall-perl(/.*)?		gen_context(system_u:object_r:bin_t,s0)
 /usr/share/shorewall-shell(/.*)?	gen_context(system_u:object_r:bin_t,s0)
 /usr/share/shorewall-lite(/.*)? 	gen_context(system_u:object_r:bin_t,s0)
 /usr/share/shorewall6-lite(/.*)?	gen_context(system_u:object_r:bin_t,s0)
 /usr/share/spamassassin/sa-update\.cron gen_context(system_u:object_r:bin_t,s0)
+/usr/share/texlive/texmf/web2c/mktex(dir|nam|upd)	gen_context(system_u:object_r:bin_t,s0)
 /usr/share/turboprint/lib(/.*)?	--	gen_context(system_u:object_r:bin_t,s0)
+/usr/share/tucan.*/tucan.py	--	gen_context(system_u:object_r:bin_t,s0)
 /usr/share/vhostmd/scripts(/.*)?	gen_context(system_u:object_r:bin_t,s0)
+/usr/share/virtualbox/.*\.sh 		gen_context(system_u:object_r:bin_t,s0)
+/usr/share/wicd/daemon(/.*)?		gen_context(system_u:object_r:bin_t,s0)
 
-/usr/X11R6/lib(64)?/X11/xkb/xkbcomp --	gen_context(system_u:object_r:bin_t,s0)
+/usr/X11R6/lib/X11/xkb/xkbcomp --	gen_context(system_u:object_r:bin_t,s0)
 
 ifdef(`distro_debian',`
 /usr/lib/ConsoleKit/.*		--	gen_context(system_u:object_r:bin_t,s0)
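Review bot: Changing `/usr/X11R6/lib(64)?/X11/xkb/xkbcomp` to `/usr/X11R6/lib/X11/xkb/xkbcomp` drops the lib64 variant without explanation; on a 64-bit host that still has the lib64 path, `xkbcomp` would fall back to the default label. If the lib64 path no longer exists on supported distributions, a comment noting that would avoid the pattern being re-widened later.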
@@ -325,20 +403,27 @@ ifdef(`distro_redhat', `
 /etc/gdm/[^/]+			-d	gen_context(system_u:object_r:bin_t,s0)
 /etc/gdm/[^/]+/.*			gen_context(system_u:object_r:bin_t,s0)
 
+/usr/lib/.*/scripts(/.*)?		gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/.*/program(/.*)?		gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/bluetooth(/.*)?	--	gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/nfs-utils/scripts(/.*)?	gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/oracle/xe/apps(/.*)?		gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/tuned/.*/.*\.sh  		--  gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/vmware-tools/(s)?bin32(/.*)?	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/vmware-tools/(s)?bin64(/.*)?	gen_context(system_u:object_r:bin_t,s0)
 /usr/share/authconfig/authconfig-gtk\.py -- gen_context(system_u:object_r:bin_t,s0)
 /usr/share/authconfig/authconfig-tui\.py -- gen_context(system_u:object_r:bin_t,s0)
-/usr/share/authconfig/authconfig\.py --	gen_context(system_u:object_r:bin_t,s0)
+#/usr/share/authconfig/authconfig\.py --	gen_context(system_u:object_r:bin_t,s0)
 /usr/share/cvs/contrib/rcs2log	--	gen_context(system_u:object_r:bin_t,s0)
 /usr/share/clamav/clamd-gen	--	gen_context(system_u:object_r:bin_t,s0)
 /usr/share/clamav/freshclam-sleep --	gen_context(system_u:object_r:bin_t,s0)
 /usr/share/createrepo(/.*)?		gen_context(system_u:object_r:bin_t,s0)
+/usr/share/doc/ghc/html/libraries/gen_contents_index -- gen_context(system_u:object_r:bin_t,s0)	
 /usr/share/fedora-usermgmt/wrapper --	gen_context(system_u:object_r:bin_t,s0)
 /usr/share/hplip/[^/]*		--	gen_context(system_u:object_r:bin_t,s0)
 /usr/share/hwbrowser/hwbrowser --	gen_context(system_u:object_r:bin_t,s0)
+/usr/share/kde4/apps/kajongg/kajongg.py --	gen_context(system_u:object_r:bin_t,s0)
+/usr/share/munin/plugins/plugin\.sh		--	gen_context(system_u:object_r:bin_t,s0)
 /usr/share/pwlib/make/ptlib-config --	gen_context(system_u:object_r:bin_t,s0)
 /usr/share/pydict/pydict\.py	--	gen_context(system_u:object_r:bin_t,s0)
 /usr/share/rhn/rhn_applet/applet\.py -- gen_context(system_u:object_r:bin_t,s0)
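Review bot: `#/usr/share/authconfig/authconfig\.py --` leaves a commented-out file-context entry; delete the line rather than comment it out, since a comment here is not a context entry and only misleads. The new `/usr/share/doc/ghc/html/libraries/gen_contents_index` line ends in a trailing tab, and `/usr/lib/tuned/.*/.*\.sh` is aligned with spaces around `--` where the surrounding lines use tabs.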
@@ -346,6 +431,7 @@ ifdef(`distro_redhat', `
 /usr/share/ssl/misc(/.*)?		gen_context(system_u:object_r:bin_t,s0)
 /usr/share/switchdesk/switchdesk-gui\.py -- gen_context(system_u:object_r:bin_t,s0)
 /usr/share/system-config-date/system-config-date\.py -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/system-config-selinux/polgengui.py -- gen_context(system_u:object_r:bin_t,s0)
 /usr/share/system-config-selinux/polgen\.py -- gen_context(system_u:object_r:bin_t,s0)
 /usr/share/system-config-selinux/system-config-selinux\.py -- gen_context(system_u:object_r:bin_t,s0)
 /usr/share/system-config-display/system-config-display -- gen_context(system_u:object_r:bin_t,s0)
@@ -387,17 +473,36 @@ ifdef(`distro_suse', `
 #
 # /var
 #
-/var/mailman/bin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
+/var/mailman.*/bin(/.*)?		gen_context(system_u:object_r:bin_t,s0)
 
 /var/ftp/bin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
 
 /var/lib/asterisk/agi-bin(/.*)?		gen_context(system_u:object_r:bin_t,s0)
+/var/lib/dirsrv/scripts-INSTANCE    --  gen_context(system_u:object_r:bin_t,s0)
+/var/lib/iscan/interpreter		gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/ruby/gems(/.*)?/helper-scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/share/gems(/.*)?/helper-scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
+
 /usr/lib/yp/.+			--	gen_context(system_u:object_r:bin_t,s0)
 
 /var/qmail/bin			-d	gen_context(system_u:object_r:bin_t,s0)
 /var/qmail/bin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
 /var/qmail/rc			--	gen_context(system_u:object_r:bin_t,s0)
 
+/var/lib/glusterd/hooks/.*/.*\.sh -- gen_context(system_u:object_r:bin_t,s0)
+/var/lib/glusterd/hooks/.*/.*\.py -- gen_context(system_u:object_r:bin_t,s0)
+
 ifdef(`distro_suse',`
 /var/lib/samba/bin/.+			gen_context(system_u:object_r:bin_t,s0)
 ')
+
+/var/usrlocal/(.*/)?bin(/.*)?    gen_context(system_u:object_r:bin_t,s0)
+
+#
+# /usr/lib
+#
+
+/usr/lib/dracut(/.*)?				gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/iscan/network			--	gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/ruby/gems/.*/agents(/.*)?		gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/virtualbox/VBoxManage		--	gen_context(system_u:object_r:bin_t,s0)
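Review bot: The `/usr/lib/ruby/gems(/.*)?/helper-scripts(/.*)?` and `/usr/share/gems(/.*)?/helper-scripts(/.*)?` entries are added under the `# /var` heading, and a new `# /usr/lib` section is appended after the `/var` block even though `/usr/lib` entries already live in the `/usr` section earlier in the file; move them there so the file stays grouped by top-level path. `/var/lib/dirsrv/scripts-INSTANCE` reads like a literal template directory name; if it is, a comment saying so would prevent it being mistaken for an unfilled placeholder.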
diff --git a/policy/modules/kernel/corecommands.if b/policy/modules/kernel/corecommands.if
index 9e9263a68..cb425934b 100644
--- a/policy/modules/kernel/corecommands.if
+++ b/policy/modules/kernel/corecommands.if
@@ -8,6 +8,22 @@
 ##	run init.
 ## </required>
 
+#####################################
+## <summary>
+##  corecmd stub bin_t interface.  No access allowed.
+## </summary>
+## <param name="domain" unused="true">
+##  <summary>
+##  Domain allowed access
+##  </summary>
+## </param>
+#
+interface(`corecmd_stub_bin',`
+    gen_require(`
+        type bin_t;
+    ')
+')
+
 ########################################
 ## <summary>
 ##	Make the specified type usable for files
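Review bot: `corecmd_stub_bin` is indented with four spaces while every other interface in this file uses tabs; the summary line and `<param>` block also use two-space indentation instead of the file's tab. The summary says `No access allowed` while the body still requires `bin_t`; if the purpose is only to let callers test that the module is present, say so with `# require only: lets optional_policy blocks detect the corecommands module`.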
@@ -68,9 +84,11 @@ interface(`corecmd_bin_alias',`
 interface(`corecmd_bin_entry_type',`
 	gen_require(`
 		type bin_t;
+		type usr_t;
 	')
 
 	domain_entry_file($1, bin_t)
+	domain_entry_file($1, usr_t)
 ')
 
 ########################################
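Review bot: `domain_entry_file($1, usr_t)` makes every file labelled `usr_t` — the generic label for /usr content, not only executables — a valid entry point for any domain calling `corecmd_bin_entry_type`, which is a considerable widening over `bin_t` alone, and the interface summary (outside this hunk) presumably still describes it as a bin_t entry type. Update the summary and add a why-comment on the new line, e.g. `# usr_t: executables under /usr that are not labelled bin_t -- TODO(review) confirm` — hedged, the motivation is not visible here.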
@@ -122,6 +140,7 @@ interface(`corecmd_search_bin',`
 		type bin_t;
 	')
 
+	corecmd_read_bin_symlinks($1)
 	search_dirs_pattern($1, bin_t, bin_t)
 ')
 
@@ -158,6 +177,7 @@ interface(`corecmd_list_bin',`
 		type bin_t;
 	')
 
+	corecmd_read_bin_symlinks($1)
 	list_dirs_pattern($1, bin_t, bin_t)
 ')
 
@@ -203,7 +223,7 @@ interface(`corecmd_getattr_bin_files',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed access.
+##	Domain to not audit.
 ##	</summary>
 ## </param>
 #
@@ -231,6 +251,7 @@ interface(`corecmd_read_bin_files',`
 		type bin_t;
 	')
 
+	corecmd_read_bin_symlinks($1)
 	read_files_pattern($1, bin_t, bin_t)
 ')
 
@@ -252,6 +273,24 @@ interface(`corecmd_dontaudit_write_bin_files',`
 	dontaudit $1 bin_t:file write;
 ')
 
+########################################
+## <summary>
+##	Do not audit attempts to access check bin files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`corecmd_dontaudit_access_check_bin',`
+	gen_require(`
+		type bin_t;
+	')
+
+	dontaudit $1 bin_t:file audit_access;
+')
+
 ########################################
 ## <summary>
 ##	Read symbolic links in bin directories.
@@ -285,6 +324,7 @@ interface(`corecmd_read_bin_pipes',`
 		type bin_t;
 	')
 
+	corecmd_read_bin_symlinks(bin_t)
 	read_fifo_files_pattern($1, bin_t, bin_t)
 ')
 
@@ -303,6 +343,7 @@ interface(`corecmd_read_bin_sockets',`
 		type bin_t;
 	')
 
+	corecmd_read_bin_symlinks($1)
 	read_sock_files_pattern($1, bin_t, bin_t)
 ')
 
@@ -345,6 +386,10 @@ interface(`corecmd_exec_bin',`
 	read_lnk_files_pattern($1, bin_t, bin_t)
 	list_dirs_pattern($1, bin_t, bin_t)
 	can_exec($1, bin_t)
+
+	ifdef(`enable_mls',`',`
+		files_exec_all_base_ro_files($1)
+	')
 ')
 
 ########################################
@@ -362,6 +407,7 @@ interface(`corecmd_manage_bin_files',`
 		type bin_t;
 	')
 
+	corecmd_read_bin_symlinks($1)
 	manage_files_pattern($1, bin_t, bin_t)
 ')
 
@@ -398,6 +444,7 @@ interface(`corecmd_mmap_bin_files',`
 		type bin_t;
 	')
 
+	corecmd_read_bin_symlinks($1)
 	mmap_files_pattern($1, bin_t, bin_t)
 ')
 
@@ -440,10 +487,14 @@ interface(`corecmd_mmap_bin_files',`
 interface(`corecmd_bin_spec_domtrans',`
 	gen_require(`
 		type bin_t;
+		type usr_t;
 	')
 
 	read_lnk_files_pattern($1, bin_t, bin_t)
 	domain_transition_pattern($1, bin_t, $2)
+
+	read_lnk_files_pattern($1, usr_t, usr_t)
+	domain_transition_pattern($1, usr_t, $2)
 ')
 
 ########################################
@@ -483,10 +534,12 @@ interface(`corecmd_bin_spec_domtrans',`
 interface(`corecmd_bin_domtrans',`
 	gen_require(`
 		type bin_t;
+		type usr_t;
 	')
 
 	corecmd_bin_spec_domtrans($1, $2)
 	type_transition $1 bin_t:process $2;
+	type_transition $1 usr_t:process $2;
 ')
 
 ########################################
@@ -945,6 +998,7 @@ interface(`corecmd_shell_domtrans',`
 interface(`corecmd_exec_chroot',`
 	gen_require(`
 		type chroot_exec_t;
+        type bin_t;
 	')
 
 	read_lnk_files_pattern($1, bin_t, bin_t)
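Review bot: The added `type bin_t;` in `corecmd_exec_chroot` correctly supplies the require that the `read_lnk_files_pattern($1, bin_t, bin_t)` line below it needed, but it is indented with spaces while the rest of the `gen_require` block uses tabs; replace the leading spaces with two tabs. The interface body continues outside the hunk.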
@@ -954,28 +1008,25 @@ interface(`corecmd_exec_chroot',`
 
 ########################################
 ## <summary>
-##	Get the attributes of all executable files.
+##	Do not audit attempts to access check executable files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed access.
+##	Domain to not audit.
 ##	</summary>
 ## </param>
-## <rolecap/>
 #
-interface(`corecmd_getattr_all_executables',`
+interface(`corecmd_dontaudit_access_all_executables',`
 	gen_require(`
 		attribute exec_type;
-		type bin_t;
 	')
 
-	allow $1 bin_t:dir list_dir_perms;
-	getattr_files_pattern($1, bin_t, exec_type)
+	dontaudit $1 exec_type:file audit_access;
 ')
 
 ########################################
 ## <summary>
-##	Read all executable files.
+##	Get the attributes of all executable files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -984,12 +1035,14 @@ interface(`corecmd_getattr_all_executables',`
 ## </param>
 ## <rolecap/>
 #
-interface(`corecmd_read_all_executables',`
+interface(`corecmd_getattr_all_executables',`
 	gen_require(`
 		attribute exec_type;
+		type bin_t;
 	')
 
-	read_files_pattern($1, exec_type, exec_type)
+	allow $1 bin_t:dir list_dir_perms;
+	getattr_files_pattern($1, bin_t, exec_type)
 ')
 
 ########################################
@@ -1049,6 +1102,7 @@ interface(`corecmd_manage_all_executables',`
 		type bin_t;
 	')
 
+	manage_dirs_pattern($1, bin_t, exec_type)
 	manage_files_pattern($1, bin_t, exec_type)
 	manage_lnk_files_pattern($1, bin_t, bin_t)
 ')
@@ -1091,3 +1145,74 @@ interface(`corecmd_mmap_all_executables',`
 
 	mmap_files_pattern($1, bin_t, exec_type)
 ')
+
+########################################
+## <summary>
+##     Read all executable files.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+## <rolecap/>
+#
+interface(`corecmd_read_all_executables',`
+       gen_require(`
+               attribute exec_type;
+       ')
+
+       read_files_pattern($1, exec_type, exec_type)
+')
+
+########################################
+## <summary>
+##	Read all executable files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`corecmd_entrypoint_all_executables',`
+	gen_require(`
+		attribute exec_type;
+	')
+
+    allow $1 exec_type:file entrypoint;
+')
+
+########################################
+## <summary>
+##	Create objects in the /bin directory
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="file_type">
+##	<summary>
+##	The type of the object to be created
+##	</summary>
+## </param>
+## <param name="object_class">
+##	<summary>
+##	The object class.
+##	</summary>
+## </param>
+## <param name="name" optional="true">
+##	<summary>
+##	The name of the object being created.
+##	</summary>
+## </param>
+#
+interface(`corecmd_bin_filetrans',`
+	gen_require(`
+		type bin_t;
+	')
+
+	filetrans_pattern($1, bin_t, $2, $3, $4)
+')
diff --git a/policy/modules/kernel/corecommands.te b/policy/modules/kernel/corecommands.te
index 20c76cff9..cc63dcc9c 100644
--- a/policy/modules/kernel/corecommands.te
+++ b/policy/modules/kernel/corecommands.te
@@ -13,7 +13,8 @@ attribute exec_type;
 #
 # bin_t is the type of files in the system bin/sbin directories.
 #
-type bin_t alias { ls_exec_t sbin_t };
+type bin_t alias { ls_exec_t sbin_t unconfined_execmem_exec_t execmem_exec_t java_exec_t mono_exec_t };
+files_ro_base_file(bin_t)
 corecmd_executable_file(bin_t)
 dev_associate(bin_t)	#For /dev/MAKEDEV
 
@@ -21,6 +22,7 @@ dev_associate(bin_t)	#For /dev/MAKEDEV
 # shell_exec_t is the type of user shells such as /bin/bash.
 #
 type shell_exec_t;
+files_ro_base_file(shell_exec_t)
 corecmd_executable_file(shell_exec_t)
 
 type chroot_exec_t;
diff --git a/policy/modules/kernel/corenetwork.fc b/policy/modules/kernel/corenetwork.fc
index f9b25c12f..9af1f7a61 100644
--- a/policy/modules/kernel/corenetwork.fc
+++ b/policy/modules/kernel/corenetwork.fc
@@ -8,3 +8,6 @@
 
 /lib/udev/devices/ppp -c gen_context(system_u:object_r:ppp_device_t,s0)
 /lib/udev/devices/net/.* -c gen_context(system_u:object_r:tun_tap_device_t,s0)
+
+/usr/lib/udev/devices/ppp -c gen_context(system_u:object_r:ppp_device_t,s0)
+/usr/lib/udev/devices/net/.* -c gen_context(system_u:object_r:tun_tap_device_t,s0)
diff --git a/policy/modules/kernel/corenetwork.if.in b/policy/modules/kernel/corenetwork.if.in
index 07126bdcc..04cf2dafe 100644
--- a/policy/modules/kernel/corenetwork.if.in
+++ b/policy/modules/kernel/corenetwork.if.in
@@ -55,6 +55,7 @@ interface(`corenet_reserved_port',`
 	')
 
 	typeattribute $1 reserved_port_type;
+	corenet_port($1)
 ')
 
 ########################################
@@ -82,6 +83,7 @@ interface(`corenet_rpc_port',`
 	')
 
 	typeattribute $1 rpc_port_type;
+	corenet_port($1)
 ')
 
 ########################################
@@ -613,6 +615,24 @@ interface(`corenet_raw_sendrecv_all_if',`
 	corenet_raw_receive_all_if($1)
 ')
 
+########################################
+## <summary>
+##	Send and receive DCCP network traffic on generic nodes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_dccp_sendrecv_generic_node',`
+	gen_require(`
+		type node_t;
+	')
+
+	allow $1 node_t:node { dccp_send dccp_recv sendto recvfrom };
+')
+
 ########################################
 ## <summary>
 ##	Send and receive TCP network traffic on generic nodes.
@@ -787,6 +807,24 @@ interface(`corenet_raw_sendrecv_generic_node',`
 	corenet_raw_receive_generic_node($1)
 ')
 
+########################################
+## <summary>
+##	Bind DCCP sockets to generic nodes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_dccp_bind_generic_node',`
+	gen_require(`
+		type node_t;
+	')
+
+	allow $1 node_t:dccp_socket node_bind;
+')
+
 ########################################
 ## <summary>
 ##	Bind TCP sockets to generic nodes.
@@ -853,6 +891,44 @@ interface(`corenet_udp_bind_generic_node',`
 	allow $1 node_t:udp_socket node_bind;
 ')
 
+########################################
+## <summary>
+##	Dontaudit attempts to bind TCP sockets to generic nodes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+## <infoflow type="read" weight="1"/>
+#
+interface(`corenet_dontaudit_tcp_bind_generic_node',`
+	gen_require(`
+		type node_t;
+	')
+
+	dontaudit $1 node_t:tcp_socket node_bind;
+')
+
+########################################
+## <summary>
+##	Dontaudit attempts to bind UDP sockets to generic nodes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+## <infoflow type="read" weight="1"/>
+#
+interface(`corenet_dontaudit_udp_bind_generic_node',`
+	gen_require(`
+		type node_t;
+	')
+
+	dontaudit $1 node_t:udp_socket node_bind;
+')
+
 ########################################
 ## <summary>
 ##	Bind raw sockets to genric nodes.
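Review bot: The `<infoflow type="read" weight="1"/>` tag on the two new dontaudit interfaces (corenet_dontaudit_tcp_bind_generic_node and corenet_dontaudit_udp_bind_generic_node) documents an information flow that a dontaudit rule cannot create; dontaudit only suppresses denial records. The other dontaudit interfaces added in this patch, such as corenet_dontaudit_dccp_bind_generic_port, carry no infoflow tag, and tooling that consumes the interface XML would otherwise rank these two as granting read access. Drop the two `## <infoflow type="read" weight="1"/>` lines, or use `## <infoflow type="none"/>` if the tag is wanted.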
@@ -926,6 +1002,24 @@ interface(`corenet_inout_generic_node',`
 	corenet_out_generic_node($1)
 ')
 
+########################################
+## <summary>
+##	Send and receive DCCP network traffic on all nodes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_dccp_sendrecv_all_nodes',`
+	gen_require(`
+		attribute node_type;
+	')
+
+	allow $1 node_type:node { dccp_send dccp_recv sendto recvfrom };
+')
+
 ########################################
 ## <summary>
 ##	Send and receive TCP network traffic on all nodes.
@@ -1100,6 +1194,24 @@ interface(`corenet_raw_sendrecv_all_nodes',`
 	corenet_raw_receive_all_nodes($1)
 ')
 
+########################################
+## <summary>
+##	Bind DCCP sockets to all nodes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_dccp_bind_all_nodes',`
+	gen_require(`
+		attribute node_type;
+	')
+
+	allow $1 node_type:dccp_socket node_bind;
+')
+
 ########################################
 ## <summary>
 ##	Bind TCP sockets to all nodes.
@@ -1155,6 +1267,24 @@ interface(`corenet_raw_bind_all_nodes',`
 	allow $1 node_type:rawip_socket node_bind;
 ')
 
+########################################
+## <summary>
+##	Send and receive DCCP network traffic on generic ports.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_dccp_sendrecv_generic_port',`
+	gen_require(`
+		type port_t, unreserved_port_t, ephemeral_port_t;
+	')
+
+	allow $1 { port_t unreserved_port_t ephemeral_port_t }:dccp_socket { send_msg recv_msg };
+')
+
 ########################################
 ## <summary>
 ##	Send and receive TCP network traffic on generic ports.
@@ -1167,10 +1297,30 @@ interface(`corenet_raw_bind_all_nodes',`
 #
 interface(`corenet_tcp_sendrecv_generic_port',`
 	gen_require(`
-		type port_t;
+		type port_t, unreserved_port_t, ephemeral_port_t;
+	')
+
+	allow $1 { port_t unreserved_port_t ephemeral_port_t }:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to send and
+##	receive DCCP network traffic on
+##	generic ports.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`corenet_dontaudit_dccp_sendrecv_generic_port',`
+	gen_require(`
+		type port_t, unreserved_port_t, ephemeral_port_t;
 	')
 
-	allow $1 port_t:tcp_socket { send_msg recv_msg };
+	dontaudit $1 { port_t unreserved_port_t ephemeral_port_t }:dccp_socket { send_msg recv_msg };
 ')
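Review bot: Extending corenet_tcp_sendrecv_generic_port's gen_require and allow rule from port_t to `{ port_t unreserved_port_t ephemeral_port_t }` widens the grant for every existing caller without any caller changing: modules that asked only for the unlabeled generic port now also get every unreserved and ephemeral port type. The same widening is applied to corenet_dontaudit_tcp_sendrecv_generic_port, corenet_udp_send_generic_port, corenet_udp_receive_generic_port, corenet_tcp_bind_generic_port, corenet_dontaudit_tcp_bind_generic_port, corenet_udp_bind_generic_port and corenet_tcp_connect_generic_port in the following hunks. The summary line for this interface sits just above the hunk and still says "generic ports", so at minimum it should state the new scope, e.g. `##	Send and receive TCP network traffic on generic, unreserved and ephemeral ports.`, and the commit description should call this out as a deliberate relaxation so that callers can be audited.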
 
 ########################################
@@ -1185,10 +1335,10 @@ interface(`corenet_tcp_sendrecv_generic_port',`
 #
 interface(`corenet_dontaudit_tcp_sendrecv_generic_port',`
 	gen_require(`
-		type port_t;
+		type port_t, unreserved_port_t, ephemeral_port_t;
 	')
 
-	dontaudit $1 port_t:tcp_socket { send_msg recv_msg };
+	dontaudit $1 { port_t unreserved_port_t ephemeral_port_t }:tcp_socket { send_msg recv_msg };
 ')
 
 ########################################
@@ -1203,10 +1353,10 @@ interface(`corenet_dontaudit_tcp_sendrecv_generic_port',`
 #
 interface(`corenet_udp_send_generic_port',`
 	gen_require(`
-		type port_t;
+		type port_t, unreserved_port_t, ephemeral_port_t;
 	')
 
-	allow $1 port_t:udp_socket send_msg;
+	allow $1 { port_t unreserved_port_t ephemeral_port_t }:udp_socket send_msg;
 ')
 
 ########################################
@@ -1221,10 +1371,10 @@ interface(`corenet_udp_send_generic_port',`
 #
 interface(`corenet_udp_receive_generic_port',`
 	gen_require(`
-		type port_t;
+		type port_t, unreserved_port_t, ephemeral_port_t;
 	')
 
-	allow $1 port_t:udp_socket recv_msg;
+	allow $1 { port_t unreserved_port_t ephemeral_port_t }:udp_socket recv_msg;
 ')
 
 ########################################
@@ -1242,6 +1392,26 @@ interface(`corenet_udp_sendrecv_generic_port',`
 	corenet_udp_receive_generic_port($1)
 ')
 
+########################################
+## <summary>
+##	Bind DCCP sockets to generic ports.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_dccp_bind_generic_port',`
+	gen_require(`
+		type port_t, unreserved_port_t, ephemeral_port_t;
+		attribute defined_port_type;
+	')
+
+	allow $1 { port_t unreserved_port_t ephemeral_port_t }:dccp_socket name_bind;
+	dontaudit $1 defined_port_type:dccp_socket name_bind;
+')
+
 ########################################
 ## <summary>
 ##	Bind TCP sockets to generic ports.
@@ -1254,14 +1424,33 @@ interface(`corenet_udp_sendrecv_generic_port',`
 #
 interface(`corenet_tcp_bind_generic_port',`
 	gen_require(`
-		type port_t;
+		type port_t, unreserved_port_t, ephemeral_port_t;
 		attribute defined_port_type;
 	')
 
-	allow $1 port_t:tcp_socket name_bind;
+	allow $1 { port_t unreserved_port_t ephemeral_port_t }:tcp_socket name_bind;
 	dontaudit $1 defined_port_type:tcp_socket name_bind;
 ')
 
+########################################
+## <summary>
+##	Do not audit attempts to bind DCCP
+##	sockets to generic ports.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`corenet_dontaudit_dccp_bind_generic_port',`
+	gen_require(`
+		type port_t, unreserved_port_t, ephemeral_port_t;
+	')
+
+	dontaudit $1 { port_t unreserved_port_t ephemeral_port_t }:dccp_socket name_bind;
+')
+
 ########################################
 ## <summary>
 ##	Do not audit bind TCP sockets to generic ports.
@@ -1274,10 +1463,10 @@ interface(`corenet_tcp_bind_generic_port',`
 #
 interface(`corenet_dontaudit_tcp_bind_generic_port',`
 	gen_require(`
-		type port_t;
+		type port_t, unreserved_port_t, ephemeral_port_t;
 	')
 
-	dontaudit $1 port_t:tcp_socket name_bind;
+	dontaudit $1 { port_t unreserved_port_t ephemeral_port_t }:tcp_socket name_bind;
 ')
 
 ########################################
@@ -1292,14 +1481,32 @@ interface(`corenet_dontaudit_tcp_bind_generic_port',`
 #
 interface(`corenet_udp_bind_generic_port',`
 	gen_require(`
-		type port_t;
+		type port_t, unreserved_port_t, ephemeral_port_t;
 		attribute defined_port_type;
 	')
 
-	allow $1 port_t:udp_socket name_bind;
+	allow $1 { port_t unreserved_port_t ephemeral_port_t }:udp_socket name_bind;
 	dontaudit $1 defined_port_type:udp_socket name_bind;
 ')
 
+########################################
+## <summary>
+##	Connect DCCP sockets to generic ports.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_dccp_connect_generic_port',`
+	gen_require(`
+		type port_t, unreserved_port_t,ephemeral_port_t;
+	')
+
+	allow $1 { port_t unreserved_port_t ephemeral_port_t }:dccp_socket name_connect;
+')
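Review bot: The gen_require of the new corenet_dccp_connect_generic_port interface is missing the space after the second comma: `type port_t, unreserved_port_t,ephemeral_port_t;`. Every other gen_require in this patch writes the list as `type port_t, unreserved_port_t, ephemeral_port_t;`; m4 and checkpolicy accept both, but the inconsistency breaks a simple grep for the type list. Change the line to `		type port_t, unreserved_port_t, ephemeral_port_t;`.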
+
 ########################################
 ## <summary>
 ##	Connect TCP sockets to generic ports.
@@ -1312,10 +1519,28 @@ interface(`corenet_udp_bind_generic_port',`
 #
 interface(`corenet_tcp_connect_generic_port',`
 	gen_require(`
-		type port_t;
+		type port_t, unreserved_port_t, ephemeral_port_t;
+	')
+
+	allow $1 { port_t unreserved_port_t ephemeral_port_t }:tcp_socket name_connect;
+')
+
+########################################
+## <summary>
+##	Send and receive DCCP network traffic on all ports.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_dccp_sendrecv_all_ports',`
+	gen_require(`
+		attribute port_type;
 	')
 
-	allow $1 port_t:tcp_socket name_connect;
+	allow $1 port_type:dccp_socket { send_msg recv_msg };
 ')
 
 ########################################
@@ -1437,6 +1662,25 @@ interface(`corenet_udp_sendrecv_all_ports',`
 	corenet_udp_receive_all_ports($1)
 ')
 
+########################################
+## <summary>
+##	Bind DCCP sockets to all ports.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_dccp_bind_all_ports',`
+	gen_require(`
+		attribute port_type;
+	')
+
+	allow $1 port_type:dccp_socket name_bind;
+	allow $1 self:capability net_bind_service;
+')
+
 ########################################
 ## <summary>
 ##	Bind TCP sockets to all ports.
@@ -1456,6 +1700,24 @@ interface(`corenet_tcp_bind_all_ports',`
 	allow $1 self:capability net_bind_service;
 ')
 
+########################################
+## <summary>
+##	Do not audit attepts to bind DCCP sockets to any ports.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`corenet_dontaudit_dccp_bind_all_ports',`
+	gen_require(`
+		attribute port_type;
+	')
+
+	dontaudit $1 port_type:dccp_socket name_bind;
+')
+
 ########################################
 ## <summary>
 ##	Do not audit attepts to bind TCP sockets to any ports.
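Review bot: The summary of the new corenet_dontaudit_dccp_bind_all_ports interface carries over the typo "attepts" from the TCP sibling below it. Since summaries are copied into the generated interface documentation, fix it in the new text: `##	Do not audit attempts to bind DCCP sockets to any ports.`. The pre-existing TCP summary with the same typo is context here rather than part of the change, but could be corrected in the same commit.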
@@ -1511,6 +1773,24 @@ interface(`corenet_dontaudit_udp_bind_all_ports',`
 	dontaudit $1 port_type:udp_socket name_bind;
 ')
 
+########################################
+## <summary>
+##	Connect DCCP sockets to all ports.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_dccp_connect_all_ports',`
+	gen_require(`
+		attribute port_type;
+	')
+
+	allow $1 port_type:dccp_socket name_connect;
+')
+
 ########################################
 ## <summary>
 ##	Connect TCP sockets to all ports.
@@ -1557,6 +1837,25 @@ interface(`corenet_tcp_connect_all_ports',`
 	allow $1 port_type:tcp_socket name_connect;
 ')
 
+########################################
+## <summary>
+##	Do not audit attempts to connect DCCP sockets
+##	to all ports.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`corenet_dontaudit_dccp_connect_all_ports',`
+	gen_require(`
+		attribute port_type;
+	')
+
+	dontaudit $1 port_type:dccp_socket name_connect;
+')
+
 ########################################
 ## <summary>
 ##	Do not audit attempts to connect TCP sockets
@@ -1576,6 +1875,24 @@ interface(`corenet_dontaudit_tcp_connect_all_ports',`
 	dontaudit $1 port_type:tcp_socket name_connect;
 ')
 
+########################################
+## <summary>
+##	Send and receive DCCP network traffic on generic reserved ports.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_dccp_sendrecv_reserved_port',`
+	gen_require(`
+		type reserved_port_t;
+	')
+
+	allow $1 reserved_port_t:dccp_socket { send_msg recv_msg };
+')
+
 ########################################
 ## <summary>
 ##	Send and receive TCP network traffic on generic reserved ports.
@@ -1647,7 +1964,26 @@ interface(`corenet_udp_sendrecv_reserved_port',`
 
 ########################################
 ## <summary>
-##	Bind TCP sockets to generic reserved ports.
+##	Bind DCCP sockets to generic reserved ports.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_dccp_bind_reserved_port',`
+	gen_require(`
+		type reserved_port_t;
+	')
+
+	allow $1 reserved_port_t:dccp_socket name_bind;
+	allow $1 self:capability net_bind_service;
+')
+
+########################################
+## <summary>
+##	Bind TCP sockets to generic reserved ports.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -1683,6 +2019,24 @@ interface(`corenet_udp_bind_reserved_port',`
 	allow $1 self:capability net_bind_service;
 ')
 
+########################################
+## <summary>
+##	Connect DCCP sockets to generic reserved ports.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_dccp_connect_reserved_port',`
+	gen_require(`
+		type reserved_port_t;
+	')
+
+	allow $1 reserved_port_t:dccp_socket name_connect;
+')
+
 ########################################
 ## <summary>
 ##	Connect TCP sockets to generic reserved ports.
@@ -1701,6 +2055,24 @@ interface(`corenet_tcp_connect_reserved_port',`
 	allow $1 reserved_port_t:tcp_socket name_connect;
 ')
 
+########################################
+## <summary>
+##	Send and receive DCCP network traffic on all reserved ports.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_dccp_sendrecv_all_reserved_ports',`
+	gen_require(`
+		attribute reserved_port_type;
+	')
+
+	allow $1 reserved_port_type:dccp_socket { send_msg recv_msg };
+')
+
 ########################################
 ## <summary>
 ##	Send and receive TCP network traffic on all reserved ports.
@@ -1770,6 +2142,25 @@ interface(`corenet_udp_sendrecv_all_reserved_ports',`
 	corenet_udp_receive_all_reserved_ports($1)
 ')
 
+########################################
+## <summary>
+##	Bind DCCP sockets to all reserved ports.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_dccp_bind_all_reserved_ports',`
+	gen_require(`
+		attribute reserved_port_type;
+	')
+
+	allow $1 reserved_port_type:dccp_socket name_bind;
+	allow $1 self:capability net_bind_service;
+')
+
 ########################################
 ## <summary>
 ##	Bind TCP sockets to all reserved ports.
@@ -1785,31 +2176,284 @@ interface(`corenet_tcp_bind_all_reserved_ports',`
 		attribute reserved_port_type;
 	')
 
-	allow $1 reserved_port_type:tcp_socket name_bind;
-	allow $1 self:capability net_bind_service;
+	allow $1 reserved_port_type:tcp_socket name_bind;
+	allow $1 self:capability net_bind_service;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to bind DCCP sockets to all reserved ports.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`corenet_dontaudit_dccp_bind_all_reserved_ports',`
+	gen_require(`
+		attribute reserved_port_type;
+	')
+
+	dontaudit $1 reserved_port_type:dccp_socket name_bind;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to bind TCP sockets to all reserved ports.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`corenet_dontaudit_tcp_bind_all_reserved_ports',`
+	gen_require(`
+		attribute reserved_port_type;
+	')
+
+	dontaudit $1 reserved_port_type:tcp_socket name_bind;
+')
+
+########################################
+## <summary>
+##	Bind UDP sockets to all reserved ports.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_udp_bind_all_reserved_ports',`
+	gen_require(`
+		attribute reserved_port_type;
+	')
+
+	allow $1 reserved_port_type:udp_socket name_bind;
+	allow $1 self:capability net_bind_service;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to bind UDP sockets to all reserved ports.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`corenet_dontaudit_udp_bind_all_reserved_ports',`
+	gen_require(`
+		attribute reserved_port_type;
+	')
+
+	dontaudit $1 reserved_port_type:udp_socket name_bind;
+')
+
+########################################
+## <summary>
+##	Bind DCCP sockets to all ports > 1024.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_dccp_bind_all_unreserved_ports',`
+	gen_require(`
+		attribute unreserved_port_type;
+	')
+
+	allow $1 unreserved_port_type:dccp_socket name_bind;
+')
+
+########################################
+## <summary>
+##	Bind TCP sockets to all ports > 1024.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_tcp_bind_all_unreserved_ports',`
+	gen_require(`
+		attribute unreserved_port_type;
+	')
+
+	allow $1 unreserved_port_type:tcp_socket name_bind;
+')
+
+########################################
+## <summary>
+##	Bind TCP sockets to all ports > 1024.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_tcp_bind_unreserved_ports',`
+	gen_require(`
+		attribute unreserved_port_type;
+	')
+
+	allow $1 unreserved_port_type:tcp_socket name_bind;
+')
+
+########################################
+## <summary>
+##	Bind UDP sockets to all ports > 1024.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_udp_bind_all_unreserved_ports',`
+	gen_require(`
+		attribute unreserved_port_type;
+	')
+
+	allow $1 unreserved_port_type:udp_socket name_bind;
+')
+
+########################################
+## <summary>
+##	Bind TCP sockets to all ports > 32768.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_tcp_bind_all_ephemeral_ports',`
+	gen_require(`
+		attribute ephemeral_port_type;
+	')
+
+	allow $1 ephemeral_port_type:tcp_socket name_bind;
+')
+
+########################################
+## <summary>
+##	Bind UDP sockets to all ports > 32768.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_udp_bind_all_ephemeral_ports',`
+	gen_require(`
+		attribute ephemeral_port_type;
+	')
+
+	allow $1 ephemeral_port_type:udp_socket name_bind;
+')
+
+########################################
+## <summary>
+##	Connect DCCP sockets to reserved ports.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_dccp_connect_all_reserved_ports',`
+	gen_require(`
+		attribute reserved_port_type;
+	')
+
+	allow $1 reserved_port_type:dccp_socket name_connect;
+')
+
+########################################
+## <summary>
+##	Connect TCP sockets to reserved ports.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_tcp_connect_all_reserved_ports',`
+	gen_require(`
+		attribute reserved_port_type;
+	')
+
+	allow $1 reserved_port_type:tcp_socket name_connect;
+')
+
+########################################
+## <summary>
+##	Connect DCCP sockets to all ports > 1024.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_dccp_connect_all_unreserved_ports',`
+	gen_require(`
+		attribute unreserved_port_type;
+	')
+
+	allow $1 unreserved_port_type:dccp_socket name_connect;
+')
+
+#######################################
+## <summary>
+##  Connect TCP sockets to ports > 1024.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_unreserved_ports',`
+    gen_require(`
+        type unreserved_port_t;
+    ')
+
+    allow $1 unreserved_port_t:tcp_socket name_connect;
 ')
 
 ########################################
 ## <summary>
-##	Do not audit attempts to bind TCP sockets to all reserved ports.
+##	Connect TCP sockets to all ports > 1024.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain to not audit.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
-interface(`corenet_dontaudit_tcp_bind_all_reserved_ports',`
+interface(`corenet_tcp_connect_all_unreserved_ports',`
 	gen_require(`
-		attribute reserved_port_type;
+		attribute unreserved_port_type;
 	')
 
-	dontaudit $1 reserved_port_type:tcp_socket name_bind;
+	allow $1 unreserved_port_type:tcp_socket name_connect;
 ')
 
 ########################################
 ## <summary>
-##	Bind UDP sockets to all reserved ports.
+##	Connect TCP sockets to all ports > 32768.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
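Review bot: corenet_tcp_bind_unreserved_ports, added in this hunk, is an exact duplicate of corenet_tcp_bind_all_unreserved_ports a few lines above it: same summary, same `attribute unreserved_port_type;` requirement, same `allow $1 unreserved_port_type:tcp_socket name_bind;`. One of the two should go, or the shorter-named one should be documented as a compatibility alias, e.g. `##	Deprecated alias for corenet_tcp_bind_all_unreserved_ports.` The neighbouring corenet_tcp_connect_unreserved_ports is not a duplicate (it requires the type unreserved_port_t rather than the attribute, so it is narrower than corenet_tcp_connect_all_unreserved_ports), but its summary "Connect TCP sockets to ports > 1024." does not convey that difference, and it is indented with spaces under a 39-character rule line while the rest of the file uses tabs and 40; a summary such as `##	Connect TCP sockets to the generic unreserved port type only.` plus tab indentation would match the file.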
@@ -1817,18 +2461,18 @@ interface(`corenet_dontaudit_tcp_bind_all_reserved_ports',`
 ##	</summary>
 ## </param>
 #
-interface(`corenet_udp_bind_all_reserved_ports',`
+interface(`corenet_tcp_connect_all_ephemeral_ports',`
 	gen_require(`
-		attribute reserved_port_type;
+		attribute ephemeral_port_type;
 	')
 
-	allow $1 reserved_port_type:udp_socket name_bind;
-	allow $1 self:capability net_bind_service;
+	allow $1 ephemeral_port_type:tcp_socket name_connect;
 ')
 
 ########################################
 ## <summary>
-##	Do not audit attempts to bind UDP sockets to all reserved ports.
+##	Do not audit attempts to connect DCCP sockets
+##	all reserved ports.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -1836,35 +2480,36 @@ interface(`corenet_udp_bind_all_reserved_ports',`
 ##	</summary>
 ## </param>
 #
-interface(`corenet_dontaudit_udp_bind_all_reserved_ports',`
+interface(`corenet_dontaudit_dccp_connect_all_reserved_ports',`
 	gen_require(`
 		attribute reserved_port_type;
 	')
 
-	dontaudit $1 reserved_port_type:udp_socket name_bind;
+	dontaudit $1 reserved_port_type:dccp_socket name_connect;
 ')
 
 ########################################
 ## <summary>
-##	Bind TCP sockets to all ports > 1024.
+##	Do not audit attempts to connect TCP sockets
+##	all reserved ports.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed access.
+##	Domain to not audit.
 ##	</summary>
 ## </param>
 #
-interface(`corenet_tcp_bind_all_unreserved_ports',`
+interface(`corenet_dontaudit_tcp_connect_all_reserved_ports',`
 	gen_require(`
-		attribute unreserved_port_type;
+		attribute reserved_port_type;
 	')
 
-	allow $1 unreserved_port_type:tcp_socket name_bind;
+	dontaudit $1 reserved_port_type:tcp_socket name_connect;
 ')
 
 ########################################
 ## <summary>
-##	Bind UDP sockets to all ports > 1024.
+##	Connect DCCP sockets to rpc ports.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -1872,17 +2517,17 @@ interface(`corenet_tcp_bind_all_unreserved_ports',`
 ##	</summary>
 ## </param>
 #
-interface(`corenet_udp_bind_all_unreserved_ports',`
+interface(`corenet_dccp_connect_all_rpc_ports',`
 	gen_require(`
-		attribute unreserved_port_type;
+		attribute rpc_port_type;
 	')
 
-	allow $1 unreserved_port_type:udp_socket name_bind;
+	allow $1 rpc_port_type:dccp_socket name_connect;
 ')
 
 ########################################
 ## <summary>
-##	Connect TCP sockets to reserved ports.
+##	Connect TCP sockets to rpc ports.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -1890,36 +2535,37 @@ interface(`corenet_udp_bind_all_unreserved_ports',`
 ##	</summary>
 ## </param>
 #
-interface(`corenet_tcp_connect_all_reserved_ports',`
+interface(`corenet_tcp_connect_all_rpc_ports',`
 	gen_require(`
-		attribute reserved_port_type;
+		attribute rpc_port_type;
 	')
 
-	allow $1 reserved_port_type:tcp_socket name_connect;
+	allow $1 rpc_port_type:tcp_socket name_connect;
 ')
 
 ########################################
 ## <summary>
-##	Connect TCP sockets to all ports > 1024.
+##	Do not audit attempts to connect DCCP sockets
+##	all rpc ports.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed access.
+##	Domain to not audit.
 ##	</summary>
 ## </param>
 #
-interface(`corenet_tcp_connect_all_unreserved_ports',`
+interface(`corenet_dontaudit_dccp_connect_all_rpc_ports',`
 	gen_require(`
-		attribute unreserved_port_type;
+		attribute rpc_port_type;
 	')
 
-	allow $1 unreserved_port_type:tcp_socket name_connect;
+	dontaudit $1 rpc_port_type:dccp_socket name_connect;
 ')
 
 ########################################
 ## <summary>
 ##	Do not audit attempts to connect TCP sockets
-##	all reserved ports.
+##	all rpc ports.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -1927,54 +2573,54 @@ interface(`corenet_tcp_connect_all_unreserved_ports',`
 ##	</summary>
 ## </param>
 #
-interface(`corenet_dontaudit_tcp_connect_all_reserved_ports',`
+interface(`corenet_dontaudit_tcp_connect_all_rpc_ports',`
 	gen_require(`
-		attribute reserved_port_type;
+		attribute rpc_port_type;
 	')
 
-	dontaudit $1 reserved_port_type:tcp_socket name_connect;
+	dontaudit $1 rpc_port_type:tcp_socket name_connect;
 ')
 
 ########################################
 ## <summary>
-##	Connect TCP sockets to rpc ports.
+##	Read and write the TUN/TAP virtual network device.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed access.
+##	The domain allowed access.
 ##	</summary>
 ## </param>
 #
-interface(`corenet_tcp_connect_all_rpc_ports',`
+interface(`corenet_rw_tun_tap_dev',`
 	gen_require(`
-		attribute rpc_port_type;
+		type tun_tap_device_t;
 	')
 
-	allow $1 rpc_port_type:tcp_socket name_connect;
+	dev_list_all_dev_nodes($1)
+	allow $1 tun_tap_device_t:chr_file rw_chr_file_perms;
 ')
 
 ########################################
 ## <summary>
-##	Do not audit attempts to connect TCP sockets
-##	all rpc ports.
+##	Relabel to and from the TUN/TAP virtual network device.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain to not audit.
+##	The domain allowed access.
 ##	</summary>
 ## </param>
 #
-interface(`corenet_dontaudit_tcp_connect_all_rpc_ports',`
+interface(`corenet_relabel_tun_tap_dev',`
 	gen_require(`
-		attribute rpc_port_type;
+		type tun_tap_device_t;
 	')
 
-	dontaudit $1 rpc_port_type:tcp_socket name_connect;
+	relabel_chr_files_pattern($1, tun_tap_device_t, tun_tap_device_t)
 ')
 
 ########################################
 ## <summary>
-##	Read and write the TUN/TAP virtual network device.
+##	Read and write inherited TUN/TAP virtual network device.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -1982,13 +2628,12 @@ interface(`corenet_dontaudit_tcp_connect_all_rpc_ports',`
 ##	</summary>
 ## </param>
 #
-interface(`corenet_rw_tun_tap_dev',`
+interface(`corenet_rw_inherited_tun_tap_dev',`
 	gen_require(`
 		type tun_tap_device_t;
 	')
 
-	dev_list_all_dev_nodes($1)
-	allow $1 tun_tap_device_t:chr_file rw_chr_file_perms;
+	allow $1 tun_tap_device_t:chr_file rw_inherited_chr_file_perms;
 ')
 
 ########################################
@@ -2047,6 +2692,25 @@ interface(`corenet_rw_ppp_dev',`
 	allow $1 ppp_device_t:chr_file rw_chr_file_perms;
 ')
 
+########################################
+## <summary>
+##	Bind DCCP sockets to all RPC ports.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_dccp_bind_all_rpc_ports',`
+	gen_require(`
+		attribute rpc_port_type;
+	')
+
+	allow $1 rpc_port_type:dccp_socket name_bind;
+	allow $1 self:capability net_bind_service;
+')
+
 ########################################
 ## <summary>
 ##	Bind TCP sockets to all RPC ports.
@@ -2066,6 +2730,24 @@ interface(`corenet_tcp_bind_all_rpc_ports',`
 	allow $1 self:capability net_bind_service;
 ')
 
+########################################
+## <summary>
+##	Do not audit attempts to bind DCCP sockets to all RPC ports.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`corenet_dontaudit_dccp_bind_all_rpc_ports',`
+	gen_require(`
+		attribute rpc_port_type;
+	')
+
+	dontaudit $1 rpc_port_type:dccp_socket name_bind;
+')
+
 ########################################
 ## <summary>
 ##	Do not audit attempts to bind TCP sockets to all RPC ports.
@@ -2192,6 +2874,25 @@ interface(`corenet_tcp_recv_netlabel',`
 	corenet_tcp_recvfrom_netlabel($1)
 ')
 
+########################################
+## <summary>
+##	Receive DCCP packets from a NetLabel connection.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_dccp_recvfrom_netlabel',`
+	gen_require(`
+		type netlabel_peer_t;
+	')
+
+	allow $1 netlabel_peer_t:peer recv;
+	allow $1 netlabel_peer_t:dccp_socket recvfrom;
+')
+
 ########################################
 ## <summary>
 ##	Receive TCP packets from a NetLabel connection.
@@ -2213,7 +2914,7 @@ interface(`corenet_tcp_recvfrom_netlabel',`
 
 ########################################
 ## <summary>
-##	Receive TCP packets from an unlabled connection.
+##	Receive DCCP packets from an unlabled connection.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
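Review bot: The rewritten summary keeps the typo "unlabled" from the TCP text it replaces: `##	Receive DCCP packets from an unlabled connection.` should read `##	Receive DCCP packets from an unlabeled connection.`. The new corenet_dontaudit_dccp_recvfrom_unlabeled summary later in this patch already spells it "unlabeled", so the two summaries currently disagree. The interface body this summary describes is in the next hunk.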
@@ -2221,10 +2922,15 @@ interface(`corenet_tcp_recvfrom_netlabel',`
 ##	</summary>
 ## </param>
 #
-interface(`corenet_tcp_recvfrom_unlabeled',`
-	kernel_tcp_recvfrom_unlabeled($1)
+interface(`corenet_dccp_recvfrom_unlabeled',`
+	gen_require(`
+		attribute corenet_unlabeled_type;
+	')
+
+	kernel_dccp_recvfrom_unlabeled($1)
 	kernel_recvfrom_unlabeled_peer($1)
 
+	typeattribute $1 corenet_unlabeled_type;
 	# XXX - at some point the oubound/send access check will be removed
 	# but for right now we need to keep this in place so as not to break
 	# older systems
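Review bot: The new `typeattribute $1 corenet_unlabeled_type` gives the caller every unlabeled-receive rule attached to that attribute in corenetwork.te.in (DCCP, TCP, UDP and raw), so an interface whose summary promises DCCP-only access now grants all four protocols and the `kernel_dccp_recvfrom_unlabeled($1)` line above it becomes redundant. Either drop the typeattribute and keep the per-protocol call, or make the summary honest, e.g. `##	Receive DCCP packets from an unlabeled connection (also grants TCP/UDP/raw unlabeled receive via corenet_unlabeled_type).`. This hunk also deletes `corenet_tcp_recvfrom_unlabeled`; unless it is re-added elsewhere in the file, existing callers stop building. The interface body continues past the end of the hunk.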
@@ -2247,6 +2953,26 @@ interface(`corenet_dontaudit_tcp_recv_netlabel',`
 	corenet_dontaudit_tcp_recvfrom_netlabel($1)
 ')
 
+########################################
+## <summary>
+##	Do not audit attempts to receive DCCP packets from a NetLabel
+##	connection.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`corenet_dontaudit_dccp_recvfrom_netlabel',`
+	gen_require(`
+		type netlabel_peer_t;
+	')
+
+	dontaudit $1 netlabel_peer_t:peer recv;
+	dontaudit $1 netlabel_peer_t:dccp_socket recvfrom;
+')
+
 ########################################
 ## <summary>
 ##	Do not audit attempts to receive TCP packets from a NetLabel
@@ -2267,6 +2993,27 @@ interface(`corenet_dontaudit_tcp_recvfrom_netlabel',`
 	dontaudit $1 netlabel_peer_t:tcp_socket recvfrom;
 ')
 
+########################################
+## <summary>
+##	Do not audit attempts to receive DCCP packets from an unlabeled
+##	connection.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`corenet_dontaudit_dccp_recvfrom_unlabeled',`
+	kernel_dontaudit_dccp_recvfrom_unlabeled($1)
+	kernel_dontaudit_recvfrom_unlabeled_peer($1)
+
+	# XXX - at some point the oubound/send access check will be removed
+	# but for right now we need to keep this in place so as not to break
+	# older systems
+	kernel_dontaudit_sendrecv_unlabeled_association($1)
+')
+
 ########################################
 ## <summary>
 ##	Do not audit attempts to receive TCP packets from an unlabeled
@@ -2533,15 +3280,10 @@ interface(`corenet_dontaudit_raw_recvfrom_unlabeled',`
 ## <infoflow type="read" weight="10"/>
 #
 interface(`corenet_all_recvfrom_unlabeled',`
-	kernel_tcp_recvfrom_unlabeled($1)
-	kernel_udp_recvfrom_unlabeled($1)
-	kernel_raw_recvfrom_unlabeled($1)
-	kernel_recvfrom_unlabeled_peer($1)
-
-	# XXX - at some point the oubound/send access check will be removed
-	# but for right now we need to keep this in place so as not to break
-	# older systems
-	kernel_sendrecv_unlabeled_association($1)
+	gen_require(`
+                attribute corenet_unlabeled_type;
+	')
+	typeattribute $1 corenet_unlabeled_type;
 ')
 
 ########################################
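Review bot: The rewritten `corenet_all_recvfrom_unlabeled` no longer calls `kernel_sendrecv_unlabeled_association($1)`, and the attribute rules added to corenetwork.te.in cover only the four recvfrom interfaces, so every caller silently loses association send/recv unless some module separately invokes `corenet_enable_unlabeled_packets()`. That is a behavioural change and should be stated inside the interface, e.g. `# unlabeled association send/recv is no longer granted here; it is switched on globally by corenet_enable_unlabeled_packets()`. The new `gen_require` body is indented with spaces rather than the tab used everywhere else in the file.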
@@ -2567,11 +3309,34 @@ interface(`corenet_all_recvfrom_unlabeled',`
 #
 interface(`corenet_all_recvfrom_netlabel',`
 	gen_require(`
-		type netlabel_peer_t;
+		attribute netlabel_peer_type;
 	')
 
-	allow $1 netlabel_peer_t:peer recv;
-	allow $1 netlabel_peer_t:{ tcp_socket udp_socket rawip_socket } recvfrom;
+	typeattribute $1 netlabel_peer_type;
+')
+
+########################################
+## <summary>
+##	Enable unlabeled net packets
+## </summary>
+## <desc>
+##	<p>
+##	Allow unlabeled_packet_t to be used by all domains that use the network
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_enable_unlabeled_packets',`
+	gen_require(`
+		attribute corenet_unlabeled_type;
+	')
+
+	kernel_sendrecv_unlabeled_association(corenet_unlabeled_type)
 ')
 
 ########################################
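Review bot: `corenet_enable_unlabeled_packets` documents a `domain` parameter but never references `$1`; its only rule is `kernel_sendrecv_unlabeled_association(corenet_unlabeled_type)`, which makes it a global switch for every domain carrying the attribute, not a per-domain grant. Remove the `<param name="domain">` block and say so in the summary, e.g. `##	Allow every domain in corenet_unlabeled_type to send to and receive from unlabeled associations (global; takes no argument).`. The `<desc>` text mentions `unlabeled_packet_t`, but the rule is on the association class, not on packets, so the description should be corrected as well.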
@@ -2585,6 +3350,7 @@ interface(`corenet_all_recvfrom_netlabel',`
 ## </param>
 #
 interface(`corenet_dontaudit_all_recvfrom_unlabeled',`
+	kernel_dontaudit_dccp_recvfrom_unlabeled($1)
 	kernel_dontaudit_tcp_recvfrom_unlabeled($1)
 	kernel_dontaudit_udp_recvfrom_unlabeled($1)
 	kernel_dontaudit_raw_recvfrom_unlabeled($1)
@@ -2613,7 +3379,35 @@ interface(`corenet_dontaudit_all_recvfrom_netlabel',`
 	')
 
 	dontaudit $1 netlabel_peer_t:peer recv;
-	dontaudit $1 netlabel_peer_t:{ tcp_socket udp_socket rawip_socket } recvfrom;
+	dontaudit $1 netlabel_peer_t:{ tcp_socket udp_socket rawip_socket dccp_socket } recvfrom;
+')
+
+########################################
+## <summary>
+##	Rules for receiving labeled DCCP packets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="peer_domain">
+##	<summary>
+##	Peer domain.
+##	</summary>
+## </param>
+#
+interface(`corenet_dccp_recvfrom_labeled',`
+	allow { $1 $2 } self:association sendto;
+	allow $1 $2:{ association dccp_socket } recvfrom;
+	allow $2 $1:{ association dccp_socket } recvfrom;
+
+	allow $1 $2:peer recv;
+	allow $2 $1:peer recv;
+
+	# allow receiving packets from MLS-only peers using NetLabel
+	corenet_dccp_recvfrom_netlabel($1)
+	corenet_dccp_recvfrom_netlabel($2)
 ')
 
 ########################################
@@ -2727,6 +3521,7 @@ interface(`corenet_raw_recvfrom_labeled',`
 ## </param>
 #
 interface(`corenet_all_recvfrom_labeled',`
+	corenet_dccp_recvfrom_labeled($1, $2)
 	corenet_tcp_recvfrom_labeled($1, $2)
 	corenet_udp_recvfrom_labeled($1, $2)
 	corenet_raw_recvfrom_labeled($1, $2)
@@ -3134,3 +3929,70 @@ interface(`corenet_unconfined',`
 
 	typeattribute $1 corenet_unconfined_type;
 ')
+
+########################################
+## <summary>
+##	Dontaudit bind tcp sockets to defined ports.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_dontaudit_tcp_bind_all_defined_ports',`
+	gen_require(`
+		attribute defined_port_type;
+	')
+	dontaudit $1 defined_port_type:tcp_socket name_bind;
+')
+
+########################################
+## <summary>
+##	Create all network named devices with the correct label
+## </summary>
+## <param name="domain">
+##	<summary>
+##      Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_filetrans_all_named_dev',`
+
+	gen_require(`
+		type tun_tap_device_t;
+		type ppp_device_t;
+	')
+
+	dev_filetrans($1, tun_tap_device_t, chr_file, "tap0")
+	dev_filetrans($1, tun_tap_device_t, chr_file, "tap1")
+	dev_filetrans($1, tun_tap_device_t, chr_file, "tap2")
+	dev_filetrans($1, tun_tap_device_t, chr_file, "tap3")
+	dev_filetrans($1, tun_tap_device_t, chr_file, "tap4")
+	dev_filetrans($1, tun_tap_device_t, chr_file, "tap5")
+	dev_filetrans($1, tun_tap_device_t, chr_file, "tap6")
+	dev_filetrans($1, tun_tap_device_t, chr_file, "tap7")
+	dev_filetrans($1, tun_tap_device_t, chr_file, "tap8")
+	dev_filetrans($1, tun_tap_device_t, chr_file, "tap9")
+	dev_filetrans($1, tun_tap_device_t, chr_file, "tap10")
+	dev_filetrans($1, tun_tap_device_t, chr_file, "tap11")
+	dev_filetrans($1, tun_tap_device_t, chr_file, "tap12")
+	dev_filetrans($1, tun_tap_device_t, chr_file, "tap13")
+	dev_filetrans($1, tun_tap_device_t, chr_file, "tap14")
+	dev_filetrans($1, tun_tap_device_t, chr_file, "tap15")
+	dev_filetrans($1, tun_tap_device_t, chr_file, "tap16")
+	dev_filetrans($1, tun_tap_device_t, chr_file, "tap17")
+	dev_filetrans($1, tun_tap_device_t, chr_file, "tap18")
+	dev_filetrans($1, tun_tap_device_t, chr_file, "tap19")
+	dev_filetrans($1, tun_tap_device_t, chr_file, "tap20")
+	dev_filetrans($1, tun_tap_device_t, chr_file, "tap21")
+	dev_filetrans($1, tun_tap_device_t, chr_file, "tap22")
+	dev_filetrans($1, tun_tap_device_t, chr_file, "tap23")
+	dev_filetrans($1, tun_tap_device_t, chr_file, "tap24")
+	dev_filetrans($1, tun_tap_device_t, chr_file, "tap25")
+	dev_filetrans($1, tun_tap_device_t, chr_file, "tap26")
+	dev_filetrans($1, tun_tap_device_t, chr_file, "tap27")
+	dev_filetrans($1, tun_tap_device_t, chr_file, "tap28")
+	dev_filetrans($1, tun_tap_device_t, chr_file, "tap29")
+	dev_filetrans($1, ppp_device_t, chr_file, "ppp")
+')
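Review bot: The parameter summary of `corenet_dontaudit_tcp_bind_all_defined_ports` reads `Domain allowed access.`, but a dontaudit interface grants nothing; the file's other dontaudit interfaces use `##	Domain to not audit.`. `corenet_filetrans_all_named_dev` is summarised as creating all network named devices, yet it lists only `tap0`..`tap29` and `ppp`, so `tap30` and above fall back to the default /dev label; either widen the summary or add a comment such as `# only tap0..tap29 get a named transition; higher tap numbers keep the default device label`. The blank line between `interface(` and `gen_require(` in that second interface differs from the surrounding style.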
diff --git a/policy/modules/kernel/corenetwork.if.m4 b/policy/modules/kernel/corenetwork.if.m4
index 8e0f9cd14..b9f45b996 100644
--- a/policy/modules/kernel/corenetwork.if.m4
+++ b/policy/modules/kernel/corenetwork.if.m4
@@ -629,6 +629,26 @@ interface(`corenet_udp_bind_$1_port',`
 	$4
 ')
 
+########################################
+## <summary>
+##	Do not audit attempts to sbind to $1 port.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_bind_$1_port',`
+	gen_require(`
+		$3 $1_$2;
+	')
+
+	dontaudit dollarsone $1_$2:udp_socket name_bind;
+	$4
+')
+
 ########################################
 ## <summary>
 ##	Make a TCP connection to the $1 port.
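Review bot: The summary of the new `corenet_dontaudit_udp_bind_$1_port` contains the typo `sbind`; it should read `##	Do not audit attempts to bind UDP sockets to the $1 port.`. The interface also expands `$4` after the dontaudit, copied from `corenet_udp_bind_$1_port`; `$4` is not visible here, but if a port declaration uses it to attach allow rules, a dontaudit interface would silently grant them, so it should probably be dropped from the dontaudit variant. The `<infoflow type="none"/>` tag is correct for a dontaudit interface.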
@@ -646,6 +666,23 @@ interface(`corenet_tcp_connect_$1_port',`
 
 	allow dollarsone $1_$2:tcp_socket name_connect;
 ')
+########################################
+## <summary>
+##	Do not audit attempts to make a TCP connection to $1 port.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_dontaudit_tcp_connect_$1_port',`
+	gen_require(`
+		$3 $1_$2;
+	')
+
+	dontaudit dollarsone $1_$2:tcp_socket name_connect;
+')
 '') dnl end create_port_interfaces
 
 define(`create_packet_interfaces',``
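Review bot: `corenet_dontaudit_tcp_connect_$1_port` documents its parameter as `Domain allowed access.` although it only suppresses audit messages; use `##	Domain to not audit.` as the other dontaudit interfaces in this file do. The new `########` header is glued directly to the closing `')` of `corenet_tcp_connect_$1_port` without the blank line that separates every other interface. Adding `## <infoflow type="none"/>` would also match the UDP dontaudit counterpart added in the hunk above.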
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
index b191055f9..37d51775f 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -5,6 +5,7 @@ policy_module(corenetwork, 1.19.2)
 # Declarations
 #
 
+attribute netlabel_peer_type;
 attribute client_packet_type;
 # This is an optimization for { port_type -port_t }
 attribute defined_port_type;
@@ -14,12 +15,14 @@ attribute node_type;
 attribute packet_type;
 attribute port_type;
 attribute reserved_port_type;
+attribute ephemeral_port_type;
 attribute rpc_port_type;
 attribute server_packet_type;
 # This is an optimization for { port_type -reserved_port_type }
 attribute unreserved_port_type;
 
 attribute corenet_unconfined_type;
+attribute corenet_unlabeled_type;
 
 type ppp_device_t;
 dev_node(ppp_device_t)
@@ -29,12 +32,25 @@ dev_node(ppp_device_t)
 #
 type tun_tap_device_t;
 dev_node(tun_tap_device_t)
+mls_trusted_object(tun_tap_device_t)
 
 ########################################
 #
 # Ports and packets
 #
 
+#
+# client_packet_t is the default type of IPv4 and IPv6 client packets.
+#
+type intranet_packet_t;
+corenet_packet(intranet_packet_t)
+
+#
+# client_packet_t is the default type of IPv4 and IPv6 client packets.
+#
+type internet_packet_t;
+corenet_packet(internet_packet_t)
+
 #
 # client_packet_t is the default type of IPv4 and IPv6 client packets.
 #
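Review bot: The comments above `intranet_packet_t` and `internet_packet_t` were copied from `client_packet_t` and still say `client_packet_t is the default type of IPv4 and IPv6 client packets.`; they should describe the new types, e.g. `# intranet_packet_t labels packets to/from internal networks (assigned by secmark rules)`, with the exact wording confirmed since no secmark rule is visible here. `mls_trusted_object(tun_tap_device_t)` exempts the tun/tap node from the MLS write-down constraints, a genuine relaxation that deserves a why-comment naming the multi-level consumer that needs it.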
@@ -46,6 +62,7 @@ type client_packet_t, packet_type, client_packet_type;
 #
 type netlabel_peer_t;
 sid netmsg gen_context(system_u:object_r:netlabel_peer_t,mls_systemhigh)
+mcs_constrained(netlabel_peer_t)
 
 #
 # port_t is the default type of INET port numbers.
@@ -58,6 +75,12 @@ sid port gen_context(system_u:object_r:port_t,s0)
 #
 type unreserved_port_t, port_type, unreserved_port_type;
 
+#
+# ephemeral_port_t is the default type of ephemeral port numbers.
+# cat /proc/sys/net/ipv4/ip_local_port_range 
+#
+type ephemeral_port_t, port_type, ephemeral_port_type;
+
 #
 # reserved_port_t is the type of INET port numbers below 1024.
 #
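Review bot: The comment above `ephemeral_port_t` points at `/proc/sys/net/ipv4/ip_local_port_range`, which suggests the range is taken from the running kernel, but the type is attached to a fixed `portcon` range later in this file and to a fixed threshold in corenetwork.te.m4. Say so explicitly, e.g. `# ephemeral_port_t covers the default ip_local_port_range (32768-61000); the bounds are hard-coded in the portcon rules below and in add_ephemeral_attribute`. The `cat /proc/...` line also carries trailing whitespace.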
@@ -76,63 +99,81 @@ type server_packet_t, packet_type, server_packet_type;
 network_port(afs_bos, udp,7007,s0)
 network_port(afs_fs, tcp,2040,s0, udp,7000,s0, udp,7005,s0)
 network_port(afs_ka, udp,7004,s0)
-network_port(afs_pt, udp,7002,s0)
+network_port(afs_pt, tcp,7002,s0, udp,7002,s0)
 network_port(afs_vl, udp,7003,s0)
 network_port(afs3_callback, tcp,7001,s0, udp,7001,s0)
 network_port(agentx, udp,705,s0, tcp,705,s0)
 network_port(amanda, udp,10080-10082,s0, tcp,10080-10083,s0)
 network_port(amavisd_recv, tcp,10024,s0)
 network_port(amavisd_send, tcp,10025,s0)
-network_port(amqp, udp,5671-5672,s0, tcp,5671-5672,s0)
-network_port(aol, udp,5190-5193,s0, tcp,5190-5193,s0)
+network_port(amqp, udp,5671-5672,s0, tcp,5671-5672,s0, tcp,15672,s0)
+network_port(aol, udp,5190-5193,s0, tcp,5190-5193,s0) 
+network_port(apc, tcp,3052,s0, udp,3052,s0)
 network_port(apcupsd, tcp,3551,s0, udp,3551,s0)
 network_port(apertus_ldp, tcp,539,s0, udp,539,s0)
-network_port(armtechdaemon, tcp,9292,s0, udp,9292,s0)
 network_port(asterisk, tcp,1720,s0, udp,2427,s0, udp,2727,s0, udp,4569,s0)
 network_port(audit, tcp,60,s0)
 network_port(auth, tcp,113,s0)
+network_port(bacula, tcp,9103,s0, udp,9103,s0)
 network_port(bgp, tcp,179,s0, udp,179,s0, tcp,2605,s0, udp,2605,s0)
 network_port(boinc, tcp,31416,s0)
 network_port(boinc_client, tcp,1043,s0, udp,1034,s0)
+network_port(brlp, tcp,4101,s0)
 network_port(biff) # no defined portcon
 network_port(certmaster, tcp,51235,s0)
+network_port(collectd, udp,25826,s0)
 network_port(chronyd, udp,323,s0)
 network_port(clamd, tcp,3310,s0)
 network_port(clockspeed, udp,4041,s0)
 network_port(cluster, tcp,5149,s0, udp,5149,s0, tcp,40040,s0, tcp,50006-50008,s0, udp,50006-50008,s0)
 network_port(cma, tcp,1050,s0, udp,1050,s0)
 network_port(cobbler, tcp,25151,s0)
-network_port(commplex_link, tcp,5001,s0, udp,5001,s0)
+network_port(commplex_link, tcp,4331,s0, tcp,5001,s0, udp,5001,s0)
 network_port(commplex_main, tcp,5000,s0, udp,5000,s0)
 network_port(comsat, udp,512,s0)
 network_port(condor, tcp,9618,s0, udp,9618,s0)
-network_port(couchdb, tcp,5984,s0, udp,5984,s0)
-network_port(cslistener, tcp,9000,s0, udp,9000,s0)
-network_port(ctdb, tcp,4379,s0, udp,4397,s0)
+network_port(conman, tcp,7890,s0, udp,7890,s0)
+network_port(connlcli, tcp,1358,s0, udp,1358,s0)
+network_port(couchdb, tcp,5984,s0, udp,5984,s0, tcp,6984,s0, udp,6984,s0)
+network_port(ctdb, tcp,4379,s0, udp,4379,s0)
 network_port(cvs, tcp,2401,s0, udp,2401,s0)
 network_port(cyphesis, tcp,6767,s0, tcp,6769,s0, tcp,6780-6799,s0, udp,32771,s0)
+network_port(cyrus_imapd, tcp,2005,s0)
 network_port(daap, tcp,3689,s0, udp,3689,s0)
 network_port(dbskkd, tcp,1178,s0)
 network_port(dcc, udp,6276,s0, udp,6277,s0)
 network_port(dccm, tcp,5679,s0, udp,5679,s0)
+network_port(dey_keyneg, tcp,8750,s0, udp,8750,s0)
+network_port(dey_sapi, tcp,4330,s0)
 network_port(dhcpc, udp,68,s0, tcp,68,s0, udp,546,s0, tcp, 546,s0, udp,5546,s0, tcp,5546,s0)
 network_port(dhcpd, udp,67,s0, udp,547,s0, tcp, 547,s0, udp,548,s0, tcp, 548,s0, tcp,647,s0, udp,647,s0, tcp,847,s0, udp,847,s0, tcp,7911,s0)
 network_port(dict, tcp,2628,s0)
 network_port(distccd, tcp,3632,s0)
-network_port(dns, tcp,53,s0, udp,53,s0)
+network_port(dogtag, tcp,7390,s0)
+network_port(dns, udp,53,s0, tcp,53,s0, tcp,853,s0, udp,853,s0)
+network_port(dnssec, tcp,8955,s0)
+network_port(echo, tcp,7,s0, udp,7,s0)
 network_port(efs, tcp,520,s0)
 network_port(embrace_dp_c, tcp,3198,s0, udp,3198,s0)
 network_port(epmap, tcp,135,s0, udp,135,s0)
 network_port(epmd, tcp,4369,s0, udp,4369,s0)
+network_port(fac_restore, tcp,5582,s0, udp,5582,s0)
 network_port(fingerd, tcp,79,s0)
-network_port(ftp, tcp,21,s0, tcp,990,s0, udp,990,s0)
+network_port(fmpro_internal, tcp,5003,s0, udp,5003,s0)
+network_port(flash, tcp,843,s0, tcp,1935,s0, udp,1935,s0)
+network_port(freeipmi, tcp,9225,s0, udp,9225,s0)
+network_port(ftp, tcp,21,s0, tcp,989,s0, udp,989,s0, tcp,990,s0, udp,990,s0)
 network_port(ftp_data, tcp,20,s0)
 network_port(gatekeeper, udp,1718,s0, udp,1719,s0, tcp,1721,s0, tcp,7000,s0)
+network_port(gear, tcp,43273,s0, udp,43273,s0)
+network_port(geneve, tcp,6080,s0)
 network_port(gdomap, tcp,538,s0, udp,538,s0)
 network_port(gds_db, tcp,3050,s0, udp,3050,s0)
 network_port(giftd, tcp,1213,s0)
 network_port(git, tcp,9418,s0, udp,9418,s0)
+network_port(glance, tcp,9292,s0, udp,9292,s0)
 network_port(glance_registry, tcp,9191,s0, udp,9191,s0)
+network_port(gluster, tcp,24007-24027,s0, tcp, 38465-38469,s0)
 network_port(gopher, tcp,70,s0, udp,70,s0)
 network_port(gpsd, tcp,2947,s0)
 network_port(hadoop_datanode, tcp,50010,s0)
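Review bot: `network_port(armtechdaemon, ...)` and `network_port(cslistener, ...)` are deleted (9292 becomes `glance`, 9000 is folded into `http`), which removes `armtechdaemon_port_t`, `cslistener_port_t` and every generated `corenet_*_{armtechdaemon,cslistener}_port` interface; any module still using them fails to build, and this patch only adds compatibility aliases for neutron/quantum. If the old names are still referenced, add `typealias glance_port_t alias armtechdaemon_port_t;` and `typealias http_port_t alias cslistener_port_t;` next to the neutron aliases at the end of the file. Folding 9000 into `http_port_t` also widens what every http-client domain may connect to; that is a policy decision worth a comment on the `http` line.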
@@ -140,45 +181,60 @@ network_port(hadoop_namenode, tcp,8020,s0)
 network_port(hddtemp, tcp,7634,s0)
 network_port(howl, tcp,5335,s0, udp,5353,s0)
 network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0)
-network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0) #8443 is mod_nss default port
-network_port(http_cache, tcp,3128,s0, udp,3130,s0, tcp,8080,s0, tcp,8118,s0, tcp,10001-10010,s0) # 8118 is for privoxy
+network_port(http, tcp,80,s0, tcp,81,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0,tcp,9000, s0) #8443 is mod_nss default port
+network_port(http_cache, udp,3130,s0, tcp,8080,s0, tcp,8118,s0, tcp,8123,s0, tcp,10001-10010,s0) # 8118 is for privoxy
+network_port(intermapper, tcp,8181,s0)
 network_port(i18n_input, tcp,9010,s0)
 network_port(imaze, tcp,5323,s0, udp,5323,s0)
-network_port(inetd_child, tcp,1,s0, udp,1,s0, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0, tcp,5666,s0)
+network_port(inetd_child, tcp,1,s0, udp,1,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,512,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,5666,s0)
 network_port(innd, tcp,119,s0)
 network_port(interwise, tcp,7778,s0, udp,7778,s0)
 network_port(ionixnetmon, tcp,7410,s0, udp,7410,s0)
 network_port(ipmi, udp,623,s0, udp,664,s0)
 network_port(ipp, tcp,631,s0, udp,631,s0, tcp,8610-8614,s0, udp,8610-8614,s0)
 network_port(ipsecnat, tcp,4500,s0, udp,4500,s0)
-network_port(ircd, tcp,6667,s0)
+network_port(ircd, tcp,6667,s0, tcp,6697,s0)
 network_port(isakmp, udp,500,s0)
 network_port(iscsi, tcp,3260,s0)
-network_port(isns, tcp,3205,s0, udp,3205,s0)
+network_port(isns, tcp,3205,s0, udp,3205,s0, tcp,51954,s0)
 network_port(jabber_client, tcp,5222,s0, tcp,5223,s0)
-network_port(jabber_interserver, tcp,5269,s0)
-network_port(jboss_iiop, tcp,3528,s0, udp,3528,s0)
-network_port(kerberos, tcp,88,s0, udp,88,s0, tcp,750,s0, udp,750,s0)
-network_port(kerberos_admin, tcp,464,s0, udp,464,s0, tcp,749,s0)
-network_port(kerberos_master, tcp,4444,s0, udp,4444,s0)
-network_port(kismet, tcp,2501,s0)
+network_port(jabber_interserver, tcp,5269,s0, tcp,5280,s0)
+network_port(jabber_router, tcp,5347,s0)
+network_port(jacorb, tcp,3528,s0, tcp,3529,s0)
+network_port(jboss_debug, tcp,8787,s0, udp,8787,s0)
+network_port(jboss_messaging, tcp,5445,s0, tcp,5455,s0)
+network_port(jboss_management, tcp,4712,s0, udp,4712,s0, tcp,4447,s0, tcp,7600,s0, tcp,9123,s0, udp,9123,s0, tcp, 9990, s0, tcp, 9999, s0, tcp, 18001, s0)
+network_port(kerberos, tcp,88,s0, udp,88,s0, tcp,750,s0, udp,750,s0, tcp,4444,s0, udp,4444,s0)
+network_port(kerberos_admin, tcp,749,s0)
+network_port(kerberos_password, tcp,464,s0, udp,464,s0)
+network_port(keystone, tcp, 35357,s0, udp, 35357,s0)
+network_port(kubernetes, tcp, 10250,s0, tcp, 4001,s0, tcp, 4194,s0)
+network_port(lltng, tcp, 5345, s0)
+network_port(llmnr, tcp, 5355, s0, udp, 5355,s0)
+network_port(rabbitmq, tcp,25672,s0)
+network_port(rkt, tcp,18112,s0)
+network_port(rlogin, tcp,543,s0, tcp,2105,s0)
+network_port(rtsclient, tcp,2501,s0)
 network_port(kprop, tcp,754,s0)
 network_port(ktalkd, udp,517,s0, udp,518,s0)
-network_port(l2tp, tcp,1701,s0, udp,1701,s0)
-network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0, tcp,3268,s0)
+network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0, tcp,3268,s0, tcp,3269,s0, tcp, 7389,s0)
 network_port(lirc, tcp,8765,s0)
-network_port(lmtp, tcp,24,s0, udp,24,s0)
+network_port(luci, tcp,8084,s0)
+network_port(lmtp, tcp,24,s0, udp,24,s0, tcp,2003,s0)
 network_port(lrrd) # no defined portcon
+network_port(lsm_plugin, tcp,18700,s0)
+network_port(l2tp, tcp,1701,s0, udp,1701,s0)
 network_port(mail, tcp,2000,s0, tcp,3905,s0)
+network_port(mailbox, tcp,2004,s0)
 network_port(matahari, tcp,49000,s0, udp,49000,s0)
 network_port(memcache, tcp,11211,s0, udp,11211,s0)
-network_port(milter) # no defined portcon
+network_port(milter, tcp, 8890,s0, tcp, 8891,s0, tcp, 8893,s0) # no defined portcon
 network_port(mmcc, tcp,5050,s0, udp,5050,s0)
+network_port(mongod, tcp,27017-27019,s0, tcp, 28017-28019,s0)
 network_port(monopd, tcp,1234,s0)
 network_port(mountd, tcp,20048,s0, udp,20048,s0)
 network_port(movaz_ssc, tcp,5252,s0, udp,5252,s0)
 network_port(mpd, tcp,6600,s0)
-network_port(msgsrvr, tcp,8787,s0, udp,8787,s0)
 network_port(msnp, tcp,1863,s0, udp,1863,s0)
 network_port(mssql, tcp,1433-1434,s0, udp,1433-1434,s0)
 network_port(ms_streaming, tcp,1755,s0, udp,1755,s0)
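Review bot: This hunk removes `kismet`, `jboss_iiop`, `kerberos_master` and `msgsrvr` and moves port 464 from `kerberos_admin` to the new `kerberos_password` without compatibility typealiases, so the generated types and interfaces for the old names vanish and callers of e.g. `corenet_tcp_connect_kerberos_master_port` break; the neutron/quantum aliases at the end of the file show the pattern to follow, `typealias kerberos_port_t alias kerberos_master_port_t;`. `http_cache` loses `tcp,3128` here, so domains confined to `http_cache_port_t` can no longer reach the default squid port unless they are also granted the squid type. The new `rabbitmq`, `rkt`, `rlogin` and `rtsclient` entries are inserted between `llmnr` and `kprop`, and `l2tp` is moved below `lsm_plugin`, breaking the alphabetical order the table relies on for review.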
@@ -186,101 +242,130 @@ network_port(munin, tcp,4949,s0, udp,4949,s0)
 network_port(mxi, tcp,8005,s0, udp,8005,s0)
 network_port(mysqld, tcp,1186,s0, tcp,3306,s0, tcp,63132-63164,s0)
 network_port(mysqlmanagerd, tcp,2273,s0)
+network_port(mythtv, tcp,6543-6544,s0)
 network_port(nessus, tcp,1241,s0)
 network_port(netport, tcp,3129,s0, udp,3129,s0)
 network_port(netsupport, tcp,5404,s0, udp,5404,s0, tcp,5405,s0, udp,5405,s0)
-network_port(nfs, tcp,2049,s0, udp,2049,s0)
-network_port(nfsrdma, tcp,20049,s0, udp,20049,s0)
+network_port(nfs, tcp,2049,s0, udp,2049,s0, tcp,20048-20049,s0, udp,20048-20049,s0)
 network_port(nmbd, udp,137,s0, udp,138,s0)
+network_port(nodejs_debug, tcp,5858,s0, udp,5858,s0)
 network_port(ntop, tcp,3000-3001,s0, udp,3000-3001,s0)
 network_port(ntp, udp,123,s0)
+network_port(oracle, tcp, 1521,s0,udp, 1521,s0, tcp,2483,s0,udp,2483,s0, tcp,2484,s0, udp,2484,s0)
 network_port(oa_system, tcp,8022,s0, udp,8022,s0)
-network_port(oracledb, tcp, 1521,s0,udp, 1521,s0, tcp,2483,s0,udp,2483,s0, tcp,2484,s0, udp,2484,s0)
 network_port(ocsp, tcp,9080,s0)
+network_port(openflow, tcp,6633,s0, tcp,6653,s0)
 network_port(openhpid, tcp,4743,s0, udp,4743,s0)
 network_port(openvpn, tcp,1194,s0, udp,1194,s0)
+network_port(openvswitch, tcp,6634,s0)
+network_port(openqa, tcp,9526,s0)
+network_port(openqa_websockets, tcp,9527,s0)
+network_port(osapi_compute, tcp, 8774, s0)
+network_port(ovsdb, tcp, 6640, s0)
 network_port(pdps, tcp,1314,s0, udp,1314,s0)
 network_port(pegasus_http, tcp,5988,s0)
 network_port(pegasus_https, tcp,5989,s0)
 network_port(pgpkeyserver, udp, 11371,s0, tcp,11371,s0)
 network_port(pingd, tcp,9125,s0)
+network_port(pki_ca, tcp, 829, s0, tcp, 9180, s0, tcp, 9701, s0, tcp, 9443-9447, s0)
+network_port(pki_kra, tcp, 10180, s0, tcp, 10701, s0, tcp, 10443-10446, s0)
+network_port(pki_ocsp, tcp, 11180, s0, tcp, 11701, s0, tcp, 11443-11446, s0)
+network_port(pki_tks, tcp, 13180, s0, tcp, 13701, s0, tcp, 13443-13446, s0)
+network_port(pki_ra, tcp,12888-12889,s0)
+network_port(pki_tps, tcp,7888-7889,s0)
 network_port(pktcable_cops, tcp,2126,s0, udp,2126,s0)
-network_port(pop, tcp,106,s0, tcp,109,s0, tcp,110,s0, tcp,143,s0, tcp,220,s0, tcp,993,s0, tcp,995,s0, tcp,1109,s0)
+network_port(pop, tcp,106,s0, tcp,109,s0, tcp,110,s0, tcp,143,s0, tcp,220,s0, tcp,993,s0, tcp,995,s0, tcp,1109,s0, tcp,10993,s0)
 network_port(portmap, udp,111,s0, tcp,111,s0)
 network_port(postfix_policyd, tcp,10031,s0)
-network_port(postgresql, tcp,5432,s0)
+network_port(postgresql, tcp,5432,s0, tcp,9898,s0)
 network_port(postgrey, tcp,60000,s0)
 network_port(pptp, tcp,1723,s0, udp,1723,s0)
 network_port(prelude, tcp,4690,s0, udp,4690,s0)
 network_port(presence, tcp,5298-5299,s0, udp,5298-5299,s0)
+network_port(preupgrade, tcp, 8099, s0)
 network_port(printer, tcp,515,s0)
+network_port(prosody, tcp,5280-5281,s0)
 network_port(ptal, tcp,5703,s0)
-network_port(pulseaudio, tcp,4713,s0)
+network_port(pulseaudio, tcp,4713,s0, udp,4713,s0)
 network_port(puppet, tcp, 8140, s0)
 network_port(pxe, udp,4011,s0)
 network_port(pyzor, udp,24441,s0)
-network_port(radacct, udp,1646,s0, udp,1813,s0)
-network_port(radius, udp,1645,s0, udp,1812,s0)
+network_port(neutron, tcp, 8775, s0, tcp,9696,s0, tcp,9697,s0)
+network_port(nsd_control, tcp,8952,s0)
+network_port(radacct, udp,1646,s0, tcp,1646,s0, tcp,1813,s0, udp,1813,s0)
+network_port(radius, udp,1645,s0, tcp,1645,s0, tcp,1812,s0, udp,1812,s0, tcp,18120-18121,s0, udp,18120-18121, s0)
 network_port(radsec, tcp,2083,s0)
 network_port(razor, tcp,2703,s0)
-network_port(redis, tcp,6379,s0)
+network_port(time, tcp,37,s0, udp,37,s0)
+network_port(redis, tcp,6379,s0, tcp,26379,s0, tcp,16379,s0)
 network_port(repository, tcp, 6363, s0)
 network_port(ricci, tcp,11111,s0, udp,11111,s0)
 network_port(ricci_modcluster, tcp,16851,s0, udp,16851,s0)
 network_port(rlogind, tcp,513,s0)
-network_port(rndc, tcp,953,s0, udp,953,s0)
+network_port(rndc, tcp,953,s0, udp,953,s0, tcp,8953,s0)
 network_port(router, udp,520,s0, udp,521,s0, tcp,521,s0)
 network_port(rsh, tcp,514,s0)
 network_port(rsync, tcp,873,s0, udp,873,s0)
-network_port(rtsp, tcp,554,s0, udp,554,s0)
+network_port(rtp_media, tcp,5004-5005,s0, udp,5004-5005,s0)
+network_port(rtsp, tcp,554,s0, udp,554,s0, tcp,8554,s0, udp,8554,s0)
 network_port(rwho, udp,513,s0)
+network_port(salt, tcp,4505,s0, tcp,4506,s0)
 network_port(sap, tcp,9875,s0, udp,9875,s0)
+network_port(saphostctrl, tcp,1128,s0, tcp,1129,s0)
 network_port(servistaitsm, tcp,3636,s0, udp,3636,s0)
+network_port(sge, tcp,6444,s0, tcp,6445,s0)
+network_port(shellinaboxd, tcp,4200,s0)
 network_port(sieve, tcp,4190,s0)
 network_port(sip, tcp,5060,s0, udp,5060,s0, tcp,5061,s0, udp,5061,s0)
 network_port(sixxsconfig, tcp,3874,s0, udp,3874,s0)
 network_port(smbd, tcp,137-139,s0, tcp,445,s0)
 network_port(smtp, tcp,25,s0, tcp,465,s0, tcp,587,s0)
-network_port(snmp, udp,161,s0, udp,162,s0, tcp,199,s0, tcp,1161,s0)
+network_port(snmp, tcp,161-162,s0, udp,161-162,s0, tcp,199,s0, tcp, 1161, s0)
 network_port(socks) # no defined portcon
 network_port(soundd, tcp,8000,s0, tcp,9433,s0, tcp, 16001, s0)
-network_port(spamd, tcp,783,s0)
+network_port(spamd, tcp,783,s0, tcp, 10026, s0, tcp, 10027, s0)
 network_port(speech, tcp,8036,s0)
-network_port(squid, udp,3401,s0, tcp,3401,s0, udp,4827,s0, tcp,4827,s0) # snmp and htcp
-network_port(ssdp, tcp,1900,s0, udp,1900,s0)
+network_port(squid, tcp,3128,s0, udp,3401,s0, tcp,3401,s0, udp,4827,s0, tcp,4827,s0) # snmp and htcp
+network_port(ssdp, tcp,1900,s0, udp, 1900, s0)
 network_port(ssh, tcp,22,s0)
 network_port(stunnel) # no defined portcon
 network_port(svn, tcp,3690,s0, udp,3690,s0)
 network_port(svrloc, tcp,427,s0, udp,427,s0)
 network_port(swat, tcp,901,s0)
+network_port(swift, tcp,6200-6203,s0)
 network_port(sype_transport, tcp,9911,s0, udp,9911,s0)
-network_port(syslogd, udp,514,s0)
-network_port(syslog_tls, tcp,6514,s0, udp,6514,s0)
+network_port(syslogd, udp,514,s0, udp,601,s0, tcp,601,s0, tcp,20514,s0, udp,20514,s0)
+network_port(syslog_tls, tcp,6514,s0, udp,6514,s0, tcp,10514,s0, udp,10514,s0)
 network_port(tcs, tcp, 30003, s0)
 network_port(telnetd, tcp,23,s0)
 network_port(tftp, udp,69,s0)
-network_port(tor, tcp,6969,s0, tcp,9001,s0, tcp,9030,s0, tcp,9050,s0, tcp,9051,s0)
+network_port(tor, tcp,6969,s0, tcp,9001,s0, tcp,9030,s0, tcp,9050,s0, tcp,9051,s0, tcp,9150,s0)
 network_port(traceroute, udp,64000-64010,s0)
+network_port(tram, tcp, 4567, s0)
 network_port(transproxy, tcp,8081,s0)
 network_port(trisoap, tcp,10200,s0, udp,10200,s0)
 network_port(trivnet1, tcp, 8200, s0, udp, 8200, s0)
 network_port(ups, tcp,3493,s0)
 network_port(utcpserver) # no defined portcon
 network_port(uucpd, tcp,540,s0)
+network_port(us_cli, tcp,8082,s0, udp,8082,s0, tcp,8083,s0, udp,8083,s0)
 network_port(varnishd, tcp,6081-6082,s0)
 network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0)
 network_port(virtual_places, tcp,1533,s0, udp,1533,s0)
 network_port(virt_migration, tcp,49152-49216,s0)
-network_port(vnc, tcp,5900,s0)
+network_port(vnc, tcp,5900-5983,s0, tcp,5985-5999,s0)
 network_port(wccp, udp,2048,s0)
 network_port(websm, tcp,9090,s0, udp,9090,s0)
-network_port(whois, tcp,43,s0, udp,43,s0, tcp,4321,s0, udp,4321,s0)
+network_port(whois, tcp,43,s0, udp,43,s0, tcp, 4321, s0 , udp, 4321, s0 )
 network_port(winshadow, tcp,3161,s0, udp,3261,s0)
 network_port(wsdapi, tcp,5357,s0, udp,5357,s0)
 network_port(wsicopy, tcp,3378,s0, udp,3378,s0)
 network_port(xdmcp, udp,177,s0, tcp,177,s0)
 network_port(xen, tcp,8002,s0)
+network_port(xinuexpansion3, tcp,2023,s0, udp,2023,s0)
+network_port(xinuexpansion4, tcp,2024,s0, udp,2024,s0)
 network_port(xfs, tcp,7100,s0)
+network_port(xodbc_connect, tcp,6632,s0)
 network_port(xserver, tcp,6000-6020,s0)
 network_port(zarafa, tcp,236,s0, tcp,237,s0)
 network_port(zabbix, tcp,10051,s0)
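Review bot: `nfs` now claims `tcp,20048-20049` and `udp,20048-20049`, but `mountd` already declares 20048 earlier in the table and, per the comment below the table, the earlier portcon wins, so the 20048 half of the nfs entry is dead; `network_port(nfs, tcp,2049,s0, udp,2049,s0, tcp,20049,s0, udp,20049,s0)` states what actually takes effect. The `milter` line keeps its `# no defined portcon` comment although it now defines three ports, and `oracledb` is renamed to `oracle` with no `typealias oracle_port_t alias oracledb_port_t;` for existing callers. The `whois` entry's `s0 , udp, 4321, s0 )` spacing and the `time`, `neutron` and `nsd_control` entries placed under `r` are cosmetic but make the table harder to audit.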
@@ -288,19 +373,23 @@ network_port(zabbix_agent, tcp,10050,s0)
 network_port(zookeeper_client, tcp,2181,s0)
 network_port(zookeeper_election, tcp,3888,s0)
 network_port(zookeeper_leader, tcp,2888,s0)
-network_port(zebra, tcp,2600-2604,s0, tcp,2606,s0, udp,2600-2604,s0, udp,2606,s0)
+network_port(zebra, tcp,2600-2604,s0, tcp,2606,s0, tcp,2608-2609,s0, udp,2600-2604,s0, udp,2606,s0, udp,2608-2609,s0)
 network_port(zented, tcp,1229,s0, udp,1229,s0)
 network_port(zope, tcp,8021,s0)
 
 # Defaults for reserved ports.	Earlier portcon entries take precedence;
 # these entries just cover any remaining reserved ports not otherwise declared.
 
-portcon udp 1024-65535 gen_context(system_u:object_r:unreserved_port_t, s0)
-portcon tcp 1024-65535 gen_context(system_u:object_r:unreserved_port_t, s0)
 portcon tcp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
 portcon udp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
 portcon tcp 1-511 gen_context(system_u:object_r:reserved_port_t, s0)
 portcon udp 1-511 gen_context(system_u:object_r:reserved_port_t, s0)
+portcon tcp 1024-32767 gen_context(system_u:object_r:unreserved_port_t, s0)
+portcon tcp 32768-61000 gen_context(system_u:object_r:ephemeral_port_t, s0)
+portcon tcp 61001-65535 gen_context(system_u:object_r:unreserved_port_t, s0)
+portcon udp 1024-32767 gen_context(system_u:object_r:unreserved_port_t, s0)
+portcon udp 32768-61000 gen_context(system_u:object_r:ephemeral_port_t, s0)
+portcon udp 61001-65535 gen_context(system_u:object_r:unreserved_port_t, s0)
 
 ########################################
 #
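Review bot: The new `portcon tcp/udp 32768-61000 ... ephemeral_port_t` lines do not agree with `add_ephemeral_attribute` in corenetwork.te.m4, which tags a declared port as `ephemeral_port_type` only when it starts at 50000 or above; `virt_migration` (49152-49216) therefore sits inside this ephemeral range without the attribute, while `hadoop_datanode` (50010) gets it. Pick one boundary, use it in both places, and record it in the comment above, which still reads `Defaults for reserved ports` although it now also covers the ephemeral and unreserved ranges. The upper bound 61000 looks like it was meant to be the kernel's default `ip_local_port_range` end, which on recent kernels is 60999 — worth confirming.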
@@ -333,6 +422,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh)
 
 build_option(`enable_mls',`
 network_interface(lo, lo, s0 - mls_systemhigh)
+allow netlabel_peer_t lo_netif_t:netif ingress;
+allow netlabel_peer_type lo_netif_t:netif egress;
 ',`
 typealias netif_t alias { lo_netif_t netif_lo_t };
 ')
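Review bot: Inside the `enable_mls` branch, `netlabel_peer_t` is granted `ingress` and the `netlabel_peer_type` attribute `egress` on `lo_netif_t`, with no comment saying why the two directions go to different subjects; in the non-MLS branch `lo_netif_t` is only an alias of `netif_t`, which the unconditional rules later in the file cover, so this asymmetry exists on MLS builds alone. A one-line comment such as `# MLS: labeled loopback traffic is received as netlabel_peer_t and sent by any netlabel-capable domain` (intent to be confirmed) would spare the next reader the reconstruction.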
@@ -345,9 +436,28 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
 allow corenet_unconfined_type node_type:node *;
 allow corenet_unconfined_type netif_type:netif *;
 allow corenet_unconfined_type packet_type:packet *;
+allow corenet_unconfined_type port_type:dccp_socket { send_msg recv_msg name_connect };
 allow corenet_unconfined_type port_type:tcp_socket { send_msg recv_msg name_connect };
 allow corenet_unconfined_type port_type:udp_socket { send_msg recv_msg };
 
 # Bind to any network address.
-allow corenet_unconfined_type port_type:{ tcp_socket udp_socket rawip_socket } name_bind;
-allow corenet_unconfined_type node_type:{ tcp_socket udp_socket rawip_socket } node_bind;
+allow corenet_unconfined_type port_type:{ dccp_socket tcp_socket udp_socket rawip_socket } name_bind;
+allow corenet_unconfined_type node_type:{ dccp_socket tcp_socket udp_socket rawip_socket } node_bind;
+
+#
+# Rules coverning the use of unlabeled types
+# 
+kernel_dccp_recvfrom_unlabeled(corenet_unlabeled_type)
+kernel_tcp_recvfrom_unlabeled(corenet_unlabeled_type)
+kernel_udp_recvfrom_unlabeled(corenet_unlabeled_type)
+kernel_raw_recvfrom_unlabeled(corenet_unlabeled_type)
+kernel_recvfrom_unlabeled_peer(corenet_unlabeled_type)
+
+allow netlabel_peer_type netlabel_peer_t:peer recv;
+allow netlabel_peer_type netlabel_peer_t:{ tcp_socket udp_socket rawip_socket dccp_socket } recvfrom;
+allow netlabel_peer_t netif_t:netif { rawip_recv egress ingress };
+allow netlabel_peer_t node_t:node recvfrom;
+
+typealias  neutron_port_t alias quantum_port_t;
+typealias  neutron_server_packet_t alias quantum_server_packet_t;
+typealias  neutron_client_packet_t alias quantum_client_packet_t;
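Review bot: The comment `Rules coverning the use of unlabeled types` should read `Rules governing ...`, and the `# ` line beneath it carries trailing whitespace. `allow netlabel_peer_t netif_t:netif { rawip_recv egress ingress }` and `allow netlabel_peer_t node_t:node recvfrom` treat the peer label as a subject, which is unusual enough to merit a why-comment. Only neutron/quantum receives compatibility `typealias` lines, while this same patch drops or renames several other port types (armtechdaemon, cslistener, kismet, jboss_iiop, kerberos_master, msgsrvr, nfsrdma, oracledb); if contrib modules still reference those, their aliases belong here too.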
diff --git a/policy/modules/kernel/corenetwork.te.m4 b/policy/modules/kernel/corenetwork.te.m4
index 3f6e16889..340e49fd6 100644
--- a/policy/modules/kernel/corenetwork.te.m4
+++ b/policy/modules/kernel/corenetwork.te.m4
@@ -86,6 +86,11 @@ define(`add_port_attribute',`dnl
 ifelse(eval(range_start($2) < 1024),1,`typeattribute $1 reserved_port_type;',`typeattribute $1 unreserved_port_type;')
 ')
 
+define(`add_ephemeral_attribute',`dnl
+ifelse(eval(range_start($3) >= 50000 && range_start($3) < 61001),1,`typeattribute $1 ephemeral_port_type;
+',`ifelse(`$5',`',`',`add_ephemeral_attribute($1,shiftn(4,$*))')')dnl
+')
+
 # bindresvport in glibc starts searching for reserved ports at 512
 define(`add_rpc_attribute',`dnl
 ifelse(eval(range_start($3) >= 512 && range_start($3) < 1024),1,`typeattribute $1 rpc_port_type;
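Review bot: The bounds in `add_ephemeral_attribute` are unexplained magic numbers, whereas the neighbouring `add_rpc_attribute` carries a one-line comment stating where its 512–1024 range comes from; a comment of the form `# ports in 50000-61000 are tagged ephemeral_port_type (source: <where this range is defined>)` should precede the `define`, with the actual origin filled in since it is not visible in this hunk. Writing the upper bound as `range_start($3) <= 61000` instead of `< 61001` also reads more naturally. The recursion on `shiftn(4,$*)` assumes four arguments per port tuple; that matches the `shift($*)` call sites in the next hunk only if every tuple really is four wide, which is worth confirming against `declare_ports`.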
@@ -101,6 +106,7 @@ type $1_client_packet_t, packet_type, client_packet_type;
 type $1_server_packet_t, packet_type, server_packet_type;
 ifelse(`$2',`',`',`add_port_attribute($1_port_t,$3)')dnl
 ifelse(`$2',`',`',`add_rpc_attribute($1_port_t,shift($*))')dnl
+ifelse(`$2',`',`',`add_ephemeral_attribute($1_port_t,shift($*))')dnl
 ifelse(`$2',`',`',`declare_portcons($1_port_t,shift($*))')dnl
 ')
 
diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
index b31c05491..b15a7aa05 100644
--- a/policy/modules/kernel/devices.fc
+++ b/policy/modules/kernel/devices.fc
@@ -15,15 +15,18 @@
 /dev/atibm		-c	gen_context(system_u:object_r:mouse_device_t,s0)
 /dev/audio.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
 /dev/autofs.*		-c	gen_context(system_u:object_r:autofs_device_t,s0)
+/dev/bsr.*		-c	gen_context(system_u:object_r:cpu_device_t,s0)
 /dev/beep		-c	gen_context(system_u:object_r:sound_device_t,s0)
 /dev/btrfs-control	-c	gen_context(system_u:object_r:lvm_control_t,s0)
-/dev/cachefiles		-c	gen_context(system_u:object_r:cachefiles_device_t,s0)
 /dev/controlD64		-c	gen_context(system_u:object_r:xserver_misc_device_t,s0)
 /dev/crash		-c	gen_context(system_u:object_r:crash_device_t,mls_systemhigh)
 /dev/dahdi/.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
-/dev/dmfm		-c	gen_context(system_u:object_r:sound_device_t,s0)
+/dev/dlm.*		-c	gen_context(system_u:object_r:dlm_control_device_t,s0)
+/dev/dmfm.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
 /dev/dmmidi.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
 /dev/dsp.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
+/dev/ecryptfs		-c	gen_context(system_u:object_r:ecryptfs_device_t,mls_systemhigh)
+/dev/ptp.*		-c	gen_context(system_u:object_r:clock_device_t,s0)
 /dev/efirtc		-c	gen_context(system_u:object_r:clock_device_t,s0)
 /dev/elographics/e2201	-c	gen_context(system_u:object_r:mouse_device_t,s0)
 /dev/em8300.*		-c	gen_context(system_u:object_r:v4l_device_t,s0)
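Review bot: `/dev/ptp.*` is inserted between `/dev/dsp.*` and `/dev/efirtc`, breaking the alphabetical order the rest of this block keeps; the same applies to `/dev/kfd` placed between `/dev/radeon` and `/dev/radio.*` in a later hunk, and moving both to their sorted positions keeps future merges clean. Dropping the `/dev/cachefiles` entry is consistent with the `dev_rw_cachefiles` interface removed later in devices.if, but only if `cachefiles_device_t` is also removed from devices.te and no remaining module still calls that interface — neither is visible here. The new `dlm_control_device_t` and `ecryptfs_device_t` labels likewise presume declarations in devices.te that this diff does not show.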
@@ -42,8 +45,15 @@
 /dev/hpet		-c	gen_context(system_u:object_r:clock_device_t,s0)
 /dev/hw_random		-c	gen_context(system_u:object_r:random_device_t,s0)
 /dev/hwrng		-c	gen_context(system_u:object_r:random_device_t,s0)
+/dev/gpiochip[0-9]+		-c	gen_context(system_u:object_r:gpio_device_t,s0)
 /dev/i915		-c	gen_context(system_u:object_r:dri_device_t,s0)
 /dev/inportbm		-c	gen_context(system_u:object_r:mouse_device_t,s0)
+/dev/infiniband/.*	-c	gen_context(system_u:object_r:infiniband_device_t,mls_systemhigh)
+/dev/infiniband/issm[0-9]+		-c	gen_context(system_u:object_r:infiniband_mgmt_device_t,mls_systemhigh)
+/dev/infiniband/umad[0-9]+		-c	gen_context(system_u:object_r:infiniband_mgmt_device_t,mls_systemhigh)
+/dev/infiniband/.*	-b	gen_context(system_u:object_r:infiniband_device_t,mls_systemhigh)
+/dev/infiniband/issm[0-9]+		-b	gen_context(system_u:object_r:infiniband_mgmt_device_t,mls_systemhigh)
+/dev/infiniband/umad[0-9]+		-b	gen_context(system_u:object_r:infiniband_mgmt_device_t,mls_systemhigh)
 /dev/ipmi[0-9]+		-c	gen_context(system_u:object_r:ipmi_device_t,s0)
 /dev/ipmi/[0-9]+	-c	gen_context(system_u:object_r:ipmi_device_t,s0)
 /dev/irlpt[0-9]+	-c	gen_context(system_u:object_r:printer_device_t,s0)
@@ -61,8 +71,10 @@
 /dev/loop-control	-c	gen_context(system_u:object_r:loop_control_device_t,s0)
 /dev/lp.*		-c	gen_context(system_u:object_r:printer_device_t,s0)
 /dev/mcelog		-c	gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh)
-/dev/mei		-c	gen_context(system_u:object_r:mei_device_t,s0)
+/dev/media.*	-c	gen_context(system_u:object_r:v4l_device_t,s0)
+/dev/mei[0-9]*       -c	gen_context(system_u:object_r:mei_device_t,s0)
 /dev/mem		-c	gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
+/dev/memory_bandwidth   -c  gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
 /dev/mergemem		-c	gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
 /dev/mga_vid.*		-c	gen_context(system_u:object_r:xserver_misc_device_t,s0)
 /dev/mice		-c	gen_context(system_u:object_r:mouse_device_t,s0)
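Review bot: The new `/dev/mei[0-9]*` and `/dev/memory_bandwidth` entries separate their fields with runs of spaces while every surrounding entry uses tabs; the same mixed whitespace recurs in later hunks (`/dev/monwriter`, `/dev/mpt[0-9]*ctl`, `/dev/nvme.*`, `/dev/vmci`, `/dev/vsock`, `/dev/vhci`, `/dev/clp[0-9]*`, `/dev/sclp[0-9]*`, `/dev/vmcp[0-9]*`, `/dev/uhid`). The parser accepts either, but tabs keep the columns aligned and match the file's convention. `/dev/mei[0-9]*` still matches the bare `/dev/mei` node the removed entry covered, so no label is lost by that change.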
@@ -72,7 +84,9 @@
 /dev/mixer.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
 /dev/mmetfgrab		-c	gen_context(system_u:object_r:scanner_device_t,s0)
 /dev/modem		-c	gen_context(system_u:object_r:modem_device_t,s0)
+/dev/monwriter  -c  gen_context(system_u:object_r:monitor_device_t,s0)
 /dev/mpu401.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
+/dev/mpt[0-9]*ctl         -c  gen_context(system_u:object_r:mptctl_device_t,s0)
 /dev/msr.*		-c	gen_context(system_u:object_r:cpu_device_t,s0)
 /dev/net/vhost		-c	gen_context(system_u:object_r:vhost_device_t,s0)
 /dev/network_latency	-c	gen_context(system_u:object_r:netcontrol_device_t,s0)
@@ -80,7 +94,10 @@
 /dev/noz.* 		-c	gen_context(system_u:object_r:modem_device_t,s0)
 /dev/null		-c	gen_context(system_u:object_r:null_device_t,s0)
 /dev/nvidia.*		-c	gen_context(system_u:object_r:xserver_misc_device_t,s0)
+/dev/nvme.*     -c  gen_context(system_u:object_r:nvme_device_t,s0)
+/dev/nvme.*     -b  gen_context(system_u:object_r:nvme_device_t,s0)
 /dev/nvram		-c	gen_context(system_u:object_r:nvram_device_t,mls_systemhigh)
+/dev/ndctl[0-9]		-c	gen_context(system_u:object_r:nvram_device_t,mls_systemhigh)
 /dev/oldmem		-c	gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
 /dev/opengl		-c	gen_context(system_u:object_r:xserver_misc_device_t,s0)
 /dev/par.*		-c	gen_context(system_u:object_r:printer_device_t,s0)
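Review bot: `/dev/ndctl[0-9]` matches a single trailing digit only, unlike the `[0-9]+` form used for `/dev/ipmi[0-9]+` and `/dev/gpiochip[0-9]+` elsewhere in this file; `/dev/ndctl[0-9]+` would also cover controllers past index 9. Labelling the `/dev/nvme.*` block nodes `nvme_device_t` rather than the fixed-disk type means domains that reach disks only through the existing storage interfaces lose access to NVMe namespaces unless `nvme_device_t` receives the corresponding attribute in devices.te or those interfaces are extended — that is outside this hunk and needs confirming. The same `.*` pattern also captures the `/dev/nvme-fabrics` control node, which may or may not be intended.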
@@ -90,9 +107,11 @@
 /dev/pmu		-c	gen_context(system_u:object_r:power_device_t,s0)
 /dev/port		-c	gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
 /dev/pps.*		-c	gen_context(system_u:object_r:clock_device_t,s0)
+/dev/prandom		-c	gen_context(system_u:object_r:random_device_t,s0)
 /dev/(misc/)?psaux	-c	gen_context(system_u:object_r:mouse_device_t,s0)
 /dev/rmidi.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
 /dev/radeon		-c	gen_context(system_u:object_r:dri_device_t,s0)
+/dev/kfd		-c	gen_context(system_u:object_r:hsa_device_t,s0)
 /dev/radio.*		-c	gen_context(system_u:object_r:v4l_device_t,s0)
 /dev/random		-c	gen_context(system_u:object_r:random_device_t,s0)
 /dev/raw1394.*		-c	gen_context(system_u:object_r:v4l_device_t,s0)
@@ -106,6 +125,7 @@
 /dev/snapshot		-c	gen_context(system_u:object_r:apm_bios_t,s0)
 /dev/sndstat		-c	gen_context(system_u:object_r:sound_device_t,s0)
 /dev/sonypi		-c	gen_context(system_u:object_r:v4l_device_t,s0)
+/dev/spidev.*		-c	gen_context(system_u:object_r:usb_device_t,s0)
 /dev/tlk[0-3]		-c	gen_context(system_u:object_r:v4l_device_t,s0)
 /dev/tpm[0-9]*		-c	gen_context(system_u:object_r:tpm_device_t,s0)
 /dev/uinput		-c	gen_context(system_u:object_r:event_device_t,s0)
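Review bot: `/dev/spidev.*` is labelled `usb_device_t`, although SPI device nodes are not USB devices; every domain allowed access to USB device nodes would then also gain raw access to the SPI bus. If reusing the USB type is deliberate, a comment such as `# spidev shares the usb_device_t type; no dedicated SPI type exists` above the entry would stop a later reader from silently "fixing" it; otherwise a dedicated type keeps the two privilege boundaries separate.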
@@ -118,6 +138,15 @@
 ifdef(`distro_suse', `
 /dev/usbscanner		-c	gen_context(system_u:object_r:scanner_device_t,s0)
 ')
+/dev/vmci       -c  gen_context(system_u:object_r:vmci_device_t,s0)
+/dev/vsock       -c  gen_context(system_u:object_r:vsock_device_t,s0)
+/dev/vhci       -c  gen_context(system_u:object_r:vhost_device_t,s0)
+/dev/vchiq		-c	gen_context(system_u:object_r:v4l_device_t,s0)
+/dev/vc-mem		-c	gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
+/dev/vfio/(vfio)?[0-9]*	-c	gen_context(system_u:object_r:vfio_device_t,s0)
+/dev/clp[0-9]*            -c  gen_context(system_u:object_r:vfio_device_t,s0)
+/dev/sclp[0-9]*            -c  gen_context(system_u:object_r:vfio_device_t,s0)
+/dev/vmcp[0-9]*     -c  gen_context(system_u:object_r:vfio_device_t,s0)
 /dev/vhost-net		-c	gen_context(system_u:object_r:vhost_device_t,s0)
 /dev/vbi.*		-c	gen_context(system_u:object_r:v4l_device_t,s0)
 /dev/vbox.*		-c	gen_context(system_u:object_r:xserver_misc_device_t,s0)
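Review bot: Several of the new entries assign types whose fit is questionable: `/dev/vhci` (which appears to be the virtual HCI node) is labelled `vhost_device_t`, and what look like the s390 `/dev/clp[0-9]*`, `/dev/sclp[0-9]*` and `/dev/vmcp[0-9]*` nodes are labelled `vfio_device_t` next to the genuine `/dev/vfio/...` entry. If these reuses are deliberate, a short comment per group (e.g. `# s390 console/CP nodes intentionally share vfio_device_t`) would record the intent; otherwise dedicated types keep the privileges of unrelated hardware apart. `vmci_device_t` and `vsock_device_t` also need declarations in devices.te, which this diff does not show.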
@@ -129,12 +158,14 @@ ifdef(`distro_suse', `
 /dev/vttuner		-c	gen_context(system_u:object_r:v4l_device_t,s0)
 /dev/vtx.*		-c	gen_context(system_u:object_r:v4l_device_t,s0)
 /dev/watchdog.*		-c	gen_context(system_u:object_r:watchdog_device_t,s0)
+/dev/cdc-wdm[0-9]	-c	gen_context(system_u:object_r:modem_device_t,s0)
 /dev/winradio.*		-c	gen_context(system_u:object_r:v4l_device_t,s0)
 /dev/z90crypt		-c	gen_context(system_u:object_r:crypt_device_t,s0)
 /dev/zero		-c	gen_context(system_u:object_r:zero_device_t,s0)
 
 /dev/bus/usb/.*/[0-9]+	-c	gen_context(system_u:object_r:usb_device_t,s0)
 
+/dev/ati/card.*		-c	gen_context(system_u:object_r:xserver_misc_device_t,s0)
 /dev/card.*		-c	gen_context(system_u:object_r:xserver_misc_device_t,s0)
 /dev/cmx.*		-c	gen_context(system_u:object_r:smartcard_device_t,s0)
 
@@ -169,18 +200,26 @@ ifdef(`distro_suse', `
 
 /dev/s(ou)?nd/.*	-c	gen_context(system_u:object_r:sound_device_t,s0)
 
+/dev/ss[0-9]+		-c	gen_context(system_u:object_r:gpfs_device_t,s0)
+
 /dev/touchscreen/ucb1x00 -c	gen_context(system_u:object_r:mouse_device_t,s0)
 /dev/touchscreen/mk712	-c	gen_context(system_u:object_r:mouse_device_t,s0)
 
+/dev/uhid           -c  gen_context(system_u:object_r:uhid_device_t,s0)
+
 /dev/usb/dc2xx.*	-c	gen_context(system_u:object_r:scanner_device_t,s0)
 /dev/usb/lp.*		-c	gen_context(system_u:object_r:printer_device_t,s0)
 /dev/usb/mdc800.*	-c	gen_context(system_u:object_r:scanner_device_t,s0)
 /dev/usb/scanner.*	-c	gen_context(system_u:object_r:scanner_device_t,s0)
 
+/dev/vmbus/hv_vss		-c	gen_context(system_u:object_r:hypervvssd_device_t,s0)
+/dev/vmbus/hv_kvp		-c	gen_context(system_u:object_r:hypervkvp_device_t,s0)
+
 /dev/xen/blktap.*	-c	gen_context(system_u:object_r:xen_device_t,s0)
 /dev/xen/evtchn		-c	gen_context(system_u:object_r:xen_device_t,s0)
 /dev/xen/gntdev		-c	gen_context(system_u:object_r:xen_device_t,s0)
 /dev/xen/gntalloc	-c	gen_context(system_u:object_r:xen_device_t,s0)
+/dev/xen/privcmd	-c	gen_context(system_u:object_r:xen_device_t,s0)
 
 ifdef(`distro_debian',`
 # this is a static /dev dir "backup mount"
@@ -198,12 +237,27 @@ ifdef(`distro_debian',`
 /lib/udev/devices/null	-c	gen_context(system_u:object_r:null_device_t,s0)
 /lib/udev/devices/zero	-c	gen_context(system_u:object_r:zero_device_t,s0)
 
-/sys(/.*)?			gen_context(system_u:object_r:sysfs_t,s0)
-
 ifdef(`distro_redhat',`
 # originally from named.fc
 /var/named/chroot/dev	-d	gen_context(system_u:object_r:device_t,s0)
 /var/named/chroot/dev/null -c	gen_context(system_u:object_r:null_device_t,s0)
 /var/named/chroot/dev/random -c	gen_context(system_u:object_r:random_device_t,s0)
 /var/named/chroot/dev/zero -c	gen_context(system_u:object_r:zero_device_t,s0)
+/var/named/chroot_sdb/dev	-d	gen_context(system_u:object_r:device_t,s0)
+/var/named/chroot_sdb/dev/null -c	gen_context(system_u:object_r:null_device_t,s0)
+/var/named/chroot_sdb/dev/random -c	gen_context(system_u:object_r:random_device_t,s0)
+/var/named/chroot_sdb/dev/zero -c	gen_context(system_u:object_r:zero_device_t,s0)
+/
+/var/spool/postfix/dev    -d    gen_context(system_u:object_r:device_t,s0)
 ')
+
+#
+# /sys
+#
+/sys(/.*)?			gen_context(system_u:object_r:sysfs_t,s0)
+/sys/devices/system/cpu/online	gen_context(system_u:object_r:cpu_online_t,s0)
+
+/usr/lib/udev/devices(/.*)?		gen_context(system_u:object_r:device_t,s0)
+/usr/lib/udev/devices/lp.*	-c	gen_context(system_u:object_r:printer_device_t,s0)
+/usr/lib/udev/devices/null	-c	gen_context(system_u:object_r:null_device_t,s0)
+/usr/lib/udev/devices/zero	-c	gen_context(system_u:object_r:zero_device_t,s0)
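Review bot: The added line consisting only of `/` inside the `distro_redhat` block is a bare path with no file type and no context, so the file_contexts parser should reject it as a malformed entry rather than ignore it; it looks like a leftover from editing the `/var/named/chroot_sdb` lines and should be deleted. The relocated `/sys(/.*)?` entry now sits under a `# /sys` heading after the ifdef blocks with `/sys/devices/system/cpu/online` labelled `cpu_online_t`, a type that must be declared in devices.te and is not part of this diff. The `/usr/lib/udev/devices` entries duplicate the `/lib/udev/devices` ones above for merged-/usr layouts; a comment saying `# keep in sync with /lib/udev/devices above` would help the next editor.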
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index 76f285ea6..6be6206e0 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -143,13 +143,32 @@ interface(`dev_relabel_all_dev_nodes',`
 		type device_t;
 	')
 
-	relabelfrom_dirs_pattern($1, device_t, device_node)
-	relabelfrom_files_pattern($1, device_t, device_node)
-	relabelfrom_lnk_files_pattern($1, device_t, { device_t device_node })
-	relabelfrom_fifo_files_pattern($1, device_t, device_node)
-	relabelfrom_sock_files_pattern($1, device_t, device_node)
-	relabel_blk_files_pattern($1, device_t, { device_t device_node })
-	relabel_chr_files_pattern($1, device_t, { device_t device_node })
+	relabel_dirs_pattern($1, device_t, device_node)
+	relabel_files_pattern($1, device_t, device_node)
+	relabel_lnk_files_pattern($1, device_t, device_node)
+	relabel_fifo_files_pattern($1, device_t,  device_node)
+	relabel_sock_files_pattern($1, device_t, device_node)
+	relabel_blk_files_pattern($1, device_t, device_node)
+	relabel_chr_files_pattern($1, device_t, device_node)
+')
+
+########################################
+## <summary>
+##	Allow full relabeling (to and from) of all device files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`dev_relabel_all_dev_files',`
+	gen_require(`
+		type device_t;
+	')
+
+	relabel_files_pattern($1, device_t, device_t)
 ')
 
 ########################################
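Review bot: `dev_relabel_all_dev_nodes` now uses the `relabel_*_pattern` macros instead of `relabelfrom_*`, so every caller also gains `relabelto` on all `device_node` types; that widening should be reflected in the interface's summary, which lies above this hunk and is not updated here. The new `dev_relabel_all_dev_files` is summarised as "full relabeling (to and from) of all device files" but only calls `relabel_files_pattern($1, device_t, device_t)`, i.e. generic `device_t` files and not `device_node` types; either change the summary to `Relabel generic files in /dev.` or pass `{ device_t device_node }` as the target as the removed lines did. The `<rolecap/>` tag on the new interface is appropriate for a relabel privilege.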
@@ -207,6 +226,24 @@ interface(`dev_dontaudit_list_all_dev_nodes',`
 	dontaudit $1 device_t:dir list_dir_perms;
 ')
 
+########################################
+## <summary>
+##	Dontaudit attempts to list all device nodes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`dev_dontaudit_all_access_check',`
+	gen_require(`
+		attribute device_node;
+	')
+
+	dontaudit $1 device_node:file_class_set audit_access;
+')
+
 ########################################
 ## <summary>
 ##	Add entries to directories in /dev.
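Review bot: The summary for `dev_dontaudit_all_access_check` is copied from the interface above it and is wrong: it says `Dontaudit attempts to list all device nodes.` while the body is `dontaudit $1 device_node:file_class_set audit_access;`. Replace it with `Do not audit access-check (audit_access) attempts on all device nodes.` so the generated interface documentation matches the rule.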
@@ -352,6 +389,24 @@ interface(`dev_read_generic_files',`
 	read_files_pattern($1, device_t, device_t)
 ')
 
+#######################################
+## <summary>
+##  Read generic files in /dev.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain to not audit.
+##  </summary>
+## </param>
+#
+interface(`dev_dontaudit_read_generic_files',`
+    gen_require(`
+        type device_t;
+    ')
+
+    dontaudit $1 device_t:file { read getattr };
+')
+
 ########################################
 ## <summary>
 ##	Read and write generic files in /dev.
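Review bot: `dev_dontaudit_read_generic_files` is documented as `Read generic files in /dev.`, which describes the allow interface above it rather than a dontaudit; use `Do not audit attempts to read generic files in /dev.`. The body is indented with four spaces while the rest of devices.if uses tabs, and its `#######################################` banner is one character shorter than the file's standard header — cosmetic, but it stands out in an otherwise uniform file.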
@@ -460,6 +515,42 @@ interface(`dev_getattr_generic_blk_files',`
 	getattr_blk_files_pattern($1, device_t, device_t)
 ')
 
+########################################
+## <summary>
+##	Rename generic block device nodes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_rename_generic_blk_files',`
+	gen_require(`
+		type device_t;
+	')
+
+	rename_blk_files_pattern($1, device_t, device_t)
+')
+
+########################################
+## <summary>
+##	write generic sock files in /dev.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`dev_write_generic_sock_files',`
+	gen_require(`
+		type device_t;
+	')
+
+	write_sock_files_pattern($1, device_t, device_t)
+')
+
 ########################################
 ## <summary>
 ##	Dontaudit getattr on generic block devices.
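Review bot: `dev_write_generic_sock_files` grants access via `write_sock_files_pattern`, but its parameter is documented as `Domain to not audit.`; it should read `Domain allowed access.` as in `dev_rename_generic_blk_files` directly above, and the summary should be capitalised: `Write generic sock files in /dev.`. `dev_rename_generic_blk_files` itself is fine.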
@@ -568,6 +659,24 @@ interface(`dev_dontaudit_getattr_generic_chr_files',`
 	dontaudit $1 device_t:chr_file getattr;
 ')
 
+########################################
+## <summary>
+##	Rename generic character device nodes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_rename_generic_chr_files',`
+	gen_require(`
+		type device_t;
+	')
+
+	rename_chr_files_pattern($1, device_t, device_t)
+')
+
 ########################################
 ## <summary>
 ##	Dontaudit setattr for generic character device files.
@@ -646,7 +755,7 @@ interface(`dev_rw_generic_blk_files',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain to dontaudit access.
+##	Domain to not audit.
 ##	</summary>
 ## </param>
 #
@@ -733,7 +842,7 @@ interface(`dev_dontaudit_setattr_generic_symlinks',`
 
 ########################################
 ## <summary>
-##	Read symbolic links in device directories.
+##	Create symbolic links in device directories.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -741,17 +850,17 @@ interface(`dev_dontaudit_setattr_generic_symlinks',`
 ##	</summary>
 ## </param>
 #
-interface(`dev_read_generic_symlinks',`
+interface(`dev_create_generic_symlinks',`
 	gen_require(`
 		type device_t;
 	')
 
-	allow $1 device_t:lnk_file read_lnk_file_perms;
+	create_lnk_files_pattern($1, device_t, device_t)
 ')
 
 ########################################
 ## <summary>
-##	Create symbolic links in device directories.
+##	Delete symbolic links in device directories.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -759,17 +868,17 @@ interface(`dev_read_generic_symlinks',`
 ##	</summary>
 ## </param>
 #
-interface(`dev_create_generic_symlinks',`
+interface(`dev_delete_generic_symlinks',`
 	gen_require(`
 		type device_t;
 	')
 
-	create_lnk_files_pattern($1, device_t, device_t)
+	delete_lnk_files_pattern($1, device_t, device_t)
 ')
 
 ########################################
 ## <summary>
-##	Delete symbolic links in device directories.
+##	Read symbolic links in device directories.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -777,12 +886,12 @@ interface(`dev_create_generic_symlinks',`
 ##	</summary>
 ## </param>
 #
-interface(`dev_delete_generic_symlinks',`
+interface(`dev_read_generic_symlinks',`
 	gen_require(`
 		type device_t;
 	')
 
-	delete_lnk_files_pattern($1, device_t, device_t)
+	allow $1 device_t:lnk_file read_lnk_file_perms;
 ')
 
 ########################################
@@ -875,6 +984,24 @@ interface(`dev_dontaudit_rw_generic_dev_nodes',`
 	dontaudit $1 device_t:{ chr_file blk_file } { getattr read write ioctl };
 ')
 
+########################################
+## <summary>
+##	Read block device files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_read_generic_blk_files',`
+	gen_require(`
+		type device_t;
+	')
+
+	read_blk_files_pattern($1, device_t, device_t)
+')
+
 ########################################
 ## <summary>
 ##	Create, delete, read, and write block device files.
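Review bot: The summary `Read block device files.` for `dev_read_generic_blk_files` is ambiguous next to the `dev_read_all_blk_files` interface added later in this diff; since the body is `read_blk_files_pattern($1, device_t, device_t)`, the summary should say `Read generic block device files.`, matching the `dev_getattr_generic_blk_files` naming.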
@@ -981,6 +1108,25 @@ interface(`dev_tmpfs_filetrans_dev',`
 	fs_tmpfs_filetrans($1, device_t, $2, $3)
 ')
 
+########################################
+## <summary>
+##	Allow getattr on all device nodes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_getattr_all',`
+	gen_require(`
+		attribute device_node;
+		type device_t;
+	')
+
+	allow $1 { device_t device_node }:dir_file_class_set getattr;
+')
+
 ########################################
 ## <summary>
 ##	Getattr on all block file device nodes.
@@ -1001,6 +1147,26 @@ interface(`dev_getattr_all_blk_files',`
 	getattr_blk_files_pattern($1, device_t, device_node)
 ')
 
+########################################
+## <summary>
+##	Read on all block file device nodes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`dev_read_all_blk_files',`
+	gen_require(`
+		attribute device_node;
+		type device_t;
+	')
+
+	read_blk_files_pattern($1, device_t, device_node)
+')
+
 ########################################
 ## <summary>
 ##	Dontaudit getattr on all block file device nodes.
@@ -1034,6 +1200,7 @@ interface(`dev_dontaudit_getattr_all_blk_files',`
 interface(`dev_getattr_all_chr_files',`
 	gen_require(`
 		attribute device_node;
+		type device_t;
 	')
 
 	getattr_chr_files_pattern($1, device_t, device_node)
@@ -1204,6 +1371,42 @@ interface(`dev_create_all_chr_files',`
 	create_chr_files_pattern($1, device_t, device_node)
 ')
 
+########################################
+## <summary>
+##	rw all inherited character device files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_rw_all_inherited_chr_files',`
+	gen_require(`
+		attribute device_node;
+	')
+
+	allow $1 device_node:chr_file rw_inherited_chr_file_perms;
+')
+
+########################################
+## <summary>
+##	rw all inherited blk device files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_rw_all_inherited_blk_files',`
+	gen_require(`
+		attribute device_node;
+	')
+
+	allow $1 device_node:blk_file rw_inherited_blk_file_perms;
+')
+
 ########################################
 ## <summary>
 ##	Delete all block device files.
@@ -1558,25 +1761,6 @@ interface(`dev_relabel_autofs_dev',`
 	allow $1 autofs_device_t:chr_file relabel_chr_file_perms;
 ')
 
-########################################
-## <summary>
-##	Read and write cachefiles character
-##	device nodes.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`dev_rw_cachefiles',`
-	gen_require(`
-		type device_t, cachefiles_device_t;
-	')
-
-	rw_chr_files_pattern($1, device_t, cachefiles_device_t)
-')
-
 ########################################
 ## <summary>
 ##	Read and write the PCMCIA card manager device.
@@ -1680,6 +1864,26 @@ interface(`dev_filetrans_cardmgr',`
 	filetrans_pattern($1, device_t, cardmgr_dev_t, { chr_file blk_file }, $2)
 ')
 
+########################################
+## <summary>
+##	Automatic type transition to the type
+##	for xserver misc device nodes when
+##	created in /dev.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_filetrans_xserver_misc',`
+	gen_require(`
+		type device_t, xserver_misc_device_t;
+	')
+
+	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file )
+')
+
 ########################################
 ## <summary>
 ##	Get the attributes of the CPU
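Review bot: `dev_filetrans_xserver_misc` applies a transition to every `chr_file` created in `device_t`, whereas `dev_filetrans_cardmgr` immediately above passes an optional object name as `$2`; mirroring that with `filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, $2)` plus a `<param name="name" optional="true">` entry lets callers scope the transition to a named node instead of all character devices. The stray space in `chr_file )` should also go.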
@@ -1791,6 +1995,24 @@ interface(`dev_rw_crypto',`
 	rw_chr_files_pattern($1, device_t, crypt_device_t)
 ')
 
+########################################
+## <summary>
+##	Read and write the the ecrypt filesystem device.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_rw_ecryptfs',`
+	gen_require(`
+		type device_t, ecryptfs_device_t;
+	')
+
+	rw_chr_files_pattern($1, device_t, ecryptfs_device_t)
+')
+
 #######################################
 ## <summary>
 ##	Set the attributes of the dlm control devices.
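Review bot: Summary typo in `dev_rw_ecryptfs`: `Read and write the the ecrypt filesystem device.` should be `Read and write the ecryptfs device.`. The body follows the `dev_rw_crypto` template above it, and `ecryptfs_device_t` must be declared in devices.te, which this diff does not show.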
@@ -1881,6 +2103,25 @@ interface(`dev_rw_dri',`
 	rw_chr_files_pattern($1, device_t, dri_device_t)
 ')
 
+########################################
+## <summary>
+##	Read and write the dri devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_rw_inherited_dri',`
+	gen_require(`
+		type device_t, dri_device_t;
+	')
+
+    allow $1 device_t:dir search_dir_perms;
+    allow $1 dri_device_t:chr_file rw_inherited_chr_file_perms;
+')
+
 ########################################
 ## <summary>
 ##	Dontaudit read and write on the dri devices.
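Review bot: `dev_rw_inherited_dri` reuses the summary of `dev_rw_dri` (`Read and write the dri devices.`) although it only grants `rw_inherited_chr_file_perms`, which excludes opening the node; the summary should say `Read and write inherited dri device file descriptors.` so readers pick the right interface. The two `allow` lines are indented with spaces rather than the file's tabs.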
@@ -2017,7 +2258,7 @@ interface(`dev_rw_input_dev',`
 
 ########################################
 ## <summary>
-##	Get the attributes of the framebuffer device node.
+##	Read input event devices (/dev/input).
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -2025,17 +2266,18 @@ interface(`dev_rw_input_dev',`
 ##	</summary>
 ## </param>
 #
-interface(`dev_getattr_framebuffer_dev',`
+interface(`dev_rw_inherited_input_dev',`
 	gen_require(`
-		type device_t, framebuf_device_t;
+		type device_t, event_device_t;
 	')
 
-	getattr_chr_files_pattern($1, device_t, framebuf_device_t)
+    allow $1 device_t:dir search_dir_perms;
+    allow $1 event_device_t:chr_file rw_inherited_chr_file_perms;
 ')
 
 ########################################
 ## <summary>
-##	Set the attributes of the framebuffer device node.
+##	Read ipmi devices.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
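Review bot: The summary for `dev_rw_inherited_input_dev` says `Read input event devices (/dev/input).` while the body grants `rw_inherited_chr_file_perms` on `event_device_t`; it should read `Read and write inherited input event device file descriptors.`. The `allow` lines are space-indented unlike the rest of the file. The framebuffer interfaces displaced here are re-added in the following hunk, so no interface is lost by the rename.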
@@ -2043,7 +2285,180 @@ interface(`dev_getattr_framebuffer_dev',`
 ##	</summary>
 ## </param>
 #
-interface(`dev_setattr_framebuffer_dev',`
+interface(`dev_read_ipmi_dev',`
+	gen_require(`
+		type device_t, ipmi_device_t;
+	')
+
+	read_chr_files_pattern($1, device_t, ipmi_device_t)
+')
+
+########################################
+## <summary>
+##	Read and write ipmi devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_rw_ipmi_dev',`
+	gen_require(`
+		type device_t, ipmi_device_t;
+	')
+
+	rw_chr_files_pattern($1, device_t, ipmi_device_t)
+')
+
+########################################
+## <summary>
+##	Manage ipmi devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_manage_ipmi_dev',`
+	gen_require(`
+		type device_t, ipmi_device_t;
+	')
+
+	manage_chr_files_pattern($1, device_t, ipmi_device_t)
+')
+
+########################################
+## <summary>
+##	Automatic type transition to the type
+##	for PCMCIA card manager device nodes when
+##	created in /dev.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="name" optional="true">
+##	<summary>
+##	The name of the object being created.
+##	</summary>
+## </param>
+#
+interface(`dev_filetrans_ipmi',`
+	gen_require(`
+		type device_t, ipmi_device_t;
+	')
+
+	filetrans_pattern($1, device_t, ipmi_device_t, chr_file, $2)
+')
+
+########################################
+## <summary>
+##	Read infiniband devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_read_infiniband_dev',`
+	gen_require(`
+		type device_t, infiniband_device_t;
+	')
+
+	read_chr_files_pattern($1, device_t, infiniband_device_t)
+    read_blk_files_pattern($1, device_t, infiniband_device_t)
+')
+
+########################################
+## <summary>
+##	Read and write ipmi devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_rw_infiniband_dev',`
+	gen_require(`
+		type device_t, infiniband_device_t;
+	')
+
+	rw_chr_files_pattern($1, device_t, infiniband_device_t)
+    rw_blk_files_pattern($1, device_t, infiniband_device_t)
+')
+
+########################################
+## <summary>
+##	Read infiniband mgmt devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_read_infiniband_mgmt_dev',`
+	gen_require(`
+		type device_t, infiniband_mgmt_device_t;
+	')
+
+	read_chr_files_pattern($1, device_t, infiniband_mgmt_device_t)
+    read_blk_files_pattern($1, device_t, infiniband_mgmt_device_t)
+')
+
+########################################
+## <summary>
+##	Read and write ipmi devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_rw_infiniband_mgmt_dev',`
+	gen_require(`
+		type device_t, infiniband_mgmt_device_t;
+	')
+
+	rw_chr_files_pattern($1, device_t, infiniband_mgmt_device_t)
+    rw_blk_files_pattern($1, device_t, infiniband_mgmt_device_t)
+')
+
+########################################
+## <summary>
+##	Get the attributes of the framebuffer device node.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_getattr_framebuffer_dev',`
+	gen_require(`
+		type device_t, framebuf_device_t;
+	')
+
+	getattr_chr_files_pattern($1, device_t, framebuf_device_t)
+')
+
+########################################
+## <summary>
+##	Set the attributes of the framebuffer device node.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_setattr_framebuffer_dev',`
 	gen_require(`
 		type device_t, framebuf_device_t;
 	')
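Review bot: Several of the new interface headers are copy-paste errors: `dev_filetrans_ipmi` is summarised as a transition for `PCMCIA card manager device nodes` (should be `ipmi device nodes`), and both `dev_rw_infiniband_dev` and `dev_rw_infiniband_mgmt_dev` carry `Read and write ipmi devices.` (should name infiniband and infiniband mgmt devices respectively). The `read_blk_files_pattern`/`rw_blk_files_pattern` lines in the four infiniband interfaces are space-indented while the line before each uses a tab. `infiniband_device_t` and `infiniband_mgmt_device_t`, which the fc hunk labels `mls_systemhigh`, need declarations in devices.te that are not part of this diff.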
@@ -2402,7 +2817,97 @@ interface(`dev_filetrans_lirc',`
 
 ########################################
 ## <summary>
-##	Get the attributes of the lvm comtrol device.
+##	Get the attributes of the loop comtrol device.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_getattr_loop_control',`
+	gen_require(`
+		type device_t, loop_control_device_t;
+	')
+
+	getattr_chr_files_pattern($1, device_t, loop_control_device_t)
+')
+
+########################################
+## <summary>
+##	Read the loop comtrol device.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_read_loop_control',`
+	gen_require(`
+		type device_t, loop_control_device_t;
+	')
+
+	read_chr_files_pattern($1, device_t, loop_control_device_t)
+')
+
+########################################
+## <summary>
+##	Read and write the loop control device.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_rw_loop_control',`
+	gen_require(`
+		type device_t, loop_control_device_t;
+	')
+
+	rw_chr_files_pattern($1, device_t, loop_control_device_t)
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to read and write loop control device.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`dev_dontaudit_rw_loop_control',`
+	gen_require(`
+		type loop_control_device_t;
+	')
+
+	dontaudit $1 loop_control_device_t:chr_file rw_file_perms;
+')
+
+########################################
+## <summary>
+##	Delete the loop control device.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_delete_loop_control_dev',`
+	gen_require(`
+		type device_t, loop_control_device_t;
+	')
+
+	delete_chr_files_pattern($1, device_t, loop_control_device_t)
+')
+
+########################################
+## <summary>
+##	Get the attributes of the loop comtrol device.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
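Review bot: `dev_dontaudit_rw_loop_control` uses `rw_file_perms` on a `chr_file` object; the character-device permission set `rw_chr_file_perms` is what this file uses for chr_file rules and keeps the permission list tied to the object class, so `dontaudit $1 loop_control_device_t:chr_file rw_chr_file_perms;` is preferable. The `comtrol` typo from the pre-existing lvm-control summary is copied into the new `dev_getattr_loop_control` and `dev_read_loop_control` summaries — it should be `loop control device` in both, and the context line at the end of the hunk could be fixed in passing. Omitting `device_t` from the dontaudit interface's `gen_require` is fine since it does not touch the directory.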
@@ -2530,6 +3035,24 @@ interface(`dev_read_raw_memory',`
 	typeattribute $1 memory_raw_read;
 ')
 
+########################################
+## <summary>
+##	Allow to be reader of raw memory devices (e.g. /dev/mem).
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_raw_memory_reader',`
+	gen_require(`
+		attribute memory_raw_read;
+	')
+
+	typeattribute $1 memory_raw_read;
+')
+
 ########################################
 ## <summary>
 ##	Do not audit attempts to read raw memory devices
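Review bot: `dev_raw_memory_reader` is identical to `dev_read_raw_memory` directly above it (`typeattribute $1 memory_raw_read;`), and `dev_raw_memory_writer` in the next hunk duplicates `dev_write_raw_memory` the same way. Two names for one privilege make it harder to audit which domains may read `/dev/mem`; if the new name is needed for compatibility, say so in its summary (e.g. `Alias of dev_read_raw_memory; prefer that interface.`) or have one call the other so the relationship is explicit.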
@@ -2571,6 +3094,24 @@ interface(`dev_write_raw_memory',`
 	typeattribute $1 memory_raw_write;
 ')
 
+########################################
+## <summary>
+##	Allow to be writer of raw memory devices (e.g. /dev/mem).
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_raw_memory_writer',`
+	gen_require(`
+		attribute memory_raw_write;
+	')
+
+	typeattribute $1 memory_raw_write;
+')
+
 ########################################
 ## <summary>
 ##	Read and execute raw memory devices (e.g. /dev/mem).
@@ -2725,7 +3266,7 @@ interface(`dev_write_misc',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed access.
+##	Domain to not audit.
 ##	</summary>
 ## </param>
 #
@@ -2811,7 +3352,7 @@ interface(`dev_rw_modem',`
 
 ########################################
 ## <summary>
-##	Get the attributes of the mouse devices.
+##	Get the attributes of the monitor devices.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -2819,17 +3360,17 @@ interface(`dev_rw_modem',`
 ##	</summary>
 ## </param>
 #
-interface(`dev_getattr_mouse_dev',`
+interface(`dev_getattr_monitor_dev',`
 	gen_require(`
-		type device_t, mouse_device_t;
+		type device_t, monitor_device_t;
 	')
 
-	getattr_chr_files_pattern($1, device_t, mouse_device_t)
+	getattr_chr_files_pattern($1, device_t, monitor_device_t)
 ')
 
 ########################################
 ## <summary>
-##	Set the attributes of the mouse devices.
+##	Set the attributes of the monitor devices.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -2837,17 +3378,17 @@ interface(`dev_getattr_mouse_dev',`
 ##	</summary>
 ## </param>
 #
-interface(`dev_setattr_mouse_dev',`
+interface(`dev_setattr_monitor_dev',`
 	gen_require(`
-		type device_t, mouse_device_t;
+		type device_t, monitor_device_t;
 	')
 
-	setattr_chr_files_pattern($1, device_t, mouse_device_t)
+	setattr_chr_files_pattern($1, device_t, monitor_device_t)
 ')
 
 ########################################
 ## <summary>
-##	Read the mouse devices.
+##	Read the monitor devices.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -2855,12 +3396,84 @@ interface(`dev_setattr_mouse_dev',`
 ##	</summary>
 ## </param>
 #
-interface(`dev_read_mouse',`
+interface(`dev_read_monitor_dev',`
 	gen_require(`
-		type device_t, mouse_device_t;
+		type device_t, monitor_device_t;
 	')
 
-	read_chr_files_pattern($1, device_t, mouse_device_t)
+	read_chr_files_pattern($1, device_t, monitor_device_t)
+')
+
+########################################
+## <summary>
+##	Read and write to monitor devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_rw_monitor_dev',`
+	gen_require(`
+		type device_t, monitor_device_t;
+	')
+
+	rw_chr_files_pattern($1, device_t, monitor_device_t)
+')
+
+########################################
+## <summary>
+##	Get the attributes of the mouse devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_getattr_mouse_dev',`
+	gen_require(`
+		type device_t, mouse_device_t;
+	')
+
+	getattr_chr_files_pattern($1, device_t, mouse_device_t)
+')
+
+########################################
+## <summary>
+##	Set the attributes of the mouse devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_setattr_mouse_dev',`
+	gen_require(`
+		type device_t, mouse_device_t;
+	')
+
+	setattr_chr_files_pattern($1, device_t, mouse_device_t)
+')
+
+########################################
+## <summary>
+##	Read the mouse devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_read_mouse',`
+	gen_require(`
+		type device_t, mouse_device_t;
+	')
+
+	read_chr_files_pattern($1, device_t, mouse_device_t)
 ')
 
 ########################################
@@ -2903,20 +3516,20 @@ interface(`dev_getattr_mtrr_dev',`
 
 ########################################
 ## <summary>
-##	Read the memory type range
+##	Write the memory type range
 ##	registers (MTRR).  (Deprecated)
 ## </summary>
 ## <desc>
 ##	<p>
-##	Read the memory type range
+##	Write the memory type range
 ##	registers (MTRR).  This interface has
 ##	been deprecated, dev_rw_mtrr() should be
 ##	used instead.
 ##	</p>
 ##	<p>
 ##	The MTRR device ioctls can be used for
-##	reading and writing; thus, read access to the
-##	device cannot be separated from write access.
+##	reading and writing; thus, write access to the
+##	device cannot be separated from read access.
 ##	</p>
 ## </desc>
 ## <param name="domain">
@@ -2925,43 +3538,34 @@ interface(`dev_getattr_mtrr_dev',`
 ##	</summary>
 ## </param>
 #
-interface(`dev_read_mtrr',`
+interface(`dev_write_mtrr',`
 	refpolicywarn(`$0($*) has been replaced with dev_rw_mtrr().')
 	dev_rw_mtrr($1)
 ')
 
 ########################################
 ## <summary>
-##	Write the memory type range
-##	registers (MTRR).  (Deprecated)
+##	Do not audit attempts to write the memory type
+##	range registers (MTRR).
 ## </summary>
-## <desc>
-##	<p>
-##	Write the memory type range
-##	registers (MTRR).  This interface has
-##	been deprecated, dev_rw_mtrr() should be
-##	used instead.
-##	</p>
-##	<p>
-##	The MTRR device ioctls can be used for
-##	reading and writing; thus, write access to the
-##	device cannot be separated from read access.
-##	</p>
-## </desc>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed access.
+##	Domain to not audit.
 ##	</summary>
 ## </param>
 #
-interface(`dev_write_mtrr',`
-	refpolicywarn(`$0($*) has been replaced with dev_rw_mtrr().')
-	dev_rw_mtrr($1)
+interface(`dev_dontaudit_write_mtrr',`
+	gen_require(`
+		type mtrr_device_t;
+	')
+
+	dontaudit $1 mtrr_device_t:file write_file_perms;
+	dontaudit $1 mtrr_device_t:chr_file write_chr_file_perms;
 ')
 
 ########################################
 ## <summary>
-##	Do not audit attempts to write the memory type
+##	Do not audit attempts to read the memory type
 ##	range registers (MTRR).
 ## </summary>
 ## <param name="domain">
@@ -2970,13 +3574,32 @@ interface(`dev_write_mtrr',`
 ##	</summary>
 ## </param>
 #
-interface(`dev_dontaudit_write_mtrr',`
+interface(`dev_dontaudit_read_mtrr',`
 	gen_require(`
 		type mtrr_device_t;
 	')
 
-	dontaudit $1 mtrr_device_t:file write;
-	dontaudit $1 mtrr_device_t:chr_file write;
+	dontaudit $1 mtrr_device_t:file { open read };
+	dontaudit $1 mtrr_device_t:chr_file { open read };
+')
+
+########################################
+## <summary>
+##	Read the memory type range registers (MTRR).
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_read_mtrr',`
+	gen_require(`
+		type device_t, mtrr_device_t;
+	')
+
+	read_files_pattern($1, device_t, mtrr_device_t)
+	read_chr_files_pattern($1, device_t, mtrr_device_t)
 ')
 
 ########################################
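Review bot: dev_read_mtrr is re-introduced here as a read-only interface, but the previous hunk removes the deprecated dev_read_mtrr that expanded to `dev_rw_mtrr($1)`, so existing callers of that name silently lose write access to the MTRR device. The dev_write_mtrr description that survives in the earlier hunk still states that MTRR ioctls are used for both reading and writing and that the two accesses cannot be separated, which contradicts offering a read-only variant. Either keep a `refpolicywarn` shim for the old semantics for one release, or add a sentence to this summary saying that read access alone does not cover the MTRR ioctls and that dev_rw_mtrr() is needed for those.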
@@ -3142,6 +3765,80 @@ interface(`dev_create_null_dev',`
 	create_chr_files_pattern($1, device_t, null_device_t)
 ')
 
+########################################
+## <summary>
+##	Get the status of a null device service.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_service_status_null_dev',`
+	gen_require(`
+		type null_device_t;
+	')
+
+	allow $1 null_device_t:service status;
+')
+
+########################################
+## <summary>
+##	Configure null_device as a unit files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`dev_config_null_dev_service',`
+	gen_require(`
+		type null_device_t;
+	')
+
+	allow $1 null_device_t:service manage_service_perms;
+')
+
+########################################
+## <summary>
+##	Read Non-Volatile Memory Host Controller Interface.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_read_nvme',`
+	gen_require(`
+		type nvme_device_t;
+	')
+
+	read_chr_files_pattern($1, device_t, nvme_device_t)
+	read_blk_files_pattern($1, device_t, nvme_device_t)
+')
+
+########################################
+## <summary>
+##	Read/Write Non-Volatile Memory Host Controller Interface.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_rw_nvme',`
+	gen_require(`
+		type nvme_device_t;
+	')
+
+	rw_chr_files_pattern($1, device_t, nvme_device_t)
+	rw_blk_files_pattern($1, device_t, nvme_device_t)
+')
+
 ########################################
 ## <summary>
 ##	Do not audit attempts to get the attributes
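Review bot: dev_read_nvme and dev_rw_nvme pass device_t to the *_pattern macros but their gen_require blocks declare only nvme_device_t, and dev_read_nvram in the next hunk has the same omission; the usb hunk later in this diff is fixing exactly this kind of bug, so these should read `type device_t, nvme_device_t;` and `type device_t, nvram_device_t;`. A missing require typically only surfaces when the interface is expanded in a module that does not already require device_t, which is easy to miss in testing. Separately, dev_config_null_dev_service documents its parameter as `Domain allowed to transition.` although it grants manage_service_perms on a service class, so `Domain allowed access.` is the accurate wording, and `Configure null_device as a unit files.` should be `Configure the null device as a unit file.`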
@@ -3161,6 +3858,24 @@ interface(`dev_dontaudit_getattr_nvram_dev',`
 	dontaudit $1 nvram_device_t:chr_file getattr;
 ')
 
+########################################
+## <summary>
+##	Read BIOS non-volatile RAM.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_read_nvram',`
+	gen_require(`
+		type nvram_device_t;
+	')
+
+	read_chr_files_pattern($1, device_t, nvram_device_t)
+')
+
 ########################################
 ## <summary>
 ##	Read and write BIOS non-volatile RAM.
@@ -3254,7 +3969,25 @@ interface(`dev_rw_printer',`
 
 ########################################
 ## <summary>
-##	Read printk devices (e.g., /dev/kmsg /dev/mcelog)
+##	Relabel the printer device node.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_relabel_printer',`
+	gen_require(`
+		type printer_device_t;
+	')
+
+	allow $1 printer_device_t:chr_file relabel_chr_file_perms;
+')
+
+########################################
+## <summary>
+##	Read and write the printer device.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -3262,12 +3995,13 @@ interface(`dev_rw_printer',`
 ##	</summary>
 ## </param>
 #
-interface(`dev_read_printk',`
+interface(`dev_manage_printer',`
 	gen_require(`
-		type device_t, printk_device_t;
+		type device_t, printer_device_t;
 	')
 
-	read_chr_files_pattern($1, device_t, printk_device_t)
+	manage_chr_files_pattern($1, device_t, printer_device_t)
+	dev_filetrans_printer_named_dev($1)
 ')
 
 ########################################
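Review bot: This hunk removes the only visible definition of dev_read_printk (printk_device_t) and replaces it with dev_manage_printer; unless dev_read_printk is redefined elsewhere in the file, its callers will fail to build, so it should be kept or given a deprecation shim like the `refpolicywarn` pattern this diff already uses for dev_write_mtrr. dev_manage_printer also calls dev_filetrans_printer_named_dev($1), which is not visible here, and its summary `Read and write the printer device.` understates the grant since manage_chr_files_pattern adds create, delete and rename on top of read/write. Suggest `Create, read, write, and delete the printer device node, with named file transitions in /dev.`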
@@ -3399,7 +4133,7 @@ interface(`dev_dontaudit_read_rand',`
 
 ########################################
 ## <summary>
-##	Do not audit attempts to append to random
+##	Do not audit attempts to append to the random
 ##	number generator devices (e.g., /dev/random)
 ## </summary>
 ## <param name="domain">
@@ -3413,7 +4147,7 @@ interface(`dev_dontaudit_append_rand',`
 		type random_device_t;
 	')
 
-	dontaudit $1 random_device_t:chr_file append_chr_file_perms;
+	dontaudit $1 random_device_t:chr_file { append };
 ')
 
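Review bot: Narrowing the dontaudit from append_chr_file_perms to a bare `{ append }` means the companion permissions in that set (open, getattr and the rest) will start appearing as denials for every caller of dev_dontaudit_append_rand, which is a behaviour change for a dontaudit interface and is not mentioned in the summary. If that is intended, the summary should say only the append permission itself is silenced; if not, keep `dontaudit $1 random_device_t:chr_file append_chr_file_perms;`. The braces around a single permission are also unnecessary and unlike the rest of the file.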
 ########################################
@@ -3855,7 +4589,7 @@ interface(`dev_getattr_sysfs_dirs',`
 
 ########################################
 ## <summary>
-##	Search the sysfs directories.
+##	Set the attributes of sysfs directories.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -3863,91 +4597,89 @@ interface(`dev_getattr_sysfs_dirs',`
 ##	</summary>
 ## </param>
 #
-interface(`dev_search_sysfs',`
+interface(`dev_setattr_sysfs_dirs',`
 	gen_require(`
 		type sysfs_t;
 	')
 
-	search_dirs_pattern($1, sysfs_t, sysfs_t)
+	allow $1 sysfs_t:dir setattr_dir_perms;
 ')
 
 ########################################
 ## <summary>
-##	Do not audit attempts to search sysfs.
+##	Get attributes of sysfs filesystems.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain to not audit.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
-interface(`dev_dontaudit_search_sysfs',`
+interface(`dev_getattr_sysfs_fs',`
 	gen_require(`
 		type sysfs_t;
 	')
 
-	dontaudit $1 sysfs_t:dir search_dir_perms;
+	allow $1 sysfs_t:filesystem getattr;
 ')
 
 ########################################
 ## <summary>
-##	List the contents of the sysfs directories.
+##	Mount a filesystem on /sys
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed access.
+##	Domain allow access.
 ##	</summary>
 ## </param>
 #
-interface(`dev_list_sysfs',`
+interface(`dev_mounton_sysfs',`
 	gen_require(`
 		type sysfs_t;
 	')
 
-	list_dirs_pattern($1, sysfs_t, sysfs_t)
+	allow $1 sysfs_t:dir mounton;
 ')
 
 ########################################
 ## <summary>
-##	Write in a sysfs directories.
+##	Dontaudit attempts to mount a filesystem on /sys
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed access.
+##	Domain to not audit.
 ##	</summary>
 ## </param>
 #
-# cjp: added for cpuspeed
-interface(`dev_write_sysfs_dirs',`
+interface(`dev_dontaudit_mounton_sysfs',`
 	gen_require(`
 		type sysfs_t;
 	')
 
-	allow $1 sysfs_t:dir write;
+	dontaudit $1 sysfs_t:dir mounton;
 ')
 
 ########################################
 ## <summary>
-##	Do not audit attempts to write in a sysfs directory.
+##	Mount sysfs filesystems.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain to not audit.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
-interface(`dev_dontaudit_write_sysfs_dirs',`
+interface(`dev_mount_sysfs_fs',`
 	gen_require(`
 		type sysfs_t;
 	')
 
-	dontaudit $1 sysfs_t:dir write;
+	allow $1 sysfs_t:filesystem mount;
 ')
 
 ########################################
 ## <summary>
-##	Create, read, write, and delete sysfs
-##	directories.
+##	Unmount sysfs filesystems.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
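Review bot: The parameter summary of dev_mounton_sysfs reads `Domain allow access.`, a typo for `Domain allowed access.` used everywhere else in the file. The summaries `Mount a filesystem on /sys` and `Dontaudit attempts to mount a filesystem on /sys` also lack the terminating period the surrounding headers use; the second should follow the file's `Do not audit attempts to ...` wording.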
@@ -3955,65 +4687,295 @@ interface(`dev_dontaudit_write_sysfs_dirs',`
 ##	</summary>
 ## </param>
 #
-interface(`dev_manage_sysfs_dirs',`
+interface(`dev_unmount_sysfs_fs',`
 	gen_require(`
 		type sysfs_t;
 	')
 
-	manage_dirs_pattern($1, sysfs_t, sysfs_t)
+	allow $1 sysfs_t:filesystem unmount;
 ')
 
 ########################################
 ## <summary>
-##	Read hardware state information.
+##	Search the sysfs directories.
 ## </summary>
-## <desc>
-##	<p>
-##	Allow the specified domain to read the contents of
-##	the sysfs filesystem.  This filesystem contains
-##	information, parameters, and other settings on the
-##	hardware installed on the system.
-##	</p>
-## </desc>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <infoflow type="read" weight="10"/>
 #
-interface(`dev_read_sysfs',`
+interface(`dev_search_sysfs',`
 	gen_require(`
 		type sysfs_t;
 	')
 
-	read_files_pattern($1, sysfs_t, sysfs_t)
-	read_lnk_files_pattern($1, sysfs_t, sysfs_t)
-
-	list_dirs_pattern($1, sysfs_t, sysfs_t)
+	search_dirs_pattern($1, sysfs_t, sysfs_t)
 ')
 
 ########################################
 ## <summary>
-##	Allow caller to modify hardware state information.
+##	Do not audit attempts to search sysfs.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed access.
+##	Domain to not audit.
 ##	</summary>
 ## </param>
 #
-interface(`dev_rw_sysfs',`
+interface(`dev_dontaudit_search_sysfs',`
 	gen_require(`
 		type sysfs_t;
 	')
 
-	rw_files_pattern($1, sysfs_t, sysfs_t)
+	dontaudit $1 sysfs_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+##	List the contents of the sysfs directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_list_sysfs',`
+	gen_require(`
+		type sysfs_t;
+	')
+
+	read_lnk_files_pattern($1, sysfs_t, sysfs_t)
+	list_dirs_pattern($1, sysfs_t, sysfs_t)
+')
+
+########################################
+## <summary>
+##	Write in a sysfs directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+# cjp: added for cpuspeed
+interface(`dev_write_sysfs_dirs',`
+	gen_require(`
+		type sysfs_t;
+	')
+
+	allow $1 sysfs_t:dir write;
+')
+
+########################################
+## <summary>
+##	Access check for a sysfs directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_access_check_sysfs',`
+	gen_require(`
+		type sysfs_t;
+	')
+
+	allow $1 sysfs_t:dir audit_access;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to write in a sysfs directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`dev_dontaudit_write_sysfs_dirs',`
+	gen_require(`
+		type sysfs_t;
+	')
+
+	dontaudit $1 sysfs_t:dir write;
+')
+
+########################################
+## <summary>
+##	Read cpu online hardware state information.
+## </summary>
+## <desc>
+##	<p>
+##	Allow the specified domain to read /sys/devices/system/cpu/online file.
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_read_cpu_online',`
+	gen_require(`
+		type cpu_online_t;
+	')
+
+	dev_search_sysfs($1)
+	read_files_pattern($1, cpu_online_t, cpu_online_t)
+')
+
+########################################
+## <summary>
+##	Relabel cpu online hardware state information.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_relabel_cpu_online',`
+	gen_require(`
+		type cpu_online_t;
+		type sysfs_t;
+	')
+
+	dev_search_sysfs($1)
+	allow $1 cpu_online_t:file relabel_file_perms;
+')
+
+
+########################################
+## <summary>
+##	Read hardware state information.
+## </summary>
+## <desc>
+##	<p>
+##	Allow the specified domain to read the contents of
+##	the sysfs filesystem.  This filesystem contains
+##	information, parameters, and other settings on the
+##	hardware installed on the system.
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`dev_read_sysfs',`
+	gen_require(`
+		type sysfs_t;
+	')
+
+	read_files_pattern($1, sysfs_t, sysfs_t)
+	read_lnk_files_pattern($1, sysfs_t, sysfs_t)
+
+	list_dirs_pattern($1, sysfs_t, sysfs_t)
+')
+
+########################################
+## <summary>
+##	Allow caller to modify hardware state information.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_rw_sysfs',`
+	gen_require(`
+		type sysfs_t;
+	')
+
+	rw_files_pattern($1, sysfs_t, sysfs_t)
 	read_lnk_files_pattern($1, sysfs_t, sysfs_t)
 
 	list_dirs_pattern($1, sysfs_t, sysfs_t)
 ')
 
+########################################
+## <summary>
+##	Relabel hardware state directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_relabel_sysfs_dirs',`
+	gen_require(`
+		type sysfs_t;
+	')
+
+	relabel_dirs_pattern($1, sysfs_t, sysfs_t)
+')
+
+########################################
+## <summary>
+##	Relabel hardware state files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_relabel_all_sysfs',`
+	gen_require(`
+		type sysfs_t;
+	')
+
+	relabel_dirs_pattern($1, sysfs_t, sysfs_t)
+	relabel_files_pattern($1, sysfs_t, sysfs_t)
+	relabel_lnk_files_pattern($1, sysfs_t, sysfs_t)
+')
+
+########################################
+## <summary>
+##	Allow caller to modify hardware state information.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_manage_sysfs_dirs',`
+	gen_require(`
+		type sysfs_t;
+	')
+
+	manage_dirs_pattern($1, sysfs_t, sysfs_t)
+')
+
+########################################
+## <summary>
+##	Allow caller to modify hardware state information.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_manage_sysfs',`
+	gen_require(`
+		type sysfs_t;
+	')
+
+	manage_dirs_pattern($1, sysfs_t, sysfs_t)
+	manage_files_pattern($1, sysfs_t, sysfs_t)
+')
+
 ########################################
 ## <summary>
 ##	Read and write the TPM device.
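Review bot: dev_list_sysfs now grants read_lnk_files_pattern in addition to list_dirs_pattern (the removed body earlier in this hunk granted only the latter), so every existing caller silently gains symlink read on sysfs_t; the summary `List the contents of the sysfs directories.` should mention the symlink access, or that grant should live in a separate interface. The summaries of dev_manage_sysfs_dirs and dev_manage_sysfs are both copies of the dev_rw_sysfs summary (`Allow caller to modify hardware state information.`), which hides that they grant create and delete; suggest `Create, read, write, and delete sysfs directories.` and `Create, read, write, and delete sysfs directories and files.` dev_relabel_cpu_online also requires `type sysfs_t;` without referencing it, and there is a doubled blank line before the dev_read_sysfs header.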
@@ -4111,6 +5073,25 @@ interface(`dev_write_urand',`
 	write_chr_files_pattern($1, device_t, urandom_device_t)
 ')
 
+########################################
+## <summary>
+##	Do not audit attempts to write to pseudo
+##	random devices (e.g., /dev/urandom)
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`dev_dontaudit_write_urand',`
+	gen_require(`
+		type urandom_device_t;
+	')
+
+	dontaudit $1 urandom_device_t:chr_file write;
+')
+
 ########################################
 ## <summary>
 ##	Getattr generic the USB devices.
@@ -4123,7 +5104,7 @@ interface(`dev_write_urand',`
 #
 interface(`dev_getattr_generic_usb_dev',`
 	gen_require(`
-		type usb_device_t;
+		type usb_device_t,device_t;
 	')
 
 	getattr_chr_files_pattern($1, device_t, usb_device_t)
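Review bot: The added require `type usb_device_t,device_t;` fixes a real omission, but every other gen_require in this file lists device_t first with a space after the comma, so `type device_t, usb_device_t;` would match the house style. The same fix is still missing from the new dev_read_nvme, dev_rw_nvme and dev_read_nvram interfaces earlier in this diff.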
@@ -4409,9 +5390,9 @@ interface(`dev_rw_usbfs',`
 	read_lnk_files_pattern($1, usbfs_t, usbfs_t)
 ')
 
-########################################
+######################################
 ## <summary>
-##	Get the attributes of video4linux devices.
+##	Read and write userio device.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -4419,17 +5400,17 @@ interface(`dev_rw_usbfs',`
 ##	</summary>
 ## </param>
 #
-interface(`dev_getattr_video_dev',`
+interface(`dev_rw_userio_dev',`
 	gen_require(`
-		type device_t, v4l_device_t;
+		type device_t, userio_device_t;
 	')
 
-	getattr_chr_files_pattern($1, device_t, v4l_device_t)
+	rw_chr_files_pattern($1, device_t, userio_device_t)
 ')
 
-######################################
+########################################
 ## <summary>
-##	Read and write userio device.
+##	Get the attributes of video4linux devices.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -4437,12 +5418,12 @@ interface(`dev_getattr_video_dev',`
 ##	</summary>
 ## </param>
 #
-interface(`dev_rw_userio_dev',`
+interface(`dev_getattr_video_dev',`
 	gen_require(`
-		type device_t, userio_device_t;
+		type device_t, v4l_device_t;
 	')
 
-	rw_chr_files_pattern($1, device_t, userio_device_t)
+	getattr_chr_files_pattern($1, device_t, v4l_device_t)
 ')
 
 ########################################
@@ -4537,6 +5518,134 @@ interface(`dev_write_video_dev',`
 	write_chr_files_pattern($1, device_t, v4l_device_t)
 ')
 
+########################################
+## <summary>
+##	Get the attributes of vfio devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_getattr_vfio_dev',`
+	gen_require(`
+		type device_t, vfio_device_t;
+	')
+
+	getattr_chr_files_pattern($1, device_t, vfio_device_t)
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to get the attributes
+##	of vfio device nodes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`dev_dontaudit_getattr_vfio_dev',`
+	gen_require(`
+		type vfio_device_t;
+	')
+
+	dontaudit $1 vfio_device_t:chr_file getattr;
+')
+
+########################################
+## <summary>
+##	Set the attributes of vfio device nodes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_setattr_vfio_dev',`
+	gen_require(`
+		type device_t, vfio_device_t;
+	')
+
+	setattr_chr_files_pattern($1, device_t, vfio_device_t)
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to set the attributes
+##	of vfio device nodes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`dev_dontaudit_setattr_vfio_dev',`
+	gen_require(`
+		type vfio_device_t;
+	')
+
+	dontaudit $1 vfio_device_t:chr_file setattr;
+')
+
+########################################
+## <summary>
+##	Read the vfio devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_read_vfio_dev',`
+	gen_require(`
+		type device_t, vfio_device_t;
+	')
+
+	read_chr_files_pattern($1, device_t, vfio_device_t)
+')
+
+########################################
+## <summary>
+##	Write the vfio devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_write_vfio_dev',`
+	gen_require(`
+		type device_t, vfio_device_t;
+	')
+
+	write_chr_files_pattern($1, device_t, vfio_device_t)
+')
+
+########################################
+## <summary>
+##	Read and write the VFIO devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_rw_vfio_dev',`
+	gen_require(`
+		type device_t, vfio_device_t;
+	')
+
+	rw_chr_files_pattern($1, device_t, vfio_device_t)
+')
+
 ########################################
 ## <summary>
 ##	Allow read/write the vhost net device
@@ -4555,6 +5664,24 @@ interface(`dev_rw_vhost',`
 	rw_chr_files_pattern($1, device_t, vhost_device_t)
 ')
 
+########################################
+## <summary>
+##	Allow read/write inheretid the vhost net device
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_rw_inherited_vhost',`
+	gen_require(`
+		type device_t, vhost_device_t;
+	')
+
+	allow $1 vhost_device_t:chr_file rw_inherited_chr_file_perms;
+')
+
 ########################################
 ## <summary>
 ##	Read and write VMWare devices.
@@ -4628,6 +5755,24 @@ interface(`dev_write_watchdog',`
 	write_chr_files_pattern($1, device_t, watchdog_device_t)
 ')
 
+########################################
+## <summary>
+##	RW to watchdog devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_rw_watchdog',`
+	gen_require(`
+		type device_t, watchdog_device_t;
+	')
+
+	rw_chr_files_pattern($1, device_t, watchdog_device_t)
+')
+
 ########################################
 ## <summary>
 ##	Read and write the the wireless device.
@@ -4760,6 +5905,44 @@ interface(`dev_rw_xserver_misc',`
 	rw_chr_files_pattern($1, device_t, xserver_misc_device_t)
 ')
 
+########################################
+## <summary>
+##	Dontaudit attempts to Read and write X server miscellaneous devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`dev_dontaudit_leaked_xserver_misc',`
+	gen_require(`
+		type xserver_misc_device_t;
+	')
+
+	dontaudit $1 xserver_misc_device_t:chr_file { read write };
+')
+
+########################################
+## <summary>
+##	Read and write X server miscellaneous devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_manage_xserver_misc',`
+	gen_require(`
+		type device_t, xserver_misc_device_t;
+	')
+
+	manage_chr_files_pattern($1, device_t, xserver_misc_device_t)
+
+	dev_filetrans_xserver_named_dev($1)
+')
+
 ########################################
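Review bot: dev_dontaudit_leaked_xserver_misc silences `{ read write }` with a summary that says `Dontaudit attempts to Read and write X server miscellaneous devices.`, which neither matches the name nor the file's `Do not audit attempts to ...` wording; suggest `Do not audit attempts to read and write leaked X server miscellaneous device file descriptors.` For consistency with dev_rw_inherited_vhost in this same diff, `rw_inherited_chr_file_perms` would express the leaked-descriptor intent more precisely than the bare read/write pair. The summary of dev_manage_xserver_misc, `Read and write X server miscellaneous devices.`, also understates what is granted, since the body uses manage_chr_files_pattern plus dev_filetrans_xserver_named_dev; suggest `Create, read, write, and delete X server miscellaneous device nodes, with named file transitions in /dev.`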
 ## <summary>
 ##	Read and write to the zero device (/dev/zero).
@@ -4851,3 +6034,1068 @@ interface(`dev_unconfined',`
 
 	typeattribute $1 devices_unconfined_type;
 ')
+
+########################################
+## <summary>
+##	Dontaudit getattr on all device nodes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`dev_dontaudit_getattr_all',`
+	gen_require(`
+		attribute device_node;
+		type device_t;
+	')
+
+	dontaudit $1 { device_t device_node }:dir_file_class_set getattr;
+')
+
+########################################
+## <summary>
+##	Get the attributes of the mei devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_getattr_mei',`
+	gen_require(`
+		type device_t, mei_device_t;
+	')
+
+	getattr_chr_files_pattern($1, device_t, mei_device_t)
+')
+
+########################################
+## <summary>
+##	Read the mei devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_read_mei',`
+	gen_require(`
+		type device_t, mei_device_t;
+	')
+
+	read_chr_files_pattern($1, device_t, mei_device_t)
+')
+
+########################################
+## <summary>
+##	Read and write to mei devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_rw_mei',`
+	gen_require(`
+		type device_t, mei_device_t;
+	')
+
+	rw_chr_files_pattern($1, device_t, mei_device_t)
+')
+
+########################################
+## <summary>
+##	Read and write uhid devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_rw_uhid_dev',`
+	gen_require(`
+		type device_t, uhid_device_t;
+	')
+
+	rw_chr_files_pattern($1, device_t, uhid_device_t)
+')
+
+
+########################################
+## <summary>
+##	Allow read/write the hypervkvp device
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_rw_hypervkvp',`
+	gen_require(`
+		type device_t, hypervkvp_device_t;
+	')
+
+	rw_chr_files_pattern($1, device_t, hypervkvp_device_t)
+')
+
+########################################
+## <summary>
+##	Allow read/write the hypervkvp device
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_read_gpfs',`
+	gen_require(`
+		type device_t, gpfs_device_t;
+	')
+
+	read_chr_files_pattern($1, device_t, gpfs_device_t)
+')
+
+########################################
+## <summary>
+##	Allow read/write the gpiochip device
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_read_gpio',`
+	gen_require(`
+		type device_t, gpio_device_t;
+	')
+
+	read_chr_files_pattern($1, device_t, gpio_device_t)
+')
+
+########################################
+## <summary>
+##	Allow read/write the hypervvssd device
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_rw_hypervvssd',`
+	gen_require(`
+		type device_t, hypervvssd_device_t;
+	')
+
+	rw_chr_files_pattern($1, device_t, hypervvssd_device_t)
+')
+
+########################################
+## <summary>
+##	Create all named devices with the correct label
+## </summary>
+## <param name="domain">
+##	<summary>
+##      Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_filetrans_printer_named_dev',`
+
+	gen_require(`
+		type printer_device_t;
+
+	')
+	filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt0")
+	filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt1")
+	filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt2")
+	filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt3")
+	filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt4")
+	filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt5")
+	filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt6")
+	filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt7")
+	filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt8")
+	filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt9")
+	filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp0")
+	filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp1")
+	filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp2")
+	filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp3")
+	filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp4")
+	filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp5")
+	filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp6")
+	filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp7")
+	filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp8")
+	filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp9")
+	filetrans_pattern($1, device_t, printer_device_t, chr_file, "par0")
+	filetrans_pattern($1, device_t, printer_device_t, chr_file, "par1")
+	filetrans_pattern($1, device_t, printer_device_t, chr_file, "par2")
+	filetrans_pattern($1, device_t, printer_device_t, chr_file, "par3")
+	filetrans_pattern($1, device_t, printer_device_t, chr_file, "par4")
+	filetrans_pattern($1, device_t, printer_device_t, chr_file, "par5")
+	filetrans_pattern($1, device_t, printer_device_t, chr_file, "par6")
+	filetrans_pattern($1, device_t, printer_device_t, chr_file, "par7")
+	filetrans_pattern($1, device_t, printer_device_t, chr_file, "par8")
+	filetrans_pattern($1, device_t, printer_device_t, chr_file, "par9")
+	filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp0")
+	filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp1")
+	filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp2")
+	filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp3")
+	filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp4")
+	filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp5")
+	filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp6")
+	filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp7")
+	filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp8")
+	filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp9")
+')
+
+########################################
+## <summary>
+##	Create all named devices with the correct label
+## </summary>
+## <param name="domain">
+##	<summary>
+##      Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_filetrans_all_named_dev',`
+
+gen_require(`
+	type device_t;
+	type usb_device_t;
+    type uhid_device_t;
+	type sound_device_t;
+	type apm_bios_t;
+	type mouse_device_t;
+	type autofs_device_t;
+	type lvm_control_t;
+	type crash_device_t;
+	type dlm_control_device_t;
+	type clock_device_t;
+	type v4l_device_t;
+	type vsock_device_t;
+	type vmci_device_t;
+	type vfio_device_t;
+	type event_device_t;
+	type xen_device_t;
+	type framebuf_device_t;
+	type null_device_t;
+	type random_device_t;
+	type dri_device_t;
+	type hsa_device_t;
+	type ipmi_device_t;
+	type memory_device_t;
+	type kmsg_device_t;
+	type qemu_device_t;
+	type ksm_device_t;
+	type kvm_device_t;
+	type lirc_device_t;
+	type cpu_device_t;
+	type scanner_device_t;
+	type modem_device_t;
+    type monitor_device_t;
+	type vhost_device_t;
+	type netcontrol_device_t;
+	type nvram_device_t;
+	type power_device_t;
+	type wireless_device_t;
+	type tpm_device_t;
+	type userio_device_t;
+	type urandom_device_t;
+	type usbmon_device_t;
+	type vmware_device_t;
+	type watchdog_device_t;
+	type crypt_device_t;
+	type zero_device_t;
+	type smartcard_device_t;
+	type mtrr_device_t;
+	type ecryptfs_device_t;
+    type mptctl_device_t;
+    type hypervkvp_device_t;
+    type hypervvssd_device_t;
+    type gpfs_device_t;
+    type gpio_device_t;
+')
+
+	dev_filetrans_printer_named_dev($1)
+	filetrans_pattern($1, device_t, sound_device_t, chr_file, "admmidi0")
+	filetrans_pattern($1, device_t, sound_device_t, chr_file, "admmidi1")
+	filetrans_pattern($1, device_t, sound_device_t, chr_file, "admmidi2")
+	filetrans_pattern($1, device_t, sound_device_t, chr_file, "admmidi3")
+	filetrans_pattern($1, device_t, sound_device_t, chr_file, "admmidi4")
+	filetrans_pattern($1, device_t, sound_device_t, chr_file, "admmidi5")
+	filetrans_pattern($1, device_t, sound_device_t, chr_file, "admmidi6")
+	filetrans_pattern($1, device_t, sound_device_t, chr_file, "admmidi7")
+	filetrans_pattern($1, device_t, sound_device_t, chr_file, "admmidi8")
+	filetrans_pattern($1, device_t, sound_device_t, chr_file, "admmidi9")
+	filetrans_pattern($1, device_t, sound_device_t, chr_file, "adsp0")
+	filetrans_pattern($1, device_t, sound_device_t, chr_file, "adsp1")
+	filetrans_pattern($1, device_t, sound_device_t, chr_file, "adsp2")
+	filetrans_pattern($1, device_t, sound_device_t, chr_file, "adsp3")
+	filetrans_pattern($1, device_t, sound_device_t, chr_file, "adsp4")
+	filetrans_pattern($1, device_t, sound_device_t, chr_file, "adsp5")
+	filetrans_pattern($1, device_t, sound_device_t, chr_file, "adsp6")
+	filetrans_pattern($1, device_t, sound_device_t, chr_file, "adsp7")
+	filetrans_pattern($1, device_t, sound_device_t, chr_file, "adsp8")
+	filetrans_pattern($1, device_t, sound_device_t, chr_file, "adsp9")
+	filetrans_pattern($1, device_t, sound_device_t, chr_file, "aload0")
+	filetrans_pattern($1, device_t, sound_device_t, chr_file, "aload1")
+	filetrans_pattern($1, device_t, sound_device_t, chr_file, "aload2")
+	filetrans_pattern($1, device_t, sound_device_t, chr_file, "aload3")
+	filetrans_pattern($1, device_t, sound_device_t, chr_file, "aload4")
+	filetrans_pattern($1, device_t, sound_device_t, chr_file, "aload5")
+	filetrans_pattern($1, device_t, sound_device_t, chr_file, "aload6")
+	filetrans_pattern($1, device_t, sound_device_t, chr_file, "aload7")
+	filetrans_pattern($1, device_t, sound_device_t, chr_file, "aload8")
+	filetrans_pattern($1, device_t, sound_device_t, chr_file, "aload9")
+	filetrans_pattern($1, device_t, sound_device_t, chr_file, "amidi0")
+	filetrans_pattern($1, device_t, sound_device_t, chr_file, "amidi1")
+	filetrans_pattern($1, device_t, sound_device_t, chr_file, "amidi2")
+	filetrans_pattern($1, device_t, sound_device_t, chr_file, "amidi3")
+	filetrans_pattern($1, device_t, sound_device_t, chr_file, "amidi4")
+	filetrans_pattern($1, device_t, sound_device_t, chr_file, "amidi5")
+	filetrans_pattern($1, device_t, sound_device_t, chr_file, "amidi6")
+	filetrans_pattern($1, device_t, sound_device_t, chr_file, "amidi7")
+	filetrans_pattern($1, device_t, sound_device_t, chr_file, "amidi8")
+	filetrans_pattern($1, device_t, sound_device_t, chr_file, "amidi9")
+	filetrans_pattern($1, device_t, sound_device_t, chr_file, "amixer0")
+	filetrans_pattern($1, device_t, sound_device_t, chr_file, "amixer1")
+	filetrans_pattern($1, device_t, sound_device_t, chr_file, "amixer2")
+	filetrans_pattern($1, device_t, sound_device_t, chr_file, "amixer3")
+	filetrans_pattern($1, device_t, sound_device_t, chr_file, "amixer4")
+	filetrans_pattern($1, device_t, sound_device_t, chr_file, "amixer5")
+	filetrans_pattern($1, device_t, sound_device_t, chr_file, "amixer6")
+	filetrans_pattern($1, device_t, sound_device_t, chr_file, "amixer7")
+	filetrans_pattern($1, device_t, sound_device_t, chr_file, "amixer8")
+	filetrans_pattern($1, device_t, sound_device_t, chr_file, "amixer9")
+	filetrans_pattern($1, device_t, apm_bios_t, chr_file, "apm_bios")
+	filetrans_pattern($1, device_t, mouse_device_t, chr_file, "atibm")
+	filetrans_pattern($1, device_t, sound_device_t, chr_file, "audio0")
+	filetrans_pattern($1, device_t, sound_device_t, chr_file, "audio1")
+	filetrans_pattern($1, device_t, sound_device_t, chr_file, "audio2")
+	filetrans_pattern($1, device_t, sound_device_t, chr_file, "audio3")
+	filetrans_pattern($1, device_t, sound_device_t, chr_file, "audio4")
+	filetrans_pattern($1, device_t, sound_device_t, chr_file, "audio5")
+	filetrans_pattern($1, device_t, sound_device_t, chr_file, "audio6")
+	filetrans_pattern($1, device_t, sound_device_t, chr_file, "audio7")
+	filetrans_pattern($1, device_t, sound_device_t, chr_file, "audio8")
+	filetrans_pattern($1, device_t, sound_device_t, chr_file, "audio9")
+	filetrans_pattern($1, device_t, ecryptfs_device_t, chr_file, "ecryptfs")
+	filetrans_pattern($1, device_t, autofs_device_t, chr_file, "autofs0")
+	filetrans_pattern($1, device_t, autofs_device_t, chr_file, "autofs1")
+	filetrans_pattern($1, device_t, autofs_device_t, chr_file, "autofs2")
+	filetrans_pattern($1, device_t, autofs_device_t, chr_file, "autofs3")
+	filetrans_pattern($1, device_t, autofs_device_t, chr_file, "autofs4")
+	filetrans_pattern($1, device_t, autofs_device_t, chr_file, "autofs5")
+	filetrans_pattern($1, device_t, autofs_device_t, chr_file, "autofs6")
+	filetrans_pattern($1, device_t, autofs_device_t, chr_file, "autofs7")
+	filetrans_pattern($1, device_t, autofs_device_t, chr_file, "autofs8")
+	filetrans_pattern($1, device_t, autofs_device_t, chr_file, "autofs9")
+	filetrans_pattern($1, device_t, sound_device_t, chr_file, "beep")
+	filetrans_pattern($1, device_t, lvm_control_t, chr_file, "btrfs-control")
+	filetrans_pattern($1, device_t, crash_device_t, chr_file, "crash")
+	filetrans_pattern($1, device_t, dlm_control_device_t, chr_file, "dlm0")
+	filetrans_pattern($1, device_t, dlm_control_device_t, chr_file, "dlm1")
+	filetrans_pattern($1, device_t, dlm_control_device_t, chr_file, "dlm2")
+	filetrans_pattern($1, device_t, dlm_control_device_t, chr_file, "dlm3")
+	filetrans_pattern($1, device_t, dlm_control_device_t, chr_file, "dlm4")
+	filetrans_pattern($1, device_t, dlm_control_device_t, chr_file, "dlm5")
+	filetrans_pattern($1, device_t, dlm_control_device_t, chr_file, "dlm6")
+	filetrans_pattern($1, device_t, dlm_control_device_t, chr_file, "dlm7")
+	filetrans_pattern($1, device_t, dlm_control_device_t, chr_file, "dlm8")
+	filetrans_pattern($1, device_t, dlm_control_device_t, chr_file, "dlm9")
+	filetrans_pattern($1, device_t, sound_device_t, chr_file, "dmfm")
+	filetrans_pattern($1, device_t, sound_device_t, chr_file, "dmmidi0")
+	filetrans_pattern($1, device_t, sound_device_t, chr_file, "dmmidi1")
+	filetrans_pattern($1, device_t, sound_device_t, chr_file, "dmmidi2")
+	filetrans_pattern($1, device_t, sound_device_t, chr_file, "dmmidi3")
+	filetrans_pattern($1, device_t, sound_device_t, chr_file, "dmmidi4")
+	filetrans_pattern($1, device_t, sound_device_t, chr_file, "dmmidi5")
+	filetrans_pattern($1, device_t, sound_device_t, chr_file, "dmmidi6")
+	filetrans_pattern($1, device_t, sound_device_t, chr_file, "dmmidi7")
+	filetrans_pattern($1, device_t, sound_device_t, chr_file, "dmmidi8")
+	filetrans_pattern($1, device_t, sound_device_t, chr_file, "dmmidi9")
+	filetrans_pattern($1, device_t, sound_device_t, chr_file, "dsp0")
+	filetrans_pattern($1, device_t, sound_device_t, chr_file, "dsp1")
+	filetrans_pattern($1, device_t, sound_device_t, chr_file, "dsp2")
+	filetrans_pattern($1, device_t, sound_device_t, chr_file, "dsp3")
+	filetrans_pattern($1, device_t, sound_device_t, chr_file, "dsp4")
+	filetrans_pattern($1, device_t, sound_device_t, chr_file, "dsp5")
+	filetrans_pattern($1, device_t, sound_device_t, chr_file, "dsp6")
+	filetrans_pattern($1, device_t, sound_device_t, chr_file, "dsp7")
+	filetrans_pattern($1, device_t, sound_device_t, chr_file, "dsp8")
+	filetrans_pattern($1, device_t, sound_device_t, chr_file, "dsp9")
+	filetrans_pattern($1, device_t, clock_device_t, chr_file, "efirtc")
+	filetrans_pattern($1, device_t, clock_device_t, chr_file, "ptp0")
+	filetrans_pattern($1, device_t, clock_device_t, chr_file, "ptp1")
+	filetrans_pattern($1, device_t, clock_device_t, chr_file, "ptp2")
+	filetrans_pattern($1, device_t, clock_device_t, chr_file, "ptp3")
+	filetrans_pattern($1, device_t, mouse_device_t, chr_file, "e2201")
+	filetrans_pattern($1, device_t, vfio_device_t, chr_file, "vfio")
+	filetrans_pattern($1, device_t, v4l_device_t, chr_file, "em83000")
+	filetrans_pattern($1, device_t, v4l_device_t, chr_file, "em83001")
+	filetrans_pattern($1, device_t, v4l_device_t, chr_file, "em83002")
+	filetrans_pattern($1, device_t, v4l_device_t, chr_file, "em83003")
+	filetrans_pattern($1, device_t, v4l_device_t, chr_file, "em83004")
+	filetrans_pattern($1, device_t, v4l_device_t, chr_file, "em83005")
+	filetrans_pattern($1, device_t, v4l_device_t, chr_file, "em83006")
+	filetrans_pattern($1, device_t, v4l_device_t, chr_file, "em83007")
+	filetrans_pattern($1, device_t, v4l_device_t, chr_file, "em83008")
+	filetrans_pattern($1, device_t, v4l_device_t, chr_file, "em83009")
+	filetrans_pattern($1, device_t, vsock_device_t, chr_file, "vsock")
+	filetrans_pattern($1, device_t, vmci_device_t, chr_file, "vmci")
+	filetrans_pattern($1, device_t, event_device_t, chr_file, "event0")
+	filetrans_pattern($1, device_t, event_device_t, chr_file, "event1")
+	filetrans_pattern($1, device_t, event_device_t, chr_file, "event2")
+	filetrans_pattern($1, device_t, event_device_t, chr_file, "event3")
+	filetrans_pattern($1, device_t, event_device_t, chr_file, "event4")
+	filetrans_pattern($1, device_t, event_device_t, chr_file, "event5")
+	filetrans_pattern($1, device_t, event_device_t, chr_file, "event6")
+	filetrans_pattern($1, device_t, event_device_t, chr_file, "event7")
+	filetrans_pattern($1, device_t, event_device_t, chr_file, "event8")
+	filetrans_pattern($1, device_t, event_device_t, chr_file, "event9")
+	filetrans_pattern($1, device_t, event_device_t, chr_file, "event10")
+	filetrans_pattern($1, device_t, event_device_t, chr_file, "event11")
+	filetrans_pattern($1, device_t, event_device_t, chr_file, "event12")
+	filetrans_pattern($1, device_t, event_device_t, chr_file, "event13")
+	filetrans_pattern($1, device_t, event_device_t, chr_file, "event14")
+	filetrans_pattern($1, device_t, event_device_t, chr_file, "event15")
+	filetrans_pattern($1, device_t, event_device_t, chr_file, "event16")
+	filetrans_pattern($1, device_t, event_device_t, chr_file, "event17")
+	filetrans_pattern($1, device_t, event_device_t, chr_file, "event18")
+	filetrans_pattern($1, device_t, event_device_t, chr_file, "event19")
+	filetrans_pattern($1, device_t, event_device_t, chr_file, "event20")
+	filetrans_pattern($1, device_t, event_device_t, chr_file, "event21")
+	filetrans_pattern($1, device_t, xen_device_t, chr_file, "evtchn")
+	filetrans_pattern($1, device_t, framebuf_device_t, chr_file, "fb0")
+	filetrans_pattern($1, device_t, framebuf_device_t, chr_file, "fb1")
+	filetrans_pattern($1, device_t, framebuf_device_t, chr_file, "fb2")
+	filetrans_pattern($1, device_t, framebuf_device_t, chr_file, "fb3")
+	filetrans_pattern($1, device_t, framebuf_device_t, chr_file, "fb4")
+	filetrans_pattern($1, device_t, framebuf_device_t, chr_file, "fb5")
+	filetrans_pattern($1, device_t, framebuf_device_t, chr_file, "fb6")
+	filetrans_pattern($1, device_t, framebuf_device_t, chr_file, "fb7")
+	filetrans_pattern($1, device_t, framebuf_device_t, chr_file, "fb8")
+	filetrans_pattern($1, device_t, framebuf_device_t, chr_file, "fb9")
+	filetrans_pattern($1, device_t, null_device_t, chr_file, "full")
+	filetrans_pattern($1, device_t, usb_device_t, chr_file, "fw0")
+	filetrans_pattern($1, device_t, usb_device_t, chr_file, "fw1")
+	filetrans_pattern($1, device_t, usb_device_t, chr_file, "fw2")
+	filetrans_pattern($1, device_t, usb_device_t, chr_file, "fw3")
+	filetrans_pattern($1, device_t, usb_device_t, chr_file, "fw4")
+	filetrans_pattern($1, device_t, usb_device_t, chr_file, "fw5")
+	filetrans_pattern($1, device_t, usb_device_t, chr_file, "fw6")
+	filetrans_pattern($1, device_t, usb_device_t, chr_file, "fw7")
+	filetrans_pattern($1, device_t, usb_device_t, chr_file, "fw8")
+	filetrans_pattern($1, device_t, usb_device_t, chr_file, "fw9")
+	filetrans_pattern($1, device_t, usb_device_t, chr_file, "000")
+	filetrans_pattern($1, device_t, usb_device_t, chr_file, "001")
+	filetrans_pattern($1, device_t, usb_device_t, chr_file, "002")
+	filetrans_pattern($1, device_t, usb_device_t, chr_file, "003")
+	filetrans_pattern($1, device_t, usb_device_t, chr_file, "004")
+	filetrans_pattern($1, device_t, usb_device_t, chr_file, "005")
+	filetrans_pattern($1, device_t, usb_device_t, chr_file, "006")
+	filetrans_pattern($1, device_t, usb_device_t, chr_file, "007")
+	filetrans_pattern($1, device_t, usb_device_t, chr_file, "008")
+	filetrans_pattern($1, device_t, usb_device_t, chr_file, "009")
+	filetrans_pattern($1, device_t, usb_device_t, chr_file, "010")
+	filetrans_pattern($1, device_t, usb_device_t, chr_file, "011")
+	filetrans_pattern($1, device_t, usb_device_t, chr_file, "012")
+	filetrans_pattern($1, device_t, usb_device_t, chr_file, "013")
+	filetrans_pattern($1, device_t, usb_device_t, chr_file, "014")
+	filetrans_pattern($1, device_t, usb_device_t, chr_file, "015")
+	filetrans_pattern($1, device_t, usb_device_t, chr_file, "016")
+	filetrans_pattern($1, device_t, usb_device_t, chr_file, "017")
+	filetrans_pattern($1, device_t, usb_device_t, chr_file, "018")
+	filetrans_pattern($1, device_t, usb_device_t, chr_file, "019")
+	filetrans_pattern($1, device_t, usb_device_t, chr_file, "020")
+	filetrans_pattern($1, device_t, usb_device_t, chr_file, "021")
+	filetrans_pattern($1, device_t, usb_device_t, chr_file, "022")
+	filetrans_pattern($1, device_t, usb_device_t, chr_file, "023")
+	filetrans_pattern($1, device_t, usb_device_t, chr_file, "024")
+	filetrans_pattern($1, device_t, usb_device_t, chr_file, "025")
+	filetrans_pattern($1, device_t, usb_device_t, chr_file, "026")
+	filetrans_pattern($1, device_t, usb_device_t, chr_file, "027")
+	filetrans_pattern($1, device_t, usb_device_t, chr_file, "028")
+	filetrans_pattern($1, device_t, usb_device_t, chr_file, "029")
+	filetrans_pattern($1, device_t, clock_device_t, chr_file, "gtrsc0")
+	filetrans_pattern($1, device_t, clock_device_t, chr_file, "gtrsc1")
+	filetrans_pattern($1, device_t, clock_device_t, chr_file, "gtrsc2")
+	filetrans_pattern($1, device_t, clock_device_t, chr_file, "gtrsc3")
+	filetrans_pattern($1, device_t, clock_device_t, chr_file, "gtrsc4")
+	filetrans_pattern($1, device_t, clock_device_t, chr_file, "gtrsc5")
+	filetrans_pattern($1, device_t, clock_device_t, chr_file, "gtrsc6")
+	filetrans_pattern($1, device_t, clock_device_t, chr_file, "gtrsc7")
+	filetrans_pattern($1, device_t, clock_device_t, chr_file, "gtrsc8")
+	filetrans_pattern($1, device_t, clock_device_t, chr_file, "gtrsc9")
+	filetrans_pattern($1, device_t, sound_device_t, chr_file, "hfmodem")
+	filetrans_pattern($1, device_t, usb_device_t, chr_file, "hiddev0")
+	filetrans_pattern($1, device_t, usb_device_t, chr_file, "hiddev1")
+	filetrans_pattern($1, device_t, usb_device_t, chr_file, "hiddev2")
+	filetrans_pattern($1, device_t, usb_device_t, chr_file, "hiddev3")
+	filetrans_pattern($1, device_t, usb_device_t, chr_file, "hiddev4")
+	filetrans_pattern($1, device_t, usb_device_t, chr_file, "hiddev5")
+	filetrans_pattern($1, device_t, usb_device_t, chr_file, "hiddev6")
+	filetrans_pattern($1, device_t, usb_device_t, chr_file, "hiddev7")
+	filetrans_pattern($1, device_t, usb_device_t, chr_file, "hiddev8")
+	filetrans_pattern($1, device_t, usb_device_t, chr_file, "hiddev9")
+	filetrans_pattern($1, device_t, usb_device_t, chr_file, "hidraw0")
+	filetrans_pattern($1, device_t, usb_device_t, chr_file, "hidraw1")
+	filetrans_pattern($1, device_t, usb_device_t, chr_file, "hidraw2")
+	filetrans_pattern($1, device_t, usb_device_t, chr_file, "hidraw3")
+	filetrans_pattern($1, device_t, usb_device_t, chr_file, "hidraw4")
+	filetrans_pattern($1, device_t, usb_device_t, chr_file, "hidraw5")
+	filetrans_pattern($1, device_t, usb_device_t, chr_file, "hidraw6")
+	filetrans_pattern($1, device_t, usb_device_t, chr_file, "hidraw7")
+	filetrans_pattern($1, device_t, usb_device_t, chr_file, "hidraw8")
+	filetrans_pattern($1, device_t, usb_device_t, chr_file, "hidraw9")
+	filetrans_pattern($1, device_t, clock_device_t, chr_file, "hpet")
+	filetrans_pattern($1, device_t, random_device_t, chr_file, "hw_random")
+	filetrans_pattern($1, device_t, random_device_t, chr_file, "hwrng")
+	filetrans_pattern($1, device_t, dri_device_t, chr_file, "i915")
+	filetrans_pattern($1, device_t, hsa_device_t, chr_file, "kfd")
+	filetrans_pattern($1, device_t, mouse_device_t, chr_file, "inportbm")
+	filetrans_pattern($1, device_t, ipmi_device_t, chr_file, "ipmi0")
+	filetrans_pattern($1, device_t, ipmi_device_t, chr_file, "ipmi1")
+	filetrans_pattern($1, device_t, ipmi_device_t, chr_file, "ipmi2")
+	filetrans_pattern($1, device_t, ipmi_device_t, chr_file, "ipmi3")
+	filetrans_pattern($1, device_t, ipmi_device_t, chr_file, "ipmi4")
+	filetrans_pattern($1, device_t, ipmi_device_t, chr_file, "ipmi5")
+	filetrans_pattern($1, device_t, ipmi_device_t, chr_file, "ipmi6")
+	filetrans_pattern($1, device_t, ipmi_device_t, chr_file, "ipmi7")
+	filetrans_pattern($1, device_t, ipmi_device_t, chr_file, "ipmi8")
+	filetrans_pattern($1, device_t, ipmi_device_t, chr_file, "ipmi9")
+	filetrans_pattern($1, device_t, mouse_device_t, chr_file, "jbm")
+	filetrans_pattern($1, device_t, mouse_device_t, chr_file, "js0")
+	filetrans_pattern($1, device_t, mouse_device_t, chr_file, "js1")
+	filetrans_pattern($1, device_t, mouse_device_t, chr_file, "js2")
+	filetrans_pattern($1, device_t, mouse_device_t, chr_file, "js3")
+	filetrans_pattern($1, device_t, mouse_device_t, chr_file, "js4")
+	filetrans_pattern($1, device_t, mouse_device_t, chr_file, "js5")
+	filetrans_pattern($1, device_t, mouse_device_t, chr_file, "js6")
+	filetrans_pattern($1, device_t, mouse_device_t, chr_file, "js7")
+	filetrans_pattern($1, device_t, mouse_device_t, chr_file, "js8")
+	filetrans_pattern($1, device_t, mouse_device_t, chr_file, "js9")
+	filetrans_pattern($1, device_t, mouse_device_t, chr_file, "mouse0")
+	filetrans_pattern($1, device_t, mouse_device_t, chr_file, "mouse1")
+	filetrans_pattern($1, device_t, mouse_device_t, chr_file, "mouse2")
+	filetrans_pattern($1, device_t, mouse_device_t, chr_file, "mouse3")
+	filetrans_pattern($1, device_t, mouse_device_t, chr_file, "mouse4")
+	filetrans_pattern($1, device_t, mouse_device_t, chr_file, "mouse5")
+	filetrans_pattern($1, device_t, mouse_device_t, chr_file, "mouse6")
+	filetrans_pattern($1, device_t, mouse_device_t, chr_file, "mouse7")
+	filetrans_pattern($1, device_t, mouse_device_t, chr_file, "mouse8")
+	filetrans_pattern($1, device_t, mouse_device_t, chr_file, "mouse9")
+	filetrans_pattern($1, device_t, memory_device_t, chr_file, "kmem")
+	filetrans_pattern($1, device_t, mptctl_device_t, chr_file, "mptctl")
+	filetrans_pattern($1, device_t, mptctl_device_t, chr_file, "mpt0ctl")
+	filetrans_pattern($1, device_t, mptctl_device_t, chr_file, "mpt1ctl")
+	filetrans_pattern($1, device_t, mptctl_device_t, chr_file, "mpt2ctl")
+	filetrans_pattern($1, device_t, mptctl_device_t, chr_file, "mpt3ctl")
+	filetrans_pattern($1, device_t, mptctl_device_t, chr_file, "mpt4ctl")
+	filetrans_pattern($1, device_t, mptctl_device_t, chr_file, "mpt5ctl")
+	filetrans_pattern($1, device_t, mptctl_device_t, chr_file, "mpt6ctl")
+	filetrans_pattern($1, device_t, mptctl_device_t, chr_file, "mpt7ctl")
+	filetrans_pattern($1, device_t, mptctl_device_t, chr_file, "mpt8ctl")
+	filetrans_pattern($1, device_t, mptctl_device_t, chr_file, "mpt9ctl")
+	filetrans_pattern($1, device_t, kmsg_device_t, chr_file, "kmsg")
+	filetrans_pattern($1, device_t, qemu_device_t, chr_file, "kqemu")
+	filetrans_pattern($1, device_t, ksm_device_t, chr_file, "ksm")
+	filetrans_pattern($1, device_t, kvm_device_t, chr_file, "kvm")
+	filetrans_pattern($1, device_t, event_device_t, chr_file, "lik0")
+	filetrans_pattern($1, device_t, event_device_t, chr_file, "lik1")
+	filetrans_pattern($1, device_t, event_device_t, chr_file, "lik2")
+	filetrans_pattern($1, device_t, event_device_t, chr_file, "lik3")
+	filetrans_pattern($1, device_t, event_device_t, chr_file, "lik4")
+	filetrans_pattern($1, device_t, event_device_t, chr_file, "lik5")
+	filetrans_pattern($1, device_t, event_device_t, chr_file, "lik6")
+	filetrans_pattern($1, device_t, event_device_t, chr_file, "lik7")
+	filetrans_pattern($1, device_t, event_device_t, chr_file, "lik8")
+	filetrans_pattern($1, device_t, event_device_t, chr_file, "lik9")
+	filetrans_pattern($1, device_t, lirc_device_t, chr_file, "lirc0")
+	filetrans_pattern($1, device_t, lirc_device_t, chr_file, "lirc1")
+	filetrans_pattern($1, device_t, lirc_device_t, chr_file, "lirc2")
+	filetrans_pattern($1, device_t, lirc_device_t, chr_file, "lirc3")
+	filetrans_pattern($1, device_t, lirc_device_t, chr_file, "lirc4")
+	filetrans_pattern($1, device_t, lirc_device_t, chr_file, "lirc5")
+	filetrans_pattern($1, device_t, lirc_device_t, chr_file, "lirc6")
+	filetrans_pattern($1, device_t, lirc_device_t, chr_file, "lirc7")
+	filetrans_pattern($1, device_t, lirc_device_t, chr_file, "lirc8")
+	filetrans_pattern($1, device_t, lirc_device_t, chr_file, "lirc9")
+	filetrans_pattern($1, device_t, mouse_device_t, chr_file, "lircm")
+	filetrans_pattern($1, device_t, mouse_device_t, chr_file, "logibm")
+	filetrans_pattern($1, device_t, kmsg_device_t, chr_file, "mcelog")
+	filetrans_pattern($1, device_t, memory_device_t, chr_file, "mem")
+	filetrans_pattern($1, device_t, memory_device_t, chr_file, "mergemem")
+	filetrans_pattern($1, device_t, mouse_device_t, chr_file, "mice")
+	filetrans_pattern($1, device_t, cpu_device_t, chr_file, "microcode")
+	filetrans_pattern($1, device_t, sound_device_t, chr_file, "midi0")
+	filetrans_pattern($1, device_t, sound_device_t, chr_file, "midi1")
+	filetrans_pattern($1, device_t, sound_device_t, chr_file, "midi2")
+	filetrans_pattern($1, device_t, sound_device_t, chr_file, "midi3")
+	filetrans_pattern($1, device_t, sound_device_t, chr_file, "midi4")
+	filetrans_pattern($1, device_t, sound_device_t, chr_file, "midi5")
+	filetrans_pattern($1, device_t, sound_device_t, chr_file, "midi6")
+	filetrans_pattern($1, device_t, sound_device_t, chr_file, "midi7")
+	filetrans_pattern($1, device_t, sound_device_t, chr_file, "midi8")
+	filetrans_pattern($1, device_t, sound_device_t, chr_file, "midi9")
+	filetrans_pattern($1, device_t, sound_device_t, chr_file, "mixer0")
+	filetrans_pattern($1, device_t, sound_device_t, chr_file, "mixer1")
+	filetrans_pattern($1, device_t, sound_device_t, chr_file, "mixer2")
+	filetrans_pattern($1, device_t, sound_device_t, chr_file, "mixer3")
+	filetrans_pattern($1, device_t, sound_device_t, chr_file, "mixer4")
+	filetrans_pattern($1, device_t, sound_device_t, chr_file, "mixer5")
+	filetrans_pattern($1, device_t, sound_device_t, chr_file, "mixer6")
+	filetrans_pattern($1, device_t, sound_device_t, chr_file, "mixer7")
+	filetrans_pattern($1, device_t, sound_device_t, chr_file, "mixer8")
+	filetrans_pattern($1, device_t, sound_device_t, chr_file, "mixer9")
+	filetrans_pattern($1, device_t, scanner_device_t, chr_file, "mmetfgrab")
+	filetrans_pattern($1, device_t, modem_device_t, chr_file, "modem")
+	filetrans_pattern($1, device_t, monitor_device_t, chr_file, "monwriter")
+	filetrans_pattern($1, device_t, sound_device_t, chr_file, "mpu4010")
+	filetrans_pattern($1, device_t, sound_device_t, chr_file, "mpu4011")
+	filetrans_pattern($1, device_t, sound_device_t, chr_file, "mpu4012")
+	filetrans_pattern($1, device_t, sound_device_t, chr_file, "mpu4013")
+	filetrans_pattern($1, device_t, sound_device_t, chr_file, "mpu4014")
+	filetrans_pattern($1, device_t, sound_device_t, chr_file, "mpu4015")
+	filetrans_pattern($1, device_t, sound_device_t, chr_file, "mpu4016")
+	filetrans_pattern($1, device_t, sound_device_t, chr_file, "mpu4017")
+	filetrans_pattern($1, device_t, sound_device_t, chr_file, "mpu4018")
+	filetrans_pattern($1, device_t, sound_device_t, chr_file, "mpu4019")
+	filetrans_pattern($1, device_t, cpu_device_t, chr_file, "msr0")
+	filetrans_pattern($1, device_t, cpu_device_t, chr_file, "msr1")
+	filetrans_pattern($1, device_t, cpu_device_t, chr_file, "msr2")
+	filetrans_pattern($1, device_t, cpu_device_t, chr_file, "msr3")
+	filetrans_pattern($1, device_t, cpu_device_t, chr_file, "msr4")
+	filetrans_pattern($1, device_t, cpu_device_t, chr_file, "msr5")
+	filetrans_pattern($1, device_t, cpu_device_t, chr_file, "msr6")
+	filetrans_pattern($1, device_t, cpu_device_t, chr_file, "msr7")
+	filetrans_pattern($1, device_t, cpu_device_t, chr_file, "msr8")
+	filetrans_pattern($1, device_t, cpu_device_t, chr_file, "msr9")
+	filetrans_pattern($1, device_t, vhost_device_t, chr_file, "vhost")
+	filetrans_pattern($1, device_t, netcontrol_device_t, chr_file, "network_latency")
+	filetrans_pattern($1, device_t, netcontrol_device_t, chr_file, "network_throughput")
+	filetrans_pattern($1, device_t, modem_device_t, chr_file, "noz0")
+	filetrans_pattern($1, device_t, modem_device_t, chr_file, "noz1")
+	filetrans_pattern($1, device_t, modem_device_t, chr_file, "noz2")
+	filetrans_pattern($1, device_t, modem_device_t, chr_file, "noz3")
+	filetrans_pattern($1, device_t, modem_device_t, chr_file, "noz4")
+	filetrans_pattern($1, device_t, modem_device_t, chr_file, "noz5")
+	filetrans_pattern($1, device_t, modem_device_t, chr_file, "noz6")
+	filetrans_pattern($1, device_t, modem_device_t, chr_file, "noz7")
+	filetrans_pattern($1, device_t, modem_device_t, chr_file, "noz8")
+	filetrans_pattern($1, device_t, modem_device_t, chr_file, "noz9")
+	filetrans_pattern($1, device_t, null_device_t, chr_file, "null")
+	filetrans_pattern($1, device_t, nvram_device_t, chr_file, "nvram")
+	filetrans_pattern($1, device_t, memory_device_t, chr_file, "oldmem")
+	filetrans_pattern($1, device_t, mouse_device_t, chr_file, "pc110pad")
+	filetrans_pattern($1, device_t, clock_device_t, chr_file, "pcfclock0")
+	filetrans_pattern($1, device_t, clock_device_t, chr_file, "pcfclock1")
+	filetrans_pattern($1, device_t, clock_device_t, chr_file, "pcfclock2")
+	filetrans_pattern($1, device_t, clock_device_t, chr_file, "pcfclock3")
+	filetrans_pattern($1, device_t, clock_device_t, chr_file, "pcfclock4")
+	filetrans_pattern($1, device_t, clock_device_t, chr_file, "pcfclock5")
+	filetrans_pattern($1, device_t, clock_device_t, chr_file, "pcfclock6")
+	filetrans_pattern($1, device_t, clock_device_t, chr_file, "pcfclock7")
+	filetrans_pattern($1, device_t, clock_device_t, chr_file, "pcfclock8")
+	filetrans_pattern($1, device_t, clock_device_t, chr_file, "pcfclock9")
+	filetrans_pattern($1, device_t, power_device_t, chr_file, "pmu")
+	filetrans_pattern($1, device_t, memory_device_t, chr_file, "port")
+	filetrans_pattern($1, device_t, clock_device_t, chr_file, "pps0")
+	filetrans_pattern($1, device_t, clock_device_t, chr_file, "pps1")
+	filetrans_pattern($1, device_t, clock_device_t, chr_file, "pps2")
+	filetrans_pattern($1, device_t, clock_device_t, chr_file, "pps3")
+	filetrans_pattern($1, device_t, clock_device_t, chr_file, "pps4")
+	filetrans_pattern($1, device_t, clock_device_t, chr_file, "pps5")
+	filetrans_pattern($1, device_t, clock_device_t, chr_file, "pps6")
+	filetrans_pattern($1, device_t, clock_device_t, chr_file, "pps7")
+	filetrans_pattern($1, device_t, clock_device_t, chr_file, "pps8")
+	filetrans_pattern($1, device_t, clock_device_t, chr_file, "pps9")
+	filetrans_pattern($1, device_t, sound_device_t, chr_file, "rmidi0")
+	filetrans_pattern($1, device_t, sound_device_t, chr_file, "rmidi1")
+	filetrans_pattern($1, device_t, sound_device_t, chr_file, "rmidi2")
+	filetrans_pattern($1, device_t, sound_device_t, chr_file, "rmidi3")
+	filetrans_pattern($1, device_t, sound_device_t, chr_file, "rmidi4")
+	filetrans_pattern($1, device_t, sound_device_t, chr_file, "rmidi5")
+	filetrans_pattern($1, device_t, sound_device_t, chr_file, "rmidi6")
+	filetrans_pattern($1, device_t, sound_device_t, chr_file, "rmidi7")
+	filetrans_pattern($1, device_t, sound_device_t, chr_file, "rmidi8")
+	filetrans_pattern($1, device_t, sound_device_t, chr_file, "rmidi9")
+	filetrans_pattern($1, device_t, dri_device_t, chr_file, "radeon")
+	filetrans_pattern($1, device_t, v4l_device_t, chr_file, "radio0")
+	filetrans_pattern($1, device_t, v4l_device_t, chr_file, "radio1")
+	filetrans_pattern($1, device_t, v4l_device_t, chr_file, "radio2")
+	filetrans_pattern($1, device_t, v4l_device_t, chr_file, "radio3")
+	filetrans_pattern($1, device_t, v4l_device_t, chr_file, "radio4")
+	filetrans_pattern($1, device_t, v4l_device_t, chr_file, "radio5")
+	filetrans_pattern($1, device_t, v4l_device_t, chr_file, "radio6")
+	filetrans_pattern($1, device_t, v4l_device_t, chr_file, "radio7")
+	filetrans_pattern($1, device_t, v4l_device_t, chr_file, "radio8")
+	filetrans_pattern($1, device_t, v4l_device_t, chr_file, "radio9")
+	filetrans_pattern($1, device_t, random_device_t, chr_file, "random")
+	filetrans_pattern($1, device_t, v4l_device_t, chr_file, "raw13940")
+	filetrans_pattern($1, device_t, v4l_device_t, chr_file, "raw13941")
+	filetrans_pattern($1, device_t, v4l_device_t, chr_file, "raw13942")
+	filetrans_pattern($1, device_t, v4l_device_t, chr_file, "raw13943")
+	filetrans_pattern($1, device_t, v4l_device_t, chr_file, "raw13944")
+	filetrans_pattern($1, device_t, v4l_device_t, chr_file, "raw13945")
+	filetrans_pattern($1, device_t, v4l_device_t, chr_file, "raw13946")
+	filetrans_pattern($1, device_t, v4l_device_t, chr_file, "raw13947")
+	filetrans_pattern($1, device_t, v4l_device_t, chr_file, "raw13948")
+	filetrans_pattern($1, device_t, v4l_device_t, chr_file, "raw13949")
+	filetrans_pattern($1, device_t, modem_device_t, chr_file, "cdc-wdm0")
+	filetrans_pattern($1, device_t, modem_device_t, chr_file, "cdc-wdm1")
+	filetrans_pattern($1, device_t, wireless_device_t, chr_file, "rfkill")
+	filetrans_pattern($1, device_t, sound_device_t, chr_file, "sequencer")
+	filetrans_pattern($1, device_t, sound_device_t, chr_file, "sequencer2")
+	filetrans_pattern($1, device_t, sound_device_t, chr_file, "smpte0")
+	filetrans_pattern($1, device_t, sound_device_t, chr_file, "smpte1")
+	filetrans_pattern($1, device_t, sound_device_t, chr_file, "smpte2")
+	filetrans_pattern($1, device_t, sound_device_t, chr_file, "smpte3")
+	filetrans_pattern($1, device_t, sound_device_t, chr_file, "smpte4")
+	filetrans_pattern($1, device_t, sound_device_t, chr_file, "smpte5")
+	filetrans_pattern($1, device_t, sound_device_t, chr_file, "smpte6")
+	filetrans_pattern($1, device_t, sound_device_t, chr_file, "smpte7")
+	filetrans_pattern($1, device_t, sound_device_t, chr_file, "smpte8")
+	filetrans_pattern($1, device_t, sound_device_t, chr_file, "smpte9")
+	filetrans_pattern($1, device_t, power_device_t, chr_file, "smu")
+	filetrans_pattern($1, device_t, apm_bios_t, chr_file, "snapshot")
+	filetrans_pattern($1, device_t, sound_device_t, chr_file, "sndstat")
+	filetrans_pattern($1, device_t, v4l_device_t, chr_file, "sonypi")
+	filetrans_pattern($1, device_t, tpm_device_t, chr_file, "tpm0")
+	filetrans_pattern($1, device_t, tpm_device_t, chr_file, "tpm1")
+	filetrans_pattern($1, device_t, tpm_device_t, chr_file, "tpm2")
+	filetrans_pattern($1, device_t, tpm_device_t, chr_file, "tpm3")
+	filetrans_pattern($1, device_t, tpm_device_t, chr_file, "tpm4")
+	filetrans_pattern($1, device_t, tpm_device_t, chr_file, "tpm5")
+	filetrans_pattern($1, device_t, tpm_device_t, chr_file, "tpm6")
+	filetrans_pattern($1, device_t, tpm_device_t, chr_file, "tpm7")
+	filetrans_pattern($1, device_t, tpm_device_t, chr_file, "tpm8")
+	filetrans_pattern($1, device_t, tpm_device_t, chr_file, "tpm9")
+	filetrans_pattern($1, device_t, event_device_t, chr_file, "uinput")
+	filetrans_pattern($1, device_t, userio_device_t, chr_file, "uio0")
+	filetrans_pattern($1, device_t, userio_device_t, chr_file, "uio1")
+	filetrans_pattern($1, device_t, userio_device_t, chr_file, "uio2")
+	filetrans_pattern($1, device_t, userio_device_t, chr_file, "uio3")
+	filetrans_pattern($1, device_t, userio_device_t, chr_file, "uio4")
+	filetrans_pattern($1, device_t, userio_device_t, chr_file, "uio5")
+	filetrans_pattern($1, device_t, userio_device_t, chr_file, "uio6")
+	filetrans_pattern($1, device_t, userio_device_t, chr_file, "uio7")
+	filetrans_pattern($1, device_t, userio_device_t, chr_file, "uio8")
+	filetrans_pattern($1, device_t, userio_device_t, chr_file, "uio9")
+	filetrans_pattern($1, device_t, urandom_device_t, chr_file, "urandom")
+	filetrans_pattern($1, device_t, usb_device_t, chr_file, "usb0")
+	filetrans_pattern($1, device_t, usb_device_t, chr_file, "usb1")
+	filetrans_pattern($1, device_t, usb_device_t, chr_file, "usb2")
+	filetrans_pattern($1, device_t, usb_device_t, chr_file, "usb3")
+	filetrans_pattern($1, device_t, usb_device_t, chr_file, "usb4")
+	filetrans_pattern($1, device_t, usb_device_t, chr_file, "usb5")
+	filetrans_pattern($1, device_t, usb_device_t, chr_file, "usb6")
+	filetrans_pattern($1, device_t, usb_device_t, chr_file, "usb7")
+	filetrans_pattern($1, device_t, usb_device_t, chr_file, "usb8")
+	filetrans_pattern($1, device_t, usbmon_device_t, chr_file, "usbmon0")
+	filetrans_pattern($1, device_t, usbmon_device_t, chr_file, "usbmon1")
+	filetrans_pattern($1, device_t, usbmon_device_t, chr_file, "usbmon2")
+	filetrans_pattern($1, device_t, usbmon_device_t, chr_file, "usbmon3")
+	filetrans_pattern($1, device_t, usbmon_device_t, chr_file, "usbmon4")
+	filetrans_pattern($1, device_t, usbmon_device_t, chr_file, "usbmon5")
+	filetrans_pattern($1, device_t, usbmon_device_t, chr_file, "usbmon6")
+	filetrans_pattern($1, device_t, usbmon_device_t, chr_file, "usbmon7")
+	filetrans_pattern($1, device_t, usbmon_device_t, chr_file, "usbmon8")
+	filetrans_pattern($1, device_t, usbmon_device_t, chr_file, "usbmon9")
+	filetrans_pattern($1, device_t, scanner_device_t, chr_file, "usbscanner")
+	filetrans_pattern($1, device_t, vhost_device_t, chr_file, "vhost-net")
+	filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vbi0")
+	filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vbi1")
+	filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vbi2")
+	filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vbi3")
+	filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vbi4")
+	filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vbi5")
+	filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vbi6")
+	filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vbi7")
+	filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vbi8")
+	filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vbi9")
+	filetrans_pattern($1, device_t, vmware_device_t, chr_file, "vmmon")
+	filetrans_pattern($1, device_t, vmware_device_t, chr_file, "vmnet0")
+	filetrans_pattern($1, device_t, vmware_device_t, chr_file, "vmnet1")
+	filetrans_pattern($1, device_t, vmware_device_t, chr_file, "vmnet2")
+	filetrans_pattern($1, device_t, vmware_device_t, chr_file, "vmnet3")
+	filetrans_pattern($1, device_t, vmware_device_t, chr_file, "vmnet4")
+	filetrans_pattern($1, device_t, vmware_device_t, chr_file, "vmnet5")
+	filetrans_pattern($1, device_t, vmware_device_t, chr_file, "vmnet6")
+	filetrans_pattern($1, device_t, vmware_device_t, chr_file, "vmnet7")
+	filetrans_pattern($1, device_t, vmware_device_t, chr_file, "vmnet8")
+	filetrans_pattern($1, device_t, vmware_device_t, chr_file, "vmnet9")
+	filetrans_pattern($1, device_t, v4l_device_t, chr_file, "media0")
+	filetrans_pattern($1, device_t, v4l_device_t, chr_file, "media1")
+	filetrans_pattern($1, device_t, v4l_device_t, chr_file, "media2")
+	filetrans_pattern($1, device_t, v4l_device_t, chr_file, "media3")
+	filetrans_pattern($1, device_t, v4l_device_t, chr_file, "media4")
+	filetrans_pattern($1, device_t, v4l_device_t, chr_file, "media5")
+	filetrans_pattern($1, device_t, v4l_device_t, chr_file, "media6")
+	filetrans_pattern($1, device_t, v4l_device_t, chr_file, "media7")
+	filetrans_pattern($1, device_t, v4l_device_t, chr_file, "media8")
+	filetrans_pattern($1, device_t, v4l_device_t, chr_file, "media9")
+	filetrans_pattern($1, device_t, v4l_device_t, chr_file, "video0")
+	filetrans_pattern($1, device_t, v4l_device_t, chr_file, "video1")
+	filetrans_pattern($1, device_t, v4l_device_t, chr_file, "video2")
+	filetrans_pattern($1, device_t, v4l_device_t, chr_file, "video3")
+	filetrans_pattern($1, device_t, v4l_device_t, chr_file, "video4")
+	filetrans_pattern($1, device_t, v4l_device_t, chr_file, "video5")
+	filetrans_pattern($1, device_t, v4l_device_t, chr_file, "video6")
+	filetrans_pattern($1, device_t, v4l_device_t, chr_file, "video7")
+	filetrans_pattern($1, device_t, v4l_device_t, chr_file, "video8")
+	filetrans_pattern($1, device_t, v4l_device_t, chr_file, "video9")
+	filetrans_pattern($1, device_t, mouse_device_t, chr_file, "vrtpanel")
+	filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vttuner")
+	filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vtx0")
+	filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vtx1")
+	filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vtx2")
+	filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vtx3")
+	filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vtx4")
+	filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vtx5")
+	filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vtx6")
+	filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vtx7")
+	filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vtx8")
+	filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vtx9")
+	filetrans_pattern($1, device_t, watchdog_device_t, chr_file, "watchdog")
+	filetrans_pattern($1, device_t, v4l_device_t, chr_file, "winradio0")
+	filetrans_pattern($1, device_t, v4l_device_t, chr_file, "winradio1")
+	filetrans_pattern($1, device_t, v4l_device_t, chr_file, "winradio2")
+	filetrans_pattern($1, device_t, v4l_device_t, chr_file, "winradio3")
+	filetrans_pattern($1, device_t, v4l_device_t, chr_file, "winradio4")
+	filetrans_pattern($1, device_t, v4l_device_t, chr_file, "winradio5")
+	filetrans_pattern($1, device_t, v4l_device_t, chr_file, "winradio6")
+	filetrans_pattern($1, device_t, v4l_device_t, chr_file, "winradio7")
+	filetrans_pattern($1, device_t, v4l_device_t, chr_file, "winradio8")
+	filetrans_pattern($1, device_t, v4l_device_t, chr_file, "winradio9")
+	filetrans_pattern($1, device_t, crypt_device_t, chr_file, "z90crypt")
+	filetrans_pattern($1, device_t, zero_device_t, chr_file, "zero")
+	filetrans_pattern($1, device_t, smartcard_device_t, chr_file, "cmx0")
+	filetrans_pattern($1, device_t, smartcard_device_t, chr_file, "cmx1")
+	filetrans_pattern($1, device_t, smartcard_device_t, chr_file, "cmx2")
+	filetrans_pattern($1, device_t, smartcard_device_t, chr_file, "cmx3")
+	filetrans_pattern($1, device_t, smartcard_device_t, chr_file, "cmx4")
+	filetrans_pattern($1, device_t, smartcard_device_t, chr_file, "cmx5")
+	filetrans_pattern($1, device_t, smartcard_device_t, chr_file, "cmx6")
+	filetrans_pattern($1, device_t, smartcard_device_t, chr_file, "cmx7")
+	filetrans_pattern($1, device_t, smartcard_device_t, chr_file, "cmx8")
+	filetrans_pattern($1, device_t, smartcard_device_t, chr_file, "cmx9")
+	filetrans_pattern($1, device_t, netcontrol_device_t, chr_file, "cpu_dma_latency")
+	filetrans_pattern($1, device_t, cpu_device_t, chr_file, "cpu0")
+	filetrans_pattern($1, device_t, cpu_device_t, chr_file, "cpu1")
+	filetrans_pattern($1, device_t, cpu_device_t, chr_file, "cpu2")
+	filetrans_pattern($1, device_t, cpu_device_t, chr_file, "cpu3")
+	filetrans_pattern($1, device_t, cpu_device_t, chr_file, "cpu4")
+	filetrans_pattern($1, device_t, cpu_device_t, chr_file, "cpu5")
+	filetrans_pattern($1, device_t, cpu_device_t, chr_file, "cpu6")
+	filetrans_pattern($1, device_t, cpu_device_t, chr_file, "cpu7")
+	filetrans_pattern($1, device_t, cpu_device_t, chr_file, "cpu8")
+	filetrans_pattern($1, device_t, cpu_device_t, chr_file, "cpu9")
+	filetrans_pattern($1, device_t, mtrr_device_t, chr_file, "mtrr")
+	filetrans_pattern($1, device_t, event_device_t, chr_file, "sensor0")
+	filetrans_pattern($1, device_t, event_device_t, chr_file, "sensor1")
+	filetrans_pattern($1, device_t, event_device_t, chr_file, "sensor2")
+	filetrans_pattern($1, device_t, event_device_t, chr_file, "sensor3")
+	filetrans_pattern($1, device_t, event_device_t, chr_file, "sensor4")
+	filetrans_pattern($1, device_t, event_device_t, chr_file, "sensor5")
+	filetrans_pattern($1, device_t, event_device_t, chr_file, "sensor6")
+	filetrans_pattern($1, device_t, event_device_t, chr_file, "sensor7")
+	filetrans_pattern($1, device_t, event_device_t, chr_file, "sensor8")
+	filetrans_pattern($1, device_t, event_device_t, chr_file, "sensor9")
+	filetrans_pattern($1, device_t, mouse_device_t, chr_file, "m0")
+	filetrans_pattern($1, device_t, mouse_device_t, chr_file, "m1")
+	filetrans_pattern($1, device_t, mouse_device_t, chr_file, "m2")
+	filetrans_pattern($1, device_t, mouse_device_t, chr_file, "m3")
+	filetrans_pattern($1, device_t, mouse_device_t, chr_file, "m4")
+	filetrans_pattern($1, device_t, mouse_device_t, chr_file, "m5")
+	filetrans_pattern($1, device_t, mouse_device_t, chr_file, "m6")
+	filetrans_pattern($1, device_t, mouse_device_t, chr_file, "m7")
+	filetrans_pattern($1, device_t, mouse_device_t, chr_file, "m8")
+	filetrans_pattern($1, device_t, mouse_device_t, chr_file, "m9")
+	filetrans_pattern($1, device_t, event_device_t, chr_file, "keyboard0")
+	filetrans_pattern($1, device_t, event_device_t, chr_file, "keyboard1")
+	filetrans_pattern($1, device_t, event_device_t, chr_file, "keyboard2")
+	filetrans_pattern($1, device_t, event_device_t, chr_file, "keyboard3")
+	filetrans_pattern($1, device_t, event_device_t, chr_file, "keyboard4")
+	filetrans_pattern($1, device_t, event_device_t, chr_file, "keyboard5")
+	filetrans_pattern($1, device_t, event_device_t, chr_file, "keyboard6")
+	filetrans_pattern($1, device_t, event_device_t, chr_file, "keyboard7")
+	filetrans_pattern($1, device_t, event_device_t, chr_file, "keyboard8")
+	filetrans_pattern($1, device_t, event_device_t, chr_file, "keyboard9")
+	filetrans_pattern($1, device_t, lvm_control_t, chr_file, "control")
+	filetrans_pattern($1, device_t, mouse_device_t, chr_file, "ucb1x00")
+	filetrans_pattern($1, device_t, mouse_device_t, chr_file, "mk712")
+	filetrans_pattern($1, device_t, scanner_device_t, chr_file, "dc2xx0")
+	filetrans_pattern($1, device_t, scanner_device_t, chr_file, "dc2xx1")
+	filetrans_pattern($1, device_t, scanner_device_t, chr_file, "dc2xx2")
+	filetrans_pattern($1, device_t, scanner_device_t, chr_file, "dc2xx3")
+	filetrans_pattern($1, device_t, scanner_device_t, chr_file, "dc2xx4")
+	filetrans_pattern($1, device_t, scanner_device_t, chr_file, "dc2xx5")
+	filetrans_pattern($1, device_t, scanner_device_t, chr_file, "dc2xx6")
+	filetrans_pattern($1, device_t, scanner_device_t, chr_file, "dc2xx7")
+	filetrans_pattern($1, device_t, scanner_device_t, chr_file, "dc2xx8")
+	filetrans_pattern($1, device_t, scanner_device_t, chr_file, "dc2xx9")
+	filetrans_pattern($1, device_t, scanner_device_t, chr_file, "mdc8000")
+	filetrans_pattern($1, device_t, scanner_device_t, chr_file, "mdc8001")
+	filetrans_pattern($1, device_t, scanner_device_t, chr_file, "mdc8002")
+	filetrans_pattern($1, device_t, scanner_device_t, chr_file, "mdc8003")
+	filetrans_pattern($1, device_t, scanner_device_t, chr_file, "mdc8004")
+	filetrans_pattern($1, device_t, scanner_device_t, chr_file, "mdc8005")
+	filetrans_pattern($1, device_t, scanner_device_t, chr_file, "mdc8006")
+	filetrans_pattern($1, device_t, scanner_device_t, chr_file, "mdc8007")
+	filetrans_pattern($1, device_t, scanner_device_t, chr_file, "mdc8008")
+	filetrans_pattern($1, device_t, scanner_device_t, chr_file, "mdc8009")
+	filetrans_pattern($1, device_t, scanner_device_t, chr_file, "scanner0")
+	filetrans_pattern($1, device_t, scanner_device_t, chr_file, "scanner1")
+	filetrans_pattern($1, device_t, scanner_device_t, chr_file, "scanner2")
+	filetrans_pattern($1, device_t, scanner_device_t, chr_file, "scanner3")
+	filetrans_pattern($1, device_t, scanner_device_t, chr_file, "scanner4")
+	filetrans_pattern($1, device_t, scanner_device_t, chr_file, "scanner5")
+	filetrans_pattern($1, device_t, scanner_device_t, chr_file, "scanner6")
+	filetrans_pattern($1, device_t, scanner_device_t, chr_file, "scanner7")
+	filetrans_pattern($1, device_t, scanner_device_t, chr_file, "scanner8")
+	filetrans_pattern($1, device_t, scanner_device_t, chr_file, "scanner9")
+	filetrans_pattern($1, device_t, xen_device_t, chr_file, "blktap0")
+	filetrans_pattern($1, device_t, xen_device_t, chr_file, "blktap1")
+	filetrans_pattern($1, device_t, xen_device_t, chr_file, "blktap2")
+	filetrans_pattern($1, device_t, xen_device_t, chr_file, "blktap3")
+	filetrans_pattern($1, device_t, xen_device_t, chr_file, "blktap4")
+	filetrans_pattern($1, device_t, xen_device_t, chr_file, "blktap5")
+	filetrans_pattern($1, device_t, xen_device_t, chr_file, "blktap6")
+	filetrans_pattern($1, device_t, xen_device_t, chr_file, "blktap7")
+	filetrans_pattern($1, device_t, xen_device_t, chr_file, "blktap8")
+	filetrans_pattern($1, device_t, xen_device_t, chr_file, "blktap9")
+	filetrans_pattern($1, device_t, xen_device_t, chr_file, "gntdev")
+	filetrans_pattern($1, device_t, xen_device_t, chr_file, "gntalloc")
+	filetrans_pattern($1, device_t, xen_device_t, chr_file, "privcmd")
+	filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC0")
+	filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC1")
+	filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC2")
+	filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC3")
+	filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC4")
+	filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC5")
+	filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC6")
+	filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC7")
+	filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC8")
+	filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC9")
+	filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC10")
+	filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC11")
+	filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC12")
+	filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC13")
+	filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC14")
+	filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC15")
+	filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC16")
+	filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC17")
+	filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC18")
+	filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC19")
+	filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC20")
+	filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC21")
+	filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC22")
+	filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC23")
+	filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC24")
+	filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC25")
+	filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC26")
+	filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC27")
+	filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC28")
+	filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC29")
+	filetrans_pattern($1, device_t, sound_device_t, chr_file, "patmgr0")
+	filetrans_pattern($1, device_t, sound_device_t, chr_file, "patmgr1")
+	filetrans_pattern($1, device_t, sound_device_t, chr_file, "srnd0")
+	filetrans_pattern($1, device_t, sound_device_t, chr_file, "srnd1")
+	filetrans_pattern($1, device_t, sound_device_t, chr_file, "srnd2")
+	filetrans_pattern($1, device_t, sound_device_t, chr_file, "srnd3")
+	filetrans_pattern($1, device_t, sound_device_t, chr_file, "srnd4")
+	filetrans_pattern($1, device_t, sound_device_t, chr_file, "srnd5")
+	filetrans_pattern($1, device_t, sound_device_t, chr_file, "srnd6")
+	filetrans_pattern($1, device_t, sound_device_t, chr_file, "srnd7")
+	filetrans_pattern($1, device_t, v4l_device_t, chr_file, "tlk0")
+	filetrans_pattern($1, device_t, v4l_device_t, chr_file, "tlk1")
+	filetrans_pattern($1, device_t, v4l_device_t, chr_file, "tlk2")
+	filetrans_pattern($1, device_t, v4l_device_t, chr_file, "tlk3")
+	filetrans_pattern($1, device_t, usb_device_t, chr_file, "uba")
+	filetrans_pattern($1, device_t, usb_device_t, chr_file, "ubb")
+	filetrans_pattern($1, device_t, usb_device_t, chr_file, "ubc")
+	filetrans_pattern($1, device_t, uhid_device_t, chr_file, "uhid")
+	filetrans_pattern($1, device_t, hypervkvp_device_t, chr_file, "hv_kvp")
+	filetrans_pattern($1, device_t, hypervvssd_device_t, chr_file, "hv_vss")
+	filetrans_pattern($1, device_t, gpfs_device_t, chr_file, "ss0")
+	filetrans_pattern($1, device_t, gpio_device_t, chr_file, "gpiochip0")
+	filetrans_pattern($1, device_t, gpio_device_t, chr_file, "gpiochip1")
+	filetrans_pattern($1, device_t, gpio_device_t, chr_file, "gpiochip2")
+	dev_filetrans_xserver_named_dev($1)
+')
+
+########################################
+## <summary>
+##	Create all named devices with the correct label
+## </summary>
+## <param name="domain">
+##	<summary>
+##      Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_filetrans_xserver_named_dev',`
+
+	gen_require(`
+		type xserver_misc_device_t;
+	')
+
+	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "3dfx")
+	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "controlD64")
+	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "gfx")
+	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "graphics")
+	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid0")
+	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid1")
+	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid2")
+	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid3")
+	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid4")
+	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid5")
+	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid6")
+	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid7")
+	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid8")
+	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid9")
+	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia0")
+	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia1")
+	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia2")
+	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia3")
+	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia4")
+	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia5")
+	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia6")
+	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia7")
+	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia8")
+	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia9")
+	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidiactl")
+	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "opengl")
+	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox0")
+	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox1")
+	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox2")
+	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox3")
+	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox4")
+	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox5")
+	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox6")
+	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox7")
+	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox8")
+	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox9")
+	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vga_arbiter")
+	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card0")
+	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card1")
+	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card2")
+	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card3")
+	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card4")
+	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card5")
+	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card6")
+	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card7")
+	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card8")
+	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card9")
+')
diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
index 0b1a8715a..849b00191 100644
--- a/policy/modules/kernel/devices.te
+++ b/policy/modules/kernel/devices.te
@@ -15,11 +15,12 @@ attribute devices_unconfined_type;
 #
 type device_t;
 fs_associate_tmpfs(device_t)
-files_type(device_t)
+files_base_file(device_t)
 files_mountpoint(device_t)
 files_associate_tmp(device_t)
 fs_type(device_t)
 fs_use_trans devtmpfs gen_context(system_u:object_r:device_t,s0);
+dev_node(device_t)
 
 #
 # Type for /dev/agpgart
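Review bot: `dev_node(device_t)` on the last added line of this hunk makes device_t — the label of /dev itself and of any node left with the generic /dev label — a member of whatever dev_node() assigns (the device_node attribute, judging by the rules at the end of this file), so every rule written against device_node, including the devices_unconfined_type rules in the last hunk, now also reaches device_t, and nothing in the hunk says that this widening is intended. A one-line comment above the call would let a later reader tell intent from accident, e.g. `# device_t is itself a device node so that device_node rules cover the generic /dev label — confirm`. The exact wording should follow the definition of dev_node() in devices.if, which is not visible here.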
@@ -43,9 +44,6 @@ type cardmgr_dev_t;
 dev_node(cardmgr_dev_t)
 files_tmp_file(cardmgr_dev_t)
 
-type cachefiles_device_t;
-dev_node(cachefiles_device_t)
-
 #
 # clock_device_t is the type of
 # /dev/rtc.
@@ -65,6 +63,9 @@ dev_node(cpu_device_t)
 type crash_device_t;
 dev_node(crash_device_t)
 
+type ecryptfs_device_t;
+dev_node(ecryptfs_device_t)
+
 # for the IBM zSeries z90crypt hardware ssl accelorator
 type crypt_device_t;
 dev_node(crypt_device_t)
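Review bot: `type ecryptfs_device_t;` is added without the `# Type for ...` header comment that the surrounding declarations carry (the crypt_device_t block directly below it names its node), so the node it labels is not recorded anywhere in this hunk. The same gap applies to hsa_device_t in the next hunk, to vfio_device_t, vsock_device_t and vmci_device_t in the hunk at `@@ -266,14 +330,30 @@`, and to cpu_online_t in the hunk at `@@ -227,6 +287,10 @@`, where the sysfs path it is meant for is also unnamed. A line such as `# Type for the ecryptfs device node (/dev path to confirm)` above each declaration would match the file's convention.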
@@ -78,6 +79,9 @@ dev_node(dlm_control_device_t)
 type dri_device_t;
 dev_node(dri_device_t)
 
+type hsa_device_t;
+dev_node(hsa_device_t)
+
 type event_device_t;
 dev_node(event_device_t)
 
@@ -87,12 +91,45 @@ dev_node(event_device_t)
 type framebuf_device_t;
 dev_node(framebuf_device_t)
 
+#
+# Type for hyperv devices
+#
+type hypervkvp_device_t;
+dev_node(hypervkvp_device_t)
+
+type hypervvssd_device_t;
+dev_node(hypervvssd_device_t)
+
+#
+# Type for /dev/ss0
+#
+type gpfs_device_t;
+dev_node(gpfs_device_t)
+
+#
+# Type for /dev/gpiochip*
+#
+type gpio_device_t;
+dev_node(gpio_device_t)
+
 #
 # Type for /dev/ipmi/0
 #
 type ipmi_device_t;
 dev_node(ipmi_device_t)
 
+#
+# Type for /dev/infiniband
+#
+type infiniband_device_t;
+dev_node(infiniband_device_t)
+
+#
+# Type for /dev/infiniband mgmt devices
+#
+type infiniband_mgmt_device_t;
+dev_node(infiniband_mgmt_device_t)
+
 #
 # Type for /dev/kmsg
 #
@@ -111,6 +148,7 @@ dev_node(ksm_device_t)
 #
 type kvm_device_t;
 dev_node(kvm_device_t)
+mls_trusted_object(kvm_device_t)
 
 #
 # Type for /dev/lirc
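Review bot: `mls_trusted_object(kvm_device_t)` marks the KVM node as an MLS trusted object, which in refpolicy relaxes the MLS constraints on accesses to it, and the hunk at `@@ -266,14 +330,30 @@` does the same for vhost_device_t; in both places there is no comment giving the reason the node must be usable across sensitivity levels. This is exactly the kind of exemption a later reviewer would otherwise remove as over-broad, so record the rationale next to each call, e.g. `# MLS trusted object: the node is shared by domains running at different levels — confirm`, adjusted to the actual reason.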
@@ -118,6 +156,9 @@ dev_node(kvm_device_t)
 type lirc_device_t;
 dev_node(lirc_device_t)
 
+#
+# Type for /dev/mapper/control
+#
 type loop_control_device_t;
 dev_node(loop_control_device_t)
 
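Review bot: the new comment `# Type for /dev/mapper/control` sits above `type loop_control_device_t;`, but that type's name points at the loop control device, and the devices.if hunk earlier in this diff labels a node named "control" as lvm_control_t rather than loop_control_device_t. Either the comment was attached to the wrong declaration or the type name is misleading; if the type really is the loop control node, `# Type for the loop control device node` would be accurate, and the /dev/mapper/control remark belongs with the lvm_control_t declaration, which is not visible in this diff.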
@@ -149,17 +190,30 @@ dev_node(misc_device_t)
 type modem_device_t;
 dev_node(modem_device_t)
 
+#
+# A general type for monitor devices.
+#
+type monitor_device_t;
+dev_node(monitor_device_t)
+
 #
 # A more general type for mouse devices.
 #
 type mouse_device_t;
 dev_node(mouse_device_t)
 
+#
+# Type for /dev/mptctl used to check RAID status.
+#
+type mptctl_device_t;
+dev_node(mptctl_device_t)
+
 #
 # Type for /dev/cpu/mtrr and /proc/mtrr
 #
 type mtrr_device_t;
 dev_node(mtrr_device_t)
+files_mountpoint(mtrr_device_t)
 genfscon proc /mtrr gen_context(system_u:object_r:mtrr_device_t,s0)
 
 #
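Review bot: `files_mountpoint(mtrr_device_t)` is added without a comment, and nothing in the hunk explains why a node described two lines above as /dev/cpu/mtrr and /proc/mtrr needs to be a mountpoint; the only other mountpoint grant visible in this file is for device_t, i.e. /dev itself. A why-comment such as `# mountpoint: something is mounted over /proc/mtrr — confirm what` (replaced by the real reason) would keep the next reader from dropping the line as stray.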
@@ -182,6 +236,12 @@ sid devnull gen_context(system_u:object_r:null_device_t,s0)
 type nvram_device_t;
 dev_node(nvram_device_t)
 
+#
+# Type for controller device nodes
+#
+type nvme_device_t;
+dev_node(nvme_device_t)
+
 #
 # Type for /dev/pmu
 #
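Review bot: The header `# Type for controller device nodes` on nvme_device_t does not say which nodes it covers, unlike the neighbouring `# Type for /dev/pmu` style headers. Name the path pattern that devices.fc labels with it, e.g. `# Type for NVMe controller device nodes (see devices.fc for the /dev/nvme pattern)`.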
@@ -227,6 +287,10 @@ files_mountpoint(sysfs_t)
 fs_type(sysfs_t)
 genfscon sysfs / gen_context(system_u:object_r:sysfs_t,s0)
 
+type cpu_online_t;
+files_type(cpu_online_t)
+dev_associate_sysfs(cpu_online_t)
+
 #
 # Type for /dev/tpm
 #
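Review bot: cpu_online_t is declared without a comment and, unlike the other types in this file, through `files_type`/`dev_associate_sysfs` rather than `dev_node`, so the reader cannot tell which sysfs file it labels or why it is a files type. Add a header in the file's style, e.g. `#` / `# Type for the sysfs cpu "online" file read via dev_read_cpu_online (presumably /sys/devices/system/cpu/online -- confirm against the fc entry)` / `#`.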
@@ -266,14 +330,30 @@ dev_node(usbmon_device_t)
 type userio_device_t;
 dev_node(userio_device_t)
 
+#
+# uhid_device_t is the type for /dev/uhid
+#
+type uhid_device_t;
+dev_node(uhid_device_t)
+
+type vfio_device_t;
+dev_node(vfio_device_t)
+
 type v4l_device_t;
 dev_node(v4l_device_t)
 
+type vsock_device_t;
+dev_node(vsock_device_t)
+
+type vmci_device_t;
+dev_node(vmci_device_t)
+
 #
 # vhost_device_t is the type for /dev/vhost-net
 #
 type vhost_device_t;
 dev_node(vhost_device_t)
+mls_trusted_object(vhost_device_t)
 
 # Type for vmware devices.
 type vmware_device_t;
@@ -319,5 +399,8 @@ files_associate_tmp(device_node)
 #
 
 allow devices_unconfined_type self:capability sys_rawio;
-allow devices_unconfined_type device_node:{ blk_file chr_file } *;
-allow devices_unconfined_type mtrr_device_t:file *;
+allow devices_unconfined_type device_node:{ blk_file lnk_file } *;
+allow devices_unconfined_type device_node:{ file chr_file } ~{ execmod entrypoint };
+allow devices_unconfined_type mtrr_device_t:file ~{ execmod entrypoint };
+dev_getattr_all(devices_unconfined_type)
+
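Review bot: The new `device_node:{ file chr_file } ~{ execmod entrypoint }` rule deliberately withholds two permissions from an otherwise unconfined attribute, but blk_file on the line above keeps the full `*`, so block device nodes can still be execmod'ed or used as entrypoints; if the exclusion is intended it should apply to blk_file as well, and a comment should record the intent, e.g. `# even unconfined device domains must not use device nodes as entrypoints or execmod them`. The trailing `+` blank line at L10016 adds whitespace at end of file.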
diff --git a/policy/modules/kernel/domain.if b/policy/modules/kernel/domain.if
index 6a1e4d156..4b87be8e4 100644
--- a/policy/modules/kernel/domain.if
+++ b/policy/modules/kernel/domain.if
@@ -76,33 +76,8 @@ interface(`domain_type',`
 	# start with basic domain
 	domain_base_type($1)
 
-	ifdef(`distro_redhat',`
-		optional_policy(`
-			unconfined_use_fds($1)
-		')
-	')
-
-	# send init a sigchld and signull
-	optional_policy(`
-		init_sigchld($1)
-		init_signull($1)
-	')
-
-	# these seem questionable:
-
-	optional_policy(`
-		rpm_use_fds($1)
-		rpm_read_pipes($1)
-	')
-
-	optional_policy(`
-		selinux_dontaudit_getattr_fs($1)
-		selinux_dontaudit_read_fs($1)
-	')
-
-	optional_policy(`
-		seutil_dontaudit_read_config($1)
-	')
+	# Only way to get corenet_unlabeled packets disabled to work
+	corenet_all_recvfrom_unlabeled($1)
 ')
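Review bot: The comment `# Only way to get corenet_unlabeled packets disabled to work` does not say what `corenet_all_recvfrom_unlabeled($1)` grants -- every domain declared with domain_type now receives unlabeled packets unconditionally -- nor which tunable or mechanism it refers to. Reword it to state the grant and the reason, e.g. `# Unconditionally let every domain receive unlabeled packets; required for disabling unlabeled packet handling in corenet to work (see <tracker id placeholder>)`. domain_type starts outside the hunk.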
 
 ########################################
@@ -133,6 +108,10 @@ interface(`domain_entry_file',`
 	typeattribute $2 entry_type;
 
 	corecmd_executable_file($2)
+
+	#optional_policy(`
+	#	unconfined_exec_typebounds($2)
+	#')
 ')
 
 ########################################
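Review bot: The commented-out `optional_policy` block calling `unconfined_exec_typebounds($2)` in domain_entry_file is dead code that will only confuse future readers about whether typebounds is applied to entry files. Either drop it or replace it with a statement of intent such as `# unconfined_exec_typebounds($2) is intentionally not applied: <reason>`. domain_entry_file starts outside the hunk.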
@@ -511,6 +490,26 @@ interface(`domain_signull_all_domains',`
 	allow $1 domain:process signull;
 ')
 
+########################################
+## <summary>
+##	Do not audit attempts to send 
+##	signulls to all domains.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`domain_dontaudit_signull_all_domains',`
+	gen_require(`
+		attribute domain;
+	')
+
+	dontaudit $1 domain:process signull;
+')
+
 ########################################
 ## <summary>
 ##	Send a stop signal to all domains.
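Review bot: `<rolecap/>` marks domain_dontaudit_signull_all_domains as a role capability although it only adds a dontaudit rule; the other dontaudit interfaces added by this commit (domain_dontaudit_search_all_domains_keyrings at L10135, domain_dontaudit_leaks at L10287) omit the tag. Unless the interface is meant to be selectable in role definitions, drop `## <rolecap/>`. The summary line at L10074 also ends in trailing whitespace (`send `).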
@@ -569,6 +568,25 @@ interface(`domain_kill_all_domains',`
 	allow $1 self:capability kill;
 ')
 
+########################################
+## <summary>
+##	Destroy all domains semaphores
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`domain_destroy_all_semaphores',`
+	gen_require(`
+		attribute domain;
+	')
+
+	allow $1 domain:sem destroy;
+')
+
 ########################################
 ## <summary>
 ##	Search the process state directory (/proc/pid) of all domains.
@@ -588,6 +606,42 @@ interface(`domain_search_all_domains_state',`
 	allow $1 domain:dir search_dir_perms;
 ')
 
+########################################
+## <summary>
+##	Dontaudit search of process kernel keyrings
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to dontaudit.
+##	</summary>
+## </param>
+#
+interface(`domain_dontaudit_search_all_domains_keyrings',`
+	gen_require(`
+		attribute domain;
+	')
+
+	dontaudit $1 domain:key search;
+')
+
+########################################
+## <summary>
+##	Dontaudit link of process kernel keyrings
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to dontaudit.
+##	</summary>
+## </param>
+#
+interface(`domain_dontaudit_link_all_domains_keyrings',`
+	gen_require(`
+		attribute domain;
+	')
+
+	dontaudit $1 domain:key link;
+')
+
 ########################################
 ## <summary>
 ##	Do not audit attempts to search the process
@@ -631,7 +685,7 @@ interface(`domain_read_all_domains_state',`
 
 ########################################
 ## <summary>
-##	Get the attributes of all domains of all domains.
+##	Get the attributes of all domains.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -655,7 +709,7 @@ interface(`domain_getattr_all_domains',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed access.
+##	Domain to not audit.
 ##	</summary>
 ## </param>
 #
@@ -1354,6 +1408,24 @@ interface(`domain_manage_all_entry_files',`
 	allow $1 entry_type:file manage_file_perms;
 ')
 
+########################################
+## <summary>
+##	Relabel from domain types on files if a user managed to mislable
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`domain_relabelfrom',`
+	gen_require(`
+		attribute domain;
+	')
+
+	allow $1 domain:dir_file_class_set relabelfrom_file_perms;
+')
+
 ########################################
 ## <summary>
 ##	Relabel to and from all entry point
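Review bot: The summary of domain_relabelfrom has a typo (`mislable` -> `mislabel`) and does not say what the rule actually permits, which is relabelling files that carry a domain (process) type label by mistake; suggest `##	Relabel from files that were mistakenly labelled with a domain type.` The interface name is also less specific than its siblings such as domain_manage_all_entry_files; a name along the lines of domain_relabelfrom_all_domains would state what is being relabelled from.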
@@ -1421,7 +1493,7 @@ interface(`domain_entry_file_spec_domtrans',`
 ## <summary>
 ##	Ability to mmap a low area of the address
 ##	space conditionally, as configured by
-##	/proc/sys/kernel/mmap_min_addr.
+##	/proc/sys/vm/mmap_min_addr.
 ##	Preventing such mappings helps protect against
 ##	exploiting null deref bugs in the kernel.
 ## </summary>
@@ -1448,7 +1520,7 @@ interface(`domain_mmap_low',`
 ## <summary>
 ##	Ability to mmap a low area of the address
 ##	space unconditionally, as configured
-##	by /proc/sys/kernel/mmap_min_addr.
+##	by /proc/sys/vm/mmap_min_addr.
 ##	Preventing such mappings helps protect against
 ##	exploiting null deref bugs in the kernel.
 ## </summary>
@@ -1506,6 +1578,40 @@ interface(`domain_unconfined_signal',`
 	allow $1 unconfined_domain_type:process signal;
 ')
 
+########################################
+## <summary>
+##	Named Filetrans Domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`domain_named_filetrans',`
+	gen_require(`
+		attribute named_filetrans_domain;
+	')
+
+	typeattribute $1 named_filetrans_domain;
+')
+
+#####################################
+## <summary>
+##  named_filetrans_domain stub attribute interface.  No access allowed.
+## </summary>
+## <param name="domain" unused="true">
+##  <summary>
+##  Domain allowed access
+##  </summary>
+## </param>
+#
+interface(`domain_stub_named_filetrans_domain',`
+    gen_require(`
+        attribute named_filetrans_domain;
+    ')
+')
+
 ########################################
 ## <summary>
 ##	Unconfined access to domains.
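Review bot: domain_stub_named_filetrans_domain is indented with spaces (L10258-L10260) and its banner at L10247 is shorter than the `########################################` used everywhere else in this file, including domain_named_filetrans just above. Reindent the body with tabs, use the standard banner, and use the file's `##	<summary>` tab indentation in the XML block instead of the two-space `##  <summary>` form.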
@@ -1530,4 +1636,101 @@ interface(`domain_unconfined',`
 	typeattribute $1 can_change_object_identity;
 	typeattribute $1 set_curr_context;
 	typeattribute $1 process_uncond_exempt;
+
+	mcs_process_set_categories($1)
+
+	userdom_filetrans_home_content($1)
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to read or write
+##	all leaked sockets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`domain_dontaudit_leaks',`
+	gen_require(`
+		attribute domain;
+	')
+
+	dontaudit $1 domain:socket_class_set { read write };
+')
+
+########################################
+## <summary>
+##	Allow caller to transition to any domain
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`domain_transition_all',`
+	gen_require(`
+		attribute domain;
+	')
+
+	allow $1 domain:process transition;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to access check /proc
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`domain_dontaudit_access_check',`
+	gen_require(`
+		attribute domain;
+	')
+
+	dontaudit $1 domain:dir_file_class_set audit_access;
+')
+
+########################################
+## <summary>
+##	Allow set resource limits to all domains.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`domain_setrlimit_all_domains',`
+	gen_require(`
+		attribute domain;
+	')
+
+	allow $1 domain:process setrlimit;
+')
+
+########################################
+## <summary>
+##	Allow set resource limits to all domains.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`domain_rlimitinh_all_domains',`
+	gen_require(`
+		attribute domain;
+	')
+
+	allow $1 domain:process rlimitinh;
 ')
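Review bot: The summary of domain_rlimitinh_all_domains (L10352) is a verbatim copy of the domain_setrlimit_all_domains summary, but the rule grants `rlimitinh`, which concerns inheriting resource limits across a domain transition rather than setting them; change it to something like `##	Allow the caller's resource limits to be inherited by all domains on transition.` domain_unconfined, whose body is extended at the top of this hunk, starts outside the hunk.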
diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
index cf04cb509..5831355b0 100644
--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
@@ -4,17 +4,49 @@ policy_module(domain, 1.11.0)
 #
 # Declarations
 #
+## <desc>
+## <p>
+## Allow all domains to use other domains file descriptors
+## </p>
+## </desc>
+#
+gen_tunable(domain_fd_use, true)
+
+## <desc>
+## <p>
+## Allow all domains to execute in fips_mode
+## </p>
+## </desc>
+#
+gen_tunable(fips_mode, true)
+
+## <desc>
+## <p>
+## Allow all domains to have the kernel load modules
+## </p>
+## </desc>
+#
+gen_tunable(domain_kernel_load_modules, false)
 
 ## <desc>
 ## <p>
 ##	Control the ability to mmap a low area of the address space,
-##	as configured by /proc/sys/kernel/mmap_min_addr.
+##	as configured by /proc/sys/vm/mmap_min_addr.
 ## </p>
 ## </desc>
 gen_tunable(mmap_low_allowed, false)
 
+## <desc>
+## <p>
+##	Allow all domains write to kmsg_device,
+##  while kernel is executed with systemd.log_target=kmsg parameter.
+## </p>
+## </desc>
+gen_tunable(domain_can_write_kmsg, false)
+
 # Mark process types as domains
 attribute domain;
+attribute named_filetrans_domain;
 
 # Transitions only allowed from domains to other domains
 neverallow domain ~domain:process { transition dyntransition };
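Review bot: `gen_tunable(domain_fd_use, true)` and `gen_tunable(fips_mode, true)` default to on, and neither description says so or explains the trade-off; domain_fd_use lets every domain use file descriptors passed to it by any other domain (L10835-L10838), which relaxes isolation between domains, so its `<desc>` should state the default and why it is enabled. The fips_mode text `Allow all domains to execute in fips_mode` does not describe what the boolean enables (L10915-L10924: fifo management, kernel sysctl reads and prelink execution for all domains); say that instead. Also L10412 is indented with spaces where its neighbours use a tab, and the domain_can_write_kmsg entry lacks the `#` separator line the other entries put between `</desc>` and `gen_tunable`.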
@@ -86,23 +118,59 @@ neverallow ~{ domain unlabeled_t } *:process *;
 allow domain self:dir list_dir_perms;
 allow domain self:lnk_file { read_lnk_file_perms lock ioctl };
 allow domain self:file rw_file_perms;
+allow domain self:fifo_file rw_fifo_file_perms;
+allow domain self:sem create_sem_perms;
+allow domain self:shm create_shm_perms;
+
 kernel_read_proc_symlinks(domain)
+kernel_read_crypto_sysctls(domain)
+kernel_read_vm_overcommit_sysctls(domain)
+
 # Every domain gets the key ring, so we should default
 # to no one allowed to look at it; afs kernel support creates
 # a keyring
 kernel_dontaudit_search_key(domain)
 kernel_dontaudit_link_key(domain)
+kernel_dontaudit_search_debugfs(domain)
 
 # create child processes in the domain
-allow domain self:process { fork sigchld };
+allow domain self:process { getcap fork getsched signal_perms };
 
 # Use trusted objects in /dev
+dev_read_cpu_online(domain)
 dev_rw_null(domain)
 dev_rw_zero(domain)
 term_use_controlling_term(domain)
 
+# Allow all domains to read /dev/urandom. It is needed by all apps/services
+# linked to libgcrypt. There is no harm to allow it by default.
+dev_read_urand(domain)
+
 # list the root directory
 files_list_root(domain)
+# allow all domains to search through base_file_type directory, since users 
+# sometimes place labels within these directories.  (samba_share_t) for example.
+files_search_base_file_types(domain)
+
+files_read_inherited_tmp_files(domain)
+files_append_inherited_tmp_files(domain)
+files_read_all_base_ro_files(domain)
+files_dontaduit_getattr_kernel_symbol_table(domain)
+
+# All executables should be able to search the directory they are in
+corecmd_search_bin(domain)
+
+optional_policy(`
+    userdom_search_admin_dir(domain)
+')
+
+tunable_policy(`domain_can_write_kmsg',`
+    dev_write_kmsg(domain)
+')
+
+tunable_policy(`domain_kernel_load_modules',`
+	kernel_request_load_module(domain)
+')
 
 ifdef(`hide_broken_symptoms',`
 	# This check is in the general socket
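Review bot: `files_dontaduit_getattr_kernel_symbol_table(domain)` at L10465 looks like a misspelling of `dontaudit`; if files.if declares the interface with the correct spelling this will not build, and if files.if carries the same typo the name should be corrected on both sides. `dev_read_urand(domain)` is now granted unconditionally at L10454 while L10485 keeps it inside `tunable_policy(`global_ssp'`, which makes that tunable branch a no-op. The `userdom_search_admin_dir` and `dev_write_kmsg` blocks (L10471, L10475) are indented with spaces instead of the tab used elsewhere in the file.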
@@ -120,9 +188,20 @@ tunable_policy(`global_ssp',`
 	dev_read_urand(domain)
 ')
 
+optional_policy(`
+	afs_rw_cache(domain)
+')
+
 optional_policy(`
 	libs_use_ld_so(domain)
 	libs_use_shared_libs(domain)
+	libs_read_lib_files(domain)
+')
+
+optional_policy(`
+	miscfiles_read_localization(domain)
+	miscfiles_read_man_pages(domain)
+	miscfiles_read_fonts(domain)
 ')
 
 optional_policy(`
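Review bot: `afs_rw_cache(domain)` gives every domain read/write access to the AFS cache without a comment explaining why, whereas the later `afs_rw_udp_sockets(domain)` (L10862-L10866) is gated behind `ifdef(`hide_broken_symptoms'`. Either gate this call the same way or add a rationale such as `# all domains need rw on the afs cache because <reason>` so the width of the grant is deliberate rather than accidental.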
@@ -133,6 +212,9 @@ optional_policy(`
 optional_policy(`
 	xserver_dontaudit_use_xdm_fds(domain)
 	xserver_dontaudit_rw_xdm_pipes(domain)
+	xserver_dontaudit_append_xdm_home_files(domain)
+	xserver_dontaudit_write_log(domain)
+	xserver_dontaudit_xdm_rw_stream_sockets(domain)
 ')
 
 ########################################
@@ -145,14 +227,21 @@ optional_policy(`
 # be used on an attribute.
 
 # Use/sendto/connectto sockets created by any domain.
+allow unconfined_domain_type self:cap_userns all_cap_userns_perms;
 allow unconfined_domain_type domain:{ socket_class_set socket key_socket } *;
 
+allow unconfined_domain_type domain:system all_system_perms;
 # Use descriptors and pipes created by any domain.
 allow unconfined_domain_type domain:fd use;
 allow unconfined_domain_type domain:fifo_file rw_file_perms;
 
+allow unconfined_domain_type unconfined_domain_type:dbus send_msg;
+
 # Act upon any other process.
-allow unconfined_domain_type domain:process ~{ transition dyntransition execmem execstack execheap };
+allow unconfined_domain_type domain:process ~{ ptrace transition dyntransition execmem execstack execheap };
+tunable_policy(`deny_ptrace',`',`
+	allow unconfined_domain_type domain:process ptrace;
+')
 
 # Create/access any System V IPC objects.
 allow unconfined_domain_type domain:{ sem msgq shm } *;
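Review bot: The comment `# Use/sendto/connectto sockets created by any domain.` (L10518) now sits above the unrelated `self:cap_userns all_cap_userns_perms` rule, and `domain:system all_system_perms` (L10522) is likewise squeezed in without a comment; give each its own line, e.g. `# unconfined domains get every capability in user namespaces` and `# unconfined domains may perform all system-class operations on any domain`. The `deny_ptrace` handling with an empty true branch is correct but unusual enough to deserve `# ptrace of other domains is controlled by the deny_ptrace boolean`.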
@@ -160,11 +249,393 @@ allow unconfined_domain_type domain:msg { send receive };
 
 # For /proc/pid
 allow unconfined_domain_type domain:dir list_dir_perms;
-allow unconfined_domain_type domain:file rw_file_perms;
+allow unconfined_domain_type domain:file manage_file_perms;
 allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
 
 # act on all domains keys
 allow unconfined_domain_type domain:key *;
 
+corenet_filetrans_all_named_dev(named_filetrans_domain)
+
+dev_filetrans_all_named_dev(named_filetrans_domain)
+
 # receive from all domains over labeled networking
 domain_all_recvfrom_all_domains(unconfined_domain_type)
+
+files_filetrans_named_content(named_filetrans_domain)
+files_filetrans_system_conf_named_files(named_filetrans_domain)
+files_config_all_files(unconfined_domain_type)
+dev_config_null_dev_service(unconfined_domain_type)
+
+optional_policy(`
+    kdump_filetrans_named_content(unconfined_domain_type)
+')
+
+optional_policy(`
+    fstools_filetrans_named_content_fsadm(named_filetrans_domain)
+')
+
+optional_policy(`
+    container_filetrans_named_content(named_filetrans_domain)
+')
+
+optional_policy(`
+    ipa_filetrans_named_content(named_filetrans_domain)
+')
+
+optional_policy(`
+	locallogin_filetrans_home_content(named_filetrans_domain)
+')
+
+optional_policy(`
+    mandb_filetrans_named_home_content(named_filetrans_domain)
+')
+
+optional_policy(`
+	snapper_filetrans_named_content(named_filetrans_domain)
+')
+
+optional_policy(`
+	seutil_filetrans_named_content(named_filetrans_domain)
+')
+
+optional_policy(`
+	wine_filetrans_named_content(named_filetrans_domain)
+')
+
+storage_filetrans_all_named_dev(named_filetrans_domain)
+
+term_filetrans_all_named_dev(named_filetrans_domain)
+
+optional_policy(`
+	init_disable_services(unconfined_domain_type)
+	init_enable_services(unconfined_domain_type)
+    init_reload_services(unconfined_domain_type)
+	init_status(unconfined_domain_type)
+	init_reboot(unconfined_domain_type)
+	init_halt(unconfined_domain_type)
+	init_undefined(unconfined_domain_type)
+	init_filetrans_named_content(named_filetrans_domain)
+')
+
+# Allow manage transient unit files
+optional_policy(`
+    init_start_transient_unit(unconfined_domain_type)
+    init_stop_transient_unit(unconfined_domain_type)
+    init_status_transient_unit(unconfined_domain_type)
+    init_reload_transient_unit(unconfined_domain_type)
+    init_enable_transient_unit(unconfined_domain_type)
+    init_disable_transient_unit(unconfined_domain_type)
+')
+
+optional_policy(`
+	auth_filetrans_named_content(named_filetrans_domain)
+	auth_filetrans_admin_home_content(named_filetrans_domain)
+')
+
+optional_policy(`
+	libs_filetrans_named_content(named_filetrans_domain)
+')
+
+optional_policy(`
+	logging_filetrans_named_content(named_filetrans_domain)
+')
+
+optional_policy(`
+	miscfiles_filetrans_named_content(named_filetrans_domain)
+')
+
+optional_policy(`
+	abrt_filetrans_named_content(named_filetrans_domain)
+')
+
+optional_policy(`
+	alsa_filetrans_named_content(named_filetrans_domain)
+')
+
+optional_policy(`
+	apache_filetrans_named_content(named_filetrans_domain)
+')
+
+optional_policy(`
+    apcupsd_filetrans_named_content(named_filetrans_domain)
+')
+
+optional_policy(`
+	bootloader_filetrans_config(named_filetrans_domain)
+')
+
+optional_policy(`
+	clock_filetrans_named_content(named_filetrans_domain)
+')
+
+optional_policy(`
+	cups_filetrans_named_content(named_filetrans_domain)
+')
+
+optional_policy(`
+	cvs_filetrans_home_content(named_filetrans_domain)
+')
+
+optional_policy(`
+    dbus_filetrans_named_content_system(named_filetrans_domain)
+')
+
+optional_policy(`
+	devicekit_filetrans_named_content(named_filetrans_domain)
+')
+
+optional_policy(`
+	dnsmasq_filetrans_named_content(named_filetrans_domain)
+')
+
+optional_policy(`
+	gnome_filetrans_admin_home_content(named_filetrans_domain)
+')
+
+optional_policy(`
+    iscsi_filetrans_named_content(named_filetrans_domain)
+')
+
+optional_policy(`
+    iptables_filetrans_named_content(named_filetrans_domain)
+')
+
+optional_policy(`
+	kerberos_filetrans_named_content(named_filetrans_domain)
+')
+
+optional_policy(`
+	mta_filetrans_named_content(named_filetrans_domain)
+')
+
+optional_policy(`
+    mplayer_filetrans_home_content(named_filetrans_domain)
+')
+
+optional_policy(`
+	modules_filetrans_named_content(named_filetrans_domain)
+')
+
+optional_policy(`
+	mysql_filetrans_named_content(named_filetrans_domain)
+')
+
+optional_policy(`
+	networkmanager_filetrans_named_content(named_filetrans_domain)
+')
+
+optional_policy(`
+	ntp_filetrans_named_content(named_filetrans_domain)
+')
+
+optional_policy(`
+	nx_filetrans_named_content(named_filetrans_domain)
+')
+
+optional_policy(`
+	plymouthd_filetrans_named_content(named_filetrans_domain)
+')
+
+optional_policy(`
+	postgresql_filetrans_named_content(named_filetrans_domain)
+')
+
+optional_policy(`
+	postfix_filetrans_named_content(named_filetrans_domain)
+')
+
+optional_policy(`
+	prelink_filetrans_named_content(named_filetrans_domain)
+')
+
+optional_policy(`
+	pulseaudio_filetrans_admin_home_content(named_filetrans_domain)
+')
+
+optional_policy(`
+	quota_filetrans_named_content(named_filetrans_domain)
+')
+
+optional_policy(`
+	rpcbind_filetrans_named_content(named_filetrans_domain)
+')
+
+optional_policy(`
+	rsync_filetrans_named_content(named_filetrans_domain)
+')
+
+optional_policy(`
+	sysnet_filetrans_named_content(named_filetrans_domain)
+	sysnet_filetrans_named_content_ifconfig(named_filetrans_domain)
+	sysnet_filetrans_named_content(unconfined_domain_type)
+	sysnet_filetrans_named_content_ifconfig(unconfined_domain_type)
+')
+
+optional_policy(`
+	systemd_login_status(unconfined_domain_type)
+	systemd_login_reboot(unconfined_domain_type)
+	systemd_login_halt(unconfined_domain_type)
+	systemd_login_undefined(unconfined_domain_type)
+	systemd_filetrans_named_content(named_filetrans_domain)
+	systemd_filetrans_named_hostname(named_filetrans_domain)
+	systemd_filetrans_home_content(named_filetrans_domain)
+    systemd_dontaudit_write_inherited_logind_sessions_pipes(domain)
+')
+
+optional_policy(`
+	sssd_filetrans_named_content(named_filetrans_domain)
+')
+
+optional_policy(`
+	tftp_filetrans_named_content(named_filetrans_domain)
+')
+
+optional_policy(`
+	userdom_user_home_dir_filetrans_user_home_content(named_filetrans_domain, { dir file lnk_file fifo_file sock_file })
+')
+
+optional_policy(`
+	ssh_filetrans_admin_home_content(named_filetrans_domain)
+	ssh_filetrans_keys(unconfined_domain_type)
+')
+
+optional_policy(`
+    userdom_filetrans_named_user_tmp_files(named_filetrans_domain)
+')
+
+optional_policy(`
+	virt_filetrans_named_content(named_filetrans_domain)
+')
+
+selinux_getattr_fs(domain)
+selinux_search_fs(domain)
+selinux_dontaudit_read_fs(domain)
+
+optional_policy(`
+	seutil_dontaudit_read_config(domain)
+')
+
+optional_policy(`
+	init_sigchld(domain)
+	init_signull(domain)
+	init_read_machineid(domain)
+')
+
+ifdef(`distro_redhat',`
+	files_search_mnt(domain)
+')
+
+# these seem questionable:
+
+optional_policy(`
+	abrt_domtrans_helper(domain)
+	abrt_read_pid_files(domain)
+	abrt_read_state(domain)
+	abrt_signull(domain)
+	abrt_append_cache(domain)
+	abrt_rw_fifo_file(domain)
+')
+
+optional_policy(`
+	sosreport_append_tmp_files(domain)
+')
+
+tunable_policy(`domain_fd_use',`
+	# Allow all domains to use fds past to them
+	allow domain domain:fd use;
+')
+
+optional_policy(`
+	cron_dontaudit_write_system_job_tmp_files(domain)
+	cron_rw_pipes(domain)
+	cron_rw_system_job_pipes(domain)
+')
+
+optional_policy(`
+	devicekit_dbus_chat_power(domain)
+')
+
+ifdef(`hide_broken_symptoms',`
+    dontaudit domain self:capability { net_admin };
+	dontaudit domain self:udp_socket listen;
+	allow domain domain:key { link search };
+	dontaudit domain domain:socket_class_set { read write };
+	dontaudit domain self:capability sys_module;
+')
+
+optional_policy(`
+	ipsec_match_default_spd(domain)
+')
+
+optional_policy(`
+	ifdef(`hide_broken_symptoms',`
+		afs_rw_udp_sockets(domain)
+	')
+')
+
+optional_policy(`
+    rolekit_dbus_chat(domain)
+')
+
+optional_policy(`
+	ssh_rw_pipes(domain)
+')
+
+optional_policy(`
+	unconfined_dontaudit_rw_pipes(domain)
+	unconfined_sigchld(domain)
+')
+
+# broken kernel
+dontaudit can_change_object_identity can_change_object_identity:key link;
+dontaudit domain self:file create;
+
+ifdef(`distro_redhat',`
+	optional_policy(`
+		unconfined_use_fds(domain)
+	')
+')
+
+# these seem questionable:
+
+optional_policy(`
+	puppet_rw_tmp(domain)
+')
+
+dontaudit domain domain:process { noatsecure siginh rlimitinh } ;
+
+optional_policy(`
+    rkhunter_append_lib_files(domain)
+')
+
+optional_policy(`
+	rpm_rw_script_inherited_pipes(domain)
+	rpm_use_fds(domain)
+	rpm_read_pipes(domain)
+	rpm_search_log(domain)
+	rpm_append_tmp_files(domain)
+	rpm_dontaudit_leaks(domain)
+	rpm_read_script_tmp_files(domain)
+	rpm_inherited_fifo(domain)
+	rpm_named_filetrans(named_filetrans_domain)
+')
+
+tunable_policy(`fips_mode',`
+	allow domain self:fifo_file manage_fifo_file_perms;
+	kernel_read_kernel_sysctls(domain)
+')
+
+optional_policy(`
+	tunable_policy(`fips_mode',`
+		prelink_exec(domain)
+	')
+')
+
+optional_policy(`
+    container_spc_stream_connect(domain)
+')
+
+optional_policy(`
+	unconfined_server_stream_connect(domain)
+')
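Review bot: `allow domain domain:key { link search }` at L10853 is an allow rule inside `ifdef(`hide_broken_symptoms'`, a block that otherwise only holds dontaudit rules, and it contradicts the comment at L10435-L10438 that keyrings default to no one being allowed to look at them; if the goal is only to silence denials it should be `dontaudit domain domain:key { link search };`, otherwise the earlier comment needs updating. The hunk also repeats `# these seem questionable:` (L10820, L10891) and `ifdef(`distro_redhat'` (L10816, L10885) as separate blocks that should be merged, and many optional_policy bodies use four-space indents (L10562, L10604, L10614-L10619, L10774, L10851 among others) where the file uses tabs. Widening `domain:file` from rw_file_perms to manage_file_perms (L10543) under the `# For /proc/pid` comment is unexplained; if create/unlink on /proc entries is really needed the comment should say why.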
diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
index b876c48ad..2e591a538 100644
--- a/policy/modules/kernel/files.fc
+++ b/policy/modules/kernel/files.fc
@@ -18,6 +18,7 @@ ifdef(`distro_redhat',`
 /fsckoptions 		--	gen_context(system_u:object_r:etc_runtime_t,s0)
 /halt			--	gen_context(system_u:object_r:etc_runtime_t,s0)
 /poweroff		--	gen_context(system_u:object_r:etc_runtime_t,s0)
+/[^/]+			--	gen_context(system_u:object_r:etc_runtime_t,s0)
 ')
 
 ifdef(`distro_suse',`
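Review bot: `/[^/]+ -- ... etc_runtime_t` labels every regular file directly under / as etc_runtime_t on Red Hat builds, which is far broader than the explicit entries above it and will silently relabel any stray file dropped into the root directory, including files that other modules' fc entries may intend to cover. If this is intentional, add a comment above it stating what it is for and how it interacts with entries for the same paths elsewhere; otherwise list the files explicitly as the preceding lines do.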
@@ -27,7 +28,7 @@ ifdef(`distro_suse',`
 #
 # /boot
 #
-/boot			-d	gen_context(system_u:object_r:boot_t,s0)
+/boot				gen_context(system_u:object_r:boot_t,s0)
 /boot/.*			gen_context(system_u:object_r:boot_t,s0)
 /boot/\.journal			<<none>>
 /boot/efi(/.*)?/System\.map(-.*)? -- gen_context(system_u:object_r:system_map_t,s0)
@@ -38,27 +39,36 @@ ifdef(`distro_suse',`
 #
 # /emul
 #
-/emul			-d	gen_context(system_u:object_r:usr_t,s0)
+/emul				gen_context(system_u:object_r:usr_t,s0)
 /emul/.*			gen_context(system_u:object_r:usr_t,s0)
 
 #
 # /etc
 #
-/etc			-d	gen_context(system_u:object_r:etc_t,s0)
+/etc				gen_context(system_u:object_r:etc_t,s0)
 /etc/.*				gen_context(system_u:object_r:etc_t,s0)
 /etc/\.fstab\.hal\..+	--	gen_context(system_u:object_r:etc_runtime_t,s0)
+/etc/\.updated		--	gen_context(system_u:object_r:etc_runtime_t,s0)
 /etc/blkid(/.*)?		gen_context(system_u:object_r:etc_runtime_t,s0)
 /etc/cmtab		--	gen_context(system_u:object_r:etc_runtime_t,s0)
 /etc/fstab\.REVOKE	--	gen_context(system_u:object_r:etc_runtime_t,s0)
 /etc/ioctl\.save	--	gen_context(system_u:object_r:etc_runtime_t,s0)
 /etc/killpower		--	gen_context(system_u:object_r:etc_runtime_t,s0)
-/etc/localtime		-l	gen_context(system_u:object_r:etc_t,s0)
-/etc/mtab		--	gen_context(system_u:object_r:etc_runtime_t,s0)
-/etc/mtab~[0-9]*	--	gen_context(system_u:object_r:etc_runtime_t,s0)
-/etc/mtab\.tmp		--	gen_context(system_u:object_r:etc_runtime_t,s0)
-/etc/mtab\.fuselock	--	gen_context(system_u:object_r:etc_runtime_t,s0)
+/etc/mtab.*		--	gen_context(system_u:object_r:etc_runtime_t,s0)
 /etc/nohotplug		--	gen_context(system_u:object_r:etc_runtime_t,s0)
 /etc/nologin.*		--	gen_context(system_u:object_r:etc_runtime_t,s0)
+/etc/securetty  	--  	gen_context(system_u:object_r:etc_runtime_t,s0)
+
+/etc/sysctl\.conf(\.old)?               --      gen_context(system_u:object_r:system_conf_t,s0)
+/etc/sysconfig/ebtables.*				--      gen_context(system_u:object_r:system_conf_t,s0)
+/etc/sysconfig/ip6?tables.*             --      gen_context(system_u:object_r:system_conf_t,s0)
+/etc/sysconfig/ipvsadm.*                --      gen_context(system_u:object_r:system_conf_t,s0)
+/etc/sysconfig/system-config-firewall.* --      gen_context(system_u:object_r:system_conf_t,s0)
+/etc/yum\.repos\.d(/.*)?                        gen_context(system_u:object_r:system_conf_t,s0)
+/etc/ostree/remotes.d(/.*)?                      gen_context(system_u:object_r:system_conf_t,s0)
+
+/ostree/repo(/.*)?                      gen_context(system_u:object_r:system_conf_t,s0)
+/ostree/deploy/rhel-atomic-host/deploy(/.*)?                      gen_context(system_u:object_r:system_conf_t,s0)
 
 /etc/cups/client\.conf	--	gen_context(system_u:object_r:etc_t,s0)
 
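Review bot: `/ostree/repo(/.*)?` and `/ostree/deploy/rhel-atomic-host/deploy(/.*)?` (system_conf_t) overlap with the `/ostree(/.*)?` usr_t entry added at L11114; both sets match the same paths, so which label wins depends on file_contexts match precedence and should be verified with `restorecon -nv` on an ostree system. The deploy entry also hard-codes the `rhel-atomic-host` OS name, so other ostree deployments fall through to usr_t; `/ostree/deploy/[^/]+/deploy(/.*)?` would cover them. L10983 separates fields with spaces instead of tabs, as does L11114; dropping the `/etc/localtime -l` entry leaves the symlink covered by `/etc/.*`, still etc_t, so no label change there.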
@@ -70,7 +80,10 @@ ifdef(`distro_suse',`
 
 /etc/sysconfig/hwconf	--	gen_context(system_u:object_r:etc_runtime_t,s0)
 /etc/sysconfig/iptables\.save -- gen_context(system_u:object_r:etc_runtime_t,s0)
-/etc/sysconfig/firstboot --	gen_context(system_u:object_r:etc_runtime_t,s0)
+
+/etc/xorg\.conf\.d/00-system-setup-keyboard\.conf --	gen_context(system_u:object_r:etc_runtime_t,s0)
+/etc/X11/xorg\.conf\.d/00-system-setup-keyboard\.conf --    gen_context(system_u:object_r:etc_runtime_t,s0)
+
 
 ifdef(`distro_gentoo', `
 /etc/profile\.env	--	gen_context(system_u:object_r:etc_runtime_t,s0)
@@ -78,10 +91,6 @@ ifdef(`distro_gentoo', `
 /etc/env\.d/.*		--	gen_context(system_u:object_r:etc_runtime_t,s0)
 ')
 
-ifdef(`distro_redhat',`
-/etc/rhgb(/.*)?		-d	gen_context(system_u:object_r:mnt_t,s0)
-')
-
 ifdef(`distro_suse',`
 /etc/defkeymap\.map	--	gen_context(system_u:object_r:etc_runtime_t,s0)
 /etc/rc\.d/init\.d/\.depend.* -- gen_context(system_u:object_r:etc_runtime_t,s0)
@@ -104,7 +113,7 @@ HOME_ROOT/lost\+found/.*	<<none>>
 /initrd			-d	gen_context(system_u:object_r:root_t,s0)
 
 #
-# /lib(64)?
+# /lib
 #
 /lib/modules(/.*)?		gen_context(system_u:object_r:modules_object_t,s0)
 
@@ -125,10 +134,13 @@ ifdef(`distro_debian',`
 #
 # Mount points; do not relabel subdirectories, since
 # we don't want to change any removable media by default.
-/media(/[^/]*)		-l	gen_context(system_u:object_r:mnt_t,s0)
+/media(/[^/]*)?		-l	gen_context(system_u:object_r:mnt_t,s0)
 /media(/[^/]*)?		-d	gen_context(system_u:object_r:mnt_t,s0)
 /media/[^/]*/.*			<<none>>
 /media/\.hal-.*		--	gen_context(system_u:object_r:mnt_t,s0)
+/var/run/media(/[^/]*)?	-d	gen_context(system_u:object_r:mnt_t,s0)
+/var/run/media/.*		<<none>>
+/var/\.updated		--	gen_context(system_u:object_r:etc_runtime_t,s0)
 
 #
 # /misc
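Review bot: `/var/\.updated` (L11041) is placed in the `/media` mount-point section although it has nothing to do with media; it belongs in the `/var` section (beginning at L11146) so that readers scanning by path find it. Style only; the context itself is fine.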
@@ -138,7 +150,7 @@ ifdef(`distro_debian',`
 #
 # /mnt
 #
-/mnt(/[^/]*)		-l	gen_context(system_u:object_r:mnt_t,s0)
+/mnt(/[^/]*)?		-l	gen_context(system_u:object_r:mnt_t,s0)
 /mnt(/[^/]*)?		-d	gen_context(system_u:object_r:mnt_t,s0)
 /mnt/[^/]*/.*			<<none>>
 
@@ -150,17 +162,22 @@ ifdef(`distro_debian',`
 #
 # /opt
 #
-/opt			-d	gen_context(system_u:object_r:usr_t,s0)
+/opt				gen_context(system_u:object_r:usr_t,s0)
 /opt/.*				gen_context(system_u:object_r:usr_t,s0)
 
-/opt/(.*/)?var/lib(64)?(/.*)?	gen_context(system_u:object_r:var_lib_t,s0)
+/opt/(.*/)?var/lib(/.*)?	gen_context(system_u:object_r:var_lib_t,s0)
 
 #
 # /proc
 #
-/proc			-d	<<none>>
 /proc/.*			<<none>>
 
+ifdef(`distro_redhat',`
+/rhev			-d	gen_context(system_u:object_r:mnt_t,s0)
+/rhev(/[^/]*)?		-d	gen_context(system_u:object_r:mnt_t,s0)
+/rhev/[^/]*/.*			gen_context(system_u:object_r:mnt_t,s0)
+')
+
 #
 # /run
 #
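Review bot: `/rhev/[^/]*/.*` labels everything below each /rhev mount as mnt_t, whereas the /media and /mnt sections use `<<none>>` for mount contents (L11037, L11052) precisely so that mounted media is not relabelled; if /rhev mounts need the opposite treatment a comment should say why. `/rhev -d` is subsumed by `/rhev(/[^/]*)? -d` on the next line and can be dropped. Removing `/proc -d <<none>>` leaves the /proc directory without an entry; presumably the proc genfscon covers it, but confirm a full relabel no longer touches it.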
@@ -169,6 +186,7 @@ ifdef(`distro_debian',`
 /run/.*\.*pid			<<none>>
 /run/lock(/.*)?			gen_context(system_u:object_r:var_lock_t,s0)
 
+/sandbox(/.*)?                  gen_context(system_u:object_r:tmp_t,s0)
 #
 # /selinux
 #
@@ -178,13 +196,14 @@ ifdef(`distro_debian',`
 #
 # /srv
 #
-/srv			-d	gen_context(system_u:object_r:var_t,s0)
+/srv				gen_context(system_u:object_r:var_t,s0)
 /srv/.*				gen_context(system_u:object_r:var_t,s0)
 
 #
 # /tmp
 #
-/tmp			-d	gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
+/tmp				gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
+/tmp-inst			gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
 /tmp/.*				<<none>>
 /tmp/\.journal			<<none>>
 
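Review bot: `/tmp-inst` matches only the directory itself; its children (presumably the polyinstantiation parent used by pam_namespace -- confirm) are not covered by `/tmp/.* <<none>>` at L11102, so they get whatever a default match yields instead of being left alone as /tmp contents are. If the intent mirrors /tmp, add `/tmp-inst/.*			<<none>>` beneath it.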
@@ -194,9 +213,11 @@ ifdef(`distro_debian',`
 #
 # /usr
 #
-/usr			-d	gen_context(system_u:object_r:usr_t,s0)
+/usr				gen_context(system_u:object_r:usr_t,s0)
 /usr/.*				gen_context(system_u:object_r:usr_t,s0)
 /usr/\.journal			<<none>>
+/export(/.*)?			gen_context(system_u:object_r:usr_t,s0)
+/ostree(/.*)?           gen_context(system_u:object_r:usr_t,s0)
 
 /usr/doc(/.*)?/lib(/.*)?	gen_context(system_u:object_r:usr_t,s0)
 
@@ -204,15 +225,9 @@ ifdef(`distro_debian',`
 
 /usr/inclu.e(/.*)?		gen_context(system_u:object_r:usr_t,s0)
 
-/usr/local/\.journal		<<none>>
-
-/usr/local/etc(/.*)?		gen_context(system_u:object_r:etc_t,s0)
-
-/usr/local/lost\+found	-d	gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
-/usr/local/lost\+found/.*	<<none>>
-
 /usr/lost\+found	-d	gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
 /usr/lost\+found/.*		<<none>>
+/usr/lib/modules(/.*)?		gen_context(system_u:object_r:modules_object_t,s0)
 
 /usr/share/doc(/.*)?/README.*	gen_context(system_u:object_r:usr_t,s0)
 
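Review bot: Dropping `/usr/local/etc(/.*)?` (etc_t), `/usr/local/lost\+found` and `/usr/local/\.journal` means those paths now fall under `/usr/.*` -> usr_t (L11111), which changes the label of any existing configuration files under /usr/local/etc; if /usr/local is handled by an equivalence rule elsewhere, a one-line comment here would stop the next reader from re-adding them. `/usr/lib/modules(/.*)?` is also inserted between the two `/usr/lost\+found` lines rather than next to `/lib/modules(/.*)?` (L11028), where it is easier to keep the two in sync.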
@@ -220,8 +235,6 @@ ifdef(`distro_debian',`
 /usr/tmp/.*			<<none>>
 
 ifndef(`distro_redhat',`
-/usr/local/src(/.*)?		gen_context(system_u:object_r:src_t,s0)
-
 /usr/src(/.*)?			gen_context(system_u:object_r:src_t,s0)
 /usr/src/kernels/.+/lib(/.*)?	gen_context(system_u:object_r:usr_t,s0)
 ')
@@ -229,19 +242,33 @@ ifndef(`distro_redhat',`
 #
 # /var
 #
-/var			-d	gen_context(system_u:object_r:var_t,s0)
+/var				gen_context(system_u:object_r:var_t,s0)
 /var/.*				gen_context(system_u:object_r:var_t,s0)
 /var/\.journal			<<none>>
 
-/var/db/.*\.db		--	gen_context(system_u:object_r:etc_t,s0)
+/var/db(/.*)?		gen_context(system_u:object_r:system_db_t,s0)
 
 /var/ftp/etc(/.*)?		gen_context(system_u:object_r:etc_t,s0)
 
+/var/named/chroot/etc(/.*)? 	gen_context(system_u:object_r:etc_t,s0)
+
 /var/lib(/.*)?			gen_context(system_u:object_r:var_lib_t,s0)
 
 /var/lib/nfs/rpc_pipefs(/.*)?	<<none>>
 
-/var/lock(/.*)?			gen_context(system_u:object_r:var_lock_t,s0)
+/var/lib/stickshift/.stickshift-proxy.d(/.*)?   gen_context(system_u:object_r:etc_t,s0)
+/var/lib/stickshift/.limits.d(/.*)?        gen_context(system_u:object_r:etc_t,s0)
+
+/var/lib/openshift/.openshift-proxy.d(/.*)?   gen_context(system_u:object_r:etc_t,s0)
+/var/lib/openshift/.stickshift-proxy.d(/.*)?   gen_context(system_u:object_r:etc_t,s0)
+/var/lib/openshift/.limits.d(/.*)?        gen_context(system_u:object_r:etc_t,s0)
+
+/var/lib/servicelog/servicelog\.db    --  gen_context(system_u:object_r:system_db_t,s0)
+/var/lib/servicelog/servicelog\.db-journal  --  gen_context(system_u:object_r:system_db_t,s0)
+
+/var/lock			-d	gen_context(system_u:object_r:var_lock_t,s0)
+/var/lock			-l	gen_context(system_u:object_r:var_lock_t,s0)
+/var/lock/.*			<<none>>
 
 /var/log/lost\+found	-d	gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
 /var/log/lost\+found/.*		<<none>>
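Review bot: The regexes in the five `/var/lib/stickshift/...` and `/var/lib/openshift/...` entries leave the dots in `.stickshift-proxy.d`, `.openshift-proxy.d` and `.limits.d` unescaped, so `.` matches any character; every other entry in this file escapes literal dots (`/tmp/\.journal`, `servicelog\.db`). They should read, for example, `/var/lib/openshift/\.openshift-proxy\.d(/.*)?\tgen_context(system_u:object_r:etc_t,s0)`, with the other four changed the same way; these lines also use spaces instead of tabs, and `/var/named/chroot/etc(/.*)? ` has a trailing space before its tab. Relabelling the whole of `/var/db(/.*)?` to `system_db_t` (previously only `*.db` files were `etc_t`) depends on that type being declared in files.te, which is outside this diff.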
@@ -256,12 +283,14 @@ ifndef(`distro_redhat',`
 /var/run		-l	gen_context(system_u:object_r:var_run_t,s0)
 /var/run/.*			gen_context(system_u:object_r:var_run_t,s0)
 /var/run/.*\.*pid		<<none>>
+/var/run/lock/.*		<<none>>
 
 /var/spool(/.*)?		gen_context(system_u:object_r:var_spool_t,s0)
 /var/spool/postfix/etc(/.*)?	gen_context(system_u:object_r:etc_t,s0)
 
 /var/tmp		-d	gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
 /var/tmp		-l	gen_context(system_u:object_r:tmp_t,s0)
+/var/tmp-inst		-d	gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
 /var/tmp/.*			<<none>>
 /var/tmp/lost\+found	-d	gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
 /var/tmp/lost\+found/.*		<<none>>
@@ -271,3 +300,7 @@ ifdef(`distro_debian',`
 /var/run/motd		--	gen_context(system_u:object_r:initrc_var_run_t,s0)
 /var/run/motd\.dynamic	--	gen_context(system_u:object_r:initrc_var_run_t,s0)
 ')
+/nsr(/.*)?			gen_context(system_u:object_r:var_t,s0)
+/nsr/logs(/.*)?			gen_context(system_u:object_r:var_log_t,s0)
+
+/sysroot/ostree/deploy/.*-atomic/deploy(/.*)?           gen_context(system_u:object_r:root_t,s0)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index f962f76ad..89f0b1244 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -19,6 +19,136 @@
 ##	Comains the file initial SID.
 ## </required>
 
+#####################################
+## <summary>
+##  files stub etc_t interface.  No access allowed.
+## </summary>
+## <param name="domain" unused="true">
+##  <summary>
+##  Domain allowed access
+##  </summary>
+## </param>
+#
+interface(`files_stub_etc',`
+    gen_require(`
+        type etc_t;
+    ')
+')
+
+#####################################
+## <summary>
+##  files stub var_lock_t interface.  No access allowed.
+## </summary>
+## <param name="domain" unused="true">
+##  <summary>
+##  Domain allowed access
+##  </summary>
+## </param>
+#
+interface(`files_stub_var_lock',`
+    gen_require(`
+        type var_lock_t;
+    ')
+')
+
+#####################################
+## <summary>
+##  files stub var_log_t interface.  No access allowed.
+## </summary>
+## <param name="domain" unused="true">
+##  <summary>
+##  Domain allowed access
+##  </summary>
+## </param>
+#
+interface(`files_stub_var_log',`
+    gen_require(`
+        type var_log_t;
+    ')
+')
+
+#####################################
+## <summary>
+##  files stub var_lib_t interface.  No access allowed.
+## </summary>
+## <param name="domain" unused="true">
+##  <summary>
+##  Domain allowed access
+##  </summary>
+## </param>
+#
+interface(`files_stub_var_lib',`
+    gen_require(`
+        type var_lib_t;
+    ')
+')
+
+#####################################
+## <summary>
+##  files stub var_run_t interface.  No access allowed.
+## </summary>
+## <param name="domain" unused="true">
+##  <summary>
+##  Domain allowed access
+##  </summary>
+## </param>
+#
+interface(`files_stub_var_run',`
+    gen_require(`
+        type var_run_t;
+    ')
+')
+
+#####################################
+## <summary>
+##  files stub var_run_t interface.  No access allowed.
+## </summary>
+## <param name="domain" unused="true">
+##  <summary>
+##  Domain allowed access
+##  </summary>
+## </param>
+#
+interface(`files_stub_var_spool',`
+    gen_require(`
+        type var_spool_t;
+    ')
+')
+
+#####################################
+## <summary>
+##  files stub var_run_t interface.  No access allowed.
+## </summary>
+## <param name="domain" unused="true">
+##  <summary>
+##  Domain allowed access
+##  </summary>
+## </param>
+#
+interface(`files_stub_var',`
+    gen_require(`
+        type var_t;
+    ')
+')
+
+
+#####################################
+## <summary>
+##  files stub tmp_t interface.  No access allowed.
+## </summary>
+## <param name="domain" unused="true">
+##  <summary>
+##  Domain allowed access
+##  </summary>
+## </param>
+#
+interface(`files_stub_tmp',`
+    gen_require(`
+        type tmp_t;
+    ')
+')
+
+
 ########################################
 ## <summary>
 ##	Make the specified type usable for files
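Review bot: The summaries of `files_stub_var_spool` and `files_stub_var` both say `files stub var_run_t interface`, copied from the `files_stub_var_run` block above them; they should read `files stub var_spool_t interface.  No access allowed.` and `files stub var_t interface.  No access allowed.` respectively. The eight stub interfaces are indented with four spaces while the rest of files.if uses tabs, and there are two blank lines before and after `files_stub_tmp` where one is the file's convention.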
@@ -55,6 +185,7 @@
 ##		<li>files_pid_file()</li>
 ##		<li>files_security_file()</li>
 ##		<li>files_security_mountpoint()</li>
+##		<li>files_spool_file()</li>
 ##		<li>files_tmp_file()</li>
 ##		<li>files_tmpfs_file()</li>
 ##		<li>logging_log_file()</li>
@@ -125,44 +256,59 @@ interface(`files_security_file',`
 	typeattribute $1 file_type, security_file_type, non_auth_file_type;
 ')
 
+
 ########################################
 ## <summary>
 ##	Make the specified type usable for
-##	lock files.
+##	filesystem mount points.
 ## </summary>
 ## <param name="type">
 ##	<summary>
-##	Type to be used for lock files.
+##	Type to be used for mount points.
 ##	</summary>
 ## </param>
 #
-interface(`files_lock_file',`
+interface(`files_mountpoint',`
 	gen_require(`
-		attribute lockfile;
+		attribute mountpoint;
 	')
 
 	files_type($1)
-	typeattribute $1 lockfile;
+	typeattribute $1 mountpoint;
 ')
 
 ########################################
 ## <summary>
-##	Make the specified type usable for
-##	filesystem mount points.
+##	Create a private type object in mountpoint dir
+##	with an automatic type transition
 ## </summary>
-## <param name="type">
+## <param name="domain">
 ##	<summary>
-##	Type to be used for mount points.
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="private_type">
+##	<summary>
+##	The type of the object to be created.
+##	</summary>
+## </param>
+## <param name="object_class">
+##	<summary>
+##	The object class of the object being created.
+##	</summary>
+## </param>
+## <param name="name" optional="true">
+##	<summary>
+##	The name of the object being created.
 ##	</summary>
 ## </param>
 #
-interface(`files_mountpoint',`
+interface(`files_mountpoint_filetrans',`
 	gen_require(`
 		attribute mountpoint;
 	')
 
-	files_type($1)
-	typeattribute $1 mountpoint;
+	filetrans_pattern($1, mountpoint, $2, $3, $4)
 ')
 
 ########################################
@@ -185,6 +331,26 @@ interface(`files_security_mountpoint',`
 	typeattribute $1 mountpoint;
 ')
 
+########################################
+## <summary>
+##	Make the specified type usable for
+##	lock files.
+## </summary>
+## <param name="type">
+##	<summary>
+##	Type to be used for lock files.
+##	</summary>
+## </param>
+#
+interface(`files_lock_file',`
+	gen_require(`
+		attribute lockfile;
+	')
+
+	files_type($1)
+	typeattribute $1 lockfile;
+')
+
 ########################################
 ## <summary>
 ##	Make the specified type usable for
@@ -521,7 +687,7 @@ interface(`files_mounton_non_security',`
 		attribute non_security_file_type;
 	')
 
-	allow $1 non_security_file_type:dir mounton;
+	allow $1 non_security_file_type:dir { write setattr mounton };
 	allow $1 non_security_file_type:file mounton;
 ')
 
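Review bot: `files_mounton_non_security` now grants `{ write setattr mounton }` on every `non_security_file_type` directory, but its name (and its summary, which is above this hunk) promise only `mounton`, so every existing caller silently gains write and setattr on all non-security directories. If a mount helper genuinely needs to create or chmod the mount point, `files_write_non_security_dirs` (context in the next hunk) and the new `files_setattr_non_security_dirs` express that explicitly; otherwise keep `allow $1 non_security_file_type:dir mounton;` and let callers opt in. The interface's header is outside the hunk.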
@@ -543,6 +709,24 @@ interface(`files_write_non_security_dirs',`
 	allow $1 non_security_file_type:dir write;
 ')
 
+########################################
+## <summary>
+##	Allow attempts to setattr any directory
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_setattr_non_security_dirs',`
+	gen_require(`
+		attribute non_security_file_type;
+	')
+
+	allow $1 non_security_file_type:dir { read setattr };
+')
+
 ########################################
 ## <summary>
 ##	Allow attempts to manage non-security directories
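Review bot: `files_setattr_non_security_dirs` grants `{ read setattr }` although its summary says only `Allow attempts to setattr any directory`; either drop `read` (`allow $1 non_security_file_type:dir setattr;`) or document why a listing permission is bundled with an attribute change. The summary should also say `non-security` rather than `any` directory, since the rule is scoped to `non_security_file_type`.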
@@ -580,6 +764,42 @@ interface(`files_getattr_all_files',`
 	getattr_lnk_files_pattern($1, file_type, file_type)
 ')
 
+########################################
+## <summary>
+##	Get the attributes of all chr files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_getattr_all_chr_files',`
+	gen_require(`
+		attribute file_type;
+	')
+
+	getattr_chr_files_pattern($1, file_type, file_type)
+')
+
+########################################
+## <summary>
+##	Get the attributes of all blk files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_getattr_all_blk_files',`
+	gen_require(`
+		attribute file_type;
+	')
+
+	getattr_blk_files_pattern($1, file_type, file_type)
+')
+
 ########################################
 ## <summary>
 ##	Do not audit attempts to get the attributes
@@ -618,6 +838,63 @@ interface(`files_dontaudit_getattr_non_security_files',`
 	dontaudit $1 non_security_file_type:file getattr;
 ')
 
+########################################
+## <summary>
+##	Do not audit attempts to search
+##	non security dirs.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`files_dontaudit_search_non_security_dirs',`
+	gen_require(`
+		attribute non_security_file_type;
+	')
+
+	dontaudit $1 non_security_file_type:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to set the attributes
+##	of non security files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`files_dontaudit_setattr_non_security_files',`
+	gen_require(`
+		attribute non_security_file_type;
+	')
+
+	dontaudit $1 non_security_file_type:file setattr;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to set the attributes
+##	of non security directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`files_dontaudit_setattr_non_security_dirs',`
+	gen_require(`
+		attribute non_security_file_type;
+	')
+
+	dontaudit $1 non_security_file_type:dir setattr;
+')
+
 ########################################
 ## <summary>
 ##	Read all files.
@@ -683,88 +960,83 @@ interface(`files_read_non_security_files',`
 		attribute non_security_file_type;
 	')
 
+	list_dirs_pattern($1, non_security_file_type, non_security_file_type)
 	read_files_pattern($1, non_security_file_type, non_security_file_type)
 	read_lnk_files_pattern($1, non_security_file_type, non_security_file_type)
 ')
 
 ########################################
 ## <summary>
-##	Read all directories on the filesystem, except
-##	the listed exceptions.
+##	Read/Write all inherited non-security files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <param name="exception_types" optional="true">
-##	<summary>
-##	The types to be excluded.  Each type or attribute
-##	must be negated by the caller.
-##	</summary>
-## </param>
+## <rolecap/>
 #
-interface(`files_read_all_dirs_except',`
+interface(`files_rw_inherited_non_security_files',`
 	gen_require(`
-		attribute file_type;
+		attribute non_security_file_type;
 	')
 
-	allow $1 { file_type $2 }:dir list_dir_perms;
+	allow $1 non_security_file_type:file { read write };
 ')
 
 ########################################
 ## <summary>
-##	Read all files on the filesystem, except
-##	the listed exceptions.
+##	Manage all non-security files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <param name="exception_types" optional="true">
-##	<summary>
-##	The types to be excluded.  Each type or attribute
-##	must be negated by the caller.
-##	</summary>
-## </param>
+## <rolecap/>
 #
-interface(`files_read_all_files_except',`
+interface(`files_manage_non_security_files',`
 	gen_require(`
-		attribute file_type;
+		attribute non_security_file_type;
 	')
 
-	read_files_pattern($1, { file_type $2 }, { file_type $2 })
+	manage_files_pattern($1, non_security_file_type, non_security_file_type)
+	manage_lnk_files_pattern($1, non_security_file_type, non_security_file_type)
 ')
 
 ########################################
 ## <summary>
-##	Read all symbolic links on the filesystem, except
-##	the listed exceptions.
+##	Relabel all non-security files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <param name="exception_types" optional="true">
-##	<summary>
-##	The types to be excluded.  Each type or attribute
-##	must be negated by the caller.
-##	</summary>
-## </param>
+## <rolecap/>
 #
-interface(`files_read_all_symlinks_except',`
+interface(`files_relabel_non_security_files',`
 	gen_require(`
-		attribute file_type;
+		attribute non_security_file_type;
 	')
 
-	read_lnk_files_pattern($1, { file_type $2 }, { file_type $2 })
+	relabel_files_pattern($1, non_security_file_type, non_security_file_type)
+	allow $1 { non_security_file_type }:dir list_dir_perms;
+	relabel_dirs_pattern($1, { non_security_file_type }, { non_security_file_type })
+	relabel_files_pattern($1, { non_security_file_type }, { non_security_file_type })
+	relabel_lnk_files_pattern($1, { non_security_file_type }, { non_security_file_type })
+	relabel_fifo_files_pattern($1, { non_security_file_type }, { non_security_file_type })
+	relabel_sock_files_pattern($1, { non_security_file_type }, { non_security_file_type })
+	relabel_blk_files_pattern($1, { non_security_file_type }, { non_security_file_type })
+	relabel_chr_files_pattern($1, { non_security_file_type }, { non_security_file_type })
+
+	# satisfy the assertions:
+	seutil_relabelto_bin_policy($1)
 ')
 
 ########################################
 ## <summary>
-##	Get the attributes of all symbolic links.
+##	Search all base file dirs.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
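Review bot: In `files_relabel_non_security_files` the `relabel_files_pattern($1, non_security_file_type, non_security_file_type)` call is repeated by the braced form four lines later, so the first one can be dropped; the braces around a single attribute are unnecessary throughout the block. `files_read_non_security_files` gains `list_dirs_pattern`, which widens what every existing caller can do; its summary is above this hunk and should mention directory listing if the widening is intended. The interfaces removed here (`files_read_all_dirs_except` and siblings) are re-added in the `@@ -772,40 +1044,158 @@` hunk, so this is a move rather than a removal.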
@@ -772,40 +1044,158 @@ interface(`files_read_all_symlinks_except',`
 ##	</summary>
 ## </param>
 #
-interface(`files_getattr_all_symlinks',`
+interface(`files_search_base_file_types',`
 	gen_require(`
-		attribute file_type;
+		attribute base_file_type;
 	')
 
-	getattr_lnk_files_pattern($1, file_type, file_type)
+	allow $1 base_file_type:dir search_dir_perms;
 ')
 
 ########################################
 ## <summary>
-##	Do not audit attempts to get the attributes
-##	of all symbolic links.
+##	Relabel all base file types.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain to not audit.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
-interface(`files_dontaudit_getattr_all_symlinks',`
+interface(`files_relabel_base_file_types',`
 	gen_require(`
-		attribute file_type;
+		attribute base_file_type;
 	')
 
-	dontaudit $1 file_type:lnk_file getattr;
+	allow $1 base_file_type:dir list_dir_perms;
+	relabel_dirs_pattern($1, base_file_type , base_file_type )
+	relabel_files_pattern($1, base_file_type , base_file_type )
+	relabel_lnk_files_pattern($1, base_file_type , base_file_type )
+	relabel_fifo_files_pattern($1, base_file_type , base_file_type )
+	relabel_sock_files_pattern($1, base_file_type , base_file_type )
+	relabel_blk_files_pattern($1, base_file_type , base_file_type )
+	relabel_chr_files_pattern($1, base_file_type , base_file_type )
 ')
 
 ########################################
 ## <summary>
-##	Do not audit attempts to read all symbolic links.
+##	Read all directories on the filesystem, except
+##	the listed exceptions.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain to not audit.
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="exception_types" optional="true">
+##	<summary>
+##	The types to be excluded.  Each type or attribute
+##	must be negated by the caller.
+##	</summary>
+## </param>
+#
+interface(`files_read_all_dirs_except',`
+	gen_require(`
+		attribute file_type;
+	')
+
+	allow $1 { file_type $2 }:dir list_dir_perms;
+')
+
+########################################
+## <summary>
+##	Read all files on the filesystem, except
+##	the listed exceptions.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="exception_types" optional="true">
+##	<summary>
+##	The types to be excluded.  Each type or attribute
+##	must be negated by the caller.
+##	</summary>
+## </param>
+#
+interface(`files_read_all_files_except',`
+	gen_require(`
+		attribute file_type;
+	')
+
+	read_files_pattern($1, { file_type $2 }, { file_type $2 })
+')
+
+########################################
+## <summary>
+##	Read all symbolic links on the filesystem, except
+##	the listed exceptions.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="exception_types" optional="true">
+##	<summary>
+##	The types to be excluded.  Each type or attribute
+##	must be negated by the caller.
+##	</summary>
+## </param>
+#
+interface(`files_read_all_symlinks_except',`
+	gen_require(`
+		attribute file_type;
+	')
+
+	read_lnk_files_pattern($1, { file_type $2 }, { file_type $2 })
+')
+
+########################################
+## <summary>
+##	Get the attributes of all symbolic links.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_getattr_all_symlinks',`
+	gen_require(`
+		attribute file_type;
+	')
+
+	getattr_lnk_files_pattern($1, file_type, file_type)
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to get the attributes
+##	of all symbolic links.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`files_dontaudit_getattr_all_symlinks',`
+	gen_require(`
+		attribute file_type;
+	')
+
+	dontaudit $1 file_type:lnk_file getattr;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to read all symbolic links.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
 ##	</summary>
 ## </param>
 #
@@ -951,6 +1341,25 @@ interface(`files_dontaudit_getattr_non_security_pipes',`
 	dontaudit $1 non_security_file_type:fifo_file getattr;
 ')
 
+########################################
+## <summary>
+##	Do not audit attempts to read/write
+##	of non security named pipes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`files_dontaudit_rw_inherited_pipes',`
+	gen_require(`
+		attribute non_security_file_type;
+	')
+
+	dontaudit $1 non_security_file_type:fifo_file rw_inherited_fifo_file_perms;
+')
+
 ########################################
 ## <summary>
 ##	Get the attributes of all named sockets.
@@ -989,6 +1398,44 @@ interface(`files_dontaudit_getattr_all_sockets',`
 	dontaudit $1 file_type:sock_file getattr;
 ')
 
+########################################
+## <summary>
+##	Do not audit attempts to read
+##	of all named sockets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`files_dontaudit_read_all_sockets',`
+	gen_require(`
+		attribute file_type;
+	')
+
+	dontaudit $1 file_type:sock_file read;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to read
+##	of all security file types.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`files_dontaudit_read_all_non_security_files',`
+	gen_require(`
+		attribute non_security_file_type;
+	')
+
+	dontaudit $1 non_security_file_type:file read_file_perms;
+')
+
 ########################################
 ## <summary>
 ##	Do not audit attempts to get the attributes
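Review bot: The summary of `files_dontaudit_read_all_non_security_files` says `of all security file types`, but the rule is on `non_security_file_type`; it should read `Do not audit attempts to read all non-security files.` Also, `read_file_perms` covers more than the single `read` permission (depending on the macro definition, getattr/open/ioctl and so on), so the summary might say `read (open/getattr)` if the wider dontaudit is intended.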
@@ -1073,13 +1520,12 @@ interface(`files_relabel_all_files',`
 	relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 })
 	relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 })
 	relabel_sock_files_pattern($1, { file_type $2 }, { file_type $2 })
-	# this is only relabelfrom since there should be no
-	# device nodes with file types.
-	relabelfrom_blk_files_pattern($1, { file_type $2 }, { file_type $2 })
-	relabelfrom_chr_files_pattern($1, { file_type $2 }, { file_type $2 })
+	relabel_blk_files_pattern($1, { file_type $2 }, { file_type $2 })
+	relabel_chr_files_pattern($1, { file_type $2 }, { file_type $2 })
 
 	# satisfy the assertions:
 	seutil_relabelto_bin_policy($1)
+    auth_relabelto_shadow($1)
 ')
 
 ########################################
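Review bot: The new `auth_relabelto_shadow($1)` in `files_relabel_all_files` is indented with four spaces while the surrounding lines use a tab, and the same applies to the `auth_reader_shadow`/`auth_writer_shadow` lines added to `files_manage_all_files` in the next hunk. More importantly, these calls sit under `# satisfy the assertions:`, which explains what triggers them but not the consequence: every caller of these two interfaces can now relabel files to `shadow_t`, or read and write it, so the interfaces' summaries (above the hunk) should state that explicitly. The removed comment about device nodes was the only rationale for the `relabelfrom`-only rules; switching to `relabel_blk_files_pattern`/`relabel_chr_files_pattern` deserves a replacement comment saying which file-typed device nodes now need `relabelto`.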
@@ -1140,6 +1586,8 @@ interface(`files_manage_all_files',`
 	# satisfy the assertions:
 	seutil_create_bin_policy($1)
 	files_manage_kernel_modules($1)
+    auth_reader_shadow($1)
+    auth_writer_shadow($1)
 ')
 
 ########################################
@@ -1180,24 +1628,6 @@ interface(`files_list_all',`
 	allow $1 file_type:dir list_dir_perms;
 ')
 
-########################################
-## <summary>
-##	Create all files as is.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`files_create_all_files_as',`
-	gen_require(`
-		attribute file_type;
-	')
-
-	allow $1 file_type:kernel_service create_files_as;
-')
-
 ########################################
 ## <summary>
 ##	Do not audit attempts to search the
@@ -1444,8 +1874,8 @@ interface(`files_relabel_non_auth_files',`
 	relabelfrom_blk_files_pattern($1, non_auth_file_type, non_auth_file_type)
 	relabelfrom_chr_files_pattern($1, non_auth_file_type, non_auth_file_type)
 
-	# satisfy the assertions:
-	seutil_relabelto_bin_policy($1)
+    # satisfy the assertions:
+    seutil_relabelto_bin_policy($1)
 ')
 
 #############################################
@@ -1599,6 +2029,24 @@ interface(`files_setattr_all_mountpoints',`
 	allow $1 mountpoint:dir setattr;
 ')
 
+########################################
+## <summary>
+##	Set the attributes of all mount points.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_relabelto_all_mountpoints',`
+	gen_require(`
+		attribute mountpoint;
+	')
+
+	allow $1 mountpoint:dir relabelto;
+')
+
 ########################################
 ## <summary>
 ##	Do not audit attempts to set the attributes on all mount points.
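Review bot: The summary of `files_relabelto_all_mountpoints` says `Set the attributes of all mount points.`, copied from `files_setattr_all_mountpoints` above; it should read `Relabel to all mount point directories.` so the generated documentation matches the `relabelto` permission actually granted.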
@@ -1689,6 +2137,24 @@ interface(`files_dontaudit_list_all_mountpoints',`
 	dontaudit $1 mountpoint:dir list_dir_perms;
 ')
 
+########################################
+## <summary>
+##	Write all mount points.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_write_all_mountpoints',`
+    gen_require(`
+        attribute mountpoint;
+    ')
+
+	allow $1 mountpoint:dir write;
+')
+
 ########################################
 ## <summary>
 ##	Do not audit attempts to write to mount points.
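Review bot: `files_write_all_mountpoints` mixes indentation: the `gen_require` block uses four spaces while the `allow` line uses a tab. Indent the whole body with tabs as the surrounding interfaces do.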
@@ -1703,104 +2169,233 @@ interface(`files_dontaudit_write_all_mountpoints',`
 	gen_require(`
 		attribute mountpoint;
 	')
+    dontaudit $1 self:capability  { dac_read_search dac_override };
 
 	dontaudit $1 mountpoint:dir write;
 ')
 
 ########################################
 ## <summary>
-##	List the contents of the root directory.
+##	Do not audit attempts to unmount all mount points.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed access.
+##	Domain to not audit.
 ##	</summary>
 ## </param>
 #
-interface(`files_list_root',`
+interface(`files_dontaudit_unmount_all_mountpoints',`
 	gen_require(`
-		type root_t;
+		attribute mountpoint;
 	')
 
-	allow $1 root_t:dir list_dir_perms;
-	allow $1 root_t:lnk_file { read_lnk_file_perms ioctl lock };
+	dontaudit $1 mountpoint:filesystem unmount;
 ')
 
 ########################################
 ## <summary>
-##	Do not audit attempts to write to / dirs.
+##	Read  all mountpoint symbolic links.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain to not audit.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
-interface(`files_dontaudit_write_root_dirs',`
+interface(`files_read_all_mountpoint_symlinks',`
 	gen_require(`
-		type root_t;
+		attribute mountpoint;
 	')
 
-	dontaudit $1 root_t:dir write;
+    allow $1 mountpoint:lnk_file read_lnk_file_perms;
 ')
 
-###################
+
+########################################
 ## <summary>
-##	Do not audit attempts to write
-##	files in the root directory.
+##	Make all mountpoint as entrypoint.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain to not audit.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
-interface(`files_dontaudit_rw_root_dir',`
+interface(`files_entrypoint_all_mountpoint',`
 	gen_require(`
-		type root_t;
+		attribute mountpoint;
 	')
 
-	dontaudit $1 root_t:dir rw_dir_perms;
+    allow $1 mountpoint:file entrypoint;
 ')
 
 ########################################
 ## <summary>
-##	Create an object in the root directory, with a private
-##	type using a type transition.
+##	Remove all file type directories.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <param name="private type">
-##	<summary>
-##	The type of the object to be created.
-##	</summary>
-## </param>
-## <param name="object">
-##	<summary>
-##	The object class of the object being created.
-##	</summary>
-## </param>
-## <param name="name" optional="true">
-##	<summary>
-##	The name of the object being created.
-##	</summary>
-## </param>
 #
-interface(`files_root_filetrans',`
+interface(`files_rmdir_all_dirs',`
 	gen_require(`
-		type root_t;
+		attribute file_type;
 	')
 
-	filetrans_pattern($1, root_t, $2, $3, $4)
+	allow $1 file_type:dir rmdir;
 ')
 
 ########################################
 ## <summary>
-##	Do not audit attempts to read files in
-##	the root directory.
+##	Write all file type directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_write_all_dirs',`
+	gen_require(`
+		attribute file_type;
+	')
+
+	allow $1 file_type:dir write;
+')
+
+########################################
+## <summary>
+##	List the contents of the root directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_list_root',`
+	gen_require(`
+		type root_t;
+	')
+
+	allow $1 root_t:dir list_dir_perms;
+	allow $1 root_t:lnk_file { read_lnk_file_perms ioctl lock };
+')
+########################################
+## <summary>
+##	Do not audit attempts to write to / dirs.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`files_write_root_dirs',`
+	gen_require(`
+		type root_t;
+	')
+
+	allow $1 root_t:dir write;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to write to / dirs.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`files_dontaudit_write_root_dirs',`
+	gen_require(`
+		type root_t;
+	')
+
+	dontaudit $1 root_t:dir write;
+')
+
+###################
+## <summary>
+##	Do not audit attempts to write
+##	files in the root directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`files_dontaudit_rw_root_dir',`
+	gen_require(`
+		type root_t;
+	')
+
+	dontaudit $1 root_t:dir rw_dir_perms;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to check the 
+##	access on root directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`files_dontaudit_access_check_root',`
+	gen_require(`
+		type root_t;
+	')
+
+	dontaudit $1 root_t:dir_file_class_set audit_access;
+')
+
+
+########################################
+## <summary>
+##	Create an object in the root directory, with a private
+##	type using a type transition.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="private type">
+##	<summary>
+##	The type of the object to be created.
+##	</summary>
+## </param>
+## <param name="object">
+##	<summary>
+##	The object class of the object being created.
+##	</summary>
+## </param>
+## <param name="name" optional="true">
+##	<summary>
+##	The name of the object being created.
+##	</summary>
+## </param>
+#
+interface(`files_root_filetrans',`
+	gen_require(`
+		type root_t;
+	')
+
+	filetrans_pattern($1, root_t, $2, $3, $4)
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to read files in
+##	the root directory.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
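Review bot: The `dontaudit $1 self:capability  { dac_read_search dac_override };` line added to `files_dontaudit_write_all_mountpoints` has nothing to do with mount points: it suppresses denials of the DAC-override capabilities for every caller, which hides exactly the events an auditor looks at when a service starts writing where it should not. Move it into a dedicated dontaudit interface, or into the callers that need it, and keep this interface to `mountpoint:dir write`; the line also uses spaces and a double space before the brace. Further down, `files_write_root_dirs` carries the summary `Do not audit attempts to write to / dirs.` and parameter text `Domain to not audit.` copied from the dontaudit variant below it, although it is an `allow`; it should read `Write to the root (/) directory.` with `Domain allowed access.`. `files_entrypoint_all_mountpoint` allows `entrypoint` on any file labelled with a mountpoint type, which is a broad grant for domain transitions and deserves a comment naming the use case.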
@@ -1892,25 +2487,25 @@ interface(`files_delete_root_dir_entry',`
 
 ########################################
 ## <summary>
-##	Associate to root file system.
+##	Set attributes of the root directory.
 ## </summary>
-## <param name="file_type">
+## <param name="domain">
 ##	<summary>
-##	Type of the file to associate.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
-interface(`files_associate_rootfs',`
+interface(`files_setattr_root_dirs',`
 	gen_require(`
 		type root_t;
 	')
 
-	allow $1 root_t:filesystem associate;
+	allow $1 root_t:dir setattr_dir_perms;
 ')
 
 ########################################
 ## <summary>
-##	Relabel to and from rootfs file system.
+##	Relabel a rootfs filesystem.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -1923,7 +2518,7 @@ interface(`files_relabel_rootfs',`
 		type root_t;
 	')
 
-	allow $1 root_t:filesystem { relabelto relabelfrom };
+	allow $1 root_t:filesystem relabel_file_perms;
 ')
 
 ########################################
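Review bot: `relabel_file_perms` is a file-class permission set applied to the `filesystem` class in `files_relabel_rootfs`; it works only as long as the macro expands to permissions that the `filesystem` class also defines, which holds for `{ relabelfrom relabelto }` but is not guaranteed if the macro ever grows. Spelling the two permissions out, as the replaced line did, or adding `# relabel_file_perms is used for its relabelfrom/relabelto pair only` keeps the intent clear.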
@@ -1944,6 +2539,42 @@ interface(`files_unmount_rootfs',`
 	allow $1 root_t:filesystem unmount;
 ')
 
+########################################
+## <summary>
+##	Mount a filesystem on the root file system
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_mounton_rootfs',`
+	gen_require(`
+		type root_t;
+	')
+
+	allow $1 root_t:dir { search_dir_perms mounton };
+')
+
+########################################
+## <summary>
+##	Mount a filesystem on the root file system
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_dontaudit_mounton_rootfs',`
+	gen_require(`
+		type root_t;
+	')
+
+	dontaudit $1 root_t:dir mounton;
+')
+
 ########################################
 ## <summary>
 ##	Get attributes of the /boot directory.
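Review bot: `files_dontaudit_mounton_rootfs` has the summary `Mount a filesystem on the root file system` and parameter text `Domain allowed access.` copied from `files_mounton_rootfs` directly above; for a `dontaudit` rule they should read `Do not audit attempts to mount a filesystem on the root directory.` and `Domain to not audit.`. Both summaries also say "file system" while the rules target `root_t:dir`, i.e. the `/` directory rather than the filesystem object.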
@@ -2181,6 +2812,24 @@ interface(`files_relabelfrom_boot_files',`
 	relabelfrom_files_pattern($1, boot_t, boot_t)
 ')
 
+########################################
+## <summary>
+##	Relabel to files in the /boot directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_relabelto_boot_files',`
+	gen_require(`
+		type boot_t;
+	')
+
+	relabelto_files_pattern($1, boot_t, boot_t)
+')
+
 ######################################
 ## <summary>
 ##	Read symbolic links in the /boot directory.
@@ -2555,6 +3204,24 @@ interface(`files_read_default_pipes',`
 	allow $1 default_t:fifo_file read_fifo_file_perms;
 ')
 
+########################################
+## <summary>
+##	Mounton directories on filesystem /etc.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_mounton_etc',`
+	gen_require(`
+		type etc_t;
+	')
+
+	allow $1 etc_t:dir mounton;
+')
+
 ########################################
 ## <summary>
 ##	Search the contents of /etc directories.
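Review bot: `files_mounton_etc` grants only `mounton` on `etc_t:dir`, whereas `files_mounton_rootfs` added earlier in this patch grants `{ search_dir_perms mounton }`; a caller that has not separately been given search on /etc will still be denied at path lookup, so either add search here for consistency (`allow $1 etc_t:dir { search_dir_perms mounton };`) or document that the caller must also call `files_search_etc`. The summary `Mounton directories on filesystem /etc.` would read better as `Mount a filesystem on directories in /etc.`.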
@@ -2645,6 +3312,24 @@ interface(`files_rw_etc_dirs',`
 	allow $1 etc_t:dir rw_dir_perms;
 ')
 
+#######################################
+## <summary>
+##      Dontaudit remove dir /etc directories.
+## </summary>
+## <param name="domain">
+##      <summary>
+##	Domain to not audit.
+##      </summary>
+## </param>
+#
+interface(`files_dontaudit_remove_etc_dir',`
+        gen_require(`
+                type etc_t;
+        ')
+
+        dontaudit $1 etc_t:dir rmdir;
+')
+
 ##########################################
 ## <summary>
 ## 	Manage generic directories in /etc
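Review bot: The body of `files_dontaudit_remove_etc_dir` is indented with eight spaces while every neighbouring interface uses tabs, and its banner is one `#` shorter than the file's usual 40-character rule. Reindent the three body lines with tabs and reword the summary to `##	Do not audit attempts to remove directories in /etc.` so it matches the phrasing the file uses for other dontaudit interfaces.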
@@ -2716,6 +3401,7 @@ interface(`files_read_etc_files',`
 	allow $1 etc_t:dir list_dir_perms;
 	read_files_pattern($1, etc_t, etc_t)
 	read_lnk_files_pattern($1, etc_t, etc_t)
+	files_read_etc_runtime_files($1)
 ')
 
 ########################################
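Review bot: Adding `files_read_etc_runtime_files($1)` inside `files_read_etc_files` silently widens every existing caller of the latter to also read `etc_runtime_t` files, which is a policy-wide scope change rather than a local one. If that is intended, the interface summary (outside this hunk) should state that etc_runtime files are included and the commit description should mention it; otherwise callers that need both should invoke both interfaces explicitly. The enclosing interface starts outside the hunk.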
@@ -2724,7 +3410,7 @@ interface(`files_read_etc_files',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed access.
+##	Domain to not audit.
 ##	</summary>
 ## </param>
 #
@@ -2778,6 +3464,25 @@ interface(`files_manage_etc_files',`
 	read_lnk_files_pattern($1, etc_t, etc_t)
 ')
 
+########################################
+## <summary>
+##	Do not audit attempts to check the 
+##	access on etc files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`files_dontaudit_access_check_etc',`
+	gen_require(`
+		type etc_t;
+	')
+
+	dontaudit $1 etc_t:dir_file_class_set audit_access;
+')
+
 ########################################
 ## <summary>
 ##	Delete system configuration files in /etc.
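Review bot: The summary line `Do not audit attempts to check the ` in `files_dontaudit_access_check_etc` ends in a trailing space; the same trailing space appears in the summaries of `files_dontaudit_access_check_home_dir`, `files_dontaudit_access_check_mnt` and `files_dontaudit_access_check_tmp` later in this patch. Trim it in each, e.g. `##	Do not audit attempts to check the` followed by `##	access on etc files.`.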
@@ -2796,6 +3501,24 @@ interface(`files_delete_etc_files',`
 	delete_files_pattern($1, etc_t, etc_t)
 ')
 
+########################################
+## <summary>
+##	Remove entries from the etc directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_delete_etc_dir_entry',`
+	gen_require(`
+		type etc_t;
+	')
+
+	allow $1 etc_t:dir del_entry_dir_perms;
+')
+
 ########################################
 ## <summary>
 ##	Execute generic files in /etc.
@@ -2963,26 +3686,8 @@ interface(`files_delete_boot_flag',`
 
 ########################################
 ## <summary>
-##	Do not audit attempts to set the attributes of the etc_runtime files
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
-## </param>
-#
-interface(`files_dontaudit_setattr_etc_runtime_files',`
-	gen_require(`
-		type etc_runtime_t;
-	')
-
-	dontaudit $1 etc_runtime_t:file setattr;
-')
-
-########################################
-## <summary>
-##	Read files in /etc that are dynamically
-##	created on boot, such as mtab.
+##	Read files in /etc that are dynamically
+##	created on boot, such as mtab.
 ## </summary>
 ## <desc>
 ##	<p>
@@ -3021,9 +3726,7 @@ interface(`files_read_etc_runtime_files',`
 
 ########################################
 ## <summary>
-##	Do not audit attempts to read files
-##	in /etc that are dynamically
-##	created on boot, such as mtab.
+##	Do not audit attempts to set the attributes of the etc_runtime files
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -3031,18 +3734,17 @@ interface(`files_read_etc_runtime_files',`
 ##	</summary>
 ## </param>
 #
-interface(`files_dontaudit_read_etc_runtime_files',`
+interface(`files_dontaudit_setattr_etc_runtime_files',`
 	gen_require(`
 		type etc_runtime_t;
 	')
 
-	dontaudit $1 etc_runtime_t:file { getattr read };
+	dontaudit $1 etc_runtime_t:file setattr;
 ')
 
 ########################################
 ## <summary>
-##	Do not audit attempts to write
-##	etc runtime files.
+##	Do not audit attempts to write etc_runtime files
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -3058,6 +3760,26 @@ interface(`files_dontaudit_write_etc_runtime_files',`
 	dontaudit $1 etc_runtime_t:file write;
 ')
 
+########################################
+## <summary>
+##	Do not audit attempts to read files
+##	in /etc that are dynamically
+##	created on boot, such as mtab.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`files_dontaudit_read_etc_runtime_files',`
+	gen_require(`
+		type etc_runtime_t;
+	')
+
+	dontaudit $1 etc_runtime_t:file { getattr read };
+')
+
 ########################################
 ## <summary>
 ##	Read and write files in /etc that are dynamically
@@ -3077,6 +3799,7 @@ interface(`files_rw_etc_runtime_files',`
 
 	allow $1 etc_t:dir list_dir_perms;
 	rw_files_pattern($1, etc_t, etc_runtime_t)
+	read_lnk_files_pattern($1, etc_t, etc_t)
 ')
 
 ########################################
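Review bot: `files_rw_etc_runtime_files` gains `read_lnk_files_pattern($1, etc_t, etc_t)`, which grants reading of every `etc_t` symlink, while the parallel line added to `files_manage_etc_runtime_files` in the next hunk uses `read_lnk_files_pattern($1, etc_t, etc_runtime_t)`. One of the two is presumably a slip; if the aim is to follow symlinks that point at runtime files, the narrower `read_lnk_files_pattern($1, etc_t, etc_runtime_t)` is the least-privilege choice here as well. The enclosing interface starts outside the hunk.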
@@ -3098,6 +3821,7 @@ interface(`files_manage_etc_runtime_files',`
 	')
 
 	manage_files_pattern($1, { etc_t etc_runtime_t }, etc_runtime_t)
+	read_lnk_files_pattern($1, etc_t, etc_runtime_t)
 ')
 
 ########################################
@@ -3142,10 +3866,48 @@ interface(`files_etc_filetrans_etc_runtime',`
 #
 interface(`files_getattr_isid_type_dirs',`
 	gen_require(`
-		type file_t;
+		type unlabeled_t;
+	')
+
+	allow $1 unlabeled_t:dir getattr;
+')
+
+########################################
+## <summary>
+##	Getattr all file opbjects on new filesystems
+##	that have not yet been labeled.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_getattr_isid_type',`
+	gen_require(`
+		type unlabeled_t;
+	')
+
+	allow $1 unlabeled_t:dir_file_class_set getattr;
+')
+
+########################################
+## <summary>
+##	Setattr of directories on new filesystems
+##	that have not yet been labeled.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_setattr_isid_type_dirs',`
+	gen_require(`
+		type unlabeled_t;
 	')
 
-	allow $1 file_t:dir getattr;
+	allow $1 unlabeled_t:dir setattr;
 ')
 
 ########################################
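Review bot: The summary of `files_getattr_isid_type` misspells `objects` as `opbjects`; the same typo recurs in the summary of `files_relabelfrom_isid_type` later in the patch. Write `##	Getattr all file objects on new filesystems`. Note also that `files_getattr_isid_type` uses `dir_file_class_set`, so unlike the `_dirs` variant it covers every file class on unlabeled filesystems; a brief comment on why the wider set is needed would help future reviewers. The `file_t` to `unlabeled_t` substitution across these hunks presumably relies on an alias defined elsewhere in the policy, which is not visible here.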
@@ -3161,10 +3923,10 @@ interface(`files_getattr_isid_type_dirs',`
 #
 interface(`files_dontaudit_search_isid_type_dirs',`
 	gen_require(`
-		type file_t;
+		type unlabeled_t;
 	')
 
-	dontaudit $1 file_t:dir search_dir_perms;
+	dontaudit $1 unlabeled_t:dir search_dir_perms;
 ')
 
 ########################################
@@ -3180,10 +3942,10 @@ interface(`files_dontaudit_search_isid_type_dirs',`
 #
 interface(`files_list_isid_type_dirs',`
 	gen_require(`
-		type file_t;
+		type unlabeled_t;
 	')
 
-	allow $1 file_t:dir list_dir_perms;
+	allow $1 unlabeled_t:dir list_dir_perms;
 ')
 
 ########################################
@@ -3199,10 +3961,10 @@ interface(`files_list_isid_type_dirs',`
 #
 interface(`files_rw_isid_type_dirs',`
 	gen_require(`
-		type file_t;
+		type unlabeled_t;
 	')
 
-	allow $1 file_t:dir rw_dir_perms;
+	allow $1 unlabeled_t:dir rw_dir_perms;
 ')
 
 ########################################
@@ -3218,10 +3980,66 @@ interface(`files_rw_isid_type_dirs',`
 #
 interface(`files_delete_isid_type_dirs',`
 	gen_require(`
-		type file_t;
+		type unlabeled_t;
+	')
+
+	delete_dirs_pattern($1, unlabeled_t, unlabeled_t)
+')
+########################################
+## <summary>
+##	Execute files on new filesystems
+##	that have not yet been labeled.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_exec_isid_files',`
+	gen_require(`
+		type unlabeled_t;
+	')
+
+	can_exec($1, unlabeled_t)
+')
+
+########################################
+## <summary>
+##	Moundon directories on new filesystems
+##	that have not yet been labeled.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_mounton_isid',`
+	gen_require(`
+		type unlabeled_t;
+	')
+
+	allow $1 unlabeled_t:dir mounton;
+')
+
+########################################
+## <summary>
+##	Relabelfrom all file opbjects on new filesystems
+##	that have not yet been labeled.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_relabelfrom_isid_type',`
+	gen_require(`
+		type unlabeled_t;
 	')
 
-	delete_dirs_pattern($1, file_t, file_t)
+	dontaudit $1 unlabeled_t:dir_file_class_set relabelfrom;
 ')
 
 ########################################
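Review bot: `files_relabelfrom_isid_type` is named and documented as an allow interface (`Relabelfrom all file opbjects ...`, `Domain allowed access.`) but its body is `dontaudit $1 unlabeled_t:dir_file_class_set relabelfrom;`, so a caller expecting to be granted relabelfrom will get a silent denial instead. Either make the body `allow $1 unlabeled_t:dir_file_class_set relabelfrom;` or rename it `files_dontaudit_relabelfrom_isid_type` with `Domain to not audit.`. Also change `Moundon` to `Mount on` in the summaries of `files_mounton_isid` and `files_dontaudit_mounton_isid`, and add the missing blank line between the `')` closing `files_delete_isid_type_dirs` and the banner of `files_exec_isid_files`. `files_exec_isid_files` permits executing unlabeled content, so a comment naming its intended caller would document why that is acceptable.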
@@ -3237,10 +4055,10 @@ interface(`files_delete_isid_type_dirs',`
 #
 interface(`files_manage_isid_type_dirs',`
 	gen_require(`
-		type file_t;
+		type unlabeled_t;
 	')
 
-	allow $1 file_t:dir manage_dir_perms;
+	allow $1 unlabeled_t:dir manage_dir_perms;
 ')
 
 ########################################
@@ -3256,10 +4074,29 @@ interface(`files_manage_isid_type_dirs',`
 #
 interface(`files_mounton_isid_type_dirs',`
 	gen_require(`
-		type file_t;
+		type unlabeled_t;
+	')
+
+	allow $1 unlabeled_t:dir { search_dir_perms mounton };
+')
+
+########################################
+## <summary>
+##	Mount a filesystem on a new chr_file 
+##	that has not yet been labeled.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_mounton_isid_type_chr_file',`
+	gen_require(`
+		type unlabeled_t;
 	')
 
-	allow $1 file_t:dir { search_dir_perms mounton };
+	allow $1 unlabeled_t:chr_file mounton;
 ')
 
 ########################################
@@ -3275,10 +4112,10 @@ interface(`files_mounton_isid_type_dirs',`
 #
 interface(`files_read_isid_type_files',`
 	gen_require(`
-		type file_t;
+		type unlabeled_t;
 	')
 
-	allow $1 file_t:file read_file_perms;
+	allow $1 unlabeled_t:file read_file_perms;
 ')
 
 ########################################
@@ -3294,10 +4131,10 @@ interface(`files_read_isid_type_files',`
 #
 interface(`files_delete_isid_type_files',`
 	gen_require(`
-		type file_t;
+		type unlabeled_t;
 	')
 
-	delete_files_pattern($1, file_t, file_t)
+	delete_files_pattern($1, unlabeled_t, unlabeled_t)
 ')
 
 ########################################
@@ -3313,10 +4150,10 @@ interface(`files_delete_isid_type_files',`
 #
 interface(`files_delete_isid_type_symlinks',`
 	gen_require(`
-		type file_t;
+		type unlabeled_t;
 	')
 
-	delete_lnk_files_pattern($1, file_t, file_t)
+	delete_lnk_files_pattern($1, unlabeled_t, unlabeled_t)
 ')
 
 ########################################
@@ -3332,10 +4169,10 @@ interface(`files_delete_isid_type_symlinks',`
 #
 interface(`files_delete_isid_type_fifo_files',`
 	gen_require(`
-		type file_t;
+		type unlabeled_t;
 	')
 
-	delete_fifo_files_pattern($1, file_t, file_t)
+	delete_fifo_files_pattern($1, unlabeled_t, unlabeled_t)
 ')
 
 ########################################
@@ -3351,10 +4188,10 @@ interface(`files_delete_isid_type_fifo_files',`
 #
 interface(`files_delete_isid_type_sock_files',`
 	gen_require(`
-		type file_t;
+		type unlabeled_t;
 	')
 
-	delete_sock_files_pattern($1, file_t, file_t)
+	delete_sock_files_pattern($1, unlabeled_t, unlabeled_t)
 ')
 
 ########################################
@@ -3370,10 +4207,10 @@ interface(`files_delete_isid_type_sock_files',`
 #
 interface(`files_delete_isid_type_blk_files',`
 	gen_require(`
-		type file_t;
+		type unlabeled_t;
 	')
 
-	delete_blk_files_pattern($1, file_t, file_t)
+	delete_blk_files_pattern($1, unlabeled_t, unlabeled_t)
 ')
 
 ########################################
@@ -3389,10 +4226,10 @@ interface(`files_delete_isid_type_blk_files',`
 #
 interface(`files_dontaudit_write_isid_chr_files',`
 	gen_require(`
-		type file_t;
+		type unlabeled_t;
 	')
 
-	dontaudit $1 file_t:chr_file write;
+	dontaudit $1 unlabeled_t:chr_file write;
 ')
 
 ########################################
@@ -3408,10 +4245,10 @@ interface(`files_dontaudit_write_isid_chr_files',`
 #
 interface(`files_delete_isid_type_chr_files',`
 	gen_require(`
-		type file_t;
+		type unlabeled_t;
 	')
 
-	delete_chr_files_pattern($1, file_t, file_t)
+	delete_chr_files_pattern($1, unlabeled_t, unlabeled_t)
 ')
 
 ########################################
@@ -3427,10 +4264,10 @@ interface(`files_delete_isid_type_chr_files',`
 #
 interface(`files_manage_isid_type_files',`
 	gen_require(`
-		type file_t;
+		type unlabeled_t;
 	')
 
-	allow $1 file_t:file manage_file_perms;
+	allow $1 unlabeled_t:file manage_file_perms;
 ')
 
 ########################################
@@ -3446,10 +4283,10 @@ interface(`files_manage_isid_type_files',`
 #
 interface(`files_manage_isid_type_symlinks',`
 	gen_require(`
-		type file_t;
+		type unlabeled_t;
 	')
 
-	allow $1 file_t:lnk_file manage_lnk_file_perms;
+	allow $1 unlabeled_t:lnk_file manage_lnk_file_perms;
 ')
 
 ########################################
@@ -3465,10 +4302,29 @@ interface(`files_manage_isid_type_symlinks',`
 #
 interface(`files_rw_isid_type_blk_files',`
 	gen_require(`
-		type file_t;
+		type unlabeled_t;
+	')
+
+	allow $1 unlabeled_t:blk_file rw_blk_file_perms;
+')
+
+########################################
+## <summary>
+##	rw any files inherited from another process
+##	on new filesystems that have not yet been labeled.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_rw_inherited_isid_type_files',`
+	gen_require(`
+		type unlabeled_t;
 	')
 
-	allow $1 file_t:blk_file rw_blk_file_perms;
+	allow $1 unlabeled_t:file rw_inherited_file_perms;
 ')
 
 ########################################
@@ -3484,10 +4340,10 @@ interface(`files_rw_isid_type_blk_files',`
 #
 interface(`files_manage_isid_type_blk_files',`
 	gen_require(`
-		type file_t;
+		type unlabeled_t;
 	')
 
-	allow $1 file_t:blk_file manage_blk_file_perms;
+	allow $1 unlabeled_t:blk_file manage_blk_file_perms;
 ')
 
 ########################################
@@ -3503,10 +4359,29 @@ interface(`files_manage_isid_type_blk_files',`
 #
 interface(`files_manage_isid_type_chr_files',`
 	gen_require(`
-		type file_t;
+		type unlabeled_t;
+	')
+
+	allow $1 unlabeled_t:chr_file manage_chr_file_perms;
+')
+
+########################################
+## <summary>
+##	Dontaudit Moundon directories on new filesystems
+##	that have not yet been labeled.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_dontaudit_mounton_isid',`
+	gen_require(`
+		type unlabeled_t;
 	')
 
-	allow $1 file_t:chr_file manage_chr_file_perms;
+	dontaudit $1 unlabeled_t:dir mounton;
 ')
 
 ########################################
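Review bot: The parameter summary of `files_dontaudit_mounton_isid` says `Domain allowed access.` although the interface only emits a `dontaudit` rule. Change it to `##	Domain to not audit.` to match the other dontaudit interfaces in this file.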
@@ -3550,6 +4425,27 @@ interface(`files_dontaudit_getattr_home_dir',`
 	dontaudit $1 home_root_t:lnk_file getattr;
 ')
 
+########################################
+## <summary>
+##	Do not audit attempts to check the 
+##	access on home root directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`files_dontaudit_access_check_home_dir',`
+	gen_require(`
+		type home_root_t;
+	')
+
+	dontaudit $1 home_root_t:dir_file_class_set audit_access;
+')
+
+
+
 ########################################
 ## <summary>
 ##	Search home directories root (/home).
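Review bot: Three blank lines follow the `')` of `files_dontaudit_access_check_home_dir` before the next banner, where the file otherwise separates interfaces with exactly one; drop the two extra blank lines. The interface body itself mirrors `files_dontaudit_access_check_etc` and raises no further point.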
@@ -3814,20 +4710,38 @@ interface(`files_list_mnt',`
 
 ######################################
 ## <summary>
-##	Do not audit attempts to list the contents of /mnt.
+##  dontaudit List the contents of /mnt.
+## </summary>
+## <param name="domain">
+##  <summary>
+##	Domain to not audit.
+##  </summary>
+## </param>
+#
+interface(`files_dontaudit_list_mnt',`
+    gen_require(`
+        type mnt_t;
+    ')
+
+    dontaudit $1 mnt_t:dir list_dir_perms;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to check the 
+##	write access on mnt files
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed access.
+##	Domain to not audit.
 ##	</summary>
 ## </param>
 #
-interface(`files_dontaudit_list_mnt',`
+interface(`files_dontaudit_access_check_mnt',`
 	gen_require(`
 		type mnt_t;
 	')
-
-	dontaudit $1 mnt_t:dir list_dir_perms;
+	dontaudit $1 mnt_t:dir_file_class_set audit_access;
 ')
 
 ########################################
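Review bot: The summary of `files_dontaudit_access_check_mnt` says `write access`, but `audit_access` governs auditing of access(2)-style probes for any mode, not only write, so the wording overstates the specificity; use `##	access on mnt files` as the sibling etc and home interfaces do. In the same hunk `files_dontaudit_list_mnt` was reindented with four spaces and its summary changed to `dontaudit List the contents of /mnt.`; restoring tabs and the original `Do not audit attempts to list the contents of /mnt.` keeps the file consistent. The blank line between `gen_require` and the `dontaudit` line in `files_dontaudit_access_check_mnt` is also missing.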
@@ -3921,6 +4835,26 @@ interface(`files_read_mnt_symlinks',`
 	read_lnk_files_pattern($1, mnt_t, mnt_t)
 ')
 
+
+########################################
+## <summary>
+##	Load kernel module files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_load_kernel_modules',`
+	gen_require(`
+		type modules_object_t;
+	')
+
+	files_read_kernel_modules($1)
+	allow $1 modules_object_t:system module_load;
+')
+
 ########################################
 ## <summary>
 ##	Create, read, write, and delete symbolic links in /mnt.
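Review bot: A stray blank line precedes the banner of `files_load_kernel_modules`, and the next hunk adds an empty line just before the closing `')` of `files_read_kernel_modules`; both should be dropped to keep the file's one-blank-line layout. `files_load_kernel_modules` grants `modules_object_t:system module_load`, the permission checked for file-backed module loads, and also pulls in `files_read_kernel_modules`; a comment such as `# read access is needed for the file-backed load path` would make the pairing self-explanatory.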
@@ -4012,6 +4946,7 @@ interface(`files_read_kernel_modules',`
 	allow $1 modules_object_t:dir list_dir_perms;
 	read_files_pattern($1, modules_object_t, modules_object_t)
 	read_lnk_files_pattern($1, modules_object_t, modules_object_t)
+
 ')
 
 ########################################
@@ -4217,174 +5152,275 @@ interface(`files_read_world_readable_sockets',`
 	allow $1 readable_t:sock_file read_sock_file_perms;
 ')
 
-########################################
+#######################################
 ## <summary>
-##	Allow the specified type to associate
-##	to a filesystem with the type of the
-##	temporary directory (/tmp).
+##  Read manageable system configuration files in /etc
 ## </summary>
-## <param name="file_type">
-##	<summary>
-##	Type of the file to associate.
-##	</summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
 ## </param>
 #
-interface(`files_associate_tmp',`
-	gen_require(`
-		type tmp_t;
-	')
+interface(`files_read_system_conf_files',`
+    gen_require(`
+        type etc_t, system_conf_t;
+    ')
 
-	allow $1 tmp_t:filesystem associate;
+    allow $1 etc_t:dir list_dir_perms;
+    read_files_pattern($1, etc_t, system_conf_t)
+    read_lnk_files_pattern($1, etc_t, system_conf_t)
 ')
 
-########################################
+######################################
 ## <summary>
-##	Get the	attributes of the tmp directory (/tmp).
+##  Manage manageable system configuration files in /etc.
 ## </summary>
 ## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
+##  <summary>
+##  Domain allowed access.
+##  </summary>
 ## </param>
 #
-interface(`files_getattr_tmp_dirs',`
-	gen_require(`
-		type tmp_t;
-	')
+interface(`files_manage_system_conf_files',`
+    gen_require(`
+        type etc_t, system_conf_t;
+    ')
 
-	allow $1 tmp_t:dir getattr;
+    manage_files_pattern($1, { etc_t system_conf_t }, system_conf_t)
+    files_filetrans_system_conf_named_files($1)
 ')
 
-########################################
+#####################################
 ## <summary>
-##	Do not audit attempts to get the
-##	attributes of the tmp directory (/tmp).
+##  File name transition for system configuration files in /etc.
 ## </summary>
 ## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
+##  <summary>
+##  Domain allowed access.
+##  </summary>
 ## </param>
 #
-interface(`files_dontaudit_getattr_tmp_dirs',`
-	gen_require(`
-		type tmp_t;
-	')
+interface(`files_filetrans_system_conf_named_files',`
+    gen_require(`
+        type etc_t, system_conf_t, usr_t;
+    ')
 
-	dontaudit $1 tmp_t:dir getattr;
+	filetrans_pattern($1, etc_t, system_conf_t, file, "sysctl.conf")
+	filetrans_pattern($1, etc_t, system_conf_t, file, "sysctl.conf.old")
+	filetrans_pattern($1, etc_t, system_conf_t, file, "ebtables")
+	filetrans_pattern($1, etc_t, system_conf_t, file, "ebtables.old")
+	filetrans_pattern($1, etc_t, system_conf_t, file, "ebtables-config")
+	filetrans_pattern($1, etc_t, system_conf_t, file, "ebtables-config.old")
+	filetrans_pattern($1, etc_t, system_conf_t, file, "iptables")
+	filetrans_pattern($1, etc_t, system_conf_t, file, "iptables.old")
+	filetrans_pattern($1, etc_t, system_conf_t, file, "iptables-config")
+	filetrans_pattern($1, etc_t, system_conf_t, file, "iptables-config.old")
+	filetrans_pattern($1, etc_t, system_conf_t, file, "ip6tables")
+	filetrans_pattern($1, etc_t, system_conf_t, file, "ip6tables.old")
+	filetrans_pattern($1, etc_t, system_conf_t, file, "ip6tables-config")
+	filetrans_pattern($1, etc_t, system_conf_t, file, "ip6tables-config.old")
+    filetrans_pattern($1, etc_t, system_conf_t, file, "redhat.repo")
+	filetrans_pattern($1, etc_t, system_conf_t, file, "system-config-firewall")
+	filetrans_pattern($1, etc_t, system_conf_t, file, "system-config-firewall.old")
+	filetrans_pattern($1, etc_t, system_conf_t, dir, "yum.repos.d")
+	filetrans_pattern($1, etc_t, system_conf_t, dir, "remotes.d")
+	filetrans_pattern($1, usr_t, system_conf_t, dir, "repo")
 ')
 
-########################################
+######################################
 ## <summary>
-##	Search the tmp directory (/tmp).
+##  Relabel manageable system configuration files in /etc.
 ## </summary>
 ## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
+##  <summary>
+##  Domain allowed access.
+##  </summary>
 ## </param>
 #
-interface(`files_search_tmp',`
-	gen_require(`
-		type tmp_t;
-	')
+interface(`files_relabelto_system_conf_files',`
+    gen_require(`
+        type usr_t;
+    ')
 
-	allow $1 tmp_t:dir search_dir_perms;
+    relabelto_files_pattern($1, system_conf_t, system_conf_t)
 ')
 
-########################################
+######################################
 ## <summary>
-##	Do not audit attempts to search the tmp directory (/tmp).
+##  Relabel manageable system configuration files in /etc.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`files_relabelfrom_system_conf_files',`
+    gen_require(`
+        type usr_t;
+    ')
+
+    relabelfrom_files_pattern($1, system_conf_t, system_conf_t)
+')
+
+###################################
+## <summary>
+##  Create files in /etc with the type used for
+##  the manageable system config files.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  The type of the process performing this action.
+##  </summary>
+## </param>
+#
+interface(`files_etc_filetrans_system_conf',`
+    gen_require(`
+        type etc_t, system_conf_t;
+    ')
+
+    filetrans_pattern($1, etc_t, system_conf_t, file)
+')
+
+######################################
+## <summary>
+##  Manage manageable system db files in /var/lib.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`files_manage_system_db_files',`
+     gen_require(`
+         type var_lib_t, system_db_t;
+    ')
+
+     manage_files_pattern($1, { var_lib_t system_db_t }, system_db_t)
+     files_filetrans_system_db_named_files($1)
+')
+
+#####################################
+## <summary>
+##  File name transition for system db files in /var/lib.
 ## </summary>
 ## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`files_filetrans_system_db_named_files',`
+    gen_require(`
+        type var_lib_t, system_db_t;
+    ')
+
+    filetrans_pattern($1, var_lib_t, system_db_t, file, "servicelog.db")
+    filetrans_pattern($1, var_lib_t, system_db_t, file, "servicelog.db-journal")
+')
+
+########################################
+## <summary>
+##	Allow the specified type to associate
+##	to a filesystem with the type of the
+##	temporary directory (/tmp).
+## </summary>
+## <param name="file_type">
 ##	<summary>
-##	Domain to not audit.
+##	Type of the file to associate.
 ##	</summary>
 ## </param>
 #
-interface(`files_dontaudit_search_tmp',`
+interface(`files_associate_tmp',`
 	gen_require(`
 		type tmp_t;
 	')
 
-	dontaudit $1 tmp_t:dir search_dir_perms;
+	allow $1 tmp_t:filesystem associate;
 ')
 
 ########################################
 ## <summary>
-##	Read the tmp directory (/tmp).
+##	Allow the specified type to associate
+##	to a filesystem with the type of the
+##	/ file system
 ## </summary>
-## <param name="domain">
+## <param name="file_type">
 ##	<summary>
-##	Domain allowed access.
+##	Type of the file to associate.
 ##	</summary>
 ## </param>
 #
-interface(`files_list_tmp',`
+interface(`files_associate_rootfs',`
 	gen_require(`
-		type tmp_t;
+		type root_t;
 	')
 
-	allow $1 tmp_t:dir list_dir_perms;
+	allow $1 root_t:filesystem associate;
 ')
 
 ########################################
 ## <summary>
-##	Do not audit listing of the tmp directory (/tmp).
+##	Get the	attributes of the tmp directory (/tmp).
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain not to audit.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
-interface(`files_dontaudit_list_tmp',`
+interface(`files_getattr_tmp_dirs',`
 	gen_require(`
 		type tmp_t;
 	')
 
-	dontaudit $1 tmp_t:dir list_dir_perms;
+	read_lnk_files_pattern($1, tmp_t, tmp_t)
+	allow $1 tmp_t:dir getattr;
 ')
 
 ########################################
 ## <summary>
-##	Remove entries from the tmp directory.
+##	Do not audit attempts to check the 
+##	access on tmp files
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed access.
+##	Domain to not audit.
 ##	</summary>
 ## </param>
 #
-interface(`files_delete_tmp_dir_entry',`
+interface(`files_dontaudit_access_check_tmp',`
 	gen_require(`
-		type tmp_t;
+		type etc_t;
 	')
 
-	allow $1 tmp_t:dir del_entry_dir_perms;
+	dontaudit $1 tmp_t:dir_file_class_set audit_access;
 ')
 
 ########################################
 ## <summary>
-##	Read files in the tmp directory (/tmp).
+##	Do not audit attempts to get the
+##	attributes of the tmp directory (/tmp).
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed access.
+##	Domain to not audit.
 ##	</summary>
 ## </param>
 #
-interface(`files_read_generic_tmp_files',`
+interface(`files_dontaudit_getattr_tmp_dirs',`
 	gen_require(`
 		type tmp_t;
 	')
 
-	read_files_pattern($1, tmp_t, tmp_t)
+	dontaudit $1 tmp_t:dir getattr;
 ')
 
 ########################################
 ## <summary>
-##	Manage temporary directories in /tmp.
+##	Search the tmp directory (/tmp).
 ## </summary>
 ## <param name="domain">
 ##	<summary>
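Review bot: `files_relabelto_system_conf_files` and `files_relabelfrom_system_conf_files` declare `type usr_t;` in `gen_require` but their bodies reference only `system_conf_t`, which is never required, so a loadable module calling either interface will likely fail to build with `system_conf_t` out of scope while `usr_t` is dead; change both to `type system_conf_t;`. The same slip appears in `files_dontaudit_access_check_tmp`, whose `gen_require` names `etc_t` while the rule targets `tmp_t`; it should require `type tmp_t;`. Elsewhere in the hunk, `files_getattr_tmp_dirs` now also grants `read_lnk_files_pattern($1, tmp_t, tmp_t)`, which goes beyond what its name and summary promise, and the `redhat.repo` line in `files_filetrans_system_conf_named_files` is indented with spaces where its neighbours use tabs.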
@@ -4392,35 +5428,37 @@ interface(`files_read_generic_tmp_files',`
 ##	</summary>
 ## </param>
 #
-interface(`files_manage_generic_tmp_dirs',`
+interface(`files_search_tmp',`
 	gen_require(`
 		type tmp_t;
 	')
 
-	manage_dirs_pattern($1, tmp_t, tmp_t)
+    fs_search_tmpfs($1)
+	read_lnk_files_pattern($1, tmp_t, tmp_t)
+	allow $1 tmp_t:dir search_dir_perms;
 ')
 
 ########################################
 ## <summary>
-##	Manage temporary files and directories in /tmp.
+##	Do not audit attempts to search the tmp directory (/tmp).
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed access.
+##	Domain to not audit.
 ##	</summary>
 ## </param>
 #
-interface(`files_manage_generic_tmp_files',`
+interface(`files_dontaudit_search_tmp',`
 	gen_require(`
 		type tmp_t;
 	')
 
-	manage_files_pattern($1, tmp_t, tmp_t)
+	dontaudit $1 tmp_t:dir search_dir_perms;
 ')
 
 ########################################
 ## <summary>
-##	Read symbolic links in the tmp directory (/tmp).
+##	Read the tmp directory (/tmp).
 ## </summary>
 ## <param name="domain">
 ##	<summary>
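Review bot: `files_search_tmp` now also calls `fs_search_tmpfs($1)` and grants `read_lnk_files_pattern($1, tmp_t, tmp_t)`, so every existing caller that only needed to traverse /tmp gains tmpfs search and symlink reading; the summary `Search the tmp directory (/tmp).` should say so, or the extra grants belong in a separate interface. The `fs_search_tmpfs($1)` line is indented with four spaces while the adjacent lines use tabs. Because `files_search_tmp` is invoked from `files_rw_generic_tmp_dir` and `files_delete_tmp_dir_entry` later in this patch, the broadening propagates to those callers as well.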
@@ -4428,53 +5466,55 @@ interface(`files_manage_generic_tmp_files',`
 ##	</summary>
 ## </param>
 #
-interface(`files_read_generic_tmp_symlinks',`
+interface(`files_list_tmp',`
 	gen_require(`
 		type tmp_t;
 	')
 
 	read_lnk_files_pattern($1, tmp_t, tmp_t)
+	allow $1 tmp_t:dir list_dir_perms;
 ')
 
 ########################################
 ## <summary>
-##	Read and write generic named sockets in the tmp directory (/tmp).
+##	Do not audit listing of the tmp directory (/tmp).
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed access.
+##	Domain to not audit.
 ##	</summary>
 ## </param>
 #
-interface(`files_rw_generic_tmp_sockets',`
+interface(`files_dontaudit_list_tmp',`
 	gen_require(`
 		type tmp_t;
 	')
 
-	rw_sock_files_pattern($1, tmp_t, tmp_t)
+	dontaudit $1 tmp_t:dir list_dir_perms;
 ')
 
-########################################
+#######################################
 ## <summary>
-##	Set the attributes of all tmp directories.
+##  Allow read and write to the tmp directory (/tmp).
 ## </summary>
 ## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
+##  <summary>
+##  Domain not to audit.
+##  </summary>
 ## </param>
 #
-interface(`files_setattr_all_tmp_dirs',`
-	gen_require(`
-		attribute tmpfile;
-	')
+interface(`files_rw_generic_tmp_dir',`
+    gen_require(`
+        type tmp_t;
+    ')
 
-	allow $1 tmpfile:dir { search_dir_perms setattr };
+    files_search_tmp($1)
+    allow $1 tmp_t:dir rw_dir_perms;
 ')
 
 ########################################
 ## <summary>
-##	List all tmp directories.
+##	Remove entries from the tmp directory.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
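Review bot: The parameter summary of `files_rw_generic_tmp_dir` reads `Domain not to audit.` although the interface emits allow rules; change it to `##	Domain allowed access.`. Its body is also indented with four spaces where the surrounding interfaces use tabs, and `files_list_tmp` in the same hunk gains `read_lnk_files_pattern($1, tmp_t, tmp_t)` without its summary `Read the tmp directory (/tmp).` mentioning symlink reads.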
@@ -4482,118 +5522,116 @@ interface(`files_setattr_all_tmp_dirs',`
 ##	</summary>
 ## </param>
 #
-interface(`files_list_all_tmp',`
+interface(`files_delete_tmp_dir_entry',`
 	gen_require(`
-		attribute tmpfile;
+		type tmp_t;
 	')
 
-	allow $1 tmpfile:dir list_dir_perms;
+	files_search_tmp($1)
+	allow $1 tmp_t:dir del_entry_dir_perms;
 ')
 
 ########################################
 ## <summary>
-##	Relabel to and from all temporary
-##	directory types.
+##	Read files in the tmp directory (/tmp).
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <rolecap/>
 #
-interface(`files_relabel_all_tmp_dirs',`
+interface(`files_read_generic_tmp_files',`
 	gen_require(`
-		attribute tmpfile;
-		type var_t;
+		type tmp_t;
 	')
 
-	allow $1 var_t:dir search_dir_perms;
-	relabel_dirs_pattern($1, tmpfile, tmpfile)
+	read_files_pattern($1, tmp_t, tmp_t)
 ')
 
 ########################################
 ## <summary>
-##	Do not audit attempts to get the attributes
-##	of all tmp files.
+##	Manage temporary directories in /tmp.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain not to audit.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
-interface(`files_dontaudit_getattr_all_tmp_files',`
+interface(`files_manage_generic_tmp_dirs',`
 	gen_require(`
-		attribute tmpfile;
+		type tmp_t;
 	')
 
-	dontaudit $1 tmpfile:file getattr;
+	manage_dirs_pattern($1, tmp_t, tmp_t)
 ')
 
 ########################################
 ## <summary>
-##	Allow attempts to get the attributes
-##	of all tmp files.
+##	Allow shared library text relocations in tmp files.
 ## </summary>
+## <desc>
+##	<p>
+##	Allow shared library text relocations in tmp files.
+##	</p>
+##	<p>
+##	This is added to support java policy.
+##	</p>
+## </desc>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
-interface(`files_getattr_all_tmp_files',`
+interface(`files_execmod_tmp',`
 	gen_require(`
 		attribute tmpfile;
 	')
 
-	allow $1 tmpfile:file getattr;
+	allow $1 tmpfile:file execmod;
 ')
 
 ########################################
 ## <summary>
-##	Relabel to and from all temporary
-##	file types.
+##	Manage temporary files and directories in /tmp.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <rolecap/>
 #
-interface(`files_relabel_all_tmp_files',`
+interface(`files_manage_generic_tmp_files',`
 	gen_require(`
-		attribute tmpfile;
-		type var_t;
+		type tmp_t;
 	')
 
-	allow $1 var_t:dir search_dir_perms;
-	relabel_files_pattern($1, tmpfile, tmpfile)
+	manage_files_pattern($1, tmp_t, tmp_t)
 ')
 
 ########################################
 ## <summary>
-##	Do not audit attempts to get the attributes
-##	of all tmp sock_file.
+##	Read symbolic links in the tmp directory (/tmp).
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain not to audit.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
-interface(`files_dontaudit_getattr_all_tmp_sockets',`
+interface(`files_read_generic_tmp_symlinks',`
 	gen_require(`
-		attribute tmpfile;
+		type tmp_t;
 	')
 
-	dontaudit $1 tmpfile:sock_file getattr;
+	read_lnk_files_pattern($1, tmp_t, tmp_t)
 ')
 
 ########################################
 ## <summary>
-##	Read all tmp files.
+##	Read and write generic named sockets in the tmp directory (/tmp).
 ## </summary>
 ## <param name="domain">
 ##	<summary>
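Review bot: `files_execmod_tmp` grants `execmod` on the whole `tmpfile` attribute, so any domain given it may perform text relocations on every tmp file type in the policy, not just `tmp_t`; since the `<desc>` says it exists to support the java policy, scoping it to `tmp_t` (`allow $1 tmp_t:file execmod;`) or documenting why the attribute is required would keep the grant minimal. This hunk also drops `files_list_all_tmp`, `files_relabel_all_tmp_dirs`, `files_getattr_all_tmp_files`, `files_relabel_all_tmp_files` and the two `dontaudit_getattr_all_tmp_*` interfaces; unless they are re-added outside the visible part of the patch, modules that call them will no longer build, and the commit description should list the removals.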
@@ -4601,51 +5639,35 @@ interface(`files_dontaudit_getattr_all_tmp_sockets',`
 ##	</summary>
 ## </param>
 #
-interface(`files_read_all_tmp_files',`
+interface(`files_rw_generic_tmp_sockets',`
 	gen_require(`
-		attribute tmpfile;
+		type tmp_t;
 	')
 
-	read_files_pattern($1, tmpfile, tmpfile)
+	rw_sock_files_pattern($1, tmp_t, tmp_t)
 ')
 
 ########################################
 ## <summary>
-##	Create an object in the tmp directories, with a private
-##	type using a type transition.
+##	Relabel a dir from the type used in /tmp.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <param name="private type">
-##	<summary>
-##	The type of the object to be created.
-##	</summary>
-## </param>
-## <param name="object">
-##	<summary>
-##	The object class of the object being created.
-##	</summary>
-## </param>
-## <param name="name" optional="true">
-##	<summary>
-##	The name of the object being created.
-##	</summary>
-## </param>
 #
-interface(`files_tmp_filetrans',`
+interface(`files_relabelfrom_tmp_dirs',`
 	gen_require(`
 		type tmp_t;
 	')
 
-	filetrans_pattern($1, tmp_t, $2, $3, $4)
+	relabelfrom_dirs_pattern($1, tmp_t, tmp_t)
 ')
 
 ########################################
 ## <summary>
-##	Delete the contents of /tmp.
+##	Relabel a file from the type used in /tmp.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -4653,22 +5675,17 @@ interface(`files_tmp_filetrans',`
 ##	</summary>
 ## </param>
 #
-interface(`files_purge_tmp',`
+interface(`files_relabelfrom_tmp_files',`
 	gen_require(`
-		attribute tmpfile;
+		type tmp_t;
 	')
 
-	allow $1 tmpfile:dir list_dir_perms;
-	delete_dirs_pattern($1, tmpfile, tmpfile)
-	delete_files_pattern($1, tmpfile, tmpfile)
-	delete_lnk_files_pattern($1, tmpfile, tmpfile)
-	delete_fifo_files_pattern($1, tmpfile, tmpfile)
-	delete_sock_files_pattern($1, tmpfile, tmpfile)
+	relabelfrom_files_pattern($1, tmp_t, tmp_t)
 ')
 
 ########################################
 ## <summary>
-##	Set the attributes of the /usr directory.
+##	Set the attributes of all tmp directories.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -4676,17 +5693,17 @@ interface(`files_purge_tmp',`
 ##	</summary>
 ## </param>
 #
-interface(`files_setattr_usr_dirs',`
+interface(`files_setattr_all_tmp_dirs',`
 	gen_require(`
-		type usr_t;
+		attribute tmpfile;
 	')
 
-	allow $1 usr_t:dir setattr;
+	allow $1 tmpfile:dir { search_dir_perms setattr };
 ')
 
 ########################################
 ## <summary>
-##	Search the content of /usr.
+##	Allow caller to read inherited tmp files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -4694,18 +5711,17 @@ interface(`files_setattr_usr_dirs',`
 ##	</summary>
 ## </param>
 #
-interface(`files_search_usr',`
+interface(`files_read_inherited_tmp_files',`
 	gen_require(`
-		type usr_t;
+		attribute tmpfile;
 	')
 
-	allow $1 usr_t:dir search_dir_perms;
+	allow $1 tmpfile:file { append open read_inherited_file_perms };
 ')
 
 ########################################
 ## <summary>
-##	List the contents of generic
-##	directories in /usr.
+##	Allow caller to append inherited tmp files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
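Review bot: The new `files_read_inherited_tmp_files` grants more than its name and summary state: `allow $1 tmpfile:file { append open read_inherited_file_perms };` adds `open` and `append` on top of the inherited-read set. The inherited permission sets deliberately leave out `open` so the caller can only use descriptors handed to it; adding `open` here lets the domain open any tmpfile itself, and `append` is write access, so callers expecting a read-only, descriptor-scoped interface get a broader grant. If the extra permissions are intended, the summary and the interface name should say so; otherwise reduce the rule to `allow $1 tmpfile:file read_inherited_file_perms;` and keep the append case in the sibling `files_append_inherited_tmp_files`.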
@@ -4713,35 +5729,35 @@ interface(`files_search_usr',`
 ##	</summary>
 ## </param>
 #
-interface(`files_list_usr',`
+interface(`files_append_inherited_tmp_files',`
 	gen_require(`
-		type usr_t;
+		attribute tmpfile;
 	')
 
-	allow $1 usr_t:dir list_dir_perms;
+	allow $1 tmpfile:file append_inherited_file_perms;
 ')
 
 ########################################
 ## <summary>
-##	Do not audit write of /usr dirs
+##	Allow caller to read and write inherited tmp files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain to not audit.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
-interface(`files_dontaudit_write_usr_dirs',`
+interface(`files_rw_inherited_tmp_file',`
 	gen_require(`
-		type usr_t;
+		attribute tmpfile;
 	')
 
-	dontaudit $1 usr_t:dir write;
+	allow $1 tmpfile:file rw_inherited_file_perms;
 ')
 
 ########################################
 ## <summary>
-##	Add and remove entries from /usr directories.
+##	List all tmp directories.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
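Review bot: `files_rw_inherited_tmp_file` is named in the singular while its siblings in the preceding hunks are `files_read_inherited_tmp_files` and `files_append_inherited_tmp_files`; interface names are the public API consumed by other modules, so the inconsistency is costly to fix later. Its body, `allow $1 tmpfile:file rw_inherited_file_perms;`, is also byte-identical to `files_rw_tmp_file_leaks` added in the hunk at `@@ -4898,71 +5903,70 @@`, so the same grant exists under two names. Consider keeping one interface (plural, `files_rw_inherited_tmp_files`) and having the other call it, or drop the duplicate.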
@@ -4749,54 +5765,59 @@ interface(`files_dontaudit_write_usr_dirs',`
 ##	</summary>
 ## </param>
 #
-interface(`files_rw_usr_dirs',`
+interface(`files_list_all_tmp',`
 	gen_require(`
-		type usr_t;
+		attribute tmpfile;
 	')
 
-	allow $1 usr_t:dir rw_dir_perms;
+	allow $1 tmpfile:dir list_dir_perms;
 ')
 
 ########################################
 ## <summary>
-##	Do not audit attempts to add and remove
-##	entries from /usr directories.
+##	Relabel to and from all temporary
+##	directory types.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain to not audit.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
-interface(`files_dontaudit_rw_usr_dirs',`
+interface(`files_relabel_all_tmp_dirs',`
 	gen_require(`
-		type usr_t;
+		attribute tmpfile;
+		type var_t;
 	')
 
-	dontaudit $1 usr_t:dir rw_dir_perms;
+	allow $1 var_t:dir search_dir_perms;
+	relabel_dirs_pattern($1, tmpfile, tmpfile)
 ')
 
 ########################################
 ## <summary>
-##	Delete generic directories in /usr in the caller domain.
+##	Do not audit attempts to get the attributes
+##	of all tmp files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed access.
+##	Domain to not audit.
 ##	</summary>
 ## </param>
 #
-interface(`files_delete_usr_dirs',`
+interface(`files_dontaudit_getattr_all_tmp_files',`
 	gen_require(`
-		type usr_t;
+		attribute tmpfile;
 	')
 
-	delete_dirs_pattern($1, usr_t, usr_t)
+	dontaudit $1 tmpfile:file getattr;
 ')
 
 ########################################
 ## <summary>
-##	Delete generic files in /usr in the caller domain.
+##	Allow attempts to get the attributes
+##	of all tmp files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -4804,73 +5825,58 @@ interface(`files_delete_usr_dirs',`
 ##	</summary>
 ## </param>
 #
-interface(`files_delete_usr_files',`
+interface(`files_getattr_all_tmp_files',`
 	gen_require(`
-		type usr_t;
+		attribute tmpfile;
 	')
 
-	delete_files_pattern($1, usr_t, usr_t)
+	allow $1 tmpfile:file getattr;
 ')
 
 ########################################
 ## <summary>
-##	Get the attributes of files in /usr.
+##	Relabel to and from all temporary
+##	file types.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
-interface(`files_getattr_usr_files',`
+interface(`files_relabel_all_tmp_files',`
 	gen_require(`
-		type usr_t;
+		attribute tmpfile;
+		type var_t;
 	')
 
-	getattr_files_pattern($1, usr_t, usr_t)
+	allow $1 var_t:dir search_dir_perms;
+	relabel_files_pattern($1, tmpfile, tmpfile)
 ')
 
 ########################################
 ## <summary>
-##	Read generic files in /usr.
+##	Do not audit attempts to get the attributes
+##	of all tmp sock_file.
 ## </summary>
-## <desc>
-##	<p>
-##	Allow the specified domain to read generic
-##	files in /usr. These files are various program
-##	files that do not have more specific SELinux types.
-##	Some examples of these files are:
-##	</p>
-##	<ul>
-##		<li>/usr/include/*</li>
-##		<li>/usr/share/doc/*</li>
-##		<li>/usr/share/info/*</li>
-##	</ul>
-##	<p>
-##	Generally, it is safe for many domains to have
-##	this access.
-##	</p>
-## </desc>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed access.
+##	Domain to not audit.
 ##	</summary>
 ## </param>
-## <infoflow type="read" weight="10"/>
 #
-interface(`files_read_usr_files',`
+interface(`files_dontaudit_getattr_all_tmp_sockets',`
 	gen_require(`
-		type usr_t;
+		attribute tmpfile;
 	')
 
-	allow $1 usr_t:dir list_dir_perms;
-	read_files_pattern($1, usr_t, usr_t)
-	read_lnk_files_pattern($1, usr_t, usr_t)
+	dontaudit $1 tmpfile:sock_file getattr;
 ')
 
 ########################################
 ## <summary>
-##	Execute generic programs in /usr in the caller domain.
+##	Read all tmp files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -4878,19 +5884,18 @@ interface(`files_read_usr_files',`
 ##	</summary>
 ## </param>
 #
-interface(`files_exec_usr_files',`
+interface(`files_read_all_tmp_files',`
 	gen_require(`
-		type usr_t;
+		attribute tmpfile;
 	')
 
-	allow $1 usr_t:dir list_dir_perms;
-	exec_files_pattern($1, usr_t, usr_t)
-	read_lnk_files_pattern($1, usr_t, usr_t)
+	read_files_pattern($1, tmpfile, tmpfile)
 ')
 
 ########################################
 ## <summary>
-##	dontaudit write of /usr files
+##	Do not audit attempts to read or write
+##	all leaked tmpfiles files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -4898,71 +5903,70 @@ interface(`files_exec_usr_files',`
 ##	</summary>
 ## </param>
 #
-interface(`files_dontaudit_write_usr_files',`
+interface(`files_dontaudit_tmp_file_leaks',`
 	gen_require(`
-		type usr_t;
+		attribute tmpfile;
 	')
 
-	dontaudit $1 usr_t:file write;
+	dontaudit $1 tmpfile:file rw_inherited_file_perms;
 ')
 
 ########################################
 ## <summary>
-##	Create, read, write, and delete files in the /usr directory.
+##	Do allow attempts to read or write
+##	all leaked tmpfiles files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed access.
+##	Domain to not audit.
 ##	</summary>
 ## </param>
 #
-interface(`files_manage_usr_files',`
+interface(`files_rw_tmp_file_leaks',`
 	gen_require(`
-		type usr_t;
+		attribute tmpfile;
 	')
 
-	manage_files_pattern($1, usr_t, usr_t)
+	allow $1 tmpfile:file rw_inherited_file_perms;
 ')
 
 ########################################
 ## <summary>
-##	Relabel a file to the type used in /usr.
+##	Create an object in the tmp directories, with a private
+##	type using a type transition.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
-#
-interface(`files_relabelto_usr_files',`
-	gen_require(`
-		type usr_t;
-	')
-
-	relabelto_files_pattern($1, usr_t, usr_t)
-')
-
-########################################
-## <summary>
-##	Relabel a file from the type used in /usr.
-## </summary>
-## <param name="domain">
+## <param name="private type">
 ##	<summary>
-##	Domain allowed access.
+##	The type of the object to be created.
+##	</summary>
+## </param>
+## <param name="object">
+##	<summary>
+##	The object class of the object being created.
+##	</summary>
+## </param>
+## <param name="name" optional="true">
+##	<summary>
+##	The name of the object being created.
 ##	</summary>
 ## </param>
 #
-interface(`files_relabelfrom_usr_files',`
+interface(`files_tmp_filetrans',`
 	gen_require(`
-		type usr_t;
+		type tmp_t;
 	')
 
-	relabelfrom_files_pattern($1, usr_t, usr_t)
+	filetrans_pattern($1, tmp_t, $2, $3, $4)
 ')
 
 ########################################
 ## <summary>
-##	Read symbolic links in /usr.
+##	Delete the contents of /tmp.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
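Review bot: The parameter documentation of `files_rw_tmp_file_leaks` says `Domain to not audit.` although the interface emits an `allow` rule, not a `dontaudit`; a reader skimming the generated docs would take it for an audit-suppression interface when it actually grants read/write on every tmpfile. Change the param summary to `##	Domain allowed access.` and reword the summary to `##	Allow attempts to read or write all leaked tmpfiles files.` so it mirrors the wording used by the other allow interfaces in this file.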
@@ -4970,68 +5974,69 @@ interface(`files_relabelfrom_usr_files',`
 ##	</summary>
 ## </param>
 #
-interface(`files_read_usr_symlinks',`
+interface(`files_purge_tmp',`
 	gen_require(`
-		type usr_t;
+		attribute tmpfile;
 	')
 
-	read_lnk_files_pattern($1, usr_t, usr_t)
+	allow $1 tmpfile:dir list_dir_perms;
+	delete_dirs_pattern($1, tmpfile, tmpfile)
+	delete_files_pattern($1, tmpfile, tmpfile)
+	delete_lnk_files_pattern($1, tmpfile, tmpfile)
+	delete_fifo_files_pattern($1, tmpfile, tmpfile)
+	delete_sock_files_pattern($1, tmpfile, tmpfile)
+	delete_chr_files_pattern($1, tmpfile, tmpfile)
+	delete_blk_files_pattern($1, tmpfile, tmpfile)
+	files_list_isid_type_dirs($1)
+	files_delete_isid_type_dirs($1)
+	files_delete_isid_type_files($1)
+	files_delete_isid_type_symlinks($1)
+	files_delete_isid_type_fifo_files($1)
+	files_delete_isid_type_sock_files($1)
+	files_delete_isid_type_blk_files($1)
+	files_delete_isid_type_chr_files($1)
 ')
 
 ########################################
 ## <summary>
-##	Create objects in the /usr directory
+##	Set the attributes of the /usr directory.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <param name="file_type">
-##	<summary>
-##	The type of the object to be created
-##	</summary>
-## </param>
-## <param name="object_class">
-##	<summary>
-##	The object class.
-##	</summary>
-## </param>
-## <param name="name" optional="true">
-##	<summary>
-##	The name of the object being created.
-##	</summary>
-## </param>
 #
-interface(`files_usr_filetrans',`
+interface(`files_setattr_usr_dirs',`
 	gen_require(`
 		type usr_t;
 	')
 
-	filetrans_pattern($1, usr_t, $2, $3, $4)
+	allow $1 usr_t:dir setattr;
 ')
 
 ########################################
 ## <summary>
-##	Do not audit attempts to search /usr/src.
+##	Search the content of /usr.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain to not audit.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
-interface(`files_dontaudit_search_src',`
+interface(`files_search_usr',`
 	gen_require(`
-		type src_t;
+		type usr_t;
 	')
 
-	dontaudit $1 src_t:dir search_dir_perms;
+	allow $1 usr_t:dir search_dir_perms;
 ')
 
 ########################################
 ## <summary>
-##	Get the attributes of files in /usr/src.
+##	List the contents of generic
+##	directories in /usr.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
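Review bot: The summary of `files_purge_tmp` still reads `Delete the contents of /tmp.`, but the body now also calls `files_list_isid_type_dirs($1)` and the `files_delete_isid_type_*` interfaces, which act on objects labelled with the initial-SID file types wherever they are, not only under /tmp; every existing caller of `files_purge_tmp` silently gains that broader delete access. The summary should state the new scope, e.g. `##	Delete the contents of /tmp and any objects labelled with the initial SID file types.`, and a `<desc>` paragraph explaining why the isid deletes belong here would help reviewers of calling modules. The `files_delete_isid_type_*` and `files_list_isid_type_dirs` interfaces are not visible in this view, so their existence and permissions are assumed from the call sites.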
@@ -5039,41 +6044,35 @@ interface(`files_dontaudit_search_src',`
 ##	</summary>
 ## </param>
 #
-interface(`files_getattr_usr_src_files',`
+interface(`files_list_usr',`
 	gen_require(`
-		type usr_t, src_t;
+		type usr_t;
 	')
 
-	getattr_files_pattern($1, src_t, src_t)
-
-	# /usr/src/linux symlink:
-	read_lnk_files_pattern($1, usr_t, src_t)
+	allow $1 usr_t:dir list_dir_perms;
 ')
 
 ########################################
 ## <summary>
-##	Read files in /usr/src.
+##	Do not audit write of /usr dirs
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed access.
+##	Domain to not audit.
 ##	</summary>
 ## </param>
 #
-interface(`files_read_usr_src_files',`
+interface(`files_dontaudit_write_usr_dirs',`
 	gen_require(`
-		type usr_t, src_t;
+		type usr_t;
 	')
 
-	allow $1 usr_t:dir search_dir_perms;
-	read_files_pattern($1, { usr_t src_t }, src_t)
-	read_lnk_files_pattern($1, { usr_t src_t }, src_t)
-	allow $1 src_t:dir list_dir_perms;
+	dontaudit $1 usr_t:dir write;
 ')
 
 ########################################
 ## <summary>
-##	Execute programs in /usr/src in the caller domain.
+##	Add and remove entries from /usr directories.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -5081,38 +6080,36 @@ interface(`files_read_usr_src_files',`
 ##	</summary>
 ## </param>
 #
-interface(`files_exec_usr_src_files',`
+interface(`files_rw_usr_dirs',`
 	gen_require(`
-		type usr_t, src_t;
+		type usr_t;
 	')
 
-	list_dirs_pattern($1, usr_t, src_t)
-	exec_files_pattern($1, src_t, src_t)
-	read_lnk_files_pattern($1, src_t, src_t)
+	allow $1 usr_t:dir rw_dir_perms;
 ')
 
 ########################################
 ## <summary>
-##	Install a system.map into the /boot directory.
+##	Do not audit attempts to add and remove
+##	entries from /usr directories.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed access.
+##	Domain to not audit.
 ##	</summary>
 ## </param>
 #
-interface(`files_create_kernel_symbol_table',`
+interface(`files_dontaudit_rw_usr_dirs',`
 	gen_require(`
-		type boot_t, system_map_t;
+		type usr_t;
 	')
 
-	allow $1 boot_t:dir { list_dir_perms add_entry_dir_perms };
-	allow $1 system_map_t:file { create_file_perms rw_file_perms };
+	dontaudit $1 usr_t:dir rw_dir_perms;
 ')
 
 ########################################
 ## <summary>
-##	Read system.map in the /boot directory.
+##	Delete generic directories in /usr in the caller domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -5120,18 +6117,17 @@ interface(`files_create_kernel_symbol_table',`
 ##	</summary>
 ## </param>
 #
-interface(`files_read_kernel_symbol_table',`
+interface(`files_delete_usr_dirs',`
 	gen_require(`
-		type boot_t, system_map_t;
+		type usr_t;
 	')
 
-	allow $1 boot_t:dir list_dir_perms;
-	read_files_pattern($1, boot_t, system_map_t)
+	delete_dirs_pattern($1, usr_t, usr_t)
 ')
 
 ########################################
 ## <summary>
-##	Delete a system.map in the /boot directory.
+##	Delete generic files in /usr in the caller domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -5139,18 +6135,17 @@ interface(`files_read_kernel_symbol_table',`
 ##	</summary>
 ## </param>
 #
-interface(`files_delete_kernel_symbol_table',`
+interface(`files_delete_usr_files',`
 	gen_require(`
-		type boot_t, system_map_t;
+		type usr_t;
 	')
 
-	allow $1 boot_t:dir list_dir_perms;
-	delete_files_pattern($1, boot_t, system_map_t)
+	delete_files_pattern($1, usr_t, usr_t)
 ')
 
 ########################################
 ## <summary>
-##	Search the contents of /var.
+##	Get the attributes of files in /usr.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -5158,35 +6153,55 @@ interface(`files_delete_kernel_symbol_table',`
 ##	</summary>
 ## </param>
 #
-interface(`files_search_var',`
+interface(`files_getattr_usr_files',`
 	gen_require(`
-		type var_t;
+		type usr_t;
 	')
 
-	allow $1 var_t:dir search_dir_perms;
+	getattr_files_pattern($1, usr_t, usr_t)
 ')
 
 ########################################
 ## <summary>
-##	Do not audit attempts to write to /var.
+##	Read generic files in /usr.
 ## </summary>
+## <desc>
+##	<p>
+##	Allow the specified domain to read generic
+##	files in /usr. These files are various program
+##	files that do not have more specific SELinux types.
+##	Some examples of these files are:
+##	</p>
+##	<ul>
+##		<li>/usr/include/*</li>
+##		<li>/usr/share/doc/*</li>
+##		<li>/usr/share/info/*</li>
+##	</ul>
+##	<p>
+##	Generally, it is safe for many domains to have
+##	this access.
+##	</p>
+## </desc>
 ## <param name="domain">
 ##	<summary>
-##	Domain to not audit.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <infoflow type="read" weight="10"/>
 #
-interface(`files_dontaudit_write_var_dirs',`
+interface(`files_read_usr_files',`
 	gen_require(`
-		type var_t;
+		type usr_t;
 	')
 
-	dontaudit $1 var_t:dir write;
+	allow $1 usr_t:dir list_dir_perms;
+	read_files_pattern($1, usr_t, usr_t)
+	read_lnk_files_pattern($1, usr_t, usr_t)
 ')
 
 ########################################
 ## <summary>
-##	Allow attempts to write to /var.dirs
+##	Execute generic programs in /usr in the caller domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -5194,18 +6209,19 @@ interface(`files_dontaudit_write_var_dirs',`
 ##	</summary>
 ## </param>
 #
-interface(`files_write_var_dirs',`
+interface(`files_exec_usr_files',`
 	gen_require(`
-		type var_t;
+		type usr_t;
 	')
 
-	allow $1 var_t:dir write;
+	allow $1 usr_t:dir list_dir_perms;
+	exec_files_pattern($1, usr_t, usr_t)
+	read_lnk_files_pattern($1, usr_t, usr_t)
 ')
 
 ########################################
 ## <summary>
-##	Do not audit attempts to search
-##	the contents of /var.
+##	dontaudit write of /usr files
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -5213,17 +6229,17 @@ interface(`files_write_var_dirs',`
 ##	</summary>
 ## </param>
 #
-interface(`files_dontaudit_search_var',`
+interface(`files_dontaudit_write_usr_files',`
 	gen_require(`
-		type var_t;
+		type usr_t;
 	')
 
-	dontaudit $1 var_t:dir search_dir_perms;
+	dontaudit $1 usr_t:file write;
 ')
 
 ########################################
 ## <summary>
-##	List the contents of /var.
+##	Create, read, write, and delete files in the /usr directory.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -5231,18 +6247,17 @@ interface(`files_dontaudit_search_var',`
 ##	</summary>
 ## </param>
 #
-interface(`files_list_var',`
+interface(`files_manage_usr_files',`
 	gen_require(`
-		type var_t;
+		type usr_t;
 	')
 
-	allow $1 var_t:dir list_dir_perms;
+	manage_files_pattern($1, usr_t, usr_t)
 ')
 
 ########################################
 ## <summary>
-##	Create, read, write, and delete directories
-##	in the /var directory.
+##	Relabel a file to the type used in /usr.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -5250,17 +6265,17 @@ interface(`files_list_var',`
 ##	</summary>
 ## </param>
 #
-interface(`files_manage_var_dirs',`
+interface(`files_relabelto_usr_files',`
 	gen_require(`
-		type var_t;
+		type usr_t;
 	')
 
-	allow $1 var_t:dir manage_dir_perms;
+	relabelto_files_pattern($1, usr_t, usr_t)
 ')
 
 ########################################
 ## <summary>
-##	Read files in the /var directory.
+##	Relabel a file from the type used in /usr.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -5268,17 +6283,17 @@ interface(`files_manage_var_dirs',`
 ##	</summary>
 ## </param>
 #
-interface(`files_read_var_files',`
+interface(`files_relabelfrom_usr_files',`
 	gen_require(`
-		type var_t;
+		type usr_t;
 	')
 
-	read_files_pattern($1, var_t, var_t)
+	relabelfrom_files_pattern($1, usr_t, usr_t)
 ')
 
 ########################################
 ## <summary>
-##	Append files in the /var directory.
+##	Read symbolic links in /usr.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -5286,36 +6301,50 @@ interface(`files_read_var_files',`
 ##	</summary>
 ## </param>
 #
-interface(`files_append_var_files',`
+interface(`files_read_usr_symlinks',`
 	gen_require(`
-		type var_t;
+		type usr_t;
 	')
 
-	append_files_pattern($1, var_t, var_t)
+	read_lnk_files_pattern($1, usr_t, usr_t)
 ')
 
 ########################################
 ## <summary>
-##	Read and write files in the /var directory.
+##	Create objects in the /usr directory
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <param name="file_type">
+##	<summary>
+##	The type of the object to be created
+##	</summary>
+## </param>
+## <param name="object_class">
+##	<summary>
+##	The object class.
+##	</summary>
+## </param>
+## <param name="name" optional="true">
+##	<summary>
+##	The name of the object being created.
+##	</summary>
+## </param>
 #
-interface(`files_rw_var_files',`
+interface(`files_usr_filetrans',`
 	gen_require(`
-		type var_t;
+		type usr_t;
 	')
 
-	rw_files_pattern($1, var_t, var_t)
+	filetrans_pattern($1, usr_t, $2, $3, $4)
 ')
 
 ########################################
 ## <summary>
-##	Do not audit attempts to read and write
-##	files in the /var directory.
+##	Do not audit attempts to search /usr/src.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -5323,17 +6352,17 @@ interface(`files_rw_var_files',`
 ##	</summary>
 ## </param>
 #
-interface(`files_dontaudit_rw_var_files',`
+interface(`files_dontaudit_search_src',`
 	gen_require(`
-		type var_t;
+		type src_t;
 	')
 
-	dontaudit $1 var_t:file rw_file_perms;
+	dontaudit $1 src_t:dir search_dir_perms;
 ')
 
 ########################################
 ## <summary>
-##	Create, read, write, and delete files in the /var directory.
+##	Get the attributes of files in /usr/src.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -5341,17 +6370,20 @@ interface(`files_dontaudit_rw_var_files',`
 ##	</summary>
 ## </param>
 #
-interface(`files_manage_var_files',`
+interface(`files_getattr_usr_src_files',`
 	gen_require(`
-		type var_t;
+		type usr_t, src_t;
 	')
 
-	manage_files_pattern($1, var_t, var_t)
+	getattr_files_pattern($1, src_t, src_t)
+
+	# /usr/src/linux symlink:
+	read_lnk_files_pattern($1, usr_t, src_t)
 ')
 
 ########################################
 ## <summary>
-##	Read symbolic links in the /var directory.
+##	Read files in /usr/src.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -5359,18 +6391,20 @@ interface(`files_manage_var_files',`
 ##	</summary>
 ## </param>
 #
-interface(`files_read_var_symlinks',`
+interface(`files_read_usr_src_files',`
 	gen_require(`
-		type var_t;
+		type usr_t, src_t;
 	')
 
-	read_lnk_files_pattern($1, var_t, var_t)
+	allow $1 usr_t:dir search_dir_perms;
+	read_files_pattern($1, { usr_t src_t }, src_t)
+	read_lnk_files_pattern($1, { usr_t src_t }, src_t)
+	allow $1 src_t:dir list_dir_perms;
 ')
 
 ########################################
 ## <summary>
-##	Create, read, write, and delete symbolic
-##	links in the /var directory.
+##	Execute programs in /usr/src in the caller domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -5378,120 +6412,94 @@ interface(`files_read_var_symlinks',`
 ##	</summary>
 ## </param>
 #
-interface(`files_manage_var_symlinks',`
+interface(`files_exec_usr_src_files',`
 	gen_require(`
-		type var_t;
+		type usr_t, src_t;
 	')
 
-	manage_lnk_files_pattern($1, var_t, var_t)
+	list_dirs_pattern($1, usr_t, src_t)
+	exec_files_pattern($1, src_t, src_t)
+	read_lnk_files_pattern($1, src_t, src_t)
 ')
 
 ########################################
 ## <summary>
-##	Create objects in the /var directory
+##	Install a system.map into the /boot directory.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <param name="file_type">
-##	<summary>
-##	The type of the object to be created
-##	</summary>
-## </param>
-## <param name="object_class">
-##	<summary>
-##	The object class.
-##	</summary>
-## </param>
-## <param name="name" optional="true">
-##	<summary>
-##	The name of the object being created.
-##	</summary>
-## </param>
 #
-interface(`files_var_filetrans',`
+interface(`files_create_kernel_symbol_table',`
 	gen_require(`
-		type var_t;
+		type boot_t, system_map_t;
 	')
 
-	filetrans_pattern($1, var_t, $2, $3, $4)
+	allow $1 boot_t:dir { list_dir_perms add_entry_dir_perms };
+	allow $1 system_map_t:file { create_file_perms rw_file_perms };
 ')
 
 ########################################
 ## <summary>
-##	Get the attributes of the /var/lib directory.
+##	Dontaudit getattr attempts on the system.map file
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed access.
+##	Domain to not audit.
 ##	</summary>
 ## </param>
 #
-interface(`files_getattr_var_lib_dirs',`
+interface(`files_dontaduit_getattr_kernel_symbol_table',`
 	gen_require(`
-		type var_t, var_lib_t;
+		type system_map_t;
 	')
 
-	getattr_dirs_pattern($1, var_t, var_lib_t)
+	dontaudit $1 system_map_t:file getattr;
 ')
 
 ########################################
 ## <summary>
-##	Search the /var/lib directory.
+##	Read system.map in the /boot directory.
 ## </summary>
-## <desc>
-##	<p>
-##	Search the /var/lib directory.  This is
-##	necessary to access files or directories under
-##	/var/lib that have a private type.  For example, a
-##	domain accessing a private library file in the
-##	/var/lib directory:
-##	</p>
-##	<p>
-##	allow mydomain_t mylibfile_t:file read_file_perms;
-##	files_search_var_lib(mydomain_t)
-##	</p>
-## </desc>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <infoflow type="read" weight="5"/>
 #
-interface(`files_search_var_lib',`
+interface(`files_read_kernel_symbol_table',`
 	gen_require(`
-		type var_t, var_lib_t;
+		type boot_t, system_map_t;
 	')
 
-	search_dirs_pattern($1, var_t, var_lib_t)
+	allow $1 boot_t:dir list_dir_perms;
+	read_files_pattern($1, boot_t, system_map_t)
 ')
 
 ########################################
 ## <summary>
-##	Do not audit attempts to search the
-##	contents of /var/lib.
+##	Delete a system.map in the /boot directory.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain to not audit.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <infoflow type="read" weight="5"/>
 #
-interface(`files_dontaudit_search_var_lib',`
+interface(`files_delete_kernel_symbol_table',`
 	gen_require(`
-		type var_lib_t;
+		type boot_t, system_map_t;
 	')
 
-	dontaudit $1 var_lib_t:dir search_dir_perms;
+	allow $1 boot_t:dir list_dir_perms;
+	delete_files_pattern($1, boot_t, system_map_t)
 ')
 
 ########################################
 ## <summary>
-##	List the contents of the /var/lib directory.
+##	Search the contents of /var.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
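Review bot: The new interface name `files_dontaduit_getattr_kernel_symbol_table` contains a typo ("dontaduit"), which every caller would have to reproduce and which breaks the `files_dontaudit_*` naming pattern used throughout this file; since interface names are the module API, renaming later means touching all callers. Fix it now: `interface(\`files_dontaudit_getattr_kernel_symbol_table',\``. The rest of the hunk is a positional shift of existing /var/lib interfaces and needs no change.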
@@ -5499,88 +6507,72 @@ interface(`files_dontaudit_search_var_lib',`
 ##	</summary>
 ## </param>
 #
-interface(`files_list_var_lib',`
+interface(`files_search_var',`
 	gen_require(`
-		type var_t, var_lib_t;
+		type var_t;
 	')
 
-	list_dirs_pattern($1, var_t, var_lib_t)
+	allow $1 var_t:dir search_dir_perms;
 ')
 
-###########################################
+########################################
 ## <summary>
-##	Read-write /var/lib directories
+##	Do not audit attempts to write to /var.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed access.
+##	Domain to not audit.
 ##	</summary>
 ## </param>
 #
-interface(`files_rw_var_lib_dirs',`
+interface(`files_dontaudit_write_var_dirs',`
 	gen_require(`
-		type var_lib_t;
+		type var_t;
 	')
 
-	rw_dirs_pattern($1, var_lib_t, var_lib_t)
+	dontaudit $1 var_t:dir write;
 ')
 
 ########################################
 ## <summary>
-##	Create objects in the /var/lib directory
+##	Allow attempts to write to /var.dirs
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <param name="file_type">
-##	<summary>
-##	The type of the object to be created
-##	</summary>
-## </param>
-## <param name="object_class">
-##	<summary>
-##	The object class.
-##	</summary>
-## </param>
-## <param name="name" optional="true">
-##	<summary>
-##	The name of the object being created.
-##	</summary>
-## </param>
 #
-interface(`files_var_lib_filetrans',`
+interface(`files_write_var_dirs',`
 	gen_require(`
-		type var_t, var_lib_t;
+		type var_t;
 	')
 
-	allow $1 var_t:dir search_dir_perms;
-	filetrans_pattern($1, var_lib_t, $2, $3, $4)
+	allow $1 var_t:dir write;
 ')
 
 ########################################
 ## <summary>
-##	Read generic files in /var/lib.
+##	Do not audit attempts to search
+##	the contents of /var.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed access.
+##	Domain to not audit.
 ##	</summary>
 ## </param>
 #
-interface(`files_read_var_lib_files',`
+interface(`files_dontaudit_search_var',`
 	gen_require(`
-		type var_t, var_lib_t;
+		type var_t;
 	')
 
-	allow $1 var_lib_t:dir list_dir_perms;
-	read_files_pattern($1, { var_t var_lib_t }, var_lib_t)
+	dontaudit $1 var_t:dir search_dir_perms;
 ')
 
 ########################################
 ## <summary>
-##	Read generic symbolic links in /var/lib
+##	List the contents of /var.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -5588,41 +6580,36 @@ interface(`files_read_var_lib_files',`
 ##	</summary>
 ## </param>
 #
-interface(`files_read_var_lib_symlinks',`
+interface(`files_list_var',`
 	gen_require(`
-		type var_t, var_lib_t;
+		type var_t;
 	')
 
-	read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t)
+	allow $1 var_t:dir list_dir_perms;
 ')
 
-# cjp: the next two interfaces really need to be fixed
-# in some way.  They really neeed their own types.
-
 ########################################
 ## <summary>
-##	Create, read, write, and delete the
-##	pseudorandom number generator seed.
+##	Do not audit listing of the var directory (/var).
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed access.
+##	Domain to not audit.
 ##	</summary>
 ## </param>
 #
-interface(`files_manage_urandom_seed',`
+interface(`files_dontaudit_list_var',`
 	gen_require(`
-		type var_t, var_lib_t;
+		type var_t;
 	')
 
-	allow $1 var_t:dir search_dir_perms;
-	manage_files_pattern($1, var_lib_t, var_lib_t)
+	dontaudit $1 var_t:dir list_dir_perms;
 ')
 
 ########################################
 ## <summary>
-##	Allow domain to manage mount tables
-##	necessary for rpcd, nfsd, etc.
+##	Create, read, write, and delete directories
+##	in the /var directory.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -5630,18 +6617,17 @@ interface(`files_manage_urandom_seed',`
 ##	</summary>
 ## </param>
 #
-interface(`files_manage_mounttab',`
+interface(`files_manage_var_dirs',`
 	gen_require(`
-		type var_t, var_lib_t;
+		type var_t;
 	')
 
-	allow $1 var_t:dir search_dir_perms;
-	manage_files_pattern($1, var_lib_t, var_lib_t)
+	allow $1 var_t:dir manage_dir_perms;
 ')
 
 ########################################
 ## <summary>
-##	Set the attributes of the generic lock directories.
+##	Read files in the /var directory.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
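Review bot: The body of `files_manage_var_dirs` is written as a raw `allow $1 var_t:dir manage_dir_perms;` while every neighbouring interface in this hunk series (`files_read_var_files`, `files_append_var_files`, `files_manage_var_files`) uses the `*_pattern` macros, so the block reads inconsistently for no functional gain. For a directory whose container and target type are both `var_t` the macro form is the same rule set, so `manage_dirs_pattern($1, var_t, var_t)` would keep the file's idiom. This is style only; the access granted is unchanged.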
@@ -5649,17 +6635,17 @@ interface(`files_manage_mounttab',`
 ##	</summary>
 ## </param>
 #
-interface(`files_setattr_lock_dirs',`
+interface(`files_read_var_files',`
 	gen_require(`
-		type var_t, var_lock_t;
+		type var_t;
 	')
 
-	setattr_dirs_pattern($1, var_t, var_lock_t)
+	read_files_pattern($1, var_t, var_t)
 ')
 
 ########################################
 ## <summary>
-##	Search the locks directory (/var/lock).
+##	Append files in the /var directory.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -5667,58 +6653,54 @@ interface(`files_setattr_lock_dirs',`
 ##	</summary>
 ## </param>
 #
-interface(`files_search_locks',`
+interface(`files_append_var_files',`
 	gen_require(`
-		type var_t, var_lock_t;
+		type var_t;
 	')
 
-	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-	search_dirs_pattern($1, var_t, var_lock_t)
+	append_files_pattern($1, var_t, var_t)
 ')
 
 ########################################
 ## <summary>
-##	Do not audit attempts to search the
-##	locks directory (/var/lock).
+##	Read and write files in the /var directory.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain to not audit.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
-interface(`files_dontaudit_search_locks',`
+interface(`files_rw_var_files',`
 	gen_require(`
-		type var_lock_t;
+		type var_t;
 	')
 
-	dontaudit $1 var_lock_t:lnk_file read_lnk_file_perms;
-	dontaudit $1 var_lock_t:dir search_dir_perms;
+	rw_files_pattern($1, var_t, var_t)
 ')
 
 ########################################
 ## <summary>
-##	List generic lock directories.
+##	Do not audit attempts to read and write
+##	files in the /var directory.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed access.
+##	Domain to not audit.
 ##	</summary>
 ## </param>
 #
-interface(`files_list_locks',`
+interface(`files_dontaudit_rw_var_files',`
 	gen_require(`
-		type var_t, var_lock_t;
+		type var_t;
 	')
 
-	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-	list_dirs_pattern($1, var_t, var_lock_t)
+	dontaudit $1 var_t:file rw_inherited_file_perms;
 ')
 
 ########################################
 ## <summary>
-##	Add and remove entries in the /var/lock
-##	directories.
+##	Create, read, write, and delete files in the /var directory.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
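Review bot: The summary of `files_dontaudit_rw_var_files` says "read and write files in the /var directory", but the rule added on L15242 only covers `rw_inherited_file_perms`, which (as the name implies) is the inherited-descriptor subset and does not include `open`; the doc therefore overstates what the interface silences. Suggested summary: `##	Do not audit attempts to read and write inherited files in the /var directory.` The later `files_dontaudit_rw_inherited_locks` interface in this commit uses exactly that wording for the same permission set, so aligning the two also keeps the generated documentation consistent.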
@@ -5726,81 +6708,88 @@ interface(`files_list_locks',`
 ##	</summary>
 ## </param>
 #
-interface(`files_rw_lock_dirs',`
+interface(`files_manage_var_files',`
 	gen_require(`
-		type var_t, var_lock_t;
+		type var_t;
 	')
 
-	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-	rw_dirs_pattern($1, var_t, var_lock_t)
+	manage_files_pattern($1, var_t, var_t)
 ')
 
 ########################################
 ## <summary>
-## 	Create lock directories
+##	Read symbolic links in the /var directory.
 ## </summary>
 ## <param name="domain">
-## 	<summary>
-##	Domain allowed access
+##	<summary>
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
-interface(`files_create_lock_dirs',`
+interface(`files_read_var_symlinks',`
 	gen_require(`
-		type var_t, var_lock_t;
+		type var_t;
 	')
 
-	allow $1 var_t:dir search_dir_perms;
-	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-	create_dirs_pattern($1, var_lock_t, var_lock_t)
+	read_lnk_files_pattern($1, var_t, var_t)
 ')
 
 ########################################
 ## <summary>
-##	Relabel to and from all lock directory types.
+##	Create, read, write, and delete symbolic
+##	links in the /var directory.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <rolecap/>
 #
-interface(`files_relabel_all_lock_dirs',`
+interface(`files_manage_var_symlinks',`
 	gen_require(`
-		attribute lockfile;
-		type var_t, var_lock_t;
+		type var_t;
 	')
 
-	allow $1 var_t:dir search_dir_perms;
-	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-	relabel_dirs_pattern($1, lockfile, lockfile)
+	manage_lnk_files_pattern($1, var_t, var_t)
 ')
 
 ########################################
 ## <summary>
-##	Get the attributes of generic lock files.
+##	Create objects in the /var directory
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <param name="file_type">
+##	<summary>
+##	The type of the object to be created
+##	</summary>
+## </param>
+## <param name="object_class">
+##	<summary>
+##	The object class.
+##	</summary>
+## </param>
+## <param name="name" optional="true">
+##	<summary>
+##	The name of the object being created.
+##	</summary>
+## </param>
 #
-interface(`files_getattr_generic_locks',`
+interface(`files_var_filetrans',`
 	gen_require(`
-		type var_t, var_lock_t;
+		type var_t;
 	')
 
-	allow $1 var_t:dir search_dir_perms;
-	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-	allow $1 var_lock_t:dir list_dir_perms;
-	getattr_files_pattern($1, var_lock_t, var_lock_t)
+	filetrans_pattern($1, var_t, $2, $3, $4)
 ')
 
+
 ########################################
 ## <summary>
-##	Delete generic lock files.
+## Relabel dirs in the /var directory.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
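Review bot: The `## <rolecap/>` annotation on `files_relabel_all_lock_dirs` is removed on L15306, and the copy of that interface re-added further down this diff does not carry it either, so the commit silently drops the interface from the role-capability listing that the doc tooling derives from that tag; if that is not intended, restore `## <rolecap/>` before the `#` line of the re-added definition. Separately, L15362 introduces a doubled blank line before the `files_relabel_var_dirs` banner, which the rest of the file does not do, and the `files_var_filetrans` summary on L15325 lacks a terminating period unlike its siblings.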
@@ -5808,20 +6797,16 @@ interface(`files_getattr_generic_locks',`
 ##	</summary>
 ## </param>
 #
-interface(`files_delete_generic_locks',`
+interface(`files_relabel_var_dirs',`
 	gen_require(`
-		type var_t, var_lock_t;
+		type var_t;
 	')
-
-	allow $1 var_t:dir search_dir_perms;
-	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-	delete_files_pattern($1, var_lock_t, var_lock_t)
+    allow $1 var_t:dir relabel_dir_perms;
 ')
 
 ########################################
 ## <summary>
-##	Create, read, write, and delete generic
-##	lock files.
+##	Get the attributes of the /var/lib directory.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
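Review bot: L15384 indents the `allow $1 var_t:dir relabel_dir_perms;` line of `files_relabel_var_dirs` with four spaces while every other interface body in the file uses a single tab, and the blank line that normally separates the `gen_require` block from the rules is dropped on L15380; both make the block stand out in a diff for no reason. Re-indent that line with a tab and keep the separating blank line. The same space-indentation appears in `files_relabelto_var_lib_dirs` and `files_relabel_var_lib_dirs` later in this diff.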
@@ -5829,65 +6814,69 @@ interface(`files_delete_generic_locks',`
 ##	</summary>
 ## </param>
 #
-interface(`files_manage_generic_locks',`
+interface(`files_getattr_var_lib_dirs',`
 	gen_require(`
-		type var_t, var_lock_t;
+		type var_t, var_lib_t;
 	')
 
-	allow $1 var_t:dir search_dir_perms;
-	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-	manage_dirs_pattern($1, var_lock_t, var_lock_t)
-	manage_files_pattern($1, var_lock_t, var_lock_t)
+	getattr_dirs_pattern($1, var_t, var_lib_t)
 ')
 
 ########################################
 ## <summary>
-##	Delete all lock files.
+##	Search the /var/lib directory.
 ## </summary>
+## <desc>
+##	<p>
+##	Search the /var/lib directory.  This is
+##	necessary to access files or directories under
+##	/var/lib that have a private type.  For example, a
+##	domain accessing a private library file in the
+##	/var/lib directory:
+##	</p>
+##	<p>
+##	allow mydomain_t mylibfile_t:file read_file_perms;
+##	files_search_var_lib(mydomain_t)
+##	</p>
+## </desc>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <rolecap/>
+## <infoflow type="read" weight="5"/>
 #
-interface(`files_delete_all_locks',`
+interface(`files_search_var_lib',`
 	gen_require(`
-		attribute lockfile;
-		type var_t, var_lock_t;
+		type var_t, var_lib_t;
 	')
 
-	allow $1 var_t:dir search_dir_perms;
-	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-	delete_files_pattern($1, lockfile, lockfile)
+	search_dirs_pattern($1, var_t, var_lib_t)
 ')
 
 ########################################
 ## <summary>
-##	Read all lock files.
+##	Do not audit attempts to search the
+##	contents of /var/lib.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed access.
+##	Domain to not audit.
 ##	</summary>
 ## </param>
+## <infoflow type="read" weight="5"/>
 #
-interface(`files_read_all_locks',`
+interface(`files_dontaudit_search_var_lib',`
 	gen_require(`
-		attribute lockfile;
-		type var_t, var_lock_t;
+		type var_lib_t;
 	')
 
-	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-	allow $1 { var_t var_lock_t }:dir search_dir_perms;
-	allow $1 lockfile:dir list_dir_perms;
-	read_files_pattern($1, lockfile, lockfile)
-	read_lnk_files_pattern($1, lockfile, lockfile)
+	dontaudit $1 var_lib_t:dir search_dir_perms;
 ')
 
 ########################################
 ## <summary>
-##	manage all lock files.
+##	List the contents of the /var/lib directory.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
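Review bot: `files_dontaudit_search_var_lib` is annotated `## <infoflow type="read" weight="5"/>` on L15465, but the interface only adds a `dontaudit` rule on L15480, which grants no access and therefore carries no information flow; copying the annotation from `files_search_var_lib` overstates it for any tooling that reads the infoflow metadata. The conventional marking for a dontaudit-only interface, as far as I recall from the rest of this file, is `## <infoflow type="none"/>`; worth confirming against the other dontaudit interfaces before changing. The `<desc>` block added for `files_search_var_lib` is a welcome addition and reads correctly.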
@@ -5895,78 +6884,1372 @@ interface(`files_read_all_locks',`
 ##	</summary>
 ## </param>
 #
-interface(`files_manage_all_locks',`
+interface(`files_list_var_lib',`
 	gen_require(`
-		attribute lockfile;
-		type var_t, var_lock_t;
+		type var_t, var_lib_t;
 	')
 
-	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-	allow $1 { var_t var_lock_t }:dir search_dir_perms;
-	manage_dirs_pattern($1, lockfile, lockfile)
-	manage_files_pattern($1, lockfile, lockfile)
-	manage_lnk_files_pattern($1, lockfile, lockfile)
+	list_dirs_pattern($1, var_t, var_lib_t)
 ')
 
-########################################
+###########################################
 ## <summary>
-##	Create an object in the locks directory, with a private
-##	type using a type transition.
+##	Read-write /var/lib directories
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <param name="private type">
-##	<summary>
-##	The type of the object to be created.
-##	</summary>
-## </param>
-## <param name="object">
-##	<summary>
-##	The object class of the object being created.
-##	</summary>
-## </param>
-## <param name="name" optional="true">
-##	<summary>
-##	The name of the object being created.
-##	</summary>
-## </param>
 #
-interface(`files_lock_filetrans',`
+interface(`files_rw_var_lib_dirs',`
 	gen_require(`
-		type var_t, var_lock_t;
+		type var_lib_t;
 	')
 
-	allow $1 var_t:dir search_dir_perms;
-	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-	filetrans_pattern($1, var_lock_t, $2, $3, $4)
+	rw_dirs_pattern($1, var_lib_t, var_lib_t)
 ')
 
 ########################################
 ## <summary>
-##	Do not audit attempts to get the attributes
-##	of the /var/run directory.
+##	Create directories in /var/lib
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain to not audit.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
-interface(`files_dontaudit_getattr_pid_dirs',`
+interface(`files_create_var_lib_dirs',`
 	gen_require(`
-		type var_run_t;
+		type var_lib_t;
 	')
 
-	dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
-	dontaudit $1 var_run_t:dir getattr;
+	allow $1 var_lib_t:dir { create rw_dir_perms };
 ')
 
+
 ########################################
 ## <summary>
-##	Set the attributes of the /var/run directory.
+##	Create objects in the /var/lib directory
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="file_type">
+##	<summary>
+##	The type of the object to be created
+##	</summary>
+## </param>
+## <param name="object_class">
+##	<summary>
+##	The object class.
+##	</summary>
+## </param>
+## <param name="name" optional="true">
+##	<summary>
+##	The name of the object being created.
+##	</summary>
+## </param>
+#
+interface(`files_var_lib_filetrans',`
+	gen_require(`
+		type var_t, var_lib_t;
+	')
+
+	allow $1 var_t:dir search_dir_perms;
+	filetrans_pattern($1, var_lib_t, $2, $3, $4)
+')
+
+########################################
+## <summary>
+##	Read generic files in /var/lib.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_read_var_lib_files',`
+	gen_require(`
+		type var_t, var_lib_t;
+	')
+
+	allow $1 var_lib_t:dir list_dir_perms;
+	read_files_pattern($1, { var_t var_lib_t }, var_lib_t)
+')
+
+########################################
+## <summary>
+##	Read generic symbolic links in /var/lib
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_read_var_lib_symlinks',`
+	gen_require(`
+		type var_t, var_lib_t;
+	')
+
+	read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t)
+')
+
+########################################
+## <summary>
+##	manage generic symbolic links
+##	in the /var/lib directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_manage_var_lib_symlinks',`
+	gen_require(`
+		type var_lib_t;
+	')
+
+	manage_lnk_files_pattern($1,var_lib_t,var_lib_t)
+')
+
+# cjp: the next two interfaces really need to be fixed
+# in some way.  They really neeed their own types.
+
+########################################
+## <summary>
+##	Create, read, write, and delete the
+##	pseudorandom number generator seed.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_manage_urandom_seed',`
+	gen_require(`
+		type var_t, var_lib_t;
+	')
+
+	allow $1 var_t:dir search_dir_perms;
+	manage_files_pattern($1, var_lib_t, var_lib_t)
+')
+
+
+########################################
+## <summary>
+## Relabel to dirs in the /var/lib directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_relabelto_var_lib_dirs',`
+	gen_require(`
+		type var_lib_t;
+	')
+    allow $1 var_lib_t:dir relabelto;
+')
+
+
+########################################
+## <summary>
+## Relabel dirs in the /var/lib directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_relabel_var_lib_dirs',`
+	gen_require(`
+		type var_lib_t;
+	')
+    allow $1 var_lib_t:dir relabel_dir_perms;
+')
+
+########################################
+## <summary>
+##	Allow domain to manage mount tables
+##	necessary for rpcd, nfsd, etc.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_manage_mounttab',`
+	gen_require(`
+		type var_t, var_lib_t;
+	')
+
+	allow $1 var_t:dir search_dir_perms;
+	manage_files_pattern($1, var_lib_t, var_lib_t)
+')
+
+########################################
+## <summary>
+##	List generic lock directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_list_locks',`
+	gen_require(`
+		type var_t, var_lock_t;
+	')
+
+	files_search_locks($1)
+	list_dirs_pattern($1, var_t, var_lock_t)
+')
+
+########################################
+## <summary>
+##	Search the locks directory (/var/lock).
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_search_locks',`
+	gen_require(`
+		type var_t, var_lock_t;
+	')
+
+	files_search_pids($1)
+	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+	search_dirs_pattern($1, var_t, var_lock_t)
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to search the
+##	locks directory (/var/lock).
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`files_dontaudit_search_locks',`
+	gen_require(`
+		type var_lock_t;
+	')
+
+	dontaudit $1 var_lock_t:lnk_file read_lnk_file_perms;
+	dontaudit $1 var_lock_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to read/write inherited
+##	locks (/var/lock).
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`files_dontaudit_rw_inherited_locks',`
+	gen_require(`
+		type var_lock_t;
+	')
+
+	dontaudit $1 var_lock_t:file rw_inherited_file_perms;
+')
+
+########################################
+## <summary>
+##	Set the attributes of the /var/lock directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_setattr_lock_dirs',`
+	gen_require(`
+		type var_lock_t;
+	')
+
+	allow $1 var_lock_t:dir setattr;
+')
+
+########################################
+## <summary>
+##	Add and remove entries in the /var/lock
+##	directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_rw_lock_dirs',`
+	gen_require(`
+		type var_t, var_lock_t;
+	')
+
+	files_search_locks($1)
+	rw_dirs_pattern($1, var_t, var_lock_t)
+')
+
+########################################
+## <summary>
+## 	Create lock directories
+## </summary>
+## <param name="domain">
+## 	<summary>
+##	Domain allowed access
+##	</summary>
+## </param>
+#
+interface(`files_create_lock_dirs',`
+	gen_require(`
+		type var_t, var_lock_t;
+	')
+
+	allow $1 var_t:dir search_dir_perms;
+	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+	create_dirs_pattern($1, var_lock_t, var_lock_t)
+')
+
+########################################
+## <summary>
+##	Relabel to and from all lock directory types.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_relabel_all_lock_dirs',`
+	gen_require(`
+		attribute lockfile;
+		type var_t, var_lock_t;
+	')
+
+	allow $1 var_t:dir search_dir_perms;
+	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+	relabel_dirs_pattern($1, lockfile, lockfile)
+')
+
+########################################
+## <summary>
+##	Relabel to and from all lock file types.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_relabel_all_lock_files',`
+	gen_require(`
+		attribute lockfile;
+		type var_t, var_lock_t;
+	')
+
+	allow $1 var_t:dir search_dir_perms;
+	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+	relabel_files_pattern($1, lockfile, lockfile)
+')
+
+########################################
+## <summary>
+##	Get the attributes of generic lock files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_getattr_generic_locks',`
+	gen_require(`
+		type var_t, var_lock_t;
+	')
+
+	files_search_locks($1)
+	allow $1 var_lock_t:dir list_dir_perms;
+	getattr_files_pattern($1, var_lock_t, var_lock_t)
+')
+
+########################################
+## <summary>
+##	Delete generic lock files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_delete_generic_locks',`
+       gen_require(`
+		type var_t, var_lock_t;
+       ')
+
+       files_search_locks($1)
+       delete_files_pattern($1, var_lock_t, var_lock_t)
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete generic
+##	lock files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_manage_generic_locks',`
+	gen_require(`
+		type var_t, var_lock_t;
+	')
+
+	files_search_locks($1)
+	manage_files_pattern($1, var_lock_t, var_lock_t)
+')
+
+########################################
+## <summary>
+##	Delete all lock files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`files_delete_all_locks',`
+	gen_require(`
+		attribute lockfile;
+		type var_t, var_lock_t;
+	')
+
+	allow $1 var_t:dir search_dir_perms;
+	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+	delete_files_pattern($1, lockfile, lockfile)
+')
+
+########################################
+## <summary>
+##	Read all lock files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_read_all_locks',`
+	gen_require(`
+		attribute lockfile;
+		type var_t, var_lock_t;
+	')
+
+	files_search_locks($1)
+	allow $1 lockfile:dir list_dir_perms;
+	read_files_pattern($1, lockfile, lockfile)
+	read_lnk_files_pattern($1, lockfile, lockfile)
+')
+
+########################################
+## <summary>
+##	manage all lock files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_manage_all_locks',`
+	gen_require(`
+		attribute lockfile;
+		type var_t, var_lock_t;
+	')
+
+	files_search_locks($1)
+	manage_dirs_pattern($1, lockfile, lockfile)
+	manage_files_pattern($1, lockfile, lockfile)
+	manage_lnk_files_pattern($1, lockfile, lockfile)
+')
+
+########################################
+## <summary>
+##	Create an object in the locks directory, with a private
+##	type using a type transition.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="private type">
+##	<summary>
+##	The type of the object to be created.
+##	</summary>
+## </param>
+## <param name="object">
+##	<summary>
+##	The object class of the object being created.
+##	</summary>
+## </param>
+## <param name="name" optional="true">
+##	<summary>
+##	The name of the object being created.
+##	</summary>
+## </param>
+#
+interface(`files_lock_filetrans',`
+	gen_require(`
+		type var_t, var_lock_t;
+	')
+
+	files_search_locks($1)
+	filetrans_pattern($1, var_lock_t, $2, $3, $4)
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to get the attributes
+##	of the /var/run directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`files_dontaudit_getattr_pid_dirs',`
+	gen_require(`
+		type var_run_t;
+	')
+
+	dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
+	dontaudit $1 var_run_t:dir getattr;
+')
+
+########################################
+## <summary>
+##	Set the attributes of the /var/run directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_setattr_pid_dirs',`
+	gen_require(`
+		type var_run_t;
+	')
+
+	files_search_pids($1)
+	allow $1 var_run_t:dir setattr;
+')
+
+########################################
+## <summary>
+##	Search the contents of runtime process
+##	ID directories (/var/run).
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_search_pids',`
+	gen_require(`
+		type var_t, var_run_t;
+	')
+
+	allow $1 var_t:lnk_file read_lnk_file_perms;
+	allow $1 var_run_t:lnk_file read_lnk_file_perms;
+	search_dirs_pattern($1, var_t, var_run_t)
+')
+
+######################################
+## <summary>
+## Add and remove entries from pid directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_rw_pid_dirs',`
+    gen_require(`
+        type var_run_t;
+    ')
+
+    allow $1 var_run_t:dir rw_dir_perms;
+')
+
+#######################################
+## <summary>
+##      Create generic pid directory.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`files_create_var_run_dirs',`
+        gen_require(`
+                type var_t, var_run_t;
+        ')
+
+        allow $1 var_t:dir search_dir_perms;
+        allow $1 var_run_t:dir create_dir_perms;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to search
+##	the /var/run directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`files_dontaudit_search_pids',`
+	gen_require(`
+		type var_run_t;
+	')
+
+	dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
+	dontaudit $1 var_run_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to search
+##	the all /var/run directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`files_dontaudit_search_all_pids',`
+	gen_require(`
+		attribute pidfile;
+	')
+
+	dontaudit $1 pidfile:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+##	Allow search the all /var/run directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`files_search_all_pids',`
+	gen_require(`
+		attribute pidfile;
+	')
+
+	allow $1 pidfile:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+##	List the contents of the runtime process
+##	ID directories (/var/run).
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_list_pids',`
+	gen_require(`
+		type var_t, var_run_t;
+	')
+
+	files_search_pids($1)
+	list_dirs_pattern($1, var_t, var_run_t)
+')
+
+########################################
+## <summary>
+##	Read generic process ID files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_read_generic_pids',`
+	gen_require(`
+		type var_t, var_run_t;
+	')
+
+	files_search_pids($1)
+	list_dirs_pattern($1, var_t, var_run_t)
+	read_files_pattern($1, var_run_t, var_run_t)
+')
+
+########################################
+## <summary>
+##	Write named generic process ID pipes
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_write_generic_pid_pipes',`
+	gen_require(`
+		type var_run_t;
+	')
+
+	files_search_pids($1)
+	allow $1 var_run_t:fifo_file write;
+')
+
+########################################
+## <summary>
+##	Create an object in the process ID directory, with a private type.
+## </summary>
+## <desc>
+##	<p>
+##	Create an object in the process ID directory (e.g., /var/run)
+##	with a private type.  Typically this is used for creating
+##	private PID files in /var/run with the private type instead
+##	of the general PID file type. To accomplish this goal,
+##	either the program must be SELinux-aware, or use this interface.
+##	</p>
+##	<p>
+##	Related interfaces:
+##	</p>
+##	<ul>
+##		<li>files_pid_file()</li>
+##	</ul>
+##	<p>
+##	Example usage with a domain that can create and
+##	write its PID file with a private PID file type in the
+##	/var/run directory:
+##	</p>
+##	<p>
+##	type mypidfile_t;
+##	files_pid_file(mypidfile_t)
+##	allow mydomain_t mypidfile_t:file { create_file_perms write_file_perms };
+##	files_pid_filetrans(mydomain_t, mypidfile_t, file)
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="private type">
+##	<summary>
+##	The type of the object to be created.
+##	</summary>
+## </param>
+## <param name="object">
+##	<summary>
+##	The object class of the object being created.
+##	</summary>
+## </param>
+## <param name="name" optional="true">
+##	<summary>
+##	The name of the object being created.
+##	</summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`files_pid_filetrans',`
+	gen_require(`
+		type var_t, var_run_t;
+	')
+
+	allow $1 var_t:dir search_dir_perms;
+	filetrans_pattern($1, var_run_t, $2, $3, $4)
+')
+
+########################################
+## <summary>
+## 	Create a generic lock directory within the run directories
+## </summary>
+## <param name="domain">
+## 	<summary>
+##	Domain allowed access
+##	</summary>
+## </param>
+## <param name="name" optional="true">
+##	<summary>
+##	The name of the object being created.
+##	</summary>
+## </param>
+#
+interface(`files_pid_filetrans_lock_dir',`
+	gen_require(`
+		type var_lock_t;
+	')
+
+	files_pid_filetrans($1, var_lock_t, dir, $2)
+')
+
+########################################
+## <summary>
+##	rw generic pid files inherited from another process
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_rw_inherited_generic_pid_files',`
+	gen_require(`
+		type var_run_t;
+	')
+
+	allow $1 var_run_t:file rw_inherited_file_perms;
+')
+
+########################################
+## <summary>
+##	Read and write generic process ID files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_rw_generic_pids',`
+	gen_require(`
+		type var_t, var_run_t;
+	')
+
+	files_search_pids($1)
+	list_dirs_pattern($1, var_t, var_run_t)
+	rw_files_pattern($1, var_run_t, var_run_t)
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to get the attributes of
+##	daemon runtime data files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`files_dontaudit_getattr_all_pids',`
+	gen_require(`
+		attribute pidfile;
+		type var_run_t;
+	')
+
+	dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
+	dontaudit $1 pidfile:file getattr;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to write to daemon runtime data files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`files_dontaudit_write_all_pids',`
+	gen_require(`
+		attribute pidfile;
+	')
+
+	dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
+	dontaudit $1 pidfile:file write;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to ioctl daemon runtime data files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`files_dontaudit_ioctl_all_pids',`
+	gen_require(`
+		attribute pidfile;
+		type var_run_t;
+	')
+
+	dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
+	dontaudit $1 pidfile:file ioctl;
+')
+
+########################################
+## <summary>
+##	Relable all pid directories
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_relabel_all_pid_dirs',`
+	gen_require(`
+		attribute pidfile;
+	')
+
+	relabel_dirs_pattern($1, pidfile, pidfile)
+')
+
+########################################
+## <summary>
+##	Delete all pid sockets
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_delete_all_pid_sockets',`
+	gen_require(`
+		attribute pidfile;
+	')
+
+	allow $1 pidfile:sock_file delete_sock_file_perms;
+')
+
+########################################
+## <summary>
+##	Create all pid sockets
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_create_all_pid_sockets',`
+	gen_require(`
+		attribute pidfile;
+	')
+
+	allow $1 pidfile:sock_file create_sock_file_perms;
+')
+
+########################################
+## <summary>
+##	Create all pid named pipes
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_create_all_pid_pipes',`
+	gen_require(`
+		attribute pidfile;
+	')
+
+	allow $1 pidfile:fifo_file create_fifo_file_perms;
+')
+
+########################################
+## <summary>
+##	Delete all pid named pipes
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_delete_all_pid_pipes',`
+	gen_require(`
+		attribute pidfile;
+	')
+
+	allow $1 pidfile:fifo_file delete_fifo_file_perms;
+')
+
+########################################
+## <summary>
+##	manage all pidfile directories
+##	in the /var/run directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_manage_all_pid_dirs',`
+	gen_require(`
+		attribute pidfile;
+	')
+
+	manage_dirs_pattern($1,pidfile,pidfile)
+')
+
+
+########################################
+## <summary>
+##	Read all process ID files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`files_read_all_pids',`
+	gen_require(`
+		attribute pidfile;
+		type var_t;
+	')
+
+	list_dirs_pattern($1, var_t, pidfile)
+	read_files_pattern($1, pidfile, pidfile)
+	read_lnk_files_pattern($1, pidfile, pidfile)
+')
+
+########################################
+## <summary>
+##	Relable all pid files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_relabel_all_pid_files',`
+	gen_require(`
+		attribute pidfile;
+	')
+
+	relabel_files_pattern($1, pidfile, pidfile)
+')
+
+########################################
+## <summary>
+##	Execute generic programs in /var/run in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_exec_generic_pid_files',`
+	gen_require(`
+		type var_run_t;
+	')
+
+	exec_files_pattern($1, var_run_t, var_run_t)
+')
+
+########################################
+## <summary>
+##	Write all sockets
+##	in the /var/run directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_write_all_pid_sockets',`
+	gen_require(`
+		attribute pidfile;
+	')
+
+	allow $1 pidfile:sock_file write_sock_file_perms;
+')
+
+########################################
+## <summary>
+##	manage all pidfiles 
+##	in the /var/run directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_manage_all_pids',`
+	gen_require(`
+		attribute pidfile;
+	')
+
+	manage_files_pattern($1,pidfile,pidfile)
+')
+
+########################################
+## <summary>
+##	Mount filesystems on all polyinstantiation
+##	member directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_mounton_all_poly_members',`
+	gen_require(`
+		attribute polymember;
+	')
+
+	allow $1 polymember:dir mounton;
+')
+
+########################################
+## <summary>
+##	Delete all process IDs.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`files_delete_all_pids',`
+	gen_require(`
+		attribute pidfile;
+		type var_t, var_run_t;
+	')
+
+	files_search_pids($1)
+	allow $1 var_t:dir search_dir_perms;
+	allow $1 var_run_t:dir rmdir;
+	allow $1 var_run_t:lnk_file delete_lnk_file_perms;
+	delete_files_pattern($1, pidfile, pidfile)
+	delete_fifo_files_pattern($1, pidfile, pidfile)
+	delete_sock_files_pattern($1, pidfile, { pidfile var_run_t })
+')
+
+########################################
+## <summary>
+##	Delete all process ID directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_delete_all_pid_dirs',`
+	gen_require(`
+		attribute pidfile;
+		type var_t, var_run_t;
+	')
+
+	files_search_pids($1)
+	allow $1 var_t:dir search_dir_perms;
+	delete_dirs_pattern($1, pidfile, pidfile)
+')
+
+########################################
+## <summary>
+##	Make the specified type a file
+##	used for spool files.
+## </summary>
+## <desc>
+##	<p>
+##	Make the specified type usable for spool files.
+##	This will also make the type usable for files, making
+##	calls to files_type() redundant.  Failure to use this interface
+##	for a spool file may result in problems with
+##	purging spool files.
+##	</p>
+##	<p>
+##	Related interfaces:
+##	</p>
+##	<ul>
+##		<li>files_spool_filetrans()</li>
+##	</ul>
+##	<p>
+##	Example usage with a domain that can create and
+##	write its spool file in the system spool file
+##	directories (/var/spool):
+##	</p>
+##	<p>
+##	type myspoolfile_t;
+##	files_spool_file(myfile_spool_t)
+##	allow mydomain_t myfile_spool_t:file { create_file_perms write_file_perms };
+##	files_spool_filetrans(mydomain_t, myfile_spool_t, file)
+##	</p>
+## </desc>
+## <param name="file_type">
+##	<summary>
+##	Type of the file to be used as a
+##	spool file.
+##	</summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`files_spool_file',`
+	gen_require(`
+		attribute spoolfile;
+	')
+
+	files_type($1)
+	typeattribute $1 spoolfile;
+')
+
+########################################
+## <summary>
+##	Create all spool sockets
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_create_all_spool_sockets',`
+	gen_require(`
+		attribute spoolfile;
+	')
+
+	allow $1 spoolfile:sock_file create_sock_file_perms;
+')
+
+########################################
+## <summary>
+##	Delete all spool sockets
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_delete_all_spool_sockets',`
+	gen_require(`
+		attribute spoolfile;
+	')
+
+	allow $1 spoolfile:sock_file delete_sock_file_perms;
+')
+
+########################################
+## <summary>
+##	Relabel to and from all spool
+##	directory types.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`files_relabel_all_spool_dirs',`
+	gen_require(`
+		attribute spoolfile;
+		type var_t;
+	')
+
+	relabel_dirs_pattern($1, spoolfile, spoolfile)
+')
+
+########################################
+## <summary>
+##	Search the contents of generic spool
+##	directories (/var/spool).
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_search_spool',`
+	gen_require(`
+		type var_t, var_spool_t;
+	')
+
+	search_dirs_pattern($1, var_t, var_spool_t)
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to search generic
+##	spool directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`files_dontaudit_search_spool',`
+	gen_require(`
+		type var_spool_t;
+	')
+
+	dontaudit $1 var_spool_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+##	List the contents of generic spool
+##	(/var/spool) directories.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -5974,19 +8257,18 @@ interface(`files_dontaudit_getattr_pid_dirs',`
 ##	</summary>
 ## </param>
 #
-interface(`files_setattr_pid_dirs',`
+interface(`files_list_spool',`
 	gen_require(`
-		type var_run_t;
+		type var_t, var_spool_t;
 	')
 
-	allow $1 var_run_t:lnk_file read_lnk_file_perms;
-	allow $1 var_run_t:dir setattr;
+	list_dirs_pattern($1, var_t, var_spool_t)
 ')
 
 ########################################
 ## <summary>
-##	Search the contents of runtime process
-##	ID directories (/var/run).
+##	Create, read, write, and delete generic
+##	spool directories (/var/spool).
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -5994,39 +8276,38 @@ interface(`files_setattr_pid_dirs',`
 ##	</summary>
 ## </param>
 #
-interface(`files_search_pids',`
+interface(`files_manage_generic_spool_dirs',`
 	gen_require(`
-		type var_t, var_run_t;
+		type var_t, var_spool_t;
 	')
 
-	allow $1 var_run_t:lnk_file read_lnk_file_perms;
-	search_dirs_pattern($1, var_t, var_run_t)
+	allow $1 var_t:dir search_dir_perms;
+	manage_dirs_pattern($1, var_spool_t, var_spool_t)
 ')
 
 ########################################
 ## <summary>
-##	Do not audit attempts to search
-##	the /var/run directory.
+##	Read generic spool files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain to not audit.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
-interface(`files_dontaudit_search_pids',`
+interface(`files_read_generic_spool',`
 	gen_require(`
-		type var_run_t;
+		type var_t, var_spool_t;
 	')
 
-	dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
-	dontaudit $1 var_run_t:dir search_dir_perms;
+	list_dirs_pattern($1, var_t, var_spool_t)
+	read_files_pattern($1, var_spool_t, var_spool_t)
 ')
 
 ########################################
 ## <summary>
-##	List the contents of the runtime process
-##	ID directories (/var/run).
+##	Create, read, write, and delete generic
+##	spool files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -6034,38 +8315,55 @@ interface(`files_dontaudit_search_pids',`
 ##	</summary>
 ## </param>
 #
-interface(`files_list_pids',`
+interface(`files_manage_generic_spool',`
 	gen_require(`
-		type var_t, var_run_t;
+		type var_t, var_spool_t;
 	')
 
-	allow $1 var_run_t:lnk_file read_lnk_file_perms;
-	list_dirs_pattern($1, var_t, var_run_t)
+	allow $1 var_t:dir search_dir_perms;
+	manage_files_pattern($1, var_spool_t, var_spool_t)
 ')
 
 ########################################
 ## <summary>
-##	Read generic process ID files.
+##	Create objects in the spool directory
+##	with a private type with a type transition.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <param name="file">
+##	<summary>
+##	Type to which the created node will be transitioned.
+##	</summary>
+## </param>
+## <param name="class">
+##	<summary>
+##	Object class(es) (single or set including {}) for which this
+##	the transition will occur.
+##	</summary>
+## </param>
+## <param name="name" optional="true">
+##	<summary>
+##	The name of the object being created.
+##	</summary>
+## </param>
 #
-interface(`files_read_generic_pids',`
+interface(`files_spool_filetrans',`
 	gen_require(`
-		type var_t, var_run_t;
+		type var_t, var_spool_t;
 	')
 
-	allow $1 var_run_t:lnk_file read_lnk_file_perms;
-	list_dirs_pattern($1, var_t, var_run_t)
-	read_files_pattern($1, var_run_t, var_run_t)
+	allow $1 var_t:dir search_dir_perms;
+	filetrans_pattern($1, var_spool_t, $2, $3, $4)
 ')
 
 ########################################
 ## <summary>
-##	Write named generic process ID pipes
+##	Allow access to manage all polyinstantiated
+##	directories on the system.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -6073,43 +8371,75 @@ interface(`files_read_generic_pids',`
 ##	</summary>
 ## </param>
 #
-interface(`files_write_generic_pid_pipes',`
+interface(`files_polyinstantiate_all',`
 	gen_require(`
-		type var_run_t;
+		attribute polydir, polymember, polyparent;
+		type poly_t;
 	')
 
-	allow $1 var_run_t:lnk_file read_lnk_file_perms;
-	allow $1 var_run_t:fifo_file write;
+	# Need to give access to /selinux/member
+	selinux_compute_member($1)
+
+	# Need sys_admin capability for mounting
+	allow $1 self:capability { chown fsetid sys_admin fowner };
+
+	# Need to give access to the directories to be polyinstantiated
+	allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir };
+
+	# Need to give access to the polyinstantiated subdirectories
+	allow $1 polymember:dir search_dir_perms;
+
+	# Need to give access to parent directories where original
+	# is remounted for polyinstantiation aware programs (like gdm)
+	allow $1 polyparent:dir { getattr mounton };
+
+	# Need to give permission to create directories where applicable
+	allow $1 self:process setfscreate;
+	allow $1 polymember: dir { create setattr relabelto };
+	allow $1 polydir: dir { write add_name open };
+	allow $1 polyparent:dir { open read write remove_name add_name relabelfrom relabelto };
+
+	# Default type for mountpoints
+	allow $1 poly_t:dir { create mounton };
+	fs_unmount_xattr_fs($1)
+
+	fs_mount_tmpfs($1)
+	fs_unmount_tmpfs($1)
+
+	ifdef(`distro_redhat',`
+		# namespace.init
+		files_search_tmp($1)
+		files_search_home($1)
+		corecmd_exec_bin($1)
+		seutil_domtrans_setfiles($1)
+	')
 ')
 
 ########################################
 ## <summary>
-##	Create an object in the process ID directory, with a private type.
+##	Unconfined access to files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_unconfined',`
+	gen_require(`
+		attribute files_unconfined_type;
+	')
+
+	typeattribute $1 files_unconfined_type;
+')
+
+########################################
+## <summary>
+##	Create a core files in /
 ## </summary>
 ## <desc>
 ##	<p>
-##	Create an object in the process ID directory (e.g., /var/run)
-##	with a private type.  Typically this is used for creating
-##	private PID files in /var/run with the private type instead
-##	of the general PID file type. To accomplish this goal,
-##	either the program must be SELinux-aware, or use this interface.
-##	</p>
-##	<p>
-##	Related interfaces:
-##	</p>
-##	<ul>
-##		<li>files_pid_file()</li>
-##	</ul>
-##	<p>
-##	Example usage with a domain that can create and
-##	write its PID file with a private PID file type in the
-##	/var/run directory:
-##	</p>
-##	<p>
-##	type mypidfile_t;
-##	files_pid_file(mypidfile_t)
-##	allow mydomain_t mypidfile_t:file { create_file_perms write_file_perms };
-##	files_pid_filetrans(mydomain_t, mypidfile_t, file)
+##	Create a core file in /,
 ##	</p>
 ## </desc>
 ## <param name="domain">
@@ -6117,14 +8447,82 @@ interface(`files_write_generic_pid_pipes',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <param name="private type">
+## <rolecap/>
+#
+interface(`files_manage_root_files',`
+	gen_require(`
+		type root_t;
+	')
+
+	manage_files_pattern($1, root_t, root_t)
+')
+
+########################################
+## <summary>
+##     Create a default directory
+## </summary>
+## <desc>
+##     <p>
+##     Create a default_t direcrory
+##     </p>
+## </desc>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+## <rolecap/>
+#
+interface(`files_create_default_dir',`
+       gen_require(`
+               type default_t;
+       ')
+
+       allow $1 default_t:dir create;
+')
+
+########################################
+## <summary>
+##	Create, default_t objects with an automatic
+##	type transition.
+## </summary>
+## <param name="domain">
 ##	<summary>
-##	The type of the object to be created.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 ## <param name="object">
 ##	<summary>
-##	The object class of the object being created.
+##	The class of the object being created.
+##	</summary>
+## </param>
+#
+interface(`files_root_filetrans_default',`
+       gen_require(`
+               type root_t, default_t;
+       ')
+
+       filetrans_pattern($1, root_t, default_t, $2)
+')
+
+########################################
+## <summary>
+##	Create, lib_t objects with an automatic
+##	type transition.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="directory_type">
+##	<summary>
+##	Type of the directory to be transitioned from
+##	</summary>
+## </param>
+## <param name="object">
+##	<summary>
+##	The class of the object being created.
 ##	</summary>
 ## </param>
 ## <param name="name" optional="true">
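Review bot: files_manage_root_files (L17156) grants `manage_files_pattern($1, root_t, root_t)`, i.e. create/read/write/delete of every root_t file, while its summary and desc in the preceding hunk ("Create a core files in /", "Create a core file in /,") describe only core-file creation; since the interface carries `<rolecap/>`, the doc should state the real scope, e.g. `##	Create, read, write, and delete files directly in / (root_t).`. files_create_default_dir and files_root_filetrans_default are indented with spaces where the rest of the file uses tabs, and "direcrory" at L17170 is a typo. files_root_filetrans_default passes only `$2` to filetrans_pattern and documents no name parameter, which looks intentional but differs from the sibling filetrans interfaces in this patch; a one-line comment saying the transition is class-wide would settle it.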
@@ -6132,65 +8530,92 @@ interface(`files_write_generic_pid_pipes',`
 ##	The name of the object being created.
 ##	</summary>
 ## </param>
-## <infoflow type="write" weight="10"/>
 #
-interface(`files_pid_filetrans',`
+interface(`files_filetrans_lib',`
+       gen_require(`
+               type lib_t, lib_t;
+       ')
+
+       filetrans_pattern($1, $2, lib_t, $3, $4)
+')
+
+########################################
+## <summary>
+##	manage generic symbolic links
+##	in the /var/run directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_manage_generic_pids_symlinks',`
+	gen_require(`
+		type var_run_t;
+	')
+
+	manage_lnk_files_pattern($1,var_run_t,var_run_t)
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to getattr
+##	all tmpfs files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`files_dontaudit_getattr_tmpfs_files',`
 	gen_require(`
-		type var_t, var_run_t;
+		attribute tmpfsfile;
 	')
 
-	allow $1 var_t:dir search_dir_perms;
-	allow $1 var_run_t:lnk_file read_lnk_file_perms;
-	filetrans_pattern($1, var_run_t, $2, $3, $4)
+	allow $1 tmpfsfile:file getattr;
 ')
 
 ########################################
 ## <summary>
-## 	Create a generic lock directory within the run directories
+##	Allow delete all tmpfs files.
 ## </summary>
 ## <param name="domain">
-## 	<summary>
-##	Domain allowed access
-##	</summary>
-## </param>
-## <param name="name" optional="true">
 ##	<summary>
-##	The name of the object being created.
+##	Domain to not audit.
 ##	</summary>
 ## </param>
 #
-interface(`files_pid_filetrans_lock_dir',`
+interface(`files_delete_tmpfs_files',`
 	gen_require(`
-		type var_lock_t;
+		attribute tmpfsfile;
 	')
 
-	files_pid_filetrans($1, var_lock_t, dir, $2)
+	allow $1 tmpfsfile:file delete_file_perms;
 ')
 
 ########################################
 ## <summary>
-##	Read and write generic process ID files.
+##	Allow read write all tmpfs files
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed access.
+##	Domain to not audit.
 ##	</summary>
 ## </param>
 #
-interface(`files_rw_generic_pids',`
+interface(`files_rw_tmpfs_files',`
 	gen_require(`
-		type var_t, var_run_t;
+		attribute tmpfsfile;
 	')
 
-	allow $1 var_run_t:lnk_file read_lnk_file_perms;
-	list_dirs_pattern($1, var_t, var_run_t)
-	rw_files_pattern($1, var_run_t, var_run_t)
+	allow $1 tmpfsfile:file { read write };
 ')
 
 ########################################
 ## <summary>
-##	Do not audit attempts to get the attributes of
-##	daemon runtime data files.
+##	Do not audit attempts to read security files 
 ## </summary>
 ## <param name="domain">
 ##	<summary>
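Review bot: files_dontaudit_getattr_tmpfs_files (L17280) uses `allow $1 tmpfsfile:file getattr;` at L17289 although its name and summary say the access is only to be silenced, so as written it grants getattr on every tmpfsfile to the caller; it should be `dontaudit $1 tmpfsfile:file getattr;`. In files_filetrans_lib the gen_require `type lib_t, lib_t;` at L17244 lists the type twice; `type lib_t;` is enough. files_delete_tmpfs_files and files_rw_tmpfs_files are allow rules but document their parameter as "Domain to not audit." (L17305, L17328); that should read "Domain allowed access.".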
@@ -6198,19 +8623,17 @@ interface(`files_rw_generic_pids',`
 ##	</summary>
 ## </param>
 #
-interface(`files_dontaudit_getattr_all_pids',`
+interface(`files_dontaudit_read_security_files',`
 	gen_require(`
-		attribute pidfile;
-		type var_run_t;
+		attribute security_file_type;
 	')
 
-	dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
-	dontaudit $1 pidfile:file getattr;
+	dontaudit $1 security_file_type:file read_file_perms;
 ')
 
 ########################################
 ## <summary>
-##	Do not audit attempts to write to daemon runtime data files.
+##	Do not audit attempts to search security files 
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -6218,18 +8641,17 @@ interface(`files_dontaudit_getattr_all_pids',`
 ##	</summary>
 ## </param>
 #
-interface(`files_dontaudit_write_all_pids',`
+interface(`files_dontaudit_search_security_files',`
 	gen_require(`
-		attribute pidfile;
+		attribute security_file_type;
 	')
 
-	dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
-	dontaudit $1 pidfile:file write;
+	dontaudit $1 security_file_type:dir search_dir_perms;
 ')
 
 ########################################
 ## <summary>
-##	Do not audit attempts to ioctl daemon runtime data files.
+##	Do not audit attempts to read security dirs 
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -6237,41 +8659,43 @@ interface(`files_dontaudit_write_all_pids',`
 ##	</summary>
 ## </param>
 #
-interface(`files_dontaudit_ioctl_all_pids',`
+interface(`files_dontaudit_list_security_dirs',`
 	gen_require(`
-		attribute pidfile;
-		type var_run_t;
+		attribute security_file_type;
 	')
 
-	dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
-	dontaudit $1 pidfile:file ioctl;
+	dontaudit $1 security_file_type:dir list_dir_perms;
 ')
 
 ########################################
 ## <summary>
-##	Read all process ID files.
+##	rw any files inherited from another process
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <rolecap/>
+## <param name="object_type">
+##  <summary>
+##  Object type.
+##  </summary>
+## </param>
 #
-interface(`files_read_all_pids',`
+interface(`files_rw_all_inherited_files',`
 	gen_require(`
-		attribute pidfile;
-		type var_t, var_run_t;
+		attribute file_type;
 	')
 
-	allow $1 var_run_t:lnk_file read_lnk_file_perms;
-	list_dirs_pattern($1, var_t, pidfile)
-	read_files_pattern($1, pidfile, pidfile)
+	allow $1 { file_type $2 }:file rw_inherited_file_perms;
+	allow $1 { file_type $2 }:fifo_file rw_inherited_fifo_file_perms;
+	allow $1 { file_type $2 }:sock_file rw_inherited_sock_file_perms;
+	allow $1 { file_type $2 }:chr_file rw_inherited_chr_file_perms;
 ')
 
 ########################################
 ## <summary>
-##	Delete all process IDs.
+##	Allow any file point to be the entrypoint of this domain
 ## </summary>
 ## <param name="domain">
 ##	<summary>
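Review bot: files_rw_all_inherited_files (L17435) allows rw_inherited_* on `{ file_type $2 }` for file, fifo_file, sock_file and chr_file, and file_type presumably includes the types carrying security_file_type (used by this patch at L17362); if the intent is leak tolerance for ordinary files only, the non_security_file_type attribute this patch uses elsewhere would be the narrower choice, otherwise a comment such as `# intentionally covers security_file_type: perms are inherited-fd only, no open` should record why the broad attribute is acceptable. The `$2` parameter is documented as a plain "Object type." without saying whether it may be empty; marking it `optional="true"` or documenting the expectation would help callers. files_dontaudit_list_security_dirs silences list_dir_perms (L17414) but its summary says "read security dirs" (L17396); "list security dirs" matches the body.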
@@ -6280,67 +8704,56 @@ interface(`files_read_all_pids',`
 ## </param>
 ## <rolecap/>
 #
-interface(`files_delete_all_pids',`
+interface(`files_entrypoint_all_files',`
 	gen_require(`
-		attribute pidfile;
-		type var_t, var_run_t;
+		attribute file_type;
+		type unlabeled_t;
 	')
-
-	allow $1 var_t:dir search_dir_perms;
-	allow $1 var_run_t:lnk_file read_lnk_file_perms;
-	allow $1 var_run_t:dir rmdir;
-	allow $1 var_run_t:lnk_file delete_lnk_file_perms;
-	delete_files_pattern($1, pidfile, pidfile)
-	delete_fifo_files_pattern($1, pidfile, pidfile)
-	delete_sock_files_pattern($1, pidfile, { pidfile var_run_t })
+	allow $1 {file_type -unlabeled_t} :file entrypoint;
 ')
 
 ########################################
 ## <summary>
-##	Delete all process ID directories.
+##	Do not audit attempts to rw inherited file perms
+##	of non security files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed access.
+##	Domain to not audit.
 ##	</summary>
 ## </param>
 #
-interface(`files_delete_all_pid_dirs',`
+interface(`files_dontaudit_all_non_security_leaks',`
 	gen_require(`
-		attribute pidfile;
-		type var_t, var_run_t;
+		attribute non_security_file_type;
 	')
 
-	allow $1 var_t:dir search_dir_perms;
-	allow $1 var_run_t:lnk_file read_lnk_file_perms;
-	delete_dirs_pattern($1, pidfile, pidfile)
+	dontaudit $1 non_security_file_type:file_class_set rw_inherited_file_perms;
 ')
 
 ########################################
 ## <summary>
-##	Create, read, write and delete all
-##	var_run (pid) content
+##	Do not audit attempts to read or write
+##	all leaked files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain alloed access.
+##	Domain to not audit.
 ##	</summary>
 ## </param>
 #
-interface(`files_manage_all_pids',`
+interface(`files_dontaudit_leaks',`
 	gen_require(`
-		attribute pidfile;
+		attribute file_type;
 	')
 
-	manage_dirs_pattern($1, pidfile, pidfile)
-	manage_files_pattern($1, pidfile, pidfile)
-	manage_lnk_files_pattern($1, pidfile, pidfile)
+	dontaudit $1 file_type:file rw_inherited_file_perms;
+	dontaudit $1 file_type:lnk_file { read };
 ')
 
 ########################################
 ## <summary>
-##	Mount filesystems on all polyinstantiation
-##	member directories.
+##	Allow domain to create_file_ass all types
 ## </summary>
 ## <param name="domain">
 ##	<summary>
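Review bot: The removed files_manage_all_pids (L17522–L17531) managed pidfile dirs, files and symlinks, whereas the replacement defined earlier in this patch (L16678) only calls manage_files_pattern; dirs are covered by the new files_manage_all_pid_dirs (L16581) but no interface in view grants manage of pidfile lnk_file, so callers that relied on the old contract presumably lose symlink access — either restore `manage_lnk_files_pattern($1, pidfile, pidfile)` in the new interface or add a dedicated interface and note the narrowing. In files_entrypoint_all_files the rule at L17478 has a stray space before the class, `allow $1 { file_type -unlabeled_t }:file entrypoint;` is the conventional form. The summaries "Allow any file point to be the entrypoint" (L17454) and "create_file_ass all types" (L17540) contain typos.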
@@ -6348,37 +8761,37 @@ interface(`files_manage_all_pids',`
 ##	</summary>
 ## </param>
 #
-interface(`files_mounton_all_poly_members',`
+interface(`files_create_as_is_all_files',`
 	gen_require(`
-		attribute polymember;
+		attribute file_type;
+		class kernel_service create_files_as;
 	')
 
-	allow $1 polymember:dir mounton;
+	allow $1 file_type:kernel_service create_files_as;
 ')
 
 ########################################
 ## <summary>
-##	Search the contents of generic spool
-##	directories (/var/spool).
+##	Do not audit attempts to check the 
+##	access on all files
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed access.
+##	Domain to not audit.
 ##	</summary>
 ## </param>
 #
-interface(`files_search_spool',`
+interface(`files_dontaudit_all_access_check',`
 	gen_require(`
-		type var_t, var_spool_t;
+		attribute file_type;
 	')
 
-	search_dirs_pattern($1, var_t, var_spool_t)
+	dontaudit $1 file_type:dir_file_class_set audit_access;
 ')
 
 ########################################
 ## <summary>
-##	Do not audit attempts to search generic
-##	spool directories.
+##	Do not audit attempts to write to all files
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -6386,132 +8799,227 @@ interface(`files_search_spool',`
 ##	</summary>
 ## </param>
 #
-interface(`files_dontaudit_search_spool',`
+interface(`files_dontaudit_write_all_files',`
 	gen_require(`
-		type var_spool_t;
+		attribute file_type;
 	')
 
-	dontaudit $1 var_spool_t:dir search_dir_perms;
+	dontaudit $1 file_type:dir_file_class_set write;
 ')
 
 ########################################
 ## <summary>
-##	List the contents of generic spool
-##	(/var/spool) directories.
+##	Allow domain to delete to all files
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed access.
+##	Domain to not audit.
 ##	</summary>
 ## </param>
 #
-interface(`files_list_spool',`
+interface(`files_delete_all_non_security_files',`
 	gen_require(`
-		type var_t, var_spool_t;
+		attribute non_security_file_type;
 	')
 
-	list_dirs_pattern($1, var_t, var_spool_t)
+	allow $1 non_security_file_type:dir del_entry_dir_perms;
+	allow $1 non_security_file_type:file_class_set delete_file_perms;
 ')
 
 ########################################
 ## <summary>
-##	Create, read, write, and delete generic
-##	spool directories (/var/spool).
+##	Allow domain to delete to all dirs
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed access.
+##	Domain to not audit.
 ##	</summary>
 ## </param>
 #
-interface(`files_manage_generic_spool_dirs',`
+interface(`files_delete_all_non_security_dirs',`
 	gen_require(`
-		type var_t, var_spool_t;
+		attribute non_security_file_type;
 	')
 
-	allow $1 var_t:dir search_dir_perms;
-	manage_dirs_pattern($1, var_spool_t, var_spool_t)
+	allow $1 non_security_file_type:dir { del_entry_dir_perms delete_dir_perms };
 ')
 
 ########################################
 ## <summary>
-##	Read generic spool files.
+##	Transition named content in the var_run_t directory
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed access.
+##      Domain allowed access.
 ##	</summary>
 ## </param>
 #
-interface(`files_read_generic_spool',`
+interface(`files_filetrans_named_content',`
 	gen_require(`
-		type var_t, var_spool_t;
+        type etc_t;
+		type mnt_t;
+		type usr_t;
+		type tmp_t;
+		type var_t;
+		type var_run_t;
+        type var_lock_t;
+		type tmp_t;
 	')
 
-	list_dirs_pattern($1, var_t, var_spool_t)
-	read_files_pattern($1, var_spool_t, var_spool_t)
+	files_pid_filetrans($1, mnt_t, dir, "media")
+	files_root_filetrans($1, etc_runtime_t, file, ".readahead")
+	files_root_filetrans($1, etc_runtime_t, file, ".autorelabel")
+	files_root_filetrans($1, mnt_t, dir, "afs")
+	files_root_filetrans($1, mnt_t, dir, "misc")
+	files_root_filetrans($1, mnt_t, dir, "net")
+	files_root_filetrans($1, usr_t, dir, "export")
+	files_root_filetrans($1, usr_t, dir, "opt")
+	files_root_filetrans($1, usr_t, dir, "ostree")
+	files_root_filetrans($1, usr_t, dir, "emul")
+	files_root_filetrans($1, var_t, dir, "srv")
+	files_root_filetrans($1, var_run_t, dir, "run")
+	files_root_filetrans($1, var_run_t, lnk_file, "run")
+	files_root_filetrans($1, var_lock_t, lnk_file, "lock")
+	files_root_filetrans($1, tmp_t, dir, "sandbox")
+	files_root_filetrans($1, tmp_t, dir, "tmp")
+	files_root_filetrans($1, var_t, dir, "nsr")
+    files_etc_filetrans($1, etc_t, file, "system-auth-ac")
+    files_etc_filetrans($1, etc_t, file, "postlogin-ac")
+    files_etc_filetrans($1, etc_t, file, "password-auth-ac")
+    files_etc_filetrans($1, etc_t, file, "fingerprint-auth-ac")
+    files_etc_filetrans($1, etc_t, file, "smartcard-auth-ac")
+    files_etc_filetrans($1, etc_t, file, "hwdb.bin")
+	files_etc_filetrans_etc_runtime($1, file, ".updated")
+	files_etc_filetrans_etc_runtime($1, file, "runtime")
+	files_etc_filetrans_etc_runtime($1, dir, "blkid")
+	files_etc_filetrans_etc_runtime($1, dir, "cmtab")
+	files_etc_filetrans_etc_runtime($1, file, "fstab.REVOKE")
+	files_etc_filetrans_etc_runtime($1, file, "ioctl.save")
+	files_etc_filetrans_etc_runtime($1, file, "nologin")
+	files_etc_filetrans_etc_runtime($1, file, "securetty")
+	files_etc_filetrans_etc_runtime($1, file, "ifstate")
+	files_etc_filetrans_etc_runtime($1, file, "ptal-printd-like")
+	files_etc_filetrans_etc_runtime($1, file, "hwconf")
+	files_etc_filetrans_etc_runtime($1, file, "iptables.save")
+	files_tmp_filetrans($1, tmp_t, dir, "tmp-inst")
+	files_var_filetrans($1, tmp_t, dir, "tmp")
+	files_var_filetrans($1, var_run_t, dir, "run")
+	files_var_filetrans($1, etc_runtime_t, file, ".updated")
 ')
 
 ########################################
 ## <summary>
-##	Create, read, write, and delete generic
-##	spool files.
+##	Make the specified type a
+##	base file.
 ## </summary>
-## <param name="domain">
+## <desc>
+##	<p>
+##	Identify file type as base file type.  Tools will use this attribute,
+##      to help users diagnose problems.
+##	</p>
+## </desc>
+## <param name="file_type">
 ##	<summary>
-##	Domain allowed access.
+##	Type to be used as a base files.
 ##	</summary>
 ## </param>
+## <infoflow type="none"/>
 #
-interface(`files_manage_generic_spool',`
+interface(`files_base_file',`
 	gen_require(`
-		type var_t, var_spool_t;
+		attribute base_file_type;
 	')
-
-	allow $1 var_t:dir search_dir_perms;
-	manage_files_pattern($1, var_spool_t, var_spool_t)
+	files_type($1)
+	typeattribute $1 base_file_type;
 ')
 
 ########################################
 ## <summary>
-##	Create objects in the spool directory
-##	with a private type with a type transition.
+##	Make the specified type a
+##	base read only file.
 ## </summary>
-## <param name="domain">
+## <desc>
+##	<p>
+##	Make the specified type readable for all domains.
+##	</p>
+## </desc>
+## <param name="file_type">
 ##	<summary>
-##	Domain allowed access.
+##	Type to be used as a base read only files.
 ##	</summary>
 ## </param>
-## <param name="file">
+## <infoflow type="none"/>
+#
+interface(`files_ro_base_file',`
+	gen_require(`
+		attribute base_ro_file_type;
+	')
+	files_base_file($1)
+	typeattribute $1 base_ro_file_type;
+')
+
+########################################
+## <summary>
+##	Read all ro base files.
+## </summary>
+## <param name="domain">
 ##	<summary>
-##	Type to which the created node will be transitioned.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <param name="class">
+## <rolecap/>
+#
+interface(`files_read_all_base_ro_files',`
+	gen_require(`
+		attribute base_ro_file_type;
+	')
+
+	list_dirs_pattern($1, base_ro_file_type, base_ro_file_type)
+	read_files_pattern($1, base_ro_file_type, base_ro_file_type)
+	read_lnk_files_pattern($1, base_ro_file_type, base_ro_file_type)
+')
+
+########################################
+## <summary>
+##	Execute all base ro files.
+## </summary>
+## <param name="domain">
 ##	<summary>
-##	Object class(es) (single or set including {}) for which this
-##	the transition will occur.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <param name="name" optional="true">
+## <rolecap/>
+#
+interface(`files_exec_all_base_ro_files',`
+	gen_require(`
+		attribute base_ro_file_type;
+	')
+
+	can_exec($1, base_ro_file_type)
+')
+
+########################################
+## <summary>
+##	Allow the specified domain to modify the systemd configuration of 
+##	any file.
+## </summary>
+## <param name="domain">
 ##	<summary>
-##	The name of the object being created.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
-interface(`files_spool_filetrans',`
+interface(`files_config_all_files',`
 	gen_require(`
-		type var_t, var_spool_t;
+		attribute file_type;
 	')
 
-	allow $1 var_t:dir search_dir_perms;
-	filetrans_pattern($1, var_spool_t, $2, $3, $4)
+	allow $1 file_type:service all_service_perms;
 ')
 
 ########################################
 ## <summary>
-##	Allow access to manage all polyinstantiated
-##	directories on the system.
+##	Get the status of etc_t files
 ## </summary>
 ## <param name="domain">
 ##	<summary>
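Review bot: files_filetrans_named_content (L17671) lists `type tmp_t;` twice in its gen_require (L17677, L17681) and does not require etc_runtime_t, which the body passes to files_root_filetrans and files_var_filetrans at L17687, L17688 and L17724; presumably `type etc_runtime_t;` is needed there or a calling module that does not otherwise require it will fail to build. The same block mixes space and tab indentation (L17674, L17680, L17703–L17708) and the parameter doc at L17666 is space-indented, unlike the rest of the file. files_delete_all_non_security_files and files_delete_all_non_security_dirs are allow rules but document their parameter as "Domain to not audit." (L17617, L17642). files_config_all_files grants `all_service_perms` on every file_type (L17858); a short comment naming the intended callers would make this broad grant reviewable.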
@@ -6519,53 +9027,17 @@ interface(`files_spool_filetrans',`
 ##	</summary>
 ## </param>
 #
-interface(`files_polyinstantiate_all',`
+interface(`files_status_etc',`
 	gen_require(`
-		attribute polydir, polymember, polyparent;
-		type poly_t;
+		type etc_t;
 	')
 
-	# Need to give access to /selinux/member
-	selinux_compute_member($1)
-
-	# Need sys_admin capability for mounting
-	allow $1 self:capability { chown fsetid sys_admin fowner };
-
-	# Need to give access to the directories to be polyinstantiated
-	allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir };
-
-	# Need to give access to the polyinstantiated subdirectories
-	allow $1 polymember:dir search_dir_perms;
-
-	# Need to give access to parent directories where original
-	# is remounted for polyinstantiation aware programs (like gdm)
-	allow $1 polyparent:dir { getattr mounton };
-
-	# Need to give permission to create directories where applicable
-	allow $1 self:process setfscreate;
-	allow $1 polymember: dir { create setattr relabelto };
-	allow $1 polydir: dir { write add_name open };
-	allow $1 polyparent:dir { open read write remove_name add_name relabelfrom relabelto };
-
-	# Default type for mountpoints
-	allow $1 poly_t:dir { create mounton };
-	fs_unmount_xattr_fs($1)
-
-	fs_mount_tmpfs($1)
-	fs_unmount_tmpfs($1)
-
-	ifdef(`distro_redhat',`
-		# namespace.init
-		files_search_tmp($1)
-		files_search_home($1)
-		corecmd_exec_bin($1)
-		seutil_domtrans_setfiles($1)
-	')
+	allow $1 etc_t:service status;
 ')
 
 ########################################
 ## <summary>
-##	Unconfined access to files.
+##	Dontaudit Mount a modules_object_t
 ## </summary>
 ## <param name="domain">
 ##	<summary>
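Review bot: The summary of `files_status_etc` says "Get the status of etc_t files", but the rule it contains is on the `service` object class, so it governs systemd unit status for units labeled etc_t rather than file attributes. Suggest `##	Get the systemd status of units labeled etc_t.` so callers do not read it as a getattr-style interface. The interface body is otherwise complete within this hunk.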
@@ -6573,10 +9045,10 @@ interface(`files_polyinstantiate_all',`
 ##	</summary>
 ## </param>
 #
-interface(`files_unconfined',`
+interface(`files_dontaudit_mounton_modules_object',`
 	gen_require(`
-		attribute files_unconfined_type;
+		type modules_object_t;
 	')
 
-	typeattribute $1 files_unconfined_type;
+	allow $1 modules_object_t:dir mounton;
 ')
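Review bot: `files_dontaudit_mounton_modules_object` is named and documented as a dontaudit interface, yet the single rule in its body is an `allow` that actually grants `mounton` on `modules_object_t` directories. Either the rule should read `dontaudit $1 modules_object_t:dir mounton;`, or the interface should be renamed (e.g. `files_mounton_modules_object`) and the summary reworded to `##	Mount on a modules_object_t directory.`. As written, a caller expecting only audit suppression silently receives the permission.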
diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
index 1a03abdd7..3221f8018 100644
--- a/policy/modules/kernel/files.te
+++ b/policy/modules/kernel/files.te
@@ -5,12 +5,16 @@ policy_module(files, 1.18.1)
 # Declarations
 #
 
+attribute base_file_type;
+attribute base_ro_file_type;
 attribute file_type;
 attribute files_unconfined_type;
 attribute lockfile;
 attribute mountpoint;
 attribute pidfile;
+attribute spoolfile;
 attribute configfile;
+attribute etcfile;
 
 # For labeling types that are to be polyinstantiated
 attribute polydir;
@@ -48,47 +52,53 @@ attribute usercanread;
 #
 type boot_t;
 files_mountpoint(boot_t)
+files_ro_base_file(boot_t)
 
 # default_t is the default type for files that do not
 # match any specification in the file_contexts configuration
 # other than the generic /.* specification.
 type default_t;
 files_mountpoint(default_t)
+files_base_file(default_t)
 
 #
 # etc_t is the type of the system etc directories.
 #
 type etc_t, configfile;
-files_type(etc_t)
+files_ro_base_file(etc_t)
+
 # compatibility aliases for removed types:
 typealias etc_t alias automount_etc_t;
 typealias etc_t alias snmpd_etc_t;
 
+# system_conf_t is a new type of various
+# files in /etc/ that can be managed and
+# created by several domains.
+# 
+type system_conf_t, configfile;
+files_ro_base_file(system_conf_t)
+# compatibility aliases for removed type:
+typealias system_conf_t alias iptables_conf_t;
+
+# system_db_t is a new type of various
+# db files.
+type system_db_t;
+files_ro_base_file(system_db_t)
+
 #
 # etc_runtime_t is the type of various
 # files in /etc that are automatically
 # generated during initialization.
 #
-type etc_runtime_t;
-files_type(etc_runtime_t)
-#Temporarily in policy until FC5 dissappears
-typealias etc_runtime_t alias firstboot_rw_t;
-
-#
-# file_t is the default type of a file that has not yet been
-# assigned an extended attribute (EA) value (when using a filesystem
-# that supports EAs).
-#
-type file_t;
-files_mountpoint(file_t)
-kernel_rootfs_mountpoint(file_t)
-sid file gen_context(system_u:object_r:file_t,s0)
+type etc_runtime_t, configfile;
+files_ro_base_file(etc_runtime_t)
 
 #
 # home_root_t is the type for the directory where user home directories
 # are created
 #
 type home_root_t;
+files_base_file(home_root_t)
 files_mountpoint(home_root_t)
 files_poly_parent(home_root_t)
 
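Review bot: The `type file_t` declaration and its `sid file gen_context(system_u:object_r:file_t,s0)` initial-SID assignment are removed here without a visible replacement; unless file_t (or an alias for it) and the `file` initial SID are declared elsewhere in this series, the policy will not build, so that relocation should be confirmed. The new comment on `system_conf_t` describes files that "can be managed and created by several domains", while the type is registered with `files_ro_base_file`, which per the `files_read_all_base_ro_files` and `files_exec_all_base_ro_files` interfaces added in files.if makes it readable and executable by every caller of those interfaces; the comment and the attribute choice should be reconciled so the intended exposure is documented. The `# ` line in that comment block carries trailing whitespace.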
@@ -96,12 +106,13 @@ files_poly_parent(home_root_t)
 # lost_found_t is the type for the lost+found directories.
 #
 type lost_found_t;
-files_type(lost_found_t)
+files_base_file(lost_found_t)
 
 #
 # mnt_t is the type for mount points such as /mnt/cdrom
 #
 type mnt_t;
+files_base_file(mnt_t)
 files_mountpoint(mnt_t)
 
 #
@@ -123,6 +134,7 @@ files_type(readable_t)
 # root_t is the type for rootfs and the root directory.
 #
 type root_t;
+files_base_file(root_t)
 files_mountpoint(root_t)
 files_poly_parent(root_t)
 kernel_rootfs_mountpoint(root_t)
@@ -133,45 +145,54 @@ genfscon rootfs / gen_context(system_u:object_r:root_t,s0)
 #
 type src_t;
 files_mountpoint(src_t)
+files_ro_base_file(src_t)
 
 #
 # system_map_t is for the system.map files in /boot
 #
 type system_map_t;
 files_type(system_map_t)
+kernel_proc_type(system_map_t)
 genfscon proc /kallsyms gen_context(system_u:object_r:system_map_t,s0)
 
 #
 # tmp_t is the type of the temporary directories
 #
 type tmp_t;
+files_base_file(tmp_t)
 files_tmp_file(tmp_t)
 files_mountpoint(tmp_t)
 files_poly(tmp_t)
 files_poly_parent(tmp_t)
+typealias tmp_t alias firstboot_tmp_t;
 
 #
 # usr_t is the type for /usr.
 #
 type usr_t;
+files_ro_base_file(usr_t)
 files_mountpoint(usr_t)
 
 #
 # var_t is the type of /var
 #
 type var_t;
+files_base_file(var_t)
 files_mountpoint(var_t)
 
 #
 # var_lib_t is the type of /var/lib
 #
 type var_lib_t;
+files_base_file(var_lib_t)
 files_mountpoint(var_lib_t)
+files_poly(var_lib_t)
 
 #
 # var_lock_t is tye type of /var/lock
 #
 type var_lock_t;
+files_base_file(var_lock_t)
 files_lock_file(var_lock_t)
 files_mountpoint(var_lock_t)
 
@@ -180,6 +201,7 @@ files_mountpoint(var_lock_t)
 # used for pid and other runtime files.
 #
 type var_run_t;
+files_base_file(var_run_t)
 files_pid_file(var_run_t)
 files_mountpoint(var_run_t)
 
@@ -187,7 +209,9 @@ files_mountpoint(var_run_t)
 # var_spool_t is the type of /var/spool
 #
 type var_spool_t;
+files_base_file(var_spool_t)
 files_tmp_file(var_spool_t)
+files_spool_file(var_spool_t)
 
 ########################################
 #
@@ -224,12 +248,13 @@ fs_associate_tmpfs(tmpfsfile)
 #
 
 # Create/access any file in a labeled filesystem;
-allow files_unconfined_type file_type:{ file chr_file } ~execmod;
+allow files_unconfined_type file_type:{ file chr_file } ~{ execmod entrypoint };
 allow files_unconfined_type file_type:{ dir lnk_file sock_file fifo_file blk_file } *;
+allow files_unconfined_type file_type:service *;
 
 # Mount/unmount any filesystem with the context= option.
-allow files_unconfined_type file_type:filesystem *;
+allow files_unconfined_type file_type:filesystem all_filesystem_perms;
 
-tunable_policy(`allow_execmod',`
+tunable_policy(`selinuxuser_execmod',`
 	allow files_unconfined_type file_type:file execmod;
 ')
diff --git a/policy/modules/kernel/filesystem.fc b/policy/modules/kernel/filesystem.fc
index d7c11a0b3..f521a50f8 100644
--- a/policy/modules/kernel/filesystem.fc
+++ b/policy/modules/kernel/filesystem.fc
@@ -1,23 +1,28 @@
-/cgroup			-d	gen_context(system_u:object_r:cgroup_t,s0)
-/cgroup/.*			<<none>>
+# ecryptfs does not support xattr
+HOME_DIR/\.ecryptfs(/.*)?	gen_context(system_u:object_r:ecryptfs_t,s0)
+HOME_DIR/\.Private(/.*)?	gen_context(system_u:object_r:ecryptfs_t,s0)
 
 /dev/hugepages		-d	gen_context(system_u:object_r:hugetlbfs_t,s0)
 /dev/hugepages(/.*)?		<<none>>
-/dev/shm		-d	gen_context(system_u:object_r:tmpfs_t,s0)
-/dev/shm/.*			<<none>>
 
-/lib/udev/devices/hugepages -d	gen_context(system_u:object_r:hugetlbfs_t,s0)
-/lib/udev/devices/hugepages/.*	<<none>>
-/lib/udev/devices/shm	-d	gen_context(system_u:object_r:tmpfs_t,s0)
-/lib/udev/devices/shm/.*	<<none>>
+/dev/shm                -d      gen_context(system_u:object_r:tmpfs_t,s0-mls_systemhigh)
+/dev/shm/.*                     <<none>>
 
+/dev/oracleasm(/.*)?			gen_context(system_u:object_r:oracleasmfs_t,s0)
+
+/usr/lib/udev/devices/hugepages -d	gen_context(system_u:object_r:hugetlbfs_t,s0)
+/usr/lib/udev/devices/hugepages/.*	<<none>>
+/usr/lib/udev/devices/shm	-d	gen_context(system_u:object_r:tmpfs_t,s0)
+/usr/lib/udev/devices/shm/.*	<<none>>
+/var/run/user/[^/]*/gvfs		-d	gen_context(system_u:object_r:fusefs_t,s0)
+/var/run/user/[^/]*/gvfs/.*	<<none>>
+
+# for systemd systems:
 /sys/fs/cgroup	-d	gen_context(system_u:object_r:cgroup_t,s0)
 /sys/fs/cgroup/.*	<<none>>
 
 /sys/fs/pstore	-d	gen_context(system_u:object_r:pstore_t,s0)
 /sys/fs/pstore/.*	<<none>>
 
-ifdef(`distro_debian',`
 /var/run/shm		-d	gen_context(system_u:object_r:tmpfs_t,s0)
 /var/run/shm/.*			<<none>>
-')
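Review bot: The `/dev/shm` entry now carries the MLS range `s0-mls_systemhigh`, which is a labeling change beyond the path reshuffle and has no explanation in the hunk; a one-line comment above it stating why tmpfs at /dev/shm needs the full range on MLS builds would help future readers. The two `/dev/shm` lines are aligned with runs of spaces while the rest of the file uses tabs. The `/lib/udev/devices/...` entries are replaced by `/usr/lib/udev/devices/...` only, which presumably relies on a /lib to /usr/lib path substitution that is not visible here and should be confirmed for non-merged-/usr layouts.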
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
index 8416beb43..b5b7a0ae8 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -575,6 +575,24 @@ interface(`fs_mount_cgroup', `
 	allow $1 cgroup_t:filesystem mount;
 ')
 
+########################################
+## <summary>
+##	Allow the type to associate to cgroup filesystems.
+## </summary>
+## <param name="type">
+##	<summary>
+##	The type of the object to be associated.
+##	</summary>
+## </param>
+#
+interface(`fs_associate_cgroupfs',`
+	gen_require(`
+		type cgroup_t;
+	')
+
+	allow $1 cgroup_t:filesystem associate;
+')
+
 ########################################
 ## <summary>
 ##	Remount cgroup filesystems.
@@ -629,6 +647,27 @@ interface(`fs_getattr_cgroup',`
 	allow $1 cgroup_t:filesystem getattr;
 ')
 
+########################################
+## <summary>
+##	Get attributes of cgroup files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_getattr_cgroup_files',`
+	gen_require(`
+		type cgroup_t;
+
+	')
+
+	getattr_files_pattern($1, cgroup_t, cgroup_t)
+	fs_search_tmpfs($1)
+	dev_search_sysfs($1)
+')
+
 ########################################
 ## <summary>
 ##	Search cgroup directories.
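Review bot: `fs_getattr_cgroup_files` has a stray blank line inside its `gen_require` block; the same pattern appears in `fs_relabel_cgroup_dirs`, `fs_relabel_cgroup_files` and `fs_rw_cephfs_files` later in this file. Dropping it keeps the requires block in the file's usual three-line form `gen_require(` / `type cgroup_t;` / `')` as used by the neighbouring interfaces.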
@@ -646,9 +685,29 @@ interface(`fs_search_cgroup_dirs',`
 	')
 
 	search_dirs_pattern($1, cgroup_t, cgroup_t)
+	fs_search_tmpfs($1)
 	dev_search_sysfs($1)
 ')
 
+########################################
+## <summary>
+##	Relabel cgroup directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_relabel_cgroup_dirs',`
+	gen_require(`
+		type cgroup_t;
+
+	')
+
+	relabel_dirs_pattern($1, cgroup_t, cgroup_t)
+')
+
 ########################################
 ## <summary>
 ##	list cgroup directories.
@@ -659,15 +718,35 @@ interface(`fs_search_cgroup_dirs',`
 ##	</summary>
 ## </param>
 #
-interface(`fs_list_cgroup_dirs', `
+interface(`fs_list_cgroup_dirs',`
 	gen_require(`
 		type cgroup_t;
 	')
 
 	list_dirs_pattern($1, cgroup_t, cgroup_t)
+	fs_search_tmpfs($1)
 	dev_search_sysfs($1)
 ')
 
+#######################################
+## <summary>
+##  Do not audit attempts to search cgroup directories.
+## </summary>
+## <param name="domain">
+##  <summary>
+##	Domain to not audit.
+##  </summary>
+## </param>
+#
+interface(`fs_dontaudit_search_cgroup_dirs', `
+    gen_require(`
+        type cgroup_t;
+    ')
+
+	dontaudit $1 cgroup_t:dir search_dir_perms;
+	dev_dontaudit_search_sysfs($1)
+')
+
 ########################################
 ## <summary>
 ##	Delete cgroup directories.
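Review bot: The `gen_require` block of `fs_dontaudit_search_cgroup_dirs` is indented with four spaces while the rule lines below it and the rest of the file use tabs, its doc block uses two-space indents (`##  <summary>`), and its banner is 39 `#` characters where the surrounding interfaces use 40. Converting those lines to tabs and the standard banner keeps the file consistent and avoids noisy whitespace diffs later. The rules themselves (a dontaudit on `search_dir_perms` plus `dev_dontaudit_search_sysfs`) look correct.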
@@ -684,6 +763,7 @@ interface(`fs_delete_cgroup_dirs', `
 	')
 
 	delete_dirs_pattern($1, cgroup_t, cgroup_t)
+	fs_search_tmpfs($1)
 	dev_search_sysfs($1)
 ')
 
@@ -704,6 +784,7 @@ interface(`fs_manage_cgroup_dirs',`
 	')
 
 	manage_dirs_pattern($1, cgroup_t, cgroup_t)
+	fs_search_tmpfs($1)
 	dev_search_sysfs($1)
 ')
 
@@ -724,6 +805,8 @@ interface(`fs_read_cgroup_files',`
 	')
 
 	read_files_pattern($1, cgroup_t, cgroup_t)
+	read_lnk_files_pattern($1, cgroup_t, cgroup_t)
+	fs_search_tmpfs($1)
 	dev_search_sysfs($1)
 ')
 
@@ -743,6 +826,7 @@ interface(`fs_write_cgroup_files', `
 	')
 
 	write_files_pattern($1, cgroup_t, cgroup_t)
+	fs_search_tmpfs($1)
 	dev_search_sysfs($1)
 ')
 
@@ -762,7 +846,9 @@ interface(`fs_rw_cgroup_files',`
 
 	')
 
+	read_lnk_files_pattern($1, cgroup_t, cgroup_t)
 	rw_files_pattern($1, cgroup_t, cgroup_t)
+	fs_search_tmpfs($1)
 	dev_search_sysfs($1)
 ')
 
@@ -786,6 +872,25 @@ interface(`fs_dontaudit_rw_cgroup_files',`
 	dontaudit $1 cgroup_t:file rw_file_perms;
 ')
 
+########################################
+## <summary>
+##	Relabel cgroup files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_relabel_cgroup_files',`
+	gen_require(`
+		type cgroup_t;
+
+	')
+
+	relabel_files_pattern($1, cgroup_t, cgroup_t)
+')
+
 ########################################
 ## <summary>
 ##	Manage cgroup files.
@@ -803,6 +908,8 @@ interface(`fs_manage_cgroup_files',`
 	')
 
 	manage_files_pattern($1, cgroup_t, cgroup_t)
+	manage_lnk_files_pattern($1, cgroup_t, cgroup_t)
+	fs_search_tmpfs($1)
 	dev_search_sysfs($1)
 ')
 
@@ -824,6 +931,25 @@ interface(`fs_mounton_cgroup', `
 	allow $1 cgroup_t:dir mounton;
 ')
 
+########################################
+## <summary>
+##	Read and write ceph files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_rw_cephfs_files',`
+	gen_require(`
+		type cephfs_t;
+
+	')
+
+	rw_files_pattern($1, cephfs_t, cephfs_t)
+')
+
 ########################################
 ## <summary>
 ##	Do not audit attempts to read
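Review bot: `fs_rw_cephfs_files` requires `type cephfs_t`, but no declaration of that type appears in this diff; if filesystem.te does not declare it together with its genfscon entry, the module fails to build, so that should be confirmed. The `gen_require` block also contains a stray blank line that the neighbouring interfaces do not have.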
@@ -918,6 +1044,24 @@ interface(`fs_getattr_cifs',`
 	allow $1 cifs_t:filesystem getattr;
 ')
 
+########################################
+## <summary>
+##	Set the attributes of cifs directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_setattr_cifs_dirs',`
+	gen_require(`
+		type cifs_t;
+	')
+
+	allow $1 cifs_t:dir setattr;
+')
+
 ########################################
 ## <summary>
 ##	Search directories on a CIFS or SMB filesystem.
@@ -1105,6 +1249,24 @@ interface(`fs_read_noxattr_fs_files',`
 	read_files_pattern($1, noxattrfs, noxattrfs)
 ')
 
+########################################
+## <summary>
+##	Read/Write all inherited noxattrfs files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_rw_inherited_noxattr_fs_files',`
+	gen_require(`
+		attribute noxattrfs;
+	')
+
+	allow $1 noxattrfs:file rw_inherited_file_perms;
+')
+
 ########################################
 ## <summary>
 ##	Do not audit attempts to read all
@@ -1245,7 +1407,7 @@ interface(`fs_append_cifs_files',`
 
 ########################################
 ## <summary>
-##	dontaudit Append files
+##	Do not audit attempts to append files
 ##	on a CIFS filesystem.
 ## </summary>
 ## <param name="domain">
@@ -1263,6 +1425,42 @@ interface(`fs_dontaudit_append_cifs_files',`
 	dontaudit $1 cifs_t:file append_file_perms;
 ')
 
+########################################
+## <summary>
+##	Read inherited files on a CIFS or SMB filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_read_inherited_cifs_files',`
+	gen_require(`
+		type cifs_t;
+	')
+
+	allow $1 cifs_t:file read_inherited_file_perms;
+')
+
+########################################
+## <summary>
+##	Read/Write inherited files on a CIFS or SMB filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_rw_inherited_cifs_files',`
+	gen_require(`
+		type cifs_t;
+	')
+
+	allow $1 cifs_t:file rw_inherited_file_perms;
+')
+
 ########################################
 ## <summary>
 ##	Do not audit attempts to read or
@@ -1279,7 +1477,7 @@ interface(`fs_dontaudit_rw_cifs_files',`
 		type cifs_t;
 	')
 
-	dontaudit $1 cifs_t:file rw_file_perms;
+	dontaudit $1 cifs_t:file rw_inherited_file_perms;
 ')
 
 ########################################
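Review bot: Narrowing `fs_dontaudit_rw_cifs_files` from `rw_file_perms` to `rw_inherited_file_perms` changes the behaviour of an existing interface: any permission in the old set but not the new one (presumably `open`, if the inherited set follows the usual definition) is audited again for every current caller, which can reintroduce the AVC noise those callers used this interface to suppress. If that is intended, a short comment on the rule would help, e.g. `# only inherited descriptors are silenced; open attempts stay audited`; otherwise keep `rw_file_perms`.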
@@ -1542,48 +1740,48 @@ interface(`fs_cifs_domtrans',`
 	domain_auto_transition_pattern($1, cifs_t, $2)
 ')
 
-#######################################
+########################################
 ## <summary>
-##	Create, read, write, and delete dirs
-##	on a configfs filesystem.
+##	Make general progams in cifs an entrypoint for
+##	the specified domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed access.
+##	The domain for which cifs_t is an entrypoint.
 ##	</summary>
 ## </param>
 #
-interface(`fs_manage_configfs_dirs',`
+interface(`fs_cifs_entry_type',`
 	gen_require(`
-		type configfs_t;
+		type cifs_t;
 	')
 
-	manage_dirs_pattern($1, configfs_t, configfs_t)
+	domain_entry_file($1, cifs_t)
 ')
 
-#######################################
+########################################
 ## <summary>
-##	Create, read, write, and delete files
-##	on a configfs filesystem.
+##	Make general progams in CIFS an entrypoint for
+##	the specified domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed access.
+##	The domain for which cifs_t is an entrypoint.
 ##	</summary>
 ## </param>
 #
-interface(`fs_manage_configfs_files',`
+interface(`fs_cifs_entrypoint',`
 	gen_require(`
-		type configfs_t;
+		type cifs_t;
 	')
 
-	manage_files_pattern($1, configfs_t, configfs_t)
+    allow $1 cifs_t:file entrypoint;
 ')
 
-########################################
+#######################################
 ## <summary>
-##	Mount a DOS filesystem, such as
-##	FAT32 or NTFS.
+##	dontaudit write dirs
+##	on a configfs filesystem.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
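Review bot: `fs_cifs_entry_type` and `fs_cifs_entrypoint` carry the same summary ("Make general progams in cifs an entrypoint for the specified domain") although one calls `domain_entry_file` and the other grants only the bare `entrypoint` permission, and "progams" is misspelled in both. For the second, `##	Allow cifs_t files to be used as entry points for the specified domain (entrypoint permission only).` would describe what the rule does. The `allow $1 cifs_t:file entrypoint;` line is indented with spaces rather than a tab. Since both interfaces make every file on a CIFS share a potential entry point for the caller's domain, the summaries should make that scope explicit.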
@@ -1591,19 +1789,18 @@ interface(`fs_manage_configfs_files',`
 ##	</summary>
 ## </param>
 #
-interface(`fs_mount_dos_fs',`
+interface(`fs_dontaudit_write_configfs_dirs',`
 	gen_require(`
-		type dosfs_t;
+		type configfs_t;
 	')
 
-	allow $1 dosfs_t:filesystem mount;
+	dontaudit $1 configfs_t:dir write;
 ')
 
-########################################
+#######################################
 ## <summary>
-##	Remount a DOS filesystem, such as
-##	FAT32 or NTFS.  This allows
-##	some mount options to be changed.
+##	Read dirs
+##	on a configfs filesystem.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -1611,18 +1808,18 @@ interface(`fs_mount_dos_fs',`
 ##	</summary>
 ## </param>
 #
-interface(`fs_remount_dos_fs',`
+interface(`fs_read_configfs_dirs',`
 	gen_require(`
-		type dosfs_t;
+		type configfs_t;
 	')
 
-	allow $1 dosfs_t:filesystem remount;
+	list_dirs_pattern($1, configfs_t, configfs_t)
 ')
 
-########################################
+#######################################
 ## <summary>
-##	Unmount a DOS filesystem, such as
-##	FAT32 or NTFS.
+##	Create, read, write, and delete dirs
+##	on a configfs filesystem.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -1630,38 +1827,37 @@ interface(`fs_remount_dos_fs',`
 ##	</summary>
 ## </param>
 #
-interface(`fs_unmount_dos_fs',`
+interface(`fs_manage_configfs_dirs',`
 	gen_require(`
-		type dosfs_t;
+		type configfs_t;
 	')
 
-	allow $1 dosfs_t:filesystem unmount;
+	manage_dirs_pattern($1, configfs_t, configfs_t)
 ')
 
-########################################
+#######################################
 ## <summary>
-##	Get the attributes of a DOS
-##	filesystem, such as FAT32 or NTFS.
+##	Read files
+##	on a configfs filesystem.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <rolecap/>
 #
-interface(`fs_getattr_dos_fs',`
+interface(`fs_read_configfs_files',`
 	gen_require(`
-		type dosfs_t;
+		type configfs_t;
 	')
 
-	allow $1 dosfs_t:filesystem getattr;
+	read_files_pattern($1, configfs_t, configfs_t)
 ')
 
-########################################
+#######################################
 ## <summary>
-##	Allow changing of the label of a
-##	DOS filesystem using the context= mount option.
+##	Create, read, write, and delete files
+##	on a configfs filesystem.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -1669,17 +1865,18 @@ interface(`fs_getattr_dos_fs',`
 ##	</summary>
 ## </param>
 #
-interface(`fs_relabelfrom_dos_fs',`
+interface(`fs_manage_configfs_files',`
 	gen_require(`
-		type dosfs_t;
+		type configfs_t;
 	')
 
-	allow $1 dosfs_t:filesystem relabelfrom;
+	manage_files_pattern($1, configfs_t, configfs_t)
 ')
 
-########################################
+#######################################
 ## <summary>
-##	Search dosfs filesystem.
+##	Create, read, write, and delete files
+##	on a configfs filesystem.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -1687,17 +1884,17 @@ interface(`fs_relabelfrom_dos_fs',`
 ##	</summary>
 ## </param>
 #
-interface(`fs_search_dos',`
+interface(`fs_manage_configfs_lnk_files',`
 	gen_require(`
-		type dosfs_t;
+		type configfs_t;
 	')
 
-	allow $1 dosfs_t:dir search_dir_perms;
+	manage_lnk_files_pattern($1, configfs_t, configfs_t)
 ')
 
 ########################################
 ## <summary>
-##	List dirs DOS filesystem.
+##	Unmount a configfs filesystem
 ## </summary>
 ## <param name="domain">
 ##	<summary>
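Review bot: The summary for `fs_manage_configfs_lnk_files` (it sits in the preceding hunk) reads "Create, read, write, and delete files on a configfs filesystem", copied from `fs_manage_configfs_files`, but the body calls `manage_lnk_files_pattern`. Change it to `##	Create, read, write, and delete symbolic links` / `##	on a configfs filesystem.` so the generated interface documentation matches the rule.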
@@ -1705,18 +1902,18 @@ interface(`fs_search_dos',`
 ##	</summary>
 ## </param>
 #
-interface(`fs_list_dos',`
+interface(`fs_unmount_configfs',`
 	gen_require(`
-		type dosfs_t;
+		type configfs_t;
 	')
 
-	list_dirs_pattern($1, dosfs_t, dosfs_t)
+	allow $1 configfs_t:filesystem unmount;
 ')
 
 ########################################
 ## <summary>
-##	Create, read, write, and delete dirs
-##	on a DOS filesystem.
+##	Mount a DOS filesystem, such as
+##	FAT32 or NTFS.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -1724,17 +1921,19 @@ interface(`fs_list_dos',`
 ##	</summary>
 ## </param>
 #
-interface(`fs_manage_dos_dirs',`
+interface(`fs_mount_dos_fs',`
 	gen_require(`
 		type dosfs_t;
 	')
 
-	manage_dirs_pattern($1, dosfs_t, dosfs_t)
+	allow $1 dosfs_t:filesystem mount;
 ')
 
 ########################################
 ## <summary>
-##	Read files on a DOS filesystem.
+##	Remount a DOS filesystem, such as
+##	FAT32 or NTFS.  This allows
+##	some mount options to be changed.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -1742,18 +1941,18 @@ interface(`fs_manage_dos_dirs',`
 ##	</summary>
 ## </param>
 #
-interface(`fs_read_dos_files',`
+interface(`fs_remount_dos_fs',`
 	gen_require(`
 		type dosfs_t;
 	')
 
-	read_files_pattern($1, dosfs_t, dosfs_t)
+	allow $1 dosfs_t:filesystem remount;
 ')
 
 ########################################
 ## <summary>
-##	Create, read, write, and delete files
-##	on a DOS filesystem.
+##	Unmount a DOS filesystem, such as
+##	FAT32 or NTFS.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -1761,7 +1960,138 @@ interface(`fs_read_dos_files',`
 ##	</summary>
 ## </param>
 #
-interface(`fs_manage_dos_files',`
+interface(`fs_unmount_dos_fs',`
+	gen_require(`
+		type dosfs_t;
+	')
+
+	allow $1 dosfs_t:filesystem unmount;
+')
+
+########################################
+## <summary>
+##	Get the attributes of a DOS
+##	filesystem, such as FAT32 or NTFS.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`fs_getattr_dos_fs',`
+	gen_require(`
+		type dosfs_t;
+	')
+
+	allow $1 dosfs_t:filesystem getattr;
+')
+
+########################################
+## <summary>
+##	Allow changing of the label of a
+##	DOS filesystem using the context= mount option.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_relabelfrom_dos_fs',`
+	gen_require(`
+		type dosfs_t;
+	')
+
+	allow $1 dosfs_t:filesystem relabelfrom;
+')
+
+########################################
+## <summary>
+##	Search dosfs filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_search_dos',`
+	gen_require(`
+		type dosfs_t;
+	')
+
+	allow $1 dosfs_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+##	List dirs DOS filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_list_dos',`
+	gen_require(`
+		type dosfs_t;
+	')
+
+	list_dirs_pattern($1, dosfs_t, dosfs_t)
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete dirs
+##	on a DOS filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_manage_dos_dirs',`
+	gen_require(`
+		type dosfs_t;
+	')
+
+	manage_dirs_pattern($1, dosfs_t, dosfs_t)
+')
+
+########################################
+## <summary>
+##	Read files on a DOS filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_read_dos_files',`
+	gen_require(`
+		type dosfs_t;
+	')
+
+	read_files_pattern($1, dosfs_t, dosfs_t)
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete files
+##	on a DOS filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_manage_dos_files',`
 	gen_require(`
 		type dosfs_t;
 	')
@@ -1793,45 +2123,110 @@ interface(`fs_read_eventpollfs',`
 	refpolicywarn(`$0($*) has been deprecated.')
 ')
 
+
+#######################################
+## <summary>
+##      Search directories
+##      on a ecrypt filesystem.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`fs_search_ecryptfs',`
+        gen_require(`
+                type ecryptfs_t;
+        ')
+
+        allow $1 ecryptfs_t:dir search_dir_perms;
+')
+
 ########################################
 ## <summary>
-##	Mount a FUSE filesystem.
+##	Create, read, write, and delete directories
+##	on a FUSEFS filesystem.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
-interface(`fs_mount_fusefs',`
+interface(`fs_manage_ecryptfs_dirs',`
 	gen_require(`
-		type fusefs_t;
+		type ecryptfs_t;
 	')
 
-	allow $1 fusefs_t:filesystem mount;
+	manage_dirs_pattern($1, ecryptfs_t, ecryptfs_t)
+	allow $1 ecryptfs_t:dir manage_dir_perms;
+')
+
+#######################################
+## <summary>
+##      Create, read, write, and delete files
+##      on a FUSEFS filesystem.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+## <rolecap/>
+#
+interface(`fs_read_ecryptfs_files',`
+        gen_require(`
+                type ecryptfs_t;
+        ')
+
+        read_files_pattern($1, ecryptfs_t, ecryptfs_t)
 ')
 
 ########################################
 ## <summary>
-##	Unmount a FUSE filesystem.
+##	Create, read, write, and delete files
+##	on a FUSEFS filesystem.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
-interface(`fs_unmount_fusefs',`
+interface(`fs_manage_ecryptfs_files',`
 	gen_require(`
-		type fusefs_t;
+		type ecryptfs_t;
 	')
 
-	allow $1 fusefs_t:filesystem unmount;
+	manage_files_pattern($1, ecryptfs_t, ecryptfs_t)
 ')
 
 ########################################
 ## <summary>
-##	Mounton a FUSEFS filesystem.
+##	Do not audit attempts to create,
+##	read, write, and delete files
+##	on a FUSEFS filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`fs_dontaudit_manage_ecryptfs_files',`
+	gen_require(`
+		type ecryptfs_t;
+	')
+
+	dontaudit $1 ecryptfs_t:file manage_file_perms;
+')
+
+########################################
+## <summary>
+##	Read symbolic links on a FUSEFS filesystem.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
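Review bot: The new ecryptfs interfaces reuse the fusefs documentation: `fs_manage_ecryptfs_dirs`, `fs_read_ecryptfs_files`, `fs_manage_ecryptfs_files`, `fs_dontaudit_manage_ecryptfs_files` and `fs_read_ecryptfs_symlinks` all say "FUSEFS filesystem", and `fs_read_ecryptfs_files` is described as "Create, read, write, and delete files" although it only calls `read_files_pattern`. Each summary should name ecryptfs, and the read one should be `##	Read files on an ecryptfs filesystem.`. In `fs_manage_ecryptfs_dirs` the line `allow $1 ecryptfs_t:dir manage_dir_perms;` duplicates what the preceding `manage_dirs_pattern($1, ecryptfs_t, ecryptfs_t)` already grants on the same type and can be dropped. `fs_search_ecryptfs` and `fs_read_ecryptfs_files` are indented with eight spaces instead of tabs, unlike the rest of the file.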
@@ -1839,174 +2234,988 @@ interface(`fs_unmount_fusefs',`
 ##	</summary>
 ## </param>
 #
-interface(`fs_mounton_fusefs',`
+interface(`fs_read_ecryptfs_symlinks',`
 	gen_require(`
-		type fusefs_t;
+		type ecryptfs_t;
 	')
 
-	allow $1 fusefs_t:dir mounton;
+	allow $1 ecryptfs_t:dir list_dir_perms;
+	read_lnk_files_pattern($1, ecryptfs_t, ecryptfs_t)
+')
+
+#######################################
+## <summary>
+##  Dontaudit append files on  ecrypt filesystem.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`fs_dontaudit_append_ecryptfs_files',`
+	gen_require(`
+		type ecryptfs_t;
+	')
+	dontaudit $1 ecryptfs_t:file append;
 ')
 
 ########################################
 ## <summary>
-##	Search directories
-##	on a FUSEFS filesystem.
+##	Manage symbolic links on a FUSEFS filesystem.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <rolecap/>
 #
-interface(`fs_search_fusefs',`
+interface(`fs_manage_ecryptfs_symlinks',`
 	gen_require(`
-		type fusefs_t;
+		type ecryptfs_t;
 	')
 
-	allow $1 fusefs_t:dir search_dir_perms;
+	manage_lnk_files_pattern($1, ecryptfs_t, ecryptfs_t)
 ')
 
 ########################################
 ## <summary>
-##	Do not audit attempts to list the contents
-##	of directories on a FUSEFS filesystem.
+##	Execute a file on a FUSE filesystem
+##	in the specified domain.
 ## </summary>
+## <desc>
+##	<p>
+##	Execute a file on a FUSE filesystem
+##	in the specified domain.  This allows
+##	the specified domain to execute any file
+##	on these filesystems in the specified
+##	domain.  This is not suggested.
+##	</p>
+##	<p>
+##	No interprocess communication (signals, pipes,
+##	etc.) is provided by this interface since
+##	the domains are not owned by this module.
+##	</p>
+##	<p>
+##	This interface was added to handle
+##	home directories on FUSE filesystems,
+##	in particular used by the ssh-agent policy.
+##	</p>
+## </desc>
 ## <param name="domain">
 ##	<summary>
-##	Domain to not audit.
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+## <param name="target_domain">
+##	<summary>
+##	The type of the new process.
 ##	</summary>
 ## </param>
 #
-interface(`fs_dontaudit_list_fusefs',`
+interface(`fs_ecryptfs_domtrans',`
+	gen_require(`
+		type ecryptfs_t;
+	')
+
+	allow $1 ecryptfs_t:dir search_dir_perms;
+	domain_auto_transition_pattern($1, ecryptfs_t, $2)
+')
+
+########################################
+## <summary>
+##	Mount a FUSE filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_mount_fusefs',`
 	gen_require(`
 		type fusefs_t;
 	')
 
-	dontaudit $1 fusefs_t:dir list_dir_perms;
+	allow $1 fusefs_t:filesystem mount;
 ')
 
 ########################################
 ## <summary>
-##	Create, read, write, and delete directories
-##	on a FUSEFS filesystem.
+##	Unmount a FUSE filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_unmount_fusefs',`
+	gen_require(`
+		type fusefs_t;
+	')
+
+	allow $1 fusefs_t:filesystem unmount;
+')
+
+########################################
+## <summary>
+##	Mounton a FUSEFS filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_mounton_fusefs',`
+	gen_require(`
+		type fusefs_t;
+	')
+
+	allow $1 fusefs_t:dir mounton;
+')
+
+########################################
+## <summary>
+##	Search directories
+##	on a FUSEFS filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`fs_search_fusefs',`
+	gen_require(`
+		type fusefs_t;
+	')
+
+	allow $1 fusefs_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to list the contents
+##	of directories on a FUSEFS filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`fs_dontaudit_list_fusefs',`
+	gen_require(`
+		type fusefs_t;
+	')
+
+	dontaudit $1 fusefs_t:dir list_dir_perms;
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete directories
+##	on a FUSEFS filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`fs_manage_fusefs_dirs',`
+	gen_require(`
+		type fusefs_t;
+	')
+
+	allow $1 fusefs_t:dir manage_dir_perms;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to create, read,
+##	write, and delete directories
+##	on a FUSEFS filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`fs_dontaudit_manage_fusefs_dirs',`
+	gen_require(`
+		type fusefs_t;
+	')
+
+	dontaudit $1 fusefs_t:dir manage_dir_perms;
+')
+
+########################################
+## <summary>
+##	Read, a FUSEFS filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`fs_read_fusefs_files',`
+	gen_require(`
+		type fusefs_t;
+	')
+
+	read_files_pattern($1, fusefs_t, fusefs_t)
+')
+
+########################################
+## <summary>
+##	Execute files on a FUSEFS filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`fs_exec_fusefs_files',`
+	gen_require(`
+		type fusefs_t;
+	')
+
+	exec_files_pattern($1, fusefs_t, fusefs_t)
+')
+
+########################################
+## <summary>
+##	Make general progams in FUSEFS an entrypoint for
+##	the specified domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The domain for which fusefs_t is an entrypoint.
+##	</summary>
+## </param>
+#
+interface(`fs_fusefs_entry_type',`
+	gen_require(`
+		type fusefs_t;
+	')
+
+	domain_entry_file($1, fusefs_t)
+')
+
+########################################
+## <summary>
+##	Make general progams in FUSEFS an entrypoint for
+##	the specified domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The domain for which fusefs_t is an entrypoint.
+##	</summary>
+## </param>
+#
+interface(`fs_fusefs_entrypoint',`
+	gen_require(`
+		type fusefs_t;
+	')
+
+    allow $1 fusefs_t:file entrypoint;
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete files
+##	on a FUSEFS filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`fs_manage_fusefs_files',`
+	gen_require(`
+		type fusefs_t;
+	')
+
+	manage_files_pattern($1, fusefs_t, fusefs_t)
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to create,
+##	read, write, and delete files
+##	on a FUSEFS filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`fs_dontaudit_manage_fusefs_files',`
+	gen_require(`
+		type fusefs_t;
+	')
+
+	dontaudit $1 fusefs_t:file manage_file_perms;
+')
+
+########################################
+## <summary>
+##	Read symbolic links on a FUSEFS filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_read_fusefs_symlinks',`
+	gen_require(`
+		type fusefs_t;
+	')
+
+	allow $1 fusefs_t:dir list_dir_perms;
+	read_lnk_files_pattern($1, fusefs_t, fusefs_t)
+')
+
+########################################
+## <summary>
+##	Manage symbolic links on a FUSEFS filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_manage_fusefs_symlinks',`
+	gen_require(`
+		type fusefs_t;
+	')
+
+	manage_lnk_files_pattern($1, fusefs_t, fusefs_t)
+')
+
+########################################
+## <summary>
+##	Execute a file on a FUSE filesystem
+##	in the specified domain.
+## </summary>
+## <desc>
+##	<p>
+##	Execute a file on a FUSE filesystem
+##	in the specified domain.  This allows
+##	the specified domain to execute any file
+##	on these filesystems in the specified
+##	domain.  This is not suggested.
+##	</p>
+##	<p>
+##	No interprocess communication (signals, pipes,
+##	etc.) is provided by this interface since
+##	the domains are not owned by this module.
+##	</p>
+##	<p>
+##	This interface was added to handle
+##	home directories on FUSE filesystems,
+##	in particular used by the ssh-agent policy.
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+## <param name="target_domain">
+##	<summary>
+##	The type of the new process.
+##	</summary>
+## </param>
+#
+interface(`fs_fusefs_domtrans',`
+	gen_require(`
+		type fusefs_t;
+	')
+
+	allow $1 fusefs_t:dir search_dir_perms;
+	domain_auto_transition_pattern($1, fusefs_t, $2)
+')
+
+########################################
+## <summary>
+##	Get the attributes of a FUSEFS filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`fs_getattr_fusefs',`
+	gen_require(`
+		type fusefs_t;
+	')
+
+	allow $1 fusefs_t:filesystem getattr;
+')
+
+########################################
+## <summary>
+##	Get the attributes of an hugetlbfs
+##	filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_getattr_hugetlbfs',`
+	gen_require(`
+		type hugetlbfs_t;
+	')
+
+	allow $1 hugetlbfs_t:filesystem getattr;
+')
+
+########################################
+## <summary>
+##	List hugetlbfs.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_list_hugetlbfs',`
+	gen_require(`
+		type hugetlbfs_t;
+	')
+
+	allow $1 hugetlbfs_t:dir list_dir_perms;
+')
+
+########################################
+## <summary>
+##	Manage hugetlbfs dirs.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_manage_hugetlbfs_dirs',`
+	gen_require(`
+		type hugetlbfs_t;
+	')
+
+	manage_dirs_pattern($1, hugetlbfs_t, hugetlbfs_t)
+')
+
+########################################
+## <summary>
+##	Read hugetlbfs files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_read_hugetlbfs_files',`
+	gen_require(`
+		type hugetlbfs_t;
+	')
+
+	read_files_pattern($1, hugetlbfs_t, hugetlbfs_t)
+')
+
+########################################
+## <summary>
+##	Read and write hugetlbfs files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_rw_hugetlbfs_files',`
+	gen_require(`
+		type hugetlbfs_t;
+	')
+
+	rw_files_pattern($1, hugetlbfs_t, hugetlbfs_t)
+')
+
+########################################
+## <summary>
+##	Manage  hugetlbfs files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_manage_hugetlbfs_files',`
+	gen_require(`
+		type hugetlbfs_t;
+	')
+
+	manage_files_pattern($1, hugetlbfs_t, hugetlbfs_t)
+')
+
+########################################
+## <summary>
+##	Execute hugetlbfs files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_exec_hugetlbfs_files',`
+	gen_require(`
+		type hugetlbfs_t;
+	')
+
+    allow $1 hugetlbfs_t:dir list_dir_perms;
+	exec_files_pattern($1, hugetlbfs_t, hugetlbfs_t)
+')
+
+########################################
+## <summary>
+##	Allow the type to associate to hugetlbfs filesystems.
+## </summary>
+## <param name="type">
+##	<summary>
+##	The type of the object to be associated.
+##	</summary>
+## </param>
+#
+interface(`fs_associate_hugetlbfs',`
+	gen_require(`
+		type hugetlbfs_t;
+	')
+
+	allow $1 hugetlbfs_t:filesystem associate;
+')
+
+########################################
+## <summary>
+##	List oracleasmfs.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_list_oracleasmfs',`
+	gen_require(`
+		type oracleasmfs_t;
+	')
+
+	allow $1 oracleasmfs_t:dir list_dir_perms;
+')
+
+########################################
+## <summary>
+##	Get the attributes of an oracleasmfs
+##	filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_getattr_oracleasmfs_fs',`
+	gen_require(`
+		type oracleasmfs_t;
+	')
+
+	allow $1 oracleasmfs_t:filesystem getattr;
+')
+
+########################################
+## <summary>
+##	Get the attributes of an oracleasmfs
+##	filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_getattr_oracleasmfs',`
+	gen_require(`
+		type oracleasmfs_t;
+	')
+
+	allow $1 oracleasmfs_t:file getattr;
+')
+
+########################################
+## <summary>
+##	Get the attributes of an oracleasmfs
+##	filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_setattr_oracleasmfs',`
+	gen_require(`
+		type oracleasmfs_t;
+	')
+
+	allow $1 oracleasmfs_t:file setattr;
+')
+
+########################################
+## <summary>
+##	Get the attributes of an oracleasmfs
+##	filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_setattr_oracleasmfs_dirs',`
+	gen_require(`
+		type oracleasmfs_t;
+	')
+
+	allow $1 oracleasmfs_t:dir setattr;
+')
+
+########################################
+## <summary>
+##	Read and write the oracleasm device.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_manage_oracleasm',`
+	gen_require(`
+		type oracleasmfs_t;
+	')
+
+	manage_dirs_pattern($1, oracleasmfs_t, oracleasmfs_t)
+	manage_blk_files_pattern($1, oracleasmfs_t, oracleasmfs_t)
+	dev_filetrans($1, oracleasmfs_t, dir, "oracleasm")
+')
+
+########################################
+## <summary>
+##	Search inotifyfs filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_search_inotifyfs',`
+	gen_require(`
+		type inotifyfs_t;
+	')
+
+	allow $1 inotifyfs_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+##	List inotifyfs filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_list_inotifyfs',`
+	gen_require(`
+		type inotifyfs_t;
+	')
+
+	allow $1 inotifyfs_t:dir list_dir_perms;
+	fs_read_anon_inodefs_files($1)
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to list inotifyfs filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`fs_dontaudit_list_inotifyfs',`
+	gen_require(`
+		type inotifyfs_t;
+	')
+
+	dontaudit $1 inotifyfs_t:dir list_dir_perms;
+')
+
+########################################
+## <summary>
+##	Create an object in a hugetlbfs filesystem, with a private
+##	type using a type transition.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="private type">
+##	<summary>
+##	The type of the object to be created.
+##	</summary>
+## </param>
+## <param name="object">
+##	<summary>
+##	The object class of the object being created.
+##	</summary>
+## </param>
+## <param name="name" optional="true">
+##	<summary>
+##	The name of the object being created.
+##	</summary>
+## </param>
+#
+interface(`fs_hugetlbfs_filetrans',`
+	gen_require(`
+		type hugetlbfs_t;
+	')
+
+	allow $2 hugetlbfs_t:filesystem associate;
+	filetrans_pattern($1, hugetlbfs_t, $2, $3, $4)
+')
+
+########################################
+## <summary>
+##	Mount an iso9660 filesystem, which
+##	is usually used on CDs.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_mount_iso9660_fs',`
+	gen_require(`
+		type iso9660_t;
+	')
+
+	allow $1 iso9660_t:filesystem mount;
+')
+
+########################################
+## <summary>
+##	Remount an iso9660 filesystem, which
+##	is usually used on CDs.  This allows
+##	some mount options to be changed.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_remount_iso9660_fs',`
+	gen_require(`
+		type iso9660_t;
+	')
+
+	allow $1 iso9660_t:filesystem remount;
+')
+
+########################################
+## <summary>
+##	Unmount an iso9660 filesystem, which
+##	is usually used on CDs.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_unmount_iso9660_fs',`
+	gen_require(`
+		type iso9660_t;
+	')
+
+	allow $1 iso9660_t:filesystem unmount;
+')
+
+########################################
+## <summary>
+##	Get the attributes of an iso9660
+##	filesystem, which is usually used on CDs.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`fs_getattr_iso9660_fs',`
+	gen_require(`
+		type iso9660_t;
+	')
+
+	allow $1 iso9660_t:filesystem getattr;
+')
+
+########################################
+## <summary>
+##	Read files on an iso9660 filesystem, which
+##	is usually used on CDs.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <rolecap/>
 #
-interface(`fs_manage_fusefs_dirs',`
+interface(`fs_getattr_iso9660_files',`
 	gen_require(`
-		type fusefs_t;
+		type iso9660_t;
 	')
 
-	allow $1 fusefs_t:dir manage_dir_perms;
+	allow $1 iso9660_t:dir list_dir_perms;
+	allow $1 iso9660_t:file getattr;
 ')
 
 ########################################
 ## <summary>
-##	Do not audit attempts to create, read,
-##	write, and delete directories
-##	on a FUSEFS filesystem.
+##	Read files on an iso9660 filesystem, which
+##	is usually used on CDs.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain to not audit.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
-interface(`fs_dontaudit_manage_fusefs_dirs',`
+interface(`fs_read_iso9660_files',`
 	gen_require(`
-		type fusefs_t;
+		type iso9660_t;
 	')
 
-	dontaudit $1 fusefs_t:dir manage_dir_perms;
+	allow $1 iso9660_t:dir list_dir_perms;
+	read_files_pattern($1, iso9660_t, iso9660_t)
+	read_lnk_files_pattern($1, iso9660_t, iso9660_t)
 ')
 
+
 ########################################
 ## <summary>
-##	Read, a FUSEFS filesystem.
+##	Mount kdbus filesystems.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <rolecap/>
 #
-interface(`fs_read_fusefs_files',`
+interface(`fs_mount_kdbus', `
 	gen_require(`
-		type fusefs_t;
+		type kdbusfs_t;
 	')
 
-	read_files_pattern($1, fusefs_t, fusefs_t)
+	allow $1 kdbusfs_t:filesystem mount;
 ')
 
 ########################################
 ## <summary>
-##	Execute files on a FUSEFS filesystem.
+##	Remount kdbus filesystems.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <rolecap/>
 #
-interface(`fs_exec_fusefs_files',`
+interface(`fs_remount_kdbus', `
 	gen_require(`
-		type fusefs_t;
+		type kdbusfs_t;
 	')
 
-	exec_files_pattern($1, fusefs_t, fusefs_t)
+	allow $1 kdbusfs_t:filesystem remount;
 ')
 
 ########################################
 ## <summary>
-##	Create, read, write, and delete files
-##	on a FUSEFS filesystem.
+##	Unmount kdbus filesystems.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <rolecap/>
 #
-interface(`fs_manage_fusefs_files',`
+interface(`fs_unmount_kdbus', `
 	gen_require(`
-		type fusefs_t;
+		type kdbusfs_t;
 	')
 
-	manage_files_pattern($1, fusefs_t, fusefs_t)
+	allow $1 kdbusfs_t:filesystem unmount;
 ')
 
 ########################################
 ## <summary>
-##	Do not audit attempts to create,
-##	read, write, and delete files
-##	on a FUSEFS filesystem.
+##	Get attributes of kdbus filesystems.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain to not audit.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
-interface(`fs_dontaudit_manage_fusefs_files',`
+interface(`fs_getattr_kdbus',`
 	gen_require(`
-		type fusefs_t;
+		type kdbusfs_t;
 	')
 
-	dontaudit $1 fusefs_t:file manage_file_perms;
+	allow $1 kdbusfs_t:filesystem getattr;
 ')
 
 ########################################
 ## <summary>
-##	Read symbolic links on a FUSEFS filesystem.
+##	Search kdbusfs directories.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
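Review bot: fs_list_inotifyfs now also calls `fs_read_anon_inodefs_files($1)`, which grants read access on anon_inodefs files that the summary "List inotifyfs filesystem." does not mention, so a caller asking only to list inotifyfs receives more than the interface name promises; either state it, e.g. `##	List inotifyfs filesystem and read anon_inodefs files.`, or leave that grant to the callers that need it. Several summaries in this hunk are carried over from neighbouring interfaces: fs_manage_ecryptfs_symlinks and fs_ecryptfs_domtrans still describe a "FUSEFS"/"FUSE" filesystem, fs_getattr_oracleasmfs, fs_setattr_oracleasmfs and fs_setattr_oracleasmfs_dirs all read "Get the attributes of an oracleasmfs filesystem" although two of them grant setattr on files or dirs, and fs_manage_oracleasm says "Read and write the oracleasm device" while it manages dirs, block files and a dev filetrans. fs_dontaudit_append_ecryptfs_files documents its parameter as "Domain allowed access." where the file's other dontaudit interfaces use `##	Domain to not audit.`, and it lacks the blank line after gen_require that every other interface has. fs_fusefs_entry_type and fs_fusefs_entrypoint share the identical summary "Make general progams in FUSEFS an entrypoint" (also a typo for "programs") although one grants domain_entry_file and the other only the entrypoint permission. The four-space indentation of the body line in fs_fusefs_entrypoint and fs_exec_hugetlbfs_files differs from the tabs used everywhere else in the file; the same applies to the gen_require block of fs_dontaudit_search_kdbus_dirs in a later hunk.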
@@ -2014,19 +3223,20 @@ interface(`fs_dontaudit_manage_fusefs_files',`
 ##	</summary>
 ## </param>
 #
-interface(`fs_read_fusefs_symlinks',`
+interface(`fs_search_kdbus_dirs',`
 	gen_require(`
-		type fusefs_t;
+		type kdbusfs_t;
+
 	')
 
-	allow $1 fusefs_t:dir list_dir_perms;
-	read_lnk_files_pattern($1, fusefs_t, fusefs_t)
+	search_dirs_pattern($1, kdbusfs_t, kdbusfs_t)
+	fs_search_tmpfs($1)
+	dev_search_sysfs($1)
 ')
 
 ########################################
 ## <summary>
-##	Get the attributes of an hugetlbfs
-##	filesystem.
+##	Relabel kdbusfs directories.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
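Review bot: fs_search_kdbus_dirs grants search on two other filesystems through `fs_search_tmpfs($1)` and `dev_search_sysfs($1)`, which the summary "Search kdbusfs directories." does not state, so a caller wanting only kdbusfs search also gets tmpfs and sysfs search. The same undocumented side grants appear in fs_list_kdbus_dirs, fs_delete_kdbus_dirs, fs_manage_kdbus_dirs, fs_read_kdbus_files, fs_write_kdbus_files, fs_rw_kdbus_files and fs_manage_kdbus_files in the following hunks. If they are intended because kdbusfs is reached through those filesystems, a `<desc>` paragraph saying so would make the scope explicit; otherwise drop them here and keep them in the callers. The gen_require block also carries a stray blank line before its closing `')`, repeated in fs_relabel_kdbus_dirs, fs_read_kdbus_files, fs_rw_kdbus_files and fs_manage_kdbus_files, while fs_manage_kdbus_dirs moves the blank line inside gen_require instead of after it.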
@@ -2034,17 +3244,18 @@ interface(`fs_read_fusefs_symlinks',`
 ##	</summary>
 ## </param>
 #
-interface(`fs_getattr_hugetlbfs',`
+interface(`fs_relabel_kdbus_dirs',`
 	gen_require(`
-		type hugetlbfs_t;
+		type kdbusfs_t;
+
 	')
 
-	allow $1 hugetlbfs_t:filesystem getattr;
+	relabel_dirs_pattern($1, kdbusfs_t, kdbusfs_t)
 ')
 
 ########################################
 ## <summary>
-##	List hugetlbfs.
+##	List kdbusfs directories.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -2052,17 +3263,38 @@ interface(`fs_getattr_hugetlbfs',`
 ##	</summary>
 ## </param>
 #
-interface(`fs_list_hugetlbfs',`
+interface(`fs_list_kdbus_dirs',`
 	gen_require(`
-		type hugetlbfs_t;
+		type kdbusfs_t;
 	')
 
-	allow $1 hugetlbfs_t:dir list_dir_perms;
+	list_dirs_pattern($1, kdbusfs_t, kdbusfs_t)
+	fs_search_tmpfs($1)
+	dev_search_sysfs($1)
+')
+
+#######################################
+## <summary>
+##  Do not audit attempts to search kdbusfs directories.
+## </summary>
+## <param name="domain">
+##  <summary>
+##	Domain to not audit.
+##  </summary>
+## </param>
+#
+interface(`fs_dontaudit_search_kdbus_dirs', `
+    gen_require(`
+        type kdbusfs_t;
+    ')
+
+	dontaudit $1 kdbusfs_t:dir search_dir_perms;
+	dev_dontaudit_search_sysfs($1)
 ')
 
 ########################################
 ## <summary>
-##	Manage hugetlbfs dirs.
+##	Delete kdbusfs directories.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -2070,17 +3302,19 @@ interface(`fs_list_hugetlbfs',`
 ##	</summary>
 ## </param>
 #
-interface(`fs_manage_hugetlbfs_dirs',`
+interface(`fs_delete_kdbus_dirs', `
 	gen_require(`
-		type hugetlbfs_t;
+		type kdbusfs_t;
 	')
 
-	manage_dirs_pattern($1, hugetlbfs_t, hugetlbfs_t)
+	delete_dirs_pattern($1, kdbusfs_t, kdbusfs_t)
+	fs_search_tmpfs($1)
+	dev_search_sysfs($1)
 ')
 
 ########################################
 ## <summary>
-##	Read and write hugetlbfs files.
+##	Manage kdbusfs directories.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -2088,35 +3322,41 @@ interface(`fs_manage_hugetlbfs_dirs',`
 ##	</summary>
 ## </param>
 #
-interface(`fs_rw_hugetlbfs_files',`
+interface(`fs_manage_kdbus_dirs',`
 	gen_require(`
-		type hugetlbfs_t;
-	')
+		type kdbusfs_t;
 
-	rw_files_pattern($1, hugetlbfs_t, hugetlbfs_t)
+	')
+	manage_dirs_pattern($1, kdbusfs_t, kdbusfs_t)
+	fs_search_tmpfs($1)
+	dev_search_sysfs($1)
 ')
 
 ########################################
 ## <summary>
-##	Allow the type to associate to hugetlbfs filesystems.
+##	Read kdbusfs files.
 ## </summary>
-## <param name="type">
+## <param name="domain">
 ##	<summary>
-##	The type of the object to be associated.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
-interface(`fs_associate_hugetlbfs',`
+interface(`fs_read_kdbus_files',`
 	gen_require(`
-		type hugetlbfs_t;
+		type kdbusfs_t;
+
 	')
 
-	allow $1 hugetlbfs_t:filesystem associate;
+	read_files_pattern($1, kdbusfs_t, kdbusfs_t)
+	read_lnk_files_pattern($1, kdbusfs_t, kdbusfs_t)
+	fs_search_tmpfs($1)
+	dev_search_sysfs($1)
 ')
 
 ########################################
 ## <summary>
-##	Search inotifyfs filesystem.
+##	Write kdbusfs files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -2124,17 +3364,19 @@ interface(`fs_associate_hugetlbfs',`
 ##	</summary>
 ## </param>
 #
-interface(`fs_search_inotifyfs',`
+interface(`fs_write_kdbus_files', `
 	gen_require(`
-		type inotifyfs_t;
+		type kdbusfs_t;
 	')
 
-	allow $1 inotifyfs_t:dir search_dir_perms;
+	write_files_pattern($1, kdbusfs_t, kdbusfs_t)
+	fs_search_tmpfs($1)
+	dev_search_sysfs($1)
 ')
 
 ########################################
 ## <summary>
-##	List inotifyfs filesystem.
+##	Read and write kdbusfs files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -2142,17 +3384,23 @@ interface(`fs_search_inotifyfs',`
 ##	</summary>
 ## </param>
 #
-interface(`fs_list_inotifyfs',`
+interface(`fs_rw_kdbus_files',`
 	gen_require(`
-		type inotifyfs_t;
+		type kdbusfs_t;
+
 	')
 
-	allow $1 inotifyfs_t:dir list_dir_perms;
+	read_lnk_files_pattern($1, kdbusfs_t, kdbusfs_t)
+	rw_files_pattern($1, kdbusfs_t, kdbusfs_t)
+	fs_search_tmpfs($1)
+	dev_search_sysfs($1)
 ')
 
 ########################################
 ## <summary>
-##	Dontaudit List inotifyfs filesystem.
+##	Do not audit attempts to open,
+##	get attributes, read and write
+##	cgroup files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -2160,53 +3408,39 @@ interface(`fs_list_inotifyfs',`
 ##	</summary>
 ## </param>
 #
-interface(`fs_dontaudit_list_inotifyfs',`
+interface(`fs_dontaudit_rw_kdbus_files',`
 	gen_require(`
-		type inotifyfs_t;
+		type kdbusfs_t;
 	')
 
-	dontaudit $1 inotifyfs_t:dir list_dir_perms;
+	dontaudit $1 kdbusfs_t:file rw_file_perms;
 ')
 
 ########################################
 ## <summary>
-##	Create an object in a hugetlbfs filesystem, with a private
-##	type using a type transition.
+##	Manage kdbusfs files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <param name="private type">
-##	<summary>
-##	The type of the object to be created.
-##	</summary>
-## </param>
-## <param name="object">
-##	<summary>
-##	The object class of the object being created.
-##	</summary>
-## </param>
-## <param name="name" optional="true">
-##	<summary>
-##	The name of the object being created.
-##	</summary>
-## </param>
 #
-interface(`fs_hugetlbfs_filetrans',`
+interface(`fs_manage_kdbus_files',`
 	gen_require(`
-		type hugetlbfs_t;
+		type kdbusfs_t;
+
 	')
 
-	allow $2 hugetlbfs_t:filesystem associate;
-	filetrans_pattern($1, hugetlbfs_t, $2, $3, $4)
+	manage_files_pattern($1, kdbusfs_t, kdbusfs_t)
+	manage_lnk_files_pattern($1, kdbusfs_t, kdbusfs_t)
+	fs_search_tmpfs($1)
+	dev_search_sysfs($1)
 ')
 
 ########################################
 ## <summary>
-##	Mount an iso9660 filesystem, which
-##	is usually used on CDs.
+##	Mount on kdbusfs directories.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
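Review bot: The summary of fs_dontaudit_rw_kdbus_files reads "Do not audit attempts to open, get attributes, read and write cgroup files." although its body is `dontaudit $1 kdbusfs_t:file rw_file_perms;`; the wording was carried over from the cgroup interface and the last line should be `##	kdbusfs files.`. The parameter description for this interface sits in the gap before the hunk header, so its wording cannot be checked here.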
@@ -2214,19 +3448,18 @@ interface(`fs_hugetlbfs_filetrans',`
 ##	</summary>
 ## </param>
 #
-interface(`fs_mount_iso9660_fs',`
+interface(`fs_mounton_kdbus', `
 	gen_require(`
-		type iso9660_t;
+		type kdbusfs_t;
 	')
 
-	allow $1 iso9660_t:filesystem mount;
+	allow $1 kdbusfs_t:dir mounton;
 ')
 
+
 ########################################
 ## <summary>
-##	Remount an iso9660 filesystem, which
-##	is usually used on CDs.  This allows
-##	some mount options to be changed.
+##	Mount a NFS filesystem.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -2234,18 +3467,18 @@ interface(`fs_mount_iso9660_fs',`
 ##	</summary>
 ## </param>
 #
-interface(`fs_remount_iso9660_fs',`
+interface(`fs_mount_nfs',`
 	gen_require(`
-		type iso9660_t;
+		type nfs_t;
 	')
 
-	allow $1 iso9660_t:filesystem remount;
+	allow $1 nfs_t:filesystem mount;
 ')
 
 ########################################
 ## <summary>
-##	Unmount an iso9660 filesystem, which
-##	is usually used on CDs.
+##	Remount a NFS filesystem.  This allows
+##	some mount options to be changed.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -2253,58 +3486,54 @@ interface(`fs_remount_iso9660_fs',`
 ##	</summary>
 ## </param>
 #
-interface(`fs_unmount_iso9660_fs',`
+interface(`fs_remount_nfs',`
 	gen_require(`
-		type iso9660_t;
+		type nfs_t;
 	')
 
-	allow $1 iso9660_t:filesystem unmount;
+	allow $1 nfs_t:filesystem remount;
 ')
 
 ########################################
 ## <summary>
-##	Get the attributes of an iso9660
-##	filesystem, which is usually used on CDs.
+##	Unmount a NFS filesystem.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <rolecap/>
 #
-interface(`fs_getattr_iso9660_fs',`
+interface(`fs_unmount_nfs',`
 	gen_require(`
-		type iso9660_t;
+		type nfs_t;
 	')
 
-	allow $1 iso9660_t:filesystem getattr;
+	allow $1 nfs_t:filesystem unmount;
 ')
 
 ########################################
 ## <summary>
-##	Read files on an iso9660 filesystem, which
-##	is usually used on CDs.
+##	Get the attributes of a NFS filesystem.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
-interface(`fs_getattr_iso9660_files',`
+interface(`fs_getattr_nfs',`
 	gen_require(`
-		type iso9660_t;
+		type nfs_t;
 	')
 
-	allow $1 iso9660_t:dir list_dir_perms;
-	allow $1 iso9660_t:file getattr;
+	allow $1 nfs_t:filesystem getattr;
 ')
 
 ########################################
 ## <summary>
-##	Read files on an iso9660 filesystem, which
-##	is usually used on CDs.
+##	Set the attributes of nfs directories.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -2312,19 +3541,17 @@ interface(`fs_getattr_iso9660_files',`
 ##	</summary>
 ## </param>
 #
-interface(`fs_read_iso9660_files',`
+interface(`fs_setattr_nfs_dirs',`
 	gen_require(`
-		type iso9660_t;
+		type nfs_t;
 	')
 
-	allow $1 iso9660_t:dir list_dir_perms;
-	read_files_pattern($1, iso9660_t, iso9660_t)
-	read_lnk_files_pattern($1, iso9660_t, iso9660_t)
+	allow $1 nfs_t:dir setattr;
 ')
 
 ########################################
 ## <summary>
-##	Mount a NFS filesystem.
+##	Search directories on a NFS filesystem.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -2332,18 +3559,17 @@ interface(`fs_read_iso9660_files',`
 ##	</summary>
 ## </param>
 #
-interface(`fs_mount_nfs',`
+interface(`fs_search_nfs',`
 	gen_require(`
 		type nfs_t;
 	')
 
-	allow $1 nfs_t:filesystem mount;
+	allow $1 nfs_t:dir search_dir_perms;
 ')
 
 ########################################
 ## <summary>
-##	Remount a NFS filesystem.  This allows
-##	some mount options to be changed.
+##	List NFS filesystem.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -2351,240 +3577,243 @@ interface(`fs_mount_nfs',`
 ##	</summary>
 ## </param>
 #
-interface(`fs_remount_nfs',`
+interface(`fs_list_nfs',`
 	gen_require(`
 		type nfs_t;
 	')
 
-	allow $1 nfs_t:filesystem remount;
+	allow $1 nfs_t:dir list_dir_perms;
 ')
 
 ########################################
 ## <summary>
-##	Unmount a NFS filesystem.
+##	Do not audit attempts to list the contents
+##	of directories on a NFS filesystem.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed access.
+##	Domain to not audit.
 ##	</summary>
 ## </param>
 #
-interface(`fs_unmount_nfs',`
+interface(`fs_dontaudit_list_nfs',`
 	gen_require(`
 		type nfs_t;
 	')
 
-	allow $1 nfs_t:filesystem unmount;
+	dontaudit $1 nfs_t:dir list_dir_perms;
 ')
 
 ########################################
 ## <summary>
-##	Get the attributes of a NFS filesystem.
+##	Mounton a NFS filesystem.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <rolecap/>
 #
-interface(`fs_getattr_nfs',`
+interface(`fs_mounton_nfs',`
 	gen_require(`
 		type nfs_t;
 	')
 
-	allow $1 nfs_t:filesystem getattr;
+	allow $1 nfs_t:dir mounton;
 ')
 
 ########################################
 ## <summary>
-##	Search directories on a NFS filesystem.
+##	Read files on a NFS filesystem.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
-interface(`fs_search_nfs',`
+interface(`fs_read_nfs_files',`
 	gen_require(`
 		type nfs_t;
 	')
 
-	allow $1 nfs_t:dir search_dir_perms;
+	fs_search_auto_mountpoints($1)
+	allow $1 nfs_t:dir list_dir_perms;
+	read_files_pattern($1, nfs_t, nfs_t)
 ')
 
 ########################################
 ## <summary>
-##	List NFS filesystem.
+##	Do not audit attempts to read
+##	files on a NFS filesystem.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed access.
+##	Domain to not audit.
 ##	</summary>
 ## </param>
 #
-interface(`fs_list_nfs',`
+interface(`fs_dontaudit_read_nfs_files',`
 	gen_require(`
 		type nfs_t;
 	')
 
-	allow $1 nfs_t:dir list_dir_perms;
+	dontaudit $1 nfs_t:file read_file_perms;
 ')
 
 ########################################
 ## <summary>
-##	Do not audit attempts to list the contents
-##	of directories on a NFS filesystem.
+##	Read files on a NFS filesystem.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain to not audit.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
-interface(`fs_dontaudit_list_nfs',`
+interface(`fs_write_nfs_files',`
 	gen_require(`
 		type nfs_t;
 	')
 
-	dontaudit $1 nfs_t:dir list_dir_perms;
+	fs_search_auto_mountpoints($1)
+	allow $1 nfs_t:dir list_dir_perms;
+	write_files_pattern($1, nfs_t, nfs_t)
 ')
 
 ########################################
 ## <summary>
-##	Mounton a NFS filesystem.
+##	Execute files on a NFS filesystem.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
-interface(`fs_mounton_nfs',`
+interface(`fs_exec_nfs_files',`
 	gen_require(`
 		type nfs_t;
 	')
 
-	allow $1 nfs_t:dir mounton;
+	allow $1 nfs_t:dir list_dir_perms;
+	exec_files_pattern($1, nfs_t, nfs_t)
 ')
 
 ########################################
 ## <summary>
-##	Read files on a NFS filesystem.
+##	Make general progams in nfs an entrypoint for
+##	the specified domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed access.
+##	The domain for which nfs_t is an entrypoint.
 ##	</summary>
 ## </param>
-## <rolecap/>
 #
-interface(`fs_read_nfs_files',`
+interface(`fs_nfs_entry_type',`
 	gen_require(`
 		type nfs_t;
 	')
 
-	allow $1 nfs_t:dir list_dir_perms;
-	read_files_pattern($1, nfs_t, nfs_t)
+	domain_entry_file($1, nfs_t)
 ')
 
 ########################################
 ## <summary>
-##	Do not audit attempts to read
-##	files on a NFS filesystem.
+##	Make general progams in NFS an entrypoint for
+##	the specified domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain to not audit.
+##	The domain for which nfs_t is an entrypoint.
 ##	</summary>
 ## </param>
 #
-interface(`fs_dontaudit_read_nfs_files',`
+interface(`fs_nfs_entrypoint',`
 	gen_require(`
 		type nfs_t;
 	')
 
-	dontaudit $1 nfs_t:file read_file_perms;
+    allow $1 nfs_t:file entrypoint;
 ')
 
 ########################################
 ## <summary>
-##	Read files on a NFS filesystem.
+##	Append files
+##	on a NFS filesystem.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
-interface(`fs_write_nfs_files',`
+interface(`fs_append_nfs_files',`
 	gen_require(`
 		type nfs_t;
 	')
 
-	allow $1 nfs_t:dir list_dir_perms;
-	write_files_pattern($1, nfs_t, nfs_t)
+	append_files_pattern($1, nfs_t, nfs_t)
 ')
 
 ########################################
 ## <summary>
-##	Execute files on a NFS filesystem.
+##	Do not audit attempts to append files
+##	on a NFS filesystem.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed access.
+##	Domain to not audit.
 ##	</summary>
 ## </param>
 ## <rolecap/>
 #
-interface(`fs_exec_nfs_files',`
+interface(`fs_dontaudit_append_nfs_files',`
 	gen_require(`
 		type nfs_t;
 	')
 
-	allow $1 nfs_t:dir list_dir_perms;
-	exec_files_pattern($1, nfs_t, nfs_t)
+	dontaudit $1 nfs_t:file append_file_perms;
 ')
 
 ########################################
 ## <summary>
-##	Append files
-##	on a NFS filesystem.
+##	Read inherited files on a NFS filesystem.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <rolecap/>
 #
-interface(`fs_append_nfs_files',`
+interface(`fs_read_inherited_nfs_files',`
 	gen_require(`
 		type nfs_t;
 	')
 
-	append_files_pattern($1, nfs_t, nfs_t)
+	allow $1 nfs_t:file read_inherited_file_perms;
 ')
 
 ########################################
 ## <summary>
-##	dontaudit Append files
-##	on a NFS filesystem.
+##	Read/write inherited files on a NFS filesystem.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain to not audit.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <rolecap/>
 #
-interface(`fs_dontaudit_append_nfs_files',`
+interface(`fs_rw_inherited_nfs_files',`
 	gen_require(`
 		type nfs_t;
 	')
 
-	dontaudit $1 nfs_t:file append_file_perms;
+	allow $1 nfs_t:file rw_inherited_file_perms;
 ')
 
 ########################################
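Review bot: `fs_nfs_entrypoint` indents its rule with four spaces where every other interface body in this file uses a tab, and its summary is a copy of `fs_nfs_entry_type`'s ("Make general progams in nfs an entrypoint", typo included) although the two grant different things — `domain_entry_file()` versus a bare `file entrypoint`. Suggested: `##	Make general programs in nfs an entrypoint for the specified domain.` on the first, `##	Allow nfs files to be used as an entrypoint for the specified domain (entrypoint permission only).` on the second, and `	allow $1 nfs_t:file entrypoint;` with a tab. `fs_read_nfs_files` and `fs_write_nfs_files` (and `fs_manage_nfs_dirs`, `fs_manage_nfs_files` and `fs_manage_nfs_symlinks` in the three one-line hunks further down) now call `fs_search_auto_mountpoints($1)`, which extends the grant past nfs_t to the automounter's mountpoint type (presumably autofs_t); the summaries should say so, since a caller expecting only nfs_t access receives more. `fs_dontaudit_append_nfs_files` still carries `<rolecap/>`, which advertises a dontaudit rule as a role capability; drop the tag.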
@@ -2603,7 +3832,7 @@ interface(`fs_dontaudit_rw_nfs_files',`
 		type nfs_t;
 	')
 
-	dontaudit $1 nfs_t:file rw_file_perms;
+	dontaudit $1 nfs_t:file rw_inherited_file_perms;
 ')
 
 ########################################
@@ -2627,7 +3856,7 @@ interface(`fs_read_nfs_symlinks',`
 
 ########################################
 ## <summary>
-##	Dontaudit read symbolic links on a NFS filesystem.
+##	Do not audit attempts to read symbolic links on a NFS filesystem.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -2717,6 +3946,65 @@ interface(`fs_search_rpc',`
 	allow $1 rpc_pipefs_t:dir search_dir_perms;
 ')
 
+########################################
+## <summary>
+##	Do not audit attempts to list removable storage directories.
+## </summary>
+## <desc>
+##	<p>
+##	Do not audit attempts to list removable storage directories
+##	</p>
+##	<p>
+##	This interface has been deprecated, and will
+##	be removed in the future.
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_list_pstorefs',`
+	refpolicywarn(`$0($*) has been deprecated.')
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to list removable storage directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`fs_list_pstore',`
+	gen_require(`
+		type pstore_t;
+	')
+
+	allow $1 pstore_t:dir list_dir_perms;
+')
+
+########################################
+## <summary>
+##	Relabel directory on removable storage.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_relabel_pstore_dirs',`
+	gen_require(`
+		type pstore_t;
+	')
+
+	relabel_dirs_pattern($1, pstore_t, pstore_t)
+')
+
 ########################################
 ## <summary>
 ##	Search removable storage directories.
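Review bot: The three new pstore interfaces reuse the documentation of the removable-storage interfaces and it no longer matches the rules: `fs_list_pstore` is an `allow`, yet its summary says "Do not audit attempts to list removable storage directories" and its parameter says "Domain to not audit"; `fs_relabel_pstore_dirs` says "Relabel directory on removable storage"; and the deprecated `fs_list_pstorefs` describes a dontaudit although its body is only the deprecation warning. Suggested summaries: `##	List the contents of pstore directories.` with `##	Domain allowed access.` for `fs_list_pstore`, `##	Relabel pstore directories.` for `fs_relabel_pstore_dirs`, and `##	List pstore directories (deprecated, use fs_list_pstore).` for the stub.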
@@ -2741,7 +4029,7 @@ interface(`fs_search_removable',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain not to audit.
+##	Domain to not audit.
 ##	</summary>
 ## </param>
 #
@@ -2777,7 +4065,7 @@ interface(`fs_read_removable_files',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain not to audit.
+##	Domain to not audit.
 ##	</summary>
 ## </param>
 #
@@ -2970,6 +4258,7 @@ interface(`fs_manage_nfs_dirs',`
 		type nfs_t;
 	')
 
+	fs_search_auto_mountpoints($1)
 	allow $1 nfs_t:dir manage_dir_perms;
 ')
 
@@ -3010,6 +4299,7 @@ interface(`fs_manage_nfs_files',`
 		type nfs_t;
 	')
 
+	fs_search_auto_mountpoints($1)
 	manage_files_pattern($1, nfs_t, nfs_t)
 ')
 
@@ -3050,6 +4340,7 @@ interface(`fs_manage_nfs_symlinks',`
 		type nfs_t;
 	')
 
+	fs_search_auto_mountpoints($1)
 	manage_lnk_files_pattern($1, nfs_t, nfs_t)
 ')
 
@@ -3135,6 +4426,24 @@ interface(`fs_nfs_domtrans',`
 	domain_auto_transition_pattern($1, nfs_t, $2)
 ')
 
+########################################
+## <summary>
+##	Mount on nfsd_fs directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_mounton_nfsd_fs', `
+	gen_require(`
+		type nfsd_fs_t;
+	')
+
+	allow $1 nfsd_fs_t:dir mounton;
+')
+
 ########################################
 ## <summary>
 ##	Mount a NFS server pseudo filesystem.
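Review bot: The header `interface(`fs_mounton_nfsd_fs', `` puts a space before the second quoted argument, unlike every other interface header in this file (`interface(`fs_mounton_nfs',``); the same spacing appears on the new `fs_mounton_tmpfs` header in the hunk following `fs_unmount_tmpfs`. m4 discards leading unquoted whitespace in an argument, so this is cosmetic, but keep the headers uniform: `interface(`fs_mounton_nfsd_fs',`.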
@@ -3239,15 +4548,198 @@ interface(`fs_search_nfsd_fs',`
 #
 interface(`fs_list_nfsd_fs',`
 	gen_require(`
-		type nfsd_fs_t;
+		type nfsd_fs_t;
+	')
+
+	allow $1 nfsd_fs_t:dir list_dir_perms;
+')
+
+########################################
+## <summary>
+##	Getattr files on an nfsd filesystem
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_getattr_nfsd_files',`
+	gen_require(`
+		type nfsd_fs_t;
+	')
+
+	getattr_files_pattern($1, nfsd_fs_t, nfsd_fs_t)
+')
+
+#######################################
+## <summary>
+##  read files on an nfsd filesystem
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`fs_read_nfsd_files',`
+    gen_require(`
+        type nfsd_fs_t;
+    ')
+
+    read_files_pattern($1, nfsd_fs_t, nfsd_fs_t)
+')
+
+#######################################
+## <summary>
+##	Read and write NFS server files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_rw_nfsd_fs',`
+	gen_require(`
+		type nfsd_fs_t;
+	')
+
+	rw_files_pattern($1, nfsd_fs_t, nfsd_fs_t)
+')
+
+########################################
+## <summary>
+##	Getattr files on an nsfs filesystem
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_dontaudit_getattr_nsfs_files',`
+	gen_require(`
+		type nsfs_t;
+	')
+
+	dontaudit $1 nsfs_t:file getattr;
+')
+
+
+########################################
+## <summary>
+##	Getattr files on an nsfs filesystem
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_getattr_nsfs_files',`
+	gen_require(`
+		type nsfs_t;
+	')
+
+	getattr_files_pattern($1, nsfs_t, nsfs_t)
+')
+
+#######################################
+## <summary>
+##  Read nsfs inodes (e.g. /proc/pid/ns/uts)
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`fs_read_nsfs_files',`
+	gen_require(`
+    	type nsfs_t;
+    ')
+
+    allow $1 nsfs_t:file read_file_perms;
+')
+
+#######################################
+## <summary>
+##  Read and write nsfs inodes (e.g. /proc/pid/ns/uts)
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_rw_nsfs_files',`
+	gen_require(`
+		type nsfs_t;
+	')
+
+	rw_files_pattern($1, nsfs_t, nsfs_t)
+')
+
+
+########################################
+## <summary>
+##	Mount a nsfs filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_mount_nsfs',`
+	gen_require(`
+		type nsfs_t;
+	')
+
+	allow $1 nsfs_t:filesystem mount;
+')
+
+
+########################################
+## <summary>
+##	Remount a tmpfs filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_remount_nsfs',`
+	gen_require(`
+		type nsfs_t;
+	')
+
+	allow $1 nsfs_t:filesystem remount;
+')
+
+########################################
+## <summary>
+##	Unmount a tmpfs filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_unmount_nsfs',`
+	gen_require(`
+		type nsfs_t;
 	')
 
-	allow $1 nfsd_fs_t:dir list_dir_perms;
+	allow $1 nsfs_t:filesystem unmount;
 ')
 
 ########################################
 ## <summary>
-##	Getattr files on an nfsd filesystem
+##	Manage NFS server files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
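Review bot: `fs_remount_nsfs` and `fs_unmount_nsfs` carry summaries that say "tmpfs filesystem" although both act on nsfs_t; use `##	Remount a nsfs filesystem.` and `##	Unmount a nsfs filesystem.`. `fs_dontaudit_getattr_nsfs_files` is documented as "Getattr files on an nsfs filesystem" with "Domain allowed access", the same text as the allow variant `fs_getattr_nsfs_files`; it should read `##	Do not audit attempts to get the attributes of files on an nsfs filesystem.` with `##	Domain to not audit.`. Indentation is also inconsistent in this hunk: `fs_read_nfsd_files` uses four spaces throughout and `fs_read_nsfs_files` mixes a tab with spaces inside `gen_require`, while the rest of the file uses tabs; there are doubled blank lines after `fs_dontaudit_getattr_nsfs_files`, `fs_rw_nsfs_files` and `fs_mount_nsfs`.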
@@ -3255,35 +4747,35 @@ interface(`fs_list_nfsd_fs',`
 ##	</summary>
 ## </param>
 #
-interface(`fs_getattr_nfsd_files',`
+interface(`fs_manage_nfsd_fs',`
 	gen_require(`
 		type nfsd_fs_t;
 	')
 
-	getattr_files_pattern($1, nfsd_fs_t, nfsd_fs_t)
+	manage_files_pattern($1, nfsd_fs_t, nfsd_fs_t)
 ')
 
 ########################################
 ## <summary>
-##	Read and write NFS server files.
+##	Allow the type to associate to ramfs filesystems.
 ## </summary>
-## <param name="domain">
+## <param name="type">
 ##	<summary>
-##	Domain allowed access.
+##	The type of the object to be associated.
 ##	</summary>
 ## </param>
 #
-interface(`fs_rw_nfsd_fs',`
+interface(`fs_associate_ramfs',`
 	gen_require(`
-		type nfsd_fs_t;
+		type ramfs_t;
 	')
 
-	rw_files_pattern($1, nfsd_fs_t, nfsd_fs_t)
+	allow $1 ramfs_t:filesystem associate;
 ')
 
 ########################################
 ## <summary>
-##	Allow the type to associate to ramfs filesystems.
+##	Allow the type to associate to proc filesystems.
 ## </summary>
 ## <param name="type">
 ##	<summary>
@@ -3291,12 +4783,12 @@ interface(`fs_rw_nfsd_fs',`
 ##	</summary>
 ## </param>
 #
-interface(`fs_associate_ramfs',`
+interface(`fs_associate_proc',`
 	gen_require(`
-		type ramfs_t;
+		type proc_t;
 	')
 
-	allow $1 ramfs_t:filesystem associate;
+	allow $1 proc_t:filesystem associate;
 ')
 
 ########################################
@@ -3392,7 +4884,7 @@ interface(`fs_search_ramfs',`
 
 ########################################
 ## <summary>
-##	Dontaudit Search directories on a ramfs
+##	Do not audit attempts to search directories on a ramfs
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -3429,7 +4921,7 @@ interface(`fs_manage_ramfs_dirs',`
 
 ########################################
 ## <summary>
-##	Dontaudit read on a ramfs files.
+##	Do not audit attempts to read on a ramfs files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -3447,7 +4939,7 @@ interface(`fs_dontaudit_read_ramfs_files',`
 
 ########################################
 ## <summary>
-##	Dontaudit read on a ramfs fifo_files.
+##	Do not audit attempts to read on a ramfs fifo_files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -3777,6 +5269,24 @@ interface(`fs_mount_tmpfs',`
 	allow $1 tmpfs_t:filesystem mount;
 ')
 
+########################################
+## <summary>
+##	Dontaudit remount a tmpfs filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`fs_dontaudit_remount_tmpfs',`
+	gen_require(`
+		type tmpfs_t;
+	')
+
+	dontaudit $1 tmpfs_t:filesystem remount;
+')
+
 ########################################
 ## <summary>
 ##	Remount a tmpfs filesystem.
@@ -3813,6 +5323,24 @@ interface(`fs_unmount_tmpfs',`
 	allow $1 tmpfs_t:filesystem unmount;
 ')
 
+########################################
+## <summary>
+##	Mount on tmpfs directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_mounton_tmpfs', `
+	gen_require(`
+		type tmpfs_t;
+	')
+
+	allow $1 tmpfs_t:dir mounton;
+')
+
 ########################################
 ## <summary>
 ##	Get the attributes of a tmpfs
@@ -3908,7 +5436,7 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',`
 
 ########################################
 ## <summary>
-##	Mount on tmpfs directories.
+##	Set the attributes of tmpfs directories.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -3916,17 +5444,17 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',`
 ##	</summary>
 ## </param>
 #
-interface(`fs_mounton_tmpfs',`
+interface(`fs_setattr_tmpfs_dirs',`
 	gen_require(`
 		type tmpfs_t;
 	')
 
-	allow $1 tmpfs_t:dir mounton;
+	allow $1 tmpfs_t:dir setattr;
 ')
 
 ########################################
 ## <summary>
-##	Set the attributes of tmpfs directories.
+##	Search tmpfs directories.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -3934,17 +5462,17 @@ interface(`fs_mounton_tmpfs',`
 ##	</summary>
 ## </param>
 #
-interface(`fs_setattr_tmpfs_dirs',`
+interface(`fs_search_tmpfs',`
 	gen_require(`
 		type tmpfs_t;
 	')
 
-	allow $1 tmpfs_t:dir setattr;
+	allow $1 tmpfs_t:dir search_dir_perms;
 ')
 
 ########################################
 ## <summary>
-##	Search tmpfs directories.
+##	List the contents of generic tmpfs directories.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -3952,17 +5480,36 @@ interface(`fs_setattr_tmpfs_dirs',`
 ##	</summary>
 ## </param>
 #
-interface(`fs_search_tmpfs',`
+interface(`fs_list_tmpfs',`
 	gen_require(`
 		type tmpfs_t;
 	')
 
-	allow $1 tmpfs_t:dir search_dir_perms;
+	allow $1 tmpfs_t:dir list_dir_perms;
 ')
 
 ########################################
 ## <summary>
-##	List the contents of generic tmpfs directories.
+##	Do not audit attempts to list the
+##	contents of generic tmpfs directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`fs_dontaudit_list_tmpfs',`
+	gen_require(`
+		type tmpfs_t;
+	')
+
+	dontaudit $1 tmpfs_t:dir list_dir_perms;
+')
+
+########################################
+## <summary>
+##	Relabel directory  on tmpfs filesystems.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
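Review bot: The new summary for `fs_relabel_tmpfs_dirs` reads "Relabel directory  on tmpfs filesystems." with a doubled space and a singular noun; the same doubled space is in the next hunk's `fs_relabel_tmpfs_fifo_files` ("Relabel fifo_file  on") and `fs_relabel_tmpfs_files` ("Relabel files  on"). Suggested: `##	Relabel directories on tmpfs filesystems.`, `##	Relabel fifo files on tmpfs filesystems.` and `##	Relabel files on tmpfs filesystems.`.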
@@ -3970,31 +5517,48 @@ interface(`fs_search_tmpfs',`
 ##	</summary>
 ## </param>
 #
-interface(`fs_list_tmpfs',`
+interface(`fs_relabel_tmpfs_dirs',`
 	gen_require(`
 		type tmpfs_t;
 	')
 
-	allow $1 tmpfs_t:dir list_dir_perms;
+	relabel_dirs_pattern($1, tmpfs_t, tmpfs_t)
 ')
 
 ########################################
 ## <summary>
-##	Do not audit attempts to list the
-##	contents of generic tmpfs directories.
+##	Relabel fifo_file  on tmpfs filesystems.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain to not audit.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
-interface(`fs_dontaudit_list_tmpfs',`
+interface(`fs_relabel_tmpfs_fifo_files',`
 	gen_require(`
 		type tmpfs_t;
 	')
 
-	dontaudit $1 tmpfs_t:dir list_dir_perms;
+	relabel_fifo_files_pattern($1, tmpfs_t, tmpfs_t)
+')
+
+########################################
+## <summary>
+##	Relabel files  on tmpfs filesystems.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_relabel_tmpfs_files',`
+	gen_require(`
+		type tmpfs_t;
+	')
+
+	relabel_files_pattern($1, tmpfs_t, tmpfs_t)
 ')
 
 ########################################
@@ -4057,23 +5621,170 @@ interface(`fs_dontaudit_write_tmpfs_dirs',`
 ## </param>
 ## <param name="name" optional="true">
 ##	<summary>
-##	The name of the object being created.
+##	The name of the object being created.
+##	</summary>
+## </param>
+#
+interface(`fs_tmpfs_filetrans',`
+	gen_require(`
+		type tmpfs_t;
+	')
+
+	allow $2 tmpfs_t:filesystem associate;
+	filetrans_pattern($1, tmpfs_t, $2, $3, $4)
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to getattr
+##	generic tmpfs files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`fs_dontaudit_getattr_tmpfs_files',`
+	gen_require(`
+		type tmpfs_t;
+	')
+
+	dontaudit $1 tmpfs_t:file getattr;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to read or write
+##	generic tmpfs files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`fs_dontaudit_rw_tmpfs_files',`
+	gen_require(`
+		type tmpfs_t;
+	')
+
+	dontaudit $1 tmpfs_t:file rw_inherited_file_perms;
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete
+##	auto moutpoints.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_manage_auto_mountpoints',`
+	gen_require(`
+		type autofs_t;
+	')
+
+	allow $1 autofs_t:dir manage_dir_perms;
+')
+
+########################################
+## <summary>
+##	Read generic tmpfs files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_read_tmpfs_files',`
+	gen_require(`
+		type tmpfs_t;
+	')
+
+	read_files_pattern($1, tmpfs_t, tmpfs_t)
+')
+
+########################################
+## <summary>
+##	Read and write generic tmpfs files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_rw_tmpfs_files',`
+	gen_require(`
+		type tmpfs_t;
+	')
+
+	rw_files_pattern($1, tmpfs_t, tmpfs_t)
+')
+
+########################################
+## <summary>
+##	Read and write generic tmpfs files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_rw_inherited_tmpfs_files',`
+	gen_require(`
+		type tmpfs_t;
+	')
+
+	allow $1 tmpfs_t:file { read write };
+')
+
+########################################
+## <summary>
+##	Read tmpfs link files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_read_tmpfs_symlinks',`
+	gen_require(`
+		type tmpfs_t;
+	')
+
+	read_lnk_files_pattern($1, tmpfs_t, tmpfs_t)
+')
+
+########################################
+## <summary>
+##	Read and write character nodes on tmpfs filesystems.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
-interface(`fs_tmpfs_filetrans',`
+interface(`fs_rw_tmpfs_chr_files',`
 	gen_require(`
 		type tmpfs_t;
 	')
 
-	allow $2 tmpfs_t:filesystem associate;
-	filetrans_pattern($1, tmpfs_t, $2, $3, $4)
+	allow $1 tmpfs_t:dir list_dir_perms;
+	rw_chr_files_pattern($1, tmpfs_t, tmpfs_t)
 ')
 
 ########################################
 ## <summary>
-##	Do not audit attempts to getattr
-##	generic tmpfs files.
+##	Do not audit attempts to read and write character nodes on tmpfs filesystems.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
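Review bot: `fs_rw_inherited_tmpfs_files` hand-writes `allow $1 tmpfs_t:file { read write };` while the rest of this change expresses the same intent with the `rw_inherited_file_perms` set (`fs_rw_inherited_nfs_files`, and `fs_dontaudit_rw_tmpfs_files` a few lines above in this hunk), and its summary "Read and write generic tmpfs files." is identical to that of `fs_rw_tmpfs_files`, so the two cannot be told apart in the generated documentation. Suggested: `##	Read and write inherited generic tmpfs files.` and `	allow $1 tmpfs_t:file rw_inherited_file_perms;`, unless the narrower literal set is intentional, in which case the summary should say so.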
@@ -4081,18 +5792,18 @@ interface(`fs_tmpfs_filetrans',`
 ##	</summary>
 ## </param>
 #
-interface(`fs_dontaudit_getattr_tmpfs_files',`
+interface(`fs_dontaudit_use_tmpfs_chr_dev',`
 	gen_require(`
 		type tmpfs_t;
 	')
 
-	dontaudit $1 tmpfs_t:file getattr;
+	dontaudit $1 tmpfs_t:dir list_dir_perms;
+	dontaudit $1 tmpfs_t:chr_file rw_chr_file_perms;
 ')
 
 ########################################
 ## <summary>
-##	Do not audit attempts to read or write
-##	generic tmpfs files.
+##	Do not audit attempts to create character nodes on tmpfs filesystems.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -4100,54 +5811,53 @@ interface(`fs_dontaudit_getattr_tmpfs_files',`
 ##	</summary>
 ## </param>
 #
-interface(`fs_dontaudit_rw_tmpfs_files',`
+interface(`fs_dontaudit_create_tmpfs_chr_dev',`
 	gen_require(`
 		type tmpfs_t;
 	')
 
-	dontaudit $1 tmpfs_t:file rw_file_perms;
+	dontaudit $1 tmpfs_t:chr_file create;
 ')
 
 ########################################
 ## <summary>
-##	Create, read, write, and delete
-##	auto moutpoints.
+##	Do not audit attempts to dontaudit read block nodes on tmpfs filesystems.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed access.
+##	Domain to not audit.
 ##	</summary>
 ## </param>
 #
-interface(`fs_manage_auto_mountpoints',`
+interface(`fs_dontaudit_read_tmpfs_blk_dev',`
 	gen_require(`
-		type autofs_t;
+		type tmpfs_t;
 	')
 
-	allow $1 autofs_t:dir manage_dir_perms;
+	dontaudit $1 tmpfs_t:blk_file read_blk_file_perms;
 ')
 
 ########################################
 ## <summary>
-##	Read generic tmpfs files.
+##	Do not audit attempts to read files on tmpfs filesystems.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed access.
+##	Domain to not audit.
 ##	</summary>
 ## </param>
 #
-interface(`fs_read_tmpfs_files',`
+interface(`fs_dontaudit_read_tmpfs_files',`
 	gen_require(`
 		type tmpfs_t;
 	')
 
-	read_files_pattern($1, tmpfs_t, tmpfs_t)
+	dontaudit $1 tmpfs_t:blk_file read;
 ')
 
 ########################################
 ## <summary>
-##	Read and write generic tmpfs files.
+##	Relabel character nodes on tmpfs filesystems.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
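Review bot: `fs_dontaudit_read_tmpfs_files` is named and documented for files ("Do not audit attempts to read files on tmpfs filesystems") but its rule is `dontaudit $1 tmpfs_t:blk_file read;`, so it has no effect on the `file` class and largely duplicates the `fs_dontaudit_read_tmpfs_blk_dev` added just above it. If files were meant, the rule should be `	dontaudit $1 tmpfs_t:file read_file_perms;`; if block nodes were meant, the interface is redundant and should go. The summary of `fs_dontaudit_read_tmpfs_blk_dev` also doubles up ("Do not audit attempts to dontaudit read block nodes"); use `##	Do not audit attempts to read block nodes on tmpfs filesystems.`.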
@@ -4155,17 +5865,18 @@ interface(`fs_read_tmpfs_files',`
 ##	</summary>
 ## </param>
 #
-interface(`fs_rw_tmpfs_files',`
+interface(`fs_relabel_tmpfs_chr_file',`
 	gen_require(`
 		type tmpfs_t;
 	')
 
-	rw_files_pattern($1, tmpfs_t, tmpfs_t)
+	allow $1 tmpfs_t:dir list_dir_perms;
+	relabel_chr_files_pattern($1, tmpfs_t, tmpfs_t)
 ')
 
 ########################################
 ## <summary>
-##	Read tmpfs link files.
+##	Read and write block nodes on tmpfs filesystems.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -4173,17 +5884,18 @@ interface(`fs_rw_tmpfs_files',`
 ##	</summary>
 ## </param>
 #
-interface(`fs_read_tmpfs_symlinks',`
+interface(`fs_rw_tmpfs_blk_files',`
 	gen_require(`
 		type tmpfs_t;
 	')
 
-	read_lnk_files_pattern($1, tmpfs_t, tmpfs_t)
+	allow $1 tmpfs_t:dir list_dir_perms;
+	rw_blk_files_pattern($1, tmpfs_t, tmpfs_t)
 ')
 
 ########################################
 ## <summary>
-##	Read and write character nodes on tmpfs filesystems.
+##	Relabel block nodes on tmpfs filesystems.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -4191,37 +5903,36 @@ interface(`fs_read_tmpfs_symlinks',`
 ##	</summary>
 ## </param>
 #
-interface(`fs_rw_tmpfs_chr_files',`
+interface(`fs_getattr_tmpfs_blk_file',`
 	gen_require(`
 		type tmpfs_t;
 	')
 
-	allow $1 tmpfs_t:dir list_dir_perms;
-	rw_chr_files_pattern($1, tmpfs_t, tmpfs_t)
+	allow $1 tmpfs_t:blk_file getattr;
 ')
 
 ########################################
 ## <summary>
-##	dontaudit Read and write character nodes on tmpfs filesystems.
+##	Relabel block nodes on tmpfs filesystems.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain to not audit.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
-interface(`fs_dontaudit_use_tmpfs_chr_dev',`
+interface(`fs_relabel_tmpfs_blk_file',`
 	gen_require(`
 		type tmpfs_t;
 	')
 
-	dontaudit $1 tmpfs_t:dir list_dir_perms;
-	dontaudit $1 tmpfs_t:chr_file rw_chr_file_perms;
+	allow $1 tmpfs_t:dir list_dir_perms;
+	relabel_blk_files_pattern($1, tmpfs_t, tmpfs_t)
 ')
 
 ########################################
 ## <summary>
-##	Relabel character nodes on tmpfs filesystems.
+##	Relabel sock nodes on tmpfs filesystems.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
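Review bot: `fs_getattr_tmpfs_blk_file` grants only `blk_file getattr`, but the summary block that precedes it (at the end of the previous hunk) says "Relabel block nodes on tmpfs filesystems.", copied from the relabel interface that follows; it should read `##	Get the attributes of block nodes on tmpfs filesystems.`. Unlike the neighbouring tmpfs block and character interfaces it grants no `dir list_dir_perms`; if that is deliberate for a getattr-only helper, a short sentence in the summary would save callers a denial hunt.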
@@ -4229,18 +5940,18 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
 ##	</summary>
 ## </param>
 #
-interface(`fs_relabel_tmpfs_chr_file',`
+interface(`fs_relabel_tmpfs_sock_file',`
 	gen_require(`
 		type tmpfs_t;
 	')
 
 	allow $1 tmpfs_t:dir list_dir_perms;
-	relabel_chr_files_pattern($1, tmpfs_t, tmpfs_t)
+	relabel_sock_files_pattern($1, tmpfs_t, tmpfs_t)
 ')
 
 ########################################
 ## <summary>
-##	Read and write block nodes on tmpfs filesystems.
+##	Delete generic files in tmpfs directory.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -4248,18 +5959,19 @@ interface(`fs_relabel_tmpfs_chr_file',`
 ##	</summary>
 ## </param>
 #
-interface(`fs_rw_tmpfs_blk_files',`
+interface(`fs_delete_tmpfs_files',`
 	gen_require(`
 		type tmpfs_t;
 	')
 
-	allow $1 tmpfs_t:dir list_dir_perms;
-	rw_blk_files_pattern($1, tmpfs_t, tmpfs_t)
+	allow $1 tmpfs_t:dir del_entry_dir_perms;
+	allow $1 tmpfs_t:file_class_set delete_file_perms;
 ')
 
 ########################################
 ## <summary>
-##	Relabel block nodes on tmpfs filesystems.
+##	Read and write, create and delete generic
+##	files on tmpfs filesystems.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
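Review bot: `fs_delete_tmpfs_files` allows `delete_file_perms` on `file_class_set`, which spans every non-directory file class rather than just `file`, so the interface also permits unlinking sockets, fifos and device nodes on tmpfs while its summary says "Delete generic files in tmpfs directory". Either narrow the rule to `	allow $1 tmpfs_t:file delete_file_perms;` or widen the summary to `##	Delete generic files, sockets, fifos and device nodes in tmpfs directories.` so the scope is visible to callers.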
@@ -4267,32 +5979,31 @@ interface(`fs_rw_tmpfs_blk_files',`
 ##	</summary>
 ## </param>
 #
-interface(`fs_relabel_tmpfs_blk_file',`
+interface(`fs_manage_tmpfs_files',`
 	gen_require(`
 		type tmpfs_t;
 	')
 
-	allow $1 tmpfs_t:dir list_dir_perms;
-	relabel_blk_files_pattern($1, tmpfs_t, tmpfs_t)
+	manage_files_pattern($1, tmpfs_t, tmpfs_t)
 ')
 
 ########################################
 ## <summary>
-##	Read and write, create and delete generic
-##	files on tmpfs filesystems.
+##	Execute files on a tmpfs filesystem.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
-interface(`fs_manage_tmpfs_files',`
+interface(`fs_exec_tmpfs_files',`
 	gen_require(`
 		type tmpfs_t;
 	')
 
-	manage_files_pattern($1, tmpfs_t, tmpfs_t)
+	exec_files_pattern($1, tmpfs_t, tmpfs_t)
 ')
 
 ########################################
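Review bot: `fs_exec_tmpfs_files` is tagged `<rolecap/>` and grants execution of generic tmpfs_t files, while this same module hands out write access to the same type (`fs_rw_tmpfs_files`, `fs_manage_tmpfs_files`); a domain holding both can execute content it wrote itself. The summary should state that trade-off so policy authors do not pair the two casually, e.g. `##	Execute files on a tmpfs filesystem. Combined with write access to tmpfs_t this lets the domain run content it created.`.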
@@ -4407,6 +6118,25 @@ interface(`fs_search_xenfs',`
 	allow $1 xenfs_t:dir search_dir_perms;
 ')
 
+
+########################################
+## <summary>
+##	Read files on a XENFS filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_read_xenfs_files',`
+	gen_require(`
+		type xenfs_t;
+	')
+
+	allow $1 xenfs_t:file read_file_perms;
+')
+
 ########################################
 ## <summary>
 ##	Create, read, write, and delete directories
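Review bot: `fs_read_xenfs_files` grants `file read_file_perms` directly with no directory search, whereas the other read interfaces in this change use `read_files_pattern` (`fs_read_nfsd_files`, `fs_read_tmpfs_files`), which also grants the search permission needed to reach the file; a caller that already has `fs_search_xenfs` works, any other caller gets a dir denial. Prefer `	read_files_pattern($1, xenfs_t, xenfs_t)`. There is also a doubled blank line before the new comment block.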
@@ -4503,6 +6233,8 @@ interface(`fs_mount_all_fs',`
 	')
 
 	allow $1 filesystem_type:filesystem mount;
+# Mount checks write access on the dir
+	allow $1 filesystem_type:dir write;
 ')
 
 ########################################
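Review bot: The new `allow $1 filesystem_type:dir write;` in `fs_mount_all_fs` gives every domain that can mount the right to add and remove directory entries on every filesystem type, which is far wider than mounting; the mountpoint check this file models elsewhere is `dir mounton` (`fs_mounton_nfs`, `fs_mounton_tmpfs`, `fs_mounton_nfsd_fs`). The comment "Mount checks write access on the dir" is the only justification and it is not obviously true for an ordinary mount; if a particular mount path does need write, name it in the comment, otherwise use `	allow $1 filesystem_type:dir mounton;`. The comment also sits at column 0 inside the interface body; indent it with a tab like the rules. The body of `fs_mount_all_fs` starts outside the hunk.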
@@ -4549,7 +6281,7 @@ interface(`fs_unmount_all_fs',`
 ## <desc>
 ##	<p>
 ##	Allow the specified domain to
-##	et the attributes of all filesystems.
+##	get the attributes of all filesystems.
 ##	Example attributes:
 ##	</p>
 ##	<ul>
@@ -4594,6 +6326,26 @@ interface(`fs_dontaudit_getattr_all_fs',`
 	dontaudit $1 filesystem_type:filesystem getattr;
 ')
 
+########################################
+## <summary>
+##	Do not audit attempts to check the 
+##	access on all filesystems.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`fs_dontaudit_all_access_check',`
+	gen_require(`
+		attribute filesystem_type;
+	')
+
+	dontaudit $1 filesystem_type:dir_file_class_set audit_access;
+')
+
+
 ########################################
 ## <summary>
 ##	Get the quotas of all filesystems.
@@ -4669,6 +6421,25 @@ interface(`fs_getattr_all_dirs',`
 	allow $1 filesystem_type:dir getattr;
 ')
 
+########################################
+## <summary>
+##	Dontaudit Get the attributes of all directories
+##	with a filesystem type.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_dontaudit_getattr_all_dirs',`
+	gen_require(`
+		attribute filesystem_type;
+	')
+
+	dontaudit $1 filesystem_type:dir getattr;
+')
+
 ########################################
 ## <summary>
 ##	Search all directories with a filesystem type.
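Review bot: The parameter description of fs_dontaudit_getattr_all_dirs reads `##	Domain allowed access.` although the interface emits only a dontaudit rule; the other dontaudit interfaces in this diff (for example fs_dontaudit_all_access_check) describe the parameter as `##	Domain to not audit.`. The summary `##	Dontaudit Get the attributes of all directories` also reads awkwardly and would be clearer as `##	Do not audit attempts to get the attributes of all directories`.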
@@ -4912,3 +6683,176 @@ interface(`fs_unconfined',`
 
 	typeattribute $1 filesystem_unconfined_type;
 ')
+
+########################################
+## <summary>
+##	Do not audit attempts to read or write
+##	all leaked filesystems files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`fs_dontaudit_leaks',`
+	gen_require(`
+		attribute filesystem_type;
+	')
+
+	dontaudit $1 filesystem_type:file rw_inherited_file_perms;
+	dontaudit $1 filesystem_type:lnk_file { read };
+')
+
+
+########################################
+## <summary>
+##	Transition named content in tmpfs_t directory
+## </summary>
+## <param name="domain">
+##	<summary>
+##      Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_tmpfs_filetrans_named_content',`
+	gen_require(`
+		type cgroup_t;
+		type devlog_t;
+	')
+
+	fs_tmpfs_filetrans($1, cgroup_t, lnk_file, "cpu")
+	fs_tmpfs_filetrans($1, cgroup_t, lnk_file, "cpuacct")
+	fs_tmpfs_filetrans($1, devlog_t, lnk_file, "log")
+')
+
+#######################################
+## <summary>
+##      Read files in efivarfs
+##      - contains Linux Kernel configuration options for UEFI systems
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+## <rolecap/>
+#
+interface(`fs_read_efivarfs_files',`
+        gen_require(`
+                type efivarfs_t;
+        ')
+
+        read_files_pattern($1, efivarfs_t, efivarfs_t)
+')
+
+########################################
+## <summary>
+##	Read and write sockets of ONLOAD file system pipes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_rw_onload_sockets',`
+	gen_require(`
+		type onload_fs_t;
+	')
+
+	rw_sock_files_pattern($1, onload_fs_t, onload_fs_t)
+    allow $1 onload_fs_t:sock_file ioctl;
+')
+
+########################################
+## <summary>
+##	Read and write tracefs_t files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_rw_tracefs_files',`
+	gen_require(`
+		type tracefs_t;
+	')
+
+	rw_files_pattern($1, tracefs_t, tracefs_t)
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete dirs
+##	labeled as tracefs_t.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`fs_manage_tracefs_dirs',`
+	gen_require(`
+		type tracefs_t;
+	')
+
+	manage_dirs_pattern($1, tracefs_t, tracefs_t)
+')
+
+########################################
+## <summary>
+##	Mount tracefs filesystems.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_mount_tracefs', `
+	gen_require(`
+		type tracefs_t;
+	')
+
+	allow $1 tracefs_t:filesystem mount;
+')
+
+########################################
+## <summary>
+##	Remount tracefs filesystems.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_remount_tracefs', `
+	gen_require(`
+		type tracefs_t;
+	')
+
+	allow $1 tracefs_t:filesystem remount;
+')
+
+########################################
+## <summary>
+##	Unmount tracefs filesystems.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_unmount_tracefs', `
+	gen_require(`
+		type tracefs_t;
+	')
+
+	allow $1 tracefs_t:filesystem unmount;
+')
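Review bot: The summary of fs_read_efivarfs_files describes efivarfs as containing "Linux Kernel configuration options for UEFI systems", which misdescribes it — efivarfs exposes UEFI firmware variables, so `##	Read files in efivarfs (UEFI firmware variables).` would be accurate. Indentation is inconsistent across the new interfaces: fs_read_efivarfs_files is space-indented, fs_rw_onload_sockets mixes a tab on the rw_sock_files_pattern line with four spaces on the following `allow`, and fs_dontaudit_leaks writes a single permission as `{ read }`. fs_tmpfs_filetrans_named_content requires devlog_t, which refpolicy declares in the logging module of the system layer; if that is still where it lives here, this kernel-layer interface now depends on a higher layer and deserves a comment saying so. The three tracefs mount/remount/unmount interfaces also put a space between the name and the opening quote (`fs_mount_tracefs', `), unlike every other interface in the file.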
diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
index e7d173844..b10afaff0 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -26,14 +26,20 @@ fs_use_xattr ext2 gen_context(system_u:object_r:fs_t,s0);
 fs_use_xattr ext3 gen_context(system_u:object_r:fs_t,s0);
 fs_use_xattr ext4 gen_context(system_u:object_r:fs_t,s0);
 fs_use_xattr ext4dev gen_context(system_u:object_r:fs_t,s0);
+fs_use_xattr f2fs gen_context(system_u:object_r:fs_t,s0);
 fs_use_xattr gfs gen_context(system_u:object_r:fs_t,s0);
 fs_use_xattr gfs2 gen_context(system_u:object_r:fs_t,s0);
 fs_use_xattr gpfs gen_context(system_u:object_r:fs_t,s0);
 fs_use_xattr jffs2 gen_context(system_u:object_r:fs_t,s0);
 fs_use_xattr jfs gen_context(system_u:object_r:fs_t,s0);
 fs_use_xattr lustre gen_context(system_u:object_r:fs_t,s0);
+fs_use_xattr ocfs2 gen_context(system_u:object_r:fs_t,s0);
+fs_use_xattr overlay gen_context(system_u:object_r:fs_t,s0);
 fs_use_xattr xfs gen_context(system_u:object_r:fs_t,s0);
+fs_use_xattr squashfs gen_context(system_u:object_r:fs_t,s0);
 fs_use_xattr zfs gen_context(system_u:object_r:fs_t,s0);
+fs_use_xattr fuse.glusterfs gen_context(system_u:object_r:fs_t,s0);
+fs_use_xattr shiftfs gen_context(system_u:object_r:fs_t,s0);
 
 # Use the allocating task SID to label inodes in the following filesystem
 # types, and label the filesystem itself with the specified context.
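Review bot: The new fs_use_xattr entries break the alphabetical order the surrounding list keeps — `squashfs` is inserted after `xfs`, and `fuse.glusterfs` and `shiftfs` after `zfs`. Moving them into order keeps later additions easy to spot and makes duplicate entries obvious.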
@@ -43,6 +49,7 @@ fs_use_xattr zfs gen_context(system_u:object_r:fs_t,s0);
 fs_use_task eventpollfs gen_context(system_u:object_r:fs_t,s0);
 fs_use_task pipefs gen_context(system_u:object_r:fs_t,s0);
 fs_use_task sockfs gen_context(system_u:object_r:fs_t,s0);
+fs_use_task nsfs gen_context(system_u:object_r:fs_t,s0);
 
 ##############################
 #
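Review bot: `fs_use_task nsfs gen_context(system_u:object_r:fs_t,s0);` conflicts with the `genfscon nsfs / gen_context(system_u:object_r:nsfs_t,s0)` statement added in the hunk at L22323–L22347. As I read the kernel's labeling lookup, fs_use_* rules are matched before genfscon entries for a filesystem name, so with both present nsfs inodes would be labeled from the creating task's SID and the superblock as fs_t, leaving nsfs_t and any rules written against it unused. One of the two should go: keep the genfscon line if a dedicated nsfs_t type is the intent, or drop nsfs_t if task-based labeling is what is wanted.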
@@ -53,6 +60,7 @@ type anon_inodefs_t;
 fs_type(anon_inodefs_t)
 files_mountpoint(anon_inodefs_t)
 genfscon anon_inodefs / gen_context(system_u:object_r:anon_inodefs_t,s0)
+mls_trusted_object(anon_inodefs_t)
 
 type bdev_t;
 fs_type(bdev_t)
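Review bot: `mls_trusted_object(anon_inodefs_t)` exempts this type from MLS constraints without any comment saying why, and the same applies to the `mls_trusted_object(tmpfs_t)` added at L22384. A one-line comment naming the cross-level use case that required the exemption would let an MLS reviewer judge later whether the blanket exemption is still needed.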
@@ -63,16 +71,28 @@ fs_type(binfmt_misc_fs_t)
 files_mountpoint(binfmt_misc_fs_t)
 genfscon binfmt_misc / gen_context(system_u:object_r:binfmt_misc_fs_t,s0)
 
+type oracleasmfs_t;
+fs_type(oracleasmfs_t)
+dev_node(oracleasmfs_t)
+files_mountpoint(oracleasmfs_t)
+genfscon oracleasmfs / gen_context(system_u:object_r:oracleasmfs_t,s0)
+
 type capifs_t;
 fs_type(capifs_t)
 files_mountpoint(capifs_t)
 genfscon capifs / gen_context(system_u:object_r:capifs_t,s0)
 
-type cgroup_t;
+type cephfs_t;
+fs_type(cephfs_t)
+files_mountpoint(cephfs_t)
+genfscon ceph / gen_context(system_u:object_r:cephfs_t,s0)
+
+type cgroup_t alias cgroupfs_t;
 fs_type(cgroup_t)
 files_mountpoint(cgroup_t)
 dev_associate_sysfs(cgroup_t)
 genfscon cgroup / gen_context(system_u:object_r:cgroup_t,s0)
+genfscon cgroup2 / gen_context(system_u:object_r:cgroup_t,s0)
 
 type configfs_t;
 fs_type(configfs_t)
@@ -88,6 +108,11 @@ fs_noxattr_type(ecryptfs_t)
 files_mountpoint(ecryptfs_t)
 genfscon ecryptfs / gen_context(system_u:object_r:ecryptfs_t,s0)
 
+type efivarfs_t;
+fs_noxattr_type(efivarfs_t)
+files_mountpoint(efivarfs_t)
+genfscon efivarfs / gen_context(system_u:object_r:efivarfs_t,s0)
+
 type futexfs_t;
 fs_type(futexfs_t)
 genfscon futexfs / gen_context(system_u:object_r:futexfs_t,s0)
@@ -96,6 +121,7 @@ type hugetlbfs_t;
 fs_type(hugetlbfs_t)
 files_mountpoint(hugetlbfs_t)
 fs_use_trans hugetlbfs gen_context(system_u:object_r:hugetlbfs_t,s0);
+dev_associate(hugetlbfs_t)
 
 type ibmasmfs_t;
 fs_type(ibmasmfs_t)
@@ -111,6 +137,12 @@ type inotifyfs_t;
 fs_type(inotifyfs_t)
 genfscon inotifyfs / gen_context(system_u:object_r:inotifyfs_t,s0)
 
+type kdbusfs_t;
+fs_type(kdbusfs_t)
+files_mountpoint(kdbusfs_t)
+dev_associate_sysfs(kdbusfs_t)
+genfscon kdbusfs / gen_context(system_u:object_r:kdbusfs_t,s0)
+
 type mvfs_t;
 fs_noxattr_type(mvfs_t)
 allow mvfs_t self:filesystem associate;
@@ -118,13 +150,23 @@ genfscon mvfs / gen_context(system_u:object_r:mvfs_t,s0)
 
 type nfsd_fs_t;
 fs_type(nfsd_fs_t)
+files_mountpoint(nfsd_fs_t)
 genfscon nfsd / gen_context(system_u:object_r:nfsd_fs_t,s0)
 
+type nsfs_t;
+fs_type(nsfs_t)
+genfscon nsfs / gen_context(system_u:object_r:nsfs_t,s0)
+
+type onload_fs_t;
+fs_type(onload_fs_t)
+files_mountpoint(onload_fs_t)
+genfscon onloadfs / gen_context(system_u:object_r:onload_fs_t,s0)
+
 type oprofilefs_t;
 fs_type(oprofilefs_t)
 genfscon oprofilefs / gen_context(system_u:object_r:oprofilefs_t,s0)
 
-type pstore_t;
+type pstore_t alias pstorefs_t;
 fs_type(pstore_t)
 files_mountpoint(pstore_t)
 dev_associate_sysfs(pstore_t)
@@ -150,17 +192,16 @@ fs_type(spufs_t)
 genfscon spufs / gen_context(system_u:object_r:spufs_t,s0)
 files_mountpoint(spufs_t)
 
-type squash_t;
-fs_type(squash_t)
-genfscon squash / gen_context(system_u:object_r:squash_t,s0)
-files_mountpoint(squash_t)
-
 type sysv_t;
 fs_noxattr_type(sysv_t)
 files_mountpoint(sysv_t)
 genfscon sysv / gen_context(system_u:object_r:sysv_t,s0)
 genfscon v7 / gen_context(system_u:object_r:sysv_t,s0)
 
+type tracefs_t;
+fs_type(tracefs_t)
+genfscon tracefs / gen_context(system_u:object_r:tracefs_t,s0)
+
 type vmblock_t;
 fs_noxattr_type(vmblock_t)
 files_mountpoint(vmblock_t)
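Review bot: `type squash_t` is removed outright while other renames in this diff keep compatibility via `alias` (cgroup_t alias cgroupfs_t, pstore_t alias pstorefs_t); any interface or module that still references squash_t will fail to build. If squashfs is now meant to be covered by the new `fs_use_xattr squashfs` entry mapping to fs_t, consider `typealias fs_t alias squash_t;` for a transition period, or confirm that no references remain in filesystem.if and the contrib modules.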
@@ -172,6 +213,8 @@ type vxfs_t;
 fs_noxattr_type(vxfs_t)
 files_mountpoint(vxfs_t)
 genfscon vxfs / gen_context(system_u:object_r:vxfs_t,s0)
+genfscon odmfs / gen_context(system_u:object_r:vxfs_t,s0)
+genfscon vxclonefs / gen_context(system_u:object_r:vxfs_t,s0)
 
 #
 # tmpfs_t is the type for tmpfs filesystems
@@ -182,6 +225,8 @@ fs_type(tmpfs_t)
 files_type(tmpfs_t)
 files_mountpoint(tmpfs_t)
 files_poly_parent(tmpfs_t)
+dev_associate(tmpfs_t)
+mls_trusted_object(tmpfs_t)
 
 # Use a transition SID based on the allocating task SID and the
 # filesystem SID to label inodes in the following filesystem types,
@@ -261,6 +306,8 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0)
 type removable_t;
 allow removable_t noxattrfs:filesystem associate;
 fs_noxattr_type(removable_t)
+files_type(removable_t)
+dev_node(removable_t)
 files_mountpoint(removable_t)
 
 #
@@ -280,6 +327,7 @@ genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0)
 genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0)
 genfscon panfs / gen_context(system_u:object_r:nfs_t,s0)
 genfscon gadgetfs / gen_context(system_u:object_r:nfs_t,s0)
+genfscon 9p / gen_context(system_u:object_r:nfs_t,s0)
 
 ########################################
 #
@@ -301,9 +349,10 @@ fs_associate_noxattr(noxattrfs)
 # Unconfined access to this module
 #
 
-allow filesystem_unconfined_type filesystem_type:filesystem *;
+allow filesystem_unconfined_type filesystem_type:filesystem all_filesystem_perms;
 
 # Create/access other files. fs_type is to pick up various
 # pseudo filesystem types that are applied to both the filesystem
 # and its files.
-allow filesystem_unconfined_type filesystem_type:{ dir file lnk_file sock_file fifo_file chr_file blk_file } *;
+allow filesystem_unconfined_type filesystem_type:{ file } ~entrypoint;
+allow filesystem_unconfined_type filesystem_type:{ dir lnk_file sock_file fifo_file chr_file blk_file } *;
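Review bot: `allow filesystem_unconfined_type filesystem_type:{ file } ~entrypoint;` deliberately withholds entrypoint from otherwise unconfined filesystem access, but nothing in the comment block above says so, and that comment still reads as a plain "create/access other files" grant. Since this is the one place where unconfined access is narrowed, a comment such as `# entrypoint is withheld: files on arbitrary filesystems must not become domain entry points even for filesystem_unconfined_type` records the intent so a later cleanup does not fold it back into `*`.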
diff --git a/policy/modules/kernel/kernel.fc b/policy/modules/kernel/kernel.fc
index 7be4ddf74..9710b3336 100644
--- a/policy/modules/kernel/kernel.fc
+++ b/policy/modules/kernel/kernel.fc
@@ -1 +1,5 @@
-# This module currently does not have any file contexts.
+
+/sys/class/net/ib.* 	  --	gen_context(system_u:object_r:sysctl_net_t,s0)
+/sys/kernel/uevent_helper --	gen_context(system_u:object_r:usermodehelper_t,s0)
+/sys/kernel/debug -d	gen_context(system_u:object_r:debugfs_t,s0)
+/sys/kernel/debug/.*	<<none>>
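Review bot: The removed header comment is replaced by an empty first line (L22424), and the new entries separate their fields with an inconsistent mix of tabs and spaces; the specs should start on line 1 and use one tab between fields like the other .fc files. Since sysfs inodes take their initial label from genfscon, these file_contexts entries presumably only take effect when something relabels /sys (e.g. restorecon); a short comment stating that expectation would help the next reader.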
diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
index e100d886b..5113b226d 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -124,6 +124,24 @@ interface(`kernel_setsched',`
 	allow $1 kernel_t:process setsched;
 ')
 
+########################################
+## <summary>
+##	Dontaudit attempts to set the priority of kernel threads.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`kernel_dontaudit_setsched',`
+	gen_require(`
+		type kernel_t;
+	')
+
+	dontaudit $1 kernel_t:process setsched;
+')
+
 ########################################
 ## <summary>
 ##	Send a SIGCHLD signal to kernel threads.
@@ -178,6 +196,24 @@ interface(`kernel_signal',`
 	allow $1 kernel_t:process signal;
 ')
 
+########################################
+## <summary>
+##	Send signull to kernel threads.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_signull',`
+	gen_require(`
+		type kernel_t;
+	')
+
+	allow $1 kernel_t:process signull;
+')
+
 ########################################
 ## <summary>
 ##	Allows the kernel to share state information with
@@ -268,7 +304,7 @@ interface(`kernel_stream_connect',`
 		type kernel_t;
 	')
 
-	allow $1 kernel_t:unix_stream_socket connectto;
+	allow $1 kernel_t:unix_stream_socket { getattr connectto };
 ')
 
 ########################################
@@ -286,7 +322,7 @@ interface(`kernel_rw_unix_dgram_sockets',`
 		type kernel_t;
 	')
 
-	allow $1 kernel_t:unix_dgram_socket { read write ioctl };
+	allow $1 kernel_t:unix_dgram_socket { getattr read write ioctl };
 ')
 
 ########################################
@@ -439,6 +475,41 @@ interface(`kernel_dontaudit_link_key',`
 	dontaudit $1 kernel_t:key link;
 ')
 
+########################################
+## <summary>
+##	Allow view the kernel key ring.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_view_key',`
+	gen_require(`
+		type kernel_t;
+	')
+
+	allow $1 kernel_t:key view;
+')
+
+########################################
+## <summary>
+##	dontaudit view the kernel key ring.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`kernel_dontaudit_view_key',`
+	gen_require(`
+		type kernel_t;
+	')
+
+	dontaudit $1 kernel_t:key view;
+')
 ########################################
 ## <summary>
 ##	Allows caller to read the ring buffer.
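Review bot: No blank line separates kernel_dontaudit_view_key's closing `')` from the banner of the next interface, unlike every other interface in the file; the same happens after kernel_raw_recvfrom_unlabeled at L23211–L23212. The summaries `##	Allow view the kernel key ring.` and `##	dontaudit view the kernel key ring.` would read better as `##	View the kernel key ring.` and `##	Do not audit attempts to view the kernel key ring.`.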
@@ -762,8 +833,8 @@ interface(`kernel_manage_debugfs',`
 	')
 
 	manage_files_pattern($1, debugfs_t, debugfs_t)
+    manage_dirs_pattern($1,debugfs_t, debugfs_t)
 	read_lnk_files_pattern($1, debugfs_t, debugfs_t)
-	list_dirs_pattern($1, debugfs_t, debugfs_t)
 ')
 
 ########################################
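Review bot: The added `    manage_dirs_pattern($1,debugfs_t, debugfs_t)` is indented with four spaces and omits the space after the first argument, while the neighbouring lines use a tab and `$1, `; it should be `	manage_dirs_pattern($1, debugfs_t, debugfs_t)`. Replacing list_dirs_pattern with manage_dirs_pattern also widens kernel_manage_debugfs from listing to creating and deleting debugfs directories, so the interface summary (above this hunk) should mention directories if it does not already.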
@@ -784,6 +855,24 @@ interface(`kernel_mount_kvmfs',`
 	allow $1 kvmfs_t:filesystem mount;
 ')
 
+########################################
+## <summary>
+##	Mount the proc filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_mount_proc',`
+	gen_require(`
+		type proc_t;
+	')
+
+	allow $1 proc_t:filesystem mount;
+')
+
 ########################################
 ## <summary>
 ##	Unmount the proc filesystem.
@@ -802,6 +891,24 @@ interface(`kernel_unmount_proc',`
 	allow $1 proc_t:filesystem unmount;
 ')
 
+########################################
+## <summary>
+##	Mounton a proc filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_mounton_proc',`
+	gen_require(`
+		type proc_t;
+	')
+
+	allow $1 proc_t:dir mounton;
+')
+
 ########################################
 ## <summary>
 ##	Get the attributes of the proc filesystem.
@@ -839,6 +946,25 @@ interface(`kernel_dontaudit_setattr_proc_dirs',`
 	dontaudit $1 proc_t:dir setattr;
 ')
 
+########################################
+## <summary>
+##	Do not audit attempts to set the
+##	attributes of files in /proc.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`kernel_dontaudit_setattr_proc_files',`
+	gen_require(`
+		type proc_t;
+	')
+
+	dontaudit $1 proc_t:file setattr;
+')
+
 ########################################
 ## <summary>
 ##	Search directories in /proc.
@@ -991,13 +1117,10 @@ interface(`kernel_read_proc_symlinks',`
 #
 interface(`kernel_read_system_state',`
 	gen_require(`
-		type proc_t;
+		attribute kernel_system_state_reader;
 	')
 
-	read_files_pattern($1, proc_t, proc_t)
-	read_lnk_files_pattern($1, proc_t, proc_t)
-
-	list_dirs_pattern($1, proc_t, proc_t)
+	typeattribute $1 kernel_system_state_reader;
 ')
 
 ########################################
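Review bot: Switching kernel_read_system_state to `typeattribute $1 kernel_system_state_reader;` changes how callers may use it: typeattribute is not permitted inside a conditional block, so any module that calls this interface within `tunable_policy` or an `if (bool)` block will no longer compile, whereas the previous read/list patterns were conditional-safe. The attribute itself must be declared in kernel.te and carry the proc_t read, lnk_file and list rules removed here; that part is not in this chunk, so please confirm it. A comment above the typeattribute noting the conditional restriction would save callers a confusing build error.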
@@ -1023,6 +1146,44 @@ interface(`kernel_write_proc_files',`
 	write_files_pattern($1, proc_t, proc_t)
 ')
 
+########################################
+## <summary>
+##	Do not audit attempts to write the
+##	file in /proc.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`kernel_dontaudit_write_proc_files',`
+	gen_require(`
+		type proc_t;
+	')
+
+	dontaudit $1 proc_t:file write;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to check the 
+##	access on generic proc entries.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`kernel_dontaudit_access_check_proc',`
+	gen_require(`
+		type proc_t;
+	')
+
+	dontaudit $1 proc_t:dir_file_class_set audit_access;
+')
+
 ########################################
 ## <summary>
 ##	Do not audit attempts by caller to
@@ -1206,6 +1367,24 @@ interface(`kernel_read_messages',`
 	typeattribute $1 can_receive_kernel_messages;
 ')
 
+########################################
+## <summary>
+##	Allow caller to mounton the kernel messages file
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_mounton_messages',`
+	gen_require(`
+		type proc_kmsg_t;
+	')
+
+	allow $1 proc_kmsg_t:file mounton;
+')
+
 ########################################
 ## <summary>
 ##	Allow caller to get the attributes of kernel message
@@ -1456,6 +1635,25 @@ interface(`kernel_list_all_proc',`
 	allow $1 proc_type:file getattr;
 ')
 
+########################################
+## <summary>
+##	Allow attempts to mounton all proc directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_mounton_all_proc',`
+	gen_require(`
+		attribute proc_type;
+	')
+
+	allow $1 proc_type:dir mounton;
+	allow $1 proc_type:file mounton;
+')
+
 ########################################
 ## <summary>
 ##	Do not audit attempts to list all proc directories.
@@ -1475,6 +1673,28 @@ interface(`kernel_dontaudit_list_all_proc',`
 	dontaudit $1 proc_type:file getattr;
 ')
 
+########################################
+## <summary>
+##	Allow attempts to read all proc types.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_read_all_proc',`
+	gen_require(`
+		attribute proc_type;
+        attribute can_dump_kernel;
+        attribute can_receive_kernel_messages;
+	')
+
+	read_files_pattern($1, proc_type, proc_type)
+    typeattribute $1 can_dump_kernel;
+    typeattribute $1 can_receive_kernel_messages;
+')
+
 ########################################
 ## <summary>
 ##	Do not audit attempts by caller to search
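Review bot: The summary `##	Allow attempts to read all proc types.` undersells kernel_read_all_proc, whose body also adds the caller to can_dump_kernel and can_receive_kernel_messages; those attributes grant more than reading proc_type files, so the summary should name them, e.g. `##	Read all proc types; also grants the can_dump_kernel and can_receive_kernel_messages attributes.`. The two attribute lines in gen_require and the two typeattribute lines are space-indented where the rest of the interface uses tabs. As with kernel_read_system_state, the typeattribute statements make this interface unusable inside conditional blocks.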
@@ -1672,7 +1892,7 @@ interface(`kernel_read_net_sysctls',`
 	')
 
 	read_files_pattern($1, { proc_t sysctl_t sysctl_net_t }, sysctl_net_t)
-
+	read_lnk_files_pattern($1, { proc_t sysctl_t sysctl_net_t }, sysctl_net_t)
 	list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_net_t)
 ')
 
@@ -1693,7 +1913,7 @@ interface(`kernel_rw_net_sysctls',`
 	')
 
 	rw_files_pattern($1, { proc_t sysctl_t sysctl_net_t }, sysctl_net_t)
-
+	read_lnk_files_pattern($1, { proc_t sysctl_t sysctl_net_t }, sysctl_net_t)
 	list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_net_t)
 ')
 
@@ -1715,7 +1935,6 @@ interface(`kernel_read_unix_sysctls',`
 	')
 
 	read_files_pattern($1, { proc_t sysctl_t sysctl_net_t }, sysctl_net_unix_t)
-
 	list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_net_t)
 ')
 
@@ -1750,16 +1969,9 @@ interface(`kernel_rw_unix_sysctls',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <rolecap/>
 #
 interface(`kernel_read_hotplug_sysctls',`
-	gen_require(`
-		type proc_t, sysctl_t, sysctl_kernel_t, sysctl_hotplug_t;
-	')
-
-	read_files_pattern($1, { proc_t sysctl_t sysctl_kernel_t }, sysctl_hotplug_t)
-
-	list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_kernel_t)
+    refpolicywarn(`$0($*) has been deprecated.')
 ')
 
 ########################################
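Review bot: The deprecation message in kernel_read_hotplug_sysctls names no replacement, and the doc block above it (partly outside this hunk) still describes a working interface; the same applies to kernel_rw_hotplug_sysctls, kernel_read_modprobe_sysctls and kernel_rw_modprobe_sysctls in the following three hunks. The refpolicy convention is a message of the form `$0($*) has been deprecated, please use <replacement interface — TODO> instead.` together with a matching note in the summary. The refpolicywarn lines are also space-indented where the file uses tabs.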
@@ -1771,16 +1983,9 @@ interface(`kernel_read_hotplug_sysctls',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <rolecap/>
 #
 interface(`kernel_rw_hotplug_sysctls',`
-	gen_require(`
-		type proc_t, sysctl_t, sysctl_kernel_t, sysctl_hotplug_t;
-	')
-
-	rw_files_pattern($1, { proc_t sysctl_t sysctl_kernel_t }, sysctl_hotplug_t)
-
-	list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_kernel_t)
+    refpolicywarn(`$0($*) has been deprecated.')
 ')
 
 ########################################
@@ -1792,16 +1997,9 @@ interface(`kernel_rw_hotplug_sysctls',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <rolecap/>
 #
 interface(`kernel_read_modprobe_sysctls',`
-	gen_require(`
-		type proc_t, sysctl_t, sysctl_kernel_t, sysctl_modprobe_t;
-	')
-
-	read_files_pattern($1, { proc_t sysctl_t sysctl_kernel_t }, sysctl_modprobe_t)
-
-	list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_kernel_t)
+    refpolicywarn(`$0($*) has been deprecated.')
 ')
 
 ########################################
@@ -1813,16 +2011,9 @@ interface(`kernel_read_modprobe_sysctls',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <rolecap/>
 #
 interface(`kernel_rw_modprobe_sysctls',`
-	gen_require(`
-		type proc_t, sysctl_t, sysctl_kernel_t, sysctl_modprobe_t;
-	')
-
-	rw_files_pattern($1, { proc_t sysctl_t sysctl_kernel_t }, sysctl_modprobe_t)
-
-	list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_kernel_t)
+    refpolicywarn(`$0($*) has been deprecated.')
 ')
 
 ########################################
@@ -2048,9 +2239,10 @@ interface(`kernel_read_rpc_sysctls',`
 	list_dirs_pattern($1, { proc_t proc_net_t }, sysctl_rpc_t)
 ')
 
+
 ########################################
 ## <summary>
-##	Read and write RPC sysctls.
+##	Read RPC sysctls.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -2059,38 +2251,38 @@ interface(`kernel_read_rpc_sysctls',`
 ## </param>
 ## <rolecap/>
 #
-interface(`kernel_rw_rpc_sysctls',`
+interface(`kernel_rw_rpc_sysctls_dirs',`
 	gen_require(`
 		type proc_t, proc_net_t, sysctl_rpc_t;
 	')
 
-	rw_files_pattern($1, { proc_t proc_net_t sysctl_rpc_t }, sysctl_rpc_t)
-
-	list_dirs_pattern($1, { proc_t proc_net_t }, sysctl_rpc_t)
+	rw_dirs_pattern($1, { proc_t proc_net_t }, sysctl_rpc_t)
 ')
 
 ########################################
 ## <summary>
-##	Do not audit attempts to list all sysctl directories.
+##	Read and write RPC sysctls.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain to not audit.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
-interface(`kernel_dontaudit_list_all_sysctls',`
+interface(`kernel_rw_rpc_sysctls',`
 	gen_require(`
-		attribute sysctl_type;
+		type proc_t, proc_net_t, sysctl_rpc_t;
 	')
 
-	dontaudit $1 sysctl_type:dir list_dir_perms;
-	dontaudit $1 sysctl_type:file getattr;
+	rw_files_pattern($1, { proc_t proc_net_t sysctl_rpc_t }, sysctl_rpc_t)
+
+	list_dirs_pattern($1, { proc_t proc_net_t }, sysctl_rpc_t)
 ')
 
 ########################################
 ## <summary>
-##	Allow caller to read all sysctls.
+##	Read and write RPC sysctls.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
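Review bot: The summary above kernel_rw_rpc_sysctls_dirs was changed in the preceding hunk (L22876) to `##	Read RPC sysctls.`, but the body grants `rw_dirs_pattern` — read and write on the sysctl directories — so `##	Read and write RPC sysctl directories.` would be accurate. Likewise the new summary `##	Read and write RPC sysctls.` at the end of this hunk heads kernel_create_rpc_sysctls (next hunk), which emits only create_files_pattern; `##	Create RPC sysctl files.` matches what it does.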
@@ -2099,40 +2291,126 @@ interface(`kernel_dontaudit_list_all_sysctls',`
 ## </param>
 ## <rolecap/>
 #
-interface(`kernel_read_all_sysctls',`
+interface(`kernel_create_rpc_sysctls',`
 	gen_require(`
-		attribute sysctl_type;
-		type proc_t, proc_net_t;
+		type proc_t, proc_net_t, sysctl_rpc_t;
 	')
 
-	# proc_net_t for /proc/net/rpc sysctls
-	read_files_pattern($1, { proc_t proc_net_t sysctl_type }, sysctl_type)
+	create_files_pattern($1, { proc_t proc_net_t sysctl_rpc_t }, sysctl_rpc_t)
 
-	list_dirs_pattern($1, { proc_t proc_net_t }, sysctl_type)
 ')
 
 ########################################
 ## <summary>
-##	Read and write all sysctls.
+##	Do not audit attempts to list all sysctl directories.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed access.
+##	Domain to not audit.
 ##	</summary>
 ## </param>
-## <rolecap/>
 #
-interface(`kernel_rw_all_sysctls',`
+interface(`kernel_dontaudit_list_all_sysctls',`
 	gen_require(`
 		attribute sysctl_type;
-		type proc_t, proc_net_t;
 	')
 
-	# proc_net_t for /proc/net/rpc sysctls
-	rw_files_pattern($1, { proc_t proc_net_t sysctl_type }, sysctl_type)
+	dontaudit $1 sysctl_type:dir list_dir_perms;
+	dontaudit $1 sysctl_type:file read_file_perms;
+')
 
-	allow $1 sysctl_type:dir list_dir_perms;
-	# why is setattr needed?
+########################################
+## <summary>
+##	Allow attempts to mounton all sysctl directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_mounton_all_sysctls',`
+	gen_require(`
+		attribute sysctl_type;
+	')
+
+	allow $1 sysctl_type:dir mounton;
+')
+
+########################################
+## <summary>
+##	Allow attempts to mounton all filesystems used by ProtectKernelTunables systemd feature.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_mounton_systemd_ProtectKernelTunables',`
+	gen_require(`
+		type sysctl_t;
+        type sysctl_irq_t;
+        type proc_t;
+        type mtrr_device_t;
+        type debugfs_t;
+        type cgroup_t;
+	')
+
+	allow $1 sysctl_t:dir mounton;
+	allow $1 sysctl_irq_t:dir mounton;
+	allow $1 proc_t:dir mounton;
+	allow $1 mtrr_device_t:dir mounton;
+	allow $1 debugfs_t:dir mounton;
+	allow $1 cgroup_t:dir mounton;
+
+')
+
+########################################
+## <summary>
+##	Allow caller to read all sysctls.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`kernel_read_all_sysctls',`
+	gen_require(`
+		attribute sysctl_type;
+		type proc_t, proc_net_t;
+	')
+
+	# proc_net_t for /proc/net/rpc sysctls
+	read_files_pattern($1, { proc_t proc_net_t sysctl_type }, sysctl_type)
+
+	list_dirs_pattern($1, { proc_t proc_net_t }, sysctl_type)
+')
+
+########################################
+## <summary>
+##	Read and write all sysctls.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`kernel_rw_all_sysctls',`
+	gen_require(`
+		attribute sysctl_type;
+		type proc_t, proc_net_t;
+	')
+
+	# proc_net_t for /proc/net/rpc sysctls
+	rw_files_pattern($1, { proc_t proc_net_t sysctl_type }, sysctl_type)
+
+	allow $1 sysctl_type:dir list_dir_perms;
+	# why is setattr needed?
 	allow $1 sysctl_type:file setattr;
 ')
 
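Review bot: kernel_dontaudit_list_all_sysctls now suppresses `sysctl_type:file read_file_perms` instead of the previous `getattr`, which silences audit records for actual read attempts on every sysctl — well beyond the "list" the name and summary promise, and it removes evidence a defender may want when a domain probes kernel tunables. Keep `	dontaudit $1 sysctl_type:file getattr;` here and, if read denials really need quieting for some domain, add a separate, explicitly named interface. In kernel_mounton_systemd_ProtectKernelTunables the gen_require entries after the first are space-indented, and both it and kernel_create_rpc_sysctls end with a stray blank line before `')`.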
@@ -2280,6 +2558,25 @@ interface(`kernel_list_unlabeled',`
 	allow $1 unlabeled_t:dir list_dir_perms;
 ')
 
+########################################
+## <summary>
+##	Delete unlabeled files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_delete_unlabeled',`
+	gen_require(`
+		type unlabeled_t;
+	')
+
+	allow $1 unlabeled_t:dir delete_dir_perms;
+	allow $1 unlabeled_t:dir_file_class_set delete_file_perms;
+')
+
 ########################################
 ## <summary>
 ##	Read the process state (/proc/pid) of all unlabeled_t.
@@ -2306,7 +2603,7 @@ interface(`kernel_read_unlabeled_state',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed access.
+##	Domain to not audit.
 ##	</summary>
 ## </param>
 #
@@ -2486,6 +2783,24 @@ interface(`kernel_rw_unlabeled_blk_files',`
 	allow $1 unlabeled_t:blk_file getattr;
 ')
 
+########################################
+## <summary>
+##	Read and write unlabeled sockets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_rw_unlabeled_socket',`
+	gen_require(`
+		type unlabeled_t;
+	')
+
+	allow $1 unlabeled_t:socket rw_socket_perms;
+')
+
 ########################################
 ## <summary>
 ##	Do not audit attempts by caller to get attributes for
@@ -2523,6 +2838,24 @@ interface(`kernel_relabelfrom_unlabeled_dirs',`
 	allow $1 unlabeled_t:dir { list_dir_perms relabelfrom };
 ')
 
+########################################
+## <summary>
+##	Allow caller to relabel unlabeled filesystems.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_relabelfrom_unlabeled_fs',`
+	gen_require(`
+		type unlabeled_t;
+	')
+
+	allow $1 unlabeled_t:filesystem relabelfrom;
+')
+
 ########################################
 ## <summary>
 ##	Allow caller to relabel unlabeled files.
@@ -2665,6 +2998,24 @@ interface(`kernel_dontaudit_sendrecv_unlabeled_association',`
 	dontaudit $1 unlabeled_t:association { sendto recvfrom };
 ')
 
+########################################
+## <summary>
+##	Receive DCCP packets from an unlabeled connection.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_dccp_recvfrom_unlabeled',`
+	gen_require(`
+		type unlabeled_t;
+	')
+
+	allow $1 unlabeled_t:dccp_socket recvfrom;
+')
+
 ########################################
 ## <summary>
 ##	Receive TCP packets from an unlabeled connection.
@@ -2692,6 +3043,25 @@ interface(`kernel_tcp_recvfrom_unlabeled',`
 	allow $1 unlabeled_t:tcp_socket recvfrom;
 ')
 
+########################################
+## <summary>
+##	Do not audit attempts to receive DCCP packets from an unlabeled
+##	connection.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`kernel_dontaudit_dccp_recvfrom_unlabeled',`
+	gen_require(`
+		type unlabeled_t;
+	')
+
+	dontaudit $1 unlabeled_t:dccp_socket recvfrom;
+')
+
 ########################################
 ## <summary>
 ##	Do not audit attempts to receive TCP packets from an unlabeled
@@ -2803,6 +3173,33 @@ interface(`kernel_raw_recvfrom_unlabeled',`
 
 	allow $1 unlabeled_t:rawip_socket recvfrom;
 ')
+########################################
+## <summary>
+##	Read/Write Raw IP packets from an unlabeled connection.
+## </summary>
+## <desc>
+##	<p>
+##	Receive Raw IP packets from an unlabeled connection.
+##	</p>
+##	<p>
+##	The corenetwork interface corenet_raw_recv_unlabeled() should
+##	be used instead of this one.
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_rw_unlabeled_rawip_socket',`
+	gen_require(`
+		type unlabeled_t;
+	')
+
+	allow $1 unlabeled_t:rawip_socket rw_socket_perms;
+')
+
 
 ########################################
 ## <summary>
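Review bot: The `<desc>` of kernel_rw_unlabeled_rawip_socket is copied from kernel_raw_recvfrom_unlabeled — it says "Receive Raw IP packets" and recommends corenet_raw_recv_unlabeled() — but the interface grants `rawip_socket rw_socket_perms`, a different and broader access. Either rewrite the description to state that the caller may read from and write to unlabeled raw IP sockets, or drop the `<desc>` block and keep only the summary. There is also no blank line between the preceding interface's `')` and this banner.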
@@ -2956,6 +3353,24 @@ interface(`kernel_relabelfrom_unlabeled_database',`
 	allow $1 unlabeled_t:db_blob { setattr relabelfrom };
 ')
 
+########################################
+## <summary>
+##      Relabel to unlabeled context .
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`kernel_relabelto_unlabeled',`
+	gen_require(`
+		type unlabeled_t;
+	')
+
+	allow $1 unlabeled_t:dir_file_class_set relabelto;
+')
+
 ########################################
 ## <summary>
 ##	Unconfined access to kernel module resources.
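Review bot: The summary of kernel_relabelto_unlabeled, `##      Relabel to unlabeled context .`, has a stray space before the period and, together with its param block, is indented with spaces rather than the tab used by the rest of the file. `##	Relabel files and directories to the unlabeled context.` states what the `dir_file_class_set relabelto` rule actually permits.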
@@ -2972,5 +3387,649 @@ interface(`kernel_unconfined',`
 	')
 
 	typeattribute $1 kern_unconfined;
-	kernel_load_module($1)
+	kernel_load_module($1)	
+')
+
+########################################
+## <summary>
+##	Allow the specified domain to getattr on 
+##	the kernel with a unix socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_stream_read',`
+	gen_require(`
+		type kernel_t;
+	')
+
+	allow $1 kernel_t:unix_stream_socket { read getattr };
+')
+
+#######################################
+## <summary>
+##  Allow the specified domain to write on 
+##  the kernel with a unix socket.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`kernel_stream_write',`
+    gen_require(`
+        type kernel_t;
+    ')
+
+    allow $1 kernel_t:unix_stream_socket { write getattr };
+')
+
+#######################################
+## <summary>
+##  Allow the specified domain to read/write on 
+##  the kernel with a unix stream socket.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`kernel_rw_stream_socket_perms',`
+    gen_require(`
+        type kernel_t;
+    ')
+
+    allow $1 kernel_t:unix_stream_socket rw_socket_perms;
+    allow $1 kernel_t:fd use;
+')
+
+########################################
+## <summary>
+##	Make the specified type usable for regular entries in proc
+## </summary>
+## <param name="type">
+##	<summary>
+##	Type to be used for /proc entries.
+##	</summary>
+## </param>
+#
+interface(`kernel_proc_type',`
+	gen_require(`
+		attribute proc_type;
+	')
+
+	typeattribute $1 proc_type;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts by caller to get attributes on all sysctls.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`kernel_dontaudit_getattr_all_sysctls',`
+	gen_require(`
+		attribute sysctl_type;
+	')
+
+	dontaudit $1 sysctl_type:file getattr;
 ')
+
+########################################
+## <summary>
+##	Read the process state (/proc/pid) of the kernel.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_read_state',`
+	gen_require(`
+		type kernel_t;
+	')
+
+	allow $1 kernel_t:dir search_dir_perms;
+	allow $1 kernel_t:file read_file_perms;
+	allow $1 kernel_t:lnk_file read_lnk_file_perms;
+')
+
+########################################
+## <summary>
+##	Dontaudit attempts to read the process state (/proc/pid) of the kernel.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_dontaudit_read_state',`
+	gen_require(`
+		type kernel_t;
+	')
+
+	dontaudit $1 kernel_t:dir search_dir_perms;
+	dontaudit $1 kernel_t:file read_file_perms;
+	dontaudit $1 kernel_t:lnk_file read_lnk_file_perms;
+')
+
+########################################
+## <summary>
+##	Allow searching of numa state directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+##
+#
+interface(`kernel_search_numa_state',`
+	gen_require(`
+		type proc_t, proc_numa_t;
+	')
+
+	search_dirs_pattern($1, proc_t, proc_numa_t)
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to search the numa
+##	state directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+##
+#
+interface(`kernel_dontaudit_search_numa_state',`
+	gen_require(`
+		type proc_numa_t;
+	')
+
+	dontaudit $1 proc_numa_t:dir search;
+')
+
+########################################
+## <summary>
+##	Allow caller to read the numa state information.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+##
+#
+interface(`kernel_read_numa_state',`
+	gen_require(`
+		type proc_t, proc_numa_t;
+	')
+
+	read_files_pattern($1, { proc_t proc_numa_t }, proc_numa_t)
+	read_lnk_files_pattern($1, { proc_t proc_numa_t }, proc_numa_t)
+
+	list_dirs_pattern($1, proc_t, proc_numa_t)
+')
+
+########################################
+## <summary>
+##	Allow caller to read the numa state symbolic links.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+##
+#
+interface(`kernel_read_numa_state_symlinks',`
+	gen_require(`
+		type proc_t, proc_numa_t;
+	')
+
+	read_lnk_files_pattern($1, { proc_t proc_numa_t }, proc_numa_t)
+
+	list_dirs_pattern($1, proc_t, proc_numa_t)
+')
+
+########################################
+## <summary>
+##	Allow caller to write numa state information.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+##
+#
+interface(`kernel_write_numa_state',`
+	gen_require(`
+		type proc_t, proc_numa_t;
+	')
+
+	write_files_pattern($1, { proc_t proc_numa_t }, proc_numa_t)
+')
+
+########################################
+## <summary>
+##	Allow caller to search virtual memory overcommit sysctls.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_search_vm_overcommit_sysctl',`
+	gen_require(`
+		type sysctl_vm_overcommit_t;
+	')
+
+	kernel_search_vm_sysctl($1)
+	search_dirs_pattern($1, sysctl_vm_overcommit_t, sysctl_vm_overcommit_t)
+')
+
+########################################
+## <summary>
+##	Allow caller to read virtual memory overcommit sysctls.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`kernel_read_vm_overcommit_sysctls',`
+	gen_require(`
+		type sysctl_vm_overcommit_t;
+	')
+
+	kernel_search_vm_sysctl($1)
+	read_files_pattern($1, sysctl_vm_overcommit_t, sysctl_vm_overcommit_t)
+')
+
+########################################
+## <summary>
+##	Read and write virtual memory overcommit sysctls.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`kernel_rw_vm_overcommit_sysctls',`
+	gen_require(`
+		type sysctl_vm_overcommit_t;
+	')
+
+	kernel_search_vm_sysctl($1)
+	rw_files_pattern($1, sysctl_vm_overcommit_t, sysctl_vm_overcommit_t)
+	list_dirs_pattern($1, sysctl_vm_overcommit_t, sysctl_vm_overcommit_t)
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to search the security
+##	state directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+##
+#
+interface(`kernel_dontaudit_search_security_state',`
+	gen_require(`
+		type proc_security_t;
+	')
+
+	dontaudit $1 proc_security_t:dir search;
+')
+
+########################################
+## <summary>
+##	Allow searching of security state directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+##
+#
+interface(`kernel_search_security_state',`
+	gen_require(`
+		type proc_security_t;
+	')
+
+	search_dirs_pattern($1, proc_t, proc_security_t)
+')
+
+########################################
+## <summary>
+##	Read the security state information.
+## </summary>
+## <desc>
+##	<p>
+##	Allow the specified domain to read the security
+##	state information. 
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+## <rolecap/>
+#
+interface(`kernel_read_security_state',`
+	gen_require(`
+		type proc_t, proc_security_t;
+        attribute sysctl_type;
+	')
+
+	read_files_pattern($1, { proc_t proc_security_t }, proc_security_t)
+	read_lnk_files_pattern($1, { proc_t proc_security_t }, proc_security_t)
+
+	list_dirs_pattern($1, proc_t, proc_security_t)
+    allow $1 sysctl_type:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+##	Write the security state information.
+## </summary>
+## <desc>
+##	<p>
+##	Allow the specified domain to write the security
+##	state information. 
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+## <rolecap/>
+#
+interface(`kernel_write_security_state',`
+	gen_require(`
+		type proc_t, proc_security_t;
+	')
+
+	write_files_pattern($1, { proc_t proc_security_t }, proc_security_t)
+')
+
+########################################
+## <summary>
+##	Allow caller to read the security state symbolic links.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_read_security_state_symlinks',`
+	gen_require(`
+		type proc_t, proc_security_t;
+	')
+
+	read_lnk_files_pattern($1, { proc_t proc_security_t }, proc_security_t)
+
+	list_dirs_pattern($1, proc_t, proc_security_t)
+')
+
+########################################
+## <summary>
+##	Allow caller to read the security state symbolic links.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_rw_security_state',`
+	gen_require(`
+		type proc_t, proc_security_t;
+	')
+
+	rw_files_pattern($1, { proc_t proc_security_t }, proc_security_t)
+
+	list_dirs_pattern($1, proc_t, proc_security_t)
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to search the usermodehelper
+##	state directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+##
+#
+interface(`kernel_dontaudit_search_usermodehelper_state',`
+	gen_require(`
+		type usermodehelper_t;
+	')
+
+	dontaudit $1 usermodehelper_t:dir search;
+')
+
+########################################
+## <summary>
+##	Allow searching of usermodehelper state directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+##
+#
+interface(`kernel_search_usermodehelper_state',`
+	gen_require(`
+		type usermodehelper_t;
+	')
+
+	search_dirs_pattern($1, proc_t, usermodehelper_t)
+')
+
+########################################
+## <summary>
+##	Read the usermodehelper state information.
+## </summary>
+## <desc>
+##	<p>
+##	Allow the specified domain to read the usermodehelpering
+##	state information. This includes several pieces
+##	of usermodehelpering information, such as usermodehelper interface
+##	names, usermodehelperfilter (iptables) statistics, protocol
+##	information, routes, and remote procedure call (RPC)
+##	information.
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+## <rolecap/>
+#
+interface(`kernel_read_usermodehelper_state',`
+	gen_require(`
+		type proc_t, usermodehelper_t;
+	')
+
+	read_files_pattern($1, { proc_t usermodehelper_t }, usermodehelper_t)
+	read_lnk_files_pattern($1, { proc_t usermodehelper_t }, usermodehelper_t)
+
+	list_dirs_pattern($1, proc_t, usermodehelper_t)
+')
+
+########################################
+## <summary>
+##	Allow caller to read the usermodehelper state symbolic links.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_read_usermodehelper_state_symlinks',`
+	gen_require(`
+		type proc_t, usermodehelper_t;
+	')
+
+	read_lnk_files_pattern($1, { proc_t usermodehelper_t }, usermodehelper_t)
+
+	list_dirs_pattern($1, proc_t, usermodehelper_t)
+')
+
+########################################
+## <summary>
+##	Read and write usermodehelper state
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`kernel_rw_usermodehelper_state',`
+	gen_require(`
+		type proc_t, usermodehelper_t;
+	')
+
+	dev_search_sysfs($1)
+	rw_files_pattern($1, proc_t, usermodehelper_t)
+	list_dirs_pattern($1, proc_t, usermodehelper_t)
+')
+
+########################################
+## <summary>
+##	Dontaudit write usermodehelper state
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`kernel_dontaudit_write_usermodehelper_state',`
+	gen_require(`
+		type usermodehelper_t;
+	')
+
+	dontaudit $1 usermodehelper_t:file write;
+')
+
+########################################
+## <summary>
+##      Relabel to usermodehelper context .
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`kernel_relabelto_usermodehelper',`
+	gen_require(`
+		type usermodehelper_t;
+	')
+
+	allow $1 usermodehelper_t:file relabelto;
+')
+
+########################################
+## <summary>
+##      Read netlink audit socket
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`kernel_read_netlink_audit_socket',`
+	gen_require(`
+		type kernel_t;
+	')
+
+	allow $1 kernel_t:netlink_audit_socket r_netlink_socket_perms;
+')
+
+########################################
+## <summary>
+##	Execute an unlabeled file in the specified domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+## <param name="target_domain">
+##	<summary>
+##	The type of the new process.
+##	</summary>
+## </param>
+#
+interface(`kernel_unlabeled_domtrans',`
+	gen_require(`
+		type unlabeled_t;
+	')
+
+	read_lnk_files_pattern($1, unlabeled_t, unlabeled_t)
+	domain_transition_pattern($1, unlabeled_t, $2)
+	type_transition $1 unlabeled_t:process $2;
+')
+
+########################################
+## <summary>
+##	Make general progams without labeles an entrypoint for
+##	the specified domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The domain for which unlabeled_t is an entrypoint.
+##	</summary>
+## </param>
+#
+interface(`kernel_unlabeled_entry_type',`
+	gen_require(`
+		type unlabeled_t;
+	')
+
+	domain_entry_file($1, unlabeled_t)
+')
+
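Review bot: kernel_unlabeled_entry_type calls domain_entry_file($1, unlabeled_t) and kernel_unlabeled_domtrans uses domain_transition_pattern($1, unlabeled_t, $2), both of which, as defined in refpolicy's support patterns, grant `$x unlabeled_t:file entrypoint`; the kernel.te hunk of this same patch adds `neverallow * unlabeled_t:file entrypoint;`, so any module calling either interface will fail the neverallow check at build time and the two interfaces are unusable as written — either drop them or carve them out of the neverallow. kernel_search_security_state and kernel_search_usermodehelper_state pass proc_t to search_dirs_pattern but do not list `type proc_t;` in their gen_require, which breaks in a loadable module that does not already require it. The desc of kernel_read_usermodehelper_state is a search-and-replace leftover from the network-state interface ("usermodehelpering", "usermodehelperfilter (iptables) statistics") and should describe what it actually reads, i.e. /proc/sys/kernel/{core_pattern,hotplug,modprobe,poweroff_cmd,usermodehelper}. Because writing those files chooses the helper the kernel executes with full privilege, kernel_rw_usermodehelper_state and kernel_write_security_state deserve a warning comment such as `## Writing these sysctls is equivalent to arbitrary code execution in kernel-spawned helpers.`; kernel_rw_security_state also carries a copied summary ("read the security state symbolic links") that does not match its rw_files_pattern.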
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index 8dbab4c5e..2a10c3350 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -25,6 +25,9 @@ attribute kern_unconfined;
 # regular entries in proc
 attribute proc_type;
 
+# attribute for domains which read proc_t
+attribute kernel_system_state_reader;
+
 # sysctls
 attribute sysctl_type;
 
@@ -48,6 +51,7 @@ ifdef(`enable_mls',`
 type kernel_t, can_load_kernmodule;
 domain_base_type(kernel_t)
 mls_rangetrans_source(kernel_t)
+mls_trusted_object(kernel_t)
 role system_r types kernel_t;
 sid kernel gen_context(system_u:system_r:kernel_t,mls_systemhigh)
 
@@ -58,6 +62,8 @@ sid kernel gen_context(system_u:system_r:kernel_t,mls_systemhigh)
 type debugfs_t;
 files_mountpoint(debugfs_t)
 fs_type(debugfs_t)
+dev_associate_sysfs(debugfs_t)
+
 allow debugfs_t self:filesystem associate;
 genfscon debugfs / gen_context(system_u:object_r:debugfs_t,s0)
 
@@ -95,9 +101,32 @@ genfscon proc /kcore gen_context(system_u:object_r:proc_kcore_t,mls_systemhigh)
 type proc_mdstat_t, proc_type;
 genfscon proc /mdstat gen_context(system_u:object_r:proc_mdstat_t,s0)
 
+type proc_numa_t, proc_type;
+genfscon proc /numatools gen_context(system_u:object_r:proc_numa_t,s0)
+mls_trusted_object(proc_numa_t)
+
 type proc_net_t, proc_type;
 genfscon proc /net gen_context(system_u:object_r:proc_net_t,s0)
 
+type proc_security_t, proc_type;
+genfscon proc /sys/fs/protected_hardlinks gen_context(system_u:object_r:proc_security_t,s0)
+genfscon proc /sys/fs/protected_symlinks gen_context(system_u:object_r:proc_security_t,s0)
+genfscon proc /sys/fs/suid_dumpable gen_context(system_u:object_r:proc_security_t,s0)
+genfscon proc /sys/kernel/dmesg_restrict gen_context(system_u:object_r:proc_security_t,s0)
+genfscon proc /sys/kernel/kptr_restrict gen_context(system_u:object_r:proc_security_t,s0)
+genfscon proc /sys/kernel/modules_disabled gen_context(system_u:object_r:proc_security_t,s0)
+genfscon proc /sys/kernel/randomize_va_space gen_context(system_u:object_r:proc_security_t,s0)
+
+type usermodehelper_t, proc_type, sysctl_type;
+typealias usermodehelper_t alias sysctl_hotplug_t;
+typealias usermodehelper_t alias sysctl_modprobe_t;
+dev_associate_sysfs(usermodehelper_t)
+genfscon proc /sys/kernel/core_pattern gen_context(system_u:object_r:usermodehelper_t,s0)
+genfscon proc /sys/kernel/hotplug gen_context(system_u:object_r:usermodehelper_t,s0)
+genfscon proc /sys/kernel/modprobe gen_context(system_u:object_r:usermodehelper_t,s0)
+genfscon proc /sys/kernel/poweroff_cmd gen_context(system_u:object_r:usermodehelper_t,s0)
+genfscon proc /sys/kernel/usermodehelper gen_context(system_u:object_r:usermodehelper_t,s0)
+
 type proc_xen_t, proc_type;
 files_mountpoint(proc_xen_t)
 genfscon proc /xen gen_context(system_u:object_r:proc_xen_t,s0)
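Review bot: The `typealias usermodehelper_t alias sysctl_hotplug_t;` / `sysctl_modprobe_t` lines widen every existing rule written against either old type to all five usermodehelper sysctls, so a domain that could previously only rewrite /proc/sys/kernel/modprobe can now also set core_pattern and poweroff_cmd; a comment above the aliases should say so, e.g. `# NOTE: these aliases extend any existing sysctl_modprobe_t/sysctl_hotplug_t grant to core_pattern, poweroff_cmd and usermodehelper.` The new proc_security_t entries presumably take /sys/kernel/* and /sys/fs/* files out of sysctl_kernel_t and sysctl_fs_t, so domains using the generic kernel sysctl rw interfaces lose write access to them — intended hardening, but worth a comment naming it as such. Giving usermodehelper_t both proc_type and sysctl_type also means both kern_unconfined rule sets apply to it; confirm that is wanted.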
@@ -114,10 +143,12 @@ genfscon proc /sys gen_context(system_u:object_r:sysctl_t,s0)
 
 # /proc/irq directory and files
 type sysctl_irq_t, sysctl_type;
+fs_associate_proc(sysctl_irq_t)
 genfscon proc /irq gen_context(system_u:object_r:sysctl_irq_t,s0)
 
 # /proc/net/rpc directory and files
 type sysctl_rpc_t, sysctl_type;
+fs_associate_proc(sysctl_rpc_t)
 genfscon proc /net/rpc gen_context(system_u:object_r:sysctl_rpc_t,s0)
 
 # /proc/sys/crypto directory and files
@@ -133,14 +164,6 @@ genfscon proc /sys/fs gen_context(system_u:object_r:sysctl_fs_t,s0)
 type sysctl_kernel_t, sysctl_type;
 genfscon proc /sys/kernel gen_context(system_u:object_r:sysctl_kernel_t,s0)
 
-# /proc/sys/kernel/modprobe file
-type sysctl_modprobe_t, sysctl_type;
-genfscon proc /sys/kernel/modprobe gen_context(system_u:object_r:sysctl_modprobe_t,s0)
-
-# /proc/sys/kernel/hotplug file
-type sysctl_hotplug_t, sysctl_type;
-genfscon proc /sys/kernel/hotplug gen_context(system_u:object_r:sysctl_hotplug_t,s0)
-
 # /proc/sys/net directory and files
 type sysctl_net_t, sysctl_type;
 genfscon proc /sys/net gen_context(system_u:object_r:sysctl_net_t,s0)
@@ -151,8 +174,13 @@ genfscon proc /sys/net/unix gen_context(system_u:object_r:sysctl_net_unix_t,s0)
 
 # /proc/sys/vm directory and files
 type sysctl_vm_t, sysctl_type;
+fs_associate(sysctl_vm_t)
 genfscon proc /sys/vm gen_context(system_u:object_r:sysctl_vm_t,s0)
 
+# /proc/sys/vm/overcommit_memory
+type sysctl_vm_overcommit_t, sysctl_type;
+genfscon proc /sys/vm/overcommit_memory gen_context(system_u:object_r:sysctl_vm_overcommit_t,s0)
+
 # /proc/sys/dev directory and files
 type sysctl_dev_t, sysctl_type;
 genfscon proc /sys/dev gen_context(system_u:object_r:sysctl_dev_t,s0)
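Review bot: `fs_associate(sysctl_vm_t)` allows association with any filesystem type, whereas the sysctl_irq_t and sysctl_rpc_t additions in the previous hunk use the narrower `fs_associate_proc()`; unless sysctl_vm_t is expected to appear outside procfs, `fs_associate_proc(sysctl_vm_t)` keeps the three consistent and the grant minimal. A one-line comment naming the denial that motivated it would help either way.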
@@ -165,6 +193,14 @@ genfscon proc /sys/dev gen_context(system_u:object_r:sysctl_dev_t,s0)
 type unlabeled_t;
 fs_associate(unlabeled_t)
 sid unlabeled gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
+allow unlabeled_t self:filesystem associate;
+
+# Need the following because we are type alias of file_t.
+files_type(unlabeled_t)
+kernel_rootfs_mountpoint(unlabeled_t)
+sid file gen_context(system_u:object_r:unlabeled_t,s0)
+typealias unlabeled_t alias file_t;
+neverallow * unlabeled_t:file entrypoint;
 
 # These initial sids are no longer used, and can be removed:
 sid any_socket		gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
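Review bot: Making file_t an alias of unlabeled_t and calling files_type() on it merges on-disk objects without a label into the same type that labels unlabeled network traffic and the unlabeled initial SID, and presumably places them in the file_type attribute, so every attribute-wide file grant now reaches unlabeled files that previously had to be requested through the explicit kernel_* unlabeled interfaces. The comment `# Need the following because we are type alias of file_t.` states the mechanism but not the motivation; a sentence on why the two types are merged and what widening is accepted would help the next reviewer. Note also that `sid file` is s0 while `sid unlabeled` stays mls_systemhigh for the same type; if that is deliberate on MLS, say so in a comment. The new `neverallow * unlabeled_t:file entrypoint;` is good, but the kernel.if part of this patch adds interfaces that grant exactly that permission (see the kernel.if review).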
@@ -189,6 +225,7 @@ sid tcp_socket		gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
 # kernel local policy
 #
 
+allow kernel_t self:capability2 mac_admin;
 allow kernel_t self:capability ~sys_module;
 allow kernel_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow kernel_t self:shm create_shm_perms;
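Review bot: `allow kernel_t self:capability2 mac_admin;` permits kernel_t to set security labels that the loaded policy does not define (they are then treated as unlabeled), which is a deliberate bypass of label validation; the line carries no comment saying why the kernel domain needs it. Add the reason and the denial it fixes, e.g. `# mac_admin: allow setting labels undefined in the loaded policy (needed for <reason>)`, so the grant can be re-evaluated later rather than kept by inertia.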
@@ -233,7 +270,6 @@ allow unlabeled_t unlabeled_t:packet { forward_in forward_out };
 corenet_in_generic_if(unlabeled_t)
 corenet_in_generic_node(unlabeled_t)
 
-corenet_all_recvfrom_unlabeled(kernel_t)
 corenet_all_recvfrom_netlabel(kernel_t)
 # Kernel-generated traffic e.g., ICMP replies:
 corenet_raw_sendrecv_all_if(kernel_t)
@@ -244,17 +280,21 @@ corenet_tcp_sendrecv_all_if(kernel_t)
 corenet_tcp_sendrecv_all_nodes(kernel_t)
 corenet_raw_send_generic_node(kernel_t)
 corenet_send_all_packets(kernel_t)
+corenet_filetrans_all_named_dev(kernel_t)
 
 dev_read_sysfs(kernel_t)
 dev_search_usbfs(kernel_t)
 # devtmpfs handling:
 dev_create_generic_dirs(kernel_t)
 dev_delete_generic_dirs(kernel_t)
-dev_create_generic_blk_files(kernel_t)
-dev_delete_generic_blk_files(kernel_t)
-dev_create_generic_chr_files(kernel_t)
-dev_delete_generic_chr_files(kernel_t)
+dev_create_all_blk_files(kernel_t)
+dev_delete_all_blk_files(kernel_t)
+dev_create_all_chr_files(kernel_t)
+dev_delete_all_chr_files(kernel_t)
 dev_mounton(kernel_t)
+dev_filetrans_all_named_dev(kernel_t)
+storage_filetrans_all_named_dev(kernel_t)
+term_filetrans_all_named_dev(kernel_t)
 
 # Mount root file system. Used when loading a policy
 # from initrd, then mounting the root filesystem
@@ -263,7 +303,8 @@ fs_unmount_all_fs(kernel_t)
 
 selinux_load_policy(kernel_t)
 
-term_use_console(kernel_t)
+term_use_all_terms(kernel_t)
+term_use_ptmx(kernel_t)
 
 corecmd_exec_shell(kernel_t)
 corecmd_list_bin(kernel_t)
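Review bot: Replacing `term_use_console(kernel_t)` with `term_use_all_terms(kernel_t)` plus `term_use_ptmx(kernel_t)` lets kernel_t read and write every user tty and pty, not just the console; if this was driven by a specific denial (a kernel-spawned helper writing to a controlling terminal, say), the denial should be quoted in a comment and a narrower terminal interface tried first. As written a reviewer cannot tell whether the widening is needed or just convenient.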
@@ -277,25 +318,53 @@ files_list_root(kernel_t)
 files_list_etc(kernel_t)
 files_list_home(kernel_t)
 files_read_usr_files(kernel_t)
+files_manage_mounttab(kernel_t)
+files_manage_generic_spool_dirs(kernel_t)
 
 mcs_process_set_categories(kernel_t)
+mcs_file_read_all(kernel_t)
+mcs_file_write_all(kernel_t)
+mcs_socket_write_all_levels(kernel_t)
 
 mls_process_read_up(kernel_t)
 mls_process_write_down(kernel_t)
+mls_file_downgrade(kernel_t)
 mls_file_write_all_levels(kernel_t)
 mls_file_read_all_levels(kernel_t)
+mls_socket_write_all_levels(kernel_t) 
+mls_fd_share_all_levels(kernel_t) 
+mls_fd_use_all_levels(kernel_t)
+mls_process_set_level(kernel_t)
 
 ifdef(`distro_redhat',`
 	# Bugzilla 222337
 	fs_rw_tmpfs_chr_files(kernel_t)
 ')
 
+optional_policy(`
+    abrt_filetrans_named_content(kernel_t)
+    abrt_dump_oops_domtrans(kernel_t)
+')
+
+optional_policy(`
+	apache_filetrans_home_content(kernel_t)
+')
+
+optional_policy(`
+	gnome_filetrans_home_content(kernel_t)
+')
+
+optional_policy(`
+	kerberos_filetrans_home_content(kernel_t)
+')
+
 optional_policy(`
 	hotplug_search_config(kernel_t)
 ')
 
 optional_policy(`
 	init_sigchld(kernel_t)
+	init_dyntrans(kernel_t)
 ')
 
 optional_policy(`
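Review bot: `mcs_file_read_all(kernel_t)`, `mcs_file_write_all(kernel_t)` and `mcs_socket_write_all_levels(kernel_t)` are added here, but the mcs.if hunks of this same patch turn all three interfaces into refpolicywarn() stubs that grant nothing, so these lines only emit deprecation warnings at build and should be removed. `init_dyntrans(kernel_t)` lets kernel_t switch to the init domain without an exec and `abrt_dump_oops_domtrans(kernel_t)` gives the kernel a transition into a userspace tool; both deserve a one-line comment on the trigger (presumably early-boot/initramfs handling and oops collection, respectively). The `mls_socket_write_all_levels(kernel_t)` and `mls_fd_share_all_levels(kernel_t)` lines carry trailing whitespace, and the abrt block is indented with spaces where the file uses tabs.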
@@ -305,12 +374,30 @@ optional_policy(`
 
 optional_policy(`
 	logging_send_syslog_msg(kernel_t)
+	logging_manage_generic_logs(kernel_t)
+')
+
+optional_policy(`
+	mta_filetrans_home_content(kernel_t)
+')
+
+optional_policy(`
+	ssh_filetrans_home_content(kernel_t)
+')
+
+optional_policy(`
+	userdom_user_home_dir_filetrans_user_home_content(kernel_t, { file dir })
 ')
 
 optional_policy(`
 	nis_use_ypbind(kernel_t)
 ')
 
+optional_policy(`
+    plymouthd_create_log(kernel_t)
+    plymouthd_filetrans_named_content(kernel_t)
+')
+
 optional_policy(`
 	# nfs kernel server needs kernel UDP access. It is less risky and painful
 	# to just give it everything.
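Review bot: The kernel domain is given file transitions into user home content for mta and ssh here, and `userdom_user_home_dir_filetrans_user_home_content(kernel_t, { file dir })`, with more of the same for apache, gnome, kerberos, virt and xserver in neighbouring hunks, yet nothing explains when kernel_t creates files in home directories. If this is the in-kernel NFS server creating files on behalf of clients (the nearby nfsd comment suggests that is the relevant code path), a comment such as `# nfsd creates files in exported home directories on behalf of clients; keep default labels correct` above the group would make the grants reviewable and would justify keeping them outside the nfs tunables or moving them inside.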
@@ -332,9 +419,6 @@ optional_policy(`
 
 	sysnet_read_config(kernel_t)
 
-	rpc_manage_nfs_ro_content(kernel_t)
-	rpc_manage_nfs_rw_content(kernel_t)
-	rpc_tcp_rw_nfs_sockets(kernel_t)
 	rpc_udp_rw_nfs_sockets(kernel_t)
 
 	tunable_policy(`nfs_export_all_ro',`
@@ -343,9 +427,7 @@ optional_policy(`
 		fs_read_noxattr_fs_files(kernel_t)
 		fs_read_noxattr_fs_symlinks(kernel_t)
 
-		files_list_non_auth_dirs(kernel_t)
-		files_read_non_auth_files(kernel_t)
-		files_read_non_auth_symlinks(kernel_t)
+		files_read_non_security_files(kernel_t)
 	')
 
 	tunable_policy(`nfs_export_all_rw',`
@@ -354,7 +436,7 @@ optional_policy(`
 		fs_read_noxattr_fs_files(kernel_t)
 		fs_read_noxattr_fs_symlinks(kernel_t)
 
-		files_manage_non_auth_files(kernel_t)
+		files_manage_non_security_files(kernel_t)
 	')
 ')
 
@@ -363,10 +445,23 @@ optional_policy(`
 	seutil_read_bin_policy(kernel_t)
 ')
 
+optional_policy(`
+	systemd_coredump_domtrans(kernel_t)
+')
+
 optional_policy(`
 	unconfined_domain_noaudit(kernel_t)
 ')
 
+optional_policy(`
+	virt_filetrans_home_content(kernel_t)
+')
+
+optional_policy(`
+	xserver_xdm_manage_spool(kernel_t)
+	xserver_filetrans_home_content(kernel_t)
+')
+
 ########################################
 #
 # Unlabeled process local policy
@@ -388,6 +483,8 @@ optional_policy(`
 if( ! secure_mode_insmod ) {
 	allow can_load_kernmodule self:capability sys_module;
 
+    files_load_kernel_modules(can_load_kernmodule)
+
 	# load_module() calls stop_machine() which
 	# calls sched_setscheduler()
 	allow can_load_kernmodule self:capability sys_nice;
@@ -399,14 +496,38 @@ if( ! secure_mode_insmod ) {
 # Rules for unconfined acccess to this module
 #
 
-allow kern_unconfined proc_type:{ dir file lnk_file } *;
+allow kern_unconfined proc_type:{ file } ~entrypoint;
+allow kern_unconfined proc_type:{ dir lnk_file } *;
 
-allow kern_unconfined sysctl_type:{ dir file } *;
+allow kern_unconfined sysctl_type:{ file } ~entrypoint;
+allow kern_unconfined sysctl_type:{ dir lnk_file } *;
 
 allow kern_unconfined kernel_t:system *;
 
-allow kern_unconfined unlabeled_t:dir_file_class_set *;
+allow kern_unconfined unlabeled_t:{ dir lnk_file sock_file fifo_file chr_file blk_file } *;
+allow kern_unconfined unlabeled_t:file ~entrypoint;
 allow kern_unconfined unlabeled_t:filesystem *;
 allow kern_unconfined unlabeled_t:association *;
 allow kern_unconfined unlabeled_t:packet *;
-allow kern_unconfined unlabeled_t:process ~{ transition dyntransition execmem execstack execheap };
+allow kern_unconfined unlabeled_t:process ~{ ptrace transition dyntransition execmem execstack execheap };
+
+gen_require(`
+	bool secure_mode_insmod;
+')
+
+if( ! secure_mode_insmod ) {
+    allow can_load_kernmodule self:capability sys_module;
+    # load_module() calls stop_machine() which
+    # calls sched_setscheduler()
+    allow can_load_kernmodule self:capability sys_nice;
+    kernel_setsched(can_load_kernmodule)
+}
+
+#######################################
+#
+# Kernel system state reader policy
+#
+
+read_files_pattern(kernel_system_state_reader, proc_t, proc_t)
+read_lnk_files_pattern(kernel_system_state_reader, proc_t, proc_t)
+list_dirs_pattern(kernel_system_state_reader, proc_t, proc_t)
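Review bot: The `if( ! secure_mode_insmod ) { ... }` block added at the end of this hunk duplicates the one already present earlier in the file (visible as context in the previous hunk, where it gains files_load_kernel_modules()), including the `gen_require` of the boolean and the sys_module / sys_nice grants; the copy should be deleted, since it adds nothing and leaves two places to keep in sync. The kern_unconfined changes that drop `entrypoint` from the file permissions on proc_type, sysctl_type and unlabeled_t and add `ptrace` to the excluded process permissions are sound hardening and consistent with the new neverallow. The new block uses four-space indentation while the rest of the file uses tabs.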
diff --git a/policy/modules/kernel/mcs.if b/policy/modules/kernel/mcs.if
index b08a6e849..43d504b88 100644
--- a/policy/modules/kernel/mcs.if
+++ b/policy/modules/kernel/mcs.if
@@ -44,11 +44,7 @@ interface(`mcs_constrained',`
 ## <rolecap/>
 #
 interface(`mcs_file_read_all',`
-	gen_require(`
-		attribute mcsreadall;
-	')
-
-	typeattribute $1 mcsreadall;
+	refpolicywarn(`$0() has been deprecated, please remove mcs_constrained() instead.')
 ')
 
 ########################################
@@ -64,11 +60,7 @@ interface(`mcs_file_read_all',`
 ## <rolecap/>
 #
 interface(`mcs_file_write_all',`
-	gen_require(`
-		attribute mcswriteall;
-	')
-
-	typeattribute $1 mcswriteall;
+	refpolicywarn(`$0() has been deprecated, please remove mcs_constrained() instead.')
 ')
 
 ########################################
@@ -84,11 +76,7 @@ interface(`mcs_file_write_all',`
 ## <rolecap/>
 #
 interface(`mcs_killall',`
-	gen_require(`
-		attribute mcskillall;
-	')
-
-	typeattribute $1 mcskillall;
+	refpolicywarn(`$0() has been deprecated, please remove mcs_constrained() instead.')
 ')
 
 ########################################
@@ -104,11 +92,7 @@ interface(`mcs_killall',`
 ## </param>
 #
 interface(`mcs_ptrace_all',`
-	gen_require(`
-		attribute mcsptraceall;
-	')
-
-	typeattribute $1 mcsptraceall;
+	refpolicywarn(`$0() has been deprecated, please remove mcs_constrained() instead.')
 ')
 
 ########################################
@@ -130,3 +114,19 @@ interface(`mcs_process_set_categories',`
 
 	typeattribute $1 mcssetcats;
 ')
+
+########################################
+## <summary>
+##	Make specified domain MCS trusted
+##	for writing to sockets at any level.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`mcs_socket_write_all_levels',`
+	refpolicywarn(`$0() has been deprecated, please remove mcs_constrained() instead.')
+')
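Review bot: The deprecation text `$0() has been deprecated, please remove mcs_constrained() instead.` is self-contradictory (remove mcs_constrained() instead of what?), and the same string is pasted into the four earlier stubs in this file; if the model is that every domain is now MCS-unconstrained unless mcs_constrained() is applied, the message should say `$0() has been deprecated; MCS restrictions are now opt-in via mcs_constrained(), so remove this call.` mcs_socket_write_all_levels is introduced already as a no-op stub while mcs.te gains an `mcsnetwrite` attribute that nothing visible uses — if the attribute is meant to back this interface the stub should `typeattribute $1 mcsnetwrite;`, otherwise one of the two is dead code. The `<rolecap/>` tag on an interface that grants nothing is also misleading.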
diff --git a/policy/modules/kernel/mcs.te b/policy/modules/kernel/mcs.te
index 2da98c257..31bed0a7c 100644
--- a/policy/modules/kernel/mcs.te
+++ b/policy/modules/kernel/mcs.te
@@ -11,3 +11,4 @@ attribute mcssetcats;
 attribute mcswriteall;
 attribute mcsreadall;
 attribute mcs_constrained_type;
+attribute mcsnetwrite;
diff --git a/policy/modules/kernel/mls.if b/policy/modules/kernel/mls.if
index d178478da..42bf05bcd 100644
--- a/policy/modules/kernel/mls.if
+++ b/policy/modules/kernel/mls.if
@@ -97,6 +97,26 @@ interface(`mls_file_write_to_clearance',`
 	typeattribute $1 mlsfilewritetoclr;
 ')
 
+########################################
+## <summary>
+##	Make specified domain MLS trusted
+##	for relabelto to files up to its clearance.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`mls_file_relabel_to_clearance',`
+	gen_require(`
+		attribute mlsfilerelabeltoclr;
+	')
+
+	typeattribute $1 mlsfilerelabeltoclr;
+')
+
 ########################################
 ## <summary>
 ##	Make specified domain MLS trusted
diff --git a/policy/modules/kernel/mls.te b/policy/modules/kernel/mls.te
index 8c7bd90d2..66ee5b9a1 100644
--- a/policy/modules/kernel/mls.te
+++ b/policy/modules/kernel/mls.te
@@ -12,6 +12,7 @@ attribute mlsfilewritetoclr;
 attribute mlsfilewriteinrange;
 attribute mlsfileupgrade;
 attribute mlsfiledowngrade;
+attribute mlsfilerelabeltoclr;
 
 attribute mlsnetread;
 attribute mlsnetreadtoclr;
diff --git a/policy/modules/kernel/selinux.fc b/policy/modules/kernel/selinux.fc
index 7be4ddf74..4d4c577ad 100644
--- a/policy/modules/kernel/selinux.fc
+++ b/policy/modules/kernel/selinux.fc
@@ -1 +1 @@
-# This module currently does not have any file contexts.
+/selinux    -l	gen_context(system_u:object_r:security_t,s0)
diff --git a/policy/modules/kernel/selinux.if b/policy/modules/kernel/selinux.if
index 6d0811da3..708f07490 100644
--- a/policy/modules/kernel/selinux.if
+++ b/policy/modules/kernel/selinux.if
@@ -40,7 +40,7 @@ interface(`selinux_labeled_boolean',`
 
 	# because of this statement, any module which
 	# calls this interface must be in the base module:
-	genfscon selinuxfs /booleans/$2 gen_context(system_u:object_r:$1,s0)
+#	genfscon selinuxfs /booleans/$2 gen_context(system_u:object_r:$1,s0)
 ')
 
 ########################################
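Review bot: Commenting out the `genfscon selinuxfs /booleans/$2` line leaves selinux_labeled_boolean silently not labeling the boolean file its callers asked for, and the comment immediately above it ("because of this statement, any module which calls this interface must be in the base module") now describes a statement that no longer runs. Either delete the line and replace the comment with the reason, e.g. `# Boolean files are no longer labeled per type here; callers keep their type for <reason>.`, or restore it; a commented-out rule with a stale justification is the worst of both.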
@@ -58,6 +58,9 @@ interface(`selinux_get_fs_mount',`
 		type security_t;
 	')
 
+	allow $1 security_t:lnk_file read_lnk_file_perms;
+	dev_getattr_sysfs_fs($1)
+	dev_search_sysfs($1)
 	# starting in libselinux 2.0.5, init_selinuxmnt() will
 	# attempt to short circuit by checking if SELINUXMNT
 	# (/selinux) is already a selinuxfs
@@ -87,6 +90,7 @@ interface(`selinux_dontaudit_get_fs_mount',`
 	# starting in libselinux 2.0.5, init_selinuxmnt() will
 	# attempt to short circuit by checking if SELINUXMNT
 	# (/selinux) is already a selinuxfs
+	dev_dontaudit_search_sysfs($1)
 	dontaudit $1 security_t:filesystem getattr;
 
 	# read /proc/filesystems to see if selinuxfs is supported
@@ -109,6 +113,9 @@ interface(`selinux_mount_fs',`
 		type security_t;
 	')
 
+	dev_getattr_sysfs_fs($1)
+	dev_search_sysfs($1)
+	allow $1 security_t:lnk_file read_lnk_file_perms;
 	allow $1 security_t:filesystem mount;
 ')
 
@@ -128,6 +135,9 @@ interface(`selinux_remount_fs',`
 		type security_t;
 	')
 
+	dev_getattr_sysfs_fs($1)
+	dev_search_sysfs($1)
+	allow $1 security_t:lnk_file read_lnk_file_perms;
 	allow $1 security_t:filesystem remount;
 ')
 
@@ -146,6 +156,9 @@ interface(`selinux_unmount_fs',`
 		type security_t;
 	')
 
+	dev_getattr_sysfs_fs($1)
+	dev_search_sysfs($1)
+	allow $1 security_t:lnk_file read_lnk_file_perms;
 	allow $1 security_t:filesystem unmount;
 ')
 
@@ -164,6 +177,7 @@ interface(`selinux_getattr_fs',`
 		type security_t;
 	')
 
+	allow $1 security_t:lnk_file read_lnk_file_perms;
 	allow $1 security_t:filesystem getattr;
 ')
 
@@ -221,7 +235,12 @@ interface(`selinux_search_fs',`
 	')
 
 	dev_search_sysfs($1)
+	allow $1 security_t:lnk_file read_lnk_file_perms;
 	allow $1 security_t:dir search_dir_perms;
+
+    optional_policy(`
+        seutil_search_config($1)
+    ')
 ')
 
 ########################################
@@ -242,6 +261,28 @@ interface(`selinux_dontaudit_search_fs',`
 	dontaudit $1 security_t:dir search_dir_perms;
 ')
 
+########################################
+## <summary>
+##	Mount on selinuxfs directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`selinux_mounton_fs',`
+	gen_require(`
+		type security_t;
+	')
+
+	dev_getattr_sysfs_fs($1)
+	dev_search_sysfs($1)
+	allow $1 security_t:lnk_file read_lnk_file_perms;
+	allow $1 security_t:dir mounton;
+')
+
+
 ########################################
 ## <summary>
 ##	Do not audit attempts to read
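Review bot: The new `selinux_mounton_fs` interface is followed by two blank lines instead of the single blank line used between every other interface in this file; drop the extra one so the separator block stays uniform. Otherwise the interface is consistent with its siblings.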
@@ -258,6 +299,7 @@ interface(`selinux_dontaudit_read_fs',`
 		type security_t;
 	')
 
+	selinux_dontaudit_getattr_fs($1)
 	dontaudit $1 security_t:dir search_dir_perms;
 	dontaudit $1 security_t:file read_file_perms;
 ')
@@ -280,8 +322,10 @@ interface(`selinux_get_enforce_mode',`
 	')
 
 	dev_search_sysfs($1)
+	selinux_get_fs_mount($1)
 	allow $1 security_t:dir list_dir_perms;
 	allow $1 security_t:file read_file_perms;
+	allow $1 security_t:lnk_file read_lnk_file_perms;
 ')
 
 ########################################
@@ -310,22 +354,12 @@ interface(`selinux_set_enforce_mode',`
 	gen_require(`
 		type security_t;
 		attribute can_setenforce;
-		bool secure_mode_policyload;
 	')
 
 	dev_search_sysfs($1)
 	allow $1 security_t:dir list_dir_perms;
 	allow $1 security_t:file rw_file_perms;
 	typeattribute $1 can_setenforce;
-
-	if(!secure_mode_policyload) {
-		allow $1 security_t:security setenforce;
-
-		ifdef(`distro_rhel4',`
-			# needed for systems without audit support
-			auditallow $1 security_t:security setenforce;
-		')
-	}
 ')
 
 ########################################
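Review bot: With the `if(!secure_mode_policyload)` block removed, nothing in `selinux_set_enforce_mode` tells a reader that the actual `security_t:security setenforce` permission is granted elsewhere and is still conditional on the boolean (it moves to selinux.te in this same diff). Add a comment where the block used to be, e.g. `# security:setenforce itself is granted in selinux.te, conditional on secure_mode_policyload`, so the interface's XML summary and body are not misleading about what it grants. The same applies to `selinux_load_policy` and `selinux_set_generic_booleans` below, where the corresponding blocks are removed as well.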
@@ -342,22 +376,13 @@ interface(`selinux_load_policy',`
 	gen_require(`
 		type security_t;
 		attribute can_load_policy;
-		bool secure_mode_policyload;
 	')
 
 	dev_search_sysfs($1)
 	allow $1 security_t:dir list_dir_perms;
 	allow $1 security_t:file rw_file_perms;
+	allow $1 security_t:lnk_file read_lnk_file_perms;
 	typeattribute $1 can_load_policy;
-
-	if(!secure_mode_policyload) {
-		allow $1 security_t:security load_policy;
-
-		ifdef(`distro_rhel4',`
-			# needed for systems without audit support
-			auditallow $1 security_t:security load_policy;
-		')
-	}
 ')
 
 ########################################
@@ -378,6 +403,7 @@ interface(`selinux_read_policy',`
 	dev_search_sysfs($1)
 	allow $1 security_t:dir list_dir_perms;
 	allow $1 security_t:file read_file_perms;
+	allow $1 security_t:lnk_file read_lnk_file_perms;
 	allow $1 security_t:security read_policy;
 ')
 
@@ -438,19 +464,15 @@ interface(`selinux_set_boolean',`
 interface(`selinux_set_generic_booleans',`
 	gen_require(`
 		type security_t;
+		attribute can_setbool;
 	')
 
+	typeattribute $1 can_setbool;
 	dev_search_sysfs($1)
-
+	allow $1 security_t:lnk_file read_lnk_file_perms;
 	allow $1 security_t:dir list_dir_perms;
 	allow $1 security_t:file rw_file_perms;
 
-	allow $1 security_t:security setbool;
-
-	ifdef(`distro_rhel4',`
-		# needed for systems without audit support
-		auditallow $1 security_t:security setbool;
-	')
 ')
 
 ########################################
@@ -479,25 +501,16 @@ interface(`selinux_set_all_booleans',`
 	gen_require(`
 		type security_t, secure_mode_policyload_t;
 		attribute boolean_type;
-		bool secure_mode_policyload;
+		attribute can_setbool;
 	')
 
+	typeattribute $1 can_setbool;
+	dev_getattr_sysfs_fs($1)
 	dev_search_sysfs($1)
-
+	allow $1 security_t:lnk_file read_lnk_file_perms;
 	allow $1 security_t:dir list_dir_perms;
-	allow $1 { boolean_type -secure_mode_policyload_t }:file rw_file_perms;
-	allow $1 secure_mode_policyload_t:file read_file_perms;
-
-	allow $1 security_t:security setbool;
-
-	ifdef(`distro_rhel4',`
-		# needed for systems without audit support
-		auditallow $1 security_t:security setbool;
-	')
-
-	if(!secure_mode_policyload) {
-		allow $1 secure_mode_policyload_t:file write_file_perms;
-	}
+	allow $1 boolean_type:dir list_dir_perms;
+	allow $1 boolean_type:file rw_file_perms;
 ')
 
 ########################################
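Review bot: Replacing `{ boolean_type -secure_mode_policyload_t }:file rw_file_perms` plus the boolean-gated write with an unconditional `allow $1 boolean_type:file rw_file_perms;` means callers of `selinux_set_all_booleans` may now open `secure_mode_policyload_t` for writing even while `secure_mode_policyload` is on, so the only remaining guard against flipping that boolean is the `security:setbool` check in selinux.te. That is a deliberate narrowing of the defence to a single rule and should be stated in a comment, e.g. `# writing secure_mode_policyload_t is allowed here; the boolean-gated security:setbool check in selinux.te is what enforces secure_mode_policyload`. It is also inconsistent with the unchanged context line in selinux.te (`allow selinux_unconfined_type { boolean_type -secure_mode_policyload_t }:file write_file_perms;`), which still excludes the type for unconfined domains; one of the two should change. The `type security_t, secure_mode_policyload_t;` require line now pulls in a type the interface no longer references.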
@@ -528,7 +541,9 @@ interface(`selinux_set_parameters',`
 		attribute can_setsecparam;
 	')
 
+	dev_getattr_sysfs_fs($1)
 	dev_search_sysfs($1)
+	allow $1 security_t:lnk_file read_lnk_file_perms;
 	allow $1 security_t:dir list_dir_perms;
 	allow $1 security_t:file rw_file_perms;
 	allow $1 security_t:security setsecparam;
@@ -552,7 +567,9 @@ interface(`selinux_validate_context',`
 		type security_t;
 	')
 
+	dev_getattr_sysfs_fs($1)
 	dev_search_sysfs($1)
+	allow $1 security_t:lnk_file read_lnk_file_perms;
 	allow $1 security_t:dir list_dir_perms;
 	allow $1 security_t:file rw_file_perms;
 	allow $1 security_t:security check_context;
@@ -595,7 +612,9 @@ interface(`selinux_compute_access_vector',`
 		type security_t;
 	')
 
+	dev_getattr_sysfs_fs($1)
 	dev_search_sysfs($1)
+	allow $1 security_t:lnk_file read_lnk_file_perms;
 	allow $1 security_t:dir list_dir_perms;
 	allow $1 security_t:file rw_file_perms;
 	allow $1 security_t:security compute_av;
@@ -617,7 +636,9 @@ interface(`selinux_compute_create_context',`
 		type security_t;
 	')
 
+	dev_getattr_sysfs_fs($1)
 	dev_search_sysfs($1)
+	allow $1 security_t:lnk_file read_lnk_file_perms;
 	allow $1 security_t:dir list_dir_perms;
 	allow $1 security_t:file rw_file_perms;
 	allow $1 security_t:security compute_create;
@@ -639,7 +660,9 @@ interface(`selinux_compute_member',`
 		type security_t;
 	')
 
+	dev_getattr_sysfs_fs($1)
 	dev_search_sysfs($1)
+	allow $1 security_t:lnk_file read_lnk_file_perms;
 	allow $1 security_t:dir list_dir_perms;
 	allow $1 security_t:file rw_file_perms;
 	allow $1 security_t:security compute_member;
@@ -669,12 +692,37 @@ interface(`selinux_compute_relabel_context',`
 		type security_t;
 	')
 
+	dev_getattr_sysfs_fs($1)
 	dev_search_sysfs($1)
+	allow $1 security_t:lnk_file read_lnk_file_perms;
 	allow $1 security_t:dir list_dir_perms;
 	allow $1 security_t:file rw_file_perms;
 	allow $1 security_t:security compute_relabel;
 ')
 
+########################################
+## <summary>
+##	Allows caller to setcheckreqprot
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`selinux_setcheckreqprot',`
+	gen_require(`
+		type security_t;
+	')
+
+	dev_getattr_sysfs_fs($1)
+	dev_search_sysfs($1)
+	allow $1 security_t:lnk_file read_lnk_file_perms;
+	allow $1 security_t:dir list_dir_perms;
+	allow $1 security_t:file rw_file_perms;
+	allow $1 security_t:security setcheckreqprot;
+')
+
 ########################################
 ## <summary>
 ##	Allows caller to compute possible contexts for a user.
@@ -690,7 +738,9 @@ interface(`selinux_compute_user_contexts',`
 		type security_t;
 	')
 
+	dev_getattr_sysfs_fs($1)
 	dev_search_sysfs($1)
+	allow $1 security_t:lnk_file read_lnk_file_perms;
 	allow $1 security_t:dir list_dir_perms;
 	allow $1 security_t:file rw_file_perms;
 	allow $1 security_t:security compute_user;
@@ -712,4 +762,28 @@ interface(`selinux_unconfined',`
 	')
 
 	typeattribute $1 selinux_unconfined_type;
+	selinux_set_all_booleans($1)
+	selinux_load_policy($1)
+	selinux_set_parameters($1)
+	selinux_set_enforce_mode($1)
+')
+
+########################################
+## <summary>
+##	Generate a file context for a boolean type
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`selinux_genbool',`
+	gen_require(`
+		attribute boolean_type;
+	')
+
+	type $1, boolean_type;
+	fs_type($1)
+	mls_trusted_object($1)
 ')
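Review bot: The documentation of `selinux_genbool` does not match the interface: `$1` is the type being declared (`type $1, boolean_type;`), not a "Domain allowed access", and the summary "Generate a file context for a boolean type" describes nothing the body does, which is a type declaration plus `fs_type` and `mls_trusted_object`. Rename the param to the type (`<param name="type">` with summary `Type to declare as a boolean file type.`) and reword the summary to `Declare a type for a selinuxfs boolean file.` In the `selinux_unconfined` hunk above, the four added calls are what now give unconfined domains `can_setbool`, `can_load_policy`, `can_setsecparam` and `can_setenforce`, which is worth a one-line comment since the neverallows in selinux.te no longer mention `selinux_unconfined_type` directly.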
diff --git a/policy/modules/kernel/selinux.te b/policy/modules/kernel/selinux.te
index e0a973ba1..7d3e431ee 100644
--- a/policy/modules/kernel/selinux.te
+++ b/policy/modules/kernel/selinux.te
@@ -17,6 +17,7 @@ gen_bool(secure_mode_policyload,false)
 attribute boolean_type;
 attribute can_load_policy;
 attribute can_setenforce;
+attribute can_setbool;
 attribute can_setsecparam;
 attribute selinux_unconfined_type;
 
@@ -36,9 +37,9 @@ sid security gen_context(system_u:object_r:security_t,mls_systemhigh)
 genfscon selinuxfs / gen_context(system_u:object_r:security_t,s0)
 genfscon securityfs / gen_context(system_u:object_r:security_t,s0)
 
-neverallow ~{ selinux_unconfined_type can_load_policy } security_t:security load_policy;
-neverallow ~{ selinux_unconfined_type can_setenforce } security_t:security setenforce;
-neverallow ~{ selinux_unconfined_type can_setsecparam } security_t:security setsecparam;
+neverallow ~{ can_load_policy } security_t:security load_policy;
+neverallow ~{ can_setenforce } security_t:security setenforce;
+neverallow ~{ can_setsecparam } security_t:security setsecparam;
 
 ########################################
 #
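Review bot: `can_setbool` is introduced in this diff but, unlike `can_load_policy`, `can_setenforce` and `can_setsecparam`, gets no `neverallow` here, so nothing prevents a module from granting `security_t:security setbool` without the attribute. Add `neverallow ~{ can_setbool } security_t:security setbool;` alongside the other three. Dropping `selinux_unconfined_type` from the existing neverallows is fine only because `selinux_unconfined` now calls the attribute-granting interfaces; a short comment on that would help the next reader.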
@@ -52,7 +53,7 @@ allow selinux_unconfined_type boolean_type:file read_file_perms;
 allow selinux_unconfined_type { boolean_type -secure_mode_policyload_t }:file write_file_perms;
 
 # Access the security API.
-allow selinux_unconfined_type security_t:security ~{ load_policy setenforce };
+allow selinux_unconfined_type security_t:security ~{ load_policy setenforce setbool };
 
 ifdef(`distro_rhel4',`
 	# needed for systems without audit support
@@ -60,11 +61,28 @@ ifdef(`distro_rhel4',`
 ')
 
 if(!secure_mode_policyload) {
-	allow selinux_unconfined_type security_t:security { load_policy setenforce };
-	allow selinux_unconfined_type secure_mode_policyload_t:file write_file_perms;
+	allow can_setenforce security_t:security setenforce;
+	dev_getattr_sysfs_fs(can_setenforce)
+	dev_search_sysfs(can_setenforce)
+	allow can_setenforce security_t:dir list_dir_perms;
+	allow can_setenforce security_t:file rw_file_perms;
 
 	ifdef(`distro_rhel4',`
 		# needed for systems without audit support
-		auditallow selinux_unconfined_type security_t:security { load_policy setenforce };
+		auditallow can_setenforce security_t:security setenforce;
+	')
+
+	allow can_load_policy security_t:security load_policy;
+
+	ifdef(`distro_rhel4',`
+		# needed for systems without audit support
+		auditallow can_load_policy security_t:security load_policy;
+	')
+
+	allow can_setbool boolean_type:security setbool;
+
+	ifdef(`distro_rhel4',`
+		# needed for systems without audit support
+		auditallow can_setbool boolean_type:security setbool;
 	')
 }
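Review bot: `allow can_setbool boolean_type:security setbool;` names `boolean_type` as the target, but the `security` class check for setting a boolean is made against the security SID, which this file maps to `security_t` (`sid security gen_context(system_u:object_r:security_t,...)` in the hunk above). Unless `security_t` is itself given the `boolean_type` attribute somewhere not in this diff, this rule and its `auditallow` twin match no real access and no domain would be able to set booleans; the target should be `allow can_setbool security_t:security setbool;` (and likewise for the auditallow). The added `allow can_setenforce security_t:file rw_file_perms;` also duplicates what `selinux_set_enforce_mode` already grants to the same domains, so it can go or should carry a comment explaining why it is repeated here.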
diff --git a/policy/modules/kernel/storage.fc b/policy/modules/kernel/storage.fc
index 54f182702..6910c8869 100644
--- a/policy/modules/kernel/storage.fc
+++ b/policy/modules/kernel/storage.fc
@@ -7,6 +7,7 @@
 /dev/n?tpqic[12].*	-c	gen_context(system_u:object_r:tape_device_t,s0)
 /dev/[shmxv]d[^/]*	-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
 /dev/aztcd		-b	gen_context(system_u:object_r:removable_device_t,s0)
+/dev/bcache[0-9]+	-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
 /dev/bpcd		-b	gen_context(system_u:object_r:removable_device_t,s0)
 /dev/bsg/.+		-c	gen_context(system_u:object_r:scsi_generic_device_t,s0)
 /dev/cdu.*		-b	gen_context(system_u:object_r:removable_device_t,s0)
@@ -28,7 +29,8 @@
 /dev/loop.*		-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
 /dev/lvm		-c	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
 /dev/mcdx?		-b	gen_context(system_u:object_r:removable_device_t,s0)
-/dev/megadev.*		-c	gen_context(system_u:object_r:removable_device_t,s0)
+/dev/megaraid_sas_ioctl_node -c	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+/dev/megadev.*		-c	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
 /dev/mmcblk.*		-b	gen_context(system_u:object_r:removable_device_t,s0)
 /dev/mspblk.*		-b	gen_context(system_u:object_r:removable_device_t,s0)
 /dev/mtd.*		-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
@@ -51,7 +53,8 @@ ifdef(`distro_redhat', `
 /dev/sjcd		-b	gen_context(system_u:object_r:removable_device_t,s0)
 /dev/sonycd		-b	gen_context(system_u:object_r:removable_device_t,s0)
 /dev/tape.*		-c	gen_context(system_u:object_r:tape_device_t,s0)
-/dev/tw[a-z][^/]+	-c	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+/dev/tgt        -c  gen_context(system_u:object_r:scsi_generic_device_t,s0)
+/dev/tw[a-z][^/]*	-c	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
 /dev/ub[a-z][^/]+	-b	gen_context(system_u:object_r:removable_device_t,mls_systemhigh)
 /dev/ubd[^/]*		-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
 /dev/vd[^/]*		-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
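Review bot: The new `/dev/tgt` entry uses runs of spaces between the fields while every neighbouring line uses tabs; align it as `/dev/tgt\t\t-c\tgen_context(system_u:object_r:scsi_generic_device_t,s0)` so column-based tooling and readers see a consistent table. Note also that `/dev/tw[a-z][^/]+` became `/dev/tw[a-z][^/]*`, which additionally matches the bare two-letter names such as `/dev/twa`; if that is intended it deserves a word in the commit description.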
@@ -81,3 +84,6 @@ ifdef(`distro_redhat', `
 
 /lib/udev/devices/loop.* -b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
 /lib/udev/devices/fuse	-c	gen_context(system_u:object_r:fuse_device_t,s0)
+
+/usr/lib/udev/devices/loop.* -b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+/usr/lib/udev/devices/fuse   -c	gen_context(system_u:object_r:fuse_device_t,s0)
diff --git a/policy/modules/kernel/storage.if b/policy/modules/kernel/storage.if
index 64c4cd01c..52070af0b 100644
--- a/policy/modules/kernel/storage.if
+++ b/policy/modules/kernel/storage.if
@@ -20,6 +20,30 @@ interface(`storage_getattr_fixed_disk_dev',`
 	allow $1 fixed_disk_device_t:blk_file getattr;
 ')
 
+########################################
+## <summary>
+##	Allow the caller to read/write inherited fixed disk
+##	device nodes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`storage_rw_inherited_fixed_disk_dev',`
+	gen_require(`
+        type fixed_disk_device_t;
+        attribute fixed_disk_raw_read;
+        attribute fixed_disk_raw_write;
+	')
+
+    allow $1 fixed_disk_device_t:chr_file  { read write };
+    allow $1 fixed_disk_device_t:blk_file  { read write };
+    typeattribute $1 fixed_disk_raw_read;
+    typeattribute $1 fixed_disk_raw_write;
+')
+
 ########################################
 ## <summary>
 ##	Do not audit attempts made by the caller to get
@@ -101,6 +125,8 @@ interface(`storage_raw_read_fixed_disk',`
 	dev_list_all_dev_nodes($1)
 	allow $1 fixed_disk_device_t:blk_file read_blk_file_perms;
 	allow $1 fixed_disk_device_t:chr_file read_chr_file_perms;
+	#577012
+	allow $1 fixed_disk_device_t:lnk_file read_lnk_file_perms;
 	typeattribute $1 fixed_disk_raw_read;
 ')
 
@@ -186,6 +212,7 @@ interface(`storage_dontaudit_write_fixed_disk',`
 interface(`storage_raw_rw_fixed_disk',`
 	storage_raw_read_fixed_disk($1)
 	storage_raw_write_fixed_disk($1)
+	dev_rw_generic_blk_files($1)
 ')
 
 ########################################
@@ -205,6 +232,7 @@ interface(`storage_create_fixed_disk_dev',`
 
 	allow $1 self:capability mknod;
 	allow $1 fixed_disk_device_t:blk_file create_blk_file_perms;
+	allow $1 fixed_disk_device_t:chr_file create_chr_file_perms;
 	dev_add_entry_generic_dirs($1)
 ')
 
@@ -274,6 +302,48 @@ interface(`storage_dev_filetrans_fixed_disk',`
 	dev_filetrans($1, fixed_disk_device_t, blk_file, $2)
 ')
 
+#######################################
+## <summary>
+##  Create block devices in /dev with the fixed disk type
+##  via an automatic type transition.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`storage_dev_filetrans_named_fixed_disk',`
+    gen_require(`
+        type fixed_disk_device_t;
+    ')
+
+	dev_filetrans($1, fixed_disk_device_t, chr_file, "jsflash")
+	dev_filetrans($1, fixed_disk_device_t, chr_file, "lvm")
+	dev_filetrans($1, fixed_disk_device_t, chr_file, "megaraid_sas_ioctl_node")
+	dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev0")
+	dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev1")
+	dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev2")
+	dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev3")
+	dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev4")
+	dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev5")
+	dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev6")
+	dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev7")
+	dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev8")
+	dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev9")
+	dev_filetrans($1, fixed_disk_device_t, chr_file, "device-mapper")
+	dev_filetrans($1, fixed_disk_device_t, chr_file, "raw0")
+	dev_filetrans($1, fixed_disk_device_t, chr_file, "raw1")
+	dev_filetrans($1, fixed_disk_device_t, chr_file, "raw2")
+	dev_filetrans($1, fixed_disk_device_t, chr_file, "raw3")
+	dev_filetrans($1, fixed_disk_device_t, chr_file, "raw4")
+	dev_filetrans($1, fixed_disk_device_t, chr_file, "raw5")
+	dev_filetrans($1, fixed_disk_device_t, chr_file, "raw6")
+	dev_filetrans($1, fixed_disk_device_t, chr_file, "raw7")
+	dev_filetrans($1, fixed_disk_device_t, chr_file, "raw8")
+	dev_filetrans($1, fixed_disk_device_t, chr_file, "raw9")
+')
+
 ########################################
 ## <summary>
 ##	Create block devices in on a tmpfs filesystem with the
@@ -293,6 +363,25 @@ interface(`storage_tmpfs_filetrans_fixed_disk',`
 	fs_tmpfs_filetrans($1, fixed_disk_device_t, blk_file)
 ')
 
+########################################
+## <summary>
+##	Create block devices in on a tmp filesystem with the
+##	fixed disk type via an automatic type transition.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`storage_tmp_filetrans_fixed_disk',`
+	gen_require(`
+		type fixed_disk_device_t;
+	')
+
+	files_tmp_filetrans($1, fixed_disk_device_t, blk_file)
+')
+
 ########################################
 ## <summary>
 ##	Relabel fixed disk device nodes.
@@ -478,6 +567,35 @@ interface(`storage_write_scsi_generic',`
 	typeattribute $1 scsi_generic_write;
 ')
 
+
+########################################
+## <summary>
+##	Allow the caller to directly read and write, in a
+##	generic fashion, from any SCSI device.
+##	This is extremly dangerous as it can bypass the
+##	SELinux protections for filesystem objects, and
+##	should only be used by trusted domains.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`storage_rw_inherited_scsi_generic',`
+	gen_require(`
+        attribute scsi_generic_read;
+		attribute scsi_generic_write;
+		type scsi_generic_device_t;
+	')
+
+	dev_list_all_dev_nodes($1)
+	allow $1 scsi_generic_device_t:chr_file rw_inherited_chr_file_perms;
+	allow $1 scsi_generic_device_t:chr_file rw_inherited_blk_file_perms;
+	typeattribute $1 scsi_generic_write;
+    typeattribute $1 scsi_generic_read;
+')
+
 ########################################
 ## <summary>
 ##	Set attributes of the device nodes
@@ -716,6 +834,24 @@ interface(`storage_dontaudit_raw_write_removable_device',`
 	dontaudit $1 removable_device_t:blk_file write_blk_file_perms;
 ')
 
+#######################################
+## <summary>
+##  Alow read and write inherited removable devices.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain to not audit.
+##  </summary>
+## </param>
+#
+interface(`storage_rw_inherited_removable_device',`
+    gen_require(`
+        type removable_device_t;
+    ')
+
+    dontaudit $1 removable_device_t:blk_file { read write };
+')
+
 ########################################
 ## <summary>
 ##	Allow the caller to directly read
@@ -813,3 +949,452 @@ interface(`storage_unconfined',`
 
 	typeattribute $1 storage_unconfined_type;
 ')
+
+########################################
+## <summary>
+##	Create all named devices with the correct label
+## </summary>
+## <param name="domain">
+##	<summary>
+##      Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`storage_filetrans_all_named_dev',`
+
+	gen_require(`
+		type tape_device_t;
+		type fixed_disk_device_t;
+		type removable_device_t;
+		type scsi_generic_device_t;
+		type fuse_device_t;
+	')
+
+	dev_filetrans($1, tape_device_t, chr_file, "ht00")
+	dev_filetrans($1, tape_device_t, chr_file, "ht01")
+	dev_filetrans($1, tape_device_t, chr_file, "ht02")
+	dev_filetrans($1, tape_device_t, chr_file, "ht03")
+	dev_filetrans($1, tape_device_t, chr_file, "ht04")
+	dev_filetrans($1, tape_device_t, chr_file, "ht05")
+	dev_filetrans($1, tape_device_t, chr_file, "ht06")
+	dev_filetrans($1, tape_device_t, chr_file, "ht07")
+	dev_filetrans($1, tape_device_t, chr_file, "ht08")
+	dev_filetrans($1, tape_device_t, chr_file, "ht09")
+	dev_filetrans($1, tape_device_t, chr_file, "st00")
+	dev_filetrans($1, tape_device_t, chr_file, "st01")
+	dev_filetrans($1, tape_device_t, chr_file, "st02")
+	dev_filetrans($1, tape_device_t, chr_file, "st03")
+	dev_filetrans($1, tape_device_t, chr_file, "st04")
+	dev_filetrans($1, tape_device_t, chr_file, "st05")
+	dev_filetrans($1, tape_device_t, chr_file, "st06")
+	dev_filetrans($1, tape_device_t, chr_file, "st07")
+	dev_filetrans($1, tape_device_t, chr_file, "st08")
+	dev_filetrans($1, tape_device_t, chr_file, "st09")
+	dev_filetrans($1, tape_device_t, chr_file, "qft0")
+	dev_filetrans($1, tape_device_t, chr_file, "qft1")
+	dev_filetrans($1, tape_device_t, chr_file, "qft2")
+	dev_filetrans($1, tape_device_t, chr_file, "qft3")
+	dev_filetrans($1, tape_device_t, chr_file, "osst00")
+	dev_filetrans($1, tape_device_t, chr_file, "osst01")
+	dev_filetrans($1, tape_device_t, chr_file, "osst02")
+	dev_filetrans($1, tape_device_t, chr_file, "osst03")
+	dev_filetrans($1, tape_device_t, chr_file, "osst04")
+	dev_filetrans($1, tape_device_t, chr_file, "osst05")
+	dev_filetrans($1, tape_device_t, chr_file, "osst06")
+	dev_filetrans($1, tape_device_t, chr_file, "osst07")
+	dev_filetrans($1, tape_device_t, chr_file, "osst08")
+	dev_filetrans($1, tape_device_t, chr_file, "osst09")
+	dev_filetrans($1, tape_device_t, chr_file, "pt0")
+	dev_filetrans($1, tape_device_t, chr_file, "pt1")
+	dev_filetrans($1, tape_device_t, chr_file, "pt2")
+	dev_filetrans($1, tape_device_t, chr_file, "pt3")
+	dev_filetrans($1, tape_device_t, chr_file, "pt4")
+	dev_filetrans($1, tape_device_t, chr_file, "pt5")
+	dev_filetrans($1, tape_device_t, chr_file, "pt6")
+	dev_filetrans($1, tape_device_t, chr_file, "pt7")
+	dev_filetrans($1, tape_device_t, chr_file, "pt8")
+	dev_filetrans($1, tape_device_t, chr_file, "pt9")
+	dev_filetrans($1, tape_device_t, chr_file, "tpqic0")
+	dev_filetrans($1, tape_device_t, chr_file, "tpqic1")
+	dev_filetrans($1, tape_device_t, chr_file, "tpqic2")
+	dev_filetrans($1, tape_device_t, chr_file, "tpqic3")
+	dev_filetrans($1, tape_device_t, chr_file, "tpqic4")
+	dev_filetrans($1, tape_device_t, chr_file, "tpqic5")
+	dev_filetrans($1, tape_device_t, chr_file, "tpqic6")
+	dev_filetrans($1, tape_device_t, chr_file, "tpqic7")
+	dev_filetrans($1, tape_device_t, chr_file, "tpqic8")
+	dev_filetrans($1, tape_device_t, chr_file, "tpqic9")
+	dev_filetrans($1, removable_device_t, blk_file, "aztcd")
+	dev_filetrans($1, removable_device_t, blk_file, "bpcd")
+	dev_filetrans($1, removable_device_t, blk_file, "cdu0")
+	dev_filetrans($1, removable_device_t, blk_file, "cdu1")
+	dev_filetrans($1, removable_device_t, blk_file, "cdu2")
+	dev_filetrans($1, removable_device_t, blk_file, "cdu3")
+	dev_filetrans($1, removable_device_t, blk_file, "cdu4")
+	dev_filetrans($1, removable_device_t, blk_file, "cdu5")
+	dev_filetrans($1, removable_device_t, blk_file, "cdu6")
+	dev_filetrans($1, removable_device_t, blk_file, "cdu7")
+	dev_filetrans($1, removable_device_t, blk_file, "cdu8")
+	dev_filetrans($1, removable_device_t, blk_file, "cdu9")
+	dev_filetrans($1, removable_device_t, blk_file, "cm200")
+	dev_filetrans($1, removable_device_t, blk_file, "cm201")
+	dev_filetrans($1, removable_device_t, blk_file, "cm202")
+	dev_filetrans($1, removable_device_t, blk_file, "cm203")
+	dev_filetrans($1, removable_device_t, blk_file, "cm204")
+	dev_filetrans($1, removable_device_t, blk_file, "cm205")
+	dev_filetrans($1, removable_device_t, blk_file, "cm206")
+	dev_filetrans($1, removable_device_t, blk_file, "cm207")
+	dev_filetrans($1, removable_device_t, blk_file, "cm208")
+	dev_filetrans($1, removable_device_t, blk_file, "cm209")
+	dev_filetrans($1, fixed_disk_device_t, blk_file, "bcache0")
+	dev_filetrans($1, fixed_disk_device_t, blk_file, "bcache1")
+	dev_filetrans($1, fixed_disk_device_t, blk_file, "bcache2")
+	dev_filetrans($1, fixed_disk_device_t, blk_file, "bcache3")
+	dev_filetrans($1, fixed_disk_device_t, blk_file, "bcache4")
+	dev_filetrans($1, fixed_disk_device_t, blk_file, "bcache5")
+	dev_filetrans($1, fixed_disk_device_t, blk_file, "bcache6")
+	dev_filetrans($1, fixed_disk_device_t, blk_file, "bcache7")
+	dev_filetrans($1, fixed_disk_device_t, blk_file, "bcache8")
+	dev_filetrans($1, fixed_disk_device_t, blk_file, "bcache9")
+	dev_filetrans($1, fixed_disk_device_t, blk_file, "md0")
+	dev_filetrans($1, fixed_disk_device_t, blk_file, "md1")
+	dev_filetrans($1, fixed_disk_device_t, blk_file, "md2")
+	dev_filetrans($1, fixed_disk_device_t, blk_file, "md3")
+	dev_filetrans($1, fixed_disk_device_t, blk_file, "md4")
+	dev_filetrans($1, fixed_disk_device_t, blk_file, "md5")
+	dev_filetrans($1, fixed_disk_device_t, blk_file, "md6")
+	dev_filetrans($1, fixed_disk_device_t, blk_file, "md7")
+	dev_filetrans($1, fixed_disk_device_t, blk_file, "md8")
+	dev_filetrans($1, fixed_disk_device_t, blk_file, "md9")
+	dev_filetrans($1, fixed_disk_device_t, blk_file, "md126p1")
+	dev_filetrans($1, fixed_disk_device_t, blk_file, "sda")
+	dev_filetrans($1, fixed_disk_device_t, blk_file, "sda0")
+	dev_filetrans($1, fixed_disk_device_t, blk_file, "sda1")
+	dev_filetrans($1, fixed_disk_device_t, blk_file, "sda2")
+	dev_filetrans($1, fixed_disk_device_t, blk_file, "sda3")
+	dev_filetrans($1, fixed_disk_device_t, blk_file, "sda4")
+	dev_filetrans($1, fixed_disk_device_t, blk_file, "sda5")
+	dev_filetrans($1, fixed_disk_device_t, blk_file, "sda6")
+	dev_filetrans($1, fixed_disk_device_t, blk_file, "sda7")
+	dev_filetrans($1, fixed_disk_device_t, blk_file, "sda8")
+	dev_filetrans($1, fixed_disk_device_t, blk_file, "sda9")
+	dev_filetrans($1, fixed_disk_device_t, blk_file, "sdb")
+	dev_filetrans($1, fixed_disk_device_t, blk_file, "sdb0")
+	dev_filetrans($1, fixed_disk_device_t, blk_file, "sdb1")
+	dev_filetrans($1, fixed_disk_device_t, blk_file, "sdb2")
+	dev_filetrans($1, fixed_disk_device_t, blk_file, "sdb3")
+	dev_filetrans($1, fixed_disk_device_t, blk_file, "sdb4")
+	dev_filetrans($1, fixed_disk_device_t, blk_file, "sdb5")
+	dev_filetrans($1, fixed_disk_device_t, blk_file, "sdb6")
+	dev_filetrans($1, fixed_disk_device_t, blk_file, "sdb7")
+	dev_filetrans($1, fixed_disk_device_t, blk_file, "sdb8")
+	dev_filetrans($1, fixed_disk_device_t, blk_file, "sdb9")
+	dev_filetrans($1, fixed_disk_device_t, blk_file, "sdc")
+	dev_filetrans($1, fixed_disk_device_t, blk_file, "sdc0")
+	dev_filetrans($1, fixed_disk_device_t, blk_file, "sdc1")
+	dev_filetrans($1, fixed_disk_device_t, blk_file, "sdc2")
+	dev_filetrans($1, fixed_disk_device_t, blk_file, "sdc3")
+	dev_filetrans($1, fixed_disk_device_t, blk_file, "sdc4")
+	dev_filetrans($1, fixed_disk_device_t, blk_file, "sdc5")
+	dev_filetrans($1, fixed_disk_device_t, blk_file, "sdc6")
+	dev_filetrans($1, fixed_disk_device_t, blk_file, "sdc7")
+	dev_filetrans($1, fixed_disk_device_t, blk_file, "sdc8")
+	dev_filetrans($1, fixed_disk_device_t, blk_file, "sdc9")
+	dev_filetrans($1, fixed_disk_device_t, blk_file, "sdd")
+	dev_filetrans($1, fixed_disk_device_t, blk_file, "sdd0")
+	dev_filetrans($1, fixed_disk_device_t, blk_file, "sdd1")
+	dev_filetrans($1, fixed_disk_device_t, blk_file, "sdd2")
+	dev_filetrans($1, fixed_disk_device_t, blk_file, "sdd3")
+	dev_filetrans($1, fixed_disk_device_t, blk_file, "sdd4")
+	dev_filetrans($1, fixed_disk_device_t, blk_file, "sdd5")
+	dev_filetrans($1, fixed_disk_device_t, blk_file, "sdd6")
+	dev_filetrans($1, fixed_disk_device_t, blk_file, "sdd7")
+	dev_filetrans($1, fixed_disk_device_t, blk_file, "sdd8")
+	dev_filetrans($1, fixed_disk_device_t, blk_file, "sdd9")
+	dev_filetrans($1, fixed_disk_device_t, blk_file, "sde")
+	dev_filetrans($1, fixed_disk_device_t, blk_file, "sde0")
+	dev_filetrans($1, fixed_disk_device_t, blk_file, "sde1")
+	dev_filetrans($1, fixed_disk_device_t, blk_file, "sde2")
+	dev_filetrans($1, fixed_disk_device_t, blk_file, "sde3")
+	dev_filetrans($1, fixed_disk_device_t, blk_file, "sde4")
+	dev_filetrans($1, fixed_disk_device_t, blk_file, "sde5")
+	dev_filetrans($1, fixed_disk_device_t, blk_file, "sde6")
+	dev_filetrans($1, fixed_disk_device_t, blk_file, "sde7")
+	dev_filetrans($1, fixed_disk_device_t, blk_file, "sde8")
+	dev_filetrans($1, fixed_disk_device_t, blk_file, "sde9")
+	dev_filetrans($1, fixed_disk_device_t, blk_file, "sdf")
+	dev_filetrans($1, fixed_disk_device_t, blk_file, "sdf0")
+	dev_filetrans($1, fixed_disk_device_t, blk_file, "sdf1")
+	dev_filetrans($1, fixed_disk_device_t, blk_file, "sdf2")
+	dev_filetrans($1, fixed_disk_device_t, blk_file, "sdf3")
+	dev_filetrans($1, fixed_disk_device_t, blk_file, "sdf4")
+	dev_filetrans($1, fixed_disk_device_t, blk_file, "sdf5")
+	dev_filetrans($1, fixed_disk_device_t, blk_file, "sdf6")
+	dev_filetrans($1, fixed_disk_device_t, blk_file, "sdf7")
+	dev_filetrans($1, fixed_disk_device_t, blk_file, "sdf8")
+	dev_filetrans($1, fixed_disk_device_t, blk_file, "sdf9")
+	dev_filetrans($1, fixed_disk_device_t, blk_file, "sdg")
+	dev_filetrans($1, fixed_disk_device_t, blk_file, "sdg0")
+	dev_filetrans($1, fixed_disk_device_t, blk_file, "sdg1")
+	dev_filetrans($1, fixed_disk_device_t, blk_file, "sdg2")
+	dev_filetrans($1, fixed_disk_device_t, blk_file, "sdg3")
+	dev_filetrans($1, fixed_disk_device_t, blk_file, "sdg4")
+	dev_filetrans($1, fixed_disk_device_t, blk_file, "sdg5")
+	dev_filetrans($1, fixed_disk_device_t, blk_file, "sdg6")
+	dev_filetrans($1, fixed_disk_device_t, blk_file, "sdg7")
+	dev_filetrans($1, fixed_disk_device_t, blk_file, "sdg8")
+	dev_filetrans($1, fixed_disk_device_t, blk_file, "sdg9")
+	dev_filetrans($1, fixed_disk_device_t, blk_file, "dm-0")
+	dev_filetrans($1, fixed_disk_device_t, blk_file, "dm-1")
+	dev_filetrans($1, fixed_disk_device_t, blk_file, "dm-2")
+	dev_filetrans($1, fixed_disk_device_t, blk_file, "dm-3")
+	dev_filetrans($1, fixed_disk_device_t, blk_file, "dm-4")
+	dev_filetrans($1, fixed_disk_device_t, blk_file, "dm-5")
+	dev_filetrans($1, fixed_disk_device_t, blk_file, "dm-6")
+	dev_filetrans($1, fixed_disk_device_t, blk_file, "dm-7")
+	dev_filetrans($1, fixed_disk_device_t, blk_file, "dm-8")
+	dev_filetrans($1, fixed_disk_device_t, blk_file, "dm-9")
+	dev_filetrans($1, removable_device_t, blk_file, "gscd")
+	dev_filetrans($1, removable_device_t, blk_file, "hitcd")
+	dev_filetrans($1, tape_device_t, blk_file, "ht0")
+	dev_filetrans($1, tape_device_t, blk_file, "ht1")
+	dev_filetrans($1, removable_device_t, blk_file, "hwcdrom")
+	dev_filetrans($1, fixed_disk_device_t, blk_file, "initrd")
+	dev_filetrans($1, fixed_disk_device_t, blk_file, "jsfd")
+	dev_filetrans($1, fixed_disk_device_t, chr_file, "jsflash")
+	dev_filetrans($1, fixed_disk_device_t, blk_file, "loop0")
+	dev_filetrans($1, fixed_disk_device_t, blk_file, "loop1")
+	dev_filetrans($1, fixed_disk_device_t, blk_file, "loop2")
+	dev_filetrans($1, fixed_disk_device_t, blk_file, "loop3")
+	dev_filetrans($1, fixed_disk_device_t, blk_file, "loop4")
+	dev_filetrans($1, fixed_disk_device_t, blk_file, "loop5")
+	dev_filetrans($1, fixed_disk_device_t, blk_file, "loop6")
+	dev_filetrans($1, fixed_disk_device_t, blk_file, "loop7")
+	dev_filetrans($1, fixed_disk_device_t, blk_file, "loop8")
+	dev_filetrans($1, fixed_disk_device_t, blk_file, "loop9")
+	dev_filetrans($1, fixed_disk_device_t, chr_file, "lvm")
+	dev_filetrans($1, removable_device_t, blk_file, "mcd")
+	dev_filetrans($1, removable_device_t, blk_file, "mcdx")
+	dev_filetrans($1, fixed_disk_device_t, chr_file, "megaraid_sas_ioctl_node")
+	dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev0")
+	dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev1")
+	dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev2")
+	dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev3")
+	dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev4")
+	dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev5")
+	dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev6")
+	dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev7")
+	dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev8")
+	dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev9")
+	dev_filetrans($1, removable_device_t, blk_file, "mmcblk0")
+	dev_filetrans($1, removable_device_t, blk_file, "mmcblk1")
+	dev_filetrans($1, removable_device_t, blk_file, "mmcblk2")
+	dev_filetrans($1, removable_device_t, blk_file, "mmcblk3")
+	dev_filetrans($1, removable_device_t, blk_file, "mmcblk4")
+	dev_filetrans($1, removable_device_t, blk_file, "mmcblk5")
+	dev_filetrans($1, removable_device_t, blk_file, "mmcblk6")
+	dev_filetrans($1, removable_device_t, blk_file, "mmcblk7")
+	dev_filetrans($1, removable_device_t, blk_file, "mmcblk8")
+	dev_filetrans($1, removable_device_t, blk_file, "mmcblk9")
+	dev_filetrans($1, removable_device_t, blk_file, "mspblk0")
+	dev_filetrans($1, removable_device_t, blk_file, "mspblk1")
+	dev_filetrans($1, removable_device_t, blk_file, "mspblk2")
+	dev_filetrans($1, removable_device_t, blk_file, "mspblk3")
+	dev_filetrans($1, removable_device_t, blk_file, "mspblk4")
+	dev_filetrans($1, removable_device_t, blk_file, "mspblk5")
+	dev_filetrans($1, removable_device_t, blk_file, "mspblk6")
+	dev_filetrans($1, removable_device_t, blk_file, "mspblk7")
+	dev_filetrans($1, removable_device_t, blk_file, "mspblk8")
+	dev_filetrans($1, removable_device_t, blk_file, "mspblk9")
+	dev_filetrans($1, fixed_disk_device_t, blk_file, "mtd0")
+	dev_filetrans($1, fixed_disk_device_t, blk_file, "mtd1")
+	dev_filetrans($1, fixed_disk_device_t, blk_file, "mtd2")
+	dev_filetrans($1, fixed_disk_device_t, blk_file, "mtd3")
+	dev_filetrans($1, fixed_disk_device_t, blk_file, "mtd4")
+	dev_filetrans($1, fixed_disk_device_t, blk_file, "mtd5")
+	dev_filetrans($1, fixed_disk_device_t, blk_file, "mtd6")
+	dev_filetrans($1, fixed_disk_device_t, blk_file, "mtd7")
+	dev_filetrans($1, fixed_disk_device_t, blk_file, "mtd8")
+	dev_filetrans($1, fixed_disk_device_t, blk_file, "mtd9")
+	dev_filetrans($1, removable_device_t, blk_file, "optcd")
+	dev_filetrans($1, removable_device_t, blk_file, "pf0")
+	dev_filetrans($1, removable_device_t, blk_file, "pf1")
+	dev_filetrans($1, removable_device_t, blk_file, "pf2")
+	dev_filetrans($1, removable_device_t, blk_file, "pf3")
+	dev_filetrans($1, removable_device_t, blk_file, "pg0")
+	dev_filetrans($1, removable_device_t, blk_file, "pg1")
+	dev_filetrans($1, removable_device_t, blk_file, "pg2")
+	dev_filetrans($1, removable_device_t, blk_file, "pg3")
+	dev_filetrans($1, removable_device_t, blk_file, "pcd0")
+	dev_filetrans($1, removable_device_t, blk_file, "pcd1")
+	dev_filetrans($1, removable_device_t, blk_file, "pcd2")
+	dev_filetrans($1, removable_device_t, blk_file, "pcd3")
+	dev_filetrans($1, removable_device_t, chr_file, "pg0")
+	dev_filetrans($1, removable_device_t, chr_file, "pg1")
+	dev_filetrans($1, removable_device_t, chr_file, "pg2")
+	dev_filetrans($1, removable_device_t, chr_file, "pg3")
+	dev_filetrans($1, fixed_disk_device_t, blk_file, "ps3d0")
+	dev_filetrans($1, fixed_disk_device_t, blk_file, "ps3d1")
+	dev_filetrans($1, fixed_disk_device_t, blk_file, "ps3d2")
+	dev_filetrans($1, fixed_disk_device_t, blk_file, "ps3d3")
+	dev_filetrans($1, fixed_disk_device_t, blk_file, "ps3d4")
+	dev_filetrans($1, fixed_disk_device_t, blk_file, "ps3d5")
+	dev_filetrans($1, fixed_disk_device_t, blk_file, "ps3d6")
+	dev_filetrans($1, fixed_disk_device_t, blk_file, "ps3d7")
+	dev_filetrans($1, fixed_disk_device_t, blk_file, "ps3d8")
+	dev_filetrans($1, fixed_disk_device_t, blk_file, "ps3d9")
+	dev_filetrans($1, fixed_disk_device_t, blk_file, "ram0")
+	dev_filetrans($1, fixed_disk_device_t, blk_file, "ram1")
+	dev_filetrans($1, fixed_disk_device_t, blk_file, "ram2")
+	dev_filetrans($1, fixed_disk_device_t, blk_file, "ram3")
+	dev_filetrans($1, fixed_disk_device_t, blk_file, "ram4")
+	dev_filetrans($1, fixed_disk_device_t, blk_file, "ram5")
+	dev_filetrans($1, fixed_disk_device_t, blk_file, "ram6")
+	dev_filetrans($1, fixed_disk_device_t, blk_file, "ram7")
+	dev_filetrans($1, fixed_disk_device_t, blk_file, "ram8")
+	dev_filetrans($1, fixed_disk_device_t, blk_file, "ram9")
+	dev_filetrans($1, fixed_disk_device_t, blk_file, "ram10")
+	dev_filetrans($1, fixed_disk_device_t, blk_file, "ram11")
+	dev_filetrans($1, fixed_disk_device_t, blk_file, "ram12")
+	dev_filetrans($1, fixed_disk_device_t, blk_file, "ram13")
+	dev_filetrans($1, fixed_disk_device_t, blk_file, "ram14")
+	dev_filetrans($1, fixed_disk_device_t, blk_file, "ram15")
+	dev_filetrans($1, fixed_disk_device_t, blk_file, "rd0")
+	dev_filetrans($1, fixed_disk_device_t, blk_file, "rd1")
+	dev_filetrans($1, fixed_disk_device_t, blk_file, "rd2")
+	dev_filetrans($1, fixed_disk_device_t, blk_file, "rd3")
+	dev_filetrans($1, fixed_disk_device_t, blk_file, "rd4")
+	dev_filetrans($1, fixed_disk_device_t, blk_file, "rd5")
+	dev_filetrans($1, fixed_disk_device_t, blk_file, "rd6")
+	dev_filetrans($1, fixed_disk_device_t, blk_file, "rd7")
+	dev_filetrans($1, fixed_disk_device_t, blk_file, "rd8")
+	dev_filetrans($1, fixed_disk_device_t, blk_file, "rd9")
+	dev_filetrans($1, fixed_disk_device_t, blk_file, "root")
+	dev_filetrans($1, removable_device_t, blk_file, "sbpcd0")
+	dev_filetrans($1, removable_device_t, blk_file, "sbpcd1")
+	dev_filetrans($1, removable_device_t, blk_file, "sbpcd2")
+	dev_filetrans($1, removable_device_t, blk_file, "sbpcd3")
+	dev_filetrans($1, removable_device_t, blk_file, "sbpcd4")
+	dev_filetrans($1, removable_device_t, blk_file, "sbpcd5")
+	dev_filetrans($1, removable_device_t, blk_file, "sbpcd6")
+	dev_filetrans($1, removable_device_t, blk_file, "sbpcd7")
+	dev_filetrans($1, removable_device_t, blk_file, "sbpcd8")
+	dev_filetrans($1, removable_device_t, blk_file, "sbpcd9")
+	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg0")
+	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg1")
+	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg2")
+	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg3")
+	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg4")
+	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg5")
+	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg6")
+	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg7")
+	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg8")
+	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg9")
+	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg10")
+	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg11")
+	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg12")
+	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg13")
+	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg14")
+	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg15")
+	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg16")
+	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg17")
+	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg18")
+	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg19")
+	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg20")
+	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg21")
+	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg22")
+	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg23")
+	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg24")
+	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg25")
+	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg26")
+	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg27")
+	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg28")
+	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg29")
+	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg30")
+	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg31")
+	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg32")
+	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg33")
+	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg34")
+	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg35")
+	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg36")
+	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg37")
+	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg38")
+	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg39")
+	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg40")
+	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg41")
+	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg42")
+	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg43")
+	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg44")
+	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg45")
+	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg46")
+	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg47")
+	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg48")
+	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg49")
+	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg50")
+	dev_filetrans($1, removable_device_t, blk_file, "sr0")
+	dev_filetrans($1, removable_device_t, blk_file, "sr1")
+	dev_filetrans($1, removable_device_t, blk_file, "sr2")
+	dev_filetrans($1, removable_device_t, blk_file, "sr3")
+	dev_filetrans($1, removable_device_t, blk_file, "sr4")
+	dev_filetrans($1, removable_device_t, blk_file, "sr5")
+	dev_filetrans($1, removable_device_t, blk_file, "sr6")
+	dev_filetrans($1, removable_device_t, blk_file, "sr7")
+	dev_filetrans($1, removable_device_t, blk_file, "sr8")
+	dev_filetrans($1, removable_device_t, blk_file, "sr9")
+	dev_filetrans($1, removable_device_t, blk_file, "sjcd")
+	dev_filetrans($1, removable_device_t, blk_file, "sonycd")
+	dev_filetrans($1, tape_device_t, chr_file, "tape0")
+	dev_filetrans($1, tape_device_t, chr_file, "tape1")
+	dev_filetrans($1, tape_device_t, chr_file, "tape2")
+	dev_filetrans($1, tape_device_t, chr_file, "tape3")
+	dev_filetrans($1, tape_device_t, chr_file, "tape4")
+	dev_filetrans($1, tape_device_t, chr_file, "tape5")
+	dev_filetrans($1, tape_device_t, chr_file, "tape6")
+	dev_filetrans($1, tape_device_t, chr_file, "tape7")
+	dev_filetrans($1, tape_device_t, chr_file, "tape8")
+	dev_filetrans($1, tape_device_t, chr_file, "tape9")
+	dev_filetrans($1, fuse_device_t, chr_file, "fuse")
+	dev_filetrans($1, fixed_disk_device_t, chr_file, "device-mapper")
+	dev_filetrans($1, fixed_disk_device_t, chr_file, "raw0")
+	dev_filetrans($1, fixed_disk_device_t, chr_file, "raw1")
+	dev_filetrans($1, fixed_disk_device_t, chr_file, "raw2")
+	dev_filetrans($1, fixed_disk_device_t, chr_file, "raw3")
+	dev_filetrans($1, fixed_disk_device_t, chr_file, "raw4")
+	dev_filetrans($1, fixed_disk_device_t, chr_file, "raw5")
+	dev_filetrans($1, fixed_disk_device_t, chr_file, "raw6")
+	dev_filetrans($1, fixed_disk_device_t, chr_file, "raw7")
+	dev_filetrans($1, fixed_disk_device_t, chr_file, "raw8")
+	dev_filetrans($1, fixed_disk_device_t, chr_file, "raw9")
+	dev_filetrans($1, removable_device_t, chr_file, "rio500")
+	dev_filetrans($1, fixed_disk_device_t, chr_file, "tw0")
+	dev_filetrans($1, fixed_disk_device_t, chr_file, "tw1")
+	dev_filetrans($1, fixed_disk_device_t, chr_file, "tw2")
+	dev_filetrans($1, fixed_disk_device_t, chr_file, "tw3")
+	dev_filetrans($1, fixed_disk_device_t, chr_file, "tw4")
+	dev_filetrans($1, fixed_disk_device_t, chr_file, "tw5")
+	dev_filetrans($1, fixed_disk_device_t, chr_file, "tw6")
+	dev_filetrans($1, fixed_disk_device_t, chr_file, "tw7")
+	dev_filetrans($1, fixed_disk_device_t, chr_file, "tw8")
+	dev_filetrans($1, fixed_disk_device_t, chr_file, "tw9")
+	dev_filetrans($1, fixed_disk_device_t, chr_file, "twa0")
+	dev_filetrans($1, fixed_disk_device_t, chr_file, "twa1")
+	dev_filetrans($1, fixed_disk_device_t, chr_file, "twa2")
+	dev_filetrans($1, fixed_disk_device_t, chr_file, "twa3")
+	dev_filetrans($1, fixed_disk_device_t, chr_file, "twa4")
+	dev_filetrans($1, fixed_disk_device_t, chr_file, "twa5")
+	dev_filetrans($1, fixed_disk_device_t, chr_file, "twa6")
+	dev_filetrans($1, fixed_disk_device_t, chr_file, "twa7")
+	dev_filetrans($1, fixed_disk_device_t, chr_file, "twa8")
+	dev_filetrans($1, fixed_disk_device_t, chr_file, "twa9")
+	dev_filetrans($1, fixed_disk_device_t, chr_file, "twa10")
+	dev_filetrans($1, fixed_disk_device_t, chr_file, "twa11")
+	dev_filetrans($1, fixed_disk_device_t, chr_file, "twa12")
+	dev_filetrans($1, fixed_disk_device_t, chr_file, "twa13")
+	dev_filetrans($1, fixed_disk_device_t, chr_file, "twa14")
+	dev_filetrans($1, fixed_disk_device_t, chr_file, "twa15")
+	dev_filetrans($1, fixed_disk_device_t, chr_file, "twa16")
+	dev_filetrans($1, fixed_disk_device_t, chr_file, "twa17")
+	dev_filetrans($1, fixed_disk_device_t, chr_file, "twa18")
+	dev_filetrans($1, fixed_disk_device_t, chr_file, "twa19")
+
+')
diff --git a/policy/modules/kernel/storage.te b/policy/modules/kernel/storage.te
index 156c33310..02f5a3c91 100644
--- a/policy/modules/kernel/storage.te
+++ b/policy/modules/kernel/storage.te
@@ -57,3 +57,9 @@ dev_node(tape_device_t)
 
 allow storage_unconfined_type { fixed_disk_device_t removable_device_t }:blk_file *;
 allow storage_unconfined_type { scsi_generic_device_t tape_device_t }:chr_file *;
+
+# Since block devices are some times used before being labeled correctly
+ifdef(`hide_broken_symptoms',`
+	dev_read_generic_blk_files(fixed_disk_raw_read)
+	dev_manage_generic_blk_files(fixed_disk_raw_write)
+')
diff --git a/policy/modules/kernel/terminal.fc b/policy/modules/kernel/terminal.fc
index 0ea25b653..37069ae93 100644
--- a/policy/modules/kernel/terminal.fc
+++ b/policy/modules/kernel/terminal.fc
@@ -14,12 +14,13 @@
 /dev/ip2[^/]*		-c	gen_context(system_u:object_r:tty_device_t,s0)
 /dev/isdn.*		-c	gen_context(system_u:object_r:tty_device_t,s0)
 /dev/ptmx		-c	gen_context(system_u:object_r:ptmx_t,s0)
-/dev/pts/ptmx		-c	gen_context(system_u:object_r:ptmx_t,s0)
 /dev/rfcomm[0-9]+	-c	gen_context(system_u:object_r:tty_device_t,s0)
 /dev/slamr[0-9]+	-c	gen_context(system_u:object_r:tty_device_t,s0)
+/dev/sclp_line[0-9]+    -c  gen_context(system_u:object_r:tty_device_t,s0)
 /dev/tty		-c	gen_context(system_u:object_r:devtty_t,s0)
 /dev/ttySG.*		-c	gen_context(system_u:object_r:tty_device_t,s0)
-/dev/vport[0-9]p[0-9]+	-c	gen_context(system_u:object_r:virtio_device_t,s0)
+/dev/ttyUSB[0-9]+	-c	gen_context(system_u:object_r:usbtty_device_t,s0)
+/dev/vport.*		-c	gen_context(system_u:object_r:virtio_device_t,s0)
 /dev/xvc[^/]*		-c	gen_context(system_u:object_r:tty_device_t,s0)
 
 /dev/pty/.*		-c	gen_context(system_u:object_r:bsdpty_device_t,s0)
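Review bot: `/dev/vport.*` now matches any name beginning with `vport`, not just the `vport<N>p<M>` nodes the old `/dev/vport[0-9]p[0-9]+` pattern covered; if the goal is only to allow multi-digit port numbers, `/dev/vport[0-9]+p[0-9]+` keeps the old precision. The `/dev/ttyUSB[0-9]+` line depends on `usbtty_device_t` being declared in terminal.te, which this diff does not show — confirm it exists. Style: `/dev/sclp_line[0-9]+    -c  gen_context(...)` is space-padded while every neighbouring entry is tab-aligned.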
@@ -42,3 +43,7 @@ ifdef(`distro_gentoo',`
 # used by init scripts to initally populate udev /dev
 /lib/udev/devices/console -c	gen_context(system_u:object_r:console_device_t,s0)
 ')
+
+/lib/udev/devices/pts	-d	gen_context(system_u:object_r:devpts_t,s0-mls_systemhigh)
+
+/usr/lib/udev/devices/pts -d	gen_context(system_u:object_r:devpts_t,s0-mls_systemhigh)
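Review bot: The two new entries differ only by the `/usr` prefix; the usual usrmerge form is a single pattern, `/(usr/)?lib/udev/devices/pts -d gen_context(system_u:object_r:devpts_t,s0-mls_systemhigh)`, which also keeps them from drifting apart. They label an on-disk directory with `devpts_t`, a type otherwise applied to the devpts filesystem itself, so a one-line comment on why a stub directory carries the filesystem's type would help (presumably so udev's pre-population copies it into /dev already labelled); the `# used by init scripts to initally populate udev /dev` comment above is inside the `distro_gentoo` block and does not cover these lines.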
diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
index cbb729b66..ce0291ec6 100644
--- a/policy/modules/kernel/terminal.if
+++ b/policy/modules/kernel/terminal.if
@@ -124,13 +124,32 @@ interface(`term_user_tty',`
 		type_change $1 ttynode:chr_file $2;
 	')
 
-	tunable_policy(`console_login',`
+	tunable_policy(`login_console_enabled',`
 		# When user logs in from /dev/console, relabel it
 		# to user tty type as well.
 		type_change $1 console_device_t:chr_file $2;
 	')
 ')
 
+########################################
+## <summary>
+##	Create the /dev/pts directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`term_create_pty_dir',`
+	gen_require(`
+		type devpts_t;
+	')
+
+	allow $1 devpts_t:dir create_dir_perms;
+	dev_filetrans($1, devpts_t, dir, "devpts")
+')
+
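Review bot: `term_create_pty_dir` is documented as "Create the /dev/pts directory" but its transition is keyed on the name `"devpts"`, so a domain creating `/dev/pts` gets no named transition and the directory lands with the generic /dev label; if /dev/pts is the intent the line should read `dev_filetrans($1, devpts_t, dir, "pts")`, otherwise the summary should say `/dev/devpts`. The rename of the tunable from `console_login` to `login_console_enabled` in `term_user_tty` needs the matching declaration (terminal.te or global_tunables) and every other reference updated, none of which is in this diff — worth confirming. `term_user_tty` itself starts before this hunk.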
 ########################################
 ## <summary>
 ##	Create a pty in the /dev/pts directory.
@@ -206,6 +225,27 @@ interface(`term_use_all_terms',`
 	allow $1 { devpts_t console_device_t tty_device_t ttynode ptynode }:chr_file rw_chr_file_perms;
 ')
 
+########################################
+## <summary>
+##	Read and write the inherited console, all inherited 
+##	ttys and ptys.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`term_use_all_inherited_terms',`
+	gen_require(`
+		attribute ttynode, ptynode;
+		type console_device_t, devpts_t, tty_device_t;
+	')
+
+	allow $1 { devpts_t console_device_t tty_device_t ttynode ptynode }:chr_file rw_inherited_term_perms;
+')
+
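Review bot: `term_use_all_inherited_terms` carries `<rolecap/>` exactly like the full `term_use_all_terms` above it, yet its whole point is the narrower permission set, and the summary never says what "inherited" means; suggest `## Read and write the console, all ttys and ptys via already-open (inherited) descriptors.` so callers pick the right variant. The note assumes `rw_inherited_term_perms` omits `open`, which this diff does not show — it must be defined in the support perm sets for this to build. The summary line also carries trailing whitespace after "inherited".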
 ########################################
 ## <summary>
 ##	Write to the console.
@@ -274,7 +314,6 @@ interface(`term_dontaudit_read_console',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <rolecap/>
 #
 interface(`term_use_console',`
 	gen_require(`
@@ -299,9 +338,12 @@ interface(`term_use_console',`
 interface(`term_dontaudit_use_console',`
 	gen_require(`
 		type console_device_t;
+		type tty_device_t;
 	')
 
-	dontaudit $1 console_device_t:chr_file rw_chr_file_perms;
+	init_dontaudit_use_fds($1)
+	dontaudit $1 console_device_t:chr_file rw_inherited_chr_file_perms;
+	dontaudit $1 tty_device_t:chr_file rw_inherited_chr_file_perms;
 ')
 
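Review bot: `term_dontaudit_use_console` now also silences `tty_device_t` denials and calls `init_dontaudit_use_fds($1)`, so it no longer matches its name or its summary (which starts before this hunk), and it makes a kernel-layer module depend unconditionally on the init module, which refpolicy's layering normally avoids. If both additions are wanted, extend the summary to say the interface also covers unallocated ttys and init's fds, or move the `init_dontaudit_use_fds` call to the callers that need it. Switching to `rw_inherited_chr_file_perms` presumably also means `open` denials on the console become audited again for current callers — intended?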
 ########################################
@@ -382,6 +424,42 @@ interface(`term_getattr_pty_fs',`
 	allow $1 devpts_t:filesystem getattr;
 ')
 
+########################################
+## <summary>
+##	Mount a pty filesystem
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`term_mount_pty_fs',`
+	gen_require(`
+		type devpts_t;
+	')
+
+	allow $1 devpts_t:filesystem mount;
+')
+
+########################################
+## <summary>
+##	Unmount a pty filesystem
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`term_unmount_pty_fs',`
+	gen_require(`
+		type devpts_t;
+	')
+
+	allow $1 devpts_t:filesystem unmount;
+')
+
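Review bot: `term_mount_pty_fs` grants only `devpts_t:filesystem mount`; the kernel also checks `mounton` on the mount-point directory, so a caller needs that separately (for /dev/pts, from the devices module). Say so in the summary: `## Mount a pty filesystem. The caller also needs mounton on the mount point directory (e.g. via dev_mounton()).` `term_unmount_pty_fs` is fine as is, since unmount is checked on the filesystem only.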
 ########################################
 ## <summary>
 ##	Relabel from and to pty filesystem.
@@ -479,6 +557,24 @@ interface(`term_list_ptys',`
 	allow $1 devpts_t:dir list_dir_perms;
 ')
 
+########################################
+## <summary>
+##	Relabel the /dev/pts directory
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`term_relabel_ptys_dirs',`
+	gen_require(`
+		type devpts_t;
+	')
+
+	allow $1 devpts_t:dir relabel_dir_perms;
+')
+
 ########################################
 ## <summary>
 ##	Do not audit attempts to read the
@@ -517,6 +613,23 @@ interface(`term_dontaudit_manage_pty_dirs',`
 	dontaudit $1 devpts_t:dir manage_dir_perms;
 ')
 
+########################################
+## <summary>
+##	Get the attributes of generic pty devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to allow
+##	</summary>
+## </param>
+#
+interface(`term_getattr_generic_ptys',`
+	gen_require(`
+		type devpts_t;
+	')
+
+	allow $1 devpts_t:chr_file getattr;
+')
 ########################################
 ## <summary>
 ##	Do not audit attempts to get the attributes
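Review bot: The new `term_getattr_generic_ptys` runs straight into the next interface's banner — the blank line after its closing `')` that every other interface in this file has is missing. Its parameter summary `Domain to allow` also departs from the file's standard wording `Domain allowed access.`.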
@@ -620,7 +733,7 @@ interface(`term_use_generic_ptys',`
 
 ########################################
 ## <summary>
-##	Dot not audit attempts to read and
+##	Do not audit attempts to read and
 ##	write the generic pty type.  This is
 ##	generally only used in the targeted policy.
 ## </summary>
@@ -635,6 +748,7 @@ interface(`term_dontaudit_use_generic_ptys',`
 		type devpts_t;
 	')
 
+	init_dontaudit_use_fds($1)
 	dontaudit $1 devpts_t:chr_file { getattr read write ioctl };
 ')
 
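Review bot: `init_dontaudit_use_fds($1)` makes a kernel-layer terminal interface depend on the system-layer init module; the same call is added to term_dontaudit_use_unallocated_ttys further down in this file. If init is not guaranteed to be present in every build, wrapping the call in `optional_policy(` … ')` avoids a hard cross-layer dependency; if it is guaranteed, a one-line comment such as `# inherited pty fds usually come from init; silence those too` would explain why a terminal dontaudit reaches into init. term_dontaudit_use_generic_ptys starts outside the hunk.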
@@ -877,6 +991,26 @@ interface(`term_use_all_ptys',`
 	allow $1 ptynode:chr_file { rw_term_perms lock append };
 ')
 
+########################################
+## <summary>
+##	Read and write all inherited ptys.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`term_use_all_inherited_ptys',`
+	gen_require(`
+		attribute ptynode;
+		type devpts_t;
+	')
+
+	allow $1 ptynode:chr_file { rw_inherited_term_perms lock };
+')
+
 ########################################
 ## <summary>
 ##	Do not audit attempts to read or write any ptys.
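Review bot: term_use_all_inherited_ptys requires `type devpts_t;` but its body only references `ptynode`, so the require is dead and misleads a reader into thinking devpts_t is touched; drop that line. The `<rolecap/>` tag is reasonable for inherited pty use, but since rw_inherited_term_perms presumably omits open (that is the point of the inherited variants used throughout this hunk set), it would help to say so in the summary, e.g. `Read and write all inherited ptys (no open permission).`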
@@ -892,7 +1026,7 @@ interface(`term_dontaudit_use_all_ptys',`
 		attribute ptynode;
 	')
 
-	dontaudit $1 ptynode:chr_file { rw_term_perms lock append };
+	dontaudit $1 ptynode:chr_file { rw_inherited_term_perms lock append };
 ')
 
 ########################################
@@ -912,7 +1046,7 @@ interface(`term_relabel_all_ptys',`
 	')
 
 	dev_list_all_dev_nodes($1)
-	relabel_chr_files_pattern($1, devpts_t, ptynode)
+	relabel_chr_files_pattern($1, devpts_t, { ptynode devpts_t } )
 ')
 
 ########################################
@@ -940,7 +1074,7 @@ interface(`term_getattr_all_user_ptys',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed access.
+##	Domain to not audit.
 ##	</summary>
 ## </param>
 #
@@ -1065,6 +1199,28 @@ interface(`term_getattr_unallocated_ttys',`
 	allow $1 tty_device_t:chr_file getattr;
 ')
 
+########################################
+## <summary>
+##	Allow open access for all unallocated
+##	tty device nodes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`term_open_unallocated_ttys',`
+	gen_require(`
+		type tty_device_t;
+	')
+
+	dev_list_all_dev_nodes($1)
+	allow $1 tty_device_t:chr_file open;
+')
+
+
+
 ########################################
 ## <summary>
 ##	Do not audit attempts to get the attributes
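Review bot: term_open_unallocated_ttys is followed by three blank lines before the next header, where the rest of the file uses exactly one; trim the two extra lines after `')`. The interface body itself matches its siblings.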
@@ -1163,6 +1319,25 @@ interface(`term_relabel_unallocated_ttys',`
 	allow $1 tty_device_t:chr_file relabel_chr_file_perms;
 ')
 
+########################################
+## <summary>
+##	Mounton unallocated tty device nodes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`term_mounton_unallocated_ttys',`
+	gen_require(`
+		type tty_device_t;
+	')
+
+	allow $1 tty_device_t:chr_file mounton;
+')
+
 ########################################
 ## <summary>
 ##	Relabel from all user tty types to
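Review bot: `<rolecap/>` on term_mounton_unallocated_ttys looks out of place: the other rolecap-tagged interfaces in this change grant terminal read/write for a user role, whereas mounton on a tty node is an administrative operation, and the tag presumably advertises the interface as a per-role capability in the generated documentation. If it is meant to be role-selectable, a sentence in the summary naming the role that needs it would help; otherwise drop the tag.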
@@ -1259,7 +1434,47 @@ interface(`term_dontaudit_use_unallocated_ttys',`
 		type tty_device_t;
 	')
 
-	dontaudit $1 tty_device_t:chr_file rw_chr_file_perms;
+	init_dontaudit_use_fds($1)
+	dontaudit $1 tty_device_t:chr_file rw_inherited_chr_file_perms;
+')
+
+########################################
+## <summary>
+##	Read and write USB tty character
+##	device nodes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`term_use_usb_ttys',`
+	gen_require(`
+		type usbtty_device_t;
+	')
+
+	dev_list_all_dev_nodes($1)
+	allow $1 usbtty_device_t:chr_file rw_chr_file_perms;
+')
+
+#######################################
+## <summary>
+##  Setattr on USB tty character
+##  device nodes.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`term_setattr_usb_ttys',`
+    gen_require(`
+        type usbtty_device_t;
+    ')
+
+    allow $1 usbtty_device_t:chr_file setattr;
 ')
 
 ########################################
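Review bot: term_setattr_usb_ttys is indented with four spaces and its header rule is one `#` shorter than the 40-character rule used everywhere else in the file (compare term_use_usb_ttys directly above); reformat to tabs and `########################################`. The doc comment lines likewise use two spaces after `##` instead of the tab the rest of the file uses. The summary could also be phrased as a verb like its neighbours, e.g. `Set the attributes of USB tty character device nodes.`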
@@ -1275,11 +1490,13 @@ interface(`term_dontaudit_use_unallocated_ttys',`
 #
 interface(`term_getattr_all_ttys',`
 	gen_require(`
+		type tty_device_t;
 		attribute ttynode;
 	')
 
 	dev_list_all_dev_nodes($1)
 	allow $1 ttynode:chr_file getattr;
+	allow $1 tty_device_t:chr_file getattr;
 ')
 
 ########################################
@@ -1296,10 +1513,12 @@ interface(`term_getattr_all_ttys',`
 interface(`term_dontaudit_getattr_all_ttys',`
 	gen_require(`
 		attribute ttynode;
+		type tty_device_t;
 	')
 
 	dev_list_all_dev_nodes($1)
 	dontaudit $1 ttynode:chr_file getattr;
+	dontaudit $1 tty_device_t:chr_file getattr;
 ')
 
 ########################################
@@ -1377,7 +1596,27 @@ interface(`term_use_all_ttys',`
 	')
 
 	dev_list_all_dev_nodes($1)
-	allow $1 ttynode:chr_file rw_chr_file_perms;
+	allow $1 ttynode:chr_file rw_term_perms;
+')
+
+########################################
+## <summary>
+##	Read and write all inherited ttys.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`term_use_all_inherited_ttys',`
+	gen_require(`
+		attribute ttynode;
+	')
+
+	dev_list_all_dev_nodes($1)
+	allow $1 ttynode:chr_file rw_inherited_term_perms;
 ')
 
 ########################################
@@ -1396,7 +1635,7 @@ interface(`term_dontaudit_use_all_ttys',`
 		attribute ttynode;
 	')
 
-	dontaudit $1 ttynode:chr_file rw_chr_file_perms;
+	dontaudit $1 ttynode:chr_file rw_inherited_chr_file_perms;
 ')
 
 ########################################
@@ -1504,7 +1743,7 @@ interface(`term_use_all_user_ttys',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed access.
+##	Domain to not audit.
 ##	</summary>
 ## </param>
 #
@@ -1513,21 +1752,435 @@ interface(`term_dontaudit_use_all_user_ttys',`
 	term_dontaudit_use_all_ttys($1)
 ')
 
+####################################
+## <summary>
+##      Getattr on the virtio console.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`term_getattr_virtio_console',`
+        gen_require(`
+                type virtio_device_t;
+        ')
+
+        allow $1 virtio_device_t:chr_file getattr_chr_file_perms;
+')
+
 #####################################
 ## <summary>
-##	Read from and write virtio console.
+##      Read from and write to the virtio console.
 ## </summary>
 ## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
+##      <summary>
+##      Domain allowed access.
+##      </summary>
 ## </param>
 #
 interface(`term_use_virtio_console',`
-	gen_require(`
-		type virtio_device_t;
-	')
-
-	dev_list_all_dev_nodes($1)
-	allow $1 virtio_device_t:chr_file rw_term_perms;
+        gen_require(`
+                type virtio_device_t;
+        ')
+
+        dev_list_all_dev_nodes($1)
+        allow $1 virtio_device_t:chr_file rw_chr_file_perms;
+')
+
+########################################
+## <summary>
+##	Create all named term devices with the correct label
+## </summary>
+## <param name="domain">
+##	<summary>
+##      Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`term_filetrans_all_named_dev',`
+
+    gen_require(`
+	    type tty_device_t;
+	    type bsdpty_device_t;
+	    type console_device_t;
+	    type ptmx_t;
+    	type devtty_t;
+	    type virtio_device_t;
+	    type devpts_t;
+	    type usbtty_device_t;
+    ')
+
+	dev_filetrans($1, devtty_t, chr_file, "tty")
+	dev_filetrans($1, tty_device_t, chr_file, "tty0")
+	dev_filetrans($1, tty_device_t, chr_file, "tty1")
+	dev_filetrans($1, tty_device_t, chr_file, "tty2")
+	dev_filetrans($1, tty_device_t, chr_file, "tty3")
+	dev_filetrans($1, tty_device_t, chr_file, "tty4")
+	dev_filetrans($1, tty_device_t, chr_file, "tty5")
+	dev_filetrans($1, tty_device_t, chr_file, "tty6")
+	dev_filetrans($1, tty_device_t, chr_file, "tty7")
+	dev_filetrans($1, tty_device_t, chr_file, "tty8")
+	dev_filetrans($1, tty_device_t, chr_file, "tty9")
+	dev_filetrans($1, tty_device_t, chr_file, "tty10")
+	dev_filetrans($1, tty_device_t, chr_file, "tty11")
+	dev_filetrans($1, tty_device_t, chr_file, "tty12")
+	dev_filetrans($1, tty_device_t, chr_file, "tty13")
+	dev_filetrans($1, tty_device_t, chr_file, "tty14")
+	dev_filetrans($1, tty_device_t, chr_file, "tty15")
+	dev_filetrans($1, tty_device_t, chr_file, "tty16")
+	dev_filetrans($1, tty_device_t, chr_file, "tty17")
+	dev_filetrans($1, tty_device_t, chr_file, "tty18")
+	dev_filetrans($1, tty_device_t, chr_file, "tty19")
+	dev_filetrans($1, tty_device_t, chr_file, "tty20")
+	dev_filetrans($1, tty_device_t, chr_file, "tty21")
+	dev_filetrans($1, tty_device_t, chr_file, "tty22")
+	dev_filetrans($1, tty_device_t, chr_file, "tty23")
+	dev_filetrans($1, tty_device_t, chr_file, "tty24")
+	dev_filetrans($1, tty_device_t, chr_file, "tty25")
+	dev_filetrans($1, tty_device_t, chr_file, "tty26")
+	dev_filetrans($1, tty_device_t, chr_file, "tty27")
+	dev_filetrans($1, tty_device_t, chr_file, "tty28")
+	dev_filetrans($1, tty_device_t, chr_file, "tty29")
+	dev_filetrans($1, tty_device_t, chr_file, "tty30")
+	dev_filetrans($1, tty_device_t, chr_file, "tty31")
+	dev_filetrans($1, tty_device_t, chr_file, "tty32")
+	dev_filetrans($1, tty_device_t, chr_file, "tty33")
+	dev_filetrans($1, tty_device_t, chr_file, "tty34")
+	dev_filetrans($1, tty_device_t, chr_file, "tty35")
+	dev_filetrans($1, tty_device_t, chr_file, "tty36")
+	dev_filetrans($1, tty_device_t, chr_file, "tty37")
+	dev_filetrans($1, tty_device_t, chr_file, "tty38")
+	dev_filetrans($1, tty_device_t, chr_file, "tty39")
+	dev_filetrans($1, tty_device_t, chr_file, "tty40")
+	dev_filetrans($1, tty_device_t, chr_file, "tty41")
+	dev_filetrans($1, tty_device_t, chr_file, "tty42")
+	dev_filetrans($1, tty_device_t, chr_file, "tty43")
+	dev_filetrans($1, tty_device_t, chr_file, "tty44")
+	dev_filetrans($1, tty_device_t, chr_file, "tty45")
+	dev_filetrans($1, tty_device_t, chr_file, "tty46")
+	dev_filetrans($1, tty_device_t, chr_file, "tty47")
+	dev_filetrans($1, tty_device_t, chr_file, "tty48")
+	dev_filetrans($1, tty_device_t, chr_file, "tty49")
+	dev_filetrans($1, tty_device_t, chr_file, "tty50")
+	dev_filetrans($1, tty_device_t, chr_file, "tty51")
+	dev_filetrans($1, tty_device_t, chr_file, "tty52")
+	dev_filetrans($1, tty_device_t, chr_file, "tty53")
+	dev_filetrans($1, tty_device_t, chr_file, "tty54")
+	dev_filetrans($1, tty_device_t, chr_file, "tty55")
+	dev_filetrans($1, tty_device_t, chr_file, "tty56")
+	dev_filetrans($1, tty_device_t, chr_file, "tty57")
+	dev_filetrans($1, tty_device_t, chr_file, "tty58")
+	dev_filetrans($1, tty_device_t, chr_file, "tty59")
+	dev_filetrans($1, tty_device_t, chr_file, "tty60")
+	dev_filetrans($1, tty_device_t, chr_file, "tty61")
+	dev_filetrans($1, tty_device_t, chr_file, "tty62")
+	dev_filetrans($1, tty_device_t, chr_file, "tty63")
+	dev_filetrans($1, tty_device_t, chr_file, "tty64")
+	dev_filetrans($1, tty_device_t, chr_file, "tty65")
+	dev_filetrans($1, tty_device_t, chr_file, "tty66")
+	dev_filetrans($1, tty_device_t, chr_file, "tty67")
+	dev_filetrans($1, tty_device_t, chr_file, "tty68")
+	dev_filetrans($1, tty_device_t, chr_file, "tty69")
+	dev_filetrans($1, tty_device_t, chr_file, "tty70")
+	dev_filetrans($1, tty_device_t, chr_file, "tty71")
+	dev_filetrans($1, tty_device_t, chr_file, "tty72")
+	dev_filetrans($1, tty_device_t, chr_file, "tty73")
+	dev_filetrans($1, tty_device_t, chr_file, "tty74")
+	dev_filetrans($1, tty_device_t, chr_file, "tty75")
+	dev_filetrans($1, tty_device_t, chr_file, "tty76")
+	dev_filetrans($1, tty_device_t, chr_file, "tty77")
+	dev_filetrans($1, tty_device_t, chr_file, "tty78")
+	dev_filetrans($1, tty_device_t, chr_file, "tty79")
+	dev_filetrans($1, tty_device_t, chr_file, "tty80")
+	dev_filetrans($1, tty_device_t, chr_file, "tty81")
+	dev_filetrans($1, tty_device_t, chr_file, "tty82")
+	dev_filetrans($1, tty_device_t, chr_file, "tty83")
+	dev_filetrans($1, tty_device_t, chr_file, "tty84")
+	dev_filetrans($1, tty_device_t, chr_file, "tty85")
+	dev_filetrans($1, tty_device_t, chr_file, "tty86")
+	dev_filetrans($1, tty_device_t, chr_file, "tty87")
+	dev_filetrans($1, tty_device_t, chr_file, "tty88")
+	dev_filetrans($1, tty_device_t, chr_file, "tty89")
+	dev_filetrans($1, tty_device_t, chr_file, "tty90")
+	dev_filetrans($1, tty_device_t, chr_file, "tty91")
+	dev_filetrans($1, tty_device_t, chr_file, "tty92")
+	dev_filetrans($1, tty_device_t, chr_file, "tty93")
+	dev_filetrans($1, tty_device_t, chr_file, "tty94")
+	dev_filetrans($1, tty_device_t, chr_file, "tty95")
+	dev_filetrans($1, tty_device_t, chr_file, "tty96")
+	dev_filetrans($1, tty_device_t, chr_file, "tty97")
+	dev_filetrans($1, tty_device_t, chr_file, "tty98")
+	dev_filetrans($1, tty_device_t, chr_file, "tty99")
+	dev_filetrans($1, tty_device_t, chr_file, "pty")
+	dev_filetrans($1, tty_device_t, chr_file, "pty0")
+	dev_filetrans($1, tty_device_t, chr_file, "pty1")
+	dev_filetrans($1, tty_device_t, chr_file, "pty2")
+	dev_filetrans($1, tty_device_t, chr_file, "pty3")
+	dev_filetrans($1, tty_device_t, chr_file, "pty4")
+	dev_filetrans($1, tty_device_t, chr_file, "pty5")
+	dev_filetrans($1, tty_device_t, chr_file, "pty6")
+	dev_filetrans($1, tty_device_t, chr_file, "pty7")
+	dev_filetrans($1, tty_device_t, chr_file, "pty8")
+	dev_filetrans($1, tty_device_t, chr_file, "pty9")
+	dev_filetrans($1, tty_device_t, chr_file, "pty10")
+	dev_filetrans($1, tty_device_t, chr_file, "pty11")
+	dev_filetrans($1, tty_device_t, chr_file, "pty12")
+	dev_filetrans($1, tty_device_t, chr_file, "pty13")
+	dev_filetrans($1, tty_device_t, chr_file, "pty14")
+	dev_filetrans($1, tty_device_t, chr_file, "pty15")
+	dev_filetrans($1, tty_device_t, chr_file, "pty16")
+	dev_filetrans($1, tty_device_t, chr_file, "pty17")
+	dev_filetrans($1, tty_device_t, chr_file, "pty18")
+	dev_filetrans($1, tty_device_t, chr_file, "pty19")
+	dev_filetrans($1, tty_device_t, chr_file, "pty20")
+	dev_filetrans($1, tty_device_t, chr_file, "pty21")
+	dev_filetrans($1, tty_device_t, chr_file, "pty22")
+	dev_filetrans($1, tty_device_t, chr_file, "pty23")
+	dev_filetrans($1, tty_device_t, chr_file, "pty24")
+	dev_filetrans($1, tty_device_t, chr_file, "pty25")
+	dev_filetrans($1, tty_device_t, chr_file, "pty26")
+	dev_filetrans($1, tty_device_t, chr_file, "pty27")
+	dev_filetrans($1, tty_device_t, chr_file, "pty28")
+	dev_filetrans($1, tty_device_t, chr_file, "pty29")
+	dev_filetrans($1, tty_device_t, chr_file, "pty30")
+	dev_filetrans($1, tty_device_t, chr_file, "pty31")
+	dev_filetrans($1, tty_device_t, chr_file, "pty32")
+	dev_filetrans($1, tty_device_t, chr_file, "pty33")
+	dev_filetrans($1, tty_device_t, chr_file, "pty34")
+	dev_filetrans($1, tty_device_t, chr_file, "pty35")
+	dev_filetrans($1, tty_device_t, chr_file, "pty36")
+	dev_filetrans($1, tty_device_t, chr_file, "pty37")
+	dev_filetrans($1, tty_device_t, chr_file, "pty38")
+	dev_filetrans($1, tty_device_t, chr_file, "pty39")
+	dev_filetrans($1, tty_device_t, chr_file, "pty40")
+	dev_filetrans($1, tty_device_t, chr_file, "pty41")
+	dev_filetrans($1, tty_device_t, chr_file, "pty42")
+	dev_filetrans($1, tty_device_t, chr_file, "pty43")
+	dev_filetrans($1, tty_device_t, chr_file, "pty44")
+	dev_filetrans($1, tty_device_t, chr_file, "pty45")
+	dev_filetrans($1, tty_device_t, chr_file, "pty46")
+	dev_filetrans($1, tty_device_t, chr_file, "pty47")
+	dev_filetrans($1, tty_device_t, chr_file, "pty48")
+	dev_filetrans($1, tty_device_t, chr_file, "pty49")
+	dev_filetrans($1, tty_device_t, chr_file, "pty50")
+	dev_filetrans($1, tty_device_t, chr_file, "pty51")
+	dev_filetrans($1, tty_device_t, chr_file, "pty52")
+	dev_filetrans($1, tty_device_t, chr_file, "pty53")
+	dev_filetrans($1, tty_device_t, chr_file, "pty54")
+	dev_filetrans($1, tty_device_t, chr_file, "pty55")
+	dev_filetrans($1, tty_device_t, chr_file, "pty56")
+	dev_filetrans($1, tty_device_t, chr_file, "pty57")
+	dev_filetrans($1, tty_device_t, chr_file, "pty58")
+	dev_filetrans($1, tty_device_t, chr_file, "pty59")
+	dev_filetrans($1, tty_device_t, chr_file, "pty60")
+	dev_filetrans($1, tty_device_t, chr_file, "pty61")
+	dev_filetrans($1, tty_device_t, chr_file, "pty62")
+	dev_filetrans($1, tty_device_t, chr_file, "pty63")
+	dev_filetrans($1, tty_device_t, chr_file, "pty64")
+	dev_filetrans($1, tty_device_t, chr_file, "pty65")
+	dev_filetrans($1, tty_device_t, chr_file, "pty66")
+	dev_filetrans($1, tty_device_t, chr_file, "pty67")
+	dev_filetrans($1, tty_device_t, chr_file, "pty68")
+	dev_filetrans($1, tty_device_t, chr_file, "pty69")
+	dev_filetrans($1, tty_device_t, chr_file, "pty70")
+	dev_filetrans($1, tty_device_t, chr_file, "pty71")
+	dev_filetrans($1, tty_device_t, chr_file, "pty72")
+	dev_filetrans($1, tty_device_t, chr_file, "pty73")
+	dev_filetrans($1, tty_device_t, chr_file, "pty74")
+	dev_filetrans($1, tty_device_t, chr_file, "pty75")
+	dev_filetrans($1, tty_device_t, chr_file, "pty76")
+	dev_filetrans($1, tty_device_t, chr_file, "pty77")
+	dev_filetrans($1, tty_device_t, chr_file, "pty78")
+	dev_filetrans($1, tty_device_t, chr_file, "pty79")
+	dev_filetrans($1, tty_device_t, chr_file, "pty80")
+	dev_filetrans($1, tty_device_t, chr_file, "pty81")
+	dev_filetrans($1, tty_device_t, chr_file, "pty82")
+	dev_filetrans($1, tty_device_t, chr_file, "pty83")
+	dev_filetrans($1, tty_device_t, chr_file, "pty84")
+	dev_filetrans($1, tty_device_t, chr_file, "pty85")
+	dev_filetrans($1, tty_device_t, chr_file, "pty86")
+	dev_filetrans($1, tty_device_t, chr_file, "pty87")
+	dev_filetrans($1, tty_device_t, chr_file, "pty88")
+	dev_filetrans($1, tty_device_t, chr_file, "pty89")
+	dev_filetrans($1, tty_device_t, chr_file, "pty90")
+	dev_filetrans($1, tty_device_t, chr_file, "pty91")
+	dev_filetrans($1, tty_device_t, chr_file, "pty92")
+	dev_filetrans($1, tty_device_t, chr_file, "pty93")
+	dev_filetrans($1, tty_device_t, chr_file, "pty94")
+	dev_filetrans($1, tty_device_t, chr_file, "pty95")
+	dev_filetrans($1, tty_device_t, chr_file, "pty96")
+	dev_filetrans($1, tty_device_t, chr_file, "pty97")
+	dev_filetrans($1, tty_device_t, chr_file, "pty98")
+	dev_filetrans($1, tty_device_t, chr_file, "pty99")
+	dev_filetrans($1, tty_device_t, chr_file, "adb0")
+	dev_filetrans($1, tty_device_t, chr_file, "adb1")
+	dev_filetrans($1, tty_device_t, chr_file, "adb2")
+	dev_filetrans($1, tty_device_t, chr_file, "adb3")
+	dev_filetrans($1, tty_device_t, chr_file, "adb4")
+	dev_filetrans($1, tty_device_t, chr_file, "adb5")
+	dev_filetrans($1, tty_device_t, chr_file, "adb6")
+	dev_filetrans($1, tty_device_t, chr_file, "adb7")
+	dev_filetrans($1, tty_device_t, chr_file, "adb8")
+	dev_filetrans($1, tty_device_t, chr_file, "adb9")
+	dev_filetrans($1, tty_device_t, chr_file, "capi0")
+	dev_filetrans($1, tty_device_t, chr_file, "capi1")
+	dev_filetrans($1, tty_device_t, chr_file, "capi2")
+	dev_filetrans($1, tty_device_t, chr_file, "capi3")
+	dev_filetrans($1, tty_device_t, chr_file, "capi4")
+	dev_filetrans($1, tty_device_t, chr_file, "capi5")
+	dev_filetrans($1, tty_device_t, chr_file, "capi6")
+	dev_filetrans($1, tty_device_t, chr_file, "capi7")
+	dev_filetrans($1, tty_device_t, chr_file, "capi8")
+	dev_filetrans($1, tty_device_t, chr_file, "capi9")
+	dev_filetrans($1, console_device_t, chr_file, "console")
+	dev_filetrans($1, tty_device_t, chr_file, "cu0")
+	dev_filetrans($1, tty_device_t, chr_file, "cu1")
+	dev_filetrans($1, tty_device_t, chr_file, "cu2")
+	dev_filetrans($1, tty_device_t, chr_file, "cu3")
+	dev_filetrans($1, tty_device_t, chr_file, "cu4")
+	dev_filetrans($1, tty_device_t, chr_file, "cu5")
+	dev_filetrans($1, tty_device_t, chr_file, "cu6")
+	dev_filetrans($1, tty_device_t, chr_file, "cu7")
+	dev_filetrans($1, tty_device_t, chr_file, "cu8")
+	dev_filetrans($1, tty_device_t, chr_file, "cu9")
+	dev_filetrans($1, tty_device_t, chr_file, "dcbri0")
+	dev_filetrans($1, tty_device_t, chr_file, "dcbri1")
+	dev_filetrans($1, tty_device_t, chr_file, "dcbri2")
+	dev_filetrans($1, tty_device_t, chr_file, "dcbri3")
+	dev_filetrans($1, tty_device_t, chr_file, "dcbri4")
+	dev_filetrans($1, tty_device_t, chr_file, "dcbri5")
+	dev_filetrans($1, tty_device_t, chr_file, "dcbri6")
+	dev_filetrans($1, tty_device_t, chr_file, "dcbri7")
+	dev_filetrans($1, tty_device_t, chr_file, "dcbri8")
+	dev_filetrans($1, tty_device_t, chr_file, "dcbri9")
+	dev_filetrans($1, tty_device_t, chr_file, "vcsa")
+	dev_filetrans($1, tty_device_t, chr_file, "vcsb")
+	dev_filetrans($1, tty_device_t, chr_file, "vcsc")
+	dev_filetrans($1, tty_device_t, chr_file, "vcsd")
+	dev_filetrans($1, tty_device_t, chr_file, "vcse")
+	dev_filetrans($1, tty_device_t, chr_file, "hvc0")
+	dev_filetrans($1, tty_device_t, chr_file, "hvc1")
+	dev_filetrans($1, tty_device_t, chr_file, "hvc2")
+	dev_filetrans($1, tty_device_t, chr_file, "hvc3")
+	dev_filetrans($1, tty_device_t, chr_file, "hvc4")
+	dev_filetrans($1, tty_device_t, chr_file, "hvc5")
+	dev_filetrans($1, tty_device_t, chr_file, "hvc6")
+	dev_filetrans($1, tty_device_t, chr_file, "hvc7")
+	dev_filetrans($1, tty_device_t, chr_file, "hvc8")
+	dev_filetrans($1, tty_device_t, chr_file, "hvc9")
+	dev_filetrans($1, tty_device_t, chr_file, "hvsi0")
+	dev_filetrans($1, tty_device_t, chr_file, "hvsi1")
+	dev_filetrans($1, tty_device_t, chr_file, "hvsi2")
+	dev_filetrans($1, tty_device_t, chr_file, "hvsi3")
+	dev_filetrans($1, tty_device_t, chr_file, "hvsi4")
+	dev_filetrans($1, tty_device_t, chr_file, "hvsi5")
+	dev_filetrans($1, tty_device_t, chr_file, "hvsi6")
+	dev_filetrans($1, tty_device_t, chr_file, "hvsi7")
+	dev_filetrans($1, tty_device_t, chr_file, "hvsi8")
+	dev_filetrans($1, tty_device_t, chr_file, "hvsi9")
+	dev_filetrans($1, tty_device_t, chr_file, "ircomm0")
+	dev_filetrans($1, tty_device_t, chr_file, "ircomm1")
+	dev_filetrans($1, tty_device_t, chr_file, "ircomm2")
+	dev_filetrans($1, tty_device_t, chr_file, "ircomm3")
+	dev_filetrans($1, tty_device_t, chr_file, "ircomm4")
+	dev_filetrans($1, tty_device_t, chr_file, "ircomm5")
+	dev_filetrans($1, tty_device_t, chr_file, "ircomm6")
+	dev_filetrans($1, tty_device_t, chr_file, "ircomm7")
+	dev_filetrans($1, tty_device_t, chr_file, "ircomm8")
+	dev_filetrans($1, tty_device_t, chr_file, "ircomm9")
+	dev_filetrans($1, tty_device_t, chr_file, "isdn0")
+	dev_filetrans($1, tty_device_t, chr_file, "isdn1")
+	dev_filetrans($1, tty_device_t, chr_file, "isdn2")
+	dev_filetrans($1, tty_device_t, chr_file, "isdn3")
+	dev_filetrans($1, tty_device_t, chr_file, "isdn4")
+	dev_filetrans($1, tty_device_t, chr_file, "isdn5")
+	dev_filetrans($1, tty_device_t, chr_file, "isdn6")
+	dev_filetrans($1, tty_device_t, chr_file, "isdn7")
+	dev_filetrans($1, tty_device_t, chr_file, "isdn8")
+	dev_filetrans($1, tty_device_t, chr_file, "isdn9")
+	filetrans_pattern($1, devpts_t, ptmx_t, chr_file, "ptmx")
+	dev_filetrans($1, ptmx_t, chr_file, "ptmx")
+	dev_filetrans($1, tty_device_t, chr_file, "rfcomm0")
+	dev_filetrans($1, tty_device_t, chr_file, "rfcomm1")
+	dev_filetrans($1, tty_device_t, chr_file, "rfcomm2")
+	dev_filetrans($1, tty_device_t, chr_file, "rfcomm3")
+	dev_filetrans($1, tty_device_t, chr_file, "rfcomm4")
+	dev_filetrans($1, tty_device_t, chr_file, "rfcomm5")
+	dev_filetrans($1, tty_device_t, chr_file, "rfcomm6")
+	dev_filetrans($1, tty_device_t, chr_file, "rfcomm7")
+	dev_filetrans($1, tty_device_t, chr_file, "rfcomm8")
+	dev_filetrans($1, tty_device_t, chr_file, "rfcomm9")
+	dev_filetrans($1, tty_device_t, chr_file, "slamr0")
+	dev_filetrans($1, tty_device_t, chr_file, "slamr1")
+	dev_filetrans($1, tty_device_t, chr_file, "slamr2")
+	dev_filetrans($1, tty_device_t, chr_file, "slamr3")
+	dev_filetrans($1, tty_device_t, chr_file, "slamr4")
+	dev_filetrans($1, tty_device_t, chr_file, "slamr5")
+	dev_filetrans($1, tty_device_t, chr_file, "slamr6")
+	dev_filetrans($1, tty_device_t, chr_file, "slamr7")
+	dev_filetrans($1, tty_device_t, chr_file, "slamr8")
+	dev_filetrans($1, tty_device_t, chr_file, "slamr9")
+	dev_filetrans($1, tty_device_t, chr_file, "ttyACM0")
+	dev_filetrans($1, tty_device_t, chr_file, "ttyACM1")
+	dev_filetrans($1, tty_device_t, chr_file, "ttyACM2")
+	dev_filetrans($1, tty_device_t, chr_file, "ttyACM3")
+	dev_filetrans($1, tty_device_t, chr_file, "ttyACM4")
+	dev_filetrans($1, tty_device_t, chr_file, "ttyACM5")
+	dev_filetrans($1, tty_device_t, chr_file, "ttyACM6")
+	dev_filetrans($1, tty_device_t, chr_file, "ttyACM7")
+	dev_filetrans($1, tty_device_t, chr_file, "ttyACM8")
+	dev_filetrans($1, tty_device_t, chr_file, "ttyACM9")
+	dev_filetrans($1, tty_device_t, chr_file, "ttyS0")
+	dev_filetrans($1, tty_device_t, chr_file, "ttyS1")
+	dev_filetrans($1, tty_device_t, chr_file, "ttyS2")
+	dev_filetrans($1, tty_device_t, chr_file, "ttyS3")
+	dev_filetrans($1, tty_device_t, chr_file, "ttyS4")
+	dev_filetrans($1, tty_device_t, chr_file, "ttyS5")
+	dev_filetrans($1, tty_device_t, chr_file, "ttyS6")
+	dev_filetrans($1, tty_device_t, chr_file, "ttyS7")
+	dev_filetrans($1, tty_device_t, chr_file, "ttyS8")
+	dev_filetrans($1, tty_device_t, chr_file, "ttyS9")
+	dev_filetrans($1, tty_device_t, chr_file, "ttySG0")
+	dev_filetrans($1, tty_device_t, chr_file, "ttySG1")
+	dev_filetrans($1, tty_device_t, chr_file, "ttySG2")
+	dev_filetrans($1, tty_device_t, chr_file, "ttySG3")
+	dev_filetrans($1, tty_device_t, chr_file, "ttySG4")
+	dev_filetrans($1, tty_device_t, chr_file, "ttySG5")
+	dev_filetrans($1, tty_device_t, chr_file, "ttySG6")
+	dev_filetrans($1, tty_device_t, chr_file, "ttySG7")
+	dev_filetrans($1, tty_device_t, chr_file, "ttySG8")
+	dev_filetrans($1, tty_device_t, chr_file, "ttySG9")
+	dev_filetrans($1, usbtty_device_t, chr_file, "ttyUSB0")
+	dev_filetrans($1, usbtty_device_t, chr_file, "ttyUSB1")
+	dev_filetrans($1, usbtty_device_t, chr_file, "ttyUSB2")
+	dev_filetrans($1, usbtty_device_t, chr_file, "ttyUSB3")
+	dev_filetrans($1, usbtty_device_t, chr_file, "ttyUSB4")
+	dev_filetrans($1, usbtty_device_t, chr_file, "ttyUSB5")
+	dev_filetrans($1, usbtty_device_t, chr_file, "ttyUSB6")
+	dev_filetrans($1, usbtty_device_t, chr_file, "ttyUSB7")
+	dev_filetrans($1, usbtty_device_t, chr_file, "ttyUSB8")
+	dev_filetrans($1, usbtty_device_t, chr_file, "ttyUSB9")
+	dev_filetrans($1, virtio_device_t, chr_file, "vport0p0")
+	dev_filetrans($1, virtio_device_t, chr_file, "vport0p1")
+	dev_filetrans($1, virtio_device_t, chr_file, "vport0p2")
+	dev_filetrans($1, virtio_device_t, chr_file, "vport0p3")
+	dev_filetrans($1, virtio_device_t, chr_file, "vport0p4")
+	dev_filetrans($1, virtio_device_t, chr_file, "vport0p5")
+	dev_filetrans($1, virtio_device_t, chr_file, "vport0p6")
+	dev_filetrans($1, virtio_device_t, chr_file, "vport0p7")
+	dev_filetrans($1, virtio_device_t, chr_file, "vport0p8")
+	dev_filetrans($1, virtio_device_t, chr_file, "vport0p9")
+	dev_filetrans($1, devpts_t, dir, "pts")
+	dev_filetrans($1, tty_device_t, chr_file, "xvc0")
+	dev_filetrans($1, tty_device_t, chr_file, "xvc1")
+	dev_filetrans($1, tty_device_t, chr_file, "xvc2")
+	dev_filetrans($1, tty_device_t, chr_file, "xvc3")
+	dev_filetrans($1, tty_device_t, chr_file, "xvc4")
+	dev_filetrans($1, tty_device_t, chr_file, "xvc5")
+	dev_filetrans($1, tty_device_t, chr_file, "xvc6")
+	dev_filetrans($1, tty_device_t, chr_file, "xvc7")
+	dev_filetrans($1, tty_device_t, chr_file, "xvc8")
+	dev_filetrans($1, tty_device_t, chr_file, "xvc9")
 ')
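Review bot: term_filetrans_all_named_dev requires `type bsdpty_device_t;` but never uses it in the body; drop it from the gen_require. That require block mixes four-space and tab indentation (the `type devtty_t;` line differs from its neighbours), and the new term_getattr_virtio_console plus the reindented term_use_virtio_console use eight spaces, so an existing interface now shows up as a whitespace-only rewrite in blame; keep tabs throughout. term_use_virtio_console also moves from rw_term_perms to rw_chr_file_perms, which presumably adds lock/append, without any explanation; a comment such as `# rw_chr_file_perms rather than rw_term_perms: console users need lock/append` (or whatever the real motivation is) would record the intent. Finally, "ptmx" gets both a `filetrans_pattern` on devpts_t and a `dev_filetrans`; a one-line comment saying the first covers /dev/pts/ptmx and the second /dev/ptmx would keep a future reader from deleting one as a duplicate.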
diff --git a/policy/modules/kernel/terminal.te b/policy/modules/kernel/terminal.te
index 66e116a3f..a0a5d90fe 100644
--- a/policy/modules/kernel/terminal.te
+++ b/policy/modules/kernel/terminal.te
@@ -29,6 +29,7 @@ files_mountpoint(devpts_t)
 fs_associate_tmpfs(devpts_t)
 fs_type(devpts_t)
 fs_use_trans devpts gen_context(system_u:object_r:devpts_t,s0);
+dev_associate(devpts_t)
 
 #
 # devtty_t is the type of /dev/tty.
@@ -57,5 +58,8 @@ dev_node(tty_device_t)
 type usbtty_device_t, serial_device;
 dev_node(usbtty_device_t)
 
+#
+# virtio_device_t is the type of /dev/vport[0-9]p[0-9]
+#
 type virtio_device_t, serial_device;
 dev_node(virtio_device_t)
diff --git a/policy/modules/kernel/unlabelednet.fc b/policy/modules/kernel/unlabelednet.fc
new file mode 100644
index 000000000..f310b9d55
--- /dev/null
+++ b/policy/modules/kernel/unlabelednet.fc
@@ -0,0 +1 @@
+# No unlabelednet file contexts.
diff --git a/policy/modules/kernel/unlabelednet.if b/policy/modules/kernel/unlabelednet.if
new file mode 100644
index 000000000..0ce04703a
--- /dev/null
+++ b/policy/modules/kernel/unlabelednet.if
@@ -0,0 +1 @@
+## <summary> Policy for allowing confined domains to use unlabeled_t packets</summary>
diff --git a/policy/modules/kernel/unlabelednet.te b/policy/modules/kernel/unlabelednet.te
new file mode 100644
index 000000000..48caabc7e
--- /dev/null
+++ b/policy/modules/kernel/unlabelednet.te
@@ -0,0 +1,12 @@
+policy_module(unlabelednet, 1.0.0)
+
+corenet_enable_unlabeled_packets()
+
+gen_require(`
+    type unlabeled_t;
+    attribute domain;
+')
+
+# temporary hack until labeling on packets is supported
+allow domain unlabeled_t:packet { send recv };
+
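Review bot: `allow domain unlabeled_t:packet { send recv };` grants every domain in the policy unlabeled packet traffic unconditionally, so loading this module in effect removes packet-label enforcement for unlabeled traffic system-wide, and the only administrator control is removing the module. Since the comment already calls it a temporary hack, it would be safer to gate the rule behind a tunable (for example a constructed `gen_tunable(unlabelednet_allow_all, true)` with the allow inside `tunable_policy`) or at least to state in unlabelednet.if that disabling the module (`semodule -d unlabelednet`) is how to restore enforcement. The trailing empty line after the allow rule can also go.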
diff --git a/policy/modules/roles/auditadm.te b/policy/modules/roles/auditadm.te
index 834a065de..ff9369756 100644
--- a/policy/modules/roles/auditadm.te
+++ b/policy/modules/roles/auditadm.te
@@ -7,7 +7,7 @@ policy_module(auditadm, 2.2.0)
 
 role auditadm_r;
 role system_r;
-userdom_unpriv_user_template(auditadm)
+userdom_confined_admin_template(auditadm)
 
 ########################################
 #
@@ -22,16 +22,23 @@ corecmd_exec_shell(auditadm_t)
 
 domain_kill_all_domains(auditadm_t)
 
+mls_file_read_all_levels(auditadm_t)
+
+selinux_read_policy(auditadm_t)
+
 logging_send_syslog_msg(auditadm_t)
 logging_read_generic_logs(auditadm_t)
 logging_manage_audit_log(auditadm_t)
 logging_manage_audit_config(auditadm_t)
 logging_run_auditctl(auditadm_t, auditadm_r)
 logging_run_auditd(auditadm_t, auditadm_r)
+logging_stream_connect_syslog(auditadm_t)
 
 seutil_run_runinit(auditadm_t, auditadm_r)
 seutil_read_bin_policy(auditadm_t)
 
+userdom_dontaudit_search_admin_dir(auditadm_t)
+
 optional_policy(`
 	consoletype_exec(auditadm_t)
 ')
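Review bot: `mls_file_read_all_levels(auditadm_t)` is an MLS override (read files at all levels) granted unconditionally to the audit admin, and nothing in the hunk says why the existing logging_read_generic_logs and logging_manage_audit_log calls are not enough. If the motivation is audit logs stored at multiple sensitivity levels, a comment above the call such as `# audit logs may be labeled at any MLS level` would make that visible; if it is broader, an MLS override in a role domain deserves a sentence of justification. The auditadm local policy block starts outside the hunk.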
diff --git a/policy/modules/roles/logadm.te b/policy/modules/roles/logadm.te
index 3a45a3ef0..7499f24b5 100644
--- a/policy/modules/roles/logadm.te
+++ b/policy/modules/roles/logadm.te
@@ -7,13 +7,12 @@ policy_module(logadm, 1.0.0)
 
 role logadm_r;
 
-userdom_base_user_template(logadm)
+userdom_confined_admin_template(logadm)
 
 ########################################
 #
 # logadmin local policy
 #
 
-allow logadm_t self:capability { dac_override dac_read_search kill sys_ptrace sys_nice };
-
+allow logadm_t self:capability { dac_override dac_read_search kill sys_nice };
 logging_admin(logadm_t, logadm_r)
diff --git a/policy/modules/roles/secadm.te b/policy/modules/roles/secadm.te
index da111206f..621ec5afc 100644
--- a/policy/modules/roles/secadm.te
+++ b/policy/modules/roles/secadm.te
@@ -7,8 +7,11 @@ policy_module(secadm, 2.4.0)
 
 role secadm_r;
 
-userdom_unpriv_user_template(secadm)
-userdom_security_admin_template(secadm_t, secadm_r)
+userdom_confined_admin_template(secadm)
+userdom_security_admin(secadm_t, secadm_r)
+userdom_inherit_append_admin_home_files(secadm_t)
+userdom_read_admin_home_files(secadm_t)
+userdom_manage_tmp_role(secadm_r, secadm_t)
 
 ########################################
 #
@@ -17,9 +20,12 @@ userdom_security_admin_template(secadm_t, secadm_r)
 
 allow secadm_t self:capability { dac_read_search dac_override };
 
+kernel_read_system_state(secadm_t)
+
 corecmd_exec_shell(secadm_t)
 
 dev_relabel_all_dev_nodes(secadm_t)
+dev_read_urand(secadm_t)
 
 domain_obj_id_change_exemption(secadm_t)
 
@@ -30,8 +36,7 @@ mls_file_upgrade(secadm_t)
 mls_file_downgrade(secadm_t)
 
 auth_role(secadm_r, secadm_t)
-files_relabel_non_auth_files(secadm_t)
-auth_relabel_shadow(secadm_t)
+files_relabel_all_files(secadm_t)
 
 init_exec(secadm_t)
 
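Review bot: Replacing `files_relabel_non_auth_files` plus `auth_relabel_shadow` with `files_relabel_all_files(secadm_t)` presumably widens secadm's relabel rights to every file type rather than the targeted pair the old lines covered; that is plausible for a security administrator, but a short comment above the call stating that secadm must be able to relabel every type, auth files included, would keep the intent visible the next time this role is audited. Nothing else in the hunk documents the change.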
diff --git a/policy/modules/roles/staff.if b/policy/modules/roles/staff.if
index 234a940f9..a92415a9d 100644
--- a/policy/modules/roles/staff.if
+++ b/policy/modules/roles/staff.if
@@ -1,4 +1,20 @@
-## <summary>Administrator's unprivileged user role</summary>
+## <summary>Administrator's unprivileged user</summary>
+
+#####################################
+## <summary>
+##  staff stub userdomain interface.  No access allowed.
+## </summary>
+## <param name="domain" unused="true">
+##  <summary>
+##  Domain allowed access
+##  </summary>
+## </param>
+#
+interface(`staff_stub',`
+    gen_require(`
+        type staff_t;
+    ')
+')
 
 ########################################
 ## <summary>
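Review bot: The new `staff_stub` interface is indented with four spaces while the rest of this file and the sibling `sysadm_stub` added to sysadm.if use tabs; refpolicy style is tabs, so the `gen_require` block and its `type staff_t;` line should be re-indented accordingly. The file summary also lost the word "role" ("Administrator's unprivileged user"), which reads less precisely than the line it replaces.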
diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
index 0fef1fca2..25e60c8d3 100644
--- a/policy/modules/roles/staff.te
+++ b/policy/modules/roles/staff.te
@@ -8,12 +8,73 @@ policy_module(staff, 2.4.0)
 role staff_r;
 
 userdom_unpriv_user_template(staff)
+fs_exec_noxattr(staff_t)
+
+## <desc>
+## <p>
+## allow staff user to create and transition to svirt domains.
+## </p>
+## </desc>
+gen_tunable(staff_use_svirt, false)
 
 ########################################
 #
 # Local policy
 #
 
+kernel_read_ring_buffer(staff_t)
+kernel_getattr_core_if(staff_t)
+kernel_getattr_message_if(staff_t)
+kernel_read_software_raid_state(staff_t)
+kernel_read_fs_sysctls(staff_t)
+kernel_read_numa_state(staff_t)
+kernel_write_numa_state(staff_t)
+
+fs_read_hugetlbfs_files(staff_t)
+files_dontaudit_read_all_symlinks(staff_t)
+fs_read_tmpfs_files(staff_t)
+
+dev_read_cpuid(staff_t)
+dev_read_kmsg(staff_t)
+
+domain_read_all_domains_state(staff_t)
+domain_getcap_all_domains(staff_t)
+domain_getsched_all_domains(staff_t)
+domain_getattr_all_domains(staff_t)
+domain_obj_id_change_exemption(staff_t)
+
+files_read_kernel_modules(staff_t)
+
+seutil_read_module_store(staff_t)
+seutil_run_newrole(staff_t, staff_r)
+seutil_dbus_chat_semanage(staff_t)
+seutil_read_login_config(staff_t)
+
+storage_read_scsi_generic(staff_t)
+storage_write_scsi_generic(staff_t)
+
+term_use_unallocated_ttys(staff_t)
+
+auth_domtrans_pam_console(staff_t)
+
+init_dbus_chat(staff_t)
+init_dbus_chat_script(staff_t)
+init_status(staff_t)
+
+miscfiles_read_hwdata(staff_t)
+
+ifndef(`enable_mls',`
+	selinux_read_policy(staff_t)
+')
+
+optional_policy(`
+	abrt_read_cache(staff_t)
+')
+
+optional_policy(`
+	accountsd_read_lib_files(staff_t)
+')
+
 optional_policy(`
 	apache_role(staff_r, staff_t)
 ')
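Review bot: `fs_exec_noxattr(staff_t)` is placed in the declarations section, above the `# Local policy` header, and should move down with the other rules. Several of the new unconditional grants to the staff domain — `storage_write_scsi_generic(staff_t)`, `kernel_write_numa_state(staff_t)`, `domain_obj_id_change_exemption(staff_t)` and `term_use_unallocated_ttys(staff_t)` — are write- or exemption-level permissions on a role that the file summary describes as unprivileged, and none carries a comment naming the tool that needs it. Suggest a one-line why-comment on each (`# for <tool> — fill in`) and, for the device writes, a tunable so the default stays read-only; I cannot tell from the hunk which userland program motivated them.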
@@ -22,33 +83,204 @@ optional_policy(`
 	auditadm_role_change(staff_r)
 ')
 
+optional_policy(`
+	blueman_dbus_chat(staff_t)
+')
+
+optional_policy(`
+	kdumpgui_dbus_chat(staff_t)
+')
+
+optional_policy(`
+	bluetooth_role(staff_r, staff_t)
+')
+
+optional_policy(`
+	chrome_role(staff_r, staff_t)
+')
+
+optional_policy(`
+	colord_dbus_chat(staff_t)
+')
+
 optional_policy(`
 	dbadm_role_change(staff_r)
 ')
 
 optional_policy(`
-	git_role(staff_r, staff_t)
+    container_stream_connect(staff_t)
+    container_runtime_exec(staff_t)
+')
+
+optional_policy(`
+    dirsrv_stream_connect(staff_t)
+    dirsrv_manage_log(staff_t)
+    dirsrv_manage_var_lib(staff_t)
+    dirsrv_manage_var_run(staff_t)
+    dirsrv_manage_config(staff_t)
+')
+
+optional_policy(`
+	dnsmasq_read_pid_files(staff_t)
+')
+
+optional_policy(`
+	dmesg_exec(staff_t)
+')
+
+optional_policy(`
+	firewalld_dbus_chat(staff_t)
+')
+
+optional_policy(`
+	firewallgui_dbus_chat(staff_t)
+')
+
+optional_policy(`
+	freqset_run(staff_t, staff_r)
+')
+
+optional_policy(`
+    fwupd_dbus_chat(staff_t)
+    fwupd_read_cache_files(staff_t)
+')
+
+optional_policy(`
+	irc_role(staff_r, staff_t)
+')
+
+optional_policy(`
+	journalctl_role(staff_r, staff_t)
+')
+
+optional_policy(`
+	kerneloops_dbus_chat(staff_t)
+')
+
+optional_policy(`
+	logadm_role_change(staff_r)
+')
+
+optional_policy(`
+	lpd_list_spool(staff_t)
+')
+
+optional_policy(`
+	mock_role(staff_r, staff_t)
+')
+
+optional_policy(`
+	mozilla_run_plugin(staff_t, staff_r)
+')
+
+optional_policy(`
+	modutils_read_module_config(staff_t)
+	modutils_read_module_deps(staff_t)
+')
+
+optional_policy(`
+	netutils_run_ping(staff_t, staff_r)
+	netutils_run_traceroute(staff_t, staff_r)
+	netutils_signal_ping(staff_t)
+	netutils_kill_ping(staff_t)
+')
+
+optional_policy(`
+	oident_manage_user_content(staff_t)
+	oident_relabel_user_content(staff_t)
+')
+
+optional_policy(`
+	mta_role(staff_r, staff_t)
+')
+
+optional_policy(`
+	mysql_exec(staff_t)
+')
+
+optional_policy(`
+	polipo_role(staff_r, staff_t)
+	polipo_named_filetrans_cache_home_dirs(staff_t)
+	polipo_named_filetrans_config_home_files(staff_t)
+')
+
+optional_policy(`
+    openvpn_exec(staff_t)
 ')
 
 optional_policy(`
 	postgresql_role(staff_r, staff_t)
 ')
 
+optional_policy(`
+	rtkit_scheduled(staff_t)
+')
+
+optional_policy(`
+	rpm_dbus_chat(staff_t)
+')
+
+optional_policy(`
+	rwho_read_spool_files(staff_t)
+')
+
 optional_policy(`
 	secadm_role_change(staff_r)
 ')
 
 optional_policy(`
-	ssh_role_template(staff, staff_r, staff_t)
+	sandbox_transition(staff_t, staff_r)
 ')
 
 optional_policy(`
-	sudo_role_template(staff, staff_r, staff_t)
+	sandbox_x_transition(staff_t, staff_r)
+')
+
+optional_policy(`
+	screen_role_template(staff, staff_r, staff_t)
 ')
 
 optional_policy(`
 	sysadm_role_change(staff_r)
 	userdom_dontaudit_use_user_terminals(staff_t)
+    userdom_dontaudit_read_admin_home_files(staff_t)
+')
+
+optional_policy(`
+	systemd_read_unit_files(staff_t)
+	systemd_exec_systemctl(staff_t)
+')
+
+optional_policy(`
+	setroubleshoot_stream_connect(staff_t)
+	setroubleshoot_dbus_chat(staff_t)
+	setroubleshoot_dbus_chat_fixit(staff_t)
+')
+
+optional_policy(`
+	ssh_role_template(staff, staff_r, staff_t)
+')
+
+optional_policy(`
+	sudo_role_template(staff, staff_r, staff_t)
+')
+
+optional_policy(`
+	userhelper_console_role_template(staff, staff_r, staff_t)
+')
+
+optional_policy(`
+	unconfined_role_change(staff_r)
+')
+
+optional_policy(`
+	usbmuxd_stream_connect(staff_t)
+')
+
+optional_policy(`
+	virt_getattr_exec(staff_t)
+	virt_search_images(staff_t)
+	virt_stream_connect(staff_t)
 ')
 
 optional_policy(`
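Review bot: `unconfined_role_change(staff_r)` introduces a role-change path from the confined staff role to unconfined_r whenever the unconfineduser module is loaded, and the hunk gives no comment on why the confined role should be able to reach it; at minimum a comment, and preferably a tunable, should gate it. `git_role(staff_r, staff_t)` is removed and not re-added anywhere visible in this diff, so please confirm that drop is intentional rather than a casualty of the container block replacing it. The `dirsrv_manage_config`/`dirsrv_manage_var_lib`/`dirsrv_manage_var_run` grants give a non-admin role write access to directory-server configuration and state, which also deserves a comment or tunable. Separately, the container, dirsrv, fwupd, openvpn and `userdom_dontaudit_read_admin_home_files` lines use four-space indentation where the file uses tabs; the same mixed indentation appears in the vmtools block of the next hunk and in the dirsrv, systemd dbus, `ipsec_read_pid`, `iptables_filetrans_named_content`, ldap, screen capability, `systemd_exec_sysctl` and vmtools lines of the sysadm.te hunks.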
@@ -56,7 +288,20 @@ optional_policy(`
 ')
 
 optional_policy(`
-	xserver_role(staff_r, staff_t)
+    vmtools_run_helper(staff_t, staff_r)
+')
+
+optional_policy(`
+	vnstatd_read_lib_files(staff_t)
+')
+
+optional_policy(`
+	webadm_role_change(staff_r)
+')
+
+optional_policy(`
+	xserver_read_log(staff_t)
+	xserver_run(staff_t, staff_r)
 ')
 
 ifndef(`distro_redhat',`
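Review bot: `xserver_role(staff_r, staff_t)` is replaced here by `xserver_read_log(staff_t)` + `xserver_run(staff_t, staff_r)`, which is a different contract — the role template is gone and a domain transition into the X server domain is added — and nothing visible in this diff re-adds the role elsewhere for staff. If the role template now comes from somewhere else (a distro block or the userdom template), a comment such as `# xserver_role is provided by <module> — fill in` next to `xserver_run` would stop the next reader from re-adding it.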
@@ -64,10 +309,6 @@ ifndef(`distro_redhat',`
 		auth_role(staff_r, staff_t)
 	')
 
-	optional_policy(`
-		bluetooth_role(staff_r, staff_t)
-	')
-
 	optional_policy(`
 		cdrecord_role(staff_r, staff_t)
 	')
@@ -78,10 +319,6 @@ ifndef(`distro_redhat',`
 
 	optional_policy(`
 		dbus_role_template(staff, staff_r, staff_t)
-
-		optional_policy(`
-			gnome_role_template(staff, staff_r, staff_t)
-		')
 	')
 
 	optional_policy(`
@@ -100,10 +337,6 @@ ifndef(`distro_redhat',`
 		gpg_role(staff_r, staff_t)
 	')
 
-	optional_policy(`
-		irc_role(staff_r, staff_t)
-	')
-
 	optional_policy(`
 		java_role(staff_r, staff_t)
 	')
@@ -124,10 +357,6 @@ ifndef(`distro_redhat',`
 		mplayer_role(staff_r, staff_t)
 	')
 
-	optional_policy(`
-		mta_role(staff_r, staff_t)
-	')
-
 	optional_policy(`
 		pyzor_role(staff_r, staff_t)
 	')
@@ -140,10 +369,6 @@ ifndef(`distro_redhat',`
 		rssh_role(staff_r, staff_t)
 	')
 
-	optional_policy(`
-		screen_role_template(staff, staff_r, staff_t)
-	')
-
 	optional_policy(`
 		spamassassin_role(staff_r, staff_t)
 	')
@@ -176,3 +401,24 @@ ifndef(`distro_redhat',`
 		wireshark_role(staff_r, staff_t)
 	')
 ')
+
+tunable_policy(`selinuxuser_execmod',`
+	userdom_execmod_user_home_files(staff_t)
+')
+
+optional_policy(`
+	virt_transition_svirt(staff_t, staff_r)
+	virt_filetrans_home_content(staff_t)
+')
+
+optional_policy(`
+	tunable_policy(`staff_use_svirt',`
+		allow staff_t self:fifo_file relabelfrom;
+		dev_rw_kvm(staff_t)
+		virt_manage_images(staff_t)
+		virt_stream_connect_svirt(staff_t)
+		virt_systemctl(staff_t)
+		virt_rw_stream_sockets_svirt(staff_t)
+		virt_exec(staff_t)
+	')
+')
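Review bot: The `staff_use_svirt` tunable declared earlier in this file is described as "allow staff user to create and transition to svirt domains", but `virt_transition_svirt(staff_t, staff_r)` and `virt_filetrans_home_content(staff_t)` sit in the unconditional `optional_policy` block above the tunable, so the transition is granted regardless of the boolean and only the image/KVM/socket access is gated. Either move those two calls inside the `tunable_policy(`staff_use_svirt',` block or reword the tunable's `<desc>` to say it controls image management and KVM access only. The raw `allow staff_t self:fifo_file relabelfrom;` inside the tunable would also benefit from a one-line comment naming the virt operation that relabels staff's pipes; `selinuxuser_execmod` is not declared in this diff, so I assume it is a global tunable.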
diff --git a/policy/modules/roles/sysadm.if b/policy/modules/roles/sysadm.if
index ff9243078..36740eab3 100644
--- a/policy/modules/roles/sysadm.if
+++ b/policy/modules/roles/sysadm.if
@@ -70,6 +70,23 @@ interface(`sysadm_shell_domtrans',`
 	allow sysadm_t $1:process sigchld;
 ')
 
+#######################################
+## <summary>
+##  sysadm stub interface.  No access allowed.
+## </summary>
+## <param name="domain" unused="true">
+##  <summary>
+##  Domain allowed access
+##  </summary>
+## </param>
+#
+interface(`sysadm_stub',`
+	gen_require(`
+		type sysadm_t;
+		role sysadm_r;
+	')
+')
+
 ########################################
 ## <summary>
 ##	Execute a generic bin program in the sysadm domain.
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 2522ca6c0..893235199 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -5,39 +5,102 @@ policy_module(sysadm, 2.6.1)
 # Declarations
 #
 
-## <desc>
-## <p>
-## Allow sysadm to debug or ptrace all processes.
-## </p>
-## </desc>
-gen_tunable(allow_ptrace, false)
-
 role sysadm_r;
 
 userdom_admin_user_template(sysadm)
+allow sysadm_t self:netlink_tcpdiag_socket create_netlink_socket_perms;
 
-ifndef(`enable_mls',`
-	userdom_security_admin_template(sysadm_t, sysadm_r)
-')
 
 ########################################
 #
 # Local policy
 #
+kernel_read_fs_sysctls(sysadm_t)
+kernel_read_all_proc(sysadm_t)
 
 corecmd_exec_shell(sysadm_t)
 
+dev_filetrans_all_named_dev(sysadm_t)
+
+domain_dontaudit_read_all_domains_state(sysadm_t)
+
+files_read_kernel_modules(sysadm_t)
+files_filetrans_named_content(sysadm_t)
+files_status_etc(sysadm_t)
+
+fs_mount_fusefs(sysadm_t)
+
+storage_filetrans_all_named_dev(sysadm_t)
+
+term_filetrans_all_named_dev(sysadm_t)
+
 mls_process_read_up(sysadm_t)
+mls_file_read_all_levels(sysadm_t)
+mls_file_write_all_levels(sysadm_t)
+mls_file_read_to_clearance(sysadm_t)
+mls_process_write_to_clearance(sysadm_t)
+
+storage_setattr_fixed_disk_dev(sysadm_t)
 
 ubac_process_exempt(sysadm_t)
 ubac_file_exempt(sysadm_t)
 ubac_fd_exempt(sysadm_t)
 
+application_exec(sysadm_t)
+
+init_filetrans_named_content(sysadm_t)
+init_disable_services(sysadm_t)
+init_enable_services(sysadm_t)
+init_reload_services(sysadm_t)
 init_exec(sysadm_t)
+init_exec_script_files(sysadm_t)
+init_dbus_chat(sysadm_t)
+init_script_role_transition(sysadm_r)
+init_status(sysadm_t)
+init_reboot(sysadm_t)
+init_halt(sysadm_t)
+init_undefined(sysadm_t)
+
+logging_filetrans_named_content(sysadm_t)
+
+miscfiles_filetrans_named_content(sysadm_t)
+miscfiles_read_hwdata(sysadm_t)
+
+sysnet_filetrans_named_content(sysadm_t)
 
 # Add/remove user home directories
+userdom_manage_user_tmp_chr_files(sysadm_t)
 userdom_manage_user_home_dirs(sysadm_t)
 userdom_home_filetrans_user_home_dir(sysadm_t)
+userdom_manage_tmp_role(sysadm_r, sysadm_t)
+userdom_exec_admin_home_files(sysadm_t)
+
+optional_policy(`
+	abrt_filetrans_named_content(sysadm_t)
+')
+
+optional_policy(`
+	alsa_filetrans_named_content(sysadm_t)
+')
+
+optional_policy(`
+	container_stream_connect(sysadm_t)
+')
+
+optional_policy(`
+    dirsrv_domtrans(sysadm_t)
+    dirsrv_stream_connect(sysadm_t)
+    dirsrv_manage_log(sysadm_t)
+    dirsrv_manage_var_lib(sysadm_t)
+    dirsrv_manage_var_run(sysadm_t)
+    dirsrv_manage_config(sysadm_t)
+    dirsrv_run(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	ssh_filetrans_admin_home_content(sysadm_t)
+	ssh_filetrans_keys(sysadm_t)
+')
 
 ifdef(`direct_sysadm_daemon',`
 	optional_policy(`
@@ -55,13 +118,7 @@ ifdef(`distro_gentoo',`
 	init_exec_rc(sysadm_t)
 ')
 
-ifndef(`enable_mls',`
-	logging_manage_audit_log(sysadm_t)
-	logging_manage_audit_config(sysadm_t)
-	logging_run_auditctl(sysadm_t, sysadm_r)
-')
-
-tunable_policy(`allow_ptrace',`
+tunable_policy(`deny_ptrace',`',`
 	domain_ptrace_all_domains(sysadm_t)
 ')
 
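Review bot: `tunable_policy(`deny_ptrace',`',`` inverts the default of the rule it replaces: the old `allow_ptrace` boolean was declared `false` in this file, so `domain_ptrace_all_domains(sysadm_t)` was off unless an admin turned it on, whereas with a `deny_ptrace` boolean that defaults to false (its declaration is not in this diff, so presumably global) sysadm_t can ptrace every domain by default. If that default change is intended it should be called out in the commit message; otherwise check the declared default of `deny_ptrace`. The empty first branch is legal m4 but a comment like `# ptrace of all domains is allowed unless deny_ptrace is set` would make the inverted form obvious to the next reader.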
@@ -71,9 +128,9 @@ optional_policy(`
 
 optional_policy(`
 	apache_run_helper(sysadm_t, sysadm_r)
+	apache_filetrans_named_content(sysadm_t)
 	#apache_run_all_scripts(sysadm_t, sysadm_r)
 	#apache_domtrans_sys_script(sysadm_t)
-	apache_role(sysadm_r, sysadm_t)
 ')
 
 optional_policy(`
@@ -87,6 +144,7 @@ optional_policy(`
 
 optional_policy(`
 	asterisk_stream_connect(sysadm_t)
+	asterisk_exec(sysadm_t)
 ')
 
 optional_policy(`
@@ -109,12 +167,18 @@ optional_policy(`
 	bootloader_run(sysadm_t, sysadm_r)
 ')
 
+optional_policy(`
+	certmonger_dbus_chat(sysadm_t)
+')
+
 optional_policy(`
 	certwatch_run(sysadm_t, sysadm_r)
 ')
 
 optional_policy(`
 	clock_run(sysadm_t, sysadm_r)
+	clock_manage_adjtime(sysadm_t)
+	clock_filetrans_named_content(sysadm_t)
 ')
 
 optional_policy(`
@@ -122,11 +186,27 @@ optional_policy(`
 ')
 
 optional_policy(`
-	consoletype_run(sysadm_t, sysadm_r)
+	cron_admin_role(sysadm_r, sysadm_t)
 ')
 
 optional_policy(`
-	cvs_exec(sysadm_t)
+	consoletype_exec(sysadm_t)
+')
+
+optional_policy(`
+    daemonstools_run_start(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	dbus_role_template(sysadm, sysadm_r, sysadm_t)
+
+	dontaudit sysadm_dbusd_t self:capability net_admin;
+
+    optional_policy(`
+        systemd_dbus_chat_timedated(sysadm_t)
+        systemd_dbus_chat_hostnamed(sysadm_t)
+        systemd_dbus_chat_localed(sysadm_t)
+    ')
 ')
 
 optional_policy(`
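Review bot: `dbus_role_template(sysadm, sysadm_r, sysadm_t)` is now called in the common section, but the same call remains inside the `ifndef(`distro_redhat',` block further down (it is a context line in the `-434` hunk of this file), so non-Red Hat builds expand the template twice; since the template declares types (`sysadm_dbusd_t` is used on the very next line), that is likely a duplicate-declaration build error rather than a harmless repeat, and the copy in the distro block should be removed. `cvs_exec(sysadm_t)` is dropped with no replacement visible in this diff, and `consoletype_run` becoming `consoletype_exec` removes the domain transition; both deserve a line in the commit message if intentional. The nested systemd `optional_policy` block uses four-space indentation where the file uses tabs.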
@@ -139,6 +219,10 @@ optional_policy(`
 	ddcprobe_run(sysadm_t, sysadm_r)
 ')
 
+optional_policy(`
+	devicekit_filetrans_named_content(sysadm_t)
+')
+
 optional_policy(`
 	dmesg_exec(sysadm_t)
 ')
@@ -155,6 +239,10 @@ optional_policy(`
 	firstboot_run(sysadm_t, sysadm_r)
 ')
 
+optional_policy(`
+	firewalld_dbus_chat(sysadm_t)
+')
+
 optional_policy(`
 	fstools_run(sysadm_t, sysadm_r)
 ')
@@ -163,6 +251,11 @@ optional_policy(`
 	hostname_run(sysadm_t, sysadm_r)
 ')
 
+optional_policy(`
+	hwloc_admin(sysadm_t)
+	hwloc_run_dhwd(sysadm_t, sysadm_r)
+')
+
 optional_policy(`
 	hadoop_role(sysadm_r, sysadm_t)
 ')
@@ -172,13 +265,31 @@ optional_policy(`
 	# at things (e.g., ipsec auto --status)
 	# probably should create an ipsec_admin role for this kind of thing
 	ipsec_exec_mgmt(sysadm_t)
+    ipsec_read_pid(sysadm_t)
 	ipsec_stream_connect(sysadm_t)
 	# for lsof
 	ipsec_getattr_key_sockets(sysadm_t)
+	ipsec_run_setkey(sysadm_t, sysadm_r)
+	ipsec_run_racoon(sysadm_t, sysadm_r)
+	ipsec_stream_connect_racoon(sysadm_t)
+
+	optional_policy(`
+		ipsec_mgmt_dbus_chat(sysadm_t)
+	')
 ')
 
 optional_policy(`
 	iptables_run(sysadm_t, sysadm_r)
+    iptables_filetrans_named_content(sysadm_t)
+')
+
+optional_policy(`
+	irc_role(sysadm_r, sysadm_t)
+')
+
+optional_policy(`
+	kerberos_exec_kadmind(sysadm_t)
+	kerberos_filetrans_named_content(sysadm_t)
 ')
 
 optional_policy(`
@@ -190,11 +301,12 @@ optional_policy(`
 ')
 
 optional_policy(`
-	lockdev_role(sysadm_r, sysadm_t)
+	logrotate_run(sysadm_t, sysadm_r)
 ')
 
 optional_policy(`
-	logrotate_run(sysadm_t, sysadm_r)
+    corenet_tcp_bind_ldap_port(sysadm_t)
+    ldap_admin(sysadm_t, sysadm_r)
 ')
 
 optional_policy(`
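Review bot: `corenet_tcp_bind_ldap_port(sysadm_t)` lets the interactive admin shell domain bind the LDAP port, which is unusual for a login domain and has no comment naming the administrative tool that needs it. Suggest `# <tool> run from sysadm_t binds the ldap port — fill in` above the call, or moving the bind into that tool's own domain if one exists; the block is otherwise tied to the ldap module via `ldap_admin`, which is fine.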
@@ -210,22 +322,21 @@ optional_policy(`
 	modutils_run_depmod(sysadm_t, sysadm_r)
 	modutils_run_insmod(sysadm_t, sysadm_r)
 	modutils_run_update_mods(sysadm_t, sysadm_r)
+	modutils_read_module_deps(sysadm_t)
+	modules_filetrans_named_content(sysadm_t)
 ')
 
 optional_policy(`
 	mount_run(sysadm_t, sysadm_r)
-')
-
-optional_policy(`
-	mozilla_role(sysadm_r, sysadm_t)
-')
-
-optional_policy(`
-	mplayer_role(sysadm_r, sysadm_t)
+	mount_run_showmount(sysadm_t, sysadm_r)
 ')
 
 optional_policy(`
 	mta_role(sysadm_r, sysadm_t)
+	# this is defined in userdom_common_user_template
+	#mta_filetrans_home_content(sysadm_t)
+	mta_filetrans_admin_home_content(sysadm_t)
+	mta_rw_aliases(sysadm_t)
 ')
 
 optional_policy(`
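Review bot: `modules_filetrans_named_content(sysadm_t)` uses the prefix `modules_` while every other call in that block uses `modutils_`; if no module named `modules` provides that interface, m4 leaves the call unexpanded and the build fails (or, depending on the build, the whole optional block is silently disabled), so please verify the name against the interface file that defines it. The mta block keeps a commented-out `#mta_filetrans_home_content(sysadm_t)` as dead code; the explanatory comment alone is enough, e.g. `# home-content filetrans already comes from userdom_common_user_template`.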
@@ -236,25 +347,53 @@ optional_policy(`
 	mysql_stream_connect(sysadm_t)
 ')
 
+optional_policy(`
+	ncftool_run(sysadm_t, sysadm_r)
+')
+
 optional_policy(`
 	netutils_run(sysadm_t, sysadm_r)
 	netutils_run_ping(sysadm_t, sysadm_r)
 	netutils_run_traceroute(sysadm_t, sysadm_r)
 ')
 
+optional_policy(`
+	networkmanager_filetrans_named_content(sysadm_t)
+	networkmanager_stream_connect(sysadm_t)
+')
+
 optional_policy(`
 	ntp_stub()
 	corenet_udp_bind_ntp_port(sysadm_t)
+	ntp_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	nx_filetrans_named_content(sysadm_t)
+')
+
+optional_policy(`
+	oddjob_dbus_chat(sysadm_t)
 ')
 
 optional_policy(`
 	oav_run_update(sysadm_t, sysadm_r)
 ')
 
+optional_policy(`
+	openvpn_run(sysadm_t, sysadm_r)
+')
+
 optional_policy(`
 	pcmcia_run_cardctl(sysadm_t, sysadm_r)
 ')
 
+optional_policy(`
+	polipo_role(sysadm_r, sysadm_t)
+	polipo_named_filetrans_admin_cache_home_dirs(sysadm_t)
+	polipo_named_filetrans_admin_config_home_files(sysadm_t)
+')
+
 optional_policy(`
 	portage_run(sysadm_t, sysadm_r)
 	portage_run_fetch(sysadm_t, sysadm_r)
@@ -266,35 +405,46 @@ optional_policy(`
 ')
 
 optional_policy(`
-	pyzor_role(sysadm_r, sysadm_t)
+	postfix_admin(sysadm_t, sysadm_r)
 ')
 
 optional_policy(`
-	quota_run(sysadm_t, sysadm_r)
+	postgresql_admin(sysadm_t, sysadm_r)
+	postgresql_run(sysadm_t, sysadm_r)
 ')
 
 optional_policy(`
-	raid_run_mdadm(sysadm_r, sysadm_t)
+	journalctl_role(sysadm_r, sysadm_t)
 ')
 
 optional_policy(`
-	razor_role(sysadm_r, sysadm_t)
+	prelink_run(sysadm_t, sysadm_r)
 ')
 
 optional_policy(`
-	rpc_domtrans_nfsd(sysadm_t)
+	puppet_run_puppetca(sysadm_t, sysadm_r)
 ')
 
 optional_policy(`
-	rpm_run(sysadm_t, sysadm_r)
+	quota_filetrans_named_content(sysadm_t)
 ')
 
 optional_policy(`
-	rssh_role(sysadm_r, sysadm_t)
+	raid_domtrans_mdadm(sysadm_t)
+')
+
+optional_policy(`
+	rpc_domtrans_nfsd(sysadm_t)
+')
+
+optional_policy(`
+	rpm_run(sysadm_t, sysadm_r)
+	rpm_dbus_chat(sysadm_t, sysadm_r)
 ')
 
 optional_policy(`
 	rsync_exec(sysadm_t)
+	rsync_filetrans_named_content(sysadm_t)
 ')
 
 optional_policy(`
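Review bot: `rpm_dbus_chat(sysadm_t, sysadm_r)` passes two arguments, while the same interface is called with one in staff.te (`rpm_dbus_chat(staff_t)`); dbus_chat interfaces take a single domain and m4 silently ignores the extra `$2`, so either drop `sysadm_r` here or, if a role really is needed, this is a different interface. `raid_run_mdadm(sysadm_r, sysadm_t)` becomes `raid_domtrans_mdadm(sysadm_t)`, which drops the role allow; unless sysadm_r is given the mdadm domain elsewhere, the transition will fail on the role check. `quota_run(sysadm_t, sysadm_r)` is replaced by `quota_filetrans_named_content(sysadm_t)` with no run interface re-added anywhere visible, so please confirm that loss of quota tool transitions is intended.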
@@ -308,19 +458,28 @@ optional_policy(`
 
 optional_policy(`
 	screen_role_template(sysadm, sysadm_r, sysadm_t)
+    allow sysadm_screen_t self:capability { dac_read_search dac_override };
 ')
 
 optional_policy(`
 	secadm_role_change(sysadm_r)
 ')
 
+optional_policy(`
+	setroubleshoot_stream_connect(sysadm_t)
+	setroubleshoot_dbus_chat(sysadm_t)
+	setroubleshoot_dbus_chat_fixit(sysadm_t)
+')
+
 optional_policy(`
 	seutil_run_setfiles(sysadm_t, sysadm_r)
 	seutil_run_runinit(sysadm_t, sysadm_r)
+	seutil_dbus_chat_semanage(sysadm_t)
+	seutil_read_login_config(sysadm_t)
 ')
 
 optional_policy(`
-	spamassassin_role(sysadm_r, sysadm_t)
+	shutdown_run(sysadm_t, sysadm_r)
 ')
 
 optional_policy(`
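Review bot: `allow sysadm_screen_t self:capability { dac_read_search dac_override };` is a raw capability rule on a type declared by `screen_role_template`, placed in the caller rather than in the template that owns the type, and without a comment saying what screen does that needs `dac_override`. If it is needed for all screen role instances it belongs in the template; if it is sysadm-specific, add `# screen run from sysadm_r needs to <operation> — fill in` above it and check whether `dac_read_search` alone suffices. The line is also indented with spaces where the block uses tabs.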
@@ -345,30 +504,38 @@ optional_policy(`
 ')
 
 optional_policy(`
-	thunderbird_role(sysadm_r, sysadm_t)
+	systemd_passwd_agent_run(sysadm_t, sysadm_r)
+	systemd_config_all_services(sysadm_t)
+	systemd_manage_all_unit_files(sysadm_t)
+	systemd_manage_all_unit_lnk_files(sysadm_t)
+	systemd_login_status(sysadm_t)
+	systemd_login_reboot(sysadm_t)
+	systemd_login_halt(sysadm_t)
+	systemd_login_undefined(sysadm_t)
+	systemd_tmpfiles_run(sysadm_t, sysadm_r)
 ')
 
 optional_policy(`
-	tripwire_run_siggen(sysadm_t, sysadm_r)
-	tripwire_run_tripwire(sysadm_t, sysadm_r)
-	tripwire_run_twadmin(sysadm_t, sysadm_r)
-	tripwire_run_twprint(sysadm_t, sysadm_r)
+    systemd_exec_sysctl(sysadm_t)
 ')
 
 optional_policy(`
-	tvtime_role(sysadm_r, sysadm_t)
+	tftp_filetrans_named_content(sysadm_t)
 ')
 
 optional_policy(`
-	tzdata_domtrans(sysadm_t)
+	tripwire_run_siggen(sysadm_t, sysadm_r)
+	tripwire_run_tripwire(sysadm_t, sysadm_r)
+	tripwire_run_twadmin(sysadm_t, sysadm_r)
+	tripwire_run_twprint(sysadm_t, sysadm_r)
 ')
 
 optional_policy(`
-	uml_role(sysadm_r, sysadm_t)
+	tzdata_domtrans(sysadm_t)
 ')
 
 optional_policy(`
-	unconfined_domtrans(sysadm_t)
+	udev_run(sysadm_t, sysadm_r)
 ')
 
 optional_policy(`
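Review bot: `unconfined_domtrans(sysadm_t)` is removed from the block that now holds `udev_run` and nothing visible in this diff re-adds it, so sysadm_t no longer transitions to unconfined_t on this policy unless it is provided elsewhere; if that is intended it should be stated in the commit message, and if not it was probably lost in the reshuffle of this block. The `systemd_exec_sysctl(sysadm_t)` line uses four-space indentation where the file uses tabs.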
@@ -379,10 +546,6 @@ optional_policy(`
 	usbmodules_run(sysadm_t, sysadm_r)
 ')
 
-optional_policy(`
-	userhelper_role_template(sysadm, sysadm_r, sysadm_t)
-')
-
 optional_policy(`
 	usermanage_run_admin_passwd(sysadm_t, sysadm_r)
 	usermanage_run_groupadd(sysadm_t, sysadm_r)
@@ -391,6 +554,9 @@ optional_policy(`
 
 optional_policy(`
 	virt_stream_connect(sysadm_t)
+	virt_filetrans_home_content(sysadm_t)
+	virt_manage_pid_dirs(sysadm_t)
+	virt_transition_svirt_sandbox(sysadm_t, sysadm_r)
 ')
 
 optional_policy(`
@@ -398,30 +564,33 @@ optional_policy(`
 ')
 
 optional_policy(`
-	vpn_run(sysadm_t, sysadm_r)
+	vlock_run(sysadm_t, sysadm_r)
 ')
 
 optional_policy(`
-	webalizer_run(sysadm_t, sysadm_r)
+	vpn_run(sysadm_t, sysadm_r)
 ')
 
 optional_policy(`
-	wireshark_role(sysadm_r, sysadm_t)
+	webalizer_run(sysadm_t, sysadm_r)
 ')
 
 optional_policy(`
-	vlock_run(sysadm_t, sysadm_r)
+	xserver_role(sysadm_r, sysadm_t)
 ')
 
 optional_policy(`
-	xserver_role(sysadm_r, sysadm_t)
+	yam_run(sysadm_t, sysadm_r)
 ')
 
 optional_policy(`
-	yam_run(sysadm_t, sysadm_r)
+	zebra_stream_connect(sysadm_t)
 ')
 
 ifndef(`distro_redhat',`
+	optional_policy(`
+		apache_role(sysadm_r, sysadm_t)
+	')
 	optional_policy(`
 		auth_role(sysadm_r, sysadm_t)
 	')
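Review bot: `xserver_role(sysadm_r, sysadm_t)` is kept in the common section here and the same call is added again inside the `ifndef(`distro_redhat',` block by the last hunk of this file, so on non-Red Hat builds the interface expands twice — redundant at best, and a duplicate declaration if the interface declares anything. One of the two calls should go; if the Red Hat build is meant to get xserver through `xserver_run`/`xserver_read_log` elsewhere, keep only the copy inside the distro block and add `# Red Hat builds provide xserver access elsewhere` next to it.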
@@ -434,10 +603,6 @@ ifndef(`distro_redhat',`
 		cdrecord_role(sysadm_r, sysadm_t)
 	')
 
-	optional_policy(`
-		cron_admin_role(sysadm_r, sysadm_t)
-	')
-
 	optional_policy(`
 		dbus_role_template(sysadm, sysadm_r, sysadm_t)
 
@@ -459,15 +624,79 @@ ifndef(`distro_redhat',`
 	')
 
 	optional_policy(`
-		gpg_role(sysadm_r, sysadm_t)
+		gnome_role_template(sysadm, sysadm_r, sysadm_t)
+		gnome_filetrans_admin_home_content(sysadm_t)
 	')
 
 	optional_policy(`
-		irc_role(sysadm_r, sysadm_t)
+		gpg_role(sysadm_r, sysadm_t)
 	')
 
 	optional_policy(`
 		java_role(sysadm_r, sysadm_t)
 	')
-')
 
+	optional_policy(`
+		lockdev_role(sysadm_r, sysadm_t)
+	')
+
+	optional_policy(`
+		mock_admin(sysadm_t)
+	')
+
+	optional_policy(`
+		mozilla_role(sysadm_r, sysadm_t)
+	')
+
+	optional_policy(`
+		mplayer_role(sysadm_r, sysadm_t)
+	')
+
+	optional_policy(`
+		pyzor_role(sysadm_r, sysadm_t)
+	')
+
+	optional_policy(`
+		razor_role(sysadm_r, sysadm_t)
+	')
+
+	optional_policy(`
+		rssh_role(sysadm_r, sysadm_t)
+	')
+
+	optional_policy(`
+		spamassassin_role(sysadm_r, sysadm_t)
+	')
+
+	optional_policy(`
+		thunderbird_role(sysadm_r, sysadm_t)
+	')
+
+	optional_policy(`
+		tvtime_role(sysadm_r, sysadm_t)
+	')
+
+	optional_policy(`
+		uml_role(sysadm_r, sysadm_t)
+	')
+
+	optional_policy(`
+		userhelper_role_template(sysadm, sysadm_r, sysadm_t)
+	')
+
+    optional_policy(`
+        vmtools_run_helper(sysadm_t, sysadm_r)
+    ')
+
+	optional_policy(`
+		vmware_role(sysadm_r, sysadm_t)
+	')
+
+	optional_policy(`
+		wireshark_role(sysadm_r, sysadm_t)
+	')
+
+	optional_policy(`
+		xserver_role(sysadm_r, sysadm_t)
+	')
+')
diff --git a/policy/modules/roles/sysadm_secadm.fc b/policy/modules/roles/sysadm_secadm.fc
new file mode 100644
index 000000000..ae3b6db92
--- /dev/null
+++ b/policy/modules/roles/sysadm_secadm.fc
@@ -0,0 +1 @@
+# No context
diff --git a/policy/modules/roles/sysadm_secadm.if b/policy/modules/roles/sysadm_secadm.if
new file mode 100644
index 000000000..bd83148e1
--- /dev/null
+++ b/policy/modules/roles/sysadm_secadm.if
@@ -0,0 +1 @@
+## <summary>No Interfaces</summary>
diff --git a/policy/modules/roles/sysadm_secadm.te b/policy/modules/roles/sysadm_secadm.te
new file mode 100644
index 000000000..63bc79792
--- /dev/null
+++ b/policy/modules/roles/sysadm_secadm.te
@@ -0,0 +1,25 @@
+policy_module(sysadm_secadm, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+gen_require(`
+	type sysadm_t;
+	role sysadm_r;
+')
+
+userdom_security_admin_template(sysadm_t, sysadm_r)
+
+#######################################
+#
+# Local policy
+#
+
+mls_file_write_all_levels(sysadm_t)
+
+logging_manage_audit_log(sysadm_t)
+logging_manage_audit_config(sysadm_t)
+logging_run_auditctl(sysadm_t, sysadm_r)
+logging_stream_connect_syslog(sysadm_t)
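Review bot: The new module grants `mls_file_write_all_levels(sysadm_t)`, but sysadm.te now grants the same interface unconditionally, so loading or removing sysadm_secadm does not change the MLS write reach of sysadm_t; if this module is meant to be the opt-in that turns the ordinary admin into a security admin, that grant should live only here. The file also lacks a purpose comment and the accompanying .if says only "No Interfaces"; suggest a header such as `# Optional module: gives sysadm_t the security-administrator abilities (audit log and audit config management, auditctl) otherwise reserved to secadm_r. Do not load it where a separate secadm role is wanted.`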
diff --git a/policy/modules/roles/unconfineduser.fc b/policy/modules/roles/unconfineduser.fc
new file mode 100644
index 000000000..d9efb902a
--- /dev/null
+++ b/policy/modules/roles/unconfineduser.fc
@@ -0,0 +1,8 @@
+# Add programs here which should not be confined by SELinux
+# e.g.:
+# /usr/local/bin/appsrv		--	gen_context(system_u:object_r:unconfined_exec_t,s0)
+# For the time being until someone writes a sane policy, we need initrc to transition to unconfined_t
+#/usr/bin/vncserver		--	gen_context(system_u:object_r:unconfined_exec_t,s0)
+
+#/usr/sbin/xrdp   --  gen_context(system_u:object_r:unconfined_exec_t,s0)
+#/usr/sbin/xrdp-sesman   --  gen_context(system_u:object_r:unconfined_exec_t,s0)
diff --git a/policy/modules/roles/unconfineduser.if b/policy/modules/roles/unconfineduser.if
new file mode 100644
index 000000000..ecc53819c
--- /dev/null
+++ b/policy/modules/roles/unconfineduser.if
@@ -0,0 +1,764 @@
+## <summary>Unconfined user role</summary>
+
+########################################
+## <summary>
+##	Change from the unconfineduser role.
+## </summary>
+## <desc>
+##	<p>
+##	Change from the unconfineduser role to
+##	the specified role.
+##	</p>
+##	<p>
+##	This is an interface to support third party modules
+##	and its use is not allowed in upstream reference
+##	policy.
+##	</p>
+## </desc>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`unconfined_role_change_to',`
+	gen_require(`
+		role unconfined_r;
+	')
+
+	allow unconfined_r $1;
+')
+
+########################################
+## <summary>
+##	Transition to the unconfined domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`unconfined_domtrans',`
+	gen_require(`
+		type unconfined_t, unconfined_exec_t;
+	')
+
+	domtrans_pattern($1,unconfined_exec_t,unconfined_t)
+')
+
+########################################
+## <summary>
+##	Execute specified programs in the unconfined domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to allow the unconfined domain.
+##	</summary>
+## </param>
+#
+interface(`unconfined_run',`
+	gen_require(`
+		type unconfined_t;
+	')
+
+	unconfined_domtrans($1)
+	role $2 types unconfined_t;
+')
+
+########################################
+## <summary>
+##	Transition to the unconfined domain by executing a shell.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`unconfined_shell_domtrans',`
+	gen_require(`
+		attribute unconfined_login_domain;
+	')
+	typeattribute $1 unconfined_login_domain;
+')
+
+########################################
+## <summary>
+##	Allow unconfined to execute the specified program in
+##	the specified domain.
+## </summary>
+## <desc>
+##	<p>
+##	Allow unconfined to execute the specified program in
+##	the specified domain.
+##	</p>
+##	<p>
+##	This is a interface to support third party modules
+##	and its use is not allowed in upstream reference
+##	policy.
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	Domain to execute in.
+##	</summary>
+## </param>
+## <param name="entry_file">
+##	<summary>
+##	Domain entry point file.
+##	</summary>
+## </param>
+#
+interface(`unconfined_domtrans_to',`
+	gen_require(`
+		type unconfined_t;
+	')
+
+	domtrans_pattern(unconfined_t,$2,$1)
+')
+
+########################################
+## <summary>
+##	Allow unconfined to execute the specified program in
+##	the specified domain.  Allow the specified domain the
+##	unconfined role and use of unconfined user terminals.
+## </summary>
+## <desc>
+##	<p>
+##	Allow unconfined to execute the specified program in
+##	the specified domain.  Allow the specified domain the
+##	unconfined role and use of unconfined user terminals.
+##	</p>
+##	<p>
+##	This is a interface to support third party modules
+##	and its use is not allowed in upstream reference
+##	policy.
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	Domain to execute in.
+##	</summary>
+## </param>
+## <param name="entry_file">
+##	<summary>
+##	Domain entry point file.
+##	</summary>
+## </param>
+#
+interface(`unconfined_run_to',`
+	gen_require(`
+		type unconfined_t;
+		role unconfined_r;
+	')
+
+	domtrans_pattern(unconfined_t,$2,$1)
+	role unconfined_r types $1;
+	userdom_use_user_terminals($1)
+')
+
+######################################
+## <summary>
+##      Stub unconfined role.
+## </summary>
+## <param name="domain_prefix">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`unconfined_stub_role',`
+        gen_require(`
+                role unconfined_r;
+        ')
+')
+
+########################################
+## <summary>
+##	Inherit file descriptors from the unconfined domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`unconfined_use_fds',`
+	gen_require(`
+		type unconfined_t;
+	')
+
+	allow $1 unconfined_t:fd use;
+')
+
+########################################
+## <summary>
+##	Send a SIGCHLD signal to the unconfined domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`unconfined_sigchld',`
+	gen_require(`
+		type unconfined_t;
+	')
+
+	allow $1 unconfined_t:process sigchld;
+')
+
+########################################
+## <summary>
+##	Send a SIGNULL signal to the unconfined domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`unconfined_signull',`
+	gen_require(`
+		type unconfined_t;
+	')
+
+	allow $1 unconfined_t:process signull;
+')
+
+########################################
+## <summary>
+##	Send generic signals to the unconfined domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`unconfined_signal',`
+	gen_require(`
+		type unconfined_t;
+	')
+
+	allow $1 unconfined_t:process signal;
+')
+
+########################################
+## <summary>
+##	Read unconfined domain unnamed pipes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`unconfined_read_pipes',`
+	gen_require(`
+		type unconfined_t;
+	')
+
+	allow $1 unconfined_t:fifo_file read_fifo_file_perms;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to read unconfined domain unnamed pipes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`unconfined_dontaudit_read_pipes',`
+	gen_require(`
+		type unconfined_t;
+	')
+
+	dontaudit $1 unconfined_t:fifo_file read;
+')
+
+########################################
+## <summary>
+##	Read and write unconfined domain unnamed pipes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`unconfined_rw_pipes',`
+	gen_require(`
+		type unconfined_t;
+	')
+
+	allow $1 unconfined_t:fifo_file rw_fifo_file_perms;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to read and write
+##	unconfined domain unnamed pipes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`unconfined_dontaudit_rw_pipes',`
+	gen_require(`
+		type unconfined_t;
+	')
+
+	dontaudit $1 unconfined_t:fifo_file rw_file_perms;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to read and write
+##	unconfined domain stream.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`unconfined_dontaudit_rw_stream',`
+	gen_require(`
+		type unconfined_t;
+	')
+
+	dontaudit $1 unconfined_t:unix_stream_socket rw_socket_perms;
+')
+
+########################################
+## <summary>
+##	Connect to the unconfined domain using
+##	a unix domain stream socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`unconfined_stream_connect',`
+	gen_require(`
+		type unconfined_t;
+	')
+
+	allow $1 unconfined_t:unix_stream_socket connectto;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to read or write
+##	unconfined domain tcp sockets.
+## </summary>
+## <desc>
+##	<p>
+##	Do not audit attempts to read or write
+##	unconfined domain tcp sockets.
+##	</p>
+##	<p>
+##	This interface was added due to a broken
+##	symptom in ldconfig.
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`unconfined_dontaudit_rw_tcp_sockets',`
+	gen_require(`
+		type unconfined_t;
+	')
+
+	dontaudit $1 unconfined_t:tcp_socket { read write };
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to read or write
+##	unconfined domain packet sockets.
+## </summary>
+## <desc>
+##	<p>
+##	Do not audit attempts to read or write
+##	unconfined domain packet sockets.
+##	</p>
+##	<p>
+##	This interface was added due to a broken
+##	symptom.
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`unconfined_dontaudit_rw_packet_sockets',`
+	gen_require(`
+		type unconfined_t;
+	')
+
+	dontaudit $1 unconfined_t:packet_socket { read write };
+')
+
+########################################
+## <summary>
+##	Create keys for the unconfined domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`unconfined_create_keys',`
+	gen_require(`
+		type unconfined_t;
+	')
+
+	allow $1 unconfined_t:key create;
+')
+
+########################################
+## <summary>
+##	Dontaudit write process information for unconfined process.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`unconfined_dontaudit_write_state',`
+	gen_require(`
+		type unconfined_t;
+	')
+
+	dontaudit $1 unconfined_t:file write;
+')
+
+########################################
+## <summary>
+##	Dontaudit read process information for unconfined process.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`unconfined_dontaudit_read_state',`
+	gen_require(`
+		type unconfined_t;
+	')
+
+	dontaudit $1 unconfined_t:dir list_dir_perms;
+	dontaudit $1 unconfined_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+##	Write keys for the unconfined domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`unconfined_write_keys',`
+	gen_require(`
+		type unconfined_t;
+	')
+
+	allow $1 unconfined_t:key write;
+')
+
+########################################
+## <summary>
+##	Send messages to the unconfined domain over dbus.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`unconfined_dbus_send',`
+	gen_require(`
+		type unconfined_t;
+		class dbus send_msg;
+	')
+
+	allow $1 unconfined_t:dbus send_msg;
+')
+
+########################################
+## <summary>
+##	Create communication channel with unconfined domain over dbus.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`unconfined_dbus_acquire_svc',`
+	gen_require(`
+		type unconfined_t;
+		class dbus acquire_svc;
+	')
+
+	allow $1 unconfined_t:dbus acquire_svc;
+')
+
+########################################
+## <summary>
+##	Send and receive messages from
+##	unconfined_t over dbus.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`unconfined_dbus_chat',`
+	gen_require(`
+		type unconfined_t;
+		class dbus send_msg;
+	')
+
+	allow $1 unconfined_t:dbus send_msg;
+	allow unconfined_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+##	Connect to the the unconfined DBUS
+##	for service (acquire_svc).
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`unconfined_dbus_connect',`
+	gen_require(`
+		type unconfined_t;
+		class dbus acquire_svc;
+	')
+
+	allow $1 unconfined_t:dbus acquire_svc;
+')
+
+########################################
+## <summary>
+##	Allow ptrace of unconfined domain
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`unconfined_ptrace',`
+	gen_require(`
+		type unconfined_t;
+	')
+
+	allow $1 unconfined_t:process ptrace;
+')
+
+########################################
+## <summary>
+##	Read and write to unconfined shared memory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`unconfined_rw_shm',`
+	gen_require(`
+		type unconfined_t;
+	')
+
+	allow $1 unconfined_t:shm rw_shm_perms;
+')
+
+########################################
+## <summary>
+##	Allow apps to set rlimits on unconfined user
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`unconfined_set_rlimitnh',`
+	gen_require(`
+		type unconfined_t;
+	')
+
+	allow $1 unconfined_t:process rlimitinh;
+')
+
+########################################
+## <summary>
+##	Allow apps to setsched on unconfined user
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`unconfined_setsched',`
+	gen_require(`
+		type unconfined_t;
+	')
+
+	allow $1 unconfined_t:process setsched;
+')
+
+########################################
+## <summary>
+##	Get the process group of unconfined.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`unconfined_getpgid',`
+	gen_require(`
+		type unconfined_t;
+	')
+
+	allow $1 unconfined_t:process getpgid;
+')
+
+########################################
+## <summary>
+##	Change to the unconfined role.
+## </summary>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`unconfined_role_change',`
+	gen_require(`
+		role unconfined_r;
+	')
+
+	allow $1 unconfined_r;
+')
+
+########################################
+## <summary>
+##	Allow domain to attach to TUN devices created by unconfined_t users.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`unconfined_attach_tun_iface',`
+	gen_require(`
+		type unconfined_t;
+	')
+
+	allow $1 unconfined_t:tun_socket relabelfrom;
+	allow $1 self:tun_socket relabelto;
+')
+
+########################################
+## <summary>
+##	Allow domain to transition to unconfined_t user
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="entrypoint">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`unconfined_transition',`
+	gen_require(`
+		type unconfined_t;
+	')
+
+	domtrans_pattern($1,$2,unconfined_t)
+	allow unconfined_t $2:file entrypoint;
+	allow $1 unconfined_t:process signal_perms;
+')
+
+########################################
+## <summary>
+##	unconfined_t domain typebounds calling domain.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain to be typebound.
+## </summary>
+## </param>
+#
+interface(`unconfined_typebounds',`
+	gen_require(`
+		type unconfined_t;
+	')
+
+	typebounds unconfined_t $1;
+')
+
+########################################
+## <summary>
+##	unconfined_exec_t domain typebounds file_type.
+## </summary>
+## <param name="domain">
+## <summary>
+##	File type to be typebound.
+## </summary>
+## </param>
+#
+interface(`unconfined_exec_typebounds',`
+	gen_require(`
+		type unconfined_exec_t;
+	')
+
+	typebounds unconfined_exec_t $1;
+')
+
diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
new file mode 100644
index 000000000..883d9eaa3
--- /dev/null
+++ b/policy/modules/roles/unconfineduser.te
@@ -0,0 +1,362 @@
+policy_module(unconfineduser, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+attribute unconfined_login_domain;
+
+## <desc>
+## <p>
+## allow unconfined users to transition to the chrome sandbox domains when running chrome-sandbox
+## </p>
+## </desc>
+gen_tunable(unconfined_chrome_sandbox_transition, false)
+
+## <desc>
+## <p>
+## Allow unconfined users to transition to the Mozilla plugin domain when running xulrunner plugin-container.
+## </p>
+## </desc>
+gen_tunable(unconfined_mozilla_plugin_transition, false)
+
+## <desc>
+## <p>
+## Allow a user to login as an unconfined domain
+## </p>
+## </desc>
+gen_tunable(unconfined_login, true)
+
+# usage in this module of types created by these
+# calls is not correct, however we dont currently
+# have another method to add access to these types
+userdom_base_user_template(unconfined)
+userdom_manage_home_role(unconfined_r, unconfined_t)
+userdom_manage_tmp_role(unconfined_r, unconfined_t)
+userdom_unpriv_type(unconfined_t)
+userdom_login_userdomain(unconfined_t)
+
+type unconfined_exec_t;
+application_domain(unconfined_t, unconfined_exec_t)
+role unconfined_r types unconfined_t;
+role_transition system_r unconfined_exec_t unconfined_r;
+allow system_r unconfined_r;
+
+domain_user_exemption_target(unconfined_t)
+allow system_r unconfined_r;
+allow unconfined_r system_r;
+init_script_role_transition(unconfined_r)
+role system_r types unconfined_t;
+typealias unconfined_t alias unconfined_crontab_t;
+
+########################################
+#
+# Local policy
+#
+
+dontaudit unconfined_t self:dir write;
+dontaudit unconfined_t self:file setattr;
+
+allow unconfined_t self:system syslog_read;
+dontaudit unconfined_t self:capability sys_module;
+
+allow unconfined_t file_type:system module_load;
+
+allow unconfined_t self:cap_userns all_cap_userns_perms;
+
+kernel_rw_unlabeled_socket(unconfined_t)
+kernel_rw_unlabeled_rawip_socket(unconfined_t)
+
+files_create_boot_flag(unconfined_t)
+files_create_default_dir(unconfined_t)
+files_root_filetrans_default(unconfined_t, dir)
+
+init_domtrans_script(unconfined_t)
+init_telinit(unconfined_t)
+
+logging_send_syslog_msg(unconfined_t)
+
+systemd_config_all_services(unconfined_t)
+
+unconfined_domain_noaudit(unconfined_t)
+domain_named_filetrans(unconfined_t)
+domain_transition_all(unconfined_t)
+
+usermanage_run_passwd(unconfined_t, unconfined_r)
+
+tunable_policy(`deny_execmem',`',`
+	allow unconfined_t self:process execmem;
+')
+
+tunable_policy(`selinuxuser_execstack',`
+	allow unconfined_t self:process execstack;
+')
+
+tunable_policy(`selinuxuser_execmod',`
+	userdom_execmod_user_home_files(unconfined_t)
+')
+
+tunable_policy(`unconfined_login',`
+	corecmd_shell_domtrans(unconfined_login_domain,unconfined_t)
+	allow unconfined_t unconfined_login_domain:fd use;
+	allow unconfined_t unconfined_login_domain:fifo_file rw_file_perms;
+	allow unconfined_t unconfined_login_domain:process sigchld;
+')
+
+optional_policy(`
+	gen_require(`
+		type unconfined_t;
+	')
+
+	optional_policy(`
+		abrt_dbus_chat(unconfined_t)
+		abrt_run_helper(unconfined_t, unconfined_r)
+	')
+
+	optional_policy(`
+		avahi_dbus_chat(unconfined_t)
+	')
+
+	optional_policy(`
+		blueman_dbus_chat(unconfined_t)
+	')
+
+	optional_policy(`
+		certmonger_dbus_chat(unconfined_t)
+	')
+
+	optional_policy(`
+		devicekit_dbus_chat(unconfined_t)
+		devicekit_dbus_chat_disk(unconfined_t)
+		devicekit_dbus_chat_power(unconfined_t)
+	')
+
+	optional_policy(`
+		hal_dbus_chat(unconfined_t)
+	')
+
+	optional_policy(`
+		networkmanager_dbus_chat(unconfined_t)
+	')
+
+	optional_policy(`
+		rtkit_scheduled(unconfined_t)
+	')
+
+	# Might remove later if this proves to be problematic, but would like to gather AVCs
+	optional_policy(`
+		thumb_role(unconfined_r, unconfined_t)
+	')
+
+	optional_policy(`
+		setroubleshoot_dbus_chat(unconfined_t)
+		setroubleshoot_dbus_chat_fixit(unconfined_t)
+	')
+
+	optional_policy(`
+		sandbox_transition(unconfined_t, unconfined_r)
+	')
+
+	optional_policy(`
+		sandbox_x_transition(unconfined_t, unconfined_r)
+	')
+
+    optional_policy(`
+        vmtools_run_helper(unconfined_t, unconfined_r)
+    ')
+
+	optional_policy(`
+		gen_require(`
+			type user_tmpfs_t;
+		')
+	
+		xserver_rw_session(unconfined_t, user_tmpfs_t)
+		xserver_dbus_chat_xdm(unconfined_t)
+	')
+')
+
+ifdef(`distro_gentoo',`
+	seutil_run_runinit(unconfined_t, unconfined_r)
+	seutil_init_script_run_runinit(unconfined_t, unconfined_r)
+')
+
+optional_policy(`
+	accountsd_dbus_chat(unconfined_t)
+')
+
+optional_policy(`
+    cron_unconfined_role(unconfined_r, unconfined_t)
+')
+
+optional_policy(`
+	chrome_role_notrans(unconfined_r, unconfined_t)
+
+	tunable_policy(`unconfined_chrome_sandbox_transition',`
+		chrome_domtrans_sandbox(unconfined_t)
+	')
+')
+
+optional_policy(`
+	container_runtime_entrypoint(unconfined_t)
+')
+
+optional_policy(`
+	oddjob_mkhomedir_entrypoint(unconfined_t)
+')
+
+optional_policy(`
+	dbus_role_template(unconfined, unconfined_r, unconfined_t)
+	role system_r types unconfined_dbusd_t;
+
+	optional_policy(`
+		unconfined_domain_noaudit(unconfined_dbusd_t)
+
+		optional_policy(`
+			xserver_rw_shm(unconfined_dbusd_t)
+		')
+	')
+
+	init_dbus_chat(unconfined_t)
+	init_dbus_chat_script(unconfined_t)
+
+	dbus_stub(unconfined_t)
+
+	optional_policy(`
+		bluetooth_dbus_chat(unconfined_t)
+	')
+
+	optional_policy(`
+		consolekit_dbus_chat(unconfined_t)
+	')
+
+	optional_policy(`
+		cups_dbus_chat_config(unconfined_t)
+	')
+
+	optional_policy(`
+		fprintd_dbus_chat(unconfined_t)
+	')
+
+	optional_policy(`
+		systemd_dbus_chat_timedated(unconfined_t)
+		gnome_dbus_chat_gconfdefault(unconfined_t)
+		gnome_command_domtrans_gkeyringd(unconfined_dbusd_t,unconfined_t)
+	')
+
+    optional_policy(`
+        gnome_filetrans_cert_home_content(unconfined_t)
+    ')
+
+	optional_policy(`
+		ipsec_mgmt_dbus_chat(unconfined_t)
+	')
+
+	optional_policy(`
+		kerneloops_dbus_chat(unconfined_t)
+	')
+
+	optional_policy(`
+	        telepathy_command_domtrans(unconfined_dbusd_t, unconfined_t)
+	')
+
+	optional_policy(`
+		oddjob_dbus_chat(unconfined_t)
+	')
+
+	optional_policy(`
+		vpn_dbus_chat(unconfined_t)
+	')
+
+	optional_policy(`
+		firewalld_dbus_chat(unconfined_t)
+	')
+
+	optional_policy(`
+		firewallgui_dbus_chat(unconfined_t)
+	')
+')
+
+optional_policy(`
+	firstboot_run(unconfined_t, unconfined_r)
+')
+
+optional_policy(`
+	fsadm_manage_pid(unconfined_t)
+')
+
+optional_policy(`
+        gpsd_run(unconfined_t, unconfined_r)
+')
+
+optional_policy(`
+    anaconda_run_install(unconfined_t, unconfined_r)
+')
+
+optional_policy(`
+	java_run_unconfined(unconfined_t, unconfined_r)
+')
+
+optional_policy(`
+	livecd_run(unconfined_t, unconfined_r)
+')
+
+#optional_policy(`
+#	mock_role(unconfined_r, unconfined_t)
+#')
+
+optional_policy(`
+	mozilla_role_plugin(unconfined_r)
+
+	tunable_policy(`unconfined_mozilla_plugin_transition', `
+			mozilla_domtrans_plugin(unconfined_t)
+	')
+')
+
+optional_policy(`
+	ipa_run_helper(unconfined_t, unconfined_r)
+')
+
+optional_policy(`
+	oddjob_run_mkhomedir(unconfined_t, unconfined_r)
+	oddjob_run(unconfined_t, unconfined_r)
+')
+
+optional_policy(`
+	# Allow SELinux aware applications to request rpm_script execution
+	rpm_transition_script(unconfined_t, unconfined_r)
+	rpm_dbus_chat(unconfined_t)
+')
+
+optional_policy(`
+	optional_policy(`
+		samba_run_unconfined_net(unconfined_t, unconfined_r)
+	')
+
+	samba_role_notrans(unconfined_r)
+	samba_run_smbcontrol(unconfined_t, unconfined_r)
+')
+
+optional_policy(`
+	sysnet_run_dhcpc(unconfined_t, unconfined_r)
+	sysnet_dbus_chat_dhcpc(unconfined_t)
+	sysnet_role_transition_dhcpc(unconfined_r)
+')
+
+optional_policy(`
+	openshift_run(unconfined_usertype, unconfined_r)
+')
+
+optional_policy(`
+	virt_transition_svirt(unconfined_t, unconfined_r)
+	virt_transition_svirt_sandbox(unconfined_t, unconfined_r)
+	virt_sandbox_entrypoint(unconfined_t)
+')
+
+optional_policy(`
+	xserver_run(unconfined_t, unconfined_r)
+	xserver_manage_home_fonts(unconfined_t)
+	xserver_xsession_entry_type(unconfined_t)
+')
+
+gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+
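Review bot: `allow unconfined_t file_type:system module_load;` in the local policy section grants kernel module loading from every file type, including user-writable ones, which is broader than the neighbouring rules and should either be narrowed to the module store types or carry a comment stating that it is deliberate for this domain. The declarations block also states `allow system_r unconfined_r;` twice (once after `role_transition system_r unconfined_exec_t unconfined_r;` and again after `domain_user_exemption_target(unconfined_t)`), and the `unconfined_login` tunable uses the file permission set on a pipe where the rest of the file uses the fifo set; `allow unconfined_t unconfined_login_domain:fifo_file rw_fifo_file_perms;` is the consistent form. Indentation mixes tabs and spaces (the vmtools_run_helper, cron_unconfined_role, gnome_filetrans_cert_home_content, gpsd_run and anaconda_run_install blocks), one line inside the xserver block is only whitespace, and the commented-out mock_role block is dead code; the same commented-out pattern recurs in unprivuser.te (telepathy_dbus_session_role) and postgresql.fc (the /var/run/postmaster.* entry).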
diff --git a/policy/modules/roles/unprivuser.if b/policy/modules/roles/unprivuser.if
index 383559646..fbca2be81 100644
--- a/policy/modules/roles/unprivuser.if
+++ b/policy/modules/roles/unprivuser.if
@@ -1,4 +1,4 @@
-## <summary>Generic unprivileged user role</summary>
+## <summary>Generic unprivileged user</summary>
 
 ########################################
 ## <summary>
diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
index 6d77e81c5..74de33345 100644
--- a/policy/modules/roles/unprivuser.te
+++ b/policy/modules/roles/unprivuser.te
@@ -1,5 +1,12 @@
 policy_module(unprivuser, 2.4.0)
 
+## <desc>
+## <p>
+## Allow unprivileged user to create and transition to svirt domains.
+## </p>
+## </desc>
+gen_tunable(unprivuser_use_svirt, false)
+
 # this module should be named user, but that is
 # a compile error since user is a keyword.
 
@@ -12,12 +19,107 @@ role user_r;
 
 userdom_unpriv_user_template(user)
 
+kernel_read_numa_state(user_t)
+kernel_write_numa_state(user_t)
+
+fs_exec_noxattr(user_t)
+fs_read_hugetlbfs_files(user_t)
+
+storage_read_scsi_generic(user_t)
+storage_write_scsi_generic(user_t)
+
+seutil_read_module_store(user_t)
+
+init_dbus_chat(user_t)
+init_status(user_t)
+
+tunable_policy(`selinuxuser_execmod',`
+	userdom_execmod_user_home_files(user_t)
+')
+
+optional_policy(`
+	abrt_read_cache(user_t)
+')
+
 optional_policy(`
 	apache_role(user_r, user_t)
 ')
 
 optional_policy(`
-	git_role(user_r, user_t)
+	blueman_dbus_chat(user_t)
+')
+
+optional_policy(`
+	bluetooth_role(user_r, user_t)
+')
+
+optional_policy(`
+	colord_dbus_chat(user_t)
+')
+
+optional_policy(`
+	chrome_role(user_r, user_t)
+')
+
+optional_policy(`
+    dirsrv_stream_connect(user_t)
+')
+
+optional_policy(`
+	journalctl_role(user_r, user_t)
+')
+
+optional_policy(`
+	irc_role(user_r, user_t)
+')
+
+optional_policy(`
+	oident_manage_user_content(user_t)
+	oident_relabel_user_content(user_t)
+')
+
+optional_policy(`
+	mozilla_run_plugin(user_t, user_r)
+')
+
+optional_policy(`
+	mta_role(user_r, user_t)
+')
+
+optional_policy(`
+	netutils_run_ping_cond(user_t, user_r)
+	netutils_run_traceroute_cond(user_t, user_r)
+')
+
+optional_policy(`
+	polipo_role(user_r, user_t)
+	polipo_named_filetrans_cache_home_dirs(user_t)
+	polipo_named_filetrans_config_home_files(user_t)
+')
+
+optional_policy(`
+	rpm_dontaudit_dbus_chat(user_t)
+')
+
+optional_policy(`
+	rtkit_scheduled(user_t)
+')
+
+optional_policy(`
+	systemd_read_unit_files(user_t)
+	systemd_exec_systemctl(user_t)
+')
+
+optional_policy(`
+	sandbox_transition(user_t, user_r)
+')
+
+optional_policy(`
+	sandbox_x_transition(user_t, user_r)
+')
+
+optional_policy(`
+	ssh_role_template(user, user_r, user_t)
 ')
 
 optional_policy(`
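Review bot: `ssh_role_template(user, user_r, user_t)` is now expanded unconditionally here while the identical call is left inside the `ifndef(`distro_redhat',` block further down (visible as context in the later hunks), so non-Red Hat builds expand the template twice and will hit duplicate declarations; the commit resolved the parallel `mta_role` move by deleting the old call and this one needs the same treatment. Separately, `storage_read_scsi_generic(user_t)` and `storage_write_scsi_generic(user_t)` give the generic unprivileged user domain raw SCSI generic device access and `fs_exec_noxattr(user_t)` permits executing from filesystems that cannot carry labels; both widen user_t noticeably and deserve a tunable or at least a comment explaining why they are unconditional. The `dirsrv_stream_connect` block is indented with spaces while its neighbours use a tab.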
@@ -25,11 +127,19 @@ optional_policy(`
 ')
 
 optional_policy(`
-	vlock_run(user_t, user_r)
+	setroubleshoot_dontaudit_stream_connect(user_t)
 ')
 
+#optional_policy(`
+#	telepathy_dbus_session_role(user_r, user_t)
+#')
+
 optional_policy(`
-	xserver_role(user_r, user_t)
+	usbmuxd_stream_connect(user_t)
+')
+
+optional_policy(`
+	vlock_run(user_t, user_r)
 ')
 
 ifndef(`distro_redhat',`
@@ -101,10 +211,6 @@ ifndef(`distro_redhat',`
 		mplayer_role(user_r, user_t)
 	')
 
-	optional_policy(`
-		mta_role(user_r, user_t)
-	')
-
 	optional_policy(`
 		postgresql_role(user_r, user_t)
 	')
@@ -128,7 +234,6 @@ ifndef(`distro_redhat',`
 	optional_policy(`
 		ssh_role_template(user, user_r, user_t)
 	')
-
 	optional_policy(`
 		su_role_template(user, user_r, user_t)
 	')
@@ -160,4 +265,24 @@ ifndef(`distro_redhat',`
 	optional_policy(`
 		wireshark_role(user_r, user_t)
 	')
+
+	optional_policy(`
+		xserver_run(user_t, user_r)
+	')
+')
+
+optional_policy(`
+    vmtools_run_helper(user_t, user_r)
+')
+
+
+optional_policy(`
+	virt_transition_svirt(user_t, user_r)
+	virt_filetrans_home_content(user_t)
+')
+
+optional_policy(`
+	tunable_policy(`unprivuser_use_svirt',`
+		virt_manage_images(user_t)
+	')
 ')
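Review bot: The `unprivuser_use_svirt` tunable declared in the first hunk is documented as allowing the user to "create and transition to svirt domains", yet `virt_transition_svirt(user_t, user_r)` and `virt_filetrans_home_content(user_t)` are granted unconditionally and only `virt_manage_images(user_t)` sits under `tunable_policy(`unprivuser_use_svirt',`. Either the transition calls belong inside the tunable block too, or the description should be narrowed to something like "Allow unprivileged user to manage virt image files." There is a doubled blank line before the virt block, and the vmtools_run_helper block uses spaces instead of the tab used elsewhere.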
diff --git a/policy/modules/services/postgresql.fc b/policy/modules/services/postgresql.fc
index a26f84f40..225d6961d 100644
--- a/policy/modules/services/postgresql.fc
+++ b/policy/modules/services/postgresql.fc
@@ -10,11 +10,17 @@
 #
 /usr/bin/initdb(\.sepgsql)?	--	gen_context(system_u:object_r:postgresql_exec_t,s0)
 /usr/bin/(se)?postgres		--	gen_context(system_u:object_r:postgresql_exec_t,s0)
+/usr/bin/pg_ctl				--	gen_context(system_u:object_r:postgresql_exec_t,s0)
+/usr/bin/postgresql-check-db-dir				--	gen_context(system_u:object_r:postgresql_exec_t,s0)
+
+/usr/libexec/postgresql-ctl     --  gen_context(system_u:object_r:postgresql_exec_t,s0)
 
 /usr/lib/pgsql/test/regress(/.*)?	gen_context(system_u:object_r:postgresql_db_t,s0)
 /usr/lib/pgsql/test/regress/pg_regress -- gen_context(system_u:object_r:postgresql_exec_t,s0)
 /usr/lib/postgresql/bin/.*	--	gen_context(system_u:object_r:postgresql_exec_t,s0)
 
+/usr/lib/systemd/system/postgresql.*    --  gen_context(system_u:object_r:postgresql_unit_file_t,s0)
+
 ifdef(`distro_debian', `
 /usr/lib/postgresql/.*/bin/.*	--	gen_context(system_u:object_r:postgresql_exec_t,s0)
 ')
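Review bot: The new unit file entry labels with `postgresql_unit_file_t`, a type that does not appear anywhere else in this chunk; if it is not declared in postgresql.te, the file_contexts validation run during the build will reject the entry. The `/usr/libexec/postgresql-ctl` and unit file lines separate their fields with runs of spaces while the surrounding entries use tabs; aligning them as `/usr/libexec/postgresql-ctl	--	gen_context(system_u:object_r:postgresql_exec_t,s0)` keeps the file consistent.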
@@ -28,9 +34,10 @@ ifdef(`distro_redhat', `
 #
 /var/lib/postgres(ql)?(/.*)? 		gen_context(system_u:object_r:postgresql_db_t,s0)
 
-/var/lib/pgsql/data(/.*)?		gen_context(system_u:object_r:postgresql_db_t,s0)
+/var/lib/pgsql(/.*)?			gen_context(system_u:object_r:postgresql_db_t,s0)
 /var/lib/pgsql/logfile(/.*)?		gen_context(system_u:object_r:postgresql_log_t,s0)
-/var/lib/pgsql/pgstartup\.log		gen_context(system_u:object_r:postgresql_log_t,s0)
+/var/lib/pgsql/.*\.log			gen_context(system_u:object_r:postgresql_log_t,s0)
+/var/lib/pgsql/data/pg_log(/.*)?	gen_context(system_u:object_r:postgresql_log_t,s0)
 
 /var/lib/sepgsql(/.*)?			gen_context(system_u:object_r:postgresql_db_t,s0)
 /var/lib/sepgsql/pgstartup\.log	--	gen_context(system_u:object_r:postgresql_log_t,s0)
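Review bot: `/var/lib/pgsql/.*\.log` has no `--` file-type field, so it also matches directories and other non-regular objects whose name ends in `.log`; the sibling `/var/lib/sepgsql/pgstartup\.log` entry restricts itself with `--`, and `/var/lib/pgsql/.*\.log	--	gen_context(system_u:object_r:postgresql_log_t,s0)` would be the matching form. Widening `/var/lib/pgsql/data(/.*)?` to `/var/lib/pgsql(/.*)?` labels everything under the postgres account's directory as postgresql_db_t rather than just the data directory, which changes what the daemon may write and deserves a one-line comment above the entry.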
@@ -45,4 +52,4 @@ ifdef(`distro_redhat', `
 
 /var/run/postgresql(/.*)?		gen_context(system_u:object_r:postgresql_var_run_t,s0)
 
-/var/run/postmaster.*			gen_context(system_u:object_r:postgresql_var_run_t,s0)
+#/var/run/postmaster.*			gen_context(system_u:object_r:postgresql_var_run_t,s0)
diff --git a/policy/modules/services/postgresql.if b/policy/modules/services/postgresql.if
index 9d2f31168..2d782e051 100644
--- a/policy/modules/services/postgresql.if
+++ b/policy/modules/services/postgresql.if
@@ -10,90 +10,46 @@
 ##	</summary>
 ## </param>
 ## <param name="user_domain">
-## 	<summary>
+##	<summary>
 ##	The type of the user domain.
 ##	</summary>
 ## </param>
 #
 interface(`postgresql_role',`
 	gen_require(`
-		class db_database all_db_database_perms;
-		class db_schema all_db_schema_perms;
-		class db_table all_db_table_perms;
-		class db_sequence all_db_sequence_perms;
-		class db_view all_db_view_perms;
-		class db_procedure all_db_procedure_perms;
-		class db_language all_db_language_perms;
-		class db_column all_db_column_perms;
-		class db_tuple all_db_tuple_perms;
-		class db_blob all_db_blob_perms;
-
-		attribute sepgsql_client_type, sepgsql_database_type;
-		attribute sepgsql_schema_type, sepgsql_sysobj_table_type;
-
-		type sepgsql_trusted_proc_exec_t, sepgsql_trusted_proc_t;
-		type sepgsql_ranged_proc_exec_t, sepgsql_ranged_proc_t;
-		type user_sepgsql_blob_t, user_sepgsql_proc_exec_t;
-		type user_sepgsql_schema_t, user_sepgsql_seq_t;
-		type user_sepgsql_sysobj_t, user_sepgsql_table_t;
-		type user_sepgsql_view_t;
-		type sepgsql_temp_object_t;
+		attribute sepgsql_client_type;
+		type sepgsql_trusted_proc_t;
+		type sepgsql_ranged_proc_t;
 	')
 
-	########################################
-	#
-	# Declarations
-	#
-
 	typeattribute $2 sepgsql_client_type;
 	role $1 types sepgsql_trusted_proc_t;
 	role $1 types sepgsql_ranged_proc_t;
+')
 
-	##############################
-	#
-	# Client local policy
-	#
-
-	tunable_policy(`sepgsql_enable_users_ddl',`
-		allow $2 user_sepgsql_schema_t:db_schema { create drop setattr };
-		allow $2 user_sepgsql_table_t:db_table { create drop setattr };
-		allow $2 user_sepgsql_table_t:db_column { create drop setattr };
-		allow $2 user_sepgsql_sysobj_t:db_tuple { update insert delete };
-		allow $2 user_sepgsql_seq_t:db_sequence { create drop setattr set_value };
-		allow $2 user_sepgsql_view_t:db_view { create drop setattr };
-		allow $2 user_sepgsql_proc_exec_t:db_procedure { create drop setattr };
+########################################
+## <summary>
+##	Execute the postgresql program in the postgresql domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to allow the postgresql domain.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`postgresql_run',`
+	gen_require(`
+		type postgresql_t;
 	')
 
-	allow $2 user_sepgsql_schema_t:db_schema { getattr search add_name remove_name };
-	type_transition $2 sepgsql_database_type:db_schema user_sepgsql_schema_t;
-	type_transition $2 sepgsql_database_type:db_schema sepgsql_temp_object_t "pg_temp";
-
-	allow $2 user_sepgsql_table_t:db_table	{ getattr select update insert delete lock };
-	allow $2 user_sepgsql_table_t:db_column { getattr select update insert };
-	allow $2 user_sepgsql_table_t:db_tuple	{ select update insert delete };
-	type_transition $2 sepgsql_schema_type:db_table user_sepgsql_table_t;
-
-	allow $2 user_sepgsql_sysobj_t:db_tuple	{ use select };
-	type_transition $2 sepgsql_sysobj_table_type:db_tuple user_sepgsql_sysobj_t;
-
-	allow $2 user_sepgsql_seq_t:db_sequence { getattr get_value next_value };
-	type_transition $2 sepgsql_schema_type:db_sequence user_sepgsql_seq_t;
-
-	allow $2 user_sepgsql_view_t:db_view { getattr expand };
-	type_transition $2 sepgsql_schema_type:db_view user_sepgsql_view_t;
-
-	allow $2 user_sepgsql_proc_exec_t:db_procedure { getattr execute };
-	type_transition $2 sepgsql_schema_type:db_procedure user_sepgsql_proc_exec_t;
-
-	allow $2 user_sepgsql_blob_t:db_blob { create drop getattr setattr read write import export };
-	type_transition $2 sepgsql_database_type:db_blob user_sepgsql_blob_t;
-
-	allow $2 sepgsql_ranged_proc_t:process transition;
-	type_transition $2 sepgsql_ranged_proc_exec_t:process sepgsql_ranged_proc_t;
-	allow sepgsql_ranged_proc_t $2:process dyntransition;
-
-	allow $2 sepgsql_trusted_proc_t:process transition;
-	type_transition $2 sepgsql_trusted_proc_exec_t:process sepgsql_trusted_proc_t;
+	postgresql_domtrans($1)
+	role $2 types postgresql_t;
 ')
 
 ########################################
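Review bot: `postgresql_role` drops every `db_*` class rule, the `user_sepgsql_*` type transitions and the `sepgsql_enable_users_ddl` tunable block, leaving only the attribute and role assignments; if those rules were not moved into attribute-based policy in postgresql.te (not in this chunk), confined users lose their sepgsql object access and the `sepgsql_enable_users_ddl` tunable becomes unreferenced. A comment inside the interface such as `# object access for clients is granted via sepgsql_client_type in postgresql.te` would make the intent explicit for the next reader. The same removal is applied to `postgresql_unpriv_client` in a later hunk and the same note applies there.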
@@ -312,7 +268,7 @@ interface(`postgresql_search_db',`
 		type postgresql_db_t;
 	')
 
-	allow $1 postgresql_db_t:dir search;
+	allow $1 postgresql_db_t:dir search_dir_perms;
 ')
 
 ########################################
@@ -324,14 +280,16 @@ interface(`postgresql_search_db',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+#
 interface(`postgresql_manage_db',`
 	gen_require(`
 		type postgresql_db_t;
 	')
 
-	allow $1 postgresql_db_t:dir rw_dir_perms;
-	allow $1 postgresql_db_t:file rw_file_perms;
-	allow $1 postgresql_db_t:lnk_file { getattr read };
+	files_search_var_lib($1)
+	manage_dirs_pattern($1, postgresql_db_t, postgresql_db_t)
+	manage_files_pattern($1, postgresql_db_t, postgresql_db_t)
+	manage_lnk_files_pattern($1, postgresql_db_t, postgresql_db_t)
 ')
 
 ########################################
@@ -352,6 +310,24 @@ interface(`postgresql_domtrans',`
 	domtrans_pattern($1, postgresql_exec_t, postgresql_t)
 ')
 
+######################################
+## <summary>
+##	Execute Postgresql in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`postgresql_exec',`
+	gen_require(`
+		type  postgresql_exec_t;
+	')
+
+	can_exec($1, postgresql_exec_t)
+')
+
 ######################################
 ## <summary>
 ##	Allow domain to signal postgresql
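Review bot: The gen_require line of the new `postgresql_exec` interface contains a double space, `type  postgresql_exec_t;`; `type postgresql_exec_t;` matches the rest of the file. The interface summary "Execute Postgresql in the caller domain." could also say "Execute the postgresql program in the caller domain (no domain transition)." so that its contrast with `postgresql_domtrans` directly above is clear.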
@@ -421,7 +397,6 @@ interface(`postgresql_tcp_connect',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <rolecap/>
 #
 interface(`postgresql_stream_connect',`
 	gen_require(`
@@ -432,6 +407,7 @@ interface(`postgresql_stream_connect',`
 
 	files_search_pids($1)
 	files_search_tmp($1)
+	stream_connect_pattern($1, { postgresql_var_run_t postgresql_tmp_t }, { postgresql_var_run_t postgresql_tmp_t }, postgresql_t)
 ')
 
 ########################################
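Review bot: The added `stream_connect_pattern` call references `postgresql_tmp_t`, `postgresql_var_run_t` and `postgresql_t`, but the interface's `gen_require` block lies above this hunk; confirm it declares all three, in particular `postgresql_tmp_t`, or the module will not compile. Since the socket may now live in either the pid or the tmp directory, a short comment such as `# socket may be in /var/run/postgresql or /tmp depending on configuration` would explain the two-type sets to the next reader.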
@@ -447,83 +423,10 @@ interface(`postgresql_stream_connect',`
 #
 interface(`postgresql_unpriv_client',`
 	gen_require(`
-		class db_database all_db_database_perms;
-		class db_schema all_db_schema_perms;
-		class db_table all_db_table_perms;
-		class db_sequence all_db_sequence_perms;
-		class db_view all_db_view_perms;
-		class db_procedure all_db_procedure_perms;
-		class db_language all_db_language_perms;
-		class db_column all_db_column_perms;
-		class db_tuple all_db_tuple_perms;
-		class db_blob all_db_blob_perms;
-
 		attribute sepgsql_client_type;
-		attribute sepgsql_database_type, sepgsql_schema_type;
-		attribute sepgsql_sysobj_table_type;
-
-		type sepgsql_ranged_proc_t, sepgsql_ranged_proc_exec_t;
-		type sepgsql_temp_object_t;
-		type sepgsql_trusted_proc_t, sepgsql_trusted_proc_exec_t;
-		type unpriv_sepgsql_blob_t, unpriv_sepgsql_proc_exec_t;
-		type unpriv_sepgsql_schema_t, unpriv_sepgsql_seq_t;
-		type unpriv_sepgsql_sysobj_t, unpriv_sepgsql_table_t;
-		type unpriv_sepgsql_view_t;
 	')
 
-	########################################
-	#
-	# Declarations
-	#
-
 	typeattribute $1 sepgsql_client_type;
-
-	########################################
-	#
-	# Client local policy
-	#
-
-	type_transition $1 sepgsql_ranged_proc_exec_t:process sepgsql_ranged_proc_t;
-	allow $1 sepgsql_ranged_proc_t:process transition;
-	allow sepgsql_ranged_proc_t $1:process dyntransition;
-
-	type_transition $1 sepgsql_trusted_proc_exec_t:process sepgsql_trusted_proc_t;
-	allow $1 sepgsql_trusted_proc_t:process transition;
-
-	allow $1 unpriv_sepgsql_blob_t:db_blob { create drop getattr setattr read write import export };
-	type_transition $1 sepgsql_database_type:db_blob unpriv_sepgsql_blob_t;
-
-	allow $1 unpriv_sepgsql_proc_exec_t:db_procedure { getattr execute };
-	type_transition $1 sepgsql_schema_type:db_procedure unpriv_sepgsql_proc_exec_t;
-
-	allow $1 unpriv_sepgsql_schema_t:db_schema { getattr add_name remove_name };
-	type_transition $1 sepgsql_database_type:db_schema unpriv_sepgsql_schema_t;
-	type_transition $1 sepgsql_database_type:db_schema sepgsql_temp_object_t "pg_temp";
-
-	allow $1 unpriv_sepgsql_table_t:db_table { getattr select update insert delete lock };
-	allow $1 unpriv_sepgsql_table_t:db_column { getattr select update insert };
-	allow $1 unpriv_sepgsql_table_t:db_tuple { select update insert delete };
-	type_transition $1 sepgsql_schema_type:db_table unpriv_sepgsql_table_t;
-
-	allow $1 unpriv_sepgsql_seq_t:db_sequence { getattr get_value next_value set_value };
-	type_transition $1 sepgsql_schema_type:db_sequence unpriv_sepgsql_seq_t;
-
-	allow $1 unpriv_sepgsql_sysobj_t:db_tuple { use select };
-	type_transition $1 sepgsql_sysobj_table_type:db_tuple unpriv_sepgsql_sysobj_t;
-
-	allow $1 unpriv_sepgsql_view_t:db_view { getattr expand };
-	type_transition $1 sepgsql_schema_type:db_view unpriv_sepgsql_view_t;
-
-
-	tunable_policy(`sepgsql_enable_users_ddl',`
-		allow $1 unpriv_sepgsql_schema_t:db_schema { create drop setattr };
-		allow $1 unpriv_sepgsql_table_t:db_table { create drop setattr };
-		allow $1 unpriv_sepgsql_table_t:db_column { create drop setattr };
-		allow $1 unpriv_sepgsql_sysobj_t:db_tuple { update insert delete };
-		allow $1 unpriv_sepgsql_seq_t:db_sequence { create drop setattr };
-		allow $1 unpriv_sepgsql_view_t:db_view { create drop setattr };
-		allow $1 unpriv_sepgsql_proc_exec_t:db_procedure { create drop setattr };
-	')
 ')
 
 ########################################
@@ -545,6 +448,29 @@ interface(`postgresql_unconfined',`
 	typeattribute $1 sepgsql_unconfined_type;
 ')
 
+########################################
+## <summary>
+##	Transition to postgresql named content
+## </summary>
+## <param name="domain">
+##	<summary>
+##      Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`postgresql_filetrans_named_content',`
+	gen_require(`
+		type postgresql_db_t;
+		type postgresql_log_t;
+	')
+
+	files_var_lib_filetrans($1, postgresql_db_t, dir, "postgresql")
+	files_var_lib_filetrans($1, postgresql_db_t, dir, "postgres")
+	files_var_lib_filetrans($1, postgresql_db_t, dir, "pgsql")
+	filetrans_pattern($1, postgresql_db_t, postgresql_log_t, dir, "logfile")
+	filetrans_pattern($1, postgresql_db_t, postgresql_log_t, dir, "pg_log")
+')
+
 ########################################
 ## <summary>
 ##	All of the rules required to administrate an postgresql environment
@@ -563,35 +489,41 @@ interface(`postgresql_unconfined',`
 #
 interface(`postgresql_admin',`
 	gen_require(`
-		attribute sepgsql_admin_type;
-		attribute sepgsql_client_type;
-
-		type postgresql_t, postgresql_var_run_t;
-		type postgresql_tmp_t, postgresql_db_t;
-		type postgresql_etc_t, postgresql_log_t;
-		type postgresql_initrc_exec_t;
+		attribute sepgsql_admin_type, sepgsql_client_type;
+		type postgresql_t, postgresql_var_run_t, postgresql_initrc_exec_t;
+		type postgresql_tmp_t, postgresql_db_t, postgresql_log_t;
+		type postgresql_etc_t;
 	')
 
 	typeattribute $1 sepgsql_admin_type;
 
-	allow $1 postgresql_t:process { ptrace signal_perms };
+	allow $1 postgresql_t:process signal_perms;
 	ps_process_pattern($1, postgresql_t)
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 postgresql_t:process ptrace;
+	')
 
 	init_labeled_script_domtrans($1, postgresql_initrc_exec_t)
 	domain_system_change_exemption($1)
 	role_transition $2 postgresql_initrc_exec_t system_r;
 	allow $2 system_r;
 
+	files_list_pids($1)
 	admin_pattern($1, postgresql_var_run_t)
 
+	files_list_var_lib($1)
 	admin_pattern($1, postgresql_db_t)
 
+	files_list_etc($1)
 	admin_pattern($1, postgresql_etc_t)
 
+	logging_list_logs($1)
 	admin_pattern($1, postgresql_log_t)
 
+	files_list_tmp($1)
 	admin_pattern($1, postgresql_tmp_t)
 
 	postgresql_tcp_connect($1)
 	postgresql_stream_connect($1)
+	postgresql_filetrans_named_content($1)
 ')
diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te
index 03061349c..bb5f3dd51 100644
--- a/policy/modules/services/postgresql.te
+++ b/policy/modules/services/postgresql.te
@@ -19,25 +19,32 @@ gen_require(`
 #
 
 ## <desc>
-## <p>
-## Allow unprived users to execute DDL statement
-## </p>
+##	<p>
+##	Allow postgresql to use ssh and rsync for point-in-time recovery
+##	</p>
+## </desc>
+gen_tunable(postgresql_can_rsync, false)
+
+## <desc>
+##	<p>
+##	Allow unprivileged users to execute DDL statement
+##	</p>
 ## </desc>
-gen_tunable(sepgsql_enable_users_ddl, false)
+gen_tunable(postgresql_selinux_users_ddl, true)
 
 ## <desc>
 ## <p>
 ## Allow transmit client label to foreign database
 ## </p>
 ## </desc>
-gen_tunable(sepgsql_transmit_client_label, false)
+gen_tunable(postgresql_selinux_transmit_client_label, false)
 
 ## <desc>
 ## <p>
 ## Allow database admins to execute DML statement
 ## </p>
 ## </desc>
-gen_tunable(sepgsql_unconfined_dbadm, false)
+gen_tunable(postgresql_selinux_unconfined_dbadm, true)
 
 type postgresql_t;
 type postgresql_exec_t;
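Review bot: The defaults of `postgresql_selinux_users_ddl` and `postgresql_selinux_unconfined_dbadm` flip from false to true in the same lines that rename them, and neither `<desc>` mentions it; with the latter on, sepgsql_admin_type receives `*` on every db_database and db_schema object (the rule block under that tunable later in this file), so the rename quietly widens the shipped policy. Each description should state the default and what the boolean grants, e.g. `##	Allow database admins unrestricted access to all sepgsql objects (on by default; set to false for a confined dbadm)`. The old `sepgsql_*` boolean names cease to exist, so any booleans.local entry or setsebool script still using them breaks at load time — worth a note in the commit message, or a comment here if the project has no boolean-alias mechanism.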
@@ -52,6 +59,9 @@ files_config_file(postgresql_etc_t)
 type postgresql_initrc_exec_t;
 init_script_file(postgresql_initrc_exec_t)
 
+type postgresql_unit_file_t;
+systemd_unit_file(postgresql_unit_file_t)
+
 type postgresql_lock_t;
 files_lock_file(postgresql_lock_t)
 
@@ -236,7 +246,8 @@ allow postgresql_t self:udp_socket create_stream_socket_perms;
 allow postgresql_t self:unix_dgram_socket create_socket_perms;
 allow postgresql_t self:unix_stream_socket { create_stream_socket_perms connectto };
 allow postgresql_t self:netlink_selinux_socket create_socket_perms;
-tunable_policy(`sepgsql_transmit_client_label',`
+
+tunable_policy(`postgresql_selinux_transmit_client_label',`
 	allow postgresql_t self:process { setsockcreate };
 ')
 
@@ -270,18 +281,19 @@ manage_files_pattern(postgresql_t, postgresql_db_t, postgresql_db_t)
 manage_lnk_files_pattern(postgresql_t, postgresql_db_t, postgresql_db_t)
 manage_fifo_files_pattern(postgresql_t, postgresql_db_t, postgresql_db_t)
 manage_sock_files_pattern(postgresql_t, postgresql_db_t, postgresql_db_t)
-files_var_lib_filetrans(postgresql_t, postgresql_db_t, { dir file lnk_file sock_file fifo_file })
+postgresql_filetrans_named_content(postgresql_t)
 
 allow postgresql_t postgresql_etc_t:dir list_dir_perms;
 read_files_pattern(postgresql_t, postgresql_etc_t, postgresql_etc_t)
 read_lnk_files_pattern(postgresql_t, postgresql_etc_t, postgresql_etc_t)
 
-allow postgresql_t postgresql_exec_t:lnk_file { getattr read };
+allow postgresql_t postgresql_exec_t:lnk_file read_lnk_file_perms;
 can_exec(postgresql_t, postgresql_exec_t )
 
 allow postgresql_t postgresql_lock_t:file manage_file_perms;
 files_lock_filetrans(postgresql_t, postgresql_lock_t, file)
 
+manage_dirs_pattern(postgresql_t, postgresql_log_t, postgresql_log_t)
 manage_files_pattern(postgresql_t, postgresql_log_t, postgresql_log_t)
 logging_log_filetrans(postgresql_t, postgresql_log_t, { file dir })
 
@@ -299,12 +311,12 @@ manage_sock_files_pattern(postgresql_t, postgresql_var_run_t, postgresql_var_run
 files_pid_filetrans(postgresql_t, postgresql_var_run_t, { dir file })
 
 kernel_read_kernel_sysctls(postgresql_t)
+kernel_read_network_state(postgresql_t)
 kernel_read_system_state(postgresql_t)
 kernel_list_proc(postgresql_t)
 kernel_read_all_sysctls(postgresql_t)
 kernel_read_proc_symlinks(postgresql_t)
 
-corenet_all_recvfrom_unlabeled(postgresql_t)
 corenet_all_recvfrom_netlabel(postgresql_t)
 corenet_tcp_sendrecv_generic_if(postgresql_t)
 corenet_udp_sendrecv_generic_if(postgresql_t)
@@ -342,8 +354,7 @@ domain_dontaudit_list_all_domains_state(postgresql_t)
 domain_use_interactive_fds(postgresql_t)
 
 files_dontaudit_search_home(postgresql_t)
-files_manage_etc_files(postgresql_t)
-files_search_etc(postgresql_t)
+files_read_etc_files(postgresql_t)
 files_read_etc_runtime_files(postgresql_t)
 files_read_usr_files(postgresql_t)
 
@@ -354,20 +365,28 @@ init_read_utmp(postgresql_t)
 logging_send_syslog_msg(postgresql_t)
 logging_send_audit_msgs(postgresql_t)
 
-miscfiles_read_localization(postgresql_t)
-
 seutil_libselinux_linked(postgresql_t)
 seutil_read_default_contexts(postgresql_t)
 
+sysnet_use_ldap(postgresql_t)
+
 userdom_dontaudit_use_unpriv_user_fds(postgresql_t)
 userdom_dontaudit_search_user_home_dirs(postgresql_t)
 userdom_dontaudit_use_user_terminals(postgresql_t)
 
+optional_policy(`
+	ccs_read_config(postgresql_t)
+')
+
 optional_policy(`
 	mta_getattr_spool(postgresql_t)
 ')
 
-tunable_policy(`allow_execmem',`
+optional_policy(`
+	rhcs_manage_cluster_pid_files(postgresql_t)
+')
+
+tunable_policy(`deny_execmem',`',`
 	allow postgresql_t self:process execmem;
 ')
 
@@ -485,10 +504,52 @@ dontaudit { postgresql_t sepgsql_admin_type sepgsql_client_type sepgsql_unconfin
 # It is always allowed to operate temporary objects for any database client.
 allow sepgsql_client_type sepgsql_temp_object_t:{db_schema db_table db_column db_tuple db_sequence db_view db_procedure} ~{ relabelto relabelfrom };
 
-# Note that permission of creation/deletion are eventually controlled by
-# create or drop permission of individual objects within shared schemas.
-# So, it just allows to create/drop user specific types.
-tunable_policy(`sepgsql_enable_users_ddl',`
+##############################
+#
+# Client local policy
+#
+allow sepgsql_client_type user_sepgsql_schema_t:db_schema { getattr search add_name remove_name };
+type_transition sepgsql_client_type sepgsql_database_type:db_schema user_sepgsql_schema_t;
+type_transition sepgsql_client_type sepgsql_database_type:db_schema sepgsql_temp_object_t "pg_temp";
+
+allow sepgsql_client_type user_sepgsql_table_t:db_table	{ getattr select update insert delete lock };
+allow sepgsql_client_type user_sepgsql_table_t:db_column { getattr select update insert };
+allow sepgsql_client_type user_sepgsql_table_t:db_tuple	{ select update insert delete };
+type_transition sepgsql_client_type sepgsql_schema_type:db_table user_sepgsql_table_t;
+
+allow sepgsql_client_type user_sepgsql_sysobj_t:db_tuple	{ use select };
+type_transition sepgsql_client_type sepgsql_sysobj_table_type:db_tuple user_sepgsql_sysobj_t;
+
+allow sepgsql_client_type user_sepgsql_seq_t:db_sequence { getattr get_value next_value };
+type_transition sepgsql_client_type sepgsql_schema_type:db_sequence user_sepgsql_seq_t;
+
+allow sepgsql_client_type user_sepgsql_view_t:db_view { getattr expand };
+type_transition sepgsql_client_type sepgsql_schema_type:db_view user_sepgsql_view_t;
+
+allow sepgsql_client_type user_sepgsql_proc_exec_t:db_procedure { getattr execute };
+type_transition sepgsql_client_type sepgsql_schema_type:db_procedure user_sepgsql_proc_exec_t;
+
+allow sepgsql_client_type user_sepgsql_blob_t:db_blob { create drop getattr setattr read write import export };
+type_transition sepgsql_client_type sepgsql_database_type:db_blob user_sepgsql_blob_t;
+
+allow sepgsql_client_type sepgsql_ranged_proc_t:process transition;
+type_transition sepgsql_client_type sepgsql_ranged_proc_exec_t:process sepgsql_ranged_proc_t;
+allow sepgsql_ranged_proc_t sepgsql_client_type:process dyntransition;
+
+allow sepgsql_client_type sepgsql_trusted_proc_t:process transition;
+type_transition sepgsql_client_type sepgsql_trusted_proc_exec_t:process sepgsql_trusted_proc_t;
+
+tunable_policy(`postgresql_selinux_users_ddl',`
+	allow sepgsql_client_type user_sepgsql_schema_t:db_schema { create drop setattr };
+	allow sepgsql_client_type user_sepgsql_table_t:db_table { create drop setattr };
+	allow sepgsql_client_type user_sepgsql_table_t:db_column { create drop setattr };
+	allow sepgsql_client_type user_sepgsql_sysobj_t:db_tuple { update insert delete };
+	allow sepgsql_client_type user_sepgsql_seq_t:db_sequence { create drop setattr set_value };
+	allow sepgsql_client_type user_sepgsql_view_t:db_view { create drop setattr };
+	allow sepgsql_client_type user_sepgsql_proc_exec_t:db_procedure { create drop setattr };
+	# Note that permission of creation/deletion are eventually controlled by
+	# create or drop permission of individual objects within shared schemas.
+	# So, it just allows to create/drop user specific types.
 	allow sepgsql_client_type sepgsql_schema_t:db_schema { add_name remove_name };
 ')
 
@@ -536,7 +597,7 @@ allow sepgsql_admin_type sepgsql_module_type:db_database install_module;
 
 kernel_relabelfrom_unlabeled_database(sepgsql_admin_type)
 
-tunable_policy(`sepgsql_unconfined_dbadm',`
+tunable_policy(`postgresql_selinux_unconfined_dbadm',`
 	allow sepgsql_admin_type sepgsql_database_type:db_database *;
 
 	allow sepgsql_admin_type sepgsql_schema_type:db_schema *;
@@ -589,3 +650,17 @@ allow sepgsql_unconfined_type sepgsql_blob_type:db_blob *;
 allow sepgsql_unconfined_type sepgsql_module_type:db_database install_module;
 
 kernel_relabelfrom_unlabeled_database(sepgsql_unconfined_type)
+
+optional_policy(`
+	tunable_policy(`postgresql_can_rsync',`
+		rsync_exec(postgresql_t)
+	')
+')
+
+optional_policy(`
+	tunable_policy(`postgresql_can_rsync',`
+		ssh_exec(postgresql_t)
+		ssh_read_user_home_files(postgresql_t)
+		corenet_tcp_connect_ssh_port(postgresql_t)
+	')
+')
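Review bot: Under `postgresql_can_rsync`, `ssh_read_user_home_files(postgresql_t)` presumably grants read on ssh_home_t, and the ssh.fc part of this same change labels HOME_DIR/.ssh, /root/.ssh and /var/lib/*/.ssh for every account with that single type, so the boolean lets the database server read every user's and root's private SSH keys rather than only /var/lib/pgsql/.ssh. `ssh_exec(postgresql_t)` likewise runs the ssh client inside postgresql_t instead of transitioning to a confined client domain. The tunable's `<desc>` should state that scope, e.g. `##	Allow postgresql to use ssh and rsync for point-in-time recovery (grants read of all ssh_home_t key material and runs ssh in the postgresql_t domain)`. If a narrower interface restricted to the postgres account's keys is available it would be the safer grant, but nothing in the hunk shows one.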
diff --git a/policy/modules/services/ssh.fc b/policy/modules/services/ssh.fc
index 76d9f66ec..7528851ad 100644
--- a/policy/modules/services/ssh.fc
+++ b/policy/modules/services/ssh.fc
@@ -1,16 +1,42 @@
 HOME_DIR/\.ssh(/.*)?			gen_context(system_u:object_r:ssh_home_t,s0)
+HOME_DIR/\.ansible/cp/.*	-s	gen_context(system_u:object_r:ssh_home_t,s0)
+HOME_DIR/\.shosts			gen_context(system_u:object_r:ssh_home_t,s0)
 
-/etc/ssh/primes			--	gen_context(system_u:object_r:sshd_key_t,s0)
-/etc/ssh/ssh_host.*_key		--	gen_context(system_u:object_r:sshd_key_t,s0)
+/var/lib/[^/]+/\.ssh(/.*)?		gen_context(system_u:object_r:ssh_home_t,s0)
+/var/lib/amanda/\.ssh(/.*)?		gen_context(system_u:object_r:ssh_home_t,s0)
+/var/lib/gitolite/\.ssh(/.*)?	gen_context(system_u:object_r:ssh_home_t,s0)
+/var/lib/gitolite3/\.ssh(/.*)?	gen_context(system_u:object_r:ssh_home_t,s0)
+/var/lib/nocpulse/\.ssh(/.*)?	gen_context(system_u:object_r:ssh_home_t,s0)
+/var/lib/one/\.ssh(/.*)?		gen_context(system_u:object_r:ssh_home_t,s0)
+/var/lib/openshift/[^/]+/\.ssh(/.*)?        gen_context(system_u:object_r:ssh_home_t,s0)
+/var/lib/openshift/gear/[^/]+/\.ssh(/.*)?        gen_context(system_u:object_r:ssh_home_t,s0)
+/var/lib/pgsql/\.ssh(/.*)?		gen_context(system_u:object_r:ssh_home_t,s0)
+/var/lib/stickshift/[^/]+/\.ssh(/.*)?        gen_context(system_u:object_r:ssh_home_t,s0)
+
+/etc/rc\.d/init\.d/sshd        --  gen_context(system_u:object_r:sshd_initrc_exec_t,s0)
+
+/etc/ssh/primes			        --	gen_context(system_u:object_r:sshd_key_t,s0)
+/etc/ssh/ssh_host.*_key		    --	gen_context(system_u:object_r:sshd_key_t,s0)
+/etc/ssh/ssh_host.*_key\.pub    --	gen_context(system_u:object_r:sshd_key_t,s0)
 
 /usr/bin/ssh			--	gen_context(system_u:object_r:ssh_exec_t,s0)
 /usr/bin/ssh-agent		--	gen_context(system_u:object_r:ssh_agent_exec_t,s0)
 /usr/bin/ssh-keygen		--	gen_context(system_u:object_r:ssh_keygen_exec_t,s0)
 
 /usr/lib/openssh/ssh-keysign	 --	gen_context(system_u:object_r:ssh_keysign_exec_t,s0)
+/usr/lib/systemd/system/sshd.*	--	gen_context(system_u:object_r:sshd_unit_file_t,s0)
+/usr/lib/systemd/system/sshd-keygen.*     --  gen_context(system_u:object_r:sshd_keygen_unit_file_t,s0)
 
+/usr/libexec/nm-ssh-service     --  gen_context(system_u:object_r:ssh_exec_t,s0)
 /usr/libexec/openssh/ssh-keysign --	gen_context(system_u:object_r:ssh_keysign_exec_t,s0)
+/usr/libexec/openssh/sshd-keygen   --	gen_context(system_u:object_r:sshd_keygen_exec_t,s0)
 
 /usr/sbin/sshd			--	gen_context(system_u:object_r:sshd_exec_t,s0)
+/usr/sbin/sshd-keygen   --	gen_context(system_u:object_r:sshd_keygen_exec_t,s0)
+/usr/sbin/gsisshd		--	gen_context(system_u:object_r:sshd_exec_t,s0)
 
 /var/run/sshd\.init\.pid	--	gen_context(system_u:object_r:sshd_var_run_t,s0)
+/var/run/sshd\.pid		--	gen_context(system_u:object_r:sshd_var_run_t,s0)
+
+/root/\.ssh(/.*)?			gen_context(system_u:object_r:ssh_home_t,s0)
+/root/\.shosts				gen_context(system_u:object_r:ssh_home_t,s0)
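Review bot: `/etc/ssh/ssh_host.*_key\.pub` is now labelled sshd_key_t, the same type as the private host keys, so every domain given read on sshd_key_t to consume the public halves gets the private keys with it, and the interfaces added in ssh.if (`ssh_getattr_server_keys`, `ssh_dontaudit_read_server_keys`) operate on that one type; a distinct public-key type, or leaving the .pub files at the /etc default as the old anchored regex presumably did, keeps the private material distinguishable. Separately, the generic `/var/lib/[^/]+/\.ssh(/.*)?` entry already matches amanda, gitolite, gitolite3, nocpulse, one and pgsql, so those six specific lines are redundant and can be dropped; the openshift and stickshift entries are one level deeper and still needed.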
diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
index fe0c68272..79d568a54 100644
--- a/policy/modules/services/ssh.if
+++ b/policy/modules/services/ssh.if
@@ -32,10 +32,11 @@
 ## </param>
 #
 template(`ssh_basic_client_template',`
-
 	gen_require(`
 		attribute ssh_server;
 		type ssh_exec_t, sshd_key_t, sshd_tmp_t;
+		type ssh_keysign_exec_t, ssh_keysign_t;
+		type ssh_home_t;
 	')
 
 	##############################
@@ -47,10 +48,6 @@ template(`ssh_basic_client_template',`
 	application_domain($1_ssh_t, ssh_exec_t)
 	role $3 types $1_ssh_t;
 
-	type $1_ssh_home_t;
-	files_type($1_ssh_home_t)
-	typealias $1_ssh_home_t alias $1_home_ssh_t;
-
 	##############################
 	#
 	# Client local policy
@@ -89,33 +86,38 @@ template(`ssh_basic_client_template',`
 	# or "regular" (not special like sshd_extern_t) servers
 	allow $2 ssh_server:unix_stream_socket rw_stream_socket_perms;
 
+	# derived domain can execute ssh-keysign
+	domtrans_pattern($1_ssh_t, ssh_keysign_exec_t, ssh_keysign_t)
+	role $3 types ssh_keysign_t;
+
 	# allow ps to show ssh
 	ps_process_pattern($2, $1_ssh_t)
 
 	# user can manage the keys and config
-	manage_files_pattern($2, $1_ssh_home_t, $1_ssh_home_t)
-	manage_lnk_files_pattern($2, $1_ssh_home_t, $1_ssh_home_t)
-	manage_sock_files_pattern($2, $1_ssh_home_t, $1_ssh_home_t)
+	manage_files_pattern($2, ssh_home_t, ssh_home_t)
+	manage_lnk_files_pattern($2, ssh_home_t, ssh_home_t)
+	manage_sock_files_pattern($2, ssh_home_t, ssh_home_t)
 
 	# ssh client can manage the keys and config
-	manage_files_pattern($1_ssh_t, $1_ssh_home_t, $1_ssh_home_t)
-	read_lnk_files_pattern($1_ssh_t, $1_ssh_home_t, $1_ssh_home_t)
+	manage_files_pattern($1_ssh_t, ssh_home_t, ssh_home_t)
+	read_lnk_files_pattern($1_ssh_t, ssh_home_t, ssh_home_t)
 
 	# ssh servers can read the user keys and config
-	allow ssh_server $1_ssh_home_t:dir list_dir_perms;
-	read_files_pattern(ssh_server, $1_ssh_home_t, $1_ssh_home_t)
-	read_lnk_files_pattern(ssh_server, $1_ssh_home_t, $1_ssh_home_t)
+	allow ssh_server ssh_home_t:dir list_dir_perms;
+	read_files_pattern(ssh_server, ssh_home_t, ssh_home_t)
+	read_lnk_files_pattern(ssh_server, ssh_home_t, ssh_home_t)
 
 	kernel_read_kernel_sysctls($1_ssh_t)
 	kernel_read_system_state($1_ssh_t)
 
-	corenet_all_recvfrom_unlabeled($1_ssh_t)
 	corenet_all_recvfrom_netlabel($1_ssh_t)
 	corenet_tcp_sendrecv_generic_if($1_ssh_t)
 	corenet_tcp_sendrecv_generic_node($1_ssh_t)
 	corenet_tcp_sendrecv_all_ports($1_ssh_t)
 	corenet_tcp_connect_ssh_port($1_ssh_t)
 	corenet_sendrecv_ssh_client_packets($1_ssh_t)
+	corenet_tcp_bind_generic_node($1_ssh_t)
+	corenet_tcp_bind_all_unreserved_ports($1_ssh_t)
 
 	dev_read_urand($1_ssh_t)
 
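Review bot: `corenet_tcp_bind_generic_node($1_ssh_t)` and `corenet_tcp_bind_all_unreserved_ports($1_ssh_t)` let every derived ssh client domain listen on any unreserved TCP port, with no comment on why; I assume this serves local or dynamic port forwarding (-L/-D), but the hunk does not say. Add a why-comment so the grant is not cargo-culted, e.g. `# -L/-D port forwarding: the client listens on an unreserved local port`, and if forwarding is not part of the basic client template's remit the two lines belong in the full ssh_t policy instead. The enclosing ssh_basic_client_template starts and ends outside this hunk.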
@@ -139,7 +141,6 @@ template(`ssh_basic_client_template',`
 	logging_send_syslog_msg($1_ssh_t)
 	logging_read_generic_logs($1_ssh_t)
 
-	miscfiles_read_localization($1_ssh_t)
 
 	seutil_read_config($1_ssh_t)
 
@@ -148,6 +149,29 @@ template(`ssh_basic_client_template',`
 	')
 ')
 
+######################################
+## <summary>
+##  The template to define a domain to which sshd dyntransition.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  The prefix of the dyntransition domain
+##  </summary>
+## </param>
+#
+template(`ssh_dyntransition_domain_template',`
+	gen_require(`
+		attribute ssh_dyntransition_domain;
+	')
+
+	type $1, ssh_dyntransition_domain;
+	domain_type($1)
+	role system_r types $1;
+	
+	optional_policy(`
+		ssh_dyntransition_to($1)
+	')
+')
 #######################################
 ## <summary>
 ##	The template to define a ssh server.
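Review bot: The `<param>` summary calls `$1` "The prefix of the dyntransition domain", but the body declares `type $1, ssh_dyntransition_domain;` and passes `$1` unchanged to `ssh_dyntransition_to`, so the argument is the full type name, not a prefix; the doc should read `The type name of the domain sshd may dyntransition to.`. The `optional_policy` wrapper around `ssh_dyntransition_to($1)` looks unnecessary, since that interface requires only sshd_t, which is declared by this same module. Minor: the blank line after `role system_r types $1;` carries a trailing tab, and the closing `')` runs straight into the next `####` header with no separating blank line, unlike the other templates in this file.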
@@ -168,7 +192,11 @@ template(`ssh_basic_client_template',`
 ##	</summary>
 ## </param>
 #
-template(`ssh_server_template', `
+template(`ssh_server_template',`
+    gen_require(`
+        type sshd_t;
+    ')
+
 	type $1_t, ssh_server;
 	auth_login_pgm_domain($1_t)
 
@@ -181,20 +209,23 @@ template(`ssh_server_template', `
 	type $1_var_run_t;
 	files_pid_file($1_var_run_t)
 
-	allow $1_t self:capability { kill sys_chroot sys_nice sys_resource chown dac_override fowner fsetid setgid setuid sys_tty_config };
+	allow $1_t self:capability { kill sys_admin sys_chroot sys_nice sys_resource chown dac_read_search dac_override fowner fsetid net_admin setgid setuid sys_tty_config };
 	allow $1_t self:fifo_file rw_fifo_file_perms;
-	allow $1_t self:process { signal getsched setsched setrlimit setexec setkeycreate };
+	allow $1_t self:process { getcap signal getsched setsched setrlimit setexec };
+	allow $1_t self:process { signal getcap getsched setsched setrlimit setexec };
 	allow $1_t self:tcp_socket create_stream_socket_perms;
 	allow $1_t self:udp_socket create_socket_perms;
+	allow $1_t self:tun_socket { create_socket_perms relabelfrom relabelto };
 	# ssh agent connections:
 	allow $1_t self:unix_stream_socket create_stream_socket_perms;
 	allow $1_t self:shm create_shm_perms;
 
-	allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr getattr relabelfrom };
+	allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms getattr_chr_file_perms relabelfrom };
 	term_create_pty($1_t, $1_devpts_t)
 
-	manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
-	fs_tmpfs_filetrans($1_t, $1_tmpfs_t, file)
+	#manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
+	#fs_tmpfs_filetrans($1_t, $1_tmpfs_t, file)
+    userdom_manage_tmp_role(system_r, sshd_t)
 
 	allow $1_t $1_var_run_t:file manage_file_perms;
 	files_pid_filetrans($1_t, $1_var_run_t, file)
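Review bot: The two `allow $1_t self:process { … getcap … setexec }` lines are the same rule with the permissions reordered, so one of them should be deleted; while here, `setkeycreate` silently disappears from that set, which deserves a mention. `userdom_manage_tmp_role(system_r, sshd_t)` hardcodes sshd_t inside a template parameterised by `$1`, so every instantiation grants sshd_t rather than `$1_t` and the `$1_tmpfs_t` type declared above becomes unused — it should be `userdom_manage_tmp_role(system_r, $1_t)`, and the two commented-out tmpfs rules removed rather than left as dead code. The capability set also gains `sys_admin` and `dac_read_search` without explanation (net_admin is explained by the tunnel comment later in the template); a why-comment on `sys_admin` in particular is warranted given what it grants to every ssh server domain. The enclosing ssh_server_template starts and ends outside this hunk.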
@@ -206,6 +237,7 @@ template(`ssh_server_template', `
 
 	kernel_read_kernel_sysctls($1_t)
 	kernel_read_network_state($1_t)
+	kernel_request_load_module($1_t)
 
 	corenet_all_recvfrom_unlabeled($1_t)
 	corenet_all_recvfrom_netlabel($1_t)
@@ -220,10 +252,13 @@ template(`ssh_server_template', `
 	corenet_tcp_bind_generic_node($1_t)
 	corenet_udp_bind_generic_node($1_t)
 	corenet_tcp_bind_ssh_port($1_t)
-	corenet_tcp_connect_all_ports($1_t)
 	corenet_sendrecv_ssh_server_packets($1_t)
+	# -R qualifier
+	corenet_sendrecv_ssh_server_packets($1_t)
+	# tunnel feature and -w (net_admin capability also)
+	corenet_rw_tun_tap_dev($1_t)
 
-	fs_dontaudit_getattr_all_fs($1_t)
+	fs_getattr_all_fs($1_t)
 
 	auth_rw_login_records($1_t)
 	auth_rw_faillog($1_t)
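Review bot: `corenet_sendrecv_ssh_server_packets($1_t)` is now emitted twice, once unchanged and once under the new `# -R qualifier` comment, and the comment does not describe that interface: sendrecv of ssh_server packets concerns SECMARK-labelled packets, whereas `-R` remote forwarding needs the server to bind an arbitrary listening port. Drop the second copy, and if remote forwarding is the intent the rule wanted is something like `corenet_tcp_bind_all_unreserved_ports($1_t)` with the comment moved onto it. The removal of `corenet_tcp_connect_all_ports($1_t)` also means the server side of `-L` forwarding (sshd connecting to the destination) is no longer covered by this template — presumably deliberate or granted via a boolean elsewhere, but worth a sentence. `fs_dontaudit_getattr_all_fs` becoming `fs_getattr_all_fs` turns a dontaudit into an allow; fine if sshd needs it, but say why.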
@@ -233,7 +268,10 @@ template(`ssh_server_template', `
 	# for sshd subsystems, such as sftp-server.
 	corecmd_getattr_bin_files($1_t)
 
+	dev_rw_crypto($1_t)
+
 	domain_interactive_fd($1_t)
+	domain_dyntrans_type($1_t)
 
 	files_read_etc_files($1_t)
 	files_read_etc_runtime_files($1_t)
@@ -241,35 +279,33 @@ template(`ssh_server_template', `
 
 	logging_search_logs($1_t)
 
-	miscfiles_read_localization($1_t)
-
-	userdom_create_all_users_keys($1_t)
 	userdom_dontaudit_relabelfrom_user_ptys($1_t)
-	userdom_search_user_home_dirs($1_t)
+	userdom_read_user_home_content_files($1_t)
 
 	# Allow checking users mail at login
 	optional_policy(`
 		mta_getattr_spool($1_t)
 	')
 
-	tunable_policy(`use_nfs_home_dirs',`
-		fs_read_nfs_files($1_t)
-		fs_read_nfs_symlinks($1_t)
-	')
-
-	tunable_policy(`use_samba_home_dirs',`
-		fs_read_cifs_files($1_t)
-	')
+	userdom_home_manager($1_t)
 
 	optional_policy(`
 		kerberos_use($1_t)
-		kerberos_manage_host_rcache($1_t)
+		#kerberos_manage_host_rcache($1_t)
 	')
 
 	optional_policy(`
 		files_read_var_lib_symlinks($1_t)
 		nx_spec_domtrans_server($1_t)
 	')
+
+	optional_policy(`
+		rlogin_read_home_content($1_t)
+	')
+
+	optional_policy(`
+		shutdown_getattr_exec_files($1_t)
+	')
 ')
 
 ########################################
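Review bot: `userdom_read_user_home_content_files($1_t)` replaces `userdom_search_user_home_dirs($1_t)`, moving every ssh server domain from search on home directories to read of all user home content files, when the files sshd must read (authorized_keys and friends) already carry ssh_home_t; if the aim is ~/.k5login, ~/.hushlogin or similar, a comment should say so, otherwise the narrower search interface plus the specific type is preferable. `#kerberos_manage_host_rcache($1_t)` is a commented-out rule with no explanation — either delete it or add a one-line reason it was disabled. `userdom_home_manager($1_t)` replaces the two home-dir tunable blocks; as far as the hunk shows it is an attribute-based grant, so confirm it still covers the NFS/CIFS read case the removed rules provided. The enclosing ssh_server_template starts outside this hunk.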
@@ -292,14 +328,15 @@ template(`ssh_server_template', `
 ##	User domain for the role
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 template(`ssh_role_template',`
 	gen_require(`
 		attribute ssh_server, ssh_agent_type;
-
 		type ssh_t, ssh_exec_t, ssh_tmpfs_t, ssh_home_t;
 		type ssh_agent_exec_t, ssh_keysign_t, ssh_tmpfs_t;
 		type ssh_agent_tmp_t;
+		type cache_home_t;
 	')
 
 	##############################
@@ -328,103 +365,56 @@ template(`ssh_role_template',`
 
 	# allow ps to show ssh
 	ps_process_pattern($3, ssh_t)
-	allow $3 ssh_t:process signal;
+	allow $3 ssh_t:process signal_perms;
 
 	# for rsync
 	allow ssh_t $3:unix_stream_socket rw_socket_perms;
 	allow ssh_t $3:unix_stream_socket connectto;
+	allow ssh_t $3:key manage_key_perms;
+	allow $3 ssh_t:key { write search read view };
 
 	# user can manage the keys and config
 	manage_files_pattern($3, ssh_home_t, ssh_home_t)
 	manage_lnk_files_pattern($3, ssh_home_t, ssh_home_t)
 	manage_sock_files_pattern($3, ssh_home_t, ssh_home_t)
 	userdom_search_user_home_dirs($1_t)
+	userdom_manage_tmp_role($2, ssh_t)
 
 	##############################
 	#
 	# SSH agent local policy
 	#
 
-	allow $1_ssh_agent_t self:process setrlimit;
-	allow $1_ssh_agent_t self:capability setgid;
-
 	allow $1_ssh_agent_t { $1_ssh_agent_t $3 }:process signull;
 
 	allow $1_ssh_agent_t self:unix_stream_socket { create_stream_socket_perms connectto };
 
-	manage_dirs_pattern($1_ssh_agent_t, ssh_agent_tmp_t, ssh_agent_tmp_t)
-	manage_sock_files_pattern($1_ssh_agent_t, ssh_agent_tmp_t, ssh_agent_tmp_t)
-	files_tmp_filetrans($1_ssh_agent_t, ssh_agent_tmp_t, { dir sock_file })
-
 	# for ssh-add
 	stream_connect_pattern($3, ssh_agent_tmp_t, ssh_agent_tmp_t, $1_ssh_agent_t)
+	stream_connect_pattern($3, cache_home_t, cache_home_t, $1_ssh_agent_t)
 
 	# Allow the user shell to signal the ssh program.
-	allow $3 $1_ssh_agent_t:process signal;
+	allow $3 $1_ssh_agent_t:process signal_perms;
 
 	# allow ps to show ssh
 	ps_process_pattern($3, $1_ssh_agent_t)
 
 	domtrans_pattern($3, ssh_agent_exec_t, $1_ssh_agent_t)
 
-	kernel_read_kernel_sysctls($1_ssh_agent_t)
-
-	dev_read_urand($1_ssh_agent_t)
-	dev_read_rand($1_ssh_agent_t)
-
-	fs_search_auto_mountpoints($1_ssh_agent_t)
+	kernel_read_system_state($1_ssh_agent_t)
 
 	# transition back to normal privs upon exec
 	corecmd_shell_domtrans($1_ssh_agent_t, $3)
 	corecmd_bin_domtrans($1_ssh_agent_t, $3)
 
-	domain_use_interactive_fds($1_ssh_agent_t)
-
-	files_read_etc_files($1_ssh_agent_t)
-	files_read_etc_runtime_files($1_ssh_agent_t)
-	files_search_home($1_ssh_agent_t)
-
-	libs_read_lib_files($1_ssh_agent_t)
+	auth_use_nsswitch($1_ssh_agent_t)
 
 	logging_send_syslog_msg($1_ssh_agent_t)
 
-	miscfiles_read_localization($1_ssh_agent_t)
-	miscfiles_read_generic_certs($1_ssh_agent_t)
-
-	seutil_dontaudit_read_config($1_ssh_agent_t)
-
-	# Write to the user domain tty.
-	userdom_use_user_terminals($1_ssh_agent_t)
-
-	# for the transition back to normal privs upon exec
-	userdom_search_user_home_content($1_ssh_agent_t)
 	userdom_user_home_domtrans($1_ssh_agent_t, $3)
-	allow $3 $1_ssh_agent_t:fd use;
-	allow $3 $1_ssh_agent_t:fifo_file rw_file_perms;
-	allow $3 $1_ssh_agent_t:process sigchld;
-
-	tunable_policy(`use_nfs_home_dirs',`
-		fs_manage_nfs_files($1_ssh_agent_t)
-
-		# transition back to normal privs upon exec
-		fs_nfs_domtrans($1_ssh_agent_t, $3)
-	')
-
-	tunable_policy(`use_samba_home_dirs',`
-		fs_manage_cifs_files($1_ssh_agent_t)
-
-		# transition back to normal privs upon exec
-		fs_cifs_domtrans($1_ssh_agent_t, $3)
-	')
-
-	optional_policy(`
-		nis_use_ypbind($1_ssh_agent_t)
-	')
+	userdom_home_manager($1_ssh_agent_t)
 
-	optional_policy(`
-		xserver_use_xdm_fds($1_ssh_agent_t)
-		xserver_rw_xdm_pipes($1_ssh_agent_t)
-	')
+	ssh_exec_keygen($3)
 ')
 
 ########################################
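Review bot: `allow ssh_t $3:key manage_key_perms;` gives the ssh client full management of the user domain's kernel keyrings (create, write, link, setattr — not just read), with no comment on why; if this is for reading a KEYRING-type Kerberos credential cache, `{ read search view }` would be the matching grant, and the intent should be stated either way. `ssh_exec_keygen($3)` runs ssh-keygen inside the user domain rather than through `ssh_domtrans_keygen` or the `ssh_run_keygen` interface added later in this file, so the keygen domain is bypassed for interactive users — a comment saying that is deliberate would help. The new `stream_connect_pattern($3, cache_home_t, cache_home_t, $1_ssh_agent_t)` line also deserves a note that the agent socket may live under the user's cache directory. The enclosing ssh_role_template starts outside this hunk.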
@@ -496,8 +486,27 @@ interface(`ssh_read_pipes',`
 		type sshd_t;
 	')
 
-	allow $1 sshd_t:fifo_file { getattr read };
+	allow $1 sshd_t:fifo_file read_fifo_file_perms;
+')
+
+######################################
+## <summary>
+##      Read and write ssh server unix dgram sockets.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`ssh_rw_dgram_sockets',`
+    gen_require(`
+        type sshd_t;
+    ')
+
+    allow $1 sshd_t:unix_dgram_socket rw_stream_socket_perms;
 ')
+
 ########################################
 ## <summary>
 ##	Read and write a ssh server unnamed pipe.
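Review bot: `allow $1 sshd_t:unix_dgram_socket rw_stream_socket_perms;` applies the stream-socket permission set, which includes listen and accept, to a datagram socket class; the matching set for a dgram socket is `rw_socket_perms`, i.e. `allow $1 sshd_t:unix_dgram_socket rw_socket_perms;`. It compiles only because those permissions come from the common socket class, so nothing flags the mismatch. The interface body is also indented with spaces where the rest of the file uses tabs.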
@@ -513,7 +522,7 @@ interface(`ssh_rw_pipes',`
 		type sshd_t;
 	')
 
-	allow $1 sshd_t:fifo_file { write read getattr ioctl };
+	allow $1 sshd_t:fifo_file rw_inherited_fifo_file_perms;
 ')
 
 ########################################
@@ -603,6 +612,24 @@ interface(`ssh_domtrans',`
 	domtrans_pattern($1, sshd_exec_t, sshd_t)
 ')
 
+########################################
+## <summary>
+##	Execute sshd server in the sshd domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`ssh_initrc_domtrans',`
+	gen_require(`
+		type sshd_initrc_exec_t;
+	')
+
+	init_labeled_script_domtrans($1, sshd_initrc_exec_t)
+')
+
 ########################################
 ## <summary>
 ##	Execute the ssh client in the caller domain.
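Review bot: The summary of `ssh_initrc_domtrans` says "Execute sshd server in the sshd domain", but the body is `init_labeled_script_domtrans($1, sshd_initrc_exec_t)`, which transitions the caller into the init script domain when it runs the sshd init script, not into sshd_t; the sshd_t transition is `ssh_domtrans` immediately above. Suggested summary: `Execute the sshd init script in the init script domain.`, with the parameter summary `Domain allowed to transition.`.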
@@ -637,7 +664,7 @@ interface(`ssh_setattr_key_files',`
 		type sshd_key_t;
 	')
 
-	allow $1 sshd_key_t:file setattr;
+	allow $1 sshd_key_t:file setattr_file_perms;
 	files_search_pids($1)
 ')
 
@@ -660,6 +687,42 @@ interface(`ssh_agent_exec',`
 	can_exec($1, ssh_agent_exec_t)
 ')
 
+########################################
+## <summary>
+##	Getattr ssh home directory
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`ssh_getattr_user_home_dir',`
+	gen_require(`
+		type ssh_home_t;
+	')
+
+	allow $1 ssh_home_t:dir getattr;
+')
+
+########################################
+## <summary>
+##	Dontaudit search ssh home directory
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`ssh_dontaudit_search_user_home_dir',`
+	gen_require(`
+		type ssh_home_t;
+	')
+
+	dontaudit $1 ssh_home_t:dir search_dir_perms;
+')
+
 ########################################
 ## <summary>
 ##	Read ssh home directory content
@@ -699,6 +762,68 @@ interface(`ssh_domtrans_keygen',`
 	domtrans_pattern($1, ssh_keygen_exec_t, ssh_keygen_t)
 ')
 
+########################################
+## <summary>
+##	Execute the ssh key generator in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`ssh_exec_keygen',`
+	gen_require(`
+		type ssh_keygen_exec_t;
+	')
+
+	can_exec($1, ssh_keygen_exec_t)
+')
+
+#######################################
+## <summary>
+##  Execute ssh-keygen in the iptables domain, and
+##  allow the specified role the ssh-keygen domain.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed to transition.
+##  </summary>
+## </param>
+## <param name="role">
+##  <summary>
+##  Role allowed access.
+##  </summary>
+## </param>
+## <rolecap/>
+#
+interface(`ssh_run_keygen',`
+    gen_require(`
+        type ssh_keygen_t;
+    ')
+
+	role $2 types ssh_keygen_t;
+	ssh_domtrans_keygen($1)
+')
+
+########################################
+## <summary>
+##	Getattr ssh server keys
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`ssh_getattr_server_keys',`
+	gen_require(`
+		type sshd_key_t;
+	')
+
+	allow $1 sshd_key_t:file getattr_file_perms;
+')
+
 ########################################
 ## <summary>
 ##	Read ssh server keys
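Review bot: The summary of `ssh_run_keygen` says it executes ssh-keygen "in the iptables domain", a copy-paste leftover; it should read `Execute ssh-keygen in the ssh-keygen domain, and allow the specified role the ssh-keygen domain.`. In `ssh_getattr_server_keys` the parameter is documented as `Domain to not audit.` although the body is an allow rule — it should be `Domain allowed access.`. `ssh_run_keygen`'s gen_require block is indented with spaces while the rest of its body uses tabs.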
@@ -714,7 +839,26 @@ interface(`ssh_dontaudit_read_server_keys',`
 		type sshd_key_t;
 	')
 
-	dontaudit $1 sshd_key_t:file { getattr read };
+	dontaudit $1 sshd_key_t:file read_file_perms;
+')
+
+######################################
+## <summary>
+##	Append ssh home directory content
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`ssh_append_home_files',`
+	gen_require(`
+		type ssh_home_t;
+	')
+
+	append_files_pattern($1, ssh_home_t, ssh_home_t)
+	userdom_search_user_home_dirs($1)
 ')
 
 ######################################
@@ -754,3 +898,151 @@ interface(`ssh_delete_tmp',`
 	files_search_tmp($1)
 	delete_files_pattern($1, sshd_tmp_t, sshd_tmp_t)
 ')
+
+#####################################
+## <summary>
+##  Allow domain dyntransition to chroot_user_t domain.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`ssh_dyntransition_to',`
+    gen_require(`
+        type sshd_t;
+    ')
+
+    allow sshd_t $1:process dyntransition;
+    allow $1 sshd_t:process sigchld;
+    allow sshd_t $1:process { getattr sigkill sigstop signull signal };
+')
+
+########################################
+## <summary>
+##	Create .ssh directory in the /root directory
+##	with an correct label.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`ssh_filetrans_admin_home_content',`
+	gen_require(`
+		type ssh_home_t;
+	')
+
+	userdom_admin_home_dir_filetrans($1, ssh_home_t, dir, ".ssh")
+	userdom_admin_home_dir_filetrans($1, ssh_home_t, dir, ".shosts")
+')
+
+########################################
+## <summary>
+##	Create .ssh directory in the user home directory
+##	with an correct label.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`ssh_filetrans_home_content',`
+	
+	gen_require(`
+		type ssh_home_t;
+	')
+
+	userdom_user_home_dir_filetrans($1, ssh_home_t, dir, ".ssh")
+	userdom_user_home_dir_filetrans($1, ssh_home_t, dir, ".shosts")
+	files_var_lib_filetrans($1, ssh_home_t, dir, ".ssh")
+')
+
+########################################
+## <summary>
+##	Create .ssh directory in the user home directory
+##	with an correct label.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`ssh_filetrans_keys',`
+	
+	gen_require(`
+		type sshd_key_t;
+	')
+
+    files_etc_filetrans($1, sshd_key_t, file, ".ssh_host_key")
+    files_etc_filetrans($1, sshd_key_t, file, ".ssh_host_dsa_key")
+    files_etc_filetrans($1, sshd_key_t, file, ".ssh_host_rsa_key")
+    files_etc_filetrans($1, sshd_key_t, file, ".ssh_host_key.pub")
+    files_etc_filetrans($1, sshd_key_t, file, ".ssh_host_dsa_key.pub")
+    files_etc_filetrans($1, sshd_key_t, file, ".ssh_host_rsa_key.pub")
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to read and
+##	write the sshd pty type.  
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`ssh_dontaudit_use_ptys',`
+	gen_require(`
+		type sshd_devpts_t;
+	')
+
+	dontaudit $1 sshd_devpts_t:chr_file { getattr read write ioctl };
+')
+
+########################################
+## <summary>
+##	Read and write inherited sshd pty type.  
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`ssh_use_ptys',`
+	gen_require(`
+		type sshd_devpts_t;
+	')
+
+	allow $1 sshd_devpts_t:chr_file rw_inherited_chr_file_perms;
+')
+
+########################################
+## <summary>
+##	Execute sshd server in the sshd domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`ssh_systemctl',`
+	gen_require(`
+		type sshd_t;
+		type sshd_unit_file_t;
+	')
+
+	systemd_exec_systemctl($1)
+    init_reload_services($1)
+	allow $1 sshd_unit_file_t:file manage_file_perms;
+	allow $1 sshd_unit_file_t:service manage_service_perms;
+
+	ps_process_pattern($1, sshd_t)
+')
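Review bot: `ssh_systemctl` grants `allow $1 sshd_unit_file_t:file manage_file_perms;`, which lets every caller rewrite or delete sshd's unit file rather than only control the service; the usual shape for a `*_systemctl` interface is `allow $1 sshd_unit_file_t:file read_file_perms;` next to the `manage_service_perms` rule. Its summary "Execute sshd server in the sshd domain" describes a domain transition, not what the body does — `##	Execute systemctl to manage the sshd service.` fits better. `ssh_filetrans_keys` carries the summary of `ssh_filetrans_home_content` verbatim although it labels host key files under /etc, and `ssh_dyntransition_to` is worded as a transition to chroot_user_t while the body is a generic sshd_t-to-$1 dyntransition (`##  Allow sshd_t to dyntransition to the specified domain.`). The filetrans list in `ssh_filetrans_keys` names only rsa and dsa host keys, so any other key type written to /etc would not receive sshd_key_t. Both `ssh_filetrans_home_content` and `ssh_filetrans_keys` open with a tab-only line after the `interface(` header that should be dropped.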
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index cc877c7b0..b14a28d5c 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -6,43 +6,69 @@ policy_module(ssh, 2.4.2)
 #
 
 ## <desc>
-## <p>
-## allow host key based authentication
-## </p>
+##      <p>
+##      allow host key based authentication
+##      </p>
+## </desc>
+gen_tunable(ssh_keysign, false)
+
+## <desc>
+##	<p>
+##	Allow ssh logins as sysadm_r:sysadm_t
+##	</p>
 ## </desc>
-gen_tunable(allow_ssh_keysign, false)
+gen_tunable(ssh_sysadm_login, false)
 
 ## <desc>
 ## <p>
-## Allow ssh logins as sysadm_r:sysadm_t
+## Allow ssh with chroot env to read and write files 
+## in the user home directories
 ## </p>
 ## </desc>
-gen_tunable(ssh_sysadm_login, false)
+gen_tunable(ssh_chroot_rw_homedirs, false)
 
+attribute ssh_dyntransition_domain;
 attribute ssh_server;
 attribute ssh_agent_type;
 
+ssh_dyntransition_domain_template(chroot_user_t)
+ssh_dyntransition_domain_template(sshd_sandbox_t)
+ssh_dyntransition_domain_template(sshd_net_t)
+
 type ssh_keygen_t;
 type ssh_keygen_exec_t;
 init_system_domain(ssh_keygen_t, ssh_keygen_exec_t)
-role system_r types ssh_keygen_t;
+
+type ssh_keygen_tmp_t;
+files_tmp_file(ssh_keygen_tmp_t)
+
+type sshd_keygen_t;
+type sshd_keygen_exec_t;
+init_daemon_domain(sshd_keygen_t, sshd_keygen_exec_t)
+
+type sshd_keygen_unit_file_t;
+systemd_unit_file(sshd_keygen_unit_file_t)
 
 type sshd_exec_t;
 corecmd_executable_file(sshd_exec_t)
 
 ssh_server_template(sshd)
 init_daemon_domain(sshd_t, sshd_exec_t)
+mls_trusted_object(sshd_t)
+mls_process_write_all_levels(sshd_t)
+mls_dbus_send_all_levels(sshd_t)
+
+type sshd_initrc_exec_t;
+init_script_file(sshd_initrc_exec_t)
+
+type sshd_unit_file_t;
+systemd_unit_file(sshd_unit_file_t)
 
 type sshd_key_t;
 files_type(sshd_key_t)
 
-type sshd_tmp_t;
-files_tmp_file(sshd_tmp_t)
-files_poly_parent(sshd_tmp_t)
-
-ifdef(`enable_mcs',`
-	init_ranged_daemon_domain(sshd_t, sshd_exec_t, s0 - mcs_systemhigh)
-')
+type sshd_keytab_t;
+files_type(sshd_keytab_t)
 
 type ssh_t;
 type ssh_exec_t;
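Review bot: The `sshd_tmp_t` declaration is removed here (and its rules in later hunks), but `ssh_delete_tmp` in ssh.if still calls `delete_files_pattern($1, sshd_tmp_t, sshd_tmp_t)` (visible as context at the top of the last ssh.if hunk), so any module using that interface will fail on an undeclared type; either keep the type or drop/deprecate the interface. `role system_r types ssh_keygen_t;` is removed as well — fine if `init_system_domain` now declares the role, otherwise ssh_keygen_t loses system_r. The rewritten `<desc>` for `ssh_keysign` is indented with spaces where the neighbouring descriptions use tabs.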
@@ -67,15 +93,17 @@ userdom_user_application_domain(ssh_keysign_t, ssh_keysign_exec_t)
 type ssh_tmpfs_t;
 typealias ssh_tmpfs_t alias { user_ssh_tmpfs_t staff_ssh_tmpfs_t sysadm_ssh_tmpfs_t };
 typealias ssh_tmpfs_t alias { auditadm_ssh_tmpfs_t secadm_ssh_tmpfs_t };
-userdom_user_tmpfs_file(ssh_tmpfs_t)
+userdom_user_tmp_file(ssh_tmpfs_t)
 
 type ssh_home_t;
 typealias ssh_home_t alias { home_ssh_t user_ssh_home_t user_home_ssh_t staff_home_ssh_t sysadm_home_ssh_t };
 typealias ssh_home_t alias { auditadm_home_ssh_t secadm_home_ssh_t };
 userdom_user_home_content(ssh_home_t)
+files_poly_parent(ssh_home_t)
 
-type sshd_keytab_t;
-files_type(sshd_keytab_t)
+ifdef(`enable_mcs',`
+	init_ranged_daemon_domain(sshd_t, sshd_exec_t, s0 - mcs_systemhigh)
+')
 
 ##############################
 #
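Review bot: `ssh_tmpfs_t` is re-declared with `userdom_user_tmp_file` but keeps its tmpfs name, and the only transition into it (`fs_tmpfs_filetrans`) is commented out in the next hunk with no `files_tmp_filetrans` replacing it, so nothing creates a file of this type any more; either restore a filetrans or rename the type to match what it now is. Whether the `manage_*_pattern(ssh_t, ssh_tmpfs_t, ...)` rules are still useful depends on that decision.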
@@ -86,6 +114,7 @@ allow ssh_t self:capability { setuid setgid dac_override dac_read_search };
 allow ssh_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow ssh_t self:fd use;
 allow ssh_t self:fifo_file rw_fifo_file_perms;
+allow ssh_t self:key manage_key_perms;
 allow ssh_t self:unix_dgram_socket { create_socket_perms sendto };
 allow ssh_t self:unix_stream_socket { create_stream_socket_perms connectto };
 allow ssh_t self:shm create_shm_perms;
@@ -93,50 +122,55 @@ allow ssh_t self:sem create_sem_perms;
 allow ssh_t self:msgq create_msgq_perms;
 allow ssh_t self:msg { send receive };
 allow ssh_t self:tcp_socket create_stream_socket_perms;
+can_exec(ssh_t, ssh_exec_t)
 
 # Read the ssh key file.
 allow ssh_t sshd_key_t:file read_file_perms;
 
-# Access the ssh temporary files.
-allow ssh_t sshd_tmp_t:dir manage_dir_perms;
-allow ssh_t sshd_tmp_t:file manage_file_perms;
-files_tmp_filetrans(ssh_t, sshd_tmp_t, { file dir })
-
 manage_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
 manage_lnk_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
 manage_fifo_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
 manage_sock_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
-fs_tmpfs_filetrans(ssh_t, ssh_tmpfs_t, { dir file lnk_file sock_file fifo_file })
+#fs_tmpfs_filetrans(ssh_t, ssh_tmpfs_t, { dir file lnk_file sock_file fifo_file })
 
 manage_dirs_pattern(ssh_t, ssh_home_t, ssh_home_t)
 manage_sock_files_pattern(ssh_t, ssh_home_t, ssh_home_t)
-userdom_user_home_dir_filetrans(ssh_t, ssh_home_t, { dir sock_file })
+userdom_user_home_dir_filetrans(ssh_t, ssh_home_t, sock_file)
+userdom_user_home_content_filetrans(ssh_t, ssh_home_t, sock_file)
+userdom_user_home_dir_filetrans(ssh_t, ssh_home_t, dir, ".ssh")
+userdom_read_all_users_keys(ssh_t)
+userdom_stream_connect(ssh_t)
+userdom_search_admin_dir(sshd_t)
 
 # Allow the ssh program to communicate with ssh-agent.
 stream_connect_pattern(ssh_t, ssh_agent_tmp_t, ssh_agent_tmp_t, ssh_agent_type)
 
 allow ssh_t sshd_t:unix_stream_socket connectto;
+allow ssh_t sshd_t:peer recv;
 
 # ssh client can manage the keys and config
 manage_files_pattern(ssh_t, ssh_home_t, ssh_home_t)
 read_lnk_files_pattern(ssh_t, ssh_home_t, ssh_home_t)
 
 # ssh servers can read the user keys and config
-allow ssh_server ssh_home_t:dir list_dir_perms;
-read_files_pattern(ssh_server, ssh_home_t, ssh_home_t)
-read_lnk_files_pattern(ssh_server, ssh_home_t, ssh_home_t)
+manage_dirs_pattern(ssh_server, ssh_home_t, ssh_home_t)
+manage_files_pattern(ssh_server, ssh_home_t, ssh_home_t)
 
 kernel_read_kernel_sysctls(ssh_t)
 kernel_read_system_state(ssh_t)
 
-corenet_all_recvfrom_unlabeled(ssh_t)
 corenet_all_recvfrom_netlabel(ssh_t)
 corenet_tcp_sendrecv_generic_if(ssh_t)
 corenet_tcp_sendrecv_generic_node(ssh_t)
 corenet_tcp_sendrecv_all_ports(ssh_t)
 corenet_tcp_connect_ssh_port(ssh_t)
+corenet_tcp_connect_all_unreserved_ports(ssh_t)
 corenet_sendrecv_ssh_client_packets(ssh_t)
+corenet_tcp_bind_generic_node(ssh_t)
+#corenet_tcp_bind_all_unreserved_ports(ssh_t)
+corenet_rw_tun_tap_dev(ssh_t)
 
+dev_read_rand(ssh_t)
 dev_read_urand(ssh_t)
 
 fs_getattr_all_fs(ssh_t)
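Review bot: The comment `# ssh servers can read the user keys and config` is now stale, since the rules under it changed to `manage_dirs_pattern`/`manage_files_pattern`, giving every ssh_server domain write and create access to ~/.ssh; if that is intended, update it to `# ssh servers can manage the user keys and config`, and note that the removed `read_lnk_files_pattern(ssh_server, ssh_home_t, ssh_home_t)` is not re-added, so symlinked authorized_keys files stop being readable. `userdom_search_admin_dir(sshd_t)` is placed in the ssh_t client section although it targets sshd_t; it belongs in the sshd_t local policy section (the ssh_t variant is added separately in the next hunk). `#fs_tmpfs_filetrans(...)` and `#corenet_tcp_bind_all_unreserved_ports(ssh_t)` are commented-out rules and should be deleted rather than kept as dead code.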
@@ -157,40 +191,46 @@ files_read_var_files(ssh_t)
 logging_send_syslog_msg(ssh_t)
 logging_read_generic_logs(ssh_t)
 
+term_use_ptmx(ssh_t)
+
 auth_use_nsswitch(ssh_t)
 
-miscfiles_read_localization(ssh_t)
+miscfiles_read_generic_certs(ssh_t)
 
 seutil_read_config(ssh_t)
 
 userdom_dontaudit_list_user_home_dirs(ssh_t)
 userdom_search_user_home_dirs(ssh_t)
+userdom_search_admin_dir(ssh_t)
 # Write to the user domain tty.
-userdom_use_user_terminals(ssh_t)
-# needs to read krb tgt
+userdom_use_inherited_user_terminals(ssh_t)
+# needs to read krb/write tgt
 userdom_read_user_tmp_files(ssh_t)
-
-tunable_policy(`allow_ssh_keysign',`
-	domain_auto_trans(ssh_t, ssh_keysign_exec_t, ssh_keysign_t)
-	allow ssh_keysign_t ssh_t:fd use;
-	allow ssh_keysign_t ssh_t:process sigchld;
-	allow ssh_keysign_t ssh_t:fifo_file rw_file_perms;
+userdom_write_user_tmp_files(ssh_t)
+userdom_read_user_home_content_symlinks(ssh_t)
+userdom_rw_inherited_user_home_content_files(ssh_t)
+userdom_read_home_certs(ssh_t)
+userdom_home_manager(ssh_t)
+
+tunable_policy(`ssh_keysign',`
+	domtrans_pattern(ssh_t, ssh_keysign_exec_t, ssh_keysign_t)
 ')
 
-tunable_policy(`use_nfs_home_dirs',`
-	fs_manage_nfs_dirs(ssh_t)
-	fs_manage_nfs_files(ssh_t)
+# for port forwarding
+tunable_policy(`selinuxuser_tcp_server',`
+	corenet_tcp_bind_ssh_port(ssh_t)
+	corenet_tcp_bind_generic_node(ssh_t)
+	corenet_tcp_bind_all_unreserved_ports(ssh_t)
 ')
 
-tunable_policy(`use_samba_home_dirs',`
-	fs_manage_cifs_dirs(ssh_t)
-	fs_manage_cifs_files(ssh_t)
+ifdef(`enable_mcs',`
+    optional_policy(`
+        condor_startd_ranged_domtrans_to(sshd_t, sshd_exec_t, mcs_systemlow - mcs_systemhigh)
+    ')
 ')
 
-# for port forwarding
-tunable_policy(`user_tcp_server',`
-	corenet_tcp_bind_ssh_port(ssh_t)
-	corenet_tcp_bind_generic_node(ssh_t)
+optional_policy(`
+	gnome_stream_connect_gkeyringd(ssh_t)
 ')
 
 optional_policy(`
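Review bot: The `ifdef(`enable_mcs'` block with `condor_startd_ranged_domtrans_to(sshd_t, sshd_exec_t, ...)` is inserted in the ssh_t client section although it configures sshd_t; it would be clearer next to the other sshd_t condor rules in a later hunk. `miscfiles_read_localization(ssh_t)` is replaced rather than supplemented by `miscfiles_read_generic_certs(ssh_t)` — fine if localization access now comes through a broader interface, otherwise the client loses it. The `use_nfs_home_dirs`/`use_samba_home_dirs` blocks for ssh_t are dropped, presumably covered by the added `userdom_home_manager(ssh_t)`; a short comment on that line (`# replaces the per-filesystem home dir tunables`) would make the intent visible.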
@@ -198,6 +238,7 @@ optional_policy(`
 	xserver_domtrans_xauth(ssh_t)
 ')
 
+
 ##############################
 #
 # ssh_keysign_t local policy
@@ -209,6 +250,7 @@ allow ssh_keysign_t self:unix_stream_socket create_socket_perms;
 allow ssh_keysign_t sshd_key_t:file { getattr read };
 
 dev_read_urand(ssh_keysign_t)
+dev_read_rand(ssh_keysign_t)
 
 files_read_etc_files(ssh_keysign_t)
 
@@ -226,45 +268,77 @@ optional_policy(`
 # so a tunnel can point to another ssh tunnel
 allow sshd_t self:netlink_route_socket r_netlink_socket_perms;
 allow sshd_t self:key { search link write };
+allow sshd_t self:process setcurrent;
 
 allow sshd_t sshd_keytab_t:file read_file_perms;
 
-manage_dirs_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t)
-manage_files_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t)
-manage_sock_files_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t)
-files_tmp_filetrans(sshd_t, sshd_tmp_t, { dir file sock_file })
-
 kernel_search_key(sshd_t)
 kernel_link_key(sshd_t)
+kernel_read_net_sysctls(sshd_t)
+
+files_search_all(sshd_t)
+
+fs_search_cgroup_dirs(sshd_t)
+fs_rw_cgroup_files(sshd_t)
 
 term_use_all_ptys(sshd_t)
 term_setattr_all_ptys(sshd_t)
+term_setattr_all_ttys(sshd_t)
 term_relabelto_all_ptys(sshd_t)
+term_use_ptmx(sshd_t)
 
 # for X forwarding
 corenet_tcp_bind_xserver_port(sshd_t)
+corenet_tcp_bind_vnc_port(sshd_t)
 corenet_sendrecv_xserver_server_packets(sshd_t)
 
-ifdef(`distro_debian',`
-	allow sshd_t self:process { getcap setcap };
-')
+auth_exec_login_program(sshd_t)
+auth_signal_chk_passwd(sshd_t)
+
+userdom_read_user_home_content_files(sshd_t)
+userdom_read_user_home_content_symlinks(sshd_t)
+#userdom_manage_tmp_role(system_r, sshd_t)
+userdom_spec_domtrans_unpriv_users(sshd_t)
+userdom_signal_unpriv_users(sshd_t)
+userdom_dyntransition_unpriv_users(sshd_t)
 
 tunable_policy(`ssh_sysadm_login',`
 	# Relabel and access ptys created by sshd
 	# ioctl is necessary for logout() processing for utmp entry and for w to
 	# display the tty.
 	# some versions of sshd on the new SE Linux require setattr
-	userdom_spec_domtrans_all_users(sshd_t)
 	userdom_signal_all_users(sshd_t)
-',`
-	userdom_spec_domtrans_unpriv_users(sshd_t)
-	userdom_signal_unpriv_users(sshd_t)
+	userdom_spec_domtrans_all_users(sshd_t)
+	userdom_dyntransition_admin_users(sshd_t)
+')
+
+optional_policy(`
+	amanda_search_var_lib(sshd_t)
+')
+
+optional_policy(`
+	condor_rw_lib_files(sshd_t)
+	condor_rw_tcp_sockets_startd(sshd_t)
+	condor_rw_tcp_sockets_schedd(sshd_t)
 ')
 
 optional_policy(`
 	daemontools_service_domain(sshd_t, sshd_exec_t)
 ')
 
+optional_policy(`
+	ftp_dyntrans_sftpd(sshd_t)
+	ftp_dyntrans_anon_sftpd(sshd_t)
+')
+
+optional_policy(`
+	gitosis_manage_lib_files(sshd_t)
+')
+
+optional_policy(`
+    gnome_exec_keyringd(sshd_t)
+')
+
 optional_policy(`
 	inetd_tcp_service_domain(sshd_t, sshd_exec_t)
 ')
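Review bot: The `ssh_sysadm_login` tunable no longer has an else branch, so `userdom_spec_domtrans_unpriv_users`, `userdom_signal_unpriv_users` and the new `userdom_dyntransition_unpriv_users(sshd_t)` apply unconditionally, and together with `allow sshd_t self:process setcurrent;` sshd may switch into unprivileged user domains without an exec; the comment above the tunable ("Relabel and access ptys created by sshd ...") describes none of the remaining rules and should be replaced by something like `# Allow logins into administrative user domains`. `#userdom_manage_tmp_role(system_r, sshd_t)` is commented-out code and should be removed. The `ifdef(`distro_debian'` getcap/setcap rule is dropped without a replacement, which may be intended for this fork but deserves a line in the commit message.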
@@ -274,10 +348,26 @@ optional_policy(`
 	kerberos_use(sshd_t)
 ')
 
+optional_policy(`
+    lvm_domtrans(sshd_t)
+')
+
+optional_policy(`
+	munin_read_var_lib_files(sshd_t)
+')
+
+optional_policy(`
+	nx_read_home_files(sshd_t)
+')
+
 optional_policy(`
 	oddjob_domtrans_mkhomedir(sshd_t)
 ')
 
+optional_policy(`
+	rpc_rw_gssd_keys(sshd_t)
+')
+
 optional_policy(`
 	rpm_use_script_fds(sshd_t)
 ')
@@ -288,14 +378,95 @@ optional_policy(`
 	rssh_read_ro_content(sshd_t)
 ')
 
+optional_policy(`
+	rsync_read_data(sshd_t)
+')
+
+optional_policy(`
+	systemd_exec_systemctl(sshd_t)
+')
+
+optional_policy(`
+	usermanage_domtrans_passwd(sshd_t)
+	usermanage_read_crack_db(sshd_t)
+')
+
+optional_policy(`
+	openshift_dyntransition(sshd_t)
+	openshift_transition(sshd_t)
+	openshift_manage_tmp_files(sshd_t)
+	openshift_manage_tmp_sockets(sshd_t)
+	openshift_mounton_tmp(sshd_t)
+	openshift_read_lib_files(sshd_t)
+')
+
+optional_policy(`
+	postgresql_search_db(sshd_t)
+')
+
 optional_policy(`
 	unconfined_shell_domtrans(sshd_t)
 ')
 
+optional_policy(`
+	kernel_write_proc_files(sshd_t)
+	virt_transition_svirt_sandbox(sshd_t, system_r)
+	virt_stream_connect_sandbox(sshd_t)
+	virt_stream_connect(sshd_t)
+')
+
 optional_policy(`
 	xserver_domtrans_xauth(sshd_t)
+    xserver_xdm_signull(sshd_t)
 ')
 
+ifdef(`TODO',`
+	tunable_policy(`ssh_sysadm_login',`
+		# Relabel and access ptys created by sshd
+		# ioctl is necessary for logout() processing for utmp entry and for w to
+		# display the tty.
+		# some versions of sshd on the new SE Linux require setattr
+		allow sshd_t ptyfile:chr_file relabelto;
+
+			optional_policy(`
+				domain_trans(sshd_t, xauth_exec_t, userdomain)
+			')
+	',`
+		optional_policy(`
+			domain_trans(sshd_t, xauth_exec_t, unpriv_userdomain)
+		')
+		# Relabel and access ptys created by sshd
+		# ioctl is necessary for logout() processing for utmp entry and for w to
+		# display the tty.
+		# some versions of sshd on the new SE Linux require setattr
+		allow sshd_t userpty_type:chr_file { relabelto rw_inherited_chr_file_perms setattr_chr_file_perms };
+	')
+') dnl endif TODO
+
+########################################
+#
+# sshd-keygen local policy
+#
+
+allow sshd_keygen_t self:capability { chown fsetid };
+allow sshd_keygen_t self:fifo_file rw_fifo_file_perms;
+allow sshd_keygen_t self:unix_stream_socket create_stream_socket_perms;
+
+allow sshd_keygen_t sshd_key_t:file manage_file_perms;
+
+kernel_read_system_state(sshd_keygen_t)
+
+corecmd_exec_bin(sshd_keygen_t)
+
+auth_use_nsswitch(sshd_keygen_t)
+
+files_rw_etc_dirs(sshd_keygen_t)
+
+#run restorecon
+seutil_domtrans_setfiles(sshd_keygen_t)
+
+ssh_domtrans_keygen(sshd_keygen_t)
+
 ########################################
 #
 # ssh_keygen local policy
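Review bot: `kernel_write_proc_files(sshd_t)` is placed inside the virt `optional_policy` block, but the kernel module is always present and this grants sshd write access to proc files whether or not virt is loaded; move it out of the optional block with a comment on the use case, or use a narrower kernel interface if one fits. The `ifdef(`TODO',` block is never compiled and references `ptyfile`, `userpty_type` and `xauth_exec_t` without any `gen_require`; it is dead code and should be deleted rather than carried along. In the new sshd_keygen_t section the domain gets `manage_file_perms` on sshd_key_t and `files_rw_etc_dirs`, but no `files_etc_filetrans(sshd_keygen_t, sshd_key_t, file)`, so a key created directly by this domain (rather than by ssh_keygen_t after the domtrans) would get the default etc label — confirm whether it ever creates keys itself.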
@@ -304,19 +475,33 @@ optional_policy(`
 # ssh_keygen_t is the type of the ssh-keygen program when run at install time
 # and by sysadm_t
 
+allow ssh_keygen_t self:capability { dac_read_search dac_override };
 dontaudit ssh_keygen_t self:capability sys_tty_config;
 allow ssh_keygen_t self:process { sigchld sigkill sigstop signull signal };
-
 allow ssh_keygen_t self:unix_stream_socket create_stream_socket_perms;
 
 allow ssh_keygen_t sshd_key_t:file manage_file_perms;
 files_etc_filetrans(ssh_keygen_t, sshd_key_t, file)
 
+manage_dirs_pattern(ssh_keygen_t, ssh_home_t, ssh_home_t)
+manage_files_pattern(ssh_keygen_t, ssh_home_t, ssh_home_t)
+userdom_admin_home_dir_filetrans(ssh_keygen_t, ssh_home_t, dir)
+userdom_user_home_dir_filetrans(ssh_keygen_t, ssh_home_t, dir)
+
+manage_dirs_pattern(ssh_keygen_t, ssh_keygen_tmp_t, ssh_keygen_tmp_t)
+manage_files_pattern(ssh_keygen_t, ssh_keygen_tmp_t, ssh_keygen_tmp_t)
+files_tmp_filetrans(ssh_keygen_t, ssh_keygen_tmp_t, { file dir })
+
+kernel_read_system_state(ssh_keygen_t)
 kernel_read_kernel_sysctls(ssh_keygen_t)
 
+corecmd_exec_shell(ssh_keygen_t)
+corecmd_exec_bin(ssh_keygen_t)
+
 fs_search_auto_mountpoints(ssh_keygen_t)
 
 dev_read_sysfs(ssh_keygen_t)
+dev_read_rand(ssh_keygen_t)
 dev_read_urand(ssh_keygen_t)
 
 term_dontaudit_use_console(ssh_keygen_t)
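Review bot: `userdom_user_home_dir_filetrans(ssh_keygen_t, ssh_home_t, dir)` and its admin-home twin carry no name filter, so every directory ssh-keygen creates directly in a home directory becomes ssh_home_t, while the new `ssh_filetrans_home_content` interface in ssh.if restricts the same transition to `".ssh"`; passing the name here too (`userdom_user_home_dir_filetrans(ssh_keygen_t, ssh_home_t, dir, ".ssh")`) keeps the two consistent. `allow ssh_keygen_t self:capability { dac_read_search dac_override };` grants both capabilities; if the need is only to read other users' key directories, `dac_read_search` alone is the narrower choice — worth a comment on which operation needs `dac_override`.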
@@ -332,7 +517,9 @@ auth_use_nsswitch(ssh_keygen_t)
 
 logging_send_syslog_msg(ssh_keygen_t)
 
+userdom_home_manager(ssh_keygen_t)
 userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t)
+userdom_use_user_terminals(ssh_keygen_t)
 
 optional_policy(`
 	seutil_sigchld_newrole(ssh_keygen_t)
@@ -341,3 +528,150 @@ optional_policy(`
 optional_policy(`
 	udev_read_db(ssh_keygen_t)
 ')
+
+####################################
+#
+# ssh_dyntransition domain local policy
+#
+
+allow ssh_dyntransition_domain self:capability { setuid sys_chroot setgid };
+allow ssh_dyntransition_domain  self:unix_dgram_socket create_socket_perms;
+
+allow ssh_dyntransition_domain self:fifo_file rw_fifo_file_perms;
+allow ssh_dyntransition_domain sshd_t:fd use;
+
+optional_policy(`
+    ssh_rw_stream_sockets(ssh_dyntransition_domain)
+    ssh_rw_tcp_sockets(ssh_dyntransition_domain)
+')
+
+#####################################
+#
+# ssh_sandbox local policy
+#
+
+allow sshd_t sshd_sandbox_t:process signal;
+
+init_ioctl_stream_sockets(sshd_sandbox_t)
+
+logging_send_audit_msgs(sshd_sandbox_t)
+
+#####################################
+#
+#  sshd [net] child local policy
+#
+
+allow sshd_t sshd_net_t:process signal;
+
+allow sshd_net_t self:process setrlimit;
+
+dev_rw_crypto(sshd_net_t)
+
+init_ioctl_stream_sockets(sshd_net_t)
+init_rw_tcp_sockets(sshd_net_t)
+
+logging_send_audit_msgs(sshd_net_t)
+
+
+######################################
+#
+# chroot_user_t local policy
+#
+allow chroot_user_t self:fifo_file rw_fifo_file_perms;
+allow chroot_user_t self:unix_dgram_socket create_socket_perms;
+
+corecmd_exec_shell(chroot_user_t)
+
+domain_subj_id_change_exemption(chroot_user_t)
+domain_role_change_exemption(chroot_user_t)
+
+term_search_ptys(chroot_user_t)
+term_use_ptmx(chroot_user_t)
+
+fs_getattr_all_fs(chroot_user_t)
+
+userdom_read_user_home_content_files(chroot_user_t)
+userdom_read_inherited_user_home_content_files(chroot_user_t)
+userdom_read_user_home_content_symlinks(chroot_user_t)
+userdom_exec_user_home_content_files(chroot_user_t)
+userdom_use_inherited_user_ptys(chroot_user_t)
+
+tunable_policy(`ssh_chroot_rw_homedirs',`
+        files_list_home(chroot_user_t)
+		userdom_manage_user_home_content_files(chroot_user_t)
+		userdom_manage_user_home_content_symlinks(chroot_user_t)
+		userdom_manage_user_home_content_pipes(chroot_user_t)
+		userdom_manage_user_home_content_sockets(chroot_user_t)
+		userdom_manage_user_home_content_dirs(chroot_user_t)
+')
+
+tunable_policy(`ssh_chroot_rw_homedirs && use_nfs_home_dirs',`
+    fs_manage_nfs_dirs(chroot_user_t)
+    fs_manage_nfs_files(chroot_user_t)
+    fs_manage_nfs_symlinks(chroot_user_t)
+')
+
+tunable_policy(`ssh_chroot_rw_homedirs && use_samba_home_dirs',`
+    fs_manage_cifs_dirs(chroot_user_t)
+    fs_manage_cifs_files(chroot_user_t)
+    fs_manage_cifs_symlinks(chroot_user_t)
+')
+
+tunable_policy(`ssh_chroot_rw_homedirs && use_fusefs_home_dirs',`
+    fs_manage_fusefs_dirs(chroot_user_t)
+    fs_manage_fusefs_files(chroot_user_t)
+    fs_manage_fusefs_symlinks(chroot_user_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+    fs_read_cifs_files(chroot_user_t)
+    fs_read_cifs_symlinks(chroot_user_t)
+')
+
+userdom_home_manager(chroot_user_t)
+
+optional_policy(`
+    ssh_rw_dgram_sockets(chroot_user_t)
+')
+
+optional_policy(`
+    unconfined_shell_domtrans(chroot_user_t)
+')
+
+######################################
+#
+# ssh_agent_type common policy local policy
+#
+allow ssh_agent_type self:process setrlimit;
+allow ssh_agent_type self:capability setgid;
+
+manage_dirs_pattern(ssh_agent_type, ssh_agent_tmp_t, ssh_agent_tmp_t)
+manage_sock_files_pattern(ssh_agent_type, ssh_agent_tmp_t, ssh_agent_tmp_t)
+files_tmp_filetrans(ssh_agent_type, ssh_agent_tmp_t, { dir sock_file })
+
+kernel_read_kernel_sysctls(ssh_agent_type)
+
+dev_read_urand(ssh_agent_type)
+dev_read_rand(ssh_agent_type)
+
+fs_search_auto_mountpoints(ssh_agent_type)
+
+domain_use_interactive_fds(ssh_agent_type)
+
+files_read_etc_files(ssh_agent_type)
+files_read_etc_runtime_files(ssh_agent_type)
+
+libs_read_lib_files(ssh_agent_type)
+
+miscfiles_read_generic_certs(ssh_agent_type)
+
+# Write to the user domain tty.
+userdom_use_inherited_user_terminals(ssh_agent_type)
+
+# for the transition back to normal privs upon exec
+userdom_search_user_home_content(ssh_agent_type)
+
+optional_policy(`
+	xserver_use_xdm_fds(ssh_agent_type)
+	xserver_rw_xdm_pipes(ssh_agent_type)
+')
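Review bot: chroot_user_t gets `fs_read_cifs_files`/`fs_read_cifs_symlinks` under `use_samba_home_dirs`, but there is no matching read-only `use_nfs_home_dirs` block, so NFS home directories are readable only when `ssh_chroot_rw_homedirs` is also enabled; add `tunable_policy(`use_nfs_home_dirs',` with `fs_read_nfs_files(chroot_user_t)` and `fs_read_nfs_symlinks(chroot_user_t)` for symmetry. The `optional_policy` wrappers around `ssh_rw_stream_sockets`, `ssh_rw_tcp_sockets` and `ssh_rw_dgram_sockets` call this module's own interfaces and are unnecessary. Indentation in the `ssh_chroot_rw_homedirs` block mixes eight spaces and double tabs, and `allow ssh_dyntransition_domain  self:unix_dgram_socket` has a doubled space.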
diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
index 8274418c6..a47fd0b4d 100644
--- a/policy/modules/services/xserver.fc
+++ b/policy/modules/services/xserver.fc
@@ -2,13 +2,39 @@
 # HOME_DIR
 #
 HOME_DIR/\.fonts\.conf	--	gen_context(system_u:object_r:user_fonts_config_t,s0)
+HOME_DIR/\.fonts\.d(/.*)?	gen_context(system_u:object_r:user_fonts_config_t,s0)
 HOME_DIR/\.fonts(/.*)?		gen_context(system_u:object_r:user_fonts_t,s0)
+HOME_DIR/\.local/share/fonts(/.*)?		gen_context(system_u:object_r:user_fonts_t,s0)
+HOME_DIR/\.local/share/xorg(/.*)?	gen_context(system_u:object_r:xdm_home_t,s0)
+HOME_DIR/\.fontconfig(/.*)?	gen_context(system_u:object_r:user_fonts_cache_t,s0)
 HOME_DIR/\.fonts/auto(/.*)?	gen_context(system_u:object_r:user_fonts_cache_t,s0)
 HOME_DIR/\.fonts\.cache-.* --	gen_context(system_u:object_r:user_fonts_cache_t,s0)
+HOME_DIR/\.DCOP.* 	   --	gen_context(system_u:object_r:iceauth_home_t,s0)
 HOME_DIR/\.ICEauthority.* --	gen_context(system_u:object_r:iceauth_home_t,s0)
 HOME_DIR/\.serverauth.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
 HOME_DIR/\.xauth.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
+HOME_DIR/\.Xauth.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
 HOME_DIR/\.Xauthority.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
+HOME_DIR/\.cache/gdm(/.*)?	gen_context(system_u:object_r:xdm_home_t,s0)
+HOME_DIR/\.xsession-errors.*	--	gen_context(system_u:object_r:xdm_home_t,s0)
+HOME_DIR/\.wayland-errors.*	--	gen_context(system_u:object_r:xdm_home_t,s0)
+HOME_DIR/\.dmrc.*	--	gen_context(system_u:object_r:xdm_home_t,s0)
+
+/root/\.fonts\.conf	--	gen_context(system_u:object_r:user_fonts_config_t,s0)
+/root/\.fonts\.d(/.*)?	gen_context(system_u:object_r:user_fonts_config_t,s0)
+/root/\.fonts(/.*)?		gen_context(system_u:object_r:user_fonts_t,s0)
+/root/\.fontconfig(/.*)?	gen_context(system_u:object_r:user_fonts_cache_t,s0)
+/root/\.fonts/auto(/.*)?	gen_context(system_u:object_r:user_fonts_cache_t,s0)
+/root/\.fonts\.cache-.* --	gen_context(system_u:object_r:user_fonts_cache_t,s0)
+/root/\.DCOP.* 	   --	gen_context(system_u:object_r:iceauth_home_t,s0)
+/root/\.ICEauthority.* --	gen_context(system_u:object_r:iceauth_home_t,s0)
+/root/\.serverauth.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
+/root/\.xauth.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
+/root/\.Xauth.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
+/root/\.Xauthority.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
+/root/\.xsession-errors.*	--	gen_context(system_u:object_r:xdm_home_t,s0)
+/root/\.wayland-errors.*	--	gen_context(system_u:object_r:xdm_home_t,s0)
+/root/\.dmrc.*	--	gen_context(system_u:object_r:xdm_home_t,s0)
 
 #
 # /dev
@@ -22,13 +48,21 @@ HOME_DIR/\.Xauthority.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
 /etc/gdm(3)?/PreSession/.*	--	gen_context(system_u:object_r:xsession_exec_t,s0)
 /etc/gdm(3)?/Xsession	--	gen_context(system_u:object_r:xsession_exec_t,s0)
 
+/etc/X11/xorg\.conf\.d(/.*)?	gen_context(system_u:object_r:xserver_etc_t,s0)
+/etc/[mg]dm(/.*)?		  	gen_context(system_u:object_r:xdm_etc_t,s0)
+/etc/[mg]dm/Init(/.*)?	  	gen_context(system_u:object_r:xdm_unconfined_exec_t,s0)
+/etc/[mg]dm/PostLogin(/.*)?  	gen_context(system_u:object_r:xdm_unconfined_exec_t,s0)
+/etc/[mg]dm/PostSession(/.*)?  	gen_context(system_u:object_r:xdm_unconfined_exec_t,s0)
+/etc/[mg]dm/PreSession(/.*)?  	gen_context(system_u:object_r:xdm_unconfined_exec_t,s0)
+
 /etc/kde[34]?/kdm/Xstartup --	gen_context(system_u:object_r:xsession_exec_t,s0)
 /etc/kde[34]?/kdm/Xreset --	gen_context(system_u:object_r:xsession_exec_t,s0)
 /etc/kde[34]?/kdm/Xsession --	gen_context(system_u:object_r:xsession_exec_t,s0)
 /etc/kde[34]?/kdm/backgroundrc	gen_context(system_u:object_r:xdm_var_run_t,s0)
 
-/etc/rc\.d/init\.d/x11-common -- gen_context(system_u:object_r:xdm_exec_t,s0)
+/etc/opt/VirtualGL(/.*)?	gen_context(system_u:object_r:xdm_rw_etc_t,s0)
 
+/etc/rc\.d/init\.d/x11-common -- gen_context(system_u:object_r:xdm_exec_t,s0)
 /etc/X11/[wx]dm/Xreset.* --	gen_context(system_u:object_r:xsession_exec_t,s0)
 /etc/X11/[wxg]dm/Xsession --	gen_context(system_u:object_r:xsession_exec_t,s0)
 /etc/X11/wdm(/.*)?		gen_context(system_u:object_r:xdm_rw_etc_t,s0)
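Review bot: `/etc/[mg]dm/PreSession(/.*)?` labels the PreSession directory and its content xdm_unconfined_exec_t, while the existing `/etc/gdm(3)?/PreSession/.*	--` entry above labels the same gdm files xsession_exec_t; which one applies depends on file_contexts specificity ordering, and mdm and gdm may end up with different labels for the same hook scripts — check with `matchpathcon` on a file under /etc/gdm/PreSession and align or drop one of the two. The `/etc/opt/VirtualGL` entry is inserted between the kdm and x11-common entries rather than in its alphabetical position, which makes the list harder to scan.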
@@ -46,26 +80,37 @@ HOME_DIR/\.Xauthority.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
 # /tmp
 #
 
-/tmp/\.ICE-unix		-d	gen_context(system_u:object_r:xdm_tmp_t,s0)
-/tmp/\.ICE-unix/.*	-s	<<none>>
-/tmp/\.X0-lock		--	gen_context(system_u:object_r:xserver_tmp_t,s0)
-/tmp/\.X11-unix		-d	gen_context(system_u:object_r:xdm_tmp_t,s0)
-/tmp/\.X11-unix/.*	-s	<<none>>
+/tmp/\.font-unix(/.*)?      gen_context(system_u:object_r:user_fonts_t,s0)
 
 #
 # /usr
 #
 
+/usr/sbin/mdm-binary	--	gen_context(system_u:object_r:xdm_exec_t,s0)
 /usr/s?bin/gdm(3)?	--	gen_context(system_u:object_r:xdm_exec_t,s0)
 /usr/s?bin/gdm-binary	--	gen_context(system_u:object_r:xdm_exec_t,s0)
+/usr/s?bin/lightdm*	--	gen_context(system_u:object_r:xdm_exec_t,s0)
 /usr/s?bin/lxdm(-binary)?	--	gen_context(system_u:object_r:xdm_exec_t,s0)
-/usr/s?bin/[xkw]dm	--	gen_context(system_u:object_r:xdm_exec_t,s0)
+/usr/s?bin/[mxgkw]dm	--	gen_context(system_u:object_r:xdm_exec_t,s0)
+
+/usr/bin/sddm         	--	gen_context(system_u:object_r:xdm_exec_t,s0)
+/usr/bin/sddm-greeter  	--	gen_context(system_u:object_r:xdm_exec_t,s0)
 /usr/bin/gpe-dm		--	gen_context(system_u:object_r:xdm_exec_t,s0)
 /usr/bin/iceauth	--	gen_context(system_u:object_r:iceauth_exec_t,s0)
+/usr/bin/razor-lightdm-.*    --  gen_context(system_u:object_r:xdm_exec_t,s0)
 /usr/bin/slim		--	gen_context(system_u:object_r:xdm_exec_t,s0)
 /usr/bin/Xair		--	gen_context(system_u:object_r:xserver_exec_t,s0)
+/usr/bin/Xephyr		--	gen_context(system_u:object_r:xserver_exec_t,s0)
 /usr/bin/xauth		--	gen_context(system_u:object_r:xauth_exec_t,s0)
 /usr/bin/Xorg		--	gen_context(system_u:object_r:xserver_exec_t,s0)
+/usr/bin/Xvnc		--	gen_context(system_u:object_r:xserver_exec_t,s0)
+/usr/bin/x11vnc		--	gen_context(system_u:object_r:xserver_exec_t,s0)
+/usr/bin/nvidia.*	--	gen_context(system_u:object_r:xserver_exec_t,s0)
+
+/usr/libexec/Xorg\.bin  --  gen_context(system_u:object_r:xserver_exec_t,s0)   
+/usr/libexec/Xorg\.wrap  --  gen_context(system_u:object_r:xserver_exec_t,s0)
+
+/usr/libexec/gsd-backlight-helper	--	gen_context(system_u:object_r:xserver_exec_t,s0)
 
 /usr/lib/qt-.*/etc/settings(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
 
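Review bot: `/usr/s?bin/lightdm*` is a regex, so `lightdm*` matches `lightd` followed by zero or more `m`, not `lightdm` plus a suffix; the razor-lightdm entry uses the intended form, so this should be `/usr/s?bin/lightdm.*	--	gen_context(system_u:object_r:xdm_exec_t,s0)`. Removing the `/tmp/\.ICE-unix` and `/tmp/\.X11-unix` entries leaves those sockets with the default tmp label unless name-based filetrans rules in the .te now cover them — worth a line in the commit message. `/tmp/\.font-unix(/.*)?` uses spaces as the column separator and the `Xorg\.bin` entry has trailing whitespace.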
@@ -91,19 +136,34 @@ ifndef(`distro_debian',`
 /var/[xgkw]dm(/.*)?		gen_context(system_u:object_r:xserver_log_t,s0)
 
 /var/lib/gdm(3)?(/.*)?		gen_context(system_u:object_r:xdm_var_lib_t,s0)
+/var/lib/sddm(/.*)?		gen_context(system_u:object_r:xdm_var_lib_t,s0)
 /var/lib/lxdm(/.*)?		gen_context(system_u:object_r:xdm_var_lib_t,s0)
-/var/lib/[xkw]dm(/.*)?		gen_context(system_u:object_r:xdm_var_lib_t,s0)
+/var/lib/lightdm(/.*)?		gen_context(system_u:object_r:xdm_var_lib_t,s0)
+/var/lib/lightdm-data(/.*)?	gen_context(system_u:object_r:xdm_var_lib_t,s0)
+/var/lib/[mxkwg]dm(/.*)?	gen_context(system_u:object_r:xdm_var_lib_t,s0)
 /var/lib/xkb(/.*)?		gen_context(system_u:object_r:xkb_var_lib_t,s0)
+/var/lib/xorg(/.*)?		gen_context(system_u:object_r:xserver_var_lib_t,s0)
+
+/var/cache/lightdm(/.*)?	gen_context(system_u:object_r:xdm_var_lib_t,s0)
+/var/cache/[mg]dm(/.*)?		gen_context(system_u:object_r:xdm_var_lib_t,s0)
 
-/var/log/[kwx]dm\.log.*	--	gen_context(system_u:object_r:xserver_log_t,s0)
-/var/log/lxdm\.log	--	gen_context(system_u:object_r:xserver_log_t,s0)
 /var/log/gdm(3)?(/.*)?		gen_context(system_u:object_r:xserver_log_t,s0)
-/var/log/slim\.log	--	gen_context(system_u:object_r:xserver_log_t,s0)
+/var/log/[mkwx]dm\.log.*	--	gen_context(system_u:object_r:xdm_log_t,s0)
+/var/log/lightdm(/.*)?		gen_context(system_u:object_r:xserver_log_t,s0)
+/var/log/lxdm\.log.*	--	gen_context(system_u:object_r:xdm_log_t,s0)
+/var/log/mdm(/.*)?		gen_context(system_u:object_r:xdm_log_t,s0)
+/var/log/slim\.log.*	--	gen_context(system_u:object_r:xdm_log_t,s0)
 /var/log/XFree86.*	--	gen_context(system_u:object_r:xserver_log_t,s0)
 /var/log/Xorg.*		--	gen_context(system_u:object_r:xserver_log_t,s0)
+/var/log/nvidia-installer\.log.* --	gen_context(system_u:object_r:xserver_log_t,s0)
+
+/var/spool/[mg]dm(/.*)?	 	gen_context(system_u:object_r:xdm_spool_t,s0)
 
 /var/run/gdm(3)?(/.*)?	gen_context(system_u:object_r:xdm_var_run_t,s0)
 /var/run/gdm(3)?\.pid	--	gen_context(system_u:object_r:xdm_var_run_t,s0)
+/var/run/[kgm]dm(/.*)?	 	gen_context(system_u:object_r:xdm_var_run_t,s0)
+/var/run/gdm_socket		-s	gen_context(system_u:object_r:xdm_var_run_t,s0)
+/var/run/lightdm(/.*)?		gen_context(system_u:object_r:xdm_var_run_t,s0)
 /var/run/xdm\.pid	--	gen_context(system_u:object_r:xdm_var_run_t,s0)
 /var/run/lxdm\.auth	--	gen_context(system_u:object_r:xdm_var_run_t,s0)
 /var/run/lxdm\.pid	--	gen_context(system_u:object_r:xdm_var_run_t,s0)
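Review bot: The display-manager log labels are now inconsistent: `/var/log/[mkwx]dm\.log.*`, lxdm, mdm and slim move to xdm_log_t, while `/var/log/gdm(3)?(/.*)?` and the new `/var/log/lightdm(/.*)?` stay xserver_log_t, so the same class of file gets two types depending on the display manager; if xdm_log_t is the intended type for DM logs, lightdm at least should use it (`/var/log/lightdm(/.*)?		gen_context(system_u:object_r:xdm_log_t,s0)`). `/var/run/[kgm]dm(/.*)?` overlaps the existing `/var/run/gdm(3)?(/.*)?` entry with the same type — harmless but redundant.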
@@ -111,7 +171,18 @@ ifndef(`distro_debian',`
 /var/run/slim.*			gen_context(system_u:object_r:xdm_var_run_t,s0)
 /var/run/xauth(/.*)?		gen_context(system_u:object_r:xdm_var_run_t,s0)
 /var/run/xdmctl(/.*)?		gen_context(system_u:object_r:xdm_var_run_t,s0)
+/var/run/sddm(/.*)?		gen_context(system_u:object_r:xdm_var_run_t,s0)
+
+/var/run/video.rom	--	gen_context(system_u:object_r:xserver_var_run_t,s0)
+/var/run/xorg(/.*)?		gen_context(system_u:object_r:xserver_var_run_t,s0)
+/var/run/systemd/multi-session-x(/.*)?	gen_context(system_u:object_r:xdm_var_run_t,s0)
 
 ifdef(`distro_suse',`
 /var/lib/pam_devperm/:0	--	gen_context(system_u:object_r:xdm_var_lib_t,s0)
 ')
+
+/var/lib/nxserver/home/\.xauth.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
+/var/lib/nxserver/home/\.Xauthority.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
+/var/lib/pqsql/\.xauth.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
+/var/lib/pqsql/\.Xauthority.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
+
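Review bot: The two new `xauth_home_t` entries for `/var/lib/pqsql/` look like a misspelling of `/var/lib/pgsql/` (PostgreSQL's home directory); as written the regex matches no real path, so a `.Xauthority` file in that directory keeps whatever label its parent gives it instead of `xauth_home_t`. Confirm the intended path and, if so, change the two lines to `/var/lib/pgsql/\.xauth.*	--	gen_context(system_u:object_r:xauth_home_t,s0)` and `/var/lib/pgsql/\.Xauthority.*	--	gen_context(system_u:object_r:xauth_home_t,s0)`. The hunk also appends an empty line at end of file.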
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
index 6bf0ecc2d..a7f53d058 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -18,100 +18,36 @@
 #
 interface(`xserver_restricted_role',`
 	gen_require(`
-		type xserver_t, xserver_exec_t, xserver_tmp_t, xserver_tmpfs_t;
-		type user_fonts_t, user_fonts_cache_t, user_fonts_config_t;
-		type iceauth_t, iceauth_exec_t, iceauth_home_t;
-		type xauth_t, xauth_exec_t, xauth_home_t;
+		type xauth_t, iceauth_t;
+		attribute dridomain, x_userdomain;
 	')
 
-	role $1 types { xserver_t xauth_t iceauth_t };
-
-	# Xserver read/write client shm
-	allow xserver_t $2:fd use;
-	allow xserver_t $2:shm rw_shm_perms;
-
-	allow xserver_t $2:process signal;
-
-	allow xserver_t $2:shm rw_shm_perms;
-
-	allow $2 user_fonts_t:dir list_dir_perms;
-	allow $2 user_fonts_t:file read_file_perms;
-
-	allow $2 user_fonts_config_t:dir list_dir_perms;
-	allow $2 user_fonts_config_t:file read_file_perms;
-
-	manage_dirs_pattern($2, user_fonts_cache_t, user_fonts_cache_t)
-	manage_files_pattern($2, user_fonts_cache_t, user_fonts_cache_t)
-
-	stream_connect_pattern($2, xserver_tmp_t, xserver_tmp_t, xserver_t)
-	files_search_tmp($2)
-
-	# Communicate via System V shared memory.
-	allow $2 xserver_t:shm r_shm_perms;
-	allow $2 xserver_tmpfs_t:file read_file_perms;
-
-	# allow ps to show iceauth
-	ps_process_pattern($2, iceauth_t)
-
-	domtrans_pattern($2, iceauth_exec_t, iceauth_t)
-
-	allow $2 iceauth_home_t:file read_file_perms;
-
-	domtrans_pattern($2, xauth_exec_t, xauth_t)
-
-	allow $2 xauth_t:process signal;
-
-	# allow ps to show xauth
-	ps_process_pattern($2, xauth_t)
-	allow $2 xserver_t:process signal;
-
-	allow $2 xauth_home_t:file read_file_perms;
-
-	# for when /tmp/.X11-unix is created by the system
-	allow $2 xdm_t:fd use;
-	allow $2 xdm_t:fifo_file { getattr read write ioctl };
-	allow $2 xdm_tmp_t:dir search;
-	allow $2 xdm_tmp_t:sock_file { read write };
-	dontaudit $2 xdm_t:tcp_socket { read write };
-
-	# Client read xserver shm
-	allow $2 xserver_t:fd use;
-	allow $2 xserver_tmpfs_t:file read_file_perms;
-
-	# Read /tmp/.X0-lock
-	allow $2 xserver_tmp_t:file { getattr read };
-
-	dev_rw_xserver_misc($2)
-	dev_rw_power_management($2)
-	dev_read_input($2)
-	dev_read_misc($2)
-	dev_write_misc($2)
-	# open office is looking for the following
-	dev_getattr_agp_dev($2)
-	dev_dontaudit_rw_dri($2)
-	# GNOME checks for usb and other devices:
-	dev_rw_usbfs($2)
-
-	miscfiles_read_fonts($2)
+	role $1 types { xauth_t iceauth_t };
+	typeattribute $2 x_userdomain, dridomain;
 
-	xserver_common_x_domain_template(user, $2)
-	xserver_domtrans($2)
-	xserver_unconfined($2)
-	xserver_xsession_entry_type($2)
-	xserver_dontaudit_write_log($2)
+	xserver_common_x_domain_template(user,$2)
 	xserver_stream_connect_xdm($2)
-	# certain apps want to read xdm.pid file
-	xserver_read_xdm_pid($2)
-	# gnome-session creates socket under /tmp/.ICE-unix/
-	xserver_create_xdm_tmp_sockets($2)
-	# Needed for escd, remove if we get escd policy
-	xserver_manage_xdm_tmp_files($2)
+	xserver_xdm_append_log($2)
 
-	# Client write xserver shm
-	tunable_policy(`allow_write_xshm',`
-		allow $2 xserver_t:shm rw_shm_perms;
-		allow $2 xserver_tmpfs_t:file rw_file_perms;
+	xserver_dri_domain($2)
+')
+
+########################################
+## <summary>
+##	Domain wants to use direct io devices
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xserver_dri_domain',`
+	gen_require(`
+		attribute dridomain;
 	')
+
+	typeattribute $1 dridomain;
 ')
 
 ########################################
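Review bot: `typeattribute $2 x_userdomain, dridomain;` already puts the role's domain in `dridomain`, so the later `xserver_dri_domain($2)` call, whose whole body is `typeattribute $1 dridomain;`, is redundant; keep one of the two. The removed body carried `dev_dontaudit_rw_dri($2)`, i.e. the restricted role previously got no DRI access, whereas the new body grants `dridomain` unconditionally while `xserver_user_x_domain_template` in this same file gates `dev_rw_dri` behind the `selinuxuser_direct_dri_enabled` tunable; if the restricted role is still meant to be the no-direct-hardware variant, gate the attribute the same way or leave it to `xserver_role`. Whether the other removed rules (shm, fonts, `xserver_t` signals, `xserver_unconfined`) are now supplied through the `x_userdomain` attribute cannot be checked from this diff, so a comment naming where they moved, e.g. `# remaining client rules come from x_userdomain in xserver.te`, would help the next reader.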
@@ -143,13 +79,15 @@ interface(`xserver_role',`
 	allow $2 xserver_tmpfs_t:file rw_file_perms;
 
 	allow $2 iceauth_home_t:file manage_file_perms;
-	allow $2 iceauth_home_t:file { relabelfrom relabelto };
+	allow $2 iceauth_home_t:file relabel_file_perms;
 
 	allow $2 xauth_home_t:file manage_file_perms;
-	allow $2 xauth_home_t:file { relabelfrom relabelto };
+	allow $2 xauth_home_t:file relabel_file_perms;
 
+	mls_xwin_read_to_clearance($2)
 	manage_dirs_pattern($2, user_fonts_t, user_fonts_t)
 	manage_files_pattern($2, user_fonts_t, user_fonts_t)
+	allow $2 user_fonts_t:lnk_file read_lnk_file_perms;
 	relabel_dirs_pattern($2, user_fonts_t, user_fonts_t)
 	relabel_files_pattern($2, user_fonts_t, user_fonts_t)
 
@@ -162,7 +100,6 @@ interface(`xserver_role',`
 	manage_files_pattern($2, user_fonts_config_t, user_fonts_config_t)
 	relabel_dirs_pattern($2, user_fonts_config_t, user_fonts_config_t)
 	relabel_files_pattern($2, user_fonts_config_t, user_fonts_config_t)
-
 ')
 
 #######################################
@@ -197,7 +134,7 @@ interface(`xserver_ro_session',`
 	allow $1 xserver_t:process signal;
 
 	# Read /tmp/.X0-lock
-	allow $1 xserver_tmp_t:file { getattr read };
+	allow $1 xserver_tmp_t:file read_file_perms;
 
 	# Client read xserver shm
 	allow $1 xserver_t:fd use;
@@ -227,7 +164,7 @@ interface(`xserver_rw_session',`
 		type xserver_t, xserver_tmpfs_t;
 	')
 
-	xserver_ro_session($1,$2)
+	xserver_ro_session($1, $2)
 	allow $1 xserver_t:shm rw_shm_perms;
 	allow $1 xserver_tmpfs_t:file rw_file_perms;
 ')
@@ -255,7 +192,7 @@ interface(`xserver_non_drawing_client',`
 
 	allow $1 self:x_gc { create setattr };
 
-	allow $1 xdm_var_run_t:dir search;
+	allow $1 xdm_var_run_t:dir search_dir_perms;
 	allow $1 xserver_t:unix_stream_socket connectto;
 
 	allow $1 xextension_t:x_extension { query use };
@@ -282,7 +219,7 @@ interface(`xserver_non_drawing_client',`
 interface(`xserver_user_client',`
 	refpolicywarn(`$0() has been deprecated, please use xserver_user_x_domain_template instead.')
 	gen_require(`
-		type xdm_t, xdm_tmp_t;
+		type xdm_t;
 		type xauth_home_t, iceauth_home_t, xserver_t, xserver_tmpfs_t;
 	')
 
@@ -291,14 +228,14 @@ interface(`xserver_user_client',`
 	allow $1 self:unix_stream_socket { connectto create_stream_socket_perms };
 
 	# Read .Xauthority file
-	allow $1 xauth_home_t:file { getattr read };
-	allow $1 iceauth_home_t:file { getattr read };
+	allow $1 xauth_home_t:file read_file_perms;
+	allow $1 iceauth_home_t:file read_file_perms;
 
 	# for when /tmp/.X11-unix is created by the system
 	allow $1 xdm_t:fd use;
-	allow $1 xdm_t:fifo_file { getattr read write ioctl };
-	allow $1 xdm_tmp_t:dir search;
-	allow $1 xdm_tmp_t:sock_file { read write };
+	allow $1 xdm_t:fifo_file rw_inherited_fifo_file_perms;
+    userdom_search_user_tmp_dirs($1)
+    userdom_rw_user_tmp_sock_files($1)
 	dontaudit $1 xdm_t:tcp_socket { read write };
 
 	# Allow connections to X server.
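Review bot: `userdom_search_user_tmp_dirs($1)` and `userdom_rw_user_tmp_sock_files($1)` are indented with four spaces while every other body line in this file uses a tab; the same mixed indentation appears in the hunks for `xserver_user_x_domain_template`, `xserver_stream_connect_xdm`, `xserver_append_xdm_stream_socket`, the deprecated `xserver_*_xdm_tmp_*` wrappers, `xserver_dontaudit_read_xdm_pid`, `xserver_read_log`, `xserver_dontaudit_stream_connect` and `xserver_xdm_search_spool`. Convert them to tabs so the file stays consistent and diffs against upstream refpolicy remain readable. The interface body continues outside the hunk.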
@@ -316,7 +253,7 @@ interface(`xserver_user_client',`
 	xserver_read_xdm_tmp_files($1)
 
 	# Client write xserver shm
-	tunable_policy(`allow_write_xshm',`
+	tunable_policy(`xserver_clients_write_xshm',`
 		allow $1 xserver_t:shm rw_shm_perms;
 		allow $1 xserver_tmpfs_t:file rw_file_perms;
 	')
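Review bot: Renaming the boolean from `allow_write_xshm` to `xserver_clients_write_xshm` (here and again in `xserver_user_x_domain_template`) changes a user-visible knob: any deployed `allow_write_xshm` setting stops applying, and unless the matching `gen_tunable` declaration is renamed in the same commit (not visible in this diff) the policy will not build. If compatibility with existing settings matters, record the rename in the module's documentation and migration notes so administrators know to re-enable it under the new name.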
@@ -342,19 +279,23 @@ interface(`xserver_user_client',`
 #
 template(`xserver_common_x_domain_template',`
 	gen_require(`
-		type root_xdrawable_t;
+		type root_xdrawable_t, xdm_t, xserver_t;
 		type xproperty_t, $1_xproperty_t;
 		type xevent_t, client_xevent_t;
 		type input_xevent_t, $1_input_xevent_t;
 
-		attribute x_domain;
+		attribute x_domain, input_xevent_type;
 		attribute xdrawable_type, xcolormap_type;
-		attribute input_xevent_type;
 
 		class x_drawable all_x_drawable_perms;
 		class x_property all_x_property_perms;
 		class x_event all_x_event_perms;
 		class x_synthetic_event all_x_synthetic_event_perms;
+		class x_client destroy;
+		class x_server manage;
+		class x_screen { saver_setattr saver_hide saver_show show_cursor hide_cursor };
+		class x_pointer { get_property set_property manage };
+		class x_keyboard { read manage freeze };
 	')
 
 	##############################
@@ -383,9 +324,18 @@ template(`xserver_common_x_domain_template',`
 	allow $2 $1_input_xevent_t:{ x_event x_synthetic_event } receive;
 	# can receive default events
 	allow $2 client_xevent_t:{ x_event x_synthetic_event } receive;
-	allow $2 xevent_t:{ x_event x_synthetic_event } receive;
+	allow $2 xevent_t:{ x_event x_synthetic_event } { send receive };
 	# dont audit send failures
 	dontaudit $2 input_xevent_type:x_event send;
+
+	allow $2 xdm_t:x_drawable { hide read add_child manage };
+	allow $2 xdm_t:x_client destroy;
+
+	allow $2 root_xdrawable_t:x_drawable write;
+	allow $2 xserver_t:x_server manage;
+	allow $2 xserver_t:x_screen { show_cursor hide_cursor saver_setattr saver_hide saver_show };
+	allow $2 xserver_t:x_pointer { get_property set_property manage };
+	allow $2 xserver_t:x_keyboard { read manage freeze };
 ')
 
 #######################################
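Review bot: The rules added at the end of `xserver_common_x_domain_template` give every X client domain built from it `xserver_t:x_server manage`, `x_keyboard { read manage freeze }`, `x_pointer manage`, `xdm_t:x_client destroy` and `{ send receive }` on `xevent_t`, which is close to the access that the separate `xserver_unconfined` and `xserver_manage_core_devices` interfaces exist to hand out selectively. Letting any ordinary client read the core keyboard and destroy the display manager's client removes most of the inter-client isolation the XSELinux object manager provides; if that trade-off is deliberate, gate the block behind a tunable or move it into a dedicated interface that only the domains needing it call, and say so in a comment above it, e.g. `# X clients built from this template are not isolated from each other: <reason>`. The template body starts outside the hunk.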
@@ -444,8 +394,9 @@ template(`xserver_object_types_template',`
 #
 template(`xserver_user_x_domain_template',`
 	gen_require(`
-		type xdm_t, xdm_tmp_t;
-		type xauth_home_t, iceauth_home_t, xserver_t, xserver_tmpfs_t;
+		type xdm_t, xserver_tmpfs_t;
+		type xdm_home_t;
+		type xauth_home_t, iceauth_home_t, xserver_t;
 	')
 
 	allow $2 self:shm create_shm_perms;
@@ -456,11 +407,13 @@ template(`xserver_user_x_domain_template',`
 	allow $2 xauth_home_t:file read_file_perms;
 	allow $2 iceauth_home_t:file read_file_perms;
 
+	xserver_filetrans_home_content($2)
+
 	# for when /tmp/.X11-unix is created by the system
 	allow $2 xdm_t:fd use;
-	allow $2 xdm_t:fifo_file { getattr read write ioctl };
-	allow $2 xdm_tmp_t:dir search_dir_perms;
-	allow $2 xdm_tmp_t:sock_file { read write };
+	allow $2 xdm_t:fifo_file rw_inherited_fifo_file_perms;
+    userdom_search_user_tmp_dirs($2)
+    userdom_rw_user_tmp_sock_files($2)
 	dontaudit $2 xdm_t:tcp_socket { read write };
 
 	# Allow connections to X server.
@@ -472,20 +425,26 @@ template(`xserver_user_x_domain_template',`
 	# for .xsession-errors
 	userdom_dontaudit_write_user_home_content_files($2)
 
-	xserver_ro_session($2,$3)
+	xserver_ro_session($2, $3)
 	xserver_use_user_fonts($2)
 
-	xserver_read_xdm_tmp_files($2)
+    userdom_read_user_tmp_files($2)
+	xserver_read_xdm_pid($2)
+	xserver_xdm_append_log($2)
 
 	# X object manager
 	xserver_object_types_template($1)
-	xserver_common_x_domain_template($1,$2)
+	xserver_common_x_domain_template($1, $2)
 
 	# Client write xserver shm
-	tunable_policy(`allow_write_xshm',`
+	tunable_policy(`xserver_clients_write_xshm',`
 		allow $2 xserver_t:shm rw_shm_perms;
 		allow $2 xserver_tmpfs_t:file rw_file_perms;
 	')
+
+	tunable_policy(`selinuxuser_direct_dri_enabled',`
+		dev_rw_dri($2)
+	')
 ')
 
 ########################################
@@ -517,6 +476,7 @@ interface(`xserver_use_user_fonts',`
 	# Read per user fonts
 	allow $1 user_fonts_t:dir list_dir_perms;
 	allow $1 user_fonts_t:file read_file_perms;
+	allow $1 user_fonts_t:lnk_file read_lnk_file_perms;
 
 	# Manipulate the global font cache
 	manage_dirs_pattern($1, user_fonts_cache_t, user_fonts_cache_t)
@@ -547,6 +507,42 @@ interface(`xserver_domtrans_xauth',`
 	domtrans_pattern($1, xauth_exec_t, xauth_t)
 ')
 
+######################################
+## <summary>
+##  Allow exec of Xauthority program..
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed to transition.
+##  </summary>
+## </param>
+#
+interface(`xserver_exec_xauth',`
+	gen_require(`
+		type xauth_t, xauth_exec_t;
+	')
+
+	can_exec($1, xauth_exec_t)
+')
+
+########################################
+## <summary>
+##	Dontaudit exec of Xauthority program.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`xserver_dontaudit_exec_xauth',`
+	gen_require(`
+		type xauth_exec_t;
+	')
+
+	dontaudit $1 xauth_exec_t:file execute;
+')
+
 ########################################
 ## <summary>
 ##	Create a Xauthority file in the user home directory.
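Review bot: `xserver_exec_xauth` requires `type xauth_t, xauth_exec_t;` but its body references only `xauth_exec_t`, so `xauth_t` in the `gen_require` is dead and should be dropped (compare `xserver_dontaudit_exec_xauth` just below, which requires only `xauth_exec_t`). Because `can_exec` runs xauth in the caller's own domain rather than transitioning to `xauth_t`, the summary should say so, e.g. `Execute xauth in the caller's domain (no transition to xauth_t).`, so callers do not pick it when they mean `xserver_domtrans_xauth`. The summary also ends with a doubled period, `Allow exec of Xauthority program..`, and its doc block is indented with spaces where the neighbouring ones use tabs.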
@@ -565,6 +561,24 @@ interface(`xserver_user_home_dir_filetrans_user_xauth',`
 	userdom_user_home_dir_filetrans($1, xauth_home_t, file)
 ')
 
+########################################
+## <summary>
+##	Create a Xauthority file in the admin home directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xserver_admin_home_dir_filetrans_xauth',`
+	gen_require(`
+		type xauth_home_t;
+	')
+
+	userdom_admin_home_dir_filetrans($1, xauth_home_t, file)
+')
+
 ########################################
 ## <summary>
 ##	Read all users fonts, user font configurations,
@@ -598,6 +612,25 @@ interface(`xserver_read_user_xauth',`
 
 	allow $1 xauth_home_t:file read_file_perms;
 	userdom_search_user_home_dirs($1)
+	xserver_read_xdm_pid($1)
+')
+
+########################################
+## <summary>
+##	Manage all users .Xauthority.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xserver_manage_user_xauth',`
+	gen_require(`
+		type xauth_home_t;
+	')
+
+	allow $1 xauth_home_t:file manage_file_perms;
 ')
 
 ########################################
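Review bot: `xserver_read_user_xauth` now also calls `xserver_read_xdm_pid($1)`, so a domain asking only to read users' `.Xauthority` files additionally gains read access to `xdm_var_run_t`; that broadening is not reflected in the interface summary (outside the hunk) and would be cleaner as a separate call at the caller. The new `xserver_manage_user_xauth` omits the `userdom_search_user_home_dirs($1)` that the read variant above carries, so a caller with no other home-directory search access cannot reach the files it is allowed to manage; add the search call, or state in the summary that the caller must provide it.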
@@ -615,7 +648,7 @@ interface(`xserver_setattr_console_pipes',`
 		type xconsole_device_t;
 	')
 
-	allow $1 xconsole_device_t:fifo_file setattr;
+	allow $1 xconsole_device_t:fifo_file setattr_fifo_file_perms;
 ')
 
 ########################################
@@ -636,6 +669,25 @@ interface(`xserver_rw_console',`
 	allow $1 xconsole_device_t:fifo_file rw_fifo_file_perms;
 ')
 
+########################################
+## <summary>
+##	Read XDM state files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xserver_read_state_xdm',`
+	gen_require(`
+		type xdm_t;
+	')
+
+	kernel_search_proc($1)
+	ps_process_pattern($1, xdm_t)
+')
+
 ########################################
 ## <summary>
 ##	Use file descriptors for xdm.
@@ -651,7 +703,7 @@ interface(`xserver_use_xdm_fds',`
 		type xdm_t;
 	')
 
-	allow $1 xdm_t:fd use; 
+	allow $1 xdm_t:fd use;
 ')
 
 ########################################
@@ -670,7 +722,7 @@ interface(`xserver_dontaudit_use_xdm_fds',`
 		type xdm_t;
 	')
 
-	dontaudit $1 xdm_t:fd use; 
+	dontaudit $1 xdm_t:fd use;
 ')
 
 ########################################
@@ -688,7 +740,7 @@ interface(`xserver_rw_xdm_pipes',`
 		type xdm_t;
 	')
 
-	allow $1 xdm_t:fifo_file { getattr read write }; 
+	allow $1 xdm_t:fifo_file rw_inherited_fifo_file_perms;
 ')
 
 ########################################
@@ -703,12 +755,11 @@ interface(`xserver_rw_xdm_pipes',`
 ## </param>
 #
 interface(`xserver_dontaudit_rw_xdm_pipes',`
-
 	gen_require(`
 		type xdm_t;
 	')
 
-	dontaudit $1 xdm_t:fifo_file rw_fifo_file_perms; 
+	dontaudit $1 xdm_t:fifo_file rw_fifo_file_perms;
 ')
 
 ########################################
@@ -765,11 +816,92 @@ interface(`xserver_manage_xdm_spool_files',`
 #
 interface(`xserver_stream_connect_xdm',`
 	gen_require(`
-		type xdm_t, xdm_tmp_t;
+		type xdm_t, xdm_var_run_t;
 	')
 
 	files_search_tmp($1)
-	stream_connect_pattern($1, xdm_tmp_t, xdm_tmp_t, xdm_t)
+	files_search_pids($1)
+	stream_connect_pattern($1, { xdm_var_run_t }, { xdm_var_run_t }, xdm_t)
+    userdom_stream_connect($1)
+')
+
+########################################
+## <summary>
+##	Allow domain to append XDM unix domain
+##	stream socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+
+interface(`xserver_append_xdm_stream_socket',`
+	gen_require(`
+		type xdm_t;
+	')
+
+    allow $1 xdm_t:unix_stream_socket append;
+')
+
+########################################
+## <summary>
+##	Read XDM files in user home directories. 
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xserver_read_xdm_home_files',`
+	gen_require(`
+		type xdm_home_t;
+	')
+
+	userdom_search_user_home_dirs($1)
+	allow $1 xdm_home_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+##	Read xserver configuration files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xserver_read_config',`
+	gen_require(`
+		type xserver_etc_t;
+	')
+
+	files_search_etc($1)
+	read_files_pattern($1, xserver_etc_t, xserver_etc_t)
+	read_lnk_files_pattern($1, xserver_etc_t, xserver_etc_t)
+')
+
+########################################
+## <summary>
+##	Manage xserver configuration files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xserver_manage_config',`
+	gen_require(`
+		type xserver_etc_t;
+	')
+
+	files_search_etc($1)
+	manage_files_pattern($1, xserver_etc_t, xserver_etc_t)
+	manage_lnk_files_pattern($1, xserver_etc_t, xserver_etc_t)
 ')
 
 ########################################
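Review bot: In `xserver_stream_connect_xdm` the braces in `stream_connect_pattern($1, { xdm_var_run_t }, { xdm_var_run_t }, xdm_t)` wrap a single type and can be dropped; `files_search_tmp($1)` is also kept although the socket type is now `xdm_var_run_t` under `/var/run`, so either it is left over from the `xdm_tmp_t` version or the reason it is still needed deserves a comment such as `# <which socket still lives under /tmp>`. In `xserver_append_xdm_stream_socket` a blank line sits between the closing `#` of the doc block and `interface(`, which the other new interfaces in this hunk avoid and which may stop the XML doc generator from associating the two; the summary of `xserver_read_xdm_home_files` carries trailing whitespace.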
@@ -791,6 +923,21 @@ interface(`xserver_read_xdm_rw_config',`
 	allow $1 xdm_rw_etc_t:file read_file_perms;
 ')
 
+########################################
+## <summary>
+##	Search XDM temporary directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xserver_search_xdm_tmp_dirs',`
+    refpolicywarn(`$0() has been deprecated, please use userdom_search_user_tmp_dirs instead.')
+    userdom_search_user_tmp_dirs($1)
+')
+
 ########################################
 ## <summary>
 ##	Set the attributes of XDM temporary directories.
@@ -802,11 +949,23 @@ interface(`xserver_read_xdm_rw_config',`
 ## </param>
 #
 interface(`xserver_setattr_xdm_tmp_dirs',`
-	gen_require(`
-		type xdm_tmp_t;
-	')
+    refpolicywarn(`$0() has been deprecated, please use userdom_dontaudit_setattr_user_tmp instead.')
+    userdom_dontaudit_setattr_user_tmp($1)
+')
 
-	allow $1 xdm_tmp_t:dir setattr;
+########################################
+## <summary>
+##	Dont audit attempts to set the attributes of XDM temporary directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`xserver_dontaudit_xdm_tmp_dirs',`
+    refpolicywarn(`$0() has been deprecated, please use userdom_dontaudit_setattr_user_tmp instead.')
+    userdom_dontaudit_setattr_user_tmp($1)
 ')
 
 ########################################
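Review bot: `xserver_setattr_xdm_tmp_dirs` was an allow interface (`allow $1 xdm_tmp_t:dir setattr;`) but now delegates to `userdom_dontaudit_setattr_user_tmp`, a dontaudit, and its deprecation message recommends that dontaudit as the replacement; existing callers silently lose the permission they were granted and merely stop seeing the denial. Point the wrapper and its message at the allow-style userdom interface for setattr on user tmp directories, or state in the summary that the access is intentionally withdrawn. The new `xserver_dontaudit_xdm_tmp_dirs` then repeats that body line for line, so one of the two is redundant.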
@@ -821,13 +980,8 @@ interface(`xserver_setattr_xdm_tmp_dirs',`
 ## </param>
 #
 interface(`xserver_create_xdm_tmp_sockets',`
-	gen_require(`
-		type xdm_tmp_t;
-	')
-
-	files_search_tmp($1)
-	allow $1 xdm_tmp_t:dir list_dir_perms;
-	create_sock_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
+    refpolicywarn(`$0() has been deprecated, please use userdom_create_user_tmp_sockets instead.')
+    userdom_create_user_tmp_sockets($1)
 ')
 
 ########################################
@@ -846,7 +1000,26 @@ interface(`xserver_read_xdm_pid',`
 	')
 
 	files_search_pids($1)
-	allow $1 xdm_var_run_t:file read_file_perms;
+	read_files_pattern($1, xdm_var_run_t, xdm_var_run_t)
+')
+
+######################################
+## <summary>
+##  Dontaudit Read XDM pid files.
+## </summary>
+## <param name="domain">
+##  <summary>
+##	Domain to not audit.
+##  </summary>
+## </param>
+#
+interface(`xserver_dontaudit_read_xdm_pid',`
+    gen_require(`
+        type xdm_var_run_t;
+    ')
+
+	dontaudit $1 xdm_var_run_t:dir search_dir_perms;
+    dontaudit $1 xdm_var_run_t:file read_file_perms;
 ')
 
 ########################################
@@ -864,7 +1037,26 @@ interface(`xserver_read_xdm_lib_files',`
 		type xdm_var_lib_t;
 	')
 
-	allow $1 xdm_var_lib_t:file read_file_perms;
+	read_files_pattern($1, xdm_var_lib_t, xdm_var_lib_t)
+	read_lnk_files_pattern($1, xdm_var_lib_t, xdm_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Read inherited XDM var lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xserver_read_inherited_xdm_lib_files',`
+	gen_require(`
+		type xdm_var_lib_t;
+	')
+
+	allow $1 xdm_var_lib_t:file read_inherited_file_perms;
 ')
 
 ########################################
@@ -938,17 +1130,36 @@ interface(`xserver_getattr_log',`
 	')
 
 	logging_search_logs($1)
-	allow $1 xserver_log_t:file getattr;
+	allow $1 xserver_log_t:file getattr_file_perms;
 ')
 
-########################################
+#######################################
 ## <summary>
-##	Do not audit attempts to write the X server
-##	log files.
+##  Allow domain to read X server logs.
 ## </summary>
 ## <param name="domain">
-##	<summary>
-##	Domain to not audit.
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`xserver_read_log',`
+    gen_require(`
+        type xserver_log_t;
+    ')
+
+    logging_search_logs($1)
+    allow $1 xserver_log_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to write the X server
+##	log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
 ##	</summary>
 ## </param>
 #
@@ -957,7 +1168,7 @@ interface(`xserver_dontaudit_write_log',`
 		type xserver_log_t;
 	')
 
-	dontaudit $1 xserver_log_t:file { append write };
+	dontaudit $1 xserver_log_t:file rw_inherited_file_perms;
 ')
 
 ########################################
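Review bot: Widening `xserver_dontaudit_write_log` from `{ append write }` to `rw_inherited_file_perms` also suppresses read, getattr, ioctl and lock denials on `xserver_log_t`, so an interface named `dontaudit_write_log` now hides read attempts as well; during policy development that masks the denials that reveal missing rules. Keep the dontaudit scoped to what the name says, `dontaudit $1 xserver_log_t:file { append write };`, or rename the interface if suppressing inherited read/write is the intent.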
@@ -1004,7 +1215,7 @@ interface(`xserver_read_xkb_libs',`
 
 ########################################
 ## <summary>
-##	Read xdm temporary files.
+##	Manage X keyboard extension libraries.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -1012,51 +1223,117 @@ interface(`xserver_read_xkb_libs',`
 ##	</summary>
 ## </param>
 #
-interface(`xserver_read_xdm_tmp_files',`
+interface(`xserver_manage_xkb_libs',`
 	gen_require(`
-		type xdm_tmp_t;
+		type xkb_var_lib_t;
 	')
 
- 	files_search_tmp($1)
-	read_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
+	files_search_var_lib($1)
+	allow $1 xkb_var_lib_t:dir list_dir_perms;
+	manage_files_pattern($1, xkb_var_lib_t, xkb_var_lib_t)
 ')
 
 ########################################
 ## <summary>
-##	Do not audit attempts to read xdm temporary files.
+##	dontaudit access checks X keyboard extension libraries.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain to not audit.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
-interface(`xserver_dontaudit_read_xdm_tmp_files',`
+interface(`xserver_dontaudit_xkb_libs_access',`
 	gen_require(`
-		type xdm_tmp_t;
+		type xkb_var_lib_t;
 	')
 
-	dontaudit $1 xdm_tmp_t:dir search_dir_perms;
-	dontaudit $1 xdm_tmp_t:file read_file_perms;
+	dontaudit $1 xkb_var_lib_t:dir audit_access;
+	dontaudit $1 xkb_var_lib_t:file audit_access;
 ')
 
 ########################################
 ## <summary>
-##	Read write xdm temporary files.
+##	Read xdm config files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed access.
+##	Domain to not audit
 ##	</summary>
 ## </param>
 #
-interface(`xserver_rw_xdm_tmp_files',`
+interface(`xserver_read_xdm_etc_files',`
+	gen_require(`
+		type xdm_etc_t;
+	')
+
+	files_search_etc($1)
+	read_files_pattern($1, xdm_etc_t, xdm_etc_t)
+	read_lnk_files_pattern($1, xdm_etc_t, xdm_etc_t)
+')
+
+########################################
+## <summary>
+##	Manage xdm config files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit
+##	</summary>
+## </param>
+#
+interface(`xserver_manage_xdm_etc_files',`
 	gen_require(`
-		type xdm_tmp_t;
+		type xdm_etc_t;
 	')
 
-	allow $1 xdm_tmp_t:dir search_dir_perms;
-	allow $1 xdm_tmp_t:file rw_file_perms;
+	files_search_etc($1)
+	manage_files_pattern($1, xdm_etc_t, xdm_etc_t)
+')
+
+########################################
+## <summary>
+##	Read xdm temporary files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xserver_read_xdm_tmp_files',`
+    refpolicywarn(`$0() has been deprecated, please use userdom_read_user_tmpfs_files instead.')
+    userdom_read_user_tmpfs_files($1)
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to read xdm temporary files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`xserver_dontaudit_read_xdm_tmp_files',`
+    refpolicywarn(`$0() has been deprecated, please use userdom_dontaudit_read_user_tmp_files instead.')
+    userdom_dontaudit_read_user_tmp_files($1)
+')
+
+########################################
+## <summary>
+##	Read write xdm temporary files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xserver_rw_xdm_tmp_files',`
+    refpolicywarn(`$0() has been deprecated, please use userdom_rw_user_tmpfs_files instead.')
+    userdom_rw_user_tmpfs_files($1)
 ')
 
 ########################################
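Review bot: The deprecated `xserver_read_xdm_tmp_files` and `xserver_rw_xdm_tmp_files` wrappers now forward to `userdom_read_user_tmpfs_files` / `userdom_rw_user_tmpfs_files`, while `xdm_tmp_t` was a `/tmp` file type and both the sibling wrappers (`xserver_manage_xdm_tmp_files`, `xserver_dontaudit_read_xdm_tmp_files`) and the replacement used inside `xserver_user_x_domain_template` in this same patch go to the `user_tmp` variants; the tmpfs targets look like a mix-up that would leave existing callers unable to read the `/tmp` files they used to. Switch them to `userdom_read_user_tmp_files($1)` and `userdom_rw_user_tmp_files($1)` (and the deprecation text accordingly) unless the tmpfs mapping is intended, in which case a comment should explain it. Separately, the `<param>` summaries of `xserver_read_xdm_etc_files` and `xserver_manage_xdm_etc_files` say `Domain to not audit` although both are allow interfaces, `xserver_dontaudit_xkb_libs_access` says `Domain allowed access` although it is a dontaudit, and `xserver_manage_xdm_etc_files` lacks the `manage_lnk_files_pattern` its `xserver_manage_config` sibling has.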
@@ -1070,11 +1347,38 @@ interface(`xserver_rw_xdm_tmp_files',`
 ## </param>
 #
 interface(`xserver_manage_xdm_tmp_files',`
-	gen_require(`
-		type xdm_tmp_t;
-	')
+    refpolicywarn(`$0() has been deprecated, please use userdom_manage_user_tmp_files instead.')
+    userdom_manage_user_tmp_files($1)
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete xdm temporary dirs.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xserver_relabel_xdm_tmp_dirs',`
+    refpolicywarn(`$0() has been deprecated, please use userdom_relabel_user_tmp_dirs instead.')
+    userdom_relabel_user_tmp_dirs($1)
+')
 
-	manage_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
+########################################
+## <summary>
+##	Create, read, write, and delete xdm temporary dirs.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xserver_manage_xdm_tmp_dirs',`
+    refpolicywarn(`$0() has been deprecated, please use userdom_manage_user_tmp_dirs instead.')
+    userdom_manage_user_tmp_dirs($1)
 ')
 
 ########################################
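Review bot: The summary of the new `xserver_relabel_xdm_tmp_dirs` is `Create, read, write, and delete xdm temporary dirs.`, copied from the manage interface below it, but the body forwards to `userdom_relabel_user_tmp_dirs`; change it to `Relabel xdm temporary dirs.` so the generated documentation matches what the wrapper grants. Both wrappers are indented with spaces rather than the file's tabs.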
@@ -1089,11 +1393,8 @@ interface(`xserver_manage_xdm_tmp_files',`
 ## </param>
 #
 interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
-	gen_require(`
-		type xdm_tmp_t;
-	')
-
-	dontaudit $1 xdm_tmp_t:sock_file getattr;
+    refpolicywarn(`$0() has been deprecated, please use userdom_dontaudit_user_getattr_tmp_sockets instead.')
+    userdom_dontaudit_user_getattr_tmp_sockets($1)
 ')
 
 ########################################
@@ -1111,8 +1412,28 @@ interface(`xserver_domtrans',`
 		type xserver_t, xserver_exec_t;
 	')
 
- 	allow $1 xserver_t:process siginh;
+	allow $1 xserver_t:process siginh;
 	domtrans_pattern($1, xserver_exec_t, xserver_t)
+
+	allow xserver_t $1:process getpgid;
+')
+
+########################################
+## <summary>
+##	Allow execute the X server.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`xserver_exec',`
+	gen_require(`
+		type xserver_exec_t;
+	')
+
+	can_exec($1, xserver_exec_t)
 ')
 
 ########################################
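Review bot: `xserver_domtrans` now also grants `allow xserver_t $1:process getpgid;`, a rule on the server side of the transition that the interface summary (outside the hunk) does not mention; a why-comment such as `# the X server queries the process group of the domain that launched it` would mark it as intentional rather than a leftover. The summary of the new `xserver_exec` reads `Allow execute the X server.`; better `Execute the X server binary in the caller's domain (no domain transition).`, since that is the security-relevant difference from `xserver_domtrans` just above.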
@@ -1133,6 +1454,24 @@ interface(`xserver_signal',`
 	allow $1 xserver_t:process signal;
 ')
 
+########################################
+## <summary>
+##	Send a null signal to xdm processes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xserver_xdm_signull',`
+	gen_require(`
+		type xdm_t;
+	')
+
+	allow $1 xdm_t:process signull;
+')
+
 ########################################
 ## <summary>
 ##	Kill X servers
@@ -1208,6 +1547,25 @@ interface(`xserver_dontaudit_rw_stream_sockets',`
 	dontaudit $1 xserver_t:unix_stream_socket { read write };
 ')
 
+########################################
+## <summary>
+##	Do not audit attempts to read and write xdm
+##	unix domain stream sockets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`xserver_dontaudit_xdm_rw_stream_sockets',`
+	gen_require(`
+		type xdm_t;
+	')
+
+	dontaudit $1 xdm_t:unix_stream_socket { append getattr ioctl read write };
+')
+
 ########################################
 ## <summary>
 ##	Connect to the X server over a unix domain
@@ -1226,6 +1584,26 @@ interface(`xserver_stream_connect',`
 
 	files_search_tmp($1)
 	stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t)
+	allow xserver_t $1:shm rw_shm_perms;
+')
+
+######################################
+## <summary>
+##  Dontaudit attempts to connect to xserver
+##  over a unix stream socket.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain to not audit.
+##  </summary>
+## </param>
+#
+interface(`xserver_dontaudit_stream_connect',`
+    gen_require(`
+        type xserver_t, xserver_tmp_t;
+    ')
+
+    stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t)
 ')
 
 ########################################
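Review bot: `xserver_dontaudit_stream_connect` is documented as a dontaudit but its body is `stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t)`, which expands to allow rules, so every caller that only wants denials silenced is instead granted a connection to the X server socket — the same grant as `xserver_stream_connect` above minus the shm rule. Replace the body with `dontaudit $1 xserver_tmp_t:dir search_dir_perms;`, `dontaudit $1 xserver_tmp_t:sock_file write_sock_file_perms;` and `dontaudit $1 xserver_t:unix_stream_socket connectto;`. The `allow xserver_t $1:shm rw_shm_perms;` added to `xserver_stream_connect` lets the server read and write the caller's shared memory, which goes beyond "connect over a unix domain stream socket" and deserves a comment or its own interface.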
@@ -1251,7 +1629,7 @@ interface(`xserver_read_tmp_files',`
 ## <summary>
 ##	Interface to provide X object permissions on a given X server to
 ##	an X client domain.  Gives the domain permission to read the
-##      virtual core keyboard and virtual core pointer devices.
+##	virtual core keyboard and virtual core pointer devices.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -1261,13 +1639,27 @@ interface(`xserver_read_tmp_files',`
 #
 interface(`xserver_manage_core_devices',`
 	gen_require(`
-		type xserver_t;
+		type xserver_t, root_xdrawable_t, xevent_t;
 		class x_device all_x_device_perms;
 		class x_pointer all_x_pointer_perms;
 		class x_keyboard all_x_keyboard_perms;
+		class x_screen all_x_screen_perms;
+		class x_drawable { manage };
+		attribute x_domain;
+		class x_drawable all_x_drawable_perms;
+		class x_resource all_x_resource_perms;
+		class x_synthetic_event all_x_synthetic_event_perms;
+		class x_cursor all_x_cursor_perms;
 	')
 
 	allow $1 xserver_t:{ x_device x_pointer x_keyboard } *;
+	allow $1 xserver_t:{ x_screen } setattr;
+	
+	allow $1 x_domain:x_cursor all_x_cursor_perms;
+	allow $1 x_domain:x_drawable all_x_drawable_perms;
+	allow $1 x_domain:x_resource all_x_resource_perms;
+	allow $1 root_xdrawable_t:x_drawable all_x_drawable_perms;
+	allow $1 xevent_t:x_synthetic_event all_x_synthetic_event_perms;
 ')
 
 ########################################
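Review bot: The `gen_require` of `xserver_manage_core_devices` now lists `class x_drawable { manage };` and, three lines later, `class x_drawable all_x_drawable_perms;`; the first is subsumed by the second and should go, and a line containing only a tab slipped in after the `x_screen` rule. The body additionally grants `all_x_cursor_perms`, `all_x_drawable_perms` and `all_x_resource_perms` on every `x_domain` plus `all_x_synthetic_event_perms` on `xevent_t`, far wider than the summary above the hunk (`read the virtual core keyboard and virtual core pointer devices`) states; either update the summary to say the domain can manipulate all other clients' drawables, cursors and resources, or move those rules into a separate interface so callers that only need device access do not pick them up.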
@@ -1284,10 +1676,662 @@ interface(`xserver_manage_core_devices',`
 #
 interface(`xserver_unconfined',`
 	gen_require(`
-		attribute x_domain;
-		attribute xserver_unconfined_type;
+		attribute x_domain, xserver_unconfined_type;
 	')
 
 	typeattribute $1 x_domain;
 	typeattribute $1 xserver_unconfined_type;
 ')
+
+########################################
+## <summary>
+##	Dontaudit append to .xsession-errors file
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit
+##	</summary>
+## </param>
+#
+interface(`xserver_dontaudit_append_xdm_home_files',`
+	gen_require(`
+		type xdm_home_t;
+	')
+
+	dontaudit $1 xdm_home_t:file rw_inherited_file_perms;
+
+	tunable_policy(`use_nfs_home_dirs',`
+		fs_dontaudit_rw_nfs_files($1)
+	')
+
+	tunable_policy(`use_samba_home_dirs',`
+		fs_dontaudit_rw_cifs_files($1)
+	')
+')
+
+########################################
+## <summary>
+##	append to .xsession-errors file
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit
+##	</summary>
+## </param>
+#
+interface(`xserver_append_xdm_home_files',`
+	gen_require(`
+		type xdm_home_t, xserver_tmp_t;
+	')
+
+	allow $1 xdm_home_t:file append_file_perms;
+	allow $1 xserver_tmp_t:file append_file_perms;
+
+	tunable_policy(`use_nfs_home_dirs',`
+		fs_append_nfs_files($1)
+	')
+
+	tunable_policy(`use_samba_home_dirs',`
+		fs_append_cifs_files($1)
+	')
+')
+
+#######################################
+## <summary>
+##  Allow search the xdm_spool files
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`xserver_xdm_search_spool',`
+    gen_require(`
+        type xdm_spool_t;
+    ')
+
+    files_search_spool($1)
+    search_dirs_pattern($1, xdm_spool_t, xdm_spool_t)
+')
+
+######################################
+## <summary>
+##  Allow read the xdm_spool files
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`xserver_xdm_read_spool',`
+    gen_require(`
+        type xdm_spool_t;
+    ')
+
+    files_search_spool($1)
+    read_files_pattern($1, xdm_spool_t, xdm_spool_t)
+')
+
+########################################
+## <summary>
+##	Manage the xdm_spool files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xserver_xdm_manage_spool',`
+	gen_require(`
+		type xdm_spool_t;
+	')
+
+	files_search_spool($1)
+	manage_files_pattern($1, xdm_spool_t, xdm_spool_t)
+')
+
+########################################
+## <summary>
+##	Send and receive messages from
+##	xdm over dbus.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xserver_dbus_chat_xdm',`
+	gen_require(`
+		type xdm_t;
+		class dbus send_msg;
+	')
+
+	allow $1 xdm_t:dbus send_msg;
+	allow xdm_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+##	Send and receive messages from
+##	xdm over dbus.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xserver_dbus_chat',`
+	gen_require(`
+		type xserver_t;
+		class dbus send_msg;
+	')
+
+	allow $1 xserver_t:dbus send_msg;
+	allow xserver_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+##	Read xserver files created in /var/run
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xserver_read_pid',`
+	gen_require(`
+		type xserver_var_run_t;
+	')
+
+	files_search_pids($1)
+	read_files_pattern($1, xserver_var_run_t, xserver_var_run_t)
+')
+
+########################################
+## <summary>
+##	Execute xserver files created in /var/run
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xserver_exec_pid',`
+	gen_require(`
+		type xserver_var_run_t;
+	')
+
+	files_search_pids($1)
+	exec_files_pattern($1, xserver_var_run_t, xserver_var_run_t)
+')
+
+########################################
+## <summary>
+##	Write xserver files created in /var/run
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xserver_write_pid',`
+	gen_require(`
+		type xserver_var_run_t;
+	')
+
+	files_search_pids($1)
+	write_files_pattern($1, xserver_var_run_t, xserver_var_run_t)
+')
+
+########################################
+## <summary>
+##	Allow append the xdm
+##	log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit
+##	</summary>
+## </param>
+#
+interface(`xserver_xdm_append_log',`
+	gen_require(`
+		type xdm_log_t;
+		attribute xdmhomewriter;
+	')
+
+	typeattribute $1 xdmhomewriter;
+	allow $1 xdm_log_t:file append_inherited_file_perms;
+')
+
+########################################
+## <summary>
+##	Allow ioctl the xdm log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit
+##	</summary>
+## </param>
+#
+interface(`xserver_xdm_ioctl_log',`
+	gen_require(`
+		type xdm_log_t;
+	')
+
+	allow $1 xdm_log_t:file ioctl;
+')
+
+########################################
+## <summary>
+##	Allow append the xdm
+##	tmp files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit
+##	</summary>
+## </param>
+#
+interface(`xserver_append_xdm_tmp_files',`
+    refpolicywarn(`$0() has been deprecated, please use userdom_append_user_tmp_files instead.')
+    userdom_append_user_tmp_files($1)
+')
+
+########################################
+## <summary>
+##	Read a user Iceauthority domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xserver_read_user_iceauth',`
+	gen_require(`
+		type iceauth_home_t;
+	')
+
+	# Read .Iceauthority file
+	allow $1 iceauth_home_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+##	Read/write inherited user homedir fonts.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xserver_rw_inherited_user_fonts',`
+	gen_require(`
+		type user_fonts_t, user_fonts_config_t;
+	')
+
+	allow $1 user_fonts_t:file rw_inherited_file_perms;
+	allow $1 user_fonts_t:file read_lnk_file_perms;
+
+	allow $1 user_fonts_config_t:file rw_inherited_file_perms;
+')
+
+########################################
+## <summary>
+##	Search XDM var lib dirs.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xserver_search_xdm_lib',`
+	gen_require(`
+		type xdm_var_lib_t;
+	')
+
+	allow $1 xdm_var_lib_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+##	Make an X executable an entrypoint for the specified domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The domain for which the shell is an entrypoint.
+##	</summary>
+## </param>
+#
+interface(`xserver_entry_type',`
+	gen_require(`
+		type xserver_exec_t;
+	')
+
+	domain_entry_file($1, xserver_exec_t)
+')
+
+########################################
+## <summary>
+##	Execute xsever in the xserver domain, and
+##	allow the specified role the xserver domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed the xserver domain.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`xserver_run',`
+	gen_require(`
+		type xserver_t;
+	')
+
+	xserver_domtrans($1)
+	role $2 types xserver_t;
+')
+
+########################################
+## <summary>
+##	Execute xsever in the xserver domain, and
+##	allow the specified role the xserver domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed the xserver domain.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`xserver_run_xauth',`
+	gen_require(`
+		type xauth_t;
+	')
+
+	xserver_domtrans_xauth($1)
+	role $2 types xauth_t;
+')
+
+########################################
+## <summary>
+##	Read user homedir fonts.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`xserver_read_home_fonts',`
+	gen_require(`
+		type user_fonts_t, user_fonts_config_t;
+	')
+
+	list_dirs_pattern($1, user_fonts_t, user_fonts_t)
+	read_files_pattern($1, user_fonts_t, user_fonts_t)
+	read_lnk_files_pattern($1, user_fonts_t, user_fonts_t)
+
+	read_files_pattern($1, user_fonts_config_t, user_fonts_config_t)
+')
+
+########################################
+## <summary>
+##	Manage user fonts dir.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`xserver_manage_user_fonts_dir',`
+	gen_require(`
+		type user_fonts_t;
+	')
+
+	manage_dirs_pattern($1, user_fonts_t, user_fonts_t)
+	files_tmp_filetrans($1, user_fonts_t, dir, ".font-unix")
+')
+
+########################################
+## <summary>
+##	Manage user homedir fonts.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`xserver_manage_home_fonts',`
+	gen_require(`
+		type user_fonts_t, user_fonts_config_t, user_fonts_cache_t;
+	')
+
+	manage_dirs_pattern($1, user_fonts_t, user_fonts_t)
+	manage_files_pattern($1, user_fonts_t, user_fonts_t)
+	manage_lnk_files_pattern($1, user_fonts_t, user_fonts_t)
+
+	manage_files_pattern($1, user_fonts_config_t, user_fonts_config_t)
+
+#	userdom_user_home_dir_filetrans($1, user_fonts_t, dir, ".fonts.d")
+#	userdom_user_home_dir_filetrans($1, user_fonts_t, dir, ".fonts")
+#	userdom_user_home_dir_filetrans($1, user_fonts_cache_t, dir, ".fontconfig")
+')
+
+#######################################
+## <summary>
+##  Transition to xserver .fontconfig named content
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`xserver_filetrans_fonts_cache_home_content',`
+    gen_require(`
+        type user_fonts_cache_t;
+    ')
+
+	userdom_user_home_dir_filetrans($1, user_fonts_cache_t, dir, ".fontconfig")
+')
+
+########################################
+## <summary>
+##	Transition to xserver named content
+## </summary>
+## <param name="domain