##
@@ -4526,7 +4558,7 @@ index 83e899c..fac6fe5 100644
## This is an interface to support third party modules
## and its use is not allowed in upstream reference
## policy.
-@@ -1165,8 +1357,30 @@ interface(`apache_cgi_domain',`
+@@ -1165,8 +1379,30 @@ interface(`apache_cgi_domain',`
########################################
##
@@ -4559,7 +4591,7 @@ index 83e899c..fac6fe5 100644
##
##
##
-@@ -1183,18 +1397,19 @@ interface(`apache_cgi_domain',`
+@@ -1183,18 +1419,19 @@ interface(`apache_cgi_domain',`
interface(`apache_admin',`
gen_require(`
attribute httpdcontent, httpd_script_exec_type;
@@ -4588,7 +4620,7 @@ index 83e899c..fac6fe5 100644
init_labeled_script_domtrans($1, httpd_initrc_exec_t)
domain_system_change_exemption($1)
-@@ -1204,10 +1419,10 @@ interface(`apache_admin',`
+@@ -1204,10 +1441,10 @@ interface(`apache_admin',`
apache_manage_all_content($1)
miscfiles_manage_public_files($1)
@@ -4602,7 +4634,7 @@ index 83e899c..fac6fe5 100644
admin_pattern($1, httpd_log_t)
admin_pattern($1, httpd_modules_t)
-@@ -1218,9 +1433,129 @@ interface(`apache_admin',`
+@@ -1218,9 +1455,141 @@ interface(`apache_admin',`
admin_pattern($1, httpd_var_run_t)
files_pid_filetrans($1, httpd_var_run_t, file)
@@ -4666,7 +4698,19 @@ index 83e899c..fac6fe5 100644
+
+
+ apache_filetrans_home_content($1)
++ files_usr_filetrans($1, httpd_sys_content_t, dir, "gallery2")
++ files_usr_filetrans($1, httpd_sys_content_t, dir, "z-push")
++ files_etc_filetrans($1, httpd_sys_content_t, dir, "z-push")
++ files_etc_filetrans($1, httpd_sys_content_t, dir, "web")
++ files_etc_filetrans($1, httpd_sys_content_t, dir, "WebCalendar")
++ files_etc_filetrans($1, httpd_sys_content_t, dir, "htdig")
++ files_etc_filetrans($1, httpd_sys_rw_content_t, dir, "horde")
++ files_etc_filetrans($1, httpd_sys_rw_content_t, dir, "owncloud")
+ filetrans_pattern($1, httpd_sys_content_t, httpd_sys_rw_content_t, file, "settings.php")
++ filetrans_pattern($1, httpd_sys_content_t, httpd_sys_rw_content_t, dir, "smarty")
++ filetrans_pattern($1, httpd_sys_content_t, httpd_sys_rw_content_t, dir, "uploads")
++ filetrans_pattern($1, httpd_sys_content_t, httpd_sys_rw_content_t, dir, "wp-content")
++ filetrans_pattern($1, httpd_sys_content_t, httpd_sys_rw_content_t, dir, "upgrade")
+ userdom_user_tmp_filetrans($1, httpd_tmp_t, dir, "apache")
+')
+
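Review bot: The named transitions added here key on very generic directory names (`"web"` under /etc, and `"uploads"`, `"upgrade"`, `"smarty"` inside `httpd_sys_content_t`), so any directory the calling domain creates with one of those names picks up an Apache content label. The `filetrans_pattern` entries land in `httpd_sys_rw_content_t`, which by its name is the httpd-writable type, so a name collision yields a web-writable directory rather than just a mislabelled one. None of the lines records which package owns each name; a comment per group such as `# <package>: these directories must be writable by httpd` would let a later reviewer prune entries safely. The enclosing interface starts outside this hunk, so its name and callers are not visible here.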
@@ -7090,7 +7134,7 @@ index f3c0aba..b6afc90 100644
+ allow $1 apcupsd_unit_file_t:service all_service_perms;
')
diff --git a/apcupsd.te b/apcupsd.te
-index b236327..7b2142b 100644
+index b236327..11fcb66 100644
--- a/apcupsd.te
+++ b/apcupsd.te
@@ -24,6 +24,9 @@ files_tmp_file(apcupsd_tmp_t)
@@ -7131,7 +7175,7 @@ index b236327..7b2142b 100644
corenet_udp_bind_snmp_port(apcupsd_t)
corenet_sendrecv_snmp_server_packets(apcupsd_t)
-@@ -74,19 +76,25 @@ corenet_udp_sendrecv_snmp_port(apcupsd_t)
+@@ -74,19 +76,23 @@ corenet_udp_sendrecv_snmp_port(apcupsd_t)
dev_rw_generic_usb_dev(apcupsd_t)
@@ -7146,22 +7190,32 @@ index b236327..7b2142b 100644
+#apcupsd runs shutdown, probably need a shutdown domain
+init_rw_utmp(apcupsd_t)
+init_telinit(apcupsd_t)
++
++auth_use_nsswitch(apcupsd_t)
-miscfiles_read_localization(apcupsd_t)
-+auth_use_nsswitch(apcupsd_t)
-+
+logging_send_syslog_msg(apcupsd_t)
sysnet_dns_name_resolve(apcupsd_t)
-userdom_use_user_ttys(apcupsd_t)
-+systemd_start_power_services(apcupsd_t)
-+
+userdom_use_inherited_user_ttys(apcupsd_t)
optional_policy(`
hostname_exec(apcupsd_t)
-@@ -112,7 +120,6 @@ optional_policy(`
+@@ -101,6 +107,11 @@ optional_policy(`
+ shutdown_domtrans(apcupsd_t)
+ ')
+
++optional_policy(`
++ systemd_start_power_services(apcupsd_t)
++ systemd_status_power_services(apcupsd_t)
++')
++
+ ########################################
+ #
+ # CGI local policy
+@@ -112,7 +123,6 @@ optional_policy(`
allow httpd_apcupsd_cgi_script_t self:tcp_socket create_stream_socket_perms;
allow httpd_apcupsd_cgi_script_t self:udp_socket create_socket_perms;
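Review bot: The comment `#apcupsd runs shutdown, probably need a shutdown domain` is stale once this hunk lands. The new side has `shutdown_domtrans(apcupsd_t)` in an optional block and now a second optional block with `systemd_start_power_services` and `systemd_status_power_services`, while `init_rw_utmp` and `init_telinit` are still granted directly to the daemon domain. Either replace the comment with one that states which path is actually used, e.g. `# power-off goes through shutdown_t or systemd power units; telinit kept for sysvinit hosts`, or drop the direct `init_telinit` grant if it is no longer exercised. Which path is in use cannot be told from this hunk.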
@@ -10510,7 +10564,7 @@ index 008f8ef..144c074 100644
admin_pattern($1, certmonger_var_run_t)
')
diff --git a/certmonger.te b/certmonger.te
-index 2354e21..fb8c9ed 100644
+index 2354e21..fb4590f 100644
--- a/certmonger.te
+++ b/certmonger.te
@@ -18,6 +18,9 @@ files_type(certmonger_var_lib_t)
@@ -10577,9 +10631,10 @@ index 2354e21..fb8c9ed 100644
-miscfiles_read_localization(certmonger_t)
miscfiles_manage_generic_cert_files(certmonger_t)
+-userdom_search_user_home_content(certmonger_t)
+systemd_exec_systemctl(certmonger_t)
+
- userdom_search_user_home_content(certmonger_t)
++userdom_manage_home_certs(certmonger_t)
optional_policy(`
- apache_initrc_domtrans(certmonger_t)
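Review bot: Replacing `userdom_search_user_home_content(certmonger_t)` with `userdom_manage_home_certs(certmonger_t)` moves certmonger from directory search to what the interface name suggests is create/write/delete on certificate files in users' home directories, and nothing on the line records why. If the reason is that certmonger renews certificates stored there, say so next to the call, e.g. `# certmonger writes renewed certificates into the user's home cert directory`, so the grant can be narrowed to read or rw if that workflow changes. `systemd_exec_systemctl(certmonger_t)` a few lines up has the same gap: it runs systemctl inside certmonger_t with no note on which units it is expected to act on.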
@@ -10612,7 +10667,7 @@ index 2354e21..fb8c9ed 100644
+
+optional_policy(`
+ pki_rw_tomcat_cert(certmonger_t)
-+ pki_read_tomcat_lib_files(certmonger_t)
++ pki_read_tomcat_lib_files(certmonger_t)
+')
+
+########################################
@@ -10852,7 +10907,7 @@ index 85ca63f..1d1c99c 100644
admin_pattern($1, { cgconfig_etc_t cgrules_etc_t })
files_list_etc($1)
diff --git a/cgroup.te b/cgroup.te
-index fdee107..7a38b63 100644
+index fdee107..9bb9ad1 100644
--- a/cgroup.te
+++ b/cgroup.te
@@ -25,8 +25,8 @@ files_pid_file(cgred_var_run_t)
@@ -10905,13 +10960,15 @@ index fdee107..7a38b63 100644
allow cgred_t self:netlink_socket { write bind create read };
allow cgred_t self:unix_dgram_socket { write create connect };
-@@ -99,10 +102,10 @@ domain_setpriority_all_domains(cgred_t)
+@@ -99,10 +102,11 @@ domain_setpriority_all_domains(cgred_t)
files_getattr_all_files(cgred_t)
files_getattr_all_sockets(cgred_t)
files_read_all_symlinks(cgred_t)
-files_read_etc_files(cgred_t)
- fs_write_cgroup_files(cgred_t)
+-fs_write_cgroup_files(cgred_t)
++fs_manage_cgroup_dirs(cgred_t)
++fs_manage_cgroup_files(cgred_t)
+fs_list_inotifyfs(cgred_t)
-logging_send_syslog_msg(cgred_t)
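Review bot: `fs_write_cgroup_files(cgred_t)` is replaced by `fs_manage_cgroup_dirs(cgred_t)` plus `fs_manage_cgroup_files(cgred_t)`, which under the usual manage semantics lets cgred_t create and remove cgroup directories instead of only writing into existing ones. The context lines show the same domain already holds `domain_setpriority_all_domains` and `files_getattr_all_files`, so this is a broad daemon getting broader. A one-line comment such as `# cgred creates cgroups on demand when a rule matches` would document the need, assuming that is the reason (not visible in this hunk).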
@@ -12593,7 +12650,7 @@ index c223f81..8b567c1 100644
- admin_pattern($1, { httpd_cobbler_content_t httpd_cobbler_content_ra_t httpd_cobbler_content_rw_t })
')
diff --git a/cobbler.te b/cobbler.te
-index 2a71346..8c4ac39 100644
+index 2a71346..3a38b11 100644
--- a/cobbler.te
+++ b/cobbler.te
@@ -81,6 +81,7 @@ manage_dirs_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t)
@@ -12642,23 +12699,42 @@ index 2a71346..8c4ac39 100644
')
optional_policy(`
-+ apache_domtrans(cobblerd_t)
++ apache_domtrans(cobblerd_t)
apache_search_sys_content(cobblerd_t)
')
-@@ -188,17 +191,25 @@ optional_policy(`
+@@ -170,6 +173,7 @@ optional_policy(`
+ bind_domtrans(cobblerd_t)
+ bind_initrc_domtrans(cobblerd_t)
+ bind_manage_zone(cobblerd_t)
++ bind_systemctl(cobblerd_t)
')
optional_policy(`
-+ libs_exec_ldconfig(cobblerd_t)
+@@ -179,12 +183,22 @@ optional_policy(`
+ optional_policy(`
+ dhcpd_domtrans(cobblerd_t)
+ dhcpd_initrc_domtrans(cobblerd_t)
++ dhcpd_systemctl(cobblerd_t)
+ ')
+
+ optional_policy(`
+ dnsmasq_domtrans(cobblerd_t)
+ dnsmasq_initrc_domtrans(cobblerd_t)
+ dnsmasq_write_config(cobblerd_t)
++ dnsmasq_systemctl(cobblerd_t)
+')
+
+optional_policy(`
-+ mysql_stream_connect(cobblerd_t)
++ libs_exec_ldconfig(cobblerd_t)
+')
+
+optional_policy(`
- rpm_exec(cobblerd_t)
++ mysql_stream_connect(cobblerd_t)
+ ')
+
+ optional_policy(`
+@@ -192,13 +206,13 @@ optional_policy(`
')
optional_policy(`
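Review bot: The added `bind_systemctl`, `dhcpd_systemctl` and `dnsmasq_systemctl` calls sit beside `bind_manage_zone` and `dnsmasq_write_config`, so cobblerd_t can now both rewrite DNS/DHCP configuration and control those units through systemctl, while the older `*_domtrans` and `*_initrc_domtrans` grants are all kept. If the systemctl calls are there because the services moved to systemd units, check whether the `*_initrc_domtrans` lines can be dropped so the domain does not carry three ways to start each daemon. A comment like `# cobbler restarts named/dhcpd/dnsmasq after regenerating their config` would record the intent. The `apache_domtrans(cobblerd_t)` line changes whitespace only.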
@@ -16119,7 +16195,7 @@ index 1303b30..058864e 100644
+ logging_log_filetrans($1, cron_log_t, $2, $3)
')
diff --git a/cron.te b/cron.te
-index 28e1b86..f871609 100644
+index 28e1b86..0cf34ad 100644
--- a/cron.te
+++ b/cron.te
@@ -1,4 +1,4 @@
@@ -16769,7 +16845,7 @@ index 28e1b86..f871609 100644
selinux_validate_context(system_cronjob_t)
selinux_compute_access_vector(system_cronjob_t)
selinux_compute_create_context(system_cronjob_t)
-@@ -534,10 +523,17 @@ tunable_policy(`cron_can_relabel',`
+@@ -534,10 +523,18 @@ tunable_policy(`cron_can_relabel',`
')
optional_policy(`
@@ -16778,6 +16854,7 @@ index 28e1b86..f871609 100644
apache_read_config(system_cronjob_t)
apache_read_log(system_cronjob_t)
apache_read_sys_content(system_cronjob_t)
++ apache_manage_lib(system_cronjob_t)
+ apache_delete_cache_dirs(system_cronjob_t)
+ apache_delete_cache_files(system_cronjob_t)
+')
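Review bot: `apache_manage_lib(system_cronjob_t)` is the only manage-level grant in this optional block; its neighbours are `apache_read_config`, `apache_read_log`, `apache_read_sys_content` and the two cache-delete calls. system_cronjob_t is the domain for system cron jobs in general, so the write access applies to every job that runs in it, not just the one that needs it. Add a comment naming that job, e.g. `# <cron job>: cleans up files under the httpd lib directory`, and prefer a narrower interface if cleanup is all that is required.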
@@ -16787,7 +16864,7 @@ index 28e1b86..f871609 100644
')
optional_policy(`
-@@ -546,10 +542,6 @@ optional_policy(`
+@@ -546,10 +543,6 @@ optional_policy(`
optional_policy(`
dbus_system_bus_client(system_cronjob_t)
@@ -16798,7 +16875,7 @@ index 28e1b86..f871609 100644
')
optional_policy(`
-@@ -581,6 +573,7 @@ optional_policy(`
+@@ -581,6 +574,7 @@ optional_policy(`
optional_policy(`
mta_read_config(system_cronjob_t)
mta_send_mail(system_cronjob_t)
@@ -16806,7 +16883,7 @@ index 28e1b86..f871609 100644
')
optional_policy(`
-@@ -588,15 +581,19 @@ optional_policy(`
+@@ -588,15 +582,19 @@ optional_policy(`
')
optional_policy(`
@@ -16828,7 +16905,7 @@ index 28e1b86..f871609 100644
')
optional_policy(`
-@@ -606,6 +603,7 @@ optional_policy(`
+@@ -606,6 +604,7 @@ optional_policy(`
optional_policy(`
spamassassin_manage_lib_files(system_cronjob_t)
@@ -16836,7 +16913,7 @@ index 28e1b86..f871609 100644
')
optional_policy(`
-@@ -613,12 +611,24 @@ optional_policy(`
+@@ -613,12 +612,24 @@ optional_policy(`
')
optional_policy(`
@@ -16863,7 +16940,7 @@ index 28e1b86..f871609 100644
#
allow cronjob_t self:process { signal_perms setsched };
-@@ -626,12 +636,32 @@ allow cronjob_t self:fifo_file rw_fifo_file_perms;
+@@ -626,12 +637,32 @@ allow cronjob_t self:fifo_file rw_fifo_file_perms;
allow cronjob_t self:unix_stream_socket create_stream_socket_perms;
allow cronjob_t self:unix_dgram_socket create_socket_perms;
@@ -16897,7 +16974,7 @@ index 28e1b86..f871609 100644
corenet_all_recvfrom_netlabel(cronjob_t)
corenet_tcp_sendrecv_generic_if(cronjob_t)
corenet_udp_sendrecv_generic_if(cronjob_t)
-@@ -639,84 +669,148 @@ corenet_tcp_sendrecv_generic_node(cronjob_t)
+@@ -639,84 +670,148 @@ corenet_tcp_sendrecv_generic_node(cronjob_t)
corenet_udp_sendrecv_generic_node(cronjob_t)
corenet_tcp_sendrecv_all_ports(cronjob_t)
corenet_udp_sendrecv_all_ports(cronjob_t)
@@ -25560,18 +25637,19 @@ index c12c067..a415012 100644
optional_policy(`
diff --git a/fprintd.te b/fprintd.te
-index c81b6e8..34e1f1c 100644
+index c81b6e8..6f2c7b8 100644
--- a/fprintd.te
+++ b/fprintd.te
-@@ -20,6 +20,7 @@ files_type(fprintd_var_lib_t)
+@@ -20,6 +20,8 @@ files_type(fprintd_var_lib_t)
allow fprintd_t self:capability sys_nice;
allow fprintd_t self:process { getsched setsched signal sigkill };
allow fprintd_t self:fifo_file rw_fifo_file_perms;
+allow fprintd_t self:netlink_kobject_uevent_socket create_socket_perms;
++allow fprintd_t self:unix_dgram_socket { create_socket_perms sendto };
manage_dirs_pattern(fprintd_t, fprintd_var_lib_t, fprintd_var_lib_t)
manage_files_pattern(fprintd_t, fprintd_var_lib_t, fprintd_var_lib_t)
-@@ -28,16 +29,13 @@ kernel_read_system_state(fprintd_t)
+@@ -28,15 +30,14 @@ kernel_read_system_state(fprintd_t)
dev_list_usbfs(fprintd_t)
dev_read_sysfs(fprintd_t)
@@ -25585,11 +25663,11 @@ index c81b6e8..34e1f1c 100644
auth_use_nsswitch(fprintd_t)
-miscfiles_read_localization(fprintd_t)
--
++logging_send_syslog_msg(fprintd_t)
+
userdom_use_user_ptys(fprintd_t)
userdom_read_all_users_state(fprintd_t)
-
-@@ -54,8 +52,13 @@ optional_policy(`
+@@ -54,8 +55,13 @@ optional_policy(`
')
')
@@ -26939,10 +27017,10 @@ index 0000000..1ed97fe
+
diff --git a/glusterd.te b/glusterd.te
new file mode 100644
-index 0000000..3a71ad6
+index 0000000..ed9fdd0
--- /dev/null
+++ b/glusterd.te
-@@ -0,0 +1,199 @@
+@@ -0,0 +1,200 @@
+policy_module(glusterfs, 1.0.1)
+
+##
@@ -27034,12 +27112,13 @@ index 0000000..3a71ad6
+
+manage_dirs_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t)
+manage_files_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t)
-+#manage_sock_files_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t)
++manage_sock_files_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t)
+files_var_lib_filetrans(glusterd_t, glusterd_var_lib_t, dir)
+relabel_files_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t)
+
+manage_dirs_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t)
+manage_files_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t)
++manage_fifo_files_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t)
+manage_lnk_files_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t)
+relabel_files_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t)
+relabel_lnk_files_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t)
@@ -31039,10 +31118,10 @@ index 0000000..3ce0ac0
+')
diff --git a/gssproxy.te b/gssproxy.te
new file mode 100644
-index 0000000..5044e7b
+index 0000000..bbd5979
--- /dev/null
+++ b/gssproxy.te
-@@ -0,0 +1,66 @@
+@@ -0,0 +1,68 @@
+policy_module(gssproxy, 1.0.0)
+
+########################################
@@ -31067,6 +31146,7 @@ index 0000000..5044e7b
+#
+# gssproxy local policy
+#
++allow gssproxy_t self:capability { setuid setgid };
+allow gssproxy_t self:capability2 block_suspend;
+allow gssproxy_t self:fifo_file rw_fifo_file_perms;
+allow gssproxy_t self:unix_stream_socket create_stream_socket_perms;
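Review bot: `allow gssproxy_t self:capability { setuid setgid };` here and `userdom_read_all_users_keys(gssproxy_t)` in the next hunk together give the proxy identity switching plus read access to every user's keys, and neither line carries a comment. That combination is the most sensitive part of this new module and should be justified where it is granted, e.g. `# gssproxy switches to the client's uid/gid before accessing that user's credentials` (wording to be confirmed against the daemon's behaviour). If only specific user domains are served, a narrower key interface than the all-users one would be preferable.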
@@ -31097,6 +31177,7 @@ index 0000000..5044e7b
+
+miscfiles_read_localization(gssproxy_t)
+
++userdom_read_all_users_keys(gssproxy_t)
+userdom_manage_user_tmp_dirs(gssproxy_t)
+userdom_manage_user_tmp_files(gssproxy_t)
+
@@ -31944,7 +32025,7 @@ index ac00fb0..36ef2e5 100644
+ userdom_user_home_dir_filetrans($1, irssi_home_t, dir, "irclogs")
')
diff --git a/irc.te b/irc.te
-index ecad9c7..e413e5a 100644
+index ecad9c7..abf0b2d 100644
--- a/irc.te
+++ b/irc.te
@@ -31,13 +31,35 @@ typealias irc_home_t alias { user_irc_home_t staff_irc_home_t sysadm_irc_home_t
@@ -32002,23 +32083,27 @@ index ecad9c7..e413e5a 100644
manage_dirs_pattern(irc_t, irc_tmp_t, irc_tmp_t)
manage_files_pattern(irc_t, irc_tmp_t, irc_tmp_t)
-@@ -70,7 +86,6 @@ files_tmp_filetrans(irc_t, irc_tmp_t, { file dir lnk_file sock_file fifo_file })
+@@ -70,7 +86,9 @@ files_tmp_filetrans(irc_t, irc_tmp_t, { file dir lnk_file sock_file fifo_file })
kernel_read_system_state(irc_t)
-corenet_all_recvfrom_unlabeled(irc_t)
++corecmd_exec_shell(irc_t)
++corecmd_exec_bin(irc_t)
++
corenet_all_recvfrom_netlabel(irc_t)
corenet_tcp_sendrecv_generic_if(irc_t)
corenet_tcp_sendrecv_generic_node(irc_t)
-@@ -93,7 +108,6 @@ dev_read_rand(irc_t)
+@@ -93,8 +111,6 @@ dev_read_rand(irc_t)
domain_use_interactive_fds(irc_t)
-files_read_usr_files(irc_t)
-
+-
fs_getattr_all_fs(irc_t)
fs_search_auto_mountpoints(irc_t)
-@@ -106,15 +120,18 @@ auth_use_nsswitch(irc_t)
+
+@@ -106,15 +122,18 @@ auth_use_nsswitch(irc_t)
init_read_utmp(irc_t)
init_dontaudit_lock_utmp(irc_t)
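Review bot: `corecmd_exec_shell(irc_t)` and `corecmd_exec_bin(irc_t)` let the IRC client domain run a shell and any generic binary in its own domain, and a later hunk does the same for irssi_t by turning `corecmd_search_bin(irssi_t)` into `corecmd_exec_shell(irssi_t)`. These domains parse data from remote servers and peers, and irc_t can additionally bind and connect to arbitrary ports under `irc_use_any_tcp_ports`, so unconditional shell execution removes much of the containment the policy offers. If the need is client-side scripts or URL handlers, put the two calls behind a `tunable_policy` block, as the port access already is, and add a comment such as `# needed for user scripts launched by the client`.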
@@ -32039,7 +32124,7 @@ index ecad9c7..e413e5a 100644
corenet_sendrecv_all_server_packets(irc_t)
corenet_tcp_bind_all_unreserved_ports(irc_t)
corenet_sendrecv_all_client_packets(irc_t)
-@@ -122,18 +139,71 @@ tunable_policy(`irc_use_any_tcp_ports',`
+@@ -122,18 +141,71 @@ tunable_policy(`irc_use_any_tcp_ports',`
corenet_tcp_sendrecv_all_ports(irc_t)
')
@@ -32076,7 +32161,7 @@ index ecad9c7..e413e5a 100644
+
+kernel_read_system_state(irssi_t)
+
-+corecmd_search_bin(irssi_t)
++corecmd_exec_shell(irssi_t)
+corecmd_read_bin_symlinks(irssi_t)
+
+corenet_tcp_connect_ircd_port(irssi_t)
@@ -40275,16 +40360,16 @@ index 0000000..c713b27
+/var/run/mirrormanager(/.*)? gen_context(system_u:object_r:mirrormanager_var_run_t,s0)
diff --git a/mirrormanager.if b/mirrormanager.if
new file mode 100644
-index 0000000..7ba3eed
+index 0000000..dd049c7
--- /dev/null
+++ b/mirrormanager.if
-@@ -0,0 +1,222 @@
+@@ -0,0 +1,224 @@
+
+## policy for mirrormanager
+
+########################################
+##
-+## Execute TEMPLATE in the mirrormanager domin.
++## Execute mirrormanager in the mirrormanager domin.
+##
+##
+##
@@ -40300,6 +40385,7 @@ index 0000000..7ba3eed
+ corecmd_search_bin($1)
+ domtrans_pattern($1, mirrormanager_exec_t, mirrormanager_t)
+')
++
+########################################
+##
+## Read mirrormanager's log files.
@@ -40496,6 +40582,7 @@ index 0000000..7ba3eed
+
+ files_search_pids($1)
+ admin_pattern($1, mirrormanager_var_run_t)
++
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
@@ -40503,10 +40590,10 @@ index 0000000..7ba3eed
+')
diff --git a/mirrormanager.te b/mirrormanager.te
new file mode 100644
-index 0000000..a19c096
+index 0000000..841b732
--- /dev/null
+++ b/mirrormanager.te
-@@ -0,0 +1,47 @@
+@@ -0,0 +1,43 @@
+policy_module(mirrormanager, 1.0.0)
+
+########################################
@@ -40531,29 +40618,25 @@ index 0000000..a19c096
+#
+# mirrormanager local policy
+#
++
+allow mirrormanager_t self:fifo_file rw_fifo_file_perms;
+allow mirrormanager_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(mirrormanager_t, mirrormanager_log_t, mirrormanager_log_t)
+manage_files_pattern(mirrormanager_t, mirrormanager_log_t, mirrormanager_log_t)
+manage_lnk_files_pattern(mirrormanager_t, mirrormanager_log_t, mirrormanager_log_t)
-+logging_log_filetrans(mirrormanager_t, mirrormanager_log_t, { dir file lnk_file })
++logging_log_filetrans(mirrormanager_t, mirrormanager_log_t, { dir })
+
+manage_dirs_pattern(mirrormanager_t, mirrormanager_var_lib_t, mirrormanager_var_lib_t)
+manage_files_pattern(mirrormanager_t, mirrormanager_var_lib_t, mirrormanager_var_lib_t)
+manage_lnk_files_pattern(mirrormanager_t, mirrormanager_var_lib_t, mirrormanager_var_lib_t)
-+files_var_lib_filetrans(mirrormanager_t, mirrormanager_var_lib_t, { dir file lnk_file })
++files_var_lib_filetrans(mirrormanager_t, mirrormanager_var_lib_t, { dir })
+
+manage_dirs_pattern(mirrormanager_t, mirrormanager_var_run_t, mirrormanager_var_run_t)
+manage_files_pattern(mirrormanager_t, mirrormanager_var_run_t, mirrormanager_var_run_t)
+manage_lnk_files_pattern(mirrormanager_t, mirrormanager_var_run_t, mirrormanager_var_run_t)
-+files_pid_filetrans(mirrormanager_t, mirrormanager_var_run_t, { dir file lnk_file })
-+
-+domain_use_interactive_fds(mirrormanager_t)
++files_pid_filetrans(mirrormanager_t, mirrormanager_var_run_t, { dir })
+
-+files_read_etc_files(mirrormanager_t)
-+
-+miscfiles_read_localization(mirrormanager_t)
diff --git a/mock.fc b/mock.fc
new file mode 100644
index 0000000..8d0e473
@@ -41239,7 +41322,7 @@ index b1ac8b5..9b22bea 100644
+ ')
+')
diff --git a/modemmanager.te b/modemmanager.te
-index cb4c13d..ab6fb25 100644
+index cb4c13d..9342be3 100644
--- a/modemmanager.te
+++ b/modemmanager.te
@@ -11,6 +11,9 @@ init_daemon_domain(modemmanager_t, modemmanager_exec_t)
@@ -41252,12 +41335,15 @@ index cb4c13d..ab6fb25 100644
########################################
#
# Local policy
-@@ -27,12 +30,12 @@ kernel_read_system_state(modemmanager_t)
+@@ -25,14 +28,14 @@ allow modemmanager_t self:netlink_kobject_uevent_socket create_socket_perms;
+ kernel_read_system_state(modemmanager_t)
+
dev_read_sysfs(modemmanager_t)
++dev_read_urand(modemmanager_t)
dev_rw_modem(modemmanager_t)
-files_read_etc_files(modemmanager_t)
-
+-
term_use_generic_ptys(modemmanager_t)
term_use_unallocated_ttys(modemmanager_t)
+term_use_usb_ttys(modemmanager_t)
@@ -41796,7 +41882,7 @@ index 6ffaba2..cb1e8b0 100644
+/usr/lib/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:mozilla_plugin_config_exec_t,s0)
+')
diff --git a/mozilla.if b/mozilla.if
-index 6194b80..7fbb9e7 100644
+index 6194b80..b8952a1 100644
--- a/mozilla.if
+++ b/mozilla.if
@@ -1,146 +1,75 @@
@@ -41928,7 +42014,8 @@ index 6194b80..7fbb9e7 100644
- mozilla_run_plugin($2, $1)
- mozilla_run_plugin_config($2, $1)
--
++ mozilla_filetrans_home_content($2)
+
- allow $2 { mozilla_plugin_t mozilla_plugin_config_t }:process { ptrace signal_perms };
- ps_process_pattern($2, { mozilla_plugin_t mozilla_plugin_config_t })
-
@@ -41950,8 +42037,7 @@ index 6194b80..7fbb9e7 100644
- userdom_user_home_dir_filetrans($2, mozilla_home_t, dir, ".mozilla")
- userdom_user_home_dir_filetrans($2, mozilla_home_t, dir, ".netscape")
- userdom_user_home_dir_filetrans($2, mozilla_home_t, dir, ".phoenix")
-+ mozilla_filetrans_home_content($2)
-
+-
- allow $2 mozilla_plugin_tmp_t:dir { manage_dir_perms relabel_dir_perms };
- allow $2 mozilla_plugin_tmp_t:file { manage_file_perms relabel_file_perms };
- allow $2 mozilla_plugin_tmp_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms };
@@ -42306,7 +42392,7 @@ index 6194b80..7fbb9e7 100644
##
##
##
-@@ -433,76 +353,126 @@ interface(`mozilla_dbus_chat',`
+@@ -433,76 +353,144 @@ interface(`mozilla_dbus_chat',`
##
##
#
@@ -42409,7 +42495,25 @@ index 6194b80..7fbb9e7 100644
+ type mozilla_plugin_t;
+ ')
+
-+ allow $1 mozilla_plugin_t:sem { unix_read unix_write };
++ dontaudit $1 mozilla_plugin_t:sem { associate unix_read unix_write };
++')
++
++#######################################
++##
++## Allow generict ipc read/write to a mozilla_plugin
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`mozilla_plugin_rw_sem',`
++ gen_require(`
++ type mozilla_plugin_t;
++ ')
++
++ allow $1 mozilla_plugin_t:sem { associate unix_read unix_write };
')
########################################
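Review bot: The doc block for the new `mozilla_plugin_rw_sem` interface was copied from the dontaudit variant: its parameter text reads `Domain to not audit.` although the body is an `allow`, and the summary has the typo `generict`. The parameter description should be `Domain allowed access.` and the summary `Allow generic ipc read/write to a mozilla_plugin`. Separately, the pre-existing interface above it (its name is outside this hunk) changes from `allow` to `dontaudit` on the same `sem` permissions, so its current callers silently lose access and get no denial logged. Each caller needs checking, and switching to `mozilla_plugin_rw_sem` where the access is really required.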
@@ -42462,7 +42566,7 @@ index 6194b80..7fbb9e7 100644
##
##
##
-@@ -510,19 +480,18 @@ interface(`mozilla_plugin_read_tmpfs_files',`
+@@ -510,19 +498,18 @@ interface(`mozilla_plugin_read_tmpfs_files',`
##
##
#
@@ -42487,7 +42591,7 @@ index 6194b80..7fbb9e7 100644
##
##
##
-@@ -530,45 +499,56 @@ interface(`mozilla_plugin_delete_tmpfs_files',`
+@@ -530,45 +517,56 @@ interface(`mozilla_plugin_delete_tmpfs_files',`
##
##
#
@@ -42569,7 +42673,7 @@ index 6194b80..7fbb9e7 100644
')
+
diff --git a/mozilla.te b/mozilla.te
-index 6a306ee..32542a8 100644
+index 6a306ee..bf3015e 100644
--- a/mozilla.te
+++ b/mozilla.te
@@ -1,4 +1,4 @@
@@ -42843,12 +42947,12 @@ index 6a306ee..32542a8 100644
-
-userdom_manage_user_tmp_dirs(mozilla_t)
-userdom_manage_user_tmp_files(mozilla_t)
-+userdom_use_inherited_user_ptys(mozilla_t)
-
+-
-userdom_manage_user_home_content_dirs(mozilla_t)
-userdom_manage_user_home_content_files(mozilla_t)
-userdom_user_home_dir_filetrans_user_home_content(mozilla_t, { dir file })
--
++userdom_use_inherited_user_ptys(mozilla_t)
+
-userdom_write_user_tmp_sockets(mozilla_t)
-
-mozilla_run_plugin(mozilla_t, mozilla_roles)
@@ -43276,12 +43380,12 @@ index 6a306ee..32542a8 100644
-userdom_manage_user_tmp_dirs(mozilla_plugin_t)
-userdom_manage_user_tmp_files(mozilla_plugin_t)
--
++systemd_read_logind_sessions_files(mozilla_plugin_t)
+
-userdom_manage_user_home_content_dirs(mozilla_plugin_t)
-userdom_manage_user_home_content_files(mozilla_plugin_t)
-userdom_user_home_dir_filetrans_user_home_content(mozilla_plugin_t, { dir file })
-+systemd_read_logind_sessions_files(mozilla_plugin_t)
-
+-
-userdom_write_user_tmp_sockets(mozilla_plugin_t)
+term_getattr_all_ttys(mozilla_plugin_t)
+term_getattr_all_ptys(mozilla_plugin_t)
@@ -43406,16 +43510,20 @@ index 6a306ee..32542a8 100644
')
optional_policy(`
-@@ -560,7 +568,7 @@ optional_policy(`
+@@ -560,7 +568,11 @@ optional_policy(`
')
optional_policy(`
- pulseaudio_run(mozilla_plugin_t, mozilla_plugin_roles)
++ policykit_dbus_chat(mozilla_plugin_t)
++')
++
++optional_policy(`
+ rtkit_scheduled(mozilla_plugin_t)
')
optional_policy(`
-@@ -568,108 +576,130 @@ optional_policy(`
+@@ -568,108 +580,130 @@ optional_policy(`
')
optional_policy(`
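Review bot: `policykit_dbus_chat(mozilla_plugin_t)` opens a D-Bus channel from the browser plugin domain, which handles web-supplied content, to the authorization daemon, and the new optional block carries no explanation. polkit still makes its own authorization decision, but the policy should say which plugin needs the conversation, e.g. `# <plugin name> queries polkit for <action>`. If only one plugin needs it, consider whether it belongs behind a tunable rather than being on for all plugins.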
@@ -43448,7 +43556,8 @@ index 6a306ee..32542a8 100644
-allow mozilla_plugin_config_t mozilla_plugin_rw_t:dir manage_dir_perms;
-allow mozilla_plugin_config_t mozilla_plugin_rw_t:file manage_file_perms;
-allow mozilla_plugin_config_t mozilla_plugin_rw_t:lnk_file manage_lnk_file_perms;
--
++allow mozilla_plugin_config_t self:process { setsched signal_perms getsched execmem execstack };
+
-manage_dirs_pattern(mozilla_plugin_config_t, { mozilla_home_t mozilla_plugin_home_t }, { mozilla_home_t mozilla_plugin_home_t })
-manage_files_pattern(mozilla_plugin_config_t, { mozilla_home_t mozilla_plugin_home_t }, mozilla_plugin_home_t)
-manage_lnk_files_pattern(mozilla_plugin_config_t, { mozilla_home_t mozilla_plugin_home_t }, mozilla_plugin_home_t)
@@ -43457,7 +43566,8 @@ index 6a306ee..32542a8 100644
-userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_home_t, dir, ".mozilla")
-userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_home_t, dir, ".netscape")
-userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_home_t, dir, ".phoenix")
-+allow mozilla_plugin_config_t self:process { setsched signal_perms getsched execmem execstack };
++allow mozilla_plugin_config_t self:fifo_file rw_file_perms;
++allow mozilla_plugin_config_t self:unix_stream_socket create_stream_socket_perms;
-userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_plugin_home_t, dir, ".adobe")
-userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_plugin_home_t, dir, ".macromedia")
@@ -43467,22 +43577,20 @@ index 6a306ee..32542a8 100644
-userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_plugin_home_t, dir, ".spicec")
-userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_plugin_home_t, dir, ".ICAClient")
-userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_plugin_home_t, dir, "zimbrauserdata")
-+allow mozilla_plugin_config_t self:fifo_file rw_file_perms;
-+allow mozilla_plugin_config_t self:unix_stream_socket create_stream_socket_perms;
-
--filetrans_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_plugin_home_t, dir, "plugins")
+ps_process_pattern(mozilla_plugin_config_t,mozilla_plugin_t)
--can_exec(mozilla_plugin_config_t, { mozilla_plugin_rw_t mozilla_plugin_home_t })
+-filetrans_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_plugin_home_t, dir, "plugins")
+dev_read_sysfs(mozilla_plugin_config_t)
+dev_read_urand(mozilla_plugin_config_t)
+dev_dontaudit_read_rand(mozilla_plugin_config_t)
+dev_dontaudit_rw_dri(mozilla_plugin_config_t)
--ps_process_pattern(mozilla_plugin_config_t, mozilla_plugin_t)
+-can_exec(mozilla_plugin_config_t, { mozilla_plugin_rw_t mozilla_plugin_home_t })
+fs_search_auto_mountpoints(mozilla_plugin_config_t)
+fs_list_inotifyfs(mozilla_plugin_config_t)
+-ps_process_pattern(mozilla_plugin_config_t, mozilla_plugin_t)
+-
-kernel_read_system_state(mozilla_plugin_config_t)
-kernel_request_load_module(mozilla_plugin_config_t)
+can_exec(mozilla_plugin_config_t, mozilla_plugin_rw_t)
@@ -44009,7 +44117,7 @@ index f42896c..cb2791a 100644
-/var/spool/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
+/var/spool/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
diff --git a/mta.if b/mta.if
-index ed81cac..566684a 100644
+index ed81cac..26c97cd 100644
--- a/mta.if
+++ b/mta.if
@@ -1,4 +1,4 @@
@@ -44060,7 +44168,7 @@ index ed81cac..566684a 100644
#
type $1_mail_t, user_mail_domain;
-@@ -43,17 +57,16 @@ template(`mta_base_mail_template',`
+@@ -43,17 +57,18 @@ template(`mta_base_mail_template',`
type $1_mail_tmp_t;
files_tmp_file($1_mail_tmp_t)
@@ -44075,6 +44183,8 @@ index ed81cac..566684a 100644
+ kernel_read_system_state($1_mail_t)
+
++ corenet_all_recvfrom_netlabel($1_mail_t)
++
auth_use_nsswitch($1_mail_t)
+ logging_send_syslog_msg($1_mail_t)
@@ -44082,7 +44192,7 @@ index ed81cac..566684a 100644
optional_policy(`
postfix_domtrans_user_mail_handler($1_mail_t)
')
-@@ -61,61 +74,41 @@ template(`mta_base_mail_template',`
+@@ -61,61 +76,41 @@ template(`mta_base_mail_template',`
########################################
##
@@ -44154,7 +44264,7 @@ index ed81cac..566684a 100644
')
')
-@@ -163,125 +156,23 @@ interface(`mta_agent_executable',`
+@@ -163,125 +158,23 @@ interface(`mta_agent_executable',`
application_executable_file($1)
')
@@ -44287,7 +44397,7 @@ index ed81cac..566684a 100644
')
########################################
-@@ -334,7 +225,6 @@ interface(`mta_sendmail_mailserver',`
+@@ -334,7 +227,6 @@ interface(`mta_sendmail_mailserver',`
')
init_system_domain($1, sendmail_exec_t)
@@ -44295,7 +44405,7 @@ index ed81cac..566684a 100644
typeattribute $1 mailserver_domain;
')
-@@ -374,6 +264,15 @@ interface(`mta_mailserver_delivery',`
+@@ -374,6 +266,15 @@ interface(`mta_mailserver_delivery',`
')
typeattribute $1 mailserver_delivery;
@@ -44311,7 +44421,7 @@ index ed81cac..566684a 100644
')
#######################################
-@@ -394,6 +293,12 @@ interface(`mta_mailserver_user_agent',`
+@@ -394,6 +295,12 @@ interface(`mta_mailserver_user_agent',`
')
typeattribute $1 mta_user_agent;
@@ -44324,7 +44434,7 @@ index ed81cac..566684a 100644
')
########################################
-@@ -408,14 +313,19 @@ interface(`mta_mailserver_user_agent',`
+@@ -408,14 +315,19 @@ interface(`mta_mailserver_user_agent',`
#
interface(`mta_send_mail',`
gen_require(`
@@ -44346,7 +44456,7 @@ index ed81cac..566684a 100644
')
########################################
-@@ -445,18 +355,24 @@ interface(`mta_send_mail',`
+@@ -445,18 +357,24 @@ interface(`mta_send_mail',`
#
interface(`mta_sendmail_domtrans',`
gen_require(`
@@ -44376,7 +44486,7 @@ index ed81cac..566684a 100644
##
##
##
-@@ -464,7 +380,6 @@ interface(`mta_sendmail_domtrans',`
+@@ -464,7 +382,6 @@ interface(`mta_sendmail_domtrans',`
##
##
#
@@ -44384,7 +44494,7 @@ index ed81cac..566684a 100644
interface(`mta_signal_system_mail',`
gen_require(`
type system_mail_t;
-@@ -475,7 +390,43 @@ interface(`mta_signal_system_mail',`
+@@ -475,7 +392,43 @@ interface(`mta_signal_system_mail',`
########################################
##
@@ -44429,7 +44539,7 @@ index ed81cac..566684a 100644
##
##
##
-@@ -506,13 +457,32 @@ interface(`mta_sendmail_exec',`
+@@ -506,13 +459,32 @@ interface(`mta_sendmail_exec',`
type sendmail_exec_t;
')
@@ -44464,7 +44574,7 @@ index ed81cac..566684a 100644
##
##
##
-@@ -528,13 +498,13 @@ interface(`mta_read_config',`
+@@ -528,13 +500,13 @@ interface(`mta_read_config',`
files_search_etc($1)
allow $1 etc_mail_t:dir list_dir_perms;
@@ -44481,7 +44591,7 @@ index ed81cac..566684a 100644
##
##
##
-@@ -548,33 +518,31 @@ interface(`mta_write_config',`
+@@ -548,33 +520,31 @@ interface(`mta_write_config',`
type etc_mail_t;
')
@@ -44521,7 +44631,7 @@ index ed81cac..566684a 100644
##
##
##
-@@ -582,84 +550,66 @@ interface(`mta_read_aliases',`
+@@ -582,84 +552,66 @@ interface(`mta_read_aliases',`
##
##
#
@@ -44622,7 +44732,7 @@ index ed81cac..566684a 100644
##