Description: misc patches for daemon policy
Author: Russell Coker <russell@coker.com.au>
Last-Update: 2014-09-13

Index: refpolicy/policy/modules/contrib/fetchmail.te
===================================================================
--- refpolicy.orig/policy/modules/contrib/fetchmail.te
+++ refpolicy/policy/modules/contrib/fetchmail.te
@@ -47,6 +47,7 @@ create_files_pattern(fetchmail_t, fetchm
 setattr_files_pattern(fetchmail_t, fetchmail_log_t, fetchmail_log_t)
 logging_log_filetrans(fetchmail_t, fetchmail_log_t, { dir file })
 
+allow fetchmail_t fetchmail_uidl_cache_t:dir manage_dir_perms;
 allow fetchmail_t fetchmail_uidl_cache_t:file manage_file_perms;
 mta_spool_filetrans(fetchmail_t, fetchmail_uidl_cache_t, file)
 
Index: refpolicy/policy/modules/contrib/mysql.te
===================================================================
--- refpolicy.orig/policy/modules/contrib/mysql.te
+++ refpolicy/policy/modules/contrib/mysql.te
@@ -70,7 +70,7 @@ dontaudit mysqld_t self:capability sys_t
 allow mysqld_t self:process { setsched getsched setrlimit signal_perms rlimitinh };
 allow mysqld_t self:fifo_file rw_fifo_file_perms;
 allow mysqld_t self:shm create_shm_perms;
-allow mysqld_t self:unix_stream_socket { accept listen };
+allow mysqld_t self:unix_stream_socket { connectto accept listen };
 allow mysqld_t self:tcp_socket { accept listen };
 
 manage_dirs_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
@@ -99,6 +99,7 @@ manage_sock_files_pattern(mysqld_t, mysq
 files_pid_filetrans(mysqld_t, mysqld_var_run_t, { dir file sock_file })
 
 kernel_read_kernel_sysctls(mysqld_t)
+kernel_read_vm_sysctls(mysqld_t)
 kernel_read_network_state(mysqld_t)
 kernel_read_system_state(mysqld_t)
 
Index: refpolicy/policy/modules/contrib/tor.te
===================================================================
--- refpolicy.orig/policy/modules/contrib/tor.te
+++ refpolicy/policy/modules/contrib/tor.te
@@ -41,7 +41,7 @@ systemd_unit_file(tor_unit_file_t)
 # Local policy
 #
 
-allow tor_t self:capability { setgid setuid sys_tty_config };
+allow tor_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid sys_tty_config };
 allow tor_t self:process signal;
 allow tor_t self:fifo_file rw_fifo_file_perms;
 allow tor_t self:unix_stream_socket { accept listen };
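Review bot: The rewritten capability line at the top of the hunk adds dac_override and dac_read_search to tor_t with no comment naming the operation that needs them, and dac_override lets the daemon bypass every DAC check on files it can otherwise reach. If the denial was only a directory or file read, dac_read_search alone is the narrower grant; if the daemon merely probes for the capability and works without it, `dontaudit tor_t self:capability { dac_override dac_read_search };` is the usual refpolicy form. A one-line comment above the rule, e.g. `# for <path that triggered the denial> — TODO confirm`, would let a later reviewer re-check whether the grant is still needed.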
Index: refpolicy/policy/modules/contrib/cron.if
===================================================================
--- refpolicy.orig/policy/modules/contrib/cron.if
+++ refpolicy/policy/modules/contrib/cron.if
@@ -910,3 +910,21 @@ interface(`cron_manage_system_spool',`
 	files_search_spool($1)
 	manage_files_pattern($1, cron_system_spool_t, cron_system_spool_t)
 ')
+
+########################################
+## <summary>
+##      Access temporary files crond creates for script output
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`read_write_crond_tmp',`
+	gen_require(`
+		type crond_tmp_t;
+	')
+
+	allow $1 crond_tmp_t:file rw_file_perms;
+')
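Review bot: The new interface is named `read_write_crond_tmp`, but refpolicy interfaces carry their module prefix and the access-vector verb, so the conventional name is `cron_rw_tmp_files`; the same applies to `dontaudit_udev_pidfile_rw` in udev.if, `stat_mount_var_run` in mount.if and `xdm_sigchld` in xserver.if further down this patch. Unprefixed names do not collide today but hide which module a caller depends on, and renaming is cheap while the only caller (sysstat.te, in this patch) is still in the same change. The summary and param lines also indent with spaces after `##`, whereas the other new interfaces in this patch use a tab.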
Index: refpolicy/policy/modules/contrib/sysstat.te
===================================================================
--- refpolicy.orig/policy/modules/contrib/sysstat.te
+++ refpolicy/policy/modules/contrib/sysstat.te
@@ -24,8 +24,7 @@ allow sysstat_t self:capability { dac_ov
 allow sysstat_t self:fifo_file rw_fifo_file_perms;
 
 manage_dirs_pattern(sysstat_t,sysstat_log_t,sysstat_log_t)
-append_files_pattern(sysstat_t, sysstat_log_t, sysstat_log_t)
-create_files_pattern(sysstat_t, sysstat_log_t, sysstat_log_t)
+manage_files_pattern(sysstat_t, sysstat_log_t, sysstat_log_t)
 setattr_files_pattern(sysstat_t, sysstat_log_t, sysstat_log_t)
 manage_lnk_files_pattern(sysstat_t,sysstat_log_t,sysstat_log_t)
 logging_log_filetrans(sysstat_t, sysstat_log_t, { file dir })
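Review bot: Replacing `append_files_pattern` and `create_files_pattern` with `manage_files_pattern` on sysstat_log_t lets sysstat_t also truncate, rename and unlink its own log files, which is wider than the two rules it replaces. If the need is only that sadc rewrites the daily binary file in place, keeping the create rule and changing the append rule to `rw_files_pattern(sysstat_t, sysstat_log_t, sysstat_log_t)` covers it without unlink; if unlink really is needed (log cleanup by the sa2 script, presumably) a short comment above the rule would record that.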
@@ -39,12 +38,15 @@ kernel_read_fs_sysctls(sysstat_t)
 kernel_read_rpc_sysctls(sysstat_t)
 
 corecmd_exec_bin(sysstat_t)
+corecmd_exec_shell(sysstat_t)
 
 dev_read_sysfs(sysstat_t)
+dev_getattr_sysfs(sysstat_t)
 dev_read_urand(sysstat_t)
 
 files_search_var(sysstat_t)
 files_read_etc_runtime_files(sysstat_t)
+files_search_all_mountpoints(sysstat_t)
 
 fs_getattr_xattr_fs(sysstat_t)
 fs_list_inotifyfs(sysstat_t)
@@ -66,4 +68,5 @@ userdom_dontaudit_list_user_home_dirs(sy
 
 optional_policy(`
 	cron_system_entry(sysstat_t, sysstat_exec_t)
+	read_write_crond_tmp(sysstat_t)
 ')
Index: refpolicy/policy/modules/contrib/dirmngr.fc
===================================================================
--- refpolicy.orig/policy/modules/contrib/dirmngr.fc
+++ refpolicy/policy/modules/contrib/dirmngr.fc
@@ -7,6 +7,7 @@
 /var/log/dirmngr(/.*)?	gen_context(system_u:object_r:dirmngr_log_t,s0)
 
 /var/lib/dirmngr(/.*)?	gen_context(system_u:object_r:dirmngr_var_lib_t,s0)
+/var/cache/dirmngr(/.*)?	gen_context(system_u:object_r:dirmngr_var_lib_t,s0)
 
 /var/run/dirmngr\.pid	--	gen_context(system_u:object_r:dirmngr_var_run_t,s0)
 
Index: refpolicy/policy/modules/contrib/xen.te
===================================================================
--- refpolicy.orig/policy/modules/contrib/xen.te
+++ refpolicy/policy/modules/contrib/xen.te
@@ -173,6 +173,9 @@ allow xend_t self:tcp_socket { accept li
 allow xend_t self:packet_socket create_socket_perms;
 allow xend_t self:tun_socket create_socket_perms;
 
+# for lsscsi
+storage_getattr_fixed_disk_dev(xend_t)
+
 allow xend_t xen_image_t:dir list_dir_perms;
 manage_dirs_pattern(xend_t, xen_image_t, xen_image_t)
 manage_fifo_files_pattern(xend_t, xen_image_t, xen_image_t)
@@ -219,6 +222,7 @@ domtrans_pattern(xend_t, xenstored_exec_
 xen_stream_connect_xenstore(xend_t)
 
 kernel_read_kernel_sysctls(xend_t)
+kernel_read_vm_sysctls(xend_t)
 kernel_read_system_state(xend_t)
 kernel_write_xen_state(xend_t)
 kernel_read_xen_state(xend_t)
@@ -450,6 +454,7 @@ dev_read_sysfs(xenstored_t)
 
 files_read_etc_files(xenstored_t)
 files_read_usr_files(xenstored_t)
+corecmd_search_bin(xenstored_t)
 
 fs_search_xenfs(xenstored_t)
 fs_manage_xenfs_files(xenstored_t)
Index: refpolicy/policy/modules/system/udev.te
===================================================================
--- refpolicy.orig/policy/modules/system/udev.te
+++ refpolicy/policy/modules/system/udev.te
@@ -56,6 +56,9 @@ allow udev_t self:netlink_kobject_uevent
 allow udev_t self:rawip_socket create_socket_perms;
 fs_read_cgroup_files(udev_t)
 
+# for systemd-udevd to rename interfaces
+allow udev_t self:netlink_route_socket nlmsg_write;
+
 allow udev_t udev_exec_t:file write;
 can_exec(udev_t, udev_exec_t)
 
@@ -204,6 +207,11 @@ ifdef(`distro_debian',`
 	')
 ')
 
+optional_policy(`
+	# for systemd-udevd when starting xen domu
+	virt_read_config(udev_t)
+')
+
 ifdef(`distro_gentoo',`
 	# during boot, init scripts use /dev/.rcsysinit
 	# existance to determine if we are in early booting
@@ -331,6 +339,7 @@ optional_policy(`
 	kernel_read_xen_state(udev_t)
 	xen_manage_log(udev_t)
 	xen_read_image_files(udev_t)
+	fs_manage_xenfs_files(udev_t)
 ')
 
 optional_policy(`
Index: refpolicy/policy/modules/system/fstools.te
===================================================================
--- refpolicy.orig/policy/modules/system/fstools.te
+++ refpolicy/policy/modules/system/fstools.te
@@ -45,6 +45,9 @@ allow fsadm_t fsadm_tmp_t:dir manage_dir
 allow fsadm_t fsadm_tmp_t:file manage_file_perms;
 files_tmp_filetrans(fsadm_t, fsadm_tmp_t, { file dir })
 
+# for /run/mount/utab
+stat_mount_var_run(fsadm_t)
+
 # log files
 allow fsadm_t fsadm_log_t:dir setattr;
 manage_files_pattern(fsadm_t, fsadm_log_t, fsadm_log_t)
@@ -195,6 +198,10 @@ optional_policy(`
 
 optional_policy(`
 	udev_read_db(fsadm_t)
+
+	# Xen causes losetup to run with a presumably accidentally inherited
+	# file handle for /run/xen-hotplug/block
+	dontaudit_udev_pidfile_rw(fsadm_t)
 ')
 
 optional_policy(`
Index: refpolicy/policy/modules/system/udev.if
===================================================================
--- refpolicy.orig/policy/modules/system/udev.if
+++ refpolicy/policy/modules/system/udev.if
@@ -261,6 +261,24 @@ interface(`udev_search_pids',`
 
 ########################################
 ## <summary>
+##	dontaudit attempts to read/write udev pidfiles
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dontaudit_udev_pidfile_rw',`
+	gen_require(`
+		type udev_var_run_t;
+	')
+
+	dontaudit $1 udev_var_run_t:file { read write };
+')
+
+########################################
+## <summary>
 ##	Create, read, write, and delete
 ##	udev pid directories
 ## </summary>
Index: refpolicy/policy/modules/contrib/apt.if
===================================================================
--- refpolicy.orig/policy/modules/contrib/apt.if
+++ refpolicy/policy/modules/contrib/apt.if
@@ -164,6 +164,26 @@ interface(`apt_use_ptys',`
 ##	</summary>
 ## </param>
 #
+interface(`apt_manage_cache',`
+	gen_require(`
+		type apt_var_cache_t;
+	')
+
+	files_search_var($1)
+	allow $1 apt_var_cache_t:dir manage_dir_perms;
+	allow $1 apt_var_cache_t:file manage_file_perms;
+')
+
+########################################
+## <summary>
+##	Read apt package cache content.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
 interface(`apt_read_cache',`
 	gen_require(`
 		type apt_var_cache_t;
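Review bot: `apt_manage_cache` is inserted directly under the doc block that previously described `apt_read_cache` (the `</summary>`/`</param>` context at the top of the hunk), so the new interface presumably inherits a summary that speaks of reading the cache while the body grants manage_dir_perms and manage_file_perms; the hunk then writes a fresh "Read apt package cache content." block for apt_read_cache. The summary line above the hunk should be changed to `##	Create, read, write, and delete apt package cache content.` so the generated documentation matches the access actually granted. The doc block being re-used starts outside the hunk, so verify its current wording before editing.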
Index: refpolicy/policy/modules/contrib/cron.te
===================================================================
--- refpolicy.orig/policy/modules/contrib/cron.te
+++ refpolicy/policy/modules/contrib/cron.te
@@ -336,6 +336,18 @@ ifdef(`distro_debian',`
 	optional_policy(`
 		logwatch_search_cache_dir(crond_t)
 	')
+	optional_policy(`
+		apt_manage_cache(system_cronjob_t)
+		apt_read_db(system_cronjob_t)
+	')
+')
+
+optional_policy(`
+	ntp_read_conf(system_cronjob_t)
+')
+
+optional_policy(`
+	apache_unlink_var_lib(system_cronjob_t)
 ')
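Review bot: `apt_manage_cache(system_cronjob_t)` gives every job that runs as system_cronjob_t the ability to rewrite and delete the apt package cache, not only the one cron job that presumably triggered the denial; a comment such as `# for <name of the cron job> — TODO confirm` would justify the width. `ntp_read_conf` and `apache_unlink_var_lib` are likewise unexplained, and while ntp_read_conf is defined in this patch, apache_unlink_var_lib is not visible here, so confirm it exists in the apache module before this is applied. The enclosing distro_debian block starts outside the hunk.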
 
 ifdef(`distro_redhat',`
@@ -469,6 +481,7 @@ allow system_cronjob_t cron_spool_t:dir
 allow system_cronjob_t cron_spool_t:file rw_file_perms;
 
 allow system_cronjob_t crond_tmp_t:file { read write };
+allow cronjob_t crond_tmp_t:file { read write };
 
 kernel_read_kernel_sysctls(system_cronjob_t)
 kernel_read_network_state(system_cronjob_t)
@@ -736,3 +749,5 @@ tunable_policy(`cron_userdomain_transiti
 optional_policy(`
 	unconfined_domain(unconfined_cronjob_t)
 ')
+
+initrc_manage_service(unconfined_cronjob_t)
Index: refpolicy/policy/modules/contrib/ntp.if
===================================================================
--- refpolicy.orig/policy/modules/contrib/ntp.if
+++ refpolicy/policy/modules/contrib/ntp.if
@@ -18,6 +18,23 @@ interface(`ntp_stub',`
 
 ########################################
 ## <summary>
+##	Read ntp.conf
+## </summary>
+## <param name="domain" unused="true">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`ntp_read_conf',`
+	gen_require(`
+		type ntp_conf_t;
+	')
+	allow $1 ntp_conf_t:file read_file_perms;
+')
+
+########################################
+## <summary>
 ##	Execute ntp server in the ntpd domain.
 ## </summary>
 ## <param name="domain">
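Review bot: The new `ntp_read_conf` declares its parameter as `<param name="domain" unused="true">` although the body uses `$1` in `allow $1 ntp_conf_t:file read_file_perms;`, so the attribute is wrong and the generated interface documentation will mark the argument as ignored. Change it to `## <param name="domain">`. A blank line between the gen_require block and the allow rule would match the layout of the other interfaces added in this patch.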
Index: refpolicy/policy/modules/system/init.te
===================================================================
--- refpolicy.orig/policy/modules/system/init.te
+++ refpolicy/policy/modules/system/init.te
@@ -151,6 +151,7 @@ corecmd_exec_chroot(init_t)
 corecmd_exec_bin(init_t)
 
 dev_read_sysfs(init_t)
+logging_create_devlog_dev(init_t)
 # Early devtmpfs
 dev_rw_generic_chr_files(init_t)
 
@@ -1141,6 +1142,7 @@ tunable_policy(`init_systemd',`
 	allow init_t self:process { getcap setcap };
 	allow init_t self:unix_stream_socket { create_stream_socket_perms connectto };
 	allow init_t self:netlink_kobject_uevent_socket create_socket_perms;
+	allow init_t self:netlink_audit_socket { nlmsg_relay create_socket_perms };
 	# Until systemd is fixed
 	allow daemon init_t:socket_class_set { getopt read getattr ioctl setopt write };
 	allow init_t self:udp_socket create_socket_perms;
@@ -1225,6 +1227,7 @@ tunable_policy(`init_systemd',`
 	systemd_manage_unit_dirs(init_t)
 	systemd_manage_all_unit_files(init_t)
 	systemd_logger_stream_connect(init_t)
+	systemd_manage_lnk_file_passwd_run(init_t)
 
 	create_sock_files_pattern(init_t, init_sock_file_type, init_sock_file_type)
 
Index: refpolicy/policy/modules/system/systemd.if
===================================================================
--- refpolicy.orig/policy/modules/system/systemd.if
+++ refpolicy/policy/modules/system/systemd.if
@@ -497,6 +497,24 @@ interface(`systemd_read_fifo_file_passwd
     read_sock_files_pattern($1, systemd_passwd_var_run_t, systemd_passwd_var_run_t)
 ')
 
+######################################
+## <summary>
+##  Allow to domain to create systemd-passwd symlink
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`systemd_manage_lnk_file_passwd_run',`
+	gen_require(`
+		type systemd_passwd_var_run_t;
+	')
+
+	allow $1 systemd_passwd_var_run_t:lnk_file manage_lnk_file_perms;
+')
+
 #######################################
 ## <summary>
 ##  Send generic signals to systemd_passwd_agent processes.
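Review bot: The summary of the new `systemd_manage_lnk_file_passwd_run` reads `Allow to domain to create systemd-passwd symlink`, which is both ungrammatical and narrower than the rule: `manage_lnk_file_perms` also permits reading, renaming and unlinking the symlink. Use `##  Create, read, write, and delete the systemd-passwd runtime symlink.`, keeping the two-space `##  ` indent the neighbouring doc blocks in this file use.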
Index: refpolicy/policy/modules/contrib/clamav.te
===================================================================
--- refpolicy.orig/policy/modules/contrib/clamav.te
+++ refpolicy/policy/modules/contrib/clamav.te
@@ -73,7 +73,7 @@ logging_log_file(freshclam_var_log_t)
 # Clamd local policy
 #
 
-allow clamd_t self:capability { kill setgid setuid dac_override };
+allow clamd_t self:capability { chown fowner fsetid kill setgid setuid dac_override };
 dontaudit clamd_t self:capability sys_tty_config;
 allow clamd_t self:process signal;
 allow clamd_t self:fifo_file rw_fifo_file_perms;
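Review bot: The capability line now grants clamd_t chown, fowner and fsetid with no comment saying which file operation needs them; together with the dac_override already on the line this lets the daemon take ownership of and change mode bits on any file it can reach. If these came from a single startup event (fixing up permissions on its socket or log directory, say) a comment naming it would help, and if clamd works without them `dontaudit clamd_t self:capability { chown fowner fsetid };` is the safer form. The same question applies to the sys_resource added to dovecot_t later in this patch.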
@@ -107,6 +107,7 @@ kernel_dontaudit_list_proc(clamd_t)
 kernel_read_sysctl(clamd_t)
 kernel_read_kernel_sysctls(clamd_t)
 kernel_read_system_state(clamd_t)
+kernel_read_vm_sysctls(clamd_t)
 
 corecmd_exec_shell(clamd_t)
 
@@ -215,6 +216,10 @@ corenet_sendrecv_http_client_packets(fre
 corenet_tcp_connect_http_port(freshclam_t)
 corenet_tcp_sendrecv_http_port(freshclam_t)
 
+corenet_sendrecv_http_cache_client_packets(freshclam_t)
+corenet_tcp_connect_http_cache_port(freshclam_t)
+corenet_tcp_sendrecv_http_cache_port(freshclam_t)
+
 corenet_sendrecv_squid_client_packets(freshclam_t)
 corenet_tcp_connect_squid_port(freshclam_t)
 corenet_tcp_sendrecv_squid_port(freshclam_t)
Index: refpolicy/policy/modules/contrib/dpkg.te
===================================================================
--- refpolicy.orig/policy/modules/contrib/dpkg.te
+++ refpolicy/policy/modules/contrib/dpkg.te
@@ -38,6 +38,9 @@ domain_system_change_exemption(dpkg_scri
 domain_interactive_fd(dpkg_script_t)
 role dpkg_roles types dpkg_script_t;
 
+spec_domtrans_pattern(dpkg_t, dpkg_var_lib_t, dpkg_script_t)
+domain_entry_file(dpkg_script_t, dpkg_var_lib_t)
+
 type dpkg_script_tmp_t;
 files_tmp_file(dpkg_script_tmp_t)
 
Index: refpolicy/policy/modules/kernel/devices.if
===================================================================
--- refpolicy.orig/policy/modules/kernel/devices.if
+++ refpolicy/policy/modules/kernel/devices.if
@@ -589,6 +589,24 @@ interface(`dev_getattr_generic_chr_files
 
 ########################################
 ## <summary>
+##	Allow setattr for generic character device files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_setattr_generic_chr_files',`
+	gen_require(`
+		type device_t;
+	')
+
+	setattr_chr_files_pattern($1, device_t, device_t)
+')
+
+########################################
+## <summary>
 ##	Dontaudit getattr for generic character device files.
 ## </summary>
 ## <param name="domain">
Index: refpolicy/policy/modules/kernel/kernel.te
===================================================================
--- refpolicy.orig/policy/modules/kernel/kernel.te
+++ refpolicy/policy/modules/kernel/kernel.te
@@ -263,6 +263,7 @@ dev_create_generic_blk_files(kernel_t)
 dev_delete_generic_blk_files(kernel_t)
 dev_create_generic_chr_files(kernel_t)
 dev_delete_generic_chr_files(kernel_t)
+dev_setattr_generic_chr_files(kernel_t)
 dev_mounton(kernel_t)
 
 # Mount root file system. Used when loading a policy
Index: refpolicy/policy/modules/contrib/postfix.te
===================================================================
--- refpolicy.orig/policy/modules/contrib/postfix.te
+++ refpolicy/policy/modules/contrib/postfix.te
@@ -234,6 +234,8 @@ manage_files_pattern(postfix_master_t, p
 manage_lnk_files_pattern(postfix_master_t, postfix_spool_flush_t, postfix_spool_flush_t)
 filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_spool_flush_t, dir, "flush")
 
+hostname_exec(postfix_master_t)
+
 create_dirs_pattern(postfix_master_t, postfix_spool_t, postfix_private_t)
 manage_fifo_files_pattern(postfix_master_t, postfix_private_t, postfix_private_t)
 manage_sock_files_pattern(postfix_master_t, postfix_private_t, postfix_private_t)
@@ -371,6 +373,7 @@ allow postfix_cleanup_t self:process set
 
 allow postfix_cleanup_t postfix_smtpd_t:tcp_socket rw_stream_socket_perms;
 allow postfix_cleanup_t postfix_smtpd_t:unix_stream_socket rw_socket_perms;
+allow postfix_cleanup_t postfix_smtpd_t:fd use;
 
 allow postfix_cleanup_t postfix_spool_maildrop_t:dir list_dir_perms;
 allow postfix_cleanup_t postfix_spool_maildrop_t:file read_file_perms;
@@ -400,6 +403,10 @@ optional_policy(`
 	mailman_read_data_files(postfix_cleanup_t)
 ')
 
+optional_policy(`
+	dkim_stream_connect(postfix_cleanup_t)
+')
+
 ########################################
 #
 # Local local policy
@@ -432,6 +439,7 @@ tunable_policy(`postfix_local_write_mail
 optional_policy(`
 	clamav_search_lib(postfix_local_t)
 	clamav_exec_clamscan(postfix_local_t)
+	clamav_stream_connect(postfix_smtpd_t)
 ')
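Review bot: `clamav_stream_connect(postfix_smtpd_t)` is added inside an optional_policy block whose other two calls are for postfix_local_t, under the "Local local policy" heading, so an smtpd rule now lives in the wrong domain's section and will be missed by anyone editing the smtpd policy. Move it to the smtpd section in its own optional_policy block for clamav (or into the existing one there, if any). The enclosing optional_policy block starts outside the hunk.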
 
 optional_policy(`
@@ -654,6 +662,10 @@ optional_policy(`
 	ppp_sigchld(postfix_postqueue_t)
 ')
 
+optional_policy(`
+	userdom_sigchld_all_users(postfix_postqueue_t)
+')
+
 ########################################
 #
 # Qmgr local policy
Index: refpolicy/policy/modules/contrib/bind.te
===================================================================
--- refpolicy.orig/policy/modules/contrib/bind.te
+++ refpolicy/policy/modules/contrib/bind.te
@@ -219,6 +219,7 @@ optional_policy(`
 #
 
 allow ndc_t self:capability { dac_override net_admin };
+allow ndc_t self:capability2 block_suspend;
 allow ndc_t self:process signal_perms;
 allow ndc_t self:fifo_file rw_fifo_file_perms;
 allow ndc_t self:unix_stream_socket { accept listen };
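Review bot: `allow ndc_t self:capability2 block_suspend;` grants a capability the rndc client should not need to function: the kernel checks CAP_BLOCK_SUSPEND only when a caller asks for EPOLLWAKEUP and otherwise ignores the flag, so the usual refpolicy treatment of that audit event is `dontaudit ndc_t self:capability2 block_suspend;`. If ndc has been observed to fail without it, a comment saying so would keep the next reviewer from downgrading it back.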
Index: refpolicy/policy/modules/contrib/alsa.te
===================================================================
--- refpolicy.orig/policy/modules/contrib/alsa.te
+++ refpolicy/policy/modules/contrib/alsa.te
@@ -24,6 +24,9 @@ files_tmpfs_file(alsa_tmpfs_t)
 type alsa_var_lib_t;
 files_type(alsa_var_lib_t)
 
+type alsa_lock_t;
+files_lock_file(alsa_lock_t)
+
 type alsa_home_t;
 userdom_user_home_content(alsa_home_t)
 
@@ -43,6 +46,9 @@ allow alsa_t self:unix_stream_socket { a
 
 allow alsa_t alsa_home_t:file read_file_perms;
 
+files_lock_filetrans(alsa_t, alsa_lock_t, file)
+allow alsa_t alsa_lock_t:file manage_file_perms;
+
 manage_files_pattern(alsa_t, alsa_etc_rw_t, alsa_etc_rw_t)
 manage_lnk_files_pattern(alsa_t, alsa_etc_rw_t, alsa_etc_rw_t)
 files_etc_filetrans(alsa_t, alsa_etc_rw_t, file)
Index: refpolicy/policy/modules/contrib/kerneloops.te
===================================================================
--- refpolicy.orig/policy/modules/contrib/kerneloops.te
+++ refpolicy/policy/modules/contrib/kerneloops.te
@@ -29,6 +29,7 @@ files_tmp_filetrans(kerneloops_t, kernel
 
 kernel_read_ring_buffer(kerneloops_t)
 kernel_read_system_state(kerneloops_t)
+dev_read_urand(kerneloops_t)
 
 domain_use_interactive_fds(kerneloops_t)
 
Index: refpolicy/policy/modules/admin/bootloader.te
===================================================================
--- refpolicy.orig/policy/modules/admin/bootloader.te
+++ refpolicy/policy/modules/admin/bootloader.te
@@ -65,6 +65,9 @@ kernel_read_system_state(bootloader_t)
 kernel_read_software_raid_state(bootloader_t)
 kernel_read_kernel_sysctls(bootloader_t)
 
+# for grub-probe
+kernel_request_load_module(bootloader_t)
+
 storage_raw_read_fixed_disk(bootloader_t)
 storage_raw_write_fixed_disk(bootloader_t)
 storage_raw_read_removable_device(bootloader_t)
@@ -149,6 +152,11 @@ ifdef(`distro_debian',`
 	fstools_relabelto_entry_files(bootloader_t)
 
 	libs_relabelto_lib_files(bootloader_t)
+
+	# for apt-cache
+	dpkg_read_db(bootloader_t)
+	apt_read_db(bootloader_t)
+	apt_read_cache(bootloader_t)
 ')
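Review bot: `dpkg_read_db`, `apt_read_db` and `apt_read_cache` are interfaces of contrib modules, but the hunk calls them directly inside the distro_debian block rather than inside an optional_policy block; the visible neighbours (`fstools_relabelto_entry_files`, `libs_relabelto_lib_files`) come from base modules and so do not need one, whereas these three will make the bootloader module fail to build whenever the apt or dpkg module is absent. Wrap the dpkg call and the two apt calls in their own optional_policy blocks. The ifdef block starts outside the hunk, so confirm it is not itself already inside an optional_policy.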
 
 ifdef(`distro_redhat',`
Index: refpolicy/policy/modules/services/ssh.te
===================================================================
--- refpolicy.orig/policy/modules/services/ssh.te
+++ refpolicy/policy/modules/services/ssh.te
@@ -244,6 +244,8 @@ optional_policy(`
 allow sshd_t self:netlink_route_socket r_netlink_socket_perms;
 allow sshd_t self:key { search link write };
 
+allow sshd_t self:capability net_admin;
+
 allow sshd_t sshd_keytab_t:file read_file_perms;
 
 manage_dirs_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t)
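Review bot: `allow sshd_t self:capability net_admin;` hands the network-facing sshd a capability that covers interface configuration, routing changes and privileged socket options, with no comment about the operation that triggered it. If sshd only probes for it (setting a socket priority or similar) and works without it, `dontaudit sshd_t self:capability net_admin;` is the established form; if the grant is really required, record why in a comment. The same pattern appears for local_login_t later in this patch.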
Index: refpolicy/policy/modules/contrib/gpg.te
===================================================================
--- refpolicy.orig/policy/modules/contrib/gpg.te
+++ refpolicy/policy/modules/contrib/gpg.te
@@ -219,6 +219,11 @@ manage_sock_files_pattern(gpg_agent_t, g
 manage_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
 manage_lnk_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
 
+xdm_sigchld(gpg_agent_t)
+dbus_system_bus_client(gpg_agent_t)
+auth_use_nsswitch(gpg_agent_t)
+xserver_read_user_xauth(gpg_agent_t)
+
 manage_dirs_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
 manage_files_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
 manage_sock_files_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
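Review bot: The four calls added to gpg_agent_t — `xdm_sigchld`, `dbus_system_bus_client`, `auth_use_nsswitch`, `xserver_read_user_xauth` — are unconditional although xdm_sigchld and xserver_read_user_xauth come from the xserver module and dbus_system_bus_client from dbus, which a contrib module should treat as optional (the rest of gpg.te is not in view, so check how it handles them elsewhere). Put the dbus call and the two xserver calls in optional_policy blocks; auth_use_nsswitch can stay as is. It would also help to say in a comment why a gpg agent needs to read the user's xauth file.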
Index: refpolicy/policy/modules/services/xserver.if
===================================================================
--- refpolicy.orig/policy/modules/services/xserver.if
+++ refpolicy/policy/modules/services/xserver.if
@@ -1364,3 +1364,21 @@ interface(`xserver_unconfined',`
 	typeattribute $1 x_domain;
 	typeattribute $1 xserver_unconfined_type;
 ')
+
+########################################
+## <summary>
+##	Allow domain to send sigchld to xdm_t
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xdm_sigchld',`
+	gen_require(`
+		type xdm_t;
+	')
+
+	allow $1 xdm_t:process sigchld;
+')
Index: refpolicy/policy/modules/system/userdomain.if
===================================================================
--- refpolicy.orig/policy/modules/system/userdomain.if
+++ refpolicy/policy/modules/system/userdomain.if
@@ -117,6 +117,10 @@ template(`userdom_base_user_template',`
 		# Allow making the stack executable via mprotect.
 		allow $1_t self:process execstack;
 	')
+
+	optional_policy(`
+		kerneloops_dbus_chat($1_t)
+	')
 ')
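Review bot: `kerneloops_dbus_chat($1_t)` is added to userdom_base_user_template, the foundation of every user domain including the restricted ones that otherwise get no D-Bus access; a dbus chat with kerneloops (messages in both directions, in the usual refpolicy pattern) belongs with the other D-Bus grants in a higher template, presumably the one that already calls dbus_system_bus_client for the user domain (outside this hunk). If the base template is intentional, a comment explaining what a non-desktop user domain exchanges with kerneloops would help.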
 
 #######################################
Index: refpolicy/policy/modules/system/selinuxutil.te
===================================================================
--- refpolicy.orig/policy/modules/system/selinuxutil.te
+++ refpolicy/policy/modules/system/selinuxutil.te
@@ -551,6 +551,7 @@ kernel_rw_unix_dgram_sockets(setfiles_t)
 kernel_dontaudit_list_all_proc(setfiles_t)
 kernel_dontaudit_list_all_sysctls(setfiles_t)
 
+dev_read_urand(setfiles_t)
 dev_relabel_all_dev_nodes(setfiles_t)
 # to handle when /dev/console needs to be relabeled
 dev_rw_generic_chr_files(setfiles_t)
Index: refpolicy/policy/modules/kernel/files.fc
===================================================================
--- refpolicy.orig/policy/modules/kernel/files.fc
+++ refpolicy/policy/modules/kernel/files.fc
@@ -256,6 +256,7 @@ ifndef(`distro_redhat',`
 /var/run		-l	gen_context(system_u:object_r:var_run_t,s0)
 /var/run/.*			gen_context(system_u:object_r:var_run_t,s0)
 /var/run/.*\.*pid		<<none>>
+/var/run/blkid(/.*)?		gen_context(system_u:object_r:etc_runtime_t,s0)
 
 /var/spool(/.*)?		gen_context(system_u:object_r:var_spool_t,s0)
 /var/spool/postfix/etc(/.*)?	gen_context(system_u:object_r:etc_t,s0)
Index: refpolicy/policy/modules/system/miscfiles.fc
===================================================================
--- refpolicy.orig/policy/modules/system/miscfiles.fc
+++ refpolicy/policy/modules/system/miscfiles.fc
@@ -12,7 +12,7 @@ ifdef(`distro_gentoo',`
 /etc/httpd/alias/[^/]*\.db(\.[^/]*)* -- gen_context(system_u:object_r:cert_t,s0)
 /etc/localtime		--	gen_context(system_u:object_r:locale_t,s0)
 /etc/pki(/.*)?			gen_context(system_u:object_r:cert_t,s0)
-/etc/ssl(/.*)?			gen_context(system_u:object_r:cert_t,s0)
+/etc/ssl/private(/.*)?			gen_context(system_u:object_r:cert_t,s0)
 /etc/timezone		--	gen_context(system_u:object_r:locale_t,s0)
 
 ifdef(`distro_debian',`
Index: refpolicy/policy/modules/contrib/dovecot.fc
===================================================================
--- refpolicy.orig/policy/modules/contrib/dovecot.fc
+++ refpolicy/policy/modules/contrib/dovecot.fc
@@ -19,6 +19,9 @@
 /usr/lib/dovecot/deliver	--	gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
 /usr/lib/dovecot/dovecot-auth	--	gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
 /usr/lib/dovecot/dovecot-lda	--	gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
+/usr/lib/dovecot/log	--	gen_context(system_u:object_r:dovecot_exec_t,s0)
+/usr/lib/dovecot/ssl-params	--	gen_context(system_u:object_r:dovecot_exec_t,s0)
+/usr/lib/dovecot/anvil	--	gen_context(system_u:object_r:dovecot_exec_t,s0)
 
 /usr/libexec/dovecot/auth	--	gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
 /usr/libexec/dovecot/deliver	--	gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
Index: refpolicy/policy/modules/system/locallogin.te
===================================================================
--- refpolicy.orig/policy/modules/system/locallogin.te
+++ refpolicy/policy/modules/system/locallogin.te
@@ -32,7 +32,7 @@ role system_r types sulogin_t;
 # Local login local policy
 #
 
-allow local_login_t self:capability { dac_override chown fowner fsetid kill setgid setuid sys_nice sys_resource sys_tty_config };
+allow local_login_t self:capability { dac_override chown fowner fsetid kill setgid setuid net_admin sys_nice sys_resource sys_tty_config };
 allow local_login_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow local_login_t self:process { setrlimit setexec };
 allow local_login_t self:fd use;
Index: refpolicy/policy/modules/contrib/alsa.fc
===================================================================
--- refpolicy.orig/policy/modules/contrib/alsa.fc
+++ refpolicy/policy/modules/contrib/alsa.fc
@@ -23,5 +23,7 @@ ifdef(`distro_debian',`
 /usr/share/alsa/alsa\.conf	gen_context(system_u:object_r:alsa_etc_rw_t,s0)
 /usr/share/alsa/pcm(/.*)?	gen_context(system_u:object_r:alsa_etc_rw_t,s0)
 
+/var/run/lock/asound.state.lock -- gen_context(system_u:object_r:alsa_lock_t,s0)
+
 /var/lib/alsa(/.*)?	gen_context(system_u:object_r:alsa_var_lib_t,s0)
 /lib/systemd/system/alsa.*\.service -- gen_context(system_u:object_r:alsa_unit_file_t,s0)
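Review bot: The new `/var/run/lock/asound.state.lock` entry leaves its dots unescaped, so as a regular expression it also matches names such as `asound_state-lock`; the rest of this file escapes literal dots (`alsa\.conf` two lines above). Write `/var/run/lock/asound\.state\.lock -- gen_context(system_u:object_r:alsa_lock_t,s0)`. Refpolicy generally specifies lock files under /var/lock and relies on path substitution for /run/lock, so check which form the target distribution's substitutions expect before settling on the /var/run/lock prefix.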
Index: refpolicy/policy/modules/system/sysnetwork.fc
===================================================================
--- refpolicy.orig/policy/modules/system/sysnetwork.fc
+++ refpolicy/policy/modules/system/sysnetwork.fc
@@ -41,6 +41,7 @@ ifdef(`distro_redhat',`
 /sbin/dhclient.*	--	gen_context(system_u:object_r:dhcpc_exec_t,s0)
 /sbin/dhcdbd		--	gen_context(system_u:object_r:dhcpc_exec_t,s0)
 /sbin/dhcpcd		--	gen_context(system_u:object_r:dhcpc_exec_t,s0)
+/usr/sbin/dhcp6c	--	gen_context(system_u:object_r:dhcpc_exec_t,s0)
 /sbin/ethtool		--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
 /sbin/ifconfig		--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
 /sbin/ip		--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
@@ -63,11 +64,13 @@ ifdef(`distro_redhat',`
 /var/lib/dhcp3?		-d	gen_context(system_u:object_r:dhcp_state_t,s0)
 /var/lib/dhcp3?/dhclient.*	gen_context(system_u:object_r:dhcpc_state_t,s0)
 /var/lib/dhcpcd(/.*)?		gen_context(system_u:object_r:dhcpc_state_t,s0)
+/var/lib/dhcpv6(/.*)?		gen_context(system_u:object_r:dhcpc_state_t,s0)
 /var/lib/dhclient(/.*)?		gen_context(system_u:object_r:dhcpc_state_t,s0)
 /var/lib/wifiroamd(/.*)?	gen_context(system_u:object_r:dhcpc_state_t,s0)
 
 /var/run/dhclient.*	--	gen_context(system_u:object_r:dhcpc_var_run_t,s0)
 /var/run/dhcpcd(/.*)?		gen_context(system_u:object_r:dhcpc_var_run_t,s0)
+/var/run/dhcp6c.pid	--	gen_context(system_u:object_r:dhcpc_var_run_t,s0)
 
 ifdef(`distro_gentoo',`
 /var/lib/dhcpc(/.*)?		gen_context(system_u:object_r:dhcpc_state_t,s0)
Index: refpolicy/policy/modules/system/getty.te
===================================================================
--- refpolicy.orig/policy/modules/system/getty.te
+++ refpolicy/policy/modules/system/getty.te
@@ -34,7 +34,7 @@ files_pid_file(getty_var_run_t)
 
 # Use capabilities.
 allow getty_t self:capability { dac_override chown setgid sys_resource sys_tty_config fowner fsetid };
-dontaudit getty_t self:capability sys_tty_config;
+dontaudit getty_t self:capability { sys_admin sys_tty_config };
 allow getty_t self:process { getpgid setpgid getsession signal_perms };
 allow getty_t self:fifo_file rw_fifo_file_perms;
 
Index: refpolicy/policy/modules/contrib/gnome.te
===================================================================
--- refpolicy.orig/policy/modules/contrib/gnome.te
+++ refpolicy/policy/modules/contrib/gnome.te
@@ -90,6 +90,12 @@ userdom_user_tmp_filetrans(gconfd_t, gco
 userdom_manage_user_tmp_dirs(gconfd_t)
 userdom_tmp_filetrans_user_tmp(gconfd_t, dir)
 
+# for /var/lib/gconf/defaults
+files_read_var_lib_files(gconfd_t)
+
+# for /proc/filesystems
+kernel_read_system_state(gconfd_t)
+
 optional_policy(`
 	dbus_all_session_domain(gconfd_t, gconfd_exec_t)
 
Index: refpolicy/policy/modules/system/mount.if
===================================================================
--- refpolicy.orig/policy/modules/system/mount.if
+++ refpolicy/policy/modules/system/mount.if
@@ -191,3 +191,21 @@ interface(`mount_read_loopback_files',`
 
 	allow $1 mount_loopback_t:file read_file_perms;
 ')
+
+########################################
+## <summary>
+##	Getattr on mount_var_run_t
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`stat_mount_var_run',`
+	gen_require(`
+		type mount_var_run_t;
+	')
+
+	allow $1 mount_var_run_t:file getattr;
+')
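Review bot: `stat_mount_var_run` grants only `getattr` on mount_var_run_t files, but reaching /run/mount/utab (the stated purpose of the caller in fstools.te) also needs search on the containing directory; if that directory is itself labelled mount_var_run_t the caller is still denied and the next audit entry will be a dir search denial. Using the pattern form, `getattr_files_pattern($1, mount_var_run_t, mount_var_run_t)`, adds the directory search together with the file getattr; the caller may additionally need search on the pid directory above it (`files_search_pids($1)`), which is worth confirming against the audit log.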
Index: refpolicy/policy/modules/contrib/dovecot.te
===================================================================
--- refpolicy.orig/policy/modules/contrib/dovecot.te
+++ refpolicy/policy/modules/contrib/dovecot.te
@@ -92,7 +92,7 @@ miscfiles_read_localization(dovecot_doma
 # Local policy
 #
 
-allow dovecot_t self:capability { dac_override dac_read_search chown fsetid kill setgid setuid sys_chroot };
+allow dovecot_t self:capability { dac_override dac_read_search chown fsetid kill setgid setuid sys_chroot sys_resource };
 dontaudit dovecot_t self:capability sys_tty_config;
 allow dovecot_t self:process { setrlimit signal_perms getcap setcap setsched };
 allow dovecot_t self:tcp_socket { accept listen };
@@ -133,6 +133,9 @@ allow dovecot_t dovecot_auth_t:process s
 
 domtrans_pattern(dovecot_t, dovecot_auth_exec_t, dovecot_auth_t)
 
+files_list_usr(dovecot_t)
+files_read_usr_files(dovecot_t)
+
 corenet_all_recvfrom_unlabeled(dovecot_t)
 corenet_all_recvfrom_netlabel(dovecot_t)
 corenet_tcp_sendrecv_generic_if(dovecot_t)
@@ -242,6 +245,7 @@ files_tmp_filetrans(dovecot_auth_t, dove
 
 allow dovecot_auth_t dovecot_var_run_t:dir list_dir_perms;
 manage_sock_files_pattern(dovecot_auth_t, dovecot_var_run_t, dovecot_var_run_t)
+allow dovecot_auth_t dovecot_var_run_t:file manage_file_perms;
 
 allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_perms };
 
Index: refpolicy/policy/modules/contrib/dkim.te
===================================================================
--- refpolicy.orig/policy/modules/contrib/dkim.te
+++ refpolicy/policy/modules/contrib/dkim.te
@@ -20,16 +20,20 @@ init_daemon_run_dir(dkim_milter_data_t,
 # Local policy
 #
 
-allow dkim_milter_t self:capability { setgid setuid };
+allow dkim_milter_t self:capability { dac_override setgid setuid };
 allow dkim_milter_t self:process signal;
 allow dkim_milter_t self:unix_stream_socket create_stream_socket_perms;
 
 read_files_pattern(dkim_milter_t, dkim_milter_private_key_t, dkim_milter_private_key_t)
 
 kernel_read_kernel_sysctls(dkim_milter_t)
+kernel_read_vm_sysctls(dkim_milter_t)
 
 dev_read_urand(dkim_milter_t)
 
 files_search_spool(dkim_milter_t)
 
 mta_read_config(dkim_milter_t)
+
+corenet_udp_bind_generic_node(dkim_milter_t)
+corenet_udp_bind_all_unreserved_ports(dkim_milter_t)
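Review bot: Two broad grants land in this hunk without a justification comment: `dac_override` at `allow dkim_milter_t self:capability { dac_override setgid setuid };` and `corenet_udp_bind_all_unreserved_ports(dkim_milter_t)` at the end. dac_override bypasses file permission checks for every file the domain can name; if the denial stems from a key or config file owned by another user, fixing ownership (or a dontaudit) is the smaller change, and if it is genuinely required a comment naming the file prevents it from being copied into other modules. If the UDP bind exists to let the milter perform DNS lookups, `sysnet_dns_name_resolve(dkim_milter_t)` is the conventional interface for DNS client access and states the intent better than a bind-anywhere rule; this is inferred from what a DKIM milter does, so check it against the audit log before switching.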
Index: refpolicy/policy/modules/contrib/perdition.fc
===================================================================
--- refpolicy.orig/policy/modules/contrib/perdition.fc
+++ refpolicy/policy/modules/contrib/perdition.fc
@@ -2,6 +2,6 @@
 
 /etc/perdition(/.*)?	gen_context(system_u:object_r:perdition_etc_t,s0)
 
-/usr/sbin/perdition	--	gen_context(system_u:object_r:perdition_exec_t,s0)
+/usr/sbin/perdition.*	--	gen_context(system_u:object_r:perdition_exec_t,s0)
 
 /var/run/perdition\.pid	--	gen_context(system_u:object_r:perdition_var_run_t,s0)
Index: refpolicy/policy/modules/contrib/nagios.te
===================================================================
--- refpolicy.orig/policy/modules/contrib/nagios.te
+++ refpolicy/policy/modules/contrib/nagios.te
@@ -214,12 +214,15 @@ optional_policy(`
 # Nrpe local policy
 #
 
-allow nrpe_t self:capability { setuid setgid };
+allow nrpe_t self:capability { dac_override setuid setgid };
 dontaudit nrpe_t self:capability { sys_tty_config sys_resource };
 allow nrpe_t self:process { setpgid signal_perms setsched setrlimit };
 allow nrpe_t self:fifo_file rw_fifo_file_perms;
 allow nrpe_t self:tcp_socket { accept listen };
 
+allow nrpe_t nagios_etc_t:dir list_dir_perms;
+allow nrpe_t nagios_etc_t:file read_file_perms;
+
 allow nrpe_t nagios_plugin_domain:process { signal sigkill };
 
 read_files_pattern(nrpe_t, nagios_etc_t, nrpe_etc_t)
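Review bot: `dac_override` is added to nrpe_t at `allow nrpe_t self:capability { dac_override setuid setgid };` without a comment; because nrpe runs plugins on behalf of remote checks, a capability that bypasses DAC on every file it can name deserves a stated reason, and a root-owned config file is usually better fixed by file mode or group than by this capability. The two new `nagios_etc_t` rules also overlap with the existing `read_files_pattern(nrpe_t, nagios_etc_t, nrpe_etc_t)` two lines below, which already grants directory search on nagios_etc_t, and they widen nrpe from reading only nrpe_etc_t files to reading every nagios config file. If that widening is intended, a comment such as `# nrpe reads the main nagios config for plugin definitions` would make it deliberate.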
Index: refpolicy/policy/modules/contrib/apache.te
===================================================================
--- refpolicy.orig/policy/modules/contrib/apache.te
+++ refpolicy/policy/modules/contrib/apache.te
@@ -285,6 +285,7 @@ role httpd_helper_roles types httpd_help
 
 type httpd_initrc_exec_t;
 init_script_file(httpd_initrc_exec_t)
+init_rw_inherited_script_tmp_files(httpd_t)
 
 type httpd_keytab_t;
 files_type(httpd_keytab_t)
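Review bot: `init_rw_inherited_script_tmp_files(httpd_t)` is inserted into the declarations block, between `init_script_file(httpd_initrc_exec_t)` and `type httpd_keytab_t;`, whereas refpolicy keeps access rules in the module's local policy section below the declarations; move it next to the other `init_*` calls for httpd_t. The interface itself is not defined in any hunk visible in this part of the patch (the related `rw_inherited_file_perms` permission set is added in obj_perm_sets.spt), so if it is not added elsewhere in the patch the module will fail to build. A short comment on why httpd needs an inherited init-script tmp file would also help, e.g. `# init script hands httpd an open tmp file` if that is the case.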
Index: refpolicy/policy/modules/contrib/dkim.if
===================================================================
--- refpolicy.orig/policy/modules/contrib/dkim.if
+++ refpolicy/policy/modules/contrib/dkim.if
@@ -37,3 +37,23 @@ interface(`dkim_admin',`
 	files_search_pids($1)
 	admin_pattern($1, dkim_milter_data_t)
 ')
+
+########################################
+## <summary>
+##	Allow a domain to talk to dkim via Unix domain socket
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dkim_stream_connect',`
+	gen_require(`
+		type dkim_milter_data_t, dkim_milter_t;
+	')
+
+	allow $1 dkim_milter_data_t:dir search_dir_perms;
+	allow postfix_cleanup_t dkim_milter_data_t:sock_file write;
+	allow postfix_cleanup_t dkim_milter_t:unix_stream_socket connectto;
+')
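Review bot: `dkim_stream_connect` is written to be parameterised on `$1`, but its last two rules hard-code `postfix_cleanup_t`, so any other caller receives only the directory search, and postfix_cleanup_t is used without appearing in the `gen_require` block, which breaks the interface when it is expanded in a module that does not declare it. Replace the three allows with the standard helper, `stream_connect_pattern($1, dkim_milter_data_t, dkim_milter_data_t, dkim_milter_t)`, which grants the directory search, sock_file write and connectto to the caller. The summary could also say that the socket lives under dkim_milter_data_t so callers know which type to search.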
Index: refpolicy/policy/support/obj_perm_sets.spt
===================================================================
--- refpolicy.orig/policy/support/obj_perm_sets.spt
+++ refpolicy/policy/support/obj_perm_sets.spt
@@ -159,6 +159,7 @@ define(`exec_file_perms',`{ getattr open
 define(`append_file_perms',`{ getattr open append lock ioctl }')
 define(`write_file_perms',`{ getattr open write append lock ioctl }')
 define(`rw_file_perms',`{ getattr open read write append ioctl lock }')
+define(`rw_inherited_file_perms',`{ getattr read write append ioctl lock }')
 define(`create_file_perms',`{ getattr create open }')
 define(`rename_file_perms',`{ getattr rename }')
 define(`delete_file_perms',`{ getattr unlink }')
Index: refpolicy/policy/modules/contrib/perdition.te
===================================================================
--- refpolicy.orig/policy/modules/contrib/perdition.te
+++ refpolicy/policy/modules/contrib/perdition.te
@@ -23,7 +23,7 @@ files_pid_file(perdition_var_run_t)
 # Local policy
 #
 
-allow perdition_t self:capability { setgid setuid };
+allow perdition_t self:capability { chown dac_override fowner setgid setuid };
 dontaudit perdition_t self:capability sys_tty_config;
 allow perdition_t self:process signal_perms;
 allow perdition_t self:tcp_socket { accept listen };
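Review bot: The capability set at `allow perdition_t self:capability { chown dac_override fowner setgid setuid };` grows by three capabilities with no comment. chown and fowner are consistent with a daemon that creates its pid directory as root and hands it to its service user (the later hunk in this file adds `manage_dir_perms` on perdition_var_run_t and a dir filetrans, which supports that reading, though the hunk does not prove it), but dac_override bypasses permission checks on every file and is more often a symptom of a mis-owned file than a real requirement. Please add a one-line reason per capability, e.g. `# chown/fowner: hand /var/run/perdition to the perdition user at startup`, and confirm dac_override is needed rather than dontaudited.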
@@ -33,7 +33,8 @@ allow perdition_t perdition_etc_t:file r
 allow perdition_t perdition_etc_t:lnk_file read_lnk_file_perms;
 
 manage_files_pattern(perdition_t, perdition_var_run_t, perdition_var_run_t)
-files_pid_filetrans(perdition_t, perdition_var_run_t, file)
+allow perdition_t perdition_var_run_t:dir manage_dir_perms;
+files_pid_filetrans(perdition_t, perdition_var_run_t, { file dir })
 
 kernel_read_kernel_sysctls(perdition_t)
 kernel_list_proc(perdition_t)
@@ -46,11 +47,18 @@ corenet_tcp_sendrecv_generic_node(perdit
 corenet_tcp_sendrecv_all_ports(perdition_t)
 corenet_tcp_bind_generic_node(perdition_t)
 
+corenet_tcp_connect_pop_port(perdition_t)
 corenet_sendrecv_pop_server_packets(perdition_t)
 corenet_tcp_bind_pop_port(perdition_t)
 corenet_tcp_sendrecv_pop_port(perdition_t)
 
+corenet_tcp_connect_sieve_port(perdition_t)
+corenet_sendrecv_sieve_server_packets(perdition_t)
+corenet_tcp_bind_sieve_port(perdition_t)
+corenet_tcp_sendrecv_sieve_port(perdition_t)
+
 dev_read_sysfs(perdition_t)
+dev_read_urand(perdition_t)
 
 domain_use_interactive_fds(perdition_t)
 
@@ -71,5 +79,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	mysql_tcp_connect(perdition_t)
+	mysql_stream_connect(perdition_t)
+')
+
+optional_policy(`
 	udev_read_db(perdition_t)
 ')
Index: refpolicy/policy/modules/kernel/corecommands.fc
===================================================================
--- refpolicy.orig/policy/modules/kernel/corecommands.fc
+++ refpolicy/policy/modules/kernel/corecommands.fc
@@ -196,6 +196,7 @@ ifdef(`distro_gentoo',`
 
 /usr/lib/avahi/avahi-daemon-check-dns\.sh	--	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/ccache/bin(/.*)?		gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/dovecot/.+			gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/fence(/.*)?			gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/pgsql/test/regress/.*\.sh --	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/qt.*/bin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
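Review bot: `/usr/lib/dovecot/.+` labels everything beneath the directory bin_t with no `--` file-type qualifier, and its pattern shape differs from the neighbouring `(/.*)?` entries, which also cover the directory itself. If /usr/lib/dovecot holds shared objects or plugins as well as helper executables (this depends on the distribution's packaging and is not visible here), labelling them bin_t rather than lib_t means domains that only have library-mapping access cannot load them. Either narrow the entry to the executables, e.g. with a `--` qualifier, or add a comment stating that the whole tree is intentionally bin_t.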
Index: refpolicy/policy/modules/contrib/courier.te
===================================================================
--- refpolicy.orig/policy/modules/contrib/courier.te
+++ refpolicy/policy/modules/contrib/courier.te
@@ -100,6 +100,7 @@ allow courier_authdaemon_t courier_tcpd_
 allow courier_authdaemon_t courier_tcpd_t:unix_stream_socket rw_stream_socket_perms;
 
 can_exec(courier_authdaemon_t, courier_exec_t)
+corecmd_exec_shell(courier_authdaemon_t)
 
 domtrans_pattern(courier_authdaemon_t, courier_pop_exec_t, courier_pop_t)
 
Index: refpolicy/policy/modules/contrib/milter.te
===================================================================
--- refpolicy.orig/policy/modules/contrib/milter.te
+++ refpolicy/policy/modules/contrib/milter.te
@@ -94,6 +94,7 @@ mta_read_config(regex_milter_t)
 #
 
 allow spamass_milter_t spamass_milter_state_t:dir search_dir_perms;
+allow spamass_milter_t self:process sigkill;
 
 kernel_read_system_state(spamass_milter_t)
 
@@ -106,3 +107,7 @@ mta_send_mail(spamass_milter_t)
 optional_policy(`
 	spamassassin_domtrans_client(spamass_milter_t)
 ')
+
+optional_policy(`
+	postfix_search_spool(spamass_milter_t)
+')
Index: refpolicy/policy/modules/contrib/procmail.fc
===================================================================
--- refpolicy.orig/policy/modules/contrib/procmail.fc
+++ refpolicy/policy/modules/contrib/procmail.fc
@@ -1,6 +1,7 @@
 HOME_DIR/\.procmailrc	--	gen_context(system_u:object_r:procmail_home_t,s0)
 
 /usr/bin/procmail	--	gen_context(system_u:object_r:procmail_exec_t,s0)
+/usr/bin/maildrop	--	gen_context(system_u:object_r:procmail_exec_t,s0)
 
 /var/log/procmail\.log.*	--	gen_context(system_u:object_r:procmail_log_t,s0)
 /var/log/procmail(/.*)?	gen_context(system_u:object_r:procmail_log_t,s0)
Index: refpolicy/policy/modules/contrib/courier.if
===================================================================
--- refpolicy.orig/policy/modules/contrib/courier.if
+++ refpolicy/policy/modules/contrib/courier.if
@@ -65,11 +65,11 @@ interface(`courier_domtrans_authdaemon',
 #
 interface(`courier_stream_connect_authdaemon',`
 	gen_require(`
-		type courier_authdaemon_t, courier_spool_t;
+		type courier_authdaemon_t, courier_var_run_t;
 	')
 
 	files_search_spool($1)
-	stream_connect_pattern($1, courier_spool_t, courier_spool_t, courier_authdaemon_t)
+	stream_connect_pattern($1, courier_var_run_t, courier_var_run_t, courier_authdaemon_t)
 ')
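Review bot: `courier_stream_connect_authdaemon` now connects through `courier_var_run_t`, but the preceding `files_search_spool($1)` still grants traversal of /var/spool only; a socket under /var/run needs `files_search_pids($1)`, otherwise a caller without its own pid-directory search is denied at the path lookup before the sock_file rule applies. Keep the spool search only if some installations still place the socket under /var/spool, and say so in a comment.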
 
 ########################################
Index: refpolicy/policy/modules/contrib/procmail.te
===================================================================
--- refpolicy.orig/policy/modules/contrib/procmail.te
+++ refpolicy/policy/modules/contrib/procmail.te
@@ -145,3 +145,8 @@ optional_policy(`
 	spamassassin_domtrans_client(procmail_t)
 	spamassassin_read_lib_files(procmail_t)
 ')
+
+optional_policy(`
+	courier_read_config(procmail_t)
+	courier_stream_connect_authdaemon(procmail_t)
+')
Index: refpolicy/policy/modules/contrib/spamassassin.te
===================================================================
--- refpolicy.orig/policy/modules/contrib/spamassassin.te
+++ refpolicy/policy/modules/contrib/spamassassin.te
@@ -46,6 +46,7 @@ type spamc_exec_t;
 typealias spamc_t alias { user_spamc_t staff_spamc_t sysadm_spamc_t };
 typealias spamc_t alias { auditadm_spamc_t secadm_spamc_t };
 userdom_user_application_domain(spamc_t, spamc_exec_t)
+role system_r types spamc_t;
 
 type spamc_tmp_t;
 typealias spamc_tmp_t alias { user_spamc_tmp_t staff_spamc_tmp_t sysadm_spamc_tmp_t };
Index: refpolicy/policy/modules/contrib/mta.te
===================================================================
--- refpolicy.orig/policy/modules/contrib/mta.te
+++ refpolicy/policy/modules/contrib/mta.te
@@ -203,6 +203,10 @@ init_use_script_ptys(system_mail_t)
 userdom_use_user_terminals(system_mail_t)
 
 optional_policy(`
+	permit_in_unconfined_r(system_mail_t)
+')
+
+optional_policy(`
 	apache_read_squirrelmail_data(system_mail_t)
 	apache_append_squirrelmail_data(system_mail_t)
 	apache_dontaudit_append_log(system_mail_t)
Index: refpolicy/policy/modules/contrib/apache.if
===================================================================
--- refpolicy.orig/policy/modules/contrib/apache.if
+++ refpolicy/policy/modules/contrib/apache.if
@@ -1346,3 +1346,22 @@ interface(`apache_admin',`
 	apache_run_all_scripts($1, $2)
 	apache_run_helper($1, $2)
 ')
+
+########################################
+## <summary>
+##	Unlink httpd_var_lib_t files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain that can unlink the files
+##	</summary>
+## </param>
+#
+interface(`apache_unlink_var_lib',`
+	gen_require(`
+		type httpd_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	allow $1 httpd_var_lib_t:file unlink;
+')
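Review bot: `apache_unlink_var_lib` grants `allow $1 httpd_var_lib_t:file unlink;` but unlinking also requires `remove_name` and `write` on the parent directory, and the interface grants nothing on `httpd_var_lib_t:dir`, so a caller relying on this interface alone is still denied unless the parent has another type. Use the standard pattern, `delete_files_pattern($1, httpd_var_lib_t, httpd_var_lib_t)`, which grants the directory permissions together with the file deletion permissions. Naming it after the object class per convention, e.g. `apache_delete_var_lib_files`, would also match the rest of apache.if.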
Index: refpolicy/policy/modules/system/unconfined.if
===================================================================
--- refpolicy.orig/policy/modules/system/unconfined.if
+++ refpolicy/policy/modules/system/unconfined.if
@@ -318,6 +318,23 @@ interface(`unconfined_run_to',`
 
 ########################################
 ## <summary>
+##	Allow the specified domain to be in the unconfined role
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to permit in unconfined_r
+##	</summary>
+## </param>
+#
+interface(`permit_in_unconfined_r',`
+	gen_require(`
+		role unconfined_r;
+	')
+	role unconfined_r types $1;
+')
+
+########################################
+## <summary>
 ##	Inherit file descriptors from the unconfined domain.
 ## </summary>
 ## <param name="domain">
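Review bot: `permit_in_unconfined_r` lacks the `unconfined_` module prefix every other interface in this file carries, so it will not be found where policy authors look for it and violates the refpolicy naming rule; rename it e.g. `unconfined_role_types`. Putting a domain into unconfined_r makes that domain reachable from the unconfined role (the mta.te hunk in this patch uses it for system_mail_t), so the summary should state when a module is expected to need this rather than the generic "Allow the specified domain to be in the unconfined role". Refpolicy style also separates the closing `')` of gen_require from the first rule with a blank line.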
Index: refpolicy/policy/modules/contrib/xen.fc
===================================================================
--- refpolicy.orig/policy/modules/contrib/xen.fc
+++ refpolicy/policy/modules/contrib/xen.fc
@@ -14,7 +14,7 @@
 /usr/sbin/xenstored	--	gen_context(system_u:object_r:xenstored_exec_t,s0)
 /usr/sbin/xl	--	gen_context(system_u:object_r:xm_exec_t,s0)
 /usr/sbin/xm	--	gen_context(system_u:object_r:xm_exec_t,s0)
-
+/usr/lib/xen-.*/xl --	gen_context(system_u:object_r:xm_exec_t,s0)
 /var/lib/xen(/.*)?	gen_context(system_u:object_r:xend_var_lib_t,s0)
 /var/lib/xen/images(/.*)?	gen_context(system_u:object_r:xen_image_t,s0)
 /var/lib/xend(/.*)?	gen_context(system_u:object_r:xend_var_lib_t,s0)
Index: refpolicy/policy/modules/contrib/apache.fc
===================================================================
--- refpolicy.orig/policy/modules/contrib/apache.fc
+++ refpolicy/policy/modules/contrib/apache.fc
@@ -106,6 +106,7 @@ ifdef(`distro_suse',`
 /var/lib/cherokee(/.*)?	gen_context(system_u:object_r:httpd_var_lib_t,s0)
 /var/lib/dav(/.*)?	gen_context(system_u:object_r:httpd_var_lib_t,s0)
 /var/lib/php(/.*)?	gen_context(system_u:object_r:httpd_var_lib_t,s0)
+/var/lib/php5(/.*)?	gen_context(system_u:object_r:httpd_var_lib_t,s0)
 /var/lib/dokuwiki(/.*)?	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
 /var/lib/drupal.*	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
 /var/lib/glpi(/.*)?	gen_context(system_u:object_r:httpd_var_lib_t,s0)
