diff --git a/doc/policy.xml b/doc/policy.xml
index 3966b1186..ecaf35ed9 100644
--- a/doc/policy.xml
+++ b/doc/policy.xml
@@ -1053,6 +1053,13 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
+<tunable name="cloudinit_growpart" dftval="false">
+<desc>
+<p>
+Enable support for the cloud-init-growpart module.
+</p>
+</desc>
+</tunable>
 <tunable name="cloudinit_manage_non_security" dftval="false">
 <desc>
 <p>
@@ -3818,7 +3825,7 @@ The role associated with the user domain.
 </summary>
 </param>
 </template>
-<template name="su_role_template" lineno="154">
+<template name="su_role_template" lineno="155">
 <summary>
 The role template for the su module.
 </summary>
@@ -3844,7 +3851,7 @@ Role allowed access
 </summary>
 </param>
 </template>
-<interface name="su_exec" lineno="314">
+<interface name="su_exec" lineno="316">
 <summary>
 Execute su in the caller domain.
 </summary>
@@ -3854,6 +3861,16 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
+<interface name="su_signal_all" lineno="335">
+<summary>
+Send signals to all su domains.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
 <tunable name="su_allow_user_exec_domains" dftval="false">
 <desc>
 <p>
@@ -3900,7 +3917,7 @@ Role allowed access
 </summary>
 </param>
 </template>
-<interface name="sudo_sigchld" lineno="233">
+<interface name="sudo_sigchld" lineno="244">
 <summary>
 Send a SIGCHLD signal to the sudo domain.
 </summary>
@@ -3910,7 +3927,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="sudo_exec" lineno="251">
+<interface name="sudo_exec" lineno="262">
 <summary>
 Execute sudo in the caller domain.
 </summary>
@@ -8452,7 +8469,17 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="vmware_read_system_config" lineno="84">
+<interface name="vmware_exec_guest" lineno="84">
+<summary>
+Execute vmware guest executables
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="vmware_read_system_config" lineno="103">
 <summary>
 Read vmware system configuration files.
 </summary>
@@ -8462,7 +8489,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="vmware_append_system_config" lineno="103">
+<interface name="vmware_append_system_config" lineno="122">
 <summary>
 Append vmware system configuration files.
 </summary>
@@ -8472,7 +8499,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="vmware_append_log" lineno="122">
+<interface name="vmware_append_log" lineno="141">
 <summary>
 Append vmware log files.
 </summary>
@@ -9881,7 +9908,7 @@ Role allowed access.
 <desc>
 <p>
 Allow rtorrent to use dht.
-The correspondig port must be rtorrent_udp_port_t.
+The corresponding port must be rtorrent_udp_port_t.
 </p>
 </desc>
 </tunable>
@@ -9928,14 +9955,14 @@ Role allowed access
 <tunable name="salt_master_read_nfs" dftval="false">
 <desc>
 <p>
-Determine wether the salt master can read NFS files
+Determine whether the salt master can read NFS files
 </p>
 </desc>
 </tunable>
 <tunable name="salt_minion_manage_nfs" dftval="false">
 <desc>
 <p>
-Determine wether the salt minion can manage NFS files
+Determine whether the salt minion can manage NFS files
 </p>
 </desc>
 </tunable>
@@ -11673,7 +11700,7 @@ Domain allowed access.
 </interface>
 <interface name="corenet_dontaudit_tcp_bind_all_ports" lineno="1627">
 <summary>
-Do not audit attepts to bind TCP sockets to any ports.
+Do not audit attempts to bind TCP sockets to any ports.
 </summary>
 <param name="domain">
 <summary>
@@ -11703,7 +11730,7 @@ Domain allowed access.
 </interface>
 <interface name="corenet_dontaudit_udp_bind_all_ports" lineno="1682">
 <summary>
-Do not audit attepts to bind UDP sockets to any ports.
+Do not audit attempts to bind UDP sockets to any ports.
 </summary>
 <param name="domain">
 <summary>
@@ -12187,7 +12214,7 @@ Domain allowed access.
 </interface>
 <interface name="corenet_tcp_recvfrom_unlabeled" lineno="2508">
 <summary>
-Receive TCP packets from an unlabled connection.
+Receive TCP packets from an unlabeled connection.
 </summary>
 <param name="domain">
 <summary>
@@ -12683,7 +12710,7 @@ Domain allowed access.
 </interface>
 <interface name="corenet_sctp_recvfrom_unlabeled" lineno="3359">
 <summary>
-Receive SCTP packets from an unlabled connection.
+Receive SCTP packets from an unlabeled connection.
 </summary>
 <param name="domain">
 <summary>
@@ -56091,7 +56118,17 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_remount_fs" lineno="121">
+<interface name="dev_unmount_fs" lineno="121">
+<summary>
+Unmount device filesystems.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_remount_fs" lineno="139">
 <summary>
 Remount device filesystems.
 </summary>
@@ -56101,7 +56138,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_watch_dev_dirs" lineno="139">
+<interface name="dev_watch_dev_dirs" lineno="157">
 <summary>
 Watch the directories in /dev.
 </summary>
@@ -56111,7 +56148,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_mounton" lineno="157">
+<interface name="dev_mounton" lineno="175">
 <summary>
 Mount a filesystem on /dev
 </summary>
@@ -56121,7 +56158,7 @@ Domain allow access.
 </summary>
 </param>
 </interface>
-<interface name="dev_relabel_all_dev_nodes" lineno="176">
+<interface name="dev_relabel_all_dev_nodes" lineno="194">
 <summary>
 Allow full relabeling (to and from) of all device nodes.
 </summary>
@@ -56132,7 +56169,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="dev_relabel_all_dev_files" lineno="202">
+<interface name="dev_relabel_all_dev_files" lineno="220">
 <summary>
 Allow full relabeling (to and from) of all device files.
 </summary>
@@ -56143,7 +56180,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="dev_list_all_dev_nodes" lineno="220">
+<interface name="dev_list_all_dev_nodes" lineno="238">
 <summary>
 List all of the device nodes in a device directory.
 </summary>
@@ -56153,7 +56190,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_setattr_generic_dirs" lineno="239">
+<interface name="dev_setattr_generic_dirs" lineno="257">
 <summary>
 Set the attributes of /dev directories.
 </summary>
@@ -56163,7 +56200,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_dontaudit_list_all_dev_nodes" lineno="257">
+<interface name="dev_dontaudit_list_all_dev_nodes" lineno="275">
 <summary>
 Dontaudit attempts to list all device nodes.
 </summary>
@@ -56173,7 +56210,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="dev_dontaudit_execute_dev_nodes" lineno="275">
+<interface name="dev_dontaudit_execute_dev_nodes" lineno="293">
 <summary>
 Dontaudit attempts to execute device nodes.
 </summary>
@@ -56183,7 +56220,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="dev_add_entry_generic_dirs" lineno="293">
+<interface name="dev_add_entry_generic_dirs" lineno="311">
 <summary>
 Add entries to directories in /dev.
 </summary>
@@ -56193,7 +56230,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_remove_entry_generic_dirs" lineno="311">
+<interface name="dev_remove_entry_generic_dirs" lineno="329">
 <summary>
 Remove entries from directories in /dev.
 </summary>
@@ -56203,7 +56240,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_create_generic_dirs" lineno="329">
+<interface name="dev_create_generic_dirs" lineno="347">
 <summary>
 Create a directory in the device directory.
 </summary>
@@ -56213,7 +56250,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_delete_generic_dirs" lineno="348">
+<interface name="dev_delete_generic_dirs" lineno="366">
 <summary>
 Delete a directory in the device directory.
 </summary>
@@ -56223,7 +56260,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_manage_generic_dirs" lineno="366">
+<interface name="dev_manage_generic_dirs" lineno="384">
 <summary>
 Manage of directories in /dev.
 </summary>
@@ -56233,7 +56270,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_relabel_generic_dev_dirs" lineno="384">
+<interface name="dev_relabel_generic_dev_dirs" lineno="402">
 <summary>
 Allow full relabeling (to and from) of directories in /dev.
 </summary>
@@ -56243,7 +56280,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_dontaudit_getattr_generic_files" lineno="402">
+<interface name="dev_dontaudit_getattr_generic_files" lineno="420">
 <summary>
 dontaudit getattr generic files in /dev.
 </summary>
@@ -56253,7 +56290,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="dev_read_generic_files" lineno="420">
+<interface name="dev_read_generic_files" lineno="438">
 <summary>
 Read generic files in /dev.
 </summary>
@@ -56263,7 +56300,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="dev_rw_generic_files" lineno="438">
+<interface name="dev_rw_generic_files" lineno="456">
 <summary>
 Read and write generic files in /dev.
 </summary>
@@ -56273,7 +56310,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_delete_generic_files" lineno="456">
+<interface name="dev_delete_generic_files" lineno="474">
 <summary>
 Delete generic files in /dev.
 </summary>
@@ -56283,7 +56320,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_manage_generic_files" lineno="474">
+<interface name="dev_manage_generic_files" lineno="492">
 <summary>
 Create a file in the device directory.
 </summary>
@@ -56293,7 +56330,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_dontaudit_getattr_generic_pipes" lineno="492">
+<interface name="dev_dontaudit_getattr_generic_pipes" lineno="510">
 <summary>
 Dontaudit getattr on generic pipes.
 </summary>
@@ -56303,7 +56340,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="dev_write_generic_sockets" lineno="510">
+<interface name="dev_write_generic_sockets" lineno="528">
 <summary>
 Write generic socket files in /dev.
 </summary>
@@ -56313,7 +56350,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="dev_getattr_generic_blk_files" lineno="528">
+<interface name="dev_getattr_generic_blk_files" lineno="546">
 <summary>
 Allow getattr on generic block devices.
 </summary>
@@ -56323,7 +56360,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_dontaudit_getattr_generic_blk_files" lineno="546">
+<interface name="dev_dontaudit_getattr_generic_blk_files" lineno="564">
 <summary>
 Dontaudit getattr on generic block devices.
 </summary>
@@ -56333,7 +56370,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="dev_setattr_generic_blk_files" lineno="565">
+<interface name="dev_setattr_generic_blk_files" lineno="583">
 <summary>
 Set the attributes on generic
 block devices.
@@ -56344,7 +56381,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_dontaudit_setattr_generic_blk_files" lineno="583">
+<interface name="dev_dontaudit_setattr_generic_blk_files" lineno="601">
 <summary>
 Dontaudit setattr on generic block devices.
 </summary>
@@ -56354,7 +56391,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="dev_create_generic_blk_files" lineno="601">
+<interface name="dev_create_generic_blk_files" lineno="619">
 <summary>
 Create generic block device files.
 </summary>
@@ -56364,7 +56401,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_delete_generic_blk_files" lineno="619">
+<interface name="dev_delete_generic_blk_files" lineno="637">
 <summary>
 Delete generic block device files.
 </summary>
@@ -56374,7 +56411,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_dontaudit_relabelto_generic_blk_files" lineno="638">
+<interface name="dev_dontaudit_relabelto_generic_blk_files" lineno="656">
 <summary>
 Dontaudit relabelto the generic device
 type on block files.
@@ -56385,7 +56422,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="dev_getattr_generic_chr_files" lineno="656">
+<interface name="dev_getattr_generic_chr_files" lineno="674">
 <summary>
 Allow getattr for generic character device files.
 </summary>
@@ -56395,7 +56432,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_dontaudit_getattr_generic_chr_files" lineno="674">
+<interface name="dev_dontaudit_getattr_generic_chr_files" lineno="692">
 <summary>
 Dontaudit getattr for generic character device files.
 </summary>
@@ -56405,7 +56442,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="dev_setattr_generic_chr_files" lineno="693">
+<interface name="dev_setattr_generic_chr_files" lineno="711">
 <summary>
 Set the attributes for generic
 character device files.
@@ -56416,7 +56453,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_dontaudit_setattr_generic_chr_files" lineno="711">
+<interface name="dev_dontaudit_setattr_generic_chr_files" lineno="729">
 <summary>
 Dontaudit setattr for generic character device files.
 </summary>
@@ -56426,7 +56463,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="dev_read_generic_chr_files" lineno="729">
+<interface name="dev_read_generic_chr_files" lineno="747">
 <summary>
 Read generic character device files.
 </summary>
@@ -56436,7 +56473,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_rw_generic_chr_files" lineno="747">
+<interface name="dev_rw_generic_chr_files" lineno="765">
 <summary>
 Read and write generic character device files.
 </summary>
@@ -56446,7 +56483,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_rw_generic_blk_files" lineno="765">
+<interface name="dev_rw_generic_blk_files" lineno="783">
 <summary>
 Read and write generic block device files.
 </summary>
@@ -56456,7 +56493,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_dontaudit_rw_generic_chr_files" lineno="783">
+<interface name="dev_dontaudit_rw_generic_chr_files" lineno="801">
 <summary>
 Dontaudit attempts to read/write generic character device files.
 </summary>
@@ -56466,7 +56503,7 @@ Domain to dontaudit access.
 </summary>
 </param>
 </interface>
-<interface name="dev_create_generic_chr_files" lineno="801">
+<interface name="dev_create_generic_chr_files" lineno="819">
 <summary>
 Create generic character device files.
 </summary>
@@ -56476,7 +56513,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_delete_generic_chr_files" lineno="819">
+<interface name="dev_delete_generic_chr_files" lineno="837">
 <summary>
 Delete generic character device files.
 </summary>
@@ -56486,7 +56523,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_relabelfrom_generic_chr_files" lineno="837">
+<interface name="dev_relabelfrom_generic_chr_files" lineno="855">
 <summary>
 Relabel from generic character device files.
 </summary>
@@ -56496,7 +56533,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_dontaudit_setattr_generic_symlinks" lineno="856">
+<interface name="dev_dontaudit_setattr_generic_symlinks" lineno="874">
 <summary>
 Do not audit attempts to set the attributes
 of symbolic links in device directories (/dev).
@@ -56507,7 +56544,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="dev_read_generic_symlinks" lineno="874">
+<interface name="dev_read_generic_symlinks" lineno="892">
 <summary>
 Read symbolic links in device directories.
 </summary>
@@ -56517,7 +56554,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_create_generic_symlinks" lineno="892">
+<interface name="dev_create_generic_symlinks" lineno="910">
 <summary>
 Create symbolic links in device directories.
 </summary>
@@ -56527,7 +56564,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_delete_generic_symlinks" lineno="910">
+<interface name="dev_delete_generic_symlinks" lineno="928">
 <summary>
 Delete symbolic links in device directories.
 </summary>
@@ -56537,7 +56574,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_manage_generic_symlinks" lineno="928">
+<interface name="dev_manage_generic_symlinks" lineno="946">
 <summary>
 Create, delete, read, and write symbolic links in device directories.
 </summary>
@@ -56547,7 +56584,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_relabel_generic_symlinks" lineno="946">
+<interface name="dev_relabel_generic_symlinks" lineno="964">
 <summary>
 Relabel symbolic links in device directories.
 </summary>
@@ -56557,7 +56594,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_write_generic_sock_files" lineno="964">
+<interface name="dev_write_generic_sock_files" lineno="982">
 <summary>
 Write generic sock files in /dev.
 </summary>
@@ -56567,7 +56604,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_manage_all_dev_nodes" lineno="982">
+<interface name="dev_manage_all_dev_nodes" lineno="1000">
 <summary>
 Create, delete, read, and write device nodes in device directories.
 </summary>
@@ -56577,7 +56614,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_dontaudit_rw_generic_dev_nodes" lineno="1023">
+<interface name="dev_dontaudit_rw_generic_dev_nodes" lineno="1041">
 <summary>
 Dontaudit getattr for generic device files.
 </summary>
@@ -56587,7 +56624,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="dev_manage_generic_blk_files" lineno="1041">
+<interface name="dev_manage_generic_blk_files" lineno="1059">
 <summary>
 Create, delete, read, and write block device files.
 </summary>
@@ -56597,7 +56634,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_manage_generic_chr_files" lineno="1059">
+<interface name="dev_manage_generic_chr_files" lineno="1077">
 <summary>
 Create, delete, read, and write character device files.
 </summary>
@@ -56607,7 +56644,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_filetrans" lineno="1094">
+<interface name="dev_filetrans" lineno="1112">
 <summary>
 Create, read, and write device nodes. The node
 will be transitioned to the type provided.
@@ -56634,7 +56671,7 @@ The name of the object being created.
 </summary>
 </param>
 </interface>
-<interface name="dev_tmpfs_filetrans_dev" lineno="1129">
+<interface name="dev_tmpfs_filetrans_dev" lineno="1147">
 <summary>
 Create, read, and write device nodes. The node
 will be transitioned to the type provided.  This is
@@ -56658,7 +56695,7 @@ The name of the object being created.
 </summary>
 </param>
 </interface>
-<interface name="dev_getattr_all_blk_files" lineno="1148">
+<interface name="dev_getattr_all_blk_files" lineno="1166">
 <summary>
 Getattr on all block file device nodes.
 </summary>
@@ -56669,7 +56706,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="dev_dontaudit_getattr_all_blk_files" lineno="1167">
+<interface name="dev_dontaudit_getattr_all_blk_files" lineno="1185">
 <summary>
 Dontaudit getattr on all block file device nodes.
 </summary>
@@ -56679,7 +56716,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="dev_getattr_all_chr_files" lineno="1187">
+<interface name="dev_getattr_all_chr_files" lineno="1205">
 <summary>
 Getattr on all character file device nodes.
 </summary>
@@ -56690,7 +56727,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="dev_dontaudit_getattr_all_chr_files" lineno="1206">
+<interface name="dev_dontaudit_getattr_all_chr_files" lineno="1224">
 <summary>
 Dontaudit getattr on all character file device nodes.
 </summary>
@@ -56700,7 +56737,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="dev_setattr_all_blk_files" lineno="1226">
+<interface name="dev_setattr_all_blk_files" lineno="1244">
 <summary>
 Setattr on all block file device nodes.
 </summary>
@@ -56711,7 +56748,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="dev_setattr_all_chr_files" lineno="1246">
+<interface name="dev_setattr_all_chr_files" lineno="1264">
 <summary>
 Setattr on all character file device nodes.
 </summary>
@@ -56722,7 +56759,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="dev_dontaudit_read_all_blk_files" lineno="1265">
+<interface name="dev_dontaudit_read_all_blk_files" lineno="1283">
 <summary>
 Dontaudit read on all block file device nodes.
 </summary>
@@ -56732,7 +56769,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="dev_dontaudit_write_all_blk_files" lineno="1283">
+<interface name="dev_dontaudit_write_all_blk_files" lineno="1301">
 <summary>
 Dontaudit write on all block file device nodes.
 </summary>
@@ -56742,7 +56779,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="dev_dontaudit_read_all_chr_files" lineno="1301">
+<interface name="dev_dontaudit_read_all_chr_files" lineno="1319">
 <summary>
 Dontaudit read on all character file device nodes.
 </summary>
@@ -56752,7 +56789,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="dev_dontaudit_write_all_chr_files" lineno="1319">
+<interface name="dev_dontaudit_write_all_chr_files" lineno="1337">
 <summary>
 Dontaudit write on all character file device nodes.
 </summary>
@@ -56762,7 +56799,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="dev_create_all_blk_files" lineno="1337">
+<interface name="dev_create_all_blk_files" lineno="1355">
 <summary>
 Create all block device files.
 </summary>
@@ -56772,7 +56809,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_create_all_chr_files" lineno="1356">
+<interface name="dev_create_all_chr_files" lineno="1374">
 <summary>
 Create all character device files.
 </summary>
@@ -56782,7 +56819,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_delete_all_blk_files" lineno="1375">
+<interface name="dev_delete_all_blk_files" lineno="1393">
 <summary>
 Delete all block device files.
 </summary>
@@ -56792,7 +56829,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_delete_all_chr_files" lineno="1394">
+<interface name="dev_delete_all_chr_files" lineno="1412">
 <summary>
 Delete all character device files.
 </summary>
@@ -56802,7 +56839,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_rename_all_blk_files" lineno="1413">
+<interface name="dev_rename_all_blk_files" lineno="1431">
 <summary>
 Rename all block device files.
 </summary>
@@ -56812,7 +56849,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_rename_all_chr_files" lineno="1432">
+<interface name="dev_rename_all_chr_files" lineno="1450">
 <summary>
 Rename all character device files.
 </summary>
@@ -56822,7 +56859,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_manage_all_blk_files" lineno="1451">
+<interface name="dev_manage_all_blk_files" lineno="1469">
 <summary>
 Read, write, create, and delete all block device files.
 </summary>
@@ -56832,7 +56869,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_manage_all_chr_files" lineno="1476">
+<interface name="dev_manage_all_chr_files" lineno="1494">
 <summary>
 Read, write, create, and delete all character device files.
 </summary>
@@ -56842,7 +56879,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_getattr_acpi_bios_dev" lineno="1497">
+<interface name="dev_getattr_acpi_bios_dev" lineno="1515">
 <summary>
 Get the attributes of the apm bios device node.
 </summary>
@@ -56852,7 +56889,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_dontaudit_getattr_acpi_bios_dev" lineno="1516">
+<interface name="dev_dontaudit_getattr_acpi_bios_dev" lineno="1534">
 <summary>
 Do not audit attempts to get the attributes of
 the apm bios device node.
@@ -56863,7 +56900,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="dev_setattr_acpi_bios_dev" lineno="1534">
+<interface name="dev_setattr_acpi_bios_dev" lineno="1552">
 <summary>
 Set the attributes of the apm bios device node.
 </summary>
@@ -56873,7 +56910,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_dontaudit_setattr_acpi_bios_dev" lineno="1553">
+<interface name="dev_dontaudit_setattr_acpi_bios_dev" lineno="1571">
 <summary>
 Do not audit attempts to set the attributes of
 the apm bios device node.
@@ -56884,7 +56921,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="dev_rw_acpi_bios" lineno="1571">
+<interface name="dev_rw_acpi_bios" lineno="1589">
 <summary>
 Read and write the apm bios.
 </summary>
@@ -56894,7 +56931,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_getattr_agp_dev" lineno="1589">
+<interface name="dev_getattr_agp_dev" lineno="1607">
 <summary>
 Getattr the agp devices.
 </summary>
@@ -56904,7 +56941,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_rw_agp" lineno="1607">
+<interface name="dev_rw_agp" lineno="1625">
 <summary>
 Read and write the agp devices.
 </summary>
@@ -56914,7 +56951,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_getattr_autofs_dev" lineno="1626">
+<interface name="dev_getattr_autofs_dev" lineno="1644">
 <summary>
 Get the attributes of the autofs device node.
 </summary>
@@ -56924,7 +56961,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_dontaudit_getattr_autofs_dev" lineno="1645">
+<interface name="dev_dontaudit_getattr_autofs_dev" lineno="1663">
 <summary>
 Do not audit attempts to get the attributes of
 the autofs device node.
@@ -56935,7 +56972,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="dev_setattr_autofs_dev" lineno="1663">
+<interface name="dev_setattr_autofs_dev" lineno="1681">
 <summary>
 Set the attributes of the autofs device node.
 </summary>
@@ -56945,7 +56982,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_dontaudit_setattr_autofs_dev" lineno="1682">
+<interface name="dev_dontaudit_setattr_autofs_dev" lineno="1700">
 <summary>
 Do not audit attempts to set the attributes of
 the autofs device node.
@@ -56956,7 +56993,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="dev_rw_autofs" lineno="1700">
+<interface name="dev_rw_autofs" lineno="1718">
 <summary>
 Read and write the autofs device.
 </summary>
@@ -56966,7 +57003,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_relabel_autofs_dev" lineno="1718">
+<interface name="dev_relabel_autofs_dev" lineno="1736">
 <summary>
 Relabel the autofs device node.
 </summary>
@@ -56976,7 +57013,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_rw_cachefiles" lineno="1737">
+<interface name="dev_rw_cachefiles" lineno="1755">
 <summary>
 Read and write cachefiles character
 device nodes.
@@ -56987,7 +57024,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_rw_cardmgr" lineno="1755">
+<interface name="dev_rw_cardmgr" lineno="1773">
 <summary>
 Read and write the PCMCIA card manager device.
 </summary>
@@ -56997,7 +57034,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_dontaudit_rw_cardmgr" lineno="1774">
+<interface name="dev_dontaudit_rw_cardmgr" lineno="1792">
 <summary>
 Do not audit attempts to read and
 write the PCMCIA card manager device.
@@ -57008,7 +57045,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="dev_create_cardmgr_dev" lineno="1794">
+<interface name="dev_create_cardmgr_dev" lineno="1812">
 <summary>
 Create, read, write, and delete
 the PCMCIA card manager device
@@ -57020,7 +57057,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_manage_cardmgr_dev" lineno="1814">
+<interface name="dev_manage_cardmgr_dev" lineno="1832">
 <summary>
 Create, read, write, and delete
 the PCMCIA card manager device.
@@ -57031,7 +57068,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_filetrans_cardmgr" lineno="1840">
+<interface name="dev_filetrans_cardmgr" lineno="1858">
 <summary>
 Automatic type transition to the type
 for PCMCIA card manager device nodes when
@@ -57048,7 +57085,7 @@ The name of the object being created.
 </summary>
 </param>
 </interface>
-<interface name="dev_getattr_cpu_dev" lineno="1859">
+<interface name="dev_getattr_cpu_dev" lineno="1877">
 <summary>
 Get the attributes of the CPU
 microcode and id interfaces.
@@ -57059,7 +57096,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_setattr_cpu_dev" lineno="1878">
+<interface name="dev_setattr_cpu_dev" lineno="1896">
 <summary>
 Set the attributes of the CPU
 microcode and id interfaces.
@@ -57070,7 +57107,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_read_cpuid" lineno="1896">
+<interface name="dev_read_cpuid" lineno="1914">
 <summary>
 Read the CPU identity.
 </summary>
@@ -57080,7 +57117,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_rw_cpu_microcode" lineno="1915">
+<interface name="dev_rw_cpu_microcode" lineno="1933">
 <summary>
 Read and write the the CPU microcode device. This
 is required to load CPU microcode.
@@ -57091,7 +57128,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_read_crash" lineno="1933">
+<interface name="dev_read_crash" lineno="1951">
 <summary>
 Read the kernel crash device
 </summary>
@@ -57101,7 +57138,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_rw_crypto" lineno="1951">
+<interface name="dev_rw_crypto" lineno="1969">
 <summary>
 Read and write the the hardware SSL accelerator.
 </summary>
@@ -57111,7 +57148,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_setattr_dlm_control" lineno="1969">
+<interface name="dev_setattr_dlm_control" lineno="1987">
 <summary>
 Set the attributes of the dlm control devices.
 </summary>
@@ -57121,7 +57158,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_rw_dlm_control" lineno="1987">
+<interface name="dev_rw_dlm_control" lineno="2005">
 <summary>
 Read and write the the dlm control device
 </summary>
@@ -57131,7 +57168,17 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_getattr_dri_dev" lineno="2005">
+<interface name="dev_rw_dma_dev" lineno="2023">
+<summary>
+Read and write the the dma device
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_getattr_dri_dev" lineno="2041">
 <summary>
 getattr the dri devices.
 </summary>
@@ -57141,7 +57188,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_setattr_dri_dev" lineno="2023">
+<interface name="dev_setattr_dri_dev" lineno="2059">
 <summary>
 Setattr the dri devices.
 </summary>
@@ -57151,7 +57198,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_ioctl_dri_dev" lineno="2041">
+<interface name="dev_ioctl_dri_dev" lineno="2077">
 <summary>
 IOCTL the dri devices.
 </summary>
@@ -57161,7 +57208,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_rw_dri" lineno="2059">
+<interface name="dev_rw_dri" lineno="2095">
 <summary>
 Read and write the dri devices.
 </summary>
@@ -57171,7 +57218,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_dontaudit_rw_dri" lineno="2078">
+<interface name="dev_dontaudit_rw_dri" lineno="2114">
 <summary>
 Dontaudit read and write on the dri devices.
 </summary>
@@ -57181,7 +57228,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="dev_manage_dri_dev" lineno="2096">
+<interface name="dev_manage_dri_dev" lineno="2132">
 <summary>
 Create, read, write, and delete the dri devices.
 </summary>
@@ -57191,7 +57238,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_mounton_dri_dev" lineno="2115">
+<interface name="dev_mounton_dri_dev" lineno="2151">
 <summary>
 Mount on the dri devices.
 </summary>
@@ -57201,7 +57248,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_filetrans_dri" lineno="2139">
+<interface name="dev_filetrans_dri" lineno="2175">
 <summary>
 Automatic type transition to the type
 for DRI device nodes when created in /dev.
@@ -57217,7 +57264,7 @@ The name of the object being created.
 </summary>
 </param>
 </interface>
-<interface name="dev_filetrans_input_dev" lineno="2163">
+<interface name="dev_filetrans_input_dev" lineno="2199">
 <summary>
 Automatic type transition to the type
 for event device nodes when created in /dev.
@@ -57233,7 +57280,7 @@ The name of the object being created.
 </summary>
 </param>
 </interface>
-<interface name="dev_getattr_input_dev" lineno="2181">
+<interface name="dev_getattr_input_dev" lineno="2217">
 <summary>
 Get the attributes of the event devices.
 </summary>
@@ -57243,7 +57290,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_setattr_input_dev" lineno="2200">
+<interface name="dev_setattr_input_dev" lineno="2236">
 <summary>
 Set the attributes of the event devices.
 </summary>
@@ -57253,7 +57300,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_read_input" lineno="2219">
+<interface name="dev_read_input" lineno="2255">
 <summary>
 Read input event devices (/dev/input).
 </summary>
@@ -57263,7 +57310,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_rw_input_dev" lineno="2237">
+<interface name="dev_rw_input_dev" lineno="2273">
 <summary>
 Read and write input event devices (/dev/input).
 </summary>
@@ -57273,7 +57320,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_manage_input_dev" lineno="2255">
+<interface name="dev_manage_input_dev" lineno="2291">
 <summary>
 Create, read, write, and delete input event devices (/dev/input).
 </summary>
@@ -57283,7 +57330,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_ioctl_input_dev" lineno="2273">
+<interface name="dev_ioctl_input_dev" lineno="2309">
 <summary>
 IOCTL the input event devices (/dev/input).
 </summary>
@@ -57293,7 +57340,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_rw_ipmi_dev" lineno="2291">
+<interface name="dev_rw_ipmi_dev" lineno="2327">
 <summary>
 Read and write ipmi devices (/dev/ipmi*).
 </summary>
@@ -57303,7 +57350,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_getattr_framebuffer_dev" lineno="2309">
+<interface name="dev_getattr_framebuffer_dev" lineno="2345">
 <summary>
 Get the attributes of the framebuffer device node.
 </summary>
@@ -57313,7 +57360,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_setattr_framebuffer_dev" lineno="2327">
+<interface name="dev_setattr_framebuffer_dev" lineno="2363">
 <summary>
 Set the attributes of the framebuffer device node.
 </summary>
@@ -57323,7 +57370,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_dontaudit_setattr_framebuffer_dev" lineno="2346">
+<interface name="dev_dontaudit_setattr_framebuffer_dev" lineno="2382">
 <summary>
 Dot not audit attempts to set the attributes
 of the framebuffer device node.
@@ -57334,7 +57381,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="dev_read_framebuffer" lineno="2364">
+<interface name="dev_read_framebuffer" lineno="2400">
 <summary>
 Read the framebuffer.
 </summary>
@@ -57344,7 +57391,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_dontaudit_read_framebuffer" lineno="2382">
+<interface name="dev_dontaudit_read_framebuffer" lineno="2418">
 <summary>
 Do not audit attempts to read the framebuffer.
 </summary>
@@ -57354,7 +57401,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="dev_write_framebuffer" lineno="2400">
+<interface name="dev_write_framebuffer" lineno="2436">
 <summary>
 Write the framebuffer.
 </summary>
@@ -57364,7 +57411,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_rw_framebuffer" lineno="2418">
+<interface name="dev_rw_framebuffer" lineno="2454">
 <summary>
 Read and write the framebuffer.
 </summary>
@@ -57374,7 +57421,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_rw_hyperv_kvp" lineno="2436">
+<interface name="dev_rw_hyperv_kvp" lineno="2472">
 <summary>
 Allow read/write the hypervkvp device
 </summary>
@@ -57384,7 +57431,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_rw_hyperv_vss" lineno="2454">
+<interface name="dev_rw_hyperv_vss" lineno="2490">
 <summary>
 Allow read/write the hypervvssd device
 </summary>
@@ -57394,7 +57441,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_read_iio" lineno="2472">
+<interface name="dev_read_iio" lineno="2508">
 <summary>
 Allow read/write access to InfiniBand devices.
 </summary>
@@ -57404,7 +57451,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_rw_infiniband" lineno="2490">
+<interface name="dev_rw_infiniband" lineno="2526">
 <summary>
 Allow read/write access to InfiniBand devices.
 </summary>
@@ -57414,7 +57461,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_read_kmsg" lineno="2508">
+<interface name="dev_read_kmsg" lineno="2544">
 <summary>
 Read the kernel messages
 </summary>
@@ -57424,7 +57471,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_dontaudit_read_kmsg" lineno="2526">
+<interface name="dev_dontaudit_read_kmsg" lineno="2562">
 <summary>
 Do not audit attempts to read the kernel messages
 </summary>
@@ -57434,7 +57481,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="dev_write_kmsg" lineno="2544">
+<interface name="dev_write_kmsg" lineno="2580">
 <summary>
 Write to the kernel messages device
 </summary>
@@ -57444,7 +57491,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_rw_kmsg" lineno="2562">
+<interface name="dev_rw_kmsg" lineno="2598">
 <summary>
 Read and write to the kernel messages device
 </summary>
@@ -57454,7 +57501,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_mounton_kmsg" lineno="2580">
+<interface name="dev_mounton_kmsg" lineno="2616">
 <summary>
 Mount on the kernel messages device
 </summary>
@@ -57464,7 +57511,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_getattr_ksm_dev" lineno="2598">
+<interface name="dev_getattr_ksm_dev" lineno="2634">
 <summary>
 Get the attributes of the ksm devices.
 </summary>
@@ -57474,7 +57521,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_setattr_ksm_dev" lineno="2616">
+<interface name="dev_setattr_ksm_dev" lineno="2652">
 <summary>
 Set the attributes of the ksm devices.
 </summary>
@@ -57484,7 +57531,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_read_ksm" lineno="2634">
+<interface name="dev_read_ksm" lineno="2670">
 <summary>
 Read the ksm devices.
 </summary>
@@ -57494,7 +57541,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_rw_ksm" lineno="2652">
+<interface name="dev_rw_ksm" lineno="2688">
 <summary>
 Read and write to ksm devices.
 </summary>
@@ -57504,7 +57551,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_getattr_kvm_dev" lineno="2670">
+<interface name="dev_getattr_kvm_dev" lineno="2706">
 <summary>
 Get the attributes of the kvm devices.
 </summary>
@@ -57514,7 +57561,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_setattr_kvm_dev" lineno="2688">
+<interface name="dev_setattr_kvm_dev" lineno="2724">
 <summary>
 Set the attributes of the kvm devices.
 </summary>
@@ -57524,7 +57571,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_read_kvm" lineno="2706">
+<interface name="dev_read_kvm" lineno="2742">
 <summary>
 Read the kvm devices.
 </summary>
@@ -57534,7 +57581,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_rw_kvm" lineno="2724">
+<interface name="dev_rw_kvm" lineno="2760">
 <summary>
 Read and write to kvm devices.
 </summary>
@@ -57544,7 +57591,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_read_lirc" lineno="2742">
+<interface name="dev_read_lirc" lineno="2778">
 <summary>
 Read the lirc device.
 </summary>
@@ -57554,7 +57601,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_rw_lirc" lineno="2760">
+<interface name="dev_rw_lirc" lineno="2796">
 <summary>
 Read and write the lirc device.
 </summary>
@@ -57564,7 +57611,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_filetrans_lirc" lineno="2784">
+<interface name="dev_filetrans_lirc" lineno="2820">
 <summary>
 Automatic type transition to the type
 for lirc device nodes when created in /dev.
@@ -57580,7 +57627,7 @@ The name of the object being created.
 </summary>
 </param>
 </interface>
-<interface name="dev_rw_loop_control" lineno="2802">
+<interface name="dev_rw_loop_control" lineno="2838">
 <summary>
 Read and write the loop-control device.
 </summary>
@@ -57590,7 +57637,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_getattr_lvm_control" lineno="2820">
+<interface name="dev_getattr_lvm_control" lineno="2856">
 <summary>
 Get the attributes of the lvm comtrol device.
 </summary>
@@ -57600,7 +57647,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_read_lvm_control" lineno="2838">
+<interface name="dev_read_lvm_control" lineno="2874">
 <summary>
 Read the lvm comtrol device.
 </summary>
@@ -57610,7 +57657,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_rw_lvm_control" lineno="2856">
+<interface name="dev_rw_lvm_control" lineno="2892">
 <summary>
 Read and write the lvm control device.
 </summary>
@@ -57620,7 +57667,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_dontaudit_rw_lvm_control" lineno="2874">
+<interface name="dev_dontaudit_rw_lvm_control" lineno="2910">
 <summary>
 Do not audit attempts to read and write lvm control device.
 </summary>
@@ -57630,7 +57677,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="dev_delete_lvm_control_dev" lineno="2892">
+<interface name="dev_delete_lvm_control_dev" lineno="2928">
 <summary>
 Delete the lvm control device.
 </summary>
@@ -57640,7 +57687,18 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_dontaudit_getattr_memory_dev" lineno="2910">
+<interface name="dev_dontaudit_rw_mei" lineno="2947">
+<summary>
+Do not audit attempts to read and write the
+Intel Management Engine Interface device.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_dontaudit_getattr_memory_dev" lineno="2965">
 <summary>
 dontaudit getattr raw memory devices (e.g. /dev/mem).
 </summary>
@@ -57650,7 +57708,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="dev_read_raw_memory" lineno="2931">
+<interface name="dev_read_raw_memory" lineno="2986">
 <summary>
 Read raw memory devices (e.g. /dev/mem).
 This is extremely dangerous as it can bypass the
@@ -57663,7 +57721,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_read_raw_memory_cond" lineno="2961">
+<interface name="dev_read_raw_memory_cond" lineno="3016">
 <summary>
 Read raw memory devices (e.g. /dev/mem) if a tunable is set.
 This is extremely dangerous as it can bypass the
@@ -57681,7 +57739,7 @@ Tunable to depend on
 </summary>
 </param>
 </interface>
-<interface name="dev_dontaudit_read_raw_memory" lineno="2988">
+<interface name="dev_dontaudit_read_raw_memory" lineno="3043">
 <summary>
 Do not audit attempts to read raw memory devices
 (e.g. /dev/mem).
@@ -57695,7 +57753,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="dev_write_raw_memory" lineno="3009">
+<interface name="dev_write_raw_memory" lineno="3064">
 <summary>
 Write raw memory devices (e.g. /dev/mem).
 This is extremely dangerous as it can bypass the
@@ -57708,7 +57766,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_write_raw_memory_cond" lineno="3039">
+<interface name="dev_write_raw_memory_cond" lineno="3094">
 <summary>
 Write raw memory devices (e.g. /dev/mem) if a tunable is set.
 This is extremely dangerous as it can bypass the
@@ -57726,7 +57784,7 @@ Tunable to depend on
 </summary>
 </param>
 </interface>
-<interface name="dev_rx_raw_memory" lineno="3065">
+<interface name="dev_rx_raw_memory" lineno="3120">
 <summary>
 Read and execute raw memory devices (e.g. /dev/mem).
 This is extremely dangerous as it can bypass the
@@ -57739,7 +57797,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_wx_raw_memory" lineno="3087">
+<interface name="dev_wx_raw_memory" lineno="3142">
 <summary>
 Write and execute raw memory devices (e.g. /dev/mem).
 This is extremely dangerous as it can bypass the
@@ -57752,7 +57810,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_wx_raw_memory_cond" lineno="3114">
+<interface name="dev_wx_raw_memory_cond" lineno="3169">
 <summary>
 Write and execute raw memory devices (e.g. /dev/mem) if a tunable is set.
 This is extremely dangerous as it can bypass the
@@ -57770,7 +57828,7 @@ Tunable to depend on
 </summary>
 </param>
 </interface>
-<interface name="dev_getattr_misc_dev" lineno="3137">
+<interface name="dev_getattr_misc_dev" lineno="3192">
 <summary>
 Get the attributes of miscellaneous devices.
 </summary>
@@ -57780,7 +57838,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_dontaudit_getattr_misc_dev" lineno="3156">
+<interface name="dev_dontaudit_getattr_misc_dev" lineno="3211">
 <summary>
 Do not audit attempts to get the attributes
 of miscellaneous devices.
@@ -57791,7 +57849,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="dev_setattr_misc_dev" lineno="3174">
+<interface name="dev_setattr_misc_dev" lineno="3229">
 <summary>
 Set the attributes of miscellaneous devices.
 </summary>
@@ -57801,7 +57859,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_dontaudit_setattr_misc_dev" lineno="3193">
+<interface name="dev_dontaudit_setattr_misc_dev" lineno="3248">
 <summary>
 Do not audit attempts to set the attributes
 of miscellaneous devices.
@@ -57812,7 +57870,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="dev_read_misc" lineno="3211">
+<interface name="dev_read_misc" lineno="3266">
 <summary>
 Read miscellaneous devices.
 </summary>
@@ -57822,7 +57880,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_write_misc" lineno="3229">
+<interface name="dev_write_misc" lineno="3284">
 <summary>
 Write miscellaneous devices.
 </summary>
@@ -57832,7 +57890,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_dontaudit_rw_misc" lineno="3247">
+<interface name="dev_dontaudit_rw_misc" lineno="3302">
 <summary>
 Do not audit attempts to read and write miscellaneous devices.
 </summary>
@@ -57842,7 +57900,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_getattr_modem_dev" lineno="3265">
+<interface name="dev_getattr_modem_dev" lineno="3320">
 <summary>
 Get the attributes of the modem devices.
 </summary>
@@ -57852,7 +57910,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_setattr_modem_dev" lineno="3283">
+<interface name="dev_setattr_modem_dev" lineno="3338">
 <summary>
 Set the attributes of the modem devices.
 </summary>
@@ -57862,7 +57920,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_read_modem" lineno="3301">
+<interface name="dev_read_modem" lineno="3356">
 <summary>
 Read the modem devices.
 </summary>
@@ -57872,7 +57930,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_rw_modem" lineno="3319">
+<interface name="dev_rw_modem" lineno="3374">
 <summary>
 Read and write to modem devices.
 </summary>
@@ -57882,7 +57940,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_getattr_mouse_dev" lineno="3337">
+<interface name="dev_getattr_mouse_dev" lineno="3392">
 <summary>
 Get the attributes of the mouse devices.
 </summary>
@@ -57892,7 +57950,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_setattr_mouse_dev" lineno="3355">
+<interface name="dev_setattr_mouse_dev" lineno="3410">
 <summary>
 Set the attributes of the mouse devices.
 </summary>
@@ -57902,7 +57960,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_delete_mouse_dev" lineno="3373">
+<interface name="dev_delete_mouse_dev" lineno="3428">
 <summary>
 Delete the mouse devices.
 </summary>
@@ -57912,7 +57970,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_read_mouse" lineno="3391">
+<interface name="dev_read_mouse" lineno="3446">
 <summary>
 Read the mouse devices.
 </summary>
@@ -57922,7 +57980,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_rw_mouse" lineno="3409">
+<interface name="dev_rw_mouse" lineno="3464">
 <summary>
 Read and write to mouse devices.
 </summary>
@@ -57932,7 +57990,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_getattr_mtrr_dev" lineno="3428">
+<interface name="dev_getattr_mtrr_dev" lineno="3483">
 <summary>
 Get the attributes of the memory type range
 registers (MTRR) device.
@@ -57943,7 +58001,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_dontaudit_write_mtrr" lineno="3448">
+<interface name="dev_dontaudit_write_mtrr" lineno="3503">
 <summary>
 Do not audit attempts to write the memory type
 range registers (MTRR).
@@ -57954,7 +58012,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="dev_rw_mtrr" lineno="3467">
+<interface name="dev_rw_mtrr" lineno="3522">
 <summary>
 Read and write the memory type range registers (MTRR).
 </summary>
@@ -57964,7 +58022,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_getattr_null_dev" lineno="3486">
+<interface name="dev_getattr_null_dev" lineno="3541">
 <summary>
 Get the attributes of the null device nodes.
 </summary>
@@ -57974,7 +58032,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_setattr_null_dev" lineno="3504">
+<interface name="dev_setattr_null_dev" lineno="3559">
 <summary>
 Set the attributes of the null device nodes.
 </summary>
@@ -57984,7 +58042,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_dontaudit_setattr_null_dev" lineno="3523">
+<interface name="dev_dontaudit_setattr_null_dev" lineno="3578">
 <summary>
 Do not audit attempts to set the attributes of
 the null device nodes.
@@ -57995,7 +58053,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="dev_delete_null" lineno="3541">
+<interface name="dev_delete_null" lineno="3596">
 <summary>
 Delete the null device (/dev/null).
 </summary>
@@ -58005,7 +58063,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_rw_null" lineno="3559">
+<interface name="dev_rw_null" lineno="3614">
 <summary>
 Read and write to the null device (/dev/null).
 </summary>
@@ -58015,7 +58073,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_create_null_dev" lineno="3577">
+<interface name="dev_create_null_dev" lineno="3632">
 <summary>
 Create the null device (/dev/null).
 </summary>
@@ -58025,7 +58083,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_manage_null_service" lineno="3596">
+<interface name="dev_manage_null_service" lineno="3651">
 <summary>
 Manage services with script type null_device_t for when
 /lib/systemd/system/something.service is a link to /dev/null
@@ -58036,7 +58094,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_dontaudit_getattr_nvram_dev" lineno="3616">
+<interface name="dev_dontaudit_getattr_nvram_dev" lineno="3671">
 <summary>
 Do not audit attempts to get the attributes
 of the BIOS non-volatile RAM device.
@@ -58047,7 +58105,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="dev_rw_nvram" lineno="3634">
+<interface name="dev_rw_nvram" lineno="3689">
 <summary>
 Read and write BIOS non-volatile RAM.
 </summary>
@@ -58057,7 +58115,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_getattr_printer_dev" lineno="3652">
+<interface name="dev_getattr_printer_dev" lineno="3707">
 <summary>
 Get the attributes of the printer device nodes.
 </summary>
@@ -58067,7 +58125,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_setattr_printer_dev" lineno="3670">
+<interface name="dev_setattr_printer_dev" lineno="3725">
 <summary>
 Set the attributes of the printer device nodes.
 </summary>
@@ -58077,7 +58135,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_append_printer" lineno="3689">
+<interface name="dev_append_printer" lineno="3744">
 <summary>
 Append the printer device.
 </summary>
@@ -58087,7 +58145,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_rw_printer" lineno="3707">
+<interface name="dev_rw_printer" lineno="3762">
 <summary>
 Read and write the printer device.
 </summary>
@@ -58097,7 +58155,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_getattr_pmqos_dev" lineno="3725">
+<interface name="dev_getattr_pmqos_dev" lineno="3780">
 <summary>
 Get the attributes of PM QoS devices
 </summary>
@@ -58107,7 +58165,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_read_pmqos" lineno="3743">
+<interface name="dev_read_pmqos" lineno="3798">
 <summary>
 Read the PM QoS devices.
 </summary>
@@ -58117,7 +58175,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_rw_pmqos" lineno="3761">
+<interface name="dev_rw_pmqos" lineno="3816">
 <summary>
 Read and write the the PM QoS devices.
 </summary>
@@ -58127,7 +58185,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_getattr_qemu_dev" lineno="3780">
+<interface name="dev_getattr_qemu_dev" lineno="3835">
 <summary>
 Get the attributes of the QEMU
 microcode and id interfaces.
@@ -58138,7 +58196,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_setattr_qemu_dev" lineno="3799">
+<interface name="dev_setattr_qemu_dev" lineno="3854">
 <summary>
 Set the attributes of the QEMU
 microcode and id interfaces.
@@ -58149,7 +58207,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_read_qemu" lineno="3817">
+<interface name="dev_read_qemu" lineno="3872">
 <summary>
 Read the QEMU device
 </summary>
@@ -58159,7 +58217,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_rw_qemu" lineno="3835">
+<interface name="dev_rw_qemu" lineno="3890">
 <summary>
 Read and write the the QEMU device.
 </summary>
@@ -58169,7 +58227,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_read_rand" lineno="3869">
+<interface name="dev_read_rand" lineno="3924">
 <summary>
 Read from random number generator
 devices (e.g., /dev/random).
@@ -58195,7 +58253,7 @@ Domain allowed access.
 </param>
 <infoflow type="read" weight="10"/>
 </interface>
-<interface name="dev_dontaudit_read_rand" lineno="3888">
+<interface name="dev_dontaudit_read_rand" lineno="3943">
 <summary>
 Do not audit attempts to read from random
 number generator devices (e.g., /dev/random)
@@ -58206,7 +58264,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="dev_dontaudit_append_rand" lineno="3907">
+<interface name="dev_dontaudit_append_rand" lineno="3962">
 <summary>
 Do not audit attempts to append to random
 number generator devices (e.g., /dev/random)
@@ -58217,7 +58275,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="dev_write_rand" lineno="3927">
+<interface name="dev_write_rand" lineno="3982">
 <summary>
 Write to the random device (e.g., /dev/random). This adds
 entropy used to generate the random data read from the
@@ -58229,7 +58287,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_create_rand_dev" lineno="3945">
+<interface name="dev_create_rand_dev" lineno="4000">
 <summary>
 Create the random device (/dev/random).
 </summary>
@@ -58239,7 +58297,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_read_realtime_clock" lineno="3963">
+<interface name="dev_read_realtime_clock" lineno="4018">
 <summary>
 Read the realtime clock (/dev/rtc).
 </summary>
@@ -58249,7 +58307,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_write_realtime_clock" lineno="3981">
+<interface name="dev_write_realtime_clock" lineno="4036">
 <summary>
 Set the realtime clock (/dev/rtc).
 </summary>
@@ -58259,7 +58317,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_rw_realtime_clock" lineno="4001">
+<interface name="dev_rw_realtime_clock" lineno="4056">
 <summary>
 Read and set the realtime clock (/dev/rtc).
 </summary>
@@ -58269,7 +58327,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_getattr_scanner_dev" lineno="4016">
+<interface name="dev_getattr_scanner_dev" lineno="4071">
 <summary>
 Get the attributes of the scanner device.
 </summary>
@@ -58279,7 +58337,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_dontaudit_getattr_scanner_dev" lineno="4035">
+<interface name="dev_dontaudit_getattr_scanner_dev" lineno="4090">
 <summary>
 Do not audit attempts to get the attributes of
 the scanner device.
@@ -58290,7 +58348,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="dev_setattr_scanner_dev" lineno="4053">
+<interface name="dev_setattr_scanner_dev" lineno="4108">
 <summary>
 Set the attributes of the scanner device.
 </summary>
@@ -58300,7 +58358,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_dontaudit_setattr_scanner_dev" lineno="4072">
+<interface name="dev_dontaudit_setattr_scanner_dev" lineno="4127">
 <summary>
 Do not audit attempts to set the attributes of
 the scanner device.
@@ -58311,7 +58369,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="dev_rw_scanner" lineno="4090">
+<interface name="dev_rw_scanner" lineno="4145">
 <summary>
 Read and write the scanner device.
 </summary>
@@ -58321,7 +58379,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_getattr_sound_dev" lineno="4108">
+<interface name="dev_getattr_sound_dev" lineno="4163">
 <summary>
 Get the attributes of the sound devices.
 </summary>
@@ -58331,7 +58389,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_setattr_sound_dev" lineno="4126">
+<interface name="dev_setattr_sound_dev" lineno="4181">
 <summary>
 Set the attributes of the sound devices.
 </summary>
@@ -58341,7 +58399,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_read_sound" lineno="4144">
+<interface name="dev_read_sound" lineno="4199">
 <summary>
 Read the sound devices.
 </summary>
@@ -58351,7 +58409,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_write_sound" lineno="4163">
+<interface name="dev_write_sound" lineno="4218">
 <summary>
 Write the sound devices.
 </summary>
@@ -58361,7 +58419,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_read_sound_mixer" lineno="4182">
+<interface name="dev_read_sound_mixer" lineno="4237">
 <summary>
 Read the sound mixer devices.
 </summary>
@@ -58371,7 +58429,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_write_sound_mixer" lineno="4201">
+<interface name="dev_write_sound_mixer" lineno="4256">
 <summary>
 Write the sound mixer devices.
 </summary>
@@ -58381,7 +58439,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_getattr_power_mgmt_dev" lineno="4220">
+<interface name="dev_getattr_power_mgmt_dev" lineno="4275">
 <summary>
 Get the attributes of the the power management device.
 </summary>
@@ -58391,7 +58449,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_setattr_power_mgmt_dev" lineno="4238">
+<interface name="dev_setattr_power_mgmt_dev" lineno="4293">
 <summary>
 Set the attributes of the the power management device.
 </summary>
@@ -58401,7 +58459,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_rw_power_management" lineno="4256">
+<interface name="dev_rw_power_management" lineno="4311">
 <summary>
 Read and write the the power management device.
 </summary>
@@ -58411,7 +58469,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_getattr_smartcard_dev" lineno="4274">
+<interface name="dev_getattr_smartcard_dev" lineno="4329">
 <summary>
 Getattr on smartcard devices
 </summary>
@@ -58421,7 +58479,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_dontaudit_getattr_smartcard_dev" lineno="4293">
+<interface name="dev_dontaudit_getattr_smartcard_dev" lineno="4348">
 <summary>
 dontaudit getattr on smartcard devices
 </summary>
@@ -58431,7 +58489,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="dev_rw_smartcard" lineno="4312">
+<interface name="dev_rw_smartcard" lineno="4367">
 <summary>
 Read and write smartcard devices.
 </summary>
@@ -58441,7 +58499,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_manage_smartcard" lineno="4330">
+<interface name="dev_manage_smartcard" lineno="4385">
 <summary>
 Create, read, write, and delete smartcard devices.
 </summary>
@@ -58451,7 +58509,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_rw_sysdig" lineno="4348">
+<interface name="dev_rw_sysdig" lineno="4403">
 <summary>
 Read, write and map the sysdig device.
 </summary>
@@ -58461,7 +58519,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_mounton_sysfs" lineno="4367">
+<interface name="dev_mounton_sysfs" lineno="4422">
 <summary>
 Mount a filesystem on sysfs.  (Deprecated)
 </summary>
@@ -58471,7 +58529,7 @@ Domain allow access.
 </summary>
 </param>
 </interface>
-<interface name="dev_associate_sysfs" lineno="4382">
+<interface name="dev_associate_sysfs" lineno="4437">
 <summary>
 Associate a file to a sysfs filesystem.
 </summary>
@@ -58481,7 +58539,7 @@ The type of the file to be associated to sysfs.
 </summary>
 </param>
 </interface>
-<interface name="dev_getattr_sysfs_dirs" lineno="4400">
+<interface name="dev_getattr_sysfs_dirs" lineno="4455">
 <summary>
 Get the attributes of sysfs directories.
 </summary>
@@ -58491,7 +58549,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_getattr_sysfs" lineno="4418">
+<interface name="dev_getattr_sysfs" lineno="4473">
 <summary>
 Get the attributes of sysfs filesystem
 </summary>
@@ -58501,7 +58559,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_mount_sysfs" lineno="4436">
+<interface name="dev_mount_sysfs" lineno="4491">
 <summary>
 mount a sysfs filesystem
 </summary>
@@ -58511,7 +58569,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_remount_sysfs" lineno="4454">
+<interface name="dev_remount_sysfs" lineno="4509">
 <summary>
 Remount a sysfs filesystem.
 </summary>
@@ -58521,7 +58579,7 @@ Domain allow access.
 </summary>
 </param>
 </interface>
-<interface name="dev_unmount_sysfs" lineno="4472">
+<interface name="dev_unmount_sysfs" lineno="4527">
 <summary>
 unmount a sysfs filesystem
 </summary>
@@ -58531,7 +58589,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_dontaudit_getattr_sysfs" lineno="4490">
+<interface name="dev_dontaudit_getattr_sysfs" lineno="4545">
 <summary>
 Do not audit getting the attributes of sysfs filesystem
 </summary>
@@ -58541,7 +58599,7 @@ Domain to dontaudit access from
 </summary>
 </param>
 </interface>
-<interface name="dev_dontaudit_read_sysfs" lineno="4508">
+<interface name="dev_dontaudit_read_sysfs" lineno="4563">
 <summary>
 Dont audit attempts to read hardware state information
 </summary>
@@ -58551,7 +58609,7 @@ Domain for which the attempts do not need to be audited
 </summary>
 </param>
 </interface>
-<interface name="dev_mounton_sysfs_dirs" lineno="4528">
+<interface name="dev_mounton_sysfs_dirs" lineno="4583">
 <summary>
 Mount on sysfs directories.
 </summary>
@@ -58561,7 +58619,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_search_sysfs" lineno="4546">
+<interface name="dev_search_sysfs" lineno="4601">
 <summary>
 Search the sysfs directories.
 </summary>
@@ -58571,7 +58629,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_dontaudit_search_sysfs" lineno="4564">
+<interface name="dev_dontaudit_search_sysfs" lineno="4619">
 <summary>
 Do not audit attempts to search sysfs.
 </summary>
@@ -58581,7 +58639,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="dev_list_sysfs" lineno="4582">
+<interface name="dev_list_sysfs" lineno="4637">
 <summary>
 List the contents of the sysfs directories.
 </summary>
@@ -58591,7 +58649,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_write_sysfs_dirs" lineno="4601">
+<interface name="dev_write_sysfs_dirs" lineno="4656">
 <summary>
 Write in a sysfs directories.
 </summary>
@@ -58601,7 +58659,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_dontaudit_write_sysfs_dirs" lineno="4619">
+<interface name="dev_dontaudit_write_sysfs_dirs" lineno="4674">
 <summary>
 Do not audit attempts to write in a sysfs directory.
 </summary>
@@ -58611,7 +58669,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="dev_dontaudit_write_sysfs_files" lineno="4637">
+<interface name="dev_dontaudit_write_sysfs_files" lineno="4692">
 <summary>
 Do not audit attempts to write to a sysfs file.
 </summary>
@@ -58621,7 +58679,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="dev_manage_sysfs_dirs" lineno="4656">
+<interface name="dev_manage_sysfs_dirs" lineno="4711">
 <summary>
 Create, read, write, and delete sysfs
 directories.
@@ -58632,7 +58690,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_read_sysfs" lineno="4683">
+<interface name="dev_read_sysfs" lineno="4738">
 <summary>
 Read hardware state information.
 </summary>
@@ -58651,7 +58709,7 @@ Domain allowed access.
 </param>
 <infoflow type="read" weight="10"/>
 </interface>
-<interface name="dev_write_sysfs" lineno="4711">
+<interface name="dev_write_sysfs" lineno="4766">
 <summary>
 Write to hardware state information.
 </summary>
@@ -58668,7 +58726,7 @@ Domain allowed access.
 </param>
 <infoflow type="read" weight="10"/>
 </interface>
-<interface name="dev_rw_sysfs" lineno="4730">
+<interface name="dev_rw_sysfs" lineno="4785">
 <summary>
 Allow caller to modify hardware state information.
 </summary>
@@ -58678,7 +58736,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_create_sysfs_files" lineno="4751">
+<interface name="dev_create_sysfs_files" lineno="4806">
 <summary>
 Add a sysfs file
 </summary>
@@ -58688,7 +58746,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_relabel_sysfs_dirs" lineno="4769">
+<interface name="dev_relabel_sysfs_dirs" lineno="4824">
 <summary>
 Relabel hardware state directories.
 </summary>
@@ -58698,7 +58756,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_relabel_all_sysfs" lineno="4787">
+<interface name="dev_relabel_all_sysfs" lineno="4842">
 <summary>
 Relabel from/to all sysfs types.
 </summary>
@@ -58708,7 +58766,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_setattr_all_sysfs" lineno="4807">
+<interface name="dev_setattr_all_sysfs" lineno="4862">
 <summary>
 Set the attributes of sysfs files, directories and symlinks.
 </summary>
@@ -58718,7 +58776,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_rw_tpm" lineno="4827">
+<interface name="dev_rw_tpm" lineno="4882">
 <summary>
 Read and write the TPM device.
 </summary>
@@ -58728,7 +58786,18 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_read_urand" lineno="4868">
+<interface name="dev_rw_uhid" lineno="4901">
+<summary>
+Allow open/read/write uhid device
+</summary>
+<param name="domain">
+<summary>
+Domain allowed rw to uhid device
+to communicate with uhid input node
+</summary>
+</param>
+</interface>
+<interface name="dev_read_urand" lineno="4942">
 <summary>
 Read from pseudo random number generator devices (e.g., /dev/urandom).
 </summary>
@@ -58761,7 +58830,7 @@ Domain allowed access.
 </param>
 <infoflow type="read" weight="10"/>
 </interface>
-<interface name="dev_dontaudit_read_urand" lineno="4887">
+<interface name="dev_dontaudit_read_urand" lineno="4961">
 <summary>
 Do not audit attempts to read from pseudo
 random devices (e.g., /dev/urandom)
@@ -58772,7 +58841,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="dev_write_urand" lineno="4906">
+<interface name="dev_write_urand" lineno="4980">
 <summary>
 Write to the pseudo random device (e.g., /dev/urandom). This
 sets the random number generator seed.
@@ -58783,7 +58852,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_create_urand_dev" lineno="4924">
+<interface name="dev_create_urand_dev" lineno="4998">
 <summary>
 Create the urandom device (/dev/urandom).
 </summary>
@@ -58793,7 +58862,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_setattr_urand_dev" lineno="4942">
+<interface name="dev_setattr_urand_dev" lineno="5016">
 <summary>
 Set attributes on the urandom device (/dev/urandom).
 </summary>
@@ -58803,7 +58872,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_getattr_generic_usb_dev" lineno="4960">
+<interface name="dev_getattr_generic_usb_dev" lineno="5034">
 <summary>
 Getattr generic the USB devices.
 </summary>
@@ -58813,7 +58882,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_setattr_generic_usb_dev" lineno="4978">
+<interface name="dev_setattr_generic_usb_dev" lineno="5052">
 <summary>
 Setattr generic the USB devices.
 </summary>
@@ -58823,7 +58892,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_read_generic_usb_dev" lineno="4996">
+<interface name="dev_read_generic_usb_dev" lineno="5070">
 <summary>
 Read generic the USB devices.
 </summary>
@@ -58833,7 +58902,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_rw_generic_usb_dev" lineno="5014">
+<interface name="dev_rw_generic_usb_dev" lineno="5088">
 <summary>
 Read and write generic the USB devices.
 </summary>
@@ -58843,7 +58912,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_delete_generic_usb_dev" lineno="5032">
+<interface name="dev_delete_generic_usb_dev" lineno="5106">
 <summary>
 Delete the generic USB devices.
 </summary>
@@ -58853,7 +58922,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_relabel_generic_usb_dev" lineno="5050">
+<interface name="dev_relabel_generic_usb_dev" lineno="5124">
 <summary>
 Relabel generic the USB devices.
 </summary>
@@ -58863,7 +58932,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_read_usbmon_dev" lineno="5068">
+<interface name="dev_read_usbmon_dev" lineno="5142">
 <summary>
 Read USB monitor devices.
 </summary>
@@ -58873,7 +58942,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_write_usbmon_dev" lineno="5086">
+<interface name="dev_write_usbmon_dev" lineno="5160">
 <summary>
 Write USB monitor devices.
 </summary>
@@ -58883,7 +58952,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_mount_usbfs" lineno="5104">
+<interface name="dev_mount_usbfs" lineno="5178">
 <summary>
 Mount a usbfs filesystem.
 </summary>
@@ -58893,7 +58962,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_associate_usbfs" lineno="5122">
+<interface name="dev_associate_usbfs" lineno="5196">
 <summary>
 Associate a file to a usbfs filesystem.
 </summary>
@@ -58903,7 +58972,7 @@ The type of the file to be associated to usbfs.
 </summary>
 </param>
 </interface>
-<interface name="dev_getattr_usbfs_dirs" lineno="5140">
+<interface name="dev_getattr_usbfs_dirs" lineno="5214">
 <summary>
 Get the attributes of a directory in the usb filesystem.
 </summary>
@@ -58913,7 +58982,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_dontaudit_getattr_usbfs_dirs" lineno="5159">
+<interface name="dev_dontaudit_getattr_usbfs_dirs" lineno="5233">
 <summary>
 Do not audit attempts to get the attributes
 of a directory in the usb filesystem.
@@ -58924,7 +58993,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="dev_search_usbfs" lineno="5177">
+<interface name="dev_search_usbfs" lineno="5251">
 <summary>
 Search the directory containing USB hardware information.
 </summary>
@@ -58934,7 +59003,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_list_usbfs" lineno="5195">
+<interface name="dev_list_usbfs" lineno="5269">
 <summary>
 Allow caller to get a list of usb hardware.
 </summary>
@@ -58944,7 +59013,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_setattr_usbfs_files" lineno="5216">
+<interface name="dev_setattr_usbfs_files" lineno="5290">
 <summary>
 Set the attributes of usbfs filesystem.
 </summary>
@@ -58954,7 +59023,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_read_usbfs" lineno="5236">
+<interface name="dev_read_usbfs" lineno="5310">
 <summary>
 Read USB hardware information using
 the usbfs filesystem interface.
@@ -58965,7 +59034,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_rw_usbfs" lineno="5256">
+<interface name="dev_rw_usbfs" lineno="5330">
 <summary>
 Allow caller to modify usb hardware configuration files.
 </summary>
@@ -58975,7 +59044,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_getattr_video_dev" lineno="5276">
+<interface name="dev_getattr_video_dev" lineno="5350">
 <summary>
 Get the attributes of video4linux devices.
 </summary>
@@ -58985,7 +59054,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_rw_userio_dev" lineno="5294">
+<interface name="dev_rw_userio_dev" lineno="5368">
 <summary>
 Read and write userio device.
 </summary>
@@ -58995,7 +59064,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_dontaudit_getattr_video_dev" lineno="5313">
+<interface name="dev_dontaudit_getattr_video_dev" lineno="5387">
 <summary>
 Do not audit attempts to get the attributes
 of video4linux device nodes.
@@ -59006,7 +59075,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="dev_setattr_video_dev" lineno="5331">
+<interface name="dev_setattr_video_dev" lineno="5405">
 <summary>
 Set the attributes of video4linux device nodes.
 </summary>
@@ -59016,7 +59085,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_dontaudit_setattr_video_dev" lineno="5350">
+<interface name="dev_dontaudit_setattr_video_dev" lineno="5424">
 <summary>
 Do not audit attempts to set the attributes
 of video4linux device nodes.
@@ -59027,7 +59096,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="dev_read_video_dev" lineno="5368">
+<interface name="dev_read_video_dev" lineno="5442">
 <summary>
 Read the video4linux devices.
 </summary>
@@ -59037,7 +59106,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_write_video_dev" lineno="5386">
+<interface name="dev_write_video_dev" lineno="5460">
 <summary>
 Write the video4linux devices.
 </summary>
@@ -59047,7 +59116,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_rw_vfio_dev" lineno="5404">
+<interface name="dev_rw_vfio_dev" lineno="5478">
 <summary>
 Read and write vfio devices.
 </summary>
@@ -59057,7 +59126,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_relabelfrom_vfio_dev" lineno="5422">
+<interface name="dev_relabelfrom_vfio_dev" lineno="5496">
 <summary>
 Relabel vfio devices.
 </summary>
@@ -59067,7 +59136,17 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_rw_vhost" lineno="5440">
+<interface name="dev_getattr_vhost_dev" lineno="5514">
+<summary>
+Get the attributes of the vhost devices.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_rw_vhost" lineno="5532">
 <summary>
 Allow read/write the vhost devices
 </summary>
@@ -59077,7 +59156,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_rw_vmware" lineno="5458">
+<interface name="dev_rw_vmware" lineno="5550">
 <summary>
 Read and write VMWare devices.
 </summary>
@@ -59087,7 +59166,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_rwx_vmware" lineno="5476">
+<interface name="dev_rwx_vmware" lineno="5568">
 <summary>
 Read, write, and mmap VMWare devices.
 </summary>
@@ -59097,7 +59176,48 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_read_watchdog" lineno="5495">
+<interface name="dev_read_vsock" lineno="5587">
+<summary>
+Read the vsock device.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_write_vsock" lineno="5605">
+<summary>
+Write the vsock device.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_rw_vsock" lineno="5623">
+<summary>
+Read and write the vsock device.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_filetrans_vsock_dev" lineno="5642">
+<summary>
+Automatic type transition to the type
+for the vsock device nodes when created in /dev.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dev_read_watchdog" lineno="5660">
 <summary>
 Read from watchdog devices.
 </summary>
@@ -59107,7 +59227,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_write_watchdog" lineno="5513">
+<interface name="dev_write_watchdog" lineno="5678">
 <summary>
 Write to watchdog devices.
 </summary>
@@ -59117,7 +59237,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_read_wireless" lineno="5531">
+<interface name="dev_read_wireless" lineno="5696">
 <summary>
 Read the wireless device.
 </summary>
@@ -59127,7 +59247,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_rw_wireless" lineno="5549">
+<interface name="dev_rw_wireless" lineno="5714">
 <summary>
 Read and write the the wireless device.
 </summary>
@@ -59137,7 +59257,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_manage_wireless" lineno="5567">
+<interface name="dev_manage_wireless" lineno="5732">
 <summary>
 manage the wireless device.
 </summary>
@@ -59147,7 +59267,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_rw_xen" lineno="5585">
+<interface name="dev_rw_xen" lineno="5750">
 <summary>
 Read and write Xen devices.
 </summary>
@@ -59157,7 +59277,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_manage_xen" lineno="5604">
+<interface name="dev_manage_xen" lineno="5769">
 <summary>
 Create, read, write, and delete Xen devices.
 </summary>
@@ -59167,7 +59287,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_filetrans_xen" lineno="5628">
+<interface name="dev_filetrans_xen" lineno="5793">
 <summary>
 Automatic type transition to the type
 for xen device nodes when created in /dev.
@@ -59183,7 +59303,7 @@ The name of the object being created.
 </summary>
 </param>
 </interface>
-<interface name="dev_getattr_xserver_misc_dev" lineno="5646">
+<interface name="dev_getattr_xserver_misc_dev" lineno="5811">
 <summary>
 Get the attributes of X server miscellaneous devices.
 </summary>
@@ -59193,7 +59313,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_setattr_xserver_misc_dev" lineno="5664">
+<interface name="dev_setattr_xserver_misc_dev" lineno="5829">
 <summary>
 Set the attributes of X server miscellaneous devices.
 </summary>
@@ -59203,7 +59323,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_rw_xserver_misc" lineno="5682">
+<interface name="dev_rw_xserver_misc" lineno="5847">
 <summary>
 Read and write X server miscellaneous devices.
 </summary>
@@ -59213,7 +59333,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_map_xserver_misc" lineno="5700">
+<interface name="dev_map_xserver_misc" lineno="5865">
 <summary>
 Map X server miscellaneous devices.
 </summary>
@@ -59223,7 +59343,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_rw_zero" lineno="5718">
+<interface name="dev_rw_zero" lineno="5883">
 <summary>
 Read and write to the zero device (/dev/zero).
 </summary>
@@ -59233,7 +59353,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_rwx_zero" lineno="5736">
+<interface name="dev_rwx_zero" lineno="5901">
 <summary>
 Read, write, and execute the zero device (/dev/zero).
 </summary>
@@ -59243,7 +59363,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_execmod_zero" lineno="5755">
+<interface name="dev_execmod_zero" lineno="5920">
 <summary>
 Execmod the zero device (/dev/zero).
 </summary>
@@ -59253,7 +59373,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_create_zero_dev" lineno="5774">
+<interface name="dev_create_zero_dev" lineno="5939">
 <summary>
 Create the zero device (/dev/zero).
 </summary>
@@ -59263,7 +59383,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_read_cpu_online" lineno="5797">
+<interface name="dev_read_cpu_online" lineno="5962">
 <summary>
 Read cpu online hardware state information
 </summary>
@@ -59278,7 +59398,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_rw_gpiochip" lineno="5817">
+<interface name="dev_rw_gpiochip" lineno="5982">
 <summary>
 Read and write to the gpiochip device, /dev/gpiochip[0-9]
 </summary>
@@ -59288,7 +59408,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_unconfined" lineno="5835">
+<interface name="dev_unconfined" lineno="6000">
 <summary>
 Unconfined access to devices.
 </summary>
@@ -59298,7 +59418,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_relabel_cpu_online" lineno="5855">
+<interface name="dev_relabel_cpu_online" lineno="6020">
 <summary>
 Relabel cpu online hardware state information.
 </summary>
@@ -59308,7 +59428,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dev_dontaudit_read_usbmon_dev" lineno="5874">
+<interface name="dev_dontaudit_read_usbmon_dev" lineno="6039">
 <summary>
 Dont audit attempts to read usbmon devices
 </summary>
@@ -59596,7 +59716,7 @@ Domain to not audit.
 <interface name="domain_sigchld_interactive_fds" lineno="429">
 <summary>
 Send a SIGCHLD signal to domains whose file
-discriptors are widely inheritable.
+descriptors are widely inheritable.
 </summary>
 <param name="domain">
 <summary>
@@ -60752,7 +60872,17 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_execmod_all_files" lineno="757">
+<interface name="files_mmap_read_all_files" lineno="749">
+<summary>
+Read and memory map all files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_execmod_all_files" lineno="781">
 <summary>
 Allow shared library text relocations in all files.
 </summary>
@@ -60770,7 +60900,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_read_non_security_files" lineno="776">
+<interface name="files_read_non_security_files" lineno="800">
 <summary>
 Read all non-security files.
 </summary>
@@ -60781,7 +60911,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="files_write_non_security_files" lineno="796">
+<interface name="files_write_non_security_files" lineno="820">
 <summary>
 Write all non-security files.
 </summary>
@@ -60792,7 +60922,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="files_create_non_security_files" lineno="816">
+<interface name="files_create_non_security_files" lineno="840">
 <summary>
 Create all non-security files.
 </summary>
@@ -60803,7 +60933,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="files_read_all_dirs_except" lineno="842">
+<interface name="files_read_all_dirs_except" lineno="866">
 <summary>
 Read all directories on the filesystem, except
 the listed exceptions.
@@ -60820,7 +60950,7 @@ must be negated by the caller.
 </summary>
 </param>
 </interface>
-<interface name="files_read_all_files_except" lineno="867">
+<interface name="files_read_all_files_except" lineno="891">
 <summary>
 Read all files on the filesystem, except
 the listed exceptions.
@@ -60837,7 +60967,7 @@ must be negated by the caller.
 </summary>
 </param>
 </interface>
-<interface name="files_read_all_symlinks_except" lineno="892">
+<interface name="files_read_all_symlinks_except" lineno="916">
 <summary>
 Read all symbolic links on the filesystem, except
 the listed exceptions.
@@ -60854,7 +60984,7 @@ must be negated by the caller.
 </summary>
 </param>
 </interface>
-<interface name="files_getattr_all_symlinks" lineno="910">
+<interface name="files_getattr_all_symlinks" lineno="934">
 <summary>
 Get the attributes of all symbolic links.
 </summary>
@@ -60864,7 +60994,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_dontaudit_getattr_all_symlinks" lineno="929">
+<interface name="files_dontaudit_getattr_all_symlinks" lineno="953">
 <summary>
 Do not audit attempts to get the attributes
 of all symbolic links.
@@ -60875,7 +61005,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="files_dontaudit_read_all_symlinks" lineno="947">
+<interface name="files_dontaudit_read_all_symlinks" lineno="971">
 <summary>
 Do not audit attempts to read all symbolic links.
 </summary>
@@ -60885,7 +61015,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="files_dontaudit_getattr_non_security_symlinks" lineno="966">
+<interface name="files_dontaudit_getattr_non_security_symlinks" lineno="990">
 <summary>
 Do not audit attempts to get the attributes
 of non security symbolic links.
@@ -60896,7 +61026,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="files_dontaudit_getattr_non_security_blk_files" lineno="985">
+<interface name="files_dontaudit_getattr_non_security_blk_files" lineno="1009">
 <summary>
 Do not audit attempts to get the attributes
 of non security block devices.
@@ -60907,7 +61037,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="files_dontaudit_getattr_non_security_chr_files" lineno="1004">
+<interface name="files_dontaudit_getattr_non_security_chr_files" lineno="1028">
 <summary>
 Do not audit attempts to get the attributes
 of non security character devices.
@@ -60918,7 +61048,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="files_read_all_symlinks" lineno="1023">
+<interface name="files_read_all_symlinks" lineno="1047">
 <summary>
 Read all symbolic links.
 </summary>
@@ -60929,7 +61059,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="files_getattr_all_pipes" lineno="1042">
+<interface name="files_getattr_all_pipes" lineno="1066">
 <summary>
 Get the attributes of all named pipes.
 </summary>
@@ -60939,7 +61069,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_dontaudit_getattr_all_pipes" lineno="1062">
+<interface name="files_dontaudit_getattr_all_pipes" lineno="1086">
 <summary>
 Do not audit attempts to get the attributes
 of all named pipes.
@@ -60950,7 +61080,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="files_dontaudit_getattr_non_security_pipes" lineno="1081">
+<interface name="files_dontaudit_getattr_non_security_pipes" lineno="1105">
 <summary>
 Do not audit attempts to get the attributes
 of non security named pipes.
@@ -60961,7 +61091,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="files_getattr_all_sockets" lineno="1099">
+<interface name="files_getattr_all_sockets" lineno="1123">
 <summary>
 Get the attributes of all named sockets.
 </summary>
@@ -60971,7 +61101,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_dontaudit_getattr_all_sockets" lineno="1119">
+<interface name="files_dontaudit_getattr_all_sockets" lineno="1143">
 <summary>
 Do not audit attempts to get the attributes
 of all named sockets.
@@ -60982,7 +61112,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="files_dontaudit_getattr_non_security_sockets" lineno="1138">
+<interface name="files_dontaudit_getattr_non_security_sockets" lineno="1162">
 <summary>
 Do not audit attempts to get the attributes
 of non security named sockets.
@@ -60993,7 +61123,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="files_read_all_blk_files" lineno="1156">
+<interface name="files_read_all_blk_files" lineno="1180">
 <summary>
 Read all block nodes with file types.
 </summary>
@@ -61003,7 +61133,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_read_all_chr_files" lineno="1174">
+<interface name="files_read_all_chr_files" lineno="1198">
 <summary>
 Read all character nodes with file types.
 </summary>
@@ -61013,7 +61143,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_relabel_all_files" lineno="1200">
+<interface name="files_relabel_all_files" lineno="1224">
 <summary>
 Relabel all files on the filesystem, except
 the listed exceptions.
@@ -61031,7 +61161,7 @@ must be negated by the caller.
 </param>
 <rolecap/>
 </interface>
-<interface name="files_rw_all_files" lineno="1238">
+<interface name="files_rw_all_files" lineno="1262">
 <summary>
 rw all files on the filesystem, except
 the listed exceptions.
@@ -61049,7 +61179,7 @@ must be negated by the caller.
 </param>
 <rolecap/>
 </interface>
-<interface name="files_manage_all_files" lineno="1264">
+<interface name="files_manage_all_files" lineno="1288">
 <summary>
 Manage all files on the filesystem, except
 the listed exceptions.
@@ -61067,7 +61197,7 @@ must be negated by the caller.
 </param>
 <rolecap/>
 </interface>
-<interface name="files_search_all" lineno="1287">
+<interface name="files_search_all" lineno="1311">
 <summary>
 Search the contents of all directories on
 extended attribute filesystems.
@@ -61078,7 +61208,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_list_all" lineno="1306">
+<interface name="files_list_all" lineno="1330">
 <summary>
 List the contents of all directories on
 extended attribute filesystems.
@@ -61089,7 +61219,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_create_all_files_as" lineno="1324">
+<interface name="files_create_all_files_as" lineno="1348">
 <summary>
 Create all files as is.
 </summary>
@@ -61099,7 +61229,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_dontaudit_search_all_dirs" lineno="1344">
+<interface name="files_dontaudit_search_all_dirs" lineno="1368">
 <summary>
 Do not audit attempts to search the
 contents of any directories on extended
@@ -61111,7 +61241,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="files_getattr_all_file_type_fs" lineno="1367">
+<interface name="files_getattr_all_file_type_fs" lineno="1391">
 <summary>
 Get the attributes of all filesystems
 with the type of a file.
@@ -61122,7 +61252,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_relabelto_all_file_type_fs" lineno="1385">
+<interface name="files_relabelto_all_file_type_fs" lineno="1409">
 <summary>
 Relabel a filesystem to the type of a file.
 </summary>
@@ -61132,7 +61262,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_relabel_all_file_type_fs" lineno="1403">
+<interface name="files_relabel_all_file_type_fs" lineno="1427">
 <summary>
 Relabel a filesystem to and from the type of a file.
 </summary>
@@ -61142,7 +61272,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_mount_all_file_type_fs" lineno="1421">
+<interface name="files_mount_all_file_type_fs" lineno="1445">
 <summary>
 Mount all filesystems with the type of a file.
 </summary>
@@ -61152,7 +61282,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_unmount_all_file_type_fs" lineno="1439">
+<interface name="files_unmount_all_file_type_fs" lineno="1463">
 <summary>
 Unmount all filesystems with the type of a file.
 </summary>
@@ -61162,7 +61292,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_watch_all_dirs" lineno="1457">
+<interface name="files_watch_all_dirs" lineno="1481">
 <summary>
 watch all directories of file_type
 </summary>
@@ -61172,7 +61302,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_list_non_auth_dirs" lineno="1477">
+<interface name="files_list_non_auth_dirs" lineno="1501">
 <summary>
 Read all non-authentication related
 directories.
@@ -61183,7 +61313,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_read_non_auth_files" lineno="1496">
+<interface name="files_read_non_auth_files" lineno="1520">
 <summary>
 Read all non-authentication related
 files.
@@ -61194,7 +61324,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_read_non_auth_symlinks" lineno="1515">
+<interface name="files_read_non_auth_symlinks" lineno="1539">
 <summary>
 Read all non-authentication related
 symbolic links.
@@ -61205,7 +61335,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_rw_non_auth_files" lineno="1533">
+<interface name="files_rw_non_auth_files" lineno="1557">
 <summary>
 rw non-authentication related files.
 </summary>
@@ -61215,7 +61345,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_manage_non_auth_files" lineno="1553">
+<interface name="files_manage_non_auth_files" lineno="1577">
 <summary>
 Manage non-authentication related
 files.
@@ -61227,7 +61357,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="files_map_non_auth_files" lineno="1577">
+<interface name="files_map_non_auth_files" lineno="1601">
 <summary>
 Mmap non-authentication related
 files.
@@ -61239,7 +61369,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="files_relabel_non_auth_files" lineno="1597">
+<interface name="files_relabel_non_auth_files" lineno="1621">
 <summary>
 Relabel all non-authentication related
 files.
@@ -61251,7 +61381,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="files_manage_config_dirs" lineno="1630">
+<interface name="files_manage_config_dirs" lineno="1654">
 <summary>
 Manage all configuration directories on filesystem
 </summary>
@@ -61262,7 +61392,7 @@ Domain allowed access.
 </param>
 
 </interface>
-<interface name="files_relabel_config_dirs" lineno="1649">
+<interface name="files_relabel_config_dirs" lineno="1673">
 <summary>
 Relabel configuration directories
 </summary>
@@ -61273,7 +61403,7 @@ Domain allowed access.
 </param>
 
 </interface>
-<interface name="files_dontaudit_relabel_config_dirs" lineno="1668">
+<interface name="files_dontaudit_relabel_config_dirs" lineno="1692">
 <summary>
 Do not audit attempts to relabel configuration directories
 </summary>
@@ -61284,7 +61414,7 @@ Domain not to audit.
 </param>
 
 </interface>
-<interface name="files_read_config_files" lineno="1686">
+<interface name="files_read_config_files" lineno="1710">
 <summary>
 Read config files in /etc.
 </summary>
@@ -61294,7 +61424,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_manage_config_files" lineno="1707">
+<interface name="files_manage_config_files" lineno="1731">
 <summary>
 Manage all configuration files on filesystem
 </summary>
@@ -61305,7 +61435,7 @@ Domain allowed access.
 </param>
 
 </interface>
-<interface name="files_relabel_config_files" lineno="1726">
+<interface name="files_relabel_config_files" lineno="1750">
 <summary>
 Relabel configuration files
 </summary>
@@ -61316,7 +61446,7 @@ Domain allowed access.
 </param>
 
 </interface>
-<interface name="files_dontaudit_relabel_config_files" lineno="1745">
+<interface name="files_dontaudit_relabel_config_files" lineno="1769">
 <summary>
 Do not audit attempts to relabel configuration files
 </summary>
@@ -61327,7 +61457,7 @@ Domain not to audit.
 </param>
 
 </interface>
-<interface name="files_relabel_config_symlinks" lineno="1764">
+<interface name="files_relabel_config_symlinks" lineno="1788">
 <summary>
 Relabel configuration symlinks.
 </summary>
@@ -61338,7 +61468,7 @@ Domain allowed access.
 </param>
 
 </interface>
-<interface name="files_mounton_all_mountpoints" lineno="1782">
+<interface name="files_mounton_all_mountpoints" lineno="1806">
 <summary>
 Mount a filesystem on all mount points.
 </summary>
@@ -61348,7 +61478,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_getattr_all_mountpoints" lineno="1803">
+<interface name="files_getattr_all_mountpoints" lineno="1827">
 <summary>
 Get the attributes of all mount points.
 </summary>
@@ -61358,7 +61488,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_setattr_all_mountpoints" lineno="1821">
+<interface name="files_setattr_all_mountpoints" lineno="1845">
 <summary>
 Set the attributes of all mount points.
 </summary>
@@ -61368,7 +61498,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_dontaudit_setattr_all_mountpoints" lineno="1839">
+<interface name="files_dontaudit_setattr_all_mountpoints" lineno="1863">
 <summary>
 Do not audit attempts to set the attributes on all mount points.
 </summary>
@@ -61378,7 +61508,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="files_search_all_mountpoints" lineno="1857">
+<interface name="files_search_all_mountpoints" lineno="1881">
 <summary>
 Search all mount points.
 </summary>
@@ -61388,7 +61518,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_dontaudit_search_all_mountpoints" lineno="1875">
+<interface name="files_dontaudit_search_all_mountpoints" lineno="1899">
 <summary>
 Do not audit searching of all mount points.
 </summary>
@@ -61398,7 +61528,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="files_list_all_mountpoints" lineno="1893">
+<interface name="files_list_all_mountpoints" lineno="1917">
 <summary>
 List all mount points.
 </summary>
@@ -61408,7 +61538,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_dontaudit_list_all_mountpoints" lineno="1911">
+<interface name="files_dontaudit_list_all_mountpoints" lineno="1935">
 <summary>
 Do not audit listing of all mount points.
 </summary>
@@ -61418,7 +61548,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="files_watch_all_mountpoints" lineno="1929">
+<interface name="files_watch_all_mountpoints" lineno="1953">
 <summary>
 Watch all mountpoints.
 </summary>
@@ -61428,7 +61558,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_watch_all_mount_perm" lineno="1947">
+<interface name="files_watch_all_mount_perm" lineno="1971">
 <summary>
 Watch all mountpoints.
 </summary>
@@ -61438,7 +61568,17 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_write_all_mountpoints" lineno="1965">
+<interface name="files_watch_all_mount_sb" lineno="1989">
+<summary>
+Watch all mount superblock changes
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_write_all_mountpoints" lineno="2007">
 <summary>
 Check if all mountpoints are writable.
 </summary>
@@ -61448,7 +61588,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_dontaudit_write_all_mountpoints" lineno="1983">
+<interface name="files_dontaudit_write_all_mountpoints" lineno="2025">
 <summary>
 Do not audit attempts to write to mount points.
 </summary>
@@ -61458,7 +61598,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="files_list_root" lineno="2001">
+<interface name="files_list_root" lineno="2043">
 <summary>
 List the contents of the root directory.
 </summary>
@@ -61468,7 +61608,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_delete_root_symlinks" lineno="2021">
+<interface name="files_delete_root_symlinks" lineno="2063">
 <summary>
 Delete symbolic links in the
 root directory.
@@ -61479,7 +61619,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_dontaudit_write_root_dirs" lineno="2039">
+<interface name="files_dontaudit_write_root_dirs" lineno="2081">
 <summary>
 Do not audit attempts to write to / dirs.
 </summary>
@@ -61489,7 +61629,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="files_dontaudit_rw_root_dir" lineno="2058">
+<interface name="files_dontaudit_rw_root_dir" lineno="2100">
 <summary>
 Do not audit attempts to write
 files in the root directory.
@@ -61500,7 +61640,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="files_watch_root_dirs" lineno="2076">
+<interface name="files_watch_root_dirs" lineno="2118">
 <summary>
 Watch the root directory.
 </summary>
@@ -61510,7 +61650,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_root_filetrans" lineno="2110">
+<interface name="files_root_filetrans" lineno="2152">
 <summary>
 Create an object in the root directory, with a private
 type using a type transition.
@@ -61536,7 +61676,7 @@ The name of the object being created.
 </summary>
 </param>
 </interface>
-<interface name="files_dontaudit_read_root_files" lineno="2129">
+<interface name="files_dontaudit_read_root_files" lineno="2171">
 <summary>
 Do not audit attempts to read files in
 the root directory.
@@ -61547,7 +61687,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="files_dontaudit_rw_root_files" lineno="2148">
+<interface name="files_dontaudit_rw_root_files" lineno="2190">
 <summary>
 Do not audit attempts to read or write
 files in the root directory.
@@ -61558,7 +61698,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="files_dontaudit_rw_root_chr_files" lineno="2167">
+<interface name="files_dontaudit_rw_root_chr_files" lineno="2209">
 <summary>
 Do not audit attempts to read or write
 character device nodes in the root directory.
@@ -61569,7 +61709,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="files_delete_root_chr_files" lineno="2186">
+<interface name="files_delete_root_chr_files" lineno="2228">
 <summary>
 Delete character device nodes in
 the root directory.
@@ -61580,7 +61720,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_delete_root_files" lineno="2204">
+<interface name="files_delete_root_files" lineno="2246">
 <summary>
 Delete files in the root directory.
 </summary>
@@ -61590,7 +61730,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_exec_root_files" lineno="2222">
+<interface name="files_exec_root_files" lineno="2264">
 <summary>
 Execute files in the root directory.
 </summary>
@@ -61600,7 +61740,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_delete_root_dir_entry" lineno="2240">
+<interface name="files_delete_root_dir_entry" lineno="2282">
 <summary>
 Remove entries from the root directory.
 </summary>
@@ -61610,7 +61750,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_manage_root_dir" lineno="2258">
+<interface name="files_manage_root_dir" lineno="2300">
 <summary>
 Manage the root directory.
 </summary>
@@ -61620,7 +61760,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_getattr_rootfs" lineno="2277">
+<interface name="files_getattr_rootfs" lineno="2319">
 <summary>
 Get the attributes of a rootfs
 file system.
@@ -61631,7 +61771,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_associate_rootfs" lineno="2295">
+<interface name="files_associate_rootfs" lineno="2337">
 <summary>
 Associate to root file system.
 </summary>
@@ -61641,7 +61781,7 @@ Type of the file to associate.
 </summary>
 </param>
 </interface>
-<interface name="files_relabel_rootfs" lineno="2313">
+<interface name="files_relabel_rootfs" lineno="2355">
 <summary>
 Relabel to and from rootfs file system.
 </summary>
@@ -61651,7 +61791,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_unmount_rootfs" lineno="2331">
+<interface name="files_unmount_rootfs" lineno="2373">
 <summary>
 Unmount a rootfs filesystem.
 </summary>
@@ -61661,7 +61801,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_mounton_root" lineno="2349">
+<interface name="files_mounton_root" lineno="2391">
 <summary>
 Mount on the root directory (/)
 </summary>
@@ -61671,7 +61811,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_getattr_boot_fs" lineno="2368">
+<interface name="files_getattr_boot_fs" lineno="2410">
 <summary>
 Get the attributes of a filesystem
 mounted on /boot.
@@ -61682,7 +61822,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_remount_boot" lineno="2386">
+<interface name="files_remount_boot" lineno="2428">
 <summary>
 Remount a filesystem mounted on /boot.
 </summary>
@@ -61692,7 +61832,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_getattr_boot_dirs" lineno="2404">
+<interface name="files_getattr_boot_dirs" lineno="2446">
 <summary>
 Get attributes of the /boot directory.
 </summary>
@@ -61702,7 +61842,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_dontaudit_getattr_boot_dirs" lineno="2423">
+<interface name="files_dontaudit_getattr_boot_dirs" lineno="2465">
 <summary>
 Do not audit attempts to get attributes
 of the /boot directory.
@@ -61713,7 +61853,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="files_search_boot" lineno="2441">
+<interface name="files_search_boot" lineno="2483">
 <summary>
 Search the /boot directory.
 </summary>
@@ -61723,7 +61863,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_dontaudit_search_boot" lineno="2459">
+<interface name="files_dontaudit_search_boot" lineno="2501">
 <summary>
 Do not audit attempts to search the /boot directory.
 </summary>
@@ -61733,7 +61873,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="files_list_boot" lineno="2477">
+<interface name="files_list_boot" lineno="2519">
 <summary>
 List the /boot directory.
 </summary>
@@ -61743,7 +61883,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_dontaudit_list_boot" lineno="2495">
+<interface name="files_dontaudit_list_boot" lineno="2537">
 <summary>
 Do not audit attempts to list the /boot directory.
 </summary>
@@ -61753,7 +61893,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_create_boot_dirs" lineno="2513">
+<interface name="files_create_boot_dirs" lineno="2555">
 <summary>
 Create directories in /boot
 </summary>
@@ -61763,7 +61903,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_manage_boot_dirs" lineno="2532">
+<interface name="files_manage_boot_dirs" lineno="2574">
 <summary>
 Create, read, write, and delete
 directories in /boot.
@@ -61774,7 +61914,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_boot_filetrans" lineno="2566">
+<interface name="files_boot_filetrans" lineno="2608">
 <summary>
 Create a private type object in boot
 with an automatic type transition
@@ -61800,7 +61940,7 @@ The name of the object being created.
 </summary>
 </param>
 </interface>
-<interface name="files_read_boot_files" lineno="2585">
+<interface name="files_read_boot_files" lineno="2627">
 <summary>
 read files in the /boot directory.
 </summary>
@@ -61811,7 +61951,18 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="files_manage_boot_files" lineno="2605">
+<interface name="files_mmap_read_boot_files" lineno="2646">
+<summary>
+Read and memory map files in the /boot directory.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="files_manage_boot_files" lineno="2666">
 <summary>
 Create, read, write, and delete files
 in the /boot directory.
@@ -61823,7 +61974,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="files_relabelfrom_boot_files" lineno="2623">
+<interface name="files_relabelfrom_boot_files" lineno="2684">
 <summary>
 Relabel from files in the /boot directory.
 </summary>
@@ -61833,7 +61984,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_read_boot_symlinks" lineno="2641">
+<interface name="files_read_boot_symlinks" lineno="2702">
 <summary>
 Read symbolic links in the /boot directory.
 </summary>
@@ -61843,7 +61994,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_rw_boot_symlinks" lineno="2660">
+<interface name="files_rw_boot_symlinks" lineno="2721">
 <summary>
 Read and write symbolic links
 in the /boot directory.
@@ -61854,7 +62005,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_manage_boot_symlinks" lineno="2680">
+<interface name="files_manage_boot_symlinks" lineno="2741">
 <summary>
 Create, read, write, and delete symbolic links
 in the /boot directory.
@@ -61865,7 +62016,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_read_kernel_img" lineno="2698">
+<interface name="files_read_kernel_img" lineno="2759">
 <summary>
 Read kernel files in the /boot directory.
 </summary>
@@ -61875,7 +62026,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_create_kernel_img" lineno="2719">
+<interface name="files_create_kernel_img" lineno="2780">
 <summary>
 Install a kernel into the /boot directory.
 </summary>
@@ -61886,7 +62037,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="files_delete_kernel" lineno="2739">
+<interface name="files_delete_kernel" lineno="2800">
 <summary>
 Delete a kernel from /boot.
 </summary>
@@ -61897,7 +62048,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="files_getattr_default_dirs" lineno="2757">
+<interface name="files_getattr_default_dirs" lineno="2818">
 <summary>
 Getattr of directories with the default file type.
 </summary>
@@ -61907,7 +62058,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_dontaudit_getattr_default_dirs" lineno="2776">
+<interface name="files_dontaudit_getattr_default_dirs" lineno="2837">
 <summary>
 Do not audit attempts to get the attributes of
 directories with the default file type.
@@ -61918,7 +62069,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="files_search_default" lineno="2794">
+<interface name="files_search_default" lineno="2855">
 <summary>
 Search the contents of directories with the default file type.
 </summary>
@@ -61928,7 +62079,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_list_default" lineno="2812">
+<interface name="files_list_default" lineno="2873">
 <summary>
 List contents of directories with the default file type.
 </summary>
@@ -61938,7 +62089,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_dontaudit_list_default" lineno="2831">
+<interface name="files_dontaudit_list_default" lineno="2892">
 <summary>
 Do not audit attempts to list contents of
 directories with the default file type.
@@ -61949,7 +62100,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="files_manage_default_dirs" lineno="2850">
+<interface name="files_manage_default_dirs" lineno="2911">
 <summary>
 Create, read, write, and delete directories with
 the default file type.
@@ -61960,7 +62111,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_mounton_default" lineno="2868">
+<interface name="files_mounton_default" lineno="2929">
 <summary>
 Mount a filesystem on a directory with the default file type.
 </summary>
@@ -61970,7 +62121,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_dontaudit_getattr_default_files" lineno="2887">
+<interface name="files_dontaudit_getattr_default_files" lineno="2948">
 <summary>
 Do not audit attempts to get the attributes of
 files with the default file type.
@@ -61981,7 +62132,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="files_read_default_files" lineno="2905">
+<interface name="files_read_default_files" lineno="2966">
 <summary>
 Read files with the default file type.
 </summary>
@@ -61991,7 +62142,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_dontaudit_read_default_files" lineno="2924">
+<interface name="files_dontaudit_read_default_files" lineno="2985">
 <summary>
 Do not audit attempts to read files
 with the default file type.
@@ -62002,7 +62153,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="files_dontaudit_execute_default_files" lineno="2943">
+<interface name="files_dontaudit_execute_default_files" lineno="3004">
 <summary>
 Do not audit attempts to execute files
 with the default file type.
@@ -62013,7 +62164,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="files_manage_default_files" lineno="2962">
+<interface name="files_manage_default_files" lineno="3023">
 <summary>
 Create, read, write, and delete files with
 the default file type.
@@ -62024,7 +62175,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_read_default_symlinks" lineno="2980">
+<interface name="files_read_default_symlinks" lineno="3041">
 <summary>
 Read symbolic links with the default file type.
 </summary>
@@ -62034,7 +62185,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_read_default_sockets" lineno="2998">
+<interface name="files_read_default_sockets" lineno="3059">
 <summary>
 Read sockets with the default file type.
 </summary>
@@ -62044,7 +62195,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_read_default_pipes" lineno="3016">
+<interface name="files_read_default_pipes" lineno="3077">
 <summary>
 Read named pipes with the default file type.
 </summary>
@@ -62054,7 +62205,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_search_etc" lineno="3034">
+<interface name="files_search_etc" lineno="3095">
 <summary>
 Search the contents of /etc directories.
 </summary>
@@ -62064,7 +62215,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_setattr_etc_dirs" lineno="3052">
+<interface name="files_setattr_etc_dirs" lineno="3113">
 <summary>
 Set the attributes of the /etc directories.
 </summary>
@@ -62074,7 +62225,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_list_etc" lineno="3070">
+<interface name="files_list_etc" lineno="3131">
 <summary>
 List the contents of /etc directories.
 </summary>
@@ -62084,7 +62235,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_dontaudit_write_etc_dirs" lineno="3088">
+<interface name="files_dontaudit_write_etc_dirs" lineno="3149">
 <summary>
 Do not audit attempts to write to /etc dirs.
 </summary>
@@ -62094,7 +62245,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="files_rw_etc_dirs" lineno="3106">
+<interface name="files_rw_etc_dirs" lineno="3167">
 <summary>
 Add and remove entries from /etc directories.
 </summary>
@@ -62104,7 +62255,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_manage_etc_dirs" lineno="3125">
+<interface name="files_manage_etc_dirs" lineno="3186">
 <summary>
 Manage generic directories in /etc
 </summary>
@@ -62115,7 +62266,7 @@ Domain allowed access
 </param>
 
 </interface>
-<interface name="files_relabelto_etc_dirs" lineno="3143">
+<interface name="files_relabelto_etc_dirs" lineno="3204">
 <summary>
 Relabel directories to etc_t.
 </summary>
@@ -62125,7 +62276,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_mounton_etc_dirs" lineno="3162">
+<interface name="files_mounton_etc_dirs" lineno="3223">
 <summary>
 Mount a filesystem on the
 etc directories.
@@ -62136,7 +62287,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_remount_etc" lineno="3180">
+<interface name="files_remount_etc" lineno="3241">
 <summary>
 Remount etc filesystems.
 </summary>
@@ -62146,7 +62297,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_watch_etc_dirs" lineno="3198">
+<interface name="files_watch_etc_dirs" lineno="3259">
 <summary>
 Watch /etc directories
 </summary>
@@ -62156,7 +62307,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_read_etc_files" lineno="3250">
+<interface name="files_read_etc_files" lineno="3311">
 <summary>
 Read generic files in /etc.
 </summary>
@@ -62200,7 +62351,7 @@ Domain allowed access.
 </param>
 <infoflow type="read" weight="10"/>
 </interface>
-<interface name="files_map_etc_files" lineno="3282">
+<interface name="files_map_etc_files" lineno="3343">
 <summary>
 Map generic files in /etc.
 </summary>
@@ -62222,7 +62373,7 @@ Domain allowed access.
 </param>
 <infoflow type="read" weight="10"/>
 </interface>
-<interface name="files_dontaudit_write_etc_files" lineno="3300">
+<interface name="files_dontaudit_write_etc_files" lineno="3361">
 <summary>
 Do not audit attempts to write generic files in /etc.
 </summary>
@@ -62232,7 +62383,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_rw_etc_files" lineno="3319">
+<interface name="files_rw_etc_files" lineno="3380">
 <summary>
 Read and write generic files in /etc.
 </summary>
@@ -62243,7 +62394,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="files_manage_etc_files" lineno="3341">
+<interface name="files_manage_etc_files" lineno="3402">
 <summary>
 Create, read, write, and delete generic
 files in /etc.
@@ -62255,7 +62406,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="files_dontaudit_manage_etc_files" lineno="3362">
+<interface name="files_dontaudit_manage_etc_files" lineno="3423">
 <summary>
 Do not audit attempts to create, read, write,
 and delete generic files in /etc.
@@ -62267,7 +62418,7 @@ Domain to not audit.
 </param>
 <rolecap/>
 </interface>
-<interface name="files_delete_etc_files" lineno="3380">
+<interface name="files_delete_etc_files" lineno="3441">
 <summary>
 Delete system configuration files in /etc.
 </summary>
@@ -62277,7 +62428,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_exec_etc_files" lineno="3398">
+<interface name="files_exec_etc_files" lineno="3459">
 <summary>
 Execute generic files in /etc.
 </summary>
@@ -62287,7 +62438,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_watch_etc_files" lineno="3418">
+<interface name="files_watch_etc_files" lineno="3479">
 <summary>
 Watch /etc files.
 </summary>
@@ -62297,7 +62448,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_get_etc_unit_status" lineno="3436">
+<interface name="files_get_etc_unit_status" lineno="3497">
 <summary>
 Get etc_t service status.
 </summary>
@@ -62307,7 +62458,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_start_etc_service" lineno="3455">
+<interface name="files_start_etc_service" lineno="3516">
 <summary>
 start etc_t service
 </summary>
@@ -62317,7 +62468,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_stop_etc_service" lineno="3474">
+<interface name="files_stop_etc_service" lineno="3535">
 <summary>
 stop etc_t service
 </summary>
@@ -62327,7 +62478,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_relabel_etc_files" lineno="3493">
+<interface name="files_relabel_etc_files" lineno="3554">
 <summary>
 Relabel from and to generic files in /etc.
 </summary>
@@ -62337,7 +62488,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_read_etc_symlinks" lineno="3512">
+<interface name="files_read_etc_symlinks" lineno="3573">
 <summary>
 Read symbolic links in /etc.
 </summary>
@@ -62347,7 +62498,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_watch_etc_symlinks" lineno="3530">
+<interface name="files_watch_etc_symlinks" lineno="3591">
 <summary>
 Watch /etc symlinks
 </summary>
@@ -62357,7 +62508,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_manage_etc_symlinks" lineno="3548">
+<interface name="files_manage_etc_symlinks" lineno="3609">
 <summary>
 Create, read, write, and delete symbolic links in /etc.
 </summary>
@@ -62367,7 +62518,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_etc_filetrans" lineno="3582">
+<interface name="files_etc_filetrans" lineno="3643">
 <summary>
 Create objects in /etc with a private
 type using a type_transition.
@@ -62393,7 +62544,7 @@ The name of the object being created.
 </summary>
 </param>
 </interface>
-<interface name="files_create_boot_flag" lineno="3612">
+<interface name="files_create_boot_flag" lineno="3673">
 <summary>
 Create a boot flag.
 </summary>
@@ -62415,7 +62566,7 @@ The name of the object being created.
 </param>
 <rolecap/>
 </interface>
-<interface name="files_delete_boot_flag" lineno="3638">
+<interface name="files_delete_boot_flag" lineno="3699">
 <summary>
 Delete a boot flag.
 </summary>
@@ -62432,7 +62583,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="files_getattr_etc_runtime_dirs" lineno="3657">
+<interface name="files_getattr_etc_runtime_dirs" lineno="3718">
 <summary>
 Get the attributes of the
 etc_runtime directories.
@@ -62443,7 +62594,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_mounton_etc_runtime_dirs" lineno="3676">
+<interface name="files_mounton_etc_runtime_dirs" lineno="3737">
 <summary>
 Mount a filesystem on the
 etc_runtime directories.
@@ -62454,7 +62605,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_relabelto_etc_runtime_dirs" lineno="3694">
+<interface name="files_relabelto_etc_runtime_dirs" lineno="3755">
 <summary>
 Relabel to etc_runtime_t dirs.
 </summary>
@@ -62464,7 +62615,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_dontaudit_setattr_etc_runtime_files" lineno="3712">
+<interface name="files_dontaudit_setattr_etc_runtime_files" lineno="3773">
 <summary>
 Do not audit attempts to set the attributes of the etc_runtime files
 </summary>
@@ -62474,7 +62625,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="files_read_etc_runtime_files" lineno="3750">
+<interface name="files_read_etc_runtime_files" lineno="3811">
 <summary>
 Read files in /etc that are dynamically
 created on boot, such as mtab.
@@ -62504,7 +62655,7 @@ Domain allowed access.
 <infoflow type="read" weight="10" />
 <rolecap/>
 </interface>
-<interface name="files_dontaudit_read_etc_runtime_files" lineno="3772">
+<interface name="files_dontaudit_read_etc_runtime_files" lineno="3833">
 <summary>
 Do not audit attempts to read files
 in /etc that are dynamically
@@ -62516,9 +62667,21 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="files_dontaudit_execuite_etc_runtime_files" lineno="3792">
+<interface name="files_dontaudit_exec_etc_runtime_files" lineno="3853">
+<summary>
+Do not audit attempts to execute files
+in /etc that are dynamically
+created on boot, such as mtab.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="files_dontaudit_execuite_etc_runtime_files" lineno="3873">
 <summary>
-Do not audit attempts to execuite files
+Do not audit attempts to execute files
 in /etc that are dynamically
 created on boot, such as mtab.
 </summary>
@@ -62528,7 +62691,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="files_dontaudit_read_etc_files" lineno="3811">
+<interface name="files_dontaudit_read_etc_files" lineno="3889">
 <summary>
 Do not audit attempts to read files
 in /etc
@@ -62539,7 +62702,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="files_dontaudit_write_etc_runtime_files" lineno="3830">
+<interface name="files_dontaudit_write_etc_runtime_files" lineno="3908">
 <summary>
 Do not audit attempts to write
 etc runtime files.
@@ -62550,7 +62713,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="files_rw_etc_runtime_files" lineno="3850">
+<interface name="files_rw_etc_runtime_files" lineno="3928">
 <summary>
 Read and write files in /etc that are dynamically
 created on boot, such as mtab.
@@ -62562,7 +62725,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="files_manage_etc_runtime_files" lineno="3872">
+<interface name="files_manage_etc_runtime_files" lineno="3950">
 <summary>
 Create, read, write, and delete files in
 /etc that are dynamically created on boot,
@@ -62575,7 +62738,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="files_relabelto_etc_runtime_files" lineno="3890">
+<interface name="files_relabelto_etc_runtime_files" lineno="3968">
 <summary>
 Relabel to etc_runtime_t files.
 </summary>
@@ -62585,7 +62748,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_etc_filetrans_etc_runtime" lineno="3919">
+<interface name="files_etc_filetrans_etc_runtime" lineno="3997">
 <summary>
 Create, etc runtime objects with an automatic
 type transition.
@@ -62606,7 +62769,7 @@ The name of the object being created.
 </summary>
 </param>
 </interface>
-<interface name="files_getattr_home_dir" lineno="3938">
+<interface name="files_getattr_home_dir" lineno="4016">
 <summary>
 Get the attributes of the home directories root
 (/home).
@@ -62617,7 +62780,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_dontaudit_getattr_home_dir" lineno="3959">
+<interface name="files_dontaudit_getattr_home_dir" lineno="4037">
 <summary>
 Do not audit attempts to get the
 attributes of the home directories root
@@ -62629,7 +62792,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="files_search_home" lineno="3978">
+<interface name="files_search_home" lineno="4056">
 <summary>
 Search home directories root (/home).
 </summary>
@@ -62639,7 +62802,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_dontaudit_search_home" lineno="3998">
+<interface name="files_dontaudit_search_home" lineno="4076">
 <summary>
 Do not audit attempts to search
 home directories root (/home).
@@ -62650,7 +62813,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="files_dontaudit_list_home" lineno="4018">
+<interface name="files_dontaudit_list_home" lineno="4096">
 <summary>
 Do not audit attempts to list
 home directories root (/home).
@@ -62661,7 +62824,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="files_list_home" lineno="4037">
+<interface name="files_list_home" lineno="4115">
 <summary>
 Get listing of home directories.
 </summary>
@@ -62671,7 +62834,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_relabelto_home" lineno="4056">
+<interface name="files_relabelto_home" lineno="4134">
 <summary>
 Relabel to user home root (/home).
 </summary>
@@ -62681,7 +62844,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_relabelfrom_home" lineno="4074">
+<interface name="files_relabelfrom_home" lineno="4152">
 <summary>
 Relabel from user home root (/home).
 </summary>
@@ -62691,7 +62854,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_watch_home" lineno="4092">
+<interface name="files_watch_home" lineno="4170">
 <summary>
 Watch the user home root (/home).
 </summary>
@@ -62701,7 +62864,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_home_filetrans" lineno="4125">
+<interface name="files_home_filetrans" lineno="4203">
 <summary>
 Create objects in /home.
 </summary>
@@ -62726,7 +62889,7 @@ The name of the object being created.
 </summary>
 </param>
 </interface>
-<interface name="files_getattr_lost_found_dirs" lineno="4143">
+<interface name="files_getattr_lost_found_dirs" lineno="4221">
 <summary>
 Get the attributes of lost+found directories.
 </summary>
@@ -62736,7 +62899,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_dontaudit_getattr_lost_found_dirs" lineno="4162">
+<interface name="files_dontaudit_getattr_lost_found_dirs" lineno="4240">
 <summary>
 Do not audit attempts to get the attributes of
 lost+found directories.
@@ -62747,7 +62910,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="files_list_lost_found" lineno="4180">
+<interface name="files_list_lost_found" lineno="4258">
 <summary>
 List the contents of lost+found directories.
 </summary>
@@ -62757,7 +62920,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_manage_lost_found" lineno="4200">
+<interface name="files_manage_lost_found" lineno="4278">
 <summary>
 Create, read, write, and delete objects in
 lost+found directories.
@@ -62769,7 +62932,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="files_search_mnt" lineno="4222">
+<interface name="files_search_mnt" lineno="4300">
 <summary>
 Search the contents of /mnt.
 </summary>
@@ -62779,7 +62942,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_dontaudit_search_mnt" lineno="4240">
+<interface name="files_dontaudit_search_mnt" lineno="4318">
 <summary>
 Do not audit attempts to search /mnt.
 </summary>
@@ -62789,7 +62952,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="files_list_mnt" lineno="4258">
+<interface name="files_list_mnt" lineno="4336">
 <summary>
 List the contents of /mnt.
 </summary>
@@ -62799,7 +62962,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_dontaudit_list_mnt" lineno="4276">
+<interface name="files_dontaudit_list_mnt" lineno="4354">
 <summary>
 Do not audit attempts to list the contents of /mnt.
 </summary>
@@ -62809,7 +62972,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_mounton_mnt" lineno="4294">
+<interface name="files_mounton_mnt" lineno="4372">
 <summary>
 Mount a filesystem on /mnt.
 </summary>
@@ -62819,7 +62982,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_manage_mnt_dirs" lineno="4313">
+<interface name="files_manage_mnt_dirs" lineno="4391">
 <summary>
 Create, read, write, and delete directories in /mnt.
 </summary>
@@ -62830,7 +62993,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="files_manage_mnt_files" lineno="4331">
+<interface name="files_manage_mnt_files" lineno="4409">
 <summary>
 Create, read, write, and delete files in /mnt.
 </summary>
@@ -62840,7 +63003,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_read_mnt_files" lineno="4349">
+<interface name="files_read_mnt_files" lineno="4427">
 <summary>
 read files in /mnt.
 </summary>
@@ -62850,7 +63013,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_read_mnt_symlinks" lineno="4367">
+<interface name="files_read_mnt_symlinks" lineno="4445">
 <summary>
 Read symbolic links in /mnt.
 </summary>
@@ -62860,7 +63023,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_manage_mnt_symlinks" lineno="4385">
+<interface name="files_manage_mnt_symlinks" lineno="4463">
 <summary>
 Create, read, write, and delete symbolic links in /mnt.
 </summary>
@@ -62870,7 +63033,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_search_kernel_modules" lineno="4403">
+<interface name="files_search_kernel_modules" lineno="4481">
 <summary>
 Search the contents of the kernel module directories.
 </summary>
@@ -62880,7 +63043,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_list_kernel_modules" lineno="4422">
+<interface name="files_list_kernel_modules" lineno="4500">
 <summary>
 List the contents of the kernel module directories.
 </summary>
@@ -62890,7 +63053,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_getattr_kernel_modules" lineno="4441">
+<interface name="files_getattr_kernel_modules" lineno="4519">
 <summary>
 Get the attributes of kernel module files.
 </summary>
@@ -62900,7 +63063,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_read_kernel_modules" lineno="4459">
+<interface name="files_read_kernel_modules" lineno="4537">
 <summary>
 Read kernel module files.
 </summary>
@@ -62910,7 +63073,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_mmap_read_kernel_modules" lineno="4479">
+<interface name="files_mmap_read_kernel_modules" lineno="4557">
 <summary>
 Read and mmap kernel module files.
 </summary>
@@ -62920,7 +63083,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_write_kernel_modules" lineno="4500">
+<interface name="files_write_kernel_modules" lineno="4578">
 <summary>
 Write kernel module files.
 </summary>
@@ -62930,7 +63093,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_delete_kernel_modules" lineno="4519">
+<interface name="files_delete_kernel_modules" lineno="4597">
 <summary>
 Delete kernel module files.
 </summary>
@@ -62940,7 +63103,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_manage_kernel_modules" lineno="4539">
+<interface name="files_manage_kernel_modules" lineno="4617">
 <summary>
 Create, read, write, and delete
 kernel module files.
@@ -62952,7 +63115,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="files_relabel_kernel_modules" lineno="4559">
+<interface name="files_relabel_kernel_modules" lineno="4637">
 <summary>
 Relabel from and to kernel module files.
 </summary>
@@ -62962,7 +63125,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_mounton_kernel_modules_dirs" lineno="4578">
+<interface name="files_mounton_kernel_modules_dirs" lineno="4656">
 <summary>
 Mount on kernel module directories.
 </summary>
@@ -62972,7 +63135,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_kernel_modules_filetrans" lineno="4612">
+<interface name="files_kernel_modules_filetrans" lineno="4690">
 <summary>
 Create objects in the kernel module directories
 with a private type via an automatic type transition.
@@ -62998,7 +63161,7 @@ The name of the object being created.
 </summary>
 </param>
 </interface>
-<interface name="files_load_kernel_modules" lineno="4630">
+<interface name="files_load_kernel_modules" lineno="4708">
 <summary>
 Load kernel module files.
 </summary>
@@ -63008,7 +63171,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_dontaudit_load_kernel_modules" lineno="4649">
+<interface name="files_dontaudit_load_kernel_modules" lineno="4727">
 <summary>
 Load kernel module files.
 </summary>
@@ -63018,7 +63181,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_list_world_readable" lineno="4669">
+<interface name="files_list_world_readable" lineno="4747">
 <summary>
 List world-readable directories.
 </summary>
@@ -63029,7 +63192,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="files_read_world_readable_files" lineno="4688">
+<interface name="files_read_world_readable_files" lineno="4766">
 <summary>
 Read world-readable files.
 </summary>
@@ -63040,7 +63203,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="files_read_world_readable_symlinks" lineno="4707">
+<interface name="files_read_world_readable_symlinks" lineno="4785">
 <summary>
 Read world-readable symbolic links.
 </summary>
@@ -63051,7 +63214,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="files_read_world_readable_pipes" lineno="4725">
+<interface name="files_read_world_readable_pipes" lineno="4803">
 <summary>
 Read world-readable named pipes.
 </summary>
@@ -63061,7 +63224,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_read_world_readable_sockets" lineno="4743">
+<interface name="files_read_world_readable_sockets" lineno="4821">
 <summary>
 Read world-readable sockets.
 </summary>
@@ -63071,7 +63234,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_associate_tmp" lineno="4763">
+<interface name="files_associate_tmp" lineno="4841">
 <summary>
 Allow the specified type to associate
 to a filesystem with the type of the
@@ -63083,7 +63246,7 @@ Type of the file to associate.
 </summary>
 </param>
 </interface>
-<interface name="files_getattr_tmp_dirs" lineno="4781">
+<interface name="files_getattr_tmp_dirs" lineno="4859">
 <summary>
 Get the	attributes of the tmp directory (/tmp).
 </summary>
@@ -63093,7 +63256,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_dontaudit_getattr_tmp_dirs" lineno="4800">
+<interface name="files_dontaudit_getattr_tmp_dirs" lineno="4878">
 <summary>
 Do not audit attempts to get the
 attributes of the tmp directory (/tmp).
@@ -63104,7 +63267,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_search_tmp" lineno="4818">
+<interface name="files_search_tmp" lineno="4896">
 <summary>
 Search the tmp directory (/tmp).
 </summary>
@@ -63114,7 +63277,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_dontaudit_search_tmp" lineno="4836">
+<interface name="files_dontaudit_search_tmp" lineno="4914">
 <summary>
 Do not audit attempts to search the tmp directory (/tmp).
 </summary>
@@ -63124,7 +63287,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="files_list_tmp" lineno="4854">
+<interface name="files_list_tmp" lineno="4932">
 <summary>
 Read the tmp directory (/tmp).
 </summary>
@@ -63134,7 +63297,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_dontaudit_list_tmp" lineno="4872">
+<interface name="files_dontaudit_list_tmp" lineno="4950">
 <summary>
 Do not audit listing of the tmp directory (/tmp).
 </summary>
@@ -63144,7 +63307,7 @@ Domain not to audit.
 </summary>
 </param>
 </interface>
-<interface name="files_delete_tmp_dir_entry" lineno="4890">
+<interface name="files_delete_tmp_dir_entry" lineno="4968">
 <summary>
 Remove entries from the tmp directory.
 </summary>
@@ -63154,7 +63317,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_read_generic_tmp_files" lineno="4908">
+<interface name="files_read_generic_tmp_files" lineno="4986">
 <summary>
 Read files in the tmp directory (/tmp).
 </summary>
@@ -63164,7 +63327,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_manage_generic_tmp_dirs" lineno="4926">
+<interface name="files_manage_generic_tmp_dirs" lineno="5004">
 <summary>
 Manage temporary directories in /tmp.
 </summary>
@@ -63174,7 +63337,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_relabel_generic_tmp_dirs" lineno="4944">
+<interface name="files_relabel_generic_tmp_dirs" lineno="5022">
 <summary>
 Relabel temporary directories in /tmp.
 </summary>
@@ -63184,7 +63347,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_manage_generic_tmp_files" lineno="4962">
+<interface name="files_manage_generic_tmp_files" lineno="5040">
 <summary>
 Manage temporary files and directories in /tmp.
 </summary>
@@ -63194,7 +63357,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_read_generic_tmp_symlinks" lineno="4980">
+<interface name="files_read_generic_tmp_symlinks" lineno="5058">
 <summary>
 Read symbolic links in the tmp directory (/tmp).
 </summary>
@@ -63204,7 +63367,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_rw_generic_tmp_sockets" lineno="4998">
+<interface name="files_rw_generic_tmp_sockets" lineno="5076">
 <summary>
 Read and write generic named sockets in the tmp directory (/tmp).
 </summary>
@@ -63214,7 +63377,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_mounton_tmp" lineno="5016">
+<interface name="files_mounton_tmp" lineno="5094">
 <summary>
 Mount filesystems in the tmp directory (/tmp)
 </summary>
@@ -63224,7 +63387,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_setattr_all_tmp_dirs" lineno="5034">
+<interface name="files_setattr_all_tmp_dirs" lineno="5112">
 <summary>
 Set the attributes of all tmp directories.
 </summary>
@@ -63234,7 +63397,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_list_all_tmp" lineno="5052">
+<interface name="files_list_all_tmp" lineno="5130">
 <summary>
 List all tmp directories.
 </summary>
@@ -63244,7 +63407,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_relabel_all_tmp_dirs" lineno="5072">
+<interface name="files_relabel_all_tmp_dirs" lineno="5150">
 <summary>
 Relabel to and from all temporary
 directory types.
@@ -63256,7 +63419,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="files_dontaudit_getattr_all_tmp_files" lineno="5093">
+<interface name="files_dontaudit_getattr_all_tmp_files" lineno="5171">
 <summary>
 Do not audit attempts to get the attributes
 of all tmp files.
@@ -63267,7 +63430,7 @@ Domain not to audit.
 </summary>
 </param>
 </interface>
-<interface name="files_getattr_all_tmp_files" lineno="5112">
+<interface name="files_getattr_all_tmp_files" lineno="5190">
 <summary>
 Allow attempts to get the attributes
 of all tmp files.
@@ -63278,7 +63441,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_relabel_all_tmp_files" lineno="5132">
+<interface name="files_relabel_all_tmp_files" lineno="5210">
 <summary>
 Relabel to and from all temporary
 file types.
@@ -63290,7 +63453,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="files_dontaudit_getattr_all_tmp_sockets" lineno="5153">
+<interface name="files_dontaudit_getattr_all_tmp_sockets" lineno="5231">
 <summary>
 Do not audit attempts to get the attributes
 of all tmp sock_file.
@@ -63301,7 +63464,7 @@ Domain not to audit.
 </summary>
 </param>
 </interface>
-<interface name="files_read_all_tmp_files" lineno="5171">
+<interface name="files_read_all_tmp_files" lineno="5249">
 <summary>
 Read all tmp files.
 </summary>
@@ -63311,7 +63474,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_tmp_filetrans" lineno="5205">
+<interface name="files_tmp_filetrans" lineno="5283">
 <summary>
 Create an object in the tmp directories, with a private
 type using a type transition.
@@ -63337,7 +63500,7 @@ The name of the object being created.
 </summary>
 </param>
 </interface>
-<interface name="files_purge_tmp" lineno="5223">
+<interface name="files_purge_tmp" lineno="5301">
 <summary>
 Delete the contents of /tmp.
 </summary>
@@ -63347,7 +63510,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_getattr_all_tmpfs_files" lineno="5246">
+<interface name="files_getattr_all_tmpfs_files" lineno="5324">
 <summary>
 Get the attributes of all tmpfs files.
 </summary>
@@ -63357,7 +63520,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_setattr_usr_dirs" lineno="5265">
+<interface name="files_setattr_usr_dirs" lineno="5343">
 <summary>
 Set the attributes of the /usr directory.
 </summary>
@@ -63367,7 +63530,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_search_usr" lineno="5283">
+<interface name="files_search_usr" lineno="5361">
 <summary>
 Search the content of /usr.
 </summary>
@@ -63377,7 +63540,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_list_usr" lineno="5302">
+<interface name="files_list_usr" lineno="5380">
 <summary>
 List the contents of generic
 directories in /usr.
@@ -63388,7 +63551,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_dontaudit_write_usr_dirs" lineno="5320">
+<interface name="files_dontaudit_write_usr_dirs" lineno="5398">
 <summary>
 Do not audit write of /usr dirs
 </summary>
@@ -63398,7 +63561,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="files_rw_usr_dirs" lineno="5338">
+<interface name="files_rw_usr_dirs" lineno="5416">
 <summary>
 Add and remove entries from /usr directories.
 </summary>
@@ -63408,7 +63571,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_dontaudit_rw_usr_dirs" lineno="5357">
+<interface name="files_dontaudit_rw_usr_dirs" lineno="5435">
 <summary>
 Do not audit attempts to add and remove
 entries from /usr directories.
@@ -63419,7 +63582,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="files_delete_usr_dirs" lineno="5375">
+<interface name="files_delete_usr_dirs" lineno="5453">
 <summary>
 Delete generic directories in /usr in the caller domain.
 </summary>
@@ -63429,7 +63592,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_watch_usr_dirs" lineno="5393">
+<interface name="files_watch_usr_dirs" lineno="5471">
 <summary>
 Watch generic directories in /usr.
 </summary>
@@ -63439,7 +63602,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_delete_usr_files" lineno="5411">
+<interface name="files_delete_usr_files" lineno="5489">
 <summary>
 Delete generic files in /usr in the caller domain.
 </summary>
@@ -63449,7 +63612,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_getattr_usr_files" lineno="5429">
+<interface name="files_getattr_usr_files" lineno="5507">
 <summary>
 Get the attributes of files in /usr.
 </summary>
@@ -63459,7 +63622,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_map_usr_files" lineno="5448">
+<interface name="files_map_usr_files" lineno="5526">
 <summary>
 Map generic files in /usr.
 </summary>
@@ -63470,7 +63633,7 @@ Domain allowed access.
 </param>
 <infoflow type="read" weight="10"/>
 </interface>
-<interface name="files_read_usr_files" lineno="5484">
+<interface name="files_read_usr_files" lineno="5562">
 <summary>
 Read generic files in /usr.
 </summary>
@@ -63498,7 +63661,7 @@ Domain allowed access.
 </param>
 <infoflow type="read" weight="10"/>
 </interface>
-<interface name="files_exec_usr_files" lineno="5504">
+<interface name="files_exec_usr_files" lineno="5582">
 <summary>
 Execute generic programs in /usr in the caller domain.
 </summary>
@@ -63508,7 +63671,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_dontaudit_write_usr_files" lineno="5524">
+<interface name="files_dontaudit_write_usr_files" lineno="5602">
 <summary>
 dontaudit write of /usr files
 </summary>
@@ -63518,7 +63681,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="files_manage_usr_files" lineno="5542">
+<interface name="files_manage_usr_files" lineno="5620">
 <summary>
 Create, read, write, and delete files in the /usr directory.
 </summary>
@@ -63528,7 +63691,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_relabelto_usr_files" lineno="5560">
+<interface name="files_relabelto_usr_files" lineno="5638">
 <summary>
 Relabel a file to the type used in /usr.
 </summary>
@@ -63538,7 +63701,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_relabelfrom_usr_files" lineno="5578">
+<interface name="files_relabelfrom_usr_files" lineno="5656">
 <summary>
 Relabel a file from the type used in /usr.
 </summary>
@@ -63548,7 +63711,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_read_usr_symlinks" lineno="5596">
+<interface name="files_read_usr_symlinks" lineno="5674">
 <summary>
 Read symbolic links in /usr.
 </summary>
@@ -63558,7 +63721,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_usr_filetrans" lineno="5629">
+<interface name="files_usr_filetrans" lineno="5707">
 <summary>
 Create objects in the /usr directory
 </summary>
@@ -63583,7 +63746,7 @@ The name of the object being created.
 </summary>
 </param>
 </interface>
-<interface name="files_search_src" lineno="5647">
+<interface name="files_search_src" lineno="5725">
 <summary>
 Search directories in /usr/src.
 </summary>
@@ -63593,7 +63756,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_dontaudit_search_src" lineno="5665">
+<interface name="files_dontaudit_search_src" lineno="5743">
 <summary>
 Do not audit attempts to search /usr/src.
 </summary>
@@ -63603,7 +63766,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="files_getattr_usr_src_files" lineno="5683">
+<interface name="files_getattr_usr_src_files" lineno="5761">
 <summary>
 Get the attributes of files in /usr/src.
 </summary>
@@ -63613,7 +63776,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_read_usr_src_files" lineno="5704">
+<interface name="files_read_usr_src_files" lineno="5782">
 <summary>
 Read files in /usr/src.
 </summary>
@@ -63623,7 +63786,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_exec_usr_src_files" lineno="5725">
+<interface name="files_exec_usr_src_files" lineno="5803">
 <summary>
 Execute programs in /usr/src in the caller domain.
 </summary>
@@ -63633,7 +63796,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_create_kernel_symbol_table" lineno="5745">
+<interface name="files_create_kernel_symbol_table" lineno="5823">
 <summary>
 Install a system.map into the /boot directory.
 </summary>
@@ -63643,7 +63806,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_read_kernel_symbol_table" lineno="5764">
+<interface name="files_read_kernel_symbol_table" lineno="5842">
 <summary>
 Read system.map in the /boot directory.
 </summary>
@@ -63653,7 +63816,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_delete_kernel_symbol_table" lineno="5783">
+<interface name="files_delete_kernel_symbol_table" lineno="5861">
 <summary>
 Delete a system.map in the /boot directory.
 </summary>
@@ -63663,7 +63826,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_mounton_kernel_symbol_table" lineno="5802">
+<interface name="files_mounton_kernel_symbol_table" lineno="5880">
 <summary>
 Mount on a system.map in the /boot directory (for bind mounts).
 </summary>
@@ -63673,7 +63836,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_search_var" lineno="5821">
+<interface name="files_search_var" lineno="5899">
 <summary>
 Search the contents of /var.
 </summary>
@@ -63683,7 +63846,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_dontaudit_write_var_dirs" lineno="5839">
+<interface name="files_dontaudit_write_var_dirs" lineno="5917">
 <summary>
 Do not audit attempts to write to /var.
 </summary>
@@ -63693,7 +63856,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="files_write_var_dirs" lineno="5857">
+<interface name="files_write_var_dirs" lineno="5935">
 <summary>
 Allow attempts to write to /var.dirs
 </summary>
@@ -63703,7 +63866,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_dontaudit_search_var" lineno="5876">
+<interface name="files_dontaudit_search_var" lineno="5954">
 <summary>
 Do not audit attempts to search
 the contents of /var.
@@ -63714,7 +63877,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="files_list_var" lineno="5894">
+<interface name="files_list_var" lineno="5972">
 <summary>
 List the contents of /var.
 </summary>
@@ -63724,7 +63887,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_dontaudit_list_var" lineno="5913">
+<interface name="files_dontaudit_list_var" lineno="5991">
 <summary>
 Do not audit attempts to list
 the contents of /var.
@@ -63735,7 +63898,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="files_manage_var_dirs" lineno="5932">
+<interface name="files_manage_var_dirs" lineno="6010">
 <summary>
 Create, read, write, and delete directories
 in the /var directory.
@@ -63746,7 +63909,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_relabel_var_dirs" lineno="5950">
+<interface name="files_relabel_var_dirs" lineno="6028">
 <summary>
 relabelto/from var directories
 </summary>
@@ -63756,7 +63919,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_read_var_files" lineno="5968">
+<interface name="files_read_var_files" lineno="6046">
 <summary>
 Read files in the /var directory.
 </summary>
@@ -63766,7 +63929,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_append_var_files" lineno="5986">
+<interface name="files_append_var_files" lineno="6064">
 <summary>
 Append files in the /var directory.
 </summary>
@@ -63776,7 +63939,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_rw_var_files" lineno="6004">
+<interface name="files_rw_var_files" lineno="6082">
 <summary>
 Read and write files in the /var directory.
 </summary>
@@ -63786,7 +63949,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_dontaudit_rw_var_files" lineno="6023">
+<interface name="files_dontaudit_rw_var_files" lineno="6101">
 <summary>
 Do not audit attempts to read and write
 files in the /var directory.
@@ -63797,7 +63960,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="files_manage_var_files" lineno="6041">
+<interface name="files_manage_var_files" lineno="6119">
 <summary>
 Create, read, write, and delete files in the /var directory.
 </summary>
@@ -63807,7 +63970,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_read_var_symlinks" lineno="6059">
+<interface name="files_read_var_symlinks" lineno="6137">
 <summary>
 Read symbolic links in the /var directory.
 </summary>
@@ -63817,7 +63980,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_manage_var_symlinks" lineno="6078">
+<interface name="files_manage_var_symlinks" lineno="6156">
 <summary>
 Create, read, write, and delete symbolic
 links in the /var directory.
@@ -63828,7 +63991,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_var_filetrans" lineno="6111">
+<interface name="files_var_filetrans" lineno="6189">
 <summary>
 Create objects in the /var directory
 </summary>
@@ -63853,7 +64016,7 @@ The name of the object being created.
 </summary>
 </param>
 </interface>
-<interface name="files_getattr_var_lib_dirs" lineno="6129">
+<interface name="files_getattr_var_lib_dirs" lineno="6207">
 <summary>
 Get the attributes of the /var/lib directory.
 </summary>
@@ -63863,7 +64026,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_search_var_lib" lineno="6161">
+<interface name="files_search_var_lib" lineno="6239">
 <summary>
 Search the /var/lib directory.
 </summary>
@@ -63887,7 +64050,7 @@ Domain allowed access.
 </param>
 <infoflow type="read" weight="5"/>
 </interface>
-<interface name="files_dontaudit_search_var_lib" lineno="6181">
+<interface name="files_dontaudit_search_var_lib" lineno="6259">
 <summary>
 Do not audit attempts to search the
 contents of /var/lib.
@@ -63899,7 +64062,7 @@ Domain to not audit.
 </param>
 <infoflow type="read" weight="5"/>
 </interface>
-<interface name="files_list_var_lib" lineno="6199">
+<interface name="files_list_var_lib" lineno="6277">
 <summary>
 List the contents of the /var/lib directory.
 </summary>
@@ -63909,7 +64072,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_rw_var_lib_dirs" lineno="6217">
+<interface name="files_rw_var_lib_dirs" lineno="6295">
 <summary>
 Read-write /var/lib directories
 </summary>
@@ -63919,7 +64082,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_manage_var_lib_dirs" lineno="6235">
+<interface name="files_manage_var_lib_dirs" lineno="6313">
 <summary>
 manage var_lib_t dirs
 </summary>
@@ -63929,7 +64092,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_relabel_var_lib_dirs" lineno="6254">
+<interface name="files_relabel_var_lib_dirs" lineno="6332">
 <summary>
 relabel var_lib_t dirs
 </summary>
@@ -63939,7 +64102,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_var_lib_filetrans" lineno="6288">
+<interface name="files_var_lib_filetrans" lineno="6366">
 <summary>
 Create objects in the /var/lib directory
 </summary>
@@ -63964,7 +64127,7 @@ The name of the object being created.
 </summary>
 </param>
 </interface>
-<interface name="files_read_var_lib_files" lineno="6307">
+<interface name="files_read_var_lib_files" lineno="6385">
 <summary>
 Read generic files in /var/lib.
 </summary>
@@ -63974,7 +64137,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_read_var_lib_symlinks" lineno="6326">
+<interface name="files_read_var_lib_symlinks" lineno="6404">
 <summary>
 Read generic symbolic links in /var/lib
 </summary>
@@ -63984,7 +64147,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_manage_urandom_seed" lineno="6348">
+<interface name="files_manage_urandom_seed" lineno="6426">
 <summary>
 Create, read, write, and delete the
 pseudorandom number generator seed.
@@ -63995,7 +64158,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_manage_mounttab" lineno="6367">
+<interface name="files_manage_mounttab" lineno="6445">
 <summary>
 Allow domain to manage mount tables
 necessary for rpcd, nfsd, etc.
@@ -64006,7 +64169,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_setattr_lock_dirs" lineno="6386">
+<interface name="files_setattr_lock_dirs" lineno="6464">
 <summary>
 Set the attributes of the generic lock directories.
 </summary>
@@ -64016,7 +64179,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_search_locks" lineno="6404">
+<interface name="files_search_locks" lineno="6482">
 <summary>
 Search the locks directory (/var/lock).
 </summary>
@@ -64026,7 +64189,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_dontaudit_search_locks" lineno="6424">
+<interface name="files_dontaudit_search_locks" lineno="6502">
 <summary>
 Do not audit attempts to search the
 locks directory (/var/lock).
@@ -64037,7 +64200,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="files_list_locks" lineno="6443">
+<interface name="files_list_locks" lineno="6521">
 <summary>
 List generic lock directories.
 </summary>
@@ -64047,7 +64210,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_check_write_lock_dirs" lineno="6462">
+<interface name="files_check_write_lock_dirs" lineno="6540">
 <summary>
 Test write access on lock directories.
 </summary>
@@ -64057,7 +64220,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_add_entry_lock_dirs" lineno="6481">
+<interface name="files_add_entry_lock_dirs" lineno="6559">
 <summary>
 Add entries in the /var/lock directories.
 </summary>
@@ -64067,7 +64230,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_rw_lock_dirs" lineno="6501">
+<interface name="files_rw_lock_dirs" lineno="6579">
 <summary>
 Add and remove entries in the /var/lock
 directories.
@@ -64078,7 +64241,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_create_lock_dirs" lineno="6520">
+<interface name="files_create_lock_dirs" lineno="6598">
 <summary>
 Create lock directories
 </summary>
@@ -64088,7 +64251,7 @@ Domain allowed access
 </summary>
 </param>
 </interface>
-<interface name="files_relabel_all_lock_dirs" lineno="6541">
+<interface name="files_relabel_all_lock_dirs" lineno="6619">
 <summary>
 Relabel to and from all lock directory types.
 </summary>
@@ -64099,7 +64262,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="files_getattr_generic_locks" lineno="6562">
+<interface name="files_getattr_generic_locks" lineno="6640">
 <summary>
 Get the attributes of generic lock files.
 </summary>
@@ -64109,7 +64272,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_delete_generic_locks" lineno="6583">
+<interface name="files_delete_generic_locks" lineno="6661">
 <summary>
 Delete generic lock files.
 </summary>
@@ -64119,7 +64282,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_manage_generic_locks" lineno="6604">
+<interface name="files_manage_generic_locks" lineno="6682">
 <summary>
 Create, read, write, and delete generic
 lock files.
@@ -64130,7 +64293,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_delete_all_locks" lineno="6626">
+<interface name="files_delete_all_locks" lineno="6704">
 <summary>
 Delete all lock files.
 </summary>
@@ -64141,7 +64304,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="files_read_all_locks" lineno="6647">
+<interface name="files_read_all_locks" lineno="6725">
 <summary>
 Read all lock files.
 </summary>
@@ -64151,7 +64314,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_manage_all_locks" lineno="6670">
+<interface name="files_manage_all_locks" lineno="6748">
 <summary>
 manage all lock files.
 </summary>
@@ -64161,7 +64324,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_relabel_all_locks" lineno="6693">
+<interface name="files_relabel_all_locks" lineno="6771">
 <summary>
 Relabel from/to all lock files.
 </summary>
@@ -64171,7 +64334,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_lock_filetrans" lineno="6732">
+<interface name="files_lock_filetrans" lineno="6810">
 <summary>
 Create an object in the locks directory, with a private
 type using a type transition.
@@ -64197,7 +64360,7 @@ The name of the object being created.
 </summary>
 </param>
 </interface>
-<interface name="files_dontaudit_getattr_runtime_dirs" lineno="6753">
+<interface name="files_dontaudit_getattr_runtime_dirs" lineno="6831">
 <summary>
 Do not audit attempts to get the attributes
 of the /var/run directory.
@@ -64208,7 +64371,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="files_mounton_runtime_dirs" lineno="6772">
+<interface name="files_mounton_runtime_dirs" lineno="6850">
 <summary>
 mounton a /var/run directory.
 </summary>
@@ -64218,7 +64381,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_setattr_runtime_dirs" lineno="6790">
+<interface name="files_setattr_runtime_dirs" lineno="6868">
 <summary>
 Set the attributes of the /var/run directory.
 </summary>
@@ -64228,7 +64391,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_search_runtime" lineno="6810">
+<interface name="files_search_runtime" lineno="6888">
 <summary>
 Search the contents of runtime process
 ID directories (/var/run).
@@ -64239,7 +64402,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_dontaudit_search_runtime" lineno="6830">
+<interface name="files_dontaudit_search_runtime" lineno="6908">
 <summary>
 Do not audit attempts to search
 the /var/run directory.
@@ -64250,7 +64413,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="files_list_runtime" lineno="6850">
+<interface name="files_list_runtime" lineno="6928">
 <summary>
 List the contents of the runtime process
 ID directories (/var/run).
@@ -64261,7 +64424,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_check_write_runtime_dirs" lineno="6869">
+<interface name="files_check_write_runtime_dirs" lineno="6947">
 <summary>
 Check write access on /var/run directories.
 </summary>
@@ -64271,7 +64434,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_create_runtime_dirs" lineno="6887">
+<interface name="files_create_runtime_dirs" lineno="6965">
 <summary>
 Create a /var/run directory.
 </summary>
@@ -64281,7 +64444,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_rw_runtime_dirs" lineno="6905">
+<interface name="files_rw_runtime_dirs" lineno="6983">
 <summary>
 Read and write a /var/run directory.
 </summary>
@@ -64291,7 +64454,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_watch_var_lib_dirs" lineno="6923">
+<interface name="files_watch_var_lib_dirs" lineno="7001">
 <summary>
 Watch /var/lib directories.
 </summary>
@@ -64301,7 +64464,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_watch_runtime_dirs" lineno="6941">
+<interface name="files_watch_runtime_dirs" lineno="7019">
 <summary>
 Watch /var/run directories.
 </summary>
@@ -64311,7 +64474,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_watch_var_dirs" lineno="6959">
+<interface name="files_watch_var_dirs" lineno="7037">
 <summary>
 Watch /var directories.
 </summary>
@@ -64321,7 +64484,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_read_runtime_files" lineno="6977">
+<interface name="files_read_runtime_files" lineno="7055">
 <summary>
 Read generic runtime files.
 </summary>
@@ -64331,7 +64494,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_exec_runtime" lineno="6997">
+<interface name="files_exec_runtime" lineno="7075">
 <summary>
 Execute generic programs in /var/run in the caller domain.
 </summary>
@@ -64341,7 +64504,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_dontaudit_exec_runtime" lineno="7015">
+<interface name="files_dontaudit_exec_runtime" lineno="7093">
 <summary>
 Dontaudit attempt to execute generic programs in /var/run in the caller domain.
 </summary>
@@ -64351,7 +64514,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_rw_runtime_files" lineno="7033">
+<interface name="files_rw_runtime_files" lineno="7111">
 <summary>
 Read and write generic runtime files.
 </summary>
@@ -64361,7 +64524,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_delete_runtime_symlinks" lineno="7053">
+<interface name="files_delete_runtime_symlinks" lineno="7131">
 <summary>
 Delete generic runtime symlinks.
 </summary>
@@ -64371,7 +64534,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_write_runtime_pipes" lineno="7071">
+<interface name="files_write_runtime_pipes" lineno="7149">
 <summary>
 Write named generic runtime pipes.
 </summary>
@@ -64381,7 +64544,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_delete_all_runtime_dirs" lineno="7091">
+<interface name="files_delete_all_runtime_dirs" lineno="7169">
 <summary>
 Delete all runtime dirs.
 </summary>
@@ -64392,7 +64555,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="files_manage_all_runtime_dirs" lineno="7109">
+<interface name="files_manage_all_runtime_dirs" lineno="7187">
 <summary>
 Create, read, write, and delete all runtime directories.
 </summary>
@@ -64402,7 +64565,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_relabel_all_runtime_dirs" lineno="7127">
+<interface name="files_relabel_all_runtime_dirs" lineno="7205">
 <summary>
 Relabel all runtime directories.
 </summary>
@@ -64412,7 +64575,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_dontaudit_getattr_all_runtime_files" lineno="7146">
+<interface name="files_dontaudit_getattr_all_runtime_files" lineno="7224">
 <summary>
 Do not audit attempts to get the attributes of
 all runtime data files.
@@ -64423,7 +64586,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="files_read_all_runtime_files" lineno="7167">
+<interface name="files_read_all_runtime_files" lineno="7245">
 <summary>
 Read all runtime files.
 </summary>
@@ -64434,7 +64597,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="files_dontaudit_ioctl_all_runtime_files" lineno="7188">
+<interface name="files_dontaudit_ioctl_all_runtime_files" lineno="7266">
 <summary>
 Do not audit attempts to ioctl all runtime files.
 </summary>
@@ -64444,7 +64607,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="files_dontaudit_write_all_runtime_files" lineno="7208">
+<interface name="files_dontaudit_write_all_runtime_files" lineno="7286">
 <summary>
 Do not audit attempts to write to all runtime files.
 </summary>
@@ -64454,7 +64617,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="files_delete_all_runtime_files" lineno="7229">
+<interface name="files_delete_all_runtime_files" lineno="7307">
 <summary>
 Delete all runtime files.
 </summary>
@@ -64465,7 +64628,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="files_manage_all_runtime_files" lineno="7248">
+<interface name="files_manage_all_runtime_files" lineno="7326">
 <summary>
 Create, read, write and delete all
 var_run (pid) files
@@ -64476,7 +64639,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_relabel_all_runtime_files" lineno="7266">
+<interface name="files_relabel_all_runtime_files" lineno="7344">
 <summary>
 Relabel all runtime files.
 </summary>
@@ -64486,7 +64649,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_delete_all_runtime_symlinks" lineno="7285">
+<interface name="files_delete_all_runtime_symlinks" lineno="7363">
 <summary>
 Delete all runtime symlinks.
 </summary>
@@ -64497,7 +64660,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="files_manage_all_runtime_symlinks" lineno="7304">
+<interface name="files_manage_all_runtime_symlinks" lineno="7382">
 <summary>
 Create, read, write and delete all
 var_run (pid) symbolic links.
@@ -64508,7 +64671,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_relabel_all_runtime_symlinks" lineno="7322">
+<interface name="files_relabel_all_runtime_symlinks" lineno="7400">
 <summary>
 Relabel all runtime symbolic links.
 </summary>
@@ -64518,7 +64681,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_create_all_runtime_pipes" lineno="7340">
+<interface name="files_create_all_runtime_pipes" lineno="7418">
 <summary>
 Create all runtime named pipes
 </summary>
@@ -64528,7 +64691,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_delete_all_runtime_pipes" lineno="7359">
+<interface name="files_delete_all_runtime_pipes" lineno="7437">
 <summary>
 Delete all runtime named pipes
 </summary>
@@ -64538,7 +64701,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_create_all_runtime_sockets" lineno="7378">
+<interface name="files_create_all_runtime_sockets" lineno="7456">
 <summary>
 Create all runtime sockets.
 </summary>
@@ -64548,7 +64711,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_delete_all_runtime_sockets" lineno="7396">
+<interface name="files_delete_all_runtime_sockets" lineno="7474">
 <summary>
 Delete all runtime sockets.
 </summary>
@@ -64558,7 +64721,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_relabel_all_runtime_sockets" lineno="7414">
+<interface name="files_relabel_all_runtime_sockets" lineno="7492">
 <summary>
 Relabel all runtime named sockets.
 </summary>
@@ -64568,7 +64731,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_runtime_filetrans" lineno="7474">
+<interface name="files_runtime_filetrans" lineno="7552">
 <summary>
 Create an object in the /run directory, with a private type.
 </summary>
@@ -64620,7 +64783,7 @@ The name of the object being created.
 </param>
 <infoflow type="write" weight="10"/>
 </interface>
-<interface name="files_runtime_filetrans_lock_dir" lineno="7499">
+<interface name="files_runtime_filetrans_lock_dir" lineno="7577">
 <summary>
 Create a generic lock directory within the run directories.
 </summary>
@@ -64635,7 +64798,7 @@ The name of the object being created.
 </summary>
 </param>
 </interface>
-<interface name="files_create_all_spool_sockets" lineno="7517">
+<interface name="files_create_all_spool_sockets" lineno="7595">
 <summary>
 Create all spool sockets
 </summary>
@@ -64645,7 +64808,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_delete_all_spool_sockets" lineno="7535">
+<interface name="files_delete_all_spool_sockets" lineno="7613">
 <summary>
 Delete all spool sockets
 </summary>
@@ -64655,7 +64818,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_mounton_all_poly_members" lineno="7554">
+<interface name="files_mounton_all_poly_members" lineno="7632">
 <summary>
 Mount filesystems on all polyinstantiation
 member directories.
@@ -64666,7 +64829,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_search_spool" lineno="7573">
+<interface name="files_search_spool" lineno="7651">
 <summary>
 Search the contents of generic spool
 directories (/var/spool).
@@ -64677,7 +64840,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_dontaudit_search_spool" lineno="7592">
+<interface name="files_dontaudit_search_spool" lineno="7670">
 <summary>
 Do not audit attempts to search generic
 spool directories.
@@ -64688,7 +64851,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="files_list_spool" lineno="7611">
+<interface name="files_list_spool" lineno="7689">
 <summary>
 List the contents of generic spool
 (/var/spool) directories.
@@ -64699,7 +64862,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_manage_generic_spool_dirs" lineno="7630">
+<interface name="files_manage_generic_spool_dirs" lineno="7708">
 <summary>
 Create, read, write, and delete generic
 spool directories (/var/spool).
@@ -64710,7 +64873,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_read_generic_spool" lineno="7649">
+<interface name="files_read_generic_spool" lineno="7727">
 <summary>
 Read generic spool files.
 </summary>
@@ -64720,7 +64883,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_manage_generic_spool" lineno="7669">
+<interface name="files_manage_generic_spool" lineno="7747">
 <summary>
 Create, read, write, and delete generic
 spool files.
@@ -64731,7 +64894,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_spool_filetrans" lineno="7705">
+<interface name="files_spool_filetrans" lineno="7783">
 <summary>
 Create objects in the spool directory
 with a private type with a type transition.
@@ -64758,7 +64921,7 @@ The name of the object being created.
 </summary>
 </param>
 </interface>
-<interface name="files_polyinstantiate_all" lineno="7725">
+<interface name="files_polyinstantiate_all" lineno="7803">
 <summary>
 Allow access to manage all polyinstantiated
 directories on the system.
@@ -64769,7 +64932,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_unconfined" lineno="7779">
+<interface name="files_unconfined" lineno="7857">
 <summary>
 Unconfined access to files.
 </summary>
@@ -64779,7 +64942,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_manage_etc_runtime_lnk_files" lineno="7801">
+<interface name="files_manage_etc_runtime_lnk_files" lineno="7879">
 <summary>
 Create, read, write, and delete symbolic links in
 /etc that are dynamically created on boot.
@@ -64791,7 +64954,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="files_dontaudit_read_etc_runtime" lineno="7819">
+<interface name="files_dontaudit_read_etc_runtime" lineno="7897">
 <summary>
 Do not audit attempts to read etc_runtime resources
 </summary>
@@ -64801,7 +64964,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="files_list_src" lineno="7837">
+<interface name="files_list_src" lineno="7915">
 <summary>
 List usr/src files
 </summary>
@@ -64811,7 +64974,7 @@ Domain allowed access
 </summary>
 </param>
 </interface>
-<interface name="files_read_src_files" lineno="7855">
+<interface name="files_read_src_files" lineno="7933">
 <summary>
 Read usr/src files
 </summary>
@@ -64821,7 +64984,7 @@ Domain allowed access
 </summary>
 </param>
 </interface>
-<interface name="files_manage_src_files" lineno="7873">
+<interface name="files_manage_src_files" lineno="7951">
 <summary>
 Manage /usr/src files
 </summary>
@@ -64831,7 +64994,7 @@ Domain allowed access
 </summary>
 </param>
 </interface>
-<interface name="files_lib_filetrans_kernel_modules" lineno="7904">
+<interface name="files_lib_filetrans_kernel_modules" lineno="7982">
 <summary>
 Create a resource in the generic lib location
 with an automatic type transition towards the kernel modules
@@ -64853,7 +65016,7 @@ Optional name of the resource
 </summary>
 </param>
 </interface>
-<interface name="files_read_etc_runtime" lineno="7922">
+<interface name="files_read_etc_runtime" lineno="8000">
 <summary>
 Read etc runtime resources
 </summary>
@@ -64863,7 +65026,7 @@ Domain allowed access
 </summary>
 </param>
 </interface>
-<interface name="files_relabel_all_non_security_file_types" lineno="7944">
+<interface name="files_relabel_all_non_security_file_types" lineno="8022">
 <summary>
 Allow relabel from and to non-security types
 </summary>
@@ -64874,7 +65037,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="files_manage_all_non_security_file_types" lineno="7974">
+<interface name="files_manage_all_non_security_file_types" lineno="8052">
 <summary>
 Manage non-security-sensitive resource types
 </summary>
@@ -64885,7 +65048,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="files_relabel_all_pidfiles" lineno="7996">
+<interface name="files_relabel_all_pidfiles" lineno="8074">
 <summary>
 Allow relabeling from and to any pidfile associated type
 </summary>
@@ -65344,7 +65507,17 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_manage_bpf_files" lineno="745">
+<interface name="fs_manage_bpf_dirs" lineno="745">
+<summary>
+Manage bpf directories.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fs_manage_bpf_files" lineno="763">
 <summary>
 Manage bpf files.
 </summary>
@@ -65354,7 +65527,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_manage_bpf_symlinks" lineno="763">
+<interface name="fs_manage_bpf_symlinks" lineno="781">
 <summary>
 Manage bpf symlinks.
 </summary>
@@ -65364,7 +65537,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_mount_cgroup" lineno="781">
+<interface name="fs_mount_cgroup" lineno="799">
 <summary>
 Mount cgroup filesystems.
 </summary>
@@ -65374,7 +65547,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_remount_cgroup" lineno="799">
+<interface name="fs_remount_cgroup" lineno="817">
 <summary>
 Remount cgroup filesystems.
 </summary>
@@ -65384,7 +65557,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_unmount_cgroup" lineno="817">
+<interface name="fs_unmount_cgroup" lineno="835">
 <summary>
 Unmount cgroup filesystems.
 </summary>
@@ -65394,7 +65567,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_getattr_cgroup" lineno="835">
+<interface name="fs_getattr_cgroup" lineno="853">
 <summary>
 Get attributes of cgroup filesystems.
 </summary>
@@ -65404,7 +65577,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_search_cgroup_dirs" lineno="853">
+<interface name="fs_search_cgroup_dirs" lineno="871">
 <summary>
 Search cgroup directories.
 </summary>
@@ -65414,7 +65587,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_list_cgroup_dirs" lineno="872">
+<interface name="fs_list_cgroup_dirs" lineno="890">
 <summary>
 list cgroup directories.
 </summary>
@@ -65424,7 +65597,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_ioctl_cgroup_dirs" lineno="891">
+<interface name="fs_ioctl_cgroup_dirs" lineno="909">
 <summary>
 Ioctl cgroup directories.
 </summary>
@@ -65434,7 +65607,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_create_cgroup_dirs" lineno="910">
+<interface name="fs_create_cgroup_dirs" lineno="928">
 <summary>
 Create cgroup directories.
 </summary>
@@ -65444,7 +65617,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_delete_cgroup_dirs" lineno="929">
+<interface name="fs_delete_cgroup_dirs" lineno="947">
 <summary>
 Delete cgroup directories.
 </summary>
@@ -65454,7 +65627,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_manage_cgroup_dirs" lineno="948">
+<interface name="fs_manage_cgroup_dirs" lineno="966">
 <summary>
 Manage cgroup directories.
 </summary>
@@ -65464,7 +65637,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_relabel_cgroup_dirs" lineno="968">
+<interface name="fs_relabel_cgroup_dirs" lineno="986">
 <summary>
 Relabel cgroup directories.
 </summary>
@@ -65474,7 +65647,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_getattr_cgroup_files" lineno="986">
+<interface name="fs_getattr_cgroup_files" lineno="1004">
 <summary>
 Get attributes of cgroup files.
 </summary>
@@ -65484,7 +65657,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_read_cgroup_files" lineno="1006">
+<interface name="fs_read_cgroup_files" lineno="1024">
 <summary>
 Read cgroup files.
 </summary>
@@ -65494,7 +65667,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_create_cgroup_files" lineno="1027">
+<interface name="fs_create_cgroup_files" lineno="1045">
 <summary>
 Create cgroup files.
 </summary>
@@ -65504,7 +65677,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_watch_cgroup_files" lineno="1047">
+<interface name="fs_watch_cgroup_files" lineno="1065">
 <summary>
 Watch cgroup files.
 </summary>
@@ -65514,7 +65687,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_read_cgroup_symlinks" lineno="1066">
+<interface name="fs_read_cgroup_symlinks" lineno="1084">
 <summary>
 Read cgroup symlnks.
 </summary>
@@ -65524,7 +65697,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_create_cgroup_links" lineno="1085">
+<interface name="fs_create_cgroup_links" lineno="1103">
 <summary>
 Create cgroup lnk_files.
 </summary>
@@ -65534,7 +65707,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_write_cgroup_files" lineno="1105">
+<interface name="fs_write_cgroup_files" lineno="1123">
 <summary>
 Write cgroup files.
 </summary>
@@ -65544,7 +65717,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_rw_cgroup_files" lineno="1124">
+<interface name="fs_rw_cgroup_files" lineno="1142">
 <summary>
 Read and write cgroup files.
 </summary>
@@ -65554,7 +65727,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_dontaudit_rw_cgroup_files" lineno="1146">
+<interface name="fs_dontaudit_rw_cgroup_files" lineno="1164">
 <summary>
 Do not audit attempts to open,
 get attributes, read and write
@@ -65566,7 +65739,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="fs_manage_cgroup_files" lineno="1164">
+<interface name="fs_manage_cgroup_files" lineno="1182">
 <summary>
 Manage cgroup files.
 </summary>
@@ -65576,7 +65749,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_relabel_cgroup_symlinks" lineno="1184">
+<interface name="fs_relabel_cgroup_symlinks" lineno="1202">
 <summary>
 Relabel cgroup symbolic links.
 </summary>
@@ -65586,7 +65759,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_watch_cgroup_dirs" lineno="1202">
+<interface name="fs_watch_cgroup_dirs" lineno="1220">
 <summary>
 Watch cgroup directories.
 </summary>
@@ -65596,7 +65769,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_mounton_cgroup" lineno="1220">
+<interface name="fs_mounton_cgroup" lineno="1238">
 <summary>
 Mount on cgroup directories.
 </summary>
@@ -65606,7 +65779,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_mounton_cgroup_files" lineno="1238">
+<interface name="fs_mounton_cgroup_files" lineno="1256">
 <summary>
 Mount on cgroup files.
 </summary>
@@ -65616,7 +65789,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_cgroup_filetrans" lineno="1272">
+<interface name="fs_cgroup_filetrans" lineno="1290">
 <summary>
 Create an object in a cgroup tmpfs filesystem, with a private
 type using a type transition.
@@ -65642,7 +65815,7 @@ The name of the object being created.
 </summary>
 </param>
 </interface>
-<interface name="fs_cgroup_filetrans_memory_pressure" lineno="1303">
+<interface name="fs_cgroup_filetrans_memory_pressure" lineno="1321">
 <summary>
 Create an object in a cgroup tmpfs filesystem, with the memory_pressure_t
 type using a type transition.
@@ -65663,7 +65836,7 @@ The name of the object being created.
 </summary>
 </param>
 </interface>
-<interface name="fs_getattr_memory_pressure" lineno="1321">
+<interface name="fs_getattr_memory_pressure" lineno="1339">
 <summary>
 Get the attributes of cgroup's memory.pressure files.
 </summary>
@@ -65673,7 +65846,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_watch_memory_pressure" lineno="1339">
+<interface name="fs_watch_memory_pressure" lineno="1357">
 <summary>
 Allow managing a cgroup's memory.pressure file to get notifications
 </summary>
@@ -65683,7 +65856,7 @@ Source domain
 </summary>
 </param>
 </interface>
-<interface name="fs_dontaudit_list_cifs_dirs" lineno="1358">
+<interface name="fs_dontaudit_list_cifs_dirs" lineno="1376">
 <summary>
 Do not audit attempts to read
 dirs on a CIFS or SMB filesystem.
@@ -65694,7 +65867,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="fs_mount_cifs" lineno="1376">
+<interface name="fs_mount_cifs" lineno="1394">
 <summary>
 Mount a CIFS or SMB network filesystem.
 </summary>
@@ -65704,7 +65877,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_remount_cifs" lineno="1395">
+<interface name="fs_remount_cifs" lineno="1413">
 <summary>
 Remount a CIFS or SMB network filesystem.
 This allows some mount options to be changed.
@@ -65715,7 +65888,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_unmount_cifs" lineno="1413">
+<interface name="fs_unmount_cifs" lineno="1431">
 <summary>
 Unmount a CIFS or SMB network filesystem.
 </summary>
@@ -65725,7 +65898,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_getattr_cifs" lineno="1433">
+<interface name="fs_getattr_cifs" lineno="1451">
 <summary>
 Get the attributes of a CIFS or
 SMB network filesystem.
@@ -65737,7 +65910,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="fs_search_cifs" lineno="1451">
+<interface name="fs_search_cifs" lineno="1469">
 <summary>
 Search directories on a CIFS or SMB filesystem.
 </summary>
@@ -65747,7 +65920,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_list_cifs" lineno="1470">
+<interface name="fs_list_cifs" lineno="1488">
 <summary>
 List the contents of directories on a
 CIFS or SMB filesystem.
@@ -65758,7 +65931,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_dontaudit_list_cifs" lineno="1489">
+<interface name="fs_dontaudit_list_cifs" lineno="1507">
 <summary>
 Do not audit attempts to list the contents
 of directories on a CIFS or SMB filesystem.
@@ -65769,7 +65942,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="fs_mounton_cifs" lineno="1507">
+<interface name="fs_mounton_cifs" lineno="1525">
 <summary>
 Mounton a CIFS filesystem.
 </summary>
@@ -65779,7 +65952,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_read_cifs_files" lineno="1526">
+<interface name="fs_read_cifs_files" lineno="1544">
 <summary>
 Read files on a CIFS or SMB filesystem.
 </summary>
@@ -65790,7 +65963,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="fs_read_all_inherited_image_files" lineno="1546">
+<interface name="fs_read_all_inherited_image_files" lineno="1564">
 <summary>
 Read all inherited filesystem image files.
 </summary>
@@ -65801,7 +65974,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="fs_read_all_image_files" lineno="1565">
+<interface name="fs_read_all_image_files" lineno="1583">
 <summary>
 Read all filesystem image files.
 </summary>
@@ -65812,7 +65985,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="fs_mmap_read_all_image_files" lineno="1584">
+<interface name="fs_mmap_read_all_image_files" lineno="1602">
 <summary>
 Mmap-read all filesystem image files.
 </summary>
@@ -65823,7 +65996,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="fs_rw_all_image_files" lineno="1603">
+<interface name="fs_rw_all_image_files" lineno="1621">
 <summary>
 Read and write all filesystem image files.
 </summary>
@@ -65834,7 +66007,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="fs_mmap_rw_all_image_files" lineno="1622">
+<interface name="fs_mmap_rw_all_image_files" lineno="1640">
 <summary>
 Mmap-Read-write all filesystem image files.
 </summary>
@@ -65845,7 +66018,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="fs_dontaudit_write_all_image_files" lineno="1641">
+<interface name="fs_dontaudit_write_all_image_files" lineno="1659">
 <summary>
 Do not audit attempts to write all filesystem image files.
 </summary>
@@ -65856,7 +66029,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="fs_getattr_noxattr_fs" lineno="1661">
+<interface name="fs_getattr_noxattr_fs" lineno="1679">
 <summary>
 Get the attributes of filesystems that
 do not have extended attribute support.
@@ -65868,7 +66041,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="fs_list_noxattr_fs" lineno="1679">
+<interface name="fs_list_noxattr_fs" lineno="1697">
 <summary>
 Read all noxattrfs directories.
 </summary>
@@ -65878,7 +66051,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_dontaudit_list_noxattr_fs" lineno="1698">
+<interface name="fs_dontaudit_list_noxattr_fs" lineno="1716">
 <summary>
 Do not audit attempts to list all
 noxattrfs directories.
@@ -65889,7 +66062,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="fs_manage_noxattr_fs_dirs" lineno="1716">
+<interface name="fs_manage_noxattr_fs_dirs" lineno="1734">
 <summary>
 Create, read, write, and delete all noxattrfs directories.
 </summary>
@@ -65899,7 +66072,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_read_noxattr_fs_files" lineno="1734">
+<interface name="fs_read_noxattr_fs_files" lineno="1752">
 <summary>
 Read all noxattrfs files.
 </summary>
@@ -65909,7 +66082,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_dontaudit_read_noxattr_fs_files" lineno="1754">
+<interface name="fs_dontaudit_read_noxattr_fs_files" lineno="1772">
 <summary>
 Do not audit attempts to read all
 noxattrfs files.
@@ -65920,7 +66093,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="fs_dontaudit_write_noxattr_fs_files" lineno="1772">
+<interface name="fs_dontaudit_write_noxattr_fs_files" lineno="1790">
 <summary>
 Dont audit attempts to write to noxattrfs files.
 </summary>
@@ -65930,7 +66103,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="fs_manage_noxattr_fs_files" lineno="1790">
+<interface name="fs_manage_noxattr_fs_files" lineno="1808">
 <summary>
 Create, read, write, and delete all noxattrfs files.
 </summary>
@@ -65940,7 +66113,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_read_noxattr_fs_symlinks" lineno="1809">
+<interface name="fs_read_noxattr_fs_symlinks" lineno="1827">
 <summary>
 Read all noxattrfs symbolic links.
 </summary>
@@ -65950,7 +66123,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_manage_noxattr_fs_symlinks" lineno="1828">
+<interface name="fs_manage_noxattr_fs_symlinks" lineno="1846">
 <summary>
 Manage all noxattrfs symbolic links.
 </summary>
@@ -65960,7 +66133,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_relabelfrom_noxattr_fs" lineno="1848">
+<interface name="fs_relabelfrom_noxattr_fs" lineno="1866">
 <summary>
 Relabel all objects from filesystems that
 do not support extended attributes.
@@ -65971,7 +66144,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_dontaudit_read_cifs_files" lineno="1874">
+<interface name="fs_dontaudit_read_cifs_files" lineno="1892">
 <summary>
 Do not audit attempts to read
 files on a CIFS or SMB filesystem.
@@ -65982,7 +66155,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="fs_append_cifs_files" lineno="1894">
+<interface name="fs_append_cifs_files" lineno="1912">
 <summary>
 Append files
 on a CIFS filesystem.
@@ -65994,7 +66167,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="fs_dontaudit_append_cifs_files" lineno="1914">
+<interface name="fs_dontaudit_append_cifs_files" lineno="1932">
 <summary>
 dontaudit Append files
 on a CIFS filesystem.
@@ -66006,7 +66179,7 @@ Domain to not audit.
 </param>
 <rolecap/>
 </interface>
-<interface name="fs_dontaudit_rw_cifs_files" lineno="1933">
+<interface name="fs_dontaudit_rw_cifs_files" lineno="1951">
 <summary>
 Do not audit attempts to read or
 write files on a CIFS or SMB filesystem.
@@ -66017,7 +66190,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="fs_read_cifs_symlinks" lineno="1951">
+<interface name="fs_read_cifs_symlinks" lineno="1969">
 <summary>
 Read symbolic links on a CIFS or SMB filesystem.
 </summary>
@@ -66027,7 +66200,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_read_cifs_named_pipes" lineno="1971">
+<interface name="fs_read_cifs_named_pipes" lineno="1989">
 <summary>
 Read named pipes
 on a CIFS or SMB network filesystem.
@@ -66038,7 +66211,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_read_cifs_named_sockets" lineno="1990">
+<interface name="fs_read_cifs_named_sockets" lineno="2008">
 <summary>
 Read named sockets
 on a CIFS or SMB network filesystem.
@@ -66049,7 +66222,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_exec_cifs_files" lineno="2011">
+<interface name="fs_exec_cifs_files" lineno="2029">
 <summary>
 Execute files on a CIFS or SMB
 network filesystem, in the caller
@@ -66062,7 +66235,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="fs_manage_cifs_dirs" lineno="2032">
+<interface name="fs_manage_cifs_dirs" lineno="2050">
 <summary>
 Create, read, write, and delete directories
 on a CIFS or SMB network filesystem.
@@ -66074,7 +66247,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="fs_dontaudit_manage_cifs_dirs" lineno="2052">
+<interface name="fs_dontaudit_manage_cifs_dirs" lineno="2070">
 <summary>
 Do not audit attempts to create, read,
 write, and delete directories
@@ -66086,7 +66259,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="fs_manage_cifs_files" lineno="2072">
+<interface name="fs_manage_cifs_files" lineno="2090">
 <summary>
 Create, read, write, and delete files
 on a CIFS or SMB network filesystem.
@@ -66098,7 +66271,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="fs_dontaudit_manage_cifs_files" lineno="2092">
+<interface name="fs_dontaudit_manage_cifs_files" lineno="2110">
 <summary>
 Do not audit attempts to create, read,
 write, and delete files
@@ -66110,7 +66283,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="fs_manage_cifs_symlinks" lineno="2111">
+<interface name="fs_manage_cifs_symlinks" lineno="2129">
 <summary>
 Create, read, write, and delete symbolic links
 on a CIFS or SMB network filesystem.
@@ -66121,7 +66294,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_manage_cifs_named_pipes" lineno="2130">
+<interface name="fs_manage_cifs_named_pipes" lineno="2148">
 <summary>
 Create, read, write, and delete named pipes
 on a CIFS or SMB network filesystem.
@@ -66132,7 +66305,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_manage_cifs_named_sockets" lineno="2149">
+<interface name="fs_manage_cifs_named_sockets" lineno="2167">
 <summary>
 Create, read, write, and delete named sockets
 on a CIFS or SMB network filesystem.
@@ -66143,7 +66316,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_cifs_domtrans" lineno="2192">
+<interface name="fs_cifs_domtrans" lineno="2210">
 <summary>
 Execute a file on a CIFS or SMB filesystem
 in the specified domain.
@@ -66178,7 +66351,7 @@ The type of the new process.
 </summary>
 </param>
 </interface>
-<interface name="fs_manage_configfs_dirs" lineno="2212">
+<interface name="fs_manage_configfs_dirs" lineno="2230">
 <summary>
 Create, read, write, and delete dirs
 on a configfs filesystem.
@@ -66189,7 +66362,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_manage_configfs_files" lineno="2231">
+<interface name="fs_manage_configfs_files" lineno="2249">
 <summary>
 Create, read, write, and delete files
 on a configfs filesystem.
@@ -66200,7 +66373,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_mount_dos_fs" lineno="2250">
+<interface name="fs_mount_dos_fs" lineno="2268">
 <summary>
 Mount a DOS filesystem, such as
 FAT32 or NTFS.
@@ -66211,7 +66384,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_remount_dos_fs" lineno="2270">
+<interface name="fs_remount_dos_fs" lineno="2288">
 <summary>
 Remount a DOS filesystem, such as
 FAT32 or NTFS.  This allows
@@ -66223,7 +66396,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_unmount_dos_fs" lineno="2289">
+<interface name="fs_unmount_dos_fs" lineno="2307">
 <summary>
 Unmount a DOS filesystem, such as
 FAT32 or NTFS.
@@ -66234,7 +66407,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_getattr_dos_fs" lineno="2309">
+<interface name="fs_getattr_dos_fs" lineno="2327">
 <summary>
 Get the attributes of a DOS
 filesystem, such as FAT32 or NTFS.
@@ -66246,7 +66419,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="fs_relabelfrom_dos_fs" lineno="2328">
+<interface name="fs_relabelfrom_dos_fs" lineno="2346">
 <summary>
 Allow changing of the label of a
 DOS filesystem using the context= mount option.
@@ -66257,7 +66430,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_getattr_dos_dirs" lineno="2346">
+<interface name="fs_getattr_dos_dirs" lineno="2364">
 <summary>
 Get attributes of directories on a dosfs filesystem.
 </summary>
@@ -66267,7 +66440,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_search_dos" lineno="2364">
+<interface name="fs_search_dos" lineno="2382">
 <summary>
 Search dosfs filesystem.
 </summary>
@@ -66277,7 +66450,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_list_dos" lineno="2382">
+<interface name="fs_list_dos" lineno="2400">
 <summary>
 List dirs DOS filesystem.
 </summary>
@@ -66287,7 +66460,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_manage_dos_dirs" lineno="2401">
+<interface name="fs_manage_dos_dirs" lineno="2419">
 <summary>
 Create, read, write, and delete dirs
 on a DOS filesystem.
@@ -66298,7 +66471,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_read_dos_files" lineno="2419">
+<interface name="fs_read_dos_files" lineno="2437">
 <summary>
 Read files on a DOS filesystem.
 </summary>
@@ -66308,7 +66481,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_mmap_read_dos_files" lineno="2437">
+<interface name="fs_mmap_read_dos_files" lineno="2455">
 <summary>
 Read and map files on a DOS filesystem.
 </summary>
@@ -66318,7 +66491,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_manage_dos_files" lineno="2457">
+<interface name="fs_manage_dos_files" lineno="2475">
 <summary>
 Create, read, write, and delete files
 on a DOS filesystem.
@@ -66329,7 +66502,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_list_ecryptfs" lineno="2475">
+<interface name="fs_list_ecryptfs" lineno="2493">
 <summary>
 Read symbolic links on an eCryptfs filesystem.
 </summary>
@@ -66339,7 +66512,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_manage_ecryptfs_dirs" lineno="2496">
+<interface name="fs_manage_ecryptfs_dirs" lineno="2514">
 <summary>
 Create, read, write, and delete directories
 on an eCryptfs filesystem.
@@ -66351,7 +66524,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="fs_manage_ecryptfs_files" lineno="2516">
+<interface name="fs_manage_ecryptfs_files" lineno="2534">
 <summary>
 Create, read, write, and delete files
 on an eCryptfs filesystem.
@@ -66363,7 +66536,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="fs_manage_ecryptfs_named_sockets" lineno="2535">
+<interface name="fs_manage_ecryptfs_named_sockets" lineno="2553">
 <summary>
 Create, read, write, and delete named sockets
 on an eCryptfs filesystem.
@@ -66374,7 +66547,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_getattr_efivarfs" lineno="2553">
+<interface name="fs_getattr_efivarfs" lineno="2571">
 <summary>
 Get the attributes of efivarfs filesystems.
 </summary>
@@ -66384,7 +66557,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_list_efivars" lineno="2571">
+<interface name="fs_list_efivars" lineno="2589">
 <summary>
 List dirs in efivarfs filesystem.
 </summary>
@@ -66394,7 +66567,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_read_efivarfs_files" lineno="2591">
+<interface name="fs_read_efivarfs_files" lineno="2609">
 <summary>
 Read files in efivarfs
 - contains Linux Kernel configuration options for UEFI systems
@@ -66406,7 +66579,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="fs_setattr_efivarfs_files" lineno="2611">
+<interface name="fs_setattr_efivarfs_files" lineno="2629">
 <summary>
 Set the attributes of files in efivarfs
 - contains Linux Kernel configuration options for UEFI systems
@@ -66418,7 +66591,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="fs_manage_efivarfs_files" lineno="2631">
+<interface name="fs_manage_efivarfs_files" lineno="2649">
 <summary>
 Create, read, write, and delete files
 on a efivarfs filesystem.
@@ -66430,7 +66603,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_getattr_fusefs" lineno="2649">
+<interface name="fs_getattr_fusefs" lineno="2667">
 <summary>
 stat a FUSE filesystem
 </summary>
@@ -66440,7 +66613,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_mount_fusefs" lineno="2667">
+<interface name="fs_mount_fusefs" lineno="2685">
 <summary>
 Mount a FUSE filesystem.
 </summary>
@@ -66450,7 +66623,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_unmount_fusefs" lineno="2685">
+<interface name="fs_unmount_fusefs" lineno="2703">
 <summary>
 Unmount a FUSE filesystem.
 </summary>
@@ -66460,7 +66633,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_remount_fusefs" lineno="2703">
+<interface name="fs_remount_fusefs" lineno="2721">
 <summary>
 Remount a FUSE filesystem.
 </summary>
@@ -66470,7 +66643,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_mounton_fusefs" lineno="2721">
+<interface name="fs_mounton_fusefs" lineno="2739">
 <summary>
 Mounton a FUSEFS filesystem.
 </summary>
@@ -66480,7 +66653,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_mounton_fusefs_files" lineno="2739">
+<interface name="fs_mounton_fusefs_files" lineno="2757">
 <summary>
 Mount on files on a FUSEFS filesystem.
 </summary>
@@ -66490,7 +66663,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_fusefs_entry_type" lineno="2758">
+<interface name="fs_fusefs_entry_type" lineno="2776">
 <summary>
 Make FUSEFS files an entrypoint for the
 specified domain.
@@ -66501,7 +66674,7 @@ The domain for which fusefs_t is an entrypoint.
 </summary>
 </param>
 </interface>
-<interface name="fs_fusefs_domtrans" lineno="2791">
+<interface name="fs_fusefs_domtrans" lineno="2809">
 <summary>
 Execute FUSEFS files in a specified domain.
 </summary>
@@ -66526,7 +66699,7 @@ Domain to transition to.
 </summary>
 </param>
 </interface>
-<interface name="fs_search_fusefs" lineno="2811">
+<interface name="fs_search_fusefs" lineno="2829">
 <summary>
 Search directories
 on a FUSEFS filesystem.
@@ -66538,7 +66711,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="fs_list_fusefs" lineno="2831">
+<interface name="fs_list_fusefs" lineno="2849">
 <summary>
 List the contents of directories
 on a FUSEFS filesystem.
@@ -66550,7 +66723,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="fs_dontaudit_list_fusefs" lineno="2850">
+<interface name="fs_dontaudit_list_fusefs" lineno="2868">
 <summary>
 Do not audit attempts to list the contents
 of directories on a FUSEFS filesystem.
@@ -66561,7 +66734,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="fs_setattr_fusefs_dirs" lineno="2870">
+<interface name="fs_setattr_fusefs_dirs" lineno="2888">
 <summary>
 Set the attributes of directories
 on a FUSEFS filesystem.
@@ -66573,7 +66746,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="fs_manage_fusefs_dirs" lineno="2890">
+<interface name="fs_manage_fusefs_dirs" lineno="2908">
 <summary>
 Create, read, write, and delete directories
 on a FUSEFS filesystem.
@@ -66585,7 +66758,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="fs_dontaudit_manage_fusefs_dirs" lineno="2910">
+<interface name="fs_dontaudit_manage_fusefs_dirs" lineno="2928">
 <summary>
 Do not audit attempts to create, read,
 write, and delete directories
@@ -66597,7 +66770,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="fs_watch_fusefs_dirs" lineno="2928">
+<interface name="fs_watch_fusefs_dirs" lineno="2946">
 <summary>
 Watch directories on a FUSEFS filesystem.
 </summary>
@@ -66607,7 +66780,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_getattr_fusefs_files" lineno="2948">
+<interface name="fs_getattr_fusefs_files" lineno="2966">
 <summary>
 Get the attributes of files on a
 FUSEFS filesystem.
@@ -66619,7 +66792,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="fs_read_fusefs_files" lineno="2967">
+<interface name="fs_read_fusefs_files" lineno="2985">
 <summary>
 Read, a FUSEFS filesystem.
 </summary>
@@ -66630,7 +66803,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="fs_exec_fusefs_files" lineno="2986">
+<interface name="fs_exec_fusefs_files" lineno="3004">
 <summary>
 Execute files on a FUSEFS filesystem.
 </summary>
@@ -66641,7 +66814,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="fs_setattr_fusefs_files" lineno="3006">
+<interface name="fs_setattr_fusefs_files" lineno="3024">
 <summary>
 Set the attributes of files on a
 FUSEFS filesystem.
@@ -66653,7 +66826,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="fs_manage_fusefs_files" lineno="3026">
+<interface name="fs_manage_fusefs_files" lineno="3044">
 <summary>
 Create, read, write, and delete files
 on a FUSEFS filesystem.
@@ -66665,7 +66838,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="fs_dontaudit_manage_fusefs_files" lineno="3046">
+<interface name="fs_dontaudit_manage_fusefs_files" lineno="3064">
 <summary>
 Do not audit attempts to create,
 read, write, and delete files
@@ -66677,7 +66850,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="fs_watch_fusefs_files" lineno="3064">
+<interface name="fs_watch_fusefs_files" lineno="3082">
 <summary>
 Watch files on a FUSEFS filesystem.
 </summary>
@@ -66687,7 +66860,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_getattr_fusefs_symlinks" lineno="3084">
+<interface name="fs_getattr_fusefs_symlinks" lineno="3102">
 <summary>
 Get the attributes of symlinks
 on a FUSEFS filesystem.
@@ -66699,7 +66872,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="fs_read_fusefs_symlinks" lineno="3102">
+<interface name="fs_read_fusefs_symlinks" lineno="3120">
 <summary>
 Read symbolic links on a FUSEFS filesystem.
 </summary>
@@ -66709,7 +66882,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_setattr_fusefs_symlinks" lineno="3123">
+<interface name="fs_setattr_fusefs_symlinks" lineno="3141">
 <summary>
 Set the attributes of symlinks
 on a FUSEFS filesystem.
@@ -66721,7 +66894,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="fs_manage_fusefs_symlinks" lineno="3142">
+<interface name="fs_manage_fusefs_symlinks" lineno="3160">
 <summary>
 Manage symlinks on a FUSEFS filesystem.
 </summary>
@@ -66732,7 +66905,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="fs_getattr_fusefs_fifo_files" lineno="3162">
+<interface name="fs_getattr_fusefs_fifo_files" lineno="3180">
 <summary>
 Get the attributes of named pipes
 on a FUSEFS filesystem.
@@ -66744,7 +66917,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="fs_setattr_fusefs_fifo_files" lineno="3182">
+<interface name="fs_setattr_fusefs_fifo_files" lineno="3200">
 <summary>
 Set the attributes of named pipes
 on a FUSEFS filesystem.
@@ -66756,7 +66929,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="fs_manage_fusefs_fifo_files" lineno="3202">
+<interface name="fs_manage_fusefs_fifo_files" lineno="3220">
 <summary>
 Manage named pipes on a FUSEFS
 filesystem.
@@ -66768,7 +66941,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="fs_getattr_fusefs_sock_files" lineno="3222">
+<interface name="fs_getattr_fusefs_sock_files" lineno="3240">
 <summary>
 Get the attributes of named sockets
 on a FUSEFS filesystem.
@@ -66780,7 +66953,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="fs_setattr_fusefs_sock_files" lineno="3242">
+<interface name="fs_setattr_fusefs_sock_files" lineno="3260">
 <summary>
 Set the attributes of named sockets
 on a FUSEFS filesystem.
@@ -66792,7 +66965,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="fs_manage_fusefs_sock_files" lineno="3262">
+<interface name="fs_manage_fusefs_sock_files" lineno="3280">
 <summary>
 Manage named sockets on a FUSEFS
 filesystem.
@@ -66804,7 +66977,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="fs_getattr_fusefs_chr_files" lineno="3282">
+<interface name="fs_getattr_fusefs_chr_files" lineno="3300">
 <summary>
 Get the attributes of character files
 on a FUSEFS filesystem.
@@ -66816,7 +66989,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="fs_setattr_fusefs_chr_files" lineno="3302">
+<interface name="fs_setattr_fusefs_chr_files" lineno="3320">
 <summary>
 Set the attributes of character files
 on a FUSEFS filesystem.
@@ -66828,7 +67001,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="fs_manage_fusefs_chr_files" lineno="3322">
+<interface name="fs_manage_fusefs_chr_files" lineno="3340">
 <summary>
 Manage character files on a FUSEFS
 filesystem.
@@ -66840,7 +67013,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="fs_create_fusefs_blk_files" lineno="3342">
+<interface name="fs_create_fusefs_blk_files" lineno="3360">
 <summary>
 Create block files on a FUSEFS
 filesystem.
@@ -66852,7 +67025,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="fs_setattr_fusefs_blk_files" lineno="3362">
+<interface name="fs_setattr_fusefs_blk_files" lineno="3380">
 <summary>
 Set the attributes of block files on
 a FUSEFS filesystem.
@@ -66864,7 +67037,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="fs_getattr_hugetlbfs" lineno="3381">
+<interface name="fs_getattr_hugetlbfs" lineno="3399">
 <summary>
 Get the attributes of an hugetlbfs
 filesystem.
@@ -66875,7 +67048,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_list_hugetlbfs" lineno="3399">
+<interface name="fs_list_hugetlbfs" lineno="3417">
 <summary>
 List hugetlbfs.
 </summary>
@@ -66885,7 +67058,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_manage_hugetlbfs_dirs" lineno="3417">
+<interface name="fs_manage_hugetlbfs_dirs" lineno="3435">
 <summary>
 Manage hugetlbfs dirs.
 </summary>
@@ -66895,7 +67068,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_rw_inherited_hugetlbfs_files" lineno="3435">
+<interface name="fs_rw_inherited_hugetlbfs_files" lineno="3453">
 <summary>
 Read and write inherited hugetlbfs files.
 </summary>
@@ -66905,7 +67078,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_rw_hugetlbfs_files" lineno="3453">
+<interface name="fs_rw_hugetlbfs_files" lineno="3471">
 <summary>
 Read and write hugetlbfs files.
 </summary>
@@ -66915,7 +67088,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_mmap_rw_hugetlbfs_files" lineno="3471">
+<interface name="fs_mmap_rw_hugetlbfs_files" lineno="3489">
 <summary>
 Read, map and write hugetlbfs files.
 </summary>
@@ -66925,7 +67098,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_associate_hugetlbfs" lineno="3490">
+<interface name="fs_associate_hugetlbfs" lineno="3508">
 <summary>
 Allow the type to associate to hugetlbfs filesystems.
 </summary>
@@ -66935,7 +67108,7 @@ The type of the object to be associated.
 </summary>
 </param>
 </interface>
-<interface name="fs_search_inotifyfs" lineno="3508">
+<interface name="fs_search_inotifyfs" lineno="3526">
 <summary>
 Search inotifyfs filesystem.
 </summary>
@@ -66945,7 +67118,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_list_inotifyfs" lineno="3526">
+<interface name="fs_list_inotifyfs" lineno="3544">
 <summary>
 List inotifyfs filesystem.
 </summary>
@@ -66955,7 +67128,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_dontaudit_list_inotifyfs" lineno="3544">
+<interface name="fs_dontaudit_list_inotifyfs" lineno="3562">
 <summary>
 Dontaudit List inotifyfs filesystem.
 </summary>
@@ -66965,7 +67138,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="fs_hugetlbfs_filetrans" lineno="3578">
+<interface name="fs_hugetlbfs_filetrans" lineno="3596">
 <summary>
 Create an object in a hugetlbfs filesystem, with a private
 type using a type transition.
@@ -66991,7 +67164,7 @@ The name of the object being created.
 </summary>
 </param>
 </interface>
-<interface name="fs_mount_iso9660_fs" lineno="3598">
+<interface name="fs_mount_iso9660_fs" lineno="3616">
 <summary>
 Mount an iso9660 filesystem, which
 is usually used on CDs.
@@ -67002,7 +67175,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_remount_iso9660_fs" lineno="3618">
+<interface name="fs_remount_iso9660_fs" lineno="3636">
 <summary>
 Remount an iso9660 filesystem, which
 is usually used on CDs.  This allows
@@ -67014,7 +67187,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_relabelfrom_iso9660_fs" lineno="3637">
+<interface name="fs_relabelfrom_iso9660_fs" lineno="3655">
 <summary>
 Allow changing of the label of a
 filesystem with iso9660 type
@@ -67025,7 +67198,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_unmount_iso9660_fs" lineno="3656">
+<interface name="fs_unmount_iso9660_fs" lineno="3674">
 <summary>
 Unmount an iso9660 filesystem, which
 is usually used on CDs.
@@ -67036,7 +67209,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_getattr_iso9660_fs" lineno="3676">
+<interface name="fs_getattr_iso9660_fs" lineno="3694">
 <summary>
 Get the attributes of an iso9660
 filesystem, which is usually used on CDs.
@@ -67048,7 +67221,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="fs_getattr_iso9660_files" lineno="3695">
+<interface name="fs_getattr_iso9660_files" lineno="3713">
 <summary>
 Get the attributes of files on an iso9660
 filesystem, which is usually used on CDs.
@@ -67059,7 +67232,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_read_iso9660_files" lineno="3715">
+<interface name="fs_read_iso9660_files" lineno="3733">
 <summary>
 Read files on an iso9660 filesystem, which
 is usually used on CDs.
@@ -67070,7 +67243,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_mount_nfs" lineno="3735">
+<interface name="fs_mount_nfs" lineno="3753">
 <summary>
 Mount a NFS filesystem.
 </summary>
@@ -67080,7 +67253,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_remount_nfs" lineno="3754">
+<interface name="fs_remount_nfs" lineno="3772">
 <summary>
 Remount a NFS filesystem.  This allows
 some mount options to be changed.
@@ -67091,7 +67264,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_unmount_nfs" lineno="3772">
+<interface name="fs_unmount_nfs" lineno="3790">
 <summary>
 Unmount a NFS filesystem.
 </summary>
@@ -67101,7 +67274,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_getattr_nfs" lineno="3791">
+<interface name="fs_getattr_nfs" lineno="3809">
 <summary>
 Get the attributes of a NFS filesystem.
 </summary>
@@ -67112,7 +67285,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="fs_search_nfs" lineno="3809">
+<interface name="fs_search_nfs" lineno="3827">
 <summary>
 Search directories on a NFS filesystem.
 </summary>
@@ -67122,7 +67295,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_list_nfs" lineno="3827">
+<interface name="fs_list_nfs" lineno="3845">
 <summary>
 List NFS filesystem.
 </summary>
@@ -67132,7 +67305,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_dontaudit_list_nfs" lineno="3846">
+<interface name="fs_dontaudit_list_nfs" lineno="3864">
 <summary>
 Do not audit attempts to list the contents
 of directories on a NFS filesystem.
@@ -67143,7 +67316,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="fs_watch_nfs_dirs" lineno="3865">
+<interface name="fs_watch_nfs_dirs" lineno="3883">
 <summary>
 Add a watch on directories on an NFS
 filesystem.
@@ -67154,7 +67327,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_mounton_nfs" lineno="3883">
+<interface name="fs_mounton_nfs" lineno="3901">
 <summary>
 Mounton a NFS filesystem.
 </summary>
@@ -67164,7 +67337,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_read_nfs_files" lineno="3902">
+<interface name="fs_read_nfs_files" lineno="3920">
 <summary>
 Read files on a NFS filesystem.
 </summary>
@@ -67175,7 +67348,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="fs_dontaudit_read_nfs_files" lineno="3922">
+<interface name="fs_dontaudit_read_nfs_files" lineno="3940">
 <summary>
 Do not audit attempts to read
 files on a NFS filesystem.
@@ -67186,7 +67359,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="fs_write_nfs_files" lineno="3940">
+<interface name="fs_write_nfs_files" lineno="3958">
 <summary>
 Read files on a NFS filesystem.
 </summary>
@@ -67196,7 +67369,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_exec_nfs_files" lineno="3960">
+<interface name="fs_exec_nfs_files" lineno="3978">
 <summary>
 Execute files on a NFS filesystem.
 </summary>
@@ -67207,7 +67380,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="fs_append_nfs_files" lineno="3981">
+<interface name="fs_append_nfs_files" lineno="3999">
 <summary>
 Append files
 on a NFS filesystem.
@@ -67219,7 +67392,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="fs_dontaudit_append_nfs_files" lineno="4001">
+<interface name="fs_dontaudit_append_nfs_files" lineno="4019">
 <summary>
 dontaudit Append files
 on a NFS filesystem.
@@ -67231,7 +67404,7 @@ Domain to not audit.
 </param>
 <rolecap/>
 </interface>
-<interface name="fs_dontaudit_rw_nfs_files" lineno="4020">
+<interface name="fs_dontaudit_rw_nfs_files" lineno="4038">
 <summary>
 Do not audit attempts to read or
 write files on a NFS filesystem.
@@ -67242,7 +67415,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="fs_watch_nfs_files" lineno="4038">
+<interface name="fs_watch_nfs_files" lineno="4056">
 <summary>
 Add a watch on files on an NFS filesystem.
 </summary>
@@ -67252,7 +67425,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_read_nfs_symlinks" lineno="4056">
+<interface name="fs_read_nfs_symlinks" lineno="4074">
 <summary>
 Read symbolic links on a NFS filesystem.
 </summary>
@@ -67262,7 +67435,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_dontaudit_read_nfs_symlinks" lineno="4075">
+<interface name="fs_dontaudit_read_nfs_symlinks" lineno="4093">
 <summary>
 Dontaudit read symbolic links on a NFS filesystem.
 </summary>
@@ -67272,7 +67445,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="fs_read_nfs_named_sockets" lineno="4093">
+<interface name="fs_read_nfs_named_sockets" lineno="4111">
 <summary>
 Read named sockets on a NFS filesystem.
 </summary>
@@ -67282,7 +67455,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_read_nfs_named_pipes" lineno="4112">
+<interface name="fs_read_nfs_named_pipes" lineno="4130">
 <summary>
 Read named pipes on a NFS network filesystem.
 </summary>
@@ -67293,7 +67466,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="fs_getattr_rpc_dirs" lineno="4131">
+<interface name="fs_getattr_rpc_dirs" lineno="4149">
 <summary>
 Get the attributes of directories of RPC
 file system pipes.
@@ -67304,7 +67477,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_search_rpc" lineno="4150">
+<interface name="fs_search_rpc" lineno="4168">
 <summary>
 Search directories of RPC file system pipes.
 </summary>
@@ -67314,7 +67487,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_search_removable" lineno="4168">
+<interface name="fs_search_removable" lineno="4186">
 <summary>
 Search removable storage directories.
 </summary>
@@ -67324,7 +67497,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_dontaudit_list_removable" lineno="4186">
+<interface name="fs_dontaudit_list_removable" lineno="4204">
 <summary>
 Do not audit attempts to list removable storage directories.
 </summary>
@@ -67334,7 +67507,7 @@ Domain not to audit.
 </summary>
 </param>
 </interface>
-<interface name="fs_read_removable_files" lineno="4204">
+<interface name="fs_read_removable_files" lineno="4222">
 <summary>
 Read removable storage files.
 </summary>
@@ -67344,7 +67517,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_dontaudit_read_removable_files" lineno="4222">
+<interface name="fs_dontaudit_read_removable_files" lineno="4240">
 <summary>
 Do not audit attempts to read removable storage files.
 </summary>
@@ -67354,7 +67527,7 @@ Domain not to audit.
 </summary>
 </param>
 </interface>
-<interface name="fs_dontaudit_write_removable_files" lineno="4240">
+<interface name="fs_dontaudit_write_removable_files" lineno="4258">
 <summary>
 Do not audit attempts to write removable storage files.
 </summary>
@@ -67364,7 +67537,7 @@ Domain not to audit.
 </summary>
 </param>
 </interface>
-<interface name="fs_read_removable_symlinks" lineno="4258">
+<interface name="fs_read_removable_symlinks" lineno="4276">
 <summary>
 Read removable storage symbolic links.
 </summary>
@@ -67374,7 +67547,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_read_removable_blk_files" lineno="4276">
+<interface name="fs_read_removable_blk_files" lineno="4294">
 <summary>
 Read block nodes on removable filesystems.
 </summary>
@@ -67384,7 +67557,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_rw_removable_blk_files" lineno="4295">
+<interface name="fs_rw_removable_blk_files" lineno="4313">
 <summary>
 Read and write block nodes on removable filesystems.
 </summary>
@@ -67394,7 +67567,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_list_rpc" lineno="4314">
+<interface name="fs_list_rpc" lineno="4332">
 <summary>
 Read directories of RPC file system pipes.
 </summary>
@@ -67404,7 +67577,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_read_rpc_files" lineno="4332">
+<interface name="fs_read_rpc_files" lineno="4350">
 <summary>
 Read files of RPC file system pipes.
 </summary>
@@ -67414,7 +67587,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_read_rpc_symlinks" lineno="4350">
+<interface name="fs_read_rpc_symlinks" lineno="4368">
 <summary>
 Read symbolic links of RPC file system pipes.
 </summary>
@@ -67424,7 +67597,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_read_rpc_sockets" lineno="4368">
+<interface name="fs_read_rpc_sockets" lineno="4386">
 <summary>
 Read sockets of RPC file system pipes.
 </summary>
@@ -67434,7 +67607,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_rw_rpc_sockets" lineno="4386">
+<interface name="fs_rw_rpc_sockets" lineno="4404">
 <summary>
 Read and write sockets of RPC file system pipes.
 </summary>
@@ -67444,7 +67617,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_manage_nfs_dirs" lineno="4406">
+<interface name="fs_manage_nfs_dirs" lineno="4424">
 <summary>
 Create, read, write, and delete directories
 on a NFS filesystem.
@@ -67456,7 +67629,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="fs_dontaudit_manage_nfs_dirs" lineno="4426">
+<interface name="fs_dontaudit_manage_nfs_dirs" lineno="4444">
 <summary>
 Do not audit attempts to create, read,
 write, and delete directories
@@ -67468,7 +67641,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="fs_manage_nfs_files" lineno="4446">
+<interface name="fs_manage_nfs_files" lineno="4464">
 <summary>
 Create, read, write, and delete files
 on a NFS filesystem.
@@ -67480,7 +67653,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="fs_dontaudit_manage_nfs_files" lineno="4466">
+<interface name="fs_dontaudit_manage_nfs_files" lineno="4484">
 <summary>
 Do not audit attempts to create,
 read, write, and delete files
@@ -67492,7 +67665,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="fs_manage_nfs_symlinks" lineno="4486">
+<interface name="fs_manage_nfs_symlinks" lineno="4504">
 <summary>
 Create, read, write, and delete symbolic links
 on a NFS network filesystem.
@@ -67504,7 +67677,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="fs_manage_nfs_named_pipes" lineno="4505">
+<interface name="fs_manage_nfs_named_pipes" lineno="4523">
 <summary>
 Create, read, write, and delete named pipes
 on a NFS filesystem.
@@ -67515,7 +67688,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_manage_nfs_named_sockets" lineno="4524">
+<interface name="fs_manage_nfs_named_sockets" lineno="4542">
 <summary>
 Create, read, write, and delete named sockets
 on a NFS filesystem.
@@ -67526,7 +67699,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_nfs_domtrans" lineno="4567">
+<interface name="fs_nfs_domtrans" lineno="4585">
 <summary>
 Execute a file on a NFS filesystem
 in the specified domain.
@@ -67561,7 +67734,7 @@ The type of the new process.
 </summary>
 </param>
 </interface>
-<interface name="fs_mount_nfsd_fs" lineno="4586">
+<interface name="fs_mount_nfsd_fs" lineno="4604">
 <summary>
 Mount a NFS server pseudo filesystem.
 </summary>
@@ -67571,7 +67744,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_remount_nfsd_fs" lineno="4605">
+<interface name="fs_remount_nfsd_fs" lineno="4623">
 <summary>
 Mount a NFS server pseudo filesystem.
 This allows some mount options to be changed.
@@ -67582,7 +67755,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_unmount_nfsd_fs" lineno="4623">
+<interface name="fs_unmount_nfsd_fs" lineno="4641">
 <summary>
 Unmount a NFS server pseudo filesystem.
 </summary>
@@ -67592,7 +67765,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_getattr_nfsd_fs" lineno="4642">
+<interface name="fs_getattr_nfsd_fs" lineno="4660">
 <summary>
 Get the attributes of a NFS server
 pseudo filesystem.
@@ -67603,7 +67776,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_search_nfsd_fs" lineno="4660">
+<interface name="fs_search_nfsd_fs" lineno="4678">
 <summary>
 Search NFS server directories.
 </summary>
@@ -67613,7 +67786,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_list_nfsd_fs" lineno="4678">
+<interface name="fs_list_nfsd_fs" lineno="4696">
 <summary>
 List NFS server directories.
 </summary>
@@ -67623,7 +67796,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_watch_nfsd_dirs" lineno="4696">
+<interface name="fs_watch_nfsd_dirs" lineno="4714">
 <summary>
 Watch NFS server directories.
 </summary>
@@ -67633,7 +67806,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_getattr_nfsd_files" lineno="4714">
+<interface name="fs_getattr_nfsd_files" lineno="4732">
 <summary>
 Getattr files on an nfsd filesystem
 </summary>
@@ -67643,7 +67816,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_rw_nfsd_fs" lineno="4732">
+<interface name="fs_rw_nfsd_fs" lineno="4750">
 <summary>
 Read and write NFS server files.
 </summary>
@@ -67653,7 +67826,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_getattr_nsfs_files" lineno="4750">
+<interface name="fs_getattr_nsfs_files" lineno="4768">
 <summary>
 Get the attributes of nsfs inodes (e.g. /proc/pid/ns/uts)
 </summary>
@@ -67663,7 +67836,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_read_nsfs_files" lineno="4768">
+<interface name="fs_read_nsfs_files" lineno="4786">
 <summary>
 Read nsfs inodes (e.g. /proc/pid/ns/uts)
 </summary>
@@ -67673,7 +67846,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_watch_nfsd_files" lineno="4786">
+<interface name="fs_watch_nfsd_files" lineno="4804">
 <summary>
 Watch NFS server files.
 </summary>
@@ -67683,7 +67856,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_getattr_nsfs" lineno="4804">
+<interface name="fs_getattr_nsfs" lineno="4822">
 <summary>
 Get the attributes of an nsfs filesystem.
 </summary>
@@ -67693,7 +67866,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_unmount_nsfs" lineno="4822">
+<interface name="fs_unmount_nsfs" lineno="4840">
 <summary>
 Unmount an nsfs filesystem.
 </summary>
@@ -67703,7 +67876,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_getattr_pstorefs" lineno="4840">
+<interface name="fs_getattr_pstorefs" lineno="4858">
 <summary>
 Get the attributes of a pstore filesystem.
 </summary>
@@ -67713,7 +67886,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_getattr_pstore_dirs" lineno="4859">
+<interface name="fs_getattr_pstore_dirs" lineno="4877">
 <summary>
 Get the attributes of directories
 of a pstore filesystem.
@@ -67724,7 +67897,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_create_pstore_dirs" lineno="4878">
+<interface name="fs_create_pstore_dirs" lineno="4896">
 <summary>
 Create pstore directories.
 </summary>
@@ -67734,7 +67907,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_relabel_pstore_dirs" lineno="4897">
+<interface name="fs_relabel_pstore_dirs" lineno="4915">
 <summary>
 Relabel to/from pstore_t directories.
 </summary>
@@ -67744,7 +67917,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_list_pstore_dirs" lineno="4916">
+<interface name="fs_list_pstore_dirs" lineno="4934">
 <summary>
 List the directories
 of a pstore filesystem.
@@ -67755,7 +67928,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_read_pstore_files" lineno="4935">
+<interface name="fs_read_pstore_files" lineno="4953">
 <summary>
 Read pstore_t files
 </summary>
@@ -67765,7 +67938,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_delete_pstore_files" lineno="4954">
+<interface name="fs_delete_pstore_files" lineno="4972">
 <summary>
 Delete the files
 of a pstore filesystem.
@@ -67776,7 +67949,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_associate_ramfs" lineno="4973">
+<interface name="fs_associate_ramfs" lineno="4991">
 <summary>
 Allow the type to associate to ramfs filesystems.
 </summary>
@@ -67786,7 +67959,7 @@ The type of the object to be associated.
 </summary>
 </param>
 </interface>
-<interface name="fs_mount_ramfs" lineno="4991">
+<interface name="fs_mount_ramfs" lineno="5009">
 <summary>
 Mount a RAM filesystem.
 </summary>
@@ -67796,7 +67969,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_remount_ramfs" lineno="5010">
+<interface name="fs_remount_ramfs" lineno="5028">
 <summary>
 Remount a RAM filesystem.  This allows
 some mount options to be changed.
@@ -67807,7 +67980,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_unmount_ramfs" lineno="5028">
+<interface name="fs_unmount_ramfs" lineno="5046">
 <summary>
 Unmount a RAM filesystem.
 </summary>
@@ -67817,7 +67990,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_getattr_ramfs" lineno="5046">
+<interface name="fs_getattr_ramfs" lineno="5064">
 <summary>
 Get the attributes of a RAM filesystem.
 </summary>
@@ -67827,7 +68000,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_search_ramfs" lineno="5064">
+<interface name="fs_search_ramfs" lineno="5082">
 <summary>
 Search directories on a ramfs
 </summary>
@@ -67837,7 +68010,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_dontaudit_search_ramfs" lineno="5082">
+<interface name="fs_dontaudit_search_ramfs" lineno="5100">
 <summary>
 Dontaudit Search directories on a ramfs
 </summary>
@@ -67847,7 +68020,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="fs_setattr_ramfs_dirs" lineno="5101">
+<interface name="fs_setattr_ramfs_dirs" lineno="5119">
 <summary>
 Set the attributes of directories on
 a ramfs.
@@ -67858,7 +68031,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_manage_ramfs_dirs" lineno="5120">
+<interface name="fs_manage_ramfs_dirs" lineno="5138">
 <summary>
 Create, read, write, and delete
 directories on a ramfs.
@@ -67869,7 +68042,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_dontaudit_read_ramfs_files" lineno="5138">
+<interface name="fs_dontaudit_read_ramfs_files" lineno="5156">
 <summary>
 Dontaudit read on a ramfs files.
 </summary>
@@ -67879,7 +68052,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="fs_dontaudit_read_ramfs_pipes" lineno="5156">
+<interface name="fs_dontaudit_read_ramfs_pipes" lineno="5174">
 <summary>
 Dontaudit read on a ramfs fifo_files.
 </summary>
@@ -67889,7 +68062,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="fs_manage_ramfs_files" lineno="5175">
+<interface name="fs_manage_ramfs_files" lineno="5193">
 <summary>
 Create, read, write, and delete
 files on a ramfs filesystem.
@@ -67900,7 +68073,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_write_ramfs_pipes" lineno="5193">
+<interface name="fs_write_ramfs_pipes" lineno="5211">
 <summary>
 Write to named pipe on a ramfs filesystem.
 </summary>
@@ -67910,7 +68083,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_dontaudit_write_ramfs_pipes" lineno="5212">
+<interface name="fs_dontaudit_write_ramfs_pipes" lineno="5230">
 <summary>
 Do not audit attempts to write to named
 pipes on a ramfs filesystem.
@@ -67921,7 +68094,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="fs_rw_ramfs_pipes" lineno="5230">
+<interface name="fs_rw_ramfs_pipes" lineno="5248">
 <summary>
 Read and write a named pipe on a ramfs filesystem.
 </summary>
@@ -67931,7 +68104,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_manage_ramfs_pipes" lineno="5249">
+<interface name="fs_manage_ramfs_pipes" lineno="5267">
 <summary>
 Create, read, write, and delete
 named pipes on a ramfs filesystem.
@@ -67942,7 +68115,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_write_ramfs_sockets" lineno="5267">
+<interface name="fs_write_ramfs_sockets" lineno="5285">
 <summary>
 Write to named socket on a ramfs filesystem.
 </summary>
@@ -67952,7 +68125,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_manage_ramfs_sockets" lineno="5286">
+<interface name="fs_manage_ramfs_sockets" lineno="5304">
 <summary>
 Create, read, write, and delete
 named sockets on a ramfs filesystem.
@@ -67963,7 +68136,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_mount_romfs" lineno="5304">
+<interface name="fs_mount_romfs" lineno="5322">
 <summary>
 Mount a ROM filesystem.
 </summary>
@@ -67973,7 +68146,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_remount_romfs" lineno="5323">
+<interface name="fs_remount_romfs" lineno="5341">
 <summary>
 Remount a ROM filesystem.  This allows
 some mount options to be changed.
@@ -67984,7 +68157,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_unmount_romfs" lineno="5341">
+<interface name="fs_unmount_romfs" lineno="5359">
 <summary>
 Unmount a ROM filesystem.
 </summary>
@@ -67994,7 +68167,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_getattr_romfs" lineno="5360">
+<interface name="fs_getattr_romfs" lineno="5378">
 <summary>
 Get the attributes of a ROM
 filesystem.
@@ -68005,7 +68178,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_mount_rpc_pipefs" lineno="5378">
+<interface name="fs_mount_rpc_pipefs" lineno="5396">
 <summary>
 Mount a RPC pipe filesystem.
 </summary>
@@ -68015,7 +68188,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_remount_rpc_pipefs" lineno="5397">
+<interface name="fs_remount_rpc_pipefs" lineno="5415">
 <summary>
 Remount a RPC pipe filesystem.  This
 allows some mount option to be changed.
@@ -68026,7 +68199,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_unmount_rpc_pipefs" lineno="5415">
+<interface name="fs_unmount_rpc_pipefs" lineno="5433">
 <summary>
 Unmount a RPC pipe filesystem.
 </summary>
@@ -68036,7 +68209,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_getattr_rpc_pipefs" lineno="5434">
+<interface name="fs_getattr_rpc_pipefs" lineno="5452">
 <summary>
 Get the attributes of a RPC pipe
 filesystem.
@@ -68047,7 +68220,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_rw_rpc_named_pipes" lineno="5452">
+<interface name="fs_rw_rpc_named_pipes" lineno="5470">
 <summary>
 Read and write RPC pipe filesystem named pipes.
 </summary>
@@ -68057,7 +68230,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_watch_rpc_pipefs_dirs" lineno="5470">
+<interface name="fs_watch_rpc_pipefs_dirs" lineno="5488">
 <summary>
 Watch RPC pipe filesystem directories.
 </summary>
@@ -68067,7 +68240,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_mount_tmpfs" lineno="5488">
+<interface name="fs_mount_tmpfs" lineno="5506">
 <summary>
 Mount a tmpfs filesystem.
 </summary>
@@ -68077,7 +68250,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_remount_tmpfs" lineno="5506">
+<interface name="fs_remount_tmpfs" lineno="5524">
 <summary>
 Remount a tmpfs filesystem.
 </summary>
@@ -68087,7 +68260,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_unmount_tmpfs" lineno="5524">
+<interface name="fs_unmount_tmpfs" lineno="5542">
 <summary>
 Unmount a tmpfs filesystem.
 </summary>
@@ -68097,7 +68270,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_dontaudit_getattr_tmpfs" lineno="5542">
+<interface name="fs_dontaudit_getattr_tmpfs" lineno="5560">
 <summary>
 Do not audit getting the attributes of a tmpfs filesystem
 </summary>
@@ -68107,7 +68280,7 @@ Domain to not audit
 </summary>
 </param>
 </interface>
-<interface name="fs_getattr_tmpfs" lineno="5562">
+<interface name="fs_getattr_tmpfs" lineno="5580">
 <summary>
 Get the attributes of a tmpfs
 filesystem.
@@ -68119,7 +68292,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="fs_associate_tmpfs" lineno="5580">
+<interface name="fs_associate_tmpfs" lineno="5598">
 <summary>
 Allow the type to associate to tmpfs filesystems.
 </summary>
@@ -68129,7 +68302,7 @@ The type of the object to be associated.
 </summary>
 </param>
 </interface>
-<interface name="fs_relabelfrom_tmpfs" lineno="5598">
+<interface name="fs_relabelfrom_tmpfs" lineno="5616">
 <summary>
 Relabel from tmpfs filesystem.
 </summary>
@@ -68139,7 +68312,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_getattr_tmpfs_dirs" lineno="5616">
+<interface name="fs_getattr_tmpfs_dirs" lineno="5634">
 <summary>
 Get the attributes of tmpfs directories.
 </summary>
@@ -68149,7 +68322,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_dontaudit_getattr_tmpfs_dirs" lineno="5635">
+<interface name="fs_dontaudit_getattr_tmpfs_dirs" lineno="5653">
 <summary>
 Do not audit attempts to get the attributes
 of tmpfs directories.
@@ -68160,7 +68333,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="fs_mounton_tmpfs" lineno="5653">
+<interface name="fs_mounton_tmpfs" lineno="5671">
 <summary>
 Mount on tmpfs directories.
 </summary>
@@ -68170,7 +68343,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_mounton_tmpfs_files" lineno="5671">
+<interface name="fs_mounton_tmpfs_files" lineno="5689">
 <summary>
 Mount on tmpfs files.
 </summary>
@@ -68180,7 +68353,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_setattr_tmpfs_dirs" lineno="5689">
+<interface name="fs_setattr_tmpfs_dirs" lineno="5707">
 <summary>
 Set the attributes of tmpfs directories.
 </summary>
@@ -68190,7 +68363,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_search_tmpfs" lineno="5707">
+<interface name="fs_search_tmpfs" lineno="5725">
 <summary>
 Search tmpfs directories.
 </summary>
@@ -68200,7 +68373,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_list_tmpfs" lineno="5725">
+<interface name="fs_list_tmpfs" lineno="5743">
 <summary>
 List the contents of generic tmpfs directories.
 </summary>
@@ -68210,7 +68383,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_dontaudit_list_tmpfs" lineno="5744">
+<interface name="fs_dontaudit_list_tmpfs" lineno="5762">
 <summary>
 Do not audit attempts to list the
 contents of generic tmpfs directories.
@@ -68221,7 +68394,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="fs_manage_tmpfs_dirs" lineno="5763">
+<interface name="fs_manage_tmpfs_dirs" lineno="5781">
 <summary>
 Create, read, write, and delete
 tmpfs directories
@@ -68232,7 +68405,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_dontaudit_write_tmpfs_dirs" lineno="5782">
+<interface name="fs_dontaudit_write_tmpfs_dirs" lineno="5800">
 <summary>
 Do not audit attempts to write
 tmpfs directories
@@ -68243,7 +68416,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="fs_relabelfrom_tmpfs_dirs" lineno="5800">
+<interface name="fs_relabelfrom_tmpfs_dirs" lineno="5818">
 <summary>
 Relabel from tmpfs_t dir
 </summary>
@@ -68253,7 +68426,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_relabel_tmpfs_dirs" lineno="5818">
+<interface name="fs_relabel_tmpfs_dirs" lineno="5836">
 <summary>
 Relabel directory on tmpfs filesystems.
 </summary>
@@ -68263,7 +68436,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_watch_tmpfs_dirs" lineno="5835">
+<interface name="fs_watch_tmpfs_dirs" lineno="5853">
 <summary>
 Watch directories on tmpfs filesystems.
 </summary>
@@ -68273,7 +68446,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_tmpfs_filetrans" lineno="5869">
+<interface name="fs_tmpfs_filetrans" lineno="5887">
 <summary>
 Create an object in a tmpfs filesystem, with a private
 type using a type transition.
@@ -68299,7 +68472,7 @@ The name of the object being created.
 </summary>
 </param>
 </interface>
-<interface name="fs_dontaudit_getattr_tmpfs_files" lineno="5889">
+<interface name="fs_dontaudit_getattr_tmpfs_files" lineno="5907">
 <summary>
 Do not audit attempts to getattr
 generic tmpfs files.
@@ -68310,7 +68483,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="fs_dontaudit_rw_tmpfs_files" lineno="5908">
+<interface name="fs_dontaudit_rw_tmpfs_files" lineno="5926">
 <summary>
 Do not audit attempts to read or write
 generic tmpfs files.
@@ -68321,7 +68494,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="fs_delete_tmpfs_symlinks" lineno="5926">
+<interface name="fs_delete_tmpfs_symlinks" lineno="5944">
 <summary>
 Delete tmpfs symbolic links.
 </summary>
@@ -68331,7 +68504,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_manage_auto_mountpoints" lineno="5945">
+<interface name="fs_manage_auto_mountpoints" lineno="5963">
 <summary>
 Create, read, write, and delete
 auto moutpoints.
@@ -68342,7 +68515,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_read_tmpfs_files" lineno="5963">
+<interface name="fs_read_tmpfs_files" lineno="5981">
 <summary>
 Read generic tmpfs files.
 </summary>
@@ -68352,7 +68525,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_rw_tmpfs_files" lineno="5981">
+<interface name="fs_rw_tmpfs_files" lineno="5999">
 <summary>
 Read and write generic tmpfs files.
 </summary>
@@ -68362,7 +68535,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_relabel_tmpfs_files" lineno="5999">
+<interface name="fs_relabel_tmpfs_files" lineno="6017">
 <summary>
 Relabel files on tmpfs filesystems.
 </summary>
@@ -68372,7 +68545,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_read_tmpfs_symlinks" lineno="6017">
+<interface name="fs_read_tmpfs_symlinks" lineno="6035">
 <summary>
 Read tmpfs link files.
 </summary>
@@ -68382,7 +68555,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_relabelfrom_tmpfs_sockets" lineno="6035">
+<interface name="fs_relabelfrom_tmpfs_sockets" lineno="6053">
 <summary>
 Relabelfrom socket files on tmpfs filesystems.
 </summary>
@@ -68392,7 +68565,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_relabelfrom_tmpfs_symlinks" lineno="6053">
+<interface name="fs_relabelfrom_tmpfs_symlinks" lineno="6071">
 <summary>
 Relabelfrom tmpfs link files.
 </summary>
@@ -68402,7 +68575,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_rw_tmpfs_chr_files" lineno="6071">
+<interface name="fs_rw_tmpfs_chr_files" lineno="6089">
 <summary>
 Read and write character nodes on tmpfs filesystems.
 </summary>
@@ -68412,7 +68585,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_dontaudit_use_tmpfs_chr_dev" lineno="6090">
+<interface name="fs_dontaudit_use_tmpfs_chr_dev" lineno="6108">
 <summary>
 dontaudit Read and write character nodes on tmpfs filesystems.
 </summary>
@@ -68422,7 +68595,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="fs_relabel_tmpfs_chr_files" lineno="6109">
+<interface name="fs_relabel_tmpfs_chr_files" lineno="6127">
 <summary>
 Relabel character nodes on tmpfs filesystems.
 </summary>
@@ -68432,7 +68605,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_rw_tmpfs_blk_files" lineno="6128">
+<interface name="fs_rw_tmpfs_blk_files" lineno="6146">
 <summary>
 Read and write block nodes on tmpfs filesystems.
 </summary>
@@ -68442,7 +68615,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_relabel_tmpfs_blk_files" lineno="6147">
+<interface name="fs_relabel_tmpfs_blk_files" lineno="6165">
 <summary>
 Relabel block nodes on tmpfs filesystems.
 </summary>
@@ -68452,7 +68625,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_relabel_tmpfs_fifo_files" lineno="6166">
+<interface name="fs_relabel_tmpfs_fifo_files" lineno="6184">
 <summary>
 Relabel named pipes on tmpfs filesystems.
 </summary>
@@ -68462,7 +68635,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_manage_tmpfs_files" lineno="6186">
+<interface name="fs_manage_tmpfs_files" lineno="6204">
 <summary>
 Read and write, create and delete generic
 files on tmpfs filesystems.
@@ -68473,7 +68646,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_manage_tmpfs_symlinks" lineno="6205">
+<interface name="fs_manage_tmpfs_symlinks" lineno="6223">
 <summary>
 Read and write, create and delete symbolic
 links on tmpfs filesystems.
@@ -68484,7 +68657,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_manage_tmpfs_sockets" lineno="6224">
+<interface name="fs_manage_tmpfs_sockets" lineno="6242">
 <summary>
 Read and write, create and delete socket
 files on tmpfs filesystems.
@@ -68495,7 +68668,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_manage_tmpfs_chr_files" lineno="6243">
+<interface name="fs_manage_tmpfs_chr_files" lineno="6261">
 <summary>
 Read and write, create and delete character
 nodes on tmpfs filesystems.
@@ -68506,7 +68679,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_manage_tmpfs_blk_files" lineno="6262">
+<interface name="fs_manage_tmpfs_blk_files" lineno="6280">
 <summary>
 Read and write, create and delete block nodes
 on tmpfs filesystems.
@@ -68517,7 +68690,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_getattr_tracefs" lineno="6280">
+<interface name="fs_getattr_tracefs" lineno="6298">
 <summary>
 Get the attributes of a trace filesystem.
 </summary>
@@ -68527,7 +68700,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_getattr_tracefs_dirs" lineno="6298">
+<interface name="fs_getattr_tracefs_dirs" lineno="6316">
 <summary>
 Get attributes of dirs on tracefs filesystem.
 </summary>
@@ -68537,7 +68710,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_search_tracefs" lineno="6316">
+<interface name="fs_search_tracefs" lineno="6334">
 <summary>
 search directories on a tracefs filesystem
 </summary>
@@ -68547,7 +68720,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_getattr_tracefs_files" lineno="6335">
+<interface name="fs_getattr_tracefs_files" lineno="6353">
 <summary>
 Get the attributes of files
 on a trace filesystem.
@@ -68558,7 +68731,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_rw_tracefs_files" lineno="6353">
+<interface name="fs_rw_tracefs_files" lineno="6371">
 <summary>
 Read/write trace filesystem files
 </summary>
@@ -68568,7 +68741,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_create_tracefs_dirs" lineno="6372">
+<interface name="fs_create_tracefs_dirs" lineno="6390">
 <summary>
 create trace filesystem directories
 </summary>
@@ -68578,7 +68751,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_mount_xenfs" lineno="6390">
+<interface name="fs_mount_xenfs" lineno="6408">
 <summary>
 Mount a XENFS filesystem.
 </summary>
@@ -68588,7 +68761,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_search_xenfs" lineno="6408">
+<interface name="fs_search_xenfs" lineno="6426">
 <summary>
 Search the XENFS filesystem.
 </summary>
@@ -68598,7 +68771,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_manage_xenfs_dirs" lineno="6428">
+<interface name="fs_manage_xenfs_dirs" lineno="6446">
 <summary>
 Create, read, write, and delete directories
 on a XENFS filesystem.
@@ -68610,7 +68783,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="fs_dontaudit_manage_xenfs_dirs" lineno="6448">
+<interface name="fs_dontaudit_manage_xenfs_dirs" lineno="6466">
 <summary>
 Do not audit attempts to create, read,
 write, and delete directories
@@ -68622,7 +68795,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="fs_manage_xenfs_files" lineno="6468">
+<interface name="fs_manage_xenfs_files" lineno="6486">
 <summary>
 Create, read, write, and delete files
 on a XENFS filesystem.
@@ -68634,7 +68807,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="fs_mmap_xenfs_files" lineno="6486">
+<interface name="fs_mmap_xenfs_files" lineno="6504">
 <summary>
 Map files a XENFS filesystem.
 </summary>
@@ -68644,7 +68817,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_dontaudit_manage_xenfs_files" lineno="6506">
+<interface name="fs_dontaudit_manage_xenfs_files" lineno="6524">
 <summary>
 Do not audit attempts to create,
 read, write, and delete files
@@ -68656,7 +68829,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="fs_mount_all_fs" lineno="6524">
+<interface name="fs_mount_all_fs" lineno="6542">
 <summary>
 Mount all filesystems.
 </summary>
@@ -68666,7 +68839,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_remount_all_fs" lineno="6543">
+<interface name="fs_remount_all_fs" lineno="6561">
 <summary>
 Remount all filesystems.  This
 allows some mount options to be changed.
@@ -68677,7 +68850,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_unmount_all_fs" lineno="6561">
+<interface name="fs_unmount_all_fs" lineno="6579">
 <summary>
 Unmount all filesystems.
 </summary>
@@ -68687,7 +68860,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_getattr_all_fs" lineno="6593">
+<interface name="fs_getattr_all_fs" lineno="6611">
 <summary>
 Get the attributes of all filesystems.
 </summary>
@@ -68711,7 +68884,7 @@ Domain allowed access.
 <infoflow type="read" weight="5"/>
 <rolecap/>
 </interface>
-<interface name="fs_dontaudit_getattr_all_fs" lineno="6613">
+<interface name="fs_dontaudit_getattr_all_fs" lineno="6631">
 <summary>
 Do not audit attempts to get the attributes
 all filesystems.
@@ -68722,7 +68895,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="fs_get_all_fs_quotas" lineno="6632">
+<interface name="fs_get_all_fs_quotas" lineno="6650">
 <summary>
 Get the quotas of all filesystems.
 </summary>
@@ -68733,7 +68906,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="fs_set_all_quotas" lineno="6651">
+<interface name="fs_set_all_quotas" lineno="6669">
 <summary>
 Set the quotas of all filesystems.
 </summary>
@@ -68744,7 +68917,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="fs_relabelfrom_all_fs" lineno="6669">
+<interface name="fs_relabelfrom_all_fs" lineno="6687">
 <summary>
 Relabelfrom all filesystems.
 </summary>
@@ -68754,7 +68927,18 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_getattr_all_dirs" lineno="6688">
+<interface name="fs_watch_all_fs" lineno="6706">
+<summary>
+Watch all filesystems.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="fs_getattr_all_dirs" lineno="6725">
 <summary>
 Get the attributes of all directories
 with a filesystem type.
@@ -68765,7 +68949,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_search_all" lineno="6706">
+<interface name="fs_search_all" lineno="6743">
 <summary>
 Search all directories with a filesystem type.
 </summary>
@@ -68775,7 +68959,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_list_all" lineno="6724">
+<interface name="fs_list_all" lineno="6761">
 <summary>
 List all directories with a filesystem type.
 </summary>
@@ -68785,7 +68969,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_getattr_all_files" lineno="6743">
+<interface name="fs_getattr_all_files" lineno="6780">
 <summary>
 Get the attributes of all files with
 a filesystem type.
@@ -68796,7 +68980,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_dontaudit_getattr_all_files" lineno="6762">
+<interface name="fs_dontaudit_getattr_all_files" lineno="6799">
 <summary>
 Do not audit attempts to get the attributes
 of all files with a filesystem type.
@@ -68807,7 +68991,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="fs_getattr_all_symlinks" lineno="6781">
+<interface name="fs_getattr_all_symlinks" lineno="6818">
 <summary>
 Get the attributes of all symbolic links with
 a filesystem type.
@@ -68818,7 +69002,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_dontaudit_getattr_all_symlinks" lineno="6800">
+<interface name="fs_dontaudit_getattr_all_symlinks" lineno="6837">
 <summary>
 Do not audit attempts to get the attributes
 of all symbolic links with a filesystem type.
@@ -68829,7 +69013,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="fs_getattr_all_pipes" lineno="6819">
+<interface name="fs_getattr_all_pipes" lineno="6856">
 <summary>
 Get the attributes of all named pipes with
 a filesystem type.
@@ -68840,7 +69024,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_dontaudit_getattr_all_pipes" lineno="6838">
+<interface name="fs_dontaudit_getattr_all_pipes" lineno="6875">
 <summary>
 Do not audit attempts to get the attributes
 of all named pipes with a filesystem type.
@@ -68851,7 +69035,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="fs_getattr_all_sockets" lineno="6857">
+<interface name="fs_getattr_all_sockets" lineno="6894">
 <summary>
 Get the attributes of all named sockets with
 a filesystem type.
@@ -68862,7 +69046,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_dontaudit_getattr_all_sockets" lineno="6876">
+<interface name="fs_dontaudit_getattr_all_sockets" lineno="6913">
 <summary>
 Do not audit attempts to get the attributes
 of all named sockets with a filesystem type.
@@ -68873,7 +69057,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="fs_getattr_all_blk_files" lineno="6895">
+<interface name="fs_getattr_all_blk_files" lineno="6932">
 <summary>
 Get the attributes of all block device nodes with
 a filesystem type.
@@ -68884,7 +69068,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_getattr_all_chr_files" lineno="6914">
+<interface name="fs_getattr_all_chr_files" lineno="6951">
 <summary>
 Get the attributes of all character device nodes with
 a filesystem type.
@@ -68895,7 +69079,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="fs_unconfined" lineno="6932">
+<interface name="fs_unconfined" lineno="6969">
 <summary>
 Unconfined access to filesystems
 </summary>
@@ -70521,7 +70705,17 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kernel_delete_unlabeled_dirs" lineno="2898">
+<interface name="kernel_create_unlabeled_dirs" lineno="2898">
+<summary>
+Create unlabeled directories.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="kernel_delete_unlabeled_dirs" lineno="2916">
 <summary>
 Delete unlabeled directories.
 </summary>
@@ -70531,7 +70725,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kernel_manage_unlabeled_dirs" lineno="2916">
+<interface name="kernel_manage_unlabeled_dirs" lineno="2934">
 <summary>
 Create, read, write, and delete unlabeled directories.
 </summary>
@@ -70541,7 +70735,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kernel_mounton_unlabeled_dirs" lineno="2934">
+<interface name="kernel_mounton_unlabeled_dirs" lineno="2952">
 <summary>
 Mount a filesystem on an unlabeled directory.
 </summary>
@@ -70551,7 +70745,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kernel_read_unlabeled_files" lineno="2952">
+<interface name="kernel_read_unlabeled_files" lineno="2970">
 <summary>
 Read unlabeled files.
 </summary>
@@ -70561,7 +70755,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kernel_rw_unlabeled_files" lineno="2970">
+<interface name="kernel_rw_unlabeled_files" lineno="2988">
 <summary>
 Read and write unlabeled files.
 </summary>
@@ -70571,7 +70765,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kernel_delete_unlabeled_files" lineno="2988">
+<interface name="kernel_delete_unlabeled_files" lineno="3006">
 <summary>
 Delete unlabeled files.
 </summary>
@@ -70581,7 +70775,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kernel_manage_unlabeled_files" lineno="3006">
+<interface name="kernel_manage_unlabeled_files" lineno="3024">
 <summary>
 Create, read, write, and delete unlabeled files.
 </summary>
@@ -70591,7 +70785,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kernel_dontaudit_getattr_unlabeled_files" lineno="3025">
+<interface name="kernel_dontaudit_getattr_unlabeled_files" lineno="3043">
 <summary>
 Do not audit attempts by caller to get the
 attributes of an unlabeled file.
@@ -70602,7 +70796,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="kernel_dontaudit_read_unlabeled_files" lineno="3044">
+<interface name="kernel_dontaudit_read_unlabeled_files" lineno="3062">
 <summary>
 Do not audit attempts by caller to
 read an unlabeled file.
@@ -70613,7 +70807,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="kernel_unlabeled_filetrans" lineno="3078">
+<interface name="kernel_unlabeled_filetrans" lineno="3096">
 <summary>
 Create an object in unlabeled directories
 with a private type.
@@ -70639,7 +70833,7 @@ The name of the object being created.
 </summary>
 </param>
 </interface>
-<interface name="kernel_delete_unlabeled_symlinks" lineno="3096">
+<interface name="kernel_delete_unlabeled_symlinks" lineno="3114">
 <summary>
 Delete unlabeled symbolic links.
 </summary>
@@ -70649,7 +70843,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kernel_manage_unlabeled_symlinks" lineno="3114">
+<interface name="kernel_manage_unlabeled_symlinks" lineno="3132">
 <summary>
 Create, read, write, and delete unlabeled symbolic links.
 </summary>
@@ -70659,7 +70853,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kernel_dontaudit_getattr_unlabeled_symlinks" lineno="3133">
+<interface name="kernel_dontaudit_getattr_unlabeled_symlinks" lineno="3151">
 <summary>
 Do not audit attempts by caller to get the
 attributes of unlabeled symbolic links.
@@ -70670,7 +70864,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="kernel_dontaudit_getattr_unlabeled_pipes" lineno="3152">
+<interface name="kernel_dontaudit_getattr_unlabeled_pipes" lineno="3170">
 <summary>
 Do not audit attempts by caller to get the
 attributes of unlabeled named pipes.
@@ -70681,7 +70875,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="kernel_dontaudit_getattr_unlabeled_sockets" lineno="3171">
+<interface name="kernel_dontaudit_getattr_unlabeled_sockets" lineno="3189">
 <summary>
 Do not audit attempts by caller to get the
 attributes of unlabeled named sockets.
@@ -70692,7 +70886,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="kernel_dontaudit_getattr_unlabeled_blk_files" lineno="3190">
+<interface name="kernel_dontaudit_getattr_unlabeled_blk_files" lineno="3208">
 <summary>
 Do not audit attempts by caller to get attributes for
 unlabeled block devices.
@@ -70703,7 +70897,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="kernel_rw_unlabeled_blk_files" lineno="3208">
+<interface name="kernel_rw_unlabeled_blk_files" lineno="3226">
 <summary>
 Read and write unlabeled block device nodes.
 </summary>
@@ -70713,7 +70907,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kernel_delete_unlabeled_blk_files" lineno="3226">
+<interface name="kernel_delete_unlabeled_blk_files" lineno="3244">
 <summary>
 Delete unlabeled block device nodes.
 </summary>
@@ -70723,7 +70917,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kernel_manage_unlabeled_blk_files" lineno="3244">
+<interface name="kernel_manage_unlabeled_blk_files" lineno="3262">
 <summary>
 Create, read, write, and delete unlabeled block device nodes.
 </summary>
@@ -70733,7 +70927,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kernel_dontaudit_getattr_unlabeled_chr_files" lineno="3263">
+<interface name="kernel_dontaudit_getattr_unlabeled_chr_files" lineno="3281">
 <summary>
 Do not audit attempts by caller to get attributes for
 unlabeled character devices.
@@ -70744,7 +70938,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="kernel_dontaudit_write_unlabeled_chr_files" lineno="3282">
+<interface name="kernel_dontaudit_write_unlabeled_chr_files" lineno="3300">
 <summary>
 Do not audit attempts to
 write unlabeled character devices.
@@ -70755,7 +70949,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="kernel_delete_unlabeled_chr_files" lineno="3300">
+<interface name="kernel_delete_unlabeled_chr_files" lineno="3318">
 <summary>
 Delete unlabeled character device nodes.
 </summary>
@@ -70765,7 +70959,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kernel_manage_unlabeled_chr_files" lineno="3319">
+<interface name="kernel_manage_unlabeled_chr_files" lineno="3337">
 <summary>
 Create, read, write, and delete unlabeled character device nodes.
 </summary>
@@ -70775,7 +70969,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kernel_relabelfrom_unlabeled_dirs" lineno="3337">
+<interface name="kernel_relabelfrom_unlabeled_dirs" lineno="3355">
 <summary>
 Allow caller to relabel unlabeled directories.
 </summary>
@@ -70785,7 +70979,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kernel_relabelfrom_unlabeled_files" lineno="3355">
+<interface name="kernel_relabelfrom_unlabeled_files" lineno="3373">
 <summary>
 Allow caller to relabel unlabeled files.
 </summary>
@@ -70795,7 +70989,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kernel_relabelfrom_unlabeled_symlinks" lineno="3374">
+<interface name="kernel_relabelfrom_unlabeled_symlinks" lineno="3392">
 <summary>
 Allow caller to relabel unlabeled symbolic links.
 </summary>
@@ -70805,7 +70999,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kernel_relabelfrom_unlabeled_pipes" lineno="3393">
+<interface name="kernel_relabelfrom_unlabeled_pipes" lineno="3411">
 <summary>
 Allow caller to relabel unlabeled named pipes.
 </summary>
@@ -70815,7 +71009,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kernel_delete_unlabeled_pipes" lineno="3412">
+<interface name="kernel_delete_unlabeled_pipes" lineno="3430">
 <summary>
 Delete unlabeled named pipes
 </summary>
@@ -70825,7 +71019,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kernel_relabelfrom_unlabeled_sockets" lineno="3430">
+<interface name="kernel_relabelfrom_unlabeled_sockets" lineno="3448">
 <summary>
 Allow caller to relabel unlabeled named sockets.
 </summary>
@@ -70835,7 +71029,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kernel_delete_unlabeled_sockets" lineno="3449">
+<interface name="kernel_delete_unlabeled_sockets" lineno="3467">
 <summary>
 Delete unlabeled named sockets.
 </summary>
@@ -70845,7 +71039,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kernel_relabelfrom_unlabeled_blk_devs" lineno="3467">
+<interface name="kernel_relabelfrom_unlabeled_blk_devs" lineno="3485">
 <summary>
 Allow caller to relabel from unlabeled block devices.
 </summary>
@@ -70855,7 +71049,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kernel_relabelfrom_unlabeled_chr_devs" lineno="3485">
+<interface name="kernel_relabelfrom_unlabeled_chr_devs" lineno="3503">
 <summary>
 Allow caller to relabel from unlabeled character devices.
 </summary>
@@ -70865,7 +71059,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kernel_setattr_all_unlabeled" lineno="3504">
+<interface name="kernel_setattr_all_unlabeled" lineno="3522">
 <summary>
 Allow caller set the attributes on all unlabeled
 directory and file objects.
@@ -70876,7 +71070,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kernel_sendrecv_unlabeled_association" lineno="3537">
+<interface name="kernel_sendrecv_unlabeled_association" lineno="3555">
 <summary>
 Send and receive messages from an
 unlabeled IPSEC association.
@@ -70901,7 +71095,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kernel_dontaudit_sendrecv_unlabeled_association" lineno="3570">
+<interface name="kernel_dontaudit_sendrecv_unlabeled_association" lineno="3588">
 <summary>
 Do not audit attempts to send and receive messages
 from an	unlabeled IPSEC association.
@@ -70926,7 +71120,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="kernel_tcp_recvfrom_unlabeled" lineno="3597">
+<interface name="kernel_tcp_recvfrom_unlabeled" lineno="3615">
 <summary>
 Receive TCP packets from an unlabeled connection.
 </summary>
@@ -70945,7 +71139,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kernel_dontaudit_tcp_recvfrom_unlabeled" lineno="3626">
+<interface name="kernel_dontaudit_tcp_recvfrom_unlabeled" lineno="3644">
 <summary>
 Do not audit attempts to receive TCP packets from an unlabeled
 connection.
@@ -70966,7 +71160,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="kernel_udp_recvfrom_unlabeled" lineno="3653">
+<interface name="kernel_udp_recvfrom_unlabeled" lineno="3671">
 <summary>
 Receive UDP packets from an unlabeled connection.
 </summary>
@@ -70985,7 +71179,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kernel_dontaudit_udp_recvfrom_unlabeled" lineno="3682">
+<interface name="kernel_dontaudit_udp_recvfrom_unlabeled" lineno="3700">
 <summary>
 Do not audit attempts to receive UDP packets from an unlabeled
 connection.
@@ -71006,7 +71200,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="kernel_raw_recvfrom_unlabeled" lineno="3709">
+<interface name="kernel_raw_recvfrom_unlabeled" lineno="3727">
 <summary>
 Receive Raw IP packets from an unlabeled connection.
 </summary>
@@ -71025,7 +71219,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kernel_dontaudit_raw_recvfrom_unlabeled" lineno="3738">
+<interface name="kernel_dontaudit_raw_recvfrom_unlabeled" lineno="3756">
 <summary>
 Do not audit attempts to receive Raw IP packets from an unlabeled
 connection.
@@ -71046,7 +71240,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="kernel_sendrecv_unlabeled_packets" lineno="3768">
+<interface name="kernel_sendrecv_unlabeled_packets" lineno="3786">
 <summary>
 Send and receive unlabeled packets.
 </summary>
@@ -71068,7 +71262,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kernel_recvfrom_unlabeled_peer" lineno="3796">
+<interface name="kernel_recvfrom_unlabeled_peer" lineno="3814">
 <summary>
 Receive packets from an unlabeled peer.
 </summary>
@@ -71088,7 +71282,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kernel_dontaudit_recvfrom_unlabeled_peer" lineno="3824">
+<interface name="kernel_dontaudit_recvfrom_unlabeled_peer" lineno="3842">
 <summary>
 Do not audit attempts to receive packets from an unlabeled peer.
 </summary>
@@ -71108,7 +71302,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="kernel_relabelfrom_unlabeled_database" lineno="3842">
+<interface name="kernel_relabelfrom_unlabeled_database" lineno="3860">
 <summary>
 Relabel from unlabeled database objects.
 </summary>
@@ -71118,7 +71312,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kernel_unconfined" lineno="3879">
+<interface name="kernel_unconfined" lineno="3897">
 <summary>
 Unconfined access to kernel module resources.
 </summary>
@@ -71128,7 +71322,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kernel_read_vm_overcommit_sysctl" lineno="3899">
+<interface name="kernel_read_vm_overcommit_sysctl" lineno="3917">
 <summary>
 Read virtual memory overcommit sysctl.
 </summary>
@@ -71139,7 +71333,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="kernel_rw_vm_overcommit_sysctl" lineno="3919">
+<interface name="kernel_rw_vm_overcommit_sysctl" lineno="3937">
 <summary>
 Read and write virtual memory overcommit sysctl.
 </summary>
@@ -71150,7 +71344,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="kernel_ib_access_unlabeled_pkeys" lineno="3938">
+<interface name="kernel_ib_access_unlabeled_pkeys" lineno="3956">
 <summary>
 Access unlabeled infiniband pkeys.
 </summary>
@@ -71160,7 +71354,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kernel_ib_manage_subnet_unlabeled_endports" lineno="3956">
+<interface name="kernel_ib_manage_subnet_unlabeled_endports" lineno="3974">
 <summary>
 Manage subnet on unlabeled Infiniband endports.
 </summary>
@@ -72294,7 +72488,7 @@ enforcing mode.  Set this to true and you have to reboot to set it back.
 <bool name="secure_mode_setbool" dftval="false">
 <desc>
 <p>
-Boolean to determine whether the system permits setting Booelan values.
+Boolean to determine whether the system permits setting Boolean values.
 </p>
 </desc>
 </bool>
@@ -76751,7 +76945,19 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="bluetooth_domtrans" lineno="99">
+<interface name="bluetooth_use" lineno="101">
+<summary>
+Connect to bluetooth over a unix domain
+stream socket. The socket can be used
+for read and write.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="bluetooth_domtrans" lineno="123">
 <summary>
 Execute bluetooth in the bluetooth domain.
 </summary>
@@ -76761,7 +76967,7 @@ Domain allowed to transition.
 </summary>
 </param>
 </interface>
-<interface name="bluetooth_read_config" lineno="118">
+<interface name="bluetooth_read_config" lineno="142">
 <summary>
 Read bluetooth configuration files.
 </summary>
@@ -76771,7 +76977,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="bluetooth_dbus_chat" lineno="137">
+<interface name="bluetooth_dbus_chat" lineno="161">
 <summary>
 Send and receive messages from
 bluetooth over dbus.
@@ -76782,7 +76988,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="bluetooth_dontaudit_read_helper_state" lineno="158">
+<interface name="bluetooth_dontaudit_read_helper_state" lineno="182">
 <summary>
 Do not audit attempts to read
 bluetooth process state files.
@@ -76793,7 +76999,19 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="bluetooth_admin" lineno="184">
+<interface name="bluetooth_use_inherited_helper_stream_sockets" lineno="204">
+<summary>
+Connect to bluetooth over a unix domain
+stream socket. The socket can be used
+for read and write. This is required for
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="bluetooth_admin" lineno="230">
 <summary>
 All of the rules required to
 administrate an bluetooth environment.
@@ -78472,7 +78690,18 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="container_manage_engine_tmp_files" lineno="494">
+<interface name="container_read_engine_tmp_files" lineno="494">
+<summary>
+Allow the specified domain to read
+container engine temporary files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="container_manage_engine_tmp_files" lineno="514">
 <summary>
 Allow the specified domain to manage
 container engine temporary files.
@@ -78483,7 +78712,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="container_manage_engine_tmp_sock_files" lineno="514">
+<interface name="container_manage_engine_tmp_sock_files" lineno="534">
 <summary>
 Allow the specified domain to manage
 container engine temporary named sockets.
@@ -78494,7 +78723,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="container_engine_tmp_filetrans" lineno="546">
+<interface name="container_engine_tmp_filetrans" lineno="566">
 <summary>
 Allow the specified domain to create
 objects in generic temporary directories
@@ -78517,7 +78746,7 @@ The name of the object being created.
 </summary>
 </param>
 </interface>
-<interface name="container_read_all_container_state" lineno="565">
+<interface name="container_read_all_container_state" lineno="585">
 <summary>
 Read the process state (/proc/pid)
 of all containers.
@@ -78528,7 +78757,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="container_read_system_container_state" lineno="584">
+<interface name="container_read_system_container_state" lineno="604">
 <summary>
 Read the process state (/proc/pid)
 of all system containers.
@@ -78539,7 +78768,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="container_read_user_container_state" lineno="603">
+<interface name="container_read_user_container_state" lineno="623">
 <summary>
 Read the process state (/proc/pid)
 of all user containers.
@@ -78550,7 +78779,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="container_read_all_container_engine_state" lineno="622">
+<interface name="container_read_all_container_engine_state" lineno="642">
 <summary>
 Read the process state (/proc/pid)
 of all container engines.
@@ -78561,7 +78790,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="container_manage_all_containers" lineno="642">
+<interface name="container_manage_all_containers" lineno="662">
 <summary>
 All of the permissions necessary
 for a container engine to manage
@@ -78573,7 +78802,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="container_domtrans" lineno="662">
+<interface name="container_domtrans" lineno="682">
 <summary>
 Allow the specified domain to
 perform a type transition to
@@ -78585,7 +78814,7 @@ Domain allowed to transition.
 </summary>
 </param>
 </interface>
-<interface name="container_fusefs_domtrans_spc" lineno="682">
+<interface name="container_fusefs_domtrans_spc" lineno="702">
 <summary>
 Execute FUSEFS files with a type
 transition to the super privileged
@@ -78597,7 +78826,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="container_stream_connect_system_engine" lineno="701">
+<interface name="container_stream_connect_system_engine" lineno="721">
 <summary>
 Connect to a system container engine
 domain over a unix stream socket.
@@ -78608,7 +78837,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="container_stream_connect_system_containers" lineno="723">
+<interface name="container_stream_connect_system_containers" lineno="743">
 <summary>
 Connect to a system container domain
 over a unix stream socket.
@@ -78619,7 +78848,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="container_stream_connect_user_containers" lineno="745">
+<interface name="container_stream_connect_user_containers" lineno="765">
 <summary>
 Connect to a user container domain
 over a unix stream socket.
@@ -78630,7 +78859,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="container_stream_connect_spc" lineno="767">
+<interface name="container_stream_connect_spc" lineno="787">
 <summary>
 Connect to super privileged containers
 over a unix stream socket.
@@ -78641,7 +78870,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="container_rw_spc_tcp_sockets" lineno="789">
+<interface name="container_rw_spc_tcp_sockets" lineno="809">
 <summary>
 Read and write super privileged
 container TCP sockets.
@@ -78652,7 +78881,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="container_stream_connect_all_containers" lineno="808">
+<interface name="container_stream_connect_all_containers" lineno="828">
 <summary>
 Connect to a container domain
 over a unix stream socket.
@@ -78663,7 +78892,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="container_stream_connect_spec_container" lineno="830">
+<interface name="container_stream_connect_spec_container" lineno="850">
 <summary>
 Connect to the specified container
 domain over a unix stream socket.
@@ -78674,7 +78903,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="container_kill_all_containers" lineno="851">
+<interface name="container_kill_all_containers" lineno="871">
 <summary>
 Allow the specified domain to
 send a kill signal to all containers.
@@ -78685,7 +78914,7 @@ Domain allowed to transition.
 </summary>
 </param>
 </interface>
-<interface name="container_signal_all_containers" lineno="871">
+<interface name="container_signal_all_containers" lineno="891">
 <summary>
 Allow the specified domain to
 send all signals to a container
@@ -78697,7 +78926,17 @@ Domain allowed to transition.
 </summary>
 </param>
 </interface>
-<interface name="container_dev_filetrans" lineno="900">
+<interface name="container_signal_system_containers" lineno="909">
+<summary>
+Send signals to a system container.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="container_dev_filetrans" lineno="938">
 <summary>
 Create objects in /dev with an automatic
 transition to the container device type.
@@ -78718,7 +78957,7 @@ The name of the object being created.
 </summary>
 </param>
 </interface>
-<interface name="container_rw_device_files" lineno="918">
+<interface name="container_rw_device_files" lineno="956">
 <summary>
 Read and write container device files.
 </summary>
@@ -78728,7 +78967,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="container_manage_device_files" lineno="936">
+<interface name="container_manage_device_files" lineno="974">
 <summary>
 Manage container device files.
 </summary>
@@ -78738,7 +78977,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="container_getattr_device_blk_files" lineno="955">
+<interface name="container_getattr_device_blk_files" lineno="993">
 <summary>
 Get the attributes of container device
 block files.
@@ -78749,7 +78988,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="container_read_device_blk_files" lineno="973">
+<interface name="container_read_device_blk_files" lineno="1011">
 <summary>
 Read container device block files.
 </summary>
@@ -78759,7 +78998,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="container_mounton_all_devices" lineno="991">
+<interface name="container_mounton_all_devices" lineno="1029">
 <summary>
 Mount on all container devices.
 </summary>
@@ -78769,7 +79008,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="container_setattr_container_ptys" lineno="1009">
+<interface name="container_setattr_container_ptys" lineno="1047">
 <summary>
 Set the attributes of container ptys.
 </summary>
@@ -78779,7 +79018,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="container_use_container_ptys" lineno="1027">
+<interface name="container_use_container_ptys" lineno="1065">
 <summary>
 Read and write container ptys.
 </summary>
@@ -78789,7 +79028,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="container_mountpoint" lineno="1046">
+<interface name="container_mountpoint" lineno="1084">
 <summary>
 Make the specified type usable as a mountpoint
 for containers.
@@ -78800,7 +79039,7 @@ Type to be used as a mountpoint.
 </summary>
 </param>
 </interface>
-<interface name="container_list_plugin_dirs" lineno="1066">
+<interface name="container_list_plugin_dirs" lineno="1104">
 <summary>
 Allow the specified domain to
 list the contents of container
@@ -78812,7 +79051,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="container_watch_plugin_dirs" lineno="1086">
+<interface name="container_watch_plugin_dirs" lineno="1124">
 <summary>
 Allow the specified domain to
 add a watch on container plugin
@@ -78824,7 +79063,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="container_manage_plugin_files" lineno="1105">
+<interface name="container_manage_plugin_files" lineno="1143">
 <summary>
 Allow the specified domain to
 manage container plugin files.
@@ -78835,7 +79074,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="container_exec_plugins" lineno="1124">
+<interface name="container_exec_plugins" lineno="1162">
 <summary>
 Allow the specified domain to
 execute container plugins.
@@ -78846,7 +79085,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="container_search_config" lineno="1144">
+<interface name="container_search_config" lineno="1182">
 <summary>
 Allow the specified domain to
 search container config directories.
@@ -78857,7 +79096,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="container_read_config" lineno="1164">
+<interface name="container_read_config" lineno="1202">
 <summary>
 Allow the specified domain to
 read container config files.
@@ -78868,7 +79107,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="container_watch_config_dirs" lineno="1184">
+<interface name="container_watch_config_dirs" lineno="1222">
 <summary>
 Allow the specified domain to
 watch container config directories.
@@ -78879,7 +79118,18 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="container_create_config_files" lineno="1203">
+<interface name="container_create_config_dirs" lineno="1241">
+<summary>
+Allow the specified domain to
+create container config directories.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="container_create_config_files" lineno="1260">
 <summary>
 Allow the specified domain to
 create container config files.
@@ -78890,7 +79140,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="container_rw_config_files" lineno="1222">
+<interface name="container_rw_config_files" lineno="1279">
 <summary>
 Allow the specified domain to read
 and write container config files.
@@ -78901,7 +79151,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="container_manage_config_files" lineno="1241">
+<interface name="container_manage_config_files" lineno="1298">
 <summary>
 Allow the specified domain to
 manage container config files.
@@ -78912,7 +79162,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="container_file_root_filetrans" lineno="1262">
+<interface name="container_file_root_filetrans" lineno="1319">
 <summary>
 Allow the specified domain to
 create container files in the
@@ -78925,7 +79175,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="container_manage_dirs" lineno="1281">
+<interface name="container_manage_dirs" lineno="1338">
 <summary>
 Allow the specified domain to
 manage container file directories.
@@ -78936,7 +79186,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="container_watch_dirs" lineno="1300">
+<interface name="container_watch_dirs" lineno="1357">
 <summary>
 Allow the specified domain to
 watch container file directories.
@@ -78947,7 +79197,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="container_manage_files" lineno="1319">
+<interface name="container_manage_files" lineno="1376">
 <summary>
 Allow the specified domain to
 manage container files.
@@ -78958,7 +79208,17 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="container_dontaudit_relabel_dirs" lineno="1338">
+<interface name="container_ioctl_files" lineno="1394">
+<summary>
+IOCTL container files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="container_dontaudit_relabel_dirs" lineno="1413">
 <summary>
 Do not audit attempts to relabel
 container file directories.
@@ -78969,7 +79229,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="container_dontaudit_relabel_files" lineno="1357">
+<interface name="container_dontaudit_relabel_files" lineno="1432">
 <summary>
 Do not audit attempts to relabel
 container files.
@@ -78980,7 +79240,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="container_manage_lnk_files" lineno="1376">
+<interface name="container_manage_lnk_files" lineno="1451">
 <summary>
 Allow the specified domain to
 manage container lnk files.
@@ -78991,7 +79251,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="container_rw_fifo_files" lineno="1395">
+<interface name="container_rw_fifo_files" lineno="1470">
 <summary>
 Allow the specified domain to
 read and write container fifo files.
@@ -79002,7 +79262,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="container_manage_fifo_files" lineno="1414">
+<interface name="container_manage_fifo_files" lineno="1489">
 <summary>
 Allow the specified domain to
 manage container fifo files.
@@ -79013,7 +79273,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="container_manage_sock_files" lineno="1433">
+<interface name="container_manage_sock_files" lineno="1508">
 <summary>
 Allow the specified domain to
 manage container sock files.
@@ -79024,7 +79284,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="container_rw_chr_files" lineno="1452">
+<interface name="container_rw_chr_files" lineno="1527">
 <summary>
 Allow the specified domain to read
 and write container chr files.
@@ -79035,7 +79295,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="container_dontaudit_rw_chr_files" lineno="1471">
+<interface name="container_dontaudit_rw_chr_files" lineno="1546">
 <summary>
 Do not audit attempts to read
 and write container chr files.
@@ -79046,7 +79306,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="container_manage_chr_files" lineno="1490">
+<interface name="container_manage_chr_files" lineno="1565">
 <summary>
 Allow the specified domain to
 manage container chr files.
@@ -79057,7 +79317,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="container_spec_filetrans_file" lineno="1526">
+<interface name="container_spec_filetrans_file" lineno="1601">
 <summary>
 Allow the specified domain to create
 objects in specified directories with
@@ -79085,7 +79345,7 @@ The name of the object being created.
 </summary>
 </param>
 </interface>
-<interface name="container_getattr_all_files" lineno="1546">
+<interface name="container_getattr_all_files" lineno="1621">
 <summary>
 Allow the specified domain to get
 the attributes of all container
@@ -79097,7 +79357,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="container_list_ro_dirs" lineno="1566">
+<interface name="container_list_ro_dirs" lineno="1641">
 <summary>
 Allow the specified domain to list
 the contents of read-only container
@@ -79109,7 +79369,19 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="container_getattr_all_ro_files" lineno="1586">
+<interface name="container_getattr_all_ro_chr_files" lineno="1661">
+<summary>
+Allow the specified domain to get
+the attributes of all read-only
+container file character devices.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="container_getattr_all_ro_files" lineno="1681">
 <summary>
 Allow the specified domain to get
 the attributes of all read-only
@@ -79121,7 +79393,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="container_read_home_config" lineno="1604">
+<interface name="container_read_home_config" lineno="1699">
 <summary>
 Read container config home content.
 </summary>
@@ -79131,7 +79403,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="container_manage_home_config" lineno="1625">
+<interface name="container_manage_home_config" lineno="1720">
 <summary>
 Allow the specified domain to
 manage container config home content.
@@ -79142,7 +79414,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="container_config_home_filetrans" lineno="1657">
+<interface name="container_config_home_filetrans" lineno="1752">
 <summary>
 Allow the specified domain to create
 objects in an xdg_config directory
@@ -79165,7 +79437,7 @@ The name of the object being created.
 </summary>
 </param>
 </interface>
-<interface name="container_manage_home_data_files" lineno="1677">
+<interface name="container_manage_home_data_files" lineno="1772">
 <summary>
 Allow the specified domain to
 manage container data home files.
@@ -79176,7 +79448,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="container_manage_home_data_fifo_files" lineno="1697">
+<interface name="container_manage_home_data_fifo_files" lineno="1792">
 <summary>
 Allow the specified domain to
 manage container data home named
@@ -79188,7 +79460,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="container_manage_home_data_sock_files" lineno="1717">
+<interface name="container_manage_home_data_sock_files" lineno="1812">
 <summary>
 Allow the specified domain to
 manage container data home named
@@ -79200,7 +79472,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="container_admin_all_files" lineno="1735">
+<interface name="container_admin_all_files" lineno="1830">
 <summary>
 Administrate all container files.
 </summary>
@@ -79210,7 +79482,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="container_admin_all_ro_files" lineno="1755">
+<interface name="container_admin_all_ro_files" lineno="1850">
 <summary>
 Administrate all container read-only files.
 </summary>
@@ -79220,7 +79492,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="container_admin_all_user_runtime_content" lineno="1777">
+<interface name="container_admin_all_user_runtime_content" lineno="1872">
 <summary>
 All of the rules necessary for a user
 to manage user container runtime data
@@ -79232,7 +79504,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="container_manage_all_home_content" lineno="1797">
+<interface name="container_manage_all_home_content" lineno="1892">
 <summary>
 All of the rules necessary for a user
 to manage container data in their home
@@ -79244,7 +79516,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="container_relabel_all_content" lineno="1841">
+<interface name="container_relabel_all_content" lineno="1936">
 <summary>
 Allow the specified domain to
 relabel container files and
@@ -79256,7 +79528,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="container_remount_fs" lineno="1860">
+<interface name="container_remount_fs" lineno="1955">
 <summary>
 Allow the specified domain to
 remount container filesystems.
@@ -79267,7 +79539,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="container_relabel_fs" lineno="1879">
+<interface name="container_relabel_fs" lineno="1974">
 <summary>
 Allow the specified domain to
 relabel container filesystems.
@@ -79278,7 +79550,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="container_getattr_fs" lineno="1899">
+<interface name="container_getattr_fs" lineno="1994">
 <summary>
 Allow the specified domain to
 get the attributes of container
@@ -79290,7 +79562,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="container_search_runtime" lineno="1918">
+<interface name="container_search_runtime" lineno="2013">
 <summary>
 Allow the specified domain to search
 runtime container directories.
@@ -79301,7 +79573,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="container_read_runtime_files" lineno="1938">
+<interface name="container_read_runtime_files" lineno="2033">
 <summary>
 Allow the specified domain to read
 runtime container files.
@@ -79312,7 +79584,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="container_getattr_runtime_sock_files" lineno="1959">
+<interface name="container_getattr_runtime_sock_files" lineno="2054">
 <summary>
 Allow the specified domain to get
 the attributes runtime container of
@@ -79324,7 +79596,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="container_create_runtime_dirs" lineno="1978">
+<interface name="container_create_runtime_dirs" lineno="2073">
 <summary>
 Allow the specified domain to create
 runtime container directories.
@@ -79335,7 +79607,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="container_manage_runtime_files" lineno="1997">
+<interface name="container_manage_runtime_files" lineno="2092">
 <summary>
 Allow the specified domain to manage
 runtime container files.
@@ -79346,7 +79618,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="container_manage_runtime_fifo_files" lineno="2016">
+<interface name="container_manage_runtime_fifo_files" lineno="2111">
 <summary>
 Allow the specified domain to manage
 runtime container named pipes.
@@ -79357,7 +79629,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="container_manage_runtime_lnk_files" lineno="2035">
+<interface name="container_manage_runtime_lnk_files" lineno="2130">
 <summary>
 Allow the specified domain to manage
 runtime container symlinks.
@@ -79368,7 +79640,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="container_manage_runtime_sock_files" lineno="2054">
+<interface name="container_manage_runtime_sock_files" lineno="2149">
 <summary>
 Allow the specified domain to manage
 runtime container named sockets.
@@ -79379,7 +79651,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="container_manage_user_runtime_files" lineno="2073">
+<interface name="container_manage_user_runtime_files" lineno="2168">
 <summary>
 Allow the specified domain to manage
 user runtime container files.
@@ -79390,7 +79662,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="container_rw_user_runtime_sock_files" lineno="2092">
+<interface name="container_rw_user_runtime_sock_files" lineno="2187">
 <summary>
 Allow the specified domain to read and
 write user runtime container named sockets.
@@ -79401,7 +79673,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="container_search_var_lib" lineno="2111">
+<interface name="container_search_var_lib" lineno="2206">
 <summary>
 Allow the specified domain to search
 container directories in /var/lib.
@@ -79412,7 +79684,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="container_list_var_lib" lineno="2132">
+<interface name="container_list_var_lib" lineno="2227">
 <summary>
 Allow the specified domain to list
 the contents of container directories
@@ -79424,7 +79696,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="container_manage_var_lib_dirs" lineno="2152">
+<interface name="container_manage_var_lib_dirs" lineno="2247">
 <summary>
 Allow the specified domain to manage
 container file directories in /var/lib.
@@ -79435,7 +79707,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="container_read_var_lib_files" lineno="2171">
+<interface name="container_read_var_lib_files" lineno="2266">
 <summary>
 Allow the specified domain to read
 container files in /var/lib.
@@ -79446,7 +79718,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="container_manage_var_lib_files" lineno="2190">
+<interface name="container_manage_var_lib_files" lineno="2285">
 <summary>
 Allow the specified domain to manage
 container files in /var/lib.
@@ -79457,7 +79729,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="container_map_var_lib_files" lineno="2209">
+<interface name="container_map_var_lib_files" lineno="2304">
 <summary>
 Allow the specified domain to memory
 map container files in /var/lib.
@@ -79468,7 +79740,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="container_manage_var_lib_fifo_files" lineno="2228">
+<interface name="container_manage_var_lib_fifo_files" lineno="2323">
 <summary>
 Allow the specified domain to manage
 container named pipes in /var/lib.
@@ -79479,7 +79751,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="container_manage_var_lib_lnk_files" lineno="2247">
+<interface name="container_manage_var_lib_lnk_files" lineno="2342">
 <summary>
 Allow the specified domain to manage
 container symlinks in /var/lib.
@@ -79490,7 +79762,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="container_manage_var_lib_sock_files" lineno="2266">
+<interface name="container_manage_var_lib_sock_files" lineno="2361">
 <summary>
 Allow the specified domain to manage
 container named sockets in /var/lib.
@@ -79501,7 +79773,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="container_var_lib_filetrans" lineno="2296">
+<interface name="container_var_lib_filetrans" lineno="2391">
 <summary>
 Allow the specified domain to create
 objects in /var/lib with an automatic
@@ -79523,7 +79795,7 @@ The name of the object being created.
 </summary>
 </param>
 </interface>
-<interface name="container_var_lib_filetrans_file" lineno="2326">
+<interface name="container_var_lib_filetrans_file" lineno="2421">
 <summary>
 Allow the specified domain to create
 objects in /var/lib with an automatic
@@ -79545,7 +79817,7 @@ The name of the object being created.
 </summary>
 </param>
 </interface>
-<interface name="container_filetrans_var_lib_file" lineno="2357">
+<interface name="container_filetrans_var_lib_file" lineno="2452">
 <summary>
 Allow the specified domain to create
 objects in container /var/lib directories
@@ -79568,7 +79840,7 @@ The name of the object being created.
 </summary>
 </param>
 </interface>
-<interface name="container_unlabeled_var_lib_filetrans" lineno="2389">
+<interface name="container_unlabeled_var_lib_filetrans" lineno="2484">
 <summary>
 Allow the specified domain to create
 objects in unlabeled directories with
@@ -79591,7 +79863,7 @@ The name of the object being created.
 </summary>
 </param>
 </interface>
-<interface name="container_getattr_all_var_lib_files" lineno="2411">
+<interface name="container_getattr_all_var_lib_files" lineno="2506">
 <summary>
 Allow the specified domain to get
 the attributes of all container
@@ -79603,7 +79875,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="container_search_logs" lineno="2430">
+<interface name="container_search_logs" lineno="2525">
 <summary>
 Allow the specified domain to search
 container log file directories.
@@ -79614,7 +79886,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="container_list_log_dirs" lineno="2450">
+<interface name="container_list_log_dirs" lineno="2545">
 <summary>
 Allow the specified domain to list
 the contents of container log directories.
@@ -79625,7 +79897,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="container_create_log_dirs" lineno="2469">
+<interface name="container_create_log_dirs" lineno="2564">
 <summary>
 Allow the specified domain to create
 container log file directories.
@@ -79636,7 +79908,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="container_manage_log_dirs" lineno="2488">
+<interface name="container_manage_log_dirs" lineno="2583">
 <summary>
 Allow the specified domain to manage
 container log file directories.
@@ -79647,7 +79919,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="container_watch_log_dirs" lineno="2507">
+<interface name="container_watch_log_dirs" lineno="2602">
 <summary>
 Allow the specified domain to watch
 container log file directories.
@@ -79658,7 +79930,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="container_create_log_files" lineno="2526">
+<interface name="container_create_log_files" lineno="2621">
 <summary>
 Allow the specified domain to create
 container log files.
@@ -79669,7 +79941,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="container_append_log_files" lineno="2545">
+<interface name="container_append_log_files" lineno="2640">
 <summary>
 Allow the specified domain to append
 data to container log files.
@@ -79680,7 +79952,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="container_manage_log_files" lineno="2564">
+<interface name="container_manage_log_files" lineno="2659">
 <summary>
 Allow the specified domain to manage
 container log files.
@@ -79691,7 +79963,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="container_watch_log_files" lineno="2583">
+<interface name="container_watch_log_files" lineno="2678">
 <summary>
 Allow the specified domain to watch
 container log files.
@@ -79702,7 +79974,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="container_log_filetrans" lineno="2614">
+<interface name="container_log_filetrans" lineno="2709">
 <summary>
 Allow the specified domain to create
 objects in log directories with an
@@ -79725,7 +79997,7 @@ The name of the object being created.
 </summary>
 </param>
 </interface>
-<interface name="container_manage_log_symlinks" lineno="2634">
+<interface name="container_manage_log_symlinks" lineno="2729">
 <summary>
 Allow the specified domain to manage
 container log symlinks.
@@ -79736,7 +80008,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="container_start_units" lineno="2653">
+<interface name="container_start_units" lineno="2748">
 <summary>
 Allow the specified domain to start
 systemd units for containers.
@@ -79747,7 +80019,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="container_admin" lineno="2680">
+<interface name="container_admin" lineno="2775">
 <summary>
 All of the rules required to
 administrate a container
@@ -80946,18 +81218,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="cups_stream_connect_ptal" lineno="285">
-<summary>
-Connect to ptal over an unix
-domain stream socket.
-</summary>
-<param name="domain">
-<summary>
-Domain allowed access.
-</summary>
-</param>
-</interface>
-<interface name="cups_read_state" lineno="304">
+<interface name="cups_read_state" lineno="284">
 <summary>
 Read the process state (/proc/pid) of cupsd.
 </summary>
@@ -80967,7 +81228,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="cups_domtrans_hplip" lineno="326">
+<interface name="cups_domtrans_hplip" lineno="306">
 <summary>
 Execute HP Linux Imaging and
 Printing applications in their
@@ -80979,7 +81240,7 @@ Domain allowed to transition.
 </summary>
 </param>
 </interface>
-<interface name="cups_admin" lineno="352">
+<interface name="cups_admin" lineno="332">
 <summary>
 All of the rules required to
 administrate an cups environment.
@@ -81448,7 +81709,18 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dbus_dontaudit_system_bus_rw_tcp_sockets" lineno="646">
+<interface name="dbus_use_system_bus_pidfds" lineno="646">
+<summary>
+Use PIDFD file descriptors from the
+DBUS system bus.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="dbus_dontaudit_system_bus_rw_tcp_sockets" lineno="665">
 <summary>
 Do not audit attempts to read and
 write DBUS system bus TCP sockets.
@@ -81459,7 +81731,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="dbus_watch_system_bus_runtime_dirs" lineno="664">
+<interface name="dbus_watch_system_bus_runtime_dirs" lineno="683">
 <summary>
 Watch system bus runtime directories.
 </summary>
@@ -81469,7 +81741,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dbus_read_system_bus_runtime_files" lineno="682">
+<interface name="dbus_read_system_bus_runtime_files" lineno="701">
 <summary>
 Read system bus runtime files.
 </summary>
@@ -81479,7 +81751,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dbus_list_system_bus_runtime" lineno="701">
+<interface name="dbus_list_system_bus_runtime" lineno="720">
 <summary>
 List system bus runtime directories.
 </summary>
@@ -81489,7 +81761,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dbus_watch_system_bus_runtime_named_sockets" lineno="719">
+<interface name="dbus_watch_system_bus_runtime_named_sockets" lineno="738">
 <summary>
 Watch system bus runtime named sockets.
 </summary>
@@ -81499,7 +81771,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dbus_read_system_bus_runtime_named_sockets" lineno="737">
+<interface name="dbus_read_system_bus_runtime_named_sockets" lineno="756">
 <summary>
 Read system bus runtime named sockets.
 </summary>
@@ -81509,7 +81781,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dbus_dontaudit_write_system_bus_runtime_named_sockets" lineno="756">
+<interface name="dbus_dontaudit_write_system_bus_runtime_named_sockets" lineno="775">
 <summary>
 Do not audit attempts to write to
 system bus runtime named sockets.
@@ -81520,7 +81792,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="dbus_rw_session_tmp_sockets" lineno="774">
+<interface name="dbus_rw_session_tmp_sockets" lineno="793">
 <summary>
 Read and write session named sockets in the tmp directory (/tmp).
 </summary>
@@ -81530,7 +81802,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dbus_unconfined" lineno="792">
+<interface name="dbus_unconfined" lineno="811">
 <summary>
 Unconfined access to DBUS.
 </summary>
@@ -81540,7 +81812,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="dbus_generic_pid_filetrans_system_dbusd_var_run" lineno="822">
+<interface name="dbus_generic_pid_filetrans_system_dbusd_var_run" lineno="841">
 <summary>
 Create resources in /run or /var/run with the system_dbusd_runtime_t
 label. This method is deprecated in favor of the init_daemon_run_dir
@@ -81562,7 +81834,7 @@ Optional file name used for the resource
 </summary>
 </param>
 </interface>
-<interface name="dbus_create_system_dbusd_var_run_dirs" lineno="836">
+<interface name="dbus_create_system_dbusd_var_run_dirs" lineno="855">
 <summary>
 Create directories with the system_dbusd_runtime_t label
 </summary>
@@ -83814,7 +84086,7 @@ Role allowed access.
 <summary>policy for gssproxy - daemon to proxy GSSAPI context establishment and channel handling</summary>
 <interface name="gssproxy_domtrans" lineno="13">
 <summary>
-Execute gssproxy in the gssproxy domin.
+Execute gssproxy in the gssproxy domain.
 </summary>
 <param name="domain">
 <summary>
@@ -84097,6 +84369,85 @@ Role allowed access.
 <rolecap/>
 </interface>
 </module>
+<module name="haproxy" filename="policy/modules/services/haproxy.if">
+<summary>A TCP/HTTP reverse proxy for high availability environments.</summary>
+<interface name="haproxy_domtrans" lineno="13">
+<summary>
+Execute haproxy in the haproxy domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="haproxy_run" lineno="39">
+<summary>
+Execute haproxy in the haproxy domain, and
+allow the specified role the haproxy domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="haproxy_admin" lineno="65">
+<summary>
+All of the rules required to
+administrate an haproxy environment.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<tunable name="haproxy_bind_all_tcp_ports" dftval="false">
+<desc>
+<p>
+Determine whether haproxy can bind to
+all TCP ports.
+</p>
+</desc>
+</tunable>
+<tunable name="haproxy_bind_kubernetes_port" dftval="false">
+<desc>
+<p>
+Determine whether haproxy can bind to
+kubernetes ports (typically 6443/tcp).
+</p>
+</desc>
+</tunable>
+<tunable name="haproxy_connect_all_tcp_ports" dftval="false">
+<desc>
+<p>
+Determine whether haproxy can connect to
+all TCP ports.
+</p>
+</desc>
+</tunable>
+<tunable name="haproxy_connect_kubernetes_port" dftval="false">
+<desc>
+<p>
+Determine whether haproxy can connect to
+kubernetes ports (typically 6443/tcp).
+</p>
+</desc>
+</tunable>
+</module>
 <module name="hddtemp" filename="policy/modules/services/hddtemp.if">
 <summary>Hard disk temperature tool running as a daemon.</summary>
 <interface name="hddtemp_domtrans" lineno="13">
@@ -84371,7 +84722,7 @@ Role allowed access.
 
 <desc>
 Industrial I/O subsystem is intended to provide support for devices
-that in some sense are analog to digital or digital to analog convertors
+that in some sense are analog to digital or digital to analog converters
 .
 Devices that fall into this category are:
 * ADCs
@@ -85400,7 +85751,18 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kubernetes_search_config" lineno="390">
+<interface name="kubernetes_rw_container_engine_fifo_files" lineno="391">
+<summary>
+Read and write FIFO files from
+kubernetes container engines.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="kubernetes_search_config" lineno="409">
 <summary>
 Search kubernetes config directories.
 </summary>
@@ -85410,7 +85772,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kubernetes_read_config" lineno="409">
+<interface name="kubernetes_read_config" lineno="428">
 <summary>
 Read kubernetes config files and symlinks.
 </summary>
@@ -85420,7 +85782,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kubernetes_mounton_config_dirs" lineno="429">
+<interface name="kubernetes_mounton_config_dirs" lineno="448">
 <summary>
 Mount on kubernetes config directories.
 </summary>
@@ -85430,7 +85792,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kubernetes_watch_config_dirs" lineno="448">
+<interface name="kubernetes_watch_config_dirs" lineno="467">
 <summary>
 Allow the specified domain to watch
 kubernetes config directories.
@@ -85441,7 +85803,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kubernetes_manage_config_files" lineno="466">
+<interface name="kubernetes_manage_config_files" lineno="485">
 <summary>
 Manage kubernetes config files.
 </summary>
@@ -85451,7 +85813,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kubernetes_mounton_config_files" lineno="484">
+<interface name="kubernetes_mounton_config_files" lineno="503">
 <summary>
 Mount on kubernetes config files.
 </summary>
@@ -85461,7 +85823,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kubernetes_watch_config_files" lineno="503">
+<interface name="kubernetes_watch_config_files" lineno="522">
 <summary>
 Allow the specified domain to watch
 kubernetes config files.
@@ -85472,7 +85834,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kubernetes_search_plugin_dirs" lineno="523">
+<interface name="kubernetes_search_plugin_dirs" lineno="542">
 <summary>
 Allow the specified domain to search
 through the contents of kubernetes plugin
@@ -85484,7 +85846,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kubernetes_list_plugins" lineno="544">
+<interface name="kubernetes_list_plugins" lineno="563">
 <summary>
 Allow the specified domain to list
 the contents of kubernetes plugin
@@ -85496,7 +85858,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kubernetes_watch_plugin_dirs" lineno="563">
+<interface name="kubernetes_watch_plugin_dirs" lineno="582">
 <summary>
 Allow the specified domain to watch
 kubernetes plugin directories.
@@ -85507,7 +85869,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kubernetes_manage_plugin_files" lineno="582">
+<interface name="kubernetes_manage_plugin_files" lineno="601">
 <summary>
 Allow the specified domain to manage
 kubernetes plugin files.
@@ -85518,7 +85880,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kubernetes_manage_runtime_dirs" lineno="600">
+<interface name="kubernetes_manage_runtime_dirs" lineno="619">
 <summary>
 Manage kubernetes runtime directories.
 </summary>
@@ -85528,7 +85890,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kubernetes_mounton_runtime_dirs" lineno="618">
+<interface name="kubernetes_mounton_runtime_dirs" lineno="637">
 <summary>
 Mount on kubernetes runtime directories.
 </summary>
@@ -85538,7 +85900,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kubernetes_manage_runtime_files" lineno="636">
+<interface name="kubernetes_manage_runtime_files" lineno="655">
 <summary>
 Manage kubernetes runtime files.
 </summary>
@@ -85548,7 +85910,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kubernetes_map_runtime_files" lineno="654">
+<interface name="kubernetes_map_runtime_files" lineno="673">
 <summary>
 Memory map kubernetes runtime files.
 </summary>
@@ -85558,7 +85920,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kubernetes_watch_runtime_files" lineno="672">
+<interface name="kubernetes_watch_runtime_files" lineno="691">
 <summary>
 Watch kubernetes runtime files.
 </summary>
@@ -85568,7 +85930,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kubernetes_manage_runtime_symlinks" lineno="690">
+<interface name="kubernetes_manage_runtime_symlinks" lineno="709">
 <summary>
 Manage kubernetes runtime symlinks.
 </summary>
@@ -85578,7 +85940,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kubernetes_manage_runtime_sock_files" lineno="708">
+<interface name="kubernetes_manage_runtime_sock_files" lineno="727">
 <summary>
 Manage kubernetes runtime sock files.
 </summary>
@@ -85588,7 +85950,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kubernetes_list_tmpfs" lineno="727">
+<interface name="kubernetes_list_tmpfs" lineno="746">
 <summary>
 List the contents of kubernetes tmpfs
 directories.
@@ -85599,7 +85961,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kubernetes_manage_tmpfs_dirs" lineno="745">
+<interface name="kubernetes_manage_tmpfs_dirs" lineno="764">
 <summary>
 Manage kubernetes tmpfs directories.
 </summary>
@@ -85609,7 +85971,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kubernetes_watch_tmpfs_dirs" lineno="763">
+<interface name="kubernetes_watch_tmpfs_dirs" lineno="782">
 <summary>
 Watch kubernetes tmpfs directories.
 </summary>
@@ -85619,7 +85981,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kubernetes_read_tmpfs_files" lineno="781">
+<interface name="kubernetes_read_tmpfs_files" lineno="800">
 <summary>
 Read kubernetes tmpfs files.
 </summary>
@@ -85629,7 +85991,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kubernetes_manage_tmpfs_files" lineno="799">
+<interface name="kubernetes_manage_tmpfs_files" lineno="818">
 <summary>
 Manage kubernetes tmpfs files.
 </summary>
@@ -85639,7 +86001,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kubernetes_watch_tmpfs_files" lineno="817">
+<interface name="kubernetes_watch_tmpfs_files" lineno="836">
 <summary>
 Watch kubernetes tmpfs files.
 </summary>
@@ -85649,7 +86011,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kubernetes_read_tmpfs_symlinks" lineno="835">
+<interface name="kubernetes_read_tmpfs_symlinks" lineno="854">
 <summary>
 Read kubernetes tmpfs symlinks.
 </summary>
@@ -85659,7 +86021,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kubernetes_manage_tmpfs_symlinks" lineno="853">
+<interface name="kubernetes_manage_tmpfs_symlinks" lineno="872">
 <summary>
 Manage kubernetes tmpfs symlinks.
 </summary>
@@ -85669,7 +86031,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kubernetes_relabelfrom_tmpfs_dirs" lineno="872">
+<interface name="kubernetes_relabelfrom_tmpfs_dirs" lineno="891">
 <summary>
 Relabel directories from the kubernetes
 tmpfs type.
@@ -85680,7 +86042,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kubernetes_relabelfrom_tmpfs_files" lineno="890">
+<interface name="kubernetes_relabelfrom_tmpfs_files" lineno="909">
 <summary>
 Relabel files from the kubernetes tmpfs type.
 </summary>
@@ -85690,7 +86052,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kubernetes_relabelfrom_tmpfs_symlinks" lineno="908">
+<interface name="kubernetes_relabelfrom_tmpfs_symlinks" lineno="927">
 <summary>
 Relabel symlinks from the kubernetes tmpfs type.
 </summary>
@@ -85700,7 +86062,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kubernetes_get_unit_status" lineno="926">
+<interface name="kubernetes_get_unit_status" lineno="945">
 <summary>
 Get the status of kubernetes systemd units.
 </summary>
@@ -85710,7 +86072,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kubernetes_start_unit" lineno="945">
+<interface name="kubernetes_start_unit" lineno="964">
 <summary>
 Start kubernetes systemd units.
 </summary>
@@ -85720,7 +86082,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kubernetes_stop_unit" lineno="964">
+<interface name="kubernetes_stop_unit" lineno="983">
 <summary>
 Stop kubernetes systemd units.
 </summary>
@@ -85730,7 +86092,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kubernetes_reload_unit" lineno="983">
+<interface name="kubernetes_reload_unit" lineno="1002">
 <summary>
 Reload kubernetes systemd units.
 </summary>
@@ -85740,7 +86102,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="kubernetes_admin" lineno="1009">
+<interface name="kubernetes_admin" lineno="1028">
 <summary>
 All of the rules required to administrate
 a kubernetes environment.
@@ -85930,7 +86292,7 @@ Role allowed access.
 </interface>
 </module>
 <module name="lircd" filename="policy/modules/services/lircd.if">
-<summary>Linux infared remote control daemon.</summary>
+<summary>Linux infrared remote control daemon.</summary>
 <interface name="lircd_domtrans" lineno="13">
 <summary>
 Execute a domain transition to run lircd.
@@ -86437,6 +86799,16 @@ Determine whether Matrixd can connect to the Postgres database.
 </p>
 </desc>
 </tunable>
+<tunable name="matrix_bind_all_unreserved_tcp_ports" dftval="false">
+<desc>
+<p>
+Determine whether Matrixd is allowed to bind all
+TCP ports. This is intended for more complex Matrix
+server configurations (e.g. Synapse workers) and may
+be used in lieu of manually labeling each port.
+</p>
+</desc>
+</tunable>
 </module>
 <module name="mediawiki" filename="policy/modules/services/mediawiki.if">
 <summary>Open source wiki package written in PHP.</summary>
@@ -91389,6 +91761,13 @@ The role to be allowed to manage the postgresql domain.
 </param>
 <rolecap/>
 </interface>
+<tunable name="psql_allow_execmem" dftval="false">
+<desc>
+<p>
+Allow postgresql to map memory regions as both executable and writable (e.g. for JIT).
+</p>
+</desc>
+</tunable>
 <tunable name="sepgsql_enable_users_ddl" dftval="false">
 <desc>
 <p>
@@ -91515,7 +91894,7 @@ The name of the object being created.
 </interface>
 <interface name="ppp_use_fds" lineno="101">
 <summary>
-Inherit and use ppp file discriptors.
+Inherit and use ppp file descriptors.
 </summary>
 <param name="domain">
 <summary>
@@ -91526,7 +91905,7 @@ Domain allowed access.
 <interface name="ppp_dontaudit_use_fds" lineno="120">
 <summary>
 Do not audit attempts to inherit
-and use ppp file discriptors.
+and use ppp file descriptors.
 </summary>
 <param name="domain">
 <summary>
@@ -94328,7 +94707,17 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="sasl_admin" lineno="58">
+<interface name="sasl_mmap_read_keytab" lineno="51">
+<summary>
+Memory map and read SASL keytab files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="sasl_admin" lineno="77">
 <summary>
 All of the rules required to
 administrate an sasl environment.
@@ -95615,7 +96004,18 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="ssh_read_pipes" lineno="548">
+<interface name="ssh_use_sshd_pidfds" lineno="549">
+<summary>
+Use PIDFD file descriptors from the
+ssh server.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="ssh_read_pipes" lineno="567">
 <summary>
 Read a ssh server unnamed pipe.
 </summary>
@@ -95625,7 +96025,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="ssh_rw_pipes" lineno="565">
+<interface name="ssh_rw_pipes" lineno="584">
 <summary>
 Read and write a ssh server unnamed pipe.
 </summary>
@@ -95635,7 +96035,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="ssh_rw_stream_sockets" lineno="583">
+<interface name="ssh_rw_stream_sockets" lineno="602">
 <summary>
 Read and write ssh server unix domain stream sockets.
 </summary>
@@ -95645,7 +96045,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="ssh_rw_tcp_sockets" lineno="601">
+<interface name="ssh_rw_tcp_sockets" lineno="620">
 <summary>
 Read and write ssh server TCP sockets.
 </summary>
@@ -95655,7 +96055,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="ssh_dontaudit_rw_tcp_sockets" lineno="620">
+<interface name="ssh_dontaudit_rw_tcp_sockets" lineno="639">
 <summary>
 Do not audit attempts to read and write
 ssh server TCP sockets.
@@ -95666,7 +96066,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="ssh_exec_sshd" lineno="638">
+<interface name="ssh_exec_sshd" lineno="657">
 <summary>
 Execute the ssh daemon in the caller domain.
 </summary>
@@ -95676,7 +96076,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="ssh_domtrans" lineno="657">
+<interface name="ssh_domtrans" lineno="676">
 <summary>
 Execute the ssh daemon sshd domain.
 </summary>
@@ -95686,7 +96086,7 @@ Domain allowed to transition.
 </summary>
 </param>
 </interface>
-<interface name="ssh_client_domtrans" lineno="675">
+<interface name="ssh_client_domtrans" lineno="694">
 <summary>
 Execute the ssh client in the ssh client domain.
 </summary>
@@ -95696,7 +96096,7 @@ Domain allowed to transition.
 </summary>
 </param>
 </interface>
-<interface name="ssh_exec" lineno="693">
+<interface name="ssh_exec" lineno="712">
 <summary>
 Execute the ssh client in the caller domain.
 </summary>
@@ -95706,7 +96106,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="ssh_setattr_key_files" lineno="712">
+<interface name="ssh_setattr_key_files" lineno="731">
 <summary>
 Set the attributes of sshd key files.
 </summary>
@@ -95716,7 +96116,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="ssh_agent_exec" lineno="731">
+<interface name="ssh_agent_exec" lineno="750">
 <summary>
 Execute the ssh agent client in the caller domain.
 </summary>
@@ -95726,7 +96126,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="ssh_setattr_home_dirs" lineno="750">
+<interface name="ssh_setattr_home_dirs" lineno="769">
 <summary>
 Set the attributes of ssh home directory (~/.ssh)
 </summary>
@@ -95736,7 +96136,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="ssh_create_home_dirs" lineno="768">
+<interface name="ssh_create_home_dirs" lineno="787">
 <summary>
 Create ssh home directory (~/.ssh)
 </summary>
@@ -95746,7 +96146,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="ssh_read_user_home_files" lineno="787">
+<interface name="ssh_read_user_home_files" lineno="806">
 <summary>
 Read ssh home directory content
 </summary>
@@ -95756,7 +96156,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="ssh_domtrans_keygen" lineno="808">
+<interface name="ssh_domtrans_keygen" lineno="827">
 <summary>
 Execute the ssh key generator in the ssh keygen domain.
 </summary>
@@ -95766,7 +96166,7 @@ Domain allowed to transition.
 </summary>
 </param>
 </interface>
-<interface name="ssh_run_keygen" lineno="832">
+<interface name="ssh_run_keygen" lineno="851">
 <summary>
 Execute the ssh key generator in the ssh keygen domain,
 and allow the specified	role the ssh keygen domain.
@@ -95782,7 +96182,7 @@ Role allowed access.
 </summary>
 </param>
 </interface>
-<interface name="ssh_read_server_keys" lineno="851">
+<interface name="ssh_read_server_keys" lineno="870">
 <summary>
 Read ssh server keys
 </summary>
@@ -95792,7 +96192,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="ssh_dontaudit_read_server_keys" lineno="869">
+<interface name="ssh_dontaudit_read_server_keys" lineno="888">
 <summary>
 Do not audit denials on reading ssh server keys
 </summary>
@@ -95802,7 +96202,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="ssh_manage_home_files" lineno="887">
+<interface name="ssh_manage_home_files" lineno="906">
 <summary>
 Manage ssh home directory content
 </summary>
@@ -95812,7 +96212,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="ssh_delete_tmp" lineno="906">
+<interface name="ssh_delete_tmp" lineno="925">
 <summary>
 Delete from the ssh temp files.
 </summary>
@@ -95822,7 +96222,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="ssh_dontaudit_agent_tmp" lineno="925">
+<interface name="ssh_dontaudit_agent_tmp" lineno="944">
 <summary>
 dontaudit access to ssh agent tmp dirs
 </summary>
@@ -95853,6 +96253,13 @@ Allow ssh to use gpg-agent
 </p>
 </desc>
 </tunable>
+<tunable name="sshd_port_forwarding" dftval="false">
+<desc>
+<p>
+Allow sshd to use remote port forwarding (bind to any TCP port)
+</p>
+</desc>
+</tunable>
 </module>
 <module name="sssd" filename="policy/modules/services/sssd.if">
 <summary>System Security Services Daemon.</summary>
@@ -96515,7 +96922,7 @@ Domain allowed access.
 <interface name="tgtd_manage_semaphores" lineno="32">
 <summary>
 Create, read, write, and delete
-tgtd sempaphores.
+tgtd semaphores.
 </summary>
 <param name="domain">
 <summary>
@@ -97408,7 +97815,7 @@ Domain prefix to be used.
 </summary>
 </param>
 </template>
-<interface name="virt_image" lineno="102">
+<interface name="virt_image" lineno="100">
 <summary>
 Make the specified type virt image type.
 </summary>
@@ -97418,7 +97825,7 @@ Type to be used as a virtual image.
 </summary>
 </param>
 </interface>
-<interface name="virt_domtrans" lineno="122">
+<interface name="virt_domtrans" lineno="120">
 <summary>
 Execute a domain transition to run virtd.
 </summary>
@@ -97428,7 +97835,7 @@ Domain allowed to transition.
 </summary>
 </param>
 </interface>
-<interface name="virt_domtrans_qmf" lineno="141">
+<interface name="virt_domtrans_qmf" lineno="139">
 <summary>
 Execute a domain transition to run virt qmf.
 </summary>
@@ -97438,7 +97845,7 @@ Domain allowed to transition.
 </summary>
 </param>
 </interface>
-<interface name="virt_domtrans_bridgehelper" lineno="161">
+<interface name="virt_domtrans_bridgehelper" lineno="159">
 <summary>
 Execute a domain transition to
 run virt bridgehelper.
@@ -97449,7 +97856,7 @@ Domain allowed to transition.
 </summary>
 </param>
 </interface>
-<interface name="virt_domtrans_leaseshelper" lineno="181">
+<interface name="virt_domtrans_leaseshelper" lineno="179">
 <summary>
 Execute a domain transition to
 run virt leaseshelper.
@@ -97460,7 +97867,7 @@ Domain allowed to transition.
 </summary>
 </param>
 </interface>
-<interface name="virt_run_bridgehelper" lineno="207">
+<interface name="virt_run_bridgehelper" lineno="205">
 <summary>
 Execute bridgehelper in the bridgehelper
 domain, and allow the specified role
@@ -97477,7 +97884,7 @@ Role allowed access.
 </summary>
 </param>
 </interface>
-<interface name="virt_run_virt_domain" lineno="233">
+<interface name="virt_run_virt_domain" lineno="231">
 <summary>
 Execute virt domain in the their
 domain, and allow the specified
@@ -97494,7 +97901,7 @@ Role allowed access.
 </summary>
 </param>
 </interface>
-<interface name="virt_signal_all_virt_domains" lineno="257">
+<interface name="virt_signal_all_virt_domains" lineno="255">
 <summary>
 Send generic signals to all virt domains.
 </summary>
@@ -97504,7 +97911,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="virt_kill_all_virt_domains" lineno="275">
+<interface name="virt_kill_all_virt_domains" lineno="273">
 <summary>
 Send kill signals to all virt domains.
 </summary>
@@ -97514,7 +97921,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="virt_getattr_virtd_exec_files" lineno="293">
+<interface name="virt_getattr_virtd_exec_files" lineno="291">
 <summary>
 Get attributes of virtd executable files.
 </summary>
@@ -97524,7 +97931,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="virt_stream_connect" lineno="312">
+<interface name="virt_stream_connect" lineno="310">
 <summary>
 Connect to virt with a unix
 domain stream socket.
@@ -97535,7 +97942,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="virt_attach_tun_iface" lineno="331">
+<interface name="virt_attach_tun_iface" lineno="329">
 <summary>
 Attach to virt tun devices.
 </summary>
@@ -97545,7 +97952,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="virt_read_config" lineno="350">
+<interface name="virt_read_config" lineno="348">
 <summary>
 Read virt configuration content.
 </summary>
@@ -97555,7 +97962,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="virt_manage_config" lineno="373">
+<interface name="virt_manage_config" lineno="371">
 <summary>
 Create, read, write, and delete
 virt configuration content.
@@ -97566,7 +97973,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="virt_read_content" lineno="395">
+<interface name="virt_read_content" lineno="393">
 <summary>
 Read virt content.
 </summary>
@@ -97576,7 +97983,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="virt_manage_virt_content" lineno="431">
+<interface name="virt_manage_virt_content" lineno="429">
 <summary>
 Create, read, write, and delete
 virt content.
@@ -97587,7 +97994,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="virt_relabel_virt_content" lineno="467">
+<interface name="virt_relabel_virt_content" lineno="465">
 <summary>
 Relabel virt content.
 </summary>
@@ -97597,7 +98004,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="virt_home_filetrans_virt_content" lineno="502">
+<interface name="virt_home_filetrans_virt_content" lineno="500">
 <summary>
 Create specified objects in user home
 directories with the virt content type.
@@ -97618,7 +98025,7 @@ The name of the object being created.
 </summary>
 </param>
 </interface>
-<interface name="virt_manage_svirt_home_content" lineno="521">
+<interface name="virt_manage_svirt_home_content" lineno="519">
 <summary>
 Create, read, write, and delete
 svirt home content.
@@ -97629,7 +98036,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="virt_relabel_svirt_home_content" lineno="556">
+<interface name="virt_relabel_svirt_home_content" lineno="554">
 <summary>
 Relabel svirt home content.
 </summary>
@@ -97639,7 +98046,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="virt_home_filetrans_svirt_home" lineno="590">
+<interface name="virt_home_filetrans_svirt_home" lineno="588">
 <summary>
 Create specified objects in user home
 directories with the svirt home type.
@@ -97660,7 +98067,7 @@ The name of the object being created.
 </summary>
 </param>
 </interface>
-<interface name="virt_home_filetrans" lineno="625">
+<interface name="virt_home_filetrans" lineno="623">
 <summary>
 Create specified objects in generic
 virt home directories with private
@@ -97687,7 +98094,7 @@ The name of the object being created.
 </summary>
 </param>
 </interface>
-<interface name="virt_manage_home_files" lineno="645">
+<interface name="virt_manage_home_files" lineno="643">
 <summary>
 Create, read, write, and delete
 virt home files.
@@ -97698,7 +98105,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="virt_manage_generic_virt_home_content" lineno="665">
+<interface name="virt_manage_generic_virt_home_content" lineno="663">
 <summary>
 Create, read, write, and delete
 virt home content.
@@ -97709,7 +98116,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="virt_relabel_generic_virt_home_content" lineno="700">
+<interface name="virt_relabel_generic_virt_home_content" lineno="698">
 <summary>
 Relabel virt home content.
 </summary>
@@ -97719,7 +98126,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="virt_home_filetrans_virt_home" lineno="735">
+<interface name="virt_home_filetrans_virt_home" lineno="733">
 <summary>
 Create specified objects in user home
 directories with the generic virt
@@ -97741,7 +98148,7 @@ The name of the object being created.
 </summary>
 </param>
 </interface>
-<interface name="virt_read_runtime_files" lineno="753">
+<interface name="virt_read_runtime_files" lineno="751">
 <summary>
 Read virt runtime files.
 </summary>
@@ -97751,7 +98158,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="virt_runtime_filetrans" lineno="788">
+<interface name="virt_runtime_filetrans" lineno="786">
 <summary>
 Create an object in the libvirt runtime directory, with a private type.
 </summary>
@@ -97777,7 +98184,7 @@ The name of the object being created.
 </param>
 <infoflow type="write" weight="10"/>
 </interface>
-<interface name="virt_search_lib" lineno="806">
+<interface name="virt_search_lib" lineno="804">
 <summary>
 Search virt lib directories.
 </summary>
@@ -97787,7 +98194,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="virt_read_lib_files" lineno="825">
+<interface name="virt_read_lib_files" lineno="823">
 <summary>
 Read virt lib files.
 </summary>
@@ -97797,7 +98204,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="virt_manage_lib_files" lineno="846">
+<interface name="virt_manage_lib_files" lineno="844">
 <summary>
 Create, read, write, and delete
 virt lib files.
@@ -97808,7 +98215,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="virt_read_log" lineno="866">
+<interface name="virt_read_log" lineno="864">
 <summary>
 Read virt log files.
 </summary>
@@ -97819,7 +98226,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="virt_append_log" lineno="885">
+<interface name="virt_append_log" lineno="883">
 <summary>
 Append virt log files.
 </summary>
@@ -97829,7 +98236,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="virt_manage_log" lineno="905">
+<interface name="virt_manage_log" lineno="903">
 <summary>
 Create, read, write, and delete
 virt log files.
@@ -97840,7 +98247,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="virt_search_images" lineno="926">
+<interface name="virt_search_images" lineno="924">
 <summary>
 Search virt image directories.
 </summary>
@@ -97850,7 +98257,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="virt_read_images" lineno="945">
+<interface name="virt_read_images" lineno="943">
 <summary>
 Read virt image files.
 </summary>
@@ -97860,7 +98267,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="virt_rw_all_image_chr_files" lineno="981">
+<interface name="virt_rw_all_image_chr_files" lineno="979">
 <summary>
 Read and write all virt image
 character files.
@@ -97871,7 +98278,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="virt_manage_virt_cache" lineno="1002">
+<interface name="virt_manage_virt_cache" lineno="1000">
 <summary>
 Create, read, write, and delete
 virt cache content.
@@ -97882,7 +98289,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="virt_manage_images" lineno="1024">
+<interface name="virt_manage_images" lineno="1022">
 <summary>
 Create, read, write, and delete
 virt image files.
@@ -97893,7 +98300,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="virt_lxc_use_fds" lineno="1060">
+<interface name="virt_lxc_use_fds" lineno="1058">
 <summary>
 Inherit and use virtd lxc
 file descriptors.
@@ -97904,7 +98311,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="virt_lxc_sigchld" lineno="1078">
+<interface name="virt_lxc_sigchld" lineno="1076">
 <summary>
 Send a SIGCHLD to virtd lxc.
 </summary>
@@ -97914,9 +98321,9 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="virt_lxc_rw_pipes" lineno="1096">
+<interface name="virt_lxc_rw_pipes" lineno="1094">
 <summary>
-Read and write virtd lxc unamed pipes.
+Read and write virtd lxc unnamed pipes.
 </summary>
 <param name="domain">
 <summary>
@@ -97924,7 +98331,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="virt_lxc_stream_connect" lineno="1115">
+<interface name="virt_lxc_stream_connect" lineno="1113">
 <summary>
 Connect to virtd lxc over
 a unix stream socket.
@@ -97935,7 +98342,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="virt_lxc_list_runtime" lineno="1135">
+<interface name="virt_lxc_list_runtime" lineno="1133">
 <summary>
 List the contents of virtd lxc
 directories.
@@ -97946,7 +98353,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="virt_lxc_read_runtime" lineno="1153">
+<interface name="virt_lxc_read_runtime" lineno="1151">
 <summary>
 Read virtd lxc runtime files.
 </summary>
@@ -97956,7 +98363,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="virt_virsh_use_fds" lineno="1172">
+<interface name="virt_virsh_use_fds" lineno="1170">
 <summary>
 Inherit and use virsh file
 descriptors.
@@ -97967,7 +98374,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="virt_virsh_sigchld" lineno="1190">
+<interface name="virt_virsh_sigchld" lineno="1188">
 <summary>
 Send a SIGCHLD to virsh.
 </summary>
@@ -97977,9 +98384,9 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="virt_virsh_rw_pipes" lineno="1208">
+<interface name="virt_virsh_rw_pipes" lineno="1206">
 <summary>
-Read and write virsh unamed pipes.
+Read and write virsh unnamed pipes.
 </summary>
 <param name="domain">
 <summary>
@@ -97987,7 +98394,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="virt_admin" lineno="1233">
+<interface name="virt_admin" lineno="1231">
 <summary>
 All of the rules required to
 administrate an virt environment.
@@ -99704,7 +100111,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="auth_use_pam_motd_dynamic" lineno="122">
+<interface name="auth_use_pam_motd_dynamic" lineno="125">
 <summary>
 Use the pam module motd with dynamic support during authentication.
 This module comes from Ubuntu (https://bugs.launchpad.net/ubuntu/+source/pam/+bug/399071)
@@ -99716,7 +100123,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="auth_read_pam_motd_dynamic" lineno="147">
+<interface name="auth_read_pam_motd_dynamic" lineno="150">
 <summary>
 Read the pam module motd with dynamic support during authentication.
 </summary>
@@ -99726,7 +100133,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="auth_login_pgm_domain" lineno="166">
+<interface name="auth_login_pgm_domain" lineno="169">
 <summary>
 Make the specified domain used for a login program.
 </summary>
@@ -99736,7 +100143,7 @@ Domain type used for a login program domain.
 </summary>
 </param>
 </interface>
-<interface name="auth_login_entry_type" lineno="253">
+<interface name="auth_login_entry_type" lineno="256">
 <summary>
 Use the login program as an entry point program.
 </summary>
@@ -99746,7 +100153,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="auth_domtrans_login_program" lineno="276">
+<interface name="auth_domtrans_login_program" lineno="279">
 <summary>
 Execute a login_program in the target domain.
 </summary>
@@ -99761,7 +100168,7 @@ The type of the login_program process.
 </summary>
 </param>
 </interface>
-<interface name="auth_ranged_domtrans_login_program" lineno="306">
+<interface name="auth_ranged_domtrans_login_program" lineno="309">
 <summary>
 Execute a login_program in the target domain,
 with a range transition.
@@ -99782,7 +100189,7 @@ Range of the login program.
 </summary>
 </param>
 </interface>
-<interface name="auth_search_cache" lineno="332">
+<interface name="auth_search_cache" lineno="335">
 <summary>
 Search authentication cache
 </summary>
@@ -99792,7 +100199,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="auth_read_cache" lineno="350">
+<interface name="auth_read_cache" lineno="353">
 <summary>
 Read authentication cache
 </summary>
@@ -99802,7 +100209,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="auth_rw_cache" lineno="368">
+<interface name="auth_rw_cache" lineno="371">
 <summary>
 Read/Write authentication cache
 </summary>
@@ -99812,7 +100219,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="auth_manage_cache" lineno="386">
+<interface name="auth_manage_cache" lineno="389">
 <summary>
 Manage authentication cache
 </summary>
@@ -99822,7 +100229,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="auth_var_filetrans_cache" lineno="405">
+<interface name="auth_var_filetrans_cache" lineno="408">
 <summary>
 Automatic transition from cache_t to cache.
 </summary>
@@ -99832,7 +100239,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="auth_domtrans_chk_passwd" lineno="423">
+<interface name="auth_domtrans_chk_passwd" lineno="426">
 <summary>
 Run unix_chkpwd to check a password.
 </summary>
@@ -99842,7 +100249,7 @@ Domain allowed to transition.
 </summary>
 </param>
 </interface>
-<interface name="auth_domtrans_chkpwd" lineno="467">
+<interface name="auth_domtrans_chkpwd" lineno="470">
 <summary>
 Run unix_chkpwd to check a password.
 Stripped down version to be called within boolean
@@ -99853,7 +100260,7 @@ Domain allowed to transition.
 </summary>
 </param>
 </interface>
-<interface name="auth_run_chk_passwd" lineno="489">
+<interface name="auth_run_chk_passwd" lineno="492">
 <summary>
 Execute chkpwd programs in the chkpwd domain.
 </summary>
@@ -99868,7 +100275,7 @@ The role to allow the chkpwd domain.
 </summary>
 </param>
 </interface>
-<interface name="auth_domtrans_upd_passwd" lineno="508">
+<interface name="auth_domtrans_upd_passwd" lineno="511">
 <summary>
 Execute a domain transition to run unix_update.
 </summary>
@@ -99878,7 +100285,7 @@ Domain allowed to transition.
 </summary>
 </param>
 </interface>
-<interface name="auth_run_upd_passwd" lineno="533">
+<interface name="auth_run_upd_passwd" lineno="536">
 <summary>
 Execute updpwd programs in the updpwd domain.
 </summary>
@@ -99893,7 +100300,7 @@ The role to allow the updpwd domain.
 </summary>
 </param>
 </interface>
-<interface name="auth_getattr_shadow" lineno="552">
+<interface name="auth_getattr_shadow" lineno="555">
 <summary>
 Get the attributes of the shadow passwords file.
 </summary>
@@ -99903,7 +100310,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="auth_dontaudit_getattr_shadow" lineno="572">
+<interface name="auth_dontaudit_getattr_shadow" lineno="575">
 <summary>
 Do not audit attempts to get the attributes
 of the shadow passwords file.
@@ -99914,7 +100321,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="auth_read_shadow" lineno="594">
+<interface name="auth_read_shadow" lineno="597">
 <summary>
 Read the shadow passwords file (/etc/shadow)
 </summary>
@@ -99924,7 +100331,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="auth_map_shadow" lineno="610">
+<interface name="auth_map_shadow" lineno="613">
 <summary>
 Map the shadow passwords file (/etc/shadow)
 </summary>
@@ -99934,7 +100341,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="auth_can_read_shadow_passwords" lineno="636">
+<interface name="auth_can_read_shadow_passwords" lineno="639">
 <summary>
 Pass shadow assertion for reading.
 </summary>
@@ -99953,7 +100360,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="auth_tunable_read_shadow" lineno="662">
+<interface name="auth_tunable_read_shadow" lineno="665">
 <summary>
 Read the shadow password file.
 </summary>
@@ -99971,7 +100378,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="auth_dontaudit_read_shadow" lineno="682">
+<interface name="auth_dontaudit_read_shadow" lineno="685">
 <summary>
 Do not audit attempts to read the shadow
 password file (/etc/shadow).
@@ -99982,7 +100389,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="auth_rw_shadow" lineno="700">
+<interface name="auth_rw_shadow" lineno="703">
 <summary>
 Read and write the shadow password file (/etc/shadow).
 </summary>
@@ -99992,7 +100399,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="auth_manage_shadow" lineno="723">
+<interface name="auth_manage_shadow" lineno="726">
 <summary>
 Create, read, write, and delete the shadow
 password file.
@@ -100003,7 +100410,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="auth_etc_filetrans_shadow" lineno="751">
+<interface name="auth_etc_filetrans_shadow" lineno="754">
 <summary>
 Automatic transition from etc to shadow.
 </summary>
@@ -100018,7 +100425,17 @@ The name of the object being created.
 </summary>
 </param>
 </interface>
-<interface name="auth_read_shadow_history" lineno="769">
+<interface name="auth_getattr_shadow_history" lineno="772">
+<summary>
+Get the attributes of the shadow history file.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="auth_read_shadow_history" lineno="791">
 <summary>
 Read the shadow history file.
 </summary>
@@ -100028,7 +100445,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="auth_manage_shadow_history" lineno="788">
+<interface name="auth_manage_shadow_history" lineno="810">
 <summary>
 Manage the shadow history file.
 </summary>
@@ -100038,7 +100455,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="auth_relabelto_shadow" lineno="808">
+<interface name="auth_relabelto_shadow" lineno="830">
 <summary>
 Relabel to the shadow
 password file type.
@@ -100049,7 +100466,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="auth_relabel_shadow" lineno="830">
+<interface name="auth_relabel_shadow" lineno="852">
 <summary>
 Relabel from and to the shadow
 password file type.
@@ -100060,7 +100477,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="auth_rw_shadow_lock" lineno="851">
+<interface name="auth_rw_shadow_lock" lineno="873">
 <summary>
 Read/Write shadow lock files.
 </summary>
@@ -100070,7 +100487,17 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="auth_append_faillog" lineno="869">
+<interface name="auth_search_faillog" lineno="891">
+<summary>
+Search faillock directory (/run/faillock).
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="auth_append_faillog" lineno="909">
 <summary>
 Append to the login failure log.
 </summary>
@@ -100080,7 +100507,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="auth_create_faillog_files" lineno="888">
+<interface name="auth_create_faillog_files" lineno="928">
 <summary>
 Create fail log lock (in /run/faillock).
 </summary>
@@ -100090,7 +100517,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="auth_rw_faillog" lineno="906">
+<interface name="auth_rw_faillog" lineno="946">
 <summary>
 Read and write the login failure log.
 </summary>
@@ -100100,7 +100527,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="auth_manage_faillog" lineno="925">
+<interface name="auth_manage_faillog" lineno="965">
 <summary>
 Manage the login failure logs.
 </summary>
@@ -100110,7 +100537,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="auth_setattr_faillog_files" lineno="944">
+<interface name="auth_setattr_faillog_files" lineno="984">
 <summary>
 Setattr the login failure logs.
 </summary>
@@ -100120,7 +100547,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="auth_read_lastlog" lineno="963">
+<interface name="auth_read_lastlog" lineno="1003">
 <summary>
 Read the last logins log.
 </summary>
@@ -100131,7 +100558,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="auth_append_lastlog" lineno="982">
+<interface name="auth_append_lastlog" lineno="1022">
 <summary>
 Append only to the last logins log.
 </summary>
@@ -100141,7 +100568,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="auth_relabel_lastlog" lineno="1001">
+<interface name="auth_relabel_lastlog" lineno="1041">
 <summary>
 relabel the last logins log.
 </summary>
@@ -100151,7 +100578,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="auth_rw_lastlog" lineno="1020">
+<interface name="auth_rw_lastlog" lineno="1060">
 <summary>
 Read and write to the last logins log.
 </summary>
@@ -100161,7 +100588,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="auth_manage_lastlog" lineno="1039">
+<interface name="auth_manage_lastlog" lineno="1079">
 <summary>
 Manage the last logins log.
 </summary>
@@ -100171,7 +100598,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="auth_domtrans_pam" lineno="1058">
+<interface name="auth_domtrans_pam" lineno="1098">
 <summary>
 Execute pam programs in the pam domain.
 </summary>
@@ -100181,7 +100608,7 @@ Domain allowed to transition.
 </summary>
 </param>
 </interface>
-<interface name="auth_signal_pam" lineno="1076">
+<interface name="auth_signal_pam" lineno="1116">
 <summary>
 Send generic signals to pam processes.
 </summary>
@@ -100191,7 +100618,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="auth_run_pam" lineno="1099">
+<interface name="auth_run_pam" lineno="1139">
 <summary>
 Execute pam programs in the PAM domain.
 </summary>
@@ -100206,7 +100633,7 @@ The role to allow the PAM domain.
 </summary>
 </param>
 </interface>
-<interface name="auth_exec_pam" lineno="1118">
+<interface name="auth_exec_pam" lineno="1158">
 <summary>
 Execute the pam program.
 </summary>
@@ -100216,7 +100643,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="auth_read_var_auth" lineno="1137">
+<interface name="auth_read_var_auth" lineno="1177">
 <summary>
 Read var auth files. Used by various other applications
 and pam applets etc.
@@ -100227,7 +100654,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="auth_rw_var_auth" lineno="1157">
+<interface name="auth_rw_var_auth" lineno="1197">
 <summary>
 Read and write var auth files. Used by various other applications
 and pam applets etc.
@@ -100238,7 +100665,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="auth_manage_var_auth" lineno="1177">
+<interface name="auth_manage_var_auth" lineno="1217">
 <summary>
 Manage var auth files. Used by various other applications
 and pam applets etc.
@@ -100249,7 +100676,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="auth_manage_pam_runtime_dirs" lineno="1198">
+<interface name="auth_manage_pam_runtime_dirs" lineno="1238">
 <summary>
 Manage pam runtime dirs.
 </summary>
@@ -100259,7 +100686,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="auth_runtime_filetrans_pam_runtime" lineno="1229">
+<interface name="auth_runtime_filetrans_pam_runtime" lineno="1269">
 <summary>
 Create specified objects in
 pid directories with the pam runtime
@@ -100281,7 +100708,7 @@ The name of the object being created.
 </summary>
 </param>
 </interface>
-<interface name="auth_read_pam_runtime_files" lineno="1247">
+<interface name="auth_read_pam_runtime_files" lineno="1287">
 <summary>
 Read PAM runtime files.
 </summary>
@@ -100291,7 +100718,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="auth_dontaudit_read_pam_runtime_files" lineno="1267">
+<interface name="auth_dontaudit_read_pam_runtime_files" lineno="1307">
 <summary>
 Do not audit attempts to read PAM runtime files.
 </summary>
@@ -100301,7 +100728,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="auth_delete_pam_runtime_files" lineno="1285">
+<interface name="auth_delete_pam_runtime_files" lineno="1325">
 <summary>
 Delete pam runtime files.
 </summary>
@@ -100311,7 +100738,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="auth_manage_pam_runtime_files" lineno="1304">
+<interface name="auth_manage_pam_runtime_files" lineno="1344">
 <summary>
 Create, read, write, and delete pam runtime files.
 </summary>
@@ -100321,7 +100748,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="auth_domtrans_pam_console" lineno="1323">
+<interface name="auth_domtrans_pam_console" lineno="1363">
 <summary>
 Execute pam_console with a domain transition.
 </summary>
@@ -100331,7 +100758,7 @@ Domain allowed to transition.
 </summary>
 </param>
 </interface>
-<interface name="auth_search_pam_console_data" lineno="1342">
+<interface name="auth_search_pam_console_data" lineno="1382">
 <summary>
 Search the contents of the
 pam_console data directory.
@@ -100342,7 +100769,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="auth_list_pam_console_data" lineno="1362">
+<interface name="auth_list_pam_console_data" lineno="1402">
 <summary>
 List the contents of the pam_console
 data directory.
@@ -100353,7 +100780,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="auth_create_pam_console_data_dirs" lineno="1381">
+<interface name="auth_create_pam_console_data_dirs" lineno="1421">
 <summary>
 Create pam var console pid directories.
 </summary>
@@ -100363,7 +100790,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="auth_relabel_pam_console_data_dirs" lineno="1400">
+<interface name="auth_relabel_pam_console_data_dirs" lineno="1440">
 <summary>
 Relabel pam_console data directories.
 </summary>
@@ -100373,7 +100800,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="auth_read_pam_console_data" lineno="1418">
+<interface name="auth_read_pam_console_data" lineno="1458">
 <summary>
 Read pam_console data files.
 </summary>
@@ -100383,7 +100810,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="auth_manage_pam_console_data" lineno="1439">
+<interface name="auth_manage_pam_console_data" lineno="1479">
 <summary>
 Create, read, write, and delete
 pam_console data files.
@@ -100394,7 +100821,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="auth_delete_pam_console_data" lineno="1459">
+<interface name="auth_delete_pam_console_data" lineno="1499">
 <summary>
 Delete pam_console data.
 </summary>
@@ -100404,7 +100831,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="auth_runtime_filetrans_pam_var_console" lineno="1492">
+<interface name="auth_runtime_filetrans_pam_var_console" lineno="1532">
 <summary>
 Create specified objects in generic
 runtime directories with the pam var
@@ -100427,7 +100854,7 @@ The name of the object being created.
 </summary>
 </param>
 </interface>
-<interface name="auth_domtrans_utempter" lineno="1510">
+<interface name="auth_domtrans_utempter" lineno="1550">
 <summary>
 Execute utempter programs in the utempter domain.
 </summary>
@@ -100437,7 +100864,7 @@ Domain allowed to transition.
 </summary>
 </param>
 </interface>
-<interface name="auth_run_utempter" lineno="1533">
+<interface name="auth_run_utempter" lineno="1573">
 <summary>
 Execute utempter programs in the utempter domain.
 </summary>
@@ -100452,7 +100879,7 @@ The role to allow the utempter domain.
 </summary>
 </param>
 </interface>
-<interface name="auth_dontaudit_exec_utempter" lineno="1552">
+<interface name="auth_dontaudit_exec_utempter" lineno="1592">
 <summary>
 Do not audit attempts to execute utempter executable.
 </summary>
@@ -100462,7 +100889,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="auth_setattr_login_records" lineno="1570">
+<interface name="auth_setattr_login_records" lineno="1610">
 <summary>
 Set the attributes of login record files.
 </summary>
@@ -100472,7 +100899,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="auth_read_login_records" lineno="1590">
+<interface name="auth_read_login_records" lineno="1630">
 <summary>
 Read login records files (/var/log/wtmp).
 </summary>
@@ -100483,7 +100910,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="auth_dontaudit_read_login_records" lineno="1611">
+<interface name="auth_dontaudit_read_login_records" lineno="1651">
 <summary>
 Do not audit attempts to read login records
 files (/var/log/wtmp).
@@ -100495,7 +100922,7 @@ Domain to not audit.
 </param>
 <rolecap/>
 </interface>
-<interface name="auth_dontaudit_write_login_records" lineno="1630">
+<interface name="auth_dontaudit_write_login_records" lineno="1670">
 <summary>
 Do not audit attempts to write to
 login records files.
@@ -100506,7 +100933,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="auth_append_login_records" lineno="1648">
+<interface name="auth_append_login_records" lineno="1688">
 <summary>
 Append to login records (wtmp).
 </summary>
@@ -100516,7 +100943,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="auth_write_login_records" lineno="1667">
+<interface name="auth_write_login_records" lineno="1707">
 <summary>
 Write to login records (wtmp).
 </summary>
@@ -100526,7 +100953,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="auth_rw_login_records" lineno="1685">
+<interface name="auth_rw_login_records" lineno="1725">
 <summary>
 Read and write login records.
 </summary>
@@ -100536,7 +100963,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="auth_log_filetrans_login_records" lineno="1705">
+<interface name="auth_log_filetrans_login_records" lineno="1745">
 <summary>
 Create a login records in the log directory
 using a type transition.
@@ -100547,7 +100974,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="auth_manage_login_records" lineno="1724">
+<interface name="auth_manage_login_records" lineno="1764">
 <summary>
 Create, read, write, and delete login
 records files.
@@ -100558,7 +100985,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="auth_relabel_login_records" lineno="1743">
+<interface name="auth_relabel_login_records" lineno="1783">
 <summary>
 Relabel login record files.
 </summary>
@@ -100568,7 +100995,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="auth_use_nsswitch" lineno="1771">
+<interface name="auth_use_nsswitch" lineno="1811">
 <summary>
 Use nsswitch to look up user, password, group, or
 host information.
@@ -100588,7 +101015,7 @@ Domain allowed access.
 </param>
 <infoflow type="both" weight="10"/>
 </interface>
-<interface name="auth_unconfined" lineno="1799">
+<interface name="auth_unconfined" lineno="1839">
 <summary>
 Unconfined access to the authlogin module.
 </summary>
@@ -101214,7 +101641,7 @@ Type of the script file used as an entry point to this domain.
 </summary>
 </param>
 </interface>
-<interface name="init_domain" lineno="170">
+<interface name="init_domain" lineno="161">
 <summary>
 Create a domain which can be started by init.
 </summary>
@@ -101229,7 +101656,7 @@ Type of the program to be used as an entry point to this domain.
 </summary>
 </param>
 </interface>
-<interface name="init_ranged_domain" lineno="221">
+<interface name="init_ranged_domain" lineno="198">
 <summary>
 Create a domain which can be started by init,
 with a range transition.
@@ -101250,7 +101677,7 @@ Range for the domain.
 </summary>
 </param>
 </interface>
-<interface name="init_spec_daemon_domain" lineno="262">
+<interface name="init_spec_daemon_domain" lineno="239">
 <summary>
 Setup a domain which can be manually transitioned to from init.
 </summary>
@@ -101274,7 +101701,7 @@ Type of the program being executed when starting this domain.
 </summary>
 </param>
 </interface>
-<interface name="init_daemon_domain" lineno="343">
+<interface name="init_daemon_domain" lineno="291">
 <summary>
 Create a domain for long running processes
 (daemons/services) which are started by init scripts.
@@ -101309,7 +101736,7 @@ Type of the program to be used as an entry point to this domain.
 </param>
 <infoflow type="read" weight="10"/>
 </interface>
-<interface name="init_ranged_daemon_domain" lineno="437">
+<interface name="init_ranged_daemon_domain" lineno="354">
 <summary>
 Create a domain for long running processes
 (daemons/services) which are started by init scripts,
@@ -101351,7 +101778,7 @@ MLS/MCS range for the domain.
 </param>
 <infoflow type="read" weight="10"/>
 </interface>
-<interface name="init_abstract_socket_activation" lineno="468">
+<interface name="init_abstract_socket_activation" lineno="385">
 <summary>
 Abstract socket service activation (systemd).
 </summary>
@@ -101361,7 +101788,7 @@ The domain to be started by systemd socket activation.
 </summary>
 </param>
 </interface>
-<interface name="init_named_socket_activation" lineno="493">
+<interface name="init_named_socket_activation" lineno="410">
 <summary>
 Named socket service activation (systemd).
 </summary>
@@ -101376,7 +101803,7 @@ The domain socket file type.
 </summary>
 </param>
 </interface>
-<interface name="init_system_domain" lineno="544">
+<interface name="init_system_domain" lineno="461">
 <summary>
 Create a domain for short running processes
 which are started by init scripts.
@@ -101413,7 +101840,7 @@ Type of the program to be used as an entry point to this domain.
 </param>
 <infoflow type="read" weight="10"/>
 </interface>
-<interface name="init_ranged_system_domain" lineno="608">
+<interface name="init_ranged_system_domain" lineno="523">
 <summary>
 Create a domain for short running processes
 which are started by init scripts.
@@ -101456,7 +101883,7 @@ Range for the domain.
 </param>
 <infoflow type="read" weight="10"/>
 </interface>
-<interface name="init_dyntrans" lineno="639">
+<interface name="init_dyntrans" lineno="554">
 <summary>
 Allow domain dyntransition to init_t domain.
 </summary>
@@ -101466,7 +101893,7 @@ Domain allowed to transition.
 </summary>
 </param>
 </interface>
-<interface name="init_daemon_runtime_file" lineno="668">
+<interface name="init_daemon_runtime_file" lineno="583">
 <summary>
 Mark the file type as a daemon runtime file, allowing initrc_t
 to create it
@@ -101487,7 +101914,7 @@ Filename of the file that the init script creates
 </summary>
 </param>
 </interface>
-<interface name="init_daemon_lock_file" lineno="701">
+<interface name="init_daemon_lock_file" lineno="616">
 <summary>
 Mark the file type as a daemon lock file, allowing initrc_t
 to create it
@@ -101508,7 +101935,7 @@ Filename of the file that the init script creates
 </summary>
 </param>
 </interface>
-<interface name="init_domtrans" lineno="723">
+<interface name="init_domtrans" lineno="638">
 <summary>
 Execute init (/sbin/init) with a domain transition.
 </summary>
@@ -101518,7 +101945,7 @@ Domain allowed to transition.
 </summary>
 </param>
 </interface>
-<interface name="init_pgm_spec_user_daemon_domain" lineno="747">
+<interface name="init_pgm_spec_user_daemon_domain" lineno="662">
 <summary>
 Execute init (/sbin/init) with a domain transition
 to the provided domain.
@@ -101534,7 +101961,7 @@ The type to be used as a systemd --user domain.
 </summary>
 </param>
 </interface>
-<interface name="init_exec" lineno="775">
+<interface name="init_exec" lineno="690">
 <summary>
 Execute the init program in the caller domain.
 </summary>
@@ -101545,7 +101972,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="init_pgm_entrypoint" lineno="796">
+<interface name="init_pgm_entrypoint" lineno="711">
 <summary>
 Allow the init program to be an entrypoint
 for the specified domain.
@@ -101557,7 +101984,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="init_exec_rc" lineno="825">
+<interface name="init_exec_rc" lineno="740">
 <summary>
 Execute the rc application in the caller domain.
 </summary>
@@ -101578,7 +102005,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_getpgid" lineno="844">
+<interface name="init_getpgid" lineno="759">
 <summary>
 Get the process group of init.
 </summary>
@@ -101588,7 +102015,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_signal" lineno="862">
+<interface name="init_signal" lineno="777">
 <summary>
 Send init a generic signal.
 </summary>
@@ -101598,7 +102025,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_signull" lineno="880">
+<interface name="init_signull" lineno="795">
 <summary>
 Send init a null signal.
 </summary>
@@ -101608,7 +102035,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_sigchld" lineno="898">
+<interface name="init_sigchld" lineno="813">
 <summary>
 Send init a SIGCHLD signal.
 </summary>
@@ -101618,7 +102045,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_setsched" lineno="916">
+<interface name="init_setsched" lineno="831">
 <summary>
 Set the nice level of init.
 </summary>
@@ -101628,7 +102055,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_write_mountpoint_files" lineno="940">
+<interface name="init_write_mountpoint_files" lineno="855">
 <summary>
 Write systemd mountpoint files.
 </summary>
@@ -101644,7 +102071,7 @@ must be negated by the caller.
 </summary>
 </param>
 </interface>
-<interface name="init_create_mountpoint_files" lineno="964">
+<interface name="init_create_mountpoint_files" lineno="879">
 <summary>
 Create systemd mountpoint files.
 </summary>
@@ -101660,7 +102087,7 @@ must be negated by the caller.
 </summary>
 </param>
 </interface>
-<interface name="init_stream_connect" lineno="982">
+<interface name="init_stream_connect" lineno="897">
 <summary>
 Connect to init with a unix socket.
 </summary>
@@ -101670,7 +102097,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_unix_stream_socket_connectto" lineno="1003">
+<interface name="init_unix_stream_socket_connectto" lineno="918">
 <summary>
 Connect to init with a unix socket.
 Without any additional permissions.
@@ -101681,7 +102108,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_unix_stream_socket_sendto" lineno="1022">
+<interface name="init_unix_dgram_socket_sendto" lineno="937">
 <summary>
 Send to init with a unix socket.
 Without any additional permissions.
@@ -101692,7 +102119,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_use_fds" lineno="1080">
+<interface name="init_use_fds" lineno="995">
 <summary>
 Inherit and use file descriptors from init.
 </summary>
@@ -101742,7 +102169,7 @@ Domain allowed access.
 </param>
 <infoflow type="read" weight="1"/>
 </interface>
-<interface name="init_dontaudit_use_fds" lineno="1099">
+<interface name="init_dontaudit_use_fds" lineno="1014">
 <summary>
 Do not audit attempts to inherit file
 descriptors from init.
@@ -101753,7 +102180,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="init_dgram_send" lineno="1118">
+<interface name="init_dgram_send" lineno="1033">
 <summary>
 Send messages to init unix datagram sockets.
 </summary>
@@ -101764,7 +102191,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="init_rw_inherited_stream_socket" lineno="1138">
+<interface name="init_rw_inherited_stream_socket" lineno="1053">
 <summary>
 Read and write to inherited init unix streams.
 </summary>
@@ -101774,7 +102201,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_rw_stream_sockets" lineno="1157">
+<interface name="init_rw_stream_sockets" lineno="1072">
 <summary>
 Allow the specified domain to read/write to
 init with unix domain stream sockets.
@@ -101785,7 +102212,19 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_dontaudit_search_keys" lineno="1175">
+<interface name="init_setattr_stream_sockets" lineno="1092">
+<summary>
+Allow the specified domain to set the
+attributes of init's unix domain stream
+sockets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="init_dontaudit_search_keys" lineno="1110">
 <summary>
 Do not audit attempts to search init keys.
 </summary>
@@ -101795,7 +102234,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_start_system" lineno="1193">
+<interface name="init_start_system" lineno="1128">
 <summary>
 start service (systemd).
 </summary>
@@ -101805,7 +102244,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_stop_system" lineno="1212">
+<interface name="init_stop_system" lineno="1147">
 <summary>
 stop service (systemd).
 </summary>
@@ -101815,7 +102254,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_get_system_status" lineno="1231">
+<interface name="init_get_system_status" lineno="1166">
 <summary>
 Get all service status (systemd).
 </summary>
@@ -101825,7 +102264,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_enable" lineno="1250">
+<interface name="init_enable" lineno="1185">
 <summary>
 Enable all systemd services (systemd).
 </summary>
@@ -101835,7 +102274,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_disable" lineno="1269">
+<interface name="init_disable" lineno="1204">
 <summary>
 Disable all services (systemd).
 </summary>
@@ -101845,7 +102284,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_reload" lineno="1288">
+<interface name="init_reload" lineno="1223">
 <summary>
 Reload all services (systemd).
 </summary>
@@ -101855,7 +102294,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_reboot_system" lineno="1307">
+<interface name="init_reboot_system" lineno="1242">
 <summary>
 Reboot the system (systemd).
 </summary>
@@ -101865,7 +102304,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_shutdown_system" lineno="1326">
+<interface name="init_shutdown_system" lineno="1261">
 <summary>
 Shutdown (halt) the system (systemd).
 </summary>
@@ -101875,7 +102314,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_service_status" lineno="1345">
+<interface name="init_service_status" lineno="1280">
 <summary>
 Allow specified domain to get init status
 </summary>
@@ -101885,7 +102324,7 @@ Domain to allow access.
 </summary>
 </param>
 </interface>
-<interface name="init_service_start" lineno="1364">
+<interface name="init_service_start" lineno="1299">
 <summary>
 Allow specified domain to get init start
 </summary>
@@ -101895,7 +102334,7 @@ Domain to allow access.
 </summary>
 </param>
 </interface>
-<interface name="init_dbus_chat" lineno="1384">
+<interface name="init_dbus_chat" lineno="1319">
 <summary>
 Send and receive messages from
 systemd over dbus.
@@ -101906,7 +102345,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_run_bpf" lineno="1404">
+<interface name="init_run_bpf" lineno="1339">
 <summary>
 Run init BPF programs.
 </summary>
@@ -101916,7 +102355,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_read_var_lib_links" lineno="1422">
+<interface name="init_read_var_lib_links" lineno="1357">
 <summary>
 read/follow symlinks under /var/lib/systemd/
 </summary>
@@ -101926,7 +102365,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_search_var_lib_dirs" lineno="1441">
+<interface name="init_search_var_lib_dirs" lineno="1376">
 <summary>
 Search /var/lib/systemd/ dirs
 </summary>
@@ -101936,7 +102375,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_list_var_lib_dirs" lineno="1460">
+<interface name="init_list_var_lib_dirs" lineno="1395">
 <summary>
 List /var/lib/systemd/ dir
 </summary>
@@ -101946,7 +102385,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_relabel_var_lib_dirs" lineno="1478">
+<interface name="init_relabel_var_lib_dirs" lineno="1413">
 <summary>
 Relabel dirs in /var/lib/systemd/.
 </summary>
@@ -101956,7 +102395,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_manage_random_seed" lineno="1499">
+<interface name="init_manage_random_seed" lineno="1434">
 <summary>
 Create, read, write, and delete the
 pseudorandom number generator seed
@@ -101969,7 +102408,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_manage_var_lib_files" lineno="1520">
+<interface name="init_manage_var_lib_files" lineno="1455">
 <summary>
 Manage files in /var/lib/systemd/.
 </summary>
@@ -101979,7 +102418,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_var_lib_filetrans" lineno="1555">
+<interface name="init_var_lib_filetrans" lineno="1490">
 <summary>
 Create files in /var/lib/systemd
 with an automatic type transition.
@@ -102005,7 +102444,7 @@ The name of the object being created.
 </summary>
 </param>
 </interface>
-<interface name="init_search_runtime" lineno="1574">
+<interface name="init_search_runtime" lineno="1509">
 <summary>
 Search init runtime directories, e.g. /run/systemd.
 </summary>
@@ -102015,7 +102454,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_list_runtime" lineno="1592">
+<interface name="init_list_runtime" lineno="1527">
 <summary>
 List init runtime directories, e.g. /run/systemd.
 </summary>
@@ -102025,7 +102464,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_manage_runtime_dirs" lineno="1612">
+<interface name="init_manage_runtime_dirs" lineno="1547">
 <summary>
 Create, read, write, and delete
 directories in the /run/systemd directory.
@@ -102036,7 +102475,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_manage_runtime_files" lineno="1631">
+<interface name="init_manage_runtime_files" lineno="1566">
 <summary>
 Create, read, write, and delete
 files in the /run/systemd directory.
@@ -102047,7 +102486,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_runtime_filetrans" lineno="1664">
+<interface name="init_runtime_filetrans" lineno="1599">
 <summary>
 Create files in an init runtime directory with a private type.
 </summary>
@@ -102072,7 +102511,7 @@ The name of the object being created.
 </summary>
 </param>
 </interface>
-<interface name="init_write_runtime_files" lineno="1683">
+<interface name="init_write_runtime_files" lineno="1618">
 <summary>
 Write init runtime files, e.g. in /run/systemd.
 </summary>
@@ -102082,7 +102521,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_create_runtime_files" lineno="1701">
+<interface name="init_create_runtime_files" lineno="1636">
 <summary>
 Create init runtime files, e.g. in /run/systemd.
 </summary>
@@ -102092,7 +102531,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_manage_runtime_symlinks" lineno="1719">
+<interface name="init_manage_runtime_symlinks" lineno="1654">
 <summary>
 Create init runtime symbolic links, e.g. in /run/systemd.
 </summary>
@@ -102102,7 +102541,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_getattr_initctl" lineno="1737">
+<interface name="init_getattr_initctl" lineno="1672">
 <summary>
 Get the attributes of initctl.
 </summary>
@@ -102112,7 +102551,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_dontaudit_getattr_initctl" lineno="1758">
+<interface name="init_dontaudit_getattr_initctl" lineno="1693">
 <summary>
 Do not audit attempts to get the
 attributes of initctl.
@@ -102123,7 +102562,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="init_write_initctl" lineno="1776">
+<interface name="init_write_initctl" lineno="1711">
 <summary>
 Write to initctl.
 </summary>
@@ -102133,7 +102572,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_telinit" lineno="1797">
+<interface name="init_telinit" lineno="1732">
 <summary>
 Use telinit (Read and write initctl).
 </summary>
@@ -102144,7 +102583,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="init_rw_initctl" lineno="1830">
+<interface name="init_rw_initctl" lineno="1765">
 <summary>
 Read and write initctl.
 </summary>
@@ -102154,7 +102593,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_dontaudit_rw_initctl" lineno="1851">
+<interface name="init_dontaudit_rw_initctl" lineno="1786">
 <summary>
 Do not audit attempts to read and
 write initctl.
@@ -102165,7 +102604,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="init_script_file_entry_type" lineno="1870">
+<interface name="init_script_file_entry_type" lineno="1805">
 <summary>
 Make init scripts an entry point for
 the specified domain.
@@ -102176,7 +102615,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_spec_domtrans_script" lineno="1893">
+<interface name="init_spec_domtrans_script" lineno="1828">
 <summary>
 Execute init scripts with a specified domain transition.
 </summary>
@@ -102186,7 +102625,7 @@ Domain allowed to transition.
 </summary>
 </param>
 </interface>
-<interface name="init_domtrans_script" lineno="1920">
+<interface name="init_domtrans_script" lineno="1855">
 <summary>
 Execute init scripts with an automatic domain transition.
 </summary>
@@ -102196,7 +102635,7 @@ Domain allowed to transition.
 </summary>
 </param>
 </interface>
-<interface name="init_domtrans_labeled_script" lineno="1955">
+<interface name="init_domtrans_labeled_script" lineno="1890">
 <summary>
 Execute labelled init scripts with an automatic domain transition.
 </summary>
@@ -102206,7 +102645,7 @@ Domain allowed to transition.
 </summary>
 </param>
 </interface>
-<interface name="init_script_file_domtrans" lineno="2001">
+<interface name="init_script_file_domtrans" lineno="1936">
 <summary>
 Execute a init script in a specified domain.
 </summary>
@@ -102231,7 +102670,7 @@ Domain to transition to.
 </summary>
 </param>
 </interface>
-<interface name="init_kill_scripts" lineno="2020">
+<interface name="init_kill_scripts" lineno="1955">
 <summary>
 Send a kill signal to init scripts.
 </summary>
@@ -102241,7 +102680,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_manage_script_service" lineno="2038">
+<interface name="init_manage_script_service" lineno="1973">
 <summary>
 Allow manage service for initrc_exec_t scripts
 </summary>
@@ -102251,7 +102690,7 @@ Target domain
 </summary>
 </param>
 </interface>
-<interface name="init_labeled_script_domtrans" lineno="2063">
+<interface name="init_labeled_script_domtrans" lineno="1998">
 <summary>
 Transition to the init script domain
 on a specified labeled init script.
@@ -102267,7 +102706,7 @@ Labeled init script file.
 </summary>
 </param>
 </interface>
-<interface name="init_all_labeled_script_domtrans" lineno="2085">
+<interface name="init_all_labeled_script_domtrans" lineno="2020">
 <summary>
 Transition to the init script domain
 for all labeled init script types
@@ -102278,7 +102717,7 @@ Domain allowed to transition.
 </summary>
 </param>
 </interface>
-<interface name="init_get_script_status" lineno="2103">
+<interface name="init_get_script_status" lineno="2038">
 <summary>
 Allow getting service status of initrc_exec_t scripts
 </summary>
@@ -102288,7 +102727,7 @@ Target domain
 </summary>
 </param>
 </interface>
-<interface name="init_startstop_service" lineno="2143">
+<interface name="init_startstop_service" lineno="2078">
 <summary>
 Allow the role to start and stop
 labeled services.
@@ -102319,7 +102758,7 @@ Systemd unit file type.
 </summary>
 </param>
 </interface>
-<interface name="init_run_daemon" lineno="2199">
+<interface name="init_run_daemon" lineno="2134">
 <summary>
 Start and stop daemon programs directly.
 </summary>
@@ -102341,7 +102780,7 @@ The role to be performing this action.
 </summary>
 </param>
 </interface>
-<interface name="init_startstop_all_script_services" lineno="2221">
+<interface name="init_startstop_all_script_services" lineno="2156">
 <summary>
 Start and stop init_script_file_type services
 </summary>
@@ -102351,7 +102790,7 @@ domain that can start and stop the services
 </summary>
 </param>
 </interface>
-<interface name="init_read_state" lineno="2240">
+<interface name="init_read_state" lineno="2175">
 <summary>
 Read the process state (/proc/pid) of init.
 </summary>
@@ -102361,7 +102800,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_dontaudit_read_state" lineno="2260">
+<interface name="init_dontaudit_read_state" lineno="2195">
 <summary>
 Dontaudit read the process state (/proc/pid) of init.
 </summary>
@@ -102371,7 +102810,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="init_ptrace" lineno="2281">
+<interface name="init_ptrace" lineno="2216">
 <summary>
 Ptrace init
 </summary>
@@ -102382,7 +102821,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="init_getattr" lineno="2300">
+<interface name="init_getattr" lineno="2235">
 <summary>
 get init process stats
 </summary>
@@ -102393,7 +102832,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="init_read_script_pipes" lineno="2318">
+<interface name="init_read_script_pipes" lineno="2253">
 <summary>
 Read an init script unnamed pipe.
 </summary>
@@ -102403,7 +102842,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_write_script_pipes" lineno="2336">
+<interface name="init_write_script_pipes" lineno="2271">
 <summary>
 Write an init script unnamed pipe.
 </summary>
@@ -102413,7 +102852,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_getattr_script_files" lineno="2354">
+<interface name="init_getattr_script_files" lineno="2289">
 <summary>
 Get the attribute of init script entrypoint files.
 </summary>
@@ -102423,7 +102862,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_read_script_files" lineno="2373">
+<interface name="init_read_script_files" lineno="2308">
 <summary>
 Read init scripts.
 </summary>
@@ -102433,7 +102872,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_exec_script_files" lineno="2392">
+<interface name="init_exec_script_files" lineno="2327">
 <summary>
 Execute init scripts in the caller domain.
 </summary>
@@ -102443,7 +102882,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_getattr_all_script_files" lineno="2411">
+<interface name="init_getattr_all_script_files" lineno="2346">
 <summary>
 Get the attribute of all init script entrypoint files.
 </summary>
@@ -102453,7 +102892,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_read_all_script_files" lineno="2430">
+<interface name="init_read_all_script_files" lineno="2365">
 <summary>
 Read all init script files.
 </summary>
@@ -102463,7 +102902,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_dontaudit_read_all_script_files" lineno="2454">
+<interface name="init_dontaudit_read_all_script_files" lineno="2389">
 <summary>
 Dontaudit read all init script files.
 </summary>
@@ -102473,7 +102912,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="init_exec_all_script_files" lineno="2472">
+<interface name="init_exec_all_script_files" lineno="2407">
 <summary>
 Execute all init scripts in the caller domain.
 </summary>
@@ -102483,7 +102922,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_read_script_state" lineno="2491">
+<interface name="init_read_script_state" lineno="2426">
 <summary>
 Read the process state (/proc/pid) of the init scripts.
 </summary>
@@ -102493,7 +102932,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_use_script_fds" lineno="2510">
+<interface name="init_use_script_fds" lineno="2445">
 <summary>
 Inherit and use init script file descriptors.
 </summary>
@@ -102503,7 +102942,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_dontaudit_use_script_fds" lineno="2529">
+<interface name="init_dontaudit_use_script_fds" lineno="2464">
 <summary>
 Do not audit attempts to inherit
 init script file descriptors.
@@ -102514,7 +102953,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="init_search_script_keys" lineno="2547">
+<interface name="init_search_script_keys" lineno="2482">
 <summary>
 Search init script keys.
 </summary>
@@ -102524,7 +102963,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_getpgid_script" lineno="2565">
+<interface name="init_getpgid_script" lineno="2500">
 <summary>
 Get the process group ID of init scripts.
 </summary>
@@ -102534,7 +102973,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_sigchld_script" lineno="2583">
+<interface name="init_sigchld_script" lineno="2518">
 <summary>
 Send SIGCHLD signals to init scripts.
 </summary>
@@ -102544,7 +102983,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_signal_script" lineno="2601">
+<interface name="init_signal_script" lineno="2536">
 <summary>
 Send generic signals to init scripts.
 </summary>
@@ -102554,7 +102993,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_signull_script" lineno="2619">
+<interface name="init_signull_script" lineno="2554">
 <summary>
 Send null signals to init scripts.
 </summary>
@@ -102564,7 +103003,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_rw_script_pipes" lineno="2637">
+<interface name="init_rw_script_pipes" lineno="2572">
 <summary>
 Read and write init script unnamed pipes.
 </summary>
@@ -102574,7 +103013,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_stream_connect_script" lineno="2656">
+<interface name="init_stream_connect_script" lineno="2591">
 <summary>
 Allow the specified domain to connect to
 init scripts with a unix socket.
@@ -102585,7 +103024,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_rw_script_stream_sockets" lineno="2675">
+<interface name="init_rw_script_stream_sockets" lineno="2610">
 <summary>
 Allow the specified domain to read/write to
 init scripts with a unix domain stream sockets.
@@ -102596,7 +103035,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_dontaudit_stream_connect_script" lineno="2694">
+<interface name="init_dontaudit_stream_connect_script" lineno="2629">
 <summary>
 Dont audit the specified domain connecting to
 init scripts with a unix domain stream socket.
@@ -102607,7 +103046,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="init_dbus_send_script" lineno="2711">
+<interface name="init_dbus_send_script" lineno="2646">
 <summary>
 Send messages to init scripts over dbus.
 </summary>
@@ -102617,7 +103056,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_dbus_chat_script" lineno="2731">
+<interface name="init_dbus_chat_script" lineno="2666">
 <summary>
 Send and receive messages from
 init scripts over dbus.
@@ -102628,7 +103067,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_use_script_ptys" lineno="2760">
+<interface name="init_use_script_ptys" lineno="2695">
 <summary>
 Read and write the init script pty.
 </summary>
@@ -102647,7 +103086,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_use_inherited_script_ptys" lineno="2779">
+<interface name="init_use_inherited_script_ptys" lineno="2714">
 <summary>
 Read and write inherited init script ptys.
 </summary>
@@ -102657,7 +103096,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_dontaudit_use_script_ptys" lineno="2801">
+<interface name="init_dontaudit_use_script_ptys" lineno="2736">
 <summary>
 Do not audit attempts to read and
 write the init script pty.
@@ -102668,7 +103107,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="init_getattr_script_status_files" lineno="2820">
+<interface name="init_getattr_script_status_files" lineno="2755">
 <summary>
 Get the attributes of init script
 status files.
@@ -102679,7 +103118,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_dontaudit_read_script_status_files" lineno="2839">
+<interface name="init_dontaudit_read_script_status_files" lineno="2774">
 <summary>
 Do not audit attempts to read init script
 status files.
@@ -102690,7 +103129,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="init_search_run" lineno="2858">
+<interface name="init_search_run" lineno="2793">
 <summary>
 Search the /run/systemd directory.
 </summary>
@@ -102700,7 +103139,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_read_script_tmp_files" lineno="2877">
+<interface name="init_read_script_tmp_files" lineno="2812">
 <summary>
 Read init script temporary data.
 </summary>
@@ -102710,7 +103149,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_rw_inherited_script_tmp_files" lineno="2896">
+<interface name="init_rw_inherited_script_tmp_files" lineno="2831">
 <summary>
 Read and write init script inherited temporary data.
 </summary>
@@ -102720,7 +103159,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_rw_script_tmp_files" lineno="2914">
+<interface name="init_rw_script_tmp_files" lineno="2849">
 <summary>
 Read and write init script temporary data.
 </summary>
@@ -102730,7 +103169,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_script_tmp_filetrans" lineno="2949">
+<interface name="init_script_tmp_filetrans" lineno="2884">
 <summary>
 Create files in a init script
 temporary data directory.
@@ -102756,7 +103195,7 @@ The name of the object being created.
 </summary>
 </param>
 </interface>
-<interface name="init_getattr_utmp" lineno="2968">
+<interface name="init_getattr_utmp" lineno="2903">
 <summary>
 Get the attributes of init script process id files.
 </summary>
@@ -102766,7 +103205,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_read_utmp" lineno="2986">
+<interface name="init_read_utmp" lineno="2921">
 <summary>
 Read utmp.
 </summary>
@@ -102776,7 +103215,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_dontaudit_write_utmp" lineno="3005">
+<interface name="init_dontaudit_write_utmp" lineno="2940">
 <summary>
 Do not audit attempts to write utmp.
 </summary>
@@ -102786,7 +103225,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="init_write_utmp" lineno="3023">
+<interface name="init_write_utmp" lineno="2958">
 <summary>
 Write to utmp.
 </summary>
@@ -102796,7 +103235,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_dontaudit_lock_utmp" lineno="3043">
+<interface name="init_dontaudit_lock_utmp" lineno="2978">
 <summary>
 Do not audit attempts to lock
 init script pid files.
@@ -102807,7 +103246,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="init_rw_utmp" lineno="3061">
+<interface name="init_rw_utmp" lineno="2996">
 <summary>
 Read and write utmp.
 </summary>
@@ -102817,7 +103256,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_dontaudit_rw_utmp" lineno="3080">
+<interface name="init_dontaudit_rw_utmp" lineno="3015">
 <summary>
 Do not audit attempts to read and write utmp.
 </summary>
@@ -102827,7 +103266,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="init_manage_utmp" lineno="3098">
+<interface name="init_manage_utmp" lineno="3033">
 <summary>
 Create, read, write, and delete utmp.
 </summary>
@@ -102837,7 +103276,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_watch_runtime_dirs" lineno="3117">
+<interface name="init_watch_runtime_dirs" lineno="3052">
 <summary>
 Add a watch on init runtime
 </summary>
@@ -102847,7 +103286,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_watch_utmp" lineno="3135">
+<interface name="init_watch_utmp" lineno="3070">
 <summary>
 Add a watch on utmp.
 </summary>
@@ -102857,7 +103296,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_relabel_utmp" lineno="3153">
+<interface name="init_relabel_utmp" lineno="3088">
 <summary>
 Relabel utmp.
 </summary>
@@ -102867,7 +103306,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_runtime_filetrans_utmp" lineno="3172">
+<interface name="init_runtime_filetrans_utmp" lineno="3107">
 <summary>
 Create files in /var/run with the
 utmp file type.
@@ -102878,7 +103317,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_create_runtime_dirs" lineno="3190">
+<interface name="init_create_runtime_dirs" lineno="3125">
 <summary>
 Create a directory in the /run/systemd directory.
 </summary>
@@ -102888,7 +103327,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_read_runtime_files" lineno="3209">
+<interface name="init_read_runtime_files" lineno="3144">
 <summary>
 Read init_runtime_t files
 </summary>
@@ -102898,7 +103337,7 @@ domain
 </summary>
 </param>
 </interface>
-<interface name="init_rename_runtime_files" lineno="3227">
+<interface name="init_rename_runtime_files" lineno="3162">
 <summary>
 Rename init_runtime_t files
 </summary>
@@ -102908,7 +103347,7 @@ domain
 </summary>
 </param>
 </interface>
-<interface name="init_setattr_runtime_files" lineno="3245">
+<interface name="init_setattr_runtime_files" lineno="3180">
 <summary>
 Setattr init_runtime_t files
 </summary>
@@ -102918,7 +103357,7 @@ domain
 </summary>
 </param>
 </interface>
-<interface name="init_delete_runtime_files" lineno="3263">
+<interface name="init_delete_runtime_files" lineno="3198">
 <summary>
 Delete init_runtime_t files
 </summary>
@@ -102928,7 +103367,7 @@ domain
 </summary>
 </param>
 </interface>
-<interface name="init_write_runtime_socket" lineno="3282">
+<interface name="init_write_runtime_socket" lineno="3217">
 <summary>
 Allow the specified domain to write to
 init sock file.
@@ -102939,7 +103378,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_dontaudit_write_runtime_socket" lineno="3301">
+<interface name="init_dontaudit_write_runtime_socket" lineno="3236">
 <summary>
 Do not audit attempts to write to
 init sock files.
@@ -102950,7 +103389,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="init_read_runtime_pipes" lineno="3319">
+<interface name="init_read_runtime_pipes" lineno="3254">
 <summary>
 Read init unnamed pipes.
 </summary>
@@ -102960,7 +103399,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_read_runtime_symlinks" lineno="3337">
+<interface name="init_read_runtime_symlinks" lineno="3272">
 <summary>
 read systemd unit symlinks (usually under /run/systemd/units/)
 </summary>
@@ -102970,7 +103409,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_tcp_recvfrom_all_daemons" lineno="3355">
+<interface name="init_tcp_recvfrom_all_daemons" lineno="3290">
 <summary>
 Allow the specified domain to connect to daemon with a tcp socket
 </summary>
@@ -102980,7 +103419,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_udp_recvfrom_all_daemons" lineno="3373">
+<interface name="init_udp_recvfrom_all_daemons" lineno="3308">
 <summary>
 Allow the specified domain to connect to daemon with a udp socket
 </summary>
@@ -102990,7 +103429,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_read_script_status_files" lineno="3392">
+<interface name="init_read_script_status_files" lineno="3327">
 <summary>
 Allow reading the init script state files
 </summary>
@@ -103000,7 +103439,7 @@ Domain allowed access
 </summary>
 </param>
 </interface>
-<interface name="init_relabelto_script_state" lineno="3410">
+<interface name="init_relabelto_script_state" lineno="3345">
 <summary>
 Label to init script status files
 </summary>
@@ -103010,7 +103449,7 @@ Domain allowed access
 </summary>
 </param>
 </interface>
-<interface name="init_script_readable_type" lineno="3429">
+<interface name="init_script_readable_type" lineno="3364">
 <summary>
 Mark as a readable type for the initrc_t domain
 </summary>
@@ -103020,7 +103459,7 @@ Type that initrc_t needs read access to
 </summary>
 </param>
 </interface>
-<interface name="init_search_units" lineno="3447">
+<interface name="init_search_units" lineno="3382">
 <summary>
 Search systemd unit dirs.
 </summary>
@@ -103030,7 +103469,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_list_unit_dirs" lineno="3472">
+<interface name="init_list_unit_dirs" lineno="3407">
 <summary>
 List systemd unit dirs.
 </summary>
@@ -103040,7 +103479,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_getattr_generic_units_files" lineno="3492">
+<interface name="init_getattr_generic_units_files" lineno="3427">
 <summary>
 Get the attributes of systemd unit files
 </summary>
@@ -103050,7 +103489,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_read_generic_units_files" lineno="3510">
+<interface name="init_read_generic_units_files" lineno="3445">
 <summary>
 Read systemd unit files
 </summary>
@@ -103060,7 +103499,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_read_generic_units_symlinks" lineno="3528">
+<interface name="init_read_generic_units_symlinks" lineno="3463">
 <summary>
 Read systemd unit links
 </summary>
@@ -103070,7 +103509,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_get_generic_units_status" lineno="3546">
+<interface name="init_get_generic_units_status" lineno="3481">
 <summary>
 Get status of generic systemd units.
 </summary>
@@ -103080,7 +103519,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_start_generic_units" lineno="3565">
+<interface name="init_start_generic_units" lineno="3500">
 <summary>
 Start generic systemd units.
 </summary>
@@ -103090,7 +103529,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_stop_generic_units" lineno="3584">
+<interface name="init_stop_generic_units" lineno="3519">
 <summary>
 Stop generic systemd units.
 </summary>
@@ -103100,7 +103539,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="init_reload_generic_units" lineno="3603">
+<interface name="init_reload_generic_units" lineno="3538">
 <summary>
 Reload generic systemd units.
 </summary>
@@ -103110,7 +103549,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_get_runtime_units_status" lineno="3622">
+<interface name="init_get_runtime_units_status" lineno="3557">
 <summary>
 Get the status of runtime systemd units.
 </summary>
@@ -103120,7 +103559,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_start_runtime_units" lineno="3641">
+<interface name="init_start_runtime_units" lineno="3576">
 <summary>
 Start runtime systemd units.
 </summary>
@@ -103130,7 +103569,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_stop_runtime_units" lineno="3660">
+<interface name="init_stop_runtime_units" lineno="3595">
 <summary>
 Stop runtime systemd units.
 </summary>
@@ -103140,7 +103579,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_get_transient_units_status" lineno="3679">
+<interface name="init_get_transient_units_status" lineno="3614">
 <summary>
 Get status of transient systemd units.
 </summary>
@@ -103150,7 +103589,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_start_transient_units" lineno="3698">
+<interface name="init_start_transient_units" lineno="3633">
 <summary>
 Start transient systemd units.
 </summary>
@@ -103160,7 +103599,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_stop_transient_units" lineno="3717">
+<interface name="init_stop_transient_units" lineno="3652">
 <summary>
 Stop transient systemd units.
 </summary>
@@ -103170,7 +103609,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="init_reload_transient_units" lineno="3736">
+<interface name="init_reload_transient_units" lineno="3671">
 <summary>
 Reload transient systemd units.
 </summary>
@@ -103180,7 +103619,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_get_all_units_status" lineno="3756">
+<interface name="init_get_all_units_status" lineno="3691">
 <summary>
 Get status of all systemd units.
 </summary>
@@ -103190,7 +103629,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_manage_all_units" lineno="3775">
+<interface name="init_manage_all_units" lineno="3710">
 <summary>
 All perms on all systemd units.
 </summary>
@@ -103200,7 +103639,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_start_all_units" lineno="3795">
+<interface name="init_start_all_units" lineno="3730">
 <summary>
 Start all systemd units.
 </summary>
@@ -103210,7 +103649,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_stop_all_units" lineno="3814">
+<interface name="init_stop_all_units" lineno="3749">
 <summary>
 Stop all systemd units.
 </summary>
@@ -103220,7 +103659,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="init_reload_all_units" lineno="3833">
+<interface name="init_reload_all_units" lineno="3768">
 <summary>
 Reload all systemd units.
 </summary>
@@ -103230,7 +103669,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_list_all_units" lineno="3852">
+<interface name="init_list_all_units" lineno="3787">
 <summary>
 List systemd unit dirs and the files in them
 </summary>
@@ -103240,7 +103679,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_getattr_all_unit_files" lineno="3871">
+<interface name="init_getattr_all_unit_files" lineno="3806">
 <summary>
 Get the attributes of systemd unit directories and the files in them.
 </summary>
@@ -103250,7 +103689,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_manage_all_unit_files" lineno="3891">
+<interface name="init_manage_all_unit_files" lineno="3826">
 <summary>
 Manage systemd unit dirs and the files in them
 </summary>
@@ -103260,7 +103699,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_relabel_all_unit_files" lineno="3911">
+<interface name="init_relabel_all_unit_files" lineno="3846">
 <summary>
 Relabel from and to systemd unit types.
 </summary>
@@ -103270,7 +103709,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="init_linkable_keyring" lineno="3932">
+<interface name="init_linkable_keyring" lineno="3867">
 <summary>
 Associate the specified domain to be a domain whose
 keyring init should be allowed to link.
@@ -103281,7 +103720,7 @@ Domain whose keyring init should be allowed to link.
 </summary>
 </param>
 </interface>
-<interface name="init_admin" lineno="3950">
+<interface name="init_admin" lineno="3885">
 <summary>
 Allow unconfined access to send instructions to init
 </summary>
@@ -103291,7 +103730,7 @@ Target domain
 </summary>
 </param>
 </interface>
-<interface name="init_getrlimit" lineno="3982">
+<interface name="init_getrlimit" lineno="3917">
 <summary>
 Allow getting init_t rlimit
 </summary>
@@ -103301,7 +103740,7 @@ Source domain
 </summary>
 </param>
 </interface>
-<interface name="init_search_keys" lineno="4000">
+<interface name="init_search_keys" lineno="3935">
 <summary>
 Allow searching init_t keys
 </summary>
@@ -103768,7 +104207,7 @@ Domain allowed to transition.
 <interface name="iscsi_manage_semaphores" lineno="33">
 <summary>
 Create, read, write, and delete
-iscsid sempaphores.
+iscsid semaphores.
 </summary>
 <param name="domain">
 <summary>
@@ -104222,7 +104661,17 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="locallogin_dontaudit_use_fds" lineno="70">
+<interface name="locallogin_use_pidfds" lineno="70">
+<summary>
+Use PIDFDs from local login.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="locallogin_dontaudit_use_fds" lineno="88">
 <summary>
 Do not audit attempts to inherit local login file descriptors.
 </summary>
@@ -104232,7 +104681,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="locallogin_signull" lineno="88">
+<interface name="locallogin_signull" lineno="106">
 <summary>
 Send a null signal to local login processes.
 </summary>
@@ -104242,7 +104691,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="locallogin_search_keys" lineno="106">
+<interface name="locallogin_search_keys" lineno="124">
 <summary>
 Search for key.
 </summary>
@@ -104252,7 +104701,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="locallogin_link_keys" lineno="124">
+<interface name="locallogin_link_keys" lineno="142">
 <summary>
 Allow link to the local_login key ring.
 </summary>
@@ -104262,7 +104711,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="locallogin_domtrans_sulogin" lineno="142">
+<interface name="locallogin_domtrans_sulogin" lineno="160">
 <summary>
 Execute single-user logins in the single-user login domain.
 </summary>
@@ -105285,7 +105734,18 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="lvm_admin" lineno="229">
+<interface name="lvm_manage_runtime_dirs" lineno="224">
+<summary>
+Manage LVM runtime dirs.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="lvm_admin" lineno="248">
 <summary>
 All of the rules required to
 administrate an lvm environment.
@@ -105327,9 +105787,9 @@ Example:
 </p>
 <p>
 type mycertfile_t;
-cert_type(mycertfile_t)
+miscfiles_cert_type(mycertfile_t)
 allow mydomain_t mycertfile_t:file read_file_perms;
-files_search_etc(mydomain_t)
+miscfiles_search_generic_cert_dirs(mydomain_t)
 </p>
 </desc>
 <param name="type">
@@ -105363,9 +105823,9 @@ Example:
 </p>
 <p>
 type mytlsprivkeyfile_t;
-tls_privkey_type(mytlsprivkeyfile_t)
+miscfiles_tls_privkey_type(mytlsprivkeyfile_t)
 allow mydomain_t mytlsprivkeyfile_t:file read_file_perms;
-files_search_etc(mydomain_t)
+miscfiles_search_tls_privkey_dirs(mydomain_t)
 </p>
 </desc>
 <param name="type">
@@ -105386,7 +105846,18 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="miscfiles_read_generic_certs" lineno="124">
+<interface name="miscfiles_search_generic_cert_dirs" lineno="124">
+<summary>
+Search generic SSL/TLS directories.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="miscfiles_read_generic_certs" lineno="144">
 <summary>
 Read generic SSL/TLS certificates.
 </summary>
@@ -105397,7 +105868,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="miscfiles_manage_user_certs" lineno="144">
+<interface name="miscfiles_manage_user_certs" lineno="164">
 <summary>
 Manage user-managed SSL certificates
 </summary>
@@ -105407,7 +105878,7 @@ Domain allowed access
 </summary>
 </param>
 </interface>
-<interface name="miscfiles_dontaudit_read_generic_certs" lineno="160">
+<interface name="miscfiles_dontaudit_read_generic_certs" lineno="180">
 <summary>
 Do not audit attempts to read generic SSL/TLS certificates.
 </summary>
@@ -105418,7 +105889,7 @@ Domain to not audit.
 </param>
 <rolecap/>
 </interface>
-<interface name="miscfiles_relabel_user_certs" lineno="180">
+<interface name="miscfiles_relabel_user_certs" lineno="200">
 <summary>
 Relabel from/to user_cert_t (user-managed SSL certificates)
 </summary>
@@ -105428,7 +105899,7 @@ Domain allowed access
 </summary>
 </param>
 </interface>
-<interface name="miscfiles_manage_generic_cert_dirs" lineno="195">
+<interface name="miscfiles_manage_generic_cert_dirs" lineno="215">
 <summary>
 Manage generic SSL/TLS certificates.
 </summary>
@@ -105438,7 +105909,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="miscfiles_manage_generic_cert_files" lineno="214">
+<interface name="miscfiles_manage_generic_cert_files" lineno="234">
 <summary>
 Manage generic SSL/TLS certificates.
 </summary>
@@ -105449,7 +105920,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="miscfiles_mounton_generic_cert_dirs" lineno="234">
+<interface name="miscfiles_mounton_generic_cert_dirs" lineno="254">
 <summary>
 Mount on generic SSL/TLS certificate directories.
 </summary>
@@ -105460,7 +105931,18 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="miscfiles_read_generic_tls_privkey" lineno="254">
+<interface name="miscfiles_search_tls_privkey_dirs" lineno="274">
+<summary>
+Search SSL/TLS private key directories.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="miscfiles_read_generic_tls_privkey" lineno="295">
 <summary>
 Read generic SSL/TLS private
 keys.
@@ -105472,7 +105954,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="miscfiles_manage_generic_tls_privkey_dirs" lineno="275">
+<interface name="miscfiles_manage_generic_tls_privkey_dirs" lineno="316">
 <summary>
 Manage generic SSL/TLS private
 keys.
@@ -105483,7 +105965,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="miscfiles_manage_generic_tls_privkey_files" lineno="295">
+<interface name="miscfiles_manage_generic_tls_privkey_files" lineno="336">
 <summary>
 Manage generic SSL/TLS private
 keys.
@@ -105495,7 +105977,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="miscfiles_manage_generic_tls_privkey_symlinks" lineno="316">
+<interface name="miscfiles_manage_generic_tls_privkey_symlinks" lineno="357">
 <summary>
 Manage generic SSL/TLS private
 keys.
@@ -105507,7 +105989,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="miscfiles_read_fonts" lineno="335">
+<interface name="miscfiles_read_fonts" lineno="376">
 <summary>
 Read fonts.
 </summary>
@@ -105518,7 +106000,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="miscfiles_setattr_fonts_dirs" lineno="366">
+<interface name="miscfiles_setattr_fonts_dirs" lineno="407">
 <summary>
 Set the attributes on a fonts directory.
 </summary>
@@ -105529,7 +106011,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="miscfiles_dontaudit_setattr_fonts_dirs" lineno="386">
+<interface name="miscfiles_dontaudit_setattr_fonts_dirs" lineno="427">
 <summary>
 Do not audit attempts to set the attributes
 on a fonts directory.
@@ -105541,7 +106023,7 @@ Domain to not audit.
 </param>
 <rolecap/>
 </interface>
-<interface name="miscfiles_dontaudit_write_fonts" lineno="405">
+<interface name="miscfiles_dontaudit_write_fonts" lineno="446">
 <summary>
 Do not audit attempts to write fonts.
 </summary>
@@ -105552,7 +106034,7 @@ Domain to not audit.
 </param>
 <rolecap/>
 </interface>
-<interface name="miscfiles_manage_fonts" lineno="425">
+<interface name="miscfiles_manage_fonts" lineno="466">
 <summary>
 Create, read, write, and delete fonts.
 </summary>
@@ -105563,7 +106045,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="miscfiles_watch_fonts_dirs" lineno="450">
+<interface name="miscfiles_watch_fonts_dirs" lineno="491">
 <summary>
 Watch fonts directories.
 </summary>
@@ -105574,7 +106056,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="miscfiles_setattr_fonts_cache_dirs" lineno="468">
+<interface name="miscfiles_setattr_fonts_cache_dirs" lineno="509">
 <summary>
 Set the attributes on a fonts cache directory.
 </summary>
@@ -105584,7 +106066,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="miscfiles_dontaudit_setattr_fonts_cache_dirs" lineno="487">
+<interface name="miscfiles_dontaudit_setattr_fonts_cache_dirs" lineno="528">
 <summary>
 Do not audit attempts to set the attributes
 on a fonts cache directory.
@@ -105595,7 +106077,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="miscfiles_manage_fonts_cache" lineno="506">
+<interface name="miscfiles_manage_fonts_cache" lineno="547">
 <summary>
 Create, read, write, and delete fonts cache.
 </summary>
@@ -105606,7 +106088,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="miscfiles_read_hwdata" lineno="528">
+<interface name="miscfiles_read_hwdata" lineno="569">
 <summary>
 Read hardware identification data.
 </summary>
@@ -105616,7 +106098,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="miscfiles_getattr_localization" lineno="548">
+<interface name="miscfiles_getattr_localization" lineno="589">
 <summary>
 Allow process to get the attributes of localization info
 </summary>
@@ -105626,7 +106108,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="miscfiles_setattr_localization" lineno="568">
+<interface name="miscfiles_setattr_localization" lineno="609">
 <summary>
 Allow process to setattr localization info
 </summary>
@@ -105636,7 +106118,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="miscfiles_read_localization" lineno="600">
+<interface name="miscfiles_read_localization" lineno="641">
 <summary>
 Allow process to read localization information.
 </summary>
@@ -105658,7 +106140,7 @@ Domain allowed access.
 </param>
 <infoflow type="read" weight="10"/>
 </interface>
-<interface name="miscfiles_rw_localization" lineno="623">
+<interface name="miscfiles_rw_localization" lineno="664">
 <summary>
 Allow process to write localization info
 </summary>
@@ -105668,7 +106150,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="miscfiles_relabel_localization" lineno="643">
+<interface name="miscfiles_relabel_localization" lineno="684">
 <summary>
 Allow process to relabel localization info
 </summary>
@@ -105678,7 +106160,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="miscfiles_legacy_read_localization" lineno="662">
+<interface name="miscfiles_legacy_read_localization" lineno="703">
 <summary>
 Allow process to read legacy time localization info
 </summary>
@@ -105688,7 +106170,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="miscfiles_watch_localization" lineno="681">
+<interface name="miscfiles_watch_localization" lineno="722">
 <summary>
 Watch time localization info
 </summary>
@@ -105698,7 +106180,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="miscfiles_search_man_pages" lineno="699">
+<interface name="miscfiles_search_man_pages" lineno="740">
 <summary>
 Search man pages.
 </summary>
@@ -105708,7 +106190,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="miscfiles_dontaudit_search_man_pages" lineno="718">
+<interface name="miscfiles_dontaudit_search_man_pages" lineno="759">
 <summary>
 Do not audit attempts to search man pages.
 </summary>
@@ -105718,7 +106200,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="miscfiles_read_man_pages" lineno="737">
+<interface name="miscfiles_read_man_pages" lineno="778">
 <summary>
 Read man pages
 </summary>
@@ -105729,7 +106211,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="miscfiles_delete_man_pages" lineno="759">
+<interface name="miscfiles_delete_man_pages" lineno="800">
 <summary>
 Delete man pages
 </summary>
@@ -105739,7 +106221,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="miscfiles_manage_man_pages" lineno="781">
+<interface name="miscfiles_manage_man_pages" lineno="822">
 <summary>
 Create, read, write, and delete man pages
 </summary>
@@ -105749,7 +106231,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="miscfiles_read_man_cache" lineno="802">
+<interface name="miscfiles_read_man_cache" lineno="843">
 <summary>
 Read man cache content.
 </summary>
@@ -105759,7 +106241,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="miscfiles_map_man_cache" lineno="823">
+<interface name="miscfiles_map_man_cache" lineno="864">
 <summary>
 Map man cache content.
 </summary>
@@ -105769,7 +106251,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="miscfiles_manage_man_cache" lineno="842">
+<interface name="miscfiles_manage_man_cache" lineno="883">
 <summary>
 Create, read, write, and delete
 man cache content.
@@ -105780,7 +106262,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="miscfiles_relabel_man_cache" lineno="863">
+<interface name="miscfiles_relabel_man_cache" lineno="904">
 <summary>
 Relabel from and to man cache.
 </summary>
@@ -105790,7 +106272,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="miscfiles_search_public_dirs" lineno="882">
+<interface name="miscfiles_search_public_dirs" lineno="923">
 <summary>
 Search public directories.
 </summary>
@@ -105800,7 +106282,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="miscfiles_read_public_files" lineno="904">
+<interface name="miscfiles_read_public_files" lineno="945">
 <summary>
 Read public files used for file
 transfer services.
@@ -105812,7 +106294,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="miscfiles_manage_public_files" lineno="926">
+<interface name="miscfiles_manage_public_files" lineno="967">
 <summary>
 Create, read, write, and delete public files
 and directories used for file transfer services.
@@ -105824,7 +106306,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="miscfiles_watch_public_dirs" lineno="946">
+<interface name="miscfiles_watch_public_dirs" lineno="987">
 <summary>
 Watch public files
 </summary>
@@ -105834,7 +106316,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="miscfiles_mounton_all_public_dirs" lineno="964">
+<interface name="miscfiles_mounton_all_public_dirs" lineno="1005">
 <summary>
 Mount on all public content directories.
 </summary>
@@ -105844,7 +106326,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="miscfiles_mounton_all_public_files" lineno="984">
+<interface name="miscfiles_mounton_all_public_files" lineno="1025">
 <summary>
 Mount on all public content files.
 </summary>
@@ -105854,7 +106336,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="miscfiles_rangetrans_all_public_content" lineno="1005">
+<interface name="miscfiles_rangetrans_all_public_content" lineno="1046">
 <summary>
 Transition to the specified sensitivity
 when creating all public content objects.
@@ -105865,7 +106347,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="miscfiles_read_tetex_data" lineno="1031">
+<interface name="miscfiles_read_tetex_data" lineno="1072">
 <summary>
 Read TeX data
 </summary>
@@ -105875,7 +106357,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="miscfiles_exec_tetex_data" lineno="1055">
+<interface name="miscfiles_exec_tetex_data" lineno="1096">
 <summary>
 Execute TeX data programs in the caller domain.
 </summary>
@@ -105885,7 +106367,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="miscfiles_domain_entry_test_files" lineno="1079">
+<interface name="miscfiles_domain_entry_test_files" lineno="1120">
 <summary>
 Let test files be an entry point for
 a specified domain.
@@ -105896,7 +106378,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="miscfiles_read_test_files" lineno="1097">
+<interface name="miscfiles_read_test_files" lineno="1138">
 <summary>
 Read test files and directories.
 </summary>
@@ -105906,7 +106388,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="miscfiles_exec_test_files" lineno="1116">
+<interface name="miscfiles_exec_test_files" lineno="1157">
 <summary>
 Execute test files.
 </summary>
@@ -105916,7 +106398,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="miscfiles_etc_filetrans_localization" lineno="1136">
+<interface name="miscfiles_etc_filetrans_localization" lineno="1177">
 <summary>
 Create files in etc directories
 with localization file type.
@@ -105927,7 +106409,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="miscfiles_manage_localization" lineno="1156">
+<interface name="miscfiles_manage_localization" lineno="1197">
 <summary>
 Create, read, write, and delete localization
 </summary>
@@ -106368,7 +106850,18 @@ Role allowed access.
 </module>
 <module name="selinuxutil" filename="policy/modules/system/selinuxutil.if">
 <summary>Policy for SELinux policy and userland applications.</summary>
-<interface name="seutil_domtrans_checkpolicy" lineno="13">
+<interface name="seutil_semanage_dbus_chat" lineno="14">
+<summary>
+Send and receive messages from
+selinux semanage dbus interface.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="seutil_domtrans_checkpolicy" lineno="34">
 <summary>
 Execute checkpolicy in the checkpolicy domain.
 </summary>
@@ -106378,7 +106871,7 @@ Domain allowed to transition.
 </summary>
 </param>
 </interface>
-<interface name="seutil_run_checkpolicy" lineno="41">
+<interface name="seutil_run_checkpolicy" lineno="62">
 <summary>
 Execute checkpolicy in the checkpolicy domain, and
 allow the specified role the checkpolicy domain,
@@ -106396,7 +106889,7 @@ Role allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="seutil_exec_checkpolicy" lineno="61">
+<interface name="seutil_exec_checkpolicy" lineno="82">
 <summary>
 Execute checkpolicy in the caller domain.
 </summary>
@@ -106407,7 +106900,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="seutil_domtrans_loadpolicy" lineno="81">
+<interface name="seutil_domtrans_loadpolicy" lineno="102">
 <summary>
 Execute load_policy in the load_policy domain.
 </summary>
@@ -106417,7 +106910,7 @@ Domain allowed to transition.
 </summary>
 </param>
 </interface>
-<interface name="seutil_run_loadpolicy" lineno="108">
+<interface name="seutil_run_loadpolicy" lineno="129">
 <summary>
 Execute load_policy in the load_policy domain, and
 allow the specified role the load_policy domain,
@@ -106435,7 +106928,7 @@ Role allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="seutil_exec_loadpolicy" lineno="127">
+<interface name="seutil_exec_loadpolicy" lineno="148">
 <summary>
 Execute load_policy in the caller domain.
 </summary>
@@ -106445,7 +106938,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="seutil_read_loadpolicy" lineno="146">
+<interface name="seutil_read_loadpolicy" lineno="167">
 <summary>
 Read the load_policy program file.
 </summary>
@@ -106455,7 +106948,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="seutil_domtrans_newrole" lineno="165">
+<interface name="seutil_domtrans_newrole" lineno="186">
 <summary>
 Execute newrole in the newole domain.
 </summary>
@@ -106465,7 +106958,7 @@ Domain allowed to transition.
 </summary>
 </param>
 </interface>
-<interface name="seutil_run_newrole" lineno="193">
+<interface name="seutil_run_newrole" lineno="214">
 <summary>
 Execute newrole in the newrole domain, and
 allow the specified role the newrole domain,
@@ -106483,7 +106976,7 @@ Role allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="seutil_exec_newrole" lineno="212">
+<interface name="seutil_exec_newrole" lineno="233">
 <summary>
 Execute newrole in the caller domain.
 </summary>
@@ -106493,7 +106986,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="seutil_dontaudit_signal_newrole" lineno="233">
+<interface name="seutil_dontaudit_signal_newrole" lineno="254">
 <summary>
 Do not audit the caller attempts to send
 a signal to newrole.
@@ -106504,7 +106997,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="seutil_sigchld_newrole" lineno="261">
+<interface name="seutil_sigchld_newrole" lineno="282">
 <summary>
 Send a SIGCHLD signal to newrole.
 </summary>
@@ -106524,7 +107017,7 @@ Domain allowed access.
 </param>
 <infoflow type="write" weight="1"/>
 </interface>
-<interface name="seutil_use_newrole_fds" lineno="279">
+<interface name="seutil_use_newrole_fds" lineno="300">
 <summary>
 Inherit and use newrole file descriptors.
 </summary>
@@ -106534,7 +107027,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="seutil_dontaudit_use_newrole_fds" lineno="298">
+<interface name="seutil_dontaudit_use_newrole_fds" lineno="319">
 <summary>
 Do not audit attempts to inherit and use
 newrole file descriptors.
@@ -106545,7 +107038,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="seutil_domtrans_runinit" lineno="316">
+<interface name="seutil_domtrans_runinit" lineno="337">
 <summary>
 Execute run_init in the run_init domain.
 </summary>
@@ -106555,7 +107048,7 @@ Domain allowed to transition.
 </summary>
 </param>
 </interface>
-<interface name="seutil_labeled_init_script_domtrans_runinit" lineno="347">
+<interface name="seutil_labeled_init_script_domtrans_runinit" lineno="368">
 <summary>
 Execute file in the run_init domain.
 </summary>
@@ -106576,7 +107069,7 @@ Type of entry file.
 </summary>
 </param>
 </interface>
-<interface name="seutil_init_script_domtrans_runinit" lineno="376">
+<interface name="seutil_init_script_domtrans_runinit" lineno="397">
 <summary>
 Execute init scripts in the run_init domain.
 </summary>
@@ -106592,7 +107085,7 @@ Domain allowed to transition.
 </summary>
 </param>
 </interface>
-<interface name="seutil_run_runinit" lineno="406">
+<interface name="seutil_run_runinit" lineno="427">
 <summary>
 Execute run_init in the run_init domain, and
 allow the specified role the run_init domain,
@@ -106610,7 +107103,7 @@ Role allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="seutil_init_script_run_runinit" lineno="442">
+<interface name="seutil_init_script_run_runinit" lineno="463">
 <summary>
 Execute init scripts in the run_init domain, and
 allow the specified role the run_init domain,
@@ -106637,7 +107130,7 @@ Role allowed access.
 </summary>
 </param>
 </interface>
-<interface name="seutil_labeled_init_script_run_runinit" lineno="483">
+<interface name="seutil_labeled_init_script_run_runinit" lineno="504">
 <summary>
 Execute specified file in the run_init domain, and
 allow the specified role the run_init domain,
@@ -106669,7 +107162,7 @@ Type of init script.
 </summary>
 </param>
 </interface>
-<interface name="seutil_use_runinit_fds" lineno="502">
+<interface name="seutil_use_runinit_fds" lineno="523">
 <summary>
 Inherit and use run_init file descriptors.
 </summary>
@@ -106679,7 +107172,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="seutil_domtrans_setfiles" lineno="520">
+<interface name="seutil_domtrans_setfiles" lineno="541">
 <summary>
 Execute setfiles in the setfiles domain.
 </summary>
@@ -106689,7 +107182,7 @@ Domain allowed to transition.
 </summary>
 </param>
 </interface>
-<interface name="seutil_run_setfiles" lineno="548">
+<interface name="seutil_run_setfiles" lineno="569">
 <summary>
 Execute setfiles in the setfiles domain, and
 allow the specified role the setfiles domain,
@@ -106707,7 +107200,7 @@ Role allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="seutil_exec_setfiles" lineno="567">
+<interface name="seutil_exec_setfiles" lineno="588">
 <summary>
 Execute setfiles in the caller domain.
 </summary>
@@ -106717,7 +107210,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="seutil_dontaudit_exec_setfiles" lineno="587">
+<interface name="seutil_dontaudit_exec_setfiles" lineno="608">
 <summary>
 Do not audit attempts to execute setfiles.
 </summary>
@@ -106727,7 +107220,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="seutil_dontaudit_search_config" lineno="606">
+<interface name="seutil_dontaudit_search_config" lineno="627">
 <summary>
 Do not audit attempts to search the SELinux
 configuration directory (/etc/selinux).
@@ -106738,7 +107231,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="seutil_dontaudit_read_config" lineno="625">
+<interface name="seutil_dontaudit_read_config" lineno="646">
 <summary>
 Do not audit attempts to read the SELinux
 userland configuration (/etc/selinux).
@@ -106749,7 +107242,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="seutil_read_config" lineno="645">
+<interface name="seutil_read_config" lineno="666">
 <summary>
 Read the general SELinux configuration files.
 </summary>
@@ -106760,7 +107253,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="seutil_rw_config" lineno="667">
+<interface name="seutil_rw_config" lineno="688">
 <summary>
 Read and write the general SELinux configuration files.
 </summary>
@@ -106771,7 +107264,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="seutil_manage_config" lineno="689">
+<interface name="seutil_manage_config" lineno="710">
 <summary>
 Create, read, write, and delete
 the general selinux configuration files.
@@ -106783,7 +107276,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="seutil_manage_config_dirs" lineno="711">
+<interface name="seutil_manage_config_dirs" lineno="732">
 <summary>
 Create, read, write, and delete
 the general selinux configuration directories.
@@ -106795,7 +107288,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="seutil_search_default_contexts" lineno="730">
+<interface name="seutil_search_default_contexts" lineno="751">
 <summary>
 Search the policy directory with default_context files.
 </summary>
@@ -106805,7 +107298,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="seutil_read_default_contexts" lineno="750">
+<interface name="seutil_read_default_contexts" lineno="771">
 <summary>
 Read the default_contexts files.
 </summary>
@@ -106816,7 +107309,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="seutil_manage_default_contexts" lineno="770">
+<interface name="seutil_manage_default_contexts" lineno="791">
 <summary>
 Create, read, write, and delete the default_contexts files.
 </summary>
@@ -106826,7 +107319,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="seutil_read_file_contexts" lineno="791">
+<interface name="seutil_read_file_contexts" lineno="812">
 <summary>
 Read the file_contexts files.
 </summary>
@@ -106837,7 +107330,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="seutil_dontaudit_read_file_contexts" lineno="813">
+<interface name="seutil_dontaudit_read_file_contexts" lineno="834">
 <summary>
 Do not audit attempts to read the file_contexts files.
 </summary>
@@ -106848,7 +107341,7 @@ Domain to not audit.
 </param>
 <rolecap/>
 </interface>
-<interface name="seutil_rw_file_contexts" lineno="833">
+<interface name="seutil_rw_file_contexts" lineno="854">
 <summary>
 Read and write the file_contexts files.
 </summary>
@@ -106858,7 +107351,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="seutil_manage_file_contexts" lineno="855">
+<interface name="seutil_manage_file_contexts" lineno="876">
 <summary>
 Create, read, write, and delete the file_contexts files.
 </summary>
@@ -106869,7 +107362,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="seutil_read_bin_policy" lineno="876">
+<interface name="seutil_read_bin_policy" lineno="897">
 <summary>
 Read the SELinux binary policy.
 </summary>
@@ -106879,7 +107372,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="seutil_create_bin_policy" lineno="903">
+<interface name="seutil_create_bin_policy" lineno="924">
 <summary>
 Create the SELinux binary policy.
 </summary>
@@ -106889,7 +107382,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="seutil_relabelto_bin_policy" lineno="926">
+<interface name="seutil_relabelto_bin_policy" lineno="947">
 <summary>
 Allow the caller to relabel a file to the binary policy type.
 </summary>
@@ -106899,7 +107392,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="seutil_manage_bin_policy" lineno="947">
+<interface name="seutil_manage_bin_policy" lineno="968">
 <summary>
 Create, read, write, and delete the SELinux
 binary policy.
@@ -106910,7 +107403,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="seutil_read_src_policy" lineno="969">
+<interface name="seutil_read_src_policy" lineno="990">
 <summary>
 Read SELinux policy source files.
 </summary>
@@ -106920,7 +107413,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="seutil_manage_src_policy" lineno="991">
+<interface name="seutil_manage_src_policy" lineno="1012">
 <summary>
 Create, read, write, and delete SELinux
 policy source files.
@@ -106932,7 +107425,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="seutil_domtrans_semanage" lineno="1012">
+<interface name="seutil_domtrans_semanage" lineno="1033">
 <summary>
 Execute a domain transition to run semanage.
 </summary>
@@ -106942,7 +107435,7 @@ Domain allowed to transition.
 </summary>
 </param>
 </interface>
-<interface name="seutil_run_semanage" lineno="1040">
+<interface name="seutil_run_semanage" lineno="1061">
 <summary>
 Execute semanage in the semanage domain, and
 allow the specified role the semanage domain,
@@ -106960,7 +107453,7 @@ Role allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="seutil_dontaudit_exec_semanage" lineno="1059">
+<interface name="seutil_dontaudit_exec_semanage" lineno="1080">
 <summary>
 Do not audit attempts to execute semanage.
 </summary>
@@ -106970,7 +107463,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="seutil_read_module_store" lineno="1077">
+<interface name="seutil_read_module_store" lineno="1098">
 <summary>
 Read the semanage module store.
 </summary>
@@ -106980,7 +107473,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="seutil_manage_module_store" lineno="1102">
+<interface name="seutil_manage_module_store" lineno="1123">
 <summary>
 Full management of the semanage
 module store.
@@ -106991,7 +107484,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="seutil_get_semanage_read_lock" lineno="1126">
+<interface name="seutil_get_semanage_read_lock" lineno="1147">
 <summary>
 Get read lock on module store
 </summary>
@@ -107001,7 +107494,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="seutil_get_semanage_trans_lock" lineno="1145">
+<interface name="seutil_get_semanage_trans_lock" lineno="1166">
 <summary>
 Get trans lock on module store
 </summary>
@@ -107011,7 +107504,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="seutil_libselinux_linked" lineno="1173">
+<interface name="seutil_libselinux_linked" lineno="1194">
 <summary>
 SELinux-enabled program access for
 libselinux-linked programs.
@@ -107030,7 +107523,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="seutil_dontaudit_libselinux_linked" lineno="1203">
+<interface name="seutil_dontaudit_libselinux_linked" lineno="1224">
 <summary>
 Do not audit SELinux-enabled program access for
 libselinux-linked programs.
@@ -107658,7 +108151,7 @@ Domain allowed access.
 <interface name="sysnet_dhcpc_script_entry" lineno="1039">
 <summary>
 Make the specified program domain
-accessable from the DHCP hooks/scripts.
+accessible from the DHCP hooks/scripts.
 </summary>
 <param name="domain">
 <summary>
@@ -107702,7 +108195,7 @@ The user domain for the role.
 </summary>
 </param>
 </template>
-<template name="systemd_user_daemon_domain" lineno="252">
+<template name="systemd_user_daemon_domain" lineno="254">
 <summary>
 Allow the specified domain to be started as a daemon by the
 specified systemd user instance.
@@ -107723,7 +108216,7 @@ Domain to allow the systemd user domain to run.
 </summary>
 </param>
 </template>
-<interface name="systemd_user_activated_sock_file" lineno="273">
+<interface name="systemd_user_activated_sock_file" lineno="275">
 <summary>
 Associate the specified file type to be a type whose sock files
 can be managed by systemd user instances for socket activation.
@@ -107734,7 +108227,7 @@ File type to be associated.
 </summary>
 </param>
 </interface>
-<interface name="systemd_user_unix_stream_activated_socket" lineno="298">
+<interface name="systemd_user_unix_stream_activated_socket" lineno="300">
 <summary>
 Associate the specified domain to be a domain whose unix stream
 sockets and sock files can be managed by systemd user instances
@@ -107751,7 +108244,7 @@ File type of the domain's sock files to be associated.
 </summary>
 </param>
 </interface>
-<interface name="systemd_write_notify_socket" lineno="318">
+<interface name="systemd_write_notify_socket" lineno="320">
 <summary>
 Allow the specified domain to write to
 systemd-notify socket
@@ -107762,7 +108255,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<template name="systemd_user_send_systemd_notify" lineno="345">
+<template name="systemd_user_send_systemd_notify" lineno="347">
 <summary>
 Allow the target domain the permissions necessary
 to use systemd notify when started by the specified
@@ -107779,7 +108272,7 @@ Domain to be allowed systemd notify permissions.
 </summary>
 </param>
 </template>
-<template name="systemd_user_app_status" lineno="373">
+<template name="systemd_user_app_status" lineno="375">
 <summary>
 Allow the target domain to be monitored and have its output
 captured by the specified systemd user instance domain.
@@ -107795,7 +108288,7 @@ Domain to allow the systemd user instance to monitor.
 </summary>
 </param>
 </template>
-<template name="systemd_read_user_manager_state" lineno="413">
+<template name="systemd_read_user_manager_state" lineno="415">
 <summary>
 Read the process state (/proc/pid) of
 the specified systemd user instance.
@@ -107811,7 +108304,7 @@ Domain allowed access.
 </summary>
 </param>
 </template>
-<template name="systemd_user_manager_system_start" lineno="437">
+<template name="systemd_user_manager_system_start" lineno="439">
 <summary>
 Send a start request to the specified
 systemd user instance system object.
@@ -107827,7 +108320,7 @@ Domain allowed access.
 </summary>
 </param>
 </template>
-<template name="systemd_user_manager_system_stop" lineno="462">
+<template name="systemd_user_manager_system_stop" lineno="464">
 <summary>
 Send a stop request to the specified
 systemd user instance system object.
@@ -107843,7 +108336,7 @@ Domain allowed access.
 </summary>
 </param>
 </template>
-<template name="systemd_user_manager_system_status" lineno="487">
+<template name="systemd_user_manager_system_status" lineno="489">
 <summary>
 Get the status of the specified
 systemd user instance system object.
@@ -107859,7 +108352,7 @@ Domain allowed access.
 </summary>
 </param>
 </template>
-<template name="systemd_user_manager_dbus_chat" lineno="512">
+<template name="systemd_user_manager_dbus_chat" lineno="514">
 <summary>
 Send and receive messages from the
 specified systemd user instance over dbus.
@@ -107875,7 +108368,7 @@ Domain allowed access.
 </summary>
 </param>
 </template>
-<interface name="systemd_search_conf_home_content" lineno="533">
+<interface name="systemd_search_conf_home_content" lineno="535">
 <summary>
 Allow the specified domain to search systemd config home
 content.
@@ -107886,7 +108379,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_manage_conf_home_content" lineno="552">
+<interface name="systemd_manage_conf_home_content" lineno="554">
 <summary>
 Allow the specified domain to manage systemd config home
 content.
@@ -107897,7 +108390,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_relabel_conf_home_content" lineno="573">
+<interface name="systemd_relabel_conf_home_content" lineno="575">
 <summary>
 Allow the specified domain to relabel systemd config home
 content.
@@ -107908,7 +108401,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_search_data_home_content" lineno="594">
+<interface name="systemd_search_data_home_content" lineno="596">
 <summary>
 Allow the specified domain to search systemd data home
 content.
@@ -107919,7 +108412,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_manage_data_home_content" lineno="613">
+<interface name="systemd_manage_data_home_content" lineno="615">
 <summary>
 Allow the specified domain to manage systemd data home
 content.
@@ -107930,7 +108423,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_relabel_data_home_content" lineno="634">
+<interface name="systemd_relabel_data_home_content" lineno="636">
 <summary>
 Allow the specified domain to relabel systemd data home
 content.
@@ -107941,7 +108434,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_search_user_runtime" lineno="655">
+<interface name="systemd_search_user_runtime" lineno="657">
 <summary>
 Allow the specified domain to search systemd user runtime
 content.
@@ -107952,7 +108445,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_read_user_runtime_files" lineno="673">
+<interface name="systemd_read_user_runtime_files" lineno="675">
 <summary>
 Allow the specified domain to read systemd user runtime files.
 </summary>
@@ -107962,7 +108455,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_read_user_runtime_lnk_files" lineno="691">
+<interface name="systemd_read_user_runtime_lnk_files" lineno="693">
 <summary>
 Allow the specified domain to read systemd user runtime lnk files.
 </summary>
@@ -107972,7 +108465,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_write_user_runtime_socket" lineno="710">
+<interface name="systemd_write_user_runtime_socket" lineno="712">
 <summary>
 Allow the specified domain to write to
 the systemd user runtime named socket.
@@ -107983,7 +108476,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_read_user_unit_files" lineno="729">
+<interface name="systemd_read_user_unit_files" lineno="731">
 <summary>
 Allow the specified domain to read system-wide systemd
 user unit files.  (Deprecated)
@@ -107994,7 +108487,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_read_user_units_files" lineno="745">
+<interface name="systemd_read_user_units_files" lineno="747">
 <summary>
 Allow the specified domain to read system-wide systemd
 user unit files.
@@ -108005,7 +108498,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_read_user_runtime_units" lineno="765">
+<interface name="systemd_read_user_runtime_units" lineno="767">
 <summary>
 Allow the specified domain to read systemd user runtime unit files.  (Deprecated)
 </summary>
@@ -108015,7 +108508,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_read_user_runtime_units_files" lineno="780">
+<interface name="systemd_read_user_runtime_units_files" lineno="782">
 <summary>
 Allow the specified domain to read systemd user runtime unit files.
 </summary>
@@ -108025,7 +108518,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_search_user_runtime_unit_dirs" lineno="800">
+<interface name="systemd_search_user_runtime_unit_dirs" lineno="802">
 <summary>
 Allow the specified domain to search systemd user runtime unit
 directories.
@@ -108036,7 +108529,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_list_user_runtime_unit_dirs" lineno="819">
+<interface name="systemd_list_user_runtime_unit_dirs" lineno="821">
 <summary>
 Allow the specified domain to list the contents of systemd
 user runtime unit directories.
@@ -108047,7 +108540,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_status_user_runtime_units" lineno="837">
+<interface name="systemd_status_user_runtime_units" lineno="839">
 <summary>
 Allow the specified domain to get the status of systemd user runtime units.  (Deprecated)
 </summary>
@@ -108057,7 +108550,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_get_user_runtime_units_status" lineno="852">
+<interface name="systemd_get_user_runtime_units_status" lineno="854">
 <summary>
 Allow the specified domain to get the status of systemd user runtime units.
 </summary>
@@ -108067,7 +108560,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_start_user_runtime_units" lineno="871">
+<interface name="systemd_start_user_runtime_units" lineno="873">
 <summary>
 Allow the specified domain to start systemd user runtime units.
 </summary>
@@ -108077,7 +108570,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_stop_user_runtime_units" lineno="890">
+<interface name="systemd_stop_user_runtime_units" lineno="892">
 <summary>
 Allow the specified domain to stop systemd user runtime units.
 </summary>
@@ -108087,7 +108580,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_reload_user_runtime_units" lineno="909">
+<interface name="systemd_reload_user_runtime_units" lineno="911">
 <summary>
 Allow the specified domain to reload systemd user runtime units.
 </summary>
@@ -108097,7 +108590,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_read_user_transient_units_files" lineno="928">
+<interface name="systemd_read_user_transient_units_files" lineno="930">
 <summary>
 Allow the specified domain to read systemd user transient unit files.
 </summary>
@@ -108107,7 +108600,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_search_user_transient_unit_dirs" lineno="948">
+<interface name="systemd_search_user_transient_unit_dirs" lineno="950">
 <summary>
 Allow the specified domain to search systemd user transient unit
 directories.
@@ -108118,7 +108611,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_list_user_transient_unit_dirs" lineno="967">
+<interface name="systemd_list_user_transient_unit_dirs" lineno="969">
 <summary>
 Allow the specified domain to list the contents of systemd
 user transient unit directories.
@@ -108129,7 +108622,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_get_user_transient_units_status" lineno="985">
+<interface name="systemd_get_user_transient_units_status" lineno="987">
 <summary>
 Allow the specified domain to get the status of systemd user transient units.
 </summary>
@@ -108139,7 +108632,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_start_user_transient_units" lineno="1004">
+<interface name="systemd_start_user_transient_units" lineno="1006">
 <summary>
 Allow the specified domain to start systemd user transient units.
 </summary>
@@ -108149,7 +108642,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_stop_user_transient_units" lineno="1023">
+<interface name="systemd_stop_user_transient_units" lineno="1025">
 <summary>
 Allow the specified domain to stop systemd user transient units.
 </summary>
@@ -108159,7 +108652,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_reload_user_transient_units" lineno="1042">
+<interface name="systemd_reload_user_transient_units" lineno="1044">
 <summary>
 Allow the specified domain to reload systemd user transient units.
 </summary>
@@ -108169,7 +108662,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_log_parse_environment" lineno="1062">
+<interface name="systemd_log_parse_environment" lineno="1064">
 <summary>
 Make the specified type usable as an
 log parse environment type.
@@ -108180,7 +108673,7 @@ Type to be used as a log parse environment type.
 </summary>
 </param>
 </interface>
-<interface name="systemd_use_nss" lineno="1082">
+<interface name="systemd_use_nss" lineno="1084">
 <summary>
 Allow domain to use systemd's Name Service Switch (NSS) module.
 This module provides UNIX user and group name resolution for dynamic users
@@ -108192,7 +108685,7 @@ Domain allowed access
 </summary>
 </param>
 </interface>
-<interface name="systemd_PrivateDevices" lineno="1109">
+<interface name="systemd_PrivateDevices" lineno="1111">
 <summary>
 Allow domain to be used as a systemd service with a unit
 that uses PrivateDevices=yes in section [Service].
@@ -108203,7 +108696,29 @@ Domain allowed access
 </summary>
 </param>
 </interface>
-<interface name="systemd_rw_homework_semaphores" lineno="1126">
+<interface name="systemd_dbus_chat_homed" lineno="1129">
+<summary>
+Send and receive messages from
+systemd homed over dbus.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="systemd_stream_connect_homed" lineno="1150">
+<summary>
+Connect to /run/systemd/userdb/io.systemd.Home to
+query user account information.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="systemd_rw_homework_semaphores" lineno="1169">
 <summary>
 Read and write systemd-homework semaphores.
 </summary>
@@ -108213,7 +108728,7 @@ Domain allowed access
 </summary>
 </param>
 </interface>
-<interface name="systemd_read_hwdb" lineno="1144">
+<interface name="systemd_read_hwdb" lineno="1187">
 <summary>
 Allow domain to read udev hwdb file
 </summary>
@@ -108223,7 +108738,7 @@ domain allowed access
 </summary>
 </param>
 </interface>
-<interface name="systemd_map_hwdb" lineno="1162">
+<interface name="systemd_map_hwdb" lineno="1205">
 <summary>
 Allow domain to map udev hwdb file
 </summary>
@@ -108233,7 +108748,7 @@ domain allowed access
 </summary>
 </param>
 </interface>
-<interface name="systemd_list_log_dirs" lineno="1180">
+<interface name="systemd_list_log_dirs" lineno="1223">
 <summary>
 List files in /var/log/systemd.
 </summary>
@@ -108243,7 +108758,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_create_log_files" lineno="1199">
+<interface name="systemd_create_log_files" lineno="1242">
 <summary>
 Create files in /var/log/systemd.
 </summary>
@@ -108253,7 +108768,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_write_log_files" lineno="1218">
+<interface name="systemd_write_log_files" lineno="1261">
 <summary>
 Write to files in /var/log/systemd.
 </summary>
@@ -108263,7 +108778,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_setattr_log_files" lineno="1238">
+<interface name="systemd_setattr_log_files" lineno="1281">
 <summary>
 Set the attributes of files in
 /var/log/systemd.
@@ -108274,7 +108789,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_create_log_dirs" lineno="1257">
+<interface name="systemd_create_log_dirs" lineno="1300">
 <summary>
 Create the /var/log/systemd directory
 with an automatic type transition.
@@ -108285,7 +108800,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_watch_logind_runtime_dirs" lineno="1276">
+<interface name="systemd_watch_logind_runtime_dirs" lineno="1319">
 <summary>
 Watch systemd-logind runtime dirs.
 </summary>
@@ -108295,7 +108810,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_read_logind_runtime_files" lineno="1295">
+<interface name="systemd_read_logind_runtime_files" lineno="1338">
 <summary>
 Read systemd-logind runtime files.
 </summary>
@@ -108305,7 +108820,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_manage_logind_runtime_pipes" lineno="1315">
+<interface name="systemd_manage_logind_runtime_pipes" lineno="1358">
 <summary>
 Manage systemd-logind runtime pipes.
 </summary>
@@ -108315,7 +108830,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_write_logind_runtime_pipes" lineno="1334">
+<interface name="systemd_write_logind_runtime_pipes" lineno="1377">
 <summary>
 Write systemd-logind runtime named pipe.
 </summary>
@@ -108325,7 +108840,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_use_logind_fds" lineno="1355">
+<interface name="systemd_use_logind_fds" lineno="1398">
 <summary>
 Use inherited systemd
 logind file descriptors.
@@ -108336,7 +108851,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_watch_logind_sessions_dirs" lineno="1373">
+<interface name="systemd_watch_logind_sessions_dirs" lineno="1416">
 <summary>
 Watch logind sessions dirs.
 </summary>
@@ -108346,7 +108861,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_read_logind_sessions_files" lineno="1392">
+<interface name="systemd_read_logind_sessions_files" lineno="1435">
 <summary>
 Read logind sessions files.
 </summary>
@@ -108356,7 +108871,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_write_inherited_logind_sessions_pipes" lineno="1413">
+<interface name="systemd_write_inherited_logind_sessions_pipes" lineno="1456">
 <summary>
 Write inherited logind sessions pipes.
 </summary>
@@ -108366,7 +108881,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_write_inherited_logind_inhibit_pipes" lineno="1433">
+<interface name="systemd_write_inherited_logind_inhibit_pipes" lineno="1476">
 <summary>
 Write inherited logind inhibit pipes.
 </summary>
@@ -108376,7 +108891,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_dbus_chat_logind" lineno="1454">
+<interface name="systemd_dbus_chat_logind" lineno="1497">
 <summary>
 Send and receive messages from
 systemd logind over dbus.
@@ -108387,7 +108902,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_status_logind" lineno="1474">
+<interface name="systemd_status_logind" lineno="1517">
 <summary>
 Get the system status information from systemd_login
 </summary>
@@ -108397,7 +108912,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_signull_logind" lineno="1493">
+<interface name="systemd_signull_logind" lineno="1536">
 <summary>
 Send systemd_login a null signal.
 </summary>
@@ -108407,7 +108922,18 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_list_userdb_runtime_dirs" lineno="1511">
+<interface name="systemd_dbus_chat_locale" lineno="1555">
+<summary>
+Send and receive messages from
+systemd locale over dbus.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="systemd_list_userdb_runtime_dirs" lineno="1575">
 <summary>
 List the contents of systemd userdb runtime directories.
 </summary>
@@ -108417,7 +108943,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_manage_userdb_runtime_dirs" lineno="1529">
+<interface name="systemd_manage_userdb_runtime_dirs" lineno="1593">
 <summary>
 Manage systemd userdb runtime directories.
 </summary>
@@ -108427,7 +108953,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_read_userdb_runtime_files" lineno="1547">
+<interface name="systemd_read_userdb_runtime_files" lineno="1611">
 <summary>
 Read systemd userdb runtime files.
 </summary>
@@ -108437,7 +108963,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_manage_userdb_runtime_symlinks" lineno="1565">
+<interface name="systemd_manage_userdb_runtime_symlinks" lineno="1629">
 <summary>
 Manage symbolic links under /run/systemd/userdb.
 </summary>
@@ -108447,7 +108973,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_manage_userdb_runtime_sock_files" lineno="1583">
+<interface name="systemd_manage_userdb_runtime_sock_files" lineno="1647">
 <summary>
 Manage socket files under /run/systemd/userdb .
 </summary>
@@ -108457,7 +108983,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_stream_connect_userdb" lineno="1601">
+<interface name="systemd_stream_connect_userdb" lineno="1665">
 <summary>
 Connect to /run/systemd/userdb/io.systemd.DynamicUser .
 </summary>
@@ -108467,7 +108993,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_read_machines" lineno="1623">
+<interface name="systemd_read_machines" lineno="1687">
 <summary>
 Allow reading /run/systemd/machines
 </summary>
@@ -108477,7 +109003,7 @@ Domain that can access the machines files
 </summary>
 </param>
 </interface>
-<interface name="systemd_watch_machines_dirs" lineno="1642">
+<interface name="systemd_watch_machines_dirs" lineno="1706">
 <summary>
 Allow watching /run/systemd/machines
 </summary>
@@ -108487,7 +109013,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_connect_machined" lineno="1660">
+<interface name="systemd_connect_machined" lineno="1724">
 <summary>
 Allow connecting to /run/systemd/userdb/io.systemd.Machine socket
 </summary>
@@ -108497,7 +109023,7 @@ Domain that can access the socket
 </summary>
 </param>
 </interface>
-<interface name="systemd_dontaudit_connect_machined" lineno="1678">
+<interface name="systemd_dontaudit_connect_machined" lineno="1742">
 <summary>
 dontaudit connecting to /run/systemd/userdb/io.systemd.Machine socket
 </summary>
@@ -108507,7 +109033,7 @@ Domain that can access the socket
 </summary>
 </param>
 </interface>
-<interface name="systemd_dbus_chat_machined" lineno="1697">
+<interface name="systemd_dbus_chat_machined" lineno="1761">
 <summary>
 Send and receive messages from
 systemd machined over dbus.
@@ -108518,7 +109044,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_dbus_chat_hostnamed" lineno="1718">
+<interface name="systemd_dbus_chat_hostnamed" lineno="1782">
 <summary>
 Send and receive messages from
 systemd hostnamed over dbus.
@@ -108529,7 +109055,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_use_passwd_agent_fds" lineno="1738">
+<interface name="systemd_use_passwd_agent_fds" lineno="1802">
 <summary>
 allow systemd_passwd_agent to inherit fds
 </summary>
@@ -108539,7 +109065,7 @@ Domain that owns the fds
 </summary>
 </param>
 </interface>
-<interface name="systemd_run_passwd_agent" lineno="1761">
+<interface name="systemd_run_passwd_agent" lineno="1825">
 <summary>
 allow systemd_passwd_agent to be run by admin
 </summary>
@@ -108554,7 +109080,7 @@ role that it runs in
 </summary>
 </param>
 </interface>
-<interface name="systemd_use_passwd_agent" lineno="1782">
+<interface name="systemd_use_passwd_agent" lineno="1846">
 <summary>
 Allow a systemd_passwd_agent_t process to interact with a daemon
 that needs a password from the sysadmin.
@@ -108565,7 +109091,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_filetrans_passwd_runtime_dirs" lineno="1806">
+<interface name="systemd_filetrans_passwd_runtime_dirs" lineno="1870">
 <summary>
 Transition to systemd_passwd_runtime_t when creating dirs
 </summary>
@@ -108575,7 +109101,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_filetrans_userdb_runtime_dirs" lineno="1827">
+<interface name="systemd_filetrans_userdb_runtime_dirs" lineno="1891">
 <summary>
 Transition to systemd_userdbd_runtime_t when
 creating the userdb directory inside an init runtime
@@ -108587,7 +109113,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_manage_passwd_runtime_symlinks" lineno="1845">
+<interface name="systemd_manage_passwd_runtime_symlinks" lineno="1909">
 <summary>
 Allow to domain to create systemd-passwd symlink
 </summary>
@@ -108597,7 +109123,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_watch_passwd_runtime_dirs" lineno="1863">
+<interface name="systemd_watch_passwd_runtime_dirs" lineno="1927">
 <summary>
 Allow a domain to watch systemd-passwd runtime dirs.
 </summary>
@@ -108607,7 +109133,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_list_journal_dirs" lineno="1881">
+<interface name="systemd_list_journal_dirs" lineno="1945">
 <summary>
 Allow domain to list the contents of systemd_journal_t dirs
 </summary>
@@ -108617,7 +109143,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_read_journal_files" lineno="1899">
+<interface name="systemd_read_journal_files" lineno="1963">
 <summary>
 Allow domain to read systemd_journal_t files
 </summary>
@@ -108627,7 +109153,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_manage_journal_files" lineno="1918">
+<interface name="systemd_manage_journal_files" lineno="1982">
 <summary>
 Allow domain to create/manage systemd_journal_t files
 </summary>
@@ -108637,7 +109163,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_watch_journal_dirs" lineno="1938">
+<interface name="systemd_watch_journal_dirs" lineno="2002">
 <summary>
 Allow domain to add a watch on systemd_journal_t directories
 </summary>
@@ -108647,7 +109173,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_relabelfrom_journal_files" lineno="1956">
+<interface name="systemd_relabelfrom_journal_files" lineno="2020">
 <summary>
 Relabel from systemd-journald file type.
 </summary>
@@ -108657,7 +109183,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_relabelto_journal_dirs" lineno="1974">
+<interface name="systemd_relabelto_journal_dirs" lineno="2038">
 <summary>
 Relabel to systemd-journald directory type.
 </summary>
@@ -108667,7 +109193,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_relabelto_journal_files" lineno="1993">
+<interface name="systemd_relabelto_journal_files" lineno="2057">
 <summary>
 Relabel to systemd-journald file type.
 </summary>
@@ -108677,7 +109203,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_read_networkd_units" lineno="2013">
+<interface name="systemd_read_networkd_units" lineno="2077">
 <summary>
 Allow domain to read systemd_networkd_t unit files
 </summary>
@@ -108687,7 +109213,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_manage_networkd_units" lineno="2033">
+<interface name="systemd_manage_networkd_units" lineno="2097">
 <summary>
 Allow domain to create/manage systemd_networkd_t unit files
 </summary>
@@ -108697,7 +109223,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_enabledisable_networkd" lineno="2053">
+<interface name="systemd_enabledisable_networkd" lineno="2117">
 <summary>
 Allow specified domain to enable systemd-networkd units
 </summary>
@@ -108707,7 +109233,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_startstop_networkd" lineno="2072">
+<interface name="systemd_startstop_networkd" lineno="2136">
 <summary>
 Allow specified domain to start systemd-networkd units
 </summary>
@@ -108717,7 +109243,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_dbus_chat_networkd" lineno="2092">
+<interface name="systemd_dbus_chat_networkd" lineno="2156">
 <summary>
 Send and receive messages from
 systemd networkd over dbus.
@@ -108728,7 +109254,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_status_networkd" lineno="2112">
+<interface name="systemd_status_networkd" lineno="2176">
 <summary>
 Allow specified domain to get status of systemd-networkd
 </summary>
@@ -108738,7 +109264,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_relabelfrom_networkd_tun_sockets" lineno="2131">
+<interface name="systemd_relabelfrom_networkd_tun_sockets" lineno="2195">
 <summary>
 Relabel systemd_networkd tun socket.
 </summary>
@@ -108748,7 +109274,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_rw_networkd_netlink_route_sockets" lineno="2149">
+<interface name="systemd_rw_networkd_netlink_route_sockets" lineno="2213">
 <summary>
 Read/Write from systemd_networkd netlink route socket.
 </summary>
@@ -108758,7 +109284,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_list_networkd_runtime" lineno="2167">
+<interface name="systemd_list_networkd_runtime" lineno="2231">
 <summary>
 Allow domain to list dirs under /run/systemd/netif
 </summary>
@@ -108768,7 +109294,7 @@ domain permitted the access
 </summary>
 </param>
 </interface>
-<interface name="systemd_watch_networkd_runtime_dirs" lineno="2186">
+<interface name="systemd_watch_networkd_runtime_dirs" lineno="2250">
 <summary>
 Watch directories under /run/systemd/netif
 </summary>
@@ -108778,7 +109304,7 @@ Domain permitted the access
 </summary>
 </param>
 </interface>
-<interface name="systemd_read_networkd_runtime" lineno="2205">
+<interface name="systemd_read_networkd_runtime" lineno="2269">
 <summary>
 Allow domain to read files generated by systemd_networkd
 </summary>
@@ -108788,7 +109314,18 @@ domain allowed access
 </summary>
 </param>
 </interface>
-<interface name="systemd_read_logind_state" lineno="2224">
+<interface name="systemd_stream_connect_nsresourced" lineno="2289">
+<summary>
+Connect to systemd-nsresourced over
+/run/systemd/io.systemd.NamespaceResource .
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="systemd_read_logind_state" lineno="2309">
 <summary>
 Allow systemd_logind_t to read process state for cgroup file
 </summary>
@@ -108798,7 +109335,7 @@ Domain systemd_logind_t may access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_create_logind_linger_dir" lineno="2245">
+<interface name="systemd_create_logind_linger_dir" lineno="2330">
 <summary>
 Allow the specified domain to create
 the systemd-logind linger directory with
@@ -108810,7 +109347,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_start_user_manager_units" lineno="2265">
+<interface name="systemd_start_user_manager_units" lineno="2350">
 <summary>
 Allow the specified domain to start systemd
 user manager units (systemd --user).
@@ -108821,7 +109358,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_stop_user_manager_units" lineno="2285">
+<interface name="systemd_stop_user_manager_units" lineno="2370">
 <summary>
 Allow the specified domain to stop systemd
 user manager units (systemd --user).
@@ -108832,7 +109369,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_reload_user_manager_units" lineno="2305">
+<interface name="systemd_reload_user_manager_units" lineno="2390">
 <summary>
 Allow the specified domain to reload systemd
 user manager units (systemd --user).
@@ -108843,7 +109380,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_get_user_manager_units_status" lineno="2325">
+<interface name="systemd_get_user_manager_units_status" lineno="2410">
 <summary>
 Get the status of systemd user manager
 units (systemd --user).
@@ -108854,7 +109391,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_start_power_units" lineno="2344">
+<interface name="systemd_start_power_units" lineno="2429">
 <summary>
 Allow specified domain to start power units
 </summary>
@@ -108864,7 +109401,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="systemd_status_power_units" lineno="2363">
+<interface name="systemd_status_power_units" lineno="2448">
 <summary>
 Get the system status information about power units
 </summary>
@@ -108874,7 +109411,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_stream_connect_socket_proxyd" lineno="2382">
+<interface name="systemd_stream_connect_socket_proxyd" lineno="2467">
 <summary>
 Allows connections to the systemd-socket-proxyd's socket.
 </summary>
@@ -108884,7 +109421,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_tmpfiles_conf_file" lineno="2401">
+<interface name="systemd_tmpfiles_conf_file" lineno="2486">
 <summary>
 Make the specified type usable for
 systemd tmpfiles config files.
@@ -108895,7 +109432,7 @@ Type to be used for systemd tmpfiles config files.
 </summary>
 </param>
 </interface>
-<interface name="systemd_tmpfiles_creator" lineno="2422">
+<interface name="systemd_tmpfiles_creator" lineno="2507">
 <summary>
 Allow the specified domain to create
 the tmpfiles config directory with
@@ -108907,7 +109444,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_tmpfiles_conf_filetrans" lineno="2458">
+<interface name="systemd_tmpfiles_conf_filetrans" lineno="2543">
 <summary>
 Create an object in the systemd tmpfiles config
 directory, with a private type
@@ -108934,7 +109471,7 @@ The name of the object being created.
 </summary>
 </param>
 </interface>
-<interface name="systemd_list_tmpfiles_conf" lineno="2477">
+<interface name="systemd_list_tmpfiles_conf" lineno="2562">
 <summary>
 Allow domain to list systemd tmpfiles config directory
 </summary>
@@ -108944,7 +109481,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_relabelto_tmpfiles_conf_dirs" lineno="2495">
+<interface name="systemd_relabelto_tmpfiles_conf_dirs" lineno="2580">
 <summary>
 Allow domain to relabel to systemd tmpfiles config directory
 </summary>
@@ -108954,7 +109491,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_relabelto_tmpfiles_conf_files" lineno="2513">
+<interface name="systemd_relabelto_tmpfiles_conf_files" lineno="2598">
 <summary>
 Allow domain to relabel to systemd tmpfiles config files
 </summary>
@@ -108964,7 +109501,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_tmpfilesd_managed" lineno="2531">
+<interface name="systemd_tmpfilesd_managed" lineno="2616">
 <summary>
 Allow systemd_tmpfiles_t to manage filesystem objects
 </summary>
@@ -108974,7 +109511,7 @@ Type of object to manage
 </summary>
 </param>
 </interface>
-<interface name="systemd_stream_connect_resolved" lineno="2558">
+<interface name="systemd_stream_connect_resolved" lineno="2643">
 <summary>
 Connect to systemd resolved over
 /run/systemd/resolve/io.systemd.Resolve .
@@ -108985,7 +109522,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_dbus_chat_resolved" lineno="2579">
+<interface name="systemd_dbus_chat_resolved" lineno="2664">
 <summary>
 Send and receive messages from
 systemd resolved over dbus.
@@ -108996,7 +109533,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_read_resolved_runtime" lineno="2599">
+<interface name="systemd_read_resolved_runtime" lineno="2684">
 <summary>
 Allow domain to read resolv.conf file generated by systemd_resolved
 </summary>
@@ -109006,7 +109543,7 @@ domain allowed access
 </summary>
 </param>
 </interface>
-<interface name="systemd_exec_systemctl" lineno="2621">
+<interface name="systemd_exec_systemctl" lineno="2706">
 <summary>
 Execute the systemctl program.
 </summary>
@@ -109016,7 +109553,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_getattr_updated_runtime" lineno="2654">
+<interface name="systemd_getattr_updated_runtime" lineno="2739">
 <summary>
 Allow domain to getattr on .updated file (generated by systemd-update-done
 </summary>
@@ -109026,7 +109563,7 @@ domain allowed access
 </summary>
 </param>
 </interface>
-<interface name="systemd_search_all_user_keys" lineno="2672">
+<interface name="systemd_search_all_user_keys" lineno="2757">
 <summary>
 Search keys for the all systemd --user domains.
 </summary>
@@ -109036,7 +109573,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_create_all_user_keys" lineno="2690">
+<interface name="systemd_create_all_user_keys" lineno="2775">
 <summary>
 Create keys for the all systemd --user domains.
 </summary>
@@ -109046,7 +109583,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_write_all_user_keys" lineno="2708">
+<interface name="systemd_write_all_user_keys" lineno="2793">
 <summary>
 Write keys for the all systemd --user domains.
 </summary>
@@ -109056,7 +109593,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_domtrans_sysusers" lineno="2727">
+<interface name="systemd_domtrans_sysusers" lineno="2812">
 <summary>
 Execute systemd-sysusers in the
 systemd sysusers domain.
@@ -109067,7 +109604,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="systemd_run_sysusers" lineno="2752">
+<interface name="systemd_run_sysusers" lineno="2837">
 <summary>
 Run systemd-sysusers with a domain transition.
 </summary>
@@ -109083,7 +109620,7 @@ Role allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="systemd_use_inherited_machined_ptys" lineno="2772">
+<interface name="systemd_use_inherited_machined_ptys" lineno="2857">
 <summary>
 receive and use a systemd_machined_devpts_t file handle
 </summary>
@@ -109734,7 +110271,7 @@ Domain to make unconfined.
 </summary>
 </param>
 </interface>
-<interface name="unconfined_domain" lineno="153">
+<interface name="unconfined_domain" lineno="156">
 <summary>
 Make the specified domain unconfined and
 audit executable heap usage.
@@ -109762,7 +110299,7 @@ Domain to make unconfined.
 </summary>
 </param>
 </interface>
-<interface name="unconfined_domtrans" lineno="171">
+<interface name="unconfined_domtrans" lineno="174">
 <summary>
 Transition to the unconfined domain.
 </summary>
@@ -109772,7 +110309,7 @@ Domain allowed to transition.
 </summary>
 </param>
 </interface>
-<interface name="unconfined_run" lineno="194">
+<interface name="unconfined_run" lineno="197">
 <summary>
 Execute specified programs in the unconfined domain.
 </summary>
@@ -109787,7 +110324,7 @@ The role to allow the unconfined domain.
 </summary>
 </param>
 </interface>
-<interface name="unconfined_shell_domtrans" lineno="213">
+<interface name="unconfined_shell_domtrans" lineno="216">
 <summary>
 Transition to the unconfined domain by executing a shell.
 </summary>
@@ -109797,7 +110334,7 @@ Domain allowed to transition.
 </summary>
 </param>
 </interface>
-<interface name="unconfined_domtrans_to" lineno="251">
+<interface name="unconfined_domtrans_to" lineno="254">
 <summary>
 Allow unconfined to execute the specified program in
 the specified domain.
@@ -109824,7 +110361,7 @@ Domain entry point file.
 </summary>
 </param>
 </interface>
-<interface name="unconfined_run_to" lineno="288">
+<interface name="unconfined_run_to" lineno="291">
 <summary>
 Allow unconfined to execute the specified program in
 the specified domain.  Allow the specified domain the
@@ -109853,7 +110390,7 @@ Domain entry point file.
 </summary>
 </param>
 </interface>
-<interface name="unconfined_use_fds" lineno="309">
+<interface name="unconfined_use_fds" lineno="312">
 <summary>
 Inherit file descriptors from the unconfined domain.
 </summary>
@@ -109863,7 +110400,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="unconfined_sigchld" lineno="327">
+<interface name="unconfined_sigchld" lineno="330">
 <summary>
 Send a SIGCHLD signal to the unconfined domain.
 </summary>
@@ -109873,7 +110410,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="unconfined_signull" lineno="345">
+<interface name="unconfined_signull" lineno="348">
 <summary>
 Send a SIGNULL signal to the unconfined domain.
 </summary>
@@ -109883,7 +110420,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="unconfined_signal" lineno="363">
+<interface name="unconfined_signal" lineno="366">
 <summary>
 Send generic signals to the unconfined domain.
 </summary>
@@ -109893,7 +110430,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="unconfined_read_pipes" lineno="381">
+<interface name="unconfined_read_pipes" lineno="384">
 <summary>
 Read unconfined domain unnamed pipes.
 </summary>
@@ -109903,7 +110440,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="unconfined_write_inherited_pipes" lineno="399">
+<interface name="unconfined_write_inherited_pipes" lineno="402">
 <summary>
 Read unconfined domain unnamed pipes.
 </summary>
@@ -109913,7 +110450,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="unconfined_dontaudit_read_pipes" lineno="418">
+<interface name="unconfined_dontaudit_read_pipes" lineno="421">
 <summary>
 Do not audit attempts to read unconfined domain unnamed pipes.
 </summary>
@@ -109923,7 +110460,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="unconfined_rw_pipes" lineno="436">
+<interface name="unconfined_rw_pipes" lineno="439">
 <summary>
 Read and write unconfined domain unnamed pipes.
 </summary>
@@ -109933,7 +110470,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="unconfined_dontaudit_rw_pipes" lineno="455">
+<interface name="unconfined_dontaudit_rw_pipes" lineno="458">
 <summary>
 Do not audit attempts to read and write
 unconfined domain unnamed pipes.
@@ -109944,7 +110481,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="unconfined_stream_connect" lineno="474">
+<interface name="unconfined_stream_connect" lineno="477">
 <summary>
 Connect to the unconfined domain using
 a unix domain stream socket.
@@ -109955,7 +110492,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="unconfined_dontaudit_rw_stream_sockets" lineno="493">
+<interface name="unconfined_dontaudit_rw_stream_sockets" lineno="496">
 <summary>
 Do not audit attempts to read and write
 unconfined domain stream.
@@ -109966,7 +110503,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="unconfined_dontaudit_rw_tcp_sockets" lineno="522">
+<interface name="unconfined_dontaudit_rw_tcp_sockets" lineno="525">
 <summary>
 Do not audit attempts to read or write
 unconfined domain tcp sockets.
@@ -109987,7 +110524,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="unconfined_search_keys" lineno="540">
+<interface name="unconfined_search_keys" lineno="543">
 <summary>
 Search keys for the unconfined domain.
 </summary>
@@ -109997,7 +110534,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="unconfined_create_keys" lineno="558">
+<interface name="unconfined_create_keys" lineno="561">
 <summary>
 Create keys for the unconfined domain.
 </summary>
@@ -110007,7 +110544,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="unconfined_write_keys" lineno="576">
+<interface name="unconfined_write_keys" lineno="579">
 <summary>
 Write keys for the unconfined domain.
 </summary>
@@ -110017,7 +110554,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="unconfined_dbus_send" lineno="594">
+<interface name="unconfined_dbus_send" lineno="597">
 <summary>
 Send messages to the unconfined domain over dbus.
 </summary>
@@ -110027,7 +110564,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="unconfined_dbus_chat" lineno="614">
+<interface name="unconfined_dbus_chat" lineno="617">
 <summary>
 Send and receive messages from
 unconfined_t over dbus.
@@ -110038,7 +110575,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="unconfined_dbus_connect" lineno="635">
+<interface name="unconfined_dbus_connect" lineno="638">
 <summary>
 Connect to the the unconfined DBUS
 for service (acquire_svc).
@@ -110148,7 +110685,7 @@ The user domain
 </param>
 <rolebase/>
 </interface>
-<interface name="userdom_manage_home_role" lineno="384">
+<interface name="userdom_manage_home_role" lineno="385">
 <summary>
 Allow a home directory for which the
 role has full access.
@@ -110174,7 +110711,7 @@ The user domain
 </param>
 <rolebase/>
 </interface>
-<interface name="userdom_manage_tmp_role" lineno="479">
+<interface name="userdom_manage_tmp_role" lineno="482">
 <summary>
 Manage user temporary files
 </summary>
@@ -110190,7 +110727,7 @@ Domain allowed access.
 </param>
 <rolebase/>
 </interface>
-<interface name="userdom_exec_user_tmp_files" lineno="506">
+<interface name="userdom_exec_user_tmp_files" lineno="509">
 <summary>
 The execute access user temporary files.
 </summary>
@@ -110201,7 +110738,7 @@ Domain allowed access.
 </param>
 <rolebase/>
 </interface>
-<interface name="userdom_manage_tmpfs_role" lineno="542">
+<interface name="userdom_manage_tmpfs_role" lineno="545">
 <summary>
 Role access for the user tmpfs type
 that the user has full access.
@@ -110227,7 +110764,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<template name="userdom_basic_networking_template" lineno="568">
+<template name="userdom_basic_networking_template" lineno="571">
 <summary>
 The template allowing the user basic
 network permissions
@@ -110240,7 +110777,7 @@ is the prefix for user_t).
 </param>
 <rolebase/>
 </template>
-<template name="userdom_change_password_template" lineno="608">
+<template name="userdom_change_password_template" lineno="611">
 <summary>
 The template for allowing the user to change passwords.
 </summary>
@@ -110252,7 +110789,7 @@ is the prefix for user_t).
 </param>
 <rolebase/>
 </template>
-<template name="userdom_common_user_template" lineno="638">
+<template name="userdom_common_user_template" lineno="641">
 <summary>
 The template containing rules common to unprivileged
 users and administrative users.
@@ -110270,7 +110807,7 @@ is the prefix for user_t).
 </summary>
 </param>
 </template>
-<template name="userdom_login_user_template" lineno="969">
+<template name="userdom_login_user_template" lineno="972">
 <summary>
 The template for creating a login user.
 </summary>
@@ -110288,7 +110825,7 @@ is the prefix for user_t).
 </summary>
 </param>
 </template>
-<template name="userdom_restricted_user_template" lineno="1093">
+<template name="userdom_restricted_user_template" lineno="1095">
 <summary>
 The template for creating a unprivileged login user.
 </summary>
@@ -110306,7 +110843,7 @@ is the prefix for user_t).
 </summary>
 </param>
 </template>
-<template name="userdom_restricted_xwindows_user_template" lineno="1134">
+<template name="userdom_restricted_xwindows_user_template" lineno="1136">
 <summary>
 The template for creating a unprivileged xwindows login user.
 </summary>
@@ -110327,7 +110864,7 @@ is the prefix for user_t).
 </summary>
 </param>
 </template>
-<template name="userdom_unpriv_user_template" lineno="1219">
+<template name="userdom_unpriv_user_template" lineno="1221">
 <summary>
 The template for creating a unprivileged user roughly
 equivalent to a regular linux user.
@@ -110350,7 +110887,7 @@ is the prefix for user_t).
 </summary>
 </param>
 </template>
-<template name="userdom_admin_user_template" lineno="1339">
+<template name="userdom_admin_user_template" lineno="1341">
 <summary>
 The template for creating an administrative user.
 </summary>
@@ -110379,7 +110916,7 @@ is the prefix for sysadm_t).
 </summary>
 </param>
 </template>
-<interface name="userdom_security_admin_template" lineno="1521">
+<interface name="userdom_security_admin_template" lineno="1524">
 <summary>
 Allow user to run as a secadm
 </summary>
@@ -110405,7 +110942,7 @@ The role  of the object to create.
 </summary>
 </param>
 </interface>
-<template name="userdom_xdg_user_template" lineno="1624">
+<template name="userdom_xdg_user_template" lineno="1627">
 <summary>
 Allow user to interact with xdg content types
 </summary>
@@ -110426,7 +110963,7 @@ Domain allowed access.
 </summary>
 </param>
 </template>
-<interface name="userdom_user_application_type" lineno="1673">
+<interface name="userdom_user_application_type" lineno="1676">
 <summary>
 Make the specified type usable as
 a user application domain type.
@@ -110437,7 +110974,7 @@ Type to be used as a user application domain.
 </summary>
 </param>
 </interface>
-<interface name="userdom_user_application_domain" lineno="1694">
+<interface name="userdom_user_application_domain" lineno="1697">
 <summary>
 Make the specified type usable as
 a user application domain.
@@ -110453,7 +110990,7 @@ Type to be used as the domain entry point.
 </summary>
 </param>
 </interface>
-<interface name="userdom_user_home_content" lineno="1711">
+<interface name="userdom_user_home_content" lineno="1714">
 <summary>
 Make the specified type usable in a
 user home directory.
@@ -110465,7 +111002,7 @@ user home directory.
 </summary>
 </param>
 </interface>
-<interface name="userdom_user_tmp_file" lineno="1737">
+<interface name="userdom_user_tmp_file" lineno="1740">
 <summary>
 Make the specified type usable as a
 user temporary file.
@@ -110477,7 +111014,7 @@ temporary directories.
 </summary>
 </param>
 </interface>
-<interface name="userdom_user_tmpfs_file" lineno="1754">
+<interface name="userdom_user_tmpfs_file" lineno="1757">
 <summary>
 Make the specified type usable as a
 user tmpfs file.
@@ -110489,7 +111026,7 @@ tmpfs directories.
 </summary>
 </param>
 </interface>
-<interface name="userdom_attach_admin_tun_iface" lineno="1769">
+<interface name="userdom_attach_admin_tun_iface" lineno="1772">
 <summary>
 Allow domain to attach to TUN devices created by administrative users.
 </summary>
@@ -110499,7 +111036,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_setattr_user_ptys" lineno="1788">
+<interface name="userdom_setattr_user_ptys" lineno="1791">
 <summary>
 Set the attributes of a user pty.
 </summary>
@@ -110509,7 +111046,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_create_user_pty" lineno="1806">
+<interface name="userdom_create_user_pty" lineno="1809">
 <summary>
 Create a user pty.
 </summary>
@@ -110519,7 +111056,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_getattr_user_home_dirs" lineno="1824">
+<interface name="userdom_getattr_user_home_dirs" lineno="1827">
 <summary>
 Get the attributes of user home directories.
 </summary>
@@ -110529,7 +111066,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_dontaudit_getattr_user_home_dirs" lineno="1843">
+<interface name="userdom_dontaudit_getattr_user_home_dirs" lineno="1846">
 <summary>
 Do not audit attempts to get the attributes of user home directories.
 </summary>
@@ -110539,7 +111076,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="userdom_search_user_home_dirs" lineno="1861">
+<interface name="userdom_search_user_home_dirs" lineno="1864">
 <summary>
 Search user home directories.
 </summary>
@@ -110549,7 +111086,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_dontaudit_search_user_home_dirs" lineno="1888">
+<interface name="userdom_dontaudit_search_user_home_dirs" lineno="1891">
 <summary>
 Do not audit attempts to search user home directories.
 </summary>
@@ -110567,7 +111104,7 @@ Domain to not audit.
 </param>
 <infoflow type="none"/>
 </interface>
-<interface name="userdom_list_user_home_dirs" lineno="1906">
+<interface name="userdom_list_user_home_dirs" lineno="1909">
 <summary>
 List user home directories.
 </summary>
@@ -110577,7 +111114,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_dontaudit_list_user_home_dirs" lineno="1925">
+<interface name="userdom_dontaudit_list_user_home_dirs" lineno="1928">
 <summary>
 Do not audit attempts to list user home subdirectories.
 </summary>
@@ -110587,7 +111124,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="userdom_create_user_home_dirs" lineno="1943">
+<interface name="userdom_create_user_home_dirs" lineno="1946">
 <summary>
 Create user home directories.
 </summary>
@@ -110597,7 +111134,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_manage_user_home_dirs" lineno="1961">
+<interface name="userdom_manage_user_home_dirs" lineno="1964">
 <summary>
 Manage user home directories.
 </summary>
@@ -110607,7 +111144,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_dontaudit_manage_user_home_dirs" lineno="1980">
+<interface name="userdom_dontaudit_manage_user_home_dirs" lineno="1983">
 <summary>
 Do not audit attempts to manage user
 home directories.
@@ -110618,7 +111155,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="userdom_relabelto_user_home_dirs" lineno="1998">
+<interface name="userdom_relabelto_user_home_dirs" lineno="2001">
 <summary>
 Relabel to user home directories.
 </summary>
@@ -110628,7 +111165,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_home_filetrans_user_home_dir" lineno="2022">
+<interface name="userdom_home_filetrans_user_home_dir" lineno="2025">
 <summary>
 Create directories in the home dir root with
 the user home directory type.
@@ -110644,7 +111181,7 @@ The name of the object being created.
 </summary>
 </param>
 </interface>
-<interface name="userdom_user_home_domtrans" lineno="2059">
+<interface name="userdom_user_home_domtrans" lineno="2062">
 <summary>
 Do a domain transition to the specified
 domain when executing a program in the
@@ -110673,7 +111210,7 @@ Domain to transition to.
 </summary>
 </param>
 </interface>
-<interface name="userdom_dontaudit_search_user_home_content" lineno="2079">
+<interface name="userdom_dontaudit_search_user_home_content" lineno="2082">
 <summary>
 Do not audit attempts to search user home content directories.
 </summary>
@@ -110683,7 +111220,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="userdom_list_all_user_home_content" lineno="2097">
+<interface name="userdom_list_all_user_home_content" lineno="2100">
 <summary>
 List all users home content directories.
 </summary>
@@ -110693,7 +111230,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_list_user_home_content" lineno="2116">
+<interface name="userdom_list_user_home_content" lineno="2119">
 <summary>
 List contents of users home directory.
 </summary>
@@ -110703,7 +111240,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_manage_user_home_content_dirs" lineno="2135">
+<interface name="userdom_manage_user_home_content_dirs" lineno="2138">
 <summary>
 Create, read, write, and delete directories
 in a user home subdirectory.
@@ -110714,7 +111251,37 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_delete_all_user_home_content_dirs" lineno="2154">
+<interface name="userdom_create_all_user_home_dirs" lineno="2157">
+<summary>
+Create all user home content directories.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="userdom_create_all_user_home_files" lineno="2178">
+<summary>
+Create all user home content files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="userdom_write_all_user_home_files" lineno="2199">
+<summary>
+Write all user home content files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="userdom_delete_all_user_home_content_dirs" lineno="2219">
 <summary>
 Delete all user home content directories.
 </summary>
@@ -110724,7 +111291,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_delete_user_home_content_dirs" lineno="2174">
+<interface name="userdom_delete_user_home_content_dirs" lineno="2239">
 <summary>
 Delete directories in a user home subdirectory.
 </summary>
@@ -110734,7 +111301,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_setattr_all_user_home_content_dirs" lineno="2192">
+<interface name="userdom_setattr_all_user_home_content_dirs" lineno="2257">
 <summary>
 Set attributes of all user home content directories.
 </summary>
@@ -110744,7 +111311,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_dontaudit_setattr_user_home_content_files" lineno="2212">
+<interface name="userdom_dontaudit_setattr_user_home_content_files" lineno="2277">
 <summary>
 Do not audit attempts to set the
 attributes of user home files.
@@ -110755,7 +111322,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="userdom_map_user_home_content_files" lineno="2230">
+<interface name="userdom_map_user_home_content_files" lineno="2295">
 <summary>
 Map user home files.
 </summary>
@@ -110765,7 +111332,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_mmap_user_home_content_files" lineno="2248">
+<interface name="userdom_mmap_user_home_content_files" lineno="2313">
 <summary>
 Mmap user home files.
 </summary>
@@ -110775,7 +111342,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_read_user_home_content_files" lineno="2267">
+<interface name="userdom_read_user_home_content_files" lineno="2332">
 <summary>
 Read user home files.
 </summary>
@@ -110785,7 +111352,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_dontaudit_read_user_home_content_files" lineno="2286">
+<interface name="userdom_dontaudit_read_user_home_content_files" lineno="2351">
 <summary>
 Do not audit attempts to read user home files.
 </summary>
@@ -110795,7 +111362,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="userdom_read_all_user_home_content" lineno="2305">
+<interface name="userdom_read_all_user_home_content" lineno="2370">
 <summary>
 Read all user home content, including application-specific resources.
 </summary>
@@ -110805,7 +111372,7 @@ Domain allowed access
 </summary>
 </param>
 </interface>
-<interface name="userdom_manage_all_user_home_content" lineno="2327">
+<interface name="userdom_manage_all_user_home_content" lineno="2392">
 <summary>
 Manage all user home content, including application-specific resources.
 </summary>
@@ -110815,7 +111382,7 @@ Domain allowed access
 </summary>
 </param>
 </interface>
-<interface name="userdom_map_all_user_home_content_files" lineno="2349">
+<interface name="userdom_map_all_user_home_content_files" lineno="2414">
 <summary>
 Map all user home content, including application-specific resources.
 </summary>
@@ -110825,7 +111392,7 @@ Domain allowed access
 </summary>
 </param>
 </interface>
-<interface name="userdom_dontaudit_append_user_home_content_files" lineno="2367">
+<interface name="userdom_dontaudit_append_user_home_content_files" lineno="2432">
 <summary>
 Do not audit attempts to append user home files.
 </summary>
@@ -110835,7 +111402,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="userdom_dontaudit_write_user_home_content_files" lineno="2385">
+<interface name="userdom_dontaudit_write_user_home_content_files" lineno="2450">
 <summary>
 Do not audit attempts to write user home files.
 </summary>
@@ -110845,7 +111412,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="userdom_delete_all_user_home_content_files" lineno="2403">
+<interface name="userdom_delete_all_user_home_content_files" lineno="2468">
 <summary>
 Delete all user home content files.
 </summary>
@@ -110855,7 +111422,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_delete_user_home_content_files" lineno="2423">
+<interface name="userdom_delete_user_home_content_files" lineno="2488">
 <summary>
 Delete files in a user home subdirectory.
 </summary>
@@ -110865,7 +111432,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_relabel_generic_user_home_dirs" lineno="2441">
+<interface name="userdom_relabel_generic_user_home_dirs" lineno="2506">
 <summary>
 Relabel generic user home dirs.
 </summary>
@@ -110875,7 +111442,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_relabel_generic_user_home_files" lineno="2459">
+<interface name="userdom_relabel_generic_user_home_files" lineno="2524">
 <summary>
 Relabel generic user home files.
 </summary>
@@ -110885,7 +111452,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_dontaudit_relabel_user_home_content_files" lineno="2477">
+<interface name="userdom_dontaudit_relabel_user_home_content_files" lineno="2542">
 <summary>
 Do not audit attempts to relabel user home files.
 </summary>
@@ -110895,7 +111462,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="userdom_read_user_home_content_symlinks" lineno="2495">
+<interface name="userdom_read_user_home_content_symlinks" lineno="2560">
 <summary>
 Read user home subdirectory symbolic links.
 </summary>
@@ -110905,7 +111472,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_exec_user_home_content_files" lineno="2515">
+<interface name="userdom_exec_user_home_content_files" lineno="2580">
 <summary>
 Execute user home files.
 </summary>
@@ -110916,7 +111483,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="userdom_dontaudit_exec_user_home_content_files" lineno="2542">
+<interface name="userdom_dontaudit_exec_user_home_content_files" lineno="2607">
 <summary>
 Do not audit attempts to execute user home files.
 </summary>
@@ -110926,7 +111493,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="userdom_manage_user_home_content_files" lineno="2561">
+<interface name="userdom_manage_user_home_content_files" lineno="2626">
 <summary>
 Create, read, write, and delete files
 in a user home subdirectory.
@@ -110937,7 +111504,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_dontaudit_manage_user_home_content_dirs" lineno="2582">
+<interface name="userdom_dontaudit_manage_user_home_content_dirs" lineno="2647">
 <summary>
 Do not audit attempts to create, read, write, and delete directories
 in a user home subdirectory.
@@ -110948,7 +111515,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="userdom_manage_user_home_content_symlinks" lineno="2601">
+<interface name="userdom_manage_user_home_content_symlinks" lineno="2666">
 <summary>
 Create, read, write, and delete symbolic links
 in a user home subdirectory.
@@ -110959,7 +111526,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_delete_all_user_home_content_symlinks" lineno="2621">
+<interface name="userdom_delete_all_user_home_content_symlinks" lineno="2686">
 <summary>
 Delete all user home content symbolic links.
 </summary>
@@ -110969,7 +111536,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_delete_user_home_content_symlinks" lineno="2641">
+<interface name="userdom_delete_user_home_content_symlinks" lineno="2706">
 <summary>
 Delete symbolic links in a user home directory.
 </summary>
@@ -110979,7 +111546,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_manage_user_home_content_pipes" lineno="2660">
+<interface name="userdom_manage_user_home_content_pipes" lineno="2725">
 <summary>
 Create, read, write, and delete named pipes
 in a user home subdirectory.
@@ -110990,7 +111557,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_manage_user_home_content_sockets" lineno="2681">
+<interface name="userdom_manage_user_home_content_sockets" lineno="2746">
 <summary>
 Create, read, write, and delete named sockets
 in a user home subdirectory.
@@ -111001,7 +111568,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_user_home_dir_filetrans" lineno="2718">
+<interface name="userdom_user_home_dir_filetrans" lineno="2783">
 <summary>
 Create objects in a user home directory
 with an automatic type transition to
@@ -111028,7 +111595,7 @@ The name of the object being created.
 </summary>
 </param>
 </interface>
-<interface name="userdom_user_home_content_filetrans" lineno="2755">
+<interface name="userdom_user_home_content_filetrans" lineno="2820">
 <summary>
 Create objects in a directory located
 in a user home directory with an
@@ -111056,7 +111623,7 @@ The name of the object being created.
 </summary>
 </param>
 </interface>
-<interface name="userdom_user_home_dir_filetrans_user_cert" lineno="2786">
+<interface name="userdom_user_home_dir_filetrans_user_cert" lineno="2851">
 <summary>
 Automatically use the user_cert_t label for selected resources
 created in a users home directory
@@ -111077,7 +111644,7 @@ Name of the resource that is being created
 </summary>
 </param>
 </interface>
-<interface name="userdom_user_home_dir_filetrans_user_home_content" lineno="2816">
+<interface name="userdom_user_home_dir_filetrans_user_home_content" lineno="2881">
 <summary>
 Create objects in a user home directory
 with an automatic type transition to
@@ -111099,7 +111666,7 @@ The name of the object being created.
 </summary>
 </param>
 </interface>
-<interface name="userdom_exec_user_bin_files" lineno="2835">
+<interface name="userdom_exec_user_bin_files" lineno="2900">
 <summary>
 Execute user executable files.
 </summary>
@@ -111109,7 +111676,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_manage_user_bin" lineno="2855">
+<interface name="userdom_manage_user_bin" lineno="2920">
 <summary>
 Manage user executable files.
 </summary>
@@ -111119,7 +111686,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_read_user_certs" lineno="2877">
+<interface name="userdom_read_user_certs" lineno="2942">
 <summary>
 Read user SSL certificates.
 </summary>
@@ -111130,7 +111697,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="userdom_dontaudit_manage_user_certs" lineno="2900">
+<interface name="userdom_dontaudit_manage_user_certs" lineno="2965">
 <summary>
 Do not audit attempts to manage
 the user SSL certificates.
@@ -111142,7 +111709,7 @@ Domain allowed access.
 </param>
 <rolecap/>
 </interface>
-<interface name="userdom_manage_user_certs" lineno="2920">
+<interface name="userdom_manage_user_certs" lineno="2985">
 <summary>
 Manage user SSL certificates.
 </summary>
@@ -111152,7 +111719,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_write_user_tmp_sockets" lineno="2941">
+<interface name="userdom_write_user_tmp_sockets" lineno="3006">
 <summary>
 Write to user temporary named sockets.
 </summary>
@@ -111162,7 +111729,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_list_user_tmp" lineno="2961">
+<interface name="userdom_list_user_tmp" lineno="3026">
 <summary>
 List user temporary directories.
 </summary>
@@ -111172,7 +111739,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_dontaudit_list_user_tmp" lineno="2983">
+<interface name="userdom_dontaudit_list_user_tmp" lineno="3048">
 <summary>
 Do not audit attempts to list user
 temporary directories.
@@ -111183,7 +111750,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="userdom_delete_user_tmp_dirs" lineno="3001">
+<interface name="userdom_delete_user_tmp_dirs" lineno="3066">
 <summary>
 Delete users temporary directories.
 </summary>
@@ -111193,7 +111760,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_dontaudit_manage_user_tmp_dirs" lineno="3020">
+<interface name="userdom_dontaudit_manage_user_tmp_dirs" lineno="3085">
 <summary>
 Do not audit attempts to manage users
 temporary directories.
@@ -111204,7 +111771,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="userdom_read_user_tmp_files" lineno="3038">
+<interface name="userdom_read_user_tmp_files" lineno="3103">
 <summary>
 Read user temporary files.
 </summary>
@@ -111214,7 +111781,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_map_user_tmp_files" lineno="3059">
+<interface name="userdom_map_user_tmp_files" lineno="3124">
 <summary>
 Map user temporary files.
 </summary>
@@ -111224,7 +111791,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_dontaudit_read_user_tmp_files" lineno="3078">
+<interface name="userdom_dontaudit_read_user_tmp_files" lineno="3143">
 <summary>
 Do not audit attempts to read users
 temporary files.
@@ -111235,7 +111802,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="userdom_dontaudit_append_user_tmp_files" lineno="3097">
+<interface name="userdom_dontaudit_append_user_tmp_files" lineno="3162">
 <summary>
 Do not audit attempts to append users
 temporary files.
@@ -111246,7 +111813,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="userdom_rw_user_tmp_files" lineno="3115">
+<interface name="userdom_rw_user_tmp_files" lineno="3180">
 <summary>
 Read and write user temporary files.
 </summary>
@@ -111256,7 +111823,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_delete_user_tmp_files" lineno="3136">
+<interface name="userdom_delete_user_tmp_files" lineno="3201">
 <summary>
 Delete users temporary files.
 </summary>
@@ -111266,7 +111833,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_dontaudit_manage_user_tmp_files" lineno="3155">
+<interface name="userdom_dontaudit_manage_user_tmp_files" lineno="3220">
 <summary>
 Do not audit attempts to manage users
 temporary files.
@@ -111277,7 +111844,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="userdom_read_user_tmp_symlinks" lineno="3173">
+<interface name="userdom_read_user_tmp_symlinks" lineno="3238">
 <summary>
 Read user temporary symbolic links.
 </summary>
@@ -111287,7 +111854,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_delete_user_tmp_symlinks" lineno="3194">
+<interface name="userdom_delete_user_tmp_symlinks" lineno="3259">
 <summary>
 Delete users temporary symbolic links.
 </summary>
@@ -111297,7 +111864,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_manage_user_tmp_dirs" lineno="3213">
+<interface name="userdom_manage_user_tmp_dirs" lineno="3278">
 <summary>
 Create, read, write, and delete user
 temporary directories.
@@ -111308,7 +111875,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_delete_user_tmp_named_pipes" lineno="3233">
+<interface name="userdom_delete_user_tmp_named_pipes" lineno="3298">
 <summary>
 Delete users temporary named pipes.
 </summary>
@@ -111318,7 +111885,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_manage_user_tmp_files" lineno="3252">
+<interface name="userdom_manage_user_tmp_files" lineno="3317">
 <summary>
 Create, read, write, and delete user
 temporary files.
@@ -111329,7 +111896,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_delete_user_tmp_named_sockets" lineno="3272">
+<interface name="userdom_delete_user_tmp_named_sockets" lineno="3337">
 <summary>
 Delete users temporary named sockets.
 </summary>
@@ -111339,7 +111906,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_manage_user_tmp_symlinks" lineno="3291">
+<interface name="userdom_manage_user_tmp_symlinks" lineno="3356">
 <summary>
 Create, read, write, and delete user
 temporary symbolic links.
@@ -111350,7 +111917,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_dontaudit_rw_user_tmp_pipes" lineno="3312">
+<interface name="userdom_dontaudit_rw_user_tmp_pipes" lineno="3377">
 <summary>
 Do not audit attempts to read and write
 temporary pipes.
@@ -111361,7 +111928,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_manage_user_tmp_pipes" lineno="3331">
+<interface name="userdom_manage_user_tmp_pipes" lineno="3396">
 <summary>
 Create, read, write, and delete user
 temporary named pipes.
@@ -111372,7 +111939,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_manage_user_tmp_sockets" lineno="3352">
+<interface name="userdom_manage_user_tmp_sockets" lineno="3417">
 <summary>
 Create, read, write, and delete user
 temporary named sockets.
@@ -111383,7 +111950,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_user_tmp_filetrans" lineno="3389">
+<interface name="userdom_user_tmp_filetrans" lineno="3454">
 <summary>
 Create objects in a user temporary directory
 with an automatic type transition to
@@ -111410,7 +111977,7 @@ The name of the object being created.
 </summary>
 </param>
 </interface>
-<interface name="userdom_tmp_filetrans_user_tmp" lineno="3421">
+<interface name="userdom_tmp_filetrans_user_tmp" lineno="3486">
 <summary>
 Create objects in the temporary directory
 with an automatic type transition to
@@ -111432,7 +111999,7 @@ The name of the object being created.
 </summary>
 </param>
 </interface>
-<interface name="userdom_map_user_tmpfs_files" lineno="3439">
+<interface name="userdom_map_user_tmpfs_files" lineno="3504">
 <summary>
 Map user tmpfs files.
 </summary>
@@ -111442,7 +112009,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_read_user_tmpfs_files" lineno="3457">
+<interface name="userdom_read_user_tmpfs_files" lineno="3522">
 <summary>
 Read user tmpfs files.
 </summary>
@@ -111452,7 +112019,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_dontaudit_read_user_tmpfs_files" lineno="3477">
+<interface name="userdom_dontaudit_read_user_tmpfs_files" lineno="3542">
 <summary>
 dontaudit Read attempts of user tmpfs files.
 </summary>
@@ -111462,7 +112029,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_dontaudit_execute_user_tmpfs_files" lineno="3496">
+<interface name="userdom_dontaudit_execute_user_tmpfs_files" lineno="3561">
 <summary>
 dontaudit Execution attempts of user tmpfs files.
 </summary>
@@ -111472,7 +112039,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_relabel_user_tmpfs_dirs" lineno="3514">
+<interface name="userdom_relabel_user_tmpfs_dirs" lineno="3579">
 <summary>
 relabel to/from user tmpfs dirs
 </summary>
@@ -111482,7 +112049,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_relabel_user_tmpfs_files" lineno="3533">
+<interface name="userdom_relabel_user_tmpfs_files" lineno="3598">
 <summary>
 relabel to/from user tmpfs files
 </summary>
@@ -111492,7 +112059,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_user_runtime_content" lineno="3555">
+<interface name="userdom_user_runtime_content" lineno="3620">
 <summary>
 Make the specified type usable in
 the directory /run/user/%{USERID}/.
@@ -111504,7 +112071,7 @@ user_runtime_content_dir_t.
 </summary>
 </param>
 </interface>
-<interface name="userdom_search_user_runtime" lineno="3575">
+<interface name="userdom_search_user_runtime" lineno="3640">
 <summary>
 Search users runtime directories.
 </summary>
@@ -111514,7 +112081,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_search_user_runtime_root" lineno="3594">
+<interface name="userdom_search_user_runtime_root" lineno="3659">
 <summary>
 Search user runtime root directories.
 </summary>
@@ -111524,7 +112091,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_dontaudit_search_user_runtime_root" lineno="3614">
+<interface name="userdom_dontaudit_search_user_runtime_root" lineno="3679">
 <summary>
 Do not audit attempts to search
 user runtime root directories.
@@ -111535,7 +112102,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="userdom_manage_user_runtime_root_dirs" lineno="3633">
+<interface name="userdom_manage_user_runtime_root_dirs" lineno="3698">
 <summary>
 Create, read, write, and delete user
 runtime root dirs.
@@ -111546,7 +112113,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_relabel_user_runtime_root_dirs" lineno="3652">
+<interface name="userdom_relabel_user_runtime_root_dirs" lineno="3717">
 <summary>
 Relabel to and from user runtime root dirs.
 </summary>
@@ -111556,7 +112123,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_manage_user_runtime_dirs" lineno="3671">
+<interface name="userdom_manage_user_runtime_dirs" lineno="3736">
 <summary>
 Create, read, write, and delete user
 runtime dirs.
@@ -111567,7 +112134,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_watch_user_runtime_dirs" lineno="3690">
+<interface name="userdom_watch_user_runtime_dirs" lineno="3755">
 <summary>
 Watch user runtime dirs.
 </summary>
@@ -111577,7 +112144,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_mounton_user_runtime_dirs" lineno="3710">
+<interface name="userdom_mounton_user_runtime_dirs" lineno="3775">
 <summary>
 Mount a filesystem on user runtime dir
 directories.
@@ -111588,7 +112155,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_relabelto_user_runtime_dirs" lineno="3728">
+<interface name="userdom_relabelto_user_runtime_dirs" lineno="3793">
 <summary>
 Relabel to user runtime directories.
 </summary>
@@ -111598,7 +112165,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_relabelfrom_user_runtime_dirs" lineno="3746">
+<interface name="userdom_relabelfrom_user_runtime_dirs" lineno="3811">
 <summary>
 Relabel from user runtime directories.
 </summary>
@@ -111608,7 +112175,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_write_all_user_runtime_named_sockets" lineno="3764">
+<interface name="userdom_write_all_user_runtime_named_sockets" lineno="3829">
 <summary>
 write user runtime socket files
 </summary>
@@ -111618,7 +112185,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_delete_user_runtime_files" lineno="3783">
+<interface name="userdom_delete_user_runtime_files" lineno="3848">
 <summary>
 delete user runtime files
 </summary>
@@ -111628,7 +112195,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_search_all_user_runtime" lineno="3802">
+<interface name="userdom_search_all_user_runtime" lineno="3867">
 <summary>
 Search users runtime directories.
 </summary>
@@ -111638,7 +112205,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_list_all_user_runtime" lineno="3821">
+<interface name="userdom_list_all_user_runtime" lineno="3886">
 <summary>
 List user runtime directories.
 </summary>
@@ -111648,7 +112215,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_delete_all_user_runtime_dirs" lineno="3840">
+<interface name="userdom_delete_all_user_runtime_dirs" lineno="3905">
 <summary>
 delete user runtime directories
 </summary>
@@ -111658,7 +112225,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_delete_all_user_runtime_files" lineno="3858">
+<interface name="userdom_delete_all_user_runtime_files" lineno="3923">
 <summary>
 delete user runtime files
 </summary>
@@ -111668,7 +112235,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_delete_all_user_runtime_symlinks" lineno="3876">
+<interface name="userdom_delete_all_user_runtime_symlinks" lineno="3941">
 <summary>
 delete user runtime symlink files
 </summary>
@@ -111678,7 +112245,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_delete_all_user_runtime_named_pipes" lineno="3894">
+<interface name="userdom_delete_all_user_runtime_named_pipes" lineno="3959">
 <summary>
 delete user runtime fifo files
 </summary>
@@ -111688,7 +112255,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_delete_all_user_runtime_named_sockets" lineno="3912">
+<interface name="userdom_delete_all_user_runtime_named_sockets" lineno="3977">
 <summary>
 delete user runtime socket files
 </summary>
@@ -111698,7 +112265,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_delete_all_user_runtime_blk_files" lineno="3930">
+<interface name="userdom_delete_all_user_runtime_blk_files" lineno="3995">
 <summary>
 delete user runtime blk files
 </summary>
@@ -111708,7 +112275,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_delete_all_user_runtime_chr_files" lineno="3948">
+<interface name="userdom_delete_all_user_runtime_chr_files" lineno="4013">
 <summary>
 delete user runtime chr files
 </summary>
@@ -111718,7 +112285,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_runtime_filetrans_user_runtime_root" lineno="3978">
+<interface name="userdom_runtime_filetrans_user_runtime_root" lineno="4043">
 <summary>
 Create objects in the runtime directory
 with an automatic type transition to
@@ -111740,7 +112307,7 @@ The name of the object being created.
 </summary>
 </param>
 </interface>
-<interface name="userdom_user_runtime_filetrans" lineno="4014">
+<interface name="userdom_user_runtime_filetrans" lineno="4079">
 <summary>
 Create objects in a user runtime
 directory with an automatic type
@@ -111768,7 +112335,7 @@ The name of the object being created.
 </summary>
 </param>
 </interface>
-<interface name="userdom_user_runtime_filetrans_user_tmp" lineno="4045">
+<interface name="userdom_user_runtime_filetrans_user_tmp" lineno="4110">
 <summary>
 Create objects in the user runtime directory
 with an automatic type transition to
@@ -111790,7 +112357,7 @@ The name of the object being created.
 </summary>
 </param>
 </interface>
-<interface name="userdom_user_runtime_root_filetrans_user_runtime" lineno="4075">
+<interface name="userdom_user_runtime_root_filetrans_user_runtime" lineno="4140">
 <summary>
 Create objects in the user runtime root
 directory with an automatic type transition
@@ -111812,7 +112379,7 @@ The name of the object being created.
 </summary>
 </param>
 </interface>
-<interface name="userdom_user_run_filetrans_user_runtime" lineno="4106">
+<interface name="userdom_user_run_filetrans_user_runtime" lineno="4171">
 <summary>
 Create objects in the user runtime root
 directory with an automatic type transition
@@ -111834,7 +112401,7 @@ The name of the object being created.
 </summary>
 </param>
 </interface>
-<interface name="userdom_rw_user_tmpfs_files" lineno="4124">
+<interface name="userdom_rw_user_tmpfs_files" lineno="4189">
 <summary>
 Read and write user tmpfs files.
 </summary>
@@ -111844,7 +112411,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_delete_user_tmpfs_files" lineno="4145">
+<interface name="userdom_delete_user_tmpfs_files" lineno="4210">
 <summary>
 Delete user tmpfs files.
 </summary>
@@ -111854,7 +112421,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_manage_user_tmpfs_files" lineno="4164">
+<interface name="userdom_manage_user_tmpfs_files" lineno="4229">
 <summary>
 Create, read, write, and delete user tmpfs files.
 </summary>
@@ -111864,7 +112431,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_getattr_user_ttys" lineno="4184">
+<interface name="userdom_getattr_user_ttys" lineno="4249">
 <summary>
 Get the attributes of a user domain tty.
 </summary>
@@ -111874,7 +112441,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_dontaudit_getattr_user_ttys" lineno="4202">
+<interface name="userdom_dontaudit_getattr_user_ttys" lineno="4267">
 <summary>
 Do not audit attempts to get the attributes of a user domain tty.
 </summary>
@@ -111884,7 +112451,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="userdom_setattr_user_ttys" lineno="4220">
+<interface name="userdom_setattr_user_ttys" lineno="4285">
 <summary>
 Set the attributes of a user domain tty.
 </summary>
@@ -111894,7 +112461,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_dontaudit_setattr_user_ttys" lineno="4238">
+<interface name="userdom_dontaudit_setattr_user_ttys" lineno="4303">
 <summary>
 Do not audit attempts to set the attributes of a user domain tty.
 </summary>
@@ -111904,7 +112471,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="userdom_use_user_ttys" lineno="4256">
+<interface name="userdom_use_user_ttys" lineno="4321">
 <summary>
 Read and write a user domain tty.
 </summary>
@@ -111914,7 +112481,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_use_user_ptys" lineno="4274">
+<interface name="userdom_use_user_ptys" lineno="4339">
 <summary>
 Read and write a user domain pty.
 </summary>
@@ -111924,7 +112491,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_use_inherited_user_terminals" lineno="4309">
+<interface name="userdom_use_inherited_user_terminals" lineno="4374">
 <summary>
 Read and write a user TTYs and PTYs.
 </summary>
@@ -111950,7 +112517,7 @@ Domain allowed access.
 </param>
 <infoflow type="both" weight="10"/>
 </interface>
-<interface name="userdom_use_user_terminals" lineno="4350">
+<interface name="userdom_use_user_terminals" lineno="4415">
 <summary>
 Read, write and open a user TTYs and PTYs.
 </summary>
@@ -111982,7 +112549,7 @@ Domain allowed access.
 </param>
 <infoflow type="both" weight="10"/>
 </interface>
-<interface name="userdom_dontaudit_use_user_terminals" lineno="4366">
+<interface name="userdom_dontaudit_use_user_terminals" lineno="4431">
 <summary>
 Do not audit attempts to read and write
 a user domain tty and pty.
@@ -111993,7 +112560,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="userdom_lock_user_terminals" lineno="4385">
+<interface name="userdom_lock_user_terminals" lineno="4450">
 <summary>
 Lock user TTYs and PTYs.
 </summary>
@@ -112003,7 +112570,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="userdom_spec_domtrans_all_users" lineno="4406">
+<interface name="userdom_spec_domtrans_all_users" lineno="4471">
 <summary>
 Execute a shell in all user domains.  This
 is an explicit transition, requiring the
@@ -112015,7 +112582,7 @@ Domain allowed to transition.
 </summary>
 </param>
 </interface>
-<interface name="userdom_xsession_spec_domtrans_all_users" lineno="4429">
+<interface name="userdom_xsession_spec_domtrans_all_users" lineno="4494">
 <summary>
 Execute an Xserver session in all user domains.  This
 is an explicit transition, requiring the
@@ -112027,7 +112594,7 @@ Domain allowed to transition.
 </summary>
 </param>
 </interface>
-<interface name="userdom_spec_domtrans_unpriv_users" lineno="4452">
+<interface name="userdom_spec_domtrans_unpriv_users" lineno="4517">
 <summary>
 Execute a shell in all unprivileged user domains.  This
 is an explicit transition, requiring the
@@ -112039,7 +112606,7 @@ Domain allowed to transition.
 </summary>
 </param>
 </interface>
-<interface name="userdom_xsession_spec_domtrans_unpriv_users" lineno="4475">
+<interface name="userdom_xsession_spec_domtrans_unpriv_users" lineno="4540">
 <summary>
 Execute an Xserver session in all unprivileged user domains.  This
 is an explicit transition, requiring the
@@ -112051,9 +112618,9 @@ Domain allowed to transition.
 </summary>
 </param>
 </interface>
-<interface name="userdom_rw_unpriv_user_semaphores" lineno="4496">
+<interface name="userdom_rw_unpriv_user_semaphores" lineno="4561">
 <summary>
-Read and write unpriviledged user SysV sempaphores.
+Read and write unprivileged user SysV semaphores.
 </summary>
 <param name="domain">
 <summary>
@@ -112061,9 +112628,9 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_manage_unpriv_user_semaphores" lineno="4514">
+<interface name="userdom_manage_unpriv_user_semaphores" lineno="4579">
 <summary>
-Manage unpriviledged user SysV sempaphores.
+Manage unprivileged user SysV semaphores.
 </summary>
 <param name="domain">
 <summary>
@@ -112071,9 +112638,9 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_rw_unpriv_user_shared_mem" lineno="4533">
+<interface name="userdom_rw_unpriv_user_shared_mem" lineno="4598">
 <summary>
-Read and write unpriviledged user SysV shared
+Read and write unprivileged user SysV shared
 memory segments.
 </summary>
 <param name="domain">
@@ -112082,9 +112649,9 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_manage_unpriv_user_shared_mem" lineno="4552">
+<interface name="userdom_manage_unpriv_user_shared_mem" lineno="4617">
 <summary>
-Manage unpriviledged user SysV shared
+Manage unprivileged user SysV shared
 memory segments.
 </summary>
 <param name="domain">
@@ -112093,7 +112660,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_bin_spec_domtrans_unpriv_users" lineno="4572">
+<interface name="userdom_bin_spec_domtrans_unpriv_users" lineno="4637">
 <summary>
 Execute bin_t in the unprivileged user domains. This
 is an explicit transition, requiring the
@@ -112105,7 +112672,7 @@ Domain allowed to transition.
 </summary>
 </param>
 </interface>
-<interface name="userdom_entry_spec_domtrans_unpriv_users" lineno="4595">
+<interface name="userdom_entry_spec_domtrans_unpriv_users" lineno="4660">
 <summary>
 Execute all entrypoint files in unprivileged user
 domains. This is an explicit transition, requiring the
@@ -112117,7 +112684,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_search_user_home_content" lineno="4616">
+<interface name="userdom_search_user_home_content" lineno="4681">
 <summary>
 Search users home directories.
 </summary>
@@ -112127,7 +112694,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_watch_user_home_dirs" lineno="4635">
+<interface name="userdom_watch_user_home_dirs" lineno="4700">
 <summary>
 watch users home directories.
 </summary>
@@ -112137,7 +112704,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_signull_unpriv_users" lineno="4653">
+<interface name="userdom_signull_unpriv_users" lineno="4718">
 <summary>
 Send signull to unprivileged user domains.
 </summary>
@@ -112147,7 +112714,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_signal_unpriv_users" lineno="4671">
+<interface name="userdom_signal_unpriv_users" lineno="4736">
 <summary>
 Send general signals to unprivileged user domains.
 </summary>
@@ -112157,7 +112724,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_use_unpriv_users_fds" lineno="4689">
+<interface name="userdom_use_unpriv_users_fds" lineno="4754">
 <summary>
 Inherit the file descriptors from unprivileged user domains.
 </summary>
@@ -112167,7 +112734,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_dontaudit_use_unpriv_user_fds" lineno="4717">
+<interface name="userdom_dontaudit_use_unpriv_user_fds" lineno="4782">
 <summary>
 Do not audit attempts to inherit the file descriptors
 from unprivileged user domains.
@@ -112187,7 +112754,7 @@ Domain to not audit.
 </param>
 <infoflow type="none"/>
 </interface>
-<interface name="userdom_dontaudit_use_user_ptys" lineno="4735">
+<interface name="userdom_dontaudit_use_user_ptys" lineno="4800">
 <summary>
 Do not audit attempts to use user ptys.
 </summary>
@@ -112197,7 +112764,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="userdom_relabelto_user_ptys" lineno="4753">
+<interface name="userdom_relabelto_user_ptys" lineno="4818">
 <summary>
 Relabel files to unprivileged user pty types.
 </summary>
@@ -112207,7 +112774,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_dontaudit_relabelfrom_user_ptys" lineno="4772">
+<interface name="userdom_dontaudit_relabelfrom_user_ptys" lineno="4837">
 <summary>
 Do not audit attempts to relabel files from
 user pty types.
@@ -112218,7 +112785,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="userdom_write_user_tmp_files" lineno="4790">
+<interface name="userdom_write_user_tmp_files" lineno="4855">
 <summary>
 Write all users files in /tmp
 </summary>
@@ -112228,7 +112795,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_dontaudit_write_user_tmp_files" lineno="4809">
+<interface name="userdom_dontaudit_write_user_tmp_files" lineno="4874">
 <summary>
 Do not audit attempts to write users
 temporary files.
@@ -112239,7 +112806,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="userdom_dontaudit_use_user_ttys" lineno="4827">
+<interface name="userdom_dontaudit_use_user_ttys" lineno="4892">
 <summary>
 Do not audit attempts to use user ttys.
 </summary>
@@ -112249,7 +112816,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="userdom_read_all_users_state" lineno="4845">
+<interface name="userdom_read_all_users_state" lineno="4910">
 <summary>
 Read the process state of all user domains.
 </summary>
@@ -112259,7 +112826,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_getattr_all_users" lineno="4865">
+<interface name="userdom_getattr_all_users" lineno="4930">
 <summary>
 Get the attributes of all user domains.
 </summary>
@@ -112269,7 +112836,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_use_all_users_fds" lineno="4883">
+<interface name="userdom_use_all_users_fds" lineno="4948">
 <summary>
 Inherit the file descriptors from all user domains
 </summary>
@@ -112279,7 +112846,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_dontaudit_use_all_users_fds" lineno="4902">
+<interface name="userdom_dontaudit_use_all_users_fds" lineno="4967">
 <summary>
 Do not audit attempts to inherit the file
 descriptors from any user domains.
@@ -112290,7 +112857,7 @@ Domain to not audit.
 </summary>
 </param>
 </interface>
-<interface name="userdom_signal_all_users" lineno="4920">
+<interface name="userdom_signal_all_users" lineno="4985">
 <summary>
 Send general signals to all user domains.
 </summary>
@@ -112300,7 +112867,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_sigchld_all_users" lineno="4938">
+<interface name="userdom_sigchld_all_users" lineno="5003">
 <summary>
 Send a SIGCHLD signal to all user domains.
 </summary>
@@ -112310,7 +112877,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_read_all_users_keys" lineno="4956">
+<interface name="userdom_read_all_users_keys" lineno="5021">
 <summary>
 Read keys for all user domains.
 </summary>
@@ -112320,7 +112887,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_write_all_users_keys" lineno="4974">
+<interface name="userdom_write_all_users_keys" lineno="5039">
 <summary>
 Write keys for all user domains.
 </summary>
@@ -112330,7 +112897,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_rw_all_users_keys" lineno="4992">
+<interface name="userdom_rw_all_users_keys" lineno="5057">
 <summary>
 Read and write keys for all user domains.
 </summary>
@@ -112340,7 +112907,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_create_all_users_keys" lineno="5010">
+<interface name="userdom_create_all_users_keys" lineno="5075">
 <summary>
 Create keys for all user domains.
 </summary>
@@ -112350,7 +112917,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_manage_all_users_keys" lineno="5028">
+<interface name="userdom_manage_all_users_keys" lineno="5093">
 <summary>
 Manage keys for all user domains.
 </summary>
@@ -112360,7 +112927,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_dbus_send_all_users" lineno="5046">
+<interface name="userdom_dbus_send_all_users" lineno="5111">
 <summary>
 Send a dbus message to all user domains.
 </summary>
@@ -112370,7 +112937,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_manage_user_tmp_chr_files" lineno="5068">
+<interface name="userdom_manage_user_tmp_chr_files" lineno="5133">
 <summary>
 Create, read, write, and delete user
 temporary character files.
@@ -112381,7 +112948,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="userdom_relabel_user_certs" lineno="5089">
+<interface name="userdom_relabel_user_certs" lineno="5154">
 <summary>
 Allow relabeling resources to user_cert_t
 </summary>
@@ -112391,7 +112958,7 @@ Domain allowed access
 </summary>
 </param>
 </interface>
-<interface name="userdom_dontaudit_rw_all_users_stream_sockets" lineno="5112">
+<interface name="userdom_dontaudit_rw_all_users_stream_sockets" lineno="5177">
 <summary>
 Do not audit attempts to read and write
 unserdomain stream.
@@ -113792,48 +114359,7 @@ Domain allowed access
 </module>
 <module name="xen" filename="policy/modules/system/xen.if">
 <summary>Xen hypervisor.</summary>
-<interface name="xen_domtrans" lineno="13">
-<summary>
-Execute a domain transition to run xend.
-</summary>
-<param name="domain">
-<summary>
-Domain allowed to transition.
-</summary>
-</param>
-</interface>
-<interface name="xen_exec" lineno="32">
-<summary>
-Execute xend in the caller domain.
-</summary>
-<param name="domain">
-<summary>
-Domain allowed access.
-</summary>
-</param>
-</interface>
-<interface name="xen_use_fds" lineno="51">
-<summary>
-Inherit and use xen file descriptors.
-</summary>
-<param name="domain">
-<summary>
-Domain allowed access.
-</summary>
-</param>
-</interface>
-<interface name="xen_dontaudit_use_fds" lineno="70">
-<summary>
-Do not audit attempts to inherit
-xen file descriptors.
-</summary>
-<param name="domain">
-<summary>
-Domain to not audit.
-</summary>
-</param>
-</interface>
-<interface name="xen_manage_image_dirs" lineno="89">
+<interface name="xen_manage_image_dirs" lineno="14">
 <summary>
 Create, read, write, and delete
 xend image directories.
@@ -113844,7 +114370,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="xen_read_image_files" lineno="108">
+<interface name="xen_read_image_files" lineno="33">
 <summary>
 Read xend image files.
 </summary>
@@ -113854,7 +114380,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="xen_rw_image_files" lineno="128">
+<interface name="xen_rw_image_files" lineno="53">
 <summary>
 Read and write xend image files.
 </summary>
@@ -113864,7 +114390,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="xen_append_log" lineno="148">
+<interface name="xen_append_log" lineno="73">
 <summary>
 Append xend log files.
 </summary>
@@ -113874,7 +114400,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="xen_manage_log" lineno="169">
+<interface name="xen_manage_log" lineno="94">
 <summary>
 Create, read, write, and delete
 xend log files.
@@ -113885,7 +114411,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="xen_read_xenstored_runtime_files" lineno="189">
+<interface name="xen_read_xenstored_runtime_files" lineno="114">
 <summary>
 Read xenstored runtime files.
 </summary>
@@ -113895,18 +114421,7 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="xen_dontaudit_rw_unix_stream_sockets" lineno="209">
-<summary>
-Do not audit attempts to read and write
-Xen unix domain stream sockets.
-</summary>
-<param name="domain">
-<summary>
-Domain to not audit.
-</summary>
-</param>
-</interface>
-<interface name="xen_stream_connect_xenstore" lineno="228">
+<interface name="xen_stream_connect_xenstore" lineno="134">
 <summary>
 Connect to xenstored with a unix
 domain stream socket.
@@ -113917,20 +114432,9 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<interface name="xen_stream_connect" lineno="248">
-<summary>
-Connect to xend with a unix
-domain stream socket.
-</summary>
-<param name="domain">
-<summary>
-Domain allowed access.
-</summary>
-</param>
-</interface>
-<interface name="xen_runtime_filetrans" lineno="280">
+<interface name="xen_runtime_filetrans" lineno="163">
 <summary>
-Create in a xend_runtime_t directory
+Create in a xen_runtime_t directory
 </summary>
 <param name="domain">
 <summary>
@@ -113948,7 +114452,7 @@ The object class of the object being created.
 </summary>
 </param>
 </interface>
-<interface name="xen_domtrans_xm" lineno="298">
+<interface name="xen_domtrans_xm" lineno="181">
 <summary>
 Execute a domain transition to run xm.
 </summary>
@@ -113958,7 +114462,7 @@ Domain allowed to transition.
 </summary>
 </param>
 </interface>
-<interface name="xen_stream_connect_xm" lineno="318">
+<interface name="xen_stream_connect_xm" lineno="201">
 <summary>
 Connect to xm with a unix
 domain stream socket.
@@ -113969,14 +114473,6 @@ Domain allowed access.
 </summary>
 </param>
 </interface>
-<tunable name="xend_run_blktap" dftval="false">
-<desc>
-<p>
-Determine whether xend can
-run blktapctrl and tapdisk.
-</p>
-</desc>
-</tunable>
 <tunable name="xen_use_fusefs" dftval="false">
 <desc>
 <p>
diff --git a/policy/booleans.conf b/policy/booleans.conf
index f38f543fb..a4a011d1c 100644
--- a/policy/booleans.conf
+++ b/policy/booleans.conf
@@ -10,7 +10,7 @@ secure_mode_insmod = false
 secure_mode_policyload = false
 
 #
-# Boolean to determine whether the system permits setting Booelan values.
+# Boolean to determine whether the system permits setting Boolean values.
 # 
 secure_mode_setbool = false
 
@@ -28,6 +28,11 @@ secure_mode = false
 # 
 aide_mmap_files = false
 
+#
+# Enable support for the cloud-init-growpart module.
+# 
+cloudinit_growpart = false
+
 #
 # Enable support for cloud-init to manage all non-security files.
 # 
@@ -803,7 +808,7 @@ phpfpm_connect_smtp = false
 
 #
 # Allow rtorrent to use dht.
-# The correspondig port must be rtorrent_udp_port_t.
+# The corresponding port must be rtorrent_udp_port_t.
 # 
 rtorrent_use_dht = true
 
@@ -813,12 +818,12 @@ rtorrent_use_dht = true
 rtorrent_use_rsync = false
 
 #
-# Determine wether the salt master can read NFS files
+# Determine whether the salt master can read NFS files
 # 
 salt_master_read_nfs = false
 
 #
-# Determine wether the salt minion can manage NFS files
+# Determine whether the salt minion can manage NFS files
 # 
 salt_minion_manage_nfs = false
 
@@ -1612,6 +1617,30 @@ glusterfs_manage_unlabeled = false
 # 
 glusterfs_modify_policy = false
 
+#
+# Determine whether haproxy can bind to
+# all TCP ports.
+# 
+haproxy_bind_all_tcp_ports = false
+
+#
+# Determine whether haproxy can bind to
+# kubernetes ports (typically 6443/tcp).
+# 
+haproxy_bind_kubernetes_port = false
+
+#
+# Determine whether haproxy can connect to
+# all TCP ports.
+# 
+haproxy_connect_all_tcp_ports = false
+
+#
+# Determine whether haproxy can connect to
+# kubernetes ports (typically 6443/tcp).
+# 
+haproxy_connect_kubernetes_port = false
+
 #
 # Grant the i18n_input domains read access to generic user content
 # 
@@ -1644,6 +1673,14 @@ matrix_allow_federation = true
 # 
 matrix_postgresql_connect = false
 
+#
+# Determine whether Matrixd is allowed to bind all
+# TCP ports. This is intended for more complex Matrix
+# server configurations (e.g. Synapse workers) and may
+# be used in lieu of manually labeling each port.
+# 
+matrix_bind_all_unreserved_tcp_ports = false
+
 #
 # Determine whether the script domain can
 # modify public files used for public file
@@ -1779,6 +1816,11 @@ postfix_manage_generic_user_content = false
 # 
 postfix_manage_all_user_content = false
 
+#
+# Allow postgresql to map memory regions as both executable and writable (e.g. for JIT).
+# 
+psql_allow_execmem = false
+
 #
 # Allow unprived users to execute DDL statement
 # 
@@ -2052,6 +2094,11 @@ ssh_sysadm_login = false
 # 
 ssh_use_gpg_agent = false
 
+#
+# Allow sshd to use remote port forwarding (bind to any TCP port)
+# 
+sshd_port_forwarding = false
+
 #
 # Determine whether tftp can modify
 # public files used for public file
@@ -2340,12 +2387,6 @@ user_write_removable = false
 # 
 user_ttyfile_stat = false
 
-#
-# Determine whether xend can
-# run blktapctrl and tapdisk.
-# 
-xend_run_blktap = false
-
 #
 # Determine whether xen can
 # use fusefs file systems.
diff --git a/policy/modules.conf b/policy/modules.conf
index 07319bbe4..c157b095a 100644
--- a/policy/modules.conf
+++ b/policy/modules.conf
@@ -1666,6 +1666,13 @@ gssproxy = module
 # 
 hadoop = module
 
+# Layer: services
+# Module: haproxy
+#
+# A TCP/HTTP reverse proxy for high availability environments.
+# 
+haproxy = module
+
 # Layer: services
 # Module: hddtemp
 #
@@ -1830,7 +1837,7 @@ likewise = module
 # Layer: services
 # Module: lircd
 #
-# Linux infared remote control daemon.
+# Linux infrared remote control daemon.
 # 
 lircd = module
 
diff --git a/policy/modules/kernel/corenetwork.if b/policy/modules/kernel/corenetwork.if
index 7355bafab..b86f8aaf6 100644
--- a/policy/modules/kernel/corenetwork.if
+++ b/policy/modules/kernel/corenetwork.if
@@ -653,7 +653,7 @@ interface(`corenet_sctp_sendrecv_generic_node',`
 		type node_t;
 	')
 
-	allow $1 node_t:node { sendto recvfrom };
+	allow $1 node_t:node { recvfrom sendto };
 ')
 
 ########################################
@@ -732,7 +732,7 @@ interface(`corenet_tcp_sendrecv_generic_node',`
 		type node_t;
 	')
 
-	allow $1 node_t:node { sendto recvfrom };
+	allow $1 node_t:node { recvfrom sendto };
 ')
 
 ########################################
@@ -1053,7 +1053,7 @@ interface(`corenet_tcp_sendrecv_all_nodes',`
 		attribute node_type;
 	')
 
-	allow $1 node_type:node { sendto recvfrom };
+	allow $1 node_type:node { recvfrom sendto };
 ')
 
 ########################################
@@ -1108,7 +1108,7 @@ interface(`corenet_sctp_sendrecv_all_nodes',`
 		attribute node_type;
 	')
 
-	allow $1 node_type:node { sendto recvfrom };
+	allow $1 node_type:node { recvfrom sendto };
 ')
 
 ########################################
@@ -1616,7 +1616,7 @@ interface(`corenet_tcp_bind_all_ports',`
 
 ########################################
 ## <summary>
-##	Do not audit attepts to bind TCP sockets to any ports.
+##	Do not audit attempts to bind TCP sockets to any ports.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -1671,7 +1671,7 @@ interface(`corenet_sctp_connect_generic_port',`
 
 ########################################
 ## <summary>
-##	Do not audit attepts to bind UDP sockets to any ports.
+##	Do not audit attempts to bind UDP sockets to any ports.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -2497,7 +2497,7 @@ interface(`corenet_tcp_recvfrom_netlabel',`
 
 ########################################
 ## <summary>
-##	Receive TCP packets from an unlabled connection.
+##	Receive TCP packets from an unlabeled connection.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -3348,7 +3348,7 @@ interface(`corenet_relabelto_all_server_packets',`
 
 ########################################
 ## <summary>
-##	Receive SCTP packets from an unlabled connection.
+##	Receive SCTP packets from an unlabeled connection.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
diff --git a/policy/modules/kernel/corenetwork.te b/policy/modules/kernel/corenetwork.te
index 4796d0bf5..dc6ac1fa7 100644
--- a/policy/modules/kernel/corenetwork.te
+++ b/policy/modules/kernel/corenetwork.te
@@ -2070,8 +2070,8 @@ typealias netif_t alias lo_netif_t;
 #
 
 allow corenet_unconfined_type node_type:node { recvfrom sendto };
-allow corenet_unconfined_type netif_type:netif { ingress egress };
-allow corenet_unconfined_type packet_type:packet { send recv relabelto forward_in forward_out };
+allow corenet_unconfined_type netif_type:netif { egress ingress };
+allow corenet_unconfined_type packet_type:packet { forward_in forward_out recv relabelto send };
 allow corenet_unconfined_type port_type:tcp_socket { name_connect };
 allow corenet_unconfined_type port_type:sctp_socket { name_connect };