diff --git a/policy-f20-base.patch b/policy-f20-base.patch index 880e282..cda5ab2 100644 --- a/policy-f20-base.patch +++ b/policy-f20-base.patch @@ -1354,7 +1354,7 @@ index cc8df9d..34c2a4e 100644 + files_etc_filetrans($1,bootloader_etc_t,file, "zipl.conf") +') diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te -index e3dbbb8..a99f6e9 100644 +index e3dbbb8..ee8e830 100644 --- a/policy/modules/admin/bootloader.te +++ b/policy/modules/admin/bootloader.te @@ -5,8 +5,8 @@ policy_module(bootloader, 1.13.2) @@ -1452,15 +1452,16 @@ index e3dbbb8..a99f6e9 100644 # for nscd files_dontaudit_search_pids(bootloader_t) # for blkid.tab -@@ -111,6 +134,7 @@ files_manage_etc_runtime_files(bootloader_t) +@@ -111,6 +134,8 @@ files_manage_etc_runtime_files(bootloader_t) files_etc_filetrans_etc_runtime(bootloader_t, file) files_dontaudit_search_home(bootloader_t) + ++init_read_state(bootloader_t) init_getattr_initctl(bootloader_t) init_use_script_ptys(bootloader_t) init_use_script_fds(bootloader_t) -@@ -118,19 +142,20 @@ init_rw_script_pipes(bootloader_t) +@@ -118,19 +143,20 @@ init_rw_script_pipes(bootloader_t) libs_read_lib_files(bootloader_t) libs_exec_lib_files(bootloader_t) @@ -1486,7 +1487,7 @@ index e3dbbb8..a99f6e9 100644 userdom_dontaudit_search_user_home_dirs(bootloader_t) ifdef(`distro_debian',` -@@ -166,7 +191,8 @@ ifdef(`distro_redhat',` +@@ -166,7 +192,8 @@ ifdef(`distro_redhat',` files_manage_isid_type_chr_files(bootloader_t) # for mke2fs @@ -1496,7 +1497,7 @@ index e3dbbb8..a99f6e9 100644 optional_policy(` unconfined_domain(bootloader_t) -@@ -174,6 +200,10 @@ ifdef(`distro_redhat',` +@@ -174,6 +201,10 @@ ifdef(`distro_redhat',` ') optional_policy(` @@ -1507,7 +1508,7 @@ index e3dbbb8..a99f6e9 100644 fstools_exec(bootloader_t) ') -@@ -183,6 +213,14 @@ optional_policy(` +@@ -183,6 +214,14 @@ optional_policy(` ') optional_policy(` 
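Review bot: The new `init_read_state(bootloader_t)` in the bootloader.te hunk is added without a comment, while the neighbouring rules in that block each say what triggers them (`# for nscd`, `# for blkid.tab`). The call is a new, if modest, information grant to bootloader_t (in refpolicy it allows ps-style reads of init_t's process state), and nothing in the hunk records which tool or denial needed it, so suggest a one-line comment above it such as `# bootloader tooling reads init's process state — record the triggering tool/denial here`. I cannot tell from this hunk what prompted the grant, so that wording is a placeholder to be filled in rather than a claim. The enclosing run of bootloader_t rules continues outside the hunk.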
@@ -1522,7 +1523,7 @@ index e3dbbb8..a99f6e9 100644 kudzu_domtrans(bootloader_t) ') -@@ -195,17 +233,18 @@ optional_policy(` +@@ -195,17 +234,18 @@ optional_policy(` optional_policy(` modutils_exec_insmod(bootloader_t) @@ -6149,7 +6150,7 @@ index b31c054..0ad8553 100644 +/usr/lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0) +/usr/lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0) diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if -index 76f285e..fb27ae5 100644 +index 76f285e..d86836b 100644 --- a/policy/modules/kernel/devices.if +++ b/policy/modules/kernel/devices.if @@ -143,13 +143,32 @@ interface(`dev_relabel_all_dev_nodes',` @@ -7211,7 +7212,15 @@ index 76f285e..fb27ae5 100644 ## -## Read hardware state information. +## Do not audit attempts to search sysfs. -+## + ## +-## +-##

+-## Allow the specified domain to read the contents of +-## the sysfs filesystem. This filesystem contains +-## information, parameters, and other settings on the +-## hardware installed on the system. +-##

+-##
+## +## +## Domain to not audit. @@ -7309,15 +7318,7 @@ index 76f285e..fb27ae5 100644 +######################################## +## +## Relabel cpu online hardware state information. - ## --## --##

--## Allow the specified domain to read the contents of --## the sysfs filesystem. This filesystem contains --## information, parameters, and other settings on the --## hardware installed on the system. --##

--##
++##
+## +## +## Domain allowed access. @@ -7650,10 +7651,28 @@ index 76f285e..fb27ae5 100644 ## Read and write VMWare devices. ## ## -@@ -4762,6 +5532,26 @@ interface(`dev_rw_xserver_misc',` +@@ -4762,6 +5532,44 @@ interface(`dev_rw_xserver_misc',` ######################################## ## ++## Dontaudit attempts to Read and write X server miscellaneous devices. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`dev_dontaudit_leaked_xserver_misc',` ++ gen_require(` ++ type xserver_misc_device_t; ++ ') ++ ++ dontaudit $1 xserver_misc_device_t:chr_file { read write }; ++') ++ ++######################################## ++## +## Read and write X server miscellaneous devices. +## +## @@ -7677,7 +7696,7 @@ index 76f285e..fb27ae5 100644 ## Read and write to the zero device (/dev/zero). ## ## -@@ -4851,3 +5641,946 @@ interface(`dev_unconfined',` +@@ -4851,3 +5659,946 @@ interface(`dev_unconfined',` typeattribute $1 devices_unconfined_type; ') @@ -8931,7 +8950,7 @@ index 6a1e4d1..84e8030 100644 + dontaudit $1 domain:dir_file_class_set audit_access; ') diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te -index cf04cb5..2df18b9 100644 +index cf04cb5..e739a3a 100644 --- a/policy/modules/kernel/domain.te +++ b/policy/modules/kernel/domain.te @@ -4,6 +4,29 @@ policy_module(domain, 1.11.0) @@ -8972,7 +8991,7 @@ index cf04cb5..2df18b9 100644 # Transitions only allowed from domains to other domains neverallow domain ~domain:process { transition dyntransition }; -@@ -86,23 +110,48 @@ neverallow ~{ domain unlabeled_t } *:process *; +@@ -86,23 +110,52 @@ neverallow ~{ domain unlabeled_t } *:process *; allow domain self:dir list_dir_perms; allow domain self:lnk_file { read_lnk_file_perms lock ioctl }; allow domain self:file rw_file_perms; 
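Review bot: The summary of the new `dev_dontaudit_leaked_xserver_misc` interface in the devices.if hunk reads `## Dontaudit attempts to Read and write X server miscellaneous devices.`, which describes its sibling `dev_rw_xserver_misc` rather than this rule. The body is only `dontaudit $1 xserver_misc_device_t:chr_file { read write };` with no `open`, so it cannot affect a deliberate open of the device and only quiets descriptors the caller inherited — exactly what "leaked" in the name means, and what the doc should say, e.g. `## Do not audit read/write on leaked (inherited) X server miscellaneous device descriptors.` It is also worth a sentence in the `<desc>` that a dontaudit here hides the very denial that would reveal a descriptor leak, so it should be used only where the leak is understood. The interface body is complete within the hunk.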
@@ -9004,9 +9023,10 @@ index cf04cb5..2df18b9 100644 # list the root directory files_list_root(domain) -+# allow all domains to search through default_t directory, since users sometimes -+# place labels within these directories. (samba_share_t) for example. -+files_search_default(domain) ++# allow all domains to search through base_file_type directory, since users ++# sometimes place labels within these directories. (samba_share_t) for example. ++files_search_base_file_types(domain) ++ +files_read_inherited_tmp_files(domain) +files_append_inherited_tmp_files(domain) +files_read_all_base_ro_files(domain) @@ -9015,6 +9035,9 @@ index cf04cb5..2df18b9 100644 +# All executables should be able to search the directory they are in +corecmd_search_bin(domain) + ++optional_policy(` ++ userdom_search_admin_dir(domain) ++') + +tunable_policy(`domain_kernel_load_modules',` + kernel_request_load_module(domain) @@ -9022,7 +9045,7 @@ index cf04cb5..2df18b9 100644 ifdef(`hide_broken_symptoms',` # This check is in the general socket -@@ -121,8 +170,18 @@ tunable_policy(`global_ssp',` +@@ -121,8 +174,18 @@ tunable_policy(`global_ssp',` ') optional_policy(` @@ -9041,7 +9064,7 @@ index cf04cb5..2df18b9 100644 ') optional_policy(` -@@ -133,6 +192,9 @@ optional_policy(` +@@ -133,6 +196,9 @@ optional_policy(` optional_policy(` xserver_dontaudit_use_xdm_fds(domain) xserver_dontaudit_rw_xdm_pipes(domain) @@ -9051,7 +9074,7 @@ index cf04cb5..2df18b9 100644 ') ######################################## -@@ -147,12 +209,18 @@ optional_policy(` +@@ -147,12 +213,18 @@ optional_policy(` # Use/sendto/connectto sockets created by any domain. allow unconfined_domain_type domain:{ socket_class_set socket key_socket } *; 
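Review bot: Replacing `files_search_default(domain)` with `files_search_base_file_types(domain)` in the domain.te hunk widens a grant made to every domain from one type (default_t) to every directory carrying the base_file_type attribute, but the comment above it still gives only the samba_share_t rationale and never says how broad the grant now is. Suggest making the scope explicit, e.g. `# NOTE: grants dir search on every base_file_type to all domains, not just default_t;` `# search only (no read), so confined domains can traverse but not list these dirs.` The new `optional_policy(` block calling `userdom_search_admin_dir(domain)` likewise lets every domain search the admin home directory with no comment on why; a line such as `# presumably so relabeled content under the admin home dir can be reached — confirm` would at least mark the assumption. I cannot see from this hunk which types carry base_file_type, so the first comment's wording should be checked against files.te before it goes in.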
@@ -9071,7 +9094,7 @@ index cf04cb5..2df18b9 100644 # Create/access any System V IPC objects. allow unconfined_domain_type domain:{ sem msgq shm } *; -@@ -166,5 +234,339 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock }; +@@ -166,5 +238,339 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock }; # act on all domains keys allow unconfined_domain_type domain:key *; @@ -9659,7 +9682,7 @@ index c2c6e05..7996499 100644 +/nsr(/.*)? gen_context(system_u:object_r:var_t,s0) +/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0) diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if -index 64ff4d7..2dd815a 100644 +index 64ff4d7..8a14ff2 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -19,6 +19,136 @@ @@ -9979,7 +10002,7 @@ index 64ff4d7..2dd815a 100644 ## Read all files. ## ## -@@ -683,12 +906,107 @@ interface(`files_read_non_security_files',` +@@ -683,12 +906,125 @@ interface(`files_read_non_security_files',` attribute non_security_file_type; ') @@ -10059,6 +10082,24 @@ index 64ff4d7..2dd815a 100644 + +######################################## +## ++## Search all base file dirs. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_search_base_file_types',` ++ gen_require(` ++ attribute base_file_type; ++ ') ++ ++ allow $1 base_file_type:dir search_dir_perms; ++') ++ ++######################################## ++## +## Relabel all base file types. +## +## @@ -10087,7 +10128,7 @@ index 64ff4d7..2dd815a 100644 ## Read all directories on the filesystem, except ## the listed exceptions. ## -@@ -953,6 +1271,25 @@ interface(`files_dontaudit_getattr_non_security_pipes',` +@@ -953,6 +1289,25 @@ interface(`files_dontaudit_getattr_non_security_pipes',` ######################################## ## 
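Review bot: The summary of the new `files_search_base_file_types` interface in the files.if hunk, `## Search all base file dirs.`, understates a rule (`allow $1 base_file_type:dir search_dir_perms;`) that applies to every directory with the base_file_type attribute; the neighbouring interfaces in this file spell out their breadth (`## Relabel all base file types.`, `## Read all directories on the filesystem, except ## the listed exceptions.`) and this one should too. Suggest `## Search (traverse) all directories of base file types.` plus a `<desc>` sentence noting it is intended for broad attribute-level callers such as the domain attribute rather than for individual confined domains. The interface body is complete within the hunk.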
@@ -10113,7 +10154,7 @@ index 64ff4d7..2dd815a 100644 ## Get the attributes of all named sockets. ## ## -@@ -991,8 +1328,8 @@ interface(`files_dontaudit_getattr_all_sockets',` +@@ -991,8 +1346,8 @@ interface(`files_dontaudit_getattr_all_sockets',` ######################################## ## @@ -10124,7 +10165,7 @@ index 64ff4d7..2dd815a 100644 ## ## ## -@@ -1000,43 +1337,81 @@ interface(`files_dontaudit_getattr_all_sockets',` +@@ -1000,12 +1355,50 @@ interface(`files_dontaudit_getattr_all_sockets',` ## ## # 
@@ -10137,87 +10178,48 @@ index 64ff4d7..2dd815a 100644 - dontaudit $1 non_security_file_type:sock_file getattr; + dontaudit $1 file_type:sock_file read; - ') - - ######################################## - ## --## Read all block nodes with file types. -+## Do not audit attempts to read -+## of all security file types. - ## - ## - ## --## Domain allowed access. -+## Domain to not audit. - ## - ## - # --interface(`files_read_all_blk_files',` -+interface(`files_dontaudit_read_all_non_security_files',` - gen_require(` -- attribute file_type; -+ attribute non_security_file_type; - ') - -- read_blk_files_pattern($1, file_type, file_type) -+ dontaudit $1 non_security_file_type:file read_file_perms; - ') - - ######################################## - ## --## Read all character nodes with file types. -+## Do not audit attempts to get the attributes -+## of non security named sockets. - ## - ## - ## --## Domain allowed access. -+## Domain to not audit. - ## - ## - # --interface(`files_read_all_chr_files',` -+interface(`files_dontaudit_getattr_non_security_sockets',` -+ gen_require(` -+ attribute non_security_file_type; -+ ') -+ -+ dontaudit $1 non_security_file_type:sock_file getattr; +') + +######################################## +## -+## Read all block nodes with file types. ++## Do not audit attempts to read ++## of all security file types. +## +## +## -+## Domain allowed access. ++## Domain to not audit. +## +## +# -+interface(`files_read_all_blk_files',` ++interface(`files_dontaudit_read_all_non_security_files',` + gen_require(` -+ attribute file_type; ++ attribute non_security_file_type; + ') + -+ read_blk_files_pattern($1, file_type, file_type) ++ dontaudit $1 non_security_file_type:file read_file_perms; +') + +######################################## +## -+## Read all character nodes with file types. ++## Do not audit attempts to get the attributes ++## of non security named sockets. +## +## +## -+## Domain allowed access. ++## Domain to not audit. 
+## +## +# -+interface(`files_read_all_chr_files',` - gen_require(` - attribute file_type; - ') -@@ -1073,10 +1448,8 @@ interface(`files_relabel_all_files',` ++interface(`files_dontaudit_getattr_non_security_sockets',` ++ gen_require(` ++ attribute non_security_file_type; ++ ') ++ ++ dontaudit $1 non_security_file_type:sock_file getattr; + ') + + ######################################## +@@ -1073,10 +1466,8 @@ interface(`files_relabel_all_files',` relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 }) relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 }) relabel_sock_files_pattern($1, { file_type $2 }, { file_type $2 }) @@ -10230,7 +10232,7 @@ index 64ff4d7..2dd815a 100644 # satisfy the assertions: seutil_relabelto_bin_policy($1) -@@ -1182,24 +1555,6 @@ interface(`files_list_all',` +@@ -1182,24 +1573,6 @@ interface(`files_list_all',` ######################################## ## @@ -10255,7 +10257,7 @@ index 64ff4d7..2dd815a 100644 ## Do not audit attempts to search the ## contents of any directories on extended ## attribute filesystems. -@@ -1443,9 +1798,6 @@ interface(`files_relabel_non_auth_files',` +@@ -1443,9 +1816,6 @@ interface(`files_relabel_non_auth_files',` # device nodes with file types. relabelfrom_blk_files_pattern($1, non_auth_file_type, non_auth_file_type) relabelfrom_chr_files_pattern($1, non_auth_file_type, non_auth_file_type) @@ -10265,7 +10267,7 @@ index 64ff4d7..2dd815a 100644 ') ############################################# -@@ -1583,6 +1935,24 @@ interface(`files_getattr_all_mountpoints',` +@@ -1583,6 +1953,24 @@ interface(`files_getattr_all_mountpoints',` ######################################## ## @@ -10290,7 +10292,7 @@ index 64ff4d7..2dd815a 100644 ## Set the attributes of all mount points. ## ## -@@ -1601,6 +1971,24 @@ interface(`files_setattr_all_mountpoints',` +@@ -1601,6 +1989,24 @@ interface(`files_setattr_all_mountpoints',` ######################################## ## 
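Review bot: The summary of `files_dontaudit_read_all_non_security_files` on the new side of the files.if hunk reads `## Do not audit attempts to read` / `## of all security file types.`, which says the opposite of what the rule does: its body is `dontaudit $1 non_security_file_type:file read_file_perms;`, so it covers non-security types only. Suggest `## Do not audit attempts to read` / `## all non security file types.` across the two summary lines as the file wraps them. A mislabelled dontaudit matters because someone auditing what a domain may silently touch would conclude reads of security_file_type are being suppressed. The wording pre-dates this rebase and is merely relocated here, but the relocated text is what ends up in the file.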
@@ -10315,7 +10317,7 @@ index 64ff4d7..2dd815a 100644 ## Do not audit attempts to set the attributes on all mount points. ## ## -@@ -1673,6 +2061,24 @@ interface(`files_dontaudit_list_all_mountpoints',` +@@ -1673,6 +2079,24 @@ interface(`files_dontaudit_list_all_mountpoints',` ######################################## ## @@ -10340,7 +10342,7 @@ index 64ff4d7..2dd815a 100644 ## Do not audit attempts to write to mount points. ## ## -@@ -1691,6 +2097,42 @@ interface(`files_dontaudit_write_all_mountpoints',` +@@ -1691,6 +2115,42 @@ interface(`files_dontaudit_write_all_mountpoints',` ######################################## ## @@ -10383,7 +10385,7 @@ index 64ff4d7..2dd815a 100644 ## List the contents of the root directory. ## ## -@@ -1707,6 +2149,23 @@ interface(`files_list_root',` +@@ -1707,6 +2167,23 @@ interface(`files_list_root',` allow $1 root_t:dir list_dir_perms; allow $1 root_t:lnk_file { read_lnk_file_perms ioctl lock }; ') @@ -10407,7 +10409,7 @@ index 64ff4d7..2dd815a 100644 ######################################## ## -@@ -1747,6 +2206,26 @@ interface(`files_dontaudit_rw_root_dir',` +@@ -1747,6 +2224,26 @@ interface(`files_dontaudit_rw_root_dir',` ######################################## ## @@ -10434,7 +10436,7 @@ index 64ff4d7..2dd815a 100644 ## Create an object in the root directory, with a private ## type using a type transition. ## -@@ -1874,25 +2353,25 @@ interface(`files_delete_root_dir_entry',` +@@ -1874,25 +2371,25 @@ interface(`files_delete_root_dir_entry',` ######################################## ## @@ -10466,7 +10468,7 @@ index 64ff4d7..2dd815a 100644 ## ## ## -@@ -1905,7 +2384,7 @@ interface(`files_relabel_rootfs',` +@@ -1905,7 +2402,7 @@ interface(`files_relabel_rootfs',` type root_t; ') @@ -10475,7 +10477,7 @@ index 64ff4d7..2dd815a 100644 ') ######################################## -@@ -1928,6 +2407,24 @@ interface(`files_unmount_rootfs',` +@@ -1928,6 +2425,24 @@ interface(`files_unmount_rootfs',` ######################################## ## 
@@ -10500,7 +10502,7 @@ index 64ff4d7..2dd815a 100644 ## Get attributes of the /boot directory. ## ## -@@ -2163,6 +2660,24 @@ interface(`files_relabelfrom_boot_files',` +@@ -2163,6 +2678,24 @@ interface(`files_relabelfrom_boot_files',` relabelfrom_files_pattern($1, boot_t, boot_t) ') @@ -10525,7 +10527,7 @@ index 64ff4d7..2dd815a 100644 ###################################### ## ## Read symbolic links in the /boot directory. -@@ -2627,6 +3142,24 @@ interface(`files_rw_etc_dirs',` +@@ -2627,6 +3160,24 @@ interface(`files_rw_etc_dirs',` allow $1 etc_t:dir rw_dir_perms; ') @@ -10550,7 +10552,7 @@ index 64ff4d7..2dd815a 100644 ########################################## ## ## Manage generic directories in /etc -@@ -2698,6 +3231,7 @@ interface(`files_read_etc_files',` +@@ -2698,6 +3249,7 @@ interface(`files_read_etc_files',` allow $1 etc_t:dir list_dir_perms; read_files_pattern($1, etc_t, etc_t) read_lnk_files_pattern($1, etc_t, etc_t) @@ -10558,7 +10560,7 @@ index 64ff4d7..2dd815a 100644 ') ######################################## -@@ -2706,7 +3240,7 @@ interface(`files_read_etc_files',` +@@ -2706,7 +3258,7 @@ interface(`files_read_etc_files',` ## ## ## @@ -10567,7 +10569,7 @@ index 64ff4d7..2dd815a 100644 ## ## # -@@ -2762,6 +3296,25 @@ interface(`files_manage_etc_files',` +@@ -2762,6 +3314,25 @@ interface(`files_manage_etc_files',` ######################################## ## @@ -10593,7 +10595,7 @@ index 64ff4d7..2dd815a 100644 ## Delete system configuration files in /etc. ## ## -@@ -2780,6 +3333,24 @@ interface(`files_delete_etc_files',` +@@ -2780,6 +3351,24 @@ interface(`files_delete_etc_files',` ######################################## ## @@ -10618,7 +10620,7 @@ index 64ff4d7..2dd815a 100644 ## Execute generic files in /etc. ## ## -@@ -2945,26 +3516,8 @@ interface(`files_delete_boot_flag',` +@@ -2945,24 +3534,6 @@ interface(`files_delete_boot_flag',` ######################################## ## 
@@ -10640,14 +10642,10 @@ index 64ff4d7..2dd815a 100644 - -######################################## -## --## Read files in /etc that are dynamically --## created on boot, such as mtab. -+## Read files in /etc that are dynamically -+## created on boot, such as mtab. + ## Read files in /etc that are dynamically + ## created on boot, such as mtab. ## - ## - ##

-@@ -3003,9 +3556,7 @@ interface(`files_read_etc_runtime_files',` +@@ -3003,9 +3574,7 @@ interface(`files_read_etc_runtime_files',` ######################################## ##

@@ -10658,7 +10656,7 @@ index 64ff4d7..2dd815a 100644 ## ## ## -@@ -3013,18 +3564,17 @@ interface(`files_read_etc_runtime_files',` +@@ -3013,18 +3582,17 @@ interface(`files_read_etc_runtime_files',` ## ## # @@ -10680,7 +10678,7 @@ index 64ff4d7..2dd815a 100644 ##
## ## -@@ -3042,6 +3592,26 @@ interface(`files_dontaudit_write_etc_runtime_files',` +@@ -3042,6 +3610,26 @@ interface(`files_dontaudit_write_etc_runtime_files',` ######################################## ## @@ -10707,7 +10705,7 @@ index 64ff4d7..2dd815a 100644 ## Read and write files in /etc that are dynamically ## created on boot, such as mtab. ## -@@ -3059,6 +3629,7 @@ interface(`files_rw_etc_runtime_files',` +@@ -3059,6 +3647,7 @@ interface(`files_rw_etc_runtime_files',` allow $1 etc_t:dir list_dir_perms; rw_files_pattern($1, etc_t, etc_runtime_t) @@ -10715,7 +10713,7 @@ index 64ff4d7..2dd815a 100644 ') ######################################## -@@ -3080,6 +3651,7 @@ interface(`files_manage_etc_runtime_files',` +@@ -3080,6 +3669,7 @@ interface(`files_manage_etc_runtime_files',` ') manage_files_pattern($1, { etc_t etc_runtime_t }, etc_runtime_t) @@ -10723,7 +10721,7 @@ index 64ff4d7..2dd815a 100644 ') ######################################## -@@ -3132,6 +3704,44 @@ interface(`files_getattr_isid_type_dirs',` +@@ -3132,6 +3722,44 @@ interface(`files_getattr_isid_type_dirs',` ######################################## ## @@ -10768,7 +10766,7 @@ index 64ff4d7..2dd815a 100644 ## Do not audit attempts to search directories on new filesystems ## that have not yet been labeled. ## -@@ -3205,6 +3815,62 @@ interface(`files_delete_isid_type_dirs',` +@@ -3205,6 +3833,62 @@ interface(`files_delete_isid_type_dirs',` delete_dirs_pattern($1, file_t, file_t) ') @@ -10831,7 +10829,7 @@ index 64ff4d7..2dd815a 100644 ######################################## ## -@@ -3246,6 +3912,25 @@ interface(`files_mounton_isid_type_dirs',` +@@ -3246,6 +3930,25 @@ interface(`files_mounton_isid_type_dirs',` ######################################## ## 
@@ -10857,7 +10855,7 @@ index 64ff4d7..2dd815a 100644 ## Read files on new filesystems ## that have not yet been labeled. ## -@@ -3455,6 +4140,25 @@ interface(`files_rw_isid_type_blk_files',` +@@ -3455,6 +4158,25 @@ interface(`files_rw_isid_type_blk_files',` ######################################## ## @@ -10883,7 +10881,7 @@ index 64ff4d7..2dd815a 100644 ## Create, read, write, and delete block device nodes ## on new filesystems that have not yet been labeled. ## -@@ -3796,20 +4500,38 @@ interface(`files_list_mnt',` +@@ -3796,20 +4518,38 @@ interface(`files_list_mnt',` ###################################### ## @@ -10927,7 +10925,7 @@ index 64ff4d7..2dd815a 100644 ') ######################################## -@@ -4199,192 +4921,215 @@ interface(`files_read_world_readable_sockets',` +@@ -4199,192 +4939,215 @@ interface(`files_read_world_readable_sockets',` allow $1 readable_t:sock_file read_sock_file_perms; ') @@ -11239,7 +11237,7 @@ index 64ff4d7..2dd815a 100644 ## ## ## -@@ -4392,53 +5137,56 @@ interface(`files_manage_generic_tmp_dirs',` +@@ -4392,53 +5155,56 @@ interface(`files_manage_generic_tmp_dirs',` ## ## # @@ -11308,7 +11306,7 @@ index 64ff4d7..2dd815a 100644 ## ## ## -@@ -4446,77 +5194,92 @@ interface(`files_rw_generic_tmp_sockets',` +@@ -4446,77 +5212,92 @@ interface(`files_rw_generic_tmp_sockets',` ## ## # @@ -11425,7 +11423,7 @@ index 64ff4d7..2dd815a 100644 ## ## ## -@@ -4524,110 +5287,98 @@ interface(`files_dontaudit_getattr_all_tmp_files',` +@@ -4524,110 +5305,98 @@ interface(`files_dontaudit_getattr_all_tmp_files',` ## ## # @@ -11564,7 +11562,7 @@ index 64ff4d7..2dd815a 100644 ##
## ## -@@ -4635,22 +5386,17 @@ interface(`files_tmp_filetrans',` +@@ -4635,22 +5404,17 @@ interface(`files_tmp_filetrans',` ## ## # @@ -11591,7 +11589,7 @@ index 64ff4d7..2dd815a 100644 ##
## ## -@@ -4658,17 +5404,17 @@ interface(`files_purge_tmp',` +@@ -4658,17 +5422,17 @@ interface(`files_purge_tmp',` ## ## # @@ -11613,7 +11611,7 @@ index 64ff4d7..2dd815a 100644 ##
## ## -@@ -4676,18 +5422,17 @@ interface(`files_setattr_usr_dirs',` +@@ -4676,18 +5440,17 @@ interface(`files_setattr_usr_dirs',` ## ## # @@ -11636,7 +11634,7 @@ index 64ff4d7..2dd815a 100644 ##
## ## -@@ -4695,35 +5440,35 @@ interface(`files_search_usr',` +@@ -4695,35 +5458,35 @@ interface(`files_search_usr',` ## ## # @@ -11681,7 +11679,7 @@ index 64ff4d7..2dd815a 100644 ## ## ## -@@ -4731,36 +5476,35 @@ interface(`files_dontaudit_write_usr_dirs',` +@@ -4731,36 +5494,35 @@ interface(`files_dontaudit_write_usr_dirs',` ## ## # @@ -11727,7 +11725,7 @@ index 64ff4d7..2dd815a 100644 ## ## ## -@@ -4768,17 +5512,17 @@ interface(`files_dontaudit_rw_usr_dirs',` +@@ -4768,17 +5530,17 @@ interface(`files_dontaudit_rw_usr_dirs',` ## ## # @@ -11749,7 +11747,7 @@ index 64ff4d7..2dd815a 100644 ## ## ## -@@ -4786,73 +5530,59 @@ interface(`files_delete_usr_dirs',` +@@ -4786,73 +5548,59 @@ interface(`files_delete_usr_dirs',` ## ## # @@ -11842,7 +11840,7 @@ index 64ff4d7..2dd815a 100644 ## ## ## -@@ -4860,55 +5590,58 @@ interface(`files_read_usr_files',` +@@ -4860,55 +5608,58 @@ interface(`files_read_usr_files',` ## ## # @@ -11917,7 +11915,7 @@ index 64ff4d7..2dd815a 100644 ## ## ## -@@ -4916,67 +5649,70 @@ interface(`files_manage_usr_files',` +@@ -4916,67 +5667,70 @@ interface(`files_manage_usr_files',` ## ## # @@ -12006,7 +12004,7 @@ index 64ff4d7..2dd815a 100644 ## ## ## -@@ -4985,35 +5721,50 @@ interface(`files_read_usr_symlinks',` +@@ -4985,35 +5739,50 @@ interface(`files_read_usr_symlinks',` ## ## # @@ -12066,7 +12064,7 @@ index 64ff4d7..2dd815a 100644 ## ## ## -@@ -5021,20 +5772,17 @@ interface(`files_dontaudit_search_src',` +@@ -5021,20 +5790,17 @@ interface(`files_dontaudit_search_src',` ## ## # @@ -12091,7 +12089,7 @@ index 64ff4d7..2dd815a 100644 ## ## ## -@@ -5042,20 +5790,18 @@ interface(`files_getattr_usr_src_files',` +@@ -5042,20 +5808,18 @@ interface(`files_getattr_usr_src_files',` ## ## # @@ -12116,7 +12114,7 @@ index 64ff4d7..2dd815a 100644 ## ## ## -@@ -5063,38 +5809,35 @@ interface(`files_read_usr_src_files',` +@@ -5063,38 +5827,35 @@ interface(`files_read_usr_src_files',` ## ## # 
@@ -12164,7 +12162,7 @@ index 64ff4d7..2dd815a 100644 ## ## ## -@@ -5102,37 +5845,36 @@ interface(`files_create_kernel_symbol_table',` +@@ -5102,37 +5863,36 @@ interface(`files_create_kernel_symbol_table',` ## ## # @@ -12212,7 +12210,7 @@ index 64ff4d7..2dd815a 100644 ## ## ## -@@ -5140,35 +5882,35 @@ interface(`files_delete_kernel_symbol_table',` +@@ -5140,35 +5900,35 @@ interface(`files_delete_kernel_symbol_table',` ## ## # @@ -12257,7 +12255,7 @@ index 64ff4d7..2dd815a 100644 ## ## ## -@@ -5176,36 +5918,55 @@ interface(`files_dontaudit_write_var_dirs',` +@@ -5176,36 +5936,55 @@ interface(`files_dontaudit_write_var_dirs',` ## ## # @@ -12323,7 +12321,7 @@ index 64ff4d7..2dd815a 100644 ## ## ## -@@ -5213,36 +5974,37 @@ interface(`files_dontaudit_search_var',` +@@ -5213,36 +5992,37 @@ interface(`files_dontaudit_search_var',` ## ## # @@ -12371,7 +12369,7 @@ index 64ff4d7..2dd815a 100644 ## ## ## -@@ -5250,17 +6012,17 @@ interface(`files_manage_var_dirs',` +@@ -5250,17 +6030,17 @@ interface(`files_manage_var_dirs',` ## ## # @@ -12393,7 +12391,7 @@ index 64ff4d7..2dd815a 100644 ## ## ## -@@ -5268,17 +6030,17 @@ interface(`files_read_var_files',` +@@ -5268,17 +6048,17 @@ interface(`files_read_var_files',` ## ## # @@ -12415,7 +12413,7 @@ index 64ff4d7..2dd815a 100644 ## ## ## -@@ -5286,73 +6048,86 @@ interface(`files_append_var_files',` +@@ -5286,73 +6066,86 @@ interface(`files_append_var_files',` ## ## # @@ -12522,7 +12520,7 @@ index 64ff4d7..2dd815a 100644 ## ## ## -@@ -5360,50 +6135,41 @@ interface(`files_read_var_symlinks',` +@@ -5360,50 +6153,41 @@ interface(`files_read_var_symlinks',` ## ## # @@ -12587,7 +12585,7 @@ index 64ff4d7..2dd815a 100644 ## ## ## -@@ -5411,69 +6177,56 @@ interface(`files_var_filetrans',` +@@ -5411,69 +6195,56 @@ interface(`files_var_filetrans',` ## ## # 
@@ -12672,7 +12670,7 @@ index 64ff4d7..2dd815a 100644 ## ## ## -@@ -5481,17 +6234,18 @@ interface(`files_dontaudit_search_var_lib',` +@@ -5481,17 +6252,18 @@ interface(`files_dontaudit_search_var_lib',` ## ## # @@ -12696,7 +12694,7 @@ index 64ff4d7..2dd815a 100644 ## ## ## -@@ -5499,70 +6253,54 @@ interface(`files_list_var_lib',` +@@ -5499,70 +6271,54 @@ interface(`files_list_var_lib',` ## ## # @@ -12780,7 +12778,7 @@ index 64ff4d7..2dd815a 100644 ## ## ## -@@ -5570,41 +6308,36 @@ interface(`files_read_var_lib_files',` +@@ -5570,41 +6326,36 @@ interface(`files_read_var_lib_files',` ## ## # @@ -12832,7 +12830,7 @@ index 64ff4d7..2dd815a 100644 ## ## ## -@@ -5612,36 +6345,36 @@ interface(`files_manage_urandom_seed',` +@@ -5612,36 +6363,36 @@ interface(`files_manage_urandom_seed',` ## ## # @@ -12879,7 +12877,7 @@ index 64ff4d7..2dd815a 100644 ## ## ## -@@ -5649,38 +6382,35 @@ interface(`files_setattr_lock_dirs',` +@@ -5649,38 +6400,35 @@ interface(`files_setattr_lock_dirs',` ## ## # @@ -12927,7 +12925,7 @@ index 64ff4d7..2dd815a 100644 ## ## ## -@@ -5688,19 +6418,17 @@ interface(`files_dontaudit_search_locks',` +@@ -5688,19 +6436,17 @@ interface(`files_dontaudit_search_locks',` ## ## # @@ -12951,7 +12949,7 @@ index 64ff4d7..2dd815a 100644 ## ## ## -@@ -5708,60 +6436,54 @@ interface(`files_list_locks',` +@@ -5708,60 +6454,54 @@ interface(`files_list_locks',` ## ## # @@ -13027,7 +13025,7 @@ index 64ff4d7..2dd815a 100644 ## ## ## -@@ -5769,20 +6491,18 @@ interface(`files_relabel_all_lock_dirs',` +@@ -5769,20 +6509,18 @@ interface(`files_relabel_all_lock_dirs',` ## ## # @@ -13053,7 +13051,7 @@ index 64ff4d7..2dd815a 100644 ## ## ## -@@ -5790,185 +6510,207 @@ interface(`files_getattr_generic_locks',` +@@ -5790,185 +6528,207 @@ interface(`files_getattr_generic_locks',` ## ## # @@ -13338,7 +13336,7 @@ index 64ff4d7..2dd815a 100644 ## ## ## -@@ -5976,39 +6718,37 @@ interface(`files_setattr_pid_dirs',` +@@ -5976,39 +6736,37 @@ interface(`files_setattr_pid_dirs',` ## ## # 
@@ -13389,7 +13387,7 @@ index 64ff4d7..2dd815a 100644 ## ## ## -@@ -6016,18 +6756,21 @@ interface(`files_dontaudit_search_pids',` +@@ -6016,18 +6774,21 @@ interface(`files_dontaudit_search_pids',` ## ## # @@ -13416,7 +13414,7 @@ index 64ff4d7..2dd815a 100644 ## ## ## -@@ -6035,19 +6778,19 @@ interface(`files_list_pids',` +@@ -6035,19 +6796,19 @@ interface(`files_list_pids',` ## ## # @@ -13442,16 +13440,19 @@ index 64ff4d7..2dd815a 100644 ## ## ## -@@ -6055,58 +6798,1223 @@ interface(`files_read_generic_pids',` +@@ -6055,58 +6816,1223 @@ interface(`files_read_generic_pids',` ## ## # -interface(`files_write_generic_pid_pipes',` +interface(`files_manage_mounttab',` -+ gen_require(` + gen_require(` +- type var_run_t; + type var_t, var_lib_t; -+ ') -+ + ') + +- allow $1 var_run_t:lnk_file read_lnk_file_perms; +- allow $1 var_run_t:fifo_file write; + allow $1 var_t:dir search_dir_perms; + manage_files_pattern($1, var_lib_t, var_lib_t) +') @@ -13987,12 +13988,38 @@ index 64ff4d7..2dd815a 100644 + + files_search_pids($1) + allow $1 var_run_t:fifo_file write; -+') -+ -+######################################## -+## -+## Create an object in the process ID directory, with a private type. -+## + ') + + ######################################## + ## + ## Create an object in the process ID directory, with a private type. + ## +-## +-##

+-## Create an object in the process ID directory (e.g., /var/run) +-## with a private type. Typically this is used for creating +-## private PID files in /var/run with the private type instead +-## of the general PID file type. To accomplish this goal, +-## either the program must be SELinux-aware, or use this interface. +-##

+-##

+-## Related interfaces: +-##

+-## +-##

+-## Example usage with a domain that can create and +-## write its PID file with a private PID file type in the +-## /var/run directory: +-##

+-##

+-## type mypidfile_t; +-## files_pid_file(mypidfile_t) +-## allow mydomain_t mypidfile_t:file { create_file_perms write_file_perms }; +-## files_pid_filetrans(mydomain_t, mypidfile_t, file) +-##

+-##
+## +##

+## Create an object in the process ID directory (e.g., /var/run) @@ -14332,12 +14359,10 @@ index 64ff4d7..2dd815a 100644 +## +# +interface(`files_exec_generic_pid_files',` - gen_require(` - type var_run_t; - ') - -- allow $1 var_run_t:lnk_file read_lnk_file_perms; -- allow $1 var_run_t:fifo_file write; ++ gen_require(` ++ type var_run_t; ++ ') ++ + exec_files_pattern($1, var_run_t, var_run_t) +') + @@ -14548,11 +14573,10 @@ index 64ff4d7..2dd815a 100644 + ') + + search_dirs_pattern($1, var_t, var_spool_t) - ') - - ######################################## - ##

--## Create an object in the process ID directory, with a private type. ++') ++ ++######################################## ++## +## Do not audit attempts to search generic +## spool directories. +## @@ -14574,33 +14598,7 @@ index 64ff4d7..2dd815a 100644 +## +## List the contents of generic spool +## (/var/spool) directories. - ## --## --##

--## Create an object in the process ID directory (e.g., /var/run) --## with a private type. Typically this is used for creating --## private PID files in /var/run with the private type instead --## of the general PID file type. To accomplish this goal, --## either the program must be SELinux-aware, or use this interface. --##

--##

--## Related interfaces: --##

--##
    --##
  • files_pid_file()
  • --##
--##

--## Example usage with a domain that can create and --## write its PID file with a private PID file type in the --## /var/run directory: --##

--##

--## type mypidfile_t; --## files_pid_file(mypidfile_t) --## allow mydomain_t mypidfile_t:file { create_file_perms write_file_perms }; --## files_pid_filetrans(mydomain_t, mypidfile_t, file) --##

--##
++##
## ## ## Domain allowed access. @@ -14700,7 +14698,7 @@ index 64ff4d7..2dd815a 100644 ## ## ## -@@ -6114,44 +8022,165 @@ interface(`files_write_generic_pid_pipes',` +@@ -6114,44 +8040,165 @@ interface(`files_write_generic_pid_pipes',` ## The name of the object being created. ## ## @@ -14885,7 +14883,7 @@ index 64ff4d7..2dd815a 100644 ## ## ## -@@ -6159,20 +8188,18 @@ interface(`files_pid_filetrans_lock_dir',` +@@ -6159,20 +8206,18 @@ interface(`files_pid_filetrans_lock_dir',` ## ## # @@ -14911,7 +14909,7 @@ index 64ff4d7..2dd815a 100644 ## ## ## -@@ -6180,19 +8207,17 @@ interface(`files_rw_generic_pids',` +@@ -6180,19 +8225,17 @@ interface(`files_rw_generic_pids',` ## ## # @@ -14935,7 +14933,7 @@ index 64ff4d7..2dd815a 100644 ## ## ## -@@ -6200,18 +8225,17 @@ interface(`files_dontaudit_getattr_all_pids',` +@@ -6200,18 +8243,17 @@ interface(`files_dontaudit_getattr_all_pids',` ## ## # @@ -14958,7 +14956,7 @@ index 64ff4d7..2dd815a 100644 ## ## ## -@@ -6219,41 +8243,43 @@ interface(`files_dontaudit_write_all_pids',` +@@ -6219,41 +8261,43 @@ interface(`files_dontaudit_write_all_pids',` ## ## # @@ -15016,7 +15014,7 @@ index 64ff4d7..2dd815a 100644 ## ## ## -@@ -6262,67 +8288,55 @@ interface(`files_read_all_pids',` +@@ -6262,67 +8306,55 @@ interface(`files_read_all_pids',` ## ## # @@ -15101,7 +15099,7 @@ index 64ff4d7..2dd815a 100644 ## ## ## -@@ -6330,37 +8344,37 @@ interface(`files_manage_all_pids',` +@@ -6330,37 +8362,37 @@ interface(`files_manage_all_pids',` ## ## # @@ -15150,7 +15148,7 @@ index 64ff4d7..2dd815a 100644 ## ## ## -@@ -6368,132 +8382,206 @@ interface(`files_search_spool',` +@@ -6368,132 +8400,206 @@ interface(`files_search_spool',` ## ## # @@ -15408,7 +15406,7 @@ index 64ff4d7..2dd815a 100644 ## ## ## -@@ -6501,53 +8589,17 @@ interface(`files_spool_filetrans',` +@@ -6501,53 +8607,17 @@ interface(`files_spool_filetrans',` ## ## # 
@@ -15466,7 +15464,7 @@ index 64ff4d7..2dd815a 100644 ## ## ## -@@ -6555,10 +8607,10 @@ interface(`files_polyinstantiate_all',` +@@ -6555,10 +8625,10 @@ interface(`files_polyinstantiate_all',` ## ## # @@ -27954,14 +27952,14 @@ index c6fdab7..af71c62 100644 sudo_sigchld(application_domain_type) ') diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc -index 28ad538..a1a917c 100644 +index 28ad538..ed25543 100644 --- a/policy/modules/system/authlogin.fc +++ b/policy/modules/system/authlogin.fc @@ -1,14 +1,28 @@ +HOME_DIR/\.yubico(/.*)? gen_context(system_u:object_r:auth_home_t,s0) +HOME_DIR/\.google_authenticator gen_context(system_u:object_r:auth_home_t,s0) +HOME_DIR/\.google_authenticator~ gen_context(system_u:object_r:auth_home_t,s0) -+/root/\.yubico/(.*) gen_context(system_u:object_r:auth_home_t,s0) ++/root/\.yubico(/.*)? gen_context(system_u:object_r:auth_home_t,s0) +/root/\.google_authenticator gen_context(system_u:object_r:auth_home_t,s0) +/root/\.google_authenticator~ gen_context(system_u:object_r:auth_home_t,s0) @@ -31489,7 +31487,7 @@ index 24e7804..2863546 100644 + files_etc_filetrans($1, machineid_t, file, "machine-id" ) +') diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index dd3be8d..6d72189 100644 +index dd3be8d..d76c572 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -11,10 +11,31 @@ gen_require(` @@ -31751,7 +31749,7 @@ index dd3be8d..6d72189 100644 ifdef(`distro_gentoo',` allow init_t self:process { getcap setcap }; -@@ -186,29 +300,231 @@ ifdef(`distro_gentoo',` +@@ -186,29 +300,232 @@ ifdef(`distro_gentoo',` ') ifdef(`distro_redhat',` @@ -31786,6 +31784,7 @@ index dd3be8d..6d72189 100644 optional_policy(` - auth_rw_login_records(init_t) + kdump_read_crash(init_t) ++ kdump_read_config(init_t) ') optional_policy(` 
@@ -31991,7 +31990,7 @@ index dd3be8d..6d72189 100644 ') optional_policy(` -@@ -216,7 +532,30 @@ optional_policy(` +@@ -216,7 +533,30 @@ optional_policy(` ') optional_policy(` @@ -32022,7 +32021,7 @@ index dd3be8d..6d72189 100644 ') ######################################## -@@ -225,8 +564,9 @@ optional_policy(` +@@ -225,8 +565,9 @@ optional_policy(` # allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; @@ -32034,7 +32033,7 @@ index dd3be8d..6d72189 100644 allow initrc_t self:passwd rootok; allow initrc_t self:key manage_key_perms; -@@ -257,12 +597,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) +@@ -257,12 +598,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) allow initrc_t initrc_var_run_t:file manage_file_perms; files_pid_filetrans(initrc_t, initrc_var_run_t, file) @@ -32051,7 +32050,7 @@ index dd3be8d..6d72189 100644 manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) -@@ -278,23 +622,36 @@ kernel_change_ring_buffer_level(initrc_t) +@@ -278,23 +623,36 @@ kernel_change_ring_buffer_level(initrc_t) kernel_clear_ring_buffer(initrc_t) kernel_get_sysvipc_info(initrc_t) kernel_read_all_sysctls(initrc_t) @@ -32094,7 +32093,7 @@ index dd3be8d..6d72189 100644 corenet_tcp_sendrecv_all_ports(initrc_t) corenet_udp_sendrecv_all_ports(initrc_t) corenet_tcp_connect_all_ports(initrc_t) -@@ -302,9 +659,11 @@ corenet_sendrecv_all_client_packets(initrc_t) +@@ -302,9 +660,11 @@ corenet_sendrecv_all_client_packets(initrc_t) dev_read_rand(initrc_t) dev_read_urand(initrc_t) @@ -32106,7 +32105,7 @@ index dd3be8d..6d72189 100644 dev_rw_sysfs(initrc_t) dev_list_usbfs(initrc_t) dev_read_framebuffer(initrc_t) -@@ -312,8 +671,10 @@ dev_write_framebuffer(initrc_t) +@@ -312,8 +672,10 @@ dev_write_framebuffer(initrc_t) dev_read_realtime_clock(initrc_t) dev_read_sound_mixer(initrc_t) dev_write_sound_mixer(initrc_t) 
@@ -32117,7 +32116,7 @@ index dd3be8d..6d72189 100644 dev_delete_lvm_control_dev(initrc_t) dev_manage_generic_symlinks(initrc_t) dev_manage_generic_files(initrc_t) -@@ -321,8 +682,7 @@ dev_manage_generic_files(initrc_t) +@@ -321,8 +683,7 @@ dev_manage_generic_files(initrc_t) dev_delete_generic_symlinks(initrc_t) dev_getattr_all_blk_files(initrc_t) dev_getattr_all_chr_files(initrc_t) @@ -32127,7 +32126,7 @@ index dd3be8d..6d72189 100644 domain_kill_all_domains(initrc_t) domain_signal_all_domains(initrc_t) -@@ -331,7 +691,6 @@ domain_sigstop_all_domains(initrc_t) +@@ -331,7 +692,6 @@ domain_sigstop_all_domains(initrc_t) domain_sigchld_all_domains(initrc_t) domain_read_all_domains_state(initrc_t) domain_getattr_all_domains(initrc_t) @@ -32135,7 +32134,7 @@ index dd3be8d..6d72189 100644 domain_getsession_all_domains(initrc_t) domain_use_interactive_fds(initrc_t) # for lsof which is used by alsa shutdown: -@@ -339,6 +698,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) +@@ -339,6 +699,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) domain_dontaudit_getattr_all_tcp_sockets(initrc_t) domain_dontaudit_getattr_all_dgram_sockets(initrc_t) domain_dontaudit_getattr_all_pipes(initrc_t) @@ -32143,7 +32142,7 @@ index dd3be8d..6d72189 100644 files_getattr_all_dirs(initrc_t) files_getattr_all_files(initrc_t) -@@ -346,14 +706,15 @@ files_getattr_all_symlinks(initrc_t) +@@ -346,14 +707,15 @@ files_getattr_all_symlinks(initrc_t) files_getattr_all_pipes(initrc_t) files_getattr_all_sockets(initrc_t) files_purge_tmp(initrc_t) @@ -32161,7 +32160,7 @@ index dd3be8d..6d72189 100644 files_read_usr_files(initrc_t) files_manage_urandom_seed(initrc_t) files_manage_generic_spool(initrc_t) -@@ -363,8 +724,12 @@ files_list_isid_type_dirs(initrc_t) +@@ -363,8 +725,12 @@ files_list_isid_type_dirs(initrc_t) files_mounton_isid_type_dirs(initrc_t) files_list_default(initrc_t) files_mounton_default(initrc_t) 
@@ -32175,7 +32174,7 @@ index dd3be8d..6d72189 100644 fs_list_inotifyfs(initrc_t) fs_register_binary_executable_type(initrc_t) # rhgb-console writes to ramfs -@@ -374,10 +739,11 @@ fs_mount_all_fs(initrc_t) +@@ -374,10 +740,11 @@ fs_mount_all_fs(initrc_t) fs_unmount_all_fs(initrc_t) fs_remount_all_fs(initrc_t) fs_getattr_all_fs(initrc_t) @@ -32189,7 +32188,7 @@ index dd3be8d..6d72189 100644 mcs_process_set_categories(initrc_t) mls_file_read_all_levels(initrc_t) -@@ -386,6 +752,7 @@ mls_process_read_up(initrc_t) +@@ -386,6 +753,7 @@ mls_process_read_up(initrc_t) mls_process_write_down(initrc_t) mls_rangetrans_source(initrc_t) mls_fd_share_all_levels(initrc_t) @@ -32197,7 +32196,7 @@ index dd3be8d..6d72189 100644 selinux_get_enforce_mode(initrc_t) -@@ -397,6 +764,7 @@ term_use_all_terms(initrc_t) +@@ -397,6 +765,7 @@ term_use_all_terms(initrc_t) term_reset_tty_labels(initrc_t) auth_rw_login_records(initrc_t) @@ -32205,7 +32204,7 @@ index dd3be8d..6d72189 100644 auth_setattr_login_records(initrc_t) auth_rw_lastlog(initrc_t) auth_read_pam_pid(initrc_t) -@@ -415,20 +783,18 @@ logging_read_all_logs(initrc_t) +@@ -415,20 +784,18 @@ logging_read_all_logs(initrc_t) logging_append_all_logs(initrc_t) logging_read_audit_config(initrc_t) @@ -32229,7 +32228,7 @@ index dd3be8d..6d72189 100644 ifdef(`distro_debian',` dev_setattr_generic_dirs(initrc_t) -@@ -450,7 +816,6 @@ ifdef(`distro_gentoo',` +@@ -450,7 +817,6 @@ ifdef(`distro_gentoo',` allow initrc_t self:process setfscreate; dev_create_null_dev(initrc_t) dev_create_zero_dev(initrc_t) @@ -32237,7 +32236,7 @@ index dd3be8d..6d72189 100644 term_create_console_dev(initrc_t) # unfortunately /sbin/rc does stupid tricks -@@ -485,6 +850,10 @@ ifdef(`distro_gentoo',` +@@ -485,6 +851,10 @@ ifdef(`distro_gentoo',` sysnet_setattr_config(initrc_t) optional_policy(` 
@@ -32248,7 +32247,7 @@ index dd3be8d..6d72189 100644 alsa_read_lib(initrc_t) ') -@@ -505,7 +874,7 @@ ifdef(`distro_redhat',` +@@ -505,7 +875,7 @@ ifdef(`distro_redhat',` # Red Hat systems seem to have a stray # fd open from the initrd @@ -32257,7 +32256,7 @@ index dd3be8d..6d72189 100644 files_dontaudit_read_root_files(initrc_t) # These seem to be from the initrd -@@ -520,6 +889,7 @@ ifdef(`distro_redhat',` +@@ -520,6 +890,7 @@ ifdef(`distro_redhat',` files_create_boot_dirs(initrc_t) files_create_boot_flag(initrc_t) files_rw_boot_symlinks(initrc_t) @@ -32265,7 +32264,7 @@ index dd3be8d..6d72189 100644 # wants to read /.fonts directory files_read_default_files(initrc_t) files_mountpoint(initrc_tmp_t) -@@ -540,6 +910,7 @@ ifdef(`distro_redhat',` +@@ -540,6 +911,7 @@ ifdef(`distro_redhat',` miscfiles_rw_localization(initrc_t) miscfiles_setattr_localization(initrc_t) miscfiles_relabel_localization(initrc_t) @@ -32273,7 +32272,7 @@ index dd3be8d..6d72189 100644 miscfiles_read_fonts(initrc_t) miscfiles_read_hwdata(initrc_t) -@@ -549,8 +920,44 @@ ifdef(`distro_redhat',` +@@ -549,8 +921,44 @@ ifdef(`distro_redhat',` ') optional_policy(` @@ -32318,7 +32317,7 @@ index dd3be8d..6d72189 100644 ') optional_policy(` -@@ -558,14 +965,31 @@ ifdef(`distro_redhat',` +@@ -558,14 +966,31 @@ ifdef(`distro_redhat',` rpc_write_exports(initrc_t) rpc_manage_nfs_state_data(initrc_t) ') @@ -32350,7 +32349,7 @@ index dd3be8d..6d72189 100644 ') ') -@@ -576,6 +1000,39 @@ ifdef(`distro_suse',` +@@ -576,6 +1001,39 @@ ifdef(`distro_suse',` ') ') @@ -32390,7 +32389,7 @@ index dd3be8d..6d72189 100644 optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -588,6 +1045,8 @@ optional_policy(` +@@ -588,6 +1046,8 @@ optional_policy(` optional_policy(` apache_read_config(initrc_t) apache_list_modules(initrc_t) 
@@ -32399,7 +32398,7 @@ index dd3be8d..6d72189 100644 ') optional_policy(` -@@ -609,6 +1068,7 @@ optional_policy(` +@@ -609,6 +1069,7 @@ optional_policy(` optional_policy(` cgroup_stream_connect_cgred(initrc_t) @@ -32407,7 +32406,7 @@ index dd3be8d..6d72189 100644 ') optional_policy(` -@@ -625,6 +1085,17 @@ optional_policy(` +@@ -625,6 +1086,17 @@ optional_policy(` ') optional_policy(` @@ -32425,7 +32424,7 @@ index dd3be8d..6d72189 100644 dev_getattr_printer_dev(initrc_t) cups_read_log(initrc_t) -@@ -641,9 +1112,13 @@ optional_policy(` +@@ -641,9 +1113,13 @@ optional_policy(` dbus_connect_system_bus(initrc_t) dbus_system_bus_client(initrc_t) dbus_read_config(initrc_t) @@ -32439,7 +32438,7 @@ index dd3be8d..6d72189 100644 ') optional_policy(` -@@ -656,15 +1131,11 @@ optional_policy(` +@@ -656,15 +1132,11 @@ optional_policy(` ') optional_policy(` @@ -32457,7 +32456,7 @@ index dd3be8d..6d72189 100644 ') optional_policy(` -@@ -685,6 +1156,15 @@ optional_policy(` +@@ -685,6 +1157,15 @@ optional_policy(` ') optional_policy(` @@ -32473,7 +32472,7 @@ index dd3be8d..6d72189 100644 inn_exec_config(initrc_t) ') -@@ -725,6 +1205,7 @@ optional_policy(` +@@ -725,6 +1206,7 @@ optional_policy(` lpd_list_spool(initrc_t) lpd_read_config(initrc_t) @@ -32481,7 +32480,7 @@ index dd3be8d..6d72189 100644 ') optional_policy(` -@@ -742,7 +1223,13 @@ optional_policy(` +@@ -742,7 +1224,13 @@ optional_policy(` ') optional_policy(` @@ -32496,7 +32495,7 @@ index dd3be8d..6d72189 100644 mta_dontaudit_read_spool_symlinks(initrc_t) ') -@@ -765,6 +1252,10 @@ optional_policy(` +@@ -765,6 +1253,10 @@ optional_policy(` ') optional_policy(` @@ -32507,7 +32506,7 @@ index dd3be8d..6d72189 100644 postgresql_manage_db(initrc_t) postgresql_read_config(initrc_t) ') -@@ -774,10 +1265,20 @@ optional_policy(` +@@ -774,10 +1266,20 @@ optional_policy(` ') optional_policy(` 
@@ -32528,7 +32527,7 @@ index dd3be8d..6d72189 100644 quota_manage_flags(initrc_t) ') -@@ -786,6 +1287,10 @@ optional_policy(` +@@ -786,6 +1288,10 @@ optional_policy(` ') optional_policy(` @@ -32539,7 +32538,7 @@ index dd3be8d..6d72189 100644 fs_write_ramfs_sockets(initrc_t) fs_search_ramfs(initrc_t) -@@ -807,8 +1312,6 @@ optional_policy(` +@@ -807,8 +1313,6 @@ optional_policy(` # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) @@ -32548,7 +32547,7 @@ index dd3be8d..6d72189 100644 ') optional_policy(` -@@ -817,6 +1320,10 @@ optional_policy(` +@@ -817,6 +1321,10 @@ optional_policy(` ') optional_policy(` @@ -32559,7 +32558,7 @@ index dd3be8d..6d72189 100644 # shorewall-init script run /var/lib/shorewall/firewall shorewall_lib_domtrans(initrc_t) ') -@@ -826,10 +1333,12 @@ optional_policy(` +@@ -826,10 +1334,12 @@ optional_policy(` squid_manage_logs(initrc_t) ') @@ -32572,7 +32571,7 @@ index dd3be8d..6d72189 100644 optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -856,12 +1365,35 @@ optional_policy(` +@@ -856,12 +1366,35 @@ optional_policy(` ') optional_policy(` @@ -32609,7 +32608,7 @@ index dd3be8d..6d72189 100644 ifdef(`distro_redhat',` # system-config-services causes avc messages that should be dontaudited -@@ -871,6 +1403,18 @@ optional_policy(` +@@ -871,6 +1404,18 @@ optional_policy(` optional_policy(` mono_domtrans(initrc_t) ') @@ -32628,7 +32627,7 @@ index dd3be8d..6d72189 100644 ') optional_policy(` -@@ -886,6 +1430,10 @@ optional_policy(` +@@ -886,6 +1431,10 @@ optional_policy(` ') optional_policy(` @@ -32639,7 +32638,7 @@ index dd3be8d..6d72189 100644 # Set device ownerships/modes. xserver_setattr_console_pipes(initrc_t) -@@ -896,3 +1444,218 @@ optional_policy(` +@@ -896,3 +1445,218 @@ optional_policy(` optional_policy(` zebra_read_config(initrc_t) ') diff --git a/policy-f20-contrib.patch b/policy-f20-contrib.patch index c36d9a5..3cd488e 100644 --- a/policy-f20-contrib.patch +++ b/policy-f20-contrib.patch 
@@ -3562,7 +3562,7 @@ index 550a69e..43bb1c9 100644 +/var/run/dirsrv/admin-serv.* gen_context(system_u:object_r:httpd_var_run_t,s0) +/opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0) diff --git a/apache.if b/apache.if -index 83e899c..64beed7 100644 +index 83e899c..9426db5 100644 --- a/apache.if +++ b/apache.if @@ -1,9 +1,9 @@ @@ -3578,7 +3578,7 @@ index 83e899c..64beed7 100644 ## ## ## -@@ -13,118 +13,101 @@ +@@ -13,118 +13,103 @@ # template(`apache_content_template',` gen_require(` @@ -3681,10 +3681,11 @@ index 83e899c..64beed7 100644 - allow { httpd_t httpd_suexec_t } httpd_$1_content_t:dir list_dir_perms; - allow { httpd_t httpd_suexec_t } { httpd_$1_content_t httpd_$1_htaccess_t }:file read_file_perms; - allow { httpd_t httpd_suexec_t } httpd_$1_content_t:lnk_file read_lnk_file_perms; -- + - tunable_policy(`allow_httpd_$1_script_anon_write',` - miscfiles_manage_public_files(httpd_$1_script_t) - ') ++ allow httpd_$1_script_t httpd_t:unix_stream_socket { getattr read write }; + # Allow the web server to run scripts and serve pages tunable_policy(`httpd_builtin_scripting',` @@ -3744,7 +3745,7 @@ index 83e899c..64beed7 100644 ## ## ## -@@ -133,47 +116,61 @@ template(`apache_content_template',` +@@ -133,47 +118,61 @@ template(`apache_content_template',` ## ## ## @@ -3835,7 +3836,7 @@ index 83e899c..64beed7 100644 domtrans_pattern($2, httpd_user_script_exec_t, httpd_user_script_t) ') -@@ -184,7 +181,7 @@ interface(`apache_role',` +@@ -184,7 +183,7 @@ interface(`apache_role',` ######################################## ## @@ -3844,7 +3845,7 @@ index 83e899c..64beed7 100644 ## ## ## -@@ -204,7 +201,7 @@ interface(`apache_read_user_scripts',` +@@ -204,7 +203,7 @@ interface(`apache_read_user_scripts',` ######################################## ## 
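Review bot: The new `allow httpd_$1_script_t httpd_t:unix_stream_socket { getattr read write };` in apache_content_template is unconditional and applies to every script domain the template generates (system, user and third-party content alike), while the neighbouring script permissions sit under `tunable_policy(`httpd_builtin_scripting'` and `httpd_enable_cgi`. Nothing in the hunk says why a script needs read and write on the server's stream sockets; presumably it is the inherited client connection, which deserves a why-comment such as `# scripts inherit the client connection socket from httpd_t`, and if only one deployment pattern needs it, a tunable or a specific script type rather than `$1` would keep the grant narrower. The template's body continues outside the hunk on both sides.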
@@ -3853,7 +3854,7 @@ index 83e899c..64beed7 100644 ## ## ## -@@ -224,7 +221,7 @@ interface(`apache_read_user_content',` +@@ -224,7 +223,7 @@ interface(`apache_read_user_content',` ######################################## ## @@ -3862,7 +3863,7 @@ index 83e899c..64beed7 100644 ## ## ## -@@ -241,27 +238,47 @@ interface(`apache_domtrans',` +@@ -241,27 +240,47 @@ interface(`apache_domtrans',` domtrans_pattern($1, httpd_exec_t, httpd_t) ') @@ -3917,7 +3918,7 @@ index 83e899c..64beed7 100644 ## ## ## -@@ -279,7 +296,7 @@ interface(`apache_signal',` +@@ -279,7 +298,7 @@ interface(`apache_signal',` ######################################## ## @@ -3926,7 +3927,7 @@ index 83e899c..64beed7 100644 ## ## ## -@@ -297,7 +314,7 @@ interface(`apache_signull',` +@@ -297,7 +316,7 @@ interface(`apache_signull',` ######################################## ## @@ -3935,7 +3936,7 @@ index 83e899c..64beed7 100644 ## ## ## -@@ -315,8 +332,7 @@ interface(`apache_sigchld',` +@@ -315,8 +334,7 @@ interface(`apache_sigchld',` ######################################## ## @@ -3945,7 +3946,7 @@ index 83e899c..64beed7 100644 ## ## ## -@@ -334,8 +350,8 @@ interface(`apache_use_fds',` +@@ -334,8 +352,8 @@ interface(`apache_use_fds',` ######################################## ## @@ -3956,7 +3957,7 @@ index 83e899c..64beed7 100644 ## ## ## -@@ -348,13 +364,13 @@ interface(`apache_dontaudit_rw_fifo_file',` +@@ -348,13 +366,13 @@ interface(`apache_dontaudit_rw_fifo_file',` type httpd_t; ') @@ -3973,7 +3974,7 @@ index 83e899c..64beed7 100644 ## ## ## -@@ -372,8 +388,8 @@ interface(`apache_dontaudit_rw_stream_sockets',` +@@ -372,8 +390,8 @@ interface(`apache_dontaudit_rw_stream_sockets',` ######################################## ## @@ -3984,7 +3985,7 @@ index 83e899c..64beed7 100644 ## ## ## -@@ -391,8 +407,7 @@ interface(`apache_dontaudit_rw_tcp_sockets',` +@@ -391,8 +409,7 @@ interface(`apache_dontaudit_rw_tcp_sockets',` ######################################## ## 
@@ -3994,7 +3995,7 @@ index 83e899c..64beed7 100644 ## ## ## -@@ -417,7 +432,8 @@ interface(`apache_manage_all_content',` +@@ -417,7 +434,8 @@ interface(`apache_manage_all_content',` ######################################## ## @@ -4004,7 +4005,7 @@ index 83e899c..64beed7 100644 ## ## ## -@@ -435,7 +451,8 @@ interface(`apache_setattr_cache_dirs',` +@@ -435,7 +453,8 @@ interface(`apache_setattr_cache_dirs',` ######################################## ## @@ -4014,7 +4015,7 @@ index 83e899c..64beed7 100644 ## ## ## -@@ -453,7 +470,8 @@ interface(`apache_list_cache',` +@@ -453,7 +472,8 @@ interface(`apache_list_cache',` ######################################## ## @@ -4024,7 +4025,7 @@ index 83e899c..64beed7 100644 ## ## ## -@@ -471,7 +489,8 @@ interface(`apache_rw_cache_files',` +@@ -471,7 +491,8 @@ interface(`apache_rw_cache_files',` ######################################## ## @@ -4034,7 +4035,7 @@ index 83e899c..64beed7 100644 ## ## ## -@@ -489,7 +508,8 @@ interface(`apache_delete_cache_dirs',` +@@ -489,7 +510,8 @@ interface(`apache_delete_cache_dirs',` ######################################## ## @@ -4044,7 +4045,7 @@ index 83e899c..64beed7 100644 ## ## ## -@@ -507,49 +527,51 @@ interface(`apache_delete_cache_files',` +@@ -507,49 +529,51 @@ interface(`apache_delete_cache_files',` ######################################## ## @@ -4107,7 +4108,7 @@ index 83e899c..64beed7 100644 ## ## ## -@@ -570,8 +592,8 @@ interface(`apache_manage_config',` +@@ -570,8 +594,8 @@ interface(`apache_manage_config',` ######################################## ## @@ -4118,7 +4119,7 @@ index 83e899c..64beed7 100644 ## ## ## -@@ -608,16 +630,38 @@ interface(`apache_domtrans_helper',` +@@ -608,16 +632,38 @@ interface(`apache_domtrans_helper',` # interface(`apache_run_helper',` gen_require(` @@ -4160,7 +4161,7 @@ index 83e899c..64beed7 100644 ## ## ## -@@ -639,7 +683,8 @@ interface(`apache_read_log',` +@@ -639,7 +685,8 @@ interface(`apache_read_log',` ######################################## ## 
@@ -4170,7 +4171,7 @@ index 83e899c..64beed7 100644 ## ## ## -@@ -657,10 +702,29 @@ interface(`apache_append_log',` +@@ -657,10 +704,29 @@ interface(`apache_append_log',` append_files_pattern($1, httpd_log_t, httpd_log_t) ') @@ -4202,7 +4203,7 @@ index 83e899c..64beed7 100644 ## ## ## -@@ -678,8 +742,8 @@ interface(`apache_dontaudit_append_log',` +@@ -678,8 +744,8 @@ interface(`apache_dontaudit_append_log',` ######################################## ## @@ -4213,7 +4214,7 @@ index 83e899c..64beed7 100644 ## ## ## -@@ -687,20 +751,21 @@ interface(`apache_dontaudit_append_log',` +@@ -687,20 +753,21 @@ interface(`apache_dontaudit_append_log',` ## ## # @@ -4243,7 +4244,7 @@ index 83e899c..64beed7 100644 ## ## ## -@@ -708,19 +773,21 @@ interface(`apache_manage_log',` +@@ -708,19 +775,21 @@ interface(`apache_manage_log',` ## ## # @@ -4269,7 +4270,7 @@ index 83e899c..64beed7 100644 ## ## ## -@@ -738,7 +805,8 @@ interface(`apache_dontaudit_search_modules',` +@@ -738,7 +807,8 @@ interface(`apache_dontaudit_search_modules',` ######################################## ## @@ -4279,7 +4280,7 @@ index 83e899c..64beed7 100644 ## ## ## -@@ -746,17 +814,19 @@ interface(`apache_dontaudit_search_modules',` +@@ -746,17 +816,19 @@ interface(`apache_dontaudit_search_modules',` ## ## # @@ -4302,7 +4303,7 @@ index 83e899c..64beed7 100644 ## ## ## -@@ -764,19 +834,19 @@ interface(`apache_list_modules',` +@@ -764,19 +836,19 @@ interface(`apache_list_modules',` ## ## # @@ -4326,7 +4327,7 @@ index 83e899c..64beed7 100644 ## ## ## -@@ -784,19 +854,19 @@ interface(`apache_exec_modules',` +@@ -784,19 +856,19 @@ interface(`apache_exec_modules',` ## ## # @@ -4351,7 +4352,7 @@ index 83e899c..64beed7 100644 ## ## ## -@@ -809,13 +879,50 @@ interface(`apache_domtrans_rotatelogs',` +@@ -809,13 +881,50 @@ interface(`apache_domtrans_rotatelogs',` type httpd_rotatelogs_t, httpd_rotatelogs_exec_t; ') 
@@ -4404,7 +4405,7 @@ index 83e899c..64beed7 100644 ## ## ## -@@ -829,13 +936,14 @@ interface(`apache_list_sys_content',` +@@ -829,13 +938,14 @@ interface(`apache_list_sys_content',` ') list_dirs_pattern($1, httpd_sys_content_t, httpd_sys_content_t) @@ -4421,7 +4422,7 @@ index 83e899c..64beed7 100644 ## ## ## -@@ -844,6 +952,7 @@ interface(`apache_list_sys_content',` +@@ -844,6 +954,7 @@ interface(`apache_list_sys_content',` ## ## # @@ -4429,7 +4430,7 @@ index 83e899c..64beed7 100644 interface(`apache_manage_sys_content',` gen_require(` type httpd_sys_content_t; -@@ -855,32 +964,98 @@ interface(`apache_manage_sys_content',` +@@ -855,32 +966,98 @@ interface(`apache_manage_sys_content',` manage_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t) ') @@ -4455,11 +4456,31 @@ index 83e899c..64beed7 100644 +') + +###################################### ++## ++## Allow the specified domain to read ++## apache system content rw dirs. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`apache_read_sys_content_rw_dirs',` ++ gen_require(` ++ type httpd_sys_rw_content_t; ++ ') ++ ++ list_dirs_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t) ++') ++ ++###################################### ## -## Create, read, write, and delete -## httpd system rw content. -+## Allow the specified domain to read -+## apache system content rw dirs. ++## Allow the specified domain to manage ++## apache system content rw files. ## ## ## 
@@ -4469,32 +4490,12 @@ index 83e899c..64beed7 100644 +## # -interface(`apache_manage_sys_rw_content',` -+interface(`apache_read_sys_content_rw_dirs',` ++interface(`apache_manage_sys_content_rw',` gen_require(` type httpd_sys_rw_content_t; ') - apache_search_sys_content($1) -+ list_dirs_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t) -+') -+ -+###################################### -+## -+## Allow the specified domain to manage -+## apache system content rw files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+# -+interface(`apache_manage_sys_content_rw',` -+ gen_require(` -+ type httpd_sys_rw_content_t; -+ ') -+ + files_search_var($1) manage_dirs_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t) - manage_files_pattern($1,httpd_sys_rw_content_t, httpd_sys_rw_content_t) @@ -4536,7 +4537,7 @@ index 83e899c..64beed7 100644 ## ## ## -@@ -888,10 +1063,17 @@ interface(`apache_manage_sys_rw_content',` +@@ -888,10 +1065,17 @@ interface(`apache_manage_sys_rw_content',` ## ## # @@ -4555,7 +4556,7 @@ index 83e899c..64beed7 100644 ') tunable_policy(`httpd_enable_cgi && httpd_unified',` -@@ -901,9 +1083,8 @@ interface(`apache_domtrans_sys_script',` +@@ -901,9 +1085,8 @@ interface(`apache_domtrans_sys_script',` ######################################## ## @@ -4567,7 +4568,7 @@ index 83e899c..64beed7 100644 ## ## ## -@@ -941,7 +1122,7 @@ interface(`apache_domtrans_all_scripts',` +@@ -941,7 +1124,7 @@ interface(`apache_domtrans_all_scripts',` ######################################## ## ## Execute all user scripts in the user @@ -4576,7 +4577,7 @@ index 83e899c..64beed7 100644 ## to the specified role. ## ## -@@ -954,6 +1135,7 @@ interface(`apache_domtrans_all_scripts',` +@@ -954,6 +1137,7 @@ interface(`apache_domtrans_all_scripts',` ## Role allowed access. ## ## 
@@ -4584,7 +4585,7 @@ index 83e899c..64beed7 100644 # interface(`apache_run_all_scripts',` gen_require(` -@@ -966,7 +1148,8 @@ interface(`apache_run_all_scripts',` +@@ -966,7 +1150,8 @@ interface(`apache_run_all_scripts',` ######################################## ## @@ -4594,7 +4595,7 @@ index 83e899c..64beed7 100644 ## ## ## -@@ -979,12 +1162,13 @@ interface(`apache_read_squirrelmail_data',` +@@ -979,12 +1164,13 @@ interface(`apache_read_squirrelmail_data',` type httpd_squirrelmail_t; ') @@ -4610,7 +4611,7 @@ index 83e899c..64beed7 100644 ## ## ## -@@ -1002,7 +1186,7 @@ interface(`apache_append_squirrelmail_data',` +@@ -1002,7 +1188,7 @@ interface(`apache_append_squirrelmail_data',` ######################################## ## @@ -4619,7 +4620,7 @@ index 83e899c..64beed7 100644 ## ## ## -@@ -1015,13 +1199,12 @@ interface(`apache_search_sys_content',` +@@ -1015,13 +1201,12 @@ interface(`apache_search_sys_content',` type httpd_sys_content_t; ') @@ -4634,7 +4635,7 @@ index 83e899c..64beed7 100644 ## ## ## -@@ -1041,7 +1224,7 @@ interface(`apache_read_sys_content',` +@@ -1041,7 +1226,7 @@ interface(`apache_read_sys_content',` ######################################## ## @@ -4643,7 +4644,7 @@ index 83e899c..64beed7 100644 ## ## ## -@@ -1059,8 +1242,7 @@ interface(`apache_search_sys_scripts',` +@@ -1059,8 +1244,7 @@ interface(`apache_search_sys_scripts',` ######################################## ## @@ -4653,7 +4654,7 @@ index 83e899c..64beed7 100644 ## ## ## -@@ -1070,13 +1252,22 @@ interface(`apache_search_sys_scripts',` +@@ -1070,13 +1254,22 @@ interface(`apache_search_sys_scripts',` ## # interface(`apache_manage_all_user_content',` @@ -4679,7 +4680,7 @@ index 83e899c..64beed7 100644 ## ## ## -@@ -1094,7 +1285,8 @@ interface(`apache_search_sys_script_state',` +@@ -1094,7 +1287,8 @@ interface(`apache_search_sys_script_state',` ######################################## ## 
@@ -4689,7 +4690,7 @@ index 83e899c..64beed7 100644 ## ## ## -@@ -1111,10 +1303,29 @@ interface(`apache_read_tmp_files',` +@@ -1111,10 +1305,29 @@ interface(`apache_read_tmp_files',` read_files_pattern($1, httpd_tmp_t, httpd_tmp_t) ') @@ -4721,7 +4722,7 @@ index 83e899c..64beed7 100644 ## ## ## -@@ -1127,7 +1338,7 @@ interface(`apache_dontaudit_write_tmp_files',` +@@ -1127,7 +1340,7 @@ interface(`apache_dontaudit_write_tmp_files',` type httpd_tmp_t; ') @@ -4730,7 +4731,7 @@ index 83e899c..64beed7 100644 ') ######################################## -@@ -1136,6 +1347,9 @@ interface(`apache_dontaudit_write_tmp_files',` +@@ -1136,6 +1349,9 @@ interface(`apache_dontaudit_write_tmp_files',` ## ## ##

@@ -4740,7 +4741,7 @@ index 83e899c..64beed7 100644 ## This is an interface to support third party modules ## and its use is not allowed in upstream reference ## policy. -@@ -1165,8 +1379,30 @@ interface(`apache_cgi_domain',` +@@ -1165,8 +1381,30 @@ interface(`apache_cgi_domain',` ######################################## ##

@@ -4773,7 +4774,7 @@ index 83e899c..64beed7 100644 ## ## ## -@@ -1183,18 +1419,19 @@ interface(`apache_cgi_domain',` +@@ -1183,18 +1421,19 @@ interface(`apache_cgi_domain',` interface(`apache_admin',` gen_require(` attribute httpdcontent, httpd_script_exec_type; @@ -4802,7 +4803,7 @@ index 83e899c..64beed7 100644 init_labeled_script_domtrans($1, httpd_initrc_exec_t) domain_system_change_exemption($1) -@@ -1204,10 +1441,10 @@ interface(`apache_admin',` +@@ -1204,10 +1443,10 @@ interface(`apache_admin',` apache_manage_all_content($1) miscfiles_manage_public_files($1) @@ -4816,7 +4817,7 @@ index 83e899c..64beed7 100644 admin_pattern($1, httpd_log_t) admin_pattern($1, httpd_modules_t) -@@ -1218,9 +1455,141 @@ interface(`apache_admin',` +@@ -1218,9 +1457,141 @@ interface(`apache_admin',` admin_pattern($1, httpd_var_run_t) files_pid_filetrans($1, httpd_var_run_t, file) @@ -4963,7 +4964,7 @@ index 83e899c..64beed7 100644 + filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess") ') diff --git a/apache.te b/apache.te -index 1a82e29..0dbb289 100644 +index 1a82e29..bce7760 100644 --- a/apache.te +++ b/apache.te @@ -1,297 +1,381 @@ @@ -6281,7 +6282,7 @@ index 1a82e29..0dbb289 100644 ') optional_policy(` -@@ -836,20 +1029,39 @@ optional_policy(` +@@ -836,20 +1029,40 @@ optional_policy(` ') optional_policy(` @@ -6292,6 +6293,7 @@ index 1a82e29..0dbb289 100644 + +optional_policy(` + passenger_exec(httpd_t) ++ passenger_kill(httpd_t) + passenger_manage_pid_content(httpd_t) +') + @@ -6327,7 +6329,7 @@ index 1a82e29..0dbb289 100644 ') optional_policy(` -@@ -857,19 +1069,35 @@ optional_policy(` +@@ -857,19 +1070,35 @@ optional_policy(` ') optional_policy(` @@ -6363,7 +6365,7 @@ index 1a82e29..0dbb289 100644 udev_read_db(httpd_t) ') -@@ -877,65 +1105,173 @@ optional_policy(` +@@ -877,65 +1106,173 @@ optional_policy(` yam_read_content(httpd_t) ') 
@@ -6559,7 +6561,7 @@ index 1a82e29..0dbb289 100644 files_dontaudit_search_pids(httpd_suexec_t) files_search_home(httpd_suexec_t) -@@ -944,123 +1280,74 @@ auth_use_nsswitch(httpd_suexec_t) +@@ -944,123 +1281,74 @@ auth_use_nsswitch(httpd_suexec_t) logging_search_logs(httpd_suexec_t) logging_send_syslog_msg(httpd_suexec_t) @@ -6714,7 +6716,7 @@ index 1a82e29..0dbb289 100644 mysql_read_config(httpd_suexec_t) tunable_policy(`httpd_can_network_connect_db',` -@@ -1077,172 +1364,106 @@ optional_policy(` +@@ -1077,172 +1365,106 @@ optional_policy(` ') ') @@ -6951,7 +6953,7 @@ index 1a82e29..0dbb289 100644 ') tunable_policy(`httpd_read_user_content',` -@@ -1250,64 +1471,74 @@ tunable_policy(`httpd_read_user_content',` +@@ -1250,64 +1472,74 @@ tunable_policy(`httpd_read_user_content',` ') tunable_policy(`httpd_use_cifs',` @@ -7048,7 +7050,7 @@ index 1a82e29..0dbb289 100644 ######################################## # -@@ -1315,8 +1546,15 @@ miscfiles_read_localization(httpd_rotatelogs_t) +@@ -1315,8 +1547,15 @@ miscfiles_read_localization(httpd_rotatelogs_t) # optional_policy(` @@ -7065,7 +7067,7 @@ index 1a82e29..0dbb289 100644 ') ######################################## -@@ -1324,49 +1562,38 @@ optional_policy(` +@@ -1324,49 +1563,38 @@ optional_policy(` # User content local policy # @@ -7130,7 +7132,7 @@ index 1a82e29..0dbb289 100644 kernel_read_system_state(httpd_passwd_t) corecmd_exec_bin(httpd_passwd_t) -@@ -1376,38 +1603,100 @@ dev_read_urand(httpd_passwd_t) +@@ -1376,38 +1604,100 @@ dev_read_urand(httpd_passwd_t) domain_use_interactive_fds(httpd_passwd_t) 
@@ -25532,8 +25534,21 @@ index 94fb625..3742ee1 100644 fs_search_auto_mountpoints(evolution_server_t) +diff --git a/exim.fc b/exim.fc +index dc0254b..9df498d 100644 +--- a/exim.fc ++++ b/exim.fc +@@ -3,6 +3,8 @@ + /usr/sbin/exim[0-9]? -- gen_context(system_u:object_r:exim_exec_t,s0) + /usr/sbin/exim_tidydb -- gen_context(system_u:object_r:exim_exec_t,s0) + ++/var/lib/exim[0-9]?(/.*)? gen_context(system_u:object_r:exim_var_lib_t,s0) ++ + /var/log/exim[0-9]?(/.*)? gen_context(system_u:object_r:exim_log_t,s0) + + /var/run/exim[0-9]?(/.*)? gen_context(system_u:object_r:exim_var_run_t,s0) diff --git a/exim.if b/exim.if -index 6041113..ef3b449 100644 +index 6041113..4a8d053 100644 --- a/exim.if +++ b/exim.if @@ -21,35 +21,51 @@ interface(`exim_domtrans',` 
@@ -25658,18 +25673,52 @@ index 6041113..ef3b449 100644 ## ## ## -@@ -225,8 +241,8 @@ interface(`exim_manage_spool_files',` +@@ -225,6 +241,44 @@ interface(`exim_manage_spool_files',` ######################################## ## --## All of the rules required to --## administrate an exim environment. -+## All of the rules required to administrate -+## an exim environment. ++## Read exim var lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`exim_read_var_lib_files',` ++ gen_require(` ++ type exim_var_lib_t; ++ ') ++ ++ read_files_pattern($1, exim_var_lib_t, exim_var_lib_t) ++ files_search_var_lib($1) ++') ++ ++######################################## ++## ++## Create, read, and write exim var lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`exim_manage_var_lib_files',` ++ gen_require(` ++ type exim_var_lib_t; ++ ') ++ ++ manage_files_pattern($1, exim_var_lib_t, exim_var_lib_t) ++ files_search_var_lib($1) ++') ++ ++######################################## ++## + ## All of the rules required to + ## administrate an exim environment. ## - ## - ## -@@ -238,18 +254,21 @@ interface(`exim_manage_spool_files',` +@@ -238,22 +292,29 @@ interface(`exim_manage_spool_files',` ## Role allowed access. ## ## @@ -25677,10 +25726,9 @@ index 6041113..ef3b449 100644 # interface(`exim_admin',` gen_require(` -- type exim_t, exim_spool_t, exim_log_t; -- type exim_var_run_t, exim_initrc_exec_t, exim_tmp_t; -+ type exim_t, exim_initrc_exec_t, exim_log_t; -+ type exim_tmp_t, exim_spool_t, exim_var_run_t; + type exim_t, exim_spool_t, exim_log_t; + type exim_var_run_t, exim_initrc_exec_t, exim_tmp_t; ++ type exim_keytab_t; ') - allow $1 exim_t:process { ptrace signal_perms }; 
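Review bot: The summary of `exim_manage_var_lib_files` reads `Create, read, and write exim var lib files.` but its body uses `manage_files_pattern`, which also grants delete, rename and link permissions; the refpolicy wording for that pattern is `Create, read, write, and delete exim var lib files.`. The same hunk adds `type exim_keytab_t;` to exim_admin's gen_require unconditionally, yet exim.te later in this diff creates that type through `kerberos_keytab_template` inside an `optional_policy(` block, so on a build that omits the kerberos module the requirement (and the `admin_pattern($1, exim_keytab_t)` added in the next hunk) fails at link time; either state the hard dependency on kerberos or move the keytab admin rules under an optional block. exim_admin's body continues outside the hunk.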
@@ -25696,11 +25744,31 @@ index 6041113..ef3b449 100644 domain_system_change_exemption($1) role_transition $2 exim_initrc_exec_t system_r; allow $2 system_r; + ++ files_search_etc($1) ++ admin_pattern($1, exim_keytab_t) ++ + files_search_spool($1) + admin_pattern($1, exim_spool_t) + diff --git a/exim.te b/exim.te -index 19325ce..3e86b12 100644 +index 19325ce..5495c90 100644 --- a/exim.te +++ b/exim.te -@@ -49,7 +49,7 @@ type exim_log_t; +@@ -1,4 +1,4 @@ +-policy_module(exim, 1.5.4) ++policy_module(exim, 1.6.1) + + ######################################## + # +@@ -45,11 +45,14 @@ mta_agent_executable(exim_exec_t) + type exim_initrc_exec_t; + init_script_file(exim_initrc_exec_t) + ++type exim_var_lib_t; ++files_type(exim_var_lib_t) ++ + type exim_log_t; logging_log_file(exim_log_t) type exim_spool_t; @@ -25709,8 +25777,31 @@ index 19325ce..3e86b12 100644 type exim_tmp_t; files_tmp_file(exim_tmp_t) -@@ -90,11 +90,10 @@ can_exec(exim_t, exim_exec_t) +@@ -57,6 +60,10 @@ files_tmp_file(exim_tmp_t) + type exim_var_run_t; + files_pid_file(exim_var_run_t) + ++ifdef(`distro_debian',` ++ init_daemon_run_dir(exim_var_run_t, "exim4") ++') ++ + ######################################## + # + # Local policy +@@ -68,6 +75,8 @@ allow exim_t self:fifo_file rw_fifo_file_perms; + allow exim_t self:unix_stream_socket { accept listen }; + allow exim_t self:tcp_socket { accept listen }; + ++manage_files_pattern(exim_t, exim_var_lib_t, exim_var_lib_t) ++ + append_files_pattern(exim_t, exim_log_t, exim_log_t) + create_files_pattern(exim_t, exim_log_t, exim_log_t) + setattr_files_pattern(exim_t, exim_log_t, exim_log_t) +@@ -88,13 +97,13 @@ files_pid_filetrans(exim_t, exim_var_run_t, { dir file }) + + can_exec(exim_t, exim_exec_t) ++kernel_read_crypto_sysctls(exim_t) kernel_read_kernel_sysctls(exim_t) kernel_read_network_state(exim_t) -kernel_dontaudit_read_system_state(exim_t) 
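Review bot: `manage_files_pattern(exim_t, exim_var_lib_t, exim_var_lib_t)` grants exim_t file permissions only, with no directory rules and no file transition. If exim creates its hints-database subdirectory under /var/lib/exim at runtime (or /var/lib/exim itself is created by the daemon), it will need `manage_dirs_pattern(exim_t, exim_var_lib_t, exim_var_lib_t)` and `files_var_lib_filetrans(exim_t, exim_var_lib_t, dir)`; without the transition the directory is created as plain var_lib_t and its contents never receive the new type. Whether exim creates that directory itself is inferred from how the hints DB is usually laid out, so confirm with a runtime check rather than relying on the .fc entry alone.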
@@ -25722,7 +25813,19 @@ index 19325ce..3e86b12 100644 corenet_all_recvfrom_netlabel(exim_t) corenet_tcp_sendrecv_generic_if(exim_t) corenet_udp_sendrecv_generic_if(exim_t) -@@ -138,7 +137,6 @@ auth_use_nsswitch(exim_t) +@@ -123,6 +132,7 @@ corenet_tcp_connect_spamd_port(exim_t) + + dev_read_rand(exim_t) + dev_read_urand(exim_t) ++dev_read_sysfs(exim_t) + + domain_use_interactive_fds(exim_t) + +@@ -135,10 +145,10 @@ fs_getattr_xattr_fs(exim_t) + fs_list_inotifyfs(exim_t) + + auth_use_nsswitch(exim_t) ++auth_domtrans_chk_passwd(exim_t) logging_send_syslog_msg(exim_t) @@ -25730,7 +25833,7 @@ index 19325ce..3e86b12 100644 miscfiles_read_generic_certs(exim_t) userdom_dontaudit_search_user_home_dirs(exim_t) -@@ -154,9 +152,9 @@ tunable_policy(`exim_can_connect_db',` +@@ -154,9 +164,9 @@ tunable_policy(`exim_can_connect_db',` corenet_sendrecv_mssql_client_packets(exim_t) corenet_tcp_connect_mssql_port(exim_t) corenet_tcp_sendrecv_mssql_port(exim_t) @@ -25743,7 +25846,7 @@ index 19325ce..3e86b12 100644 ') tunable_policy(`exim_read_user_files',` -@@ -170,8 +168,8 @@ tunable_policy(`exim_manage_user_files',` +@@ -170,13 +180,14 @@ tunable_policy(`exim_manage_user_files',` ') optional_policy(` @@ -25754,19 +25857,27 @@ index 19325ce..3e86b12 100644 ') optional_policy(` -@@ -192,11 +190,6 @@ optional_policy(` + cron_read_pipes(exim_t) + cron_rw_system_job_pipes(exim_t) ++ cron_use_system_job_fds(exim_t) ') optional_policy(` -- mailman_read_data_files(exim_t) -- mailman_domtrans(exim_t) +@@ -188,12 +199,7 @@ optional_policy(` + ') + + optional_policy(` +- kerberos_keytab_template(exim, exim_t) -') - -optional_policy(` - nagios_search_spool(exim_t) +- mailman_read_data_files(exim_t) +- mailman_domtrans(exim_t) ++ kerberos_keytab_template(exim, exim_t) ') -@@ -218,6 +211,7 @@ optional_policy(` + optional_policy(` +@@ -218,6 +224,7 @@ optional_policy(` optional_policy(` procmail_domtrans(exim_t) @@ -45073,7 +45184,7 @@ index 6194b80..cafb2b0 100644 ') + 
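Review bot: `auth_domtrans_chk_passwd(exim_t)` lets every exim instance run unix_chkpwd and so verify local account passwords, while the rest of exim.te already puts optional behaviour behind booleans (`exim_can_connect_db`, `exim_read_user_files`, `exim_manage_user_files` in the hunks below). Unless SMTP AUTH against system accounts is the default configuration, this belongs in a tunable_policy block keyed on a new boolean (something like exim_can_auth_system), so the extra reach into the authentication stack is opt-in. `dev_read_sysfs(exim_t)` is also broad for an MTA; a one-line comment naming the sysfs path that triggered it would let a later maintainer narrow it.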
diff --git a/mozilla.te b/mozilla.te -index 6a306ee..e76899c 100644 +index 6a306ee..39094ea 100644 --- a/mozilla.te +++ b/mozilla.te @@ -1,4 +1,4 @@ @@ -45519,7 +45630,7 @@ index 6a306ee..e76899c 100644 ') optional_policy(` -@@ -300,259 +326,250 @@ optional_policy(` +@@ -300,259 +326,251 @@ optional_policy(` ######################################## # @@ -45735,6 +45846,7 @@ index 6a306ee..e76899c 100644 -dev_dontaudit_getattr_all_blk_files(mozilla_plugin_t) -dev_dontaudit_getattr_all_chr_files(mozilla_plugin_t) +dev_dontaudit_getattr_all(mozilla_plugin_t) ++dev_dontaudit_leaked_xserver_misc(mozilla_plugin_t) domain_use_interactive_fds(mozilla_plugin_t) domain_dontaudit_read_all_domains_state(mozilla_plugin_t) @@ -45917,7 +46029,7 @@ index 6a306ee..e76899c 100644 ') optional_policy(` -@@ -560,7 +577,11 @@ optional_policy(` +@@ -560,7 +578,11 @@ optional_policy(` ') optional_policy(` @@ -45930,7 +46042,7 @@ index 6a306ee..e76899c 100644 ') optional_policy(` -@@ -568,108 +589,131 @@ optional_policy(` +@@ -568,108 +590,131 @@ optional_policy(` ') optional_policy(` @@ -46512,10 +46624,10 @@ index c97c177..9411154 100644 netutils_domtrans_ping(mrtg_t) diff --git a/mta.fc b/mta.fc -index f42896c..36b363c 100644 +index f42896c..1e1a679 100644 --- a/mta.fc +++ b/mta.fc -@@ -1,34 +1,44 @@ +@@ -1,34 +1,45 @@ -HOME_DIR/\.esmtp_queue -- gen_context(system_u:object_r:mail_home_t,s0) HOME_DIR/\.forward[^/]* -- gen_context(system_u:object_r:mail_home_t,s0) HOME_DIR/dead\.letter -- gen_context(system_u:object_r:mail_home_t,s0) @@ -46574,6 +46686,7 @@ index f42896c..36b363c 100644 /var/spool/mqueue\.in(/.*)? gen_context(system_u:object_r:mqueue_spool_t,s0) -/var/spool/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0) +/var/spool/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0) ++/var/spool/smtpd(/.*)? gen_context(system_u:object_r:mail_spool_t,s0) diff --git a/mta.if b/mta.if index ed81cac..8f217ea 100644 --- a/mta.if 
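Review bot: `dev_dontaudit_leaked_xserver_misc(mozilla_plugin_t)` hides the symptom rather than the leak: the descriptor is presumably inherited from the process that spawns the plugin container, and the dontaudit will also mask any future, different leak on that device type. If the leak is in the parent, marking the descriptor CLOEXEC there is the real fix; if this rule is a stopgap, a comment above it such as `# leaked xserver_misc_device_t fd from the plugin launcher; drop once fixed upstream` keeps it from quietly becoming permanent. The interface is not defined in this hunk, so its presence in devices.if could not be checked from here.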
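Review bot: `/var/spool/smtpd(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)` labels OpenSMTPD's spool with the mailbox type of /var/spool/mail, so every domain allowed to manage mail_spool_t (delivery agents, user mail readers) gets the same access to the MTA's queue. Two lines above, the sendmail queue `/var/spool/mqueue(/.*)?` is labelled `mqueue_spool_t`; if /var/spool/smtpd holds queued messages rather than user mailboxes, `mqueue_spool_t` or a dedicated type is the better fit. This is inferred from the directory name, so confirm what smtpd actually stores there before choosing.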
@@ -49491,7 +49604,7 @@ index 687af38..a77dc09 100644 + mysql_stream_connect($1) ') diff --git a/mysql.te b/mysql.te -index 9f6179e..699587e 100644 +index 9f6179e..6e73360 100644 --- a/mysql.te +++ b/mysql.te @@ -1,4 +1,4 @@ @@ -49581,7 +49694,7 @@ index 9f6179e..699587e 100644 manage_dirs_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t) manage_files_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t) -@@ -93,50 +92,54 @@ manage_files_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t) +@@ -93,50 +92,55 @@ manage_files_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t) manage_sock_files_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t) files_pid_filetrans(mysqld_t, mysqld_var_run_t, { dir file sock_file }) @@ -49638,6 +49751,7 @@ index 9f6179e..699587e 100644 -miscfiles_read_localization(mysqld_t) +sysnet_read_config(mysqld_t) ++sysnet_exec_ifconfig(mysqld_t) -userdom_search_user_home_dirs(mysqld_t) -userdom_dontaudit_use_unpriv_user_fds(mysqld_t) @@ -49653,7 +49767,7 @@ index 9f6179e..699587e 100644 ') optional_policy(` -@@ -144,6 +147,10 @@ optional_policy(` +@@ -144,6 +148,10 @@ optional_policy(` ') optional_policy(` @@ -49664,7 +49778,7 @@ index 9f6179e..699587e 100644 seutil_sigchld_newrole(mysqld_t) ') -@@ -153,29 +160,25 @@ optional_policy(` +@@ -153,29 +161,25 @@ optional_policy(` ####################################### # @@ -49703,7 +49817,7 @@ index 9f6179e..699587e 100644 kernel_read_system_state(mysqld_safe_t) kernel_read_kernel_sysctls(mysqld_safe_t) -@@ -183,21 +186,29 @@ kernel_read_kernel_sysctls(mysqld_safe_t) +@@ -183,21 +187,29 @@ kernel_read_kernel_sysctls(mysqld_safe_t) corecmd_exec_bin(mysqld_safe_t) corecmd_exec_shell(mysqld_safe_t) @@ -49739,7 +49853,7 @@ index 9f6179e..699587e 100644 optional_policy(` hostname_exec(mysqld_safe_t) -@@ -205,7 +216,7 @@ optional_policy(` +@@ -205,7 +217,7 @@ optional_policy(` ######################################## # 
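Review bot: `sysnet_exec_ifconfig(mysqld_t)` is added unconditionally, so every MySQL/MariaDB server may now execute ifconfig inside its own domain, although the changelog scopes the need to Red Hat OpenStack. Keeping the default policy tight means gating it: declare a boolean at the top of mysql.te (for example mysql_exec_ifconfig, default false) and place the call in a tunable_policy block, or put it under the optional_policy of the OpenStack-specific module if one exists. Because this is an exec without a domain transition, ifconfig runs with mysqld_t's own capabilities; a short comment saying why mysqld needs it would help the next reader. This hunk sits inside the mysqld_t local-policy section, which starts and ends outside it.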
@@ -49748,7 +49862,7 @@ index 9f6179e..699587e 100644 # allow mysqlmanagerd_t self:capability { dac_override kill }; -@@ -214,11 +225,12 @@ allow mysqlmanagerd_t self:fifo_file rw_fifo_file_perms; +@@ -214,11 +226,12 @@ allow mysqlmanagerd_t self:fifo_file rw_fifo_file_perms; allow mysqlmanagerd_t self:tcp_socket create_stream_socket_perms; allow mysqlmanagerd_t self:unix_stream_socket create_stream_socket_perms; @@ -49766,7 +49880,7 @@ index 9f6179e..699587e 100644 domtrans_pattern(mysqlmanagerd_t, mysqld_exec_t, mysqld_t) -@@ -226,31 +238,20 @@ manage_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t) +@@ -226,31 +239,20 @@ manage_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t) manage_sock_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t) filetrans_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t, { file sock_file }) @@ -59812,7 +59926,7 @@ index 2c389ea..9155bd0 100644 + +/var/run/passenger(/.*)? gen_context(system_u:object_r:passenger_var_run_t,s0) diff --git a/passenger.if b/passenger.if -index bf59ef7..0ec51d4 100644 +index bf59ef7..2d8335f 100644 --- a/passenger.if +++ b/passenger.if @@ -15,17 +15,16 @@ interface(`passenger_domtrans',` @@ -59868,7 +59982,7 @@ index bf59ef7..0ec51d4 100644 ## ## ## -@@ -53,6 +69,93 @@ interface(`passenger_read_lib_files',` +@@ -53,6 +69,112 @@ interface(`passenger_read_lib_files',` type passenger_var_lib_t; ') @@ -59897,7 +60011,7 @@ index bf59ef7..0ec51d4 100644 + manage_files_pattern($1, passenger_var_lib_t, passenger_var_lib_t) + manage_lnk_files_pattern($1, passenger_var_lib_t, passenger_var_lib_t) + files_search_var_lib($1) -+') + ') + +##################################### +## 
@@ -59962,7 +60076,26 @@ index bf59ef7..0ec51d4 100644 + files_search_tmp($1) + manage_files_pattern($1, passenger_tmp_t, passenger_tmp_t) + manage_dirs_pattern($1, passenger_tmp_t, passenger_tmp_t) - ') ++') ++ ++######################################## ++## ++## Send kill signals to passenger. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`passenger_kill',` ++ gen_require(` ++ type passenger_t; ++ ') ++ ++ allow $1 passenger_t:process sigkill; ++') ++ diff --git a/passenger.te b/passenger.te index 4e114ff..1b1cb71 100644 --- a/passenger.te @@ -93942,10 +94075,10 @@ index 0000000..80c6480 +') diff --git a/stapserver.te b/stapserver.te new file mode 100644 -index 0000000..e472397 +index 0000000..6aeecac --- /dev/null +++ b/stapserver.te -@@ -0,0 +1,113 @@ +@@ -0,0 +1,114 @@ +policy_module(stapserver, 1.0.0) + +######################################## @@ -94020,6 +94153,7 @@ index 0000000..e472397 +files_search_kernel_modules(stapserver_t) + +fs_search_cgroup_dirs(stapserver_t) ++fs_getattr_all_fs(stapserver_t) + +auth_use_nsswitch(stapserver_t) + @@ -101594,7 +101728,7 @@ index 9dec06c..88dcafb 100644 + virt_stream_connect($1) ') diff --git a/virt.te b/virt.te -index 1f22fba..f618cd0 100644 +index 1f22fba..0fd2172 100644 --- a/virt.te +++ b/virt.te @@ -1,147 +1,209 @@ @@ -103300,7 +103434,7 @@ index 1f22fba..f618cd0 100644 + +tunable_policy(`virt_use_samba',` + fs_manage_cifs_files(svirt_sandbox_domain) -+ fs_manage_cifs_files(svirt_sandbox_domain) ++ fs_manage_cifs_dirs(svirt_sandbox_domain) + fs_read_cifs_symlinks(svirt_sandbox_domain) ') diff --git a/selinux-policy.spec b/selinux-policy.spec index f22b575..a7b9e03 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.12.1 -Release: 159%{?dist} +Release: 160%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
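Review bot: `fs_getattr_all_fs(stapserver_t)` grants statfs-style getattr on every filesystem type, which is wider than a daemon that otherwise only searches cgroup and kernel-module directories needs. If the denial behind it was for a single filesystem — the preceding `fs_search_cgroup_dirs(stapserver_t)` suggests cgroup — a narrower interface such as `fs_getattr_cgroup(stapserver_t)` or `fs_getattr_xattr_fs(stapserver_t)` would cover it without the blanket grant; if the broad rule is deliberate, a comment naming the trigger (`# systemtap server statfs()s the filesystem holding the build dir`) documents the choice. The enclosing stapserver_t policy section continues outside this hunk.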
@@ -579,6 +579,23 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Mon May 05 2014 Lukas Vrabec 3.12.1-160
+- Dontaudit leaked xserver_misc_device_t into plugins
+- Allow all domains to search through all base_file_types, this should be back ported to RHEL7 policy
+- Bootloader wants to look at init state
+- init reads kdbump etc files
+- userdom_search_admin_dir() calling needs to be optional in kernel.te
+- Fix labeling for /root/\.yubico
+- Allow httpd_t to kill passenger
+- Add new labeling for /var/spool/smtpd
+- Dontaudit leaked xserver_misc_device_t into plugins
+- Backport exim policy from rawhide to F20
+- Allow apache cgi scripts to use inherited httpd_t unix_stream_sockets
+- Add back kerberos_keytab_template() for exim+f20.
+- ALlow stap-server to get attr on all fs
+- Allow mysql to execute ifconfig if Red Hat OpenStack
+- Fix virt_use_samba in virt.te
+
 * Fri May 02 2014 Lukas Vrabec 3.12.1-159
 - Add support for us_cli ports
 - Fix labeling for /var/run/user//gvfs