diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index f491cf2..459d84d 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -2042,7 +2042,7 @@ index 0960199..aa51ab2 100644 + can_exec($1, sudo_exec_t) +') diff --git a/policy/modules/admin/sudo.te b/policy/modules/admin/sudo.te -index d9fce57..ed65dbc 100644 +index d9fce57..fc6d1d3 100644 --- a/policy/modules/admin/sudo.te +++ b/policy/modules/admin/sudo.te @@ -7,3 +7,100 @@ attribute sudodomain; @@ -2115,7 +2115,7 @@ index d9fce57..ed65dbc 100644 +#auth_run_chk_passwd(sudodomain) +# sudo stores a token in the pam_pid directory +auth_manage_pam_pid(sudodomain) -+#auth_use_nsswitch(sudodomain) ++auth_manage_faillog(sudodomain) + +application_signal(sudodomain) + @@ -3027,7 +3027,7 @@ index 7590165..19aaaed 100644 + fs_mounton_fusefs(seunshare_domain) +') diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc -index 644d4d7..4debbf2 100644 +index 644d4d7..38a8a2d 100644 --- a/policy/modules/kernel/corecommands.fc +++ b/policy/modules/kernel/corecommands.fc @@ -1,9 +1,10 @@ @@ -3185,7 +3185,7 @@ index 644d4d7..4debbf2 100644 /usr/lib/dpkg/.+ -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/emacsen-common/.* gen_context(system_u:object_r:bin_t,s0) /usr/lib/gimp/.*/plug-ins(/.*)? gen_context(system_u:object_r:bin_t,s0) -@@ -215,18 +246,30 @@ ifdef(`distro_gentoo',` +@@ -215,18 +246,31 @@ ifdef(`distro_gentoo',` /usr/lib/mailman/mail(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/lib/mediawiki/math/texvc.* gen_context(system_u:object_r:bin_t,s0) /usr/lib/misc/sftp-server -- gen_context(system_u:object_r:bin_t,s0) 
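Review bot: `++auth_manage_faillog(sudodomain)` replaces a commented-out nsswitch line with a grant that lets every sudo domain create, rename and delete the login-failure log rather than only update records in it; if the need is pam_tally/faillock bookkeeping, the narrower `auth_rw_faillog(sudodomain)` would keep deletion of failure records out of reach of a sudo domain. Whichever interface is kept, the line deserves the same one-line justification its neighbour `auth_manage_pam_pid` has, e.g. `# pam_tally2/faillock record failed attempts in faillog`. The sudodomain rule block continues outside the hunk.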
@@ -3198,6 +3198,7 @@ index 644d4d7..4debbf2 100644 +/usr/lib/nagios/plugins/negate -- gen_context(system_u:object_r:bin_t,s0) +/usr/lib/nagios/plugins/urlize -- gen_context(system_u:object_r:bin_t,s0) +/usr/lib/nagios/plugins/utils.sh -- gen_context(system_u:object_r:bin_t,s0) ++/usr/lib/nagios/plugins/utils.pm -- gen_context(system_u:object_r:bin_t,s0) +/usr/lib/netsaint/plugins(/.*)? gen_context(system_u:object_r:bin_t,s0) +/usr/lib/news/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) +/usr/lib/nspluginwrapper/np.* gen_context(system_u:object_r:bin_t,s0) @@ -3223,7 +3224,7 @@ index 644d4d7..4debbf2 100644 /usr/lib/xfce4/exo-1/exo-compose-mail-1 -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/xfce4/exo-1/exo-helper-1 -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/xfce4/panel/migrate -- gen_context(system_u:object_r:bin_t,s0) -@@ -241,10 +284,15 @@ ifdef(`distro_gentoo',` +@@ -241,10 +285,15 @@ ifdef(`distro_gentoo',` /usr/lib/debug/sbin(/.*)? -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/debug/usr/bin(/.*)? -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/debug/usr/sbin(/.*)? -- gen_context(system_u:object_r:bin_t,s0) @@ -3239,7 +3240,7 @@ index 644d4d7..4debbf2 100644 /usr/lib/[^/]*/run-mozilla\.sh -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/[^/]*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/thunderbird.*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0) -@@ -257,10 +305,17 @@ ifdef(`distro_gentoo',` +@@ -257,10 +306,17 @@ ifdef(`distro_gentoo',` /usr/libexec/openssh/sftp-server -- gen_context(system_u:object_r:bin_t,s0) 
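Review bot: `/usr/lib/nagios/plugins/utils.pm -- bin_t` labels a Perl module as an executable: `.pm` files are pulled in with `require`/`use`, not executed, so the entry widens what counts as a program under `/usr/lib/nagios/plugins` instead of merely making the file readable. If plugin domains only need to read it, a library file type such as `lib_t` is the narrower choice; if bin_t is deliberate (for consistency with the sibling `utils.sh`), a short comment saying so would spare the next reader the question.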
@@ -3260,7 +3261,7 @@ index 644d4d7..4debbf2 100644 /usr/sbin/scponlyc -- gen_context(system_u:object_r:shell_exec_t,s0) /usr/sbin/sesh -- gen_context(system_u:object_r:shell_exec_t,s0) /usr/sbin/smrsh -- gen_context(system_u:object_r:shell_exec_t,s0) -@@ -276,10 +331,15 @@ ifdef(`distro_gentoo',` +@@ -276,10 +332,15 @@ ifdef(`distro_gentoo',` /usr/share/cluster/.*\.sh gen_context(system_u:object_r:bin_t,s0) /usr/share/cluster/ocf-shellfuncs -- gen_context(system_u:object_r:bin_t,s0) /usr/share/cluster/svclib_nfslock -- gen_context(system_u:object_r:bin_t,s0) @@ -3276,7 +3277,7 @@ index 644d4d7..4debbf2 100644 /usr/share/gnucash/finance-quote-check -- gen_context(system_u:object_r:bin_t,s0) /usr/share/gnucash/finance-quote-helper -- gen_context(system_u:object_r:bin_t,s0) /usr/share/hal/device-manager/hal-device-manager -- gen_context(system_u:object_r:bin_t,s0) -@@ -294,16 +354,22 @@ ifdef(`distro_gentoo',` +@@ -294,16 +355,22 @@ ifdef(`distro_gentoo',` /usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0) /usr/share/smolt/client(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/shorewall/compiler\.pl -- gen_context(system_u:object_r:bin_t,s0) @@ -3301,7 +3302,7 @@ index 644d4d7..4debbf2 100644 ifdef(`distro_debian',` /usr/lib/ConsoleKit/.* -- gen_context(system_u:object_r:bin_t,s0) -@@ -321,20 +387,27 @@ ifdef(`distro_redhat', ` +@@ -321,20 +388,27 @@ ifdef(`distro_redhat', ` /etc/gdm/[^/]+ -d gen_context(system_u:object_r:bin_t,s0) /etc/gdm/[^/]+/.* gen_context(system_u:object_r:bin_t,s0) @@ -3330,7 +3331,7 @@ index 644d4d7..4debbf2 100644 /usr/share/pwlib/make/ptlib-config -- gen_context(system_u:object_r:bin_t,s0) /usr/share/pydict/pydict\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/rhn/rhn_applet/applet\.py -- gen_context(system_u:object_r:bin_t,s0) -@@ -383,11 +456,15 @@ ifdef(`distro_suse', ` +@@ -383,11 +457,15 @@ ifdef(`distro_suse', ` # # /var # 
@@ -3347,7 +3348,7 @@ index 644d4d7..4debbf2 100644 /usr/lib/yp/.+ -- gen_context(system_u:object_r:bin_t,s0) /var/qmail/bin -d gen_context(system_u:object_r:bin_t,s0) -@@ -397,3 +474,12 @@ ifdef(`distro_suse', ` +@@ -397,3 +475,12 @@ ifdef(`distro_suse', ` ifdef(`distro_suse',` /var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0) ') @@ -5082,7 +5083,7 @@ index 8e0f9cd..b9f45b9 100644 define(`create_packet_interfaces',`` diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in -index 4edc40d..a69e038 100644 +index 4edc40d..73d7b76 100644 --- a/policy/modules/kernel/corenetwork.te.in +++ b/policy/modules/kernel/corenetwork.te.in @@ -5,6 +5,7 @@ policy_module(corenetwork, 1.18.4) @@ -5168,7 +5169,15 @@ index 4edc40d..a69e038 100644 network_port(asterisk, tcp,1720,s0, udp,2427,s0, udp,2727,s0, udp,4569,s0) network_port(audit, tcp,60,s0) network_port(auth, tcp,113,s0) -@@ -107,7 +129,6 @@ network_port(commplex_main, tcp,5000,s0, udp,5000,s0) +@@ -96,6 +118,7 @@ network_port(boinc, tcp,31416,s0) + network_port(boinc_client, tcp,1043,s0, udp,1034,s0) + network_port(biff) # no defined portcon + network_port(certmaster, tcp,51235,s0) ++network_port(collectd, udp,25826,s0) + network_port(chronyd, udp,323,s0) + network_port(clamd, tcp,3310,s0) + network_port(clockspeed, udp,4041,s0) +@@ -107,7 +130,6 @@ network_port(commplex_main, tcp,5000,s0, udp,5000,s0) network_port(comsat, udp,512,s0) network_port(condor, tcp,9618,s0, udp,9618,s0) network_port(couchdb, tcp,5984,s0, udp,5984,s0) 
@@ -5176,7 +5185,7 @@ index 4edc40d..a69e038 100644 network_port(ctdb, tcp,4379,s0, udp,4397,s0) network_port(cvs, tcp,2401,s0, udp,2401,s0) network_port(cyphesis, tcp,6767,s0, tcp,6769,s0, tcp,6780-6799,s0, udp,32771,s0) -@@ -119,18 +140,23 @@ network_port(dhcpc, udp,68,s0, tcp,68,s0, udp,546,s0, tcp, 546,s0, udp,5546,s0, +@@ -119,18 +141,23 @@ network_port(dhcpc, udp,68,s0, tcp,68,s0, udp,546,s0, tcp, 546,s0, udp,5546,s0, network_port(dhcpd, udp,67,s0, udp,547,s0, tcp, 547,s0, udp,548,s0, tcp, 548,s0, tcp,647,s0, udp,647,s0, tcp,847,s0, udp,847,s0, tcp,7911,s0) network_port(dict, tcp,2628,s0) network_port(distccd, tcp,3632,s0) @@ -5201,7 +5210,7 @@ index 4edc40d..a69e038 100644 network_port(glance_registry, tcp,9191,s0, udp,9191,s0) network_port(gopher, tcp,70,s0, udp,70,s0) network_port(gpsd, tcp,2947,s0) -@@ -139,45 +165,51 @@ network_port(hadoop_namenode, tcp,8020,s0) +@@ -139,45 +166,51 @@ network_port(hadoop_namenode, tcp,8020,s0) network_port(hddtemp, tcp,7634,s0) network_port(howl, tcp,5335,s0, udp,5353,s0) network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0) @@ -5267,7 +5276,7 @@ index 4edc40d..a69e038 100644 network_port(msnp, tcp,1863,s0, udp,1863,s0) network_port(mssql, tcp,1433-1434,s0, udp,1433-1434,s0) network_port(ms_streaming, tcp,1755,s0, udp,1755,s0) -@@ -188,21 +220,28 @@ network_port(mysqlmanagerd, tcp,2273,s0) +@@ -188,21 +221,28 @@ network_port(mysqlmanagerd, tcp,2273,s0) network_port(nessus, tcp,1241,s0) network_port(netport, tcp,3129,s0, udp,3129,s0) network_port(netsupport, tcp,5404,s0, udp,5404,s0, tcp,5405,s0, udp,5405,s0) 
@@ -5299,7 +5308,7 @@ index 4edc40d..a69e038 100644 network_port(pktcable_cops, tcp,2126,s0, udp,2126,s0) network_port(pop, tcp,106,s0, tcp,109,s0, tcp,110,s0, tcp,143,s0, tcp,220,s0, tcp,993,s0, tcp,995,s0, tcp,1109,s0) network_port(portmap, udp,111,s0, tcp,111,s0) -@@ -214,38 +253,41 @@ network_port(prelude, tcp,4690,s0, udp,4690,s0) +@@ -214,38 +254,41 @@ network_port(prelude, tcp,4690,s0, udp,4690,s0) network_port(presence, tcp,5298-5299,s0, udp,5298-5299,s0) network_port(printer, tcp,515,s0) network_port(ptal, tcp,5703,s0) @@ -5347,7 +5356,7 @@ index 4edc40d..a69e038 100644 network_port(ssh, tcp,22,s0) network_port(stunnel) # no defined portcon network_port(svn, tcp,3690,s0, udp,3690,s0) -@@ -257,8 +299,9 @@ network_port(syslog_tls, tcp,6514,s0, udp,6514,s0) +@@ -257,8 +300,9 @@ network_port(syslog_tls, tcp,6514,s0, udp,6514,s0) network_port(tcs, tcp, 30003, s0) network_port(telnetd, tcp,23,s0) network_port(tftp, udp,69,s0) @@ -5358,7 +5367,7 @@ index 4edc40d..a69e038 100644 network_port(transproxy, tcp,8081,s0) network_port(trisoap, tcp,10200,s0, udp,10200,s0) network_port(ups, tcp,3493,s0) -@@ -268,10 +311,10 @@ network_port(varnishd, tcp,6081-6082,s0) +@@ -268,10 +312,10 @@ network_port(varnishd, tcp,6081-6082,s0) network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0) network_port(virtual_places, tcp,1533,s0, udp,1533,s0) network_port(virt_migration, tcp,49152-49216,s0) @@ -5371,7 +5380,7 @@ index 4edc40d..a69e038 100644 network_port(winshadow, tcp,3161,s0, udp,3261,s0) network_port(wsdapi, tcp,5357,s0, udp,5357,s0) network_port(wsicopy, tcp,3378,s0, udp,3378,s0) -@@ -292,12 +335,16 @@ network_port(zope, tcp,8021,s0) +@@ -292,12 +336,16 @@ network_port(zope, tcp,8021,s0) # Defaults for reserved ports. Earlier portcon entries take precedence; # these entries just cover any remaining reserved ports not otherwise declared. 
@@ -5390,7 +5399,7 @@ index 4edc40d..a69e038 100644 ######################################## # -@@ -330,6 +377,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh) +@@ -330,6 +378,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh) build_option(`enable_mls',` network_interface(lo, lo, s0 - mls_systemhigh) @@ -5399,7 +5408,7 @@ index 4edc40d..a69e038 100644 ',` typealias netif_t alias { lo_netif_t netif_lo_t }; ') -@@ -342,9 +391,24 @@ typealias netif_t alias { lo_netif_t netif_lo_t }; +@@ -342,9 +392,24 @@ typealias netif_t alias { lo_netif_t netif_lo_t }; allow corenet_unconfined_type node_type:node *; allow corenet_unconfined_type netif_type:netif *; allow corenet_unconfined_type packet_type:packet *; @@ -5451,10 +5460,10 @@ index 3f6e168..51ad69a 100644 ') diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc -index b31c054..3a628fe 100644 +index b31c054..3035b45 100644 --- a/policy/modules/kernel/devices.fc +++ b/policy/modules/kernel/devices.fc -@@ -15,15 +15,17 @@ +@@ -15,15 +15,18 @@ /dev/atibm -c gen_context(system_u:object_r:mouse_device_t,s0) /dev/audio.* -c gen_context(system_u:object_r:sound_device_t,s0) /dev/autofs.* -c gen_context(system_u:object_r:autofs_device_t,s0) 
@@ -5471,10 +5480,11 @@ index b31c054..3a628fe 100644 /dev/dmmidi.* -c gen_context(system_u:object_r:sound_device_t,s0) /dev/dsp.* -c gen_context(system_u:object_r:sound_device_t,s0) +/dev/ecryptfs -c gen_context(system_u:object_r:ecryptfs_device_t,mls_systemhigh) ++/dev/ptp.* -c gen_context(system_u:object_r:clock_device_t,s0) /dev/efirtc -c gen_context(system_u:object_r:clock_device_t,s0) /dev/elographics/e2201 -c gen_context(system_u:object_r:mouse_device_t,s0) /dev/em8300.* -c gen_context(system_u:object_r:v4l_device_t,s0) -@@ -61,7 +63,8 @@ +@@ -61,7 +64,8 @@ /dev/loop-control -c gen_context(system_u:object_r:loop_control_device_t,s0) /dev/lp.* -c gen_context(system_u:object_r:printer_device_t,s0) /dev/mcelog -c gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh) @@ -5484,7 +5494,15 @@ index b31c054..3a628fe 100644 /dev/mem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh) /dev/mergemem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh) /dev/mga_vid.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) -@@ -129,12 +132,14 @@ ifdef(`distro_suse', ` +@@ -118,6 +122,7 @@ + ifdef(`distro_suse', ` + /dev/usbscanner -c gen_context(system_u:object_r:scanner_device_t,s0) + ') ++/dev/vfio/vfio -c gen_context(system_u:object_r:vfio_device_t,s0) + /dev/vhost-net -c gen_context(system_u:object_r:vhost_device_t,s0) + /dev/vbi.* -c gen_context(system_u:object_r:v4l_device_t,s0) + /dev/vbox.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) +@@ -129,12 +134,14 @@ ifdef(`distro_suse', ` /dev/vttuner -c gen_context(system_u:object_r:v4l_device_t,s0) /dev/vtx.* -c gen_context(system_u:object_r:v4l_device_t,s0) /dev/watchdog.* -c gen_context(system_u:object_r:watchdog_device_t,s0) 
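Review bot: `/dev/vfio/vfio -c vfio_device_t` covers only the VFIO container node; the kernel also creates one character device per IOMMU group under `/dev/vfio/` with a numeric name, and with this entry alone those nodes presumably keep the generic device label, so a domain granted `dev_rw_vfio_dev` still cannot open the group device it actually needs. A pattern such as `/dev/vfio/.* -c gen_context(system_u:object_r:vfio_device_t,s0)` (or a separate `/dev/vfio/[0-9]+` entry) would label both; note that the `/dev/vfio` directory itself has no entry, which is what the `"vfio"` name transition in devices.if appears to rely on, so that should stay unlabeled on purpose. In the ptp hunk on the same line, `/dev/ptp.*` is placed before `/dev/efirtc`, breaking the file's sort order.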
@@ -5499,7 +5517,7 @@ index b31c054..3a628fe 100644 /dev/card.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) /dev/cmx.* -c gen_context(system_u:object_r:smartcard_device_t,s0) -@@ -198,12 +203,22 @@ ifdef(`distro_debian',` +@@ -198,12 +205,22 @@ ifdef(`distro_debian',` /lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0) /lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0) @@ -5525,7 +5543,7 @@ index b31c054..3a628fe 100644 +/usr/lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0) +/usr/lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0) diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if -index 76f285e..059e984 100644 +index 76f285e..09ccba4 100644 --- a/policy/modules/kernel/devices.if +++ b/policy/modules/kernel/devices.if @@ -143,13 +143,32 @@ interface(`dev_relabel_all_dev_nodes',` @@ -6424,7 +6442,7 @@ index 76f285e..059e984 100644 # -interface(`dev_manage_sysfs_dirs',` +interface(`dev_read_cpu_online',` - gen_require(` ++ gen_require(` + type cpu_online_t; + ') + @@ -6443,7 +6461,7 @@ index 76f285e..059e984 100644 +## +# +interface(`dev_relabel_cpu_online',` -+ gen_require(` + gen_require(` + type cpu_online_t; type sysfs_t; ') 
@@ -6457,11 +6475,81 @@ index 76f285e..059e984 100644 ######################################## ## ## Read hardware state information. -@@ -4016,6 +4445,62 @@ interface(`dev_rw_sysfs',` +@@ -4016,7 +4445,7 @@ interface(`dev_rw_sysfs',` ######################################## ## +-## Read and write the TPM device. +## Relabel hardware state directories. + ## + ## + ## +@@ -4024,58 +4453,114 @@ interface(`dev_rw_sysfs',` + ## + ## + # +-interface(`dev_rw_tpm',` ++interface(`dev_relabel_sysfs_dirs',` + gen_require(` +- type device_t, tpm_device_t; ++ type sysfs_t; + ') + +- rw_chr_files_pattern($1, device_t, tpm_device_t) ++ relabel_dirs_pattern($1, sysfs_t, sysfs_t) + ') + + ######################################## + ## +-## Read from pseudo random number generator devices (e.g., /dev/urandom). ++## Relabel hardware state files + ## +-## +-##

+-## Allow the specified domain to read from pseudo random number +-## generator devices (e.g., /dev/urandom). Typically this is +-## used in situations when a cryptographically secure random +-## number is not necessarily needed. One example is the Stack +-## Smashing Protector (SSP, formerly known as ProPolice) support +-## that may be compiled into programs. +-##

+-##

+-## Related interface: +-##

+-## +-##

+-## Related tunable: +-##

+-## +-##
+ ## + ## + ## Domain allowed access. + ## + ## +-## + # +-interface(`dev_read_urand',` ++interface(`dev_relabel_all_sysfs',` + gen_require(` +- type device_t, urandom_device_t; ++ type sysfs_t; + ') + +- read_chr_files_pattern($1, device_t, urandom_device_t) ++ relabel_dirs_pattern($1, sysfs_t, sysfs_t) ++ relabel_files_pattern($1, sysfs_t, sysfs_t) ++ relabel_lnk_files_pattern($1, sysfs_t, sysfs_t) + ') + + ######################################## + ## +-## Do not audit attempts to read from pseudo ++## Allow caller to modify hardware state information. +## +## +## @@ -6469,17 +6557,17 @@ index 76f285e..059e984 100644 +## +## +# -+interface(`dev_relabel_sysfs_dirs',` ++interface(`dev_manage_sysfs_dirs',` + gen_require(` + type sysfs_t; + ') + -+ relabel_dirs_pattern($1, sysfs_t, sysfs_t) ++ manage_dirs_pattern($1, sysfs_t, sysfs_t) +') + +######################################## +## -+## Relabel hardware state files ++## Read and write the TPM device. +## +## +## @@ -6487,37 +6575,59 @@ index 76f285e..059e984 100644 +## +## +# -+interface(`dev_relabel_all_sysfs',` ++interface(`dev_rw_tpm',` + gen_require(` -+ type sysfs_t; ++ type device_t, tpm_device_t; + ') + -+ relabel_dirs_pattern($1, sysfs_t, sysfs_t) -+ relabel_files_pattern($1, sysfs_t, sysfs_t) -+ relabel_lnk_files_pattern($1, sysfs_t, sysfs_t) ++ rw_chr_files_pattern($1, device_t, tpm_device_t) +') + +######################################## +## -+## Allow caller to modify hardware state information. ++## Read from pseudo random number generator devices (e.g., /dev/urandom). +## ++## ++##

++## Allow the specified domain to read from pseudo random number ++## generator devices (e.g., /dev/urandom). Typically this is ++## used in situations when a cryptographically secure random ++## number is not necessarily needed. One example is the Stack ++## Smashing Protector (SSP, formerly known as ProPolice) support ++## that may be compiled into programs. ++##

++##

++## Related interface: ++##

++##
    ++##
  • dev_read_rand()
  • ++##
++##

++## Related tunable: ++##

++##
    ++##
  • global_ssp
  • ++##
++##
+## +## +## Domain allowed access. +## +## ++## +# -+interface(`dev_manage_sysfs_dirs',` ++interface(`dev_read_urand',` + gen_require(` -+ type sysfs_t; ++ type device_t, urandom_device_t; + ') + -+ manage_dirs_pattern($1, sysfs_t, sysfs_t) ++ read_chr_files_pattern($1, device_t, urandom_device_t) +') + +######################################## +## - ## Read and write the TPM device. ++## Do not audit attempts to read from pseudo + ## random devices (e.g., /dev/urandom) ## ## @@ -4113,6 +4598,25 @@ interface(`dev_write_urand',` @@ -6546,7 +6656,193 @@ index 76f285e..059e984 100644 ## Getattr generic the USB devices. ##
## -@@ -4557,6 +5061,24 @@ interface(`dev_rw_vhost',` +@@ -4409,9 +4913,9 @@ interface(`dev_rw_usbfs',` + read_lnk_files_pattern($1, usbfs_t, usbfs_t) + ') + +-######################################## ++###################################### + ## +-## Get the attributes of video4linux devices. ++## Read and write userio device. + ## + ## + ## +@@ -4419,17 +4923,17 @@ interface(`dev_rw_usbfs',` + ## + ## + # +-interface(`dev_getattr_video_dev',` ++interface(`dev_rw_userio_dev',` + gen_require(` +- type device_t, v4l_device_t; ++ type device_t, userio_device_t; + ') + +- getattr_chr_files_pattern($1, device_t, v4l_device_t) ++ rw_chr_files_pattern($1, device_t, userio_device_t) + ') + +-###################################### ++######################################## + ## +-## Read and write userio device. ++## Get the attributes of video4linux devices. + ## + ## + ## +@@ -4437,12 +4941,12 @@ interface(`dev_getattr_video_dev',` + ## + ## + # +-interface(`dev_rw_userio_dev',` ++interface(`dev_getattr_video_dev',` + gen_require(` +- type device_t, userio_device_t; ++ type device_t, v4l_device_t; + ') + +- rw_chr_files_pattern($1, device_t, userio_device_t) ++ getattr_chr_files_pattern($1, device_t, v4l_device_t) + ') + + ######################################## +@@ -4539,6 +5043,134 @@ interface(`dev_write_video_dev',` + + ######################################## + ## ++## Get the attributes of vfio devices. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_getattr_vfio_dev',` ++ gen_require(` ++ type device_t, vfio_device_t; ++ ') ++ ++ getattr_chr_files_pattern($1, device_t, vfio_device_t) ++') ++ ++######################################## ++## ++## Do not audit attempts to get the attributes ++## of vfio device nodes. ++## ++## ++## ++## Domain to not audit. 
++## ++## ++# ++interface(`dev_dontaudit_getattr_vfio_dev',` ++ gen_require(` ++ type vfio_device_t; ++ ') ++ ++ dontaudit $1 vfio_device_t:chr_file getattr; ++') ++ ++######################################## ++## ++## Set the attributes of vfio device nodes. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_setattr_vfio_dev',` ++ gen_require(` ++ type device_t, vfio_device_t; ++ ') ++ ++ setattr_chr_files_pattern($1, device_t, vfio_device_t) ++') ++ ++######################################## ++## ++## Do not audit attempts to set the attributes ++## of vfio device nodes. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`dev_dontaudit_setattr_vfio_dev',` ++ gen_require(` ++ type vfio_device_t; ++ ') ++ ++ dontaudit $1 vfio_device_t:chr_file setattr; ++') ++ ++######################################## ++## ++## Read the vfio devices. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_read_vfio_dev',` ++ gen_require(` ++ type device_t, vfio_device_t; ++ ') ++ ++ read_chr_files_pattern($1, device_t, vfio_device_t) ++') ++ ++######################################## ++## ++## Write the vfio devices. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_write_vfio_dev',` ++ gen_require(` ++ type device_t, vfio_device_t; ++ ') ++ ++ write_chr_files_pattern($1, device_t, vfio_device_t) ++') ++ ++######################################## ++## ++## Read and write the VFIO devices. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_rw_vfio_dev',` ++ gen_require(` ++ type device_t, vfio_device_t; ++ ') ++ ++ rw_chr_files_pattern($1, device_t, vfio_device_t) ++') ++ ++######################################## ++## + ## Allow read/write the vhost net device + ## + ## +@@ -4557,6 +5189,24 @@ interface(`dev_rw_vhost',` ######################################## ## 
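Review bot: The new vfio interfaces document only the access mode (`Read the vfio devices`, `Write the vfio devices`) and never say what the node gives a caller; VFIO is the kernel's userspace-driver interface, so read/write (and the ioctl that comes with `rw_chr_files_pattern`) on these nodes is in practice direct control of the passed-through hardware, closer in sensitivity to `dev_rw_vhost` or raw device access than to an ordinary character device. Suggest a sentence on `dev_rw_vfio_dev` along the lines of `## Grants direct userspace control of VFIO-assigned devices; treat as hardware-level access.`, with the same hint on the read and write variants. While the block is being moved, the separator above `dev_rw_userio_dev` is the shorter form and could be normalised to the one every other interface uses.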
@@ -6571,7 +6867,7 @@ index 76f285e..059e984 100644 ## Read and write VMWare devices. ## ## -@@ -4762,6 +5284,26 @@ interface(`dev_rw_xserver_misc',` +@@ -4762,6 +5412,26 @@ interface(`dev_rw_xserver_misc',` ######################################## ## @@ -6598,7 +6894,7 @@ index 76f285e..059e984 100644 ## Read and write to the zero device (/dev/zero). ## ## -@@ -4851,3 +5393,937 @@ interface(`dev_unconfined',` +@@ -4851,3 +5521,943 @@ interface(`dev_unconfined',` typeattribute $1 devices_unconfined_type; ') @@ -6758,6 +7054,7 @@ index 76f285e..059e984 100644 + type dlm_control_device_t; + type clock_device_t; + type v4l_device_t; ++ type vfio_device_t; + type event_device_t; + type xen_device_t; + type framebuf_device_t; @@ -6901,7 +7198,12 @@ index 76f285e..059e984 100644 + filetrans_pattern($1, device_t, sound_device_t, chr_file, "dsp8") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "dsp9") + filetrans_pattern($1, device_t, clock_device_t, chr_file, "efirtc") ++ filetrans_pattern($1, device_t, clock_device_t, chr_file, "ptp0") ++ filetrans_pattern($1, device_t, clock_device_t, chr_file, "ptp1") ++ filetrans_pattern($1, device_t, clock_device_t, chr_file, "ptp2") ++ filetrans_pattern($1, device_t, clock_device_t, chr_file, "ptp3") + filetrans_pattern($1, device_t, mouse_device_t, chr_file, "e2201") ++ filetrans_pattern($1, device_t, vfio_device_t, chr_file, "vfio") + filetrans_pattern($1, device_t, v4l_device_t, chr_file, "em83000") + filetrans_pattern($1, device_t, v4l_device_t, chr_file, "em83001") + filetrans_pattern($1, device_t, v4l_device_t, chr_file, "em83002") @@ -7537,7 +7839,7 @@ index 76f285e..059e984 100644 + filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card9") +') diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te -index 6529bd9..cfec99c 100644 +index 6529bd9..831344c 100644 --- a/policy/modules/kernel/devices.te +++ b/policy/modules/kernel/devices.te 
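Review bot: The name transitions only cover `ptp0`..`ptp3`, while devices.fc labels `/dev/ptp.*`; a host with a fifth PTP clock (typically one per PTP-capable NIC) gets a node created as plain device_t until a relabel runs, so either extend the list or document the gap with `# only ptp0-3 get a transition; further clocks rely on restorecon`. The `"vfio"` transition assumes the `/dev/vfio` directory is itself labelled device_t, which holds only as long as devices.fc has no entry for the directory — worth a comment next to it. The enclosing interface starts and ends outside the hunk.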
@@ -15,11 +15,12 @@ attribute devices_unconfined_type; @@ -7603,7 +7905,17 @@ index 6529bd9..cfec99c 100644 # # Type for /dev/tpm # -@@ -274,6 +283,7 @@ dev_node(v4l_device_t) +@@ -266,6 +275,9 @@ dev_node(usbmon_device_t) + type userio_device_t; + dev_node(userio_device_t) + ++type vfio_device_t; ++dev_node(vfio_device_t) ++ + type v4l_device_t; + dev_node(v4l_device_t) + +@@ -274,6 +286,7 @@ dev_node(v4l_device_t) # type vhost_device_t; dev_node(vhost_device_t) @@ -7611,7 +7923,7 @@ index 6529bd9..cfec99c 100644 # Type for vmware devices. type vmware_device_t; -@@ -319,5 +329,5 @@ files_associate_tmp(device_node) +@@ -319,5 +332,5 @@ files_associate_tmp(device_node) # allow devices_unconfined_type self:capability sys_rawio; @@ -7757,7 +8069,7 @@ index 6a1e4d1..adafd25 100644 + dontaudit $1 domain:socket_class_set { read write }; ') diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te -index cf04cb5..ff7b3f4 100644 +index cf04cb5..3a38af0 100644 --- a/policy/modules/kernel/domain.te +++ b/policy/modules/kernel/domain.te @@ -4,6 +4,29 @@ policy_module(domain, 1.11.0) @@ -7790,11 +8102,13 @@ index cf04cb5..ff7b3f4 100644 ## ##
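Review bot: `type vfio_device_t; dev_node(vfio_device_t)` arrives without the one-line comment the neighbouring declarations carry (`# Type for /dev/tpm`, `# Type for vmware devices.`); add `# Type for VFIO device nodes (/dev/vfio/*)` above it so the type's scope is stated where it is declared.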

-@@ -86,23 +109,43 @@ neverallow ~{ domain unlabeled_t } *:process *; +@@ -86,23 +109,45 @@ neverallow ~{ domain unlabeled_t } *:process *; allow domain self:dir list_dir_perms; allow domain self:lnk_file { read_lnk_file_perms lock ioctl }; allow domain self:file rw_file_perms; +allow domain self:fifo_file rw_fifo_file_perms; ++allow domain self:sem create_sem_perms; ++allow domain self:shm create_shm_perms; + kernel_read_proc_symlinks(domain) +kernel_read_crypto_sysctls(domain) @@ -7835,7 +8149,7 @@ index cf04cb5..ff7b3f4 100644 ifdef(`hide_broken_symptoms',` # This check is in the general socket -@@ -121,8 +164,18 @@ tunable_policy(`global_ssp',` +@@ -121,8 +166,18 @@ tunable_policy(`global_ssp',` ') optional_policy(` @@ -7854,7 +8168,7 @@ index cf04cb5..ff7b3f4 100644 ') optional_policy(` -@@ -133,6 +186,8 @@ optional_policy(` +@@ -133,6 +188,8 @@ optional_policy(` optional_policy(` xserver_dontaudit_use_xdm_fds(domain) xserver_dontaudit_rw_xdm_pipes(domain) @@ -7863,7 +8177,7 @@ index cf04cb5..ff7b3f4 100644 ') ######################################## -@@ -147,12 +202,18 @@ optional_policy(` +@@ -147,12 +204,18 @@ optional_policy(` # Use/sendto/connectto sockets created by any domain. allow unconfined_domain_type domain:{ socket_class_set socket key_socket } *; @@ -7883,7 +8197,7 @@ index cf04cb5..ff7b3f4 100644 # Create/access any System V IPC objects. allow unconfined_domain_type domain:{ sem msgq shm } *; -@@ -166,5 +227,267 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock }; +@@ -166,5 +229,267 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock }; # act on all domains keys allow unconfined_domain_type domain:key *; @@ -8395,7 +8709,7 @@ index c2c6e05..be423a7 100644 +/nsr(/.*)? gen_context(system_u:object_r:var_t,s0) +/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0) 
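Review bot: `allow domain self:sem create_sem_perms;` and `allow domain self:shm create_shm_perms;` grant every domain in the policy full System V semaphore and shared-memory rights on its own objects. Because the target is `self` nothing crosses a domain boundary, but per-domain `self:sem`/`self:shm` rules elsewhere become redundant and denials that previously surfaced unexpected IPC use in a confined domain will no longer be logged; a comment stating that this is a deliberate policy-wide baseline, e.g. `# private SysV IPC is permitted for every domain; no per-domain rules needed`, would make the intent explicit. The surrounding `domain` rule block continues outside the hunk.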
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if -index 64ff4d7..87c124c 100644 +index 64ff4d7..9389e60 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -19,6 +19,136 @@ @@ -8543,7 +8857,7 @@ index 64ff4d7..87c124c 100644 ##

  • files_tmp_file()
  • ##
  • files_tmpfs_file()
  • ##
  • logging_log_file()
  • -@@ -125,30 +256,31 @@ interface(`files_security_file',` +@@ -125,44 +256,59 @@ interface(`files_security_file',` typeattribute $1 file_type, security_file_type, non_auth_file_type; ') 
@@ -8575,55 +8889,74 @@ index 64ff4d7..87c124c 100644 ######################################## ## - ## Make the specified type usable for +-## Make the specified type usable for -## filesystem mount points. -+## security file filesystem mount points. ++## Create a private type object in mountpoint dir ++## with an automatic type transition ## - ## +-## ++## ## -@@ -156,33 +288,33 @@ interface(`files_lock_file',` +-## Type to be used for mount points. ++## Domain allowed access. ++## ++## ++## ++## ++## The type of the object to be created. ++## ++## ++## ++## ++## The object class of the object being created. ++## ++## ++## ++## ++## The name of the object being created. ## ## # -interface(`files_mountpoint',` -+interface(`files_security_mountpoint',` ++interface(`files_mountpoint_filetrans',` gen_require(` attribute mountpoint; ') - files_type($1) -+ files_security_file($1) - typeattribute $1 mountpoint; +- typeattribute $1 mountpoint; ++ filetrans_pattern($1, mountpoint, $2, $3, $4) ') ######################################## +@@ -188,6 +334,26 @@ interface(`files_security_mountpoint',` + ######################################## ## ## Make the specified type usable for --## security file filesystem mount points. +## lock files. - ## - ## - ## --## Type to be used for mount points. ++## ++## ++## +## Type to be used for lock files. - ## - ## - # --interface(`files_security_mountpoint',` ++## ++## ++# +interface(`files_lock_file',` - gen_require(` -- attribute mountpoint; ++ gen_require(` + attribute lockfile; - ') - -- files_security_file($1) -- typeattribute $1 mountpoint; ++ ') ++ + files_type($1) + typeattribute $1 lockfile; - ') - - ######################################## -@@ -521,7 +653,7 @@ interface(`files_mounton_non_security',` ++') ++ ++######################################## ++## ++## Make the specified type usable for + ## runtime process ID files. 
+ ## + ## +@@ -521,7 +687,7 @@ interface(`files_mounton_non_security',` attribute non_security_file_type; ') @@ -8632,7 +8965,7 @@ index 64ff4d7..87c124c 100644 allow $1 non_security_file_type:file mounton; ') -@@ -620,6 +752,63 @@ interface(`files_dontaudit_getattr_non_security_files',` +@@ -620,6 +786,63 @@ interface(`files_dontaudit_getattr_non_security_files',` ######################################## ## @@ -8696,7 +9029,7 @@ index 64ff4d7..87c124c 100644 ## Read all files. ## ## -@@ -683,12 +872,82 @@ interface(`files_read_non_security_files',` +@@ -683,12 +906,82 @@ interface(`files_read_non_security_files',` attribute non_security_file_type; ') @@ -8779,7 +9112,7 @@ index 64ff4d7..87c124c 100644 ## Read all directories on the filesystem, except ## the listed exceptions. ## -@@ -953,6 +1212,25 @@ interface(`files_dontaudit_getattr_non_security_pipes',` +@@ -953,6 +1246,25 @@ interface(`files_dontaudit_getattr_non_security_pipes',` ######################################## ## @@ -8805,7 +9138,7 @@ index 64ff4d7..87c124c 100644 ## Get the attributes of all named sockets. ## ## -@@ -991,6 +1269,25 @@ interface(`files_dontaudit_getattr_all_sockets',` +@@ -991,6 +1303,25 @@ interface(`files_dontaudit_getattr_all_sockets',` ######################################## ## @@ -8831,7 +9164,7 @@ index 64ff4d7..87c124c 100644 ## Do not audit attempts to get the attributes ## of non security named sockets. ## -@@ -1073,10 +1370,8 @@ interface(`files_relabel_all_files',` +@@ -1073,10 +1404,8 @@ interface(`files_relabel_all_files',` relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 }) relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 }) relabel_sock_files_pattern($1, { file_type $2 }, { file_type $2 }) 
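Review bot: The summary for `files_mountpoint_filetrans` says it adds an automatic type transition, but `filetrans_pattern($1, mountpoint, $2, $3, $4)` — if it is the standard refpolicy support macro — also grants `$1` rw_dir_perms on every directory carrying the `mountpoint` attribute, which is at least as broad as `files_write_all_mountpoints` and is mentioned nowhere in the interface doc. Either state it in the description, e.g. `## Also allows the caller to read and write all mount point directories.`, or narrow the parent to the specific mount point type the callers need. The file-header and hunk context suggest this block replaces what used to become `files_security_mountpoint`; that rename's outcome is not visible here, so worth confirming no caller of the old name is left dangling.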
@@ -8844,7 +9177,7 @@ index 64ff4d7..87c124c 100644 # satisfy the assertions: seutil_relabelto_bin_policy($1) -@@ -1182,24 +1477,6 @@ interface(`files_list_all',` +@@ -1182,24 +1511,6 @@ interface(`files_list_all',` ######################################## ## @@ -8869,17 +9202,19 @@ index 64ff4d7..87c124c 100644 ## Do not audit attempts to search the ## contents of any directories on extended ## attribute filesystems. -@@ -1443,9 +1720,6 @@ interface(`files_relabel_non_auth_files',` +@@ -1443,10 +1754,7 @@ interface(`files_relabel_non_auth_files',` # device nodes with file types. relabelfrom_blk_files_pattern($1, non_auth_file_type, non_auth_file_type) relabelfrom_chr_files_pattern($1, non_auth_file_type, non_auth_file_type) - - # satisfy the assertions: - seutil_relabelto_bin_policy($1) - ') +-') ++') ############################################# -@@ -1583,6 +1857,24 @@ interface(`files_getattr_all_mountpoints',` + ## +@@ -1583,6 +1891,24 @@ interface(`files_getattr_all_mountpoints',` ######################################## ## 
@@ -8904,54 +9239,35 @@ index 64ff4d7..87c124c 100644 ## Set the attributes of all mount points. ## ## -@@ -1673,25 +1965,61 @@ interface(`files_dontaudit_list_all_mountpoints',` +@@ -1673,6 +1999,24 @@ interface(`files_dontaudit_list_all_mountpoints',` ######################################## ## --## Do not audit attempts to write to mount points. +## Write all mount points. - ## - ## - ## --## Domain to not audit. -+## Domain allowed access. - ## - ## - # --interface(`files_dontaudit_write_all_mountpoints',` -- gen_require(` -- attribute mountpoint; -- ') -+interface(`files_write_all_mountpoints',` -+ gen_require(` -+ attribute mountpoint; -+ ') - -- dontaudit $1 mountpoint:dir write; -+ allow $1 mountpoint:dir write; - ') - - ######################################## - ## --## List the contents of the root directory. -+## Do not audit attempts to write to mount points. +## +## +## -+## Domain to not audit. ++## Domain allowed access. +## +## +# -+interface(`files_dontaudit_write_all_mountpoints',` -+ gen_require(` -+ attribute mountpoint; -+ ') ++interface(`files_write_all_mountpoints',` ++ gen_require(` ++ attribute mountpoint; ++ ') + -+ dontaudit $1 mountpoint:dir write; ++ allow $1 mountpoint:dir write; +') + +######################################## +## + ## Do not audit attempts to write to mount points. + ## + ## +@@ -1691,6 +2035,24 @@ interface(`files_dontaudit_write_all_mountpoints',` + + ######################################## + ## +## Write all file type directories. +## +## @@ -8970,11 +9286,10 @@ index 64ff4d7..87c124c 100644 + +######################################## +## -+## List the contents of the root directory. + ## List the contents of the root directory. ## ## - ## -@@ -1874,25 +2202,25 @@ interface(`files_delete_root_dir_entry',` +@@ -1874,25 +2236,25 @@ interface(`files_delete_root_dir_entry',` ######################################## ## 
@@ -9006,7 +9321,7 @@ index 64ff4d7..87c124c 100644 ## ## ## -@@ -1905,7 +2233,7 @@ interface(`files_relabel_rootfs',` +@@ -1905,7 +2267,7 @@ interface(`files_relabel_rootfs',` type root_t; ') @@ -9015,7 +9330,7 @@ index 64ff4d7..87c124c 100644 ') ######################################## -@@ -1928,6 +2256,24 @@ interface(`files_unmount_rootfs',` +@@ -1928,6 +2290,24 @@ interface(`files_unmount_rootfs',` ######################################## ## @@ -9040,7 +9355,7 @@ index 64ff4d7..87c124c 100644 ## Get attributes of the /boot directory. ## ## -@@ -2627,6 +2973,24 @@ interface(`files_rw_etc_dirs',` +@@ -2627,6 +3007,24 @@ interface(`files_rw_etc_dirs',` allow $1 etc_t:dir rw_dir_perms; ') @@ -9065,7 +9380,7 @@ index 64ff4d7..87c124c 100644 ########################################## ## ## Manage generic directories in /etc -@@ -2698,6 +3062,7 @@ interface(`files_read_etc_files',` +@@ -2698,6 +3096,7 @@ interface(`files_read_etc_files',` allow $1 etc_t:dir list_dir_perms; read_files_pattern($1, etc_t, etc_t) read_lnk_files_pattern($1, etc_t, etc_t) @@ -9073,7 +9388,7 @@ index 64ff4d7..87c124c 100644 ') ######################################## -@@ -2706,7 +3071,7 @@ interface(`files_read_etc_files',` +@@ -2706,7 +3105,7 @@ interface(`files_read_etc_files',` ## ## ## @@ -9082,7 +9397,7 @@ index 64ff4d7..87c124c 100644 ## ## # -@@ -2762,6 +3127,25 @@ interface(`files_manage_etc_files',` +@@ -2762,6 +3161,25 @@ interface(`files_manage_etc_files',` ######################################## ## @@ -9108,7 +9423,7 @@ index 64ff4d7..87c124c 100644 ## Delete system configuration files in /etc. ## ## -@@ -2780,6 +3164,24 @@ interface(`files_delete_etc_files',` +@@ -2780,6 +3198,24 @@ interface(`files_delete_etc_files',` ######################################## ## 
@@ -9133,7 +9448,7 @@ index 64ff4d7..87c124c 100644 ## Execute generic files in /etc. ## ## -@@ -2945,24 +3347,6 @@ interface(`files_delete_boot_flag',` +@@ -2945,24 +3381,6 @@ interface(`files_delete_boot_flag',` ######################################## ## @@ -9158,7 +9473,7 @@ index 64ff4d7..87c124c 100644 ## Read files in /etc that are dynamically ## created on boot, such as mtab. ## -@@ -3003,9 +3387,7 @@ interface(`files_read_etc_runtime_files',` +@@ -3003,9 +3421,7 @@ interface(`files_read_etc_runtime_files',` ######################################## ## @@ -9169,7 +9484,7 @@ index 64ff4d7..87c124c 100644 ## ## ## -@@ -3013,18 +3395,17 @@ interface(`files_read_etc_runtime_files',` +@@ -3013,18 +3429,17 @@ interface(`files_read_etc_runtime_files',` ## ## # @@ -9191,7 +9506,7 @@ index 64ff4d7..87c124c 100644 ## ## ## -@@ -3042,6 +3423,26 @@ interface(`files_dontaudit_write_etc_runtime_files',` +@@ -3042,6 +3457,26 @@ interface(`files_dontaudit_write_etc_runtime_files',` ######################################## ## @@ -9218,7 +9533,7 @@ index 64ff4d7..87c124c 100644 ## Read and write files in /etc that are dynamically ## created on boot, such as mtab. ## -@@ -3059,6 +3460,7 @@ interface(`files_rw_etc_runtime_files',` +@@ -3059,6 +3494,7 @@ interface(`files_rw_etc_runtime_files',` allow $1 etc_t:dir list_dir_perms; rw_files_pattern($1, etc_t, etc_runtime_t) @@ -9226,7 +9541,7 @@ index 64ff4d7..87c124c 100644 ') ######################################## -@@ -3080,6 +3482,7 @@ interface(`files_manage_etc_runtime_files',` +@@ -3080,6 +3516,7 @@ interface(`files_manage_etc_runtime_files',` ') manage_files_pattern($1, { etc_t etc_runtime_t }, etc_runtime_t) @@ -9234,7 +9549,7 @@ index 64ff4d7..87c124c 100644 ') ######################################## -@@ -3132,6 +3535,25 @@ interface(`files_getattr_isid_type_dirs',` +@@ -3132,6 +3569,25 @@ interface(`files_getattr_isid_type_dirs',` ######################################## ## 
@@ -9260,7 +9575,7 @@ index 64ff4d7..87c124c 100644 ## Do not audit attempts to search directories on new filesystems ## that have not yet been labeled. ## -@@ -3208,6 +3630,25 @@ interface(`files_delete_isid_type_dirs',` +@@ -3208,6 +3664,25 @@ interface(`files_delete_isid_type_dirs',` ######################################## ## @@ -9286,7 +9601,7 @@ index 64ff4d7..87c124c 100644 ## Create, read, write, and delete directories ## on new filesystems that have not yet been labeled. ## -@@ -3455,6 +3896,25 @@ interface(`files_rw_isid_type_blk_files',` +@@ -3455,6 +3930,25 @@ interface(`files_rw_isid_type_blk_files',` ######################################## ## @@ -9312,7 +9627,7 @@ index 64ff4d7..87c124c 100644 ## Create, read, write, and delete block device nodes ## on new filesystems that have not yet been labeled. ## -@@ -3796,20 +4256,38 @@ interface(`files_list_mnt',` +@@ -3796,20 +4290,38 @@ interface(`files_list_mnt',` ###################################### ## @@ -9356,7 +9671,7 @@ index 64ff4d7..87c124c 100644 ') ######################################## -@@ -4199,156 +4677,176 @@ interface(`files_read_world_readable_sockets',` +@@ -4199,58 +4711,225 @@ interface(`files_read_world_readable_sockets',` allow $1 readable_t:sock_file read_sock_file_perms; ') @@ -9441,13 +9756,11 @@ index 64ff4d7..87c124c 100644 -interface(`files_dontaudit_getattr_tmp_dirs',` - gen_require(` - type tmp_t; -- ') +interface(`files_filetrans_system_conf_named_files',` + gen_require(` + type etc_t, system_conf_t; + ') - -- dontaudit $1 tmp_t:dir getattr; ++ + filetrans_pattern($1, etc_t, system_conf_t, file, "sysctl.conf") + filetrans_pattern($1, etc_t, system_conf_t, file, "sysctl.conf.old") + filetrans_pattern($1, etc_t, system_conf_t, file, "ebtables") 
@@ -9464,473 +9777,386 @@ index 64ff4d7..87c124c 100644 + filetrans_pattern($1, etc_t, system_conf_t, file, "ip6tables-config.old") + filetrans_pattern($1, etc_t, system_conf_t, file, "system-config-firewall") + filetrans_pattern($1, etc_t, system_conf_t, file, "system-config-firewall.old") - ') - --######################################## ++') ++ +###################################### - ## --## Search the tmp directory (/tmp). ++## +## Relabel manageable system configuration files in /etc. - ## - ## --## --## Domain allowed access. --## ++## ++## +## +## Domain allowed access. +## - ## - # --interface(`files_search_tmp',` -- gen_require(` -- type tmp_t; -- ') ++## ++# +interface(`files_relabelto_system_conf_files',` + gen_require(` + type usr_t; + ') - -- allow $1 tmp_t:dir search_dir_perms; ++ + relabelto_files_pattern($1, system_conf_t, system_conf_t) - ') - --######################################## ++') ++ +###################################### - ## --## Do not audit attempts to search the tmp directory (/tmp). ++## +## Relabel manageable system configuration files in /etc. - ## - ## --## --## Domain to not audit. --## ++## ++## +## +## Domain allowed access. +## - ## - # --interface(`files_dontaudit_search_tmp',` -- gen_require(` -- type tmp_t; -- ') ++## ++# +interface(`files_relabelfrom_system_conf_files',` + gen_require(` + type usr_t; + ') - -- dontaudit $1 tmp_t:dir search_dir_perms; ++ + relabelfrom_files_pattern($1, system_conf_t, system_conf_t) - ') - --######################################## ++') ++ +################################### - ## --## Read the tmp directory (/tmp). ++## +## Create files in /etc with the type used for +## the manageable system config files. - ## - ## --## --## Domain allowed access. --## ++## ++## +## +## The type of the process performing this action. 
+## - ## - # --interface(`files_list_tmp',` -- gen_require(` -- type tmp_t; -- ') ++## ++# +interface(`files_etc_filetrans_system_conf',` + gen_require(` + type etc_t, system_conf_t; + ') - -- allow $1 tmp_t:dir list_dir_perms; ++ + filetrans_pattern($1, etc_t, system_conf_t, file) - ') - - ######################################## - ## --## Do not audit listing of the tmp directory (/tmp). ++') ++ ++######################################## ++## +## Allow the specified type to associate +## to a filesystem with the type of the +## temporary directory (/tmp). - ## --## ++## +## - ## --## Domain not to audit. ++## +## Type of the file to associate. - ## - ## - # --interface(`files_dontaudit_list_tmp',` ++## ++## ++# +interface(`files_associate_tmp',` - gen_require(` - type tmp_t; - ') - -- dontaudit $1 tmp_t:dir list_dir_perms; ++ gen_require(` ++ type tmp_t; ++ ') ++ + allow $1 tmp_t:filesystem associate; - ') - - ######################################## - ## --## Remove entries from the tmp directory. ++') ++ ++######################################## ++## +## Allow the specified type to associate +## to a filesystem with the type of the +## / file system - ## --## ++## +## - ## --## Domain allowed access. ++## +## Type of the file to associate. - ## - ## - # --interface(`files_delete_tmp_dir_entry',` ++## ++## ++# +interface(`files_associate_rootfs',` - gen_require(` -- type tmp_t; ++ gen_require(` + type root_t; - ') - -- allow $1 tmp_t:dir del_entry_dir_perms; ++ ') ++ + allow $1 root_t:filesystem associate; - ') - - ######################################## - ## --## Read files in the tmp directory (/tmp). ++') ++ ++######################################## ++## +## Get the attributes of the tmp directory (/tmp). - ## - ## - ## -@@ -4356,53 +4854,56 @@ interface(`files_delete_tmp_dir_entry',` - ## - ## - # --interface(`files_read_generic_tmp_files',` ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# +interface(`files_getattr_tmp_dirs',` - gen_require(` - type tmp_t; - ') - -- read_files_pattern($1, tmp_t, tmp_t) ++ gen_require(` ++ type tmp_t; ++ ') ++ + read_lnk_files_pattern($1, tmp_t, tmp_t) + allow $1 tmp_t:dir getattr; - ') - - ######################################## - ## --## Manage temporary directories in /tmp. ++') ++ ++######################################## ++## +## Do not audit attempts to check the +## access on tmp files - ## - ## - ## --## Domain allowed access. ++## ++## ++## +## Domain to not audit. - ## - ## - # --interface(`files_manage_generic_tmp_dirs',` ++## ++## ++# +interface(`files_dontaudit_access_check_tmp',` - gen_require(` -- type tmp_t; ++ gen_require(` + type etc_t; - ') - -- manage_dirs_pattern($1, tmp_t, tmp_t) ++ ') ++ + dontaudit $1 tmp_t:dir_file_class_set audit_access; - ') - - ######################################## - ## --## Manage temporary files and directories in /tmp. ++') ++ ++######################################## ++## +## Do not audit attempts to get the +## attributes of the tmp directory (/tmp). - ## - ## - ## --## Domain allowed access. ++## ++## ++## +## Domain to not audit. - ## - ## - # --interface(`files_manage_generic_tmp_files',` ++## ++## ++# +interface(`files_dontaudit_getattr_tmp_dirs',` - gen_require(` - type tmp_t; ++ gen_require(` ++ type tmp_t; ') -- manage_files_pattern($1, tmp_t, tmp_t) -+ dontaudit $1 tmp_t:dir getattr; - ') - - ######################################## - ## --## Read symbolic links in the tmp directory (/tmp). -+## Search the tmp directory (/tmp). 
- ## - ## - ## -@@ -4410,35 +4911,36 @@ interface(`files_manage_generic_tmp_files',` - ## - ## - # --interface(`files_read_generic_tmp_symlinks',` -+interface(`files_search_tmp',` - gen_require(` + dontaudit $1 tmp_t:dir getattr; +@@ -4271,6 +4950,7 @@ interface(`files_search_tmp',` type tmp_t; ') - read_lnk_files_pattern($1, tmp_t, tmp_t) -+ allow $1 tmp_t:dir search_dir_perms; ++ read_lnk_files_pattern($1, tmp_t, tmp_t) + allow $1 tmp_t:dir search_dir_perms; ') - ######################################## - ## --## Read and write generic named sockets in the tmp directory (/tmp). -+## Do not audit attempts to search the tmp directory (/tmp). - ## - ## - ## --## Domain allowed access. -+## Domain to not audit. - ## - ## - # --interface(`files_rw_generic_tmp_sockets',` -+interface(`files_dontaudit_search_tmp',` - gen_require(` +@@ -4307,6 +4987,7 @@ interface(`files_list_tmp',` type tmp_t; ') -- rw_sock_files_pattern($1, tmp_t, tmp_t) -+ dontaudit $1 tmp_t:dir search_dir_perms; - ') - - ######################################## - ## --## Set the attributes of all tmp directories. -+## Read the tmp directory (/tmp). - ## - ## - ## -@@ -4446,77 +4948,74 @@ interface(`files_rw_generic_tmp_sockets',` - ## - ## - # --interface(`files_setattr_all_tmp_dirs',` -+interface(`files_list_tmp',` - gen_require(` -- attribute tmpfile; -+ type tmp_t; - ') - -- allow $1 tmpfile:dir { search_dir_perms setattr }; + read_lnk_files_pattern($1, tmp_t, tmp_t) -+ allow $1 tmp_t:dir list_dir_perms; + allow $1 tmp_t:dir list_dir_perms; ') - ######################################## - ## --## List all tmp directories. -+## Do not audit listing of the tmp directory (/tmp). +@@ -4316,7 +4997,7 @@ interface(`files_list_tmp',` ## ## ## --## Domain allowed access. +-## Domain not to audit. +## Domain to not audit. 
## ## # --interface(`files_list_all_tmp',` -+interface(`files_dontaudit_list_tmp',` - gen_require(` -- attribute tmpfile; -+ type tmp_t; - ') - -- allow $1 tmpfile:dir list_dir_perms; -+ dontaudit $1 tmp_t:dir list_dir_perms; +@@ -4328,6 +5009,25 @@ interface(`files_dontaudit_list_tmp',` + dontaudit $1 tmp_t:dir list_dir_perms; ') --######################################## +####################################### - ## --## Relabel to and from all temporary --## directory types. ++## +## Allow read and write to the tmp directory (/tmp). - ## - ## --## --## Domain allowed access. --## ++## ++## +## +## Domain not to audit. +## - ## --## - # --interface(`files_relabel_all_tmp_dirs',` -- gen_require(` -- attribute tmpfile; -- type var_t; -- ') ++## ++# +interface(`files_rw_generic_tmp_dir',` + gen_require(` + type tmp_t; + ') - -- allow $1 var_t:dir search_dir_perms; -- relabel_dirs_pattern($1, tmpfile, tmpfile) ++ + files_search_tmp($1) + allow $1 tmp_t:dir rw_dir_perms; - ') - ++') ++ ######################################## ## --## Do not audit attempts to get the attributes --## of all tmp files. -+## Remove entries from the tmp directory. - ## - ## - ## --## Domain not to audit. -+## Domain allowed access. - ## - ## - # --interface(`files_dontaudit_getattr_all_tmp_files',` -+interface(`files_delete_tmp_dir_entry',` - gen_require(` -- attribute tmpfile; -+ type tmp_t; + ## Remove entries from the tmp directory. +@@ -4343,6 +5043,7 @@ interface(`files_delete_tmp_dir_entry',` + type tmp_t; ') -- dontaudit $1 tmpfile:file getattr; + files_search_tmp($1) -+ allow $1 tmp_t:dir del_entry_dir_perms; + allow $1 tmp_t:dir del_entry_dir_perms; ') +@@ -4384,6 +5085,32 @@ interface(`files_manage_generic_tmp_dirs',` + ######################################## ## --## Allow attempts to get the attributes --## of all tmp files. -+## Read files in the tmp directory (/tmp). ++## Allow shared library text relocations in tmp files. ++## ++## ++##

    ++## Allow shared library text relocations in tmp files. ++##

    ++##

    ++## This is added to support java policy. ++##

    ++##
    ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_execmod_tmp',` ++ gen_require(` ++ attribute tmpfile; ++ ') ++ ++ allow $1 tmpfile:file execmod; ++') ++ ++######################################## ++## + ## Manage temporary files and directories in /tmp. ## ## - ## -@@ -4524,58 +5023,61 @@ interface(`files_dontaudit_getattr_all_tmp_files',` - ## - ## - # --interface(`files_getattr_all_tmp_files',` -+interface(`files_read_generic_tmp_files',` - gen_require(` -- attribute tmpfile; -+ type tmp_t; - ') - -- allow $1 tmpfile:file getattr; -+ read_files_pattern($1, tmp_t, tmp_t) - ') +@@ -4438,6 +5165,42 @@ interface(`files_rw_generic_tmp_sockets',` ######################################## ## --## Relabel to and from all temporary --## file types. -+## Manage temporary directories in /tmp. ++## Relabel a dir from the type used in /tmp. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_relabelfrom_tmp_dirs',` ++ gen_require(` ++ type tmp_t; ++ ') ++ ++ relabelfrom_dirs_pattern($1, tmp_t, tmp_t) ++') ++ ++######################################## ++## ++## Relabel a file from the type used in /tmp. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_relabelfrom_tmp_files',` ++ gen_require(` ++ type tmp_t; ++ ') ++ ++ relabelfrom_files_pattern($1, tmp_t, tmp_t) ++') ++ ++######################################## ++## + ## Set the attributes of all tmp directories. ## ## - ## - ## Domain allowed access. - ## - ## --## - # --interface(`files_relabel_all_tmp_files',` -+interface(`files_manage_generic_tmp_dirs',` - gen_require(` -- attribute tmpfile; -- type var_t; -+ type tmp_t; - ') - -- allow $1 var_t:dir search_dir_perms; -- relabel_files_pattern($1, tmpfile, tmpfile) -+ manage_dirs_pattern($1, tmp_t, tmp_t) - ') +@@ -4456,6 +5219,60 @@ interface(`files_setattr_all_tmp_dirs',` ######################################## ## --## Do not audit attempts to get the attributes --## of all tmp sock_file. 
-+## Allow shared library text relocations in tmp files. ++## Allow caller to read inherited tmp files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_read_inherited_tmp_files',` ++ gen_require(` ++ attribute tmpfile; ++ ') ++ ++ allow $1 tmpfile:file { append read_inherited_file_perms }; ++') ++ ++######################################## ++## ++## Allow caller to append inherited tmp files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_append_inherited_tmp_files',` ++ gen_require(` ++ attribute tmpfile; ++ ') ++ ++ allow $1 tmpfile:file append_inherited_file_perms; ++') ++ ++######################################## ++## ++## Allow caller to read and write inherited tmp files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_rw_inherited_tmp_file',` ++ gen_require(` ++ attribute tmpfile; ++ ') ++ ++ allow $1 tmpfile:file rw_inherited_file_perms; ++') ++ ++######################################## ++## + ## List all tmp directories. + ## + ## +@@ -4501,7 +5318,7 @@ interface(`files_relabel_all_tmp_dirs',` ##
    -+## -+##

    -+## Allow shared library text relocations in tmp files. -+##

    -+##

    -+## This is added to support java policy. -+##

    -+##
    ## ## -## Domain not to audit. -+## Domain allowed access. ++## Domain to not audit. ## ## # --interface(`files_dontaudit_getattr_all_tmp_sockets',` -+interface(`files_execmod_tmp',` - gen_require(` - attribute tmpfile; - ') - -- dontaudit $1 tmpfile:sock_file getattr; -+ allow $1 tmpfile:file execmod; - ') - - ######################################## - ## --## Read all tmp files. -+## Manage temporary files and directories in /tmp. +@@ -4561,7 +5378,7 @@ interface(`files_relabel_all_tmp_files',` ## ## ## -@@ -4583,51 +5085,35 @@ interface(`files_dontaudit_getattr_all_tmp_sockets',` +-## Domain not to audit. ++## Domain to not audit. ## ## # --interface(`files_read_all_tmp_files',` -+interface(`files_manage_generic_tmp_files',` - gen_require(` -- attribute tmpfile; -+ type tmp_t; - ') - -- read_files_pattern($1, tmpfile, tmpfile) -+ manage_files_pattern($1, tmp_t, tmp_t) - ') +@@ -4593,59 +5410,107 @@ interface(`files_read_all_tmp_files',` ######################################## ## -## Create an object in the tmp directories, with a private -## type using a type transition. -+## Read symbolic links in the tmp directory (/tmp). ++## Do not audit attempts to read or write ++## all leaked tmpfiles files. ## ## ## - ## Domain allowed access. - ## - ## +-## Domain allowed access. +-##
    +-## -## -## -## The type of the object to be created. 
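Review bot: The gen_require blocks of three interfaces kept on the new side of this hunk name the wrong type, so any module that calls them without already requiring the real type will fail the scope check at link time: `files_relabelto_system_conf_files` and `files_relabelfrom_system_conf_files` declare `type usr_t;` but operate on `system_conf_t`, and `files_dontaudit_access_check_tmp` declares `type etc_t;` but dontaudits `tmp_t`. Those lines are carried over unchanged by the commit rather than introduced by it; the fix is `type system_conf_t;` in the two relabel interfaces and `type tmp_t;` in the access-check one. Separately, several interfaces grant more than their name promises, which matters when callers are audited for least privilege: `files_getattr_tmp_dirs` adds `read_lnk_files_pattern($1, tmp_t, tmp_t)` to a getattr interface, `files_read_inherited_tmp_files` grants `{ append read_inherited_file_perms }`, and `files_rw_generic_tmp_dir` is an `allow` whose summary still reads "Domain not to audit". If the extra permissions are intentional the interface summaries should say so explicitly; otherwise they should be dropped or moved into separately named interfaces.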
@@ -9944,2805 +10170,815 @@ index 64ff4d7..87c124c 100644 -## -## -## The name of the object being created. --## --## ++## Domain to not audit. + ## + ## # -interface(`files_tmp_filetrans',` -+interface(`files_read_generic_tmp_symlinks',` ++interface(`files_dontaudit_tmp_file_leaks',` gen_require(` - type tmp_t; +- type tmp_t; ++ attribute tmpfile; ') - filetrans_pattern($1, tmp_t, $2, $3, $4) -+ read_lnk_files_pattern($1, tmp_t, tmp_t) ++ dontaudit $1 tmpfile:file rw_inherited_file_perms; ') ######################################## ## -## Delete the contents of /tmp. -+## Read and write generic named sockets in the tmp directory (/tmp). ++## Do allow attempts to read or write ++## all leaked tmpfiles files. ## ## ## -@@ -4635,22 +5121,17 @@ interface(`files_tmp_filetrans',` +-## Domain allowed access. ++## Domain to not audit. ## ## # -interface(`files_purge_tmp',` -+interface(`files_rw_generic_tmp_sockets',` ++interface(`files_rw_tmp_file_leaks',` gen_require(` -- attribute tmpfile; -+ type tmp_t; + attribute tmpfile; ') - allow $1 tmpfile:dir list_dir_perms; - delete_dirs_pattern($1, tmpfile, tmpfile) -- delete_files_pattern($1, tmpfile, tmpfile) -- delete_lnk_files_pattern($1, tmpfile, tmpfile) -- delete_fifo_files_pattern($1, tmpfile, tmpfile) -- delete_sock_files_pattern($1, tmpfile, tmpfile) -+ rw_sock_files_pattern($1, tmp_t, tmp_t) ++ allow $1 tmpfile:file rw_inherited_file_perms; ++') ++ ++######################################## ++## ++## Create an object in the tmp directories, with a private ++## type using a type transition. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## The type of the object to be created. ++## ++## ++## ++## ++## The object class of the object being created. ++## ++## ++## ++## ++## The name of the object being created. 
++## ++## ++# ++interface(`files_tmp_filetrans',` ++ gen_require(` ++ type tmp_t; ++ ') ++ ++ filetrans_pattern($1, tmp_t, $2, $3, $4) ++') ++ ++######################################## ++## ++## Delete the contents of /tmp. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_purge_tmp',` ++ gen_require(` ++ attribute tmpfile; ++ ') ++ ++ allow $1 tmpfile:dir list_dir_perms; ++ delete_dirs_pattern($1, tmpfile, tmpfile) + delete_files_pattern($1, tmpfile, tmpfile) + delete_lnk_files_pattern($1, tmpfile, tmpfile) + delete_fifo_files_pattern($1, tmpfile, tmpfile) + delete_sock_files_pattern($1, tmpfile, tmpfile) ++ delete_chr_files_pattern($1, tmpfile, tmpfile) ++ delete_blk_files_pattern($1, tmpfile, tmpfile) ++ files_list_isid_type_dirs($1) ++ files_delete_isid_type_dirs($1) ++ files_delete_isid_type_files($1) ++ files_delete_isid_type_symlinks($1) ++ files_delete_isid_type_fifo_files($1) ++ files_delete_isid_type_sock_files($1) ++ files_delete_isid_type_blk_files($1) ++ files_delete_isid_type_chr_files($1) ') ######################################## +@@ -5223,6 +6088,24 @@ interface(`files_list_var',` + + ######################################## ## --## Set the attributes of the /usr directory. -+## Relabel a dir from the type used in /tmp. ++## Do not audit listing of the var directory (/var). ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`files_dontaudit_list_var',` ++ gen_require(` ++ type var_t; ++ ') ++ ++ dontaudit $1 var_t:dir list_dir_perms; ++') ++ ++######################################## ++## + ## Create, read, write, and delete directories + ## in the /var directory. 
## - ## - ## -@@ -4658,17 +5139,17 @@ interface(`files_purge_tmp',` - ## - ## - # --interface(`files_setattr_usr_dirs',` -+interface(`files_relabelfrom_tmp_dirs',` - gen_require(` -- type usr_t; -+ type tmp_t; - ') - -- allow $1 usr_t:dir setattr; -+ relabelfrom_dirs_pattern($1, tmp_t, tmp_t) +@@ -5578,6 +6461,25 @@ interface(`files_read_var_lib_symlinks',` + read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t) ') ++######################################## ++## ++## manage generic symbolic links ++## in the /var/lib directory. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_manage_var_lib_symlinks',` ++ gen_require(` ++ type var_lib_t; ++ ') ++ ++ manage_lnk_files_pattern($1,var_lib_t,var_lib_t) ++') ++ + # cjp: the next two interfaces really need to be fixed + # in some way. They really neeed their own types. + +@@ -5623,7 +6525,7 @@ interface(`files_manage_mounttab',` + ######################################## ## --## Search the content of /usr. -+## Relabel a file from the type used in /tmp. +-## Set the attributes of the generic lock directories. ++## List generic lock directories. ## ## ## -@@ -4676,18 +5157,17 @@ interface(`files_setattr_usr_dirs',` +@@ -5631,12 +6533,13 @@ interface(`files_manage_mounttab',` ## ## # --interface(`files_search_usr',` -+interface(`files_relabelfrom_tmp_files',` +-interface(`files_setattr_lock_dirs',` ++interface(`files_list_locks',` gen_require(` -- type usr_t; -+ type tmp_t; + type var_t, var_lock_t; ') -- allow $1 usr_t:dir search_dir_perms; -+ relabelfrom_files_pattern($1, tmp_t, tmp_t) +- setattr_dirs_pattern($1, var_t, var_lock_t) ++ files_search_locks($1) ++ list_dirs_pattern($1, var_t, var_lock_t) ') ######################################## - ## --## List the contents of generic --## directories in /usr. -+## Set the attributes of all tmp directories. 
- ## - ## - ## -@@ -4695,35 +5175,35 @@ interface(`files_search_usr',` - ## - ## - # --interface(`files_list_usr',` -+interface(`files_setattr_all_tmp_dirs',` - gen_require(` -- type usr_t; -+ attribute tmpfile; +@@ -5654,6 +6557,7 @@ interface(`files_search_locks',` + type var_t, var_lock_t; ') -- allow $1 usr_t:dir list_dir_perms; -+ allow $1 tmpfile:dir { search_dir_perms setattr }; ++ files_search_pids($1) + allow $1 var_lock_t:lnk_file read_lnk_file_perms; + search_dirs_pattern($1, var_t, var_lock_t) ') +@@ -5680,7 +6584,26 @@ interface(`files_dontaudit_search_locks',` ######################################## ## --## Do not audit write of /usr dirs -+## Allow caller to read inherited tmp files. +-## List generic lock directories. ++## Do not audit attempts to read/write inherited ++## locks (/var/lock). ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`files_dontaudit_rw_inherited_locks',` ++ gen_require(` ++ type var_lock_t; ++ ') ++ ++ dontaudit $1 var_lock_t:file rw_inherited_file_perms; ++') ++ ++######################################## ++## ++## Set the attributes of the /var/lock directory. ## ## ## --## Domain to not audit. -+## Domain allowed access. +@@ -5688,13 +6611,12 @@ interface(`files_dontaudit_search_locks',` ## ## # --interface(`files_dontaudit_write_usr_dirs',` -+interface(`files_read_inherited_tmp_files',` +-interface(`files_list_locks',` ++interface(`files_setattr_lock_dirs',` gen_require(` -- type usr_t; -+ attribute tmpfile; +- type var_t, var_lock_t; ++ type var_lock_t; ') -- dontaudit $1 usr_t:dir write; -+ allow $1 tmpfile:file { append read_inherited_file_perms }; +- allow $1 var_lock_t:lnk_file read_lnk_file_perms; +- list_dirs_pattern($1, var_t, var_lock_t) ++ allow $1 var_lock_t:dir setattr; ') ######################################## - ## --## Add and remove entries from /usr directories. -+## Allow caller to append inherited tmp files. 
- ## - ## - ## -@@ -4731,36 +5211,35 @@ interface(`files_dontaudit_write_usr_dirs',` - ## - ## - # --interface(`files_rw_usr_dirs',` -+interface(`files_append_inherited_tmp_files',` - gen_require(` -- type usr_t; -+ attribute tmpfile; +@@ -5713,7 +6635,7 @@ interface(`files_rw_lock_dirs',` + type var_t, var_lock_t; ') -- allow $1 usr_t:dir rw_dir_perms; -+ allow $1 tmpfile:file append_inherited_file_perms; +- allow $1 var_lock_t:lnk_file read_lnk_file_perms; ++ files_search_locks($1) + rw_dirs_pattern($1, var_t, var_lock_t) ') - ######################################## - ## --## Do not audit attempts to add and remove --## entries from /usr directories. -+## Allow caller to read and write inherited tmp files. - ## - ## - ## --## Domain to not audit. -+## Domain allowed access. +@@ -5746,7 +6668,6 @@ interface(`files_create_lock_dirs',` + ## Domain allowed access. ## ## +-## # --interface(`files_dontaudit_rw_usr_dirs',` -+interface(`files_rw_inherited_tmp_file',` + interface(`files_relabel_all_lock_dirs',` gen_require(` -- type usr_t; -+ attribute tmpfile; +@@ -5774,8 +6695,7 @@ interface(`files_getattr_generic_locks',` + type var_t, var_lock_t; ') -- dontaudit $1 usr_t:dir rw_dir_perms; -+ allow $1 tmpfile:file rw_inherited_file_perms; +- allow $1 var_t:dir search_dir_perms; +- allow $1 var_lock_t:lnk_file read_lnk_file_perms; ++ files_search_locks($1) + allow $1 var_lock_t:dir list_dir_perms; + getattr_files_pattern($1, var_lock_t, var_lock_t) ') - - ######################################## - ## --## Delete generic directories in /usr in the caller domain. -+## List all tmp directories. 
- ## - ## - ## -@@ -4768,111 +5247,100 @@ interface(`files_dontaudit_rw_usr_dirs',` - ## +@@ -5791,13 +6711,12 @@ interface(`files_getattr_generic_locks',` ## # --interface(`files_delete_usr_dirs',` -+interface(`files_list_all_tmp',` - gen_require(` -- type usr_t; -+ attribute tmpfile; - ') + interface(`files_delete_generic_locks',` +- gen_require(` ++ gen_require(` + type var_t, var_lock_t; +- ') ++ ') -- delete_dirs_pattern($1, usr_t, usr_t) -+ allow $1 tmpfile:dir list_dir_perms; +- allow $1 var_t:dir search_dir_perms; +- allow $1 var_lock_t:lnk_file read_lnk_file_perms; +- delete_files_pattern($1, var_lock_t, var_lock_t) ++ files_search_locks($1) ++ delete_files_pattern($1, var_lock_t, var_lock_t) ') ######################################## - ## --## Delete generic files in /usr in the caller domain. -+## Relabel to and from all temporary -+## directory types. - ## - ## - ## - ## Domain allowed access. - ## - ## -+## - # --interface(`files_delete_usr_files',` -+interface(`files_relabel_all_tmp_dirs',` - gen_require(` -- type usr_t; -+ attribute tmpfile; -+ type var_t; +@@ -5816,9 +6735,7 @@ interface(`files_manage_generic_locks',` + type var_t, var_lock_t; ') -- delete_files_pattern($1, usr_t, usr_t) -+ allow $1 var_t:dir search_dir_perms; -+ relabel_dirs_pattern($1, tmpfile, tmpfile) +- allow $1 var_t:dir search_dir_perms; +- allow $1 var_lock_t:lnk_file read_lnk_file_perms; +- manage_dirs_pattern($1, var_lock_t, var_lock_t) ++ files_search_locks($1) + manage_files_pattern($1, var_lock_t, var_lock_t) + ') + +@@ -5860,8 +6777,7 @@ interface(`files_read_all_locks',` + type var_t, var_lock_t; + ') + +- allow $1 var_lock_t:lnk_file read_lnk_file_perms; +- allow $1 { var_t var_lock_t }:dir search_dir_perms; ++ files_search_locks($1) + allow $1 lockfile:dir list_dir_perms; + read_files_pattern($1, lockfile, lockfile) + read_lnk_files_pattern($1, lockfile, lockfile) +@@ -5883,8 +6799,7 @@ interface(`files_manage_all_locks',` + type var_t, var_lock_t; + ') + +- allow 
$1 var_lock_t:lnk_file read_lnk_file_perms; +- allow $1 { var_t var_lock_t }:dir search_dir_perms; ++ files_search_locks($1) + manage_dirs_pattern($1, lockfile, lockfile) + manage_files_pattern($1, lockfile, lockfile) + manage_lnk_files_pattern($1, lockfile, lockfile) +@@ -5921,8 +6836,7 @@ interface(`files_lock_filetrans',` + type var_t, var_lock_t; + ') + +- allow $1 var_t:dir search_dir_perms; +- allow $1 var_lock_t:lnk_file read_lnk_file_perms; ++ files_search_locks($1) + filetrans_pattern($1, var_lock_t, $2, $3, $4) + ') + +@@ -5961,7 +6875,7 @@ interface(`files_setattr_pid_dirs',` + type var_run_t; + ') + +- allow $1 var_run_t:lnk_file read_lnk_file_perms; ++ files_search_pids($1) + allow $1 var_run_t:dir setattr; + ') + +@@ -5981,10 +6895,48 @@ interface(`files_search_pids',` + type var_t, var_run_t; + ') + ++ allow $1 var_t:lnk_file read_lnk_file_perms; + allow $1 var_run_t:lnk_file read_lnk_file_perms; + search_dirs_pattern($1, var_t, var_run_t) ') ++###################################### ++## ++## Add and remove entries from pid directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_rw_pid_dirs',` ++ gen_require(` ++ type var_run_t; ++ ') ++ ++ allow $1 var_run_t:dir rw_dir_perms; ++') ++ ++####################################### ++## ++## Create generic pid directory. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_create_var_run_dirs',` ++ gen_require(` ++ type var_t, var_run_t; ++ ') ++ ++ allow $1 var_t:dir search_dir_perms; ++ allow $1 var_run_t:dir create_dir_perms; ++') ++ + ######################################## + ## + ## Do not audit attempts to search +@@ -6007,6 +6959,25 @@ interface(`files_dontaudit_search_pids',` + ######################################## ## --## Get the attributes of files in /usr. -+## Do not audit attempts to get the attributes -+## of all tmp files. - ## - ## - ## --## Domain allowed access. 
++## Do not audit attempts to search ++## the all /var/run directory. ++## ++## ++## +## Domain to not audit. - ## - ## - # --interface(`files_getattr_usr_files',` -+interface(`files_dontaudit_getattr_all_tmp_files',` - gen_require(` -- type usr_t; -+ attribute tmpfile; ++## ++## ++# ++interface(`files_dontaudit_search_all_pids',` ++ gen_require(` ++ attribute pidfile; ++ ') ++ ++ dontaudit $1 pidfile:dir search_dir_perms; ++') ++ ++######################################## ++## + ## List the contents of the runtime process + ## ID directories (/var/run). + ## +@@ -6021,7 +6992,7 @@ interface(`files_list_pids',` + type var_t, var_run_t; + ') + +- allow $1 var_run_t:lnk_file read_lnk_file_perms; ++ files_search_pids($1) + list_dirs_pattern($1, var_t, var_run_t) + ') + +@@ -6040,7 +7011,7 @@ interface(`files_read_generic_pids',` + type var_t, var_run_t; + ') + +- allow $1 var_run_t:lnk_file read_lnk_file_perms; ++ files_search_pids($1) + list_dirs_pattern($1, var_t, var_run_t) + read_files_pattern($1, var_run_t, var_run_t) + ') +@@ -6060,7 +7031,7 @@ interface(`files_write_generic_pid_pipes',` + type var_run_t; + ') + +- allow $1 var_run_t:lnk_file read_lnk_file_perms; ++ files_search_pids($1) + allow $1 var_run_t:fifo_file write; + ') + +@@ -6122,7 +7093,6 @@ interface(`files_pid_filetrans',` + ') + + allow $1 var_t:dir search_dir_perms; +- allow $1 var_run_t:lnk_file read_lnk_file_perms; + filetrans_pattern($1, var_run_t, $2, $3, $4) + ') + +@@ -6164,7 +7134,7 @@ interface(`files_rw_generic_pids',` + type var_t, var_run_t; ') -- getattr_files_pattern($1, usr_t, usr_t) -+ dontaudit $1 tmpfile:file getattr; +- allow $1 var_run_t:lnk_file read_lnk_file_perms; ++ files_search_pids($1) + list_dirs_pattern($1, var_t, var_run_t) + rw_files_pattern($1, var_run_t, var_run_t) ') +@@ -6231,55 +7201,43 @@ interface(`files_dontaudit_ioctl_all_pids',` ######################################## ## --## Read generic files in /usr. 
-+## Allow attempts to get the attributes -+## of all tmp files. +-## Read all process ID files. ++## Relable all pid directories ## --## --##

    --## Allow the specified domain to read generic --## files in /usr. These files are various program --## files that do not have more specific SELinux types. --## Some examples of these files are: --##

    --##
      --##
    • /usr/include/*
    • --##
    • /usr/share/doc/*
    • --##
    • /usr/share/info/*
    • --##
    --##

    --## Generally, it is safe for many domains to have --## this access. --##

    --##
    ## ## ## Domain allowed access. ## ## --## +-## # --interface(`files_read_usr_files',` -+interface(`files_getattr_all_tmp_files',` +-interface(`files_read_all_pids',` ++interface(`files_relabel_all_pid_dirs',` gen_require(` -- type usr_t; -+ attribute tmpfile; + attribute pidfile; +- type var_t, var_run_t; ') -- allow $1 usr_t:dir list_dir_perms; -- read_files_pattern($1, usr_t, usr_t) -- read_lnk_files_pattern($1, usr_t, usr_t) -+ allow $1 tmpfile:file getattr; +- allow $1 var_run_t:lnk_file read_lnk_file_perms; +- list_dirs_pattern($1, var_t, pidfile) +- read_files_pattern($1, pidfile, pidfile) ++ relabel_dirs_pattern($1, pidfile, pidfile) ') ######################################## ## --## Execute generic programs in /usr in the caller domain. -+## Relabel to and from all temporary -+## file types. +-## Delete all process IDs. ++## Delete all pid sockets ## ## ## ## Domain allowed access. ## ## -+## +-## # --interface(`files_exec_usr_files',` -+interface(`files_relabel_all_tmp_files',` +-interface(`files_delete_all_pids',` ++interface(`files_delete_all_pid_sockets',` gen_require(` -- type usr_t; -+ attribute tmpfile; -+ type var_t; + attribute pidfile; +- type var_t, var_run_t; ') -- allow $1 usr_t:dir list_dir_perms; -- exec_files_pattern($1, usr_t, usr_t) -- read_lnk_files_pattern($1, usr_t, usr_t) -+ allow $1 var_t:dir search_dir_perms; -+ relabel_files_pattern($1, tmpfile, tmpfile) +- allow $1 var_t:dir search_dir_perms; +- allow $1 var_run_t:lnk_file read_lnk_file_perms; +- allow $1 var_run_t:dir rmdir; +- allow $1 var_run_t:lnk_file delete_lnk_file_perms; +- delete_files_pattern($1, pidfile, pidfile) +- delete_fifo_files_pattern($1, pidfile, pidfile) +- delete_sock_files_pattern($1, pidfile, { pidfile var_run_t }) ++ allow $1 pidfile:sock_file delete_sock_file_perms; ') ######################################## ## --## dontaudit write of /usr files -+## Do not audit attempts to get the attributes -+## of all tmp sock_file. 
+-## Delete all process ID directories. ++## Create all pid sockets ## ## ## -@@ -4880,35 +5348,17 @@ interface(`files_exec_usr_files',` +@@ -6287,42 +7245,35 @@ interface(`files_delete_all_pids',` ## ## # --interface(`files_dontaudit_write_usr_files',` -- gen_require(` -- type usr_t; -- ') -- -- dontaudit $1 usr_t:file write; --') -- --######################################## --## --## Create, read, write, and delete files in the /usr directory. --## --## --## --## Domain allowed access. --## --## --# --interface(`files_manage_usr_files',` -+interface(`files_dontaudit_getattr_all_tmp_sockets',` +-interface(`files_delete_all_pid_dirs',` ++interface(`files_create_all_pid_sockets',` gen_require(` -- type usr_t; -+ attribute tmpfile; + attribute pidfile; +- type var_t, var_run_t; ') -- manage_files_pattern($1, usr_t, usr_t) -+ dontaudit $1 tmpfile:sock_file getattr; +- allow $1 var_t:dir search_dir_perms; +- allow $1 var_run_t:lnk_file read_lnk_file_perms; +- delete_dirs_pattern($1, pidfile, pidfile) ++ allow $1 pidfile:sock_file create_sock_file_perms; ') ######################################## ## --## Relabel a file to the type used in /usr. -+## Read all tmp files. +-## Create, read, write and delete all +-## var_run (pid) content ++## Create all pid named pipes ## ## ## -@@ -4916,67 +5366,70 @@ interface(`files_manage_usr_files',` +-## Domain alloed access. ++## Domain allowed access. 
## ## # --interface(`files_relabelto_usr_files',` -+interface(`files_read_all_tmp_files',` +-interface(`files_manage_all_pids',` ++interface(`files_create_all_pid_pipes',` gen_require(` -- type usr_t; -+ attribute tmpfile; + attribute pidfile; ') -- relabelto_files_pattern($1, usr_t, usr_t) -+ read_files_pattern($1, tmpfile, tmpfile) +- manage_dirs_pattern($1, pidfile, pidfile) +- manage_files_pattern($1, pidfile, pidfile) +- manage_lnk_files_pattern($1, pidfile, pidfile) ++ allow $1 pidfile:fifo_file create_fifo_file_perms; ') ######################################## ## --## Relabel a file from the type used in /usr. -+## Do not audit attempts to read or write -+## all leaked tmpfiles files. +-## Mount filesystems on all polyinstantiation +-## member directories. ++## Delete all pid named pipes ## ## ## --## Domain allowed access. -+## Domain to not audit. +@@ -6330,18 +7281,18 @@ interface(`files_manage_all_pids',` ## ## # --interface(`files_relabelfrom_usr_files',` -+interface(`files_dontaudit_tmp_file_leaks',` +-interface(`files_mounton_all_poly_members',` ++interface(`files_delete_all_pid_pipes',` gen_require(` -- type usr_t; -+ attribute tmpfile; +- attribute polymember; ++ attribute pidfile; ') -- relabelfrom_files_pattern($1, usr_t, usr_t) -+ dontaudit $1 tmpfile:file rw_inherited_file_perms; +- allow $1 polymember:dir mounton; ++ allow $1 pidfile:fifo_file delete_fifo_file_perms; ') ######################################## ## --## Read symbolic links in /usr. -+## Do allow attempts to read or write -+## all leaked tmpfiles files. +-## Search the contents of generic spool +-## directories (/var/spool). ++## manage all pidfile directories ++## in the /var/run directory. ## ## ## --## Domain allowed access. -+## Domain to not audit. 
+@@ -6349,37 +7300,40 @@ interface(`files_mounton_all_poly_members',` ## ## # --interface(`files_read_usr_symlinks',` -+interface(`files_rw_tmp_file_leaks',` +-interface(`files_search_spool',` ++interface(`files_manage_all_pid_dirs',` gen_require(` -- type usr_t; -+ attribute tmpfile; +- type var_t, var_spool_t; ++ attribute pidfile; ') -- read_lnk_files_pattern($1, usr_t, usr_t) -+ allow $1 tmpfile:file rw_inherited_file_perms; +- search_dirs_pattern($1, var_t, var_spool_t) ++ manage_dirs_pattern($1,pidfile,pidfile) ') ++ ######################################## ## --## Create objects in the /usr directory -+## Create an object in the tmp directories, with a private -+## type using a type transition. +-## Do not audit attempts to search generic +-## spool directories. ++## Read all process ID files. ## ## ## - ## Domain allowed access. - ## - ## --## -+## - ## --## The type of the object to be created -+## The type of the object to be created. - ## - ## --## -+## - ## --## The object class. -+## The object class of the object being created. - ## - ## - ## -@@ -4985,35 +5438,50 @@ interface(`files_read_usr_symlinks',` - ##
    - ## - # --interface(`files_usr_filetrans',` -+interface(`files_tmp_filetrans',` - gen_require(` -- type usr_t; -+ type tmp_t; - ') - -- filetrans_pattern($1, usr_t, $2, $3, $4) -+ filetrans_pattern($1, tmp_t, $2, $3, $4) - ') - - ######################################## - ## --## Do not audit attempts to search /usr/src. -+## Delete the contents of /tmp. - ## - ## - ## --## Domain to not audit. -+## Domain allowed access. - ## - ## - # --interface(`files_dontaudit_search_src',` -+interface(`files_purge_tmp',` - gen_require(` -- type src_t; -+ attribute tmpfile; - ') - -- dontaudit $1 src_t:dir search_dir_perms; -+ allow $1 tmpfile:dir list_dir_perms; -+ delete_dirs_pattern($1, tmpfile, tmpfile) -+ delete_files_pattern($1, tmpfile, tmpfile) -+ delete_lnk_files_pattern($1, tmpfile, tmpfile) -+ delete_fifo_files_pattern($1, tmpfile, tmpfile) -+ delete_sock_files_pattern($1, tmpfile, tmpfile) -+ delete_chr_files_pattern($1, tmpfile, tmpfile) -+ delete_blk_files_pattern($1, tmpfile, tmpfile) -+ files_list_isid_type_dirs($1) -+ files_delete_isid_type_dirs($1) -+ files_delete_isid_type_files($1) -+ files_delete_isid_type_symlinks($1) -+ files_delete_isid_type_fifo_files($1) -+ files_delete_isid_type_sock_files($1) -+ files_delete_isid_type_blk_files($1) -+ files_delete_isid_type_chr_files($1) - ') - - ######################################## - ## --## Get the attributes of files in /usr/src. -+## Set the attributes of the /usr directory. - ## - ## - ## -@@ -5021,20 +5489,17 @@ interface(`files_dontaudit_search_src',` - ## - ## - # --interface(`files_getattr_usr_src_files',` -+interface(`files_setattr_usr_dirs',` - gen_require(` -- type usr_t, src_t; -+ type usr_t; - ') - -- getattr_files_pattern($1, src_t, src_t) -- -- # /usr/src/linux symlink: -- read_lnk_files_pattern($1, usr_t, src_t) -+ allow $1 usr_t:dir setattr; - ') - - ######################################## - ## --## Read files in /usr/src. -+## Search the content of /usr. 
- ## - ## - ## -@@ -5042,20 +5507,18 @@ interface(`files_getattr_usr_src_files',` - ## - ## - # --interface(`files_read_usr_src_files',` -+interface(`files_search_usr',` - gen_require(` -- type usr_t, src_t; -+ type usr_t; - ') - - allow $1 usr_t:dir search_dir_perms; -- read_files_pattern($1, { usr_t src_t }, src_t) -- read_lnk_files_pattern($1, { usr_t src_t }, src_t) -- allow $1 src_t:dir list_dir_perms; - ') - - ######################################## - ## --## Execute programs in /usr/src in the caller domain. -+## List the contents of generic -+## directories in /usr. - ## - ## - ## -@@ -5063,38 +5526,35 @@ interface(`files_read_usr_src_files',` +-## Domain to not audit. ++## Domain allowed access. ## ## ++## # --interface(`files_exec_usr_src_files',` -+interface(`files_list_usr',` +-interface(`files_dontaudit_search_spool',` ++interface(`files_read_all_pids',` gen_require(` -- type usr_t, src_t; -+ type usr_t; +- type var_spool_t; ++ attribute pidfile; ++ type var_t; ') -- list_dirs_pattern($1, usr_t, src_t) -- exec_files_pattern($1, src_t, src_t) -- read_lnk_files_pattern($1, src_t, src_t) -+ allow $1 usr_t:dir list_dir_perms; +- dontaudit $1 var_spool_t:dir search_dir_perms; ++ list_dirs_pattern($1, var_t, pidfile) ++ read_files_pattern($1, pidfile, pidfile) ++ read_lnk_files_pattern($1, pidfile, pidfile) ') ######################################## ## --## Install a system.map into the /boot directory. -+## Do not audit write of /usr dirs +-## List the contents of generic spool +-## (/var/spool) directories. ++## Relable all pid files ## ## ## --## Domain allowed access. -+## Domain to not audit. 
+@@ -6387,18 +7341,17 @@ interface(`files_dontaudit_search_spool',` ## ## # --interface(`files_create_kernel_symbol_table',` -+interface(`files_dontaudit_write_usr_dirs',` +-interface(`files_list_spool',` ++interface(`files_relabel_all_pid_files',` gen_require(` -- type boot_t, system_map_t; -+ type usr_t; +- type var_t, var_spool_t; ++ attribute pidfile; ') -- allow $1 boot_t:dir { list_dir_perms add_entry_dir_perms }; -- allow $1 system_map_t:file { create_file_perms rw_file_perms }; -+ dontaudit $1 usr_t:dir write; +- list_dirs_pattern($1, var_t, var_spool_t) ++ relabel_files_pattern($1, pidfile, pidfile) ') ######################################## ## --## Read system.map in the /boot directory. -+## Add and remove entries from /usr directories. +-## Create, read, write, and delete generic +-## spool directories (/var/spool). ++## Execute generic programs in /var/run in the caller domain. ## ## ## -@@ -5102,37 +5562,36 @@ interface(`files_create_kernel_symbol_table',` +@@ -6406,18 +7359,18 @@ interface(`files_list_spool',` ## ## # --interface(`files_read_kernel_symbol_table',` -+interface(`files_rw_usr_dirs',` +-interface(`files_manage_generic_spool_dirs',` ++interface(`files_exec_generic_pid_files',` gen_require(` -- type boot_t, system_map_t; -+ type usr_t; +- type var_t, var_spool_t; ++ type var_run_t; ') -- allow $1 boot_t:dir list_dir_perms; -- read_files_pattern($1, boot_t, system_map_t) -+ allow $1 usr_t:dir rw_dir_perms; +- allow $1 var_t:dir search_dir_perms; +- manage_dirs_pattern($1, var_spool_t, var_spool_t) ++ exec_files_pattern($1, var_run_t, var_run_t) ') ######################################## ## --## Delete a system.map in the /boot directory. -+## Do not audit attempts to add and remove -+## entries from /usr directories. +-## Read generic spool files. ++## manage all pidfiles ++## in the /var/run directory. ## ## ## --## Domain allowed access. -+## Domain to not audit. 
+@@ -6425,19 +7378,18 @@ interface(`files_manage_generic_spool_dirs',` ## ## # --interface(`files_delete_kernel_symbol_table',` -+interface(`files_dontaudit_rw_usr_dirs',` +-interface(`files_read_generic_spool',` ++interface(`files_manage_all_pids',` gen_require(` -- type boot_t, system_map_t; -+ type usr_t; +- type var_t, var_spool_t; ++ attribute pidfile; ') -- allow $1 boot_t:dir list_dir_perms; -- delete_files_pattern($1, boot_t, system_map_t) -+ dontaudit $1 usr_t:dir rw_dir_perms; +- list_dirs_pattern($1, var_t, var_spool_t) +- read_files_pattern($1, var_spool_t, var_spool_t) ++ manage_files_pattern($1,pidfile,pidfile) ') ######################################## ## --## Search the contents of /var. -+## Delete generic directories in /usr in the caller domain. +-## Create, read, write, and delete generic +-## spool files. ++## Mount filesystems on all polyinstantiation ++## member directories. ## ## ## -@@ -5140,35 +5599,35 @@ interface(`files_delete_kernel_symbol_table',` +@@ -6445,29 +7397,296 @@ interface(`files_read_generic_spool',` ## ## # --interface(`files_search_var',` -+interface(`files_delete_usr_dirs',` +-interface(`files_manage_generic_spool',` ++interface(`files_mounton_all_poly_members',` gen_require(` -- type var_t; -+ type usr_t; +- type var_t, var_spool_t; ++ attribute polymember; ') - allow $1 var_t:dir search_dir_perms; -+ delete_dirs_pattern($1, usr_t, usr_t) - ') - - ######################################## - ## --## Do not audit attempts to write to /var. -+## Delete generic files in /usr in the caller domain. - ## - ## - ## --## Domain to not audit. -+## Domain allowed access. 
- ## - ## - # --interface(`files_dontaudit_write_var_dirs',` -+interface(`files_delete_usr_files',` - gen_require(` -- type var_t; -+ type usr_t; - ') - -- dontaudit $1 var_t:dir write; -+ delete_files_pattern($1, usr_t, usr_t) +- manage_files_pattern($1, var_spool_t, var_spool_t) ++ allow $1 polymember:dir mounton; ') ######################################## ## --## Allow attempts to write to /var.dirs -+## Get the attributes of files in /usr. +-## Create objects in the spool directory +-## with a private type with a type transition. ++## Delete all process IDs. ## ## ## -@@ -5176,36 +5635,55 @@ interface(`files_dontaudit_write_var_dirs',` + ## Domain allowed access. ## ## - # --interface(`files_write_var_dirs',` -+interface(`files_getattr_usr_files',` - gen_require(` -- type var_t; -+ type usr_t; - ') - -- allow $1 var_t:dir write; -+ getattr_files_pattern($1, usr_t, usr_t) - ') - - ######################################## - ## --## Do not audit attempts to search --## the contents of /var. -+## Read generic files in /usr. - ## +-## +-## +-## Type to which the created node will be transitioned. +-## ++## ++# ++interface(`files_delete_all_pids',` ++ gen_require(` ++ attribute pidfile; ++ type var_t, var_run_t; ++ ') ++ ++ files_search_pids($1) ++ allow $1 var_t:dir search_dir_perms; ++ allow $1 var_run_t:dir rmdir; ++ allow $1 var_run_t:lnk_file delete_lnk_file_perms; ++ delete_files_pattern($1, pidfile, pidfile) ++ delete_fifo_files_pattern($1, pidfile, pidfile) ++ delete_sock_files_pattern($1, pidfile, { pidfile var_run_t }) ++') ++ ++######################################## ++## ++## Delete all process ID directories. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`files_delete_all_pid_dirs',` ++ gen_require(` ++ attribute pidfile; ++ type var_t, var_run_t; ++ ') ++ ++ files_search_pids($1) ++ allow $1 var_t:dir search_dir_perms; ++ delete_dirs_pattern($1, pidfile, pidfile) ++') ++ ++######################################## ++## ++## Make the specified type a file ++## used for spool files. ++## +## +##

    -+## Allow the specified domain to read generic -+## files in /usr. These files are various program -+## files that do not have more specific SELinux types. -+## Some examples of these files are: ++## Make the specified type usable for spool files. ++## This will also make the type usable for files, making ++## calls to files_type() redundant. Failure to use this interface ++## for a spool file may result in problems with ++## purging spool files. ++##

    ++##

    ++## Related interfaces: +##

    +##
      -+##
    • /usr/include/*
    • -+##
    • /usr/share/doc/*
    • -+##
    • /usr/share/info/*
    • ++##
    • files_spool_filetrans()
    • +##
    +##

    -+## Generally, it is safe for many domains to have -+## this access. -+##

    -+##
    - ## - ## --## Domain to not audit. -+## Domain allowed access. - ## - ## -+## - # --interface(`files_dontaudit_search_var',` -+interface(`files_read_usr_files',` - gen_require(` -- type var_t; -+ type usr_t; - ') - -- dontaudit $1 var_t:dir search_dir_perms; -+ allow $1 usr_t:dir list_dir_perms; -+ read_files_pattern($1, usr_t, usr_t) -+ read_lnk_files_pattern($1, usr_t, usr_t) - ') - - ######################################## - ## --## List the contents of /var. -+## Execute generic programs in /usr in the caller domain. - ## - ## - ## -@@ -5213,36 +5691,37 @@ interface(`files_dontaudit_search_var',` - ## - ## - # --interface(`files_list_var',` -+interface(`files_exec_usr_files',` - gen_require(` -- type var_t; -+ type usr_t; - ') - -- allow $1 var_t:dir list_dir_perms; -+ allow $1 usr_t:dir list_dir_perms; -+ exec_files_pattern($1, usr_t, usr_t) -+ read_lnk_files_pattern($1, usr_t, usr_t) - ') - - ######################################## - ## --## Create, read, write, and delete directories --## in the /var directory. -+## dontaudit write of /usr files - ## - ## - ## --## Domain allowed access. -+## Domain to not audit. - ## - ## - # --interface(`files_manage_var_dirs',` -+interface(`files_dontaudit_write_usr_files',` - gen_require(` -- type var_t; -+ type usr_t; - ') - -- allow $1 var_t:dir manage_dir_perms; -+ dontaudit $1 usr_t:file write; - ') - - ######################################## - ## --## Read files in the /var directory. -+## Create, read, write, and delete files in the /usr directory. - ## - ## - ## -@@ -5250,17 +5729,17 @@ interface(`files_manage_var_dirs',` - ## - ## - # --interface(`files_read_var_files',` -+interface(`files_manage_usr_files',` - gen_require(` -- type var_t; -+ type usr_t; - ') - -- read_files_pattern($1, var_t, var_t) -+ manage_files_pattern($1, usr_t, usr_t) - ') - - ######################################## - ## --## Append files in the /var directory. -+## Relabel a file to the type used in /usr. 
- ## - ## - ## -@@ -5268,17 +5747,17 @@ interface(`files_read_var_files',` - ## - ## - # --interface(`files_append_var_files',` -+interface(`files_relabelto_usr_files',` - gen_require(` -- type var_t; -+ type usr_t; - ') - -- append_files_pattern($1, var_t, var_t) -+ relabelto_files_pattern($1, usr_t, usr_t) - ') - - ######################################## - ## --## Read and write files in the /var directory. -+## Relabel a file from the type used in /usr. - ## - ## - ## -@@ -5286,73 +5765,86 @@ interface(`files_append_var_files',` - ## - ## - # --interface(`files_rw_var_files',` -+interface(`files_relabelfrom_usr_files',` - gen_require(` -- type var_t; -+ type usr_t; - ') - -- rw_files_pattern($1, var_t, var_t) -+ relabelfrom_files_pattern($1, usr_t, usr_t) - ') - - ######################################## - ## --## Do not audit attempts to read and write --## files in the /var directory. -+## Read symbolic links in /usr. - ## - ## - ## --## Domain to not audit. -+## Domain allowed access. - ## - ## - # --interface(`files_dontaudit_rw_var_files',` -+interface(`files_read_usr_symlinks',` - gen_require(` -- type var_t; -+ type usr_t; - ') - -- dontaudit $1 var_t:file rw_file_perms; -+ read_lnk_files_pattern($1, usr_t, usr_t) - ') - - ######################################## - ## --## Create, read, write, and delete files in the /var directory. -+## Create objects in the /usr directory - ## - ## - ## - ## Domain allowed access. - ## - ## -+## -+## -+## The type of the object to be created -+## -+## -+## -+## -+## The object class. -+## -+## -+## -+## -+## The name of the object being created. -+## -+## - # --interface(`files_manage_var_files',` -+interface(`files_usr_filetrans',` - gen_require(` -- type var_t; -+ type usr_t; - ') - -- manage_files_pattern($1, var_t, var_t) -+ filetrans_pattern($1, usr_t, $2, $3, $4) - ') - - ######################################## - ## --## Read symbolic links in the /var directory. -+## Do not audit attempts to search /usr/src. 
- ## - ## - ## --## Domain allowed access. -+## Domain to not audit. - ## - ## - # --interface(`files_read_var_symlinks',` -+interface(`files_dontaudit_search_src',` - gen_require(` -- type var_t; -+ type src_t; - ') - -- read_lnk_files_pattern($1, var_t, var_t) -+ dontaudit $1 src_t:dir search_dir_perms; - ') - - ######################################## - ## --## Create, read, write, and delete symbolic --## links in the /var directory. -+## Get the attributes of files in /usr/src. - ## - ## - ## -@@ -5360,50 +5852,41 @@ interface(`files_read_var_symlinks',` - ## - ## - # --interface(`files_manage_var_symlinks',` -+interface(`files_getattr_usr_src_files',` - gen_require(` -- type var_t; -+ type usr_t, src_t; - ') - -- manage_lnk_files_pattern($1, var_t, var_t) -+ getattr_files_pattern($1, src_t, src_t) -+ -+ # /usr/src/linux symlink: -+ read_lnk_files_pattern($1, usr_t, src_t) - ') - - ######################################## - ## --## Create objects in the /var directory -+## Read files in /usr/src. - ## - ## - ## - ## Domain allowed access. - ## - ## --## --## --## The type of the object to be created --## --## --## --## --## The object class. --## --## --## --## --## The name of the object being created. --## --## - # --interface(`files_var_filetrans',` -+interface(`files_read_usr_src_files',` - gen_require(` -- type var_t; -+ type usr_t, src_t; - ') - -- filetrans_pattern($1, var_t, $2, $3, $4) -+ allow $1 usr_t:dir search_dir_perms; -+ read_files_pattern($1, { usr_t src_t }, src_t) -+ read_lnk_files_pattern($1, { usr_t src_t }, src_t) -+ allow $1 src_t:dir list_dir_perms; - ') - - ######################################## - ## --## Get the attributes of the /var/lib directory. -+## Execute programs in /usr/src in the caller domain. 
- ## - ## - ## -@@ -5411,69 +5894,57 @@ interface(`files_var_filetrans',` - ## - ## - # --interface(`files_getattr_var_lib_dirs',` -+interface(`files_exec_usr_src_files',` - gen_require(` -- type var_t, var_lib_t; -+ type usr_t, src_t; - ') - -- getattr_dirs_pattern($1, var_t, var_lib_t) -+ list_dirs_pattern($1, usr_t, src_t) -+ exec_files_pattern($1, src_t, src_t) -+ read_lnk_files_pattern($1, src_t, src_t) - ') - - ######################################## - ## --## Search the /var/lib directory. -+## Install a system.map into the /boot directory. - ## --## --##

    --## Search the /var/lib directory. This is --## necessary to access files or directories under --## /var/lib that have a private type. For example, a --## domain accessing a private library file in the --## /var/lib directory: --##

    --##

    --## allow mydomain_t mylibfile_t:file read_file_perms; --## files_search_var_lib(mydomain_t) --##

    --##
    - ## - ## - ## Domain allowed access. - ## - ## --## - # --interface(`files_search_var_lib',` -+interface(`files_create_kernel_symbol_table',` - gen_require(` -- type var_t, var_lib_t; -+ type boot_t, system_map_t; - ') - -- search_dirs_pattern($1, var_t, var_lib_t) -+ allow $1 boot_t:dir { list_dir_perms add_entry_dir_perms }; -+ allow $1 system_map_t:file { create_file_perms rw_file_perms }; - ') - - ######################################## - ## --## Do not audit attempts to search the --## contents of /var/lib. -+## Read system.map in the /boot directory. - ## - ## - ## --## Domain to not audit. -+## Domain allowed access. - ## - ## --## - # --interface(`files_dontaudit_search_var_lib',` -+interface(`files_read_kernel_symbol_table',` - gen_require(` -- type var_lib_t; -+ type boot_t, system_map_t; - ') - -- dontaudit $1 var_lib_t:dir search_dir_perms; -+ allow $1 boot_t:dir list_dir_perms; -+ read_files_pattern($1, boot_t, system_map_t) - ') - - ######################################## - ## --## List the contents of the /var/lib directory. -+## Delete a system.map in the /boot directory. - ## - ## - ## -@@ -5481,17 +5952,18 @@ interface(`files_dontaudit_search_var_lib',` - ## - ## - # --interface(`files_list_var_lib',` -+interface(`files_delete_kernel_symbol_table',` - gen_require(` -- type var_t, var_lib_t; -+ type boot_t, system_map_t; - ') - -- list_dirs_pattern($1, var_t, var_lib_t) -+ allow $1 boot_t:dir list_dir_perms; -+ delete_files_pattern($1, boot_t, system_map_t) - ') - --########################################### -+######################################## - ## --## Read-write /var/lib directories -+## Search the contents of /var. 
- ## - ## - ## -@@ -5499,51 +5971,35 @@ interface(`files_list_var_lib',` - ## - ## - # --interface(`files_rw_var_lib_dirs',` -+interface(`files_search_var',` - gen_require(` -- type var_lib_t; -+ type var_t; - ') - -- rw_dirs_pattern($1, var_lib_t, var_lib_t) -+ allow $1 var_t:dir search_dir_perms; - ') - - ######################################## - ## --## Create objects in the /var/lib directory -+## Do not audit attempts to write to /var. - ## - ## - ## --## Domain allowed access. --## --## --## --## --## The type of the object to be created --## --## --## --## --## The object class. --## --## --## --## --## The name of the object being created. -+## Domain to not audit. - ## - ## - # --interface(`files_var_lib_filetrans',` -+interface(`files_dontaudit_write_var_dirs',` - gen_require(` -- type var_t, var_lib_t; -+ type var_t; - ') - -- allow $1 var_t:dir search_dir_perms; -- filetrans_pattern($1, var_lib_t, $2, $3, $4) -+ dontaudit $1 var_t:dir write; - ') - - ######################################## - ## --## Read generic files in /var/lib. -+## Allow attempts to write to /var.dirs - ## - ## - ## -@@ -5551,40 +6007,36 @@ interface(`files_var_lib_filetrans',` - ## - ## - # --interface(`files_read_var_lib_files',` -+interface(`files_write_var_dirs',` - gen_require(` -- type var_t, var_lib_t; -+ type var_t; - ') - -- allow $1 var_lib_t:dir list_dir_perms; -- read_files_pattern($1, { var_t var_lib_t }, var_lib_t) -+ allow $1 var_t:dir write; - ') - - ######################################## - ## --## Read generic symbolic links in /var/lib -+## Do not audit attempts to search -+## the contents of /var. - ## - ## - ## --## Domain allowed access. -+## Domain to not audit. 
- ## - ## - # --interface(`files_read_var_lib_symlinks',` -+interface(`files_dontaudit_search_var',` - gen_require(` -- type var_t, var_lib_t; -+ type var_t; - ') - -- read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t) -+ dontaudit $1 var_t:dir search_dir_perms; - ') - --# cjp: the next two interfaces really need to be fixed --# in some way. They really neeed their own types. -- - ######################################## - ## --## Create, read, write, and delete the --## pseudorandom number generator seed. -+## List the contents of /var. - ## - ## - ## -@@ -5592,38 +6044,36 @@ interface(`files_read_var_lib_symlinks',` - ## - ## - # --interface(`files_manage_urandom_seed',` -+interface(`files_list_var',` - gen_require(` -- type var_t, var_lib_t; -+ type var_t; - ') - -- allow $1 var_t:dir search_dir_perms; -- manage_files_pattern($1, var_lib_t, var_lib_t) -+ allow $1 var_t:dir list_dir_perms; - ') - - ######################################## - ## --## Allow domain to manage mount tables --## necessary for rpcd, nfsd, etc. -+## Do not audit listing of the var directory (/var). - ## - ## - ## --## Domain allowed access. -+## Domain to not audit. - ## - ## - # --interface(`files_manage_mounttab',` -+interface(`files_dontaudit_list_var',` - gen_require(` -- type var_t, var_lib_t; -+ type var_t; - ') - -- allow $1 var_t:dir search_dir_perms; -- manage_files_pattern($1, var_lib_t, var_lib_t) -+ dontaudit $1 var_t:dir list_dir_perms; - ') - - ######################################## - ## --## Set the attributes of the generic lock directories. -+## Create, read, write, and delete directories -+## in the /var directory. 
- ## - ## - ## -@@ -5631,17 +6081,17 @@ interface(`files_manage_mounttab',` - ## - ## - # --interface(`files_setattr_lock_dirs',` -+interface(`files_manage_var_dirs',` - gen_require(` -- type var_t, var_lock_t; -+ type var_t; - ') - -- setattr_dirs_pattern($1, var_t, var_lock_t) -+ allow $1 var_t:dir manage_dir_perms; - ') - - ######################################## - ## --## Search the locks directory (/var/lock). -+## Read files in the /var directory. - ## - ## - ## -@@ -5649,38 +6099,35 @@ interface(`files_setattr_lock_dirs',` - ## - ## - # --interface(`files_search_locks',` -+interface(`files_read_var_files',` - gen_require(` -- type var_t, var_lock_t; -+ type var_t; - ') - -- allow $1 var_lock_t:lnk_file read_lnk_file_perms; -- search_dirs_pattern($1, var_t, var_lock_t) -+ read_files_pattern($1, var_t, var_t) - ') - - ######################################## - ## --## Do not audit attempts to search the --## locks directory (/var/lock). -+## Append files in the /var directory. - ## - ## - ## --## Domain to not audit. -+## Domain allowed access. - ## - ## - # --interface(`files_dontaudit_search_locks',` -+interface(`files_append_var_files',` - gen_require(` -- type var_lock_t; -+ type var_t; - ') - -- dontaudit $1 var_lock_t:lnk_file read_lnk_file_perms; -- dontaudit $1 var_lock_t:dir search_dir_perms; -+ append_files_pattern($1, var_t, var_t) - ') - - ######################################## - ## --## List generic lock directories. -+## Read and write files in the /var directory. - ## - ## - ## -@@ -5688,80 +6135,73 @@ interface(`files_dontaudit_search_locks',` - ## - ## - # --interface(`files_list_locks',` -+interface(`files_rw_var_files',` - gen_require(` -- type var_t, var_lock_t; -+ type var_t; - ') - -- allow $1 var_lock_t:lnk_file read_lnk_file_perms; -- list_dirs_pattern($1, var_t, var_lock_t) -+ rw_files_pattern($1, var_t, var_t) - ') - - ######################################## - ## --## Add and remove entries in the /var/lock --## directories. 
-+## Do not audit attempts to read and write -+## files in the /var directory. - ## - ## - ## --## Domain allowed access. -+## Domain to not audit. - ## - ## - # --interface(`files_rw_lock_dirs',` -+interface(`files_dontaudit_rw_var_files',` - gen_require(` -- type var_t, var_lock_t; -+ type var_t; - ') - -- allow $1 var_lock_t:lnk_file read_lnk_file_perms; -- rw_dirs_pattern($1, var_t, var_lock_t) -+ dontaudit $1 var_t:file rw_file_perms; - ') - - ######################################## - ## --## Create lock directories -+## Create, read, write, and delete files in the /var directory. - ## - ## --## --## Domain allowed access -+## -+## Domain allowed access. - ## - ## - # --interface(`files_create_lock_dirs',` -+interface(`files_manage_var_files',` - gen_require(` -- type var_t, var_lock_t; -+ type var_t; - ') - -- allow $1 var_t:dir search_dir_perms; -- allow $1 var_lock_t:lnk_file read_lnk_file_perms; -- create_dirs_pattern($1, var_lock_t, var_lock_t) -+ manage_files_pattern($1, var_t, var_t) - ') - - ######################################## - ## --## Relabel to and from all lock directory types. -+## Read symbolic links in the /var directory. - ## - ## - ## - ## Domain allowed access. - ## - ## --## - # --interface(`files_relabel_all_lock_dirs',` -+interface(`files_read_var_symlinks',` - gen_require(` -- attribute lockfile; -- type var_t, var_lock_t; -+ type var_t; - ') - -- allow $1 var_t:dir search_dir_perms; -- allow $1 var_lock_t:lnk_file read_lnk_file_perms; -- relabel_dirs_pattern($1, lockfile, lockfile) -+ read_lnk_files_pattern($1, var_t, var_t) - ') - - ######################################## - ## --## Get the attributes of generic lock files. -+## Create, read, write, and delete symbolic -+## links in the /var directory. 
- ## - ## - ## -@@ -5769,41 +6209,50 @@ interface(`files_relabel_all_lock_dirs',` - ## - ## - # --interface(`files_getattr_generic_locks',` -+interface(`files_manage_var_symlinks',` - gen_require(` -- type var_t, var_lock_t; -+ type var_t; - ') - -- allow $1 var_t:dir search_dir_perms; -- allow $1 var_lock_t:lnk_file read_lnk_file_perms; -- allow $1 var_lock_t:dir list_dir_perms; -- getattr_files_pattern($1, var_lock_t, var_lock_t) -+ manage_lnk_files_pattern($1, var_t, var_t) - ') - - ######################################## - ## --## Delete generic lock files. -+## Create objects in the /var directory - ## - ## - ## - ## Domain allowed access. - ## - ## -+## -+## -+## The type of the object to be created -+## -+## -+## -+## -+## The object class. -+## -+## -+## -+## -+## The name of the object being created. -+## -+## - # --interface(`files_delete_generic_locks',` -+interface(`files_var_filetrans',` - gen_require(` -- type var_t, var_lock_t; -+ type var_t; - ') - -- allow $1 var_t:dir search_dir_perms; -- allow $1 var_lock_t:lnk_file read_lnk_file_perms; -- delete_files_pattern($1, var_lock_t, var_lock_t) -+ filetrans_pattern($1, var_t, $2, $3, $4) - ') - - ######################################## - ## --## Create, read, write, and delete generic --## lock files. -+## Get the attributes of the /var/lib directory. - ## - ## - ## -@@ -5811,65 +6260,69 @@ interface(`files_delete_generic_locks',` - ## - ## - # --interface(`files_manage_generic_locks',` -+interface(`files_getattr_var_lib_dirs',` - gen_require(` -- type var_t, var_lock_t; -+ type var_t, var_lib_t; - ') - -- allow $1 var_t:dir search_dir_perms; -- allow $1 var_lock_t:lnk_file read_lnk_file_perms; -- manage_dirs_pattern($1, var_lock_t, var_lock_t) -- manage_files_pattern($1, var_lock_t, var_lock_t) -+ getattr_dirs_pattern($1, var_t, var_lib_t) - ') - - ######################################## - ## --## Delete all lock files. -+## Search the /var/lib directory. - ## -+## -+##

    -+## Search the /var/lib directory. This is -+## necessary to access files or directories under -+## /var/lib that have a private type. For example, a -+## domain accessing a private library file in the -+## /var/lib directory: -+##

    -+##

    -+## allow mydomain_t mylibfile_t:file read_file_perms; -+## files_search_var_lib(mydomain_t) -+##

    -+##
    - ## - ## - ## Domain allowed access. - ## - ## --## -+## - # --interface(`files_delete_all_locks',` -+interface(`files_search_var_lib',` - gen_require(` -- attribute lockfile; -- type var_t, var_lock_t; -+ type var_t, var_lib_t; - ') - -- allow $1 var_t:dir search_dir_perms; -- allow $1 var_lock_t:lnk_file read_lnk_file_perms; -- delete_files_pattern($1, lockfile, lockfile) -+ search_dirs_pattern($1, var_t, var_lib_t) - ') - - ######################################## - ## --## Read all lock files. -+## Do not audit attempts to search the -+## contents of /var/lib. - ## - ## - ## --## Domain allowed access. -+## Domain to not audit. - ## - ## -+## - # --interface(`files_read_all_locks',` -+interface(`files_dontaudit_search_var_lib',` - gen_require(` -- attribute lockfile; -- type var_t, var_lock_t; -+ type var_lib_t; - ') - -- allow $1 var_lock_t:lnk_file read_lnk_file_perms; -- allow $1 { var_t var_lock_t }:dir search_dir_perms; -- allow $1 lockfile:dir list_dir_perms; -- read_files_pattern($1, lockfile, lockfile) -- read_lnk_files_pattern($1, lockfile, lockfile) -+ dontaudit $1 var_lib_t:dir search_dir_perms; - ') - - ######################################## - ## --## manage all lock files. -+## List the contents of the /var/lib directory. - ## - ## - ## -@@ -5877,37 +6330,49 @@ interface(`files_read_all_locks',` - ## - ## - # --interface(`files_manage_all_locks',` -+interface(`files_list_var_lib',` - gen_require(` -- attribute lockfile; -- type var_t, var_lock_t; -+ type var_t, var_lib_t; - ') - -- allow $1 var_lock_t:lnk_file read_lnk_file_perms; -- allow $1 { var_t var_lock_t }:dir search_dir_perms; -- manage_dirs_pattern($1, lockfile, lockfile) -- manage_files_pattern($1, lockfile, lockfile) -- manage_lnk_files_pattern($1, lockfile, lockfile) -+ list_dirs_pattern($1, var_t, var_lib_t) -+') -+ -+########################################### -+## -+## Read-write /var/lib directories -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`files_rw_var_lib_dirs',` -+ gen_require(` -+ type var_lib_t; -+ ') -+ -+ rw_dirs_pattern($1, var_lib_t, var_lib_t) - ') - - ######################################## - ## --## Create an object in the locks directory, with a private --## type using a type transition. -+## Create objects in the /var/lib directory - ## - ## - ## - ## Domain allowed access. - ## - ## --## -+## - ## --## The type of the object to be created. -+## The type of the object to be created - ## - ## --## -+## - ## --## The object class of the object being created. -+## The object class. - ## - ## - ## -@@ -5916,39 +6381,37 @@ interface(`files_manage_all_locks',` - ##
    - ## - # --interface(`files_lock_filetrans',` -+interface(`files_var_lib_filetrans',` - gen_require(` -- type var_t, var_lock_t; -+ type var_t, var_lib_t; - ') - - allow $1 var_t:dir search_dir_perms; -- allow $1 var_lock_t:lnk_file read_lnk_file_perms; -- filetrans_pattern($1, var_lock_t, $2, $3, $4) -+ filetrans_pattern($1, var_lib_t, $2, $3, $4) - ') - - ######################################## - ## --## Do not audit attempts to get the attributes --## of the /var/run directory. -+## Read generic files in /var/lib. - ## - ## - ## --## Domain to not audit. -+## Domain allowed access. - ## - ## - # --interface(`files_dontaudit_getattr_pid_dirs',` -+interface(`files_read_var_lib_files',` - gen_require(` -- type var_run_t; -+ type var_t, var_lib_t; - ') - -- dontaudit $1 var_run_t:lnk_file read_lnk_file_perms; -- dontaudit $1 var_run_t:dir getattr; -+ allow $1 var_lib_t:dir list_dir_perms; -+ read_files_pattern($1, { var_t var_lib_t }, var_lib_t) - ') - - ######################################## - ## --## Set the attributes of the /var/run directory. -+## Read generic symbolic links in /var/lib - ## - ## - ## -@@ -5956,19 +6419,18 @@ interface(`files_dontaudit_getattr_pid_dirs',` - ## - ## - # --interface(`files_setattr_pid_dirs',` -+interface(`files_read_var_lib_symlinks',` - gen_require(` -- type var_run_t; -+ type var_t, var_lib_t; - ') - -- allow $1 var_run_t:lnk_file read_lnk_file_perms; -- allow $1 var_run_t:dir setattr; -+ read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t) - ') - - ######################################## - ## --## Search the contents of runtime process --## ID directories (/var/run). -+## manage generic symbolic links -+## in the /var/lib directory. 
- ## - ## - ## -@@ -5976,19 +6438,1114 @@ interface(`files_setattr_pid_dirs',` - ## - ## - # --interface(`files_search_pids',` -+interface(`files_manage_var_lib_symlinks',` - gen_require(` -- type var_t, var_run_t; -+ type var_lib_t; - ') - -- allow $1 var_run_t:lnk_file read_lnk_file_perms; -- search_dirs_pattern($1, var_t, var_run_t) -+ manage_lnk_files_pattern($1,var_lib_t,var_lib_t) - ') - -+# cjp: the next two interfaces really need to be fixed -+# in some way. They really neeed their own types. -+ - ######################################## - ## --## Do not audit attempts to search --## the /var/run directory. -+## Create, read, write, and delete the -+## pseudorandom number generator seed. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_manage_urandom_seed',` -+ gen_require(` -+ type var_t, var_lib_t; -+ ') -+ -+ allow $1 var_t:dir search_dir_perms; -+ manage_files_pattern($1, var_lib_t, var_lib_t) -+') -+ -+######################################## -+## -+## Allow domain to manage mount tables -+## necessary for rpcd, nfsd, etc. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_manage_mounttab',` -+ gen_require(` -+ type var_t, var_lib_t; -+ ') -+ -+ allow $1 var_t:dir search_dir_perms; -+ manage_files_pattern($1, var_lib_t, var_lib_t) -+') -+ -+######################################## -+## -+## List generic lock directories. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_list_locks',` -+ gen_require(` -+ type var_t, var_lock_t; -+ ') -+ -+ files_search_locks($1) -+ list_dirs_pattern($1, var_t, var_lock_t) -+') -+ -+######################################## -+## -+## Search the locks directory (/var/lock). -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`files_search_locks',` -+ gen_require(` -+ type var_t, var_lock_t; -+ ') -+ -+ files_search_pids($1) -+ allow $1 var_lock_t:lnk_file read_lnk_file_perms; -+ search_dirs_pattern($1, var_t, var_lock_t) -+') -+ -+######################################## -+## -+## Do not audit attempts to search the -+## locks directory (/var/lock). -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`files_dontaudit_search_locks',` -+ gen_require(` -+ type var_lock_t; -+ ') -+ -+ dontaudit $1 var_lock_t:lnk_file read_lnk_file_perms; -+ dontaudit $1 var_lock_t:dir search_dir_perms; -+') -+ -+######################################## -+## -+## Do not audit attempts to read/write inherited -+## locks (/var/lock). -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`files_dontaudit_rw_inherited_locks',` -+ gen_require(` -+ type var_lock_t; -+ ') -+ -+ dontaudit $1 var_lock_t:file rw_inherited_file_perms; -+') -+ -+######################################## -+## -+## Set the attributes of the /var/lock directory. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_setattr_lock_dirs',` -+ gen_require(` -+ type var_lock_t; -+ ') -+ -+ allow $1 var_lock_t:dir setattr; -+') -+ -+######################################## -+## -+## Add and remove entries in the /var/lock -+## directories. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`files_rw_lock_dirs',` -+ gen_require(` -+ type var_t, var_lock_t; -+ ') -+ -+ files_search_locks($1) -+ rw_dirs_pattern($1, var_t, var_lock_t) -+') -+ -+######################################## -+## -+## Create lock directories -+## -+## -+## -+## Domain allowed access -+## -+## -+# -+interface(`files_create_lock_dirs',` -+ gen_require(` -+ type var_t, var_lock_t; -+ ') -+ -+ allow $1 var_t:dir search_dir_perms; -+ allow $1 var_lock_t:lnk_file read_lnk_file_perms; -+ create_dirs_pattern($1, var_lock_t, var_lock_t) -+') -+ -+######################################## -+## -+## Relabel to and from all lock directory types. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_relabel_all_lock_dirs',` -+ gen_require(` -+ attribute lockfile; -+ type var_t, var_lock_t; -+ ') -+ -+ allow $1 var_t:dir search_dir_perms; -+ allow $1 var_lock_t:lnk_file read_lnk_file_perms; -+ relabel_dirs_pattern($1, lockfile, lockfile) -+') -+ -+######################################## -+## -+## Get the attributes of generic lock files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_getattr_generic_locks',` -+ gen_require(` -+ type var_t, var_lock_t; -+ ') -+ -+ files_search_locks($1) -+ allow $1 var_lock_t:dir list_dir_perms; -+ getattr_files_pattern($1, var_lock_t, var_lock_t) -+') -+ -+######################################## -+## -+## Delete generic lock files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_delete_generic_locks',` -+ gen_require(` -+ type var_t, var_lock_t; -+ ') -+ -+ files_search_locks($1) -+ delete_files_pattern($1, var_lock_t, var_lock_t) -+') -+ -+######################################## -+## -+## Create, read, write, and delete generic -+## lock files. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`files_manage_generic_locks',` -+ gen_require(` -+ type var_t, var_lock_t; -+ ') -+ -+ files_search_locks($1) -+ manage_files_pattern($1, var_lock_t, var_lock_t) -+') -+ -+######################################## -+## -+## Delete all lock files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+# -+interface(`files_delete_all_locks',` -+ gen_require(` -+ attribute lockfile; -+ type var_t, var_lock_t; -+ ') -+ -+ allow $1 var_t:dir search_dir_perms; -+ allow $1 var_lock_t:lnk_file read_lnk_file_perms; -+ delete_files_pattern($1, lockfile, lockfile) -+') -+ -+######################################## -+## -+## Read all lock files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_read_all_locks',` -+ gen_require(` -+ attribute lockfile; -+ type var_t, var_lock_t; -+ ') -+ -+ files_search_locks($1) -+ allow $1 lockfile:dir list_dir_perms; -+ read_files_pattern($1, lockfile, lockfile) -+ read_lnk_files_pattern($1, lockfile, lockfile) -+') -+ -+######################################## -+## -+## manage all lock files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_manage_all_locks',` -+ gen_require(` -+ attribute lockfile; -+ type var_t, var_lock_t; -+ ') -+ -+ files_search_locks($1) -+ manage_dirs_pattern($1, lockfile, lockfile) -+ manage_files_pattern($1, lockfile, lockfile) -+ manage_lnk_files_pattern($1, lockfile, lockfile) -+') -+ -+######################################## -+## -+## Create an object in the locks directory, with a private -+## type using a type transition. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+## -+## The type of the object to be created. -+## -+## -+## -+## -+## The object class of the object being created. -+## -+## -+## -+## -+## The name of the object being created. 
-+## -+## -+# -+interface(`files_lock_filetrans',` -+ gen_require(` -+ type var_t, var_lock_t; -+ ') -+ -+ files_search_locks($1) -+ filetrans_pattern($1, var_lock_t, $2, $3, $4) -+') -+ -+######################################## -+## -+## Do not audit attempts to get the attributes -+## of the /var/run directory. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`files_dontaudit_getattr_pid_dirs',` -+ gen_require(` -+ type var_run_t; -+ ') -+ -+ dontaudit $1 var_run_t:lnk_file read_lnk_file_perms; -+ dontaudit $1 var_run_t:dir getattr; -+') -+ -+######################################## -+## -+## Set the attributes of the /var/run directory. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_setattr_pid_dirs',` -+ gen_require(` -+ type var_run_t; -+ ') -+ -+ files_search_pids($1) -+ allow $1 var_run_t:dir setattr; -+') -+ -+######################################## -+## -+## Search the contents of runtime process -+## ID directories (/var/run). -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_search_pids',` -+ gen_require(` -+ type var_t, var_run_t; -+ ') -+ -+ allow $1 var_t:lnk_file read_lnk_file_perms; -+ allow $1 var_run_t:lnk_file read_lnk_file_perms; -+ search_dirs_pattern($1, var_t, var_run_t) -+') -+ -+###################################### -+## -+## Add and remove entries from pid directories. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_rw_pid_dirs',` -+ gen_require(` -+ type var_run_t; -+ ') -+ -+ allow $1 var_run_t:dir rw_dir_perms; -+') -+ -+####################################### -+## -+## Create generic pid directory. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`files_create_var_run_dirs',` -+ gen_require(` -+ type var_t, var_run_t; -+ ') -+ -+ allow $1 var_t:dir search_dir_perms; -+ allow $1 var_run_t:dir create_dir_perms; -+') -+ -+######################################## -+## -+## Do not audit attempts to search -+## the /var/run directory. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`files_dontaudit_search_pids',` -+ gen_require(` -+ type var_run_t; -+ ') -+ -+ dontaudit $1 var_run_t:lnk_file read_lnk_file_perms; -+ dontaudit $1 var_run_t:dir search_dir_perms; -+') -+ -+######################################## -+## -+## Do not audit attempts to search -+## the all /var/run directory. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`files_dontaudit_search_all_pids',` -+ gen_require(` -+ attribute pidfile; -+ ') -+ -+ dontaudit $1 pidfile:dir search_dir_perms; -+') -+ -+######################################## -+## -+## List the contents of the runtime process -+## ID directories (/var/run). -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_list_pids',` -+ gen_require(` -+ type var_t, var_run_t; -+ ') -+ -+ files_search_pids($1) -+ list_dirs_pattern($1, var_t, var_run_t) -+') -+ -+######################################## -+## -+## Read generic process ID files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_read_generic_pids',` -+ gen_require(` -+ type var_t, var_run_t; -+ ') -+ -+ files_search_pids($1) -+ list_dirs_pattern($1, var_t, var_run_t) -+ read_files_pattern($1, var_run_t, var_run_t) -+') -+ -+######################################## -+## -+## Write named generic process ID pipes -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`files_write_generic_pid_pipes',` -+ gen_require(` -+ type var_run_t; -+ ') -+ -+ files_search_pids($1) -+ allow $1 var_run_t:fifo_file write; -+') -+ -+######################################## -+## -+## Create an object in the process ID directory, with a private type. -+## -+## -+##

    -+## Create an object in the process ID directory (e.g., /var/run) -+## with a private type. Typically this is used for creating -+## private PID files in /var/run with the private type instead -+## of the general PID file type. To accomplish this goal, -+## either the program must be SELinux-aware, or use this interface. -+##

    -+##

    -+## Related interfaces: -+##

    -+##
      -+##
    • files_pid_file()
    • -+##
    -+##

    -+## Example usage with a domain that can create and -+## write its PID file with a private PID file type in the -+## /var/run directory: -+##

    -+##

    -+## type mypidfile_t; -+## files_pid_file(mypidfile_t) -+## allow mydomain_t mypidfile_t:file { create_file_perms write_file_perms }; -+## files_pid_filetrans(mydomain_t, mypidfile_t, file) -+##

    -+##
    -+## -+## -+## Domain allowed access. -+## -+## -+## -+## -+## The type of the object to be created. -+## -+## -+## -+## -+## The object class of the object being created. -+## -+## -+## -+## -+## The name of the object being created. -+## -+## -+## -+# -+interface(`files_pid_filetrans',` -+ gen_require(` -+ type var_t, var_run_t; -+ ') -+ -+ allow $1 var_t:dir search_dir_perms; -+ filetrans_pattern($1, var_run_t, $2, $3, $4) -+') -+ -+######################################## -+## -+## Create a generic lock directory within the run directories -+## -+## -+## -+## Domain allowed access -+## -+## -+## -+## -+## The name of the object being created. -+## -+## -+# -+interface(`files_pid_filetrans_lock_dir',` -+ gen_require(` -+ type var_lock_t; -+ ') -+ -+ files_pid_filetrans($1, var_lock_t, dir, $2) -+') -+ -+######################################## -+## -+## Read and write generic process ID files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_rw_generic_pids',` -+ gen_require(` -+ type var_t, var_run_t; -+ ') -+ -+ files_search_pids($1) -+ list_dirs_pattern($1, var_t, var_run_t) -+ rw_files_pattern($1, var_run_t, var_run_t) -+') -+ -+######################################## -+## -+## Do not audit attempts to get the attributes of -+## daemon runtime data files. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`files_dontaudit_getattr_all_pids',` -+ gen_require(` -+ attribute pidfile; -+ type var_run_t; -+ ') -+ -+ dontaudit $1 var_run_t:lnk_file read_lnk_file_perms; -+ dontaudit $1 pidfile:file getattr; -+') -+ -+######################################## -+## -+## Do not audit attempts to write to daemon runtime data files. -+## -+## -+## -+## Domain to not audit. 
-+## -+## -+# -+interface(`files_dontaudit_write_all_pids',` -+ gen_require(` -+ attribute pidfile; -+ ') -+ -+ dontaudit $1 var_run_t:lnk_file read_lnk_file_perms; -+ dontaudit $1 pidfile:file write; -+') -+ -+######################################## -+## -+## Do not audit attempts to ioctl daemon runtime data files. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`files_dontaudit_ioctl_all_pids',` -+ gen_require(` -+ attribute pidfile; -+ type var_run_t; -+ ') -+ -+ dontaudit $1 var_run_t:lnk_file read_lnk_file_perms; -+ dontaudit $1 pidfile:file ioctl; -+') -+ -+######################################## -+## -+## Relable all pid directories -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_relabel_all_pid_dirs',` -+ gen_require(` -+ attribute pidfile; -+ ') -+ -+ relabel_dirs_pattern($1, pidfile, pidfile) -+') -+ -+######################################## -+## -+## Delete all pid sockets -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_delete_all_pid_sockets',` -+ gen_require(` -+ attribute pidfile; -+ ') -+ -+ allow $1 pidfile:sock_file delete_sock_file_perms; -+') -+ -+######################################## -+## -+## Create all pid sockets -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_create_all_pid_sockets',` -+ gen_require(` -+ attribute pidfile; -+ ') -+ -+ allow $1 pidfile:sock_file create_sock_file_perms; -+') -+ -+######################################## -+## -+## Create all pid named pipes -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_create_all_pid_pipes',` -+ gen_require(` -+ attribute pidfile; -+ ') -+ -+ allow $1 pidfile:fifo_file create_fifo_file_perms; -+') -+ -+######################################## -+## -+## Delete all pid named pipes -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`files_delete_all_pid_pipes',` -+ gen_require(` -+ attribute pidfile; -+ ') -+ -+ allow $1 pidfile:fifo_file delete_fifo_file_perms; -+') -+ -+######################################## -+## -+## manage all pidfile directories -+## in the /var/run directory. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_manage_all_pid_dirs',` -+ gen_require(` -+ attribute pidfile; -+ ') -+ -+ manage_dirs_pattern($1,pidfile,pidfile) -+') -+ -+ -+######################################## -+## -+## Read all process ID files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+# -+interface(`files_read_all_pids',` -+ gen_require(` -+ attribute pidfile; -+ type var_t; -+ ') -+ -+ list_dirs_pattern($1, var_t, pidfile) -+ read_files_pattern($1, pidfile, pidfile) -+ read_lnk_files_pattern($1, pidfile, pidfile) -+') -+ -+######################################## -+## -+## Relable all pid files -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_relabel_all_pid_files',` -+ gen_require(` -+ attribute pidfile; -+ ') -+ -+ relabel_files_pattern($1, pidfile, pidfile) -+') -+ -+######################################## -+## -+## Execute generic programs in /var/run in the caller domain. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_exec_generic_pid_files',` -+ gen_require(` -+ type var_run_t; -+ ') -+ -+ exec_files_pattern($1, var_run_t, var_run_t) -+') -+ -+######################################## -+## -+## manage all pidfiles -+## in the /var/run directory. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_manage_all_pids',` -+ gen_require(` -+ attribute pidfile; -+ ') -+ -+ manage_files_pattern($1,pidfile,pidfile) -+') -+ -+######################################## -+## -+## Mount filesystems on all polyinstantiation -+## member directories. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`files_mounton_all_poly_members',` -+ gen_require(` -+ attribute polymember; -+ ') -+ -+ allow $1 polymember:dir mounton; -+') -+ -+######################################## -+## -+## Delete all process IDs. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+# -+interface(`files_delete_all_pids',` -+ gen_require(` -+ attribute pidfile; -+ type var_t, var_run_t; -+ ') -+ -+ files_search_pids($1) -+ allow $1 var_t:dir search_dir_perms; -+ allow $1 var_run_t:dir rmdir; -+ allow $1 var_run_t:lnk_file delete_lnk_file_perms; -+ delete_files_pattern($1, pidfile, pidfile) -+ delete_fifo_files_pattern($1, pidfile, pidfile) -+ delete_sock_files_pattern($1, pidfile, { pidfile var_run_t }) -+') -+ -+######################################## -+## -+## Delete all process ID directories. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_delete_all_pid_dirs',` -+ gen_require(` -+ attribute pidfile; -+ type var_t, var_run_t; -+ ') -+ -+ files_search_pids($1) -+ allow $1 var_t:dir search_dir_perms; -+ delete_dirs_pattern($1, pidfile, pidfile) -+') -+ -+######################################## -+## -+## Make the specified type a file -+## used for spool files. -+## -+## -+##

    -+## Make the specified type usable for spool files. -+## This will also make the type usable for files, making -+## calls to files_type() redundant. Failure to use this interface -+## for a spool file may result in problems with -+## purging spool files. -+##

    -+##

    -+## Related interfaces: -+##

    -+##
      -+##
    • files_spool_filetrans()
    • -+##
    -+##

    -+## Example usage with a domain that can create and -+## write its spool file in the system spool file -+## directories (/var/spool): -+##

    -+##

    -+## type myspoolfile_t; -+## files_spool_file(myfile_spool_t) -+## allow mydomain_t myfile_spool_t:file { create_file_perms write_file_perms }; -+## files_spool_filetrans(mydomain_t, myfile_spool_t, file) ++## Example usage with a domain that can create and ++## write its spool file in the system spool file ++## directories (/var/spool): ++##

    ++##

    ++## type myspoolfile_t; ++## files_spool_file(myfile_spool_t) ++## allow mydomain_t myfile_spool_t:file { create_file_perms write_file_perms }; ++## files_spool_filetrans(mydomain_t, myfile_spool_t, file) +##

    +##
    +## 
@@ -12788,300 +11024,137 @@ index 64ff4d7..87c124c 100644 +## +## Domain allowed access. +## -+## -+# -+interface(`files_delete_all_spool_sockets',` -+ gen_require(` -+ attribute spoolfile; -+ ') -+ -+ allow $1 spoolfile:sock_file delete_sock_file_perms; -+') -+ -+######################################## -+## -+## Relabel to and from all spool -+## directory types. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+# -+interface(`files_relabel_all_spool_dirs',` -+ gen_require(` -+ attribute spoolfile; -+ type var_t; -+ ') -+ -+ relabel_dirs_pattern($1, spoolfile, spoolfile) -+') -+ -+######################################## -+## -+## Search the contents of generic spool -+## directories (/var/spool). -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_search_spool',` -+ gen_require(` -+ type var_t, var_spool_t; -+ ') -+ -+ search_dirs_pattern($1, var_t, var_spool_t) -+') -+ -+######################################## -+## -+## Do not audit attempts to search generic -+## spool directories. - ## - ## - ## -@@ -5996,19 +7553,18 @@ interface(`files_search_pids',` - ## - ## - # --interface(`files_dontaudit_search_pids',` -+interface(`files_dontaudit_search_spool',` - gen_require(` -- type var_run_t; -+ type var_spool_t; - ') - -- dontaudit $1 var_run_t:lnk_file read_lnk_file_perms; -- dontaudit $1 var_run_t:dir search_dir_perms; -+ dontaudit $1 var_spool_t:dir search_dir_perms; - ') - - ######################################## - ## --## List the contents of the runtime process --## ID directories (/var/run). -+## List the contents of generic spool -+## (/var/spool) directories. 
- ## - ## - ## -@@ -6016,18 +7572,18 @@ interface(`files_dontaudit_search_pids',` - ## - ## - # --interface(`files_list_pids',` -+interface(`files_list_spool',` - gen_require(` -- type var_t, var_run_t; -+ type var_t, var_spool_t; - ') - -- allow $1 var_run_t:lnk_file read_lnk_file_perms; -- list_dirs_pattern($1, var_t, var_run_t) -+ list_dirs_pattern($1, var_t, var_spool_t) - ') - - ######################################## - ## --## Read generic process ID files. -+## Create, read, write, and delete generic -+## spool directories (/var/spool). - ## - ## - ## -@@ -6035,19 +7591,18 @@ interface(`files_list_pids',` - ## - ## - # --interface(`files_read_generic_pids',` -+interface(`files_manage_generic_spool_dirs',` - gen_require(` -- type var_t, var_run_t; -+ type var_t, var_spool_t; - ') - -- allow $1 var_run_t:lnk_file read_lnk_file_perms; -- list_dirs_pattern($1, var_t, var_run_t) -- read_files_pattern($1, var_run_t, var_run_t) -+ allow $1 var_t:dir search_dir_perms; -+ manage_dirs_pattern($1, var_spool_t, var_spool_t) - ') - - ######################################## - ## --## Write named generic process ID pipes -+## Read generic spool files. - ## - ## - ## -@@ -6055,103 +7610,220 @@ interface(`files_read_generic_pids',` - ## - ## - # --interface(`files_write_generic_pid_pipes',` -+interface(`files_read_generic_spool',` - gen_require(` -- type var_run_t; -+ type var_t, var_spool_t; - ') - -- allow $1 var_run_t:lnk_file read_lnk_file_perms; -- allow $1 var_run_t:fifo_file write; -+ list_dirs_pattern($1, var_t, var_spool_t) -+ read_files_pattern($1, var_spool_t, var_spool_t) - ') - - ######################################## - ## --## Create an object in the process ID directory, with a private type. -+## Create, read, write, and delete generic -+## spool files. - ## --## --##

    --## Create an object in the process ID directory (e.g., /var/run) --## with a private type. Typically this is used for creating --## private PID files in /var/run with the private type instead --## of the general PID file type. To accomplish this goal, --## either the program must be SELinux-aware, or use this interface. --##

    --##

    --## Related interfaces: --##

    --##
      --##
    • files_pid_file()
    • --##
    --##

    --## Example usage with a domain that can create and --## write its PID file with a private PID file type in the --## /var/run directory: --##

    --##

    --## type mypidfile_t; --## files_pid_file(mypidfile_t) --## allow mydomain_t mypidfile_t:file { create_file_perms write_file_perms }; --## files_pid_filetrans(mydomain_t, mypidfile_t, file) --##

    --##
    - ## - ## - ## Domain allowed access. - ## - ## --## ++## +# -+interface(`files_manage_generic_spool',` ++interface(`files_delete_all_spool_sockets',` + gen_require(` -+ type var_t, var_spool_t; ++ attribute spoolfile; + ') + -+ allow $1 var_t:dir search_dir_perms; -+ manage_files_pattern($1, var_spool_t, var_spool_t) ++ allow $1 spoolfile:sock_file delete_sock_file_perms; +') + +######################################## +## -+## Create objects in the spool directory -+## with a private type with a type transition. ++## Relabel to and from all spool ++## directory types. +## +## - ## --## The type of the object to be created. ++## +## Domain allowed access. - ## - ## --## -+## - ## --## The object class of the object being created. -+## Type to which the created node will be transitioned. +## +## -+## ++## ++# ++interface(`files_relabel_all_spool_dirs',` ++ gen_require(` ++ attribute spoolfile; ++ type var_t; ++ ') ++ ++ relabel_dirs_pattern($1, spoolfile, spoolfile) ++') ++ ++######################################## ++## ++## Search the contents of generic spool ++## directories (/var/spool). ++## ++## +## -+## Object class(es) (single or set including {}) for which this -+## the transition will occur. - ## - ## - ## - ## --## The name of the object being created. -+## The name of the object being created. ++## Domain allowed access. +## +## +# -+interface(`files_spool_filetrans',` ++interface(`files_search_spool',` + gen_require(` + type var_t, var_spool_t; + ') + -+ allow $1 var_t:dir search_dir_perms; -+ filetrans_pattern($1, var_spool_t, $2, $3, $4) ++ search_dirs_pattern($1, var_t, var_spool_t) +') + +######################################## +## -+## Allow access to manage all polyinstantiated -+## directories on the system. ++## Do not audit attempts to search generic ++## spool directories. +## +## +## -+## Domain allowed access. ++## Domain to not audit. 
+## +## +# -+interface(`files_polyinstantiate_all',` ++interface(`files_dontaudit_search_spool',` + gen_require(` -+ attribute polydir, polymember, polyparent; -+ type poly_t; ++ type var_spool_t; + ') + -+ # Need to give access to /selinux/member -+ selinux_compute_member($1) -+ -+ # Need sys_admin capability for mounting -+ allow $1 self:capability { chown fsetid sys_admin fowner }; -+ -+ # Need to give access to the directories to be polyinstantiated -+ allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir }; -+ -+ # Need to give access to the polyinstantiated subdirectories -+ allow $1 polymember:dir search_dir_perms; ++ dontaudit $1 var_spool_t:dir search_dir_perms; ++') + -+ # Need to give access to parent directories where original -+ # is remounted for polyinstantiation aware programs (like gdm) -+ allow $1 polyparent:dir { getattr mounton }; ++######################################## ++## ++## List the contents of generic spool ++## (/var/spool) directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_list_spool',` ++ gen_require(` ++ type var_t, var_spool_t; ++ ') + -+ # Need to give permission to create directories where applicable -+ allow $1 self:process setfscreate; -+ allow $1 polymember: dir { create setattr relabelto }; -+ allow $1 polydir: dir { write add_name open }; -+ allow $1 polyparent:dir { open read write remove_name add_name relabelfrom relabelto }; ++ list_dirs_pattern($1, var_t, var_spool_t) ++') + -+ # Default type for mountpoints -+ allow $1 poly_t:dir { create mounton }; -+ fs_unmount_xattr_fs($1) ++######################################## ++## ++## Create, read, write, and delete generic ++## spool directories (/var/spool). ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`files_manage_generic_spool_dirs',` ++ gen_require(` ++ type var_t, var_spool_t; ++ ') + -+ fs_mount_tmpfs($1) -+ fs_unmount_tmpfs($1) ++ allow $1 var_t:dir search_dir_perms; ++ manage_dirs_pattern($1, var_spool_t, var_spool_t) ++') + -+ ifdef(`distro_redhat',` -+ # namespace.init -+ files_search_tmp($1) -+ files_search_home($1) -+ corecmd_exec_bin($1) -+ seutil_domtrans_setfiles($1) ++######################################## ++## ++## Read generic spool files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_read_generic_spool',` ++ gen_require(` ++ type var_t, var_spool_t; + ') ++ ++ list_dirs_pattern($1, var_t, var_spool_t) ++ read_files_pattern($1, var_spool_t, var_spool_t) +') + +######################################## +## -+## Unconfined access to files. ++## Create, read, write, and delete generic ++## spool files. +## +## +## @@ -13089,16 +11162,39 @@ index 64ff4d7..87c124c 100644 +## +## +# -+interface(`files_unconfined',` ++interface(`files_manage_generic_spool',` + gen_require(` -+ attribute files_unconfined_type; ++ type var_t, var_spool_t; + ') + -+ typeattribute $1 files_unconfined_type; ++ allow $1 var_t:dir search_dir_perms; ++ manage_files_pattern($1, var_spool_t, var_spool_t) +') + +######################################## +## ++## Create objects in the spool directory ++## with a private type with a type transition. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## Type to which the created node will be transitioned. ++## + ## + ## + ## +@@ -6562,3 +7781,459 @@ interface(`files_unconfined',` + + typeattribute $1 files_unconfined_type; + ') ++ ++######################################## ++## +## Create a core files in / +## +## 
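Review bot: `files_relabel_all_spool_dirs` on the new side of this hunk requires `type var_t;` that nothing in the interface uses; its only rule is `relabel_dirs_pattern($1, spoolfile, spoolfile)`, so the `gen_require` should be trimmed to `attribute spoolfile;`. The interface body was carried over from the old position of the patch rather than rewritten, so the stray require predates this commit, but it now lives in the moved block and is cheap to fix while it is being touched.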
@@ -13109,37 +11205,28 @@ index 64ff4d7..87c124c 100644 +## +## +## Domain allowed access. - ## - ## --## ++## ++## +## - # --interface(`files_pid_filetrans',` ++# +interface(`files_manage_root_files',` - gen_require(` -- type var_t, var_run_t; ++ gen_require(` + type root_t; - ') - -- allow $1 var_t:dir search_dir_perms; -- allow $1 var_run_t:lnk_file read_lnk_file_perms; -- filetrans_pattern($1, var_run_t, $2, $3, $4) ++ ') ++ + manage_files_pattern($1, root_t, root_t) - ') - - ######################################## - ## --## Create a generic lock directory within the run directories ++') ++ ++######################################## ++## +## Create a default directory - ## ++## +## +##

    +## Create a default_t direcrory +##

    +##
    - ## --## --## Domain allowed access ++## +## +## Domain allowed access. +## 
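Review bot: `files_manage_root_files` grants `manage_files_pattern($1, root_t, root_t)`, i.e. the full manage permission set on files directly under `/`, while the summary just above this hunk (unchanged here) reads `## Create a core files in /`; a caller reading the summary would not expect delete/rename rights at the filesystem root. Make the summary state the real grant, e.g. `## Create, read, write, and delete files directly in / (root_t).`, so that callers of this interface are reviewed against what it actually allows.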
@@ -13162,367 +11249,272 @@ index 64ff4d7..87c124c 100644 +## +## +## Domain allowed access. - ## - ## --## ++## ++## +## - ## --## The name of the object being created. ++## +## The class of the object being created. - ## - ## - # --interface(`files_pid_filetrans_lock_dir',` -- gen_require(` -- type var_lock_t; -- ') ++## ++## ++# +interface(`files_root_filetrans_default',` + gen_require(` + type root_t, default_t; + ') - -- files_pid_filetrans($1, var_lock_t, dir, $2) ++ + filetrans_pattern($1, root_t, default_t, $2) - ') - - ######################################## - ## --## Read and write generic process ID files. ++') ++ ++######################################## ++## +## manage generic symbolic links +## in the /var/run directory. - ## - ## - ## -@@ -6159,20 +7831,18 @@ interface(`files_pid_filetrans_lock_dir',` - ## - ## - # --interface(`files_rw_generic_pids',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`files_manage_generic_pids_symlinks',` - gen_require(` -- type var_t, var_run_t; ++ gen_require(` + type var_run_t; - ') - -- allow $1 var_run_t:lnk_file read_lnk_file_perms; -- list_dirs_pattern($1, var_t, var_run_t) -- rw_files_pattern($1, var_run_t, var_run_t) ++ ') ++ + manage_lnk_files_pattern($1,var_run_t,var_run_t) - ') - - ######################################## - ## --## Do not audit attempts to get the attributes of --## daemon runtime data files. ++') ++ ++######################################## ++## +## Do not audit attempts to getattr +## all tmpfs files. - ## - ## - ## -@@ -6180,19 +7850,17 @@ interface(`files_rw_generic_pids',` - ## - ## - # --interface(`files_dontaudit_getattr_all_pids',` ++## ++## ++## ++## Domain to not audit. 
++## ++## ++# +interface(`files_dontaudit_getattr_tmpfs_files',` - gen_require(` -- attribute pidfile; -- type var_run_t; ++ gen_require(` + attribute tmpfsfile; - ') - -- dontaudit $1 var_run_t:lnk_file read_lnk_file_perms; -- dontaudit $1 pidfile:file getattr; ++ ') ++ + allow $1 tmpfsfile:file getattr; - ') - - ######################################## - ## --## Do not audit attempts to write to daemon runtime data files. ++') ++ ++######################################## ++## +## Allow read write all tmpfs files - ## - ## - ## -@@ -6200,18 +7868,17 @@ interface(`files_dontaudit_getattr_all_pids',` - ## - ## - # --interface(`files_dontaudit_write_all_pids',` ++## ++## ++## ++## Domain to not audit. ++## ++## ++# +interface(`files_rw_tmpfs_files',` - gen_require(` -- attribute pidfile; ++ gen_require(` + attribute tmpfsfile; - ') - -- dontaudit $1 var_run_t:lnk_file read_lnk_file_perms; -- dontaudit $1 pidfile:file write; ++ ') ++ + allow $1 tmpfsfile:file { read write }; - ') - - ######################################## - ## --## Do not audit attempts to ioctl daemon runtime data files. ++') ++ ++######################################## ++## +## Do not audit attempts to read security files - ## - ## - ## -@@ -6219,41 +7886,43 @@ interface(`files_dontaudit_write_all_pids',` - ## - ## - # --interface(`files_dontaudit_ioctl_all_pids',` ++## ++## ++## ++## Domain to not audit. ++## ++## ++# +interface(`files_dontaudit_read_security_files',` - gen_require(` -- attribute pidfile; -- type var_run_t; ++ gen_require(` + attribute security_file_type; - ') - -- dontaudit $1 var_run_t:lnk_file read_lnk_file_perms; -- dontaudit $1 pidfile:file ioctl; ++ ') ++ + dontaudit $1 security_file_type:file read_file_perms; - ') - - ######################################## - ## --## Read all process ID files. ++') ++ ++######################################## ++## +## rw any files inherited from another process - ## - ## - ## - ## Domain allowed access. 
- ## - ## --## ++## ++## ++## ++## Domain allowed access. ++## ++## +## +## +## Object type. +## +## - # --interface(`files_read_all_pids',` ++# +interface(`files_rw_all_inherited_files',` - gen_require(` -- attribute pidfile; -- type var_t, var_run_t; ++ gen_require(` + attribute file_type; - ') - -- allow $1 var_run_t:lnk_file read_lnk_file_perms; -- list_dirs_pattern($1, var_t, pidfile) -- read_files_pattern($1, pidfile, pidfile) ++ ') ++ + allow $1 { file_type $2 }:file rw_inherited_file_perms; + allow $1 { file_type $2 }:fifo_file rw_inherited_fifo_file_perms; + allow $1 { file_type $2 }:sock_file rw_inherited_sock_file_perms; + allow $1 { file_type $2 }:chr_file rw_inherited_chr_file_perms; - ') - - ######################################## - ## --## Delete all process IDs. ++') ++ ++######################################## ++## +## Allow any file point to be the entrypoint of this domain - ## - ## - ## -@@ -6262,67 +7931,55 @@ interface(`files_read_all_pids',` - ## - ## - # --interface(`files_delete_all_pids',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# +interface(`files_entrypoint_all_files',` - gen_require(` -- attribute pidfile; -- type var_t, var_run_t; ++ gen_require(` + attribute file_type; - ') -- -- allow $1 var_t:dir search_dir_perms; -- allow $1 var_run_t:lnk_file read_lnk_file_perms; -- allow $1 var_run_t:dir rmdir; -- allow $1 var_run_t:lnk_file delete_lnk_file_perms; -- delete_files_pattern($1, pidfile, pidfile) -- delete_fifo_files_pattern($1, pidfile, pidfile) -- delete_sock_files_pattern($1, pidfile, { pidfile var_run_t }) ++ ') + allow $1 file_type:file entrypoint; - ') - - ######################################## - ## --## Delete all process ID directories. ++') ++ ++######################################## ++## +## Do not audit attempts to rw inherited file perms +## of non security files. - ## - ## - ## --## Domain allowed access. ++## ++## ++## +## Domain to not audit. 
- ## - ## - # --interface(`files_delete_all_pid_dirs',` ++## ++## ++# +interface(`files_dontaudit_all_non_security_leaks',` - gen_require(` -- attribute pidfile; -- type var_t, var_run_t; ++ gen_require(` + attribute non_security_file_type; - ') - -- allow $1 var_t:dir search_dir_perms; -- allow $1 var_run_t:lnk_file read_lnk_file_perms; -- delete_dirs_pattern($1, pidfile, pidfile) ++ ') ++ + dontaudit $1 non_security_file_type:file_class_set rw_inherited_file_perms; - ') - - ######################################## - ## --## Create, read, write and delete all --## var_run (pid) content ++') ++ ++######################################## ++## +## Do not audit attempts to read or write +## all leaked files. - ## - ## - ## --## Domain alloed access. ++## ++## ++## +## Domain to not audit. - ## - ## - # --interface(`files_manage_all_pids',` ++## ++## ++# +interface(`files_dontaudit_leaks',` - gen_require(` -- attribute pidfile; ++ gen_require(` + attribute file_type; - ') - -- manage_dirs_pattern($1, pidfile, pidfile) -- manage_files_pattern($1, pidfile, pidfile) -- manage_lnk_files_pattern($1, pidfile, pidfile) ++ ') ++ + dontaudit $1 file_type:file rw_inherited_file_perms; + dontaudit $1 file_type:lnk_file { read }; - ') - - ######################################## - ## --## Mount filesystems on all polyinstantiation --## member directories. ++') ++ ++######################################## ++## +## Allow domain to create_file_ass all types - ## - ## - ## -@@ -6330,37 +7987,37 @@ interface(`files_manage_all_pids',` - ## - ## - # --interface(`files_mounton_all_poly_members',` ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# +interface(`files_create_as_is_all_files',` - gen_require(` -- attribute polymember; ++ gen_require(` + attribute file_type; + class kernel_service create_files_as; - ') - -- allow $1 polymember:dir mounton; ++ ') ++ + allow $1 file_type:kernel_service create_files_as; - ') - - ######################################## - ## --## Search the contents of generic spool --## directories (/var/spool). ++') ++ ++######################################## ++## +## Do not audit attempts to check the +## access on all files - ## - ## - ## --## Domain allowed access. ++## ++## ++## +## Domain to not audit. - ## - ## - # --interface(`files_search_spool',` ++## ++## ++# +interface(`files_dontaudit_all_access_check',` - gen_require(` -- type var_t, var_spool_t; ++ gen_require(` + attribute file_type; - ') - -- search_dirs_pattern($1, var_t, var_spool_t) ++ ') ++ + dontaudit $1 file_type:dir_file_class_set audit_access; - ') - - ######################################## - ## --## Do not audit attempts to search generic --## spool directories. ++') ++ ++######################################## ++## +## Do not audit attempts to write to all files - ## - ## - ## -@@ -6368,186 +8025,169 @@ interface(`files_search_spool',` - ## - ## - # --interface(`files_dontaudit_search_spool',` ++## ++## ++## ++## Domain to not audit. ++## ++## ++# +interface(`files_dontaudit_write_all_files',` - gen_require(` -- type var_spool_t; ++ gen_require(` + attribute file_type; - ') - -- dontaudit $1 var_spool_t:dir search_dir_perms; ++ ') ++ + dontaudit $1 file_type:dir_file_class_set write; - ') - - ######################################## - ## --## List the contents of generic spool --## (/var/spool) directories. ++') ++ ++######################################## ++## +## Allow domain to delete to all files - ## - ## - ## --## Domain allowed access. ++## ++## ++## +## Domain to not audit. 
- ## - ## - # --interface(`files_list_spool',` ++## ++## ++# +interface(`files_delete_all_non_security_files',` - gen_require(` -- type var_t, var_spool_t; ++ gen_require(` + attribute non_security_file_type; - ') - -- list_dirs_pattern($1, var_t, var_spool_t) ++ ') ++ + allow $1 non_security_file_type:dir del_entry_dir_perms; + allow $1 non_security_file_type:file_class_set delete_file_perms; - ') - - ######################################## - ## --## Create, read, write, and delete generic --## spool directories (/var/spool). ++') ++ ++######################################## ++## +## Transition named content in the var_run_t directory - ## - ## - ## --## Domain allowed access. ++## ++## ++## +## Domain allowed access. - ## - ## - # --interface(`files_manage_generic_spool_dirs',` ++## ++## ++# +interface(`files_filetrans_named_content',` - gen_require(` -- type var_t, var_spool_t; ++ gen_require(` + type mnt_t; + type usr_t; + type var_t; + type tmp_t; - ') - -- allow $1 var_t:dir search_dir_perms; -- manage_dirs_pattern($1, var_spool_t, var_spool_t) ++ ') ++ + files_pid_filetrans($1, mnt_t, dir, "media") + files_root_filetrans($1, etc_runtime_t, file, ".readahead") + files_root_filetrans($1, etc_runtime_t, file, ".autorelabel") @@ -13544,15 +11536,13 @@ index 64ff4d7..87c124c 100644 + files_etc_filetrans_etc_runtime($1, file, "hwconf") + files_etc_filetrans_etc_runtime($1, file, "iptables.save") + files_tmp_filetrans($1, tmp_t, dir, "tmp-inst") - ') - - ######################################## - ## --## Read generic spool files. ++') ++ ++######################################## ++## +## Make the specified type a +## base file. - ## --## ++## +## +##
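Review bot: `files_dontaudit_getattr_tmpfs_files` is named and documented as a dontaudit interface, but its only rule is `allow $1 tmpfsfile:file getattr;`, so every caller silently gains getattr on all tmpfs files instead of merely having the denial suppressed; it should read `dontaudit $1 tmpfsfile:file getattr;` (or be renamed if the grant is intended). Relatedly, the parameter description this hunk adds for `files_rw_tmpfs_files` says `## Domain to not audit.` although that interface is a plain `allow`; it should be `## Domain allowed access.`. Further down, `files_filetrans_named_content` passes `etc_runtime_t` to `files_root_filetrans` but requires only `mnt_t`, `usr_t`, `var_t` and `tmp_t`; unless that type is required somewhere not visible here, add `type etc_runtime_t;` to its `gen_require`. That interface continues into the next hunk.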

    +## Identify file type as base file type. Tools will use this attribute, @@ -13560,185 +11550,103 @@ index 64ff4d7..87c124c 100644 +##

    +##
    +## - ## --## Domain allowed access. ++## +## Type to be used as a base files. - ## - ## ++## ++## +## - # --interface(`files_read_generic_spool',` ++# +interface(`files_base_file',` - gen_require(` -- type var_t, var_spool_t; ++ gen_require(` + attribute base_file_type; - ') -- -- list_dirs_pattern($1, var_t, var_spool_t) -- read_files_pattern($1, var_spool_t, var_spool_t) ++ ') + files_type($1) + typeattribute $1 base_file_type; - ') - - ######################################## - ## --## Create, read, write, and delete generic --## spool files. ++') ++ ++######################################## ++## +## Make the specified type a +## base read only file. - ## --## ++## +## +##

    +## Make the specified type readable for all domains. +##

    +##
    +## - ## --## Domain allowed access. ++## +## Type to be used as a base read only files. - ## - ## ++## ++## +## - # --interface(`files_manage_generic_spool',` ++# +interface(`files_ro_base_file',` - gen_require(` -- type var_t, var_spool_t; ++ gen_require(` + attribute base_ro_file_type; - ') -- -- allow $1 var_t:dir search_dir_perms; -- manage_files_pattern($1, var_spool_t, var_spool_t) ++ ') + files_base_file($1) + typeattribute $1 base_ro_file_type; - ') - - ######################################## - ## --## Create objects in the spool directory --## with a private type with a type transition. ++') ++ ++######################################## ++## +## Read all ro base files. - ## - ## - ## - ## Domain allowed access. - ## - ## --## --## --## Type to which the created node will be transitioned. --## --## --## --## --## Object class(es) (single or set including {}) for which this --## the transition will occur. --## --## --## --## --## The name of the object being created. --## --## ++## ++## ++## ++## Domain allowed access. ++## ++## +## - # --interface(`files_spool_filetrans',` ++# +interface(`files_read_all_base_ro_files',` - gen_require(` -- type var_t, var_spool_t; ++ gen_require(` + attribute base_ro_file_type; - ') - -- allow $1 var_t:dir search_dir_perms; -- filetrans_pattern($1, var_spool_t, $2, $3, $4) ++ ') ++ + list_dirs_pattern($1, base_ro_file_type, base_ro_file_type) + read_files_pattern($1, base_ro_file_type, base_ro_file_type) + read_lnk_files_pattern($1, base_ro_file_type, base_ro_file_type) - ') - - ######################################## - ## --## Allow access to manage all polyinstantiated --## directories on the system. ++') ++ ++######################################## ++## +## Execute all base ro files. - ## - ## - ## - ## Domain allowed access. - ## - ## ++## ++## ++## ++## Domain allowed access. 
++## ++## +## - # --interface(`files_polyinstantiate_all',` ++# +interface(`files_exec_all_base_ro_files',` - gen_require(` -- attribute polydir, polymember, polyparent; -- type poly_t; ++ gen_require(` + attribute base_ro_file_type; - ') - -- # Need to give access to /selinux/member -- selinux_compute_member($1) -- -- # Need sys_admin capability for mounting -- allow $1 self:capability { chown fsetid sys_admin fowner }; -- -- # Need to give access to the directories to be polyinstantiated -- allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir }; -- -- # Need to give access to the polyinstantiated subdirectories -- allow $1 polymember:dir search_dir_perms; -- -- # Need to give access to parent directories where original -- # is remounted for polyinstantiation aware programs (like gdm) -- allow $1 polyparent:dir { getattr mounton }; -- -- # Need to give permission to create directories where applicable -- allow $1 self:process setfscreate; -- allow $1 polymember: dir { create setattr relabelto }; -- allow $1 polydir: dir { write add_name open }; -- allow $1 polyparent:dir { open read write remove_name add_name relabelfrom relabelto }; -- -- # Default type for mountpoints -- allow $1 poly_t:dir { create mounton }; -- fs_unmount_xattr_fs($1) -- -- fs_mount_tmpfs($1) -- fs_unmount_tmpfs($1) -- -- ifdef(`distro_redhat',` -- # namespace.init -- files_search_tmp($1) -- files_search_home($1) -- corecmd_exec_bin($1) -- seutil_domtrans_setfiles($1) -- ') ++ ') ++ + can_exec($1, base_ro_file_type) - ') - - ######################################## - ## --## Unconfined access to files. ++') ++ ++######################################## ++## +## Allow the specified domain to modify the systemd configuration of +## any file. - ## - ## - ## -@@ -6555,10 +8195,11 @@ interface(`files_polyinstantiate_all',` - ## - ## - # --interface(`files_unconfined',` ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# +interface(`files_config_all_files',` - gen_require(` -- attribute files_unconfined_type; ++ gen_require(` + attribute file_type; - ') - -- typeattribute $1 files_unconfined_type; ++ ') ++ + allow $1 file_type:service all_service_perms; - ') ++') + diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te index 148d87a..822f6be 100644 @@ -13961,7 +11869,7 @@ index cda5588..3035829 100644 +/var/run/[^/]*/gvfs -d gen_context(system_u:object_r:fusefs_t,s0) +/var/run/[^/]*/gvfs/.* <> diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if -index 8416beb..60b2ce1 100644 +index 8416beb..0776923 100644 --- a/policy/modules/kernel/filesystem.if +++ b/policy/modules/kernel/filesystem.if @@ -631,6 +631,27 @@ interface(`fs_getattr_cgroup',` @@ -14024,7 +11932,14 @@ index 8416beb..60b2ce1 100644 ## list cgroup directories. ##
    ## -@@ -665,9 +706,29 @@ interface(`fs_list_cgroup_dirs', ` +@@ -659,15 +700,35 @@ interface(`fs_search_cgroup_dirs',` + ##
    + ## + # +-interface(`fs_list_cgroup_dirs', ` ++interface(`fs_list_cgroup_dirs',` + gen_require(` + type cgroup_t; ') list_dirs_pattern($1, cgroup_t, cgroup_t) @@ -18196,7 +16111,7 @@ index 234a940..d340f20 100644 ######################################## ## diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te -index 5da7870..8bd910a 100644 +index 5da7870..3577c24 100644 --- a/policy/modules/roles/staff.te +++ b/policy/modules/roles/staff.te @@ -8,12 +8,67 @@ policy_module(staff, 2.3.1) @@ -18516,7 +16431,7 @@ index 5da7870..8bd910a 100644 spamassassin_role(staff_r, staff_t) ') -@@ -176,3 +363,21 @@ ifndef(`distro_redhat',` +@@ -176,3 +363,22 @@ ifndef(`distro_redhat',` wireshark_role(staff_r, staff_t) ') ') @@ -18535,7 +16450,8 @@ index 5da7870..8bd910a 100644 + allow staff_t self:fifo_file relabelfrom; + dev_rw_kvm(staff_t) + virt_manage_images(staff_t) -+ virt_stream_connect_svirt(staff_t) ++ virt_stream_connect_svirt(staff_t) ++ virt_exec(staff_t) + ') +') diff --git a/policy/modules/roles/sysadm.if b/policy/modules/roles/sysadm.if @@ -25455,7 +23371,7 @@ index 28ad538..ebe81bf 100644 -/var/run/user(/.*)? gen_context(system_u:object_r:var_auth_t,s0) /var/(db|lib|adm)/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0) diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if -index 3efd5b6..792df83 100644 +index 3efd5b6..5188076 100644 --- a/policy/modules/system/authlogin.if +++ b/policy/modules/system/authlogin.if @@ -23,11 +23,17 @@ interface(`auth_role',` @@ -25477,7 +23393,12 @@ index 3efd5b6..792df83 100644 ') ######################################## -@@ -57,6 +63,8 @@ interface(`auth_use_pam',` +@@ -53,10 +59,12 @@ interface(`auth_use_pam',` + auth_read_login_records($1) + auth_append_login_records($1) + auth_rw_lastlog($1) +- auth_rw_faillog($1) ++ auth_manage_faillog($1) auth_exec_pam($1) auth_use_nsswitch($1) 
@@ -34542,7 +32463,7 @@ index 3822072..1029e3b 100644 + userdom_admin_home_dir_filetrans($1, default_context_t, file, ".default_context") +') diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te -index ec01d0b..d08ae58 100644 +index ec01d0b..73ef1e8 100644 --- a/policy/modules/system/selinuxutil.te +++ b/policy/modules/system/selinuxutil.te @@ -11,14 +11,17 @@ gen_require(` @@ -34761,7 +32682,7 @@ index ec01d0b..d08ae58 100644 files_read_etc_files(newrole_t) files_read_var_files(newrole_t) files_read_var_symlinks(newrole_t) -@@ -276,25 +310,38 @@ term_relabel_all_ptys(newrole_t) +@@ -276,25 +310,34 @@ term_relabel_all_ptys(newrole_t) term_getattr_unallocated_ttys(newrole_t) term_dontaudit_use_unallocated_ttys(newrole_t) @@ -34769,10 +32690,6 @@ index ec01d0b..d08ae58 100644 -auth_run_chk_passwd(newrole_t, newrole_roles) -auth_run_upd_passwd(newrole_t, newrole_roles) -auth_rw_faillog(newrole_t) -+#auth_use_nsswitch(newrole_t) -+#auth_run_chk_passwd(newrole_t, newrole_roles) -+#auth_run_upd_passwd(newrole_t, newrole_roles) -+#auth_rw_faillog(newrole_t) +auth_use_pam(newrole_t) # Write to utmp. @@ -34807,7 +32724,7 @@ index ec01d0b..d08ae58 100644 ifdef(`distro_ubuntu',` optional_policy(` unconfined_domain(newrole_t) -@@ -309,7 +356,7 @@ if(secure_mode) { +@@ -309,7 +352,7 @@ if(secure_mode) { userdom_spec_domtrans_all_users(newrole_t) } @@ -34816,7 +32733,7 @@ index ec01d0b..d08ae58 100644 files_polyinstantiate_all(newrole_t) ') -@@ -328,9 +375,13 @@ kernel_use_fds(restorecond_t) +@@ -328,9 +371,13 @@ kernel_use_fds(restorecond_t) kernel_rw_pipes(restorecond_t) kernel_read_system_state(restorecond_t) 
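Review bot: Replacing `auth_rw_faillog($1)` with `auth_manage_faillog($1)` inside `auth_use_pam` hands create/unlink/rename on faillog_t to every domain that uses PAM, not only the one that needed it, so any compromised PAM client could remove the failed-login record that drives account lockout. Keep `auth_rw_faillog($1)` in the shared interface and grant `auth_manage_faillog` directly in the specific domains that create or rotate the file. The body of `auth_use_pam` continues past the end of the hunk.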
@@ -34831,7 +32748,7 @@ index ec01d0b..d08ae58 100644 fs_list_inotifyfs(restorecond_t) selinux_validate_context(restorecond_t) -@@ -341,16 +392,17 @@ selinux_compute_user_contexts(restorecond_t) +@@ -341,16 +388,17 @@ selinux_compute_user_contexts(restorecond_t) files_relabel_non_auth_files(restorecond_t ) files_read_non_auth_files(restorecond_t) @@ -34851,7 +32768,7 @@ index ec01d0b..d08ae58 100644 ifdef(`distro_ubuntu',` optional_policy(` unconfined_domain(restorecond_t) -@@ -366,21 +418,24 @@ optional_policy(` +@@ -366,21 +414,24 @@ optional_policy(` # Run_init local policy # @@ -34878,7 +32795,7 @@ index ec01d0b..d08ae58 100644 dev_dontaudit_list_all_dev_nodes(run_init_t) domain_use_interactive_fds(run_init_t) -@@ -398,23 +453,30 @@ selinux_compute_create_context(run_init_t) +@@ -398,23 +449,30 @@ selinux_compute_create_context(run_init_t) selinux_compute_relabel_context(run_init_t) selinux_compute_user_contexts(run_init_t) @@ -34914,7 +32831,7 @@ index ec01d0b..d08ae58 100644 ifndef(`direct_sysadm_daemon',` ifdef(`distro_gentoo',` -@@ -425,6 +487,19 @@ ifndef(`direct_sysadm_daemon',` +@@ -425,6 +483,19 @@ ifndef(`direct_sysadm_daemon',` ') ') @@ -34934,7 +32851,7 @@ index ec01d0b..d08ae58 100644 ifdef(`distro_ubuntu',` optional_policy(` unconfined_domain(run_init_t) -@@ -440,81 +515,87 @@ optional_policy(` +@@ -440,81 +511,87 @@ optional_policy(` # semodule local policy # @@ -35075,7 +32992,7 @@ index ec01d0b..d08ae58 100644 ') ######################################## -@@ -522,108 +603,178 @@ ifdef(`distro_ubuntu',` +@@ -522,108 +599,178 @@ ifdef(`distro_ubuntu',` # Setfiles local policy # diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index 59d0278..e01db22 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -6715,7 +6715,7 @@ index f3c0aba..5189407 100644 + allow $1 apcupsd_unit_file_t:service all_service_perms; ') 
diff --git a/apcupsd.te b/apcupsd.te -index b236327..7e05d8c 100644 +index b236327..f194ee1 100644 --- a/apcupsd.te +++ b/apcupsd.te @@ -24,6 +24,9 @@ files_tmp_file(apcupsd_tmp_t) @@ -6728,7 +6728,18 @@ index b236327..7e05d8c 100644 ######################################## # # Local policy -@@ -54,7 +57,6 @@ kernel_read_system_state(apcupsd_t) +@@ -38,9 +41,7 @@ allow apcupsd_t self:tcp_socket create_stream_socket_perms; + allow apcupsd_t apcupsd_lock_t:file manage_file_perms; + files_lock_filetrans(apcupsd_t, apcupsd_lock_t, file) + +-append_files_pattern(apcupsd_t, apcupsd_log_t, apcupsd_log_t) +-create_files_pattern(apcupsd_t, apcupsd_log_t, apcupsd_log_t) +-setattr_files_pattern(apcupsd_t, apcupsd_log_t, apcupsd_log_t) ++manage_files_pattern(apcupsd_t, apcupsd_log_t, apcupsd_log_t) + logging_log_filetrans(apcupsd_t, apcupsd_log_t, file) + + manage_files_pattern(apcupsd_t, apcupsd_tmp_t, apcupsd_tmp_t) +@@ -54,7 +55,6 @@ kernel_read_system_state(apcupsd_t) corecmd_exec_bin(apcupsd_t) corecmd_exec_shell(apcupsd_t) @@ -6736,7 +6747,7 @@ index b236327..7e05d8c 100644 corenet_all_recvfrom_netlabel(apcupsd_t) corenet_tcp_sendrecv_generic_if(apcupsd_t) corenet_tcp_sendrecv_generic_node(apcupsd_t) -@@ -67,6 +69,7 @@ corenet_tcp_bind_apcupsd_port(apcupsd_t) +@@ -67,6 +67,7 @@ corenet_tcp_bind_apcupsd_port(apcupsd_t) corenet_sendrecv_apcupsd_server_packets(apcupsd_t) corenet_tcp_sendrecv_apcupsd_port(apcupsd_t) corenet_tcp_connect_apcupsd_port(apcupsd_t) @@ -6744,7 +6755,7 @@ index b236327..7e05d8c 100644 corenet_udp_bind_snmp_port(apcupsd_t) corenet_sendrecv_snmp_server_packets(apcupsd_t) -@@ -74,19 +77,23 @@ corenet_udp_sendrecv_snmp_port(apcupsd_t) +@@ -74,19 +75,23 @@ corenet_udp_sendrecv_snmp_port(apcupsd_t) dev_rw_generic_usb_dev(apcupsd_t) 
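Review bot: Collapsing the three `append_files_pattern`/`create_files_pattern`/`setattr_files_pattern` rules into `manage_files_pattern(apcupsd_t, apcupsd_log_t, apcupsd_log_t)` gives the daemon write, unlink and rename on its own log files, so a compromised apcupsd could truncate or delete the record of what it did; append-only was the deliberately narrower grant. If the driver is log rotation done by apcupsd itself, add only the missing permissions next to the existing rules, e.g. `allow apcupsd_t apcupsd_log_t:file { rename unlink };`, with a comment saying why; otherwise restore the original three rules. The `logging_log_filetrans` line is unaffected either way.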
@@ -6772,7 +6783,7 @@ index b236327..7e05d8c 100644 optional_policy(` hostname_exec(apcupsd_t) -@@ -112,7 +119,6 @@ optional_policy(` +@@ -112,7 +117,6 @@ optional_policy(` allow httpd_apcupsd_cgi_script_t self:tcp_socket create_stream_socket_perms; allow httpd_apcupsd_cgi_script_t self:udp_socket create_socket_perms; @@ -8088,7 +8099,7 @@ index 866a1e2..6c2dbe4 100644 + allow $1 named_unit_file_t:service all_service_perms; ') diff --git a/bind.te b/bind.te -index 076ffee..6bf02f0 100644 +index 076ffee..e3dbd11 100644 --- a/bind.te +++ b/bind.te @@ -34,7 +34,7 @@ type named_checkconf_exec_t; @@ -8110,9 +8121,12 @@ index 076ffee..6bf02f0 100644 type named_log_t; logging_log_file(named_log_t) -@@ -70,6 +73,7 @@ role ndc_roles types ndc_t; +@@ -68,8 +71,9 @@ role ndc_roles types ndc_t; + # Local policy + # - allow named_t self:capability { chown dac_override fowner setgid setuid sys_chroot sys_nice sys_resource }; +-allow named_t self:capability { chown dac_override fowner setgid setuid sys_chroot sys_nice sys_resource }; ++allow named_t self:capability { chown dac_override fowner net_admin setgid setuid sys_chroot sys_nice sys_resource }; dontaudit named_t self:capability sys_tty_config; +allow named_t self:capability2 block_suspend; allow named_t self:process { setsched getcap setcap setrlimit signal_perms }; @@ -9905,7 +9919,7 @@ index 2354e21..fb8c9ed 100644 + ') +') diff --git a/certwatch.te b/certwatch.te -index 403af41..8da9f32 100644 +index 403af41..48a40cd 100644 --- a/certwatch.te +++ b/certwatch.te @@ -20,33 +20,42 @@ role certwatch_roles types certwatch_t; @@ -9943,7 +9957,7 @@ index 403af41..8da9f32 100644 +userdom_dontaudit_list_admin_dir(certwatch_t) optional_policy(` -+ apache_exec(certwatch_t) ++ apache_domtrans(certwatch_t) apache_exec_modules(certwatch_t) apache_read_config(certwatch_t) ') @@ -10183,19 +10197,22 @@ index fdee107..7a38b63 100644 +logging_send_syslog_msg(cgred_t) 
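Review bot: Adding `net_admin` to `allow named_t self:capability { ... }` grants CAP_NET_ADMIN, which covers routing, interface configuration and netfilter, far beyond what a DNS server needs; in practice it is usually requested only because a setsockopt() probe (IP_TRANSPARENT, SO_BINDTODEVICE and the like) asks for it and works fine when refused. Unless a concrete named feature is known to fail without it, prefer `dontaudit named_t self:capability net_admin;` beside the existing `dontaudit named_t self:capability sys_tty_config;`, and if the allow really is needed, name the triggering feature in a comment above the rule.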
diff --git a/chrome.fc b/chrome.fc new file mode 100644 -index 0000000..88107d7 +index 0000000..57866f6 --- /dev/null +++ b/chrome.fc -@@ -0,0 +1,6 @@ +@@ -0,0 +1,9 @@ +/opt/google/chrome/chrome-sandbox -- gen_context(system_u:object_r:chrome_sandbox_exec_t,s0) + +/usr/lib/chromium-browser/chrome-sandbox -- gen_context(system_u:object_r:chrome_sandbox_exec_t,s0) + +/opt/google/chrome/nacl_helper_bootstrap -- gen_context(system_u:object_r:chrome_sandbox_nacl_exec_t,s0) +/usr/lib/chromium-browser/nacl_helper_bootstrap -- gen_context(system_u:object_r:chrome_sandbox_nacl_exec_t,s0) ++ ++HOME_DIR/\.cache/google-chrome(/.*)? gen_context(system_u:object_r:chrome_sandbox_home_t,s0) ++HOME_DIR/\.cache/chromium(/.*)? gen_context(system_u:object_r:chrome_sandbox_home_t,s0) diff --git a/chrome.if b/chrome.if new file mode 100644 -index 0000000..36bd6be +index 0000000..5977d96 --- /dev/null +++ b/chrome.if @@ -0,0 +1,134 @@ @@ -10285,9 +10302,9 @@ index 0000000..36bd6be + + allow chrome_sandbox_t $2:unix_dgram_socket { read write }; + allow $2 chrome_sandbox_t:unix_dgram_socket { read write }; -+ allow chrome_sandbox_t $2:unix_stream_socket { append getattr read write }; ++ allow chrome_sandbox_t $2:unix_stream_socket rw_inherited_sock_file_perms;; + dontaudit chrome_sandbox_t $2:unix_stream_socket shutdown; -+ allow chrome_sandbox_nacl_t $2:unix_stream_socket { getattr read write }; ++ allow chrome_sandbox_nacl_t $2:unix_stream_socket rw_inherited_sock_file_perms; + allow $2 chrome_sandbox_nacl_t:unix_stream_socket { getattr read write }; + allow $2 chrome_sandbox_t:unix_stream_socket { getattr read write }; + @@ -10335,10 +10352,10 @@ index 0000000..36bd6be +') diff --git a/chrome.te b/chrome.te new file mode 100644 -index 0000000..6300c78 +index 0000000..41d3959 --- /dev/null +++ b/chrome.te -@@ -0,0 +1,205 @@ +@@ -0,0 +1,220 @@ +policy_module(chrome,1.0.0) + +######################################## 
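Review bot: The new line `allow chrome_sandbox_t $2:unix_stream_socket rw_inherited_sock_file_perms;;` ends in a doubled `;;`, which the policy compiler will most likely reject as a syntax error, and it applies a sock_file permission set to a unix_stream_socket class — that only compiles if every permission in the macro (its definition is not visible here) also exists on socket classes, which `open` for example does not. The explicit `{ append getattr read write }` it replaces was correct for the class; restore it or use a socket-oriented set, and drop the stray semicolon. The `chrome_sandbox_nacl_t` rule two lines below uses the same macro and should be checked the same way.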
@@ -10365,6 +10382,9 @@ index 0000000..6300c78 +role system_r types chrome_sandbox_nacl_t; +ubac_constrained(chrome_sandbox_nacl_t) + ++type chrome_sandbox_home_t; ++userdom_user_home_content(chrome_sandbox_home_t) ++ +######################################## +# +# chrome_sandbox local policy @@ -10382,12 +10402,17 @@ index 0000000..6300c78 +allow chrome_sandbox_t self:netlink_route_socket r_netlink_socket_perms; +dontaudit chrome_sandbox_t self:memprotect mmap_zero; + ++manage_dirs_pattern(chrome_sandbox_t, chrome_sandbox_home_t, chrome_sandbox_home_t) ++manage_files_pattern(chrome_sandbox_t, chrome_sandbox_home_t, chrome_sandbox_home_t) ++manage_lnk_files_pattern(chrome_sandbox_t, chrome_sandbox_home_t, chrome_sandbox_home_t) ++ +manage_dirs_pattern(chrome_sandbox_t, chrome_sandbox_tmp_t, chrome_sandbox_tmp_t) +manage_files_pattern(chrome_sandbox_t, chrome_sandbox_tmp_t, chrome_sandbox_tmp_t) +files_tmp_filetrans(chrome_sandbox_t, chrome_sandbox_tmp_t, { dir file }) ++userdom_user_tmp_filetrans(chrome_sandbox_t, chrome_sandbox_tmp_t, { dir file }) + +manage_files_pattern(chrome_sandbox_t, chrome_sandbox_tmpfs_t, chrome_sandbox_tmpfs_t) -+fs_tmpfs_filetrans(chrome_sandbox_t, chrome_sandbox_tmpfs_t, file) ++fs_tmpfs_filetrans(chrome_sandbox_t, chrome_sandbox_tmpfs_t, { file dir }) + +kernel_read_system_state(chrome_sandbox_t) +kernel_read_kernel_sysctls(chrome_sandbox_t) @@ -10444,6 +10469,9 @@ index 0000000..6300c78 +optional_policy(` + gnome_rw_inherited_config(chrome_sandbox_t) + gnome_read_home_config(chrome_sandbox_t) ++ gnome_cache_filetrans(chrome_sandbox_t, chrome_sandbox_home_t, dir, "chromium") ++ gnome_cache_filetrans(chrome_sandbox_t, chrome_sandbox_home_t, dir, "chrome") ++ +') + +optional_policy(` 
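Review bot: `gnome_cache_filetrans(chrome_sandbox_t, chrome_sandbox_home_t, dir, "chrome")` names a directory that the file contexts in this patch never label — chrome.fc labels `HOME_DIR/\.cache/google-chrome(/.*)?`, not `.cache/chrome` — so a freshly created Google Chrome cache directory will be created under the generic cache label and only a restorecon fixes it. Use `"google-chrome"` to match the fc entry, or add a `.cache/chrome` line to chrome.fc if that path is real; the `"chromium"` transition does line up with its fc entry.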
@@ -10520,10 +10548,14 @@ index 0000000..6300c78 +domtrans_pattern(chrome_sandbox_t, chrome_sandbox_nacl_exec_t, chrome_sandbox_nacl_t) +ps_process_pattern(chrome_sandbox_t, chrome_sandbox_nacl_t) + ++manage_dirs_pattern(chrome_sandbox_nacl_t, chrome_sandbox_home_t, chrome_sandbox_home_t) ++manage_files_pattern(chrome_sandbox_nacl_t, chrome_sandbox_home_t, chrome_sandbox_home_t) ++manage_lnk_files_pattern(chrome_sandbox_nacl_t, chrome_sandbox_home_t, chrome_sandbox_home_t) ++ +kernel_read_state(chrome_sandbox_nacl_t) +kernel_read_system_state(chrome_sandbox_nacl_t) + -+corecmd_sbin_entry_type(chrome_sandbox_nacl_t) ++corecmd_bin_entry_type(chrome_sandbox_nacl_t) + +dev_read_urand(chrome_sandbox_nacl_t) +dev_read_sysfs(chrome_sandbox_nacl_t) @@ -11887,7 +11919,7 @@ index 954309e..f4db2ca 100644 ') + diff --git a/collectd.te b/collectd.te -index 6471fa8..afeb58c 100644 +index 6471fa8..ace40ae 100644 --- a/collectd.te +++ b/collectd.te @@ -26,8 +26,14 @@ files_type(collectd_var_lib_t) 
@@ -11905,28 +11937,37 @@ index 6471fa8..afeb58c 100644 ######################################## # # Local policy -@@ -38,6 +44,7 @@ allow collectd_t self:process { getsched setsched signal }; +@@ -38,6 +44,8 @@ allow collectd_t self:process { getsched setsched signal }; allow collectd_t self:fifo_file rw_fifo_file_perms; allow collectd_t self:packet_socket create_socket_perms; allow collectd_t self:unix_stream_socket { accept listen }; -+allow collectd_t self:netlink_tcpdiag_socket create_socket_perms; ++allow collectd_t self:netlink_tcpdiag_socket create_netlink_socket_perms; ++allow collectd_t self:udp_socket create_socket_perms; manage_dirs_pattern(collectd_t, collectd_var_lib_t, collectd_var_lib_t) manage_files_pattern(collectd_t, collectd_var_lib_t, collectd_var_lib_t) -@@ -48,21 +55,18 @@ files_pid_filetrans(collectd_t, collectd_var_run_t, file) +@@ -46,23 +54,25 @@ files_var_lib_filetrans(collectd_t, collectd_var_lib_t, dir) + manage_files_pattern(collectd_t, collectd_var_run_t, collectd_var_run_t) + files_pid_filetrans(collectd_t, collectd_var_run_t, file) - domain_use_interactive_fds(collectd_t) +-domain_use_interactive_fds(collectd_t) ++kernel_read_all_sysctls(collectd_t) ++kernel_read_all_proc(collectd_t) ++kernel_list_all_proc(collectd_t) -kernel_read_network_state(collectd_t) -kernel_read_net_sysctls(collectd_t) -kernel_read_system_state(collectd_t) -+kernel_read_all_sysctls(collectd_t) -+kernel_read_all_proc(collectd_t) ++corenet_udp_bind_generic_node(collectd_t) ++corenet_udp_bind_collectd_port(collectd_t) dev_read_rand(collectd_t) dev_read_sysfs(collectd_t) dev_read_urand(collectd_t) ++domain_use_interactive_fds(collectd_t) ++domain_read_all_domains_state(collectd_t) ++ files_getattr_all_dirs(collectd_t) -files_read_etc_files(collectd_t) -files_read_usr_files(collectd_t) 
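Review bot: `domain_read_all_domains_state(collectd_t)` together with `kernel_read_all_proc` and `kernel_list_all_proc` lets the metrics daemon read the /proc state of every confined process on the host, a sizable disclosure surface for a service that in the same hunk also gains `allow collectd_t self:udp_socket create_socket_perms;` and a bound collectd port. A process-monitoring plugin legitimately needs it, but a comment naming that plugin above the rule, and consideration of gating it behind a tunable so deployments without the plugin do not carry it, would keep the grant reviewable.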
@@ -11938,7 +11979,7 @@ index 6471fa8..afeb58c 100644 logging_send_syslog_msg(collectd_t) -@@ -80,11 +84,17 @@ optional_policy(` +@@ -80,11 +90,17 @@ optional_policy(` ######################################## # @@ -16289,7 +16330,7 @@ index 06da9a0..ca832e1 100644 + ps_process_pattern($1, cupsd_t) ') diff --git a/cups.te b/cups.te -index 9f34c2e..c861b5b 100644 +index 9f34c2e..52c170f 100644 --- a/cups.te +++ b/cups.te @@ -5,19 +5,24 @@ policy_module(cups, 1.15.9) @@ -16629,7 +16670,7 @@ index 9f34c2e..c861b5b 100644 allow cupsd_config_t cupsd_t:process signal; ps_process_pattern(cupsd_config_t, cupsd_t) -@@ -375,18 +410,15 @@ manage_dirs_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run +@@ -375,18 +410,16 @@ manage_dirs_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run manage_files_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run_t) files_pid_filetrans(cupsd_config_t, cupsd_config_var_run_t, { dir file }) @@ -16639,9 +16680,10 @@ index 9f34c2e..c861b5b 100644 stream_connect_pattern(cupsd_config_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t) can_exec(cupsd_config_t, cupsd_config_exec_t) - --domtrans_pattern(cupsd_config_t, hplip_exec_t, hplip_t) - +-domtrans_pattern(cupsd_config_t, hplip_exec_t, hplip_t) ++can_exec(cupsd_config_t, cupsd_exec_t) + kernel_read_system_state(cupsd_config_t) kernel_read_all_sysctls(cupsd_config_t) @@ -16649,7 +16691,7 @@ index 9f34c2e..c861b5b 100644 corenet_all_recvfrom_netlabel(cupsd_config_t) corenet_tcp_sendrecv_generic_if(cupsd_config_t) corenet_tcp_sendrecv_generic_node(cupsd_config_t) -@@ -395,20 +427,12 @@ corenet_tcp_sendrecv_all_ports(cupsd_config_t) +@@ -395,20 +428,12 @@ corenet_tcp_sendrecv_all_ports(cupsd_config_t) corenet_sendrecv_all_client_packets(cupsd_config_t) corenet_tcp_connect_all_ports(cupsd_config_t) 
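Review bot: `can_exec(cupsd_config_t, cupsd_exec_t)` runs the cupsd binary inside the configuration tool's domain instead of transitioning into cupsd_t, so whatever it launches keeps cupsd_config_t's permissions (the surrounding context already shows `corenet_tcp_connect_all_ports(cupsd_config_t)` and `kernel_read_all_sysctls(cupsd_config_t)`) rather than the daemon's own profile. If this exists for a configuration check such as `cupsd -t`, a comment above the rule should say so; if it actually (re)starts the daemon, a domain transition into cupsd_t is the safer shape.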
@@ -16670,7 +16712,7 @@ index 9f34c2e..c861b5b 100644 fs_search_auto_mountpoints(cupsd_config_t) domain_use_interactive_fds(cupsd_config_t) -@@ -420,11 +444,6 @@ auth_use_nsswitch(cupsd_config_t) +@@ -420,11 +445,6 @@ auth_use_nsswitch(cupsd_config_t) logging_send_syslog_msg(cupsd_config_t) @@ -16682,7 +16724,7 @@ index 9f34c2e..c861b5b 100644 userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t) userdom_dontaudit_search_user_home_dirs(cupsd_config_t) userdom_read_all_users_state(cupsd_config_t) -@@ -452,9 +471,12 @@ optional_policy(` +@@ -452,9 +472,12 @@ optional_policy(` ') optional_policy(` @@ -16696,7 +16738,7 @@ index 9f34c2e..c861b5b 100644 ') optional_policy(` -@@ -490,10 +512,6 @@ optional_policy(` +@@ -490,10 +513,6 @@ optional_policy(` # Lpd local policy # @@ -16707,7 +16749,7 @@ index 9f34c2e..c861b5b 100644 allow cupsd_lpd_t self:netlink_tcpdiag_socket r_netlink_socket_perms; allow cupsd_lpd_t { cupsd_etc_t cupsd_rw_etc_t }:dir list_dir_perms; -@@ -511,31 +529,22 @@ stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t) +@@ -511,31 +530,22 @@ stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t) kernel_read_kernel_sysctls(cupsd_lpd_t) kernel_read_system_state(cupsd_lpd_t) @@ -16740,7 +16782,7 @@ index 9f34c2e..c861b5b 100644 optional_policy(` inetd_service_domain(cupsd_lpd_t, cupsd_lpd_exec_t) ') -@@ -546,7 +555,6 @@ optional_policy(` +@@ -546,7 +556,6 @@ optional_policy(` # allow cups_pdf_t self:capability { chown fowner fsetid setuid setgid dac_override }; @@ -16748,7 +16790,7 @@ index 9f34c2e..c861b5b 100644 allow cups_pdf_t self:unix_stream_socket create_stream_socket_perms; append_files_pattern(cups_pdf_t, cupsd_log_t, cupsd_log_t) -@@ -562,148 +570,23 @@ fs_search_auto_mountpoints(cups_pdf_t) +@@ -562,148 +571,23 @@ fs_search_auto_mountpoints(cups_pdf_t) kernel_read_system_state(cups_pdf_t) 
@@ -16900,7 +16942,7 @@ index 9f34c2e..c861b5b 100644 ######################################## # -@@ -731,7 +614,6 @@ kernel_read_kernel_sysctls(ptal_t) +@@ -731,7 +615,6 @@ kernel_read_kernel_sysctls(ptal_t) kernel_list_proc(ptal_t) kernel_read_proc_symlinks(ptal_t) @@ -16908,7 +16950,7 @@ index 9f34c2e..c861b5b 100644 corenet_all_recvfrom_netlabel(ptal_t) corenet_tcp_sendrecv_generic_if(ptal_t) corenet_tcp_sendrecv_generic_node(ptal_t) -@@ -741,13 +623,11 @@ corenet_sendrecv_ptal_server_packets(ptal_t) +@@ -741,13 +624,11 @@ corenet_sendrecv_ptal_server_packets(ptal_t) corenet_tcp_bind_ptal_port(ptal_t) corenet_tcp_sendrecv_ptal_port(ptal_t) @@ -16922,7 +16964,7 @@ index 9f34c2e..c861b5b 100644 files_read_etc_runtime_files(ptal_t) fs_getattr_all_fs(ptal_t) -@@ -755,8 +635,6 @@ fs_search_auto_mountpoints(ptal_t) +@@ -755,8 +636,6 @@ fs_search_auto_mountpoints(ptal_t) logging_send_syslog_msg(ptal_t) @@ -23993,7 +24035,7 @@ index 9eacb2c..229782f 100644 init_labeled_script_domtrans($1, { glance_api_initrc_exec_t glance_registry_initrc_exec_t }) domain_system_change_exemption($1) diff --git a/glance.te b/glance.te -index e0a4f46..16c0ddd 100644 +index e0a4f46..79bc951 100644 --- a/glance.te +++ b/glance.te @@ -7,8 +7,7 @@ policy_module(glance, 1.0.2) @@ -24027,7 +24069,7 @@ index e0a4f46..16c0ddd 100644 allow glance_domain self:fifo_file rw_fifo_file_perms; allow glance_domain self:unix_stream_socket create_stream_socket_perms; allow glance_domain self:tcp_socket { accept listen }; -@@ -56,27 +58,21 @@ manage_files_pattern(glance_domain, glance_var_lib_t, glance_var_lib_t) +@@ -56,27 +58,22 @@ manage_files_pattern(glance_domain, glance_var_lib_t, glance_var_lib_t) manage_dirs_pattern(glance_domain, glance_var_run_t, glance_var_run_t) manage_files_pattern(glance_domain, glance_var_run_t, glance_var_run_t) 
@@ -24040,6 +24082,7 @@ index e0a4f46..16c0ddd 100644 corenet_tcp_sendrecv_all_ports(glance_domain) corenet_tcp_bind_generic_node(glance_domain) +corenet_tcp_connect_mysqld_port(glance_domain) ++corenet_tcp_connect_http_port(glance_domain) corecmd_exec_bin(glance_domain) corecmd_exec_shell(glance_domain) @@ -24057,7 +24100,7 @@ index e0a4f46..16c0ddd 100644 sysnet_dns_name_resolve(glance_domain) ######################################## -@@ -88,8 +84,14 @@ manage_dirs_pattern(glance_registry_t, glance_registry_tmp_t, glance_registry_tm +@@ -88,8 +85,14 @@ manage_dirs_pattern(glance_registry_t, glance_registry_tmp_t, glance_registry_tm manage_files_pattern(glance_registry_t, glance_registry_tmp_t, glance_registry_tmp_t) files_tmp_filetrans(glance_registry_t, glance_registry_tmp_t, { dir file }) @@ -24072,7 +24115,7 @@ index e0a4f46..16c0ddd 100644 logging_send_syslog_msg(glance_registry_t) -@@ -108,13 +110,21 @@ manage_files_pattern(glance_api_t, glance_tmp_t, glance_tmp_t) +@@ -108,13 +111,21 @@ manage_files_pattern(glance_api_t, glance_tmp_t, glance_tmp_t) files_tmp_filetrans(glance_api_t, glance_tmp_t, { dir file }) can_exec(glance_api_t, glance_tmp_t) @@ -32070,7 +32113,7 @@ index e736c45..4b1e1e4 100644 /var/log/ksmtuned.* gen_context(system_u:object_r:ksmtuned_log_t,s0) diff --git a/ksmtuned.if b/ksmtuned.if -index c530214..eadf7e0 100644 +index c530214..641f494 100644 --- a/ksmtuned.if +++ b/ksmtuned.if @@ -38,6 +38,29 @@ interface(`ksmtuned_initrc_domtrans',` @@ -32103,7 +32146,7 @@ index c530214..eadf7e0 100644 ######################################## ## ## All of the rules required to -@@ -57,21 +80,26 @@ interface(`ksmtuned_initrc_domtrans',` +@@ -57,21 +80,24 @@ interface(`ksmtuned_initrc_domtrans',` # interface(`ksmtuned_admin',` gen_require(` 
@@ -32132,11 +32175,9 @@ index c530214..eadf7e0 100644 logging_search_logs($1) admin_pattern($1, ksmtuned_log_t) + -+ ksmtuned_systemctl($1) -+ admin_pattern($1, ksmtuned_unit_file_t) -+ allow $1 ksmtuned_unit_file_t:service all_service_perms; -+ -+ ++ ksmtuned_systemctl($1) ++ admin_pattern($1, ksmtuned_unit_file_t) ++ allow $1 ksmtuned_unit_file_t:service all_service_perms; ') diff --git a/ksmtuned.te b/ksmtuned.te index c1539b5..fd0a17f 100644 @@ -37336,7 +37377,7 @@ index 6194b80..116d9d2 100644 ') + diff --git a/mozilla.te b/mozilla.te -index 6a306ee..3ac5d92 100644 +index 6a306ee..66e7ada 100644 --- a/mozilla.te +++ b/mozilla.te @@ -1,4 +1,4 @@ @@ -37345,7 +37386,7 @@ index 6a306ee..3ac5d92 100644 ######################################## # -@@ -6,17 +6,27 @@ policy_module(mozilla, 2.7.4) +@@ -6,17 +6,34 @@ policy_module(mozilla, 2.7.4) # ## @@ -37362,6 +37403,13 @@ index 6a306ee..3ac5d92 100644 + +## +##

    ++## Allow mozilla plugin to support spice protocols. ++##

    ++##
    ++gen_tunable(mozilla_plugin_use_spice, false) ++ ++## ++##

    +## Allow confined web browsers to read home directory content +##

    +##
    @@ -37378,7 +37426,7 @@ index 6a306ee..3ac5d92 100644 type mozilla_t; type mozilla_exec_t; typealias mozilla_t alias { user_mozilla_t staff_mozilla_t sysadm_mozilla_t }; -@@ -24,6 +34,9 @@ typealias mozilla_t alias { auditadm_mozilla_t secadm_mozilla_t }; +@@ -24,6 +41,9 @@ typealias mozilla_t alias { auditadm_mozilla_t secadm_mozilla_t }; userdom_user_application_domain(mozilla_t, mozilla_exec_t) role mozilla_roles types mozilla_t; @@ -37388,7 +37436,7 @@ index 6a306ee..3ac5d92 100644 type mozilla_home_t; typealias mozilla_home_t alias { user_mozilla_home_t staff_mozilla_home_t sysadm_mozilla_home_t }; typealias mozilla_home_t alias { auditadm_mozilla_home_t secadm_mozilla_home_t }; -@@ -31,29 +44,24 @@ userdom_user_home_content(mozilla_home_t) +@@ -31,29 +51,24 @@ userdom_user_home_content(mozilla_home_t) type mozilla_plugin_t; type mozilla_plugin_exec_t; @@ -37423,7 +37471,7 @@ index 6a306ee..3ac5d92 100644 type mozilla_tmp_t; userdom_user_tmp_file(mozilla_tmp_t) -@@ -63,10 +71,6 @@ typealias mozilla_tmpfs_t alias { user_mozilla_tmpfs_t staff_mozilla_tmpfs_t sys +@@ -63,10 +78,6 @@ typealias mozilla_tmpfs_t alias { user_mozilla_tmpfs_t staff_mozilla_tmpfs_t sys typealias mozilla_tmpfs_t alias { auditadm_mozilla_tmpfs_t secadm_mozilla_tmpfs_t }; userdom_user_tmpfs_file(mozilla_tmpfs_t) @@ -37434,7 +37482,7 @@ index 6a306ee..3ac5d92 100644 ######################################## # # Local policy -@@ -75,27 +79,30 @@ optional_policy(` +@@ -75,27 +86,30 @@ optional_policy(` allow mozilla_t self:capability { sys_nice setgid setuid }; allow mozilla_t self:process { sigkill signal setsched getsched setrlimit }; allow mozilla_t self:fifo_file rw_fifo_file_perms; 
@@ -37478,7 +37526,7 @@ index 6a306ee..3ac5d92 100644 manage_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t) manage_lnk_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t) -@@ -103,76 +110,69 @@ manage_fifo_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t) +@@ -103,76 +117,69 @@ manage_fifo_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t) manage_sock_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t) fs_tmpfs_filetrans(mozilla_t, mozilla_tmpfs_t, { file lnk_file sock_file fifo_file }) @@ -37586,7 +37634,7 @@ index 6a306ee..3ac5d92 100644 term_dontaudit_getattr_pty_dirs(mozilla_t) -@@ -181,56 +181,73 @@ auth_use_nsswitch(mozilla_t) +@@ -181,56 +188,73 @@ auth_use_nsswitch(mozilla_t) logging_send_syslog_msg(mozilla_t) miscfiles_read_fonts(mozilla_t) @@ -37594,15 +37642,15 @@ index 6a306ee..3ac5d92 100644 miscfiles_dontaudit_setattr_fonts_dirs(mozilla_t) -userdom_use_user_ptys(mozilla_t) -- ++userdom_use_inherited_user_ptys(mozilla_t) + -userdom_manage_user_tmp_dirs(mozilla_t) -userdom_manage_user_tmp_files(mozilla_t) - -userdom_manage_user_home_content_dirs(mozilla_t) -userdom_manage_user_home_content_files(mozilla_t) -userdom_user_home_dir_filetrans_user_home_content(mozilla_t, { dir file }) -+userdom_use_inherited_user_ptys(mozilla_t) - +- -userdom_write_user_tmp_sockets(mozilla_t) - -mozilla_run_plugin(mozilla_t, mozilla_roles) @@ -37697,7 +37745,7 @@ index 6a306ee..3ac5d92 100644 ') optional_policy(` -@@ -244,19 +261,12 @@ optional_policy(` +@@ -244,19 +268,12 @@ optional_policy(` optional_policy(` cups_read_rw_config(mozilla_t) @@ -37719,7 +37767,7 @@ index 6a306ee..3ac5d92 100644 optional_policy(` networkmanager_dbus_chat(mozilla_t) -@@ -265,33 +275,32 @@ optional_policy(` +@@ -265,33 +282,32 @@ optional_policy(` optional_policy(` gnome_stream_connect_gconf(mozilla_t) 
@@ -37732,34 +37780,34 @@ index 6a306ee..3ac5d92 100644 - gnome_home_filetrans_gnome_home(mozilla_t, dir, ".gnome2_private") + gnome_manage_config(mozilla_t) + gnome_manage_gconf_home_files(mozilla_t) -+') -+ -+optional_policy(` -+ java_domtrans(mozilla_t) ') optional_policy(` - java_exec(mozilla_t) - java_manage_generic_home_content(mozilla_t) - java_home_filetrans_java_home(mozilla_t, dir, ".java") -+ lpd_domtrans_lpr(mozilla_t) ++ java_domtrans(mozilla_t) ') optional_policy(` - lpd_run_lpr(mozilla_t, mozilla_roles) -+ mplayer_domtrans(mozilla_t) -+ mplayer_read_user_home_files(mozilla_t) ++ lpd_domtrans_lpr(mozilla_t) ') optional_policy(` - mplayer_exec(mozilla_t) - mplayer_manage_generic_home_content(mozilla_t) - mplayer_home_filetrans_mplayer_home(mozilla_t, dir, ".mplayer") -+ nscd_socket_use(mozilla_t) ++ mplayer_domtrans(mozilla_t) ++ mplayer_read_user_home_files(mozilla_t) ') optional_policy(` - pulseaudio_run(mozilla_t, mozilla_roles) ++ nscd_socket_use(mozilla_t) ++') ++ ++optional_policy(` + #pulseaudio_role(mozilla_roles, mozilla_t) + pulseaudio_exec(mozilla_t) + pulseaudio_stream_connect(mozilla_t) @@ -37767,7 +37815,7 @@ index 6a306ee..3ac5d92 100644 ') optional_policy(` -@@ -300,221 +309,174 @@ optional_policy(` +@@ -300,221 +316,174 @@ optional_policy(` ######################################## # 
@@ -37849,12 +37897,12 @@ index 6a306ee..3ac5d92 100644 allow mozilla_plugin_t mozilla_plugin_rw_t:dir list_dir_perms; -allow mozilla_plugin_t mozilla_plugin_rw_t:file read_file_perms; -allow mozilla_plugin_t mozilla_plugin_rw_t:lnk_file read_lnk_file_perms; -- --dgram_send_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_t) --stream_connect_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_t) +read_lnk_files_pattern(mozilla_plugin_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t) +read_files_pattern(mozilla_plugin_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t) +-dgram_send_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_t) +-stream_connect_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_t) +- -can_exec(mozilla_plugin_t, { mozilla_exec_t mozilla_plugin_home_t mozilla_plugin_tmp_t }) +can_exec(mozilla_plugin_t, mozilla_exec_t) @@ -38084,7 +38132,7 @@ index 6a306ee..3ac5d92 100644 ') optional_policy(` -@@ -523,36 +485,47 @@ optional_policy(` +@@ -523,36 +492,47 @@ optional_policy(` ') optional_policy(` @@ -38145,7 +38193,7 @@ index 6a306ee..3ac5d92 100644 ') optional_policy(` -@@ -560,7 +533,7 @@ optional_policy(` +@@ -560,7 +540,7 @@ optional_policy(` ') optional_policy(` @@ -38154,7 +38202,7 @@ index 6a306ee..3ac5d92 100644 ') optional_policy(` -@@ -568,108 +541,109 @@ optional_policy(` +@@ -568,108 +548,113 @@ optional_policy(` ') optional_policy(` @@ -38310,13 +38358,10 @@ index 6a306ee..3ac5d92 100644 -optional_policy(` - automount_dontaudit_getattr_tmp_dirs(mozilla_plugin_config_t) --') +#tunable_policy(`mozilla_plugin_enable_homedirs',` +# userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_home_t, { dir file }) +#', ` - --optional_policy(` -- xserver_use_user_fonts(mozilla_plugin_config_t) ++ + #userdom_user_home_dir_filetrans_pattern(mozilla_plugin_t, file) + #userdom_user_home_dir_filetrans_pattern(mozilla_plugin_t, dir) +#') 
@@ -38324,6 +38369,12 @@ index 6a306ee..3ac5d92 100644 +tunable_policy(`selinuxuser_execmod',` + userdom_execmod_user_home_files(mozilla_plugin_t) ') + +-optional_policy(` +- xserver_use_user_fonts(mozilla_plugin_config_t) ++tunable_policy(`mozilla_plugin_use_spice',` ++ dev_rw_generic_usb_dev(mozilla_plugin_t) + ') diff --git a/mpd.fc b/mpd.fc index 313ce52..6aa46d2 100644 --- a/mpd.fc @@ -42355,7 +42406,7 @@ index 0641e97..d7d9a79 100644 + admin_pattern($1, nrpe_etc_t) ') diff --git a/nagios.te b/nagios.te -index 44ad3b7..5ba0194 100644 +index 44ad3b7..d731adf 100644 --- a/nagios.te +++ b/nagios.te @@ -27,7 +27,7 @@ type nagios_var_run_t; @@ -42505,7 +42556,15 @@ index 44ad3b7..5ba0194 100644 corecmd_exec_bin(nagios_services_plugin_t) -@@ -411,6 +411,7 @@ manage_files_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_ +@@ -391,6 +391,7 @@ optional_policy(` + + optional_policy(` + mysql_stream_connect(nagios_services_plugin_t) ++ mysql_read_config(nagios_services_plugin_t) + ') + + optional_policy(` +@@ -411,6 +412,7 @@ manage_files_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_ manage_dirs_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_system_plugin_tmp_t) files_tmp_filetrans(nagios_system_plugin_t, nagios_system_plugin_tmp_t, { dir file }) @@ -42513,7 +42572,7 @@ index 44ad3b7..5ba0194 100644 kernel_read_kernel_sysctls(nagios_system_plugin_t) corecmd_exec_bin(nagios_system_plugin_t) -@@ -420,10 +421,10 @@ dev_read_sysfs(nagios_system_plugin_t) +@@ -420,10 +422,10 @@ dev_read_sysfs(nagios_system_plugin_t) domain_read_all_domains_state(nagios_system_plugin_t) @@ -42526,7 +42585,7 @@ index 44ad3b7..5ba0194 100644 optional_policy(` init_read_utmp(nagios_system_plugin_t) ') -@@ -442,6 +443,14 @@ corecmd_exec_shell(nagios_eventhandler_plugin_t) +@@ -442,6 +444,14 @@ corecmd_exec_shell(nagios_eventhandler_plugin_t) init_domtrans_script(nagios_eventhandler_plugin_t) 
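Review bot: The new `tunable_policy(`mozilla_plugin_use_spice',` block grants `dev_rw_generic_usb_dev(mozilla_plugin_t)`, i.e. read/write on every generic USB device node, which is far broader than the boolean's description ("support spice protocols") conveys — an exploited plugin could then drive any attached USB device, not only the one being redirected. The tunable description added earlier in this patch should state plainly that it enables raw access to all generic USB devices, and if USB redirection only needs particular nodes a narrower device type would be preferable.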
@@ -42541,7 +42600,7 @@ index 44ad3b7..5ba0194 100644 ######################################## # # Unconfined plugin policy -@@ -450,3 +459,6 @@ init_domtrans_script(nagios_eventhandler_plugin_t) +@@ -450,3 +460,6 @@ init_domtrans_script(nagios_eventhandler_plugin_t) optional_policy(` unconfined_domain(nagios_unconfined_plugin_t) ') @@ -50676,28 +50735,59 @@ index dfd46e4..9515043 100644 /usr/share/Pegasus/mof(/.*)?/.*\.mof gen_context(system_u:object_r:pegasus_mof_t,s0) diff --git a/pegasus.if b/pegasus.if -index d2fc677..22b745a 100644 +index d2fc677..ded726f 100644 --- a/pegasus.if +++ b/pegasus.if -@@ -1,52 +1,37 @@ +@@ -1,52 +1,59 @@ ## The Open Group Pegasus CIM/WBEM Server. --######################################## +###################################### - ## --## All of the rules required to --## administrate an pegasus environment. ++## +## Creates types and rules for a basic +## openlmi init daemon domain. - ## --## --## --## Domain allowed access. --## ++## +## +## +## Prefix for the domain. +## ++## ++# ++template(`pegasus_openlmi_domain_template',` ++ gen_require(` ++ attribute pegasus_openlmi_domain; ++ type pegasus_t; ++ ') ++ ++ ############################## ++ # ++ # Declarations ++ # ++ ++ type pegasus_openlmi_$1_t, pegasus_openlmi_domain; ++ type pegasus_openlmi_$1_exec_t; ++ init_daemon_domain(pegasus_openlmi_$1_t, pegasus_openlmi_$1_exec_t) ++ ++ ############################## ++ # ++ # Local policy ++ # ++ ++ domtrans_pattern(pegasus_t, pegasus_openlmi_$1_exec_t, pegasus_openlmi_$1_t) ++ ++ kernel_read_system_state(pegasus_openlmi_$1_t) ++ logging_send_syslog_msg(pegasus_openlmi_$1_t) ++') ++ + ######################################## + ## +-## All of the rules required to +-## administrate an pegasus environment. ++## Connect to pegasus over a unix stream socket. + ## + ## + ## + ## Domain allowed access. + ## ## -## -## 
@@ -50707,12 +50797,14 @@ index d2fc677..22b745a 100644 -## # -interface(`pegasus_admin',` -- gen_require(` ++interface(`pegasus_stream_connect',` + gen_require(` - type pegasus_t, pegasus_initrc_exec_t, pegasus_tmp_t; - type pegasus_cache_t, pegasus_data_t, pegasus_conf_t; - type pegasus_mof_t, pegasus_var_run_t; -- ') -- ++ type pegasus_t, pegasus_var_run_t, pegasus_tmp_t; + ') + - allow $1 pegasus_t:process { ptrace signal_perms }; - ps_process_pattern($1, pegasus_t) - @@ -50736,34 +50828,14 @@ index d2fc677..22b745a 100644 - files_search_var_lib($1) - admin_pattern($1, pegasus_data_t) - -- files_search_pids($1) + files_search_pids($1) - admin_pattern($1, pegasus_var_run_t) -+template(`pegasus_openlmi_domain_template',` -+ gen_require(` -+ attribute pegasus_openlmi_domain; -+ ') -+ -+ ############################## -+ # -+ # Declarations -+ # -+ -+ type pegasus_openlmi_$1_t, pegasus_openlmi_domain; -+ type $1_exec_t; -+ init_daemon_domain(pegasus_openlmi_$1_t, pegasus_openlmi_$1_exec_t) -+ -+ ############################## -+ # -+ # Local policy -+ # -+ -+ domtrans_pattern(pegasus_t, pegasus_openlmi_$1_exec_t, pegasus_openlmi_$1_t) -+ -+ kernel_read_system_state(pegasus_openlmi_$1_t) -+ logging_send_syslog_msg(pegasus_openlmi_$1_t) ++ stream_connect_pattern($1, pegasus_var_run_t, pegasus_var_run_t, pegasus_t) ++ stream_connect_pattern($1, pegasus_tmp_t, pegasus_tmp_t, pegasus_t) ') ++ diff --git a/pegasus.te b/pegasus.te -index 7bcf327..36032a6 100644 +index 7bcf327..832de74 100644 --- a/pegasus.te +++ b/pegasus.te @@ -1,17 +1,16 @@ 
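Review bot: pegasus_stream_connect connects to sockets in both pegasus_var_run_t and pegasus_tmp_t but only adds `files_search_pids($1)`, so a caller that cannot already search tmp_t will be unable to reach the pegasus_tmp_t socket. Add `files_search_tmp($1)` beside the existing search rule. The interface summary could also name the two socket locations it covers, e.g. `## Connect to pegasus over a unix stream socket in its pid or tmp directory.`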
@@ -50787,22 +50859,62 @@ index 7bcf327..36032a6 100644 type pegasus_cache_t; files_type(pegasus_cache_t) -@@ -30,20 +29,33 @@ files_type(pegasus_mof_t) +@@ -30,20 +29,73 @@ files_type(pegasus_mof_t) type pegasus_var_run_t; files_pid_file(pegasus_var_run_t) +# pegasus openlmi providers -+#pegasus_openlmi_domain_template(account) ++pegasus_openlmi_domain_template(account) + +####################################### +# +# pegasus openlmi providers local policy +# + ++allow pegasus_openlmi_domain self:fifo_file rw_fifo_file_perms; ++ ++list_dirs_pattern(pegasus_openlmi_domain, pegasus_data_t, pegasus_data_t) ++read_files_pattern(pegasus_openlmi_domain, pegasus_data_t, pegasus_data_t) ++ +corecmd_exec_bin(pegasus_openlmi_domain) + +sysnet_read_config(pegasus_openlmi_domain) + ++optional_policy(` ++ pegasus_stream_connect(pegasus_openlmi_domain) ++') ++ ++###################################### ++# ++# pegasus openlmi account local policy ++# ++ ++allow pegasus_openlmi_account_t self:capability { setuid chown setgid dac_override }; ++allow pegasus_openlmi_account_t self:process setfscreate; ++ ++auth_manage_passwd(pegasus_openlmi_account_t) ++auth_manage_shadow(pegasus_openlmi_account_t) ++auth_relabel_shadow(pegasus_openlmi_account_t) ++auth_etc_filetrans_shadow(pegasus_openlmi_account_t) ++ ++init_rw_utmp(pegasus_openlmi_account_t) ++ ++logging_send_syslog_msg(pegasus_openlmi_account_t) ++ ++seutil_read_config(pegasus_openlmi_account_t) ++seutil_read_file_contexts(pegasus_openlmi_account_t) ++seutil_read_default_contexts(pegasus_openlmi_account_t) ++ ++# Add/remove user home directories ++userdom_home_filetrans_user_home_dir(pegasus_openlmi_account_t) ++userdom_manage_home_role(system_r, pegasus_openlmi_account_t) ++userdom_delete_all_user_home_content(pegasus_openlmi_account_t) ++ ++optional_policy(` ++ # run userdel ++ usermanage_domtrans_useradd(pegasus_openlmi_account_t) ++') ++ ######################################## # -# Local policy 
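Review bot: The comment `# run userdel` above `usermanage_domtrans_useradd(pegasus_openlmi_account_t)` does not match the interface it annotates; in refpolicy useradd, userdel and usermod all carry useradd_exec_t, so `# useradd/userdel/usermod share useradd_exec_t; transition to useradd_t` would stop a reader from thinking the rule is narrower than it is. The account provider domain is reached by domtrans from pegasus_t and combines `auth_manage_shadow`, `auth_relabel_shadow`, `setfscreate` and `userdom_delete_all_user_home_content`, so the block header should say that anyone authorised to the CIM server effectively gets full local account control; that is a property worth auditing, not an incidental allow. Having both direct shadow management and a transition to useradd_t suggests one of the two paths may be more than the provider uses — worth confirming against the provider's actual behaviour before shipping both.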
@@ -50825,7 +50937,7 @@ index 7bcf327..36032a6 100644 allow pegasus_t pegasus_conf_t:lnk_file read_lnk_file_perms; manage_dirs_pattern(pegasus_t, pegasus_cache_t, pegasus_cache_t) -@@ -54,22 +66,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file }) +@@ -54,22 +106,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file }) manage_dirs_pattern(pegasus_t, pegasus_data_t, pegasus_data_t) manage_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t) manage_lnk_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t) @@ -50856,7 +50968,7 @@ index 7bcf327..36032a6 100644 kernel_read_network_state(pegasus_t) kernel_read_kernel_sysctls(pegasus_t) -@@ -80,27 +92,21 @@ kernel_read_net_sysctls(pegasus_t) +@@ -80,27 +132,21 @@ kernel_read_net_sysctls(pegasus_t) kernel_read_xen_state(pegasus_t) kernel_write_xen_state(pegasus_t) @@ -50889,7 +51001,7 @@ index 7bcf327..36032a6 100644 corecmd_exec_bin(pegasus_t) corecmd_exec_shell(pegasus_t) -@@ -114,6 +120,7 @@ files_getattr_all_dirs(pegasus_t) +@@ -114,6 +160,7 @@ files_getattr_all_dirs(pegasus_t) auth_use_nsswitch(pegasus_t) auth_domtrans_chk_passwd(pegasus_t) @@ -50897,7 +51009,7 @@ index 7bcf327..36032a6 100644 domain_use_interactive_fds(pegasus_t) domain_read_all_domains_state(pegasus_t) -@@ -128,18 +135,25 @@ init_stream_connect_script(pegasus_t) +@@ -128,18 +175,25 @@ init_stream_connect_script(pegasus_t) logging_send_audit_msgs(pegasus_t) logging_send_syslog_msg(pegasus_t) @@ -50929,7 +51041,7 @@ index 7bcf327..36032a6 100644 ') optional_policy(` -@@ -151,16 +165,19 @@ optional_policy(` +@@ -151,16 +205,19 @@ optional_policy(` ') optional_policy(` @@ -50953,7 +51065,7 @@ index 7bcf327..36032a6 100644 ') optional_policy(` -@@ -168,7 +185,7 @@ optional_policy(` +@@ -168,7 +225,7 @@ optional_policy(` ') optional_policy(` @@ -53264,7 +53376,7 @@ index 032a84d..be00a65 100644 + allow $1 policykit_auth_t:process signal; ') 
diff --git a/policykit.te b/policykit.te -index 49694e8..3ad3019 100644 +index 49694e8..12483ae 100644 --- a/policykit.te +++ b/policykit.te @@ -1,4 +1,4 @@ @@ -53296,7 +53408,7 @@ index 49694e8..3ad3019 100644 type policykit_resolve_t, policykit_domain; type policykit_resolve_exec_t; -@@ -42,63 +37,64 @@ files_pid_file(policykit_var_run_t) +@@ -42,63 +37,65 @@ files_pid_file(policykit_var_run_t) ####################################### # @@ -53363,6 +53475,7 @@ index 49694e8..3ad3019 100644 +fs_getattr_all_fs(policykit_t) fs_list_inotifyfs(policykit_t) ++fs_list_cgroup_dirs(policykit_t) auth_use_nsswitch(policykit_t) @@ -53380,7 +53493,7 @@ index 49694e8..3ad3019 100644 optional_policy(` consolekit_dbus_chat(policykit_t) ') -@@ -109,29 +105,43 @@ optional_policy(` +@@ -109,29 +106,43 @@ optional_policy(` ') optional_policy(` @@ -53432,7 +53545,7 @@ index 49694e8..3ad3019 100644 rw_files_pattern(policykit_auth_t, policykit_reload_t, policykit_reload_t) -@@ -145,9 +155,6 @@ manage_dirs_pattern(policykit_auth_t, policykit_var_run_t, policykit_var_run_t) +@@ -145,9 +156,6 @@ manage_dirs_pattern(policykit_auth_t, policykit_var_run_t, policykit_var_run_t) manage_files_pattern(policykit_auth_t, policykit_var_run_t, policykit_var_run_t) files_pid_filetrans(policykit_auth_t, policykit_var_run_t, { file dir }) @@ -53442,7 +53555,7 @@ index 49694e8..3ad3019 100644 kernel_dontaudit_search_kernel_sysctl(policykit_auth_t) dev_read_video_dev(policykit_auth_t) -@@ -157,53 +164,64 @@ files_search_home(policykit_auth_t) +@@ -157,53 +165,64 @@ files_search_home(policykit_auth_t) fs_getattr_all_fs(policykit_auth_t) fs_search_tmpfs(policykit_auth_t) 
@@ -53517,7 +53630,7 @@ index 49694e8..3ad3019 100644 rw_files_pattern(policykit_grant_t, policykit_reload_t, policykit_reload_t) -@@ -211,23 +229,20 @@ manage_files_pattern(policykit_grant_t, policykit_var_run_t, policykit_var_run_t +@@ -211,23 +230,20 @@ manage_files_pattern(policykit_grant_t, policykit_var_run_t, policykit_var_run_t manage_files_pattern(policykit_grant_t, policykit_var_lib_t, policykit_var_lib_t) @@ -53544,7 +53657,7 @@ index 49694e8..3ad3019 100644 optional_policy(` consolekit_dbus_chat(policykit_grant_t) ') -@@ -235,26 +250,28 @@ optional_policy(` +@@ -235,26 +251,28 @@ optional_policy(` ######################################## # @@ -53579,7 +53692,7 @@ index 49694e8..3ad3019 100644 userdom_read_all_users_state(policykit_resolve_t) optional_policy(` -@@ -266,6 +283,7 @@ optional_policy(` +@@ -266,6 +284,7 @@ optional_policy(` ') optional_policy(` @@ -55203,7 +55316,7 @@ index 2e23946..589bbf2 100644 + postfix_config_filetrans($1, postfix_prng_t, file, "prng_exch") ') diff --git a/postfix.te b/postfix.te -index 191a66f..a9c1d4b 100644 +index 191a66f..e9e96bd 100644 --- a/postfix.te +++ b/postfix.te @@ -1,4 +1,4 @@ @@ -55297,9 +55410,8 @@ index 191a66f..a9c1d4b 100644 ######################################## # -# Common postfix domain local policy -+# Postfix master process local policy - # - +-# +- -allow postfix_domain self:capability { sys_nice sys_chroot }; -dontaudit postfix_domain self:capability sys_tty_config; -allow postfix_domain self:process { signal_perms setpgid setsched }; @@ -55387,8 +55499,9 @@ index 191a66f..a9c1d4b 100644 -######################################## -# -# Master local policy --# -- ++# Postfix master process local policy + # + -allow postfix_master_t self:capability { chown dac_override kill fowner setgid setuid sys_tty_config }; +# chown is to set the correct ownership of queue dirs +allow postfix_master_t self:capability { chown dac_override kill setgid setuid net_bind_service sys_tty_config }; 
@@ -55412,10 +55525,10 @@ index 191a66f..a9c1d4b 100644 -allow postfix_master_t postfix_map_exec_t:file { mmap_file_perms ioctl lock }; +allow postfix_master_t postfix_map_exec_t:file { mmap_file_perms lock }; -+ -+allow postfix_master_t postfix_postdrop_exec_t:file getattr_file_perms; -allow postfix_master_t { postfix_postdrop_exec_t postfix_postqueue_exec_t }:file getattr_file_perms; ++allow postfix_master_t postfix_postdrop_exec_t:file getattr_file_perms; ++ +allow postfix_master_t postfix_postqueue_exec_t:file getattr_file_perms; + +manage_fifo_files_pattern(postfix_master_t, postfix_private_t, postfix_private_t) @@ -55462,17 +55575,17 @@ index 191a66f..a9c1d4b 100644 +rw_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) setattr_dirs_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) -filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_spool_maildrop_t, dir, "maildrop") - +- -create_dirs_pattern(postfix_master_t, postfix_spool_t, postfix_var_run_t) -setattr_dirs_pattern(postfix_master_t, postfix_var_run_t, postfix_var_run_t) -filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_var_run_t, dir, "pid") -+kernel_read_all_sysctls(postfix_master_t) - --can_exec(postfix_master_t, postfix_exec_t) - +-can_exec(postfix_master_t, postfix_exec_t) + -domtrans_pattern(postfix_master_t, postfix_postqueue_exec_t, postfix_postqueue_t) -domtrans_pattern(postfix_master_t, postfix_showq_exec_t, postfix_showq_t) -- ++kernel_read_all_sysctls(postfix_master_t) + -corenet_all_recvfrom_unlabeled(postfix_master_t) corenet_all_recvfrom_netlabel(postfix_master_t) corenet_tcp_sendrecv_generic_if(postfix_master_t) @@ -55875,7 +55988,7 @@ index 191a66f..a9c1d4b 100644 init_sigchld_script(postfix_postqueue_t) init_use_script_fds(postfix_postqueue_t) -@@ -647,67 +577,78 @@ optional_policy(` +@@ -647,67 +577,77 @@ optional_policy(` ######################################## # 
@@ -55921,12 +56034,11 @@ index 191a66f..a9c1d4b 100644 +allow postfix_showq_t self:tcp_socket create_socket_perms; allow postfix_showq_t postfix_master_t:unix_stream_socket { accept rw_socket_perms }; -+rw_files_pattern(postfix_showq_t, postfix_var_run_t, postfix_var_run_t) -+ + +allow postfix_showq_t postfix_spool_t:file read_file_perms; + +postfix_list_spool(postfix_showq_t) - ++ allow postfix_showq_t postfix_spool_maildrop_t:dir list_dir_perms; allow postfix_showq_t postfix_spool_maildrop_t:file read_file_perms; allow postfix_showq_t postfix_spool_maildrop_t:lnk_file read_lnk_file_perms; @@ -55972,7 +56084,7 @@ index 191a66f..a9c1d4b 100644 ') optional_policy(` -@@ -720,24 +661,27 @@ optional_policy(` +@@ -720,24 +660,27 @@ optional_policy(` ######################################## # @@ -56006,7 +56118,7 @@ index 191a66f..a9c1d4b 100644 fs_getattr_all_dirs(postfix_smtpd_t) fs_getattr_all_fs(postfix_smtpd_t) -@@ -754,6 +698,7 @@ optional_policy(` +@@ -754,6 +697,7 @@ optional_policy(` optional_policy(` milter_stream_connect_all(postfix_smtpd_t) @@ -56014,7 +56126,7 @@ index 191a66f..a9c1d4b 100644 ') optional_policy(` -@@ -764,31 +709,99 @@ optional_policy(` +@@ -764,31 +708,99 @@ optional_policy(` sasl_connect(postfix_smtpd_t) ') @@ -56081,7 +56193,7 @@ index 191a66f..a9c1d4b 100644 + +allow postfix_domain postfix_spool_t:dir list_dir_perms; + -+manage_files_pattern(postfix_t, postfix_var_run_t, postfix_var_run_t) ++manage_files_pattern(postfix_domain, postfix_var_run_t, postfix_var_run_t) +files_pid_filetrans(postfix_domain, postfix_var_run_t, file) + +kernel_read_network_state(postfix_domain) @@ -68023,7 +68135,7 @@ index 3bd6446..a61764b 100644 + allow $1 var_lib_nfs_t:file relabel_file_perms; ') diff --git a/rpc.te b/rpc.te -index e5212e6..427ea8c 100644 +index e5212e6..ede6c81 100644 --- a/rpc.te +++ b/rpc.te @@ -1,4 +1,4 @@ 
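Review bot: In the last hunk on this line the subject of `manage_files_pattern` changes from `postfix_t` to the whole `postfix_domain` attribute, so every member — presumably including the network-facing postfix_smtpd_t and the setgid postdrop/postqueue helpers — may now create, write and delete files in postfix_var_run_t, whereas the `files_pid_filetrans(postfix_domain, ...)` below it only needs the attribute for the name transition. An earlier hunk on this line removes `rw_files_pattern(postfix_showq_t, postfix_var_run_t, postfix_var_run_t)`; if showq carries postfix_domain that removal is undone and exceeded by the new rule. If the old `postfix_t` was a typo for the master process, the narrower fix is `manage_files_pattern(postfix_master_t, postfix_var_run_t, postfix_var_run_t)`. The enclosing postfix_domain block continues outside the hunk.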
@@ -68234,7 +68346,7 @@ index e5212e6..427ea8c 100644 ') ######################################## -@@ -195,41 +141,54 @@ optional_policy(` +@@ -195,41 +141,55 @@ optional_policy(` # allow nfsd_t self:capability { dac_override dac_read_search sys_admin sys_resource }; @@ -68259,9 +68371,10 @@ index e5212e6..427ea8c 100644 +corenet_udp_bind_all_rpc_ports(nfsd_t) corenet_tcp_bind_nfs_port(nfsd_t) corenet_udp_bind_nfs_port(nfsd_t) - --corecmd_exec_shell(nfsd_t) - +-corecmd_exec_shell(nfsd_t) ++corenet_udp_bind_mountd_port(nfsd_t) + dev_dontaudit_getattr_all_blk_files(nfsd_t) dev_dontaudit_getattr_all_chr_files(nfsd_t) dev_rw_lvm_control(nfsd_t) @@ -68296,7 +68409,7 @@ index e5212e6..427ea8c 100644 miscfiles_manage_public_files(nfsd_t) ') -@@ -238,7 +197,6 @@ tunable_policy(`nfs_export_all_rw',` +@@ -238,7 +198,6 @@ tunable_policy(`nfs_export_all_rw',` dev_getattr_all_chr_files(nfsd_t) fs_read_noxattr_fs_files(nfsd_t) @@ -68304,7 +68417,7 @@ index e5212e6..427ea8c 100644 ') tunable_policy(`nfs_export_all_ro',` -@@ -250,12 +208,12 @@ tunable_policy(`nfs_export_all_ro',` +@@ -250,12 +209,12 @@ tunable_policy(`nfs_export_all_ro',` fs_read_noxattr_fs_files(nfsd_t) @@ -68319,7 +68432,7 @@ index e5212e6..427ea8c 100644 ') ######################################## -@@ -271,6 +229,7 @@ manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t) +@@ -271,6 +230,7 @@ manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t) manage_files_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t) files_tmp_filetrans(gssd_t, gssd_tmp_t, { file dir }) @@ -68327,7 +68440,7 @@ index e5212e6..427ea8c 100644 kernel_read_network_state(gssd_t) kernel_read_network_state_symlinks(gssd_t) kernel_request_load_module(gssd_t) -@@ -279,25 +238,29 @@ kernel_signal(gssd_t) +@@ -279,25 +239,29 @@ kernel_signal(gssd_t) corecmd_exec_bin(gssd_t) 
@@ -68360,7 +68473,7 @@ index e5212e6..427ea8c 100644 ') optional_policy(` -@@ -306,8 +269,7 @@ optional_policy(` +@@ -306,8 +270,7 @@ optional_policy(` optional_policy(` kerberos_keytab_template(gssd, gssd_t) @@ -79810,10 +79923,10 @@ index 9992e62..47f1802 100644 + allow stunnel_t stunnel_port_t:tcp_socket name_bind; diff --git a/svnserve.fc b/svnserve.fc -index effffd0..5ab0840 100644 +index effffd0..12ca090 100644 --- a/svnserve.fc +++ b/svnserve.fc -@@ -1,8 +1,12 @@ +@@ -1,8 +1,13 @@ -/etc/rc\.d/init\.d/svnserve -- gen_context(system_u:object_r:svnserve_initrc_exec_t,s0) +/etc/rc.d/init.d/svnserve -- gen_context(system_u:object_r:svnserve_initrc_exec_t,s0) @@ -79829,6 +79942,7 @@ index effffd0..5ab0840 100644 +/var/run/svnserve(/.*)? gen_context(system_u:object_r:svnserve_var_run_t,s0) +/var/run/svnserve.pid -- gen_context(system_u:object_r:svnserve_var_run_t,s0) + ++/var/svn(/.*)? gen_context(system_u:object_r:svnserve_content_t,s0) +/var/subversion/repo(/.*)? gen_context(system_u:object_r:svnserve_content_t,s0) +/var/lib/subversion/repo(/.*)? gen_context(system_u:object_r:svnserve_content_t,s0) diff --git a/svnserve.if b/svnserve.if @@ -79968,10 +80082,10 @@ index 2ac91b6..dd2ac36 100644 ') + diff --git a/svnserve.te b/svnserve.te -index c6aaac7..dc3f167 100644 +index c6aaac7..a5600a8 100644 --- a/svnserve.te +++ b/svnserve.te -@@ -12,6 +12,9 @@ init_daemon_domain(svnserve_t, svnserve_exec_t) +@@ -12,12 +12,18 @@ init_daemon_domain(svnserve_t, svnserve_exec_t) type svnserve_initrc_exec_t; init_script_file(svnserve_initrc_exec_t) 
@@ -79981,7 +80095,28 @@ index c6aaac7..dc3f167 100644 type svnserve_content_t; files_type(svnserve_content_t) -@@ -34,9 +37,6 @@ manage_dirs_pattern(svnserve_t, svnserve_var_run_t, svnserve_var_run_t) + type svnserve_var_run_t; + files_pid_file(svnserve_var_run_t) + ++type svnserve_tmp_t; ++files_tmp_file(svnserve_tmp_t) ++ + ######################################## + # + # Local policy +@@ -27,6 +33,11 @@ allow svnserve_t self:fifo_file rw_fifo_file_perms; + allow svnserve_t self:tcp_socket create_stream_socket_perms; + allow svnserve_t self:unix_stream_socket { listen accept }; + ++manage_dirs_pattern(svnserve_t, svnserve_tmp_t, svnserve_tmp_t) ++manage_files_pattern(svnserve_t, svnserve_tmp_t, svnserve_tmp_t) ++manage_lnk_files_pattern(svnserve_t, svnserve_tmp_t, svnserve_tmp_t) ++files_tmp_filetrans(svnserve_t, svnserve_tmp_t, { file dir }) ++ + manage_dirs_pattern(svnserve_t, svnserve_content_t, svnserve_content_t) + manage_files_pattern(svnserve_t, svnserve_content_t, svnserve_content_t) + +@@ -34,9 +45,6 @@ manage_dirs_pattern(svnserve_t, svnserve_var_run_t, svnserve_var_run_t) manage_files_pattern(svnserve_t, svnserve_var_run_t, svnserve_var_run_t) files_pid_filetrans(svnserve_t, svnserve_var_run_t, { dir file }) @@ -79991,7 +80126,7 @@ index c6aaac7..dc3f167 100644 corenet_all_recvfrom_unlabeled(svnserve_t) corenet_all_recvfrom_netlabel(svnserve_t) corenet_tcp_sendrecv_generic_if(svnserve_t) -@@ -54,6 +54,4 @@ corenet_udp_sendrecv_svn_port(svnserve_t) +@@ -54,6 +62,4 @@ corenet_udp_sendrecv_svn_port(svnserve_t) logging_send_syslog_msg(svnserve_t) @@ -85244,7 +85379,7 @@ index c30da4c..d60e3e4 100644 +/var/run/qga\.state -- gen_context(system_u:object_r:virt_qemu_ga_var_run_t,s0) +/var/log/qemu-ga\.log -- gen_context(system_u:object_r:virt_qemu_ga_log_t,s0) diff --git a/virt.if b/virt.if -index 9dec06c..6e25af1 100644 +index 9dec06c..7877729 100644 --- a/virt.if +++ b/virt.if @@ -1,120 +1,51 @@ 
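Review bot: svnserve_t is given `manage_lnk_files_pattern` on svnserve_tmp_t, but the `files_tmp_filetrans(svnserve_t, svnserve_tmp_t, { file dir })` that follows does not list lnk_file, so any symlink svnserve created in /tmp would land in generic tmp_t and the lnk_file rule would never apply. Either drop the lnk_file rule if svnserve does not create symlinks there, or make the transition consistent with it: `files_tmp_filetrans(svnserve_t, svnserve_tmp_t, { file dir lnk_file })`. A one-line comment naming what svnserve writes to /tmp would make that choice reviewable.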
@@ -85386,38 +85521,19 @@ index 9dec06c..6e25af1 100644 ## ## # -@@ -125,51 +56,32 @@ interface(`virt_image',` +@@ -125,31 +56,32 @@ interface(`virt_image',` typeattribute $1 virt_image_type; files_type($1) -- dev_node($1) --') -- --######################################## --## --## Execute a domain transition to run virtd. --## --## --## --## Domain allowed to transition. --## --## --# --interface(`virt_domtrans',` -- gen_require(` -- type virtd_t, virtd_exec_t; -- ') - -- corecmd_search_bin($1) -- domtrans_pattern($1, virtd_exec_t, virtd_t) ++ + # virt images can be assigned to blk devices -+ dev_node($1) + dev_node($1) ') -######################################## +####################################### ## --## Execute a domain transition to run virt qmf. +-## Execute a domain transition to run virtd. +## Getattr on virt executable. ## ## @@ -85429,9 +85545,9 @@ index 9dec06c..6e25af1 100644 +##
    ## # --interface(`virt_domtrans_qmf',` +-interface(`virt_domtrans',` - gen_require(` -- type virt_qmf_t, virt_qmf_exec_t; +- type virtd_t, virtd_exec_t; - ') +interface(`virt_getattr_exec',` + gen_require(` @@ -85439,32 +85555,56 @@ index 9dec06c..6e25af1 100644 + ') - corecmd_search_bin($1) -- domtrans_pattern($1, virt_qmf_exec_t, virt_qmf_t) +- domtrans_pattern($1, virtd_exec_t, virtd_t) + allow $1 virtd_exec_t:file getattr; ') ######################################## ## +-## Execute a domain transition to run virt qmf. ++## Execute a domain transition to run virt. + ## + ## + ## +@@ -157,162 +89,71 @@ interface(`virt_domtrans',` + ## + ## + # +-interface(`virt_domtrans_qmf',` ++interface(`virt_domtrans',` + gen_require(` +- type virt_qmf_t, virt_qmf_exec_t; ++ type virtd_t, virtd_exec_t; + ') + +- corecmd_search_bin($1) +- domtrans_pattern($1, virt_qmf_exec_t, virt_qmf_t) ++ domtrans_pattern($1, virtd_exec_t, virtd_t) + ') + + ######################################## + ## -## Execute a domain transition to -## run virt bridgehelper. -+## Execute a domain transition to run virt. ++## Execute virtd in the caller domain. ## ## ## -@@ -177,142 +89,53 @@ interface(`virt_domtrans_qmf',` +-## Domain allowed to transition. ++## Domain allowed access. ## ## # -interface(`virt_domtrans_bridgehelper',` -+interface(`virt_domtrans',` ++interface(`virt_exec',` gen_require(` - type virt_bridgehelper_t, virt_bridgehelper_exec_t; -+ type virtd_t, virtd_exec_t; ++ type virtd_exec_t; ') - corecmd_search_bin($1) - domtrans_pattern($1, virt_bridgehelper_exec_t, virt_bridgehelper_t) -+ domtrans_pattern($1, virtd_exec_t, virtd_t) ++ can_exec($1, virtd_exec_t) ') ######################################## @@ -85608,7 +85748,7 @@ index 9dec06c..6e25af1 100644 ##
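Review bot: The new `virt_domtrans` keeps only `domtrans_pattern($1, virtd_exec_t, virtd_t)` and drops the `corecmd_search_bin($1)` that both the replaced virt_domtrans_qmf and the previous virt_domtrans (visible in the removed lines of the preceding hunk) carried, so a caller that cannot already search bin_t will not reach virtd_exec_t before the transition. Restore `corecmd_search_bin($1)` ahead of the domtrans_pattern call; the new `virt_exec` with `can_exec($1, virtd_exec_t)` has the same gap and could take the same line. The rest of virt.if's domtrans interfaces follow that convention.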
    ## ## -@@ -320,18 +143,18 @@ interface(`virt_run_svirt_lxc_domain',` +@@ -320,18 +161,18 @@ interface(`virt_run_svirt_lxc_domain',` ## ## # @@ -85632,7 +85772,7 @@ index 9dec06c..6e25af1 100644 ##
    ## ## -@@ -339,18 +162,17 @@ interface(`virt_getattr_virtd_exec_files',` +@@ -339,18 +180,17 @@ interface(`virt_getattr_virtd_exec_files',` ## ## # @@ -85655,7 +85795,7 @@ index 9dec06c..6e25af1 100644 ##
    ## ## -@@ -369,7 +191,7 @@ interface(`virt_attach_tun_iface',` +@@ -369,7 +209,7 @@ interface(`virt_attach_tun_iface',` ######################################## ## @@ -85664,7 +85804,7 @@ index 9dec06c..6e25af1 100644 ## ## ## -@@ -383,7 +205,6 @@ interface(`virt_read_config',` +@@ -383,7 +223,6 @@ interface(`virt_read_config',` ') files_search_etc($1) @@ -85672,7 +85812,7 @@ index 9dec06c..6e25af1 100644 read_files_pattern($1, virt_etc_t, virt_etc_t) read_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t) read_lnk_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t) -@@ -391,8 +212,7 @@ interface(`virt_read_config',` +@@ -391,8 +230,7 @@ interface(`virt_read_config',` ######################################## ## @@ -85682,7 +85822,7 @@ index 9dec06c..6e25af1 100644 ## ## ## -@@ -406,7 +226,6 @@ interface(`virt_manage_config',` +@@ -406,7 +244,6 @@ interface(`virt_manage_config',` ') files_search_etc($1) @@ -85690,7 +85830,7 @@ index 9dec06c..6e25af1 100644 manage_files_pattern($1, virt_etc_t, virt_etc_t) manage_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t) manage_lnk_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t) -@@ -414,8 +233,7 @@ interface(`virt_manage_config',` +@@ -414,8 +251,7 @@ interface(`virt_manage_config',` ######################################## ## @@ -85700,7 +85840,7 @@ index 9dec06c..6e25af1 100644 ## ## ## -@@ -450,8 +268,7 @@ interface(`virt_read_content',` +@@ -450,8 +286,7 @@ interface(`virt_read_content',` ######################################## ## @@ -85710,7 +85850,7 @@ index 9dec06c..6e25af1 100644 ## ## ## -@@ -459,35 +276,17 @@ interface(`virt_read_content',` +@@ -459,35 +294,17 @@ interface(`virt_read_content',` ## ## # @@ -85749,7 +85889,7 @@ index 9dec06c..6e25af1 100644 ## ## ## -@@ -495,53 +294,40 @@ interface(`virt_manage_virt_content',` +@@ -495,53 +312,40 @@ interface(`virt_manage_virt_content',` ## ## # 
@@ -85816,7 +85956,7 @@ index 9dec06c..6e25af1 100644 ## ## ## -@@ -549,67 +335,36 @@ interface(`virt_home_filetrans_virt_content',` +@@ -549,67 +353,36 @@ interface(`virt_home_filetrans_virt_content',` ## ## # @@ -85897,7 +86037,7 @@ index 9dec06c..6e25af1 100644 ## ## ## -@@ -618,54 +373,36 @@ interface(`virt_relabel_svirt_home_content',` +@@ -618,54 +391,36 @@ interface(`virt_relabel_svirt_home_content',` ## ## # @@ -85961,7 +86101,7 @@ index 9dec06c..6e25af1 100644 ## ## ## -@@ -673,54 +410,38 @@ interface(`virt_home_filetrans',` +@@ -673,54 +428,38 @@ interface(`virt_home_filetrans',` ## ## # @@ -86028,7 +86168,7 @@ index 9dec06c..6e25af1 100644 ## ## ## -@@ -728,52 +449,78 @@ interface(`virt_manage_generic_virt_home_content',` +@@ -728,52 +467,39 @@ interface(`virt_manage_generic_virt_home_content',` ## ## # 
@@ -86062,58 +86202,75 @@ index 9dec06c..6e25af1 100644 ## ## -## +-## +-## Class of the object being created. +-## +-## +-## +-## +-## The name of the object being created. +-## +-## +## -+# + # +-interface(`virt_home_filetrans_virt_home',` +interface(`virt_read_log',` -+ gen_require(` + gen_require(` +- type virt_home_t; + type virt_log_t; -+ ') -+ + ') + +- userdom_user_home_dir_filetrans($1, virt_home_t, $2, $3) + logging_search_logs($1) + read_files_pattern($1, virt_log_t, virt_log_t) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Read virt pid files. +## Allow the specified domain to append +## virt log files. -+## -+## + ## + ## ## --## Class of the object being created. -+## Domain allowed access. +@@ -781,19 +507,18 @@ interface(`virt_home_filetrans_virt_home',` ## ## --## -+# + # +-interface(`virt_read_pid_files',` +interface(`virt_append_log',` -+ gen_require(` + gen_require(` +- type virt_var_run_t; + type virt_log_t; -+ ') -+ + ') + +- files_search_pids($1) +- read_files_pattern($1, virt_var_run_t, virt_var_run_t) + logging_search_logs($1) + append_files_pattern($1, virt_log_t, virt_log_t) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Create, read, write, and delete +-## virt pid files. +## Allow domain to manage virt log files -+## -+## + ## + ## ## --## The name of the object being created. -+## Domain allowed access. 
+@@ -801,18 +526,19 @@ interface(`virt_read_pid_files',` ## ## # --interface(`virt_home_filetrans_virt_home',` +-interface(`virt_manage_pid_files',` +interface(`virt_manage_log',` gen_require(` -- type virt_home_t; +- type virt_var_run_t; + type virt_log_t; ') -- userdom_user_home_dir_filetrans($1, virt_home_t, $2, $3) +- files_search_pids($1) +- manage_files_pattern($1, virt_var_run_t, virt_var_run_t) + manage_dirs_pattern($1, virt_log_t, virt_log_t) + manage_files_pattern($1, virt_log_t, virt_log_t) + manage_lnk_files_pattern($1, virt_log_t, virt_log_t) 
@@ -86121,50 +86278,49 @@ index 9dec06c..6e25af1 100644 ######################################## ## --## Read virt pid files. +-## Search virt lib directories. +## Allow domain to search virt image direcories ## ## ## -@@ -781,19 +528,18 @@ interface(`virt_home_filetrans_virt_home',` +@@ -820,18 +546,18 @@ interface(`virt_manage_pid_files',` ## ## # --interface(`virt_read_pid_files',` +-interface(`virt_search_lib',` +interface(`virt_search_images',` gen_require(` -- type virt_var_run_t; +- type virt_var_lib_t; + attribute virt_image_type; ') -- files_search_pids($1) -- read_files_pattern($1, virt_var_run_t, virt_var_run_t) +- files_search_var_lib($1) +- allow $1 virt_var_lib_t:dir search_dir_perms; + virt_search_lib($1) + allow $1 virt_image_type:dir search_dir_perms; ') ######################################## ## --## Create, read, write, and delete --## virt pid files. +-## Read virt lib files. +## Allow domain to read virt image files ## ## ## -@@ -801,18 +547,36 @@ interface(`virt_read_pid_files',` +@@ -839,20 +565,73 @@ interface(`virt_search_lib',` ## ## # --interface(`virt_manage_pid_files',` +-interface(`virt_read_lib_files',` +interface(`virt_read_images',` gen_require(` -- type virt_var_run_t; -+ type virt_var_lib_t; + type virt_var_lib_t; + attribute virt_image_type; ') -- files_search_pids($1) -- manage_files_pattern($1, virt_var_run_t, virt_var_run_t) +- files_search_var_lib($1) +- read_files_pattern($1, virt_var_lib_t, virt_var_lib_t) +- read_lnk_files_pattern($1, virt_var_lib_t, virt_var_lib_t) + virt_search_lib($1) + allow $1 virt_image_type:dir list_dir_perms; + list_dirs_pattern($1, virt_image_type, virt_image_type) 
@@ -86184,52 +86340,41 @@ index 9dec06c..6e25af1 100644 + fs_read_cifs_files($1) + fs_read_cifs_symlinks($1) + ') - ') - - ######################################## - ## --## Search virt lib directories. ++') ++ ++######################################## ++## +## Allow domain to read virt blk image files - ## - ## - ## -@@ -820,18 +584,17 @@ interface(`virt_manage_pid_files',` - ## - ## - # --interface(`virt_search_lib',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`virt_read_blk_images',` - gen_require(` -- type virt_var_lib_t; ++ gen_require(` + attribute virt_image_type; - ') - -- files_search_var_lib($1) -- allow $1 virt_var_lib_t:dir search_dir_perms; ++ ') ++ + read_blk_files_pattern($1, virt_image_type, virt_image_type) - ') - - ######################################## - ## --## Read virt lib files. ++') ++ ++######################################## ++## +## Allow domain to read/write virt image chr files - ## - ## - ## -@@ -839,20 +602,18 @@ interface(`virt_search_lib',` - ## - ## - # --interface(`virt_read_lib_files',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`virt_rw_chr_files',` - gen_require(` -- type virt_var_lib_t; ++ gen_require(` + attribute virt_image_type; - ') - -- files_search_var_lib($1) -- read_files_pattern($1, virt_var_lib_t, virt_var_lib_t) -- read_lnk_files_pattern($1, virt_var_lib_t, virt_var_lib_t) ++ ') ++ + rw_chr_files_pattern($1, virt_image_type, virt_image_type) ') @@ -86241,7 +86386,7 @@ index 9dec06c..6e25af1 100644 ## ## ## -@@ -860,115 +621,245 @@ interface(`virt_read_lib_files',` +@@ -860,115 +639,245 @@ interface(`virt_read_lib_files',` ## ## # @@ -86524,7 +86669,7 @@ index 9dec06c..6e25af1 100644 ## ## ## -@@ -976,18 +867,17 @@ interface(`virt_manage_log',` +@@ -976,18 +885,17 @@ interface(`virt_manage_log',` ## ## # 
@@ -86547,7 +86692,7 @@ index 9dec06c..6e25af1 100644 ## ## ## -@@ -995,36 +885,35 @@ interface(`virt_search_images',` +@@ -995,36 +903,35 @@ interface(`virt_search_images',` ## ## # @@ -86603,7 +86748,7 @@ index 9dec06c..6e25af1 100644 ## ## ## -@@ -1032,58 +921,57 @@ interface(`virt_read_images',` +@@ -1032,58 +939,57 @@ interface(`virt_read_images',` ## ## # @@ -86683,7 +86828,7 @@ index 9dec06c..6e25af1 100644 ## ## ## -@@ -1091,95 +979,168 @@ interface(`virt_manage_virt_cache',` +@@ -1091,95 +997,168 @@ interface(`virt_manage_virt_cache',` ## ## # @@ -86912,7 +87057,7 @@ index 9dec06c..6e25af1 100644 + allow $1 svirt_image_t:chr_file rw_file_perms; ') diff --git a/virt.te b/virt.te -index 1f22fba..9d71252 100644 +index 1f22fba..3f1bc45 100644 --- a/virt.te +++ b/virt.te @@ -1,94 +1,98 @@ @@ -87554,7 +87699,7 @@ index 1f22fba..9d71252 100644 corecmd_exec_bin(virtd_t) corecmd_exec_shell(virtd_t) -@@ -520,22 +343,12 @@ corecmd_exec_shell(virtd_t) +@@ -520,24 +343,15 @@ corecmd_exec_shell(virtd_t) corenet_all_recvfrom_netlabel(virtd_t) corenet_tcp_sendrecv_generic_if(virtd_t) corenet_tcp_sendrecv_generic_node(virtd_t) @@ -87577,8 +87722,11 @@ index 1f22fba..9d71252 100644 - corenet_rw_tun_tap_dev(virtd_t) ++dev_rw_vfio_dev(virtd_t) dev_rw_sysfs(virtd_t) -@@ -548,22 +361,22 @@ dev_rw_vhost(virtd_t) + dev_read_urand(virtd_t) + dev_read_rand(virtd_t) +@@ -548,22 +362,23 @@ dev_rw_vhost(virtd_t) dev_setattr_generic_usb_dev(virtd_t) dev_relabel_generic_usb_dev(virtd_t) @@ -87600,13 +87748,14 @@ index 1f22fba..9d71252 100644 -# files_manage_system_conf_files(virtd_t) +files_manage_system_conf_files(virtd_t) ++fs_read_tmpfs_symlinks(virtd_t) fs_list_auto_mountpoints(virtd_t) -fs_getattr_all_fs(virtd_t) +fs_getattr_xattr_fs(virtd_t) fs_rw_anon_inodefs_files(virtd_t) fs_list_inotifyfs(virtd_t) fs_manage_cgroup_dirs(virtd_t) -@@ -594,15 +407,18 @@ term_use_ptmx(virtd_t) +@@ -594,15 +409,18 @@ term_use_ptmx(virtd_t) auth_use_nsswitch(virtd_t) 
@@ -87626,7 +87775,7 @@ index 1f22fba..9d71252 100644 selinux_validate_context(virtd_t) -@@ -613,18 +429,24 @@ seutil_read_file_contexts(virtd_t) +@@ -613,18 +431,24 @@ seutil_read_file_contexts(virtd_t) sysnet_signull_ifconfig(virtd_t) sysnet_signal_ifconfig(virtd_t) sysnet_domtrans_ifconfig(virtd_t) @@ -87661,7 +87810,7 @@ index 1f22fba..9d71252 100644 tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virtd_t) -@@ -633,7 +455,7 @@ tunable_policy(`virt_use_nfs',` +@@ -633,7 +457,7 @@ tunable_policy(`virt_use_nfs',` ') tunable_policy(`virt_use_samba',` @@ -87670,7 +87819,7 @@ index 1f22fba..9d71252 100644 fs_manage_cifs_files(virtd_t) fs_read_cifs_symlinks(virtd_t) ') -@@ -646,107 +468,327 @@ optional_policy(` +@@ -646,107 +470,328 @@ optional_policy(` consoletype_exec(virtd_t) ') @@ -87865,6 +88014,7 @@ index 1f22fba..9d71252 100644 +dev_read_urand(virt_domain) +dev_write_sound(virt_domain) +dev_rw_ksm(virt_domain) ++dev_rw_vfio_dev(virt_domain) +dev_rw_kvm(virt_domain) +dev_rw_qemu(virt_domain) +dev_rw_inherited_vhost(virt_domain) @@ -88056,7 +88206,7 @@ index 1f22fba..9d71252 100644 manage_files_pattern(virsh_t, virt_image_type, virt_image_type) manage_blk_files_pattern(virsh_t, virt_image_type, virt_image_type) -@@ -758,23 +800,15 @@ manage_chr_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) +@@ -758,23 +803,15 @@ manage_chr_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) manage_lnk_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) manage_sock_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) manage_fifo_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) @@ -88086,7 +88236,7 @@ index 1f22fba..9d71252 100644 kernel_read_system_state(virsh_t) kernel_read_network_state(virsh_t) kernel_read_kernel_sysctls(virsh_t) -@@ -785,25 +819,18 @@ kernel_write_xen_state(virsh_t) +@@ -785,25 +822,18 @@ kernel_write_xen_state(virsh_t) corecmd_exec_bin(virsh_t) corecmd_exec_shell(virsh_t) 
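Review bot: `dev_rw_vfio_dev(virt_domain)` lets every guest domain carrying virt_domain open and read/write any VFIO device node directly, and because all /dev/vfio/* nodes share one label SELinux can no longer keep one guest's assigned group from another — isolation then rests solely on libvirt's per-guest device ownership and the kernel's group checks. The neighbouring `dev_rw_inherited_vhost(virt_domain)` shows the file's pattern for devices libvirtd opens and hands down; if qemu genuinely has to open the VFIO nodes itself, the allow is needed, but the trade-off should be recorded with a comment such as `# PCI/USB passthrough via VFIO; guest-to-guest isolation here is not label-based`, while the direct open for the daemon stays as the hunk on the previous line adds (`dev_rw_vfio_dev(virtd_t)`). This assumes dev_rw_vfio_dev is declared in devices.if elsewhere in the series; the enclosing virt_domain block starts outside the hunk.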
@@ -88113,7 +88263,7 @@ index 1f22fba..9d71252 100644 fs_getattr_all_fs(virsh_t) fs_manage_xenfs_dirs(virsh_t) -@@ -812,24 +839,22 @@ fs_search_auto_mountpoints(virsh_t) +@@ -812,24 +842,22 @@ fs_search_auto_mountpoints(virsh_t) storage_raw_read_fixed_disk(virsh_t) @@ -88145,7 +88295,7 @@ index 1f22fba..9d71252 100644 tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virsh_t) fs_manage_nfs_files(virsh_t) -@@ -847,14 +872,19 @@ optional_policy(` +@@ -847,14 +875,20 @@ optional_policy(` ') optional_policy(` @@ -88159,6 +88309,7 @@ index 1f22fba..9d71252 100644 optional_policy(` xen_manage_image_dirs(virsh_t) + xen_read_image_files(virsh_t) ++ xen_read_lib_files(virsh_t) xen_append_log(virsh_t) xen_domtrans(virsh_t) - xen_read_xenstored_pid_files(virsh_t) @@ -88166,7 +88317,7 @@ index 1f22fba..9d71252 100644 xen_stream_connect(virsh_t) xen_stream_connect_xenstore(virsh_t) ') -@@ -879,34 +909,44 @@ optional_policy(` +@@ -879,34 +913,44 @@ optional_policy(` kernel_read_xen_state(virsh_ssh_t) kernel_write_xen_state(virsh_ssh_t) @@ -88220,7 +88371,7 @@ index 1f22fba..9d71252 100644 manage_dirs_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t) manage_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t) -@@ -916,12 +956,17 @@ manage_sock_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t) +@@ -916,12 +960,17 @@ manage_sock_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t) manage_fifo_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t) allow virtd_lxc_t svirt_lxc_file_t:dir_file_class_set { relabelto relabelfrom }; allow virtd_lxc_t svirt_lxc_file_t:filesystem { relabelto relabelfrom }; @@ -88238,7 +88389,7 @@ index 1f22fba..9d71252 100644 corecmd_exec_bin(virtd_lxc_t) corecmd_exec_shell(virtd_lxc_t) -@@ -933,10 +978,8 @@ dev_read_urand(virtd_lxc_t) +@@ -933,10 +982,8 @@ dev_read_urand(virtd_lxc_t) domain_use_interactive_fds(virtd_lxc_t) 
@@ -88249,7 +88400,7 @@ index 1f22fba..9d71252 100644 files_relabel_rootfs(virtd_lxc_t) files_mounton_non_security(virtd_lxc_t) files_mount_all_file_type_fs(virtd_lxc_t) -@@ -944,6 +987,7 @@ files_unmount_all_file_type_fs(virtd_lxc_t) +@@ -944,6 +991,7 @@ files_unmount_all_file_type_fs(virtd_lxc_t) files_list_isid_type_dirs(virtd_lxc_t) files_root_filetrans(virtd_lxc_t, svirt_lxc_file_t, dir_file_class_set) @@ -88257,7 +88408,7 @@ index 1f22fba..9d71252 100644 fs_getattr_all_fs(virtd_lxc_t) fs_manage_tmpfs_dirs(virtd_lxc_t) fs_manage_tmpfs_chr_files(virtd_lxc_t) -@@ -955,15 +999,11 @@ fs_rw_cgroup_files(virtd_lxc_t) +@@ -955,15 +1003,11 @@ fs_rw_cgroup_files(virtd_lxc_t) fs_unmount_all_fs(virtd_lxc_t) fs_relabelfrom_tmpfs(virtd_lxc_t) @@ -88276,7 +88427,7 @@ index 1f22fba..9d71252 100644 term_use_generic_ptys(virtd_lxc_t) term_use_ptmx(virtd_lxc_t) -@@ -973,21 +1013,36 @@ auth_use_nsswitch(virtd_lxc_t) +@@ -973,21 +1017,36 @@ auth_use_nsswitch(virtd_lxc_t) logging_send_syslog_msg(virtd_lxc_t) @@ -88321,7 +88472,7 @@ index 1f22fba..9d71252 100644 allow svirt_lxc_domain self:fifo_file manage_file_perms; allow svirt_lxc_domain self:sem create_sem_perms; allow svirt_lxc_domain self:shm create_shm_perms; -@@ -995,18 +1050,16 @@ allow svirt_lxc_domain self:msgq create_msgq_perms; +@@ -995,18 +1054,16 @@ allow svirt_lxc_domain self:msgq create_msgq_perms; allow svirt_lxc_domain self:unix_stream_socket { create_stream_socket_perms connectto }; allow svirt_lxc_domain self:unix_dgram_socket { sendto create_socket_perms }; 
@@ -88348,7 +88499,7 @@ index 1f22fba..9d71252 100644 manage_dirs_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) manage_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) -@@ -1015,17 +1068,14 @@ manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) +@@ -1015,17 +1072,14 @@ manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) manage_fifo_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) rw_chr_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) rw_blk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) @@ -88367,7 +88518,7 @@ index 1f22fba..9d71252 100644 kernel_dontaudit_search_kernel_sysctl(svirt_lxc_domain) corecmd_exec_all_executables(svirt_lxc_domain) -@@ -1037,21 +1087,20 @@ files_dontaudit_getattr_all_pipes(svirt_lxc_domain) +@@ -1037,21 +1091,20 @@ files_dontaudit_getattr_all_pipes(svirt_lxc_domain) files_dontaudit_getattr_all_sockets(svirt_lxc_domain) files_dontaudit_list_all_mountpoints(svirt_lxc_domain) files_dontaudit_write_etc_runtime_files(svirt_lxc_domain) @@ -88394,7 +88545,7 @@ index 1f22fba..9d71252 100644 auth_dontaudit_read_login_records(svirt_lxc_domain) auth_dontaudit_write_login_records(svirt_lxc_domain) auth_search_pam_console_data(svirt_lxc_domain) -@@ -1063,96 +1112,92 @@ init_dontaudit_write_utmp(svirt_lxc_domain) +@@ -1063,96 +1116,92 @@ init_dontaudit_write_utmp(svirt_lxc_domain) libs_dontaudit_setattr_lib_files(svirt_lxc_domain) 
@@ -88453,7 +88604,8 @@ index 1f22fba..9d71252 100644 allow svirt_lxc_net_t self:socket create_socket_perms; allow svirt_lxc_net_t self:rawip_socket create_socket_perms; -allow svirt_lxc_net_t self:netlink_socket create_socket_perms; - allow svirt_lxc_net_t self:netlink_tcpdiag_socket create_socket_perms; +-allow svirt_lxc_net_t self:netlink_tcpdiag_socket create_socket_perms; ++allow svirt_lxc_net_t self:netlink_tcpdiag_socket create_netlink_socket_perms; allow svirt_lxc_net_t self:netlink_kobject_uevent_socket create_socket_perms; kernel_read_network_state(svirt_lxc_net_t) @@ -88532,7 +88684,7 @@ index 1f22fba..9d71252 100644 allow virt_qmf_t self:tcp_socket create_stream_socket_perms; allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms; -@@ -1165,12 +1210,12 @@ dev_read_sysfs(virt_qmf_t) +@@ -1165,12 +1214,12 @@ dev_read_sysfs(virt_qmf_t) dev_read_rand(virt_qmf_t) dev_read_urand(virt_qmf_t) @@ -88547,7 +88699,7 @@ index 1f22fba..9d71252 100644 sysnet_read_config(virt_qmf_t) optional_policy(` -@@ -1183,9 +1228,8 @@ optional_policy(` +@@ -1183,9 +1232,8 @@ optional_policy(` ######################################## # @@ -88558,7 +88710,7 @@ index 1f22fba..9d71252 100644 allow virt_bridgehelper_t self:process { setcap getcap }; allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin }; allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; -@@ -1198,5 +1242,75 @@ kernel_read_network_state(virt_bridgehelper_t) +@@ -1198,5 +1246,75 @@ kernel_read_network_state(virt_bridgehelper_t) corenet_rw_tun_tap_dev(virt_bridgehelper_t) @@ -89829,7 +89981,7 @@ index 42d83b0..7977c2c 100644 -/xen(/.*)? gen_context(system_u:object_r:xen_image_t,s0) +/xen(/.*)? gen_context(system_u:object_r:xen_image_t,s0) diff --git a/xen.if b/xen.if -index f93558c..cc73c96 100644 +index f93558c..16e29c1 100644 --- a/xen.if +++ b/xen.if @@ -1,13 +1,13 @@ 
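Review bot: Switching the `svirt_lxc_net_t` `netlink_tcpdiag_socket` rule from `create_socket_perms` to `create_netlink_socket_perms` adds `nlmsg_write` together with `nlmsg_read` (refpolicy's netlink permission set is `create_socket_perms` plus both nlmsg perms), and write access on the inet_diag channel is more than a container needs to run `ss`/`netstat`, which only issue read requests. If the observed denial was `nlmsg_read`, the tighter form is `allow svirt_lxc_net_t self:netlink_tcpdiag_socket { create_socket_perms nlmsg_read };`. The changelog entry "Should use netlink socket_perms" suggests the broader macro was chosen for consistency with the other netlink rules in this file, which is defensible if deliberate, but a short comment saying so would stop it being narrowed back later. The svirt_lxc_net_t rule block starts and ends outside this hunk.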
@@ -89880,44 +90032,58 @@ index f93558c..cc73c96 100644 can_exec($1, xend_exec_t) ') -@@ -75,24 +74,24 @@ interface(`xen_dontaudit_use_fds',` +@@ -75,24 +74,43 @@ interface(`xen_dontaudit_use_fds',` dontaudit $1 xend_t:fd use; ') --######################################## +####################################### ++## ++## Read xend pid files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`xen_read_pid_files_xenstored',` ++ gen_require(` ++ type xenstored_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ ++ read_files_pattern($1, xenstored_var_run_t, xenstored_var_run_t) ++') ++ + ######################################## ## -## Create, read, write, and delete -## xend image directories. -+## Read xend pid files. ++## Read xend lib files. ## ## -## --## Domain allowed access. ++## + ## Domain allowed access. -## -+## -+## Domain allowed access. -+## ++## ## # -interface(`xen_manage_image_dirs',` -- gen_require(` -- type xend_var_lib_t; -- ') -+interface(`xen_read_pid_files_xenstored',` -+ gen_require(` -+ type xenstored_var_run_t; -+ ') ++interface(`xen_read_lib_files',` + gen_require(` + type xend_var_lib_t; + ') - files_search_var_lib($1) - manage_dirs_pattern($1, xend_var_lib_t, xend_var_lib_t) -+ files_search_pids($1) -+ -+ read_files_pattern($1, xenstored_var_run_t, xenstored_var_run_t) ++ files_list_var_lib($1) ++ read_files_pattern($1, xend_var_lib_t, xend_var_lib_t) ') ######################################## -@@ -100,9 +99,9 @@ interface(`xen_manage_image_dirs',` +@@ -100,9 +118,9 @@ interface(`xen_manage_image_dirs',` ## Read xend image files. ## ## @@ -89929,7 +90095,7 @@ index f93558c..cc73c96 100644 ## # interface(`xen_read_image_files',` -@@ -111,18 +110,40 @@ interface(`xen_read_image_files',` +@@ -111,18 +129,40 @@ interface(`xen_read_image_files',` ') files_list_var_lib($1) 
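Review bot: The summary on the new `xen_read_pid_files_xenstored` interface reads `## Read xend pid files.` while the rule it grants is `read_files_pattern($1, xenstored_var_run_t, xenstored_var_run_t)`, i.e. xenstored's pid files rather than xend's; change the summary to `## Read xenstored pid files.` so the generated interface documentation does not misdescribe what callers receive. The sibling `xen_read_lib_files` is consistent (summary names xend, type is `xend_var_lib_t`), but `read_files_pattern` grants only `search` on the directories, so a caller that must enumerate `/var/lib/xend` would additionally need `list_dirs_pattern($1, xend_var_lib_t, xend_var_lib_t)`; this matches the pre-existing `xen_read_image_files` style, so it is a caveat to document rather than a defect to fix here.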
@@ -89973,7 +90139,7 @@ index f93558c..cc73c96 100644 ## # interface(`xen_rw_image_files',` -@@ -137,7 +158,8 @@ interface(`xen_rw_image_files',` +@@ -137,7 +177,8 @@ interface(`xen_rw_image_files',` ######################################## ## @@ -89983,7 +90149,7 @@ index f93558c..cc73c96 100644 ## ## ## -@@ -157,13 +179,13 @@ interface(`xen_append_log',` +@@ -157,13 +198,13 @@ interface(`xen_append_log',` ######################################## ## @@ -90000,7 +90166,7 @@ index f93558c..cc73c96 100644 ## # interface(`xen_manage_log',` -@@ -176,29 +198,11 @@ interface(`xen_manage_log',` +@@ -176,29 +217,11 @@ interface(`xen_manage_log',` manage_files_pattern($1, xend_var_log_t, xend_var_log_t) ') @@ -90032,7 +90198,7 @@ index f93558c..cc73c96 100644 ## ## ## -@@ -216,8 +220,7 @@ interface(`xen_dontaudit_rw_unix_stream_sockets',` +@@ -216,8 +239,7 @@ interface(`xen_dontaudit_rw_unix_stream_sockets',` ######################################## ## @@ -90042,7 +90208,7 @@ index f93558c..cc73c96 100644 ## ## ## -@@ -236,8 +239,7 @@ interface(`xen_stream_connect_xenstore',` +@@ -236,8 +258,7 @@ interface(`xen_stream_connect_xenstore',` ######################################## ## @@ -90052,7 +90218,7 @@ index f93558c..cc73c96 100644 ## ## ## -@@ -270,16 +272,15 @@ interface(`xen_stream_connect',` +@@ -270,16 +291,15 @@ interface(`xen_stream_connect',` interface(`xen_domtrans_xm',` gen_require(` type xm_t, xm_exec_t; @@ -90072,7 +90238,7 @@ index f93558c..cc73c96 100644 ## ## ## -@@ -289,7 +290,7 @@ interface(`xen_domtrans_xm',` +@@ -289,7 +309,7 @@ interface(`xen_domtrans_xm',` # interface(`xen_stream_connect_xm',` gen_require(` diff --git a/selinux-policy.spec b/selinux-policy.spec index 24f2db5..192605c 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec 
@@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.12.1 -Release: 42%{?dist} +Release: 43%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
@@ -530,6 +530,45 @@ SELinux Reference policy mls base module. %endif %changelog +* Mon May 10 2013 Miroslav Grepl 3.12.1-43 +- Transition directories and files when in a user_tmp_t directory +- Change certwatch to domtrans to apache instead of just execute +- Allow virsh_t to read xen lib files +- update policy rules for pegasus_openlmi_account_t +- Add support for svnserve_tmp_t +- Activate account openlmi policy +- pegasus_openlmi_domain_template needs also require pegasus_t +- One more fix for policykit.te +- Call fs_list_cgroups_dirs() in policykit.te +- Allow nagios service plugin to read mysql config files +- Add labeling for /var/svn +- Fix chrome.te +- Fix pegasus_openlmi_domain_template() interfaces +- Fix dev_rw_vfio_dev definiton, allow virtd_t to read tmpfs_t symlinks +- Fix location of google-chrome data +- Add support for chome_sandbox to store content in the homedir +- Allow policykit to watch for changes in cgroups file system +- Add boolean to allow mozilla_plugin_t to use spice +- Allow collectd to bind to udp port +- Allow collected_t to read all of /proc +- Should use netlink socket_perms +- Should use netlink socket_perms +- Allow glance domains to connect to apache ports +- Allow apcupsd_t to manage its log files +- Allow chrome objects to rw_inherited unix_stream_socket from callers +- Allow staff_t to execute virtd_exec_t for running vms +- nfsd_t needs to bind mountd port to make nfs-mountd.service working +- Allow unbound net_admin capability because of setsockopt syscall +- Fix fs_list_cgroup_dirs() +- Label /usr/lib/nagios/plugins/utils.pm as bin_t +- Remove uplicate definition of fs_read_cgroup_files() +- Remove duplicate definition of fs_read_cgroup_files() +- Add files_mountpoint_filetrans interface to be used by quotadb_t and snapperd +- Additional interfaces needed to list and read cgroups config +- Add port definition for collectd port +- Add labels for /dev/ptp* +- Allow staff_t to execute virtd_exec_t for running vms + * Mon May 
6 2013 Miroslav Grepl 3.12.1-42 - Allow samba-net to also read realmd tmp files - Allow NUT to use serial ports