From 8f7472dbb06243b304b0c8e49fe635377f7e29a5 Mon Sep 17 00:00:00 2001
From: Lukas Vrabec <lvrabec@redhat.com>
Date: Jun 05 2017 14:36:57 +0000
Subject: * Mon Jun 05 2017 Lukas Vrabec  <lvrabec@redhat.com> - 3.13.1-225.17

- Allow  dnsmasq_t domain to read systemd-resolved pid files.
- Allow smbd_t domain generate debugging files under /var/run/gluster. These files are created through the libgfapi.so library that provides integration of a GlusterFS client in the Samba (vfs_glusterfs) process.
- Allow condor_master_t write to sysctl_net_t
- Allow nagios check disk plugin read /sys/kernel/config/
- Allow pcp_pmie_t domain execute systemctl binary
- Allow nagios to connect to stream sockets. Allow nagios start httpd via systemctl
- Add interface fs_read_configfs_dirs()
- Add interface fs_read_configfs_files()
- Fix systemd_resolved_read_pid interface
- Add interface systemd_resolved_read_pid()
- Allow sshd_net_t domain read/write into crypto devices

---

diff --git a/container-selinux.tgz b/container-selinux.tgz
index 36bc4df..4e273eb 100644
Binary files a/container-selinux.tgz and b/container-selinux.tgz differ
diff --git a/policy-f25-base.patch b/policy-f25-base.patch
index 51b2655..02227d7 100644
--- a/policy-f25-base.patch
+++ b/policy-f25-base.patch
@@ -15424,10 +15424,35 @@ index d7c11a0..f521a50 100644
  /var/run/shm/.*			<<none>>
 -')
 diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
-index 8416beb..b5e6d68 100644
+index 8416beb..1d2ce4b 100644
 --- a/policy/modules/kernel/filesystem.if
 +++ b/policy/modules/kernel/filesystem.if
-@@ -631,6 +631,27 @@ interface(`fs_getattr_cgroup',`
+@@ -577,6 +577,24 @@ interface(`fs_mount_cgroup', `
+ 
+ ########################################
+ ## <summary>
++##	Allow the type to associate to cgroup filesystems.
++## </summary>
++## <param name="type">
++##	<summary>
++##	The type of the object to be associated.
++##	</summary>
++## </param>
++#
++interface(`fs_associate_cgroupfs',`
++	gen_require(`
++		type cgroup_t;
++	')
++
++	allow $1 cgroup_t:filesystem associate;
++')
++
++########################################
++## <summary>
+ ##	Remount cgroup filesystems.
+ ## </summary>
+ ## <param name="domain">
+@@ -631,6 +649,27 @@ interface(`fs_getattr_cgroup',`
  
  ########################################
  ## <summary>
@@ -15455,7 +15480,7 @@ index 8416beb..b5e6d68 100644
  ##	Search cgroup directories.
  ## </summary>
  ## <param name="domain">
-@@ -646,11 +667,31 @@ interface(`fs_search_cgroup_dirs',`
+@@ -646,11 +685,31 @@ interface(`fs_search_cgroup_dirs',`
  	')
  
  	search_dirs_pattern($1, cgroup_t, cgroup_t)
@@ -15487,7 +15512,7 @@ index 8416beb..b5e6d68 100644
  ##	list cgroup directories.
  ## </summary>
  ## <param name="domain">
-@@ -659,15 +700,35 @@ interface(`fs_search_cgroup_dirs',`
+@@ -659,15 +718,35 @@ interface(`fs_search_cgroup_dirs',`
  ##	</summary>
  ## </param>
  #
@@ -15524,7 +15549,7 @@ index 8416beb..b5e6d68 100644
  ########################################
  ## <summary>
  ##	Delete cgroup directories.
-@@ -684,6 +745,7 @@ interface(`fs_delete_cgroup_dirs', `
+@@ -684,6 +763,7 @@ interface(`fs_delete_cgroup_dirs', `
  	')
  
  	delete_dirs_pattern($1, cgroup_t, cgroup_t)
@@ -15532,7 +15557,7 @@ index 8416beb..b5e6d68 100644
  	dev_search_sysfs($1)
  ')
  
-@@ -704,6 +766,7 @@ interface(`fs_manage_cgroup_dirs',`
+@@ -704,6 +784,7 @@ interface(`fs_manage_cgroup_dirs',`
  	')
  
  	manage_dirs_pattern($1, cgroup_t, cgroup_t)
@@ -15540,7 +15565,7 @@ index 8416beb..b5e6d68 100644
  	dev_search_sysfs($1)
  ')
  
-@@ -724,6 +787,8 @@ interface(`fs_read_cgroup_files',`
+@@ -724,6 +805,8 @@ interface(`fs_read_cgroup_files',`
  	')
  
  	read_files_pattern($1, cgroup_t, cgroup_t)
@@ -15549,7 +15574,7 @@ index 8416beb..b5e6d68 100644
  	dev_search_sysfs($1)
  ')
  
-@@ -743,6 +808,7 @@ interface(`fs_write_cgroup_files', `
+@@ -743,6 +826,7 @@ interface(`fs_write_cgroup_files', `
  	')
  
  	write_files_pattern($1, cgroup_t, cgroup_t)
@@ -15557,7 +15582,7 @@ index 8416beb..b5e6d68 100644
  	dev_search_sysfs($1)
  ')
  
-@@ -762,7 +828,9 @@ interface(`fs_rw_cgroup_files',`
+@@ -762,7 +846,9 @@ interface(`fs_rw_cgroup_files',`
  
  	')
  
@@ -15567,7 +15592,33 @@ index 8416beb..b5e6d68 100644
  	dev_search_sysfs($1)
  ')
  
-@@ -803,6 +871,8 @@ interface(`fs_manage_cgroup_files',`
+@@ -788,6 +874,25 @@ interface(`fs_dontaudit_rw_cgroup_files',`
+ 
+ ########################################
+ ## <summary>
++##	Relabel cgroup files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`fs_relabel_cgroup_files',`
++	gen_require(`
++		type cgroup_t;
++
++	')
++
++	relabel_files_pattern($1, cgroup_t, cgroup_t)
++')
++
++########################################
++## <summary>
+ ##	Manage cgroup files.
+ ## </summary>
+ ## <param name="domain">
+@@ -803,6 +908,8 @@ interface(`fs_manage_cgroup_files',`
  	')
  
  	manage_files_pattern($1, cgroup_t, cgroup_t)
@@ -15576,7 +15627,7 @@ index 8416beb..b5e6d68 100644
  	dev_search_sysfs($1)
  ')
  
-@@ -826,6 +896,25 @@ interface(`fs_mounton_cgroup', `
+@@ -826,6 +933,25 @@ interface(`fs_mounton_cgroup', `
  
  ########################################
  ## <summary>
@@ -15602,7 +15653,7 @@ index 8416beb..b5e6d68 100644
  ##	Do not audit attempts to read
  ##	dirs on a CIFS or SMB filesystem.
  ## </summary>
-@@ -920,6 +1009,24 @@ interface(`fs_getattr_cifs',`
+@@ -920,6 +1046,24 @@ interface(`fs_getattr_cifs',`
  
  ########################################
  ## <summary>
@@ -15627,7 +15678,7 @@ index 8416beb..b5e6d68 100644
  ##	Search directories on a CIFS or SMB filesystem.
  ## </summary>
  ## <param name="domain">
-@@ -1107,6 +1214,24 @@ interface(`fs_read_noxattr_fs_files',`
+@@ -1107,6 +1251,24 @@ interface(`fs_read_noxattr_fs_files',`
  
  ########################################
  ## <summary>
@@ -15652,7 +15703,7 @@ index 8416beb..b5e6d68 100644
  ##	Do not audit attempts to read all
  ##	noxattrfs files.
  ## </summary>
-@@ -1245,7 +1370,7 @@ interface(`fs_append_cifs_files',`
+@@ -1245,7 +1407,7 @@ interface(`fs_append_cifs_files',`
  
  ########################################
  ## <summary>
@@ -15661,7 +15712,7 @@ index 8416beb..b5e6d68 100644
  ##	on a CIFS filesystem.
  ## </summary>
  ## <param name="domain">
-@@ -1265,6 +1390,42 @@ interface(`fs_dontaudit_append_cifs_files',`
+@@ -1265,6 +1427,42 @@ interface(`fs_dontaudit_append_cifs_files',`
  
  ########################################
  ## <summary>
@@ -15704,7 +15755,7 @@ index 8416beb..b5e6d68 100644
  ##	Do not audit attempts to read or
  ##	write files on a CIFS or SMB filesystem.
  ## </summary>
-@@ -1279,7 +1440,7 @@ interface(`fs_dontaudit_rw_cifs_files',`
+@@ -1279,7 +1477,7 @@ interface(`fs_dontaudit_rw_cifs_files',`
  		type cifs_t;
  	')
  
@@ -15713,366 +15764,345 @@ index 8416beb..b5e6d68 100644
  ')
  
  ########################################
-@@ -1542,6 +1703,63 @@ interface(`fs_cifs_domtrans',`
+@@ -1542,48 +1740,48 @@ interface(`fs_cifs_domtrans',`
  	domain_auto_transition_pattern($1, cifs_t, $2)
  ')
  
+-#######################################
 +########################################
-+## <summary>
+ ## <summary>
+-##	Create, read, write, and delete dirs
+-##	on a configfs filesystem.
 +##	Make general progams in cifs an entrypoint for
 +##	the specified domain.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain allowed access.
 +##	The domain for which cifs_t is an entrypoint.
-+##	</summary>
-+## </param>
-+#
+ ##	</summary>
+ ## </param>
+ #
+-interface(`fs_manage_configfs_dirs',`
 +interface(`fs_cifs_entry_type',`
-+	gen_require(`
+ 	gen_require(`
+-		type configfs_t;
 +		type cifs_t;
-+	')
-+
+ 	')
+ 
+-	manage_dirs_pattern($1, configfs_t, configfs_t)
 +	domain_entry_file($1, cifs_t)
-+')
-+
+ ')
+ 
+-#######################################
 +########################################
-+## <summary>
+ ## <summary>
+-##	Create, read, write, and delete files
+-##	on a configfs filesystem.
 +##	Make general progams in CIFS an entrypoint for
 +##	the specified domain.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain allowed access.
 +##	The domain for which cifs_t is an entrypoint.
-+##	</summary>
-+## </param>
-+#
+ ##	</summary>
+ ## </param>
+ #
+-interface(`fs_manage_configfs_files',`
 +interface(`fs_cifs_entrypoint',`
-+	gen_require(`
+ 	gen_require(`
+-		type configfs_t;
 +		type cifs_t;
-+	')
-+
+ 	')
+ 
+-	manage_files_pattern($1, configfs_t, configfs_t)
 +    allow $1 cifs_t:file entrypoint;
-+')
-+
+ ')
+ 
+-########################################
 +#######################################
-+## <summary>
+ ## <summary>
+-##	Mount a DOS filesystem, such as
+-##	FAT32 or NTFS.
 +##	dontaudit write dirs
 +##	on a configfs filesystem.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -1591,19 +1789,18 @@ interface(`fs_manage_configfs_files',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`fs_mount_dos_fs',`
 +interface(`fs_dontaudit_write_configfs_dirs',`
-+	gen_require(`
+ 	gen_require(`
+-		type dosfs_t;
 +		type configfs_t;
-+	')
-+
+ 	')
+ 
+-	allow $1 dosfs_t:filesystem mount;
 +	dontaudit $1 configfs_t:dir write;
-+')
-+
- #######################################
- ## <summary>
- ##	Create, read, write, and delete dirs
-@@ -1580,6 +1798,43 @@ interface(`fs_manage_configfs_files',`
- 	manage_files_pattern($1, configfs_t, configfs_t)
  ')
  
+-########################################
 +#######################################
-+## <summary>
-+##	Create, read, write, and delete files
+ ## <summary>
+-##	Remount a DOS filesystem, such as
+-##	FAT32 or NTFS.  This allows
+-##	some mount options to be changed.
++##	Read dirs
 +##	on a configfs filesystem.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`fs_manage_configfs_lnk_files',`
-+	gen_require(`
-+		type configfs_t;
-+	')
-+
-+	manage_lnk_files_pattern($1, configfs_t, configfs_t)
-+')
-+
-+########################################
-+## <summary>
-+##	Unmount a configfs filesystem
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`fs_unmount_configfs',`
-+	gen_require(`
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -1611,18 +1808,18 @@ interface(`fs_mount_dos_fs',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`fs_remount_dos_fs',`
++interface(`fs_read_configfs_dirs',`
+ 	gen_require(`
+-		type dosfs_t;
 +		type configfs_t;
-+	')
-+
-+	allow $1 configfs_t:filesystem unmount;
-+')
-+
- ########################################
- ## <summary>
- ##	Mount a DOS filesystem, such as
-@@ -1793,63 +2048,70 @@ interface(`fs_read_eventpollfs',`
- 	refpolicywarn(`$0($*) has been deprecated.')
+ 	')
+ 
+-	allow $1 dosfs_t:filesystem remount;
++	read_dirs_pattern($1, configfs_t, configfs_t)
  ')
  
 -########################################
-+
 +#######################################
  ## <summary>
--##	Mount a FUSE filesystem.
-+##      Search directories
-+##      on a ecrypt filesystem.
+-##	Unmount a DOS filesystem, such as
+-##	FAT32 or NTFS.
++##	Create, read, write, and delete dirs
++##	on a configfs filesystem.
  ## </summary>
  ## <param name="domain">
--##	<summary>
--##	Domain allowed access.
--##	</summary>
-+##      <summary>
-+##      Domain allowed access.
-+##      </summary>
+ ##	<summary>
+@@ -1630,38 +1827,37 @@ interface(`fs_remount_dos_fs',`
+ ##	</summary>
  ## </param>
  #
--interface(`fs_mount_fusefs',`
--	gen_require(`
--		type fusefs_t;
--	')
-+interface(`fs_search_ecryptfs',`
-+        gen_require(`
-+                type ecryptfs_t;
-+        ')
+-interface(`fs_unmount_dos_fs',`
++interface(`fs_manage_configfs_dirs',`
+ 	gen_require(`
+-		type dosfs_t;
++		type configfs_t;
+ 	')
  
--	allow $1 fusefs_t:filesystem mount;
-+        allow $1 ecryptfs_t:dir search_dir_perms;
+-	allow $1 dosfs_t:filesystem unmount;
++	manage_dirs_pattern($1, configfs_t, configfs_t)
  ')
  
- ########################################
+-########################################
++#######################################
  ## <summary>
--##	Unmount a FUSE filesystem.
-+##	Create, read, write, and delete directories
-+##	on a FUSEFS filesystem.
+-##	Get the attributes of a DOS
+-##	filesystem, such as FAT32 or NTFS.
++##	Read files
++##	on a configfs filesystem.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
  ##	Domain allowed access.
  ##	</summary>
  ## </param>
-+## <rolecap/>
+-## <rolecap/>
  #
--interface(`fs_unmount_fusefs',`
-+interface(`fs_manage_ecryptfs_dirs',`
+-interface(`fs_getattr_dos_fs',`
++interface(`fs_read_configfs_files',`
  	gen_require(`
--		type fusefs_t;
-+		type ecryptfs_t;
+-		type dosfs_t;
++		type configfs_t;
  	')
  
--	allow $1 fusefs_t:filesystem unmount;
-+	manage_dirs_pattern($1, ecryptfs_t, ecryptfs_t)
-+	allow $1 ecryptfs_t:dir manage_dir_perms;
+-	allow $1 dosfs_t:filesystem getattr;
++	read_files_pattern($1, configfs_t, configfs_t)
  ')
  
 -########################################
 +#######################################
  ## <summary>
--##	Mounton a FUSEFS filesystem.
-+##      Create, read, write, and delete files
-+##      on a FUSEFS filesystem.
+-##	Allow changing of the label of a
+-##	DOS filesystem using the context= mount option.
++##	Create, read, write, and delete files
++##	on a configfs filesystem.
  ## </summary>
  ## <param name="domain">
--##	<summary>
--##	Domain allowed access.
--##	</summary>
-+##      <summary>
-+##      Domain allowed access.
-+##      </summary>
+ ##	<summary>
+@@ -1669,17 +1865,18 @@ interface(`fs_getattr_dos_fs',`
+ ##	</summary>
  ## </param>
-+## <rolecap/>
  #
--interface(`fs_mounton_fusefs',`
--	gen_require(`
--		type fusefs_t;
--	')
-+interface(`fs_read_ecryptfs_files',`
-+        gen_require(`
-+                type ecryptfs_t;
-+        ')
+-interface(`fs_relabelfrom_dos_fs',`
++interface(`fs_manage_configfs_files',`
+ 	gen_require(`
+-		type dosfs_t;
++		type configfs_t;
+ 	')
  
--	allow $1 fusefs_t:dir mounton;
-+        read_files_pattern($1, ecryptfs_t, ecryptfs_t)
+-	allow $1 dosfs_t:filesystem relabelfrom;
++	manage_files_pattern($1, configfs_t, configfs_t)
  ')
  
- ########################################
+-########################################
++#######################################
  ## <summary>
--##	Search directories
+-##	Search dosfs filesystem.
 +##	Create, read, write, and delete files
- ##	on a FUSEFS filesystem.
++##	on a configfs filesystem.
  ## </summary>
  ## <param name="domain">
-@@ -1859,18 +2121,19 @@ interface(`fs_mounton_fusefs',`
+ ##	<summary>
+@@ -1687,17 +1884,17 @@ interface(`fs_relabelfrom_dos_fs',`
+ ##	</summary>
  ## </param>
- ## <rolecap/>
  #
--interface(`fs_search_fusefs',`
-+interface(`fs_manage_ecryptfs_files',`
+-interface(`fs_search_dos',`
++interface(`fs_manage_configfs_lnk_files',`
  	gen_require(`
--		type fusefs_t;
-+		type ecryptfs_t;
+-		type dosfs_t;
++		type configfs_t;
  	')
  
--	allow $1 fusefs_t:dir search_dir_perms;
-+	manage_files_pattern($1, ecryptfs_t, ecryptfs_t)
+-	allow $1 dosfs_t:dir search_dir_perms;
++	manage_lnk_files_pattern($1, configfs_t, configfs_t)
  ')
  
  ########################################
  ## <summary>
--##	Do not audit attempts to list the contents
--##	of directories on a FUSEFS filesystem.
-+##	Do not audit attempts to create,
-+##	read, write, and delete files
-+##	on a FUSEFS filesystem.
+-##	List dirs DOS filesystem.
++##	Unmount a configfs filesystem
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1878,49 +2141,240 @@ interface(`fs_search_fusefs',`
+@@ -1705,18 +1902,18 @@ interface(`fs_search_dos',`
  ##	</summary>
  ## </param>
  #
--interface(`fs_dontaudit_list_fusefs',`
-+interface(`fs_dontaudit_manage_ecryptfs_files',`
+-interface(`fs_list_dos',`
++interface(`fs_unmount_configfs',`
  	gen_require(`
--		type fusefs_t;
-+		type ecryptfs_t;
+-		type dosfs_t;
++		type configfs_t;
  	')
  
--	dontaudit $1 fusefs_t:dir list_dir_perms;
-+	dontaudit $1 ecryptfs_t:file manage_file_perms;
+-	list_dirs_pattern($1, dosfs_t, dosfs_t)
++	allow $1 configfs_t:filesystem unmount;
  ')
  
  ########################################
  ## <summary>
--##	Create, read, write, and delete directories
--##	on a FUSEFS filesystem.
-+##	Read symbolic links on a FUSEFS filesystem.
+-##	Create, read, write, and delete dirs
+-##	on a DOS filesystem.
++##	Mount a DOS filesystem, such as
++##	FAT32 or NTFS.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
- ##	Domain allowed access.
+@@ -1724,17 +1921,19 @@ interface(`fs_list_dos',`
  ##	</summary>
  ## </param>
--## <rolecap/>
  #
--interface(`fs_manage_fusefs_dirs',`
-+interface(`fs_read_ecryptfs_symlinks',`
+-interface(`fs_manage_dos_dirs',`
++interface(`fs_mount_dos_fs',`
  	gen_require(`
--		type fusefs_t;
-+		type ecryptfs_t;
+ 		type dosfs_t;
  	')
  
--	allow $1 fusefs_t:dir manage_dir_perms;
-+	allow $1 ecryptfs_t:dir list_dir_perms;
-+	read_lnk_files_pattern($1, ecryptfs_t, ecryptfs_t)
+-	manage_dirs_pattern($1, dosfs_t, dosfs_t)
++	allow $1 dosfs_t:filesystem mount;
  ')
  
--########################################
-+#######################################
+ ########################################
  ## <summary>
--##	Do not audit attempts to create, read,
--##	write, and delete directories
--##	on a FUSEFS filesystem.
-+##  Dontaudit append files on  ecrypt filesystem.
+-##	Read files on a DOS filesystem.
++##	Remount a DOS filesystem, such as
++##	FAT32 or NTFS.  This allows
++##	some mount options to be changed.
  ## </summary>
  ## <param name="domain">
--##	<summary>
--##	Domain to not audit.
--##	</summary>
-+##  <summary>
-+##  Domain allowed access.
-+##  </summary>
+ ##	<summary>
+@@ -1742,18 +1941,18 @@ interface(`fs_manage_dos_dirs',`
+ ##	</summary>
  ## </param>
  #
--interface(`fs_dontaudit_manage_fusefs_dirs',`
-+interface(`fs_dontaudit_append_ecryptfs_files',`
+-interface(`fs_read_dos_files',`
++interface(`fs_remount_dos_fs',`
  	gen_require(`
--		type fusefs_t;
-+		type ecryptfs_t;
+ 		type dosfs_t;
+ 	')
+ 
+-	read_files_pattern($1, dosfs_t, dosfs_t)
++	allow $1 dosfs_t:filesystem remount;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Create, read, write, and delete files
+-##	on a DOS filesystem.
++##	Unmount a DOS filesystem, such as
++##	FAT32 or NTFS.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -1761,7 +1960,138 @@ interface(`fs_read_dos_files',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`fs_manage_dos_files',`
++interface(`fs_unmount_dos_fs',`
++	gen_require(`
++		type dosfs_t;
 +	')
-+	dontaudit $1 ecryptfs_t:file append;
++
++	allow $1 dosfs_t:filesystem unmount;
 +')
 +
 +########################################
 +## <summary>
-+##	Manage symbolic links on a FUSEFS filesystem.
++##	Get the attributes of a DOS
++##	filesystem, such as FAT32 or NTFS.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
++## <rolecap/>
 +#
-+interface(`fs_manage_ecryptfs_symlinks',`
++interface(`fs_getattr_dos_fs',`
 +	gen_require(`
-+		type ecryptfs_t;
++		type dosfs_t;
 +	')
 +
-+	manage_lnk_files_pattern($1, ecryptfs_t, ecryptfs_t)
++	allow $1 dosfs_t:filesystem getattr;
 +')
 +
 +########################################
 +## <summary>
-+##	Execute a file on a FUSE filesystem
-+##	in the specified domain.
++##	Allow changing of the label of a
++##	DOS filesystem using the context= mount option.
 +## </summary>
-+## <desc>
-+##	<p>
-+##	Execute a file on a FUSE filesystem
-+##	in the specified domain.  This allows
-+##	the specified domain to execute any file
-+##	on these filesystems in the specified
-+##	domain.  This is not suggested.
-+##	</p>
-+##	<p>
-+##	No interprocess communication (signals, pipes,
-+##	etc.) is provided by this interface since
-+##	the domains are not owned by this module.
-+##	</p>
-+##	<p>
-+##	This interface was added to handle
-+##	home directories on FUSE filesystems,
-+##	in particular used by the ssh-agent policy.
-+##	</p>
-+## </desc>
 +## <param name="domain">
 +##	<summary>
-+##	Domain allowed to transition.
-+##	</summary>
-+## </param>
-+## <param name="target_domain">
-+##	<summary>
-+##	The type of the new process.
++##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
-+interface(`fs_ecryptfs_domtrans',`
++interface(`fs_relabelfrom_dos_fs',`
 +	gen_require(`
-+		type ecryptfs_t;
++		type dosfs_t;
 +	')
 +
-+	allow $1 ecryptfs_t:dir search_dir_perms;
-+	domain_auto_transition_pattern($1, ecryptfs_t, $2)
++	allow $1 dosfs_t:filesystem relabelfrom;
 +')
 +
 +########################################
 +## <summary>
-+##	Mount a FUSE filesystem.
++##	Search dosfs filesystem.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@@ -16080,17 +16110,17 @@ index 8416beb..b5e6d68 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`fs_mount_fusefs',`
++interface(`fs_search_dos',`
 +	gen_require(`
-+		type fusefs_t;
++		type dosfs_t;
 +	')
 +
-+	allow $1 fusefs_t:filesystem mount;
++	allow $1 dosfs_t:dir search_dir_perms;
 +')
 +
 +########################################
 +## <summary>
-+##	Unmount a FUSE filesystem.
++##	List dirs DOS filesystem.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@@ -16098,17 +16128,18 @@ index 8416beb..b5e6d68 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`fs_unmount_fusefs',`
++interface(`fs_list_dos',`
 +	gen_require(`
-+		type fusefs_t;
++		type dosfs_t;
 +	')
 +
-+	allow $1 fusefs_t:filesystem unmount;
++	list_dirs_pattern($1, dosfs_t, dosfs_t)
 +')
 +
 +########################################
 +## <summary>
-+##	Mounton a FUSEFS filesystem.
++##	Create, read, write, and delete dirs
++##	on a DOS filesystem.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@@ -16116,173 +16147,332 @@ index 8416beb..b5e6d68 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`fs_mounton_fusefs',`
++interface(`fs_manage_dos_dirs',`
 +	gen_require(`
-+		type fusefs_t;
++		type dosfs_t;
 +	')
 +
-+	allow $1 fusefs_t:dir mounton;
++	manage_dirs_pattern($1, dosfs_t, dosfs_t)
 +')
 +
 +########################################
 +## <summary>
-+##	Search directories
-+##	on a FUSEFS filesystem.
++##	Read files on a DOS filesystem.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
-+## <rolecap/>
 +#
-+interface(`fs_search_fusefs',`
++interface(`fs_read_dos_files',`
 +	gen_require(`
-+		type fusefs_t;
++		type dosfs_t;
 +	')
 +
-+	allow $1 fusefs_t:dir search_dir_perms;
++	read_files_pattern($1, dosfs_t, dosfs_t)
 +')
 +
 +########################################
 +## <summary>
-+##	Do not audit attempts to list the contents
-+##	of directories on a FUSEFS filesystem.
++##	Create, read, write, and delete files
++##	on a DOS filesystem.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
-+##	Domain to not audit.
++##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
-+interface(`fs_dontaudit_list_fusefs',`
-+	gen_require(`
-+		type fusefs_t;
-+	')
-+
-+	dontaudit $1 fusefs_t:dir list_dir_perms;
-+')
++interface(`fs_manage_dos_files',`
+ 	gen_require(`
+ 		type dosfs_t;
+ 	')
+@@ -1793,45 +2123,110 @@ interface(`fs_read_eventpollfs',`
+ 	refpolicywarn(`$0($*) has been deprecated.')
+ ')
+ 
 +
-+########################################
++#######################################
 +## <summary>
-+##	Create, read, write, and delete directories
-+##	on a FUSEFS filesystem.
++##      Search directories
++##      on a ecrypt filesystem.
 +## </summary>
 +## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
++##      <summary>
++##      Domain allowed access.
++##      </summary>
 +## </param>
-+## <rolecap/>
 +#
-+interface(`fs_manage_fusefs_dirs',`
-+	gen_require(`
-+		type fusefs_t;
-+	')
++interface(`fs_search_ecryptfs',`
++        gen_require(`
++                type ecryptfs_t;
++        ')
 +
-+	allow $1 fusefs_t:dir manage_dir_perms;
++        allow $1 ecryptfs_t:dir search_dir_perms;
 +')
 +
-+########################################
-+## <summary>
-+##	Do not audit attempts to create, read,
-+##	write, and delete directories
+ ########################################
+ ## <summary>
+-##	Mount a FUSE filesystem.
++##	Create, read, write, and delete directories
 +##	on a FUSEFS filesystem.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
++## <rolecap/>
+ #
+-interface(`fs_mount_fusefs',`
++interface(`fs_manage_ecryptfs_dirs',`
+ 	gen_require(`
+-		type fusefs_t;
++		type ecryptfs_t;
+ 	')
+ 
+-	allow $1 fusefs_t:filesystem mount;
++	manage_dirs_pattern($1, ecryptfs_t, ecryptfs_t)
++	allow $1 ecryptfs_t:dir manage_dir_perms;
++')
++
++#######################################
++## <summary>
++##      Create, read, write, and delete files
++##      on a FUSEFS filesystem.
 +## </summary>
 +## <param name="domain">
-+##	<summary>
-+##	Domain to not audit.
-+##	</summary>
++##      <summary>
++##      Domain allowed access.
++##      </summary>
 +## </param>
++## <rolecap/>
 +#
-+interface(`fs_dontaudit_manage_fusefs_dirs',`
-+	gen_require(`
-+		type fusefs_t;
++interface(`fs_read_ecryptfs_files',`
++        gen_require(`
++                type ecryptfs_t;
++        ')
++
++        read_files_pattern($1, ecryptfs_t, ecryptfs_t)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Unmount a FUSE filesystem.
++##	Create, read, write, and delete files
++##	on a FUSEFS filesystem.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
++## <rolecap/>
+ #
+-interface(`fs_unmount_fusefs',`
++interface(`fs_manage_ecryptfs_files',`
+ 	gen_require(`
+-		type fusefs_t;
++		type ecryptfs_t;
  	')
  
- 	dontaudit $1 fusefs_t:dir manage_dir_perms;
-@@ -1928,105 +2382,652 @@ interface(`fs_dontaudit_manage_fusefs_dirs',`
+-	allow $1 fusefs_t:filesystem unmount;
++	manage_files_pattern($1, ecryptfs_t, ecryptfs_t)
+ ')
  
  ########################################
  ## <summary>
--##	Read, a FUSEFS filesystem.
-+##	Read, a FUSEFS filesystem.
+-##	Mounton a FUSEFS filesystem.
++##	Do not audit attempts to create,
++##	read, write, and delete files
++##	on a FUSEFS filesystem.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
-+##	Domain allowed access.
++##	Domain to not audit.
 +##	</summary>
 +## </param>
-+## <rolecap/>
 +#
-+interface(`fs_read_fusefs_files',`
++interface(`fs_dontaudit_manage_ecryptfs_files',`
 +	gen_require(`
-+		type fusefs_t;
++		type ecryptfs_t;
 +	')
 +
-+	read_files_pattern($1, fusefs_t, fusefs_t)
++	dontaudit $1 ecryptfs_t:file manage_file_perms;
 +')
 +
 +########################################
 +## <summary>
-+##	Execute files on a FUSEFS filesystem.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+## <rolecap/>
-+#
-+interface(`fs_exec_fusefs_files',`
++##	Read symbolic links on a FUSEFS filesystem.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -1839,174 +2234,988 @@ interface(`fs_unmount_fusefs',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`fs_mounton_fusefs',`
++interface(`fs_read_ecryptfs_symlinks',`
+ 	gen_require(`
+-		type fusefs_t;
++		type ecryptfs_t;
+ 	')
+ 
+-	allow $1 fusefs_t:dir mounton;
++	allow $1 ecryptfs_t:dir list_dir_perms;
++	read_lnk_files_pattern($1, ecryptfs_t, ecryptfs_t)
++')
++
++#######################################
++## <summary>
++##  Dontaudit append files on  ecrypt filesystem.
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed access.
++##  </summary>
++## </param>
++#
++interface(`fs_dontaudit_append_ecryptfs_files',`
 +	gen_require(`
-+		type fusefs_t;
++		type ecryptfs_t;
++	')
++	dontaudit $1 ecryptfs_t:file append;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Search directories
+-##	on a FUSEFS filesystem.
++##	Manage symbolic links on a FUSEFS filesystem.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+-## <rolecap/>
+ #
+-interface(`fs_search_fusefs',`
++interface(`fs_manage_ecryptfs_symlinks',`
+ 	gen_require(`
+-		type fusefs_t;
++		type ecryptfs_t;
+ 	')
+ 
+-	allow $1 fusefs_t:dir search_dir_perms;
++	manage_lnk_files_pattern($1, ecryptfs_t, ecryptfs_t)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Do not audit attempts to list the contents
+-##	of directories on a FUSEFS filesystem.
++##	Execute a file on a FUSE filesystem
++##	in the specified domain.
+ ## </summary>
++## <desc>
++##	<p>
++##	Execute a file on a FUSE filesystem
++##	in the specified domain.  This allows
++##	the specified domain to execute any file
++##	on these filesystems in the specified
++##	domain.  This is not suggested.
++##	</p>
++##	<p>
++##	No interprocess communication (signals, pipes,
++##	etc.) is provided by this interface since
++##	the domains are not owned by this module.
++##	</p>
++##	<p>
++##	This interface was added to handle
++##	home directories on FUSE filesystems,
++##	in particular used by the ssh-agent policy.
++##	</p>
++## </desc>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain to not audit.
++##	Domain allowed to transition.
++##	</summary>
++## </param>
++## <param name="target_domain">
++##	<summary>
++##	The type of the new process.
+ ##	</summary>
+ ## </param>
+ #
+-interface(`fs_dontaudit_list_fusefs',`
++interface(`fs_ecryptfs_domtrans',`
++	gen_require(`
++		type ecryptfs_t;
 +	')
 +
-+	exec_files_pattern($1, fusefs_t, fusefs_t)
++	allow $1 ecryptfs_t:dir search_dir_perms;
++	domain_auto_transition_pattern($1, ecryptfs_t, $2)
 +')
 +
 +########################################
 +## <summary>
-+##	Make general progams in FUSEFS an entrypoint for
-+##	the specified domain.
++##	Mount a FUSE filesystem.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
-+##	The domain for which fusefs_t is an entrypoint.
++##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
-+interface(`fs_fusefs_entry_type',`
++interface(`fs_mount_fusefs',`
+ 	gen_require(`
+ 		type fusefs_t;
+ 	')
+ 
+-	dontaudit $1 fusefs_t:dir list_dir_perms;
++	allow $1 fusefs_t:filesystem mount;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Create, read, write, and delete directories
+-##	on a FUSEFS filesystem.
++##	Unmount a FUSE filesystem.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`fs_unmount_fusefs',`
 +	gen_require(`
 +		type fusefs_t;
 +	')
 +
-+	domain_entry_file($1, fusefs_t)
++	allow $1 fusefs_t:filesystem unmount;
 +')
 +
 +########################################
 +## <summary>
-+##	Make general progams in FUSEFS an entrypoint for
-+##	the specified domain.
++##	Mounton a FUSEFS filesystem.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
-+##	The domain for which fusefs_t is an entrypoint.
++##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
-+interface(`fs_fusefs_entrypoint',`
++interface(`fs_mounton_fusefs',`
 +	gen_require(`
 +		type fusefs_t;
 +	')
 +
-+    allow $1 fusefs_t:file entrypoint;
++	allow $1 fusefs_t:dir mounton;
 +')
 +
 +########################################
 +## <summary>
-+##	Create, read, write, and delete files
++##	Search directories
 +##	on a FUSEFS filesystem.
 +## </summary>
 +## <param name="domain">
@@ -16292,19 +16482,18 @@ index 8416beb..b5e6d68 100644
 +## </param>
 +## <rolecap/>
 +#
-+interface(`fs_manage_fusefs_files',`
++interface(`fs_search_fusefs',`
 +	gen_require(`
 +		type fusefs_t;
 +	')
 +
-+	manage_files_pattern($1, fusefs_t, fusefs_t)
++	allow $1 fusefs_t:dir search_dir_perms;
 +')
 +
 +########################################
 +## <summary>
-+##	Do not audit attempts to create,
-+##	read, write, and delete files
-+##	on a FUSEFS filesystem.
++##	Do not audit attempts to list the contents
++##	of directories on a FUSEFS filesystem.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@@ -16312,98 +16501,76 @@ index 8416beb..b5e6d68 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`fs_dontaudit_manage_fusefs_files',`
++interface(`fs_dontaudit_list_fusefs',`
 +	gen_require(`
 +		type fusefs_t;
 +	')
 +
-+	dontaudit $1 fusefs_t:file manage_file_perms;
++	dontaudit $1 fusefs_t:dir list_dir_perms;
 +')
 +
 +########################################
 +## <summary>
-+##	Read symbolic links on a FUSEFS filesystem.
++##	Create, read, write, and delete directories
++##	on a FUSEFS filesystem.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
++## <rolecap/>
 +#
-+interface(`fs_read_fusefs_symlinks',`
++interface(`fs_manage_fusefs_dirs',`
 +	gen_require(`
 +		type fusefs_t;
 +	')
 +
-+	allow $1 fusefs_t:dir list_dir_perms;
-+	read_lnk_files_pattern($1, fusefs_t, fusefs_t)
++	allow $1 fusefs_t:dir manage_dir_perms;
 +')
 +
 +########################################
 +## <summary>
-+##	Manage symbolic links on a FUSEFS filesystem.
++##	Do not audit attempts to create, read,
++##	write, and delete directories
++##	on a FUSEFS filesystem.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
-+##	Domain allowed access.
++##	Domain to not audit.
 +##	</summary>
 +## </param>
 +#
-+interface(`fs_manage_fusefs_symlinks',`
++interface(`fs_dontaudit_manage_fusefs_dirs',`
 +	gen_require(`
 +		type fusefs_t;
 +	')
 +
-+	manage_lnk_files_pattern($1, fusefs_t, fusefs_t)
++	dontaudit $1 fusefs_t:dir manage_dir_perms;
 +')
 +
 +########################################
 +## <summary>
-+##	Execute a file on a FUSE filesystem
-+##	in the specified domain.
++##	Read, a FUSEFS filesystem.
 +## </summary>
-+## <desc>
-+##	<p>
-+##	Execute a file on a FUSE filesystem
-+##	in the specified domain.  This allows
-+##	the specified domain to execute any file
-+##	on these filesystems in the specified
-+##	domain.  This is not suggested.
-+##	</p>
-+##	<p>
-+##	No interprocess communication (signals, pipes,
-+##	etc.) is provided by this interface since
-+##	the domains are not owned by this module.
-+##	</p>
-+##	<p>
-+##	This interface was added to handle
-+##	home directories on FUSE filesystems,
-+##	in particular used by the ssh-agent policy.
-+##	</p>
-+## </desc>
 +## <param name="domain">
 +##	<summary>
-+##	Domain allowed to transition.
-+##	</summary>
-+## </param>
-+## <param name="target_domain">
-+##	<summary>
-+##	The type of the new process.
++##	Domain allowed access.
 +##	</summary>
 +## </param>
++## <rolecap/>
 +#
-+interface(`fs_fusefs_domtrans',`
++interface(`fs_read_fusefs_files',`
 +	gen_require(`
 +		type fusefs_t;
 +	')
 +
-+	allow $1 fusefs_t:dir search_dir_perms;
-+	domain_auto_transition_pattern($1, fusefs_t, $2)
++	read_files_pattern($1, fusefs_t, fusefs_t)
 +')
 +
 +########################################
 +## <summary>
-+##	Get the attributes of a FUSEFS filesystem.
++##	Execute files on a FUSEFS filesystem.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@@ -16412,76 +16579,254 @@ index 8416beb..b5e6d68 100644
 +## </param>
 +## <rolecap/>
 +#
-+interface(`fs_getattr_fusefs',`
++interface(`fs_exec_fusefs_files',`
 +	gen_require(`
 +		type fusefs_t;
 +	')
 +
-+	allow $1 fusefs_t:filesystem getattr;
++	exec_files_pattern($1, fusefs_t, fusefs_t)
 +')
 +
 +########################################
 +## <summary>
-+##	Get the attributes of an hugetlbfs
-+##	filesystem.
++##	Make general progams in FUSEFS an entrypoint for
++##	the specified domain.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
-+##	Domain allowed access.
++##	The domain for which fusefs_t is an entrypoint.
 +##	</summary>
 +## </param>
 +#
-+interface(`fs_getattr_hugetlbfs',`
++interface(`fs_fusefs_entry_type',`
 +	gen_require(`
-+		type hugetlbfs_t;
++		type fusefs_t;
 +	')
 +
-+	allow $1 hugetlbfs_t:filesystem getattr;
++	domain_entry_file($1, fusefs_t)
 +')
 +
 +########################################
 +## <summary>
-+##	List hugetlbfs.
++##	Make general progams in FUSEFS an entrypoint for
++##	the specified domain.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
-+##	Domain allowed access.
++##	The domain for which fusefs_t is an entrypoint.
 +##	</summary>
 +## </param>
 +#
-+interface(`fs_list_hugetlbfs',`
++interface(`fs_fusefs_entrypoint',`
 +	gen_require(`
-+		type hugetlbfs_t;
++		type fusefs_t;
 +	')
 +
-+	allow $1 hugetlbfs_t:dir list_dir_perms;
++    allow $1 fusefs_t:file entrypoint;
 +')
 +
 +########################################
 +## <summary>
-+##	Manage hugetlbfs dirs.
++##	Create, read, write, and delete files
++##	on a FUSEFS filesystem.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
++## <rolecap/>
 +#
-+interface(`fs_manage_hugetlbfs_dirs',`
++interface(`fs_manage_fusefs_files',`
 +	gen_require(`
-+		type hugetlbfs_t;
++		type fusefs_t;
 +	')
 +
-+	manage_dirs_pattern($1, hugetlbfs_t, hugetlbfs_t)
++	manage_files_pattern($1, fusefs_t, fusefs_t)
 +')
 +
 +########################################
 +## <summary>
-+##	Read hugetlbfs files.
++##	Do not audit attempts to create,
++##	read, write, and delete files
++##	on a FUSEFS filesystem.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
-+##	Domain allowed access.
++##	Domain to not audit.
++##	</summary>
++## </param>
++#
++interface(`fs_dontaudit_manage_fusefs_files',`
++	gen_require(`
++		type fusefs_t;
++	')
++
++	dontaudit $1 fusefs_t:file manage_file_perms;
++')
++
++########################################
++## <summary>
++##	Read symbolic links on a FUSEFS filesystem.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`fs_read_fusefs_symlinks',`
++	gen_require(`
++		type fusefs_t;
++	')
++
++	allow $1 fusefs_t:dir list_dir_perms;
++	read_lnk_files_pattern($1, fusefs_t, fusefs_t)
++')
++
++########################################
++## <summary>
++##	Manage symbolic links on a FUSEFS filesystem.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`fs_manage_fusefs_symlinks',`
++	gen_require(`
++		type fusefs_t;
++	')
++
++	manage_lnk_files_pattern($1, fusefs_t, fusefs_t)
++')
++
++########################################
++## <summary>
++##	Execute a file on a FUSE filesystem
++##	in the specified domain.
++## </summary>
++## <desc>
++##	<p>
++##	Execute a file on a FUSE filesystem
++##	in the specified domain.  This allows
++##	the specified domain to execute any file
++##	on these filesystems in the specified
++##	domain.  This is not suggested.
++##	</p>
++##	<p>
++##	No interprocess communication (signals, pipes,
++##	etc.) is provided by this interface since
++##	the domains are not owned by this module.
++##	</p>
++##	<p>
++##	This interface was added to handle
++##	home directories on FUSE filesystems,
++##	in particular used by the ssh-agent policy.
++##	</p>
++## </desc>
++## <param name="domain">
++##	<summary>
++##	Domain allowed to transition.
++##	</summary>
++## </param>
++## <param name="target_domain">
++##	<summary>
++##	The type of the new process.
++##	</summary>
++## </param>
++#
++interface(`fs_fusefs_domtrans',`
++	gen_require(`
++		type fusefs_t;
++	')
++
++	allow $1 fusefs_t:dir search_dir_perms;
++	domain_auto_transition_pattern($1, fusefs_t, $2)
++')
++
++########################################
++## <summary>
++##	Get the attributes of a FUSEFS filesystem.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`fs_getattr_fusefs',`
++	gen_require(`
++		type fusefs_t;
++	')
++
++	allow $1 fusefs_t:filesystem getattr;
++')
++
++########################################
++## <summary>
++##	Get the attributes of an hugetlbfs
++##	filesystem.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`fs_getattr_hugetlbfs',`
++	gen_require(`
++		type hugetlbfs_t;
++	')
++
++	allow $1 hugetlbfs_t:filesystem getattr;
++')
++
++########################################
++## <summary>
++##	List hugetlbfs.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`fs_list_hugetlbfs',`
++	gen_require(`
++		type hugetlbfs_t;
++	')
++
++	allow $1 hugetlbfs_t:dir list_dir_perms;
++')
++
++########################################
++## <summary>
++##	Manage hugetlbfs dirs.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`fs_manage_hugetlbfs_dirs',`
++	gen_require(`
++		type hugetlbfs_t;
++	')
++
++	manage_dirs_pattern($1, hugetlbfs_t, hugetlbfs_t)
++')
++
++########################################
++## <summary>
++##	Read hugetlbfs files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
@@ -16739,13 +17084,12 @@ index 8416beb..b5e6d68 100644
 +## <summary>
 +##	Create an object in a hugetlbfs filesystem, with a private
 +##	type using a type transition.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
- ##	Domain allowed access.
- ##	</summary>
- ## </param>
--## <rolecap/>
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
 +## <param name="private type">
 +##	<summary>
 +##	The type of the object to be created.
@@ -16761,165 +17105,141 @@ index 8416beb..b5e6d68 100644
 +##	The name of the object being created.
 +##	</summary>
 +## </param>
- #
--interface(`fs_read_fusefs_files',`
++#
 +interface(`fs_hugetlbfs_filetrans',`
- 	gen_require(`
--		type fusefs_t;
++	gen_require(`
 +		type hugetlbfs_t;
- 	')
- 
--	read_files_pattern($1, fusefs_t, fusefs_t)
++	')
++
 +	allow $2 hugetlbfs_t:filesystem associate;
 +	filetrans_pattern($1, hugetlbfs_t, $2, $3, $4)
- ')
- 
- ########################################
- ## <summary>
--##	Execute files on a FUSEFS filesystem.
++')
++
++########################################
++## <summary>
 +##	Mount an iso9660 filesystem, which
 +##	is usually used on CDs.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
- ##	Domain allowed access.
- ##	</summary>
- ## </param>
--## <rolecap/>
- #
--interface(`fs_exec_fusefs_files',`
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
 +interface(`fs_mount_iso9660_fs',`
- 	gen_require(`
--		type fusefs_t;
++	gen_require(`
 +		type iso9660_t;
- 	')
- 
--	exec_files_pattern($1, fusefs_t, fusefs_t)
++	')
++
 +	allow $1 iso9660_t:filesystem mount;
- ')
- 
- ########################################
- ## <summary>
--##	Create, read, write, and delete files
--##	on a FUSEFS filesystem.
++')
++
++########################################
++## <summary>
 +##	Remount an iso9660 filesystem, which
 +##	is usually used on CDs.  This allows
 +##	some mount options to be changed.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
- ##	Domain allowed access.
- ##	</summary>
- ## </param>
--## <rolecap/>
- #
--interface(`fs_manage_fusefs_files',`
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
 +interface(`fs_remount_iso9660_fs',`
- 	gen_require(`
--		type fusefs_t;
++	gen_require(`
 +		type iso9660_t;
- 	')
- 
--	manage_files_pattern($1, fusefs_t, fusefs_t)
++	')
++
 +	allow $1 iso9660_t:filesystem remount;
- ')
- 
- ########################################
- ## <summary>
--##	Do not audit attempts to create,
--##	read, write, and delete files
--##	on a FUSEFS filesystem.
++')
++
++########################################
++## <summary>
 +##	Unmount an iso9660 filesystem, which
 +##	is usually used on CDs.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
--##	Domain to not audit.
++## </summary>
++## <param name="domain">
++##	<summary>
 +##	Domain allowed access.
- ##	</summary>
- ## </param>
- #
--interface(`fs_dontaudit_manage_fusefs_files',`
++##	</summary>
++## </param>
++#
 +interface(`fs_unmount_iso9660_fs',`
- 	gen_require(`
--		type fusefs_t;
++	gen_require(`
 +		type iso9660_t;
- 	')
- 
--	dontaudit $1 fusefs_t:file manage_file_perms;
++	')
++
 +	allow $1 iso9660_t:filesystem unmount;
- ')
- 
- ########################################
- ## <summary>
--##	Read symbolic links on a FUSEFS filesystem.
++')
++
++########################################
++## <summary>
 +##	Get the attributes of an iso9660
 +##	filesystem, which is usually used on CDs.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
- ##	Domain allowed access.
- ##	</summary>
- ## </param>
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
 +## <rolecap/>
- #
--interface(`fs_read_fusefs_symlinks',`
++#
 +interface(`fs_getattr_iso9660_fs',`
- 	gen_require(`
--		type fusefs_t;
++	gen_require(`
 +		type iso9660_t;
- 	')
- 
--	allow $1 fusefs_t:dir list_dir_perms;
--	read_lnk_files_pattern($1, fusefs_t, fusefs_t)
++	')
++
 +	allow $1 iso9660_t:filesystem getattr;
- ')
- 
- ########################################
- ## <summary>
--##	Get the attributes of an hugetlbfs
--##	filesystem.
++')
++
++########################################
++## <summary>
 +##	Read files on an iso9660 filesystem, which
 +##	is usually used on CDs.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2034,17 +3035,19 @@ interface(`fs_read_fusefs_symlinks',`
+ ##	Domain allowed access.
  ##	</summary>
  ## </param>
+-## <rolecap/>
  #
--interface(`fs_getattr_hugetlbfs',`
+-interface(`fs_manage_fusefs_dirs',`
 +interface(`fs_getattr_iso9660_files',`
  	gen_require(`
--		type hugetlbfs_t;
+-		type fusefs_t;
 +		type iso9660_t;
  	')
  
--	allow $1 hugetlbfs_t:filesystem getattr;
+-	allow $1 fusefs_t:dir manage_dir_perms;
 +	allow $1 iso9660_t:dir list_dir_perms;
 +	allow $1 iso9660_t:file getattr;
  ')
  
  ########################################
  ## <summary>
--##	List hugetlbfs.
+-##	Do not audit attempts to create, read,
+-##	write, and delete directories
+-##	on a FUSEFS filesystem.
 +##	Read files on an iso9660 filesystem, which
 +##	is usually used on CDs.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2052,17 +3055,20 @@ interface(`fs_getattr_hugetlbfs',`
+-##	Domain to not audit.
++##	Domain allowed access.
  ##	</summary>
  ## </param>
  #
--interface(`fs_list_hugetlbfs',`
+-interface(`fs_dontaudit_manage_fusefs_dirs',`
 +interface(`fs_read_iso9660_files',`
  	gen_require(`
--		type hugetlbfs_t;
+-		type fusefs_t;
 +		type iso9660_t;
  	')
  
--	allow $1 hugetlbfs_t:dir list_dir_perms;
+-	dontaudit $1 fusefs_t:dir manage_dir_perms;
 +	allow $1 iso9660_t:dir list_dir_perms;
 +	read_files_pattern($1, iso9660_t, iso9660_t)
 +	read_lnk_files_pattern($1, iso9660_t, iso9660_t)
@@ -16928,114 +17248,120 @@ index 8416beb..b5e6d68 100644
 +
  ########################################
  ## <summary>
--##	Manage hugetlbfs dirs.
+-##	Read, a FUSEFS filesystem.
 +##	Mount kdbus filesystems.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2070,17 +3076,17 @@ interface(`fs_list_hugetlbfs',`
+ ##	Domain allowed access.
  ##	</summary>
  ## </param>
+-## <rolecap/>
  #
--interface(`fs_manage_hugetlbfs_dirs',`
+-interface(`fs_read_fusefs_files',`
 +interface(`fs_mount_kdbus', `
  	gen_require(`
--		type hugetlbfs_t;
+-		type fusefs_t;
 +		type kdbusfs_t;
  	')
  
--	manage_dirs_pattern($1, hugetlbfs_t, hugetlbfs_t)
+-	read_files_pattern($1, fusefs_t, fusefs_t)
 +	allow $1 kdbusfs_t:filesystem mount;
  ')
  
  ########################################
  ## <summary>
--##	Read and write hugetlbfs files.
+-##	Execute files on a FUSEFS filesystem.
 +##	Remount kdbus filesystems.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2088,35 +3094,35 @@ interface(`fs_manage_hugetlbfs_dirs',`
+ ##	Domain allowed access.
  ##	</summary>
  ## </param>
+-## <rolecap/>
  #
--interface(`fs_rw_hugetlbfs_files',`
+-interface(`fs_exec_fusefs_files',`
 +interface(`fs_remount_kdbus', `
  	gen_require(`
--		type hugetlbfs_t;
+-		type fusefs_t;
 +		type kdbusfs_t;
  	')
  
--	rw_files_pattern($1, hugetlbfs_t, hugetlbfs_t)
+-	exec_files_pattern($1, fusefs_t, fusefs_t)
 +	allow $1 kdbusfs_t:filesystem remount;
  ')
  
  ########################################
  ## <summary>
--##	Allow the type to associate to hugetlbfs filesystems.
+-##	Create, read, write, and delete files
+-##	on a FUSEFS filesystem.
 +##	Unmount kdbus filesystems.
  ## </summary>
--## <param name="type">
-+## <param name="domain">
+ ## <param name="domain">
  ##	<summary>
--##	The type of the object to be associated.
-+##	Domain allowed access.
+ ##	Domain allowed access.
  ##	</summary>
  ## </param>
+-## <rolecap/>
  #
--interface(`fs_associate_hugetlbfs',`
+-interface(`fs_manage_fusefs_files',`
 +interface(`fs_unmount_kdbus', `
  	gen_require(`
--		type hugetlbfs_t;
+-		type fusefs_t;
 +		type kdbusfs_t;
  	')
  
--	allow $1 hugetlbfs_t:filesystem associate;
+-	manage_files_pattern($1, fusefs_t, fusefs_t)
 +	allow $1 kdbusfs_t:filesystem unmount;
  ')
  
  ########################################
  ## <summary>
--##	Search inotifyfs filesystem.
+-##	Do not audit attempts to create,
+-##	read, write, and delete files
+-##	on a FUSEFS filesystem.
 +##	Get attributes of kdbus filesystems.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2124,17 +3130,17 @@ interface(`fs_associate_hugetlbfs',`
+-##	Domain to not audit.
++##	Domain allowed access.
  ##	</summary>
  ## </param>
  #
--interface(`fs_search_inotifyfs',`
+-interface(`fs_dontaudit_manage_fusefs_files',`
 +interface(`fs_getattr_kdbus',`
  	gen_require(`
--		type inotifyfs_t;
+-		type fusefs_t;
 +		type kdbusfs_t;
  	')
  
--	allow $1 inotifyfs_t:dir search_dir_perms;
+-	dontaudit $1 fusefs_t:file manage_file_perms;
 +	allow $1 kdbusfs_t:filesystem getattr;
  ')
  
  ########################################
  ## <summary>
--##	List inotifyfs filesystem.
+-##	Read symbolic links on a FUSEFS filesystem.
 +##	Search kdbusfs directories.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2142,71 +3148,118 @@ interface(`fs_search_inotifyfs',`
+@@ -2014,19 +3223,20 @@ interface(`fs_dontaudit_manage_fusefs_files',`
  ##	</summary>
  ## </param>
  #
--interface(`fs_list_inotifyfs',`
+-interface(`fs_read_fusefs_symlinks',`
 +interface(`fs_search_kdbus_dirs',`
  	gen_require(`
--		type inotifyfs_t;
+-		type fusefs_t;
 +		type kdbusfs_t;
 +
  	')
  
--	allow $1 inotifyfs_t:dir list_dir_perms;
+-	allow $1 fusefs_t:dir list_dir_perms;
+-	read_lnk_files_pattern($1, fusefs_t, fusefs_t)
 +	search_dirs_pattern($1, kdbusfs_t, kdbusfs_t)
 +	fs_search_tmpfs($1)
 +	dev_search_sysfs($1)
@@ -17043,49 +17369,47 @@ index 8416beb..b5e6d68 100644
  
  ########################################
  ## <summary>
--##	Dontaudit List inotifyfs filesystem.
+-##	Get the attributes of an hugetlbfs
+-##	filesystem.
 +##	Relabel kdbusfs directories.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
--##	Domain to not audit.
-+##	Domain allowed access.
+@@ -2034,17 +3244,18 @@ interface(`fs_read_fusefs_symlinks',`
  ##	</summary>
  ## </param>
  #
--interface(`fs_dontaudit_list_inotifyfs',`
+-interface(`fs_getattr_hugetlbfs',`
 +interface(`fs_relabel_kdbus_dirs',`
  	gen_require(`
--		type inotifyfs_t;
-+		type cgroup_t;
+-		type hugetlbfs_t;
++		type kdbusfs_t;
 +
  	')
  
--	dontaudit $1 inotifyfs_t:dir list_dir_perms;
+-	allow $1 hugetlbfs_t:filesystem getattr;
 +	relabel_dirs_pattern($1, kdbusfs_t, kdbusfs_t)
  ')
  
  ########################################
  ## <summary>
--##	Create an object in a hugetlbfs filesystem, with a private
--##	type using a type transition.
+-##	List hugetlbfs.
 +##	List kdbusfs directories.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
- ##	Domain allowed access.
+@@ -2052,17 +3263,38 @@ interface(`fs_getattr_hugetlbfs',`
  ##	</summary>
  ## </param>
--## <param name="private type">
--##	<summary>
--##	The type of the object to be created.
--##	</summary>
-+#
+ #
+-interface(`fs_list_hugetlbfs',`
 +interface(`fs_list_kdbus_dirs',`
-+	gen_require(`
+ 	gen_require(`
+-		type hugetlbfs_t;
 +		type kdbusfs_t;
-+	')
-+
+ 	')
+ 
+-	allow $1 hugetlbfs_t:dir list_dir_perms;
 +	list_dirs_pattern($1, kdbusfs_t, kdbusfs_t)
 +	fs_search_tmpfs($1)
 +	dev_search_sysfs($1)
@@ -17099,8 +17423,7 @@ index 8416beb..b5e6d68 100644
 +##  <summary>
 +##	Domain to not audit.
 +##  </summary>
- ## </param>
--## <param name="object">
++## </param>
 +#
 +interface(`fs_dontaudit_search_kdbus_dirs', `
 +    gen_require(`
@@ -17109,50 +17432,51 @@ index 8416beb..b5e6d68 100644
 +
 +	dontaudit $1 kdbusfs_t:dir search_dir_perms;
 +	dev_dontaudit_search_sysfs($1)
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Manage hugetlbfs dirs.
 +##	Delete kdbusfs directories.
-+## </summary>
-+## <param name="domain">
+ ## </summary>
+ ## <param name="domain">
  ##	<summary>
--##	The object class of the object being created.
-+##	Domain allowed access.
+@@ -2070,17 +3302,19 @@ interface(`fs_list_hugetlbfs',`
  ##	</summary>
  ## </param>
--## <param name="name" optional="true">
-+#
+ #
+-interface(`fs_manage_hugetlbfs_dirs',`
 +interface(`fs_delete_kdbus_dirs', `
-+	gen_require(`
+ 	gen_require(`
+-		type hugetlbfs_t;
 +		type kdbusfs_t;
-+	')
-+
+ 	')
+ 
+-	manage_dirs_pattern($1, hugetlbfs_t, hugetlbfs_t)
 +	delete_dirs_pattern($1, kdbusfs_t, kdbusfs_t)
 +	fs_search_tmpfs($1)
 +	dev_search_sysfs($1)
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Read and write hugetlbfs files.
 +##	Manage kdbusfs directories.
-+## </summary>
-+## <param name="domain">
+ ## </summary>
+ ## <param name="domain">
  ##	<summary>
--##	The name of the object being created.
-+##	Domain allowed access.
+@@ -2088,35 +3322,41 @@ interface(`fs_manage_hugetlbfs_dirs',`
  ##	</summary>
  ## </param>
  #
--interface(`fs_hugetlbfs_filetrans',`
+-interface(`fs_rw_hugetlbfs_files',`
 +interface(`fs_manage_kdbus_dirs',`
  	gen_require(`
 -		type hugetlbfs_t;
 -	')
 +		type kdbusfs_t;
  
--	allow $2 hugetlbfs_t:filesystem associate;
--	filetrans_pattern($1, hugetlbfs_t, $2, $3, $4)
+-	rw_files_pattern($1, hugetlbfs_t, hugetlbfs_t)
 +	')
 +	manage_dirs_pattern($1, kdbusfs_t, kdbusfs_t)
 +	fs_search_tmpfs($1)
@@ -17161,25 +17485,26 @@ index 8416beb..b5e6d68 100644
  
  ########################################
  ## <summary>
--##	Mount an iso9660 filesystem, which
--##	is usually used on CDs.
+-##	Allow the type to associate to hugetlbfs filesystems.
 +##	Read kdbusfs files.
  ## </summary>
- ## <param name="domain">
+-## <param name="type">
++## <param name="domain">
  ##	<summary>
-@@ -2214,19 +3267,21 @@ interface(`fs_hugetlbfs_filetrans',`
+-##	The type of the object to be associated.
++##	Domain allowed access.
  ##	</summary>
  ## </param>
  #
--interface(`fs_mount_iso9660_fs',`
+-interface(`fs_associate_hugetlbfs',`
 +interface(`fs_read_kdbus_files',`
  	gen_require(`
--		type iso9660_t;
-+		type cgroup_t;
+-		type hugetlbfs_t;
++		type kdbusfs_t;
 +
  	')
  
--	allow $1 iso9660_t:filesystem mount;
+-	allow $1 hugetlbfs_t:filesystem associate;
 +	read_files_pattern($1, kdbusfs_t, kdbusfs_t)
 +	read_lnk_files_pattern($1, kdbusfs_t, kdbusfs_t)
 +	fs_search_tmpfs($1)
@@ -17188,25 +17513,23 @@ index 8416beb..b5e6d68 100644
  
  ########################################
  ## <summary>
--##	Remount an iso9660 filesystem, which
--##	is usually used on CDs.  This allows
--##	some mount options to be changed.
+-##	Search inotifyfs filesystem.
 +##	Write kdbusfs files.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2234,18 +3289,19 @@ interface(`fs_mount_iso9660_fs',`
+@@ -2124,17 +3364,19 @@ interface(`fs_associate_hugetlbfs',`
  ##	</summary>
  ## </param>
  #
--interface(`fs_remount_iso9660_fs',`
+-interface(`fs_search_inotifyfs',`
 +interface(`fs_write_kdbus_files', `
  	gen_require(`
--		type iso9660_t;
+-		type inotifyfs_t;
 +		type kdbusfs_t;
  	')
  
--	allow $1 iso9660_t:filesystem remount;
+-	allow $1 inotifyfs_t:dir search_dir_perms;
 +	write_files_pattern($1, kdbusfs_t, kdbusfs_t)
 +	fs_search_tmpfs($1)
 +	dev_search_sysfs($1)
@@ -17214,25 +17537,24 @@ index 8416beb..b5e6d68 100644
  
  ########################################
  ## <summary>
--##	Unmount an iso9660 filesystem, which
--##	is usually used on CDs.
+-##	List inotifyfs filesystem.
 +##	Read and write kdbusfs files.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2253,38 +3309,41 @@ interface(`fs_remount_iso9660_fs',`
+@@ -2142,17 +3384,23 @@ interface(`fs_search_inotifyfs',`
  ##	</summary>
  ## </param>
  #
--interface(`fs_unmount_iso9660_fs',`
+-interface(`fs_list_inotifyfs',`
 +interface(`fs_rw_kdbus_files',`
  	gen_require(`
--		type iso9660_t;
+-		type inotifyfs_t;
 +		type kdbusfs_t;
 +
  	')
  
--	allow $1 iso9660_t:filesystem unmount;
+-	allow $1 inotifyfs_t:dir list_dir_perms;
 +	read_lnk_files_pattern($1, kdbusfs_t, kdbusfs_t)
 +	rw_files_pattern($1, kdbusfs_t, kdbusfs_t)
 +	fs_search_tmpfs($1)
@@ -17241,227 +17563,547 @@ index 8416beb..b5e6d68 100644
  
  ########################################
  ## <summary>
--##	Get the attributes of an iso9660
--##	filesystem, which is usually used on CDs.
+-##	Dontaudit List inotifyfs filesystem.
 +##	Do not audit attempts to open,
 +##	get attributes, read and write
 +##	cgroup files.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
--##	Domain allowed access.
-+##	Domain to not audit.
+@@ -2160,53 +3408,39 @@ interface(`fs_list_inotifyfs',`
  ##	</summary>
  ## </param>
--## <rolecap/>
  #
--interface(`fs_getattr_iso9660_fs',`
+-interface(`fs_dontaudit_list_inotifyfs',`
 +interface(`fs_dontaudit_rw_kdbus_files',`
  	gen_require(`
+-		type inotifyfs_t;
++		type kdbusfs_t;
+ 	')
+ 
+-	dontaudit $1 inotifyfs_t:dir list_dir_perms;
++	dontaudit $1 kdbusfs_t:file rw_file_perms;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Create an object in a hugetlbfs filesystem, with a private
+-##	type using a type transition.
++##	Manage kdbusfs files.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+-## <param name="private type">
+-##	<summary>
+-##	The type of the object to be created.
+-##	</summary>
+-## </param>
+-## <param name="object">
+-##	<summary>
+-##	The object class of the object being created.
+-##	</summary>
+-## </param>
+-## <param name="name" optional="true">
+-##	<summary>
+-##	The name of the object being created.
+-##	</summary>
+-## </param>
+ #
+-interface(`fs_hugetlbfs_filetrans',`
++interface(`fs_manage_kdbus_files',`
+ 	gen_require(`
+-		type hugetlbfs_t;
++		type kdbusfs_t;
++
+ 	')
+ 
+-	allow $2 hugetlbfs_t:filesystem associate;
+-	filetrans_pattern($1, hugetlbfs_t, $2, $3, $4)
++	manage_files_pattern($1, kdbusfs_t, kdbusfs_t)
++	manage_lnk_files_pattern($1, kdbusfs_t, kdbusfs_t)
++	fs_search_tmpfs($1)
++	dev_search_sysfs($1)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Mount an iso9660 filesystem, which
+-##	is usually used on CDs.
++##	Mount on kdbusfs directories.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -2214,19 +3448,18 @@ interface(`fs_hugetlbfs_filetrans',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`fs_mount_iso9660_fs',`
++interface(`fs_mounton_kdbus', `
+ 	gen_require(`
 -		type iso9660_t;
 +		type kdbusfs_t;
  	')
  
+-	allow $1 iso9660_t:filesystem mount;
++	allow $1 kdbusfs_t:dir mounton;
+ ')
+ 
++
+ ########################################
+ ## <summary>
+-##	Remount an iso9660 filesystem, which
+-##	is usually used on CDs.  This allows
+-##	some mount options to be changed.
++##	Mount a NFS filesystem.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -2234,18 +3467,18 @@ interface(`fs_mount_iso9660_fs',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`fs_remount_iso9660_fs',`
++interface(`fs_mount_nfs',`
+ 	gen_require(`
+-		type iso9660_t;
++		type nfs_t;
+ 	')
+ 
+-	allow $1 iso9660_t:filesystem remount;
++	allow $1 nfs_t:filesystem mount;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Unmount an iso9660 filesystem, which
+-##	is usually used on CDs.
++##	Remount a NFS filesystem.  This allows
++##	some mount options to be changed.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -2253,58 +3486,54 @@ interface(`fs_remount_iso9660_fs',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`fs_unmount_iso9660_fs',`
++interface(`fs_remount_nfs',`
+ 	gen_require(`
+-		type iso9660_t;
++		type nfs_t;
+ 	')
+ 
+-	allow $1 iso9660_t:filesystem unmount;
++	allow $1 nfs_t:filesystem remount;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Get the attributes of an iso9660
+-##	filesystem, which is usually used on CDs.
++##	Unmount a NFS filesystem.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+-## <rolecap/>
+ #
+-interface(`fs_getattr_iso9660_fs',`
++interface(`fs_unmount_nfs',`
+ 	gen_require(`
+-		type iso9660_t;
++		type nfs_t;
+ 	')
+ 
 -	allow $1 iso9660_t:filesystem getattr;
-+	dontaudit $1 kdbusfs_t:file rw_file_perms;
++	allow $1 nfs_t:filesystem unmount;
  ')
  
  ########################################
  ## <summary>
 -##	Read files on an iso9660 filesystem, which
 -##	is usually used on CDs.
-+##	Manage kdbusfs files.
++##	Get the attributes of a NFS filesystem.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
++## <rolecap/>
+ #
+-interface(`fs_getattr_iso9660_files',`
++interface(`fs_getattr_nfs',`
+ 	gen_require(`
+-		type iso9660_t;
++		type nfs_t;
+ 	')
+ 
+-	allow $1 iso9660_t:dir list_dir_perms;
+-	allow $1 iso9660_t:file getattr;
++	allow $1 nfs_t:filesystem getattr;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Read files on an iso9660 filesystem, which
+-##	is usually used on CDs.
++##	Set the attributes of nfs directories.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -2312,19 +3541,17 @@ interface(`fs_getattr_iso9660_files',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`fs_read_iso9660_files',`
++interface(`fs_setattr_nfs_dirs',`
+ 	gen_require(`
+-		type iso9660_t;
++		type nfs_t;
+ 	')
+ 
+-	allow $1 iso9660_t:dir list_dir_perms;
+-	read_files_pattern($1, iso9660_t, iso9660_t)
+-	read_lnk_files_pattern($1, iso9660_t, iso9660_t)
++	allow $1 nfs_t:dir setattr;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Mount a NFS filesystem.
++##	Search directories on a NFS filesystem.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -2332,18 +3559,17 @@ interface(`fs_read_iso9660_files',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`fs_mount_nfs',`
++interface(`fs_search_nfs',`
+ 	gen_require(`
+ 		type nfs_t;
+ 	')
+ 
+-	allow $1 nfs_t:filesystem mount;
++	allow $1 nfs_t:dir search_dir_perms;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Remount a NFS filesystem.  This allows
+-##	some mount options to be changed.
++##	List NFS filesystem.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -2351,240 +3577,243 @@ interface(`fs_mount_nfs',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`fs_remount_nfs',`
++interface(`fs_list_nfs',`
+ 	gen_require(`
+ 		type nfs_t;
+ 	')
+ 
+-	allow $1 nfs_t:filesystem remount;
++	allow $1 nfs_t:dir list_dir_perms;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Unmount a NFS filesystem.
++##	Do not audit attempts to list the contents
++##	of directories on a NFS filesystem.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain allowed access.
++##	Domain to not audit.
+ ##	</summary>
+ ## </param>
+ #
+-interface(`fs_unmount_nfs',`
++interface(`fs_dontaudit_list_nfs',`
+ 	gen_require(`
+ 		type nfs_t;
+ 	')
+ 
+-	allow $1 nfs_t:filesystem unmount;
++	dontaudit $1 nfs_t:dir list_dir_perms;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Get the attributes of a NFS filesystem.
++##	Mounton a NFS filesystem.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+-## <rolecap/>
+ #
+-interface(`fs_getattr_nfs',`
++interface(`fs_mounton_nfs',`
+ 	gen_require(`
+ 		type nfs_t;
+ 	')
+ 
+-	allow $1 nfs_t:filesystem getattr;
++	allow $1 nfs_t:dir mounton;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Search directories on a NFS filesystem.
++##	Read files on a NFS filesystem.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
++## <rolecap/>
+ #
+-interface(`fs_search_nfs',`
++interface(`fs_read_nfs_files',`
+ 	gen_require(`
+ 		type nfs_t;
+ 	')
+ 
+-	allow $1 nfs_t:dir search_dir_perms;
++	fs_search_auto_mountpoints($1)
++	allow $1 nfs_t:dir list_dir_perms;
++	read_files_pattern($1, nfs_t, nfs_t)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	List NFS filesystem.
++##	Do not audit attempts to read
++##	files on a NFS filesystem.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain allowed access.
++##	Domain to not audit.
+ ##	</summary>
+ ## </param>
+ #
+-interface(`fs_list_nfs',`
++interface(`fs_dontaudit_read_nfs_files',`
+ 	gen_require(`
+ 		type nfs_t;
+ 	')
+ 
+-	allow $1 nfs_t:dir list_dir_perms;
++	dontaudit $1 nfs_t:file read_file_perms;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Do not audit attempts to list the contents
+-##	of directories on a NFS filesystem.
++##	Read files on a NFS filesystem.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain to not audit.
++##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+ #
+-interface(`fs_dontaudit_list_nfs',`
++interface(`fs_write_nfs_files',`
+ 	gen_require(`
+ 		type nfs_t;
+ 	')
+ 
+-	dontaudit $1 nfs_t:dir list_dir_perms;
++	fs_search_auto_mountpoints($1)
++	allow $1 nfs_t:dir list_dir_perms;
++	write_files_pattern($1, nfs_t, nfs_t)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Mounton a NFS filesystem.
++##	Execute files on a NFS filesystem.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
++## <rolecap/>
+ #
+-interface(`fs_mounton_nfs',`
++interface(`fs_exec_nfs_files',`
+ 	gen_require(`
+ 		type nfs_t;
+ 	')
+ 
+-	allow $1 nfs_t:dir mounton;
++	allow $1 nfs_t:dir list_dir_perms;
++	exec_files_pattern($1, nfs_t, nfs_t)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Read files on a NFS filesystem.
++##	Make general progams in nfs an entrypoint for
++##	the specified domain.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain allowed access.
++##	The domain for which nfs_t is an entrypoint.
+ ##	</summary>
+ ## </param>
+-## <rolecap/>
+ #
+-interface(`fs_read_nfs_files',`
++interface(`fs_nfs_entry_type',`
+ 	gen_require(`
+ 		type nfs_t;
+ 	')
+ 
+-	allow $1 nfs_t:dir list_dir_perms;
+-	read_files_pattern($1, nfs_t, nfs_t)
++	domain_entry_file($1, nfs_t)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Do not audit attempts to read
+-##	files on a NFS filesystem.
++##	Make general progams in NFS an entrypoint for
++##	the specified domain.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain to not audit.
++##	The domain for which nfs_t is an entrypoint.
+ ##	</summary>
+ ## </param>
+ #
+-interface(`fs_dontaudit_read_nfs_files',`
++interface(`fs_nfs_entrypoint',`
+ 	gen_require(`
+ 		type nfs_t;
+ 	')
+ 
+-	dontaudit $1 nfs_t:file read_file_perms;
++    allow $1 nfs_t:file entrypoint;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Read files on a NFS filesystem.
++##	Append files
++##	on a NFS filesystem.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2292,19 +3351,21 @@ interface(`fs_getattr_iso9660_fs',`
+ ##	Domain allowed access.
  ##	</summary>
  ## </param>
++## <rolecap/>
  #
--interface(`fs_getattr_iso9660_files',`
-+interface(`fs_manage_kdbus_files',`
+-interface(`fs_write_nfs_files',`
++interface(`fs_append_nfs_files',`
  	gen_require(`
--		type iso9660_t;
-+		type kdbusfs_t;
-+
+ 		type nfs_t;
  	')
  
--	allow $1 iso9660_t:dir list_dir_perms;
--	allow $1 iso9660_t:file getattr;
-+	manage_files_pattern($1, kdbusfs_t, kdbusfs_t)
-+	manage_lnk_files_pattern($1, kdbusfs_t, kdbusfs_t)
-+	fs_search_tmpfs($1)
-+	dev_search_sysfs($1)
+-	allow $1 nfs_t:dir list_dir_perms;
+-	write_files_pattern($1, nfs_t, nfs_t)
++	append_files_pattern($1, nfs_t, nfs_t)
  ')
  
  ########################################
  ## <summary>
--##	Read files on an iso9660 filesystem, which
--##	is usually used on CDs.
-+##	Mount on kdbusfs directories.
+-##	Execute files on a NFS filesystem.
++##	Do not audit attempts to append files
++##	on a NFS filesystem.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2312,16 +3373,15 @@ interface(`fs_getattr_iso9660_files',`
+-##	Domain allowed access.
++##	Domain to not audit.
  ##	</summary>
  ## </param>
+ ## <rolecap/>
  #
--interface(`fs_read_iso9660_files',`
-+interface(`fs_mounton_kdbus', `
+-interface(`fs_exec_nfs_files',`
++interface(`fs_dontaudit_append_nfs_files',`
  	gen_require(`
--		type iso9660_t;
-+		type kdbusfs_t;
+ 		type nfs_t;
  	')
  
--	allow $1 iso9660_t:dir list_dir_perms;
--	read_files_pattern($1, iso9660_t, iso9660_t)
--	read_lnk_files_pattern($1, iso9660_t, iso9660_t)
-+	allow $1 kdbusfs_t:dir mounton;
+-	allow $1 nfs_t:dir list_dir_perms;
+-	exec_files_pattern($1, nfs_t, nfs_t)
++	dontaudit $1 nfs_t:file append_file_perms;
  ')
  
-+
- ########################################
- ## <summary>
- ##	Mount a NFS filesystem.
-@@ -2398,6 +3458,24 @@ interface(`fs_getattr_nfs',`
- 
  ########################################
  ## <summary>
-+##	Set the attributes of nfs directories.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`fs_setattr_nfs_dirs',`
-+	gen_require(`
-+		type nfs_t;
-+	')
-+
-+	allow $1 nfs_t:dir setattr;
-+')
-+
-+########################################
-+## <summary>
- ##	Search directories on a NFS filesystem.
+-##	Append files
+-##	on a NFS filesystem.
++##	Read inherited files on a NFS filesystem.
  ## </summary>
  ## <param name="domain">
-@@ -2485,6 +3563,7 @@ interface(`fs_read_nfs_files',`
- 		type nfs_t;
- 	')
- 
-+	fs_search_auto_mountpoints($1)
- 	allow $1 nfs_t:dir list_dir_perms;
- 	read_files_pattern($1, nfs_t, nfs_t)
- ')
-@@ -2523,6 +3602,7 @@ interface(`fs_write_nfs_files',`
+ ##	<summary>
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+-## <rolecap/>
+ #
+-interface(`fs_append_nfs_files',`
++interface(`fs_read_inherited_nfs_files',`
+ 	gen_require(`
  		type nfs_t;
  	')
  
-+	fs_search_auto_mountpoints($1)
- 	allow $1 nfs_t:dir list_dir_perms;
- 	write_files_pattern($1, nfs_t, nfs_t)
+-	append_files_pattern($1, nfs_t, nfs_t)
++	allow $1 nfs_t:file read_inherited_file_perms;
  ')
-@@ -2549,6 +3629,44 @@ interface(`fs_exec_nfs_files',`
- 
- ########################################
- ## <summary>
-+##	Make general progams in nfs an entrypoint for
-+##	the specified domain.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	The domain for which nfs_t is an entrypoint.
-+##	</summary>
-+## </param>
-+#
-+interface(`fs_nfs_entry_type',`
-+	gen_require(`
-+		type nfs_t;
-+	')
-+
-+	domain_entry_file($1, nfs_t)
-+')
-+
-+########################################
-+## <summary>
-+##	Make general progams in NFS an entrypoint for
-+##	the specified domain.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	The domain for which nfs_t is an entrypoint.
-+##	</summary>
-+## </param>
-+#
-+interface(`fs_nfs_entrypoint',`
-+	gen_require(`
-+		type nfs_t;
-+	')
-+
-+    allow $1 nfs_t:file entrypoint;
-+')
-+
-+########################################
-+## <summary>
- ##	Append files
- ##	on a NFS filesystem.
- ## </summary>
-@@ -2569,7 +3687,7 @@ interface(`fs_append_nfs_files',`
  
  ########################################
  ## <summary>
 -##	dontaudit Append files
-+##	Do not audit attempts to append files
- ##	on a NFS filesystem.
+-##	on a NFS filesystem.
++##	Read/write inherited files on a NFS filesystem.
  ## </summary>
  ## <param name="domain">
-@@ -2589,6 +3707,42 @@ interface(`fs_dontaudit_append_nfs_files',`
- 
- ########################################
- ## <summary>
-+##	Read inherited files on a NFS filesystem.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`fs_read_inherited_nfs_files',`
-+	gen_require(`
-+		type nfs_t;
-+	')
-+
-+	allow $1 nfs_t:file read_inherited_file_perms;
-+')
-+
-+########################################
-+## <summary>
-+##	Read/write inherited files on a NFS filesystem.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
+ ##	<summary>
+-##	Domain to not audit.
 +##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
+ ##	</summary>
+ ## </param>
+-## <rolecap/>
+ #
+-interface(`fs_dontaudit_append_nfs_files',`
 +interface(`fs_rw_inherited_nfs_files',`
-+	gen_require(`
-+		type nfs_t;
-+	')
-+
+ 	gen_require(`
+ 		type nfs_t;
+ 	')
+ 
+-	dontaudit $1 nfs_t:file append_file_perms;
 +	allow $1 nfs_t:file rw_inherited_file_perms;
-+')
-+
-+########################################
-+## <summary>
- ##	Do not audit attempts to read or
- ##	write files on a NFS filesystem.
- ## </summary>
-@@ -2603,7 +3757,7 @@ interface(`fs_dontaudit_rw_nfs_files',`
+ ')
+ 
+ ########################################
+@@ -2603,7 +3832,7 @@ interface(`fs_dontaudit_rw_nfs_files',`
  		type nfs_t;
  	')
  
@@ -17470,7 +18112,7 @@ index 8416beb..b5e6d68 100644
  ')
  
  ########################################
-@@ -2627,7 +3781,7 @@ interface(`fs_read_nfs_symlinks',`
+@@ -2627,7 +3856,7 @@ interface(`fs_read_nfs_symlinks',`
  
  ########################################
  ## <summary>
@@ -17479,7 +18121,7 @@ index 8416beb..b5e6d68 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2719,6 +3873,65 @@ interface(`fs_search_rpc',`
+@@ -2719,6 +3948,65 @@ interface(`fs_search_rpc',`
  
  ########################################
  ## <summary>
@@ -17545,7 +18187,7 @@ index 8416beb..b5e6d68 100644
  ##	Search removable storage directories.
  ## </summary>
  ## <param name="domain">
-@@ -2741,7 +3954,7 @@ interface(`fs_search_removable',`
+@@ -2741,7 +4029,7 @@ interface(`fs_search_removable',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -17554,7 +18196,7 @@ index 8416beb..b5e6d68 100644
  ##	</summary>
  ## </param>
  #
-@@ -2777,7 +3990,7 @@ interface(`fs_read_removable_files',`
+@@ -2777,7 +4065,7 @@ interface(`fs_read_removable_files',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -17563,7 +18205,7 @@ index 8416beb..b5e6d68 100644
  ##	</summary>
  ## </param>
  #
-@@ -2970,6 +4183,7 @@ interface(`fs_manage_nfs_dirs',`
+@@ -2970,6 +4258,7 @@ interface(`fs_manage_nfs_dirs',`
  		type nfs_t;
  	')
  
@@ -17571,7 +18213,7 @@ index 8416beb..b5e6d68 100644
  	allow $1 nfs_t:dir manage_dir_perms;
  ')
  
-@@ -3010,6 +4224,7 @@ interface(`fs_manage_nfs_files',`
+@@ -3010,6 +4299,7 @@ interface(`fs_manage_nfs_files',`
  		type nfs_t;
  	')
  
@@ -17579,7 +18221,7 @@ index 8416beb..b5e6d68 100644
  	manage_files_pattern($1, nfs_t, nfs_t)
  ')
  
-@@ -3050,6 +4265,7 @@ interface(`fs_manage_nfs_symlinks',`
+@@ -3050,6 +4340,7 @@ interface(`fs_manage_nfs_symlinks',`
  		type nfs_t;
  	')
  
@@ -17587,7 +18229,7 @@ index 8416beb..b5e6d68 100644
  	manage_lnk_files_pattern($1, nfs_t, nfs_t)
  ')
  
-@@ -3137,6 +4353,24 @@ interface(`fs_nfs_domtrans',`
+@@ -3137,6 +4428,24 @@ interface(`fs_nfs_domtrans',`
  
  ########################################
  ## <summary>
@@ -17612,11 +18254,27 @@ index 8416beb..b5e6d68 100644
  ##	Mount a NFS server pseudo filesystem.
  ## </summary>
  ## <param name="domain">
-@@ -3255,17 +4489,182 @@ interface(`fs_list_nfsd_fs',`
- ##	</summary>
- ## </param>
+@@ -3239,15 +4548,198 @@ interface(`fs_search_nfsd_fs',`
  #
--interface(`fs_getattr_nfsd_files',`
+ interface(`fs_list_nfsd_fs',`
+ 	gen_require(`
+-		type nfsd_fs_t;
++		type nfsd_fs_t;
++	')
++
++	allow $1 nfsd_fs_t:dir list_dir_perms;
++')
++
++########################################
++## <summary>
++##	Getattr files on an nfsd filesystem
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
 +interface(`fs_getattr_nfsd_files',`
 +	gen_require(`
 +		type nfsd_fs_t;
@@ -17783,63 +18441,83 @@ index 8416beb..b5e6d68 100644
 +## </param>
 +#
 +interface(`fs_unmount_nsfs',`
- 	gen_require(`
--		type nfsd_fs_t;
++	gen_require(`
 +		type nsfs_t;
  	')
  
--	getattr_files_pattern($1, nfsd_fs_t, nfsd_fs_t)
+-	allow $1 nfsd_fs_t:dir list_dir_perms;
 +	allow $1 nsfs_t:filesystem unmount;
  ')
  
  ########################################
  ## <summary>
--##	Read and write NFS server files.
+-##	Getattr files on an nfsd filesystem
 +##	Manage NFS server files.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3273,12 +4672,12 @@ interface(`fs_getattr_nfsd_files',`
+@@ -3255,35 +4747,35 @@ interface(`fs_list_nfsd_fs',`
  ##	</summary>
  ## </param>
  #
--interface(`fs_rw_nfsd_fs',`
+-interface(`fs_getattr_nfsd_files',`
 +interface(`fs_manage_nfsd_fs',`
  	gen_require(`
  		type nfsd_fs_t;
  	')
  
--	rw_files_pattern($1, nfsd_fs_t, nfsd_fs_t)
+-	getattr_files_pattern($1, nfsd_fs_t, nfsd_fs_t)
 +	manage_files_pattern($1, nfsd_fs_t, nfsd_fs_t)
  ')
  
  ########################################
-@@ -3301,6 +4700,24 @@ interface(`fs_associate_ramfs',`
+ ## <summary>
+-##	Read and write NFS server files.
++##	Allow the type to associate to ramfs filesystems.
+ ## </summary>
+-## <param name="domain">
++## <param name="type">
+ ##	<summary>
+-##	Domain allowed access.
++##	The type of the object to be associated.
+ ##	</summary>
+ ## </param>
+ #
+-interface(`fs_rw_nfsd_fs',`
++interface(`fs_associate_ramfs',`
+ 	gen_require(`
+-		type nfsd_fs_t;
++		type ramfs_t;
+ 	')
+ 
+-	rw_files_pattern($1, nfsd_fs_t, nfsd_fs_t)
++	allow $1 ramfs_t:filesystem associate;
+ ')
  
  ########################################
  ## <summary>
+-##	Allow the type to associate to ramfs filesystems.
 +##	Allow the type to associate to proc filesystems.
-+## </summary>
-+## <param name="type">
-+##	<summary>
-+##	The type of the object to be associated.
-+##	</summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="type">
+ ##	<summary>
+@@ -3291,12 +4783,12 @@ interface(`fs_rw_nfsd_fs',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`fs_associate_ramfs',`
 +interface(`fs_associate_proc',`
-+	gen_require(`
+ 	gen_require(`
+-		type ramfs_t;
 +		type proc_t;
-+	')
-+
+ 	')
+ 
+-	allow $1 ramfs_t:filesystem associate;
 +	allow $1 proc_t:filesystem associate;
-+')
-+
-+########################################
-+## <summary>
- ##	Mount a RAM filesystem.
- ## </summary>
- ## <param name="domain">
-@@ -3392,7 +4809,7 @@ interface(`fs_search_ramfs',`
+ ')
+ 
+ ########################################
+@@ -3392,7 +4884,7 @@ interface(`fs_search_ramfs',`
  
  ########################################
  ## <summary>
@@ -17848,7 +18526,7 @@ index 8416beb..b5e6d68 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3429,7 +4846,7 @@ interface(`fs_manage_ramfs_dirs',`
+@@ -3429,7 +4921,7 @@ interface(`fs_manage_ramfs_dirs',`
  
  ########################################
  ## <summary>
@@ -17857,7 +18535,7 @@ index 8416beb..b5e6d68 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3447,7 +4864,7 @@ interface(`fs_dontaudit_read_ramfs_files',`
+@@ -3447,7 +4939,7 @@ interface(`fs_dontaudit_read_ramfs_files',`
  
  ########################################
  ## <summary>
@@ -17866,7 +18544,7 @@ index 8416beb..b5e6d68 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3779,6 +5196,24 @@ interface(`fs_mount_tmpfs',`
+@@ -3779,6 +5271,24 @@ interface(`fs_mount_tmpfs',`
  
  ########################################
  ## <summary>
@@ -17891,7 +18569,7 @@ index 8416beb..b5e6d68 100644
  ##	Remount a tmpfs filesystem.
  ## </summary>
  ## <param name="domain">
-@@ -3815,6 +5250,24 @@ interface(`fs_unmount_tmpfs',`
+@@ -3815,6 +5325,24 @@ interface(`fs_unmount_tmpfs',`
  
  ########################################
  ## <summary>
@@ -17916,7 +18594,7 @@ index 8416beb..b5e6d68 100644
  ##	Get the attributes of a tmpfs
  ##	filesystem.
  ## </summary>
-@@ -3908,7 +5361,7 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',`
+@@ -3908,7 +5436,7 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',`
  
  ########################################
  ## <summary>
@@ -17925,7 +18603,7 @@ index 8416beb..b5e6d68 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3916,17 +5369,17 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',`
+@@ -3916,17 +5444,17 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',`
  ##	</summary>
  ## </param>
  #
@@ -17946,7 +18624,7 @@ index 8416beb..b5e6d68 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3934,17 +5387,17 @@ interface(`fs_mounton_tmpfs',`
+@@ -3934,17 +5462,17 @@ interface(`fs_mounton_tmpfs',`
  ##	</summary>
  ## </param>
  #
@@ -17967,7 +18645,7 @@ index 8416beb..b5e6d68 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3952,17 +5405,36 @@ interface(`fs_setattr_tmpfs_dirs',`
+@@ -3952,17 +5480,36 @@ interface(`fs_setattr_tmpfs_dirs',`
  ##	</summary>
  ## </param>
  #
@@ -18007,7 +18685,7 @@ index 8416beb..b5e6d68 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3970,31 +5442,48 @@ interface(`fs_search_tmpfs',`
+@@ -3970,31 +5517,48 @@ interface(`fs_search_tmpfs',`
  ##	</summary>
  ## </param>
  #
@@ -18063,7 +18741,7 @@ index 8416beb..b5e6d68 100644
  ')
  
  ########################################
-@@ -4057,23 +5546,170 @@ interface(`fs_dontaudit_write_tmpfs_dirs',`
+@@ -4057,23 +5621,170 @@ interface(`fs_dontaudit_write_tmpfs_dirs',`
  ## </param>
  ## <param name="name" optional="true">
  ##	<summary>
@@ -18240,7 +18918,7 @@ index 8416beb..b5e6d68 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4081,18 +5717,18 @@ interface(`fs_tmpfs_filetrans',`
+@@ -4081,18 +5792,18 @@ interface(`fs_tmpfs_filetrans',`
  ##	</summary>
  ## </param>
  #
@@ -18263,7 +18941,7 @@ index 8416beb..b5e6d68 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4100,54 +5736,53 @@ interface(`fs_dontaudit_getattr_tmpfs_files',`
+@@ -4100,54 +5811,53 @@ interface(`fs_dontaudit_getattr_tmpfs_files',`
  ##	</summary>
  ## </param>
  #
@@ -18330,7 +19008,7 @@ index 8416beb..b5e6d68 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4155,17 +5790,18 @@ interface(`fs_read_tmpfs_files',`
+@@ -4155,17 +5865,18 @@ interface(`fs_read_tmpfs_files',`
  ##	</summary>
  ## </param>
  #
@@ -18352,7 +19030,7 @@ index 8416beb..b5e6d68 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4173,17 +5809,18 @@ interface(`fs_rw_tmpfs_files',`
+@@ -4173,17 +5884,18 @@ interface(`fs_rw_tmpfs_files',`
  ##	</summary>
  ## </param>
  #
@@ -18374,7 +19052,7 @@ index 8416beb..b5e6d68 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4191,37 +5828,36 @@ interface(`fs_read_tmpfs_symlinks',`
+@@ -4191,37 +5903,36 @@ interface(`fs_read_tmpfs_symlinks',`
  ##	</summary>
  ## </param>
  #
@@ -18420,7 +19098,7 @@ index 8416beb..b5e6d68 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4229,18 +5865,18 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
+@@ -4229,18 +5940,18 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
  ##	</summary>
  ## </param>
  #
@@ -18442,7 +19120,7 @@ index 8416beb..b5e6d68 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4248,18 +5884,19 @@ interface(`fs_relabel_tmpfs_chr_file',`
+@@ -4248,18 +5959,19 @@ interface(`fs_relabel_tmpfs_chr_file',`
  ##	</summary>
  ## </param>
  #
@@ -18466,7 +19144,7 @@ index 8416beb..b5e6d68 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4267,32 +5904,31 @@ interface(`fs_rw_tmpfs_blk_files',`
+@@ -4267,32 +5979,31 @@ interface(`fs_rw_tmpfs_blk_files',`
  ##	</summary>
  ## </param>
  #
@@ -18505,7 +19183,7 @@ index 8416beb..b5e6d68 100644
  ')
  
  ########################################
-@@ -4407,6 +6043,25 @@ interface(`fs_search_xenfs',`
+@@ -4407,6 +6118,25 @@ interface(`fs_search_xenfs',`
  	allow $1 xenfs_t:dir search_dir_perms;
  ')
  
@@ -18531,7 +19209,7 @@ index 8416beb..b5e6d68 100644
  ########################################
  ## <summary>
  ##	Create, read, write, and delete directories
-@@ -4503,6 +6158,8 @@ interface(`fs_mount_all_fs',`
+@@ -4503,6 +6233,8 @@ interface(`fs_mount_all_fs',`
  	')
  
  	allow $1 filesystem_type:filesystem mount;
@@ -18540,7 +19218,7 @@ index 8416beb..b5e6d68 100644
  ')
  
  ########################################
-@@ -4549,7 +6206,7 @@ interface(`fs_unmount_all_fs',`
+@@ -4549,7 +6281,7 @@ interface(`fs_unmount_all_fs',`
  ## <desc>
  ##	<p>
  ##	Allow the specified domain to
@@ -18549,7 +19227,7 @@ index 8416beb..b5e6d68 100644
  ##	Example attributes:
  ##	</p>
  ##	<ul>
-@@ -4596,6 +6253,26 @@ interface(`fs_dontaudit_getattr_all_fs',`
+@@ -4596,6 +6328,26 @@ interface(`fs_dontaudit_getattr_all_fs',`
  
  ########################################
  ## <summary>
@@ -18576,7 +19254,7 @@ index 8416beb..b5e6d68 100644
  ##	Get the quotas of all filesystems.
  ## </summary>
  ## <param name="domain">
-@@ -4671,6 +6348,25 @@ interface(`fs_getattr_all_dirs',`
+@@ -4671,6 +6423,25 @@ interface(`fs_getattr_all_dirs',`
  
  ########################################
  ## <summary>
@@ -18602,7 +19280,7 @@ index 8416beb..b5e6d68 100644
  ##	Search all directories with a filesystem type.
  ## </summary>
  ## <param name="domain">
-@@ -4912,3 +6608,175 @@ interface(`fs_unconfined',`
+@@ -4912,3 +6683,175 @@ interface(`fs_unconfined',`
  
  	typeattribute $1 filesystem_unconfined_type;
  ')
@@ -18641,7 +19319,7 @@ index 8416beb..b5e6d68 100644
 +interface(`fs_tmpfs_filetrans_named_content',`
 +	gen_require(`
 +		type cgroup_t;
-+        type devlog_t;
++		type devlog_t;
 +	')
 +
 +	fs_tmpfs_filetrans($1, cgroup_t, lnk_file, "cpu")
@@ -18773,7 +19451,7 @@ index 8416beb..b5e6d68 100644
 +#
 +interface(`fs_unmount_tracefs', `
 +	gen_require(`
-+		type cgroup_t;
++		type tracefs_t;
 +	')
 +
 +	allow $1 tracefs_t:filesystem unmount;
@@ -26950,7 +27628,7 @@ index fe0c682..d55811f 100644
 +	ps_process_pattern($1, sshd_t)
 +')
 diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
-index cc877c7..b8e6e98 100644
+index cc877c7..92de2d7 100644
 --- a/policy/modules/services/ssh.te
 +++ b/policy/modules/services/ssh.te
 @@ -6,43 +6,69 @@ policy_module(ssh, 2.4.2)
@@ -27472,7 +28150,7 @@ index cc877c7..b8e6e98 100644
  
  optional_policy(`
  	seutil_sigchld_newrole(ssh_keygen_t)
-@@ -341,3 +527,148 @@ optional_policy(`
+@@ -341,3 +527,150 @@ optional_policy(`
  optional_policy(`
  	udev_read_db(ssh_keygen_t)
  ')
@@ -27513,6 +28191,8 @@ index cc877c7..b8e6e98 100644
 +
 +allow sshd_net_t self:process setrlimit;
 +
++dev_rw_crypto(sshd_net_t)
++
 +init_ioctl_stream_sockets(sshd_net_t)
 +init_rw_tcp_sockets(sshd_net_t)
 +
@@ -45199,10 +45879,10 @@ index 0000000..21963a2
 +/var/run/initramfs(/.*)?	<<none>>
 diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
 new file mode 100644
-index 0000000..86e3d01
+index 0000000..3303edd
 --- /dev/null
 +++ b/policy/modules/system/systemd.if
-@@ -0,0 +1,1803 @@
+@@ -0,0 +1,1823 @@
 +## <summary>SELinux policy for systemd components</summary>
 +
 +######################################
@@ -45480,6 +46160,26 @@ index 0000000..86e3d01
 +
 +######################################
 +## <summary>
++##	Read systemd_resolved PID files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`systemd_resolved_read_pid',`
++	gen_require(`
++		type systemd_resolved_var_run_t;
++	')
++
++	files_search_pids($1)
++	list_dirs_pattern($1, systemd_resolved_var_run_t, systemd_resolved_var_run_t)
++	read_files_pattern($1, systemd_resolved_var_run_t, systemd_resolved_var_run_t)
++')
++
++######################################
++## <summary>
 +##	Read systemd_login PID files.
 +## </summary>
 +## <param name="domain">
diff --git a/policy-f25-contrib.patch b/policy-f25-contrib.patch
index 1ff0209..b5098f7 100644
--- a/policy-f25-contrib.patch
+++ b/policy-f25-contrib.patch
@@ -12362,7 +12362,7 @@ index 008f8ef..144c074 100644
  	admin_pattern($1, certmonger_var_run_t)
  ')
 diff --git a/certmonger.te b/certmonger.te
-index 550b287..df89a52 100644
+index 550b287..e85ac97 100644
 --- a/certmonger.te
 +++ b/certmonger.te
 @@ -18,18 +18,26 @@ files_type(certmonger_var_lib_t)
@@ -12453,7 +12453,8 @@ index 550b287..df89a52 100644
  
  optional_policy(`
 -	apache_initrc_domtrans(certmonger_t)
- 	apache_search_config(certmonger_t)
+-	apache_search_config(certmonger_t)
++	apache_read_config(certmonger_t)
  	apache_signal(certmonger_t)
  	apache_signull(certmonger_t)
 +	apache_systemctl(certmonger_t)
@@ -16509,7 +16510,7 @@ index 881d92f..a2d588a 100644
 +	')
  ')
 diff --git a/condor.te b/condor.te
-index ce9f040..bd8d855 100644
+index ce9f040..08c8e6a 100644
 --- a/condor.te
 +++ b/condor.te
 @@ -34,7 +34,7 @@ files_tmp_file(condor_startd_tmp_t)
@@ -16589,22 +16590,23 @@ index ce9f040..bd8d855 100644
  #
  
 -allow condor_master_t self:capability { setuid setgid dac_override sys_ptrace };
-+allow condor_master_t self:capability { chown setuid setgid sys_ptrace };
++allow condor_master_t self:capability { chown setuid setgid sys_ptrace net_admin };
  
  allow condor_master_t condor_domain:process { sigkill signal };
  
-@@ -138,6 +148,10 @@ manage_dirs_pattern(condor_master_t, condor_master_tmp_t, condor_master_tmp_t)
+@@ -138,6 +148,11 @@ manage_dirs_pattern(condor_master_t, condor_master_tmp_t, condor_master_tmp_t)
  manage_files_pattern(condor_master_t, condor_master_tmp_t, condor_master_tmp_t)
  files_tmp_filetrans(condor_master_t, condor_master_tmp_t, { file dir })
  
 +can_exec(condor_master_t, condor_master_exec_t)
 +
 +kernel_read_system_state(condor_master_t)
++kernel_rw_net_sysctls(condor_master_t)
 +
  corenet_udp_sendrecv_generic_if(condor_master_t)
  corenet_udp_sendrecv_generic_node(condor_master_t)
  corenet_tcp_bind_generic_node(condor_master_t)
-@@ -157,6 +171,8 @@ domain_read_all_domains_state(condor_master_t)
+@@ -157,6 +172,8 @@ domain_read_all_domains_state(condor_master_t)
  
  auth_use_nsswitch(condor_master_t)
  
@@ -16613,7 +16615,7 @@ index ce9f040..bd8d855 100644
  optional_policy(`
  	mta_send_mail(condor_master_t)
  	mta_read_config(condor_master_t)
-@@ -174,6 +190,8 @@ allow condor_collector_t condor_master_t:udp_socket rw_socket_perms;
+@@ -174,6 +191,8 @@ allow condor_collector_t condor_master_t:udp_socket rw_socket_perms;
  
  kernel_read_network_state(condor_collector_t)
  
@@ -16622,7 +16624,7 @@ index ce9f040..bd8d855 100644
  #####################################
  #
  # Negotiator local policy
-@@ -183,12 +201,15 @@ allow condor_negotiator_t self:capability { setuid setgid };
+@@ -183,12 +202,15 @@ allow condor_negotiator_t self:capability { setuid setgid };
  allow condor_negotiator_t condor_master_t:tcp_socket rw_stream_socket_perms;
  allow condor_negotiator_t condor_master_t:udp_socket getattr;
  
@@ -16638,7 +16640,7 @@ index ce9f040..bd8d855 100644
  
  allow condor_procd_t condor_domain:process sigkill;
  
-@@ -206,6 +227,8 @@ allow condor_schedd_t condor_master_t:udp_socket getattr;
+@@ -206,6 +228,8 @@ allow condor_schedd_t condor_master_t:udp_socket getattr;
  
  allow condor_schedd_t condor_var_lock_t:dir manage_file_perms;
  
@@ -16647,7 +16649,7 @@ index ce9f040..bd8d855 100644
  domtrans_pattern(condor_schedd_t, condor_procd_exec_t, condor_procd_t)
  domtrans_pattern(condor_schedd_t, condor_startd_exec_t, condor_startd_t)
  
-@@ -214,6 +237,13 @@ manage_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t)
+@@ -214,6 +238,13 @@ manage_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t)
  relabel_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t)
  files_tmp_filetrans(condor_schedd_t, condor_schedd_tmp_t, { file dir })
  
@@ -16661,7 +16663,7 @@ index ce9f040..bd8d855 100644
  #####################################
  #
  # Startd local policy
-@@ -238,11 +268,10 @@ domain_read_all_domains_state(condor_startd_t)
+@@ -238,11 +269,10 @@ domain_read_all_domains_state(condor_startd_t)
  mcs_process_set_categories(condor_startd_t)
  
  init_domtrans_script(condor_startd_t)
@@ -16674,7 +16676,7 @@ index ce9f040..bd8d855 100644
  optional_policy(`
  	ssh_basic_client_template(condor_startd, condor_startd_t, system_r)
  	ssh_domtrans(condor_startd_t)
-@@ -254,3 +283,7 @@ optional_policy(`
+@@ -254,3 +284,7 @@ optional_policy(`
  		kerberos_use(condor_startd_ssh_t)
  	')
  ')
@@ -24399,7 +24401,7 @@ index 8ce99ff..1bc5d3a 100644
 +	logging_log_filetrans($1, devicekit_var_log_t, file, "pm-suspend.log")
  ')
 diff --git a/devicekit.te b/devicekit.te
-index 77a5003..360db40 100644
+index 77a5003..86a7ed2 100644
 --- a/devicekit.te
 +++ b/devicekit.te
 @@ -7,15 +7,15 @@ policy_module(devicekit, 1.3.1)
@@ -24432,20 +24434,22 @@ index 77a5003..360db40 100644
  ########################################
  #
  # Local policy
-@@ -45,11 +49,8 @@ kernel_read_system_state(devicekit_t)
+@@ -44,12 +48,10 @@ kernel_read_system_state(devicekit_t)
+ 
  dev_read_sysfs(devicekit_t)
  dev_read_urand(devicekit_t)
- 
+-
 -files_read_etc_files(devicekit_t)
 -
 -miscfiles_read_localization(devicekit_t)
--
++dev_getattr_all(devicekit_t)
+ 
  optional_policy(`
 +	dbus_system_domain(devicekit_t, devicekit_exec_t)
  	dbus_system_bus_client(devicekit_t)
  
  	allow devicekit_t { devicekit_disk_t devicekit_power_t }:dbus send_msg;
-@@ -64,7 +65,8 @@ optional_policy(`
+@@ -64,7 +66,8 @@ optional_policy(`
  # Disk local policy
  #
  
@@ -24455,7 +24459,7 @@ index 77a5003..360db40 100644
  allow devicekit_disk_t self:process { getsched signal_perms };
  allow devicekit_disk_t self:fifo_file rw_fifo_file_perms;
  allow devicekit_disk_t self:netlink_kobject_uevent_socket create_socket_perms;
-@@ -81,17 +83,18 @@ allow devicekit_disk_t devicekit_var_run_t:dir mounton;
+@@ -81,17 +84,18 @@ allow devicekit_disk_t devicekit_var_run_t:dir mounton;
  manage_dirs_pattern(devicekit_disk_t, devicekit_var_run_t, devicekit_var_run_t)
  manage_files_pattern(devicekit_disk_t, devicekit_var_run_t, devicekit_var_run_t)
  files_pid_filetrans(devicekit_disk_t, devicekit_var_run_t, { dir file })
@@ -24476,7 +24480,7 @@ index 77a5003..360db40 100644
  
  corecmd_exec_bin(devicekit_disk_t)
  corecmd_exec_shell(devicekit_disk_t)
-@@ -99,6 +102,8 @@ corecmd_getattr_all_executables(devicekit_disk_t)
+@@ -99,6 +103,8 @@ corecmd_getattr_all_executables(devicekit_disk_t)
  
  dev_getattr_all_chr_files(devicekit_disk_t)
  dev_getattr_mtrr_dev(devicekit_disk_t)
@@ -24485,7 +24489,7 @@ index 77a5003..360db40 100644
  dev_getattr_usbfs_dirs(devicekit_disk_t)
  dev_manage_generic_files(devicekit_disk_t)
  dev_read_urand(devicekit_disk_t)
-@@ -117,8 +122,8 @@ files_getattr_all_pipes(devicekit_disk_t)
+@@ -117,8 +123,8 @@ files_getattr_all_pipes(devicekit_disk_t)
  files_manage_boot_dirs(devicekit_disk_t)
  files_manage_isid_type_dirs(devicekit_disk_t)
  files_manage_mnt_dirs(devicekit_disk_t)
@@ -24495,7 +24499,7 @@ index 77a5003..360db40 100644
  
  fs_getattr_all_fs(devicekit_disk_t)
  fs_list_inotifyfs(devicekit_disk_t)
-@@ -135,18 +140,18 @@ storage_raw_write_fixed_disk(devicekit_disk_t)
+@@ -135,18 +141,18 @@ storage_raw_write_fixed_disk(devicekit_disk_t)
  storage_raw_read_removable_device(devicekit_disk_t)
  storage_raw_write_removable_device(devicekit_disk_t)
  
@@ -24517,7 +24521,7 @@ index 77a5003..360db40 100644
  	dbus_system_bus_client(devicekit_disk_t)
  
  	allow devicekit_disk_t devicekit_t:dbus send_msg;
-@@ -170,6 +175,7 @@ optional_policy(`
+@@ -170,6 +176,7 @@ optional_policy(`
  
  optional_policy(`
  	mount_domtrans(devicekit_disk_t)
@@ -24525,7 +24529,7 @@ index 77a5003..360db40 100644
  ')
  
  optional_policy(`
-@@ -183,6 +189,11 @@ optional_policy(`
+@@ -183,6 +190,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -24537,7 +24541,7 @@ index 77a5003..360db40 100644
  	udev_domtrans(devicekit_disk_t)
  	udev_read_db(devicekit_disk_t)
  	udev_read_pid_files(devicekit_disk_t)
-@@ -192,12 +203,19 @@ optional_policy(`
+@@ -192,12 +204,19 @@ optional_policy(`
  	virt_manage_images(devicekit_disk_t)
  ')
  
@@ -24558,7 +24562,7 @@ index 77a5003..360db40 100644
  allow devicekit_power_t self:process { getsched signal_perms };
  allow devicekit_power_t self:fifo_file rw_fifo_file_perms;
  allow devicekit_power_t self:unix_dgram_socket create_socket_perms;
-@@ -212,9 +230,7 @@ manage_dirs_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t)
+@@ -212,9 +231,7 @@ manage_dirs_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t)
  manage_files_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t)
  files_var_lib_filetrans(devicekit_power_t, devicekit_var_lib_t, dir)
  
@@ -24569,7 +24573,7 @@ index 77a5003..360db40 100644
  logging_log_filetrans(devicekit_power_t, devicekit_var_log_t, file)
  
  manage_dirs_pattern(devicekit_power_t, devicekit_var_run_t, devicekit_var_run_t)
-@@ -224,12 +240,12 @@ files_pid_filetrans(devicekit_power_t, devicekit_var_run_t, { dir file })
+@@ -224,12 +241,12 @@ files_pid_filetrans(devicekit_power_t, devicekit_var_run_t, { dir file })
  kernel_read_fs_sysctls(devicekit_power_t)
  kernel_read_network_state(devicekit_power_t)
  kernel_read_system_state(devicekit_power_t)
@@ -24584,7 +24588,7 @@ index 77a5003..360db40 100644
  
  corecmd_exec_bin(devicekit_power_t)
  corecmd_exec_shell(devicekit_power_t)
-@@ -248,21 +264,18 @@ domain_read_all_domains_state(devicekit_power_t)
+@@ -248,21 +265,18 @@ domain_read_all_domains_state(devicekit_power_t)
  
  files_read_kernel_img(devicekit_power_t)
  files_read_etc_runtime_files(devicekit_power_t)
@@ -24607,7 +24611,7 @@ index 77a5003..360db40 100644
  sysnet_domtrans_ifconfig(devicekit_power_t)
  sysnet_domtrans_dhcpc(devicekit_power_t)
  
-@@ -277,6 +290,12 @@ optional_policy(`
+@@ -277,6 +291,12 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -24620,7 +24624,7 @@ index 77a5003..360db40 100644
  	dbus_system_bus_client(devicekit_power_t)
  
  	allow devicekit_power_t devicekit_t:dbus send_msg;
-@@ -307,8 +326,11 @@ optional_policy(`
+@@ -307,8 +327,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -24633,7 +24637,7 @@ index 77a5003..360db40 100644
  	hal_manage_pid_dirs(devicekit_power_t)
  	hal_manage_pid_files(devicekit_power_t)
  ')
-@@ -347,3 +369,9 @@ optional_policy(`
+@@ -347,3 +370,9 @@ optional_policy(`
  optional_policy(`
  	vbetool_domtrans(devicekit_power_t)
  ')
@@ -32285,10 +32289,10 @@ index 0000000..a3633cd
 +/var/run/ganesha.*	--	gen_context(system_u:object_r:glusterd_var_run_t,s0)
 diff --git a/glusterd.if b/glusterd.if
 new file mode 100644
-index 0000000..764ae00
+index 0000000..5e057b6
 --- /dev/null
 +++ b/glusterd.if
-@@ -0,0 +1,261 @@
+@@ -0,0 +1,281 @@
 +
 +## <summary>policy for glusterd</summary>
 +
@@ -32389,6 +32393,26 @@ index 0000000..764ae00
 +
 +########################################
 +## <summary>
++##	Manage glusterd PID files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`glusterd_manage_pid',`
++	gen_require(`
++		type glusterd_var_run_t;
++	')
++
++	files_search_pids($1)
++	manage_dirs_pattern($1, glusterd_var_run_t, glusterd_var_run_t)
++	manage_files_pattern($1, glusterd_var_run_t, glusterd_var_run_t)
++')
++
++########################################
++## <summary>
 +##	Manage glusterd log files
 +## </summary>
 +## <param name="domain">
@@ -42401,10 +42425,10 @@ index 0000000..bd7e7fa
 +')
 diff --git a/keepalived.te b/keepalived.te
 new file mode 100644
-index 0000000..66e747b
+index 0000000..5187a62
 --- /dev/null
 +++ b/keepalived.te
-@@ -0,0 +1,92 @@
+@@ -0,0 +1,93 @@
 +policy_module(keepalived, 1.0.0)
 +
 +########################################
@@ -42434,6 +42458,7 @@ index 0000000..66e747b
 +allow keepalived_t self:process { signal_perms };
 +allow keepalived_t self:netlink_socket create_socket_perms;
 +allow keepalived_t self:netlink_generic_socket create_socket_perms;
++allow keepalived_t self:netlink_netfilter_socket create_socket_perms;
 +allow keepalived_t self:netlink_route_socket nlmsg_write;
 +allow keepalived_t self:packet_socket create_socket_perms;
 +allow keepalived_t self:rawip_socket create_socket_perms;
@@ -58375,7 +58400,7 @@ index 0641e97..f3b1111 100644
 +	admin_pattern($1, nrpe_etc_t)
  ')
 diff --git a/nagios.te b/nagios.te
-index 7b3e682..e4b8c8a 100644
+index 7b3e682..69e6bf8 100644
 --- a/nagios.te
 +++ b/nagios.te
 @@ -5,6 +5,25 @@ policy_module(nagios, 1.13.0)
@@ -58460,7 +58485,15 @@ index 7b3e682..e4b8c8a 100644
  
  ########################################
  #
-@@ -96,11 +121,13 @@ allow nagios_t nagios_etc_t:dir list_dir_perms;
+@@ -87,6 +112,7 @@ dontaudit nagios_t self:capability sys_tty_config;
+ allow nagios_t self:process { setpgid signal_perms };
+ allow nagios_t self:fifo_file rw_fifo_file_perms;
+ allow nagios_t self:tcp_socket { accept listen };
++allow nagios_t self:unix_stream_socket { connectto };
+ 
+ allow nagios_t nagios_plugin_domain:process signal_perms;
+ 
+@@ -96,11 +122,13 @@ allow nagios_t nagios_etc_t:dir list_dir_perms;
  allow nagios_t nagios_etc_t:file read_file_perms;
  allow nagios_t nagios_etc_t:lnk_file read_lnk_file_perms;
  
@@ -58479,7 +58512,7 @@ index 7b3e682..e4b8c8a 100644
  
  manage_dirs_pattern(nagios_t, nagios_tmp_t, nagios_tmp_t)
  manage_files_pattern(nagios_t, nagios_tmp_t, nagios_tmp_t)
-@@ -110,11 +137,14 @@ manage_files_pattern(nagios_t, nagios_var_run_t, nagios_var_run_t)
+@@ -110,11 +138,14 @@ manage_files_pattern(nagios_t, nagios_var_run_t, nagios_var_run_t)
  files_pid_filetrans(nagios_t, nagios_var_run_t, file)
  
  manage_fifo_files_pattern(nagios_t, nagios_spool_t, nagios_spool_t)
@@ -58496,7 +58529,7 @@ index 7b3e682..e4b8c8a 100644
  
  kernel_read_system_state(nagios_t)
  kernel_read_kernel_sysctls(nagios_t)
-@@ -123,7 +153,6 @@ kernel_read_software_raid_state(nagios_t)
+@@ -123,7 +154,6 @@ kernel_read_software_raid_state(nagios_t)
  corecmd_exec_bin(nagios_t)
  corecmd_exec_shell(nagios_t)
  
@@ -58504,7 +58537,7 @@ index 7b3e682..e4b8c8a 100644
  corenet_all_recvfrom_netlabel(nagios_t)
  corenet_tcp_sendrecv_generic_if(nagios_t)
  corenet_tcp_sendrecv_generic_node(nagios_t)
-@@ -143,7 +172,6 @@ domain_read_all_domains_state(nagios_t)
+@@ -143,7 +173,6 @@ domain_read_all_domains_state(nagios_t)
  
  files_read_etc_runtime_files(nagios_t)
  files_read_kernel_symbol_table(nagios_t)
@@ -58512,7 +58545,7 @@ index 7b3e682..e4b8c8a 100644
  files_search_spool(nagios_t)
  
  fs_getattr_all_fs(nagios_t)
-@@ -153,8 +181,6 @@ auth_use_nsswitch(nagios_t)
+@@ -153,8 +182,6 @@ auth_use_nsswitch(nagios_t)
  
  logging_send_syslog_msg(nagios_t)
  
@@ -58521,7 +58554,7 @@ index 7b3e682..e4b8c8a 100644
  userdom_dontaudit_use_unpriv_user_fds(nagios_t)
  userdom_dontaudit_search_user_home_dirs(nagios_t)
  
-@@ -162,6 +188,35 @@ mta_send_mail(nagios_t)
+@@ -162,6 +189,39 @@ mta_send_mail(nagios_t)
  mta_signal_system_mail(nagios_t)
  mta_kill_system_mail(nagios_t)
  
@@ -58544,6 +58577,10 @@ index 7b3e682..e4b8c8a 100644
 +')
 +
 +optional_policy(`
++    apache_systemctl(nagios_t)
++')
++
++optional_policy(`
 +    tunable_policy(`nagios_run_sudo',`
 +        sudo_exec(nagios_t)
 +        sudo_manage_db(nagios_t)
@@ -58557,7 +58594,7 @@ index 7b3e682..e4b8c8a 100644
  optional_policy(`
  	netutils_kill_ping(nagios_t)
  ')
-@@ -178,35 +233,37 @@ optional_policy(`
+@@ -178,35 +238,37 @@ optional_policy(`
  #
  # CGI local policy
  #
@@ -58613,7 +58650,7 @@ index 7b3e682..e4b8c8a 100644
  ')
  
  ########################################
-@@ -214,7 +271,7 @@ optional_policy(`
+@@ -214,7 +276,7 @@ optional_policy(`
  # Nrpe local policy
  #
  
@@ -58622,7 +58659,7 @@ index 7b3e682..e4b8c8a 100644
  dontaudit nrpe_t self:capability { sys_tty_config sys_resource };
  allow nrpe_t self:process { setpgid signal_perms setsched setrlimit };
  allow nrpe_t self:fifo_file rw_fifo_file_perms;
-@@ -229,9 +286,9 @@ files_pid_filetrans(nrpe_t, nrpe_var_run_t, file)
+@@ -229,9 +291,9 @@ files_pid_filetrans(nrpe_t, nrpe_var_run_t, file)
  
  domtrans_pattern(nrpe_t, nagios_checkdisk_plugin_exec_t, nagios_checkdisk_plugin_t)
  
@@ -58633,7 +58670,7 @@ index 7b3e682..e4b8c8a 100644
  
  corecmd_exec_bin(nrpe_t)
  corecmd_exec_shell(nrpe_t)
-@@ -252,8 +309,8 @@ dev_read_urand(nrpe_t)
+@@ -252,8 +314,8 @@ dev_read_urand(nrpe_t)
  domain_use_interactive_fds(nrpe_t)
  domain_read_all_domains_state(nrpe_t)
  
@@ -58643,7 +58680,7 @@ index 7b3e682..e4b8c8a 100644
  
  fs_getattr_all_fs(nrpe_t)
  fs_search_auto_mountpoints(nrpe_t)
-@@ -262,10 +319,34 @@ auth_use_nsswitch(nrpe_t)
+@@ -262,10 +324,34 @@ auth_use_nsswitch(nrpe_t)
  
  logging_send_syslog_msg(nrpe_t)
  
@@ -58680,7 +58717,7 @@ index 7b3e682..e4b8c8a 100644
  optional_policy(`
  	inetd_tcp_service_domain(nrpe_t, nrpe_exec_t)
  ')
-@@ -310,15 +391,15 @@ files_getattr_all_file_type_fs(nagios_admin_plugin_t)
+@@ -310,15 +396,15 @@ files_getattr_all_file_type_fs(nagios_admin_plugin_t)
  #
  
  allow nagios_mail_plugin_t self:capability { setuid setgid dac_override };
@@ -58699,7 +58736,7 @@ index 7b3e682..e4b8c8a 100644
  logging_send_syslog_msg(nagios_mail_plugin_t)
  
  sysnet_dns_name_resolve(nagios_mail_plugin_t)
-@@ -345,6 +426,9 @@ allow nagios_checkdisk_plugin_t self:capability { sys_admin sys_rawio };
+@@ -345,9 +431,14 @@ allow nagios_checkdisk_plugin_t self:capability { sys_admin sys_rawio };
  
  kernel_read_software_raid_state(nagios_checkdisk_plugin_t)
  
@@ -58709,7 +58746,12 @@ index 7b3e682..e4b8c8a 100644
  files_getattr_all_mountpoints(nagios_checkdisk_plugin_t)
  files_read_etc_runtime_files(nagios_checkdisk_plugin_t)
  
-@@ -357,9 +441,11 @@ storage_raw_read_fixed_disk(nagios_checkdisk_plugin_t)
++fs_read_configfs_files(nagios_checkdisk_plugin_t)
++fs_read_configfs_dirs(nagios_checkdisk_plugin_t)
+ fs_getattr_all_fs(nagios_checkdisk_plugin_t)
+ 
+ storage_raw_read_fixed_disk(nagios_checkdisk_plugin_t)
+@@ -357,9 +448,11 @@ storage_raw_read_fixed_disk(nagios_checkdisk_plugin_t)
  # Services local policy
  #
  
@@ -58723,7 +58765,7 @@ index 7b3e682..e4b8c8a 100644
  
  corecmd_exec_bin(nagios_services_plugin_t)
  
-@@ -391,6 +477,11 @@ optional_policy(`
+@@ -391,6 +484,11 @@ optional_policy(`
  
  optional_policy(`
  	mysql_stream_connect(nagios_services_plugin_t)
@@ -58735,7 +58777,7 @@ index 7b3e682..e4b8c8a 100644
  ')
  
  optional_policy(`
-@@ -406,28 +497,36 @@ allow nagios_system_plugin_t self:capability dac_override;
+@@ -406,28 +504,36 @@ allow nagios_system_plugin_t self:capability dac_override;
  dontaudit nagios_system_plugin_t self:capability { setuid setgid };
  
  read_files_pattern(nagios_system_plugin_t, nagios_log_t, nagios_log_t)
@@ -58774,7 +58816,7 @@ index 7b3e682..e4b8c8a 100644
  #######################################
  #
  # Event local policy
-@@ -442,9 +541,39 @@ corecmd_exec_shell(nagios_eventhandler_plugin_t)
+@@ -442,9 +548,39 @@ corecmd_exec_shell(nagios_eventhandler_plugin_t)
  
  init_domtrans_script(nagios_eventhandler_plugin_t)
  
@@ -69455,10 +69497,10 @@ index 0000000..80246e6
 +
 diff --git a/pcp.te b/pcp.te
 new file mode 100644
-index 0000000..e55bf80
+index 0000000..d19e18f
 --- /dev/null
 +++ b/pcp.te
-@@ -0,0 +1,308 @@
+@@ -0,0 +1,312 @@
 +policy_module(pcp, 1.0.0)
 +
 +########################################
@@ -69728,8 +69770,12 @@ index 0000000..e55bf80
 +
 +fs_search_cgroup_dirs(pcp_pmie_t)
 +
++init_status(pcp_pmie_t)
++
 +logging_send_syslog_msg(pcp_pmie_t)
 +
++systemd_exec_systemctl(pcp_pmie_t)
++systemd_read_unit_files(pcp_pmie_t)
 +systemd_search_unit_dirs(pcp_pmie_t)
 +
 +userdom_read_user_tmp_files(pcp_pmie_t)
@@ -95357,7 +95403,7 @@ index 50d07fb..a34db48 100644
 +	allow $1 samba_unit_file_t:service all_service_perms;
  ')
 diff --git a/samba.te b/samba.te
-index 2b7c441..c3db0c7 100644
+index 2b7c441..0aaed65 100644
 --- a/samba.te
 +++ b/samba.te
 @@ -6,99 +6,86 @@ policy_module(samba, 1.16.3)
@@ -95948,7 +95994,7 @@ index 2b7c441..c3db0c7 100644
  ')
  
  optional_policy(`
-@@ -474,11 +501,30 @@ optional_policy(`
+@@ -474,11 +501,31 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -95963,6 +96009,7 @@ index 2b7c441..c3db0c7 100644
 +optional_policy(`
 +    glusterd_read_conf(smbd_t)
 +    glusterd_rw_lib(smbd_t)
++    glusterd_manage_pid(smbd_t)
 +')
 +
 +optional_policy(`
@@ -95979,7 +96026,7 @@ index 2b7c441..c3db0c7 100644
  	lpd_exec_lpr(smbd_t)
  ')
  
-@@ -488,6 +534,10 @@ optional_policy(`
+@@ -488,6 +535,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -95990,7 +96037,7 @@ index 2b7c441..c3db0c7 100644
  	rpc_search_nfs_state_data(smbd_t)
  ')
  
-@@ -499,12 +549,53 @@ optional_policy(`
+@@ -499,12 +550,53 @@ optional_policy(`
  	udev_read_db(smbd_t)
  ')
  
@@ -96045,7 +96092,7 @@ index 2b7c441..c3db0c7 100644
  allow nmbd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  allow nmbd_t self:fd use;
  allow nmbd_t self:fifo_file rw_fifo_file_perms;
-@@ -512,9 +603,11 @@ allow nmbd_t self:msg { send receive };
+@@ -512,9 +604,11 @@ allow nmbd_t self:msg { send receive };
  allow nmbd_t self:msgq create_msgq_perms;
  allow nmbd_t self:sem create_sem_perms;
  allow nmbd_t self:shm create_shm_perms;
@@ -96060,7 +96107,7 @@ index 2b7c441..c3db0c7 100644
  
  manage_dirs_pattern(nmbd_t, { smbd_var_run_t nmbd_var_run_t }, nmbd_var_run_t)
  manage_files_pattern(nmbd_t, nmbd_var_run_t, nmbd_var_run_t)
-@@ -526,20 +619,16 @@ read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
+@@ -526,20 +620,16 @@ read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
  read_lnk_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
  
  manage_dirs_pattern(nmbd_t, samba_log_t, samba_log_t)
@@ -96085,7 +96132,7 @@ index 2b7c441..c3db0c7 100644
  
  kernel_getattr_core_if(nmbd_t)
  kernel_getattr_message_if(nmbd_t)
-@@ -547,53 +636,44 @@ kernel_read_kernel_sysctls(nmbd_t)
+@@ -547,53 +637,44 @@ kernel_read_kernel_sysctls(nmbd_t)
  kernel_read_network_state(nmbd_t)
  kernel_read_software_raid_state(nmbd_t)
  kernel_read_system_state(nmbd_t)
@@ -96154,7 +96201,7 @@ index 2b7c441..c3db0c7 100644
  ')
  
  optional_policy(`
-@@ -606,18 +686,29 @@ optional_policy(`
+@@ -606,18 +687,29 @@ optional_policy(`
  
  ########################################
  #
@@ -96190,7 +96237,7 @@ index 2b7c441..c3db0c7 100644
  
  samba_read_config(smbcontrol_t)
  samba_search_var(smbcontrol_t)
-@@ -627,39 +718,38 @@ domain_use_interactive_fds(smbcontrol_t)
+@@ -627,39 +719,38 @@ domain_use_interactive_fds(smbcontrol_t)
  
  dev_read_urand(smbcontrol_t)
  
@@ -96242,7 +96289,7 @@ index 2b7c441..c3db0c7 100644
  
  allow smbmount_t samba_secrets_t:file manage_file_perms;
  
-@@ -668,26 +758,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t)
+@@ -668,26 +759,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t)
  manage_lnk_files_pattern(smbmount_t, samba_var_t, samba_var_t)
  files_var_filetrans(smbmount_t, samba_var_t, dir, "samba")
  
@@ -96278,7 +96325,7 @@ index 2b7c441..c3db0c7 100644
  
  fs_getattr_cifs(smbmount_t)
  fs_mount_cifs(smbmount_t)
-@@ -699,58 +785,77 @@ fs_read_cifs_files(smbmount_t)
+@@ -699,58 +786,77 @@ fs_read_cifs_files(smbmount_t)
  storage_raw_read_fixed_disk(smbmount_t)
  storage_raw_write_fixed_disk(smbmount_t)
  
@@ -96370,7 +96417,7 @@ index 2b7c441..c3db0c7 100644
  
  manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t)
  manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t)
-@@ -759,17 +864,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir })
+@@ -759,17 +865,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir })
  manage_files_pattern(swat_t, swat_var_run_t, swat_var_run_t)
  files_pid_filetrans(swat_t, swat_var_run_t, file)
  
@@ -96394,7 +96441,7 @@ index 2b7c441..c3db0c7 100644
  
  kernel_read_kernel_sysctls(swat_t)
  kernel_read_system_state(swat_t)
-@@ -777,36 +878,25 @@ kernel_read_network_state(swat_t)
+@@ -777,36 +879,25 @@ kernel_read_network_state(swat_t)
  
  corecmd_search_bin(swat_t)
  
@@ -96437,7 +96484,7 @@ index 2b7c441..c3db0c7 100644
  
  auth_domtrans_chk_passwd(swat_t)
  auth_use_nsswitch(swat_t)
-@@ -818,10 +908,11 @@ logging_send_syslog_msg(swat_t)
+@@ -818,10 +909,11 @@ logging_send_syslog_msg(swat_t)
  logging_send_audit_msgs(swat_t)
  logging_search_logs(swat_t)
  
@@ -96451,7 +96498,7 @@ index 2b7c441..c3db0c7 100644
  optional_policy(`
  	cups_read_rw_config(swat_t)
  	cups_stream_connect(swat_t)
-@@ -840,17 +931,20 @@ optional_policy(`
+@@ -840,17 +932,20 @@ optional_policy(`
  # Winbind local policy
  #
  
@@ -96478,7 +96525,7 @@ index 2b7c441..c3db0c7 100644
  
  allow winbind_t samba_etc_t:dir list_dir_perms;
  read_files_pattern(winbind_t, samba_etc_t, samba_etc_t)
-@@ -860,9 +954,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t)
+@@ -860,9 +955,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t)
  filetrans_pattern(winbind_t, samba_etc_t, samba_secrets_t, file)
  
  manage_dirs_pattern(winbind_t, samba_log_t, samba_log_t)
@@ -96489,7 +96536,7 @@ index 2b7c441..c3db0c7 100644
  manage_lnk_files_pattern(winbind_t, samba_log_t, samba_log_t)
  
  manage_dirs_pattern(winbind_t, samba_var_t, samba_var_t)
-@@ -873,38 +965,42 @@ files_var_filetrans(winbind_t, samba_var_t, dir, "samba")
+@@ -873,38 +966,42 @@ files_var_filetrans(winbind_t, samba_var_t, dir, "samba")
  
  rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t)
  
@@ -96543,7 +96590,7 @@ index 2b7c441..c3db0c7 100644
  corenet_tcp_connect_smbd_port(winbind_t)
  corenet_tcp_connect_epmap_port(winbind_t)
  corenet_tcp_connect_all_unreserved_ports(winbind_t)
-@@ -912,38 +1008,52 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t)
+@@ -912,38 +1009,52 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t)
  dev_read_sysfs(winbind_t)
  dev_read_urand(winbind_t)
  
@@ -96602,7 +96649,7 @@ index 2b7c441..c3db0c7 100644
  ')
  
  optional_policy(`
-@@ -959,31 +1069,36 @@ optional_policy(`
+@@ -959,31 +1070,36 @@ optional_policy(`
  # Winbind helper local policy
  #
  
@@ -96646,7 +96693,7 @@ index 2b7c441..c3db0c7 100644
  
  optional_policy(`
  	apache_append_log(winbind_helper_t)
-@@ -997,25 +1112,38 @@ optional_policy(`
+@@ -997,25 +1113,38 @@ optional_policy(`
  
  ########################################
  #
@@ -105553,7 +105600,7 @@ index a240455..277f8f2 100644
 -	admin_pattern($1, sssd_log_t)
  ')
 diff --git a/sssd.te b/sssd.te
-index 2d8db1f..d4fee07 100644
+index 2d8db1f..dea44e9 100644
 --- a/sssd.te
 +++ b/sssd.te
 @@ -28,19 +28,31 @@ logging_log_file(sssd_var_log_t)
@@ -105592,7 +105639,7 @@ index 2d8db1f..d4fee07 100644
  
  manage_dirs_pattern(sssd_t, sssd_public_t, sssd_public_t)
  manage_files_pattern(sssd_t, sssd_public_t, sssd_public_t)
-@@ -51,9 +63,11 @@ manage_lnk_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
+@@ -51,28 +63,27 @@ manage_lnk_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
  manage_sock_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
  files_var_lib_filetrans(sssd_t, sssd_var_lib_t, { file dir })
  
@@ -105607,7 +105654,9 @@ index 2d8db1f..d4fee07 100644
  logging_log_filetrans(sssd_t, sssd_var_log_t, file)
  
  manage_dirs_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t)
-@@ -62,17 +76,14 @@ files_pid_filetrans(sssd_t, sssd_var_run_t, { file dir })
+ manage_files_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t)
+-files_pid_filetrans(sssd_t, sssd_var_run_t, { file dir })
++files_pid_filetrans(sssd_t, sssd_var_run_t, { file dir sock_file })
  
  kernel_read_network_state(sssd_t)
  kernel_read_system_state(sssd_t)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index b481727..b98add2 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 225.16%{?dist}
+Release: 225.17%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -682,6 +682,20 @@ exit 0
 %endif
 
 %changelog
+* Mon Jun 05 2017 Lukas Vrabec  <lvrabec@redhat.com> - 3.13.1-225.17
+- Allow  dnsmasq_t domain to read systemd-resolved pid files.
+- Allow smbd_t domain generate debugging files under /var/run/gluster. These files are created through the libgfapi.so library that provides integration of a GlusterFS client in the Samba (vfs_glusterfs) process.
+- Allow condor_master_t write to sysctl_net_t
+- Allow nagios check disk plugin read /sys/kernel/config/
+- Allow pcp_pmie_t domain execute systemctl binary
+- Allow nagios to connect to stream sockets. Allow nagios start httpd via systemctl
+- Add interface fs_read_configfs_dirs()
+- Add interface fs_read_configfs_files()
+- Fix systemd_resolved_read_pid interface
+- Add interface systemd_resolved_read_pid()
+- Allow sshd_net_t domain read/write into crypto devices
+
+
 * Mon May 15 2017 Lukas Vrabec  <lvrabec@redhat.com> - 3.13.1-225.16
 - Allow svirt_t to read raw fixed_disk_device_t to make working blockcommit
 - Update targetd policy to accommodate changes in the service