centos-7.0-vs-7.1.diff

diff -ru centos-7.0.1406/usr/share/selinux/devel/include/admin/bootloader.if centos-7.1.1503/usr/share/selinux/devel/include/admin/bootloader.if
--- centos-7.0.1406/usr/share/selinux/devel/include/admin/bootloader.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/admin/bootloader.if	2015-03-06 06:53:47.000000000 +0100
@@ -57,20 +57,12 @@
 interface(`bootloader_run',`
 	gen_require(`
 		type bootloader_t;
-		#attribute_role bootloader_roles;
+		attribute_role bootloader_roles;
 	')
 
-	#bootloader_domtrans($1)
-	#roleattribute $2 bootloader_roles;
-
 	bootloader_domtrans($1)
+	roleattribute $2 bootloader_roles;
 
-        role $2 types bootloader_t;
-
-        ifdef(`distro_redhat',`
-                # for mke2fs
-		mount_run(bootloader_t, $2)
-	')
 ')
 
 ########################################
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/admin/su.if centos-7.1.1503/usr/share/selinux/devel/include/admin/su.if
--- centos-7.0.1406/usr/share/selinux/devel/include/admin/su.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/admin/su.if	2015-03-06 06:53:47.000000000 +0100
@@ -58,6 +58,7 @@
 	allow $2 $1_su_t:fifo_file rw_file_perms;
 	allow $2 $1_su_t:process sigchld;
 
+    kernel_getattr_core_if($1_su_t)
 	kernel_read_system_state($1_su_t)
 	kernel_read_kernel_sysctls($1_su_t)
 	kernel_search_key($1_su_t)
@@ -86,6 +87,7 @@
 	# Write to utmp.
 	init_rw_utmp($1_su_t)
 	init_search_script_keys($1_su_t)
+    init_getattr_initctl($1_su_t)
 
 	logging_send_syslog_msg($1_su_t)
 
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/admin/usermanage.if centos-7.1.1503/usr/share/selinux/devel/include/admin/usermanage.if
--- centos-7.0.1406/usr/share/selinux/devel/include/admin/usermanage.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/admin/usermanage.if	2015-03-06 06:53:47.000000000 +0100
@@ -37,16 +37,12 @@
 #
 interface(`usermanage_run_chfn',`
 	gen_require(`
-		#attribute_role chfn_roles;
+		attribute_role chfn_roles;
 		type chfn_t;
 	')
 
-	#usermanage_domtrans_chfn($1)
-	#roleattribute $2 chfn_roles;
-
 	usermanage_domtrans_chfn($1)
-        role $2 types chfn_t;
-
+	roleattribute $2 chfn_roles;
 ')
 
 ########################################
@@ -107,18 +103,11 @@
 interface(`usermanage_run_groupadd',`
 	gen_require(`
 		type groupadd_t;
-		#attribute_role groupadd_roles;
+		attribute_role groupadd_roles;
 	')
 
-	#usermanage_domtrans_groupadd($1)
-	#roleattribute $2 groupadd_roles;
 	usermanage_domtrans_groupadd($1)
-        role $2 types groupadd_t;
-
-        optional_policy(`
-                nscd_run(groupadd_t, $2)
-        ')
-
+	roleattribute $2 groupadd_roles;
 ')
 
 ########################################
@@ -195,15 +184,11 @@
 interface(`usermanage_run_passwd',`
 	gen_require(`
 		type passwd_t;
-		#attribute_role passwd_roles;
+		attribute_role passwd_roles;
 	')
 
-	#usermanage_domtrans_passwd($1)
-	#roleattribute $2 passwd_roles;
-
 	usermanage_domtrans_passwd($1)
-        role $2 types passwd_t;
-        auth_run_chk_passwd(passwd_t, $2)
+	roleattribute $2 passwd_roles;
 ')
 
 ########################################
@@ -266,19 +251,11 @@
 interface(`usermanage_run_admin_passwd',`
 	gen_require(`
 		type sysadm_passwd_t;
-		#attribute_role sysadm_passwd_roles;
+		attribute_role sysadm_passwd_roles;
 	')
 
-	#usermanage_domtrans_admin_passwd($1)
-	#roleattribute $2 sysadm_passwd_roles;
-
 	usermanage_domtrans_admin_passwd($1)
-        role $2 types sysadm_passwd_t;
-
-        optional_policy(`
-                nscd_run(sysadm_passwd_t, $2)
-        ')
-
+	roleattribute $2 sysadm_passwd_roles;
 ')
 
 ########################################
@@ -355,19 +332,12 @@
 #
 interface(`usermanage_run_useradd',`
 	gen_require(`
-		#attribute_role useradd_roles;
+		attribute_role useradd_roles;
 		type useradd_t;
 	')
 
-	#usermanage_domtrans_useradd($1)
-	#roleattribute $2 useradd_roles;
-
 	usermanage_domtrans_useradd($1)
-    role $2 types useradd_t;
-
-    optional_policy(`
-         nscd_run(useradd_t, $2)
-    ')
+	roleattribute $2 useradd_roles;
 ')
 
 ########################################
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/contrib/abrt.if centos-7.1.1503/usr/share/selinux/devel/include/contrib/abrt.if
--- centos-7.0.1406/usr/share/selinux/devel/include/contrib/abrt.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/contrib/abrt.if	2015-03-06 06:53:47.000000000 +0100
@@ -62,24 +62,6 @@
 
 ########################################
 ## <summary>
-##	Send a signal to abrt.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`abrt_signal',`
-	gen_require(`
-		type abrt_t;
-	')
-
-	allow $1 abrt_t:process signal;
-')
-
-########################################
-## <summary>
 ##	Send a null signal to abrt.
 ## </summary>
 ## <param name="domain">
@@ -192,11 +174,11 @@
 #
 interface(`abrt_run_helper',`
 	gen_require(`
-		type abrt_helper_t;
+		attribute_role abrt_helper_roles;
 	')
 
 	abrt_domtrans_helper($1)
-	role $2 types abrt_helper_t;
+	roleattribute $2 abrt_helper_roles;
 ')
 
 ########################################
@@ -407,6 +389,7 @@
 	')
 
 	systemd_exec_systemctl($1)
+	init_reload_services($1)
 	allow $1 abrt_unit_file_t:file manage_file_perms;
 	allow $1 abrt_unit_file_t:service manage_service_perms;
 
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/contrib/accountsd.if centos-7.1.1503/usr/share/selinux/devel/include/contrib/accountsd.if
--- centos-7.0.1406/usr/share/selinux/devel/include/contrib/accountsd.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/contrib/accountsd.if	2015-03-06 06:53:47.000000000 +0100
@@ -137,6 +137,7 @@
 	')
 
 	systemd_exec_systemctl($1)
+	init_reload_services($1)
 	allow $1 accountsd_unit_file_t:file read_file_perms;
 	allow $1 accountsd_unit_file_t:service manage_service_perms;
 
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/contrib/alsa.if centos-7.1.1503/usr/share/selinux/devel/include/contrib/alsa.if
--- centos-7.0.1406/usr/share/selinux/devel/include/contrib/alsa.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/contrib/alsa.if	2015-03-06 06:53:47.000000000 +0100
@@ -288,8 +288,28 @@
 	')
 
 	systemd_exec_systemctl($1)
+	init_reload_services($1)
 	allow $1 alsa_unit_file_t:file read_file_perms;
 	allow $1 alsa_unit_file_t:service manage_service_perms;
 
 	ps_process_pattern($1, alsa_t)
 ')
+
+#########################################
+## <summary>
+##	Write Alsa lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`alsa_write_lib',`
+	gen_require(`
+		type alsa_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	write_files_pattern($1, alsa_var_lib_t, alsa_var_lib_t)
+')
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/contrib/anaconda.if centos-7.1.1503/usr/share/selinux/devel/include/contrib/anaconda.if
--- centos-7.0.1406/usr/share/selinux/devel/include/contrib/anaconda.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/contrib/anaconda.if	2015-03-06 06:53:47.000000000 +0100
@@ -52,3 +52,81 @@
 	')
 ')
 
+########################################
+## <summary>
+##	Execute preupgrade in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`anaconda_exec_preupgrade',`
+	gen_require(`
+		type preupgrade_exec_t;
+	')
+
+	corecmd_search_bin($1)
+    can_exec($1, preupgrade_exec_t)
+')
+
+########################################
+## <summary>
+##	Execute a domain transition to run preupgrade.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`anaconda_domtrans_preupgrade',`
+	gen_require(`
+		type preupgrade_t, preupgrade_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, preupgrade_exec_t, preupgrade_t)
+')
+
+########################################
+## <summary>
+##	Read preupgrade lib files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`anaconda_read_lib_files_preupgrade',`
+	gen_require(`
+		type preupgrade_data_t;
+	')
+
+	read_files_pattern($1, preupgrade_data_t, preupgrade_data_t)
+	read_lnk_files_pattern($1, preupgrade_data_t, preupgrade_data_t)
+	files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+##	Manage preupgrade lib files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`anaconda_manage_lib_files_preupgrade',`
+	gen_require(`
+		type preupgrade_data_t;
+	')
+
+	manage_dirs_pattern($1, preupgrade_data_t, preupgrade_data_t)
+	manage_files_pattern($1, preupgrade_data_t, preupgrade_data_t)
+	manage_lnk_files_pattern($1, preupgrade_data_t, preupgrade_data_t)
+	files_search_var_lib($1)
+')
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/contrib/antivirus.if centos-7.1.1503/usr/share/selinux/devel/include/contrib/antivirus.if
--- centos-7.0.1406/usr/share/selinux/devel/include/contrib/antivirus.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/contrib/antivirus.if	2015-03-06 06:53:47.000000000 +0100
@@ -17,6 +17,8 @@
         ')
 
         typeattribute $1 antivirus_domain;
+
+        kernel_read_system_state($1)
 ')
 
 #######################################
@@ -252,6 +254,7 @@
         ')
 
         systemd_exec_systemctl($1)
+	init_reload_services($1)
         systemd_read_fifo_file_passwd_run($1)
         allow $1 antivirus_unit_file_t:file read_file_perms;
         allow $1 antivirus_unit_file_t:service manage_service_perms;
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/contrib/apache.if centos-7.1.1503/usr/share/selinux/devel/include/contrib/apache.if
--- centos-7.0.1406/usr/share/selinux/devel/include/contrib/apache.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/contrib/apache.if	2015-03-06 06:53:47.000000000 +0100
@@ -14,99 +14,124 @@
 template(`apache_content_template',`
 	gen_require(`
 		attribute httpd_exec_scripts, httpd_script_exec_type;
-		type httpd_t, httpd_suexec_t, httpd_log_t;
-		type httpd_sys_content_t;
+		type httpd_t, httpd_suexec_t;
 		attribute httpd_script_type, httpd_content_type;
 	')
 
 	#This type is for webpages
-	type httpd_$1_content_t; # customizable;
-	typeattribute httpd_$1_content_t httpd_content_type;
-	typealias httpd_$1_content_t alias httpd_$1_script_ro_t;
-	files_type(httpd_$1_content_t)
+	type $1_content_t; # customizable;
+	typeattribute $1_content_t httpd_content_type;
+	typealias $1_content_t alias httpd_$1_script_ro_t;
+	files_type($1_content_t)
 
 	# This type is used for .htaccess files
-	type httpd_$1_htaccess_t, httpd_content_type; # customizable;
-	typeattribute httpd_$1_htaccess_t httpd_content_type;
-	files_type(httpd_$1_htaccess_t)
+	type $1_htaccess_t, httpd_content_type; # customizable;
+	typeattribute $1_htaccess_t httpd_content_type;
+	files_type($1_htaccess_t)
 
 	# Type that CGI scripts run as
-	type httpd_$1_script_t,	httpd_script_type;
-	domain_type(httpd_$1_script_t)
-	role system_r types httpd_$1_script_t;
+	type $1_script_t,	httpd_script_type;
+	domain_type($1_script_t)
+	role system_r types $1_script_t;
 
-	kernel_read_system_state(httpd_$1_script_t)
+	kernel_read_system_state($1_script_t)
 
 	# This type is used for executable scripts files
-	type httpd_$1_script_exec_t, httpd_script_exec_type; # customizable;
-	typeattribute httpd_$1_script_exec_t httpd_content_type;
-	domain_entry_file(httpd_$1_script_t, httpd_$1_script_exec_t)
-
-	type httpd_$1_rw_content_t; # customizable
-	typeattribute httpd_$1_rw_content_t httpd_content_type;
-	typealias httpd_$1_rw_content_t alias { httpd_$1_script_rw_t httpd_$1_content_rw_t };
-	files_type(httpd_$1_rw_content_t)
-
-	type httpd_$1_ra_content_t, httpd_content_type; # customizable
-	typeattribute httpd_$1_ra_content_t httpd_content_type;
-	typealias httpd_$1_ra_content_t alias { httpd_$1_script_ra_t httpd_$1_content_ra_t };
-	files_type(httpd_$1_ra_content_t)
+	type $1_script_exec_t, httpd_script_exec_type; # customizable;
+	typeattribute $1_script_exec_t httpd_content_type;
+	domain_entry_file($1_script_t, $1_script_exec_t)
+
+	type $1_rw_content_t; # customizable
+	typeattribute $1_rw_content_t httpd_content_type;
+	typealias $1_rw_content_t alias { $1_script_rw_t $1_content_rw_t };
+	files_type($1_rw_content_t)
+
+	type $1_ra_content_t, httpd_content_type; # customizable
+	typeattribute $1_ra_content_t httpd_content_type;
+	typealias $1_ra_content_t alias { $1_script_ra_t $1_content_ra_t };
+	files_type($1_ra_content_t)
 
 	# Allow the script process to search the cgi directory, and users directory
-	allow httpd_$1_script_t httpd_$1_content_t:dir search_dir_perms;
+	allow $1_script_t $1_content_t:dir search_dir_perms;
 
-	can_exec(httpd_$1_script_t, httpd_$1_script_exec_t)
-	allow httpd_$1_script_t httpd_$1_script_exec_t:dir list_dir_perms;
+	can_exec($1_script_t, $1_script_exec_t)
+	allow $1_script_t $1_script_exec_t:dir list_dir_perms;
+	allow $1_script_t $1_ra_content_t:dir { list_dir_perms add_entry_dir_perms };
+	read_files_pattern($1_script_t, $1_ra_content_t, $1_ra_content_t)
+	append_files_pattern($1_script_t, $1_ra_content_t, $1_ra_content_t)
+	create_files_pattern($1_script_t, $1_ra_content_t, $1_ra_content_t)
+	read_lnk_files_pattern($1_script_t, $1_ra_content_t, $1_ra_content_t)
+
+	allow $1_script_t $1_content_t:dir list_dir_perms;
+	read_files_pattern($1_script_t, $1_content_t, $1_content_t)
+	read_lnk_files_pattern($1_script_t, $1_content_t, $1_content_t)
+
+	manage_dirs_pattern($1_script_t, $1_rw_content_t, $1_rw_content_t)
+	manage_files_pattern($1_script_t, $1_rw_content_t, $1_rw_content_t)
+	manage_lnk_files_pattern($1_script_t, $1_rw_content_t, $1_rw_content_t)
+	manage_fifo_files_pattern($1_script_t, $1_rw_content_t, $1_rw_content_t)
+	manage_sock_files_pattern($1_script_t, $1_rw_content_t, $1_rw_content_t)
 
-	allow httpd_$1_script_t httpd_$1_ra_content_t:dir { list_dir_perms add_entry_dir_perms };
-	read_files_pattern(httpd_$1_script_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
-	append_files_pattern(httpd_$1_script_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
-	create_files_pattern(httpd_$1_script_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
-	read_lnk_files_pattern(httpd_$1_script_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
-
-	allow httpd_$1_script_t httpd_$1_content_t:dir list_dir_perms;
-	read_files_pattern(httpd_$1_script_t, httpd_$1_content_t, httpd_$1_content_t)
-	read_lnk_files_pattern(httpd_$1_script_t, httpd_$1_content_t, httpd_$1_content_t)
-
-	manage_dirs_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
-	manage_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
-	manage_lnk_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
-	manage_fifo_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
-	manage_sock_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
+	allow $1_script_t httpd_t:unix_stream_socket { ioctl accept getattr read write };
 
 	# Allow the web server to run scripts and serve pages
 	tunable_policy(`httpd_builtin_scripting',`
-		manage_dirs_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
-		manage_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
-		manage_lnk_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
-		rw_sock_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
-
-		allow httpd_t httpd_$1_ra_content_t:dir { add_entry_dir_perms };
-		read_files_pattern(httpd_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
-		append_files_pattern(httpd_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
-		create_files_pattern(httpd_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
-		read_lnk_files_pattern(httpd_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
+		manage_dirs_pattern(httpd_t, $1_rw_content_t, $1_rw_content_t)
+		manage_files_pattern(httpd_t, $1_rw_content_t, $1_rw_content_t)
+		manage_lnk_files_pattern(httpd_t, $1_rw_content_t, $1_rw_content_t)
+		rw_sock_files_pattern(httpd_t, $1_rw_content_t, $1_rw_content_t)
+
+		allow httpd_t $1_ra_content_t:dir { add_entry_dir_perms };
+		read_files_pattern(httpd_t, $1_ra_content_t, $1_ra_content_t)
+		append_files_pattern(httpd_t, $1_ra_content_t, $1_ra_content_t)
+		create_files_pattern(httpd_t, $1_ra_content_t, $1_ra_content_t)
+		read_lnk_files_pattern(httpd_t, $1_ra_content_t, $1_ra_content_t)
 
 	')
 
 	tunable_policy(`httpd_enable_cgi',`
-		allow httpd_$1_script_t httpd_$1_script_exec_t:file entrypoint;
+		allow $1_script_t $1_script_exec_t:file entrypoint;
 
-		domtrans_pattern(httpd_suexec_t, httpd_$1_script_exec_t, httpd_$1_script_t)
+		domtrans_pattern(httpd_suexec_t, $1_script_exec_t, $1_script_t)
 
 		# privileged users run the script:
-		domtrans_pattern(httpd_exec_scripts, httpd_$1_script_exec_t, httpd_$1_script_t)
+		domtrans_pattern(httpd_exec_scripts, $1_script_exec_t, $1_script_t)
 
-		allow httpd_exec_scripts httpd_$1_script_exec_t:file read_file_perms;
+		allow httpd_exec_scripts $1_script_exec_t:file read_file_perms;
 
 		# apache runs the script:
-		domtrans_pattern(httpd_t, httpd_$1_script_exec_t, httpd_$1_script_t)
-		allow httpd_t httpd_$1_script_t:unix_dgram_socket sendto;
+		domtrans_pattern(httpd_t, $1_script_exec_t, $1_script_t)
+		allow httpd_t $1_script_t:unix_dgram_socket sendto;
 	')
 ')
 
 ########################################
 ## <summary>
+##	Create a set of derived types for apache
+##	web content.
+## </summary>
+## <param name="prefix">
+##	<summary>
+##	The prefix to be used for deriving new type names.
+##	</summary>
+## </param>
+## <param name="oldprefix">
+##	<summary>
+##	The prefix to be used for deriving old type names.
+##	</summary>
+## </param>
+#
+template(`apache_content_alias_template',`
+	typealias $1_htaccess_t alias httpd_$2_htaccess_t;
+	typealias $1_script_t alias httpd_$2_script_t;
+	typealias $1_script_exec_t alias httpd_$2_script_exec_t;
+	typealias $1_content_t alias httpd_$2_content_t;
+	typealias $1_rw_content_t alias httpd_$2_script_rw_content_t;
+	typealias $1_ra_content_t alias httpd_$2_script_ra_content_t;
+')
+
+########################################
+## <summary>
 ##	Role access for apache
 ## </summary>
 ## <param name="role">
@@ -369,6 +394,25 @@
 
 ########################################
 ## <summary>
+##	Allow attempts to read and write Apache
+##	unix domain stream sockets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`apache_rw_stream_sockets',`
+	gen_require(`
+		type httpd_t;
+	')
+
+	allow $1 httpd_t:unix_stream_socket { getattr read write };
+')
+
+########################################
+## <summary>
 ##	Do not audit attempts to read and write Apache
 ##	unix domain stream sockets.
 ## </summary>
@@ -383,7 +427,7 @@
 		type httpd_t;
 	')
 
-	dontaudit $1 httpd_t:unix_stream_socket { read write };
+	dontaudit $1 httpd_t:unix_stream_socket { getattr read write };
 ')
 
 ########################################
@@ -1097,7 +1141,7 @@
 		type httpd_sys_script_t;
 	')
 
-	dontaudit $1 httpd_sys_script_t:unix_stream_socket { read write };
+	dontaudit $1 httpd_sys_script_t:unix_stream_socket { getattr read write };
 ')
 
 ########################################
@@ -1394,6 +1438,7 @@
 	')
 
 	systemd_exec_systemctl($1)
+	init_reload_services($1)
 	allow $1 httpd_unit_file_t:file read_file_perms;
 	allow $1 httpd_unit_file_t:service manage_service_perms;
 
@@ -1491,7 +1536,7 @@
 	dontaudit $1 httpd_t:fifo_file rw_inherited_fifo_file_perms;
 	dontaudit $1 httpd_t:tcp_socket { read write };
 	dontaudit $1 httpd_t:unix_dgram_socket { read write };
-	dontaudit $1 httpd_t:unix_stream_socket { read write };
+	dontaudit $1 httpd_t:unix_stream_socket { getattr read write };
 	dontaudit $1 httpd_tmp_t:file { read write };
 ')
 
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/contrib/apcupsd.if centos-7.1.1503/usr/share/selinux/devel/include/contrib/apcupsd.if
--- centos-7.0.1406/usr/share/selinux/devel/include/contrib/apcupsd.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/contrib/apcupsd.if	2015-03-06 06:53:47.000000000 +0100
@@ -102,7 +102,7 @@
 ########################################
 ## <summary>
 ##	Execute a domain transition to
-##	run httpd_apcupsd_cgi_script.
+##	run apcupsd_cgi_script.
 ## </summary>
 ## <param name="domain">
 ## <summary>
@@ -112,11 +112,11 @@
 #
 interface(`apcupsd_cgi_script_domtrans',`
 	gen_require(`
-		type httpd_apcupsd_cgi_script_t, httpd_apcupsd_cgi_script_exec_t;
+		type apcupsd_cgi_script_t, apcupsd_cgi_script_exec_t;
 	')
 
 	files_search_var($1)
-	domtrans_pattern($1, httpd_apcupsd_cgi_script_exec_t, httpd_apcupsd_cgi_script_t)
+	domtrans_pattern($1, apcupsd_cgi_script_exec_t, apcupsd_cgi_script_t)
 
 	optional_policy(`
 		apache_search_sys_content($1)
@@ -140,6 +140,7 @@
 	')
 
 	systemd_exec_systemctl($1)
+	init_reload_services($1)
 	allow $1 apcupsd_unit_file_t:file read_file_perms;
 	allow $1 apcupsd_unit_file_t:service manage_service_perms;
 
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/contrib/apm.if centos-7.1.1503/usr/share/selinux/devel/include/contrib/apm.if
--- centos-7.0.1406/usr/share/selinux/devel/include/contrib/apm.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/contrib/apm.if	2015-03-06 06:53:47.000000000 +0100
@@ -156,6 +156,7 @@
 	')
 
 	systemd_exec_systemctl($1)
+	init_reload_services($1)
 	allow $1 apmd_unit_file_t:file read_file_perms;
 	allow $1 apmd_unit_file_t:service manage_service_perms;
 
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/contrib/apt.if centos-7.1.1503/usr/share/selinux/devel/include/contrib/apt.if
--- centos-7.0.1406/usr/share/selinux/devel/include/contrib/apt.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/contrib/apt.if	2015-03-06 06:53:47.000000000 +0100
@@ -21,6 +21,25 @@
 
 ########################################
 ## <summary>
+##	Execute the apt in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`apt_exec',`
+	gen_require(`
+		type apt_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	can_exec($1, apt_exec_t)
+')
+
+########################################
+## <summary>
 ##	Execute apt programs in the apt domain.
 ## </summary>
 ## <param name="domain">
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/contrib/arpwatch.if centos-7.1.1503/usr/share/selinux/devel/include/contrib/arpwatch.if
--- centos-7.0.1406/usr/share/selinux/devel/include/contrib/arpwatch.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/contrib/arpwatch.if	2015-03-06 06:53:47.000000000 +0100
@@ -134,6 +134,7 @@
 	')
 
 	systemd_exec_systemctl($1)
+	init_reload_services($1)
 	allow $1 arpwatch_unit_file_t:file read_file_perms;
 	allow $1 arpwatch_unit_file_t:service manage_service_perms;
 
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/contrib/asterisk.if centos-7.1.1503/usr/share/selinux/devel/include/contrib/asterisk.if
--- centos-7.0.1406/usr/share/selinux/devel/include/contrib/asterisk.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/contrib/asterisk.if	2015-03-06 06:53:47.000000000 +0100
@@ -136,6 +136,8 @@
 	role_transition $2 asterisk_initrc_exec_t system_r;
 	allow $2 system_r;
 
+	asterisk_exec($1)
+
 	files_list_tmp($1)
 	admin_pattern($1, asterisk_tmp_t)
 
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/contrib/automount.if centos-7.1.1503/usr/share/selinux/devel/include/contrib/automount.if
--- centos-7.0.1406/usr/share/selinux/devel/include/contrib/automount.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/contrib/automount.if	2015-03-06 06:53:47.000000000 +0100
@@ -167,6 +167,7 @@
 	')
 
 	systemd_exec_systemctl($1)
+	init_reload_services($1)
 	allow $1 automount_unit_file_t:file read_file_perms;
 	allow $1 automount_unit_file_t:service manage_service_perms;
 
@@ -194,7 +195,7 @@
 	gen_require(`
 		type automount_t, automount_lock_t, automount_tmp_t;
 		type automount_var_run_t, automount_initrc_exec_t;
-		type automount_unit_file_t;
+		type automount_unit_file_t, automount_keytab_t;
 	')
 
 	allow $1 automount_t:process signal_perms;
@@ -209,6 +210,9 @@
 	role_transition $2 automount_initrc_exec_t system_r;
 	allow $2 system_r;
 
+	files_list_etc($1)
+	admin_pattern($1, automount_keytab_t)
+
 	files_list_var($1)
 	admin_pattern($1, automount_lock_t)
 
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/contrib/avahi.if centos-7.1.1503/usr/share/selinux/devel/include/contrib/avahi.if
--- centos-7.0.1406/usr/share/selinux/devel/include/contrib/avahi.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/contrib/avahi.if	2015-03-06 06:53:47.000000000 +0100
@@ -21,6 +21,25 @@
 
 ########################################
 ## <summary>
+##	Execute avahi init scripts in the
+##	init script domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`avahi_initrc_domtrans',`
+	gen_require(`
+		type avahi_initrc_exec_t;
+	')
+
+	init_labeled_script_domtrans($1, avahi_initrc_exec_t)
+')
+
+########################################
+## <summary>
 ##	Send generic signals to avahi.
 ## </summary>
 ## <param name="domain">
@@ -116,6 +135,63 @@
 
 ########################################
 ## <summary>
+##	Create avahi pid directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`avahi_create_pid_dirs',`
+	gen_require(`
+		type avahi_var_run_t;
+	')
+
+	files_search_pids($1)
+	allow $1 avahi_var_run_t:dir create_dir_perms;
+')
+
+########################################
+## <summary>
+##	Set attributes of avahi pid directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`avahi_setattr_pid_dirs',`
+	gen_require(`
+		type avahi_var_run_t;
+	')
+
+	files_search_pids($1)
+	allow $1 avahi_var_run_t:dir setattr_dir_perms;
+')
+
+########################################
+## <summary>
+##	Create, read, and write avahi pid files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`avahi_manage_pid_files',`
+	gen_require(`
+		type avahi_var_run_t;
+	')
+
+	files_search_pids($1)
+	manage_files_pattern($1, avahi_var_run_t, avahi_var_run_t)
+')
+
+########################################
+## <summary>
 ##	Do not audit attempts to search
 ##	avahi pid directories.
 ## </summary>
@@ -150,6 +226,7 @@
 	')
 
 	systemd_exec_systemctl($1)
+	init_reload_services($1)
 	allow $1 avahi_unit_file_t:file read_file_perms;
 	allow $1 avahi_unit_file_t:service manage_service_perms;
 
@@ -158,6 +235,35 @@
 
 ########################################
 ## <summary>
+##	Create specified objects in generic
+##	pid directories with the avahi pid file type.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="object_class">
+##	<summary>
+##	Class of the object being created.
+##	</summary>
+## </param>
+## <param name="name" optional="true">
+##	<summary>
+##	The name of the object being created.
+##	</summary>
+## </param>
+#
+interface(`avahi_filetrans_pid',`
+	gen_require(`
+		type avahi_var_run_t;
+	')
+
+	files_pid_filetrans($1, avahi_var_run_t, $2, $3)
+')
+
+########################################
+## <summary>
 ##	All of the rules required to
 ##	administrate an avahi environment.
 ## </summary>
@@ -187,7 +293,7 @@
 		allow $1 avahi_t:process ptrace;
 	')
 
-	init_labeled_script_domtrans($1, avahi_initrc_exec_t)
+	avahi_initrc_domtrans($1)
 	domain_system_change_exemption($1)
 	role_transition $2 avahi_initrc_exec_t system_r;
 	allow $2 system_r;
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/contrib/backup.if centos-7.1.1503/usr/share/selinux/devel/include/contrib/backup.if
--- centos-7.0.1406/usr/share/selinux/devel/include/contrib/backup.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/contrib/backup.if	2015-03-06 06:53:47.000000000 +0100
@@ -45,3 +45,23 @@
 	backup_domtrans($1)
 	roleattribute $2 backup_roles;
 ')
+
+########################################
+## <summary>
+##	Create, read, and write backup
+##	store files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`backup_manage_store_files',`
+	gen_require(`
+		type backup_store_t;
+	')
+
+	files_search_var($1)
+	manage_files_pattern($1, backup_store_t, backup_store_t)
+')
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/contrib/bcfg2.if centos-7.1.1503/usr/share/selinux/devel/include/contrib/bcfg2.if
--- centos-7.0.1406/usr/share/selinux/devel/include/contrib/bcfg2.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/contrib/bcfg2.if	2015-03-06 06:53:47.000000000 +0100
@@ -132,6 +132,7 @@
 	')
 
 	systemd_exec_systemctl($1)
+	init_reload_services($1)
 	systemd_read_fifo_file_passwd_run($1)
 	allow $1 bcfg2_unit_file_t:file read_file_perms;
 	allow $1 bcfg2_unit_file_t:service manage_service_perms;
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/contrib/bind.if centos-7.1.1503/usr/share/selinux/devel/include/contrib/bind.if
--- centos-7.0.1406/usr/share/selinux/devel/include/contrib/bind.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/contrib/bind.if	2015-03-06 06:53:47.000000000 +0100
@@ -35,6 +35,7 @@
 	')
 
 	systemd_exec_systemctl($1)
+	init_reload_services($1)
 	allow $1 named_unit_file_t:file read_file_perms;
 	allow $1 named_unit_file_t:service manage_service_perms;
 
@@ -408,6 +409,25 @@
 
 ########################################
 ## <summary>
+##	Allow the domain to read bind state files in /proc.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`bind_read_state',`
+	gen_require(`
+		type named_t;
+	')
+
+	kernel_search_proc($1)
+	ps_process_pattern($1, named_t)
+')
+
+########################################
+## <summary>
 ##	All of the rules required to
 ##	administrate an bind environment.
 ## </summary>
@@ -426,10 +446,9 @@
 interface(`bind_admin',`
 	gen_require(`
 		type named_t, named_tmp_t, named_log_t;
-		type named_conf_t, named_var_run_t, named_cache_t;
-		type named_zone_t, named_initrc_exec_t;
-		type dnssec_t, ndc_t, named_keytab_t;
-		type named_unit_file_t;
+		type named_cache_t, named_zone_t, named_initrc_exec_t;
+		type dnssec_t, ndc_t, named_conf_t, named_var_run_t;
+		type named_keytab_t, named_unit_file_t;
 	')
 
 	allow $1 named_t:process signal_perms;
@@ -453,7 +472,7 @@
 	admin_pattern($1, named_log_t)
 
 	files_list_etc($1)
-	admin_pattern($1, named_conf_t)
+	admin_pattern($1, { named_keytab_t named_conf_t })
 
 	admin_pattern($1, named_keytab_t)
 
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/contrib/bluetooth.if centos-7.1.1503/usr/share/selinux/devel/include/contrib/bluetooth.if
--- centos-7.0.1406/usr/share/selinux/devel/include/contrib/bluetooth.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/contrib/bluetooth.if	2015-03-06 06:53:47.000000000 +0100
@@ -233,6 +233,7 @@
 	')
 
 	systemd_exec_systemctl($1)
+	init_reload_services($1)
 	allow $1 bluetooth_unit_file_t:file read_file_perms;
 	allow $1 bluetooth_unit_file_t:service manage_service_perms;
 
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/contrib/boinc.if centos-7.1.1503/usr/share/selinux/devel/include/contrib/boinc.if
--- centos-7.0.1406/usr/share/selinux/devel/include/contrib/boinc.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/contrib/boinc.if	2015-03-06 06:53:47.000000000 +0100
@@ -150,6 +150,7 @@
     ')
 
     systemd_exec_systemctl($1)
+	init_reload_services($1)
     allow $1 boinc_unit_file_t:file read_file_perms;
     allow $1 boinc_unit_file_t:service manage_service_perms;
 
Only in centos-7.1.1503/usr/share/selinux/devel/include/contrib: brltty.if
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/contrib/bugzilla.if centos-7.1.1503/usr/share/selinux/devel/include/contrib/bugzilla.if
--- centos-7.0.1406/usr/share/selinux/devel/include/contrib/bugzilla.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/contrib/bugzilla.if	2015-03-06 06:53:47.000000000 +0100
@@ -12,10 +12,10 @@
 #
 interface(`bugzilla_search_content',`
 	gen_require(`
-		type httpd_bugzilla_content_t;
+		type bugzilla_content_t;
 	')
 
-	allow $1 httpd_bugzilla_content_t:dir search_dir_perms;
+	allow $1 bugzilla_content_t:dir search_dir_perms;
 ')
 
 ########################################
@@ -32,10 +32,10 @@
 #
 interface(`bugzilla_dontaudit_rw_stream_sockets',`
 	gen_require(`
-		type httpd_bugzilla_script_t;
+		type bugzilla_script_t;
 	')
 
-	dontaudit $1 httpd_bugzilla_script_t:unix_stream_socket { read write };
+	dontaudit $1 bugzilla_script_t:unix_stream_socket { read write };
 ')
 
 ########################################
@@ -51,32 +51,32 @@
 #
 interface(`bugzilla_admin',`
 	gen_require(`
-		type httpd_bugzilla_script_t, httpd_bugzilla_content_t, httpd_bugzilla_ra_content_t;
-		type httpd_bugzilla_rw_content_t, httpd_bugzilla_script_exec_t;
-		type httpd_bugzilla_htaccess_t, httpd_bugzilla_tmp_t;
+		type bugzilla_script_t, bugzilla_content_t, bugzilla_ra_content_t;
+		type bugzilla_rw_content_t, bugzilla_script_exec_t;
+		type bugzilla_htaccess_t, bugzilla_tmp_t;
 	')
 
-	allow $1 httpd_bugzilla_script_t:process signal_perms;
-	ps_process_pattern($1, httpd_bugzilla_script_t)
+	allow $1 bugzilla_script_t:process signal_perms;
+	ps_process_pattern($1, bugzilla_script_t)
 
 	tunable_policy(`deny_ptrace',`',`
-		allow $1 httpd_bugzilla_script_t:process ptrace;
+		allow $1 bugzilla_script_t:process ptrace;
 	')
 
 	files_list_tmp($1)
-	admin_pattern($1, httpd_bugzilla_tmp_t)
+	admin_pattern($1, bugzilla_tmp_t)
 
-	files_list_var_lib(httpd_bugzilla_script_t)
+	files_list_var_lib(bugzilla_script_t)
 
-	admin_pattern($1, httpd_bugzilla_script_exec_t)
-	admin_pattern($1, httpd_bugzilla_script_t)
-	admin_pattern($1, httpd_bugzilla_content_t)
-	admin_pattern($1, httpd_bugzilla_htaccess_t)
-	admin_pattern($1, httpd_bugzilla_ra_content_t)
+	admin_pattern($1, bugzilla_script_exec_t)
+	admin_pattern($1, bugzilla_script_t)
+	admin_pattern($1, bugzilla_content_t)
+	admin_pattern($1, bugzilla_htaccess_t)
+	admin_pattern($1, bugzilla_ra_content_t)
 
 	files_search_tmp($1)
 	files_search_var_lib($1)
-	admin_pattern($1, httpd_bugzilla_rw_content_t)
+	admin_pattern($1, bugzilla_rw_content_t)
 
 	optional_policy(`
 		apache_list_sys_content($1)
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/contrib/bumblebee.if centos-7.1.1503/usr/share/selinux/devel/include/contrib/bumblebee.if
--- centos-7.0.1406/usr/share/selinux/devel/include/contrib/bumblebee.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/contrib/bumblebee.if	2015-03-06 06:53:47.000000000 +0100
@@ -55,6 +55,7 @@
 	')
 
 	systemd_exec_systemctl($1)
+	init_reload_services($1)
     systemd_read_fifo_file_passwd_run($1)
 	allow $1 bumblebee_unit_file_t:file read_file_perms;
 	allow $1 bumblebee_unit_file_t:service manage_service_perms;
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/contrib/chrome.if centos-7.1.1503/usr/share/selinux/devel/include/contrib/chrome.if
--- centos-7.0.1406/usr/share/selinux/devel/include/contrib/chrome.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/contrib/chrome.if	2015-03-06 06:53:47.000000000 +0100
@@ -87,9 +87,9 @@
 
 	allow chrome_sandbox_t $2:unix_dgram_socket { read write };
 	allow $2 chrome_sandbox_t:unix_dgram_socket { read write };
-	allow chrome_sandbox_t $2:unix_stream_socket rw_inherited_sock_file_perms;;
-	dontaudit chrome_sandbox_t $2:unix_stream_socket shutdown;
-	allow chrome_sandbox_nacl_t $2:unix_stream_socket rw_inherited_sock_file_perms;
+	allow chrome_sandbox_t $2:unix_stream_socket rw_socket_perms;
+	allow chrome_sandbox_t $2:udp_socket rw_socket_perms;;
+	allow chrome_sandbox_nacl_t $2:unix_stream_socket rw_socket_perms;
 	allow $2 chrome_sandbox_nacl_t:unix_stream_socket { getattr read write };
 	allow $2 chrome_sandbox_t:unix_stream_socket { getattr read write };
 
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/contrib/chronyd.if centos-7.1.1503/usr/share/selinux/devel/include/contrib/chronyd.if
--- centos-7.0.1406/usr/share/selinux/devel/include/contrib/chronyd.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/contrib/chronyd.if	2015-03-06 06:53:47.000000000 +0100
@@ -151,6 +151,7 @@
 	')
 
 	systemd_exec_systemctl($1)
+	init_reload_services($1)
 	allow $1 chronyd_unit_file_t:file read_file_perms;
 	allow $1 chronyd_unit_file_t:service manage_service_perms;
 
Only in centos-7.1.1503/usr/share/selinux/devel/include/contrib: cinder.if
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/contrib/clamav.if centos-7.1.1503/usr/share/selinux/devel/include/contrib/clamav.if
--- centos-7.0.1406/usr/share/selinux/devel/include/contrib/clamav.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/contrib/clamav.if	2015-03-06 06:53:47.000000000 +0100
@@ -187,6 +187,7 @@
         ')
 
         systemd_exec_systemctl($1)
+	init_reload_services($1)
         systemd_read_fifo_file_passwd_run($1)
         allow $1 clamd_unit_file_t:file read_file_perms;
         allow $1 clamd_unit_file_t:service manage_service_perms;
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/contrib/cloudform.if centos-7.1.1503/usr/share/selinux/devel/include/contrib/cloudform.if
--- centos-7.0.1406/usr/share/selinux/devel/include/contrib/cloudform.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/contrib/cloudform.if	2015-03-06 06:53:47.000000000 +0100
@@ -40,3 +40,21 @@
 
     can_exec($1, mongod_exec_t)
 ')
+
+######################################
+## <summary>
+##	Execute mongod in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`cloudform_dontaudit_write_cloud_log',`
+    gen_require(`
+	type cloud_log_t;
+    ')
+
+    dontaudit $1 cloud_log_t:file write_inherited_file_perms;
+')
Only in centos-7.1.1503/usr/share/selinux/devel/include/contrib: cockpit.if
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/contrib/collectd.if centos-7.1.1503/usr/share/selinux/devel/include/contrib/collectd.if
--- centos-7.0.1406/usr/share/selinux/devel/include/contrib/collectd.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/contrib/collectd.if	2015-03-06 06:53:47.000000000 +0100
@@ -130,6 +130,7 @@
 	')
 
 	systemd_exec_systemctl($1)
+	init_reload_services($1)
 	allow $1 collectd_unit_file_t:file read_file_perms;
 	allow $1 collectd_unit_file_t:service manage_service_perms;
 
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/contrib/colord.if centos-7.1.1503/usr/share/selinux/devel/include/contrib/colord.if
--- centos-7.0.1406/usr/share/selinux/devel/include/contrib/colord.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/contrib/colord.if	2015-03-06 06:53:47.000000000 +0100
@@ -76,6 +76,7 @@
 	')
 
 	systemd_exec_systemctl($1)
+	init_reload_services($1)
 	allow $1 colord_unit_file_t:file read_file_perms;
 	allow $1 colord_unit_file_t:service manage_service_perms;
 
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/contrib/condor.if centos-7.1.1503/usr/share/selinux/devel/include/contrib/condor.if
--- centos-7.0.1406/usr/share/selinux/devel/include/contrib/condor.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/contrib/condor.if	2015-03-06 06:53:47.000000000 +0100
@@ -310,6 +310,7 @@
 	')
 
 	systemd_exec_systemctl($1)
+	init_reload_services($1)
 	systemd_read_fifo_file_passwd_run($1)
 	allow $1 condor_unit_file_t:file read_file_perms;
 	allow $1 condor_unit_file_t:service manage_service_perms;
@@ -372,7 +373,7 @@
 interface(`condor_admin',`
     gen_require(`
         attribute condor_domain;
-        type condor_initrc_exec_t, condor_log_t;
+        type condor_initrc_exec_t, condor_log_t, condor_conf_t;
         type condor_var_lib_t, condor_var_lock_t, condor_schedd_tmp_t;
         type condor_var_run_t, condor_startd_tmp_t;
 		type condor_unit_file_t;
@@ -386,6 +387,9 @@
     role_transition $2 condor_initrc_exec_t system_r;
     allow $2 system_r;
 
+	files_search_etc($1)
+	admin_pattern($1, condor_conf_t)
+
 	logging_search_logs($1)
 	admin_pattern($1, condor_log_t)
 
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/contrib/conman.if centos-7.1.1503/usr/share/selinux/devel/include/contrib/conman.if
--- centos-7.0.1406/usr/share/selinux/devel/include/contrib/conman.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/contrib/conman.if	2015-03-06 06:53:47.000000000 +0100
@@ -94,6 +94,7 @@
 	')
 
 	systemd_exec_systemctl($1)
+	init_reload_services($1)
     systemd_read_fifo_file_passwd_run($1)
 	allow $1 conman_unit_file_t:file read_file_perms;
 	allow $1 conman_unit_file_t:service manage_service_perms;
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/contrib/consolekit.if centos-7.1.1503/usr/share/selinux/devel/include/contrib/consolekit.if
--- centos-7.0.1406/usr/share/selinux/devel/include/contrib/consolekit.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/contrib/consolekit.if	2015-03-06 06:53:47.000000000 +0100
@@ -193,6 +193,7 @@
 	')
 
 	systemd_exec_systemctl($1)
+	init_reload_services($1)
 	allow $1 consolekit_unit_file_t:file read_file_perms;
 	allow $1 consolekit_unit_file_t:service manage_service_perms;
 
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/contrib/corosync.if centos-7.1.1503/usr/share/selinux/devel/include/contrib/corosync.if
--- centos-7.0.1406/usr/share/selinux/devel/include/contrib/corosync.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/contrib/corosync.if	2015-03-06 06:53:47.000000000 +0100
@@ -154,6 +154,7 @@
 	')
 
 	systemd_exec_systemctl($1)
+	init_reload_services($1)
 	allow $1 corosync_unit_file_t:file read_file_perms;
 	allow $1 corosync_unit_file_t:service manage_service_perms;
 
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/contrib/couchdb.if centos-7.1.1503/usr/share/selinux/devel/include/contrib/couchdb.if
--- centos-7.0.1406/usr/share/selinux/devel/include/contrib/couchdb.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/contrib/couchdb.if	2015-03-06 06:53:47.000000000 +0100
@@ -175,6 +175,7 @@
 	')
 
 	systemd_exec_systemctl($1)
+	init_reload_services($1)
 	systemd_read_fifo_file_passwd_run($1)
 	allow $1 couchdb_unit_file_t:file read_file_perms;
 	allow $1 couchdb_unit_file_t:service manage_service_perms;
Only in centos-7.1.1503/usr/share/selinux/devel/include/contrib: cpuplug.if
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/contrib/cron.if centos-7.1.1503/usr/share/selinux/devel/include/contrib/cron.if
--- centos-7.0.1406/usr/share/selinux/devel/include/contrib/cron.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/contrib/cron.if	2015-03-06 06:53:47.000000000 +0100
@@ -68,26 +68,32 @@
 	gen_require(`
 		type cronjob_t, crontab_t, crontab_exec_t;
 		type user_cron_spool_t, crond_t;
+        bool cron_userdomain_transition;
 	')
 
+    ##############################
+    #
+    # Declarations
+    #
+
 	role $1 types { cronjob_t crontab_t };
 
-	# cronjob shows up in user ps
-	ps_process_pattern($2, cronjob_t)
+    ##############################
+    #
+    # Local policy
+    #
 
 	# Transition from the user domain to the derived domain.
 	domtrans_pattern($2, crontab_exec_t, crontab_t)
 
-	allow crond_t $2:process transition;
 	dontaudit crond_t $2:process { noatsecure siginh rlimitinh };
 	allow $2 crond_t:process sigchld;
 
-	# needs to be authorized SELinux context for cron
-	allow $2 user_cron_spool_t:file { getattr read write ioctl entrypoint };
+    allow $2 user_cron_spool_t:file { getattr read write ioctl };
 
 	# crontab shows up in user ps
-	ps_process_pattern($2, crontab_t)
 	allow $2 crontab_t:process signal_perms;
+	ps_process_pattern($2, crontab_t)
 
 	tunable_policy(`deny_ptrace',`',`
 		allow $2 crontab_t:process ptrace;
@@ -99,6 +105,30 @@
 	corecmd_exec_bin(crontab_t)
 	corecmd_exec_shell(crontab_t)
 
+    tunable_policy(`cron_userdomain_transition',`
+        allow crond_t $2:process transition;
+        allow crond_t $2:fd use;
+        allow crond_t $2:key manage_key_perms;
+
+	    # needs to be authorized SELinux context for cron
+	    allow $2 user_cron_spool_t:file entrypoint;
+        allow $2 crond_t:fifo_file rw_fifo_file_perms;
+
+        allow $2 cronjob_t:process { signal_perms };
+
+        ps_process_pattern($2, cronjob_t)
+    ',`
+        dontaudit crond_t $2:process transition;
+        dontaudit crond_t $2:fd use;
+        dontaudit crond_t $2:key manage_key_perms;
+
+        dontaudit $2 user_cron_spool_t:file entrypoint;
+
+        dontaudit $2 crond_t:fifo_file rw_fifo_file_perms;
+
+        dontaudit $2 cronjob_t:process { signal_perms };
+    ')
+
 	optional_policy(`
 		gen_require(`
 			class dbus send_msg;
@@ -128,18 +158,55 @@
 #
 interface(`cron_unconfined_role',`
 	gen_require(`
-		type unconfined_cronjob_t;
+		type unconfined_cronjob_t, crontab_t, crontab_exec_t;
+        type crond_t, user_cron_spool_t;
+        bool cron_userdomain_transition;
 	')
 
-	role $1 types unconfined_cronjob_t;
+    ##############################
+    #
+    # Declarations
+    #
+    
+    role $1 types unconfined_cronjob_t;
+
+    ##############################
+    #
+    # Local policy
+    #
+
+    dontaudit crond_t $2:process { noatsecure siginh rlimitinh };
+
+    allow $2 crond_t:process sigchld;
+
+    allow $2 user_cron_spool_t:file { getattr read write ioctl };
 
 	# cronjob shows up in user ps
 	ps_process_pattern($2, unconfined_cronjob_t)
 	allow $2 unconfined_cronjob_t:process signal_perms;
+
 	tunable_policy(`deny_ptrace',`',`
 		allow $2 unconfined_cronjob_t:process ptrace;
 	')
 
+    tunable_policy(`cron_userdomain_transition',`
+        allow crond_t $2:process transition;
+        allow crond_t $2:fd use;
+        allow crond_t $2:key manage_key_perms;
+
+        allow $2 user_cron_spool_t:file entrypoint;
+
+        allow $2 crond_t:fifo_file rw_fifo_file_perms;
+    ',`
+        dontaudit crond_t $2:process transition;
+        dontaudit crond_t $2:fd use;
+        dontaudit crond_t $2:key manage_key_perms;
+
+        dontaudit $2 user_cron_spool_t:file entrypoint;
+
+        dontaudit $2 crond_t:fifo_file rw_fifo_file_perms;
+    ')
+
 	optional_policy(`
 		gen_require(`
 			class dbus send_msg;
@@ -171,40 +238,63 @@
 		type cronjob_t, crontab_exec_t, admin_crontab_t, admin_crontab_tmp_t;
 		type user_cron_spool_t, crond_t;
 		class passwd crontab;
+        bool cron_userdomain_transition;
 	')
 
-	role $1 types { cronjob_t admin_crontab_t admin_crontab_tmp_t };
+    ##############################
+    #
+    # Declarations
+    #
 
-	# cronjob shows up in user ps
-	ps_process_pattern($2, cronjob_t)
+	role $1 types { cronjob_t admin_crontab_t admin_crontab_tmp_t };
 
-	# Manipulate other users crontab.
-	allow $2 self:passwd crontab;
+    ##############################
+    #
+    # Local policy
+    #
 
 	# Transition from the user domain to the derived domain.
 	domtrans_pattern($2, crontab_exec_t, admin_crontab_t)
 
+	dontaudit crond_t $2:process { noatsecure siginh rlimitinh };
+
+	allow $2 crond_t:process sigchld;
+
 	# crontab shows up in user ps
 	ps_process_pattern($2, admin_crontab_t)
 	allow $2 admin_crontab_t:process signal_perms;
+
 	tunable_policy(`deny_ptrace',`',`
 		allow $2 admin_crontab_t:process ptrace;
 	')
 
-	allow $2 crond_t:process sigchld;
-	allow crond_t $2:process transition;
-
-	dontaudit crond_t $2:process { noatsecure siginh rlimitinh };
-
-	# needs to be authorized SELinux context for cron
-	allow $2 user_cron_spool_t:file entrypoint;
+	# Manipulate other users crontab.
+	allow $2 self:passwd crontab;
 
-	# Run helper programs as the user domain
-	#corecmd_bin_domtrans(admin_crontab_t, $2)
-	#corecmd_shell_domtrans(admin_crontab_t, $2)
 	corecmd_exec_bin(admin_crontab_t)
 	corecmd_exec_shell(admin_crontab_t)
 
+    tunable_policy(`cron_userdomain_transition',`
+        allow crond_t $2:process transition;
+        allow crond_t $2:fd use;
+        allow crond_t $2:key manage_key_perms;
+
+        allow $2 user_cron_spool_t:file entrypoint;
+
+        allow $2 crond_t:fifo_file rw_fifo_file_perms;
+
+        allow $2 cronjob_t:process { signal_perms };
+        ps_process_pattern($2, cronjob_t)
+    ',`
+        dontaudit crond_t $2:process transition;
+        dontaudit crond_t $2:fd use;
+        dontaudit crond_t $2:key manage_key_perms;
+
+        dontaudit $2 user_cron_spool_t:file entrypoint;
+        dontaudit $2 crond_t:fifo_file rw_fifo_file_perms;
+        dontaudit $2 cronjob_t:process { signal_perms };
+    ')
+
 	optional_policy(`
 		gen_require(`
 			class dbus send_msg;
@@ -317,6 +407,7 @@
 	')
 
 	systemd_exec_systemctl($1)
+	init_reload_services($1)
 	allow $1 crond_unit_file_t:file read_file_perms;
 	allow $1 crond_unit_file_t:service manage_service_perms;
 
@@ -474,6 +565,24 @@
 ')
 
 ########################################
+## <summary>
+##	Do not audit attempts to setattr cron daemon unnamed pipes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`cron_dontaudit_setattr_pipes',`
+	gen_require(`
+		type crond_t;
+	')
+
+	dontaudit $1 crond_t:fifo_file setattr;
+')
+
+########################################
 ## <summary>
 ##	Read and write inherited user spool files.
 ## </summary>
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/contrib/cups.if centos-7.1.1503/usr/share/selinux/devel/include/contrib/cups.if
--- centos-7.0.1406/usr/share/selinux/devel/include/contrib/cups.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/contrib/cups.if	2015-03-06 06:53:47.000000000 +0100
@@ -324,6 +324,7 @@
 	')
 
 	systemd_exec_systemctl($1)
+	init_reload_services($1)
 	allow $1 cupsd_unit_file_t:file read_file_perms;
 	allow $1 cupsd_unit_file_t:service manage_service_perms;
 
@@ -332,6 +333,26 @@
 
 ########################################
 ## <summary>
+##	Read the process state (/proc/pid) of cupsd.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`cups_read_state',`
+	gen_require(`
+		type cupsd_t;
+	')
+
+	allow $1 cupsd_t:dir search_dir_perms;
+	allow $1 cupsd_t:file read_file_perms;
+	allow $1 cupsd_t:lnk_file read_lnk_file_perms;
+')
+
+########################################
+## <summary>
 ##	All of the rules required to
 ##	administrate an cups environment.
 ## </summary>
@@ -421,22 +442,3 @@
 	corecmd_bin_filetrans($1, cupsd_rw_etc_t, dir, "inf")
 	files_var_filetrans($1, cupsd_rw_etc_t, dir, "cups")
 ')
-
-########################################
-## <summary>
-##	Allow the domain to read cups state files in /proc.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`cups_read_state',`
-	gen_require(`
-		type cupsd_t;
-	')
-
-	kernel_search_proc($1)
-	ps_process_pattern($1, cupsd_t)
-')
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/contrib/cvs.if centos-7.1.1503/usr/share/selinux/devel/include/contrib/cvs.if
--- centos-7.0.1406/usr/share/selinux/devel/include/contrib/cvs.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/contrib/cvs.if	2015-03-06 06:53:47.000000000 +0100
@@ -112,6 +112,9 @@
 	role_transition $2 cvs_initrc_exec_t system_r;
 	allow $2 system_r;
 
+	files_search_etc($1)
+	admin_pattern($1, cvs_keytab_t)
+
 	files_list_tmp($1)
 	admin_pattern($1, cvs_tmp_t)
 
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/contrib/cyrus.if centos-7.1.1503/usr/share/selinux/devel/include/contrib/cyrus.if
--- centos-7.0.1406/usr/share/selinux/devel/include/contrib/cyrus.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/contrib/cyrus.if	2015-03-06 06:53:47.000000000 +0100
@@ -80,6 +80,7 @@
 	gen_require(`
 		type cyrus_t, cyrus_tmp_t, cyrus_var_lib_t;
 		type cyrus_var_run_t, cyrus_initrc_exec_t;
+		type cyrus_keytab_t;
 	')
 
 	allow $1 cyrus_t:process signal_perms;
@@ -94,6 +95,9 @@
 	role_transition $2 cyrus_initrc_exec_t system_r;
 	allow $2 system_r;
 
+	files_list_etc($1)
+	admin_pattern($1, cyrus_keytab_t)
+
 	files_list_tmp($1)
 	admin_pattern($1, cyrus_tmp_t)
 
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/contrib/dbus.if centos-7.1.1503/usr/share/selinux/devel/include/contrib/dbus.if
--- centos-7.0.1406/usr/share/selinux/devel/include/contrib/dbus.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/contrib/dbus.if	2015-03-06 06:53:47.000000000 +0100
@@ -85,7 +85,7 @@
 	#
 
 	# For connecting to the bus
-	allow $3 $1_dbusd_t:unix_stream_socket connectto;
+	allow $3 $1_dbusd_t:unix_stream_socket { connectto rw_socket_perms };
 
 	# SE-DBus specific permissions
 	allow { dbusd_unconfined $3 } $1_dbusd_t:dbus { send_msg acquire_svc };
@@ -142,10 +142,16 @@
 	read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
 	files_search_var_lib($1)
 
+	dev_read_urand($1)
+
 	# For connecting to the bus
 	files_search_pids($1)
 	stream_connect_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t, system_dbusd_t)
 	dbus_read_config($1)
+
+    optional_policy(`
+        unconfined_server_dbus_chat($1)
+    ')
 ')
 
 #######################################
@@ -257,6 +263,7 @@
 
 	files_search_var_lib($1)
 	read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
+	read_lnk_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
 ')
 
 ########################################
@@ -600,6 +607,27 @@
 	dontaudit system_bus_type $1:dbus send_msg;
 ')
 
+########################################
+## <summary>
+##	Allow attempts to send dbus
+##	messages to system bus types.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`dbus_chat_system_bus',`
+	gen_require(`
+		attribute system_bus_type;
+		class dbus send_msg;
+	')
+
+	allow $1 system_bus_type:dbus send_msg;
+	allow system_bus_type $1:dbus send_msg;
+')
+
 #######################################
 ## <summary>
 ##      Transition to dbus named content
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/contrib/devicekit.if centos-7.1.1503/usr/share/selinux/devel/include/contrib/devicekit.if
--- centos-7.0.1406/usr/share/selinux/devel/include/contrib/devicekit.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/contrib/devicekit.if	2015-03-06 06:53:47.000000000 +0100
@@ -177,6 +177,25 @@
 
 #######################################
 ## <summary>
+##  Use and inherit devicekit power
+##  file descriptors.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`devicekit_use_fds_power',`
+    gen_require(`
+        type devicekit_power_t;
+    ')
+
+        allow $1 devicekit_power_t:fd use;
+')
+
+#######################################
+## <summary>
 ##  Append inherited devicekit log files.
 ## </summary>
 ## <param name="domain">
@@ -190,7 +209,29 @@
 		type devicekit_var_log_t;
 	')
 
+	logging_search_logs($1)
 	allow $1 devicekit_var_log_t:file append_inherited_file_perms;
+
+	devicekit_use_fds_power($1)
+')
+
+#######################################
+## <summary>
+##  Allow read devicekit log files.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`devicekit_read_log_files',`
+	gen_require(`
+		type devicekit_var_log_t;
+	')
+
+	logging_search_logs($1)
+	allow $1 devicekit_var_log_t:file read_file_perms;
 ')
 
 #######################################
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/contrib/dhcp.if centos-7.1.1503/usr/share/selinux/devel/include/contrib/dhcp.if
--- centos-7.0.1406/usr/share/selinux/devel/include/contrib/dhcp.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/contrib/dhcp.if	2015-03-06 06:53:47.000000000 +0100
@@ -75,6 +75,7 @@
 	')
 
 	systemd_exec_systemctl($1)
+	init_reload_services($1)
 	systemd_search_unit_dirs($1)
 	allow $1 dhcpd_unit_file_t:file read_file_perms;
 	allow $1 dhcpd_unit_file_t:service manage_service_perms;
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/contrib/dirsrv-admin.if centos-7.1.1503/usr/share/selinux/devel/include/contrib/dirsrv-admin.if
--- centos-7.0.1406/usr/share/selinux/devel/include/contrib/dirsrv-admin.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/contrib/dirsrv-admin.if	2015-03-06 06:53:47.000000000 +0100
@@ -29,13 +29,13 @@
 ##	</summary>
 ## </param>
 #
-interface(`dirsrvadmin_run_httpd_script_exec',`
+interface(`dirsrvadmin_run_script_exec',`
 	gen_require(`
-		type httpd_dirsrvadmin_script_exec_t;
+		type dirsrvadmin_script_exec_t;
 	')
 
-	allow $1 httpd_dirsrvadmin_script_exec_t:dir search_dir_perms;
-	can_exec($1, httpd_dirsrvadmin_script_exec_t)
+	allow $1 dirsrvadmin_script_exec_t:dir search_dir_perms;
+	can_exec($1, dirsrvadmin_script_exec_t)
 ')
 
 ########################################
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/contrib/dnsmasq.if centos-7.1.1503/usr/share/selinux/devel/include/contrib/dnsmasq.if
--- centos-7.0.1406/usr/share/selinux/devel/include/contrib/dnsmasq.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/contrib/dnsmasq.if	2015-03-06 06:53:47.000000000 +0100
@@ -92,6 +92,7 @@
 	')
 
 	systemd_exec_systemctl($1)
+	init_reload_services($1)
 	allow $1 dnsmasq_unit_file_t:file read_file_perms;
 	allow $1 dnsmasq_unit_file_t:service manage_service_perms;
 
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/contrib/dnssec.if centos-7.1.1503/usr/share/selinux/devel/include/contrib/dnssec.if
--- centos-7.0.1406/usr/share/selinux/devel/include/contrib/dnssec.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/contrib/dnssec.if	2015-03-06 06:53:47.000000000 +0100
@@ -38,6 +38,27 @@
 	allow $1 dnssec_trigger_var_run_t:file read_file_perms;
 ')
 
+########################################
+## <summary>
+##	Manage dnssec_trigger PID files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dnssec_trigger_manage_pid_files',`
+	gen_require(`
+		type dnssec_trigger_var_run_t;
+	')
+
+	files_search_pids($1)
+	manage_dirs_pattern($1, dnssec_trigger_var_run_t, dnssec_trigger_var_run_t)
+	manage_files_pattern($1, dnssec_trigger_var_run_t, dnssec_trigger_var_run_t)
+	manage_lnk_files_pattern($1, dnssec_trigger_var_run_t, dnssec_trigger_var_run_t)
+')
+
 
 ########################################
 ## <summary>
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/contrib/docker.if centos-7.1.1503/usr/share/selinux/devel/include/contrib/docker.if
--- centos-7.0.1406/usr/share/selinux/devel/include/contrib/docker.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/contrib/docker.if	2015-03-06 06:53:47.000000000 +0100
@@ -22,6 +22,25 @@
 
 ########################################
 ## <summary>
+##	Execute docker in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`docker_exec',`
+	gen_require(`
+		type docker_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	can_exec($1, docker_exec_t)
+')
+
+########################################
+## <summary>
 ##	Search docker lib directories.
 ## </summary>
 ## <param name="domain">
@@ -206,6 +225,7 @@
 	')
 
 	systemd_exec_systemctl($1)
+	init_reload_services($1)
         systemd_read_fifo_file_passwd_run($1)
 	allow $1 docker_unit_file_t:file read_file_perms;
 	allow $1 docker_unit_file_t:service manage_service_perms;
@@ -264,18 +284,22 @@
     gen_require(`
         type docker_var_lib_t;
         type docker_share_t;
-	type docker_log_t;
-	type docker_var_run_t;
+    	type docker_log_t;
+	    type docker_var_run_t;
+        type docker_home_t;
     ')
 
     files_pid_filetrans($1, docker_var_run_t, file, "docker.pid")
     files_pid_filetrans($1, docker_var_run_t, sock_file, "docker.sock")
+    files_pid_filetrans($1, docker_var_run_t, dir, "docker-client")
     logging_log_filetrans($1, docker_log_t, dir, "lxc")
     files_var_lib_filetrans($1, docker_var_lib_t, dir, "docker")
     filetrans_pattern($1, docker_var_lib_t, docker_share_t, file, "config.env")
     filetrans_pattern($1, docker_var_lib_t, docker_share_t, file, "hosts")
     filetrans_pattern($1, docker_var_lib_t, docker_share_t, file, "hostname")
+    filetrans_pattern($1, docker_var_lib_t, docker_share_t, file, "resolv.conf")
     filetrans_pattern($1, docker_var_lib_t, docker_share_t, dir, "init")
+    userdom_admin_home_dir_filetrans($1, docker_home_t, dir, ".docker")
 ')
 
 ########################################
@@ -316,11 +340,14 @@
 		type docker_unit_file_t;
 		type docker_lock_t;
 		type docker_log_t;
+		type docker_config_t;
 	')
 
 	allow $1 docker_t:process { ptrace signal_perms };
 	ps_process_pattern($1, docker_t)
 
+	admin_pattern($1, docker_config_t)
+
 	files_search_var_lib($1)
 	admin_pattern($1, docker_var_lib_t)
 
@@ -342,3 +369,4 @@
 		systemd_read_fifo_file_passwd_run($1)
 	')
 ')
+
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/contrib/dovecot.if centos-7.1.1503/usr/share/selinux/devel/include/contrib/dovecot.if
--- centos-7.0.1406/usr/share/selinux/devel/include/contrib/dovecot.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/contrib/dovecot.if	2015-03-06 06:53:47.000000000 +0100
@@ -175,14 +175,16 @@
 #
 interface(`dovecot_admin',`
 	gen_require(`
-		type dovecot_t, dovecot_etc_t, dovecot_auth_tmp_t;
-		type dovecot_spool_t, dovecot_var_lib_t, dovecot_var_log_t;
-		type dovecot_var_run_t, dovecot_tmp_t, dovecot_keytab_t;
-		type dovecot_cert_t, dovecot_passwd_t, dovecot_initrc_exec_t;
+		type dovecot_t, dovecot_etc_t, dovecot_var_log_t;
+		type dovecot_spool_t, dovecot_var_lib_t, dovecot_initrc_exec_t;
+		type dovecot_var_run_t, dovecot_cert_t, dovecot_passwd_t;
+		type dovecot_tmp_t, dovecot_auth_tmp_t, dovecot_deliver_tmp_t;
+		type dovecot_keytab_t;
 	')
 
 	allow $1 dovecot_t:process signal_perms;
 	ps_process_pattern($1, dovecot_t)
+
 	tunable_policy(`deny_ptrace',`',`
 		allow $1 dovecot_t:process ptrace;
 	')
@@ -193,7 +195,7 @@
 	allow $2 system_r;
 
 	files_list_etc($1)
-	admin_pattern($1, dovecot_etc_t)
+	admin_pattern($1, { dovecot_keytab_t dovecot_etc_t })
 
 	files_list_tmp($1)
 	admin_pattern($1, dovecot_auth_tmp_t)
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/contrib/dpkg.if centos-7.1.1503/usr/share/selinux/devel/include/contrib/dpkg.if
--- centos-7.0.1406/usr/share/selinux/devel/include/contrib/dpkg.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/contrib/dpkg.if	2015-03-06 06:53:47.000000000 +0100
@@ -21,6 +21,25 @@
 
 ########################################
 ## <summary>
+##	Execute the dkpg in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dpkg_exec',`
+	gen_require(`
+		type dpkg_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	can_exec($1, dpkg_exec_t)
+')
+
+########################################
+## <summary>
 ##	Execute dpkg_script programs in
 ##	the dpkg_script domain.
 ## </summary>
Only in centos-7.1.1503/usr/share/selinux/devel/include/contrib: etcd.if
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/contrib/exim.if centos-7.1.1503/usr/share/selinux/devel/include/contrib/exim.if
--- centos-7.0.1406/usr/share/selinux/devel/include/contrib/exim.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/contrib/exim.if	2015-03-06 06:53:47.000000000 +0100
@@ -241,8 +241,46 @@
 
 ########################################
 ## <summary>
-##	All of the rules required to administrate
-##	an exim environment.
+##	Read exim var lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`exim_read_var_lib_files',`
+	gen_require(`
+		type exim_var_lib_t;
+	')
+
+	read_files_pattern($1, exim_var_lib_t, exim_var_lib_t)
+	files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+##	Create, read, and write exim var lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`exim_manage_var_lib_files',`
+	gen_require(`
+		type exim_var_lib_t;
+	')
+
+	manage_files_pattern($1, exim_var_lib_t, exim_var_lib_t)
+	files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+##	All of the rules required to
+##	administrate an exim environment.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -257,8 +295,9 @@
 #
 interface(`exim_admin',`
 	gen_require(`
-		type exim_t, exim_initrc_exec_t, exim_log_t;
-		type exim_tmp_t, exim_spool_t, exim_var_run_t;
+		type exim_t, exim_spool_t, exim_log_t;
+		type exim_var_run_t, exim_initrc_exec_t, exim_tmp_t;
+		type exim_keytab_t;
 	')
 
 	allow $1 exim_t:process signal_perms;
@@ -273,6 +312,9 @@
 	role_transition $2 exim_initrc_exec_t system_r;
 	allow $2 system_r;
 
+	files_search_etc($1)
+	admin_pattern($1, exim_keytab_t)
+
 	files_search_spool($1)
 	admin_pattern($1, exim_spool_t)
 
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/contrib/fail2ban.if centos-7.1.1503/usr/share/selinux/devel/include/contrib/fail2ban.if
--- centos-7.0.1406/usr/share/selinux/devel/include/contrib/fail2ban.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/contrib/fail2ban.if	2015-03-06 06:53:47.000000000 +0100
@@ -123,6 +123,44 @@
 	allow $1 fail2ban_t:unix_stream_socket rw_stream_socket_perms;
 ')
 
+#######################################
+## <summary>
+##  Do not audit attempts to use
+##  fail2ban file descriptors.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain to not audit.
+##  </summary>
+## </param>
+#
+interface(`fail2ban_dontaudit_use_fds',`
+    gen_require(`
+        type fail2ban_t;
+    ')
+
+    dontaudit $1 fail2ban_t:fd use;
+')
+
+#######################################
+## <summary>
+##  Do not audit attempts to read and
+##  write fail2ban unix stream sockets
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain to not audit.
+##  </summary>
+## </param>
+#
+interface(`fail2ban_dontaudit_rw_stream_sockets',`
+    gen_require(`
+        type fail2ban_t;
+    ')
+
+    dontaudit $1 fail2ban_t:unix_stream_socket { read write };
+')
+
 ########################################
 ## <summary>
 ##	Read fail2ban lib files.
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/contrib/firewalld.if centos-7.1.1503/usr/share/selinux/devel/include/contrib/firewalld.if
--- centos-7.0.1406/usr/share/selinux/devel/include/contrib/firewalld.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/contrib/firewalld.if	2015-03-06 06:53:47.000000000 +0100
@@ -54,6 +54,7 @@
 	')
 
 	systemd_exec_systemctl($1)
+	init_reload_services($1)
 	allow $1 firewalld_unit_file_t:file read_file_perms;
 	allow $1 firewalld_unit_file_t:service manage_service_perms;
 
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/contrib/freeipmi.if centos-7.1.1503/usr/share/selinux/devel/include/contrib/freeipmi.if
--- centos-7.0.1406/usr/share/selinux/devel/include/contrib/freeipmi.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/contrib/freeipmi.if	2015-03-06 06:53:47.000000000 +0100
@@ -44,8 +44,6 @@
 	corenet_all_recvfrom_netlabel(freeipmi_$1_t)
 	corenet_all_recvfrom_unlabeled(freeipmi_$1_t)
 
-    dev_read_raw_memory(freeipmi_$1_t)
-
     auth_use_nsswitch(freeipmi_$1_t)
 
     logging_send_syslog_msg(freeipmi_$1_t)
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/contrib/ftp.if centos-7.1.1503/usr/share/selinux/devel/include/contrib/ftp.if
--- centos-7.0.1406/usr/share/selinux/devel/include/contrib/ftp.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/contrib/ftp.if	2015-03-06 06:53:47.000000000 +0100
@@ -55,6 +55,7 @@
 	')
 
 	systemd_exec_systemctl($1)
+	init_reload_services($1)
 	allow $1 ftpd_unit_file_t:file read_file_perms;
 	allow $1 ftpd_unit_file_t:service manage_service_perms;
 
@@ -237,6 +238,7 @@
 		type ftpd_etc_t, ftpd_lock_t, sftpd_t;
 		type ftpd_var_run_t, xferlog_t, anon_sftpd_t;
 		type ftpd_initrc_exec_t, ftpdctl_tmp_t;
+		type ftpd_keytab_t;
 	')
 
 	allow $1 ftpd_t:process signal_perms;
@@ -256,7 +258,7 @@
 	admin_pattern($1, { ftpd_tmp_t ftpdctl_tmp_t })
 
 	files_list_etc($1)
-	admin_pattern($1, ftpd_etc_t)
+	admin_pattern($1, { ftpd_etc_t ftpd_keytab_t })
 
 	files_list_var($1)
 	admin_pattern($1, ftpd_lock_t)
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/contrib/games.if centos-7.1.1503/usr/share/selinux/devel/include/contrib/games.if
--- centos-7.0.1406/usr/share/selinux/devel/include/contrib/games.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/contrib/games.if	2015-03-06 06:53:47.000000000 +0100
@@ -58,3 +58,23 @@
 	files_search_var_lib($1)
 	rw_files_pattern($1, games_data_t, games_data_t)
 ')
+
+########################################
+## <summary>
+##	Manage games data files.
+##	games data.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`games_manage_data_files',`
+	gen_require(`
+		type games_data_t;
+	')
+
+	files_search_var_lib($1)
+	manage_files_pattern($1, games_data_t, games_data_t)
+')
Only in centos-7.1.1503/usr/share/selinux/devel/include/contrib: gdomap.if
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/contrib/gear.if centos-7.1.1503/usr/share/selinux/devel/include/contrib/gear.if
--- centos-7.0.1406/usr/share/selinux/devel/include/contrib/gear.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/contrib/gear.if	2015-03-06 06:53:47.000000000 +0100
@@ -187,6 +187,7 @@
 	')
 
 	systemd_exec_systemctl($1)
+	init_reload_services($1)
         systemd_read_fifo_file_passwd_run($1)
 	allow $1 gear_unit_file_t:file read_file_perms;
 	allow $1 gear_unit_file_t:service manage_service_perms;
Only in centos-7.1.1503/usr/share/selinux/devel/include/contrib: geoclue.if
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/contrib/glance.if centos-7.1.1503/usr/share/selinux/devel/include/contrib/glance.if
--- centos-7.0.1406/usr/share/selinux/devel/include/contrib/glance.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/contrib/glance.if	2015-03-06 06:53:47.000000000 +0100
@@ -19,10 +19,18 @@
 	type $1_t, glance_domain;
 	type $1_exec_t;
 
+    type $1_unit_file_t;
+    systemd_unit_file($1_unit_file_t)
+
 	kernel_read_system_state($1_t)
 
 	corenet_all_recvfrom_unlabeled($1_t)
 	corenet_all_recvfrom_netlabel($1_t)
+
+    logging_send_syslog_msg($1_t)
+
+    auth_use_nsswitch($1_t)
+
 ')
 
 ########################################
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/contrib/glusterd.if centos-7.1.1503/usr/share/selinux/devel/include/contrib/glusterd.if
--- centos-7.0.1406/usr/share/selinux/devel/include/contrib/glusterd.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/contrib/glusterd.if	2015-03-06 06:53:47.000000000 +0100
@@ -40,7 +40,6 @@
 	init_labeled_script_domtrans($1, glusterd_initrc_exec_t)
 ')
 
-
 ########################################
 ## <summary>
 ##	Read glusterd's log files.
@@ -80,6 +79,23 @@
 	append_files_pattern($1, glusterd_log_t, glusterd_log_t)
 ')
 
+#######################################
+## <summary>
+##  Transition content labels to glusterd named content
+## </summary>
+## <param name="domain">
+##  <summary>
+##      Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`glusterd_filetrans_named_pid',`
+    gen_require(`
+        type glusterd_var_run_t;
+    ')
+    files_pid_filetrans($1, glusterd_var_run_t , sock_file, "glusterd.socket")
+')
+
 ########################################
 ## <summary>
 ##	Manage glusterd log files
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/contrib/gnome.if centos-7.1.1503/usr/share/selinux/devel/include/contrib/gnome.if
--- centos-7.0.1406/usr/share/selinux/devel/include/contrib/gnome.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/contrib/gnome.if	2015-03-06 06:53:47.000000000 +0100
@@ -1,40 +1,24 @@
 ## <summary>GNU network object model environment (GNOME)</summary>
 
-###########################################################
+#######################################
 ## <summary>
-##  Role access for gnome
+##  Role access for gnome.  (Deprecated)
 ## </summary>
 ## <param name="role">
 ##  <summary>
-##  Role allowed access
+##  Role allowed access.
 ##  </summary>
 ## </param>
 ## <param name="domain">
 ##  <summary>
-##  User domain for the role
+##  User domain for the role.
 ##  </summary>
 ## </param>
 #
 interface(`gnome_role',`
-    gen_require(`
-        type gconfd_t, gconfd_exec_t;
-        type gconf_tmp_t;
+    refpolicywarn(`$0($*) has been deprecated')
     ')
 
-    role $1 types gconfd_t;
-
-    domain_auto_trans($2, gconfd_exec_t, gconfd_t)
-    allow gconfd_t $2:fd use;
-    allow gconfd_t $2:fifo_file write;
-    allow gconfd_t $2:unix_stream_socket connectto;
-
-    ps_process_pattern($2, gconfd_t)
-
-	#gnome_stream_connect_gconf_template($1, $2)
-	read_files_pattern($2, gconf_tmp_t, gconf_tmp_t)
-	allow $2 gconfd_t:unix_stream_socket connectto;
-')
-
 ######################################
 ## <summary>
 ##      The role template for the gnome-keyring-daemon.
@@ -56,59 +40,112 @@
 ## </param>
 #
 interface(`gnome_role_gkeyringd',`
-        gen_require(`
-                attribute gkeyringd_domain;
-                attribute gnomedomain;
-                type gnome_home_t;
-                type gkeyringd_exec_t, gkeyringd_tmp_t, gkeyringd_gnome_home_t;
+    refpolicywarn(`$0($*) has been deprecated')
+')
+
+######################################
+## <summary>
+##  The role template for gnome.
+## </summary>
+## <param name="role_prefix">
+##  <summary>
+##  The prefix of the user domain (e.g., user
+##  is the prefix for user_t).
+##  </summary>
+## </param>
+## <param name="user_role">
+##  <summary>
+##  The role associated with the user domain.
+##  </summary>
+## </param>
+## <param name="user_domain">
+##  <summary>
+##  The type of the user domain.
+##  </summary>
+## </param>
+#
+template(`gnome_role_template',`
+    gen_require(`
+		attribute gnomedomain, gkeyringd_domain, gnome_home_type;
+		attribute_role gconfd_roles;
+		type gkeyringd_exec_t, gkeyringd_tmp_t;
+		type gconfd_t, gconfd_exec_t, gconf_tmp_t;
 		class dbus send_msg;
-        ')
+	')
+
+	########################################
+	#
+	# Gconf declarations
+	#
+
+	roleattribute $2 gconfd_roles;
+
+	########################################
+	#
+	# Gkeyringd declarations
+	#
 
 	type $1_gkeyringd_t, gnomedomain, gkeyringd_domain;
-	typealias $1_gkeyringd_t alias gkeyringd_$1_t;
-	application_domain($1_gkeyringd_t, gkeyringd_exec_t)
-	ubac_constrained($1_gkeyringd_t)
+	userdom_user_application_domain($1_gkeyringd_t, gkeyringd_exec_t)
 	domain_user_exemption_target($1_gkeyringd_t)
 
-	userdom_home_manager($1_gkeyringd_t)
-
 	role $2 types $1_gkeyringd_t;
 
+	########################################
+	#
+	# Gconf policy
+	#
+
+	domtrans_pattern($3, gconfd_exec_t, gconfd_t)
+
+	allow $3 gconfd_t:process { signal_perms };
+	allow $3 gconfd_t:unix_stream_socket connectto;
+	ps_process_pattern($3, gconfd_t)
+
+
+	########################################
+	#
+	# Gkeyringd policy
+	#
+
 	domtrans_pattern($3, gkeyringd_exec_t, $1_gkeyringd_t)
 
-	allow $3 gkeyringd_gnome_home_t:dir { relabel_dir_perms manage_dir_perms };
-	allow $3 gkeyringd_gnome_home_t:file { relabel_file_perms manage_file_perms };
+	allow $3 { gnome_home_type gkeyringd_tmp_t gconf_tmp_t }:dir { relabel_dir_perms manage_dir_perms };
+	allow $3 { gnome_home_type gkeyringd_tmp_t gconf_tmp_t }:file { relabel_file_perms manage_file_perms };
+
+	userdom_home_manager($1_gkeyringd_t)
 
-	allow $3 gkeyringd_tmp_t:dir { relabel_dir_perms manage_dir_perms };
 	allow $3 gkeyringd_tmp_t:sock_file { relabel_sock_file_perms manage_sock_file_perms };
 
-	corecmd_bin_domtrans($1_gkeyringd_t, $1_t)
-	corecmd_shell_domtrans($1_gkeyringd_t, $1_t)
+	ps_process_pattern($3, $1_gkeyringd_t)
+	allow $3 $1_gkeyringd_t:process signal_perms;
+	dontaudit $3 gkeyringd_exec_t:file entrypoint;
+
 	allow $1_gkeyringd_t $3:process sigkill;
 	allow $3 $1_gkeyringd_t:fd use;
 	allow $3 $1_gkeyringd_t:fifo_file rw_fifo_file_perms;
-	dontaudit $1_gkeyringd_t $3:unix_stream_socket { getattr read write };
 
+	dontaudit $1_gkeyringd_t $3:unix_stream_socket { getattr read write };
+	stream_connect_pattern($3, gkeyringd_tmp_t, gkeyringd_tmp_t, $1_gkeyringd_t)
 
 	kernel_read_system_state($1_gkeyringd_t)
 
+	corecmd_bin_domtrans($1_gkeyringd_t, $3)
+	corecmd_shell_domtrans($1_gkeyringd_t, $3)
+
+	gnome_stream_connect_gkeyringd($3)
+
 	ps_process_pattern($1_gkeyringd_t, $3)
 
 	auth_use_nsswitch($1_gkeyringd_t)
 
 	logging_send_syslog_msg($1_gkeyringd_t)
 
-	ps_process_pattern($3, $1_gkeyringd_t)
-	allow $3 $1_gkeyringd_t:process signal_perms;
-	dontaudit $3 gkeyringd_exec_t:file entrypoint;
-
-	stream_connect_pattern($3, gkeyringd_tmp_t, gkeyringd_tmp_t, $1_gkeyringd_t)
-
 	allow $1_gkeyringd_t $3:dbus send_msg;
 	allow $3 $1_gkeyringd_t:dbus send_msg;
+
 	optional_policy(`
-	       	dbus_session_domain($1, gkeyringd_exec_t, $1_gkeyringd_t)
-		dbus_session_bus_client($1_gkeyringd_t)
+        dbus_session_domain($1, gkeyringd_exec_t, $1_gkeyringd_t)
 		gnome_manage_generic_home_dirs($1_gkeyringd_t)
 		gnome_read_generic_data_home_files($1_gkeyringd_t)
 		gnome_read_generic_data_home_dirs($1_gkeyringd_t)
@@ -1531,6 +1568,25 @@
 	userdom_search_user_home_dirs($1)
 ')
 
+########################################
+## <summary>
+##	Check whether sendmail executable
+##	files are executable.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`gnome_access_check_usr_config',`
+	gen_require(`
+		type config_usr_t;
+	')
+
+	allow $1 config_usr_t:dir_file_class_set audit_access;;
+')
+
 ######################################
 ## <summary>
 ##      Allow read kde config content
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/contrib/gpg.if centos-7.1.1503/usr/share/selinux/devel/include/contrib/gpg.if
--- centos-7.0.1406/usr/share/selinux/devel/include/contrib/gpg.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/contrib/gpg.if	2015-03-06 06:53:47.000000000 +0100
@@ -17,6 +17,7 @@
 #
 interface(`gpg_role',`
 	gen_require(`
+        attribute_role gpg_roles, gpg_agent_roles, gpg_helper_roles, gpg_pinentry_roles;
 		type gpg_t, gpg_exec_t;
 		type gpg_agent_t, gpg_agent_exec_t;
 		type gpg_agent_tmp_t;
@@ -24,7 +25,10 @@
 		type gpg_pinentry_tmp_t;
 	')
 
-	role $1 types { gpg_t gpg_agent_t gpg_helper_t gpg_pinentry_t };
+    roleattribute $1 gpg_roles;
+    roleattribute $1 gpg_agent_roles;
+    roleattribute $1 gpg_helper_roles;
+    roleattribute $1 gpg_pinentry_roles;
 
 	# transition from the userdomain to the derived domain
 	domtrans_pattern($2, gpg_exec_t, gpg_t)
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/contrib/gssproxy.if centos-7.1.1503/usr/share/selinux/devel/include/contrib/gssproxy.if
--- centos-7.0.1406/usr/share/selinux/devel/include/contrib/gssproxy.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/contrib/gssproxy.if	2015-03-06 06:53:47.000000000 +0100
@@ -132,6 +132,7 @@
 	')
 
 	systemd_exec_systemctl($1)
+	init_reload_services($1)
 	allow $1 gssproxy_unit_file_t:file read_file_perms;
 	allow $1 gssproxy_unit_file_t:service manage_service_perms;
 
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/contrib/hypervkvp.if centos-7.1.1503/usr/share/selinux/devel/include/contrib/hypervkvp.if
--- centos-7.0.1406/usr/share/selinux/devel/include/contrib/hypervkvp.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/contrib/hypervkvp.if	2015-03-06 06:53:47.000000000 +0100
@@ -96,6 +96,7 @@
     ')
 
     systemd_exec_systemctl($1)
+	init_reload_services($1)
     allow $1 hypervkvp_unit_file_t:file read_file_perms;
     allow $1 hypervkvp_unit_file_t:service manage_service_perms;
 
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/contrib/iodine.if centos-7.1.1503/usr/share/selinux/devel/include/contrib/iodine.if
--- centos-7.0.1406/usr/share/selinux/devel/include/contrib/iodine.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/contrib/iodine.if	2015-03-06 06:53:47.000000000 +0100
@@ -36,6 +36,7 @@
     ')
 
         systemd_exec_systemctl($1)
+	init_reload_services($1)
         systemd_read_fifo_file_passwd_run($1)
         allow $1 iodined_unit_file_t:file read_file_perms;
         allow $1 iodined_unit_file_t:service manage_service_perms;
Only in centos-7.1.1503/usr/share/selinux/devel/include/contrib: iotop.if
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/contrib/ipa.if centos-7.1.1503/usr/share/selinux/devel/include/contrib/ipa.if
--- centos-7.0.1406/usr/share/selinux/devel/include/contrib/ipa.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/contrib/ipa.if	2015-03-06 06:53:47.000000000 +0100
@@ -46,6 +46,24 @@
 ##	</summary>
 ## </param>
 #
+interface(`ipa_search_lib',`
+	gen_require(`
+		type ipa_var_lib_t;
+	')
+
+    search_dirs_pattern($1, ipa_var_lib_t, ipa_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Allow domain to manage ipa lib files/dirs.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
 interface(`ipa_manage_lib',`
 	gen_require(`
 		type ipa_var_lib_t;
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/contrib/iscsi.if centos-7.1.1503/usr/share/selinux/devel/include/contrib/iscsi.if
--- centos-7.0.1406/usr/share/selinux/devel/include/contrib/iscsi.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/contrib/iscsi.if	2015-03-06 06:53:47.000000000 +0100
@@ -117,6 +117,29 @@
     files_lock_filetrans($1, iscsi_lock_t, dir, "iscsi")
 ')
 
+########################################
+## <summary>
+##     Execute iscsi server in the iscsi domain.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed to transition.
+##     </summary>
+## </param>
+#
+interface(`iscsi_systemctl',`
+       gen_require(`
+               type iscsid_t;
+               type iscsi_unit_file_t;
+       ')
+
+       systemd_exec_systemctl($1)
+	init_reload_services($1)
+       allow $1 iscsi_unit_file_t:file read_file_perms;
+       allow $1 iscsi_unit_file_t:service manage_service_perms;
+
+       ps_process_pattern($1, iscsid_t)
+')
 
 ########################################
 ## <summary>
@@ -141,6 +164,7 @@
 	ps_process_pattern($1, iscsid_t)
 
 	systemd_exec_systemctl($1)
+	init_reload_services($1)
 	allow $1 iscsi_unit_file_t:file manage_file_perms;
 	allow $1 iscsi_unit_file_t:service manage_service_perms;
 
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/contrib/jabber.if centos-7.1.1503/usr/share/selinux/devel/include/contrib/jabber.if
--- centos-7.0.1406/usr/share/selinux/devel/include/contrib/jabber.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/contrib/jabber.if	2015-03-06 06:53:47.000000000 +0100
@@ -163,6 +163,15 @@
 	role_transition $2 jabberd_initrc_exec_t system_r;
 	allow $2 system_r;
 
-	files_list_var_lib($1)
+	files_search_locks($1)
+	admin_pattern($1, jabberd_lock_t)
+
+	logging_search_logs($1)
+	admin_pattern($1, jabberd_log_t)
+
+	files_search_spool($1)
+	admin_pattern($1, jabberd_spool_t)
+
+	files_search_var_lib($1)
 	admin_pattern($1, jabberd_var_lib_t)
 ')
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/contrib/journalctl.if centos-7.1.1503/usr/share/selinux/devel/include/contrib/journalctl.if
--- centos-7.0.1406/usr/share/selinux/devel/include/contrib/journalctl.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/contrib/journalctl.if	2015-03-06 06:53:47.000000000 +0100
@@ -20,6 +20,25 @@
 	domtrans_pattern($1, journalctl_exec_t, journalctl_t)
 ')
 
+######################################
+## <summary>
+##	Execute journalctl in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`journalctl_exec',`
+	gen_require(`
+		type journalctl_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	can_exec($1, journalctl_exec_t)
+')
+
 ########################################
 ## <summary>
 ##	Execute journalctl in the journalctl domain, and
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/contrib/kdump.if centos-7.1.1503/usr/share/selinux/devel/include/contrib/kdump.if
--- centos-7.0.1406/usr/share/selinux/devel/include/contrib/kdump.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/contrib/kdump.if	2015-03-06 06:53:47.000000000 +0100
@@ -74,6 +74,7 @@
 	')
 
 	systemd_exec_systemctl($1)
+	init_reload_services($1)
 	systemd_search_unit_dirs($1)
 	allow $1 kdump_unit_file_t:file read_file_perms;
 	allow $1 kdump_unit_file_t:service all_service_perms;
@@ -197,6 +198,25 @@
 ')
 
 ###################################
+## <summary>
+##      Read/write inherited kdump /var/tmp named pipes.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`kdump_rw_inherited_kdumpctl_tmp_pipes',`
+        gen_require(`
+                type kdumpctl_tmp_t;
+        ')
+
+    files_search_tmp($1)
+    allow $1 kdumpctl_tmp_t:fifo_file rw_inherited_fifo_file_perms;
+')
+
+###################################
 ## <summary>
 ##      Manage kdump /var/tmp files.
 ## </summary>
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/contrib/keepalived.if centos-7.1.1503/usr/share/selinux/devel/include/contrib/keepalived.if
--- centos-7.0.1406/usr/share/selinux/devel/include/contrib/keepalived.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/contrib/keepalived.if	2015-03-06 06:53:47.000000000 +0100
@@ -36,6 +36,7 @@
 	')
 
 	systemd_exec_systemctl($1)
+	init_reload_services($1)
     systemd_read_fifo_file_passwd_run($1)
 	allow $1 keepalived_unit_file_t:file read_file_perms;
 	allow $1 keepalived_unit_file_t:service manage_service_perms;
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/contrib/kerberos.if centos-7.1.1503/usr/share/selinux/devel/include/contrib/kerberos.if
--- centos-7.0.1406/usr/share/selinux/devel/include/contrib/kerberos.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/contrib/kerberos.if	2015-03-06 06:53:47.000000000 +0100
@@ -255,22 +255,7 @@
 ## </param>
 #
 template(`kerberos_keytab_template',`
-    gen_require(`
-        attribute kerberos_keytab_domain;
-    ')
-
-    typeattribute $2 kerberos_keytab_domain;
-
-	type $1_keytab_t;
-	files_type($1_keytab_t)
-
-	allow $2 self:process setfscreate;
- 	allow $2 $1_keytab_t:file read_file_perms;
-
-	seutil_read_file_contexts($2)
-	seutil_read_config($2)
-	selinux_get_enforce_mode($2)
-
+	refpolicywarn(`$0($*) has been deprecated.')
 	kerberos_read_keytab($2)
 	kerberos_use($2)
 ')
@@ -286,12 +271,13 @@
 ## </param>
 ## <rolecap/>
 #
-interface(`kerberos_keytab_domains',`
-    gen_require(`
-        attribute kerberos_keytab_domain;
-    ')
+interface(`kerberos_read_kdc_config',`
+	gen_require(`
+		type krb5kdc_conf_t;
+	')
 
-    typeattribute $1 kerberos_keytab_domain;
+	files_search_etc($1)
+	read_files_pattern($1, krb5kdc_conf_t, krb5kdc_conf_t)
 ')
 
 ########################################
@@ -303,15 +289,12 @@
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <rolecap/>
 #
-interface(`kerberos_read_kdc_config',`
+interface(`kerberos_read_host_rcache',`
 	gen_require(`
-		type krb5kdc_conf_t;
+		type krb5_host_rcache_t;
 	')
-
-	files_search_etc($1)
-	read_files_pattern($1, krb5kdc_conf_t, krb5kdc_conf_t)
+    read_files_pattern($1, krb5_host_rcache_t, krb5_host_rcache_t)
 ')
 
 ########################################
@@ -442,6 +425,31 @@
 
 ########################################
 ## <summary>
+##	Type transition files created in /tmp
+##	to the kadmind_tmp type.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="name" optional="true">
+##	<summary>
+##	The name of the object being created.
+##	</summary>
+## </param>
+#
+interface(`kerberos_tmp_filetrans_kadmin',`
+	gen_require(`
+		type kadmind_tmp_t;
+	')
+
+	manage_files_pattern($1, kadmind_tmp_t, kadmind_tmp_t)
+	files_tmp_filetrans($1, kadmind_tmp_t, file, $2)
+')
+
+########################################
+## <summary>
 ##	read kerberos homedir content (.k5login)
 ## </summary>
 ## <param name="domain">
@@ -476,6 +484,7 @@
 	')
 
 	userdom_admin_home_dir_filetrans($1, krb5_home_t, file, ".k5login")
+	userdom_admin_home_dir_filetrans($1, krb5_home_t, file, ".k5users")
 ')
 
 ########################################
@@ -494,6 +503,7 @@
 	')
 
 	userdom_user_home_dir_filetrans($1, krb5_home_t, file, ".k5login")
+	userdom_user_home_dir_filetrans($1, krb5_home_t, file, ".k5users")
 ')
 
 ########################################
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/contrib/keystone.if centos-7.1.1503/usr/share/selinux/devel/include/contrib/keystone.if
--- centos-7.0.1406/usr/share/selinux/devel/include/contrib/keystone.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/contrib/keystone.if	2015-03-06 06:53:47.000000000 +0100
@@ -172,6 +172,7 @@
 	')
 
 	systemd_exec_systemctl($1)
+	init_reload_services($1)
 	systemd_read_fifo_file_passwd_run($1)
 	allow $1 keystone_unit_file_t:file read_file_perms;
 	allow $1 keystone_unit_file_t:service manage_service_perms;
Only in centos-7.1.1503/usr/share/selinux/devel/include/contrib: kmscon.if
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/contrib/ksmtuned.if centos-7.1.1503/usr/share/selinux/devel/include/contrib/ksmtuned.if
--- centos-7.0.1406/usr/share/selinux/devel/include/contrib/ksmtuned.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/contrib/ksmtuned.if	2015-03-06 06:53:47.000000000 +0100
@@ -55,6 +55,7 @@
     ')
 
     systemd_exec_systemctl($1)
+	init_reload_services($1)
     allow $1 ksmtuned_unit_file_t:file read_file_perms;
     allow $1 ksmtuned_unit_file_t:service manage_service_perms;
 
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/contrib/ktalk.if centos-7.1.1503/usr/share/selinux/devel/include/contrib/ktalk.if
--- centos-7.0.1406/usr/share/selinux/devel/include/contrib/ktalk.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/contrib/ktalk.if	2015-03-06 06:53:47.000000000 +0100
@@ -36,6 +36,7 @@
 	')
 
 	systemd_exec_systemctl($1)
+	init_reload_services($1)
     systemd_read_fifo_file_passwd_run($1)
 	allow $1 ktalkd_unit_file_t:file read_file_perms;
 	allow $1 ktalkd_unit_file_t:service manage_service_perms;
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/contrib/ldap.if centos-7.1.1503/usr/share/selinux/devel/include/contrib/ldap.if
--- centos-7.0.1406/usr/share/selinux/devel/include/contrib/ldap.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/contrib/ldap.if	2015-03-06 06:53:47.000000000 +0100
@@ -53,6 +53,7 @@
 	')
 
 	systemd_exec_systemctl($1)
+	init_reload_services($1)
 	allow $1 slapd_unit_file_t:file read_file_perms;
 	allow $1 slapd_unit_file_t:service manage_service_perms;
 
@@ -193,7 +194,8 @@
 	gen_require(`
 		type slapd_t, slapd_tmp_t, slapd_replog_t;
 		type slapd_lock_t, slapd_etc_t, slapd_var_run_t;
-		type slapd_initrc_exec_t;
+		type slapd_initrc_exec_t, slapd_log_t, slapd_cert_t;
+		type slapd_db_t, slapd_keytab_t;
 		type slapd_unit_file_t;
 	')
 
@@ -210,7 +212,7 @@
 	allow $2 system_r;
 
 	files_list_etc($1)
-	admin_pattern($1, slapd_etc_t)
+	admin_pattern($1, { slapd_etc_t slapd_db_t slapd_cert_t slapd_keytab_t })
 
 	admin_pattern($1, slapd_lock_t)
 
Only in centos-7.1.1503/usr/share/selinux/devel/include/contrib: linuxptp.if
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/contrib/livecd.if centos-7.1.1503/usr/share/selinux/devel/include/contrib/livecd.if
--- centos-7.0.1406/usr/share/selinux/devel/include/contrib/livecd.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/contrib/livecd.if	2015-03-06 06:53:47.000000000 +0100
@@ -46,6 +46,10 @@
 	livecd_domtrans($1)
 	roleattribute $2 livecd_roles;
 	role_transition $2 livecd_exec_t system_r;
+
+	optional_policy(`
+		rpm_transition_script(livecd_t, $2)
+	')
 ')
 
 ########################################
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/contrib/lsm.if centos-7.1.1503/usr/share/selinux/devel/include/contrib/lsm.if
--- centos-7.0.1406/usr/share/selinux/devel/include/contrib/lsm.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/contrib/lsm.if	2015-03-06 06:53:47.000000000 +0100
@@ -55,6 +55,7 @@
 	')
 
 	systemd_exec_systemctl($1)
+	init_reload_services($1)
     systemd_read_fifo_file_passwd_run($1)
 	allow $1 lsmd_unit_file_t:file read_file_perms;
 	allow $1 lsmd_unit_file_t:service manage_service_perms;
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/contrib/man2html.if centos-7.1.1503/usr/share/selinux/devel/include/contrib/man2html.if
--- centos-7.0.1406/usr/share/selinux/devel/include/contrib/man2html.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/contrib/man2html.if	2015-03-06 06:53:47.000000000 +0100
@@ -2,7 +2,7 @@
 
 ########################################
 ## <summary>
-##	Transition to httpd_man2html_script.
+##	Transition to man2html_script.
 ## </summary>
 ## <param name="domain">
 ## <summary>
@@ -10,18 +10,18 @@
 ## </summary>
 ## </param>
 #
-interface(`httpd_man2html_script_domtrans',`
+interface(`man2html_script_domtrans',`
 	gen_require(`
-		type httpd_man2html_script_t, httpd_man2html_script_exec_t;
+		type man2html_script_t, man2html_script_exec_t;
 	')
 
 	corecmd_search_bin($1)
-	domtrans_pattern($1, httpd_man2html_script_exec_t, httpd_man2html_script_t)
+	domtrans_pattern($1, man2html_script_exec_t, man2html_script_t)
 ')
 
 ########################################
 ## <summary>
-##	Search httpd_man2html_script cache directories.
+##	Search man2html_script content directories.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -29,18 +29,19 @@
 ##	</summary>
 ## </param>
 #
-interface(`httpd_man2html_script_search_cache',`
+interface(`man2html_search_content',`
 	gen_require(`
-		type httpd_man2html_script_cache_t;
+		type man2html_content_t;
+		type man2html_rw_content_t;
 	')
 
-	allow $1 httpd_man2html_script_cache_t:dir search_dir_perms;
+	allow $1 { man2html_rw_content_t man2html_content_t }:dir search_dir_perms;
 	files_search_var($1)
 ')
 
 ########################################
 ## <summary>
-##	Read httpd_man2html_script cache files.
+##	Read man2html cache files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -48,19 +49,22 @@
 ##	</summary>
 ## </param>
 #
-interface(`httpd_man2html_script_read_cache_files',`
+interface(`man2html_read_content_files',`
 	gen_require(`
-		type httpd_man2html_script_cache_t;
+		type man2html_content_t;
+		type man2html_rw_content_t;
 	')
 
 	files_search_var($1)
-	read_files_pattern($1, httpd_man2html_script_cache_t, httpd_man2html_script_cache_t)
+	allow $1 { man2html_rw_content_t man2html_content_t }:dir search_dir_perms;
+	read_files_pattern($1, man2html_rw_content_t, man2html_rw_content_t)
+	read_files_pattern($1, man2html_content_t, man2html_content_t)
 ')
 
 ########################################
 ## <summary>
 ##	Create, read, write, and delete
-##	httpd_man2html_script cache files.
+##	man2html content files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -68,18 +72,21 @@
 ##	</summary>
 ## </param>
 #
-interface(`httpd_man2html_script_manage_cache_files',`
+interface(`man2html_manage_content_files',`
 	gen_require(`
-		type httpd_man2html_script_cache_t;
+		type man2html_content_t;
+		type man2html_rw_content_t;
 	')
 
 	files_search_var($1)
-	manage_files_pattern($1, httpd_man2html_script_cache_t, httpd_man2html_script_cache_t)
+	manage_files_pattern($1, man2html_rw_content_t, man2html_rw_content_t)
+	manage_files_pattern($1, man2html_content_t, man2html_content_t)
 ')
 
 ########################################
 ## <summary>
-##	Manage httpd_man2html_script cache dirs.
+##	Create, read, write, and delete
+##	man2html content dirs.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -87,20 +94,21 @@
 ##	</summary>
 ## </param>
 #
-interface(`httpd_man2html_script_manage_cache_dirs',`
+interface(`man2html_manage_content_dirs',`
 	gen_require(`
-		type httpd_man2html_script_cache_t;
+		type man2html_content_t;
+		type man2html_rw_content_t;
 	')
 
 	files_search_var($1)
-	manage_dirs_pattern($1, httpd_man2html_script_cache_t, httpd_man2html_script_cache_t)
+	manage_dirs_pattern($1, man2html_rw_content_t, man2html_rw_content_t)
+	manage_dirs_pattern($1, man2html_content_t, man2html_content_t)
 ')
 
-
 ########################################
 ## <summary>
 ##	All of the rules required to administrate
-##	an httpd_man2html_script environment
+##	an man2html environment
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -108,17 +116,19 @@
 ##	</summary>
 ## </param>
 #
-interface(`httpd_man2html_script_admin',`
+interface(`man2html_admin',`
 	gen_require(`
-		type httpd_man2html_script_t;
-		type httpd_man2html_script_cache_t;
+		type man2html_script_t;
+		type man2html_rw_content_t;
+		type man2html_content_t;
 	')
 
-	allow $1 httpd_man2html_script_t:process { ptrace signal_perms };
-	ps_process_pattern($1, httpd_man2html_script_t)
+	allow $1 man2html_script_t:process { ptrace signal_perms };
+	ps_process_pattern($1, man2html_script_t)
 
 	files_search_var($1)
-	admin_pattern($1, httpd_man2html_script_cache_t)
+	admin_pattern($1, man2html_content_t)
+	admin_pattern($1, man2html_rw_content_t)
 
 	optional_policy(`
 		systemd_passwd_agent_exec($1)
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/contrib/mediawiki.if centos-7.1.1503/usr/share/selinux/devel/include/contrib/mediawiki.if
--- centos-7.0.1406/usr/share/selinux/devel/include/contrib/mediawiki.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/contrib/mediawiki.if	2015-03-06 06:53:47.000000000 +0100
@@ -13,12 +13,12 @@
 #
 interface(`mediawiki_read_tmp_files',`
         gen_require(`
-                type httpd_mediawiki_tmp_t;
+                type mediawiki_tmp_t;
         ')
 
         files_search_tmp($1)
-        read_files_pattern($1, httpd_mediawiki_tmp_t, httpd_mediawiki_tmp_t)
-	read_lnk_files_pattern($1, httpd_mediawiki_tmp_t, httpd_mediawiki_tmp_t)
+        read_files_pattern($1, mediawiki_tmp_t, mediawiki_tmp_t)
+	read_lnk_files_pattern($1, mediawiki_tmp_t, mediawiki_tmp_t)
 ')
 
 #######################################
@@ -33,8 +33,8 @@
 #
 interface(`mediawiki_delete_tmp_files',`
         gen_require(`
-                type httpd_mediawiki_tmp_t;
+                type mediawiki_tmp_t;
         ')
 
-        delete_files_pattern($1, httpd_mediawiki_tmp_t, httpd_mediawiki_tmp_t)
+        delete_files_pattern($1, mediawiki_tmp_t, mediawiki_tmp_t)
 ')
Only in centos-7.1.1503/usr/share/selinux/devel/include/contrib: minidlna.if
Only in centos-7.1.1503/usr/share/selinux/devel/include/contrib: minissdpd.if
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/contrib/mip6d.if centos-7.1.1503/usr/share/selinux/devel/include/contrib/mip6d.if
--- centos-7.0.1406/usr/share/selinux/devel/include/contrib/mip6d.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/contrib/mip6d.if	2015-03-06 06:53:47.000000000 +0100
@@ -36,6 +36,7 @@
 	')
 
 	systemd_exec_systemctl($1)
+	init_reload_services($1)
     systemd_read_fifo_file_passwd_run($1)
 	allow $1 mip6d_unit_file_t:file read_file_perms;
 	allow $1 mip6d_unit_file_t:service manage_service_perms;
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/contrib/mirrormanager.if centos-7.1.1503/usr/share/selinux/devel/include/contrib/mirrormanager.if
--- centos-7.0.1406/usr/share/selinux/devel/include/contrib/mirrormanager.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/contrib/mirrormanager.if	2015-03-06 06:53:47.000000000 +0100
@@ -197,6 +197,25 @@
 
 ########################################
 ## <summary>
+##     Manage mirrormanager PID sock files.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`mirrormanager_manage_pid_sock_files',`
+       gen_require(`
+               type mirrormanager_var_run_t;
+       ')
+
+       files_search_pids($1)
+       manage_sock_files_pattern($1, mirrormanager_var_run_t, mirrormanager_var_run_t)
+')
+
+########################################
+## <summary>
 ##	All of the rules required to administrate
 ##	an mirrormanager environment
 ## </summary>
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/contrib/mock.if centos-7.1.1503/usr/share/selinux/devel/include/contrib/mock.if
--- centos-7.0.1406/usr/share/selinux/devel/include/contrib/mock.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/contrib/mock.if	2015-03-06 06:53:47.000000000 +0100
@@ -53,6 +53,7 @@
 	')
 
 	files_search_var_lib($1)
+    list_dirs_pattern($1, mock_var_lib_t, mock_var_lib_t)
 	read_files_pattern($1, mock_var_lib_t, mock_var_lib_t)
 ')
 
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/contrib/modemmanager.if centos-7.1.1503/usr/share/selinux/devel/include/contrib/modemmanager.if
--- centos-7.0.1406/usr/share/selinux/devel/include/contrib/modemmanager.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/contrib/modemmanager.if	2015-03-06 06:53:47.000000000 +0100
@@ -36,6 +36,7 @@
 	')
 
 	systemd_exec_systemctl($1)
+	init_reload_services($1)
     systemd_read_fifo_file_passwd_run($1)
 	allow $1 modemmanager_unit_file_t:file read_file_perms;
 	allow $1 modemmanager_unit_file_t:service manage_service_perms;
Only in centos-7.1.1503/usr/share/selinux/devel/include/contrib: mon_statd.if
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/contrib/motion.if centos-7.1.1503/usr/share/selinux/devel/include/contrib/motion.if
--- centos-7.0.1406/usr/share/selinux/devel/include/contrib/motion.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/contrib/motion.if	2015-03-06 06:53:47.000000000 +0100
@@ -134,6 +134,7 @@
 	')
 
 	systemd_exec_systemctl($1)
+	init_reload_services($1)
     systemd_read_fifo_file_passwd_run($1)
 	allow $1 motion_unit_file_t:file read_file_perms;
 	allow $1 motion_unit_file_t:service manage_service_perms;
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/contrib/mozilla.if centos-7.1.1503/usr/share/selinux/devel/include/contrib/mozilla.if
--- centos-7.0.1406/usr/share/selinux/devel/include/contrib/mozilla.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/contrib/mozilla.if	2015-03-06 06:53:47.000000000 +0100
@@ -256,7 +256,8 @@
 	allow $1 mozilla_plugin_t:shm rw_shm_perms;
 
 	ps_process_pattern($1, mozilla_plugin_t)
-	allow $1 mozilla_plugin_t:process signal_perms;
+	ps_process_pattern(mozilla_plugin_t, $1)
+	allow $1 mozilla_plugin_t:process { signal_perms noatsecure };
 
 	list_dirs_pattern($1, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
 	read_files_pattern($1, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
@@ -489,6 +490,24 @@
     dontaudit $1 mozilla_plugin_tmp_t:file { read write };
 ')
 
+#######################################
+## <summary>
+##  Allow read/write to a mozilla_plugin tmp files.
+## </summary>
+## <param name="domain">
+##  <summary>
+##	Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`mozilla_plugin_rw_tmp_files',`
+    gen_require(`
+        type mozilla_plugin_tmp_t;
+    ')
+
+    dontaudit $1 mozilla_plugin_tmp_t:file { read write };
+')
+
 ########################################
 ## <summary>
 ##	Create, read, write, and delete
@@ -541,9 +560,10 @@
 interface(`mozilla_filetrans_home_content',`
 
 	gen_require(`
-		type mozilla_home_t;
+		type mozilla_home_t, mozilla_plugin_rw_t;
 	')
 
+	files_filetrans_lib($1, mozilla_plugin_rw_t, file, "nswrapper_32_64.nppdf.so")
 	userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".galeon")
 	userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".java")
 	userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".mozilla")
@@ -573,3 +593,22 @@
 	')
 ')
 
+########################################
+## <summary>
+##	Allow the domain to read mozilla_plugin state files in /proc.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mozilla_plugin_read_state',`
+	gen_require(`
+		type mozilla_plugin_t;
+	')
+
+	kernel_search_proc($1)
+	ps_process_pattern($1, mozilla_plugin_t)
+')
+
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/contrib/mta.if centos-7.1.1503/usr/share/selinux/devel/include/contrib/mta.if
--- centos-7.0.1406/usr/share/selinux/devel/include/contrib/mta.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/contrib/mta.if	2015-03-06 06:53:47.000000000 +0100
@@ -392,6 +392,24 @@
 
 ########################################
 ## <summary>
+##	Allow role to access system_mail_t.
+## </summary>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+#
+interface(`mta_role_access_system_mail',`
+	gen_require(`
+		type system_mail_t;
+	')
+
+	role $1 types system_mail_t;
+')
+
+########################################
+## <summary>
 ##	Send all user mail client a signal
 ## </summary>
 ## <param name="domain">
@@ -1078,6 +1096,29 @@
 
 ######################################
 ## <summary>
+##	ALlow domain to append mail content in the homedir
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mta_append_home',`
+	gen_require(`
+		type mail_home_t;
+	')
+
+	userdom_search_user_home_dirs($1)
+	append_files_pattern($1, mail_home_t, mail_home_t)
+
+	ifdef(`distro_redhat',`
+		userdom_search_admin_dir($1)
+	')
+')
+
+######################################
+## <summary>
 ##	ALlow domain to read mail content in the homedir
 ## </summary>
 ## <param name="domain">
@@ -1174,6 +1215,7 @@
 	userdom_admin_home_dir_filetrans($1, mail_home_rw_t, dir, "Maildir")
 	userdom_admin_home_dir_filetrans($1, mail_home_rw_t, dir, ".maildir")
 	userdom_admin_home_dir_filetrans($1, mail_home_rw_t, file, ".esmtp_queue")
+	userdom_admin_home_dir_filetrans($1, mail_home_rw_t, dir, ".esmtp_queue")
 ')
 
 ########################################
@@ -1198,6 +1240,7 @@
 	userdom_user_home_dir_filetrans($1, mail_home_rw_t, dir, "Maildir")
 	userdom_user_home_dir_filetrans($1, mail_home_rw_t, dir, ".maildir")
 	userdom_user_home_dir_filetrans($1, mail_home_rw_t, file, ".esmtp_queue")
+	userdom_user_home_dir_filetrans($1, mail_home_rw_t, dir, ".esmtp_queue")
 ')
 
 ########################################
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/contrib/munin.if centos-7.1.1503/usr/share/selinux/devel/include/contrib/munin.if
--- centos-7.0.1406/usr/share/selinux/devel/include/contrib/munin.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/contrib/munin.if	2015-03-06 06:53:47.000000000 +0100
@@ -110,6 +110,26 @@
 
 ')
 
+#######################################
+## <summary>
+##	Append munin library files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`munin_append_var_lib_files',`
+	gen_require(`
+		type munin_var_lib_t;
+	')
+
+	files_search_var_lib($1)	
+	append_files_pattern($1, munin_var_lib_t, munin_var_lib_t)
+
+')
+
 ######################################
 ## <summary>
 ##	dontaudit read and write an leaked file descriptors
@@ -209,7 +229,7 @@
 		attribute munin_plugin_domain, munin_plugin_tmp_content;
 		type munin_t, munin_etc_t, munin_tmp_t;
 		type munin_log_t, munin_var_lib_t, munin_var_run_t;
-		type httpd_munin_content_t, munin_plugin_state_t, munin_initrc_exec_t;
+		type munin_content_t, munin_plugin_state_t, munin_initrc_exec_t;
 	')
 
 	allow $1 munin_t:process signal_perms;
@@ -239,5 +259,5 @@
 	files_list_pids($1)
 	admin_pattern($1, munin_var_run_t)
 
-	admin_pattern($1, httpd_munin_content_t)
+	admin_pattern($1, munin_content_t)
 ')
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/contrib/mysql.if centos-7.1.1503/usr/share/selinux/devel/include/contrib/mysql.if
--- centos-7.0.1406/usr/share/selinux/devel/include/contrib/mysql.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/contrib/mysql.if	2015-03-06 06:53:47.000000000 +0100
@@ -233,6 +233,24 @@
 	files_search_var_lib($1)
 	append_files_pattern($1, mysqld_db_t, mysqld_db_t)
 ')
+#######################################
+## <summary>
+##	Read and write to the MySQL database directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mysql_read_db_lnk_files',`
+	gen_require(`
+		type mysqld_db_t;
+	')
+
+	files_search_var_lib($1)
+    read_lnk_files_pattern($1, mysqld_db_t, mysqld_db_t)
+')
 
 #######################################
 ## <summary>
@@ -403,6 +421,7 @@
 	')
 
 	systemd_exec_systemctl($1)
+	init_reload_services($1)
 	allow $1 mysqld_unit_file_t:file read_file_perms;
 	allow $1 mysqld_unit_file_t:service manage_service_perms;
 
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/contrib/mythtv.if centos-7.1.1503/usr/share/selinux/devel/include/contrib/mythtv.if
--- centos-7.0.1406/usr/share/selinux/devel/include/contrib/mythtv.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/contrib/mythtv.if	2015-03-06 06:53:47.000000000 +0100
@@ -1,9 +1,9 @@
 
-## <summary>policy for httpd_mythtv_script</summary>
+## <summary>policy for mythtv_script</summary>
 
 ########################################
 ## <summary>
-##	Execute TEMPLATE in the httpd_mythtv_script domin.
+##	Execute TEMPLATE in the mythtv_script domin.
 ## </summary>
 ## <param name="domain">
 ## <summary>
@@ -11,13 +11,13 @@
 ## </summary>
 ## </param>
 #
-interface(`httpd_mythtv_script_domtrans',`
+interface(`mythtv_script_domtrans',`
 	gen_require(`
-		type httpd_mythtv_script_t, httpd_mythtv_script_exec_t;
+		type mythtv_script_t, mythtv_script_exec_t;
 	')
 
 	corecmd_search_bin($1)
-	domtrans_pattern($1, httpd_mythtv_script_exec_t, httpd_mythtv_script_t)
+	domtrans_pattern($1, mythtv_script_exec_t, mythtv_script_t)
 ')
 
 #######################################
@@ -133,15 +133,15 @@
 #
 interface(`mythtv_admin',`
 	gen_require(`
-		type httpd_mythtv_script_t, mythtv_var_lib_t;
+		type mythtv_script_t, mythtv_var_lib_t;
 		type mythtv_var_log_t;
 	')
 
-	allow $1 httpd_mythtv_script_t:process signal_perms;
-	ps_process_pattern($1, httpd_mythtv_script_t)
+	allow $1 mythtv_script_t:process signal_perms;
+	ps_process_pattern($1, mythtv_script_t)
 
 	tunable_policy(`deny_ptrace',`',`
-		allow $1 httpd_mythtv_script_t:process ptrace;
+		allow $1 mythtv_script_t:process ptrace;
 	')
 
 	logging_list_logs($1)
Only in centos-7.1.1503/usr/share/selinux/devel/include/contrib: naemon.if
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/contrib/nagios.if centos-7.1.1503/usr/share/selinux/devel/include/contrib/nagios.if
--- centos-7.0.1406/usr/share/selinux/devel/include/contrib/nagios.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/contrib/nagios.if	2015-03-06 06:53:47.000000000 +0100
@@ -131,6 +131,25 @@
 
 ########################################
 ## <summary>
+##	Append nagios spool files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`nagios_append_spool',`
+	gen_require(`
+		type nagios_spool_t;
+	')
+
+	allow $1 nagios_spool_t:file append_file_perms;
+	files_search_spool($1)
+')
+
+########################################
+## <summary>
 ##	Allow the specified domain to read
 ##	nagios temporary files.
 ## </summary>
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/contrib/networkmanager.if centos-7.1.1503/usr/share/selinux/devel/include/contrib/networkmanager.if
--- centos-7.0.1406/usr/share/selinux/devel/include/contrib/networkmanager.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/contrib/networkmanager.if	2015-03-06 06:53:47.000000000 +0100
@@ -131,6 +131,7 @@
 	')
 
 	systemd_exec_systemctl($1)
+	init_reload_services($1)
 	allow $1 NetworkManager_unit_file_t:file read_file_perms;
 	allow $1 NetworkManager_unit_file_t:service manage_service_perms;
 
@@ -158,6 +159,26 @@
 	allow NetworkManager_t $1:dbus send_msg;
 ')
 
+#######################################
+## <summary>
+##	Read metworkmanager process state files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`networkmanager_read_state',`
+	gen_require(`
+		type NetworkManager_t;
+	')
+
+	allow $1 NetworkManager_t:dir search_dir_perms;
+	allow $1 NetworkManager_t:file read_file_perms;
+	allow $1 NetworkManager_t:lnk_file read_lnk_file_perms;
+')
+
 ########################################
 ## <summary>
 ##	Do not audit attempts to send and
@@ -200,7 +221,27 @@
 
 ########################################
 ## <summary>
-##	Read NetworkManager lib files.
+##	Create, read, and write
+##	networkmanager library files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`networkmanager_manage_lib_files',`
+	gen_require(`
+		type NetworkManager_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	manage_files_pattern($1, NetworkManager_var_lib_t, NetworkManager_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Read networkmanager lib files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -277,6 +318,45 @@
 
 ########################################
 ## <summary>
+##	Manage NetworkManager PID sock files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`networkmanager_manage_pid_sock_files',`
+	gen_require(`
+		type NetworkManager_var_run_t;
+	')
+
+	files_search_pids($1)
+	manage_sock_files_pattern($1, NetworkManager_var_run_t, NetworkManager_var_run_t)
+')
+
+####################################
+## <summary>
+##  Connect to networkmanager over
+##	a unix domain stream socket.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`networkmanager_stream_connect',`
+	gen_require(`
+		type NetworkManager_t, NetworkManager_var_run_t;
+	')
+
+	files_search_pids($1)
+	stream_connect_pattern($1, NetworkManager_var_run_t, NetworkManager_var_run_t, NetworkManager_t)
+')
+
+########################################
+## <summary>
 ##	Delete NetworkManager PID files.
 ## </summary>
 ## <param name="domain">
@@ -360,26 +440,6 @@
     manage_files_pattern($1, NetworkManager_var_lib_t, NetworkManager_var_lib_t)
 ')
 
-####################################
-## <summary>
-##  Connect to NM over a unix domain
-##  stream socket.
-## </summary>
-## <param name="domain">
-##  <summary>
-##  Domain allowed access.
-##  </summary>
-## </param>
-#
-interface(`networkmanager_stream_connect',`
-    gen_require(`
-        type NetworkManager_t, NetworkManager_var_run_t;
-    ')
-
-    files_search_pids($1)
-    stream_connect_pattern($1, NetworkManager_var_run_t, NetworkManager_var_run_t, NetworkManager_t)
-')
-
 #######################################
 ## <summary>
 ##      Read the process state (/proc/pid) of NetworkManager.
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/contrib/ninfod.if centos-7.1.1503/usr/share/selinux/devel/include/contrib/ninfod.if
--- centos-7.0.1406/usr/share/selinux/devel/include/contrib/ninfod.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/contrib/ninfod.if	2015-03-06 06:53:47.000000000 +0100
@@ -36,6 +36,7 @@
 	')
 
 	systemd_exec_systemctl($1)
+	init_reload_services($1)
     systemd_read_fifo_file_passwd_run($1)
 	allow $1 ninfod_unit_file_t:file read_file_perms;
 	allow $1 ninfod_unit_file_t:service manage_service_perms;
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/contrib/nis.if centos-7.1.1503/usr/share/selinux/devel/include/contrib/nis.if
--- centos-7.0.1406/usr/share/selinux/devel/include/contrib/nis.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/contrib/nis.if	2015-03-06 06:53:47.000000000 +0100
@@ -364,6 +364,7 @@
 	')
 
 	systemd_exec_systemctl($1)
+	init_reload_services($1)
 	allow $1 ypbind_unit_file_t:file read_file_perms;
 	allow $1 ypbind_unit_file_t:service manage_service_perms;
 
@@ -387,6 +388,7 @@
 	')
 
 	systemd_exec_systemctl($1)
+	init_reload_services($1)
 	allow $1 nis_unit_file_t:file read_file_perms;
 	allow $1 nis_unit_file_t:service manage_service_perms;
 
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/contrib/nova.if centos-7.1.1503/usr/share/selinux/devel/include/contrib/nova.if
--- centos-7.0.1406/usr/share/selinux/devel/include/contrib/nova.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/contrib/nova.if	2015-03-06 06:53:47.000000000 +0100
@@ -47,7 +47,9 @@
 
 	manage_dirs_pattern(nova_$1_t, nova_$1_tmp_t, nova_$1_tmp_t)
 	manage_files_pattern(nova_$1_t, nova_$1_tmp_t, nova_$1_tmp_t)
-	files_tmp_filetrans(nova_$1_t, nova_$1_tmp_t, { file dir })
+	manage_lnk_files_pattern(nova_$1_t, nova_$1_tmp_t, nova_$1_tmp_t)
+	files_tmp_filetrans(nova_$1_t, nova_$1_tmp_t, { lnk_file file dir })
+	fs_tmpfs_filetrans(nova_$1_t, nova_$1_tmp_t, { lnk_file file dir })
 	can_exec(nova_$1_t, nova_$1_tmp_t)
 
 	kernel_read_system_state(nova_$1_t)
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/contrib/nscd.if centos-7.1.1503/usr/share/selinux/devel/include/contrib/nscd.if
--- centos-7.0.1406/usr/share/selinux/devel/include/contrib/nscd.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/contrib/nscd.if	2015-03-06 06:53:47.000000000 +0100
@@ -311,6 +311,7 @@
 	')
 
 	systemd_exec_systemctl($1)
+	init_reload_services($1)
 	allow $1 nscd_unit_file_t:file read_file_perms;
 	allow $1 nscd_unit_file_t:service manage_service_perms;
 
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/contrib/ntp.if centos-7.1.1503/usr/share/selinux/devel/include/contrib/ntp.if
--- centos-7.0.1406/usr/share/selinux/devel/include/contrib/ntp.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/contrib/ntp.if	2015-03-06 06:53:47.000000000 +0100
@@ -153,6 +153,7 @@
 	')
 
 	systemd_exec_systemctl($1)
+	init_reload_services($1)
 	allow $1 ntpd_unit_file_t:file read_file_perms;
 	allow $1 ntpd_unit_file_t:service manage_service_perms;
 
@@ -161,6 +162,25 @@
 
 ########################################
 ## <summary>
+##	Read ntp drift files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`ntp_read_drift_files',`
+	gen_require(`
+		type ntp_drift_t;
+	')
+
+	files_search_var_lib($1)
+	read_files_pattern($1, ntp_drift_t, ntp_drift_t)
+')
+
+########################################
+## <summary>
 ##	Read and write ntpd shared memory.
 ## </summary>
 ## <param name="domain">
@@ -219,13 +239,14 @@
 #
 interface(`ntp_admin',`
 	gen_require(`
-		type ntpd_t, ntpd_tmp_t, ntpd_log_t;
+		type ntpd_t, ntpd_tmp_t, ntpd_log_t, ntp_drift_t;
 		type ntpd_key_t, ntpd_var_run_t, ntpd_initrc_exec_t;
 		type ntpd_unit_file_t;
 	')
 
 	allow $1 ntpd_t:process signal_perms;
 	ps_process_pattern($1, ntpd_t)
+
 	tunable_policy(`deny_ptrace',`',`
 		allow $1 ntpd_t:process ptrace;
 	')
@@ -235,6 +256,7 @@
 	role_transition $2 ntpd_initrc_exec_t system_r;
 	allow $2 system_r;
 
+	files_list_etc($1)
 	admin_pattern($1, ntpd_key_t)
 
 	logging_list_logs($1)
@@ -243,6 +265,9 @@
 	files_list_tmp($1)
 	admin_pattern($1, ntpd_tmp_t)
 
+	files_list_var_lib($1)
+	admin_pattern($1, ntp_drift_t)
+
 	files_list_pids($1)
 	admin_pattern($1, ntpd_var_run_t)
 
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/contrib/numad.if centos-7.1.1503/usr/share/selinux/devel/include/contrib/numad.if
--- centos-7.0.1406/usr/share/selinux/devel/include/contrib/numad.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/contrib/numad.if	2015-03-06 06:53:47.000000000 +0100
@@ -36,6 +36,7 @@
 	')
 
 	systemd_exec_systemctl($1)
+	init_reload_services($1)
 	systemd_read_fifo_file_passwd_run($1)
 	allow $1 numad_unit_file_t:file read_file_perms;
 	allow $1 numad_unit_file_t:service all_service_perms;
@@ -43,6 +44,26 @@
 	ps_process_pattern($1, numad_t)
 ')
 
+########################################
+## <summary>
+##	Send and receive messages from
+##	numad over dbus.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`numad_dbus_chat',`
+	gen_require(`
+		type numad_t;
+		class dbus send_msg;
+	')
+
+	allow $1 numad_t:dbus send_msg;
+	allow numad_t $1:dbus send_msg;
+')
 
 ########################################
 ## <summary>
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/contrib/nut.if centos-7.1.1503/usr/share/selinux/devel/include/contrib/nut.if
--- centos-7.0.1406/usr/share/selinux/devel/include/contrib/nut.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/contrib/nut.if	2015-03-06 06:53:47.000000000 +0100
@@ -2,6 +2,41 @@
 
 #######################################
 ## <summary>
+##  Creates types and rules for a basic
+##  Network UPS Tools systemd daemon domain.
+## </summary>
+## <param name="prefix">
+##  <summary>
+##  Prefix for the domain.
+##  </summary>
+## </param>
+#
+template(`nut_domain_template',`
+	gen_require(`
+		attribute nut_domain;
+	')
+
+	type nut_$1_t, nut_domain;
+	type nut_$1_exec_t;
+	init_daemon_domain(nut_$1_t, nut_$1_exec_t)
+
+	type nut_$1_tmp_t;
+	files_tmp_file(nut_$1_tmp_t)
+
+	manage_dirs_pattern(nut_$1_t, nut_$1_tmp_t, nut_$1_tmp_t)
+	manage_files_pattern(nut_$1_t, nut_$1_tmp_t, nut_$1_tmp_t)
+	manage_lnk_files_pattern(nut_$1_t, nut_$1_tmp_t, nut_$1_tmp_t)
+	files_tmp_filetrans(nut_$1_t, nut_$1_tmp_t, { lnk_file file dir })
+	fs_tmpfs_filetrans(nut_$1_t, nut_$1_tmp_t, { lnk_file file dir })
+
+    auth_use_nsswitch(nut_$1_t)
+
+    logging_send_syslog_msg(nut_$1_t)
+
+')
+
+#######################################
+## <summary>
 ##  Execute swift server in the swift domain.
 ## </summary>
 ## <param name="domain">
@@ -17,6 +52,7 @@
     ')
 
 	systemd_exec_systemctl($1)
+	init_reload_services($1)
     allow $1 nut_unit_file_t:file read_file_perms;
     allow $1 nut_unit_file_t:service manage_service_perms;
 
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/contrib/oddjob.if centos-7.1.1503/usr/share/selinux/devel/include/contrib/oddjob.if
--- centos-7.0.1406/usr/share/selinux/devel/include/contrib/oddjob.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/contrib/oddjob.if	2015-03-06 06:53:47.000000000 +0100
@@ -165,6 +165,7 @@
     ')
 
     systemd_exec_systemctl($1)
+	init_reload_services($1)
     allow $1 oddjob_unit_file_t:file read_file_perms;
     allow $1 oddjob_unit_file_t:service manage_service_perms;
 
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/contrib/openshift.if centos-7.1.1503/usr/share/selinux/devel/include/contrib/openshift.if
--- centos-7.0.1406/usr/share/selinux/devel/include/contrib/openshift.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/contrib/openshift.if	2015-03-06 06:53:47.000000000 +0100
@@ -362,6 +362,26 @@
 	manage_sock_files_pattern($1, openshift_file_type, openshift_file_type)
 ')
 
+########################################
+## <summary>
+##	Relabel openshift library files 
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`openshift_relabelfrom_lib',`
+	gen_require(`
+		type openshift_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	relabel_dirs_pattern($1, openshift_var_lib_t, openshift_var_lib_t)
+	relabel_files_pattern($1, openshift_var_lib_t, openshift_var_lib_t)
+')
+
 #######################################
 ## <summary>
 ##	Create private objects in the
@@ -416,7 +436,6 @@
 	allow $1 openshift_var_run_t:file read_file_perms;
 ')
 
-
 ########################################
 ## <summary>
 ##	All of the rules required to administrate
@@ -619,11 +638,11 @@
 interface(`openshift_dontaudit_rw_inherited_fifo_files',`
 	gen_require(`
 		type openshift_initrc_t;
-        type openshift_t;
+		type openshift_t;
 	')
 
 	dontaudit $1 openshift_initrc_t:fifo_file rw_inherited_fifo_file_perms;
-    dontaudit $1 openshift_t:fifo_file rw_inherited_fifo_file_perms;
+	dontaudit $1 openshift_t:fifo_file rw_inherited_fifo_file_perms;
 ')
 
 ########################################
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/contrib/opensm.if centos-7.1.1503/usr/share/selinux/devel/include/contrib/opensm.if
--- centos-7.0.1406/usr/share/selinux/devel/include/contrib/opensm.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/contrib/opensm.if	2015-03-06 06:53:47.000000000 +0100
@@ -172,6 +172,7 @@
 	')
 
 	systemd_exec_systemctl($1)
+	init_reload_services($1)
     systemd_read_fifo_file_passwd_run($1)
 	allow $1 opensm_unit_file_t:file read_file_perms;
 	allow $1 opensm_unit_file_t:service manage_service_perms;
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/contrib/openvpn.if centos-7.1.1503/usr/share/selinux/devel/include/contrib/openvpn.if
--- centos-7.0.1406/usr/share/selinux/devel/include/contrib/openvpn.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/contrib/openvpn.if	2015-03-06 06:53:47.000000000 +0100
@@ -142,6 +142,26 @@
 	allow $1 openvpn_etc_t:lnk_file read_lnk_file_perms;
 ')
 
+####################################
+## <summary>
+##  Connect to openvpn over
+##	a unix domain stream socket.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`openvpn_stream_connect',`
+	gen_require(`
+		type openvpn_t, openvpn_var_run_t;
+	')
+
+	files_search_pids($1)
+	stream_connect_pattern($1, openvpn_var_run_t, openvpn_var_run_t, openvpn_t)
+')
+
 ########################################
 ## <summary>
 ##	All of the rules required to
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/contrib/openvswitch.if centos-7.1.1503/usr/share/selinux/devel/include/contrib/openvswitch.if
--- centos-7.0.1406/usr/share/selinux/devel/include/contrib/openvswitch.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/contrib/openvswitch.if	2015-03-06 06:53:47.000000000 +0100
@@ -211,6 +211,7 @@
 	')
 
 	systemd_exec_systemctl($1)
+	init_reload_services($1)
 	allow $1 openvswitch_unit_file_t:file read_file_perms;
 	allow $1 openvswitch_unit_file_t:service manage_service_perms;
 
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/contrib/openwsman.if centos-7.1.1503/usr/share/selinux/devel/include/contrib/openwsman.if
--- centos-7.0.1406/usr/share/selinux/devel/include/contrib/openwsman.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/contrib/openwsman.if	2015-03-06 06:53:47.000000000 +0100
@@ -35,6 +35,7 @@
 	')
 
 	systemd_exec_systemctl($1)
+	init_reload_services($1)
     systemd_read_fifo_file_passwd_run($1)
 	allow $1 openwsman_unit_file_t:file read_file_perms;
 	allow $1 openwsman_unit_file_t:service manage_service_perms;
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/contrib/pacemaker.if centos-7.1.1503/usr/share/selinux/devel/include/contrib/pacemaker.if
--- centos-7.0.1406/usr/share/selinux/devel/include/contrib/pacemaker.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/contrib/pacemaker.if	2015-03-06 06:53:47.000000000 +0100
@@ -149,6 +149,7 @@
 	')
 
 	systemd_exec_systemctl($1)
+	init_reload_services($1)
 	systemd_read_fifo_file_passwd_run($1)
 	allow $1 pacemaker_unit_file_t:file read_file_perms;
 	allow $1 pacemaker_unit_file_t:service manage_service_perms;
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/contrib/passenger.if centos-7.1.1503/usr/share/selinux/devel/include/contrib/passenger.if
--- centos-7.0.1406/usr/share/selinux/devel/include/contrib/passenger.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/contrib/passenger.if	2015-03-06 06:53:47.000000000 +0100
@@ -16,6 +16,7 @@
 	')
 
 	domtrans_pattern($1, passenger_exec_t, passenger_t)
+	allow passenger_t $1:unix_stream_socket { accept getattr read write };
 ')
 
 ######################################
@@ -159,3 +160,22 @@
 	manage_files_pattern($1, passenger_tmp_t, passenger_tmp_t)
 	manage_dirs_pattern($1, passenger_tmp_t, passenger_tmp_t)
 ')
+
+########################################
+## <summary>
+##	Send kill signals to passenger.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`passenger_kill',`
+	gen_require(`
+		type passenger_t;
+	')
+
+	allow $1 passenger_t:process sigkill;
+')
+
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/contrib/pcp.if centos-7.1.1503/usr/share/selinux/devel/include/contrib/pcp.if
--- centos-7.0.1406/usr/share/selinux/devel/include/contrib/pcp.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/contrib/pcp.if	2015-03-06 06:53:47.000000000 +0100
@@ -23,13 +23,14 @@
     type pcp_$1_initrc_exec_t;
     init_script_file(pcp_$1_initrc_exec_t)
 
+    auth_use_nsswitch(pcp_$1_t)
 ')
 
 ######################################
 ## <summary>
 ##  Allow domain to read pcp lib files
 ## </summary>
-## <param name="prefix">
+## <param name="domain">
 ##  <summary>
 ##  Prefix for the domain.
 ##  </summary>
@@ -39,7 +40,7 @@
     gen_require(`
         type pcp_var_lib_t;
     ')
-    libs_search_lib($1)
+    files_search_var_lib($1)
     read_files_pattern($1,pcp_var_lib_t,pcp_var_lib_t)
 ')
 
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/contrib/pcscd.if centos-7.1.1503/usr/share/selinux/devel/include/contrib/pcscd.if
--- centos-7.0.1406/usr/share/selinux/devel/include/contrib/pcscd.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/contrib/pcscd.if	2015-03-06 06:53:47.000000000 +0100
@@ -17,6 +17,8 @@
 
 	corecmd_search_bin($1)
 	domtrans_pattern($1, pcscd_exec_t, pcscd_t)
+
+	ps_process_pattern(pcscd_t, $1)
 ')
 
 ########################################
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/contrib/pegasus.if centos-7.1.1503/usr/share/selinux/devel/include/contrib/pegasus.if
--- centos-7.0.1406/usr/share/selinux/devel/include/contrib/pegasus.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/contrib/pegasus.if	2015-03-06 06:53:47.000000000 +0100
@@ -32,6 +32,7 @@
 	#
 	
 	domtrans_pattern(pegasus_t, pegasus_openlmi_$1_exec_t, pegasus_openlmi_$1_t)
+    allow pegasus_t pegasus_openlmi_$1_exec_t:file ioctl;
 
 	kernel_read_system_state(pegasus_openlmi_$1_t)
 	logging_send_syslog_msg(pegasus_openlmi_$1_t)
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/contrib/pesign.if centos-7.1.1503/usr/share/selinux/devel/include/contrib/pesign.if
--- centos-7.0.1406/usr/share/selinux/devel/include/contrib/pesign.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/contrib/pesign.if	2015-03-06 06:53:47.000000000 +0100
@@ -55,6 +55,7 @@
 	')
 
 	systemd_exec_systemctl($1)
+	init_reload_services($1)
     systemd_read_fifo_file_passwd_run($1)
 	allow $1 pesign_unit_file_t:file read_file_perms;
 	allow $1 pesign_unit_file_t:service manage_service_perms;
Only in centos-7.1.1503/usr/share/selinux/devel/include/contrib: pkcs.if
Only in centos-7.0.1406/usr/share/selinux/devel/include/contrib: pkcsslotd.if
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/contrib/pki.if centos-7.1.1503/usr/share/selinux/devel/include/contrib/pki.if
--- centos-7.0.1406/usr/share/selinux/devel/include/contrib/pki.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/contrib/pki.if	2015-03-06 06:53:47.000000000 +0100
@@ -134,13 +134,6 @@
 
 	# need to resolve addresses?
 	auth_use_nsswitch($1_t)
-
-		#pki_apache_domain_signal(httpd_t)
-		#pki_apache_domain_signal(httpd_t)
-		#pki_manage_apache_run(httpd_t)
-		#pki_manage_apache_config_files(httpd_t)
-		#pki_manage_apache_log_files(httpd_t)
-		#pki_manage_apache_lib(httpd_t)
 ')
 
 #######################################
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/contrib/polipo.if centos-7.1.1503/usr/share/selinux/devel/include/contrib/polipo.if
--- centos-7.0.1406/usr/share/selinux/devel/include/contrib/polipo.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/contrib/polipo.if	2015-03-06 06:53:47.000000000 +0100
@@ -161,6 +161,7 @@
 	')
 
 	systemd_exec_systemctl($1)
+	init_reload_services($1)
 	allow $1 polipo_unit_file_t:file read_file_perms;
 	allow $1 polipo_unit_file_t:service manage_service_perms;
 
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/contrib/postfix.if centos-7.1.1503/usr/share/selinux/devel/include/contrib/postfix.if
--- centos-7.0.1406/usr/share/selinux/devel/include/contrib/postfix.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/contrib/postfix.if	2015-03-06 06:53:47.000000000 +0100
@@ -365,11 +365,13 @@
 interface(`postfix_domtrans_master',`
 	gen_require(`
 		type postfix_master_t, postfix_master_exec_t;
+		attribute postfix_domain;
 	')
 
 	domtrans_pattern($1, postfix_master_exec_t, postfix_master_t)
 ')
 
+
 ########################################
 ## <summary>
 ##	Execute the master postfix in the postfix master domain.
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/contrib/ppp.if centos-7.1.1503/usr/share/selinux/devel/include/contrib/ppp.if
--- centos-7.0.1406/usr/share/selinux/devel/include/contrib/ppp.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/contrib/ppp.if	2015-03-06 06:53:47.000000000 +0100
@@ -439,6 +439,7 @@
 	')
 
 	systemd_exec_systemctl($1)
+	init_reload_services($1)
 	allow $1 pppd_unit_file_t:file read_file_perms;
 	allow $1 pppd_unit_file_t:service manage_service_perms;
 
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/contrib/prosody.if centos-7.1.1503/usr/share/selinux/devel/include/contrib/prosody.if
--- centos-7.0.1406/usr/share/selinux/devel/include/contrib/prosody.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/contrib/prosody.if	2015-03-06 06:53:47.000000000 +0100
@@ -132,6 +132,7 @@
 	')
 
 	systemd_exec_systemctl($1)
+	init_reload_services($1)
         systemd_read_fifo_file_passwd_run($1)
 	allow $1 prosody_unit_file_t:file read_file_perms;
 	allow $1 prosody_unit_file_t:service manage_service_perms;
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/contrib/pulseaudio.if centos-7.1.1503/usr/share/selinux/devel/include/contrib/pulseaudio.if
--- centos-7.0.1406/usr/share/selinux/devel/include/contrib/pulseaudio.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/contrib/pulseaudio.if	2015-03-06 06:53:47.000000000 +0100
@@ -17,7 +17,8 @@
 #
 interface(`pulseaudio_role',`
 	gen_require(`
-		type pulseaudio_t, pulseaudio_exec_t;
+        attribute pulseaudio_tmpfsfile;
+		type pulseaudio_t, pulseaudio_exec_t, pulseaudio_tmpfs_t;
 		class dbus { acquire_svc send_msg };
 	')
 
@@ -35,6 +36,9 @@
 	allow pulseaudio_t $2:unix_stream_socket connectto;
 	allow $2 pulseaudio_t:unix_stream_socket connectto;
 
+	allow $2 { pulseaudio_tmpfs_t pulseaudio_tmpfsfile }:dir { manage_dir_perms relabel_dir_perms };
+	allow $2 { pulseaudio_tmpfs_t pulseaudio_tmpfsfile }:file { manage_file_perms relabel_file_perms };
+
 	userdom_manage_tmp_role($1, pulseaudio_t)
 	userdom_manage_tmpfs_role($1, pulseaudio_t)
 
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/contrib/qemu.if centos-7.1.1503/usr/share/selinux/devel/include/contrib/qemu.if
--- centos-7.0.1406/usr/share/selinux/devel/include/contrib/qemu.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/contrib/qemu.if	2015-03-06 06:53:47.000000000 +0100
@@ -24,6 +24,9 @@
 	type $1_tmp_t;
 	files_tmp_file($1_tmp_t)
 
+	type $1_tmpfs_t;
+	files_tmpfs_file($1_tmpfs_t)
+
 	##############################
 	#
 	# Local Policy
@@ -41,6 +44,10 @@
 	manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t)
 	files_tmp_filetrans($1_t, $1_tmp_t, { file dir })
 
+	manage_dirs_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
+	manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
+	fs_tmpfs_filetrans($1_t, $1_tmpfs_t, { file dir })
+
 	kernel_read_system_state($1_t)
 
 	corenet_all_recvfrom_netlabel($1_t)
@@ -62,7 +69,6 @@
 
 	fs_list_inotifyfs($1_t)
 	fs_rw_anon_inodefs_files($1_t)
-	fs_rw_tmpfs_files($1_t)
 
 	storage_raw_write_removable_device($1_t)
 	storage_raw_read_removable_device($1_t)
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/contrib/quantum.if centos-7.1.1503/usr/share/selinux/devel/include/contrib/quantum.if
--- centos-7.0.1406/usr/share/selinux/devel/include/contrib/quantum.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/contrib/quantum.if	2015-03-06 06:53:47.000000000 +0100
@@ -171,6 +171,7 @@
 
 	files_search_var_lib($1)
 	manage_files_pattern($1, neutron_var_lib_t, neutron_var_lib_t)
+    manage_sock_files_pattern($1, neutron_var_lib_t, neutron_var_lib_t)
 ')
 
 ########################################
@@ -248,6 +249,7 @@
 	')
 
 	systemd_exec_systemctl($1)
+	init_reload_services($1)
 	systemd_read_fifo_file_passwd_run($1)
 	allow $1 neutron_unit_file_t:file read_file_perms;
 	allow $1 neutron_unit_file_t:service manage_service_perms;
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/contrib/rabbitmq.if centos-7.1.1503/usr/share/selinux/devel/include/contrib/rabbitmq.if
--- centos-7.0.1406/usr/share/selinux/devel/include/contrib/rabbitmq.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/contrib/rabbitmq.if	2015-03-06 06:53:47.000000000 +0100
@@ -10,13 +10,13 @@
 ## </summary>
 ## </param>
 #
-interface(`rabbitmq_domtrans_beam',`
+interface(`rabbitmq_domtrans',`
 	gen_require(`
-		type rabbitmq_beam_t, rabbitmq_beam_exec_t;
+		type rabbitmq_t, rabbitmq_exec_t;
 	')
 
 	corecmd_search_bin($1)
-	domtrans_pattern($1, rabbitmq_beam_exec_t, rabbitmq_beam_t)
+	domtrans_pattern($1, rabbitmq_exec_t, rabbitmq_t)
 ')
 
 ########################################
@@ -38,12 +38,12 @@
 #
 interface(`rabbitmq_admin',`
 	gen_require(`
-		type rabbitmq_epmd_t, rabbitmq_beam_t, rabbitmq_initrc_exec_t;
+		type rabbitmq_t, rabbitmq_initrc_exec_t;
 		type rabbitmq_var_lib_t, rabbitmq_var_log_t, rabbitmq_var_run_t;
 	')
 
-	allow $1 { rabbitmq_epmd_t rabbitmq_beam_t }:process { ptrace signal_perms };
-	ps_process_pattern($1, { rabbitmq_epmd_t rabbitmq_beam_t })
+	allow $1 { rabbitmq_t }:process { ptrace signal_perms };
+	ps_process_pattern($1, rabbitmq_t)
 
 	init_labeled_script_domtrans($1, rabbitmq_initrc_exec_t)
 	domain_system_change_exemption($1)
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/contrib/radius.if centos-7.1.1503/usr/share/selinux/devel/include/contrib/radius.if
--- centos-7.0.1406/usr/share/selinux/devel/include/contrib/radius.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/contrib/radius.if	2015-03-06 06:53:47.000000000 +0100
@@ -31,6 +31,7 @@
     ')
 
     systemd_exec_systemctl($1)
+	init_reload_services($1)
     allow $1 radiusd_unit_file_t:file read_file_perms;
     allow $1 radiusd_unit_file_t:service manage_service_perms;
 
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/contrib/raid.if centos-7.1.1503/usr/share/selinux/devel/include/contrib/raid.if
--- centos-7.0.1406/usr/share/selinux/devel/include/contrib/raid.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/contrib/raid.if	2015-03-06 06:53:47.000000000 +0100
@@ -62,6 +62,7 @@
 	')
 
 	systemd_exec_systemctl($1)
+	init_reload_services($1)
 	allow $1 mdadm_unit_file_t:file read_file_perms;
 	allow $1 mdadm_unit_file_t:service manage_service_perms;
 
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/contrib/rasdaemon.if centos-7.1.1503/usr/share/selinux/devel/include/contrib/rasdaemon.if
--- centos-7.0.1406/usr/share/selinux/devel/include/contrib/rasdaemon.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/contrib/rasdaemon.if	2015-03-06 06:53:47.000000000 +0100
@@ -113,6 +113,7 @@
 	')
 
 	systemd_exec_systemctl($1)
+	init_reload_services($1)
         systemd_read_fifo_file_passwd_run($1)
 	allow $1 rasdaemon_unit_file_t:file read_file_perms;
 	allow $1 rasdaemon_unit_file_t:service manage_service_perms;
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/contrib/rdisc.if centos-7.1.1503/usr/share/selinux/devel/include/contrib/rdisc.if
--- centos-7.0.1406/usr/share/selinux/devel/include/contrib/rdisc.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/contrib/rdisc.if	2015-03-06 06:53:47.000000000 +0100
@@ -36,6 +36,7 @@
         ')
 
         systemd_exec_systemctl($1)
+	init_reload_services($1)
         systemd_read_fifo_file_passwd_run($1)
         allow $1 rdisc_unit_file_t:file read_file_perms;
         allow $1 rdisc_unit_file_t:service manage_service_perms;
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/contrib/redis.if centos-7.1.1503/usr/share/selinux/devel/include/contrib/redis.if
--- centos-7.0.1406/usr/share/selinux/devel/include/contrib/redis.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/contrib/redis.if	2015-03-06 06:53:47.000000000 +0100
@@ -208,6 +208,7 @@
 	')
 
 	systemd_exec_systemctl($1)
+	init_reload_services($1)
     systemd_read_fifo_file_passwd_run($1)
 	allow $1 redis_unit_file_t:file read_file_perms;
 	allow $1 redis_unit_file_t:service manage_service_perms;
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/contrib/rhcs.if centos-7.1.1503/usr/share/selinux/devel/include/contrib/rhcs.if
--- centos-7.0.1406/usr/share/selinux/devel/include/contrib/rhcs.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/contrib/rhcs.if	2015-03-06 06:53:47.000000000 +0100
@@ -51,6 +51,8 @@
 	manage_sock_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
 	files_pid_filetrans($1_t, $1_var_run_t, { file sock_file fifo_file })
 
+    kernel_read_system_state($1_t)
+
 	auth_use_nsswitch($1_t)
 
 	logging_send_syslog_msg($1_t)
@@ -97,6 +99,44 @@
 
 #####################################
 ## <summary>
+##	Connect to haproxy over a unix domain
+##	stream socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`rhcs_stream_connect_haproxy',`
+	gen_require(`
+		type haproxy_t, haproxy_var_run_t;
+	')
+
+	files_search_pids($1)
+	stream_connect_pattern($1, haproxy_var_run_t, haproxy_var_run_t, haproxy_t)
+')
+
+########################################
+## <summary>
+##	Send a null signal to haproxy.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`rhcs_signull_haproxy',`
+	gen_require(`
+		type haproxy_t;
+	')
+
+	allow $1 haproxy_t:process signull;
+')
+
+#####################################
+## <summary>
 ##	Allow read and write access to dlm_controld semaphores.
 ## </summary>
 ## <param name="domain">
@@ -212,6 +252,25 @@
 	stream_connect_pattern($1, fenced_var_run_t, fenced_var_run_t, fenced_t)
 ')
 
+######################################
+## <summary>
+##	Execute a domain transition to run fenced.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`rhcs_domtrans_haproxy',`
+	gen_require(`
+		type haproxy_t, haproxy_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, haproxy_exec_t, haproxy_t)
+')
+
 #####################################
 ## <summary>
 ##	Execute a domain transition to run gfs_controld.
@@ -798,6 +857,7 @@
     ')
 
     systemd_exec_systemctl($1)
+	init_reload_services($1)
     allow $1 cluster_unit_file_t:file read_file_perms;
     allow $1 cluster_unit_file_t:service manage_service_perms;
 
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/contrib/rhnsd.if centos-7.1.1503/usr/share/selinux/devel/include/contrib/rhnsd.if
--- centos-7.0.1406/usr/share/selinux/devel/include/contrib/rhnsd.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/contrib/rhnsd.if	2015-03-06 06:53:47.000000000 +0100
@@ -54,6 +54,7 @@
 	')
 
 	systemd_exec_systemctl($1)
+	init_reload_services($1)
     systemd_read_fifo_file_passwd_run($1)
 	allow $1 rhnsd_unit_file_t:file read_file_perms;
 	allow $1 rhnsd_unit_file_t:service manage_service_perms;
@@ -79,6 +80,7 @@
 
     files_search_etc($1)
     manage_files_pattern( $1, rhnsd_conf_t, rhnsd_conf_t)
+    manage_lnk_files_pattern($1, rhnsd_conf_t, rhnsd_conf_t)
 ')
 
 ########################################
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/contrib/rngd.if centos-7.1.1503/usr/share/selinux/devel/include/contrib/rngd.if
--- centos-7.0.1406/usr/share/selinux/devel/include/contrib/rngd.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/contrib/rngd.if	2015-03-06 06:53:47.000000000 +0100
@@ -16,6 +16,7 @@
 	')
 
 	systemd_exec_systemctl($1)
+	init_reload_services($1)
 	allow $1 rngd_unit_file_t:file read_file_perms;
 	allow $1 rngd_unit_file_t:service manage_service_perms;
 
@@ -41,7 +42,7 @@
 #
 interface(`rng_admin',`
 	gen_require(`
-		type rngd_t, rngd_initrc_exec_t, rngd_unit_file_t;
+		type rngd_t, rngd_initrc_exec_t, rngd_var_run_t, rngd_unit_file_t;
 	')
 
 	allow $1 rngd_t:process signal_perms;
@@ -56,6 +57,9 @@
 	role_transition $2 rngd_initrc_exec_t system_r;
 	allow $2 system_r;
 
+	files_search_pids($1)
+	admin_pattern($1, rngd_var_run_t)
+
 	rng_systemctl_rngd($1)
 	admin_pattern($1, rngd_unit_file_t)
 	allow $1 rngd_unit_file_t:service all_service_perms;
Only in centos-7.1.1503/usr/share/selinux/devel/include/contrib: rolekit.if
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/contrib/rpc.if centos-7.1.1503/usr/share/selinux/devel/include/contrib/rpc.if
--- centos-7.0.1406/usr/share/selinux/devel/include/contrib/rpc.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/contrib/rpc.if	2015-03-06 06:53:47.000000000 +0100
@@ -34,7 +34,7 @@
 #
 template(`rpc_domain_template',`
 	gen_require(`
-		type var_lib_nfs_t;
+        attribute rpc_domain;
 	')
 
 	########################################
@@ -42,9 +42,10 @@
 	# Declarations
 	#
 
-	type $1_t;
+	type $1_t, rpc_domain;
 	type $1_exec_t;
 	init_daemon_domain($1_t, $1_exec_t)
+
 	domain_use_interactive_fds($1_t)
 
 	####################################
@@ -52,76 +53,14 @@
 	# Local Policy
 	#
 
-	dontaudit $1_t self:capability { net_admin sys_tty_config };
-	allow $1_t self:capability net_bind_service;
-	allow $1_t self:process signal_perms;
-	allow $1_t self:unix_dgram_socket create_socket_perms;
-	allow $1_t self:unix_stream_socket create_stream_socket_perms;
-	allow $1_t self:tcp_socket create_stream_socket_perms;
-	allow $1_t self:udp_socket create_socket_perms;
-
-	manage_dirs_pattern($1_t, var_lib_nfs_t, var_lib_nfs_t)
-	manage_files_pattern($1_t, var_lib_nfs_t, var_lib_nfs_t)
-
-	kernel_list_proc($1_t)
-	kernel_read_proc_symlinks($1_t)
-	kernel_read_kernel_sysctls($1_t)
-	# bind to arbitary unused ports
-	kernel_rw_rpc_sysctls($1_t)
-
-	dev_read_sysfs($1_t)
-	dev_read_urand($1_t)
-	dev_read_rand($1_t)
-
-	corenet_all_recvfrom_netlabel($1_t)
-	corenet_tcp_sendrecv_generic_if($1_t)
-	corenet_udp_sendrecv_generic_if($1_t)
-	corenet_tcp_sendrecv_generic_node($1_t)
-	corenet_udp_sendrecv_generic_node($1_t)
-	corenet_tcp_sendrecv_all_ports($1_t)
-	corenet_udp_sendrecv_all_ports($1_t)
-	corenet_tcp_bind_generic_node($1_t)
-	corenet_udp_bind_generic_node($1_t)
-	corenet_tcp_bind_reserved_port($1_t)
-	corenet_tcp_connect_all_ports($1_t)
-	corenet_sendrecv_portmap_client_packets($1_t)
-	# do not log when it tries to bind to a port belonging to another domain
-	corenet_dontaudit_tcp_bind_all_ports($1_t)
-	corenet_dontaudit_udp_bind_all_ports($1_t)
-	# bind to arbitary unused ports
-	corenet_tcp_bind_generic_port($1_t)
-	corenet_udp_bind_generic_port($1_t)
-	corenet_tcp_bind_all_rpc_ports($1_t)
-	corenet_udp_bind_all_rpc_ports($1_t)
-	corenet_sendrecv_generic_server_packets($1_t)
-
-	fs_rw_rpc_named_pipes($1_t)
-	fs_search_auto_mountpoints($1_t)
-
-	files_read_etc_files($1_t)
-	files_read_etc_runtime_files($1_t)
-	files_search_var($1_t)
-	files_search_var_lib($1_t)
-	files_list_home($1_t)
+    kernel_read_system_state($1_t)
+
+    corenet_all_recvfrom_unlabeled($1_t)
+    corenet_all_recvfrom_netlabel($1_t)
 
 	auth_use_nsswitch($1_t)
 
 	logging_send_syslog_msg($1_t)
-
-
-	userdom_dontaudit_use_unpriv_user_fds($1_t)
-
-	optional_policy(`
-		rpcbind_stream_connect($1_t)
-	')
-
-	optional_policy(`
-		seutil_sigchld_newrole($1_t)
-	')
-
-	optional_policy(`
-		udev_read_db($1_t)
-	')
 ')
 
 ########################################
@@ -246,6 +185,7 @@
 	')
 
 	systemd_exec_systemctl($1)
+	init_reload_services($1)
 	allow $1 nfsd_unit_file_t:file read_file_perms;
 	allow $1 nfsd_unit_file_t:service manage_service_perms;
 
@@ -350,6 +290,7 @@
 	')
 
 	systemd_exec_systemctl($1)
+	init_reload_services($1)
 	allow $1 rpcd_unit_file_t:file read_file_perms;
 	allow $1 rpcd_unit_file_t:service manage_service_perms;
 
@@ -464,3 +405,54 @@
 	manage_files_pattern($1, var_lib_nfs_t, var_lib_nfs_t)
 	allow $1 var_lib_nfs_t:file relabel_file_perms;
 ')
+
+#######################################
+## <summary>
+##  All of the rules required to
+##  administrate an rpc environment.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+## <param name="role">
+##  <summary>
+##  Role allowed access.
+##  </summary>
+## </param>
+## <rolecap/>
+#
+interface(`rpc_admin',`
+    gen_require(`
+		attribute rpc_domain;
+		type nfsd_initrc_exec_t, rpcd_initrc_exec_t, exports_t;
+		type var_lib_nfs_t, rpcd_var_run_t, gssd_tmp_t;
+		type nfsd_ro_t, nfsd_rw_t, gssd_keytab_t;
+	')
+
+	allow $1 rpc_domain:process { ptrace signal_perms };
+	ps_process_pattern($1, rpc_domain)
+
+	init_labeled_script_domtrans($1, { nfsd_initrc_exec_t rpcd_initrc_exec_t })
+ 	domain_system_change_exemption($1)
+ 	role_transition $2 { nfsd_initrc_exec_t rpcd_initrc_exec_t } system_r;
+ 	allow $2 system_r;
+
+	files_list_etc($1)
+	admin_pattern($1, { gssd_keytab_t exports_t })
+
+	files_list_var_lib($1)
+	admin_pattern($1, var_lib_nfs_t)
+
+	files_list_pids($1)
+	admin_pattern($1, rpcd_var_run_t)
+
+	files_list_all($1)
+	admin_pattern($1, { nfsd_ro_t nfsd_rw_t })
+
+	files_list_tmp($1)
+	admin_pattern($1, gssd_tmp_t)
+
+	fs_search_nfsd_fs($1)
+')
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/contrib/rpm.if centos-7.1.1503/usr/share/selinux/devel/include/contrib/rpm.if
--- centos-7.0.1406/usr/share/selinux/devel/include/contrib/rpm.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/contrib/rpm.if	2015-03-06 06:53:47.000000000 +0100
@@ -742,18 +742,82 @@
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <param name="role">
+##  <summary>
+##  Role allowed access.
+##  </summary>
+## </param>
 #
 interface(`rpm_transition_script',`
 	gen_require(`
 		type rpm_script_t;
 		attribute rpm_transition_domain;
+		attribute_role rpm_script_roles;
 	')
 
 	typeattribute $1 rpm_transition_domain;
 	allow $1 rpm_script_t:process transition;
+	roleattribute $2 rpm_script_roles;
 
 	allow $1 rpm_script_t:fd use;
 	allow rpm_script_t $1:fd use;
 	allow rpm_script_t $1:fifo_file rw_fifo_file_perms;
 	allow rpm_script_t $1:process sigchld;
 ')
+
+#######################################
+## <summary>
+##  All of the rules required to
+##  administrate an rpm environment.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+## <param name="role">
+##  <summary>
+##  Role allowed access.
+##  </summary>
+## </param>
+## <rolecap/>
+#
+interface(`rpm_admin',`
+    gen_require(`
+        type rpm_t, rpm_script_t, rpm_initrc_exec_t;
+        type rpm_var_cache_t, rpm_var_lib_t, rpm_lock_t;
+
+        type rpm_log_t, rpm_tmpfs_t, rpm_tmp_t;
+        type rpm_script_tmp_t, rpm_script_tmpfs_t, rpm_file_t;
+    ')
+
+    allow $1 { rpm_t rpm_script_t }:process { ptrace signal_perms };
+    ps_process_pattern($1, { rpm_t rpm_script_t })
+
+	init_labeled_script_domtrans($1, rpm_initrc_exec_t)
+	domain_system_change_exemption($1)
+	role_transition $2 rpm_initrc_exec_t system_r;
+	allow $2 system_r;
+
+	admin_pattern($1, rpm_file_t)
+
+	files_list_tmp($1)
+	admin_pattern($1, { rpm_tmp_t rpm_script_tmp_t })
+
+	files_list_var_lib($1)
+	admin_pattern($1, rpm_var_lib_t)
+
+	files_search_locks($1)
+	admin_pattern($1, rpm_lock_t)
+
+	logging_list_logs($1)
+	admin_pattern($1, rpm_log_t)
+
+	files_list_pids($1)
+	admin_pattern($1, rpm_var_run_t)
+
+	fs_search_tmpfs($1)
+	admin_pattern($1, { rpm_tmpfs_t rpm_script_tmpfs_t })
+
+	rpm_run($1, $2)
+')
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/contrib/rsync.if centos-7.1.1503/usr/share/selinux/devel/include/contrib/rsync.if
--- centos-7.0.1406/usr/share/selinux/devel/include/contrib/rsync.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/contrib/rsync.if	2015-03-06 06:53:47.000000000 +0100
@@ -10,10 +10,10 @@
 ##      </summary>
 ## </param>
 #
-interface(`sendmail_stub',`
-gen_require(`
-type sendmail_t;
-')
+interface(`rsync_stub',`
+    gen_require(`
+        type rsync_t;
+    ')
 ')
 
 ########################################
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/contrib/rtas.if centos-7.1.1503/usr/share/selinux/devel/include/contrib/rtas.if
--- centos-7.0.1406/usr/share/selinux/devel/include/contrib/rtas.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/contrib/rtas.if	2015-03-06 06:53:47.000000000 +0100
@@ -116,6 +116,7 @@
 	')
 
 	systemd_exec_systemctl($1)
+	init_reload_services($1)
     systemd_read_fifo_file_passwd_run($1)
 	allow $1 rtas_errd_unit_file_t:file read_file_perms;
 	allow $1 rtas_errd_unit_file_t:service manage_service_perms;
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/contrib/rtkit.if centos-7.1.1503/usr/share/selinux/devel/include/contrib/rtkit.if
--- centos-7.0.1406/usr/share/selinux/devel/include/contrib/rtkit.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/contrib/rtkit.if	2015-03-06 06:53:47.000000000 +0100
@@ -76,8 +76,12 @@
 		type rtkit_daemon_t;
 	')
 
+	allow rtkit_daemon_t $1:process { getsched setsched };
+
 	kernel_search_proc($1)
 	ps_process_pattern(rtkit_daemon_t, $1)
-	allow rtkit_daemon_t $1:process { getsched setsched };
-	rtkit_daemon_dbus_chat($1)
+
+	optional_policy(`
+		rtkit_daemon_dbus_chat($1)
+	')
 ')
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/contrib/samba.if centos-7.1.1503/usr/share/selinux/devel/include/contrib/samba.if
--- centos-7.0.1406/usr/share/selinux/devel/include/contrib/samba.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/contrib/samba.if	2015-03-06 06:53:47.000000000 +0100
@@ -113,6 +113,7 @@
 	')
 
 	systemd_exec_systemctl($1)
+	init_reload_services($1)
 	allow $1 samba_unit_file_t:file read_file_perms;
 	allow $1 samba_unit_file_t:service manage_service_perms;
 
@@ -840,16 +841,18 @@
 interface(`samba_admin',`
 	gen_require(`
 		type nmbd_t, nmbd_var_run_t, smbd_var_run_t;
-		type smbd_t, smbd_tmp_t, samba_secrets_t;
-		type samba_initrc_exec_t, samba_log_t, samba_var_t;
-		type samba_etc_t, samba_share_t, winbind_log_t;
-		type swat_var_run_t, swat_tmp_t, samba_unconfined_script_exec_t;
-		type winbind_var_run_t, winbind_tmp_t, samba_unconfined_script_t;
-		type samba_unit_file_t;
+		type smbd_t, smbd_tmp_t, smbd_spool_t;
+		type samba_log_t, samba_var_t, samba_secrets_t;
+		type samba_etc_t, samba_share_t, samba_initrc_exec_t;
+		type swat_var_run_t, swat_tmp_t, winbind_log_t;
+		type winbind_var_run_t, winbind_tmp_t;
+		type smbd_keytab_t, samba_unit_file_t;
+        type samba_unconfined_script_t;
 	')
 
 	allow $1 smbd_t:process signal_perms;
 	ps_process_pattern($1, smbd_t)
+
 	tunable_policy(`deny_ptrace',`',`
 		allow $1 smbd_t:process ptrace;
 		allow $1 nmbd_t:process ptrace;
@@ -872,10 +875,8 @@
 	role_transition $2 samba_initrc_exec_t system_r;
 	allow $2 system_r;
 
-	admin_pattern($1, nmbd_var_run_t)
-
-	admin_pattern($1, samba_etc_t)
 	files_list_etc($1)
+	admin_pattern($1, { samba_etc_t smbd_keytab_t })
 
 	admin_pattern($1, samba_log_t)
 	logging_list_logs($1)
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/contrib/samhain.if centos-7.1.1503/usr/share/selinux/devel/include/contrib/samhain.if
--- centos-7.0.1406/usr/share/selinux/devel/include/contrib/samhain.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/contrib/samhain.if	2015-03-06 06:53:47.000000000 +0100
@@ -24,7 +24,7 @@
 
 	mls_file_write_all_levels($1_t)
 
-	logging_send_sylog_msg($1_t)
+	logging_send_syslog_msg($1_t)
 ')
 
 ########################################
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/contrib/sandbox.if centos-7.1.1503/usr/share/selinux/devel/include/contrib/sandbox.if
--- centos-7.0.1406/usr/share/selinux/devel/include/contrib/sandbox.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/contrib/sandbox.if	2015-03-06 06:53:47.000000000 +0100
@@ -22,14 +22,42 @@
 		attribute sandbox_domain;
 	')
 
-	allow $1 sandbox_domain:process transition;
-	dontaudit $1 sandbox_domain:process { noatsecure siginh rlimitinh };
-	role $2 types sandbox_domain;
-	allow sandbox_domain $1:process { sigchld signull };
-	allow sandbox_domain $1:fifo_file rw_inherited_fifo_file_perms;
-	dontaudit sandbox_domain $1:process signal;
-	dontaudit sandbox_domain $1:key { link read search view };
-	dontaudit sandbox_domain $1:unix_stream_socket rw_socket_perms;
+    sandbox_dyntransition($1) #885288
+    allow $1 sandbox_domain:process transition;
+    dontaudit $1 sandbox_domain:process { noatsecure siginh rlimitinh };
+
+    role $2 types sandbox_domain;
+
+    allow sandbox_domain $1:process { sigchld signull };
+    allow sandbox_domain $1:fifo_file rw_inherited_fifo_file_perms;
+
+    dontaudit sandbox_domain $1:process signal;
+    dontaudit sandbox_domain $1:key { link read search view };
+    dontaudit sandbox_domain $1:unix_stream_socket rw_socket_perms;
+')
+
+########################################
+## <summary>
+##	Execute sandbox in the sandbox domain, and
+##	allow the specified role the sandbox domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed the sandbox domain.
+##	</summary>
+## </param>
+#
+interface(`sandbox_dyntransition',`
+	gen_require(`
+		attribute sandbox_domain;
+	')
+
+	allow $1 sandbox_domain:process dyntransition;
 ')
 
 ########################################
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/contrib/sandboxX.if centos-7.1.1503/usr/share/selinux/devel/include/contrib/sandboxX.if
--- centos-7.0.1406/usr/share/selinux/devel/include/contrib/sandboxX.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/contrib/sandboxX.if	2015-03-06 06:53:47.000000000 +0100
@@ -26,6 +26,7 @@
 	')
 
 	allow $1 sandbox_x_domain:process { signal_perms transition };
+	allow $1 sandbox_x_domain:process dyntransition;
 	dontaudit $1 sandbox_x_domain:process { noatsecure siginh rlimitinh };
 	allow sandbox_x_domain $1:process { sigchld signull };
 	allow { sandbox_x_domain sandbox_xserver_t } $1:fd use;
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/contrib/sanlock.if centos-7.1.1503/usr/share/selinux/devel/include/contrib/sanlock.if
--- centos-7.0.1406/usr/share/selinux/devel/include/contrib/sanlock.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/contrib/sanlock.if	2015-03-06 06:53:47.000000000 +0100
@@ -93,6 +93,7 @@
 	')
 
 	systemd_exec_systemctl($1)
+	init_reload_services($1)
 	allow $1 sanlock_unit_file_t:file read_file_perms;
 	allow $1 sanlock_unit_file_t:service manage_service_perms;
 
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/contrib/sasl.if centos-7.1.1503/usr/share/selinux/devel/include/contrib/sasl.if
--- centos-7.0.1406/usr/share/selinux/devel/include/contrib/sasl.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/contrib/sasl.if	2015-03-06 06:53:47.000000000 +0100
@@ -38,12 +38,13 @@
 #
 interface(`sasl_admin',`
 	gen_require(`
-		type saslauthd_t, saslauthd_var_run_t;
-		type saslauthd_initrc_exec_t;
+		type saslauthd_t, saslauthd_var_run_t, saslauthd_initrc_exec_t;
+		type saslauthd_keytab_t;
 	')
 
 	allow $1 saslauthd_t:process signal_perms;
 	ps_process_pattern($1, saslauthd_t)
+
 	tunable_policy(`deny_ptrace',`',`
 		allow $1 saslauthd_t:process ptrace;
 	')
@@ -53,6 +54,9 @@
 	role_transition $2 saslauthd_initrc_exec_t system_r;
 	allow $2 system_r;
 
+	files_list_etc($1)
+	admin_pattern($1, saslauthd_keytab_t)
+
 	files_list_pids($1)
 	admin_pattern($1, saslauthd_var_run_t)
 ')
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/contrib/sblim.if centos-7.1.1503/usr/share/selinux/devel/include/contrib/sblim.if
--- centos-7.0.1406/usr/share/selinux/devel/include/contrib/sblim.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/contrib/sblim.if	2015-03-06 06:53:47.000000000 +0100
@@ -86,6 +86,84 @@
 
 ########################################
 ## <summary>
+##	Connect to sblim_sfcb over a unix stream socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`sblim_stream_connect_sfcbd',`
+	gen_require(`
+		type sblim_sfcb_t, sblim_var_lib_t;
+        type sblim_tmp_t;
+	')
+
+	files_search_pids($1)
+	stream_connect_pattern($1, sblim_var_lib_t, sblim_var_lib_t, sblim_sfcb_t)
+	stream_connect_pattern($1, sblim_var_lib_t, sblim_tmp_t, sblim_tmp_t)
+')
+
+#######################################
+## <summary>
+##  Getattr on sblim executable.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed to transition.
+##  </summary>
+## </param>
+#
+interface(`sblim_getattr_exec_sfcbd',`
+    gen_require(`
+        type sblim_sfcbd_exec_t;
+    ')
+
+	allow $1 sblim_sfcbd_exec_t:file getattr;
+')
+
+
+########################################
+## <summary>
+##	Connect to sblim_sfcb over a unix stream socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`sblim_stream_connect_sfcb',`
+	gen_require(`
+		type sblim_sfcb_t, sblim_var_lib_t;
+	')
+
+	files_search_pids($1)
+	stream_connect_pattern($1, sblim_var_lib_t, sblim_var_lib_t, sblim_sfcb_t)
+')
+
+#######################################
+## <summary>
+##	Allow read and write access to sblim semaphores.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`sblim_rw_semaphores_sfcbd',`
+	gen_require(`
+		type sblim_sfcbd_t;
+	')
+
+	allow $1 sblim_sfcbd_t:sem rw_sem_perms;
+')
+
+
+########################################
+## <summary>
 ##	All of the rules required to administrate
 ##	an gatherd environment
 ## </summary>
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/contrib/screen.if centos-7.1.1503/usr/share/selinux/devel/include/contrib/screen.if
--- centos-7.0.1406/usr/share/selinux/devel/include/contrib/screen.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/contrib/screen.if	2015-03-06 06:53:47.000000000 +0100
@@ -60,6 +60,10 @@
 	relabel_files_pattern($3, screen_home_t, screen_home_t)
 	relabel_lnk_files_pattern($3, screen_home_t, screen_home_t)
 
+	userdom_user_home_dir_filetrans($3, screen_home_t, dir, ".screen")
+	userdom_user_home_dir_filetrans($3, screen_home_t, file, ".screenrc")
+	userdom_user_home_dir_filetrans($3, screen_home_t, file, ".tmux.conf")
+
 	manage_dirs_pattern($3, screen_var_run_t, screen_var_run_t)
 	manage_fifo_files_pattern($3, screen_var_run_t, screen_var_run_t)
 
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/contrib/sendmail.if centos-7.1.1503/usr/share/selinux/devel/include/contrib/sendmail.if
--- centos-7.0.1406/usr/share/selinux/devel/include/contrib/sendmail.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/contrib/sendmail.if	2015-03-06 06:53:47.000000000 +0100
@@ -10,7 +10,7 @@
 ##	</summary>
 ## </param>
 #
-interface(`rsync_stub',`
+interface(`sendmail_stub',`
 	gen_require(`
 		type sendmail_t;
 	')
@@ -89,11 +89,11 @@
 #
 interface(`sendmail_run',`
 	gen_require(`
-		type sendmail_t;
+		attribute_role sendmail_roles;
 	')
 
 	sendmail_domtrans($1)
-	role $2 types sendmail_t;
+    roleattribute $2 sendmail_roles;
 ')
 
 ########################################
@@ -116,6 +116,53 @@
 
 ########################################
 ## <summary>
+##	Execute sendmail in the sendmail_unconfined domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`sendmail_domtrans_unconfined',`
+	gen_require(`
+		type unconfined_sendmail_t, sendmail_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, sendmail_exec_t, unconfined_sendmail_t)
+')
+
+#######################################
+## <summary>
+##  Execute sendmail in the unconfined
+##  sendmail domain, and allow the
+##  specified role the unconfined
+##  sendmail domain.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed to transition.
+##  </summary>
+## </param>
+## <param name="role">
+##  <summary>
+##  Role allowed access.
+##  </summary>
+## </param>
+## <rolecap/>
+#
+interface(`sendmail_run_unconfined',`
+    gen_require(`
+        attribute_role sendmail_unconfined_roles;
+    ')
+
+    sendmail_domtrans_unconfined($1)
+    roleattribute $2 sendmail_unconfined_roles;
+')
+
+########################################
+## <summary>
 ##	Read and write sendmail TCP sockets.
 ## </summary>
 ## <param name="domain">
@@ -239,11 +286,37 @@
 ## </param>
 #
 interface(`sendmail_create_log',`
+	refpolicywarn(`$0($*) has been deprecated, use sendmail_log_filetrans_sendmail_log() instead.')
+	sendmail_log_filetrans_sendmail_log($1, $2, $3)
+')
+
+########################################
+## <summary>
+##	Create specified objects in generic
+##	log directories sendmail log file type.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="object_class">
+##	<summary>
+##	Class of the object being created.
+##	</summary>
+## </param>
+## <param name="name" optional="true">
+##	<summary>
+##	The name of the object being created.
+##	</summary>
+## </param>
+#
+interface(`sendmail_log_filetrans_sendmail_log',`
 	gen_require(`
 		type sendmail_log_t;
 	')
 
-	logging_log_filetrans($1, sendmail_log_t, file)
+	logging_log_filetrans($1, sendmail_log_t, $2, $3)
 ')
 
 ########################################
@@ -304,12 +377,14 @@
 interface(`sendmail_admin',`
 	gen_require(`
 		type sendmail_t, sendmail_initrc_exec_t, sendmail_log_t;
-		type sendmail_tmp_t, sendmail_var_run_t;
+		type sendmail_tmp_t, sendmail_var_run_t, unconfined_sendmail_t;
+		type sendmail_keytab_t;
 		type mail_spool_t;
 	')
 
 	allow $1 sendmail_t:process signal_perms;
 	ps_process_pattern($1, sendmail_t)
+
 	tunable_policy(`deny_ptrace',`',`
 		allow $1 sendmail_t:process ptrace;
 	')
@@ -318,6 +393,9 @@
 	domain_system_change_exemption($1)
 	role_transition $2 sendmail_initrc_exec_t system_r;
 
+	files_list_etc($1)
+	admin_pattern($1, sendmail_keytab_t)
+
 	logging_list_logs($1)
 	admin_pattern($1, sendmail_log_t)
 
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/contrib/sensord.if centos-7.1.1503/usr/share/selinux/devel/include/contrib/sensord.if
--- centos-7.0.1406/usr/share/selinux/devel/include/contrib/sensord.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/contrib/sensord.if	2015-03-06 06:53:47.000000000 +0100
@@ -36,6 +36,7 @@
 	')
 
 	systemd_exec_systemctl($1)
+	init_reload_services($1)
 	allow $1 sensord_unit_file_t:file read_file_perms;
 	allow $1 sensord_unit_file_t:service manage_service_perms;
 
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/contrib/shutdown.if centos-7.1.1503/usr/share/selinux/devel/include/contrib/shutdown.if
--- centos-7.0.1406/usr/share/selinux/devel/include/contrib/shutdown.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/contrib/shutdown.if	2015-03-06 06:53:47.000000000 +0100
@@ -23,6 +23,7 @@
 
 	optional_policy(`
 		systemd_exec_systemctl($1)
+	init_reload_services($1)
 		init_stream_connect($1)
 		systemd_login_reboot($1)
 		systemd_login_halt($1)
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/contrib/snapper.if centos-7.1.1503/usr/share/selinux/devel/include/contrib/snapper.if
--- centos-7.0.1406/usr/share/selinux/devel/include/contrib/snapper.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/contrib/snapper.if	2015-03-06 06:53:47.000000000 +0100
@@ -40,3 +40,23 @@
 	allow $1 snapperd_t:dbus send_msg;
 	allow snapperd_t $1:dbus send_msg;
 ')
+
+#######################################
+## <summary>
+##      Allow domain to create .smapshot
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`snapper_filetrans_named_content',`
+
+    gen_require(`
+        type snapperd_data_t;
+    ')
+    
+    files_mountpoint_filetrans($1, snapperd_data_t, dir, ".snapshots")
+')
+
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/contrib/snmp.if centos-7.1.1503/usr/share/selinux/devel/include/contrib/snmp.if
--- centos-7.0.1406/usr/share/selinux/devel/include/contrib/snmp.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/contrib/snmp.if	2015-03-06 06:53:47.000000000 +0100
@@ -136,6 +136,26 @@
 
 ########################################
 ## <summary>
+##	Manage snmpd libraries.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`snmp_manage_var_lib_sock_files',`
+	gen_require(`
+		type snmpd_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	allow $1 snmpd_var_lib_t:dir list_dir_perms;
+	manage_sock_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t)
+')
+
+########################################
+## <summary>
 ##	Do not audit attempts to read
 ##	snmpd lib content.
 ## </summary>
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/contrib/sosreport.if centos-7.1.1503/usr/share/selinux/devel/include/contrib/sosreport.if
--- centos-7.0.1406/usr/share/selinux/devel/include/contrib/sosreport.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/contrib/sosreport.if	2015-03-06 06:53:47.000000000 +0100
@@ -127,3 +127,22 @@
 	files_delete_tmp_dir_entry($1)
 	delete_files_pattern($1, sosreport_tmp_t, sosreport_tmp_t)
 ')
+
+########################################
+## <summary>
+##	Send a null signal to sosreport.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`sosreport_signull',`
+	gen_require(`
+		type sosreport_t;
+	')
+
+	allow $1 sosreport_t:process signull;
+')
+
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/contrib/speech-dispatcher.if centos-7.1.1503/usr/share/selinux/devel/include/contrib/speech-dispatcher.if
--- centos-7.0.1406/usr/share/selinux/devel/include/contrib/speech-dispatcher.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/contrib/speech-dispatcher.if	2015-03-06 06:53:47.000000000 +0100
@@ -95,6 +95,7 @@
 	')
 
 	systemd_exec_systemctl($1)
+	init_reload_services($1)
     systemd_read_fifo_file_passwd_run($1)
 	allow $1 speech-dispatcher_unit_file_t:file read_file_perms;
 	allow $1 speech-dispatcher_unit_file_t:service manage_service_perms;
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/contrib/sssd.if centos-7.1.1503/usr/share/selinux/devel/include/contrib/sssd.if
--- centos-7.0.1406/usr/share/selinux/devel/include/contrib/sssd.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/contrib/sssd.if	2015-03-06 06:53:47.000000000 +0100
@@ -71,6 +71,7 @@
        ')
 
        systemd_exec_systemctl($1)
+	init_reload_services($1)
        allow $1 sssd_unit_file_t:file read_file_perms;
        allow $1 sssd_unit_file_t:service manage_service_perms;
 
@@ -176,6 +177,25 @@
 
 ########################################
 ## <summary>
+##	Delete sssd public files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`sssd_delete_public_files',`
+	gen_require(`
+		type sssd_public_t;
+	')
+
+	sssd_search_lib($1)
+	allow $1 sssd_public_t:file unlink;
+')
+
+########################################
+## <summary>
 ##	Dontaudit read sssd public files.
 ## </summary>
 ## <param name="domain">
@@ -405,7 +425,7 @@
 	dontaudit $1 sssd_var_lib_t:sock_file { read write };
 ')
 
-########################################
+#######################################
 ## <summary>
 ##     Manage keys for all user domains.
 ## </summary>
@@ -416,12 +436,31 @@
 ## </param>
 #
 interface(`sssd_manage_keys',`
-       gen_require(`
-               type sssd_t;
-       ')
+    gen_require(`
+        type sssd_t;
+    ')
+
+    allow $1 sssd_t:key manage_key_perms;
+    allow sssd_t $1:key manage_key_perms;
+')
+
+#######################################
+## <summary>
+##  Allow attempts to read and write to
+##  sssd pipes
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`sssd_rw_inherited_pipes',`
+    gen_require(`
+        type sssd_t;
+    ')
 
-       allow $1 sssd_t:key manage_key_perms;
-       allow sssd_t $1:key manage_key_perms;
+    allow $1 sssd_t:fifo_file rw_inherited_fifo_file_perms;
 ')
 
 ########################################
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/contrib/svnserve.if centos-7.1.1503/usr/share/selinux/devel/include/contrib/svnserve.if
--- centos-7.0.1406/usr/share/selinux/devel/include/contrib/svnserve.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/contrib/svnserve.if	2015-03-06 06:53:47.000000000 +0100
@@ -57,6 +57,7 @@
         ')
 
         systemd_exec_systemctl($1)
+	init_reload_services($1)
         allow $1 svnserve_unit_file_t:file read_file_perms;
         allow $1 svnserve_unit_file_t:service manage_service_perms;
 
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/contrib/swift.if centos-7.1.1503/usr/share/selinux/devel/include/contrib/swift.if
--- centos-7.0.1406/usr/share/selinux/devel/include/contrib/swift.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/contrib/swift.if	2015-03-06 06:53:47.000000000 +0100
@@ -59,6 +59,43 @@
 	manage_dirs_pattern($1, swift_data_t, swift_data_t)
 ')
 
+#####################################
+## <summary>
+##	Read and write swift lock files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`swift_manage_lock',`
+	gen_require(`
+		type swift_lock_t;
+	')
+
+	files_search_locks($1)
+    manage_files_pattern($1, swift_lock_t, swift_lock_t)
+')
+
+#######################################
+## <summary>
+##  Transition content labels to swift named content
+## </summary>
+## <param name="domain">
+##  <summary>
+##      Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`swift_filetrans_named_lock',`
+    gen_require(`
+        type swift_lock_t;
+    ')
+
+    files_lock_filetrans($1, swift_lock_t, file, "swift_server.lock")
+')
+
 ########################################
 ## <summary>
 ##	Execute swift server in the swift domain.
@@ -76,6 +113,7 @@
 	')
 
 	systemd_exec_systemctl($1)
+	init_reload_services($1)
 	allow $1 swift_unit_file_t:file read_file_perms;
 	allow $1 swift_unit_file_t:service manage_service_perms;
 
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/contrib/tftp.if centos-7.1.1503/usr/share/selinux/devel/include/contrib/tftp.if
--- centos-7.0.1406/usr/share/selinux/devel/include/contrib/tftp.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/contrib/tftp.if	2015-03-06 06:53:47.000000000 +0100
@@ -46,6 +46,44 @@
 
 ########################################
 ## <summary>
+##	Allow read tftp /var/lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`tftp_read_rw_content',`
+	gen_require(`
+		type tftpdir_rw_t;
+	')
+
+	files_search_var_lib($1)
+	read_files_pattern($1, tftpdir_rw_t, tftpdir_rw_t)
+')
+
+########################################
+## <summary>
+##	Allow write tftp /var/lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`tftp_write_rw_content',`
+	gen_require(`
+		type tftpdir_rw_t;
+	')
+
+	files_search_var_lib($1)
+	write_files_pattern($1, tftpdir_rw_t, tftpdir_rw_t)
+')
+
+########################################
+## <summary>
 ##	Manage tftp /var/lib files.
 ## </summary>
 ## <param name="domain">
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/contrib/thumb.if centos-7.1.1503/usr/share/selinux/devel/include/contrib/thumb.if
--- centos-7.0.1406/usr/share/selinux/devel/include/contrib/thumb.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/contrib/thumb.if	2015-03-06 06:53:47.000000000 +0100
@@ -18,6 +18,7 @@
 
 	corecmd_search_bin($1)
 	domtrans_pattern($1, thumb_exec_t, thumb_t)
+	dontaudit thumb_t $1:unix_stream_socket { getattr read write };
 ')
 
 
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/contrib/tomcat.if centos-7.1.1503/usr/share/selinux/devel/include/contrib/tomcat.if
--- centos-7.0.1406/usr/share/selinux/devel/include/contrib/tomcat.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/contrib/tomcat.if	2015-03-06 06:53:47.000000000 +0100
@@ -341,6 +341,7 @@
 	')
 
 	systemd_exec_systemctl($1)
+	init_reload_services($1)
 	allow $1 tomcat_unit_file_t:file read_file_perms;
 	allow $1 tomcat_unit_file_t:service manage_service_perms;
 
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/contrib/tor.if centos-7.1.1503/usr/share/selinux/devel/include/contrib/tor.if
--- centos-7.0.1406/usr/share/selinux/devel/include/contrib/tor.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/contrib/tor.if	2015-03-06 06:53:47.000000000 +0100
@@ -36,6 +36,7 @@
         ')
 
         systemd_exec_systemctl($1)
+	init_reload_services($1)
         allow $1 tor_unit_file_t:file read_file_perms;
         allow $1 tor_unit_file_t:service manage_service_perms;
 
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/contrib/usbmuxd.if centos-7.1.1503/usr/share/selinux/devel/include/contrib/usbmuxd.if
--- centos-7.0.1406/usr/share/selinux/devel/include/contrib/usbmuxd.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/contrib/usbmuxd.if	2015-03-06 06:53:47.000000000 +0100
@@ -56,6 +56,7 @@
 	')
 
 	systemd_exec_systemctl($1)
+	init_reload_services($1)
 	allow $1 usbmuxd_unit_file_t:file read_file_perms;
 	allow $1 usbmuxd_unit_file_t:service manage_service_perms;
 
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/contrib/userhelper.if centos-7.1.1503/usr/share/selinux/devel/include/contrib/userhelper.if
--- centos-7.0.1406/usr/share/selinux/devel/include/contrib/userhelper.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/contrib/userhelper.if	2015-03-06 06:53:47.000000000 +0100
@@ -315,7 +315,7 @@
 
 	auth_use_pam($1_consolehelper_t)
 
-	userdom_manage_tmpfs_role($2, $1_consolehelper_t)
+	userdom_manage_tmp_role($2, $1_consolehelper_t)
 
 	optional_policy(`
 		dbus_connect_session_bus($1_consolehelper_t)
@@ -338,7 +338,8 @@
 
 ########################################
 ## <summary>
-##	Execute the consolehelper program in the caller domain.
+##	Execute the consolehelper program
+##	in the caller domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -346,10 +347,11 @@
 ##	</summary>
 ## </param>
 #
-interface(`userhelper_exec_console',`
+interface(`userhelper_exec_consolehelper',`
 	gen_require(`
 		type consolehelper_exec_t;
 	')
 
+	corecmd_search_bin($1)
 	can_exec($1, consolehelper_exec_t)
 ')
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/contrib/virt.if centos-7.1.1503/usr/share/selinux/devel/include/contrib/virt.if
--- centos-7.0.1406/usr/share/selinux/devel/include/contrib/virt.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/contrib/virt.if	2015-03-06 06:53:47.000000000 +0100
@@ -288,6 +288,7 @@
 	read_files_pattern($1, virt_content_t, virt_content_t)
 	read_lnk_files_pattern($1, virt_content_t, virt_content_t)
 	read_blk_files_pattern($1, virt_content_t, virt_content_t)
+    read_chr_files_pattern($1, virt_content_t, virt_content_t)
 
 	tunable_policy(`virt_use_nfs',`
 		fs_list_nfs($1)
@@ -770,6 +771,7 @@
 	')
 
 	systemd_exec_systemctl($1)
+	init_reload_services($1)
 	allow $1 virtd_unit_file_t:file read_file_perms;
 	allow $1 virtd_unit_file_t:service manage_service_perms;
 
@@ -832,6 +834,7 @@
 	manage_fifo_files_pattern($1, svirt_sandbox_file_t, svirt_sandbox_file_t)
 	manage_chr_files_pattern($1, svirt_sandbox_file_t, svirt_sandbox_file_t)
 	manage_lnk_files_pattern($1, svirt_sandbox_file_t, svirt_sandbox_file_t)
+	allow $1 svirt_sandbox_file_t:dir_file_class_set { relabelfrom relabelto };
 ')
 
 #######################################
@@ -989,6 +992,42 @@
 
 ########################################
 ## <summary>
+##	Send a signal to virtd daemon.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`virt_signal',`
+	gen_require(`
+		type virtd_t;
+	')
+
+	allow $1 virtd_t:process signal;
+')
+
+########################################
+## <summary>
+##	Send null signal to virtd daemon.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`virt_signull',`
+	gen_require(`
+		type virtd_t;
+	')
+
+	allow $1 virtd_t:process signull;
+')
+
+########################################
+## <summary>
 ##	Send a signal to virtual machines
 ## </summary>
 ## <param name="domain">
@@ -1332,3 +1371,20 @@
 	virt_stream_connect_svirt($1)
 	virt_stream_connect($1)
 ')
+#######################################
+## <summary>
+##  Getattr on virt executable.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed to transition.
+##  </summary>
+## </param>
+#
+interface(`virt_default_capabilities',`
+	gen_require(`
+		attribute sandbox_caps_domain;
+	')
+
+	typeattribute $1 sandbox_caps_domain;
+')
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/contrib/vmtools.if centos-7.1.1503/usr/share/selinux/devel/include/contrib/vmtools.if
--- centos-7.0.1406/usr/share/selinux/devel/include/contrib/vmtools.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/contrib/vmtools.if	2015-03-06 06:53:47.000000000 +0100
@@ -79,6 +79,7 @@
 	')
 
 	systemd_exec_systemctl($1)
+	init_reload_services($1)
     systemd_read_fifo_file_passwd_run($1)
 	allow $1 vmtools_unit_file_t:file read_file_perms;
 	allow $1 vmtools_unit_file_t:service manage_service_perms;
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/contrib/wine.if centos-7.1.1503/usr/share/selinux/devel/include/contrib/wine.if
--- centos-7.0.1406/usr/share/selinux/devel/include/contrib/wine.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/contrib/wine.if	2015-03-06 06:53:47.000000000 +0100
@@ -52,6 +52,7 @@
 	relabel_dirs_pattern($2, wine_home_t, wine_home_t)
 	relabel_files_pattern($2, wine_home_t, wine_home_t)
 	relabel_lnk_files_pattern($2, wine_home_t, wine_home_t)
+
 ')
 
 #######################################
@@ -99,6 +100,7 @@
 
 	userdom_unpriv_usertype($1, $1_wine_t)
 	userdom_manage_tmpfs_role($2, $1_wine_t)
+	userdom_manage_home_role($2 ,$1_wine_t)
 
 	domain_mmap_low($1_wine_t)
 
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/contrib/zebra.if centos-7.1.1503/usr/share/selinux/devel/include/contrib/zebra.if
--- centos-7.0.1406/usr/share/selinux/devel/include/contrib/zebra.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/contrib/zebra.if	2015-03-06 06:53:47.000000000 +0100
@@ -58,6 +58,7 @@
     ')
 
         systemd_exec_systemctl($1)
+	init_reload_services($1)
         allow $1 zebra_unit_file_t:file read_file_perms;
         allow $1 zebra_unit_file_t:service manage_service_perms;
 
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/kernel/corenetwork.if centos-7.1.1503/usr/share/selinux/devel/include/kernel/corenetwork.if
--- centos-7.0.1406/usr/share/selinux/devel/include/kernel/corenetwork.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/kernel/corenetwork.if	2015-03-06 06:53:47.000000000 +0100
@@ -2295,6 +2295,24 @@
 
 ########################################
 ## <summary>
+##	Bind TCP sockets to all ports > 1024.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_tcp_bind_unreserved_ports',`
+	gen_require(`
+		attribute unreserved_port_t;
+	')
+
+	allow $1 unreserved_port_t:tcp_socket name_bind;
+')
+
+########################################
+## <summary>
 ##	Bind UDP sockets to all ports > 1024.
 ## </summary>
 ## <param name="domain">
@@ -3918,6 +3936,23 @@
 
 ########################################
 ## <summary>
+##	Dontaudit bind tcp sockets to defined ports.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_dontaudit_tcp_bind_all_defined_ports',`
+	gen_require(`
+		attribute defined_port_type;
+	')
+	dontaudit $1 defined_port_type:tcp_socket name_bind;
+')
+
+########################################
+## <summary>
 ##	Create all network named devices with the correct label
 ## </summary>
 ## <param name="domain">
@@ -12609,7 +12644,7 @@
 
 ########################################
 ## <summary>
-##	Send and receive TCP traffic on the bgp port.
+##	Send and receive TCP traffic on the bacula port.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -12618,17 +12653,17 @@
 ## </param>
 ## <infoflow type="both" weight="10"/>
 #
-interface(`corenet_tcp_sendrecv_bgp_port',`
+interface(`corenet_tcp_sendrecv_bacula_port',`
 	gen_require(`
-		type bgp_port_t;
+		type bacula_port_t;
 	')
 
-	allow $1 bgp_port_t:tcp_socket { send_msg recv_msg };
+	allow $1 bacula_port_t:tcp_socket { send_msg recv_msg };
 ')
 
 ########################################
 ## <summary>
-##	Send UDP traffic on the bgp port.
+##	Send UDP traffic on the bacula port.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -12637,17 +12672,17 @@
 ## </param>
 ## <infoflow type="write" weight="10"/>
 #
-interface(`corenet_udp_send_bgp_port',`
+interface(`corenet_udp_send_bacula_port',`
 	gen_require(`
-		type bgp_port_t;
+		type bacula_port_t;
 	')
 
-	allow $1 bgp_port_t:udp_socket send_msg;
+	allow $1 bacula_port_t:udp_socket send_msg;
 ')
 
 ########################################
 ## <summary>
-##	Do not audit attempts to send UDP traffic on the bgp port.
+##	Do not audit attempts to send UDP traffic on the bacula port.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -12656,17 +12691,17 @@
 ## </param>
 ## <infoflow type="none"/>
 #
-interface(`corenet_dontaudit_udp_send_bgp_port',`
+interface(`corenet_dontaudit_udp_send_bacula_port',`
 	gen_require(`
-		type bgp_port_t;
+		type bacula_port_t;
 	')
 
-	dontaudit $1 bgp_port_t:udp_socket send_msg;
+	dontaudit $1 bacula_port_t:udp_socket send_msg;
 ')
 
 ########################################
 ## <summary>
-##	Receive UDP traffic on the bgp port.
+##	Receive UDP traffic on the bacula port.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -12675,17 +12710,17 @@
 ## </param>
 ## <infoflow type="read" weight="10"/>
 #
-interface(`corenet_udp_receive_bgp_port',`
+interface(`corenet_udp_receive_bacula_port',`
 	gen_require(`
-		type bgp_port_t;
+		type bacula_port_t;
 	')
 
-	allow $1 bgp_port_t:udp_socket recv_msg;
+	allow $1 bacula_port_t:udp_socket recv_msg;
 ')
 
 ########################################
 ## <summary>
-##	Do not audit attempts to receive UDP traffic on the bgp port.
+##	Do not audit attempts to receive UDP traffic on the bacula port.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -12694,17 +12729,17 @@
 ## </param>
 ## <infoflow type="none"/>
 #
-interface(`corenet_dontaudit_udp_receive_bgp_port',`
+interface(`corenet_dontaudit_udp_receive_bacula_port',`
 	gen_require(`
-		type bgp_port_t;
+		type bacula_port_t;
 	')
 
-	dontaudit $1 bgp_port_t:udp_socket recv_msg;
+	dontaudit $1 bacula_port_t:udp_socket recv_msg;
 ')
 
 ########################################
 ## <summary>
-##	Send and receive UDP traffic on the bgp port.
+##	Send and receive UDP traffic on the bacula port.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -12713,15 +12748,15 @@
 ## </param>
 ## <infoflow type="both" weight="10"/>
 #
-interface(`corenet_udp_sendrecv_bgp_port',`
-	corenet_udp_send_bgp_port($1)
-	corenet_udp_receive_bgp_port($1)
+interface(`corenet_udp_sendrecv_bacula_port',`
+	corenet_udp_send_bacula_port($1)
+	corenet_udp_receive_bacula_port($1)
 ')
 
 ########################################
 ## <summary>
 ##	Do not audit attempts to send and receive
-##	UDP traffic on the bgp port.
+##	UDP traffic on the bacula port.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -12730,14 +12765,14 @@
 ## </param>
 ## <infoflow type="none"/>
 #
-interface(`corenet_dontaudit_udp_sendrecv_bgp_port',`
-	corenet_dontaudit_udp_send_bgp_port($1)
-	corenet_dontaudit_udp_receive_bgp_port($1)
+interface(`corenet_dontaudit_udp_sendrecv_bacula_port',`
+	corenet_dontaudit_udp_send_bacula_port($1)
+	corenet_dontaudit_udp_receive_bacula_port($1)
 ')
 
 ########################################
 ## <summary>
-##	Bind TCP sockets to the bgp port.
+##	Bind TCP sockets to the bacula port.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -12746,18 +12781,18 @@
 ## </param>
 ## <infoflow type="none"/>
 #
-interface(`corenet_tcp_bind_bgp_port',`
+interface(`corenet_tcp_bind_bacula_port',`
 	gen_require(`
-		type bgp_port_t;
+		type bacula_port_t;
 	')
 
-	allow $1 bgp_port_t:tcp_socket name_bind;
-	allow $1 self:capability net_bind_service;
+	allow $1 bacula_port_t:tcp_socket name_bind;
+	
 ')
 
 ########################################
 ## <summary>
-##	Bind UDP sockets to the bgp port.
+##	Bind UDP sockets to the bacula port.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -12766,18 +12801,18 @@
 ## </param>
 ## <infoflow type="none"/>
 #
-interface(`corenet_udp_bind_bgp_port',`
+interface(`corenet_udp_bind_bacula_port',`
 	gen_require(`
-		type bgp_port_t;
+		type bacula_port_t;
 	')
 
-	allow $1 bgp_port_t:udp_socket name_bind;
-	allow $1 self:capability net_bind_service;
+	allow $1 bacula_port_t:udp_socket name_bind;
+	
 ')
 
 ########################################
 ## <summary>
-##	Do not audit attempts to sbind to bgp port.
+##	Do not audit attempts to sbind to bacula port.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -12786,18 +12821,18 @@
 ## </param>
 ## <infoflow type="none"/>
 #
-interface(`corenet_dontaudit_udp_bind_bgp_port',`
+interface(`corenet_dontaudit_udp_bind_bacula_port',`
 	gen_require(`
-		type bgp_port_t;
+		type bacula_port_t;
 	')
 
-	dontaudit $1 bgp_port_t:udp_socket name_bind;
-	allow $1 self:capability net_bind_service;
+	dontaudit $1 bacula_port_t:udp_socket name_bind;
+	
 ')
 
 ########################################
 ## <summary>
-##	Make a TCP connection to the bgp port.
+##	Make a TCP connection to the bacula port.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -12805,16 +12840,16 @@
 ##	</summary>
 ## </param>
 #
-interface(`corenet_tcp_connect_bgp_port',`
+interface(`corenet_tcp_connect_bacula_port',`
 	gen_require(`
-		type bgp_port_t;
+		type bacula_port_t;
 	')
 
-	allow $1 bgp_port_t:tcp_socket name_connect;
+	allow $1 bacula_port_t:tcp_socket name_connect;
 ')
 ########################################
 ## <summary>
-##	Do not audit attempts to make a TCP connection to bgp port.
+##	Do not audit attempts to make a TCP connection to bacula port.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -12822,18 +12857,18 @@
 ##	</summary>
 ## </param>
 #
-interface(`corenet_dontaudit_tcp_connect_bgp_port',`
+interface(`corenet_dontaudit_tcp_connect_bacula_port',`
 	gen_require(`
-		type bgp_port_t;
+		type bacula_port_t;
 	')
 
-	dontaudit $1 bgp_port_t:tcp_socket name_connect;
+	dontaudit $1 bacula_port_t:tcp_socket name_connect;
 ')
 
 
 ########################################
 ## <summary>
-##	Send bgp_client packets.
+##	Send bacula_client packets.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -12842,17 +12877,17 @@
 ## </param>
 ## <infoflow type="write" weight="10"/>
 #
-interface(`corenet_send_bgp_client_packets',`
+interface(`corenet_send_bacula_client_packets',`
 	gen_require(`
-		type bgp_client_packet_t;
+		type bacula_client_packet_t;
 	')
 
-	allow $1 bgp_client_packet_t:packet send;
+	allow $1 bacula_client_packet_t:packet send;
 ')
 
 ########################################
 ## <summary>
-##	Do not audit attempts to send bgp_client packets.
+##	Do not audit attempts to send bacula_client packets.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -12861,17 +12896,17 @@
 ## </param>
 ## <infoflow type="none"/>
 #
-interface(`corenet_dontaudit_send_bgp_client_packets',`
+interface(`corenet_dontaudit_send_bacula_client_packets',`
 	gen_require(`
-		type bgp_client_packet_t;
+		type bacula_client_packet_t;
 	')
 
-	dontaudit $1 bgp_client_packet_t:packet send;
+	dontaudit $1 bacula_client_packet_t:packet send;
 ')
 
 ########################################
 ## <summary>
-##	Receive bgp_client packets.
+##	Receive bacula_client packets.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -12880,17 +12915,17 @@
 ## </param>
 ## <infoflow type="read" weight="10"/>
 #
-interface(`corenet_receive_bgp_client_packets',`
+interface(`corenet_receive_bacula_client_packets',`
 	gen_require(`
-		type bgp_client_packet_t;
+		type bacula_client_packet_t;
 	')
 
-	allow $1 bgp_client_packet_t:packet recv;
+	allow $1 bacula_client_packet_t:packet recv;
 ')
 
 ########################################
 ## <summary>
-##	Do not audit attempts to receive bgp_client packets.
+##	Do not audit attempts to receive bacula_client packets.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -12899,17 +12934,17 @@
 ## </param>
 ## <infoflow type="none"/>
 #
-interface(`corenet_dontaudit_receive_bgp_client_packets',`
+interface(`corenet_dontaudit_receive_bacula_client_packets',`
 	gen_require(`
-		type bgp_client_packet_t;
+		type bacula_client_packet_t;
 	')
 
-	dontaudit $1 bgp_client_packet_t:packet recv;
+	dontaudit $1 bacula_client_packet_t:packet recv;
 ')
 
 ########################################
 ## <summary>
-##	Send and receive bgp_client packets.
+##	Send and receive bacula_client packets.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -12918,14 +12953,14 @@
 ## </param>
 ## <infoflow type="both" weight="10"/>
 #
-interface(`corenet_sendrecv_bgp_client_packets',`
-	corenet_send_bgp_client_packets($1)
-	corenet_receive_bgp_client_packets($1)
+interface(`corenet_sendrecv_bacula_client_packets',`
+	corenet_send_bacula_client_packets($1)
+	corenet_receive_bacula_client_packets($1)
 ')
 
 ########################################
 ## <summary>
-##	Do not audit attempts to send and receive bgp_client packets.
+##	Do not audit attempts to send and receive bacula_client packets.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -12934,14 +12969,14 @@
 ## </param>
 ## <infoflow type="none"/>
 #
-interface(`corenet_dontaudit_sendrecv_bgp_client_packets',`
-	corenet_dontaudit_send_bgp_client_packets($1)
-	corenet_dontaudit_receive_bgp_client_packets($1)
+interface(`corenet_dontaudit_sendrecv_bacula_client_packets',`
+	corenet_dontaudit_send_bacula_client_packets($1)
+	corenet_dontaudit_receive_bacula_client_packets($1)
 ')
 
 ########################################
 ## <summary>
-##	Relabel packets to bgp_client the packet type.
+##	Relabel packets to bacula_client the packet type.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -12949,18 +12984,18 @@
 ##	</summary>
 ## </param>
 #
-interface(`corenet_relabelto_bgp_client_packets',`
+interface(`corenet_relabelto_bacula_client_packets',`
 	gen_require(`
-		type bgp_client_packet_t;
+		type bacula_client_packet_t;
 	')
 
-	allow $1 bgp_client_packet_t:packet relabelto;
+	allow $1 bacula_client_packet_t:packet relabelto;
 ')
 
 
 ########################################
 ## <summary>
-##	Send bgp_server packets.
+##	Send bacula_server packets.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -12969,17 +13004,17 @@
 ## </param>
 ## <infoflow type="write" weight="10"/>
 #
-interface(`corenet_send_bgp_server_packets',`
+interface(`corenet_send_bacula_server_packets',`
 	gen_require(`
-		type bgp_server_packet_t;
+		type bacula_server_packet_t;
 	')
 
-	allow $1 bgp_server_packet_t:packet send;
+	allow $1 bacula_server_packet_t:packet send;
 ')
 
 ########################################
 ## <summary>
-##	Do not audit attempts to send bgp_server packets.
+##	Do not audit attempts to send bacula_server packets.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -12988,17 +13023,17 @@
 ## </param>
 ## <infoflow type="none"/>
 #
-interface(`corenet_dontaudit_send_bgp_server_packets',`
+interface(`corenet_dontaudit_send_bacula_server_packets',`
 	gen_require(`
-		type bgp_server_packet_t;
+		type bacula_server_packet_t;
 	')
 
-	dontaudit $1 bgp_server_packet_t:packet send;
+	dontaudit $1 bacula_server_packet_t:packet send;
 ')
 
 ########################################
 ## <summary>
-##	Receive bgp_server packets.
+##	Receive bacula_server packets.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -13007,17 +13042,17 @@
 ## </param>
 ## <infoflow type="read" weight="10"/>
 #
-interface(`corenet_receive_bgp_server_packets',`
+interface(`corenet_receive_bacula_server_packets',`
 	gen_require(`
-		type bgp_server_packet_t;
+		type bacula_server_packet_t;
 	')
 
-	allow $1 bgp_server_packet_t:packet recv;
+	allow $1 bacula_server_packet_t:packet recv;
 ')
 
 ########################################
 ## <summary>
-##	Do not audit attempts to receive bgp_server packets.
+##	Do not audit attempts to receive bacula_server packets.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -13026,17 +13061,17 @@
 ## </param>
 ## <infoflow type="none"/>
 #
-interface(`corenet_dontaudit_receive_bgp_server_packets',`
+interface(`corenet_dontaudit_receive_bacula_server_packets',`
 	gen_require(`
-		type bgp_server_packet_t;
+		type bacula_server_packet_t;
 	')
 
-	dontaudit $1 bgp_server_packet_t:packet recv;
+	dontaudit $1 bacula_server_packet_t:packet recv;
 ')
 
 ########################################
 ## <summary>
-##	Send and receive bgp_server packets.
+##	Send and receive bacula_server packets.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -13045,14 +13080,14 @@
 ## </param>
 ## <infoflow type="both" weight="10"/>
 #
-interface(`corenet_sendrecv_bgp_server_packets',`
-	corenet_send_bgp_server_packets($1)
-	corenet_receive_bgp_server_packets($1)
+interface(`corenet_sendrecv_bacula_server_packets',`
+	corenet_send_bacula_server_packets($1)
+	corenet_receive_bacula_server_packets($1)
 ')
 
 ########################################
 ## <summary>
-##	Do not audit attempts to send and receive bgp_server packets.
+##	Do not audit attempts to send and receive bacula_server packets.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -13061,14 +13096,14 @@
 ## </param>
 ## <infoflow type="none"/>
 #
-interface(`corenet_dontaudit_sendrecv_bgp_server_packets',`
-	corenet_dontaudit_send_bgp_server_packets($1)
-	corenet_dontaudit_receive_bgp_server_packets($1)
+interface(`corenet_dontaudit_sendrecv_bacula_server_packets',`
+	corenet_dontaudit_send_bacula_server_packets($1)
+	corenet_dontaudit_receive_bacula_server_packets($1)
 ')
 
 ########################################
 ## <summary>
-##	Relabel packets to bgp_server the packet type.
+##	Relabel packets to bacula_server the packet type.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -13076,12 +13111,12 @@
 ##	</summary>
 ## </param>
 #
-interface(`corenet_relabelto_bgp_server_packets',`
+interface(`corenet_relabelto_bacula_server_packets',`
 	gen_require(`
-		type bgp_server_packet_t;
+		type bacula_server_packet_t;
 	')
 
-	allow $1 bgp_server_packet_t:packet relabelto;
+	allow $1 bacula_server_packet_t:packet relabelto;
 ')
 
 
@@ -13089,7 +13124,7 @@
 
 ########################################
 ## <summary>
-##	Send and receive TCP traffic on the bacula port.
+##	Send and receive TCP traffic on the bgp port.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -13098,17 +13133,17 @@
 ## </param>
 ## <infoflow type="both" weight="10"/>
 #
-interface(`corenet_tcp_sendrecv_bacula_port',`
+interface(`corenet_tcp_sendrecv_bgp_port',`
 	gen_require(`
-		type bacula_port_t;
+		type bgp_port_t;
 	')
 
-	allow $1 bacula_port_t:tcp_socket { send_msg recv_msg };
+	allow $1 bgp_port_t:tcp_socket { send_msg recv_msg };
 ')
 
 ########################################
 ## <summary>
-##	Send UDP traffic on the bacula port.
+##	Send UDP traffic on the bgp port.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -13117,17 +13152,17 @@
 ## </param>
 ## <infoflow type="write" weight="10"/>
 #
-interface(`corenet_udp_send_bacula_port',`
+interface(`corenet_udp_send_bgp_port',`
 	gen_require(`
-		type bacula_port_t;
+		type bgp_port_t;
 	')
 
-	allow $1 bacula_port_t:udp_socket send_msg;
+	allow $1 bgp_port_t:udp_socket send_msg;
 ')
 
 ########################################
 ## <summary>
-##	Do not audit attempts to send UDP traffic on the bacula port.
+##	Do not audit attempts to send UDP traffic on the bgp port.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -13136,17 +13171,17 @@
 ## </param>
 ## <infoflow type="none"/>
 #
-interface(`corenet_dontaudit_udp_send_bacula_port',`
+interface(`corenet_dontaudit_udp_send_bgp_port',`
 	gen_require(`
-		type bacula_port_t;
+		type bgp_port_t;
 	')
 
-	dontaudit $1 bacula_port_t:udp_socket send_msg;
+	dontaudit $1 bgp_port_t:udp_socket send_msg;
 ')
 
 ########################################
 ## <summary>
-##	Receive UDP traffic on the bacula port.
+##	Receive UDP traffic on the bgp port.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -13155,17 +13190,17 @@
 ## </param>
 ## <infoflow type="read" weight="10"/>
 #
-interface(`corenet_udp_receive_bacula_port',`
+interface(`corenet_udp_receive_bgp_port',`
 	gen_require(`
-		type bacula_port_t;
+		type bgp_port_t;
 	')
 
-	allow $1 bacula_port_t:udp_socket recv_msg;
+	allow $1 bgp_port_t:udp_socket recv_msg;
 ')
 
 ########################################
 ## <summary>
-##	Do not audit attempts to receive UDP traffic on the bacula port.
+##	Do not audit attempts to receive UDP traffic on the bgp port.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -13174,17 +13209,17 @@
 ## </param>
 ## <infoflow type="none"/>
 #
-interface(`corenet_dontaudit_udp_receive_bacula_port',`
+interface(`corenet_dontaudit_udp_receive_bgp_port',`
 	gen_require(`
-		type bacula_port_t;
+		type bgp_port_t;
 	')
 
-	dontaudit $1 bacula_port_t:udp_socket recv_msg;
+	dontaudit $1 bgp_port_t:udp_socket recv_msg;
 ')
 
 ########################################
 ## <summary>
-##	Send and receive UDP traffic on the bacula port.
+##	Send and receive UDP traffic on the bgp port.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -13193,15 +13228,15 @@
 ## </param>
 ## <infoflow type="both" weight="10"/>
 #
-interface(`corenet_udp_sendrecv_bacula_port',`
-	corenet_udp_send_bacula_port($1)
-	corenet_udp_receive_bacula_port($1)
+interface(`corenet_udp_sendrecv_bgp_port',`
+	corenet_udp_send_bgp_port($1)
+	corenet_udp_receive_bgp_port($1)
 ')
 
 ########################################
 ## <summary>
 ##	Do not audit attempts to send and receive
-##	UDP traffic on the bacula port.
+##	UDP traffic on the bgp port.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -13210,14 +13245,14 @@
 ## </param>
 ## <infoflow type="none"/>
 #
-interface(`corenet_dontaudit_udp_sendrecv_bacula_port',`
-	corenet_dontaudit_udp_send_bacula_port($1)
-	corenet_dontaudit_udp_receive_bacula_port($1)
+interface(`corenet_dontaudit_udp_sendrecv_bgp_port',`
+	corenet_dontaudit_udp_send_bgp_port($1)
+	corenet_dontaudit_udp_receive_bgp_port($1)
 ')
 
 ########################################
 ## <summary>
-##	Bind TCP sockets to the bacula port.
+##	Bind TCP sockets to the bgp port.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -13226,18 +13261,18 @@
 ## </param>
 ## <infoflow type="none"/>
 #
-interface(`corenet_tcp_bind_bacula_port',`
+interface(`corenet_tcp_bind_bgp_port',`
 	gen_require(`
-		type bacula_port_t;
+		type bgp_port_t;
 	')
 
-	allow $1 bacula_port_t:tcp_socket name_bind;
-	
+	allow $1 bgp_port_t:tcp_socket name_bind;
+	allow $1 self:capability net_bind_service;
 ')
 
 ########################################
 ## <summary>
-##	Bind UDP sockets to the bacula port.
+##	Bind UDP sockets to the bgp port.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -13246,18 +13281,18 @@
 ## </param>
 ## <infoflow type="none"/>
 #
-interface(`corenet_udp_bind_bacula_port',`
+interface(`corenet_udp_bind_bgp_port',`
 	gen_require(`
-		type bacula_port_t;
+		type bgp_port_t;
 	')
 
-	allow $1 bacula_port_t:udp_socket name_bind;
-	
+	allow $1 bgp_port_t:udp_socket name_bind;
+	allow $1 self:capability net_bind_service;
 ')
 
 ########################################
 ## <summary>
-##	Do not audit attempts to sbind to bacula port.
+##	Do not audit attempts to sbind to bgp port.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -13266,18 +13301,18 @@
 ## </param>
 ## <infoflow type="none"/>
 #
-interface(`corenet_dontaudit_udp_bind_bacula_port',`
+interface(`corenet_dontaudit_udp_bind_bgp_port',`
 	gen_require(`
-		type bacula_port_t;
+		type bgp_port_t;
 	')
 
-	dontaudit $1 bacula_port_t:udp_socket name_bind;
-	
+	dontaudit $1 bgp_port_t:udp_socket name_bind;
+	allow $1 self:capability net_bind_service;
 ')
 
 ########################################
 ## <summary>
-##	Make a TCP connection to the bacula port.
+##	Make a TCP connection to the bgp port.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -13285,16 +13320,16 @@
 ##	</summary>
 ## </param>
 #
-interface(`corenet_tcp_connect_bacula_port',`
+interface(`corenet_tcp_connect_bgp_port',`
 	gen_require(`
-		type bacula_port_t;
+		type bgp_port_t;
 	')
 
-	allow $1 bacula_port_t:tcp_socket name_connect;
+	allow $1 bgp_port_t:tcp_socket name_connect;
 ')
 ########################################
 ## <summary>
-##	Do not audit attempts to make a TCP connection to bacula port.
+##	Do not audit attempts to make a TCP connection to bgp port.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -13302,18 +13337,18 @@
 ##	</summary>
 ## </param>
 #
-interface(`corenet_dontaudit_tcp_connect_bacula_port',`
+interface(`corenet_dontaudit_tcp_connect_bgp_port',`
 	gen_require(`
-		type bacula_port_t;
+		type bgp_port_t;
 	')
 
-	dontaudit $1 bacula_port_t:tcp_socket name_connect;
+	dontaudit $1 bgp_port_t:tcp_socket name_connect;
 ')
 
 
 ########################################
 ## <summary>
-##	Send bacula_client packets.
+##	Send bgp_client packets.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -13322,17 +13357,17 @@
 ## </param>
 ## <infoflow type="write" weight="10"/>
 #
-interface(`corenet_send_bacula_client_packets',`
+interface(`corenet_send_bgp_client_packets',`
 	gen_require(`
-		type bacula_client_packet_t;
+		type bgp_client_packet_t;
 	')
 
-	allow $1 bacula_client_packet_t:packet send;
+	allow $1 bgp_client_packet_t:packet send;
 ')
 
 ########################################
 ## <summary>
-##	Do not audit attempts to send bacula_client packets.
+##	Do not audit attempts to send bgp_client packets.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -13341,17 +13376,17 @@
 ## </param>
 ## <infoflow type="none"/>
 #
-interface(`corenet_dontaudit_send_bacula_client_packets',`
+interface(`corenet_dontaudit_send_bgp_client_packets',`
 	gen_require(`
-		type bacula_client_packet_t;
+		type bgp_client_packet_t;
 	')
 
-	dontaudit $1 bacula_client_packet_t:packet send;
+	dontaudit $1 bgp_client_packet_t:packet send;
 ')
 
 ########################################
 ## <summary>
-##	Receive bacula_client packets.
+##	Receive bgp_client packets.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -13360,17 +13395,17 @@
 ## </param>
 ## <infoflow type="read" weight="10"/>
 #
-interface(`corenet_receive_bacula_client_packets',`
+interface(`corenet_receive_bgp_client_packets',`
 	gen_require(`
-		type bacula_client_packet_t;
+		type bgp_client_packet_t;
 	')
 
-	allow $1 bacula_client_packet_t:packet recv;
+	allow $1 bgp_client_packet_t:packet recv;
 ')
 
 ########################################
 ## <summary>
-##	Do not audit attempts to receive bacula_client packets.
+##	Do not audit attempts to receive bgp_client packets.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -13379,17 +13414,17 @@
 ## </param>
 ## <infoflow type="none"/>
 #
-interface(`corenet_dontaudit_receive_bacula_client_packets',`
+interface(`corenet_dontaudit_receive_bgp_client_packets',`
 	gen_require(`
-		type bacula_client_packet_t;
+		type bgp_client_packet_t;
 	')
 
-	dontaudit $1 bacula_client_packet_t:packet recv;
+	dontaudit $1 bgp_client_packet_t:packet recv;
 ')
 
 ########################################
 ## <summary>
-##	Send and receive bacula_client packets.
+##	Send and receive bgp_client packets.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -13398,14 +13433,14 @@
 ## </param>
 ## <infoflow type="both" weight="10"/>
 #
-interface(`corenet_sendrecv_bacula_client_packets',`
-	corenet_send_bacula_client_packets($1)
-	corenet_receive_bacula_client_packets($1)
+interface(`corenet_sendrecv_bgp_client_packets',`
+	corenet_send_bgp_client_packets($1)
+	corenet_receive_bgp_client_packets($1)
 ')
 
 ########################################
 ## <summary>
-##	Do not audit attempts to send and receive bacula_client packets.
+##	Do not audit attempts to send and receive bgp_client packets.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -13414,14 +13449,14 @@
 ## </param>
 ## <infoflow type="none"/>
 #
-interface(`corenet_dontaudit_sendrecv_bacula_client_packets',`
-	corenet_dontaudit_send_bacula_client_packets($1)
-	corenet_dontaudit_receive_bacula_client_packets($1)
+interface(`corenet_dontaudit_sendrecv_bgp_client_packets',`
+	corenet_dontaudit_send_bgp_client_packets($1)
+	corenet_dontaudit_receive_bgp_client_packets($1)
 ')
 
 ########################################
 ## <summary>
-##	Relabel packets to bacula_client the packet type.
+##	Relabel packets to bgp_client the packet type.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -13429,18 +13464,18 @@
 ##	</summary>
 ## </param>
 #
-interface(`corenet_relabelto_bacula_client_packets',`
+interface(`corenet_relabelto_bgp_client_packets',`
 	gen_require(`
-		type bacula_client_packet_t;
+		type bgp_client_packet_t;
 	')
 
-	allow $1 bacula_client_packet_t:packet relabelto;
+	allow $1 bgp_client_packet_t:packet relabelto;
 ')
 
 
 ########################################
 ## <summary>
-##	Send bacula_server packets.
+##	Send bgp_server packets.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -13449,17 +13484,17 @@
 ## </param>
 ## <infoflow type="write" weight="10"/>
 #
-interface(`corenet_send_bacula_server_packets',`
+interface(`corenet_send_bgp_server_packets',`
 	gen_require(`
-		type bacula_server_packet_t;
+		type bgp_server_packet_t;
 	')
 
-	allow $1 bacula_server_packet_t:packet send;
+	allow $1 bgp_server_packet_t:packet send;
 ')
 
 ########################################
 ## <summary>
-##	Do not audit attempts to send bacula_server packets.
+##	Do not audit attempts to send bgp_server packets.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -13468,17 +13503,17 @@
 ## </param>
 ## <infoflow type="none"/>
 #
-interface(`corenet_dontaudit_send_bacula_server_packets',`
+interface(`corenet_dontaudit_send_bgp_server_packets',`
 	gen_require(`
-		type bacula_server_packet_t;
+		type bgp_server_packet_t;
 	')
 
-	dontaudit $1 bacula_server_packet_t:packet send;
+	dontaudit $1 bgp_server_packet_t:packet send;
 ')
 
 ########################################
 ## <summary>
-##	Receive bacula_server packets.
+##	Receive bgp_server packets.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -13487,17 +13522,17 @@
 ## </param>
 ## <infoflow type="read" weight="10"/>
 #
-interface(`corenet_receive_bacula_server_packets',`
+interface(`corenet_receive_bgp_server_packets',`
 	gen_require(`
-		type bacula_server_packet_t;
+		type bgp_server_packet_t;
 	')
 
-	allow $1 bacula_server_packet_t:packet recv;
+	allow $1 bgp_server_packet_t:packet recv;
 ')
 
 ########################################
 ## <summary>
-##	Do not audit attempts to receive bacula_server packets.
+##	Do not audit attempts to receive bgp_server packets.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -13506,17 +13541,17 @@
 ## </param>
 ## <infoflow type="none"/>
 #
-interface(`corenet_dontaudit_receive_bacula_server_packets',`
+interface(`corenet_dontaudit_receive_bgp_server_packets',`
 	gen_require(`
-		type bacula_server_packet_t;
+		type bgp_server_packet_t;
 	')
 
-	dontaudit $1 bacula_server_packet_t:packet recv;
+	dontaudit $1 bgp_server_packet_t:packet recv;
 ')
 
 ########################################
 ## <summary>
-##	Send and receive bacula_server packets.
+##	Send and receive bgp_server packets.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -13525,14 +13560,14 @@
 ## </param>
 ## <infoflow type="both" weight="10"/>
 #
-interface(`corenet_sendrecv_bacula_server_packets',`
-	corenet_send_bacula_server_packets($1)
-	corenet_receive_bacula_server_packets($1)
+interface(`corenet_sendrecv_bgp_server_packets',`
+	corenet_send_bgp_server_packets($1)
+	corenet_receive_bgp_server_packets($1)
 ')
 
 ########################################
 ## <summary>
-##	Do not audit attempts to send and receive bacula_server packets.
+##	Do not audit attempts to send and receive bgp_server packets.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -13541,14 +13576,14 @@
 ## </param>
 ## <infoflow type="none"/>
 #
-interface(`corenet_dontaudit_sendrecv_bacula_server_packets',`
-	corenet_dontaudit_send_bacula_server_packets($1)
-	corenet_dontaudit_receive_bacula_server_packets($1)
+interface(`corenet_dontaudit_sendrecv_bgp_server_packets',`
+	corenet_dontaudit_send_bgp_server_packets($1)
+	corenet_dontaudit_receive_bgp_server_packets($1)
 ')
 
 ########################################
 ## <summary>
-##	Relabel packets to bacula_server the packet type.
+##	Relabel packets to bgp_server the packet type.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -13556,12 +13591,12 @@
 ##	</summary>
 ## </param>
 #
-interface(`corenet_relabelto_bacula_server_packets',`
+interface(`corenet_relabelto_bgp_server_packets',`
 	gen_require(`
-		type bacula_server_packet_t;
+		type bgp_server_packet_t;
 	')
 
-	allow $1 bacula_server_packet_t:packet relabelto;
+	allow $1 bgp_server_packet_t:packet relabelto;
 ')
 
 
@@ -14529,7 +14564,7 @@
 
 ########################################
 ## <summary>
-##	Send and receive TCP traffic on the biff port.
+##	Send and receive TCP traffic on the brlp port.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -14538,17 +14573,17 @@
 ## </param>
 ## <infoflow type="both" weight="10"/>
 #
-interface(`corenet_tcp_sendrecv_biff_port',`
+interface(`corenet_tcp_sendrecv_brlp_port',`
 	gen_require(`
-		type biff_port_t;
+		type brlp_port_t;
 	')
 
-	allow $1 biff_port_t:tcp_socket { send_msg recv_msg };
+	allow $1 brlp_port_t:tcp_socket { send_msg recv_msg };
 ')
 
 ########################################
 ## <summary>
-##	Send UDP traffic on the biff port.
+##	Send UDP traffic on the brlp port.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -14557,17 +14592,17 @@
 ## </param>
 ## <infoflow type="write" weight="10"/>
 #
-interface(`corenet_udp_send_biff_port',`
+interface(`corenet_udp_send_brlp_port',`
 	gen_require(`
-		type biff_port_t;
+		type brlp_port_t;
 	')
 
-	allow $1 biff_port_t:udp_socket send_msg;
+	allow $1 brlp_port_t:udp_socket send_msg;
 ')
 
 ########################################
 ## <summary>
-##	Do not audit attempts to send UDP traffic on the biff port.
+##	Do not audit attempts to send UDP traffic on the brlp port.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -14576,17 +14611,17 @@
 ## </param>
 ## <infoflow type="none"/>
 #
-interface(`corenet_dontaudit_udp_send_biff_port',`
+interface(`corenet_dontaudit_udp_send_brlp_port',`
 	gen_require(`
-		type biff_port_t;
+		type brlp_port_t;
 	')
 
-	dontaudit $1 biff_port_t:udp_socket send_msg;
+	dontaudit $1 brlp_port_t:udp_socket send_msg;
 ')
 
 ########################################
 ## <summary>
-##	Receive UDP traffic on the biff port.
+##	Receive UDP traffic on the brlp port.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -14595,17 +14630,17 @@
 ## </param>
 ## <infoflow type="read" weight="10"/>
 #
-interface(`corenet_udp_receive_biff_port',`
+interface(`corenet_udp_receive_brlp_port',`
 	gen_require(`
-		type biff_port_t;
+		type brlp_port_t;
 	')
 
-	allow $1 biff_port_t:udp_socket recv_msg;
+	allow $1 brlp_port_t:udp_socket recv_msg;
 ')
 
 ########################################
 ## <summary>
-##	Do not audit attempts to receive UDP traffic on the biff port.
+##	Do not audit attempts to receive UDP traffic on the brlp port.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -14614,17 +14649,17 @@
 ## </param>
 ## <infoflow type="none"/>
 #
-interface(`corenet_dontaudit_udp_receive_biff_port',`
+interface(`corenet_dontaudit_udp_receive_brlp_port',`
 	gen_require(`
-		type biff_port_t;
+		type brlp_port_t;
 	')
 
-	dontaudit $1 biff_port_t:udp_socket recv_msg;
+	dontaudit $1 brlp_port_t:udp_socket recv_msg;
 ')
 
 ########################################
 ## <summary>
-##	Send and receive UDP traffic on the biff port.
+##	Send and receive UDP traffic on the brlp port.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -14633,15 +14668,15 @@
 ## </param>
 ## <infoflow type="both" weight="10"/>
 #
-interface(`corenet_udp_sendrecv_biff_port',`
-	corenet_udp_send_biff_port($1)
-	corenet_udp_receive_biff_port($1)
+interface(`corenet_udp_sendrecv_brlp_port',`
+	corenet_udp_send_brlp_port($1)
+	corenet_udp_receive_brlp_port($1)
 ')
 
 ########################################
 ## <summary>
 ##	Do not audit attempts to send and receive
-##	UDP traffic on the biff port.
+##	UDP traffic on the brlp port.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -14650,14 +14685,14 @@
 ## </param>
 ## <infoflow type="none"/>
 #
-interface(`corenet_dontaudit_udp_sendrecv_biff_port',`
-	corenet_dontaudit_udp_send_biff_port($1)
-	corenet_dontaudit_udp_receive_biff_port($1)
+interface(`corenet_dontaudit_udp_sendrecv_brlp_port',`
+	corenet_dontaudit_udp_send_brlp_port($1)
+	corenet_dontaudit_udp_receive_brlp_port($1)
 ')
 
 ########################################
 ## <summary>
-##	Bind TCP sockets to the biff port.
+##	Bind TCP sockets to the brlp port.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -14666,18 +14701,18 @@
 ## </param>
 ## <infoflow type="none"/>
 #
-interface(`corenet_tcp_bind_biff_port',`
+interface(`corenet_tcp_bind_brlp_port',`
 	gen_require(`
-		type biff_port_t;
+		type brlp_port_t;
 	')
 
-	allow $1 biff_port_t:tcp_socket name_bind;
+	allow $1 brlp_port_t:tcp_socket name_bind;
 	
 ')
 
 ########################################
 ## <summary>
-##	Bind UDP sockets to the biff port.
+##	Bind UDP sockets to the brlp port.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -14686,18 +14721,18 @@
 ## </param>
 ## <infoflow type="none"/>
 #
-interface(`corenet_udp_bind_biff_port',`
+interface(`corenet_udp_bind_brlp_port',`
 	gen_require(`
-		type biff_port_t;
+		type brlp_port_t;
 	')
 
-	allow $1 biff_port_t:udp_socket name_bind;
+	allow $1 brlp_port_t:udp_socket name_bind;
 	
 ')
 
 ########################################
 ## <summary>
-##	Do not audit attempts to sbind to biff port.
+##	Do not audit attempts to sbind to brlp port.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -14706,18 +14741,18 @@
 ## </param>
 ## <infoflow type="none"/>
 #
-interface(`corenet_dontaudit_udp_bind_biff_port',`
+interface(`corenet_dontaudit_udp_bind_brlp_port',`
 	gen_require(`
-		type biff_port_t;
+		type brlp_port_t;
 	')
 
-	dontaudit $1 biff_port_t:udp_socket name_bind;
+	dontaudit $1 brlp_port_t:udp_socket name_bind;
 	
 ')
 
 ########################################
 ## <summary>
-##	Make a TCP connection to the biff port.
+##	Make a TCP connection to the brlp port.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -14725,16 +14760,16 @@
 ##	</summary>
 ## </param>
 #
-interface(`corenet_tcp_connect_biff_port',`
+interface(`corenet_tcp_connect_brlp_port',`
 	gen_require(`
-		type biff_port_t;
+		type brlp_port_t;
 	')
 
-	allow $1 biff_port_t:tcp_socket name_connect;
+	allow $1 brlp_port_t:tcp_socket name_connect;
 ')
 ########################################
 ## <summary>
-##	Do not audit attempts to make a TCP connection to biff port.
+##	Do not audit attempts to make a TCP connection to brlp port.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -14742,18 +14777,18 @@
 ##	</summary>
 ## </param>
 #
-interface(`corenet_dontaudit_tcp_connect_biff_port',`
+interface(`corenet_dontaudit_tcp_connect_brlp_port',`
 	gen_require(`
-		type biff_port_t;
+		type brlp_port_t;
 	')
 
-	dontaudit $1 biff_port_t:tcp_socket name_connect;
+	dontaudit $1 brlp_port_t:tcp_socket name_connect;
 ')
 
 
 ########################################
 ## <summary>
-##	Send biff_client packets.
+##	Send brlp_client packets.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -14762,17 +14797,17 @@
 ## </param>
 ## <infoflow type="write" weight="10"/>
 #
-interface(`corenet_send_biff_client_packets',`
+interface(`corenet_send_brlp_client_packets',`
 	gen_require(`
-		type biff_client_packet_t;
+		type brlp_client_packet_t;
 	')
 
-	allow $1 biff_client_packet_t:packet send;
+	allow $1 brlp_client_packet_t:packet send;
 ')
 
 ########################################
 ## <summary>
-##	Do not audit attempts to send biff_client packets.
+##	Do not audit attempts to send brlp_client packets.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -14781,17 +14816,497 @@
 ## </param>
 ## <infoflow type="none"/>
 #
-interface(`corenet_dontaudit_send_biff_client_packets',`
+interface(`corenet_dontaudit_send_brlp_client_packets',`
 	gen_require(`
-		type biff_client_packet_t;
+		type brlp_client_packet_t;
 	')
 
-	dontaudit $1 biff_client_packet_t:packet send;
+	dontaudit $1 brlp_client_packet_t:packet send;
 ')
 
 ########################################
 ## <summary>
-##	Receive biff_client packets.
+##	Receive brlp_client packets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_brlp_client_packets',`
+	gen_require(`
+		type brlp_client_packet_t;
+	')
+
+	allow $1 brlp_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to receive brlp_client packets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_brlp_client_packets',`
+	gen_require(`
+		type brlp_client_packet_t;
+	')
+
+	dontaudit $1 brlp_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+##	Send and receive brlp_client packets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_brlp_client_packets',`
+	corenet_send_brlp_client_packets($1)
+	corenet_receive_brlp_client_packets($1)
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to send and receive brlp_client packets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_brlp_client_packets',`
+	corenet_dontaudit_send_brlp_client_packets($1)
+	corenet_dontaudit_receive_brlp_client_packets($1)
+')
+
+########################################
+## <summary>
+##	Relabel packets to brlp_client the packet type.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_relabelto_brlp_client_packets',`
+	gen_require(`
+		type brlp_client_packet_t;
+	')
+
+	allow $1 brlp_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+##	Send brlp_server packets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_brlp_server_packets',`
+	gen_require(`
+		type brlp_server_packet_t;
+	')
+
+	allow $1 brlp_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to send brlp_server packets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_brlp_server_packets',`
+	gen_require(`
+		type brlp_server_packet_t;
+	')
+
+	dontaudit $1 brlp_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+##	Receive brlp_server packets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_brlp_server_packets',`
+	gen_require(`
+		type brlp_server_packet_t;
+	')
+
+	allow $1 brlp_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to receive brlp_server packets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_brlp_server_packets',`
+	gen_require(`
+		type brlp_server_packet_t;
+	')
+
+	dontaudit $1 brlp_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+##	Send and receive brlp_server packets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_brlp_server_packets',`
+	corenet_send_brlp_server_packets($1)
+	corenet_receive_brlp_server_packets($1)
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to send and receive brlp_server packets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_brlp_server_packets',`
+	corenet_dontaudit_send_brlp_server_packets($1)
+	corenet_dontaudit_receive_brlp_server_packets($1)
+')
+
+########################################
+## <summary>
+##	Relabel packets to brlp_server the packet type.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_relabelto_brlp_server_packets',`
+	gen_require(`
+		type brlp_server_packet_t;
+	')
+
+	allow $1 brlp_server_packet_t:packet relabelto;
+')
+
+
+
+
+########################################
+## <summary>
+##	Send and receive TCP traffic on the biff port.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_biff_port',`
+	gen_require(`
+		type biff_port_t;
+	')
+
+	allow $1 biff_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+##	Send UDP traffic on the biff port.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_biff_port',`
+	gen_require(`
+		type biff_port_t;
+	')
+
+	allow $1 biff_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to send UDP traffic on the biff port.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_biff_port',`
+	gen_require(`
+		type biff_port_t;
+	')
+
+	dontaudit $1 biff_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+##	Receive UDP traffic on the biff port.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_biff_port',`
+	gen_require(`
+		type biff_port_t;
+	')
+
+	allow $1 biff_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to receive UDP traffic on the biff port.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_biff_port',`
+	gen_require(`
+		type biff_port_t;
+	')
+
+	dontaudit $1 biff_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+##	Send and receive UDP traffic on the biff port.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_biff_port',`
+	corenet_udp_send_biff_port($1)
+	corenet_udp_receive_biff_port($1)
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to send and receive
+##	UDP traffic on the biff port.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_biff_port',`
+	corenet_dontaudit_udp_send_biff_port($1)
+	corenet_dontaudit_udp_receive_biff_port($1)
+')
+
+########################################
+## <summary>
+##	Bind TCP sockets to the biff port.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_biff_port',`
+	gen_require(`
+		type biff_port_t;
+	')
+
+	allow $1 biff_port_t:tcp_socket name_bind;
+	
+')
+
+########################################
+## <summary>
+##	Bind UDP sockets to the biff port.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_biff_port',`
+	gen_require(`
+		type biff_port_t;
+	')
+
+	allow $1 biff_port_t:udp_socket name_bind;
+	
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to sbind to biff port.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_bind_biff_port',`
+	gen_require(`
+		type biff_port_t;
+	')
+
+	dontaudit $1 biff_port_t:udp_socket name_bind;
+	
+')
+
+########################################
+## <summary>
+##	Make a TCP connection to the biff port.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_tcp_connect_biff_port',`
+	gen_require(`
+		type biff_port_t;
+	')
+
+	allow $1 biff_port_t:tcp_socket name_connect;
+')
+########################################
+## <summary>
+##	Do not audit attempts to make a TCP connection to biff port.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_dontaudit_tcp_connect_biff_port',`
+	gen_require(`
+		type biff_port_t;
+	')
+
+	dontaudit $1 biff_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+##	Send biff_client packets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_biff_client_packets',`
+	gen_require(`
+		type biff_client_packet_t;
+	')
+
+	allow $1 biff_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to send biff_client packets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_biff_client_packets',`
+	gen_require(`
+		type biff_client_packet_t;
+	')
+
+	dontaudit $1 biff_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+##	Receive biff_client packets.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -54849,7 +55364,7 @@
 
 ########################################
 ## <summary>
-##	Send and receive TCP traffic on the rlogin port.
+##	Send and receive TCP traffic on the kubernetes port.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -54858,17 +55373,17 @@
 ## </param>
 ## <infoflow type="both" weight="10"/>
 #
-interface(`corenet_tcp_sendrecv_rlogin_port',`
+interface(`corenet_tcp_sendrecv_kubernetes_port',`
 	gen_require(`
-		type rlogin_port_t;
+		type kubernetes_port_t;
 	')
 
-	allow $1 rlogin_port_t:tcp_socket { send_msg recv_msg };
+	allow $1 kubernetes_port_t:tcp_socket { send_msg recv_msg };
 ')
 
 ########################################
 ## <summary>
-##	Send UDP traffic on the rlogin port.
+##	Send UDP traffic on the kubernetes port.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -54877,17 +55392,17 @@
 ## </param>
 ## <infoflow type="write" weight="10"/>
 #
-interface(`corenet_udp_send_rlogin_port',`
+interface(`corenet_udp_send_kubernetes_port',`
 	gen_require(`
-		type rlogin_port_t;
+		type kubernetes_port_t;
 	')
 
-	allow $1 rlogin_port_t:udp_socket send_msg;
+	allow $1 kubernetes_port_t:udp_socket send_msg;
 ')
 
 ########################################
 ## <summary>
-##	Do not audit attempts to send UDP traffic on the rlogin port.
+##	Do not audit attempts to send UDP traffic on the kubernetes port.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -54896,17 +55411,17 @@
 ## </param>
 ## <infoflow type="none"/>
 #
-interface(`corenet_dontaudit_udp_send_rlogin_port',`
+interface(`corenet_dontaudit_udp_send_kubernetes_port',`
 	gen_require(`
-		type rlogin_port_t;
+		type kubernetes_port_t;
 	')
 
-	dontaudit $1 rlogin_port_t:udp_socket send_msg;
+	dontaudit $1 kubernetes_port_t:udp_socket send_msg;
 ')
 
 ########################################
 ## <summary>
-##	Receive UDP traffic on the rlogin port.
+##	Receive UDP traffic on the kubernetes port.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -54915,17 +55430,17 @@
 ## </param>
 ## <infoflow type="read" weight="10"/>
 #
-interface(`corenet_udp_receive_rlogin_port',`
+interface(`corenet_udp_receive_kubernetes_port',`
 	gen_require(`
-		type rlogin_port_t;
+		type kubernetes_port_t;
 	')
 
-	allow $1 rlogin_port_t:udp_socket recv_msg;
+	allow $1 kubernetes_port_t:udp_socket recv_msg;
 ')
 
 ########################################
 ## <summary>
-##	Do not audit attempts to receive UDP traffic on the rlogin port.
+##	Do not audit attempts to receive UDP traffic on the kubernetes port.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -54934,17 +55449,17 @@
 ## </param>
 ## <infoflow type="none"/>
 #
-interface(`corenet_dontaudit_udp_receive_rlogin_port',`
+interface(`corenet_dontaudit_udp_receive_kubernetes_port',`
 	gen_require(`
-		type rlogin_port_t;
+		type kubernetes_port_t;
 	')
 
-	dontaudit $1 rlogin_port_t:udp_socket recv_msg;
+	dontaudit $1 kubernetes_port_t:udp_socket recv_msg;
 ')
 
 ########################################
 ## <summary>
-##	Send and receive UDP traffic on the rlogin port.
+##	Send and receive UDP traffic on the kubernetes port.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -54953,15 +55468,15 @@
 ## </param>
 ## <infoflow type="both" weight="10"/>
 #
-interface(`corenet_udp_sendrecv_rlogin_port',`
-	corenet_udp_send_rlogin_port($1)
-	corenet_udp_receive_rlogin_port($1)
+interface(`corenet_udp_sendrecv_kubernetes_port',`
+	corenet_udp_send_kubernetes_port($1)
+	corenet_udp_receive_kubernetes_port($1)
 ')
 
 ########################################
 ## <summary>
 ##	Do not audit attempts to send and receive
-##	UDP traffic on the rlogin port.
+##	UDP traffic on the kubernetes port.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -54970,14 +55485,14 @@
 ## </param>
 ## <infoflow type="none"/>
 #
-interface(`corenet_dontaudit_udp_sendrecv_rlogin_port',`
-	corenet_dontaudit_udp_send_rlogin_port($1)
-	corenet_dontaudit_udp_receive_rlogin_port($1)
+interface(`corenet_dontaudit_udp_sendrecv_kubernetes_port',`
+	corenet_dontaudit_udp_send_kubernetes_port($1)
+	corenet_dontaudit_udp_receive_kubernetes_port($1)
 ')
 
 ########################################
 ## <summary>
-##	Bind TCP sockets to the rlogin port.
+##	Bind TCP sockets to the kubernetes port.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -54986,18 +55501,18 @@
 ## </param>
 ## <infoflow type="none"/>
 #
-interface(`corenet_tcp_bind_rlogin_port',`
+interface(`corenet_tcp_bind_kubernetes_port',`
 	gen_require(`
-		type rlogin_port_t;
+		type kubernetes_port_t;
 	')
 
-	allow $1 rlogin_port_t:tcp_socket name_bind;
-	allow $1 self:capability net_bind_service;
+	allow $1 kubernetes_port_t:tcp_socket name_bind;
+	
 ')
 
 ########################################
 ## <summary>
-##	Bind UDP sockets to the rlogin port.
+##	Bind UDP sockets to the kubernetes port.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -55006,18 +55521,18 @@
 ## </param>
 ## <infoflow type="none"/>
 #
-interface(`corenet_udp_bind_rlogin_port',`
+interface(`corenet_udp_bind_kubernetes_port',`
 	gen_require(`
-		type rlogin_port_t;
+		type kubernetes_port_t;
 	')
 
-	allow $1 rlogin_port_t:udp_socket name_bind;
-	allow $1 self:capability net_bind_service;
+	allow $1 kubernetes_port_t:udp_socket name_bind;
+	
 ')
 
 ########################################
 ## <summary>
-##	Do not audit attempts to sbind to rlogin port.
+##	Do not audit attempts to sbind to kubernetes port.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -55026,18 +55541,18 @@
 ## </param>
 ## <infoflow type="none"/>
 #
-interface(`corenet_dontaudit_udp_bind_rlogin_port',`
+interface(`corenet_dontaudit_udp_bind_kubernetes_port',`
 	gen_require(`
-		type rlogin_port_t;
+		type kubernetes_port_t;
 	')
 
-	dontaudit $1 rlogin_port_t:udp_socket name_bind;
-	allow $1 self:capability net_bind_service;
+	dontaudit $1 kubernetes_port_t:udp_socket name_bind;
+	
 ')
 
 ########################################
 ## <summary>
-##	Make a TCP connection to the rlogin port.
+##	Make a TCP connection to the kubernetes port.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -55045,16 +55560,16 @@
 ##	</summary>
 ## </param>
 #
-interface(`corenet_tcp_connect_rlogin_port',`
+interface(`corenet_tcp_connect_kubernetes_port',`
 	gen_require(`
-		type rlogin_port_t;
+		type kubernetes_port_t;
 	')
 
-	allow $1 rlogin_port_t:tcp_socket name_connect;
+	allow $1 kubernetes_port_t:tcp_socket name_connect;
 ')
 ########################################
 ## <summary>
-##	Do not audit attempts to make a TCP connection to rlogin port.
+##	Do not audit attempts to make a TCP connection to kubernetes port.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -55062,18 +55577,18 @@
 ##	</summary>
 ## </param>
 #
-interface(`corenet_dontaudit_tcp_connect_rlogin_port',`
+interface(`corenet_dontaudit_tcp_connect_kubernetes_port',`
 	gen_require(`
-		type rlogin_port_t;
+		type kubernetes_port_t;
 	')
 
-	dontaudit $1 rlogin_port_t:tcp_socket name_connect;
+	dontaudit $1 kubernetes_port_t:tcp_socket name_connect;
 ')
 
 
 ########################################
 ## <summary>
-##	Send rlogin_client packets.
+##	Send kubernetes_client packets.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -55082,17 +55597,17 @@
 ## </param>
 ## <infoflow type="write" weight="10"/>
 #
-interface(`corenet_send_rlogin_client_packets',`
+interface(`corenet_send_kubernetes_client_packets',`
 	gen_require(`
-		type rlogin_client_packet_t;
+		type kubernetes_client_packet_t;
 	')
 
-	allow $1 rlogin_client_packet_t:packet send;
+	allow $1 kubernetes_client_packet_t:packet send;
 ')
 
 ########################################
 ## <summary>
-##	Do not audit attempts to send rlogin_client packets.
+##	Do not audit attempts to send kubernetes_client packets.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -55101,17 +55616,17 @@
 ## </param>
 ## <infoflow type="none"/>
 #
-interface(`corenet_dontaudit_send_rlogin_client_packets',`
+interface(`corenet_dontaudit_send_kubernetes_client_packets',`
 	gen_require(`
-		type rlogin_client_packet_t;
+		type kubernetes_client_packet_t;
 	')
 
-	dontaudit $1 rlogin_client_packet_t:packet send;
+	dontaudit $1 kubernetes_client_packet_t:packet send;
 ')
 
 ########################################
 ## <summary>
-##	Receive rlogin_client packets.
+##	Receive kubernetes_client packets.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -55120,17 +55635,17 @@
 ## </param>
 ## <infoflow type="read" weight="10"/>
 #
-interface(`corenet_receive_rlogin_client_packets',`
+interface(`corenet_receive_kubernetes_client_packets',`
 	gen_require(`
-		type rlogin_client_packet_t;
+		type kubernetes_client_packet_t;
 	')
 
-	allow $1 rlogin_client_packet_t:packet recv;
+	allow $1 kubernetes_client_packet_t:packet recv;
 ')
 
 ########################################
 ## <summary>
-##	Do not audit attempts to receive rlogin_client packets.
+##	Do not audit attempts to receive kubernetes_client packets.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -55139,17 +55654,17 @@
 ## </param>
 ## <infoflow type="none"/>
 #
-interface(`corenet_dontaudit_receive_rlogin_client_packets',`
+interface(`corenet_dontaudit_receive_kubernetes_client_packets',`
 	gen_require(`
-		type rlogin_client_packet_t;
+		type kubernetes_client_packet_t;
 	')
 
-	dontaudit $1 rlogin_client_packet_t:packet recv;
+	dontaudit $1 kubernetes_client_packet_t:packet recv;
 ')
 
 ########################################
 ## <summary>
-##	Send and receive rlogin_client packets.
+##	Send and receive kubernetes_client packets.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -55158,14 +55673,14 @@
 ## </param>
 ## <infoflow type="both" weight="10"/>
 #
-interface(`corenet_sendrecv_rlogin_client_packets',`
-	corenet_send_rlogin_client_packets($1)
-	corenet_receive_rlogin_client_packets($1)
+interface(`corenet_sendrecv_kubernetes_client_packets',`
+	corenet_send_kubernetes_client_packets($1)
+	corenet_receive_kubernetes_client_packets($1)
 ')
 
 ########################################
 ## <summary>
-##	Do not audit attempts to send and receive rlogin_client packets.
+##	Do not audit attempts to send and receive kubernetes_client packets.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -55174,14 +55689,974 @@
 ## </param>
 ## <infoflow type="none"/>
 #
-interface(`corenet_dontaudit_sendrecv_rlogin_client_packets',`
-	corenet_dontaudit_send_rlogin_client_packets($1)
-	corenet_dontaudit_receive_rlogin_client_packets($1)
+interface(`corenet_dontaudit_sendrecv_kubernetes_client_packets',`
+	corenet_dontaudit_send_kubernetes_client_packets($1)
+	corenet_dontaudit_receive_kubernetes_client_packets($1)
 ')
 
 ########################################
 ## <summary>
-##	Relabel packets to rlogin_client the packet type.
+##	Relabel packets to kubernetes_client the packet type.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_relabelto_kubernetes_client_packets',`
+	gen_require(`
+		type kubernetes_client_packet_t;
+	')
+
+	allow $1 kubernetes_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+##	Send kubernetes_server packets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_kubernetes_server_packets',`
+	gen_require(`
+		type kubernetes_server_packet_t;
+	')
+
+	allow $1 kubernetes_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to send kubernetes_server packets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_kubernetes_server_packets',`
+	gen_require(`
+		type kubernetes_server_packet_t;
+	')
+
+	dontaudit $1 kubernetes_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+##	Receive kubernetes_server packets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_kubernetes_server_packets',`
+	gen_require(`
+		type kubernetes_server_packet_t;
+	')
+
+	allow $1 kubernetes_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to receive kubernetes_server packets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_kubernetes_server_packets',`
+	gen_require(`
+		type kubernetes_server_packet_t;
+	')
+
+	dontaudit $1 kubernetes_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+##	Send and receive kubernetes_server packets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_kubernetes_server_packets',`
+	corenet_send_kubernetes_server_packets($1)
+	corenet_receive_kubernetes_server_packets($1)
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to send and receive kubernetes_server packets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_kubernetes_server_packets',`
+	corenet_dontaudit_send_kubernetes_server_packets($1)
+	corenet_dontaudit_receive_kubernetes_server_packets($1)
+')
+
+########################################
+## <summary>
+##	Relabel packets to kubernetes_server the packet type.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_relabelto_kubernetes_server_packets',`
+	gen_require(`
+		type kubernetes_server_packet_t;
+	')
+
+	allow $1 kubernetes_server_packet_t:packet relabelto;
+')
+
+
+
+
+########################################
+## <summary>
+##	Send and receive TCP traffic on the rabbitmq port.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_rabbitmq_port',`
+	gen_require(`
+		type rabbitmq_port_t;
+	')
+
+	allow $1 rabbitmq_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+##	Send UDP traffic on the rabbitmq port.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_rabbitmq_port',`
+	gen_require(`
+		type rabbitmq_port_t;
+	')
+
+	allow $1 rabbitmq_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to send UDP traffic on the rabbitmq port.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_rabbitmq_port',`
+	gen_require(`
+		type rabbitmq_port_t;
+	')
+
+	dontaudit $1 rabbitmq_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+##	Receive UDP traffic on the rabbitmq port.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_rabbitmq_port',`
+	gen_require(`
+		type rabbitmq_port_t;
+	')
+
+	allow $1 rabbitmq_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to receive UDP traffic on the rabbitmq port.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_rabbitmq_port',`
+	gen_require(`
+		type rabbitmq_port_t;
+	')
+
+	dontaudit $1 rabbitmq_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+##	Send and receive UDP traffic on the rabbitmq port.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_rabbitmq_port',`
+	corenet_udp_send_rabbitmq_port($1)
+	corenet_udp_receive_rabbitmq_port($1)
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to send and receive
+##	UDP traffic on the rabbitmq port.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_rabbitmq_port',`
+	corenet_dontaudit_udp_send_rabbitmq_port($1)
+	corenet_dontaudit_udp_receive_rabbitmq_port($1)
+')
+
+########################################
+## <summary>
+##	Bind TCP sockets to the rabbitmq port.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_rabbitmq_port',`
+	gen_require(`
+		type rabbitmq_port_t;
+	')
+
+	allow $1 rabbitmq_port_t:tcp_socket name_bind;
+	
+')
+
+########################################
+## <summary>
+##	Bind UDP sockets to the rabbitmq port.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_rabbitmq_port',`
+	gen_require(`
+		type rabbitmq_port_t;
+	')
+
+	allow $1 rabbitmq_port_t:udp_socket name_bind;
+	
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to sbind to rabbitmq port.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_bind_rabbitmq_port',`
+	gen_require(`
+		type rabbitmq_port_t;
+	')
+
+	dontaudit $1 rabbitmq_port_t:udp_socket name_bind;
+	
+')
+
+########################################
+## <summary>
+##	Make a TCP connection to the rabbitmq port.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_tcp_connect_rabbitmq_port',`
+	gen_require(`
+		type rabbitmq_port_t;
+	')
+
+	allow $1 rabbitmq_port_t:tcp_socket name_connect;
+')
+########################################
+## <summary>
+##	Do not audit attempts to make a TCP connection to rabbitmq port.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_dontaudit_tcp_connect_rabbitmq_port',`
+	gen_require(`
+		type rabbitmq_port_t;
+	')
+
+	dontaudit $1 rabbitmq_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+##	Send rabbitmq_client packets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_rabbitmq_client_packets',`
+	gen_require(`
+		type rabbitmq_client_packet_t;
+	')
+
+	allow $1 rabbitmq_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to send rabbitmq_client packets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_rabbitmq_client_packets',`
+	gen_require(`
+		type rabbitmq_client_packet_t;
+	')
+
+	dontaudit $1 rabbitmq_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+##	Receive rabbitmq_client packets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_rabbitmq_client_packets',`
+	gen_require(`
+		type rabbitmq_client_packet_t;
+	')
+
+	allow $1 rabbitmq_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to receive rabbitmq_client packets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_rabbitmq_client_packets',`
+	gen_require(`
+		type rabbitmq_client_packet_t;
+	')
+
+	dontaudit $1 rabbitmq_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+##	Send and receive rabbitmq_client packets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_rabbitmq_client_packets',`
+	corenet_send_rabbitmq_client_packets($1)
+	corenet_receive_rabbitmq_client_packets($1)
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to send and receive rabbitmq_client packets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_rabbitmq_client_packets',`
+	corenet_dontaudit_send_rabbitmq_client_packets($1)
+	corenet_dontaudit_receive_rabbitmq_client_packets($1)
+')
+
+########################################
+## <summary>
+##	Relabel packets to rabbitmq_client the packet type.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_relabelto_rabbitmq_client_packets',`
+	gen_require(`
+		type rabbitmq_client_packet_t;
+	')
+
+	allow $1 rabbitmq_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+##	Send rabbitmq_server packets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_rabbitmq_server_packets',`
+	gen_require(`
+		type rabbitmq_server_packet_t;
+	')
+
+	allow $1 rabbitmq_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to send rabbitmq_server packets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_rabbitmq_server_packets',`
+	gen_require(`
+		type rabbitmq_server_packet_t;
+	')
+
+	dontaudit $1 rabbitmq_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+##	Receive rabbitmq_server packets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_rabbitmq_server_packets',`
+	gen_require(`
+		type rabbitmq_server_packet_t;
+	')
+
+	allow $1 rabbitmq_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to receive rabbitmq_server packets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_rabbitmq_server_packets',`
+	gen_require(`
+		type rabbitmq_server_packet_t;
+	')
+
+	dontaudit $1 rabbitmq_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+##	Send and receive rabbitmq_server packets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_rabbitmq_server_packets',`
+	corenet_send_rabbitmq_server_packets($1)
+	corenet_receive_rabbitmq_server_packets($1)
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to send and receive rabbitmq_server packets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_rabbitmq_server_packets',`
+	corenet_dontaudit_send_rabbitmq_server_packets($1)
+	corenet_dontaudit_receive_rabbitmq_server_packets($1)
+')
+
+########################################
+## <summary>
+##	Relabel packets to rabbitmq_server the packet type.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_relabelto_rabbitmq_server_packets',`
+	gen_require(`
+		type rabbitmq_server_packet_t;
+	')
+
+	allow $1 rabbitmq_server_packet_t:packet relabelto;
+')
+
+
+
+
+########################################
+## <summary>
+##	Send and receive TCP traffic on the rlogin port.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_rlogin_port',`
+	gen_require(`
+		type rlogin_port_t;
+	')
+
+	allow $1 rlogin_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+##	Send UDP traffic on the rlogin port.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_rlogin_port',`
+	gen_require(`
+		type rlogin_port_t;
+	')
+
+	allow $1 rlogin_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to send UDP traffic on the rlogin port.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_rlogin_port',`
+	gen_require(`
+		type rlogin_port_t;
+	')
+
+	dontaudit $1 rlogin_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+##	Receive UDP traffic on the rlogin port.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_rlogin_port',`
+	gen_require(`
+		type rlogin_port_t;
+	')
+
+	allow $1 rlogin_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to receive UDP traffic on the rlogin port.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_rlogin_port',`
+	gen_require(`
+		type rlogin_port_t;
+	')
+
+	dontaudit $1 rlogin_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+##	Send and receive UDP traffic on the rlogin port.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_rlogin_port',`
+	corenet_udp_send_rlogin_port($1)
+	corenet_udp_receive_rlogin_port($1)
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to send and receive
+##	UDP traffic on the rlogin port.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_rlogin_port',`
+	corenet_dontaudit_udp_send_rlogin_port($1)
+	corenet_dontaudit_udp_receive_rlogin_port($1)
+')
+
+########################################
+## <summary>
+##	Bind TCP sockets to the rlogin port.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_rlogin_port',`
+	gen_require(`
+		type rlogin_port_t;
+	')
+
+	allow $1 rlogin_port_t:tcp_socket name_bind;
+	allow $1 self:capability net_bind_service;
+')
+
+########################################
+## <summary>
+##	Bind UDP sockets to the rlogin port.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_rlogin_port',`
+	gen_require(`
+		type rlogin_port_t;
+	')
+
+	allow $1 rlogin_port_t:udp_socket name_bind;
+	allow $1 self:capability net_bind_service;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to sbind to rlogin port.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_bind_rlogin_port',`
+	gen_require(`
+		type rlogin_port_t;
+	')
+
+	dontaudit $1 rlogin_port_t:udp_socket name_bind;
+	allow $1 self:capability net_bind_service;
+')
+
+########################################
+## <summary>
+##	Make a TCP connection to the rlogin port.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_tcp_connect_rlogin_port',`
+	gen_require(`
+		type rlogin_port_t;
+	')
+
+	allow $1 rlogin_port_t:tcp_socket name_connect;
+')
+########################################
+## <summary>
+##	Do not audit attempts to make a TCP connection to rlogin port.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_dontaudit_tcp_connect_rlogin_port',`
+	gen_require(`
+		type rlogin_port_t;
+	')
+
+	dontaudit $1 rlogin_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+##	Send rlogin_client packets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_rlogin_client_packets',`
+	gen_require(`
+		type rlogin_client_packet_t;
+	')
+
+	allow $1 rlogin_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to send rlogin_client packets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_rlogin_client_packets',`
+	gen_require(`
+		type rlogin_client_packet_t;
+	')
+
+	dontaudit $1 rlogin_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+##	Receive rlogin_client packets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_rlogin_client_packets',`
+	gen_require(`
+		type rlogin_client_packet_t;
+	')
+
+	allow $1 rlogin_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to receive rlogin_client packets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_rlogin_client_packets',`
+	gen_require(`
+		type rlogin_client_packet_t;
+	')
+
+	dontaudit $1 rlogin_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+##	Send and receive rlogin_client packets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_rlogin_client_packets',`
+	corenet_send_rlogin_client_packets($1)
+	corenet_receive_rlogin_client_packets($1)
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to send and receive rlogin_client packets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_rlogin_client_packets',`
+	corenet_dontaudit_send_rlogin_client_packets($1)
+	corenet_dontaudit_receive_rlogin_client_packets($1)
+')
+
+########################################
+## <summary>
+##	Relabel packets to rlogin_client the packet type.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -58681,15 +60156,495 @@
 		type lmtp_server_packet_t;
 	')
 
-	allow $1 lmtp_server_packet_t:packet relabelto;
+	allow $1 lmtp_server_packet_t:packet relabelto;
+')
+
+
+
+
+########################################
+## <summary>
+##	Send and receive TCP traffic on the lrrd port.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_lrrd_port',`
+	gen_require(`
+		type lrrd_port_t;
+	')
+
+	allow $1 lrrd_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+##	Send UDP traffic on the lrrd port.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_lrrd_port',`
+	gen_require(`
+		type lrrd_port_t;
+	')
+
+	allow $1 lrrd_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to send UDP traffic on the lrrd port.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_lrrd_port',`
+	gen_require(`
+		type lrrd_port_t;
+	')
+
+	dontaudit $1 lrrd_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+##	Receive UDP traffic on the lrrd port.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_lrrd_port',`
+	gen_require(`
+		type lrrd_port_t;
+	')
+
+	allow $1 lrrd_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to receive UDP traffic on the lrrd port.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_lrrd_port',`
+	gen_require(`
+		type lrrd_port_t;
+	')
+
+	dontaudit $1 lrrd_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+##	Send and receive UDP traffic on the lrrd port.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_lrrd_port',`
+	corenet_udp_send_lrrd_port($1)
+	corenet_udp_receive_lrrd_port($1)
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to send and receive
+##	UDP traffic on the lrrd port.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_lrrd_port',`
+	corenet_dontaudit_udp_send_lrrd_port($1)
+	corenet_dontaudit_udp_receive_lrrd_port($1)
+')
+
+########################################
+## <summary>
+##	Bind TCP sockets to the lrrd port.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_lrrd_port',`
+	gen_require(`
+		type lrrd_port_t;
+	')
+
+	allow $1 lrrd_port_t:tcp_socket name_bind;
+	
+')
+
+########################################
+## <summary>
+##	Bind UDP sockets to the lrrd port.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_lrrd_port',`
+	gen_require(`
+		type lrrd_port_t;
+	')
+
+	allow $1 lrrd_port_t:udp_socket name_bind;
+	
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to sbind to lrrd port.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_bind_lrrd_port',`
+	gen_require(`
+		type lrrd_port_t;
+	')
+
+	dontaudit $1 lrrd_port_t:udp_socket name_bind;
+	
+')
+
+########################################
+## <summary>
+##	Make a TCP connection to the lrrd port.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_tcp_connect_lrrd_port',`
+	gen_require(`
+		type lrrd_port_t;
+	')
+
+	allow $1 lrrd_port_t:tcp_socket name_connect;
+')
+########################################
+## <summary>
+##	Do not audit attempts to make a TCP connection to lrrd port.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_dontaudit_tcp_connect_lrrd_port',`
+	gen_require(`
+		type lrrd_port_t;
+	')
+
+	dontaudit $1 lrrd_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+##	Send lrrd_client packets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_lrrd_client_packets',`
+	gen_require(`
+		type lrrd_client_packet_t;
+	')
+
+	allow $1 lrrd_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to send lrrd_client packets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_lrrd_client_packets',`
+	gen_require(`
+		type lrrd_client_packet_t;
+	')
+
+	dontaudit $1 lrrd_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+##	Receive lrrd_client packets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_lrrd_client_packets',`
+	gen_require(`
+		type lrrd_client_packet_t;
+	')
+
+	allow $1 lrrd_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to receive lrrd_client packets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_lrrd_client_packets',`
+	gen_require(`
+		type lrrd_client_packet_t;
+	')
+
+	dontaudit $1 lrrd_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+##	Send and receive lrrd_client packets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_lrrd_client_packets',`
+	corenet_send_lrrd_client_packets($1)
+	corenet_receive_lrrd_client_packets($1)
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to send and receive lrrd_client packets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_lrrd_client_packets',`
+	corenet_dontaudit_send_lrrd_client_packets($1)
+	corenet_dontaudit_receive_lrrd_client_packets($1)
+')
+
+########################################
+## <summary>
+##	Relabel packets to lrrd_client the packet type.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_relabelto_lrrd_client_packets',`
+	gen_require(`
+		type lrrd_client_packet_t;
+	')
+
+	allow $1 lrrd_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+##	Send lrrd_server packets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_lrrd_server_packets',`
+	gen_require(`
+		type lrrd_server_packet_t;
+	')
+
+	allow $1 lrrd_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to send lrrd_server packets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_lrrd_server_packets',`
+	gen_require(`
+		type lrrd_server_packet_t;
+	')
+
+	dontaudit $1 lrrd_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+##	Receive lrrd_server packets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_lrrd_server_packets',`
+	gen_require(`
+		type lrrd_server_packet_t;
+	')
+
+	allow $1 lrrd_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to receive lrrd_server packets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_lrrd_server_packets',`
+	gen_require(`
+		type lrrd_server_packet_t;
+	')
+
+	dontaudit $1 lrrd_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+##	Send and receive lrrd_server packets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_lrrd_server_packets',`
+	corenet_send_lrrd_server_packets($1)
+	corenet_receive_lrrd_server_packets($1)
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to send and receive lrrd_server packets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_lrrd_server_packets',`
+	corenet_dontaudit_send_lrrd_server_packets($1)
+	corenet_dontaudit_receive_lrrd_server_packets($1)
+')
+
+########################################
+## <summary>
+##	Relabel packets to lrrd_server the packet type.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_relabelto_lrrd_server_packets',`
+	gen_require(`
+		type lrrd_server_packet_t;
+	')
+
+	allow $1 lrrd_server_packet_t:packet relabelto;
 ')
 
-
+ # no defined portcon
 
 
 ########################################
 ## <summary>
-##	Send and receive TCP traffic on the lrrd port.
+##	Send and receive TCP traffic on the lsm_plugin port.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -58698,17 +60653,17 @@
 ## </param>
 ## <infoflow type="both" weight="10"/>
 #
-interface(`corenet_tcp_sendrecv_lrrd_port',`
+interface(`corenet_tcp_sendrecv_lsm_plugin_port',`
 	gen_require(`
-		type lrrd_port_t;
+		type lsm_plugin_port_t;
 	')
 
-	allow $1 lrrd_port_t:tcp_socket { send_msg recv_msg };
+	allow $1 lsm_plugin_port_t:tcp_socket { send_msg recv_msg };
 ')
 
 ########################################
 ## <summary>
-##	Send UDP traffic on the lrrd port.
+##	Send UDP traffic on the lsm_plugin port.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -58717,17 +60672,17 @@
 ## </param>
 ## <infoflow type="write" weight="10"/>
 #
-interface(`corenet_udp_send_lrrd_port',`
+interface(`corenet_udp_send_lsm_plugin_port',`
 	gen_require(`
-		type lrrd_port_t;
+		type lsm_plugin_port_t;
 	')
 
-	allow $1 lrrd_port_t:udp_socket send_msg;
+	allow $1 lsm_plugin_port_t:udp_socket send_msg;
 ')
 
 ########################################
 ## <summary>
-##	Do not audit attempts to send UDP traffic on the lrrd port.
+##	Do not audit attempts to send UDP traffic on the lsm_plugin port.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -58736,17 +60691,17 @@
 ## </param>
 ## <infoflow type="none"/>
 #
-interface(`corenet_dontaudit_udp_send_lrrd_port',`
+interface(`corenet_dontaudit_udp_send_lsm_plugin_port',`
 	gen_require(`
-		type lrrd_port_t;
+		type lsm_plugin_port_t;
 	')
 
-	dontaudit $1 lrrd_port_t:udp_socket send_msg;
+	dontaudit $1 lsm_plugin_port_t:udp_socket send_msg;
 ')
 
 ########################################
 ## <summary>
-##	Receive UDP traffic on the lrrd port.
+##	Receive UDP traffic on the lsm_plugin port.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -58755,17 +60710,17 @@
 ## </param>
 ## <infoflow type="read" weight="10"/>
 #
-interface(`corenet_udp_receive_lrrd_port',`
+interface(`corenet_udp_receive_lsm_plugin_port',`
 	gen_require(`
-		type lrrd_port_t;
+		type lsm_plugin_port_t;
 	')
 
-	allow $1 lrrd_port_t:udp_socket recv_msg;
+	allow $1 lsm_plugin_port_t:udp_socket recv_msg;
 ')
 
 ########################################
 ## <summary>
-##	Do not audit attempts to receive UDP traffic on the lrrd port.
+##	Do not audit attempts to receive UDP traffic on the lsm_plugin port.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -58774,17 +60729,17 @@
 ## </param>
 ## <infoflow type="none"/>
 #
-interface(`corenet_dontaudit_udp_receive_lrrd_port',`
+interface(`corenet_dontaudit_udp_receive_lsm_plugin_port',`
 	gen_require(`
-		type lrrd_port_t;
+		type lsm_plugin_port_t;
 	')
 
-	dontaudit $1 lrrd_port_t:udp_socket recv_msg;
+	dontaudit $1 lsm_plugin_port_t:udp_socket recv_msg;
 ')
 
 ########################################
 ## <summary>
-##	Send and receive UDP traffic on the lrrd port.
+##	Send and receive UDP traffic on the lsm_plugin port.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -58793,15 +60748,15 @@
 ## </param>
 ## <infoflow type="both" weight="10"/>
 #
-interface(`corenet_udp_sendrecv_lrrd_port',`
-	corenet_udp_send_lrrd_port($1)
-	corenet_udp_receive_lrrd_port($1)
+interface(`corenet_udp_sendrecv_lsm_plugin_port',`
+	corenet_udp_send_lsm_plugin_port($1)
+	corenet_udp_receive_lsm_plugin_port($1)
 ')
 
 ########################################
 ## <summary>
 ##	Do not audit attempts to send and receive
-##	UDP traffic on the lrrd port.
+##	UDP traffic on the lsm_plugin port.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -58810,14 +60765,14 @@
 ## </param>
 ## <infoflow type="none"/>
 #
-interface(`corenet_dontaudit_udp_sendrecv_lrrd_port',`
-	corenet_dontaudit_udp_send_lrrd_port($1)
-	corenet_dontaudit_udp_receive_lrrd_port($1)
+interface(`corenet_dontaudit_udp_sendrecv_lsm_plugin_port',`
+	corenet_dontaudit_udp_send_lsm_plugin_port($1)
+	corenet_dontaudit_udp_receive_lsm_plugin_port($1)
 ')
 
 ########################################
 ## <summary>
-##	Bind TCP sockets to the lrrd port.
+##	Bind TCP sockets to the lsm_plugin port.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -58826,18 +60781,18 @@
 ## </param>
 ## <infoflow type="none"/>
 #
-interface(`corenet_tcp_bind_lrrd_port',`
+interface(`corenet_tcp_bind_lsm_plugin_port',`
 	gen_require(`
-		type lrrd_port_t;
+		type lsm_plugin_port_t;
 	')
 
-	allow $1 lrrd_port_t:tcp_socket name_bind;
+	allow $1 lsm_plugin_port_t:tcp_socket name_bind;
 	
 ')
 
 ########################################
 ## <summary>
-##	Bind UDP sockets to the lrrd port.
+##	Bind UDP sockets to the lsm_plugin port.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -58846,18 +60801,18 @@
 ## </param>
 ## <infoflow type="none"/>
 #
-interface(`corenet_udp_bind_lrrd_port',`
+interface(`corenet_udp_bind_lsm_plugin_port',`
 	gen_require(`
-		type lrrd_port_t;
+		type lsm_plugin_port_t;
 	')
 
-	allow $1 lrrd_port_t:udp_socket name_bind;
+	allow $1 lsm_plugin_port_t:udp_socket name_bind;
 	
 ')
 
 ########################################
 ## <summary>
-##	Do not audit attempts to sbind to lrrd port.
+##	Do not audit attempts to sbind to lsm_plugin port.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -58866,18 +60821,18 @@
 ## </param>
 ## <infoflow type="none"/>
 #
-interface(`corenet_dontaudit_udp_bind_lrrd_port',`
+interface(`corenet_dontaudit_udp_bind_lsm_plugin_port',`
 	gen_require(`
-		type lrrd_port_t;
+		type lsm_plugin_port_t;
 	')
 
-	dontaudit $1 lrrd_port_t:udp_socket name_bind;
+	dontaudit $1 lsm_plugin_port_t:udp_socket name_bind;
 	
 ')
 
 ########################################
 ## <summary>
-##	Make a TCP connection to the lrrd port.
+##	Make a TCP connection to the lsm_plugin port.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -58885,16 +60840,16 @@
 ##	</summary>
 ## </param>
 #
-interface(`corenet_tcp_connect_lrrd_port',`
+interface(`corenet_tcp_connect_lsm_plugin_port',`
 	gen_require(`
-		type lrrd_port_t;
+		type lsm_plugin_port_t;
 	')
 
-	allow $1 lrrd_port_t:tcp_socket name_connect;
+	allow $1 lsm_plugin_port_t:tcp_socket name_connect;
 ')
 ########################################
 ## <summary>
-##	Do not audit attempts to make a TCP connection to lrrd port.
+##	Do not audit attempts to make a TCP connection to lsm_plugin port.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -58902,18 +60857,18 @@
 ##	</summary>
 ## </param>
 #
-interface(`corenet_dontaudit_tcp_connect_lrrd_port',`
+interface(`corenet_dontaudit_tcp_connect_lsm_plugin_port',`
 	gen_require(`
-		type lrrd_port_t;
+		type lsm_plugin_port_t;
 	')
 
-	dontaudit $1 lrrd_port_t:tcp_socket name_connect;
+	dontaudit $1 lsm_plugin_port_t:tcp_socket name_connect;
 ')
 
 
 ########################################
 ## <summary>
-##	Send lrrd_client packets.
+##	Send lsm_plugin_client packets.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -58922,17 +60877,17 @@
 ## </param>
 ## <infoflow type="write" weight="10"/>
 #
-interface(`corenet_send_lrrd_client_packets',`
+interface(`corenet_send_lsm_plugin_client_packets',`
 	gen_require(`
-		type lrrd_client_packet_t;
+		type lsm_plugin_client_packet_t;
 	')
 
-	allow $1 lrrd_client_packet_t:packet send;
+	allow $1 lsm_plugin_client_packet_t:packet send;
 ')
 
 ########################################
 ## <summary>
-##	Do not audit attempts to send lrrd_client packets.
+##	Do not audit attempts to send lsm_plugin_client packets.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -58941,17 +60896,17 @@
 ## </param>
 ## <infoflow type="none"/>
 #
-interface(`corenet_dontaudit_send_lrrd_client_packets',`
+interface(`corenet_dontaudit_send_lsm_plugin_client_packets',`
 	gen_require(`
-		type lrrd_client_packet_t;
+		type lsm_plugin_client_packet_t;
 	')
 
-	dontaudit $1 lrrd_client_packet_t:packet send;
+	dontaudit $1 lsm_plugin_client_packet_t:packet send;
 ')
 
 ########################################
 ## <summary>
-##	Receive lrrd_client packets.
+##	Receive lsm_plugin_client packets.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -58960,17 +60915,17 @@
 ## </param>
 ## <infoflow type="read" weight="10"/>
 #
-interface(`corenet_receive_lrrd_client_packets',`
+interface(`corenet_receive_lsm_plugin_client_packets',`
 	gen_require(`
-		type lrrd_client_packet_t;
+		type lsm_plugin_client_packet_t;
 	')
 
-	allow $1 lrrd_client_packet_t:packet recv;
+	allow $1 lsm_plugin_client_packet_t:packet recv;
 ')
 
 ########################################
 ## <summary>
-##	Do not audit attempts to receive lrrd_client packets.
+##	Do not audit attempts to receive lsm_plugin_client packets.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -58979,17 +60934,17 @@
 ## </param>
 ## <infoflow type="none"/>
 #
-interface(`corenet_dontaudit_receive_lrrd_client_packets',`
+interface(`corenet_dontaudit_receive_lsm_plugin_client_packets',`
 	gen_require(`
-		type lrrd_client_packet_t;
+		type lsm_plugin_client_packet_t;
 	')
 
-	dontaudit $1 lrrd_client_packet_t:packet recv;
+	dontaudit $1 lsm_plugin_client_packet_t:packet recv;
 ')
 
 ########################################
 ## <summary>
-##	Send and receive lrrd_client packets.
+##	Send and receive lsm_plugin_client packets.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -58998,14 +60953,14 @@
 ## </param>
 ## <infoflow type="both" weight="10"/>
 #
-interface(`corenet_sendrecv_lrrd_client_packets',`
-	corenet_send_lrrd_client_packets($1)
-	corenet_receive_lrrd_client_packets($1)
+interface(`corenet_sendrecv_lsm_plugin_client_packets',`
+	corenet_send_lsm_plugin_client_packets($1)
+	corenet_receive_lsm_plugin_client_packets($1)
 ')
 
 ########################################
 ## <summary>
-##	Do not audit attempts to send and receive lrrd_client packets.
+##	Do not audit attempts to send and receive lsm_plugin_client packets.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -59014,14 +60969,14 @@
 ## </param>
 ## <infoflow type="none"/>
 #
-interface(`corenet_dontaudit_sendrecv_lrrd_client_packets',`
-	corenet_dontaudit_send_lrrd_client_packets($1)
-	corenet_dontaudit_receive_lrrd_client_packets($1)
+interface(`corenet_dontaudit_sendrecv_lsm_plugin_client_packets',`
+	corenet_dontaudit_send_lsm_plugin_client_packets($1)
+	corenet_dontaudit_receive_lsm_plugin_client_packets($1)
 ')
 
 ########################################
 ## <summary>
-##	Relabel packets to lrrd_client the packet type.
+##	Relabel packets to lsm_plugin_client the packet type.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -59029,18 +60984,18 @@
 ##	</summary>
 ## </param>
 #
-interface(`corenet_relabelto_lrrd_client_packets',`
+interface(`corenet_relabelto_lsm_plugin_client_packets',`
 	gen_require(`
-		type lrrd_client_packet_t;
+		type lsm_plugin_client_packet_t;
 	')
 
-	allow $1 lrrd_client_packet_t:packet relabelto;
+	allow $1 lsm_plugin_client_packet_t:packet relabelto;
 ')
 
 
 ########################################
 ## <summary>
-##	Send lrrd_server packets.
+##	Send lsm_plugin_server packets.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -59049,17 +61004,17 @@
 ## </param>
 ## <infoflow type="write" weight="10"/>
 #
-interface(`corenet_send_lrrd_server_packets',`
+interface(`corenet_send_lsm_plugin_server_packets',`
 	gen_require(`
-		type lrrd_server_packet_t;
+		type lsm_plugin_server_packet_t;
 	')
 
-	allow $1 lrrd_server_packet_t:packet send;
+	allow $1 lsm_plugin_server_packet_t:packet send;
 ')
 
 ########################################
 ## <summary>
-##	Do not audit attempts to send lrrd_server packets.
+##	Do not audit attempts to send lsm_plugin_server packets.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -59068,17 +61023,17 @@
 ## </param>
 ## <infoflow type="none"/>
 #
-interface(`corenet_dontaudit_send_lrrd_server_packets',`
+interface(`corenet_dontaudit_send_lsm_plugin_server_packets',`
 	gen_require(`
-		type lrrd_server_packet_t;
+		type lsm_plugin_server_packet_t;
 	')
 
-	dontaudit $1 lrrd_server_packet_t:packet send;
+	dontaudit $1 lsm_plugin_server_packet_t:packet send;
 ')
 
 ########################################
 ## <summary>
-##	Receive lrrd_server packets.
+##	Receive lsm_plugin_server packets.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -59087,17 +61042,17 @@
 ## </param>
 ## <infoflow type="read" weight="10"/>
 #
-interface(`corenet_receive_lrrd_server_packets',`
+interface(`corenet_receive_lsm_plugin_server_packets',`
 	gen_require(`
-		type lrrd_server_packet_t;
+		type lsm_plugin_server_packet_t;
 	')
 
-	allow $1 lrrd_server_packet_t:packet recv;
+	allow $1 lsm_plugin_server_packet_t:packet recv;
 ')
 
 ########################################
 ## <summary>
-##	Do not audit attempts to receive lrrd_server packets.
+##	Do not audit attempts to receive lsm_plugin_server packets.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -59106,17 +61061,17 @@
 ## </param>
 ## <infoflow type="none"/>
 #
-interface(`corenet_dontaudit_receive_lrrd_server_packets',`
+interface(`corenet_dontaudit_receive_lsm_plugin_server_packets',`
 	gen_require(`
-		type lrrd_server_packet_t;
+		type lsm_plugin_server_packet_t;
 	')
 
-	dontaudit $1 lrrd_server_packet_t:packet recv;
+	dontaudit $1 lsm_plugin_server_packet_t:packet recv;
 ')
 
 ########################################
 ## <summary>
-##	Send and receive lrrd_server packets.
+##	Send and receive lsm_plugin_server packets.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -59125,14 +61080,14 @@
 ## </param>
 ## <infoflow type="both" weight="10"/>
 #
-interface(`corenet_sendrecv_lrrd_server_packets',`
-	corenet_send_lrrd_server_packets($1)
-	corenet_receive_lrrd_server_packets($1)
+interface(`corenet_sendrecv_lsm_plugin_server_packets',`
+	corenet_send_lsm_plugin_server_packets($1)
+	corenet_receive_lsm_plugin_server_packets($1)
 ')
 
 ########################################
 ## <summary>
-##	Do not audit attempts to send and receive lrrd_server packets.
+##	Do not audit attempts to send and receive lsm_plugin_server packets.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -59141,14 +61096,14 @@
 ## </param>
 ## <infoflow type="none"/>
 #
-interface(`corenet_dontaudit_sendrecv_lrrd_server_packets',`
-	corenet_dontaudit_send_lrrd_server_packets($1)
-	corenet_dontaudit_receive_lrrd_server_packets($1)
+interface(`corenet_dontaudit_sendrecv_lsm_plugin_server_packets',`
+	corenet_dontaudit_send_lsm_plugin_server_packets($1)
+	corenet_dontaudit_receive_lsm_plugin_server_packets($1)
 ')
 
 ########################################
 ## <summary>
-##	Relabel packets to lrrd_server the packet type.
+##	Relabel packets to lsm_plugin_server the packet type.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -59156,15 +61111,15 @@
 ##	</summary>
 ## </param>
 #
-interface(`corenet_relabelto_lrrd_server_packets',`
+interface(`corenet_relabelto_lsm_plugin_server_packets',`
 	gen_require(`
-		type lrrd_server_packet_t;
+		type lsm_plugin_server_packet_t;
 	')
 
-	allow $1 lrrd_server_packet_t:packet relabelto;
+	allow $1 lsm_plugin_server_packet_t:packet relabelto;
 ')
 
- # no defined portcon
+
 
 
 ########################################
@@ -85451,15 +87406,495 @@
 #
 interface(`corenet_send_presence_server_packets',`
 	gen_require(`
-		type presence_server_packet_t;
+		type presence_server_packet_t;
+	')
+
+	allow $1 presence_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to send presence_server packets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_presence_server_packets',`
+	gen_require(`
+		type presence_server_packet_t;
+	')
+
+	dontaudit $1 presence_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+##	Receive presence_server packets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_presence_server_packets',`
+	gen_require(`
+		type presence_server_packet_t;
+	')
+
+	allow $1 presence_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to receive presence_server packets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_presence_server_packets',`
+	gen_require(`
+		type presence_server_packet_t;
+	')
+
+	dontaudit $1 presence_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+##	Send and receive presence_server packets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_presence_server_packets',`
+	corenet_send_presence_server_packets($1)
+	corenet_receive_presence_server_packets($1)
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to send and receive presence_server packets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_presence_server_packets',`
+	corenet_dontaudit_send_presence_server_packets($1)
+	corenet_dontaudit_receive_presence_server_packets($1)
+')
+
+########################################
+## <summary>
+##	Relabel packets to presence_server the packet type.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_relabelto_presence_server_packets',`
+	gen_require(`
+		type presence_server_packet_t;
+	')
+
+	allow $1 presence_server_packet_t:packet relabelto;
+')
+
+
+
+
+########################################
+## <summary>
+##	Send and receive TCP traffic on the preupgrade port.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_preupgrade_port',`
+	gen_require(`
+		type preupgrade_port_t;
+	')
+
+	allow $1 preupgrade_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+##	Send UDP traffic on the preupgrade port.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_preupgrade_port',`
+	gen_require(`
+		type preupgrade_port_t;
+	')
+
+	allow $1 preupgrade_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to send UDP traffic on the preupgrade port.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_preupgrade_port',`
+	gen_require(`
+		type preupgrade_port_t;
+	')
+
+	dontaudit $1 preupgrade_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+##	Receive UDP traffic on the preupgrade port.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_preupgrade_port',`
+	gen_require(`
+		type preupgrade_port_t;
+	')
+
+	allow $1 preupgrade_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to receive UDP traffic on the preupgrade port.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_preupgrade_port',`
+	gen_require(`
+		type preupgrade_port_t;
+	')
+
+	dontaudit $1 preupgrade_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+##	Send and receive UDP traffic on the preupgrade port.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_preupgrade_port',`
+	corenet_udp_send_preupgrade_port($1)
+	corenet_udp_receive_preupgrade_port($1)
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to send and receive
+##	UDP traffic on the preupgrade port.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_preupgrade_port',`
+	corenet_dontaudit_udp_send_preupgrade_port($1)
+	corenet_dontaudit_udp_receive_preupgrade_port($1)
+')
+
+########################################
+## <summary>
+##	Bind TCP sockets to the preupgrade port.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_preupgrade_port',`
+	gen_require(`
+		type preupgrade_port_t;
+	')
+
+	allow $1 preupgrade_port_t:tcp_socket name_bind;
+	
+')
+
+########################################
+## <summary>
+##	Bind UDP sockets to the preupgrade port.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_preupgrade_port',`
+	gen_require(`
+		type preupgrade_port_t;
+	')
+
+	allow $1 preupgrade_port_t:udp_socket name_bind;
+	
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to sbind to preupgrade port.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_bind_preupgrade_port',`
+	gen_require(`
+		type preupgrade_port_t;
+	')
+
+	dontaudit $1 preupgrade_port_t:udp_socket name_bind;
+	
+')
+
+########################################
+## <summary>
+##	Make a TCP connection to the preupgrade port.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_tcp_connect_preupgrade_port',`
+	gen_require(`
+		type preupgrade_port_t;
+	')
+
+	allow $1 preupgrade_port_t:tcp_socket name_connect;
+')
+########################################
+## <summary>
+##	Do not audit attempts to make a TCP connection to preupgrade port.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_dontaudit_tcp_connect_preupgrade_port',`
+	gen_require(`
+		type preupgrade_port_t;
+	')
+
+	dontaudit $1 preupgrade_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+##	Send preupgrade_client packets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_preupgrade_client_packets',`
+	gen_require(`
+		type preupgrade_client_packet_t;
+	')
+
+	allow $1 preupgrade_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to send preupgrade_client packets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_preupgrade_client_packets',`
+	gen_require(`
+		type preupgrade_client_packet_t;
+	')
+
+	dontaudit $1 preupgrade_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+##	Receive preupgrade_client packets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_preupgrade_client_packets',`
+	gen_require(`
+		type preupgrade_client_packet_t;
+	')
+
+	allow $1 preupgrade_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to receive preupgrade_client packets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_preupgrade_client_packets',`
+	gen_require(`
+		type preupgrade_client_packet_t;
+	')
+
+	dontaudit $1 preupgrade_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+##	Send and receive preupgrade_client packets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_preupgrade_client_packets',`
+	corenet_send_preupgrade_client_packets($1)
+	corenet_receive_preupgrade_client_packets($1)
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to send and receive preupgrade_client packets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_preupgrade_client_packets',`
+	corenet_dontaudit_send_preupgrade_client_packets($1)
+	corenet_dontaudit_receive_preupgrade_client_packets($1)
+')
+
+########################################
+## <summary>
+##	Relabel packets to preupgrade_client the packet type.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_relabelto_preupgrade_client_packets',`
+	gen_require(`
+		type preupgrade_client_packet_t;
+	')
+
+	allow $1 preupgrade_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+##	Send preupgrade_server packets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_preupgrade_server_packets',`
+	gen_require(`
+		type preupgrade_server_packet_t;
 	')
 
-	allow $1 presence_server_packet_t:packet send;
+	allow $1 preupgrade_server_packet_t:packet send;
 ')
 
 ########################################
 ## <summary>
-##	Do not audit attempts to send presence_server packets.
+##	Do not audit attempts to send preupgrade_server packets.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -85468,17 +87903,17 @@
 ## </param>
 ## <infoflow type="none"/>
 #
-interface(`corenet_dontaudit_send_presence_server_packets',`
+interface(`corenet_dontaudit_send_preupgrade_server_packets',`
 	gen_require(`
-		type presence_server_packet_t;
+		type preupgrade_server_packet_t;
 	')
 
-	dontaudit $1 presence_server_packet_t:packet send;
+	dontaudit $1 preupgrade_server_packet_t:packet send;
 ')
 
 ########################################
 ## <summary>
-##	Receive presence_server packets.
+##	Receive preupgrade_server packets.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -85487,17 +87922,17 @@
 ## </param>
 ## <infoflow type="read" weight="10"/>
 #
-interface(`corenet_receive_presence_server_packets',`
+interface(`corenet_receive_preupgrade_server_packets',`
 	gen_require(`
-		type presence_server_packet_t;
+		type preupgrade_server_packet_t;
 	')
 
-	allow $1 presence_server_packet_t:packet recv;
+	allow $1 preupgrade_server_packet_t:packet recv;
 ')
 
 ########################################
 ## <summary>
-##	Do not audit attempts to receive presence_server packets.
+##	Do not audit attempts to receive preupgrade_server packets.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -85506,17 +87941,17 @@
 ## </param>
 ## <infoflow type="none"/>
 #
-interface(`corenet_dontaudit_receive_presence_server_packets',`
+interface(`corenet_dontaudit_receive_preupgrade_server_packets',`
 	gen_require(`
-		type presence_server_packet_t;
+		type preupgrade_server_packet_t;
 	')
 
-	dontaudit $1 presence_server_packet_t:packet recv;
+	dontaudit $1 preupgrade_server_packet_t:packet recv;
 ')
 
 ########################################
 ## <summary>
-##	Send and receive presence_server packets.
+##	Send and receive preupgrade_server packets.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -85525,14 +87960,14 @@
 ## </param>
 ## <infoflow type="both" weight="10"/>
 #
-interface(`corenet_sendrecv_presence_server_packets',`
-	corenet_send_presence_server_packets($1)
-	corenet_receive_presence_server_packets($1)
+interface(`corenet_sendrecv_preupgrade_server_packets',`
+	corenet_send_preupgrade_server_packets($1)
+	corenet_receive_preupgrade_server_packets($1)
 ')
 
 ########################################
 ## <summary>
-##	Do not audit attempts to send and receive presence_server packets.
+##	Do not audit attempts to send and receive preupgrade_server packets.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -85541,14 +87976,14 @@
 ## </param>
 ## <infoflow type="none"/>
 #
-interface(`corenet_dontaudit_sendrecv_presence_server_packets',`
-	corenet_dontaudit_send_presence_server_packets($1)
-	corenet_dontaudit_receive_presence_server_packets($1)
+interface(`corenet_dontaudit_sendrecv_preupgrade_server_packets',`
+	corenet_dontaudit_send_preupgrade_server_packets($1)
+	corenet_dontaudit_receive_preupgrade_server_packets($1)
 ')
 
 ########################################
 ## <summary>
-##	Relabel packets to presence_server the packet type.
+##	Relabel packets to preupgrade_server the packet type.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -85556,12 +87991,12 @@
 ##	</summary>
 ## </param>
 #
-interface(`corenet_relabelto_presence_server_packets',`
+interface(`corenet_relabelto_preupgrade_server_packets',`
 	gen_require(`
-		type presence_server_packet_t;
+		type preupgrade_server_packet_t;
 	')
 
-	allow $1 presence_server_packet_t:packet relabelto;
+	allow $1 preupgrade_server_packet_t:packet relabelto;
 ')
 
 
@@ -89552,7 +91987,7 @@
 	')
 
 	allow $1 radius_port_t:tcp_socket name_bind;
-	
+	allow $1 self:capability net_bind_service;
 ')
 
 ########################################
@@ -89572,7 +92007,7 @@
 	')
 
 	allow $1 radius_port_t:udp_socket name_bind;
-	
+	allow $1 self:capability net_bind_service;
 ')
 
 ########################################
@@ -89592,7 +92027,7 @@
 	')
 
 	dontaudit $1 radius_port_t:udp_socket name_bind;
-	
+	allow $1 self:capability net_bind_service;
 ')
 
 ########################################
@@ -99009,7 +101444,487 @@
 
 ########################################
 ## <summary>
-##	Send and receive TCP traffic on the sge port.
+##	Send and receive TCP traffic on the sge port.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_sge_port',`
+	gen_require(`
+		type sge_port_t;
+	')
+
+	allow $1 sge_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+##	Send UDP traffic on the sge port.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_sge_port',`
+	gen_require(`
+		type sge_port_t;
+	')
+
+	allow $1 sge_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to send UDP traffic on the sge port.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_sge_port',`
+	gen_require(`
+		type sge_port_t;
+	')
+
+	dontaudit $1 sge_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+##	Receive UDP traffic on the sge port.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_sge_port',`
+	gen_require(`
+		type sge_port_t;
+	')
+
+	allow $1 sge_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to receive UDP traffic on the sge port.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_sge_port',`
+	gen_require(`
+		type sge_port_t;
+	')
+
+	dontaudit $1 sge_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+##	Send and receive UDP traffic on the sge port.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_sge_port',`
+	corenet_udp_send_sge_port($1)
+	corenet_udp_receive_sge_port($1)
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to send and receive
+##	UDP traffic on the sge port.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_sge_port',`
+	corenet_dontaudit_udp_send_sge_port($1)
+	corenet_dontaudit_udp_receive_sge_port($1)
+')
+
+########################################
+## <summary>
+##	Bind TCP sockets to the sge port.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_sge_port',`
+	gen_require(`
+		type sge_port_t;
+	')
+
+	allow $1 sge_port_t:tcp_socket name_bind;
+	
+')
+
+########################################
+## <summary>
+##	Bind UDP sockets to the sge port.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_sge_port',`
+	gen_require(`
+		type sge_port_t;
+	')
+
+	allow $1 sge_port_t:udp_socket name_bind;
+	
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to sbind to sge port.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_bind_sge_port',`
+	gen_require(`
+		type sge_port_t;
+	')
+
+	dontaudit $1 sge_port_t:udp_socket name_bind;
+	
+')
+
+########################################
+## <summary>
+##	Make a TCP connection to the sge port.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_tcp_connect_sge_port',`
+	gen_require(`
+		type sge_port_t;
+	')
+
+	allow $1 sge_port_t:tcp_socket name_connect;
+')
+########################################
+## <summary>
+##	Do not audit attempts to make a TCP connection to sge port.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_dontaudit_tcp_connect_sge_port',`
+	gen_require(`
+		type sge_port_t;
+	')
+
+	dontaudit $1 sge_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+##	Send sge_client packets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_sge_client_packets',`
+	gen_require(`
+		type sge_client_packet_t;
+	')
+
+	allow $1 sge_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to send sge_client packets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_sge_client_packets',`
+	gen_require(`
+		type sge_client_packet_t;
+	')
+
+	dontaudit $1 sge_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+##	Receive sge_client packets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_sge_client_packets',`
+	gen_require(`
+		type sge_client_packet_t;
+	')
+
+	allow $1 sge_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to receive sge_client packets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_sge_client_packets',`
+	gen_require(`
+		type sge_client_packet_t;
+	')
+
+	dontaudit $1 sge_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+##	Send and receive sge_client packets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_sge_client_packets',`
+	corenet_send_sge_client_packets($1)
+	corenet_receive_sge_client_packets($1)
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to send and receive sge_client packets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_sge_client_packets',`
+	corenet_dontaudit_send_sge_client_packets($1)
+	corenet_dontaudit_receive_sge_client_packets($1)
+')
+
+########################################
+## <summary>
+##	Relabel packets to sge_client the packet type.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_relabelto_sge_client_packets',`
+	gen_require(`
+		type sge_client_packet_t;
+	')
+
+	allow $1 sge_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+##	Send sge_server packets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_sge_server_packets',`
+	gen_require(`
+		type sge_server_packet_t;
+	')
+
+	allow $1 sge_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to send sge_server packets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_sge_server_packets',`
+	gen_require(`
+		type sge_server_packet_t;
+	')
+
+	dontaudit $1 sge_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+##	Receive sge_server packets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_sge_server_packets',`
+	gen_require(`
+		type sge_server_packet_t;
+	')
+
+	allow $1 sge_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to receive sge_server packets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_sge_server_packets',`
+	gen_require(`
+		type sge_server_packet_t;
+	')
+
+	dontaudit $1 sge_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+##	Send and receive sge_server packets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_sge_server_packets',`
+	corenet_send_sge_server_packets($1)
+	corenet_receive_sge_server_packets($1)
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to send and receive sge_server packets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_sge_server_packets',`
+	corenet_dontaudit_send_sge_server_packets($1)
+	corenet_dontaudit_receive_sge_server_packets($1)
+')
+
+########################################
+## <summary>
+##	Relabel packets to sge_server the packet type.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_relabelto_sge_server_packets',`
+	gen_require(`
+		type sge_server_packet_t;
+	')
+
+	allow $1 sge_server_packet_t:packet relabelto;
+')
+
+
+
+
+########################################
+## <summary>
+##	Send and receive TCP traffic on the shellinaboxd port.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -99018,17 +101933,17 @@
 ## </param>
 ## <infoflow type="both" weight="10"/>
 #
-interface(`corenet_tcp_sendrecv_sge_port',`
+interface(`corenet_tcp_sendrecv_shellinaboxd_port',`
 	gen_require(`
-		type sge_port_t;
+		type shellinaboxd_port_t;
 	')
 
-	allow $1 sge_port_t:tcp_socket { send_msg recv_msg };
+	allow $1 shellinaboxd_port_t:tcp_socket { send_msg recv_msg };
 ')
 
 ########################################
 ## <summary>
-##	Send UDP traffic on the sge port.
+##	Send UDP traffic on the shellinaboxd port.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -99037,17 +101952,17 @@
 ## </param>
 ## <infoflow type="write" weight="10"/>
 #
-interface(`corenet_udp_send_sge_port',`
+interface(`corenet_udp_send_shellinaboxd_port',`
 	gen_require(`
-		type sge_port_t;
+		type shellinaboxd_port_t;
 	')
 
-	allow $1 sge_port_t:udp_socket send_msg;
+	allow $1 shellinaboxd_port_t:udp_socket send_msg;
 ')
 
 ########################################
 ## <summary>
-##	Do not audit attempts to send UDP traffic on the sge port.
+##	Do not audit attempts to send UDP traffic on the shellinaboxd port.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -99056,17 +101971,17 @@
 ## </param>
 ## <infoflow type="none"/>
 #
-interface(`corenet_dontaudit_udp_send_sge_port',`
+interface(`corenet_dontaudit_udp_send_shellinaboxd_port',`
 	gen_require(`
-		type sge_port_t;
+		type shellinaboxd_port_t;
 	')
 
-	dontaudit $1 sge_port_t:udp_socket send_msg;
+	dontaudit $1 shellinaboxd_port_t:udp_socket send_msg;
 ')
 
 ########################################
 ## <summary>
-##	Receive UDP traffic on the sge port.
+##	Receive UDP traffic on the shellinaboxd port.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -99075,17 +101990,17 @@
 ## </param>
 ## <infoflow type="read" weight="10"/>
 #
-interface(`corenet_udp_receive_sge_port',`
+interface(`corenet_udp_receive_shellinaboxd_port',`
 	gen_require(`
-		type sge_port_t;
+		type shellinaboxd_port_t;
 	')
 
-	allow $1 sge_port_t:udp_socket recv_msg;
+	allow $1 shellinaboxd_port_t:udp_socket recv_msg;
 ')
 
 ########################################
 ## <summary>
-##	Do not audit attempts to receive UDP traffic on the sge port.
+##	Do not audit attempts to receive UDP traffic on the shellinaboxd port.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -99094,17 +102009,17 @@
 ## </param>
 ## <infoflow type="none"/>
 #
-interface(`corenet_dontaudit_udp_receive_sge_port',`
+interface(`corenet_dontaudit_udp_receive_shellinaboxd_port',`
 	gen_require(`
-		type sge_port_t;
+		type shellinaboxd_port_t;
 	')
 
-	dontaudit $1 sge_port_t:udp_socket recv_msg;
+	dontaudit $1 shellinaboxd_port_t:udp_socket recv_msg;
 ')
 
 ########################################
 ## <summary>
-##	Send and receive UDP traffic on the sge port.
+##	Send and receive UDP traffic on the shellinaboxd port.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -99113,15 +102028,15 @@
 ## </param>
 ## <infoflow type="both" weight="10"/>
 #
-interface(`corenet_udp_sendrecv_sge_port',`
-	corenet_udp_send_sge_port($1)
-	corenet_udp_receive_sge_port($1)
+interface(`corenet_udp_sendrecv_shellinaboxd_port',`
+	corenet_udp_send_shellinaboxd_port($1)
+	corenet_udp_receive_shellinaboxd_port($1)
 ')
 
 ########################################
 ## <summary>
 ##	Do not audit attempts to send and receive
-##	UDP traffic on the sge port.
+##	UDP traffic on the shellinaboxd port.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -99130,14 +102045,14 @@
 ## </param>
 ## <infoflow type="none"/>
 #
-interface(`corenet_dontaudit_udp_sendrecv_sge_port',`
-	corenet_dontaudit_udp_send_sge_port($1)
-	corenet_dontaudit_udp_receive_sge_port($1)
+interface(`corenet_dontaudit_udp_sendrecv_shellinaboxd_port',`
+	corenet_dontaudit_udp_send_shellinaboxd_port($1)
+	corenet_dontaudit_udp_receive_shellinaboxd_port($1)
 ')
 
 ########################################
 ## <summary>
-##	Bind TCP sockets to the sge port.
+##	Bind TCP sockets to the shellinaboxd port.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -99146,18 +102061,18 @@
 ## </param>
 ## <infoflow type="none"/>
 #
-interface(`corenet_tcp_bind_sge_port',`
+interface(`corenet_tcp_bind_shellinaboxd_port',`
 	gen_require(`
-		type sge_port_t;
+		type shellinaboxd_port_t;
 	')
 
-	allow $1 sge_port_t:tcp_socket name_bind;
+	allow $1 shellinaboxd_port_t:tcp_socket name_bind;
 	
 ')
 
 ########################################
 ## <summary>
-##	Bind UDP sockets to the sge port.
+##	Bind UDP sockets to the shellinaboxd port.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -99166,18 +102081,18 @@
 ## </param>
 ## <infoflow type="none"/>
 #
-interface(`corenet_udp_bind_sge_port',`
+interface(`corenet_udp_bind_shellinaboxd_port',`
 	gen_require(`
-		type sge_port_t;
+		type shellinaboxd_port_t;
 	')
 
-	allow $1 sge_port_t:udp_socket name_bind;
+	allow $1 shellinaboxd_port_t:udp_socket name_bind;
 	
 ')
 
 ########################################
 ## <summary>
-##	Do not audit attempts to sbind to sge port.
+##	Do not audit attempts to sbind to shellinaboxd port.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -99186,18 +102101,18 @@
 ## </param>
 ## <infoflow type="none"/>
 #
-interface(`corenet_dontaudit_udp_bind_sge_port',`
+interface(`corenet_dontaudit_udp_bind_shellinaboxd_port',`
 	gen_require(`
-		type sge_port_t;
+		type shellinaboxd_port_t;
 	')
 
-	dontaudit $1 sge_port_t:udp_socket name_bind;
+	dontaudit $1 shellinaboxd_port_t:udp_socket name_bind;
 	
 ')
 
 ########################################
 ## <summary>
-##	Make a TCP connection to the sge port.
+##	Make a TCP connection to the shellinaboxd port.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -99205,16 +102120,16 @@
 ##	</summary>
 ## </param>
 #
-interface(`corenet_tcp_connect_sge_port',`
+interface(`corenet_tcp_connect_shellinaboxd_port',`
 	gen_require(`
-		type sge_port_t;
+		type shellinaboxd_port_t;
 	')
 
-	allow $1 sge_port_t:tcp_socket name_connect;
+	allow $1 shellinaboxd_port_t:tcp_socket name_connect;
 ')
 ########################################
 ## <summary>
-##	Do not audit attempts to make a TCP connection to sge port.
+##	Do not audit attempts to make a TCP connection to shellinaboxd port.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -99222,18 +102137,18 @@
 ##	</summary>
 ## </param>
 #
-interface(`corenet_dontaudit_tcp_connect_sge_port',`
+interface(`corenet_dontaudit_tcp_connect_shellinaboxd_port',`
 	gen_require(`
-		type sge_port_t;
+		type shellinaboxd_port_t;
 	')
 
-	dontaudit $1 sge_port_t:tcp_socket name_connect;
+	dontaudit $1 shellinaboxd_port_t:tcp_socket name_connect;
 ')
 
 
 ########################################
 ## <summary>
-##	Send sge_client packets.
+##	Send shellinaboxd_client packets.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -99242,17 +102157,17 @@
 ## </param>
 ## <infoflow type="write" weight="10"/>
 #
-interface(`corenet_send_sge_client_packets',`
+interface(`corenet_send_shellinaboxd_client_packets',`
 	gen_require(`
-		type sge_client_packet_t;
+		type shellinaboxd_client_packet_t;
 	')
 
-	allow $1 sge_client_packet_t:packet send;
+	allow $1 shellinaboxd_client_packet_t:packet send;
 ')
 
 ########################################
 ## <summary>
-##	Do not audit attempts to send sge_client packets.
+##	Do not audit attempts to send shellinaboxd_client packets.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -99261,17 +102176,17 @@
 ## </param>
 ## <infoflow type="none"/>
 #
-interface(`corenet_dontaudit_send_sge_client_packets',`
+interface(`corenet_dontaudit_send_shellinaboxd_client_packets',`
 	gen_require(`
-		type sge_client_packet_t;
+		type shellinaboxd_client_packet_t;
 	')
 
-	dontaudit $1 sge_client_packet_t:packet send;
+	dontaudit $1 shellinaboxd_client_packet_t:packet send;
 ')
 
 ########################################
 ## <summary>
-##	Receive sge_client packets.
+##	Receive shellinaboxd_client packets.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -99280,17 +102195,17 @@
 ## </param>
 ## <infoflow type="read" weight="10"/>
 #
-interface(`corenet_receive_sge_client_packets',`
+interface(`corenet_receive_shellinaboxd_client_packets',`
 	gen_require(`
-		type sge_client_packet_t;
+		type shellinaboxd_client_packet_t;
 	')
 
-	allow $1 sge_client_packet_t:packet recv;
+	allow $1 shellinaboxd_client_packet_t:packet recv;
 ')
 
 ########################################
 ## <summary>
-##	Do not audit attempts to receive sge_client packets.
+##	Do not audit attempts to receive shellinaboxd_client packets.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -99299,17 +102214,17 @@
 ## </param>
 ## <infoflow type="none"/>
 #
-interface(`corenet_dontaudit_receive_sge_client_packets',`
+interface(`corenet_dontaudit_receive_shellinaboxd_client_packets',`
 	gen_require(`
-		type sge_client_packet_t;
+		type shellinaboxd_client_packet_t;
 	')
 
-	dontaudit $1 sge_client_packet_t:packet recv;
+	dontaudit $1 shellinaboxd_client_packet_t:packet recv;
 ')
 
 ########################################
 ## <summary>
-##	Send and receive sge_client packets.
+##	Send and receive shellinaboxd_client packets.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -99318,14 +102233,14 @@
 ## </param>
 ## <infoflow type="both" weight="10"/>
 #
-interface(`corenet_sendrecv_sge_client_packets',`
-	corenet_send_sge_client_packets($1)
-	corenet_receive_sge_client_packets($1)
+interface(`corenet_sendrecv_shellinaboxd_client_packets',`
+	corenet_send_shellinaboxd_client_packets($1)
+	corenet_receive_shellinaboxd_client_packets($1)
 ')
 
 ########################################
 ## <summary>
-##	Do not audit attempts to send and receive sge_client packets.
+##	Do not audit attempts to send and receive shellinaboxd_client packets.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -99334,14 +102249,14 @@
 ## </param>
 ## <infoflow type="none"/>
 #
-interface(`corenet_dontaudit_sendrecv_sge_client_packets',`
-	corenet_dontaudit_send_sge_client_packets($1)
-	corenet_dontaudit_receive_sge_client_packets($1)
+interface(`corenet_dontaudit_sendrecv_shellinaboxd_client_packets',`
+	corenet_dontaudit_send_shellinaboxd_client_packets($1)
+	corenet_dontaudit_receive_shellinaboxd_client_packets($1)
 ')
 
 ########################################
 ## <summary>
-##	Relabel packets to sge_client the packet type.
+##	Relabel packets to shellinaboxd_client the packet type.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -99349,18 +102264,18 @@
 ##	</summary>
 ## </param>
 #
-interface(`corenet_relabelto_sge_client_packets',`
+interface(`corenet_relabelto_shellinaboxd_client_packets',`
 	gen_require(`
-		type sge_client_packet_t;
+		type shellinaboxd_client_packet_t;
 	')
 
-	allow $1 sge_client_packet_t:packet relabelto;
+	allow $1 shellinaboxd_client_packet_t:packet relabelto;
 ')
 
 
 ########################################
 ## <summary>
-##	Send sge_server packets.
+##	Send shellinaboxd_server packets.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -99369,17 +102284,17 @@
 ## </param>
 ## <infoflow type="write" weight="10"/>
 #
-interface(`corenet_send_sge_server_packets',`
+interface(`corenet_send_shellinaboxd_server_packets',`
 	gen_require(`
-		type sge_server_packet_t;
+		type shellinaboxd_server_packet_t;
 	')
 
-	allow $1 sge_server_packet_t:packet send;
+	allow $1 shellinaboxd_server_packet_t:packet send;
 ')
 
 ########################################
 ## <summary>
-##	Do not audit attempts to send sge_server packets.
+##	Do not audit attempts to send shellinaboxd_server packets.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -99388,17 +102303,17 @@
 ## </param>
 ## <infoflow type="none"/>
 #
-interface(`corenet_dontaudit_send_sge_server_packets',`
+interface(`corenet_dontaudit_send_shellinaboxd_server_packets',`
 	gen_require(`
-		type sge_server_packet_t;
+		type shellinaboxd_server_packet_t;
 	')
 
-	dontaudit $1 sge_server_packet_t:packet send;
+	dontaudit $1 shellinaboxd_server_packet_t:packet send;
 ')
 
 ########################################
 ## <summary>
-##	Receive sge_server packets.
+##	Receive shellinaboxd_server packets.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -99407,17 +102322,17 @@
 ## </param>
 ## <infoflow type="read" weight="10"/>
 #
-interface(`corenet_receive_sge_server_packets',`
+interface(`corenet_receive_shellinaboxd_server_packets',`
 	gen_require(`
-		type sge_server_packet_t;
+		type shellinaboxd_server_packet_t;
 	')
 
-	allow $1 sge_server_packet_t:packet recv;
+	allow $1 shellinaboxd_server_packet_t:packet recv;
 ')
 
 ########################################
 ## <summary>
-##	Do not audit attempts to receive sge_server packets.
+##	Do not audit attempts to receive shellinaboxd_server packets.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -99426,17 +102341,17 @@
 ## </param>
 ## <infoflow type="none"/>
 #
-interface(`corenet_dontaudit_receive_sge_server_packets',`
+interface(`corenet_dontaudit_receive_shellinaboxd_server_packets',`
 	gen_require(`
-		type sge_server_packet_t;
+		type shellinaboxd_server_packet_t;
 	')
 
-	dontaudit $1 sge_server_packet_t:packet recv;
+	dontaudit $1 shellinaboxd_server_packet_t:packet recv;
 ')
 
 ########################################
 ## <summary>
-##	Send and receive sge_server packets.
+##	Send and receive shellinaboxd_server packets.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -99445,14 +102360,14 @@
 ## </param>
 ## <infoflow type="both" weight="10"/>
 #
-interface(`corenet_sendrecv_sge_server_packets',`
-	corenet_send_sge_server_packets($1)
-	corenet_receive_sge_server_packets($1)
+interface(`corenet_sendrecv_shellinaboxd_server_packets',`
+	corenet_send_shellinaboxd_server_packets($1)
+	corenet_receive_shellinaboxd_server_packets($1)
 ')
 
 ########################################
 ## <summary>
-##	Do not audit attempts to send and receive sge_server packets.
+##	Do not audit attempts to send and receive shellinaboxd_server packets.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -99461,14 +102376,14 @@
 ## </param>
 ## <infoflow type="none"/>
 #
-interface(`corenet_dontaudit_sendrecv_sge_server_packets',`
-	corenet_dontaudit_send_sge_server_packets($1)
-	corenet_dontaudit_receive_sge_server_packets($1)
+interface(`corenet_dontaudit_sendrecv_shellinaboxd_server_packets',`
+	corenet_dontaudit_send_shellinaboxd_server_packets($1)
+	corenet_dontaudit_receive_shellinaboxd_server_packets($1)
 ')
 
 ########################################
 ## <summary>
-##	Relabel packets to sge_server the packet type.
+##	Relabel packets to shellinaboxd_server the packet type.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -99476,12 +102391,12 @@
 ##	</summary>
 ## </param>
 #
-interface(`corenet_relabelto_sge_server_packets',`
+interface(`corenet_relabelto_shellinaboxd_server_packets',`
 	gen_require(`
-		type sge_server_packet_t;
+		type shellinaboxd_server_packet_t;
 	')
 
-	allow $1 sge_server_packet_t:packet relabelto;
+	allow $1 shellinaboxd_server_packet_t:packet relabelto;
 ')
 
 
@@ -107501,7 +110416,487 @@
 
 ########################################
 ## <summary>
-##	Relabel packets to swat_client the packet type.
+##	Relabel packets to swat_client the packet type.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_relabelto_swat_client_packets',`
+	gen_require(`
+		type swat_client_packet_t;
+	')
+
+	allow $1 swat_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+##	Send swat_server packets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_swat_server_packets',`
+	gen_require(`
+		type swat_server_packet_t;
+	')
+
+	allow $1 swat_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to send swat_server packets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_swat_server_packets',`
+	gen_require(`
+		type swat_server_packet_t;
+	')
+
+	dontaudit $1 swat_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+##	Receive swat_server packets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_swat_server_packets',`
+	gen_require(`
+		type swat_server_packet_t;
+	')
+
+	allow $1 swat_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to receive swat_server packets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_swat_server_packets',`
+	gen_require(`
+		type swat_server_packet_t;
+	')
+
+	dontaudit $1 swat_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+##	Send and receive swat_server packets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_swat_server_packets',`
+	corenet_send_swat_server_packets($1)
+	corenet_receive_swat_server_packets($1)
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to send and receive swat_server packets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_swat_server_packets',`
+	corenet_dontaudit_send_swat_server_packets($1)
+	corenet_dontaudit_receive_swat_server_packets($1)
+')
+
+########################################
+## <summary>
+##	Relabel packets to swat_server the packet type.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_relabelto_swat_server_packets',`
+	gen_require(`
+		type swat_server_packet_t;
+	')
+
+	allow $1 swat_server_packet_t:packet relabelto;
+')
+
+
+
+
+########################################
+## <summary>
+##	Send and receive TCP traffic on the swift port.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_swift_port',`
+	gen_require(`
+		type swift_port_t;
+	')
+
+	allow $1 swift_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+##	Send UDP traffic on the swift port.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_swift_port',`
+	gen_require(`
+		type swift_port_t;
+	')
+
+	allow $1 swift_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to send UDP traffic on the swift port.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_swift_port',`
+	gen_require(`
+		type swift_port_t;
+	')
+
+	dontaudit $1 swift_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+##	Receive UDP traffic on the swift port.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_swift_port',`
+	gen_require(`
+		type swift_port_t;
+	')
+
+	allow $1 swift_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to receive UDP traffic on the swift port.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_swift_port',`
+	gen_require(`
+		type swift_port_t;
+	')
+
+	dontaudit $1 swift_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+##	Send and receive UDP traffic on the swift port.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_swift_port',`
+	corenet_udp_send_swift_port($1)
+	corenet_udp_receive_swift_port($1)
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to send and receive
+##	UDP traffic on the swift port.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_swift_port',`
+	corenet_dontaudit_udp_send_swift_port($1)
+	corenet_dontaudit_udp_receive_swift_port($1)
+')
+
+########################################
+## <summary>
+##	Bind TCP sockets to the swift port.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_swift_port',`
+	gen_require(`
+		type swift_port_t;
+	')
+
+	allow $1 swift_port_t:tcp_socket name_bind;
+	allow $1 self:capability net_bind_service;
+')
+
+########################################
+## <summary>
+##	Bind UDP sockets to the swift port.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_swift_port',`
+	gen_require(`
+		type swift_port_t;
+	')
+
+	allow $1 swift_port_t:udp_socket name_bind;
+	allow $1 self:capability net_bind_service;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to sbind to swift port.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_bind_swift_port',`
+	gen_require(`
+		type swift_port_t;
+	')
+
+	dontaudit $1 swift_port_t:udp_socket name_bind;
+	allow $1 self:capability net_bind_service;
+')
+
+########################################
+## <summary>
+##	Make a TCP connection to the swift port.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_tcp_connect_swift_port',`
+	gen_require(`
+		type swift_port_t;
+	')
+
+	allow $1 swift_port_t:tcp_socket name_connect;
+')
+########################################
+## <summary>
+##	Do not audit attempts to make a TCP connection to swift port.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_dontaudit_tcp_connect_swift_port',`
+	gen_require(`
+		type swift_port_t;
+	')
+
+	dontaudit $1 swift_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+##	Send swift_client packets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_swift_client_packets',`
+	gen_require(`
+		type swift_client_packet_t;
+	')
+
+	allow $1 swift_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to send swift_client packets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_swift_client_packets',`
+	gen_require(`
+		type swift_client_packet_t;
+	')
+
+	dontaudit $1 swift_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+##	Receive swift_client packets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_swift_client_packets',`
+	gen_require(`
+		type swift_client_packet_t;
+	')
+
+	allow $1 swift_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to receive swift_client packets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_swift_client_packets',`
+	gen_require(`
+		type swift_client_packet_t;
+	')
+
+	dontaudit $1 swift_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+##	Send and receive swift_client packets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_swift_client_packets',`
+	corenet_send_swift_client_packets($1)
+	corenet_receive_swift_client_packets($1)
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to send and receive swift_client packets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_swift_client_packets',`
+	corenet_dontaudit_send_swift_client_packets($1)
+	corenet_dontaudit_receive_swift_client_packets($1)
+')
+
+########################################
+## <summary>
+##	Relabel packets to swift_client the packet type.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -107509,18 +110904,18 @@
 ##	</summary>
 ## </param>
 #
-interface(`corenet_relabelto_swat_client_packets',`
+interface(`corenet_relabelto_swift_client_packets',`
 	gen_require(`
-		type swat_client_packet_t;
+		type swift_client_packet_t;
 	')
 
-	allow $1 swat_client_packet_t:packet relabelto;
+	allow $1 swift_client_packet_t:packet relabelto;
 ')
 
 
 ########################################
 ## <summary>
-##	Send swat_server packets.
+##	Send swift_server packets.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -107529,17 +110924,17 @@
 ## </param>
 ## <infoflow type="write" weight="10"/>
 #
-interface(`corenet_send_swat_server_packets',`
+interface(`corenet_send_swift_server_packets',`
 	gen_require(`
-		type swat_server_packet_t;
+		type swift_server_packet_t;
 	')
 
-	allow $1 swat_server_packet_t:packet send;
+	allow $1 swift_server_packet_t:packet send;
 ')
 
 ########################################
 ## <summary>
-##	Do not audit attempts to send swat_server packets.
+##	Do not audit attempts to send swift_server packets.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -107548,17 +110943,17 @@
 ## </param>
 ## <infoflow type="none"/>
 #
-interface(`corenet_dontaudit_send_swat_server_packets',`
+interface(`corenet_dontaudit_send_swift_server_packets',`
 	gen_require(`
-		type swat_server_packet_t;
+		type swift_server_packet_t;
 	')
 
-	dontaudit $1 swat_server_packet_t:packet send;
+	dontaudit $1 swift_server_packet_t:packet send;
 ')
 
 ########################################
 ## <summary>
-##	Receive swat_server packets.
+##	Receive swift_server packets.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -107567,17 +110962,17 @@
 ## </param>
 ## <infoflow type="read" weight="10"/>
 #
-interface(`corenet_receive_swat_server_packets',`
+interface(`corenet_receive_swift_server_packets',`
 	gen_require(`
-		type swat_server_packet_t;
+		type swift_server_packet_t;
 	')
 
-	allow $1 swat_server_packet_t:packet recv;
+	allow $1 swift_server_packet_t:packet recv;
 ')
 
 ########################################
 ## <summary>
-##	Do not audit attempts to receive swat_server packets.
+##	Do not audit attempts to receive swift_server packets.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -107586,17 +110981,17 @@
 ## </param>
 ## <infoflow type="none"/>
 #
-interface(`corenet_dontaudit_receive_swat_server_packets',`
+interface(`corenet_dontaudit_receive_swift_server_packets',`
 	gen_require(`
-		type swat_server_packet_t;
+		type swift_server_packet_t;
 	')
 
-	dontaudit $1 swat_server_packet_t:packet recv;
+	dontaudit $1 swift_server_packet_t:packet recv;
 ')
 
 ########################################
 ## <summary>
-##	Send and receive swat_server packets.
+##	Send and receive swift_server packets.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -107605,14 +111000,14 @@
 ## </param>
 ## <infoflow type="both" weight="10"/>
 #
-interface(`corenet_sendrecv_swat_server_packets',`
-	corenet_send_swat_server_packets($1)
-	corenet_receive_swat_server_packets($1)
+interface(`corenet_sendrecv_swift_server_packets',`
+	corenet_send_swift_server_packets($1)
+	corenet_receive_swift_server_packets($1)
 ')
 
 ########################################
 ## <summary>
-##	Do not audit attempts to send and receive swat_server packets.
+##	Do not audit attempts to send and receive swift_server packets.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -107621,14 +111016,14 @@
 ## </param>
 ## <infoflow type="none"/>
 #
-interface(`corenet_dontaudit_sendrecv_swat_server_packets',`
-	corenet_dontaudit_send_swat_server_packets($1)
-	corenet_dontaudit_receive_swat_server_packets($1)
+interface(`corenet_dontaudit_sendrecv_swift_server_packets',`
+	corenet_dontaudit_send_swift_server_packets($1)
+	corenet_dontaudit_receive_swift_server_packets($1)
 ')
 
 ########################################
 ## <summary>
-##	Relabel packets to swat_server the packet type.
+##	Relabel packets to swift_server the packet type.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -107636,12 +111031,12 @@
 ##	</summary>
 ## </param>
 #
-interface(`corenet_relabelto_swat_server_packets',`
+interface(`corenet_relabelto_swift_server_packets',`
 	gen_require(`
-		type swat_server_packet_t;
+		type swift_server_packet_t;
 	')
 
-	allow $1 swat_server_packet_t:packet relabelto;
+	allow $1 swift_server_packet_t:packet relabelto;
 ')
 
 
@@ -112377,7 +115772,487 @@
 
 ########################################
 ## <summary>
-##	Do not audit attempts to receive transproxy_server packets.
+##	Do not audit attempts to receive transproxy_server packets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_transproxy_server_packets',`
+	gen_require(`
+		type transproxy_server_packet_t;
+	')
+
+	dontaudit $1 transproxy_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+##	Send and receive transproxy_server packets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_transproxy_server_packets',`
+	corenet_send_transproxy_server_packets($1)
+	corenet_receive_transproxy_server_packets($1)
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to send and receive transproxy_server packets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_transproxy_server_packets',`
+	corenet_dontaudit_send_transproxy_server_packets($1)
+	corenet_dontaudit_receive_transproxy_server_packets($1)
+')
+
+########################################
+## <summary>
+##	Relabel packets to transproxy_server the packet type.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_relabelto_transproxy_server_packets',`
+	gen_require(`
+		type transproxy_server_packet_t;
+	')
+
+	allow $1 transproxy_server_packet_t:packet relabelto;
+')
+
+
+
+
+########################################
+## <summary>
+##	Send and receive TCP traffic on the trisoap port.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_trisoap_port',`
+	gen_require(`
+		type trisoap_port_t;
+	')
+
+	allow $1 trisoap_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+##	Send UDP traffic on the trisoap port.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_trisoap_port',`
+	gen_require(`
+		type trisoap_port_t;
+	')
+
+	allow $1 trisoap_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to send UDP traffic on the trisoap port.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_trisoap_port',`
+	gen_require(`
+		type trisoap_port_t;
+	')
+
+	dontaudit $1 trisoap_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+##	Receive UDP traffic on the trisoap port.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_trisoap_port',`
+	gen_require(`
+		type trisoap_port_t;
+	')
+
+	allow $1 trisoap_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to receive UDP traffic on the trisoap port.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_trisoap_port',`
+	gen_require(`
+		type trisoap_port_t;
+	')
+
+	dontaudit $1 trisoap_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+##	Send and receive UDP traffic on the trisoap port.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_trisoap_port',`
+	corenet_udp_send_trisoap_port($1)
+	corenet_udp_receive_trisoap_port($1)
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to send and receive
+##	UDP traffic on the trisoap port.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_trisoap_port',`
+	corenet_dontaudit_udp_send_trisoap_port($1)
+	corenet_dontaudit_udp_receive_trisoap_port($1)
+')
+
+########################################
+## <summary>
+##	Bind TCP sockets to the trisoap port.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_trisoap_port',`
+	gen_require(`
+		type trisoap_port_t;
+	')
+
+	allow $1 trisoap_port_t:tcp_socket name_bind;
+	
+')
+
+########################################
+## <summary>
+##	Bind UDP sockets to the trisoap port.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_trisoap_port',`
+	gen_require(`
+		type trisoap_port_t;
+	')
+
+	allow $1 trisoap_port_t:udp_socket name_bind;
+	
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to sbind to trisoap port.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_bind_trisoap_port',`
+	gen_require(`
+		type trisoap_port_t;
+	')
+
+	dontaudit $1 trisoap_port_t:udp_socket name_bind;
+	
+')
+
+########################################
+## <summary>
+##	Make a TCP connection to the trisoap port.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_tcp_connect_trisoap_port',`
+	gen_require(`
+		type trisoap_port_t;
+	')
+
+	allow $1 trisoap_port_t:tcp_socket name_connect;
+')
+########################################
+## <summary>
+##	Do not audit attempts to make a TCP connection to trisoap port.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_dontaudit_tcp_connect_trisoap_port',`
+	gen_require(`
+		type trisoap_port_t;
+	')
+
+	dontaudit $1 trisoap_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+##	Send trisoap_client packets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_trisoap_client_packets',`
+	gen_require(`
+		type trisoap_client_packet_t;
+	')
+
+	allow $1 trisoap_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to send trisoap_client packets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_trisoap_client_packets',`
+	gen_require(`
+		type trisoap_client_packet_t;
+	')
+
+	dontaudit $1 trisoap_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+##	Receive trisoap_client packets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_trisoap_client_packets',`
+	gen_require(`
+		type trisoap_client_packet_t;
+	')
+
+	allow $1 trisoap_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to receive trisoap_client packets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_trisoap_client_packets',`
+	gen_require(`
+		type trisoap_client_packet_t;
+	')
+
+	dontaudit $1 trisoap_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+##	Send and receive trisoap_client packets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_trisoap_client_packets',`
+	corenet_send_trisoap_client_packets($1)
+	corenet_receive_trisoap_client_packets($1)
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to send and receive trisoap_client packets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_trisoap_client_packets',`
+	corenet_dontaudit_send_trisoap_client_packets($1)
+	corenet_dontaudit_receive_trisoap_client_packets($1)
+')
+
+########################################
+## <summary>
+##	Relabel packets to trisoap_client the packet type.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_relabelto_trisoap_client_packets',`
+	gen_require(`
+		type trisoap_client_packet_t;
+	')
+
+	allow $1 trisoap_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+##	Send trisoap_server packets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_trisoap_server_packets',`
+	gen_require(`
+		type trisoap_server_packet_t;
+	')
+
+	allow $1 trisoap_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to send trisoap_server packets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_trisoap_server_packets',`
+	gen_require(`
+		type trisoap_server_packet_t;
+	')
+
+	dontaudit $1 trisoap_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+##	Receive trisoap_server packets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_trisoap_server_packets',`
+	gen_require(`
+		type trisoap_server_packet_t;
+	')
+
+	allow $1 trisoap_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to receive trisoap_server packets.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -112386,17 +116261,17 @@
 ## </param>
 ## <infoflow type="none"/>
 #
-interface(`corenet_dontaudit_receive_transproxy_server_packets',`
+interface(`corenet_dontaudit_receive_trisoap_server_packets',`
 	gen_require(`
-		type transproxy_server_packet_t;
+		type trisoap_server_packet_t;
 	')
 
-	dontaudit $1 transproxy_server_packet_t:packet recv;
+	dontaudit $1 trisoap_server_packet_t:packet recv;
 ')
 
 ########################################
 ## <summary>
-##	Send and receive transproxy_server packets.
+##	Send and receive trisoap_server packets.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -112405,14 +116280,14 @@
 ## </param>
 ## <infoflow type="both" weight="10"/>
 #
-interface(`corenet_sendrecv_transproxy_server_packets',`
-	corenet_send_transproxy_server_packets($1)
-	corenet_receive_transproxy_server_packets($1)
+interface(`corenet_sendrecv_trisoap_server_packets',`
+	corenet_send_trisoap_server_packets($1)
+	corenet_receive_trisoap_server_packets($1)
 ')
 
 ########################################
 ## <summary>
-##	Do not audit attempts to send and receive transproxy_server packets.
+##	Do not audit attempts to send and receive trisoap_server packets.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -112421,14 +116296,14 @@
 ## </param>
 ## <infoflow type="none"/>
 #
-interface(`corenet_dontaudit_sendrecv_transproxy_server_packets',`
-	corenet_dontaudit_send_transproxy_server_packets($1)
-	corenet_dontaudit_receive_transproxy_server_packets($1)
+interface(`corenet_dontaudit_sendrecv_trisoap_server_packets',`
+	corenet_dontaudit_send_trisoap_server_packets($1)
+	corenet_dontaudit_receive_trisoap_server_packets($1)
 ')
 
 ########################################
 ## <summary>
-##	Relabel packets to transproxy_server the packet type.
+##	Relabel packets to trisoap_server the packet type.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -112436,12 +116311,12 @@
 ##	</summary>
 ## </param>
 #
-interface(`corenet_relabelto_transproxy_server_packets',`
+interface(`corenet_relabelto_trisoap_server_packets',`
 	gen_require(`
-		type transproxy_server_packet_t;
+		type trisoap_server_packet_t;
 	')
 
-	allow $1 transproxy_server_packet_t:packet relabelto;
+	allow $1 trisoap_server_packet_t:packet relabelto;
 ')
 
 
@@ -112449,7 +116324,7 @@
 
 ########################################
 ## <summary>
-##	Send and receive TCP traffic on the trisoap port.
+##	Send and receive TCP traffic on the trivnet1 port.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -112458,17 +116333,17 @@
 ## </param>
 ## <infoflow type="both" weight="10"/>
 #
-interface(`corenet_tcp_sendrecv_trisoap_port',`
+interface(`corenet_tcp_sendrecv_trivnet1_port',`
 	gen_require(`
-		type trisoap_port_t;
+		type trivnet1_port_t;
 	')
 
-	allow $1 trisoap_port_t:tcp_socket { send_msg recv_msg };
+	allow $1 trivnet1_port_t:tcp_socket { send_msg recv_msg };
 ')
 
 ########################################
 ## <summary>
-##	Send UDP traffic on the trisoap port.
+##	Send UDP traffic on the trivnet1 port.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -112477,17 +116352,17 @@
 ## </param>
 ## <infoflow type="write" weight="10"/>
 #
-interface(`corenet_udp_send_trisoap_port',`
+interface(`corenet_udp_send_trivnet1_port',`
 	gen_require(`
-		type trisoap_port_t;
+		type trivnet1_port_t;
 	')
 
-	allow $1 trisoap_port_t:udp_socket send_msg;
+	allow $1 trivnet1_port_t:udp_socket send_msg;
 ')
 
 ########################################
 ## <summary>
-##	Do not audit attempts to send UDP traffic on the trisoap port.
+##	Do not audit attempts to send UDP traffic on the trivnet1 port.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -112496,17 +116371,17 @@
 ## </param>
 ## <infoflow type="none"/>
 #
-interface(`corenet_dontaudit_udp_send_trisoap_port',`
+interface(`corenet_dontaudit_udp_send_trivnet1_port',`
 	gen_require(`
-		type trisoap_port_t;
+		type trivnet1_port_t;
 	')
 
-	dontaudit $1 trisoap_port_t:udp_socket send_msg;
+	dontaudit $1 trivnet1_port_t:udp_socket send_msg;
 ')
 
 ########################################
 ## <summary>
-##	Receive UDP traffic on the trisoap port.
+##	Receive UDP traffic on the trivnet1 port.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -112515,17 +116390,17 @@
 ## </param>
 ## <infoflow type="read" weight="10"/>
 #
-interface(`corenet_udp_receive_trisoap_port',`
+interface(`corenet_udp_receive_trivnet1_port',`
 	gen_require(`
-		type trisoap_port_t;
+		type trivnet1_port_t;
 	')
 
-	allow $1 trisoap_port_t:udp_socket recv_msg;
+	allow $1 trivnet1_port_t:udp_socket recv_msg;
 ')
 
 ########################################
 ## <summary>
-##	Do not audit attempts to receive UDP traffic on the trisoap port.
+##	Do not audit attempts to receive UDP traffic on the trivnet1 port.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -112534,17 +116409,17 @@
 ## </param>
 ## <infoflow type="none"/>
 #
-interface(`corenet_dontaudit_udp_receive_trisoap_port',`
+interface(`corenet_dontaudit_udp_receive_trivnet1_port',`
 	gen_require(`
-		type trisoap_port_t;
+		type trivnet1_port_t;
 	')
 
-	dontaudit $1 trisoap_port_t:udp_socket recv_msg;
+	dontaudit $1 trivnet1_port_t:udp_socket recv_msg;
 ')
 
 ########################################
 ## <summary>
-##	Send and receive UDP traffic on the trisoap port.
+##	Send and receive UDP traffic on the trivnet1 port.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -112553,15 +116428,15 @@
 ## </param>
 ## <infoflow type="both" weight="10"/>
 #
-interface(`corenet_udp_sendrecv_trisoap_port',`
-	corenet_udp_send_trisoap_port($1)
-	corenet_udp_receive_trisoap_port($1)
+interface(`corenet_udp_sendrecv_trivnet1_port',`
+	corenet_udp_send_trivnet1_port($1)
+	corenet_udp_receive_trivnet1_port($1)
 ')
 
 ########################################
 ## <summary>
 ##	Do not audit attempts to send and receive
-##	UDP traffic on the trisoap port.
+##	UDP traffic on the trivnet1 port.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -112570,14 +116445,14 @@
 ## </param>
 ## <infoflow type="none"/>
 #
-interface(`corenet_dontaudit_udp_sendrecv_trisoap_port',`
-	corenet_dontaudit_udp_send_trisoap_port($1)
-	corenet_dontaudit_udp_receive_trisoap_port($1)
+interface(`corenet_dontaudit_udp_sendrecv_trivnet1_port',`
+	corenet_dontaudit_udp_send_trivnet1_port($1)
+	corenet_dontaudit_udp_receive_trivnet1_port($1)
 ')
 
 ########################################
 ## <summary>
-##	Bind TCP sockets to the trisoap port.
+##	Bind TCP sockets to the trivnet1 port.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -112586,18 +116461,18 @@
 ## </param>
 ## <infoflow type="none"/>
 #
-interface(`corenet_tcp_bind_trisoap_port',`
+interface(`corenet_tcp_bind_trivnet1_port',`
 	gen_require(`
-		type trisoap_port_t;
+		type trivnet1_port_t;
 	')
 
-	allow $1 trisoap_port_t:tcp_socket name_bind;
+	allow $1 trivnet1_port_t:tcp_socket name_bind;
 	
 ')
 
 ########################################
 ## <summary>
-##	Bind UDP sockets to the trisoap port.
+##	Bind UDP sockets to the trivnet1 port.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -112606,18 +116481,18 @@
 ## </param>
 ## <infoflow type="none"/>
 #
-interface(`corenet_udp_bind_trisoap_port',`
+interface(`corenet_udp_bind_trivnet1_port',`
 	gen_require(`
-		type trisoap_port_t;
+		type trivnet1_port_t;
 	')
 
-	allow $1 trisoap_port_t:udp_socket name_bind;
+	allow $1 trivnet1_port_t:udp_socket name_bind;
 	
 ')
 
 ########################################
 ## <summary>
-##	Do not audit attempts to sbind to trisoap port.
+##	Do not audit attempts to sbind to trivnet1 port.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -112626,18 +116501,18 @@
 ## </param>
 ## <infoflow type="none"/>
 #
-interface(`corenet_dontaudit_udp_bind_trisoap_port',`
+interface(`corenet_dontaudit_udp_bind_trivnet1_port',`
 	gen_require(`
-		type trisoap_port_t;
+		type trivnet1_port_t;
 	')
 
-	dontaudit $1 trisoap_port_t:udp_socket name_bind;
+	dontaudit $1 trivnet1_port_t:udp_socket name_bind;
 	
 ')
 
 ########################################
 ## <summary>
-##	Make a TCP connection to the trisoap port.
+##	Make a TCP connection to the trivnet1 port.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -112645,16 +116520,16 @@
 ##	</summary>
 ## </param>
 #
-interface(`corenet_tcp_connect_trisoap_port',`
+interface(`corenet_tcp_connect_trivnet1_port',`
 	gen_require(`
-		type trisoap_port_t;
+		type trivnet1_port_t;
 	')
 
-	allow $1 trisoap_port_t:tcp_socket name_connect;
+	allow $1 trivnet1_port_t:tcp_socket name_connect;
 ')
 ########################################
 ## <summary>
-##	Do not audit attempts to make a TCP connection to trisoap port.
+##	Do not audit attempts to make a TCP connection to trivnet1 port.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -112662,18 +116537,18 @@
 ##	</summary>
 ## </param>
 #
-interface(`corenet_dontaudit_tcp_connect_trisoap_port',`
+interface(`corenet_dontaudit_tcp_connect_trivnet1_port',`
 	gen_require(`
-		type trisoap_port_t;
+		type trivnet1_port_t;
 	')
 
-	dontaudit $1 trisoap_port_t:tcp_socket name_connect;
+	dontaudit $1 trivnet1_port_t:tcp_socket name_connect;
 ')
 
 
 ########################################
 ## <summary>
-##	Send trisoap_client packets.
+##	Send trivnet1_client packets.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -112682,17 +116557,17 @@
 ## </param>
 ## <infoflow type="write" weight="10"/>
 #
-interface(`corenet_send_trisoap_client_packets',`
+interface(`corenet_send_trivnet1_client_packets',`
 	gen_require(`
-		type trisoap_client_packet_t;
+		type trivnet1_client_packet_t;
 	')
 
-	allow $1 trisoap_client_packet_t:packet send;
+	allow $1 trivnet1_client_packet_t:packet send;
 ')
 
 ########################################
 ## <summary>
-##	Do not audit attempts to send trisoap_client packets.
+##	Do not audit attempts to send trivnet1_client packets.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -112701,17 +116576,17 @@
 ## </param>
 ## <infoflow type="none"/>
 #
-interface(`corenet_dontaudit_send_trisoap_client_packets',`
+interface(`corenet_dontaudit_send_trivnet1_client_packets',`
 	gen_require(`
-		type trisoap_client_packet_t;
+		type trivnet1_client_packet_t;
 	')
 
-	dontaudit $1 trisoap_client_packet_t:packet send;
+	dontaudit $1 trivnet1_client_packet_t:packet send;
 ')
 
 ########################################
 ## <summary>
-##	Receive trisoap_client packets.
+##	Receive trivnet1_client packets.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -112720,17 +116595,17 @@
 ## </param>
 ## <infoflow type="read" weight="10"/>
 #
-interface(`corenet_receive_trisoap_client_packets',`
+interface(`corenet_receive_trivnet1_client_packets',`
 	gen_require(`
-		type trisoap_client_packet_t;
+		type trivnet1_client_packet_t;
 	')
 
-	allow $1 trisoap_client_packet_t:packet recv;
+	allow $1 trivnet1_client_packet_t:packet recv;
 ')
 
 ########################################
 ## <summary>
-##	Do not audit attempts to receive trisoap_client packets.
+##	Do not audit attempts to receive trivnet1_client packets.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -112739,17 +116614,17 @@
 ## </param>
 ## <infoflow type="none"/>
 #
-interface(`corenet_dontaudit_receive_trisoap_client_packets',`
+interface(`corenet_dontaudit_receive_trivnet1_client_packets',`
 	gen_require(`
-		type trisoap_client_packet_t;
+		type trivnet1_client_packet_t;
 	')
 
-	dontaudit $1 trisoap_client_packet_t:packet recv;
+	dontaudit $1 trivnet1_client_packet_t:packet recv;
 ')
 
 ########################################
 ## <summary>
-##	Send and receive trisoap_client packets.
+##	Send and receive trivnet1_client packets.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -112758,14 +116633,14 @@
 ## </param>
 ## <infoflow type="both" weight="10"/>
 #
-interface(`corenet_sendrecv_trisoap_client_packets',`
-	corenet_send_trisoap_client_packets($1)
-	corenet_receive_trisoap_client_packets($1)
+interface(`corenet_sendrecv_trivnet1_client_packets',`
+	corenet_send_trivnet1_client_packets($1)
+	corenet_receive_trivnet1_client_packets($1)
 ')
 
 ########################################
 ## <summary>
-##	Do not audit attempts to send and receive trisoap_client packets.
+##	Do not audit attempts to send and receive trivnet1_client packets.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -112774,14 +116649,14 @@
 ## </param>
 ## <infoflow type="none"/>
 #
-interface(`corenet_dontaudit_sendrecv_trisoap_client_packets',`
-	corenet_dontaudit_send_trisoap_client_packets($1)
-	corenet_dontaudit_receive_trisoap_client_packets($1)
+interface(`corenet_dontaudit_sendrecv_trivnet1_client_packets',`
+	corenet_dontaudit_send_trivnet1_client_packets($1)
+	corenet_dontaudit_receive_trivnet1_client_packets($1)
 ')
 
 ########################################
 ## <summary>
-##	Relabel packets to trisoap_client the packet type.
+##	Relabel packets to trivnet1_client the packet type.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -112789,18 +116664,18 @@
 ##	</summary>
 ## </param>
 #
-interface(`corenet_relabelto_trisoap_client_packets',`
+interface(`corenet_relabelto_trivnet1_client_packets',`
 	gen_require(`
-		type trisoap_client_packet_t;
+		type trivnet1_client_packet_t;
 	')
 
-	allow $1 trisoap_client_packet_t:packet relabelto;
+	allow $1 trivnet1_client_packet_t:packet relabelto;
 ')
 
 
 ########################################
 ## <summary>
-##	Send trisoap_server packets.
+##	Send trivnet1_server packets.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -112809,17 +116684,17 @@
 ## </param>
 ## <infoflow type="write" weight="10"/>
 #
-interface(`corenet_send_trisoap_server_packets',`
+interface(`corenet_send_trivnet1_server_packets',`
 	gen_require(`
-		type trisoap_server_packet_t;
+		type trivnet1_server_packet_t;
 	')
 
-	allow $1 trisoap_server_packet_t:packet send;
+	allow $1 trivnet1_server_packet_t:packet send;
 ')
 
 ########################################
 ## <summary>
-##	Do not audit attempts to send trisoap_server packets.
+##	Do not audit attempts to send trivnet1_server packets.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -112828,17 +116703,17 @@
 ## </param>
 ## <infoflow type="none"/>
 #
-interface(`corenet_dontaudit_send_trisoap_server_packets',`
+interface(`corenet_dontaudit_send_trivnet1_server_packets',`
 	gen_require(`
-		type trisoap_server_packet_t;
+		type trivnet1_server_packet_t;
 	')
 
-	dontaudit $1 trisoap_server_packet_t:packet send;
+	dontaudit $1 trivnet1_server_packet_t:packet send;
 ')
 
 ########################################
 ## <summary>
-##	Receive trisoap_server packets.
+##	Receive trivnet1_server packets.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -112847,17 +116722,17 @@
 ## </param>
 ## <infoflow type="read" weight="10"/>
 #
-interface(`corenet_receive_trisoap_server_packets',`
+interface(`corenet_receive_trivnet1_server_packets',`
 	gen_require(`
-		type trisoap_server_packet_t;
+		type trivnet1_server_packet_t;
 	')
 
-	allow $1 trisoap_server_packet_t:packet recv;
+	allow $1 trivnet1_server_packet_t:packet recv;
 ')
 
 ########################################
 ## <summary>
-##	Do not audit attempts to receive trisoap_server packets.
+##	Do not audit attempts to receive trivnet1_server packets.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -112866,17 +116741,17 @@
 ## </param>
 ## <infoflow type="none"/>
 #
-interface(`corenet_dontaudit_receive_trisoap_server_packets',`
+interface(`corenet_dontaudit_receive_trivnet1_server_packets',`
 	gen_require(`
-		type trisoap_server_packet_t;
+		type trivnet1_server_packet_t;
 	')
 
-	dontaudit $1 trisoap_server_packet_t:packet recv;
+	dontaudit $1 trivnet1_server_packet_t:packet recv;
 ')
 
 ########################################
 ## <summary>
-##	Send and receive trisoap_server packets.
+##	Send and receive trivnet1_server packets.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -112885,14 +116760,14 @@
 ## </param>
 ## <infoflow type="both" weight="10"/>
 #
-interface(`corenet_sendrecv_trisoap_server_packets',`
-	corenet_send_trisoap_server_packets($1)
-	corenet_receive_trisoap_server_packets($1)
+interface(`corenet_sendrecv_trivnet1_server_packets',`
+	corenet_send_trivnet1_server_packets($1)
+	corenet_receive_trivnet1_server_packets($1)
 ')
 
 ########################################
 ## <summary>
-##	Do not audit attempts to send and receive trisoap_server packets.
+##	Do not audit attempts to send and receive trivnet1_server packets.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -112901,14 +116776,14 @@
 ## </param>
 ## <infoflow type="none"/>
 #
-interface(`corenet_dontaudit_sendrecv_trisoap_server_packets',`
-	corenet_dontaudit_send_trisoap_server_packets($1)
-	corenet_dontaudit_receive_trisoap_server_packets($1)
+interface(`corenet_dontaudit_sendrecv_trivnet1_server_packets',`
+	corenet_dontaudit_send_trivnet1_server_packets($1)
+	corenet_dontaudit_receive_trivnet1_server_packets($1)
 ')
 
 ########################################
 ## <summary>
-##	Relabel packets to trisoap_server the packet type.
+##	Relabel packets to trivnet1_server the packet type.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -112916,12 +116791,12 @@
 ##	</summary>
 ## </param>
 #
-interface(`corenet_relabelto_trisoap_server_packets',`
+interface(`corenet_relabelto_trivnet1_server_packets',`
 	gen_require(`
-		type trisoap_server_packet_t;
+		type trivnet1_server_packet_t;
 	')
 
-	allow $1 trisoap_server_packet_t:packet relabelto;
+	allow $1 trivnet1_server_packet_t:packet relabelto;
 ')
 
 
@@ -114365,6 +118240,486 @@
 ')
 
 
+
+
+########################################
+## <summary>
+##	Send and receive TCP traffic on the us_cli port.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_us_cli_port',`
+	gen_require(`
+		type us_cli_port_t;
+	')
+
+	allow $1 us_cli_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+##	Send UDP traffic on the us_cli port.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_us_cli_port',`
+	gen_require(`
+		type us_cli_port_t;
+	')
+
+	allow $1 us_cli_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to send UDP traffic on the us_cli port.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_us_cli_port',`
+	gen_require(`
+		type us_cli_port_t;
+	')
+
+	dontaudit $1 us_cli_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+##	Receive UDP traffic on the us_cli port.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_us_cli_port',`
+	gen_require(`
+		type us_cli_port_t;
+	')
+
+	allow $1 us_cli_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to receive UDP traffic on the us_cli port.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_us_cli_port',`
+	gen_require(`
+		type us_cli_port_t;
+	')
+
+	dontaudit $1 us_cli_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+##	Send and receive UDP traffic on the us_cli port.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_us_cli_port',`
+	corenet_udp_send_us_cli_port($1)
+	corenet_udp_receive_us_cli_port($1)
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to send and receive
+##	UDP traffic on the us_cli port.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_us_cli_port',`
+	corenet_dontaudit_udp_send_us_cli_port($1)
+	corenet_dontaudit_udp_receive_us_cli_port($1)
+')
+
+########################################
+## <summary>
+##	Bind TCP sockets to the us_cli port.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_us_cli_port',`
+	gen_require(`
+		type us_cli_port_t;
+	')
+
+	allow $1 us_cli_port_t:tcp_socket name_bind;
+	
+')
+
+########################################
+## <summary>
+##	Bind UDP sockets to the us_cli port.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_us_cli_port',`
+	gen_require(`
+		type us_cli_port_t;
+	')
+
+	allow $1 us_cli_port_t:udp_socket name_bind;
+	
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to sbind to us_cli port.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_bind_us_cli_port',`
+	gen_require(`
+		type us_cli_port_t;
+	')
+
+	dontaudit $1 us_cli_port_t:udp_socket name_bind;
+	
+')
+
+########################################
+## <summary>
+##	Make a TCP connection to the us_cli port.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_tcp_connect_us_cli_port',`
+	gen_require(`
+		type us_cli_port_t;
+	')
+
+	allow $1 us_cli_port_t:tcp_socket name_connect;
+')
+########################################
+## <summary>
+##	Do not audit attempts to make a TCP connection to us_cli port.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_dontaudit_tcp_connect_us_cli_port',`
+	gen_require(`
+		type us_cli_port_t;
+	')
+
+	dontaudit $1 us_cli_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+##	Send us_cli_client packets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_us_cli_client_packets',`
+	gen_require(`
+		type us_cli_client_packet_t;
+	')
+
+	allow $1 us_cli_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to send us_cli_client packets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_us_cli_client_packets',`
+	gen_require(`
+		type us_cli_client_packet_t;
+	')
+
+	dontaudit $1 us_cli_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+##	Receive us_cli_client packets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_us_cli_client_packets',`
+	gen_require(`
+		type us_cli_client_packet_t;
+	')
+
+	allow $1 us_cli_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to receive us_cli_client packets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_us_cli_client_packets',`
+	gen_require(`
+		type us_cli_client_packet_t;
+	')
+
+	dontaudit $1 us_cli_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+##	Send and receive us_cli_client packets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_us_cli_client_packets',`
+	corenet_send_us_cli_client_packets($1)
+	corenet_receive_us_cli_client_packets($1)
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to send and receive us_cli_client packets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_us_cli_client_packets',`
+	corenet_dontaudit_send_us_cli_client_packets($1)
+	corenet_dontaudit_receive_us_cli_client_packets($1)
+')
+
+########################################
+## <summary>
+##	Relabel packets to us_cli_client the packet type.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_relabelto_us_cli_client_packets',`
+	gen_require(`
+		type us_cli_client_packet_t;
+	')
+
+	allow $1 us_cli_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+##	Send us_cli_server packets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_us_cli_server_packets',`
+	gen_require(`
+		type us_cli_server_packet_t;
+	')
+
+	allow $1 us_cli_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to send us_cli_server packets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_us_cli_server_packets',`
+	gen_require(`
+		type us_cli_server_packet_t;
+	')
+
+	dontaudit $1 us_cli_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+##	Receive us_cli_server packets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_us_cli_server_packets',`
+	gen_require(`
+		type us_cli_server_packet_t;
+	')
+
+	allow $1 us_cli_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to receive us_cli_server packets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_us_cli_server_packets',`
+	gen_require(`
+		type us_cli_server_packet_t;
+	')
+
+	dontaudit $1 us_cli_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+##	Send and receive us_cli_server packets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_us_cli_server_packets',`
+	corenet_send_us_cli_server_packets($1)
+	corenet_receive_us_cli_server_packets($1)
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to send and receive us_cli_server packets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_us_cli_server_packets',`
+	corenet_dontaudit_send_us_cli_server_packets($1)
+	corenet_dontaudit_receive_us_cli_server_packets($1)
+')
+
+########################################
+## <summary>
+##	Relabel packets to us_cli_server the packet type.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_relabelto_us_cli_server_packets',`
+	gen_require(`
+		type us_cli_server_packet_t;
+	')
+
+	allow $1 us_cli_server_packet_t:packet relabelto;
+')
+
+
 
 
 ########################################
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/kernel/devices.if centos-7.1.1503/usr/share/selinux/devel/include/kernel/devices.if
--- centos-7.0.1406/usr/share/selinux/devel/include/kernel/devices.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/kernel/devices.if	2015-03-06 06:53:47.000000000 +0100
@@ -1110,6 +1110,25 @@
 
 ########################################
 ## <summary>
+##	Allow getattr on all device nodes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_getattr_all',`
+	gen_require(`
+		attribute device_node;
+		type device_t;
+	')
+
+	allow $1 { device_t device_node }:dir_file_class_set getattr;
+')
+
+########################################
+## <summary>
 ##	Getattr on all block file device nodes.
 ## </summary>
 ## <param name="domain">
@@ -2256,7 +2275,6 @@
     allow $1 event_device_t:chr_file rw_inherited_chr_file_perms;
 ')
 
-
 ########################################
 ## <summary>
 ##	Read ipmi devices.
@@ -2295,6 +2313,44 @@
 
 ########################################
 ## <summary>
+##	Read infiniband devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_read_infiniband_dev',`
+	gen_require(`
+		type device_t, infiniband_device_t;
+	')
+
+	read_chr_files_pattern($1, device_t, infiniband_device_t)
+    read_blk_files_pattern($1, device_t, infiniband_device_t)
+')
+
+########################################
+## <summary>
+##	Read and write ipmi devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_rw_infiniband_dev',`
+	gen_require(`
+		type device_t, infiniband_device_t;
+	')
+
+	rw_chr_files_pattern($1, device_t, infiniband_device_t)
+    rw_blk_files_pattern($1, device_t, infiniband_device_t)
+')
+
+########################################
+## <summary>
 ##	Get the attributes of the framebuffer device node.
 ## </summary>
 ## <param name="domain">
@@ -3179,6 +3235,78 @@
 
 ########################################
 ## <summary>
+##	Get the attributes of the monitor devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_getattr_monitor_dev',`
+	gen_require(`
+		type device_t, monitor_device_t;
+	')
+
+	getattr_chr_files_pattern($1, device_t, monitor_device_t)
+')
+
+########################################
+## <summary>
+##	Set the attributes of the monitor devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_setattr_monitor_dev',`
+	gen_require(`
+		type device_t, monitor_device_t;
+	')
+
+	setattr_chr_files_pattern($1, device_t, monitor_device_t)
+')
+
+########################################
+## <summary>
+##	Read the monitor devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_read_monitor_dev',`
+	gen_require(`
+		type device_t, monitor_device_t;
+	')
+
+	read_chr_files_pattern($1, device_t, monitor_device_t)
+')
+
+########################################
+## <summary>
+##	Read and write to monitor devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_rw_monitor_dev',`
+	gen_require(`
+		type device_t, monitor_device_t;
+	')
+
+	rw_chr_files_pattern($1, device_t, monitor_device_t)
+')
+
+########################################
+## <summary>
 ##	Get the attributes of the mouse devices.
 ## </summary>
 ## <param name="domain">
@@ -4747,7 +4875,7 @@
 #
 interface(`dev_getattr_generic_usb_dev',`
 	gen_require(`
-		type usb_device_t;
+		type usb_device_t,device_t;
 	')
 
 	getattr_chr_files_pattern($1, device_t, usb_device_t)
@@ -5532,6 +5660,24 @@
 
 ########################################
 ## <summary>
+##	Dontaudit attempts to Read and write X server miscellaneous devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`dev_dontaudit_leaked_xserver_misc',`
+	gen_require(`
+		type xserver_misc_device_t;
+	')
+
+	dontaudit $1 xserver_misc_device_t:chr_file { read write };
+')
+
+########################################
+## <summary>
 ##	Read and write X server miscellaneous devices.
 ## </summary>
 ## <param name="domain">
@@ -5717,6 +5863,24 @@
 
 ########################################
 ## <summary>
+##	Read and write uhid devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_rw_uhid_dev',`
+	gen_require(`
+		type device_t, uhid_device_t;
+	')
+
+	rw_chr_files_pattern($1, device_t, uhid_device_t)
+')
+
+########################################
+## <summary>
 ##	Create all named devices with the correct label
 ## </summary>
 ## <param name="domain">
@@ -5815,6 +5979,7 @@
 	type cpu_device_t;
 	type scanner_device_t;
 	type modem_device_t;
+    type monitor_device_t;
 	type vhost_device_t;
 	type netcontrol_device_t;
 	type nvram_device_t;
@@ -6153,6 +6318,7 @@
 	filetrans_pattern($1, device_t, sound_device_t, chr_file, "mixer9")
 	filetrans_pattern($1, device_t, scanner_device_t, chr_file, "mmetfgrab")
 	filetrans_pattern($1, device_t, modem_device_t, chr_file, "modem")
+	filetrans_pattern($1, device_t, monitor_device_t, chr_file, "monwriter")
 	filetrans_pattern($1, device_t, sound_device_t, chr_file, "mpu4010")
 	filetrans_pattern($1, device_t, sound_device_t, chr_file, "mpu4011")
 	filetrans_pattern($1, device_t, sound_device_t, chr_file, "mpu4012")
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/kernel/domain.if centos-7.1.1503/usr/share/selinux/devel/include/kernel/domain.if
--- centos-7.0.1406/usr/share/selinux/devel/include/kernel/domain.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/kernel/domain.if	2015-03-06 06:53:47.000000000 +0100
@@ -566,6 +566,25 @@
 
 ########################################
 ## <summary>
+##	Destroy all domains semaphores
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`domain_destroy_all_semaphores',`
+	gen_require(`
+		attribute domain;
+	')
+
+	allow $1 domain:sem destroy;
+')
+
+########################################
+## <summary>
 ##	Search the process state directory (/proc/pid) of all domains.
 ## </summary>
 ## <param name="domain">
@@ -1434,7 +1453,7 @@
 ## <summary>
 ##	Ability to mmap a low area of the address
 ##	space conditionally, as configured by
-##	/proc/sys/kernel/mmap_min_addr.
+##	/proc/sys/vm/mmap_min_addr.
 ##	Preventing such mappings helps protect against
 ##	exploiting null deref bugs in the kernel.
 ## </summary>
@@ -1461,7 +1480,7 @@
 ## <summary>
 ##	Ability to mmap a low area of the address
 ##	space unconditionally, as configured
-##	by /proc/sys/kernel/mmap_min_addr.
+##	by /proc/sys/vm/mmap_min_addr.
 ##	Preventing such mappings helps protect against
 ##	exploiting null deref bugs in the kernel.
 ## </summary>
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/kernel/files.if centos-7.1.1503/usr/share/selinux/devel/include/kernel/files.if
--- centos-7.0.1406/usr/share/selinux/devel/include/kernel/files.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/kernel/files.if	2015-03-06 06:53:47.000000000 +0100
@@ -748,6 +748,42 @@
 
 ########################################
 ## <summary>
+##	Get the attributes of all chr files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_getattr_all_chr_files',`
+	gen_require(`
+		attribute file_type;
+	')
+
+	getattr_chr_files_pattern($1, file_type, file_type)
+')
+
+########################################
+## <summary>
+##	Get the attributes of all blk files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_getattr_all_blk_files',`
+	gen_require(`
+		attribute file_type;
+	')
+
+	getattr_blk_files_pattern($1, file_type, file_type)
+')
+
+########################################
+## <summary>
 ##	Do not audit attempts to get the attributes
 ##	of all files.
 ## </summary>
@@ -982,6 +1018,24 @@
 
 ########################################
 ## <summary>
+##	Search all base file dirs.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_search_base_file_types',`
+	gen_require(`
+		attribute base_file_type;
+	')
+
+	allow $1 base_file_type:dir search_dir_perms;
+')
+
+########################################
+## <summary>
 ##	Relabel all base file types.
 ## </summary>
 ## <param name="domain">
@@ -1935,24 +1989,6 @@
 
 ########################################
 ## <summary>
-##	List the directory of all mount points.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`files_list_all_mountpoints',`
-	gen_require(`
-		attribute mountpoint;
-	')
-
-	allow $1 mountpoint:dir list_dir_perms;
-')
-
-########################################
-## <summary>
 ##	Set the attributes of all mount points.
 ## </summary>
 ## <param name="domain">
@@ -2043,6 +2079,24 @@
 
 ########################################
 ## <summary>
+##	List all mount points.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_list_all_mountpoints',`
+	gen_require(`
+		attribute mountpoint;
+	')
+
+	allow $1 mountpoint:dir list_dir_perms;
+')
+
+########################################
+## <summary>
 ##	Do not audit listing of all mount points.
 ## </summary>
 ## <param name="domain">
@@ -2115,6 +2169,24 @@
 
 ########################################
 ## <summary>
+##	Read  all mountpoint symbolic links.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_read_all_mountpoint_symlinks',`
+	gen_require(`
+		attribute mountpoint;
+	')
+
+    allow $1 mountpoint:lnk_file read_lnk_file_perms;
+')
+
+########################################
+## <summary>
 ##	Write all file type directories.
 ## </summary>
 ## <param name="domain">
@@ -2425,6 +2497,24 @@
 
 ########################################
 ## <summary>
+##	Mount a filesystem on the root file system
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_dontaudit_mounton_rootfs',`
+	gen_require(`
+		type root_t;
+	')
+
+	dontaudit $1 root_t:dir mounton;
+')
+
+########################################
+## <summary>
 ##	Get attributes of the /boot directory.
 ## </summary>
 ## <param name="domain">
@@ -3696,10 +3786,10 @@
 #
 interface(`files_getattr_isid_type_dirs',`
 	gen_require(`
-		type file_t;
+		type unlabeled_t;
 	')
 
-	allow $1 file_t:dir getattr;
+	allow $1 unlabeled_t:dir getattr;
 ')
 
 ########################################
@@ -3734,10 +3824,10 @@
 #
 interface(`files_setattr_isid_type_dirs',`
 	gen_require(`
-		type file_t;
+		type unlabeled_t;
 	')
 
-	allow $1 file_t:dir setattr;
+	allow $1 unlabeled_t:dir setattr;
 ')
 
 ########################################
@@ -3753,10 +3843,10 @@
 #
 interface(`files_dontaudit_search_isid_type_dirs',`
 	gen_require(`
-		type file_t;
+		type unlabeled_t;
 	')
 
-	dontaudit $1 file_t:dir search_dir_perms;
+	dontaudit $1 unlabeled_t:dir search_dir_perms;
 ')
 
 ########################################
@@ -3772,10 +3862,10 @@
 #
 interface(`files_list_isid_type_dirs',`
 	gen_require(`
-		type file_t;
+		type unlabeled_t;
 	')
 
-	allow $1 file_t:dir list_dir_perms;
+	allow $1 unlabeled_t:dir list_dir_perms;
 ')
 
 ########################################
@@ -3791,10 +3881,10 @@
 #
 interface(`files_rw_isid_type_dirs',`
 	gen_require(`
-		type file_t;
+		type unlabeled_t;
 	')
 
-	allow $1 file_t:dir rw_dir_perms;
+	allow $1 unlabeled_t:dir rw_dir_perms;
 ')
 
 ########################################
@@ -3810,10 +3900,10 @@
 #
 interface(`files_delete_isid_type_dirs',`
 	gen_require(`
-		type file_t;
+		type unlabeled_t;
 	')
 
-	delete_dirs_pattern($1, file_t, file_t)
+	delete_dirs_pattern($1, unlabeled_t, unlabeled_t)
 ')
 ########################################
 ## <summary>
@@ -3828,10 +3918,10 @@
 #
 interface(`files_exec_isid_files',`
 	gen_require(`
-		type file_t;
+		type unlabeled_t;
 	')
 
-	can_exec($1, file_t)
+	can_exec($1, unlabeled_t)
 ')
 
 ########################################
@@ -3847,10 +3937,10 @@
 #
 interface(`files_mounton_isid',`
 	gen_require(`
-		type file_t;
+		type unlabeled_t;
 	')
 
-	allow $1 file_t:dir mounton;
+	allow $1 unlabeled_t:dir mounton;
 ')
 
 ########################################
@@ -3866,10 +3956,10 @@
 #
 interface(`files_relabelfrom_isid_type',`
 	gen_require(`
-		type file_t;
+		type unlabeled_t;
 	')
 
-	dontaudit $1 file_t:dir_file_class_set relabelfrom;
+	dontaudit $1 unlabeled_t:dir_file_class_set relabelfrom;
 ')
 
 ########################################
@@ -3885,10 +3975,10 @@
 #
 interface(`files_manage_isid_type_dirs',`
 	gen_require(`
-		type file_t;
+		type unlabeled_t;
 	')
 
-	allow $1 file_t:dir manage_dir_perms;
+	allow $1 unlabeled_t:dir manage_dir_perms;
 ')
 
 ########################################
@@ -3904,10 +3994,10 @@
 #
 interface(`files_mounton_isid_type_dirs',`
 	gen_require(`
-		type file_t;
+		type unlabeled_t;
 	')
 
-	allow $1 file_t:dir { search_dir_perms mounton };
+	allow $1 unlabeled_t:dir { search_dir_perms mounton };
 ')
 
 ########################################
@@ -3942,10 +4032,10 @@
 #
 interface(`files_read_isid_type_files',`
 	gen_require(`
-		type file_t;
+		type unlabeled_t;
 	')
 
-	allow $1 file_t:file read_file_perms;
+	allow $1 unlabeled_t:file read_file_perms;
 ')
 
 ########################################
@@ -3961,10 +4051,10 @@
 #
 interface(`files_delete_isid_type_files',`
 	gen_require(`
-		type file_t;
+		type unlabeled_t;
 	')
 
-	delete_files_pattern($1, file_t, file_t)
+	delete_files_pattern($1, unlabeled_t, unlabeled_t)
 ')
 
 ########################################
@@ -3980,10 +4070,10 @@
 #
 interface(`files_delete_isid_type_symlinks',`
 	gen_require(`
-		type file_t;
+		type unlabeled_t;
 	')
 
-	delete_lnk_files_pattern($1, file_t, file_t)
+	delete_lnk_files_pattern($1, unlabeled_t, unlabeled_t)
 ')
 
 ########################################
@@ -3999,10 +4089,10 @@
 #
 interface(`files_delete_isid_type_fifo_files',`
 	gen_require(`
-		type file_t;
+		type unlabeled_t;
 	')
 
-	delete_fifo_files_pattern($1, file_t, file_t)
+	delete_fifo_files_pattern($1, unlabeled_t, unlabeled_t)
 ')
 
 ########################################
@@ -4018,10 +4108,10 @@
 #
 interface(`files_delete_isid_type_sock_files',`
 	gen_require(`
-		type file_t;
+		type unlabeled_t;
 	')
 
-	delete_sock_files_pattern($1, file_t, file_t)
+	delete_sock_files_pattern($1, unlabeled_t, unlabeled_t)
 ')
 
 ########################################
@@ -4037,10 +4127,10 @@
 #
 interface(`files_delete_isid_type_blk_files',`
 	gen_require(`
-		type file_t;
+		type unlabeled_t;
 	')
 
-	delete_blk_files_pattern($1, file_t, file_t)
+	delete_blk_files_pattern($1, unlabeled_t, unlabeled_t)
 ')
 
 ########################################
@@ -4056,10 +4146,10 @@
 #
 interface(`files_dontaudit_write_isid_chr_files',`
 	gen_require(`
-		type file_t;
+		type unlabeled_t;
 	')
 
-	dontaudit $1 file_t:chr_file write;
+	dontaudit $1 unlabeled_t:chr_file write;
 ')
 
 ########################################
@@ -4075,10 +4165,10 @@
 #
 interface(`files_delete_isid_type_chr_files',`
 	gen_require(`
-		type file_t;
+		type unlabeled_t;
 	')
 
-	delete_chr_files_pattern($1, file_t, file_t)
+	delete_chr_files_pattern($1, unlabeled_t, unlabeled_t)
 ')
 
 ########################################
@@ -4094,10 +4184,10 @@
 #
 interface(`files_manage_isid_type_files',`
 	gen_require(`
-		type file_t;
+		type unlabeled_t;
 	')
 
-	allow $1 file_t:file manage_file_perms;
+	allow $1 unlabeled_t:file manage_file_perms;
 ')
 
 ########################################
@@ -4113,10 +4203,10 @@
 #
 interface(`files_manage_isid_type_symlinks',`
 	gen_require(`
-		type file_t;
+		type unlabeled_t;
 	')
 
-	allow $1 file_t:lnk_file manage_lnk_file_perms;
+	allow $1 unlabeled_t:lnk_file manage_lnk_file_perms;
 ')
 
 ########################################
@@ -4132,10 +4222,10 @@
 #
 interface(`files_rw_isid_type_blk_files',`
 	gen_require(`
-		type file_t;
+		type unlabeled_t;
 	')
 
-	allow $1 file_t:blk_file rw_blk_file_perms;
+	allow $1 unlabeled_t:blk_file rw_blk_file_perms;
 ')
 
 ########################################
@@ -4151,10 +4241,10 @@
 #
 interface(`files_rw_inherited_isid_type_files',`
 	gen_require(`
-		type file_t;
+		type unlabeled_t;
 	')
 
-	allow $1 file_t:file rw_inherited_file_perms;
+	allow $1 unlabeled_t:file rw_inherited_file_perms;
 ')
 
 ########################################
@@ -4170,10 +4260,10 @@
 #
 interface(`files_manage_isid_type_blk_files',`
 	gen_require(`
-		type file_t;
+		type unlabeled_t;
 	')
 
-	allow $1 file_t:blk_file manage_blk_file_perms;
+	allow $1 unlabeled_t:blk_file manage_blk_file_perms;
 ')
 
 ########################################
@@ -4189,10 +4279,10 @@
 #
 interface(`files_manage_isid_type_chr_files',`
 	gen_require(`
-		type file_t;
+		type unlabeled_t;
 	')
 
-	allow $1 file_t:chr_file manage_chr_file_perms;
+	allow $1 unlabeled_t:chr_file manage_chr_file_perms;
 ')
 
 ########################################
@@ -4238,6 +4328,27 @@
 
 ########################################
 ## <summary>
+##	Do not audit attempts to check the 
+##	access on home root directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`files_dontaudit_access_check_home_dir',`
+	gen_require(`
+		type home_root_t;
+	')
+
+	dontaudit $1 home_root_t:dir_file_class_set audit_access;
+')
+
+
+
+########################################
+## <summary>
 ##	Search home directories root (/home).
 ## </summary>
 ## <param name="domain">
@@ -4972,7 +5083,7 @@
 #
 interface(`files_filetrans_system_conf_named_files',`
     gen_require(`
-        type etc_t, system_conf_t;
+        type etc_t, system_conf_t, usr_t;
     ')
 
 	filetrans_pattern($1, etc_t, system_conf_t, file, "sysctl.conf")
@@ -4992,6 +5103,9 @@
     filetrans_pattern($1, etc_t, system_conf_t, file, "redhat.repo")
 	filetrans_pattern($1, etc_t, system_conf_t, file, "system-config-firewall")
 	filetrans_pattern($1, etc_t, system_conf_t, file, "system-config-firewall.old")
+	filetrans_pattern($1, etc_t, system_conf_t, dir, "yum.repos.d")
+	filetrans_pattern($1, etc_t, system_conf_t, dir, "remotes.d")
+	filetrans_pattern($1, usr_t, system_conf_t, dir, "repo")
 ')
 
 ######################################
@@ -5199,6 +5313,7 @@
 		type tmp_t;
 	')
 
+    fs_search_tmpfs($1)
 	read_lnk_files_pattern($1, tmp_t, tmp_t)
 	allow $1 tmp_t:dir search_dir_perms;
 ')
@@ -6657,23 +6772,25 @@
 	rw_dirs_pattern($1, var_lib_t, var_lib_t)
 ')
 
-#######################################
+########################################
 ## <summary>
-##      Create directories in /var/lib
+##	Create directories in /var/lib
 ## </summary>
 ## <param name="domain">
-##      <summary>
-##      Domain allowed access.
-##      </summary>
+##	<summary>
+##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`files_create_var_lib_dirs',`
-    gen_require(`
-        type var_lib_t;
-    ')
-    allow $1 var_lib_t:dir { create rw_dir_perms };
+	gen_require(`
+		type var_lib_t;
+	')
+
+	allow $1 var_lib_t:dir { create rw_dir_perms };
 ')
 
+
 ########################################
 ## <summary>
 ##	Create objects in the /var/lib directory
@@ -8179,6 +8296,40 @@
 
 ########################################
 ## <summary>
+##	Create, lib_t objects with an automatic
+##	type transition.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="directory_type">
+##	<summary>
+##	Type of the directory to be transitioned from
+##	</summary>
+## </param>
+## <param name="object">
+##	<summary>
+##	The class of the object being created.
+##	</summary>
+## </param>
+## <param name="name" optional="true">
+##	<summary>
+##	The name of the object being created.
+##	</summary>
+## </param>
+#
+interface(`files_filetrans_lib',`
+       gen_require(`
+               type lib_t, lib_t;
+       ')
+
+       filetrans_pattern($1, $2, lib_t, $3, $4)
+')
+
+########################################
+## <summary>
 ##	manage generic symbolic links
 ##	in the /var/run directory.
 ## </summary>
@@ -8217,6 +8368,24 @@
 
 ########################################
 ## <summary>
+##	Allow delete all tmpfs files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`files_delete_tmpfs_files',`
+	gen_require(`
+		attribute tmpfsfile;
+	')
+
+	allow $1 tmpfsfile:file delete_file_perms;
+')
+
+########################################
+## <summary>
 ##	Allow read write all tmpfs files
 ## </summary>
 ## <param name="domain">
@@ -8253,6 +8422,42 @@
 
 ########################################
 ## <summary>
+##	Do not audit attempts to search security files 
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`files_dontaudit_search_security_files',`
+	gen_require(`
+		attribute security_file_type;
+	')
+
+	dontaudit $1 security_file_type:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to read security dirs 
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`files_dontaudit_list_security_dirs',`
+	gen_require(`
+		attribute security_file_type;
+	')
+
+	dontaudit $1 security_file_type:dir list_dir_perms;
+')
+
+########################################
+## <summary>
 ##	rw any files inherited from another process
 ## </summary>
 ## <param name="domain">
@@ -8457,6 +8662,7 @@
 	files_root_filetrans($1, mnt_t, dir, "net")
 	files_root_filetrans($1, usr_t, dir, "export")
 	files_root_filetrans($1, usr_t, dir, "opt")
+	files_root_filetrans($1, usr_t, dir, "ostree")
 	files_root_filetrans($1, usr_t, dir, "emul")
 	files_root_filetrans($1, var_t, dir, "srv")
 	files_root_filetrans($1, var_run_t, dir, "run")
@@ -8471,6 +8677,7 @@
     files_etc_filetrans($1, etc_t, file, "fingerprint-auth-ac")
     files_etc_filetrans($1, etc_t, file, "smartcard-auth-ac")
     files_etc_filetrans($1, etc_t, file, "hwdb.bin")
+	files_etc_filetrans_etc_runtime($1, file, ".updated")
 	files_etc_filetrans_etc_runtime($1, file, "runtime")
 	files_etc_filetrans_etc_runtime($1, dir, "blkid")
 	files_etc_filetrans_etc_runtime($1, dir, "cmtab")
@@ -8484,7 +8691,8 @@
 	files_etc_filetrans_etc_runtime($1, file, "iptables.save")
 	files_tmp_filetrans($1, tmp_t, dir, "tmp-inst")
 	files_var_filetrans($1, tmp_t, dir, "tmp")
-    files_var_filetrans($1, var_run_t, dir, "run")
+	files_var_filetrans($1, var_run_t, dir, "run")
+	files_var_filetrans($1, etc_runtime_t, file, ".updated")
 ')
 
 ########################################
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/kernel/filesystem.if centos-7.1.1503/usr/share/selinux/devel/include/kernel/filesystem.if
--- centos-7.0.1406/usr/share/selinux/devel/include/kernel/filesystem.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/kernel/filesystem.if	2015-03-06 06:53:47.000000000 +0100
@@ -3257,22 +3257,43 @@
 ## <summary>
 ##	Do not audit attempts to list removable storage directories.
 ## </summary>
+## <desc>
+##	<p>
+##	Do not audit attempts to list removable storage directories
+##	</p>
+##	<p>
+##	This interface has been deprecated, and will
+##	be removed in the future.
+##	</p>
+## </desc>
 ## <param name="domain">
 ##	<summary>
-##	Domain to not audit.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`fs_list_pstorefs',`
+	refpolicywarn(`$0($*) has been deprecated.')
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to list removable storage directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`fs_list_pstore',`
 	gen_require(`
-		type pstorefs_t;
+		type pstore_t;
 	')
 
-	allow $1 pstorefs_t:dir list_dir_perms;
+	allow $1 pstore_t:dir list_dir_perms;
 ')
 
-
-
 ########################################
 ## <summary>
 ##	Search removable storage directories.
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/kernel/kernel.if centos-7.1.1503/usr/share/selinux/devel/include/kernel/kernel.if
--- centos-7.0.1406/usr/share/selinux/devel/include/kernel/kernel.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/kernel/kernel.if	2015-03-06 06:53:47.000000000 +0100
@@ -126,6 +126,24 @@
 
 ########################################
 ## <summary>
+##	Dontaudit attempts to set the priority of kernel threads.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_dontaudit_setsched',`
+	gen_require(`
+		type kernel_t;
+	')
+
+	dontaudit $1 kernel_t:process setsched;
+')
+
+########################################
+## <summary>
 ##	Send a SIGCHLD signal to kernel threads.
 ## </summary>
 ## <param name="domain">
@@ -180,6 +198,24 @@
 
 ########################################
 ## <summary>
+##	Send signull to kernel threads.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_signull',`
+	gen_require(`
+		type kernel_t;
+	')
+
+	allow $1 kernel_t:process signull;
+')
+
+########################################
+## <summary>
 ##	Allows the kernel to share state information with
 ##	the caller.
 ## </summary>
@@ -1058,6 +1094,25 @@
 
 ########################################
 ## <summary>
+##	Do not audit attempts to write the
+##	file in /proc.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`kernel_dontaudit_write_proc_files',`
+	gen_require(`
+		type proc_t;
+	')
+
+	dontaudit $1 proc_t:file write;
+')
+
+########################################
+## <summary>
 ##	Do not audit attempts to check the 
 ##	access on generic proc entries.
 ## </summary>
@@ -1260,8 +1315,7 @@
 
 ########################################
 ## <summary>
-##	Allow caller to read kernel messages
-##	using the /proc/kmsg interface.
+##	Allow caller to mounton the kernel messages file
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -1271,10 +1325,10 @@
 #
 interface(`kernel_mounton_messages',`
 	gen_require(`
-		type proc_kmsg_t, proc_t;
+		type proc_kmsg_t;
 	')
 
-    allow $1 proc_kmsg_t:dir mounton;
+	allow $1 proc_kmsg_t:file mounton;
 ')
 
 ########################################
@@ -1529,6 +1583,25 @@
 
 ########################################
 ## <summary>
+##	Allow attempts to mounton all proc directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_mounton_all_proc',`
+	gen_require(`
+		attribute proc_type;
+	')
+
+	allow $1 proc_type:dir mounton;
+	allow $1 proc_type:file mounton;
+')
+
+########################################
+## <summary>
 ##	Do not audit attempts to list all proc directories.
 ## </summary>
 ## <param name="domain">
@@ -1761,7 +1834,7 @@
 	')
 
 	read_files_pattern($1, { proc_t sysctl_t sysctl_net_t }, sysctl_net_t)
-
+	read_lnk_files_pattern($1, { proc_t sysctl_t sysctl_net_t }, sysctl_net_t)
 	list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_net_t)
 ')
 
@@ -1782,7 +1855,7 @@
 	')
 
 	rw_files_pattern($1, { proc_t sysctl_t sysctl_net_t }, sysctl_net_t)
-
+	read_lnk_files_pattern($1, { proc_t sysctl_t sysctl_net_t }, sysctl_net_t)
 	list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_net_t)
 ')
 
@@ -1804,7 +1877,6 @@
 	')
 
 	read_files_pattern($1, { proc_t sysctl_t sysctl_net_t }, sysctl_net_unix_t)
-
 	list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_net_t)
 ')
 
@@ -1839,16 +1911,9 @@
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <rolecap/>
 #
 interface(`kernel_read_hotplug_sysctls',`
-	gen_require(`
-		type proc_t, sysctl_t, sysctl_kernel_t, sysctl_hotplug_t;
-	')
-
-	read_files_pattern($1, { proc_t sysctl_t sysctl_kernel_t }, sysctl_hotplug_t)
-
-	list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_kernel_t)
+    refpolicywarn(`$0($*) has been deprecated.')
 ')
 
 ########################################
@@ -1860,16 +1925,9 @@
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <rolecap/>
 #
 interface(`kernel_rw_hotplug_sysctls',`
-	gen_require(`
-		type proc_t, sysctl_t, sysctl_kernel_t, sysctl_hotplug_t;
-	')
-
-	rw_files_pattern($1, { proc_t sysctl_t sysctl_kernel_t }, sysctl_hotplug_t)
-
-	list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_kernel_t)
+    refpolicywarn(`$0($*) has been deprecated.')
 ')
 
 ########################################
@@ -1881,16 +1939,9 @@
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <rolecap/>
 #
 interface(`kernel_read_modprobe_sysctls',`
-	gen_require(`
-		type proc_t, sysctl_t, sysctl_kernel_t, sysctl_modprobe_t;
-	')
-
-	read_files_pattern($1, { proc_t sysctl_t sysctl_kernel_t }, sysctl_modprobe_t)
-
-	list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_kernel_t)
+    refpolicywarn(`$0($*) has been deprecated.')
 ')
 
 ########################################
@@ -1902,16 +1953,9 @@
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <rolecap/>
 #
 interface(`kernel_rw_modprobe_sysctls',`
-	gen_require(`
-		type proc_t, sysctl_t, sysctl_kernel_t, sysctl_modprobe_t;
-	')
-
-	rw_files_pattern($1, { proc_t sysctl_t sysctl_kernel_t }, sysctl_modprobe_t)
-
-	list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_kernel_t)
+    refpolicywarn(`$0($*) has been deprecated.')
 ')
 
 ########################################
@@ -2179,6 +2223,25 @@
 
 ########################################
 ## <summary>
+##	Allow attempts to mounton all sysctl directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_mounton_all_sysctls',`
+	gen_require(`
+		attribute sysctl_type;
+	')
+
+	allow $1 sysctl_type:dir mounton;
+')
+
+
+########################################
+## <summary>
 ##	Allow caller to read all sysctls.
 ## </summary>
 ## <param name="domain">
@@ -2774,9 +2837,6 @@
 	')
 
 	allow $1 unlabeled_t:association { sendto recvfrom };
-
-	# temporary hack until labeling on packets is supported
-#	allow $1 unlabeled_t:packet { send recv };
 ')
 
 ########################################
@@ -3498,3 +3558,268 @@
 	rw_files_pattern($1, sysctl_vm_overcommit_t, sysctl_vm_overcommit_t)
 	list_dirs_pattern($1, sysctl_vm_overcommit_t, sysctl_vm_overcommit_t)
 ')
+
+########################################
+## <summary>
+##	Do not audit attempts to search the security
+##	state directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+##
+#
+interface(`kernel_dontaudit_search_security_state',`
+	gen_require(`
+		type proc_security_t;
+	')
+
+	dontaudit $1 proc_security_t:dir search;
+')
+
+########################################
+## <summary>
+##	Allow searching of security state directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+##
+#
+interface(`kernel_search_security_state',`
+	gen_require(`
+		type proc_security_t;
+	')
+
+	search_dirs_pattern($1, proc_t, proc_security_t)
+')
+
+########################################
+## <summary>
+##	Read the security state information.
+## </summary>
+## <desc>
+##	<p>
+##	Allow the specified domain to read the security
+##	state information. 
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+## <rolecap/>
+#
+interface(`kernel_read_security_state',`
+	gen_require(`
+		type proc_t, proc_security_t;
+	')
+
+	read_files_pattern($1, { proc_t proc_security_t }, proc_security_t)
+	read_lnk_files_pattern($1, { proc_t proc_security_t }, proc_security_t)
+
+	list_dirs_pattern($1, proc_t, proc_security_t)
+')
+
+########################################
+## <summary>
+##	Write the security state information.
+## </summary>
+## <desc>
+##	<p>
+##	Allow the specified domain to write the security
+##	state information. 
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+## <rolecap/>
+#
+interface(`kernel_write_security_state',`
+	gen_require(`
+		type proc_t, proc_security_t;
+	')
+
+	write_files_pattern($1, { proc_t proc_security_t }, proc_security_t)
+')
+
+########################################
+## <summary>
+##	Allow caller to read the security state symbolic links.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_read_security_state_symlinks',`
+	gen_require(`
+		type proc_t, proc_security_t;
+	')
+
+	read_lnk_files_pattern($1, { proc_t proc_security_t }, proc_security_t)
+
+	list_dirs_pattern($1, proc_t, proc_security_t)
+')
+
+########################################
+## <summary>
+##	Allow caller to read the security state symbolic links.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_rw_security_state',`
+	gen_require(`
+		type proc_t, proc_security_t;
+	')
+
+	rw_files_pattern($1, { proc_t proc_security_t }, proc_security_t)
+
+	list_dirs_pattern($1, proc_t, proc_security_t)
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to search the usermodehelper
+##	state directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+##
+#
+interface(`kernel_dontaudit_search_usermodehelper_state',`
+	gen_require(`
+		type usermodehelper_t;
+	')
+
+	dontaudit $1 usermodehelper_t:dir search;
+')
+
+########################################
+## <summary>
+##	Allow searching of usermodehelper state directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+##
+#
+interface(`kernel_search_usermodehelper_state',`
+	gen_require(`
+		type usermodehelper_t;
+	')
+
+	search_dirs_pattern($1, proc_t, usermodehelper_t)
+')
+
+########################################
+## <summary>
+##	Read the usermodehelper state information.
+## </summary>
+## <desc>
+##	<p>
+##	Allow the specified domain to read the usermodehelpering
+##	state information. This includes several pieces
+##	of usermodehelpering information, such as usermodehelper interface
+##	names, usermodehelperfilter (iptables) statistics, protocol
+##	information, routes, and remote procedure call (RPC)
+##	information.
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+## <rolecap/>
+#
+interface(`kernel_read_usermodehelper_state',`
+	gen_require(`
+		type proc_t, usermodehelper_t;
+	')
+
+	read_files_pattern($1, { proc_t usermodehelper_t }, usermodehelper_t)
+	read_lnk_files_pattern($1, { proc_t usermodehelper_t }, usermodehelper_t)
+
+	list_dirs_pattern($1, proc_t, usermodehelper_t)
+')
+
+########################################
+## <summary>
+##	Allow caller to read the usermodehelper state symbolic links.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_read_usermodehelper_state_symlinks',`
+	gen_require(`
+		type proc_t, usermodehelper_t;
+	')
+
+	read_lnk_files_pattern($1, { proc_t usermodehelper_t }, usermodehelper_t)
+
+	list_dirs_pattern($1, proc_t, usermodehelper_t)
+')
+
+########################################
+## <summary>
+##	Read and write usermodehelper state
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`kernel_rw_usermodehelper_state',`
+	gen_require(`
+		type proc_t, usermodehelper_t;
+	')
+
+	dev_search_sysfs($1)
+	rw_files_pattern($1, proc_t, usermodehelper_t)
+	list_dirs_pattern($1, proc_t, usermodehelper_t)
+')
+
+########################################
+## <summary>
+##      Relabel to usermodehelper context .
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`kernel_relabelto_usermodehelper',`
+	gen_require(`
+		type usermodehelper_t;
+	')
+
+	allow $1 usermodehelper_t:file relabelto;
+')
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/kernel/selinux.if centos-7.1.1503/usr/share/selinux/devel/include/kernel/selinux.if
--- centos-7.0.1406/usr/share/selinux/devel/include/kernel/selinux.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/kernel/selinux.if	2015-03-06 06:53:47.000000000 +0100
@@ -234,7 +234,6 @@
 		type security_t;
 	')
 
-	dev_getattr_sysfs_fs($1)
 	dev_search_sysfs($1)
 	allow $1 security_t:lnk_file read_lnk_file_perms;
 	allow $1 security_t:dir search_dir_perms;
@@ -318,10 +317,11 @@
 		type security_t;
 	')
 
+	dev_search_sysfs($1)
 	selinux_get_fs_mount($1)
-	allow $1 security_t:lnk_file read_lnk_file_perms;
 	allow $1 security_t:dir list_dir_perms;
 	allow $1 security_t:file read_file_perms;
+	allow $1 security_t:lnk_file read_lnk_file_perms;
 ')
 
 ########################################
@@ -352,6 +352,9 @@
 		attribute can_setenforce;
 	')
 
+	dev_search_sysfs($1)
+	allow $1 security_t:dir list_dir_perms;
+	allow $1 security_t:file rw_file_perms;
 	typeattribute $1 can_setenforce;
 ')
 
@@ -371,11 +374,10 @@
 		attribute can_load_policy;
 	')
 
-	dev_getattr_sysfs_fs($1)
 	dev_search_sysfs($1)
-	allow $1 security_t:lnk_file read_lnk_file_perms;
 	allow $1 security_t:dir list_dir_perms;
 	allow $1 security_t:file rw_file_perms;
+	allow $1 security_t:lnk_file read_lnk_file_perms;
 	typeattribute $1 can_load_policy;
 ')
 
@@ -394,11 +396,10 @@
 		type security_t;
 	')
 
-	dev_getattr_sysfs_fs($1)
 	dev_search_sysfs($1)
-	allow $1 security_t:lnk_file read_lnk_file_perms;
 	allow $1 security_t:dir list_dir_perms;
 	allow $1 security_t:file read_file_perms;
+	allow $1 security_t:lnk_file read_lnk_file_perms;
 	allow $1 security_t:security read_policy;
 ')
 
@@ -463,7 +464,6 @@
 	')
 
 	typeattribute $1 can_setbool;
-	dev_getattr_sysfs_fs($1)
 	dev_search_sysfs($1)
 	allow $1 security_t:lnk_file read_lnk_file_perms;
 	allow $1 security_t:dir list_dir_perms;
@@ -698,6 +698,29 @@
 
 ########################################
 ## <summary>
+##	Allows caller to setcheckreqprot
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`selinux_setcheckreqprot',`
+	gen_require(`
+		type security_t;
+	')
+
+	dev_getattr_sysfs_fs($1)
+	dev_search_sysfs($1)
+	allow $1 security_t:lnk_file read_lnk_file_perms;
+	allow $1 security_t:dir list_dir_perms;
+	allow $1 security_t:file rw_file_perms;
+	allow $1 security_t:security setcheckreqprot;
+')
+
+########################################
+## <summary>
 ##	Allows caller to compute possible contexts for a user.
 ## </summary>
 ## <param name="domain">
@@ -760,4 +783,3 @@
 	fs_type($1)
 	mls_trusted_object($1)
 ')
-
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/kernel/storage.if centos-7.1.1503/usr/share/selinux/devel/include/kernel/storage.if
--- centos-7.0.1406/usr/share/selinux/devel/include/kernel/storage.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/kernel/storage.if	2015-03-06 06:53:47.000000000 +0100
@@ -284,13 +284,18 @@
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <param name="filename" optional="true">
+##	<summary>
+##	Optional filename of the block device to be created
+##	</summary>
+## </param>
 #
 interface(`storage_dev_filetrans_fixed_disk',`
 	gen_require(`
 		type fixed_disk_device_t;
 	')
 
-	dev_filetrans($1, fixed_disk_device_t, blk_file)
+	dev_filetrans($1, fixed_disk_device_t, blk_file, $2)
 ')
 
 #######################################
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/kernel/terminal.if centos-7.1.1503/usr/share/selinux/devel/include/kernel/terminal.if
--- centos-7.0.1406/usr/share/selinux/devel/include/kernel/terminal.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/kernel/terminal.if	2015-03-06 06:53:47.000000000 +0100
@@ -1762,16 +1762,16 @@
 #
 interface(`term_filetrans_all_named_dev',`
 
-gen_require(`
-	type tty_device_t;
-	type bsdpty_device_t;
-	type console_device_t;
-	type ptmx_t;
-	type devtty_t;
-	type virtio_device_t;
-	type devpts_t;
-	type usbtty_device_t;
-')
+    gen_require(`
+	    type tty_device_t;
+	    type bsdpty_device_t;
+	    type console_device_t;
+	    type ptmx_t;
+    	type devtty_t;
+	    type virtio_device_t;
+	    type devpts_t;
+	    type usbtty_device_t;
+    ')
 
 	dev_filetrans($1, devtty_t, chr_file, "tty")
 	dev_filetrans($1, tty_device_t, chr_file, "tty0")
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/roles/unconfineduser.if centos-7.1.1503/usr/share/selinux/devel/include/roles/unconfineduser.if
--- centos-7.0.1406/usr/share/selinux/devel/include/roles/unconfineduser.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/roles/unconfineduser.if	2015-03-06 06:53:47.000000000 +0100
@@ -164,6 +164,22 @@
 	userdom_use_user_terminals($1)
 ')
 
+######################################
+## <summary>
+##      Stub unconfined role.
+## </summary>
+## <param name="domain_prefix">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`unconfined_stub_role',`
+        gen_require(`
+                role unconfined_r;
+        ')
+')
+
 ########################################
 ## <summary>
 ##	Inherit file descriptors from the unconfined domain.
@@ -237,6 +253,24 @@
 ')
 
 ########################################
+## <summary>
+##	Send generic signals to the unconfined domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`unconfined_setsched',`
+	gen_require(`
+		type unconfined_t;
+	')
+
+	allow $1 unconfined_t:process setsched;
+')
+
+########################################
 ## <summary>
 ##	Read unconfined domain unnamed pipes.
 ## </summary>
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/services/ssh.if centos-7.1.1503/usr/share/selinux/devel/include/services/ssh.if
--- centos-7.0.1406/usr/share/selinux/devel/include/services/ssh.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/services/ssh.if	2015-03-06 06:53:47.000000000 +0100
@@ -219,8 +219,9 @@
 	allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms getattr_chr_file_perms relabelfrom };
 	term_create_pty($1_t, $1_devpts_t)
 
-	manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
-	fs_tmpfs_filetrans($1_t, $1_tmpfs_t, file)
+	#manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
+	#fs_tmpfs_filetrans($1_t, $1_tmpfs_t, file)
+    userdom_manage_tmp_role(system_r, sshd_t)
 
 	allow $1_t $1_var_run_t:file manage_file_perms;
 	files_pid_filetrans($1_t, $1_var_run_t, file)
@@ -1015,6 +1016,7 @@
 	')
 
 	systemd_exec_systemctl($1)
+    init_reload_services($1)
 	allow $1 sshd_unit_file_t:file manage_file_perms;
 	allow $1 sshd_unit_file_t:service manage_service_perms;
 
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/services/xserver.if centos-7.1.1503/usr/share/selinux/devel/include/services/xserver.if
--- centos-7.0.1406/usr/share/selinux/devel/include/services/xserver.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/services/xserver.if	2015-03-06 06:53:47.000000000 +0100
@@ -18,18 +18,17 @@
 #
 interface(`xserver_restricted_role',`
 	gen_require(`
-		type xserver_t, xauth_t, iceauth_t;
+		type xauth_t, iceauth_t;
 		attribute dridomain, x_userdomain;
 	')
 
-	role $1 types { xserver_t xauth_t iceauth_t };
+	role $1 types { xauth_t iceauth_t };
 	typeattribute $2 x_userdomain, dridomain;
 
-    xserver_common_x_domain_template(user,$2)
-    xserver_stream_connect_xdm($2)
-    xserver_xdm_append_log($2)
+	xserver_common_x_domain_template(user,$2)
+	xserver_stream_connect_xdm($2)
+	xserver_xdm_append_log($2)
 
-	modutils_run_insmod(xserver_t, $1)
 	xserver_dri_domain($2)
 ')
 
@@ -220,7 +219,7 @@
 interface(`xserver_user_client',`
 	refpolicywarn(`$0() has been deprecated, please use xserver_user_x_domain_template instead.')
 	gen_require(`
-		type xdm_t, xdm_tmp_t;
+		type xdm_t;
 		type xauth_home_t, iceauth_home_t, xserver_t, xserver_tmpfs_t;
 	')
 
@@ -235,8 +234,8 @@
 	# for when /tmp/.X11-unix is created by the system
 	allow $1 xdm_t:fd use;
 	allow $1 xdm_t:fifo_file rw_inherited_fifo_file_perms;
-	allow $1 xdm_tmp_t:dir search_dir_perms;
-	allow $1 xdm_tmp_t:sock_file { read write };
+    userdom_search_user_tmp_dirs($1)
+    userdom_rw_user_tmp_sock_files($1)
 	dontaudit $1 xdm_t:tcp_socket { read write };
 
 	# Allow connections to X server.
@@ -395,7 +394,7 @@
 #
 template(`xserver_user_x_domain_template',`
 	gen_require(`
-		type xdm_t, xdm_tmp_t, xserver_tmpfs_t;
+		type xdm_t, xserver_tmpfs_t;
 		type xdm_home_t;
 		type xauth_home_t, iceauth_home_t, xserver_t;
 	')
@@ -413,8 +412,8 @@
 	# for when /tmp/.X11-unix is created by the system
 	allow $2 xdm_t:fd use;
 	allow $2 xdm_t:fifo_file rw_inherited_fifo_file_perms;
-	allow $2 xdm_tmp_t:dir search_dir_perms;
-	allow $2 xdm_tmp_t:sock_file rw_inherited_sock_file_perms;
+    userdom_search_user_tmp_dirs($2)
+    userdom_rw_user_tmp_sock_files($2)
 	dontaudit $2 xdm_t:tcp_socket { read write };
 
 	# Allow connections to X server.
@@ -429,7 +428,7 @@
 	xserver_ro_session($2, $3)
 	xserver_use_user_fonts($2)
 
-	xserver_read_xdm_tmp_files($2)
+    userdom_read_user_tmp_files($2)
 	xserver_read_xdm_pid($2)
 	xserver_xdm_append_log($2)
 
@@ -817,12 +816,13 @@
 #
 interface(`xserver_stream_connect_xdm',`
 	gen_require(`
-		type xdm_t, xdm_tmp_t, xdm_var_run_t;
+		type xdm_t, xdm_var_run_t;
 	')
 
 	files_search_tmp($1)
 	files_search_pids($1)
-	stream_connect_pattern($1, { xdm_tmp_t xdm_var_run_t }, { xdm_tmp_t xdm_var_run_t }, xdm_t)
+	stream_connect_pattern($1, { xdm_var_run_t }, { xdm_var_run_t }, xdm_t)
+    userdom_stream_connect($1)
 ')
 
 ########################################
@@ -934,12 +934,8 @@
 ## </param>
 #
 interface(`xserver_search_xdm_tmp_dirs',`
-	gen_require(`
-		type xdm_tmp_t;
-	')
-
-	files_search_tmp($1)
-	allow $1 xdm_tmp_t:dir search_dir_perms;
+    refpolicywarn(`$0() has been deprecated, please use userdom_search_user_tmp_dirs instead.')
+    userdom_search_user_tmp_dirs($1)
 ')
 
 ########################################
@@ -953,11 +949,8 @@
 ## </param>
 #
 interface(`xserver_setattr_xdm_tmp_dirs',`
-	gen_require(`
-		type xdm_tmp_t;
-	')
-
-	allow $1 xdm_tmp_t:dir setattr_dir_perms;
+    refpolicywarn(`$0() has been deprecated, please use userdom_dontaudit_setattr_user_tmp instead.')
+    userdom_dontaudit_setattr_user_tmp($1)
 ')
 
 ########################################
@@ -971,11 +964,8 @@
 ## </param>
 #
 interface(`xserver_dontaudit_xdm_tmp_dirs',`
-	gen_require(`
-		type xdm_tmp_t;
-	')
-
-	dontaudit $1 xdm_tmp_t:dir setattr_dir_perms;
+    refpolicywarn(`$0() has been deprecated, please use userdom_dontaudit_setattr_user_tmp instead.')
+    userdom_dontaudit_setattr_user_tmp($1)
 ')
 
 ########################################
@@ -990,13 +980,8 @@
 ## </param>
 #
 interface(`xserver_create_xdm_tmp_sockets',`
-	gen_require(`
-		type xdm_tmp_t;
-	')
-
-	files_search_tmp($1)
-	allow $1 xdm_tmp_t:dir list_dir_perms;
-	create_sock_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
+    refpolicywarn(`$0() has been deprecated, please use userdom_create_user_tmp_sockets instead.')
+    userdom_create_user_tmp_sockets($1)
 ')
 
 ########################################
@@ -1317,12 +1302,8 @@
 ## </param>
 #
 interface(`xserver_read_xdm_tmp_files',`
-	gen_require(`
-		type xdm_tmp_t;
-	')
-
-	files_search_tmp($1)
-	read_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
+    refpolicywarn(`$0() has been deprecated, please use userdom_read_user_tmpfs_files instead.')
+    userdom_read_user_tmpfs_files($1)
 ')
 
 ########################################
@@ -1336,12 +1317,8 @@
 ## </param>
 #
 interface(`xserver_dontaudit_read_xdm_tmp_files',`
-	gen_require(`
-		type xdm_tmp_t;
-	')
-
-	dontaudit $1 xdm_tmp_t:dir search_dir_perms;
-	dontaudit $1 xdm_tmp_t:file read_file_perms;
+    refpolicywarn(`$0() has been deprecated, please use userdom_dontaudit_read_user_tmp_files instead.')
+    userdom_dontaudit_read_user_tmp_files($1)
 ')
 
 ########################################
@@ -1355,12 +1332,8 @@
 ## </param>
 #
 interface(`xserver_rw_xdm_tmp_files',`
-	gen_require(`
-		type xdm_tmp_t;
-	')
-
-	allow $1 xdm_tmp_t:dir search_dir_perms;
-	allow $1 xdm_tmp_t:file rw_file_perms;
+    refpolicywarn(`$0() has been deprecated, please use userdom_rw_user_tmpfs_files instead.')
+    userdom_rw_user_tmpfs_files($1)
 ')
 
 ########################################
@@ -1374,11 +1347,8 @@
 ## </param>
 #
 interface(`xserver_manage_xdm_tmp_files',`
-	gen_require(`
-		type xdm_tmp_t;
-	')
-
-	manage_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
+    refpolicywarn(`$0() has been deprecated, please use userdom_manage_user_tmp_files instead.')
+    userdom_manage_user_tmp_files($1)
 ')
 
 ########################################
@@ -1392,11 +1362,8 @@
 ## </param>
 #
 interface(`xserver_relabel_xdm_tmp_dirs',`
-	gen_require(`
-		type xdm_tmp_t;
-	')
-
-	allow $1 xdm_tmp_t:dir relabel_dir_perms;
+    refpolicywarn(`$0() has been deprecated, please use userdom_relabel_user_tmp_dirs instead.')
+    userdom_relabel_user_tmp_dirs($1)
 ')
 
 ########################################
@@ -1410,11 +1377,8 @@
 ## </param>
 #
 interface(`xserver_manage_xdm_tmp_dirs',`
-	gen_require(`
-		type xdm_tmp_t;
-	')
-
-	manage_dirs_pattern($1, xdm_tmp_t, xdm_tmp_t)
+    refpolicywarn(`$0() has been deprecated, please use userdom_manage_user_tmp_dirs instead.')
+    userdom_manage_user_tmp_dirs($1)
 ')
 
 ########################################
@@ -1429,11 +1393,8 @@
 ## </param>
 #
 interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
-	gen_require(`
-		type xdm_tmp_t;
-	')
-
-	dontaudit $1 xdm_tmp_t:sock_file getattr_sock_file_perms;
+    refpolicywarn(`$0() has been deprecated, please use usedom_dontaudit_user_getattr_tmp_sockets instead.')
+    usedom_dontaudit_user_getattr_tmp_sockets($1)
 ')
 
 ########################################
@@ -1819,6 +1780,27 @@
 
 ########################################
 ## <summary>
+##	Send and receive messages from
+##	xdm over dbus.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xserver_dbus_chat',`
+	gen_require(`
+		type xserver_t;
+		class dbus send_msg;
+	')
+
+	allow $1 xserver_t:dbus send_msg;
+	allow xserver_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
 ##	Read xserver files created in /var/run
 ## </summary>
 ## <param name="domain">
@@ -1925,11 +1907,8 @@
 ## </param>
 #
 interface(`xserver_append_xdm_tmp_files',`
-	gen_require(`
-		type xdm_tmp_t;
-	')
-
-	allow $1 xdm_tmp_t:file append_inherited_file_perms;
+    refpolicywarn(`$0() has been deprecated, please use userdom_append_user_tmp_files instead.')
+    userdom_append_user_tmp_files($1)
 ')
 
 ########################################
@@ -2192,6 +2171,9 @@
 	userdom_user_home_dir_filetrans($1, user_fonts_config_t, file, ".fonts.conf")
 	userdom_user_home_dir_filetrans($1, user_fonts_config_t, dir, ".fonts.d")
 	userdom_user_home_dir_filetrans($1, user_fonts_t, dir, ".fonts")
+	optional_policy(`
+		gnome_data_filetrans($1, user_fonts_t, dir, "fonts")
+	')
 	userdom_user_home_dir_filetrans($1, user_fonts_cache_t, dir, ".fontconfig")
 	filetrans_pattern($1, user_fonts_t, user_fonts_cache_t, dir, "auto")
 	files_tmp_filetrans($1, user_fonts_t, dir, ".font-unix")
@@ -2275,12 +2257,8 @@
 ## </param>
 #
 interface(`xserver_xdm_tmp_filetrans',`
-	gen_require(`
-		type xdm_tmp_t;
-	')
-
-	filetrans_pattern($1, xdm_tmp_t, $2, $3, $4)
-	files_search_tmp($1)
+    refpolicywarn(`$0() has been deprecated, please use userdom_user_tmp_filetrans instead.')
+    userdom_user_tmp_filetrans($1,$2, $3, $4)
 ')
 
 ########################################
@@ -2316,6 +2294,6 @@
 		type xdm_t;
 	')
 
-	allow $1 xdm_t:key { read write };
+	allow $1 xdm_t:key { read write setattr };
 ')
 
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/support/all_perms.spt centos-7.1.1503/usr/share/selinux/devel/include/support/all_perms.spt
--- centos-7.0.1406/usr/share/selinux/devel/include/support/all_perms.spt	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/support/all_perms.spt	2015-03-06 06:53:47.000000000 +0100
@@ -25,7 +25,7 @@
 define(`all_msg_perms',`{ send receive }')
 define(`all_shm_perms',`{ create destroy getattr setattr read write associate unix_read unix_write lock }')
 define(`all_security_perms',`{ compute_av compute_create compute_member check_context load_policy compute_relabel compute_user setenforce setbool setsecparam setcheckreqprot read_policy }')
-define(`all_system_perms',`{ ipc_info syslog_read syslog_mod syslog_console module_request halt reboot status undefined enable disable reload }')
+define(`all_system_perms',`{ ipc_info syslog_read syslog_mod syslog_console module_request halt reboot status undefined enable disable reload kill }')
 define(`all_capability_perms',`{ chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap }')
 define(`all_capability2_perms',`{ mac_override mac_admin syslog wake_alarm epolwakeup block_suspend compromise_kernel }')
 define(`all_passwd_perms',`{ passwd chfn chsh rootok crontab }')
@@ -79,7 +79,7 @@
 define(`all_db_view_perms',`{ create drop getattr setattr relabelfrom relabelto expand }')
 define(`all_db_sequence_perms',`{ create drop getattr setattr relabelfrom relabelto get_value next_value set_value }')
 define(`all_db_language_perms',`{ create drop getattr setattr relabelfrom relabelto implement execute }')
-define(`all_service_perms',`{ start stop status reload kill load enable disable }')
+define(`all_service_perms',`{ start stop status reload enable disable kill load }')
 define(`all_proxy_perms',`{ read }')
 
 define(`all_kernel_class_perms',`
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/support/obj_perm_sets.spt centos-7.1.1503/usr/share/selinux/devel/include/support/obj_perm_sets.spt
--- centos-7.0.1406/usr/share/selinux/devel/include/support/obj_perm_sets.spt	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/support/obj_perm_sets.spt	2015-03-06 06:53:47.000000000 +0100
@@ -214,7 +214,7 @@
 define(`write_sock_file_perms',`{ getattr write open append }')
 define(`rw_inherited_sock_file_perms',`{ getattr read write append }')
 define(`rw_sock_file_perms',`{ open rw_inherited_sock_file_perms }')
-define(`create_sock_file_perms',`{ getattr create open }')
+define(`create_sock_file_perms',`{ getattr setattr create open }')
 define(`rename_sock_file_perms',`{ getattr rename }')
 define(`delete_sock_file_perms',`{ getattr unlink }')
 define(`manage_sock_file_perms',`{ create open getattr setattr read write rename link unlink ioctl lock append }')
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/system/authlogin.if centos-7.1.1503/usr/share/selinux/devel/include/system/authlogin.if
--- centos-7.0.1406/usr/share/selinux/devel/include/system/authlogin.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/system/authlogin.if	2015-03-06 06:53:47.000000000 +0100
@@ -69,6 +69,8 @@
 	logging_send_audit_msgs($1)
 	logging_send_syslog_msg($1)
 
+	userdom_search_user_tmp_dirs($1)
+
 	optional_policy(`
 		dbus_system_bus_client($1)
 
@@ -135,6 +137,7 @@
 	mls_file_upgrade($1)
 	mls_file_downgrade($1)
 	mls_process_set_level($1)
+    mls_process_write_to_clearance($1)
 	mls_fd_share_all_levels($1)
 
 	auth_use_pam($1)
@@ -1996,10 +1999,6 @@
 	typeattribute $1 nsswitch_domain;
 
 	corenet_all_recvfrom_netlabel($1)
-
-    optional_policy(`
-        kerberos_keytab_domains($1)
-    ')
 ')
 
 ########################################
@@ -2232,6 +2231,26 @@
 	read_files_pattern($1, auth_home_t, auth_home_t)
 ')
 
+########################################
+## <summary>
+##	Read the authorization data in the user home directory
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`auth_manage_home_content',`
+	
+	gen_require(`
+		type auth_home_t;
+	')
+
+	userdom_search_user_home_dirs($1)
+	manage_files_pattern($1, auth_home_t, auth_home_t)
+    manage_dirs_pattern($1, auth_home_t, auth_home_t)
+')
 
 ########################################
 ## <summary>
@@ -2272,3 +2291,21 @@
 
 	allow $1 login_pgm:process sigchld;
 ')
+
+########################################
+## <summary>
+##	Manage the keyrings of all login programs
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`auth_login_manage_key',`
+	gen_require(`
+		attribute login_pgm;
+	')
+
+	allow $1 login_pgm:key manage_key_perms;
+')
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/system/init.if centos-7.1.1503/usr/share/selinux/devel/include/system/init.if
--- centos-7.0.1406/usr/share/selinux/devel/include/system/init.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/system/init.if	2015-03-06 06:53:47.000000000 +0100
@@ -1222,6 +1222,26 @@
 
 ########################################
 ## <summary>
+##	Dontaudit read the process state (/proc/pid) of init.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_dontaudit_read_state',`
+	gen_require(`
+		type init_t;
+	')
+
+	dontaudit $1 init_t:dir search_dir_perms;
+	dontaudit $1 init_t:file read_file_perms;
+	dontaudit $1 init_t:lnk_file read_lnk_file_perms;
+')
+
+########################################
+## <summary>
 ##	Read the process keyring of init.
 ## </summary>
 ## <param name="domain">
@@ -1807,6 +1827,27 @@
 
 ########################################
 ## <summary>
+##	Read and write inherited init script ptys.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_use_inherited_script_ptys',`
+	gen_require(`
+		type initrc_devpts_t;
+	')
+
+	term_list_ptys($1)
+	allow $1 initrc_devpts_t:chr_file { getattr read write ioctl };
+
+	init_use_fds($1)
+')
+
+########################################
+## <summary>
 ##	Do not audit attempts to read and
 ##	write the init script pty.
 ## </summary>
@@ -2546,6 +2587,24 @@
 	rw_fifo_files_pattern($1, init_var_run_t, init_var_run_t)
 ')
 
+#######################################
+## <summary>
+##  Read and write init TCP sockets.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`init_rw_tcp_sockets',`
+    gen_require(`
+        type init_t;
+    ')
+
+    allow $1 init_t:tcp_socket { read write };
+')
+
 ########################################
 ## <summary>
 ##	Get the system status information from init
@@ -2762,7 +2821,7 @@
 		type init_t;
 	')
 
-	allow $1 init_t:service { start stop reload status };
+	allow $1 init_t:service manage_service_perms;
 ')
 
 ########################################
@@ -2780,9 +2839,14 @@
 		type init_var_run_t;
 		type initrc_var_run_t;
 		type machineid_t;
+		type initctl_t;
+        type systemd_unit_file_t;
 	')
 
 	files_pid_filetrans($1, initrc_var_run_t, file, "utmp")
 	files_pid_filetrans($1, init_var_run_t, file, "random-seed")
 	files_etc_filetrans($1, machineid_t, file, "machine-id" )
+	files_pid_filetrans($1, initctl_t, fifo_file, "fifo" )
+	init_pid_filetrans($1, systemd_unit_file_t, dir, "generator")
+	init_pid_filetrans($1, systemd_unit_file_t, dir, "system")
 ')
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/system/ipsec.if centos-7.1.1503/usr/share/selinux/devel/include/system/ipsec.if
--- centos-7.0.1406/usr/share/selinux/devel/include/system/ipsec.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/system/ipsec.if	2015-03-06 06:53:47.000000000 +0100
@@ -18,6 +18,24 @@
 	domtrans_pattern($1, ipsec_exec_t, ipsec_t)
 ')
 
+#######################################
+## <summary>
+##  Allow read/write ipsec pipes
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`ipsec_rw_inherited_pipes',`
+    gen_require(`
+        type ipsec_t;
+    ')
+
+    allow $1 ipsec_t:fifo_file rw_inherited_fifo_file_perms;
+')
+
 ########################################
 ## <summary>
 ##	Connect to IPSEC using a unix domain stream socket.
@@ -355,6 +373,25 @@
 
 	allow $1 ipsec_spd_t:association setcontext;
 ')
+########################################
+## <summary>
+##	Read the ipsec_var_run_t files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`ipsec_read_pid',`
+	gen_require(`
+		type ipsec_var_run_t;
+	')
+
+	files_search_pids($1)
+	read_files_pattern($1, ipsec_var_run_t, ipsec_var_run_t)
+    read_sock_files_pattern($1, ipsec_var_run_t, ipsec_var_run_t)
+')
 
 ########################################
 ## <summary>
@@ -498,6 +535,7 @@
     ')
 
     systemd_exec_systemctl($1)
+    init_reload_services($1)
     allow $1 ipsec_mgmt_unit_file_t:file read_file_perms;
     allow $1 ipsec_mgmt_unit_file_t:service manage_service_perms;
 
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/system/iptables.if centos-7.1.1503/usr/share/selinux/devel/include/system/iptables.if
--- centos-7.0.1406/usr/share/selinux/devel/include/system/iptables.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/system/iptables.if	2015-03-06 06:53:47.000000000 +0100
@@ -99,6 +99,7 @@
 	')
 
 	systemd_exec_systemctl($1)
+    init_reload_services($1)
 	allow $1 iptables_unit_file_t:file read_file_perms;
 	allow $1 iptables_unit_file_t:service manage_service_perms;
 
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/system/logging.if centos-7.1.1503/usr/share/selinux/devel/include/system/logging.if
--- centos-7.0.1406/usr/share/selinux/devel/include/system/logging.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/system/logging.if	2015-03-06 06:53:47.000000000 +0100
@@ -715,6 +715,25 @@
 
 ########################################
 ## <summary>
+##	dontaudit search of auditd log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`logging_dontaudit_search_audit_logs',`
+	gen_require(`
+		type auditd_log_t;
+	')
+
+	dontaudit $1 auditd_log_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
 ##	dontaudit search of auditd configuration files.
 ## </summary>
 ## <param name="domain">
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/system/lvm.if centos-7.1.1503/usr/share/selinux/devel/include/system/lvm.if
--- centos-7.0.1406/usr/share/selinux/devel/include/system/lvm.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/system/lvm.if	2015-03-06 06:53:47.000000000 +0100
@@ -277,3 +277,21 @@
     dontaudit $1 lvm_lock_t:dir audit_access;
 ')
 
+########################################
+## <summary>
+##	Read the process state (/proc/pid) of lvm.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`lvm_read_state',`
+	gen_require(`
+		type lvm_t;
+	')
+
+	ps_process_pattern($1, lvm_t)
+')
+
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/system/miscfiles.if centos-7.1.1503/usr/share/selinux/devel/include/system/miscfiles.if
--- centos-7.0.1406/usr/share/selinux/devel/include/system/miscfiles.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/system/miscfiles.if	2015-03-06 06:53:47.000000000 +0100
@@ -67,6 +67,27 @@
 
 ########################################
 ## <summary>
+##	Read all SSL certificates.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`miscfiles_manage_all_certs',`
+	gen_require(`
+		attribute cert_type;
+	')
+
+	allow $1 cert_type:dir list_dir_perms;
+	manage_files_pattern($1, cert_type, cert_type)
+	manage_lnk_files_pattern($1, cert_type, cert_type)
+')
+
+########################################
+## <summary>
 ##	Read generic SSL certificates.
 ## </summary>
 ## <param name="domain">
@@ -139,7 +160,7 @@
 	')
 
 	manage_files_pattern($1, cert_t, cert_t)
-	read_lnk_files_pattern($1, cert_t, cert_t)
+	manage_lnk_files_pattern($1, cert_t, cert_t)
 ')
 
 ########################################
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/system/mount.if centos-7.1.1503/usr/share/selinux/devel/include/system/mount.if
--- centos-7.0.1406/usr/share/selinux/devel/include/system/mount.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/system/mount.if	2015-03-06 06:53:47.000000000 +0100
@@ -45,36 +45,12 @@
 #
 interface(`mount_run',`
 	gen_require(`
-		#attribute_role mount_roles;
+		attribute_role mount_roles;
 		type mount_t;
 	')
 
-	#mount_domtrans($1)
-	#roleattribute $2 mount_roles;
-
 	mount_domtrans($1)
-        role $2 types mount_t;
-
-        optional_policy(`
-                fstools_run(mount_t, $2)
-        ')
-
-	optional_policy(`
-                lvm_run(mount_t, $2)
-        ')
-
-        optional_policy(`
-                modutils_run_insmod(mount_t, $2)
-        ')
-
-        optional_policy(`
-                rpc_run_rpcd(mount_t, $2)
-        ')
-
-        optional_policy(`
-                samba_run_smbmount(mount_t, $2)
-        ')
-
+	roleattribute $2 mount_roles;
 ')
 
 ########################################
@@ -402,3 +378,49 @@
         corecmd_search_bin($1)
         domtrans_pattern($1, mount_ecryptfs_exec_t, mount_ecryptfs_t)
 ')
+
+#######################################
+## <summary>
+##  Execute mount in the unconfined mount domain.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed to transition.
+##  </summary>
+## </param>
+#
+interface(`mount_domtrans_unconfined',`
+    gen_require(`
+        type unconfined_mount_t, mount_exec_t;
+    ')
+
+    domtrans_pattern($1, mount_exec_t, unconfined_mount_t)
+')
+
+#######################################
+## <summary>
+##  Execute mount in the unconfined mount domain, and
+##  allow the specified role the unconfined mount domain,
+##  and use the caller's terminal.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed to transition.
+##  </summary>
+## </param>
+## <param name="role">
+##  <summary>
+##  Role allowed access.
+##  </summary>
+## </param>
+## <rolecap/>
+#
+interface(`mount_run_unconfined',`
+    gen_require(`
+        type unconfined_mount_t;
+    ')
+
+    mount_domtrans_unconfined($1)
+    role $2 types unconfined_mount_t;
+')
+
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/system/selinuxutil.if centos-7.1.1503/usr/share/selinux/devel/include/system/selinuxutil.if
--- centos-7.0.1406/usr/share/selinux/devel/include/system/selinuxutil.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/system/selinuxutil.if	2015-03-06 06:53:47.000000000 +0100
@@ -135,6 +135,42 @@
 
 ########################################
 ## <summary>
+## Allow access check on load_policy.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`seutil_access_check_load_policy',`
+	gen_require(`
+		type load_policy_exec_t;
+	')
+
+    allow $1 load_policy_exec_t:file execute;
+')
+
+########################################
+## <summary>
+## Dontaudit access check on load_policy.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`seutil_dontaudit_access_check_load_policy',`
+	gen_require(`
+		type load_policy_exec_t;
+	')
+
+    dontaudit $1 load_policy_exec_t:file audit_access;
+')
+
+########################################
+## <summary>
 ##	Read the load_policy program file.
 ## </summary>
 ## <param name="domain">
@@ -651,6 +687,42 @@
 
 ########################################
 ## <summary>
+## Allow access check on setfiles.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`seutil_access_check_setfiles',`
+	gen_require(`
+		type setfiles_exec_t;
+	')
+
+    allow $1 setfiles_exec_t:file execute;
+')
+
+########################################
+## <summary>
+## Dontaudit access check on setfiles.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`seutil_dontaudit_access_check_setfiles',`
+	gen_require(`
+		type setfiles_exec_t;
+	')
+
+    dontaudit $1 setfiles_exec_t:file audit_access;
+')
+
+########################################
+## <summary>
 ##	Do not audit attempts to search the SELinux
 ##	configuration directory (/etc/selinux).
 ## </summary>
@@ -778,7 +850,7 @@
 	files_search_etc($1)
 	manage_dirs_pattern($1, selinux_config_t, selinux_config_t)
 	manage_files_pattern($1, selinux_config_t, selinux_config_t)
-	read_lnk_files_pattern($1, selinux_config_t, selinux_config_t)
+    manage_lnk_files_pattern($1, selinux_config_t, selinux_config_t)
 ')
 
 ######################################
@@ -1373,6 +1445,24 @@
 	read_lnk_files_pattern($1, semanage_store_t, semanage_store_t)
 ')
 
+#######################################
+## <summary>
+##	Dontaudit access check on module store
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`seutil_dontaudit_access_check_semanage_module_store',`
+	gen_require(`
+		type semanage_store_t;
+	')
+
+    dontaudit $1 semanage_store_t:dir_file_class_set audit_access;
+')
+
 ########################################
 ## <summary>
 ##	Full management of the semanage
@@ -1419,6 +1509,24 @@
 ')
 
 #######################################
+## <summary>
+##	Dontaudit access check on module store
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`seutil_dontaudit_access_check_semanage_read_lock',`
+	gen_require(`
+		type semanage_read_lock_t;
+	')
+
+    dontaudit $1 semanage_read_lock_t:dir_file_class_set audit_access;
+')
+
+#######################################
 ## <summary>
 ##	Get trans lock on module store
 ## </summary>
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/system/sysnetwork.if centos-7.1.1503/usr/share/selinux/devel/include/system/sysnetwork.if
--- centos-7.0.1406/usr/share/selinux/devel/include/system/sysnetwork.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/system/sysnetwork.if	2015-03-06 06:53:47.000000000 +0100
@@ -66,6 +66,25 @@
 
 ########################################
 ## <summary>
+##	Do not audit attempts to read and
+##	write dhcpc udp socket descriptors.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`sysnet_dontaudit_rw_dhcpc_udp_sockets',`
+	gen_require(`
+		type dhcpc_t;
+	')
+
+	dontaudit $1 dhcpc_t:udp_socket { read write };
+')
+
+########################################
+## <summary>
 ##	Do not audit attempts to use
 ##	the dhcp file descriptors.
 ## </summary>
@@ -344,7 +363,7 @@
 	')
 
 	files_search_etc($1)
-	allow $1 net_conf_t:file setattr;
+	allow $1 net_conf_t:file setattr_file_perms;
 ')
 
 #######################################
@@ -424,7 +443,15 @@
 	files_search_etc($1)
 	allow $1 net_conf_t:file read_file_perms;
 
+	ifdef(`distro_debian',`
+		files_search_pids($1)
+		allow $1 net_conf_t:dir list_dir_perms;
+		read_files_pattern($1, net_conf_t, net_conf_t)
+	')
+
 	ifdef(`distro_redhat',`
+        files_search_pids($1)
+        init_search_pid_dirs($1)
 		allow $1 net_conf_t:dir list_dir_perms;
 		allow $1 net_conf_t:lnk_file read_lnk_file_perms;
 		read_files_pattern($1, net_conf_t, net_conf_t)
@@ -562,7 +589,14 @@
 
 	allow $1 net_conf_t:file manage_file_perms;
 
+	ifdef(`distro_debian',`
+		files_search_pids($1)
+		manage_files_pattern($1, net_conf_t, net_conf_t)
+	')
+
 	ifdef(`distro_redhat',`
+        files_search_pids($1)
+        init_search_pid_dirs($1)
 		allow $1 net_conf_t:dir list_dir_perms;
 		manage_files_pattern($1, net_conf_t, net_conf_t)
 	')
@@ -570,6 +604,36 @@
 
 #######################################
 ## <summary>
+##	Create, read, write, and delete network config dirs.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`sysnet_manage_config_dirs',`
+	gen_require(`
+		type net_conf_t;
+	')
+
+	allow $1 net_conf_t:dir manage_dir_perms;
+
+	ifdef(`distro_debian',`
+		files_search_pids($1)
+		manage_dirs_pattern($1, net_conf_t, net_conf_t)
+	')
+
+	ifdef(`distro_redhat',`
+        files_search_pids($1)
+        init_search_pid_dirs($1)
+		allow $1 net_conf_t:dir list_dir_perms;
+		manage_dirs_pattern($1, net_conf_t, net_conf_t)
+	')
+')
+
+#######################################
+## <summary>
 ##	Read the dhcp client pid file.
 ## </summary>
 ## <param name="domain">
@@ -769,6 +833,26 @@
 	allow $1 dhcp_state_t:dir search_dir_perms;
 ')
 
+#######################################
+## <summary>
+##	Set the attributes of network config files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`sysnet_setattr_dhcp_state',`
+	gen_require(`
+		type dhcp_state_t;
+	')
+
+    files_search_var_lib($1)
+	allow $1 dhcp_state_t:file setattr_file_perms;
+')
+
+
 ########################################
 ## <summary>
 ##	Create DHCP state data.
@@ -881,12 +965,14 @@
 
 	# Support for LDAPS
 	dev_read_rand($1)
+	# LDAP Configuration using encrypted requires
 	dev_read_urand($1)
 
 	sysnet_read_config($1)
 
-	# LDAP Configuration using encrypted requires
-	dev_read_urand($1)
+	optional_policy(`
+		ldap_read_certs($1)
+	')
 ')
 
 ########################################
@@ -991,6 +1077,7 @@
 	files_etc_filetrans($1, net_conf_t, file, "ethers")
 	files_etc_filetrans($1, net_conf_t, file, "yp.conf")
 	files_etc_filetrans($1, net_conf_t, file, "ntp.conf")
+    init_pid_filetrans($1, net_conf_t, dir, "network") 
 ')
 
 ########################################
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/system/systemd.if centos-7.1.1503/usr/share/selinux/devel/include/system/systemd.if
--- centos-7.0.1406/usr/share/selinux/devel/include/system/systemd.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/system/systemd.if	2015-03-06 06:53:47.000000000 +0100
@@ -96,6 +96,8 @@
 	systemd_login_list_pid_dirs($1)
 	systemd_login_read_pid_files($1)
 	systemd_passwd_agent_exec($1)
+
+	dontaudit $1 self:capability net_admin;
 ')
 
 #######################################
@@ -368,6 +370,24 @@
 ')
 
 ######################################
+## <summary>
+##	Dontaudit attempts to write inherited logind sessions pipes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`systemd_dontaudit_write_inherited_logind_sessions_pipes',`
+	gen_require(`
+		type systemd_logind_sessions_t;
+	')
+
+	dontaudit $1 systemd_logind_sessions_t:fifo_file write;
+')
+
+######################################
 ## <summary>
 ##	Write systemd inhibit pipes.
 ## </summary>
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/system/unconfined.if centos-7.1.1503/usr/share/selinux/devel/include/system/unconfined.if
--- centos-7.0.1406/usr/share/selinux/devel/include/system/unconfined.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/system/unconfined.if	2015-03-06 06:53:47.000000000 +0100
@@ -187,3 +187,61 @@
 interface(`unconfined_execmem_alias_program',`
 	refpolicywarn(`$0() has been deprecated.')
 ')
+
+########################################
+## <summary>
+##	Connect to unconfined_server with a unix socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`unconfined_server_stream_connect',`
+	gen_require(`
+		type unconfined_service_t;
+	')
+
+	files_search_pids($1)
+	files_write_generic_pid_pipes($1)
+	allow $1 unconfined_service_t:unix_stream_socket { getattr connectto };
+')
+
+########################################
+## <summary>
+##	Connect to unconfined_server with a unix socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`unconfined_server_domtrans',`
+	gen_require(`
+		type unconfined_service_t;
+	')
+
+	corecmd_bin_domtrans($1, unconfined_service_t)
+')
+
+########################################
+## <summary>
+##	Allow caller domain to dbus chat unconfined_server.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`unconfined_server_dbus_chat',`
+	gen_require(`
+		type unconfined_service_t;
+        class dbus send_msg;
+	')
+
+        allow $1 unconfined_service_t:dbus send_msg;
+        allow unconfined_service_t $1:dbus send_msg;
+')
diff -ru centos-7.0.1406/usr/share/selinux/devel/include/system/userdomain.if centos-7.1.1503/usr/share/selinux/devel/include/system/userdomain.if
--- centos-7.0.1406/usr/share/selinux/devel/include/system/userdomain.if	2014-06-10 03:38:27.000000000 +0200
+++ centos-7.1.1503/usr/share/selinux/devel/include/system/userdomain.if	2015-03-06 06:53:47.000000000 +0100
@@ -370,6 +370,25 @@
 
 #######################################
 ## <summary>
+##	Manage user temporary directories
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolebase/>
+#
+interface(`userdom_mounton_tmp_dirs',`
+	gen_require(`
+		type user_tmp_t;
+	')
+
+    allow $1 user_tmp_t:dir mounton;
+')
+
+#######################################
+## <summary>
 ##	Manage user temporary files
 ## </summary>
 ## <param name="role">
@@ -401,6 +420,7 @@
 	manage_sock_files_pattern($2, user_tmp_type, user_tmp_type)
 	manage_fifo_files_pattern($2, user_tmp_type, user_tmp_type)
 	files_tmp_filetrans($2, user_tmp_t, { dir file lnk_file sock_file fifo_file })
+    fs_tmpfs_filetrans($2, user_tmp_t, { dir file lnk_file sock_file fifo_file })
 	relabel_dirs_pattern($2, user_tmp_type, user_tmp_type)
 	relabel_files_pattern($2, user_tmp_type, user_tmp_type)
 	relabel_lnk_files_pattern($2, user_tmp_type, user_tmp_type)
@@ -483,7 +503,7 @@
 		type user_tmpfs_t;
 	')
 
-	allow $1 user_tmpfs_t:file manage_file_perms;
+	manage_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
 ')
 
 #######################################
@@ -513,24 +533,8 @@
 ## <rolecap/>
 #
 interface(`userdom_manage_tmpfs_role',`
-	gen_require(`
-		attribute user_tmpfs_type;
-		type user_tmpfs_t;
-	')
-
-	role $1 types user_tmpfs_t;
-
-	manage_dirs_pattern($2, user_tmpfs_type, user_tmpfs_type)
-	manage_files_pattern($2, user_tmpfs_type, user_tmpfs_type)
-	manage_lnk_files_pattern($2, user_tmpfs_type, user_tmpfs_type)
-	manage_sock_files_pattern($2, user_tmpfs_type, user_tmpfs_type)
-	manage_fifo_files_pattern($2, user_tmpfs_type, user_tmpfs_type)
-	fs_tmpfs_filetrans($2, user_tmpfs_t, { dir file lnk_file sock_file fifo_file })
-	relabel_dirs_pattern($2, user_tmpfs_type, user_tmpfs_type)
-	relabel_files_pattern($2, user_tmpfs_type, user_tmpfs_type)
-	relabel_lnk_files_pattern($2, user_tmpfs_type, user_tmpfs_type)
-	relabel_sock_files_pattern($2, user_tmpfs_type, user_tmpfs_type)
-	relabel_fifo_files_pattern($2, user_tmpfs_type, user_tmpfs_type)
+    refpolicywarn(`$0($*) has been deprecated, use userdom_manage_tmp_role() instead.')
+    userdom_manage_tmp_role($1,$2)
 ')
 
 #######################################
@@ -713,6 +717,11 @@
 
 	application_getattr_socket($1_usertype)
 
+
+    ifdef(`enabled_mls',`
+        init_rw_tcp_sockets($1_usertype)
+    ')
+
 	logging_send_syslog_msg($1_t)
 
 	selinux_get_enforce_mode($1_t)
@@ -798,6 +807,10 @@
         ')
 
 		optional_policy(`
+			geoclue_dbus_chat($1_usertype)
+		')
+
+		optional_policy(`
 			gnome_dbus_chat_gconfdefault($1_usertype)
 		')
 
@@ -969,7 +982,6 @@
 	userdom_manage_home_role($1_r, $1_t)
 
 	userdom_manage_tmp_role($1_r, $1_usertype)
-	userdom_manage_tmpfs_role($1_r, $1_usertype)
 
 	ifelse(`$1',`unconfined',`',`
 		gen_tunable($1_exec_content, true)
@@ -1217,7 +1229,6 @@
 	 # bug: #682499
 	 optional_policy(`
 	 	gnome_read_usr_config($1_usertype)
-		gnome_role_gkeyringd($1, $1_r, $1_usertype)
 		# cjp: telepathy F15 bugs
 		telepathy_role($1_r, $1_t, $1)
 	')
@@ -1265,6 +1276,10 @@
 		')
 
 		optional_policy(`
+			gnome_role_template($1, $1_r, $1_t)
+        ')
+
+        optional_policy(`
 			wm_role_template($1, $1_r, $1_t)
 		')
 	')
@@ -1383,6 +1398,9 @@
 		corenet_tcp_bind_all_unreserved_ports($1_usertype)
 	')
 
+	tunable_policy(`selinuxuser_udp_server',`
+		corenet_udp_bind_all_unreserved_ports($1_usertype)
+	')
 	optional_policy(`
 		cdrecord_role($1_r, $1_t)
 	')
@@ -1392,7 +1410,7 @@
 	')
 
 	optional_policy(`
-		games_rw_data($1_usertype)
+        games_manage_data_files($1_usertype)
 	')
 
 	optional_policy(`
@@ -1534,6 +1552,7 @@
 	dev_rw_generic_usb_dev($1_t)
 	dev_rw_usbfs($1_t)
 	dev_read_kmsg($1_t)
+	dev_read_cpuid($1_t)
 
 	domain_setpriority_all_domains($1_t)
 	domain_read_all_domains_state($1_t)
@@ -1573,6 +1592,8 @@
 	# Relabel almost all files
 	files_relabel_non_security_files($1_t)
 
+    files_mounton_rootfs($1_t)
+
 	init_telinit($1_t)
 
 	logging_send_syslog_msg($1_t)
@@ -1609,7 +1630,11 @@
 	tunable_policy(`selinuxuser_tcp_server',`
         corenet_tcp_bind_all_unreserved_ports($1_t)
     ')
-
+  
+	tunable_policy(`selinuxuser_udp_server',`
+        corenet_udp_bind_all_unreserved_ports($1_t)
+    ')
+      
 	optional_policy(`
 		postgresql_unconfined($1_t)
 	')
@@ -1811,8 +1836,8 @@
 ## </param>
 #
 interface(`userdom_user_tmpfs_file',`
-	files_tmpfs_file($1)
-	ubac_constrained($1)
+    refpolicywarn(`$0($*) has been deprecated, use userdom_user_tmp_file() instead.')
+    userdom_user_tmp_file($1)
 ')
 
 ########################################
@@ -1850,14 +1875,8 @@
 ## </param>
 #
 interface(`userdom_user_tmpfs_content',`
-	gen_require(`
-		attribute user_tmpfs_type;
-	')
-
-	typeattribute $1 user_tmpfs_type;
-
-	files_tmpfs_file($1)
-	ubac_constrained($1)
+    refpolicywarn(`$0($*) has been deprecated, use userdom_user_tmp_content() instead.')
+    userdom_user_tmp_content($1)
 ')
 
 ########################################
@@ -2102,6 +2121,24 @@
 
 ########################################
 ## <summary>
+##	Create user home directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_dontaudit_manage_user_home_dirs',`
+	gen_require(`
+		type user_home_dir_t;
+	')
+
+	dontaudit $1 user_home_dir_t:dir manage_dir_perms;
+')
+
+########################################
+## <summary>
 ##	Relabel to user home directories.
 ## </summary>
 ## <param name="domain">
@@ -2372,6 +2409,43 @@
 
 ########################################
 ## <summary>
+##	Create a user tmp sockets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_create_user_tmp_sockets',`
+    gen_require(`
+        type user_tmp_t;
+    ')
+
+    files_search_tmp($1)
+    allow $1 user_tmp_t:dir list_dir_perms;
+    create_sock_files_pattern($1, user_tmp_t, user_tmp_t)
+')
+
+########################################
+## <summary>
+##	Dontaudit getattr on user tmp sockets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`usedom_dontaudit_user_getattr_tmp_sockets',`
+    gen_require(`
+        type user_tmp_t;
+    ')
+    dontaudit $1 user_tmp_t:sock_file getattr_sock_file_perms;
+')
+
+########################################
+## <summary>
 ##	Relabel user tmp files.
 ## </summary>
 ## <param name="domain">
@@ -2388,6 +2462,26 @@
 
 	allow $1 user_tmp_t:file relabel_file_perms;
 ')
+
+########################################
+## <summary>
+##	Relabel user tmp files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`userdom_relabel_user_tmp_dirs',`
+	gen_require(`
+		type user_tmp_t;
+	')
+
+	allow $1 user_tmp_t:dir relabel_dir_perms;
+')
+
 ########################################
 ## <summary>
 ##	Do not audit attempts to set the
@@ -2559,7 +2653,8 @@
 		type user_home_t;
 	')
 
-	allow $1 user_home_t:file delete_file_perms;
+	userdom_search_user_home_content($1)
+	delete_files_pattern($1, { user_home_dir_t user_home_content_type }, user_home_content_type)
 ')
 
 ########################################
@@ -3039,6 +3134,25 @@
 ##	</summary>
 ## </param>
 #
+interface(`userdom_getattr_user_tmp_files',`
+	gen_require(`
+		attribute user_tmp_type;
+	')
+
+	getattr_files_pattern($1, user_tmp_type, user_tmp_type)
+	files_search_tmp($1)
+')
+
+########################################
+## <summary>
+##	Read user temporary files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
 interface(`userdom_read_user_tmp_files',`
 	gen_require(`
 		attribute user_tmp_type;
@@ -3051,6 +3165,23 @@
 
 ########################################
 ## <summary>
+##	Read user temporary files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_append_user_tmp_files',`
+    gen_require(`
+        type user_tmp_t;
+    ')
+    allow $1 user_tmp_t:file append_inherited_file_perms;
+')
+
+########################################
+## <summary>
 ##	Do not audit attempts to read users
 ##	temporary files.
 ## </summary>
@@ -3106,6 +3237,25 @@
 	rw_files_pattern($1, user_tmp_t, user_tmp_t)
 	files_search_tmp($1)
 ')
+########################################
+## <summary>
+##	Read and write user temporary files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_rw_user_tmp_sock_files',`
+	gen_require(`
+		type user_tmp_t;
+	')
+
+	allow $1 user_tmp_t:dir list_dir_perms;
+    allow $1 user_tmp_t:sock_file rw_inherited_sock_file_perms;
+	files_search_tmp($1)
+')
 
 ########################################
 ## <summary>
@@ -3237,6 +3387,27 @@
 ##	</summary>
 ## </param>
 #
+interface(`userdom_rw_inherited_user_tmp_pipes',`
+	gen_require(`
+		type user_tmp_t;
+	')
+
+    allow $1 user_tmp_t:fifo_file rw_inherited_fifo_file_perms;
+	files_search_tmp($1)
+')
+
+
+########################################
+## <summary>
+##	Create, read, write, and delete user
+##	temporary named pipes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
 interface(`userdom_manage_user_tmp_pipes',`
 	gen_require(`
 		type user_tmp_t;
@@ -3343,12 +3514,8 @@
 ## </param>
 #
 interface(`userdom_getattr_user_tmpfs_files',`
-    gen_require(`
-        type user_tmpfs_t;
-    ')
-
-    getattr_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
-    fs_search_tmpfs($1)
+    refpolicywarn(`$0($*) has been deprecated, use userdom_getattr_user_tmp_files() instead.')
+    userdom_getattr_user_tmp_files($1)
 ')
 
 ########################################
@@ -3362,14 +3529,8 @@
 ## </param>
 #
 interface(`userdom_read_user_tmpfs_files',`
-	gen_require(`
-		type user_tmpfs_t;
-	')
-
-	read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
-	read_lnk_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
-	allow $1 user_tmpfs_t:dir list_dir_perms;
-	fs_search_tmpfs($1)
+    refpolicywarn(`$0($*) has been deprecated, use userdom_read_user_tmp_files() instead.')
+    userdom_read_user_tmp_files($1)
 ')
 
 ########################################
@@ -3383,14 +3544,23 @@
 ## </param>
 #
 interface(`userdom_rw_user_tmpfs_files',`
-	gen_require(`
-		type user_tmpfs_t;
-	')
+    refpolicywarn(`$0($*) has been deprecated, use userdom_rw_user_tmp_files() instead.')
+    userdom_rw_user_tmp_files($1)
+')
 
-	rw_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
-	read_lnk_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
-	allow $1 user_tmpfs_t:dir list_dir_perms;
-	fs_search_tmpfs($1)
+########################################
+## <summary>
+##	Manage user tmpfs files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_manage_user_tmpfs_files',`
+    refpolicywarn(`$0($*) has been deprecated, use userdom_manage_user_tmp_files() instead.')
+    userdom_manage_user_tmp_files($1)
 ')
 
 ########################################
@@ -3404,11 +3574,8 @@
 ## </param>
 #
 interface(`userdom_rw_inherited_user_tmpfs_files',`
-	gen_require(`
-		type user_tmpfs_t;
-	')
-
-	allow $1 user_tmpfs_t:file rw_inherited_file_perms;
+    refpolicywarn(`$0($*) has been deprecated, use userdom_rw_inherited_user_tmp_files instead.')
+    userdom_rw_inherited_user_tmp_files($1)
 ')
 
 ########################################
@@ -3422,11 +3589,26 @@
 ## </param>
 #
 interface(`userdom_execute_user_tmpfs_files',`
+    refpolicywarn(`$0($*) has been deprecated, use userdom_execute_user_tmp_files instead.')
+    userdom_execute_user_tmp_files($1)
+')
+
+########################################
+## <summary>
+##	Execute user tmpfs files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_execute_user_tmp_files',`
 	gen_require(`
-		type user_tmpfs_t;
+		type user_tmp_t;
 	')
 
-	allow $1 user_tmpfs_t:file execute;
+	allow $1 user_tmp_t:file execute;
 ')
 
 ########################################
@@ -4309,7 +4491,7 @@
 
 ########################################
 ## <summary>
-##	Create keys for all user domains.
+##	Write keys for all user domains.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -4317,17 +4499,17 @@
 ##	</summary>
 ## </param>
 #
-interface(`userdom_create_all_users_keys',`
+interface(`userdom_write_all_users_keys',`
 	gen_require(`
 		attribute userdomain;
 	')
 
-	allow $1 userdomain:key create;
+	allow $1 userdomain:key write;
 ')
 
 ########################################
 ## <summary>
-##	Manage keys for all user domains.
+##	Read and write keys for all user domains.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -4335,12 +4517,30 @@
 ##	</summary>
 ## </param>
 #
-interface(`userdom_manage_all_users_keys',`
+interface(`userdom_rw_all_users_keys',`
 	gen_require(`
 		attribute userdomain;
 	')
 
-	allow $1 userdomain:key manage_key_perms;
+	allow $1 userdomain:key { read view write };
+')
+
+########################################
+## <summary>
+##	Create keys for all user domains.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_create_all_users_keys',`
+	gen_require(`
+		attribute userdomain;
+	')
+
+	allow $1 userdomain:key create;
 ')
 
 ########################################
@@ -4868,8 +5068,27 @@
 
 ########################################
 ## <summary>
+##	Manage keys for all user domains.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_manage_all_users_keys',`
+	gen_require(`
+		attribute userdomain;
+	')
+
+	allow $1 userdomain:key manage_key_perms;
+')
+
+
+########################################
+## <summary>
 ##	Do not audit attempts to read and write
-##	unserdomain stream.
+##	userdomain stream.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -4887,6 +5106,24 @@
 
 ########################################
 ## <summary>
+##	Read and write	userdomain stream.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_rw_stream',`
+	gen_require(`
+		attribute userdomain;
+	')
+
+	allow $1 userdomain:unix_stream_socket rw_socket_perms;
+')
+
+########################################
+## <summary>
 ##	Do not audit attempts to read and write
 ##	unserdomain datagram socket.
 ## </summary>
@@ -5178,16 +5415,8 @@
 ## </param>
 #
 interface(`userdom_manage_all_user_tmpfs_content',`
-	gen_require(`
-		attribute user_tmpfs_type;
-	')
-
-	manage_dirs_pattern($1, user_tmpfs_type, user_tmpfs_type)
-	manage_files_pattern($1, user_tmpfs_type, user_tmpfs_type)
-	manage_lnk_files_pattern($1, user_tmpfs_type, user_tmpfs_type)
-	manage_sock_files_pattern($1, user_tmpfs_type, user_tmpfs_type)
-	manage_fifo_files_pattern($1, user_tmpfs_type, user_tmpfs_type)
-	fs_search_tmpfs($1)
+    refpolicywarn(`$0($*) has been deprecated, use userdom_manage_all_user_tmp_content instead.')    
+    userdom_manage_all_user_tmp_content($1)
 ')
 
 ########################################
@@ -5401,11 +5630,8 @@
 ## </param>
 #
 interface(`userdom_dontaudit_setattr_user_tmpfs',`
-	gen_require(`
-		type user_tmpfs_t;
-	')
-
-	dontaudit $1 user_tmpfs_t:file setattr;
+    refpolicywarn(`$0($*) has been deprecated, use userdom_dontaudit_setattr_user_tmp() instead.')
+    userdom_dontaudit_setattr_user_tmp($1)
 ')
 
 ########################################
@@ -5509,11 +5735,8 @@
 ## </param>
 #
 interface(`userdom_delete_user_tmpfs_files',`
-	gen_require(`
-		type user_tmpfs_t;
-	')
-
-	allow $1 user_tmpfs_t:file delete_file_perms;
+    refpolicywarn(`$0($*) has been deprecated, use userdom_delete_user_tmpfs_files instead.')
+    userdom_delete_user_tmpfs_files($1)
 ')
 
 ########################################
@@ -5819,6 +6042,7 @@
             type home_bin_t;
             type audio_home_t;
             type home_cert_t;
+            type user_tmp_t;
     ')
 
     userdom_user_home_dir_filetrans($1, home_bin_t, dir, "bin")
@@ -5827,6 +6051,8 @@
     userdom_user_home_dir_filetrans($1, home_cert_t, dir, ".cert")
     userdom_user_home_dir_filetrans($1, home_cert_t, dir, ".pki")
     userdom_user_home_dir_filetrans($1, home_cert_t, dir, "certificates")
+    userdom_user_home_dir_filetrans($1, user_tmp_t, dir, "tmp")
+    userdom_user_home_dir_filetrans($1, user_tmp_t, dir, ".tmp")
 ')
 
 ########################################
@@ -6017,4 +6243,3 @@
 		samhain_run($1, $2)
 	')
 ')
-