From 19096d0b1c6ffe9ed5021698d13e133c238acfb8 Mon Sep 17 00:00:00 2001
From: Kenton Groombridge <concord@gentoo.org>
Date: Fri, 6 Oct 2023 11:52:34 -0400
Subject: [PATCH] Update generated policy and doc files

Signed-off-by: Kenton Groombridge <concord@gentoo.org>
---
 doc/policy.xml       | 4320 ++++++++++++++++++++++++------------------
 policy/booleans.conf |  103 +-
 policy/modules.conf  |   49 +
 3 files changed, 2651 insertions(+), 1821 deletions(-)

diff --git a/doc/policy.xml b/doc/policy.xml
index ec78d3383..e96f1ea28 100644
--- a/doc/policy.xml
+++ b/doc/policy.xml
@@ -5634,7 +5634,28 @@ The domain for which gpg_exec_t is an entrypoint.
 </summary>
 </param>
 </interface>
-<interface name="gpg_signal" lineno="208">
+<interface name="gpg_agent_exec" lineno="208">
+<summary>
+Execute the gpg_agent in the caller domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="gpg_agent_entry_type" lineno="228">
+<summary>
+Make gpg_agent executable files an
+entrypoint for the specified domain.
+</summary>
+<param name="domain">
+<summary>
+The domain for which gpg_agent_exec_t is an entrypoint.
+</summary>
+</param>
+</interface>
+<interface name="gpg_signal" lineno="246">
 <summary>
 Send generic signals to gpg.
 </summary>
@@ -5644,7 +5665,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="gpg_rw_agent_pipes" lineno="226">
+<interface name="gpg_rw_agent_pipes" lineno="264">
 <summary>
 Read and write gpg agent pipes.
 </summary>
@@ -5654,7 +5675,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="gpg_stream_connect_agent" lineno="244">
+<interface name="gpg_stream_connect_agent" lineno="282">
 <summary>
 Connect to gpg agent socket
 </summary>
@@ -5664,7 +5685,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="gpg_search_agent_tmp_dirs" lineno="266">
+<interface name="gpg_search_agent_tmp_dirs" lineno="304">
 <summary>
 Search gpg agent dirs.
 </summary>
@@ -5674,7 +5695,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="gpg_agent_tmp_filetrans" lineno="300">
+<interface name="gpg_agent_tmp_filetrans" lineno="338">
 <summary>
 filetrans in gpg_agent_tmp_t dirs
 </summary>
@@ -5700,7 +5721,7 @@ The name of the object being created.
 </summary>
 </param>
 </interface>
-<interface name="gpg_runtime_filetrans" lineno="335">
+<interface name="gpg_runtime_filetrans" lineno="373">
 <summary>
 filetrans in gpg_runtime_t dirs
 </summary>
@@ -5726,7 +5747,17 @@ The name of the object being created.
 </summary>
 </param>
 </interface>
-<interface name="gpg_secret_filetrans" lineno="370">
+<interface name="gpg_dontaudit_getattr_gpg_runtime_dirs" lineno="392">
+<summary>
+Do not audit attempt to getattr gpg runtime dirs.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="gpg_secret_filetrans" lineno="428">
 <summary>
 filetrans in gpg_secret_t dirs
 </summary>
@@ -5752,7 +5783,7 @@ The name of the object being created.
 </summary>
 </param>
 </interface>
-<interface name="gpg_pinentry_dbus_chat" lineno="391">
+<interface name="gpg_pinentry_dbus_chat" lineno="449">
 <summary>
 Send messages to and from gpg
 pinentry over DBUS.
@@ -5763,7 +5794,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="gpg_dontaudit_search_user_secrets" lineno="412">
+<interface name="gpg_dontaudit_search_user_secrets" lineno="470">
 <summary>
 Do not audit attempts to search gpg
 user secrets.
@@ -5774,7 +5805,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="gpg_list_user_secrets" lineno="430">
+<interface name="gpg_list_user_secrets" lineno="490">
 <summary>
 List gpg user secrets.
 </summary>
@@ -5784,6 +5815,16 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
+<interface name="gpg_dontaudit_search_user_secrets_dirs" lineno="509">
+<summary>
+Do not audit attempt to search gpg user secrets dirs.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
 <tunable name="gpg_agent_env_file" dftval="false">
 <desc>
 <p>
@@ -7384,6 +7425,14 @@ writable memory
 </p>
 </desc>
 </tunable>
+<tunable name="pulseaudio_can_network" dftval="false">
+<desc>
+<p>
+Determine whether pulseaudio
+can use the network.
+</p>
+</desc>
+</tunable>
 </module>
 <module name="qemu" filename="policy/modules/apps/qemu.if">
 <summary>QEMU machine emulator and virtualizer.</summary>
@@ -8618,7 +8667,7 @@ Role allowed access
 </summary>
 </param>
 </template>
-<interface name="wm_exec" lineno="126">
+<interface name="wm_exec" lineno="132">
 <summary>
 Execute wm in the caller domain.
 </summary>
@@ -8628,7 +8677,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<template name="wm_dbus_chat" lineno="152">
+<template name="wm_dbus_chat" lineno="158">
 <summary>
 Send and receive messages from
 specified wm over dbus.
@@ -8645,7 +8694,7 @@ Domain allowed access.
 </summary>
 </param>
 </template>
-<interface name="wm_dontaudit_exec_tmp_files" lineno="173">
+<interface name="wm_dontaudit_exec_tmp_files" lineno="179">
 <summary>
 Do not audit attempts to execute
 files in temporary directories.
@@ -8656,7 +8705,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="wm_dontaudit_exec_tmpfs_files" lineno="192">
+<interface name="wm_dontaudit_exec_tmpfs_files" lineno="198">
 <summary>
 Do not audit attempts to execute
 files in temporary filesystems.
@@ -8667,7 +8716,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="wm_application_domain" lineno="235">
+<interface name="wm_application_domain" lineno="241">
 <summary>
 Create a domain for applications
 that are launched by the window
@@ -8702,7 +8751,7 @@ Type to be used as the source window manager domain.
 </param>
 <infoflow type="none"/>
 </interface>
-<template name="wm_write_pipes" lineno="260">
+<template name="wm_write_pipes" lineno="266">
 <summary>
 Write wm unnamed pipes.
 </summary>
@@ -8747,6 +8796,34 @@ Role allowed access
 </summary>
 </param>
 </template>
+<interface name="xscreensaver_domtrans" lineno="69">
+<summary>
+Make a domain transition to the
+xscreensaver target domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="xscreensaver_run" lineno="95">
+<summary>
+Execute xscreensaver in the xscreensaver
+domain, and allow the specified role
+the xscreensaver domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+</interface>
 <tunable name="xscreensaver_read_generic_user_content" dftval="true">
 <desc>
 <p>
@@ -57198,7 +57275,17 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_rw_infiniband" lineno="2417">
+<interface name="dev_read_iio" lineno="2417">
+<summary>
+Allow read/write access to InfiniBand devices.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_rw_infiniband" lineno="2435">
 <summary>
 Allow read/write access to InfiniBand devices.
 </summary>
@@ -57208,7 +57295,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_read_kmsg" lineno="2435">
+<interface name="dev_read_kmsg" lineno="2453">
 <summary>
 Read the kernel messages
 </summary>
@@ -57218,7 +57305,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_dontaudit_read_kmsg" lineno="2453">
+<interface name="dev_dontaudit_read_kmsg" lineno="2471">
 <summary>
 Do not audit attempts to read the kernel messages
 </summary>
@@ -57228,7 +57315,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="dev_write_kmsg" lineno="2471">
+<interface name="dev_write_kmsg" lineno="2489">
 <summary>
 Write to the kernel messages device
 </summary>
@@ -57238,7 +57325,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_rw_kmsg" lineno="2489">
+<interface name="dev_rw_kmsg" lineno="2507">
 <summary>
 Read and write to the kernel messages device
 </summary>
@@ -57248,7 +57335,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_mounton_kmsg" lineno="2507">
+<interface name="dev_mounton_kmsg" lineno="2525">
 <summary>
 Mount on the kernel messages device
 </summary>
@@ -57258,7 +57345,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_getattr_ksm_dev" lineno="2525">
+<interface name="dev_getattr_ksm_dev" lineno="2543">
 <summary>
 Get the attributes of the ksm devices.
 </summary>
@@ -57268,7 +57355,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_setattr_ksm_dev" lineno="2543">
+<interface name="dev_setattr_ksm_dev" lineno="2561">
 <summary>
 Set the attributes of the ksm devices.
 </summary>
@@ -57278,7 +57365,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_read_ksm" lineno="2561">
+<interface name="dev_read_ksm" lineno="2579">
 <summary>
 Read the ksm devices.
 </summary>
@@ -57288,7 +57375,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_rw_ksm" lineno="2579">
+<interface name="dev_rw_ksm" lineno="2597">
 <summary>
 Read and write to ksm devices.
 </summary>
@@ -57298,7 +57385,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_getattr_kvm_dev" lineno="2597">
+<interface name="dev_getattr_kvm_dev" lineno="2615">
 <summary>
 Get the attributes of the kvm devices.
 </summary>
@@ -57308,7 +57395,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_setattr_kvm_dev" lineno="2615">
+<interface name="dev_setattr_kvm_dev" lineno="2633">
 <summary>
 Set the attributes of the kvm devices.
 </summary>
@@ -57318,7 +57405,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_read_kvm" lineno="2633">
+<interface name="dev_read_kvm" lineno="2651">
 <summary>
 Read the kvm devices.
 </summary>
@@ -57328,7 +57415,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_rw_kvm" lineno="2651">
+<interface name="dev_rw_kvm" lineno="2669">
 <summary>
 Read and write to kvm devices.
 </summary>
@@ -57338,7 +57425,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_read_lirc" lineno="2669">
+<interface name="dev_read_lirc" lineno="2687">
 <summary>
 Read the lirc device.
 </summary>
@@ -57348,7 +57435,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_rw_lirc" lineno="2687">
+<interface name="dev_rw_lirc" lineno="2705">
 <summary>
 Read and write the lirc device.
 </summary>
@@ -57358,7 +57445,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_filetrans_lirc" lineno="2711">
+<interface name="dev_filetrans_lirc" lineno="2729">
 <summary>
 Automatic type transition to the type
 for lirc device nodes when created in /dev.
@@ -57374,7 +57461,7 @@ The name of the object being created.
 </summary>
 </param>
 </interface>
-<interface name="dev_rw_loop_control" lineno="2729">
+<interface name="dev_rw_loop_control" lineno="2747">
 <summary>
 Read and write the loop-control device.
 </summary>
@@ -57384,7 +57471,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_getattr_lvm_control" lineno="2747">
+<interface name="dev_getattr_lvm_control" lineno="2765">
 <summary>
 Get the attributes of the lvm comtrol device.
 </summary>
@@ -57394,7 +57481,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_read_lvm_control" lineno="2765">
+<interface name="dev_read_lvm_control" lineno="2783">
 <summary>
 Read the lvm comtrol device.
 </summary>
@@ -57404,7 +57491,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_rw_lvm_control" lineno="2783">
+<interface name="dev_rw_lvm_control" lineno="2801">
 <summary>
 Read and write the lvm control device.
 </summary>
@@ -57414,7 +57501,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_dontaudit_rw_lvm_control" lineno="2801">
+<interface name="dev_dontaudit_rw_lvm_control" lineno="2819">
 <summary>
 Do not audit attempts to read and write lvm control device.
 </summary>
@@ -57424,7 +57511,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="dev_delete_lvm_control_dev" lineno="2819">
+<interface name="dev_delete_lvm_control_dev" lineno="2837">
 <summary>
 Delete the lvm control device.
 </summary>
@@ -57434,7 +57521,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_dontaudit_getattr_memory_dev" lineno="2837">
+<interface name="dev_dontaudit_getattr_memory_dev" lineno="2855">
 <summary>
 dontaudit getattr raw memory devices (e.g. /dev/mem).
 </summary>
@@ -57444,7 +57531,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="dev_read_raw_memory" lineno="2858">
+<interface name="dev_read_raw_memory" lineno="2876">
 <summary>
 Read raw memory devices (e.g. /dev/mem).
 This is extremely dangerous as it can bypass the
@@ -57457,7 +57544,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_read_raw_memory_cond" lineno="2888">
+<interface name="dev_read_raw_memory_cond" lineno="2906">
 <summary>
 Read raw memory devices (e.g. /dev/mem) if a tunable is set.
 This is extremely dangerous as it can bypass the
@@ -57475,7 +57562,7 @@ Tunable to depend on
 </summary>
 </param>
 </interface>
-<interface name="dev_dontaudit_read_raw_memory" lineno="2915">
+<interface name="dev_dontaudit_read_raw_memory" lineno="2933">
 <summary>
 Do not audit attempts to read raw memory devices
 (e.g. /dev/mem).
@@ -57489,7 +57576,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="dev_write_raw_memory" lineno="2936">
+<interface name="dev_write_raw_memory" lineno="2954">
 <summary>
 Write raw memory devices (e.g. /dev/mem).
 This is extremely dangerous as it can bypass the
@@ -57502,7 +57589,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_write_raw_memory_cond" lineno="2966">
+<interface name="dev_write_raw_memory_cond" lineno="2984">
 <summary>
 Write raw memory devices (e.g. /dev/mem) if a tunable is set.
 This is extremely dangerous as it can bypass the
@@ -57520,7 +57607,7 @@ Tunable to depend on
 </summary>
 </param>
 </interface>
-<interface name="dev_rx_raw_memory" lineno="2992">
+<interface name="dev_rx_raw_memory" lineno="3010">
 <summary>
 Read and execute raw memory devices (e.g. /dev/mem).
 This is extremely dangerous as it can bypass the
@@ -57533,7 +57620,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_wx_raw_memory" lineno="3014">
+<interface name="dev_wx_raw_memory" lineno="3032">
 <summary>
 Write and execute raw memory devices (e.g. /dev/mem).
 This is extremely dangerous as it can bypass the
@@ -57546,7 +57633,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_wx_raw_memory_cond" lineno="3041">
+<interface name="dev_wx_raw_memory_cond" lineno="3059">
 <summary>
 Write and execute raw memory devices (e.g. /dev/mem) if a tunable is set.
 This is extremely dangerous as it can bypass the
@@ -57564,7 +57651,7 @@ Tunable to depend on
 </summary>
 </param>
 </interface>
-<interface name="dev_getattr_misc_dev" lineno="3064">
+<interface name="dev_getattr_misc_dev" lineno="3082">
 <summary>
 Get the attributes of miscellaneous devices.
 </summary>
@@ -57574,7 +57661,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_dontaudit_getattr_misc_dev" lineno="3083">
+<interface name="dev_dontaudit_getattr_misc_dev" lineno="3101">
 <summary>
 Do not audit attempts to get the attributes
 of miscellaneous devices.
@@ -57585,7 +57672,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="dev_setattr_misc_dev" lineno="3101">
+<interface name="dev_setattr_misc_dev" lineno="3119">
 <summary>
 Set the attributes of miscellaneous devices.
 </summary>
@@ -57595,7 +57682,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_dontaudit_setattr_misc_dev" lineno="3120">
+<interface name="dev_dontaudit_setattr_misc_dev" lineno="3138">
 <summary>
 Do not audit attempts to set the attributes
 of miscellaneous devices.
@@ -57606,7 +57693,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="dev_read_misc" lineno="3138">
+<interface name="dev_read_misc" lineno="3156">
 <summary>
 Read miscellaneous devices.
 </summary>
@@ -57616,7 +57703,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_write_misc" lineno="3156">
+<interface name="dev_write_misc" lineno="3174">
 <summary>
 Write miscellaneous devices.
 </summary>
@@ -57626,7 +57713,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_dontaudit_rw_misc" lineno="3174">
+<interface name="dev_dontaudit_rw_misc" lineno="3192">
 <summary>
 Do not audit attempts to read and write miscellaneous devices.
 </summary>
@@ -57636,7 +57723,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_getattr_modem_dev" lineno="3192">
+<interface name="dev_getattr_modem_dev" lineno="3210">
 <summary>
 Get the attributes of the modem devices.
 </summary>
@@ -57646,7 +57733,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_setattr_modem_dev" lineno="3210">
+<interface name="dev_setattr_modem_dev" lineno="3228">
 <summary>
 Set the attributes of the modem devices.
 </summary>
@@ -57656,7 +57743,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_read_modem" lineno="3228">
+<interface name="dev_read_modem" lineno="3246">
 <summary>
 Read the modem devices.
 </summary>
@@ -57666,7 +57753,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_rw_modem" lineno="3246">
+<interface name="dev_rw_modem" lineno="3264">
 <summary>
 Read and write to modem devices.
 </summary>
@@ -57676,7 +57763,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_getattr_mouse_dev" lineno="3264">
+<interface name="dev_getattr_mouse_dev" lineno="3282">
 <summary>
 Get the attributes of the mouse devices.
 </summary>
@@ -57686,7 +57773,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_setattr_mouse_dev" lineno="3282">
+<interface name="dev_setattr_mouse_dev" lineno="3300">
 <summary>
 Set the attributes of the mouse devices.
 </summary>
@@ -57696,7 +57783,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_read_mouse" lineno="3300">
+<interface name="dev_read_mouse" lineno="3318">
 <summary>
 Read the mouse devices.
 </summary>
@@ -57706,7 +57793,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_rw_mouse" lineno="3318">
+<interface name="dev_rw_mouse" lineno="3336">
 <summary>
 Read and write to mouse devices.
 </summary>
@@ -57716,7 +57803,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_getattr_mtrr_dev" lineno="3337">
+<interface name="dev_getattr_mtrr_dev" lineno="3355">
 <summary>
 Get the attributes of the memory type range
 registers (MTRR) device.
@@ -57727,7 +57814,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_dontaudit_write_mtrr" lineno="3357">
+<interface name="dev_dontaudit_write_mtrr" lineno="3375">
 <summary>
 Do not audit attempts to write the memory type
 range registers (MTRR).
@@ -57738,7 +57825,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="dev_rw_mtrr" lineno="3376">
+<interface name="dev_rw_mtrr" lineno="3394">
 <summary>
 Read and write the memory type range registers (MTRR).
 </summary>
@@ -57748,7 +57835,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_getattr_null_dev" lineno="3395">
+<interface name="dev_getattr_null_dev" lineno="3413">
 <summary>
 Get the attributes of the null device nodes.
 </summary>
@@ -57758,7 +57845,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_setattr_null_dev" lineno="3413">
+<interface name="dev_setattr_null_dev" lineno="3431">
 <summary>
 Set the attributes of the null device nodes.
 </summary>
@@ -57768,7 +57855,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_dontaudit_setattr_null_dev" lineno="3432">
+<interface name="dev_dontaudit_setattr_null_dev" lineno="3450">
 <summary>
 Do not audit attempts to set the attributes of
 the null device nodes.
@@ -57779,7 +57866,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="dev_delete_null" lineno="3450">
+<interface name="dev_delete_null" lineno="3468">
 <summary>
 Delete the null device (/dev/null).
 </summary>
@@ -57789,7 +57876,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_rw_null" lineno="3468">
+<interface name="dev_rw_null" lineno="3486">
 <summary>
 Read and write to the null device (/dev/null).
 </summary>
@@ -57799,7 +57886,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_create_null_dev" lineno="3486">
+<interface name="dev_create_null_dev" lineno="3504">
 <summary>
 Create the null device (/dev/null).
 </summary>
@@ -57809,7 +57896,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_manage_null_service" lineno="3505">
+<interface name="dev_manage_null_service" lineno="3523">
 <summary>
 Manage services with script type null_device_t for when
 /lib/systemd/system/something.service is a link to /dev/null
@@ -57820,7 +57907,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_dontaudit_getattr_nvram_dev" lineno="3525">
+<interface name="dev_dontaudit_getattr_nvram_dev" lineno="3543">
 <summary>
 Do not audit attempts to get the attributes
 of the BIOS non-volatile RAM device.
@@ -57831,7 +57918,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="dev_rw_nvram" lineno="3543">
+<interface name="dev_rw_nvram" lineno="3561">
 <summary>
 Read and write BIOS non-volatile RAM.
 </summary>
@@ -57841,7 +57928,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_getattr_printer_dev" lineno="3561">
+<interface name="dev_getattr_printer_dev" lineno="3579">
 <summary>
 Get the attributes of the printer device nodes.
 </summary>
@@ -57851,7 +57938,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_setattr_printer_dev" lineno="3579">
+<interface name="dev_setattr_printer_dev" lineno="3597">
 <summary>
 Set the attributes of the printer device nodes.
 </summary>
@@ -57861,7 +57948,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_append_printer" lineno="3598">
+<interface name="dev_append_printer" lineno="3616">
 <summary>
 Append the printer device.
 </summary>
@@ -57871,7 +57958,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_rw_printer" lineno="3616">
+<interface name="dev_rw_printer" lineno="3634">
 <summary>
 Read and write the printer device.
 </summary>
@@ -57881,7 +57968,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_getattr_pmqos_dev" lineno="3634">
+<interface name="dev_getattr_pmqos_dev" lineno="3652">
 <summary>
 Get the attributes of PM QoS devices
 </summary>
@@ -57891,7 +57978,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_read_pmqos" lineno="3652">
+<interface name="dev_read_pmqos" lineno="3670">
 <summary>
 Read the PM QoS devices.
 </summary>
@@ -57901,7 +57988,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_rw_pmqos" lineno="3670">
+<interface name="dev_rw_pmqos" lineno="3688">
 <summary>
 Read and write the the PM QoS devices.
 </summary>
@@ -57911,7 +57998,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_getattr_qemu_dev" lineno="3689">
+<interface name="dev_getattr_qemu_dev" lineno="3707">
 <summary>
 Get the attributes of the QEMU
 microcode and id interfaces.
@@ -57922,7 +58009,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_setattr_qemu_dev" lineno="3708">
+<interface name="dev_setattr_qemu_dev" lineno="3726">
 <summary>
 Set the attributes of the QEMU
 microcode and id interfaces.
@@ -57933,7 +58020,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_read_qemu" lineno="3726">
+<interface name="dev_read_qemu" lineno="3744">
 <summary>
 Read the QEMU device
 </summary>
@@ -57943,7 +58030,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_rw_qemu" lineno="3744">
+<interface name="dev_rw_qemu" lineno="3762">
 <summary>
 Read and write the the QEMU device.
 </summary>
@@ -57953,7 +58040,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_read_rand" lineno="3778">
+<interface name="dev_read_rand" lineno="3796">
 <summary>
 Read from random number generator
 devices (e.g., /dev/random).
@@ -57979,7 +58066,7 @@ Domain allowed access.
 </param>
 <infoflow type="read" weight="10"/>
 </interface>
-<interface name="dev_dontaudit_read_rand" lineno="3797">
+<interface name="dev_dontaudit_read_rand" lineno="3815">
 <summary>
 Do not audit attempts to read from random
 number generator devices (e.g., /dev/random)
@@ -57990,7 +58077,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="dev_dontaudit_append_rand" lineno="3816">
+<interface name="dev_dontaudit_append_rand" lineno="3834">
 <summary>
 Do not audit attempts to append to random
 number generator devices (e.g., /dev/random)
@@ -58001,7 +58088,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="dev_write_rand" lineno="3836">
+<interface name="dev_write_rand" lineno="3854">
 <summary>
 Write to the random device (e.g., /dev/random). This adds
 entropy used to generate the random data read from the
@@ -58013,7 +58100,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_create_rand_dev" lineno="3854">
+<interface name="dev_create_rand_dev" lineno="3872">
 <summary>
 Create the random device (/dev/random).
 </summary>
@@ -58023,7 +58110,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_read_realtime_clock" lineno="3872">
+<interface name="dev_read_realtime_clock" lineno="3890">
 <summary>
 Read the realtime clock (/dev/rtc).
 </summary>
@@ -58033,7 +58120,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_write_realtime_clock" lineno="3890">
+<interface name="dev_write_realtime_clock" lineno="3908">
 <summary>
 Set the realtime clock (/dev/rtc).
 </summary>
@@ -58043,7 +58130,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_rw_realtime_clock" lineno="3910">
+<interface name="dev_rw_realtime_clock" lineno="3928">
 <summary>
 Read and set the realtime clock (/dev/rtc).
 </summary>
@@ -58053,7 +58140,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_getattr_scanner_dev" lineno="3925">
+<interface name="dev_getattr_scanner_dev" lineno="3943">
 <summary>
 Get the attributes of the scanner device.
 </summary>
@@ -58063,7 +58150,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_dontaudit_getattr_scanner_dev" lineno="3944">
+<interface name="dev_dontaudit_getattr_scanner_dev" lineno="3962">
 <summary>
 Do not audit attempts to get the attributes of
 the scanner device.
@@ -58074,7 +58161,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="dev_setattr_scanner_dev" lineno="3962">
+<interface name="dev_setattr_scanner_dev" lineno="3980">
 <summary>
 Set the attributes of the scanner device.
 </summary>
@@ -58084,7 +58171,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_dontaudit_setattr_scanner_dev" lineno="3981">
+<interface name="dev_dontaudit_setattr_scanner_dev" lineno="3999">
 <summary>
 Do not audit attempts to set the attributes of
 the scanner device.
@@ -58095,7 +58182,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="dev_rw_scanner" lineno="3999">
+<interface name="dev_rw_scanner" lineno="4017">
 <summary>
 Read and write the scanner device.
 </summary>
@@ -58105,7 +58192,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_getattr_sound_dev" lineno="4017">
+<interface name="dev_getattr_sound_dev" lineno="4035">
 <summary>
 Get the attributes of the sound devices.
 </summary>
@@ -58115,7 +58202,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_setattr_sound_dev" lineno="4035">
+<interface name="dev_setattr_sound_dev" lineno="4053">
 <summary>
 Set the attributes of the sound devices.
 </summary>
@@ -58125,7 +58212,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_read_sound" lineno="4053">
+<interface name="dev_read_sound" lineno="4071">
 <summary>
 Read the sound devices.
 </summary>
@@ -58135,7 +58222,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_write_sound" lineno="4072">
+<interface name="dev_write_sound" lineno="4090">
 <summary>
 Write the sound devices.
 </summary>
@@ -58145,7 +58232,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_read_sound_mixer" lineno="4091">
+<interface name="dev_read_sound_mixer" lineno="4109">
 <summary>
 Read the sound mixer devices.
 </summary>
@@ -58155,7 +58242,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_write_sound_mixer" lineno="4110">
+<interface name="dev_write_sound_mixer" lineno="4128">
 <summary>
 Write the sound mixer devices.
 </summary>
@@ -58165,7 +58252,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_getattr_power_mgmt_dev" lineno="4129">
+<interface name="dev_getattr_power_mgmt_dev" lineno="4147">
 <summary>
 Get the attributes of the the power management device.
 </summary>
@@ -58175,7 +58262,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_setattr_power_mgmt_dev" lineno="4147">
+<interface name="dev_setattr_power_mgmt_dev" lineno="4165">
 <summary>
 Set the attributes of the the power management device.
 </summary>
@@ -58185,7 +58272,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_rw_power_management" lineno="4165">
+<interface name="dev_rw_power_management" lineno="4183">
 <summary>
 Read and write the the power management device.
 </summary>
@@ -58195,7 +58282,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_getattr_smartcard_dev" lineno="4183">
+<interface name="dev_getattr_smartcard_dev" lineno="4201">
 <summary>
 Getattr on smartcard devices
 </summary>
@@ -58205,7 +58292,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_dontaudit_getattr_smartcard_dev" lineno="4202">
+<interface name="dev_dontaudit_getattr_smartcard_dev" lineno="4220">
 <summary>
 dontaudit getattr on smartcard devices
 </summary>
@@ -58215,7 +58302,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="dev_rw_smartcard" lineno="4221">
+<interface name="dev_rw_smartcard" lineno="4239">
 <summary>
 Read and write smartcard devices.
 </summary>
@@ -58225,7 +58312,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_manage_smartcard" lineno="4239">
+<interface name="dev_manage_smartcard" lineno="4257">
 <summary>
 Create, read, write, and delete smartcard devices.
 </summary>
@@ -58235,7 +58322,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_rw_sysdig" lineno="4257">
+<interface name="dev_rw_sysdig" lineno="4275">
 <summary>
 Read, write and map the sysdig device.
 </summary>
@@ -58245,7 +58332,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_mounton_sysfs" lineno="4276">
+<interface name="dev_mounton_sysfs" lineno="4294">
 <summary>
 Mount a filesystem on sysfs.  (Deprecated)
 </summary>
@@ -58255,7 +58342,7 @@ Domain allow access.
 </summary>
 </param>
 </interface>
-<interface name="dev_associate_sysfs" lineno="4291">
+<interface name="dev_associate_sysfs" lineno="4309">
 <summary>
 Associate a file to a sysfs filesystem.
 </summary>
@@ -58265,7 +58352,7 @@ The type of the file to be associated to sysfs.
 </summary>
 </param>
 </interface>
-<interface name="dev_getattr_sysfs_dirs" lineno="4309">
+<interface name="dev_getattr_sysfs_dirs" lineno="4327">
 <summary>
 Get the attributes of sysfs directories.
 </summary>
@@ -58275,7 +58362,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_getattr_sysfs" lineno="4327">
+<interface name="dev_getattr_sysfs" lineno="4345">
 <summary>
 Get the attributes of sysfs filesystem
 </summary>
@@ -58285,7 +58372,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_mount_sysfs" lineno="4345">
+<interface name="dev_mount_sysfs" lineno="4363">
 <summary>
 mount a sysfs filesystem
 </summary>
@@ -58295,7 +58382,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_remount_sysfs" lineno="4363">
+<interface name="dev_remount_sysfs" lineno="4381">
 <summary>
 Remount a sysfs filesystem.
 </summary>
@@ -58305,7 +58392,7 @@ Domain allow access.
 </summary>
 </param>
 </interface>
-<interface name="dev_dontaudit_getattr_sysfs" lineno="4381">
+<interface name="dev_dontaudit_getattr_sysfs" lineno="4399">
 <summary>
 Do not audit getting the attributes of sysfs filesystem
 </summary>
@@ -58315,7 +58402,7 @@ Domain to dontaudit access from
 </summary>
 </param>
 </interface>
-<interface name="dev_dontaudit_read_sysfs" lineno="4399">
+<interface name="dev_dontaudit_read_sysfs" lineno="4417">
 <summary>
 Dont audit attempts to read hardware state information
 </summary>
@@ -58325,7 +58412,7 @@ Domain for which the attempts do not need to be audited
 </summary>
 </param>
 </interface>
-<interface name="dev_mounton_sysfs_dirs" lineno="4419">
+<interface name="dev_mounton_sysfs_dirs" lineno="4437">
 <summary>
 Mount on sysfs directories.
 </summary>
@@ -58335,7 +58422,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_search_sysfs" lineno="4437">
+<interface name="dev_search_sysfs" lineno="4455">
 <summary>
 Search the sysfs directories.
 </summary>
@@ -58345,7 +58432,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_dontaudit_search_sysfs" lineno="4455">
+<interface name="dev_dontaudit_search_sysfs" lineno="4473">
 <summary>
 Do not audit attempts to search sysfs.
 </summary>
@@ -58355,7 +58442,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="dev_list_sysfs" lineno="4473">
+<interface name="dev_list_sysfs" lineno="4491">
 <summary>
 List the contents of the sysfs directories.
 </summary>
@@ -58365,7 +58452,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_write_sysfs_dirs" lineno="4492">
+<interface name="dev_write_sysfs_dirs" lineno="4510">
 <summary>
 Write in a sysfs directories.
 </summary>
@@ -58375,7 +58462,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_dontaudit_write_sysfs_dirs" lineno="4510">
+<interface name="dev_dontaudit_write_sysfs_dirs" lineno="4528">
 <summary>
 Do not audit attempts to write in a sysfs directory.
 </summary>
@@ -58385,7 +58472,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="dev_dontaudit_write_sysfs_files" lineno="4528">
+<interface name="dev_dontaudit_write_sysfs_files" lineno="4546">
 <summary>
 Do not audit attempts to write to a sysfs file.
 </summary>
@@ -58395,7 +58482,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="dev_manage_sysfs_dirs" lineno="4547">
+<interface name="dev_manage_sysfs_dirs" lineno="4565">
 <summary>
 Create, read, write, and delete sysfs
 directories.
@@ -58406,7 +58493,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_read_sysfs" lineno="4574">
+<interface name="dev_read_sysfs" lineno="4592">
 <summary>
 Read hardware state information.
 </summary>
@@ -58425,7 +58512,7 @@ Domain allowed access.
 </param>
 <infoflow type="read" weight="10"/>
 </interface>
-<interface name="dev_write_sysfs" lineno="4602">
+<interface name="dev_write_sysfs" lineno="4620">
 <summary>
 Write to hardware state information.
 </summary>
@@ -58442,7 +58529,7 @@ Domain allowed access.
 </param>
 <infoflow type="read" weight="10"/>
 </interface>
-<interface name="dev_rw_sysfs" lineno="4621">
+<interface name="dev_rw_sysfs" lineno="4639">
 <summary>
 Allow caller to modify hardware state information.
 </summary>
@@ -58452,7 +58539,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_create_sysfs_files" lineno="4642">
+<interface name="dev_create_sysfs_files" lineno="4660">
 <summary>
 Add a sysfs file
 </summary>
@@ -58462,7 +58549,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_relabel_sysfs_dirs" lineno="4660">
+<interface name="dev_relabel_sysfs_dirs" lineno="4678">
 <summary>
 Relabel hardware state directories.
 </summary>
@@ -58472,7 +58559,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_relabel_all_sysfs" lineno="4678">
+<interface name="dev_relabel_all_sysfs" lineno="4696">
 <summary>
 Relabel from/to all sysfs types.
 </summary>
@@ -58482,7 +58569,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_setattr_all_sysfs" lineno="4698">
+<interface name="dev_setattr_all_sysfs" lineno="4716">
 <summary>
 Set the attributes of sysfs files, directories and symlinks.
 </summary>
@@ -58492,7 +58579,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_rw_tpm" lineno="4718">
+<interface name="dev_rw_tpm" lineno="4736">
 <summary>
 Read and write the TPM device.
 </summary>
@@ -58502,7 +58589,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_read_urand" lineno="4759">
+<interface name="dev_read_urand" lineno="4777">
 <summary>
 Read from pseudo random number generator devices (e.g., /dev/urandom).
 </summary>
@@ -58535,7 +58622,7 @@ Domain allowed access.
 </param>
 <infoflow type="read" weight="10"/>
 </interface>
-<interface name="dev_dontaudit_read_urand" lineno="4778">
+<interface name="dev_dontaudit_read_urand" lineno="4796">
 <summary>
 Do not audit attempts to read from pseudo
 random devices (e.g., /dev/urandom)
@@ -58546,7 +58633,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="dev_write_urand" lineno="4797">
+<interface name="dev_write_urand" lineno="4815">
 <summary>
 Write to the pseudo random device (e.g., /dev/urandom). This
 sets the random number generator seed.
@@ -58557,7 +58644,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_create_urand_dev" lineno="4815">
+<interface name="dev_create_urand_dev" lineno="4833">
 <summary>
 Create the urandom device (/dev/urandom).
 </summary>
@@ -58567,7 +58654,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_setattr_urand_dev" lineno="4833">
+<interface name="dev_setattr_urand_dev" lineno="4851">
 <summary>
 Set attributes on the urandom device (/dev/urandom).
 </summary>
@@ -58577,7 +58664,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_getattr_generic_usb_dev" lineno="4851">
+<interface name="dev_getattr_generic_usb_dev" lineno="4869">
 <summary>
 Getattr generic the USB devices.
 </summary>
@@ -58587,7 +58674,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_setattr_generic_usb_dev" lineno="4869">
+<interface name="dev_setattr_generic_usb_dev" lineno="4887">
 <summary>
 Setattr generic the USB devices.
 </summary>
@@ -58597,7 +58684,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_read_generic_usb_dev" lineno="4887">
+<interface name="dev_read_generic_usb_dev" lineno="4905">
 <summary>
 Read generic the USB devices.
 </summary>
@@ -58607,7 +58694,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_rw_generic_usb_dev" lineno="4905">
+<interface name="dev_rw_generic_usb_dev" lineno="4923">
 <summary>
 Read and write generic the USB devices.
 </summary>
@@ -58617,7 +58704,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_relabel_generic_usb_dev" lineno="4923">
+<interface name="dev_relabel_generic_usb_dev" lineno="4941">
 <summary>
 Relabel generic the USB devices.
 </summary>
@@ -58627,7 +58714,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_read_usbmon_dev" lineno="4941">
+<interface name="dev_read_usbmon_dev" lineno="4959">
 <summary>
 Read USB monitor devices.
 </summary>
@@ -58637,7 +58724,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_write_usbmon_dev" lineno="4959">
+<interface name="dev_write_usbmon_dev" lineno="4977">
 <summary>
 Write USB monitor devices.
 </summary>
@@ -58647,7 +58734,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_mount_usbfs" lineno="4977">
+<interface name="dev_mount_usbfs" lineno="4995">
 <summary>
 Mount a usbfs filesystem.
 </summary>
@@ -58657,7 +58744,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_associate_usbfs" lineno="4995">
+<interface name="dev_associate_usbfs" lineno="5013">
 <summary>
 Associate a file to a usbfs filesystem.
 </summary>
@@ -58667,7 +58754,7 @@ The type of the file to be associated to usbfs.
 </summary>
 </param>
 </interface>
-<interface name="dev_getattr_usbfs_dirs" lineno="5013">
+<interface name="dev_getattr_usbfs_dirs" lineno="5031">
 <summary>
 Get the attributes of a directory in the usb filesystem.
 </summary>
@@ -58677,7 +58764,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_dontaudit_getattr_usbfs_dirs" lineno="5032">
+<interface name="dev_dontaudit_getattr_usbfs_dirs" lineno="5050">
 <summary>
 Do not audit attempts to get the attributes
 of a directory in the usb filesystem.
@@ -58688,7 +58775,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="dev_search_usbfs" lineno="5050">
+<interface name="dev_search_usbfs" lineno="5068">
 <summary>
 Search the directory containing USB hardware information.
 </summary>
@@ -58698,7 +58785,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_list_usbfs" lineno="5068">
+<interface name="dev_list_usbfs" lineno="5086">
 <summary>
 Allow caller to get a list of usb hardware.
 </summary>
@@ -58708,7 +58795,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_setattr_usbfs_files" lineno="5089">
+<interface name="dev_setattr_usbfs_files" lineno="5107">
 <summary>
 Set the attributes of usbfs filesystem.
 </summary>
@@ -58718,7 +58805,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_read_usbfs" lineno="5109">
+<interface name="dev_read_usbfs" lineno="5127">
 <summary>
 Read USB hardware information using
 the usbfs filesystem interface.
@@ -58729,7 +58816,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_rw_usbfs" lineno="5129">
+<interface name="dev_rw_usbfs" lineno="5147">
 <summary>
 Allow caller to modify usb hardware configuration files.
 </summary>
@@ -58739,7 +58826,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_getattr_video_dev" lineno="5149">
+<interface name="dev_getattr_video_dev" lineno="5167">
 <summary>
 Get the attributes of video4linux devices.
 </summary>
@@ -58749,7 +58836,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_rw_userio_dev" lineno="5167">
+<interface name="dev_rw_userio_dev" lineno="5185">
 <summary>
 Read and write userio device.
 </summary>
@@ -58759,7 +58846,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_dontaudit_getattr_video_dev" lineno="5186">
+<interface name="dev_dontaudit_getattr_video_dev" lineno="5204">
 <summary>
 Do not audit attempts to get the attributes
 of video4linux device nodes.
@@ -58770,7 +58857,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="dev_setattr_video_dev" lineno="5204">
+<interface name="dev_setattr_video_dev" lineno="5222">
 <summary>
 Set the attributes of video4linux device nodes.
 </summary>
@@ -58780,7 +58867,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_dontaudit_setattr_video_dev" lineno="5223">
+<interface name="dev_dontaudit_setattr_video_dev" lineno="5241">
 <summary>
 Do not audit attempts to set the attributes
 of video4linux device nodes.
@@ -58791,7 +58878,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="dev_read_video_dev" lineno="5241">
+<interface name="dev_read_video_dev" lineno="5259">
 <summary>
 Read the video4linux devices.
 </summary>
@@ -58801,7 +58888,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_write_video_dev" lineno="5259">
+<interface name="dev_write_video_dev" lineno="5277">
 <summary>
 Write the video4linux devices.
 </summary>
@@ -58811,7 +58898,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_rw_vfio_dev" lineno="5277">
+<interface name="dev_rw_vfio_dev" lineno="5295">
 <summary>
 Read and write vfio devices.
 </summary>
@@ -58821,7 +58908,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_relabelfrom_vfio_dev" lineno="5295">
+<interface name="dev_relabelfrom_vfio_dev" lineno="5313">
 <summary>
 Relabel vfio devices.
 </summary>
@@ -58831,7 +58918,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_rw_vhost" lineno="5313">
+<interface name="dev_rw_vhost" lineno="5331">
 <summary>
 Allow read/write the vhost devices
 </summary>
@@ -58841,7 +58928,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_rw_vmware" lineno="5331">
+<interface name="dev_rw_vmware" lineno="5349">
 <summary>
 Read and write VMWare devices.
 </summary>
@@ -58851,7 +58938,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_rwx_vmware" lineno="5349">
+<interface name="dev_rwx_vmware" lineno="5367">
 <summary>
 Read, write, and mmap VMWare devices.
 </summary>
@@ -58861,7 +58948,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_read_watchdog" lineno="5368">
+<interface name="dev_read_watchdog" lineno="5386">
 <summary>
 Read from watchdog devices.
 </summary>
@@ -58871,7 +58958,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_write_watchdog" lineno="5386">
+<interface name="dev_write_watchdog" lineno="5404">
 <summary>
 Write to watchdog devices.
 </summary>
@@ -58881,7 +58968,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_read_wireless" lineno="5404">
+<interface name="dev_read_wireless" lineno="5422">
 <summary>
 Read the wireless device.
 </summary>
@@ -58891,7 +58978,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_rw_wireless" lineno="5422">
+<interface name="dev_rw_wireless" lineno="5440">
 <summary>
 Read and write the the wireless device.
 </summary>
@@ -58901,7 +58988,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_manage_wireless" lineno="5440">
+<interface name="dev_manage_wireless" lineno="5458">
 <summary>
 manage the wireless device.
 </summary>
@@ -58911,7 +58998,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_rw_xen" lineno="5458">
+<interface name="dev_rw_xen" lineno="5476">
 <summary>
 Read and write Xen devices.
 </summary>
@@ -58921,7 +59008,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_manage_xen" lineno="5477">
+<interface name="dev_manage_xen" lineno="5495">
 <summary>
 Create, read, write, and delete Xen devices.
 </summary>
@@ -58931,7 +59018,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_filetrans_xen" lineno="5501">
+<interface name="dev_filetrans_xen" lineno="5519">
 <summary>
 Automatic type transition to the type
 for xen device nodes when created in /dev.
@@ -58947,7 +59034,7 @@ The name of the object being created.
 </summary>
 </param>
 </interface>
-<interface name="dev_getattr_xserver_misc_dev" lineno="5519">
+<interface name="dev_getattr_xserver_misc_dev" lineno="5537">
 <summary>
 Get the attributes of X server miscellaneous devices.
 </summary>
@@ -58957,7 +59044,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_setattr_xserver_misc_dev" lineno="5537">
+<interface name="dev_setattr_xserver_misc_dev" lineno="5555">
 <summary>
 Set the attributes of X server miscellaneous devices.
 </summary>
@@ -58967,7 +59054,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_rw_xserver_misc" lineno="5555">
+<interface name="dev_rw_xserver_misc" lineno="5573">
 <summary>
 Read and write X server miscellaneous devices.
 </summary>
@@ -58977,7 +59064,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_map_xserver_misc" lineno="5573">
+<interface name="dev_map_xserver_misc" lineno="5591">
 <summary>
 Map X server miscellaneous devices.
 </summary>
@@ -58987,7 +59074,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_rw_zero" lineno="5591">
+<interface name="dev_rw_zero" lineno="5609">
 <summary>
 Read and write to the zero device (/dev/zero).
 </summary>
@@ -58997,7 +59084,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_rwx_zero" lineno="5609">
+<interface name="dev_rwx_zero" lineno="5627">
 <summary>
 Read, write, and execute the zero device (/dev/zero).
 </summary>
@@ -59007,7 +59094,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_execmod_zero" lineno="5628">
+<interface name="dev_execmod_zero" lineno="5646">
 <summary>
 Execmod the zero device (/dev/zero).
 </summary>
@@ -59017,7 +59104,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_create_zero_dev" lineno="5647">
+<interface name="dev_create_zero_dev" lineno="5665">
 <summary>
 Create the zero device (/dev/zero).
 </summary>
@@ -59027,7 +59114,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_read_cpu_online" lineno="5670">
+<interface name="dev_read_cpu_online" lineno="5688">
 <summary>
 Read cpu online hardware state information
 </summary>
@@ -59042,7 +59129,17 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_unconfined" lineno="5690">
+<interface name="dev_rw_gpiochip" lineno="5708">
+<summary>
+Read and write to the gpiochip device, /dev/gpiochip[0-9]
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_unconfined" lineno="5726">
 <summary>
 Unconfined access to devices.
 </summary>
@@ -59052,7 +59149,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_relabel_cpu_online" lineno="5710">
+<interface name="dev_relabel_cpu_online" lineno="5746">
 <summary>
 Relabel cpu online hardware state information.
 </summary>
@@ -59062,7 +59159,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_dontaudit_read_usbmon_dev" lineno="5729">
+<interface name="dev_dontaudit_read_usbmon_dev" lineno="5765">
 <summary>
 Dont audit attempts to read usbmon devices
 </summary>
@@ -60339,7 +60436,17 @@ The type to be transformed.
 </summary>
 </param>
 </interface>
-<interface name="files_getattr_all_dirs" lineno="447">
+<interface name="files_dontaudit_getattr_all_tmpfs_files" lineno="447">
+<summary>
+dontaudit getattr on tmpfs files
+</summary>
+<param name="domain">
+<summary>
+Domain to not have stat on tmpfs files audited
+</summary>
+</param>
+</interface>
+<interface name="files_getattr_all_dirs" lineno="465">
 <summary>
 Get the attributes of all directories.
 </summary>
@@ -60349,7 +60456,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_dontaudit_getattr_all_dirs" lineno="466">
+<interface name="files_dontaudit_getattr_all_dirs" lineno="484">
 <summary>
 Do not audit attempts to get the attributes
 of all directories.
@@ -60360,7 +60467,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="files_list_non_security" lineno="484">
+<interface name="files_list_non_security" lineno="502">
 <summary>
 List all non-security directories.
 </summary>
@@ -60370,7 +60477,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_dontaudit_list_non_security" lineno="503">
+<interface name="files_dontaudit_list_non_security" lineno="521">
 <summary>
 Do not audit attempts to list all
 non-security directories.
@@ -60381,7 +60488,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="files_mounton_non_security" lineno="522">
+<interface name="files_mounton_non_security" lineno="540">
 <summary>
 Mount a filesystem on all non-security
 directories and files.
@@ -60392,7 +60499,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_write_non_security_dirs" lineno="541">
+<interface name="files_write_non_security_dirs" lineno="559">
 <summary>
 Allow attempts to modify any directory
 </summary>
@@ -60402,7 +60509,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_manage_non_security_dirs" lineno="559">
+<interface name="files_manage_non_security_dirs" lineno="577">
 <summary>
 Allow attempts to manage non-security directories
 </summary>
@@ -60412,7 +60519,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_create_non_security_dirs" lineno="577">
+<interface name="files_create_non_security_dirs" lineno="595">
 <summary>
 Create non-security directories.
 </summary>
@@ -60422,7 +60529,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_relabel_non_security_dirs" lineno="595">
+<interface name="files_relabel_non_security_dirs" lineno="613">
 <summary>
 Relabel from/to non-security directories.
 </summary>
@@ -60432,7 +60539,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_getattr_all_files" lineno="613">
+<interface name="files_getattr_all_files" lineno="631">
 <summary>
 Get the attributes of all files.
 </summary>
@@ -60442,7 +60549,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_dontaudit_getattr_all_files" lineno="633">
+<interface name="files_dontaudit_getattr_all_files" lineno="651">
 <summary>
 Do not audit attempts to get the attributes
 of all files.
@@ -60453,7 +60560,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="files_dontaudit_getattr_non_security_files" lineno="652">
+<interface name="files_dontaudit_getattr_non_security_files" lineno="670">
 <summary>
 Do not audit attempts to get the attributes
 of non security files.
@@ -60464,7 +60571,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="files_manage_non_security_files" lineno="671">
+<interface name="files_manage_non_security_files" lineno="689">
 <summary>
 Create, read, write, and delete all non-security files.
 </summary>
@@ -60475,7 +60582,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="files_relabel_non_security_files" lineno="690">
+<interface name="files_relabel_non_security_files" lineno="708">
 <summary>
 Relabel from/to all non-security files.
 </summary>
@@ -60486,7 +60593,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="files_read_all_files" lineno="708">
+<interface name="files_read_all_files" lineno="726">
 <summary>
 Read all files.
 </summary>
@@ -60496,7 +60603,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_execmod_all_files" lineno="739">
+<interface name="files_execmod_all_files" lineno="757">
 <summary>
 Allow shared library text relocations in all files.
 </summary>
@@ -60514,7 +60621,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_read_non_security_files" lineno="758">
+<interface name="files_read_non_security_files" lineno="776">
 <summary>
 Read all non-security files.
 </summary>
@@ -60525,7 +60632,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="files_write_non_security_files" lineno="778">
+<interface name="files_write_non_security_files" lineno="796">
 <summary>
 Write all non-security files.
 </summary>
@@ -60536,7 +60643,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="files_create_non_security_files" lineno="798">
+<interface name="files_create_non_security_files" lineno="816">
 <summary>
 Create all non-security files.
 </summary>
@@ -60547,7 +60654,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="files_read_all_dirs_except" lineno="824">
+<interface name="files_read_all_dirs_except" lineno="842">
 <summary>
 Read all directories on the filesystem, except
 the listed exceptions.
@@ -60564,7 +60671,7 @@ must be negated by the caller.
 </summary>
 </param>
 </interface>
-<interface name="files_read_all_files_except" lineno="849">
+<interface name="files_read_all_files_except" lineno="867">
 <summary>
 Read all files on the filesystem, except
 the listed exceptions.
@@ -60581,7 +60688,7 @@ must be negated by the caller.
 </summary>
 </param>
 </interface>
-<interface name="files_read_all_symlinks_except" lineno="874">
+<interface name="files_read_all_symlinks_except" lineno="892">
 <summary>
 Read all symbolic links on the filesystem, except
 the listed exceptions.
@@ -60598,7 +60705,7 @@ must be negated by the caller.
 </summary>
 </param>
 </interface>
-<interface name="files_getattr_all_symlinks" lineno="892">
+<interface name="files_getattr_all_symlinks" lineno="910">
 <summary>
 Get the attributes of all symbolic links.
 </summary>
@@ -60608,7 +60715,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_dontaudit_getattr_all_symlinks" lineno="911">
+<interface name="files_dontaudit_getattr_all_symlinks" lineno="929">
 <summary>
 Do not audit attempts to get the attributes
 of all symbolic links.
@@ -60619,7 +60726,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="files_dontaudit_read_all_symlinks" lineno="929">
+<interface name="files_dontaudit_read_all_symlinks" lineno="947">
 <summary>
 Do not audit attempts to read all symbolic links.
 </summary>
@@ -60629,7 +60736,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="files_dontaudit_getattr_non_security_symlinks" lineno="948">
+<interface name="files_dontaudit_getattr_non_security_symlinks" lineno="966">
 <summary>
 Do not audit attempts to get the attributes
 of non security symbolic links.
@@ -60640,7 +60747,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="files_dontaudit_getattr_non_security_blk_files" lineno="967">
+<interface name="files_dontaudit_getattr_non_security_blk_files" lineno="985">
 <summary>
 Do not audit attempts to get the attributes
 of non security block devices.
@@ -60651,7 +60758,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="files_dontaudit_getattr_non_security_chr_files" lineno="986">
+<interface name="files_dontaudit_getattr_non_security_chr_files" lineno="1004">
 <summary>
 Do not audit attempts to get the attributes
 of non security character devices.
@@ -60662,7 +60769,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="files_read_all_symlinks" lineno="1005">
+<interface name="files_read_all_symlinks" lineno="1023">
 <summary>
 Read all symbolic links.
 </summary>
@@ -60673,7 +60780,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="files_getattr_all_pipes" lineno="1024">
+<interface name="files_getattr_all_pipes" lineno="1042">
 <summary>
 Get the attributes of all named pipes.
 </summary>
@@ -60683,7 +60790,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_dontaudit_getattr_all_pipes" lineno="1044">
+<interface name="files_dontaudit_getattr_all_pipes" lineno="1062">
 <summary>
 Do not audit attempts to get the attributes
 of all named pipes.
@@ -60694,7 +60801,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="files_dontaudit_getattr_non_security_pipes" lineno="1063">
+<interface name="files_dontaudit_getattr_non_security_pipes" lineno="1081">
 <summary>
 Do not audit attempts to get the attributes
 of non security named pipes.
@@ -60705,7 +60812,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="files_getattr_all_sockets" lineno="1081">
+<interface name="files_getattr_all_sockets" lineno="1099">
 <summary>
 Get the attributes of all named sockets.
 </summary>
@@ -60715,7 +60822,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_dontaudit_getattr_all_sockets" lineno="1101">
+<interface name="files_dontaudit_getattr_all_sockets" lineno="1119">
 <summary>
 Do not audit attempts to get the attributes
 of all named sockets.
@@ -60726,7 +60833,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="files_dontaudit_getattr_non_security_sockets" lineno="1120">
+<interface name="files_dontaudit_getattr_non_security_sockets" lineno="1138">
 <summary>
 Do not audit attempts to get the attributes
 of non security named sockets.
@@ -60737,7 +60844,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="files_read_all_blk_files" lineno="1138">
+<interface name="files_read_all_blk_files" lineno="1156">
 <summary>
 Read all block nodes with file types.
 </summary>
@@ -60747,7 +60854,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_read_all_chr_files" lineno="1156">
+<interface name="files_read_all_chr_files" lineno="1174">
 <summary>
 Read all character nodes with file types.
 </summary>
@@ -60757,7 +60864,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_relabel_all_files" lineno="1182">
+<interface name="files_relabel_all_files" lineno="1200">
 <summary>
 Relabel all files on the filesystem, except
 the listed exceptions.
@@ -60775,7 +60882,7 @@ must be negated by the caller.
 </param>
 <rolecap/>
 </interface>
-<interface name="files_rw_all_files" lineno="1220">
+<interface name="files_rw_all_files" lineno="1238">
 <summary>
 rw all files on the filesystem, except
 the listed exceptions.
@@ -60793,7 +60900,7 @@ must be negated by the caller.
 </param>
 <rolecap/>
 </interface>
-<interface name="files_manage_all_files" lineno="1246">
+<interface name="files_manage_all_files" lineno="1264">
 <summary>
 Manage all files on the filesystem, except
 the listed exceptions.
@@ -60811,7 +60918,7 @@ must be negated by the caller.
 </param>
 <rolecap/>
 </interface>
-<interface name="files_search_all" lineno="1269">
+<interface name="files_search_all" lineno="1287">
 <summary>
 Search the contents of all directories on
 extended attribute filesystems.
@@ -60822,7 +60929,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_list_all" lineno="1288">
+<interface name="files_list_all" lineno="1306">
 <summary>
 List the contents of all directories on
 extended attribute filesystems.
@@ -60833,7 +60940,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_create_all_files_as" lineno="1306">
+<interface name="files_create_all_files_as" lineno="1324">
 <summary>
 Create all files as is.
 </summary>
@@ -60843,7 +60950,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_dontaudit_search_all_dirs" lineno="1326">
+<interface name="files_dontaudit_search_all_dirs" lineno="1344">
 <summary>
 Do not audit attempts to search the
 contents of any directories on extended
@@ -60855,7 +60962,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="files_getattr_all_file_type_fs" lineno="1349">
+<interface name="files_getattr_all_file_type_fs" lineno="1367">
 <summary>
 Get the attributes of all filesystems
 with the type of a file.
@@ -60866,7 +60973,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_relabelto_all_file_type_fs" lineno="1367">
+<interface name="files_relabelto_all_file_type_fs" lineno="1385">
 <summary>
 Relabel a filesystem to the type of a file.
 </summary>
@@ -60876,7 +60983,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_relabel_all_file_type_fs" lineno="1385">
+<interface name="files_relabel_all_file_type_fs" lineno="1403">
 <summary>
 Relabel a filesystem to and from the type of a file.
 </summary>
@@ -60886,7 +60993,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_mount_all_file_type_fs" lineno="1403">
+<interface name="files_mount_all_file_type_fs" lineno="1421">
 <summary>
 Mount all filesystems with the type of a file.
 </summary>
@@ -60896,7 +61003,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_unmount_all_file_type_fs" lineno="1421">
+<interface name="files_unmount_all_file_type_fs" lineno="1439">
 <summary>
 Unmount all filesystems with the type of a file.
 </summary>
@@ -60906,7 +61013,17 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_list_non_auth_dirs" lineno="1440">
+<interface name="files_watch_all_dirs" lineno="1457">
+<summary>
+watch all directories of file_type
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_list_non_auth_dirs" lineno="1477">
 <summary>
 Read all non-authentication related
 directories.
@@ -60917,7 +61034,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_read_non_auth_files" lineno="1459">
+<interface name="files_read_non_auth_files" lineno="1496">
 <summary>
 Read all non-authentication related
 files.
@@ -60928,7 +61045,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_read_non_auth_symlinks" lineno="1478">
+<interface name="files_read_non_auth_symlinks" lineno="1515">
 <summary>
 Read all non-authentication related
 symbolic links.
@@ -60939,7 +61056,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_rw_non_auth_files" lineno="1496">
+<interface name="files_rw_non_auth_files" lineno="1533">
 <summary>
 rw non-authentication related files.
 </summary>
@@ -60949,7 +61066,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_manage_non_auth_files" lineno="1516">
+<interface name="files_manage_non_auth_files" lineno="1553">
 <summary>
 Manage non-authentication related
 files.
@@ -60961,7 +61078,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="files_map_non_auth_files" lineno="1540">
+<interface name="files_map_non_auth_files" lineno="1577">
 <summary>
 Mmap non-authentication related
 files.
@@ -60973,7 +61090,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="files_relabel_non_auth_files" lineno="1560">
+<interface name="files_relabel_non_auth_files" lineno="1597">
 <summary>
 Relabel all non-authentication related
 files.
@@ -60985,7 +61102,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="files_manage_config_dirs" lineno="1593">
+<interface name="files_manage_config_dirs" lineno="1630">
 <summary>
 Manage all configuration directories on filesystem
 </summary>
@@ -60996,7 +61113,7 @@ Domain allowed access.
 </param>
 
 </interface>
-<interface name="files_relabel_config_dirs" lineno="1612">
+<interface name="files_relabel_config_dirs" lineno="1649">
 <summary>
 Relabel configuration directories
 </summary>
@@ -61007,7 +61124,7 @@ Domain allowed access.
 </param>
 
 </interface>
-<interface name="files_dontaudit_relabel_config_dirs" lineno="1631">
+<interface name="files_dontaudit_relabel_config_dirs" lineno="1668">
 <summary>
 Do not audit attempts to relabel configuration directories
 </summary>
@@ -61018,7 +61135,7 @@ Domain not to audit.
 </param>
 
 </interface>
-<interface name="files_read_config_files" lineno="1649">
+<interface name="files_read_config_files" lineno="1686">
 <summary>
 Read config files in /etc.
 </summary>
@@ -61028,7 +61145,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_manage_config_files" lineno="1670">
+<interface name="files_manage_config_files" lineno="1707">
 <summary>
 Manage all configuration files on filesystem
 </summary>
@@ -61039,7 +61156,7 @@ Domain allowed access.
 </param>
 
 </interface>
-<interface name="files_relabel_config_files" lineno="1689">
+<interface name="files_relabel_config_files" lineno="1726">
 <summary>
 Relabel configuration files
 </summary>
@@ -61050,7 +61167,7 @@ Domain allowed access.
 </param>
 
 </interface>
-<interface name="files_dontaudit_relabel_config_files" lineno="1708">
+<interface name="files_dontaudit_relabel_config_files" lineno="1745">
 <summary>
 Do not audit attempts to relabel configuration files
 </summary>
@@ -61061,7 +61178,7 @@ Domain not to audit.
 </param>
 
 </interface>
-<interface name="files_relabel_config_symlinks" lineno="1727">
+<interface name="files_relabel_config_symlinks" lineno="1764">
 <summary>
 Relabel configuration symlinks.
 </summary>
@@ -61072,7 +61189,7 @@ Domain allowed access.
 </param>
 
 </interface>
-<interface name="files_mounton_all_mountpoints" lineno="1745">
+<interface name="files_mounton_all_mountpoints" lineno="1782">
 <summary>
 Mount a filesystem on all mount points.
 </summary>
@@ -61082,7 +61199,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_getattr_all_mountpoints" lineno="1766">
+<interface name="files_getattr_all_mountpoints" lineno="1803">
 <summary>
 Get the attributes of all mount points.
 </summary>
@@ -61092,7 +61209,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_setattr_all_mountpoints" lineno="1784">
+<interface name="files_setattr_all_mountpoints" lineno="1821">
 <summary>
 Set the attributes of all mount points.
 </summary>
@@ -61102,7 +61219,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_dontaudit_setattr_all_mountpoints" lineno="1802">
+<interface name="files_dontaudit_setattr_all_mountpoints" lineno="1839">
 <summary>
 Do not audit attempts to set the attributes on all mount points.
 </summary>
@@ -61112,7 +61229,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="files_search_all_mountpoints" lineno="1820">
+<interface name="files_search_all_mountpoints" lineno="1857">
 <summary>
 Search all mount points.
 </summary>
@@ -61122,7 +61239,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_dontaudit_search_all_mountpoints" lineno="1838">
+<interface name="files_dontaudit_search_all_mountpoints" lineno="1875">
 <summary>
 Do not audit searching of all mount points.
 </summary>
@@ -61132,7 +61249,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="files_list_all_mountpoints" lineno="1856">
+<interface name="files_list_all_mountpoints" lineno="1893">
 <summary>
 List all mount points.
 </summary>
@@ -61142,7 +61259,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_dontaudit_list_all_mountpoints" lineno="1874">
+<interface name="files_dontaudit_list_all_mountpoints" lineno="1911">
 <summary>
 Do not audit listing of all mount points.
 </summary>
@@ -61152,7 +61269,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="files_watch_all_mountpoints" lineno="1892">
+<interface name="files_watch_all_mountpoints" lineno="1929">
 <summary>
 Watch all mountpoints.
 </summary>
@@ -61162,7 +61279,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_watch_all_mount_perm" lineno="1910">
+<interface name="files_watch_all_mount_perm" lineno="1947">
 <summary>
 Watch all mountpoints.
 </summary>
@@ -61172,7 +61289,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_write_all_mountpoints" lineno="1928">
+<interface name="files_write_all_mountpoints" lineno="1965">
 <summary>
 Check if all mountpoints are writable.
 </summary>
@@ -61182,7 +61299,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_dontaudit_write_all_mountpoints" lineno="1946">
+<interface name="files_dontaudit_write_all_mountpoints" lineno="1983">
 <summary>
 Do not audit attempts to write to mount points.
 </summary>
@@ -61192,7 +61309,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="files_list_root" lineno="1964">
+<interface name="files_list_root" lineno="2001">
 <summary>
 List the contents of the root directory.
 </summary>
@@ -61202,7 +61319,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_delete_root_symlinks" lineno="1984">
+<interface name="files_delete_root_symlinks" lineno="2021">
 <summary>
 Delete symbolic links in the
 root directory.
@@ -61213,7 +61330,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_dontaudit_write_root_dirs" lineno="2002">
+<interface name="files_dontaudit_write_root_dirs" lineno="2039">
 <summary>
 Do not audit attempts to write to / dirs.
 </summary>
@@ -61223,7 +61340,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="files_dontaudit_rw_root_dir" lineno="2021">
+<interface name="files_dontaudit_rw_root_dir" lineno="2058">
 <summary>
 Do not audit attempts to write
 files in the root directory.
@@ -61234,7 +61351,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="files_watch_root_dirs" lineno="2039">
+<interface name="files_watch_root_dirs" lineno="2076">
 <summary>
 Watch the root directory.
 </summary>
@@ -61244,7 +61361,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_root_filetrans" lineno="2073">
+<interface name="files_root_filetrans" lineno="2110">
 <summary>
 Create an object in the root directory, with a private
 type using a type transition.
@@ -61270,7 +61387,7 @@ The name of the object being created.
 </summary>
 </param>
 </interface>
-<interface name="files_dontaudit_read_root_files" lineno="2092">
+<interface name="files_dontaudit_read_root_files" lineno="2129">
 <summary>
 Do not audit attempts to read files in
 the root directory.
@@ -61281,7 +61398,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="files_dontaudit_rw_root_files" lineno="2111">
+<interface name="files_dontaudit_rw_root_files" lineno="2148">
 <summary>
 Do not audit attempts to read or write
 files in the root directory.
@@ -61292,7 +61409,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="files_dontaudit_rw_root_chr_files" lineno="2130">
+<interface name="files_dontaudit_rw_root_chr_files" lineno="2167">
 <summary>
 Do not audit attempts to read or write
 character device nodes in the root directory.
@@ -61303,7 +61420,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="files_delete_root_chr_files" lineno="2149">
+<interface name="files_delete_root_chr_files" lineno="2186">
 <summary>
 Delete character device nodes in
 the root directory.
@@ -61314,7 +61431,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_delete_root_files" lineno="2167">
+<interface name="files_delete_root_files" lineno="2204">
 <summary>
 Delete files in the root directory.
 </summary>
@@ -61324,7 +61441,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_exec_root_files" lineno="2185">
+<interface name="files_exec_root_files" lineno="2222">
 <summary>
 Execute files in the root directory.
 </summary>
@@ -61334,7 +61451,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_delete_root_dir_entry" lineno="2203">
+<interface name="files_delete_root_dir_entry" lineno="2240">
 <summary>
 Remove entries from the root directory.
 </summary>
@@ -61344,7 +61461,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_manage_root_dir" lineno="2221">
+<interface name="files_manage_root_dir" lineno="2258">
 <summary>
 Manage the root directory.
 </summary>
@@ -61354,7 +61471,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_getattr_rootfs" lineno="2240">
+<interface name="files_getattr_rootfs" lineno="2277">
 <summary>
 Get the attributes of a rootfs
 file system.
@@ -61365,7 +61482,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_associate_rootfs" lineno="2258">
+<interface name="files_associate_rootfs" lineno="2295">
 <summary>
 Associate to root file system.
 </summary>
@@ -61375,7 +61492,7 @@ Type of the file to associate.
 </summary>
 </param>
 </interface>
-<interface name="files_relabel_rootfs" lineno="2276">
+<interface name="files_relabel_rootfs" lineno="2313">
 <summary>
 Relabel to and from rootfs file system.
 </summary>
@@ -61385,7 +61502,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_unmount_rootfs" lineno="2294">
+<interface name="files_unmount_rootfs" lineno="2331">
 <summary>
 Unmount a rootfs filesystem.
 </summary>
@@ -61395,7 +61512,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_mounton_root" lineno="2312">
+<interface name="files_mounton_root" lineno="2349">
 <summary>
 Mount on the root directory (/)
 </summary>
@@ -61405,7 +61522,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_getattr_boot_fs" lineno="2331">
+<interface name="files_getattr_boot_fs" lineno="2368">
 <summary>
 Get the attributes of a filesystem
 mounted on /boot.
@@ -61416,7 +61533,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_remount_boot" lineno="2349">
+<interface name="files_remount_boot" lineno="2386">
 <summary>
 Remount a filesystem mounted on /boot.
 </summary>
@@ -61426,7 +61543,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_getattr_boot_dirs" lineno="2367">
+<interface name="files_getattr_boot_dirs" lineno="2404">
 <summary>
 Get attributes of the /boot directory.
 </summary>
@@ -61436,7 +61553,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_dontaudit_getattr_boot_dirs" lineno="2386">
+<interface name="files_dontaudit_getattr_boot_dirs" lineno="2423">
 <summary>
 Do not audit attempts to get attributes
 of the /boot directory.
@@ -61447,7 +61564,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="files_search_boot" lineno="2404">
+<interface name="files_search_boot" lineno="2441">
 <summary>
 Search the /boot directory.
 </summary>
@@ -61457,7 +61574,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_dontaudit_search_boot" lineno="2422">
+<interface name="files_dontaudit_search_boot" lineno="2459">
 <summary>
 Do not audit attempts to search the /boot directory.
 </summary>
@@ -61467,7 +61584,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="files_list_boot" lineno="2440">
+<interface name="files_list_boot" lineno="2477">
 <summary>
 List the /boot directory.
 </summary>
@@ -61477,7 +61594,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_dontaudit_list_boot" lineno="2458">
+<interface name="files_dontaudit_list_boot" lineno="2495">
 <summary>
 Do not audit attempts to list the /boot directory.
 </summary>
@@ -61487,7 +61604,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_create_boot_dirs" lineno="2476">
+<interface name="files_create_boot_dirs" lineno="2513">
 <summary>
 Create directories in /boot
 </summary>
@@ -61497,7 +61614,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_manage_boot_dirs" lineno="2495">
+<interface name="files_manage_boot_dirs" lineno="2532">
 <summary>
 Create, read, write, and delete
 directories in /boot.
@@ -61508,7 +61625,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_boot_filetrans" lineno="2529">
+<interface name="files_boot_filetrans" lineno="2566">
 <summary>
 Create a private type object in boot
 with an automatic type transition
@@ -61534,7 +61651,7 @@ The name of the object being created.
 </summary>
 </param>
 </interface>
-<interface name="files_read_boot_files" lineno="2548">
+<interface name="files_read_boot_files" lineno="2585">
 <summary>
 read files in the /boot directory.
 </summary>
@@ -61545,7 +61662,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="files_manage_boot_files" lineno="2568">
+<interface name="files_manage_boot_files" lineno="2605">
 <summary>
 Create, read, write, and delete files
 in the /boot directory.
@@ -61557,7 +61674,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="files_relabelfrom_boot_files" lineno="2586">
+<interface name="files_relabelfrom_boot_files" lineno="2623">
 <summary>
 Relabel from files in the /boot directory.
 </summary>
@@ -61567,7 +61684,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_read_boot_symlinks" lineno="2604">
+<interface name="files_read_boot_symlinks" lineno="2641">
 <summary>
 Read symbolic links in the /boot directory.
 </summary>
@@ -61577,7 +61694,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_rw_boot_symlinks" lineno="2623">
+<interface name="files_rw_boot_symlinks" lineno="2660">
 <summary>
 Read and write symbolic links
 in the /boot directory.
@@ -61588,7 +61705,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_manage_boot_symlinks" lineno="2643">
+<interface name="files_manage_boot_symlinks" lineno="2680">
 <summary>
 Create, read, write, and delete symbolic links
 in the /boot directory.
@@ -61599,7 +61716,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_read_kernel_img" lineno="2661">
+<interface name="files_read_kernel_img" lineno="2698">
 <summary>
 Read kernel files in the /boot directory.
 </summary>
@@ -61609,7 +61726,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_create_kernel_img" lineno="2682">
+<interface name="files_create_kernel_img" lineno="2719">
 <summary>
 Install a kernel into the /boot directory.
 </summary>
@@ -61620,7 +61737,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="files_delete_kernel" lineno="2702">
+<interface name="files_delete_kernel" lineno="2739">
 <summary>
 Delete a kernel from /boot.
 </summary>
@@ -61631,7 +61748,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="files_getattr_default_dirs" lineno="2720">
+<interface name="files_getattr_default_dirs" lineno="2757">
 <summary>
 Getattr of directories with the default file type.
 </summary>
@@ -61641,7 +61758,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_dontaudit_getattr_default_dirs" lineno="2739">
+<interface name="files_dontaudit_getattr_default_dirs" lineno="2776">
 <summary>
 Do not audit attempts to get the attributes of
 directories with the default file type.
@@ -61652,7 +61769,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="files_search_default" lineno="2757">
+<interface name="files_search_default" lineno="2794">
 <summary>
 Search the contents of directories with the default file type.
 </summary>
@@ -61662,7 +61779,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_list_default" lineno="2775">
+<interface name="files_list_default" lineno="2812">
 <summary>
 List contents of directories with the default file type.
 </summary>
@@ -61672,7 +61789,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_dontaudit_list_default" lineno="2794">
+<interface name="files_dontaudit_list_default" lineno="2831">
 <summary>
 Do not audit attempts to list contents of
 directories with the default file type.
@@ -61683,7 +61800,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="files_manage_default_dirs" lineno="2813">
+<interface name="files_manage_default_dirs" lineno="2850">
 <summary>
 Create, read, write, and delete directories with
 the default file type.
@@ -61694,7 +61811,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_mounton_default" lineno="2831">
+<interface name="files_mounton_default" lineno="2868">
 <summary>
 Mount a filesystem on a directory with the default file type.
 </summary>
@@ -61704,7 +61821,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_dontaudit_getattr_default_files" lineno="2850">
+<interface name="files_dontaudit_getattr_default_files" lineno="2887">
 <summary>
 Do not audit attempts to get the attributes of
 files with the default file type.
@@ -61715,7 +61832,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="files_read_default_files" lineno="2868">
+<interface name="files_read_default_files" lineno="2905">
 <summary>
 Read files with the default file type.
 </summary>
@@ -61725,7 +61842,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_dontaudit_read_default_files" lineno="2887">
+<interface name="files_dontaudit_read_default_files" lineno="2924">
 <summary>
 Do not audit attempts to read files
 with the default file type.
@@ -61736,7 +61853,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="files_manage_default_files" lineno="2906">
+<interface name="files_manage_default_files" lineno="2943">
 <summary>
 Create, read, write, and delete files with
 the default file type.
@@ -61747,7 +61864,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_read_default_symlinks" lineno="2924">
+<interface name="files_read_default_symlinks" lineno="2961">
 <summary>
 Read symbolic links with the default file type.
 </summary>
@@ -61757,7 +61874,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_read_default_sockets" lineno="2942">
+<interface name="files_read_default_sockets" lineno="2979">
 <summary>
 Read sockets with the default file type.
 </summary>
@@ -61767,7 +61884,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_read_default_pipes" lineno="2960">
+<interface name="files_read_default_pipes" lineno="2997">
 <summary>
 Read named pipes with the default file type.
 </summary>
@@ -61777,7 +61894,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_search_etc" lineno="2978">
+<interface name="files_search_etc" lineno="3015">
 <summary>
 Search the contents of /etc directories.
 </summary>
@@ -61787,7 +61904,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_setattr_etc_dirs" lineno="2996">
+<interface name="files_setattr_etc_dirs" lineno="3033">
 <summary>
 Set the attributes of the /etc directories.
 </summary>
@@ -61797,7 +61914,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_list_etc" lineno="3014">
+<interface name="files_list_etc" lineno="3051">
 <summary>
 List the contents of /etc directories.
 </summary>
@@ -61807,7 +61924,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_dontaudit_write_etc_dirs" lineno="3032">
+<interface name="files_dontaudit_write_etc_dirs" lineno="3069">
 <summary>
 Do not audit attempts to write to /etc dirs.
 </summary>
@@ -61817,7 +61934,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="files_rw_etc_dirs" lineno="3050">
+<interface name="files_rw_etc_dirs" lineno="3087">
 <summary>
 Add and remove entries from /etc directories.
 </summary>
@@ -61827,7 +61944,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_manage_etc_dirs" lineno="3069">
+<interface name="files_manage_etc_dirs" lineno="3106">
 <summary>
 Manage generic directories in /etc
 </summary>
@@ -61838,7 +61955,7 @@ Domain allowed access
 </param>
 
 </interface>
-<interface name="files_relabelto_etc_dirs" lineno="3087">
+<interface name="files_relabelto_etc_dirs" lineno="3124">
 <summary>
 Relabel directories to etc_t.
 </summary>
@@ -61848,7 +61965,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_mounton_etc_dirs" lineno="3106">
+<interface name="files_mounton_etc_dirs" lineno="3143">
 <summary>
 Mount a filesystem on the
 etc directories.
@@ -61859,7 +61976,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_remount_etc" lineno="3124">
+<interface name="files_remount_etc" lineno="3161">
 <summary>
 Remount etc filesystems.
 </summary>
@@ -61869,7 +61986,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_watch_etc_dirs" lineno="3142">
+<interface name="files_watch_etc_dirs" lineno="3179">
 <summary>
 Watch /etc directories
 </summary>
@@ -61879,7 +61996,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_read_etc_files" lineno="3194">
+<interface name="files_read_etc_files" lineno="3231">
 <summary>
 Read generic files in /etc.
 </summary>
@@ -61923,7 +62040,7 @@ Domain allowed access.
 </param>
 <infoflow type="read" weight="10"/>
 </interface>
-<interface name="files_map_etc_files" lineno="3226">
+<interface name="files_map_etc_files" lineno="3263">
 <summary>
 Map generic files in /etc.
 </summary>
@@ -61945,7 +62062,7 @@ Domain allowed access.
 </param>
 <infoflow type="read" weight="10"/>
 </interface>
-<interface name="files_dontaudit_write_etc_files" lineno="3244">
+<interface name="files_dontaudit_write_etc_files" lineno="3281">
 <summary>
 Do not audit attempts to write generic files in /etc.
 </summary>
@@ -61955,7 +62072,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_rw_etc_files" lineno="3263">
+<interface name="files_rw_etc_files" lineno="3300">
 <summary>
 Read and write generic files in /etc.
 </summary>
@@ -61966,7 +62083,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="files_manage_etc_files" lineno="3285">
+<interface name="files_manage_etc_files" lineno="3322">
 <summary>
 Create, read, write, and delete generic
 files in /etc.
@@ -61978,7 +62095,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="files_dontaudit_manage_etc_files" lineno="3306">
+<interface name="files_dontaudit_manage_etc_files" lineno="3343">
 <summary>
 Do not audit attempts to create, read, write,
 and delete generic files in /etc.
@@ -61990,7 +62107,7 @@ Domain to not audit.
 </param>
 <rolecap/>
 </interface>
-<interface name="files_delete_etc_files" lineno="3324">
+<interface name="files_delete_etc_files" lineno="3361">
 <summary>
 Delete system configuration files in /etc.
 </summary>
@@ -62000,7 +62117,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_exec_etc_files" lineno="3342">
+<interface name="files_exec_etc_files" lineno="3379">
 <summary>
 Execute generic files in /etc.
 </summary>
@@ -62010,7 +62127,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_watch_etc_files" lineno="3362">
+<interface name="files_watch_etc_files" lineno="3399">
 <summary>
 Watch /etc files.
 </summary>
@@ -62020,7 +62137,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_get_etc_unit_status" lineno="3380">
+<interface name="files_get_etc_unit_status" lineno="3417">
 <summary>
 Get etc_t service status.
 </summary>
@@ -62030,7 +62147,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_start_etc_service" lineno="3399">
+<interface name="files_start_etc_service" lineno="3436">
 <summary>
 start etc_t service
 </summary>
@@ -62040,7 +62157,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_stop_etc_service" lineno="3418">
+<interface name="files_stop_etc_service" lineno="3455">
 <summary>
 stop etc_t service
 </summary>
@@ -62050,7 +62167,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_relabel_etc_files" lineno="3437">
+<interface name="files_relabel_etc_files" lineno="3474">
 <summary>
 Relabel from and to generic files in /etc.
 </summary>
@@ -62060,7 +62177,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_read_etc_symlinks" lineno="3456">
+<interface name="files_read_etc_symlinks" lineno="3493">
 <summary>
 Read symbolic links in /etc.
 </summary>
@@ -62070,7 +62187,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_watch_etc_symlinks" lineno="3474">
+<interface name="files_watch_etc_symlinks" lineno="3511">
 <summary>
 Watch /etc symlinks
 </summary>
@@ -62080,7 +62197,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_manage_etc_symlinks" lineno="3492">
+<interface name="files_manage_etc_symlinks" lineno="3529">
 <summary>
 Create, read, write, and delete symbolic links in /etc.
 </summary>
@@ -62090,7 +62207,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_etc_filetrans" lineno="3526">
+<interface name="files_etc_filetrans" lineno="3563">
 <summary>
 Create objects in /etc with a private
 type using a type_transition.
@@ -62116,7 +62233,7 @@ The name of the object being created.
 </summary>
 </param>
 </interface>
-<interface name="files_create_boot_flag" lineno="3556">
+<interface name="files_create_boot_flag" lineno="3593">
 <summary>
 Create a boot flag.
 </summary>
@@ -62138,7 +62255,7 @@ The name of the object being created.
 </param>
 <rolecap/>
 </interface>
-<interface name="files_delete_boot_flag" lineno="3582">
+<interface name="files_delete_boot_flag" lineno="3619">
 <summary>
 Delete a boot flag.
 </summary>
@@ -62155,7 +62272,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="files_getattr_etc_runtime_dirs" lineno="3601">
+<interface name="files_getattr_etc_runtime_dirs" lineno="3638">
 <summary>
 Get the attributes of the
 etc_runtime directories.
@@ -62166,7 +62283,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_mounton_etc_runtime_dirs" lineno="3620">
+<interface name="files_mounton_etc_runtime_dirs" lineno="3657">
 <summary>
 Mount a filesystem on the
 etc_runtime directories.
@@ -62177,7 +62294,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_relabelto_etc_runtime_dirs" lineno="3638">
+<interface name="files_relabelto_etc_runtime_dirs" lineno="3675">
 <summary>
 Relabel to etc_runtime_t dirs.
 </summary>
@@ -62187,7 +62304,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_dontaudit_setattr_etc_runtime_files" lineno="3656">
+<interface name="files_dontaudit_setattr_etc_runtime_files" lineno="3693">
 <summary>
 Do not audit attempts to set the attributes of the etc_runtime files
 </summary>
@@ -62197,7 +62314,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="files_read_etc_runtime_files" lineno="3694">
+<interface name="files_read_etc_runtime_files" lineno="3731">
 <summary>
 Read files in /etc that are dynamically
 created on boot, such as mtab.
@@ -62227,7 +62344,7 @@ Domain allowed access.
 <infoflow type="read" weight="10" />
 <rolecap/>
 </interface>
-<interface name="files_dontaudit_read_etc_runtime_files" lineno="3716">
+<interface name="files_dontaudit_read_etc_runtime_files" lineno="3753">
 <summary>
 Do not audit attempts to read files
 in /etc that are dynamically
@@ -62239,7 +62356,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="files_dontaudit_read_etc_files" lineno="3735">
+<interface name="files_dontaudit_read_etc_files" lineno="3772">
 <summary>
 Do not audit attempts to read files
 in /etc
@@ -62250,7 +62367,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="files_dontaudit_write_etc_runtime_files" lineno="3754">
+<interface name="files_dontaudit_write_etc_runtime_files" lineno="3791">
 <summary>
 Do not audit attempts to write
 etc runtime files.
@@ -62261,7 +62378,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="files_rw_etc_runtime_files" lineno="3774">
+<interface name="files_rw_etc_runtime_files" lineno="3811">
 <summary>
 Read and write files in /etc that are dynamically
 created on boot, such as mtab.
@@ -62273,7 +62390,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="files_manage_etc_runtime_files" lineno="3796">
+<interface name="files_manage_etc_runtime_files" lineno="3833">
 <summary>
 Create, read, write, and delete files in
 /etc that are dynamically created on boot,
@@ -62286,7 +62403,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="files_relabelto_etc_runtime_files" lineno="3814">
+<interface name="files_relabelto_etc_runtime_files" lineno="3851">
 <summary>
 Relabel to etc_runtime_t files.
 </summary>
@@ -62296,7 +62413,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_etc_filetrans_etc_runtime" lineno="3843">
+<interface name="files_etc_filetrans_etc_runtime" lineno="3880">
 <summary>
 Create, etc runtime objects with an automatic
 type transition.
@@ -62317,7 +62434,7 @@ The name of the object being created.
 </summary>
 </param>
 </interface>
-<interface name="files_getattr_home_dir" lineno="3862">
+<interface name="files_getattr_home_dir" lineno="3899">
 <summary>
 Get the attributes of the home directories root
 (/home).
@@ -62328,7 +62445,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_dontaudit_getattr_home_dir" lineno="3883">
+<interface name="files_dontaudit_getattr_home_dir" lineno="3920">
 <summary>
 Do not audit attempts to get the
 attributes of the home directories root
@@ -62340,7 +62457,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="files_search_home" lineno="3902">
+<interface name="files_search_home" lineno="3939">
 <summary>
 Search home directories root (/home).
 </summary>
@@ -62350,7 +62467,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_dontaudit_search_home" lineno="3922">
+<interface name="files_dontaudit_search_home" lineno="3959">
 <summary>
 Do not audit attempts to search
 home directories root (/home).
@@ -62361,7 +62478,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="files_dontaudit_list_home" lineno="3942">
+<interface name="files_dontaudit_list_home" lineno="3979">
 <summary>
 Do not audit attempts to list
 home directories root (/home).
@@ -62372,7 +62489,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="files_list_home" lineno="3961">
+<interface name="files_list_home" lineno="3998">
 <summary>
 Get listing of home directories.
 </summary>
@@ -62382,7 +62499,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_relabelto_home" lineno="3980">
+<interface name="files_relabelto_home" lineno="4017">
 <summary>
 Relabel to user home root (/home).
 </summary>
@@ -62392,7 +62509,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_relabelfrom_home" lineno="3998">
+<interface name="files_relabelfrom_home" lineno="4035">
 <summary>
 Relabel from user home root (/home).
 </summary>
@@ -62402,7 +62519,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_watch_home" lineno="4016">
+<interface name="files_watch_home" lineno="4053">
 <summary>
 Watch the user home root (/home).
 </summary>
@@ -62412,7 +62529,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_home_filetrans" lineno="4049">
+<interface name="files_home_filetrans" lineno="4086">
 <summary>
 Create objects in /home.
 </summary>
@@ -62437,7 +62554,7 @@ The name of the object being created.
 </summary>
 </param>
 </interface>
-<interface name="files_getattr_lost_found_dirs" lineno="4067">
+<interface name="files_getattr_lost_found_dirs" lineno="4104">
 <summary>
 Get the attributes of lost+found directories.
 </summary>
@@ -62447,7 +62564,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_dontaudit_getattr_lost_found_dirs" lineno="4086">
+<interface name="files_dontaudit_getattr_lost_found_dirs" lineno="4123">
 <summary>
 Do not audit attempts to get the attributes of
 lost+found directories.
@@ -62458,7 +62575,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="files_list_lost_found" lineno="4104">
+<interface name="files_list_lost_found" lineno="4141">
 <summary>
 List the contents of lost+found directories.
 </summary>
@@ -62468,7 +62585,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_manage_lost_found" lineno="4124">
+<interface name="files_manage_lost_found" lineno="4161">
 <summary>
 Create, read, write, and delete objects in
 lost+found directories.
@@ -62480,7 +62597,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="files_search_mnt" lineno="4146">
+<interface name="files_search_mnt" lineno="4183">
 <summary>
 Search the contents of /mnt.
 </summary>
@@ -62490,7 +62607,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_dontaudit_search_mnt" lineno="4164">
+<interface name="files_dontaudit_search_mnt" lineno="4201">
 <summary>
 Do not audit attempts to search /mnt.
 </summary>
@@ -62500,7 +62617,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="files_list_mnt" lineno="4182">
+<interface name="files_list_mnt" lineno="4219">
 <summary>
 List the contents of /mnt.
 </summary>
@@ -62510,7 +62627,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_dontaudit_list_mnt" lineno="4200">
+<interface name="files_dontaudit_list_mnt" lineno="4237">
 <summary>
 Do not audit attempts to list the contents of /mnt.
 </summary>
@@ -62520,7 +62637,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_mounton_mnt" lineno="4218">
+<interface name="files_mounton_mnt" lineno="4255">
 <summary>
 Mount a filesystem on /mnt.
 </summary>
@@ -62530,7 +62647,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_manage_mnt_dirs" lineno="4237">
+<interface name="files_manage_mnt_dirs" lineno="4274">
 <summary>
 Create, read, write, and delete directories in /mnt.
 </summary>
@@ -62541,7 +62658,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="files_manage_mnt_files" lineno="4255">
+<interface name="files_manage_mnt_files" lineno="4292">
 <summary>
 Create, read, write, and delete files in /mnt.
 </summary>
@@ -62551,7 +62668,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_read_mnt_files" lineno="4273">
+<interface name="files_read_mnt_files" lineno="4310">
 <summary>
 read files in /mnt.
 </summary>
@@ -62561,7 +62678,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_read_mnt_symlinks" lineno="4291">
+<interface name="files_read_mnt_symlinks" lineno="4328">
 <summary>
 Read symbolic links in /mnt.
 </summary>
@@ -62571,7 +62688,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_manage_mnt_symlinks" lineno="4309">
+<interface name="files_manage_mnt_symlinks" lineno="4346">
 <summary>
 Create, read, write, and delete symbolic links in /mnt.
 </summary>
@@ -62581,7 +62698,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_search_kernel_modules" lineno="4327">
+<interface name="files_search_kernel_modules" lineno="4364">
 <summary>
 Search the contents of the kernel module directories.
 </summary>
@@ -62591,7 +62708,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_list_kernel_modules" lineno="4346">
+<interface name="files_list_kernel_modules" lineno="4383">
 <summary>
 List the contents of the kernel module directories.
 </summary>
@@ -62601,7 +62718,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_getattr_kernel_modules" lineno="4365">
+<interface name="files_getattr_kernel_modules" lineno="4402">
 <summary>
 Get the attributes of kernel module files.
 </summary>
@@ -62611,7 +62728,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_read_kernel_modules" lineno="4383">
+<interface name="files_read_kernel_modules" lineno="4420">
 <summary>
 Read kernel module files.
 </summary>
@@ -62621,7 +62738,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_mmap_read_kernel_modules" lineno="4403">
+<interface name="files_mmap_read_kernel_modules" lineno="4440">
 <summary>
 Read and mmap kernel module files.
 </summary>
@@ -62631,7 +62748,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_write_kernel_modules" lineno="4424">
+<interface name="files_write_kernel_modules" lineno="4461">
 <summary>
 Write kernel module files.
 </summary>
@@ -62641,7 +62758,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_delete_kernel_modules" lineno="4443">
+<interface name="files_delete_kernel_modules" lineno="4480">
 <summary>
 Delete kernel module files.
 </summary>
@@ -62651,7 +62768,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_manage_kernel_modules" lineno="4463">
+<interface name="files_manage_kernel_modules" lineno="4500">
 <summary>
 Create, read, write, and delete
 kernel module files.
@@ -62663,7 +62780,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="files_relabel_kernel_modules" lineno="4483">
+<interface name="files_relabel_kernel_modules" lineno="4520">
 <summary>
 Relabel from and to kernel module files.
 </summary>
@@ -62673,7 +62790,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_mounton_kernel_modules_dirs" lineno="4502">
+<interface name="files_mounton_kernel_modules_dirs" lineno="4539">
 <summary>
 Mount on kernel module directories.
 </summary>
@@ -62683,7 +62800,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_kernel_modules_filetrans" lineno="4536">
+<interface name="files_kernel_modules_filetrans" lineno="4573">
 <summary>
 Create objects in the kernel module directories
 with a private type via an automatic type transition.
@@ -62709,7 +62826,7 @@ The name of the object being created.
 </summary>
 </param>
 </interface>
-<interface name="files_load_kernel_modules" lineno="4554">
+<interface name="files_load_kernel_modules" lineno="4591">
 <summary>
 Load kernel module files.
 </summary>
@@ -62719,7 +62836,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_dontaudit_load_kernel_modules" lineno="4573">
+<interface name="files_dontaudit_load_kernel_modules" lineno="4610">
 <summary>
 Load kernel module files.
 </summary>
@@ -62729,7 +62846,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_list_world_readable" lineno="4593">
+<interface name="files_list_world_readable" lineno="4630">
 <summary>
 List world-readable directories.
 </summary>
@@ -62740,7 +62857,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="files_read_world_readable_files" lineno="4612">
+<interface name="files_read_world_readable_files" lineno="4649">
 <summary>
 Read world-readable files.
 </summary>
@@ -62751,7 +62868,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="files_read_world_readable_symlinks" lineno="4631">
+<interface name="files_read_world_readable_symlinks" lineno="4668">
 <summary>
 Read world-readable symbolic links.
 </summary>
@@ -62762,7 +62879,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="files_read_world_readable_pipes" lineno="4649">
+<interface name="files_read_world_readable_pipes" lineno="4686">
 <summary>
 Read world-readable named pipes.
 </summary>
@@ -62772,7 +62889,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_read_world_readable_sockets" lineno="4667">
+<interface name="files_read_world_readable_sockets" lineno="4704">
 <summary>
 Read world-readable sockets.
 </summary>
@@ -62782,7 +62899,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_associate_tmp" lineno="4687">
+<interface name="files_associate_tmp" lineno="4724">
 <summary>
 Allow the specified type to associate
 to a filesystem with the type of the
@@ -62794,7 +62911,7 @@ Type of the file to associate.
 </summary>
 </param>
 </interface>
-<interface name="files_getattr_tmp_dirs" lineno="4705">
+<interface name="files_getattr_tmp_dirs" lineno="4742">
 <summary>
 Get the	attributes of the tmp directory (/tmp).
 </summary>
@@ -62804,7 +62921,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_dontaudit_getattr_tmp_dirs" lineno="4724">
+<interface name="files_dontaudit_getattr_tmp_dirs" lineno="4761">
 <summary>
 Do not audit attempts to get the
 attributes of the tmp directory (/tmp).
@@ -62815,7 +62932,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_search_tmp" lineno="4742">
+<interface name="files_search_tmp" lineno="4779">
 <summary>
 Search the tmp directory (/tmp).
 </summary>
@@ -62825,7 +62942,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_dontaudit_search_tmp" lineno="4760">
+<interface name="files_dontaudit_search_tmp" lineno="4797">
 <summary>
 Do not audit attempts to search the tmp directory (/tmp).
 </summary>
@@ -62835,7 +62952,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="files_list_tmp" lineno="4778">
+<interface name="files_list_tmp" lineno="4815">
 <summary>
 Read the tmp directory (/tmp).
 </summary>
@@ -62845,7 +62962,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_dontaudit_list_tmp" lineno="4796">
+<interface name="files_dontaudit_list_tmp" lineno="4833">
 <summary>
 Do not audit listing of the tmp directory (/tmp).
 </summary>
@@ -62855,7 +62972,7 @@ Domain not to audit.
 </summary>
 </param>
 </interface>
-<interface name="files_delete_tmp_dir_entry" lineno="4814">
+<interface name="files_delete_tmp_dir_entry" lineno="4851">
 <summary>
 Remove entries from the tmp directory.
 </summary>
@@ -62865,7 +62982,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_read_generic_tmp_files" lineno="4832">
+<interface name="files_read_generic_tmp_files" lineno="4869">
 <summary>
 Read files in the tmp directory (/tmp).
 </summary>
@@ -62875,7 +62992,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_manage_generic_tmp_dirs" lineno="4850">
+<interface name="files_manage_generic_tmp_dirs" lineno="4887">
 <summary>
 Manage temporary directories in /tmp.
 </summary>
@@ -62885,7 +63002,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_relabel_generic_tmp_dirs" lineno="4868">
+<interface name="files_relabel_generic_tmp_dirs" lineno="4905">
 <summary>
 Relabel temporary directories in /tmp.
 </summary>
@@ -62895,7 +63012,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_manage_generic_tmp_files" lineno="4886">
+<interface name="files_manage_generic_tmp_files" lineno="4923">
 <summary>
 Manage temporary files and directories in /tmp.
 </summary>
@@ -62905,7 +63022,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_read_generic_tmp_symlinks" lineno="4904">
+<interface name="files_read_generic_tmp_symlinks" lineno="4941">
 <summary>
 Read symbolic links in the tmp directory (/tmp).
 </summary>
@@ -62915,7 +63032,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_rw_generic_tmp_sockets" lineno="4922">
+<interface name="files_rw_generic_tmp_sockets" lineno="4959">
 <summary>
 Read and write generic named sockets in the tmp directory (/tmp).
 </summary>
@@ -62925,7 +63042,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_mounton_tmp" lineno="4940">
+<interface name="files_mounton_tmp" lineno="4977">
 <summary>
 Mount filesystems in the tmp directory (/tmp)
 </summary>
@@ -62935,7 +63052,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_setattr_all_tmp_dirs" lineno="4958">
+<interface name="files_setattr_all_tmp_dirs" lineno="4995">
 <summary>
 Set the attributes of all tmp directories.
 </summary>
@@ -62945,7 +63062,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_list_all_tmp" lineno="4976">
+<interface name="files_list_all_tmp" lineno="5013">
 <summary>
 List all tmp directories.
 </summary>
@@ -62955,7 +63072,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_relabel_all_tmp_dirs" lineno="4996">
+<interface name="files_relabel_all_tmp_dirs" lineno="5033">
 <summary>
 Relabel to and from all temporary
 directory types.
@@ -62967,7 +63084,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="files_dontaudit_getattr_all_tmp_files" lineno="5017">
+<interface name="files_dontaudit_getattr_all_tmp_files" lineno="5054">
 <summary>
 Do not audit attempts to get the attributes
 of all tmp files.
@@ -62978,7 +63095,7 @@ Domain not to audit.
 </summary>
 </param>
 </interface>
-<interface name="files_getattr_all_tmp_files" lineno="5036">
+<interface name="files_getattr_all_tmp_files" lineno="5073">
 <summary>
 Allow attempts to get the attributes
 of all tmp files.
@@ -62989,7 +63106,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_relabel_all_tmp_files" lineno="5056">
+<interface name="files_relabel_all_tmp_files" lineno="5093">
 <summary>
 Relabel to and from all temporary
 file types.
@@ -63001,7 +63118,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="files_dontaudit_getattr_all_tmp_sockets" lineno="5077">
+<interface name="files_dontaudit_getattr_all_tmp_sockets" lineno="5114">
 <summary>
 Do not audit attempts to get the attributes
 of all tmp sock_file.
@@ -63012,7 +63129,7 @@ Domain not to audit.
 </summary>
 </param>
 </interface>
-<interface name="files_read_all_tmp_files" lineno="5095">
+<interface name="files_read_all_tmp_files" lineno="5132">
 <summary>
 Read all tmp files.
 </summary>
@@ -63022,7 +63139,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_tmp_filetrans" lineno="5129">
+<interface name="files_tmp_filetrans" lineno="5166">
 <summary>
 Create an object in the tmp directories, with a private
 type using a type transition.
@@ -63048,7 +63165,7 @@ The name of the object being created.
 </summary>
 </param>
 </interface>
-<interface name="files_purge_tmp" lineno="5147">
+<interface name="files_purge_tmp" lineno="5184">
 <summary>
 Delete the contents of /tmp.
 </summary>
@@ -63058,7 +63175,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_getattr_all_tmpfs_files" lineno="5170">
+<interface name="files_getattr_all_tmpfs_files" lineno="5207">
 <summary>
 Get the attributes of all tmpfs files.
 </summary>
@@ -63068,7 +63185,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_setattr_usr_dirs" lineno="5189">
+<interface name="files_setattr_usr_dirs" lineno="5226">
 <summary>
 Set the attributes of the /usr directory.
 </summary>
@@ -63078,7 +63195,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_search_usr" lineno="5207">
+<interface name="files_search_usr" lineno="5244">
 <summary>
 Search the content of /usr.
 </summary>
@@ -63088,7 +63205,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_list_usr" lineno="5226">
+<interface name="files_list_usr" lineno="5263">
 <summary>
 List the contents of generic
 directories in /usr.
@@ -63099,7 +63216,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_dontaudit_write_usr_dirs" lineno="5244">
+<interface name="files_dontaudit_write_usr_dirs" lineno="5281">
 <summary>
 Do not audit write of /usr dirs
 </summary>
@@ -63109,7 +63226,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="files_rw_usr_dirs" lineno="5262">
+<interface name="files_rw_usr_dirs" lineno="5299">
 <summary>
 Add and remove entries from /usr directories.
 </summary>
@@ -63119,7 +63236,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_dontaudit_rw_usr_dirs" lineno="5281">
+<interface name="files_dontaudit_rw_usr_dirs" lineno="5318">
 <summary>
 Do not audit attempts to add and remove
 entries from /usr directories.
@@ -63130,7 +63247,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="files_delete_usr_dirs" lineno="5299">
+<interface name="files_delete_usr_dirs" lineno="5336">
 <summary>
 Delete generic directories in /usr in the caller domain.
 </summary>
@@ -63140,7 +63257,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_watch_usr_dirs" lineno="5317">
+<interface name="files_watch_usr_dirs" lineno="5354">
 <summary>
 Watch generic directories in /usr.
 </summary>
@@ -63150,7 +63267,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_delete_usr_files" lineno="5335">
+<interface name="files_delete_usr_files" lineno="5372">
 <summary>
 Delete generic files in /usr in the caller domain.
 </summary>
@@ -63160,7 +63277,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_getattr_usr_files" lineno="5353">
+<interface name="files_getattr_usr_files" lineno="5390">
 <summary>
 Get the attributes of files in /usr.
 </summary>
@@ -63170,7 +63287,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_map_usr_files" lineno="5372">
+<interface name="files_map_usr_files" lineno="5409">
 <summary>
 Map generic files in /usr.
 </summary>
@@ -63181,7 +63298,7 @@ Domain allowed access.
 </param>
 <infoflow type="read" weight="10"/>
 </interface>
-<interface name="files_read_usr_files" lineno="5408">
+<interface name="files_read_usr_files" lineno="5445">
 <summary>
 Read generic files in /usr.
 </summary>
@@ -63209,7 +63326,7 @@ Domain allowed access.
 </param>
 <infoflow type="read" weight="10"/>
 </interface>
-<interface name="files_exec_usr_files" lineno="5428">
+<interface name="files_exec_usr_files" lineno="5465">
 <summary>
 Execute generic programs in /usr in the caller domain.
 </summary>
@@ -63219,7 +63336,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_dontaudit_write_usr_files" lineno="5448">
+<interface name="files_dontaudit_write_usr_files" lineno="5485">
 <summary>
 dontaudit write of /usr files
 </summary>
@@ -63229,7 +63346,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="files_manage_usr_files" lineno="5466">
+<interface name="files_manage_usr_files" lineno="5503">
 <summary>
 Create, read, write, and delete files in the /usr directory.
 </summary>
@@ -63239,7 +63356,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_relabelto_usr_files" lineno="5484">
+<interface name="files_relabelto_usr_files" lineno="5521">
 <summary>
 Relabel a file to the type used in /usr.
 </summary>
@@ -63249,7 +63366,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_relabelfrom_usr_files" lineno="5502">
+<interface name="files_relabelfrom_usr_files" lineno="5539">
 <summary>
 Relabel a file from the type used in /usr.
 </summary>
@@ -63259,7 +63376,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_read_usr_symlinks" lineno="5520">
+<interface name="files_read_usr_symlinks" lineno="5557">
 <summary>
 Read symbolic links in /usr.
 </summary>
@@ -63269,7 +63386,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_usr_filetrans" lineno="5553">
+<interface name="files_usr_filetrans" lineno="5590">
 <summary>
 Create objects in the /usr directory
 </summary>
@@ -63294,7 +63411,7 @@ The name of the object being created.
 </summary>
 </param>
 </interface>
-<interface name="files_search_src" lineno="5571">
+<interface name="files_search_src" lineno="5608">
 <summary>
 Search directories in /usr/src.
 </summary>
@@ -63304,7 +63421,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_dontaudit_search_src" lineno="5589">
+<interface name="files_dontaudit_search_src" lineno="5626">
 <summary>
 Do not audit attempts to search /usr/src.
 </summary>
@@ -63314,7 +63431,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="files_getattr_usr_src_files" lineno="5607">
+<interface name="files_getattr_usr_src_files" lineno="5644">
 <summary>
 Get the attributes of files in /usr/src.
 </summary>
@@ -63324,7 +63441,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_read_usr_src_files" lineno="5628">
+<interface name="files_read_usr_src_files" lineno="5665">
 <summary>
 Read files in /usr/src.
 </summary>
@@ -63334,7 +63451,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_exec_usr_src_files" lineno="5649">
+<interface name="files_exec_usr_src_files" lineno="5686">
 <summary>
 Execute programs in /usr/src in the caller domain.
 </summary>
@@ -63344,7 +63461,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_create_kernel_symbol_table" lineno="5669">
+<interface name="files_create_kernel_symbol_table" lineno="5706">
 <summary>
 Install a system.map into the /boot directory.
 </summary>
@@ -63354,7 +63471,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_read_kernel_symbol_table" lineno="5688">
+<interface name="files_read_kernel_symbol_table" lineno="5725">
 <summary>
 Read system.map in the /boot directory.
 </summary>
@@ -63364,7 +63481,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_delete_kernel_symbol_table" lineno="5707">
+<interface name="files_delete_kernel_symbol_table" lineno="5744">
 <summary>
 Delete a system.map in the /boot directory.
 </summary>
@@ -63374,7 +63491,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_search_var" lineno="5726">
+<interface name="files_search_var" lineno="5763">
 <summary>
 Search the contents of /var.
 </summary>
@@ -63384,7 +63501,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_dontaudit_write_var_dirs" lineno="5744">
+<interface name="files_dontaudit_write_var_dirs" lineno="5781">
 <summary>
 Do not audit attempts to write to /var.
 </summary>
@@ -63394,7 +63511,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="files_write_var_dirs" lineno="5762">
+<interface name="files_write_var_dirs" lineno="5799">
 <summary>
 Allow attempts to write to /var.dirs
 </summary>
@@ -63404,7 +63521,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_dontaudit_search_var" lineno="5781">
+<interface name="files_dontaudit_search_var" lineno="5818">
 <summary>
 Do not audit attempts to search
 the contents of /var.
@@ -63415,7 +63532,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="files_list_var" lineno="5799">
+<interface name="files_list_var" lineno="5836">
 <summary>
 List the contents of /var.
 </summary>
@@ -63425,7 +63542,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_dontaudit_list_var" lineno="5818">
+<interface name="files_dontaudit_list_var" lineno="5855">
 <summary>
 Do not audit attempts to list
 the contents of /var.
@@ -63436,7 +63553,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="files_manage_var_dirs" lineno="5837">
+<interface name="files_manage_var_dirs" lineno="5874">
 <summary>
 Create, read, write, and delete directories
 in the /var directory.
@@ -63447,7 +63564,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_relabel_var_dirs" lineno="5855">
+<interface name="files_relabel_var_dirs" lineno="5892">
 <summary>
 relabelto/from var directories
 </summary>
@@ -63457,7 +63574,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_read_var_files" lineno="5873">
+<interface name="files_read_var_files" lineno="5910">
 <summary>
 Read files in the /var directory.
 </summary>
@@ -63467,7 +63584,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_append_var_files" lineno="5891">
+<interface name="files_append_var_files" lineno="5928">
 <summary>
 Append files in the /var directory.
 </summary>
@@ -63477,7 +63594,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_rw_var_files" lineno="5909">
+<interface name="files_rw_var_files" lineno="5946">
 <summary>
 Read and write files in the /var directory.
 </summary>
@@ -63487,7 +63604,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_dontaudit_rw_var_files" lineno="5928">
+<interface name="files_dontaudit_rw_var_files" lineno="5965">
 <summary>
 Do not audit attempts to read and write
 files in the /var directory.
@@ -63498,7 +63615,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="files_manage_var_files" lineno="5946">
+<interface name="files_manage_var_files" lineno="5983">
 <summary>
 Create, read, write, and delete files in the /var directory.
 </summary>
@@ -63508,7 +63625,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_read_var_symlinks" lineno="5964">
+<interface name="files_read_var_symlinks" lineno="6001">
 <summary>
 Read symbolic links in the /var directory.
 </summary>
@@ -63518,7 +63635,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_manage_var_symlinks" lineno="5983">
+<interface name="files_manage_var_symlinks" lineno="6020">
 <summary>
 Create, read, write, and delete symbolic
 links in the /var directory.
@@ -63529,7 +63646,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_var_filetrans" lineno="6016">
+<interface name="files_var_filetrans" lineno="6053">
 <summary>
 Create objects in the /var directory
 </summary>
@@ -63554,7 +63671,7 @@ The name of the object being created.
 </summary>
 </param>
 </interface>
-<interface name="files_getattr_var_lib_dirs" lineno="6034">
+<interface name="files_getattr_var_lib_dirs" lineno="6071">
 <summary>
 Get the attributes of the /var/lib directory.
 </summary>
@@ -63564,7 +63681,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_search_var_lib" lineno="6066">
+<interface name="files_search_var_lib" lineno="6103">
 <summary>
 Search the /var/lib directory.
 </summary>
@@ -63588,7 +63705,7 @@ Domain allowed access.
 </param>
 <infoflow type="read" weight="5"/>
 </interface>
-<interface name="files_dontaudit_search_var_lib" lineno="6086">
+<interface name="files_dontaudit_search_var_lib" lineno="6123">
 <summary>
 Do not audit attempts to search the
 contents of /var/lib.
@@ -63600,7 +63717,7 @@ Domain to not audit.
 </param>
 <infoflow type="read" weight="5"/>
 </interface>
-<interface name="files_list_var_lib" lineno="6104">
+<interface name="files_list_var_lib" lineno="6141">
 <summary>
 List the contents of the /var/lib directory.
 </summary>
@@ -63610,7 +63727,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_rw_var_lib_dirs" lineno="6122">
+<interface name="files_rw_var_lib_dirs" lineno="6159">
 <summary>
 Read-write /var/lib directories
 </summary>
@@ -63620,7 +63737,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_manage_var_lib_dirs" lineno="6140">
+<interface name="files_manage_var_lib_dirs" lineno="6177">
 <summary>
 manage var_lib_t dirs
 </summary>
@@ -63630,7 +63747,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_relabel_var_lib_dirs" lineno="6159">
+<interface name="files_relabel_var_lib_dirs" lineno="6196">
 <summary>
 relabel var_lib_t dirs
 </summary>
@@ -63640,7 +63757,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_var_lib_filetrans" lineno="6193">
+<interface name="files_var_lib_filetrans" lineno="6230">
 <summary>
 Create objects in the /var/lib directory
 </summary>
@@ -63665,7 +63782,7 @@ The name of the object being created.
 </summary>
 </param>
 </interface>
-<interface name="files_read_var_lib_files" lineno="6212">
+<interface name="files_read_var_lib_files" lineno="6249">
 <summary>
 Read generic files in /var/lib.
 </summary>
@@ -63675,7 +63792,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_read_var_lib_symlinks" lineno="6231">
+<interface name="files_read_var_lib_symlinks" lineno="6268">
 <summary>
 Read generic symbolic links in /var/lib
 </summary>
@@ -63685,7 +63802,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_manage_urandom_seed" lineno="6253">
+<interface name="files_manage_urandom_seed" lineno="6290">
 <summary>
 Create, read, write, and delete the
 pseudorandom number generator seed.
@@ -63696,7 +63813,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_manage_mounttab" lineno="6273">
+<interface name="files_manage_mounttab" lineno="6309">
 <summary>
 Allow domain to manage mount tables
 necessary for rpcd, nfsd, etc.
@@ -63707,7 +63824,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_setattr_lock_dirs" lineno="6292">
+<interface name="files_setattr_lock_dirs" lineno="6328">
 <summary>
 Set the attributes of the generic lock directories.
 </summary>
@@ -63717,7 +63834,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_search_locks" lineno="6310">
+<interface name="files_search_locks" lineno="6346">
 <summary>
 Search the locks directory (/var/lock).
 </summary>
@@ -63727,7 +63844,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_dontaudit_search_locks" lineno="6330">
+<interface name="files_dontaudit_search_locks" lineno="6366">
 <summary>
 Do not audit attempts to search the
 locks directory (/var/lock).
@@ -63738,7 +63855,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="files_list_locks" lineno="6349">
+<interface name="files_list_locks" lineno="6385">
 <summary>
 List generic lock directories.
 </summary>
@@ -63748,7 +63865,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_check_write_lock_dirs" lineno="6368">
+<interface name="files_check_write_lock_dirs" lineno="6404">
 <summary>
 Test write access on lock directories.
 </summary>
@@ -63758,7 +63875,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_add_entry_lock_dirs" lineno="6387">
+<interface name="files_add_entry_lock_dirs" lineno="6423">
 <summary>
 Add entries in the /var/lock directories.
 </summary>
@@ -63768,7 +63885,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_rw_lock_dirs" lineno="6407">
+<interface name="files_rw_lock_dirs" lineno="6443">
 <summary>
 Add and remove entries in the /var/lock
 directories.
@@ -63779,7 +63896,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_create_lock_dirs" lineno="6426">
+<interface name="files_create_lock_dirs" lineno="6462">
 <summary>
 Create lock directories
 </summary>
@@ -63789,7 +63906,7 @@ Domain allowed access
 </summary>
 </param>
 </interface>
-<interface name="files_relabel_all_lock_dirs" lineno="6447">
+<interface name="files_relabel_all_lock_dirs" lineno="6483">
 <summary>
 Relabel to and from all lock directory types.
 </summary>
@@ -63800,7 +63917,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="files_getattr_generic_locks" lineno="6468">
+<interface name="files_getattr_generic_locks" lineno="6504">
 <summary>
 Get the attributes of generic lock files.
 </summary>
@@ -63810,7 +63927,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_delete_generic_locks" lineno="6489">
+<interface name="files_delete_generic_locks" lineno="6525">
 <summary>
 Delete generic lock files.
 </summary>
@@ -63820,7 +63937,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_manage_generic_locks" lineno="6510">
+<interface name="files_manage_generic_locks" lineno="6546">
 <summary>
 Create, read, write, and delete generic
 lock files.
@@ -63831,7 +63948,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_delete_all_locks" lineno="6532">
+<interface name="files_delete_all_locks" lineno="6568">
 <summary>
 Delete all lock files.
 </summary>
@@ -63842,7 +63959,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="files_read_all_locks" lineno="6553">
+<interface name="files_read_all_locks" lineno="6589">
 <summary>
 Read all lock files.
 </summary>
@@ -63852,7 +63969,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_manage_all_locks" lineno="6576">
+<interface name="files_manage_all_locks" lineno="6612">
 <summary>
 manage all lock files.
 </summary>
@@ -63862,7 +63979,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_relabel_all_locks" lineno="6599">
+<interface name="files_relabel_all_locks" lineno="6635">
 <summary>
 Relabel from/to all lock files.
 </summary>
@@ -63872,7 +63989,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_lock_filetrans" lineno="6638">
+<interface name="files_lock_filetrans" lineno="6674">
 <summary>
 Create an object in the locks directory, with a private
 type using a type transition.
@@ -63898,7 +64015,7 @@ The name of the object being created.
 </summary>
 </param>
 </interface>
-<interface name="files_dontaudit_getattr_runtime_dirs" lineno="6659">
+<interface name="files_dontaudit_getattr_runtime_dirs" lineno="6695">
 <summary>
 Do not audit attempts to get the attributes
 of the /var/run directory.
@@ -63909,7 +64026,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="files_mounton_runtime_dirs" lineno="6678">
+<interface name="files_mounton_runtime_dirs" lineno="6714">
 <summary>
 mounton a /var/run directory.
 </summary>
@@ -63919,7 +64036,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_setattr_runtime_dirs" lineno="6696">
+<interface name="files_setattr_runtime_dirs" lineno="6732">
 <summary>
 Set the attributes of the /var/run directory.
 </summary>
@@ -63929,7 +64046,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_search_runtime" lineno="6716">
+<interface name="files_search_runtime" lineno="6752">
 <summary>
 Search the contents of runtime process
 ID directories (/var/run).
@@ -63940,7 +64057,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_dontaudit_search_runtime" lineno="6736">
+<interface name="files_dontaudit_search_runtime" lineno="6772">
 <summary>
 Do not audit attempts to search
 the /var/run directory.
@@ -63951,7 +64068,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="files_list_runtime" lineno="6756">
+<interface name="files_list_runtime" lineno="6792">
 <summary>
 List the contents of the runtime process
 ID directories (/var/run).
@@ -63962,7 +64079,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_check_write_runtime_dirs" lineno="6775">
+<interface name="files_check_write_runtime_dirs" lineno="6811">
 <summary>
 Check write access on /var/run directories.
 </summary>
@@ -63972,7 +64089,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_create_runtime_dirs" lineno="6793">
+<interface name="files_create_runtime_dirs" lineno="6829">
 <summary>
 Create a /var/run directory.
 </summary>
@@ -63982,7 +64099,17 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_watch_runtime_dirs" lineno="6811">
+<interface name="files_rw_runtime_dirs" lineno="6847">
+<summary>
+Read and write a /var/run directory.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_watch_runtime_dirs" lineno="6865">
 <summary>
 Watch /var/run directories.
 </summary>
@@ -63992,7 +64119,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_read_runtime_files" lineno="6829">
+<interface name="files_read_runtime_files" lineno="6883">
 <summary>
 Read generic runtime files.
 </summary>
@@ -64002,7 +64129,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_exec_runtime" lineno="6849">
+<interface name="files_exec_runtime" lineno="6903">
 <summary>
 Execute generic programs in /var/run in the caller domain.
 </summary>
@@ -64012,7 +64139,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_rw_runtime_files" lineno="6867">
+<interface name="files_rw_runtime_files" lineno="6921">
 <summary>
 Read and write generic runtime files.
 </summary>
@@ -64022,7 +64149,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_delete_runtime_symlinks" lineno="6887">
+<interface name="files_delete_runtime_symlinks" lineno="6941">
 <summary>
 Delete generic runtime symlinks.
 </summary>
@@ -64032,7 +64159,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_write_runtime_pipes" lineno="6905">
+<interface name="files_write_runtime_pipes" lineno="6959">
 <summary>
 Write named generic runtime pipes.
 </summary>
@@ -64042,7 +64169,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_delete_all_runtime_dirs" lineno="6925">
+<interface name="files_delete_all_runtime_dirs" lineno="6979">
 <summary>
 Delete all runtime dirs.
 </summary>
@@ -64053,7 +64180,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="files_manage_all_runtime_dirs" lineno="6943">
+<interface name="files_manage_all_runtime_dirs" lineno="6997">
 <summary>
 Create, read, write, and delete all runtime directories.
 </summary>
@@ -64063,7 +64190,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_relabel_all_runtime_dirs" lineno="6961">
+<interface name="files_relabel_all_runtime_dirs" lineno="7015">
 <summary>
 Relabel all runtime directories.
 </summary>
@@ -64073,7 +64200,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_dontaudit_getattr_all_runtime_files" lineno="6980">
+<interface name="files_dontaudit_getattr_all_runtime_files" lineno="7034">
 <summary>
 Do not audit attempts to get the attributes of
 all runtime data files.
@@ -64084,7 +64211,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="files_read_all_runtime_files" lineno="7001">
+<interface name="files_read_all_runtime_files" lineno="7055">
 <summary>
 Read all runtime files.
 </summary>
@@ -64095,7 +64222,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="files_dontaudit_ioctl_all_runtime_files" lineno="7022">
+<interface name="files_dontaudit_ioctl_all_runtime_files" lineno="7076">
 <summary>
 Do not audit attempts to ioctl all runtime files.
 </summary>
@@ -64105,7 +64232,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="files_dontaudit_write_all_runtime_files" lineno="7042">
+<interface name="files_dontaudit_write_all_runtime_files" lineno="7096">
 <summary>
 Do not audit attempts to write to all runtime files.
 </summary>
@@ -64115,7 +64242,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="files_delete_all_runtime_files" lineno="7063">
+<interface name="files_delete_all_runtime_files" lineno="7117">
 <summary>
 Delete all runtime files.
 </summary>
@@ -64126,7 +64253,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="files_manage_all_runtime_files" lineno="7082">
+<interface name="files_manage_all_runtime_files" lineno="7136">
 <summary>
 Create, read, write and delete all
 var_run (pid) files
@@ -64137,7 +64264,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_relabel_all_runtime_files" lineno="7100">
+<interface name="files_relabel_all_runtime_files" lineno="7154">
 <summary>
 Relabel all runtime files.
 </summary>
@@ -64147,7 +64274,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_delete_all_runtime_symlinks" lineno="7119">
+<interface name="files_delete_all_runtime_symlinks" lineno="7173">
 <summary>
 Delete all runtime symlinks.
 </summary>
@@ -64158,7 +64285,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="files_manage_all_runtime_symlinks" lineno="7138">
+<interface name="files_manage_all_runtime_symlinks" lineno="7192">
 <summary>
 Create, read, write and delete all
 var_run (pid) symbolic links.
@@ -64169,7 +64296,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_relabel_all_runtime_symlinks" lineno="7156">
+<interface name="files_relabel_all_runtime_symlinks" lineno="7210">
 <summary>
 Relabel all runtime symbolic links.
 </summary>
@@ -64179,7 +64306,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_create_all_runtime_pipes" lineno="7174">
+<interface name="files_create_all_runtime_pipes" lineno="7228">
 <summary>
 Create all runtime named pipes
 </summary>
@@ -64189,7 +64316,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_delete_all_runtime_pipes" lineno="7193">
+<interface name="files_delete_all_runtime_pipes" lineno="7247">
 <summary>
 Delete all runtime named pipes
 </summary>
@@ -64199,7 +64326,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_create_all_runtime_sockets" lineno="7212">
+<interface name="files_create_all_runtime_sockets" lineno="7266">
 <summary>
 Create all runtime sockets.
 </summary>
@@ -64209,7 +64336,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_delete_all_runtime_sockets" lineno="7230">
+<interface name="files_delete_all_runtime_sockets" lineno="7284">
 <summary>
 Delete all runtime sockets.
 </summary>
@@ -64219,7 +64346,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_relabel_all_runtime_sockets" lineno="7248">
+<interface name="files_relabel_all_runtime_sockets" lineno="7302">
 <summary>
 Relabel all runtime named sockets.
 </summary>
@@ -64229,7 +64356,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_runtime_filetrans" lineno="7308">
+<interface name="files_runtime_filetrans" lineno="7362">
 <summary>
 Create an object in the /run directory, with a private type.
 </summary>
@@ -64281,7 +64408,7 @@ The name of the object being created.
 </param>
 <infoflow type="write" weight="10"/>
 </interface>
-<interface name="files_runtime_filetrans_lock_dir" lineno="7333">
+<interface name="files_runtime_filetrans_lock_dir" lineno="7387">
 <summary>
 Create a generic lock directory within the run directories.
 </summary>
@@ -64296,7 +64423,7 @@ The name of the object being created.
 </summary>
 </param>
 </interface>
-<interface name="files_create_all_spool_sockets" lineno="7351">
+<interface name="files_create_all_spool_sockets" lineno="7405">
 <summary>
 Create all spool sockets
 </summary>
@@ -64306,7 +64433,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_delete_all_spool_sockets" lineno="7369">
+<interface name="files_delete_all_spool_sockets" lineno="7423">
 <summary>
 Delete all spool sockets
 </summary>
@@ -64316,7 +64443,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_mounton_all_poly_members" lineno="7388">
+<interface name="files_mounton_all_poly_members" lineno="7442">
 <summary>
 Mount filesystems on all polyinstantiation
 member directories.
@@ -64327,7 +64454,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_search_spool" lineno="7407">
+<interface name="files_search_spool" lineno="7461">
 <summary>
 Search the contents of generic spool
 directories (/var/spool).
@@ -64338,7 +64465,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_dontaudit_search_spool" lineno="7426">
+<interface name="files_dontaudit_search_spool" lineno="7480">
 <summary>
 Do not audit attempts to search generic
 spool directories.
@@ -64349,7 +64476,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="files_list_spool" lineno="7445">
+<interface name="files_list_spool" lineno="7499">
 <summary>
 List the contents of generic spool
 (/var/spool) directories.
@@ -64360,7 +64487,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_manage_generic_spool_dirs" lineno="7464">
+<interface name="files_manage_generic_spool_dirs" lineno="7518">
 <summary>
 Create, read, write, and delete generic
 spool directories (/var/spool).
@@ -64371,7 +64498,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_read_generic_spool" lineno="7483">
+<interface name="files_read_generic_spool" lineno="7537">
 <summary>
 Read generic spool files.
 </summary>
@@ -64381,7 +64508,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_manage_generic_spool" lineno="7503">
+<interface name="files_manage_generic_spool" lineno="7557">
 <summary>
 Create, read, write, and delete generic
 spool files.
@@ -64392,7 +64519,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_spool_filetrans" lineno="7539">
+<interface name="files_spool_filetrans" lineno="7593">
 <summary>
 Create objects in the spool directory
 with a private type with a type transition.
@@ -64419,7 +64546,7 @@ The name of the object being created.
 </summary>
 </param>
 </interface>
-<interface name="files_polyinstantiate_all" lineno="7559">
+<interface name="files_polyinstantiate_all" lineno="7613">
 <summary>
 Allow access to manage all polyinstantiated
 directories on the system.
@@ -64430,7 +64557,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_unconfined" lineno="7613">
+<interface name="files_unconfined" lineno="7667">
 <summary>
 Unconfined access to files.
 </summary>
@@ -64440,7 +64567,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_manage_etc_runtime_lnk_files" lineno="7635">
+<interface name="files_manage_etc_runtime_lnk_files" lineno="7689">
 <summary>
 Create, read, write, and delete symbolic links in
 /etc that are dynamically created on boot.
@@ -64452,7 +64579,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="files_dontaudit_read_etc_runtime" lineno="7653">
+<interface name="files_dontaudit_read_etc_runtime" lineno="7707">
 <summary>
 Do not audit attempts to read etc_runtime resources
 </summary>
@@ -64462,7 +64589,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_list_src" lineno="7671">
+<interface name="files_list_src" lineno="7725">
 <summary>
 List usr/src files
 </summary>
@@ -64472,7 +64599,7 @@ Domain allowed access
 </summary>
 </param>
 </interface>
-<interface name="files_read_src_files" lineno="7689">
+<interface name="files_read_src_files" lineno="7743">
 <summary>
 Read usr/src files
 </summary>
@@ -64482,7 +64609,7 @@ Domain allowed access
 </summary>
 </param>
 </interface>
-<interface name="files_manage_src_files" lineno="7707">
+<interface name="files_manage_src_files" lineno="7761">
 <summary>
 Manage /usr/src files
 </summary>
@@ -64492,7 +64619,7 @@ Domain allowed access
 </summary>
 </param>
 </interface>
-<interface name="files_lib_filetrans_kernel_modules" lineno="7738">
+<interface name="files_lib_filetrans_kernel_modules" lineno="7792">
 <summary>
 Create a resource in the generic lib location
 with an automatic type transition towards the kernel modules
@@ -64514,7 +64641,7 @@ Optional name of the resource
 </summary>
 </param>
 </interface>
-<interface name="files_read_etc_runtime" lineno="7756">
+<interface name="files_read_etc_runtime" lineno="7810">
 <summary>
 Read etc runtime resources
 </summary>
@@ -64524,7 +64651,7 @@ Domain allowed access
 </summary>
 </param>
 </interface>
-<interface name="files_relabel_all_non_security_file_types" lineno="7778">
+<interface name="files_relabel_all_non_security_file_types" lineno="7832">
 <summary>
 Allow relabel from and to non-security types
 </summary>
@@ -64535,7 +64662,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="files_manage_all_non_security_file_types" lineno="7808">
+<interface name="files_manage_all_non_security_file_types" lineno="7862">
 <summary>
 Manage non-security-sensitive resource types
 </summary>
@@ -64546,7 +64673,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="files_relabel_all_pidfiles" lineno="7830">
+<interface name="files_relabel_all_pidfiles" lineno="7884">
 <summary>
 Allow relabeling from and to any pidfile associated type
 </summary>
@@ -65226,7 +65353,17 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_cgroup_filetrans" lineno="1180">
+<interface name="fs_mounton_cgroup_files" lineno="1164">
+<summary>
+Mount on cgroup files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fs_cgroup_filetrans" lineno="1198">
 <summary>
 Create an object in a cgroup tmpfs filesystem, with a private
 type using a type transition.
@@ -65252,7 +65389,38 @@ The name of the object being created.
 </summary>
 </param>
 </interface>
-<interface name="fs_dontaudit_list_cifs_dirs" lineno="1201">
+<interface name="fs_cgroup_filetrans_memory_pressure" lineno="1229">
+<summary>
+Create an object in a cgroup tmpfs filesystem, with the memory_pressure_t
+type using a type transition.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="object">
+<summary>
+The object class of the object being created.
+</summary>
+</param>
+<param name="name" optional="true">
+<summary>
+The name of the object being created.
+</summary>
+</param>
+</interface>
+<interface name="fs_watch_memory_pressure" lineno="1247">
+<summary>
+Allow managing a cgroup's memory.pressure file to get notifications
+</summary>
+<param name="domain">
+<summary>
+Source domain
+</summary>
+</param>
+</interface>
+<interface name="fs_dontaudit_list_cifs_dirs" lineno="1266">
 <summary>
 Do not audit attempts to read
 dirs on a CIFS or SMB filesystem.
@@ -65263,7 +65431,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="fs_mount_cifs" lineno="1219">
+<interface name="fs_mount_cifs" lineno="1284">
 <summary>
 Mount a CIFS or SMB network filesystem.
 </summary>
@@ -65273,7 +65441,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_remount_cifs" lineno="1238">
+<interface name="fs_remount_cifs" lineno="1303">
 <summary>
 Remount a CIFS or SMB network filesystem.
 This allows some mount options to be changed.
@@ -65284,7 +65452,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_unmount_cifs" lineno="1256">
+<interface name="fs_unmount_cifs" lineno="1321">
 <summary>
 Unmount a CIFS or SMB network filesystem.
 </summary>
@@ -65294,7 +65462,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_getattr_cifs" lineno="1276">
+<interface name="fs_getattr_cifs" lineno="1341">
 <summary>
 Get the attributes of a CIFS or
 SMB network filesystem.
@@ -65306,7 +65474,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="fs_search_cifs" lineno="1294">
+<interface name="fs_search_cifs" lineno="1359">
 <summary>
 Search directories on a CIFS or SMB filesystem.
 </summary>
@@ -65316,7 +65484,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_list_cifs" lineno="1313">
+<interface name="fs_list_cifs" lineno="1378">
 <summary>
 List the contents of directories on a
 CIFS or SMB filesystem.
@@ -65327,7 +65495,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_dontaudit_list_cifs" lineno="1332">
+<interface name="fs_dontaudit_list_cifs" lineno="1397">
 <summary>
 Do not audit attempts to list the contents
 of directories on a CIFS or SMB filesystem.
@@ -65338,7 +65506,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="fs_mounton_cifs" lineno="1350">
+<interface name="fs_mounton_cifs" lineno="1415">
 <summary>
 Mounton a CIFS filesystem.
 </summary>
@@ -65348,7 +65516,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_read_cifs_files" lineno="1369">
+<interface name="fs_read_cifs_files" lineno="1434">
 <summary>
 Read files on a CIFS or SMB filesystem.
 </summary>
@@ -65359,7 +65527,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="fs_read_all_inherited_image_files" lineno="1389">
+<interface name="fs_read_all_inherited_image_files" lineno="1454">
 <summary>
 Read all inherited filesystem image files.
 </summary>
@@ -65370,7 +65538,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="fs_read_all_image_files" lineno="1408">
+<interface name="fs_read_all_image_files" lineno="1473">
 <summary>
 Read all filesystem image files.
 </summary>
@@ -65381,7 +65549,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="fs_mmap_read_all_image_files" lineno="1427">
+<interface name="fs_mmap_read_all_image_files" lineno="1492">
 <summary>
 Mmap-read all filesystem image files.
 </summary>
@@ -65392,7 +65560,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="fs_rw_all_image_files" lineno="1446">
+<interface name="fs_rw_all_image_files" lineno="1511">
 <summary>
 Read and write all filesystem image files.
 </summary>
@@ -65403,7 +65571,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="fs_mmap_rw_all_image_files" lineno="1465">
+<interface name="fs_mmap_rw_all_image_files" lineno="1530">
 <summary>
 Mmap-Read-write all filesystem image files.
 </summary>
@@ -65414,7 +65582,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="fs_dontaudit_write_all_image_files" lineno="1484">
+<interface name="fs_dontaudit_write_all_image_files" lineno="1549">
 <summary>
 Do not audit attempts to write all filesystem image files.
 </summary>
@@ -65425,7 +65593,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="fs_getattr_noxattr_fs" lineno="1504">
+<interface name="fs_getattr_noxattr_fs" lineno="1569">
 <summary>
 Get the attributes of filesystems that
 do not have extended attribute support.
@@ -65437,7 +65605,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="fs_list_noxattr_fs" lineno="1522">
+<interface name="fs_list_noxattr_fs" lineno="1587">
 <summary>
 Read all noxattrfs directories.
 </summary>
@@ -65447,7 +65615,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_dontaudit_list_noxattr_fs" lineno="1541">
+<interface name="fs_dontaudit_list_noxattr_fs" lineno="1606">
 <summary>
 Do not audit attempts to list all
 noxattrfs directories.
@@ -65458,7 +65626,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="fs_manage_noxattr_fs_dirs" lineno="1559">
+<interface name="fs_manage_noxattr_fs_dirs" lineno="1624">
 <summary>
 Create, read, write, and delete all noxattrfs directories.
 </summary>
@@ -65468,7 +65636,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_read_noxattr_fs_files" lineno="1577">
+<interface name="fs_read_noxattr_fs_files" lineno="1642">
 <summary>
 Read all noxattrfs files.
 </summary>
@@ -65478,7 +65646,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_dontaudit_read_noxattr_fs_files" lineno="1597">
+<interface name="fs_dontaudit_read_noxattr_fs_files" lineno="1662">
 <summary>
 Do not audit attempts to read all
 noxattrfs files.
@@ -65489,7 +65657,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="fs_dontaudit_write_noxattr_fs_files" lineno="1615">
+<interface name="fs_dontaudit_write_noxattr_fs_files" lineno="1680">
 <summary>
 Dont audit attempts to write to noxattrfs files.
 </summary>
@@ -65499,7 +65667,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="fs_manage_noxattr_fs_files" lineno="1633">
+<interface name="fs_manage_noxattr_fs_files" lineno="1698">
 <summary>
 Create, read, write, and delete all noxattrfs files.
 </summary>
@@ -65509,7 +65677,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_read_noxattr_fs_symlinks" lineno="1652">
+<interface name="fs_read_noxattr_fs_symlinks" lineno="1717">
 <summary>
 Read all noxattrfs symbolic links.
 </summary>
@@ -65519,7 +65687,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_manage_noxattr_fs_symlinks" lineno="1671">
+<interface name="fs_manage_noxattr_fs_symlinks" lineno="1736">
 <summary>
 Manage all noxattrfs symbolic links.
 </summary>
@@ -65529,7 +65697,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_relabelfrom_noxattr_fs" lineno="1691">
+<interface name="fs_relabelfrom_noxattr_fs" lineno="1756">
 <summary>
 Relabel all objects from filesystems that
 do not support extended attributes.
@@ -65540,7 +65708,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_dontaudit_read_cifs_files" lineno="1717">
+<interface name="fs_dontaudit_read_cifs_files" lineno="1782">
 <summary>
 Do not audit attempts to read
 files on a CIFS or SMB filesystem.
@@ -65551,7 +65719,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="fs_append_cifs_files" lineno="1737">
+<interface name="fs_append_cifs_files" lineno="1802">
 <summary>
 Append files
 on a CIFS filesystem.
@@ -65563,7 +65731,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="fs_dontaudit_append_cifs_files" lineno="1757">
+<interface name="fs_dontaudit_append_cifs_files" lineno="1822">
 <summary>
 dontaudit Append files
 on a CIFS filesystem.
@@ -65575,7 +65743,7 @@ Domain to not audit.
 </param>
 <rolecap/>
 </interface>
-<interface name="fs_dontaudit_rw_cifs_files" lineno="1776">
+<interface name="fs_dontaudit_rw_cifs_files" lineno="1841">
 <summary>
 Do not audit attempts to read or
 write files on a CIFS or SMB filesystem.
@@ -65586,7 +65754,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="fs_read_cifs_symlinks" lineno="1794">
+<interface name="fs_read_cifs_symlinks" lineno="1859">
 <summary>
 Read symbolic links on a CIFS or SMB filesystem.
 </summary>
@@ -65596,7 +65764,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_read_cifs_named_pipes" lineno="1814">
+<interface name="fs_read_cifs_named_pipes" lineno="1879">
 <summary>
 Read named pipes
 on a CIFS or SMB network filesystem.
@@ -65607,7 +65775,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_read_cifs_named_sockets" lineno="1833">
+<interface name="fs_read_cifs_named_sockets" lineno="1898">
 <summary>
 Read named sockets
 on a CIFS or SMB network filesystem.
@@ -65618,7 +65786,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_exec_cifs_files" lineno="1854">
+<interface name="fs_exec_cifs_files" lineno="1919">
 <summary>
 Execute files on a CIFS or SMB
 network filesystem, in the caller
@@ -65631,7 +65799,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="fs_manage_cifs_dirs" lineno="1875">
+<interface name="fs_manage_cifs_dirs" lineno="1940">
 <summary>
 Create, read, write, and delete directories
 on a CIFS or SMB network filesystem.
@@ -65643,7 +65811,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="fs_dontaudit_manage_cifs_dirs" lineno="1895">
+<interface name="fs_dontaudit_manage_cifs_dirs" lineno="1960">
 <summary>
 Do not audit attempts to create, read,
 write, and delete directories
@@ -65655,7 +65823,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="fs_manage_cifs_files" lineno="1915">
+<interface name="fs_manage_cifs_files" lineno="1980">
 <summary>
 Create, read, write, and delete files
 on a CIFS or SMB network filesystem.
@@ -65667,7 +65835,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="fs_dontaudit_manage_cifs_files" lineno="1935">
+<interface name="fs_dontaudit_manage_cifs_files" lineno="2000">
 <summary>
 Do not audit attempts to create, read,
 write, and delete files
@@ -65679,7 +65847,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="fs_manage_cifs_symlinks" lineno="1954">
+<interface name="fs_manage_cifs_symlinks" lineno="2019">
 <summary>
 Create, read, write, and delete symbolic links
 on a CIFS or SMB network filesystem.
@@ -65690,7 +65858,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_manage_cifs_named_pipes" lineno="1973">
+<interface name="fs_manage_cifs_named_pipes" lineno="2038">
 <summary>
 Create, read, write, and delete named pipes
 on a CIFS or SMB network filesystem.
@@ -65701,7 +65869,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_manage_cifs_named_sockets" lineno="1992">
+<interface name="fs_manage_cifs_named_sockets" lineno="2057">
 <summary>
 Create, read, write, and delete named sockets
 on a CIFS or SMB network filesystem.
@@ -65712,7 +65880,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_cifs_domtrans" lineno="2035">
+<interface name="fs_cifs_domtrans" lineno="2100">
 <summary>
 Execute a file on a CIFS or SMB filesystem
 in the specified domain.
@@ -65747,7 +65915,7 @@ The type of the new process.
 </summary>
 </param>
 </interface>
-<interface name="fs_manage_configfs_dirs" lineno="2055">
+<interface name="fs_manage_configfs_dirs" lineno="2120">
 <summary>
 Create, read, write, and delete dirs
 on a configfs filesystem.
@@ -65758,7 +65926,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_manage_configfs_files" lineno="2074">
+<interface name="fs_manage_configfs_files" lineno="2139">
 <summary>
 Create, read, write, and delete files
 on a configfs filesystem.
@@ -65769,7 +65937,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_mount_dos_fs" lineno="2093">
+<interface name="fs_mount_dos_fs" lineno="2158">
 <summary>
 Mount a DOS filesystem, such as
 FAT32 or NTFS.
@@ -65780,7 +65948,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_remount_dos_fs" lineno="2113">
+<interface name="fs_remount_dos_fs" lineno="2178">
 <summary>
 Remount a DOS filesystem, such as
 FAT32 or NTFS.  This allows
@@ -65792,7 +65960,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_unmount_dos_fs" lineno="2132">
+<interface name="fs_unmount_dos_fs" lineno="2197">
 <summary>
 Unmount a DOS filesystem, such as
 FAT32 or NTFS.
@@ -65803,7 +65971,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_getattr_dos_fs" lineno="2152">
+<interface name="fs_getattr_dos_fs" lineno="2217">
 <summary>
 Get the attributes of a DOS
 filesystem, such as FAT32 or NTFS.
@@ -65815,7 +65983,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="fs_relabelfrom_dos_fs" lineno="2171">
+<interface name="fs_relabelfrom_dos_fs" lineno="2236">
 <summary>
 Allow changing of the label of a
 DOS filesystem using the context= mount option.
@@ -65826,7 +65994,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_getattr_dos_dirs" lineno="2189">
+<interface name="fs_getattr_dos_dirs" lineno="2254">
 <summary>
 Get attributes of directories on a dosfs filesystem.
 </summary>
@@ -65836,7 +66004,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_search_dos" lineno="2207">
+<interface name="fs_search_dos" lineno="2272">
 <summary>
 Search dosfs filesystem.
 </summary>
@@ -65846,7 +66014,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_list_dos" lineno="2225">
+<interface name="fs_list_dos" lineno="2290">
 <summary>
 List dirs DOS filesystem.
 </summary>
@@ -65856,7 +66024,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_manage_dos_dirs" lineno="2244">
+<interface name="fs_manage_dos_dirs" lineno="2309">
 <summary>
 Create, read, write, and delete dirs
 on a DOS filesystem.
@@ -65867,7 +66035,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_read_dos_files" lineno="2262">
+<interface name="fs_read_dos_files" lineno="2327">
 <summary>
 Read files on a DOS filesystem.
 </summary>
@@ -65877,7 +66045,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_mmap_read_dos_files" lineno="2280">
+<interface name="fs_mmap_read_dos_files" lineno="2345">
 <summary>
 Read and map files on a DOS filesystem.
 </summary>
@@ -65887,7 +66055,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_manage_dos_files" lineno="2300">
+<interface name="fs_manage_dos_files" lineno="2365">
 <summary>
 Create, read, write, and delete files
 on a DOS filesystem.
@@ -65898,7 +66066,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_list_ecryptfs" lineno="2318">
+<interface name="fs_list_ecryptfs" lineno="2383">
 <summary>
 Read symbolic links on an eCryptfs filesystem.
 </summary>
@@ -65908,7 +66076,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_manage_ecryptfs_dirs" lineno="2339">
+<interface name="fs_manage_ecryptfs_dirs" lineno="2404">
 <summary>
 Create, read, write, and delete directories
 on an eCryptfs filesystem.
@@ -65920,7 +66088,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="fs_manage_ecryptfs_files" lineno="2359">
+<interface name="fs_manage_ecryptfs_files" lineno="2424">
 <summary>
 Create, read, write, and delete files
 on an eCryptfs filesystem.
@@ -65932,7 +66100,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="fs_manage_ecryptfs_named_sockets" lineno="2378">
+<interface name="fs_manage_ecryptfs_named_sockets" lineno="2443">
 <summary>
 Create, read, write, and delete named sockets
 on an eCryptfs filesystem.
@@ -65943,7 +66111,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_getattr_efivarfs" lineno="2396">
+<interface name="fs_getattr_efivarfs" lineno="2461">
 <summary>
 Get the attributes of efivarfs filesystems.
 </summary>
@@ -65953,7 +66121,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_list_efivars" lineno="2414">
+<interface name="fs_list_efivars" lineno="2479">
 <summary>
 List dirs in efivarfs filesystem.
 </summary>
@@ -65963,7 +66131,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_read_efivarfs_files" lineno="2434">
+<interface name="fs_read_efivarfs_files" lineno="2499">
 <summary>
 Read files in efivarfs
 - contains Linux Kernel configuration options for UEFI systems
@@ -65975,7 +66143,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="fs_setattr_efivarfs_files" lineno="2454">
+<interface name="fs_setattr_efivarfs_files" lineno="2519">
 <summary>
 Set the attributes of files in efivarfs
 - contains Linux Kernel configuration options for UEFI systems
@@ -65987,7 +66155,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="fs_manage_efivarfs_files" lineno="2474">
+<interface name="fs_manage_efivarfs_files" lineno="2539">
 <summary>
 Create, read, write, and delete files
 on a efivarfs filesystem.
@@ -65999,7 +66167,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_getattr_fusefs" lineno="2492">
+<interface name="fs_getattr_fusefs" lineno="2557">
 <summary>
 stat a FUSE filesystem
 </summary>
@@ -66009,7 +66177,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_mount_fusefs" lineno="2510">
+<interface name="fs_mount_fusefs" lineno="2575">
 <summary>
 Mount a FUSE filesystem.
 </summary>
@@ -66019,7 +66187,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_unmount_fusefs" lineno="2528">
+<interface name="fs_unmount_fusefs" lineno="2593">
 <summary>
 Unmount a FUSE filesystem.
 </summary>
@@ -66029,7 +66197,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_remount_fusefs" lineno="2546">
+<interface name="fs_remount_fusefs" lineno="2611">
 <summary>
 Remount a FUSE filesystem.
 </summary>
@@ -66039,7 +66207,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_mounton_fusefs" lineno="2564">
+<interface name="fs_mounton_fusefs" lineno="2629">
 <summary>
 Mounton a FUSEFS filesystem.
 </summary>
@@ -66049,7 +66217,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_fusefs_entry_type" lineno="2583">
+<interface name="fs_fusefs_entry_type" lineno="2648">
 <summary>
 Make FUSEFS files an entrypoint for the
 specified domain.
@@ -66060,7 +66228,7 @@ The domain for which fusefs_t is an entrypoint.
 </summary>
 </param>
 </interface>
-<interface name="fs_fusefs_domtrans" lineno="2616">
+<interface name="fs_fusefs_domtrans" lineno="2681">
 <summary>
 Execute FUSEFS files in a specified domain.
 </summary>
@@ -66085,7 +66253,7 @@ Domain to transition to.
 </summary>
 </param>
 </interface>
-<interface name="fs_search_fusefs" lineno="2636">
+<interface name="fs_search_fusefs" lineno="2701">
 <summary>
 Search directories
 on a FUSEFS filesystem.
@@ -66097,7 +66265,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="fs_list_fusefs" lineno="2656">
+<interface name="fs_list_fusefs" lineno="2721">
 <summary>
 List the contents of directories
 on a FUSEFS filesystem.
@@ -66109,7 +66277,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="fs_dontaudit_list_fusefs" lineno="2675">
+<interface name="fs_dontaudit_list_fusefs" lineno="2740">
 <summary>
 Do not audit attempts to list the contents
 of directories on a FUSEFS filesystem.
@@ -66120,7 +66288,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="fs_setattr_fusefs_dirs" lineno="2695">
+<interface name="fs_setattr_fusefs_dirs" lineno="2760">
 <summary>
 Set the attributes of directories
 on a FUSEFS filesystem.
@@ -66132,7 +66300,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="fs_manage_fusefs_dirs" lineno="2715">
+<interface name="fs_manage_fusefs_dirs" lineno="2780">
 <summary>
 Create, read, write, and delete directories
 on a FUSEFS filesystem.
@@ -66144,7 +66312,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="fs_dontaudit_manage_fusefs_dirs" lineno="2735">
+<interface name="fs_dontaudit_manage_fusefs_dirs" lineno="2800">
 <summary>
 Do not audit attempts to create, read,
 write, and delete directories
@@ -66156,7 +66324,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="fs_getattr_fusefs_files" lineno="2755">
+<interface name="fs_getattr_fusefs_files" lineno="2820">
 <summary>
 Get the attributes of files on a
 FUSEFS filesystem.
@@ -66168,7 +66336,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="fs_read_fusefs_files" lineno="2774">
+<interface name="fs_read_fusefs_files" lineno="2839">
 <summary>
 Read, a FUSEFS filesystem.
 </summary>
@@ -66179,7 +66347,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="fs_exec_fusefs_files" lineno="2793">
+<interface name="fs_exec_fusefs_files" lineno="2858">
 <summary>
 Execute files on a FUSEFS filesystem.
 </summary>
@@ -66190,7 +66358,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="fs_setattr_fusefs_files" lineno="2813">
+<interface name="fs_setattr_fusefs_files" lineno="2878">
 <summary>
 Set the attributes of files on a
 FUSEFS filesystem.
@@ -66202,7 +66370,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="fs_manage_fusefs_files" lineno="2833">
+<interface name="fs_manage_fusefs_files" lineno="2898">
 <summary>
 Create, read, write, and delete files
 on a FUSEFS filesystem.
@@ -66214,7 +66382,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="fs_dontaudit_manage_fusefs_files" lineno="2853">
+<interface name="fs_dontaudit_manage_fusefs_files" lineno="2918">
 <summary>
 Do not audit attempts to create,
 read, write, and delete files
@@ -66226,7 +66394,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="fs_getattr_fusefs_symlinks" lineno="2873">
+<interface name="fs_getattr_fusefs_symlinks" lineno="2938">
 <summary>
 Get the attributes of symlinks
 on a FUSEFS filesystem.
@@ -66238,7 +66406,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="fs_read_fusefs_symlinks" lineno="2891">
+<interface name="fs_read_fusefs_symlinks" lineno="2956">
 <summary>
 Read symbolic links on a FUSEFS filesystem.
 </summary>
@@ -66248,7 +66416,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_setattr_fusefs_symlinks" lineno="2912">
+<interface name="fs_setattr_fusefs_symlinks" lineno="2977">
 <summary>
 Set the attributes of symlinks
 on a FUSEFS filesystem.
@@ -66260,7 +66428,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="fs_manage_fusefs_symlinks" lineno="2931">
+<interface name="fs_manage_fusefs_symlinks" lineno="2996">
 <summary>
 Manage symlinks on a FUSEFS filesystem.
 </summary>
@@ -66271,7 +66439,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="fs_getattr_fusefs_fifo_files" lineno="2951">
+<interface name="fs_getattr_fusefs_fifo_files" lineno="3016">
 <summary>
 Get the attributes of named pipes
 on a FUSEFS filesystem.
@@ -66283,7 +66451,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="fs_setattr_fusefs_fifo_files" lineno="2971">
+<interface name="fs_setattr_fusefs_fifo_files" lineno="3036">
 <summary>
 Set the attributes of named pipes
 on a FUSEFS filesystem.
@@ -66295,7 +66463,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="fs_manage_fusefs_fifo_files" lineno="2991">
+<interface name="fs_manage_fusefs_fifo_files" lineno="3056">
 <summary>
 Manage named pipes on a FUSEFS
 filesystem.
@@ -66307,7 +66475,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="fs_getattr_fusefs_sock_files" lineno="3011">
+<interface name="fs_getattr_fusefs_sock_files" lineno="3076">
 <summary>
 Get the attributes of named sockets
 on a FUSEFS filesystem.
@@ -66319,7 +66487,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="fs_setattr_fusefs_sock_files" lineno="3031">
+<interface name="fs_setattr_fusefs_sock_files" lineno="3096">
 <summary>
 Set the attributes of named sockets
 on a FUSEFS filesystem.
@@ -66331,7 +66499,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="fs_manage_fusefs_sock_files" lineno="3051">
+<interface name="fs_manage_fusefs_sock_files" lineno="3116">
 <summary>
 Manage named sockets on a FUSEFS
 filesystem.
@@ -66343,7 +66511,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="fs_getattr_fusefs_chr_files" lineno="3071">
+<interface name="fs_getattr_fusefs_chr_files" lineno="3136">
 <summary>
 Get the attributes of character files
 on a FUSEFS filesystem.
@@ -66355,7 +66523,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="fs_setattr_fusefs_chr_files" lineno="3091">
+<interface name="fs_setattr_fusefs_chr_files" lineno="3156">
 <summary>
 Set the attributes of character files
 on a FUSEFS filesystem.
@@ -66367,7 +66535,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="fs_manage_fusefs_chr_files" lineno="3111">
+<interface name="fs_manage_fusefs_chr_files" lineno="3176">
 <summary>
 Manage character files on a FUSEFS
 filesystem.
@@ -66379,7 +66547,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="fs_getattr_hugetlbfs" lineno="3130">
+<interface name="fs_getattr_hugetlbfs" lineno="3195">
 <summary>
 Get the attributes of an hugetlbfs
 filesystem.
@@ -66390,7 +66558,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_list_hugetlbfs" lineno="3148">
+<interface name="fs_list_hugetlbfs" lineno="3213">
 <summary>
 List hugetlbfs.
 </summary>
@@ -66400,7 +66568,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_manage_hugetlbfs_dirs" lineno="3166">
+<interface name="fs_manage_hugetlbfs_dirs" lineno="3231">
 <summary>
 Manage hugetlbfs dirs.
 </summary>
@@ -66410,7 +66578,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_rw_inherited_hugetlbfs_files" lineno="3184">
+<interface name="fs_rw_inherited_hugetlbfs_files" lineno="3249">
 <summary>
 Read and write inherited hugetlbfs files.
 </summary>
@@ -66420,7 +66588,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_rw_hugetlbfs_files" lineno="3202">
+<interface name="fs_rw_hugetlbfs_files" lineno="3267">
 <summary>
 Read and write hugetlbfs files.
 </summary>
@@ -66430,7 +66598,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_mmap_rw_hugetlbfs_files" lineno="3220">
+<interface name="fs_mmap_rw_hugetlbfs_files" lineno="3285">
 <summary>
 Read, map and write hugetlbfs files.
 </summary>
@@ -66440,7 +66608,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_associate_hugetlbfs" lineno="3239">
+<interface name="fs_associate_hugetlbfs" lineno="3304">
 <summary>
 Allow the type to associate to hugetlbfs filesystems.
 </summary>
@@ -66450,7 +66618,7 @@ The type of the object to be associated.
 </summary>
 </param>
 </interface>
-<interface name="fs_search_inotifyfs" lineno="3257">
+<interface name="fs_search_inotifyfs" lineno="3322">
 <summary>
 Search inotifyfs filesystem.
 </summary>
@@ -66460,7 +66628,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_list_inotifyfs" lineno="3275">
+<interface name="fs_list_inotifyfs" lineno="3340">
 <summary>
 List inotifyfs filesystem.
 </summary>
@@ -66470,7 +66638,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_dontaudit_list_inotifyfs" lineno="3293">
+<interface name="fs_dontaudit_list_inotifyfs" lineno="3358">
 <summary>
 Dontaudit List inotifyfs filesystem.
 </summary>
@@ -66480,7 +66648,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="fs_hugetlbfs_filetrans" lineno="3327">
+<interface name="fs_hugetlbfs_filetrans" lineno="3392">
 <summary>
 Create an object in a hugetlbfs filesystem, with a private
 type using a type transition.
@@ -66506,7 +66674,7 @@ The name of the object being created.
 </summary>
 </param>
 </interface>
-<interface name="fs_mount_iso9660_fs" lineno="3347">
+<interface name="fs_mount_iso9660_fs" lineno="3412">
 <summary>
 Mount an iso9660 filesystem, which
 is usually used on CDs.
@@ -66517,7 +66685,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_remount_iso9660_fs" lineno="3367">
+<interface name="fs_remount_iso9660_fs" lineno="3432">
 <summary>
 Remount an iso9660 filesystem, which
 is usually used on CDs.  This allows
@@ -66529,7 +66697,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_relabelfrom_iso9660_fs" lineno="3386">
+<interface name="fs_relabelfrom_iso9660_fs" lineno="3451">
 <summary>
 Allow changing of the label of a
 filesystem with iso9660 type
@@ -66540,7 +66708,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_unmount_iso9660_fs" lineno="3405">
+<interface name="fs_unmount_iso9660_fs" lineno="3470">
 <summary>
 Unmount an iso9660 filesystem, which
 is usually used on CDs.
@@ -66551,7 +66719,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_getattr_iso9660_fs" lineno="3425">
+<interface name="fs_getattr_iso9660_fs" lineno="3490">
 <summary>
 Get the attributes of an iso9660
 filesystem, which is usually used on CDs.
@@ -66563,7 +66731,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="fs_getattr_iso9660_files" lineno="3444">
+<interface name="fs_getattr_iso9660_files" lineno="3509">
 <summary>
 Get the attributes of files on an iso9660
 filesystem, which is usually used on CDs.
@@ -66574,7 +66742,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_read_iso9660_files" lineno="3464">
+<interface name="fs_read_iso9660_files" lineno="3529">
 <summary>
 Read files on an iso9660 filesystem, which
 is usually used on CDs.
@@ -66585,7 +66753,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_mount_nfs" lineno="3484">
+<interface name="fs_mount_nfs" lineno="3549">
 <summary>
 Mount a NFS filesystem.
 </summary>
@@ -66595,7 +66763,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_remount_nfs" lineno="3503">
+<interface name="fs_remount_nfs" lineno="3568">
 <summary>
 Remount a NFS filesystem.  This allows
 some mount options to be changed.
@@ -66606,7 +66774,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_unmount_nfs" lineno="3521">
+<interface name="fs_unmount_nfs" lineno="3586">
 <summary>
 Unmount a NFS filesystem.
 </summary>
@@ -66616,7 +66784,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_getattr_nfs" lineno="3540">
+<interface name="fs_getattr_nfs" lineno="3605">
 <summary>
 Get the attributes of a NFS filesystem.
 </summary>
@@ -66627,7 +66795,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="fs_search_nfs" lineno="3558">
+<interface name="fs_search_nfs" lineno="3623">
 <summary>
 Search directories on a NFS filesystem.
 </summary>
@@ -66637,7 +66805,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_list_nfs" lineno="3576">
+<interface name="fs_list_nfs" lineno="3641">
 <summary>
 List NFS filesystem.
 </summary>
@@ -66647,7 +66815,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_dontaudit_list_nfs" lineno="3595">
+<interface name="fs_dontaudit_list_nfs" lineno="3660">
 <summary>
 Do not audit attempts to list the contents
 of directories on a NFS filesystem.
@@ -66658,7 +66826,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="fs_watch_nfs_dirs" lineno="3614">
+<interface name="fs_watch_nfs_dirs" lineno="3679">
 <summary>
 Add a watch on directories on an NFS
 filesystem.
@@ -66669,7 +66837,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_mounton_nfs" lineno="3632">
+<interface name="fs_mounton_nfs" lineno="3697">
 <summary>
 Mounton a NFS filesystem.
 </summary>
@@ -66679,7 +66847,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_read_nfs_files" lineno="3651">
+<interface name="fs_read_nfs_files" lineno="3716">
 <summary>
 Read files on a NFS filesystem.
 </summary>
@@ -66690,7 +66858,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="fs_dontaudit_read_nfs_files" lineno="3671">
+<interface name="fs_dontaudit_read_nfs_files" lineno="3736">
 <summary>
 Do not audit attempts to read
 files on a NFS filesystem.
@@ -66701,7 +66869,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="fs_write_nfs_files" lineno="3689">
+<interface name="fs_write_nfs_files" lineno="3754">
 <summary>
 Read files on a NFS filesystem.
 </summary>
@@ -66711,7 +66879,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_exec_nfs_files" lineno="3709">
+<interface name="fs_exec_nfs_files" lineno="3774">
 <summary>
 Execute files on a NFS filesystem.
 </summary>
@@ -66722,7 +66890,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="fs_append_nfs_files" lineno="3730">
+<interface name="fs_append_nfs_files" lineno="3795">
 <summary>
 Append files
 on a NFS filesystem.
@@ -66734,7 +66902,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="fs_dontaudit_append_nfs_files" lineno="3750">
+<interface name="fs_dontaudit_append_nfs_files" lineno="3815">
 <summary>
 dontaudit Append files
 on a NFS filesystem.
@@ -66746,7 +66914,7 @@ Domain to not audit.
 </param>
 <rolecap/>
 </interface>
-<interface name="fs_dontaudit_rw_nfs_files" lineno="3769">
+<interface name="fs_dontaudit_rw_nfs_files" lineno="3834">
 <summary>
 Do not audit attempts to read or
 write files on a NFS filesystem.
@@ -66757,7 +66925,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="fs_watch_nfs_files" lineno="3787">
+<interface name="fs_watch_nfs_files" lineno="3852">
 <summary>
 Add a watch on files on an NFS filesystem.
 </summary>
@@ -66767,7 +66935,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_read_nfs_symlinks" lineno="3805">
+<interface name="fs_read_nfs_symlinks" lineno="3870">
 <summary>
 Read symbolic links on a NFS filesystem.
 </summary>
@@ -66777,7 +66945,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_dontaudit_read_nfs_symlinks" lineno="3824">
+<interface name="fs_dontaudit_read_nfs_symlinks" lineno="3889">
 <summary>
 Dontaudit read symbolic links on a NFS filesystem.
 </summary>
@@ -66787,7 +66955,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="fs_read_nfs_named_sockets" lineno="3842">
+<interface name="fs_read_nfs_named_sockets" lineno="3907">
 <summary>
 Read named sockets on a NFS filesystem.
 </summary>
@@ -66797,7 +66965,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_read_nfs_named_pipes" lineno="3861">
+<interface name="fs_read_nfs_named_pipes" lineno="3926">
 <summary>
 Read named pipes on a NFS network filesystem.
 </summary>
@@ -66808,7 +66976,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="fs_getattr_rpc_dirs" lineno="3880">
+<interface name="fs_getattr_rpc_dirs" lineno="3945">
 <summary>
 Get the attributes of directories of RPC
 file system pipes.
@@ -66819,7 +66987,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_search_rpc" lineno="3899">
+<interface name="fs_search_rpc" lineno="3964">
 <summary>
 Search directories of RPC file system pipes.
 </summary>
@@ -66829,7 +66997,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_search_removable" lineno="3917">
+<interface name="fs_search_removable" lineno="3982">
 <summary>
 Search removable storage directories.
 </summary>
@@ -66839,7 +67007,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_dontaudit_list_removable" lineno="3935">
+<interface name="fs_dontaudit_list_removable" lineno="4000">
 <summary>
 Do not audit attempts to list removable storage directories.
 </summary>
@@ -66849,7 +67017,7 @@ Domain not to audit.
 </summary>
 </param>
 </interface>
-<interface name="fs_read_removable_files" lineno="3953">
+<interface name="fs_read_removable_files" lineno="4018">
 <summary>
 Read removable storage files.
 </summary>
@@ -66859,7 +67027,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_dontaudit_read_removable_files" lineno="3971">
+<interface name="fs_dontaudit_read_removable_files" lineno="4036">
 <summary>
 Do not audit attempts to read removable storage files.
 </summary>
@@ -66869,7 +67037,7 @@ Domain not to audit.
 </summary>
 </param>
 </interface>
-<interface name="fs_dontaudit_write_removable_files" lineno="3989">
+<interface name="fs_dontaudit_write_removable_files" lineno="4054">
 <summary>
 Do not audit attempts to write removable storage files.
 </summary>
@@ -66879,7 +67047,7 @@ Domain not to audit.
 </summary>
 </param>
 </interface>
-<interface name="fs_read_removable_symlinks" lineno="4007">
+<interface name="fs_read_removable_symlinks" lineno="4072">
 <summary>
 Read removable storage symbolic links.
 </summary>
@@ -66889,7 +67057,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_read_removable_blk_files" lineno="4025">
+<interface name="fs_read_removable_blk_files" lineno="4090">
 <summary>
 Read block nodes on removable filesystems.
 </summary>
@@ -66899,7 +67067,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_rw_removable_blk_files" lineno="4044">
+<interface name="fs_rw_removable_blk_files" lineno="4109">
 <summary>
 Read and write block nodes on removable filesystems.
 </summary>
@@ -66909,7 +67077,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_list_rpc" lineno="4063">
+<interface name="fs_list_rpc" lineno="4128">
 <summary>
 Read directories of RPC file system pipes.
 </summary>
@@ -66919,7 +67087,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_read_rpc_files" lineno="4081">
+<interface name="fs_read_rpc_files" lineno="4146">
 <summary>
 Read files of RPC file system pipes.
 </summary>
@@ -66929,7 +67097,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_read_rpc_symlinks" lineno="4099">
+<interface name="fs_read_rpc_symlinks" lineno="4164">
 <summary>
 Read symbolic links of RPC file system pipes.
 </summary>
@@ -66939,7 +67107,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_read_rpc_sockets" lineno="4117">
+<interface name="fs_read_rpc_sockets" lineno="4182">
 <summary>
 Read sockets of RPC file system pipes.
 </summary>
@@ -66949,7 +67117,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_rw_rpc_sockets" lineno="4135">
+<interface name="fs_rw_rpc_sockets" lineno="4200">
 <summary>
 Read and write sockets of RPC file system pipes.
 </summary>
@@ -66959,7 +67127,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_manage_nfs_dirs" lineno="4155">
+<interface name="fs_manage_nfs_dirs" lineno="4220">
 <summary>
 Create, read, write, and delete directories
 on a NFS filesystem.
@@ -66971,7 +67139,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="fs_dontaudit_manage_nfs_dirs" lineno="4175">
+<interface name="fs_dontaudit_manage_nfs_dirs" lineno="4240">
 <summary>
 Do not audit attempts to create, read,
 write, and delete directories
@@ -66983,7 +67151,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="fs_manage_nfs_files" lineno="4195">
+<interface name="fs_manage_nfs_files" lineno="4260">
 <summary>
 Create, read, write, and delete files
 on a NFS filesystem.
@@ -66995,7 +67163,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="fs_dontaudit_manage_nfs_files" lineno="4215">
+<interface name="fs_dontaudit_manage_nfs_files" lineno="4280">
 <summary>
 Do not audit attempts to create,
 read, write, and delete files
@@ -67007,7 +67175,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="fs_manage_nfs_symlinks" lineno="4235">
+<interface name="fs_manage_nfs_symlinks" lineno="4300">
 <summary>
 Create, read, write, and delete symbolic links
 on a NFS network filesystem.
@@ -67019,7 +67187,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="fs_manage_nfs_named_pipes" lineno="4254">
+<interface name="fs_manage_nfs_named_pipes" lineno="4319">
 <summary>
 Create, read, write, and delete named pipes
 on a NFS filesystem.
@@ -67030,7 +67198,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_manage_nfs_named_sockets" lineno="4273">
+<interface name="fs_manage_nfs_named_sockets" lineno="4338">
 <summary>
 Create, read, write, and delete named sockets
 on a NFS filesystem.
@@ -67041,7 +67209,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_nfs_domtrans" lineno="4316">
+<interface name="fs_nfs_domtrans" lineno="4381">
 <summary>
 Execute a file on a NFS filesystem
 in the specified domain.
@@ -67076,7 +67244,7 @@ The type of the new process.
 </summary>
 </param>
 </interface>
-<interface name="fs_mount_nfsd_fs" lineno="4335">
+<interface name="fs_mount_nfsd_fs" lineno="4400">
 <summary>
 Mount a NFS server pseudo filesystem.
 </summary>
@@ -67086,7 +67254,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_remount_nfsd_fs" lineno="4354">
+<interface name="fs_remount_nfsd_fs" lineno="4419">
 <summary>
 Mount a NFS server pseudo filesystem.
 This allows some mount options to be changed.
@@ -67097,7 +67265,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_unmount_nfsd_fs" lineno="4372">
+<interface name="fs_unmount_nfsd_fs" lineno="4437">
 <summary>
 Unmount a NFS server pseudo filesystem.
 </summary>
@@ -67107,7 +67275,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_getattr_nfsd_fs" lineno="4391">
+<interface name="fs_getattr_nfsd_fs" lineno="4456">
 <summary>
 Get the attributes of a NFS server
 pseudo filesystem.
@@ -67118,7 +67286,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_search_nfsd_fs" lineno="4409">
+<interface name="fs_search_nfsd_fs" lineno="4474">
 <summary>
 Search NFS server directories.
 </summary>
@@ -67128,7 +67296,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_list_nfsd_fs" lineno="4427">
+<interface name="fs_list_nfsd_fs" lineno="4492">
 <summary>
 List NFS server directories.
 </summary>
@@ -67138,7 +67306,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_watch_nfsd_dirs" lineno="4445">
+<interface name="fs_watch_nfsd_dirs" lineno="4510">
 <summary>
 Watch NFS server directories.
 </summary>
@@ -67148,7 +67316,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_getattr_nfsd_files" lineno="4463">
+<interface name="fs_getattr_nfsd_files" lineno="4528">
 <summary>
 Getattr files on an nfsd filesystem
 </summary>
@@ -67158,7 +67326,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_rw_nfsd_fs" lineno="4481">
+<interface name="fs_rw_nfsd_fs" lineno="4546">
 <summary>
 Read and write NFS server files.
 </summary>
@@ -67168,7 +67336,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_getattr_nsfs_files" lineno="4499">
+<interface name="fs_getattr_nsfs_files" lineno="4564">
 <summary>
 Get the attributes of nsfs inodes (e.g. /proc/pid/ns/uts)
 </summary>
@@ -67178,7 +67346,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_read_nsfs_files" lineno="4517">
+<interface name="fs_read_nsfs_files" lineno="4582">
 <summary>
 Read nsfs inodes (e.g. /proc/pid/ns/uts)
 </summary>
@@ -67188,7 +67356,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_watch_nfsd_files" lineno="4535">
+<interface name="fs_watch_nfsd_files" lineno="4600">
 <summary>
 Watch NFS server files.
 </summary>
@@ -67198,7 +67366,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_getattr_nsfs" lineno="4553">
+<interface name="fs_getattr_nsfs" lineno="4618">
 <summary>
 Get the attributes of an nsfs filesystem.
 </summary>
@@ -67208,7 +67376,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_unmount_nsfs" lineno="4571">
+<interface name="fs_unmount_nsfs" lineno="4636">
 <summary>
 Unmount an nsfs filesystem.
 </summary>
@@ -67218,7 +67386,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_getattr_pstorefs" lineno="4589">
+<interface name="fs_getattr_pstorefs" lineno="4654">
 <summary>
 Get the attributes of a pstore filesystem.
 </summary>
@@ -67228,7 +67396,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_getattr_pstore_dirs" lineno="4608">
+<interface name="fs_getattr_pstore_dirs" lineno="4673">
 <summary>
 Get the attributes of directories
 of a pstore filesystem.
@@ -67239,7 +67407,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_create_pstore_dirs" lineno="4627">
+<interface name="fs_create_pstore_dirs" lineno="4692">
 <summary>
 Create pstore directories.
 </summary>
@@ -67249,7 +67417,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_relabel_pstore_dirs" lineno="4646">
+<interface name="fs_relabel_pstore_dirs" lineno="4711">
 <summary>
 Relabel to/from pstore_t directories.
 </summary>
@@ -67259,7 +67427,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_list_pstore_dirs" lineno="4665">
+<interface name="fs_list_pstore_dirs" lineno="4730">
 <summary>
 List the directories
 of a pstore filesystem.
@@ -67270,7 +67438,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_read_pstore_files" lineno="4684">
+<interface name="fs_read_pstore_files" lineno="4749">
 <summary>
 Read pstore_t files
 </summary>
@@ -67280,7 +67448,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_delete_pstore_files" lineno="4703">
+<interface name="fs_delete_pstore_files" lineno="4768">
 <summary>
 Delete the files
 of a pstore filesystem.
@@ -67291,7 +67459,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_associate_ramfs" lineno="4722">
+<interface name="fs_associate_ramfs" lineno="4787">
 <summary>
 Allow the type to associate to ramfs filesystems.
 </summary>
@@ -67301,7 +67469,7 @@ The type of the object to be associated.
 </summary>
 </param>
 </interface>
-<interface name="fs_mount_ramfs" lineno="4740">
+<interface name="fs_mount_ramfs" lineno="4805">
 <summary>
 Mount a RAM filesystem.
 </summary>
@@ -67311,7 +67479,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_remount_ramfs" lineno="4759">
+<interface name="fs_remount_ramfs" lineno="4824">
 <summary>
 Remount a RAM filesystem.  This allows
 some mount options to be changed.
@@ -67322,7 +67490,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_unmount_ramfs" lineno="4777">
+<interface name="fs_unmount_ramfs" lineno="4842">
 <summary>
 Unmount a RAM filesystem.
 </summary>
@@ -67332,7 +67500,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_getattr_ramfs" lineno="4795">
+<interface name="fs_getattr_ramfs" lineno="4860">
 <summary>
 Get the attributes of a RAM filesystem.
 </summary>
@@ -67342,7 +67510,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_search_ramfs" lineno="4813">
+<interface name="fs_search_ramfs" lineno="4878">
 <summary>
 Search directories on a ramfs
 </summary>
@@ -67352,7 +67520,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_dontaudit_search_ramfs" lineno="4831">
+<interface name="fs_dontaudit_search_ramfs" lineno="4896">
 <summary>
 Dontaudit Search directories on a ramfs
 </summary>
@@ -67362,7 +67530,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="fs_setattr_ramfs_dirs" lineno="4850">
+<interface name="fs_setattr_ramfs_dirs" lineno="4915">
 <summary>
 Set the attributes of directories on
 a ramfs.
@@ -67373,7 +67541,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_manage_ramfs_dirs" lineno="4869">
+<interface name="fs_manage_ramfs_dirs" lineno="4934">
 <summary>
 Create, read, write, and delete
 directories on a ramfs.
@@ -67384,7 +67552,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_dontaudit_read_ramfs_files" lineno="4887">
+<interface name="fs_dontaudit_read_ramfs_files" lineno="4952">
 <summary>
 Dontaudit read on a ramfs files.
 </summary>
@@ -67394,7 +67562,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="fs_dontaudit_read_ramfs_pipes" lineno="4905">
+<interface name="fs_dontaudit_read_ramfs_pipes" lineno="4970">
 <summary>
 Dontaudit read on a ramfs fifo_files.
 </summary>
@@ -67404,7 +67572,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="fs_manage_ramfs_files" lineno="4924">
+<interface name="fs_manage_ramfs_files" lineno="4989">
 <summary>
 Create, read, write, and delete
 files on a ramfs filesystem.
@@ -67415,7 +67583,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_write_ramfs_pipes" lineno="4942">
+<interface name="fs_write_ramfs_pipes" lineno="5007">
 <summary>
 Write to named pipe on a ramfs filesystem.
 </summary>
@@ -67425,7 +67593,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_dontaudit_write_ramfs_pipes" lineno="4961">
+<interface name="fs_dontaudit_write_ramfs_pipes" lineno="5026">
 <summary>
 Do not audit attempts to write to named
 pipes on a ramfs filesystem.
@@ -67436,7 +67604,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="fs_rw_ramfs_pipes" lineno="4979">
+<interface name="fs_rw_ramfs_pipes" lineno="5044">
 <summary>
 Read and write a named pipe on a ramfs filesystem.
 </summary>
@@ -67446,7 +67614,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_manage_ramfs_pipes" lineno="4998">
+<interface name="fs_manage_ramfs_pipes" lineno="5063">
 <summary>
 Create, read, write, and delete
 named pipes on a ramfs filesystem.
@@ -67457,7 +67625,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_write_ramfs_sockets" lineno="5016">
+<interface name="fs_write_ramfs_sockets" lineno="5081">
 <summary>
 Write to named socket on a ramfs filesystem.
 </summary>
@@ -67467,7 +67635,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_manage_ramfs_sockets" lineno="5035">
+<interface name="fs_manage_ramfs_sockets" lineno="5100">
 <summary>
 Create, read, write, and delete
 named sockets on a ramfs filesystem.
@@ -67478,7 +67646,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_mount_romfs" lineno="5053">
+<interface name="fs_mount_romfs" lineno="5118">
 <summary>
 Mount a ROM filesystem.
 </summary>
@@ -67488,7 +67656,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_remount_romfs" lineno="5072">
+<interface name="fs_remount_romfs" lineno="5137">
 <summary>
 Remount a ROM filesystem.  This allows
 some mount options to be changed.
@@ -67499,7 +67667,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_unmount_romfs" lineno="5090">
+<interface name="fs_unmount_romfs" lineno="5155">
 <summary>
 Unmount a ROM filesystem.
 </summary>
@@ -67509,7 +67677,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_getattr_romfs" lineno="5109">
+<interface name="fs_getattr_romfs" lineno="5174">
 <summary>
 Get the attributes of a ROM
 filesystem.
@@ -67520,7 +67688,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_mount_rpc_pipefs" lineno="5127">
+<interface name="fs_mount_rpc_pipefs" lineno="5192">
 <summary>
 Mount a RPC pipe filesystem.
 </summary>
@@ -67530,7 +67698,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_remount_rpc_pipefs" lineno="5146">
+<interface name="fs_remount_rpc_pipefs" lineno="5211">
 <summary>
 Remount a RPC pipe filesystem.  This
 allows some mount option to be changed.
@@ -67541,7 +67709,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_unmount_rpc_pipefs" lineno="5164">
+<interface name="fs_unmount_rpc_pipefs" lineno="5229">
 <summary>
 Unmount a RPC pipe filesystem.
 </summary>
@@ -67551,7 +67719,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_getattr_rpc_pipefs" lineno="5183">
+<interface name="fs_getattr_rpc_pipefs" lineno="5248">
 <summary>
 Get the attributes of a RPC pipe
 filesystem.
@@ -67562,7 +67730,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_rw_rpc_named_pipes" lineno="5201">
+<interface name="fs_rw_rpc_named_pipes" lineno="5266">
 <summary>
 Read and write RPC pipe filesystem named pipes.
 </summary>
@@ -67572,7 +67740,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_watch_rpc_pipefs_dirs" lineno="5219">
+<interface name="fs_watch_rpc_pipefs_dirs" lineno="5284">
 <summary>
 Watch RPC pipe filesystem directories.
 </summary>
@@ -67582,7 +67750,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_mount_tmpfs" lineno="5237">
+<interface name="fs_mount_tmpfs" lineno="5302">
 <summary>
 Mount a tmpfs filesystem.
 </summary>
@@ -67592,7 +67760,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_remount_tmpfs" lineno="5255">
+<interface name="fs_remount_tmpfs" lineno="5320">
 <summary>
 Remount a tmpfs filesystem.
 </summary>
@@ -67602,7 +67770,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_unmount_tmpfs" lineno="5273">
+<interface name="fs_unmount_tmpfs" lineno="5338">
 <summary>
 Unmount a tmpfs filesystem.
 </summary>
@@ -67612,7 +67780,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_dontaudit_getattr_tmpfs" lineno="5291">
+<interface name="fs_dontaudit_getattr_tmpfs" lineno="5356">
 <summary>
 Do not audit getting the attributes of a tmpfs filesystem
 </summary>
@@ -67622,7 +67790,7 @@ Domain to not audit
 </summary>
 </param>
 </interface>
-<interface name="fs_getattr_tmpfs" lineno="5311">
+<interface name="fs_getattr_tmpfs" lineno="5376">
 <summary>
 Get the attributes of a tmpfs
 filesystem.
@@ -67634,7 +67802,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="fs_associate_tmpfs" lineno="5329">
+<interface name="fs_associate_tmpfs" lineno="5394">
 <summary>
 Allow the type to associate to tmpfs filesystems.
 </summary>
@@ -67644,7 +67812,7 @@ The type of the object to be associated.
 </summary>
 </param>
 </interface>
-<interface name="fs_relabelfrom_tmpfs" lineno="5347">
+<interface name="fs_relabelfrom_tmpfs" lineno="5412">
 <summary>
 Relabel from tmpfs filesystem.
 </summary>
@@ -67654,7 +67822,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_getattr_tmpfs_dirs" lineno="5365">
+<interface name="fs_getattr_tmpfs_dirs" lineno="5430">
 <summary>
 Get the attributes of tmpfs directories.
 </summary>
@@ -67664,7 +67832,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_dontaudit_getattr_tmpfs_dirs" lineno="5384">
+<interface name="fs_dontaudit_getattr_tmpfs_dirs" lineno="5449">
 <summary>
 Do not audit attempts to get the attributes
 of tmpfs directories.
@@ -67675,7 +67843,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="fs_mounton_tmpfs" lineno="5402">
+<interface name="fs_mounton_tmpfs" lineno="5467">
 <summary>
 Mount on tmpfs directories.
 </summary>
@@ -67685,7 +67853,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_mounton_tmpfs_files" lineno="5420">
+<interface name="fs_mounton_tmpfs_files" lineno="5485">
 <summary>
 Mount on tmpfs files.
 </summary>
@@ -67695,7 +67863,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_setattr_tmpfs_dirs" lineno="5438">
+<interface name="fs_setattr_tmpfs_dirs" lineno="5503">
 <summary>
 Set the attributes of tmpfs directories.
 </summary>
@@ -67705,7 +67873,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_search_tmpfs" lineno="5456">
+<interface name="fs_search_tmpfs" lineno="5521">
 <summary>
 Search tmpfs directories.
 </summary>
@@ -67715,7 +67883,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_list_tmpfs" lineno="5474">
+<interface name="fs_list_tmpfs" lineno="5539">
 <summary>
 List the contents of generic tmpfs directories.
 </summary>
@@ -67725,7 +67893,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_dontaudit_list_tmpfs" lineno="5493">
+<interface name="fs_dontaudit_list_tmpfs" lineno="5558">
 <summary>
 Do not audit attempts to list the
 contents of generic tmpfs directories.
@@ -67736,7 +67904,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="fs_manage_tmpfs_dirs" lineno="5512">
+<interface name="fs_manage_tmpfs_dirs" lineno="5577">
 <summary>
 Create, read, write, and delete
 tmpfs directories
@@ -67747,7 +67915,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_dontaudit_write_tmpfs_dirs" lineno="5531">
+<interface name="fs_dontaudit_write_tmpfs_dirs" lineno="5596">
 <summary>
 Do not audit attempts to write
 tmpfs directories
@@ -67758,7 +67926,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="fs_relabelfrom_tmpfs_dirs" lineno="5549">
+<interface name="fs_relabelfrom_tmpfs_dirs" lineno="5614">
 <summary>
 Relabel from tmpfs_t dir
 </summary>
@@ -67768,7 +67936,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_relabel_tmpfs_dirs" lineno="5567">
+<interface name="fs_relabel_tmpfs_dirs" lineno="5632">
 <summary>
 Relabel directory on tmpfs filesystems.
 </summary>
@@ -67778,7 +67946,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_watch_tmpfs_dirs" lineno="5584">
+<interface name="fs_watch_tmpfs_dirs" lineno="5649">
 <summary>
 Watch directories on tmpfs filesystems.
 </summary>
@@ -67788,7 +67956,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_tmpfs_filetrans" lineno="5618">
+<interface name="fs_tmpfs_filetrans" lineno="5683">
 <summary>
 Create an object in a tmpfs filesystem, with a private
 type using a type transition.
@@ -67814,7 +67982,7 @@ The name of the object being created.
 </summary>
 </param>
 </interface>
-<interface name="fs_dontaudit_getattr_tmpfs_files" lineno="5638">
+<interface name="fs_dontaudit_getattr_tmpfs_files" lineno="5703">
 <summary>
 Do not audit attempts to getattr
 generic tmpfs files.
@@ -67825,7 +67993,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="fs_dontaudit_rw_tmpfs_files" lineno="5657">
+<interface name="fs_dontaudit_rw_tmpfs_files" lineno="5722">
 <summary>
 Do not audit attempts to read or write
 generic tmpfs files.
@@ -67836,7 +68004,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="fs_delete_tmpfs_symlinks" lineno="5675">
+<interface name="fs_delete_tmpfs_symlinks" lineno="5740">
 <summary>
 Delete tmpfs symbolic links.
 </summary>
@@ -67846,7 +68014,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_manage_auto_mountpoints" lineno="5694">
+<interface name="fs_manage_auto_mountpoints" lineno="5759">
 <summary>
 Create, read, write, and delete
 auto moutpoints.
@@ -67857,7 +68025,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_read_tmpfs_files" lineno="5712">
+<interface name="fs_read_tmpfs_files" lineno="5777">
 <summary>
 Read generic tmpfs files.
 </summary>
@@ -67867,7 +68035,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_rw_tmpfs_files" lineno="5730">
+<interface name="fs_rw_tmpfs_files" lineno="5795">
 <summary>
 Read and write generic tmpfs files.
 </summary>
@@ -67877,7 +68045,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_relabel_tmpfs_files" lineno="5748">
+<interface name="fs_relabel_tmpfs_files" lineno="5813">
 <summary>
 Relabel files on tmpfs filesystems.
 </summary>
@@ -67887,7 +68055,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_read_tmpfs_symlinks" lineno="5766">
+<interface name="fs_read_tmpfs_symlinks" lineno="5831">
 <summary>
 Read tmpfs link files.
 </summary>
@@ -67897,7 +68065,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_relabelfrom_tmpfs_sockets" lineno="5784">
+<interface name="fs_relabelfrom_tmpfs_sockets" lineno="5849">
 <summary>
 Relabelfrom socket files on tmpfs filesystems.
 </summary>
@@ -67907,7 +68075,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_relabelfrom_tmpfs_symlinks" lineno="5802">
+<interface name="fs_relabelfrom_tmpfs_symlinks" lineno="5867">
 <summary>
 Relabelfrom tmpfs link files.
 </summary>
@@ -67917,7 +68085,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_rw_tmpfs_chr_files" lineno="5820">
+<interface name="fs_rw_tmpfs_chr_files" lineno="5885">
 <summary>
 Read and write character nodes on tmpfs filesystems.
 </summary>
@@ -67927,7 +68095,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_dontaudit_use_tmpfs_chr_dev" lineno="5839">
+<interface name="fs_dontaudit_use_tmpfs_chr_dev" lineno="5904">
 <summary>
 dontaudit Read and write character nodes on tmpfs filesystems.
 </summary>
@@ -67937,7 +68105,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="fs_relabel_tmpfs_chr_files" lineno="5858">
+<interface name="fs_relabel_tmpfs_chr_files" lineno="5923">
 <summary>
 Relabel character nodes on tmpfs filesystems.
 </summary>
@@ -67947,7 +68115,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_rw_tmpfs_blk_files" lineno="5877">
+<interface name="fs_rw_tmpfs_blk_files" lineno="5942">
 <summary>
 Read and write block nodes on tmpfs filesystems.
 </summary>
@@ -67957,7 +68125,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_relabel_tmpfs_blk_files" lineno="5896">
+<interface name="fs_relabel_tmpfs_blk_files" lineno="5961">
 <summary>
 Relabel block nodes on tmpfs filesystems.
 </summary>
@@ -67967,7 +68135,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_relabel_tmpfs_fifo_files" lineno="5915">
+<interface name="fs_relabel_tmpfs_fifo_files" lineno="5980">
 <summary>
 Relabel named pipes on tmpfs filesystems.
 </summary>
@@ -67977,7 +68145,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_manage_tmpfs_files" lineno="5935">
+<interface name="fs_manage_tmpfs_files" lineno="6000">
 <summary>
 Read and write, create and delete generic
 files on tmpfs filesystems.
@@ -67988,7 +68156,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_manage_tmpfs_symlinks" lineno="5954">
+<interface name="fs_manage_tmpfs_symlinks" lineno="6019">
 <summary>
 Read and write, create and delete symbolic
 links on tmpfs filesystems.
@@ -67999,7 +68167,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_manage_tmpfs_sockets" lineno="5973">
+<interface name="fs_manage_tmpfs_sockets" lineno="6038">
 <summary>
 Read and write, create and delete socket
 files on tmpfs filesystems.
@@ -68010,7 +68178,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_manage_tmpfs_chr_files" lineno="5992">
+<interface name="fs_manage_tmpfs_chr_files" lineno="6057">
 <summary>
 Read and write, create and delete character
 nodes on tmpfs filesystems.
@@ -68021,7 +68189,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_manage_tmpfs_blk_files" lineno="6011">
+<interface name="fs_manage_tmpfs_blk_files" lineno="6076">
 <summary>
 Read and write, create and delete block nodes
 on tmpfs filesystems.
@@ -68032,7 +68200,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_getattr_tracefs" lineno="6029">
+<interface name="fs_getattr_tracefs" lineno="6094">
 <summary>
 Get the attributes of a trace filesystem.
 </summary>
@@ -68042,7 +68210,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_getattr_tracefs_dirs" lineno="6047">
+<interface name="fs_getattr_tracefs_dirs" lineno="6112">
 <summary>
 Get attributes of dirs on tracefs filesystem.
 </summary>
@@ -68052,7 +68220,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_search_tracefs" lineno="6065">
+<interface name="fs_search_tracefs" lineno="6130">
 <summary>
 search directories on a tracefs filesystem
 </summary>
@@ -68062,7 +68230,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_getattr_tracefs_files" lineno="6084">
+<interface name="fs_getattr_tracefs_files" lineno="6149">
 <summary>
 Get the attributes of files
 on a trace filesystem.
@@ -68073,7 +68241,27 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_mount_xenfs" lineno="6102">
+<interface name="fs_rw_tracefs_files" lineno="6167">
+<summary>
+Read/write trace filesystem files
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fs_create_tracefs_dirs" lineno="6186">
+<summary>
+create trace filesystem directories
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fs_mount_xenfs" lineno="6204">
 <summary>
 Mount a XENFS filesystem.
 </summary>
@@ -68083,7 +68271,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_search_xenfs" lineno="6120">
+<interface name="fs_search_xenfs" lineno="6222">
 <summary>
 Search the XENFS filesystem.
 </summary>
@@ -68093,7 +68281,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_manage_xenfs_dirs" lineno="6140">
+<interface name="fs_manage_xenfs_dirs" lineno="6242">
 <summary>
 Create, read, write, and delete directories
 on a XENFS filesystem.
@@ -68105,7 +68293,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="fs_dontaudit_manage_xenfs_dirs" lineno="6160">
+<interface name="fs_dontaudit_manage_xenfs_dirs" lineno="6262">
 <summary>
 Do not audit attempts to create, read,
 write, and delete directories
@@ -68117,7 +68305,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="fs_manage_xenfs_files" lineno="6180">
+<interface name="fs_manage_xenfs_files" lineno="6282">
 <summary>
 Create, read, write, and delete files
 on a XENFS filesystem.
@@ -68129,7 +68317,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="fs_mmap_xenfs_files" lineno="6198">
+<interface name="fs_mmap_xenfs_files" lineno="6300">
 <summary>
 Map files a XENFS filesystem.
 </summary>
@@ -68139,7 +68327,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_dontaudit_manage_xenfs_files" lineno="6218">
+<interface name="fs_dontaudit_manage_xenfs_files" lineno="6320">
 <summary>
 Do not audit attempts to create,
 read, write, and delete files
@@ -68151,7 +68339,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="fs_mount_all_fs" lineno="6236">
+<interface name="fs_mount_all_fs" lineno="6338">
 <summary>
 Mount all filesystems.
 </summary>
@@ -68161,7 +68349,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_remount_all_fs" lineno="6255">
+<interface name="fs_remount_all_fs" lineno="6357">
 <summary>
 Remount all filesystems.  This
 allows some mount options to be changed.
@@ -68172,7 +68360,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_unmount_all_fs" lineno="6273">
+<interface name="fs_unmount_all_fs" lineno="6375">
 <summary>
 Unmount all filesystems.
 </summary>
@@ -68182,7 +68370,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_getattr_all_fs" lineno="6305">
+<interface name="fs_getattr_all_fs" lineno="6407">
 <summary>
 Get the attributes of all filesystems.
 </summary>
@@ -68206,7 +68394,7 @@ Domain allowed access.
 <infoflow type="read" weight="5"/>
 <rolecap/>
 </interface>
-<interface name="fs_dontaudit_getattr_all_fs" lineno="6325">
+<interface name="fs_dontaudit_getattr_all_fs" lineno="6427">
 <summary>
 Do not audit attempts to get the attributes
 all filesystems.
@@ -68217,7 +68405,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="fs_get_all_fs_quotas" lineno="6344">
+<interface name="fs_get_all_fs_quotas" lineno="6446">
 <summary>
 Get the quotas of all filesystems.
 </summary>
@@ -68228,7 +68416,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="fs_set_all_quotas" lineno="6363">
+<interface name="fs_set_all_quotas" lineno="6465">
 <summary>
 Set the quotas of all filesystems.
 </summary>
@@ -68239,7 +68427,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="fs_relabelfrom_all_fs" lineno="6381">
+<interface name="fs_relabelfrom_all_fs" lineno="6483">
 <summary>
 Relabelfrom all filesystems.
 </summary>
@@ -68249,7 +68437,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_getattr_all_dirs" lineno="6400">
+<interface name="fs_getattr_all_dirs" lineno="6502">
 <summary>
 Get the attributes of all directories
 with a filesystem type.
@@ -68260,7 +68448,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_search_all" lineno="6418">
+<interface name="fs_search_all" lineno="6520">
 <summary>
 Search all directories with a filesystem type.
 </summary>
@@ -68270,7 +68458,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_list_all" lineno="6436">
+<interface name="fs_list_all" lineno="6538">
 <summary>
 List all directories with a filesystem type.
 </summary>
@@ -68280,7 +68468,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_getattr_all_files" lineno="6455">
+<interface name="fs_getattr_all_files" lineno="6557">
 <summary>
 Get the attributes of all files with
 a filesystem type.
@@ -68291,7 +68479,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_dontaudit_getattr_all_files" lineno="6474">
+<interface name="fs_dontaudit_getattr_all_files" lineno="6576">
 <summary>
 Do not audit attempts to get the attributes
 of all files with a filesystem type.
@@ -68302,7 +68490,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="fs_getattr_all_symlinks" lineno="6493">
+<interface name="fs_getattr_all_symlinks" lineno="6595">
 <summary>
 Get the attributes of all symbolic links with
 a filesystem type.
@@ -68313,7 +68501,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_dontaudit_getattr_all_symlinks" lineno="6512">
+<interface name="fs_dontaudit_getattr_all_symlinks" lineno="6614">
 <summary>
 Do not audit attempts to get the attributes
 of all symbolic links with a filesystem type.
@@ -68324,7 +68512,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="fs_getattr_all_pipes" lineno="6531">
+<interface name="fs_getattr_all_pipes" lineno="6633">
 <summary>
 Get the attributes of all named pipes with
 a filesystem type.
@@ -68335,7 +68523,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_dontaudit_getattr_all_pipes" lineno="6550">
+<interface name="fs_dontaudit_getattr_all_pipes" lineno="6652">
 <summary>
 Do not audit attempts to get the attributes
 of all named pipes with a filesystem type.
@@ -68346,7 +68534,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="fs_getattr_all_sockets" lineno="6569">
+<interface name="fs_getattr_all_sockets" lineno="6671">
 <summary>
 Get the attributes of all named sockets with
 a filesystem type.
@@ -68357,7 +68545,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_dontaudit_getattr_all_sockets" lineno="6588">
+<interface name="fs_dontaudit_getattr_all_sockets" lineno="6690">
 <summary>
 Do not audit attempts to get the attributes
 of all named sockets with a filesystem type.
@@ -68368,7 +68556,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="fs_getattr_all_blk_files" lineno="6607">
+<interface name="fs_getattr_all_blk_files" lineno="6709">
 <summary>
 Get the attributes of all block device nodes with
 a filesystem type.
@@ -68379,7 +68567,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_getattr_all_chr_files" lineno="6626">
+<interface name="fs_getattr_all_chr_files" lineno="6728">
 <summary>
 Get the attributes of all character device nodes with
 a filesystem type.
@@ -68390,7 +68578,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_unconfined" lineno="6644">
+<interface name="fs_unconfined" lineno="6746">
 <summary>
 Unconfined access to filesystems
 </summary>
@@ -69279,7 +69467,29 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kernel_search_xen_state" lineno="1549">
+<interface name="kernel_read_psi" lineno="1549">
+<summary>
+Allow caller to receive pressure stall information (PSI).
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="kernel_rw_psi" lineno="1570">
+<summary>
+Allow caller to set up pressure stall information (PSI).
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="kernel_search_xen_state" lineno="1594">
 <summary>
 Allow searching of xen state directory.
 </summary>
@@ -69290,7 +69500,7 @@ Domain allowed access.
 </param>
 
 </interface>
-<interface name="kernel_dontaudit_search_xen_state" lineno="1569">
+<interface name="kernel_dontaudit_search_xen_state" lineno="1614">
 <summary>
 Do not audit attempts to search the xen
 state directory.
@@ -69302,7 +69512,7 @@ Domain to not audit.
 </param>
 
 </interface>
-<interface name="kernel_read_xen_state" lineno="1588">
+<interface name="kernel_read_xen_state" lineno="1633">
 <summary>
 Allow caller to read the xen state information.
 </summary>
@@ -69313,7 +69523,7 @@ Domain allowed access.
 </param>
 
 </interface>
-<interface name="kernel_read_xen_state_symlinks" lineno="1610">
+<interface name="kernel_read_xen_state_symlinks" lineno="1655">
 <summary>
 Allow caller to read the xen state symbolic links.
 </summary>
@@ -69324,7 +69534,7 @@ Domain allowed access.
 </param>
 
 </interface>
-<interface name="kernel_write_xen_state" lineno="1631">
+<interface name="kernel_write_xen_state" lineno="1676">
 <summary>
 Allow caller to write xen state information.
 </summary>
@@ -69335,7 +69545,7 @@ Domain allowed access.
 </param>
 
 </interface>
-<interface name="kernel_list_all_proc" lineno="1649">
+<interface name="kernel_list_all_proc" lineno="1694">
 <summary>
 Allow attempts to list all proc directories.
 </summary>
@@ -69345,7 +69555,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kernel_dontaudit_list_all_proc" lineno="1668">
+<interface name="kernel_dontaudit_list_all_proc" lineno="1713">
 <summary>
 Do not audit attempts to list all proc directories.
 </summary>
@@ -69355,7 +69565,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="kernel_write_non_proc_init_mountpoint_files" lineno="1687">
+<interface name="kernel_write_non_proc_init_mountpoint_files" lineno="1732">
 <summary>
 Write systemd mountpoint files except proc entries.
 </summary>
@@ -69365,7 +69575,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kernel_create_non_proc_init_mountpoint_files" lineno="1705">
+<interface name="kernel_create_non_proc_init_mountpoint_files" lineno="1750">
 <summary>
 Create systemd mountpoint files except proc entries.
 </summary>
@@ -69375,7 +69585,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kernel_dontaudit_search_sysctl" lineno="1725">
+<interface name="kernel_dontaudit_search_sysctl" lineno="1770">
 <summary>
 Do not audit attempts by caller to search
 the base directory of sysctls.
@@ -69387,7 +69597,7 @@ Domain to not audit.
 </param>
 
 </interface>
-<interface name="kernel_mounton_sysctl_dirs" lineno="1744">
+<interface name="kernel_mounton_sysctl_dirs" lineno="1789">
 <summary>
 Mount on sysctl_t dirs.
 </summary>
@@ -69398,7 +69608,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="kernel_read_sysctl" lineno="1764">
+<interface name="kernel_read_sysctl" lineno="1809">
 <summary>
 Allow access to read sysctl directories.
 </summary>
@@ -69409,7 +69619,7 @@ Domain allowed access.
 </param>
 
 </interface>
-<interface name="kernel_mounton_sysctl_files" lineno="1784">
+<interface name="kernel_mounton_sysctl_files" lineno="1829">
 <summary>
 Mount on sysctl files.
 </summary>
@@ -69420,7 +69630,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="kernel_read_device_sysctls" lineno="1804">
+<interface name="kernel_read_device_sysctls" lineno="1849">
 <summary>
 Allow caller to read the device sysctls.
 </summary>
@@ -69431,7 +69641,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="kernel_rw_device_sysctls" lineno="1825">
+<interface name="kernel_rw_device_sysctls" lineno="1870">
 <summary>
 Read and write device sysctls.
 </summary>
@@ -69442,7 +69652,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="kernel_search_vm_sysctl" lineno="1845">
+<interface name="kernel_search_vm_sysctl" lineno="1890">
 <summary>
 Allow caller to search virtual memory sysctls.
 </summary>
@@ -69452,7 +69662,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kernel_read_vm_sysctls" lineno="1864">
+<interface name="kernel_read_vm_sysctls" lineno="1909">
 <summary>
 Allow caller to read virtual memory sysctls.
 </summary>
@@ -69463,7 +69673,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="kernel_rw_vm_sysctls" lineno="1885">
+<interface name="kernel_rw_vm_sysctls" lineno="1930">
 <summary>
 Read and write virtual memory sysctls.
 </summary>
@@ -69474,7 +69684,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="kernel_search_network_sysctl" lineno="1907">
+<interface name="kernel_search_network_sysctl" lineno="1952">
 <summary>
 Search network sysctl directories.
 </summary>
@@ -69484,7 +69694,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kernel_dontaudit_search_network_sysctl" lineno="1925">
+<interface name="kernel_dontaudit_search_network_sysctl" lineno="1970">
 <summary>
 Do not audit attempts by caller to search network sysctl directories.
 </summary>
@@ -69494,7 +69704,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="kernel_read_net_sysctls" lineno="1944">
+<interface name="kernel_read_net_sysctls" lineno="1989">
 <summary>
 Allow caller to read network sysctls.
 </summary>
@@ -69505,7 +69715,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="kernel_rw_net_sysctls" lineno="1965">
+<interface name="kernel_rw_net_sysctls" lineno="2010">
 <summary>
 Allow caller to modiry contents of sysctl network files.
 </summary>
@@ -69516,7 +69726,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="kernel_read_unix_sysctls" lineno="1987">
+<interface name="kernel_read_unix_sysctls" lineno="2032">
 <summary>
 Allow caller to read unix domain
 socket sysctls.
@@ -69528,7 +69738,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="kernel_rw_unix_sysctls" lineno="2009">
+<interface name="kernel_rw_unix_sysctls" lineno="2054">
 <summary>
 Read and write unix domain
 socket sysctls.
@@ -69540,7 +69750,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="kernel_read_hotplug_sysctls" lineno="2030">
+<interface name="kernel_read_hotplug_sysctls" lineno="2075">
 <summary>
 Read the hotplug sysctl.
 </summary>
@@ -69551,7 +69761,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="kernel_rw_hotplug_sysctls" lineno="2051">
+<interface name="kernel_rw_hotplug_sysctls" lineno="2096">
 <summary>
 Read and write the hotplug sysctl.
 </summary>
@@ -69562,7 +69772,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="kernel_read_modprobe_sysctls" lineno="2072">
+<interface name="kernel_read_modprobe_sysctls" lineno="2117">
 <summary>
 Read the modprobe sysctl.
 </summary>
@@ -69573,7 +69783,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="kernel_rw_modprobe_sysctls" lineno="2093">
+<interface name="kernel_rw_modprobe_sysctls" lineno="2138">
 <summary>
 Read and write the modprobe sysctl.
 </summary>
@@ -69584,7 +69794,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="kernel_dontaudit_search_kernel_sysctl" lineno="2113">
+<interface name="kernel_dontaudit_search_kernel_sysctl" lineno="2158">
 <summary>
 Do not audit attempts to search generic kernel sysctls.
 </summary>
@@ -69594,7 +69804,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="kernel_dontaudit_read_kernel_sysctl" lineno="2131">
+<interface name="kernel_dontaudit_read_kernel_sysctl" lineno="2176">
 <summary>
 Do not audit attempted reading of kernel sysctls
 </summary>
@@ -69604,7 +69814,7 @@ Domain to not audit accesses from
 </summary>
 </param>
 </interface>
-<interface name="kernel_read_crypto_sysctls" lineno="2149">
+<interface name="kernel_read_crypto_sysctls" lineno="2194">
 <summary>
 Read generic crypto sysctls.
 </summary>
@@ -69614,7 +69824,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kernel_read_kernel_sysctls" lineno="2190">
+<interface name="kernel_read_kernel_sysctls" lineno="2235">
 <summary>
 Read general kernel sysctls.
 </summary>
@@ -69646,7 +69856,7 @@ Domain allowed access.
 </param>
 <infoflow type="read" weight="10"/>
 </interface>
-<interface name="kernel_dontaudit_write_kernel_sysctl" lineno="2210">
+<interface name="kernel_dontaudit_write_kernel_sysctl" lineno="2255">
 <summary>
 Do not audit attempts to write generic kernel sysctls.
 </summary>
@@ -69656,7 +69866,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="kernel_rw_kernel_sysctl" lineno="2229">
+<interface name="kernel_rw_kernel_sysctl" lineno="2274">
 <summary>
 Read and write generic kernel sysctls.
 </summary>
@@ -69667,7 +69877,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="kernel_mounton_kernel_sysctl_files" lineno="2250">
+<interface name="kernel_mounton_kernel_sysctl_files" lineno="2295">
 <summary>
 Mount on kernel sysctl files.
 </summary>
@@ -69678,7 +69888,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="kernel_read_kernel_ns_lastpid_sysctls" lineno="2270">
+<interface name="kernel_read_kernel_ns_lastpid_sysctls" lineno="2315">
 <summary>
 Read kernel ns lastpid sysctls.
 </summary>
@@ -69689,7 +69899,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="kernel_dontaudit_write_kernel_ns_lastpid_sysctl" lineno="2290">
+<interface name="kernel_dontaudit_write_kernel_ns_lastpid_sysctl" lineno="2335">
 <summary>
 Do not audit attempts to write kernel ns lastpid sysctls.
 </summary>
@@ -69699,7 +69909,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="kernel_rw_kernel_ns_lastpid_sysctl" lineno="2309">
+<interface name="kernel_rw_kernel_ns_lastpid_sysctl" lineno="2354">
 <summary>
 Read and write kernel ns lastpid sysctls.
 </summary>
@@ -69710,7 +69920,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="kernel_search_fs_sysctls" lineno="2330">
+<interface name="kernel_search_fs_sysctls" lineno="2375">
 <summary>
 Search filesystem sysctl directories.
 </summary>
@@ -69721,7 +69931,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="kernel_read_fs_sysctls" lineno="2349">
+<interface name="kernel_read_fs_sysctls" lineno="2394">
 <summary>
 Read filesystem sysctls.
 </summary>
@@ -69732,7 +69942,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="kernel_rw_fs_sysctls" lineno="2370">
+<interface name="kernel_rw_fs_sysctls" lineno="2415">
 <summary>
 Read and write filesystem sysctls.
 </summary>
@@ -69743,7 +69953,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="kernel_read_irq_sysctls" lineno="2391">
+<interface name="kernel_read_irq_sysctls" lineno="2436">
 <summary>
 Read IRQ sysctls.
 </summary>
@@ -69754,7 +69964,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="kernel_dontaudit_search_fs_sysctls" lineno="2413">
+<interface name="kernel_dontaudit_search_fs_sysctls" lineno="2458">
 <summary>
 Do not audit attempts to search
 filesystem sysctl directories.
@@ -69766,7 +69976,7 @@ Domain to not audit.
 </param>
 <rolecap/>
 </interface>
-<interface name="kernel_rw_irq_sysctls" lineno="2432">
+<interface name="kernel_rw_irq_sysctls" lineno="2477">
 <summary>
 Read and write IRQ sysctls.
 </summary>
@@ -69777,7 +69987,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="kernel_read_rpc_sysctls" lineno="2453">
+<interface name="kernel_read_rpc_sysctls" lineno="2498">
 <summary>
 Read RPC sysctls.
 </summary>
@@ -69788,7 +69998,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="kernel_rw_rpc_sysctls" lineno="2474">
+<interface name="kernel_rw_rpc_sysctls" lineno="2519">
 <summary>
 Read and write RPC sysctls.
 </summary>
@@ -69799,7 +70009,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="kernel_dontaudit_list_all_sysctls" lineno="2494">
+<interface name="kernel_dontaudit_list_all_sysctls" lineno="2539">
 <summary>
 Do not audit attempts to list all sysctl directories.
 </summary>
@@ -69809,7 +70019,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="kernel_read_all_sysctls" lineno="2514">
+<interface name="kernel_read_all_sysctls" lineno="2559">
 <summary>
 Allow caller to read all sysctls.
 </summary>
@@ -69820,7 +70030,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="kernel_rw_all_sysctls" lineno="2537">
+<interface name="kernel_rw_all_sysctls" lineno="2582">
 <summary>
 Read and write all sysctls.
 </summary>
@@ -69831,7 +70041,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="kernel_associate_proc" lineno="2562">
+<interface name="kernel_associate_proc" lineno="2607">
 <summary>
 Associate a file to proc_t (/proc)
 </summary>
@@ -69842,7 +70052,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="kernel_kill_unlabeled" lineno="2579">
+<interface name="kernel_kill_unlabeled" lineno="2624">
 <summary>
 Send a kill signal to unlabeled processes.
 </summary>
@@ -69852,7 +70062,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kernel_mount_unlabeled" lineno="2597">
+<interface name="kernel_mount_unlabeled" lineno="2642">
 <summary>
 Mount a kernel unlabeled filesystem.
 </summary>
@@ -69862,7 +70072,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kernel_unmount_unlabeled" lineno="2615">
+<interface name="kernel_unmount_unlabeled" lineno="2660">
 <summary>
 Unmount a kernel unlabeled filesystem.
 </summary>
@@ -69872,7 +70082,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kernel_signal_unlabeled" lineno="2633">
+<interface name="kernel_signal_unlabeled" lineno="2678">
 <summary>
 Send general signals to unlabeled processes.
 </summary>
@@ -69882,7 +70092,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kernel_signull_unlabeled" lineno="2651">
+<interface name="kernel_signull_unlabeled" lineno="2696">
 <summary>
 Send a null signal to unlabeled processes.
 </summary>
@@ -69892,7 +70102,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kernel_sigstop_unlabeled" lineno="2669">
+<interface name="kernel_sigstop_unlabeled" lineno="2714">
 <summary>
 Send a stop signal to unlabeled processes.
 </summary>
@@ -69902,7 +70112,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kernel_sigchld_unlabeled" lineno="2687">
+<interface name="kernel_sigchld_unlabeled" lineno="2732">
 <summary>
 Send a child terminated signal to unlabeled processes.
 </summary>
@@ -69912,7 +70122,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kernel_getattr_unlabeled_dirs" lineno="2705">
+<interface name="kernel_getattr_unlabeled_dirs" lineno="2750">
 <summary>
 Get the attributes of unlabeled directories.
 </summary>
@@ -69922,7 +70132,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kernel_dontaudit_search_unlabeled" lineno="2723">
+<interface name="kernel_dontaudit_search_unlabeled" lineno="2768">
 <summary>
 Do not audit attempts to search unlabeled directories.
 </summary>
@@ -69932,7 +70142,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="kernel_list_unlabeled" lineno="2741">
+<interface name="kernel_list_unlabeled" lineno="2786">
 <summary>
 List unlabeled directories.
 </summary>
@@ -69942,7 +70152,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kernel_read_unlabeled_state" lineno="2759">
+<interface name="kernel_read_unlabeled_state" lineno="2804">
 <summary>
 Read the process state (/proc/pid) of all unlabeled_t.
 </summary>
@@ -69952,7 +70162,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kernel_dontaudit_list_unlabeled" lineno="2779">
+<interface name="kernel_dontaudit_list_unlabeled" lineno="2824">
 <summary>
 Do not audit attempts to list unlabeled directories.
 </summary>
@@ -69962,7 +70172,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kernel_rw_unlabeled_dirs" lineno="2797">
+<interface name="kernel_rw_unlabeled_dirs" lineno="2842">
 <summary>
 Read and write unlabeled directories.
 </summary>
@@ -69972,7 +70182,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kernel_delete_unlabeled_dirs" lineno="2815">
+<interface name="kernel_delete_unlabeled_dirs" lineno="2860">
 <summary>
 Delete unlabeled directories.
 </summary>
@@ -69982,7 +70192,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kernel_manage_unlabeled_dirs" lineno="2833">
+<interface name="kernel_manage_unlabeled_dirs" lineno="2878">
 <summary>
 Create, read, write, and delete unlabeled directories.
 </summary>
@@ -69992,7 +70202,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kernel_mounton_unlabeled_dirs" lineno="2851">
+<interface name="kernel_mounton_unlabeled_dirs" lineno="2896">
 <summary>
 Mount a filesystem on an unlabeled directory.
 </summary>
@@ -70002,7 +70212,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kernel_read_unlabeled_files" lineno="2869">
+<interface name="kernel_read_unlabeled_files" lineno="2914">
 <summary>
 Read unlabeled files.
 </summary>
@@ -70012,7 +70222,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kernel_rw_unlabeled_files" lineno="2887">
+<interface name="kernel_rw_unlabeled_files" lineno="2932">
 <summary>
 Read and write unlabeled files.
 </summary>
@@ -70022,7 +70232,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kernel_delete_unlabeled_files" lineno="2905">
+<interface name="kernel_delete_unlabeled_files" lineno="2950">
 <summary>
 Delete unlabeled files.
 </summary>
@@ -70032,7 +70242,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kernel_manage_unlabeled_files" lineno="2923">
+<interface name="kernel_manage_unlabeled_files" lineno="2968">
 <summary>
 Create, read, write, and delete unlabeled files.
 </summary>
@@ -70042,7 +70252,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kernel_dontaudit_getattr_unlabeled_files" lineno="2942">
+<interface name="kernel_dontaudit_getattr_unlabeled_files" lineno="2987">
 <summary>
 Do not audit attempts by caller to get the
 attributes of an unlabeled file.
@@ -70053,7 +70263,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="kernel_dontaudit_read_unlabeled_files" lineno="2961">
+<interface name="kernel_dontaudit_read_unlabeled_files" lineno="3006">
 <summary>
 Do not audit attempts by caller to
 read an unlabeled file.
@@ -70064,7 +70274,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="kernel_unlabeled_filetrans" lineno="2995">
+<interface name="kernel_unlabeled_filetrans" lineno="3040">
 <summary>
 Create an object in unlabeled directories
 with a private type.
@@ -70090,7 +70300,7 @@ The name of the object being created.
 </summary>
 </param>
 </interface>
-<interface name="kernel_delete_unlabeled_symlinks" lineno="3013">
+<interface name="kernel_delete_unlabeled_symlinks" lineno="3058">
 <summary>
 Delete unlabeled symbolic links.
 </summary>
@@ -70100,7 +70310,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kernel_manage_unlabeled_symlinks" lineno="3031">
+<interface name="kernel_manage_unlabeled_symlinks" lineno="3076">
 <summary>
 Create, read, write, and delete unlabeled symbolic links.
 </summary>
@@ -70110,7 +70320,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kernel_dontaudit_getattr_unlabeled_symlinks" lineno="3050">
+<interface name="kernel_dontaudit_getattr_unlabeled_symlinks" lineno="3095">
 <summary>
 Do not audit attempts by caller to get the
 attributes of unlabeled symbolic links.
@@ -70121,7 +70331,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="kernel_dontaudit_getattr_unlabeled_pipes" lineno="3069">
+<interface name="kernel_dontaudit_getattr_unlabeled_pipes" lineno="3114">
 <summary>
 Do not audit attempts by caller to get the
 attributes of unlabeled named pipes.
@@ -70132,7 +70342,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="kernel_dontaudit_getattr_unlabeled_sockets" lineno="3088">
+<interface name="kernel_dontaudit_getattr_unlabeled_sockets" lineno="3133">
 <summary>
 Do not audit attempts by caller to get the
 attributes of unlabeled named sockets.
@@ -70143,7 +70353,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="kernel_dontaudit_getattr_unlabeled_blk_files" lineno="3107">
+<interface name="kernel_dontaudit_getattr_unlabeled_blk_files" lineno="3152">
 <summary>
 Do not audit attempts by caller to get attributes for
 unlabeled block devices.
@@ -70154,7 +70364,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="kernel_rw_unlabeled_blk_files" lineno="3125">
+<interface name="kernel_rw_unlabeled_blk_files" lineno="3170">
 <summary>
 Read and write unlabeled block device nodes.
 </summary>
@@ -70164,7 +70374,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kernel_delete_unlabeled_blk_files" lineno="3143">
+<interface name="kernel_delete_unlabeled_blk_files" lineno="3188">
 <summary>
 Delete unlabeled block device nodes.
 </summary>
@@ -70174,7 +70384,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kernel_manage_unlabeled_blk_files" lineno="3161">
+<interface name="kernel_manage_unlabeled_blk_files" lineno="3206">
 <summary>
 Create, read, write, and delete unlabeled block device nodes.
 </summary>
@@ -70184,7 +70394,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kernel_dontaudit_getattr_unlabeled_chr_files" lineno="3180">
+<interface name="kernel_dontaudit_getattr_unlabeled_chr_files" lineno="3225">
 <summary>
 Do not audit attempts by caller to get attributes for
 unlabeled character devices.
@@ -70195,7 +70405,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="kernel_dontaudit_write_unlabeled_chr_files" lineno="3199">
+<interface name="kernel_dontaudit_write_unlabeled_chr_files" lineno="3244">
 <summary>
 Do not audit attempts to
 write unlabeled character devices.
@@ -70206,7 +70416,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="kernel_delete_unlabeled_chr_files" lineno="3217">
+<interface name="kernel_delete_unlabeled_chr_files" lineno="3262">
 <summary>
 Delete unlabeled character device nodes.
 </summary>
@@ -70216,7 +70426,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kernel_manage_unlabeled_chr_files" lineno="3236">
+<interface name="kernel_manage_unlabeled_chr_files" lineno="3281">
 <summary>
 Create, read, write, and delete unlabeled character device nodes.
 </summary>
@@ -70226,7 +70436,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kernel_relabelfrom_unlabeled_dirs" lineno="3254">
+<interface name="kernel_relabelfrom_unlabeled_dirs" lineno="3299">
 <summary>
 Allow caller to relabel unlabeled directories.
 </summary>
@@ -70236,7 +70446,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kernel_relabelfrom_unlabeled_files" lineno="3272">
+<interface name="kernel_relabelfrom_unlabeled_files" lineno="3317">
 <summary>
 Allow caller to relabel unlabeled files.
 </summary>
@@ -70246,7 +70456,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kernel_relabelfrom_unlabeled_symlinks" lineno="3291">
+<interface name="kernel_relabelfrom_unlabeled_symlinks" lineno="3336">
 <summary>
 Allow caller to relabel unlabeled symbolic links.
 </summary>
@@ -70256,7 +70466,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kernel_relabelfrom_unlabeled_pipes" lineno="3310">
+<interface name="kernel_relabelfrom_unlabeled_pipes" lineno="3355">
 <summary>
 Allow caller to relabel unlabeled named pipes.
 </summary>
@@ -70266,7 +70476,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kernel_delete_unlabeled_pipes" lineno="3329">
+<interface name="kernel_delete_unlabeled_pipes" lineno="3374">
 <summary>
 Delete unlabeled named pipes
 </summary>
@@ -70276,7 +70486,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kernel_relabelfrom_unlabeled_sockets" lineno="3347">
+<interface name="kernel_relabelfrom_unlabeled_sockets" lineno="3392">
 <summary>
 Allow caller to relabel unlabeled named sockets.
 </summary>
@@ -70286,7 +70496,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kernel_delete_unlabeled_sockets" lineno="3366">
+<interface name="kernel_delete_unlabeled_sockets" lineno="3411">
 <summary>
 Delete unlabeled named sockets.
 </summary>
@@ -70296,7 +70506,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kernel_relabelfrom_unlabeled_blk_devs" lineno="3384">
+<interface name="kernel_relabelfrom_unlabeled_blk_devs" lineno="3429">
 <summary>
 Allow caller to relabel from unlabeled block devices.
 </summary>
@@ -70306,7 +70516,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kernel_relabelfrom_unlabeled_chr_devs" lineno="3402">
+<interface name="kernel_relabelfrom_unlabeled_chr_devs" lineno="3447">
 <summary>
 Allow caller to relabel from unlabeled character devices.
 </summary>
@@ -70316,7 +70526,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kernel_sendrecv_unlabeled_association" lineno="3435">
+<interface name="kernel_sendrecv_unlabeled_association" lineno="3480">
 <summary>
 Send and receive messages from an
 unlabeled IPSEC association.
@@ -70341,7 +70551,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kernel_dontaudit_sendrecv_unlabeled_association" lineno="3468">
+<interface name="kernel_dontaudit_sendrecv_unlabeled_association" lineno="3513">
 <summary>
 Do not audit attempts to send and receive messages
 from an	unlabeled IPSEC association.
@@ -70366,7 +70576,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="kernel_tcp_recvfrom_unlabeled" lineno="3495">
+<interface name="kernel_tcp_recvfrom_unlabeled" lineno="3540">
 <summary>
 Receive TCP packets from an unlabeled connection.
 </summary>
@@ -70385,7 +70595,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kernel_dontaudit_tcp_recvfrom_unlabeled" lineno="3524">
+<interface name="kernel_dontaudit_tcp_recvfrom_unlabeled" lineno="3569">
 <summary>
 Do not audit attempts to receive TCP packets from an unlabeled
 connection.
@@ -70406,7 +70616,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="kernel_udp_recvfrom_unlabeled" lineno="3551">
+<interface name="kernel_udp_recvfrom_unlabeled" lineno="3596">
 <summary>
 Receive UDP packets from an unlabeled connection.
 </summary>
@@ -70425,7 +70635,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kernel_dontaudit_udp_recvfrom_unlabeled" lineno="3580">
+<interface name="kernel_dontaudit_udp_recvfrom_unlabeled" lineno="3625">
 <summary>
 Do not audit attempts to receive UDP packets from an unlabeled
 connection.
@@ -70446,7 +70656,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="kernel_raw_recvfrom_unlabeled" lineno="3607">
+<interface name="kernel_raw_recvfrom_unlabeled" lineno="3652">
 <summary>
 Receive Raw IP packets from an unlabeled connection.
 </summary>
@@ -70465,7 +70675,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kernel_dontaudit_raw_recvfrom_unlabeled" lineno="3636">
+<interface name="kernel_dontaudit_raw_recvfrom_unlabeled" lineno="3681">
 <summary>
 Do not audit attempts to receive Raw IP packets from an unlabeled
 connection.
@@ -70486,7 +70696,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="kernel_sendrecv_unlabeled_packets" lineno="3666">
+<interface name="kernel_sendrecv_unlabeled_packets" lineno="3711">
 <summary>
 Send and receive unlabeled packets.
 </summary>
@@ -70508,7 +70718,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kernel_recvfrom_unlabeled_peer" lineno="3694">
+<interface name="kernel_recvfrom_unlabeled_peer" lineno="3739">
 <summary>
 Receive packets from an unlabeled peer.
 </summary>
@@ -70528,7 +70738,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kernel_dontaudit_recvfrom_unlabeled_peer" lineno="3722">
+<interface name="kernel_dontaudit_recvfrom_unlabeled_peer" lineno="3767">
 <summary>
 Do not audit attempts to receive packets from an unlabeled peer.
 </summary>
@@ -70548,7 +70758,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="kernel_relabelfrom_unlabeled_database" lineno="3740">
+<interface name="kernel_relabelfrom_unlabeled_database" lineno="3785">
 <summary>
 Relabel from unlabeled database objects.
 </summary>
@@ -70558,7 +70768,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kernel_unconfined" lineno="3777">
+<interface name="kernel_unconfined" lineno="3822">
 <summary>
 Unconfined access to kernel module resources.
 </summary>
@@ -70568,7 +70778,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kernel_read_vm_overcommit_sysctl" lineno="3797">
+<interface name="kernel_read_vm_overcommit_sysctl" lineno="3842">
 <summary>
 Read virtual memory overcommit sysctl.
 </summary>
@@ -70579,7 +70789,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="kernel_rw_vm_overcommit_sysctl" lineno="3817">
+<interface name="kernel_rw_vm_overcommit_sysctl" lineno="3862">
 <summary>
 Read and write virtual memory overcommit sysctl.
 </summary>
@@ -70590,7 +70800,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="kernel_ib_access_unlabeled_pkeys" lineno="3836">
+<interface name="kernel_ib_access_unlabeled_pkeys" lineno="3881">
 <summary>
 Access unlabeled infiniband pkeys.
 </summary>
@@ -70600,7 +70810,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kernel_ib_manage_subnet_unlabeled_endports" lineno="3854">
+<interface name="kernel_ib_manage_subnet_unlabeled_endports" lineno="3899">
 <summary>
 Manage subnet on unlabeled Infiniband endports.
 </summary>
@@ -71885,7 +72095,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="storage_dev_filetrans_fixed_disk" lineno="305">
+<interface name="storage_dev_filetrans_fixed_disk" lineno="310">
 <summary>
 Create block devices in /dev with the fixed disk type
 via an automatic type transition.
@@ -71895,13 +72105,18 @@ via an automatic type transition.
 Domain allowed access.
 </summary>
 </param>
+<param name="object_class">
+<summary>
+The class of the object to be created.
+</summary>
+</param>
 <param name="filename" optional="true">
 <summary>
 Optional filename of the block device to be created
 </summary>
 </param>
 </interface>
-<interface name="storage_tmpfs_filetrans_fixed_disk" lineno="324">
+<interface name="storage_tmpfs_filetrans_fixed_disk" lineno="329">
 <summary>
 Create block devices in on a tmpfs filesystem with the
 fixed disk type via an automatic type transition.
@@ -71912,7 +72127,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="storage_relabel_fixed_disk" lineno="342">
+<interface name="storage_relabel_fixed_disk" lineno="347">
 <summary>
 Relabel fixed disk device nodes.
 </summary>
@@ -71922,7 +72137,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="storage_swapon_fixed_disk" lineno="361">
+<interface name="storage_swapon_fixed_disk" lineno="366">
 <summary>
 Enable a fixed disk device as swap space
 </summary>
@@ -71932,7 +72147,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="storage_watch_fixed_disk" lineno="380">
+<interface name="storage_watch_fixed_disk" lineno="385">
 <summary>
 Watch fixed disk device nodes.
 </summary>
@@ -71942,7 +72157,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="storage_getattr_fuse_dev" lineno="401">
+<interface name="storage_getattr_fuse_dev" lineno="406">
 <summary>
 Allow the caller to get the attributes
 of device nodes of fuse devices.
@@ -71953,7 +72168,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="storage_rw_fuse" lineno="420">
+<interface name="storage_rw_fuse" lineno="425">
 <summary>
 read or write fuse device interfaces.
 </summary>
@@ -71963,7 +72178,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="storage_dontaudit_rw_fuse" lineno="439">
+<interface name="storage_dontaudit_rw_fuse" lineno="444">
 <summary>
 Do not audit attempts to read or write
 fuse device interfaces.
@@ -71974,7 +72189,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="storage_getattr_scsi_generic_dev" lineno="458">
+<interface name="storage_getattr_scsi_generic_dev" lineno="463">
 <summary>
 Allow the caller to get the attributes of
 the generic SCSI interface device nodes.
@@ -71985,7 +72200,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="storage_setattr_scsi_generic_dev" lineno="478">
+<interface name="storage_setattr_scsi_generic_dev" lineno="483">
 <summary>
 Allow the caller to set the attributes of
 the generic SCSI interface device nodes.
@@ -71996,7 +72211,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="storage_read_scsi_generic" lineno="501">
+<interface name="storage_read_scsi_generic" lineno="506">
 <summary>
 Allow the caller to directly read, in a
 generic fashion, from any SCSI device.
@@ -72010,7 +72225,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="storage_write_scsi_generic" lineno="526">
+<interface name="storage_write_scsi_generic" lineno="531">
 <summary>
 Allow the caller to directly write, in a
 generic fashion, from any SCSI device.
@@ -72024,7 +72239,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="storage_setattr_scsi_generic_dev_dev" lineno="548">
+<interface name="storage_setattr_scsi_generic_dev_dev" lineno="553">
 <summary>
 Set attributes of the device nodes
 for the SCSI generic interface.
@@ -72035,7 +72250,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="storage_dontaudit_rw_scsi_generic" lineno="568">
+<interface name="storage_dontaudit_rw_scsi_generic" lineno="573">
 <summary>
 Do not audit attempts to read or write
 SCSI generic device interfaces.
@@ -72046,7 +72261,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="storage_getattr_removable_dev" lineno="587">
+<interface name="storage_getattr_removable_dev" lineno="592">
 <summary>
 Allow the caller to get the attributes of removable
 devices device nodes.
@@ -72057,7 +72272,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="storage_dontaudit_getattr_removable_dev" lineno="607">
+<interface name="storage_dontaudit_getattr_removable_dev" lineno="612">
 <summary>
 Do not audit attempts made by the caller to get
 the attributes of removable devices device nodes.
@@ -72068,7 +72283,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="storage_dontaudit_read_removable_device" lineno="626">
+<interface name="storage_dontaudit_read_removable_device" lineno="631">
 <summary>
 Do not audit attempts made by the caller to read
 removable devices device nodes.
@@ -72079,7 +72294,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="storage_dontaudit_write_removable_device" lineno="646">
+<interface name="storage_dontaudit_write_removable_device" lineno="651">
 <summary>
 Do not audit attempts made by the caller to write
 removable devices device nodes.
@@ -72090,7 +72305,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="storage_setattr_removable_dev" lineno="665">
+<interface name="storage_setattr_removable_dev" lineno="670">
 <summary>
 Allow the caller to set the attributes of removable
 devices device nodes.
@@ -72101,7 +72316,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="storage_dontaudit_setattr_removable_dev" lineno="685">
+<interface name="storage_dontaudit_setattr_removable_dev" lineno="690">
 <summary>
 Do not audit attempts made by the caller to set
 the attributes of removable devices device nodes.
@@ -72112,7 +72327,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="storage_raw_read_removable_device" lineno="707">
+<interface name="storage_raw_read_removable_device" lineno="712">
 <summary>
 Allow the caller to directly read from
 a removable device.
@@ -72126,7 +72341,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="storage_dontaudit_raw_read_removable_device" lineno="726">
+<interface name="storage_dontaudit_raw_read_removable_device" lineno="731">
 <summary>
 Do not audit attempts to directly read removable devices.
 </summary>
@@ -72136,7 +72351,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="storage_raw_write_removable_device" lineno="748">
+<interface name="storage_raw_write_removable_device" lineno="753">
 <summary>
 Allow the caller to directly write to
 a removable device.
@@ -72150,7 +72365,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="storage_dontaudit_raw_write_removable_device" lineno="767">
+<interface name="storage_dontaudit_raw_write_removable_device" lineno="772">
 <summary>
 Do not audit attempts to directly write removable devices.
 </summary>
@@ -72160,7 +72375,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="storage_read_tape" lineno="786">
+<interface name="storage_read_tape" lineno="791">
 <summary>
 Allow the caller to directly read
 a tape device.
@@ -72171,7 +72386,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="storage_write_tape" lineno="806">
+<interface name="storage_write_tape" lineno="811">
 <summary>
 Allow the caller to directly write
 a tape device.
@@ -72182,7 +72397,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="storage_getattr_tape_dev" lineno="826">
+<interface name="storage_getattr_tape_dev" lineno="831">
 <summary>
 Allow the caller to get the attributes
 of device nodes of tape devices.
@@ -72193,7 +72408,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="storage_setattr_tape_dev" lineno="846">
+<interface name="storage_setattr_tape_dev" lineno="851">
 <summary>
 Allow the caller to set the attributes
 of device nodes of tape devices.
@@ -72204,7 +72419,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="storage_unconfined" lineno="865">
+<interface name="storage_unconfined" lineno="870">
 <summary>
 Unconfined access to storage devices.
 </summary>
@@ -78959,6 +79174,15 @@ Allow containers to use eCryptfs filesystems.
 </p>
 </desc>
 </tunable>
+<tunable name="container_use_host_all_caps" dftval="false">
+<desc>
+<p>
+Allow containers to use all capabilities in a
+non-namespaced context for various privileged operations
+directly on the host.
+</p>
+</desc>
+</tunable>
 <tunable name="container_use_hugetlbfs" dftval="false">
 <desc>
 <p>
@@ -78966,6 +79190,14 @@ Allow containers to use huge pages.
 </p>
 </desc>
 </tunable>
+<tunable name="container_use_mknod" dftval="false">
+<desc>
+<p>
+Allow containers to use the mknod syscall, e.g. for
+creating special device files.
+</p>
+</desc>
+</tunable>
 <tunable name="container_use_nfs" dftval="false">
 <desc>
 <p>
@@ -78980,6 +79212,41 @@ Allow containers to use CIFS filesystems.
 </p>
 </desc>
 </tunable>
+<tunable name="container_use_sysadmin" dftval="false">
+<desc>
+<p>
+Allow containers to use the sysadmin capability, e.g.
+for mounting filesystems.
+</p>
+</desc>
+</tunable>
+<tunable name="container_use_userns_all_caps" dftval="false">
+<desc>
+<p>
+Allow containers to use all capabilities in a
+namespaced context for various privileged operations
+within the container itself.
+</p>
+</desc>
+</tunable>
+<tunable name="container_use_userns_mknod" dftval="false">
+<desc>
+<p>
+Allow containers to use the mknod syscall in a
+namespaced context, e.g. for creating special device
+files within the container itself.
+</p>
+</desc>
+</tunable>
+<tunable name="container_use_userns_sysadmin" dftval="false">
+<desc>
+<p>
+Allow containers to use the sysadmin capability in a
+namespaced context, e.g. for mounting filesystems
+within the container itself.
+</p>
+</desc>
+</tunable>
 </module>
 <module name="corosync" filename="policy/modules/services/corosync.if">
 <summary>Corosync Cluster Engine.</summary>
@@ -79644,7 +79911,17 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="cron_read_system_job_lib_files" lineno="768">
+<interface name="cron_rw_inherited_tmp_files" lineno="768">
+<summary>
+Read and write inherited crond temporary files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="cron_read_system_job_lib_files" lineno="786">
 <summary>
 Read system cron job lib files.
 </summary>
@@ -79654,7 +79931,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="cron_manage_system_job_lib_files" lineno="788">
+<interface name="cron_manage_system_job_lib_files" lineno="806">
 <summary>
 Create, read, write, and delete
 system cron job lib files.
@@ -79665,7 +79942,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="cron_write_system_job_pipes" lineno="807">
+<interface name="cron_write_system_job_pipes" lineno="825">
 <summary>
 Write system cron job unnamed pipes.
 </summary>
@@ -79675,7 +79952,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="cron_rw_system_job_pipes" lineno="826">
+<interface name="cron_rw_system_job_pipes" lineno="844">
 <summary>
 Read and write system cron job
 unnamed pipes.
@@ -79686,7 +79963,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="cron_rw_system_job_stream_sockets" lineno="845">
+<interface name="cron_rw_system_job_stream_sockets" lineno="863">
 <summary>
 Read and write inherited system cron
 job unix domain stream sockets.
@@ -79697,7 +79974,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="cron_read_system_job_tmp_files" lineno="863">
+<interface name="cron_read_system_job_tmp_files" lineno="881">
 <summary>
 Read system cron job temporary files.
 </summary>
@@ -79707,7 +79984,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="cron_dontaudit_append_system_job_tmp_files" lineno="883">
+<interface name="cron_dontaudit_append_system_job_tmp_files" lineno="901">
 <summary>
 Do not audit attempts to append temporary
 system cron job files.
@@ -79718,7 +79995,17 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="cron_rw_inherited_system_job_tmp_files" lineno="901">
+<interface name="cron_append_system_job_tmp_files" lineno="919">
+<summary>
+allow appending temporary system cron job files.
+</summary>
+<param name="domain">
+<summary>
+Domain to allow.
+</summary>
+</param>
+</interface>
+<interface name="cron_rw_inherited_system_job_tmp_files" lineno="937">
 <summary>
 Read and write to inherited system cron job temporary files.
 </summary>
@@ -79728,7 +80015,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="cron_dontaudit_write_system_job_tmp_files" lineno="920">
+<interface name="cron_dontaudit_write_system_job_tmp_files" lineno="956">
 <summary>
 Do not audit attempts to write temporary
 system cron job files.
@@ -79739,7 +80026,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="cron_exec_crontab" lineno="939">
+<interface name="cron_exec_crontab" lineno="975">
 <summary>
 Execute crontab in the caller domain.
 </summary>
@@ -79750,7 +80037,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="cron_admin" lineno="965">
+<interface name="cron_admin" lineno="1001">
 <summary>
 All of the rules required to
 administrate a cron environment.
@@ -80257,7 +80544,7 @@ User domain for the role
 </summary>
 </param>
 </template>
-<interface name="dbus_system_bus_client" lineno="137">
+<interface name="dbus_system_bus_client" lineno="140">
 <summary>
 Template for creating connections to
 the system bus.
@@ -80268,7 +80555,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dbus_connect_all_session_bus" lineno="176">
+<interface name="dbus_connect_all_session_bus" lineno="181">
 <summary>
 Acquire service on all DBUS
 session busses.
@@ -80279,7 +80566,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<template name="dbus_connect_spec_session_bus" lineno="202">
+<template name="dbus_connect_spec_session_bus" lineno="207">
 <summary>
 Acquire service on specified
 DBUS session bus.
@@ -80296,7 +80583,7 @@ Domain allowed access.
 </summary>
 </param>
 </template>
-<interface name="dbus_all_session_bus_client" lineno="222">
+<interface name="dbus_all_session_bus_client" lineno="227">
 <summary>
 Creating connections to all
 DBUS session busses.
@@ -80307,7 +80594,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<template name="dbus_spec_session_bus_client" lineno="254">
+<template name="dbus_spec_session_bus_client" lineno="261">
 <summary>
 Creating connections to specified
 DBUS session bus.
@@ -80324,7 +80611,7 @@ Domain allowed access.
 </summary>
 </param>
 </template>
-<interface name="dbus_send_all_session_bus" lineno="281">
+<interface name="dbus_send_all_session_bus" lineno="288">
 <summary>
 Send messages to all DBUS
 session busses.
@@ -80335,7 +80622,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<template name="dbus_send_spec_session_bus" lineno="307">
+<template name="dbus_send_spec_session_bus" lineno="314">
 <summary>
 Send messages to specified
 DBUS session busses.
@@ -80352,7 +80639,7 @@ Domain allowed access.
 </summary>
 </param>
 </template>
-<interface name="dbus_getattr_session_runtime_socket" lineno="327">
+<interface name="dbus_getattr_session_runtime_socket" lineno="334">
 <summary>
 Allow the specified domain to get the
 attributes of the session dbus sock file.
@@ -80363,7 +80650,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dbus_write_session_runtime_socket" lineno="346">
+<interface name="dbus_write_session_runtime_socket" lineno="353">
 <summary>
 Allow the specified domain to write to
 the session dbus sock file.
@@ -80374,7 +80661,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dbus_read_config" lineno="364">
+<interface name="dbus_read_config" lineno="371">
 <summary>
 Read dbus configuration content.
 </summary>
@@ -80384,7 +80671,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dbus_read_lib_files" lineno="383">
+<interface name="dbus_read_lib_files" lineno="390">
 <summary>
 Read system dbus lib files.
 </summary>
@@ -80394,7 +80681,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dbus_relabel_lib_dirs" lineno="403">
+<interface name="dbus_relabel_lib_dirs" lineno="410">
 <summary>
 Relabel system dbus lib directory.
 </summary>
@@ -80404,7 +80691,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dbus_manage_lib_files" lineno="423">
+<interface name="dbus_manage_lib_files" lineno="430">
 <summary>
 Create, read, write, and delete
 system dbus lib files.
@@ -80415,7 +80702,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dbus_all_session_domain" lineno="449">
+<interface name="dbus_all_session_domain" lineno="456">
 <summary>
 Allow a application domain to be
 started by the specified session bus.
@@ -80432,7 +80719,7 @@ entry point to this domain.
 </summary>
 </param>
 </interface>
-<template name="dbus_spec_session_domain" lineno="483">
+<template name="dbus_spec_session_domain" lineno="490">
 <summary>
 Allow a application domain to be
 started by the specified session bus.
@@ -80455,7 +80742,7 @@ entry point to this domain.
 </summary>
 </param>
 </template>
-<interface name="dbus_connect_system_bus" lineno="504">
+<interface name="dbus_connect_system_bus" lineno="511">
 <summary>
 Acquire service on the DBUS system bus.
 </summary>
@@ -80465,7 +80752,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dbus_send_system_bus" lineno="523">
+<interface name="dbus_send_system_bus" lineno="530">
 <summary>
 Send messages to the DBUS system bus.
 </summary>
@@ -80475,7 +80762,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dbus_system_bus_unconfined" lineno="542">
+<interface name="dbus_system_bus_unconfined" lineno="549">
 <summary>
 Unconfined access to DBUS system bus.
 </summary>
@@ -80485,7 +80772,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dbus_system_domain" lineno="567">
+<interface name="dbus_system_domain" lineno="574">
 <summary>
 Create a domain for processes which
 can be started by the DBUS system bus.
@@ -80501,7 +80788,7 @@ Type of the program to be used as an entry point to this domain.
 </summary>
 </param>
 </interface>
-<interface name="dbus_use_system_bus_fds" lineno="605">
+<interface name="dbus_use_system_bus_fds" lineno="612">
 <summary>
 Use and inherit DBUS system bus
 file descriptors.
@@ -80512,7 +80799,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dbus_dontaudit_system_bus_rw_tcp_sockets" lineno="624">
+<interface name="dbus_dontaudit_system_bus_rw_tcp_sockets" lineno="631">
 <summary>
 Do not audit attempts to read and
 write DBUS system bus TCP sockets.
@@ -80523,7 +80810,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="dbus_watch_system_bus_runtime_dirs" lineno="642">
+<interface name="dbus_watch_system_bus_runtime_dirs" lineno="649">
 <summary>
 Watch system bus runtime directories.
 </summary>
@@ -80533,7 +80820,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dbus_read_system_bus_runtime_files" lineno="660">
+<interface name="dbus_read_system_bus_runtime_files" lineno="667">
 <summary>
 Read system bus runtime files.
 </summary>
@@ -80543,7 +80830,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dbus_list_system_bus_runtime" lineno="679">
+<interface name="dbus_list_system_bus_runtime" lineno="686">
 <summary>
 List system bus runtime directories.
 </summary>
@@ -80553,7 +80840,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dbus_watch_system_bus_runtime_named_sockets" lineno="697">
+<interface name="dbus_watch_system_bus_runtime_named_sockets" lineno="704">
 <summary>
 Watch system bus runtime named sockets.
 </summary>
@@ -80563,7 +80850,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dbus_read_system_bus_runtime_named_sockets" lineno="715">
+<interface name="dbus_read_system_bus_runtime_named_sockets" lineno="722">
 <summary>
 Read system bus runtime named sockets.
 </summary>
@@ -80573,7 +80860,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dbus_dontaudit_write_system_bus_runtime_named_sockets" lineno="734">
+<interface name="dbus_dontaudit_write_system_bus_runtime_named_sockets" lineno="741">
 <summary>
 Do not audit attempts to write to
 system bus runtime named sockets.
@@ -80584,7 +80871,17 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="dbus_unconfined" lineno="752">
+<interface name="dbus_rw_session_tmp_sockets" lineno="759">
+<summary>
+Read and write session named sockets in the tmp directory (/tmp).
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dbus_unconfined" lineno="777">
 <summary>
 Unconfined access to DBUS.
 </summary>
@@ -80594,7 +80891,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dbus_generic_pid_filetrans_system_dbusd_var_run" lineno="782">
+<interface name="dbus_generic_pid_filetrans_system_dbusd_var_run" lineno="807">
 <summary>
 Create resources in /run or /var/run with the system_dbusd_runtime_t
 label. This method is deprecated in favor of the init_daemon_run_dir
@@ -80616,7 +80913,7 @@ Optional file name used for the resource
 </summary>
 </param>
 </interface>
-<interface name="dbus_create_system_dbusd_var_run_dirs" lineno="796">
+<interface name="dbus_create_system_dbusd_var_run_dirs" lineno="821">
 <summary>
 Create directories with the system_dbusd_runtime_t label
 </summary>
@@ -80626,6 +80923,16 @@ Domain allowed access
 </summary>
 </param>
 </interface>
+<tunable name="dbus_can_network" dftval="false">
+<desc>
+<p>
+Determine whether the dbus server
+can use the network (insecure
+except than in the case of the
+loopback interface).
+</p>
+</desc>
+</tunable>
 <tunable name="dbus_pass_tuntap_fd" dftval="false">
 <desc>
 <p>
@@ -81517,6 +81824,21 @@ Role allowed access.
 <rolecap/>
 </interface>
 </module>
+<module name="eg25manager" filename="policy/modules/services/eg25manager.if">
+<summary>Manager daemon for the Quectel EG25 modem</summary>
+
+<desc>
+eg25-manager (Debian package eg25-manager) is a daemon aimed at configuring
+and monitoring the Quectel EG25 modem on a running system. It is used on the
+PinePhone (Pro) and performs the
+following functions:
+* power on/off
+* startup configuration using AT commands
+* AGPS data upload
+* status monitoring (and restart if it becomes unavailable)
+Homepage: https://gitlab.com/mobian1/eg25-manager
+</desc>
+</module>
 <module name="entropyd" filename="policy/modules/services/entropyd.if">
 <summary>Generate entropy from audio input.</summary>
 <interface name="entropyd_admin" lineno="20">
@@ -83384,6 +83706,29 @@ Role allowed access.
 <rolecap/>
 </interface>
 </module>
+<module name="iiosensorproxy" filename="policy/modules/services/iiosensorproxy.if">
+<summary>IIO sensors to D-Bus proxy</summary>
+
+<desc>
+Industrial I/O subsystem is intended to provide support for devices
+that in some sense are analog to digital or digital to analog convertors
+.
+Devices that fall into this category are:
+* ADCs
+* Accelerometers
+* Gyros
+* IMUs
+* Capacitance to Digital Converters (CDCs)
+* Pressure Sensors
+* Color, Light and Proximity Sensors
+* Temperature Sensors
+* Magnetometers
+* DACs
+* DDS (Direct Digital Synthesis)
+* PLLs (Phase Locked Loops)
+* Variable/Programmable Gain Amplifiers (VGA, PGA)
+</desc>
+</module>
 <module name="inetd" filename="policy/modules/services/inetd.if">
 <summary>Internet services daemon.</summary>
 <interface name="inetd_core_service_domain" lineno="27">
@@ -84913,6 +85258,28 @@ Role allowed access.
 <rolecap/>
 </interface>
 </module>
+<module name="lowmemorymonitor" filename="policy/modules/services/lowmemorymonitor.if">
+<summary>low memory monitor daemon</summary>
+
+<desc>
+The Low Memory Monitor is an early boot daemon that will monitor memory
+pressure information coming from the kernel, and, first, send a signal
+to user-space applications when memory is running low, and then optionally
+activate the kernel's OOM killer when memory is running really low.
+https://gitlab.freedesktop.org/hadess/low-memory-monitor
+</desc>
+<interface name="low_mem_mon_dbus_chat" lineno="22">
+<summary>
+Send and receive messages from
+low_mem_mon_t over dbus.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+</module>
 <module name="lpd" filename="policy/modules/services/lpd.if">
 <summary>Line printer daemon.</summary>
 <template name="lpd_role" lineno="29">
@@ -86046,7 +86413,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="mta_home_filetrans_mail_home_rw" lineno="295">
+<interface name="mta_home_filetrans_mail_home_rw" lineno="296">
 <summary>
 Create specified objects in user home
 directories with the generic mail
@@ -86068,7 +86435,7 @@ The name of the object being created.
 </summary>
 </param>
 </interface>
-<interface name="mta_system_content" lineno="313">
+<interface name="mta_system_content" lineno="314">
 <summary>
 Make the specified type by a system MTA.
 </summary>
@@ -86078,7 +86445,7 @@ Type to be used as a mail client.
 </summary>
 </param>
 </interface>
-<interface name="mta_sendmail_mailserver" lineno="346">
+<interface name="mta_sendmail_mailserver" lineno="347">
 <summary>
 Modified mailserver interface for
 sendmail daemon use.
@@ -86103,7 +86470,7 @@ The type to be used for the mail server.
 </summary>
 </param>
 </interface>
-<interface name="mta_use_mailserver_fds" lineno="367">
+<interface name="mta_use_mailserver_fds" lineno="368">
 <summary>
 Inherit FDs from mailserver_domain domains
 </summary>
@@ -86113,7 +86480,7 @@ Type for a list server or delivery agent that inherits fds
 </summary>
 </param>
 </interface>
-<interface name="mta_mailserver_sender" lineno="386">
+<interface name="mta_mailserver_sender" lineno="387">
 <summary>
 Make a type a mailserver type used
 for sending mail.
@@ -86124,7 +86491,7 @@ Mail server domain type used for sending mail.
 </summary>
 </param>
 </interface>
-<interface name="mta_mailserver_delivery" lineno="405">
+<interface name="mta_mailserver_delivery" lineno="406">
 <summary>
 Make a type a mailserver type used
 for delivering mail to local users.
@@ -86135,7 +86502,7 @@ Mail server domain type used for delivering mail.
 </summary>
 </param>
 </interface>
-<interface name="mta_mailserver_user_agent" lineno="425">
+<interface name="mta_mailserver_user_agent" lineno="426">
 <summary>
 Make a type a mailserver type used
 for sending mail on behalf of local
@@ -86147,7 +86514,7 @@ Mail server domain type used for sending local mail.
 </summary>
 </param>
 </interface>
-<interface name="mta_send_mail" lineno="443">
+<interface name="mta_send_mail" lineno="444">
 <summary>
 Send mail from the system.
 </summary>
@@ -86157,7 +86524,7 @@ Domain allowed to transition.
 </summary>
 </param>
 </interface>
-<interface name="mta_sendmail_domtrans" lineno="488">
+<interface name="mta_sendmail_domtrans" lineno="489">
 <summary>
 Execute send mail in a specified domain.
 </summary>
@@ -86182,7 +86549,7 @@ Domain to transition to.
 </summary>
 </param>
 </interface>
-<interface name="mta_signal_system_mail" lineno="510">
+<interface name="mta_signal_system_mail" lineno="511">
 <summary>
 Send signals to system mail.
 </summary>
@@ -86192,7 +86559,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="mta_kill_system_mail" lineno="528">
+<interface name="mta_kill_system_mail" lineno="529">
 <summary>
 Send kill signals to system mail.
 </summary>
@@ -86202,7 +86569,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="mta_sendmail_exec" lineno="546">
+<interface name="mta_sendmail_exec" lineno="547">
 <summary>
 Execute sendmail in the caller domain.
 </summary>
@@ -86212,7 +86579,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="mta_sendmail_entry_point" lineno="566">
+<interface name="mta_sendmail_entry_point" lineno="567">
 <summary>
 Make sendmail usable as an entry
 point for the domain.
@@ -86223,7 +86590,7 @@ Domain to be entered.
 </summary>
 </param>
 </interface>
-<interface name="mta_read_config" lineno="585">
+<interface name="mta_read_config" lineno="586">
 <summary>
 Read mail server configuration content.
 </summary>
@@ -86234,7 +86601,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="mta_write_config" lineno="607">
+<interface name="mta_write_config" lineno="608">
 <summary>
 Write mail server configuration files.
 </summary>
@@ -86245,7 +86612,18 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="mta_read_aliases" lineno="626">
+<interface name="mta_manage_config" lineno="628">
+<summary>
+Create, read, write, and delete
+mail server configuration content.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="mta_read_aliases" lineno="648">
 <summary>
 Read mail address alias files.
 </summary>
@@ -86255,7 +86633,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="mta_map_aliases" lineno="654">
+<interface name="mta_map_aliases" lineno="676">
 <summary>
 Read mail address alias files.
 </summary>
@@ -86265,7 +86643,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="mta_manage_aliases" lineno="673">
+<interface name="mta_manage_aliases" lineno="695">
 <summary>
 Create, read, write, and delete
 mail address alias content.
@@ -86276,7 +86654,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="mta_etc_filetrans_aliases" lineno="715">
+<interface name="mta_etc_filetrans_aliases" lineno="737">
 <summary>
 Create specified object in generic
 etc directories with the mail address
@@ -86298,7 +86676,7 @@ The name of the object being created.
 </summary>
 </param>
 </interface>
-<interface name="mta_spec_filetrans_aliases" lineno="750">
+<interface name="mta_spec_filetrans_aliases" lineno="772">
 <summary>
 Create specified objects in specified
 directories with a type transition to
@@ -86325,7 +86703,7 @@ The name of the object being created.
 </summary>
 </param>
 </interface>
-<interface name="mta_rw_aliases" lineno="769">
+<interface name="mta_rw_aliases" lineno="791">
 <summary>
 Read and write mail alias files.
 </summary>
@@ -86336,7 +86714,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="mta_dontaudit_rw_delivery_tcp_sockets" lineno="799">
+<interface name="mta_dontaudit_rw_delivery_tcp_sockets" lineno="821">
 <summary>
 Do not audit attempts to read
 and write TCP sockets of mail
@@ -86348,7 +86726,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="mta_list_spool" lineno="817">
+<interface name="mta_list_spool" lineno="839">
 <summary>
 Allow listing the mail spool.
 </summary>
@@ -86358,7 +86736,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="mta_read_spool_symlinks" lineno="836">
+<interface name="mta_read_spool_symlinks" lineno="858">
 <summary>
 Allow reading mail spool symlinks.
 </summary>
@@ -86368,7 +86746,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="mta_rw_inherited_delivery_pipes" lineno="854">
+<interface name="mta_rw_inherited_delivery_pipes" lineno="876">
 <summary>
 read and write fifo files inherited from delivery domains
 </summary>
@@ -86378,7 +86756,7 @@ Domain to use fifo files
 </summary>
 </param>
 </interface>
-<interface name="mta_dontaudit_read_spool_symlinks" lineno="875">
+<interface name="mta_dontaudit_read_spool_symlinks" lineno="897">
 <summary>
 Do not audit attempts to read
 mail spool symlinks.
@@ -86389,7 +86767,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="mta_getattr_spool" lineno="893">
+<interface name="mta_getattr_spool" lineno="915">
 <summary>
 Get attributes of mail spool content.
 </summary>
@@ -86399,7 +86777,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="mta_dontaudit_getattr_spool_files" lineno="915">
+<interface name="mta_dontaudit_getattr_spool_files" lineno="937">
 <summary>
 Do not audit attempts to get
 attributes of mail spool files.
@@ -86410,7 +86788,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="mta_spool_filetrans" lineno="953">
+<interface name="mta_spool_filetrans" lineno="975">
 <summary>
 Create specified objects in the
 mail spool directory with a
@@ -86437,7 +86815,7 @@ The name of the object being created.
 </summary>
 </param>
 </interface>
-<interface name="mta_read_spool_files" lineno="972">
+<interface name="mta_read_spool_files" lineno="994">
 <summary>
 Read mail spool files.
 </summary>
@@ -86447,7 +86825,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="mta_rw_spool" lineno="992">
+<interface name="mta_rw_spool" lineno="1014">
 <summary>
 Read and write mail spool files.
 </summary>
@@ -86457,7 +86835,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="mta_append_spool" lineno="1013">
+<interface name="mta_append_spool" lineno="1035">
 <summary>
 Create, read, and write mail spool files.
 </summary>
@@ -86467,7 +86845,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="mta_delete_spool" lineno="1034">
+<interface name="mta_delete_spool" lineno="1056">
 <summary>
 Delete mail spool files.
 </summary>
@@ -86477,7 +86855,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="mta_manage_spool" lineno="1054">
+<interface name="mta_manage_spool" lineno="1076">
 <summary>
 Create, read, write, and delete
 mail spool content.
@@ -86488,7 +86866,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="mta_watch_spool" lineno="1076">
+<interface name="mta_watch_spool" lineno="1098">
 <summary>
 Watch mail spool content.
 </summary>
@@ -86498,7 +86876,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="mta_queue_filetrans" lineno="1111">
+<interface name="mta_queue_filetrans" lineno="1133">
 <summary>
 Create specified objects in the
 mail queue spool directory with a
@@ -86525,7 +86903,7 @@ The name of the object being created.
 </summary>
 </param>
 </interface>
-<interface name="mta_search_queue" lineno="1130">
+<interface name="mta_search_queue" lineno="1152">
 <summary>
 Search mail queue directories.
 </summary>
@@ -86535,7 +86913,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="mta_list_queue" lineno="1149">
+<interface name="mta_list_queue" lineno="1171">
 <summary>
 List mail queue directories.
 </summary>
@@ -86545,7 +86923,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="mta_read_queue" lineno="1168">
+<interface name="mta_read_queue" lineno="1190">
 <summary>
 Read mail queue files.
 </summary>
@@ -86555,7 +86933,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="mta_dontaudit_rw_queue" lineno="1188">
+<interface name="mta_dontaudit_rw_queue" lineno="1210">
 <summary>
 Do not audit attempts to read and
 write mail queue content.
@@ -86566,7 +86944,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="mta_manage_queue" lineno="1208">
+<interface name="mta_manage_queue" lineno="1230">
 <summary>
 Create, read, write, and delete
 mail queue content.
@@ -86577,7 +86955,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="mta_read_sendmail_bin" lineno="1228">
+<interface name="mta_read_sendmail_bin" lineno="1250">
 <summary>
 Read sendmail binary.
 </summary>
@@ -86587,7 +86965,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="mta_rw_user_mail_stream_sockets" lineno="1247">
+<interface name="mta_rw_user_mail_stream_sockets" lineno="1269">
 <summary>
 Read and write unix domain stream
 sockets of all base mail domains.
@@ -87933,7 +88311,17 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="ntp_rw_shm" lineno="189">
+<interface name="ntp_filetrans_drift" lineno="189">
+<summary>
+specified domain creates /var/lib/ntpsec/ with the correct type
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="ntp_rw_shm" lineno="208">
 <summary>
 Read and write ntpd shared memory.
 </summary>
@@ -87943,7 +88331,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="ntp_enabledisable" lineno="211">
+<interface name="ntp_enabledisable" lineno="230">
 <summary>
 Allow specified domain to enable/disable ntpd unit
 </summary>
@@ -87953,7 +88341,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="ntp_startstop" lineno="232">
+<interface name="ntp_startstop" lineno="251">
 <summary>
 Allow specified domain to start/stop ntpd unit
 </summary>
@@ -87963,7 +88351,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="ntp_status" lineno="253">
+<interface name="ntp_status" lineno="272">
 <summary>
 Allow specified domain to get status of ntpd unit
 </summary>
@@ -87973,7 +88361,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="ntp_admin" lineno="281">
+<interface name="ntp_admin" lineno="300">
 <summary>
 All of the rules required to
 administrate an ntp environment.
@@ -87990,7 +88378,7 @@ Role allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="ntp_manage_config" lineno="333">
+<interface name="ntp_manage_config" lineno="352">
 <summary>
 Manage ntp(d) configuration.
 </summary>
@@ -89596,7 +89984,7 @@ Domain prefix to be used.
 </summary>
 </param>
 </template>
-<template name="postfix_server_domain_template" lineno="65">
+<template name="postfix_server_domain_template" lineno="68">
 <summary>
 The template to define a postfix server domain.
 </summary>
@@ -89606,7 +89994,7 @@ Domain prefix to be used.
 </summary>
 </param>
 </template>
-<template name="postfix_user_domain_template" lineno="105">
+<template name="postfix_user_domain_template" lineno="108">
 <summary>
 The template to define a postfix user domain.
 </summary>
@@ -89616,7 +90004,7 @@ Domain prefix to be used.
 </summary>
 </param>
 </template>
-<interface name="postfix_read_config" lineno="142">
+<interface name="postfix_read_config" lineno="145">
 <summary>
 Read postfix configuration content.
 </summary>
@@ -89627,7 +90015,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="postfix_config_filetrans" lineno="179">
+<interface name="postfix_config_filetrans" lineno="182">
 <summary>
 Create specified object in postfix
 etc directories with a type transition.
@@ -89653,7 +90041,7 @@ The name of the object being created.
 </summary>
 </param>
 </interface>
-<interface name="postfix_dontaudit_rw_local_tcp_sockets" lineno="199">
+<interface name="postfix_dontaudit_rw_local_tcp_sockets" lineno="202">
 <summary>
 Do not audit attempts to read and
 write postfix local delivery
@@ -89665,7 +90053,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="postfix_rw_local_pipes" lineno="217">
+<interface name="postfix_rw_local_pipes" lineno="220">
 <summary>
 Read and write postfix local pipes.
 </summary>
@@ -89675,7 +90063,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="postfix_read_local_state" lineno="235">
+<interface name="postfix_read_local_state" lineno="238">
 <summary>
 Read postfix local process state files.
 </summary>
@@ -89685,7 +90073,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="postfix_rw_inherited_master_pipes" lineno="256">
+<interface name="postfix_rw_inherited_master_pipes" lineno="259">
 <summary>
 Read and write inherited postfix master pipes.
 </summary>
@@ -89695,7 +90083,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="postfix_read_master_state" lineno="275">
+<interface name="postfix_read_master_state" lineno="278">
 <summary>
 Read postfix master process state files.
 </summary>
@@ -89705,7 +90093,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="postfix_use_fds_master" lineno="296">
+<interface name="postfix_use_fds_master" lineno="299">
 <summary>
 Use postfix master file descriptors.
 </summary>
@@ -89715,7 +90103,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="postfix_dontaudit_use_fds" lineno="316">
+<interface name="postfix_dontaudit_use_fds" lineno="319">
 <summary>
 Do not audit attempts to use
 postfix master process file
@@ -89727,7 +90115,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="postfix_domtrans_map" lineno="334">
+<interface name="postfix_domtrans_map" lineno="337">
 <summary>
 Execute postfix_map in the postfix_map domain.
 </summary>
@@ -89737,7 +90125,7 @@ Domain allowed to transition.
 </summary>
 </param>
 </interface>
-<interface name="postfix_run_map" lineno="361">
+<interface name="postfix_run_map" lineno="364">
 <summary>
 Execute postfix map in the postfix
 map domain, and allow the specified
@@ -89755,7 +90143,7 @@ Role allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="postfix_domtrans_master" lineno="381">
+<interface name="postfix_domtrans_master" lineno="384">
 <summary>
 Execute the master postfix program
 in the postfix_master domain.
@@ -89766,7 +90154,7 @@ Domain allowed to transition.
 </summary>
 </param>
 </interface>
-<interface name="postfix_exec_master" lineno="401">
+<interface name="postfix_exec_master" lineno="404">
 <summary>
 Execute the master postfix program
 in the caller domain.
@@ -89777,7 +90165,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="postfix_stream_connect_master" lineno="422">
+<interface name="postfix_stream_connect_master" lineno="425">
 <summary>
 Connect to postfix master process
 using a unix domain stream socket.
@@ -89789,7 +90177,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="postfix_domtrans_postdrop" lineno="441">
+<interface name="postfix_domtrans_postdrop" lineno="444">
 <summary>
 Execute the master postdrop in the
 postfix postdrop domain.
@@ -89800,7 +90188,7 @@ Domain allowed to transition.
 </summary>
 </param>
 </interface>
-<interface name="postfix_domtrans_postqueue" lineno="461">
+<interface name="postfix_domtrans_postqueue" lineno="464">
 <summary>
 Execute the master postqueue in the
 postfix postqueue domain.
@@ -89811,7 +90199,7 @@ Domain allowed to transition.
 </summary>
 </param>
 </interface>
-<interface name="postfix_exec_postqueue" lineno="481">
+<interface name="postfix_exec_postqueue" lineno="484">
 <summary>
 Execute postfix postqueue in
 the caller domain.
@@ -89822,7 +90210,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="postfix_create_private_sockets" lineno="500">
+<interface name="postfix_create_private_sockets" lineno="503">
 <summary>
 Create postfix private sock files.
 </summary>
@@ -89832,7 +90220,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="postfix_manage_private_sockets" lineno="519">
+<interface name="postfix_manage_private_sockets" lineno="522">
 <summary>
 Create, read, write, and delete
 postfix private sock files.
@@ -89843,7 +90231,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="postfix_domtrans_smtp" lineno="538">
+<interface name="postfix_domtrans_smtp" lineno="541">
 <summary>
 Execute the smtp postfix program
 in the postfix smtp domain.
@@ -89854,7 +90242,7 @@ Domain allowed to transition.
 </summary>
 </param>
 </interface>
-<interface name="postfix_getattr_all_spool_files" lineno="558">
+<interface name="postfix_getattr_all_spool_files" lineno="561">
 <summary>
 Get attributes of all postfix mail
 spool files.
@@ -89865,7 +90253,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="postfix_search_spool" lineno="577">
+<interface name="postfix_search_spool" lineno="580">
 <summary>
 Search postfix mail spool directories.
 </summary>
@@ -89875,7 +90263,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="postfix_list_spool" lineno="596">
+<interface name="postfix_list_spool" lineno="599">
 <summary>
 List postfix mail spool directories.
 </summary>
@@ -89885,7 +90273,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="postfix_read_spool_files" lineno="615">
+<interface name="postfix_read_spool_files" lineno="618">
 <summary>
 Read postfix mail spool files.
 </summary>
@@ -89895,7 +90283,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="postfix_manage_spool_files" lineno="635">
+<interface name="postfix_manage_spool_files" lineno="638">
 <summary>
 Create, read, write, and delete
 postfix mail spool files.
@@ -89906,7 +90294,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="postfix_domtrans_user_mail_handler" lineno="655">
+<interface name="postfix_domtrans_user_mail_handler" lineno="658">
 <summary>
 Execute postfix user mail programs
 in their respective domains.
@@ -89917,7 +90305,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="postfix_admin" lineno="680">
+<interface name="postfix_admin" lineno="683">
 <summary>
 All of the rules required to
 administrate an postfix environment.
@@ -90312,6 +90700,13 @@ Role allowed access.
 <rolecap/>
 </interface>
 </module>
+<module name="powerprofiles" filename="policy/modules/services/powerprofiles.if">
+<summary>power profiles daemon</summary>
+
+<desc>
+Daemon to control power profiles for laptop
+</desc>
+</module>
 <module name="ppp" filename="policy/modules/services/ppp.if">
 <summary>Point to Point Protocol daemon creates links in ppp networks.</summary>
 <interface name="ppp_manage_home_files" lineno="14">
@@ -91307,6 +91702,18 @@ Role allowed access.
 <rolecap/>
 </interface>
 </module>
+<module name="rasdaemon" filename="policy/modules/services/rasdaemon.if">
+<summary>RAS (Reliability, Availability and Serviceability) logging tool</summary>
+
+<desc>
+rasdaemon is a RAS (Reliability, Availability and Serviceability) logging
+tool.  It currently records memory errors, using the EDAC tracing events.
+EDAC are drivers in the Linux kernel that handle detection of ECC errors
+from memory controllers for most chipsets on x86 and ARM architectures.
+
+https://git.infradead.org/users/mchehab/rasdaemon.git
+</desc>
+</module>
 <module name="razor" filename="policy/modules/services/razor.if">
 <summary>A distributed, collaborative, spam detection and filtering network.</summary>
 <template name="razor_common_domain_template" lineno="13">
@@ -93583,6 +93990,17 @@ Role allowed access.
 </param>
 <rolecap/>
 </interface>
+<interface name="fsdaemon_read_lib" lineno="71">
+<summary>
+Read fsdaemon /var/lib files
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
 <tunable name="smartmon_3ware" dftval="false">
 <desc>
 <p>
@@ -93877,7 +94295,7 @@ Role allowed access
 </summary>
 </param>
 </template>
-<interface name="spamassassin_run_update" lineno="73">
+<interface name="spamassassin_run_update" lineno="75">
 <summary>
 Execute sa-update in the spamd-update domain,
 and allow the specified role
@@ -93895,7 +94313,7 @@ Role allowed access.
 </summary>
 </param>
 </interface>
-<interface name="spamassassin_exec" lineno="93">
+<interface name="spamassassin_exec" lineno="95">
 <summary>
 Execute the standalone spamassassin
 program in the caller directory.
@@ -93906,7 +94324,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="spamassassin_signal_spamd" lineno="112">
+<interface name="spamassassin_signal_spamd" lineno="114">
 <summary>
 Send generic signals to spamd.
 </summary>
@@ -93916,7 +94334,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="spamassassin_reload" lineno="131">
+<interface name="spamassassin_reload" lineno="133">
 <summary>
 reload SA service
 </summary>
@@ -93927,7 +94345,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="spamassassin_status" lineno="151">
+<interface name="spamassassin_status" lineno="153">
 <summary>
 Get SA service status
 </summary>
@@ -93938,7 +94356,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="spamassassin_exec_spamd" lineno="170">
+<interface name="spamassassin_exec_spamd" lineno="172">
 <summary>
 Execute spamd in the caller domain.
 </summary>
@@ -93948,7 +94366,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="spamassassin_domtrans_client" lineno="189">
+<interface name="spamassassin_domtrans_client" lineno="191">
 <summary>
 Execute spamc in the spamc domain.
 </summary>
@@ -93958,7 +94376,7 @@ Domain allowed to transition.
 </summary>
 </param>
 </interface>
-<interface name="spamassassin_exec_client" lineno="208">
+<interface name="spamassassin_exec_client" lineno="210">
 <summary>
 Execute spamc in the caller domain.
 </summary>
@@ -93968,7 +94386,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="spamassassin_kill_client" lineno="227">
+<interface name="spamassassin_kill_client" lineno="229">
 <summary>
 Send kill signals to spamc.
 </summary>
@@ -93978,7 +94396,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="spamassassin_domtrans_local_client" lineno="246">
+<interface name="spamassassin_domtrans_local_client" lineno="248">
 <summary>
 Execute spamassassin standalone client
 in the user spamassassin domain.
@@ -93989,7 +94407,7 @@ Domain allowed to transition.
 </summary>
 </param>
 </interface>
-<interface name="spamassassin_manage_spamd_home_content" lineno="266">
+<interface name="spamassassin_manage_spamd_home_content" lineno="268">
 <summary>
 Create, read, write, and delete
 spamd home content.
@@ -94000,7 +94418,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="spamassassin_relabel_spamd_home_content" lineno="287">
+<interface name="spamassassin_relabel_spamd_home_content" lineno="289">
 <summary>
 Relabel spamd home content.
 </summary>
@@ -94010,7 +94428,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="spamassassin_home_filetrans_spamd_home" lineno="319">
+<interface name="spamassassin_home_filetrans_spamd_home" lineno="321">
 <summary>
 Create objects in user home
 directories with the spamd home type.
@@ -94031,7 +94449,7 @@ The name of the object being created.
 </summary>
 </param>
 </interface>
-<interface name="spamassassin_read_lib_files" lineno="337">
+<interface name="spamassassin_read_lib_files" lineno="339">
 <summary>
 Read spamd lib files.
 </summary>
@@ -94041,7 +94459,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="spamassassin_manage_lib_files" lineno="357">
+<interface name="spamassassin_manage_lib_files" lineno="359">
 <summary>
 Create, read, write, and delete
 spamd lib files.
@@ -94052,7 +94470,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="spamassassin_read_spamd_runtime_files" lineno="376">
+<interface name="spamassassin_read_spamd_runtime_files" lineno="378">
 <summary>
 Read spamd runtime files.
 </summary>
@@ -94062,7 +94480,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="spamassassin_read_spamd_tmp_files" lineno="395">
+<interface name="spamassassin_read_spamd_tmp_files" lineno="397">
 <summary>
 Read temporary spamd files.
 </summary>
@@ -94072,7 +94490,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="spamassassin_dontaudit_getattr_spamd_tmp_sockets" lineno="414">
+<interface name="spamassassin_dontaudit_getattr_spamd_tmp_sockets" lineno="416">
 <summary>
 Do not audit attempts to get
 attributes of temporary spamd sockets.
@@ -94083,7 +94501,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="spamassassin_stream_connect_spamd" lineno="433">
+<interface name="spamassassin_stream_connect_spamd" lineno="435">
 <summary>
 Connect to spamd with a unix
 domain stream socket.
@@ -94094,7 +94512,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="spamassassin_admin" lineno="459">
+<interface name="spamassassin_admin" lineno="461">
 <summary>
 All of the rules required to
 administrate an spamassassin environment.
@@ -94115,7 +94533,8 @@ Role allowed access.
 <desc>
 <p>
 Determine whether spamassassin
-clients can use the network.
+daemon or clients can use the
+network.
 </p>
 </desc>
 </tunable>
@@ -94127,6 +94546,15 @@ generic user home content.
 </p>
 </desc>
 </tunable>
+<tunable name="spamassassin_network_update" dftval="true">
+<desc>
+<p>
+Determine whether spamassassin
+can update the rules using the
+network.
+</p>
+</desc>
+</tunable>
 <tunable name="rspamd_spamd" dftval="false">
 <desc>
 <p>
@@ -94135,6 +94563,14 @@ be enabled to support rspamd.
 </p>
 </desc>
 </tunable>
+<tunable name="spamd_execmem" dftval="false">
+<desc>
+<p>
+Determine whether execmem should be allowed
+Needed if LUA JIT is enabled for rspamd
+</p>
+</desc>
+</tunable>
 </module>
 <module name="squid" filename="policy/modules/services/squid.if">
 <summary>Squid caching http proxy server.</summary>
@@ -94377,7 +94813,7 @@ Role allowed access
 </summary>
 </param>
 </template>
-<interface name="ssh_sigchld" lineno="486">
+<interface name="ssh_sigchld" lineno="488">
 <summary>
 Send a SIGCHLD signal to the ssh server.
 </summary>
@@ -94387,7 +94823,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="ssh_signal" lineno="504">
+<interface name="ssh_signal" lineno="506">
 <summary>
 Send a generic signal to the ssh server.
 </summary>
@@ -94397,7 +94833,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="ssh_signull" lineno="522">
+<interface name="ssh_signull" lineno="524">
 <summary>
 Send a null signal to sshd processes.
 </summary>
@@ -94407,7 +94843,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="ssh_read_pipes" lineno="540">
+<interface name="ssh_read_pipes" lineno="542">
 <summary>
 Read a ssh server unnamed pipe.
 </summary>
@@ -94417,7 +94853,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="ssh_rw_pipes" lineno="557">
+<interface name="ssh_rw_pipes" lineno="559">
 <summary>
 Read and write a ssh server unnamed pipe.
 </summary>
@@ -94427,7 +94863,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="ssh_rw_stream_sockets" lineno="575">
+<interface name="ssh_rw_stream_sockets" lineno="577">
 <summary>
 Read and write ssh server unix domain stream sockets.
 </summary>
@@ -94437,7 +94873,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="ssh_rw_tcp_sockets" lineno="593">
+<interface name="ssh_rw_tcp_sockets" lineno="595">
 <summary>
 Read and write ssh server TCP sockets.
 </summary>
@@ -94447,7 +94883,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="ssh_dontaudit_rw_tcp_sockets" lineno="612">
+<interface name="ssh_dontaudit_rw_tcp_sockets" lineno="614">
 <summary>
 Do not audit attempts to read and write
 ssh server TCP sockets.
@@ -94458,7 +94894,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="ssh_exec_sshd" lineno="630">
+<interface name="ssh_exec_sshd" lineno="632">
 <summary>
 Execute the ssh daemon in the caller domain.
 </summary>
@@ -94468,7 +94904,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="ssh_domtrans" lineno="649">
+<interface name="ssh_domtrans" lineno="651">
 <summary>
 Execute the ssh daemon sshd domain.
 </summary>
@@ -94478,7 +94914,7 @@ Domain allowed to transition.
 </summary>
 </param>
 </interface>
-<interface name="ssh_client_domtrans" lineno="667">
+<interface name="ssh_client_domtrans" lineno="669">
 <summary>
 Execute the ssh client in the ssh client domain.
 </summary>
@@ -94488,7 +94924,7 @@ Domain allowed to transition.
 </summary>
 </param>
 </interface>
-<interface name="ssh_exec" lineno="685">
+<interface name="ssh_exec" lineno="687">
 <summary>
 Execute the ssh client in the caller domain.
 </summary>
@@ -94498,7 +94934,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="ssh_setattr_key_files" lineno="704">
+<interface name="ssh_setattr_key_files" lineno="706">
 <summary>
 Set the attributes of sshd key files.
 </summary>
@@ -94508,7 +94944,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="ssh_agent_exec" lineno="723">
+<interface name="ssh_agent_exec" lineno="725">
 <summary>
 Execute the ssh agent client in the caller domain.
 </summary>
@@ -94518,7 +94954,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="ssh_setattr_home_dirs" lineno="742">
+<interface name="ssh_setattr_home_dirs" lineno="744">
 <summary>
 Set the attributes of ssh home directory (~/.ssh)
 </summary>
@@ -94528,7 +94964,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="ssh_create_home_dirs" lineno="760">
+<interface name="ssh_create_home_dirs" lineno="762">
 <summary>
 Create ssh home directory (~/.ssh)
 </summary>
@@ -94538,7 +94974,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="ssh_read_user_home_files" lineno="779">
+<interface name="ssh_read_user_home_files" lineno="781">
 <summary>
 Read ssh home directory content
 </summary>
@@ -94548,7 +94984,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="ssh_domtrans_keygen" lineno="800">
+<interface name="ssh_domtrans_keygen" lineno="802">
 <summary>
 Execute the ssh key generator in the ssh keygen domain.
 </summary>
@@ -94558,7 +94994,7 @@ Domain allowed to transition.
 </summary>
 </param>
 </interface>
-<interface name="ssh_read_server_keys" lineno="818">
+<interface name="ssh_read_server_keys" lineno="820">
 <summary>
 Read ssh server keys
 </summary>
@@ -94568,7 +95004,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="ssh_dontaudit_read_server_keys" lineno="836">
+<interface name="ssh_dontaudit_read_server_keys" lineno="838">
 <summary>
 Do not audit denials on reading ssh server keys
 </summary>
@@ -94578,7 +95014,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="ssh_manage_home_files" lineno="854">
+<interface name="ssh_manage_home_files" lineno="856">
 <summary>
 Manage ssh home directory content
 </summary>
@@ -94588,7 +95024,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="ssh_delete_tmp" lineno="873">
+<interface name="ssh_delete_tmp" lineno="875">
 <summary>
 Delete from the ssh temp files.
 </summary>
@@ -94598,7 +95034,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="ssh_dontaudit_agent_tmp" lineno="892">
+<interface name="ssh_dontaudit_agent_tmp" lineno="894">
 <summary>
 dontaudit access to ssh agent tmp dirs
 </summary>
@@ -94858,6 +95294,13 @@ Role allowed access.
 <rolecap/>
 </interface>
 </module>
+<module name="switcheroo" filename="policy/modules/services/switcheroo.if">
+<summary>switcheroo daemon</summary>
+
+<desc>
+Daemon to control which apps use a integrated GPU and which use discrete
+</desc>
+</module>
 <module name="sympa" filename="policy/modules/services/sympa.if">
 <summary>Sympa mailing list manager</summary>
 <desc>
@@ -95321,6 +95764,13 @@ Role allowed access.
 <rolecap/>
 </interface>
 </module>
+<module name="thunderbolt" filename="policy/modules/services/thunderbolt.if">
+<summary>thunderbolt daemon</summary>
+
+<desc>
+Daemon to control authentication for Thunderbolt.
+</desc>
+</module>
 <module name="timidity" filename="policy/modules/services/timidity.if">
 <summary>MIDI to WAV converter and player configured as a service.</summary>
 </module>
@@ -97084,7 +97534,7 @@ Role allowed access
 </summary>
 </param>
 </template>
-<template name="xserver_role" lineno="168">
+<template name="xserver_role" lineno="171">
 <summary>
 Rules required for using the X Windows server
 and environment.
@@ -97111,7 +97561,7 @@ Role allowed access
 </summary>
 </param>
 </template>
-<interface name="xserver_ro_session" lineno="241">
+<interface name="xserver_ro_session" lineno="252">
 <summary>
 Create sessions on the X server, with read-only
 access to the X server shared
@@ -97128,11 +97578,11 @@ The type of the domain SYSV tmpfs files.
 </summary>
 </param>
 </interface>
-<interface name="xserver_rw_session" lineno="283">
+<interface name="xserver_rw_session" lineno="294">
 <summary>
 Create sessions on the X server, with read and write
-access to the X server shared
-memory segments.
+access to the X server shared memory segments, but
+do not bypass existing tunable policy logic.
 </summary>
 <param name="domain">
 <summary>
@@ -97145,7 +97595,7 @@ The type of the domain SYSV tmpfs files.
 </summary>
 </param>
 </interface>
-<interface name="xserver_non_drawing_client" lineno="303">
+<interface name="xserver_non_drawing_client" lineno="320">
 <summary>
 Create non-drawing client sessions on an X server.
 </summary>
@@ -97155,7 +97605,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<template name="xserver_common_x_domain_template" lineno="342">
+<template name="xserver_common_x_domain_template" lineno="359">
 <summary>
 Interface to provide X object permissions on a given X server to
 an X client domain.  Provides the minimal set required by a basic
@@ -97173,7 +97623,7 @@ Client domain allowed access.
 </summary>
 </param>
 </template>
-<template name="xserver_object_types_template" lineno="401">
+<template name="xserver_object_types_template" lineno="418">
 <summary>
 Template for creating the set of types used
 in an X windows domain.
@@ -97185,7 +97635,7 @@ is the prefix for user_t).
 </summary>
 </param>
 </template>
-<template name="xserver_user_x_domain_template" lineno="443">
+<template name="xserver_user_x_domain_template" lineno="460">
 <summary>
 Interface to provide X object permissions on a given X server to
 an X client domain.  Provides the minimal set required by a basic
@@ -97208,7 +97658,7 @@ The type of the domain SYSV tmpfs files.
 </summary>
 </param>
 </template>
-<interface name="xserver_use_user_fonts" lineno="510">
+<interface name="xserver_use_user_fonts" lineno="530">
 <summary>
 Read user fonts, user font configuration,
 and manage the user font cache.
@@ -97229,7 +97679,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="xserver_domtrans_xauth" lineno="542">
+<interface name="xserver_domtrans_xauth" lineno="562">
 <summary>
 Transition to the Xauthority domain.
 </summary>
@@ -97239,7 +97689,7 @@ Domain allowed to transition.
 </summary>
 </param>
 </interface>
-<interface name="xserver_user_home_dir_filetrans_user_xauth" lineno="565">
+<interface name="xserver_user_home_dir_filetrans_user_xauth" lineno="585">
 <summary>
 Create a Xauthority file in the user home directory.
 </summary>
@@ -97254,7 +97704,7 @@ The name of the object being created.
 </summary>
 </param>
 </interface>
-<interface name="xserver_user_home_dir_filetrans_user_iceauth" lineno="589">
+<interface name="xserver_user_home_dir_filetrans_user_iceauth" lineno="609">
 <summary>
 Create a ICEauthority file in
 the user home directory.
@@ -97270,7 +97720,7 @@ The name of the object being created.
 </summary>
 </param>
 </interface>
-<interface name="xserver_user_home_dir_filetrans_user_xsession_log" lineno="608">
+<interface name="xserver_user_home_dir_filetrans_user_xsession_log" lineno="628">
 <summary>
 Create a .xsession-errors log
 file in the user home directory.
@@ -97281,7 +97731,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="xserver_read_user_xauth" lineno="626">
+<interface name="xserver_read_user_xauth" lineno="646">
 <summary>
 Read all users .Xauthority.
 </summary>
@@ -97291,7 +97741,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="xserver_read_user_dmrc" lineno="645">
+<interface name="xserver_read_user_dmrc" lineno="665">
 <summary>
 Read all users .dmrc.
 </summary>
@@ -97301,7 +97751,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="xserver_read_user_iceauth" lineno="664">
+<interface name="xserver_read_user_iceauth" lineno="684">
 <summary>
 Read all users .ICEauthority.
 </summary>
@@ -97311,7 +97761,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="xserver_setattr_console_pipes" lineno="683">
+<interface name="xserver_setattr_console_pipes" lineno="703">
 <summary>
 Set the attributes of the X windows console named pipes.
 </summary>
@@ -97321,7 +97771,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="xserver_rw_console" lineno="701">
+<interface name="xserver_rw_console" lineno="721">
 <summary>
 Read and write the X windows console named pipe.
 </summary>
@@ -97331,7 +97781,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="xserver_create_console_pipes" lineno="719">
+<interface name="xserver_create_console_pipes" lineno="739">
 <summary>
 Create the X windows console named pipes.
 </summary>
@@ -97341,7 +97791,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="xserver_relabel_console_pipes" lineno="737">
+<interface name="xserver_relabel_console_pipes" lineno="757">
 <summary>
 relabel the X windows console named pipes.
 </summary>
@@ -97351,7 +97801,32 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="xserver_use_xdm_fds" lineno="755">
+<interface name="xserver_xdm_auth_filetrans" lineno="790">
+<summary>
+Create xdm authorization files
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="file_type">
+<summary>
+The type of the object to be created
+</summary>
+</param>
+<param name="object_class">
+<summary>
+The object class.
+</summary>
+</param>
+<param name="name" optional="true">
+<summary>
+The name of the object being created.
+</summary>
+</param>
+</interface>
+<interface name="xserver_use_xdm_fds" lineno="808">
 <summary>
 Use file descriptors for xdm.
 </summary>
@@ -97361,7 +97836,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="xserver_dontaudit_use_xdm_fds" lineno="774">
+<interface name="xserver_dontaudit_use_xdm_fds" lineno="827">
 <summary>
 Do not audit attempts to inherit
 XDM file descriptors.
@@ -97372,7 +97847,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="xserver_sigchld_xdm" lineno="792">
+<interface name="xserver_sigchld_xdm" lineno="845">
 <summary>
 Allow domain to send sigchld to xdm_t
 </summary>
@@ -97382,7 +97857,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="xserver_rw_xdm_pipes" lineno="810">
+<interface name="xserver_rw_xdm_pipes" lineno="863">
 <summary>
 Read and write XDM unnamed pipes.
 </summary>
@@ -97392,7 +97867,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="xserver_dontaudit_rw_xdm_pipes" lineno="829">
+<interface name="xserver_dontaudit_rw_xdm_pipes" lineno="882">
 <summary>
 Do not audit attempts to read and write
 XDM unnamed pipes.
@@ -97403,7 +97878,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="xserver_dbus_chat_xdm" lineno="849">
+<interface name="xserver_dbus_chat_xdm" lineno="902">
 <summary>
 Send and receive messages from
 xdm over dbus.
@@ -97414,7 +97889,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="xserver_read_xdm_state" lineno="869">
+<interface name="xserver_read_xdm_state" lineno="922">
 <summary>
 Read xdm process state files.
 </summary>
@@ -97424,7 +97899,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="xserver_setsched_xdm" lineno="891">
+<interface name="xserver_setsched_xdm" lineno="944">
 <summary>
 Set the priority of the X Display
 Manager (XDM).
@@ -97435,7 +97910,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="xserver_stream_connect_xdm" lineno="910">
+<interface name="xserver_stream_connect_xdm" lineno="963">
 <summary>
 Connect to XDM over a unix domain
 stream socket.
@@ -97446,7 +97921,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="xserver_read_xdm_rw_config" lineno="929">
+<interface name="xserver_read_xdm_rw_config" lineno="982">
 <summary>
 Read xdm-writable configuration files.
 </summary>
@@ -97456,7 +97931,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="xserver_setattr_xdm_tmp_dirs" lineno="948">
+<interface name="xserver_setattr_xdm_tmp_dirs" lineno="1001">
 <summary>
 Set the attributes of XDM temporary directories.
 </summary>
@@ -97466,7 +97941,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="xserver_create_xdm_tmp_sockets" lineno="967">
+<interface name="xserver_create_xdm_tmp_sockets" lineno="1020">
 <summary>
 Create a named socket in a XDM
 temporary directory.
@@ -97477,7 +97952,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="xserver_delete_xdm_tmp_sockets" lineno="988">
+<interface name="xserver_delete_xdm_tmp_sockets" lineno="1041">
 <summary>
 Delete a named socket in a XDM
 temporary directory.
@@ -97488,7 +97963,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="xserver_read_xdm_runtime_files" lineno="1007">
+<interface name="xserver_read_xdm_runtime_files" lineno="1060">
 <summary>
 Read XDM runtime files.
 </summary>
@@ -97498,7 +97973,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="xserver_read_xdm_lib_files" lineno="1026">
+<interface name="xserver_read_xdm_lib_files" lineno="1079">
 <summary>
 Read XDM var lib files.
 </summary>
@@ -97508,7 +97983,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="xserver_xsession_entry_type" lineno="1044">
+<interface name="xserver_xsession_entry_type" lineno="1097">
 <summary>
 Make an X session script an entrypoint for the specified domain.
 </summary>
@@ -97518,7 +97993,7 @@ The domain for which the shell is an entrypoint.
 </summary>
 </param>
 </interface>
-<interface name="xserver_xsession_spec_domtrans" lineno="1081">
+<interface name="xserver_xsession_spec_domtrans" lineno="1134">
 <summary>
 Execute an X session in the target domain.  This
 is an explicit transition, requiring the
@@ -97547,7 +98022,7 @@ The type of the shell process.
 </summary>
 </param>
 </interface>
-<interface name="xserver_write_inherited_xsession_log" lineno="1100">
+<interface name="xserver_write_inherited_xsession_log" lineno="1153">
 <summary>
 Write to inherited  xsession log
 files such as .xsession-errors.
@@ -97558,7 +98033,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="xserver_rw_xsession_log" lineno="1120">
+<interface name="xserver_rw_xsession_log" lineno="1173">
 <summary>
 Read and write xsession log
 files such as .xsession-errors.
@@ -97569,7 +98044,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="xserver_manage_xsession_log" lineno="1139">
+<interface name="xserver_manage_xsession_log" lineno="1192">
 <summary>
 Manage xsession log files such
 as .xsession-errors.
@@ -97580,7 +98055,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="xserver_write_inherited_log" lineno="1158">
+<interface name="xserver_write_inherited_log" lineno="1211">
 <summary>
 Write to inherited X server log
 files like /var/log/lightdm/lightdm.log
@@ -97591,7 +98066,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="xserver_getattr_log" lineno="1176">
+<interface name="xserver_getattr_log" lineno="1229">
 <summary>
 Get the attributes of X server logs.
 </summary>
@@ -97601,7 +98076,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="xserver_dontaudit_write_log" lineno="1196">
+<interface name="xserver_dontaudit_write_log" lineno="1249">
 <summary>
 Do not audit attempts to write the X server
 log files.
@@ -97612,7 +98087,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="xserver_delete_log" lineno="1214">
+<interface name="xserver_delete_log" lineno="1267">
 <summary>
 Delete X server log files.
 </summary>
@@ -97622,7 +98097,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="xserver_read_xkb_libs" lineno="1235">
+<interface name="xserver_read_xkb_libs" lineno="1288">
 <summary>
 Read X keyboard extension libraries.
 </summary>
@@ -97632,7 +98107,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="xserver_create_xdm_tmp_dirs" lineno="1256">
+<interface name="xserver_create_xdm_tmp_dirs" lineno="1310">
 <summary>
 Create xdm temporary directories.
 </summary>
@@ -97642,7 +98117,7 @@ Domain to allow access.
 </summary>
 </param>
 </interface>
-<interface name="xserver_read_xdm_tmp_files" lineno="1274">
+<interface name="xserver_read_xdm_tmp_files" lineno="1328">
 <summary>
 Read xdm temporary files.
 </summary>
@@ -97652,7 +98127,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="xserver_dontaudit_read_xdm_tmp_files" lineno="1293">
+<interface name="xserver_dontaudit_read_xdm_tmp_files" lineno="1347">
 <summary>
 Do not audit attempts to read xdm temporary files.
 </summary>
@@ -97662,7 +98137,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="xserver_rw_xdm_tmp_files" lineno="1312">
+<interface name="xserver_rw_xdm_tmp_files" lineno="1366">
 <summary>
 Read write xdm temporary files.
 </summary>
@@ -97672,7 +98147,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="xserver_manage_xdm_tmp_files" lineno="1331">
+<interface name="xserver_manage_xdm_tmp_files" lineno="1385">
 <summary>
 Create, read, write, and delete xdm temporary files.
 </summary>
@@ -97682,7 +98157,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="xserver_dontaudit_getattr_xdm_tmp_sockets" lineno="1350">
+<interface name="xserver_dontaudit_getattr_xdm_tmp_sockets" lineno="1404">
 <summary>
 Do not audit attempts to get the attributes of
 xdm temporary named sockets.
@@ -97693,7 +98168,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="xserver_list_xdm_tmp" lineno="1368">
+<interface name="xserver_list_xdm_tmp" lineno="1422">
 <summary>
 list xdm_tmp_t directories
 </summary>
@@ -97703,7 +98178,7 @@ Domain to allow
 </summary>
 </param>
 </interface>
-<interface name="xserver_domtrans" lineno="1386">
+<interface name="xserver_domtrans" lineno="1440">
 <summary>
 Execute the X server in the X server domain.
 </summary>
@@ -97713,7 +98188,7 @@ Domain allowed to transition.
 </summary>
 </param>
 </interface>
-<interface name="xserver_signal" lineno="1405">
+<interface name="xserver_signal" lineno="1459">
 <summary>
 Signal X servers
 </summary>
@@ -97723,7 +98198,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="xserver_kill" lineno="1423">
+<interface name="xserver_kill" lineno="1477">
 <summary>
 Kill X servers
 </summary>
@@ -97733,7 +98208,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="xserver_read_state" lineno="1441">
+<interface name="xserver_read_state" lineno="1495">
 <summary>
 Allow reading xserver_t files to get cgroup and sessionid
 </summary>
@@ -97743,7 +98218,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="xserver_rw_shm" lineno="1461">
+<interface name="xserver_rw_shm" lineno="1515">
 <summary>
 Read and write X server Sys V Shared
 memory segments.
@@ -97754,7 +98229,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="xserver_dontaudit_rw_tcp_sockets" lineno="1480">
+<interface name="xserver_dontaudit_rw_tcp_sockets" lineno="1536">
 <summary>
 Do not audit attempts to read and write to
 X server sockets.
@@ -97765,7 +98240,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="xserver_dontaudit_rw_stream_sockets" lineno="1499">
+<interface name="xserver_dontaudit_rw_stream_sockets" lineno="1555">
 <summary>
 Do not audit attempts to read and write X server
 unix domain stream sockets.
@@ -97776,7 +98251,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="xserver_stream_connect" lineno="1518">
+<interface name="xserver_stream_connect" lineno="1574">
 <summary>
 Connect to the X server over a unix domain
 stream socket.
@@ -97787,7 +98262,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="xserver_read_tmp_files" lineno="1537">
+<interface name="xserver_read_tmp_files" lineno="1593">
 <summary>
 Read X server temporary files.
 </summary>
@@ -97797,7 +98272,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="xserver_dbus_chat" lineno="1556">
+<interface name="xserver_dbus_chat" lineno="1612">
 <summary>
 talk to xserver_t by dbus
 </summary>
@@ -97807,7 +98282,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="xserver_manage_core_devices" lineno="1578">
+<interface name="xserver_manage_core_devices" lineno="1634">
 <summary>
 Interface to provide X object permissions on a given X server to
 an X client domain.  Gives the domain permission to read the
@@ -97819,7 +98294,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="xserver_unconfined" lineno="1601">
+<interface name="xserver_unconfined" lineno="1657">
 <summary>
 Interface to provide X object permissions on a given X server to
 an X client domain.  Gives the domain complete control over the
@@ -97831,7 +98306,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="xserver_rw_xdm_keys" lineno="1621">
+<interface name="xserver_rw_xdm_keys" lineno="1677">
 <summary>
 Manage keys for xdm.
 </summary>
@@ -97841,7 +98316,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="xserver_link_xdm_keys" lineno="1639">
+<interface name="xserver_link_xdm_keys" lineno="1695">
 <summary>
 Manage keys for xdm.
 </summary>
@@ -97851,7 +98326,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="xserver_rw_mesa_shader_cache" lineno="1657">
+<interface name="xserver_rw_mesa_shader_cache" lineno="1713">
 <summary>
 Read and write the mesa shader cache.
 </summary>
@@ -97861,7 +98336,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="xserver_manage_mesa_shader_cache" lineno="1678">
+<interface name="xserver_manage_mesa_shader_cache" lineno="1734">
 <summary>
 Manage the mesa shader cache.
 </summary>
@@ -97871,6 +98346,29 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
+<tunable name="xserver_can_network" dftval="false">
+<desc>
+<p>
+Allows the X server to use TCP/IP
+networking functionality (insecure).
+</p>
+</desc>
+</tunable>
+<tunable name="xserver_xdm_can_network" dftval="false">
+<desc>
+<p>
+Allows the X display manager to use
+TCP/IP networking functionality (insecure).
+</p>
+</desc>
+</tunable>
+<tunable name="xdm_sysadm_login" dftval="false">
+<desc>
+<p>
+Allow xdm logins as sysadm
+</p>
+</desc>
+</tunable>
 <tunable name="allow_write_xshm" dftval="false">
 <desc>
 <p>
@@ -97879,10 +98377,11 @@ memory segments.
 </p>
 </desc>
 </tunable>
-<tunable name="xdm_sysadm_login" dftval="false">
+<tunable name="xserver_client_writes_xserver_tmpfs" dftval="false">
 <desc>
 <p>
-Allow xdm logins as sysadm
+Allows clients to write to the X server tmpfs
+files.
 </p>
 </desc>
 </tunable>
@@ -98429,7 +98928,17 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="auth_login_pgm_domain" lineno="145">
+<interface name="auth_read_pam_motd_dynamic" lineno="146">
+<summary>
+Read the pam module motd with dynamic support during authentication.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="auth_login_pgm_domain" lineno="165">
 <summary>
 Make the specified domain used for a login program.
 </summary>
@@ -98439,7 +98948,7 @@ Domain type used for a login program domain.
 </summary>
 </param>
 </interface>
-<interface name="auth_login_entry_type" lineno="232">
+<interface name="auth_login_entry_type" lineno="252">
 <summary>
 Use the login program as an entry point program.
 </summary>
@@ -98449,7 +98958,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="auth_domtrans_login_program" lineno="255">
+<interface name="auth_domtrans_login_program" lineno="275">
 <summary>
 Execute a login_program in the target domain.
 </summary>
@@ -98464,7 +98973,7 @@ The type of the login_program process.
 </summary>
 </param>
 </interface>
-<interface name="auth_ranged_domtrans_login_program" lineno="285">
+<interface name="auth_ranged_domtrans_login_program" lineno="305">
 <summary>
 Execute a login_program in the target domain,
 with a range transition.
@@ -98485,7 +98994,7 @@ Range of the login program.
 </summary>
 </param>
 </interface>
-<interface name="auth_search_cache" lineno="311">
+<interface name="auth_search_cache" lineno="331">
 <summary>
 Search authentication cache
 </summary>
@@ -98495,7 +99004,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="auth_read_cache" lineno="329">
+<interface name="auth_read_cache" lineno="349">
 <summary>
 Read authentication cache
 </summary>
@@ -98505,7 +99014,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="auth_rw_cache" lineno="347">
+<interface name="auth_rw_cache" lineno="367">
 <summary>
 Read/Write authentication cache
 </summary>
@@ -98515,7 +99024,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="auth_manage_cache" lineno="365">
+<interface name="auth_manage_cache" lineno="385">
 <summary>
 Manage authentication cache
 </summary>
@@ -98525,7 +99034,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="auth_var_filetrans_cache" lineno="384">
+<interface name="auth_var_filetrans_cache" lineno="404">
 <summary>
 Automatic transition from cache_t to cache.
 </summary>
@@ -98535,7 +99044,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="auth_domtrans_chk_passwd" lineno="402">
+<interface name="auth_domtrans_chk_passwd" lineno="422">
 <summary>
 Run unix_chkpwd to check a password.
 </summary>
@@ -98545,7 +99054,7 @@ Domain allowed to transition.
 </summary>
 </param>
 </interface>
-<interface name="auth_domtrans_chkpwd" lineno="446">
+<interface name="auth_domtrans_chkpwd" lineno="466">
 <summary>
 Run unix_chkpwd to check a password.
 Stripped down version to be called within boolean
@@ -98556,7 +99065,7 @@ Domain allowed to transition.
 </summary>
 </param>
 </interface>
-<interface name="auth_run_chk_passwd" lineno="468">
+<interface name="auth_run_chk_passwd" lineno="488">
 <summary>
 Execute chkpwd programs in the chkpwd domain.
 </summary>
@@ -98571,7 +99080,7 @@ The role to allow the chkpwd domain.
 </summary>
 </param>
 </interface>
-<interface name="auth_domtrans_upd_passwd" lineno="487">
+<interface name="auth_domtrans_upd_passwd" lineno="507">
 <summary>
 Execute a domain transition to run unix_update.
 </summary>
@@ -98581,7 +99090,7 @@ Domain allowed to transition.
 </summary>
 </param>
 </interface>
-<interface name="auth_run_upd_passwd" lineno="512">
+<interface name="auth_run_upd_passwd" lineno="532">
 <summary>
 Execute updpwd programs in the updpwd domain.
 </summary>
@@ -98596,7 +99105,7 @@ The role to allow the updpwd domain.
 </summary>
 </param>
 </interface>
-<interface name="auth_getattr_shadow" lineno="531">
+<interface name="auth_getattr_shadow" lineno="551">
 <summary>
 Get the attributes of the shadow passwords file.
 </summary>
@@ -98606,7 +99115,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="auth_dontaudit_getattr_shadow" lineno="551">
+<interface name="auth_dontaudit_getattr_shadow" lineno="571">
 <summary>
 Do not audit attempts to get the attributes
 of the shadow passwords file.
@@ -98617,7 +99126,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="auth_read_shadow" lineno="573">
+<interface name="auth_read_shadow" lineno="593">
 <summary>
 Read the shadow passwords file (/etc/shadow)
 </summary>
@@ -98627,7 +99136,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="auth_map_shadow" lineno="588">
+<interface name="auth_map_shadow" lineno="609">
 <summary>
 Map the shadow passwords file (/etc/shadow)
 </summary>
@@ -98637,7 +99146,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="auth_can_read_shadow_passwords" lineno="614">
+<interface name="auth_can_read_shadow_passwords" lineno="635">
 <summary>
 Pass shadow assertion for reading.
 </summary>
@@ -98656,7 +99165,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="auth_tunable_read_shadow" lineno="640">
+<interface name="auth_tunable_read_shadow" lineno="661">
 <summary>
 Read the shadow password file.
 </summary>
@@ -98674,7 +99183,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="auth_dontaudit_read_shadow" lineno="660">
+<interface name="auth_dontaudit_read_shadow" lineno="681">
 <summary>
 Do not audit attempts to read the shadow
 password file (/etc/shadow).
@@ -98685,7 +99194,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="auth_rw_shadow" lineno="678">
+<interface name="auth_rw_shadow" lineno="699">
 <summary>
 Read and write the shadow password file (/etc/shadow).
 </summary>
@@ -98695,7 +99204,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="auth_manage_shadow" lineno="701">
+<interface name="auth_manage_shadow" lineno="722">
 <summary>
 Create, read, write, and delete the shadow
 password file.
@@ -98706,7 +99215,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="auth_etc_filetrans_shadow" lineno="727">
+<interface name="auth_etc_filetrans_shadow" lineno="749">
 <summary>
 Automatic transition from etc to shadow.
 </summary>
@@ -98721,7 +99230,27 @@ The name of the object being created.
 </summary>
 </param>
 </interface>
-<interface name="auth_relabelto_shadow" lineno="746">
+<interface name="auth_read_shadow_history" lineno="767">
+<summary>
+Read the shadow history file.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="auth_manage_shadow_history" lineno="786">
+<summary>
+Manage the shadow history file.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="auth_relabelto_shadow" lineno="806">
 <summary>
 Relabel to the shadow
 password file type.
@@ -98732,7 +99261,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="auth_relabel_shadow" lineno="768">
+<interface name="auth_relabel_shadow" lineno="828">
 <summary>
 Relabel from and to the shadow
 password file type.
@@ -98743,7 +99272,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="auth_rw_shadow_lock" lineno="789">
+<interface name="auth_rw_shadow_lock" lineno="849">
 <summary>
 Read/Write shadow lock files.
 </summary>
@@ -98753,7 +99282,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="auth_append_faillog" lineno="807">
+<interface name="auth_append_faillog" lineno="867">
 <summary>
 Append to the login failure log.
 </summary>
@@ -98763,7 +99292,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="auth_create_faillog_files" lineno="826">
+<interface name="auth_create_faillog_files" lineno="886">
 <summary>
 Create fail log lock (in /run/faillock).
 </summary>
@@ -98773,7 +99302,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="auth_rw_faillog" lineno="844">
+<interface name="auth_rw_faillog" lineno="904">
 <summary>
 Read and write the login failure log.
 </summary>
@@ -98783,7 +99312,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="auth_manage_faillog" lineno="863">
+<interface name="auth_manage_faillog" lineno="923">
 <summary>
 Manage the login failure logs.
 </summary>
@@ -98793,7 +99322,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="auth_setattr_faillog_files" lineno="882">
+<interface name="auth_setattr_faillog_files" lineno="942">
 <summary>
 Setattr the login failure logs.
 </summary>
@@ -98803,7 +99332,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="auth_read_lastlog" lineno="901">
+<interface name="auth_read_lastlog" lineno="961">
 <summary>
 Read the last logins log.
 </summary>
@@ -98814,7 +99343,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="auth_append_lastlog" lineno="920">
+<interface name="auth_append_lastlog" lineno="980">
 <summary>
 Append only to the last logins log.
 </summary>
@@ -98824,7 +99353,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="auth_relabel_lastlog" lineno="939">
+<interface name="auth_relabel_lastlog" lineno="999">
 <summary>
 relabel the last logins log.
 </summary>
@@ -98834,7 +99363,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="auth_rw_lastlog" lineno="958">
+<interface name="auth_rw_lastlog" lineno="1018">
 <summary>
 Read and write to the last logins log.
 </summary>
@@ -98844,7 +99373,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="auth_manage_lastlog" lineno="977">
+<interface name="auth_manage_lastlog" lineno="1037">
 <summary>
 Manage the last logins log.
 </summary>
@@ -98854,7 +99383,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="auth_domtrans_pam" lineno="996">
+<interface name="auth_domtrans_pam" lineno="1056">
 <summary>
 Execute pam programs in the pam domain.
 </summary>
@@ -98864,7 +99393,7 @@ Domain allowed to transition.
 </summary>
 </param>
 </interface>
-<interface name="auth_signal_pam" lineno="1014">
+<interface name="auth_signal_pam" lineno="1074">
 <summary>
 Send generic signals to pam processes.
 </summary>
@@ -98874,7 +99403,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="auth_run_pam" lineno="1037">
+<interface name="auth_run_pam" lineno="1097">
 <summary>
 Execute pam programs in the PAM domain.
 </summary>
@@ -98889,7 +99418,7 @@ The role to allow the PAM domain.
 </summary>
 </param>
 </interface>
-<interface name="auth_exec_pam" lineno="1056">
+<interface name="auth_exec_pam" lineno="1116">
 <summary>
 Execute the pam program.
 </summary>
@@ -98899,7 +99428,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="auth_read_var_auth" lineno="1075">
+<interface name="auth_read_var_auth" lineno="1135">
 <summary>
 Read var auth files. Used by various other applications
 and pam applets etc.
@@ -98910,7 +99439,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="auth_rw_var_auth" lineno="1095">
+<interface name="auth_rw_var_auth" lineno="1155">
 <summary>
 Read and write var auth files. Used by various other applications
 and pam applets etc.
@@ -98921,7 +99450,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="auth_manage_var_auth" lineno="1115">
+<interface name="auth_manage_var_auth" lineno="1175">
 <summary>
 Manage var auth files. Used by various other applications
 and pam applets etc.
@@ -98932,7 +99461,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="auth_manage_pam_runtime_dirs" lineno="1136">
+<interface name="auth_manage_pam_runtime_dirs" lineno="1196">
 <summary>
 Manage pam runtime dirs.
 </summary>
@@ -98942,7 +99471,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="auth_runtime_filetrans_pam_runtime" lineno="1167">
+<interface name="auth_runtime_filetrans_pam_runtime" lineno="1227">
 <summary>
 Create specified objects in
 pid directories with the pam runtime
@@ -98964,7 +99493,7 @@ The name of the object being created.
 </summary>
 </param>
 </interface>
-<interface name="auth_read_pam_runtime_files" lineno="1185">
+<interface name="auth_read_pam_runtime_files" lineno="1245">
 <summary>
 Read PAM runtime files.
 </summary>
@@ -98974,7 +99503,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="auth_dontaudit_read_pam_runtime_files" lineno="1205">
+<interface name="auth_dontaudit_read_pam_runtime_files" lineno="1265">
 <summary>
 Do not audit attempts to read PAM runtime files.
 </summary>
@@ -98984,7 +99513,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="auth_delete_pam_runtime_files" lineno="1223">
+<interface name="auth_delete_pam_runtime_files" lineno="1283">
 <summary>
 Delete pam runtime files.
 </summary>
@@ -98994,7 +99523,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="auth_manage_pam_runtime_files" lineno="1242">
+<interface name="auth_manage_pam_runtime_files" lineno="1302">
 <summary>
 Create, read, write, and delete pam runtime files.
 </summary>
@@ -99004,7 +99533,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="auth_domtrans_pam_console" lineno="1261">
+<interface name="auth_domtrans_pam_console" lineno="1321">
 <summary>
 Execute pam_console with a domain transition.
 </summary>
@@ -99014,7 +99543,7 @@ Domain allowed to transition.
 </summary>
 </param>
 </interface>
-<interface name="auth_search_pam_console_data" lineno="1280">
+<interface name="auth_search_pam_console_data" lineno="1340">
 <summary>
 Search the contents of the
 pam_console data directory.
@@ -99025,7 +99554,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="auth_list_pam_console_data" lineno="1300">
+<interface name="auth_list_pam_console_data" lineno="1360">
 <summary>
 List the contents of the pam_console
 data directory.
@@ -99036,7 +99565,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="auth_create_pam_console_data_dirs" lineno="1319">
+<interface name="auth_create_pam_console_data_dirs" lineno="1379">
 <summary>
 Create pam var console pid directories.
 </summary>
@@ -99046,7 +99575,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="auth_relabel_pam_console_data_dirs" lineno="1338">
+<interface name="auth_relabel_pam_console_data_dirs" lineno="1398">
 <summary>
 Relabel pam_console data directories.
 </summary>
@@ -99056,7 +99585,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="auth_read_pam_console_data" lineno="1356">
+<interface name="auth_read_pam_console_data" lineno="1416">
 <summary>
 Read pam_console data files.
 </summary>
@@ -99066,7 +99595,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="auth_manage_pam_console_data" lineno="1377">
+<interface name="auth_manage_pam_console_data" lineno="1437">
 <summary>
 Create, read, write, and delete
 pam_console data files.
@@ -99077,7 +99606,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="auth_delete_pam_console_data" lineno="1397">
+<interface name="auth_delete_pam_console_data" lineno="1457">
 <summary>
 Delete pam_console data.
 </summary>
@@ -99087,7 +99616,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="auth_runtime_filetrans_pam_var_console" lineno="1430">
+<interface name="auth_runtime_filetrans_pam_var_console" lineno="1490">
 <summary>
 Create specified objects in generic
 runtime directories with the pam var
@@ -99110,7 +99639,7 @@ The name of the object being created.
 </summary>
 </param>
 </interface>
-<interface name="auth_domtrans_utempter" lineno="1448">
+<interface name="auth_domtrans_utempter" lineno="1508">
 <summary>
 Execute utempter programs in the utempter domain.
 </summary>
@@ -99120,7 +99649,7 @@ Domain allowed to transition.
 </summary>
 </param>
 </interface>
-<interface name="auth_run_utempter" lineno="1471">
+<interface name="auth_run_utempter" lineno="1531">
 <summary>
 Execute utempter programs in the utempter domain.
 </summary>
@@ -99135,7 +99664,7 @@ The role to allow the utempter domain.
 </summary>
 </param>
 </interface>
-<interface name="auth_dontaudit_exec_utempter" lineno="1490">
+<interface name="auth_dontaudit_exec_utempter" lineno="1550">
 <summary>
 Do not audit attempts to execute utempter executable.
 </summary>
@@ -99145,7 +99674,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="auth_setattr_login_records" lineno="1508">
+<interface name="auth_setattr_login_records" lineno="1568">
 <summary>
 Set the attributes of login record files.
 </summary>
@@ -99155,7 +99684,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="auth_read_login_records" lineno="1528">
+<interface name="auth_read_login_records" lineno="1588">
 <summary>
 Read login records files (/var/log/wtmp).
 </summary>
@@ -99166,7 +99695,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="auth_dontaudit_read_login_records" lineno="1549">
+<interface name="auth_dontaudit_read_login_records" lineno="1609">
 <summary>
 Do not audit attempts to read login records
 files (/var/log/wtmp).
@@ -99178,7 +99707,7 @@ Domain to not audit.
 </param>
 <rolecap/>
 </interface>
-<interface name="auth_dontaudit_write_login_records" lineno="1568">
+<interface name="auth_dontaudit_write_login_records" lineno="1628">
 <summary>
 Do not audit attempts to write to
 login records files.
@@ -99189,7 +99718,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="auth_append_login_records" lineno="1586">
+<interface name="auth_append_login_records" lineno="1646">
 <summary>
 Append to login records (wtmp).
 </summary>
@@ -99199,7 +99728,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="auth_write_login_records" lineno="1605">
+<interface name="auth_write_login_records" lineno="1665">
 <summary>
 Write to login records (wtmp).
 </summary>
@@ -99209,7 +99738,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="auth_rw_login_records" lineno="1623">
+<interface name="auth_rw_login_records" lineno="1683">
 <summary>
 Read and write login records.
 </summary>
@@ -99219,7 +99748,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="auth_log_filetrans_login_records" lineno="1643">
+<interface name="auth_log_filetrans_login_records" lineno="1703">
 <summary>
 Create a login records in the log directory
 using a type transition.
@@ -99230,7 +99759,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="auth_manage_login_records" lineno="1662">
+<interface name="auth_manage_login_records" lineno="1722">
 <summary>
 Create, read, write, and delete login
 records files.
@@ -99241,7 +99770,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="auth_relabel_login_records" lineno="1681">
+<interface name="auth_relabel_login_records" lineno="1741">
 <summary>
 Relabel login record files.
 </summary>
@@ -99251,7 +99780,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="auth_use_nsswitch" lineno="1709">
+<interface name="auth_use_nsswitch" lineno="1769">
 <summary>
 Use nsswitch to look up user, password, group, or
 host information.
@@ -99271,7 +99800,7 @@ Domain allowed access.
 </param>
 <infoflow type="both" weight="10"/>
 </interface>
-<interface name="auth_unconfined" lineno="1737">
+<interface name="auth_unconfined" lineno="1797">
 <summary>
 Unconfined access to the authlogin module.
 </summary>
@@ -99569,7 +100098,37 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fstools_relabelto_entry_files" lineno="132">
+<interface name="fstools_read_fsadm_db_files" lineno="131">
+<summary>
+Read fsadm_db_t files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fstools_manage_fsadm_db_files" lineno="149">
+<summary>
+Manage all fsadm_db_t files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fstools_watch_fsadm_db_dirs" lineno="169">
+<summary>
+Watch fsadm_db_t directories.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fstools_relabelto_entry_files" lineno="188">
 <summary>
 Relabel a file to the type used by the
 filesystem tools programs.
@@ -99580,7 +100139,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fstools_manage_entry_files" lineno="151">
+<interface name="fstools_manage_entry_files" lineno="207">
 <summary>
 Create, read, write, and delete a file used by the
 filesystem tools programs.
@@ -99591,7 +100150,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fstools_write_log" lineno="169">
+<interface name="fstools_write_log" lineno="225">
 <summary>
 Write to fsadm_log_t
 </summary>
@@ -99601,7 +100160,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fstools_manage_runtime_files" lineno="188">
+<interface name="fstools_manage_runtime_files" lineno="244">
 <summary>
 Create, read, write, and delete filesystem tools
 runtime files.
@@ -99612,7 +100171,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fstools_getattr_swap_files" lineno="206">
+<interface name="fstools_getattr_swap_files" lineno="262">
 <summary>
 Getattr swapfile
 </summary>
@@ -99622,7 +100181,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fstools_dontaudit_getattr_swap_files" lineno="224">
+<interface name="fstools_dontaudit_getattr_swap_files" lineno="280">
 <summary>
 Ignore access to a swapfile.
 </summary>
@@ -99632,7 +100191,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="fstools_relabelto_swap_files" lineno="242">
+<interface name="fstools_relabelto_swap_files" lineno="298">
 <summary>
 Relabel to swapfile.
 </summary>
@@ -99642,7 +100201,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fstools_manage_swap_files" lineno="260">
+<interface name="fstools_manage_swap_files" lineno="316">
 <summary>
 Manage swapfile.
 </summary>
@@ -99652,6 +100211,26 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
+<interface name="fstools_runtime_filetrans" lineno="344">
+<summary>
+Create objects in the runtime directory with an automatic type transition to the fsadm runtime type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="object">
+<summary>
+The object class of the object being created.
+</summary>
+</param>
+<param name="name" optional="true">
+<summary>
+The name of the object being created.
+</summary>
+</param>
+</interface>
 </module>
 <module name="getty" filename="policy/modules/system/getty.if">
 <summary>Manages physical or virtual terminals.</summary>
@@ -100314,7 +100893,18 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_use_fds" lineno="1055">
+<interface name="init_unix_stream_socket_sendto" lineno="1016">
+<summary>
+Send to init with a unix socket.
+Without any additional permissions.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="init_use_fds" lineno="1074">
 <summary>
 Inherit and use file descriptors from init.
 </summary>
@@ -100364,7 +100954,7 @@ Domain allowed access.
 </param>
 <infoflow type="read" weight="1"/>
 </interface>
-<interface name="init_dontaudit_use_fds" lineno="1074">
+<interface name="init_dontaudit_use_fds" lineno="1093">
 <summary>
 Do not audit attempts to inherit file
 descriptors from init.
@@ -100375,7 +100965,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="init_dgram_send" lineno="1093">
+<interface name="init_dgram_send" lineno="1112">
 <summary>
 Send messages to init unix datagram sockets.
 </summary>
@@ -100386,7 +100976,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="init_rw_inherited_stream_socket" lineno="1113">
+<interface name="init_rw_inherited_stream_socket" lineno="1132">
 <summary>
 Read and write to inherited init unix streams.
 </summary>
@@ -100396,7 +100986,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_rw_stream_sockets" lineno="1132">
+<interface name="init_rw_stream_sockets" lineno="1151">
 <summary>
 Allow the specified domain to read/write to
 init with unix domain stream sockets.
@@ -100407,7 +100997,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_dontaudit_search_keys" lineno="1150">
+<interface name="init_dontaudit_search_keys" lineno="1169">
 <summary>
 Do not audit attempts to search init keys.
 </summary>
@@ -100417,7 +101007,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_start_system" lineno="1168">
+<interface name="init_start_system" lineno="1187">
 <summary>
 start service (systemd).
 </summary>
@@ -100427,7 +101017,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_stop_system" lineno="1186">
+<interface name="init_stop_system" lineno="1205">
 <summary>
 stop service (systemd).
 </summary>
@@ -100437,7 +101027,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_get_system_status" lineno="1204">
+<interface name="init_get_system_status" lineno="1223">
 <summary>
 Get all service status (systemd).
 </summary>
@@ -100447,7 +101037,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_enable" lineno="1222">
+<interface name="init_enable" lineno="1241">
 <summary>
 Enable all systemd services (systemd).
 </summary>
@@ -100457,7 +101047,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_disable" lineno="1240">
+<interface name="init_disable" lineno="1259">
 <summary>
 Disable all services (systemd).
 </summary>
@@ -100467,7 +101057,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_reload" lineno="1258">
+<interface name="init_reload" lineno="1277">
 <summary>
 Reload all services (systemd).
 </summary>
@@ -100477,7 +101067,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_reboot_system" lineno="1276">
+<interface name="init_reboot_system" lineno="1295">
 <summary>
 Reboot the system (systemd).
 </summary>
@@ -100487,7 +101077,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_shutdown_system" lineno="1294">
+<interface name="init_shutdown_system" lineno="1313">
 <summary>
 Shutdown (halt) the system (systemd).
 </summary>
@@ -100497,7 +101087,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_service_status" lineno="1312">
+<interface name="init_service_status" lineno="1331">
 <summary>
 Allow specified domain to get init status
 </summary>
@@ -100507,7 +101097,7 @@ Domain to allow access.
 </summary>
 </param>
 </interface>
-<interface name="init_service_start" lineno="1331">
+<interface name="init_service_start" lineno="1350">
 <summary>
 Allow specified domain to get init start
 </summary>
@@ -100517,7 +101107,7 @@ Domain to allow access.
 </summary>
 </param>
 </interface>
-<interface name="init_dbus_chat" lineno="1351">
+<interface name="init_dbus_chat" lineno="1370">
 <summary>
 Send and receive messages from
 systemd over dbus.
@@ -100528,7 +101118,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_run_bpf" lineno="1371">
+<interface name="init_run_bpf" lineno="1390">
 <summary>
 Run init BPF programs.
 </summary>
@@ -100538,7 +101128,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_read_var_lib_links" lineno="1390">
+<interface name="init_read_var_lib_links" lineno="1409">
 <summary>
 read/follow symlinks under /var/lib/systemd/
 </summary>
@@ -100548,7 +101138,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_search_var_lib_dirs" lineno="1409">
+<interface name="init_search_var_lib_dirs" lineno="1428">
 <summary>
 Search /var/lib/systemd/ dirs
 </summary>
@@ -100558,7 +101148,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_list_var_lib_dirs" lineno="1428">
+<interface name="init_list_var_lib_dirs" lineno="1447">
 <summary>
 List /var/lib/systemd/ dir
 </summary>
@@ -100568,7 +101158,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_relabel_var_lib_dirs" lineno="1446">
+<interface name="init_relabel_var_lib_dirs" lineno="1465">
 <summary>
 Relabel dirs in /var/lib/systemd/.
 </summary>
@@ -100578,7 +101168,20 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_manage_var_lib_files" lineno="1464">
+<interface name="init_manage_random_seed" lineno="1486">
+<summary>
+Create, read, write, and delete the
+pseudorandom number generator seed
+file in /var/lib or /var/run
+directories.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="init_manage_var_lib_files" lineno="1507">
 <summary>
 Manage files in /var/lib/systemd/.
 </summary>
@@ -100588,7 +101191,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_var_lib_filetrans" lineno="1499">
+<interface name="init_var_lib_filetrans" lineno="1542">
 <summary>
 Create files in /var/lib/systemd
 with an automatic type transition.
@@ -100614,7 +101217,7 @@ The name of the object being created.
 </summary>
 </param>
 </interface>
-<interface name="init_search_runtime" lineno="1518">
+<interface name="init_search_runtime" lineno="1561">
 <summary>
 Search init runtime directories, e.g. /run/systemd.
 </summary>
@@ -100624,7 +101227,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_list_runtime" lineno="1536">
+<interface name="init_list_runtime" lineno="1579">
 <summary>
 List init runtime directories, e.g. /run/systemd.
 </summary>
@@ -100634,7 +101237,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_manage_runtime_dirs" lineno="1556">
+<interface name="init_manage_runtime_dirs" lineno="1599">
 <summary>
 Create, read, write, and delete
 directories in the /run/systemd directory.
@@ -100645,7 +101248,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_runtime_filetrans" lineno="1589">
+<interface name="init_runtime_filetrans" lineno="1632">
 <summary>
 Create files in an init runtime directory with a private type.
 </summary>
@@ -100670,7 +101273,7 @@ The name of the object being created.
 </summary>
 </param>
 </interface>
-<interface name="init_write_runtime_files" lineno="1608">
+<interface name="init_write_runtime_files" lineno="1651">
 <summary>
 Write init runtime files, e.g. in /run/systemd.
 </summary>
@@ -100680,7 +101283,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_create_runtime_files" lineno="1626">
+<interface name="init_create_runtime_files" lineno="1669">
 <summary>
 Create init runtime files, e.g. in /run/systemd.
 </summary>
@@ -100690,7 +101293,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_manage_runtime_symlinks" lineno="1644">
+<interface name="init_manage_runtime_symlinks" lineno="1687">
 <summary>
 Create init runtime symbolic links, e.g. in /run/systemd.
 </summary>
@@ -100700,7 +101303,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_getattr_initctl" lineno="1662">
+<interface name="init_getattr_initctl" lineno="1705">
 <summary>
 Get the attributes of initctl.
 </summary>
@@ -100710,7 +101313,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_dontaudit_getattr_initctl" lineno="1683">
+<interface name="init_dontaudit_getattr_initctl" lineno="1726">
 <summary>
 Do not audit attempts to get the
 attributes of initctl.
@@ -100721,7 +101324,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="init_write_initctl" lineno="1701">
+<interface name="init_write_initctl" lineno="1744">
 <summary>
 Write to initctl.
 </summary>
@@ -100731,7 +101334,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_telinit" lineno="1722">
+<interface name="init_telinit" lineno="1765">
 <summary>
 Use telinit (Read and write initctl).
 </summary>
@@ -100742,7 +101345,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="init_rw_initctl" lineno="1755">
+<interface name="init_rw_initctl" lineno="1798">
 <summary>
 Read and write initctl.
 </summary>
@@ -100752,7 +101355,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_dontaudit_rw_initctl" lineno="1776">
+<interface name="init_dontaudit_rw_initctl" lineno="1819">
 <summary>
 Do not audit attempts to read and
 write initctl.
@@ -100763,7 +101366,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="init_script_file_entry_type" lineno="1795">
+<interface name="init_script_file_entry_type" lineno="1838">
 <summary>
 Make init scripts an entry point for
 the specified domain.
@@ -100774,7 +101377,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_spec_domtrans_script" lineno="1818">
+<interface name="init_spec_domtrans_script" lineno="1861">
 <summary>
 Execute init scripts with a specified domain transition.
 </summary>
@@ -100784,7 +101387,7 @@ Domain allowed to transition.
 </summary>
 </param>
 </interface>
-<interface name="init_domtrans_script" lineno="1845">
+<interface name="init_domtrans_script" lineno="1888">
 <summary>
 Execute init scripts with an automatic domain transition.
 </summary>
@@ -100794,7 +101397,7 @@ Domain allowed to transition.
 </summary>
 </param>
 </interface>
-<interface name="init_domtrans_labeled_script" lineno="1880">
+<interface name="init_domtrans_labeled_script" lineno="1923">
 <summary>
 Execute labelled init scripts with an automatic domain transition.
 </summary>
@@ -100804,7 +101407,7 @@ Domain allowed to transition.
 </summary>
 </param>
 </interface>
-<interface name="init_script_file_domtrans" lineno="1926">
+<interface name="init_script_file_domtrans" lineno="1969">
 <summary>
 Execute a init script in a specified domain.
 </summary>
@@ -100829,7 +101432,7 @@ Domain to transition to.
 </summary>
 </param>
 </interface>
-<interface name="init_kill_scripts" lineno="1945">
+<interface name="init_kill_scripts" lineno="1988">
 <summary>
 Send a kill signal to init scripts.
 </summary>
@@ -100839,7 +101442,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_manage_script_service" lineno="1963">
+<interface name="init_manage_script_service" lineno="2006">
 <summary>
 Allow manage service for initrc_exec_t scripts
 </summary>
@@ -100849,7 +101452,7 @@ Target domain
 </summary>
 </param>
 </interface>
-<interface name="init_labeled_script_domtrans" lineno="1988">
+<interface name="init_labeled_script_domtrans" lineno="2031">
 <summary>
 Transition to the init script domain
 on a specified labeled init script.
@@ -100865,7 +101468,7 @@ Labeled init script file.
 </summary>
 </param>
 </interface>
-<interface name="init_all_labeled_script_domtrans" lineno="2010">
+<interface name="init_all_labeled_script_domtrans" lineno="2053">
 <summary>
 Transition to the init script domain
 for all labeled init script types
@@ -100876,7 +101479,7 @@ Domain allowed to transition.
 </summary>
 </param>
 </interface>
-<interface name="init_get_script_status" lineno="2028">
+<interface name="init_get_script_status" lineno="2071">
 <summary>
 Allow getting service status of initrc_exec_t scripts
 </summary>
@@ -100886,7 +101489,7 @@ Target domain
 </summary>
 </param>
 </interface>
-<interface name="init_startstop_service" lineno="2068">
+<interface name="init_startstop_service" lineno="2111">
 <summary>
 Allow the role to start and stop
 labeled services.
@@ -100917,7 +101520,7 @@ Systemd unit file type.
 </summary>
 </param>
 </interface>
-<interface name="init_run_daemon" lineno="2124">
+<interface name="init_run_daemon" lineno="2167">
 <summary>
 Start and stop daemon programs directly.
 </summary>
@@ -100939,7 +101542,7 @@ The role to be performing this action.
 </summary>
 </param>
 </interface>
-<interface name="init_startstop_all_script_services" lineno="2146">
+<interface name="init_startstop_all_script_services" lineno="2189">
 <summary>
 Start and stop init_script_file_type services
 </summary>
@@ -100949,7 +101552,7 @@ domain that can start and stop the services
 </summary>
 </param>
 </interface>
-<interface name="init_read_state" lineno="2165">
+<interface name="init_read_state" lineno="2208">
 <summary>
 Read the process state (/proc/pid) of init.
 </summary>
@@ -100959,7 +101562,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_dontaudit_read_state" lineno="2185">
+<interface name="init_dontaudit_read_state" lineno="2228">
 <summary>
 Dontaudit read the process state (/proc/pid) of init.
 </summary>
@@ -100969,7 +101572,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="init_ptrace" lineno="2206">
+<interface name="init_ptrace" lineno="2249">
 <summary>
 Ptrace init
 </summary>
@@ -100980,7 +101583,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="init_getattr" lineno="2225">
+<interface name="init_getattr" lineno="2268">
 <summary>
 get init process stats
 </summary>
@@ -100991,7 +101594,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="init_read_script_pipes" lineno="2243">
+<interface name="init_read_script_pipes" lineno="2286">
 <summary>
 Read an init script unnamed pipe.
 </summary>
@@ -101001,7 +101604,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_write_script_pipes" lineno="2261">
+<interface name="init_write_script_pipes" lineno="2304">
 <summary>
 Write an init script unnamed pipe.
 </summary>
@@ -101011,7 +101614,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_getattr_script_files" lineno="2279">
+<interface name="init_getattr_script_files" lineno="2322">
 <summary>
 Get the attribute of init script entrypoint files.
 </summary>
@@ -101021,7 +101624,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_read_script_files" lineno="2298">
+<interface name="init_read_script_files" lineno="2341">
 <summary>
 Read init scripts.
 </summary>
@@ -101031,7 +101634,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_exec_script_files" lineno="2317">
+<interface name="init_exec_script_files" lineno="2360">
 <summary>
 Execute init scripts in the caller domain.
 </summary>
@@ -101041,7 +101644,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_getattr_all_script_files" lineno="2336">
+<interface name="init_getattr_all_script_files" lineno="2379">
 <summary>
 Get the attribute of all init script entrypoint files.
 </summary>
@@ -101051,7 +101654,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_read_all_script_files" lineno="2355">
+<interface name="init_read_all_script_files" lineno="2398">
 <summary>
 Read all init script files.
 </summary>
@@ -101061,7 +101664,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_dontaudit_read_all_script_files" lineno="2379">
+<interface name="init_dontaudit_read_all_script_files" lineno="2422">
 <summary>
 Dontaudit read all init script files.
 </summary>
@@ -101071,7 +101674,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="init_exec_all_script_files" lineno="2397">
+<interface name="init_exec_all_script_files" lineno="2440">
 <summary>
 Execute all init scripts in the caller domain.
 </summary>
@@ -101081,7 +101684,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_read_script_state" lineno="2416">
+<interface name="init_read_script_state" lineno="2459">
 <summary>
 Read the process state (/proc/pid) of the init scripts.
 </summary>
@@ -101091,7 +101694,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_use_script_fds" lineno="2435">
+<interface name="init_use_script_fds" lineno="2478">
 <summary>
 Inherit and use init script file descriptors.
 </summary>
@@ -101101,7 +101704,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_dontaudit_use_script_fds" lineno="2454">
+<interface name="init_dontaudit_use_script_fds" lineno="2497">
 <summary>
 Do not audit attempts to inherit
 init script file descriptors.
@@ -101112,7 +101715,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="init_search_script_keys" lineno="2472">
+<interface name="init_search_script_keys" lineno="2515">
 <summary>
 Search init script keys.
 </summary>
@@ -101122,7 +101725,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_getpgid_script" lineno="2490">
+<interface name="init_getpgid_script" lineno="2533">
 <summary>
 Get the process group ID of init scripts.
 </summary>
@@ -101132,7 +101735,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_sigchld_script" lineno="2508">
+<interface name="init_sigchld_script" lineno="2551">
 <summary>
 Send SIGCHLD signals to init scripts.
 </summary>
@@ -101142,7 +101745,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_signal_script" lineno="2526">
+<interface name="init_signal_script" lineno="2569">
 <summary>
 Send generic signals to init scripts.
 </summary>
@@ -101152,7 +101755,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_signull_script" lineno="2544">
+<interface name="init_signull_script" lineno="2587">
 <summary>
 Send null signals to init scripts.
 </summary>
@@ -101162,7 +101765,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_rw_script_pipes" lineno="2562">
+<interface name="init_rw_script_pipes" lineno="2605">
 <summary>
 Read and write init script unnamed pipes.
 </summary>
@@ -101172,7 +101775,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_stream_connect_script" lineno="2581">
+<interface name="init_stream_connect_script" lineno="2624">
 <summary>
 Allow the specified domain to connect to
 init scripts with a unix socket.
@@ -101183,7 +101786,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_rw_script_stream_sockets" lineno="2600">
+<interface name="init_rw_script_stream_sockets" lineno="2643">
 <summary>
 Allow the specified domain to read/write to
 init scripts with a unix domain stream sockets.
@@ -101194,7 +101797,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_dontaudit_stream_connect_script" lineno="2619">
+<interface name="init_dontaudit_stream_connect_script" lineno="2662">
 <summary>
 Dont audit the specified domain connecting to
 init scripts with a unix domain stream socket.
@@ -101205,7 +101808,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="init_dbus_send_script" lineno="2636">
+<interface name="init_dbus_send_script" lineno="2679">
 <summary>
 Send messages to init scripts over dbus.
 </summary>
@@ -101215,7 +101818,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_dbus_chat_script" lineno="2656">
+<interface name="init_dbus_chat_script" lineno="2699">
 <summary>
 Send and receive messages from
 init scripts over dbus.
@@ -101226,7 +101829,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_use_script_ptys" lineno="2685">
+<interface name="init_use_script_ptys" lineno="2728">
 <summary>
 Read and write the init script pty.
 </summary>
@@ -101245,7 +101848,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_use_inherited_script_ptys" lineno="2704">
+<interface name="init_use_inherited_script_ptys" lineno="2747">
 <summary>
 Read and write inherited init script ptys.
 </summary>
@@ -101255,7 +101858,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_dontaudit_use_script_ptys" lineno="2726">
+<interface name="init_dontaudit_use_script_ptys" lineno="2769">
 <summary>
 Do not audit attempts to read and
 write the init script pty.
@@ -101266,7 +101869,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="init_getattr_script_status_files" lineno="2745">
+<interface name="init_getattr_script_status_files" lineno="2788">
 <summary>
 Get the attributes of init script
 status files.
@@ -101277,7 +101880,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_dontaudit_read_script_status_files" lineno="2764">
+<interface name="init_dontaudit_read_script_status_files" lineno="2807">
 <summary>
 Do not audit attempts to read init script
 status files.
@@ -101288,7 +101891,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="init_search_run" lineno="2783">
+<interface name="init_search_run" lineno="2826">
 <summary>
 Search the /run/systemd directory.
 </summary>
@@ -101298,7 +101901,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_read_script_tmp_files" lineno="2802">
+<interface name="init_read_script_tmp_files" lineno="2845">
 <summary>
 Read init script temporary data.
 </summary>
@@ -101308,7 +101911,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_rw_inherited_script_tmp_files" lineno="2821">
+<interface name="init_rw_inherited_script_tmp_files" lineno="2864">
 <summary>
 Read and write init script inherited temporary data.
 </summary>
@@ -101318,7 +101921,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_rw_script_tmp_files" lineno="2839">
+<interface name="init_rw_script_tmp_files" lineno="2882">
 <summary>
 Read and write init script temporary data.
 </summary>
@@ -101328,7 +101931,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_script_tmp_filetrans" lineno="2874">
+<interface name="init_script_tmp_filetrans" lineno="2917">
 <summary>
 Create files in a init script
 temporary data directory.
@@ -101354,7 +101957,7 @@ The name of the object being created.
 </summary>
 </param>
 </interface>
-<interface name="init_getattr_utmp" lineno="2893">
+<interface name="init_getattr_utmp" lineno="2936">
 <summary>
 Get the attributes of init script process id files.
 </summary>
@@ -101364,7 +101967,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_read_utmp" lineno="2911">
+<interface name="init_read_utmp" lineno="2954">
 <summary>
 Read utmp.
 </summary>
@@ -101374,7 +101977,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_dontaudit_write_utmp" lineno="2930">
+<interface name="init_dontaudit_write_utmp" lineno="2973">
 <summary>
 Do not audit attempts to write utmp.
 </summary>
@@ -101384,7 +101987,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="init_write_utmp" lineno="2948">
+<interface name="init_write_utmp" lineno="2991">
 <summary>
 Write to utmp.
 </summary>
@@ -101394,7 +101997,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_dontaudit_lock_utmp" lineno="2968">
+<interface name="init_dontaudit_lock_utmp" lineno="3011">
 <summary>
 Do not audit attempts to lock
 init script pid files.
@@ -101405,7 +102008,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="init_rw_utmp" lineno="2986">
+<interface name="init_rw_utmp" lineno="3029">
 <summary>
 Read and write utmp.
 </summary>
@@ -101415,7 +102018,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_dontaudit_rw_utmp" lineno="3005">
+<interface name="init_dontaudit_rw_utmp" lineno="3048">
 <summary>
 Do not audit attempts to read and write utmp.
 </summary>
@@ -101425,7 +102028,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="init_manage_utmp" lineno="3023">
+<interface name="init_manage_utmp" lineno="3066">
 <summary>
 Create, read, write, and delete utmp.
 </summary>
@@ -101435,7 +102038,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_watch_utmp" lineno="3042">
+<interface name="init_watch_utmp" lineno="3085">
 <summary>
 Add a watch on utmp.
 </summary>
@@ -101445,7 +102048,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_relabel_utmp" lineno="3060">
+<interface name="init_relabel_utmp" lineno="3103">
 <summary>
 Relabel utmp.
 </summary>
@@ -101455,7 +102058,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_runtime_filetrans_utmp" lineno="3079">
+<interface name="init_runtime_filetrans_utmp" lineno="3122">
 <summary>
 Create files in /var/run with the
 utmp file type.
@@ -101466,7 +102069,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_create_runtime_dirs" lineno="3097">
+<interface name="init_create_runtime_dirs" lineno="3140">
 <summary>
 Create a directory in the /run/systemd directory.
 </summary>
@@ -101476,7 +102079,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_read_runtime_files" lineno="3116">
+<interface name="init_read_runtime_files" lineno="3159">
 <summary>
 Read init_runtime_t files
 </summary>
@@ -101486,7 +102089,7 @@ domain
 </summary>
 </param>
 </interface>
-<interface name="init_rename_runtime_files" lineno="3134">
+<interface name="init_rename_runtime_files" lineno="3177">
 <summary>
 Rename init_runtime_t files
 </summary>
@@ -101496,7 +102099,7 @@ domain
 </summary>
 </param>
 </interface>
-<interface name="init_setattr_runtime_files" lineno="3152">
+<interface name="init_setattr_runtime_files" lineno="3195">
 <summary>
 Setattr init_runtime_t files
 </summary>
@@ -101506,7 +102109,7 @@ domain
 </summary>
 </param>
 </interface>
-<interface name="init_delete_runtime_files" lineno="3170">
+<interface name="init_delete_runtime_files" lineno="3213">
 <summary>
 Delete init_runtime_t files
 </summary>
@@ -101516,7 +102119,7 @@ domain
 </summary>
 </param>
 </interface>
-<interface name="init_write_runtime_socket" lineno="3189">
+<interface name="init_write_runtime_socket" lineno="3232">
 <summary>
 Allow the specified domain to write to
 init sock file.
@@ -101527,7 +102130,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_dontaudit_write_runtime_socket" lineno="3208">
+<interface name="init_dontaudit_write_runtime_socket" lineno="3251">
 <summary>
 Do not audit attempts to write to
 init sock files.
@@ -101538,7 +102141,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="init_read_runtime_pipes" lineno="3226">
+<interface name="init_read_runtime_pipes" lineno="3269">
 <summary>
 Read init unnamed pipes.
 </summary>
@@ -101548,7 +102151,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_read_runtime_symlinks" lineno="3244">
+<interface name="init_read_runtime_symlinks" lineno="3287">
 <summary>
 read systemd unit symlinks (usually under /run/systemd/units/)
 </summary>
@@ -101558,7 +102161,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_tcp_recvfrom_all_daemons" lineno="3262">
+<interface name="init_tcp_recvfrom_all_daemons" lineno="3305">
 <summary>
 Allow the specified domain to connect to daemon with a tcp socket
 </summary>
@@ -101568,7 +102171,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_udp_recvfrom_all_daemons" lineno="3280">
+<interface name="init_udp_recvfrom_all_daemons" lineno="3323">
 <summary>
 Allow the specified domain to connect to daemon with a udp socket
 </summary>
@@ -101578,7 +102181,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_read_script_status_files" lineno="3299">
+<interface name="init_read_script_status_files" lineno="3342">
 <summary>
 Allow reading the init script state files
 </summary>
@@ -101588,7 +102191,7 @@ Domain allowed access
 </summary>
 </param>
 </interface>
-<interface name="init_relabelto_script_state" lineno="3317">
+<interface name="init_relabelto_script_state" lineno="3360">
 <summary>
 Label to init script status files
 </summary>
@@ -101598,7 +102201,7 @@ Domain allowed access
 </summary>
 </param>
 </interface>
-<interface name="init_script_readable_type" lineno="3336">
+<interface name="init_script_readable_type" lineno="3379">
 <summary>
 Mark as a readable type for the initrc_t domain
 </summary>
@@ -101608,7 +102211,7 @@ Type that initrc_t needs read access to
 </summary>
 </param>
 </interface>
-<interface name="init_search_units" lineno="3354">
+<interface name="init_search_units" lineno="3397">
 <summary>
 Search systemd unit dirs.
 </summary>
@@ -101618,7 +102221,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_list_unit_dirs" lineno="3379">
+<interface name="init_list_unit_dirs" lineno="3422">
 <summary>
 List systemd unit dirs.
 </summary>
@@ -101628,7 +102231,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_getattr_generic_units_files" lineno="3399">
+<interface name="init_getattr_generic_units_files" lineno="3442">
 <summary>
 Get the attributes of systemd unit files
 </summary>
@@ -101638,7 +102241,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_read_generic_units_files" lineno="3417">
+<interface name="init_read_generic_units_files" lineno="3460">
 <summary>
 Read systemd unit files
 </summary>
@@ -101648,7 +102251,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_read_generic_units_symlinks" lineno="3435">
+<interface name="init_read_generic_units_symlinks" lineno="3478">
 <summary>
 Read systemd unit links
 </summary>
@@ -101658,7 +102261,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_get_generic_units_status" lineno="3453">
+<interface name="init_get_generic_units_status" lineno="3496">
 <summary>
 Get status of generic systemd units.
 </summary>
@@ -101668,7 +102271,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_start_generic_units" lineno="3472">
+<interface name="init_start_generic_units" lineno="3515">
 <summary>
 Start generic systemd units.
 </summary>
@@ -101678,7 +102281,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_stop_generic_units" lineno="3491">
+<interface name="init_stop_generic_units" lineno="3534">
 <summary>
 Stop generic systemd units.
 </summary>
@@ -101688,7 +102291,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="init_reload_generic_units" lineno="3510">
+<interface name="init_reload_generic_units" lineno="3553">
 <summary>
 Reload generic systemd units.
 </summary>
@@ -101698,7 +102301,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_get_runtime_units_status" lineno="3529">
+<interface name="init_get_runtime_units_status" lineno="3572">
 <summary>
 Get the status of runtime systemd units.
 </summary>
@@ -101708,7 +102311,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_start_runtime_units" lineno="3548">
+<interface name="init_start_runtime_units" lineno="3591">
 <summary>
 Start runtime systemd units.
 </summary>
@@ -101718,7 +102321,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_stop_runtime_units" lineno="3567">
+<interface name="init_stop_runtime_units" lineno="3610">
 <summary>
 Stop runtime systemd units.
 </summary>
@@ -101728,7 +102331,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_get_transient_units_status" lineno="3586">
+<interface name="init_get_transient_units_status" lineno="3629">
 <summary>
 Get status of transient systemd units.
 </summary>
@@ -101738,7 +102341,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_start_transient_units" lineno="3605">
+<interface name="init_start_transient_units" lineno="3648">
 <summary>
 Start transient systemd units.
 </summary>
@@ -101748,7 +102351,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_stop_transient_units" lineno="3624">
+<interface name="init_stop_transient_units" lineno="3667">
 <summary>
 Stop transient systemd units.
 </summary>
@@ -101758,7 +102361,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="init_reload_transient_units" lineno="3643">
+<interface name="init_reload_transient_units" lineno="3686">
 <summary>
 Reload transient systemd units.
 </summary>
@@ -101768,7 +102371,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_get_all_units_status" lineno="3663">
+<interface name="init_get_all_units_status" lineno="3706">
 <summary>
 Get status of all systemd units.
 </summary>
@@ -101778,7 +102381,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_manage_all_units" lineno="3682">
+<interface name="init_manage_all_units" lineno="3725">
 <summary>
 All perms on all systemd units.
 </summary>
@@ -101788,7 +102391,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_start_all_units" lineno="3702">
+<interface name="init_start_all_units" lineno="3745">
 <summary>
 Start all systemd units.
 </summary>
@@ -101798,7 +102401,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_stop_all_units" lineno="3721">
+<interface name="init_stop_all_units" lineno="3764">
 <summary>
 Stop all systemd units.
 </summary>
@@ -101808,7 +102411,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="init_reload_all_units" lineno="3740">
+<interface name="init_reload_all_units" lineno="3783">
 <summary>
 Reload all systemd units.
 </summary>
@@ -101818,7 +102421,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_manage_all_unit_files" lineno="3759">
+<interface name="init_manage_all_unit_files" lineno="3802">
 <summary>
 Manage systemd unit dirs and the files in them
 </summary>
@@ -101828,7 +102431,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_linkable_keyring" lineno="3780">
+<interface name="init_linkable_keyring" lineno="3823">
 <summary>
 Associate the specified domain to be a domain whose
 keyring init should be allowed to link.
@@ -101839,7 +102442,7 @@ Domain whose keyring init should be allowed to link.
 </summary>
 </param>
 </interface>
-<interface name="init_admin" lineno="3798">
+<interface name="init_admin" lineno="3841">
 <summary>
 Allow unconfined access to send instructions to init
 </summary>
@@ -101849,7 +102452,7 @@ Target domain
 </summary>
 </param>
 </interface>
-<interface name="init_getrlimit" lineno="3830">
+<interface name="init_getrlimit" lineno="3873">
 <summary>
 Allow getting init_t rlimit
 </summary>
@@ -101859,6 +102462,16 @@ Source domain
 </summary>
 </param>
 </interface>
+<interface name="init_search_keys" lineno="3891">
+<summary>
+Allow searching init_t keys
+</summary>
+<param name="domain">
+<summary>
+Source domain
+</summary>
+</param>
+</interface>
 <tunable name="init_upstart" dftval="false">
 <desc>
 <p>
@@ -102656,7 +103269,17 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="libs_relabel_shared_libs" lineno="545">
+<interface name="libs_watch_shared_libs_dirs" lineno="543">
+<summary>
+watch lib dirs
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="libs_relabel_shared_libs" lineno="563">
 <summary>
 Relabel to and from the type used for
 shared libraries.
@@ -102667,7 +103290,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="libs_generic_etc_filetrans_ld_so_cache" lineno="578">
+<interface name="libs_generic_etc_filetrans_ld_so_cache" lineno="596">
 <summary>
 Create an object in etc with a type transition to
 the ld_so_cache_t type
@@ -102690,7 +103313,7 @@ Name of the resource created for which a type transition occurs
 </summary>
 </param>
 </interface>
-<interface name="libs_lib_filetrans" lineno="612">
+<interface name="libs_lib_filetrans" lineno="630">
 <summary>
 Create an object in the generic lib location with a type transition
 to the provided type
@@ -102716,7 +103339,7 @@ Name of the resource created for which a type transition should occur
 </summary>
 </param>
 </interface>
-<interface name="libs_relabel_lib_dirs" lineno="633">
+<interface name="libs_relabel_lib_dirs" lineno="651">
 <summary>
 Relabel to and from the type used
 for generic lib directories.
@@ -103309,7 +103932,17 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="logging_delete_devlog_socket" lineno="859">
+<interface name="logging_stream_connect_journald_varlink" lineno="858">
+<summary>
+Connect syslog varlink socket files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="logging_delete_devlog_socket" lineno="878">
 <summary>
 Delete the syslog socket files
 </summary>
@@ -103320,7 +103953,7 @@ Domain allowed access
 </param>
 <rolecap/>
 </interface>
-<interface name="logging_manage_runtime_sockets" lineno="877">
+<interface name="logging_manage_runtime_sockets" lineno="896">
 <summary>
 Create, read, write, and delete syslog PID sockets.
 </summary>
@@ -103330,7 +103963,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="logging_search_logs" lineno="898">
+<interface name="logging_search_logs" lineno="917">
 <summary>
 Allows the domain to open a file in the
 log directory, but does not allow the listing
@@ -103342,7 +103975,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="logging_dontaudit_search_logs" lineno="918">
+<interface name="logging_dontaudit_search_logs" lineno="937">
 <summary>
 Do not audit attempts to search the var log directory.
 </summary>
@@ -103352,7 +103985,7 @@ Domain not to audit.
 </summary>
 </param>
 </interface>
-<interface name="logging_list_logs" lineno="936">
+<interface name="logging_list_logs" lineno="955">
 <summary>
 List the contents of the generic log directory (/var/log).
 </summary>
@@ -103362,7 +103995,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="logging_rw_generic_log_dirs" lineno="956">
+<interface name="logging_rw_generic_log_dirs" lineno="975">
 <summary>
 Read and write the generic log directory (/var/log).
 </summary>
@@ -103372,7 +104005,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="logging_search_all_logs" lineno="977">
+<interface name="logging_search_all_logs" lineno="996">
 <summary>
 Search through all log dirs.
 </summary>
@@ -103383,7 +104016,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="logging_setattr_all_log_dirs" lineno="996">
+<interface name="logging_setattr_all_log_dirs" lineno="1015">
 <summary>
 Set attributes on all log dirs.
 </summary>
@@ -103394,7 +104027,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="logging_dontaudit_getattr_all_logs" lineno="1015">
+<interface name="logging_dontaudit_getattr_all_logs" lineno="1034">
 <summary>
 Do not audit attempts to get the attributes
 of any log files.
@@ -103405,7 +104038,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="logging_getattr_all_logs" lineno="1033">
+<interface name="logging_getattr_all_logs" lineno="1052">
 <summary>
 Read the attributes of any log file
 </summary>
@@ -103415,7 +104048,7 @@ Domain allowed access
 </summary>
 </param>
 </interface>
-<interface name="logging_append_all_logs" lineno="1051">
+<interface name="logging_append_all_logs" lineno="1070">
 <summary>
 Append to all log files.
 </summary>
@@ -103425,7 +104058,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="logging_append_all_inherited_logs" lineno="1072">
+<interface name="logging_append_all_inherited_logs" lineno="1091">
 <summary>
 Append to all log files.
 </summary>
@@ -103435,7 +104068,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="logging_read_all_logs" lineno="1091">
+<interface name="logging_read_all_logs" lineno="1110">
 <summary>
 Read all log files.
 </summary>
@@ -103446,7 +104079,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="logging_watch_all_logs" lineno="1112">
+<interface name="logging_watch_all_logs" lineno="1131">
 <summary>
 Watch all log files.
 </summary>
@@ -103457,17 +104090,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="logging_exec_all_logs" lineno="1132">
-<summary>
-Execute all log files in the caller domain.
-</summary>
-<param name="domain">
-<summary>
-Domain allowed access.
-</summary>
-</param>
-</interface>
-<interface name="logging_rw_all_logs" lineno="1152">
+<interface name="logging_rw_all_logs" lineno="1149">
 <summary>
 read/write to all log files.
 </summary>
@@ -103477,7 +104100,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="logging_manage_all_logs" lineno="1172">
+<interface name="logging_manage_all_logs" lineno="1169">
 <summary>
 Create, read, write, and delete all log files.
 </summary>
@@ -103488,7 +104111,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="logging_manage_generic_log_dirs" lineno="1193">
+<interface name="logging_manage_generic_log_dirs" lineno="1190">
 <summary>
 Create, read, write, and delete generic log directories.
 </summary>
@@ -103499,7 +104122,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="logging_relabel_generic_log_dirs" lineno="1213">
+<interface name="logging_relabel_generic_log_dirs" lineno="1210">
 <summary>
 Relabel from and to generic log directory type.
 </summary>
@@ -103510,7 +104133,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="logging_read_generic_logs" lineno="1233">
+<interface name="logging_read_generic_logs" lineno="1230">
 <summary>
 Read generic log files.
 </summary>
@@ -103521,7 +104144,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="logging_mmap_generic_logs" lineno="1254">
+<interface name="logging_mmap_generic_logs" lineno="1251">
 <summary>
 Map generic log files.
 </summary>
@@ -103532,7 +104155,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="logging_write_generic_logs" lineno="1272">
+<interface name="logging_write_generic_logs" lineno="1269">
 <summary>
 Write generic log files.
 </summary>
@@ -103542,7 +104165,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="logging_dontaudit_write_generic_logs" lineno="1293">
+<interface name="logging_dontaudit_write_generic_logs" lineno="1290">
 <summary>
 Dontaudit Write generic log files.
 </summary>
@@ -103552,7 +104175,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="logging_rw_generic_logs" lineno="1311">
+<interface name="logging_rw_generic_logs" lineno="1308">
 <summary>
 Read and write generic log files.
 </summary>
@@ -103562,7 +104185,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="logging_manage_generic_logs" lineno="1334">
+<interface name="logging_manage_generic_logs" lineno="1331">
 <summary>
 Create, read, write, and delete
 generic log files.
@@ -103574,7 +104197,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="logging_watch_generic_logs_dir" lineno="1353">
+<interface name="logging_watch_generic_logs_dir" lineno="1350">
 <summary>
 Watch generic log dirs.
 </summary>
@@ -103584,7 +104207,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="logging_admin_audit" lineno="1378">
+<interface name="logging_admin_audit" lineno="1375">
 <summary>
 All of the rules required to administrate
 the audit environment
@@ -103601,7 +104224,7 @@ User role allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="logging_admin_syslog" lineno="1422">
+<interface name="logging_admin_syslog" lineno="1419">
 <summary>
 All of the rules required to administrate
 the syslog environment
@@ -103618,7 +104241,7 @@ User role allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="logging_admin" lineno="1478">
+<interface name="logging_admin" lineno="1475">
 <summary>
 All of the rules required to administrate
 the logging environment
@@ -103635,7 +104258,7 @@ User role allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="logging_syslog_managed_log_file" lineno="1501">
+<interface name="logging_syslog_managed_log_file" lineno="1498">
 <summary>
 Mark the type as a syslog managed log file
 and introduce the proper file transition when
@@ -103653,7 +104276,7 @@ Name to use for the file
 </summary>
 </param>
 </interface>
-<interface name="logging_syslog_managed_log_dir" lineno="1540">
+<interface name="logging_syslog_managed_log_dir" lineno="1537">
 <summary>
 Mark the type as a syslog managed log dir
 and introduce the proper file transition when
@@ -103680,7 +104303,7 @@ Name to use for the directory
 </summary>
 </param>
 </interface>
-<interface name="logging_mmap_journal" lineno="1562">
+<interface name="logging_mmap_journal" lineno="1559">
 <summary>
 Map files in /run/log/journal/ directory.
 </summary>
@@ -103690,6 +104313,14 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
+<tunable name="logging_syslog_can_network" dftval="false">
+<desc>
+<p>
+Allows syslogd internet domain sockets
+functionality (dangerous).
+</p>
+</desc>
+</tunable>
 </module>
 <module name="lvm" filename="policy/modules/system/lvm.if">
 <summary>Policy for logical volume management programs.</summary>
@@ -104599,7 +105230,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="mount_read_state" lineno="82">
+<interface name="mount_read_state" lineno="79">
 <summary>
 Read the process state (/proc/pid) of mount.
 </summary>
@@ -104609,7 +105240,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="mount_signal" lineno="100">
+<interface name="mount_signal" lineno="97">
 <summary>
 Send a generic signal to mount.
 </summary>
@@ -104619,7 +105250,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="mount_use_fds" lineno="118">
+<interface name="mount_use_fds" lineno="115">
 <summary>
 Use file descriptors for mount.
 </summary>
@@ -104629,7 +105260,7 @@ The type of the process performing this action.
 </summary>
 </param>
 </interface>
-<interface name="mount_domtrans_unconfined" lineno="136">
+<interface name="mount_domtrans_unconfined" lineno="133">
 <summary>
 Execute mount in the unconfined mount domain.
 </summary>
@@ -104639,7 +105270,7 @@ Domain allowed to transition.
 </summary>
 </param>
 </interface>
-<interface name="mount_run_unconfined" lineno="162">
+<interface name="mount_run_unconfined" lineno="159">
 <summary>
 Execute mount in the unconfined mount domain, and
 allow the specified role the unconfined mount domain,
@@ -104657,7 +105288,7 @@ Role allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="mount_read_loopback_files" lineno="181">
+<interface name="mount_read_loopback_files" lineno="178">
 <summary>
 Read loopback filesystem image files.
 </summary>
@@ -104667,7 +105298,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="mount_rw_loopback_files" lineno="199">
+<interface name="mount_rw_loopback_files" lineno="196">
 <summary>
 Read and write loopback filesystem image files.
 </summary>
@@ -104677,7 +105308,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="mount_list_runtime" lineno="217">
+<interface name="mount_list_runtime" lineno="214">
 <summary>
 List mount runtime files.
 </summary>
@@ -104687,7 +105318,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="mount_watch_runtime_dirs" lineno="235">
+<interface name="mount_watch_runtime_dirs" lineno="232">
 <summary>
 Watch mount runtime dirs.
 </summary>
@@ -104697,7 +105328,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="mount_watch_runtime_files" lineno="253">
+<interface name="mount_watch_runtime_files" lineno="250">
 <summary>
 Watch mount runtime files.
 </summary>
@@ -104707,7 +105338,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="mount_watch_reads_runtime_files" lineno="271">
+<interface name="mount_watch_reads_runtime_files" lineno="268">
 <summary>
 Watch reads on mount runtime files.
 </summary>
@@ -104717,7 +105348,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="mount_getattr_runtime_files" lineno="289">
+<interface name="mount_getattr_runtime_files" lineno="286">
 <summary>
 Getattr on mount_runtime_t files
 </summary>
@@ -104727,7 +105358,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="mount_read_runtime_files" lineno="307">
+<interface name="mount_read_runtime_files" lineno="304">
 <summary>
 Read mount runtime files.
 </summary>
@@ -104737,7 +105368,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="mount_rw_runtime_files" lineno="325">
+<interface name="mount_rw_runtime_files" lineno="322">
 <summary>
 Read and write mount runtime files.
 </summary>
@@ -104747,7 +105378,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="mount_rw_pipes" lineno="345">
+<interface name="mount_rw_pipes" lineno="342">
 <summary>
 Read and write mount unnamed pipes
 </summary>
@@ -105909,7 +106540,17 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="sysnet_read_dhcpc_runtime_files" lineno="580">
+<interface name="sysnet_watch_config_dirs" lineno="580">
+<summary>
+Watch a network config dir
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="sysnet_read_dhcpc_runtime_files" lineno="598">
 <summary>
 Read dhcp client runtime files.
 </summary>
@@ -105919,7 +106560,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="sysnet_delete_dhcpc_runtime_files" lineno="599">
+<interface name="sysnet_delete_dhcpc_runtime_files" lineno="617">
 <summary>
 Delete the dhcp client runtime files.
 </summary>
@@ -105929,7 +106570,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="sysnet_manage_dhcpc_runtime_files" lineno="617">
+<interface name="sysnet_manage_dhcpc_runtime_files" lineno="635">
 <summary>
 Create, read, write, and delete dhcp client runtime files.
 </summary>
@@ -105939,7 +106580,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="sysnet_domtrans_ifconfig" lineno="635">
+<interface name="sysnet_domtrans_ifconfig" lineno="653">
 <summary>
 Execute ifconfig in the ifconfig domain.
 </summary>
@@ -105949,7 +106590,7 @@ Domain allowed to transition.
 </summary>
 </param>
 </interface>
-<interface name="sysnet_run_ifconfig" lineno="662">
+<interface name="sysnet_run_ifconfig" lineno="680">
 <summary>
 Execute ifconfig in the ifconfig domain, and
 allow the specified role the ifconfig domain,
@@ -105967,7 +106608,7 @@ Role allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="sysnet_exec_ifconfig" lineno="682">
+<interface name="sysnet_exec_ifconfig" lineno="700">
 <summary>
 Execute ifconfig in the caller domain.
 </summary>
@@ -105977,7 +106618,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="sysnet_signal_ifconfig" lineno="702">
+<interface name="sysnet_signal_ifconfig" lineno="720">
 <summary>
 Send a generic signal to ifconfig.
 </summary>
@@ -105988,7 +106629,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="sysnet_signull_ifconfig" lineno="721">
+<interface name="sysnet_signull_ifconfig" lineno="739">
 <summary>
 Send null signals to ifconfig.
 </summary>
@@ -105999,7 +106640,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="sysnet_create_netns_dirs" lineno="740">
+<interface name="sysnet_create_netns_dirs" lineno="758">
 <summary>
 Create the /run/netns directory with
 an automatic type transition.
@@ -106010,7 +106651,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="sysnet_netns_filetrans" lineno="774">
+<interface name="sysnet_netns_filetrans" lineno="792">
 <summary>
 Create an object in the /run/netns
 directory with a private type.
@@ -106036,7 +106677,7 @@ The name of the object being created.
 </summary>
 </param>
 </interface>
-<interface name="sysnet_read_dhcp_config" lineno="795">
+<interface name="sysnet_read_dhcp_config" lineno="813">
 <summary>
 Read the DHCP configuration files.
 </summary>
@@ -106046,7 +106687,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="sysnet_search_dhcp_state" lineno="815">
+<interface name="sysnet_search_dhcp_state" lineno="833">
 <summary>
 Search the DHCP state data directory.
 </summary>
@@ -106056,7 +106697,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="sysnet_dhcp_state_filetrans" lineno="859">
+<interface name="sysnet_dhcp_state_filetrans" lineno="877">
 <summary>
 Create DHCP state data.
 </summary>
@@ -106091,7 +106732,7 @@ The name of the object being created.
 </summary>
 </param>
 </interface>
-<interface name="sysnet_dns_name_resolve" lineno="879">
+<interface name="sysnet_dns_name_resolve" lineno="897">
 <summary>
 Perform a DNS name resolution.
 </summary>
@@ -106102,7 +106743,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="sysnet_use_ldap" lineno="930">
+<interface name="sysnet_use_ldap" lineno="948">
 <summary>
 Connect and use a LDAP server.
 </summary>
@@ -106112,7 +106753,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="sysnet_use_portmap" lineno="957">
+<interface name="sysnet_use_portmap" lineno="975">
 <summary>
 Connect and use remote port mappers.
 </summary>
@@ -106122,7 +106763,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="sysnet_dhcpc_script_entry" lineno="991">
+<interface name="sysnet_dhcpc_script_entry" lineno="1009">
 <summary>
 Make the specified program domain
 accessable from the DHCP hooks/scripts.
@@ -106149,7 +106790,7 @@ can manage samba
 </module>
 <module name="systemd" filename="policy/modules/system/systemd.if">
 <summary>Systemd components (not PID 1)</summary>
-<template name="systemd_role_template" lineno="28">
+<template name="systemd_role_template" lineno="23">
 <summary>
 Template for systemd --user per-role domains.
 </summary>
@@ -106168,13 +106809,8 @@ The user role.
 The user domain for the role.
 </summary>
 </param>
-<param name="pty_type">
-<summary>
-The type for the user pty
-</summary>
-</param>
 </template>
-<template name="systemd_user_daemon_domain" lineno="222">
+<template name="systemd_user_daemon_domain" lineno="225">
 <summary>
 Allow the specified domain to be started as a daemon by the
 specified systemd user instance.
@@ -106195,7 +106831,7 @@ Domain to allow the systemd user domain to run.
 </summary>
 </param>
 </template>
-<interface name="systemd_user_activated_sock_file" lineno="243">
+<interface name="systemd_user_activated_sock_file" lineno="246">
 <summary>
 Associate the specified file type to be a type whose sock files
 can be managed by systemd user instances for socket activation.
@@ -106206,7 +106842,7 @@ File type to be associated.
 </summary>
 </param>
 </interface>
-<interface name="systemd_user_unix_stream_activated_socket" lineno="268">
+<interface name="systemd_user_unix_stream_activated_socket" lineno="271">
 <summary>
 Associate the specified domain to be a domain whose unix stream
 sockets and sock files can be managed by systemd user instances
@@ -106223,7 +106859,18 @@ File type of the domain's sock files to be associated.
 </summary>
 </param>
 </interface>
-<template name="systemd_user_send_systemd_notify" lineno="294">
+<interface name="systemd_write_notify_socket" lineno="291">
+<summary>
+Allow the specified domain to write to
+systemd-notify socket
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<template name="systemd_user_send_systemd_notify" lineno="318">
 <summary>
 Allow the target domain the permissions necessary
 to use systemd notify when started by the specified
@@ -106240,7 +106887,7 @@ Domain to be allowed systemd notify permissions.
 </summary>
 </param>
 </template>
-<template name="systemd_user_app_status" lineno="322">
+<template name="systemd_user_app_status" lineno="346">
 <summary>
 Allow the target domain to be monitored and have its output
 captured by the specified systemd user instance domain.
@@ -106256,7 +106903,7 @@ Domain to allow the systemd user instance to monitor.
 </summary>
 </param>
 </template>
-<template name="systemd_read_user_manager_state" lineno="362">
+<template name="systemd_read_user_manager_state" lineno="386">
 <summary>
 Read the process state (/proc/pid) of
 the specified systemd user instance.
@@ -106272,7 +106919,7 @@ Domain allowed access.
 </summary>
 </param>
 </template>
-<template name="systemd_user_manager_system_start" lineno="386">
+<template name="systemd_user_manager_system_start" lineno="410">
 <summary>
 Send a start request to the specified
 systemd user instance system object.
@@ -106288,7 +106935,7 @@ Domain allowed access.
 </summary>
 </param>
 </template>
-<template name="systemd_user_manager_system_stop" lineno="410">
+<template name="systemd_user_manager_system_stop" lineno="434">
 <summary>
 Send a stop request to the specified
 systemd user instance system object.
@@ -106304,7 +106951,7 @@ Domain allowed access.
 </summary>
 </param>
 </template>
-<template name="systemd_user_manager_system_status" lineno="434">
+<template name="systemd_user_manager_system_status" lineno="458">
 <summary>
 Get the status of the specified
 systemd user instance system object.
@@ -106320,7 +106967,7 @@ Domain allowed access.
 </summary>
 </param>
 </template>
-<template name="systemd_user_manager_dbus_chat" lineno="458">
+<template name="systemd_user_manager_dbus_chat" lineno="482">
 <summary>
 Send and receive messages from the
 specified systemd user instance over dbus.
@@ -106336,7 +106983,7 @@ Domain allowed access.
 </summary>
 </param>
 </template>
-<interface name="systemd_search_conf_home_content" lineno="479">
+<interface name="systemd_search_conf_home_content" lineno="503">
 <summary>
 Allow the specified domain to search systemd config home
 content.
@@ -106347,7 +106994,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_manage_conf_home_content" lineno="498">
+<interface name="systemd_manage_conf_home_content" lineno="522">
 <summary>
 Allow the specified domain to manage systemd config home
 content.
@@ -106358,7 +107005,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_relabel_conf_home_content" lineno="519">
+<interface name="systemd_relabel_conf_home_content" lineno="543">
 <summary>
 Allow the specified domain to relabel systemd config home
 content.
@@ -106369,7 +107016,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_search_data_home_content" lineno="540">
+<interface name="systemd_search_data_home_content" lineno="564">
 <summary>
 Allow the specified domain to search systemd data home
 content.
@@ -106380,7 +107027,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_manage_data_home_content" lineno="559">
+<interface name="systemd_manage_data_home_content" lineno="583">
 <summary>
 Allow the specified domain to manage systemd data home
 content.
@@ -106391,7 +107038,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_relabel_data_home_content" lineno="580">
+<interface name="systemd_relabel_data_home_content" lineno="604">
 <summary>
 Allow the specified domain to relabel systemd data home
 content.
@@ -106402,7 +107049,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_search_user_runtime" lineno="601">
+<interface name="systemd_search_user_runtime" lineno="625">
 <summary>
 Allow the specified domain to search systemd user runtime
 content.
@@ -106413,7 +107060,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_read_user_runtime_files" lineno="619">
+<interface name="systemd_read_user_runtime_files" lineno="643">
 <summary>
 Allow the specified domain to read systemd user runtime files.
 </summary>
@@ -106423,7 +107070,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_read_user_runtime_lnk_files" lineno="637">
+<interface name="systemd_read_user_runtime_lnk_files" lineno="661">
 <summary>
 Allow the specified domain to read systemd user runtime lnk files.
 </summary>
@@ -106433,7 +107080,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_write_user_runtime_socket" lineno="656">
+<interface name="systemd_write_user_runtime_socket" lineno="680">
 <summary>
 Allow the specified domain to write to
 the systemd user runtime named socket.
@@ -106444,7 +107091,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_read_user_unit_files" lineno="675">
+<interface name="systemd_read_user_unit_files" lineno="699">
 <summary>
 Allow the specified domain to read system-wide systemd
 user unit files.  (Deprecated)
@@ -106455,7 +107102,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_read_user_units_files" lineno="691">
+<interface name="systemd_read_user_units_files" lineno="715">
 <summary>
 Allow the specified domain to read system-wide systemd
 user unit files.
@@ -106466,7 +107113,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_read_user_runtime_units" lineno="711">
+<interface name="systemd_read_user_runtime_units" lineno="735">
 <summary>
 Allow the specified domain to read systemd user runtime unit files.  (Deprecated)
 </summary>
@@ -106476,7 +107123,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_read_user_runtime_units_files" lineno="726">
+<interface name="systemd_read_user_runtime_units_files" lineno="750">
 <summary>
 Allow the specified domain to read systemd user runtime unit files.
 </summary>
@@ -106486,7 +107133,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_search_user_runtime_unit_dirs" lineno="746">
+<interface name="systemd_search_user_runtime_unit_dirs" lineno="770">
 <summary>
 Allow the specified domain to search systemd user runtime unit
 directories.
@@ -106497,7 +107144,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_list_user_runtime_unit_dirs" lineno="765">
+<interface name="systemd_list_user_runtime_unit_dirs" lineno="789">
 <summary>
 Allow the specified domain to list the contents of systemd
 user runtime unit directories.
@@ -106508,7 +107155,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_status_user_runtime_units" lineno="783">
+<interface name="systemd_status_user_runtime_units" lineno="807">
 <summary>
 Allow the specified domain to get the status of systemd user runtime units.  (Deprecated)
 </summary>
@@ -106518,7 +107165,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_get_user_runtime_units_status" lineno="798">
+<interface name="systemd_get_user_runtime_units_status" lineno="822">
 <summary>
 Allow the specified domain to get the status of systemd user runtime units.
 </summary>
@@ -106528,7 +107175,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_start_user_runtime_units" lineno="817">
+<interface name="systemd_start_user_runtime_units" lineno="841">
 <summary>
 Allow the specified domain to start systemd user runtime units.
 </summary>
@@ -106538,7 +107185,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_stop_user_runtime_units" lineno="836">
+<interface name="systemd_stop_user_runtime_units" lineno="860">
 <summary>
 Allow the specified domain to stop systemd user runtime units.
 </summary>
@@ -106548,7 +107195,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_reload_user_runtime_units" lineno="855">
+<interface name="systemd_reload_user_runtime_units" lineno="879">
 <summary>
 Allow the specified domain to reload systemd user runtime units.
 </summary>
@@ -106558,7 +107205,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_read_user_transient_units_files" lineno="874">
+<interface name="systemd_read_user_transient_units_files" lineno="898">
 <summary>
 Allow the specified domain to read systemd user transient unit files.
 </summary>
@@ -106568,7 +107215,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_search_user_transient_unit_dirs" lineno="894">
+<interface name="systemd_search_user_transient_unit_dirs" lineno="918">
 <summary>
 Allow the specified domain to search systemd user transient unit
 directories.
@@ -106579,7 +107226,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_list_user_transient_unit_dirs" lineno="913">
+<interface name="systemd_list_user_transient_unit_dirs" lineno="937">
 <summary>
 Allow the specified domain to list the contents of systemd
 user transient unit directories.
@@ -106590,7 +107237,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_get_user_transient_units_status" lineno="931">
+<interface name="systemd_get_user_transient_units_status" lineno="955">
 <summary>
 Allow the specified domain to get the status of systemd user transient units.
 </summary>
@@ -106600,7 +107247,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_start_user_transient_units" lineno="950">
+<interface name="systemd_start_user_transient_units" lineno="974">
 <summary>
 Allow the specified domain to start systemd user transient units.
 </summary>
@@ -106610,7 +107257,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_stop_user_transient_units" lineno="969">
+<interface name="systemd_stop_user_transient_units" lineno="993">
 <summary>
 Allow the specified domain to stop systemd user transient units.
 </summary>
@@ -106620,7 +107267,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_reload_user_transient_units" lineno="988">
+<interface name="systemd_reload_user_transient_units" lineno="1012">
 <summary>
 Allow the specified domain to reload systemd user transient units.
 </summary>
@@ -106630,7 +107277,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_log_parse_environment" lineno="1008">
+<interface name="systemd_log_parse_environment" lineno="1032">
 <summary>
 Make the specified type usable as an
 log parse environment type.
@@ -106641,7 +107288,7 @@ Type to be used as a log parse environment type.
 </summary>
 </param>
 </interface>
-<interface name="systemd_use_nss" lineno="1028">
+<interface name="systemd_use_nss" lineno="1052">
 <summary>
 Allow domain to use systemd's Name Service Switch (NSS) module.
 This module provides UNIX user and group name resolution for dynamic users
@@ -106653,7 +107300,7 @@ Domain allowed access
 </summary>
 </param>
 </interface>
-<interface name="systemd_PrivateDevices" lineno="1055">
+<interface name="systemd_PrivateDevices" lineno="1079">
 <summary>
 Allow domain to be used as a systemd service with a unit
 that uses PrivateDevices=yes in section [Service].
@@ -106664,7 +107311,7 @@ Domain allowed access
 </summary>
 </param>
 </interface>
-<interface name="systemd_rw_homework_semaphores" lineno="1072">
+<interface name="systemd_rw_homework_semaphores" lineno="1096">
 <summary>
 Read and write systemd-homework semaphores.
 </summary>
@@ -106674,7 +107321,7 @@ Domain allowed access
 </summary>
 </param>
 </interface>
-<interface name="systemd_read_hwdb" lineno="1090">
+<interface name="systemd_read_hwdb" lineno="1114">
 <summary>
 Allow domain to read udev hwdb file
 </summary>
@@ -106684,7 +107331,7 @@ domain allowed access
 </summary>
 </param>
 </interface>
-<interface name="systemd_map_hwdb" lineno="1108">
+<interface name="systemd_map_hwdb" lineno="1132">
 <summary>
 Allow domain to map udev hwdb file
 </summary>
@@ -106694,7 +107341,7 @@ domain allowed access
 </summary>
 </param>
 </interface>
-<interface name="systemd_watch_logind_runtime_dirs" lineno="1126">
+<interface name="systemd_watch_logind_runtime_dirs" lineno="1150">
 <summary>
 Watch systemd-logind runtime dirs.
 </summary>
@@ -106704,7 +107351,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_read_logind_runtime_files" lineno="1145">
+<interface name="systemd_read_logind_runtime_files" lineno="1169">
 <summary>
 Read systemd-logind runtime files.
 </summary>
@@ -106714,7 +107361,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_manage_logind_runtime_pipes" lineno="1165">
+<interface name="systemd_manage_logind_runtime_pipes" lineno="1189">
 <summary>
 Manage systemd-logind runtime pipes.
 </summary>
@@ -106724,7 +107371,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_write_logind_runtime_pipes" lineno="1184">
+<interface name="systemd_write_logind_runtime_pipes" lineno="1208">
 <summary>
 Write systemd-logind runtime named pipe.
 </summary>
@@ -106734,7 +107381,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_use_logind_fds" lineno="1205">
+<interface name="systemd_use_logind_fds" lineno="1229">
 <summary>
 Use inherited systemd
 logind file descriptors.
@@ -106745,7 +107392,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_watch_logind_sessions_dirs" lineno="1223">
+<interface name="systemd_watch_logind_sessions_dirs" lineno="1247">
 <summary>
 Watch logind sessions dirs.
 </summary>
@@ -106755,7 +107402,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_read_logind_sessions_files" lineno="1242">
+<interface name="systemd_read_logind_sessions_files" lineno="1266">
 <summary>
 Read logind sessions files.
 </summary>
@@ -106765,7 +107412,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_write_inherited_logind_sessions_pipes" lineno="1263">
+<interface name="systemd_write_inherited_logind_sessions_pipes" lineno="1287">
 <summary>
 Write inherited logind sessions pipes.
 </summary>
@@ -106775,7 +107422,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_write_inherited_logind_inhibit_pipes" lineno="1283">
+<interface name="systemd_write_inherited_logind_inhibit_pipes" lineno="1307">
 <summary>
 Write inherited logind inhibit pipes.
 </summary>
@@ -106785,7 +107432,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_dbus_chat_logind" lineno="1304">
+<interface name="systemd_dbus_chat_logind" lineno="1328">
 <summary>
 Send and receive messages from
 systemd logind over dbus.
@@ -106796,7 +107443,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_status_logind" lineno="1324">
+<interface name="systemd_status_logind" lineno="1348">
 <summary>
 Get the system status information from systemd_login
 </summary>
@@ -106806,7 +107453,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_signull_logind" lineno="1343">
+<interface name="systemd_signull_logind" lineno="1367">
 <summary>
 Send systemd_login a null signal.
 </summary>
@@ -106816,7 +107463,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_list_userdb_runtime_dirs" lineno="1361">
+<interface name="systemd_list_userdb_runtime_dirs" lineno="1385">
 <summary>
 List the contents of systemd userdb runtime directories.
 </summary>
@@ -106826,7 +107473,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_manage_userdb_runtime_dirs" lineno="1379">
+<interface name="systemd_manage_userdb_runtime_dirs" lineno="1403">
 <summary>
 Manage systemd userdb runtime directories.
 </summary>
@@ -106836,7 +107483,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_read_userdb_runtime_files" lineno="1397">
+<interface name="systemd_read_userdb_runtime_files" lineno="1421">
 <summary>
 Read systemd userdb runtime files.
 </summary>
@@ -106846,7 +107493,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_manage_userdb_runtime_symlinks" lineno="1415">
+<interface name="systemd_manage_userdb_runtime_symlinks" lineno="1439">
 <summary>
 Manage symbolic links under /run/systemd/userdb.
 </summary>
@@ -106856,7 +107503,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_manage_userdb_runtime_sock_files" lineno="1433">
+<interface name="systemd_manage_userdb_runtime_sock_files" lineno="1457">
 <summary>
 Manage socket files under /run/systemd/userdb .
 </summary>
@@ -106866,7 +107513,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_stream_connect_userdb" lineno="1451">
+<interface name="systemd_stream_connect_userdb" lineno="1475">
 <summary>
 Connect to /run/systemd/userdb/io.systemd.DynamicUser .
 </summary>
@@ -106876,7 +107523,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_read_machines" lineno="1473">
+<interface name="systemd_read_machines" lineno="1497">
 <summary>
 Allow reading /run/systemd/machines
 </summary>
@@ -106886,7 +107533,7 @@ Domain that can access the machines files
 </summary>
 </param>
 </interface>
-<interface name="systemd_watch_machines_dirs" lineno="1492">
+<interface name="systemd_watch_machines_dirs" lineno="1516">
 <summary>
 Allow watching /run/systemd/machines
 </summary>
@@ -106896,7 +107543,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_connect_machined" lineno="1510">
+<interface name="systemd_connect_machined" lineno="1534">
 <summary>
 Allow connecting to /run/systemd/userdb/io.systemd.Machine socket
 </summary>
@@ -106906,7 +107553,17 @@ Domain that can access the socket
 </summary>
 </param>
 </interface>
-<interface name="systemd_dbus_chat_machined" lineno="1529">
+<interface name="systemd_dontaudit_connect_machined" lineno="1552">
+<summary>
+dontaudit connecting to /run/systemd/userdb/io.systemd.Machine socket
+</summary>
+<param name="domain">
+<summary>
+Domain that can access the socket
+</summary>
+</param>
+</interface>
+<interface name="systemd_dbus_chat_machined" lineno="1571">
 <summary>
 Send and receive messages from
 systemd machined over dbus.
@@ -106917,7 +107574,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_dbus_chat_hostnamed" lineno="1550">
+<interface name="systemd_dbus_chat_hostnamed" lineno="1592">
 <summary>
 Send and receive messages from
 systemd hostnamed over dbus.
@@ -106928,7 +107585,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_use_passwd_agent_fds" lineno="1570">
+<interface name="systemd_use_passwd_agent_fds" lineno="1612">
 <summary>
 allow systemd_passwd_agent to inherit fds
 </summary>
@@ -106938,7 +107595,7 @@ Domain that owns the fds
 </summary>
 </param>
 </interface>
-<interface name="systemd_run_passwd_agent" lineno="1593">
+<interface name="systemd_run_passwd_agent" lineno="1635">
 <summary>
 allow systemd_passwd_agent to be run by admin
 </summary>
@@ -106953,7 +107610,7 @@ role that it runs in
 </summary>
 </param>
 </interface>
-<interface name="systemd_use_passwd_agent" lineno="1614">
+<interface name="systemd_use_passwd_agent" lineno="1656">
 <summary>
 Allow a systemd_passwd_agent_t process to interact with a daemon
 that needs a password from the sysadmin.
@@ -106964,7 +107621,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_filetrans_passwd_runtime_dirs" lineno="1638">
+<interface name="systemd_filetrans_passwd_runtime_dirs" lineno="1680">
 <summary>
 Transition to systemd_passwd_runtime_t when creating dirs
 </summary>
@@ -106974,7 +107631,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_filetrans_userdb_runtime_dirs" lineno="1659">
+<interface name="systemd_filetrans_userdb_runtime_dirs" lineno="1701">
 <summary>
 Transition to systemd_userdbd_runtime_t when
 creating the userdb directory inside an init runtime
@@ -106986,7 +107643,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_manage_passwd_runtime_symlinks" lineno="1677">
+<interface name="systemd_manage_passwd_runtime_symlinks" lineno="1719">
 <summary>
 Allow to domain to create systemd-passwd symlink
 </summary>
@@ -106996,7 +107653,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_watch_passwd_runtime_dirs" lineno="1695">
+<interface name="systemd_watch_passwd_runtime_dirs" lineno="1737">
 <summary>
 Allow a domain to watch systemd-passwd runtime dirs.
 </summary>
@@ -107006,7 +107663,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_list_journal_dirs" lineno="1713">
+<interface name="systemd_list_journal_dirs" lineno="1755">
 <summary>
 Allow domain to list the contents of systemd_journal_t dirs
 </summary>
@@ -107016,7 +107673,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_read_journal_files" lineno="1731">
+<interface name="systemd_read_journal_files" lineno="1773">
 <summary>
 Allow domain to read systemd_journal_t files
 </summary>
@@ -107026,7 +107683,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_manage_journal_files" lineno="1750">
+<interface name="systemd_manage_journal_files" lineno="1792">
 <summary>
 Allow domain to create/manage systemd_journal_t files
 </summary>
@@ -107036,7 +107693,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_watch_journal_dirs" lineno="1770">
+<interface name="systemd_watch_journal_dirs" lineno="1812">
 <summary>
 Allow domain to add a watch on systemd_journal_t directories
 </summary>
@@ -107046,7 +107703,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_relabelfrom_journal_files" lineno="1788">
+<interface name="systemd_relabelfrom_journal_files" lineno="1830">
 <summary>
 Relabel from systemd-journald file type.
 </summary>
@@ -107056,7 +107713,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_relabelto_journal_dirs" lineno="1806">
+<interface name="systemd_relabelto_journal_dirs" lineno="1848">
 <summary>
 Relabel to systemd-journald directory type.
 </summary>
@@ -107066,7 +107723,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_relabelto_journal_files" lineno="1825">
+<interface name="systemd_relabelto_journal_files" lineno="1867">
 <summary>
 Relabel to systemd-journald file type.
 </summary>
@@ -107076,7 +107733,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_read_networkd_units" lineno="1845">
+<interface name="systemd_read_networkd_units" lineno="1887">
 <summary>
 Allow domain to read systemd_networkd_t unit files
 </summary>
@@ -107086,7 +107743,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_manage_networkd_units" lineno="1865">
+<interface name="systemd_manage_networkd_units" lineno="1907">
 <summary>
 Allow domain to create/manage systemd_networkd_t unit files
 </summary>
@@ -107096,7 +107753,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_enabledisable_networkd" lineno="1885">
+<interface name="systemd_enabledisable_networkd" lineno="1927">
 <summary>
 Allow specified domain to enable systemd-networkd units
 </summary>
@@ -107106,7 +107763,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_startstop_networkd" lineno="1904">
+<interface name="systemd_startstop_networkd" lineno="1946">
 <summary>
 Allow specified domain to start systemd-networkd units
 </summary>
@@ -107116,7 +107773,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_dbus_chat_networkd" lineno="1924">
+<interface name="systemd_dbus_chat_networkd" lineno="1966">
 <summary>
 Send and receive messages from
 systemd networkd over dbus.
@@ -107127,7 +107784,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_status_networkd" lineno="1944">
+<interface name="systemd_status_networkd" lineno="1986">
 <summary>
 Allow specified domain to get status of systemd-networkd
 </summary>
@@ -107137,7 +107794,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_relabelfrom_networkd_tun_sockets" lineno="1963">
+<interface name="systemd_relabelfrom_networkd_tun_sockets" lineno="2005">
 <summary>
 Relabel systemd_networkd tun socket.
 </summary>
@@ -107147,7 +107804,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_rw_networkd_netlink_route_sockets" lineno="1981">
+<interface name="systemd_rw_networkd_netlink_route_sockets" lineno="2023">
 <summary>
 Read/Write from systemd_networkd netlink route socket.
 </summary>
@@ -107157,7 +107814,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_list_networkd_runtime" lineno="1999">
+<interface name="systemd_list_networkd_runtime" lineno="2041">
 <summary>
 Allow domain to list dirs under /run/systemd/netif
 </summary>
@@ -107167,7 +107824,7 @@ domain permitted the access
 </summary>
 </param>
 </interface>
-<interface name="systemd_watch_networkd_runtime_dirs" lineno="2018">
+<interface name="systemd_watch_networkd_runtime_dirs" lineno="2060">
 <summary>
 Watch directories under /run/systemd/netif
 </summary>
@@ -107177,7 +107834,7 @@ Domain permitted the access
 </summary>
 </param>
 </interface>
-<interface name="systemd_read_networkd_runtime" lineno="2037">
+<interface name="systemd_read_networkd_runtime" lineno="2079">
 <summary>
 Allow domain to read files generated by systemd_networkd
 </summary>
@@ -107187,7 +107844,7 @@ domain allowed access
 </summary>
 </param>
 </interface>
-<interface name="systemd_read_logind_state" lineno="2056">
+<interface name="systemd_read_logind_state" lineno="2098">
 <summary>
 Allow systemd_logind_t to read process state for cgroup file
 </summary>
@@ -107197,7 +107854,7 @@ Domain systemd_logind_t may access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_create_logind_linger_dir" lineno="2077">
+<interface name="systemd_create_logind_linger_dir" lineno="2119">
 <summary>
 Allow the specified domain to create
 the systemd-logind linger directory with
@@ -107209,7 +107866,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_start_user_manager_units" lineno="2097">
+<interface name="systemd_start_user_manager_units" lineno="2139">
 <summary>
 Allow the specified domain to start systemd
 user manager units (systemd --user).
@@ -107220,7 +107877,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_stop_user_manager_units" lineno="2117">
+<interface name="systemd_stop_user_manager_units" lineno="2159">
 <summary>
 Allow the specified domain to stop systemd
 user manager units (systemd --user).
@@ -107231,7 +107888,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_reload_user_manager_units" lineno="2137">
+<interface name="systemd_reload_user_manager_units" lineno="2179">
 <summary>
 Allow the specified domain to reload systemd
 user manager units (systemd --user).
@@ -107242,7 +107899,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_get_user_manager_units_status" lineno="2157">
+<interface name="systemd_get_user_manager_units_status" lineno="2199">
 <summary>
 Get the status of systemd user manager
 units (systemd --user).
@@ -107253,7 +107910,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_start_power_units" lineno="2176">
+<interface name="systemd_start_power_units" lineno="2218">
 <summary>
 Allow specified domain to start power units
 </summary>
@@ -107263,7 +107920,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="systemd_status_power_units" lineno="2195">
+<interface name="systemd_status_power_units" lineno="2237">
 <summary>
 Get the system status information about power units
 </summary>
@@ -107273,7 +107930,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_stream_connect_socket_proxyd" lineno="2214">
+<interface name="systemd_stream_connect_socket_proxyd" lineno="2256">
 <summary>
 Allows connections to the systemd-socket-proxyd's socket.
 </summary>
@@ -107283,7 +107940,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_tmpfiles_conf_file" lineno="2233">
+<interface name="systemd_tmpfiles_conf_file" lineno="2275">
 <summary>
 Make the specified type usable for
 systemd tmpfiles config files.
@@ -107294,7 +107951,7 @@ Type to be used for systemd tmpfiles config files.
 </summary>
 </param>
 </interface>
-<interface name="systemd_tmpfiles_creator" lineno="2254">
+<interface name="systemd_tmpfiles_creator" lineno="2296">
 <summary>
 Allow the specified domain to create
 the tmpfiles config directory with
@@ -107306,7 +107963,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_tmpfiles_conf_filetrans" lineno="2290">
+<interface name="systemd_tmpfiles_conf_filetrans" lineno="2332">
 <summary>
 Create an object in the systemd tmpfiles config
 directory, with a private type
@@ -107333,7 +107990,7 @@ The name of the object being created.
 </summary>
 </param>
 </interface>
-<interface name="systemd_list_tmpfiles_conf" lineno="2309">
+<interface name="systemd_list_tmpfiles_conf" lineno="2351">
 <summary>
 Allow domain to list systemd tmpfiles config directory
 </summary>
@@ -107343,7 +108000,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_relabelto_tmpfiles_conf_dirs" lineno="2327">
+<interface name="systemd_relabelto_tmpfiles_conf_dirs" lineno="2369">
 <summary>
 Allow domain to relabel to systemd tmpfiles config directory
 </summary>
@@ -107353,7 +108010,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_relabelto_tmpfiles_conf_files" lineno="2345">
+<interface name="systemd_relabelto_tmpfiles_conf_files" lineno="2387">
 <summary>
 Allow domain to relabel to systemd tmpfiles config files
 </summary>
@@ -107363,7 +108020,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_tmpfilesd_managed" lineno="2363">
+<interface name="systemd_tmpfilesd_managed" lineno="2405">
 <summary>
 Allow systemd_tmpfiles_t to manage filesystem objects
 </summary>
@@ -107373,7 +108030,7 @@ Type of object to manage
 </summary>
 </param>
 </interface>
-<interface name="systemd_stream_connect_resolved" lineno="2390">
+<interface name="systemd_stream_connect_resolved" lineno="2432">
 <summary>
 Connect to systemd resolved over
 /run/systemd/resolve/io.systemd.Resolve .
@@ -107384,7 +108041,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_dbus_chat_resolved" lineno="2411">
+<interface name="systemd_dbus_chat_resolved" lineno="2453">
 <summary>
 Send and receive messages from
 systemd resolved over dbus.
@@ -107395,7 +108052,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_read_resolved_runtime" lineno="2431">
+<interface name="systemd_read_resolved_runtime" lineno="2473">
 <summary>
 Allow domain to read resolv.conf file generated by systemd_resolved
 </summary>
@@ -107405,7 +108062,7 @@ domain allowed access
 </summary>
 </param>
 </interface>
-<interface name="systemd_exec_systemctl" lineno="2453">
+<interface name="systemd_exec_systemctl" lineno="2495">
 <summary>
 Execute the systemctl program.
 </summary>
@@ -107415,7 +108072,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_getattr_updated_runtime" lineno="2484">
+<interface name="systemd_getattr_updated_runtime" lineno="2526">
 <summary>
 Allow domain to getattr on .updated file (generated by systemd-update-done
 </summary>
@@ -107425,7 +108082,7 @@ domain allowed access
 </summary>
 </param>
 </interface>
-<interface name="systemd_search_all_user_keys" lineno="2502">
+<interface name="systemd_search_all_user_keys" lineno="2544">
 <summary>
 Search keys for the all systemd --user domains.
 </summary>
@@ -107435,7 +108092,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_create_all_user_keys" lineno="2520">
+<interface name="systemd_create_all_user_keys" lineno="2562">
 <summary>
 Create keys for the all systemd --user domains.
 </summary>
@@ -107445,7 +108102,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_write_all_user_keys" lineno="2538">
+<interface name="systemd_write_all_user_keys" lineno="2580">
 <summary>
 Write keys for the all systemd --user domains.
 </summary>
@@ -107455,7 +108112,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_domtrans_sysusers" lineno="2557">
+<interface name="systemd_domtrans_sysusers" lineno="2599">
 <summary>
 Execute systemd-sysusers in the
 systemd sysusers domain.
@@ -107466,7 +108123,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_run_sysusers" lineno="2582">
+<interface name="systemd_run_sysusers" lineno="2624">
 <summary>
 Run systemd-sysusers with a domain transition.
 </summary>
@@ -107482,7 +108139,7 @@ Role allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="systemd_use_inherited_machined_ptys" lineno="2602">
+<interface name="systemd_use_inherited_machined_ptys" lineno="2644">
 <summary>
 receive and use a systemd_machined_devpts_t file handle
 </summary>
@@ -108462,7 +109119,7 @@ is the prefix for user_t).
 </param>
 <rolebase/>
 </template>
-<template name="userdom_user_content_access_template" lineno="181">
+<template name="userdom_user_content_access_template" lineno="188">
 <summary>
 Template for handling user content through standard tunables
 </summary>
@@ -108491,7 +109148,7 @@ The application domain which is granted the necessary privileges
 </param>
 <rolebase/>
 </template>
-<interface name="userdom_application_exec_domain" lineno="266">
+<interface name="userdom_application_exec_domain" lineno="273">
 <summary>
 Associate the specified domain to be
 a domain capable of executing other
@@ -108511,7 +109168,7 @@ is the prefix for user_t).
 </param>
 <rolebase/>
 </interface>
-<interface name="userdom_ro_home_role" lineno="300">
+<interface name="userdom_ro_home_role" lineno="307">
 <summary>
 Allow a home directory for which the
 role has read-only access.
@@ -108537,7 +109194,7 @@ The user domain
 </param>
 <rolebase/>
 </interface>
-<interface name="userdom_manage_home_role" lineno="377">
+<interface name="userdom_manage_home_role" lineno="384">
 <summary>
 Allow a home directory for which the
 role has full access.
@@ -108563,7 +109220,7 @@ The user domain
 </param>
 <rolebase/>
 </interface>
-<interface name="userdom_manage_tmp_role" lineno="472">
+<interface name="userdom_manage_tmp_role" lineno="479">
 <summary>
 Manage user temporary files
 </summary>
@@ -108579,7 +109236,7 @@ Domain allowed access.
 </param>
 <rolebase/>
 </interface>
-<interface name="userdom_exec_user_tmp_files" lineno="499">
+<interface name="userdom_exec_user_tmp_files" lineno="506">
 <summary>
 The execute access user temporary files.
 </summary>
@@ -108590,7 +109247,7 @@ Domain allowed access.
 </param>
 <rolebase/>
 </interface>
-<interface name="userdom_manage_tmpfs_role" lineno="535">
+<interface name="userdom_manage_tmpfs_role" lineno="542">
 <summary>
 Role access for the user tmpfs type
 that the user has full access.
@@ -108616,7 +109273,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<template name="userdom_basic_networking_template" lineno="561">
+<template name="userdom_basic_networking_template" lineno="568">
 <summary>
 The template allowing the user basic
 network permissions
@@ -108629,7 +109286,7 @@ is the prefix for user_t).
 </param>
 <rolebase/>
 </template>
-<template name="userdom_change_password_template" lineno="601">
+<template name="userdom_change_password_template" lineno="608">
 <summary>
 The template for allowing the user to change passwords.
 </summary>
@@ -108641,7 +109298,7 @@ is the prefix for user_t).
 </param>
 <rolebase/>
 </template>
-<template name="userdom_common_user_template" lineno="631">
+<template name="userdom_common_user_template" lineno="638">
 <summary>
 The template containing rules common to unprivileged
 users and administrative users.
@@ -108659,7 +109316,7 @@ is the prefix for user_t).
 </summary>
 </param>
 </template>
-<template name="userdom_login_user_template" lineno="958">
+<template name="userdom_login_user_template" lineno="965">
 <summary>
 The template for creating a login user.
 </summary>
@@ -108677,7 +109334,7 @@ is the prefix for user_t).
 </summary>
 </param>
 </template>
-<template name="userdom_restricted_user_template" lineno="1081">
+<template name="userdom_restricted_user_template" lineno="1089">
 <summary>
 The template for creating a unprivileged login user.
 </summary>
@@ -108695,7 +109352,7 @@ is the prefix for user_t).
 </summary>
 </param>
 </template>
-<template name="userdom_restricted_xwindows_user_template" lineno="1122">
+<template name="userdom_restricted_xwindows_user_template" lineno="1130">
 <summary>
 The template for creating a unprivileged xwindows login user.
 </summary>
@@ -108716,7 +109373,7 @@ is the prefix for user_t).
 </summary>
 </param>
 </template>
-<template name="userdom_unpriv_user_template" lineno="1205">
+<template name="userdom_unpriv_user_template" lineno="1211">
 <summary>
 The template for creating a unprivileged user roughly
 equivalent to a regular linux user.
@@ -108739,7 +109396,7 @@ is the prefix for user_t).
 </summary>
 </param>
 </template>
-<template name="userdom_admin_user_template" lineno="1325">
+<template name="userdom_admin_user_template" lineno="1331">
 <summary>
 The template for creating an administrative user.
 </summary>
@@ -108768,7 +109425,7 @@ is the prefix for sysadm_t).
 </summary>
 </param>
 </template>
-<interface name="userdom_security_admin_template" lineno="1506">
+<interface name="userdom_security_admin_template" lineno="1512">
 <summary>
 Allow user to run as a secadm
 </summary>
@@ -108794,7 +109451,7 @@ The role  of the object to create.
 </summary>
 </param>
 </interface>
-<template name="userdom_xdg_user_template" lineno="1609">
+<template name="userdom_xdg_user_template" lineno="1615">
 <summary>
 Allow user to interact with xdg content types
 </summary>
@@ -108815,7 +109472,7 @@ Domain allowed access.
 </summary>
 </param>
 </template>
-<interface name="userdom_user_application_type" lineno="1658">
+<interface name="userdom_user_application_type" lineno="1664">
 <summary>
 Make the specified type usable as
 a user application domain type.
@@ -108826,7 +109483,7 @@ Type to be used as a user application domain.
 </summary>
 </param>
 </interface>
-<interface name="userdom_user_application_domain" lineno="1679">
+<interface name="userdom_user_application_domain" lineno="1685">
 <summary>
 Make the specified type usable as
 a user application domain.
@@ -108842,7 +109499,7 @@ Type to be used as the domain entry point.
 </summary>
 </param>
 </interface>
-<interface name="userdom_user_home_content" lineno="1696">
+<interface name="userdom_user_home_content" lineno="1702">
 <summary>
 Make the specified type usable in a
 user home directory.
@@ -108854,7 +109511,7 @@ user home directory.
 </summary>
 </param>
 </interface>
-<interface name="userdom_user_tmp_file" lineno="1722">
+<interface name="userdom_user_tmp_file" lineno="1728">
 <summary>
 Make the specified type usable as a
 user temporary file.
@@ -108866,7 +109523,7 @@ temporary directories.
 </summary>
 </param>
 </interface>
-<interface name="userdom_user_tmpfs_file" lineno="1739">
+<interface name="userdom_user_tmpfs_file" lineno="1745">
 <summary>
 Make the specified type usable as a
 user tmpfs file.
@@ -108878,7 +109535,7 @@ tmpfs directories.
 </summary>
 </param>
 </interface>
-<interface name="userdom_attach_admin_tun_iface" lineno="1754">
+<interface name="userdom_attach_admin_tun_iface" lineno="1760">
 <summary>
 Allow domain to attach to TUN devices created by administrative users.
 </summary>
@@ -108888,7 +109545,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_setattr_user_ptys" lineno="1773">
+<interface name="userdom_setattr_user_ptys" lineno="1779">
 <summary>
 Set the attributes of a user pty.
 </summary>
@@ -108898,7 +109555,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_create_user_pty" lineno="1791">
+<interface name="userdom_create_user_pty" lineno="1797">
 <summary>
 Create a user pty.
 </summary>
@@ -108908,7 +109565,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_getattr_user_home_dirs" lineno="1809">
+<interface name="userdom_getattr_user_home_dirs" lineno="1815">
 <summary>
 Get the attributes of user home directories.
 </summary>
@@ -108918,7 +109575,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_dontaudit_getattr_user_home_dirs" lineno="1828">
+<interface name="userdom_dontaudit_getattr_user_home_dirs" lineno="1834">
 <summary>
 Do not audit attempts to get the attributes of user home directories.
 </summary>
@@ -108928,7 +109585,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="userdom_search_user_home_dirs" lineno="1846">
+<interface name="userdom_search_user_home_dirs" lineno="1852">
 <summary>
 Search user home directories.
 </summary>
@@ -108938,7 +109595,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_dontaudit_search_user_home_dirs" lineno="1873">
+<interface name="userdom_dontaudit_search_user_home_dirs" lineno="1879">
 <summary>
 Do not audit attempts to search user home directories.
 </summary>
@@ -108956,7 +109613,7 @@ Domain to not audit.
 </param>
 <infoflow type="none"/>
 </interface>
-<interface name="userdom_list_user_home_dirs" lineno="1891">
+<interface name="userdom_list_user_home_dirs" lineno="1897">
 <summary>
 List user home directories.
 </summary>
@@ -108966,7 +109623,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_dontaudit_list_user_home_dirs" lineno="1910">
+<interface name="userdom_dontaudit_list_user_home_dirs" lineno="1916">
 <summary>
 Do not audit attempts to list user home subdirectories.
 </summary>
@@ -108976,7 +109633,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="userdom_create_user_home_dirs" lineno="1928">
+<interface name="userdom_create_user_home_dirs" lineno="1934">
 <summary>
 Create user home directories.
 </summary>
@@ -108986,7 +109643,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_manage_user_home_dirs" lineno="1946">
+<interface name="userdom_manage_user_home_dirs" lineno="1952">
 <summary>
 Manage user home directories.
 </summary>
@@ -108996,7 +109653,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_dontaudit_manage_user_home_dirs" lineno="1965">
+<interface name="userdom_dontaudit_manage_user_home_dirs" lineno="1971">
 <summary>
 Do not audit attempts to manage user
 home directories.
@@ -109007,7 +109664,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="userdom_relabelto_user_home_dirs" lineno="1983">
+<interface name="userdom_relabelto_user_home_dirs" lineno="1989">
 <summary>
 Relabel to user home directories.
 </summary>
@@ -109017,7 +109674,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_home_filetrans_user_home_dir" lineno="2007">
+<interface name="userdom_home_filetrans_user_home_dir" lineno="2013">
 <summary>
 Create directories in the home dir root with
 the user home directory type.
@@ -109033,7 +109690,7 @@ The name of the object being created.
 </summary>
 </param>
 </interface>
-<interface name="userdom_user_home_domtrans" lineno="2044">
+<interface name="userdom_user_home_domtrans" lineno="2050">
 <summary>
 Do a domain transition to the specified
 domain when executing a program in the
@@ -109062,7 +109719,7 @@ Domain to transition to.
 </summary>
 </param>
 </interface>
-<interface name="userdom_dontaudit_search_user_home_content" lineno="2064">
+<interface name="userdom_dontaudit_search_user_home_content" lineno="2070">
 <summary>
 Do not audit attempts to search user home content directories.
 </summary>
@@ -109072,7 +109729,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="userdom_list_all_user_home_content" lineno="2082">
+<interface name="userdom_list_all_user_home_content" lineno="2088">
 <summary>
 List all users home content directories.
 </summary>
@@ -109082,7 +109739,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_list_user_home_content" lineno="2101">
+<interface name="userdom_list_user_home_content" lineno="2107">
 <summary>
 List contents of users home directory.
 </summary>
@@ -109092,7 +109749,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_manage_user_home_content_dirs" lineno="2120">
+<interface name="userdom_manage_user_home_content_dirs" lineno="2126">
 <summary>
 Create, read, write, and delete directories
 in a user home subdirectory.
@@ -109103,7 +109760,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_delete_all_user_home_content_dirs" lineno="2139">
+<interface name="userdom_delete_all_user_home_content_dirs" lineno="2145">
 <summary>
 Delete all user home content directories.
 </summary>
@@ -109113,7 +109770,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_delete_user_home_content_dirs" lineno="2159">
+<interface name="userdom_delete_user_home_content_dirs" lineno="2165">
 <summary>
 Delete directories in a user home subdirectory.
 </summary>
@@ -109123,7 +109780,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_setattr_all_user_home_content_dirs" lineno="2177">
+<interface name="userdom_setattr_all_user_home_content_dirs" lineno="2183">
 <summary>
 Set attributes of all user home content directories.
 </summary>
@@ -109133,7 +109790,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_dontaudit_setattr_user_home_content_files" lineno="2197">
+<interface name="userdom_dontaudit_setattr_user_home_content_files" lineno="2203">
 <summary>
 Do not audit attempts to set the
 attributes of user home files.
@@ -109144,7 +109801,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="userdom_map_user_home_content_files" lineno="2215">
+<interface name="userdom_map_user_home_content_files" lineno="2221">
 <summary>
 Map user home files.
 </summary>
@@ -109154,7 +109811,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_mmap_user_home_content_files" lineno="2233">
+<interface name="userdom_mmap_user_home_content_files" lineno="2239">
 <summary>
 Mmap user home files.
 </summary>
@@ -109164,7 +109821,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_read_user_home_content_files" lineno="2252">
+<interface name="userdom_read_user_home_content_files" lineno="2258">
 <summary>
 Read user home files.
 </summary>
@@ -109174,7 +109831,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_dontaudit_read_user_home_content_files" lineno="2271">
+<interface name="userdom_dontaudit_read_user_home_content_files" lineno="2277">
 <summary>
 Do not audit attempts to read user home files.
 </summary>
@@ -109184,7 +109841,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="userdom_read_all_user_home_content" lineno="2290">
+<interface name="userdom_read_all_user_home_content" lineno="2296">
 <summary>
 Read all user home content, including application-specific resources.
 </summary>
@@ -109194,7 +109851,7 @@ Domain allowed access
 </summary>
 </param>
 </interface>
-<interface name="userdom_manage_all_user_home_content" lineno="2312">
+<interface name="userdom_manage_all_user_home_content" lineno="2318">
 <summary>
 Manage all user home content, including application-specific resources.
 </summary>
@@ -109204,7 +109861,7 @@ Domain allowed access
 </summary>
 </param>
 </interface>
-<interface name="userdom_map_all_user_home_content_files" lineno="2334">
+<interface name="userdom_map_all_user_home_content_files" lineno="2340">
 <summary>
 Map all user home content, including application-specific resources.
 </summary>
@@ -109214,7 +109871,7 @@ Domain allowed access
 </summary>
 </param>
 </interface>
-<interface name="userdom_dontaudit_append_user_home_content_files" lineno="2352">
+<interface name="userdom_dontaudit_append_user_home_content_files" lineno="2358">
 <summary>
 Do not audit attempts to append user home files.
 </summary>
@@ -109224,7 +109881,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="userdom_dontaudit_write_user_home_content_files" lineno="2370">
+<interface name="userdom_dontaudit_write_user_home_content_files" lineno="2376">
 <summary>
 Do not audit attempts to write user home files.
 </summary>
@@ -109234,7 +109891,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="userdom_delete_all_user_home_content_files" lineno="2388">
+<interface name="userdom_delete_all_user_home_content_files" lineno="2394">
 <summary>
 Delete all user home content files.
 </summary>
@@ -109244,7 +109901,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_delete_user_home_content_files" lineno="2408">
+<interface name="userdom_delete_user_home_content_files" lineno="2414">
 <summary>
 Delete files in a user home subdirectory.
 </summary>
@@ -109254,7 +109911,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_relabel_generic_user_home_dirs" lineno="2426">
+<interface name="userdom_relabel_generic_user_home_dirs" lineno="2432">
 <summary>
 Relabel generic user home dirs.
 </summary>
@@ -109264,7 +109921,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_relabel_generic_user_home_files" lineno="2444">
+<interface name="userdom_relabel_generic_user_home_files" lineno="2450">
 <summary>
 Relabel generic user home files.
 </summary>
@@ -109274,7 +109931,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_dontaudit_relabel_user_home_content_files" lineno="2462">
+<interface name="userdom_dontaudit_relabel_user_home_content_files" lineno="2468">
 <summary>
 Do not audit attempts to relabel user home files.
 </summary>
@@ -109284,7 +109941,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="userdom_read_user_home_content_symlinks" lineno="2480">
+<interface name="userdom_read_user_home_content_symlinks" lineno="2486">
 <summary>
 Read user home subdirectory symbolic links.
 </summary>
@@ -109294,7 +109951,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_exec_user_home_content_files" lineno="2500">
+<interface name="userdom_exec_user_home_content_files" lineno="2506">
 <summary>
 Execute user home files.
 </summary>
@@ -109305,7 +109962,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="userdom_dontaudit_exec_user_home_content_files" lineno="2527">
+<interface name="userdom_dontaudit_exec_user_home_content_files" lineno="2533">
 <summary>
 Do not audit attempts to execute user home files.
 </summary>
@@ -109315,7 +109972,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="userdom_manage_user_home_content_files" lineno="2546">
+<interface name="userdom_manage_user_home_content_files" lineno="2552">
 <summary>
 Create, read, write, and delete files
 in a user home subdirectory.
@@ -109326,7 +109983,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_dontaudit_manage_user_home_content_dirs" lineno="2567">
+<interface name="userdom_dontaudit_manage_user_home_content_dirs" lineno="2573">
 <summary>
 Do not audit attempts to create, read, write, and delete directories
 in a user home subdirectory.
@@ -109337,7 +109994,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="userdom_manage_user_home_content_symlinks" lineno="2586">
+<interface name="userdom_manage_user_home_content_symlinks" lineno="2592">
 <summary>
 Create, read, write, and delete symbolic links
 in a user home subdirectory.
@@ -109348,7 +110005,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_delete_all_user_home_content_symlinks" lineno="2606">
+<interface name="userdom_delete_all_user_home_content_symlinks" lineno="2612">
 <summary>
 Delete all user home content symbolic links.
 </summary>
@@ -109358,7 +110015,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_delete_user_home_content_symlinks" lineno="2626">
+<interface name="userdom_delete_user_home_content_symlinks" lineno="2632">
 <summary>
 Delete symbolic links in a user home directory.
 </summary>
@@ -109368,7 +110025,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_manage_user_home_content_pipes" lineno="2645">
+<interface name="userdom_manage_user_home_content_pipes" lineno="2651">
 <summary>
 Create, read, write, and delete named pipes
 in a user home subdirectory.
@@ -109379,7 +110036,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_manage_user_home_content_sockets" lineno="2666">
+<interface name="userdom_manage_user_home_content_sockets" lineno="2672">
 <summary>
 Create, read, write, and delete named sockets
 in a user home subdirectory.
@@ -109390,7 +110047,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_user_home_dir_filetrans" lineno="2703">
+<interface name="userdom_user_home_dir_filetrans" lineno="2709">
 <summary>
 Create objects in a user home directory
 with an automatic type transition to
@@ -109417,7 +110074,7 @@ The name of the object being created.
 </summary>
 </param>
 </interface>
-<interface name="userdom_user_home_content_filetrans" lineno="2740">
+<interface name="userdom_user_home_content_filetrans" lineno="2746">
 <summary>
 Create objects in a directory located
 in a user home directory with an
@@ -109445,7 +110102,7 @@ The name of the object being created.
 </summary>
 </param>
 </interface>
-<interface name="userdom_user_home_dir_filetrans_user_cert" lineno="2771">
+<interface name="userdom_user_home_dir_filetrans_user_cert" lineno="2777">
 <summary>
 Automatically use the user_cert_t label for selected resources
 created in a users home directory
@@ -109466,7 +110123,7 @@ Name of the resource that is being created
 </summary>
 </param>
 </interface>
-<interface name="userdom_user_home_dir_filetrans_user_home_content" lineno="2801">
+<interface name="userdom_user_home_dir_filetrans_user_home_content" lineno="2807">
 <summary>
 Create objects in a user home directory
 with an automatic type transition to
@@ -109488,7 +110145,7 @@ The name of the object being created.
 </summary>
 </param>
 </interface>
-<interface name="userdom_exec_user_bin_files" lineno="2820">
+<interface name="userdom_exec_user_bin_files" lineno="2826">
 <summary>
 Execute user executable files.
 </summary>
@@ -109498,7 +110155,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_manage_user_bin" lineno="2840">
+<interface name="userdom_manage_user_bin" lineno="2846">
 <summary>
 Manage user executable files.
 </summary>
@@ -109508,7 +110165,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_read_user_certs" lineno="2862">
+<interface name="userdom_read_user_certs" lineno="2868">
 <summary>
 Read user SSL certificates.
 </summary>
@@ -109519,7 +110176,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="userdom_dontaudit_manage_user_certs" lineno="2885">
+<interface name="userdom_dontaudit_manage_user_certs" lineno="2891">
 <summary>
 Do not audit attempts to manage
 the user SSL certificates.
@@ -109531,7 +110188,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="userdom_manage_user_certs" lineno="2905">
+<interface name="userdom_manage_user_certs" lineno="2911">
 <summary>
 Manage user SSL certificates.
 </summary>
@@ -109541,7 +110198,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_write_user_tmp_sockets" lineno="2926">
+<interface name="userdom_write_user_tmp_sockets" lineno="2932">
 <summary>
 Write to user temporary named sockets.
 </summary>
@@ -109551,7 +110208,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_list_user_tmp" lineno="2946">
+<interface name="userdom_list_user_tmp" lineno="2952">
 <summary>
 List user temporary directories.
 </summary>
@@ -109561,7 +110218,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_dontaudit_list_user_tmp" lineno="2968">
+<interface name="userdom_dontaudit_list_user_tmp" lineno="2974">
 <summary>
 Do not audit attempts to list user
 temporary directories.
@@ -109572,7 +110229,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="userdom_delete_user_tmp_dirs" lineno="2986">
+<interface name="userdom_delete_user_tmp_dirs" lineno="2992">
 <summary>
 Delete users temporary directories.
 </summary>
@@ -109582,7 +110239,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_dontaudit_manage_user_tmp_dirs" lineno="3005">
+<interface name="userdom_dontaudit_manage_user_tmp_dirs" lineno="3011">
 <summary>
 Do not audit attempts to manage users
 temporary directories.
@@ -109593,7 +110250,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="userdom_read_user_tmp_files" lineno="3023">
+<interface name="userdom_read_user_tmp_files" lineno="3029">
 <summary>
 Read user temporary files.
 </summary>
@@ -109603,7 +110260,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_map_user_tmp_files" lineno="3044">
+<interface name="userdom_map_user_tmp_files" lineno="3050">
 <summary>
 Map user temporary files.
 </summary>
@@ -109613,7 +110270,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_dontaudit_read_user_tmp_files" lineno="3063">
+<interface name="userdom_dontaudit_read_user_tmp_files" lineno="3069">
 <summary>
 Do not audit attempts to read users
 temporary files.
@@ -109624,7 +110281,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="userdom_dontaudit_append_user_tmp_files" lineno="3082">
+<interface name="userdom_dontaudit_append_user_tmp_files" lineno="3088">
 <summary>
 Do not audit attempts to append users
 temporary files.
@@ -109635,7 +110292,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="userdom_rw_user_tmp_files" lineno="3100">
+<interface name="userdom_rw_user_tmp_files" lineno="3106">
 <summary>
 Read and write user temporary files.
 </summary>
@@ -109645,7 +110302,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_delete_user_tmp_files" lineno="3121">
+<interface name="userdom_delete_user_tmp_files" lineno="3127">
 <summary>
 Delete users temporary files.
 </summary>
@@ -109655,7 +110312,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_dontaudit_manage_user_tmp_files" lineno="3140">
+<interface name="userdom_dontaudit_manage_user_tmp_files" lineno="3146">
 <summary>
 Do not audit attempts to manage users
 temporary files.
@@ -109666,7 +110323,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="userdom_read_user_tmp_symlinks" lineno="3158">
+<interface name="userdom_read_user_tmp_symlinks" lineno="3164">
 <summary>
 Read user temporary symbolic links.
 </summary>
@@ -109676,7 +110333,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_delete_user_tmp_symlinks" lineno="3179">
+<interface name="userdom_delete_user_tmp_symlinks" lineno="3185">
 <summary>
 Delete users temporary symbolic links.
 </summary>
@@ -109686,7 +110343,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_manage_user_tmp_dirs" lineno="3198">
+<interface name="userdom_manage_user_tmp_dirs" lineno="3204">
 <summary>
 Create, read, write, and delete user
 temporary directories.
@@ -109697,7 +110354,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_delete_user_tmp_named_pipes" lineno="3218">
+<interface name="userdom_delete_user_tmp_named_pipes" lineno="3224">
 <summary>
 Delete users temporary named pipes.
 </summary>
@@ -109707,7 +110364,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_manage_user_tmp_files" lineno="3237">
+<interface name="userdom_manage_user_tmp_files" lineno="3243">
 <summary>
 Create, read, write, and delete user
 temporary files.
@@ -109718,7 +110375,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_delete_user_tmp_named_sockets" lineno="3257">
+<interface name="userdom_delete_user_tmp_named_sockets" lineno="3263">
 <summary>
 Delete users temporary named sockets.
 </summary>
@@ -109728,7 +110385,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_manage_user_tmp_symlinks" lineno="3276">
+<interface name="userdom_manage_user_tmp_symlinks" lineno="3282">
 <summary>
 Create, read, write, and delete user
 temporary symbolic links.
@@ -109739,7 +110396,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_dontaudit_rw_user_tmp_pipes" lineno="3297">
+<interface name="userdom_dontaudit_rw_user_tmp_pipes" lineno="3303">
 <summary>
 Do not audit attempts to read and write
 temporary pipes.
@@ -109750,7 +110407,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_manage_user_tmp_pipes" lineno="3316">
+<interface name="userdom_manage_user_tmp_pipes" lineno="3322">
 <summary>
 Create, read, write, and delete user
 temporary named pipes.
@@ -109761,7 +110418,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_manage_user_tmp_sockets" lineno="3337">
+<interface name="userdom_manage_user_tmp_sockets" lineno="3343">
 <summary>
 Create, read, write, and delete user
 temporary named sockets.
@@ -109772,7 +110429,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_user_tmp_filetrans" lineno="3374">
+<interface name="userdom_user_tmp_filetrans" lineno="3380">
 <summary>
 Create objects in a user temporary directory
 with an automatic type transition to
@@ -109799,7 +110456,7 @@ The name of the object being created.
 </summary>
 </param>
 </interface>
-<interface name="userdom_tmp_filetrans_user_tmp" lineno="3406">
+<interface name="userdom_tmp_filetrans_user_tmp" lineno="3412">
 <summary>
 Create objects in the temporary directory
 with an automatic type transition to
@@ -109821,7 +110478,7 @@ The name of the object being created.
 </summary>
 </param>
 </interface>
-<interface name="userdom_map_user_tmpfs_files" lineno="3424">
+<interface name="userdom_map_user_tmpfs_files" lineno="3430">
 <summary>
 Map user tmpfs files.
 </summary>
@@ -109831,7 +110488,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_read_user_tmpfs_files" lineno="3442">
+<interface name="userdom_read_user_tmpfs_files" lineno="3448">
 <summary>
 Read user tmpfs files.
 </summary>
@@ -109841,7 +110498,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_dontaudit_read_user_tmpfs_files" lineno="3462">
+<interface name="userdom_dontaudit_read_user_tmpfs_files" lineno="3468">
 <summary>
 dontaudit Read attempts of user tmpfs files.
 </summary>
@@ -109851,7 +110508,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_relabel_user_tmpfs_dirs" lineno="3481">
+<interface name="userdom_relabel_user_tmpfs_dirs" lineno="3487">
 <summary>
 relabel to/from user tmpfs dirs
 </summary>
@@ -109861,7 +110518,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_relabel_user_tmpfs_files" lineno="3500">
+<interface name="userdom_relabel_user_tmpfs_files" lineno="3506">
 <summary>
 relabel to/from user tmpfs files
 </summary>
@@ -109871,7 +110528,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_user_runtime_content" lineno="3522">
+<interface name="userdom_user_runtime_content" lineno="3528">
 <summary>
 Make the specified type usable in
 the directory /run/user/%{USERID}/.
@@ -109883,7 +110540,7 @@ user_runtime_content_dir_t.
 </summary>
 </param>
 </interface>
-<interface name="userdom_search_user_runtime" lineno="3542">
+<interface name="userdom_search_user_runtime" lineno="3548">
 <summary>
 Search users runtime directories.
 </summary>
@@ -109893,7 +110550,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_search_user_runtime_root" lineno="3561">
+<interface name="userdom_search_user_runtime_root" lineno="3567">
 <summary>
 Search user runtime root directories.
 </summary>
@@ -109903,7 +110560,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_dontaudit_search_user_runtime_root" lineno="3581">
+<interface name="userdom_dontaudit_search_user_runtime_root" lineno="3587">
 <summary>
 Do not audit attempts to search
 user runtime root directories.
@@ -109914,7 +110571,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="userdom_manage_user_runtime_root_dirs" lineno="3600">
+<interface name="userdom_manage_user_runtime_root_dirs" lineno="3606">
 <summary>
 Create, read, write, and delete user
 runtime root dirs.
@@ -109925,7 +110582,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_relabel_user_runtime_root_dirs" lineno="3619">
+<interface name="userdom_relabel_user_runtime_root_dirs" lineno="3625">
 <summary>
 Relabel to and from user runtime root dirs.
 </summary>
@@ -109935,7 +110592,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_manage_user_runtime_dirs" lineno="3638">
+<interface name="userdom_manage_user_runtime_dirs" lineno="3644">
 <summary>
 Create, read, write, and delete user
 runtime dirs.
@@ -109946,7 +110603,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_mounton_user_runtime_dirs" lineno="3658">
+<interface name="userdom_mounton_user_runtime_dirs" lineno="3664">
 <summary>
 Mount a filesystem on user runtime dir
 directories.
@@ -109957,7 +110614,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_relabelto_user_runtime_dirs" lineno="3676">
+<interface name="userdom_relabelto_user_runtime_dirs" lineno="3682">
 <summary>
 Relabel to user runtime directories.
 </summary>
@@ -109967,7 +110624,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_relabelfrom_user_runtime_dirs" lineno="3694">
+<interface name="userdom_relabelfrom_user_runtime_dirs" lineno="3700">
 <summary>
 Relabel from user runtime directories.
 </summary>
@@ -109977,7 +110634,17 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_delete_user_runtime_files" lineno="3712">
+<interface name="userdom_write_all_user_runtime_named_sockets" lineno="3718">
+<summary>
+write user runtime socket files
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="userdom_delete_user_runtime_files" lineno="3737">
 <summary>
 delete user runtime files
 </summary>
@@ -109987,7 +110654,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_search_all_user_runtime" lineno="3731">
+<interface name="userdom_search_all_user_runtime" lineno="3756">
 <summary>
 Search users runtime directories.
 </summary>
@@ -109997,7 +110664,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_list_all_user_runtime" lineno="3750">
+<interface name="userdom_list_all_user_runtime" lineno="3775">
 <summary>
 List user runtime directories.
 </summary>
@@ -110007,7 +110674,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_delete_all_user_runtime_dirs" lineno="3769">
+<interface name="userdom_delete_all_user_runtime_dirs" lineno="3794">
 <summary>
 delete user runtime directories
 </summary>
@@ -110017,7 +110684,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_delete_all_user_runtime_files" lineno="3787">
+<interface name="userdom_delete_all_user_runtime_files" lineno="3812">
 <summary>
 delete user runtime files
 </summary>
@@ -110027,7 +110694,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_delete_all_user_runtime_symlinks" lineno="3805">
+<interface name="userdom_delete_all_user_runtime_symlinks" lineno="3830">
 <summary>
 delete user runtime symlink files
 </summary>
@@ -110037,7 +110704,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_delete_all_user_runtime_named_pipes" lineno="3823">
+<interface name="userdom_delete_all_user_runtime_named_pipes" lineno="3848">
 <summary>
 delete user runtime fifo files
 </summary>
@@ -110047,7 +110714,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_delete_all_user_runtime_named_sockets" lineno="3841">
+<interface name="userdom_delete_all_user_runtime_named_sockets" lineno="3866">
 <summary>
 delete user runtime socket files
 </summary>
@@ -110057,7 +110724,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_delete_all_user_runtime_blk_files" lineno="3859">
+<interface name="userdom_delete_all_user_runtime_blk_files" lineno="3884">
 <summary>
 delete user runtime blk files
 </summary>
@@ -110067,7 +110734,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_delete_all_user_runtime_chr_files" lineno="3877">
+<interface name="userdom_delete_all_user_runtime_chr_files" lineno="3902">
 <summary>
 delete user runtime chr files
 </summary>
@@ -110077,7 +110744,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_runtime_filetrans_user_runtime_root" lineno="3907">
+<interface name="userdom_runtime_filetrans_user_runtime_root" lineno="3932">
 <summary>
 Create objects in the runtime directory
 with an automatic type transition to
@@ -110099,7 +110766,7 @@ The name of the object being created.
 </summary>
 </param>
 </interface>
-<interface name="userdom_user_runtime_filetrans" lineno="3943">
+<interface name="userdom_user_runtime_filetrans" lineno="3968">
 <summary>
 Create objects in a user runtime
 directory with an automatic type
@@ -110127,7 +110794,7 @@ The name of the object being created.
 </summary>
 </param>
 </interface>
-<interface name="userdom_user_runtime_filetrans_user_tmp" lineno="3974">
+<interface name="userdom_user_runtime_filetrans_user_tmp" lineno="3999">
 <summary>
 Create objects in the user runtime directory
 with an automatic type transition to
@@ -110149,7 +110816,7 @@ The name of the object being created.
 </summary>
 </param>
 </interface>
-<interface name="userdom_user_runtime_root_filetrans_user_runtime" lineno="4004">
+<interface name="userdom_user_runtime_root_filetrans_user_runtime" lineno="4029">
 <summary>
 Create objects in the user runtime root
 directory with an automatic type transition
@@ -110171,7 +110838,7 @@ The name of the object being created.
 </summary>
 </param>
 </interface>
-<interface name="userdom_user_run_filetrans_user_runtime" lineno="4035">
+<interface name="userdom_user_run_filetrans_user_runtime" lineno="4060">
 <summary>
 Create objects in the user runtime root
 directory with an automatic type transition
@@ -110193,7 +110860,7 @@ The name of the object being created.
 </summary>
 </param>
 </interface>
-<interface name="userdom_rw_user_tmpfs_files" lineno="4053">
+<interface name="userdom_rw_user_tmpfs_files" lineno="4078">
 <summary>
 Read and write user tmpfs files.
 </summary>
@@ -110203,7 +110870,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_delete_user_tmpfs_files" lineno="4074">
+<interface name="userdom_delete_user_tmpfs_files" lineno="4099">
 <summary>
 Delete user tmpfs files.
 </summary>
@@ -110213,7 +110880,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_manage_user_tmpfs_files" lineno="4093">
+<interface name="userdom_manage_user_tmpfs_files" lineno="4118">
 <summary>
 Create, read, write, and delete user tmpfs files.
 </summary>
@@ -110223,7 +110890,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_getattr_user_ttys" lineno="4113">
+<interface name="userdom_getattr_user_ttys" lineno="4138">
 <summary>
 Get the attributes of a user domain tty.
 </summary>
@@ -110233,7 +110900,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_dontaudit_getattr_user_ttys" lineno="4131">
+<interface name="userdom_dontaudit_getattr_user_ttys" lineno="4156">
 <summary>
 Do not audit attempts to get the attributes of a user domain tty.
 </summary>
@@ -110243,7 +110910,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="userdom_setattr_user_ttys" lineno="4149">
+<interface name="userdom_setattr_user_ttys" lineno="4174">
 <summary>
 Set the attributes of a user domain tty.
 </summary>
@@ -110253,7 +110920,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_dontaudit_setattr_user_ttys" lineno="4167">
+<interface name="userdom_dontaudit_setattr_user_ttys" lineno="4192">
 <summary>
 Do not audit attempts to set the attributes of a user domain tty.
 </summary>
@@ -110263,7 +110930,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="userdom_use_user_ttys" lineno="4185">
+<interface name="userdom_use_user_ttys" lineno="4210">
 <summary>
 Read and write a user domain tty.
 </summary>
@@ -110273,7 +110940,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_use_user_ptys" lineno="4203">
+<interface name="userdom_use_user_ptys" lineno="4228">
 <summary>
 Read and write a user domain pty.
 </summary>
@@ -110283,7 +110950,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_use_inherited_user_terminals" lineno="4238">
+<interface name="userdom_use_inherited_user_terminals" lineno="4263">
 <summary>
 Read and write a user TTYs and PTYs.
 </summary>
@@ -110309,7 +110976,7 @@ Domain allowed access.
 </param>
 <infoflow type="both" weight="10"/>
 </interface>
-<interface name="userdom_use_user_terminals" lineno="4279">
+<interface name="userdom_use_user_terminals" lineno="4304">
 <summary>
 Read, write and open a user TTYs and PTYs.
 </summary>
@@ -110341,7 +111008,7 @@ Domain allowed access.
 </param>
 <infoflow type="both" weight="10"/>
 </interface>
-<interface name="userdom_dontaudit_use_user_terminals" lineno="4295">
+<interface name="userdom_dontaudit_use_user_terminals" lineno="4320">
 <summary>
 Do not audit attempts to read and write
 a user domain tty and pty.
@@ -110352,7 +111019,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="userdom_lock_user_terminals" lineno="4314">
+<interface name="userdom_lock_user_terminals" lineno="4339">
 <summary>
 Lock user TTYs and PTYs.
 </summary>
@@ -110362,7 +111029,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="userdom_spec_domtrans_all_users" lineno="4335">
+<interface name="userdom_spec_domtrans_all_users" lineno="4360">
 <summary>
 Execute a shell in all user domains.  This
 is an explicit transition, requiring the
@@ -110374,7 +111041,7 @@ Domain allowed to transition.
 </summary>
 </param>
 </interface>
-<interface name="userdom_xsession_spec_domtrans_all_users" lineno="4358">
+<interface name="userdom_xsession_spec_domtrans_all_users" lineno="4383">
 <summary>
 Execute an Xserver session in all user domains.  This
 is an explicit transition, requiring the
@@ -110386,7 +111053,7 @@ Domain allowed to transition.
 </summary>
 </param>
 </interface>
-<interface name="userdom_spec_domtrans_unpriv_users" lineno="4381">
+<interface name="userdom_spec_domtrans_unpriv_users" lineno="4406">
 <summary>
 Execute a shell in all unprivileged user domains.  This
 is an explicit transition, requiring the
@@ -110398,7 +111065,7 @@ Domain allowed to transition.
 </summary>
 </param>
 </interface>
-<interface name="userdom_xsession_spec_domtrans_unpriv_users" lineno="4404">
+<interface name="userdom_xsession_spec_domtrans_unpriv_users" lineno="4429">
 <summary>
 Execute an Xserver session in all unprivileged user domains.  This
 is an explicit transition, requiring the
@@ -110410,7 +111077,7 @@ Domain allowed to transition.
 </summary>
 </param>
 </interface>
-<interface name="userdom_rw_unpriv_user_semaphores" lineno="4425">
+<interface name="userdom_rw_unpriv_user_semaphores" lineno="4450">
 <summary>
 Read and write unpriviledged user SysV sempaphores.
 </summary>
@@ -110420,7 +111087,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_manage_unpriv_user_semaphores" lineno="4443">
+<interface name="userdom_manage_unpriv_user_semaphores" lineno="4468">
 <summary>
 Manage unpriviledged user SysV sempaphores.
 </summary>
@@ -110430,7 +111097,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_rw_unpriv_user_shared_mem" lineno="4462">
+<interface name="userdom_rw_unpriv_user_shared_mem" lineno="4487">
 <summary>
 Read and write unpriviledged user SysV shared
 memory segments.
@@ -110441,7 +111108,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_manage_unpriv_user_shared_mem" lineno="4481">
+<interface name="userdom_manage_unpriv_user_shared_mem" lineno="4506">
 <summary>
 Manage unpriviledged user SysV shared
 memory segments.
@@ -110452,7 +111119,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_bin_spec_domtrans_unpriv_users" lineno="4501">
+<interface name="userdom_bin_spec_domtrans_unpriv_users" lineno="4526">
 <summary>
 Execute bin_t in the unprivileged user domains. This
 is an explicit transition, requiring the
@@ -110464,7 +111131,7 @@ Domain allowed to transition.
 </summary>
 </param>
 </interface>
-<interface name="userdom_entry_spec_domtrans_unpriv_users" lineno="4524">
+<interface name="userdom_entry_spec_domtrans_unpriv_users" lineno="4549">
 <summary>
 Execute all entrypoint files in unprivileged user
 domains. This is an explicit transition, requiring the
@@ -110476,7 +111143,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_search_user_home_content" lineno="4545">
+<interface name="userdom_search_user_home_content" lineno="4570">
 <summary>
 Search users home directories.
 </summary>
@@ -110486,7 +111153,17 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_signull_unpriv_users" lineno="4564">
+<interface name="userdom_watch_user_home_dirs" lineno="4589">
+<summary>
+watch users home directories.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="userdom_signull_unpriv_users" lineno="4607">
 <summary>
 Send signull to unprivileged user domains.
 </summary>
@@ -110496,7 +111173,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_signal_unpriv_users" lineno="4582">
+<interface name="userdom_signal_unpriv_users" lineno="4625">
 <summary>
 Send general signals to unprivileged user domains.
 </summary>
@@ -110506,7 +111183,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_use_unpriv_users_fds" lineno="4600">
+<interface name="userdom_use_unpriv_users_fds" lineno="4643">
 <summary>
 Inherit the file descriptors from unprivileged user domains.
 </summary>
@@ -110516,7 +111193,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_dontaudit_use_unpriv_user_fds" lineno="4628">
+<interface name="userdom_dontaudit_use_unpriv_user_fds" lineno="4671">
 <summary>
 Do not audit attempts to inherit the file descriptors
 from unprivileged user domains.
@@ -110536,7 +111213,7 @@ Domain to not audit.
 </param>
 <infoflow type="none"/>
 </interface>
-<interface name="userdom_dontaudit_use_user_ptys" lineno="4646">
+<interface name="userdom_dontaudit_use_user_ptys" lineno="4689">
 <summary>
 Do not audit attempts to use user ptys.
 </summary>
@@ -110546,7 +111223,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="userdom_relabelto_user_ptys" lineno="4664">
+<interface name="userdom_relabelto_user_ptys" lineno="4707">
 <summary>
 Relabel files to unprivileged user pty types.
 </summary>
@@ -110556,7 +111233,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_dontaudit_relabelfrom_user_ptys" lineno="4683">
+<interface name="userdom_dontaudit_relabelfrom_user_ptys" lineno="4726">
 <summary>
 Do not audit attempts to relabel files from
 user pty types.
@@ -110567,7 +111244,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="userdom_write_user_tmp_files" lineno="4701">
+<interface name="userdom_write_user_tmp_files" lineno="4744">
 <summary>
 Write all users files in /tmp
 </summary>
@@ -110577,7 +111254,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_dontaudit_write_user_tmp_files" lineno="4720">
+<interface name="userdom_dontaudit_write_user_tmp_files" lineno="4763">
 <summary>
 Do not audit attempts to write users
 temporary files.
@@ -110588,7 +111265,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="userdom_dontaudit_use_user_ttys" lineno="4738">
+<interface name="userdom_dontaudit_use_user_ttys" lineno="4781">
 <summary>
 Do not audit attempts to use user ttys.
 </summary>
@@ -110598,7 +111275,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="userdom_read_all_users_state" lineno="4756">
+<interface name="userdom_read_all_users_state" lineno="4799">
 <summary>
 Read the process state of all user domains.
 </summary>
@@ -110608,7 +111285,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_getattr_all_users" lineno="4776">
+<interface name="userdom_getattr_all_users" lineno="4819">
 <summary>
 Get the attributes of all user domains.
 </summary>
@@ -110618,7 +111295,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_use_all_users_fds" lineno="4794">
+<interface name="userdom_use_all_users_fds" lineno="4837">
 <summary>
 Inherit the file descriptors from all user domains
 </summary>
@@ -110628,7 +111305,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_dontaudit_use_all_users_fds" lineno="4813">
+<interface name="userdom_dontaudit_use_all_users_fds" lineno="4856">
 <summary>
 Do not audit attempts to inherit the file
 descriptors from any user domains.
@@ -110639,7 +111316,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="userdom_signal_all_users" lineno="4831">
+<interface name="userdom_signal_all_users" lineno="4874">
 <summary>
 Send general signals to all user domains.
 </summary>
@@ -110649,7 +111326,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_sigchld_all_users" lineno="4849">
+<interface name="userdom_sigchld_all_users" lineno="4892">
 <summary>
 Send a SIGCHLD signal to all user domains.
 </summary>
@@ -110659,7 +111336,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_read_all_users_keys" lineno="4867">
+<interface name="userdom_read_all_users_keys" lineno="4910">
 <summary>
 Read keys for all user domains.
 </summary>
@@ -110669,7 +111346,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_write_all_users_keys" lineno="4885">
+<interface name="userdom_write_all_users_keys" lineno="4928">
 <summary>
 Write keys for all user domains.
 </summary>
@@ -110679,7 +111356,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_rw_all_users_keys" lineno="4903">
+<interface name="userdom_rw_all_users_keys" lineno="4946">
 <summary>
 Read and write keys for all user domains.
 </summary>
@@ -110689,7 +111366,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_create_all_users_keys" lineno="4921">
+<interface name="userdom_create_all_users_keys" lineno="4964">
 <summary>
 Create keys for all user domains.
 </summary>
@@ -110699,7 +111376,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_manage_all_users_keys" lineno="4939">
+<interface name="userdom_manage_all_users_keys" lineno="4982">
 <summary>
 Manage keys for all user domains.
 </summary>
@@ -110709,7 +111386,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_dbus_send_all_users" lineno="4957">
+<interface name="userdom_dbus_send_all_users" lineno="5000">
 <summary>
 Send a dbus message to all user domains.
 </summary>
@@ -110719,7 +111396,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_manage_user_tmp_chr_files" lineno="4979">
+<interface name="userdom_manage_user_tmp_chr_files" lineno="5022">
 <summary>
 Create, read, write, and delete user
 temporary character files.
@@ -110730,7 +111407,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_relabel_user_certs" lineno="5000">
+<interface name="userdom_relabel_user_certs" lineno="5043">
 <summary>
 Allow relabeling resources to user_cert_t
 </summary>
@@ -110740,7 +111417,7 @@ Domain allowed access
 </summary>
 </param>
 </interface>
-<interface name="userdom_dontaudit_rw_all_users_stream_sockets" lineno="5023">
+<interface name="userdom_dontaudit_rw_all_users_stream_sockets" lineno="5066">
 <summary>
 Do not audit attempts to read and write
 unserdomain stream.
@@ -110765,6 +111442,13 @@ Allow users to connect to PostgreSQL
 </p>
 </desc>
 </tunable>
+<tunable name="user_all_users_send_syslog" dftval="true">
+<desc>
+<p>
+Allow all users to send syslog messages
+</p>
+</desc>
+</tunable>
 <tunable name="user_direct_mouse" dftval="false">
 <desc>
 <p>
diff --git a/policy/booleans.conf b/policy/booleans.conf
index 7ef0cb2d3..f244d9c51 100644
--- a/policy/booleans.conf
+++ b/policy/booleans.conf
@@ -551,6 +551,12 @@ openoffice_manage_all_user_content = false
 # 
 pulseaudio_execmem = false
 
+#
+# Determine whether pulseaudio
+# can use the network.
+# 
+pulseaudio_can_network = false
+
 #
 # Determine whether qemu has full
 # access to the network.
@@ -1260,11 +1266,24 @@ container_use_dri = false
 # 
 container_use_ecryptfs = false
 
+#
+# Allow containers to use all capabilities in a
+# non-namespaced context for various privileged operations
+# directly on the host.
+# 
+container_use_host_all_caps = false
+
 #
 # Allow containers to use huge pages.
 # 
 container_use_hugetlbfs = false
 
+#
+# Allow containers to use the mknod syscall, e.g. for
+# creating special device files.
+# 
+container_use_mknod = false
+
 #
 # Allow containers to use NFS filesystems.
 # 
@@ -1275,6 +1294,33 @@ container_use_nfs = false
 # 
 container_use_samba = false
 
+#
+# Allow containers to use the sysadmin capability, e.g.
+# for mounting filesystems.
+# 
+container_use_sysadmin = false
+
+#
+# Allow containers to use all capabilities in a
+# namespaced context for various privileged operations
+# within the container itself.
+# 
+container_use_userns_all_caps = false
+
+#
+# Allow containers to use the mknod syscall in a
+# namespaced context, e.g. for creating special device
+# files within the container itself.
+# 
+container_use_userns_mknod = false
+
+#
+# Allow containers to use the sysadmin capability in a
+# namespaced context, e.g. for mounting filesystems
+# within the container itself.
+# 
+container_use_userns_sysadmin = false
+
 #
 # Determine whether system cron jobs
 # can relabel filesystem for
@@ -1329,6 +1375,14 @@ allow_cvs_read_shadow = false
 # 
 allow_httpd_cvs_script_anon_write = false
 
+#
+# Determine whether the dbus server
+# can use the network (insecure
+# except than in the case of the
+# loopback interface).
+# 
+dbus_can_network = false
+
 #
 # Allow dbus-daemon system bus to access /dev/net/tun
 # which is needed to pass tun/tap device file descriptors
@@ -1913,7 +1967,8 @@ allow_httpd_smokeping_cgi_script_anon_write = false
 
 #
 # Determine whether spamassassin
-# clients can use the network.
+# daemon or clients can use the
+# network.
 # 
 spamassassin_can_network = false
 
@@ -1923,12 +1978,25 @@ spamassassin_can_network = false
 # 
 spamd_enable_home_dirs = false
 
+#
+# Determine whether spamassassin
+# can update the rules using the
+# network.
+# 
+spamassassin_network_update = true
+
 #
 # Determine whether extra rules should
 # be enabled to support rspamd.
 # 
 rspamd_spamd = false
 
+#
+# Determine whether execmem should be allowed
+# Needed if LUA JIT is enabled for rspamd
+# 
+spamd_execmem = false
+
 #
 # Determine whether squid can
 # connect to all TCP ports.
@@ -2057,6 +2125,23 @@ virt_use_vfio = false
 # 
 virt_use_evdev = false
 
+#
+# Allows the X server to use TCP/IP
+# networking functionality (insecure).
+# 
+xserver_can_network = false
+
+#
+# Allows the X display manager to use
+# TCP/IP networking functionality (insecure).
+# 
+xserver_xdm_can_network = false
+
+#
+# Allow xdm logins as sysadm
+# 
+xdm_sysadm_login = false
+
 #
 # Allows clients to write to the X server shared
 # memory segments.
@@ -2064,9 +2149,10 @@ virt_use_evdev = false
 allow_write_xshm = false
 
 #
-# Allow xdm logins as sysadm
+# Allows clients to write to the X server tmpfs
+# files.
 # 
-xdm_sysadm_login = false
+xserver_client_writes_xserver_tmpfs = false
 
 #
 # Use gnome-shell in gdm mode as the
@@ -2131,6 +2217,12 @@ init_mounton_non_security = false
 # 
 racoon_read_shadow = false
 
+#
+# Allows syslogd internet domain sockets
+# functionality (dangerous).
+# 
+logging_syslog_can_network = false
+
 #
 # Allow the mount command to mount any directory or file.
 # 
@@ -2195,6 +2287,11 @@ allow_user_mysql_connect = false
 # 
 allow_user_postgresql_connect = false
 
+#
+# Allow all users to send syslog messages
+# 
+user_all_users_send_syslog = true
+
 #
 # Allow regular users direct mouse access
 # 
diff --git a/policy/modules.conf b/policy/modules.conf
index 055d20fa1..8741c1eb5 100644
--- a/policy/modules.conf
+++ b/policy/modules.conf
@@ -1512,6 +1512,13 @@ dovecot = module
 # 
 drbd = module
 
+# Layer: services
+# Module: eg25manager
+#
+# Manager daemon for the Quectel EG25 modem
+# 
+eg25manager = module
+
 # Layer: services
 # Module: entropyd
 #
@@ -1694,6 +1701,13 @@ icecast = module
 # 
 ifplugd = module
 
+# Layer: services
+# Module: iiosensorproxy
+#
+# IIO sensors to D-Bus proxy
+# 
+iiosensorproxy = module
+
 # Layer: services
 # Module: inetd
 #
@@ -1820,6 +1834,13 @@ lircd = module
 # 
 lldpad = module
 
+# Layer: services
+# Module: lowmemorymonitor
+#
+# low memory monitor daemon
+# 
+lowmemorymonitor = module
+
 # Layer: services
 # Module: lpd
 #
@@ -2240,6 +2261,13 @@ postgresql = module
 # 
 postgrey = module
 
+# Layer: services
+# Module: powerprofiles
+#
+# power profiles daemon
+# 
+powerprofiles = module
+
 # Layer: services
 # Module: ppp
 #
@@ -2345,6 +2373,13 @@ radius = module
 # 
 radvd = module
 
+# Layer: services
+# Module: rasdaemon
+#
+# RAS (Reliability, Availability and Serviceability) logging tool
+# 
+rasdaemon = module
+
 # Layer: services
 # Module: razor
 #
@@ -2611,6 +2646,13 @@ stunnel = module
 # 
 svnserve = module
 
+# Layer: services
+# Module: switcheroo
+#
+# switcheroo daemon
+# 
+switcheroo = module
+
 # Layer: services
 # Module: sympa
 #
@@ -2667,6 +2709,13 @@ tftp = module
 # 
 tgtd = module
 
+# Layer: services
+# Module: thunderbolt
+#
+# thunderbolt daemon
+# 
+thunderbolt = module
+
 # Layer: services
 # Module: timidity
 #