Description: Add systemd support
Author: Russell Coker <russell@coker.com.au>
Origin: Fedora
Last-Update: 2012-06-10

Index: refpolicy-2.20110726/policy/flask/security_classes
===================================================================
--- refpolicy-2.20110726.orig/policy/flask/security_classes	2012-06-30 12:31:47.440239041 +1000
+++ refpolicy-2.20110726/policy/flask/security_classes	2012-06-30 12:32:00.236479159 +1000
@@ -131,4 +131,11 @@
 class db_sequence		# userspace
 class db_language		# userspace
 
+# systemd services 
+class service 
+
+# gssd services 
+class proxy
+
+
 # FLASK
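Review bot: The two added declarations, `class service` and `class proxy`, carry no `# userspace` tag, while the `db_sequence` and `db_language` context lines directly above them do. Going by the added comments, both classes are enforced by userspace object managers (systemd and gssd), so I would write `class service		# userspace` and `class proxy		# userspace` to match. Whether any build tooling reads that tag is not visible in this hunk. The two added comment lines also end in trailing whitespace.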
Index: refpolicy-2.20110726/policy/flask/access_vectors
===================================================================
--- refpolicy-2.20110726.orig/policy/flask/access_vectors	2012-06-30 12:31:47.440239041 +1000
+++ refpolicy-2.20110726/policy/flask/access_vectors	2012-06-30 12:32:00.236479159 +1000
@@ -393,6 +393,10 @@
 	syslog_mod
 	syslog_console
 	module_request
+	halt
+	reboot
+	status
+	undefined
 }
 
 #
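Review bot: The four permissions appended here (`halt`, `reboot`, `status`, `undefined`) have no comment saying who enforces them, and `undefined` in particular gives a policy author no hint of what an allow rule on it grants. The class header is outside the hunk, but the neighbouring `syslog_mod`, `syslog_console` and `module_request` entries suggest a kernel class, so a reader will assume the kernel checks these. I would add a line such as `# halt, reboot, status, undefined: checked by systemd in userspace, not by the kernel` above them, if that is indeed the case.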
@@ -862,3 +866,20 @@
 	implement
 	execute
 }
+
+class service
+{
+	start
+	stop
+	status
+	reload
+	kill
+	load
+	enable
+	disable
+}
+
+class proxy
+{
+	read
+}
Index: refpolicy-2.20110726/policy/support/obj_perm_sets.spt
===================================================================
--- refpolicy-2.20110726.orig/policy/support/obj_perm_sets.spt	2012-06-30 12:31:57.904435494 +1000
+++ refpolicy-2.20110726/policy/support/obj_perm_sets.spt	2012-06-30 12:32:00.236479159 +1000
@@ -28,8 +28,7 @@
 #
 # All socket classes.
 #
-define(`socket_class_set', `{ tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket }')
-
+define(`socket_class_set', `{ socket dccp_socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket }')
 
 #
 # Datagram socket classes.
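Review bot: Adding `socket` and `dccp_socket` to `socket_class_set` silently widens every rule that expands this macro, and the change is unrelated to the systemd support named in the patch description. Nothing in the hunk says which domain needs the generic `socket` class, so the widening is hard to audit later. I would split it into its own patch or add a comment above the define, e.g. `# includes the generic socket class and dccp_socket; widens every user of this set`.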
@@ -59,7 +58,7 @@
 #
 # Permissions for using sockets.
 # 
-define(`rw_socket_perms', `{ ioctl read getattr write setattr append bind connect getopt setopt shutdown }')
+define(`rw_socket_perms', `{ ioctl read getattr lock write setattr append bind connect getopt setopt shutdown }')
 
 #
 # Permissions for creating and using sockets.
@@ -153,12 +152,15 @@
 #
 define(`getattr_file_perms',`{ getattr }')
 define(`setattr_file_perms',`{ setattr }')
-define(`read_file_perms',`{ getattr open read lock ioctl }')
+define(`read_inherited_file_perms',`{ getattr read ioctl lock }')
+define(`read_file_perms',`{ open read_inherited_file_perms }')
 define(`mmap_file_perms',`{ getattr open read execute ioctl }')
 define(`exec_file_perms',`{ getattr open read execute ioctl execute_no_trans }')
-define(`append_file_perms',`{ getattr open append lock ioctl }')
+define(`append_inherited_file_perms',`{ getattr append }')
+define(`append_file_perms',`{ open lock ioctl append_inherited_file_perms }')
 define(`write_file_perms',`{ getattr open write append lock ioctl }')
-define(`rw_file_perms',`{ getattr open read write append ioctl lock }')
+define(`rw_inherited_file_perms',`{ getattr read write append ioctl lock }')
+define(`rw_file_perms',`{ open rw_inherited_file_perms }')
 define(`create_file_perms',`{ getattr create open }')
 define(`rename_file_perms',`{ getattr rename }')
 define(`delete_file_perms',`{ getattr unlink }')
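Review bot: The new `*_inherited_*` sets are introduced without a comment saying that they deliberately leave out `open`, which is what makes them useful: a domain may use a descriptor handed to it but cannot open the object by path. A line such as `# *_inherited_* sets omit open: for descriptors passed in by another domain` above `read_inherited_file_perms` would keep a later edit from adding `open` back. Note also that `append_inherited_file_perms` is `{ getattr append }` while the read and rw variants include `ioctl lock`; if that asymmetry is intended it deserves a word. The same comment applies to the fifo, sock_file, blk_file, chr_file and terminal hunks further down this file.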
@@ -179,7 +181,7 @@
 define(`create_lnk_file_perms',`{ create getattr }')
 define(`rename_lnk_file_perms',`{ getattr rename }')
 define(`delete_lnk_file_perms',`{ getattr unlink }')
-define(`manage_lnk_file_perms',`{ create read write getattr setattr link unlink rename }')
+define(`manage_lnk_file_perms',`{ create getattr setattr read write append rename link unlink ioctl lock }')
 define(`relabelfrom_lnk_file_perms',`{ getattr relabelfrom }')
 define(`relabelto_lnk_file_perms',`{ getattr relabelto }')
 define(`relabel_lnk_file_perms',`{ getattr relabelfrom relabelto }')
@@ -192,7 +194,8 @@
 define(`read_fifo_file_perms',`{ getattr open read lock ioctl }')
 define(`append_fifo_file_perms',`{ getattr open append lock ioctl }')
 define(`write_fifo_file_perms',`{ getattr open write append lock ioctl }')
-define(`rw_fifo_file_perms',`{ getattr open read write append ioctl lock }')
+define(`rw_inherited_fifo_file_perms',`{ getattr read write append ioctl lock }')
+define(`rw_fifo_file_perms',`{ open rw_inherited_fifo_file_perms }')
 define(`create_fifo_file_perms',`{ getattr create open }')
 define(`rename_fifo_file_perms',`{ getattr rename }')
 define(`delete_fifo_file_perms',`{ getattr unlink }')
@@ -208,7 +211,8 @@
 define(`setattr_sock_file_perms',`{ setattr }')
 define(`read_sock_file_perms',`{ getattr open read }')
 define(`write_sock_file_perms',`{ getattr write open append }')
-define(`rw_sock_file_perms',`{ getattr open read write append }')
+define(`rw_inherited_sock_file_perms',`{ getattr read write append }')
+define(`rw_sock_file_perms',`{ open rw_inherited_sock_file_perms }')
 define(`create_sock_file_perms',`{ getattr create open }')
 define(`rename_sock_file_perms',`{ getattr rename }')
 define(`delete_sock_file_perms',`{ getattr unlink }')
@@ -225,7 +229,8 @@
 define(`read_blk_file_perms',`{ getattr open read lock ioctl }')
 define(`append_blk_file_perms',`{ getattr open append lock ioctl }')
 define(`write_blk_file_perms',`{ getattr open write append lock ioctl }')
-define(`rw_blk_file_perms',`{ getattr open read write append ioctl lock }')
+define(`rw_inherited_blk_file_perms',`{ getattr read write append ioctl lock }')
+define(`rw_blk_file_perms',`{ open rw_inherited_blk_file_perms }')
 define(`create_blk_file_perms',`{ getattr create }')
 define(`rename_blk_file_perms',`{ getattr rename }')
 define(`delete_blk_file_perms',`{ getattr unlink }')
@@ -242,7 +247,8 @@
 define(`read_chr_file_perms',`{ getattr open read lock ioctl }')
 define(`append_chr_file_perms',`{ getattr open append lock ioctl }')
 define(`write_chr_file_perms',`{ getattr open write append lock ioctl }')
-define(`rw_chr_file_perms',`{ getattr open read write append ioctl lock }')
+define(`rw_inherited_chr_file_perms',`{ getattr read write append ioctl lock }')
+define(`rw_chr_file_perms',`{ open rw_inherited_chr_file_perms }')
 define(`create_chr_file_perms',`{ getattr create }')
 define(`rename_chr_file_perms',`{ getattr rename }')
 define(`delete_chr_file_perms',`{ getattr unlink }')
@@ -259,7 +265,8 @@
 #
 # Use (read and write) terminals
 #
-define(`rw_term_perms', `{ getattr open read write append ioctl }')
+define(`rw_inherited_term_perms', `{ getattr read write append ioctl }')
+define(`rw_term_perms', `{ rw_inherited_term_perms open }')
 
 #
 # Sockets
@@ -271,3 +278,20 @@
 # Keys
 #
 define(`manage_key_perms', `{ create link read search setattr view write } ')
+
+#
+# Service
+#
+define(`manage_service_perms', `{ start stop status reload kill load } ')
+
+#
+# All 
+#
+define(`all_capabilities', `{ chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap }
+')
+
+define(`all_nscd_perms', `{ getserv getpwd getgrp gethost getstat admin shmempwd shmemgrp shmemhost shmemserv } ')
+define(`all_dbus_perms', `{ acquire_svc send_msg } ')
+define(`all_passwd_perms', `{ passwd chfn chsh rootok crontab } ')
+define(`all_service_perms', `{ enable disable manage_service_perms } ')
+define(`all_association_perms', `{ sendto recvfrom setcontext polmatch } ')
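Review bot: The `all_*` sets hard-code permission lists that duplicate `access_vectors`, so they silently stop meaning "all" as soon as a class gains a permission, and the comment header above them is truncated to `# All`. `all_capabilities` expands to every listed capability including `sys_admin`, `sys_module` and `sys_ptrace`, so each use is a least-privilege exception that should be easy to find and justify. I would complete the header, e.g. `# All permissions of a class; keep in sync with policy/flask/access_vectors`, and put the closing quote and parenthesis of `all_capabilities` on the same line as the list so its expansion does not carry a trailing newline.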
Index: refpolicy-2.20110726/policy/modules/services/nis.fc
===================================================================
--- refpolicy-2.20110726.orig/policy/modules/services/nis.fc	2012-06-30 12:31:47.440239041 +1000
+++ refpolicy-2.20110726/policy/modules/services/nis.fc	2012-06-30 12:32:00.236479159 +1000
@@ -19,3 +19,8 @@
 /var/run/ypbind.*	--	gen_context(system_u:object_r:ypbind_var_run_t,s0)
 /var/run/ypserv.*	--	gen_context(system_u:object_r:ypserv_var_run_t,s0)
 /var/run/yppass.*	--	gen_context(system_u:object_r:yppasswdd_var_run_t,s0)
+
+/lib/systemd/system/ypbind\.service    --      gen_context(system_u:object_r:ypbind_unit_file_t,s0)
+/lib/systemd/system/ypserv\.service    --      gen_context(system_u:object_r:nis_unit_file_t,s0)
+/lib/systemd/system/yppasswdd\.service --      gen_context(system_u:object_r:nis_unit_file_t,s0)
+/lib/systemd/system/ypxfrd\.service    --      gen_context(system_u:object_r:nis_unit_file_t,s0)
Index: refpolicy-2.20110726/policy/modules/services/automount.fc
===================================================================
--- refpolicy-2.20110726.orig/policy/modules/services/automount.fc	2012-06-30 12:31:47.440239041 +1000
+++ refpolicy-2.20110726/policy/modules/services/automount.fc	2012-06-30 12:32:00.240479241 +1000
@@ -4,6 +4,8 @@
 /etc/apm/event\.d/autofs --	gen_context(system_u:object_r:automount_exec_t,s0)
 /etc/rc\.d/init\.d/autofs	--	gen_context(system_u:object_r:automount_initrc_exec_t,s0)
 
+/lib/systemd/system/autofs\.service -- gen_context(system_u:object_r:automount_unit_file_t,s0)
+
 #
 # /usr
 #
Index: refpolicy-2.20110726/policy/modules/services/clamav.te
===================================================================
--- refpolicy-2.20110726.orig/policy/modules/services/clamav.te	2012-06-30 12:31:59.552466355 +1000
+++ refpolicy-2.20110726/policy/modules/services/clamav.te	2012-06-30 12:32:00.240479241 +1000
@@ -24,6 +24,9 @@
 type clamd_initrc_exec_t;
 init_script_file(clamd_initrc_exec_t)
 
+type clamd_unit_file_t;
+systemd_unit_file(clamd_unit_file_t)
+
 # tmp files
 type clamd_tmp_t;
 files_tmp_file(clamd_tmp_t)
Index: refpolicy-2.20110726/policy/modules/services/bluetooth.fc
===================================================================
--- refpolicy-2.20110726.orig/policy/modules/services/bluetooth.fc	2012-06-30 12:31:47.440239041 +1000
+++ refpolicy-2.20110726/policy/modules/services/bluetooth.fc	2012-06-30 12:32:00.240479241 +1000
@@ -7,6 +7,8 @@
 /etc/rc\.d/init\.d/dund	--	gen_context(system_u:object_r:bluetooth_initrc_exec_t,s0)
 /etc/rc\.d/init\.d/pand	--	gen_context(system_u:object_r:bluetooth_initrc_exec_t,s0)
 
+/lib/systemd/system/bluetooth\.service -- gen_context(system_u:object_r:bluetooth_unit_file_t,s0)
+
 #
 # /usr
 #
Index: refpolicy-2.20110726/policy/modules/services/apache.fc
===================================================================
--- refpolicy-2.20110726.orig/policy/modules/services/apache.fc	2012-06-30 12:31:58.100439164 +1000
+++ refpolicy-2.20110726/policy/modules/services/apache.fc	2012-06-30 12:32:00.240479241 +1000
@@ -16,6 +16,9 @@
 /etc/vhosts			--	gen_context(system_u:object_r:httpd_config_t,s0)
 /etc/zabbix/web(/.*)?			gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
 
+/lib/systemd/system/httpd.*\.service -- gen_context(system_u:object_r:httpd_unit_file_t,s0)
+/lib/systemd/system/jetty.*\.service -- gen_context(system_u:object_r:httpd_unit_file_t,s0)
+
 /srv/([^/]*/)?www(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
 /srv/gallery2(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
 
Index: refpolicy-2.20110726/policy/modules/services/samba.te
===================================================================
--- refpolicy-2.20110726.orig/policy/modules/services/samba.te	2012-06-30 12:31:47.440239041 +1000
+++ refpolicy-2.20110726/policy/modules/services/samba.te	2012-06-30 12:32:00.240479241 +1000
@@ -85,6 +85,9 @@
 type samba_initrc_exec_t;
 init_script_file(samba_initrc_exec_t)
 
+type samba_unit_file_t;
+systemd_unit_file(samba_unit_file_t)
+
 type samba_log_t;
 logging_log_file(samba_log_t)
 
Index: refpolicy-2.20110726/policy/modules/services/apcupsd.fc
===================================================================
--- refpolicy-2.20110726.orig/policy/modules/services/apcupsd.fc	2012-06-30 12:31:47.440239041 +1000
+++ refpolicy-2.20110726/policy/modules/services/apcupsd.fc	2012-06-30 12:32:00.244479309 +1000
@@ -1,5 +1,7 @@
 /etc/rc\.d/init\.d/apcupsd	--	gen_context(system_u:object_r:apcupsd_initrc_exec_t,s0)
 
+/lib/systemd/system/apcupsd\.service -- gen_context(system_u:object_r:apcupsd_unit_file_t,s0)
+
 /sbin/apcupsd			--	gen_context(system_u:object_r:apcupsd_exec_t,s0)
 
 /usr/sbin/apcupsd		--	gen_context(system_u:object_r:apcupsd_exec_t,s0)
Index: refpolicy-2.20110726/policy/modules/services/dbus.if
===================================================================
--- refpolicy-2.20110726.orig/policy/modules/services/dbus.if	2012-06-30 12:31:58.520447029 +1000
+++ refpolicy-2.20110726/policy/modules/services/dbus.if	2012-06-30 12:32:45.113311581 +1000
@@ -41,9 +41,9 @@
 template(`dbus_role_template',`
 	gen_require(`
 		class dbus { send_msg acquire_svc };
-
-		attribute session_bus_type;
+		attribute dbusd_unconfined, session_bus_type;
 		type system_dbusd_t, session_dbusd_tmp_t, dbusd_exec_t, dbusd_etc_t;
+		type $1_t;
 	')
 
 	##############################
@@ -52,8 +52,7 @@
 	#
 
 	type $1_dbusd_t, session_bus_type;
-	domain_type($1_dbusd_t)
-	domain_entry_file($1_dbusd_t, dbusd_exec_t)
+	application_domain($1_dbusd_t, dbusd_exec_t)
 	ubac_constrained($1_dbusd_t)
 	role $2 types $1_dbusd_t;
 
@@ -62,107 +61,30 @@
 	# Local policy
 	#
 
-	allow $1_dbusd_t self:process { getattr sigkill signal };
-	dontaudit $1_dbusd_t self:process ptrace;
-	allow $1_dbusd_t self:file { getattr read write };
-	allow $1_dbusd_t self:fifo_file rw_fifo_file_perms;
-	allow $1_dbusd_t self:dbus { send_msg acquire_svc };
-	allow $1_dbusd_t self:unix_stream_socket create_stream_socket_perms;
-	allow $1_dbusd_t self:unix_dgram_socket create_socket_perms;
-	allow $1_dbusd_t self:tcp_socket create_stream_socket_perms;
-	allow $1_dbusd_t self:netlink_selinux_socket create_socket_perms;
-
 	# For connecting to the bus
 	allow $3 $1_dbusd_t:unix_stream_socket connectto;
 
 	# SE-DBus specific permissions
-	allow $3 $1_dbusd_t:dbus { send_msg acquire_svc };
+	allow { dbusd_unconfined $3 } $1_dbusd_t:dbus { send_msg acquire_svc };
 	allow $3 system_dbusd_t:dbus { send_msg acquire_svc };
 
-	allow $1_dbusd_t dbusd_etc_t:dir list_dir_perms;
-	read_files_pattern($1_dbusd_t, dbusd_etc_t, dbusd_etc_t)
-	read_lnk_files_pattern($1_dbusd_t, dbusd_etc_t, dbusd_etc_t)
-
-	manage_dirs_pattern($1_dbusd_t, session_dbusd_tmp_t, session_dbusd_tmp_t)
-	manage_files_pattern($1_dbusd_t, session_dbusd_tmp_t, session_dbusd_tmp_t)
-	files_tmp_filetrans($1_dbusd_t, session_dbusd_tmp_t, { file dir })
-
 	domtrans_pattern($3, dbusd_exec_t, $1_dbusd_t)
-	allow $3 $1_dbusd_t:process { signull sigkill signal };
+
+	ps_process_pattern($3, $1_dbusd_t)
+	allow $3 $1_dbusd_t:process signal_perms;
+
+	tunable_policy(`deny_ptrace',`',`
+		allow $3 $1_dbusd_t:process ptrace;
+	')
 
 	# cjp: this seems very broken
-	corecmd_bin_domtrans($1_dbusd_t, $3)
+	corecmd_bin_domtrans($1_dbusd_t, $1_t)
+	corecmd_shell_domtrans($1_dbusd_t, $1_t)
 	allow $1_dbusd_t $3:process sigkill;
 	allow $3 $1_dbusd_t:fd use;
 	allow $3 $1_dbusd_t:fifo_file rw_fifo_file_perms;
-	allow $3 $1_dbusd_t:process sigchld;
-
-	kernel_read_system_state($1_dbusd_t)
-	kernel_read_kernel_sysctls($1_dbusd_t)
-
-	corecmd_list_bin($1_dbusd_t)
-	corecmd_read_bin_symlinks($1_dbusd_t)
-	corecmd_read_bin_files($1_dbusd_t)
-	corecmd_read_bin_pipes($1_dbusd_t)
-	corecmd_read_bin_sockets($1_dbusd_t)
-
-	corenet_all_recvfrom_unlabeled($1_dbusd_t)
-	corenet_all_recvfrom_netlabel($1_dbusd_t)
-	corenet_tcp_sendrecv_generic_if($1_dbusd_t)
-	corenet_tcp_sendrecv_generic_node($1_dbusd_t)
-	corenet_tcp_sendrecv_all_ports($1_dbusd_t)
-	corenet_tcp_bind_generic_node($1_dbusd_t)
-	corenet_tcp_bind_reserved_port($1_dbusd_t)
-
-	dev_read_urand($1_dbusd_t)
-
- 	domain_use_interactive_fds($1_dbusd_t)
-	domain_read_all_domains_state($1_dbusd_t)
-
-	files_read_etc_files($1_dbusd_t)
-	files_list_home($1_dbusd_t)
-	files_read_usr_files($1_dbusd_t)
-	files_dontaudit_search_var($1_dbusd_t)
-
-	fs_getattr_romfs($1_dbusd_t)
-	fs_getattr_xattr_fs($1_dbusd_t)
-	fs_list_inotifyfs($1_dbusd_t)
-	fs_dontaudit_list_nfs($1_dbusd_t)
-
-	selinux_get_fs_mount($1_dbusd_t)
-	selinux_validate_context($1_dbusd_t)
-	selinux_compute_access_vector($1_dbusd_t)
-	selinux_compute_create_context($1_dbusd_t)
-	selinux_compute_relabel_context($1_dbusd_t)
-	selinux_compute_user_contexts($1_dbusd_t)
 
-	auth_read_pam_console_data($1_dbusd_t)
 	auth_use_nsswitch($1_dbusd_t)
-
-	logging_send_audit_msgs($1_dbusd_t)
-	logging_send_syslog_msg($1_dbusd_t)
-
-	miscfiles_read_localization($1_dbusd_t)
-
-	seutil_read_config($1_dbusd_t)
-	seutil_read_default_contexts($1_dbusd_t)
-
-	term_use_all_terms($1_dbusd_t)
-
-	userdom_read_user_home_content_files($1_dbusd_t)
-
-	ifdef(`hide_broken_symptoms', `
-		dontaudit $3 $1_dbusd_t:netlink_selinux_socket { read write };
-	')
-
-	optional_policy(`
-		hal_dbus_chat($1_dbusd_t)
-	')
-
-	optional_policy(`
-		xserver_use_xdm_fds($1_dbusd_t)
-		xserver_rw_xdm_pipes($1_dbusd_t)
-	')
 ')
 
 #######################################
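Review bot: The added `tunable_policy` block on `deny_ptrace` puts `allow $3 $1_dbusd_t:process ptrace;` in the else branch, so the user domain may ptrace its session bus daemon whenever the tunable is off, whereas the removed line granted `$3` only `signull sigkill signal`. That is a new grant rather than a restriction, and `signal_perms` widens the signal set at the same time. I would add a comment such as `# ptrace stays allowed unless the deny_ptrace tunable is enabled` and confirm the tunable's default, which is not visible here. The same pattern is added in the cron.if hunks for cron_role, cron_unconfined_role and cron_admin_role. Separately, `corecmd_bin_domtrans($1_dbusd_t, $1_t)` now assumes the user domain is named `$1_t` while the neighbouring rules still use `$3`.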
@@ -181,11 +103,12 @@
 		type system_dbusd_t, system_dbusd_t;
 		type system_dbusd_var_run_t, system_dbusd_var_lib_t;
 		class dbus send_msg;
+		attribute dbusd_unconfined;
 	')
 
 	# SE-DBus specific permissions
 	allow $1 { system_dbusd_t self }:dbus send_msg;
-	allow system_dbusd_t $1:dbus send_msg;
+	allow { system_dbusd_t dbusd_unconfined } $1:dbus send_msg;
 
 	read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
 	files_search_var_lib($1)
@@ -200,6 +123,34 @@
 
 #######################################
 ## <summary>
+##	Creating connections to specified
+##	DBUS sessions.
+## </summary>
+## <param name="role_prefix">
+##	<summary>
+##	The prefix of the user role (e.g., user
+##	is the prefix for user_r).
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dbus_session_client',`
+	gen_require(`
+		class dbus send_msg;
+		type $1_dbusd_t;
+	')
+
+	allow $2 $1_dbusd_t:fd use;
+	allow $2 { $1_dbusd_t self }:dbus send_msg;
+	allow $2 $1_dbusd_t:unix_stream_socket connectto;
+')
+
+#######################################
+## <summary>
 ##	Template for creating connections to
 ##	a user DBUS.
 ## </summary>
@@ -220,6 +171,8 @@
 
 	# For connecting to the bus
 	allow $1 session_bus_type:unix_stream_socket connectto;
+
+	allow session_bus_type $1:process sigkill;
 ')
 
 ########################################
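Review bot: `allow session_bus_type $1:process sigkill;` lets every session bus daemon type kill any domain that calls this client interface, and the line has no comment saying why. The interface summary is outside the hunk, but the visible comment only speaks of connecting to the bus, so callers will not expect to become a signal target. I would add a comment stating the reason, e.g. `# the session bus daemon kills the clients it started when the session ends`, if that is the intent.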
@@ -324,6 +277,11 @@
 ##	Allow a application domain to be started
 ##	by the session dbus.
 ## </summary>
+## <param name="domain_prefix">
+##	<summary>
+##	User domain prefix to be used.
+##	</summary>
+## </param>
 ## <param name="domain">
 ##	<summary>
 ##	Type to be used as a domain.
@@ -338,13 +296,13 @@
 #
 interface(`dbus_session_domain',`
 	gen_require(`
-		attribute session_bus_type;
+		type $1_dbusd_t;
 	')
 
-	domtrans_pattern(session_bus_type, $2, $1)
+	domtrans_pattern($1_dbusd_t, $2, $3)
 
-	dbus_session_bus_client($1)
-	dbus_connect_session_bus($1)
+	dbus_session_bus_client($3)
+	dbus_connect_session_bus($3)
 ')
 
 ########################################
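Review bot: The body now uses `$2` as the entry-point file and `$3` as the domain (`domtrans_pattern($1_dbusd_t, $2, $3)`), but the parameter documentation added in the previous hunk lists `domain_prefix` and then `domain`, which makes the domain the second argument; the third param block is outside the visible hunks. Either the documentation or the body is in the wrong order, and a caller following the documentation would pass its domain type as the transition entry point. Going from two to three arguments also breaks existing callers, none of which are visible here. If the documented order is the intended one, the body should read `domtrans_pattern($1_dbusd_t, $3, $2)` with `dbus_session_bus_client($2)` and `dbus_connect_session_bus($2)`.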
@@ -423,27 +381,16 @@
 #
 interface(`dbus_system_domain',`
 	gen_require(`
+		attribute system_bus_type;
 		type system_dbusd_t;
 		role system_r;
 	')
+	typeattribute $1  system_bus_type;
 
 	domain_type($1)
 	domain_entry_file($1, $2)
 
-	role system_r types $1;
-
 	domtrans_pattern(system_dbusd_t, $2, $1)
-
-	dbus_system_bus_client($1)
-	dbus_connect_system_bus($1)
-
-	ps_process_pattern(system_dbusd_t, $1)
-
-	userdom_read_all_users_state($1)
-
-	ifdef(`hide_broken_symptoms', `
-		dontaudit $1 system_dbusd_t:netlink_selinux_socket { read write };
-	')
 ')
 
 ########################################
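Review bot: After this hunk `role system_r;` is still listed in `gen_require` but no rule uses it, because `role system_r types $1;` was removed. If the role-type association is not re-established elsewhere (for instance on the new `system_bus_type` attribute in dbus.te, which is not part of this hunk), the transition from `system_dbusd_t` set up by `domtrans_pattern` would lead to a context that is not valid for system_r. The removed `dbus_system_bus_client($1)` and `dbus_connect_system_bus($1)` calls raise the same question. I would either keep `role system_r types $1;` or add a comment pointing at the attribute-based rule that replaces it, and drop the unused require.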
@@ -466,26 +413,25 @@
 
 ########################################
 ## <summary>
-##	Dontaudit Read, and write system dbus TCP sockets.
+##	Allow unconfined access to the system DBUS.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain to not audit.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
-interface(`dbus_dontaudit_system_bus_rw_tcp_sockets',`
+interface(`dbus_unconfined',`
 	gen_require(`
-		type system_dbusd_t;
+		attribute dbusd_unconfined;
 	')
 
-	allow $1 system_dbusd_t:tcp_socket { read write };
-	allow $1 system_dbusd_t:fd use;
+	typeattribute $1 dbusd_unconfined;
 ')
 
 ########################################
 ## <summary>
-##	Allow unconfined access to the system DBUS.
+##	Delete all dbus pid files
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -493,10 +439,51 @@
 ##	</summary>
 ## </param>
 #
-interface(`dbus_unconfined',`
+interface(`dbus_delete_pid_files',`
 	gen_require(`
-		attribute dbusd_unconfined;
+		type system_dbusd_var_run_t;
 	')
 
-	typeattribute $1 dbusd_unconfined;
+	files_search_pids($1)
+	delete_files_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t)
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to connect to
+##	session bus types with a unix
+##	stream socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`dbus_dontaudit_stream_connect_session_bus',`
+	gen_require(`
+		attribute session_bus_type;
+	')
+
+	dontaudit $1 session_bus_type:unix_stream_socket connectto;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to send dbus
+##	messages to session bus types.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`dbus_dontaudit_chat_session_bus',`
+	gen_require(`
+		attribute session_bus_type;
+		class dbus send_msg;
+	')
+
+	dontaudit $1 session_bus_type:dbus send_msg;
 ')
Index: refpolicy-2.20110726/policy/modules/services/ldap.te
===================================================================
--- refpolicy-2.20110726.orig/policy/modules/services/ldap.te	2012-06-30 12:31:47.440239041 +1000
+++ refpolicy-2.20110726/policy/modules/services/ldap.te	2012-06-30 12:32:00.244479309 +1000
@@ -21,6 +21,9 @@
 type slapd_initrc_exec_t;
 init_script_file(slapd_initrc_exec_t)
 
+type slapd_unit_file_t;
+systemd_unit_file(slapd_unit_file_t)
+
 type slapd_lock_t;
 files_lock_file(slapd_lock_t)
 
Index: refpolicy-2.20110726/policy/modules/services/apache.te
===================================================================
--- refpolicy-2.20110726.orig/policy/modules/services/apache.te	2012-06-30 12:31:58.104439246 +1000
+++ refpolicy-2.20110726/policy/modules/services/apache.te	2012-06-30 12:32:00.244479309 +1000
@@ -177,6 +177,9 @@
 type httpd_initrc_exec_t;
 init_script_file(httpd_initrc_exec_t)
 
+type httpd_unit_file_t;
+systemd_unit_file(httpd_unit_file_t)
+systemd_manage_passwd_run(httpd_t)
 type httpd_lock_t;
 files_lock_file(httpd_lock_t)
 
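Review bot: `systemd_manage_passwd_run(httpd_t)` is an access grant placed in the middle of the type declarations, with no comment on why the web server domain needs it and no blank line before `type httpd_lock_t;`. The interface definition is outside this hunk, so its exact scope cannot be checked here, but going by its name it is a manage-level grant to a network-facing domain and should be justified. I would move it to the httpd_t local policy section with a comment giving the reason (presumably key passphrase prompts at start-up) and wrap it in an `optional_policy` block so the module still builds without the systemd module.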
Index: refpolicy-2.20110726/policy/modules/services/mysql.fc
===================================================================
--- refpolicy-2.20110726.orig/policy/modules/services/mysql.fc	2012-06-30 12:31:58.688450184 +1000
+++ refpolicy-2.20110726/policy/modules/services/mysql.fc	2012-06-30 12:32:00.248479380 +1000
@@ -1,5 +1,7 @@
 # mysql database server
 
+/lib/systemd/system/mysqld\.service -- gen_context(system_u:object_r:mysqld_unit_file_t,s0)
+
 #
 # /etc
 #
Index: refpolicy-2.20110726/policy/modules/services/apm.te
===================================================================
--- refpolicy-2.20110726.orig/policy/modules/services/apm.te	2012-06-30 12:31:59.148458790 +1000
+++ refpolicy-2.20110726/policy/modules/services/apm.te	2012-06-30 12:32:00.248479380 +1000
@@ -32,6 +32,9 @@
 	files_type(apmd_var_lib_t)
 ')
 
+type apmd_unit_file_t;
+systemd_unit_file(apmd_unit_file_t)
+
 ########################################
 #
 # apm client Local policy
Index: refpolicy-2.20110726/policy/modules/services/automount.te
===================================================================
--- refpolicy-2.20110726.orig/policy/modules/services/automount.te	2012-06-30 12:31:47.440239041 +1000
+++ refpolicy-2.20110726/policy/modules/services/automount.te	2012-06-30 12:32:00.248479380 +1000
@@ -22,6 +22,9 @@
 files_tmp_file(automount_tmp_t)
 files_mountpoint(automount_tmp_t)
 
+type automount_unit_file_t;
+systemd_unit_file(automount_unit_file_t)
+
 ########################################
 #
 # Local policy
Index: refpolicy-2.20110726/policy/modules/services/tor.te
===================================================================
--- refpolicy-2.20110726.orig/policy/modules/services/tor.te	2012-06-30 12:31:47.440239041 +1000
+++ refpolicy-2.20110726/policy/modules/services/tor.te	2012-06-30 12:32:00.248479380 +1000
@@ -36,17 +36,24 @@
 type tor_var_run_t;
 files_pid_file(tor_var_run_t)
 
+type tor_unit_file_t;
+systemd_unit_file(tor_unit_file_t)
+
 ########################################
 #
 # tor local policy
 #
 
-allow tor_t self:capability { setgid setuid sys_tty_config };
+allow tor_t self:capability { chown dac_override fowner fsetid setgid setuid sys_tty_config };
+allow tor_t self:process signal;
 allow tor_t self:fifo_file rw_fifo_file_perms;
 allow tor_t self:unix_stream_socket create_stream_socket_perms;
 allow tor_t self:netlink_route_socket r_netlink_socket_perms;
 allow tor_t self:tcp_socket create_stream_socket_perms;
 
+# for /sys/devices/system/cpu
+dev_list_sysfs(tor_t)
+
 # configuration files
 allow tor_t tor_etc_t:dir list_dir_perms;
 read_files_pattern(tor_t, tor_etc_t, tor_etc_t)
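Review bot: The capability line for `tor_t` gains `chown dac_override fowner fsetid` with no comment, and none of them is explained by the unit-file type this patch is about. `dac_override` lets the daemon ignore file permission bits, which is a lot to give a network-facing service; denials of this kind often come from wrong ownership on a data or run directory and are better fixed there. I would keep the original `{ setgid setuid sys_tty_config }` unless an audited denial shows otherwise, and if the additions stay, document each one, e.g. `# chown fowner fsetid: ownership fix-up of the data directory at start (confirm)`.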
Index: refpolicy-2.20110726/policy/modules/services/rpc.fc
===================================================================
--- refpolicy-2.20110726.orig/policy/modules/services/rpc.fc	2012-06-30 12:31:47.440239041 +1000
+++ refpolicy-2.20110726/policy/modules/services/rpc.fc	2012-06-30 12:32:00.248479380 +1000
@@ -6,6 +6,9 @@
 /etc/rc\.d/init\.d/nfslock --	gen_context(system_u:object_r:rpcd_initrc_exec_t,s0)
 /etc/rc\.d/init\.d/rpcidmapd --	gen_context(system_u:object_r:rpcd_initrc_exec_t,s0)
 
+/lib/systemd/system/nfs.* --	gen_context(system_u:object_r:nfsd_unit_file_t,s0)
+/lib/systemd/system/rpc.* --	gen_context(system_u:object_r:rpcd_unit_file_t,s0)
+
 #
 # /sbin
 #
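Review bot: The patterns `/lib/systemd/system/nfs.*` and `/lib/systemd/system/rpc.*` have no `\.service` suffix and match every unit whose name merely starts with `nfs` or `rpc`, for example an `rpcbind.service` owned by a different module. Unless a more specific entry elsewhere takes precedence, such a unit is labelled `rpcd_unit_file_t` and falls under whatever service permissions are granted on that type. I would tighten these to the unit names actually shipped, e.g. `/lib/systemd/system/nfs.*\.service`, or list them individually as the nis.fc hunk does. The `dnsmasq.*` entry in the dnsmasq.fc hunk has the same open-ended suffix.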
Index: refpolicy-2.20110726/policy/modules/services/arpwatch.fc
===================================================================
--- refpolicy-2.20110726.orig/policy/modules/services/arpwatch.fc	2012-06-30 12:31:47.440239041 +1000
+++ refpolicy-2.20110726/policy/modules/services/arpwatch.fc	2012-06-30 12:32:00.248479380 +1000
@@ -1,5 +1,7 @@
 /etc/rc\.d/init\.d/arpwatch --	gen_context(system_u:object_r:arpwatch_initrc_exec_t,s0)
 
+/lib/systemd/system/arpwatch.service -- gen_context(system_u:object_r:arpwatch_unit_file_t,s0)
+
 #
 # /usr
 #
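Review bot: The dot in `arpwatch.service` is not escaped, so it matches any character, unlike the `\.service` form used in the other .fc hunks of this patch. `/lib/systemd/system/arpwatch\.service` would be consistent and exact.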
Index: refpolicy-2.20110726/policy/modules/services/avahi.fc
===================================================================
--- refpolicy-2.20110726.orig/policy/modules/services/avahi.fc	2012-06-30 12:31:47.440239041 +1000
+++ refpolicy-2.20110726/policy/modules/services/avahi.fc	2012-06-30 12:32:00.248479380 +1000
@@ -1,5 +1,7 @@
 /etc/rc\.d/init\.d/avahi.*	--	gen_context(system_u:object_r:avahi_initrc_exec_t,s0)
 
+/lib/systemd/system/avahi.*\.service -- gen_context(system_u:object_r:avahi_unit_file_t,s0)
+
 /usr/sbin/avahi-daemon		--	gen_context(system_u:object_r:avahi_exec_t,s0)
 /usr/sbin/avahi-dnsconfd 	--	gen_context(system_u:object_r:avahi_exec_t,s0)
 /usr/sbin/avahi-autoipd 	--	gen_context(system_u:object_r:avahi_exec_t,s0)
Index: refpolicy-2.20110726/policy/modules/services/dnsmasq.fc
===================================================================
--- refpolicy-2.20110726.orig/policy/modules/services/dnsmasq.fc	2012-06-30 12:31:47.440239041 +1000
+++ refpolicy-2.20110726/policy/modules/services/dnsmasq.fc	2012-06-30 12:32:00.248479380 +1000
@@ -1,6 +1,8 @@
 /etc/dnsmasq\.conf		--	gen_context(system_u:object_r:dnsmasq_etc_t, s0)
 /etc/rc\.d/init\.d/dnsmasq	--	gen_context(system_u:object_r:dnsmasq_initrc_exec_t,s0)
 
+/lib/systemd/system/dnsmasq.*	--	gen_context(system_u:object_r:dnsmasq_unit_file_t,s0)
+
 /usr/sbin/dnsmasq		--	gen_context(system_u:object_r:dnsmasq_exec_t,s0)
 
 /var/lib/misc/dnsmasq\.leases	--	gen_context(system_u:object_r:dnsmasq_lease_t,s0)
Index: refpolicy-2.20110726/policy/modules/services/cron.if
===================================================================
--- refpolicy-2.20110726.orig/policy/modules/services/cron.if	2012-06-30 12:31:59.520465754 +1000
+++ refpolicy-2.20110726/policy/modules/services/cron.if	2012-06-30 12:32:44.705304074 +1000
@@ -12,6 +12,11 @@
 ## </param>
 #
 template(`cron_common_crontab_template',`
+	gen_require(`
+		type crond_t, crond_var_run_t, crontab_exec_t;
+		type cron_spool_t, user_cron_spool_t;
+	')
+
 	##############################
 	#
 	# Declarations
@@ -44,7 +49,7 @@
 	files_list_spool($1_t)
 
 	# crontab signals crond by updating the mtime on the spooldir
-	allow $1_t cron_spool_t:dir setattr;
+	allow $1_t cron_spool_t:dir setattr_dir_perms;
 
 	kernel_read_system_state($1_t)
 
@@ -52,6 +57,8 @@
 	selinux_dontaudit_search_fs($1_t)
 
 	fs_getattr_xattr_fs($1_t)
+	fs_manage_cgroup_dirs($1_t)
+	fs_manage_cgroup_files($1_t)
 
 	domain_use_interactive_fds($1_t)
 
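Review bot: `fs_manage_cgroup_dirs($1_t)` and `fs_manage_cgroup_files($1_t)` give the crontab editing domain manage access to cgroup directories and files, with no comment on why a crontab client needs it. The next hunk does the same with `auth_rw_var_auth($1_t)` and `logging_set_loginuid($1_t)`, the latter being an audit-identity privilege. These look like permissions pulled in by PAM session modules rather than by crontab itself; if so, say so in a comment such as `# PAM session modules run in this domain: cgroup setup and loginuid`, and check whether a narrower or dontaudit variant would do. The template body starts and ends outside both hunks.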
@@ -60,12 +67,16 @@
 	files_dontaudit_search_pids($1_t)
 
 	auth_domtrans_chk_passwd($1_t)
+	auth_rw_var_auth($1_t)
+	auth_use_nsswitch($1_t)
 
 	logging_send_syslog_msg($1_t)
 	logging_send_audit_msgs($1_t)
+	logging_set_loginuid($1_t)
 
 	init_dontaudit_write_utmp($1_t)
 	init_read_utmp($1_t)
+	init_read_state($1_t)
 
 	miscfiles_read_localization($1_t)
 
@@ -74,9 +85,10 @@
 	userdom_manage_user_tmp_dirs($1_t)
 	userdom_manage_user_tmp_files($1_t)
 	# Access terminals.
-	userdom_use_user_terminals($1_t)
+	userdom_use_inherited_user_terminals($1_t)
 	# Read user crontabs
 	userdom_read_user_home_content_files($1_t)
+	userdom_read_user_home_content_symlinks($1_t)
 
 	tunable_policy(`fcron_crond',`
 		# fcron wants an instant update of a crontab change for the administrator
@@ -84,9 +96,6 @@
 		dontaudit $1_t crond_t:process signal;
 	')
 
-	optional_policy(`
-		nscd_socket_use($1_t)
-	')
 ')
 
 ########################################
@@ -103,10 +112,12 @@
 ##	User domain for the role
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`cron_role',`
 	gen_require(`
 		type cronjob_t, crontab_t, crontab_exec_t;
+		type user_cron_spool_t, crond_t;
 	')
 
 	role $1 types { cronjob_t crontab_t };
@@ -117,9 +128,20 @@
 	# Transition from the user domain to the derived domain.
 	domtrans_pattern($2, crontab_exec_t, crontab_t)
 
+	allow crond_t $2:process transition;
+	dontaudit crond_t $2:process { noatsecure siginh rlimitinh };
+	allow $2 crond_t:process sigchld;
+
+	# needs to be authorized SELinux context for cron
+	allow $2 user_cron_spool_t:file { getattr read write ioctl entrypoint };
+
 	# crontab shows up in user ps
 	ps_process_pattern($2, crontab_t)
-	allow $2 crontab_t:process signal;
+	allow $2 crontab_t:process signal_perms;
+
+	tunable_policy(`deny_ptrace',`',`
+		allow $2 crontab_t:process ptrace;
+	')
 
 	# Run helper programs as the user domain
 	#corecmd_bin_domtrans(crontab_t, $2)
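Review bot: `allow $2 user_cron_spool_t:file { getattr read write ioctl entrypoint };` combines `entrypoint` with `write` on the same file type for the user domain, and the comment above it explains neither. If `entrypoint` is there so that cron can verify the crontab's context is authorised for the job's domain, the comment should say that, and `write` should be justified separately, since users normally change their crontab through the `crontab_t` transition set up a few lines above. I would reword the comment to something like `# crond checks entrypoint from the user domain to the crontab file before running jobs` and drop `write` unless a denial shows it is needed. The body of cron_role starts and ends outside the hunk.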
@@ -133,9 +155,8 @@
 		')
 
 		dbus_stub(cronjob_t)
-
 		allow cronjob_t $2:dbus send_msg;
-	')		
+	')
 ')
 
 ########################################
@@ -152,29 +173,21 @@
 ##	User domain for the role
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`cron_unconfined_role',`
 	gen_require(`
-		type unconfined_cronjob_t, crontab_t, crontab_tmp_t, crontab_exec_t;
+		type unconfined_cronjob_t;
 	')
 
-	role $1 types { unconfined_cronjob_t crontab_t };
+	role $1 types unconfined_cronjob_t;
 
 	# cronjob shows up in user ps
 	ps_process_pattern($2, unconfined_cronjob_t)
-
-	# Transition from the user domain to the derived domain.
-	domtrans_pattern($2, crontab_exec_t, crontab_t)
-
-	# crontab shows up in user ps
-	ps_process_pattern($2, crontab_t)
-	allow $2 crontab_t:process signal;
-
-	# Run helper programs as the user domain
-	#corecmd_bin_domtrans(crontab_t, $2)
-	#corecmd_shell_domtrans(crontab_t, $2)
-	corecmd_exec_bin(crontab_t)
-	corecmd_exec_shell(crontab_t)
+	allow $2 unconfined_cronjob_t:process signal_perms;
+	tunable_policy(`deny_ptrace',`',`
+		allow $2 unconfined_cronjob_t:process ptrace;
+	')
 
 	optional_policy(`
 		gen_require(`
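Review bot: cron_unconfined_role no longer authorises crontab_t for the role and no longer grants the transition through crontab_exec_t, so a caller that relied on this interface alone loses the ability to run crontab in its own domain. The callers are not visible in this patch, so each one should be checked to see that it also invokes cron_role, which still carries `role $1 types { cronjob_t crontab_t };` and the domtrans_pattern. A line in the interface header would make the new contract explicit, for example `##	Does not grant crontab access; use cron_role for that.`. The interface body continues outside this hunk.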
@@ -182,9 +195,8 @@
 		')
 
 		dbus_stub(unconfined_cronjob_t)
-
 		allow unconfined_cronjob_t $2:dbus send_msg;
-	')		
+	')
 ')
 
 ########################################
@@ -201,6 +213,7 @@
 ##	User domain for the role
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`cron_admin_role',`
 	gen_require(`
@@ -221,7 +234,10 @@
 
 	# crontab shows up in user ps
 	ps_process_pattern($2, admin_crontab_t)
-	allow $2 admin_crontab_t:process signal;
+	allow $2 admin_crontab_t:process signal_perms;
+	tunable_policy(`deny_ptrace',`',`
+		allow $2 admin_crontab_t:process ptrace;
+	')
 
 	# Run helper programs as the user domain
 	#corecmd_bin_domtrans(admin_crontab_t, $2)
@@ -235,9 +251,8 @@
 		')
 
 		dbus_stub(admin_cronjob_t)
-
 		allow cronjob_t $2:dbus send_msg;
-	')		
+	')
 ')
 
 ########################################
@@ -266,6 +281,9 @@
 	allow $1 crond_tmp_t:file { read write ioctl };
 
 	role system_r types $1;
+
+	allow $1 crond_t:fifo_file rw_fifo_file_perms;
+	allow $1 system_cronjob_t:fifo_file rw_fifo_file_perms;
 ')
 
 ########################################
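Review bot: The two added rules use `rw_fifo_file_perms`, while the other fifo_file changes in this file (the crond_t rule in the `@@ -410,7 +511,43 @@` hunk and the system_cronjob_t rule in the `@@ -556,7 +713,7 @@` hunk) move to `rw_inherited_fifo_file_perms`. If these pipes are only ever handed down by crond or a system cron job, the narrower set fits better: `allow $1 crond_t:fifo_file rw_inherited_fifo_file_perms;` and the same for system_cronjob_t. The gen_require block of this interface lies outside the hunk; it needs to list both crond_t and system_cronjob_t for the new rules to compile.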
@@ -306,7 +324,7 @@
 
 ########################################
 ## <summary>
-##	Execute crond server in the nscd domain.
+##	Execute crond server in the crond domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -324,6 +342,29 @@
 
 ########################################
 ## <summary>
+##	Execute crond server in the crond domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`cron_systemctl',`
+	gen_require(`
+		type crond_unit_file_t;
+		type crond_t;
+	')
+
+	systemd_exec_systemctl($1)
+	allow $1 crond_unit_file_t:file read_file_perms;
+	allow $1 crond_unit_file_t:service manage_service_perms;
+
+	ps_process_pattern($1, crond_t)
+')
+
+########################################
+## <summary>
 ##	Inherit and use a file descriptor
 ##	from the cron daemon.
 ## </summary>
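Review bot: The header of the new cron_systemctl interface is a copy of the one above it and does not describe what the body grants. The body lets $1 run systemctl, read crond_unit_file_t files, apply manage_service_perms to the crond service and see crond_t processes; it performs no domain transition. I would change the summary to `##	Execute systemctl and manage the crond unit file and service.` and the parameter text to `##	Domain allowed access.`. Since manage_service_perms presumably covers start, stop, enable and disable, the header should say so, so that callers do not hand it to domains that only need status.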
@@ -361,6 +402,24 @@
 
 ########################################
 ## <summary>
+##	Send a generic signal to cron daemon.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`cron_signal',`
+	gen_require(`
+		type crond_t;
+	')
+
+	allow $1 crond_t:process signal;
+')
+
+########################################
+## <summary>
 ##	Read a cron daemon unnamed pipe.
 ## </summary>
 ## <param name="domain">
@@ -379,6 +438,47 @@
 
 ########################################
 ## <summary>
+##	Read crond state files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`cron_read_state_crond',`
+	gen_require(`
+		type crond_t;
+	')
+
+	kernel_search_proc($1)
+	ps_process_pattern($1, crond_t)
+')
+
+
+########################################
+## <summary>
+##	Send and receive messages from
+##	crond over dbus.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`cron_dbus_chat_crond',`
+	gen_require(`
+		type crond_t;
+		class dbus send_msg;
+	')
+
+	allow $1 crond_t:dbus send_msg;
+	allow crond_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
 ##	Do not audit attempts to write cron daemon unnamed pipes.
 ## </summary>
 ## <param name="domain">
@@ -392,6 +492,7 @@
 		type crond_t;
 	')
 
+	dontaudit $1 crond_t:fd use;
 	dontaudit $1 crond_t:fifo_file write;
 ')
 
@@ -410,7 +511,43 @@
 		type crond_t;
 	')
 
-	allow $1 crond_t:fifo_file { getattr read write };
+	allow $1 crond_t:fifo_file rw_inherited_fifo_file_perms;
+')
+
+########################################
+## <summary>
+##	Read and write inherited user spool files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`cron_rw_inherited_user_spool_files',`
+	gen_require(`
+		type user_cron_spool_t;
+	')
+
+	allow $1 user_cron_spool_t:file rw_inherited_file_perms;
+')
+
+########################################
+## <summary>
+##	Read and write inherited spool files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`cron_rw_inherited_spool_files',`
+	gen_require(`
+		type cron_spool_t;
+	')
+
+	allow $1 cron_spool_t:file rw_inherited_file_perms;
 ')
 
 ########################################
@@ -470,6 +607,25 @@
 
 ########################################
 ## <summary>
+##	Search the directory containing user cron tables.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`cron_manage_system_spool',`
+	gen_require(`
+		type cron_system_spool_t;
+	')
+
+	files_search_spool($1)
+	manage_files_pattern($1, cron_system_spool_t, cron_system_spool_t)
+')
+
+########################################
+## <summary>
 ##	Manage pid files used by cron
 ## </summary>
 ## <param name="domain">
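Review bot: cron_manage_system_spool requires `type cron_system_spool_t;`, but the cron.fc section of this patch labels /etc/cron.d and /etc/crontab as system_cron_spool_t and no declaration of cron_system_spool_t is visible. If the type does not exist, the gen_require fails for every caller; the likely intent is `type system_cron_spool_t;` with `manage_files_pattern($1, system_cron_spool_t, system_cron_spool_t)`. The summary is also copied from a search interface, although the body grants full file management; something like `##	Create, read, write, and delete system cron spool files.` would match.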
@@ -483,6 +639,7 @@
 		type crond_var_run_t;
 	')
 
+	files_search_pids($1)
 	manage_files_pattern($1, crond_var_run_t, crond_var_run_t)
 ')
 
@@ -538,7 +695,7 @@
 		type system_cronjob_t;
 	')
 
-	allow $1 system_cronjob_t:file write;
+	allow $1 system_cronjob_t:fifo_file write;
 ')
 
 ########################################
@@ -556,7 +713,7 @@
 		type system_cronjob_t;
 	')
 
-	allow $1 system_cronjob_t:fifo_file rw_fifo_file_perms;
+	allow $1 system_cronjob_t:fifo_file rw_inherited_fifo_file_perms;
 ')
 
 ########################################
@@ -589,11 +746,14 @@
 #
 interface(`cron_read_system_job_tmp_files',`
 	gen_require(`
-		type system_cronjob_tmp_t;
+		type system_cronjob_tmp_t, cron_var_run_t;
 	')
 
 	files_search_tmp($1)
 	allow $1 system_cronjob_tmp_t:file read_file_perms;
+
+	files_search_pids($1)
+	allow $1 cron_var_run_t:file read_file_perms;
 ')
 
 ########################################
@@ -629,9 +789,49 @@
 interface(`cron_dontaudit_write_system_job_tmp_files',`
 	gen_require(`
 		type system_cronjob_tmp_t;
+		type cron_var_run_t;
 	')
 
 	dontaudit $1 system_cronjob_tmp_t:file write_file_perms;
+	dontaudit $1 cron_var_run_t:file write_file_perms;
+')
+
+########################################
+## <summary>
+##	Read temporary files from the system cron jobs.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`cron_read_system_job_lib_files',`
+	gen_require(`
+		type system_cronjob_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	read_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Manage files from the system cron jobs.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`cron_manage_system_job_lib_files',`
+	gen_require(`
+		type system_cronjob_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	manage_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
 ')
 
 ########################################
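Review bot: The summary of the new cron_read_system_job_lib_files says `Read temporary files from the system cron jobs.`, but the body reads system_cronjob_var_lib_t files under /var/lib. I would change it to `##	Read system cron job lib files.` and make the sibling cron_manage_system_job_lib_files read `##	Create, read, write, and delete system cron job lib files.`. In the same hunk, cron_dontaudit_write_system_job_tmp_files now also silences writes to cron_var_run_t; its header, which is outside the hunk, should mention that because hidden denials on a second type are easy to miss during auditing. The declaration of system_cronjob_var_lib_t is not visible in the cron.te hunks of this patch, so it is worth confirming that it exists.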
Index: refpolicy-2.20110726/policy/modules/services/consolekit.te
===================================================================
--- refpolicy-2.20110726.orig/policy/modules/services/consolekit.te	2012-06-30 12:31:47.440239041 +1000
+++ refpolicy-2.20110726/policy/modules/services/consolekit.te	2012-06-30 12:32:45.113311581 +1000
@@ -15,6 +15,9 @@
 type consolekit_var_run_t;
 files_pid_file(consolekit_var_run_t)
 
+type consolekit_unit_file_t;
+systemd_unit_file(consolekit_unit_file_t)
+
 ########################################
 #
 # consolekit local policy
Index: refpolicy-2.20110726/policy/modules/services/dhcp.te
===================================================================
--- refpolicy-2.20110726.orig/policy/modules/services/dhcp.te	2012-06-30 12:31:47.440239041 +1000
+++ refpolicy-2.20110726/policy/modules/services/dhcp.te	2012-06-30 12:32:45.285314741 +1000
@@ -12,6 +12,9 @@
 type dhcpd_initrc_exec_t;
 init_script_file(dhcpd_initrc_exec_t)
 
+type dhcpd_unit_file_t;
+systemd_unit_file(dhcpd_unit_file_t)
+
 type dhcpd_state_t;
 files_type(dhcpd_state_t)
 
Index: refpolicy-2.20110726/policy/modules/services/consolekit.fc
===================================================================
--- refpolicy-2.20110726.orig/policy/modules/services/consolekit.fc	2012-06-30 12:31:47.440239041 +1000
+++ refpolicy-2.20110726/policy/modules/services/consolekit.fc	2012-06-30 12:32:44.753304966 +1000
@@ -1,3 +1,5 @@
+/lib/systemd/system/console-kit.*\.service -- gen_context(system_u:object_r:consolekit_unit_file_t,s0)
+
 /usr/sbin/console-kit-daemon	--	gen_context(system_u:object_r:consolekit_exec_t,s0)
 
 /var/log/ConsoleKit(/.*)?		gen_context(system_u:object_r:consolekit_log_t,s0)
Index: refpolicy-2.20110726/policy/modules/services/cron.fc
===================================================================
--- refpolicy-2.20110726.orig/policy/modules/services/cron.fc	2012-06-30 12:31:58.488446430 +1000
+++ refpolicy-2.20110726/policy/modules/services/cron.fc	2012-06-30 12:32:44.705304074 +1000
@@ -2,6 +2,8 @@
 
 /etc/cron\.d(/.*)?			gen_context(system_u:object_r:system_cron_spool_t,s0)
 /etc/crontab			--	gen_context(system_u:object_r:system_cron_spool_t,s0)
+/lib/systemd/system/atd\.service -- gen_context(system_u:object_r:crond_unit_file_t,s0)
+/lib/systemd/system/crond\.service -- gen_context(system_u:object_r:crond_unit_file_t,s0)
 
 /usr/bin/at			--	gen_context(system_u:object_r:crontab_exec_t,s0)
 /usr/bin/(f)?crontab		--	gen_context(system_u:object_r:crontab_exec_t,s0)
Index: refpolicy-2.20110726/policy/modules/services/tor.fc
===================================================================
--- refpolicy-2.20110726.orig/policy/modules/services/tor.fc	2012-06-30 12:31:47.440239041 +1000
+++ refpolicy-2.20110726/policy/modules/services/tor.fc	2012-06-30 12:32:00.248479380 +1000
@@ -4,6 +4,8 @@
 /usr/bin/tor		--	gen_context(system_u:object_r:tor_exec_t,s0)
 /usr/sbin/tor		--	gen_context(system_u:object_r:tor_exec_t,s0)
 
+/lib/systemd/system/tor\.service -- gen_context(system_u:object_r:tor_unit_file_t,s0)
+
 /var/lib/tor(/.*)?		gen_context(system_u:object_r:tor_var_lib_t,s0)
 /var/lib/tor-data(/.*)?		gen_context(system_u:object_r:tor_var_lib_t,s0)
 
Index: refpolicy-2.20110726/policy/modules/services/cups.fc
===================================================================
--- refpolicy-2.20110726.orig/policy/modules/services/cups.fc	2012-06-30 12:31:47.440239041 +1000
+++ refpolicy-2.20110726/policy/modules/services/cups.fc	2012-06-30 12:32:00.252479456 +1000
@@ -19,6 +19,7 @@
 
 /etc/printcap.* 	--	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
 
+/lib/systemd/system/cups\.service -- gen_context(system_u:object_r:cupsd_unit_file_t,s0)
 /lib/udev/udev-configure-printer -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
 
 /opt/gutenprint/ppds(/.*)? 	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
Index: refpolicy-2.20110726/policy/modules/services/dhcp.fc
===================================================================
--- refpolicy-2.20110726.orig/policy/modules/services/dhcp.fc	2012-06-30 12:31:47.440239041 +1000
+++ refpolicy-2.20110726/policy/modules/services/dhcp.fc	2012-06-30 12:32:00.252479456 +1000
@@ -1,5 +1,7 @@
 /etc/rc\.d/init\.d/dhcpd	--	gen_context(system_u:object_r:dhcpd_initrc_exec_t,s0)
 
+/lib/systemd/system/dhcpcd.*	--	gen_context(system_u:object_r:dhcpd_unit_file_t,s0)
+
 /usr/sbin/dhcpd.*		--	gen_context(system_u:object_r:dhcpd_exec_t,s0)
 
 /var/lib/dhcpd(/.*)?			gen_context(system_u:object_r:dhcpd_state_t,s0)
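Review bot: The added pattern `/lib/systemd/system/dhcpcd.*` matches unit files of dhcpcd, a DHCP client, yet it assigns dhcpd_unit_file_t, the type dhcp.te declares for the server. If the server unit was meant, the pattern should be `/lib/systemd/system/dhcpd.*`. As written, a dhcpd.service file would fall through to the default label, and any domain allowed to manage the dhcpd service would control the client unit instead.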
Index: refpolicy-2.20110726/policy/modules/services/ftp.te
===================================================================
--- refpolicy-2.20110726.orig/policy/modules/services/ftp.te	2012-06-30 12:31:47.440239041 +1000
+++ refpolicy-2.20110726/policy/modules/services/ftp.te	2012-06-30 12:32:44.753304966 +1000
@@ -85,6 +85,9 @@
 type ftpd_initrc_exec_t;
 init_script_file(ftpd_initrc_exec_t)
 
+type ftpd_unit_file_t;
+systemd_unit_file(ftpd_unit_file_t)
+
 type ftpd_lock_t;
 files_lock_file(ftpd_lock_t)
 
Index: refpolicy-2.20110726/policy/modules/services/nscd.te
===================================================================
--- refpolicy-2.20110726.orig/policy/modules/services/nscd.te	2012-06-30 12:31:47.440239041 +1000
+++ refpolicy-2.20110726/policy/modules/services/nscd.te	2012-06-30 12:32:00.252479456 +1000
@@ -22,6 +22,9 @@
 type nscd_initrc_exec_t;
 init_script_file(nscd_initrc_exec_t)
 
+type nscd_unit_file_t;
+systemd_unit_file(nscd_unit_file_t)
+
 type nscd_log_t;
 logging_log_file(nscd_log_t)
 
Index: refpolicy-2.20110726/policy/modules/services/dnsmasq.te
===================================================================
--- refpolicy-2.20110726.orig/policy/modules/services/dnsmasq.te	2012-06-30 12:31:47.440239041 +1000
+++ refpolicy-2.20110726/policy/modules/services/dnsmasq.te	2012-06-30 12:32:00.252479456 +1000
@@ -24,6 +24,9 @@
 type dnsmasq_var_run_t;
 files_pid_file(dnsmasq_var_run_t)
 
+type dnsmasq_unit_file_t;
+systemd_unit_file(dnsmasq_unit_file_t)
+
 ########################################
 #
 # Local policy
Index: refpolicy-2.20110726/policy/modules/services/cron.te
===================================================================
--- refpolicy-2.20110726.orig/policy/modules/services/cron.te	2012-06-30 12:31:59.552466355 +1000
+++ refpolicy-2.20110726/policy/modules/services/cron.te	2012-06-30 12:32:45.285314741 +1000
@@ -61,6 +61,9 @@
 type crond_initrc_exec_t;
 init_script_file(crond_initrc_exec_t)
 
+type crond_unit_file_t;
+systemd_unit_file(crond_unit_file_t)
+
 type crond_tmp_t;
 files_tmp_file(crond_tmp_t)
 
@@ -205,6 +208,7 @@
 
 init_rw_utmp(crond_t)
 init_spec_domtrans_script(crond_t)
+init_read_state(crond_t)
 
 auth_use_nsswitch(crond_t)
 
@@ -289,6 +293,15 @@
 ')
 
 optional_policy(`
+	systemd_use_fds_logind(crond_t)
+	systemd_write_inherited_logind_sessions_pipes(crond_t)
+')
+optional_policy(`
+	systemd_dbus_chat_logind(system_cronjob_t)
+	systemd_write_inherited_logind_sessions_pipes(system_cronjob_t)
+')
+
+optional_policy(`
 	udev_read_db(crond_t)
 ')
 
Index: refpolicy-2.20110726/policy/modules/services/avahi.te
===================================================================
--- refpolicy-2.20110726.orig/policy/modules/services/avahi.te	2012-06-30 12:31:47.440239041 +1000
+++ refpolicy-2.20110726/policy/modules/services/avahi.te	2012-06-30 12:32:00.252479456 +1000
@@ -17,6 +17,10 @@
 
 type avahi_var_run_t;
 files_pid_file(avahi_var_run_t)
+init_sock_file(avahi_var_run_t)
+
+type avahi_unit_file_t;
+systemd_unit_file(avahi_unit_file_t)
 
 ########################################
 #
Index: refpolicy-2.20110726/policy/modules/services/bind.te
===================================================================
--- refpolicy-2.20110726.orig/policy/modules/services/bind.te	2012-06-30 12:31:59.204459840 +1000
+++ refpolicy-2.20110726/policy/modules/services/bind.te	2012-06-30 12:32:00.252479456 +1000
@@ -37,6 +37,9 @@
 type named_initrc_exec_t;
 init_script_file(named_initrc_exec_t)
 
+type named_unit_file_t;
+systemd_unit_file(named_unit_file_t)
+
 type named_log_t;
 logging_log_file(named_log_t)
 
Index: refpolicy-2.20110726/policy/modules/services/clamav.fc
===================================================================
--- refpolicy-2.20110726.orig/policy/modules/services/clamav.fc	2012-06-30 12:31:59.548466282 +1000
+++ refpolicy-2.20110726/policy/modules/services/clamav.fc	2012-06-30 12:32:00.252479456 +1000
@@ -8,6 +8,10 @@
 /usr/sbin/clamd			--	gen_context(system_u:object_r:clamd_exec_t,s0)
 /usr/sbin/clamav-milter		--	gen_context(system_u:object_r:clamd_exec_t,s0)
 
+/lib/systemd/system/clamd@scan\.service -- gen_context(system_u:object_r:clamd_unit_file_t,s0)
+/lib/systemd/system/clamd@\.service -- gen_context(system_u:object_r:clamd_unit_file_t,s0)
+/lib/systemd/system/clamd\.clamav\.service -- gen_context(system_u:object_r:clamd_unit_file_t,s0)
+
 /var/run/clamav(/.*)?			gen_context(system_u:object_r:clamd_var_run_t,s0)
 /var/run/clamd\..*			gen_context(system_u:object_r:clamd_var_run_t,s0)
 /var/run/clamav\..*			gen_context(system_u:object_r:clamd_var_run_t,s0)
Index: refpolicy-2.20110726/policy/modules/services/rpc.te
===================================================================
--- refpolicy-2.20110726.orig/policy/modules/services/rpc.te	2012-06-30 12:31:47.440239041 +1000
+++ refpolicy-2.20110726/policy/modules/services/rpc.te	2012-06-30 12:32:45.285314741 +1000
@@ -39,11 +39,17 @@
 type rpcd_initrc_exec_t;
 init_script_file(rpcd_initrc_exec_t)
 
+type rpcd_unit_file_t;
+systemd_unit_file(rpcd_unit_file_t)
+
 rpc_domain_template(nfsd)
 
 type nfsd_initrc_exec_t;
 init_script_file(nfsd_initrc_exec_t)
 
+type nfsd_unit_file_t;
+systemd_unit_file(nfsd_unit_file_t)
+
 type nfsd_rw_t;
 files_type(nfsd_rw_t)
 
Index: refpolicy-2.20110726/policy/modules/services/ppp.fc
===================================================================
--- refpolicy-2.20110726.orig/policy/modules/services/ppp.fc	2012-06-30 12:31:47.440239041 +1000
+++ refpolicy-2.20110726/policy/modules/services/ppp.fc	2012-06-30 12:32:00.252479456 +1000
@@ -11,6 +11,8 @@
 # Fix /etc/ppp {up,down} family scripts (see man pppd)
 /etc/ppp/(auth|ip(v6|x)?)-(up|down) --	gen_context(system_u:object_r:pppd_initrc_exec_t,s0)
 
+/lib/systemd/system/ppp.*	--	gen_context(system_u:object_r:iptables_unit_file_t,s0)
+
 /root/.ppprc			--	gen_context(system_u:object_r:pppd_etc_t,s0)
 
 #
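Review bot: The ppp unit files are labelled `iptables_unit_file_t`, although ppp.te in this same patch declares `pppd_unit_file_t`, which then has no file context. The line should read `/lib/systemd/system/ppp.*	--	gen_context(system_u:object_r:pppd_unit_file_t,s0)`. The same copy-paste appears in ftp.fc (vsftpd and proftpd, where ftp.te declares ftpd_unit_file_t), in kdump.fc (kdump.te declares kdump_unit_file_t) and in ldap.fc for slapd, whose own unit type is not visible here. With the wrong label, any domain allowed to manage the iptables service can also start, stop, enable or disable these daemons, and rules written against the per-service types never match.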
Index: refpolicy-2.20110726/policy/modules/services/arpwatch.te
===================================================================
--- refpolicy-2.20110726.orig/policy/modules/services/arpwatch.te	2012-06-30 12:31:47.440239041 +1000
+++ refpolicy-2.20110726/policy/modules/services/arpwatch.te	2012-06-30 12:32:44.753304966 +1000
@@ -21,6 +21,9 @@
 type arpwatch_var_run_t;
 files_pid_file(arpwatch_var_run_t)
 
+type arpwatch_unit_file_t;
+systemd_unit_file(arpwatch_unit_file_t)
+
 ########################################
 #
 # Local policy
Index: refpolicy-2.20110726/policy/modules/services/ftp.fc
===================================================================
--- refpolicy-2.20110726.orig/policy/modules/services/ftp.fc	2012-06-30 12:31:47.440239041 +1000
+++ refpolicy-2.20110726/policy/modules/services/ftp.fc	2012-06-30 12:32:00.252479456 +1000
@@ -6,6 +6,9 @@
 /etc/rc\.d/init\.d/vsftpd --	gen_context(system_u:object_r:ftpd_initrc_exec_t,s0)
 /etc/rc\.d/init\.d/proftpd --	gen_context(system_u:object_r:ftpd_initrc_exec_t,s0)
 
+/lib/systemd/system/vsftpd.* -- gen_context(system_u:object_r:iptables_unit_file_t,s0)
+/lib/systemd/system/proftpd.* -- gen_context(system_u:object_r:iptables_unit_file_t,s0)
+
 #
 # /usr
 #
Index: refpolicy-2.20110726/policy/modules/services/samba.fc
===================================================================
--- refpolicy-2.20110726.orig/policy/modules/services/samba.fc	2012-06-30 12:31:47.440239041 +1000
+++ refpolicy-2.20110726/policy/modules/services/samba.fc	2012-06-30 12:32:00.252479456 +1000
@@ -11,6 +11,9 @@
 /etc/samba/smbpasswd		--	gen_context(system_u:object_r:samba_secrets_t,s0)
 /etc/samba(/.*)?			gen_context(system_u:object_r:samba_etc_t,s0)
 
+/lib/systemd/system/smb.service --	gen_context(system_u:object_r:samba_unit_file_t,s0)
+
+
 #
 # /usr
 #
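Review bot: The pattern `/lib/systemd/system/smb.service` leaves the dot unescaped, so it is a regular expression that matches any character in that position. Other entries in this patch escape it, so for consistency and an exact match I would write `/lib/systemd/system/smb\.service`. The same applies to the three entries added to bind.fc (unbound.service, unbound-keygen.service, named.service) and to kdump.service in kdump.fc.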
Index: refpolicy-2.20110726/policy/modules/services/nis.te
===================================================================
--- refpolicy-2.20110726.orig/policy/modules/services/nis.te	2012-06-30 12:31:47.440239041 +1000
+++ refpolicy-2.20110726/policy/modules/services/nis.te	2012-06-30 12:32:00.252479456 +1000
@@ -24,6 +24,9 @@
 type ypbind_var_run_t;
 files_pid_file(ypbind_var_run_t)
 
+type ypbind_unit_file_t;
+systemd_unit_file(ypbind_unit_file_t)
+
 type yppasswdd_t;
 type yppasswdd_exec_t;
 init_daemon_domain(yppasswdd_t, yppasswdd_exec_t)
@@ -52,6 +55,9 @@
 type ypxfr_var_run_t;
 files_pid_file(ypxfr_var_run_t)
 
+type nis_unit_file_t;
+systemd_unit_file(nis_unit_file_t)
+
 ########################################
 #
 # ypbind local policy
Index: refpolicy-2.20110726/policy/modules/services/milter.if
===================================================================
--- refpolicy-2.20110726.orig/policy/modules/services/milter.if	2012-06-30 12:31:47.440239041 +1000
+++ refpolicy-2.20110726/policy/modules/services/milter.if	2012-06-30 12:32:00.252479456 +1000
@@ -24,7 +24,7 @@
 
 	# Type for the milter data (e.g. the socket used to communicate with the MTA)
 	type $1_milter_data_t, milter_data_type;
-	files_type($1_milter_data_t)
+	files_pid_file($1_milter_data_t)
 
 	allow $1_milter_t self:fifo_file rw_fifo_file_perms;
 
@@ -37,6 +37,8 @@
 
 	files_read_etc_files($1_milter_t)
 
+	kernel_dontaudit_read_system_state($1_milter_t)
+
 	miscfiles_read_localization($1_milter_t)
 
 	logging_send_syslog_msg($1_milter_t)
@@ -57,7 +59,7 @@
 		attribute milter_data_type, milter_domains;
 	')
 
-	getattr_dirs_pattern($1, milter_data_type, milter_data_type)
+	files_search_pids($1)
 	stream_connect_pattern($1, milter_data_type, milter_data_type, milter_domains)
 ')
 
@@ -76,12 +78,29 @@
 		attribute milter_data_type;
 	')
 
-	getattr_dirs_pattern($1, milter_data_type, milter_data_type)
 	getattr_sock_files_pattern($1, milter_data_type, milter_data_type)
 ')
 
 ########################################
 ## <summary>
+##	Allow setattr of milter dirs
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`milter_setattr_all_dirs',`
+	gen_require(`
+		attribute milter_data_type;
+	')
+
+	setattr_dirs_pattern($1, milter_data_type, milter_data_type)
+')
+
+########################################
+## <summary>
 ##	Manage spamassassin milter state
 ## </summary>
 ## <param name="domain">
@@ -100,3 +119,22 @@
 	manage_dirs_pattern($1, spamass_milter_state_t, spamass_milter_state_t)
 	manage_lnk_files_pattern($1, spamass_milter_state_t, spamass_milter_state_t)
 ')
+
+#######################################
+## <summary>
+##	Delete dkim-milter PID files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`milter_delete_dkim_pid_files',`
+	gen_require(`
+		type dkim_milter_data_t;
+	')
+
+	files_search_pids($1)
+	delete_files_pattern($1, dkim_milter_data_t, dkim_milter_data_t)
+')
Index: refpolicy-2.20110726/policy/modules/services/networkmanager.fc
===================================================================
--- refpolicy-2.20110726.orig/policy/modules/services/networkmanager.fc	2012-06-30 12:31:47.440239041 +1000
+++ refpolicy-2.20110726/policy/modules/services/networkmanager.fc	2012-06-30 12:32:00.256479540 +1000
@@ -1,3 +1,4 @@
+/lib/systemd/system/NetworkManager\.service -- gen_context(system_u:object_r:NetworkManager_unit_file_t,s0)
 /etc/rc\.d/init\.d/wicd		--	gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
 
 /etc/NetworkManager/dispatcher\.d(/.*)	gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
Index: refpolicy-2.20110726/policy/modules/services/ldap.fc
===================================================================
--- refpolicy-2.20110726.orig/policy/modules/services/ldap.fc	2012-06-30 12:31:47.440239041 +1000
+++ refpolicy-2.20110726/policy/modules/services/ldap.fc	2012-06-30 12:32:00.256479540 +1000
@@ -2,6 +2,8 @@
 /etc/ldap/slapd\.conf	--	gen_context(system_u:object_r:slapd_etc_t,s0)
 /etc/rc\.d/init\.d/ldap	--	gen_context(system_u:object_r:slapd_initrc_exec_t,s0)
 
+/lib/systemd/system/slapd.* --	gen_context(system_u:object_r:iptables_unit_file_t,s0)
+
 /usr/sbin/slapd		--	gen_context(system_u:object_r:slapd_exec_t,s0)
 
 ifdef(`distro_debian',`
Index: refpolicy-2.20110726/policy/modules/services/networkmanager.te
===================================================================
--- refpolicy-2.20110726.orig/policy/modules/services/networkmanager.te	2012-06-30 12:31:58.720450782 +1000
+++ refpolicy-2.20110726/policy/modules/services/networkmanager.te	2012-06-30 12:32:00.256479540 +1000
@@ -12,6 +12,9 @@
 type NetworkManager_initrc_exec_t;
 init_script_file(NetworkManager_initrc_exec_t)
 
+type NetworkManager_unit_file_t;
+systemd_unit_file(NetworkManager_unit_file_t)
+
 type NetworkManager_log_t;
 logging_log_file(NetworkManager_log_t)
 
@@ -254,6 +257,10 @@
 ')
 
 optional_policy(`
+	systemd_read_logind_sessions_files(NetworkManager_t)
+')
+
+optional_policy(`
 	udev_exec(NetworkManager_t)
 	udev_read_db(NetworkManager_t)
 ')
Index: refpolicy-2.20110726/policy/modules/services/mysql.te
===================================================================
--- refpolicy-2.20110726.orig/policy/modules/services/mysql.te	2012-06-30 12:31:58.688450184 +1000
+++ refpolicy-2.20110726/policy/modules/services/mysql.te	2012-06-30 12:32:45.285314741 +1000
@@ -29,6 +29,9 @@
 type mysqld_etc_t alias etc_mysqld_t;
 files_config_file(mysqld_etc_t)
 
+type mysqld_unit_file_t;
+systemd_unit_file(mysqld_unit_file_t)
+
 type mysqld_initrc_exec_t;
 init_script_file(mysqld_initrc_exec_t)
 
Index: refpolicy-2.20110726/policy/modules/services/cups.te
===================================================================
--- refpolicy-2.20110726.orig/policy/modules/services/cups.te	2012-06-30 12:31:47.440239041 +1000
+++ refpolicy-2.20110726/policy/modules/services/cups.te	2012-06-30 12:32:00.256479540 +1000
@@ -60,6 +60,9 @@
 files_pid_file(cupsd_var_run_t)
 mls_trusted_object(cupsd_var_run_t)
 
+type cupsd_unit_file_t;
+systemd_unit_file(cupsd_unit_file_t)
+
 type hplip_t;
 type hplip_exec_t;
 init_daemon_domain(hplip_t, hplip_exec_t)
Index: refpolicy-2.20110726/policy/modules/services/ntp.te
===================================================================
--- refpolicy-2.20110726.orig/policy/modules/services/ntp.te	2012-06-30 12:31:47.440239041 +1000
+++ refpolicy-2.20110726/policy/modules/services/ntp.te	2012-06-30 12:32:00.256479540 +1000
@@ -15,6 +15,9 @@
 type ntpd_initrc_exec_t;
 init_script_file(ntpd_initrc_exec_t)
 
+type ntpd_unit_file_t;
+systemd_unit_file(ntpd_unit_file_t)
+
 type ntpd_key_t;
 files_type(ntpd_key_t)
 
Index: refpolicy-2.20110726/policy/modules/services/apcupsd.te
===================================================================
--- refpolicy-2.20110726.orig/policy/modules/services/apcupsd.te	2012-06-30 12:31:58.104439246 +1000
+++ refpolicy-2.20110726/policy/modules/services/apcupsd.te	2012-06-30 12:32:00.256479540 +1000
@@ -24,6 +24,9 @@
 type apcupsd_var_run_t;
 files_pid_file(apcupsd_var_run_t)
 
+type apcupsd_unit_file_t;
+systemd_unit_file(apcupsd_unit_file_t)
+
 ########################################
 #
 # apcupsd local policy
Index: refpolicy-2.20110726/policy/modules/services/bind.fc
===================================================================
--- refpolicy-2.20110726.orig/policy/modules/services/bind.fc	2012-06-30 12:31:47.440239041 +1000
+++ refpolicy-2.20110726/policy/modules/services/bind.fc	2012-06-30 12:32:00.256479540 +1000
@@ -5,6 +5,10 @@
 /etc/rndc\.key 		-- 	gen_context(system_u:object_r:dnssec_t,s0)
 /etc/unbound(/.*)?		gen_context(system_u:object_r:named_conf_t,s0)
 
+/lib/systemd/system/unbound.service -- gen_context(system_u:object_r:named_unit_file_t,s0)
+/lib/systemd/system/unbound-keygen.service -- gen_context(system_u:object_r:named_unit_file_t,s0)
+/lib/systemd/system/named.service -- gen_context(system_u:object_r:named_unit_file_t,s0)
+
 /usr/sbin/lwresd	--	gen_context(system_u:object_r:named_exec_t,s0)
 /usr/sbin/named		--	gen_context(system_u:object_r:named_exec_t,s0)
 /usr/sbin/named-checkconf --	gen_context(system_u:object_r:named_checkconf_exec_t,s0)
Index: refpolicy-2.20110726/policy/modules/services/bluetooth.te
===================================================================
--- refpolicy-2.20110726.orig/policy/modules/services/bluetooth.te	2012-06-30 12:31:47.440239041 +1000
+++ refpolicy-2.20110726/policy/modules/services/bluetooth.te	2012-06-30 12:32:00.256479540 +1000
@@ -48,6 +48,9 @@
 type bluetooth_var_run_t;
 files_pid_file(bluetooth_var_run_t)
 
+type bluetooth_unit_file_t;
+systemd_unit_file(bluetooth_unit_file_t)
+
 ########################################
 #
 # Bluetooth services local policy
Index: refpolicy-2.20110726/policy/modules/services/apm.fc
===================================================================
--- refpolicy-2.20110726.orig/policy/modules/services/apm.fc	2012-06-30 12:31:47.440239041 +1000
+++ refpolicy-2.20110726/policy/modules/services/apm.fc	2012-06-30 12:32:45.285314741 +1000
@@ -1,3 +1,4 @@
+/lib/systemd/system/apmd\.service -- gen_context(system_u:object_r:apmd_unit_file_t,s0)
 
 #
 # /usr
Index: refpolicy-2.20110726/policy/modules/services/ntp.fc
===================================================================
--- refpolicy-2.20110726.orig/policy/modules/services/ntp.fc	2012-06-30 12:31:47.440239041 +1000
+++ refpolicy-2.20110726/policy/modules/services/ntp.fc	2012-06-30 12:32:00.256479540 +1000
@@ -10,6 +10,10 @@
 
 /etc/rc\.d/init\.d/ntpd		--	gen_context(system_u:object_r:ntpd_initrc_exec_t,s0)
 
+/lib/systemd/system/ntpd\.service               --      gen_context(system_u:object_r:ntpd_unit_file_t,s0)
+
+/usr/lib/systemd/system/ntpd\.service               --      gen_context(system_u:object_r:ntpd_unit_file_t,s0)
+
 /usr/sbin/ntpd			--	gen_context(system_u:object_r:ntpd_exec_t,s0)
 /usr/sbin/ntpdate		--	gen_context(system_u:object_r:ntpdate_exec_t,s0)
 
Index: refpolicy-2.20110726/policy/modules/services/ppp.te
===================================================================
--- refpolicy-2.20110726.orig/policy/modules/services/ppp.te	2012-06-30 12:31:47.440239041 +1000
+++ refpolicy-2.20110726/policy/modules/services/ppp.te	2012-06-30 12:32:00.256479540 +1000
@@ -39,6 +39,9 @@
 type pppd_initrc_exec_t alias pppd_script_exec_t;
 init_script_file(pppd_initrc_exec_t)
 
+type pppd_unit_file_t;
+systemd_unit_file(pppd_unit_file_t)
+
 # pppd_secret_t is the type of the pap and chap password files
 type pppd_secret_t;
 files_type(pppd_secret_t)
Index: refpolicy-2.20110726/policy/modules/admin/kdump.te
===================================================================
--- refpolicy-2.20110726.orig/policy/modules/admin/kdump.te	2012-06-30 12:31:47.440239041 +1000
+++ refpolicy-2.20110726/policy/modules/admin/kdump.te	2012-06-30 12:32:00.256479540 +1000
@@ -15,6 +15,9 @@
 type kdump_initrc_exec_t;
 init_script_file(kdump_initrc_exec_t)
 
+type kdump_unit_file_t;
+systemd_unit_file(kdump_unit_file_t)
+
 #####################################
 #
 # kdump local policy
Index: refpolicy-2.20110726/policy/modules/admin/kdump.fc
===================================================================
--- refpolicy-2.20110726.orig/policy/modules/admin/kdump.fc	2012-06-30 12:31:47.440239041 +1000
+++ refpolicy-2.20110726/policy/modules/admin/kdump.fc	2012-06-30 12:32:00.256479540 +1000
@@ -1,5 +1,7 @@
 /etc/kdump\.conf	--	gen_context(system_u:object_r:kdump_etc_t,s0)
 /etc/rc\.d/init\.d/kdump --	gen_context(system_u:object_r:kdump_initrc_exec_t,s0)
 
+/lib/systemd/system/kdump.service -- gen_context(system_u:object_r:iptables_unit_file_t,s0)
+
 /sbin/kdump		--	gen_context(system_u:object_r:kdump_exec_t,s0)
 /sbin/kexec		--	gen_context(system_u:object_r:kdump_exec_t,s0)
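Review bot: The added kdump.service entry is labelled `iptables_unit_file_t`, although kdump.te in this same patch declares `kdump_unit_file_t` and nothing visible here assigns that type to a path. As written, access to the kdump unit would be decided by whatever rules apply to the iptables unit type, which looks like a copy-paste slip. The dot in `kdump.service` is also unescaped, unlike the ntp.fc and alsa.fc entries. Suggested line: `/lib/systemd/system/kdump\.service -- gen_context(system_u:object_r:kdump_unit_file_t,s0)`.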
Index: refpolicy-2.20110726/policy/modules/admin/alsa.fc
===================================================================
--- refpolicy-2.20110726.orig/policy/modules/admin/alsa.fc	2012-06-30 12:31:58.976455573 +1000
+++ refpolicy-2.20110726/policy/modules/admin/alsa.fc	2012-06-30 12:32:00.256479540 +1000
@@ -24,3 +24,5 @@
 /usr/share/alsa/pcm(/.*)?	gen_context(system_u:object_r:alsa_etc_rw_t,s0)
 
 /var/lib/alsa(/.*)?		gen_context(system_u:object_r:alsa_var_lib_t,s0)
+
+/lib/systemd/system/alsa-.*\.service -- gen_context(system_u:object_r:alsa_unit_file_t,s0)
Index: refpolicy-2.20110726/policy/modules/admin/alsa.te
===================================================================
--- refpolicy-2.20110726.orig/policy/modules/admin/alsa.te	2012-06-30 12:31:47.440239041 +1000
+++ refpolicy-2.20110726/policy/modules/admin/alsa.te	2012-06-30 12:32:00.256479540 +1000
@@ -22,6 +22,9 @@
 type alsa_home_t;
 userdom_user_home_content(alsa_home_t)
 
+type alsa_unit_file_t;
+systemd_unit_file(alsa_unit_file_t)
+
 ########################################
 #
 # Local policy
Index: refpolicy-2.20110726/policy/modules/kernel/kernel.if
===================================================================
--- refpolicy-2.20110726.orig/policy/modules/kernel/kernel.if	2012-06-30 12:31:57.896435339 +1000
+++ refpolicy-2.20110726/policy/modules/kernel/kernel.if	2012-06-30 12:32:00.260479611 +1000
@@ -303,13 +303,8 @@
 		attribute can_load_kernmodule;
 	')
 
-	allow $1 self:capability sys_module;
 	typeattribute $1 can_load_kernmodule;
 
-	# load_module() calls stop_machine() which
-	# calls sched_setscheduler()
-	allow $1 self:capability sys_nice;
-	kernel_setsched($1)
 ')
 
 ########################################
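Review bot: After this hunk the interface body grants nothing directly, because `sys_module`, `sys_nice` and `kernel_setsched($1)` are removed and only `typeattribute $1 can_load_kernmodule;` remains. Callers therefore keep module loading only if rules keyed on that attribute exist elsewhere; none is visible in this part of the patch, so please confirm kernel.te carries them. A one-line comment in place of the blank line left before `')`, naming where the capabilities are now granted, would save the next reader the search. This matters more because the last kernel.if hunk makes `kernel_unconfined` call `kernel_load_module($1)`. The interface (presumably `kernel_load_module`) starts outside the hunk.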
@@ -749,6 +744,24 @@
 
 ########################################
 ## <summary>
+##	Mounton a proc filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_mounton_proc',`
+	gen_require(`
+		type proc_t;
+	')
+
+	allow $1 proc_t:dir mounton;
+')
+
+########################################
+## <summary>
 ##	Get the attributes of the proc filesystem.
 ## </summary>
 ## <param name="domain">
@@ -1422,6 +1435,24 @@
 
 ########################################
 ## <summary>
+##	Allow attempts to read all proc types.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_read_all_proc',`
+	gen_require(`
+		attribute proc_type;
+	')
+
+	read_files_pattern($1, proc_type, proc_type)
+')
+
+########################################
+## <summary>
 ##	Do not audit attempts by caller to search
 ##	the base directory of sysctls.
 ## </summary>
@@ -2030,7 +2061,7 @@
 	')
 
 	dontaudit $1 sysctl_type:dir list_dir_perms;
-	dontaudit $1 sysctl_type:file getattr;
+	dontaudit $1 sysctl_type:file read_file_perms;
 ')
 
 ########################################
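Review bot: Widening the second `dontaudit` from `getattr` to `read_file_perms` silences AVC denials for read attempts on every `sysctl_type` file by the calling domain. That removes a signal that is useful when reviewing what a confined service tries to probe. The interface header is outside the hunk; if its summary still speaks only of listing or getting attributes, it should be updated to mention reads so policy authors know how much auditing they give up by calling it.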
@@ -2251,7 +2282,7 @@
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed access.
+##	Domain to not audit.
 ##	</summary>
 ## </param>
 #
@@ -2433,6 +2464,24 @@
 
 ########################################
 ## <summary>
+##	Read and write unlabeled sockets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_rw_unlabeled_socket',`
+	gen_require(`
+		type unlabeled_t;
+	')
+
+	allow $1 unlabeled_t:socket rw_socket_perms;
+')
+
+########################################
+## <summary>
 ##	Do not audit attempts by caller to get attributes for
 ##	unlabeled character devices.
 ## </summary>
@@ -2577,7 +2626,7 @@
 	allow $1 unlabeled_t:association { sendto recvfrom };
 
 	# temporary hack until labeling on packets is supported
-	allow $1 unlabeled_t:packet { send recv };
+#	allow $1 unlabeled_t:packet { send recv };
 ')
 
 ########################################
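Review bot: The `unlabeled_t:packet { send recv }` rule is disabled by commenting it out, which leaves the `# temporary hack until labeling on packets is supported` comment describing a rule that no longer exists and gives no reason for the change. Either delete both lines or replace them with a single comment stating why the access was withdrawn, e.g. `# unlabeled packet send/recv no longer granted here: <reason>`. Every caller of this interface loses that access with this patch, so it deserves a mention in the patch description. The interface starts outside the hunk.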
@@ -2615,6 +2664,24 @@
 
 ########################################
 ## <summary>
+##	Receive DCCP packets from an unlabeled connection.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_dccp_recvfrom_unlabeled',`
+	gen_require(`
+		type unlabeled_t;
+	')
+
+	allow $1 unlabeled_t:dccp_socket recvfrom;
+')
+
+########################################
+## <summary>
 ##	Receive TCP packets from an unlabeled connection.
 ## </summary>
 ## <desc>
@@ -2642,6 +2709,25 @@
 
 ########################################
 ## <summary>
+##	Do not audit attempts to receive DCCP packets from an unlabeled
+##	connection.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`kernel_dontaudit_dccp_recvfrom_unlabeled',`
+	gen_require(`
+		type unlabeled_t;
+	')
+
+	dontaudit $1 unlabeled_t:dccp_socket recvfrom;
+')
+
+########################################
+## <summary>
 ##	Do not audit attempts to receive TCP packets from an unlabeled
 ##	connection.
 ## </summary>
@@ -2751,6 +2837,33 @@
 
 	allow $1 unlabeled_t:rawip_socket recvfrom;
 ')
+########################################
+## <summary>
+##	Read/Write Raw IP packets from an unlabeled connection.
+## </summary>
+## <desc>
+##	<p>
+##	Receive Raw IP packets from an unlabeled connection.
+##	</p>
+##	<p>
+##	The corenetwork interface corenet_raw_recv_unlabeled() should
+##	be used instead of this one.
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_rw_unlabeled_rawip_socket',`
+	gen_require(`
+		type unlabeled_t;
+	')
+
+	allow $1 unlabeled_t:rawip_socket rw_socket_perms;
+')
+
 
 ########################################
 ## <summary>
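Review bot: The `<desc>` of `kernel_rw_unlabeled_rawip_socket` was carried over from the receive-only interface: it says "Receive Raw IP packets" and points readers to `corenet_raw_recv_unlabeled()`, while the rule grants `rw_socket_perms` on `unlabeled_t:rawip_socket`. The description should state read/write access to unlabeled raw IP sockets, e.g. `##	Read and write unlabeled raw IP sockets.`, and drop the corenetwork pointer unless an equivalent read/write interface exists. A blank line between the preceding `')` and the `########` banner would match the rest of the file.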
@@ -2906,6 +3019,24 @@
 
 ########################################
 ## <summary>
+##      Relabel to unlabeled context .
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`kernel_relabelto_unlabeled',`
+	gen_require(`
+		type unlabeled_t;
+	')
+
+	allow $1 unlabeled_t:dir_file_class_set relabelto;
+')
+
+########################################
+## <summary>
 ##	Unconfined access to kernel module resources.
 ## </summary>
 ## <param name="domain">
@@ -2920,4 +3051,43 @@
 	')
 
 	typeattribute $1 kern_unconfined;
+	kernel_load_module($1)	
+')
+
+########################################
+## <summary>
+##	Allow the specified domain to connect to
+##	the kernel with a unix socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_stream_connect',`
+	gen_require(`
+		type kernel_t;
+	')
+
+	allow $1 kernel_t:unix_stream_socket connectto;
+')
+
+########################################
+## <summary>
+##	Make the specified type usable for regular entries in proc
+## </summary>
+## <param name="type">
+##	<summary>
+##	Type to be used for /proc entries.
+##	</summary>
+## </param>
+#
+interface(`kernel_proc_type',`
+	gen_require(`
+		attribute proc_type;
+	')
+
+	typeattribute $1 proc_type;
 ')
+
Index: refpolicy-2.20110726/policy/modules/kernel/terminal.if
===================================================================
--- refpolicy-2.20110726.orig/policy/modules/kernel/terminal.if	2012-06-30 12:31:57.900435423 +1000
+++ refpolicy-2.20110726/policy/modules/kernel/terminal.if	2012-06-30 12:32:00.260479611 +1000
@@ -208,6 +208,27 @@
 
 ########################################
 ## <summary>
+##     Read and write the inherited console, all inherited 
+##     ttys and ptys.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+## <rolecap/>
+#
+interface(`term_use_all_inherited_terms',`
+	gen_require(`
+		attribute ttynode, ptynode;
+		type console_device_t, devpts_t, tty_device_t;
+	')
+
+	allow $1 { devpts_t console_device_t tty_device_t ttynode ptynode }:chr_file rw_inherited_term_perms;
+')
+
+########################################
+## <summary>
 ##	Write to the console.
 ## </summary>
 ## <param name="domain">
@@ -462,6 +483,24 @@
 
 ########################################
 ## <summary>
+##     Relabel the /dev/pts directory
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`term_relabel_ptys_dirs',`
+	gen_require(`
+		type devpts_t;
+	')
+
+	allow $1 devpts_t:dir relabel_dir_perms;
+')
+
+########################################
+## <summary>
 ##	Do not audit attempts to read the
 ##	/dev/pts directory.
 ## </summary>
@@ -859,6 +898,26 @@
 ')
 
 ########################################
+## <summary>
+##     Read and write all inherited ptys.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+## <rolecap/>
+#
+interface(`term_use_all_inherited_ptys',`
+	gen_require(`
+		attribute ptynode;
+		type devpts_t;
+	')
+
+	allow $1 ptynode:chr_file { rw_inherited_term_perms lock };
+')
+
+########################################
 ## <summary>
 ##	Do not audit attempts to read or write any ptys.
 ## </summary>
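Review bot: `term_use_all_inherited_ptys` lists `type devpts_t;` in `gen_require` but the rule only names `ptynode`, so the require is unused; either drop it or add `devpts_t` to the target set as `term_use_all_inherited_terms` does in the first terminal.if hunk. The two interfaces also differ in that this one adds `lock` to `rw_inherited_term_perms`, which is worth a why-comment if intentional. The same unused-require pattern appears in `dev_relabel_cpu_online` (`sysfs_t`) and `files_create_lock_dirs` (`var_t`).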
Index: refpolicy-2.20110726/policy/modules/kernel/devices.if
===================================================================
--- refpolicy-2.20110726.orig/policy/modules/kernel/devices.if	2012-06-30 12:31:59.492465232 +1000
+++ refpolicy-2.20110726/policy/modules/kernel/devices.if	2012-06-30 12:32:00.260479611 +1000
@@ -155,6 +155,25 @@
 
 ########################################
 ## <summary>
+##     Allow full relabeling (to and from) of all device files.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+## <rolecap/>
+#
+interface(`dev_relabel_all_dev_files',`
+	gen_require(`
+		type device_t;
+	')
+
+	relabel_files_pattern($1, device_t, device_t)
+')
+
+########################################
+## <summary>
 ##	List all of the device nodes in a device directory.
 ## </summary>
 ## <param name="domain">
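Review bot: The summary of `dev_relabel_all_dev_files` promises "full relabeling (to and from) of all device files", but `relabel_files_pattern($1, device_t, device_t)` only covers objects of class `file` typed `device_t`. Character and block nodes, and devices with their own types, are not included. Reword the summary to match the rule, e.g. `##     Relabel generic files in /dev to and from device_t.`, so a policy author does not assume a different scope than what is granted.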
@@ -463,6 +482,42 @@
 
 ########################################
 ## <summary>
+##     Rename generic block device nodes.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`dev_rename_generic_blk_files',`
+	gen_require(`
+		type device_t;
+	')
+
+	rename_blk_files_pattern($1, device_t, device_t)
+')
+
+########################################
+## <summary>
+##     write generic sock files in /dev.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain to not audit.
+##     </summary>
+## </param>
+#
+interface(`dev_write_generic_sock_files',`
+	gen_require(`
+		type device_t;
+	')
+
+	write_sock_files_pattern($1, device_t, device_t)
+')
+
+########################################
+## <summary>
 ##	Dontaudit getattr on generic block devices.
 ## </summary>
 ## <param name="domain">
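Review bot: The parameter description of `dev_write_generic_sock_files` reads "Domain to not audit.", but the body is `write_sock_files_pattern($1, device_t, device_t)`, an allow rule. It should be `##     Domain allowed access.`, as in `dev_rename_generic_blk_files` just above. The summary would also match the file's style if capitalised: `##     Write generic sock files in /dev.`.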
@@ -3171,6 +3226,32 @@
 	rw_chr_files_pattern($1, device_t, printer_device_t)
 ')
 
+interface(`dev_relabel_printer',`
+	gen_require(`
+		type printer_device_t;
+	')
+ 
+	allow $1 printer_device_t:chr_file relabel_chr_file_perms;
+')
+
+########################################
+## <summary>
+##     Read and write the printer device.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`dev_manage_printer',`
+	gen_require(`
+		type device_t, printer_device_t;
+	')
+
+	manage_chr_files_pattern($1, device_t, printer_device_t)
+')
+
 ########################################
 ## <summary>
 ##	Read printk devices (e.g., /dev/kmsg /dev/mcelog)
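Review bot: `dev_relabel_printer` is added without any `## <summary>` / `## <param>` header, so it will be missing from the generated interface documentation; it needs the same banner and header as its neighbours, with a summary such as `##     Relabel the printer device node.`. The header of `dev_manage_printer` says "Read and write the printer device." while `manage_chr_files_pattern` also covers creating and deleting the node, so the summary should read `##     Create, read, write, and delete the printer device.`. `files_create_lock_dirs` in files.if has the same missing-header gap.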
@@ -3865,6 +3946,50 @@
 
 ########################################
 ## <summary>
+##     Read cpu online hardware state information.
+## </summary>
+## <desc>
+##     <p>
+##     Allow the specified domain to read /sys/devices/system/cpu/online file.
+##     </p>
+## </desc>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`dev_read_cpu_online',`
+	gen_require(`
+		type cpu_online_t;
+	')
+
+	dev_search_sysfs($1)
+	read_files_pattern($1, cpu_online_t, cpu_online_t)
+')
+
+########################################
+## <summary>
+##     Relabel cpu online hardware state information.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`dev_relabel_cpu_online',`
+	gen_require(`
+		type cpu_online_t;
+		type sysfs_t;
+	')
+ 
+	dev_search_sysfs($1)
+	allow $1 cpu_online_t:file relabel_file_perms;
+')
+
+########################################
+## <summary>
 ##	Create, read, write, and delete sysfs
 ##	directories.
 ## </summary>
@@ -3934,6 +4059,44 @@
 ')
 
 ########################################
+## <summary>
+##     Relabel hardware state directories.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`dev_relabel_sysfs_dirs',`
+	gen_require(`
+		type sysfs_t;
+	')
+
+	relabel_dirs_pattern($1, sysfs_t, sysfs_t)
+')
+
+########################################
+## <summary>
+##     Relabel hardware state files
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`dev_relabel_all_sysfs',`
+	gen_require(`
+		type sysfs_t;
+	')
+
+	relabel_dirs_pattern($1, sysfs_t, sysfs_t)
+	relabel_files_pattern($1, sysfs_t, sysfs_t)
+	relabel_lnk_files_pattern($1, sysfs_t, sysfs_t)
+')
+
+########################################
 ## <summary>
 ##	Read and write the TPM device.
 ## </summary>
Index: refpolicy-2.20110726/policy/modules/kernel/devices.te
===================================================================
--- refpolicy-2.20110726.orig/policy/modules/kernel/devices.te	2012-06-30 12:31:47.440239041 +1000
+++ refpolicy-2.20110726/policy/modules/kernel/devices.te	2012-06-30 12:32:00.260479611 +1000
@@ -20,6 +20,9 @@
 files_associate_tmp(device_t)
 fs_type(device_t)
 fs_use_trans devtmpfs gen_context(system_u:object_r:device_t,s0);
+optional_policy(`
+	systemd_tmpfiles_manage_object(device_t, fifo_file)
+')
 
 #
 # Type for /dev/agpgart
@@ -218,6 +221,10 @@
 fs_type(sysfs_t)
 genfscon sysfs / gen_context(system_u:object_r:sysfs_t,s0)
 
+type cpu_online_t;
+files_type(cpu_online_t)
+dev_associate_sysfs(cpu_online_t)
+
 #
 # Type for /dev/tpm
 #
Index: refpolicy-2.20110726/policy/modules/kernel/files.te
===================================================================
--- refpolicy-2.20110726.orig/policy/modules/kernel/files.te	2012-06-30 12:31:58.360444028 +1000
+++ refpolicy-2.20110726/policy/modules/kernel/files.te	2012-06-30 12:32:45.285314741 +1000
@@ -10,6 +10,7 @@
 attribute lockfile;
 attribute mountpoint;
 attribute pidfile;
+attribute spoolfile;
 attribute configfile;
 
 # For labeling types that are to be polyinstantiated
@@ -177,6 +178,10 @@
 files_pid_file(var_run_t)
 files_mountpoint(var_run_t)
 
+optional_policy(`
+	systemd_tmpfiles_manage_object(var_run_t, lnk_file)
+')
+
 #
 # var_spool_t is the type of /var/spool
 #
Index: refpolicy-2.20110726/policy/modules/kernel/files.if
===================================================================
--- refpolicy-2.20110726.orig/policy/modules/kernel/files.if	2012-06-30 12:31:58.396444703 +1000
+++ refpolicy-2.20110726/policy/modules/kernel/files.if	2012-06-30 12:32:45.285314741 +1000
@@ -3923,6 +3923,45 @@
 	allow $1 readable_t:sock_file read_sock_file_perms;
 ')
 
+#######################################
+## <summary>
+##  Read manageable system configuration files in /etc
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`files_read_system_conf_files',`
+	gen_require(`
+		type etc_t, system_conf_t;
+	')
+
+	allow $1 etc_t:dir list_dir_perms;
+	read_files_pattern($1, etc_t, system_conf_t)
+	read_lnk_files_pattern($1, etc_t, system_conf_t)
+')
+
+######################################
+## <summary>
+##  Manage manageable system configuration files in /etc.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`files_manage_system_conf_files',`
+	gen_require(`
+		type etc_t, system_conf_t;
+	')
+ 
+	allow $1 tmp_t:dir getattr;
+	manage_files_pattern($1, { etc_t system_conf_t }, system_conf_t)
+')
+
 ########################################
 ## <summary>
 ##	Allow the specified type to associate
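Review bot: `files_manage_system_conf_files` uses `tmp_t` in `allow $1 tmp_t:dir getattr;` without listing it in `gen_require`, and access to /tmp has no obvious connection to managing configuration under /etc. If the rule is intended, the require should read `type etc_t, system_conf_t, tmp_t;` and the line deserves a why-comment. If it was meant to mirror `files_read_system_conf_files` above, the intended line may have been `allow $1 etc_t:dir list_dir_perms;`. `system_conf_t` is also not declared in any files.te hunk visible here, so please confirm that it is defined elsewhere in the patch.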
@@ -4162,6 +4201,42 @@
 
 ########################################
 ## <summary>
+##     Relabel a dir from the type used in /tmp.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`files_relabelfrom_tmp_dirs',`
+	gen_require(`
+		type tmp_t;
+	')
+
+	relabelfrom_dirs_pattern($1, tmp_t, tmp_t)
+')
+
+########################################
+## <summary>
+##     Relabel a file from the type used in /tmp.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`files_relabelfrom_tmp_files',`
+	gen_require(`
+		type tmp_t;
+	')
+
+	relabelfrom_files_pattern($1, tmp_t, tmp_t)
+')
+
+########################################
+## <summary>
 ##	Set the attributes of all tmp directories.
 ## </summary>
 ## <param name="domain">
@@ -5325,6 +5400,15 @@
 	manage_files_pattern($1, var_lib_t, var_lib_t)
 ')
 
+interface(`files_create_lock_dirs',`
+	gen_require(`
+		type var_t, var_lock_t;
+	')
+ 
+	files_search_locks($1)
+	allow $1 var_lock_t:dir create_dir_perms;
+')
+
 ########################################
 ## <summary>
 ##	Search the locks directory (/var/lock).
@@ -5340,6 +5424,7 @@
 		type var_t, var_lock_t;
 	')
 
+	files_search_pids($1)
 	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
 	search_dirs_pattern($1, var_t, var_lock_t)
 ')
@@ -5885,6 +5970,115 @@
 
 ########################################
 ## <summary>
+##     Relable all pid directories
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`files_relabel_all_pid_dirs',`
+	gen_require(`
+		attribute pidfile;
+	')
+
+	relabel_dirs_pattern($1, pidfile, pidfile)
+')
+
+########################################
+## <summary>
+##     Delete all pid sockets
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`files_delete_all_pid_sockets',`
+	gen_require(`
+		attribute pidfile;
+	')
+
+	allow $1 pidfile:sock_file delete_sock_file_perms;
+')
+
+########################################
+## <summary>
+##     Create all pid sockets
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`files_create_all_pid_sockets',`
+	gen_require(`
+		attribute pidfile;
+	')
+
+	allow $1 pidfile:sock_file create_sock_file_perms;
+')
+
+########################################
+## <summary>
+##     Create all pid named pipes
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`files_create_all_pid_pipes',`
+	gen_require(`
+		attribute pidfile;
+	')
+
+	allow $1 pidfile:fifo_file create_fifo_file_perms;
+')
+
+########################################
+## <summary>
+##     Delete all pid named pipes
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`files_delete_all_pid_pipes',`
+	gen_require(`
+		attribute pidfile;
+	')
+
+	allow $1 pidfile:fifo_file delete_fifo_file_perms;
+')
+
+########################################
+## <summary>
+##     manage all pidfile directories
+##     in the /var/run directory.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`files_manage_all_pid_dirs',`
+	gen_require(`
+		attribute pidfile;
+	')
+
+	manage_dirs_pattern($1,pidfile,pidfile)
+')
+
+########################################
+## <summary>
 ##	Read all process ID files.
 ## </summary>
 ## <param name="domain">
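Review bot: The summary `Relable all pid directories` is misspelled, and the same typo is repeated for `files_relabel_all_pid_files` in the next hunk; both should read `Relabel`. The summary of `files_manage_all_pid_dirs` starts in lower case (`manage all pidfile directories`), unlike the other headers in this file. These strings end up in the generated interface documentation, so they are worth fixing before the patch lands.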
@@ -5907,6 +6101,61 @@
 
 ########################################
 ## <summary>
+##     Relable all pid files
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`files_relabel_all_pid_files',`
+	gen_require(`
+		attribute pidfile;
+	')
+
+	relabel_files_pattern($1, pidfile, pidfile)
+')
+
+########################################
+## <summary>
+##     Execute generic programs in /var/run in the caller domain.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`files_exec_generic_pid_files',`
+	gen_require(`
+		type var_run_t;
+	')
+
+	exec_files_pattern($1, var_run_t, var_run_t)
+')
+
+########################################
+## <summary>
+##     manage all pidfiles 
+##     in the /var/run directory.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`files_manage_all_pids',`
+	gen_require(`
+		attribute pidfile;
+	')
+
+	manage_files_pattern($1,pidfile,pidfile)
+')
+
+########################################
+## <summary>
 ##	Mount filesystems on all polyinstantiation
 ##	member directories.
 ## </summary>
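Review bot: `files_exec_generic_pid_files` lets the caller execute `var_run_t` files in its own domain with no transition, and /var/run is written by many daemons. A domain given this interface therefore runs whatever any other writer of `var_run_t` places there. The header should carry a `<desc>` stating which caller needs this and that it should be granted only to domains that already trust every writer of `var_run_t`. If the real need is one specific helper, a dedicated executable type would be narrower than generic `var_run_t`.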
@@ -5973,6 +6222,91 @@
 
 ########################################
 ## <summary>
+##     Make the specified type a file
+##     used for spool files.
+## </summary>
+## <desc>
+##     <p>
+##     Make the specified type usable for spool files.
+##     This will also make the type usable for files, making
+##     calls to files_type() redundant.  Failure to use this interface
+##     for a spool file may result in problems with
+##     purging spool files.
+##     </p>
+##     <p>
+##     Related interfaces:
+##     </p>
+##     <ul>
+##             <li>files_spool_filetrans()</li>
+##     </ul>
+##     <p>
+##     Example usage with a domain that can create and
+##     write its spool file in the system spool file
+##     directories (/var/spool):
+##     </p>
+##     <p>
+##     type myspoolfile_t;
+##     files_spool_file(myfile_spool_t)
+##     allow mydomain_t myfile_spool_t:file { create_file_perms write_file_perms };
+##     files_spool_filetrans(mydomain_t, myfile_spool_t, file)
+##     </p>
+## </desc>
+## <param name="file_type">
+##     <summary>
+##     Type of the file to be used as a
+##     spool file.
+##     </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`files_spool_file',`
+	gen_require(`
+		attribute spoolfile;
+	')
+
+	files_type($1)
+	typeattribute $1 spoolfile;
+')
+
+########################################
+## <summary>
+##     Create all spool sockets
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`files_create_all_spool_sockets',`
+	gen_require(`
+		attribute spoolfile;
+	')
+
+	allow $1 spoolfile:sock_file create_sock_file_perms;
+')
+
+########################################
+## <summary>
+##     Delete all spool sockets
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`files_delete_all_spool_sockets',`
+	gen_require(`
+		attribute spoolfile;
+	')
+
+	allow $1 spoolfile:sock_file delete_sock_file_perms;
+')
+
+
+########################################
+## <summary>
 ##	Search the contents of generic spool
 ##	directories (/var/spool).
 ## </summary>
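Review bot: The usage example in the `files_spool_file` description declares `type myspoolfile_t;`, but every following line uses `myfile_spool_t`, so the example does not work as written. The first line should be `##     type myfile_spool_t;`. The description also lists `files_spool_filetrans()` as a related interface; it is not part of this hunk, so please check that it exists with that name.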
@@ -6190,3 +6524,45 @@
 
 	typeattribute $1 files_unconfined_type;
 ')
+
+########################################
+## <summary>
+##     Create a core files in /
+## </summary>
+## <desc>
+##     <p>
+##     Create a core file in /,
+##     </p>
+## </desc>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+## <rolecap/>
+#
+interface(`files_manage_root_files',`
+	gen_require(`
+		type root_t;
+	')
+
+	manage_files_pattern($1, root_t, root_t)
+')
+
+########################################
+## <summary>
+##     Allow domain to delete to all files
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain to not audit.
+##     </summary>
+## </param>
+#
+interface(`files_delete_all_non_security_files',`
+	gen_require(`
+		attribute non_security_file_type;
+	')
+
+	allow $1 non_security_file_type:file_class_set unlink;
+')
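Review bot: Both headers in this hunk misstate the access they grant. `files_manage_root_files` is documented as "Create a core files in /", but `manage_files_pattern($1, root_t, root_t)` covers creating, reading, writing and deleting any `root_t` file there; `##     Create, read, write, and delete files in the root directory.` would be accurate. `files_delete_all_non_security_files` describes its parameter as "Domain to not audit." although the rule is an `allow` of `unlink` across `file_class_set` for every `non_security_file_type`; the parameter should read `##     Domain allowed access.` and the summary `##     Delete all non-security files.`. Given how broad the second interface is, a `<desc>` naming its intended caller would help reviewers spot misuse.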
Index: refpolicy-2.20110726/policy/modules/kernel/filesystem.if
===================================================================
--- refpolicy-2.20110726.orig/policy/modules/kernel/filesystem.if	2012-06-30 12:31:58.152440138 +1000
+++ refpolicy-2.20110726/policy/modules/kernel/filesystem.if	2012-06-30 12:32:00.264479683 +1000
@@ -631,6 +631,27 @@
 
 ########################################
 ## <summary>
+##     Get attributes of cgroup files.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`fs_getattr_cgroup_files',`
+	gen_require(`
+		type cgroup_t;
+
+	')
+
+	getattr_files_pattern($1, cgroup_t, cgroup_t)
+	fs_search_tmpfs($1)
+	dev_search_sysfs($1)
+')
+
+########################################
+## <summary>
 ##	Search cgroup directories.
 ## </summary>
 ## <param name="domain">
@@ -651,6 +672,44 @@
 
 ########################################
 ## <summary>
+##     Relabel cgroup directories.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`fs_relabel_cgroup_dirs',`
+	gen_require(`
+		type cgroup_t;
+
+	')
+
+	relabel_dirs_pattern($1, cgroup_t, cgroup_t)
+')
+
+#######################################
+## <summary>
+##  Dontaudit search cgroup directories.
+## </summary>
+## <param name="domain">
+##  <summary>
+##     Domain to not audit.
+##  </summary>
+## </param>
+#
+interface(`fs_dontaudit_search_cgroup_dirs', `
+	gen_require(`
+		type cgroup_t;
+	')
+
+	dontaudit $1 cgroup_t:dir search_dir_perms;
+	dev_dontaudit_search_sysfs($1)
+')
+
+########################################
+## <summary>
 ##	list cgroup directories.
 ## </summary>
 ## <param name="domain">
@@ -3934,6 +3993,42 @@
 
 ########################################
 ## <summary>
+##     Relabel directory  on tmpfs filesystems.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`fs_relabel_tmpfs_dirs',`
+	gen_require(`
+		type tmpfs_t;
+	')
+
+	relabel_dirs_pattern($1, tmpfs_t, tmpfs_t)
+')
+
+########################################
+## <summary>
+##     Relabel files  on tmpfs filesystems.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`fs_relabel_tmpfs_files',`
+	gen_require(`
+		type tmpfs_t;
+	')
+
+	relabel_files_pattern($1, tmpfs_t, tmpfs_t)
+')
+
+########################################
+## <summary>
 ##	Create, read, write, and delete
 ##	tmpfs directories
 ## </summary>
@@ -4225,6 +4320,24 @@
 ')
 
 ########################################
+## <summary>
+##     Delete generic files in tmpfs directory.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`fs_delete_tmpfs_files',`
+	gen_require(`
+		type tmpfs_t;
+	')
+
+	allow $1 tmpfs_t:file unlink;
+')
+
+########################################
 ## <summary>
 ##	Read and write, create and delete generic
 ##	files on tmpfs filesystems.
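Review bot: `fs_delete_tmpfs_files` grants only `allow $1 tmpfs_t:file unlink;`, but removing a directory entry also needs search, write and remove_name on the containing `tmpfs_t` directory. A caller that relies on this interface alone will still be denied. Using `delete_files_pattern($1, tmpfs_t, tmpfs_t)` would make the interface self-contained. If callers are expected to obtain directory access from another interface, say so in the summary. The new header also sits after the `########` banner instead of before it, which is an artefact of where the hunk was cut in.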
Index: refpolicy-2.20110726/policy/modules/kernel/devices.fc
===================================================================
--- refpolicy-2.20110726.orig/policy/modules/kernel/devices.fc	2012-06-30 12:31:58.072438639 +1000
+++ refpolicy-2.20110726/policy/modules/kernel/devices.fc	2012-06-30 12:32:00.264479683 +1000
@@ -195,6 +195,7 @@
 /lib/udev/devices/zero	-c	gen_context(system_u:object_r:zero_device_t,s0)
 
 /sys(/.*)?			gen_context(system_u:object_r:sysfs_t,s0)
+/sys/devices/system/cpu/online gen_context(system_u:object_r:cpu_online_t,s0)
 
 ifdef(`distro_redhat',`
 # originally from named.fc
Index: refpolicy-2.20110726/policy/modules/system/systemd.if
===================================================================
--- /dev/null	1970-01-01 00:00:00.000000000 +0000
+++ refpolicy-2.20110726/policy/modules/system/systemd.if	2012-06-30 12:32:00.264479683 +1000
@@ -0,0 +1,719 @@
+## <summary>SELinux policy for systemd components</summary>
+
+#######################################
+## <summary>
+##      Create a domain for processes which are started 
+##      exuting systemctl.
+## </summary>
+## <param name="domain_prefix">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`systemd_systemctl_domain',`
+        gen_require(`
+                type systemd_systemctl_exec_t;
+                role system_r;
+		attribute systemctl_domain;
+        ')
+
+	type $1_systemctl_t, systemctl_domain;
+	domain_type($1_systemctl_t)
+	domain_entry_file($1_systemctl_t, systemd_systemctl_exec_t)	
+
+	role system_r types $1_systemctl_t;
+
+	domtrans_pattern($1_t, systemd_systemctl_exec_t , $1_systemctl_t)
+')
+
+########################################
+## <summary>
+##      Execute systemctl in the caller domain.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`systemd_exec_systemctl',`
+        gen_require(`
+                type systemd_systemctl_exec_t;
+        ')
+
+	corecmd_search_bin($1)
+	can_exec($1, systemd_systemctl_exec_t)
+
+	fs_list_cgroup_dirs($1)
+	fs_read_cgroup_files($1)
+	systemd_list_unit_dirs($1)
+	init_list_pid_dirs($1)
+	init_read_state($1)
+	init_stream_send($1)
+	init_stream_connect($1)
+
+	systemd_login_list_pid_dirs($1)
+	systemd_login_read_pid_files($1)
+')
+
+#######################################
+## <summary>
+##      Create a file type used for systemd unit files.
+## </summary>
+## <param name="script_file">
+##      <summary>
+##      Type to be used for an unit file.
+##      </summary>
+## </param>
+#
+interface(`systemd_unit_file',`
+        gen_require(`
+                attribute systemd_unit_file_type;
+        ')
+
+        typeattribute $1 systemd_unit_file_type;
+	files_type($1)
+')
+
+######################################
+## <summary>
+##      Allow domain to search systemd unit dirs.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`systemd_search_unit_dirs',`
+        gen_require(`
+                attribute systemd_unit_file_type;
+        ')
+	
+	files_search_var_lib($1)
+	allow $1 systemd_unit_file_type:dir search_dir_perms;
+')
+
+######################################
+## <summary>
+##      Allow domain to list systemd unit dirs.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`systemd_list_unit_dirs',`
+        gen_require(`
+                attribute systemd_unit_file_type;
+        ')
+	
+	files_search_var_lib($1)
+	allow $1 systemd_unit_file_type:dir list_dir_perms;
+')
+
+#####################################
+## <summary>
+##      Allow domain to getattr all systemd unit files.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`systemd_getattr_unit_files',`
+        gen_require(`
+                attribute systemd_unit_file_type;
+        ')
+
+    files_search_var_lib($1)
+    allow $1 systemd_unit_file_type:file getattr_file_perms;
+')
+
+######################################
+## <summary>
+##      Allow domain to read all systemd unit files.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`systemd_read_unit_files',`
+        gen_require(`
+                attribute systemd_unit_file_type;
+        ')
+	
+	files_search_var_lib($1)
+	allow $1 systemd_unit_file_type:file read_file_perms;
+	allow $1 systemd_unit_file_type:lnk_file read_lnk_file_perms;
+	allow $1 systemd_unit_file_type:dir list_dir_perms;
+')
+
+#####################################
+## <summary>
+##      Dontaudit domain to read all systemd unit files.
+## </summary>
+## <param name="domain">
+##      <summary>
+##	Domain to not audit.
+##      </summary>
+## </param>
+#
+interface(`systemd_dontaudit_read_unit_files',`
+        gen_require(`
+                attribute systemd_unit_file_type;
+        ')
+
+        dontaudit $1 systemd_unit_file_type:file read_file_perms;
+')
+
+######################################
+## <summary>
+##	Read systemd_login PID files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`systemd_login_read_pid_files',`
+	gen_require(`
+		type systemd_logind_var_run_t;
+	')
+
+	files_search_pids($1)
+	read_files_pattern($1, systemd_logind_var_run_t, systemd_logind_var_run_t)
+')
+
+######################################
+## <summary>
+##	Read systemd_login PID files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`systemd_login_list_pid_dirs',`
+	gen_require(`
+		type systemd_logind_var_run_t;
+	')
+
+	files_search_pids($1)
+	list_dirs_pattern($1, systemd_logind_var_run_t, systemd_logind_var_run_t)
+')
+
+######################################
+## <summary>
+##	Use and and inherited systemd
+##	logind file descriptors.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`systemd_use_fds_logind',`
+	gen_require(`
+		type systemd_logind_t;
+	')
+
+	allow $1 systemd_logind_t:fd use;
+')
+
+######################################
+## <summary>
+##	Read logind sessions files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`systemd_read_logind_sessions_files',`
+	gen_require(`
+		type systemd_logind_sessions_t;
+	')
+
+	init_search_pid_dirs($1)
+	allow $1 systemd_logind_sessions_t:dir list_dir_perms;
+	read_files_pattern($1, systemd_logind_sessions_t, systemd_logind_sessions_t)
+')
+
+######################################
+## <summary>
+##	Write inherited logind sessions pipes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`systemd_write_inherited_logind_sessions_pipes',`
+	gen_require(`
+		type systemd_logind_t, systemd_logind_sessions_t;
+	')
+
+	allow $1 systemd_logind_t:fd use;
+	allow $1 systemd_logind_sessions_t:fifo_file write;
+	allow systemd_logind_t $1:process signal;
+')
+
+########################################
+## <summary>
+##	Send and receive messages from
+##	systemd logind over dbus.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`systemd_dbus_chat_logind',`
+	gen_require(`
+		type systemd_logind_t;
+		class dbus send_msg;
+	')
+
+	allow $1 systemd_logind_t:dbus send_msg;
+	allow systemd_logind_t $1:dbus send_msg;
+	ps_process_pattern(systemd_logind_t, $1)
+	allow systemd_logind_t $1:process signal;
+')
+
+#######################################
+## <summary>
+##  Execute a domain transition to run systemd-tmpfiles.
+## </summary>
+## <param name="domain">
+## <summary>
+##  Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`systemd_tmpfiles_domtrans',`
+    gen_require(`
+        type systemd_tmpfiles_t, systemd_tmpfiles_exec_t;
+    ')
+
+    domtrans_pattern($1, systemd_tmpfiles_exec_t, systemd_tmpfiles_t)
+')
+
+#######################################
+## <summary>
+##  Allow systemd_tmpfiles_t to manage filesystem objects
+## </summary>
+## <param name="type">
+## <summary>
+##  type of object to manage
+## </summary>
+## </param>
+## <param name="class">
+## <summary>
+##  object class to manage
+## </summary>
+## </param>
+#
+interface(`systemd_tmpfiles_manage_object',`
+    gen_require(`
+        type systemd_tmpfiles_t;
+    ')
+
+    allow systemd_tmpfiles_t $1:$2 { setattr relabelfrom relabelto create };
+')
+
+########################################
+## <summary>
+##	Execute a domain transition to run systemd-tty-ask-password-agent.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`systemd_passwd_agent_domtrans',`
+	gen_require(`
+		type systemd_passwd_agent_t, systemd_passwd_agent_exec_t;
+	')
+
+	domtrans_pattern($1, systemd_passwd_agent_exec_t, systemd_passwd_agent_t)
+')
+
+#######################################
+## <summary>
+##  Execute systemd-tty-ask-password-agent in the caller domain
+## </summary>
+## <param name="domain">
+## <summary>
+##  Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`systemd_passwd_agent_exec',`
+    gen_require(`
+        type systemd_passwd_agent_t, systemd_passwd_agent_exec_t;
+    ')
+
+	can_exec($1, systemd_passwd_agent_exec_t)
+')
+
+########################################
+## <summary>
+##	Execute a domain transition to run systemd_notify.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`systemd_notify_domtrans',`
+	gen_require(`
+		type systemd_notify_t, systemd_notify_exec_t;
+	')
+
+	domtrans_pattern($1, systemd_notify_exec_t, systemd_notify_t)
+')
+
+########################################
+## <summary>
+##	Execute systemd-tty-ask-password-agent in the systemd_passwd_agent domain, and
+##	allow the specified role the systemd_passwd_agent domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed the systemd_passwd_agent domain.
+##	</summary>
+## </param>
+#
+interface(`systemd_passwd_agent_run',`
+	gen_require(`
+		type systemd_passwd_agent_t;
+	')
+
+	systemd_passwd_agent_domtrans($1)
+	role $2 types systemd_passwd_agent_t;
+')
+
+########################################
+## <summary>
+##	Role access for systemd_passwd_agent
+## </summary>
+## <param name="role">
+##	<summary>
+##	Role allowed access
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	User domain for the role
+##	</summary>
+## </param>
+#
+interface(`systemd_passwd_agent_role',`
+	gen_require(`
+              type systemd_passwd_agent_t;
+	')
+
+	role $1 types systemd_passwd_agent_t;
+
+	systemd_passwd_agent_domtrans($2)
+
+	ps_process_pattern($2, systemd_passwd_agent_t)
+	allow $2 systemd_passwd_agent_t:process signal;
+')
+
+########################################
+## <summary>
+##	Send generic signals to systemd_passwd_agent processes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`systemd_signal_passwd_agent',`
+	gen_require(`
+              type systemd_passwd_agent_t;
+	')
+
+	allow $1 systemd_passwd_agent_t:process signal;
+')
+
+######################################
+## <summary>
+##  Allow to domain to read systemd-passwd pipe
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`systemd_read_fifo_file_passwd_run',`
+    gen_require(`
+        type systemd_passwd_var_run_t;
+    ')
+
+    read_sock_files_pattern($1, systemd_passwd_var_run_t, systemd_passwd_var_run_t)
+')
+
+#######################################
+## <summary>
+##  Send generic signals to systemd_passwd_agent processes.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`systemd_manage_passwd_run',`
+	gen_require(`
+		type systemd_passwd_agent_t;	
+		type systemd_passwd_var_run_t;
+	')
+
+	manage_files_pattern($1, systemd_passwd_var_run_t, systemd_passwd_var_run_t)
+	manage_sock_files_pattern($1, systemd_passwd_var_run_t, systemd_passwd_var_run_t)
+
+	allow systemd_passwd_agent_t $1:process signull;
+	allow systemd_passwd_agent_t $1:unix_dgram_socket sendto;
+')
+
+######################################
+## <summary>
+##  Template for temporary sockets and files in /dev/.systemd/ask-password
+##  which are used by systemd-passwd-agent
+## </summary>
+## <param name="userdomain_prefix">
+##  <summary>
+##  The prefix of the domain (e.g., user
+##  is the prefix for user_t).
+##  </summary>
+## </param>
+#
+interface(`systemd_passwd_agent_dev_template',`
+        gen_require(`
+                type systemd_passwd_agent_t;
+        ')
+
+	type systemd_$1_device_t;
+        files_type(systemd_$1_device_t)
+        dev_associate(systemd_$1_device_t)
+
+	dev_filetrans($1_t, systemd_$1_device_t, { file sock_file })
+	init_pid_filetrans($1_t, systemd_$1_device_t, { file sock_file })
+        allow $1_t systemd_$1_device_t:file manage_file_perms;
+        allow $1_t systemd_$1_device_t:sock_file manage_sock_file_perms;
+
+	allow systemd_passwd_agent_t $1_t:process signull;
+        allow systemd_passwd_agent_t $1_t:unix_dgram_socket sendto;
+	allow systemd_passwd_agent_t systemd_$1_device_t:sock_file write;
+        allow systemd_passwd_agent_t systemd_$1_device_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+##	Allow the specified domain to connect to
+##	systemd_logger with a unix socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`systemd_logger_stream_connect',`
+	gen_require(`
+		type systemd_logger_t;
+	')
+
+	allow $1 systemd_logger_t:unix_stream_socket connectto;
+')
+
+########################################
+## <summary>
+##	manage systemd unit dirs
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`systemd_manage_unit_dirs',`
+	gen_require(`
+		attribute systemd_unit_file_type;
+	')
+
+	manage_dirs_pattern($1, systemd_unit_file_type, systemd_unit_file_type)
+')
+
+########################################
+## <summary>
+##	manage all systemd unit files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`systemd_manage_all_unit_files',`
+	gen_require(`
+		attribute systemd_unit_file_type;
+	')
+
+	manage_files_pattern($1, systemd_unit_file_type, systemd_unit_file_type)
+	manage_lnk_files_pattern($1, systemd_unit_file_type, systemd_unit_file_type)
+')
+
+########################################
+## <summary>
+##	manage all systemd unit lnk_files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`systemd_manage_all_unit_lnk_files',`
+	gen_require(`
+		attribute systemd_unit_file_type;
+	')
+
+	manage_lnk_files_pattern($1, systemd_unit_file_type, systemd_unit_file_type)
+')
+
+
+########################################
+## <summary>
+##	Allow the specified domain to connect to
+##	systemd_logger with a unix socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`systemd_config_all_services',`
+	gen_require(`
+		attribute systemd_unit_file_type;
+	')
+
+	allow $1 systemd_unit_file_type:service all_service_perms;
+')
+
+
+########################################
+## <summary>
+##	Transition to systemd named content
+## </summary>
+## <param name="domain">
+##	<summary>
+##      Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`systemd_filetrans_named_content',`
+	gen_require(`
+		type systemd_passwd_var_run_t;
+	')
+
+	init_named_pid_filetrans($1, systemd_passwd_var_run_t, dir, "ask-password-block")
+	init_named_pid_filetrans($1, systemd_passwd_var_run_t, dir, "ask-password")
+')
+
+########################################
+## <summary>
+##	Get the system status information from systemd_login
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`systemd_login_status',`
+	gen_require(`
+		type systemd_logind_t;
+	')
+
+	allow $1 systemd_logind_t:system status;
+')
+
+########################################
+## <summary>
+##	Tell systemd_login to reboot the system.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`systemd_login_reboot',`
+	gen_require(`
+		type systemd_logind_t;
+	')
+
+	allow $1 systemd_logind_t:system reboot;
+')
+
+########################################
+## <summary>
+##	Tell systemd_login to halt the system.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`systemd_login_halt',`
+	gen_require(`
+		type systemd_logind_t;
+	')
+
+	allow $1 systemd_logind_t:system halt;
+')
+
+########################################
+## <summary>
+##	Tell systemd_login to do an unknown access.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`systemd_login_undefined',`
+	gen_require(`
+		type systemd_logind_t;
+	')
+
+	allow $1 systemd_logind_t:system undefined;
+')
+
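Review bot: The summary on `systemd_config_all_services` is copied from `systemd_logger_stream_connect` ("connect to systemd_logger with a unix socket"), but the body grants `all_service_perms` on every `systemd_unit_file_type`, presumably every permission of the new `service` class. A grant that broad needs an accurate summary, e.g. `##	Allow the specified domain to perform all service operations on all systemd unit files.` The same copy-paste affects `systemd_login_list_pid_dirs` (says "Read systemd_login PID files", body lists directories) and `systemd_manage_passwd_run` (says "Send generic signals", body manages files and sock_files and lets the agent signull the caller). `systemd_read_fifo_file_passwd_run` is named and described for a pipe but calls `read_sock_files_pattern`, so either the name or the pattern is wrong. `systemd_tmpfiles_manage_object` takes both the type and the class from the caller, so its summary should state that it hands `setattr`, `relabelfrom`, `relabelto` and `create` on whatever is passed.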
Index: refpolicy-2.20110726/policy/modules/system/udev.if
===================================================================
--- refpolicy-2.20110726.orig/policy/modules/system/udev.if	2012-06-30 12:31:58.896454079 +1000
+++ refpolicy-2.20110726/policy/modules/system/udev.if	2012-06-30 12:32:45.285314741 +1000
@@ -34,6 +34,7 @@
 	')
 
 	domtrans_pattern($1, udev_exec_t, udev_t)
+	allow $1 udev_t:process noatsecure;
 ')
 
 ########################################
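Review bot: The added `allow $1 udev_t:process noatsecure;` applies to every caller of this interface, and `noatsecure` turns off the AT_SECURE environment scrubbing on the transition, so the caller's environment, including library search and preload variables, reaches udev_t unfiltered. If only one caller needs it, the rule belongs in that caller's policy or in a separate interface. If it must stay here it needs a why-comment, e.g. `# noatsecure: environment is NOT scrubbed on transition to udev_t because <reason>`. The interface header and its `gen_require` start outside this hunk.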
@@ -88,8 +89,7 @@
 	')
 
 	kernel_search_proc($1)
-	allow $1 udev_t:file read_file_perms;
-	allow $1 udev_t:lnk_file read_lnk_file_perms;
+	ps_process_pattern($1, udev_t)
 ')
 
 ########################################
@@ -160,10 +160,28 @@
 #
 interface(`udev_dontaudit_search_db',`
 	gen_require(`
+		type udev_var_run_t;
+	')
+
+	dontaudit $1 udev_var_run_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+##     Allow process to read the table dir
+## </summary>
+## <param name="domain">
+##     <summary>
+##     The type of the process performing this action.
+##     </summary>
+## </param>
+#
+interface(`udev_list_table_dir',`
+	gen_require(`
 		type udev_tbl_t;
 	')
 
-	dontaudit $1 udev_tbl_t:dir search_dir_perms;
+	allow $1 udev_tbl_t:dir list_dir_perms;
 ')
 
 ########################################
@@ -201,19 +219,32 @@
 ## <infoflow type="read" weight="10"/>
 #
 interface(`udev_read_db',`
+	udev_read_pid_files($1)
+')
+
+########################################
+## <summary>
+##	Allow process to modify list of devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`udev_rw_db',`
 	gen_require(`
-		type udev_tbl_t;
+		type udev_var_run_t;
 	')
 
+	files_search_pids($1)
 	dev_list_all_dev_nodes($1)
-	allow $1 udev_tbl_t:dir list_dir_perms;
-	read_files_pattern($1, udev_tbl_t, udev_tbl_t)
-	read_lnk_files_pattern($1, udev_tbl_t, udev_tbl_t)
+	rw_files_pattern($1, udev_var_run_t, udev_var_run_t)
 ')
 
 ########################################
 ## <summary>
-##	Allow process to modify list of devices.
+##	Allow process to modify relabelto udev database
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -221,13 +252,36 @@
 ##	</summary>
 ## </param>
 #
-interface(`udev_rw_db',`
+interface(`udev_relabelto_db',`
 	gen_require(`
-		type udev_tbl_t;
+		type udev_var_run_t;
+	')
+
+	files_search_pids($1)
+	allow $1 udev_var_run_t:file relabelto_file_perms;
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete
+##	udev pid files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`udev_read_pid_files',`
+	gen_require(`
+		type udev_var_run_t;
 	')
 
 	dev_list_all_dev_nodes($1)
-	allow $1 udev_tbl_t:file rw_file_perms;
+	files_search_pids($1)
+	allow $1 udev_var_run_t:dir list_dir_perms;
+	read_files_pattern($1, udev_var_run_t, udev_var_run_t)
+	read_lnk_files_pattern($1, udev_var_run_t, udev_var_run_t)
 ')
 
 ########################################
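Review bot: The summary added above `udev_read_pid_files` says "Create, read, write, and delete udev pid files", but the body only lists the `udev_var_run_t` directory and reads its files and symlinks. It should read `##	Read udev pid files.` so that a policy author does not assume write access is included. In the previous hunk the summary that now belongs to `udev_relabelto_db` became "Allow process to modify relabelto udev database"; `##	Allow process to relabel to the udev database type.` matches the single `relabelto_file_perms` rule.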
@@ -246,6 +300,84 @@
 		type udev_var_run_t;
 	')
 
-	files_search_var_lib($1)
+	files_search_pids($1)
 	manage_files_pattern($1, udev_var_run_t, udev_var_run_t)
 ')
+
+#######################################
+## <summary>
+##  Execute udev in the udev domain, and
+##  allow the specified role the udev domain.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+## <param name="role">
+##  <summary>
+##  The role to be allowed the iptables domain.
+##  </summary>
+## </param>
+## <rolecap/>
+#
+interface(`udev_run',`
+    gen_require(`
+        type udev_t;
+    ')
+
+    udev_domtrans($1)
+    role $2 types udev_t;
+')
+
+#######################################
+## <summary>
+##	Allow caller to create kobject uevent socket for udev
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`udev_create_kobject_uevent_socket',`
+	gen_require(`
+		type udev_t;
+		role system_r;
+	')
+
+	allow $1 udev_t:netlink_kobject_uevent_socket create_socket_perms;
+')
+
+########################################
+## <summary>
+##	Create a domain for processes
+##	which can be started by udev.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Type to be used as a domain.
+##	</summary>
+## </param>
+## <param name="entry_point">
+##	<summary>
+##	Type of the program to be used as an entry point to this domain.
+##	</summary>
+## </param>
+#
+interface(`udev_system_domain',`
+	gen_require(`
+		type udev_t;
+		role system_r;
+	')
+
+	domain_type($1)
+	domain_entry_file($1, $2)
+
+	role system_r types $1;
+
+	domtrans_pattern(udev_t, $2, $1)
+
+	dontaudit $1 udev_t:unix_dgram_socket { read write };
+')
+
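Review bot: The `role` parameter of `udev_run` is documented as "The role to be allowed the iptables domain", a leftover from the interface it was copied from; it should read `##  The role to be allowed the udev domain.` `udev_create_kobject_uevent_socket` requires `role system_r` but never uses it, so that line can be dropped from its `gen_require`. Its summary says the caller creates a socket "for udev", while the rule grants `create_socket_perms` on sockets labelled `udev_t`; a sentence saying which of the two is intended would make the grant easier to audit.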
Index: refpolicy-2.20110726/policy/modules/system/iptables.te
===================================================================
--- refpolicy-2.20110726.orig/policy/modules/system/iptables.te	2012-06-30 12:31:59.744469957 +1000
+++ refpolicy-2.20110726/policy/modules/system/iptables.te	2012-06-30 12:32:00.268479757 +1000
@@ -22,6 +22,9 @@
 type iptables_var_run_t;
 files_pid_file(iptables_var_run_t)
 
+type iptables_unit_file_t;
+systemd_unit_file(iptables_unit_file_t)
+
 ########################################
 #
 # Iptables local policy
Index: refpolicy-2.20110726/policy/modules/system/init.if
===================================================================
--- refpolicy-2.20110726.orig/policy/modules/system/init.if	2012-06-30 12:31:58.892453996 +1000
+++ refpolicy-2.20110726/policy/modules/system/init.if	2012-06-30 12:32:45.285314741 +1000
@@ -79,6 +79,44 @@
 	domtrans_pattern(init_run_all_scripts_domain, $2, $1)
 ')
 
+
+#######################################
+## <summary>
+##  Create a domain which can be started by init.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Type to be used as a domain.
+##  </summary>
+## </param>
+## <param name="entry_point">
+##  <summary>
+##  Type of the program to be used as an entry point to this domain.
+##  </summary>
+## </param>
+#
+interface(`init_systemd_domain',`
+    gen_require(`
+        type init_t;
+        role system_r;
+    ')
+
+    domain_type($1)
+    domain_entry_file($1,$2)
+
+    role system_r types $1;
+
+    tunable_policy(`init_systemd',`
+        domtrans_pattern(init_t,$2,$1)
+        allow init_t $1:unix_stream_socket create_stream_socket_perms;
+        allow init_t $1:unix_dgram_socket create_socket_perms;
+	allow $1 init_t:unix_stream_socket ioctl;
+        allow $1 init_t:unix_dgram_socket sendto;
+	# need write to /var/run/systemd/notify
+	init_write_pid_socket($1)
+    ')
+')
+
 ########################################
 ## <summary>
 ##	Create a domain which can be started by init.
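Review bot: `init_systemd_domain` carries the same summary as the existing interface below it ("Create a domain which can be started by init"), although every transition and socket rule it adds sits inside the `init_systemd` tunable block. With the boolean off it only declares the domain, entry point and role. The summary should say that, e.g. `##  Create a domain which systemd (init_t) can start when the init_systemd boolean is on.` The two rules that give `init_t` create permissions on the service domain's unix stream and datagram sockets are presumably there for socket activation; a one-line comment stating the reason would let a reviewer judge the grant.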
@@ -105,7 +143,11 @@
 
 	role system_r types $1;
 
-	domtrans_pattern(init_t, $2, $1)
+	tunable_policy(`init_systemd',`', `
+		domtrans_pattern(init_t, $2, $1)
+		allow init_t $1:unix_stream_socket create_stream_socket_perms;
+		allow $1 init_t:unix_dgram_socket sendto;
+	')
 
 	ifdef(`hide_broken_symptoms',`
 		# RHEL4 systems seem to have a stray
@@ -193,8 +235,10 @@
 	gen_require(`
 		attribute direct_run_init, direct_init, direct_init_entry;
 		type initrc_t;
+		type init_t;
 		role system_r;
 		attribute daemon;
+		attribute initrc_transition_domain;
 	')
 
 	typeattribute $1 daemon;
@@ -202,39 +246,20 @@
 	domain_type($1)
 	domain_entry_file($1, $2)
 
-	role system_r types $1;
-
-	domtrans_pattern(initrc_t, $2, $1)
-
-	# daemons started from init will
-	# inherit fds from init for the console
-	init_dontaudit_use_fds($1)
-	term_dontaudit_use_console($1)
-
-	# init script ptys are the stdin/out/err
-	# when using run_init
-	init_use_script_ptys($1)
+	domtrans_pattern(initrc_t,$2,$1)
 
 	ifdef(`direct_sysadm_daemon',`
 		domtrans_pattern(direct_run_init, $2, $1)
-		allow direct_run_init $1:process { noatsecure siginh rlimitinh };
 
 		typeattribute $1 direct_init;
 		typeattribute $2 direct_init_entry;
 
-		userdom_dontaudit_use_user_terminals($1)
-	')
-
-	ifdef(`hide_broken_symptoms',`
-		# RHEL4 systems seem to have a stray
-		# fds open from the initrd
-		ifdef(`distro_rhel4',`
-			kernel_dontaudit_use_fds($1)
-		')
+#		userdom_dontaudit_use_user_terminals($1)
 	')
 
-	optional_policy(`
-		nscd_socket_use($1)
+	tunable_policy(`init_upstart || init_systemd',`
+	     # Handle upstart direct transition to a executable
+	     domtrans_pattern(init_t,$2,$1)
 	')
 ')
 
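Review bot: This hunk drops `role system_r types $1;` together with `init_dontaudit_use_fds`, `term_dontaudit_use_console`, `init_use_script_ptys` and the `nscd_socket_use` optional, and nothing visible here replaces them. Unless init.te now grants them through the `daemon` attribute (not shown in this chunk), every daemon domain loses its system_r authorization. `userdom_dontaudit_use_user_terminals($1)` is left as a commented-out line rather than removed. The comment in the new tunable block mentions only upstart although the condition is `init_upstart || init_systemd`; `# Handle upstart/systemd direct transition to an executable` would match. The interface header is outside the hunk.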
@@ -283,17 +308,20 @@
 interface(`init_ranged_daemon_domain',`
 	gen_require(`
 		type initrc_t;
+		type init_t;
 	')
 
-	init_daemon_domain($1, $2)
+#	init_daemon_domain($1, $2)
 
 	ifdef(`enable_mcs',`
 		range_transition initrc_t $2:process $3;
+		range_transition init_t $2:process $3;
 	')
 
 	ifdef(`enable_mls',`
 		range_transition initrc_t $2:process $3;
 		mls_rangetrans_target($1)
+		range_transition init_t $2:process $3;
 	')
 ')
 
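Review bot: `init_daemon_domain($1, $2)` is commented out rather than removed, so `init_ranged_daemon_domain` now adds only the range transitions and no longer sets up the daemon domain itself. Callers that relied on the single call have to invoke `init_daemon_domain` separately, and the interface documentation (outside this hunk) should say so. If the call was disabled to avoid duplicate declarations, replace the dead line with the reason, e.g. `# callers must also use init_daemon_domain(); calling it here declared the domain twice`.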
@@ -336,10 +364,14 @@
 #
 interface(`init_system_domain',`
 	gen_require(`
+		type init_t;
 		type initrc_t;
 		role system_r;
+		attribute initrc_transition_domain;
+		attribute systemprocess;
 	')
 
+	typeattribute $1 systemprocess;
 	application_domain($1, $2)
 
 	role system_r types $1;
@@ -348,12 +380,9 @@
 
 	init_use_fds($1)
 
-	ifdef(`hide_broken_symptoms',`
-		# RHEL4 systems seem to have a stray
-		# fds open from the initrd
-		ifdef(`distro_rhel4',`
-			kernel_dontaudit_use_fds($1)
-		')
+	tunable_policy(`init_systemd',`
+		# Handle upstart/systemd direct transition to a executable
+		domtrans_pattern(init_t,$2,$1)
 	')
 ')
 
@@ -403,20 +432,41 @@
 interface(`init_ranged_system_domain',`
 	gen_require(`
 		type initrc_t;
+		type init_t;
 	')
 
 	init_system_domain($1, $2)
 
 	ifdef(`enable_mcs',`
 		range_transition initrc_t $2:process $3;
+		range_transition init_t $2:process $3;
 	')
 
 	ifdef(`enable_mls',`
 		range_transition initrc_t $2:process $3;
+		range_transition init_t $2:process $3;
 		mls_rangetrans_target($1)
 	')
 ')
 
+######################################
+## <summary>
+##  Allow domain dyntransition to init_t domain.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed to transition.
+##  </summary>
+## </param>
+#
+interface(`init_dyntrans',`
+    gen_require(`
+        type init_t;
+    ')
+
+    dyntrans_pattern($1, init_t)
+')
+
 ########################################
 ## <summary>
 ##	Execute init (/sbin/init) with a domain transition.
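Review bot: `init_dyntrans` lets the calling domain switch its running process into `init_t` without an exec, which is a much stronger grant than the one-line summary suggests, and no caller is visible in this chunk. The documentation should state the effect and the intended caller, e.g. `##  Allow the domain to dynamically transition (setcon) its running process to init_t.`, followed by a `<desc>` naming the component that needs it. Without that, a later policy author has no way to tell when the interface is appropriate.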
@@ -444,7 +494,6 @@
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <rolecap/>
 #
 interface(`init_exec',`
 	gen_require(`
@@ -453,6 +502,29 @@
 
 	corecmd_search_bin($1)
 	can_exec($1, init_exec_t)
+
+	tunable_policy(`init_systemd',`
+		systemd_exec_systemctl($1)
+	')
+')
+
+#######################################
+## <summary>
+##  Dontaudit getattr on the init program.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+## <rolecap/>
+#
+interface(`init_dontaudit_getattr_exec',`
+    gen_require(`
+        type init_exec_t;
+    ')
+
+	dontaudit $1 init_exec_t:file getattr;
 ')
 
 ########################################
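Review bot: With `init_systemd` on, `init_exec` now expands `systemd_exec_systemctl($1)`, which per systemd.if earlier in this patch also grants cgroup and unit-directory listing, `init_read_state`, `init_stream_send` and `init_stream_connect`. Every domain that was only allowed to execute init therefore gains a connection to init's socket. The summary of `init_exec` (outside the hunk) should mention this, or callers that need systemctl should call `systemd_exec_systemctl` themselves. In the new `init_dontaudit_getattr_exec` the parameter text should be `##  Domain to not audit.` as in the other dontaudit interfaces. The `<rolecap/>` tag removed from `init_exec` in the previous hunk appears to have landed on this interface by mistake.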
@@ -511,6 +583,24 @@
 
 ########################################
 ## <summary>
+##	Send generic signals to init.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_signal',`
+	gen_require(`
+		type init_t;
+	')
+
+	allow $1 init_t:process signal;
+')
+
+########################################
+## <summary>
 ##	Connect to init with a unix socket.
 ## </summary>
 ## <param name="domain">
@@ -521,10 +611,66 @@
 #
 interface(`init_stream_connect',`
 	gen_require(`
-		type init_t;
+		type init_t, init_var_run_t;
 	')
 
-	allow $1 init_t:unix_stream_socket connectto;
+	files_search_pids($1)
+	stream_connect_pattern($1, init_var_run_t, init_var_run_t, init_t)    
+	allow $1 init_t:unix_stream_socket getattr;
+')
+
+#######################################
+## <summary>
+##  Dontaudit Connect to init with a unix socket.
+## </summary>
+## <param name="domain">
+##  <summary>
+##	Domain to not audit.
+##  </summary>
+## </param>
+#
+interface(`init_dontaudit_stream_connect',`
+    gen_require(`
+        type init_t;
+    ')
+
+    dontaudit $1 init_t:unix_stream_socket connectto;
+')
+
+######################################
+## <summary>
+##  Dontaudit getattr to init with a unix socket.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain to not audit.
+##  </summary>
+## </param>
+#
+interface(`init_dontaudit_getattr_stream_socket',`
+    gen_require(`
+        type init_t;
+    ')
+
+    dontaudit $1 init_t:unix_stream_socket getattr;
+')
+
+######################################
+## <summary>
+##  Dontaudit read and write to init with a unix socket.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain to not audit.
+##  </summary>
+## </param>
+#
+interface(`init_dontaudit_rw_stream_socket',`
+    gen_require(`
+        type init_t;
+    ')
+
+    dontaudit $1 init_t:unix_stream_socket { getattr read write };
 ')
 
 ########################################
@@ -676,19 +822,25 @@
 		type initctl_t;
 	')
 
+	corecmd_exec_bin($1)
+
 	dev_list_all_dev_nodes($1)
 	allow $1 initctl_t:fifo_file rw_fifo_file_perms;
 
 	init_exec($1)
 
-	tunable_policy(`init_upstart',`
+	tunable_policy(`init_upstart || init_systemd',`
 		gen_require(`
 			type init_t;
 		')
 
+		ps_process_pattern($1, init_t)
+		allow $1 init_t:process signal;
 		# upstart uses a datagram socket instead of initctl pipe
 		allow $1 self:unix_dgram_socket create_socket_perms;
 		allow $1 init_t:unix_dgram_socket sendto;
+		#576913
+		allow $1 init_t:unix_stream_socket connectto;
 	')
 ')
 
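Review bot: The comment `#576913` above the new `connectto` rule is a bare number with no tracker named, so a later reader cannot tell why the rule exists. Spell it out, e.g. `# connect to init over its stream socket (bug 576913, <tracker>)`. The existing comment "upstart uses a datagram socket instead of initctl pipe" now also covers systemd, since the condition became `init_upstart || init_systemd`, and should say so. The interface header is outside the hunk.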
@@ -718,7 +870,7 @@
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed access.
+##	Domain to not audit.
 ##	</summary>
 ## </param>
 #
@@ -761,18 +913,19 @@
 #
 interface(`init_spec_domtrans_script',`
 	gen_require(`
-		type initrc_t, initrc_exec_t;
+		type initrc_t;
+		attribute init_script_file_type;
 	')
 
 	files_list_etc($1)
-	spec_domtrans_pattern($1, initrc_exec_t, initrc_t)
+	spec_domtrans_pattern($1, init_script_file_type, initrc_t)
 
 	ifdef(`enable_mcs',`
-		range_transition $1 initrc_exec_t:process s0;
+		range_transition $1 init_script_file_type:process s0;
 	')
 
 	ifdef(`enable_mls',`
-		range_transition $1 initrc_exec_t:process s0 - mls_systemhigh;
+		range_transition $1 init_script_file_type:process s0 - mls_systemhigh;
 	')
 ')
 
@@ -788,23 +941,45 @@
 #
 interface(`init_domtrans_script',`
 	gen_require(`
-		type initrc_t, initrc_exec_t;
+		type initrc_t;
+		attribute init_script_file_type;
+		attribute initrc_transition_domain;
 	')
+	typeattribute $1 initrc_transition_domain;
 
 	files_list_etc($1)
-	domtrans_pattern($1, initrc_exec_t, initrc_t)
+	domtrans_pattern($1, init_script_file_type, initrc_t)
 
 	ifdef(`enable_mcs',`
-		range_transition $1 initrc_exec_t:process s0;
+		range_transition $1 init_script_file_type:process s0;
 	')
 
 	ifdef(`enable_mls',`
-		range_transition $1 initrc_exec_t:process s0 - mls_systemhigh;
+		range_transition $1 init_script_file_type:process s0 - mls_systemhigh;
 	')
 ')
 
 ########################################
 ## <summary>
+##	Execute a file in a bin directory
+##	in the initrc_t domain 
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_bin_domtrans_spec',`
+	gen_require(`
+		type initrc_t;
+	')
+
+	corecmd_bin_domtrans($1, initrc_t)
+')
+
+########################################
+## <summary>
 ##	Execute a init script in a specified domain.
 ## </summary>
 ## <desc>
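Review bot: `init_bin_domtrans_spec` is named like a specified transition, but it calls `corecmd_bin_domtrans($1, initrc_t)`. As far as I know that macro installs an automatic transition, so every generic bin file the caller executes would start in initrc_t by default. If an explicit, on-request transition was intended, the body should be `corecmd_bin_spec_domtrans($1, initrc_t)`. If the automatic one is intended, the interface should be renamed and its summary should say that it changes the default domain for the caller's bin executions. The summary added here ("Execute a file in a bin directory in the initrc_t domain") does not distinguish the two.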
@@ -856,9 +1031,14 @@
 interface(`init_labeled_script_domtrans',`
 	gen_require(`
 		type initrc_t;
+		attribute initrc_transition_domain;
 	')
 
+	typeattribute $1 initrc_transition_domain;
+	# service script searches all filesystems via mountpoint
+	fs_search_all($1)
 	domtrans_pattern($1, $2, initrc_t)
+	allow $1 $2:file ioctl;
 	files_search_etc($1)
 ')
 
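Review bot: The comment on `fs_search_all($1)` says the service script searches all filesystems, but the rule grants the search to `$1`, the domain that starts the script, not to initrc_t where the script runs after `domtrans_pattern($1, $2, initrc_t)`. Every caller of this interface therefore gains directory search on all filesystem types. If the caller really needs that to reach the script, reword the comment, e.g. `# the calling domain must search mountpoints to reach the script`; otherwise the grant belongs on initrc_t in the .te file. The added `allow $1 $2:file ioctl;` should also carry a one-line reason. The interface header is outside the hunk.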
@@ -949,7 +1129,9 @@
 		type init_t;
 	')
 
-	allow $1 init_t:process ptrace;
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 init_t:process ptrace;
+	')
 ')
 
 ########################################
@@ -1067,6 +1249,24 @@
 
 #######################################
 ## <summary>
+##	Dontaudit getattr all init script files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`init_dontaudit_getattr_all_script_files',`
+	gen_require(`
+		attribute init_script_file_type;
+	')
+
+	dontaudit $1 init_script_file_type:file getattr;
+')
+
+#######################################
+## <summary>
 ##	Dontaudit read all init script files.
 ## </summary>
 ## <param name="domain">
@@ -1118,12 +1318,7 @@
 	')
 
 	kernel_search_proc($1)
-	read_files_pattern($1, initrc_t, initrc_t)
-	read_lnk_files_pattern($1, initrc_t, initrc_t)
-	list_dirs_pattern($1, initrc_t, initrc_t)
-
-	# should move this to separate interface
-	allow $1 initrc_t:process getattr;
+	ps_process_pattern($1, initrc_t)
 ')
 
 ########################################
@@ -1349,6 +1544,27 @@
 ########################################
 ## <summary>
 ##	Send and receive messages from
+##	init over dbus.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_dbus_chat',`
+	gen_require(`
+		type init_t;
+		class dbus send_msg;
+	')
+
+	allow $1 init_t:dbus send_msg;
+	allow init_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+##	Send and receive messages from
 ##	init scripts over dbus.
 ## </summary>
 ## <param name="domain">
@@ -1435,6 +1651,25 @@
 
 ########################################
 ## <summary>
+##	Manage init script
+##	status files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_manage_script_status_files',`
+	gen_require(`
+		type initrc_state_t;
+	')
+
+	manage_files_pattern($1, initrc_state_t, initrc_state_t)
+')
+
+########################################
+## <summary>
 ##	Do not audit attempts to read init script
 ##	status files.
 ## </summary>
@@ -1493,6 +1728,24 @@
 
 ########################################
 ## <summary>
+##	Read and write init script inherited temporary data.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_rw_inherited_script_tmp_files',`
+	gen_require(`
+		type initrc_tmp_t;
+	')
+
+	allow $1 initrc_tmp_t:file rw_inherited_file_perms;
+')
+
+########################################
+## <summary>
 ##	Create files in a init script
 ##	temporary data directory.
 ## </summary>
@@ -1560,6 +1813,24 @@
 
 ########################################
 ## <summary>
+##	Do not audit attempts to read utmp.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`init_dontaudit_read_utmp',`
+	gen_require(`
+		type initrc_var_run_t;
+	')
+
+	dontaudit $1 initrc_var_run_t:file read_file_perms;
+')
+
+########################################
+## <summary>
 ##	Do not audit attempts to write utmp.
 ## </summary>
 ## <param name="domain">
@@ -1648,7 +1919,7 @@
 		type initrc_var_run_t;
 	')
 
-	dontaudit $1 initrc_var_run_t:file { getattr read write append lock };
+	dontaudit $1 initrc_var_run_t:file rw_file_perms;
 ')
 
 ########################################
@@ -1689,6 +1960,128 @@
 	files_pid_filetrans($1, initrc_var_run_t, file)
 ')
 
+######################################
+## <summary>
+##  Allow search  directory in the /run/systemd directory.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`init_search_pid_dirs',`
+    gen_require(`
+        type init_var_run_t;
+    ')
+
+    allow $1 init_var_run_t:dir search_dir_perms;
+')
+
+######################################
+## <summary>
+##  Allow listing of the /run/systemd directory.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`init_list_pid_dirs',`
+    gen_require(`
+        type init_var_run_t;
+    ')
+
+    allow $1 init_var_run_t:dir list_dir_perms;
+')
+
+#######################################
+## <summary>
+##  Create a directory in the /run/systemd directory.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`init_create_pid_dirs',`
+    gen_require(`
+        type init_var_run_t;
+    ')
+
+    allow $1 init_var_run_t:dir list_dir_perms;
+    create_dirs_pattern($1, init_var_run_t, init_var_run_t)
+')
+
+#######################################
+## <summary>
+##  Create objects in /run/systemd directory
+##  with an automatic type transition to
+##  a specified private type.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+## <param name="private_type">
+##  <summary>
+##  The type of the object to create.
+##  </summary>
+## </param>
+## <param name="object_class">
+##  <summary>
+##  The class of the object to be created.
+##  </summary>
+## </param>
+#
+interface(`init_pid_filetrans',`
+    gen_require(`
+        type init_var_run_t;
+    ')
+
+	files_search_pids($1)
+	filetrans_pattern($1, init_var_run_t, $2, $3, $4)
+')
+
+#######################################
+## <summary>
+##	Create objects in /run/systemd directory
+##	with an automatic type transition to
+##	a specified private type.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="private_type">
+##	<summary>
+##	The type of the object to create.
+##	</summary>
+## </param>
+## <param name="object_class">
+##	<summary>
+##	The class of the object to be created.
+##	</summary>
+## </param>
+## <param name="object_name">
+##	<summary>
+##	The name of the object to be created.
+##	</summary>
+## </param>
+#
+interface(`init_named_pid_filetrans',`
+	gen_require(`
+		type init_var_run_t;
+	')
+
+	files_search_pids($1)
+	filetrans_pattern($1, init_var_run_t, $2, $3, $4)
+')
+
 ########################################
 ## <summary>
 ##	Allow the specified domain to connect to daemon with a tcp socket
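Review bot: `init_pid_filetrans` documents three parameters but passes a fourth, `filetrans_pattern($1, init_var_run_t, $2, $3, $4)`, which makes its body identical to `init_named_pid_filetrans` directly below it. Callers in this patch use it with three arguments, e.g. `init_pid_filetrans(systemd_logind_t, systemd_logind_var_run_t, dir)` in systemd.te, so `$4` expands to nothing there. I would make the unnamed variant `filetrans_pattern($1, init_var_run_t, $2, $3)` so the two interfaces differ as their documentation says. Whether `filetrans_pattern` in this policy version accepts a name argument at all is not visible here and should be checked for the named variant.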
@@ -1723,3 +2116,266 @@
 	')
 	corenet_udp_recvfrom_labeled($1, daemon)
 ')
+
+########################################
+## <summary>
+##	Transition to system_r when execute an init script
+## </summary>
+## <desc>
+##      <p>
+##	Execute a init script in a specified role
+##      </p>
+##      <p>
+##      No interprocess communication (signals, pipes,
+##      etc.) is provided by this interface since
+##      the domains are not owned by this module.
+##      </p>
+## </desc>
+## <param name="source_role">
+##	<summary>
+##	Role to transition from.
+##	</summary>
+## </param>
+#
+interface(`init_script_role_transition',`
+	gen_require(`
+		attribute init_script_file_type;
+	')
+
+	role_transition $1 init_script_file_type system_r;
+')
+
+########################################
+## <summary>
+##	dontaudit read and write an leaked init scrip file descriptors
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`init_dontaudit_script_leaks',`
+	gen_require(`
+		type initrc_t;
+	')
+
+	dontaudit $1 initrc_t:tcp_socket { read write };
+	dontaudit $1 initrc_t:udp_socket { read write };
+	dontaudit $1 initrc_t:unix_dgram_socket { read write };
+	dontaudit $1 initrc_t:unix_stream_socket { read write };
+	dontaudit $1 initrc_t:shm rw_shm_perms;
+	init_dontaudit_use_script_ptys($1)
+	init_dontaudit_use_script_fds($1)
+')
+
+#######################################
+## <summary>
+##  Allow the specified domain to ioctl an
+##  init with a unix domain stream sockets.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`init_ioctl_stream_sockets',`
+    gen_require(`
+        type init_t;
+    ')
+
+    allow $1 init_t:unix_stream_socket ioctl;
+')
+
+########################################
+## <summary>
+##	Allow the specified domain to read/write to
+##	init with a unix domain stream sockets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_rw_stream_sockets',`
+	gen_require(`
+		type init_t;
+	')
+
+	allow $1 init_t:unix_stream_socket rw_stream_socket_perms;
+')
+
+#######################################
+## <summary>
+##  Allow the specified domain to write to
+##  init sock file.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`init_write_pid_socket',`
+    gen_require(`
+        type init_var_run_t;
+    ')
+
+    allow $1 init_var_run_t:sock_file write;
+')
+
+########################################
+## <summary>
+##	Send a message to init over a unix domain
+##	datagram socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_dgram_send',`
+	gen_require(`
+		type init_t;
+	')
+
+	allow $1 init_t:unix_dgram_socket sendto;
+')
+
+########################################
+## <summary>
+##	Send a message to init over a unix domain
+##	stream socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_stream_send',`
+	gen_require(`
+		type init_t;
+	')
+
+	allow $1 init_t:unix_stream_socket sendto;
+')
+
+########################################
+## <summary>
+##	Create a file type used for init socket files.
+## </summary>
+## <desc>
+##	<p>
+##	This defines a type that init can create sock_file within for 
+##	impersonation purposes
+##	</p>
+## </desc>
+## <param name="script_file">
+##	<summary>
+##	Type to be used for a sock file.
+##	</summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`init_sock_file',`
+	gen_require(`
+		attribute init_sock_file_type;
+	')
+
+	typeattribute $1 init_sock_file_type;
+
+')
+
+########################################
+## <summary>
+##	Read init unnamed pipes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_read_pipes',`
+	gen_require(`
+		type init_var_run_t;
+	')
+
+	read_fifo_files_pattern($1, init_var_run_t, init_var_run_t)
+')
+
+########################################
+## <summary>
+##	Get the system status information from init
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_status',`
+	gen_require(`
+		type init_t;
+	')
+
+	allow $1 init_t:system status;
+')
+
+########################################
+## <summary>
+##	Tell init to reboot the system.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_reboot',`
+	gen_require(`
+		type init_t;
+	')
+
+	allow $1 init_t:system reboot;
+')
+
+########################################
+## <summary>
+##	Tell init to halt the system.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_halt',`
+	gen_require(`
+		type init_t;
+	')
+
+	allow $1 init_t:system halt;
+')
+
+########################################
+## <summary>
+##	Tell init to do an unknown access.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_undefined',`
+	gen_require(`
+		type init_t;
+	')
+
+	allow $1 init_t:system undefined;
+')
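Review bot: `init_stream_send` grants `allow $1 init_t:unix_stream_socket sendto;`, which probably permits nothing its summary ("Send a message to init over a unix domain stream socket") promises. As far as I know the kernel checks `sendto` only for unix datagram sockets and checks `connectto` when a stream socket connects. The earlier hunk at `@@ -676,19 +822,25 @@` already uses `allow $1 init_t:unix_stream_socket connectto;` for the stream case, and systemd.te calls `init_stream_connect`. If callers need to reach init's stream socket, the rule should be `allow $1 init_t:unix_stream_socket connectto;`, or the interface should be dropped in favour of the existing stream-connect one. Confirm against an audit denial before changing it.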
Index: refpolicy-2.20110726/policy/modules/system/unconfined.if
===================================================================
--- refpolicy-2.20110726.orig/policy/modules/system/unconfined.if	2012-06-30 12:31:59.860472121 +1000
+++ refpolicy-2.20110726/policy/modules/system/unconfined.if	2012-06-30 12:32:00.268479757 +1000
@@ -132,48 +132,6 @@
 
 ########################################
 ## <summary>
-##	Transition to the unconfined domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed to transition.
-##	</summary>
-## </param>
-#
-interface(`unconfined_domtrans',`
-	gen_require(`
-		type unconfined_t, unconfined_exec_t;
-	')
-
-	domtrans_pattern($1, unconfined_exec_t, unconfined_t)
-')
-
-########################################
-## <summary>
-##	Execute specified programs in the unconfined domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed to transition.
-##	</summary>
-## </param>
-## <param name="role">
-##	<summary>
-##	The role to allow the unconfined domain.
-##	</summary>
-## </param>
-#
-interface(`unconfined_run',`
-	gen_require(`
-		type unconfined_t;
-	')
-
-	unconfined_domtrans($1)
-	role $2 types unconfined_t;
-')
-
-########################################
-## <summary>
 ##	Transition to the unconfined domain by executing a shell.
 ## </summary>
 ## <param name="domain">
@@ -667,3 +625,211 @@
 
 	allow $1 unconfined_tmp_t:file { getattr write append };
 ')
+
+
+########################################
+## <summary>
+##	Change from the unconfineduser role.
+## </summary>
+## <desc>
+##	<p>
+##	Change from the unconfineduser role to
+##	the specified role.
+##	</p>
+##	<p>
+##	This is an interface to support third party modules
+##	and its use is not allowed in upstream reference
+##	policy.
+##	</p>
+## </desc>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`unconfined_role_change_to',`
+	gen_require(`
+		role unconfined_r;
+	')
+
+	allow unconfined_r $1;
+')
+
+########################################
+## <summary>
+##	Transition to the unconfined domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`unconfined_domtrans',`
+	gen_require(`
+		type unconfined_t, unconfined_exec_t;
+	')
+
+	domtrans_pattern($1,unconfined_exec_t,unconfined_t)
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to read and write
+##	unconfined domain stream.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`unconfined_dontaudit_rw_stream',`
+	gen_require(`
+		type unconfined_t;
+	')
+
+	dontaudit $1 unconfined_t:unix_stream_socket rw_socket_perms;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to read or write
+##	unconfined domain packet sockets.
+## </summary>
+## <desc>
+##	<p>
+##	Do not audit attempts to read or write
+##	unconfined domain packet sockets.
+##	</p>
+##	<p>
+##	This interface was added due to a broken
+##	symptom.
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`unconfined_dontaudit_rw_packet_sockets',`
+	gen_require(`
+		type unconfined_t;
+	')
+
+	dontaudit $1 unconfined_t:packet_socket { read write };
+')
+
+########################################
+## <summary>
+##	Allow ptrace of unconfined domain
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`unconfined_ptrace',`
+	gen_require(`
+		type unconfined_t;
+	')
+
+	allow $1 unconfined_t:process ptrace;
+')
+
+########################################
+## <summary>
+##	Read and write to unconfined shared memory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`unconfined_rw_shm',`
+	gen_require(`
+		type unconfined_t;
+	')
+
+	allow $1 unconfined_t:shm rw_shm_perms;
+')
+
+########################################
+## <summary>
+##	Allow apps to set rlimits on userdomain
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`unconfined_set_rlimitnh',`
+	gen_require(`
+		type unconfined_t;
+	')
+
+	allow $1 unconfined_t:process rlimitinh;
+')
+
+########################################
+## <summary>
+##	Get the process group of unconfined.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`unconfined_getpgid',`
+	gen_require(`
+		type unconfined_t;
+	')
+
+	allow $1 unconfined_t:process getpgid;
+')
+
+########################################
+## <summary>
+##	Change to the unconfined role.
+## </summary>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`unconfined_role_change',`
+	gen_require(`
+		role unconfined_r;
+	')
+
+	allow $1 unconfined_r;
+')
+
+########################################
+## <summary>
+##	Allow domain to attach to TUN devices created by unconfined_t users.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`unconfined_attach_tun_iface',`
+	gen_require(`
+		type unconfined_t;
+	')
+
+	allow $1 unconfined_t:tun_socket relabelfrom;
+	allow $1 self:tun_socket relabelto;
+')
+
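Review bot: The new `unconfined_ptrace` grants `allow $1 unconfined_t:process ptrace;` unconditionally, while the init.if part of this same patch moves the equivalent grant on init_t behind the `deny_ptrace` tunable. With that boolean enabled, callers of this interface would still be allowed to ptrace unconfined processes, so the tunable would not mean what its name says. I would wrap the allow rule in the same `tunable_policy` block on `deny_ptrace`, with an empty true branch and the rule in the false branch, exactly as the init.if hunk does.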
Index: refpolicy-2.20110726/policy/modules/system/systemd.te
===================================================================
--- /dev/null	1970-01-01 00:00:00.000000000 +0000
+++ refpolicy-2.20110726/policy/modules/system/systemd.te	2012-06-30 12:32:45.285314741 +1000
@@ -0,0 +1,402 @@
+policy_module(systemd, 1.0.0)
+
+#######################################
+#
+# Declarations
+#
+
+attribute systemd_unit_file_type;
+attribute systemd_domain;
+attribute systemctl_domain;
+
+type systemd_logger_t;
+type systemd_logger_exec_t;
+init_systemd_domain(systemd_logger_t, systemd_logger_exec_t)
+
+type systemd_logind_t;
+type systemd_logind_exec_t;
+init_systemd_domain(systemd_logind_t, systemd_logind_exec_t)
+
+# /run/systemd/sessions
+type systemd_logind_sessions_t;
+files_pid_file(systemd_logind_sessions_t)
+
+# /run/systemd/{seats, users}
+type systemd_logind_var_run_t;
+files_pid_file(systemd_logind_var_run_t)
+
+# domain for systemd-tty-ask-password-agent and systemd-gnome-ask-password-agent
+# systemd components
+
+type systemd_passwd_agent_t;
+type systemd_passwd_agent_exec_t;
+init_daemon_domain(systemd_passwd_agent_t, systemd_passwd_agent_exec_t)
+
+type systemd_passwd_var_run_t alias systemd_device_t;
+files_pid_file(systemd_passwd_var_run_t)
+
+# domain for systemd-tmpfiles component
+type systemd_tmpfiles_t;
+type systemd_tmpfiles_exec_t;
+init_systemd_domain(systemd_tmpfiles_t, systemd_tmpfiles_exec_t)
+
+type systemd_notify_t;
+type systemd_notify_exec_t;
+init_systemd_domain(systemd_notify_t, systemd_notify_exec_t)
+
+# type for systemd unit files
+type systemd_unit_file_t;
+systemd_unit_file(systemd_unit_file_t)
+
+# executable for systemctl
+type systemd_systemctl_exec_t;
+corecmd_executable_file(systemd_systemctl_exec_t)
+
+#######################################
+#
+# Systemd_logind local policy
+#
+
+# dac_override is for /run/user/$USER ($USER ownership is $USER:$USER)
+allow systemd_logind_t self:capability { chown kill dac_override fowner sys_tty_config };
+allow systemd_logind_t self:process getcap;
+allow systemd_logind_t self:netlink_kobject_uevent_socket create_socket_perms;
+allow systemd_logind_t self:unix_dgram_socket create_socket_perms;
+
+manage_dirs_pattern(systemd_logind_t, { systemd_logind_sessions_t systemd_logind_var_run_t }, { systemd_logind_sessions_t systemd_logind_var_run_t })
+manage_files_pattern(systemd_logind_t, { systemd_logind_sessions_t systemd_logind_var_run_t }, { systemd_logind_var_run_t systemd_logind_sessions_t })
+manage_fifo_files_pattern(systemd_logind_t, systemd_logind_sessions_t, { systemd_logind_sessions_t systemd_logind_var_run_t })
+init_pid_filetrans(systemd_logind_t, systemd_logind_var_run_t, dir)
+init_status(systemd_logind_t)
+init_reboot(systemd_logind_t)
+init_halt(systemd_logind_t)
+init_undefined(systemd_logind_t)
+
+kernel_read_system_state(systemd_logind_t)
+selinux_search_fs(systemd_logind_t)
+selinux_getattr_fs(systemd_logind_t)
+
+dev_getattr_all_chr_files(systemd_logind_t)
+dev_getattr_all_blk_files(systemd_logind_t)
+dev_rw_sysfs(systemd_logind_t)
+dev_setattr_all_chr_files(systemd_logind_t)
+dev_setattr_dri_dev(systemd_logind_t)
+dev_setattr_generic_usb_dev(systemd_logind_t)
+dev_setattr_input_dev(systemd_logind_t)
+dev_setattr_kvm_dev(systemd_logind_t)
+dev_setattr_mouse_dev(systemd_logind_t)
+dev_setattr_sound_dev(systemd_logind_t)
+dev_setattr_video_dev(systemd_logind_t)
+dev_write_kmsg(systemd_logind_t)
+
+domain_read_all_domains_state(systemd_logind_t)
+
+# /etc/udev/udev.conf should probably have a private type if only for confined administration
+# /etc/nsswitch.conf
+files_read_etc_files(systemd_logind_t)
+
+fs_getattr_xattr_fs(systemd_logind_t)
+# /sys/fs/cgroup/systemd/user
+fs_manage_cgroup_dirs(systemd_logind_t)
+# write getattr open setattr
+fs_manage_cgroup_files(systemd_logind_t)
+
+mcs_killall(systemd_logind_t)
+
+storage_setattr_removable_dev(systemd_logind_t)
+storage_setattr_scsi_generic_dev(systemd_logind_t)
+
+term_use_unallocated_ttys(systemd_logind_t)
+
+# /run/user/.*
+# Actually only have proof of it creating dirs and symlinks (/run/user/$USER/X11/display)
+auth_manage_var_auth(systemd_logind_t)
+auth_use_nsswitch(systemd_logind_t)
+
+init_dbus_chat(systemd_logind_t)
+init_dbus_chat_script(systemd_logind_t)
+init_read_script_state(systemd_logind_t)
+init_read_state(systemd_logind_t)
+init_rw_stream_sockets(systemd_logind_t)
+
+logging_send_syslog_msg(systemd_logind_t)
+
+miscfiles_read_localization(systemd_logind_t)
+
+udev_read_db(systemd_logind_t)
+udev_manage_rules_files(systemd_logind_t)
+udev_list_table_dir(systemd_logind_t)
+
+userdom_read_all_users_state(systemd_logind_t)
+userdom_use_user_ttys(systemd_logind_t)
+userdom_manage_user_tmp_dirs(systemd_logind_t)
+userdom_manage_user_tmp_files(systemd_logind_t)
+userdom_manage_user_tmp_symlinks(systemd_logind_t)
+userdom_manage_user_tmp_sockets(systemd_logind_t)
+userdom_signal_all_users(systemd_logind_t)
+userdom_signull_all_users(systemd_logind_t)
+userdom_kill_all_users(systemd_logind_t)
+
+application_signal(systemd_logind_t)
+application_signull(systemd_logind_t)
+application_sigkill(systemd_logind_t)
+
+optional_policy(`
+	cron_dbus_chat_crond(systemd_logind_t)
+	cron_read_state_crond(systemd_logind_t)
+	cron_signal(systemd_logind_t)
+')
+
+optional_policy(`
+	dbus_connect_system_bus(systemd_logind_t)
+	dbus_system_bus_client(systemd_logind_t)
+')
+
+optional_policy(`
+	devicekit_dbus_chat_power(systemd_logind_t)
+')
+
+#optional_policy(`
+#	# we label /run/user/$USER/dconf as config_home_t
+#	gnome_manage_home_config_dirs(systemd_logind_t)
+#	gnome_manage_home_config(systemd_logind_t)
+#')
+
+optional_policy(`
+	policykit_dbus_chat(systemd_logind_t)
+')
+
+
+#######################################
+#
+# Local policy
+#
+
+allow systemd_passwd_agent_t self:capability { chown sys_tty_config dac_override };
+allow systemd_passwd_agent_t self:process { setfscreate setsockcreate signal };
+allow systemd_passwd_agent_t self:unix_dgram_socket create_socket_perms;
+
+manage_dirs_pattern(systemd_passwd_agent_t, systemd_passwd_var_run_t, systemd_passwd_var_run_t);
+manage_files_pattern(systemd_passwd_agent_t, systemd_passwd_var_run_t, systemd_passwd_var_run_t);
+manage_sock_files_pattern(systemd_passwd_agent_t, systemd_passwd_var_run_t, systemd_passwd_var_run_t);
+manage_fifo_files_pattern(systemd_passwd_agent_t, systemd_passwd_var_run_t, systemd_passwd_var_run_t);
+init_pid_filetrans(systemd_passwd_agent_t, systemd_passwd_var_run_t, { dir fifo_file file })
+
+fs_getattr_xattr_fs(systemd_passwd_agent_t)
+kernel_read_system_state(systemd_passwd_agent_t)
+kernel_stream_connect(systemd_passwd_agent_t)
+
+files_read_etc_files(systemd_passwd_agent_t)
+
+dev_create_generic_dirs(systemd_passwd_agent_t)
+dev_read_generic_files(systemd_passwd_agent_t)
+dev_write_generic_sock_files(systemd_passwd_agent_t)
+
+term_read_console(systemd_passwd_agent_t)
+
+auth_use_nsswitch(systemd_passwd_agent_t)
+
+init_create_pid_dirs(systemd_passwd_agent_t)
+init_read_pipes(systemd_passwd_agent_t)
+init_read_utmp(systemd_passwd_agent_t)
+init_stream_connect(systemd_passwd_agent_t)
+
+miscfiles_read_localization(systemd_passwd_agent_t)
+
+userdom_use_user_ptys(systemd_passwd_agent_t)
+
+optional_policy(`
+	lvm_signull(systemd_passwd_agent_t)
+')
+
+optional_policy(`
+	plymouthd_stream_connect(systemd_passwd_agent_t)
+')
+
+#######################################
+#
+# Local policy
+#
+
+allow systemd_tmpfiles_t self:capability { chown dac_override fsetid fowner mknod };
+allow systemd_tmpfiles_t self:process { setfscreate };
+
+allow systemd_tmpfiles_t self:unix_dgram_socket create_socket_perms;
+
+kernel_read_network_state(systemd_tmpfiles_t)
+kernel_read_system_state(systemd_tmpfiles_t)
+
+dev_write_kmsg(systemd_tmpfiles_t)
+dev_relabel_all_sysfs(systemd_tmpfiles_t)
+dev_relabel_cpu_online(systemd_tmpfiles_t)
+dev_read_cpu_online(systemd_tmpfiles_t)
+dev_manage_printer(systemd_tmpfiles_t)
+dev_relabel_printer(systemd_tmpfiles_t)
+dev_create_generic_pipes(systemd_tmpfiles_t)
+
+domain_obj_id_change_exemption(systemd_tmpfiles_t)
+
+# systemd-tmpfiles relabel /run/lock and creates /run/lock/lockdev
+fs_manage_tmpfs_dirs(systemd_tmpfiles_t)
+fs_relabel_tmpfs_dirs(systemd_tmpfiles_t)
+fs_list_all(systemd_tmpfiles_t)
+fs_getattr_xattr_fs(systemd_tmpfiles_t)
+
+files_read_etc_files(systemd_tmpfiles_t)
+files_getattr_all_dirs(systemd_tmpfiles_t)
+files_getattr_all_files(systemd_tmpfiles_t)
+files_getattr_all_sockets(systemd_tmpfiles_t)
+files_getattr_all_symlinks(systemd_tmpfiles_t)
+files_relabel_all_lock_dirs(systemd_tmpfiles_t)
+files_relabel_all_pid_dirs(systemd_tmpfiles_t)
+files_relabel_all_pid_files(systemd_tmpfiles_t)
+files_manage_all_pids(systemd_tmpfiles_t)
+files_manage_all_pid_dirs(systemd_tmpfiles_t)
+files_manage_all_locks(systemd_tmpfiles_t)
+files_setattr_all_tmp_dirs(systemd_tmpfiles_t)
+files_delete_boot_flag(systemd_tmpfiles_t)
+files_delete_all_non_security_files(systemd_tmpfiles_t)
+files_delete_all_pid_sockets(systemd_tmpfiles_t)
+files_delete_all_pid_pipes(systemd_tmpfiles_t)
+files_purge_tmp(systemd_tmpfiles_t)
+files_manage_generic_tmp_files(systemd_tmpfiles_t)
+files_manage_generic_tmp_dirs(systemd_tmpfiles_t)
+files_relabelfrom_tmp_dirs(systemd_tmpfiles_t)
+files_relabelfrom_tmp_files(systemd_tmpfiles_t)
+files_relabel_all_tmp_dirs(systemd_tmpfiles_t)
+files_relabel_all_tmp_files(systemd_tmpfiles_t)
+files_list_lost_found(systemd_tmpfiles_t)
+
+mcs_file_read_all(systemd_tmpfiles_t)
+mcs_file_write_all(systemd_tmpfiles_t)
+mls_file_read_all_levels(systemd_tmpfiles_t)
+mls_file_write_all_levels(systemd_tmpfiles_t)
+
+selinux_get_enforce_mode(systemd_tmpfiles_t)
+selinux_getattr_fs(systemd_tmpfiles_t)
+
+auth_manage_var_auth(systemd_tmpfiles_t)
+auth_append_faillog(systemd_tmpfiles_t)
+auth_relabel_login_records(systemd_tmpfiles_t)
+auth_setattr_login_records(systemd_tmpfiles_t)
+auth_use_nsswitch(systemd_tmpfiles_t)
+
+init_dgram_send(systemd_tmpfiles_t)
+init_rw_stream_sockets(systemd_tmpfiles_t)
+
+logging_create_devlog_dev(systemd_tmpfiles_t)
+logging_send_syslog_msg(systemd_tmpfiles_t)
+
+miscfiles_manage_man_pages(systemd_tmpfiles_t)
+miscfiles_read_localization(systemd_tmpfiles_t)
+
+seutil_read_config(systemd_tmpfiles_t)
+seutil_read_file_contexts(systemd_tmpfiles_t)
+
+ifdef(`distro_redhat',`
+	userdom_list_user_home_content(systemd_tmpfiles_t)
+	userdom_delete_all_user_home_content_dirs(systemd_tmpfiles_t)
+	userdom_delete_all_user_home_content_files(systemd_tmpfiles_t)
+	userdom_delete_all_user_home_content_sock_files(systemd_tmpfiles_t)
+	userdom_delete_all_user_home_content_symlinks(systemd_tmpfiles_t)
+	userdom_delete_admin_home_files(systemd_tmpfiles_t)
+')
+
+optional_policy(`
+	apache_list_cache(systemd_tmpfiles_t)
+	apache_delete_cache_files(systemd_tmpfiles_t)
+	apache_setattr_cache_dirs(systemd_tmpfiles_t)
+')
+
+
+optional_policy(`
+    auth_rw_login_records(systemd_tmpfiles_t)
+')
+
+#optional_policy(`
+#	# we have /run/user/$USER/dconf 
+#	gnome_delete_home_config(systemd_tmpfiles_t)
+#	gnome_delete_home_config_dirs(systemd_tmpfiles_t)
+#	gnome_setattr_home_config_dirs(systemd_tmpfiles_t)
+#')
+
+optional_policy(`
+	rpm_read_db(systemd_tmpfiles_t)
+	rpm_delete_db(systemd_tmpfiles_t)
+')
+
+
+########################################
+#
+# systemd_notify local policy
+#
+allow systemd_notify_t self:capability chown;
+allow systemd_notify_t self:process { fork setfscreate setsockcreate };
+
+allow systemd_notify_t self:fifo_file rw_fifo_file_perms;
+allow systemd_notify_t self:unix_stream_socket create_stream_socket_perms;
+
+domain_use_interactive_fds(systemd_notify_t)
+
+files_read_etc_files(systemd_notify_t)
+files_read_usr_files(systemd_notify_t)
+
+fs_getattr_cgroup_files(systemd_notify_t)
+
+auth_use_nsswitch(systemd_notify_t)
+
+init_rw_stream_sockets(systemd_notify_t)
+
+miscfiles_read_localization(systemd_notify_t)
+
+########################################
+#
+# systemd_logger local policy
+#
+
+allow systemd_logger_t self:capability { sys_admin chown kill };
+allow systemd_logger_t self:process { fork setfscreate setsockcreate };
+
+allow systemd_logger_t self:fifo_file rw_fifo_file_perms;
+allow systemd_logger_t self:unix_stream_socket create_stream_socket_perms;
+
+kernel_use_fds(systemd_logger_t)
+
+dev_write_kmsg(systemd_logger_t)
+
+domain_use_interactive_fds(systemd_logger_t)
+
+files_read_etc_files(systemd_logger_t)
+files_read_usr_files(systemd_logger_t)
+
+# only needs write
+term_use_generic_ptys(systemd_logger_t)
+
+auth_use_nsswitch(systemd_logger_t)
+
+# /run/systemd/notify
+init_write_pid_socket(systemd_logger_t)
+
+logging_send_syslog_msg(systemd_logger_t)
+
+miscfiles_read_localization(systemd_logger_t)
+
+
+########################################
+#
+# systemd_sysctl domains local policy
+#
+
+allow systemctl_domain systemd_unit_file_type:dir search_dir_perms;
+
+fs_list_cgroup_dirs(systemctl_domain)
+fs_read_cgroup_files(systemctl_domain)
+
+# needed by systemctl
+init_dgram_send(systemctl_domain)
+init_stream_connect(systemctl_domain)
+init_read_state(systemctl_domain)
+init_list_pid_dirs(systemctl_domain)
+init_use_fds(systemctl_domain)
+
+miscfiles_read_localization(systemctl_domain)
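Review bot: `allow systemd_logger_t self:capability { sys_admin chown kill };` gives the logger CAP_SYS_ADMIN with no comment, while the rest of its policy only shows it writing to kmsg, syslog, generic ptys and init's notify socket. The logind block documents its broad capability (`# dac_override is for /run/user/$USER ...`). This block should either say what needs `sys_admin` or drop it, e.g. `allow systemd_logger_t self:capability { chown kill };`, re-adding it only if a denial shows it is required. The last section header also reads "systemd_sysctl domains local policy" although the rules below it are for `systemctl_domain`.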
Index: refpolicy-2.20110726/policy/modules/system/iptables.fc
===================================================================
--- refpolicy-2.20110726.orig/policy/modules/system/iptables.fc	2012-06-30 12:31:47.440239041 +1000
+++ refpolicy-2.20110726/policy/modules/system/iptables.fc	2012-06-30 12:32:00.268479757 +1000
@@ -3,6 +3,9 @@
 /etc/sysconfig/ip6?tables.*	--	gen_context(system_u:object_r:iptables_conf_t,s0)
 /etc/sysconfig/system-config-firewall.* -- gen_context(system_u:object_r:iptables_conf_t,s0)
 
+/lib/systemd/system/iptables.service -- gen_context(system_u:object_r:iptables_unit_file_t,s0)
+/lib/systemd/system/ip6tables.service -- gen_context(system_u:object_r:iptables_unit_file_t,s0)
+
 /sbin/ebtables			--	gen_context(system_u:object_r:iptables_exec_t,s0)
 /sbin/ebtables-restore		--	gen_context(system_u:object_r:iptables_exec_t,s0)
 /sbin/ipchains.*		--	gen_context(system_u:object_r:iptables_exec_t,s0)
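Review bot: The two added unit-file entries leave the `.` before `service` unescaped and only cover `/lib/systemd/system`. Unless a path-equivalence rule maps the two trees, a copy installed under `/usr/lib/systemd/system` would presumably fall through to the generic `systemd_unit_file_t` entry that systemd.fc adds for that directory. That matters because `service` permissions are granted per unit-file type, so a unit carrying the generic label is controlled by whoever may manage generic units. I would write the pattern as `/lib/systemd/system/ip6?tables\.service` and add the matching `/usr/lib/systemd/system/` line. The `auditd\.service` entry in logging.fc escapes the dot but has the same `/lib`-only gap.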
Index: refpolicy-2.20110726/policy/modules/system/systemd.fc
===================================================================
--- /dev/null	1970-01-01 00:00:00.000000000 +0000
+++ refpolicy-2.20110726/policy/modules/system/systemd.fc	2012-06-30 12:32:00.268479757 +1000
@@ -0,0 +1,29 @@
+/bin/systemd-notify				--		gen_context(system_u:object_r:systemd_notify_exec_t,s0)
+/bin/systemctl					--	gen_context(system_u:object_r:systemd_systemctl_exec_t,s0)
+/bin/systemd-tty-ask-password-agent		--		gen_context(system_u:object_r:systemd_passwd_agent_exec_t,s0)
+/bin/systemd-tmpfiles				--		gen_context(system_u:object_r:systemd_tmpfiles_exec_t,s0)
+
+/usr/bin/systemctl				--	gen_context(system_u:object_r:systemd_systemctl_exec_t,s0)
+/usr/bin/systemd-gnome-ask-password-agent	--		gen_context(system_u:object_r:systemd_passwd_agent_exec_t,s0)
+/usr/bin/systemd-notify				--		gen_context(system_u:object_r:systemd_notify_exec_t,s0)
+/usr/bin/systemd-tmpfiles			--		gen_context(system_u:object_r:systemd_tmpfiles_exec_t,s0)
+/usr/bin/systemd-tty-ask-password-agent		--		gen_context(system_u:object_r:systemd_passwd_agent_exec_t,s0)
+
+
+/lib/systemd/system(/.*)?		gen_context(system_u:object_r:systemd_unit_file_t,s0)
+/lib/systemd/systemd-logind	--	gen_context(system_u:object_r:systemd_logind_exec_t,s0)
+/lib/systemd/systemd-logger	--	gen_context(system_u:object_r:systemd_logger_exec_t,s0)
+/lib/systemd/systemd-tmpfiles				--		gen_context(system_u:object_r:systemd_tmpfiles_exec_t,s0)
+
+/usr/lib/systemd/system(/.*)?		gen_context(system_u:object_r:systemd_unit_file_t,s0)
+/usr/lib/systemd/systemd-logind	--	gen_context(system_u:object_r:systemd_logind_exec_t,s0)
+/usr/lib/systemd/systemd-logger	--	gen_context(system_u:object_r:systemd_logger_exec_t,s0)
+/usr/lib/systemd/systemd-tmpfiles				--		gen_context(system_u:object_r:systemd_tmpfiles_exec_t,s0)
+
+/var/run/systemd/seats(/.*)?	gen_context(system_u:object_r:systemd_logind_var_run_t,s0)
+/var/run/systemd/sessions(/.*)?	gen_context(system_u:object_r:systemd_logind_sessions_t,s0)
+/var/run/systemd/users(/.*)?	gen_context(system_u:object_r:systemd_logind_var_run_t,s0)
+/var/run/systemd/ask-password-block(/.*)?	gen_context(system_u:object_r:systemd_passwd_var_run_t,s0)
+/var/run/systemd/generator(/.*)?	gen_context(system_u:object_r:systemd_passwd_var_run_t,s0)
+/var/run/systemd/ask-password(/.*)?	gen_context(system_u:object_r:systemd_passwd_var_run_t,s0)
+/var/run/initramfs(/.*)?	<<none>>
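Review bot: `/var/run/systemd/generator(/.*)?` is labelled `systemd_passwd_var_run_t`, which looks copied from the two ask-password lines around it rather than chosen for that directory. The generator directory normally holds unit files written by the programs that init.fc labels under `system-generators/`, so a unit-file type (or at least `init_var_run_t`, which init.fc gives the rest of `/var/run/systemd`) seems the intended label; please confirm against what the password agent actually needs. If it is deliberate, a one-line comment above the entry, for example `# generator output is read by the password agent`, would keep it from being "fixed" later.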
Index: refpolicy-2.20110726/policy/modules/system/logging.if
===================================================================
--- refpolicy-2.20110726.orig/policy/modules/system/logging.if	2012-06-30 12:31:58.136439834 +1000
+++ refpolicy-2.20110726/policy/modules/system/logging.if	2012-06-30 12:32:00.268479757 +1000
@@ -303,7 +303,7 @@
 
 ########################################
 ## <summary>
-##	Connect to the audit dispatcher over an unix stream socket.
+##	Connect to the audit dispatcher over a unix stream socket.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -476,6 +476,63 @@
 	filetrans_pattern($1, var_log_t, $2, $3)
 ')
 
+#######################################
+## <summary>
+##  Create an object in the log directory, with a private type.
+## </summary>
+## <desc>
+##  <p>
+##  Allow the specified domain to create an object
+##  in the general system log directories (e.g., /var/log)
+##  with a private type.  Typically this is used for creating
+##  private log files in /var/log with the private type instead
+##  of the general system log type. To accomplish this goal,
+##  either the program must be SELinux-aware, or use this interface.
+##  </p>
+##  <p>
+##  Related interfaces:
+##  </p>
+##  <ul>
+##      <li>logging_log_file()</li>
+##  </ul>
+##  <p>
+##  Example usage with a domain that can create
+##  and append to a private log file stored in the
+##  general directories (e.g., /var/log):
+##  </p>
+##  <p>
+##  type mylogfile_t;
+##  logging_log_file(mylogfile_t)
+##  allow mydomain_t mylogfile_t:file { create_file_perms append_file_perms };
+##  logging_log_filetrans(mydomain_t, mylogfile_t, file)
+##  </p>
+## </desc>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+## <param name="private type">
+##  <summary>
+##  The type of the object to be created.
+##  </summary>
+## </param>
+## <param name="object">
+##  <summary>
+##  The object class of the object being created.
+##  </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`logging_log_named_filetrans',`
+    gen_require(`
+        type var_log_t;
+    ')
+
+    files_search_var($1)
+    filetrans_pattern($1, var_log_t, $2, $3, $4)
+')
+
 ########################################
 ## <summary>
 ##	Send system log messages.
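Review bot: `logging_log_named_filetrans` passes `$4` to `filetrans_pattern`, but the header documents only three parameters and its example calls `logging_log_filetrans` instead of the new interface. A fourth `<param name="name">` block with a summary such as `The name of the object being created.` is missing, and the example line should read `logging_log_named_filetrans(mydomain_t, mylogfile_t, file, "mylog")` (the file name here is a constructed sample). Without it a caller who follows the documentation omits the name and gets an unnamed transition.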
@@ -530,6 +587,45 @@
 
 ########################################
 ## <summary>
+##	Connect to the syslog control unix stream socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`logging_create_devlog_dev',`
+	gen_require(`
+		type devlog_t;
+	')
+
+	allow $1 devlog_t:sock_file manage_sock_file_perms;
+	dev_filetrans($1, devlog_t, sock_file)
+	init_pid_filetrans($1, devlog_t, sock_file, "syslog")
+')
+
+########################################
+## <summary>
+##	Connect to the syslog control unix stream socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`logging_stream_connect_syslog',`
+	gen_require(`
+		type syslogd_t, syslogd_var_run_t;
+	')
+
+	files_search_pids($1)
+	stream_connect_pattern($1, syslogd_var_run_t, syslogd_var_run_t, syslogd_t)
+')
+
+########################################
+## <summary>
 ##	Read the auditd configuration files.
 ## </summary>
 ## <param name="domain">
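Review bot: The summary on `logging_create_devlog_dev` is a copy of the one on `logging_stream_connect_syslog` and does not describe what the interface grants. The body gives the caller `manage_sock_file_perms` on `devlog_t` socket files and two type transitions, which is the ability to create and replace the log socket, not to connect to a control socket. I would change its summary to `##	Create and manage the syslog device socket (devlog_t), with type transitions in /dev and the init pid directory.` so reviewers of calling modules can see how much is being delegated.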
@@ -719,7 +815,25 @@
 	')
 
 	files_search_var($1)
-	append_files_pattern($1, var_log_t, logfile)
+	append_files_pattern($1, logfile, logfile)
+')
+
+########################################
+## <summary>
+##	Append to all log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`logging_inherit_append_all_logs',`
+	gen_require(`
+		attribute logfile;
+	')
+
+	allow $1 logfile:file { getattr append ioctl lock };
 ')
 
 ########################################
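Review bot: `logging_inherit_append_all_logs` carries the same summary, `Append to all log files.`, as the interface it follows, so the generated documentation cannot tell the two apart. Its allow rule grants `getattr append ioctl lock` without `open` and without any directory search, which only works on descriptors the domain inherited. The summary should say so, for example `##	Append to all log files through inherited file descriptors.` The first change in this hunk, replacing `var_log_t` with `logfile` as the directory type in `append_files_pattern`, sits in an interface whose header is outside the hunk.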
@@ -802,7 +916,7 @@
 
 	files_search_var($1)
 	manage_files_pattern($1, logfile, logfile)
-	read_lnk_files_pattern($1, logfile, logfile)
+	manage_lnk_files_pattern($1, logfile, logfile)
 ')
 
 ########################################
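Review bot: Replacing `read_lnk_files_pattern` with `manage_lnk_files_pattern` lets every caller of this interface create, replace and delete symbolic links in all `logfile` directories, and the hunk gives no reason for the wider grant. Later in this patch `syslogd_t` becomes a caller through `logging_manage_all_logs(syslogd_t)`, so a network-facing daemon gains link creation next to files that privileged tools rotate and rewrite. If only one domain needs it, I would keep `read_lnk_files_pattern` here and grant link management through a separate interface. If it must stay, add a comment naming the consumer, e.g. `# NOTE(review): symlink management needed by <caller>`. The interface header is outside the hunk.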
@@ -828,6 +942,44 @@
 
 ########################################
 ## <summary>
+##	Link generic log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`logging_link_generic_logs',`
+	gen_require(`
+		type var_log_t;
+	')
+
+	allow $1 var_log_t:file link;
+')
+
+########################################
+## <summary>
+##	Delete generic log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`logging_delete_generic_logs',`
+	gen_require(`
+		type var_log_t;
+	')
+
+	allow $1 var_log_t:file unlink;
+')
+
+########################################
+## <summary>
 ##	Write generic log files.
 ## </summary>
 ## <param name="domain">
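Review bot: `logging_delete_generic_logs` allows only `var_log_t:file unlink`, with no search or `remove_name` access on the containing directory, so a caller that relies on this interface alone will still be denied when it removes a file. The usual refpolicy form is `files_search_var($1)` followed by `delete_files_pattern($1, var_log_t, var_log_t)`, which keeps the directory and file permissions together. `logging_link_generic_logs` has the same shape and should either say in its summary that directory access comes from elsewhere or grant it. Both are marked `<rolecap/>`, so they will appear as role capabilities in the documentation despite being incomplete on their own.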
@@ -962,11 +1114,16 @@
 		type auditd_t, auditd_etc_t, auditd_log_t;
 		type auditd_var_run_t;
 		type auditd_initrc_exec_t;
+		type auditd_unit_file_t;
 	')
 
-	allow $1 auditd_t:process { ptrace signal_perms };
+	allow $1 auditd_t:process signal_perms;
 	ps_process_pattern($1, auditd_t)
 
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 auditd_t:process ptrace;
+	')
+
 	manage_dirs_pattern($1, auditd_etc_t, auditd_etc_t)
 	manage_files_pattern($1, auditd_etc_t, auditd_etc_t)
 
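Review bot: The `tunable_policy(`deny_ptrace',`',`...')` block puts the `ptrace` rule in the second, boolean-off branch behind an empty first branch, and there is no comment to say so. That idiom is easy to misread as "allow ptrace when deny_ptrace is on". A line such as `# ptrace is granted only while the deny_ptrace boolean is off` above the block would make the intent clear. The same construct appears for `syslogd_t` and `klogd_t` in the `@@ -1010,10 +1194,15 @@` hunk. The enclosing interface starts and ends outside this hunk, and the declaration of `deny_ptrace` is not visible here.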
@@ -982,6 +1139,33 @@
 	domain_system_change_exemption($1)
 	role_transition $2 auditd_initrc_exec_t system_r;
 	allow $2 system_r;
+
+	logging_systemctl_audit($1)
+	admin_pattern($1, auditd_unit_file_t)
+	allow $1 auditd_unit_file_t:service all_service_perms;
+')
+
+########################################
+## <summary>
+##	Execute auditd server in the auditd domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`logging_systemctl_audit',`
+	gen_require(`
+		type auditd_t;
+		type auditd_unit_file_t;
+	')
+
+	systemd_exec_systemctl($1)
+	allow $1 auditd_unit_file_t:file read_file_perms;
+	allow $1 auditd_unit_file_t:service manage_service_perms;
+
+	ps_process_pattern($1, auditd_t)
 ')
 
 ########################################
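Review bot: The header on `logging_systemctl_audit` says `Execute auditd server in the auditd domain.` and `Domain allowed to transition.`, but the body performs no domain transition. It lets the caller run systemctl, read `auditd_unit_file_t` files and hold `manage_service_perms` on the auditd unit, which presumably includes stopping the audit daemon. The summary should state that, for example `##	Execute systemctl to manage the auditd service unit.` with the parameter described as `Domain allowed access.` In the admin interface above, `allow $1 auditd_unit_file_t:service all_service_perms;` follows directly after the call that already grants the service permissions; a comment should say which extra permissions it is meant to add.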
@@ -1010,10 +1194,15 @@
 		type syslogd_initrc_exec_t;
 	')
 
-	allow $1 syslogd_t:process { ptrace signal_perms };
-	allow $1 klogd_t:process { ptrace signal_perms };
+	allow $1 self:capability2 syslog;
+	allow $1 syslogd_t:process signal_perms;
+	allow $1 klogd_t:process signal_perms;
 	ps_process_pattern($1, syslogd_t)
 	ps_process_pattern($1, klogd_t)
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 syslogd_t:process ptrace;
+		allow $1 klogd_t:process ptrace;
+	')
 
 	manage_dirs_pattern($1, klogd_var_run_t, klogd_var_run_t)
 	manage_files_pattern($1, klogd_var_run_t, klogd_var_run_t)
@@ -1035,6 +1224,8 @@
 	manage_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t)
 
 	logging_manage_all_logs($1)
+	allow $1 logfile:dir relabel_dir_perms;
+	allow $1 logfile:file relabel_file_perms;
 
 	init_labeled_script_domtrans($1, syslogd_initrc_exec_t)
 	domain_system_change_exemption($1)
@@ -1063,3 +1254,25 @@
 	logging_admin_audit($1, $2)
 	logging_admin_syslog($1, $2)
 ')
+
+########################################
+## <summary>
+##	Transition to logging named content
+## </summary>
+## <param name="domain">
+##	<summary>
+##      Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`logging_filetrans_named_content',`
+	gen_require(`
+		type var_log_t;
+		type audit_spool_t;
+	')
+
+	files_var_filetrans($1, var_log_t, dir, "webmin")
+	files_spool_filetrans($1, var_log_t, dir, "rsyslog")
+	files_spool_filetrans($1, var_log_t, dir, "log")
+	files_spool_filetrans($1, audit_spool_t, dir, "audit")
+')
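Review bot: `files_spool_filetrans($1, var_log_t, dir, "log")` creates a named transition for a directory called `log` under the spool directory, yet logging.fc has no entry for `/var/spool/log`, while it does label `/var/log` as `var_log_t`. This looks like it was meant to be `files_var_filetrans($1, var_log_t, dir, "log")`, matching the `webmin` line above it. As written, the runtime label and the file-context database would disagree, so a relabel would undo the transition. The summary `Transition to logging named content` could also list the four names it covers.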
Index: refpolicy-2.20110726/policy/modules/system/clock.if
===================================================================
--- refpolicy-2.20110726.orig/policy/modules/system/clock.if	2012-06-30 12:31:47.440239041 +1000
+++ refpolicy-2.20110726/policy/modules/system/clock.if	2012-06-30 12:32:00.272479839 +1000
@@ -82,6 +82,25 @@
 
 ########################################
 ## <summary>
+##     Read clock drift adjustments.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`clock_read_adjtime',`
+	gen_require(`
+		type adjtime_t;
+	')
+
+	allow $1 adjtime_t:file read_file_perms;
+	files_list_etc($1)
+')
+
+########################################
+## <summary>
 ##	Read and write clock drift adjustments.
 ## </summary>
 ## <param name="domain">
Index: refpolicy-2.20110726/policy/modules/system/init.fc
===================================================================
--- refpolicy-2.20110726.orig/policy/modules/system/init.fc	2012-06-30 12:31:58.892453996 +1000
+++ refpolicy-2.20110726/policy/modules/system/init.fc	2012-06-30 12:32:45.285314741 +1000
@@ -20,6 +20,7 @@
 # /dev
 #
 /dev/initctl		-p	gen_context(system_u:object_r:initctl_t,s0)
+/var/run/initctl	-p	gen_context(system_u:object_r:initctl_t,s0)
 
 #
 # /lib
@@ -33,6 +34,18 @@
 #
 # /sbin
 #
+/bin/systemd		--	gen_context(system_u:object_r:init_exec_t,s0)
+
+#
+# systemd init scripts
+#
+/lib/systemd/[^/]*	--	gen_context(system_u:object_r:init_exec_t,s0)
+/lib/systemd/fedora[^/]* --	gen_context(system_u:object_r:initrc_exec_t,s0)
+/lib/systemd/system-generators/[^/]*	--	gen_context(system_u:object_r:init_exec_t,s0)
+
+#
+# /sbin
+#
 /sbin/init(ng)?		--	gen_context(system_u:object_r:init_exec_t,s0)
 # because nowadays, /sbin/init is often a symlink to /sbin/upstart
 /sbin/upstart		--	gen_context(system_u:object_r:init_exec_t,s0)
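Review bot: `/lib/systemd/[^/]*` labels every regular file directly under `/lib/systemd` as `init_exec_t`, the entry-point type for the init domain, and only the helpers that another `.fc` file names explicitly (logind, logger, tmpfiles, journald, kmsg-syslogd in this patch) escape it. Any helper shipped there later silently becomes an init entry point. I would either enumerate the binaries that must be `init_exec_t` or comment the wildcard with `# catch-all: helpers without their own entry run as init`. The `/usr/lib/systemd/[^/]*` line in the `@@ -50,11 +63,23 @@` hunk has the same problem. The `fedora[^/]*` pattern is distribution-specific and `/bin/systemd` is filed under the old `# /sbin` heading, so the headings no longer describe their contents.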
@@ -50,11 +63,23 @@
 #
 /usr/bin/sepg_ctl	--	gen_context(system_u:object_r:initrc_exec_t,s0)
 
+/usr/sbin/init(ng)?		--	gen_context(system_u:object_r:init_exec_t,s0)
+# because nowadays, /sbin/init is often a symlink to /sbin/upstart
+/usr/sbin/upstart		--	gen_context(system_u:object_r:init_exec_t,s0)
+
+/usr/lib/systemd/[^/]*		--	gen_context(system_u:object_r:init_exec_t,s0)
+/usr/lib/systemd/fedora[^/]* 	--	gen_context(system_u:object_r:initrc_exec_t,s0)
+/usr/lib/systemd/system-generators/[^/]*	--	gen_context(system_u:object_r:init_exec_t,s0)
+
 /usr/libexec/dcc/start-.* --	gen_context(system_u:object_r:initrc_exec_t,s0)
 /usr/libexec/dcc/stop-.* --	gen_context(system_u:object_r:initrc_exec_t,s0)
 
 /usr/sbin/apachectl	-- 	gen_context(system_u:object_r:initrc_exec_t,s0)
 /usr/sbin/open_init_pty	--	gen_context(system_u:object_r:initrc_exec_t,s0)
+/usr/sbin/startx	-- 	gen_context(system_u:object_r:initrc_exec_t,s0)
+/usr/bin/systemd	--	gen_context(system_u:object_r:init_exec_t,s0)
+
+/usr/share/system-config-services/system-config-services-mechanism\.py  --	gen_context(system_u:object_r:initrc_exec_t,s0)
 
 #
 # /var
@@ -83,3 +108,4 @@
 /var/run/setleds-on	--	gen_context(system_u:object_r:initrc_var_run_t,s0)
 /var/run/sysconfig(/.*)?	gen_context(system_u:object_r:initrc_var_run_t,s0)
 ')
+/var/run/systemd(/.*)?		gen_context(system_u:object_r:init_var_run_t,s0)
Index: refpolicy-2.20110726/policy/modules/system/lvm.if
===================================================================
--- refpolicy-2.20110726.orig/policy/modules/system/lvm.if	2012-06-30 12:31:47.440239041 +1000
+++ refpolicy-2.20110726/policy/modules/system/lvm.if	2012-06-30 12:32:00.272479839 +1000
@@ -123,3 +123,94 @@
 	corecmd_search_bin($1)
 	domtrans_pattern($1, clvmd_exec_t, clvmd_t)
 ')
+
+########################################
+## <summary>
+##	Read and write to lvm temporary file system.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`lvm_rw_clvmd_tmpfs_files',`
+	gen_require(`
+		type clvmd_tmpfs_t;
+	')
+
+	allow $1 clvmd_tmpfs_t:file rw_file_perms;
+')
+
+########################################
+## <summary>
+##	Delete lvm temporary file system.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`lvm_delete_clvmd_tmpfs_files',`
+	gen_require(`
+		type clvmd_tmpfs_t;
+	')
+
+	allow $1 clvmd_tmpfs_t:file unlink;
+')
+
+########################################
+## <summary>
+##	Send lvm a null signal.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`lvm_signull',`
+	gen_require(`
+		type lvm_t;
+	')
+
+	allow $1 lvm_t:process signull;
+')
+
+########################################
+## <summary>
+##	Send a message to lvm over the 
+##	datagram socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`lvm_dgram_send',`
+	gen_require(`
+		type lvm_t;
+	')
+
+	allow $1 lvm_t:unix_dgram_socket sendto;
+')
+
+########################################
+## <summary>
+##	Read and write a lvm unnamed pipe.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`lvm_rw_pipes',`
+	gen_require(`
+		type lvm_var_run_t;
+	')
+
+	allow $1 lvm_var_run_t:fifo_file rw_inherited_fifo_file_perms;
+')
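Review bot: `lvm_rw_pipes` is documented as `Read and write a lvm unnamed pipe.`, but its rule targets `lvm_var_run_t:fifo_file`, which is a named FIFO created under the LVM runtime directory. An unnamed pipe inherited from the LVM process would carry the `lvm_t` type, so callers expecting that will still be denied. Either the summary should read `Read and write inherited lvm named pipes in its runtime directory.` or the rule should target the process type; confirm which one the systemd caller needs. The summaries on `lvm_rw_clvmd_tmpfs_files` and `lvm_delete_clvmd_tmpfs_files` say "lvm temporary file system" where the rules act on `clvmd_tmpfs_t` files.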
Index: refpolicy-2.20110726/policy/modules/system/userdomain.if
===================================================================
--- refpolicy-2.20110726.orig/policy/modules/system/userdomain.if	2012-06-30 12:32:00.144477436 +1000
+++ refpolicy-2.20110726/policy/modules/system/userdomain.if	2012-06-30 12:32:45.113311581 +1000
@@ -2610,6 +2610,53 @@
 
 ########################################
 ## <summary>
+##     Read and write a inherited user domain pty.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`userdom_use_inherited_user_ptys',`
+	gen_require(`
+		type user_devpts_t;
+	')
+
+	allow $1 user_devpts_t:chr_file rw_inherited_term_perms;
+')
+
+########################################
+## <summary>
+##     Read and write a inherited user TTYs and PTYs.
+## </summary>
+## <desc>
+##     <p>
+##     Allow the specified domain to read and write inherited user
+##     TTYs and PTYs. This will allow the domain to
+##     interact with the user via the terminal. Typically
+##     all interactive applications will require this
+##     access.
+##     </p>
+## </desc>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`userdom_use_inherited_user_terminals',`
+	gen_require(`
+		type user_tty_device_t, user_devpts_t;
+	')
+ 
+	allow $1 user_tty_device_t:chr_file rw_inherited_term_perms;
+	allow $1 user_devpts_t:chr_file rw_inherited_term_perms;
+')
+
+########################################
+## <summary>
 ##	Read and write a user TTYs and PTYs.
 ## </summary>
 ## <desc>
@@ -3160,6 +3207,42 @@
 	allow $1 userdomain:process signal;
 ')
 
+#######################################
+## <summary>
+##  Send signull to all user domains.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`userdom_signull_all_users',`
+	gen_require(`
+		attribute userdomain;
+	')
+
+	allow $1 userdomain:process signull;
+')
+
+########################################
+## <summary>
+##     Send kill signals to all user domains.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`userdom_kill_all_users',`
+	gen_require(`
+		attribute userdomain;
+	')
+
+	allow $1 userdomain:process sigkill;
+')
+
 ########################################
 ## <summary>
 ##	Send a SIGCHLD signal to all user domains.
@@ -3214,3 +3297,60 @@
 
 	allow $1 userdomain:dbus send_msg;
 ')
+
+########################################
+## <summary>
+##     Do not audit attempts to read and write
+##     unserdomain stream.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain to not audit.
+##     </summary>
+## </param>
+#
+interface(`userdom_dontaudit_rw_stream',`
+	gen_require(`
+		attribute userdomain;
+	')
+
+	dontaudit $1 userdomain:unix_stream_socket rw_socket_perms;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to write users
+##	temporary files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`userdom_dontaudit_write_user_tmp_files',`
+	gen_require(`
+		type user_tmp_t;
+	')
+
+	dontaudit $1 user_tmp_t:file write;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to read/write users
+##	temporary fifo files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`userdom_dontaudit_rw_user_tmp_pipes',`
+	gen_require(`
+		type user_tmp_t;
+	')
+
+	dontaudit $1 user_tmp_t:fifo_file rw_inherited_fifo_file_perms;
+')
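Review bot: The summary of `userdom_dontaudit_rw_stream` contains the typo `unserdomain` and does not say what kind of stream it means. I would write `##     Do not audit attempts to read and write user domain unix stream sockets.` All three interfaces added here are `dontaudit` rules over user-owned objects, so denials against user sockets, temporary files and pipes disappear from the audit log for every caller. Each caller should therefore carry a comment explaining which leaked descriptor it is silencing, so that unexpected access is not hidden along with the noise.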
Index: refpolicy-2.20110726/policy/modules/system/logging.fc
===================================================================
--- refpolicy-2.20110726.orig/policy/modules/system/logging.fc	2012-06-30 12:31:58.136439834 +1000
+++ refpolicy-2.20110726/policy/modules/system/logging.fc	2012-06-30 12:32:00.272479839 +1000
@@ -7,6 +7,8 @@
 /etc/rc\.d/init\.d/auditd --	gen_context(system_u:object_r:auditd_initrc_exec_t,s0)
 /etc/rc\.d/init\.d/rsyslog --	gen_context(system_u:object_r:syslogd_initrc_exec_t,s0)
 
+/lib/systemd/system/auditd\.service	--	gen_context(system_u:object_r:auditd_unit_file_t,s0)
+
 /sbin/audispd		--	gen_context(system_u:object_r:audisp_exec_t,s0)
 /sbin/audisp-remote	--	gen_context(system_u:object_r:audisp_remote_exec_t,s0)
 /sbin/auditctl		--	gen_context(system_u:object_r:auditctl_exec_t,s0)
@@ -18,12 +20,28 @@
 /sbin/syslogd		--	gen_context(system_u:object_r:syslogd_exec_t,s0)
 /sbin/syslog-ng		--	gen_context(system_u:object_r:syslogd_exec_t,s0)
 
+/lib/systemd/systemd-journald		--	gen_context(system_u:object_r:syslogd_exec_t,s0)
+/lib/systemd/systemd-kmsg-syslogd	--	gen_context(system_u:object_r:syslogd_exec_t,s0)
+
+/opt/zimbra/log(/.*)?		gen_context(system_u:object_r:var_log_t,s0)
+/opt/Symantec/scspagent/IDS/system(/.*)?	gen_context(system_u:object_r:var_log_t,s0)
+
+/usr/lib/systemd/systemd-journald		--	gen_context(system_u:object_r:syslogd_exec_t,s0)
+/usr/lib/systemd/systemd-kmsg-syslogd	--	gen_context(system_u:object_r:syslogd_exec_t,s0)
+
+/usr/local/centreon/log(/.*)?	gen_context(system_u:object_r:var_log_t,s0)
+
+/usr/sbin/audispd	--	gen_context(system_u:object_r:audisp_exec_t,s0)
+/usr/sbin/audisp-remote	--	gen_context(system_u:object_r:audisp_remote_exec_t,s0)
+/usr/sbin/auditctl	--	gen_context(system_u:object_r:auditctl_exec_t,s0)
+/usr/sbin/auditd	--	gen_context(system_u:object_r:auditd_exec_t,s0)
 /usr/sbin/klogd		--	gen_context(system_u:object_r:klogd_exec_t,s0)
 /usr/sbin/metalog	--	gen_context(system_u:object_r:syslogd_exec_t,s0)
+/usr/sbin/minilogd	--	gen_context(system_u:object_r:syslogd_exec_t,s0)
 /usr/sbin/rklogd	--	gen_context(system_u:object_r:klogd_exec_t,s0)
 /usr/sbin/rsyslogd	--	gen_context(system_u:object_r:syslogd_exec_t,s0)
-/usr/sbin/syslog-ng	--	gen_context(system_u:object_r:syslogd_exec_t,s0)
 /usr/sbin/syslogd	--	gen_context(system_u:object_r:syslogd_exec_t,s0)
+/usr/sbin/syslog-ng	--	gen_context(system_u:object_r:syslogd_exec_t,s0)
 
 /var/lib/syslog-ng(/.*)? 	gen_context(system_u:object_r:syslogd_var_lib_t,s0)
 /var/lib/r?syslog(/.*)?		gen_context(system_u:object_r:syslogd_var_lib_t,s0)
@@ -35,11 +53,11 @@
 
 /var/axfrdns/log/main(/.*)?	gen_context(system_u:object_r:var_log_t,s0)
 /var/dnscache/log/main(/.*)?	gen_context(system_u:object_r:var_log_t,s0)
-/var/cfengine/outputs(/.*)?	gen_context(system_u:object_r:var_log_t,s0)
+#/var/cfengine/outputs(/.*)?	gen_context(system_u:object_r:var_log_t,s0)
 
 /var/log		-d	gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh)
 /var/log/.*			gen_context(system_u:object_r:var_log_t,s0)
-/var/log/boot\.log	--	gen_context(system_u:object_r:var_log_t,mls_systemhigh)
+/var/log/boot\.log	--		gen_context(system_u:object_r:var_log_t,mls_systemhigh)
 /var/log/messages[^/]*		gen_context(system_u:object_r:var_log_t,mls_systemhigh)
 /var/log/secure[^/]*		gen_context(system_u:object_r:var_log_t,mls_systemhigh)
 /var/log/cron[^/]*		gen_context(system_u:object_r:var_log_t,mls_systemhigh)
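Review bot: The `/var/cfengine/outputs(/.*)?` entry is commented out rather than removed, and nothing explains why. If another module in this patch set now labels that path, say so in a comment, e.g. `# labelled by the cfengine module`, or delete the line. A bare commented-out context invites someone to re-enable it and create a conflicting specification. The `boot\.log` change in the same hunk only adds a tab.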
@@ -47,6 +65,7 @@
 /var/log/spooler[^/]*		gen_context(system_u:object_r:var_log_t,mls_systemhigh)
 /var/log/audit(/.*)?		gen_context(system_u:object_r:auditd_log_t,mls_systemhigh)
 /var/log/syslog-ng(/.*)? 	gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh)
+/var/run/log(/.*)?		gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh)
 
 ifndef(`distro_gentoo',`
 /var/log/audit\.log	--	gen_context(system_u:object_r:auditd_log_t,mls_systemhigh)
@@ -55,6 +74,7 @@
 ifdef(`distro_redhat',`
 /var/named/chroot/var/log -d	gen_context(system_u:object_r:var_log_t,s0)
 /var/named/chroot/dev/log -s	gen_context(system_u:object_r:devlog_t,s0)
+/var/spool/postfix/dev/log -s	gen_context(system_u:object_r:devlog_t,s0)
 ')
 
 /var/run/audit_events	-s	gen_context(system_u:object_r:auditd_var_run_t,mls_systemhigh)
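Review bot: The new `/var/spool/postfix/dev/log` entry is placed inside the `ifdef(`distro_redhat',` block, so it is compiled only for Red Hat builds. If this patch targets a policy built without that define, a chrooted postfix log socket would keep its spool label instead of `devlog_t`, and mail daemons would be denied when they log. Moving the line outside the `ifdef` (or into the appropriate distribution block) would make the label apply where the chroot is actually used; please confirm which build flags this package sets.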
@@ -67,6 +87,7 @@
 /var/run/syslogd\.pid	--	gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh)
 /var/run/syslog-ng.ctl	--	gen_context(system_u:object_r:syslogd_var_run_t,s0)
 /var/run/syslog-ng(/.*)?	gen_context(system_u:object_r:syslogd_var_run_t,s0)
+/var/run/systemd/journal/syslog	-s	gen_context(system_u:object_r:devlog_t,mls_systemhigh)
 
 /var/spool/audit(/.*)?		gen_context(system_u:object_r:audit_spool_t,mls_systemhigh)
 /var/spool/bacula/log(/.*)? 	gen_context(system_u:object_r:var_log_t,s0)
@@ -74,4 +95,9 @@
 /var/spool/plymouth/boot\.log	gen_context(system_u:object_r:var_log_t,mls_systemhigh)
 /var/spool/rsyslog(/.*)? 	gen_context(system_u:object_r:var_log_t,s0)
 
+/var/stockmaniac/templates_cache(/.*)? gen_context(system_u:object_r:var_log_t,s0)
+
 /var/tinydns/log/main(/.*)?	gen_context(system_u:object_r:var_log_t,s0)
+
+/var/webmin(/.*)?		gen_context(system_u:object_r:var_log_t,s0)
+
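Review bot: `/var/webmin(/.*)?` and `/var/stockmaniac/templates_cache(/.*)?` label whole application trees as `var_log_t`, although the second path is by its name a template cache rather than a log. Every domain with manage access to generic logs, including `syslogd_t`, gains write access to those trees as a side effect. A narrower pattern limited to the log files, or a dedicated type for the cache, would keep generic log access meaning what it says. If the broad label is inherited unchanged from the origin policy, a comment noting that would help.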
Index: refpolicy-2.20110726/policy/modules/system/logging.te
===================================================================
--- refpolicy-2.20110726.orig/policy/modules/system/logging.te	2012-06-30 12:31:59.828471522 +1000
+++ refpolicy-2.20110726/policy/modules/system/logging.te	2012-06-30 12:32:45.285314741 +1000
@@ -5,6 +5,20 @@
 # Declarations
 #
 
+## <desc>
+## <p>
+## Allow syslogd daemon to send mail
+## </p>
+## </desc>
+gen_tunable(logging_syslogd_can_sendmail, false)
+
+## <desc>
+## <p>
+## Allow syslogd the ability to read/write terminals
+## </p>
+## </desc>
+gen_tunable(logging_syslogd_use_tty, false)
+
 attribute logfile;
 
 type auditctl_t;
@@ -20,6 +34,7 @@
 files_security_mountpoint(auditd_log_t)
 
 type audit_spool_t;
+files_spool_file(audit_spool_t)
 files_security_file(audit_spool_t)
 files_security_mountpoint(audit_spool_t)
 
@@ -33,6 +48,9 @@
 type auditd_var_run_t;
 files_pid_file(auditd_var_run_t)
 
+type auditd_unit_file_t;
+systemd_unit_file(auditd_unit_file_t)
+
 type audisp_t;
 type audisp_exec_t;
 init_system_domain(audisp_t, audisp_exec_t)
@@ -69,6 +87,7 @@
 type syslogd_t;
 type syslogd_exec_t;
 init_daemon_domain(syslogd_t, syslogd_exec_t)
+mls_trusted_object(syslogd_t)
 
 type syslogd_initrc_exec_t;
 init_script_file(syslogd_initrc_exec_t)
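Review bot: `mls_trusted_object(syslogd_t)` is added without a comment, although it exempts `syslogd_t` from MLS level checks as an object, so processes at any sensitivity can write to the logger's sockets. That is probably intended so that all levels can log, but it also makes the daemon a cross-level sink, and the policy should state that. I would add `# every MLS level must be able to send messages to the logger` above the line and check that the daemon's outputs are ranged at `mls_systemhigh`, as the logging.fc entries suggest.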
@@ -92,6 +111,9 @@
 dev_associate(xconsole_device_t)
 files_associate_tmp(xconsole_device_t)
 allow syslogd_t xconsole_device_t:fifo_file rw_file_perms;
+optional_policy(`
+	systemd_tmpfiles_manage_object(xconsole_device_t, fifo_file)
+')
 
 ifdef(`enable_mls',`
 	init_ranged_daemon_domain(auditd_t, auditd_exec_t, mls_systemhigh)
@@ -107,6 +129,8 @@
 allow auditctl_t self:netlink_audit_socket nlmsg_readpriv;
 dev_read_urand(auditctl_t)
 
+allow auditctl_t self:process getcap;
+
 read_files_pattern(auditctl_t, auditd_etc_t, auditd_etc_t)
 allow auditctl_t auditd_etc_t:dir list_dir_perms;
 
@@ -124,7 +148,7 @@
 
 mls_file_read_all_levels(auditctl_t)
 
-term_use_all_terms(auditctl_t)
+term_use_all_inherited_terms(auditctl_t)
 
 init_dontaudit_use_fds(auditctl_t)
 
@@ -162,6 +186,7 @@
 # Needs to be able to run dispatcher.  see /etc/audit/auditd.conf
 # Probably want a transition, and a new auditd_helper app
 kernel_read_system_state(auditd_t)
+kernel_read_network_state(auditd_t)
 
 dev_read_sysfs(auditd_t)
 
@@ -197,16 +222,19 @@
 logging_domtrans_dispatcher(auditd_t)
 logging_signal_dispatcher(auditd_t)
 
+auth_use_nsswitch(auditd_t)
+
 miscfiles_read_localization(auditd_t)
 
 mls_file_read_all_levels(auditd_t)
 mls_file_write_all_levels(auditd_t) # Need to be able to write to /var/run/ directory
+mls_socket_write_all_levels(auditd_t)
 
 seutil_dontaudit_read_config(auditd_t)
 
 sysnet_dns_name_resolve(auditd_t)
 
-userdom_use_user_terminals(auditd_t)
+userdom_use_inherited_user_terminals(auditd_t)
 userdom_dontaudit_use_unpriv_user_fds(auditd_t)
 userdom_dontaudit_search_user_home_dirs(auditd_t)
 
@@ -252,10 +280,17 @@
 
 domain_use_interactive_fds(audisp_t)
 
+fs_getattr_all_fs(audisp_t)
+
 files_read_etc_files(audisp_t)
 files_read_etc_runtime_files(audisp_t)
 
+mls_file_read_all_levels(audisp_t)
 mls_file_write_all_levels(audisp_t)
+mls_socket_write_all_levels(audisp_t)
+mls_dbus_send_all_levels(audisp_t)
+
+auth_use_nsswitch(audisp_t)
 
 logging_send_syslog_msg(audisp_t)
 
@@ -265,6 +300,10 @@
 
 optional_policy(`
 	dbus_system_bus_client(audisp_t)
+
+	optional_policy(`
+		setroubleshoot_dbus_chat(audisp_t)
+	')
 ')
 
 ########################################
@@ -295,11 +334,20 @@
 
 files_read_etc_files(audisp_remote_t)
 
+mls_socket_write_all_levels(audisp_remote_t)
+
 logging_send_syslog_msg(audisp_remote_t)
 logging_send_audit_msgs(audisp_remote_t)
 
+auth_use_nsswitch(audisp_remote_t)
+auth_append_login_records(audisp_remote_t)
+
 miscfiles_read_localization(audisp_remote_t)
 
+init_telinit(audisp_remote_t)
+init_read_utmp(audisp_remote_t)
+init_dontaudit_write_utmp(audisp_remote_t)
+
 sysnet_dns_name_resolve(audisp_remote_t)
 
 ########################################
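Review bot: `init_telinit(audisp_remote_t)` gives the remote audit forwarder the ability to ask init for a runlevel change, and the hunk does not explain why. Presumably this backs the forwarder's configured failure actions that halt or switch to single-user mode, but that should be stated, since it lets a network-connected helper influence system state. A comment such as `# failure actions may request single-user mode or halt` above the three `init_` lines would record the reason; confirm it against the forwarder's configuration options.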
@@ -369,11 +417,12 @@
 # chown fsetid for syslog-ng
 # sys_admin for the integrated klog of syslog-ng and metalog
 # cjp: why net_admin!
-allow syslogd_t self:capability { chown dac_override fsetid net_admin sys_admin sys_nice sys_resource sys_tty_config };
+allow syslogd_t self:capability { chown sys_ptrace dac_override fsetid net_admin sys_admin sys_nice sys_resource sys_tty_config ipc_lock net_admin fsetid setuid setgid };
 dontaudit syslogd_t self:capability sys_tty_config;
+allow syslogd_t self:capability2 syslog;
 # setpgid for metalog
 # setrlimit for syslog-ng
-allow syslogd_t self:process { signal_perms setpgid setrlimit getsched setsched };
+allow syslogd_t self:process { signal_perms getcap setcap setpgid setsched setrlimit };
 # receive messages to be logged
 allow syslogd_t self:unix_dgram_socket create_socket_perms;
 allow syslogd_t self:unix_stream_socket create_stream_socket_perms;
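Review bot: The rewritten capability rule for `syslogd_t` adds `sys_ptrace`, `ipc_lock`, `setuid` and `setgid` without extending the comment block above it, and it lists `net_admin` and `fsetid` twice. `sys_ptrace` is the notable one: elsewhere in this patch ptrace access is gated behind the `deny_ptrace` tunable, while here a daemon that parses untrusted log input gets the capability unconditionally. If it is only needed to read `/proc` metadata of logging processes, say so in a comment and consider whether it can be made conditional. The process rule also drops `getsched` while adding `getcap setcap`, which may be an accidental loss. The existing `# cjp: why net_admin!` question remains unanswered.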
@@ -391,6 +440,7 @@
 # create/append log files.
 manage_files_pattern(syslogd_t, var_log_t, var_log_t)
 rw_fifo_files_pattern(syslogd_t, var_log_t, var_log_t)
+files_search_spool(syslogd_t)
 
 # for rsyslogd, this access is harmless so making it unconditional
 allow syslogd_t proc_t:file { getattr read };
@@ -403,9 +453,15 @@
 manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
 files_tmp_filetrans(syslogd_t, syslogd_tmp_t, { dir file })
 
+manage_sock_files_pattern(syslogd_t, syslogd_var_lib_t, syslogd_var_lib_t)
 manage_files_pattern(syslogd_t, syslogd_var_lib_t, syslogd_var_lib_t)
 files_search_var_lib(syslogd_t)
 
+manage_dirs_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t)
+manage_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t)
+manage_sock_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t)
+files_pid_filetrans(syslogd_t, syslogd_var_run_t, { file dir })
+
 # manage pid file
 manage_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t)
 files_pid_filetrans(syslogd_t, syslogd_var_run_t, file)
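Review bot: The added `manage_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t)` and `files_pid_filetrans(syslogd_t, syslogd_var_run_t, { file dir })` duplicate the two `# manage pid file` rules that follow as context, the second being a superset of the old `file`-only transition. I would drop the older pair, or fold the new lines under that comment, so that each rule appears once. The `@@ -444,10 +500,29 @@` hunk has the same problem: `domain_read_all_domains_state(syslogd_t)` is added twice, and its `logging_syslogd_use_tty` block is indented with spaces where the file uses tabs.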
@@ -444,10 +500,29 @@
 corenet_sendrecv_postgresql_client_packets(syslogd_t)
 corenet_sendrecv_mysqld_client_packets(syslogd_t)
 
+tunable_policy(`logging_syslogd_use_tty',`
+   term_use_all_ttys(syslogd_t)
+   term_use_all_ptys(syslogd_t)
+')
+
+tunable_policy(`logging_syslogd_can_sendmail',`
+	# support for ommail module to send logs via mail
+	corenet_tcp_connect_smtp_port(syslogd_t)
+')
+
 dev_filetrans(syslogd_t, devlog_t, sock_file)
 dev_read_sysfs(syslogd_t)
+dev_read_rand(syslogd_t)
+dev_read_urand(syslogd_t)
+# relating to systemd-kmsg-syslogd
+dev_write_kmsg(syslogd_t)
+selinux_get_enforce_mode(syslogd_t)
+selinux_search_fs(syslogd_t)
 
+domain_read_all_domains_state(syslogd_t)
 domain_use_interactive_fds(syslogd_t)
+domain_read_all_domains_state(syslogd_t)
+domain_getattr_all_domains(syslogd_t)
 
 files_read_etc_files(syslogd_t)
 files_read_usr_files(syslogd_t)
@@ -465,7 +540,9 @@
 term_write_console(syslogd_t)
 # Allow syslog to a terminal
 term_write_unallocated_ttys(syslogd_t)
+term_use_generic_ptys(syslogd_t)
 
+init_stream_connect(syslogd_t)
 # for sending messages to logged in users
 init_read_utmp(syslogd_t)
 init_dontaudit_write_utmp(syslogd_t)
@@ -477,6 +554,7 @@
 
 # cjp: this doesnt make sense
 logging_send_syslog_msg(syslogd_t)
+logging_manage_all_logs(syslogd_t)
 
 miscfiles_read_localization(syslogd_t)
 
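Review bot: `logging_manage_all_logs(syslogd_t)` carries no reason, and by its name it widens syslogd from the generic log type to every type marked as a log file. Earlier in this file's diff the daemon is limited to `manage_files_pattern(syslogd_t, var_log_t, var_log_t)`, so a compromised logger could now rewrite or delete logs owned by other services. If the need is one specific log directory, a narrower interface is safer. If the line has to stay, add a comment such as `# <which log types syslogd must create or rotate>`. The existing `# cjp: this doesnt make sense` comment now also appears to cover the new line.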
@@ -514,11 +592,20 @@
 ')
 
 optional_policy(`
+	postfix_search_spool(syslogd_t)
+')
+
+optional_policy(`
 	postgresql_stream_connect(syslogd_t)
 ')
 
 optional_policy(`
 	seutil_sigchld_newrole(syslogd_t)
+	snmp_read_snmp_var_lib_files(syslogd_t)
+')
+
+optional_policy(`
+    daemontools_search_svc_dir(syslogd_t)
 ')
 
 optional_policy(`
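Review bot: `snmp_read_snmp_var_lib_files(syslogd_t)` is placed in the same optional_policy block as `seutil_sigchld_newrole(syslogd_t)`, which ties the two rules together. An optional_policy block is dropped as a whole when any interface in it is unavailable, so a policy built without the snmp module would also lose the newrole sigchld rule. Give the snmp call its own optional_policy block, as this hunk already does for postfix and daemontools. The daemontools line is indented with spaces where its neighbours use a tab.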
Index: refpolicy-2.20110726/policy/modules/system/application.if
===================================================================
--- refpolicy-2.20110726.orig/policy/modules/system/application.if	2012-06-30 12:31:47.440239041 +1000
+++ refpolicy-2.20110726/policy/modules/system/application.if	2012-06-30 12:32:00.272479839 +1000
@@ -189,6 +189,24 @@
 
 ########################################
 ## <summary>
+##     Send kill signals to all application domains.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`application_sigkill',`
+	gen_require(`
+		attribute application_domain_type;
+	')
+
+	allow $1 application_domain_type:process sigkill;
+')
+
+########################################
+## <summary>
 ##	Do not audit attempts to send kill signals
 ##	to all application domains.
 ## </summary>
Index: refpolicy-2.20110726/policy/modules/system/udev.te
===================================================================
--- refpolicy-2.20110726.orig/policy/modules/system/udev.te	2012-06-30 12:32:00.088476387 +1000
+++ refpolicy-2.20110726/policy/modules/system/udev.te	2012-06-30 12:32:45.285314741 +1000
@@ -153,6 +153,8 @@
 init_read_utmp(udev_t)
 init_dontaudit_write_utmp(udev_t)
 init_getattr_initctl(udev_t)
+init_search_pid_dirs(udev_t)
+init_telinit(udev_t)
 
 logging_search_logs(udev_t)
 logging_send_syslog_msg(udev_t)
@@ -179,6 +181,8 @@
 sysnet_signal_dhcpc(udev_t)
 sysnet_etc_filetrans_config(udev_t)
 
+systemd_login_read_pid_files(udev_t)
+
 userdom_dontaudit_search_user_home_content(udev_t)
 
 fstools_getattr_swap_files(udev_t)
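Review bot: `systemd_login_read_pid_files(udev_t)` is called outside any optional_policy block, so udev.te would fail to build in a policy that does not include the systemd module. Other files in this patch guard their systemd calls: authlogin.te and miscfiles.te wrap `systemd_tmpfiles_manage_object` in optional_policy, and the same wrapper fits here. The udev.te hunk just above adds `init_telinit(udev_t)` without a comment; a line saying what udev asks init to do would help the next reader.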
Index: refpolicy-2.20110726/policy/modules/system/init.te
===================================================================
--- refpolicy-2.20110726.orig/policy/modules/system/init.te	2012-06-30 12:31:58.896454079 +1000
+++ refpolicy-2.20110726/policy/modules/system/init.te	2012-06-30 12:32:44.753304966 +1000
@@ -16,6 +16,27 @@
 ## </desc>
 gen_tunable(init_upstart, false)
 
+## <desc>
+## <p>
+## Enable support for systemd as the init program.
+## </p>
+## </desc>
+gen_tunable(init_systemd, true)
+
+## <desc>
+## <p>
+## Allow all daemons the ability to read/write terminals
+## </p>
+## </desc>
+gen_tunable(allow_daemons_use_tty, false)
+
+## <desc>
+## <p>
+## Allow all daemons to write corefiles to /
+## </p>
+## </desc>
+gen_tunable(allow_daemons_dump_core, false)
+
 # used for direct running of init scripts
 # by admin domains
 attribute direct_run_init;
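Review bot: `gen_tunable(init_systemd, true)` turns the systemd rules on by default, including on systems that still boot with sysvinit or upstart. The block this boolean gates later in the file gives init_t `fs_mount_all_fs`, `dev_relabel_all_dev_nodes` and `files_mounton_all_mountpoints`, so the default decides how much PID 1 may do on every install. I would default it to false, as `gen_tunable(init_upstart, false)` does, or say in the desc text that it should be switched off on non-systemd systems. The two daemon-wide tunables declared here would be easier to find in global_tunables, which this patch also edits.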
@@ -25,14 +46,18 @@
 attribute init_script_domain_type;
 attribute init_script_file_type;
 attribute init_run_all_scripts_domain;
+attribute initrc_transition_domain;
+# Attribute used for systemd so domains can allow systemd to create sock_files
+attribute init_sock_file_type;
 
 # Mark process types as daemons
 attribute daemon;
+attribute systemprocess;
 
 #
 # init_t is the domain of the init process.
 #
-type init_t;
+type init_t, initrc_transition_domain;
 type init_exec_t;
 domain_type(init_t)
 domain_entry_file(init_t, init_exec_t)
@@ -149,7 +174,7 @@
 
 mls_file_read_all_levels(init_t)
 mls_file_write_all_levels(init_t)
-mls_process_write_down(init_t)
+mls_process_write_all_levels(init_t)
 mls_fd_use_all_levels(init_t)
 
 selinux_set_all_booleans(init_t)
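Review bot: Replacing `mls_process_write_down(init_t)` with `mls_process_write_all_levels(init_t)` changes init_t's MLS process privilege for every init system, because the line sits outside the init_systemd tunable. The name suggests init_t may now write to processes at any level rather than only lower ones; confirm that against mls.if. If only systemd needs it, put the reason next to the line, e.g. `# systemd: <why write-down alone is not enough>`; the hunk does not show it.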
@@ -184,7 +209,7 @@
 ')
 
 optional_policy(`
-tunable_policy(`init_upstart',`
+tunable_policy(`init_upstart || init_systemd',`
 	corecmd_shell_domtrans(init_t, initrc_t)
 ',`
 	# Run the shell in the sysadm role for single-user mode.
@@ -193,16 +218,145 @@
 ')
 ')
 
+storage_raw_rw_fixed_disk(init_t)
+
+optional_policy(`
+	modutils_domtrans_insmod(init_t)
+')
+
+optional_policy(`
+	postfix_list_spool(init_t)
+	mta_read_aliases(init_t)
+')
+
+tunable_policy(`init_systemd',`
+	allow init_t self:unix_dgram_socket { create_socket_perms sendto };
+	allow init_t self:process { setsockcreate setfscreate setrlimit };
+	allow init_t self:process { getcap setcap };
+	allow init_t self:unix_stream_socket { create_stream_socket_perms connectto };
+	allow init_t self:netlink_kobject_uevent_socket create_socket_perms; 
+	# Until systemd is fixed
+	allow daemon init_t:socket_class_set { getopt read getattr ioctl setopt write };
+	allow init_t self:udp_socket create_socket_perms;
+	allow init_t self:netlink_route_socket create_netlink_socket_perms;
+
+	allow init_t initrc_t:unix_dgram_socket create_socket_perms;
+
+	kernel_list_unlabeled(init_t)
+	kernel_read_network_state(init_t)
+	kernel_rw_kernel_sysctl(init_t)
+	kernel_rw_net_sysctls(init_t)
+	kernel_read_all_sysctls(init_t)
+	kernel_read_software_raid_state(init_t)
+	kernel_unmount_debugfs(init_t)
+	kernel_setsched(init_t)
+
+	dev_write_kmsg(init_t)
+	dev_write_urand(init_t)
+	dev_rw_lvm_control(init_t)
+	dev_rw_autofs(init_t)
+	dev_manage_generic_symlinks(init_t)
+	dev_manage_generic_dirs(init_t)
+	dev_manage_generic_files(init_t)
+	dev_read_generic_chr_files(init_t)
+	dev_relabel_generic_dev_dirs(init_t)
+	dev_relabel_all_dev_nodes(init_t)
+	dev_relabel_all_dev_files(init_t)
+	dev_manage_sysfs_dirs(init_t)
+	dev_relabel_sysfs_dirs(init_t)
+
+	files_search_all(init_t)
+	files_mounton_all_mountpoints(init_t)
+	files_unmount_all_file_type_fs(init_t)
+	files_manage_all_pid_dirs(init_t)
+	files_manage_generic_tmp_dirs(init_t)
+	files_relabel_all_pid_dirs(init_t)
+	files_relabel_all_pid_files(init_t)
+	files_create_all_pid_sockets(init_t)
+	files_delete_all_pids(init_t)
+	files_exec_generic_pid_files(init_t)
+	files_create_all_pid_pipes(init_t)
+	files_create_all_spool_sockets(init_t)
+	files_delete_all_spool_sockets(init_t)
+	files_manage_urandom_seed(init_t)
+	files_list_locks(init_t)
+	files_list_spool(init_t)
+	files_list_var(init_t)
+	files_create_lock_dirs(init_t)
+	files_relabel_all_lock_dirs(init_t)
+
+	fs_getattr_all_fs(init_t)
+	fs_manage_cgroup_dirs(init_t)
+	fs_manage_cgroup_files(init_t)
+	fs_manage_hugetlbfs_dirs(init_t)
+	fs_manage_tmpfs_dirs(init_t)
+	fs_relabel_tmpfs_dirs(init_t)
+	fs_relabel_tmpfs_files(init_t)
+	fs_mount_all_fs(init_t)
+	fs_unmount_all_fs(init_t)
+	fs_remount_all_fs(init_t)
+	fs_list_auto_mountpoints(init_t)
+	fs_relabel_cgroup_dirs(init_t)
+	fs_search_cgroup_dirs(daemon)
+
+	selinux_compute_create_context(init_t)
+	selinux_validate_context(init_t)
+	selinux_unmount_fs(init_t)
+
+	storage_getattr_removable_dev(init_t)
+
+	term_relabel_ptys_dirs(init_t)
+
+	auth_relabel_login_records(init_t)
+	auth_relabel_pam_console_data_dirs(init_t)
+
+	clock_read_adjtime(init_t)
+
+	init_read_script_state(init_t)
+
+	seutil_read_file_contexts(init_t)
+
+	systemd_exec_systemctl(init_t)
+	systemd_manage_unit_dirs(init_t)
+	systemd_manage_all_unit_files(init_t)
+	systemd_logger_stream_connect(init_t)
+
+	create_sock_files_pattern(init_t, init_sock_file_type, init_sock_file_type)
+
+')
+
+auth_use_nsswitch(init_t)
+auth_rw_login_records(init_t)
+
+optional_policy(`
+	systemd_filetrans_named_content(init_t)
+')
+
+optional_policy(`
+	lvm_rw_pipes(init_t)
+')
+
 optional_policy(`
-	auth_rw_login_records(init_t)
+	consolekit_manage_log(init_t)
 ')
 
 optional_policy(`
+	dbus_connect_system_bus(init_t)
 	dbus_system_bus_client(init_t)
+	dbus_delete_pid_files(init_t)
+')
+
+optional_policy(`
+	# /var/run/dovecot/login/ssl-parameters.dat is a hard link to
+	# /var/lib/dovecot/ssl-parameters.dat and init tries to clean up
+	# the directory. But we do not want to allow this.
+	# The master process of dovecot will manage this file.
+	dovecot_dontaudit_unlink_lib_files(initrc_t)
 ')
 
 optional_policy(`
-	nscd_socket_use(init_t)
+	plymouthd_stream_connect(init_t)
+	plymouthd_exec_plymouth(init_t)
 ')
 
 optional_policy(`
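Review bot: `storage_raw_rw_fixed_disk(init_t)` at the top of this hunk grants PID 1 raw read and write access to fixed disks with no comment, and it sits outside the init_systemd tunable block that holds the other systemd rules. Raw disk access bypasses every file label, so it deserves a stated reason and the narrowest grant that works; inside the tunable block the patch is content with `storage_getattr_removable_dev(init_t)`. I would add `# systemd: <operation that needs raw fixed-disk I/O>` above it and check whether a read-only or getattr interface is enough. Two smaller things in the same hunk: `dovecot_dontaudit_unlink_lib_files(initrc_t)` sits among init_t rules, and the `# Until systemd is fixed` rule lets every daemon read and write all init_t socket classes without saying which fix is awaited.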
@@ -210,6 +364,17 @@
 ')
 
 optional_policy(`
+	udev_read_db(init_t)
+	udev_relabelto_db(init_t)
+	udev_create_kobject_uevent_socket(init_t)
+')
+
+#optional_policy(`
+#	xserver_relabel_xdm_tmp_dirs(init_t)
+#	xserver_manage_xdm_tmp_dirs(init_t)
+#')
+
+optional_policy(`
 	unconfined_domain(init_t)
 ')
 
@@ -219,8 +384,8 @@
 #
 
 allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
-allow initrc_t self:capability ~{ sys_admin sys_module };
-dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
+allow initrc_t self:capability ~{ sys_ptrace audit_control audit_write sys_admin sys_module };
+dontaudit initrc_t self:capability { sys_ptrace sys_module }; # sysctl is triggering this
 allow initrc_t self:passwd rootok;
 allow initrc_t self:key manage_key_perms;
 
@@ -255,6 +420,7 @@
 manage_dirs_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t)
 manage_lnk_files_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t)
 files_tmp_filetrans(initrc_t, initrc_tmp_t, { file dir })
+allow initrc_t initrc_tmp_t:dir relabelfrom;
 
 init_write_initctl(initrc_t)
 
@@ -266,20 +432,33 @@
 kernel_clear_ring_buffer(initrc_t)
 kernel_get_sysvipc_info(initrc_t)
 kernel_read_all_sysctls(initrc_t)
+kernel_request_load_module(initrc_t)
 kernel_rw_all_sysctls(initrc_t)
 # for lsof which is used by alsa shutdown:
 kernel_dontaudit_getattr_message_if(initrc_t)
+kernel_stream_connect(initrc_t)
+files_read_kernel_modules(initrc_t)
+files_read_config_files(initrc_t)
+files_read_var_lib_symlinks(initrc_t)
+files_setattr_pid_dirs(initrc_t)
 
 files_read_kernel_symbol_table(initrc_t)
+files_exec_etc_files(initrc_t)
+files_manage_etc_symlinks(initrc_t)
+
+fs_manage_tmpfs_dirs(initrc_t)
+fs_manage_tmpfs_symlinks(initrc_t)
+fs_delete_tmpfs_files(initrc_t)
+fs_tmpfs_filetrans(initrc_t, initrc_state_t, file)
 
 corecmd_exec_all_executables(initrc_t)
 
 corenet_all_recvfrom_unlabeled(initrc_t)
 corenet_all_recvfrom_netlabel(initrc_t)
-corenet_tcp_sendrecv_all_if(initrc_t)
-corenet_udp_sendrecv_all_if(initrc_t)
-corenet_tcp_sendrecv_all_nodes(initrc_t)
-corenet_udp_sendrecv_all_nodes(initrc_t)
+corenet_tcp_sendrecv_generic_if(initrc_t)
+corenet_udp_sendrecv_generic_if(initrc_t)
+corenet_tcp_sendrecv_generic_node(initrc_t)
+corenet_udp_sendrecv_generic_node(initrc_t)
 corenet_tcp_sendrecv_all_ports(initrc_t)
 corenet_udp_sendrecv_all_ports(initrc_t)
 corenet_tcp_connect_all_ports(initrc_t)
@@ -287,6 +466,7 @@
 
 dev_read_rand(initrc_t)
 dev_read_urand(initrc_t)
+dev_dontaudit_read_kmsg(initrc_t)
 dev_write_kmsg(initrc_t)
 dev_write_rand(initrc_t)
 dev_write_urand(initrc_t)
@@ -298,8 +478,10 @@
 clock_rw_adjtime(initrc_t)
 dev_read_sound_mixer(initrc_t)
 dev_write_sound_mixer(initrc_t)
+dev_setattr_generic_dirs(initrc_t)
 dev_setattr_all_chr_files(initrc_t)
 dev_rw_lvm_control(initrc_t)
+dev_rw_generic_chr_files(initrc_t)
 dev_delete_lvm_control_dev(initrc_t)
 dev_manage_generic_symlinks(initrc_t)
 dev_manage_generic_files(initrc_t)
@@ -313,17 +495,16 @@
 
 dev_getattr_all_blk_files(initrc_t)
 dev_getattr_all_chr_files(initrc_t)
-# Early devtmpfs
-dev_rw_generic_chr_files(initrc_t)
+dev_rw_xserver_misc(initrc_t)
 
 domain_kill_all_domains(initrc_t)
 domain_signal_all_domains(initrc_t)
 domain_signull_all_domains(initrc_t)
 domain_sigstop_all_domains(initrc_t)
+domain_sigstop_all_domains(initrc_t)
 domain_sigchld_all_domains(initrc_t)
 domain_read_all_domains_state(initrc_t)
 domain_getattr_all_domains(initrc_t)
-domain_dontaudit_ptrace_all_domains(initrc_t)
 domain_getsession_all_domains(initrc_t)
 domain_use_interactive_fds(initrc_t)
 # for lsof which is used by alsa shutdown:
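Review bot: The added `domain_sigstop_all_domains(initrc_t)` repeats the context line directly above it, so it has no effect and should be removed. The same hunk drops `domain_dontaudit_ptrace_all_domains(initrc_t)`, and `mcs_ptrace_all` is removed further down, so ptrace attempts by init scripts will presumably now be denied and logged. If that is intended, a comment such as `# ptrace is not granted to init scripts; denials are audited on purpose` would record it.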
@@ -331,6 +512,7 @@
 domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
 domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
 domain_dontaudit_getattr_all_pipes(initrc_t)
+domain_obj_id_change_exemption(initrc_t)
 
 files_getattr_all_dirs(initrc_t)
 files_getattr_all_files(initrc_t)
@@ -338,8 +520,10 @@
 files_getattr_all_pipes(initrc_t)
 files_getattr_all_sockets(initrc_t)
 files_purge_tmp(initrc_t)
-files_delete_all_locks(initrc_t)
+files_manage_all_locks(initrc_t)
+files_manage_boot_files(initrc_t)
 files_read_all_pids(initrc_t)
+files_delete_root_files(initrc_t)
 files_delete_all_pids(initrc_t)
 files_delete_all_pid_dirs(initrc_t)
 files_read_etc_files(initrc_t)
@@ -355,8 +539,12 @@
 files_mounton_isid_type_dirs(initrc_t)
 files_list_default(initrc_t)
 files_mounton_default(initrc_t)
+files_manage_mnt_dirs(initrc_t)
+files_manage_mnt_files(initrc_t)
 
-fs_write_cgroup_files(initrc_t)
+fs_delete_cgroup_dirs(initrc_t)
+fs_list_cgroup_dirs(initrc_t)
+fs_rw_cgroup_files(initrc_t)
 fs_list_inotifyfs(initrc_t)
 fs_register_binary_executable_type(initrc_t)
 # rhgb-console writes to ramfs
@@ -366,18 +554,22 @@
 fs_unmount_all_fs(initrc_t)
 fs_remount_all_fs(initrc_t)
 fs_getattr_all_fs(initrc_t)
+fs_search_all(initrc_t)
+fs_getattr_nfsd_files(initrc_t)
 
 # initrc_t needs to do a pidof which requires ptrace
-mcs_ptrace_all(initrc_t)
+mcs_file_read_all(initrc_t)
+mcs_file_write_all(initrc_t)
 mcs_killall(initrc_t)
 mcs_process_set_categories(initrc_t)
 
 mls_file_read_all_levels(initrc_t)
 mls_file_write_all_levels(initrc_t)
-mls_process_read_up(initrc_t)
-mls_process_write_down(initrc_t)
+mls_process_read_all_levels(initrc_t)
+mls_process_write_all_levels(initrc_t)
 mls_rangetrans_source(initrc_t)
 mls_fd_share_all_levels(initrc_t)
+mls_socket_write_to_clearance(initrc_t)
 
 selinux_get_enforce_mode(initrc_t)
 
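Review bot: The comment `# initrc_t needs to do a pidof which requires ptrace` is now stale. The `mcs_ptrace_all(initrc_t)` line it described is removed, and it now sits above `mcs_file_read_all` and `mcs_file_write_all`, which are file grants. Replace it with something like `# init scripts read and write files at any MCS category`. The MLS change below it, from `mls_process_read_up` and `mls_process_write_down` to the `_all_levels` forms, also changes the grant without a comment.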
@@ -410,10 +602,8 @@
 
 miscfiles_read_localization(initrc_t)
 # slapd needs to read cert files from its initscript
-miscfiles_read_generic_certs(initrc_t)
+miscfiles_manage_generic_cert_files(initrc_t)
 
-modutils_read_module_config(initrc_t)
-modutils_domtrans_insmod(initrc_t)
 
 seutil_read_config(initrc_t)
 
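Review bot: `miscfiles_manage_generic_cert_files(initrc_t)` replaces a read-only grant, yet the comment above it still says `# slapd needs to read cert files from its initscript`. By its name, manage lets any init script create, overwrite or delete files of the generic certificate type, so the widening needs its own reason. If an init script generates a certificate on first start, say so with `# <initscript> creates its certificate on first start`; otherwise keep `miscfiles_read_generic_certs(initrc_t)`. The hunk also leaves two blank lines where the modutils calls were removed.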
@@ -421,7 +611,7 @@
 # Allow access to the sysadm TTYs. Note that this will give access to the
 # TTYs to any process in the initrc_t domain. Therefore, daemons and such
 # started from init should be placed in their own domain.
-userdom_use_user_terminals(initrc_t)
+userdom_use_inherited_user_terminals(initrc_t)
 
 # seed udev /dev
 dev_create_generic_dirs(initrc_t)
@@ -495,6 +685,10 @@
 	sysnet_setattr_config(initrc_t)
 
 	optional_policy(`
+		abrt_manage_pid_files(initrc_t)
+	')
+
+	optional_policy(`
 		alsa_read_lib(initrc_t)
 	')
 
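Review bot: `abrt_manage_pid_files(initrc_t)` is added here and again, in its own optional_policy block, in the hunk at `@@ -559,8 +754,35 @@`. Both blocks are indented one level, so they appear to sit in the same enclosing block, whose start is outside these hunks; if so, one copy is enough. The second copy is also indented with spaces rather than tabs.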
@@ -515,7 +709,7 @@
 
 	# Red Hat systems seem to have a stray
 	# fd open from the initrd
-	kernel_dontaudit_use_fds(initrc_t)
+	kernel_use_fds(initrc_t)
 	files_dontaudit_read_root_files(initrc_t)
 
 	# These seem to be from the initrd
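Review bot: `kernel_use_fds(initrc_t)` now allows what the comment above it describes as a stray descriptor left open from the initrd. The old `kernel_dontaudit_use_fds(initrc_t)` only silenced the denial, whereas the new line lets init scripts use file descriptors inherited from kernel_t. If something really reads that descriptor, name it in the comment, e.g. `# <consumer> uses the fd passed from the initrd`; if not, keep the dontaudit form.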
@@ -550,6 +744,7 @@
 	miscfiles_rw_localization(initrc_t)
 	miscfiles_setattr_localization(initrc_t)
 	miscfiles_relabel_localization(initrc_t)
+	miscfiles_filetrans_named_content(initrc_t)
 
 	miscfiles_read_fonts(initrc_t)
 	miscfiles_read_hwdata(initrc_t)
@@ -559,8 +754,35 @@
 	')
 
 	optional_policy(`
+	        abrt_manage_pid_files(initrc_t)
+	')
+
+	optional_policy(`
 		bind_manage_config_dirs(initrc_t)
+		bind_manage_config(initrc_t)
 		bind_write_config(initrc_t)
+		bind_setattr_zone_dirs(initrc_t)
+	')
+
+	optional_policy(`
+		devicekit_append_inherited_log_files(initrc_t)
+	')
+
+	optional_policy(`
+		dirsrvadmin_read_config(initrc_t)
+		dirsrv_manage_var_run(initrc_t)
+	')
+
+	optional_policy(`
+		gnome_manage_gconf_config(initrc_t)
+	')
+
+	optional_policy(`
+		ldap_read_db_files(initrc_t)
+	')
+
+	optional_policy(`
+		pulseaudio_stream_connect(initrc_t)
 	')
 
 	optional_policy(`
@@ -568,14 +790,27 @@
 		rpc_write_exports(initrc_t)
 		rpc_manage_nfs_state_data(initrc_t)
 	')
+	optional_policy(`
+		rpcbind_stream_connect(initrc_t)
+	')
 
 	optional_policy(`
 		sysnet_rw_dhcp_config(initrc_t)
 		sysnet_manage_config(initrc_t)
+		sysnet_manage_dhcpc_state(initrc_t)
+		sysnet_relabelfrom_dhcpc_state(initrc_t)
+		sysnet_relabelfrom_net_conf(initrc_t)
+		sysnet_relabelto_net_conf(initrc_t)
+		sysnet_filetrans_named_content(initrc_t)
+	')
+
+	optional_policy(`
+		wdmd_manage_pid_files(initrc_t)
 	')
 
 	optional_policy(`
 		xserver_delete_log(initrc_t)
+		xserver_manage_user_fonts_dir(initrc_t)
 	')
 ')
 
@@ -586,6 +821,32 @@
 	')
 ')
 
+domain_dontaudit_use_interactive_fds(daemon)
+
+tunable_policy(`allow_daemons_use_tty',`
+	term_use_unallocated_ttys(daemon)
+	term_use_generic_ptys(daemon)
+	term_use_all_ttys(daemon)
+	term_use_all_ptys(daemon)
+',`
+	term_dontaudit_use_unallocated_ttys(daemon)
+	term_dontaudit_use_generic_ptys(daemon)
+	term_dontaudit_use_all_ttys(daemon)
+	term_dontaudit_use_all_ptys(daemon)
+ ')
+ 
+# system-config-services causes avc messages that should be dontaudited
+tunable_policy(`allow_daemons_dump_core',`
+	files_manage_root_files(daemon)
+')
+
+optional_policy(`
+	unconfined_dontaudit_rw_pipes(daemon)
+	unconfined_dontaudit_rw_stream(daemon)
+	userdom_dontaudit_read_user_tmp_files(daemon)
+	userdom_dontaudit_write_user_tmp_files(daemon)
+')
+ 
 optional_policy(`
 	amavis_search_lib(initrc_t)
 	amavis_setattr_pid_files(initrc_t)
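Review bot: The comment `# system-config-services causes avc messages that should be dontaudited` is attached to the allow_daemons_dump_core tunable, which is an allow rule for core dumps, not a dontaudit. It reads as if it belongs to the `unconfined_dontaudit_rw_pipes(daemon)` block below; move it there and give the tunable its own line, e.g. `# let daemons write core files into /`. By its name, `files_manage_root_files(daemon)` is also wider than writing a core file, since it covers existing files of the root directory type for every daemon. The closing line of the tty tunable and two otherwise blank lines carry stray leading spaces.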
@@ -598,6 +859,8 @@
 optional_policy(`
 	apache_read_config(initrc_t)
 	apache_list_modules(initrc_t)
+	# webmin seems to cause this.
+	apache_search_sys_content(daemon)
 ')
 
 optional_policy(`
@@ -614,6 +877,7 @@
 
 optional_policy(`
 	cgroup_stream_connect_cgred(initrc_t)
+	domain_setpriority_all_domains(initrc_t)
 ')
 
 optional_policy(`
@@ -626,6 +890,12 @@
 ')
 
 optional_policy(`
+	cron_read_pipes(initrc_t)
+	# managing /etc/cron.d/mailman content
+	cron_manage_system_spool(initrc_t)
+')
+
+optional_policy(`
 	dev_getattr_printer_dev(initrc_t)
 
 	cups_read_log(initrc_t)
@@ -642,9 +912,13 @@
 	dbus_connect_system_bus(initrc_t)
 	dbus_system_bus_client(initrc_t)
 	dbus_read_config(initrc_t)
+	dbus_manage_lib_files(initrc_t)
+
+	init_dbus_chat(initrc_t)
 
 	optional_policy(`
 		consolekit_dbus_chat(initrc_t)
+		consolekit_manage_log(initrc_t)
 	')
 
 	optional_policy(`
@@ -686,6 +960,11 @@
 ')
 
 optional_policy(`
+	modutils_read_module_config(initrc_t)
+	modutils_domtrans_insmod(initrc_t)
+')
+
+optional_policy(`
 	inn_exec_config(initrc_t)
 ')
 
@@ -726,6 +1005,7 @@
 	lpd_list_spool(initrc_t)
 
 	lpd_read_config(initrc_t)
+	lpd_manage_spool(init_t)
 ')
 
 optional_policy(`
@@ -743,7 +1023,13 @@
 ')
 
 optional_policy(`
+        milter_delete_dkim_pid_files(initrc_t)
+	milter_setattr_all_dirs(initrc_t)
+')
+
+optional_policy(`
 	mta_read_config(initrc_t)
+	mta_write_config(initrc_t)
 	mta_dontaudit_read_spool_symlinks(initrc_t)
 ')
 
@@ -766,6 +1052,10 @@
 ')
 
 optional_policy(`
+	plymouthd_stream_connect(initrc_t)
+')
+
+optional_policy(`
 	postgresql_manage_db(initrc_t)
 	postgresql_read_config(initrc_t)
 ')
@@ -779,6 +1069,7 @@
 	puppet_rw_tmp(initrc_t)
 ')
 
+
 optional_policy(`
 	quota_manage_flags(initrc_t)
 ')
@@ -809,8 +1100,6 @@
 	# bash tries ioctl for some reason
 	files_dontaudit_ioctl_all_pids(initrc_t)
 
-	# why is this needed:
-	rpm_manage_db(initrc_t)
 ')
 
 optional_policy(`
@@ -828,10 +1117,12 @@
 	squid_manage_logs(initrc_t)
 ')
 
+ifdef(`enabled_mls',`
 optional_policy(`
 	# allow init scripts to su
 	su_restricted_domain_template(initrc, initrc_t, system_r)
 ')
+')
 
 optional_policy(`
 	ssh_dontaudit_read_server_keys(initrc_t)
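Review bot: The new ifdef guard is spelled `enabled_mls`, but the commented-out block at the end of this same file's diff uses `enable_mls`. If `enable_mls` is the symbol the build defines, which is the refpolicy convention, this guard is never true and `su_restricted_domain_template(initrc, initrc_t, system_r)` is silently dropped from every build, MLS or not. Use `enable_mls` if an MLS-only rule is the intent, add a comment saying why su for init scripts is limited to MLS, and indent the wrapped block.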
@@ -843,7 +1134,6 @@
 ')
 
 optional_policy(`
-	udev_rw_db(initrc_t)
 	udev_manage_pid_files(initrc_t)
 	udev_manage_rules_files(initrc_t)
 ')
@@ -852,12 +1142,20 @@
 	uml_setattr_util_sockets(initrc_t)
 ')
 
+# Cron jobs used to start and stop services
 optional_policy(`
-	virt_manage_svirt_cache(initrc_t)
+	cron_rw_pipes(daemon)
+	cron_rw_inherited_user_spool_files(daemon)
 ')
 
 optional_policy(`
 	unconfined_domain(initrc_t)
+	domain_role_change_exemption(initrc_t)
+	mcs_file_read_all(initrc_t)
+	mcs_file_write_all(initrc_t)
+	mcs_killall(initrc_t)
+
+	files_tmp_filetrans(initrc_t, initrc_tmp_t, { dir_file_class_set })
 
 	ifdef(`distro_redhat',`
 		# system-config-services causes avc messages that should be dontaudited
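Review bot: `mcs_file_read_all(initrc_t)`, `mcs_file_write_all(initrc_t)` and `mcs_killall(initrc_t)` inside the unconfined block repeat grants that already stand unconditionally in the hunk at `@@ -366,18 +554,22 @@`, so they can be removed here. `files_tmp_filetrans(initrc_t, initrc_tmp_t, { dir_file_class_set })` wraps a class-set macro in a second pair of braces; `dir_file_class_set` alone would read more clearly, assuming the macro already expands to a braced set. The new `# Cron jobs used to start and stop services` block applies to `daemon`, not initrc_t, and would be easier to find with the other daemon rules at the end of the file.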
@@ -867,6 +1165,15 @@
 	optional_policy(`
 		mono_domtrans(initrc_t)
 	')
+
+	optional_policy(`
+		rtkit_scheduled(initrc_t)
+	')
+')
+
+optional_policy(`
+	rpm_read_db(initrc_t)
+	rpm_delete_db(initrc_t)
 ')
 
 optional_policy(`
@@ -889,3 +1196,150 @@
 optional_policy(`
 	zebra_read_config(initrc_t)
 ')
+
+userdom_dontaudit_rw_stream(daemon)
+
+logging_inherit_append_all_logs(daemon)
+
+optional_policy(`
+	# sudo service restart causes this 
+	unconfined_signull(daemon)
+')
+
+
+optional_policy(`
+	tunable_policy(`use_nfs_home_dirs',`
+		fs_dontaudit_rw_nfs_files(daemon)
+	')
+	tunable_policy(`use_samba_home_dirs',`
+		fs_dontaudit_rw_cifs_files(daemon)
+	')
+')
+
+init_rw_script_stream_sockets(daemon)
+
+optional_policy(`
+	abrt_stream_connect(daemon)
+')
+
+optional_policy(`
+	fail2ban_read_lib_files(daemon)
+')
+
+init_rw_stream_sockets(daemon)
+
+allow init_t var_run_t:dir relabelto;
+
+init_stream_connect(initrc_t)
+
+allow initrc_t daemon:process siginh;
+allow daemon initrc_transition_domain:fifo_file rw_inherited_fifo_file_perms;
+allow daemon initrc_transition_domain:fd use;
+
+tunable_policy(`init_systemd',`
+	allow init_t daemon:unix_stream_socket create_stream_socket_perms;
+	allow init_t daemon:unix_dgram_socket create_socket_perms;
+	allow init_t daemon:tcp_socket create_stream_socket_perms;
+	allow init_t daemon:udp_socket create_socket_perms;
+	allow daemon init_t:unix_dgram_socket sendto;
+	# need write to /var/run/systemd/notify
+	init_write_pid_socket(daemon)
+	allow daemon init_t:unix_stream_socket { append write read getattr ioctl };
+')
+
+# daemons started from init will
+# inherit fds from init for the console
+init_dontaudit_use_fds(daemon)
+term_dontaudit_use_console(daemon)
+# init script ptys are the stdin/out/err
+# when using run_init
+init_use_script_ptys(daemon)
+
+allow init_t daemon:process siginh;
+
+ifdef(`hide_broken_symptoms',`
+	# RHEL4 systems seem to have a stray
+	# fds open from the initrd
+	ifdef(`distro_rhel4',`
+		kernel_dontaudit_use_fds(daemon)
+	')
+
+	dontaudit daemon init_t:dir search_dir_perms;
+')
+
+optional_policy(`
+	nscd_socket_use(daemon)
+')
+
+optional_policy(`
+	puppet_rw_tmp(daemon)
+')
+
+allow direct_run_init daemon:process { noatsecure siginh rlimitinh };
+
+allow initrc_t systemprocess:process siginh;
+allow systemprocess initrc_transition_domain:fifo_file rw_inherited_fifo_file_perms;
+allow systemprocess initrc_transition_domain:fd use;
+
+dontaudit systemprocess init_t:unix_stream_socket getattr;
+
+
+tunable_policy(`init_systemd',`
+	# Handle upstart/systemd direct transition to a executable
+	allow init_t systemprocess:process { dyntransition siginh };
+	allow init_t systemprocess:unix_stream_socket create_stream_socket_perms;
+	allow init_t systemprocess:unix_dgram_socket create_socket_perms;
+	allow systemprocess init_t:unix_dgram_socket sendto;
+	allow systemprocess init_t:unix_stream_socket { append write read getattr ioctl };
+')
+
+ifdef(`hide_broken_symptoms',`
+	# RHEL4 systems seem to have a stray
+	# fds open from the initrd
+	ifdef(`distro_rhel4',`
+		kernel_dontaudit_use_fds(systemprocess)
+	')
+')
+
+userdom_dontaudit_search_user_home_dirs(systemprocess)
+userdom_dontaudit_rw_stream(systemprocess)
+userdom_dontaudit_write_user_tmp_files(systemprocess)
+
+tunable_policy(`allow_daemons_use_tty',`
+   term_use_all_ttys(systemprocess)
+   term_use_all_ptys(systemprocess)
+',`
+   term_dontaudit_use_all_ttys(systemprocess)
+   term_dontaudit_use_all_ptys(systemprocess)
+')
+
+# these apps are often redirect output to random log files
+logging_inherit_append_all_logs(systemprocess)
+
+optional_policy(`
+	abrt_stream_connect(systemprocess)
+')
+
+optional_policy(`
+	cron_rw_pipes(systemprocess)
+')
+
+optional_policy(`
+	puppet_rw_tmp(systemprocess)
+')
+
+optional_policy(`
+	unconfined_dontaudit_rw_pipes(systemprocess)
+	unconfined_dontaudit_rw_stream(systemprocess)
+	userdom_dontaudit_read_user_tmp_files(systemprocess)
+')
+
+init_rw_script_stream_sockets(systemprocess)
+
+role system_r types systemprocess;
+role system_r types daemon;
+
+#ifdef(`enable_mls',`
+#	mls_rangetrans_target(systemprocess)
+#')
+
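Review bot: `allow init_t var_run_t:dir relabelto;` refers to var_run_t directly, although no gen_require for that type is visible in this hunk and the type belongs to another module. The rule also sits outside the init_systemd tunable, so it applies to every init system. The `files_relabel_all_pid_dirs(init_t)` call added in the init_systemd block may already cover it, in which case the raw rule can go; otherwise wrap it in a files interface. Further down, `allow init_t systemprocess:process { dyntransition siginh };` lets PID 1 change into any systemprocess domain without an exec; its only comment is `# Handle upstart/systemd direct transition to a executable`, which should name the caller that needs it. The daemon and systemprocess sections are near copies of each other, and the trailing commented-out enable_mls block is dead code.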
Index: refpolicy-2.20110726/policy/global_tunables
===================================================================
--- refpolicy-2.20110726.orig/policy/global_tunables	2012-06-30 12:31:58.024437740 +1000
+++ refpolicy-2.20110726/policy/global_tunables	2012-06-30 12:32:00.276479907 +1000
@@ -6,6 +6,13 @@
 
 ## <desc>
 ## <p>
+## Allow sysadm to debug or ptrace all processes.
+## </p>
+## </desc>
+gen_tunable(deny_ptrace, false)
+
+## <desc>
+## <p>
 ## Allow unconfined executables to make their heap memory executable.  Doing this is a really bad idea. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla
 ## </p>
 ## </desc>
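Review bot: The description `Allow sysadm to debug or ptrace all processes.` says the opposite of what the name `deny_ptrace` implies. An administrator reading the boolean's help text would expect that enabling it grants ptrace, while the name says it takes ptrace away. The rules that test this tunable are not in this hunk, so confirm the polarity first, then make the text match, e.g. `## Deny all domains the ability to ptrace or debug other processes.`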
Index: refpolicy-2.20110726/policy/modules/kernel/filesystem.te
===================================================================
--- refpolicy-2.20110726.orig/policy/modules/kernel/filesystem.te	2012-06-30 12:31:58.368444181 +1000
+++ refpolicy-2.20110726/policy/modules/kernel/filesystem.te	2012-06-30 12:32:45.285314741 +1000
@@ -98,6 +98,8 @@
 files_type(hugetlbfs_t)
 files_poly_parent(hugetlbfs_t)
 fs_use_trans hugetlbfs gen_context(system_u:object_r:hugetlbfs_t,s0);
+# for systemd
+dev_associate(hugetlbfs_t)
 
 type ibmasmfs_t;
 fs_type(ibmasmfs_t)
Index: refpolicy-2.20110726/policy/modules/kernel/kernel.te
===================================================================
--- refpolicy-2.20110726.orig/policy/modules/kernel/kernel.te	2012-06-30 12:31:57.912435642 +1000
+++ refpolicy-2.20110726/policy/modules/kernel/kernel.te	2012-06-30 12:32:00.276479907 +1000
@@ -288,6 +288,8 @@
 
 optional_policy(`
 	init_sigchld(kernel_t)
+	init_dyntrans(kernel_t)
+	domain_dyntrans_type(kernel_t)
 ')
 
 optional_policy(`
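Review bot: `init_dyntrans(kernel_t)` and `domain_dyntrans_type(kernel_t)` are added without a comment, unlike the filesystem.te and lvm.te hunks of this patch, which mark their additions `# for systemd`. A dynamic transition changes a running process's domain without an exec, so such rules are worth documenting where they are granted. Add a line such as `# <why kernel_t must dyntransition to init_t>`. If only systemd needs it, say so, because the rule applies to every init system as placed.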
Index: refpolicy-2.20110726/policy/modules/system/lvm.fc
===================================================================
--- refpolicy-2.20110726.orig/policy/modules/system/lvm.fc	2012-06-30 12:31:47.440239041 +1000
+++ refpolicy-2.20110726/policy/modules/system/lvm.fc	2012-06-30 12:32:45.285314741 +1000
@@ -28,6 +28,7 @@
 #
 /lib/lvm-10/.*		--	gen_context(system_u:object_r:lvm_exec_t,s0)
 /lib/lvm-200/.*		--	gen_context(system_u:object_r:lvm_exec_t,s0)
+/lib/systemd/systemd-cryptsetup -- gen_context(system_u:object_r:lvm_exec_t,s0)
 
 #
 # /sbin
Index: refpolicy-2.20110726/policy/modules/system/lvm.te
===================================================================
--- refpolicy-2.20110726.orig/policy/modules/system/lvm.te	2012-06-30 12:31:59.860472121 +1000
+++ refpolicy-2.20110726/policy/modules/system/lvm.te	2012-06-30 12:32:45.285314741 +1000
@@ -296,6 +296,11 @@
 init_use_script_ptys(lvm_t)
 init_read_script_state(lvm_t)
 
+# for systemd-cryptsetup
+dev_write_kmsg(lvm_t)
+init_search_pid_dirs(lvm_t)
+init_write_pid_socket(lvm_t)
+
 logging_send_syslog_msg(lvm_t)
 
 miscfiles_read_localization(lvm_t)
Index: refpolicy-2.20110726/policy/modules/system/authlogin.te
===================================================================
--- refpolicy-2.20110726.orig/policy/modules/system/authlogin.te	2012-06-30 12:31:47.440239041 +1000
+++ refpolicy-2.20110726/policy/modules/system/authlogin.te	2012-06-30 12:32:45.113311581 +1000
@@ -22,6 +22,9 @@
 
 type faillog_t;
 logging_log_file(faillog_t)
+optional_policy(`
+	systemd_tmpfiles_manage_object(faillog_t, file)
+')
 
 type lastlog_t;
 logging_log_file(lastlog_t)
@@ -73,6 +76,9 @@
 #
 type var_auth_t;
 files_type(var_auth_t)
+optional_policy(`
+	systemd_tmpfiles_manage_object(var_auth_t, dir)
+')
 
 type wtmp_t;
 logging_log_file(wtmp_t)
Index: refpolicy-2.20110726/policy/modules/system/miscfiles.te
===================================================================
--- refpolicy-2.20110726.orig/policy/modules/system/miscfiles.te	2012-06-30 12:31:47.440239041 +1000
+++ refpolicy-2.20110726/policy/modules/system/miscfiles.te	2012-06-30 12:32:00.276479907 +1000
@@ -40,6 +40,9 @@
 #
 type man_t alias catman_t;
 files_type(man_t)
+optional_policy(`
+	systemd_tmpfiles_manage_object(man_t, dir)
+')
 
 #
 # Types for public content
Index: refpolicy-2.20110726/policy/modules/services/portslave.te
===================================================================
--- refpolicy-2.20110726.orig/policy/modules/services/portslave.te	2012-06-30 12:31:58.804452352 +1000
+++ refpolicy-2.20110726/policy/modules/services/portslave.te	2012-06-30 12:32:00.276479907 +1000
@@ -7,7 +7,6 @@
 
 type portslave_t;
 type portslave_exec_t;
-init_domain(portslave_t, portslave_exec_t)
 init_daemon_domain(portslave_t, portslave_exec_t)
 
 type portslave_etc_t;
Index: refpolicy-2.20110726/policy/modules/services/ssh.te
===================================================================
--- refpolicy-2.20110726.orig/policy/modules/services/ssh.te	2012-06-30 12:31:59.460464629 +1000
+++ refpolicy-2.20110726/policy/modules/services/ssh.te	2012-06-30 12:33:31.378154948 +1000
@@ -269,6 +269,10 @@
 ')
 
 optional_policy(`
+	systemd_write_inherited_logind_sessions_pipes(sshd_t)
+')
+
+optional_policy(`
 	daemontools_service_domain(sshd_t, sshd_exec_t)
 ')
 
