diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index ef917e0..3977b25 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -9321,7 +9321,7 @@ index cf04cb5..32d58ca 100644
 +	unconfined_server_stream_connect(domain)
 +')
 diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
-index b876c48..bbd0e79 100644
+index b876c48..0f99fae 100644
 --- a/policy/modules/kernel/files.fc
 +++ b/policy/modules/kernel/files.fc
 @@ -18,6 +18,7 @@ ifdef(`distro_redhat',`
@@ -9412,7 +9412,12 @@ index b876c48..bbd0e79 100644
  #
  /lib/modules(/.*)?		gen_context(system_u:object_r:modules_object_t,s0)
  
-@@ -129,6 +133,8 @@ ifdef(`distro_debian',`
+@@ -125,10 +129,12 @@ ifdef(`distro_debian',`
+ #
+ # Mount points; do not relabel subdirectories, since
+ # we don't want to change any removable media by default.
+-/media(/[^/]*)		-l	gen_context(system_u:object_r:mnt_t,s0)
++/media(/[^/]*)?		-l	gen_context(system_u:object_r:mnt_t,s0)
  /media(/[^/]*)?		-d	gen_context(system_u:object_r:mnt_t,s0)
  /media/[^/]*/.*			<<none>>
  /media/\.hal-.*		--	gen_context(system_u:object_r:mnt_t,s0)
@@ -9421,6 +9426,15 @@ index b876c48..bbd0e79 100644
  
  #
  # /misc
+@@ -138,7 +144,7 @@ ifdef(`distro_debian',`
+ #
+ # /mnt
+ #
+-/mnt(/[^/]*)		-l	gen_context(system_u:object_r:mnt_t,s0)
++/mnt(/[^/]*)?		-l	gen_context(system_u:object_r:mnt_t,s0)
+ /mnt(/[^/]*)?		-d	gen_context(system_u:object_r:mnt_t,s0)
+ /mnt/[^/]*/.*			<<none>>
+ 
 @@ -150,10 +156,10 @@ ifdef(`distro_debian',`
  #
  # /opt
@@ -9568,7 +9582,7 @@ index b876c48..bbd0e79 100644
 +/nsr(/.*)?			gen_context(system_u:object_r:var_t,s0)
 +/nsr/logs(/.*)?			gen_context(system_u:object_r:var_log_t,s0)
 diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index f962f76..51c5d2c 100644
+index f962f76..1f7b192 100644
 --- a/policy/modules/kernel/files.if
 +++ b/policy/modules/kernel/files.if
 @@ -19,6 +19,136 @@
@@ -10203,7 +10217,7 @@ index f962f76..51c5d2c 100644
  ##	Do not audit attempts to write to mount points.
  ## </summary>
  ## <param name="domain">
-@@ -1709,6 +2115,42 @@ interface(`files_dontaudit_write_all_mountpoints',`
+@@ -1709,6 +2115,60 @@ interface(`files_dontaudit_write_all_mountpoints',`
  
  ########################################
  ## <summary>
@@ -10225,6 +10239,24 @@ index f962f76..51c5d2c 100644
 +
 +########################################
 +## <summary>
++##	Read  all mountpoint symbolic links.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_read_all_mountpoint_symlinks',`
++	gen_require(`
++		attribute mountpoint;
++	')
++
++    allow $1 mountpoint:lnk_file read_lnk_file_perms;
++')
++
++########################################
++## <summary>
 +##	Write all file type directories.
 +## </summary>
 +## <param name="domain">
@@ -10246,7 +10278,7 @@ index f962f76..51c5d2c 100644
  ##	List the contents of the root directory.
  ## </summary>
  ## <param name="domain">
-@@ -1725,6 +2167,23 @@ interface(`files_list_root',`
+@@ -1725,6 +2185,23 @@ interface(`files_list_root',`
  	allow $1 root_t:dir list_dir_perms;
  	allow $1 root_t:lnk_file { read_lnk_file_perms ioctl lock };
  ')
@@ -10270,7 +10302,7 @@ index f962f76..51c5d2c 100644
  
  ########################################
  ## <summary>
-@@ -1765,6 +2224,26 @@ interface(`files_dontaudit_rw_root_dir',`
+@@ -1765,6 +2242,26 @@ interface(`files_dontaudit_rw_root_dir',`
  
  ########################################
  ## <summary>
@@ -10297,7 +10329,7 @@ index f962f76..51c5d2c 100644
  ##	Create an object in the root directory, with a private
  ##	type using a type transition.
  ## </summary>
-@@ -1892,25 +2371,25 @@ interface(`files_delete_root_dir_entry',`
+@@ -1892,25 +2389,25 @@ interface(`files_delete_root_dir_entry',`
  
  ########################################
  ## <summary>
@@ -10329,7 +10361,7 @@ index f962f76..51c5d2c 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1923,7 +2402,7 @@ interface(`files_relabel_rootfs',`
+@@ -1923,7 +2420,7 @@ interface(`files_relabel_rootfs',`
  		type root_t;
  	')
  
@@ -10338,7 +10370,7 @@ index f962f76..51c5d2c 100644
  ')
  
  ########################################
-@@ -1946,6 +2425,42 @@ interface(`files_unmount_rootfs',`
+@@ -1946,6 +2443,42 @@ interface(`files_unmount_rootfs',`
  
  ########################################
  ## <summary>
@@ -10381,7 +10413,7 @@ index f962f76..51c5d2c 100644
  ##	Get attributes of the /boot directory.
  ## </summary>
  ## <param name="domain">
-@@ -2181,6 +2696,24 @@ interface(`files_relabelfrom_boot_files',`
+@@ -2181,6 +2714,24 @@ interface(`files_relabelfrom_boot_files',`
  	relabelfrom_files_pattern($1, boot_t, boot_t)
  ')
  
@@ -10406,7 +10438,7 @@ index f962f76..51c5d2c 100644
  ######################################
  ## <summary>
  ##	Read symbolic links in the /boot directory.
-@@ -2645,6 +3178,24 @@ interface(`files_rw_etc_dirs',`
+@@ -2645,6 +3196,24 @@ interface(`files_rw_etc_dirs',`
  	allow $1 etc_t:dir rw_dir_perms;
  ')
  
@@ -10431,7 +10463,7 @@ index f962f76..51c5d2c 100644
  ##########################################
  ## <summary>
  ## 	Manage generic directories in /etc
-@@ -2716,6 +3267,7 @@ interface(`files_read_etc_files',`
+@@ -2716,6 +3285,7 @@ interface(`files_read_etc_files',`
  	allow $1 etc_t:dir list_dir_perms;
  	read_files_pattern($1, etc_t, etc_t)
  	read_lnk_files_pattern($1, etc_t, etc_t)
@@ -10439,7 +10471,7 @@ index f962f76..51c5d2c 100644
  ')
  
  ########################################
-@@ -2724,7 +3276,7 @@ interface(`files_read_etc_files',`
+@@ -2724,7 +3294,7 @@ interface(`files_read_etc_files',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -10448,7 +10480,7 @@ index f962f76..51c5d2c 100644
  ##	</summary>
  ## </param>
  #
-@@ -2780,6 +3332,25 @@ interface(`files_manage_etc_files',`
+@@ -2780,6 +3350,25 @@ interface(`files_manage_etc_files',`
  
  ########################################
  ## <summary>
@@ -10474,7 +10506,7 @@ index f962f76..51c5d2c 100644
  ##	Delete system configuration files in /etc.
  ## </summary>
  ## <param name="domain">
-@@ -2798,6 +3369,24 @@ interface(`files_delete_etc_files',`
+@@ -2798,6 +3387,24 @@ interface(`files_delete_etc_files',`
  
  ########################################
  ## <summary>
@@ -10499,7 +10531,7 @@ index f962f76..51c5d2c 100644
  ##	Execute generic files in /etc.
  ## </summary>
  ## <param name="domain">
-@@ -2963,24 +3552,6 @@ interface(`files_delete_boot_flag',`
+@@ -2963,26 +3570,8 @@ interface(`files_delete_boot_flag',`
  
  ########################################
  ## <summary>
@@ -10521,10 +10553,14 @@ index f962f76..51c5d2c 100644
 -
 -########################################
 -## <summary>
- ##	Read files in /etc that are dynamically
- ##	created on boot, such as mtab.
+-##	Read files in /etc that are dynamically
+-##	created on boot, such as mtab.
++##	Read files in /etc that are dynamically
++##	created on boot, such as mtab.
  ## </summary>
-@@ -3021,9 +3592,7 @@ interface(`files_read_etc_runtime_files',`
+ ## <desc>
+ ##	<p>
+@@ -3021,9 +3610,7 @@ interface(`files_read_etc_runtime_files',`
  
  ########################################
  ## <summary>
@@ -10535,7 +10571,7 @@ index f962f76..51c5d2c 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3031,18 +3600,17 @@ interface(`files_read_etc_runtime_files',`
+@@ -3031,18 +3618,17 @@ interface(`files_read_etc_runtime_files',`
  ##	</summary>
  ## </param>
  #
@@ -10557,7 +10593,7 @@ index f962f76..51c5d2c 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3060,6 +3628,26 @@ interface(`files_dontaudit_write_etc_runtime_files',`
+@@ -3060,6 +3646,26 @@ interface(`files_dontaudit_write_etc_runtime_files',`
  
  ########################################
  ## <summary>
@@ -10584,7 +10620,7 @@ index f962f76..51c5d2c 100644
  ##	Read and write files in /etc that are dynamically
  ##	created on boot, such as mtab.
  ## </summary>
-@@ -3077,6 +3665,7 @@ interface(`files_rw_etc_runtime_files',`
+@@ -3077,6 +3683,7 @@ interface(`files_rw_etc_runtime_files',`
  
  	allow $1 etc_t:dir list_dir_perms;
  	rw_files_pattern($1, etc_t, etc_runtime_t)
@@ -10592,7 +10628,7 @@ index f962f76..51c5d2c 100644
  ')
  
  ########################################
-@@ -3098,6 +3687,7 @@ interface(`files_manage_etc_runtime_files',`
+@@ -3098,6 +3705,7 @@ interface(`files_manage_etc_runtime_files',`
  	')
  
  	manage_files_pattern($1, { etc_t etc_runtime_t }, etc_runtime_t)
@@ -10600,7 +10636,7 @@ index f962f76..51c5d2c 100644
  ')
  
  ########################################
-@@ -3142,10 +3732,48 @@ interface(`files_etc_filetrans_etc_runtime',`
+@@ -3142,10 +3750,48 @@ interface(`files_etc_filetrans_etc_runtime',`
  #
  interface(`files_getattr_isid_type_dirs',`
  	gen_require(`
@@ -10625,8 +10661,9 @@ index f962f76..51c5d2c 100644
 +interface(`files_getattr_isid_type',`
 +	gen_require(`
 +		type unlabeled_t;
-+	')
-+
+ 	')
+ 
+-	allow $1 file_t:dir getattr;
 +	allow $1 unlabeled_t:dir_file_class_set getattr;
 +')
 +
@@ -10644,14 +10681,13 @@ index f962f76..51c5d2c 100644
 +interface(`files_setattr_isid_type_dirs',`
 +	gen_require(`
 +		type unlabeled_t;
- 	')
- 
--	allow $1 file_t:dir getattr;
++	')
++
 +	allow $1 unlabeled_t:dir setattr;
  ')
  
  ########################################
-@@ -3161,10 +3789,10 @@ interface(`files_getattr_isid_type_dirs',`
+@@ -3161,10 +3807,10 @@ interface(`files_getattr_isid_type_dirs',`
  #
  interface(`files_dontaudit_search_isid_type_dirs',`
  	gen_require(`
@@ -10664,7 +10700,7 @@ index f962f76..51c5d2c 100644
  ')
  
  ########################################
-@@ -3180,10 +3808,10 @@ interface(`files_dontaudit_search_isid_type_dirs',`
+@@ -3180,10 +3826,10 @@ interface(`files_dontaudit_search_isid_type_dirs',`
  #
  interface(`files_list_isid_type_dirs',`
  	gen_require(`
@@ -10677,7 +10713,7 @@ index f962f76..51c5d2c 100644
  ')
  
  ########################################
-@@ -3199,10 +3827,10 @@ interface(`files_list_isid_type_dirs',`
+@@ -3199,10 +3845,10 @@ interface(`files_list_isid_type_dirs',`
  #
  interface(`files_rw_isid_type_dirs',`
  	gen_require(`
@@ -10690,7 +10726,7 @@ index f962f76..51c5d2c 100644
  ')
  
  ########################################
-@@ -3218,10 +3846,66 @@ interface(`files_rw_isid_type_dirs',`
+@@ -3218,10 +3864,66 @@ interface(`files_rw_isid_type_dirs',`
  #
  interface(`files_delete_isid_type_dirs',`
  	gen_require(`
@@ -10759,7 +10795,7 @@ index f962f76..51c5d2c 100644
  ')
  
  ########################################
-@@ -3237,10 +3921,10 @@ interface(`files_delete_isid_type_dirs',`
+@@ -3237,10 +3939,10 @@ interface(`files_delete_isid_type_dirs',`
  #
  interface(`files_manage_isid_type_dirs',`
  	gen_require(`
@@ -10772,7 +10808,7 @@ index f962f76..51c5d2c 100644
  ')
  
  ########################################
-@@ -3256,10 +3940,29 @@ interface(`files_manage_isid_type_dirs',`
+@@ -3256,10 +3958,29 @@ interface(`files_manage_isid_type_dirs',`
  #
  interface(`files_mounton_isid_type_dirs',`
  	gen_require(`
@@ -10804,7 +10840,7 @@ index f962f76..51c5d2c 100644
  ')
  
  ########################################
-@@ -3275,10 +3978,10 @@ interface(`files_mounton_isid_type_dirs',`
+@@ -3275,10 +3996,10 @@ interface(`files_mounton_isid_type_dirs',`
  #
  interface(`files_read_isid_type_files',`
  	gen_require(`
@@ -10817,7 +10853,7 @@ index f962f76..51c5d2c 100644
  ')
  
  ########################################
-@@ -3294,10 +3997,10 @@ interface(`files_read_isid_type_files',`
+@@ -3294,10 +4015,10 @@ interface(`files_read_isid_type_files',`
  #
  interface(`files_delete_isid_type_files',`
  	gen_require(`
@@ -10830,7 +10866,7 @@ index f962f76..51c5d2c 100644
  ')
  
  ########################################
-@@ -3313,10 +4016,10 @@ interface(`files_delete_isid_type_files',`
+@@ -3313,10 +4034,10 @@ interface(`files_delete_isid_type_files',`
  #
  interface(`files_delete_isid_type_symlinks',`
  	gen_require(`
@@ -10843,7 +10879,7 @@ index f962f76..51c5d2c 100644
  ')
  
  ########################################
-@@ -3332,10 +4035,10 @@ interface(`files_delete_isid_type_symlinks',`
+@@ -3332,10 +4053,10 @@ interface(`files_delete_isid_type_symlinks',`
  #
  interface(`files_delete_isid_type_fifo_files',`
  	gen_require(`
@@ -10856,7 +10892,7 @@ index f962f76..51c5d2c 100644
  ')
  
  ########################################
-@@ -3351,10 +4054,10 @@ interface(`files_delete_isid_type_fifo_files',`
+@@ -3351,10 +4072,10 @@ interface(`files_delete_isid_type_fifo_files',`
  #
  interface(`files_delete_isid_type_sock_files',`
  	gen_require(`
@@ -10869,7 +10905,7 @@ index f962f76..51c5d2c 100644
  ')
  
  ########################################
-@@ -3370,10 +4073,10 @@ interface(`files_delete_isid_type_sock_files',`
+@@ -3370,10 +4091,10 @@ interface(`files_delete_isid_type_sock_files',`
  #
  interface(`files_delete_isid_type_blk_files',`
  	gen_require(`
@@ -10882,7 +10918,7 @@ index f962f76..51c5d2c 100644
  ')
  
  ########################################
-@@ -3389,10 +4092,10 @@ interface(`files_delete_isid_type_blk_files',`
+@@ -3389,10 +4110,10 @@ interface(`files_delete_isid_type_blk_files',`
  #
  interface(`files_dontaudit_write_isid_chr_files',`
  	gen_require(`
@@ -10895,7 +10931,7 @@ index f962f76..51c5d2c 100644
  ')
  
  ########################################
-@@ -3408,10 +4111,10 @@ interface(`files_dontaudit_write_isid_chr_files',`
+@@ -3408,10 +4129,10 @@ interface(`files_dontaudit_write_isid_chr_files',`
  #
  interface(`files_delete_isid_type_chr_files',`
  	gen_require(`
@@ -10908,7 +10944,7 @@ index f962f76..51c5d2c 100644
  ')
  
  ########################################
-@@ -3427,10 +4130,10 @@ interface(`files_delete_isid_type_chr_files',`
+@@ -3427,10 +4148,10 @@ interface(`files_delete_isid_type_chr_files',`
  #
  interface(`files_manage_isid_type_files',`
  	gen_require(`
@@ -10921,7 +10957,7 @@ index f962f76..51c5d2c 100644
  ')
  
  ########################################
-@@ -3446,10 +4149,10 @@ interface(`files_manage_isid_type_files',`
+@@ -3446,10 +4167,10 @@ interface(`files_manage_isid_type_files',`
  #
  interface(`files_manage_isid_type_symlinks',`
  	gen_require(`
@@ -10934,7 +10970,7 @@ index f962f76..51c5d2c 100644
  ')
  
  ########################################
-@@ -3465,10 +4168,29 @@ interface(`files_manage_isid_type_symlinks',`
+@@ -3465,10 +4186,29 @@ interface(`files_manage_isid_type_symlinks',`
  #
  interface(`files_rw_isid_type_blk_files',`
  	gen_require(`
@@ -10966,7 +11002,7 @@ index f962f76..51c5d2c 100644
  ')
  
  ########################################
-@@ -3484,10 +4206,10 @@ interface(`files_rw_isid_type_blk_files',`
+@@ -3484,10 +4224,10 @@ interface(`files_rw_isid_type_blk_files',`
  #
  interface(`files_manage_isid_type_blk_files',`
  	gen_require(`
@@ -10979,7 +11015,7 @@ index f962f76..51c5d2c 100644
  ')
  
  ########################################
-@@ -3503,10 +4225,10 @@ interface(`files_manage_isid_type_blk_files',`
+@@ -3503,10 +4243,10 @@ interface(`files_manage_isid_type_blk_files',`
  #
  interface(`files_manage_isid_type_chr_files',`
  	gen_require(`
@@ -10992,7 +11028,7 @@ index f962f76..51c5d2c 100644
  ')
  
  ########################################
-@@ -3814,20 +4536,38 @@ interface(`files_list_mnt',`
+@@ -3814,20 +4554,38 @@ interface(`files_list_mnt',`
  
  ######################################
  ## <summary>
@@ -11036,64 +11072,98 @@ index f962f76..51c5d2c 100644
  ')
  
  ########################################
-@@ -4217,6 +4957,172 @@ interface(`files_read_world_readable_sockets',`
+@@ -4217,192 +4975,215 @@ interface(`files_read_world_readable_sockets',`
  	allow $1 readable_t:sock_file read_sock_file_perms;
  ')
  
+-########################################
 +#######################################
-+## <summary>
+ ## <summary>
+-##	Allow the specified type to associate
+-##	to a filesystem with the type of the
+-##	temporary directory (/tmp).
 +##  Read manageable system configuration files in /etc
-+## </summary>
+ ## </summary>
+-## <param name="file_type">
+-##	<summary>
+-##	Type of the file to associate.
+-##	</summary>
 +## <param name="domain">
 +##  <summary>
 +##  Domain allowed access.
 +##  </summary>
-+## </param>
-+#
+ ## </param>
+ #
+-interface(`files_associate_tmp',`
+-	gen_require(`
+-		type tmp_t;
+-	')
 +interface(`files_read_system_conf_files',`
 +    gen_require(`
 +        type etc_t, system_conf_t;
 +    ')
-+
+ 
+-	allow $1 tmp_t:filesystem associate;
 +    allow $1 etc_t:dir list_dir_perms;
 +    read_files_pattern($1, etc_t, system_conf_t)
 +    read_lnk_files_pattern($1, etc_t, system_conf_t)
-+')
-+
+ ')
+ 
+-########################################
 +######################################
-+## <summary>
+ ## <summary>
+-##	Get the	attributes of the tmp directory (/tmp).
 +##  Manage manageable system configuration files in /etc.
-+## </summary>
-+## <param name="domain">
+ ## </summary>
+ ## <param name="domain">
+-##	<summary>
+-##	Domain allowed access.
+-##	</summary>
 +##  <summary>
 +##  Domain allowed access.
 +##  </summary>
-+## </param>
-+#
+ ## </param>
+ #
+-interface(`files_getattr_tmp_dirs',`
+-	gen_require(`
+-		type tmp_t;
+-	')
 +interface(`files_manage_system_conf_files',`
 +    gen_require(`
 +        type etc_t, system_conf_t;
 +    ')
-+
+ 
+-	allow $1 tmp_t:dir getattr;
 +    manage_files_pattern($1, { etc_t system_conf_t }, system_conf_t)
 +    files_filetrans_system_conf_named_files($1)
-+')
-+
+ ')
+ 
+-########################################
 +#####################################
-+## <summary>
+ ## <summary>
+-##	Do not audit attempts to get the
+-##	attributes of the tmp directory (/tmp).
 +##  File name transition for system configuration files in /etc.
-+## </summary>
-+## <param name="domain">
+ ## </summary>
+ ## <param name="domain">
+-##	<summary>
+-##	Domain allowed access.
+-##	</summary>
 +##  <summary>
 +##  Domain allowed access.
 +##  </summary>
-+## </param>
-+#
+ ## </param>
+ #
+-interface(`files_dontaudit_getattr_tmp_dirs',`
+-	gen_require(`
+-		type tmp_t;
+-	')
 +interface(`files_filetrans_system_conf_named_files',`
 +    gen_require(`
 +        type etc_t, system_conf_t;
 +    ')
-+
+ 
+-	dontaudit $1 tmp_t:dir getattr;
 +	filetrans_pattern($1, etc_t, system_conf_t, file, "sysctl.conf")
 +	filetrans_pattern($1, etc_t, system_conf_t, file, "sysctl.conf.old")
 +	filetrans_pattern($1, etc_t, system_conf_t, file, "ebtables")
@@ -11111,162 +11181,253 @@ index f962f76..51c5d2c 100644
 +    filetrans_pattern($1, etc_t, system_conf_t, file, "redhat.repo")
 +	filetrans_pattern($1, etc_t, system_conf_t, file, "system-config-firewall")
 +	filetrans_pattern($1, etc_t, system_conf_t, file, "system-config-firewall.old")
-+')
-+
+ ')
+ 
+-########################################
 +######################################
-+## <summary>
+ ## <summary>
+-##	Search the tmp directory (/tmp).
 +##  Relabel manageable system configuration files in /etc.
-+## </summary>
-+## <param name="domain">
+ ## </summary>
+ ## <param name="domain">
+-##	<summary>
+-##	Domain allowed access.
+-##	</summary>
 +##  <summary>
 +##  Domain allowed access.
 +##  </summary>
-+## </param>
-+#
+ ## </param>
+ #
+-interface(`files_search_tmp',`
+-	gen_require(`
+-		type tmp_t;
+-	')
 +interface(`files_relabelto_system_conf_files',`
 +    gen_require(`
 +        type usr_t;
 +    ')
-+
+ 
+-	allow $1 tmp_t:dir search_dir_perms;
 +    relabelto_files_pattern($1, system_conf_t, system_conf_t)
-+')
-+
+ ')
+ 
+-########################################
 +######################################
-+## <summary>
+ ## <summary>
+-##	Do not audit attempts to search the tmp directory (/tmp).
 +##  Relabel manageable system configuration files in /etc.
-+## </summary>
-+## <param name="domain">
+ ## </summary>
+ ## <param name="domain">
+-##	<summary>
+-##	Domain to not audit.
+-##	</summary>
 +##  <summary>
 +##  Domain allowed access.
 +##  </summary>
-+## </param>
-+#
+ ## </param>
+ #
+-interface(`files_dontaudit_search_tmp',`
+-	gen_require(`
+-		type tmp_t;
+-	')
 +interface(`files_relabelfrom_system_conf_files',`
 +    gen_require(`
 +        type usr_t;
 +    ')
-+
+ 
+-	dontaudit $1 tmp_t:dir search_dir_perms;
 +    relabelfrom_files_pattern($1, system_conf_t, system_conf_t)
-+')
-+
+ ')
+ 
+-########################################
 +###################################
-+## <summary>
+ ## <summary>
+-##	Read the tmp directory (/tmp).
 +##  Create files in /etc with the type used for
 +##  the manageable system config files.
-+## </summary>
-+## <param name="domain">
+ ## </summary>
+ ## <param name="domain">
+-##	<summary>
+-##	Domain allowed access.
+-##	</summary>
 +##  <summary>
 +##  The type of the process performing this action.
 +##  </summary>
-+## </param>
-+#
+ ## </param>
+ #
+-interface(`files_list_tmp',`
+-	gen_require(`
+-		type tmp_t;
+-	')
 +interface(`files_etc_filetrans_system_conf',`
 +    gen_require(`
 +        type etc_t, system_conf_t;
 +    ')
-+
+ 
+-	allow $1 tmp_t:dir list_dir_perms;
 +    filetrans_pattern($1, etc_t, system_conf_t, file)
-+')
-+
+ ')
+ 
+-########################################
 +######################################
-+## <summary>
+ ## <summary>
+-##	Do not audit listing of the tmp directory (/tmp).
 +##  Manage manageable system db files in /var/lib.
-+## </summary>
-+## <param name="domain">
+ ## </summary>
+ ## <param name="domain">
+-##	<summary>
+-##	Domain not to audit.
+-##	</summary>
 +##  <summary>
 +##  Domain allowed access.
 +##  </summary>
-+## </param>
-+#
+ ## </param>
+ #
+-interface(`files_dontaudit_list_tmp',`
+-	gen_require(`
+-		type tmp_t;
+-	')
 +interface(`files_manage_system_db_files',`
 +     gen_require(`
 +         type var_lib_t, system_db_t;
 +    ')
-+
+ 
+-	dontaudit $1 tmp_t:dir list_dir_perms;
 +     manage_files_pattern($1, { var_lib_t system_db_t }, system_db_t)
 +     files_filetrans_system_db_named_files($1)
-+')
-+
+ ')
+ 
+-########################################
 +#####################################
-+## <summary>
+ ## <summary>
+-##	Remove entries from the tmp directory.
 +##  File name transition for system db files in /var/lib.
-+## </summary>
-+## <param name="domain">
+ ## </summary>
+ ## <param name="domain">
+-##	<summary>
+-##	Domain allowed access.
+-##	</summary>
 +##  <summary>
 +##  Domain allowed access.
 +##  </summary>
-+## </param>
-+#
+ ## </param>
+ #
+-interface(`files_delete_tmp_dir_entry',`
+-	gen_require(`
+-		type tmp_t;
+-	')
 +interface(`files_filetrans_system_db_named_files',`
 +    gen_require(`
 +        type var_lib_t, system_db_t;
 +    ')
-+
+ 
+-	allow $1 tmp_t:dir del_entry_dir_perms;
 +    filetrans_pattern($1, var_lib_t, system_db_t, file, "servicelog.db")
 +    filetrans_pattern($1, var_lib_t, system_db_t, file, "servicelog.db-journal")
-+')
-+
+ ')
+ 
  ########################################
  ## <summary>
- ##	Allow the specified type to associate
-@@ -4239,6 +5145,26 @@ interface(`files_associate_tmp',`
+-##	Read files in the tmp directory (/tmp).
++##	Allow the specified type to associate
++##	to a filesystem with the type of the
++##	temporary directory (/tmp).
+ ## </summary>
+-## <param name="domain">
++## <param name="file_type">
+ ##	<summary>
+-##	Domain allowed access.
++##	Type of the file to associate.
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_read_generic_tmp_files',`
++interface(`files_associate_tmp',`
+ 	gen_require(`
+ 		type tmp_t;
+ 	')
+ 
+-	read_files_pattern($1, tmp_t, tmp_t)
++	allow $1 tmp_t:filesystem associate;
+ ')
  
  ########################################
  ## <summary>
+-##	Manage temporary directories in /tmp.
 +##	Allow the specified type to associate
 +##	to a filesystem with the type of the
 +##	/ file system
-+## </summary>
+ ## </summary>
+-## <param name="domain">
 +## <param name="file_type">
-+##	<summary>
+ ##	<summary>
+-##	Domain allowed access.
 +##	Type of the file to associate.
-+##	</summary>
-+## </param>
-+#
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_manage_generic_tmp_dirs',`
 +interface(`files_associate_rootfs',`
-+	gen_require(`
+ 	gen_require(`
+-		type tmp_t;
 +		type root_t;
-+	')
-+
+ 	')
+ 
+-	manage_dirs_pattern($1, tmp_t, tmp_t)
 +	allow $1 root_t:filesystem associate;
-+')
-+
-+########################################
-+## <summary>
- ##	Get the	attributes of the tmp directory (/tmp).
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Manage temporary files and directories in /tmp.
++##	Get the	attributes of the tmp directory (/tmp).
  ## </summary>
  ## <param name="domain">
-@@ -4252,17 +5178,37 @@ interface(`files_getattr_tmp_dirs',`
+ ##	<summary>
+@@ -4410,53 +5191,56 @@ interface(`files_manage_generic_tmp_dirs',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_manage_generic_tmp_files',`
++interface(`files_getattr_tmp_dirs',`
+ 	gen_require(`
  		type tmp_t;
  	')
  
+-	manage_files_pattern($1, tmp_t, tmp_t)
 +	read_lnk_files_pattern($1, tmp_t, tmp_t)
- 	allow $1 tmp_t:dir getattr;
++	allow $1 tmp_t:dir getattr;
  ')
  
  ########################################
  ## <summary>
+-##	Read symbolic links in the tmp directory (/tmp).
 +##	Do not audit attempts to check the 
 +##	access on tmp files
-+## </summary>
-+## <param name="domain">
-+##	<summary>
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain allowed access.
 +##	Domain to not audit.
-+##	</summary>
-+## </param>
-+#
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_read_generic_tmp_symlinks',`
 +interface(`files_dontaudit_access_check_tmp',`
-+	gen_require(`
+ 	gen_require(`
+-		type tmp_t;
 +		type etc_t;
-+	')
-+
+ 	')
+ 
+-	read_lnk_files_pattern($1, tmp_t, tmp_t)
 +	dontaudit $1 tmp_t:dir_file_class_set audit_access;
-+')
-+
-+########################################
-+## <summary>
- ##	Do not audit attempts to get the
- ##	attributes of the tmp directory (/tmp).
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Read and write generic named sockets in the tmp directory (/tmp).
++##	Do not audit attempts to get the
++##	attributes of the tmp directory (/tmp).
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -11275,24 +11436,95 @@ index f962f76..51c5d2c 100644
  ##	</summary>
  ## </param>
  #
-@@ -4289,6 +5235,8 @@ interface(`files_search_tmp',`
+-interface(`files_rw_generic_tmp_sockets',`
++interface(`files_dontaudit_getattr_tmp_dirs',`
+ 	gen_require(`
  		type tmp_t;
  	')
  
+-	rw_sock_files_pattern($1, tmp_t, tmp_t)
++	dontaudit $1 tmp_t:dir getattr;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Set the attributes of all tmp directories.
++##	Search the tmp directory (/tmp).
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -4464,77 +5248,93 @@ interface(`files_rw_generic_tmp_sockets',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_setattr_all_tmp_dirs',`
++interface(`files_search_tmp',`
+ 	gen_require(`
+-		attribute tmpfile;
++		type tmp_t;
+ 	')
+ 
+-	allow $1 tmpfile:dir { search_dir_perms setattr };
 +    fs_search_tmpfs($1)
 +	read_lnk_files_pattern($1, tmp_t, tmp_t)
- 	allow $1 tmp_t:dir search_dir_perms;
++	allow $1 tmp_t:dir search_dir_perms;
  ')
  
-@@ -4325,6 +5273,7 @@ interface(`files_list_tmp',`
- 		type tmp_t;
+ ########################################
+ ## <summary>
+-##	List all tmp directories.
++##	Do not audit attempts to search the tmp directory (/tmp).
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain allowed access.
++##	Domain to not audit.
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_list_all_tmp',`
++interface(`files_dontaudit_search_tmp',`
+ 	gen_require(`
+-		attribute tmpfile;
++		type tmp_t;
+ 	')
+ 
+-	allow $1 tmpfile:dir list_dir_perms;
++	dontaudit $1 tmp_t:dir search_dir_perms;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Relabel to and from all temporary
+-##	directory types.
++##	Read the tmp directory (/tmp).
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+-## <rolecap/>
+ #
+-interface(`files_relabel_all_tmp_dirs',`
++interface(`files_list_tmp',`
+ 	gen_require(`
+-		attribute tmpfile;
+-		type var_t;
++		type tmp_t;
  	')
  
+-	allow $1 var_t:dir search_dir_perms;
+-	relabel_dirs_pattern($1, tmpfile, tmpfile)
 +	read_lnk_files_pattern($1, tmp_t, tmp_t)
- 	allow $1 tmp_t:dir list_dir_perms;
++	allow $1 tmp_t:dir list_dir_perms;
  ')
  
-@@ -4334,7 +5283,7 @@ interface(`files_list_tmp',`
+ ########################################
+ ## <summary>
+-##	Do not audit attempts to get the attributes
+-##	of all tmp files.
++##	Do not audit listing of the tmp directory (/tmp).
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -11301,10 +11533,17 @@ index f962f76..51c5d2c 100644
  ##	</summary>
  ## </param>
  #
-@@ -4346,6 +5295,25 @@ interface(`files_dontaudit_list_tmp',`
- 	dontaudit $1 tmp_t:dir list_dir_perms;
- ')
+-interface(`files_dontaudit_getattr_all_tmp_files',`
++interface(`files_dontaudit_list_tmp',`
+ 	gen_require(`
+-		attribute tmpfile;
++		type tmp_t;
+ 	')
  
+-	dontaudit $1 tmpfile:file getattr;
++	dontaudit $1 tmp_t:dir list_dir_perms;
++')
++
 +#######################################
 +## <summary>
 +##  Allow read and write to the tmp directory (/tmp).
@@ -11322,25 +11561,87 @@ index f962f76..51c5d2c 100644
 +
 +    files_search_tmp($1)
 +    allow $1 tmp_t:dir rw_dir_perms;
-+')
-+
+ ')
+ 
  ########################################
  ## <summary>
- ##	Remove entries from the tmp directory.
-@@ -4361,6 +5329,7 @@ interface(`files_delete_tmp_dir_entry',`
- 		type tmp_t;
+-##	Allow attempts to get the attributes
+-##	of all tmp files.
++##	Remove entries from the tmp directory.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -4542,110 +5342,98 @@ interface(`files_dontaudit_getattr_all_tmp_files',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_getattr_all_tmp_files',`
++interface(`files_delete_tmp_dir_entry',`
+ 	gen_require(`
+-		attribute tmpfile;
++		type tmp_t;
  	')
  
+-	allow $1 tmpfile:file getattr;
 +	files_search_tmp($1)
- 	allow $1 tmp_t:dir del_entry_dir_perms;
++	allow $1 tmp_t:dir del_entry_dir_perms;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Relabel to and from all temporary
+-##	file types.
++##	Read files in the tmp directory (/tmp).
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+-## <rolecap/>
+ #
+-interface(`files_relabel_all_tmp_files',`
++interface(`files_read_generic_tmp_files',`
+ 	gen_require(`
+-		attribute tmpfile;
+-		type var_t;
++		type tmp_t;
+ 	')
+ 
+-	allow $1 var_t:dir search_dir_perms;
+-	relabel_files_pattern($1, tmpfile, tmpfile)
++	read_files_pattern($1, tmp_t, tmp_t)
  ')
  
-@@ -4402,6 +5371,32 @@ interface(`files_manage_generic_tmp_dirs',`
+ ########################################
+ ## <summary>
+-##	Do not audit attempts to get the attributes
+-##	of all tmp sock_file.
++##	Manage temporary directories in /tmp.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain not to audit.
++##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_dontaudit_getattr_all_tmp_sockets',`
++interface(`files_manage_generic_tmp_dirs',`
+ 	gen_require(`
+-		attribute tmpfile;
++		type tmp_t;
+ 	')
+ 
+-	dontaudit $1 tmpfile:sock_file getattr;
++	manage_dirs_pattern($1, tmp_t, tmp_t)
+ ')
  
  ########################################
  ## <summary>
+-##	Read all tmp files.
 +##	Allow shared library text relocations in tmp files.
-+## </summary>
+ ## </summary>
 +## <desc>
 +##	<p>
 +##	Allow shared library text relocations in tmp files.
@@ -11349,968 +11650,1060 @@ index f962f76..51c5d2c 100644
 +##	This is added to support java policy.
 +##	</p>
 +## </desc>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
+ ## <param name="domain">
+ ##	<summary>
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_read_all_tmp_files',`
 +interface(`files_execmod_tmp',`
-+	gen_require(`
-+		attribute tmpfile;
-+	')
-+
+ 	gen_require(`
+ 		attribute tmpfile;
+ 	')
+ 
+-	read_files_pattern($1, tmpfile, tmpfile)
 +	allow $1 tmpfile:file execmod;
-+')
-+
-+########################################
-+## <summary>
- ##	Manage temporary files and directories in /tmp.
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Create an object in the tmp directories, with a private
+-##	type using a type transition.
++##	Manage temporary files and directories in /tmp.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+-## <param name="private type">
+-##	<summary>
+-##	The type of the object to be created.
+-##	</summary>
+-## </param>
+-## <param name="object">
+-##	<summary>
+-##	The object class of the object being created.
+-##	</summary>
+-## </param>
+-## <param name="name" optional="true">
+-##	<summary>
+-##	The name of the object being created.
+-##	</summary>
+-## </param>
+ #
+-interface(`files_tmp_filetrans',`
++interface(`files_manage_generic_tmp_files',`
+ 	gen_require(`
+ 		type tmp_t;
+ 	')
+ 
+-	filetrans_pattern($1, tmp_t, $2, $3, $4)
++	manage_files_pattern($1, tmp_t, tmp_t)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Delete the contents of /tmp.
++##	Read symbolic links in the tmp directory (/tmp).
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -4653,22 +5441,17 @@ interface(`files_tmp_filetrans',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_purge_tmp',`
++interface(`files_read_generic_tmp_symlinks',`
+ 	gen_require(`
+-		attribute tmpfile;
++		type tmp_t;
+ 	')
+ 
+-	allow $1 tmpfile:dir list_dir_perms;
+-	delete_dirs_pattern($1, tmpfile, tmpfile)
+-	delete_files_pattern($1, tmpfile, tmpfile)
+-	delete_lnk_files_pattern($1, tmpfile, tmpfile)
+-	delete_fifo_files_pattern($1, tmpfile, tmpfile)
+-	delete_sock_files_pattern($1, tmpfile, tmpfile)
++	read_lnk_files_pattern($1, tmp_t, tmp_t)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Set the attributes of the /usr directory.
++##	Read and write generic named sockets in the tmp directory (/tmp).
  ## </summary>
  ## <param name="domain">
-@@ -4456,6 +5451,42 @@ interface(`files_rw_generic_tmp_sockets',`
+ ##	<summary>
+@@ -4676,17 +5459,17 @@ interface(`files_purge_tmp',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_setattr_usr_dirs',`
++interface(`files_rw_generic_tmp_sockets',`
+ 	gen_require(`
+-		type usr_t;
++		type tmp_t;
+ 	')
+ 
+-	allow $1 usr_t:dir setattr;
++	rw_sock_files_pattern($1, tmp_t, tmp_t)
+ ')
  
  ########################################
  ## <summary>
+-##	Search the content of /usr.
 +##	Relabel a dir from the type used in /tmp.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -4694,18 +5477,17 @@ interface(`files_setattr_usr_dirs',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_search_usr',`
 +interface(`files_relabelfrom_tmp_dirs',`
-+	gen_require(`
+ 	gen_require(`
+-		type usr_t;
 +		type tmp_t;
-+	')
-+
+ 	')
+ 
+-	allow $1 usr_t:dir search_dir_perms;
 +	relabelfrom_dirs_pattern($1, tmp_t, tmp_t)
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	List the contents of generic
+-##	directories in /usr.
 +##	Relabel a file from the type used in /tmp.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -4713,35 +5495,35 @@ interface(`files_search_usr',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_list_usr',`
 +interface(`files_relabelfrom_tmp_files',`
-+	gen_require(`
+ 	gen_require(`
+-		type usr_t;
 +		type tmp_t;
-+	')
-+
+ 	')
+ 
+-	allow $1 usr_t:dir list_dir_perms;
 +	relabelfrom_files_pattern($1, tmp_t, tmp_t)
-+')
-+
-+########################################
-+## <summary>
- ##	Set the attributes of all tmp directories.
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Do not audit write of /usr dirs
++##	Set the attributes of all tmp directories.
  ## </summary>
  ## <param name="domain">
-@@ -4474,6 +5505,60 @@ interface(`files_setattr_all_tmp_dirs',`
+ ##	<summary>
+-##	Domain to not audit.
++##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_dontaudit_write_usr_dirs',`
++interface(`files_setattr_all_tmp_dirs',`
+ 	gen_require(`
+-		type usr_t;
++		attribute tmpfile;
+ 	')
+ 
+-	dontaudit $1 usr_t:dir write;
++	allow $1 tmpfile:dir { search_dir_perms setattr };
+ ')
  
  ########################################
  ## <summary>
+-##	Add and remove entries from /usr directories.
 +##	Allow caller to read inherited tmp files.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -4749,36 +5531,35 @@ interface(`files_dontaudit_write_usr_dirs',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_rw_usr_dirs',`
 +interface(`files_read_inherited_tmp_files',`
-+	gen_require(`
+ 	gen_require(`
+-		type usr_t;
 +		attribute tmpfile;
-+	')
-+
+ 	')
+ 
+-	allow $1 usr_t:dir rw_dir_perms;
 +	allow $1 tmpfile:file { append read_inherited_file_perms };
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Do not audit attempts to add and remove
+-##	entries from /usr directories.
 +##	Allow caller to append inherited tmp files.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain to not audit.
 +##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_dontaudit_rw_usr_dirs',`
 +interface(`files_append_inherited_tmp_files',`
-+	gen_require(`
+ 	gen_require(`
+-		type usr_t;
 +		attribute tmpfile;
-+	')
-+
+ 	')
+ 
+-	dontaudit $1 usr_t:dir rw_dir_perms;
 +	allow $1 tmpfile:file append_inherited_file_perms;
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Delete generic directories in /usr in the caller domain.
 +##	Allow caller to read and write inherited tmp files.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -4786,17 +5567,17 @@ interface(`files_dontaudit_rw_usr_dirs',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_delete_usr_dirs',`
 +interface(`files_rw_inherited_tmp_file',`
-+	gen_require(`
+ 	gen_require(`
+-		type usr_t;
 +		attribute tmpfile;
-+	')
-+
+ 	')
+ 
+-	delete_dirs_pattern($1, usr_t, usr_t)
 +	allow $1 tmpfile:file rw_inherited_file_perms;
-+')
-+
-+########################################
-+## <summary>
- ##	List all tmp directories.
- ## </summary>
- ## <param name="domain">
-@@ -4519,7 +5604,7 @@ interface(`files_relabel_all_tmp_dirs',`
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Delete generic files in /usr in the caller domain.
++##	List all tmp directories.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
--##	Domain not to audit.
-+##	Domain to not audit.
+@@ -4804,73 +5585,59 @@ interface(`files_delete_usr_dirs',`
  ##	</summary>
  ## </param>
  #
-@@ -4579,7 +5664,7 @@ interface(`files_relabel_all_tmp_files',`
+-interface(`files_delete_usr_files',`
++interface(`files_list_all_tmp',`
+ 	gen_require(`
+-		type usr_t;
++		attribute tmpfile;
+ 	')
+ 
+-	delete_files_pattern($1, usr_t, usr_t)
++	allow $1 tmpfile:dir list_dir_perms;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Get the attributes of files in /usr.
++##	Relabel to and from all temporary
++##	directory types.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
--##	Domain not to audit.
-+##	Domain to not audit.
+ ##	Domain allowed access.
  ##	</summary>
  ## </param>
++## <rolecap/>
  #
-@@ -4611,6 +5696,44 @@ interface(`files_read_all_tmp_files',`
+-interface(`files_getattr_usr_files',`
++interface(`files_relabel_all_tmp_dirs',`
+ 	gen_require(`
+-		type usr_t;
++		attribute tmpfile;
++		type var_t;
+ 	')
+ 
+-	getattr_files_pattern($1, usr_t, usr_t)
++	allow $1 var_t:dir search_dir_perms;
++	relabel_dirs_pattern($1, tmpfile, tmpfile)
+ ')
  
  ########################################
  ## <summary>
-+##	Do not audit attempts to read or write
-+##	all leaked tmpfiles files.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain to not audit.
-+##	</summary>
-+## </param>
-+#
-+interface(`files_dontaudit_tmp_file_leaks',`
-+	gen_require(`
-+		attribute tmpfile;
-+	')
-+
-+	dontaudit $1 tmpfile:file rw_inherited_file_perms;
-+')
-+
-+########################################
-+## <summary>
-+##	Do allow attempts to read or write
-+##	all leaked tmpfiles files.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
+-##	Read generic files in /usr.
++##	Do not audit attempts to get the attributes
++##	of all tmp files.
+ ## </summary>
+-## <desc>
+-##	<p>
+-##	Allow the specified domain to read generic
+-##	files in /usr. These files are various program
+-##	files that do not have more specific SELinux types.
+-##	Some examples of these files are:
+-##	</p>
+-##	<ul>
+-##		<li>/usr/include/*</li>
+-##		<li>/usr/share/doc/*</li>
+-##		<li>/usr/share/info/*</li>
+-##	</ul>
+-##	<p>
+-##	Generally, it is safe for many domains to have
+-##	this access.
+-##	</p>
+-## </desc>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain allowed access.
 +##	Domain to not audit.
-+##	</summary>
-+## </param>
-+#
-+interface(`files_rw_tmp_file_leaks',`
-+	gen_require(`
+ ##	</summary>
+ ## </param>
+-## <infoflow type="read" weight="10"/>
+ #
+-interface(`files_read_usr_files',`
++interface(`files_dontaudit_getattr_all_tmp_files',`
+ 	gen_require(`
+-		type usr_t;
 +		attribute tmpfile;
-+	')
-+
-+	allow $1 tmpfile:file rw_inherited_file_perms;
-+')
-+
-+########################################
-+## <summary>
- ##	Create an object in the tmp directories, with a private
- ##	type using a type transition.
- ## </summary>
-@@ -4664,6 +5787,16 @@ interface(`files_purge_tmp',`
- 	delete_lnk_files_pattern($1, tmpfile, tmpfile)
- 	delete_fifo_files_pattern($1, tmpfile, tmpfile)
- 	delete_sock_files_pattern($1, tmpfile, tmpfile)
-+	delete_chr_files_pattern($1, tmpfile, tmpfile)
-+	delete_blk_files_pattern($1, tmpfile, tmpfile)
-+	files_list_isid_type_dirs($1)
-+	files_delete_isid_type_dirs($1)
-+	files_delete_isid_type_files($1)
-+	files_delete_isid_type_symlinks($1)
-+	files_delete_isid_type_fifo_files($1)
-+	files_delete_isid_type_sock_files($1)
-+	files_delete_isid_type_blk_files($1)
-+	files_delete_isid_type_chr_files($1)
- ')
+ 	')
  
- ########################################
-@@ -5112,6 +6245,24 @@ interface(`files_create_kernel_symbol_table',`
+-	allow $1 usr_t:dir list_dir_perms;
+-	read_files_pattern($1, usr_t, usr_t)
+-	read_lnk_files_pattern($1, usr_t, usr_t)
++	dontaudit $1 tmpfile:file getattr;
+ ')
  
  ########################################
  ## <summary>
-+##	Dontaudit getattr attempts on the system.map file
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain to not audit.
-+##	</summary>
-+## </param>
-+#
-+interface(`files_dontaduit_getattr_kernel_symbol_table',`
-+	gen_require(`
-+		type system_map_t;
-+	')
-+
-+	dontaudit $1 system_map_t:file getattr;
-+')
-+
-+########################################
-+## <summary>
- ##	Read system.map in the /boot directory.
+-##	Execute generic programs in /usr in the caller domain.
++##	Allow attempts to get the attributes
++##	of all tmp files.
  ## </summary>
  ## <param name="domain">
-@@ -5241,6 +6392,24 @@ interface(`files_list_var',`
+ ##	<summary>
+@@ -4878,55 +5645,58 @@ interface(`files_read_usr_files',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_exec_usr_files',`
++interface(`files_getattr_all_tmp_files',`
+ 	gen_require(`
+-		type usr_t;
++		attribute tmpfile;
+ 	')
+ 
+-	allow $1 usr_t:dir list_dir_perms;
+-	exec_files_pattern($1, usr_t, usr_t)
+-	read_lnk_files_pattern($1, usr_t, usr_t)
++	allow $1 tmpfile:file getattr;
+ ')
  
  ########################################
  ## <summary>
-+##	Do not audit listing of the var directory (/var).
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain to not audit.
-+##	</summary>
-+## </param>
-+#
-+interface(`files_dontaudit_list_var',`
-+	gen_require(`
-+		type var_t;
-+	')
-+
-+	dontaudit $1 var_t:dir list_dir_perms;
-+')
-+
-+########################################
-+## <summary>
- ##	Create, read, write, and delete directories
- ##	in the /var directory.
+-##	dontaudit write of /usr files
++##	Relabel to and from all temporary
++##	file types.
  ## </summary>
-@@ -5328,7 +6497,7 @@ interface(`files_dontaudit_rw_var_files',`
- 		type var_t;
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain to not audit.
++##	Domain allowed access.
+ ##	</summary>
+ ## </param>
++## <rolecap/>
+ #
+-interface(`files_dontaudit_write_usr_files',`
++interface(`files_relabel_all_tmp_files',`
+ 	gen_require(`
+-		type usr_t;
++		attribute tmpfile;
++		type var_t;
  	')
  
--	dontaudit $1 var_t:file rw_file_perms;
-+	dontaudit $1 var_t:file rw_inherited_file_perms;
+-	dontaudit $1 usr_t:file write;
++	allow $1 var_t:dir search_dir_perms;
++	relabel_files_pattern($1, tmpfile, tmpfile)
  ')
  
  ########################################
-@@ -5527,6 +6696,25 @@ interface(`files_rw_var_lib_dirs',`
- 
- ########################################
  ## <summary>
-+##	Create directories in /var/lib
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`files_create_var_lib_dirs',`
-+	gen_require(`
-+		type var_lib_t;
-+	')
-+
-+	allow $1 var_lib_t:dir { create rw_dir_perms };
-+')
-+
-+
-+########################################
-+## <summary>
- ##	Create objects in the /var/lib directory
+-##	Create, read, write, and delete files in the /usr directory.
++##	Do not audit attempts to get the attributes
++##	of all tmp sock_file.
  ## </summary>
  ## <param name="domain">
-@@ -5596,6 +6784,25 @@ interface(`files_read_var_lib_symlinks',`
- 	read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t)
- ')
- 
-+########################################
-+## <summary>
-+##	manage generic symbolic links
-+##	in the /var/lib directory.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`files_manage_var_lib_symlinks',`
-+	gen_require(`
-+		type var_lib_t;
-+	')
-+
-+	manage_lnk_files_pattern($1,var_lib_t,var_lib_t)
-+')
-+
- # cjp: the next two interfaces really need to be fixed
- # in some way.  They really neeed their own types.
+ ##	<summary>
+-##	Domain allowed access.
++##	Domain to not audit.
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_manage_usr_files',`
++interface(`files_dontaudit_getattr_all_tmp_sockets',`
+ 	gen_require(`
+-		type usr_t;
++		attribute tmpfile;
+ 	')
  
-@@ -5641,7 +6848,7 @@ interface(`files_manage_mounttab',`
+-	manage_files_pattern($1, usr_t, usr_t)
++	dontaudit $1 tmpfile:sock_file getattr;
+ ')
  
  ########################################
  ## <summary>
--##	Set the attributes of the generic lock directories.
-+##	List generic lock directories.
+-##	Relabel a file to the type used in /usr.
++##	Read all tmp files.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5649,12 +6856,13 @@ interface(`files_manage_mounttab',`
+@@ -4934,67 +5704,70 @@ interface(`files_manage_usr_files',`
  ##	</summary>
  ## </param>
  #
--interface(`files_setattr_lock_dirs',`
-+interface(`files_list_locks',`
+-interface(`files_relabelto_usr_files',`
++interface(`files_read_all_tmp_files',`
  	gen_require(`
- 		type var_t, var_lock_t;
+-		type usr_t;
++		attribute tmpfile;
  	')
  
--	setattr_dirs_pattern($1, var_t, var_lock_t)
-+	files_search_locks($1)
-+	list_dirs_pattern($1, var_t, var_lock_t)
+-	relabelto_files_pattern($1, usr_t, usr_t)
++	read_files_pattern($1, tmpfile, tmpfile)
  ')
  
  ########################################
-@@ -5672,6 +6880,7 @@ interface(`files_search_locks',`
- 		type var_t, var_lock_t;
+ ## <summary>
+-##	Relabel a file from the type used in /usr.
++##	Do not audit attempts to read or write
++##	all leaked tmpfiles files.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain allowed access.
++##	Domain to not audit.
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_relabelfrom_usr_files',`
++interface(`files_dontaudit_tmp_file_leaks',`
+ 	gen_require(`
+-		type usr_t;
++		attribute tmpfile;
  	')
  
-+	files_search_pids($1)
- 	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
- 	search_dirs_pattern($1, var_t, var_lock_t)
+-	relabelfrom_files_pattern($1, usr_t, usr_t)
++	dontaudit $1 tmpfile:file rw_inherited_file_perms;
  ')
-@@ -5698,7 +6907,26 @@ interface(`files_dontaudit_search_locks',`
  
  ########################################
  ## <summary>
--##	List generic lock directories.
-+##	Do not audit attempts to read/write inherited
-+##	locks (/var/lock).
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain to not audit.
-+##	</summary>
-+## </param>
-+#
-+interface(`files_dontaudit_rw_inherited_locks',`
-+	gen_require(`
-+		type var_lock_t;
-+	')
-+
-+	dontaudit $1 var_lock_t:file rw_inherited_file_perms;
-+')
-+
-+########################################
-+## <summary>
-+##	Set the attributes of the /var/lock directory.
+-##	Read symbolic links in /usr.
++##	Do allow attempts to read or write
++##	all leaked tmpfiles files.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5706,13 +6934,12 @@ interface(`files_dontaudit_search_locks',`
+-##	Domain allowed access.
++##	Domain to not audit.
  ##	</summary>
  ## </param>
  #
--interface(`files_list_locks',`
-+interface(`files_setattr_lock_dirs',`
+-interface(`files_read_usr_symlinks',`
++interface(`files_rw_tmp_file_leaks',`
  	gen_require(`
--		type var_t, var_lock_t;
-+		type var_lock_t;
+-		type usr_t;
++		attribute tmpfile;
  	')
  
--	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
--	list_dirs_pattern($1, var_t, var_lock_t)
-+	allow $1 var_lock_t:dir setattr;
+-	read_lnk_files_pattern($1, usr_t, usr_t)
++	allow $1 tmpfile:file rw_inherited_file_perms;
  ')
  
  ########################################
-@@ -5731,7 +6958,7 @@ interface(`files_rw_lock_dirs',`
- 		type var_t, var_lock_t;
+ ## <summary>
+-##	Create objects in the /usr directory
++##	Create an object in the tmp directories, with a private
++##	type using a type transition.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+-## <param name="file_type">
++## <param name="private type">
+ ##	<summary>
+-##	The type of the object to be created
++##	The type of the object to be created.
+ ##	</summary>
+ ## </param>
+-## <param name="object_class">
++## <param name="object">
+ ##	<summary>
+-##	The object class.
++##	The object class of the object being created.
+ ##	</summary>
+ ## </param>
+ ## <param name="name" optional="true">
+@@ -5003,35 +5776,50 @@ interface(`files_read_usr_symlinks',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_usr_filetrans',`
++interface(`files_tmp_filetrans',`
+ 	gen_require(`
+-		type usr_t;
++		type tmp_t;
  	')
  
--	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-+	files_search_locks($1)
- 	rw_dirs_pattern($1, var_t, var_lock_t)
+-	filetrans_pattern($1, usr_t, $2, $3, $4)
++	filetrans_pattern($1, tmp_t, $2, $3, $4)
  ')
  
-@@ -5764,7 +6991,6 @@ interface(`files_create_lock_dirs',`
- ##	Domain allowed access.
+ ########################################
+ ## <summary>
+-##	Do not audit attempts to search /usr/src.
++##	Delete the contents of /tmp.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain to not audit.
++##	Domain allowed access.
  ##	</summary>
  ## </param>
--## <rolecap/>
  #
- interface(`files_relabel_all_lock_dirs',`
+-interface(`files_dontaudit_search_src',`
++interface(`files_purge_tmp',`
  	gen_require(`
-@@ -5779,7 +7005,7 @@ interface(`files_relabel_all_lock_dirs',`
+-		type src_t;
++		attribute tmpfile;
+ 	')
+ 
+-	dontaudit $1 src_t:dir search_dir_perms;
++	allow $1 tmpfile:dir list_dir_perms;
++	delete_dirs_pattern($1, tmpfile, tmpfile)
++	delete_files_pattern($1, tmpfile, tmpfile)
++	delete_lnk_files_pattern($1, tmpfile, tmpfile)
++	delete_fifo_files_pattern($1, tmpfile, tmpfile)
++	delete_sock_files_pattern($1, tmpfile, tmpfile)
++	delete_chr_files_pattern($1, tmpfile, tmpfile)
++	delete_blk_files_pattern($1, tmpfile, tmpfile)
++	files_list_isid_type_dirs($1)
++	files_delete_isid_type_dirs($1)
++	files_delete_isid_type_files($1)
++	files_delete_isid_type_symlinks($1)
++	files_delete_isid_type_fifo_files($1)
++	files_delete_isid_type_sock_files($1)
++	files_delete_isid_type_blk_files($1)
++	files_delete_isid_type_chr_files($1)
+ ')
  
  ########################################
  ## <summary>
--##	Get the attributes of generic lock files.
-+##	Relabel to and from all lock file types.
+-##	Get the attributes of files in /usr/src.
++##	Set the attributes of the /usr directory.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5787,13 +7013,33 @@ interface(`files_relabel_all_lock_dirs',`
+@@ -5039,20 +5827,17 @@ interface(`files_dontaudit_search_src',`
  ##	</summary>
  ## </param>
  #
--interface(`files_getattr_generic_locks',`
-+interface(`files_relabel_all_lock_files',`
+-interface(`files_getattr_usr_src_files',`
++interface(`files_setattr_usr_dirs',`
  	gen_require(`
-+		attribute lockfile;
- 		type var_t, var_lock_t;
+-		type usr_t, src_t;
++		type usr_t;
  	')
  
- 	allow $1 var_t:dir search_dir_perms;
- 	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-+	relabel_files_pattern($1, lockfile, lockfile)
-+')
-+
-+########################################
-+## <summary>
-+##	Get the attributes of generic lock files.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`files_getattr_generic_locks',`
-+	gen_require(`
-+		type var_t, var_lock_t;
-+	')
-+
-+	files_search_locks($1)
- 	allow $1 var_lock_t:dir list_dir_perms;
- 	getattr_files_pattern($1, var_lock_t, var_lock_t)
+-	getattr_files_pattern($1, src_t, src_t)
+-
+-	# /usr/src/linux symlink:
+-	read_lnk_files_pattern($1, usr_t, src_t)
++	allow $1 usr_t:dir setattr;
  ')
-@@ -5809,13 +7055,12 @@ interface(`files_getattr_generic_locks',`
+ 
+ ########################################
+ ## <summary>
+-##	Read files in /usr/src.
++##	Search the content of /usr.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -5060,20 +5845,18 @@ interface(`files_getattr_usr_src_files',`
+ ##	</summary>
  ## </param>
  #
- interface(`files_delete_generic_locks',`
--	gen_require(`
-+       gen_require(`
- 		type var_t, var_lock_t;
--	')
-+       ')
+-interface(`files_read_usr_src_files',`
++interface(`files_search_usr',`
+ 	gen_require(`
+-		type usr_t, src_t;
++		type usr_t;
+ 	')
  
--	allow $1 var_t:dir search_dir_perms;
--	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
--	delete_files_pattern($1, var_lock_t, var_lock_t)
-+       files_search_locks($1)
-+       delete_files_pattern($1, var_lock_t, var_lock_t)
+ 	allow $1 usr_t:dir search_dir_perms;
+-	read_files_pattern($1, { usr_t src_t }, src_t)
+-	read_lnk_files_pattern($1, { usr_t src_t }, src_t)
+-	allow $1 src_t:dir list_dir_perms;
  ')
  
  ########################################
-@@ -5834,9 +7079,7 @@ interface(`files_manage_generic_locks',`
- 		type var_t, var_lock_t;
+ ## <summary>
+-##	Execute programs in /usr/src in the caller domain.
++##	List the contents of generic
++##	directories in /usr.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -5081,38 +5864,35 @@ interface(`files_read_usr_src_files',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_exec_usr_src_files',`
++interface(`files_list_usr',`
+ 	gen_require(`
+-		type usr_t, src_t;
++		type usr_t;
  	')
  
--	allow $1 var_t:dir search_dir_perms;
--	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
--	manage_dirs_pattern($1, var_lock_t, var_lock_t)
-+	files_search_locks($1)
- 	manage_files_pattern($1, var_lock_t, var_lock_t)
+-	list_dirs_pattern($1, usr_t, src_t)
+-	exec_files_pattern($1, src_t, src_t)
+-	read_lnk_files_pattern($1, src_t, src_t)
++	allow $1 usr_t:dir list_dir_perms;
  ')
  
-@@ -5878,8 +7121,7 @@ interface(`files_read_all_locks',`
- 		type var_t, var_lock_t;
+ ########################################
+ ## <summary>
+-##	Install a system.map into the /boot directory.
++##	Do not audit write of /usr dirs
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain allowed access.
++##	Domain to not audit.
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_create_kernel_symbol_table',`
++interface(`files_dontaudit_write_usr_dirs',`
+ 	gen_require(`
+-		type boot_t, system_map_t;
++		type usr_t;
  	')
  
--	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
--	allow $1 { var_t var_lock_t }:dir search_dir_perms;
-+	files_search_locks($1)
- 	allow $1 lockfile:dir list_dir_perms;
- 	read_files_pattern($1, lockfile, lockfile)
- 	read_lnk_files_pattern($1, lockfile, lockfile)
-@@ -5901,8 +7143,7 @@ interface(`files_manage_all_locks',`
- 		type var_t, var_lock_t;
- 	')
+-	allow $1 boot_t:dir { list_dir_perms add_entry_dir_perms };
+-	allow $1 system_map_t:file { create_file_perms rw_file_perms };
++	dontaudit $1 usr_t:dir write;
+ ')
  
--	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
--	allow $1 { var_t var_lock_t }:dir search_dir_perms;
-+	files_search_locks($1)
- 	manage_dirs_pattern($1, lockfile, lockfile)
- 	manage_files_pattern($1, lockfile, lockfile)
- 	manage_lnk_files_pattern($1, lockfile, lockfile)
-@@ -5939,8 +7180,7 @@ interface(`files_lock_filetrans',`
- 		type var_t, var_lock_t;
+ ########################################
+ ## <summary>
+-##	Read system.map in the /boot directory.
++##	Add and remove entries from /usr directories.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -5120,37 +5900,36 @@ interface(`files_create_kernel_symbol_table',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_read_kernel_symbol_table',`
++interface(`files_rw_usr_dirs',`
+ 	gen_require(`
+-		type boot_t, system_map_t;
++		type usr_t;
  	')
  
--	allow $1 var_t:dir search_dir_perms;
--	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-+	files_search_locks($1)
- 	filetrans_pattern($1, var_lock_t, $2, $3, $4)
+-	allow $1 boot_t:dir list_dir_perms;
+-	read_files_pattern($1, boot_t, system_map_t)
++	allow $1 usr_t:dir rw_dir_perms;
  ')
  
-@@ -5979,7 +7219,7 @@ interface(`files_setattr_pid_dirs',`
- 		type var_run_t;
+ ########################################
+ ## <summary>
+-##	Delete a system.map in the /boot directory.
++##	Do not audit attempts to add and remove
++##	entries from /usr directories.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain allowed access.
++##	Domain to not audit.
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_delete_kernel_symbol_table',`
++interface(`files_dontaudit_rw_usr_dirs',`
+ 	gen_require(`
+-		type boot_t, system_map_t;
++		type usr_t;
  	')
  
--	allow $1 var_run_t:lnk_file read_lnk_file_perms;
-+	files_search_pids($1)
- 	allow $1 var_run_t:dir setattr;
+-	allow $1 boot_t:dir list_dir_perms;
+-	delete_files_pattern($1, boot_t, system_map_t)
++	dontaudit $1 usr_t:dir rw_dir_perms;
  ')
  
-@@ -5999,10 +7239,48 @@ interface(`files_search_pids',`
- 		type var_t, var_run_t;
- 	')
- 
-+	allow $1 var_t:lnk_file read_lnk_file_perms;
- 	allow $1 var_run_t:lnk_file read_lnk_file_perms;
- 	search_dirs_pattern($1, var_t, var_run_t)
- ')
- 
-+######################################
-+## <summary>
-+## Add and remove entries from pid directories.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`files_rw_pid_dirs',`
-+    gen_require(`
-+        type var_run_t;
-+    ')
-+
-+    allow $1 var_run_t:dir rw_dir_perms;
-+')
-+
-+#######################################
-+## <summary>
-+##      Create generic pid directory.
-+## </summary>
-+## <param name="domain">
-+##      <summary>
-+##      Domain allowed access.
-+##      </summary>
-+## </param>
-+#
-+interface(`files_create_var_run_dirs',`
-+        gen_require(`
-+                type var_t, var_run_t;
-+        ')
-+
-+        allow $1 var_t:dir search_dir_perms;
-+        allow $1 var_run_t:dir create_dir_perms;
-+')
-+
- ########################################
- ## <summary>
- ##	Do not audit attempts to search
-@@ -6025,6 +7303,25 @@ interface(`files_dontaudit_search_pids',`
- 
- ########################################
- ## <summary>
-+##	Do not audit attempts to search
-+##	the all /var/run directory.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain to not audit.
-+##	</summary>
-+## </param>
-+#
-+interface(`files_dontaudit_search_all_pids',`
-+	gen_require(`
-+		attribute pidfile;
-+	')
-+
-+	dontaudit $1 pidfile:dir search_dir_perms;
-+')
-+
-+########################################
-+## <summary>
- ##	List the contents of the runtime process
- ##	ID directories (/var/run).
- ## </summary>
-@@ -6039,7 +7336,7 @@ interface(`files_list_pids',`
- 		type var_t, var_run_t;
- 	')
- 
--	allow $1 var_run_t:lnk_file read_lnk_file_perms;
-+	files_search_pids($1)
- 	list_dirs_pattern($1, var_t, var_run_t)
- ')
- 
-@@ -6058,7 +7355,7 @@ interface(`files_read_generic_pids',`
- 		type var_t, var_run_t;
- 	')
- 
--	allow $1 var_run_t:lnk_file read_lnk_file_perms;
-+	files_search_pids($1)
- 	list_dirs_pattern($1, var_t, var_run_t)
- 	read_files_pattern($1, var_run_t, var_run_t)
- ')
-@@ -6078,7 +7375,7 @@ interface(`files_write_generic_pid_pipes',`
- 		type var_run_t;
- 	')
- 
--	allow $1 var_run_t:lnk_file read_lnk_file_perms;
-+	files_search_pids($1)
- 	allow $1 var_run_t:fifo_file write;
- ')
- 
-@@ -6140,7 +7437,6 @@ interface(`files_pid_filetrans',`
- 	')
- 
- 	allow $1 var_t:dir search_dir_perms;
--	allow $1 var_run_t:lnk_file read_lnk_file_perms;
- 	filetrans_pattern($1, var_run_t, $2, $3, $4)
- ')
- 
-@@ -6169,6 +7465,24 @@ interface(`files_pid_filetrans_lock_dir',`
- 
  ########################################
  ## <summary>
-+##	rw generic pid files inherited from another process
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`files_rw_inherited_generic_pid_files',`
-+	gen_require(`
-+		type var_run_t;
-+	')
-+
-+	allow $1 var_run_t:file rw_inherited_file_perms;
-+')
-+
-+########################################
-+## <summary>
- ##	Read and write generic process ID files.
+-##	Search the contents of /var.
++##	Delete generic directories in /usr in the caller domain.
  ## </summary>
  ## <param name="domain">
-@@ -6182,7 +7496,7 @@ interface(`files_rw_generic_pids',`
- 		type var_t, var_run_t;
+ ##	<summary>
+@@ -5158,35 +5937,35 @@ interface(`files_delete_kernel_symbol_table',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_search_var',`
++interface(`files_delete_usr_dirs',`
+ 	gen_require(`
+-		type var_t;
++		type usr_t;
  	')
  
--	allow $1 var_run_t:lnk_file read_lnk_file_perms;
-+	files_search_pids($1)
- 	list_dirs_pattern($1, var_t, var_run_t)
- 	rw_files_pattern($1, var_run_t, var_run_t)
+-	allow $1 var_t:dir search_dir_perms;
++	delete_dirs_pattern($1, usr_t, usr_t)
  ')
-@@ -6249,55 +7563,43 @@ interface(`files_dontaudit_ioctl_all_pids',`
  
  ########################################
  ## <summary>
--##	Read all process ID files.
-+##	Relable all pid directories
+-##	Do not audit attempts to write to /var.
++##	Delete generic files in /usr in the caller domain.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
- ##	Domain allowed access.
+-##	Domain to not audit.
++##	Domain allowed access.
  ##	</summary>
  ## </param>
--## <rolecap/>
  #
--interface(`files_read_all_pids',`
-+interface(`files_relabel_all_pid_dirs',`
+-interface(`files_dontaudit_write_var_dirs',`
++interface(`files_delete_usr_files',`
  	gen_require(`
- 		attribute pidfile;
--		type var_t, var_run_t;
+-		type var_t;
++		type usr_t;
  	')
  
--	allow $1 var_run_t:lnk_file read_lnk_file_perms;
--	list_dirs_pattern($1, var_t, pidfile)
--	read_files_pattern($1, pidfile, pidfile)
-+	relabel_dirs_pattern($1, pidfile, pidfile)
+-	dontaudit $1 var_t:dir write;
++	delete_files_pattern($1, usr_t, usr_t)
  ')
  
  ########################################
  ## <summary>
--##	Delete all process IDs.
-+##	Delete all pid sockets
+-##	Allow attempts to write to /var.dirs
++##	Get the attributes of files in /usr.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
- ##	Domain allowed access.
+@@ -5194,36 +5973,55 @@ interface(`files_dontaudit_write_var_dirs',`
  ##	</summary>
  ## </param>
--## <rolecap/>
  #
--interface(`files_delete_all_pids',`
-+interface(`files_delete_all_pid_sockets',`
+-interface(`files_write_var_dirs',`
++interface(`files_getattr_usr_files',`
  	gen_require(`
- 		attribute pidfile;
--		type var_t, var_run_t;
+-		type var_t;
++		type usr_t;
  	')
  
--	allow $1 var_t:dir search_dir_perms;
--	allow $1 var_run_t:lnk_file read_lnk_file_perms;
--	allow $1 var_run_t:dir rmdir;
--	allow $1 var_run_t:lnk_file delete_lnk_file_perms;
--	delete_files_pattern($1, pidfile, pidfile)
--	delete_fifo_files_pattern($1, pidfile, pidfile)
--	delete_sock_files_pattern($1, pidfile, { pidfile var_run_t })
-+	allow $1 pidfile:sock_file delete_sock_file_perms;
+-	allow $1 var_t:dir write;
++	getattr_files_pattern($1, usr_t, usr_t)
  ')
  
  ########################################
  ## <summary>
--##	Delete all process ID directories.
-+##	Create all pid sockets
+-##	Do not audit attempts to search
+-##	the contents of /var.
++##	Read generic files in /usr.
  ## </summary>
++## <desc>
++##	<p>
++##	Allow the specified domain to read generic
++##	files in /usr. These files are various program
++##	files that do not have more specific SELinux types.
++##	Some examples of these files are:
++##	</p>
++##	<ul>
++##		<li>/usr/include/*</li>
++##		<li>/usr/share/doc/*</li>
++##		<li>/usr/share/info/*</li>
++##	</ul>
++##	<p>
++##	Generally, it is safe for many domains to have
++##	this access.
++##	</p>
++## </desc>
  ## <param name="domain">
  ##	<summary>
-@@ -6305,42 +7607,35 @@ interface(`files_delete_all_pids',`
+-##	Domain to not audit.
++##	Domain allowed access.
  ##	</summary>
  ## </param>
++## <infoflow type="read" weight="10"/>
  #
--interface(`files_delete_all_pid_dirs',`
-+interface(`files_create_all_pid_sockets',`
+-interface(`files_dontaudit_search_var',`
++interface(`files_read_usr_files',`
  	gen_require(`
- 		attribute pidfile;
--		type var_t, var_run_t;
+-		type var_t;
++		type usr_t;
  	')
  
--	allow $1 var_t:dir search_dir_perms;
--	allow $1 var_run_t:lnk_file read_lnk_file_perms;
--	delete_dirs_pattern($1, pidfile, pidfile)
-+	allow $1 pidfile:sock_file create_sock_file_perms;
+-	dontaudit $1 var_t:dir search_dir_perms;
++	allow $1 usr_t:dir list_dir_perms;
++	read_files_pattern($1, usr_t, usr_t)
++	read_lnk_files_pattern($1, usr_t, usr_t)
  ')
  
  ########################################
  ## <summary>
--##	Create, read, write and delete all
--##	var_run (pid) content
-+##	Create all pid named pipes
+-##	List the contents of /var.
++##	Execute generic programs in /usr in the caller domain.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
--##	Domain alloed access.
-+##	Domain allowed access.
+@@ -5231,36 +6029,37 @@ interface(`files_dontaudit_search_var',`
  ##	</summary>
  ## </param>
  #
--interface(`files_manage_all_pids',`
-+interface(`files_create_all_pid_pipes',`
+-interface(`files_list_var',`
++interface(`files_exec_usr_files',`
  	gen_require(`
- 		attribute pidfile;
+-		type var_t;
++		type usr_t;
  	')
  
--	manage_dirs_pattern($1, pidfile, pidfile)
--	manage_files_pattern($1, pidfile, pidfile)
--	manage_lnk_files_pattern($1, pidfile, pidfile)
-+	allow $1 pidfile:fifo_file create_fifo_file_perms;
+-	allow $1 var_t:dir list_dir_perms;
++	allow $1 usr_t:dir list_dir_perms;
++	exec_files_pattern($1, usr_t, usr_t)
++	read_lnk_files_pattern($1, usr_t, usr_t)
  ')
  
  ########################################
  ## <summary>
--##	Mount filesystems on all polyinstantiation
--##	member directories.
-+##	Delete all pid named pipes
+-##	Create, read, write, and delete directories
+-##	in the /var directory.
++##	dontaudit write of /usr files
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -6348,18 +7643,18 @@ interface(`files_manage_all_pids',`
+-##	Domain allowed access.
++##	Domain to not audit.
  ##	</summary>
  ## </param>
  #
--interface(`files_mounton_all_poly_members',`
-+interface(`files_delete_all_pid_pipes',`
+-interface(`files_manage_var_dirs',`
++interface(`files_dontaudit_write_usr_files',`
  	gen_require(`
--		attribute polymember;
-+		attribute pidfile;
+-		type var_t;
++		type usr_t;
  	')
  
--	allow $1 polymember:dir mounton;
-+	allow $1 pidfile:fifo_file delete_fifo_file_perms;
+-	allow $1 var_t:dir manage_dir_perms;
++	dontaudit $1 usr_t:file write;
  ')
  
  ########################################
  ## <summary>
--##	Search the contents of generic spool
--##	directories (/var/spool).
-+##	manage all pidfile directories
-+##	in the /var/run directory.
+-##	Read files in the /var directory.
++##	Create, read, write, and delete files in the /usr directory.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -6367,37 +7662,40 @@ interface(`files_mounton_all_poly_members',`
+@@ -5268,17 +6067,17 @@ interface(`files_manage_var_dirs',`
  ##	</summary>
  ## </param>
  #
--interface(`files_search_spool',`
-+interface(`files_manage_all_pid_dirs',`
+-interface(`files_read_var_files',`
++interface(`files_manage_usr_files',`
  	gen_require(`
--		type var_t, var_spool_t;
-+		attribute pidfile;
+-		type var_t;
++		type usr_t;
  	')
  
--	search_dirs_pattern($1, var_t, var_spool_t)
-+	manage_dirs_pattern($1,pidfile,pidfile)
+-	read_files_pattern($1, var_t, var_t)
++	manage_files_pattern($1, usr_t, usr_t)
  ')
  
-+
  ########################################
  ## <summary>
--##	Do not audit attempts to search generic
--##	spool directories.
-+##	Read all process ID files.
+-##	Append files in the /var directory.
++##	Relabel a file to the type used in /usr.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
--##	Domain to not audit.
-+##	Domain allowed access.
+@@ -5286,17 +6085,17 @@ interface(`files_read_var_files',`
  ##	</summary>
  ## </param>
-+## <rolecap/>
  #
--interface(`files_dontaudit_search_spool',`
-+interface(`files_read_all_pids',`
+-interface(`files_append_var_files',`
++interface(`files_relabelto_usr_files',`
  	gen_require(`
--		type var_spool_t;
-+		attribute pidfile;
-+		type var_t;
+-		type var_t;
++		type usr_t;
  	')
  
--	dontaudit $1 var_spool_t:dir search_dir_perms;
-+	list_dirs_pattern($1, var_t, pidfile)
-+	read_files_pattern($1, pidfile, pidfile)
-+	read_lnk_files_pattern($1, pidfile, pidfile)
+-	append_files_pattern($1, var_t, var_t)
++	relabelto_files_pattern($1, usr_t, usr_t)
  ')
  
  ########################################
  ## <summary>
--##	List the contents of generic spool
--##	(/var/spool) directories.
-+##	Relable all pid files
+-##	Read and write files in the /var directory.
++##	Relabel a file from the type used in /usr.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -6405,18 +7703,17 @@ interface(`files_dontaudit_search_spool',`
+@@ -5304,73 +6103,86 @@ interface(`files_append_var_files',`
  ##	</summary>
  ## </param>
  #
--interface(`files_list_spool',`
-+interface(`files_relabel_all_pid_files',`
+-interface(`files_rw_var_files',`
++interface(`files_relabelfrom_usr_files',`
  	gen_require(`
--		type var_t, var_spool_t;
-+		attribute pidfile;
+-		type var_t;
++		type usr_t;
  	')
  
--	list_dirs_pattern($1, var_t, var_spool_t)
-+	relabel_files_pattern($1, pidfile, pidfile)
+-	rw_files_pattern($1, var_t, var_t)
++	relabelfrom_files_pattern($1, usr_t, usr_t)
  ')
  
  ########################################
  ## <summary>
--##	Create, read, write, and delete generic
--##	spool directories (/var/spool).
-+##	Execute generic programs in /var/run in the caller domain.
+-##	Do not audit attempts to read and write
+-##	files in the /var directory.
++##	Read symbolic links in /usr.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -6424,18 +7721,18 @@ interface(`files_list_spool',`
+-##	Domain to not audit.
++##	Domain allowed access.
  ##	</summary>
  ## </param>
  #
--interface(`files_manage_generic_spool_dirs',`
-+interface(`files_exec_generic_pid_files',`
+-interface(`files_dontaudit_rw_var_files',`
++interface(`files_read_usr_symlinks',`
  	gen_require(`
--		type var_t, var_spool_t;
-+		type var_run_t;
+-		type var_t;
++		type usr_t;
  	')
  
--	allow $1 var_t:dir search_dir_perms;
--	manage_dirs_pattern($1, var_spool_t, var_spool_t)
-+	exec_files_pattern($1, var_run_t, var_run_t)
+-	dontaudit $1 var_t:file rw_file_perms;
++	read_lnk_files_pattern($1, usr_t, usr_t)
  ')
  
  ########################################
  ## <summary>
--##	Read generic spool files.
-+##	manage all pidfiles 
-+##	in the /var/run directory.
+-##	Create, read, write, and delete files in the /var directory.
++##	Create objects in the /usr directory
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -6443,19 +7740,18 @@ interface(`files_manage_generic_spool_dirs',`
+ ##	Domain allowed access.
  ##	</summary>
  ## </param>
- #
--interface(`files_read_generic_spool',`
-+interface(`files_manage_all_pids',`
++## <param name="file_type">
++##	<summary>
++##	The type of the object to be created
++##	</summary>
++## </param>
++## <param name="object_class">
++##	<summary>
++##	The object class.
++##	</summary>
++## </param>
++## <param name="name" optional="true">
++##	<summary>
++##	The name of the object being created.
++##	</summary>
++## </param>
+ #
+-interface(`files_manage_var_files',`
++interface(`files_usr_filetrans',`
  	gen_require(`
--		type var_t, var_spool_t;
-+		attribute pidfile;
+-		type var_t;
++		type usr_t;
  	')
  
--	list_dirs_pattern($1, var_t, var_spool_t)
--	read_files_pattern($1, var_spool_t, var_spool_t)
-+	manage_files_pattern($1,pidfile,pidfile)
+-	manage_files_pattern($1, var_t, var_t)
++	filetrans_pattern($1, usr_t, $2, $3, $4)
  ')
  
  ########################################
  ## <summary>
--##	Create, read, write, and delete generic
--##	spool files.
-+##	Mount filesystems on all polyinstantiation
-+##	member directories.
+-##	Read symbolic links in the /var directory.
++##	Do not audit attempts to search /usr/src.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -6463,55 +7759,43 @@ interface(`files_read_generic_spool',`
+-##	Domain allowed access.
++##	Domain to not audit.
  ##	</summary>
  ## </param>
  #
--interface(`files_manage_generic_spool',`
-+interface(`files_mounton_all_poly_members',`
+-interface(`files_read_var_symlinks',`
++interface(`files_dontaudit_search_src',`
  	gen_require(`
--		type var_t, var_spool_t;
-+		attribute polymember;
+-		type var_t;
++		type src_t;
  	')
  
--	allow $1 var_t:dir search_dir_perms;
--	manage_files_pattern($1, var_spool_t, var_spool_t)
-+	allow $1 polymember:dir mounton;
+-	read_lnk_files_pattern($1, var_t, var_t)
++	dontaudit $1 src_t:dir search_dir_perms;
  ')
  
  ########################################
  ## <summary>
--##	Create objects in the spool directory
--##	with a private type with a type transition.
-+##	Delete all process IDs.
+-##	Create, read, write, and delete symbolic
+-##	links in the /var directory.
++##	Get the attributes of files in /usr/src.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -5378,50 +6190,41 @@ interface(`files_read_var_symlinks',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_manage_var_symlinks',`
++interface(`files_getattr_usr_src_files',`
+ 	gen_require(`
+-		type var_t;
++		type usr_t, src_t;
+ 	')
+ 
+-	manage_lnk_files_pattern($1, var_t, var_t)
++	getattr_files_pattern($1, src_t, src_t)
++
++	# /usr/src/linux symlink:
++	read_lnk_files_pattern($1, usr_t, src_t)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Create objects in the /var directory
++##	Read files in /usr/src.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
  ##	Domain allowed access.
  ##	</summary>
  ## </param>
--## <param name="file">
+-## <param name="file_type">
 -##	<summary>
--##	Type to which the created node will be transitioned.
+-##	The type of the object to be created
 -##	</summary>
 -## </param>
--## <param name="class">
+-## <param name="object_class">
 -##	<summary>
--##	Object class(es) (single or set including {}) for which this
--##	the transition will occur.
+-##	The object class.
 -##	</summary>
 -## </param>
 -## <param name="name" optional="true">
@@ -12318,216 +12711,1997 @@ index f962f76..51c5d2c 100644
 -##	The name of the object being created.
 -##	</summary>
 -## </param>
-+## <rolecap/>
  #
--interface(`files_spool_filetrans',`
-+interface(`files_delete_all_pids',`
+-interface(`files_var_filetrans',`
++interface(`files_read_usr_src_files',`
  	gen_require(`
--		type var_t, var_spool_t;
-+		attribute pidfile;
-+		type var_t, var_run_t;
+-		type var_t;
++		type usr_t, src_t;
  	')
  
-+	files_search_pids($1)
- 	allow $1 var_t:dir search_dir_perms;
--	filetrans_pattern($1, var_spool_t, $2, $3, $4)
-+	allow $1 var_run_t:dir rmdir;
-+	allow $1 var_run_t:lnk_file delete_lnk_file_perms;
-+	delete_files_pattern($1, pidfile, pidfile)
-+	delete_fifo_files_pattern($1, pidfile, pidfile)
-+	delete_sock_files_pattern($1, pidfile, { pidfile var_run_t })
+-	filetrans_pattern($1, var_t, $2, $3, $4)
++	allow $1 usr_t:dir search_dir_perms;
++	read_files_pattern($1, { usr_t src_t }, src_t)
++	read_lnk_files_pattern($1, { usr_t src_t }, src_t)
++	allow $1 src_t:dir list_dir_perms;
  ')
  
  ########################################
  ## <summary>
--##	Allow access to manage all polyinstantiated
--##	directories on the system.
-+##	Delete all process ID directories.
+-##	Get the attributes of the /var/lib directory.
++##	Execute programs in /usr/src in the caller domain.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -6519,53 +7803,68 @@ interface(`files_spool_filetrans',`
+@@ -5429,69 +6232,56 @@ interface(`files_var_filetrans',`
  ##	</summary>
  ## </param>
  #
--interface(`files_polyinstantiate_all',`
-+interface(`files_delete_all_pid_dirs',`
+-interface(`files_getattr_var_lib_dirs',`
++interface(`files_exec_usr_src_files',`
  	gen_require(`
--		attribute polydir, polymember, polyparent;
--		type poly_t;
-+		attribute pidfile;
-+		type var_t, var_run_t;
+-		type var_t, var_lib_t;
++		type usr_t, src_t;
  	')
  
--	# Need to give access to /selinux/member
--	selinux_compute_member($1)
--
--	# Need sys_admin capability for mounting
--	allow $1 self:capability { chown fsetid sys_admin fowner };
--
--	# Need to give access to the directories to be polyinstantiated
--	allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir };
--
--	# Need to give access to the polyinstantiated subdirectories
--	allow $1 polymember:dir search_dir_perms;
--
--	# Need to give access to parent directories where original
--	# is remounted for polyinstantiation aware programs (like gdm)
--	allow $1 polyparent:dir { getattr mounton };
--
--	# Need to give permission to create directories where applicable
--	allow $1 self:process setfscreate;
--	allow $1 polymember: dir { create setattr relabelto };
--	allow $1 polydir: dir { write add_name open };
--	allow $1 polyparent:dir { open read write remove_name add_name relabelfrom relabelto };
--
--	# Default type for mountpoints
--	allow $1 poly_t:dir { create mounton };
--	fs_unmount_xattr_fs($1)
--
--	fs_mount_tmpfs($1)
--	fs_unmount_tmpfs($1)
-+	files_search_pids($1)
-+	allow $1 var_t:dir search_dir_perms;
-+	delete_dirs_pattern($1, pidfile, pidfile)
-+')
+-	getattr_dirs_pattern($1, var_t, var_lib_t)
++	list_dirs_pattern($1, usr_t, src_t)
++	exec_files_pattern($1, src_t, src_t)
++	read_lnk_files_pattern($1, src_t, src_t)
+ ')
  
--	ifdef(`distro_redhat',`
--		# namespace.init
--		files_search_tmp($1)
--		files_search_home($1)
--		corecmd_exec_bin($1)
--		seutil_domtrans_setfiles($1)
-+########################################
-+## <summary>
-+##	Make the specified type a file
-+##	used for spool files.
-+## </summary>
-+## <desc>
-+##	<p>
-+##	Make the specified type usable for spool files.
-+##	This will also make the type usable for files, making
-+##	calls to files_type() redundant.  Failure to use this interface
-+##	for a spool file may result in problems with
-+##	purging spool files.
-+##	</p>
-+##	<p>
-+##	Related interfaces:
-+##	</p>
-+##	<ul>
-+##		<li>files_spool_filetrans()</li>
-+##	</ul>
-+##	<p>
-+##	Example usage with a domain that can create and
-+##	write its spool file in the system spool file
-+##	directories (/var/spool):
-+##	</p>
-+##	<p>
-+##	type myspoolfile_t;
-+##	files_spool_file(myfile_spool_t)
-+##	allow mydomain_t myfile_spool_t:file { create_file_perms write_file_perms };
-+##	files_spool_filetrans(mydomain_t, myfile_spool_t, file)
-+##	</p>
-+## </desc>
-+## <param name="file_type">
-+##	<summary>
-+##	Type of the file to be used as a
-+##	spool file.
-+##	</summary>
-+## </param>
-+## <infoflow type="none"/>
-+#
-+interface(`files_spool_file',`
-+	gen_require(`
-+		attribute spoolfile;
+ ########################################
+ ## <summary>
+-##	Search the /var/lib directory.
++##	Install a system.map into the /boot directory.
+ ## </summary>
+-## <desc>
+-##	<p>
+-##	Search the /var/lib directory.  This is
+-##	necessary to access files or directories under
+-##	/var/lib that have a private type.  For example, a
+-##	domain accessing a private library file in the
+-##	/var/lib directory:
+-##	</p>
+-##	<p>
+-##	allow mydomain_t mylibfile_t:file read_file_perms;
+-##	files_search_var_lib(mydomain_t)
+-##	</p>
+-## </desc>
+ ## <param name="domain">
+ ##	<summary>
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+-## <infoflow type="read" weight="5"/>
+ #
+-interface(`files_search_var_lib',`
++interface(`files_create_kernel_symbol_table',`
+ 	gen_require(`
+-		type var_t, var_lib_t;
++		type boot_t, system_map_t;
  	')
-+
-+	files_type($1)
-+	typeattribute $1 spoolfile;
+ 
+-	search_dirs_pattern($1, var_t, var_lib_t)
++	allow $1 boot_t:dir { list_dir_perms add_entry_dir_perms };
++	allow $1 system_map_t:file { create_file_perms rw_file_perms };
  ')
  
  ########################################
  ## <summary>
--##	Unconfined access to files.
-+##	Create all spool sockets
+-##	Do not audit attempts to search the
+-##	contents of /var/lib.
++##	Dontaudit getattr attempts on the system.map file
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -6573,10 +7872,784 @@ interface(`files_polyinstantiate_all',`
+ ##	Domain to not audit.
  ##	</summary>
  ## </param>
+-## <infoflow type="read" weight="5"/>
  #
--interface(`files_unconfined',`
-+interface(`files_create_all_spool_sockets',`
+-interface(`files_dontaudit_search_var_lib',`
++interface(`files_dontaduit_getattr_kernel_symbol_table',`
  	gen_require(`
--		attribute files_unconfined_type;
-+		attribute spoolfile;
+-		type var_lib_t;
++		type system_map_t;
  	')
  
--	typeattribute $1 files_unconfined_type;
-+	allow $1 spoolfile:sock_file create_sock_file_perms;
-+')
-+
-+########################################
-+## <summary>
-+##	Delete all spool sockets
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`files_delete_all_spool_sockets',`
-+	gen_require(`
-+		attribute spoolfile;
-+	')
-+
-+	allow $1 spoolfile:sock_file delete_sock_file_perms;
-+')
-+
-+########################################
-+## <summary>
-+##	Relabel to and from all spool
-+##	directory types.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+## <rolecap/>
-+#
-+interface(`files_relabel_all_spool_dirs',`
-+	gen_require(`
-+		attribute spoolfile;
-+		type var_t;
-+	')
-+
-+	relabel_dirs_pattern($1, spoolfile, spoolfile)
-+')
-+
+-	dontaudit $1 var_lib_t:dir search_dir_perms;
++	dontaudit $1 system_map_t:file getattr;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	List the contents of the /var/lib directory.
++##	Read system.map in the /boot directory.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -5499,17 +6289,18 @@ interface(`files_dontaudit_search_var_lib',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_list_var_lib',`
++interface(`files_read_kernel_symbol_table',`
+ 	gen_require(`
+-		type var_t, var_lib_t;
++		type boot_t, system_map_t;
+ 	')
+ 
+-	list_dirs_pattern($1, var_t, var_lib_t)
++	allow $1 boot_t:dir list_dir_perms;
++	read_files_pattern($1, boot_t, system_map_t)
+ ')
+ 
+-###########################################
 +########################################
-+## <summary>
-+##	Search the contents of generic spool
-+##	directories (/var/spool).
-+## </summary>
-+## <param name="domain">
-+##	<summary>
+ ## <summary>
+-##	Read-write /var/lib directories
++##	Delete a system.map in the /boot directory.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -5517,70 +6308,54 @@ interface(`files_list_var_lib',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_rw_var_lib_dirs',`
++interface(`files_delete_kernel_symbol_table',`
+ 	gen_require(`
+-		type var_lib_t;
++		type boot_t, system_map_t;
+ 	')
+ 
+-	rw_dirs_pattern($1, var_lib_t, var_lib_t)
++	allow $1 boot_t:dir list_dir_perms;
++	delete_files_pattern($1, boot_t, system_map_t)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Create objects in the /var/lib directory
++##	Search the contents of /var.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+-## <param name="file_type">
+-##	<summary>
+-##	The type of the object to be created
+-##	</summary>
+-## </param>
+-## <param name="object_class">
+-##	<summary>
+-##	The object class.
+-##	</summary>
+-## </param>
+-## <param name="name" optional="true">
+-##	<summary>
+-##	The name of the object being created.
+-##	</summary>
+-## </param>
+ #
+-interface(`files_var_lib_filetrans',`
++interface(`files_search_var',`
+ 	gen_require(`
+-		type var_t, var_lib_t;
++		type var_t;
+ 	')
+ 
+ 	allow $1 var_t:dir search_dir_perms;
+-	filetrans_pattern($1, var_lib_t, $2, $3, $4)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Read generic files in /var/lib.
++##	Do not audit attempts to write to /var.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain allowed access.
++##	Domain to not audit.
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_read_var_lib_files',`
++interface(`files_dontaudit_write_var_dirs',`
+ 	gen_require(`
+-		type var_t, var_lib_t;
++		type var_t;
+ 	')
+ 
+-	allow $1 var_lib_t:dir list_dir_perms;
+-	read_files_pattern($1, { var_t var_lib_t }, var_lib_t)
++	dontaudit $1 var_t:dir write;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Read generic symbolic links in /var/lib
++##	Allow attempts to write to /var.dirs
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -5588,41 +6363,36 @@ interface(`files_read_var_lib_files',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_read_var_lib_symlinks',`
++interface(`files_write_var_dirs',`
+ 	gen_require(`
+-		type var_t, var_lib_t;
++		type var_t;
+ 	')
+ 
+-	read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t)
++	allow $1 var_t:dir write;
+ ')
+ 
+-# cjp: the next two interfaces really need to be fixed
+-# in some way.  They really neeed their own types.
+-
+ ########################################
+ ## <summary>
+-##	Create, read, write, and delete the
+-##	pseudorandom number generator seed.
++##	Do not audit attempts to search
++##	the contents of /var.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain allowed access.
++##	Domain to not audit.
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_manage_urandom_seed',`
++interface(`files_dontaudit_search_var',`
+ 	gen_require(`
+-		type var_t, var_lib_t;
++		type var_t;
+ 	')
+ 
+-	allow $1 var_t:dir search_dir_perms;
+-	manage_files_pattern($1, var_lib_t, var_lib_t)
++	dontaudit $1 var_t:dir search_dir_perms;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Allow domain to manage mount tables
+-##	necessary for rpcd, nfsd, etc.
++##	List the contents of /var.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -5630,36 +6400,36 @@ interface(`files_manage_urandom_seed',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_manage_mounttab',`
++interface(`files_list_var',`
+ 	gen_require(`
+-		type var_t, var_lib_t;
++		type var_t;
+ 	')
+ 
+-	allow $1 var_t:dir search_dir_perms;
+-	manage_files_pattern($1, var_lib_t, var_lib_t)
++	allow $1 var_t:dir list_dir_perms;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Set the attributes of the generic lock directories.
++##	Do not audit listing of the var directory (/var).
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain allowed access.
++##	Domain to not audit.
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_setattr_lock_dirs',`
++interface(`files_dontaudit_list_var',`
+ 	gen_require(`
+-		type var_t, var_lock_t;
++		type var_t;
+ 	')
+ 
+-	setattr_dirs_pattern($1, var_t, var_lock_t)
++	dontaudit $1 var_t:dir list_dir_perms;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Search the locks directory (/var/lock).
++##	Create, read, write, and delete directories
++##	in the /var directory.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -5667,38 +6437,35 @@ interface(`files_setattr_lock_dirs',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_search_locks',`
++interface(`files_manage_var_dirs',`
+ 	gen_require(`
+-		type var_t, var_lock_t;
++		type var_t;
+ 	')
+ 
+-	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+-	search_dirs_pattern($1, var_t, var_lock_t)
++	allow $1 var_t:dir manage_dir_perms;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Do not audit attempts to search the
+-##	locks directory (/var/lock).
++##	Read files in the /var directory.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain to not audit.
++##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_dontaudit_search_locks',`
++interface(`files_read_var_files',`
+ 	gen_require(`
+-		type var_lock_t;
++		type var_t;
+ 	')
+ 
+-	dontaudit $1 var_lock_t:lnk_file read_lnk_file_perms;
+-	dontaudit $1 var_lock_t:dir search_dir_perms;
++	read_files_pattern($1, var_t, var_t)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	List generic lock directories.
++##	Append files in the /var directory.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -5706,19 +6473,17 @@ interface(`files_dontaudit_search_locks',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_list_locks',`
++interface(`files_append_var_files',`
+ 	gen_require(`
+-		type var_t, var_lock_t;
++		type var_t;
+ 	')
+ 
+-	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+-	list_dirs_pattern($1, var_t, var_lock_t)
++	append_files_pattern($1, var_t, var_t)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Add and remove entries in the /var/lock
+-##	directories.
++##	Read and write files in the /var directory.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -5726,60 +6491,54 @@ interface(`files_list_locks',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_rw_lock_dirs',`
++interface(`files_rw_var_files',`
+ 	gen_require(`
+-		type var_t, var_lock_t;
++		type var_t;
+ 	')
+ 
+-	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+-	rw_dirs_pattern($1, var_t, var_lock_t)
++	rw_files_pattern($1, var_t, var_t)
+ ')
+ 
+ ########################################
+ ## <summary>
+-## 	Create lock directories
++##	Do not audit attempts to read and write
++##	files in the /var directory.
+ ## </summary>
+ ## <param name="domain">
+-## 	<summary>
+-##	Domain allowed access
++##	<summary>
++##	Domain to not audit.
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_create_lock_dirs',`
++interface(`files_dontaudit_rw_var_files',`
+ 	gen_require(`
+-		type var_t, var_lock_t;
++		type var_t;
+ 	')
+ 
+-	allow $1 var_t:dir search_dir_perms;
+-	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+-	create_dirs_pattern($1, var_lock_t, var_lock_t)
++	dontaudit $1 var_t:file rw_inherited_file_perms;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Relabel to and from all lock directory types.
++##	Create, read, write, and delete files in the /var directory.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+-## <rolecap/>
+ #
+-interface(`files_relabel_all_lock_dirs',`
++interface(`files_manage_var_files',`
+ 	gen_require(`
+-		attribute lockfile;
+-		type var_t, var_lock_t;
++		type var_t;
+ 	')
+ 
+-	allow $1 var_t:dir search_dir_perms;
+-	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+-	relabel_dirs_pattern($1, lockfile, lockfile)
++	manage_files_pattern($1, var_t, var_t)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Get the attributes of generic lock files.
++##	Read symbolic links in the /var directory.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -5787,20 +6546,18 @@ interface(`files_relabel_all_lock_dirs',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_getattr_generic_locks',`
++interface(`files_read_var_symlinks',`
+ 	gen_require(`
+-		type var_t, var_lock_t;
++		type var_t;
+ 	')
+ 
+-	allow $1 var_t:dir search_dir_perms;
+-	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+-	allow $1 var_lock_t:dir list_dir_perms;
+-	getattr_files_pattern($1, var_lock_t, var_lock_t)
++	read_lnk_files_pattern($1, var_t, var_t)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Delete generic lock files.
++##	Create, read, write, and delete symbolic
++##	links in the /var directory.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -5808,165 +6565,156 @@ interface(`files_getattr_generic_locks',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_delete_generic_locks',`
++interface(`files_manage_var_symlinks',`
+ 	gen_require(`
+-		type var_t, var_lock_t;
++		type var_t;
+ 	')
+ 
+-	allow $1 var_t:dir search_dir_perms;
+-	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+-	delete_files_pattern($1, var_lock_t, var_lock_t)
++	manage_lnk_files_pattern($1, var_t, var_t)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Create, read, write, and delete generic
+-##	lock files.
++##	Create objects in the /var directory
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
++## <param name="file_type">
++##	<summary>
++##	The type of the object to be created
++##	</summary>
++## </param>
++## <param name="object_class">
++##	<summary>
++##	The object class.
++##	</summary>
++## </param>
++## <param name="name" optional="true">
++##	<summary>
++##	The name of the object being created.
++##	</summary>
++## </param>
+ #
+-interface(`files_manage_generic_locks',`
++interface(`files_var_filetrans',`
+ 	gen_require(`
+-		type var_t, var_lock_t;
++		type var_t;
+ 	')
+ 
+-	allow $1 var_t:dir search_dir_perms;
+-	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+-	manage_dirs_pattern($1, var_lock_t, var_lock_t)
+-	manage_files_pattern($1, var_lock_t, var_lock_t)
++	filetrans_pattern($1, var_t, $2, $3, $4)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Delete all lock files.
++##	Get the attributes of the /var/lib directory.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+-## <rolecap/>
+ #
+-interface(`files_delete_all_locks',`
++interface(`files_getattr_var_lib_dirs',`
+ 	gen_require(`
+-		attribute lockfile;
+-		type var_t, var_lock_t;
++		type var_t, var_lib_t;
+ 	')
+ 
+-	allow $1 var_t:dir search_dir_perms;
+-	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+-	delete_files_pattern($1, lockfile, lockfile)
++	getattr_dirs_pattern($1, var_t, var_lib_t)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Read all lock files.
++##	Search the /var/lib directory.
+ ## </summary>
++## <desc>
++##	<p>
++##	Search the /var/lib directory.  This is
++##	necessary to access files or directories under
++##	/var/lib that have a private type.  For example, a
++##	domain accessing a private library file in the
++##	/var/lib directory:
++##	</p>
++##	<p>
++##	allow mydomain_t mylibfile_t:file read_file_perms;
++##	files_search_var_lib(mydomain_t)
++##	</p>
++## </desc>
+ ## <param name="domain">
+ ##	<summary>
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
++## <infoflow type="read" weight="5"/>
+ #
+-interface(`files_read_all_locks',`
++interface(`files_search_var_lib',`
+ 	gen_require(`
+-		attribute lockfile;
+-		type var_t, var_lock_t;
++		type var_t, var_lib_t;
+ 	')
+ 
+-	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+-	allow $1 { var_t var_lock_t }:dir search_dir_perms;
+-	allow $1 lockfile:dir list_dir_perms;
+-	read_files_pattern($1, lockfile, lockfile)
+-	read_lnk_files_pattern($1, lockfile, lockfile)
++	search_dirs_pattern($1, var_t, var_lib_t)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	manage all lock files.
++##	Do not audit attempts to search the
++##	contents of /var/lib.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain allowed access.
++##	Domain to not audit.
+ ##	</summary>
+ ## </param>
++## <infoflow type="read" weight="5"/>
+ #
+-interface(`files_manage_all_locks',`
++interface(`files_dontaudit_search_var_lib',`
+ 	gen_require(`
+-		attribute lockfile;
+-		type var_t, var_lock_t;
++		type var_lib_t;
+ 	')
+ 
+-	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+-	allow $1 { var_t var_lock_t }:dir search_dir_perms;
+-	manage_dirs_pattern($1, lockfile, lockfile)
+-	manage_files_pattern($1, lockfile, lockfile)
+-	manage_lnk_files_pattern($1, lockfile, lockfile)
++	dontaudit $1 var_lib_t:dir search_dir_perms;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Create an object in the locks directory, with a private
+-##	type using a type transition.
++##	List the contents of the /var/lib directory.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+-## <param name="private type">
+-##	<summary>
+-##	The type of the object to be created.
+-##	</summary>
+-## </param>
+-## <param name="object">
+-##	<summary>
+-##	The object class of the object being created.
+-##	</summary>
+-## </param>
+-## <param name="name" optional="true">
+-##	<summary>
+-##	The name of the object being created.
+-##	</summary>
+-## </param>
+ #
+-interface(`files_lock_filetrans',`
++interface(`files_list_var_lib',`
+ 	gen_require(`
+-		type var_t, var_lock_t;
++		type var_t, var_lib_t;
+ 	')
+ 
+-	allow $1 var_t:dir search_dir_perms;
+-	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+-	filetrans_pattern($1, var_lock_t, $2, $3, $4)
++	list_dirs_pattern($1, var_t, var_lib_t)
+ ')
+ 
+-########################################
++###########################################
+ ## <summary>
+-##	Do not audit attempts to get the attributes
+-##	of the /var/run directory.
++##	Read-write /var/lib directories
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain to not audit.
++##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_dontaudit_getattr_pid_dirs',`
++interface(`files_rw_var_lib_dirs',`
+ 	gen_require(`
+-		type var_run_t;
++		type var_lib_t;
+ 	')
+ 
+-	dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
+-	dontaudit $1 var_run_t:dir getattr;
++	rw_dirs_pattern($1, var_lib_t, var_lib_t)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Set the attributes of the /var/run directory.
++##	Create directories in /var/lib
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -5974,59 +6722,71 @@ interface(`files_dontaudit_getattr_pid_dirs',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_setattr_pid_dirs',`
++interface(`files_create_var_lib_dirs',`
+ 	gen_require(`
+-		type var_run_t;
++		type var_lib_t;
+ 	')
+ 
+-	allow $1 var_run_t:lnk_file read_lnk_file_perms;
+-	allow $1 var_run_t:dir setattr;
++	allow $1 var_lib_t:dir { create rw_dir_perms };
+ ')
+ 
++
+ ########################################
+ ## <summary>
+-##	Search the contents of runtime process
+-##	ID directories (/var/run).
++##	Create objects in the /var/lib directory
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
++## <param name="file_type">
++##	<summary>
++##	The type of the object to be created
++##	</summary>
++## </param>
++## <param name="object_class">
++##	<summary>
++##	The object class.
++##	</summary>
++## </param>
++## <param name="name" optional="true">
++##	<summary>
++##	The name of the object being created.
++##	</summary>
++## </param>
+ #
+-interface(`files_search_pids',`
++interface(`files_var_lib_filetrans',`
+ 	gen_require(`
+-		type var_t, var_run_t;
++		type var_t, var_lib_t;
+ 	')
+ 
+-	allow $1 var_run_t:lnk_file read_lnk_file_perms;
+-	search_dirs_pattern($1, var_t, var_run_t)
++	allow $1 var_t:dir search_dir_perms;
++	filetrans_pattern($1, var_lib_t, $2, $3, $4)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Do not audit attempts to search
+-##	the /var/run directory.
++##	Read generic files in /var/lib.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain to not audit.
++##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_dontaudit_search_pids',`
++interface(`files_read_var_lib_files',`
+ 	gen_require(`
+-		type var_run_t;
++		type var_t, var_lib_t;
+ 	')
+ 
+-	dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
+-	dontaudit $1 var_run_t:dir search_dir_perms;
++	allow $1 var_lib_t:dir list_dir_perms;
++	read_files_pattern($1, { var_t var_lib_t }, var_lib_t)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	List the contents of the runtime process
+-##	ID directories (/var/run).
++##	Read generic symbolic links in /var/lib
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -6034,18 +6794,18 @@ interface(`files_dontaudit_search_pids',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_list_pids',`
++interface(`files_read_var_lib_symlinks',`
+ 	gen_require(`
+-		type var_t, var_run_t;
++		type var_t, var_lib_t;
+ 	')
+ 
+-	allow $1 var_run_t:lnk_file read_lnk_file_perms;
+-	list_dirs_pattern($1, var_t, var_run_t)
++	read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Read generic process ID files.
++##	manage generic symbolic links
++##	in the /var/lib directory.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -6053,19 +6813,21 @@ interface(`files_list_pids',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_read_generic_pids',`
++interface(`files_manage_var_lib_symlinks',`
+ 	gen_require(`
+-		type var_t, var_run_t;
++		type var_lib_t;
+ 	')
+ 
+-	allow $1 var_run_t:lnk_file read_lnk_file_perms;
+-	list_dirs_pattern($1, var_t, var_run_t)
+-	read_files_pattern($1, var_run_t, var_run_t)
++	manage_lnk_files_pattern($1,var_lib_t,var_lib_t)
+ ')
+ 
++# cjp: the next two interfaces really need to be fixed
++# in some way.  They really neeed their own types.
++
+ ########################################
+ ## <summary>
+-##	Write named generic process ID pipes
++##	Create, read, write, and delete the
++##	pseudorandom number generator seed.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -6073,58 +6835,1243 @@ interface(`files_read_generic_pids',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_write_generic_pid_pipes',`
++interface(`files_manage_urandom_seed',`
+ 	gen_require(`
+-		type var_run_t;
++		type var_t, var_lib_t;
+ 	')
+ 
+-	allow $1 var_run_t:lnk_file read_lnk_file_perms;
+-	allow $1 var_run_t:fifo_file write;
++	allow $1 var_t:dir search_dir_perms;
++	manage_files_pattern($1, var_lib_t, var_lib_t)
++')
++
++########################################
++## <summary>
++##	Allow domain to manage mount tables
++##	necessary for rpcd, nfsd, etc.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_manage_mounttab',`
++	gen_require(`
++		type var_t, var_lib_t;
++	')
++
++	allow $1 var_t:dir search_dir_perms;
++	manage_files_pattern($1, var_lib_t, var_lib_t)
++')
++
++########################################
++## <summary>
++##	List generic lock directories.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_list_locks',`
++	gen_require(`
++		type var_t, var_lock_t;
++	')
++
++	files_search_locks($1)
++	list_dirs_pattern($1, var_t, var_lock_t)
++')
++
++########################################
++## <summary>
++##	Search the locks directory (/var/lock).
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_search_locks',`
++	gen_require(`
++		type var_t, var_lock_t;
++	')
++
++	files_search_pids($1)
++	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
++	search_dirs_pattern($1, var_t, var_lock_t)
++')
++
++########################################
++## <summary>
++##	Do not audit attempts to search the
++##	locks directory (/var/lock).
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
++##	</summary>
++## </param>
++#
++interface(`files_dontaudit_search_locks',`
++	gen_require(`
++		type var_lock_t;
++	')
++
++	dontaudit $1 var_lock_t:lnk_file read_lnk_file_perms;
++	dontaudit $1 var_lock_t:dir search_dir_perms;
++')
++
++########################################
++## <summary>
++##	Do not audit attempts to read/write inherited
++##	locks (/var/lock).
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
++##	</summary>
++## </param>
++#
++interface(`files_dontaudit_rw_inherited_locks',`
++	gen_require(`
++		type var_lock_t;
++	')
++
++	dontaudit $1 var_lock_t:file rw_inherited_file_perms;
++')
++
++########################################
++## <summary>
++##	Set the attributes of the /var/lock directory.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_setattr_lock_dirs',`
++	gen_require(`
++		type var_lock_t;
++	')
++
++	allow $1 var_lock_t:dir setattr;
++')
++
++########################################
++## <summary>
++##	Add and remove entries in the /var/lock
++##	directories.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_rw_lock_dirs',`
++	gen_require(`
++		type var_t, var_lock_t;
++	')
++
++	files_search_locks($1)
++	rw_dirs_pattern($1, var_t, var_lock_t)
++')
++
++########################################
++## <summary>
++## 	Create lock directories
++## </summary>
++## <param name="domain">
++## 	<summary>
++##	Domain allowed access
++##	</summary>
++## </param>
++#
++interface(`files_create_lock_dirs',`
++	gen_require(`
++		type var_t, var_lock_t;
++	')
++
++	allow $1 var_t:dir search_dir_perms;
++	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
++	create_dirs_pattern($1, var_lock_t, var_lock_t)
++')
++
++########################################
++## <summary>
++##	Relabel to and from all lock directory types.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_relabel_all_lock_dirs',`
++	gen_require(`
++		attribute lockfile;
++		type var_t, var_lock_t;
++	')
++
++	allow $1 var_t:dir search_dir_perms;
++	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
++	relabel_dirs_pattern($1, lockfile, lockfile)
++')
++
++########################################
++## <summary>
++##	Relabel to and from all lock file types.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_relabel_all_lock_files',`
++	gen_require(`
++		attribute lockfile;
++		type var_t, var_lock_t;
++	')
++
++	allow $1 var_t:dir search_dir_perms;
++	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
++	relabel_files_pattern($1, lockfile, lockfile)
++')
++
++########################################
++## <summary>
++##	Get the attributes of generic lock files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_getattr_generic_locks',`
++	gen_require(`
++		type var_t, var_lock_t;
++	')
++
++	files_search_locks($1)
++	allow $1 var_lock_t:dir list_dir_perms;
++	getattr_files_pattern($1, var_lock_t, var_lock_t)
++')
++
++########################################
++## <summary>
++##	Delete generic lock files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_delete_generic_locks',`
++       gen_require(`
++		type var_t, var_lock_t;
++       ')
++
++       files_search_locks($1)
++       delete_files_pattern($1, var_lock_t, var_lock_t)
++')
++
++########################################
++## <summary>
++##	Create, read, write, and delete generic
++##	lock files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_manage_generic_locks',`
++	gen_require(`
++		type var_t, var_lock_t;
++	')
++
++	files_search_locks($1)
++	manage_files_pattern($1, var_lock_t, var_lock_t)
++')
++
++########################################
++## <summary>
++##	Delete all lock files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`files_delete_all_locks',`
++	gen_require(`
++		attribute lockfile;
++		type var_t, var_lock_t;
++	')
++
++	allow $1 var_t:dir search_dir_perms;
++	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
++	delete_files_pattern($1, lockfile, lockfile)
++')
++
++########################################
++## <summary>
++##	Read all lock files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_read_all_locks',`
++	gen_require(`
++		attribute lockfile;
++		type var_t, var_lock_t;
++	')
++
++	files_search_locks($1)
++	allow $1 lockfile:dir list_dir_perms;
++	read_files_pattern($1, lockfile, lockfile)
++	read_lnk_files_pattern($1, lockfile, lockfile)
++')
++
++########################################
++## <summary>
++##	manage all lock files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_manage_all_locks',`
++	gen_require(`
++		attribute lockfile;
++		type var_t, var_lock_t;
++	')
++
++	files_search_locks($1)
++	manage_dirs_pattern($1, lockfile, lockfile)
++	manage_files_pattern($1, lockfile, lockfile)
++	manage_lnk_files_pattern($1, lockfile, lockfile)
++')
++
++########################################
++## <summary>
++##	Create an object in the locks directory, with a private
++##	type using a type transition.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <param name="private type">
++##	<summary>
++##	The type of the object to be created.
++##	</summary>
++## </param>
++## <param name="object">
++##	<summary>
++##	The object class of the object being created.
++##	</summary>
++## </param>
++## <param name="name" optional="true">
++##	<summary>
++##	The name of the object being created.
++##	</summary>
++## </param>
++#
++interface(`files_lock_filetrans',`
++	gen_require(`
++		type var_t, var_lock_t;
++	')
++
++	files_search_locks($1)
++	filetrans_pattern($1, var_lock_t, $2, $3, $4)
++')
++
++########################################
++## <summary>
++##	Do not audit attempts to get the attributes
++##	of the /var/run directory.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
++##	</summary>
++## </param>
++#
++interface(`files_dontaudit_getattr_pid_dirs',`
++	gen_require(`
++		type var_run_t;
++	')
++
++	dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
++	dontaudit $1 var_run_t:dir getattr;
++')
++
++########################################
++## <summary>
++##	Set the attributes of the /var/run directory.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_setattr_pid_dirs',`
++	gen_require(`
++		type var_run_t;
++	')
++
++	files_search_pids($1)
++	allow $1 var_run_t:dir setattr;
++')
++
++########################################
++## <summary>
++##	Search the contents of runtime process
++##	ID directories (/var/run).
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_search_pids',`
++	gen_require(`
++		type var_t, var_run_t;
++	')
++
++	allow $1 var_t:lnk_file read_lnk_file_perms;
++	allow $1 var_run_t:lnk_file read_lnk_file_perms;
++	search_dirs_pattern($1, var_t, var_run_t)
++')
++
++######################################
++## <summary>
++## Add and remove entries from pid directories.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`files_rw_pid_dirs',`
++    gen_require(`
++        type var_run_t;
++    ')
++
++    allow $1 var_run_t:dir rw_dir_perms;
++')
++
++#######################################
++## <summary>
++##      Create generic pid directory.
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain allowed access.
++##      </summary>
++## </param>
++#
++interface(`files_create_var_run_dirs',`
++        gen_require(`
++                type var_t, var_run_t;
++        ')
++
++        allow $1 var_t:dir search_dir_perms;
++        allow $1 var_run_t:dir create_dir_perms;
++')
++
++########################################
++## <summary>
++##	Do not audit attempts to search
++##	the /var/run directory.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
++##	</summary>
++## </param>
++#
++interface(`files_dontaudit_search_pids',`
++	gen_require(`
++		type var_run_t;
++	')
++
++	dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
++	dontaudit $1 var_run_t:dir search_dir_perms;
++')
++
++########################################
++## <summary>
++##	Do not audit attempts to search
++##	the all /var/run directory.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
++##	</summary>
++## </param>
++#
++interface(`files_dontaudit_search_all_pids',`
++	gen_require(`
++		attribute pidfile;
++	')
++
++	dontaudit $1 pidfile:dir search_dir_perms;
++')
++
++########################################
++## <summary>
++##	List the contents of the runtime process
++##	ID directories (/var/run).
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_list_pids',`
++	gen_require(`
++		type var_t, var_run_t;
++	')
++
++	files_search_pids($1)
++	list_dirs_pattern($1, var_t, var_run_t)
++')
++
++########################################
++## <summary>
++##	Read generic process ID files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_read_generic_pids',`
++	gen_require(`
++		type var_t, var_run_t;
++	')
++
++	files_search_pids($1)
++	list_dirs_pattern($1, var_t, var_run_t)
++	read_files_pattern($1, var_run_t, var_run_t)
++')
++
++########################################
++## <summary>
++##	Write named generic process ID pipes
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_write_generic_pid_pipes',`
++	gen_require(`
++		type var_run_t;
++	')
++
++	files_search_pids($1)
++	allow $1 var_run_t:fifo_file write;
++')
++
++########################################
++## <summary>
++##	Create an object in the process ID directory, with a private type.
++## </summary>
++## <desc>
++##	<p>
++##	Create an object in the process ID directory (e.g., /var/run)
++##	with a private type.  Typically this is used for creating
++##	private PID files in /var/run with the private type instead
++##	of the general PID file type. To accomplish this goal,
++##	either the program must be SELinux-aware, or use this interface.
++##	</p>
++##	<p>
++##	Related interfaces:
++##	</p>
++##	<ul>
++##		<li>files_pid_file()</li>
++##	</ul>
++##	<p>
++##	Example usage with a domain that can create and
++##	write its PID file with a private PID file type in the
++##	/var/run directory:
++##	</p>
++##	<p>
++##	type mypidfile_t;
++##	files_pid_file(mypidfile_t)
++##	allow mydomain_t mypidfile_t:file { create_file_perms write_file_perms };
++##	files_pid_filetrans(mydomain_t, mypidfile_t, file)
++##	</p>
++## </desc>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <param name="private type">
++##	<summary>
++##	The type of the object to be created.
++##	</summary>
++## </param>
++## <param name="object">
++##	<summary>
++##	The object class of the object being created.
++##	</summary>
++## </param>
++## <param name="name" optional="true">
++##	<summary>
++##	The name of the object being created.
++##	</summary>
++## </param>
++## <infoflow type="write" weight="10"/>
++#
++interface(`files_pid_filetrans',`
++	gen_require(`
++		type var_t, var_run_t;
++	')
++
++	allow $1 var_t:dir search_dir_perms;
++	filetrans_pattern($1, var_run_t, $2, $3, $4)
++')
++
++########################################
++## <summary>
++## 	Create a generic lock directory within the run directories
++## </summary>
++## <param name="domain">
++## 	<summary>
++##	Domain allowed access
++##	</summary>
++## </param>
++## <param name="name" optional="true">
++##	<summary>
++##	The name of the object being created.
++##	</summary>
++## </param>
++#
++interface(`files_pid_filetrans_lock_dir',`
++	gen_require(`
++		type var_lock_t;
++	')
++
++	files_pid_filetrans($1, var_lock_t, dir, $2)
++')
++
++########################################
++## <summary>
++##	rw generic pid files inherited from another process
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_rw_inherited_generic_pid_files',`
++	gen_require(`
++		type var_run_t;
++	')
++
++	allow $1 var_run_t:file rw_inherited_file_perms;
++')
++
++########################################
++## <summary>
++##	Read and write generic process ID files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_rw_generic_pids',`
++	gen_require(`
++		type var_t, var_run_t;
++	')
++
++	files_search_pids($1)
++	list_dirs_pattern($1, var_t, var_run_t)
++	rw_files_pattern($1, var_run_t, var_run_t)
++')
++
++########################################
++## <summary>
++##	Do not audit attempts to get the attributes of
++##	daemon runtime data files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
++##	</summary>
++## </param>
++#
++interface(`files_dontaudit_getattr_all_pids',`
++	gen_require(`
++		attribute pidfile;
++		type var_run_t;
++	')
++
++	dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
++	dontaudit $1 pidfile:file getattr;
++')
++
++########################################
++## <summary>
++##	Do not audit attempts to write to daemon runtime data files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
++##	</summary>
++## </param>
++#
++interface(`files_dontaudit_write_all_pids',`
++	gen_require(`
++		attribute pidfile;
++	')
++
++	dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
++	dontaudit $1 pidfile:file write;
++')
++
++########################################
++## <summary>
++##	Do not audit attempts to ioctl daemon runtime data files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
++##	</summary>
++## </param>
++#
++interface(`files_dontaudit_ioctl_all_pids',`
++	gen_require(`
++		attribute pidfile;
++		type var_run_t;
++	')
++
++	dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
++	dontaudit $1 pidfile:file ioctl;
++')
++
++########################################
++## <summary>
++##	Relable all pid directories
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_relabel_all_pid_dirs',`
++	gen_require(`
++		attribute pidfile;
++	')
++
++	relabel_dirs_pattern($1, pidfile, pidfile)
++')
++
++########################################
++## <summary>
++##	Delete all pid sockets
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_delete_all_pid_sockets',`
++	gen_require(`
++		attribute pidfile;
++	')
++
++	allow $1 pidfile:sock_file delete_sock_file_perms;
++')
++
++########################################
++## <summary>
++##	Create all pid sockets
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_create_all_pid_sockets',`
++	gen_require(`
++		attribute pidfile;
++	')
++
++	allow $1 pidfile:sock_file create_sock_file_perms;
++')
++
++########################################
++## <summary>
++##	Create all pid named pipes
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_create_all_pid_pipes',`
++	gen_require(`
++		attribute pidfile;
++	')
++
++	allow $1 pidfile:fifo_file create_fifo_file_perms;
++')
++
++########################################
++## <summary>
++##	Delete all pid named pipes
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_delete_all_pid_pipes',`
++	gen_require(`
++		attribute pidfile;
++	')
++
++	allow $1 pidfile:fifo_file delete_fifo_file_perms;
++')
++
++########################################
++## <summary>
++##	manage all pidfile directories
++##	in the /var/run directory.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_manage_all_pid_dirs',`
++	gen_require(`
++		attribute pidfile;
++	')
++
++	manage_dirs_pattern($1,pidfile,pidfile)
++')
++
++
++########################################
++## <summary>
++##	Read all process ID files.
++## </summary>
++## <param name="domain">
++##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
++## <rolecap/>
 +#
-+interface(`files_search_spool',`
++interface(`files_read_all_pids',`
 +	gen_require(`
-+		type var_t, var_spool_t;
++		attribute pidfile;
++		type var_t;
 +	')
 +
-+	search_dirs_pattern($1, var_t, var_spool_t)
++	list_dirs_pattern($1, var_t, pidfile)
++	read_files_pattern($1, pidfile, pidfile)
++	read_lnk_files_pattern($1, pidfile, pidfile)
++')
++
++########################################
++## <summary>
++##	Relable all pid files
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_relabel_all_pid_files',`
++	gen_require(`
++		attribute pidfile;
++	')
++
++	relabel_files_pattern($1, pidfile, pidfile)
++')
++
++########################################
++## <summary>
++##	Execute generic programs in /var/run in the caller domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_exec_generic_pid_files',`
++	gen_require(`
++		type var_run_t;
++	')
++
++	exec_files_pattern($1, var_run_t, var_run_t)
++')
++
++########################################
++## <summary>
++##	manage all pidfiles 
++##	in the /var/run directory.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_manage_all_pids',`
++	gen_require(`
++		attribute pidfile;
++	')
++
++	manage_files_pattern($1,pidfile,pidfile)
++')
++
++########################################
++## <summary>
++##	Mount filesystems on all polyinstantiation
++##	member directories.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_mounton_all_poly_members',`
++	gen_require(`
++		attribute polymember;
++	')
++
++	allow $1 polymember:dir mounton;
++')
++
++########################################
++## <summary>
++##	Delete all process IDs.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`files_delete_all_pids',`
++	gen_require(`
++		attribute pidfile;
++		type var_t, var_run_t;
++	')
++
++	files_search_pids($1)
++	allow $1 var_t:dir search_dir_perms;
++	allow $1 var_run_t:dir rmdir;
++	allow $1 var_run_t:lnk_file delete_lnk_file_perms;
++	delete_files_pattern($1, pidfile, pidfile)
++	delete_fifo_files_pattern($1, pidfile, pidfile)
++	delete_sock_files_pattern($1, pidfile, { pidfile var_run_t })
++')
++
++########################################
++## <summary>
++##	Delete all process ID directories.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_delete_all_pid_dirs',`
++	gen_require(`
++		attribute pidfile;
++		type var_t, var_run_t;
++	')
++
++	files_search_pids($1)
++	allow $1 var_t:dir search_dir_perms;
++	delete_dirs_pattern($1, pidfile, pidfile)
++')
++
++########################################
++## <summary>
++##	Make the specified type a file
++##	used for spool files.
++## </summary>
++## <desc>
++##	<p>
++##	Make the specified type usable for spool files.
++##	This will also make the type usable for files, making
++##	calls to files_type() redundant.  Failure to use this interface
++##	for a spool file may result in problems with
++##	purging spool files.
++##	</p>
++##	<p>
++##	Related interfaces:
++##	</p>
++##	<ul>
++##		<li>files_spool_filetrans()</li>
++##	</ul>
++##	<p>
++##	Example usage with a domain that can create and
++##	write its spool file in the system spool file
++##	directories (/var/spool):
++##	</p>
++##	<p>
++##	type myspoolfile_t;
++##	files_spool_file(myfile_spool_t)
++##	allow mydomain_t myfile_spool_t:file { create_file_perms write_file_perms };
++##	files_spool_filetrans(mydomain_t, myfile_spool_t, file)
++##	</p>
++## </desc>
++## <param name="file_type">
++##	<summary>
++##	Type of the file to be used as a
++##	spool file.
++##	</summary>
++## </param>
++## <infoflow type="none"/>
++#
++interface(`files_spool_file',`
++	gen_require(`
++		attribute spoolfile;
++	')
++
++	files_type($1)
++	typeattribute $1 spoolfile;
++')
++
++########################################
++## <summary>
++##	Create all spool sockets
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_create_all_spool_sockets',`
++	gen_require(`
++		attribute spoolfile;
++	')
++
++	allow $1 spoolfile:sock_file create_sock_file_perms;
++')
++
++########################################
++## <summary>
++##	Delete all spool sockets
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_delete_all_spool_sockets',`
++	gen_require(`
++		attribute spoolfile;
++	')
++
++	allow $1 spoolfile:sock_file delete_sock_file_perms;
++')
++
++########################################
++## <summary>
++##	Relabel to and from all spool
++##	directory types.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`files_relabel_all_spool_dirs',`
++	gen_require(`
++		attribute spoolfile;
++		type var_t;
++	')
++
++	relabel_dirs_pattern($1, spoolfile, spoolfile)
 +')
 +
 +########################################
 +## <summary>
++##	Search the contents of generic spool
++##	directories (/var/spool).
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_search_spool',`
++	gen_require(`
++		type var_t, var_spool_t;
++	')
++
++	search_dirs_pattern($1, var_t, var_spool_t)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Create an object in the process ID directory, with a private type.
 +##	Do not audit attempts to search generic
 +##	spool directories.
 +## </summary>
@@ -12549,12 +14723,39 @@ index f962f76..51c5d2c 100644
 +## <summary>
 +##	List the contents of generic spool
 +##	(/var/spool) directories.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
+ ## </summary>
+-## <desc>
+-##	<p>
+-##	Create an object in the process ID directory (e.g., /var/run)
+-##	with a private type.  Typically this is used for creating
+-##	private PID files in /var/run with the private type instead
+-##	of the general PID file type. To accomplish this goal,
+-##	either the program must be SELinux-aware, or use this interface.
+-##	</p>
+-##	<p>
+-##	Related interfaces:
+-##	</p>
+-##	<ul>
+-##		<li>files_pid_file()</li>
+-##	</ul>
+-##	<p>
+-##	Example usage with a domain that can create and
+-##	write its PID file with a private PID file type in the
+-##	/var/run directory:
+-##	</p>
+-##	<p>
+-##	type mypidfile_t;
+-##	files_pid_file(mypidfile_t)
+-##	allow mydomain_t mypidfile_t:file { create_file_perms write_file_perms };
+-##	files_pid_filetrans(mydomain_t, mypidfile_t, file)
+-##	</p>
+-## </desc>
+ ## <param name="domain">
+ ##	<summary>
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+-## <param name="private type">
 +#
 +interface(`files_list_spool',`
 +	gen_require(`
@@ -12570,10 +14771,12 @@ index f962f76..51c5d2c 100644
 +##	spool directories (/var/spool).
 +## </summary>
 +## <param name="domain">
-+##	<summary>
+ ##	<summary>
+-##	The type of the object to be created.
 +##	Domain allowed access.
-+##	</summary>
-+## </param>
+ ##	</summary>
+ ## </param>
+-## <param name="object">
 +#
 +interface(`files_manage_generic_spool_dirs',`
 +	gen_require(`
@@ -12589,7 +14792,8 @@ index f962f76..51c5d2c 100644
 +##	Read generic spool files.
 +## </summary>
 +## <param name="domain">
-+##	<summary>
+ ##	<summary>
+-##	The object class of the object being created.
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
@@ -12642,14 +14846,19 @@ index f962f76..51c5d2c 100644
 +##	<summary>
 +##	Object class(es) (single or set including {}) for which this
 +##	the transition will occur.
-+##	</summary>
-+## </param>
-+## <param name="name" optional="true">
-+##	<summary>
-+##	The name of the object being created.
-+##	</summary>
-+## </param>
-+#
+ ##	</summary>
+ ## </param>
+ ## <param name="name" optional="true">
+@@ -6132,44 +8079,165 @@ interface(`files_write_generic_pid_pipes',`
+ ##	The name of the object being created.
+ ##	</summary>
+ ## </param>
+-## <infoflow type="write" weight="10"/>
+ #
+-interface(`files_pid_filetrans',`
+-	gen_require(`
+-		type var_t, var_run_t;
+-	')
 +interface(`files_spool_filetrans',`
 +	gen_require(`
 +		type var_t, var_spool_t;
@@ -12776,296 +14985,401 @@ index f962f76..51c5d2c 100644
 +       gen_require(`
 +               type default_t;
 +       ')
-+
+ 
+-	allow $1 var_t:dir search_dir_perms;
+-	allow $1 var_run_t:lnk_file read_lnk_file_perms;
+-	filetrans_pattern($1, var_run_t, $2, $3, $4)
 +       allow $1 default_t:dir create;
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-## 	Create a generic lock directory within the run directories
 +##	Create, default_t objects with an automatic
 +##	type transition.
-+## </summary>
-+## <param name="domain">
+ ## </summary>
+ ## <param name="domain">
+-## 	<summary>
+-##	Domain allowed access
 +##	<summary>
 +##	Domain allowed access.
-+##	</summary>
-+## </param>
+ ##	</summary>
+ ## </param>
+-## <param name="name" optional="true">
 +## <param name="object">
-+##	<summary>
+ ##	<summary>
+-##	The name of the object being created.
 +##	The class of the object being created.
-+##	</summary>
-+## </param>
-+#
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_pid_filetrans_lock_dir',`
+-	gen_require(`
+-		type var_lock_t;
+-	')
 +interface(`files_root_filetrans_default',`
 +       gen_require(`
 +               type root_t, default_t;
 +       ')
-+
+ 
+-	files_pid_filetrans($1, var_lock_t, dir, $2)
 +       filetrans_pattern($1, root_t, default_t, $2)
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Read and write generic process ID files.
 +##	manage generic symbolic links
 +##	in the /var/run directory.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -6177,20 +8245,18 @@ interface(`files_pid_filetrans_lock_dir',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_rw_generic_pids',`
 +interface(`files_manage_generic_pids_symlinks',`
-+	gen_require(`
+ 	gen_require(`
+-		type var_t, var_run_t;
 +		type var_run_t;
-+	')
-+
+ 	')
+ 
+-	allow $1 var_run_t:lnk_file read_lnk_file_perms;
+-	list_dirs_pattern($1, var_t, var_run_t)
+-	rw_files_pattern($1, var_run_t, var_run_t)
 +	manage_lnk_files_pattern($1,var_run_t,var_run_t)
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Do not audit attempts to get the attributes of
+-##	daemon runtime data files.
 +##	Do not audit attempts to getattr
 +##	all tmpfs files.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain to not audit.
-+##	</summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -6198,19 +8264,17 @@ interface(`files_rw_generic_pids',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_dontaudit_getattr_all_pids',`
 +interface(`files_dontaudit_getattr_tmpfs_files',`
-+	gen_require(`
+ 	gen_require(`
+-		attribute pidfile;
+-		type var_run_t;
 +		attribute tmpfsfile;
-+	')
-+
+ 	')
+ 
+-	dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
+-	dontaudit $1 pidfile:file getattr;
 +	allow $1 tmpfsfile:file getattr;
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Do not audit attempts to write to daemon runtime data files.
 +##	Allow read write all tmpfs files
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain to not audit.
-+##	</summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -6218,18 +8282,17 @@ interface(`files_dontaudit_getattr_all_pids',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_dontaudit_write_all_pids',`
 +interface(`files_rw_tmpfs_files',`
-+	gen_require(`
+ 	gen_require(`
+-		attribute pidfile;
 +		attribute tmpfsfile;
-+	')
-+
+ 	')
+ 
+-	dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
+-	dontaudit $1 pidfile:file write;
 +	allow $1 tmpfsfile:file { read write };
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Do not audit attempts to ioctl daemon runtime data files.
 +##	Do not audit attempts to read security files 
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain to not audit.
-+##	</summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -6237,41 +8300,43 @@ interface(`files_dontaudit_write_all_pids',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_dontaudit_ioctl_all_pids',`
 +interface(`files_dontaudit_read_security_files',`
-+	gen_require(`
+ 	gen_require(`
+-		attribute pidfile;
+-		type var_run_t;
 +		attribute security_file_type;
-+	')
-+
+ 	')
+ 
+-	dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
+-	dontaudit $1 pidfile:file ioctl;
 +	dontaudit $1 security_file_type:file read_file_perms;
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Read all process ID files.
 +##	rw any files inherited from another process
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+-## <rolecap/>
 +## <param name="object_type">
 +##  <summary>
 +##  Object type.
 +##  </summary>
 +## </param>
-+#
+ #
+-interface(`files_read_all_pids',`
 +interface(`files_rw_all_inherited_files',`
-+	gen_require(`
+ 	gen_require(`
+-		attribute pidfile;
+-		type var_t, var_run_t;
 +		attribute file_type;
-+	')
-+
+ 	')
+ 
+-	allow $1 var_run_t:lnk_file read_lnk_file_perms;
+-	list_dirs_pattern($1, var_t, pidfile)
+-	read_files_pattern($1, pidfile, pidfile)
 +	allow $1 { file_type $2 }:file rw_inherited_file_perms;
 +	allow $1 { file_type $2 }:fifo_file rw_inherited_fifo_file_perms;
 +	allow $1 { file_type $2 }:sock_file rw_inherited_sock_file_perms;
 +	allow $1 { file_type $2 }:chr_file rw_inherited_chr_file_perms;
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Delete all process IDs.
 +##	Allow any file point to be the entrypoint of this domain
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+## <rolecap/>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -6280,67 +8345,55 @@ interface(`files_read_all_pids',`
+ ## </param>
+ ## <rolecap/>
+ #
+-interface(`files_delete_all_pids',`
 +interface(`files_entrypoint_all_files',`
-+	gen_require(`
+ 	gen_require(`
+-		attribute pidfile;
+-		type var_t, var_run_t;
 +		attribute file_type;
-+	')
+ 	')
+-
+-	allow $1 var_t:dir search_dir_perms;
+-	allow $1 var_run_t:lnk_file read_lnk_file_perms;
+-	allow $1 var_run_t:dir rmdir;
+-	allow $1 var_run_t:lnk_file delete_lnk_file_perms;
+-	delete_files_pattern($1, pidfile, pidfile)
+-	delete_fifo_files_pattern($1, pidfile, pidfile)
+-	delete_sock_files_pattern($1, pidfile, { pidfile var_run_t })
 +	allow $1 file_type:file entrypoint;
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Delete all process ID directories.
 +##	Do not audit attempts to rw inherited file perms
 +##	of non security files.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain allowed access.
 +##	Domain to not audit.
-+##	</summary>
-+## </param>
-+#
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_delete_all_pid_dirs',`
 +interface(`files_dontaudit_all_non_security_leaks',`
-+	gen_require(`
+ 	gen_require(`
+-		attribute pidfile;
+-		type var_t, var_run_t;
 +		attribute non_security_file_type;
-+	')
-+
+ 	')
+ 
+-	allow $1 var_t:dir search_dir_perms;
+-	allow $1 var_run_t:lnk_file read_lnk_file_perms;
+-	delete_dirs_pattern($1, pidfile, pidfile)
 +	dontaudit $1 non_security_file_type:file_class_set rw_inherited_file_perms;
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Create, read, write and delete all
+-##	var_run (pid) content
 +##	Do not audit attempts to read or write
 +##	all leaked files.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain alloed access.
 +##	Domain to not audit.
-+##	</summary>
-+## </param>
-+#
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_manage_all_pids',`
 +interface(`files_dontaudit_leaks',`
-+	gen_require(`
+ 	gen_require(`
+-		attribute pidfile;
 +		attribute file_type;
-+	')
-+
+ 	')
+ 
+-	manage_dirs_pattern($1, pidfile, pidfile)
+-	manage_files_pattern($1, pidfile, pidfile)
+-	manage_lnk_files_pattern($1, pidfile, pidfile)
 +	dontaudit $1 file_type:file rw_inherited_file_perms;
 +	dontaudit $1 file_type:lnk_file { read };
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Mount filesystems on all polyinstantiation
+-##	member directories.
 +##	Allow domain to create_file_ass all types
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -6348,37 +8401,37 @@ interface(`files_manage_all_pids',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_mounton_all_poly_members',`
 +interface(`files_create_as_is_all_files',`
-+	gen_require(`
+ 	gen_require(`
+-		attribute polymember;
 +		attribute file_type;
 +		class kernel_service create_files_as;
-+	')
-+
+ 	')
+ 
+-	allow $1 polymember:dir mounton;
 +	allow $1 file_type:kernel_service create_files_as;
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Search the contents of generic spool
+-##	directories (/var/spool).
 +##	Do not audit attempts to check the 
 +##	access on all files
-+## </summary>
-+## <param name="domain">
-+##	<summary>
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain allowed access.
 +##	Domain to not audit.
-+##	</summary>
-+## </param>
-+#
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_search_spool',`
 +interface(`files_dontaudit_all_access_check',`
-+	gen_require(`
+ 	gen_require(`
+-		type var_t, var_spool_t;
 +		attribute file_type;
-+	')
-+
+ 	')
+ 
+-	search_dirs_pattern($1, var_t, var_spool_t)
 +	dontaudit $1 file_type:dir_file_class_set audit_access;
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Do not audit attempts to search generic
+-##	spool directories.
 +##	Do not audit attempts to write to all files
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain to not audit.
-+##	</summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -6386,132 +8439,206 @@ interface(`files_search_spool',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_dontaudit_search_spool',`
 +interface(`files_dontaudit_write_all_files',`
-+	gen_require(`
+ 	gen_require(`
+-		type var_spool_t;
 +		attribute file_type;
-+	')
-+
+ 	')
+ 
+-	dontaudit $1 var_spool_t:dir search_dir_perms;
 +	dontaudit $1 file_type:dir_file_class_set write;
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	List the contents of generic spool
+-##	(/var/spool) directories.
 +##	Allow domain to delete to all files
-+## </summary>
-+## <param name="domain">
-+##	<summary>
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain allowed access.
 +##	Domain to not audit.
-+##	</summary>
-+## </param>
-+#
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_list_spool',`
 +interface(`files_delete_all_non_security_files',`
-+	gen_require(`
+ 	gen_require(`
+-		type var_t, var_spool_t;
 +		attribute non_security_file_type;
-+	')
-+
+ 	')
+ 
+-	list_dirs_pattern($1, var_t, var_spool_t)
 +	allow $1 non_security_file_type:dir del_entry_dir_perms;
 +	allow $1 non_security_file_type:file_class_set delete_file_perms;
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Create, read, write, and delete generic
+-##	spool directories (/var/spool).
 +##	Allow domain to delete to all dirs
-+## </summary>
-+## <param name="domain">
-+##	<summary>
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain allowed access.
 +##	Domain to not audit.
-+##	</summary>
-+## </param>
-+#
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_manage_generic_spool_dirs',`
 +interface(`files_delete_all_non_security_dirs',`
-+	gen_require(`
+ 	gen_require(`
+-		type var_t, var_spool_t;
 +		attribute non_security_file_type;
-+	')
-+
+ 	')
+ 
+-	allow $1 var_t:dir search_dir_perms;
+-	manage_dirs_pattern($1, var_spool_t, var_spool_t)
 +	allow $1 non_security_file_type:dir { del_entry_dir_perms delete_dir_perms };
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Read generic spool files.
 +##	Transition named content in the var_run_t directory
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##      Domain allowed access.
-+##	</summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain allowed access.
++##      Domain allowed access.
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_read_generic_spool',`
 +interface(`files_filetrans_named_content',`
-+	gen_require(`
+ 	gen_require(`
+-		type var_t, var_spool_t;
 +        type etc_t;
 +		type mnt_t;
 +		type usr_t;
@@ -13074,8 +15388,10 @@ index f962f76..51c5d2c 100644
 +		type var_run_t;
 +        type var_lock_t;
 +		type tmp_t;
-+	')
-+
+ 	')
+ 
+-	list_dirs_pattern($1, var_t, var_spool_t)
+-	read_files_pattern($1, var_spool_t, var_spool_t)
 +	files_pid_filetrans($1, mnt_t, dir, "media")
 +	files_root_filetrans($1, etc_runtime_t, file, ".readahead")
 +	files_root_filetrans($1, etc_runtime_t, file, ".autorelabel")
@@ -13112,13 +15428,16 @@ index f962f76..51c5d2c 100644
 +	files_tmp_filetrans($1, tmp_t, dir, "tmp-inst")
 +	files_var_filetrans($1, tmp_t, dir, "tmp")
 +    files_var_filetrans($1, var_run_t, dir, "run")
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Create, read, write, and delete generic
+-##	spool files.
 +##	Make the specified type a
 +##	base file.
-+## </summary>
+ ## </summary>
+-## <param name="domain">
 +## <desc>
 +##	<p>
 +##	Identify file type as base file type.  Tools will use this attribute,
@@ -13126,35 +15445,51 @@ index f962f76..51c5d2c 100644
 +##	</p>
 +## </desc>
 +## <param name="file_type">
-+##	<summary>
+ ##	<summary>
+-##	Domain allowed access.
 +##	Type to be used as a base files.
-+##	</summary>
-+## </param>
+ ##	</summary>
+ ## </param>
 +## <infoflow type="none"/>
-+#
+ #
+-interface(`files_manage_generic_spool',`
 +interface(`files_base_file',`
-+	gen_require(`
+ 	gen_require(`
+-		type var_t, var_spool_t;
 +		attribute base_file_type;
-+	')
+ 	')
+-
+-	allow $1 var_t:dir search_dir_perms;
+-	manage_files_pattern($1, var_spool_t, var_spool_t)
 +	files_type($1)
 +	typeattribute $1 base_file_type;
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Create objects in the spool directory
+-##	with a private type with a type transition.
 +##	Make the specified type a
 +##	base read only file.
-+## </summary>
+ ## </summary>
+-## <param name="domain">
+-##	<summary>
+-##	Domain allowed access.
+-##	</summary>
+-## </param>
+-## <param name="file">
 +## <desc>
 +##	<p>
 +##	Make the specified type readable for all domains.
 +##	</p>
 +## </desc>
 +## <param name="file_type">
-+##	<summary>
+ ##	<summary>
+-##	Type to which the created node will be transitioned.
 +##	Type to be used as a base read only files.
-+##	</summary>
-+## </param>
+ ##	</summary>
+ ## </param>
+-## <param name="class">
 +## <infoflow type="none"/>
 +#
 +interface(`files_ro_base_file',`
@@ -13170,10 +15505,13 @@ index f962f76..51c5d2c 100644
 +##	Read all ro base files.
 +## </summary>
 +## <param name="domain">
-+##	<summary>
+ ##	<summary>
+-##	Object class(es) (single or set including {}) for which this
+-##	the transition will occur.
 +##	Domain allowed access.
-+##	</summary>
-+## </param>
+ ##	</summary>
+ ## </param>
+-## <param name="name" optional="true">
 +## <rolecap/>
 +#
 +interface(`files_read_all_base_ro_files',`
@@ -13191,54 +15529,104 @@ index f962f76..51c5d2c 100644
 +##	Execute all base ro files.
 +## </summary>
 +## <param name="domain">
-+##	<summary>
+ ##	<summary>
+-##	The name of the object being created.
 +##	Domain allowed access.
-+##	</summary>
-+## </param>
+ ##	</summary>
+ ## </param>
 +## <rolecap/>
-+#
+ #
+-interface(`files_spool_filetrans',`
 +interface(`files_exec_all_base_ro_files',`
-+	gen_require(`
+ 	gen_require(`
+-		type var_t, var_spool_t;
 +		attribute base_ro_file_type;
-+	')
-+
+ 	')
+ 
+-	allow $1 var_t:dir search_dir_perms;
+-	filetrans_pattern($1, var_spool_t, $2, $3, $4)
 +	can_exec($1, base_ro_file_type)
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Allow access to manage all polyinstantiated
+-##	directories on the system.
 +##	Allow the specified domain to modify the systemd configuration of 
 +##	any file.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -6519,53 +8646,17 @@ interface(`files_spool_filetrans',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_polyinstantiate_all',`
 +interface(`files_config_all_files',`
-+	gen_require(`
+ 	gen_require(`
+-		attribute polydir, polymember, polyparent;
+-		type poly_t;
 +		attribute file_type;
-+	')
-+
+ 	')
+ 
+-	# Need to give access to /selinux/member
+-	selinux_compute_member($1)
+-
+-	# Need sys_admin capability for mounting
+-	allow $1 self:capability { chown fsetid sys_admin fowner };
+-
+-	# Need to give access to the directories to be polyinstantiated
+-	allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir };
+-
+-	# Need to give access to the polyinstantiated subdirectories
+-	allow $1 polymember:dir search_dir_perms;
+-
+-	# Need to give access to parent directories where original
+-	# is remounted for polyinstantiation aware programs (like gdm)
+-	allow $1 polyparent:dir { getattr mounton };
+-
+-	# Need to give permission to create directories where applicable
+-	allow $1 self:process setfscreate;
+-	allow $1 polymember: dir { create setattr relabelto };
+-	allow $1 polydir: dir { write add_name open };
+-	allow $1 polyparent:dir { open read write remove_name add_name relabelfrom relabelto };
+-
+-	# Default type for mountpoints
+-	allow $1 poly_t:dir { create mounton };
+-	fs_unmount_xattr_fs($1)
+-
+-	fs_mount_tmpfs($1)
+-	fs_unmount_tmpfs($1)
+-
+-	ifdef(`distro_redhat',`
+-		# namespace.init
+-		files_search_tmp($1)
+-		files_search_home($1)
+-		corecmd_exec_bin($1)
+-		seutil_domtrans_setfiles($1)
+-	')
 +	allow $1 file_type:service all_service_perms;
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Unconfined access to files.
 +##	Get the status of etc_t files
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -6573,10 +8664,10 @@ interface(`files_polyinstantiate_all',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_unconfined',`
 +interface(`files_status_etc',`
-+	gen_require(`
+ 	gen_require(`
+-		attribute files_unconfined_type;
 +		type etc_t;
-+	')
-+
+ 	')
+ 
+-	typeattribute $1 files_unconfined_type;
 +	allow $1 etc_t:service status;
  ')
 diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
@@ -19006,7 +21394,7 @@ index ff92430..36740ea 100644
  ## <summary>
  ##	Execute a generic bin program in the sysadm domain.
 diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
-index 2522ca6..0ad95e4 100644
+index 2522ca6..d58ced2 100644
 --- a/policy/modules/roles/sysadm.te
 +++ b/policy/modules/roles/sysadm.te
 @@ -5,39 +5,86 @@ policy_module(sysadm, 2.6.1)
@@ -19159,7 +21547,7 @@ index 2522ca6..0ad95e4 100644
  ')
  
  optional_policy(`
-@@ -122,11 +170,19 @@ optional_policy(`
+@@ -122,11 +170,25 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -19178,10 +21566,16 @@ index 2522ca6..0ad95e4 100644
 +
 +optional_policy(`
 +	dbus_role_template(sysadm, sysadm_r, sysadm_t)
++
++    optional_policy(`
++        systemd_dbus_chat_timedated(sysadm_t)
++        systemd_dbus_chat_hostnamed(sysadm_t)
++        systemd_dbus_chat_localed(sysadm_t)
++    ')
  ')
  
  optional_policy(`
-@@ -140,6 +196,10 @@ optional_policy(`
+@@ -140,6 +202,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -19192,7 +21586,7 @@ index 2522ca6..0ad95e4 100644
  	dmesg_exec(sysadm_t)
  ')
  
-@@ -156,6 +216,10 @@ optional_policy(`
+@@ -156,6 +222,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -19203,7 +21597,7 @@ index 2522ca6..0ad95e4 100644
  	fstools_run(sysadm_t, sysadm_r)
  ')
  
-@@ -175,6 +239,13 @@ optional_policy(`
+@@ -175,6 +245,13 @@ optional_policy(`
  	ipsec_stream_connect(sysadm_t)
  	# for lsof
  	ipsec_getattr_key_sockets(sysadm_t)
@@ -19217,7 +21611,7 @@ index 2522ca6..0ad95e4 100644
  ')
  
  optional_policy(`
-@@ -182,15 +253,20 @@ optional_policy(`
+@@ -182,15 +259,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -19229,19 +21623,19 @@ index 2522ca6..0ad95e4 100644
 -	libs_run_ldconfig(sysadm_t, sysadm_r)
 +	kerberos_exec_kadmind(sysadm_t)
 +	kerberos_filetrans_named_content(sysadm_t)
++')
++
++optional_policy(`
++	kudzu_run(sysadm_t, sysadm_r)
  ')
  
  optional_policy(`
 -	lockdev_role(sysadm_r, sysadm_t)
-+	kudzu_run(sysadm_t, sysadm_r)
-+')
-+
-+optional_policy(`
 +	libs_run_ldconfig(sysadm_t, sysadm_r)
  ')
  
  optional_policy(`
-@@ -210,22 +286,20 @@ optional_policy(`
+@@ -210,22 +292,20 @@ optional_policy(`
  	modutils_run_depmod(sysadm_t, sysadm_r)
  	modutils_run_insmod(sysadm_t, sysadm_r)
  	modutils_run_update_mods(sysadm_t, sysadm_r)
@@ -19270,7 +21664,7 @@ index 2522ca6..0ad95e4 100644
  ')
  
  optional_policy(`
-@@ -237,14 +311,27 @@ optional_policy(`
+@@ -237,14 +317,27 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -19298,7 +21692,7 @@ index 2522ca6..0ad95e4 100644
  ')
  
  optional_policy(`
-@@ -252,10 +339,20 @@ optional_policy(`
+@@ -252,10 +345,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -19319,7 +21713,7 @@ index 2522ca6..0ad95e4 100644
  	portage_run(sysadm_t, sysadm_r)
  	portage_run_fetch(sysadm_t, sysadm_r)
  	portage_run_gcc_config(sysadm_t, sysadm_r)
-@@ -266,35 +363,41 @@ optional_policy(`
+@@ -266,35 +369,41 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -19368,7 +21762,7 @@ index 2522ca6..0ad95e4 100644
  ')
  
  optional_policy(`
-@@ -308,6 +411,7 @@ optional_policy(`
+@@ -308,6 +417,7 @@ optional_policy(`
  
  optional_policy(`
  	screen_role_template(sysadm, sysadm_r, sysadm_t)
@@ -19376,7 +21770,7 @@ index 2522ca6..0ad95e4 100644
  ')
  
  optional_policy(`
-@@ -315,12 +419,20 @@ optional_policy(`
+@@ -315,12 +425,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -19398,7 +21792,7 @@ index 2522ca6..0ad95e4 100644
  ')
  
  optional_policy(`
-@@ -345,7 +457,18 @@ optional_policy(`
+@@ -345,7 +463,18 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -19418,7 +21812,7 @@ index 2522ca6..0ad95e4 100644
  ')
  
  optional_policy(`
-@@ -356,19 +479,11 @@ optional_policy(`
+@@ -356,19 +485,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -19439,7 +21833,7 @@ index 2522ca6..0ad95e4 100644
  ')
  
  optional_policy(`
-@@ -380,10 +495,6 @@ optional_policy(`
+@@ -380,10 +501,6 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -19450,7 +21844,7 @@ index 2522ca6..0ad95e4 100644
  	usermanage_run_admin_passwd(sysadm_t, sysadm_r)
  	usermanage_run_groupadd(sysadm_t, sysadm_r)
  	usermanage_run_useradd(sysadm_t, sysadm_r)
-@@ -391,6 +502,9 @@ optional_policy(`
+@@ -391,6 +508,9 @@ optional_policy(`
  
  optional_policy(`
  	virt_stream_connect(sysadm_t)
@@ -19460,7 +21854,7 @@ index 2522ca6..0ad95e4 100644
  ')
  
  optional_policy(`
-@@ -398,31 +512,34 @@ optional_policy(`
+@@ -398,31 +518,34 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -19501,7 +21895,7 @@ index 2522ca6..0ad95e4 100644
  		auth_role(sysadm_r, sysadm_t)
  	')
  
-@@ -435,10 +552,6 @@ ifndef(`distro_redhat',`
+@@ -435,10 +558,6 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -19512,7 +21906,7 @@ index 2522ca6..0ad95e4 100644
  		dbus_role_template(sysadm, sysadm_r, sysadm_t)
  
  		optional_policy(`
-@@ -459,15 +572,79 @@ ifndef(`distro_redhat',`
+@@ -459,15 +578,79 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -33091,7 +35485,7 @@ index b50c5fe..e55a556 100644
 +/var/webmin(/.*)?		gen_context(system_u:object_r:var_log_t,s0)
 +
 diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
-index 4e94884..b144ffe 100644
+index 4e94884..8de26ad 100644
 --- a/policy/modules/system/logging.if
 +++ b/policy/modules/system/logging.if
 @@ -233,7 +233,7 @@ interface(`logging_run_auditd',`
@@ -33250,12 +35644,7 @@ index 4e94884..b144ffe 100644
 +    read_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t)
 +    list_dirs_pattern($1, syslogd_var_run_t, syslogd_var_run_t)
 +')
- 
--	# the type of socket depends on the syslog daemon
--	allow $1 syslogd_t:unix_dgram_socket sendto;
--	allow $1 syslogd_t:unix_stream_socket connectto;
--	allow $1 self:unix_dgram_socket create_socket_perms;
--	allow $1 self:unix_stream_socket create_socket_perms;
++
 +########################################
 +## <summary>
 +##	Relabel the syslog pid sock_file.
@@ -33270,14 +35659,15 @@ index 4e94884..b144ffe 100644
 +	gen_require(`
 +		type syslogd_var_run_t;
 +	')
- 
--	# If syslog is down, the glibc syslog() function
--	# will write to the console.
--	term_write_console($1)
--	term_dontaudit_read_console($1)
++
 +	allow $1 syslogd_var_run_t:sock_file relabel_sock_file_perms;
 +')
-+
+ 
+-	# the type of socket depends on the syslog daemon
+-	allow $1 syslogd_t:unix_dgram_socket sendto;
+-	allow $1 syslogd_t:unix_stream_socket connectto;
+-	allow $1 self:unix_dgram_socket create_socket_perms;
+-	allow $1 self:unix_stream_socket create_socket_perms;
 +########################################
 +## <summary>
 +##	Connect to the syslog control unix stream socket.
@@ -33292,13 +35682,43 @@ index 4e94884..b144ffe 100644
 +	gen_require(`
 +		type syslogd_t, syslogd_var_run_t;
 +	')
-+
+ 
+-	# If syslog is down, the glibc syslog() function
+-	# will write to the console.
+-	term_write_console($1)
+-	term_dontaudit_read_console($1)
 +	files_search_pids($1)
 +	stream_connect_pattern($1, syslogd_var_run_t, syslogd_var_run_t, syslogd_t)
  ')
  
  ########################################
-@@ -609,6 +753,25 @@ interface(`logging_read_syslog_config',`
+@@ -571,6 +715,25 @@ interface(`logging_read_audit_config',`
+ 
+ ########################################
+ ## <summary>
++##	dontaudit search of auditd log files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`logging_dontaudit_search_audit_logs',`
++	gen_require(`
++		type auditd_log_t;
++	')
++
++	dontaudit $1 auditd_log_t:dir search_dir_perms;
++')
++
++########################################
++## <summary>
+ ##	dontaudit search of auditd configuration files.
+ ## </summary>
+ ## <param name="domain">
+@@ -609,6 +772,25 @@ interface(`logging_read_syslog_config',`
  
  ########################################
  ## <summary>
@@ -33324,7 +35744,7 @@ index 4e94884..b144ffe 100644
  ##	Allows the domain to open a file in the
  ##	log directory, but does not allow the listing
  ##	of the contents of the log directory.
-@@ -722,6 +885,25 @@ interface(`logging_setattr_all_log_dirs',`
+@@ -722,6 +904,25 @@ interface(`logging_setattr_all_log_dirs',`
  	allow $1 logfile:dir setattr;
  ')
  
@@ -33350,7 +35770,7 @@ index 4e94884..b144ffe 100644
  ########################################
  ## <summary>
  ##	Do not audit attempts to get the attributes
-@@ -776,7 +958,25 @@ interface(`logging_append_all_logs',`
+@@ -776,7 +977,25 @@ interface(`logging_append_all_logs',`
  	')
  
  	files_search_var($1)
@@ -33377,7 +35797,7 @@ index 4e94884..b144ffe 100644
  ')
  
  ########################################
-@@ -859,7 +1059,7 @@ interface(`logging_manage_all_logs',`
+@@ -859,7 +1078,7 @@ interface(`logging_manage_all_logs',`
  
  	files_search_var($1)
  	manage_files_pattern($1, logfile, logfile)
@@ -33386,7 +35806,7 @@ index 4e94884..b144ffe 100644
  ')
  
  ########################################
-@@ -885,6 +1085,44 @@ interface(`logging_read_generic_logs',`
+@@ -885,6 +1104,44 @@ interface(`logging_read_generic_logs',`
  
  ########################################
  ## <summary>
@@ -33431,7 +35851,7 @@ index 4e94884..b144ffe 100644
  ##	Write generic log files.
  ## </summary>
  ## <param name="domain">
-@@ -905,6 +1143,24 @@ interface(`logging_write_generic_logs',`
+@@ -905,6 +1162,24 @@ interface(`logging_write_generic_logs',`
  
  ########################################
  ## <summary>
@@ -33456,7 +35876,7 @@ index 4e94884..b144ffe 100644
  ##	Dontaudit Write generic log files.
  ## </summary>
  ## <param name="domain">
-@@ -984,11 +1240,16 @@ interface(`logging_admin_audit',`
+@@ -984,11 +1259,16 @@ interface(`logging_admin_audit',`
  		type auditd_t, auditd_etc_t, auditd_log_t;
  		type auditd_var_run_t;
  		type auditd_initrc_exec_t;
@@ -33474,7 +35894,7 @@ index 4e94884..b144ffe 100644
  	manage_dirs_pattern($1, auditd_etc_t, auditd_etc_t)
  	manage_files_pattern($1, auditd_etc_t, auditd_etc_t)
  
-@@ -1004,6 +1265,33 @@ interface(`logging_admin_audit',`
+@@ -1004,6 +1284,33 @@ interface(`logging_admin_audit',`
  	domain_system_change_exemption($1)
  	role_transition $2 auditd_initrc_exec_t system_r;
  	allow $2 system_r;
@@ -33508,7 +35928,7 @@ index 4e94884..b144ffe 100644
  ')
  
  ########################################
-@@ -1032,10 +1320,15 @@ interface(`logging_admin_syslog',`
+@@ -1032,10 +1339,15 @@ interface(`logging_admin_syslog',`
  		type syslogd_initrc_exec_t;
  	')
  
@@ -33526,7 +35946,7 @@ index 4e94884..b144ffe 100644
  
  	manage_dirs_pattern($1, klogd_var_run_t, klogd_var_run_t)
  	manage_files_pattern($1, klogd_var_run_t, klogd_var_run_t)
-@@ -1057,6 +1350,8 @@ interface(`logging_admin_syslog',`
+@@ -1057,6 +1369,8 @@ interface(`logging_admin_syslog',`
  	manage_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t)
  
  	logging_manage_all_logs($1)
@@ -33535,7 +35955,7 @@ index 4e94884..b144ffe 100644
  
  	init_labeled_script_domtrans($1, syslogd_initrc_exec_t)
  	domain_system_change_exemption($1)
-@@ -1085,3 +1380,54 @@ interface(`logging_admin',`
+@@ -1085,3 +1399,54 @@ interface(`logging_admin',`
  	logging_admin_audit($1, $2)
  	logging_admin_syslog($1, $2)
  ')
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index f447195..0f72f5b 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -9084,7 +9084,7 @@ index 531a8f2..67b6c3d 100644
 +	allow $1 named_unit_file_t:service all_service_perms;
  ')
 diff --git a/bind.te b/bind.te
-index 1241123..ad2dccc 100644
+index 1241123..a0b7423 100644
 --- a/bind.te
 +++ b/bind.te
 @@ -34,7 +34,7 @@ type named_checkconf_exec_t;
@@ -9182,7 +9182,17 @@ index 1241123..ad2dccc 100644
  corenet_all_recvfrom_netlabel(ndc_t)
  corenet_tcp_sendrecv_generic_if(ndc_t)
  corenet_tcp_sendrecv_generic_node(ndc_t)
-@@ -257,7 +268,7 @@ init_use_script_ptys(ndc_t)
+@@ -242,6 +253,9 @@ corenet_tcp_bind_generic_node(ndc_t)
+ corenet_tcp_connect_rndc_port(ndc_t)
+ corenet_sendrecv_rndc_client_packets(ndc_t)
+ 
++dev_read_rand(ndc_t)
++dev_read_urand(ndc_t)
++
+ domain_use_interactive_fds(ndc_t)
+ 
+ files_search_pids(ndc_t)
+@@ -257,7 +271,7 @@ init_use_script_ptys(ndc_t)
  
  logging_send_syslog_msg(ndc_t)
  
@@ -26659,7 +26669,7 @@ index 50d0084..94e1936 100644
  
  	fail2ban_run_client($1, $2)
 diff --git a/fail2ban.te b/fail2ban.te
-index cf0e567..fed8792 100644
+index cf0e567..2b435ed 100644
 --- a/fail2ban.te
 +++ b/fail2ban.te
 @@ -37,7 +37,7 @@ role fail2ban_client_roles types fail2ban_client_t;
@@ -26687,9 +26697,11 @@ index cf0e567..fed8792 100644
  files_list_var(fail2ban_t)
  files_dontaudit_list_tmp(fail2ban_t)
  
-@@ -94,22 +92,33 @@ auth_use_nsswitch(fail2ban_t)
+@@ -93,23 +91,35 @@ auth_use_nsswitch(fail2ban_t)
+ 
  logging_read_all_logs(fail2ban_t)
  logging_send_syslog_msg(fail2ban_t)
++logging_dontaudit_search_audit_logs(fail2ban_t)
  
 -miscfiles_read_localization(fail2ban_t)
 +mta_send_mail(fail2ban_t)
@@ -26725,7 +26737,7 @@ index cf0e567..fed8792 100644
  	iptables_domtrans(fail2ban_t)
  ')
  
-@@ -118,6 +127,10 @@ optional_policy(`
+@@ -118,6 +128,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -26736,7 +26748,7 @@ index cf0e567..fed8792 100644
  	shorewall_domtrans(fail2ban_t)
  ')
  
-@@ -131,22 +144,29 @@ allow fail2ban_client_t self:unix_stream_socket { create connect write read };
+@@ -131,22 +145,30 @@ allow fail2ban_client_t self:unix_stream_socket { create connect write read };
  
  domtrans_pattern(fail2ban_client_t, fail2ban_exec_t, fail2ban_t)
  
@@ -26761,9 +26773,10 @@ index cf0e567..fed8792 100644
 +
  logging_getattr_all_logs(fail2ban_client_t)
  logging_search_all_logs(fail2ban_client_t)
- 
--miscfiles_read_localization(fail2ban_client_t)
 -
+-miscfiles_read_localization(fail2ban_client_t)
++logging_dontaudit_search_audit_logs(fail2ban_client_t)
+ 
  userdom_dontaudit_search_user_home_dirs(fail2ban_client_t)
  userdom_use_user_terminals(fail2ban_client_t)
 +
@@ -27484,10 +27497,10 @@ index 5010f04..3b73741 100644
  
  optional_policy(`
 diff --git a/fprintd.te b/fprintd.te
-index 92a6479..e37a473 100644
+index 92a6479..addf8a6 100644
 --- a/fprintd.te
 +++ b/fprintd.te
-@@ -20,6 +20,8 @@ files_type(fprintd_var_lib_t)
+@@ -20,23 +20,26 @@ files_type(fprintd_var_lib_t)
  allow fprintd_t self:capability sys_nice;
  allow fprintd_t self:process { getsched setsched signal sigkill };
  allow fprintd_t self:fifo_file rw_fifo_file_perms;
@@ -27496,8 +27509,11 @@ index 92a6479..e37a473 100644
  
  manage_dirs_pattern(fprintd_t, fprintd_var_lib_t, fprintd_var_lib_t)
  manage_files_pattern(fprintd_t, fprintd_var_lib_t, fprintd_var_lib_t)
-@@ -28,15 +30,14 @@ kernel_read_system_state(fprintd_t)
  
+ kernel_read_system_state(fprintd_t)
+ 
++corecmd_exec_bin(fprintd_t)
++
  dev_list_usbfs(fprintd_t)
  dev_read_sysfs(fprintd_t)
 +dev_read_urand(fprintd_t)
@@ -27514,7 +27530,7 @@ index 92a6479..e37a473 100644
  
  userdom_use_user_ptys(fprintd_t)
  userdom_read_all_users_state(fprintd_t)
-@@ -54,8 +55,17 @@ optional_policy(`
+@@ -54,8 +57,17 @@ optional_policy(`
  	')
  ')
  
@@ -29431,10 +29447,10 @@ index 9eacb2c..2f3fa34 100644
  	init_labeled_script_domtrans($1, { glance_api_initrc_exec_t glance_registry_initrc_exec_t })
  	domain_system_change_exemption($1)
 diff --git a/glance.te b/glance.te
-index 5cd0909..f07f415 100644
+index 5cd0909..e405249 100644
 --- a/glance.te
 +++ b/glance.te
-@@ -5,10 +5,16 @@ policy_module(glance, 1.1.0)
+@@ -5,10 +5,23 @@ policy_module(glance, 1.1.0)
  # Declarations
  #
  
@@ -29445,6 +29461,13 @@ index 5cd0909..f07f415 100644
 +## </desc>
 +gen_tunable(glance_use_fusefs, false)
 +
++## <desc>
++## <p>
++## Allow glance domain to use executable memory and executable stack
++## </p>
++## </desc>
++gen_tunable(glance_use_execmem, false)
++
  attribute glance_domain;
  
 -type glance_registry_t, glance_domain;
@@ -29453,7 +29476,7 @@ index 5cd0909..f07f415 100644
  init_daemon_domain(glance_registry_t, glance_registry_exec_t)
  
  type glance_registry_initrc_exec_t;
-@@ -17,13 +23,21 @@ init_script_file(glance_registry_initrc_exec_t)
+@@ -17,13 +30,21 @@ init_script_file(glance_registry_initrc_exec_t)
  type glance_registry_tmp_t;
  files_tmp_file(glance_registry_tmp_t)
  
@@ -29477,7 +29500,7 @@ index 5cd0909..f07f415 100644
  type glance_log_t;
  logging_log_file(glance_log_t)
  
-@@ -41,6 +55,7 @@ files_pid_file(glance_var_run_t)
+@@ -41,6 +62,7 @@ files_pid_file(glance_var_run_t)
  # Common local policy
  #
  
@@ -29485,7 +29508,7 @@ index 5cd0909..f07f415 100644
  allow glance_domain self:fifo_file rw_fifo_file_perms;
  allow glance_domain self:unix_stream_socket create_stream_socket_perms;
  allow glance_domain self:tcp_socket { accept listen };
-@@ -56,29 +71,38 @@ manage_files_pattern(glance_domain, glance_var_lib_t, glance_var_lib_t)
+@@ -56,29 +78,40 @@ manage_files_pattern(glance_domain, glance_var_lib_t, glance_var_lib_t)
  manage_dirs_pattern(glance_domain, glance_var_run_t, glance_var_run_t)
  manage_files_pattern(glance_domain, glance_var_run_t, glance_var_run_t)
  
@@ -29523,7 +29546,9 @@ index 5cd0909..f07f415 100644
 +	fs_getattr_fusefs(glance_domain)
 +')
 +
-+
++tunable_policy(`glance_use_execmem',`
++    allow glance_domain self:process { execmem execstack };
++')
 +
 +optional_policy(`
 +    mysql_read_db_lnk_files(glance_domain)
@@ -29532,7 +29557,7 @@ index 5cd0909..f07f415 100644
  ########################################
  #
  # Registry local policy
-@@ -88,8 +112,14 @@ manage_dirs_pattern(glance_registry_t, glance_registry_tmp_t, glance_registry_tm
+@@ -88,8 +121,14 @@ manage_dirs_pattern(glance_registry_t, glance_registry_tmp_t, glance_registry_tm
  manage_files_pattern(glance_registry_t, glance_registry_tmp_t, glance_registry_tmp_t)
  files_tmp_filetrans(glance_registry_t, glance_registry_tmp_t, { dir file })
  
@@ -29547,7 +29572,7 @@ index 5cd0909..f07f415 100644
  
  logging_send_syslog_msg(glance_registry_t)
  
-@@ -108,13 +138,24 @@ manage_files_pattern(glance_api_t, glance_tmp_t, glance_tmp_t)
+@@ -108,13 +147,24 @@ manage_files_pattern(glance_api_t, glance_tmp_t, glance_tmp_t)
  files_tmp_filetrans(glance_api_t, glance_tmp_t, { dir file })
  can_exec(glance_api_t, glance_tmp_t)
  
@@ -47842,7 +47867,7 @@ index f42896c..1e1a679 100644
 +/var/spool/mail(/.*)?		gen_context(system_u:object_r:mail_spool_t,s0)
 +/var/spool/smtpd(/.*)?		gen_context(system_u:object_r:mail_spool_t,s0)
 diff --git a/mta.if b/mta.if
-index ed81cac..8f217ea 100644
+index ed81cac..837a43a 100644
 --- a/mta.if
 +++ b/mta.if
 @@ -1,4 +1,4 @@
@@ -47994,11 +48019,13 @@ index ed81cac..8f217ea 100644
  ')
  
 -#######################################
--## <summary>
++######################################
+ ## <summary>
 -##	Read mta mail home files.
--## </summary>
--## <param name="domain">
--##	<summary>
++##  Dontaudit read and write an leaked file descriptors
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
 -##	Domain allowed access.
 -##	</summary>
 -## </param>
@@ -48085,15 +48112,13 @@ index ed81cac..8f217ea 100644
 -')
 -
 -########################################
-+######################################
- ## <summary>
+-## <summary>
 -##	Create specified objects in user home
 -##	directories with the generic mail
 -##	home rw type.
-+##  Dontaudit read and write an leaked file descriptors
- ## </summary>
- ## <param name="domain">
- ##	<summary>
+-## </summary>
+-## <param name="domain">
+-##	<summary>
 -##	Domain allowed access.
 -##	</summary>
 -## </param>
@@ -48782,7 +48807,7 @@ index ed81cac..8f217ea 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1081,3 +1051,177 @@ interface(`mta_rw_user_mail_stream_sockets',`
+@@ -1081,3 +1051,200 @@ interface(`mta_rw_user_mail_stream_sockets',`
  
  	allow $1 user_mail_domain:unix_stream_socket rw_socket_perms;
  ')
@@ -48813,6 +48838,29 @@ index ed81cac..8f217ea 100644
 +
 +######################################
 +## <summary>
++##	ALlow domain to append mail content in the homedir
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`mta_append_home',`
++	gen_require(`
++		type mail_home_t;
++	')
++
++	userdom_search_user_home_dirs($1)
++	append_files_pattern($1, mail_home_t, mail_home_t)
++
++	ifdef(`distro_redhat',`
++		userdom_search_admin_dir($1)
++	')
++')
++
++######################################
++## <summary>
 +##	ALlow domain to read mail content in the homedir
 +## </summary>
 +## <param name="domain">
@@ -48961,7 +49009,7 @@ index ed81cac..8f217ea 100644
 +	mta_filetrans_admin_home_content($1)
 +')
 diff --git a/mta.te b/mta.te
-index ff1d68c..4cf1204 100644
+index ff1d68c..45bdd6f 100644
 --- a/mta.te
 +++ b/mta.te
 @@ -14,8 +14,6 @@ attribute mailserver_sender;
@@ -49278,7 +49326,7 @@ index ff1d68c..4cf1204 100644
  
  allow mailserver_delivery mail_spool_t:dir list_dir_perms;
  create_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
-@@ -331,40 +368,26 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
+@@ -331,44 +368,48 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
  create_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
  read_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
  
@@ -49302,50 +49350,53 @@ index ff1d68c..4cf1204 100644
 -	fs_manage_cifs_dirs(mailserver_delivery)
 -	fs_manage_cifs_files(mailserver_delivery)
 -	fs_read_cifs_symlinks(mailserver_delivery)
--')
--
--tunable_policy(`use_nfs_home_dirs',`
--	fs_manage_nfs_dirs(mailserver_delivery)
--	fs_manage_nfs_files(mailserver_delivery)
--	fs_read_nfs_symlinks(mailserver_delivery)
--')
--
- optional_policy(`
--	arpwatch_search_data(mailserver_delivery)
++optional_policy(`
 +	dovecot_manage_spool(mailserver_delivery)
 +	dovecot_domtrans_deliver(mailserver_delivery)
  ')
  
- optional_policy(`
--	dovecot_manage_spool(mailserver_delivery)
--	dovecot_domtrans_deliver(mailserver_delivery)
+-tunable_policy(`use_nfs_home_dirs',`
+-	fs_manage_nfs_dirs(mailserver_delivery)
+-	fs_manage_nfs_files(mailserver_delivery)
+-	fs_read_nfs_symlinks(mailserver_delivery)
++optional_policy(`
 +	logwatch_search_cache_dir(mailserver_delivery)
  ')
  
  optional_policy(`
+-	arpwatch_search_data(mailserver_delivery)
 +	# so MTA can access /var/lib/mailman/mail/wrapper
- 	files_search_var_lib(mailserver_delivery)
- 
- 	mailman_domtrans(mailserver_delivery)
-@@ -372,6 +395,17 @@ optional_policy(`
++	files_search_var_lib(mailserver_delivery)
++
++	mailman_domtrans(mailserver_delivery)
++	mailman_read_data_symlinks(mailserver_delivery)
  ')
  
  optional_policy(`
+-	dovecot_manage_spool(mailserver_delivery)
+-	dovecot_domtrans_deliver(mailserver_delivery)
 +	mailman_manage_data_files(mailserver_domain)
 +	mailman_domtrans(mailserver_domain)
 +	mailman_append_log(mailserver_domain)
 +	mailman_read_log(mailserver_domain)
+ ')
+ 
+ optional_policy(`
+-	files_search_var_lib(mailserver_delivery)
++    mta_filetrans_home_content(mailserver_domain)
++    mta_filetrans_admin_home_content(mailserver_domain)
++    mta_read_home(mailserver_domain)
++    mta_append_home(mailserver_domain)
 +')
-+
+ 
+-	mailman_domtrans(mailserver_delivery)
+-	mailman_read_data_symlinks(mailserver_delivery)
 +optional_policy(`
 +    pcp_read_lib_files(mailserver_delivery)
-+')
-+
-+optional_policy(`
- 	postfix_rw_inherited_master_pipes(mailserver_delivery)
  ')
  
-@@ -381,24 +415,49 @@ optional_policy(`
+ optional_policy(`
+@@ -381,24 +422,49 @@ optional_policy(`
  
  ########################################
  #
@@ -56564,10 +56615,10 @@ index 57c0161..dae3360 100644
 +    ps_process_pattern($1, nut_t)
  ')
 diff --git a/nut.te b/nut.te
-index 5b2cb0d..6871201 100644
+index 5b2cb0d..09484a9 100644
 --- a/nut.te
 +++ b/nut.te
-@@ -22,139 +22,162 @@ type nut_upsdrvctl_t, nut_domain;
+@@ -22,139 +22,150 @@ type nut_upsdrvctl_t, nut_domain;
  type nut_upsdrvctl_exec_t;
  init_daemon_domain(nut_upsdrvctl_t, nut_upsdrvctl_exec_t)
  
@@ -56596,9 +56647,11 @@ index 5b2cb0d..6871201 100644
 -allow nut_domain nut_conf_t:dir list_dir_perms;
 -allow nut_domain nut_conf_t:file read_file_perms;
 -allow nut_domain nut_conf_t:lnk_file read_lnk_file_perms;
--
--manage_files_pattern(nut_domain, nut_var_run_t, nut_var_run_t)
--manage_dirs_pattern(nut_domain, nut_var_run_t, nut_var_run_t)
++allow nut_domain self:netlink_kobject_uevent_socket create_socket_perms;
+ 
++# pid file
+ manage_files_pattern(nut_domain, nut_var_run_t, nut_var_run_t)
+ manage_dirs_pattern(nut_domain, nut_var_run_t, nut_var_run_t)
 -files_pid_filetrans(nut_domain, nut_var_run_t, { dir file })
 -
 -kernel_read_kernel_sysctls(nut_domain)
@@ -56606,7 +56659,8 @@ index 5b2cb0d..6871201 100644
 -logging_send_syslog_msg(nut_domain)
 -
 -miscfiles_read_localization(nut_domain)
-+allow nut_domain self:netlink_kobject_uevent_socket create_socket_perms;
++manage_sock_files_pattern(nut_domain, nut_var_run_t, nut_var_run_t)
++files_pid_filetrans(nut_domain, nut_var_run_t, dir)
  
  ########################################
  #
@@ -56636,19 +56690,13 @@ index 5b2cb0d..6871201 100644
  
 -corenet_sendrecv_ups_server_packets(nut_upsd_t)
 -corenet_tcp_bind_ups_port(nut_upsd_t)
-+# pid file
-+manage_files_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t)
-+manage_dirs_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t)
-+manage_sock_files_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t)
-+files_pid_filetrans(nut_upsd_t, nut_var_run_t, { dir file sock_file })
- 
--corenet_sendrecv_generic_server_packets(nut_upsd_t)
--corenet_tcp_bind_generic_port(nut_upsd_t)
 +kernel_read_kernel_sysctls(nut_upsd_t)
  
--files_read_usr_files(nut_upsd_t)
+-corenet_sendrecv_generic_server_packets(nut_upsd_t)
 +corenet_tcp_bind_ups_port(nut_upsd_t)
-+corenet_tcp_bind_generic_port(nut_upsd_t)
+ corenet_tcp_bind_generic_port(nut_upsd_t)
+-
+-files_read_usr_files(nut_upsd_t)
 +corenet_tcp_bind_all_nodes(nut_upsd_t)
  
  auth_use_nsswitch(nut_upsd_t)
@@ -56668,14 +56716,8 @@ index 5b2cb0d..6871201 100644
 +allow nut_upsmon_t self:unix_dgram_socket { create_socket_perms sendto };
 +allow nut_upsmon_t self:unix_stream_socket { create_socket_perms connectto };
 +allow nut_upsmon_t self:tcp_socket create_socket_perms;
-+
-+read_files_pattern(nut_upsmon_t, nut_conf_t, nut_conf_t)
  
-+# pid file
-+manage_files_pattern(nut_upsmon_t, nut_var_run_t, nut_var_run_t)
-+manage_dirs_pattern(nut_upsmon_t, nut_var_run_t, nut_var_run_t)
-+manage_sock_files_pattern(nut_upsmon_t, nut_var_run_t, nut_var_run_t)
-+files_pid_filetrans(nut_upsmon_t, nut_var_run_t, file)
++read_files_pattern(nut_upsmon_t, nut_conf_t, nut_conf_t)
 +
 +kernel_read_kernel_sysctls(nut_upsmon_t)
  kernel_read_system_state(nut_upsmon_t)
@@ -56732,20 +56774,15 @@ index 5b2cb0d..6871201 100644
 +allow nut_upsdrvctl_t self:fifo_file rw_fifo_file_perms;
 +allow nut_upsdrvctl_t self:unix_dgram_socket { create_socket_perms sendto };
 +allow nut_upsdrvctl_t self:udp_socket create_socket_perms;
-+
+ 
+-manage_sock_files_pattern(nut_upsdrvctl_t, nut_var_run_t, nut_var_run_t)
+-files_pid_filetrans(nut_upsdrvctl_t, nut_var_run_t, sock_file)
 +can_exec(nut_upsdrvctl_t, nut_upsdrvctl_exec_t)
  
 +read_files_pattern(nut_upsdrvctl_t, nut_conf_t, nut_conf_t)
 +
-+# pid file
-+manage_files_pattern(nut_upsdrvctl_t, nut_var_run_t, nut_var_run_t)
-+manage_dirs_pattern(nut_upsdrvctl_t, nut_var_run_t, nut_var_run_t)
- manage_sock_files_pattern(nut_upsdrvctl_t, nut_var_run_t, nut_var_run_t)
--files_pid_filetrans(nut_upsdrvctl_t, nut_var_run_t, sock_file)
-+files_pid_filetrans(nut_upsdrvctl_t, nut_var_run_t, { file sock_file })
-+
 +kernel_read_kernel_sysctls(nut_upsdrvctl_t)
- 
++
 +# /sbin/upsdrvctl executes other drivers
  corecmd_exec_bin(nut_upsdrvctl_t)
  
@@ -60310,7 +60347,7 @@ index 0000000..0493b99
 +')
 diff --git a/osad.fc b/osad.fc
 new file mode 100644
-index 0000000..1e1eceb
+index 0000000..cf911d5
 --- /dev/null
 +++ b/osad.fc
 @@ -0,0 +1,7 @@
@@ -60318,7 +60355,7 @@ index 0000000..1e1eceb
 +
 +/usr/sbin/osad		--	gen_context(system_u:object_r:osad_exec_t,s0)
 +
-+/var/log/osad		--	gen_context(system_u:object_r:osad_log_t,s0)
++/var/log/osad.*		--	gen_context(system_u:object_r:osad_log_t,s0)
 +
 +/var/run/osad.*		--	gen_context(system_u:object_r:osad_var_run_t,s0)
 diff --git a/osad.if b/osad.if
@@ -60494,10 +60531,10 @@ index 0000000..05648bd
 +')
 diff --git a/osad.te b/osad.te
 new file mode 100644
-index 0000000..a40fcc3
+index 0000000..310d672
 --- /dev/null
 +++ b/osad.te
-@@ -0,0 +1,45 @@
+@@ -0,0 +1,48 @@
 +policy_module(osad, 1.0.0)
 +
 +########################################
@@ -60522,20 +60559,23 @@ index 0000000..a40fcc3
 +#
 +# osad local policy
 +#
++
 +allow osad_t self:process setpgid;
 +
 +manage_files_pattern(osad_t, osad_log_t, osad_log_t)
-+logging_log_filetrans(osad_t, osad_log_t, { file })
++logging_log_filetrans(osad_t, osad_log_t, file)
 +
 +manage_files_pattern(osad_t, osad_var_run_t, osad_var_run_t)
-+files_pid_filetrans(osad_t, osad_var_run_t, { file})
++files_pid_filetrans(osad_t, osad_var_run_t, file)
 +
 +kernel_read_system_state(osad_t)
 +
-+auth_read_passwd(osad_t)
++corenet_tcp_connect_http_port(osad_t)
 +
 +dev_read_urand(osad_t)
 +
++auth_use_nsswitch(osad_t)
++
 +optional_policy(`
 +    gnome_dontaudit_search_config(osad_t)
 +')
@@ -78960,7 +79000,7 @@ index c8bdea2..e6bcb25 100644
 +    allow $1 cluster_unit_file_t:service all_service_perms;
  ')
 diff --git a/rhcs.te b/rhcs.te
-index 6cf79c4..e975469 100644
+index 6cf79c4..dacec90 100644
 --- a/rhcs.te
 +++ b/rhcs.te
 @@ -20,6 +20,35 @@ gen_tunable(fenced_can_network_connect, false)
@@ -79471,7 +79511,7 @@ index 6cf79c4..e975469 100644
 +# bug in haproxy and process vs pid owner
 +allow haproxy_t self:capability { dac_override kill };
 +
-+allow haproxy_t self:capability { chown setgid setuid sys_chroot sys_resource };
++allow haproxy_t self:capability { chown setgid setuid sys_chroot sys_resource net_admin net_raw };
 +allow haproxy_t self:capability2 block_suspend;
 +allow haproxy_t self:process { fork setrlimit signal_perms };
 +allow haproxy_t self:fifo_file rw_fifo_file_perms;
@@ -86741,10 +86781,10 @@ index 0000000..a2cb772
 +')
 diff --git a/sandbox.te b/sandbox.te
 new file mode 100644
-index 0000000..62a9666
+index 0000000..eb990f6
 --- /dev/null
 +++ b/sandbox.te
-@@ -0,0 +1,63 @@
+@@ -0,0 +1,64 @@
 +policy_module(sandbox,1.0.0)
 +
 +attribute sandbox_domain;
@@ -86801,6 +86841,7 @@ index 0000000..62a9666
 +
 +files_read_config_files(sandbox_domain)
 +files_read_var_files(sandbox_domain)
++files_read_all_mountpoint_symlinks(sandbox_domain)
 +files_dontaudit_search_all_dirs(sandbox_domain)
 +
 +fs_dontaudit_getattr_all_fs(sandbox_domain)
@@ -102410,7 +102451,7 @@ index facdee8..88dcafb 100644
 +	virt_stream_connect($1)
  ')
 diff --git a/virt.te b/virt.te
-index f03dcf5..8cfc7f4 100644
+index f03dcf5..67904c0 100644
 --- a/virt.te
 +++ b/virt.te
 @@ -1,150 +1,212 @@
@@ -103877,7 +103918,7 @@ index f03dcf5..8cfc7f4 100644
  selinux_get_enforce_mode(virtd_lxc_t)
  selinux_get_fs_mount(virtd_lxc_t)
  selinux_validate_context(virtd_lxc_t)
-@@ -974,194 +1138,307 @@ selinux_compute_create_context(virtd_lxc_t)
+@@ -974,194 +1138,308 @@ selinux_compute_create_context(virtd_lxc_t)
  selinux_compute_relabel_context(virtd_lxc_t)
  selinux_compute_user_contexts(virtd_lxc_t)
  
@@ -103967,6 +104008,7 @@ index f03dcf5..8cfc7f4 100644
 +kernel_read_all_sysctls(svirt_sandbox_domain)
 +kernel_rw_net_sysctls(svirt_sandbox_domain)
 +kernel_dontaudit_search_kernel_sysctl(svirt_sandbox_domain)
++kernel_dontaudit_access_check_proc(svirt_sandbox_domain)
 +
 +corecmd_exec_all_executables(svirt_sandbox_domain)
 +
@@ -104322,7 +104364,7 @@ index f03dcf5..8cfc7f4 100644
  allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
  allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
  
-@@ -1174,12 +1451,12 @@ dev_read_sysfs(virt_qmf_t)
+@@ -1174,12 +1452,12 @@ dev_read_sysfs(virt_qmf_t)
  dev_read_rand(virt_qmf_t)
  dev_read_urand(virt_qmf_t)
  
@@ -104337,7 +104379,7 @@ index f03dcf5..8cfc7f4 100644
  sysnet_read_config(virt_qmf_t)
  
  optional_policy(`
-@@ -1192,9 +1469,8 @@ optional_policy(`
+@@ -1192,9 +1470,8 @@ optional_policy(`
  
  ########################################
  #
@@ -104348,7 +104390,7 @@ index f03dcf5..8cfc7f4 100644
  allow virt_bridgehelper_t self:process { setcap getcap };
  allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin };
  allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
-@@ -1207,5 +1483,216 @@ kernel_read_network_state(virt_bridgehelper_t)
+@@ -1207,5 +1484,216 @@ kernel_read_network_state(virt_bridgehelper_t)
  
  corenet_rw_tun_tap_dev(virt_bridgehelper_t)
  
@@ -107851,7 +107893,7 @@ index dd63de0..38ce620 100644
 -	admin_pattern($1, zabbix_tmpfs_t)
  ')
 diff --git a/zabbix.te b/zabbix.te
-index 7f496c6..6a63c90 100644
+index 7f496c6..f2b5fa6 100644
 --- a/zabbix.te
 +++ b/zabbix.te
 @@ -6,27 +6,32 @@ policy_module(zabbix, 1.6.0)
@@ -108041,15 +108083,16 @@ index 7f496c6..6a63c90 100644
  
  rw_files_pattern(zabbix_agent_t, zabbix_tmpfs_t, zabbix_tmpfs_t)
  fs_tmpfs_filetrans(zabbix_agent_t, zabbix_tmpfs_t, file)
-@@ -151,16 +161,12 @@ fs_tmpfs_filetrans(zabbix_agent_t, zabbix_tmpfs_t, file)
+@@ -151,16 +161,13 @@ fs_tmpfs_filetrans(zabbix_agent_t, zabbix_tmpfs_t, file)
  manage_files_pattern(zabbix_agent_t, zabbix_var_run_t, zabbix_var_run_t)
  files_pid_filetrans(zabbix_agent_t, zabbix_var_run_t, file)
  
 -kernel_read_all_sysctls(zabbix_agent_t)
  kernel_read_system_state(zabbix_agent_t)
- 
--corecmd_read_all_executables(zabbix_agent_t)
 -
+-corecmd_read_all_executables(zabbix_agent_t)
++kernel_read_network_state(zabbix_agent_t)
+ 
  corenet_all_recvfrom_unlabeled(zabbix_agent_t)
  corenet_all_recvfrom_netlabel(zabbix_agent_t)
 -corenet_tcp_sendrecv_generic_if(zabbix_agent_t)
@@ -108060,7 +108103,7 @@ index 7f496c6..6a63c90 100644
  
  corenet_sendrecv_zabbix_agent_server_packets(zabbix_agent_t)
  corenet_tcp_bind_zabbix_agent_port(zabbix_agent_t)
-@@ -177,21 +183,28 @@ corenet_tcp_sendrecv_zabbix_port(zabbix_agent_t)
+@@ -177,21 +184,28 @@ corenet_tcp_sendrecv_zabbix_port(zabbix_agent_t)
  dev_getattr_all_blk_files(zabbix_agent_t)
  dev_getattr_all_chr_files(zabbix_agent_t)
  
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 9d68c96..41aeac8 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 64%{?dist}
+Release: 65%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -600,6 +600,26 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Fri Jul 18 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-65
+- Allow sysadm to dbus chat with systemd
+- Add logging_dontaudit_search_audit_logs()
+- Add new files_read_all_mountpoint_symlinks() 
+- Fix labeling path from /var/run/systemd/initctl/fifo to /var/run/initctl/fifo.
+- Allow ndc to read random and urandom device (#1110397)
+- Allow zabbix to read system network state
+- Allow fprintd to execute usr_t/bin_t
+- Allow mailserver_domain domains to append dead.letter labeled as mail_home_t
+- Add glance_use_execmem boolean to have glance configured to use Ceph/rbd
+- Dontaudit search audit logs for fail2ban
+- Allow mailserver_domain domains to create mail home content with right labeling
+- Dontaudit svirt_sandbox_domain doing access checks on /proc
+- Fix  files_pid_filetrans() calling in nut.te to reflect allow rules.
+- Use nut_domain attribute for files_pid_filetrans() for nut domains.
+- Allow sandbox domains read all mountpoint symlinks to make symlinked homedirs
+- Fix nut domains only have type transition on dirs in /run/nut directory.
+- Allow net_admin/net_raw capabilities for haproxy_t. haproxy uses setsockopt()
+- Clean up osad policy. Remove additional interfaces/rules
+
 * Mon Jul 14 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-64
 - Allow systemd domains to check lvm status
 - Allow getty to execute plymouth.#1112870