diff --git a/policy-F16.patch b/policy-F16.patch
index 9083cd5..142d456 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -1937,10 +1937,10 @@ index 0000000..bd83148
+## No Interfaces
diff --git a/policy/modules/admin/permissivedomains.te b/policy/modules/admin/permissivedomains.te
new file mode 100644
-index 0000000..c66d190
+index 0000000..0bd2028
--- /dev/null
+++ b/policy/modules/admin/permissivedomains.te
-@@ -0,0 +1,343 @@
+@@ -0,0 +1,349 @@
+policy_module(permissivedomains,16)
+
+optional_policy(`
@@ -2283,7 +2283,13 @@ index 0000000..c66d190
+ permissive chrome_sandbox_nacl_t;
+')
+
++optional_policy(`
++ gen_require(`
++ type matahari_sysconfigd_t;
++ ')
+
++ permissive matahari_sysconfigd_t;
++')
diff --git a/policy/modules/admin/portage.fc b/policy/modules/admin/portage.fc
index db46387..b665b08 100644
--- a/policy/modules/admin/portage.fc
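Review bot: matahari_sysconfigd_t is made permissive here while the `matahari_sysconfigd local policy` section added later in this patch contains only `dev_read_sysfs`, so nothing this patch declares constrains that daemon: every other access is audited and then allowed. If that is a deliberate bring-up step, add a line to the new block such as `# permissive until matahari_sysconfigd_t policy is complete, see <TRACKING-ID>` so the entry is not forgotten, and plan to remove it once the audit log is clean for the domain.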
@@ -4664,10 +4670,10 @@ index 0000000..5901e21
+/usr/lib/chromium-browser/nacl_helper_bootstrap -- gen_context(system_u:object_r:chrome_sandbox_nacl_exec_t,s0)
diff --git a/policy/modules/apps/chrome.if b/policy/modules/apps/chrome.if
new file mode 100644
-index 0000000..7cbe3a7
+index 0000000..1553356
--- /dev/null
+++ b/policy/modules/apps/chrome.if
-@@ -0,0 +1,131 @@
+@@ -0,0 +1,133 @@
+
+## policy for chrome
+
@@ -4755,6 +4761,8 @@ index 0000000..7cbe3a7
+ allow chrome_sandbox_t $2:unix_dgram_socket { read write };
+ allow $2 chrome_sandbox_t:unix_dgram_socket { read write };
+ allow chrome_sandbox_t $2:unix_stream_socket { getattr read write };
++ allow chrome_sandbox_nacl_t $2:unix_stream_socket { getattr read write };
++ allow $2 chrome_sandbox_nacl_t:unix_stream_socket { getattr read write };
+ allow $2 chrome_sandbox_t:unix_stream_socket { getattr read write };
+
+ allow $2 chrome_sandbox_t:shm rw_shm_perms;
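Review bot: The two added rules reference chrome_sandbox_nacl_t inside an interface whose gen_require block lies outside the hunk, so confirm that block already lists `type chrome_sandbox_nacl_t;`; if it does not, any module calling this interface fails to build. The enclosing interface starts and ends outside the hunk. A short comment above the pair, e.g. `# renderer <-> NaCl helper socketpair`, would also explain why the sandbox and its NaCl helper both need the stream-socket rules (the comment text is my reading of the rules, not stated on the page).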
@@ -4801,10 +4809,10 @@ index 0000000..7cbe3a7
+')
diff --git a/policy/modules/apps/chrome.te b/policy/modules/apps/chrome.te
new file mode 100644
-index 0000000..0eb3c23
+index 0000000..859eb9f
--- /dev/null
+++ b/policy/modules/apps/chrome.te
-@@ -0,0 +1,173 @@
+@@ -0,0 +1,177 @@
+policy_module(chrome,1.0.0)
+
+########################################
@@ -4889,6 +4897,7 @@ index 0000000..0eb3c23
+userdom_write_inherited_user_tmp_files(chrome_sandbox_t)
+userdom_read_inherited_user_home_content_files(chrome_sandbox_t)
+userdom_dontaudit_use_user_terminals(chrome_sandbox_t)
++userdom_search_user_home_content(chrome_sandbox_t)
+
+miscfiles_read_localization(chrome_sandbox_t)
+miscfiles_read_fonts(chrome_sandbox_t)
@@ -4950,6 +4959,8 @@ index 0000000..0eb3c23
+allow chrome_sandbox_nacl_t self:unix_stream_socket create_stream_socket_perms;
+allow chrome_sandbox_nacl_t self:shm create_shm_perms;
+allow chrome_sandbox_nacl_t self:unix_dgram_socket { create_socket_perms sendto };
++allow chrome_sandbox_nacl_t chrome_sandbox_t:unix_stream_socket { getattr write read };
++allow chrome_sandbox_t chrome_sandbox_nacl_t:unix_stream_socket { getattr write read };
+
+allow chrome_sandbox_nacl_t chrome_sandbox_t:shm rw_shm_perms;
+allow chrome_sandbox_nacl_t chrome_sandbox_tmpfs_t:file rw_inherited_file_perms;
@@ -4963,6 +4974,7 @@ index 0000000..0eb3c23
+dontaudit chrome_sandbox_nacl_t self:memprotect mmap_zero;
+
+domtrans_pattern(chrome_sandbox_t, chrome_sandbox_nacl_exec_t, chrome_sandbox_nacl_t)
++ps_process_pattern(chrome_sandbox_t, chrome_sandbox_nacl_t)
+
+kernel_read_system_state(chrome_sandbox_nacl_t)
+
@@ -7174,7 +7186,7 @@ index 40e0a2a..93d212c 100644
##
## Send generic signals to user gpg processes.
diff --git a/policy/modules/apps/gpg.te b/policy/modules/apps/gpg.te
-index 9050e8c..b5d4ca3 100644
+index 9050e8c..401a4ec 100644
--- a/policy/modules/apps/gpg.te
+++ b/policy/modules/apps/gpg.te
@@ -4,6 +4,7 @@ policy_module(gpg, 2.4.0)
@@ -7249,7 +7261,7 @@ index 9050e8c..b5d4ca3 100644
mta_write_config(gpg_t)
-@@ -142,6 +161,15 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -142,20 +161,33 @@ tunable_policy(`use_samba_home_dirs',`
')
optional_policy(`
@@ -7265,22 +7277,29 @@ index 9050e8c..b5d4ca3 100644
mozilla_read_user_home_files(gpg_t)
mozilla_write_user_home_files(gpg_t)
')
-@@ -151,10 +179,10 @@ optional_policy(`
- xserver_rw_xdm_pipes(gpg_t)
+
+ optional_policy(`
+- xserver_use_xdm_fds(gpg_t)
+- xserver_rw_xdm_pipes(gpg_t)
++ spamassassin_read_spamd_tmp_files(gpg_t)
')
--optional_policy(`
+ optional_policy(`
- cron_system_entry(gpg_t, gpg_exec_t)
- cron_read_system_job_tmp_files(gpg_t)
--')
++ xserver_use_xdm_fds(gpg_t)
++ xserver_rw_xdm_pipes(gpg_t)
+ ')
+
+#optional_policy(`
+# cron_system_entry(gpg_t, gpg_exec_t)
+# cron_read_system_job_tmp_files(gpg_t)
+#')
-
++
########################################
#
-@@ -191,7 +219,7 @@ files_read_etc_files(gpg_helper_t)
+ # GPG helper local policy
+@@ -191,7 +223,7 @@ files_read_etc_files(gpg_helper_t)
auth_use_nsswitch(gpg_helper_t)
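Review bot: The cron block is kept as commented-out policy (`#optional_policy(`` … `#')`) rather than removed, which leaves four dead lines that nobody will know whether to revive. Git history retains the old text, so either drop the four lines or replace them with one comment stating why gpg_t no longer gets a system cron entry. The surrounding `gpg_t` policy section starts outside the hunk.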
@@ -7289,7 +7308,7 @@ index 9050e8c..b5d4ca3 100644
tunable_policy(`use_nfs_home_dirs',`
fs_dontaudit_rw_nfs_files(gpg_helper_t)
-@@ -205,11 +233,12 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -205,11 +237,12 @@ tunable_policy(`use_samba_home_dirs',`
#
# GPG agent local policy
#
@@ -7303,7 +7322,7 @@ index 9050e8c..b5d4ca3 100644
allow gpg_agent_t self:fifo_file rw_fifo_file_perms;
# read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d )
-@@ -239,19 +268,20 @@ fs_dontaudit_list_inotifyfs(gpg_agent_t)
+@@ -239,19 +272,20 @@ fs_dontaudit_list_inotifyfs(gpg_agent_t)
miscfiles_read_localization(gpg_agent_t)
# Write to the user domain tty.
@@ -7326,7 +7345,7 @@ index 9050e8c..b5d4ca3 100644
userdom_manage_user_home_content_dirs(gpg_agent_t)
userdom_manage_user_home_content_files(gpg_agent_t)
')
-@@ -332,6 +362,10 @@ miscfiles_read_localization(gpg_pinentry_t)
+@@ -332,6 +366,10 @@ miscfiles_read_localization(gpg_pinentry_t)
# for .Xauthority
userdom_read_user_home_content_files(gpg_pinentry_t)
userdom_read_user_tmpfs_files(gpg_pinentry_t)
@@ -7337,7 +7356,7 @@ index 9050e8c..b5d4ca3 100644
tunable_policy(`use_nfs_home_dirs',`
fs_read_nfs_files(gpg_pinentry_t)
-@@ -342,11 +376,21 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -342,11 +380,21 @@ tunable_policy(`use_samba_home_dirs',`
')
optional_policy(`
@@ -7359,7 +7378,7 @@ index 9050e8c..b5d4ca3 100644
pulseaudio_exec(gpg_pinentry_t)
pulseaudio_rw_home_files(gpg_pinentry_t)
pulseaudio_setattr_home_dir(gpg_pinentry_t)
-@@ -356,4 +400,28 @@ optional_policy(`
+@@ -356,4 +404,28 @@ optional_policy(`
optional_policy(`
xserver_user_x_domain_template(gpg_pinentry, gpg_pinentry_t, gpg_pinentry_tmpfs_t)
@@ -15840,7 +15859,7 @@ index 6a1e4d1..3ded83e 100644
+ dontaudit $1 domain:socket_class_set { read write };
')
diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
-index fae1ab1..b949cfb 100644
+index fae1ab1..a60d2f8 100644
--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
@@ -4,6 +4,21 @@ policy_module(domain, 1.9.1)
@@ -15933,11 +15952,104 @@ index fae1ab1..b949cfb 100644
# Act upon any other process.
allow unconfined_domain_type domain:process ~{ transition dyntransition execmem execstack execheap };
-@@ -160,3 +197,122 @@ allow unconfined_domain_type domain:key *;
+@@ -158,5 +195,215 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
+ # act on all domains keys
+ allow unconfined_domain_type domain:key *;
++dev_filetrans_all_named_dev(unconfined_domain_type)
++
# receive from all domains over labeled networking
domain_all_recvfrom_all_domains(unconfined_domain_type)
+
++storage_filetrans_all_named_dev(unconfined_domain_type)
++
++term_filetrans_all_named_dev(unconfined_domain_type)
++
++optional_policy(`
++ authlogin_filetrans_named_content(unconfined_domain_type)
++')
++
++optional_policy(`
++ alsa_filetrans_named_content(unconfined_domain_type)
++')
++
++optional_policy(`
++ apache_filetrans_home_content(unconfined_domain_type)
++')
++
++optional_policy(`
++ bootloader_filetrans_config(unconfined_domain_type)
++')
++
++optional_policy(`
++ gnome_filetrans_admin_home_content(unconfined_domain_type)
++')
++
++optional_policy(`
++ devicekit_filetrans_named_content(unconfined_domain_type)
++')
++
++optional_policy(`
++ dnsmasq_filetrans_named_content(unconfined_domain_type)
++')
++
++optional_policy(`
++ kerberos_filetrans_named_content(unconfined_domain_type)
++')
++
++optional_policy(`
++ libs_filetrans_named_content(unconfined_domain_type)
++')
++
++optional_policy(`
++ miscfiles_filetrans_named_content(unconfined_domain_type)
++')
++
++optional_policy(`
++ mta_filetrans_named_content(unconfined_domain_type)
++')
++
++optional_policy(`
++ modules_filetrans_named_content(unconfined_domain_type)
++')
++
++optional_policy(`
++ networkmanager_filetrans_named_content(unconfined_domain_type)
++')
++
++optional_policy(`
++ nx_filetrans_named_content(unconfined_domain_type)
++')
++
++optional_policy(`
++ postfix_filetrans_named_content(unconfined_domain_type)
++')
++
++optional_policy(`
++ pulseaudio_filetrans_home_content(unconfined_domain_type)
++ pulseaudio_filetrans_admin_home_content(unconfined_domain_type)
++')
++
++optional_policy(`
++ quota_filetrans_named_content(unconfined_domain_type)
++')
++
++optional_policy(`
++ sysnet_filetrans_named_content(unconfined_domain_type)
++')
++
++optional_policy(`
++ userdom_user_home_dir_filetrans_user_home_content(unconfined_domain_type, { dir file lnk_file fifo_file sock_file })
++')
++
++optional_policy(`
++ virt_filetrans_home_content(unconfined_domain_type)
++')
++
++optional_policy(`
++ ssh_filetrans_admin_home_content(unconfined_domain_type)
++')
++
+selinux_getattr_fs(domain)
+selinux_search_fs(domain)
+selinux_dontaudit_read_fs(domain)
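Review bot: `dev_filetrans_all_named_dev(unconfined_domain_type)` is inserted between the key rule and the "receive from all domains over labeled networking" comment, separated from its siblings `storage_filetrans_all_named_dev` and `term_filetrans_all_named_dev` below; group the three together after the networking rule. The rules moved here also change scope: they were removed from unconfined_t (the unconfineduser.te hunks below) and now apply to every domain carrying the unconfined_domain_type attribute, so the name-based type_transition defaults for home, virt and pulseaudio content now fire for all such domains. That appears intended, but a header comment such as `# default labeling for content created by any unconfined domain` would record it, since the surrounding section comments only describe access rules.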
@@ -21006,7 +21118,7 @@ index 2be17d2..b172ab4 100644
+ userdom_execmod_user_home_files(staff_usertype)
+')
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
-index e14b961..2d6db89 100644
+index e14b961..c6aa0bc 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -24,20 +24,52 @@ ifndef(`enable_mls',`
@@ -21150,14 +21262,14 @@ index e14b961..2d6db89 100644
- libs_run_ldconfig(sysadm_t, sysadm_r)
+ kerberos_exec_kadmind(sysadm_t)
+ kerberos_filetrans_named_content(sysadm_t)
-+')
-+
-+optional_policy(`
-+ kudzu_run(sysadm_t, sysadm_r)
')
optional_policy(`
- lockdev_role(sysadm_r, sysadm_t)
++ kudzu_run(sysadm_t, sysadm_r)
++')
++
++optional_policy(`
+ libs_run_ldconfig(sysadm_t, sysadm_r)
')
@@ -21239,43 +21351,47 @@ index e14b961..2d6db89 100644
portage_run(sysadm_t, sysadm_r)
portage_run_gcc_config(sysadm_t, sysadm_r)
')
-@@ -253,19 +334,19 @@ optional_policy(`
+@@ -253,31 +334,32 @@ optional_policy(`
')
optional_policy(`
- pyzor_role(sysadm_r, sysadm_t)
-+ prelink_run(sysadm_t, sysadm_r)
++ postfix_filetrans_named_content(sysadm_t)
')
optional_policy(`
- quota_run(sysadm_t, sysadm_r)
-+ puppet_run_puppetca(sysadm_t, sysadm_r)
++ prelink_run(sysadm_t, sysadm_r)
')
optional_policy(`
- raid_run_mdadm(sysadm_r, sysadm_t)
-+ quota_run(sysadm_t, sysadm_r)
++ puppet_run_puppetca(sysadm_t, sysadm_r)
')
optional_policy(`
- razor_role(sysadm_r, sysadm_t)
++ quota_run(sysadm_t, sysadm_r)
+ ')
+
+ optional_policy(`
+- rpc_domtrans_nfsd(sysadm_t)
+ raid_domtrans_mdadm(sysadm_t)
')
optional_policy(`
-@@ -274,10 +355,7 @@ optional_policy(`
+- rpm_run(sysadm_t, sysadm_r)
++ rpc_domtrans_nfsd(sysadm_t)
+ ')
optional_policy(`
- rpm_run(sysadm_t, sysadm_r)
--')
--
--optional_policy(`
- rssh_role(sysadm_r, sysadm_t)
++ rpm_run(sysadm_t, sysadm_r)
+ rpm_dbus_chat(sysadm_t, sysadm_r)
')
optional_policy(`
-@@ -302,12 +380,18 @@ optional_policy(`
+@@ -302,12 +384,18 @@ optional_policy(`
')
optional_policy(`
@@ -21295,7 +21411,7 @@ index e14b961..2d6db89 100644
')
optional_policy(`
-@@ -332,7 +416,10 @@ optional_policy(`
+@@ -332,7 +420,10 @@ optional_policy(`
')
optional_policy(`
@@ -21307,7 +21423,7 @@ index e14b961..2d6db89 100644
')
optional_policy(`
-@@ -343,19 +430,15 @@ optional_policy(`
+@@ -343,19 +434,15 @@ optional_policy(`
')
optional_policy(`
@@ -21329,7 +21445,7 @@ index e14b961..2d6db89 100644
')
optional_policy(`
-@@ -367,45 +450,45 @@ optional_policy(`
+@@ -367,45 +454,45 @@ optional_policy(`
')
optional_policy(`
@@ -21386,7 +21502,7 @@ index e14b961..2d6db89 100644
auth_role(sysadm_r, sysadm_t)
')
-@@ -418,10 +501,6 @@ ifndef(`distro_redhat',`
+@@ -418,10 +505,6 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -21397,7 +21513,7 @@ index e14b961..2d6db89 100644
dbus_role_template(sysadm, sysadm_r, sysadm_t)
')
-@@ -439,6 +518,7 @@ ifndef(`distro_redhat',`
+@@ -439,6 +522,7 @@ ifndef(`distro_redhat',`
optional_policy(`
gnome_role(sysadm_r, sysadm_t)
@@ -21405,7 +21521,7 @@ index e14b961..2d6db89 100644
')
optional_policy(`
-@@ -446,11 +526,66 @@ ifndef(`distro_redhat',`
+@@ -446,11 +530,66 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -22184,10 +22300,10 @@ index 0000000..8b2cdf3
+
diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
new file mode 100644
-index 0000000..b1e60db
+index 0000000..4163dc5
--- /dev/null
+++ b/policy/modules/roles/unconfineduser.te
-@@ -0,0 +1,499 @@
+@@ -0,0 +1,442 @@
+policy_module(unconfineduser, 1.0.0)
+
+########################################
@@ -22271,20 +22387,6 @@ index 0000000..b1e60db
+files_create_default_dir(unconfined_t)
+files_root_filetrans_default(unconfined_t, dir)
+
-+dev_filetrans_all_named_dev(unconfined_t)
-+storage_filetrans_all_named_dev(unconfined_t)
-+term_filetrans_all_named_dev(unconfined_t)
-+
-+authlogin_filetrans_named_content(unconfined_t)
-+
-+miscfiles_filetrans_named_content(unconfined_t)
-+
-+sysnet_filetrans_named_content(unconfined_t)
-+
-+optional_policy(`
-+ ssh_filetrans_admin_home_content(unconfined_t)
-+')
-+
+mcs_killall(unconfined_t)
+mcs_ptrace_all(unconfined_t)
+mls_file_write_all_levels(unconfined_t)
@@ -22293,8 +22395,6 @@ index 0000000..b1e60db
+init_domtrans_script(unconfined_t)
+init_telinit(unconfined_t)
+
-+lib_filetrans_named_content(unconfined_t)
-+
+logging_send_syslog_msg(unconfined_t)
+logging_run_auditctl(unconfined_t, unconfined_r)
+
@@ -22307,8 +22407,6 @@ index 0000000..b1e60db
+
+unconfined_domain_noaudit(unconfined_t)
+
-+userdom_user_home_dir_filetrans_user_home_content(unconfined_t, { dir file lnk_file fifo_file sock_file })
-+
+usermanage_run_passwd(unconfined_t, unconfined_r)
+usermanage_run_chfn(unconfined_t, unconfined_r)
+
@@ -22361,7 +22459,6 @@ index 0000000..b1e60db
+ devicekit_dbus_chat(unconfined_usertype)
+ devicekit_dbus_chat_disk(unconfined_usertype)
+ devicekit_dbus_chat_power(unconfined_usertype)
-+ devicekit_filetrans_named_content(unconfined_usertype)
+ ')
+
+ optional_policy(`
@@ -22370,7 +22467,6 @@ index 0000000..b1e60db
+
+ optional_policy(`
+ networkmanager_dbus_chat(unconfined_usertype)
-+ networkmanager_filetrans_named_content(unconfined_usertype)
+ ')
+
+ optional_policy(`
@@ -22415,12 +22511,7 @@ index 0000000..b1e60db
+')
+
+optional_policy(`
-+ alsa_filetrans_named_content(unconfined_t)
-+')
-+
-+optional_policy(`
+ apache_run_helper(unconfined_t, unconfined_r)
-+ apache_filetrans_home_content(unconfined_t)
+')
+
+optional_policy(`
@@ -22428,10 +22519,6 @@ index 0000000..b1e60db
+')
+
+optional_policy(`
-+ bootloader_filetrans_config(unconfined_t)
-+')
-+
-+optional_policy(`
+ chrome_role_notrans(unconfined_r, unconfined_usertype)
+
+ tunable_policy(`unconfined_chrome_sandbox_transition',`
@@ -22475,7 +22562,6 @@ index 0000000..b1e60db
+ optional_policy(`
+ gnomeclock_dbus_chat(unconfined_usertype)
+ gnome_dbus_chat_gconfdefault(unconfined_usertype)
-+ gnome_filetrans_admin_home_content(unconfined_usertype)
+ gnome_command_domtrans_gkeyringd(unconfined_dbusd_t,unconfined_t)
+ ')
+
@@ -22505,10 +22591,6 @@ index 0000000..b1e60db
+')
+
+optional_policy(`
-+ dnsmasq_filetrans_named_content(unconfined_t)
-+')
-+
-+optional_policy(`
+ firstboot_run(unconfined_t, unconfined_r)
+')
+
@@ -22525,10 +22607,6 @@ index 0000000..b1e60db
+')
+
+optional_policy(`
-+ kerberos_filetrans_named_content(unconfined_t)
-+')
-+
-+optional_policy(`
+ livecd_run(unconfined_t, unconfined_r)
+')
+
@@ -22542,7 +22620,6 @@ index 0000000..b1e60db
+
+optional_policy(`
+ modutils_run_update_mods(unconfined_t, unconfined_r)
-+ modules_filetrans_named_content(unconfined_t)
+')
+
+optional_policy(`
@@ -22561,18 +22638,10 @@ index 0000000..b1e60db
+')
+
+optional_policy(`
-+ mta_filetrans_named_content(unconfined_t)
-+')
-+
-+optional_policy(`
+ ncftool_run(unconfined_t, unconfined_r)
+')
+
+optional_policy(`
-+ nx_filetrans_named_content(unconfined_t)
-+')
-+
-+optional_policy(`
+ oddjob_run_mkhomedir(unconfined_t, unconfined_r)
+')
+
@@ -22585,15 +22654,6 @@ index 0000000..b1e60db
+')
+
+optional_policy(`
-+ pulseaudio_filetrans_admin_home_content(unconfined_usertype)
-+ pulseaudio_filetrans_home_content(unconfined_usertype)
-+')
-+
-+optional_policy(`
-+ quota_filetrans_named_content(unconfined_t)
-+')
-+
-+optional_policy(`
+ rpm_run(unconfined_t, unconfined_r)
+ # Allow SELinux aware applications to request rpm_script execution
+ rpm_transition_script(unconfined_t)
@@ -22622,7 +22682,6 @@ index 0000000..b1e60db
+
+optional_policy(`
+ virt_transition_svirt(unconfined_t, unconfined_r)
-+ virt_filetrans_home_content(unconfined_t)
+')
+
+optional_policy(`
@@ -23069,7 +23128,7 @@ index 1bd5812..0d7d8d1 100644
+/var/cache/retrace-server(/.*)? gen_context(system_u:object_r:abrt_retrace_cache_t,s0)
+/var/spool/retrace-server(/.*)? gen_context(system_u:object_r:abrt_retrace_spool_t,s0)
diff --git a/policy/modules/services/abrt.if b/policy/modules/services/abrt.if
-index 0b827c5..6b739e6 100644
+index 0b827c5..b2d6129 100644
--- a/policy/modules/services/abrt.if
+++ b/policy/modules/services/abrt.if
@@ -71,6 +71,7 @@ interface(`abrt_read_state',`
@@ -23090,7 +23149,7 @@ index 0b827c5..6b739e6 100644
##
##
##
-@@ -169,12 +169,51 @@ interface(`abrt_run_helper',`
+@@ -169,12 +169,52 @@ interface(`abrt_run_helper',`
##
##
#
@@ -23139,11 +23198,12 @@ index 0b827c5..6b739e6 100644
')
manage_files_pattern($1, abrt_var_cache_t, abrt_var_cache_t)
++ manage_lnk_files_pattern($1, abrt_var_cache_t, abrt_var_cache_t)
+ manage_dirs_pattern($1, abrt_var_cache_t, abrt_var_cache_t)
')
####################################
-@@ -253,6 +292,24 @@ interface(`abrt_manage_pid_files',`
+@@ -253,6 +293,24 @@ interface(`abrt_manage_pid_files',`
manage_files_pattern($1, abrt_var_run_t, abrt_var_run_t)
')
@@ -23168,7 +23228,7 @@ index 0b827c5..6b739e6 100644
#####################################
##
## All of the rules required to administrate
-@@ -286,18 +343,116 @@ interface(`abrt_admin',`
+@@ -286,18 +344,116 @@ interface(`abrt_admin',`
role_transition $2 abrt_initrc_exec_t system_r;
allow $2 system_r;
@@ -24127,7 +24187,7 @@ index deca9d3..ae8c579 100644
')
diff --git a/policy/modules/services/apache.fc b/policy/modules/services/apache.fc
-index 9e39aa5..8002a1f 100644
+index 9e39aa5..a9959fa 100644
--- a/policy/modules/services/apache.fc
+++ b/policy/modules/services/apache.fc
@@ -1,13 +1,18 @@
@@ -24139,8 +24199,8 @@ index 9e39aa5..8002a1f 100644
/etc/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
/etc/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
-/etc/drupal(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-+/etc/cherokee(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
-+/etc/drupal(6)?(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
++/etc/cherokee(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
++/etc/drupal.* gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
/etc/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/etc/httpd(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
/etc/httpd/conf/keytab -- gen_context(system_u:object_r:httpd_keytab_t,s0)
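Review bot: `/etc/drupal.*` replaces `/etc/drupal(6)?(/.*)?`, and because file-context regexes are anchored this now labels any /etc path whose name merely begins with `drupal` (a constructed example: `/etc/drupal-backup.tar`) as httpd_sys_rw_content_t, the type httpd is permitted to write. If the intent is to cover versioned install directories, `/etc/drupal[0-9]*(/.*)?` keeps the match to those. The same applies to the `/usr/share/drupal.*` and `/var/lib/drupal.*` hunks that follow.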
@@ -24191,8 +24251,8 @@ index 9e39aa5..8002a1f 100644
-/usr/share/dirsrv(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/usr/share/drupal(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-+/usr/share/drupal(6)?(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-+/usr/share/doc/ghc/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
++/usr/share/drupal.* gen_context(system_u:object_r:httpd_sys_content_t,s0)
++/usr/share/doc/ghc/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+
/usr/share/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/usr/share/icecast(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
@@ -24217,7 +24277,7 @@ index 9e39aa5..8002a1f 100644
/var/lib/dav(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
-/var/lib/drupal(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/lib/dokuwiki(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-+/var/lib/drupal(6)?(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
++/var/lib/drupal.* gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
/var/lib/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/var/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
/var/lib/php/session(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
@@ -29165,10 +29225,10 @@ index 6077339..d10acd2 100644
dev_manage_generic_blk_files(clogd_t)
diff --git a/policy/modules/services/cloudform.fc b/policy/modules/services/cloudform.fc
new file mode 100644
-index 0000000..2c745ea
+index 0000000..b5058ac
--- /dev/null
+++ b/policy/modules/services/cloudform.fc
-@@ -0,0 +1,16 @@
+@@ -0,0 +1,23 @@
+/etc/rc\.d/init\.d/iwhd -- gen_context(system_u:object_r:iwhd_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/mongod -- gen_context(system_u:object_r:mongod_initrc_exec_t,s0)
+
@@ -29177,6 +29237,8 @@ index 0000000..2c745ea
+/usr/bin/mongod -- gen_context(system_u:object_r:mongod_exec_t,s0)
+/usr/bin/thin -- gen_context(system_u:object_r:thin_exec_t,s0)
+
++/usr/share/aeolus-conductor/dbomatic/dbomatic -- gen_context(system_u:object_r:mongod_exec_t,s0)
++
+/var/lib/iwhd(/.*)? gen_context(system_u:object_r:iwhd_var_lib_t,s0)
+/var/log/iwhd\.log -- gen_context(system_u:object_r:iwhd_log_t,s0)
+/var/run/iwhd\.pid -- gen_context(system_u:object_r:iwhd_var_run_t,s0)
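Review bot: `/usr/share/aeolus-conductor/dbomatic/dbomatic` is labeled mongod_exec_t, so dbomatic runs in mongod_t and shares a domain with the MongoDB daemon; the later cloudform.te hunk then widens mongod_t for it (`files_pid_filetrans` marked "needed by dbomatic", `mysql_stream_connect`, `postgresql_stream_connect`), so the database server inherits the conductor script's accesses and vice versa. A dedicated exec/domain type pair for dbomatic would keep the two separable. If sharing the domain is deliberate, a comment on the fc line saying why would save the next reader the question.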
@@ -29185,6 +29247,11 @@ index 0000000..2c745ea
+/var/log/mongodb(/.*)? gen_context(system_u:object_r:mongod_log_t,s0)
+/var/run/mongodb(/.*)? gen_context(system_u:object_r:mongod_var_run_t,s0)
+
++/var/run/aeolus/dbomatic\.pid -- gen_context(system_u:object_r:mongod_var_run_t,s0)
++
++/var/run/aeolus/thin\.pid -- gen_context(system_u:object_r:thin_var_run_t,s0)
++
++
diff --git a/policy/modules/services/cloudform.if b/policy/modules/services/cloudform.if
new file mode 100644
index 0000000..917f8d4
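Review bot: The new cloudform.fc now ends with two added blank lines after the `thin\.pid` entry; drop them so the file ends with a single newline, matching the other .fc files in the patch.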
@@ -29216,10 +29283,10 @@ index 0000000..917f8d4
+')
diff --git a/policy/modules/services/cloudform.te b/policy/modules/services/cloudform.te
new file mode 100644
-index 0000000..1852397
+index 0000000..c7ee7dd
--- /dev/null
+++ b/policy/modules/services/cloudform.te
-@@ -0,0 +1,201 @@
+@@ -0,0 +1,207 @@
+policy_module(cloudform, 1.0)
+
+########################################
@@ -29355,14 +29422,11 @@ index 0000000..1852397
+# mongod local policy
+#
+
-+#WHY?
-+allow mongod_t self:process execmem;
-+
-+allow mongod_t self:process setsched;
-+
-+allow mongod_t self:process { fork signal };
++allow mongod_t self:process { setsched signal };
+
++allow mongod_t self:netlink_route_socket r_netlink_socket_perms;
+allow mongod_t self:unix_stream_socket create_stream_socket_perms;
++allow mongod_t self:udp_socket create_socket_perms;
+
+manage_dirs_pattern(mongod_t, mongod_log_t, mongod_log_t)
+manage_files_pattern(mongod_t, mongod_log_t, mongod_log_t)
@@ -29377,12 +29441,21 @@ index 0000000..1852397
+
+manage_dirs_pattern(mongod_t, mongod_var_run_t, mongod_var_run_t)
+manage_files_pattern(mongod_t, mongod_var_run_t, mongod_var_run_t)
++#needed by dbomatic
++files_pid_filetrans(mongod_t, mongod_var_run_t, { file })
+
+corenet_tcp_bind_generic_node(mongod_t)
-+#temporary
+corenet_tcp_bind_generic_port(mongod_t)
+
-+domain_use_interactive_fds(mongod_t)
++files_read_usr_files(mongod_t)
++
++optional_policy(`
++ mysql_stream_connect(mongod_t)
++')
++
++optional_policy(`
++ postgresql_stream_connect(mongod_t)
++')
+
+optional_policy(`
+ sysnet_dns_name_resolve(mongod_t)
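Review bot: The `#temporary` marker above `corenet_tcp_bind_generic_port(mongod_t)` is removed while the rule itself stays, so binding to any generic port becomes permanent policy with no justification left in the file. If mongod only needs its own listening port, a declared port type with a port-specific bind interface is the narrower rule; otherwise restore a comment explaining why the generic bind is required. Separately, `files_pid_filetrans(mongod_t, mongod_var_run_t, { file })` braces a single class; the rest of this file writes such cases as a bare `file`.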
@@ -35304,7 +35377,7 @@ index e1d7dc5..673f185 100644
admin_pattern($1, dovecot_var_run_t)
diff --git a/policy/modules/services/dovecot.te b/policy/modules/services/dovecot.te
-index acf6d4f..87949e8 100644
+index acf6d4f..2fbb869 100644
--- a/policy/modules/services/dovecot.te
+++ b/policy/modules/services/dovecot.te
@@ -18,7 +18,7 @@ type dovecot_auth_tmp_t;
@@ -35395,15 +35468,17 @@ index acf6d4f..87949e8 100644
postgresql_stream_connect(dovecot_t)
')
-@@ -180,7 +196,7 @@ optional_policy(`
+@@ -180,8 +196,8 @@ optional_policy(`
# dovecot auth local policy
#
-allow dovecot_auth_t self:capability { chown dac_override setgid setuid };
-+allow dovecot_auth_t self:capability { chown dac_override ipc_lock setgid setuid };
- allow dovecot_auth_t self:process { signal_perms getcap setcap };
+-allow dovecot_auth_t self:process { signal_perms getcap setcap };
++allow dovecot_auth_t self:capability { chown dac_override ipc_lock setgid setuid sys_nice };
++allow dovecot_auth_t self:process { getsched setsched signal_perms getcap setcap };
allow dovecot_auth_t self:fifo_file rw_fifo_file_perms;
allow dovecot_auth_t self:unix_dgram_socket create_socket_perms;
+ allow dovecot_auth_t self:unix_stream_socket create_stream_socket_perms;
@@ -190,6 +206,9 @@ allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_p
read_files_pattern(dovecot_auth_t, dovecot_passwd_t, dovecot_passwd_t)
@@ -38642,10 +38717,10 @@ index 671d8fd..25c7ab8 100644
+ dontaudit gnomeclock_t $1:dbus send_msg;
+')
diff --git a/policy/modules/services/gnomeclock.te b/policy/modules/services/gnomeclock.te
-index 4fde46b..86ba356 100644
+index 4fde46b..8768e6b 100644
--- a/policy/modules/services/gnomeclock.te
+++ b/policy/modules/services/gnomeclock.te
-@@ -15,18 +15,23 @@ dbus_system_domain(gnomeclock_t, gnomeclock_exec_t)
+@@ -15,18 +15,24 @@ dbus_system_domain(gnomeclock_t, gnomeclock_exec_t)
#
allow gnomeclock_t self:capability { sys_nice sys_time sys_ptrace };
@@ -38659,8 +38734,10 @@ index 4fde46b..86ba356 100644
corecmd_exec_bin(gnomeclock_t)
+corecmd_exec_shell(gnomeclock_t)
+corecmd_dontaudit_access_check_bin(gnomeclock_t)
++
++dev_read_sysfs(gnomeclock_t)
- files_read_etc_files(gnomeclock_t)
+-files_read_etc_files(gnomeclock_t)
+files_read_etc_runtime_files(gnomeclock_t)
files_read_usr_files(gnomeclock_t)
@@ -38672,7 +38749,7 @@ index 4fde46b..86ba356 100644
miscfiles_read_localization(gnomeclock_t)
miscfiles_manage_localization(gnomeclock_t)
-@@ -35,10 +40,33 @@ miscfiles_etc_filetrans_localization(gnomeclock_t)
+@@ -35,10 +41,33 @@ miscfiles_etc_filetrans_localization(gnomeclock_t)
userdom_read_all_users_state(gnomeclock_t)
optional_policy(`
@@ -41059,7 +41136,7 @@ index 3aa8fa7..40b10fa 100644
+ ldap_systemctl($1)
')
diff --git a/policy/modules/services/ldap.te b/policy/modules/services/ldap.te
-index 64fd1ff..211180e 100644
+index 64fd1ff..0f5d0b7 100644
--- a/policy/modules/services/ldap.te
+++ b/policy/modules/services/ldap.te
@@ -10,7 +10,7 @@ type slapd_exec_t;
@@ -41119,6 +41196,14 @@ index 64fd1ff..211180e 100644
kernel_read_system_state(slapd_t)
kernel_read_kernel_sysctls(slapd_t)
+@@ -106,6 +123,7 @@ files_read_usr_files(slapd_t)
+ files_list_var_lib(slapd_t)
+
+ auth_use_nsswitch(slapd_t)
++auth_rw_cache(slapd_t)
+
+ logging_send_syslog_msg(slapd_t)
+
diff --git a/policy/modules/services/likewise.if b/policy/modules/services/likewise.if
index 771e04b..81d98b3 100644
--- a/policy/modules/services/likewise.if
@@ -41984,13 +42069,14 @@ index 0000000..5b84980
+')
diff --git a/policy/modules/services/matahari.fc b/policy/modules/services/matahari.fc
new file mode 100644
-index 0000000..ac84e59
+index 0000000..7f36870
--- /dev/null
+++ b/policy/modules/services/matahari.fc
-@@ -0,0 +1,27 @@
+@@ -0,0 +1,30 @@
+/etc/rc\.d/init\.d/matahari-host gen_context(system_u:object_r:matahari_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/matahari-net gen_context(system_u:object_r:matahari_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/matahari-service gen_context(system_u:object_r:matahari_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/matahari-sysconfig gen_context(system_u:object_r:matahari_initrc_exec_t,s0)
+
+/usr/sbin/matahari-hostd -- gen_context(system_u:object_r:matahari_hostd_exec_t,s0)
+
@@ -41998,6 +42084,8 @@ index 0000000..ac84e59
+
+/usr/sbin/matahari-qmf-hostd -- gen_context(system_u:object_r:matahari_hostd_exec_t,s0)
+
++/usr/sbin/matahari-qmf-sysconfigd -- gen_context(system_u:object_r:matahari_sysconfigd_exec_t,s0)
++
+/usr/sbin/matahari-netd -- gen_context(system_u:object_r:matahari_netd_exec_t,s0)
+
+/usr/sbin/matahari-dbus-networkd -- gen_context(system_u:object_r:matahari_netd_exec_t,s0)
@@ -42017,10 +42105,10 @@ index 0000000..ac84e59
+/var/run/matahari-broker\.pid -- gen_context(system_u:object_r:matahari_var_run_t,s0)
diff --git a/policy/modules/services/matahari.if b/policy/modules/services/matahari.if
new file mode 100644
-index 0000000..0432f2e
+index 0000000..0d771fd
--- /dev/null
+++ b/policy/modules/services/matahari.if
-@@ -0,0 +1,247 @@
+@@ -0,0 +1,250 @@
+## policy for matahari
+
+######################################
@@ -42039,10 +42127,10 @@ index 0000000..0432f2e
+ attribute matahari_domain;
+ ')
+
-+ ##############################
-+ #
-+ # Declarations
-+ #
++ ##############################
++ #
++ # Declarations
++ #
+
+ type matahari_$1_t, matahari_domain;
+ type matahari_$1_exec_t;
@@ -42261,6 +42349,9 @@ index 0000000..0432f2e
+ allow $1 matahari_serviced_t:process { ptrace signal_perms };
+ ps_process_pattern($1, matahari_serviced_t)
+
++ allow $1 matahari_sysconfigd_t:process { ptrace signal_perms };
++ ps_process_pattern($1, matahari_sysconfigd_t)
++
+ files_search_var_lib($1)
+ admin_pattern($1, matahari_var_lib_t)
+
@@ -42270,10 +42361,10 @@ index 0000000..0432f2e
+')
diff --git a/policy/modules/services/matahari.te b/policy/modules/services/matahari.te
new file mode 100644
-index 0000000..19d82c3
+index 0000000..215407c
--- /dev/null
+++ b/policy/modules/services/matahari.te
-@@ -0,0 +1,83 @@
+@@ -0,0 +1,100 @@
+policy_module(matahari,1.0.0)
+
+########################################
@@ -42286,6 +42377,7 @@ index 0000000..19d82c3
+matahari_domain_template(hostd)
+matahari_domain_template(netd)
+matahari_domain_template(serviced)
++matahari_domain_template(sysconfigd)
+
+type matahari_initrc_exec_t;
+init_script_file(matahari_initrc_exec_t)
@@ -42330,9 +42422,25 @@ index 0000000..19d82c3
+#
+# matahari_serviced local policy
+#
++allow matahari_serviced_t self:process setpgid;
++
++kernel_read_network_state(matahari_serviced_t)
++
++dev_read_sysfs(matahari_serviced_t)
+
+domain_use_interactive_fds(matahari_serviced_t)
-+init_spec_domtrans_script(matahari_serviced_t)
++
++files_read_etc_runtime_files(matahari_serviced_t)
++
++init_domtrans_script(matahari_serviced_t)
++
++systemd_config_all_services(matahari_serviced_t)
++
++########################################
++#
++# matahari_sysconfigd local policy
++#
++dev_read_sysfs(matahari_sysconfigd_t)
+
+#######################################
+#
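Review bot: `init_spec_domtrans_script(matahari_serviced_t)` is replaced by `init_domtrans_script(matahari_serviced_t)` and `systemd_config_all_services(matahari_serviced_t)` is added, so the service agent may now transition through any init script and reconfigure every systemd unit rather than the specified scripts only. If matahari-serviced is by design a start/stop agent for arbitrary services, record that in the section comment, e.g. `# serviced starts and stops arbitrary services on request, hence the broad init/systemd access`; otherwise keep the narrower interface. The new `matahari_sysconfigd local policy` section holds only `dev_read_sysfs` and the domain is set permissive in permissivedomains.te, so a `# TODO: placeholder policy, domain is permissive` line there would make the state explicit.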
@@ -48079,7 +48187,7 @@ index 9759ed8..48a5431 100644
admin_pattern($1, plymouthd_var_run_t)
')
diff --git a/policy/modules/services/plymouthd.te b/policy/modules/services/plymouthd.te
-index 06e217d..4f9a575 100644
+index 06e217d..ab25c8c 100644
--- a/policy/modules/services/plymouthd.te
+++ b/policy/modules/services/plymouthd.te
@@ -8,17 +8,21 @@ policy_module(plymouthd, 1.0.1)
@@ -48116,7 +48224,7 @@ index 06e217d..4f9a575 100644
manage_dirs_pattern(plymouthd_t, plymouthd_var_run_t, plymouthd_var_run_t)
manage_files_pattern(plymouthd_t, plymouthd_var_run_t, plymouthd_var_run_t)
files_pid_filetrans(plymouthd_t, plymouthd_var_run_t, { file dir })
-@@ -60,10 +68,25 @@ domain_use_interactive_fds(plymouthd_t)
+@@ -60,10 +68,26 @@ domain_use_interactive_fds(plymouthd_t)
files_read_etc_files(plymouthd_t)
files_read_usr_files(plymouthd_t)
@@ -48135,6 +48243,7 @@ index 06e217d..4f9a575 100644
+
+optional_policy(`
+ xserver_xdm_manage_spool(plymouthd_t)
++ xserver_read_state_xdm(plymouthd_t)
+')
+
+term_use_unallocated_ttys(plymouthd_t)
@@ -48142,7 +48251,7 @@ index 06e217d..4f9a575 100644
########################################
#
# Plymouth private policy
-@@ -74,6 +97,7 @@ allow plymouth_t self:fifo_file rw_file_perms;
+@@ -74,6 +98,7 @@ allow plymouth_t self:fifo_file rw_file_perms;
allow plymouth_t self:unix_stream_socket create_stream_socket_perms;
kernel_read_system_state(plymouth_t)
@@ -48150,7 +48259,7 @@ index 06e217d..4f9a575 100644
domain_use_interactive_fds(plymouth_t)
-@@ -87,7 +111,7 @@ sysnet_read_config(plymouth_t)
+@@ -87,7 +112,7 @@ sysnet_read_config(plymouth_t)
plymouthd_stream_connect(plymouth_t)
@@ -49046,7 +49155,7 @@ index a3e85c9..c0e0959 100644
/var/spool/postfix/pid/.* gen_context(system_u:object_r:postfix_var_run_t,s0)
/var/spool/postfix/private(/.*)? gen_context(system_u:object_r:postfix_private_t,s0)
diff --git a/policy/modules/services/postfix.if b/policy/modules/services/postfix.if
-index 46bee12..c22af86 100644
+index 46bee12..ca32d30 100644
--- a/policy/modules/services/postfix.if
+++ b/policy/modules/services/postfix.if
@@ -34,8 +34,9 @@ template(`postfix_domain_template',`
@@ -49095,6 +49204,15 @@ index 46bee12..c22af86 100644
')
########################################
+@@ -215,7 +219,7 @@ interface(`postfix_config_filetrans',`
+ ')
+
+ files_search_etc($1)
+- filetrans_pattern($1, postfix_etc_t, $2, $3)
++ filetrans_pattern($1, postfix_etc_t, $2, $3, $4)
+ ')
+
+ ########################################
@@ -272,7 +276,8 @@ interface(`postfix_read_local_state',`
type postfix_local_t;
')
@@ -49282,7 +49400,7 @@ index 46bee12..c22af86 100644
')
########################################
-@@ -621,3 +701,103 @@ interface(`postfix_domtrans_user_mail_handler',`
+@@ -621,3 +701,125 @@ interface(`postfix_domtrans_user_mail_handler',`
typeattribute $1 postfix_user_domtrans;
')
@@ -49359,6 +49477,8 @@ index 46bee12..c22af86 100644
+ admin_pattern($1, postfix_prng_t)
+
+ admin_pattern($1, postfix_public_t)
++
++ postfix_filetrans_named_content($1)
+')
+
+########################################
@@ -49386,6 +49506,26 @@ index 46bee12..c22af86 100644
+ postfix_domtrans_postdrop($1)
+ role $2 types postfix_postdrop_t;
+')
++
++########################################
++##
++## Transition to postfix named content
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`postfix_filetrans_named_content',`
++ gen_require(`
++ type postfix_exec_t;
++ type postfix_prng_t;
++ ')
++
++ postfix_config_filetrans($1, postfix_exec_t, file, "postfix-script")
++ postfix_config_filetrans($1, postfix_prng_t, file, "prng_exch")
++')
diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te
index a32c4b3..3a59bac 100644
--- a/policy/modules/services/postfix.te
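Review bot: The header comment for `postfix_filetrans_named_content` has `##` lines with no summary text (markup may have been lost in this rendering, but the rule block itself gives no description either); state what the interface does, e.g. `## Create postfix-script as postfix_exec_t and prng_exch as postfix_prng_t in postfix config directories`. Because a file named `postfix-script` that the caller creates in a postfix_etc_t directory is labeled executable (postfix_exec_t), the summary should also make clear the interface is intended for the admin interface rather than for arbitrary domains. The gen_require lists only the two target types; postfix_etc_t is required by `postfix_config_filetrans` itself, so that part is fine.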
@@ -50251,7 +50391,7 @@ index b524673..921a60f 100644
+ ppp_systemctl($1)
')
diff --git a/policy/modules/services/ppp.te b/policy/modules/services/ppp.te
-index 2af42e7..399a452 100644
+index 2af42e7..20f5d6b 100644
--- a/policy/modules/services/ppp.te
+++ b/policy/modules/services/ppp.te
@@ -6,16 +6,16 @@ policy_module(ppp, 1.12.0)
@@ -50378,7 +50518,7 @@ index 2af42e7..399a452 100644
')
optional_policy(`
-@@ -243,14 +252,17 @@ allow pptp_t pppd_log_t:file append_file_perms;
+@@ -243,14 +252,18 @@ allow pptp_t pppd_log_t:file append_file_perms;
allow pptp_t pptp_log_t:file manage_file_perms;
logging_log_filetrans(pptp_t, pptp_log_t, file)
@@ -50391,13 +50531,14 @@ index 2af42e7..399a452 100644
kernel_list_proc(pptp_t)
+kernel_signal(pptp_t)
kernel_read_kernel_sysctls(pptp_t)
++kernel_read_network_state(pptp_t)
kernel_read_proc_symlinks(pptp_t)
kernel_read_system_state(pptp_t)
+kernel_signal(pptp_t)
dev_read_sysfs(pptp_t)
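Review bot: `kernel_signal(pptp_t)` appears twice in the surrounding context, once immediately above the added `kernel_read_network_state(pptp_t)` and once three lines below it, a duplicate the patch already carried before this change. Duplicate rules add nothing to the compiled policy, but while this block is being edited, dropping one of them keeps the rule list readable; the added network-state read itself looks reasonable for a PPTP client.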
-@@ -265,9 +277,8 @@ corenet_tcp_sendrecv_generic_node(pptp_t)
+@@ -265,9 +278,8 @@ corenet_tcp_sendrecv_generic_node(pptp_t)
corenet_raw_sendrecv_generic_node(pptp_t)
corenet_tcp_sendrecv_all_ports(pptp_t)
corenet_tcp_bind_generic_node(pptp_t)
@@ -60476,7 +60617,7 @@ index 32a3c13..7baeb6f 100644
optional_policy(`
diff --git a/policy/modules/services/virt.fc b/policy/modules/services/virt.fc
-index 2124b6a..b944b61 100644
+index 2124b6a..d935248 100644
--- a/policy/modules/services/virt.fc
+++ b/policy/modules/services/virt.fc
@@ -1,5 +1,6 @@
@@ -60488,7 +60629,7 @@ index 2124b6a..b944b61 100644
HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0)
/etc/libvirt -d gen_context(system_u:object_r:virt_etc_t,s0)
-@@ -12,18 +13,37 @@ HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t
+@@ -12,18 +13,38 @@ HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t
/etc/xen/[^/]* -d gen_context(system_u:object_r:virt_etc_rw_t,s0)
/etc/xen/.*/.* gen_context(system_u:object_r:virt_etc_rw_t,s0)
@@ -60521,6 +60662,7 @@ index 2124b6a..b944b61 100644
/var/vdsm(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0)
+
+# support for AEOLUS project
++/usr/bin/imagefactory -- gen_context(system_u:object_r:virtd_exec_t,s0)
+/usr/bin/imgfac\.py -- gen_context(system_u:object_r:virtd_exec_t,s0)
+/var/cache/oz(/.*)? gen_context(system_u:object_r:virt_cache_t,s0)
+/var/lib/oz(/.*)? gen_context(system_u:object_r:virt_var_lib_t,s0)
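Review bot: Labeling `/usr/bin/imagefactory` as `virtd_exec_t` places the image-building tool in the same domain as libvirtd (virtd_t), which has broad access to disks, networks and guest images. If imagefactory only needs to drive libvirt and oz, a dedicated domain would be the least-privilege option; if virtd_t is the intended home, extend the comment to say why, e.g. `# support for AEOLUS project: imagefactory/imgfac run as virtd_t (builds images via libvirt/oz)`, so the next reader does not mistake the label for an accident.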
@@ -61075,7 +61217,7 @@ index 7c5d8d8..d711fd5 100644
+')
+
diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te
-index 3eca020..d2d599b 100644
+index 3eca020..96e71d4 100644
--- a/policy/modules/services/virt.te
+++ b/policy/modules/services/virt.te
@@ -5,56 +5,81 @@ policy_module(virt, 1.4.0)
@@ -61608,7 +61750,7 @@ index 3eca020..d2d599b 100644
files_read_usr_files(virt_domain)
files_read_var_files(virt_domain)
files_search_all(virt_domain)
-@@ -440,25 +614,359 @@ files_search_all(virt_domain)
+@@ -440,25 +614,362 @@ files_search_all(virt_domain)
fs_getattr_tmpfs(virt_domain)
fs_rw_anon_inodefs_files(virt_domain)
fs_rw_tmpfs_files(virt_domain)
@@ -61772,6 +61914,7 @@ index 3eca020..d2d599b 100644
+allow virtd_lxc_t self:packet_socket create_socket_perms;
+
+allow virtd_lxc_t virt_image_type:dir mounton;
++manage_files_pattern(virtd_lxc_t, virt_image_t, virt_image_t)
+
+domtrans_pattern(virtd_t, virtd_lxc_exec_t, virtd_lxc_t)
+allow virtd_t virtd_lxc_t:process { signal signull sigkill };
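Review bot: `manage_files_pattern(virtd_lxc_t, virt_image_t, virt_image_t)` grants the LXC driver full create/write/delete on every guest image file, and the next hunk adds `storage_manage_fixed_disk(virtd_lxc_t)`, raw read/write to fixed disk block devices, which lets that domain bypass file-level controls on anything stored on those disks. Neither line carries a comment saying which container operation needs it; if the need is limited (for example getattr, or one device class), a narrower interface would be preferable, otherwise a comment such as `# lxc driver prepares container rootfs images directly on block devices` would record why the width is acceptable. The virtd_lxc_t section extends beyond both hunks.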
@@ -61790,6 +61933,8 @@ index 3eca020..d2d599b 100644
+manage_fifo_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
+allow virtd_lxc_t svirt_lxc_file_t:dir_file_class_set { relabelto relabelfrom };
+
++storage_manage_fixed_disk(virtd_lxc_t)
++
+kernel_read_network_state(virtd_lxc_t)
+kernel_search_network_sysctl(virtd_lxc_t)
+kernel_read_sysctl(virtd_lxc_t)
@@ -65592,7 +65737,7 @@ index 73554ec..6a25dd6 100644
+ logging_log_named_filetrans($1, wtmp_t, file, "wtmp")
+')
diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
-index b7a5f00..a53db2b 100644
+index b7a5f00..2c39af1 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@@ -5,9 +5,25 @@ policy_module(authlogin, 2.2.1)
@@ -65635,7 +65780,7 @@ index b7a5f00..a53db2b 100644
seutil_dontaudit_use_newrole_fds(chkpwd_t)
-userdom_use_user_terminals(chkpwd_t)
-+userdom_use_inherited_user_terminals(chkpwd_t)
++userdom_dontaudit_use_user_ttys(chkpwd_t)
ifdef(`distro_ubuntu',`
optional_policy(`
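Review bot: `userdom_dontaudit_use_user_ttys(chkpwd_t)` silences denials only for user_tty_device_t (the interface body shown later in this diff requires just that type), whereas the removed `userdom_use_inherited_user_terminals` covered both ttys and ptys. If chkpwd is invoked through a pseudo-terminal, as with a pty-based login or screen lock, the user_devpts_t denials will still be logged; `userdom_dontaudit_use_user_terminals(chkpwd_t)` would cover both and matches the changelog's stated intent of silencing inherited terminal access.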
@@ -68952,7 +69097,7 @@ index 560dc48..4986f1b 100644
+/opt/google/picasa/.*\.yti -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/opt/google/talkplugin/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
diff --git a/policy/modules/system/libraries.if b/policy/modules/system/libraries.if
-index 808ba93..8f5a243 100644
+index 808ba93..eb621fd 100644
--- a/policy/modules/system/libraries.if
+++ b/policy/modules/system/libraries.if
@@ -207,6 +207,23 @@ interface(`libs_search_lib',`
@@ -69050,7 +69195,7 @@ index 808ba93..8f5a243 100644
+##
+##
+#
-+interface(`lib_filetrans_named_content',`
++interface(`libs_filetrans_named_content',`
+ gen_require(`
+ type ld_so_cache_t;
+ ')
@@ -72966,10 +73111,10 @@ index 0000000..db57bc7
+/var/run/initramfs(/.*)? <>
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
new file mode 100644
-index 0000000..79c358c
+index 0000000..5571350
--- /dev/null
+++ b/policy/modules/system/systemd.if
-@@ -0,0 +1,502 @@
+@@ -0,0 +1,503 @@
+## SELinux policy for systemd components
+
+#######################################
@@ -73018,6 +73163,7 @@ index 0000000..79c358c
+ can_exec($1, systemd_systemctl_exec_t)
+
+ fs_list_cgroup_dirs($1)
++ fs_read_cgroup_files($1)
+ systemd_list_unit_dirs($1)
+ init_list_pid_dirs($1)
+ init_read_state($1)
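Review bot: `fs_read_cgroup_files($1)` is added to an interface whose name is outside the hunk but which already grants `can_exec($1, systemd_systemctl_exec_t)`, so every caller of that interface now gains read access to cgroup files, not only the gnomeclock domain the changelog mentions. If a single caller needs it, granting it in that caller's .te file keeps the interface tight; if it belongs here because systemctl reads cgroups when reporting status, a comment `# systemctl status reads cgroup files` would document that for the next reviewer.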
@@ -75062,7 +75208,7 @@ index db75976..494ec08 100644
+
+/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0)
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 4b2878a..af43357 100644
+index 4b2878a..9b49159 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@@ -77186,10 +77332,16 @@ index 4b2878a..af43357 100644
')
########################################
-@@ -2644,6 +3313,25 @@ interface(`userdom_dontaudit_use_user_terminals',`
- dontaudit $1 user_devpts_t:chr_file rw_term_perms;
- ')
+@@ -2640,8 +3309,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
+ type user_tty_device_t, user_devpts_t;
+ ')
+- dontaudit $1 user_tty_device_t:chr_file rw_term_perms;
+- dontaudit $1 user_devpts_t:chr_file rw_term_perms;
++ dontaudit $1 user_tty_device_t:chr_file rw_inherited_term_perms;
++ dontaudit $1 user_devpts_t:chr_file rw_inherited_term_perms;
++')
++
+
+########################################
+##
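Review bot: `dontaudit $1 user_tty_device_t:chr_file rw_inherited_term_perms;` in `userdom_dontaudit_use_user_terminals` and `dontaudit $1 user_tty_device_t:chr_file rw_inherited_file_perms;` in the later `userdom_dontaudit_use_user_ttys` hunk apply two different inherited permission sets to the same class and type; picking one for both (`rw_inherited_term_perms` fits the terminal chr_file case) keeps the two interfaces in step. Both rely on the `rw_inherited_*` sets being defined in the policy's permission-set macros, which are not visible here, so a build check is worthwhile. This hunk and the following one also move the closing `')` of the neighbouring getattr interface, which is the right placement.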
@@ -77207,11 +77359,9 @@ index 4b2878a..af43357 100644
+ ')
+
+ allow $1 { user_tty_device_t user_devpts_t }:chr_file getattr_chr_file_perms;
-+')
-+
+ ')
+
########################################
- ##
- ## Execute a shell in all user domains. This
@@ -2713,6 +3401,24 @@ interface(`userdom_spec_domtrans_unpriv_users',`
allow unpriv_userdomain $1:process sigchld;
')
@@ -77387,6 +77537,15 @@ index 4b2878a..af43357 100644
')
########################################
+@@ -3045,7 +3736,7 @@ interface(`userdom_dontaudit_use_user_ttys',`
+ type user_tty_device_t;
+ ')
+
+- dontaudit $1 user_tty_device_t:chr_file rw_file_perms;
++ dontaudit $1 user_tty_device_t:chr_file rw_inherited_file_perms;
+ ')
+
+ ########################################
@@ -3064,6 +3755,7 @@ interface(`userdom_read_all_users_state',`
')
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 5e85083..4376690 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -466,6 +466,14 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Tue Nov 1 2011 Miroslav Grepl 3.10.0-53
+- Fix abrt_manage_cache() interface
+- Make filetrans rules optional so base policy will build
+- Dontaudit chkpwd_t access to inherited TTYS
+- Make sure postfix content gets created with the correct label
+- Allow gnomeclock to read cgroup
+- Fixes for cloudform policy
+
* Thu Oct 27 2011 Miroslav Grepl 3.10.0-52
- Check in fixed for Chrome nacl support