From 0e84535c7a241fc32f4b904f019c807843dbb1a4 Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Nov 20 2015 09:09:52 +0000 Subject: - Allow antivirus_t to bind to all unreserved ports. Clamd binds to random unassigned port (by default in range 1024-2048) - Allow abrt-hook-ccpp to change SELinux user identity for created objects. - Allow abrt-hook-ccpp to get attributes of all processes because of core_pattern. - Allow setuid/setgid capabilities for abrt-hook-ccpp. - Add default labeling for /etc/Pegasus/cimserver_current.conf. It is a correct patch instead of the current /etc/Pegasus/pegasus_current.conf. - Allow fenced node dbus msg when using foghorn witch configured foghorn, snmpd, and snmptrapd. - cockpit has grown content in /var/run directory - Add support for /dev/mptctl device used to check RAID status. - Allow systemd-hostnamed to communicate with dhcp via dbus. - systemd-logind remove all IPC objects owned by a user on a logout. This covers also SysV memory. This change allows to destroy unpriviledged user SysV shared memory segments. - Add userdom_destroy_unpriv_user_shared_mem() interface. - Label /var/run/systemd/shutdown directory as systemd_logind_var_run_t to allow systemd-logind to access it if shutdown is invoked. - Access needed by systemd-machine to manage docker containers - Allow systemd-logind to read /run/utmp when shutdown is invoked. --- diff --git a/docker-selinux.tgz b/docker-selinux.tgz index 4bda657..b24750c 100644 Binary files a/docker-selinux.tgz and b/docker-selinux.tgz differ diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index d896c23..f0068de 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -6145,7 +6145,7 @@ index 3f6e168..340e49f 100644 ') diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc -index b31c054..d500876 100644 +index b31c054..8722f6d 100644 --- a/policy/modules/kernel/devices.fc +++ b/policy/modules/kernel/devices.fc @@ -15,15 +15,18 @@ 
@@ -6190,15 +6190,17 @@ index b31c054..d500876 100644 /dev/mergemem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh) /dev/mga_vid.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) /dev/mice -c gen_context(system_u:object_r:mouse_device_t,s0) -@@ -72,6 +79,7 @@ +@@ -72,7 +79,9 @@ /dev/mixer.* -c gen_context(system_u:object_r:sound_device_t,s0) /dev/mmetfgrab -c gen_context(system_u:object_r:scanner_device_t,s0) /dev/modem -c gen_context(system_u:object_r:modem_device_t,s0) +/dev/monwriter -c gen_context(system_u:object_r:monitor_device_t,s0) /dev/mpu401.* -c gen_context(system_u:object_r:sound_device_t,s0) ++/dev/mpt[0-9]*ctl -c gen_context(system_u:object_r:mptctl_device_t,s0) /dev/msr.* -c gen_context(system_u:object_r:cpu_device_t,s0) /dev/net/vhost -c gen_context(system_u:object_r:vhost_device_t,s0) -@@ -80,6 +88,8 @@ + /dev/network_latency -c gen_context(system_u:object_r:netcontrol_device_t,s0) +@@ -80,6 +89,8 @@ /dev/noz.* -c gen_context(system_u:object_r:modem_device_t,s0) /dev/null -c gen_context(system_u:object_r:null_device_t,s0) /dev/nvidia.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) @@ -6207,7 +6209,7 @@ index b31c054..d500876 100644 /dev/nvram -c gen_context(system_u:object_r:nvram_device_t,mls_systemhigh) /dev/oldmem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh) /dev/opengl -c gen_context(system_u:object_r:xserver_misc_device_t,s0) -@@ -90,6 +100,7 @@ +@@ -90,6 +101,7 @@ /dev/pmu -c gen_context(system_u:object_r:power_device_t,s0) /dev/port -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh) /dev/pps.* -c gen_context(system_u:object_r:clock_device_t,s0) 
@@ -6215,7 +6217,7 @@ index b31c054..d500876 100644 /dev/(misc/)?psaux -c gen_context(system_u:object_r:mouse_device_t,s0) /dev/rmidi.* -c gen_context(system_u:object_r:sound_device_t,s0) /dev/radeon -c gen_context(system_u:object_r:dri_device_t,s0) -@@ -106,6 +117,7 @@ +@@ -106,6 +118,7 @@ /dev/snapshot -c gen_context(system_u:object_r:apm_bios_t,s0) /dev/sndstat -c gen_context(system_u:object_r:sound_device_t,s0) /dev/sonypi -c gen_context(system_u:object_r:v4l_device_t,s0) @@ -6223,7 +6225,7 @@ index b31c054..d500876 100644 /dev/tlk[0-3] -c gen_context(system_u:object_r:v4l_device_t,s0) /dev/tpm[0-9]* -c gen_context(system_u:object_r:tpm_device_t,s0) /dev/uinput -c gen_context(system_u:object_r:event_device_t,s0) -@@ -118,6 +130,12 @@ +@@ -118,6 +131,12 @@ ifdef(`distro_suse', ` /dev/usbscanner -c gen_context(system_u:object_r:scanner_device_t,s0) ') @@ -6236,7 +6238,7 @@ index b31c054..d500876 100644 /dev/vhost-net -c gen_context(system_u:object_r:vhost_device_t,s0) /dev/vbi.* -c gen_context(system_u:object_r:v4l_device_t,s0) /dev/vbox.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) -@@ -129,12 +147,14 @@ ifdef(`distro_suse', ` +@@ -129,12 +148,14 @@ ifdef(`distro_suse', ` /dev/vttuner -c gen_context(system_u:object_r:v4l_device_t,s0) /dev/vtx.* -c gen_context(system_u:object_r:v4l_device_t,s0) /dev/watchdog.* -c gen_context(system_u:object_r:watchdog_device_t,s0) @@ -6251,7 +6253,7 @@ index b31c054..d500876 100644 /dev/card.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) /dev/cmx.* -c gen_context(system_u:object_r:smartcard_device_t,s0) -@@ -172,6 +192,8 @@ ifdef(`distro_suse', ` +@@ -172,6 +193,8 @@ ifdef(`distro_suse', ` /dev/touchscreen/ucb1x00 -c gen_context(system_u:object_r:mouse_device_t,s0) /dev/touchscreen/mk712 -c gen_context(system_u:object_r:mouse_device_t,s0) 
@@ -6260,7 +6262,7 @@ index b31c054..d500876 100644 /dev/usb/dc2xx.* -c gen_context(system_u:object_r:scanner_device_t,s0) /dev/usb/lp.* -c gen_context(system_u:object_r:printer_device_t,s0) /dev/usb/mdc800.* -c gen_context(system_u:object_r:scanner_device_t,s0) -@@ -198,12 +220,27 @@ ifdef(`distro_debian',` +@@ -198,12 +221,27 @@ ifdef(`distro_debian',` /lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0) /lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0) @@ -6291,7 +6293,7 @@ index b31c054..d500876 100644 +/usr/lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0) +/usr/lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0) diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if -index 76f285e..68ef8e7 100644 +index 76f285e..b7a4271 100644 --- a/policy/modules/kernel/devices.if +++ b/policy/modules/kernel/devices.if @@ -143,13 +143,32 @@ interface(`dev_relabel_all_dev_nodes',` @@ -8665,7 +8667,7 @@ index 76f285e..68ef8e7 100644 ## Read and write to the zero device (/dev/zero). ## ## -@@ -4851,3 +5896,966 @@ interface(`dev_unconfined',` +@@ -4851,3 +5896,978 @@ interface(`dev_unconfined',` typeattribute $1 devices_unconfined_type; ') @@ -8878,6 +8880,7 @@ index 76f285e..68ef8e7 100644 + type smartcard_device_t; + type mtrr_device_t; + type ecryptfs_device_t; ++ type mptctl_device_t; +') + + dev_filetrans_printer_named_dev($1) 
@@ -9147,6 +9150,17 @@ index 76f285e..68ef8e7 100644 + filetrans_pattern($1, device_t, mouse_device_t, chr_file, "mouse8") + filetrans_pattern($1, device_t, mouse_device_t, chr_file, "mouse9") + filetrans_pattern($1, device_t, memory_device_t, chr_file, "kmem") ++ filetrans_pattern($1, device_t, mptctl_device_t, chr_file, "mptctl") ++ filetrans_pattern($1, device_t, mptctl_device_t, chr_file, "mpt0ctl") ++ filetrans_pattern($1, device_t, mptctl_device_t, chr_file, "mpt1ctl") ++ filetrans_pattern($1, device_t, mptctl_device_t, chr_file, "mpt2ctl") ++ filetrans_pattern($1, device_t, mptctl_device_t, chr_file, "mpt3ctl") ++ filetrans_pattern($1, device_t, mptctl_device_t, chr_file, "mpt4ctl") ++ filetrans_pattern($1, device_t, mptctl_device_t, chr_file, "mpt5ctl") ++ filetrans_pattern($1, device_t, mptctl_device_t, chr_file, "mpt6ctl") ++ filetrans_pattern($1, device_t, mptctl_device_t, chr_file, "mpt7ctl") ++ filetrans_pattern($1, device_t, mptctl_device_t, chr_file, "mpt8ctl") ++ filetrans_pattern($1, device_t, mptctl_device_t, chr_file, "mpt9ctl") + filetrans_pattern($1, device_t, kmsg_device_t, chr_file, "kmsg") + filetrans_pattern($1, device_t, qemu_device_t, chr_file, "kqemu") + filetrans_pattern($1, device_t, ksm_device_t, chr_file, "ksm") @@ -9633,7 +9647,7 @@ index 76f285e..68ef8e7 100644 + filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card9") +') diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te -index 0b1a871..f260e6f 100644 +index 0b1a871..db37cad 100644 --- a/policy/modules/kernel/devices.te +++ b/policy/modules/kernel/devices.te @@ -15,11 +15,12 @@ attribute devices_unconfined_type; @@ -9701,7 +9715,7 @@ index 0b1a871..f260e6f 100644 type loop_control_device_t; dev_node(loop_control_device_t) -@@ -150,6 +161,12 @@ type modem_device_t; +@@ -150,12 +161,24 @@ type modem_device_t; dev_node(modem_device_t) # 
@@ -9714,7 +9728,19 @@ index 0b1a871..f260e6f 100644 # A more general type for mouse devices. # type mouse_device_t; -@@ -183,6 +200,12 @@ type nvram_device_t; + dev_node(mouse_device_t) + + # ++# Type for /dev/mptctl used to check RAID status. ++# ++type mptctl_device_t; ++dev_node(mptctl_device_t) ++ ++# + # Type for /dev/cpu/mtrr and /proc/mtrr + # + type mtrr_device_t; +@@ -183,6 +206,12 @@ type nvram_device_t; dev_node(nvram_device_t) # @@ -9727,7 +9753,7 @@ index 0b1a871..f260e6f 100644 # Type for /dev/pmu # type power_device_t; -@@ -227,6 +250,10 @@ files_mountpoint(sysfs_t) +@@ -227,6 +256,10 @@ files_mountpoint(sysfs_t) fs_type(sysfs_t) genfscon sysfs / gen_context(system_u:object_r:sysfs_t,s0) @@ -9738,7 +9764,7 @@ index 0b1a871..f260e6f 100644 # # Type for /dev/tpm # -@@ -266,6 +293,15 @@ dev_node(usbmon_device_t) +@@ -266,6 +299,15 @@ dev_node(usbmon_device_t) type userio_device_t; dev_node(userio_device_t) @@ -9754,7 +9780,7 @@ index 0b1a871..f260e6f 100644 type v4l_device_t; dev_node(v4l_device_t) -@@ -274,6 +310,7 @@ dev_node(v4l_device_t) +@@ -274,6 +316,7 @@ dev_node(v4l_device_t) # type vhost_device_t; dev_node(vhost_device_t) @@ -9762,7 +9788,7 @@ index 0b1a871..f260e6f 100644 # Type for vmware devices. type vmware_device_t; -@@ -319,5 +356,6 @@ files_associate_tmp(device_node) +@@ -319,5 +362,6 @@ files_associate_tmp(device_node) # allow devices_unconfined_type self:capability sys_rawio; @@ -32242,7 +32268,7 @@ index bc0ffc8..37b8ea5 100644 ') +/var/run/systemd(/.*)? gen_context(system_u:object_r:init_var_run_t,s0) diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if -index 79a45f6..9769b64 100644 +index 79a45f6..af3877f 100644 --- a/policy/modules/system/init.if +++ b/policy/modules/system/init.if @@ -1,5 +1,21 @@ 
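Review bot: The comment on the new `mptctl_device_t` type (hunk `@@ -9714,7 +9728,19 @@`) names only /dev/mptctl, while the devices.fc entry added in this commit labels `/dev/mpt[0-9]*ctl` and the named transitions in devices.if cover `mptctl` and `mpt0ctl` through `mpt9ctl`. Suggest `# Type for /dev/mptctl and /dev/mpt[0-9]*ctl, the MPT controller control nodes used to check RAID status.` so the stated scope of the type matches its labeling rules. No access interface for the type is visible in these hunks, so which domains are meant to open the node cannot be checked from here.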
@@ -32586,20 +32612,37 @@ index 79a45f6..9769b64 100644 ## Connect to init with a unix socket. ## ## -@@ -576,10 +719,66 @@ interface(`init_sigchld',` +@@ -576,12 +719,87 @@ interface(`init_sigchld',` # interface(`init_stream_connect',` gen_require(` -- type init_t; + type init_t, init_var_run_t; - ') - -- allow $1 init_t:unix_stream_socket connectto; ++ ') ++ + files_search_pids($1) + stream_connect_pattern($1, init_var_run_t, init_var_run_t, init_t) + allow $1 init_t:unix_stream_socket getattr; +') + ++######################################## ++## ++## Connect to init with a unix socket. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`init_stream_connectto',` ++ gen_require(` + type init_t; + ') + ++ files_search_pids($1) + allow $1 init_t:unix_stream_socket connectto; + ') + +####################################### +## +## Dontaudit Connect to init with a unix socket. @@ -32652,10 +32695,12 @@ index 79a45f6..9769b64 100644 + ') + + dontaudit $1 init_t:unix_stream_socket { getattr read write ioctl }; - ') - ++') ++ ######################################## -@@ -743,22 +942,24 @@ interface(`init_write_initctl',` + ## + ## Inherit and use file descriptors from init. +@@ -743,22 +961,24 @@ interface(`init_write_initctl',` interface(`init_telinit',` gen_require(` type initctl_t; @@ -32689,7 +32734,7 @@ index 79a45f6..9769b64 100644 ') ######################################## -@@ -787,7 +988,7 @@ interface(`init_rw_initctl',` +@@ -787,7 +1007,7 @@ interface(`init_rw_initctl',` ## ## ## @@ -32698,7 +32743,7 @@ index 79a45f6..9769b64 100644 ## ## # -@@ -830,11 +1031,12 @@ interface(`init_script_file_entry_type',` +@@ -830,11 +1050,12 @@ interface(`init_script_file_entry_type',` # interface(`init_spec_domtrans_script',` gen_require(` 
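Review bot: The new `init_stream_connectto` interface (hunk `@@ -32586,20 +32612,37 @@`) has the same summary as `init_stream_connect`, "Connect to init with a unix socket.", so the documentation does not show which is the narrower grant. From the visible rules, `init_stream_connect` now goes through `stream_connect_pattern` on `init_var_run_t` plus `getattr`, while `init_stream_connectto` allows only `connectto` on `init_t`. A summary such as `## Connect to init's unix stream socket (connectto on init_t only, no access to init_var_run_t socket files).` would state that. `files_search_pids($1)` also looks unnecessary for a connectto-only grant, since no object under the pid directory is referenced; worth confirming against the callers.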
@@ -32713,7 +32758,7 @@ index 79a45f6..9769b64 100644 ifdef(`distro_gentoo',` gen_require(` -@@ -845,11 +1047,11 @@ interface(`init_spec_domtrans_script',` +@@ -845,11 +1066,11 @@ interface(`init_spec_domtrans_script',` ') ifdef(`enable_mcs',` @@ -32727,7 +32772,7 @@ index 79a45f6..9769b64 100644 ') ') -@@ -865,19 +1067,41 @@ interface(`init_spec_domtrans_script',` +@@ -865,19 +1086,41 @@ interface(`init_spec_domtrans_script',` # interface(`init_domtrans_script',` gen_require(` @@ -32773,7 +32818,7 @@ index 79a45f6..9769b64 100644 ') ######################################## -@@ -933,9 +1157,14 @@ interface(`init_script_file_domtrans',` +@@ -933,9 +1176,14 @@ interface(`init_script_file_domtrans',` interface(`init_labeled_script_domtrans',` gen_require(` type initrc_t; 
@@ -32788,161 +32833,267 @@ index 79a45f6..9769b64 100644 files_search_etc($1) ') -@@ -1012,6 +1241,62 @@ interface(`init_read_state',` +@@ -1012,26 +1260,27 @@ interface(`init_read_state',` ######################################## ## +-## Ptrace init +## Dontaudit read the process state (/proc/pid) of init. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## + ## Domain allowed access. + ## + ## +-## + # +-interface(`init_ptrace',` +interface(`init_dontaudit_read_state',` -+ gen_require(` -+ type init_t; -+ ') -+ + gen_require(` + type init_t; + ') + +- allow $1 init_t:process ptrace; + dontaudit $1 init_t:dir search_dir_perms; + dontaudit $1 init_t:file read_file_perms; + dontaudit $1 init_t:lnk_file read_lnk_file_perms; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Write an init script unnamed pipe. +## Read the process keyring of init. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -1039,17 +1288,17 @@ interface(`init_ptrace',` + ## + ## + # +-interface(`init_write_script_pipes',` +interface(`init_read_key',` -+ gen_require(` + gen_require(` +- type initrc_t; + type init_t; -+ ') -+ + ') + +- allow $1 initrc_t:fifo_file write; + allow $1 init_t:key read; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Get the attribute of init script entrypoint files. +## Write the process keyring of init. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# + ## + ## + ## +@@ -1057,37 +1306,38 @@ interface(`init_write_script_pipes',` + ## + ## + # +-interface(`init_getattr_script_files',` +interface(`init_write_key',` -+ gen_require(` + gen_require(` +- type initrc_exec_t; + type init_t; -+ ') -+ + ') + +- files_list_etc($1) +- allow $1 initrc_exec_t:file getattr; + allow $1 init_t:key read; -+') -+ -+######################################## -+## - ## Ptrace init + ') + + ######################################## + ## +-## Read init scripts. ++## Ptrace init ## ## -@@ -1026,7 +1311,9 @@ interface(`init_ptrace',` - type init_t; + ## + ## Domain allowed access. + ## + ## ++## + # +-interface(`init_read_script_files',` ++interface(`init_ptrace',` + gen_require(` +- type initrc_exec_t; ++ type init_t; ') -- allow $1 init_t:process ptrace; +- files_search_etc($1) +- allow $1 initrc_exec_t:file read_file_perms; + tunable_policy(`deny_ptrace',`',` + allow $1 init_t:process ptrace; + ') ') ######################################## -@@ -1125,7 +1412,8 @@ interface(`init_getattr_all_script_files',` + ## +-## Execute init scripts in the caller domain. ++## Write an init script unnamed pipe. + ## + ## + ## +@@ -1095,18 +1345,17 @@ interface(`init_read_script_files',` + ## + ## + # +-interface(`init_exec_script_files',` ++interface(`init_write_script_pipes',` + gen_require(` +- type initrc_exec_t; ++ type initrc_t; + ') + +- files_list_etc($1) +- can_exec($1, initrc_exec_t) ++ allow $1 initrc_t:fifo_file write; + ') ######################################## ## --## Read all init script files. -+## Allow the specified domain to modify the systemd configuration of -+## all init scripts. +-## Get the attribute of all init script entrypoint files. ++## Get the attribute of init script entrypoint files. 
## ## ## -@@ -1133,26 +1421,62 @@ interface(`init_getattr_all_script_files',` +@@ -1114,18 +1363,18 @@ interface(`init_exec_script_files',` ## ## # --interface(`init_read_all_script_files',` -+interface(`init_config_all_script_files',` +-interface(`init_getattr_all_script_files',` ++interface(`init_getattr_script_files',` gen_require(` - attribute init_script_file_type; +- attribute init_script_file_type; ++ type initrc_exec_t; ') -- files_search_etc($1) -- allow $1 init_script_file_type:file read_file_perms; -+ allow $1 init_script_file_type:service all_service_perms; + files_list_etc($1) +- allow $1 init_script_file_type:file getattr; ++ allow $1 initrc_exec_t:file getattr; ') --####################################### -+######################################## + ######################################## ## --## Dontaudit read all init script files. -+## Read all init script files. +-## Read all init script files. ++## Read init scripts. ## ## ## --## Domain to not audit. -+## Domain allowed access. +@@ -1133,7 +1382,83 @@ interface(`init_getattr_all_script_files',` ## ## # --interface(`init_dontaudit_read_all_script_files',` -+interface(`init_read_all_script_files',` +-interface(`init_read_all_script_files',` ++interface(`init_read_script_files',` + gen_require(` -+ attribute init_script_file_type; ++ type initrc_exec_t; + ') + + files_search_etc($1) -+ allow $1 init_script_file_type:file read_file_perms; ++ allow $1 initrc_exec_t:file read_file_perms; +') + -+####################################### ++######################################## +## -+## Dontaudit getattr all init script files. ++## Execute init scripts in the caller domain. +## +## +## -+## Domain to not audit. ++## Domain allowed access. 
+## +## +# -+interface(`init_dontaudit_getattr_all_script_files',` ++interface(`init_exec_script_files',` ++ gen_require(` ++ type initrc_exec_t; ++ ') ++ ++ files_list_etc($1) ++ can_exec($1, initrc_exec_t) ++') ++ ++######################################## ++## ++## Get the attribute of all init script entrypoint files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`init_getattr_all_script_files',` + gen_require(` + attribute init_script_file_type; + ') + -+ dontaudit $1 init_script_file_type:file getattr; ++ files_list_etc($1) ++ allow $1 init_script_file_type:file getattr; +') + -+####################################### ++######################################## +## -+## Dontaudit read all init script files. ++## Allow the specified domain to modify the systemd configuration of ++## all init scripts. +## +## +## -+## Domain to not audit. ++## Domain allowed access. +## +## +# -+interface(`init_dontaudit_read_all_script_files',` ++interface(`init_config_all_script_files',` ++ gen_require(` ++ attribute init_script_file_type; ++ ') ++ ++ allow $1 init_script_file_type:service all_service_perms; ++') ++ ++######################################## ++## ++## Read all init script files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`init_read_all_script_files',` gen_require(` attribute init_script_file_type; ') -@@ -1195,12 +1519,7 @@ interface(`init_read_script_state',` +@@ -1144,6 +1469,24 @@ interface(`init_read_all_script_files',` + + ####################################### + ## ++## Dontaudit getattr all init script files. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`init_dontaudit_getattr_all_script_files',` ++ gen_require(` ++ attribute init_script_file_type; ++ ') ++ ++ dontaudit $1 init_script_file_type:file getattr; ++') ++ ++####################################### ++## + ## Dontaudit read all init script files. 
+ ## + ## +@@ -1195,12 +1538,7 @@ interface(`init_read_script_state',` ') kernel_search_proc($1) @@ -32956,7 +33107,7 @@ index 79a45f6..9769b64 100644 ') ######################################## -@@ -1314,6 +1633,24 @@ interface(`init_signal_script',` +@@ -1314,6 +1652,24 @@ interface(`init_signal_script',` ######################################## ## @@ -32981,7 +33132,7 @@ index 79a45f6..9769b64 100644 ## Send null signals to init scripts. ## ## -@@ -1440,6 +1777,27 @@ interface(`init_dbus_send_script',` +@@ -1440,6 +1796,27 @@ interface(`init_dbus_send_script',` ######################################## ## ## Send and receive messages from @@ -33009,7 +33160,7 @@ index 79a45f6..9769b64 100644 ## init scripts over dbus. ## ## -@@ -1547,6 +1905,25 @@ interface(`init_getattr_script_status_files',` +@@ -1547,6 +1924,25 @@ interface(`init_getattr_script_status_files',` ######################################## ## @@ -33035,7 +33186,7 @@ index 79a45f6..9769b64 100644 ## Do not audit attempts to read init script ## status files. ## -@@ -1605,6 +1982,24 @@ interface(`init_rw_script_tmp_files',` +@@ -1605,6 +2001,24 @@ interface(`init_rw_script_tmp_files',` ######################################## ## @@ -33060,7 +33211,7 @@ index 79a45f6..9769b64 100644 ## Create files in a init script ## temporary data directory. ## -@@ -1677,6 +2072,43 @@ interface(`init_read_utmp',` +@@ -1677,6 +2091,43 @@ interface(`init_read_utmp',` ######################################## ## @@ -33104,7 +33255,7 @@ index 79a45f6..9769b64 100644 ## Do not audit attempts to write utmp. ## ## -@@ -1765,7 +2197,7 @@ interface(`init_dontaudit_rw_utmp',` +@@ -1765,7 +2216,7 @@ interface(`init_dontaudit_rw_utmp',` type initrc_var_run_t; ') 
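Review bot: `init_write_key`, visible in the `@@ -32788,161 +32833,267 @@` hunk, is documented as "Write the process keyring of init." but its only rule is `allow $1 init_t:key read;`, the same rule as `init_read_key` directly above it. These lines are carried over rather than introduced by this commit, which mostly reorders this part of init.if, but the mismatch survives on the new side. Either the rule should read `allow $1 init_t:key write;` or the summary should say read. As written, an audit of keyring access by interface name gives the wrong answer.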
@@ -33113,7 +33264,7 @@ index 79a45f6..9769b64 100644 ') ######################################## -@@ -1806,6 +2238,133 @@ interface(`init_pid_filetrans_utmp',` +@@ -1806,6 +2257,133 @@ interface(`init_pid_filetrans_utmp',` files_pid_filetrans($1, initrc_var_run_t, file, "utmp") ') @@ -33247,7 +33398,7 @@ index 79a45f6..9769b64 100644 ######################################## ## ## Allow the specified domain to connect to daemon with a tcp socket -@@ -1840,3 +2399,492 @@ interface(`init_udp_recvfrom_all_daemons',` +@@ -1840,3 +2418,492 @@ interface(`init_udp_recvfrom_all_daemons',` ') corenet_udp_recvfrom_labeled($1, daemon) ') @@ -42888,7 +43039,7 @@ index 2cea692..57c9025 100644 + files_pid_filetrans($1, ifconfig_var_run_t, dir, "netns") +') diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te -index a392fc4..30cf590 100644 +index a392fc4..78fa512 100644 --- a/policy/modules/system/sysnetwork.te +++ b/policy/modules/system/sysnetwork.te @@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.15.4) @@ -43093,20 +43244,25 @@ index a392fc4..30cf590 100644 ') optional_policy(` -@@ -221,7 +257,11 @@ optional_policy(` +@@ -221,7 +257,16 @@ optional_policy(` optional_policy(` seutil_sigchld_newrole(dhcpc_t) - seutil_dontaudit_search_config(dhcpc_t) + seutil_domtrans_setfiles(dhcpc_t) +') ++ ++optional_policy(` ++ systemd_dbus_chat_hostnamed(dhcpc_t) ++') ++ +optional_policy(` + systemd_passwd_agent_domtrans(dhcpc_t) + systemd_signal_passwd_agent(dhcpc_t) ') optional_policy(` -@@ -233,6 +273,10 @@ optional_policy(` +@@ -233,6 +278,10 @@ optional_policy(` ') optional_policy(` @@ -43117,7 +43273,7 @@ index a392fc4..30cf590 100644 vmware_append_log(dhcpc_t) ') -@@ -264,12 +308,25 @@ allow ifconfig_t self:msgq create_msgq_perms; +@@ -264,12 +313,25 @@ allow ifconfig_t self:msgq create_msgq_perms; allow ifconfig_t self:msg { send receive }; # Create UDP sockets, necessary when called from dhcpc allow ifconfig_t self:udp_socket create_socket_perms; 
@@ -43143,7 +43299,7 @@ index a392fc4..30cf590 100644 kernel_use_fds(ifconfig_t) kernel_read_system_state(ifconfig_t) kernel_read_network_state(ifconfig_t) -@@ -279,14 +336,32 @@ kernel_rw_net_sysctls(ifconfig_t) +@@ -279,14 +341,32 @@ kernel_rw_net_sysctls(ifconfig_t) corenet_rw_tun_tap_dev(ifconfig_t) @@ -43176,7 +43332,7 @@ index a392fc4..30cf590 100644 fs_getattr_xattr_fs(ifconfig_t) fs_search_auto_mountpoints(ifconfig_t) -@@ -299,33 +374,51 @@ term_dontaudit_use_all_ptys(ifconfig_t) +@@ -299,33 +379,51 @@ term_dontaudit_use_all_ptys(ifconfig_t) term_dontaudit_use_ptmx(ifconfig_t) term_dontaudit_use_generic_ptys(ifconfig_t) @@ -43234,7 +43390,7 @@ index a392fc4..30cf590 100644 optional_policy(` dev_dontaudit_rw_cardmgr(ifconfig_t) ') -@@ -336,7 +429,11 @@ ifdef(`hide_broken_symptoms',` +@@ -336,7 +434,11 @@ ifdef(`hide_broken_symptoms',` ') optional_policy(` @@ -43247,7 +43403,7 @@ index a392fc4..30cf590 100644 ') optional_policy(` -@@ -350,7 +447,16 @@ optional_policy(` +@@ -350,7 +452,16 @@ optional_policy(` ') optional_policy(` @@ -43265,7 +43421,7 @@ index a392fc4..30cf590 100644 ') optional_policy(` -@@ -371,3 +477,13 @@ optional_policy(` +@@ -371,3 +482,13 @@ optional_policy(` xen_append_log(ifconfig_t) xen_dontaudit_rw_unix_stream_sockets(ifconfig_t) ') @@ -43281,10 +43437,10 @@ index a392fc4..30cf590 100644 +') diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc new file mode 100644 -index 0000000..66b8608 +index 0000000..85ef000 --- /dev/null +++ b/policy/modules/system/systemd.fc -@@ -0,0 +1,55 @@ +@@ -0,0 +1,56 @@ +HOME_DIR/\.local/share/systemd(/.*)? gen_context(system_u:object_r:systemd_home_t,s0) +/root/\.local/share/systemd(/.*)? gen_context(system_u:object_r:systemd_home_t,s0) + 
@@ -43333,6 +43489,7 @@ index 0000000..66b8608 +/var/run/nologin gen_context(system_u:object_r:systemd_logind_var_run_t,s0) +/var/run/systemd/seats(/.*)? gen_context(system_u:object_r:systemd_logind_var_run_t,s0) +/var/run/systemd/sessions(/.*)? gen_context(system_u:object_r:systemd_logind_sessions_t,s0) ++/var/run/systemd/shutdown(/.*)? gen_context(system_u:object_r:systemd_logind_var_run_t,s0) +/var/run/systemd/users(/.*)? gen_context(system_u:object_r:systemd_logind_var_run_t,s0) +/var/run/systemd/inhibit(/.*)? gen_context(system_u:object_r:systemd_logind_inhibit_var_run_t,s0) +/var/run/systemd/ask-password-block(/.*)? gen_context(system_u:object_r:systemd_passwd_var_run_t,s0) @@ -43342,10 +43499,10 @@ index 0000000..66b8608 +/var/run/initramfs(/.*)? <> diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if new file mode 100644 -index 0000000..697417b +index 0000000..c253b33 --- /dev/null +++ b/policy/modules/system/systemd.if -@@ -0,0 +1,1639 @@ +@@ -0,0 +1,1640 @@ +## SELinux policy for systemd components + +###################################### @@ -44463,6 +44620,7 @@ index 0000000..697417b + ') + + files_pid_filetrans($1, systemd_logind_var_run_t, file, "nologin") ++ files_pid_filetrans($1, systemd_logind_var_run_t, file, "shutdown") + init_named_pid_filetrans($1, systemd_passwd_var_run_t, dir, "ask-password-block") + init_named_pid_filetrans($1, systemd_passwd_var_run_t, dir, "ask-password") + files_etc_filetrans($1, hostname_etc_t, file, "hostname" ) @@ -44987,10 +45145,10 @@ index 0000000..697417b +') diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 0000000..dde1f34 +index 0000000..9afb637 --- /dev/null +++ b/policy/modules/system/systemd.te -@@ -0,0 +1,780 @@ +@@ -0,0 +1,788 @@ +policy_module(systemd, 1.0.0) + +####################################### 
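Review bot: The added `files_pid_filetrans($1, systemd_logind_var_run_t, file, "shutdown")` (hunk `@@ -44463,6 +44620,7 @@`) describes a regular file named shutdown created directly in the pid directory, whereas the systemd.fc line added in this commit and the description both refer to the directory /var/run/systemd/shutdown. init.fc on this page labels /var/run/systemd as `init_var_run_t`, so the transition would presumably have to be keyed on that parent and on class `dir`, as the neighbouring ask-password lines do: `init_named_pid_filetrans($1, systemd_logind_var_run_t, dir, "shutdown")`. Without it the directory likely keeps the parent's label until it is relabeled. The enclosing interface starts and ends outside the hunk.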
@@ -45198,6 +45356,7 @@ index 0000000..dde1f34 +init_dbus_chat(systemd_logind_t) +init_dbus_chat_script(systemd_logind_t) +init_read_script_state(systemd_logind_t) ++init_read_utmp(systemd_logind_t) +init_rw_stream_sockets(systemd_logind_t) + +logging_send_syslog_msg(systemd_logind_t) @@ -45205,6 +45364,7 @@ index 0000000..dde1f34 +udev_read_db(systemd_logind_t) +udev_manage_rules_files(systemd_logind_t) + ++userdom_destroy_unpriv_user_shared_mem(systemd_logind_t) +userdom_read_all_users_state(systemd_logind_t) +userdom_use_user_ttys(systemd_logind_t) +userdom_manage_tmp_role(system_r, systemd_logind_t) @@ -45291,6 +45451,11 @@ index 0000000..dde1f34 +optional_policy(` + virt_dbus_chat(systemd_machined_t) + virt_sandbox_read_state(systemd_machined_t) ++ virt_signal_sandbox(systemd_machined_t) ++ virt_stream_connect_sandbox(systemd_machined_t) ++ virt_rw_svirt_dev(systemd_machined_t) ++ virt_getattr_sandbox_filesystem(systemd_machined_t) ++ virt_read_sandbox_files(systemd_machined_t) +') + +####################################### @@ -45739,6 +45904,7 @@ index 0000000..dde1f34 +# Common rules for systemd domains +# +allow systemd_domain self:process { setfscreate signal_perms }; ++allow systemd_domain self:unix_dgram_socket { create_socket_perms sendto }; +dontaudit systemd_domain self:capability net_admin; + +dev_read_urand(systemd_domain) @@ -47184,7 +47350,7 @@ index db75976..c54480a 100644 +/var/tmp/hsperfdata_root gen_context(system_u:object_r:user_tmp_t,s0) + diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index 9dc60c6..14be41c 100644 +index 9dc60c6..c0265be 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -30,9 +30,11 @@ template(`userdom_base_user_template',` 
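Review bot: The five `virt_*` calls added for `systemd_machined_t` (hunk `@@ -45291,6 +45451,11 @@`) have no comment tying them to a machined operation, and the commit description only says "Access needed by systemd-machine to manage docker containers". Judging by its name, `virt_rw_svirt_dev` is the broadest of them (read/write on sandbox device nodes) and would be the first to question in a later least-privilege review. A short comment above the group, for example `# machined manages docker (svirt sandbox) containers: state, signals, socket, devices`, would keep these grants reviewable. The enclosing `optional_policy` block starts outside the hunk.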
@@ -50019,123 +50185,123 @@ index 9dc60c6..14be41c 100644 ') ######################################## -@@ -2955,69 +3955,68 @@ interface(`userdom_spec_domtrans_unpriv_users',` +@@ -2955,6 +3955,42 @@ interface(`userdom_spec_domtrans_unpriv_users',` allow unpriv_userdomain $1:process sigchld; ') --######################################## +##################################### - ## --## Execute an Xserver session in all unprivileged user domains. This --## is an explicit transition, requiring the --## caller to use setexeccon(). ++## +## Allow domain dyntrans to unpriv userdomain. - ## - ## --## --## Domain allowed to transition. --## ++## ++## +## +## Domain allowed access. +## - ## - # --interface(`userdom_xsession_spec_domtrans_unpriv_users',` -- gen_require(` -- attribute unpriv_userdomain; -- ') ++## ++# +interface(`userdom_dyntransition_unpriv_users',` + gen_require(` + attribute unpriv_userdomain; + ') - -- xserver_xsession_spec_domtrans($1, unpriv_userdomain) -- allow unpriv_userdomain $1:fd use; -- allow unpriv_userdomain $1:fifo_file rw_file_perms; -- allow unpriv_userdomain $1:process sigchld; ++ + allow $1 unpriv_userdomain:process dyntransition; ++') ++ ++#################################### ++## ++## Allow domain dyntrans to admin userdomain. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`userdom_dyntransition_admin_users',` ++ gen_require(` ++ attribute admindomain; ++ ') ++ ++ allow $1 admindomain:process dyntransition; ++') ++ + ######################################## + ## + ## Execute an Xserver session in all unprivileged user domains. This +@@ -2978,24 +4014,6 @@ interface(`userdom_xsession_spec_domtrans_unpriv_users',` + allow unpriv_userdomain $1:process sigchld; ') -####################################### -+#################################### - ## +-## -## Read and write unpriviledged user SysV sempaphores. -+## Allow domain dyntrans to admin userdomain. - ## - ## +-## +-## -## -## Domain allowed access. 
-## -+## -+## Domain allowed access. -+## - ## - # +-## +-# -interface(`userdom_rw_unpriv_user_semaphores',` - gen_require(` - attribute unpriv_userdomain; - ') -+interface(`userdom_dyntransition_admin_users',` -+ gen_require(` -+ attribute admindomain; -+ ') - +- - allow $1 unpriv_userdomain:sem rw_sem_perms; -+ allow $1 admindomain:process dyntransition; +-') +- + ######################################## + ## + ## Manage unpriviledged user SysV sempaphores. +@@ -3014,9 +4032,9 @@ interface(`userdom_manage_unpriv_user_semaphores',` + allow $1 unpriv_userdomain:sem create_sem_perms; ') - ######################################## +-####################################### ++######################################## ## --## Manage unpriviledged user SysV sempaphores. -+## Execute an Xserver session in all unprivileged user domains. This -+## is an explicit transition, requiring the -+## caller to use setexeccon(). +-## Read and write unpriviledged user SysV shared ++## Manage unpriviledged user SysV shared + ## memory segments. ## ## - ## --## Domain allowed access. -+## Domain allowed to transition. 
+@@ -3025,17 +4043,17 @@ interface(`userdom_manage_unpriv_user_semaphores',` ## ## # --interface(`userdom_manage_unpriv_user_semaphores',` -+interface(`userdom_xsession_spec_domtrans_unpriv_users',` +-interface(`userdom_rw_unpriv_user_shared_mem',` ++interface(`userdom_manage_unpriv_user_shared_mem',` gen_require(` attribute unpriv_userdomain; ') -- allow $1 unpriv_userdomain:sem create_sem_perms; -+ xserver_xsession_spec_domtrans($1, unpriv_userdomain) -+ allow unpriv_userdomain $1:fd use; -+ allow unpriv_userdomain $1:fifo_file rw_file_perms; -+ allow unpriv_userdomain $1:process sigchld; +- allow $1 unpriv_userdomain:shm rw_shm_perms; ++ allow $1 unpriv_userdomain:shm create_shm_perms; ') --####################################### -+######################################## + ######################################## ## --## Read and write unpriviledged user SysV shared --## memory segments. -+## Manage unpriviledged user SysV sempaphores. +-## Manage unpriviledged user SysV shared ++## Destroy unpriviledged user SysV shared + ## memory segments. ## ## - ## -@@ -3025,12 +4024,12 @@ interface(`userdom_manage_unpriv_user_semaphores',` +@@ -3044,12 +4062,12 @@ interface(`userdom_rw_unpriv_user_shared_mem',` ## ## # --interface(`userdom_rw_unpriv_user_shared_mem',` -+interface(`userdom_manage_unpriv_user_semaphores',` +-interface(`userdom_manage_unpriv_user_shared_mem',` ++interface(`userdom_destroy_unpriv_user_shared_mem',` gen_require(` attribute unpriv_userdomain; ') -- allow $1 unpriv_userdomain:shm rw_shm_perms; -+ allow $1 unpriv_userdomain:sem create_sem_perms; +- allow $1 unpriv_userdomain:shm create_shm_perms; ++ allow $1 unpriv_userdomain:shm destroy; ') ######################################## -@@ -3094,7 +4093,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -3094,7 +4112,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` domain_entry_file_spec_domtrans($1, unpriv_userdomain) allow unpriv_userdomain $1:fd use; 
@@ -50144,7 +50310,7 @@ index 9dc60c6..14be41c 100644 allow unpriv_userdomain $1:process sigchld; ') -@@ -3110,29 +4109,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -3110,29 +4128,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` # interface(`userdom_search_user_home_content',` gen_require(` @@ -50178,7 +50344,7 @@ index 9dc60c6..14be41c 100644 ') ######################################## -@@ -3214,7 +4197,25 @@ interface(`userdom_dontaudit_use_user_ptys',` +@@ -3214,7 +4216,25 @@ interface(`userdom_dontaudit_use_user_ptys',` type user_devpts_t; ') @@ -50205,7 +50371,7 @@ index 9dc60c6..14be41c 100644 ') ######################################## -@@ -3269,12 +4270,13 @@ interface(`userdom_write_user_tmp_files',` +@@ -3269,12 +4289,13 @@ interface(`userdom_write_user_tmp_files',` type user_tmp_t; ') @@ -50221,7 +50387,7 @@ index 9dc60c6..14be41c 100644 ## ## ## -@@ -3282,54 +4284,130 @@ interface(`userdom_write_user_tmp_files',` +@@ -3282,54 +4303,56 @@ interface(`userdom_write_user_tmp_files',` ## ## # @@ -50290,18 +50456,20 @@ index 9dc60c6..14be41c 100644 -## Inherit the file descriptors from all user domains +## Allow domain to read/write inherited users +## fifo files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -3337,12 +4360,86 @@ interface(`userdom_getattr_all_users',` + ## + ## + # +-interface(`userdom_use_all_users_fds',` +interface(`userdom_rw_inherited_user_pipes',` -+ gen_require(` -+ attribute userdomain; -+ ') -+ + gen_require(` + attribute userdomain; + ') + +- allow $1 userdomain:fd use; + allow $1 userdomain:fifo_file rw_inherited_fifo_file_perms; +') + 
@@ -50364,10 +50532,23 @@ index 9dc60c6..14be41c 100644 +######################################## +## +## Inherit the file descriptors from all user domains - ## - ## - ## -@@ -3382,6 +4460,42 @@ interface(`userdom_signal_all_users',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`userdom_use_all_users_fds',` ++ gen_require(` ++ attribute userdomain; ++ ') ++ ++ allow $1 userdomain:fd use; + ') + + ######################################## +@@ -3382,6 +4479,42 @@ interface(`userdom_signal_all_users',` allow $1 userdomain:process signal; ') @@ -50410,7 +50591,7 @@ index 9dc60c6..14be41c 100644 ######################################## ## ## Send a SIGCHLD signal to all user domains. -@@ -3402,6 +4516,60 @@ interface(`userdom_sigchld_all_users',` +@@ -3402,6 +4535,60 @@ interface(`userdom_sigchld_all_users',` ######################################## ## @@ -50471,7 +50652,7 @@ index 9dc60c6..14be41c 100644 ## Create keys for all user domains. ## ## -@@ -3435,4 +4603,1727 @@ interface(`userdom_dbus_send_all_users',` +@@ -3435,4 +4622,1727 @@ interface(`userdom_dbus_send_all_users',` ') allow $1 userdomain:dbus send_msg; diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index 5c5030c..dc370d4 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -589,7 +589,7 @@ index 058d908..ee0c559 100644 +') + diff --git a/abrt.te b/abrt.te -index eb50f07..7ed1072 100644 +index eb50f07..5ad038c 100644 --- a/abrt.te +++ b/abrt.te @@ -6,11 +6,10 @@ policy_module(abrt, 1.4.1) @@ -608,7 +608,7 @@ index eb50f07..7ed1072 100644 ## gen_tunable(abrt_anon_write, false) -@@ -37,87 +36,98 @@ attribute abrt_domain; +@@ -37,87 +36,99 @@ attribute abrt_domain; attribute_role abrt_helper_roles; roleattribute system_r abrt_helper_roles; 
@@ -647,6 +647,7 @@ index eb50f07..7ed1072 100644 -type abrt_dump_oops_exec_t; +abrt_basic_types_template(abrt_dump_oops) init_system_domain(abrt_dump_oops_t, abrt_dump_oops_exec_t) ++domain_obj_id_change_exemption(abrt_dump_oops_t) -type abrt_handle_event_t, abrt_domain; -type abrt_handle_event_exec_t; @@ -737,7 +738,7 @@ index eb50f07..7ed1072 100644 manage_files_pattern(abrt_t, abrt_var_log_t, abrt_var_log_t) logging_log_filetrans(abrt_t, abrt_var_log_t, file) -@@ -125,48 +135,59 @@ manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t) +@@ -125,48 +136,59 @@ manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t) manage_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t) manage_lnk_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t) files_tmp_filetrans(abrt_t, abrt_tmp_t, { file dir }) @@ -804,7 +805,7 @@ index eb50f07..7ed1072 100644 domain_getattr_all_domains(abrt_t) domain_read_all_domains_state(abrt_t) -@@ -176,29 +197,43 @@ files_getattr_all_files(abrt_t) +@@ -176,29 +198,43 @@ files_getattr_all_files(abrt_t) files_read_config_files(abrt_t) files_read_etc_runtime_files(abrt_t) files_read_var_symlinks(abrt_t) @@ -851,7 +852,7 @@ index eb50f07..7ed1072 100644 tunable_policy(`abrt_anon_write',` miscfiles_manage_public_files(abrt_t) -@@ -206,15 +241,11 @@ tunable_policy(`abrt_anon_write',` +@@ -206,15 +242,11 @@ tunable_policy(`abrt_anon_write',` optional_policy(` apache_list_modules(abrt_t) @@ -868,7 +869,7 @@ index eb50f07..7ed1072 100644 ') optional_policy(` -@@ -222,6 +253,32 @@ optional_policy(` +@@ -222,6 +254,32 @@ optional_policy(` ') optional_policy(` @@ -901,7 +902,7 @@ index eb50f07..7ed1072 100644 policykit_domtrans_auth(abrt_t) policykit_read_lib(abrt_t) policykit_read_reload(abrt_t) -@@ -234,6 +291,11 @@ optional_policy(` +@@ -234,6 +292,11 @@ optional_policy(` ') optional_policy(` 
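Review bot: The added `domain_obj_id_change_exemption(abrt_dump_oops_t)` widens a type that the same abrt.te section also gives `domain_ptrace_all_domains`, `files_manage_non_security_files` and a long capability list, and the policy itself does not record why. The commit description attributes this line, the later `setuid setgid` addition to `allow abrt_dump_oops_t self:capability { ... }` and the added `domain_getattr_all_domains(abrt_dump_oops_t)` to abrt-hook-ccpp, so the core_pattern hook apparently runs as abrt_dump_oops_t and every other program entering that type inherits the grants. I would put a comment above each of the three lines, for example `# abrt-hook-ccpp: change SELinux user identity for created objects`, so a later audit can tie each grant to its consumer. It is also worth checking whether the hook can get its own type, so that setuid/setgid do not sit alongside ptrace of all domains in one shared domain. The abrt_dump_oops_t rules continue outside these hunks, so the full permission set is not visible here.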
@@ -913,7 +914,7 @@ index eb50f07..7ed1072 100644 rpm_exec(abrt_t) rpm_dontaudit_manage_db(abrt_t) rpm_manage_cache(abrt_t) -@@ -243,6 +305,7 @@ optional_policy(` +@@ -243,6 +306,7 @@ optional_policy(` rpm_signull(abrt_t) ') @@ -921,7 +922,7 @@ index eb50f07..7ed1072 100644 optional_policy(` sendmail_domtrans(abrt_t) ') -@@ -253,9 +316,21 @@ optional_policy(` +@@ -253,9 +317,21 @@ optional_policy(` sosreport_delete_tmp_files(abrt_t) ') @@ -944,7 +945,7 @@ index eb50f07..7ed1072 100644 # allow abrt_handle_event_t self:fifo_file rw_fifo_file_perms; -@@ -266,9 +341,13 @@ tunable_policy(`abrt_handle_event',` +@@ -266,9 +342,13 @@ tunable_policy(`abrt_handle_event',` can_exec(abrt_t, abrt_handle_event_exec_t) ') @@ -959,7 +960,7 @@ index eb50f07..7ed1072 100644 # allow abrt_helper_t self:capability { chown setgid sys_nice }; -@@ -281,6 +360,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) +@@ -281,6 +361,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) manage_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) manage_lnk_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir }) @@ -967,7 +968,7 @@ index eb50f07..7ed1072 100644 read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t) read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t) -@@ -289,15 +369,20 @@ corecmd_read_all_executables(abrt_helper_t) +@@ -289,15 +370,20 @@ corecmd_read_all_executables(abrt_helper_t) domain_read_all_domains_state(abrt_helper_t) 
@@ -988,7 +989,7 @@ index eb50f07..7ed1072 100644 userdom_dontaudit_read_user_home_content_files(abrt_helper_t) userdom_dontaudit_read_user_tmp_files(abrt_helper_t) dev_dontaudit_read_all_blk_files(abrt_helper_t) -@@ -305,11 +390,25 @@ ifdef(`hide_broken_symptoms',` +@@ -305,11 +391,25 @@ ifdef(`hide_broken_symptoms',` dev_dontaudit_write_all_chr_files(abrt_helper_t) dev_dontaudit_write_all_blk_files(abrt_helper_t) fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t) @@ -1015,7 +1016,7 @@ index eb50f07..7ed1072 100644 # allow abrt_retrace_coredump_t self:fifo_file rw_fifo_file_perms; -@@ -327,10 +426,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t) +@@ -327,10 +427,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t) dev_read_urand(abrt_retrace_coredump_t) @@ -1029,7 +1030,7 @@ index eb50f07..7ed1072 100644 optional_policy(` rpm_exec(abrt_retrace_coredump_t) rpm_dontaudit_manage_db(abrt_retrace_coredump_t) -@@ -343,10 +444,11 @@ optional_policy(` +@@ -343,10 +445,11 @@ optional_policy(` ####################################### # @@ -1043,7 +1044,7 @@ index eb50f07..7ed1072 100644 allow abrt_retrace_worker_t self:fifo_file rw_fifo_file_perms; domtrans_pattern(abrt_retrace_worker_t, abrt_retrace_coredump_exec_t, abrt_retrace_coredump_t) -@@ -365,38 +467,70 @@ corecmd_exec_shell(abrt_retrace_worker_t) +@@ -365,38 +468,71 @@ corecmd_exec_shell(abrt_retrace_worker_t) dev_read_urand(abrt_retrace_worker_t) @@ -1065,7 +1066,7 @@ index eb50f07..7ed1072 100644 # -allow abrt_dump_oops_t self:capability dac_override; -+allow abrt_dump_oops_t self:capability { kill net_admin sys_ptrace ipc_lock fowner chown fsetid dac_override }; ++allow abrt_dump_oops_t self:capability { kill net_admin sys_ptrace ipc_lock fowner chown fsetid dac_override setuid setgid }; +allow abrt_dump_oops_t self:process setfscreate; allow abrt_dump_oops_t self:fifo_file rw_fifo_file_perms; -allow abrt_dump_oops_t self:unix_stream_socket { accept listen }; 
@@ -1100,6 +1101,7 @@ index eb50f07..7ed1072 100644 +domain_signull_all_domains(abrt_dump_oops_t) +domain_ptrace_all_domains(abrt_dump_oops_t) +domain_read_all_domains_state(abrt_dump_oops_t) ++domain_getattr_all_domains(abrt_dump_oops_t) +files_manage_non_security_dirs(abrt_dump_oops_t) +files_manage_non_security_files(abrt_dump_oops_t) @@ -1118,7 +1120,7 @@ index eb50f07..7ed1072 100644 ####################################### # -@@ -404,25 +538,60 @@ logging_read_generic_logs(abrt_dump_oops_t) +@@ -404,25 +540,60 @@ logging_read_generic_logs(abrt_dump_oops_t) # allow abrt_watch_log_t self:fifo_file rw_fifo_file_perms; @@ -1181,7 +1183,7 @@ index eb50f07..7ed1072 100644 ') ####################################### -@@ -430,10 +599,7 @@ tunable_policy(`abrt_upload_watch_anon_write',` +@@ -430,10 +601,7 @@ tunable_policy(`abrt_upload_watch_anon_write',` # Global local policy # @@ -3164,10 +3166,10 @@ index 0000000..36251b9 +') diff --git a/antivirus.te b/antivirus.te new file mode 100644 -index 0000000..6183b21 +index 0000000..12349f3 --- /dev/null +++ b/antivirus.te -@@ -0,0 +1,271 @@ +@@ -0,0 +1,272 @@ +policy_module(antivirus, 1.0.0) + +######################################## @@ -3281,6 +3283,7 @@ index 0000000..6183b21 +corecmd_exec_shell(antivirus_domain) + +corenet_all_recvfrom_netlabel(antivirus_t) ++corenet_tcp_bind_all_unreserved_ports(antivirus_t) +corenet_tcp_sendrecv_generic_if(antivirus_t) +corenet_udp_sendrecv_generic_if(antivirus_t) +corenet_tcp_sendrecv_generic_node(antivirus_domain) @@ -14722,10 +14725,10 @@ index 5f306dd..e01156f 100644 ') diff --git a/cockpit.fc b/cockpit.fc new file mode 100644 -index 0000000..bb87537 +index 0000000..9ed6fdc --- /dev/null +++ b/cockpit.fc -@@ -0,0 +1,10 @@ +@@ -0,0 +1,12 @@ +# cockpit stuff + +/usr/lib/systemd/system/cockpit.* -- gen_context(system_u:object_r:cockpit_unit_file_t,s0) 
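Review bot: `corenet_tcp_bind_all_unreserved_ports(antivirus_t)` in the antivirus.te hunk grants more than the commit description justifies, since the description gives clamd's default range as 1024-2048 while the interface name suggests every unreserved TCP port; the exact coverage should be confirmed against corenetwork. If the wide grant is intended, record the reason next to the rule, e.g. `# clamd binds a random unassigned port (default range 1024-2048)`. Because a confined scanner that can listen on arbitrary high ports is a noticeable change in exposure, wrapping the line in a `tunable_policy` block would let hosts that do not use this clamd mode keep it off. Only part of the antivirus_t network block is visible in this hunk.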
@@ -14736,12 +14739,14 @@ index 0000000..bb87537 +/usr/libexec/cockpit-session -- gen_context(system_u:object_r:cockpit_session_exec_t,s0) + +/var/lib/cockpit(/.*)? gen_context(system_u:object_r:cockpit_var_lib_t,s0) ++ ++/var/run/cockpit-ws(/.*)? gen_context(system_u:object_r:cockpit_var_run_t,s0) diff --git a/cockpit.if b/cockpit.if new file mode 100644 -index 0000000..eb2739a +index 0000000..d5920c0 --- /dev/null +++ b/cockpit.if -@@ -0,0 +1,184 @@ +@@ -0,0 +1,188 @@ +## policy for cockpit + +######################################## @@ -14901,6 +14906,7 @@ index 0000000..eb2739a + type cockpit_ws_t; + type cockpit_session_t; + type cockpit_var_lib_t; ++ type cockpit_var_run_t; + type cockpit_unit_file_t; + ') + @@ -14918,6 +14924,9 @@ index 0000000..eb2739a + files_search_var_lib($1) + admin_pattern($1, cockpit_var_lib_t) + ++ files_search_pids($1) ++ admin_pattern($1, cockpit_var_run_t) ++ + cockpit_systemctl($1) + admin_pattern($1, cockpit_unit_file_t) + allow $1 cockpit_unit_file_t:service all_service_perms; @@ -14928,10 +14937,10 @@ index 0000000..eb2739a +') diff --git a/cockpit.te b/cockpit.te new file mode 100644 -index 0000000..4ae76c5 +index 0000000..77cdd5e --- /dev/null +++ b/cockpit.te -@@ -0,0 +1,102 @@ +@@ -0,0 +1,111 @@ +policy_module(cockpit, 1.0.0) + +######################################## @@ -14946,6 +14955,9 @@ index 0000000..4ae76c5 +type cockpit_tmp_t; +files_tmp_file(cockpit_tmp_t) + ++type cockpit_var_run_t; ++files_pid_file(cockpit_var_run_t) ++ +type cockpit_unit_file_t; +systemd_unit_file(cockpit_unit_file_t) + 
@@ -14982,6 +14994,12 @@ index 0000000..4ae76c5 +manage_files_pattern(cockpit_ws_t, cockpit_tmp_t, cockpit_tmp_t) +files_tmp_filetrans(cockpit_ws_t, cockpit_tmp_t, { dir file }) + ++manage_dirs_pattern(cockpit_ws_t, cockpit_var_run_t, cockpit_var_run_t) ++manage_files_pattern(cockpit_ws_t, cockpit_var_run_t, cockpit_var_run_t) ++manage_lnk_files_pattern(cockpit_ws_t, cockpit_var_run_t, cockpit_var_run_t) ++manage_sock_files_pattern(cockpit_ws_t, cockpit_var_run_t, cockpit_var_run_t) ++files_pid_filetrans(cockpit_ws_t, cockpit_var_run_t, { file dir sock_file }) ++ +read_files_pattern(cockpit_ws_t, cockpit_var_lib_t, cockpit_var_lib_t) +list_dirs_pattern(cockpit_ws_t, cockpit_var_lib_t, cockpit_var_lib_t) + @@ -30281,10 +30299,10 @@ index 0000000..cf9f7bf +') diff --git a/geoclue.te b/geoclue.te new file mode 100644 -index 0000000..cd197a6 +index 0000000..2d357a2 --- /dev/null +++ b/geoclue.te -@@ -0,0 +1,66 @@ +@@ -0,0 +1,69 @@ +policy_module(geoclue, 1.0.0) + +######################################## @@ -30341,6 +30359,9 @@ index 0000000..cd197a6 + dbus_system_domain(geoclue_t, geoclue_exec_t) + + optional_policy(` ++ avahi_dbus_chat(geoclue_t) ++ ') ++ optional_policy(` + modemmanager_dbus_chat(geoclue_t) + ') + optional_policy(` @@ -67235,14 +67256,15 @@ index 0000000..509d898 + ') +') diff --git a/pegasus.fc b/pegasus.fc -index dfd46e4..d40433a 100644 +index dfd46e4..feaa8e1 100644 --- a/pegasus.fc +++ b/pegasus.fc -@@ -1,15 +1,32 @@ +@@ -1,15 +1,33 @@ -/etc/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_conf_t,s0) + +/etc/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_conf_t,s0) /etc/Pegasus/pegasus_current\.conf gen_context(system_u:object_r:pegasus_data_t,s0) ++/etc/Pegasus/cimserver_current\.conf gen_context(system_u:object_r:pegasus_data_t,s0) -/etc/rc\.d/init\.d/tog-pegasus -- gen_context(system_u:object_r:pegasus_initrc_exec_t,s0) +/usr/sbin/cimserver -- gen_context(system_u:object_r:pegasus_exec_t,s0) 
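Review bot: The new pegasus.fc entry `/etc/Pegasus/cimserver_current\.conf` has no file-type field, so it matches any object class at that path, whereas the `/usr/sbin/cimserver` entry in the same hunk uses `--`. I would write it as `/etc/Pegasus/cimserver_current\.conf -- gen_context(system_u:object_r:pegasus_data_t,s0)` so that only a regular file gets the writable pegasus_data_t label under the pegasus_conf_t tree. The commit description says this path replaces `pegasus_current\.conf`, yet the old entry is kept; either drop it or add a comment such as `# kept for compatibility with older configurations` if that is the reason.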
@@ -84222,7 +84244,7 @@ index 47de2d6..dfb3396 100644 +/var/log/pacemaker\.log.* -- gen_context(system_u:object_r:cluster_var_log_t,s0) +/var/log/pcsd(/.*)? gen_context(system_u:object_r:cluster_var_log_t,s0) diff --git a/rhcs.if b/rhcs.if -index c8bdea2..29df561 100644 +index c8bdea2..1574225 100644 --- a/rhcs.if +++ b/rhcs.if @@ -1,19 +1,19 @@ @@ -84437,12 +84459,33 @@ index c8bdea2..29df561 100644 ## ## ## -@@ -221,10 +252,28 @@ interface(`rhcs_stream_connect_fenced',` +@@ -221,10 +252,49 @@ interface(`rhcs_stream_connect_fenced',` stream_connect_pattern($1, fenced_var_run_t, fenced_var_run_t, fenced_t) ') +###################################### +## ++## Send and receive messages from ++## fenced over dbus. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`rhcs_dbus_chat_fenced',` ++ gen_require(` ++ type fenced_t; ++ class dbus send_msg; ++ ') ++ ++ allow $1 fenced_t:dbus send_msg; ++ allow fenced_t $1:dbus send_msg; ++') ++ ++###################################### ++## +## Execute a domain transition to run fenced. +## +## @@ -84468,7 +84511,7 @@ index c8bdea2..29df561 100644 ## ## ## -@@ -243,7 +292,7 @@ interface(`rhcs_domtrans_gfs_controld',` +@@ -243,7 +313,7 @@ interface(`rhcs_domtrans_gfs_controld',` #################################### ## @@ -84477,7 +84520,7 @@ index c8bdea2..29df561 100644 ## ## ## -@@ -264,7 +313,7 @@ interface(`rhcs_rw_gfs_controld_semaphores',` +@@ -264,7 +334,7 @@ interface(`rhcs_rw_gfs_controld_semaphores',` ######################################## ## @@ -84486,7 +84529,7 @@ index c8bdea2..29df561 100644 ## ## ## -@@ -285,8 +334,7 @@ interface(`rhcs_rw_gfs_controld_shm',` +@@ -285,8 +355,7 @@ interface(`rhcs_rw_gfs_controld_shm',` ##################################### ## @@ -84496,7 +84539,7 @@ index c8bdea2..29df561 100644 ## ## ## -@@ -324,8 +372,8 @@ interface(`rhcs_domtrans_groupd',` +@@ -324,8 +393,8 @@ interface(`rhcs_domtrans_groupd',` ##################################### ## 
@@ -84507,7 +84550,7 @@ index c8bdea2..29df561 100644 ## ## ## -@@ -342,10 +390,51 @@ interface(`rhcs_stream_connect_groupd',` +@@ -342,10 +411,51 @@ interface(`rhcs_stream_connect_groupd',` stream_connect_pattern($1, groupd_var_run_t, groupd_var_run_t, groupd_t) ') @@ -84561,7 +84604,7 @@ index c8bdea2..29df561 100644 ## ## ## -@@ -366,8 +455,7 @@ interface(`rhcs_rw_cluster_shm',` +@@ -366,8 +476,7 @@ interface(`rhcs_rw_cluster_shm',` #################################### ## @@ -84571,7 +84614,7 @@ index c8bdea2..29df561 100644 ## ## ## -@@ -383,9 +471,10 @@ interface(`rhcs_rw_cluster_semaphores',` +@@ -383,9 +492,10 @@ interface(`rhcs_rw_cluster_semaphores',` allow $1 cluster_domain:sem { rw_sem_perms destroy }; ') @@ -84584,7 +84627,7 @@ index c8bdea2..29df561 100644 ## ## ## -@@ -393,20 +482,44 @@ interface(`rhcs_rw_cluster_semaphores',` +@@ -393,20 +503,44 @@ interface(`rhcs_rw_cluster_semaphores',` ## ## # @@ -84635,7 +84678,7 @@ index c8bdea2..29df561 100644 ## ## ## -@@ -414,15 +527,12 @@ interface(`rhcs_rw_groupd_semaphores',` +@@ -414,15 +548,12 @@ interface(`rhcs_rw_groupd_semaphores',` ## ## # @@ -84654,7 +84697,7 @@ index c8bdea2..29df561 100644 ') ###################################### -@@ -446,52 +556,385 @@ interface(`rhcs_domtrans_qdiskd',` +@@ -446,52 +577,385 @@ interface(`rhcs_domtrans_qdiskd',` ######################################## ## 
@@ -84686,14 +84729,22 @@ index c8bdea2..29df561 100644 ## -## Role allowed access. +## Domain allowed access. -+## -+## -+# + ## + ## +-## + # +-interface(`rhcs_admin',` +interface(`rhcs_read_cluster_lib_files',` -+ gen_require(` + gen_require(` +- attribute cluster_domain, cluster_pid, cluster_tmpfs; +- attribute cluster_log; +- type dlm_controld_initrc_exec_t, foghorn_initrc_exec_t, fenced_lock_t; +- type fenced_tmp_t, qdiskd_var_lib_t; + type cluster_var_lib_t; -+ ') -+ + ') + +- allow $1 cluster_domain:process { ptrace signal_perms }; +- ps_process_pattern($1, cluster_domain) + files_search_var_lib($1) + read_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t) +') @@ -84712,11 +84763,17 @@ index c8bdea2..29df561 100644 + gen_require(` + type cluster_var_lib_t; + ') -+ + +- init_labeled_script_domtrans($1, { dlm_controld_initrc_exec_t foghorn_initrc_exec_t }) +- domain_system_change_exemption($1) +- role_transition $2 { dlm_controld_initrc_exec_t foghorn_initrc_exec_t } system_r; +- allow $2 system_r; + files_search_var_lib($1) + manage_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t) +') -+ + +- files_search_pids($1) +- admin_pattern($1, cluster_pid) +#################################### +## +## Allow domain to relabel cluster lib files @@ -84736,7 +84793,9 @@ index c8bdea2..29df561 100644 + relabelto_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t) + relabelfrom_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t) +') -+ + +- files_search_locks($1) +- admin_pattern($1, fenced_lock_t) +###################################### +## +## Execute a domain transition to run cluster administrative domain. 
@@ -84751,11 +84810,15 @@ index c8bdea2..29df561 100644 + gen_require(` + type cluster_t, cluster_exec_t; + ') -+ + +- files_search_tmp($1) +- admin_pattern($1, fenced_tmp_t) + corecmd_search_bin($1) + domtrans_pattern($1, cluster_exec_t, cluster_t) +') -+ + +- files_search_var_lib($1) +- admin_pattern($1, qdiskd_var_lib_t) +####################################### +## +## Execute cluster init scripts in @@ -84771,7 +84834,9 @@ index c8bdea2..29df561 100644 + gen_require(` + type cluster_initrc_exec_t; + ') -+ + +- fs_search_tmpfs($1) +- admin_pattern($1, cluster_tmpfs) + init_labeled_script_domtrans($1, cluster_initrc_exec_t) +') + @@ -84978,37 +85043,21 @@ index c8bdea2..29df561 100644 +## +## +## Domain allowed access. - ## - ## --## - # --interface(`rhcs_admin',` ++## ++## ++# +interface(`rhcs_dbus_chat_cluster',` - gen_require(` -- attribute cluster_domain, cluster_pid, cluster_tmpfs; -- attribute cluster_log; -- type dlm_controld_initrc_exec_t, foghorn_initrc_exec_t, fenced_lock_t; -- type fenced_tmp_t, qdiskd_var_lib_t; ++ gen_require(` + type cluster_t; + class dbus send_msg; - ') - -- allow $1 cluster_domain:process { ptrace signal_perms }; -- ps_process_pattern($1, cluster_domain) ++ ') ++ + allow $1 cluster_t:dbus send_msg; + allow cluster_t $1:dbus send_msg; +') - -- init_labeled_script_domtrans($1, { dlm_controld_initrc_exec_t foghorn_initrc_exec_t }) -- domain_system_change_exemption($1) -- role_transition $2 { dlm_controld_initrc_exec_t foghorn_initrc_exec_t } system_r; -- allow $2 system_r; - -- files_search_pids($1) -- admin_pattern($1, cluster_pid) - -- files_search_locks($1) -- admin_pattern($1, fenced_lock_t) ++ ++ ++ +##################################### +## +## All of the rules required to administrate 
@@ -85032,20 +85081,14 @@ index c8bdea2..29df561 100644 + type cluster_tmpfs_t, cluster_var_log_t, cluster_var_run_t; + type cluster_unit_file_t; + ') - -- files_search_tmp($1) -- admin_pattern($1, fenced_tmp_t) ++ + allow $1 cluster_t:process signal_perms; + ps_process_pattern($1, cluster_t) - -- files_search_var_lib($1) -- admin_pattern($1, qdiskd_var_lib_t) ++ + tunable_policy(`deny_ptrace',`',` + allow $1 cluster_t:process ptrace; + ') - -- fs_search_tmpfs($1) -- admin_pattern($1, cluster_tmpfs) ++ + init_labeled_script_domtrans($1, cluster_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 cluster_initrc_exec_t system_r; @@ -85069,7 +85112,7 @@ index c8bdea2..29df561 100644 + allow $1 cluster_unit_file_t:service all_service_perms; ') diff --git a/rhcs.te b/rhcs.te -index 6cf79c4..2c7b543 100644 +index 6cf79c4..1fafe47 100644 --- a/rhcs.te +++ b/rhcs.te @@ -20,6 +20,35 @@ gen_tunable(fenced_can_network_connect, false) @@ -85540,7 +85583,7 @@ index 6cf79c4..2c7b543 100644 ####################################### # # foghorn local policy -@@ -221,16 +535,18 @@ corenet_sendrecv_agentx_client_packets(foghorn_t) +@@ -221,16 +535,22 @@ corenet_sendrecv_agentx_client_packets(foghorn_t) corenet_tcp_connect_agentx_port(foghorn_t) corenet_tcp_sendrecv_agentx_port(foghorn_t) @@ -85553,6 +85596,10 @@ index 6cf79c4..2c7b543 100644 optional_policy(` dbus_connect_system_bus(foghorn_t) ++ ++ optional_policy(` ++ rhcs_dbus_chat_fenced(foghorn_t) ++ ') ') optional_policy(` @@ -85561,7 +85608,7 @@ index 6cf79c4..2c7b543 100644 snmp_stream_connect(foghorn_t) ') -@@ -247,16 +563,20 @@ stream_connect_pattern(gfs_controld_t, dlm_controld_var_run_t, dlm_controld_var_ +@@ -247,16 +567,20 @@ stream_connect_pattern(gfs_controld_t, dlm_controld_var_run_t, dlm_controld_var_ stream_connect_pattern(gfs_controld_t, fenced_var_run_t, fenced_var_run_t, fenced_t) stream_connect_pattern(gfs_controld_t, groupd_var_run_t, groupd_var_run_t, groupd_t) 
@@ -85583,7 +85630,7 @@ index 6cf79c4..2c7b543 100644 optional_policy(` lvm_exec(gfs_controld_t) dev_rw_lvm_control(gfs_controld_t) -@@ -275,10 +595,57 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t) +@@ -275,10 +599,57 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t) dev_list_sysfs(groupd_t) @@ -85643,7 +85690,7 @@ index 6cf79c4..2c7b543 100644 ###################################### # # qdiskd local policy -@@ -292,7 +659,6 @@ manage_dirs_pattern(qdiskd_t, qdiskd_var_lib_t, qdiskd_var_lib_t) +@@ -292,7 +663,6 @@ manage_dirs_pattern(qdiskd_t, qdiskd_var_lib_t, qdiskd_var_lib_t) manage_sock_files_pattern(qdiskd_t, qdiskd_var_lib_t, qdiskd_var_lib_t) files_var_lib_filetrans(qdiskd_t, qdiskd_var_lib_t, { file dir sock_file }) @@ -85651,7 +85698,7 @@ index 6cf79c4..2c7b543 100644 kernel_read_software_raid_state(qdiskd_t) kernel_getattr_core_if(qdiskd_t) -@@ -321,6 +687,8 @@ storage_raw_write_fixed_disk(qdiskd_t) +@@ -321,6 +691,8 @@ storage_raw_write_fixed_disk(qdiskd_t) auth_use_nsswitch(qdiskd_t) @@ -108362,7 +108409,7 @@ index a4f20bc..374e8ef 100644 +/var/log/qemu-ga\.log.* -- gen_context(system_u:object_r:virt_qemu_ga_log_t,s0) +/var/log/qemu-ga(/.*)? gen_context(system_u:object_r:virt_qemu_ga_log_t,s0) diff --git a/virt.if b/virt.if -index facdee8..eae2073 100644 +index facdee8..19b6ffb 100644 --- a/virt.if +++ b/virt.if @@ -1,318 +1,226 @@ @@ -109184,7 +109231,7 @@ index facdee8..eae2073 100644 ## ## ## -@@ -673,54 +534,398 @@ interface(`virt_home_filetrans',` +@@ -673,54 +534,454 @@ interface(`virt_home_filetrans',` ## ## # 
@@ -109556,6 +109603,26 @@ index facdee8..eae2073 100644 + +####################################### +## ++## Read Sandbox Files ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`virt_read_sandbox_files',` ++ gen_require(` ++ type svirt_sandbox_file_t; ++ ') ++ ++ list_dirs_pattern($1, svirt_sandbox_file_t, svirt_sandbox_file_t) ++ read_files_pattern($1, svirt_sandbox_file_t, svirt_sandbox_file_t) ++ read_lnk_files_pattern($1, svirt_sandbox_file_t, svirt_sandbox_file_t) ++') ++ ++####################################### ++## +## Manage Sandbox Files +## +## @@ -109579,6 +109646,24 @@ index facdee8..eae2073 100644 + +####################################### +## ++## Getattr Sandbox File systems ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`virt_getattr_sandbox_filesystem',` ++ gen_require(` ++ type svirt_sandbox_file_t; ++ ') ++ ++ allow $1 svirt_sandbox_file_t:filesystem getattr; ++') ++ ++####################################### ++## +## Relabel Sandbox File systems +## +## @@ -109590,6 +109675,24 @@ index facdee8..eae2073 100644 +interface(`virt_relabel_sandbox_filesystem',` + gen_require(` + type svirt_sandbox_file_t; ++ ') ++ ++ allow $1 svirt_sandbox_file_t:filesystem { relabelfrom relabelto }; ++') ++ ++####################################### ++## ++## Mounton Sandbox Files ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`virt_mounton_sandbox_file',` ++ gen_require(` ++ type svirt_sandbox_file_t; ') - tunable_policy(`virt_use_samba',` 
@@ -109597,25 +109700,26 @@ index facdee8..eae2073 100644 - fs_manage_cifs_files($1) - fs_manage_cifs_symlinks($1) - ') -+ allow $1 svirt_sandbox_file_t:filesystem { relabelfrom relabelto }; ++ allow $1 svirt_sandbox_file_t:dir_file_class_set mounton; ') -######################################## +####################################### ## -## Relabel virt home content. -+## Mounton Sandbox Files ++## Connect to virt over a unix domain stream socket. ## ## ## -@@ -728,72 +933,98 @@ interface(`virt_manage_generic_virt_home_content',` +@@ -728,52 +989,80 @@ interface(`virt_manage_generic_virt_home_content',` ## ## # -interface(`virt_relabel_generic_virt_home_content',` -+interface(`virt_mounton_sandbox_file',` ++interface(`virt_stream_connect_sandbox',` gen_require(` - type virt_home_t; ++ attribute svirt_sandbox_domain; + type svirt_sandbox_file_t; ') 
@@ -109625,66 +109729,43 @@ index facdee8..eae2073 100644 - allow $1 virt_home_t:fifo_file relabel_fifo_file_perms; - allow $1 virt_home_t:lnk_file relabel_lnk_file_perms; - allow $1 virt_home_t:sock_file relabel_sock_file_perms; -+ allow $1 svirt_sandbox_file_t:dir_file_class_set mounton; ++ files_search_pids($1) ++ stream_connect_pattern($1, svirt_sandbox_file_t, svirt_sandbox_file_t, svirt_sandbox_domain) ++ ps_process_pattern(svirt_sandbox_domain, $1) ') --######################################## -+####################################### + ######################################## ## -## Create specified objects in user home -## directories with the generic virt -## home type. -+## Connect to virt over a unix domain stream socket. - ## - ## - ## - ## Domain allowed access. - ## - ## --## -+# -+interface(`virt_stream_connect_sandbox',` -+ gen_require(` -+ attribute svirt_sandbox_domain; -+ type svirt_sandbox_file_t; -+ ') -+ -+ files_search_pids($1) -+ stream_connect_pattern($1, svirt_sandbox_file_t, svirt_sandbox_file_t, svirt_sandbox_domain) -+ ps_process_pattern(svirt_sandbox_domain, $1) -+') -+ -+######################################## -+## +## Execute qemu in the svirt domain, and +## allow the specified role the svirt domain. -+## -+## + ## + ## ## --## Class of the object being created. +-## Domain allowed access. +## Domain allowed access ## ## --## +-## +## ## --## The name of the object being created. +-## Class of the object being created. +## The role to be allowed the sandbox domain. ## ## +-## +## - # --interface(`virt_home_filetrans_virt_home',` ++# +interface(`virt_transition_svirt',` - gen_require(` -- type virt_home_t; ++ gen_require(` + attribute virt_domain; + type virt_bridgehelper_t; + type svirt_image_t; + type svirt_socket_t; - ') - -- userdom_user_home_dir_filetrans($1, virt_home_t, $2, $3) ++ ') ++ + allow $1 virt_domain:process transition; + role $2 types virt_domain; + role $2 types virt_bridgehelper_t; 
@@ -109699,70 +109780,91 @@ index facdee8..eae2073 100644 + optional_policy(` + ptchown_run(virt_domain, $2) + ') ++') ++ ++######################################## ++## ++## Do not audit attempts to write virt daemon unnamed pipes. ++## ++## + ## +-## The name of the object being created. ++## Domain to not audit. + ## + ## + # +-interface(`virt_home_filetrans_virt_home',` ++interface(`virt_dontaudit_write_pipes',` + gen_require(` +- type virt_home_t; ++ type virtd_t; + ') + +- userdom_user_home_dir_filetrans($1, virt_home_t, $2, $3) ++ dontaudit $1 virtd_t:fd use; ++ dontaudit $1 virtd_t:fifo_file write_fifo_file_perms; ') ######################################## ## -## Read virt pid files. -+## Do not audit attempts to write virt daemon unnamed pipes. ++## Send a sigkill to virtual machines ## ## ## --## Domain allowed access. -+## Domain to not audit. +@@ -781,19 +1070,17 @@ interface(`virt_home_filetrans_virt_home',` ## ## # -interface(`virt_read_pid_files',` -+interface(`virt_dontaudit_write_pipes',` ++interface(`virt_kill_svirt',` gen_require(` - type virt_var_run_t; -+ type virtd_t; ++ attribute virt_domain; ') - files_search_pids($1) - read_files_pattern($1, virt_var_run_t, virt_var_run_t) -+ dontaudit $1 virtd_t:fd use; -+ dontaudit $1 virtd_t:fifo_file write_fifo_file_perms; ++ allow $1 virt_domain:process sigkill; ') ######################################## ## -## Create, read, write, and delete -## virt pid files. -+## Send a sigkill to virtual machines ++## Send a sigkill to virtd daemon. 
## ## ## -@@ -801,18 +1032,17 @@ interface(`virt_read_pid_files',` +@@ -801,18 +1088,17 @@ interface(`virt_read_pid_files',` ## ## # -interface(`virt_manage_pid_files',` -+interface(`virt_kill_svirt',` ++interface(`virt_kill',` gen_require(` - type virt_var_run_t; -+ attribute virt_domain; ++ type virtd_t; ') - files_search_pids($1) - manage_files_pattern($1, virt_var_run_t, virt_var_run_t) -+ allow $1 virt_domain:process sigkill; ++ allow $1 virtd_t:process sigkill; ') ######################################## ## -## Search virt lib directories. -+## Send a sigkill to virtd daemon. ++## Send a signal to virtd daemon. ## ## ## -@@ -820,18 +1050,17 @@ interface(`virt_manage_pid_files',` +@@ -820,18 +1106,17 @@ interface(`virt_manage_pid_files',` ## ## # -interface(`virt_search_lib',` -+interface(`virt_kill',` ++interface(`virt_signal',` gen_require(` - type virt_var_lib_t; + type virtd_t; @@ -109770,22 +109872,22 @@ index facdee8..eae2073 100644 - files_search_var_lib($1) - allow $1 virt_var_lib_t:dir search_dir_perms; -+ allow $1 virtd_t:process sigkill; ++ allow $1 virtd_t:process signal; ') ######################################## ## -## Read virt lib files. -+## Send a signal to virtd daemon. ++## Send null signal to virtd daemon. ## ## ## -@@ -839,20 +1068,17 @@ interface(`virt_search_lib',` +@@ -839,20 +1124,17 @@ interface(`virt_search_lib',` ## ## # -interface(`virt_read_lib_files',` -+interface(`virt_signal',` ++interface(`virt_signull',` gen_require(` - type virt_var_lib_t; + type virtd_t; 
@@ -109794,38 +109896,38 @@ index facdee8..eae2073 100644 - files_search_var_lib($1) - read_files_pattern($1, virt_var_lib_t, virt_var_lib_t) - read_lnk_files_pattern($1, virt_var_lib_t, virt_var_lib_t) -+ allow $1 virtd_t:process signal; ++ allow $1 virtd_t:process signull; ') ######################################## ## -## Create, read, write, and delete -## virt lib files. -+## Send null signal to virtd daemon. ++## Send a signal to virtual machines ## ## ## -@@ -860,94 +1086,93 @@ interface(`virt_read_lib_files',` +@@ -860,74 +1142,123 @@ interface(`virt_read_lib_files',` ## ## # -interface(`virt_manage_lib_files',` -+interface(`virt_signull',` ++interface(`virt_signal_svirt',` gen_require(` - type virt_var_lib_t; -+ type virtd_t; ++ attribute virt_domain; ') - files_search_var_lib($1) - manage_files_pattern($1, virt_var_lib_t, virt_var_lib_t) -+ allow $1 virtd_t:process signull; ++ allow $1 virt_domain:process signal; ') ######################################## ## -## Create objects in virt pid -## directories with a private type. -+## Send a signal to virtual machines ++## Send a signal to sandbox domains ## ## ## 
@@ -109833,182 +109935,224 @@ index facdee8..eae2073 100644 ## ## -## --## ++# ++interface(`virt_signal_sandbox',` ++ gen_require(` ++ attribute svirt_sandbox_domain; ++ ') ++ ++ allow $1 svirt_sandbox_domain:process signal; ++') ++ ++######################################## ++## ++## Manage virt home files. ++## ++## + ## -## The type of the object to be created. --## --## ++## Domain allowed access. + ## + ## -## --## ++# ++interface(`virt_manage_home_files',` ++ gen_require(` ++ type virt_home_t; ++ ') ++ ++ userdom_search_user_home_dirs($1) ++ manage_files_pattern($1, virt_home_t, virt_home_t) ++') ++ ++######################################## ++## ++## allow domain to read ++## virt tmpfs files ++## ++## + ## -## The object class of the object being created. --## --## ++## Domain allowed access + ## + ## -## +# -+interface(`virt_signal_svirt',` ++interface(`virt_read_tmpfs_files',` + gen_require(` -+ attribute virt_domain; ++ attribute virt_tmpfs_type; + ') + -+ allow $1 virt_domain:process signal; ++ allow $1 virt_tmpfs_type:file read_file_perms; +') + +######################################## +## -+## Manage virt home files. ++## allow domain to manage ++## virt tmpfs files +## +## ## -## The name of the object being created. -+## Domain allowed access. ++## Domain allowed access ## ## -## # -interface(`virt_pid_filetrans',` -+interface(`virt_manage_home_files',` ++interface(`virt_manage_tmpfs_files',` gen_require(` - type virt_var_run_t; -+ type virt_home_t; ++ attribute virt_tmpfs_type; ') - files_search_pids($1) - filetrans_pattern($1, virt_var_run_t, $2, $3, $4) -+ userdom_search_user_home_dirs($1) -+ manage_files_pattern($1, virt_home_t, virt_home_t) ++ allow $1 virt_tmpfs_type:file manage_file_perms; ') ######################################## ## -## Read virt log files. -+## allow domain to read -+## virt tmpfs files ++## Create .virt directory in the user home directory ++## with an correct label. ## ## ## --## Domain allowed access. 
-+## Domain allowed access + ## Domain allowed access. ## ## -## # -interface(`virt_read_log',` -+interface(`virt_read_tmpfs_files',` ++interface(`virt_filetrans_home_content',` gen_require(` - type virt_log_t; -+ attribute virt_tmpfs_type; ++ type virt_home_t; ++ type svirt_home_t; ') - logging_search_logs($1) - read_files_pattern($1, virt_log_t, virt_log_t) -+ allow $1 virt_tmpfs_type:file read_file_perms; ++ userdom_user_home_dir_filetrans($1, virt_home_t, dir, ".libvirt") ++ userdom_user_home_dir_filetrans($1, virt_home_t, dir, ".virtinst") ++ filetrans_pattern($1, virt_home_t, svirt_home_t, dir, "qemu") ++ ++ optional_policy(` ++ gnome_config_filetrans($1, virt_home_t, dir, "libvirt") ++ gnome_cache_filetrans($1, virt_home_t, dir, "libvirt") ++ gnome_cache_filetrans($1, virt_home_t, dir, "libvirt-sandbox") ++ gnome_cache_filetrans($1, virt_home_t, dir, "gnome-boxes") ++ gnome_data_filetrans($1, svirt_home_t, dir, "images") ++ gnome_data_filetrans($1, svirt_home_t, dir, "boot") ++ ') ') ######################################## ## -## Append virt log files. -+## allow domain to manage -+## virt tmpfs files ++## Dontaudit attempts to Read virt_image_type devices. ## ## ## --## Domain allowed access. -+## Domain allowed access +@@ -935,117 +1266,133 @@ interface(`virt_read_log',` ## ## # -interface(`virt_append_log',` -+interface(`virt_manage_tmpfs_files',` ++interface(`virt_dontaudit_read_chr_dev',` gen_require(` - type virt_log_t; -+ attribute virt_tmpfs_type; ++ attribute virt_image_type; ') - logging_search_logs($1) - append_files_pattern($1, virt_log_t, virt_log_t) -+ allow $1 virt_tmpfs_type:file manage_file_perms; ++ dontaudit $1 virt_image_type:chr_file read_chr_file_perms; ') ######################################## ## -## Create, read, write, and delete -## virt log files. -+## Create .virt directory in the user home directory -+## with an correct label. ++## Creates types and rules for a basic ++## virt_lxc process domain. 
## - ## +-## ++## ## -@@ -955,20 +1180,29 @@ interface(`virt_append_log',` +-## Domain allowed access. ++## Prefix for the domain. ## ## # -interface(`virt_manage_log',` -+interface(`virt_filetrans_home_content',` ++template(`virt_sandbox_domain_template',` gen_require(` - type virt_log_t; -+ type virt_home_t; -+ type svirt_home_t; ++ attribute svirt_sandbox_domain; ') - logging_search_logs($1) - manage_dirs_pattern($1, virt_log_t, virt_log_t) - manage_files_pattern($1, virt_log_t, virt_log_t) - manage_lnk_files_pattern($1, virt_log_t, virt_log_t) -+ userdom_user_home_dir_filetrans($1, virt_home_t, dir, ".libvirt") -+ userdom_user_home_dir_filetrans($1, virt_home_t, dir, ".virtinst") -+ filetrans_pattern($1, virt_home_t, svirt_home_t, dir, "qemu") ++ type $1_t, svirt_sandbox_domain; ++ domain_type($1_t) ++ domain_user_exemption_target($1_t) ++ mls_rangetrans_target($1_t) ++ mcs_constrained($1_t) ++ role system_r types $1_t; + -+ optional_policy(` -+ gnome_config_filetrans($1, virt_home_t, dir, "libvirt") -+ gnome_cache_filetrans($1, virt_home_t, dir, "libvirt") -+ gnome_cache_filetrans($1, virt_home_t, dir, "libvirt-sandbox") -+ gnome_cache_filetrans($1, virt_home_t, dir, "gnome-boxes") -+ gnome_data_filetrans($1, svirt_home_t, dir, "images") -+ gnome_data_filetrans($1, svirt_home_t, dir, "boot") -+ ') ++ logging_send_syslog_msg($1_t) ++ ++ kernel_read_system_state($1_t) ') ######################################## ## -## Search virt image directories. -+## Dontaudit attempts to Read virt_image_type devices. ++## Make the specified type usable as a lxc domain ## - ## +-## ++## ## -@@ -976,92 +1210,133 @@ interface(`virt_manage_log',` +-## Domain allowed access. 
++## Type to be used as a lxc domain ## ## # -interface(`virt_search_images',` -+interface(`virt_dontaudit_read_chr_dev',` ++template(`virt_sandbox_domain',` gen_require(` - attribute virt_image_type; +- attribute virt_image_type; ++ attribute svirt_sandbox_domain; ') - virt_search_lib($1) - allow $1 virt_image_type:dir search_dir_perms; -+ dontaudit $1 virt_image_type:chr_file read_chr_file_perms; ++ typeattribute $1 svirt_sandbox_domain; ') ######################################## ## -## Read virt image files. -+## Creates types and rules for a basic -+## virt_lxc process domain. ++## Execute a qemu_exec_t in the callers domain ## --## -+## - ## --## Domain allowed access. -+## Prefix for the domain. - ## + ## +-## ++## + ## Domain allowed access. +-## ++## ## # -interface(`virt_read_images',` -+template(`virt_sandbox_domain_template',` ++interface(`virt_exec_qemu',` gen_require(` - type virt_var_lib_t; - attribute virt_image_type; -+ attribute svirt_sandbox_domain; ++ type qemu_exec_t; ') - virt_search_lib($1) 
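Review bot: The new `virt_signal_sandbox` interface grants `signal` on the whole `svirt_sandbox_domain` attribute, but its summary ("Send a signal to sandbox domains", which sits in the preceding hunk) does not say the grant covers every sandbox type. A caller can therefore signal any type carrying the attribute, including those added later through `virt_sandbox_domain()` or `virt_sandbox_domain_template()` further down in this hunk. I would reword the summary to `## Send generic signals to all svirt sandbox domains.` so the breadth is visible to whoever calls it. The `signal` permission is separate from `sigkill`, `sigstop` and `signull`, and one sentence saying so in the description would stop callers assuming it covers them.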
@@ -110017,125 +110161,98 @@ index facdee8..eae2073 100644 - read_files_pattern($1, virt_image_type, virt_image_type) - read_lnk_files_pattern($1, virt_image_type, virt_image_type) - read_blk_files_pattern($1, virt_image_type, virt_image_type) -+ type $1_t, svirt_sandbox_domain; -+ domain_type($1_t) -+ domain_user_exemption_target($1_t) -+ mls_rangetrans_target($1_t) -+ mcs_constrained($1_t) -+ role system_r types $1_t; ++ can_exec($1, qemu_exec_t) ++') - tunable_policy(`virt_use_nfs',` - fs_list_nfs($1) - fs_read_nfs_files($1) - fs_read_nfs_symlinks($1) -+ logging_send_syslog_msg($1_t) -+ -+ kernel_read_system_state($1_t) -+') -+ +######################################## +## -+## Make the specified type usable as a lxc domain ++## Transition to virt named content +## -+## ++## +## -+## Type to be used as a lxc domain ++## Domain allowed access. +## +## +# -+template(`virt_sandbox_domain',` ++interface(`virt_filetrans_named_content',` + gen_require(` -+ attribute svirt_sandbox_domain; ++ type virt_lxc_var_run_t; ++ type virt_var_run_t; ') - tunable_policy(`virt_use_samba',` - fs_list_cifs($1) - fs_read_cifs_files($1) - fs_read_cifs_symlinks($1) -+ typeattribute $1 svirt_sandbox_domain; -+') -+ -+######################################## -+## -+## Execute a qemu_exec_t in the callers domain -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`virt_exec_qemu',` -+ gen_require(` -+ type qemu_exec_t; - ') -+ -+ can_exec($1, qemu_exec_t) +- ') ++ files_pid_filetrans($1, virt_lxc_var_run_t, dir, "libvirt-sandbox") ++ files_pid_filetrans($1, virt_var_run_t, dir, "libvirt") ++ files_pid_filetrans($1, virt_var_run_t, dir, "libguestfs") ') ######################################## ## -## Read and write all virt image -## character files. -+## Transition to virt named content ++## Execute qemu in the svirt domain, and ++## allow the specified role the svirt domain. ## ## ## -## Domain allowed access. -+## Domain allowed access. 
++## Domain allowed access ++## ++## ++## ++## ++## The role to be allowed the sandbox domain. ## ## ++## # -interface(`virt_rw_all_image_chr_files',` -+interface(`virt_filetrans_named_content',` ++interface(`virt_transition_svirt_sandbox',` gen_require(` - attribute virt_image_type; -+ type virt_lxc_var_run_t; -+ type virt_var_run_t; ++ attribute svirt_sandbox_domain; ') - virt_search_lib($1) - allow $1 virt_image_type:dir list_dir_perms; - rw_chr_files_pattern($1, virt_image_type, virt_image_type) -+ files_pid_filetrans($1, virt_lxc_var_run_t, dir, "libvirt-sandbox") -+ files_pid_filetrans($1, virt_var_run_t, dir, "libvirt") -+ files_pid_filetrans($1, virt_var_run_t, dir, "libguestfs") ++ allow $1 svirt_sandbox_domain:process { transition signal_perms }; ++ role $2 types svirt_sandbox_domain; ++ allow $1 svirt_sandbox_domain:unix_dgram_socket sendto; ++ ++ allow svirt_sandbox_domain $1:fifo_file rw_fifo_file_perms; ++ allow svirt_sandbox_domain $1:process sigchld; ++ ps_process_pattern($1, svirt_sandbox_domain) ') ######################################## ## -## Create, read, write, and delete -## svirt cache files. -+## Execute qemu in the svirt domain, and -+## allow the specified role the svirt domain. ++## Read the process state of virt sandbox containers ## ## ## --## Domain allowed access. -+## Domain allowed access -+## -+## -+## -+## -+## The role to be allowed the sandbox domain. 
+@@ -1053,15 +1400,17 @@ interface(`virt_rw_all_image_chr_files',` ## ## -+## # -interface(`virt_manage_svirt_cache',` - refpolicywarn(`$0($*) has been deprecated, use virt_manage_virt_cache() instead.') - virt_manage_virt_cache($1) -+interface(`virt_transition_svirt_sandbox',` ++interface(`virt_sandbox_read_state',` + gen_require(` + attribute svirt_sandbox_domain; + ') + -+ allow $1 svirt_sandbox_domain:process { transition signal_perms }; -+ role $2 types svirt_sandbox_domain; -+ allow $1 svirt_sandbox_domain:unix_dgram_socket sendto; -+ -+ allow svirt_sandbox_domain $1:fifo_file rw_fifo_file_perms; -+ allow svirt_sandbox_domain $1:process sigchld; + ps_process_pattern($1, svirt_sandbox_domain) ') @@ -110147,7 +110264,7 @@ index facdee8..eae2073 100644 ## ## ## -@@ -1069,21 +1344,17 @@ interface(`virt_manage_svirt_cache',` +@@ -1069,21 +1418,17 @@ interface(`virt_manage_svirt_cache',` ## ## # @@ -110173,7 +110290,7 @@ index facdee8..eae2073 100644 ## ## ## -@@ -1091,36 +1362,36 @@ interface(`virt_manage_virt_cache',` +@@ -1091,36 +1436,36 @@ interface(`virt_manage_virt_cache',` ## ## # @@ -110230,7 +110347,7 @@ index facdee8..eae2073 100644 ## ## ## -@@ -1136,50 +1407,95 @@ interface(`virt_manage_images',` +@@ -1136,50 +1481,76 @@ interface(`virt_manage_images',` # interface(`virt_admin',` gen_require(` 
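Review bot: The relocated `virt_sandbox_read_state` no longer calls `kernel_search_proc($1)`. The copy removed near the end of the virt.if section had it ahead of `ps_process_pattern($1, svirt_sandbox_domain)`, and the new body keeps only the latter. As far as I know `ps_process_pattern` grants access only to the target domains' own /proc entries, so a caller without search on /proc from elsewhere would presumably hit denials. I would restore `kernel_search_proc($1)` as the first statement of the body, or, if the drop is deliberate, add a comment that callers must supply /proc search themselves. The interface's summary block starts earlier in this hunk, interleaved with the moved `virt_transition_svirt_sandbox` lines.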
@@ -110269,20 +110386,26 @@ index facdee8..eae2073 100644 - fs_search_tmpfs($1) - admin_pattern($1, virt_tmpfs_type) -+ allow $1 virt_domain:process signal_perms; - +- - files_search_tmp($1) - admin_pattern($1, { virt_tmp_type virt_tmp_t }) +- +- files_search_etc($1) +- admin_pattern($1, { virt_etc_t virt_etc_rw_t virtd_keytab_t }) ++ allow $1 virt_domain:process signal_perms; + +- logging_search_logs($1) +- admin_pattern($1, virt_log_t) + admin_pattern($1, virt_file_type) + admin_pattern($1, svirt_file_type) -- files_search_etc($1) -- admin_pattern($1, { virt_etc_t virt_etc_rw_t virtd_keytab_t }) +- files_search_pids($1) +- admin_pattern($1, { virt_var_run_t virtd_lxc_var_run_t svirt_var_run_t }) + virt_systemctl($1) + allow $1 virtd_unit_file_t:service all_service_perms; -- logging_search_logs($1) -- admin_pattern($1, virt_log_t) +- files_search_var($1) +- admin_pattern($1, svirt_cache_t) + virt_stream_connect_sandbox($1) + virt_stream_connect_svirt($1) + virt_stream_connect($1) @@ -110302,32 +110425,9 @@ index facdee8..eae2073 100644 + attribute sandbox_caps_domain; + ') -- files_search_pids($1) -- admin_pattern($1, { virt_var_run_t virtd_lxc_var_run_t svirt_var_run_t }) -+ typeattribute $1 sandbox_caps_domain; -+') - -- files_search_var($1) -- admin_pattern($1, svirt_cache_t) -+######################################## -+## -+## Allow the domain to read svirt_sandbox_domain state files in /proc. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`virt_sandbox_read_state',` -+ gen_require(` -+ attribute svirt_sandbox_domain; -+ ') - - files_search_var_lib($1) - admin_pattern($1, { virt_image_type virt_var_lib_t svirt_lxc_file_t }) -+ kernel_search_proc($1) -+ ps_process_pattern($1, svirt_sandbox_domain) ++ typeattribute $1 sandbox_caps_domain; +') - files_search_locks($1) diff --git a/selinux-policy.spec b/selinux-policy.spec index bd184dd..3520814 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec 
@@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 158%{?dist} +Release: 159%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -664,6 +664,22 @@ exit 0 %endif %changelog +* Fri Nov 20 2015 Miroslav Grepl 3.13.1-159 +- Allow antivirus_t to bind to all unreserved ports. Clamd binds to random unassigned port (by default in range 1024-2048) +- Allow abrt-hook-ccpp to change SELinux user identity for created objects. +- Allow abrt-hook-ccpp to get attributes of all processes because of core_pattern. +- Allow setuid/setgid capabilities for abrt-hook-ccpp. +- Add default labeling for /etc/Pegasus/cimserver_current.conf. It is a correct patch instead of the current /etc/Pegasus/pegasus_current.conf. +- Allow fenced node dbus msg when using foghorn witch configured foghorn, snmpd, and snmptrapd. +- cockpit has grown content in /var/run directory +- Add support for /dev/mptctl device used to check RAID status. +- Allow systemd-hostnamed to communicate with dhcp via dbus. +- systemd-logind remove all IPC objects owned by a user on a logout. This covers also SysV memory. This change allows to destroy unpriviledged user SysV shared memory segments. +- Add userdom_destroy_unpriv_user_shared_mem() interface. +- Label /var/run/systemd/shutdown directory as systemd_logind_var_run_t to allow systemd-logind to access it if shutdown is invoked. +- Access needed by systemd-machine to manage docker containers +- Allow systemd-logind to read /run/utmp when shutdown is invoked. + * Tue Nov 10 2015 Miroslav Grepl 3.13.1-158 - Merge pull request #48 from lkundrak/contrib-openfortivpn - unbound wants to use ephemeral ports as a default configuration. Allow to use also udp sockets.