+##
+## Allow ABRT to modify public files
@@ -20067,14 +20100,17 @@ index 30861ec..ced411a 100644
+##
+gen_tunable(abrt_anon_write, false)
+
- type abrt_t;
++attribute abrt_domain;
++
++type abrt_t, abrt_domain;
type abrt_exec_t;
init_daemon_domain(abrt_t, abrt_exec_t)
-@@ -32,6 +40,12 @@ files_type(abrt_var_cache_t)
+
+@@ -32,9 +42,15 @@ files_type(abrt_var_cache_t)
type abrt_var_run_t;
files_pid_file(abrt_var_run_t)
-+type abrt_dump_oops_t;
++type abrt_dump_oops_t, abrt_domain;
+type abrt_dump_oops_exec_t;
+init_system_domain(abrt_dump_oops_t, abrt_dump_oops_exec_t)
+
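Review bot: The new `attribute abrt_domain;` declaration has no comment, although every type declared with it picks up whatever rules are later written against the attribute. That covers `abrt_t` and `abrt_dump_oops_t` in this hunk, and `abrt_helper_t`, `abrt_retrace_worker_t` and `abrt_retrace_coredump_t` in the next two. I would put a comment directly above it, for example `# Attribute for all abrt domains; rules granted to abrt_domain apply to every type declared with it`. That tells anyone adding another abrt type that tagging it is a grant of permissions, not only a grouping label.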
@@ -20082,8 +20118,12 @@ index 30861ec..ced411a 100644
+
# type needed to allow all domains
# to handle /var/cache/abrt
- type abrt_helper_t;
-@@ -43,14 +57,37 @@ ifdef(`enable_mcs',`
+-type abrt_helper_t;
++type abrt_helper_t, abrt_domain;
+ type abrt_helper_exec_t;
+ application_domain(abrt_helper_t, abrt_helper_exec_t)
+ role system_r types abrt_helper_t;
+@@ -43,14 +59,37 @@ ifdef(`enable_mcs',`
init_ranged_daemon_domain(abrt_t, abrt_exec_t, s0 - mcs_systemhigh)
')
@@ -20091,12 +20131,12 @@ index 30861ec..ced411a 100644
+# Support for ABRT retrace server
+#
+
-+type abrt_retrace_worker_t;
++type abrt_retrace_worker_t, abrt_domain;
+type abrt_retrace_worker_exec_t;
+application_domain(abrt_retrace_worker_t, abrt_retrace_worker_exec_t)
+role system_r types abrt_retrace_worker_t;
+
-+type abrt_retrace_coredump_t;
++type abrt_retrace_coredump_t, abrt_domain;
+type abrt_retrace_coredump_exec_t;
+application_domain(abrt_retrace_coredump_t, abrt_retrace_coredump_exec_t)
+role system_r types abrt_retrace_coredump_t;
@@ -20123,7 +20163,7 @@ index 30861ec..ced411a 100644
allow abrt_t self:fifo_file rw_fifo_file_perms;
allow abrt_t self:tcp_socket create_stream_socket_perms;
-@@ -59,6 +96,7 @@ allow abrt_t self:unix_dgram_socket create_socket_perms;
+@@ -59,6 +98,7 @@ allow abrt_t self:unix_dgram_socket create_socket_perms;
allow abrt_t self:netlink_route_socket r_netlink_socket_perms;
# abrt etc files
@@ -20131,7 +20171,7 @@ index 30861ec..ced411a 100644
rw_files_pattern(abrt_t, abrt_etc_t, abrt_etc_t)
# log file
-@@ -69,6 +107,7 @@ logging_log_filetrans(abrt_t, abrt_var_log_t, file)
+@@ -69,6 +109,7 @@ logging_log_filetrans(abrt_t, abrt_var_log_t, file)
manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
manage_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
files_tmp_filetrans(abrt_t, abrt_tmp_t, { file dir })
@@ -20139,7 +20179,7 @@ index 30861ec..ced411a 100644
# abrt var/cache files
manage_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t)
-@@ -82,7 +121,7 @@ manage_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
+@@ -82,10 +123,9 @@ manage_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
manage_dirs_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
manage_sock_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
manage_lnk_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
@@ -20147,8 +20187,11 @@ index 30861ec..ced411a 100644
+files_pid_filetrans(abrt_t, abrt_var_run_t, { file dir sock_file })
kernel_read_ring_buffer(abrt_t)
- kernel_read_system_state(abrt_t)
-@@ -104,6 +143,7 @@ corenet_tcp_connect_all_ports(abrt_t)
+-kernel_read_system_state(abrt_t)
+ kernel_rw_kernel_sysctl(abrt_t)
+
+ corecmd_exec_bin(abrt_t)
+@@ -104,6 +144,7 @@ corenet_tcp_connect_all_ports(abrt_t)
corenet_sendrecv_http_client_packets(abrt_t)
dev_getattr_all_chr_files(abrt_t)
@@ -20156,7 +20199,7 @@ index 30861ec..ced411a 100644
dev_read_urand(abrt_t)
dev_rw_sysfs(abrt_t)
dev_dontaudit_read_raw_memory(abrt_t)
-@@ -113,7 +153,8 @@ domain_read_all_domains_state(abrt_t)
+@@ -113,7 +154,8 @@ domain_read_all_domains_state(abrt_t)
domain_signull_all_domains(abrt_t)
files_getattr_all_files(abrt_t)
@@ -20166,7 +20209,7 @@ index 30861ec..ced411a 100644
files_read_var_symlinks(abrt_t)
files_read_var_lib_files(abrt_t)
files_read_usr_files(abrt_t)
-@@ -121,6 +162,8 @@ files_read_generic_tmp_files(abrt_t)
+@@ -121,6 +163,8 @@ files_read_generic_tmp_files(abrt_t)
files_read_kernel_modules(abrt_t)
files_dontaudit_list_default(abrt_t)
files_dontaudit_read_default_files(abrt_t)
@@ -20175,7 +20218,7 @@ index 30861ec..ced411a 100644
fs_list_inotifyfs(abrt_t)
fs_getattr_all_fs(abrt_t)
-@@ -131,7 +174,7 @@ fs_read_nfs_files(abrt_t)
+@@ -131,15 +175,23 @@ fs_read_nfs_files(abrt_t)
fs_read_nfs_symlinks(abrt_t)
fs_search_all(abrt_t)
@@ -20183,9 +20226,10 @@ index 30861ec..ced411a 100644
+sysnet_dns_name_resolve(abrt_t)
logging_read_generic_logs(abrt_t)
- logging_send_syslog_msg(abrt_t)
-@@ -140,6 +183,16 @@ miscfiles_read_generic_certs(abrt_t)
- miscfiles_read_localization(abrt_t)
+-logging_send_syslog_msg(abrt_t)
+
+ miscfiles_read_generic_certs(abrt_t)
+-miscfiles_read_localization(abrt_t)
userdom_dontaudit_read_user_home_content_files(abrt_t)
+userdom_dontaudit_read_admin_home_files(abrt_t)
@@ -20201,7 +20245,7 @@ index 30861ec..ced411a 100644
optional_policy(`
dbus_system_domain(abrt_t, abrt_exec_t)
-@@ -150,6 +203,11 @@ optional_policy(`
+@@ -150,6 +202,11 @@ optional_policy(`
')
optional_policy(`
@@ -20213,7 +20257,7 @@ index 30861ec..ced411a 100644
policykit_dbus_chat(abrt_t)
policykit_domtrans_auth(abrt_t)
policykit_read_lib(abrt_t)
-@@ -167,6 +225,7 @@ optional_policy(`
+@@ -167,6 +224,7 @@ optional_policy(`
rpm_exec(abrt_t)
rpm_dontaudit_manage_db(abrt_t)
rpm_manage_cache(abrt_t)
@@ -20221,7 +20265,7 @@ index 30861ec..ced411a 100644
rpm_manage_pid_files(abrt_t)
rpm_read_db(abrt_t)
rpm_signull(abrt_t)
-@@ -178,12 +237,18 @@ optional_policy(`
+@@ -178,12 +236,18 @@ optional_policy(`
')
optional_policy(`
@@ -20241,7 +20285,7 @@ index 30861ec..ced411a 100644
#
allow abrt_helper_t self:capability { chown setgid sys_nice };
-@@ -200,9 +265,12 @@ files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir })
+@@ -200,23 +264,22 @@ files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir })
read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
@@ -20249,12 +20293,18 @@ index 30861ec..ced411a 100644
+
domain_read_all_domains_state(abrt_helper_t)
- files_read_etc_files(abrt_helper_t)
+-files_read_etc_files(abrt_helper_t)
+files_dontaudit_all_non_security_leaks(abrt_helper_t)
fs_list_inotifyfs(abrt_helper_t)
fs_getattr_all_fs(abrt_helper_t)
-@@ -216,7 +284,8 @@ miscfiles_read_localization(abrt_helper_t)
+
+ auth_use_nsswitch(abrt_helper_t)
+
+-logging_send_syslog_msg(abrt_helper_t)
+-
+-miscfiles_read_localization(abrt_helper_t)
+-
term_dontaudit_use_all_ttys(abrt_helper_t)
term_dontaudit_use_all_ptys(abrt_helper_t)
@@ -20264,7 +20314,7 @@ index 30861ec..ced411a 100644
userdom_dontaudit_read_user_home_content_files(abrt_helper_t)
userdom_dontaudit_read_user_tmp_files(abrt_helper_t)
dev_dontaudit_read_all_blk_files(abrt_helper_t)
-@@ -224,4 +293,131 @@ ifdef(`hide_broken_symptoms', `
+@@ -224,4 +287,124 @@ ifdef(`hide_broken_symptoms', `
dev_dontaudit_write_all_chr_files(abrt_helper_t)
dev_dontaudit_write_all_blk_files(abrt_helper_t)
fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t)
@@ -20272,7 +20322,7 @@ index 30861ec..ced411a 100644
+ optional_policy(`
+ rpm_dontaudit_leaks(abrt_helper_t)
+ ')
- ')
++')
+
+ifdef(`hide_broken_symptoms',`
+ gen_require(`
@@ -20282,7 +20332,7 @@ index 30861ec..ced411a 100644
+ allow abrt_t self:capability sys_resource;
+ allow abrt_t domain:file write;
+ allow abrt_t domain:process setrlimit;
-+')
+ ')
+
+#######################################
+#
@@ -20299,20 +20349,13 @@ index 30861ec..ced411a 100644
+read_files_pattern(abrt_retrace_coredump_t, abrt_retrace_spool_t, abrt_retrace_spool_t)
+read_lnk_files_pattern(abrt_retrace_coredump_t, abrt_retrace_spool_t, abrt_retrace_spool_t)
+
-+kernel_read_system_state(abrt_retrace_coredump_t)
-+
+corecmd_exec_bin(abrt_retrace_coredump_t)
+corecmd_exec_shell(abrt_retrace_coredump_t)
+
+dev_read_urand(abrt_retrace_coredump_t)
+
-+files_read_etc_files(abrt_retrace_coredump_t)
+files_read_usr_files(abrt_retrace_coredump_t)
+
-+logging_send_syslog_msg(abrt_retrace_coredump_t)
-+
-+miscfiles_read_localization(abrt_retrace_coredump_t)
-+
+sysnet_dns_name_resolve(abrt_retrace_coredump_t)
+
+# to install debuginfo packages
@@ -20346,20 +20389,13 @@ index 30861ec..ced411a 100644
+
+can_exec(abrt_retrace_worker_t, abrt_retrace_worker_exec_t)
+
-+kernel_read_system_state(abrt_retrace_worker_t)
-+
+corecmd_exec_bin(abrt_retrace_worker_t)
+corecmd_exec_shell(abrt_retrace_worker_t)
+
+dev_read_urand(abrt_retrace_worker_t)
+
-+files_read_etc_files(abrt_retrace_worker_t)
+files_read_usr_files(abrt_retrace_worker_t)
+
-+logging_send_syslog_msg(abrt_retrace_worker_t)
-+
-+miscfiles_read_localization(abrt_retrace_worker_t)
-+
+sysnet_dns_name_resolve(abrt_retrace_worker_t)
+
+optional_policy(`
@@ -20386,16 +20422,23 @@ index 30861ec..ced411a 100644
+
+kernel_read_kernel_sysctls(abrt_dump_oops_t)
+kernel_read_ring_buffer(abrt_dump_oops_t)
-+kernel_read_system_state(abrt_dump_oops_t)
+
+domain_use_interactive_fds(abrt_dump_oops_t)
+
-+files_read_etc_files(abrt_dump_oops_t)
-+
+logging_read_generic_logs(abrt_dump_oops_t)
-+logging_send_syslog_msg(abrt_dump_oops_t)
+
-+miscfiles_read_localization(abrt_dump_oops_t)
++#######################################
++#
++# Local policy for all abrt domain
++#
++
++kernel_read_system_state(abrt_domain)
++
++files_read_etc_files(abrt_domain)
++
++logging_send_syslog_msg(abrt_domain)
++
++miscfiles_read_localization(abrt_domain)
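Review bot: Moving `kernel_read_system_state` onto `abrt_domain` appears to widen access for `abrt_helper_t`, not just deduplicate rules. The per-domain copies are removed for `abrt_t`, `abrt_retrace_coredump_t`, `abrt_retrace_worker_t` and `abrt_dump_oops_t`, but no removal of `kernel_read_system_state(abrt_helper_t)` is visible in this patch, so the helper seems to gain the permission through the attribute. If that is not intended, keep `kernel_read_system_state(...)` on the individual domains that need it and leave only the truly common rules on the attribute. Comparing `sesearch -A -s abrt_helper_t` output (or a `sediff` of the compiled policies) before and after would confirm whether any domain gained access. The section comment would also read better as `# Local policy for all abrt domains`.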
diff --git a/policy/modules/services/accountsd.if b/policy/modules/services/accountsd.if
index c0f858d..d639ae0 100644
--- a/policy/modules/services/accountsd.if
@@ -26424,7 +26467,7 @@ index 5220c9d..a2e6830 100644
##